All modules
CMVP Validated Module · FIPS 140-3 Security Policy

G&D Cryptographic Module

Certificate#5005StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorGuntermann & Drunck GmbH
Low review priority  ·  no TCB surface named  ·  last validated 4 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/29/2029
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorGuntermann & Drunck GmbH

Approved Algorithms (62)

AlgorithmACVP Cert
AES-CBCA4978
AES-CCMA4978
AES-CFB1A4978
AES-CFB128A4978
AES-CFB8A4978
AES-CMACA4978
AES-CTRA4978
AES-ECBA4978
AES-GCMA4978
AES-GMACA4978
AES-KWA4978
AES-KWPA4978
AES-OFBA4978
AES-XTSA4978
Counter DRBGA4978
DSA KeyGen (FIPS186-4)A4978
DSA PQGGen (FIPS186-4)A4978
DSA PQGVer (FIPS186-4)A4978
DSA SigGen (FIPS186-4)A4978
DSA SigVer (FIPS186-4)A4978
ECDSA KeyGen (FIPS186-4)A4978
ECDSA KeyVer (FIPS186-4)A4978
ECDSA SigGen (FIPS186-4)A4978
ECDSA SigVer (FIPS186-4)A4978
HMAC-SHA-1A4978
HMAC-SHA2-224A4978
HMAC-SHA2-256A4978
HMAC-SHA2-384A4978
HMAC-SHA2-512A4978
HMAC-SHA3-224A4978
HMAC-SHA3-256A4978
HMAC-SHA3-384A4978
HMAC-SHA3-512A4978
KAS-ECC-SSC Sp800-56Ar3A4978
KAS-FFC-SSC Sp800-56Ar3A4978
KDA HKDF SP800-56Cr2A4978
KDF SSHA4978
KDF TLSA4978
PBKDFA4978
RSA KeyGen (FIPS186-4)A4978
RSA SigGen (FIPS186-4)A4978
RSA SigVer (FIPS186-4)A4978
SHA-1A4978
SHA2-224A4978
SHA2-256A4978
SHA2-384A4978
SHA2-512A4978
SHA3-224A4978
SHA3-256A4978
SHA3-384A4978
SHA3-512A4978
SHAKE-128A4978
SHAKE-256A4978
TDES-CBCA4978
TDES-CFB1A4978
TDES-CFB64A4978
TDES-CFB8A4978
TDES-CMACA4978
TDES-ECBA4978
TDES-OFBA4978
TLS v1.2 KDF RFC7627A4978
TLS v1.3 KDFA4979

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for G&D Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for G&D Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Guntermann & Drunck GmbH G&D Cryptographic Module Software Version: 1.1.1s.006 FIPS Security Level: 1 Document Version: 0.4 Prepared for: Prepared by: Guntermann & Drunck GmbH Corsec Security, Inc. Obere Leimbach 9 12600 Fair Lakes Circle Suite 210 Siegen 57074 Fairfax, VA 22033 Germany United States of America Phone: +49 271 238720 Phone: +1 703 267 6050 www.gdsys.com www.corsec.com

Page 2

Abstract This is a non-proprietary Cryptographic Module Security Policy for the G&D Cryptographic Module (software version: 1.1.1s.006) from Guntermann & Drunck GmbH (G&D). This Security Policy describes how the G&D Cryptographic Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. The G&D Cryptographic Module is referred to in this document as “G&D Cryptographic Module” or “module”. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:

Page 3
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1 – Security Levels5
Table 2 – Tested Operational Environments6
Table 3 – Vendor Affirmed Operational Environments6
Table 4 – Approved Algorithms7
Table 5 – Non-Approved Algorithms Allowed in the Approved Mode of Operation11
Table 6 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation12
Table 7 – Ports and Interfaces16
Table 8 – Roles, Service Commands, Input and Output17
Table 9 – Approved Services19
Table 10 – Non-Approved Services20
Table 11 – SSPs26
Table 12 – Non-Deterministic Random Number Generation Specification29
Table 13 – Acronyms and Abbreviations36
Figure 1 – GPC Block Diagram14
Figure 2 – Module Block Diagram (with Cryptographic Boundary)15
Page 5
  1. General Guntermann & Drunck GmbH is the leading KVM1 manufacturer for control room applications. G&D offers a broad range of KVM products that have been developed over their 35 years of experience with KVMs. G&D is headquartered in Germany with G&D North America headquartered in California. The G&D Cryptographic Module 1.1.1s.006 is a cryptographic library embedded in the G&D KVM-over-IP application software. The G&D Cryptographic Module 1.1.1s.006 offers symmetric encryption/decryption, digital signature generation/verification, hashing, cryptographic key generation, random number generation, message authentication, and key establishment functions to secure data-at-rest/data-in-flight and to support secure communications protocols (including SSH2 and TLS3 1.2/1.3). The G&D Cryptographic Module is validated at the FIPS 140-3 section levels shown in Table
  2. Table 1 – Security Levels ISO/IEC 24579 Section
  3. FIPS 140-3 Section Title Security Level [Number Below]
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1

7 Physical Security N/A

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 1

12 Mitigation of Other Attacks N/A

The module has an overall security level of 1.

1 KVM – Keyboard, Video, Mouse
3 TLS – Transport Layer Security

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 6

2. Cryptographic Module Specification The G&D Cryptographic Module is a software module with a multi-chip standalone embodiment. The module is designed to operate within a modifiable operational environment. Additionally, the module is designed to utilize the AES-NI 4 extended instruction set when available by the host platform’s CPU for processor algorithm acceleration (PAA) of its AES implementation.

2.1 Operational Environments

The module was tested and found to be compliant with FIPS 140-3 requirements on the operational environments (OE) listed in Table 2. Table 2

1 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R With (AES-NI)

2 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R Without

The module is also vendor affirmed on the platforms listed in Table 3 for which testing was not performed: Table 3

1 ControlCenter-IP (2.0) series ControlCenter-IP 2.0 Marvell Armada A8040 ARM A72 With (AES, SHA2)

2 ControlCenter-IP-XS series ControlCenter-IP-XS NXP i.MX8m mini ARM A53 With (AES, SHA2)

3 VisionXS-IP series VisionXS-IP firmware v1.4 NXP i.MX8m mini ARM A53 With (AES, SHA2)

4 Vision-IP series Vision-IP firmware v2.4 NXP Freescale MPC 8308 PPC e300 Without

5 RemoteAccess IP series RemoteAccess-IP firware NXP i.MX8m ARM A53 With (AES, SHA2)

v1.3 with SecureCert The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys on these operational environments. Module operators may perform post-validation porting of the module and affirm the module’s continued validation compliance. The cryptographic module will remain compliant with the FIPS 140-3 validation on any general-purpose platform/processor that supports the specified operating system listed on the validation entry,

4 AES-NI – Advanced Encryption Standard – New Instruction

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 7

or another compatible operating system. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment not listed on the validation certificate.

2.2 Algorithm Implementations

Validation certificates for each Approved security function are listed in Table 4. Note that there are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any Approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in Table 4 are used by an Approved service of the module. Table 4

5 This table includes vendor-affirmed algorithms that are approved but CAVP testing is not yet available.

6 PUB – Publication

CBC

8 CFB – Cipher Feedback
9 CTR – Counter
10 ECB – Electronic Code Book
12 CMAC – Cipher-Based Message Authentication Code
13 CCM – Counter with Cipher Block Chaining - Message Authentication Code
14 GCM – Galois Counter Mode

GMAC

16 XOR – Exclusive OR
17 XEX – XOR Encrypt XOR
18 XTS – XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing
19 KW – Key Wrap

KWP

21 CKG – Cryptographic Key Generation

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 8

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate5 Standard Key Strengths A4978 CVL22 KDF (SSH, TLS v1.0/1.1, - Key derivation NIST SP 800-135rev1 v1.2) No parts of the SSH or TLS protocols, other than the KDFs, have been tested by the CAVP and CMVP. A4978 CVL KDF (TLS v1.2) - Key derivation RFC23 7627 No part of the TLS v1.2 protocol, other than the KDF, has been tested by the CAVP and CMVP. A4979 CVL KDF (TLS v1.3) - Key derivation RFC 8446 No part of the TLS v1.3 protocol, other than the KDF, has been tested by the CAVP and CMVP. A4978 DRBG24 Counter-based 128, 192, 256-bit AES-CTR Deterministic random bit NIST SP 800-90Arev1 generation A4978 DSA25 KeyGen 2048/224, 2048/256, Key pair generation FIPS PUB 186-4 3072/256 PQGGen 2048/224, 2048/256, Domain parameter generation 3072/256 (SHA2-224, SHA2256, SHA2-384, SHA2-512) PQGVer 2048/224, 2048/256, Domain parameter verification 3072/256 (SHA2-224, SHA2256, SHA2-384, SHA2-512) SigGen 2048/224, 2048/256, Digital signature generation 3072/256 (SHA2-224, SHA2256, SHA2-384, SHA2-512) SigVer 2048/224, 2048/256, Digital signature verification 3072/256 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512) A4978 ECDSA26 KeyGen B-233, B-283, B-409, B-571, Key pair generation FIPS PUB 186-4 K-233, K-283, K-409, K-571, Secret generation mode: P-224, P-256, P-384, P-521 Testing candidates KeyVer B-163, B-233, B-283, B-409, Public key validation B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521

22 CVL – Component Validation List
23 RFC – Request for Comments
24 DRBG – Deterministic Random Bit Generator

DSA

26 ECDSA – Elliptic Curve Digital Signature Algorithm

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 9

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate5 Standard Key Strengths SigGen B-233, B-283, B-409, B-571, Digital signature generation K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2384, SHA2-512) SigVer B-163, B-233, B-283, B-409, Digital signature verification B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2384, SHA2-512) A4978 HMAC SHA-1, SHA2-224, SHA2- 112 (minimum) Message authentication FIPS PUB 198-1 256, SHA2-384, SHA2512, SHA3-224, SHA3256, SHA3-384, SHA3A4978 KAS-ECC-SSC27 ephemeralUnified B-233, B-283, B-409, B-571, Shared secret computation NIST SP 800-56Arev3 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 A4978 KAS-FFC-SSC28 dhEphem 2048/224 (FB), 2048/256 NIST SP 800-56Arev3 (FC) A4978 KDA29 HKDF SHA2-224, SHA2-256, SHA2- Key derivation NIST SP 800-56Crev2 384, SHA2-512, SHA2512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512) A4978 KTS30 AES-CCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38C encryption)31 Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 KTS AES-GCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38D encryption)32 Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 KTS AES-KW, AES-KWP 128, 192, 256 Key wrap/unwrap NIST SP 800-38F Key establishment methodology provides between 128 and 256 bits of encryption strength

27 KAS-ECC-SSC

28 KAS-FFC-SSC

29 KDA – Key Derivation Algorithm
30 KTS – Key Transport Scheme

Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is an Approved key transport technique.

32 Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is an Approved key transport technique.

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 10

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate5 Standard Key Strengths A4978 KTS AES-CMAC 128, 192, 256 Key wrap/unwrap (encryption FIPS PUB 197 with message authentication)33 NIST SP 800-38B Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 KTS AES-ECB with HMAC 128, 192, 256 Key wrap/unwrap (encryption FIPS PUB 197 with message authentication)34 FIPS PUB 198-1 Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 PBKDF235 Section 5.4, option 1a SHA-1, SHA2-224, SHA2-256, Password-based key derivation NIST SP 800-132 SHA2-384, SHA2-512, SHA3224, SHA3-256, SHA3-384, SHA3-512 A4978 RSA36 Key generation mode: 2048, 3072, 4096 Key pair generation FIPS PUB 186-4, B.3.3 Appendix B.3.3 A4978 RSA X9.31 2048, 3072, 4096 (SHA2-256, Digital signature generation FIPS PUB 186-4 SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-256, SHA2384, SHA2-512) PKCS#1 v1.5 2048, 3072, 4096 (SHA2-224, Digital signature generation SHA2-256, SHA2-384, SHA2512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) PSS37 2048, 3072, 4096 (SHA2-224, Digital signature generation SHA2-256, SHA2-384, SHA2512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) A4978 SHA-3 SHA3-224, SHA3-256, - Message digest FIPS PUB 202 SHA3-384, SHA3-512, SHAKE38-128, SHAKE-256 A4978 SHS39 SHA-1, SHA2-224, SHA2- - Message digest FIPS PUB 180-4 256, SHA2-384, SHA2Per FIPS 140-3 Implementation Guidance D.G, AES with CMAC is an Approved key transport technique.

34 Per FIPS 140-3 Implementation Guidance D.G, AES (in any Approved mode) with HMAC is an Approved key transport technique.

35 PBKDF – Password-based Key Derivation Function
36 RSA – Rivest Shamir Adleman
37 PSS – Probabilistic Signature Scheme

SHAKE

39 SHS – Secure Hash Standard

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 11

CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate5 Standard Key Strengths A4978 Triple-DES CBC, CFB1, CFB8, CFB64, 168 Decryption NIST SP 800-67 ECB, OFB NIST SP 800-38A A4978 Triple-DES CMAC 112, 168 MAC verification NIST SP 800-67 NIST SP 800-38B The vendor affirms the following cryptographic security methods:

Page 12

Algorithm Caveat Use / Function SHA-1 Cert. A4978; secure hashing Digital signature generation in TLS v1.0/1.140 Triple-DES Cert. A4978; key unwrapping; Per IG D.G. Symmetric key unwrapping The module does not implement any non-Approved algorithms in the Approved mode of operation with no security claimed. The module employs the non-Approved algorithms shown in Table 6 below. These algorithms shall not be used in the module’s Approved mode of operation. Table 6

40 Per NIST SP 800-52, SHA-1 is allowed for generating digital signatures on ephemeral parameters within TLS v1.0/1.1.

42 EdDSA – Edwards-curve Digital Signature Algorithm

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 13

Algorithm Use / Function Poly1305 Message authentication code RC243, RC4, RC5 Encryption/decryption RIPEMD Message digest RMD160 Message digest RSA (non-compliant with non-approved/untested key Key pair generation; digital signature generation; digital sizes, and functions) signature verification; key transport SEED Encryption/decryption SM2, SM3 Message digest SM4 Encryption/decryption Triple-DES (non-compliant) Encryption; MAC generation; key wrap Whirlpool Message digest

2.3 Cryptographic Boundary

As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 below illustrates a block diagram of a typical GPC and the module’s physical perimeter.

43 RC – Rivest Cipher

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 14

Hardware Network DVD RAM Management Interface HDD Clock SCSI/SATA Generator Controller LEDs/LCD CPU Serial I/O Hub Audio Cache PCI/PCIe Slots USB BIOS Power Graphics PCI/PCIe Interface Controller Slots External Power Supply KEY: BIOS

Page 15

libssl libssl.hmac Calling Application libcrypto libcrypto.hmac KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Control Output CPU Memory Storage Ports Status Output System Calls Host Device Figure 2

2.4 Modes of Operation

The module supports two modes of operation: Approved and non-Approved. The module will be in Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked. Table 4 and Table 5 above list the Approved and allowed algorithms; Table 9 provides descriptions of the Approved services. The module can also alternate service-by-service between Approved and non-Approved modes of operation. The module will switch to the non-Approved mode upon execution of a non-Approved service. The module will switch back to the Approved mode upon execution of an Approved service. Table 6 lists the non-Approved algorithms implemented by the module; Table 10 below lists the services that constitute the non-Approved mode. When following the guidance in this document, CSPs are not shared between Approved and non-Approved services and modes of operation. G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 16
  1. Cryptographic Module Interfaces FIPS 140-3 defines the following logical interfaces for cryptographic modules: • Data Input • Data Output • Control Input • Control Output • Status Output As a software library, the cryptographic module has no direct access to any of the host platform’s physical ports, as it communicates only to the calling application via its well-defined API. A mapping of the FIPS-defined interfaces and the module’s ports and interfaces at the physical and logical boundaries can be found in Table
  2. Note that the module does not output control information, and thus has no specified control output interface. Table 7 – Ports and Interfaces Physical Port Logical Interface Data That Passes Over Port/Interface Physical data input port(s) of Data Input • Data to be encrypted, decrypted, signed, the tested platforms • API input arguments that provide verified, or hashed input data for processing • Keys to be used in cryptographic services • Random seed material for the module’s DRBG • Keying material to be used as input to key establishment services Physical data output port(s) of Data Output • Data that has been encrypted, the tested platforms • API output arguments that return decrypted, or verified generated or processed data back • Digital signatures to the caller • Hashes • Random values generated by the module’s DRBG • Keys established using module’s key establishment methods Physical control input port(s) of Control Input • API commands invoking cryptographic the tested platforms • API input arguments that are services used to initialize and control the • Modes, key sizes, etc. used with operation of the module cryptographic services Physical status output port(s) Status Output • Status information regarding the module of the tested platforms • API call return values • Status information regarding the invoked service/operation G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH
Page 17

4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.

4.1 Authorized Roles

The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs cryptographic initialization or management functions and general security services. The module also supports the following role(s):

44 MAC – Message Authentication Code

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 18

Role Service Input Output User Verify digital signature API call parameters, key, Status signature, message User Perform key wrap API call parameters, encryption Status, encrypted key key, key User Perform key unwrap API call parameters, decryption Status, decrypted key key, encrypted key User Compute shared secret API call parameters Status, shared secret User Derive SSH keys API call parameters, SSH master Status, SSH keys secret User Derive TLS keys API call parameters, TLS pre- Status, TLS keys master secret User Derive key via HKDF API call parameters Status, key User Derive key via PBKDF2 API call parameters, passphrase Status, key User Generate symmetric digest API call parameters, key, message Status, MAC (CMAC)

4.2 Authentication Methods

The module does not support authentication mechanisms; roles are implicitly selected based on the service invoked. Refer to Table 8 above for a listing of the services associated with each authorized role.

4.3 Services

Descriptions of the services available to the authorized roles are provided in Table 9 below. This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided via the module’s APIs are considered security services, and the module provides indicators for Approved security services as required by FIPS 140-3 IG 2.4.C. When invoking an API for an offered security service, the calling application provides inputs (keys, key sizes, modes, etc.) that the module combines into a single, internal structure, or “context”, that drives the execution of the cryptographic service. Each security service invocation will determine if the invoked service is an Approved security service. Upon completion of the service, that context is first updated with the results of the service as well as the Approved security service indicator, and then returned to the calling application. To access the indicator value from the context, the calling application must pass the resultant context to the indicator API associated with that security function (note the indicator check must be performed before any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix B below. Please note that the keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:

Page 19
Page 20

Service Description Approved Security Function(s) Keys and/or SSPs Roles Access Rights to Keys and/or Indicator SSPs Verify ECDSA Verify an ECDSA ECDSA (Cert. A4978) ECDSA public key User ECDSA public key

Page 21

Service Description Algorithm(s) Accessed Role Indicator Perform MAC operations Perform message Poly1305, Triple-DES/CMAC User API return value (non-compliant) authentication operations (non-compliant for MAC generation) Perform hash operation (non- Perform hash operation MD2, MD4, MD5, RIPEMD, User API return value compliant) RMD160, SM2, SM3, Whirlpool Perform digital signature Perform digital signature DSA (non-compliant), ECDSA User API return value functions (non-compliant) functions (non-compliant), EdDSA, RSA (non-compliant) Perform key encapsulation Perform key encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key un-encapsulation Perform key un-encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key wrap (non- Perform key wrap functions Triple-DES/CMAC (non- User API return value compliant) compliant) Perform authenticated Perform authenticated AES-OCB User API return value encryption/decryption (non- encryption/decryption compliant) Perform random number Perform random number ANSI X9.31 RNG (with 128-bit User API return value generation (non-compliant) generation AES core) Perform key pair generation Perform key pair generation DSA (non-compliant), ECDSA User API return value (non-compliant) (non-compliant), EdDSA, RSA (non-compliant) G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 22

5. Software/Firmware Security All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file ; failure of the integrity check on either library file will cause the module to enter a critical error state. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. The G&D Cryptographic Module is not delivered to end-users as a standalone offering. Rather, it is a pre-built integrated component of G&D’s KVM-over-IP devices. G&D does not provide end-users with any mechanisms to directly access the module, its source code, its APIs, or any information sent to/from the module. Thus, end-users have no ability to independently load the module onto target platforms. No configuration steps are required to be performed by end-users, and no end-user action is required to initialize the module for operation. G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 23

6. Operational Environment The G&D Cryptographic Module comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 24

7. Physical Security The cryptographic module is a software module and does not include physical security mechanisms. Therefore, per ISO/IEC 19790:2012(E) section 7.7.1, requirements for physical security are not applicable. G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 25

8. Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques referenced in ISO/IEC 19790:2021 Annex F. G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 26

9. Sensitive Security Parameter Management

9.1 Keys and Other SSPs

The module supports the keys and other SSPs listed in Table 11. Note that all SSP import and export is electronic and is performed within the Tested OE’s Physical Perimeter (TOEPP). Table 11

Page 27

Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys DSA private key 112 or 128 bits DSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (CSP) (Cert. A4978) Approved DRBG via API parameter stored by the Remove power generation module Exported in plaintext via API parameter DSA public key 112 or 128 bits DSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (PSP) (Cert. A4978) approved DRBG via API parameter stored by the Remove power verification module Exported in plaintext via API parameter ECDSA private Between 112 ECDSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature key and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power generation (CSP) module Exported in plaintext via API parameter ECDSA public Between 112 ECDSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature key and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power verification (PSP) module Exported in plaintext via API parameter RSA private key Between 112 RSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (CSP) and 150 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power generation module KTS Exported in plaintext (Cert. A4978) via API parameter RSA public key Between 80 and RSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (PSP) 150 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power verification module KTS Exported in plaintext (Cert. A4978) via API parameter DH private 112 bits KAS-SSC-FFC Generated via Imported in plaintext - Not persistently Unload module; DH shared component (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (CSP) module computation Exported in plaintext via API parameter DH public 112 bits KAS-SSC-FFC Generated via Imported in plaintext - Not persistently Unload module; DH shared component (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (PSP) module computation Exported in plaintext via API parameter ECDH private Between 112 KAS-SSC-ECC Generated via Imported in plaintext - Not persistently Unload module; ECDH shared component and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (CSP) module computation Exported in plaintext via API parameter ECDH public Between 112 KAS-SSC-ECC Generated via Imported in plaintext - Not persistently Unload module; ECDH shared component and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (PSP) module computation Exported in plaintext via API parameter Other SSPs Passphrase - PBKDF - Imported in plaintext - Not persistently Unload module; Input to PBKDF (PSP) (Cert. A4978) via API parameter stored by the Remove power for key module derivation Never exported AES GCM IV - AES (GCM mode) Generated in - - Not persistently Unload module; Initialization (CSP) (Cert. A4978) compliance with stored by the Remove power vector for AES the provisions of a module GCM peer-to-peer industry standard protocol G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 28

Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys SSH shared - KDF (SSH) - Imported in plaintext Established via Not persistently Unload module; Derivation of secret (Cert. A4978) via API parameter ECC/FFC shared stored by the Remove power the AES key and (CSP) secret module HMAC key used Exported in plaintext computation for securing SSH via API parameter connections TLS pre-master - KDF (TLS 1.0/1.1) - Imported in plaintext Established via Not persistently Unload module; Derivation of secret (Cert. A4978) via API parameter ECC/FFC shared stored by the Remove power the TLS master (CSP) secret module secret KDF (TLS 1.2) Exported in plaintext computation (Cert. A4978) via API parameter KDF (TLS 1.3) (Cert. A4979) TLS master - KDF (TLS 1.0/1.1) - - Established via Not persistently Unload module; Derivation of secret (Cert. A4978) TLS KDF (using stored by the Remove power the AES/AES(CSP) imported TLS module GCM key and KDF (TLS 1.2) pre-master HMAC key used (Cert. A4978) secret) for securing TLS connections KDF (TLS 1.3) (Cert. A4979) DRBG entropy - DRBG - Imported in plaintext - Not persistently Unload module; Entropy material input (Cert. A4978) via API parameter45; stored by the Remove power for DRBG (CSP) module Never exported DRBG seed - DRBG Generated using - - Not persistently Unload module; Seeding material (CSP) (Cert. A4978) nonce along with stored by the Remove power for DRBG DRBG entropy module input DRBG ‘V’ value - DRBG Generated - - Not persistently Unload module; State values for (CSP) (Cert. A4978) stored by the Remove power DRBG module DRBG ‘Key’ - DRBG Generated - - Not persistently Unload module; State values for value (Cert. A4978) stored by the Remove power DRBG (CSP) module

9.2 DRBGs

The module implements the following Approved DRBG:

Page 29
9.3 SSP Storage Techniques

There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.

9.4 SSP Zeroization Methods

Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can unload the module from memory or reboot/power-cycle the host device.

9.5 RBG Entropy Sources

Table 12 below specifies the module’s entropy sources. Table 12

Page 30

10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.

10.1 Pre-Operational Self-Tests

The module performs the following pre-operational self-test(s):

10.2 Conditional Self-Tests

The module performs the following conditional self-tests:

47 CRNGT – Continuous Random Number Generator Test

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 31

To ensure all CASTs are performed prior to the first operational use of the associated algorithm, all CASTs are performed during the module’s initial power-up sequence. The SHA and HMAC KATs are performed prior to the pre-operational software integrity test; all other CASTs are executed after the successful completion of the software integrity test.

10.3 Self-Test Failure Handling

The module reaches the critical error state when any self-test fails. Upon test failure, the module will set an internal flag and enter a critical error state. In this state, the module will no longer perform cryptographic services or output data over the data output interfaces. For any subsequent request for cryptographic services, the module will return a failure indicator. To recover, the module must be re-instantiated by the calling application. If the pre-operational self-tests complete successfully, then the module can resume normal operations. If the module continues to experience self-test failures after reinitializing, then the module will not be able to resume normal operations, and the CO should contact Guntermann & Drunck GmbH for assistance.

48 PCT – Pairwise Consistency Test

G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 32

11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:

11.1 Secure Installation

As the module is an integrated component of the G&D’s KVM-over-IP devices, module operators have no ability to independently load the module onto the target platform. The module and its calling application are to install on a platform specified in section 2.1 or one where portability is maintained. G&D does not provide any mechanisms to directly access the module, its source code, its APIs, or any information sent between it and the KVM-over-IP firmware.

11.2 Initialization

This module is designed to support G&D applications, and these applications are the sole consumers of the cryptographic services provided by the module. No end-user action is required to initialize the module for operation; the calling application performs any actions required to initialize the module. The pre-operational integrity test and cryptographic algorithm self-tests are performed automatically via a default entry point (DEP) when the module is loaded for execution, without any specific action from the calling application or the end-user. End-users have no means to short-circuit or bypass these actions. Failure of any of the initialization actions will result in a failure of the module to load for execution.

11.3 Setup

No setup steps are required to be performed by end-users.

11.4 Administrator Guidance

There are no specific management activities required of the CO role to ensure that the module runs securely. However, if any irregular activity is noticed or the module is consistently reporting errors, then G&D Customer Support should be contacted. The following list provides additional guidance for module administrators: G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 33
11.5 Non-Administrator Guidance

The following list provides additional policies for non-Administrators:

Page 34

The module also supports internal IV generation using the module’s Approved DRBG. The IV is at least 96 bits in length per section 8.2.2 of NIST SP 800-38D. Per NIST SP 800-38D and scenario 2 of FIPS 140-3 IG C.H, the DRBG generates outputs such that the (key/IV) pair collision probability is less than 2-32. In the event that power to the module is lost and subsequently restored, the calling application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed.

Page 35

12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 36

Appendix A. Acronyms and Abbreviations Table 13 provides definitions for the acronyms and abbreviations used in this document. Table 13

Page 37

Term Definition GPC General-Purpose Computer HMAC (keyed-) Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MD Message Digest NIST National Institute of Standards and Technology OCB Offset Codebook OE Operational Environment OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme PUB Publication RC Rivest Cipher RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm KECCAK SHS Secure Hash Standard SP Special Publication SSC Shared Secret Computation SSP Sensitive Security Parameter TDES Triple Data Encryption Standard TLS Transport Layer Security TOEPP Tested OE’s Physical Perimeter XEX XOR Encrypt XOR XTS XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 38

Appendix B. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved security service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved security service indicator value based on the parameter(s) passed to them.

Page 39
Page 40

int NID = EVP_CIPHER_CTX_nid(ctx); fprintf(stdout,"EVP_des_ede3_ecb (NID %i) encrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); //Decrypt ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, cipher, NULL, key, NULL); EVP_CIPHER_CTX_set_key_length(ctx, 24); EVP_DecryptUpdate(ctx, pltmp, &outLen, citmp, 8); // Check the indicator fprintf(stdout,"EVP_des_ede3_ecb (NID %i) decrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); } G&D Cryptographic Module 1.1.1s.006 ©2025 Guntermann & Drunck GmbH

Page 41

Prepared by: Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com