| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/22/2029 |
| Caveat | No assurance of the minimum strength of generated SSPs (e.g., keys). When operated in approved mode. |
| Vendor | Samsung Electronics Co., Ltd. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3285 |
| AES-CCM | A3285 |
| AES-CTR | A3285 |
| AES-ECB | A3285 |
| AES-GCM | A3285 |
| AES-KW | A3285 |
| AES-KWP | A3285 |
| Counter DRBG | A3285 |
| ECDSA KeyGen (FIPS186-4) | A3285 |
| ECDSA KeyVer (FIPS186-4) | A3285 |
| ECDSA SigGen (FIPS186-4) | A3285 |
| ECDSA SigVer (FIPS186-4) | A3285 |
| HMAC-SHA-1 | A3285 |
| HMAC-SHA2-224 | A3285 |
| HMAC-SHA2-256 | A3285 |
| HMAC-SHA2-384 | A3285 |
| HMAC-SHA2-512 | A3285 |
| KAS-ECC-SSC Sp800-56Ar3 | A3285 |
| KDF TLS | A3285 |
| RSA KeyGen (FIPS186-4) | A3285 |
| RSA SigGen (FIPS186-4) | A3285 |
| RSA SigVer (FIPS186-4) | A3285 |
| SHA-1 | A3285 |
| SHA2-224 | A3285 |
| SHA2-256 | A3285 |
| SHA2-384 | A3285 |
| SHA2-512 | A3285 |
| SHA2-512/256 | A3285 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for Samsung BoringCrypto Android
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>On-Demand Self-Test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Samsung BoringCrypto Android
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>On-Demand Self-Test<br/>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3 clueHigh;
class C5,C6 clueLow;Samsung BoringCrypto Android Software Version: 2022061300 Date: 09/18/2025 Prepared by: www.acumensecurity.net Samsung Electronics Co., Ltd. Version 1.1 Public Material
Introduction Federal Information Processing Standards Publication 140-3
| # | Section | Page |
|---|---|---|
| Introduction | 2 | |
| About this Document | 2 | |
| Disclaimer | 2 | |
| Notices | 2 | |
| 1 | General | 5 |
| 2 | Cryptographic Module Specification | 6 |
| 2.1 | Overall Security Design and Rules of Operation | 11 |
| 2.1.1 | Usage of AES-GCM | 11 |
| 2.1.2 | RSA and ECDSA Keys | 11 |
| 2.1.3 | CSP Sharing | 11 |
| 2.1.4 | Modes of Operation | 11 |
| 3 | Cryptographic Module Interfaces | 12 |
| 4 | Roles, Services, and Authentication | 13 |
| 4.1 | Roles | 13 |
| 4.2 | Authentication | 13 |
| 4.3 | Services | 13 |
| 5 | Software/Firmware Security | 17 |
| 5.1 | Module Format | 17 |
| 6 | Operational Environment | 17 |
| 7 | Physical Security | 17 |
| 8 | Non-invasive Security | 17 |
| 9 | Sensitive Security Parameter Management | 18 |
| 10 | Self-Tests | 22 |
| 10.1 | Pre-Operational Self-Tests | 22 |
| 10.2 | Conditional Self-Tests | 22 |
| 11 | Life-Cycle Assurance | 24 |
| 11.1 | Installation Instructions | 24 |
| 11.1.1 | Building for Android | 24 |
| 11.1.2 | Retrieving Module Name and Version | 25 |
| 12 | Mitigation of Other Attacks | 26 |
| References and Standards | 27 | |
| Acronyms | 28 |
| Item | Page |
|---|---|
| Table 1 - Security Levels | 5 |
| Table 2 - Tested Operational Environments | 7 |
| Table 3 - Approved Algorithms | 9 |
| Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation | 10 |
| Table 6 - Ports and Interfaces | 12 |
| Table 7 - Roles, Service Commands, Input and Output | 13 |
| Table 8 - Approved Services | 15 |
| Table 9 - Non-Approved Services | 16 |
| Table 10 - SSP | 21 |
| Table 11 - Non-Deterministic Random Number Generation Specification | 22 |
| Figure 1 - Samsung BoringCrypto Android boundary | 10 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| Section 6. | Section 6. | ||
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services, and Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security | N/A |
| 8 | 8 | Non-Invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-Tests | 1 |
| 11 | 11 | Life-Cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | N/A |
1. This document describes Samsung Electronics Co., Ltd.’s cryptographic module Security Policy (SP) for the Samsung BoringCrypto Android (Software version: 2022061300) cryptographic module (also referred to as the “module” hereafter). It contains specification of the security rules under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The module is a software module and has a Multi-Chip Stand Alone embodiment. The module meets the overall Level 1 security requirements of FIPS 140-3. The following table lists the level of validation for each area in FIPS 140-3: N/A N/A N/A Table 1 - Security Levels Samsung Electronics Co., Ltd. Version 1.1 Public Material
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | Android 13 | Z Flip 4 F721U | Snapdragon8+ Gen 1 | With PAA | 1 |
| 2 | Android 13 | Z Flip 4 F721U | Snapdragon8+ Gen 1 | Without PAA | 2 |
| 3 | Android 13 | XCover6 Pro | Snapdragon 778G | With PAA | 3 |
| 4 | Android 13 | XCover6 Pro | Snapdragon 778G | Without PAA | 4 |
| 5 | Android 13 | A71 5G (US) | Snapdragon 765G | With PAA | 5 |
| 6 | Android 13 | A71 5G (US) | Snapdragon 765G | Without PAA | 6 |
| 7 | Android 13 | Galaxy S20+ 5G SM- G986U | Snapdragon 865 | With PAA | 7 |
| 8 | Android 13 | Galaxy S20+ 5G SM- G986U | Snapdragon 865 | Without PAA | 8 |
| 9 | Android 13 | Galaxy S21+ 5G SM- G996U | Snapdragon 888 | With PAA | 9 |
| 10 | Android 13 | Galaxy S21+ 5G SM- G996U | Snapdragon 888 | Without PAA | 10 |
| 11 | Android 13 | S22 | Snapdragon8 Gen 1 | With PAA | 11 |
| 12 | Android 13 | S22 | Snapdragon8 Gen 1 | Without PAA | 12 |
| 13 | Android 13 | A52 | Snapdragon 750G | With PAA | 13 |
| 14 | Android 13 | A52 | Snapdragon 750G | Without PAA | 14 |
| 15 | Android 13 | S23 | Snapdragon8 Gen2 | With PAA | 15 |
| 16 | Android 13 | S23 | Snapdragon8 Gen2 | Without PAA | 16 |
| 17 | Android 13 | Z-FLIP | Snapdragon 855+ | With PAA | 17 |
| 18 | Android 13 | Z-FLIP | Snapdragon 855+ | Without PAA | 18 |
| 19 | Android 13 | Galaxy S20+ 5G SM- G986B/DS | Exynos 990 | With PAA | 19 |
| 20 | Android 13 | Galaxy S20+ 5G SM- G986B/DS | Exynos 990 | Without PAA | 20 |
| 21 | Android 13 | Galaxy S21+ 5G SM- G996B/DS | Exynos 2100 | With PAA | 21 |
| 22 | Android 13 | Galaxy S21+ 5G SM- G996B/DS | Exynos 2100 | Without PAA | 22 |
| 23 | Android 13 | Galaxy S22 Ultra SM- S908B | Exynos 2200 | With PAA | 23 |
| 24 | Android 13 | Galaxy S22 Ultra SM- S908B | Exynos 2200 | Without PAA | 24 |
| 25 | Android 13 | A53 | Exynos1280 | With PAA | 25 |
| 26 | Android 13 | A53 | Exynos1280 | Without PAA | 26 |
| 27 | Android 13 | XCover, G715FN | Exynos 9611 | With PAA | 27 |
| 28 | Android 13 | XCover, G715FN | Exynos 9611 | Without PAA | 28 |
| 29 | Android 13 | TAB S9 FE | Exynos 1380 | With PAA | 29 |
| 30 | Android 13 | TAB S9 FE | Exynos 1380 | Without PAA | 30 |
| 31 | Android 13 | Tab Active3 | Exynos 9810 | With PAA | 31 |
| 32 | Android 13 | Tab Active3 | Exynos 9810 | Without PAA | 32 |
2. Cryptographic Module Specification Samsung BoringCrypto Android module by Samsung Electronics Co., Ltd. is an general-purpose cryptographic library which provides approved cryptographic algorithms to serve BoringSSL and other user-space applications. The module is intended for use in environment specified in Table 2 below and any general-purpose environment that requires cryptographic primitives. The Tested Operational Environment’s Physical Perimeter (TOEPP) of the module is the physical perimeter of the tested environment, which is listed in Table 2 below. The module is a software module and has a Multi-Chip Stand Alone embodiment. The installation instructions are provided in Section 11 of this document. The boundary of the module is defined as a single object file, bcm.o. The module version is: 2022061300. The module was tested on the following operational environments: # Samsung Electronics Co., Ltd. Version 1.1 Public Material
Table 2 - Tested Operational Environments Table 3 below lists all the approved algorithms implemented in the module: Samsung Electronics Co., Ltd. Version 1.1 Public Material
| Name | CAVP Cert | Mode Method | Key Size | Use Function | Use / Function |
|---|---|---|---|---|---|
| AES FIPS 197 SP800-38A | A3285 | CBC, ECB, CTR | Key sizes: 128, 192, 256 bits; Strength: 128, 192, 256 bits | Encryption, Decryption | |
| AES FIPS 197 SP800-38D | A3285 | GCM | Key sizes: 128, 192, 256 bits; Strength: 128, 192, 256 bits | Authenticated Encryption, Authenticated Decryption | |
| AES FIPS 197 SP800-38C | A3285 | CCM | Key size: 128 bits; Strength: 128 bits | Authenticated Encryption, Authenticated Decryption | |
| AES, KTS FIPS 197 SP800-38F | A3285 | KW, KWP | Key sizes: 128, 192, 256 bits; Strength: 128, 192, 256 bits | Key Transport per IG D.G Key establishment methodology provides between 128 and 256 bits of encryption strength | |
| TLS v1.0/1.1 and v1.2 KDF2 SP800-135rev1 | CVL A3285 | N/A | SHA2-256, SHA2- 384, SHA2-512; Strength: 256, 384, 512 bits | Key Derivation | |
| CKG | Vendor Affirmed | SP800-133rev2 | Cryptographic Key Generation: Section 5: Generation of Key Pairs for Asymmetric-Key Algorithms, Section 6.1: The “Direct Generation” of Symmetric Keys | Key Generation Symmetric keys and seeds are generated as the direct output of the DRBG | |
| DRBG SP800-90Arev1 | A3285 | CTR_DRBG | AES-256; Key size: 256 bits; Strength: 256 bits | Random Bit Generation | |
| ECDSA FIPS 186-4 | A3285 | Key Pair Generation, Signature Generation, Signature Verification, Public Key Validation | P-224, P-256, P-384, P-521; Strength: 112, 128, 192, 256 bits | Digital Signature Services | |
| HMAC FIPS 198-1 | A3285 | Generate, Verify | HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512; Strength: 128, 192, 256, 384, 512 bits | Generation, Authentication | |
| RSA FIPS 186-4 | A3285 | Key Generation, Signature Generation, Signature Verification PKCS 1.5 and PSS | 1024, 2048, 3072, 4096; Strength: 80, 112, 128, 152 bits; Note: Key size 1024 should be only used for Signature Verification | Digital Signature Services | |
| SHA FIPS 180-4 | A3285 | Hashing | SHA-13, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/256; Strength: 80, 112, 128, 192, 256, 128 bits | Digital Signature Generation, Digital Signature Verification, Non-Digital Signature Applications | |
| KAS-SSC SP800-56Arev3 | A3285 | KAS-ECC-SSC ephemeralUnified | ECC: P-224, P-256, P- 384 and P-521; Strength: 112, 128, 192, 256 bits | Key Agreement Scheme Shared Secret Computation per SP800-56Arev3; Key establishment methodology provides between 112 and 256 bits of security strength | |
| MD5 | As allowed per SP800-135rev1 (No security claimed) | When used with the TLS protocol version 1.0 and 1.1 |
N/A There are algorithms that have been CAVP-tested on the same certificate but are not used by any approved service of the module Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. No parts of this protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the Samsung Electronics Co., Ltd. Version 1.1 Public Material
| Name | CAVP Cert | Mode Method | Key Size | Use Function | Use / Function |
|---|---|---|---|---|---|
| HMAC FIPS 198-1 | A3285 | Generate, Verify | HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512; Strength: 128, 192, 256, 384, 512 bits | Generation, Authentication | |
| RSA FIPS 186-4 | A3285 | Key Generation, Signature Generation, Signature Verification PKCS 1.5 and PSS | 1024, 2048, 3072, 4096; Strength: 80, 112, 128, 152 bits; Note: Key size 1024 should be only used for Signature Verification | Digital Signature Services | |
| SHA FIPS 180-4 | A3285 | Hashing | SHA-13, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2- 512/256; Strength: 80, 112, 128, 192, 256, 128 bits | Digital Signature Generation, Digital Signature Verification, Non-Digital Signature Applications | |
| KAS-SSC SP800-56Arev3 | A3285 | KAS-ECC-SSC ephemeralUnified | ECC: P-224, P-256, P- 384 and P-521; Strength: 112, 128, 192, 256 bits | Key Agreement Scheme Shared Secret Computation per SP800-56Arev3; Key establishment methodology provides between 112 and 256 bits of security strength | |
| MD5 | As allowed per SP800-135rev1 (No security claimed) | When used with the TLS protocol version 1.0 and 1.1 |
Table 3 - Approved Algorithms Samsung Electronics Co., Ltd. Public Material
| Name | Use Function |
|---|---|
| MD5, MD4 | Non-Approved hashing |
| POLYVAL | Non-Approved authenticated encryption |
| DES, Triple-DES (non-compliant) | Non-Approved encryption/decryption |
| AES-GCM-SIV (non-compliant) | Non-Approved encryption/decryption |
| DH (non-compliant) | Non-Approved key agreement |
Table 5 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Figure 1 - Samsung BoringCrypto Android boundary Samsung Electronics Co., Ltd. Version 1.1 Public Material
AES GCM encryption and decryption are used in the context of the TLS protocol version 1.2 (compliant to Scenario 1a in FIPS 140-3 IG C.H). The module is compliant with NIST SP 800-52 and the mechanism for IV generation is compliant with RFC 5288. The module ensures that it is strictly increasing and thus cannot repeat. When the IV exhausts the maximum number of possible values for a given session key, the first party (client or server) to encounter this condition may either trigger a handshake to establish a new encryption key in accordance with RFC 5246 or fail. In either case, the module prevents any IV duplication and thus enforces the security property. The module’s IV is generated internally by the module’s Approved DRBG, which is internal to the module’s boundary. The IV is 96 bits in length per NIST SP 800-38D, Section 8.2.2 and FIPS 140-3 IG C.H scenario 2. The selection of the IV construction method is the responsibility of the user of this cryptographic module. In approved mode, users of the module must not utilize GCM with an externally generated IV. Per IG C.H, in the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. The module implements the KDF TLS 1.2, and other cryptographic primitives used in TLS 1.2, but does not implement the TLS 1.2 protocol itself.
The module allows the use of 1024-bit RSA keys for legacy purposes including signature generation, which is disallowed in Approved mode as per NIST SP800-131Arev2. Therefore, cryptographic operations with the Non-Approved key sizes will result in the module operating in Non-Approved mode. The elliptic curves utilized shall be the validated NIST-recommended curves and shall provide a minimum of 112 bits of encryption strength.
Non-Approved cryptographic algorithms shall not share the same key or CSP as an approved algorithm. As such, Approved algorithms shall not use the keys generated by the module’s Non-Approved key generation methods or the converse.
The module supports two modes of operation: Approved and Non-approved. The module will be in approved mode when all self-tests have completed successfully, and only Approved algorithms are invoked. See Table 4 above for a list of the supported Approved algorithms. The non-Approved mode is entered when a non-Approved algorithm is invoked. See Table 6 for a list of non-Approved algorithms. Samsung Electronics Co., Ltd. Version 1.1 Public Material
| Name | Physical Port | Logical Interface |
|---|---|---|
| Data Input | API input parameters | Data Input |
| Data Output | API output parameters and return values | Data Output |
| Control Input | API input parameters | Control Input |
| Status Output | API return values | Status Output |
3. Cryptographic Module Interfaces functions. Table 6 - Ports and Interfaces The module does not implement a power input interface or a control output interface. As a software module, control of the physical ports is outside the module scope. However, when the module is performing self-tests, or is in an error state, all output on the module’s logical data output interfaces is inhibited. Samsung Electronics Co., Ltd. Version 1.1 Public Material
| Name | Roles | Input | Output |
|---|---|---|---|
| Symmetric Encryption | CO | Plaintext, encryption key | Return code, ciphertext |
| Symmetric Decryption | CO | Ciphertext, decryption key | Return code, plaintext |
| Keyed Hashing | CO | Message, key | Return code, Message Authentication Code |
| Hashing | CO | Message | Return code, hash |
| Random Bit Generation | CO | API call parameters | Return code, random bits |
| Signature Generation | CO | Message, signing key | Return code, signature |
| Signature Verification | CO | Signature, verification key | Return code |
| Key Transport | CO | API call parameters, wrapping key | Return code, wrapped key |
| Key Agreement | CO | API call parameters | Return code, shared secret |
| TLS Key Derivation | CO | API call parameters, TLS pre- master secret | Return code, TLS Key |
| Key Verification | CO | API call parameters, key pair | Return code |
| On-Demand Self-Test | CO | N/A | Return code |
| Show Status | CO | API call parameters | Return code, status |
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Symmetric Encryption | Perform symmetric encryption operations | CO | AES Key, AES-GCM Key | AES CBC, ECB, CTR, CCM (Cert. #A3285) CKG | W, E | 1 |
| Symmetric Decryption | Perform symmetric decryption operations | CO | AES Key, AES-GCM Key, AES-GCM IV | AES CBC, ECB, CTR, GCM, CCM (Cert. #A3285) CKG | W, E | 1 |
| Keyed Hashing | Perform keyed hashing operations | CO | HMAC Key | HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 (Cert. #A3285) | W, E | 1 |
| Hashing | Perform hashing operations | CO | N/A | SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/256 (Cert. #A3285) | N/A | 1 |
| Random Bit Generation | Generate random numbers | CO | DRBG Seed, CTR_DRBG V, CTR_DRBG Key | CTR_DRBG (Cert. #A3285) CKG | G, E | 1 |
| DRBG output | CO | DRBG output | G, R | |||
| CTR_DRBG Entropy Input | CO | CTR_DRBG Entropy Input | W, E | |||
| Signature Generation | Perform signing operations | CO | RSA Signature Generation Key, ECDSA Signing Key | CTR_DRBG, RSA SigGen, ECDSA SigGen (Cert. #A3285) | G, W, E | 1 |
| Signature Verification | Perform verification operations | CO | RSA Signature Verification Key, ECDSA Verification Key | RSA SigVer, ECDSA SigVer (Cert. #A3285) | G, W, E | 1 |
| Key Transport | Perform key encryption operations; KTS using AES-KW, AES-KWP per IG D.G | CO | AES Wrapping Key | AES KW, KWP (Cert. #A3285) CKG | W, E | 1 |
| Key Agreement | Perform key agreement operations | CO | EC DH Private Key, EC DH Public Key | KAS-ECC-SSC (Cert. #A3285) | G, W, E | 1 |
| Shared Secret | Shared Secret | G | ||||
| TLS Key Derivation | Perform key derivation operations | CO | TLS Pre-Master Secret | TLS KDF (Cert. #A3285) | W, E | 1 |
| TLS Master Secret | TLS Master Secret | G, E | ||||
| Key Verification | Perform key pair verification operations | CO | ECDSA Signing Key, ECDSA Verification Key | ECDSA KeyVer (Cert. #3285) | G, W, E | 1 |
| On-Demand Self-Test | Execute self-tests on demand | CO | N/A | N/A | N/A | 1 |
| Show Status | Obtain the module status and versioning information | CO | N/A | N/A | N/A | N/A |
Samsung Electronics Co., Ltd. W, E W, E W, E N/A N/A G, E G, R W, E G, W, E G, W, E Version 1.1 Public Material
D.G W, E G, W, E G W, E G, E G, W, E G, W, E N/A N/A N/A N/A N/A N/A Z N/A N/A N/A Table 8 - Approved Services Samsung Electronics Co., Ltd. Version 1.1 Public Material
| Name | Description | Roles | Approved Functions | Indicator |
|---|---|---|---|---|
| Hashing (as allowed per SP800-135rev1) | Perform hashing operations when used with the TLS protocol version 1.0 and 1.1 | CO | MD5 | 0 |
| Hashing | Perform hashing operations | CO | MD4 | 0 |
| Hashing | Used as part of AES-GCM-SIV | CO | POLYVAL | 0 |
| Symmetric encryption/decryption | Perform symmetric encryption and/or decryption operations | CO | DES Triple-DES AES | 0 |
| RSA Primitives (RSADP, RSAEP, RSASP, RSAVP) | Perform RSA related primitive operations (decrypt, encrypt, sign, verify) | CO | RSA | 0 |
Non-Approved Services are listed in the Table 9 below: Table 9 - Non-Approved Services Samsung Electronics Co., Ltd. Public Material
| Name | Strength | Security Function | Generation | Establishment | Storage | Import Export | Key/SSP Name/Type | Zeroisation |
|---|---|---|---|---|---|---|---|---|
| AES encrypt / decrypt | 128/192/256 bits | AES-CBC, ECB, CTR, CCM A3285 | External | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry) | AES Key (CSP) | Power-cycle host |
| AES decrypt / verify | 128/192/256 bits | AES-GCM A3285 | External | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry) | AES-GCM Key (CSP) | Power-cycle host |
| AES decrypt / verify | 96 bits | AES-GCM A3285 | External | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry) | AES-GCM IV4 (CSP) | Power-cycle host |
| AES key wrapping | 128/192/256 bits | AES-KW, AES-KWP A3285 | External | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry) | AES Wrapping Key (CSP) | Power-cycle Host |
| ECDSA signature generation | 112/128/192/256 bits | ECDSA SigGen A3285 | Internally Generated | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry) | ECDSA Signing Key (CSP) | Power-cycle host |
| ECDSA signature verification | 112/128/192/256 bits | ECDSA SigVer A3285 | Internally Generated | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry) | ECDSA Verification Key (PSP) | Power-cycle Host |
| Key Agreement | 112/128/192/256 bits | ECDSA KeyGen A3285 | Internally Generated | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry) | EC DH Private Key (CSP) | Power-cycle host |
| Key Agreement | 112/128/192/256 bits | ECDSA KeyGen A3285 | Internally Generated | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry) | EC DH Public Key (PSP) | Power-cycle host |
| Keyed hashing | 128/192/256/384 /512 bits | HMAC-SHA-1, HMAC-SHA2- 224, HMAC- SHA2-256, HMAC-SHA2- 384, HMAC- | External | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry) | HMAC Key (CSP) | Power-cycle host |
| Key Agreement | 112/128/192/256 bits | KAS-ECC-SSC A3285 | Internally Generated | SP800-56Arev3 | Plaintext in RAM | N/A | Shared Secret (CSP) | Power-cycle host |
| RSA signature generation | 112, 128, 152 bits | RSA SigGen A3285 | Internally Generated | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry) | RSA Signature Generation Key (CSP) | Power-cycle host |
| RSA signature verification | 80, 112, 128, 152 bits | RSA SigVer A3285 | Internally Generated | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry); Output via API in plaintext (Electronic Entry) | RSA Signature Verification Key (PSP) | Power-cycle host |
| TLS key derivation | 384 bits | TLS KDF A3285 | Internally Derived via key derivation function defined in SP800-135rev1 KDF (TLS) | N/A | Plaintext in RAM | N/A | TLS Master Secret (CSP) | Power-cycle host |
| TLS key derivation | 112-256 bits | TLS KDF A3285 | External | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry) | TLS Pre-Master Secret (CSP) | Power-cycle host |
| DRBG Seeding material | 384 bits | CTR_DRBG A3285 | Internally Generated | N/A | Plaintext in RAM | N/A | DRBG Seed (CSP) | Power-cycle host |
| DRBG internal state | 128 bits | CTR_DRBG A3285 | Internally Generated | N/A | Plaintext in RAM | N/A | CTR_DRBG V (CSP) | Power-cycle host |
| DRBG internal state | 256 bits | CTR_DRBG A3285 | Internally Generated | N/A | Plaintext in RAM | N/A | CTR_DRBG Key (CSP) | Power-cycle host |
| DRBG entropy | 384 bits used as seed, quality of entropy at least 112 bits | CTR_DRBG A3285 | External | N/A | Plaintext in RAM | Input via API in plaintext (Electronic Entry) | CTR_DRBG Entropy Input (CSP) | Power- cycle host |
| Random bits provided for the calling application | 2048 bits | CTR_DRBG A3285 | Internally Generated | N/A | Plaintext in RAM | N/A | DRBG output | Power- cycle host |
9. Sensitive Security Parameter Management All the SSPs are zeroized implicitly when host platform is restarted. The various SSPs used by the module are listed in Table 10 below: As specified in Section 2.1.1, usage of externally generated IV is only allowed for AES-GCM decryption in the approved mode of operation. Samsung Electronics Co., Ltd. Version 1.1 Public Material
HMAC-SHA2224, HMACSHA2-256, HMAC-SHA2384, HMACSamsung Electronics Co., Ltd. Version 1.1 Public Material
N/A N/A N/A Samsung Electronics Co., Ltd. Version 1.1 Public Material
N/A N/A N/A N/A N/A N/A N/A N/A Powercycle N/A N/A Powercycle Table 10
| Name | Key Size | ||
|---|---|---|---|
| Details | Entropy sources | Minimum number of bits of | |
| Use of a [SP800-90B] compliant entropy source with at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The callback functions shall return an error if the minimum entropy strength cannot be met. The caveat “No assurance of the minimum strength of generated SSPs (e.g., keys)” is applicable | 112 bits and above | Passive Entropy |
Table 11 - Non-Deterministic Random Number Generation Specification 10. Self-Tests ISO/IEC 19790 requires the module to perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality. Some functions also require conditional tests during normal operation of the module. The self-tests can be requested on demand by power cycling the host platform. The module has a single error state, which is called the error state. This state is entered upon failure of a self-test. The module indicates this error state by providing the output status “*** KAT failed” where *** is the algorithm name (example: ECDSA-sign KAT failed). The module can be recovered by terminating execution of the host program and reclamation by the host operating system. The supported tests are listed and described in this section.
Pre-operational self-tests are run upon the initialization of the module and further reboots of the host platform. The CAST (Cryptographic Algorithm Self-Test) for HMAC-SHA2-256 is performed before the integrity test. Self-tests do not require operator intervention to run. If any of the tests fail, the module will not initialize and enter an error state where no services can be accessed. The module implements the following pre-operational self-tests:
Conditional Cryptographic Algorithm Self-Tests (CAST) are run prior to the first use of the cryptographic algorithm. CASTs do not require operator intervention to run. If any of the tests fail, the module will enter an error state and no services can be accessed. Samsung Electronics Co., Ltd. Version 1.1 Public Material
The module implements the following CASTs:
11. Life-Cycle Assurance The cryptographic module is initialized by loading the module before any cryptographic functionality is available. In User Space, the operating system is responsible for the initialization process and loading of the library. There are no maintenance requirements applicable. General guidance about the module can be found at https://boringssl.googlesource.com/boringssl. This includes information about the APIs, building and specific information related to FIPS can be found at https://boringssl.googlesource.com/boringssl.git/+/refs/heads/fips20220613/crypto/fipsmodule/FIPS.md (note this still mentions 140-2, but the information there is the same).
The module is open source. A Linux workstation with the following tools is required to build and compile the module: Android 13 git 2.23 or later (https://git-scm.com/download/linux) base64, curl, sha256sum (these should come with the Linux installation)
Once a Linux workstation with the above tools has been obtained, issue the following commands to download and verify repo: curl 'https://gerrit.googlesource.com/git-repo/+/e778e57f11/repo?format=TEXT' | base64 -d > ~/repo chmod u+x ~/repo gpg --recv-key 8BB9AD793E8E6153AF0F9A4416530D5E920F5C65 curl https://storage.googleapis.com/git-repo-downloads/repo.asc | gpg --verify - ~/repo Download the manifest from https://ci.android.com/builds/submitted/8918218/aosp_arm64userdebug/latest/manifest_8918218.xml by clicking the Download button. Verify the manifest using the following command: Sha256sum ~/manifest_8918218.xml Manually validate that the output from the final command indicates the following expected hash values for this file: fae7a587167b3b3ebdf5b2c53335a1d1827beddcf23d2788d07f3bbbe9ff7182 manifest_8918218.xml The module can be obtained by issuing the following commands: mkdir aosp cd aosp ~/repo init -u https://android.googlesource.com/platform/manifest --depth 1 ~/repo init -m ~/manifest_8918218.xml ~/repo sync -q -c -j 20 Samsung Electronics Co., Ltd. Version 1.1 Public Material
Once downloaded, the module can be built using the following command: . build/envsetup.sh lunch aosp_arm64-eng m clean m test_fips
The following methods will provide the module name and versions:
12. Mitigation of Other Attacks The module is not designed to mitigate attacks which are outside of the scope of FIPS 140-3. Samsung Electronics Co., Ltd. Version 1.1 Public Material
References and Standards The following Standards are referenced in this Security Policy: Abbreviation FIPS 140-3 FIPS 180-4 FIPS 186-4 FIPS 197 FIPS 198-1 IG SP 800-38A SP 800-38C SP 800-38D SP 800-38F SP 800-52 SP 800-56A SP 800-90A SP 800-131A SP 800-133 SP 800-135 Full Specification Name Security Requirements for Cryptographic modules Secure Hash Standard (SHS) Digital Signature Standard (DSS) Advanced Encryption Standard The Keyed-Hash Message Authentication Code (HMAC) Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography Recommendation for Random Number Generation Using Deterministic Random Bit Generators Transitioning the Use of Cryptographic Algorithms and Key Lengths Recommendation for Cryptographic Key Generation Recommendation for Existing Application-Specific Key Derivation Functions Samsung Electronics Co., Ltd. Version 1.1 Public Material
Acronyms Acronym AES API CAVP CBC CCCS CFB CKG CMVP CO CRNGT CSP CTR DES DH DRBG DSS EC ECB ECC EC DH ECDSA FIPS GCM GMAC GPC HMAC IG IV KAS KAT KDF KW KWP LLC MAC MD4 MD5 N/A NIST Definition Advanced Encryption Standard Application Programming Interface Cryptographic Algorithm Validation Program Cipher-Block Chaining Canadian Centre for Cyber Security Cipher Feedback Cooperative Key Generation Crypto Module Validation Program Cryptographic Officer Continuous Random Number Generator Test Critical Security Parameter Counter-mode Data Encryption Standard Diffie-Hellman Deterministic Random Bit Generator Digital Signature Standard Elliptic Curve Electronic Code Book Elliptic Curve Cryptography Elliptic Curve Diffie-Hellman Elliptic Curve Digital Signature Authority Federal Information Processing Standards Galois/Counter Mode Galois Message Authentication Code General Purpose Computer Key-Hashed Message Authentication Code Implementation Guidance Initialization Vector Key Agreement Scheme Known Answer Test Key Derivation Function Key Wrap Key Wrap with Padding Limited Liability Company Message Authentication Code Message Digest algorithm MD4 Message Digest algorithm MD5 Not-Applicable National Institute of Standards and Technology NVLAP National Voluntary Lab Accreditation Program Samsung Electronics Co., Ltd. Version 1.1 Public Material
OFB PAA RAM RFC RSA SHA SHS SP SSL TLS Triple-DES Output Feedback Processor Algorithm Accelerator Random Access Memory Request For Comment Rivest Shamir Adleman Secure Hash Algorithm Secure Hash Standard Special Publication Secure Socket Layer Transport Layer Security Triple Data Encryption Standard Samsung Electronics Co., Ltd. Version 1.1 Public Material