All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Riverbed Cryptographic Module

Certificate#5017StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorRiverbed Technology, LLC
Low review priority  ·  no TCB surface named  ·  last validated 14 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date5/13/2030
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated keys
VendorRiverbed Technology, LLC

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Riverbed Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Unauthenticated</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Riverbed Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Unauthenticated</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Riverbed Technology, LLC Riverbed Cryptographic Module Software Version: 2.0.1 FIPS Security Level: 1 Document Version: 0.5 Prepared for: Prepared by: Riverbed Technology, LLC Corsec Security, Inc.

275 Shoreline Drive 12600 Fair Lakes Circle, Suite 210

Redwood City, CA 94065 Fairfax, VA 22033 United States of America United States of America Phone: +1 415.247.8800 Phone: +1 703.267.6050 www.riverbed.com www.corsec.com

Page 2
Table of Contents
#SectionPage
Page 3

Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)10
Table 3: Tested Operational Environments - Software, Firmware, Hybrid10
Table 4: Modes List and Description11
Table 5: Approved Algorithms13
Table 6: Vendor-Affirmed Algorithms14
Table 7: Non-Approved, Allowed Algorithms14
Table 8: Non-Approved, Not Allowed Algorithms15
Table 9: Security Function Implementations22
Table 10: Ports and Interfaces26
Table 11: Roles27
Table 12: Approved Services33
Table 13: Non-Approved Services34
Table 14: Storage Areas39
Table 15: SSP Input-Output Methods39
Table 16: SSP Zeroization Methods40
Table 17: SSP Table 141
Table 18: SSP Table 244
Table 19: Pre-Operational Self-Tests45
Table 20: Conditional Self-Tests48
Table 21: Pre-Operational Periodic Information48
Table 22: Conditional Periodic Information49
Table 23: Error States50
Table 24. Acronyms and Abbreviations54
Figure 1. Module Block Diagram (with Cryptographic Boundary)8
Figure 2. GPC Block Diagram9
Page 5
1.1 Overview
1.1.1 Abstract

This is a non-proprietary Cryptographic Module Security Policy for the Riverbed Cryptographic Module (software version: 2.0.1) from Riverbed Technology, LLC (Riverbed). This Security Policy describes how the Riverbed Cryptographic Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. The Riverbed Cryptographic Module is referred to in this document as Riverbed Crypto Module or the module.

1.1.2 References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:

1.1.3 Document Organization

ISO/IEC 19790 Annex B uses the same section naming convention as ISO/IEC 19790 section 7 - Security requirements. For example, Annex B section B.2.1 is named “General” and B.2.2 is named “Cryptographic module specification,” which is the same as ISO/IEC 19790 section 7.1 and section 7.2, respectively. Therefore, the format of this Security Policy is presented in the same order as indicated in Annex B, starting with “General” and ending with “Mitigation of other attacks.” If sections are not applicable, they have been marked as such in this document.

1.2 Security Levels

The Riverbed Cryptographic Module is validated at the FIPS 140-3 section levels shown in the table below. Section Title Security Level

1 General 1
2 Cryptographic module specification 1

Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 6

Section Title Security Level

3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels The module has an overall security level of 1. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 7
2.1 Description
2.1.1 Purpose and Use

Since its inception in 2002, Riverbed Technology, LLC has helped the world’s largest organizations maximize the performance of their networks and applications so they can reach the full potential of their IT investments. Riverbed’s products consist of software and hardware focused on network performance monitoring, application performance management, and wide area networks (WANs). The Riverbed Network and Application Performance Platform enables organizations to visualize, optimize, accelerate, and remediate the performance of any network for any application. Only Riverbed addresses performance and visibility holistically with best-in-class WAN optimization, network performance management, application acceleration, and enterprise-grade SD-WAN 1. The Riverbed Cryptographic Module v2.0.1 is a software library providing a C language API 2 for use by Riverbed applications requiring cryptographic functionality. The Riverbed Cryptographic Module offers symmetric encryption/decryption, digital signature generation/verification, hashing, cryptographic key generation, random number generation, message authentication, and key establishment functions to secure data-at-rest/data-inflight and to support secure communications protocols (including TLS 3 1.2/1.3).

2.1.2 Module Type

The Riverbed Cryptographic Module 2.0.1 is a Software module.

2.1.3 Module Embodiment

The Riverbed Cryptographic Module has a MultiChipStand embodiment.

2.1.4 Cryptographic Boundary

The cryptographic boundary is the contiguous perimeter that surrounds all memory-mapped functionality provided by the module when loaded and stored in the host platform’s memory. Figure 2 is a block diagram of the module executing in memory and its interactions with surrounding software components, as well as the module’s cryptographic boundary and Tested Operational Environment’s Physical Perimeter (TOEPP).

1 SD-WAN – Software-Defined Wide Area Network

API

3 TLS – Transport Layer Security

Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 8

Figure 1. Module Block Diagram (with Cryptographic Boundary) The module is entirely contained within the physical perimeter.

2.1.5 Tested Operational Environment’s Physical Perimeter

(TOEPP) As a software cryptographic module, the TOEPP of the cryptographic module is defined by each host platform on which the module is installed. Figure 2 below illustrates a block diagram of a typical GPC (the black dotted line represents the module’s physical perimeter). Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 9

Hardware Network DVD RAM Management Interface HDD Clock SCSI/SATA Generator Controller LEDs/LCD CPU Serial I/O Hub Audio Cache PCI/PCIe Slots USB BIOS Power Graphics PCI/PCIe Interface Controller Slots External Power Supply KEY: BIOS

2.2 Tested and Vendor Affirmed Module Version and
2.2.1 Tested Module Identification – Hardware

This section is only applicable for hardware modules. N/A for this module. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 10
2.2.2 Tested Module Identification – Software, Firmware, Hybrid

(Executable Code Sets) The table below lists the executable code sets of the module. Package or File Name Software/ Firmware Version Features Integrity Test libcrypto.so 2.0.1 N/A Yes libssl.so 2.0.1 N/A Yes Table 2: Tested Module Identification

2.2.3 Tested Module Identification – Hybrid Disjoint Hardware

This section is only applicable to hybrid modules. N/A for this module.

2.2.4 Tested Operational Environments – Software, Firmware,

Hybrid The module was tested and found to be compliant with FIPS 140-3 requirements on the environments listed in the table below. Operating Hypervisor Hardware Platform Processors PAA/PAI Version(s) System or Host OS AlmaLinux 8 Riverbed AppResponse 2180 Intel Xeon Silver 4110 Yes N/A 2.0.1 AlmaLinux 8 Riverbed AppResponse 2180 Intel Xeon Silver 4110 No N/A 2.0.1 Table 3: Tested Operational Environments - Software, Firmware, Hybrid The module is designed to utilize the AES-NI extended instruction set when available by the host platform’s CPU for processor algorithm acceleration (PAA) of its AES implementation.

2.2.5 Vendor-Affirmed Operational Environments – Software,

Firmware, Hybrid There are no vendor-affirmed operational environments claimed. N/A for this module.

2.3 Excluded Components

The module does not exclude any components from the requirements. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 11
2.4 Modes of Operation
2.4.1 Modes List and Description

The module supports two modes of operation: Approved and non-Approved. These operational modes are described in the table below. Mode Description Type Status Indicator Name Approved The module switches between the Approved mode and Non-Approved mode Approved Indicator API depending on the service executed. The module is in this mode once all pre- return value = 1 operational self-tests have completed successfully, and only Approved services are invoked. Non- The module will switch to the non-Approved mode upon execution of a non- Non- Indicator API Approved Approved service. Approved return value other than 1 Table 4: Modes List and Description Section 4.3 of this Security Policy lists the services that constitute the Approved mode of operation. Section 4.4 below lists the services that constitute the non-Approved mode. When following the guidance in section 11.3 of this Security Policy, CSPs are not shared between Approved and non-Approved services and modes of operation. The module does not support degraded operation.

2.5 Algorithms
2.5.1 Approved Algorithms

The module employs cryptographic algorithm implementations from the following sources:

Page 12

Algorithm CAVP Cert Properties Reference AES-GCM A5835 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.2 Key Length - 128, 192, 256 AES-GMAC A5835 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A5835 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5835 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A5835 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A5835 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A5835 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes DSA KeyGen A5835 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 DSA PQGGen A5835 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 DSA PQGVer A5835 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 DSA SigGen A5835 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 DSA SigVer A5835 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 ECDSA KeyGen A5835 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, FIPS 186-4 (FIPS186-4) P-384, P-521 Secret Generation Mode - Testing Candidates ECDSA KeyVer A5835 Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, FIPS 186-4 (FIPS186-4) P-192, P-224, P-256, P-384, P-521 ECDSA SigGen A5835 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, FIPS 186-4 (FIPS186-4) P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A5835 Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, FIPS 186-4 (FIPS186-4) P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 HMAC-SHA-1 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2-224 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2-256 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2-384 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2-512 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3-224 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3-256 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3-384 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3-512 A5835 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 13

Algorithm CAVP Cert Properties Reference KAS-ECC-SSC Sp800- A5835 Domain Parameter Generation Methods - B-233, B-283, B-409, B-571, K-233, SP 800-56A 56Ar3 K-283, K-409, K-571, P-224, P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC Sp800- A5835 Domain Parameter Generation Methods - FB, FC SP 800-56A 56Ar3 Scheme - Rev. 3 dhEphem KAS Role - initiator, responder PBKDF A5835 Iteration Count - Iteration Count: 10-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 1 RSA KeyGen A5835 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A5835 Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A5835 Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-224 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-256 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-384 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-512 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA3-224 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 202 SHA3-256 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 202 SHA3-384 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 202 SHA3-512 A5835 Message Length - Message Length: 0-65528 Increment 8 FIPS 202 SHAKE-128 A5835 Output Length - Output Length: 16-1024 Increment 8 FIPS 202 SHAKE-256 A5835 Output Length - Output Length: 16-1024 Increment 8 FIPS 202 TDES-CBC A5835 Direction - Decrypt SP 800-67 Rev. 2 TDES-CFB1 A5835 Direction - Decrypt SP 800-67 Rev. 2 TDES-CFB64 A5835 Direction - Decrypt SP 800-67 Rev. 2 TDES-CFB8 A5835 Direction - Decrypt SP 800-67 Rev. 2 TDES-CMAC A5835 Direction - Verification SP 800-67 Rev. 2 TDES-ECB A5835 Direction - Decrypt SP 800-67 Rev. 2 TDES-OFB A5835 Direction - Decrypt SP 800-67 Rev. 2 TLS v1.2 KDF A5835 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 TLS v1.3 KDF (CVL) A5836 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Table 5: Approved Algorithms

2.5.2 Vendor-Affirmed Algorithms

The vendor affirms the following cryptographic security methods: Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 14
2.5.3 Non-Approved, Allowed Algorithms

The table below lists the non-Approved algorithms implemented by the module that are allowed for use in the Approved mode of operation. Name Properties Implementation Reference AES-CBC Key unwrapping:128, 192, Riverbed Cryptographic Module FIPS 197, SP 800-38A, FIPS 140-3 IG

256 (libcrypto) D.G

AES-CFB1 Key unwrapping:128, 192, Riverbed Cryptographic Module FIPS 197, SP 800-38A, FIPS 140-3 IG

256 (libcrypto) D.G

AES-CFB128 Key unwrapping:128, 192, Riverbed Cryptographic Module FIPS 197, SP 800-38A, FIPS 140-3 IG

256 (libcrypto) D.G

AES-CFB8 Key unwrapping:128, 192, Riverbed Cryptographic Module FIPS 197, SP 800-38A, FIPS 140-3 IG

256 (libcrypto) D.G

AES-CTR Key unwrapping:128, 192, Riverbed Cryptographic Module FIPS 197, SP 800-38A, FIPS 140-3 IG

256 (libcrypto) D.G

AES-ECB Key unwrapping:128, 192, Riverbed Cryptographic Module FIPS 197, SP 800-38A, FIPS 140-3 IG

256 (libcrypto) D.G

AES-OFB Key unwrapping:128, 192, Riverbed Cryptographic Module FIPS 197, SP 800-38A, FIPS 140-3 IG

256 (libcrypto) D.G

TDES-CBC (2-key or 3- Key unwrapping: Riverbed Cryptographic Module SP 800-67 Rev. 2, SP 800-38A, FIPS key) (libcrypto) 140-3 IG D.G TDES-CFB1 (2-key or 3- Key unwrapping: Riverbed Cryptographic Module SP 800-67 Rev. 2, SP 800-38A, FIPS key) (libcrypto) 140-3 IG D.G TDES-CFB64 (2-key or Key unwrapping: Riverbed Cryptographic Module SP 800-67 Rev. 2, SP 800-38A, FIPS 3-key) (libcrypto) 140-3 IG D.G TDES-CFB8 (2-key or 3- Key unwrapping: Riverbed Cryptographic Module SP 800-67 Rev. 2, SP 800-38A, FIPS key) (libcrypto) 140-3 IG D.G TDES-ECB (2-key or 3- Key unwrapping: Riverbed Cryptographic Module SP 800-67 Rev. 2, SP 800-38A, FIPS key) (libcrypto) 140-3 IG D.G TDES-OFB (2-key or 3- Key unwrapping: Riverbed Cryptographic Module SP 800-67 Rev. 2, SP 800-38A, FIPS key) (libcrypto) 140-3 IG D.G Table 7: Non-Approved, Allowed Algorithms

2.5.4 Non-Approved, Allowed Algorithms with No Security Claimed

The module does not implement any non-Approved algorithms allowed in the Approved mode of operation for which no security is claimed. N/A for this module. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 15
2.5.5 Non-Approved, Not Allowed Algorithms

The table below lists the non-Approved algorithms that are not allowed for use in the Approved mode of operation. Name Use and Function AES-GCM (non-compliant) Authenticated encryption/decryption using external IV AES-OCB Authenticated encryption/decryption ANSI X9.31 RNG (non- Random number generation using with 128-bit AES core compliant) ARIA Encryption/decryption Blake2 Encryption/decryption Blowfish Encryption/decryption Camellia Encryption/decryption CAST, CAST5 Encryption/decryption ChaCha20 Encryption/decryption DES Encryption/decryption DH (non-compliant) Key agreement (non-compliant with key sizes below 2048) DRBG (non-compliant) Random bit generation (non-compliant when using Hash_DRBG and HMAC_DRBG) DSA (non-compliant) Key pair generation; digital signature generation; digital signature verification (non-compliant with key sizes below the minimums for Approved mode) DSA, ECDSA, and RSA (non- Digital signature generation (non-compliant when used with SHA-1 outside the TLS protocol) compliant) ECDH (non-compliant) Key agreement (non-compliant with curves P-192, K-163, B-163, and non-NIST curves) ECDSA (non-compliant) Key pair generation; digital signature generation; digital signature verification (non-compliant with curves P-192, K-163, B-163, and non-NIST curves) EdDSA Key pair generation; digital signature generation; digital signature verification HKDF HMAC-based key derivation IDEA Encryption/decryption MD2, MD4, MD5 Message digest Poly1305 Message authentication code RC2, RC4, RC5 Encryption/decryption RIPEMD Message digest RMD160 Message digest RSA (non-compliant) Key pair generation; digital signature generation; signature verification; key transport (non-compliant with non-approved/untested key sizes, and functions) SEED Encryption/decryption SHA-1 (non-compliant) Signature generation in TLS 1.0/1.1 SM2, SM3 Message digest SM4 Encryption/decryption TLS 1.2 KDF (non- Key derivation function per (RFC 5246) compliant) Triple-DES (non-compliant) Encryption; MAC generation; key wrapping Whirlpool Message digest Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

The table below lists the security function implementations for this module. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 16

Name Type Description Properties Algorithms AES for Symmetric BC-UnAuth AES for the AES key, Publication:SP 800-38A AES-CBC Encryption/Decryption which is used for AES-CFB1 symmetric encryption AES-CFB8 and decryption. AES-CFB128 AES-CTR AES-ECB AES-OFB AES-CMAC for MAC MAC AES-CMAC for the AES Publication:SP 800-38B AES-CMAC Generation/Verification CMAC key, which is used for MAC generation and verification. AES-GMAC for MAC MAC AES for the AES GMAC Publication:SP 800-38D AES-GMAC Generation/Verification key, which is used for AES-CTR MAC generation and verification. AES-CCM for BC-Auth AES-CCM for the AES Publication:SP 800-38C AES-CCM Authenticated CCM key, which is used AES-CBC Symmetric for authenticated Encryption/Decryption symmetric encryption and decryption. AES-GCM for BC-Auth AES-GCM for the AES Publication:SP 800-38D AES-GCM Authenticated GCM key, which is used AES-CTR Symmetric for authenticated Counter DRBG Encryption/Decryption symmetric encryption and decryption. AES-XTS for Symmetric BC-UnAuth AES-XTS for the AES XTS Publication:SP 800-38E AES-XTS Testing Encryption/Decryption key, which is used for Revision 2.0 symmetric encryption AES-ECB and decryption. Counter DRBG KTS-AES+MAC KTS-Wrap AES-CMAC for the AES Publication:Publication: AES-CMAC CMAC key, which is Per FIPS 140-3 AES-GMAC used for key transport. Implementation HMAC-SHA-1 Guidance D.G, any HMAC-SHA2-224 Approved mode of AES HMAC-SHA2-256 with CMAC is an HMAC-SHA2-384 Approved key transport HMAC-SHA2-512 technique. HMAC-SHA3-224 Key Strength:Key HMAC-SHA3-256 establishment HMAC-SHA3-384 methodology provides HMAC-SHA3-512 between 128 and 256 AES-CBC bits of encryption AES-CFB1 strength. AES-CFB8 AES-CFB128 AES-CTR AES-ECB AES-OFB Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 17

Name Type Description Properties Algorithms KTS-AES-CCM KTS-Wrap AES-CCM for the AES Publication:Per FIPS AES-CCM CCM key, which is used 140-3 Implementation AES-CTR for key transport. Guidance D.G, AES-CCM is an Approved key transport technique. Key Strength:Key establishment methodology provides between 128 and 256 bits of encryption strength. KTS-AES-GCM KTS-Wrap AES-GCM for the AES Publication:Per FIPS AES-GCM GCM key, which is used 140-3 Implementation AES-CTR for key transport. Guidance D.G, AES-GCM is an Approved key transport technique. Key Strength:Key establishment methodology provides between 128 and 256 bits of encryption strength. KTS-AES-KW KTS-Wrap AES-KW and AES-KWP Publication:SP 800-38F AES-KW for the AES key, which is Key Strength:Key AES-KWP used for key transport. establishment methodology provides between 128 and 256 bits of encryption strength. DRBG DRBG Deterministic random Publication:SP 800-90A Counter DRBG bit generator DSA KeyGen for DH AsymKeyPair-KeyGen Key generation of the Publication:FIPS 186-4 DSA KeyGen (FIPS186-4) DSA private component Counter DRBG and the DSA public CKG1 component. DSA for Digital Signature DigSig-SigVer DSA digital signature Publication:FIPS 186-4 DSA SigVer (FIPS186-4) Verification (legacy) verification for the DSA Publication:FIPS 140-3 SHA-1 public key. IG C.M SHA2-224 SHA2-256 SHA2-384 SHA2-512 ECDSA for Key AsymKeyPair-KeyGen Key generation of the Publication:FIPS 186-4 ECDSA KeyGen Generation ECDSA private key and (FIPS186-4) ECDSA public key. Counter DRBG CKG1 ECDSA KeyGen for ECDH AsymKeyPair-KeyGen Key generation of the Publication:FIPS 186-4 ECDSA KeyGen ECDH private (FIPS186-4) component and the Counter DRBG ECDSA public CKG1 component. ECDSA for Key AsymKeyPair-KeyVer Public key validation Publication:FIPS 186-4 ECDSA KeyVer (FIPS186Verification 4) Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 18

Name Type Description Properties Algorithms ECDSA for Digital DigSig-SigGen ECDSA digital signature Publication:FIPS 186-4 ECDSA SigGen (FIPS186Signature Generation generation for the

  1. ECDSA private key. Counter DRBG SHA2-224 SHA2-256 SHA2-384 SHA2-512 ECDSA for Digital DigSig-SigVer ECDSA digital signature Publication:FIPS 186-4 ECDSA SigVer (FIPS186Signature Verification verification for the
  2. ECDSA public key. SHA2-224 SHA2-256 SHA2-384 SHA2-512 HMAC for Message MAC Message Authentication Publication:FIPS 198-1 HMAC-SHA-1 Authentication HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 HMAC-SHA3-224 HMAC-SHA3-384 HMAC-SHA3-512 SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 ECDH Shared Secret KAS-SSC Shared secret Publication:SP 800-56A KAS-ECC-SSC Sp800Computation computation for ECDH. Rev. 3 56Ar3 Publication:SP 800-90A ECDSA KeyGen Rev. 1 (FIPS186-4) Publication:SP 800-133 ECDSA KeyVer (FIPS186Rev. 2
  3. Publication:FIPS 140-3 SHA2-224 IG D.F Scenario 2(1) SHA2-256 SHA2-384 SHA2-512 Counter DRBG HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC
Page 19

Name Type Description Properties Algorithms DH Shared Secret KAS-SSC Shared secret Publication:SP800 56A KAS-FFC-SSC Sp800Computation computation for DH. Rev.3 56Ar3 Publication:SP 800-90A DSA PQGGen (FIPS186Rev. 1 4) Publication:SP 800-133 DSA KeyGen (FIPS186-4) Rev. 2 SHA2-224 Publication:FIPS 140-3 SHA2-256 IG D.F Scenario 2(1) SHA2-384 SHA2-512 Counter DRBG HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 PBKDF PBKDF Password-based key Publication: SP 800-132 PBKDF derivation SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 RSA for Key Generation AsymKeyPair-KeyGen RSA digital signature Publication:FIPS 186-4 RSA KeyGen (FIPS186-4) generation for the RSA Counter DRBG private key. CKG1 RSA for Signature DigSig-SigGen RSA digital signature Publication:FIPS 186-4 RSA SigGen (FIPS186-4) Generation generation for the RSA SHA2-224 private key. SHA2-256 SHA2-384 SHA2-512 Counter DRBG RSA for Signature DigSig-SigVer RSA signature Publication:FIPS 186-4 RSA SigVer (FIPS186-4) Verification verification for the RSA SHA2-224 public key. SHA2-256 SHA2-384 SHA2-512 SHA/SHAKE for Message SHA Message Digest Publication:FIPS 180-4 SHA-1 Digest XOF SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-128 SHAKE-256 TDES for Symmetric BC-UnAuth TDES for the TDES key, Publication:SP 800-67 TDES-CBC Decryption (legacy) which is used for Rev. 2 TDES-CFB1 symmetric decryption. TDES-CFB64 TDES-CFB8 TDES-ECB TDES-OFB Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 20

Name Type Description Properties Algorithms TDES for MAC MAC TDES-CMAC for the Publication:SP 800-67 TDES-CMAC Verification (legacy) TDES CMAC key, which Rev. 2 is used for MAC verification. TLS1.2-KDF (CVL) KAS-135KDF TLS 1.2 key derivation, Publication :SP 800-135 TLS v1.2 KDF RFC7627 used to derive the TLS Rev. 1 SHA2-256 Session Key (AES key or Caveat:No part of the SHA2-384 AES-GCM key) and TLS TLS v1.2 protocol, other SHA2-512 Authentication Key than the KDF, has been (HMAC key). tested by the CAVP and CMVP. TLS1.3-KDF (CVL) KAS-135KDF TLS 1.3 key derivation, Publication:SP 800-135 TLS v1.3 KDF used to derive the TLS Rev. 1 HMAC-SHA2-256 Session Key (AES key or Caveat:No part of the HMAC-SHA2-384 AES-GCM key) and TLS TLS v1.3 protocol, other SHA2-256 Authentication Key than the KDF, has been SHA2-384 (HMAC key). tested by the CAVP and CMVP. DSA for Domain AsymKeyPair-DomPar DSA domain parameter Publication:Publication: DSA PQGVer (FIPS186-4) Parameter Generation generation FIPS 186-4 DSA for Key Generation AsymKeyPair-KeyGen DSA key generation Publication:FIPS 186-4 DSA KeyGen (FIPS186-4) Counter DRBG CKG1 Key Type: Asymmetric DSA for Digital Signature DigSig-SigGen DSA digital signature Publication:FIPS 186-4 DSA SigGen (FIPS186-4) Generation generation Publication: FIPS 186-4. DSA for Domain AsymKeyPair-DomPar DSA domain parameter Publication:FIPS 186-4 DSA PQGVer (FIPS186-4) Parameter Verification verification Publication:FIPS 140-3 (legacy) IG C.M AES for KTS-Wrap AES key unwrap using Publication:FIPS PUB AES-CBC Unauthenticated Key the AES key (with any 197 AES-CFB1 Unwrap (allowed) Approved Publication:SP 800-38C AES-CFB8 (legacy) unauthenticated mode) Publication:FIPS 140-3 AES-CFB128 IG C.M AES-CTR Publication:FIPS 140-3 AES-ECB IG D.G AES-OFB Key Strength: Key establishment methodology provides between 128 and 256 bits of encryption strength. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 21

Name Type Description Properties Algorithms TDES+MAC for Key KTS-Wrap TDES-CMAC key unwrap Publication :SP 800-67 TDES-CBC Unwrap (legacy) using the TDES-CMAC Rev. 2 TDES-CFB1 key TDES+HMAC key Publication:SP 800-38A TDES-CFB8 unwrap using the TDES Publication:SP 800-38B TDES-CMAC key and HMAC key Publication:FIPS PUB TDES-ECB 198-1 TDES-CFB64 Publication:FIPS 140-3 TDES-OFB IG C.M HMAC-SHA-1 Publication:FIPS 140-3 HMAC-SHA2-224 IG D.G HMAC-SHA2-256 Key Strength:Key HMAC-SHA2-384 establishment HMAC-SHA2-512 methodology provides HMAC-SHA3-224

112 or 168 bits of HMAC-SHA3-256

encryption strength. HMAC-SHA3-384 HMAC-SHA3-512 TDES for KTS-Wrap TDES key unwrap using Publication:SP 800-67 TDES-CBC Unauthenticated Key the TDES key (with any Rev. 2 TDES-CFB1 Unwrap (allowed) Approved Publication:SP 800-38A TDES-CFB64 (legacy) unauthenticated mode) Publication:FIPS 140-3 TDES-CFB8 IG C.M TDES-ECB Publication:FIPS 140-3 TDES-OFB IG D.G Key Strength:Key establishment methodology provides

112 or 168 bits of

encryption strength. AES+MAC for Key KTS-Wrap AES-CMAC key wrap Publication:FIPS PUB AES-CBC Wrap/Unwrap and unwrap using the 197 AES-CFB1 AES-CMAC key AES- Publication:SP 800-38A AES-CFB128 GMAC key wrap and Publication:SP 800-38B AES-CFB8 unwrap using the AES- Publication:SP 800-38D AES-CMAC GMAC key AES+HMAC Publication:FIPS PUB AES-CTR key wrap and unwrap 198-1 AES-ECB using the AES key and Publication:FIPS PUB AES-GMAC HMAC key 180-4 AES-OFB Publication:FIPS PUB HMAC-SHA-1

202 HMAC-SHA2-224

Publication:FIPS 140-3 HMAC-SHA2-256 IG D.G HMAC-SHA2-384 Key Strength:Key HMAC-SHA2-512 establishment HMAC-SHA2-512 methodology provides HMAC-SHA3-224 between 128 and 256 HMAC-SHA3-256 bits of encryption HMAC-SHA3-384 strength. HMAC-SHA3-512 ECDSA for Key AsymKeyPair-KeyVer ECDSA key verification Publication:FIPS 186-4 ECDSA KeyVer (FIPS186Verification (legacy) using the ECDSA public Publication:FIPS 140-3 4) key (with curves B-163, IG C.M K-163, and P-192) ECDSA for Digital DigSig-SigVer ECDSA digital signature Publication:FIPS 186-4 ECDSA SigVer (FIPS186Signature Verification verification using the Publication:FIPS 180-4 4) (legacy) ECDSA public key (with Publication:FIPS 140-3 SHA2-224 curves B-163, K-163, IG C.M SHA2-256 and P-192) SHA2-384 SHA2-512 Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 22

Name Type Description Properties Algorithms RSA for Signature DigSig-SigVer RSA signature Publication:FIPS 186-4 RSA SigVer (FIPS186-4) Verification (legacy) verification using the Publication:FIPS 180-4 SHA-1 RSA public key (with Publication:FIPS 140-3 SHA2-224 SHA-1 and/or a 1024-bit IG C.M SHA2-256 modulo) SHA2-384 SHA2-512 Table 9: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES-GCM

The module supports internal IV generation using its Approved DRBG. The IV is at least 96 bits in length per section

8.2.2 of NIST SP 800‐38D, and the Approved DRBG generates outputs such that the (key, IV) pair collision

probability is less than 2‐32 per section 8 of NIST SP 800‐38D. The module also supports AES GCM encryption used in the context of the TLS protocol versions 1.2 and 1.3. To meet the AES GCM (key/IV) pair uniqueness requirements from NIST SP 800-38D, the module complies with FIPS 140-3 IG C.H as follows:

1.3 protocol.

The mechanism for IV generation falls into scenario 5 in FIPS 140-3 IG C.H and is compliant with RFC 8446. Each session employs a “per-record nonce”, a 64-bit sequence number (or IV) maintained separately for reading and writing records. Each sequence number is set to 0 at the beginning of a connection and whenever the key is changed (the first record transmitted under a particular traffic key uses sequence number 0), and the appropriate sequence number is incremented by one after reading or writing each record. Because the size of sequence numbers is 64 bits, they should not wrap. If a sequence number needs to wrap, it is the responsibility of the module operator to either re-key with a new key for AES-GCM or terminate the connection. In case the module’s power is lost and then restored, the calling application is responsible for ensuring that a new key for use with the AES-GCM encryption/decryption shall be established. This condition is not enforced by the Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 23

module but is met implicitly. The module does not retain any state across resets or power‐cycles, and AES‐GCM key/IVs are not stored in non‐volatile persistent memory (i.e., disk). Hence, no reconnection can occur without a fresh key establishment operation and the associated SSPs. When a GCM IV is used for decryption, the responsibility for the IV generation lies with the party that performs the AES GCM encryption.

2.7.2 AES-XTS

The length of a single data unit encrypted or decrypted with the AES-XTS shall not exceed 2²⁰ AES blocks; that is,

16 MB of data per AES-XTS instance. An XTS instance is defined in section 4 of NIST SP 800-38E.

In compliance with FIPS 140-3 IG C.I, the module implements a check to ensure that the two AES keys used in the XTS-AES algorithm are not identical. As specified in NIST SP 800-132, AES-XTS mode shall only be used for the cryptographic protection of data on storage devices. The AES-XTS shall not be used for other purposes, such as the encryption of data in transit.

2.7.3 PBKDF2

The module uses PBKDF2 option 1a from section 5.4 of NIST SP 800-132. The iteration count shall be selected as large as possible, as long as the time required to generate the resultant key is acceptable for module operators. The minimum iteration count shall be 1000. The length of the password/passphrase used in the PBKDF shall be of at least 20 characters, and shall consist of lower-case, upper-case, and numeric characters. The upper bound for the probability of guessing the value is estimated to be 1/6220 = 10-36, which is less than 2-112. As specified in NIST SP 800-132, keys derived from passwords/passphrases may only be used in storage applications.

2.8 RNG and Entropy

The cryptographic module invokes a GET command to obtain entropy for random number generation (the module requests 256 bits of entropy from the calling application per request), and then passively receives entropy from the calling application while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the operational environment inside the module’s physical perimeter but outside the cryptographic boundary. Thus, there is no assurance of the minimum strength of the generated keys.

2.9 Key Generation

The cryptographic module uses its counter-based DRBG to generate seeds used for asymmetric key generation. The generated seed is an unmodified output from the DRBG. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 24
2.10 Key Establishment

The cryptographic module provides the cryptographic primitives necessary to support key agreement schemes and key transport methods utilized by the calling application to establish keys.

2.10.1 Key Agreement Schemes

The module implements the following Approved key agreement schemes (as specified in FIPS 140‐3 IG D.F Scenario 2, path 1) which have been CAVP tested and validated:

2.10.2 Key Transport Methods

The module implements the following Approved/allowed key transport methods (as specified in FIPS 140‐3 IG D.G) which have been CAVP tested and validated:

Page 25
2.11 Industry Protocols

The module supports the following industry protocols in the Approved mode of operation:

2.12 Additional Information

Algorithms designated as “legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 26
3.1 Ports and Interfaces

The module supports the following four logical interfaces:

Page 27

4. Roles, Services, and Authentication

4.1 Authentication Methods

The module does not support authentication methods; operators implicitly assume an authorized role based on the service selected. N/A for this module.

4.2 Roles

The table below lists the supported roles. Name Type Operator Type Authentication Methods Crypto Officer Role CO None User Role User None Table 11: Roles The module does not support multiple concurrent operators. The calling application that loaded the module is its only operator.

4.3 Approved Services

This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided by the module are considered the module’s security services. Indicators for Approved services (in the case of this module, those security functions with algorithm validation certificates and all required self-tests) are provided via API return value. When invoking a security function, the calling application provides inputs via an internal structure, or “context”. Upon each service invocation, the module will determine if the invoked security function is an Approved service. To access the resulting value, the calling application must pass the finalized context to the indicator API associated with that security function (note the indicator check must be performed by the calling application before any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix B below. The keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:

Page 28
Page 29

Zeroize Zeroize and de- N/A Restart calling None None Crypto allocate memory application; Officer containing reboot or - AES key: Z sensitive data power-cycle - AES CCM host platform key : Z - AES GCM key : Z - AES XTS key : Z - AES CMAC key : Z - AES GMAC key : Z - Triple-DES key : Z - Triple-DES CMAC key : Z - HMAC key : Z - DSA public key : Z - ECDSA private key : Z - ECDSA public key : Z - RSA private key : Z - RSA public key : Z - DH private component : Z - DH public component : Z - ECDH private component : Z - ECDH public component : Z Passphrase: Z - AES GCM IV: Z - TLS premaster secret: Z - TLS master secret: Z - DRBG entropy input: Z Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 30

Name Description Indicator Inputs Outputs Security Functions SSP Access - DRBG seed: Z - DRBG ‘Key’ value: Z - DSA private key : Z Perform Encrypt plaintext Indicator API API call Status, AES for Symmetric User symmetric data return value = 1 parameters, ciphertext Encryption/Decryption - AES key: encryption key, plaintext AES-XTS for Symmetric W,E Encryption/Decryption - AES XTS key : W,E Perform Decrypt ciphertext Indicator API API call Status, AES for Symmetric User symmetric data return value = 1 parameters, plaintext Encryption/Decryption - AES key: decryption key, ciphertext AES-XTS for Symmetric W,E Encryption/Decryption - AES XTS TDES for Symmetric key : W,E Decryption (legacy) - Triple-DES key : W,E Generate Generate Indicator API API call Status, AES-CMAC for MAC User symmetric symmetric digest return value = 1 parameters, digest Generation/Verification - AES CMAC digest key, plaintext TDES for MAC key : W,E Verification (legacy) - AES GMAC key : W,E Verify Verify symmetric Indicator API API call API call AES-CMAC for MAC User symmetric digest return value = 1 parameters, parameters, Generation/Verification - AES GCM digest digest digest AES-GMAC for MAC key : W,E Generation/Verification - AES GCM IV: W,E - Triple-DES CMAC key : W,E Perform Encrypt plaintext Encrypt API call Status, AES-CCM for User authenticated using supplied AES plaintext using parameters, ciphertext, Authenticated Symmetric - AES GCM encryption GCM key and IV supplied AES key, plaintext tab Encryption/Decryption key : W,E GCM key and IV AES-GCM for - AES GCM Authenticated Symmetric IV: W,E Encryption/Decryption - AES CCM key : W,E Perform Decrypt ciphertext Indicator API Indicator API Status, AES-CCM for User authenticated using supplied AES return value = 1 return value = plaintext Authenticated Symmetric - AES CCM decryption GCM key and IV 1 Encryption/Decryption key : W,E AES-GCM for - AES GCM Authenticated Symmetric key : W,E Encryption/Decryption - AES GCM IV: W,E Generate Return random Indicator API API call Status, DRBG User random bits to the calling return value = 1 parameters, random - DRBG number application entropy DRBG number entropy state values input: G,E - DRBG seed: G,E - DRBG ‘V’ value: G,E - DRBG ‘Key’ value: G,E Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 31

Name Description Indicator Inputs Outputs Security Functions SSP Access Perform keyed Compute a Indicator API API call Status, MAC HMAC for Message User hash message return value = 1 parameters, Authentication - HMAC key : operations authentication key, message W,E code Generate Generate a Indicator API Indicator API Status, SHA/SHAKE for Message User message message digest return value = 1 return value = digest Digest digest 1 Generate Generate a Indicator API Indicator API Status, key ECDSA for Key User asymmetric public/private key return value = 1 return value = pair Generation - ECDSA key pair pair 1 RSA for Key Generation private key : DSA for Domain G Parameter Generation - ECDSA DSA for Key Generation public key : G - RSA private key : G - RSA public key : G Verify ECDSA Verify an ECDSA Indicator API API call Status ECDSA for Key User public key public key return value = 1 parameters, Verification - ECDSA key ECDSA for Key public key : Verification (legacy) W Generate Generate a digital Indicator API API call Status, ECDSA for Digital User digital signature return value = 1 parameters, signature Signature Generation - ECDSA signature key, message RSA for Signature private key : Generation W,E DSA for Digital Signature - RSA private Generation key : W,E Verify digital Verify a digital Indicator API API call Status DSA for Digital Signature User signature signature return value = 1 parameters, Verification (legacy) - DSA public key, signature, ECDSA for Digital key : W,E message Signature Verification - ECDSA RSA for Signature public key : Verification W,E ECDSA for Digital - RSA public Signature Verification key : W,E (legacy) RSA for Signature Verification (legacy) Perform key Perform key wrap Indicator API API call Status, KTS-AES+MAC User wrap return value = 1 parameters, encrypted KTS-AES-CCM - AES key: encryption key KTS-AES-GCM W,E key, key KTS-AES-KW - AES CCM AES+MAC for Key key : W,E Wrap/Unwrap - AES CMAC key : W,E - AES GMAC key : W,E - AES GCM key : W,E - AES GCM IV: W,E - HMAC key : W,E Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 32

Name Description Indicator Inputs Outputs Security Functions SSP Access Perform key Perform key Indicator API API call Status, KTS-AES+MAC User unwrap unwrap return value = 1 parameters, decrypted KTS-AES-CCM - AES key: decryption key KTS-AES-GCM W,E key, key KTS-AES-KW - AES CCM AES for Unauthenticated key : W,E Key Unwrap (allowed) - AES CMAC (legacy) key : W,E TDES+MAC for Key - AES GMAC Unwrap (legacy) key : W,E TDES for - AES GCM Unauthenticated Key key : W,E Unwrap (allowed) - AES GCM (legacy) IV: W,E AES+MAC for Key - HMAC key : Wrap/Unwrap W,E - Triple-DES key : W,E Compute Perform key Perform key API call API call DSA KeyGen for DH User shared secret unwrap Compute unwrap parameters parameters ECDSA KeyGen for ECDH - DH public DH/ECDH shared Compute ECDH Shared Secret component : secret suitable for DH/ECDH Computation W,E use as input to a shared secret DH Shared Secret - DH private TLS KDF suitable for use Computation component : as input to a W,E TLS KDF - ECDH private component : W,E - ECDH public component : W,E - TLS premaster secret: G,E Derive TLS Derive TLS session Indicator API API call Status, TLS TLS1.2-KDF (CVL) User keys and integrity keys return value = 1 parameters, keys TLS1.3-KDF (CVL) - AES key: TLS pre- G,R master secret - AES GCM key : G,R - AES GCM IV: G,R - HMAC key : G,R - TLS premaster secret: W,E - TLS master secret: G,E Derive key via Derive key via Indicator API API call Status, key PBKDF User PBKDF2 PBKDF2 return value = 1 parameters, password Passphrase: W,E - AES key: G,R - Triple-DES key : G,R Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 33

Name Description Indicator Inputs Outputs Security Functions SSP Access Show Return module N/A API call Module None Crypto versioning versioning parameters name, Officer information information version Generate DSA Generate DSA Indicator API API call Status, DSA for Domain User domain domain return value = 1 parameters domain Parameter Generation parameters parameters parameters Verify DSA Verify DSA domain Indicator API API call Status DSA for Domain User domain parameters return value = 1 parameters Parameter Verification parameters (legacy) Table 12: Approved Services

4.4 Non-Approved Services

The table below lists the non-Approved services available to module operators. Name Description Algorithms Role Perform data encryption (non-compliant) Perform symmetric data encryption ARIA User Blake2 Blowfish Camellia CAST, CAST5 ChaCha20 DES IDEA RC2, RC4, RC5 SEED SM4 Triple-DES (non-compliant) Perform data decryption (non-compliant) Perform symmetric data decryption ARIA User Blake2 Blowfish Camellia CAST, CAST5 ChaCha20 DES IDEA RC2, RC4, RC5 SEED SM4 Perform MAC operations (non-compliant) Perform message authentication Poly1305 User operations Triple-DES (non-compliant) Perform hash operation (non-compliant) Perform hash operation MD2, MD4, MD5 User RIPEMD RMD160 SHA-1 (non-compliant) SM2, SM3 Whirlpool Perform digital signature functions (non- Perform digital signature functions DSA (non-compliant) User compliant) ECDSA (non-compliant) EdDSA RSA (non-compliant) Perform key agreement functions (non- Perform key agreement functions DH (non-compliant) User compliant) ECDH (non-compliant) Perform key wrap (non-compliant) Perform key wrap functions Triple-DES (non-compliant) User Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 34

Name Description Algorithms Role Perform key encapsulation function (non- Perform key encapsulation function RSA (non-compliant) User compliant) Perform key un-encapsulation function (non- Perform key un-encapsulation function RSA (non-compliant) User compliant) Perform key derivation functions (non- Perform key derivation functions HKDF User compliant) TLS 1.2 KDF (non-compliant) Perform authenticated encryption/decryption Perform authenticated AES-GCM (non-compliant) User encryption/decryption AES-OCB Perform random number generation Perform random number generation ANSI X9.31 RNG (non- User compliant) DRBG (non-compliant) Perform key pair generation Perform key pair generation DSA (non-compliant) User DSA, ECDSA, and RSA (noncompliant) ECDSA (non-compliant) EdDSA RSA (non-compliant) Table 13: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not provide the capability to load software from external sources. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 35
5.1 Integrity Techniques

All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file; failure of the integrity test for either library file will cause the module to enter a critical error state. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator.

5.2 Initiate on Demand

The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 36
6.1 Operational Environment Type and Requirements

The module is a software cryptographic library that executes in a Non-Modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host platform’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environment provides the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 37

7. Physical Security This section is not applicable. Per section 7.7.1 of ISO/IEC 19790:2012, the requirements of this section are “applicable to hardware and firmware modules, and hardware and firmware components of hybrid modules”. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 38

8. Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques references in Annex F of ISO/IEC 19790. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 39

9. Sensitive Security Parameters Management

9.1 Storage Areas

There are no mechanisms within the module’s cryptographic boundary for the persistent storage of SSPs. SSPs are stored in volatile RAM during module operation. The table below lists the storage areas used by the module. Storage Persistence Area Description Type Name RAM SSPs are stored in the RAM Dynamic Table 14: Storage Areas The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.

9.2 SSP Input-Output Methods

The table below lists input and output methods for the module’s SSPs. Section 9.4 below selects from the input and output methods listed and specifies the appropriate method(s) in the “Inputs - Outputs” column applicable to each SSP. Format Distribution Entry SFI or Name From To Type Type Type Algorithm [Input] External to RAM via Plaintext External RAM Plaintext Automated Electronic [Output] RAM to External via Plaintext RAM External Plaintext Automated Electronic Table 15: SSP Input-Output Methods

9.3 SSP Zeroization Methods

The table below lists SSP zeroization methods available to module operators. Section 9.4 below selects from the zeroization methods listed and specifies the appropriate method(s) in the “Zeroization” column applicable to each SSP. Zeroization Description Rationale Operator Initiation Method Remove Upon removing power from the host Removing power from the host device yields SSPs Operator removes Power device, the SSPs in memory are in memory irretrievable and unusable, effectively power from the host zeroized. zeroizing them. device. Reboot Upon rebooting the host device, the Rebooting the host device yields SSPs in memory Operator reboots the SSPs in memory are zeroized. irretrievable and unusable, effectively zeroizing host device them. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 40

Zeroization Description Rationale Operator Initiation Method Power-cycle Upon power-cycling the host device, Power-cycling the host device yields SSPs in Operator power-cycles the SSPs in memory are zeroized. memory irretrievable and unusable, effectively the host device zeroizing them. Table 16: SSP Zeroization Methods At the end of each applicable function call, temporary SSPs in memory are automatically overwritten with zeroes and the space is deallocated. Maintenance of any keys and CSPs that exist outside the module’s cryptographic boundary, including protection and zeroization, are the responsibility of the module operator.

9.4 SSPs

The module supports the keys and other SSPs listed in the table below. All SSP imports and exports are electronic and performed within the TOEPP. Type - Generated Established Name Description Size - Strength Used By Category By By AES key Symmetric Between 128 Symmetric PBKDF AES for Symmetric encryption, and 256 bits - Key - CSP TLS1.2-KDF Encryption/Decryption decryption Between 128 (CVL) KTS-AES+MAC and 256 bits TLS1.3-KDF (CVL) AES CCM Authenticated Between 128 Symmetric TLS1.2-KDF AES-CCM for Authenticated key symmetric and 256 bits - Key - CSP (CVL) Symmetric encryption, Between 128 TLS1.3-KDF Encryption/Decryption decryption and 256 bits (CVL) KTS-AES-CCM AES GCM Authenticated Between 128 Symmetric TLS1.2-KDF AES-GCM for Authenticated key symmetric and 256 bits - Key - CSP (CVL) Symmetric encryption, Between 128 TLS1.3-KDF Encryption/Decryption decryption and 256 bits (CVL) AES XTS key Symmetric 128 or 256 bits Symmetric AES-XTS for Symmetric encryption, - 128 or 256 Key - CSP Encryption/Decryption decryption bits AES CMAC MAC generation, Between 128 MAC - CSP AES-CMAC for MAC key verification and 256 bits - Generation/Verification Between 128 KTS-AES+MAC and 256 bits AES GMAC MAC generation, Between 128 MAC - CSP AES-GMAC for MAC key verification and 256 bits - Generation/Verification Between 128 KTS-AES+MAC and 256 bits Triple-DES Triple-DES key N/A - N/A Symmetric PBKDF TDES for Symmetric key Key - CSP Decryption (legacy) Triple-DES MAC Verification N/A - N/A MAC - CSP TDES for MAC Verification CMAC key (legacy) HMAC key Keyed Hash 112 bits MAC - CSP TLS1.2-KDF KTS-AES+MAC (minimum) - (CVL) HMAC for Message

112 bits TLS1.3-KDF Authentication

(minimum) (CVL) DSA private Digital signature 2048 or 3072 Private - CSP DSA for Key DSA for Digital Signature key generation bits - 112 or Generation Generation

128 bits

Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 41

Type - Generated Established Name Description Size - Strength Used By Category By By DSA public Digital signature Between 2048 Public - PSP DSA for Digital Signature key verification and 3072 bits - Verification (legacy)

112 or 128 bits

ECDSA Digital signature Between 224 Private - CSP ECDSA for ECDSA for Digital Signature private key generation and 521 bits - Key Generation Between 112 Generation and 256 bits ECDSA Digital signature Between 224 Public - PSP ECDSA for ECDSA for Digital Signature public key verification and 521 bits - Key Verification Between 112 Verification and 256 bits RSA private Digital signature Between 2048 Private - CSP RSA for Key RSA for Signature key generation and 4096 bits - Generation Generation Between 112 and 150 bits RSA public Signature verification Between 2048 Public - PSP RSA for RSA for Signature key and 4096 bits - Signature Verification Between 80 Generation RSA for Signature and 150 bits Verification (legacy) DH private DH shared secret 2048 bits - 112 Private - CSP DSA KeyGen KAS-FFC-SSC Sp800-56Ar3 component computation bits for DH (A5835) DH public DH shared secret 2048 bits - 112 Public - PSP DSA KeyGen KAS-FFC-SSC Sp800-56Ar3 component computation bits for DH (A5835) ECDH ECDH private Between 224 Private - CSP ECDSA KAS-ECC-SSC Sp800-56Ar3 private component and 521 bits - KeyGen for (A5835) component Between 112 ECDH and 256 bits ECDH public ECDH shared secret Between 224 Public - PSP ECDSA KAS-ECC-SSC Sp800-56Ar3 component computation and 521 bits - KeyGen for (A5835) Between 112 ECDH and 256 bits Passphrase Input to PBKDF for N/a - N/A Passphrase - PBKDF key derivation CSP AES GCM IV Derivation of the TLS 96 bits - N/A Initialization DRBG AES-GCM for Authenticated master secret Vector - CSP Symmetric Encryption/Decryption TLS pre- Derivation of the TLS 384 bits - N/A Pre-master TLS1.2-KDF (CVL) master master secret Secret - CSP TLS1.3-KDF (CVL) secret TLS master Derivation of the 384 bits - N/A Master TLS1.2-KDF (CVL) secret AES/AES-GCM key Secret - CSP TLS1.3-KDF (CVL) and HMAC key used for securing TLS connections DRBG Entropy material for Between 128 Entropy DRBG entropy DRBG and 512 bits - input - CSP input N/A DRBG seed Seeding material for Between 256 Seed - CSP DRBG DRBG DRBG and 384 bits N/A DRBG ‘V’ State value for DRBG 128 bits - N/A State Value - DRBG DRBG value CSP DRBG ‘Key’ State value for DRBG Between 128 State Value - DRBG DRBG value and 256 bits - CSP N/A Table 17: SSP Table 1 Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 42

Name Input - Output Storage Storage Duration Zeroization Related SSPs AES key [Input] External to RAM:Plaintext Until the module is Remove TLS master secret:Derived RAM via Plaintext unloaded or the power is Power From removed. Reboot Passphrase:Derived From Power-cycle AES CCM key [Input] External to RAM:Plaintext Until the module is Remove TLS master secret:Derived RAM via Plaintext unloaded or the power is Power From removed Reboot Power-cycle AES GCM key [Input] External to RAM:Plaintext Until the module is Remove TLS master secret:Derived RAM via Plaintext unloaded or the power is Power From removed. Reboot AES GCM IV:Paired With Power-cycle AES XTS key [Input] External to RAM:Plaintext Until the module is Remove RAM via Plaintext unloaded or the power is Power removed. Reboot Power-cycle AES CMAC key [Input] External to RAM:Plaintext Until the module is Remove RAM via Plaintext unloaded or the power is Power removed. Reboot Power-cycle AES GMAC key [Input] External to RAM:Plaintext Until the module is Remove RAM via Plaintext unloaded or the power is Power removed. Reboot Power-cycle Triple-DES key RAM:Plaintext Until the module is Remove unloaded or the power is Power removed. Reboot Power-cycle Triple-DES [Input] External to RAM:Plaintext Until the module is Remove CMAC key RAM via Plaintext unloaded or the power is Power removed. Reboot Power-cycle HMAC key [Input] External to RAM:Plaintext Until the module is Remove TLS master secret:Derived RAM via Plaintext unloaded or the power is Power From removed. Reboot Power-cycle DSA private key [Output] RAM to RAM:Plaintext Until the module is Remove DSA public key :Paired With External via unloaded or the power is Power Plaintext removed. Reboot Power-cycle DSA public key [Output] RAM to RAM:Plaintext Until the module is Remove External via unloaded or the power is Power Plaintext removed. Reboot Power-cycle ECDSA private [Output] RAM to RAM:Plaintext Until the module is Remove ECDSA public key :Paired key External via unloaded or the power is Power With Plaintext removed. Reboot Power-cycle ECDSA public [Output] RAM to RAM:Plaintext Until the module is Remove ECDSA private key :Paired key External via unloaded or the power is Power With Plaintext removed. Reboot Power-cycle RSA private key [Output] RAM to RAM:Plaintext Until the module is Remove RSA public key :Paired With External via unloaded or the power is Power Plaintext removed. Reboot Power-cycle Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 43

Name Input - Output Storage Storage Duration Zeroization Related SSPs RSA public key [Output] RAM to RAM:Plaintext Until the module is Remove RSA private key :Paired External via unloaded or the power is Power With Plaintext removed. Reboot Power-cycle DH private [Output] RAM to RAM:Plaintext Until the module is Remove DH public component component External via unloaded or the power is Power :Paired With Plaintext removed. Reboot Power-cycle DH public [Output] RAM to RAM:Plaintext Until the module is Remove DH private component component External via unloaded or the power is Power :Paired With Plaintext removed. Reboot Power-cycle ECDH private [Output] RAM to RAM:Plaintext Until the module is Remove ECDH public component component External via unloaded or the power is Power :Paired With Plaintext removed. Reboot Power-cycle ECDH public [Output] RAM to RAM:Plaintext Until the module is Remove ECDH private component component External via unloaded or the power is Power :Paired With Plaintext removed. Reboot Power-cycle Passphrase [Input] External to RAM:Plaintext Until the module is Remove AES key:Derived From RAM via Plaintext unloaded or the power is Power removed. Reboot Power-cycle AES GCM IV [Input] External to RAM:Plaintext Until the module is Remove AES GCM key :Used With RAM via Plaintext unloaded or the power is Power removed. Reboot Power-cycle TLS pre-master [Input] External to RAM:Plaintext Until the module is Remove DH private component secret RAM via Plaintext unloaded or the power is Power :Derived From removed. Reboot DH public component Power-cycle :Derived From ECDH private component :Derived From ECDH public component :Derived From TLS master [Input] External to RAM:Plaintext Until the module is Remove TLS pre-master secret RAM via Plaintext unloaded or the power is Power secret:Derived From removed. Reboot Power-cycle DRBG entropy [Input] External to RAM:Plaintext Until the module is Remove DRBG seed:Derived From input RAM via Plaintext unloaded or the power is Power DRBG ‘V’ value:Derived removed. Reboot From Power-cycle DRBG ‘Key’ value:Derived From DRBG seed [Input] External to RAM:Plaintext Until the module is Remove DRBG entropy RAM via Plaintext unloaded or the power is Power input:Derived From removed. Reboot Power-cycle DRBG ‘V’ value [Input] External to RAM:Plaintext Until the module is Remove DRBG seed:Derived From RAM via Plaintext unloaded or the power is Power DRBG ‘Key’ value:Used removed. Reboot With Power-cycle DRBG ‘Key’ [Input] External to RAM:Plaintext Until the module is Remove DRBG seed:Derived From value RAM via Plaintext unloaded or the power is Power DRBG ‘V’ value:Used With removed. Reboot Power-cycle Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 44

Table 18: SSP Table 2 Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 45
10.1 Pre-Operational Self-Tests

The module performs the pre-operational self-tests listed in the following table. Test Algorithm or Test Test Method Test Type Indicator Details Properties HMAC-SHA2-256 SHA2-256 Software SW/FW Returned success or Test for libcrypto. Performed (A5835) Integrity Test Integrity error code automatically without operator action HMAC-SHA2-256 SHA2-256 Software SW/FW Returned success or Test for libssl. Performed automatically (A5835) Integrity Test Integrity error code without operator action Table 19: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

The module performs the conditional self-tests listed in the following table. Algorithm or Test Test Test Properties Indicator Details Conditions Test Method Type AES-CBC 128 bit KAT CAST returned encrypt After successful software (A5835) success or integrity test error code AES-ECB 128 bit KAT CAST returned decrypt After successful software (A5835) success or integrity test error code AES-CCM 192 bit KAT CAST returned encrypt After successful software (A5835) success or integrity test error code AES-CCM 192 bit KAT CAST returned decrypt After successful software (A5835) success or integrity test error code AES-GCM 128 bit KAT CAST returned encrypt After successful software (A5835) success or integrity test error code AES-GCM 128 bit KAT CAST returned decrypt After successful software (A5835) success or integrity test error code AES-XTS Testing 128 bit KAT CAST returned encrypt After successful software Revision 2.0 success or integrity test (A5835) error code AES-XTS Testing 128 bit KAT CAST returned decrypt After successful software Revision 2.0 success or integrity test (A5835) error code AES-CMAC CBC mode, 128- KAT CAST returned Generate After successful software (A5835) bit; 192-bit; 256- success or integrity test bit error code AES-CMAC CBC mode, 128- KAT CAST returned Verify After successful software (A5835) bit; 192-bit; 256- success or integrity test bit error code Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 46

Algorithm or Test Test Test Properties Indicator Details Conditions Test Method Type TDES-ECB 3Key KAT CAST returned Encrypt After successful software (A5835) success or integrity test error code TDES-ECB 3Key KAT CAST returned Decrypt After successful software (A5835) success or integrity test error code TDES-CMAC CBC mode, 3Key KAT CAST returned Generate After successful software (A5835) success or integrity test error code TDES-CMAC CBC mode, 3Key KAT CAST returned Verify After successful software (A5835) success or integrity test error code Counter DRBG AES, 256-bit KAT CAST returned Generate/Instantiate/Reseed After successful software (A5835) success or integrity test error code DSA SigGen 2048-bit; SHA2- KAT CAST returned Sign After successful software (FIPS186-4) 256 success or integrity test (A5835) error code DSA SigVer 2048-bit; SHA2- KAT CAST returned Verify After successful software (FIPS186-4) 256 success or integrity test (A5835) error code ECDSA SigVer P-224; K-233; KAT CAST returned Verify After successful software (FIPS186-4) SHA-256 success or integrity test (A5835) error code RSA SigGen 2048-bit; SHA2- KAT CAST returned Sign After successful software (FIPS186-4) 256; PKCS#1.5 success or integrity test (A5835) scheme error code RSA SigVer 2048-bit; SHA2- KAT CAST returned Verify After successful software (FIPS186-4) 256; PKCS#1.5 success or integrity test (A5835) scheme error code HMAC-SHA-1 SHA-1 KAT CAST returned Hashed Message After successful software (A5835) success or integrity test error code HMAC-SHA2- SHA2-224 KAT CAST returned Hashed Message After successful software

224 (A5835) success or integrity test

error code HMAC-SHA2- SHA2-256 KAT CAST returned Hashed Message Prior to the software

256 (A5835) success or integrity test

error code HMAC-SHA2- SHA2-384 KAT CAST returned Hashed Message After successful software

384 (A5835) success or integrity test

error code HMAC-SHA2- SHA2-512 KAT CAST returned Hashed Message After successful software

512 (A5835) success or integrity test

error code HMAC-SHA3- SHA3-224 KAT CAST returned Hashed Message After successful software

224 (A5835) success or integrity test

error code HMAC-SHA3- SHA3-256 KAT CAST returned Hashed Message Prior to the software

256 (A5835) success or integrity test

error code HMAC-SHA3- SHA3-384 KAT CAST returned Hashed Message After successful software

384 (A5835) success or integrity test

error code Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 47

Algorithm or Test Test Test Properties Indicator Details Conditions Test Method Type HMAC-SHA3- SHA3-512 KAT CAST returned Hashed Message After successful software

512 (A5835) success or integrity test

error code SHA-1 (A5835) - KAT CAST returned Hash After successful software success or integrity test error code SHA2-224 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code SHA2-256 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code SHA2-384 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code SHA2-512 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code SHA3-224 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code SHA3-256 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code SHA3-384 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code SHA3-512 - KAT CAST returned Hash After successful software (A5835) success or integrity test error code KAS-FFC-SSC 2048-bit KAT CAST returned Shared Secret “Z” After successful software Sp800-56Ar3 success or Computation integrity test (A5835) error code KAS-ECC-SSC P-224 KAT CAST returned Shared Secret “Z” After successful software Sp800-56Ar3 success or Computation integrity test (A5835) error code PBKDF (A5835) SHA2-224 KAT CAST returned KDF After successful software success or integrity test error code TLS v1.2 KDF - KAT CAST returned KDF After successful software RFC7627 success or integrity test (A5835) error code TLS v1.3 KDF - KAT CAST returned KDF After successful software (A5836) success or integrity test error code DSA KeyGen - PCT PCT returned Sign/Verify When an ECDSA key pair (FIPS186-4) success or is generated for use with (A5835) error code sign/verify functions ECDSA KeyGen - PCT PCT returned Sign/Verify When an ECDSA key pair (FIPS186-4) success or is generated for use with (A5835) error code sign/verify functions RSA KeyGen - PCT PCT returned Sign/Verify When an RSA key pair is (FIPS186-4) success or generated for use with (A5835) error code sign/verify functions Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 48

Algorithm or Test Test Test Properties Indicator Details Conditions Test Method Type DH - PCT PCT returned Key Agreement When a DSA key pair is success or generated for use with DH error code key transport functions ECDH - PCT PCT returned Key Agreement When an ECDSA key pair success or is generated for use with error code ECDH key transport functions ECDSA SigGen P-224; K-233; KAT CAST returned Sign After successful software (FIPS186-4) SHA-256 success or integrity test (A5835) error code Table 20: Conditional Self-Tests

10.3 Periodic Self-Test Information

The table below specifies the module’s periodic self-test information. Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Software Integrity Test SW/FW Integrity On Demand Manually (A5835) HMAC-SHA2-256 Software Integrity Test SW/FW Integrity On Demand Manually (A5835) Table 21: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-CBC (A5835) KAT CAST On Demand Manually AES-ECB (A5835) KAT CAST On Demand Manually AES-CCM (A5835) KAT CAST On Demand Manually AES-CCM (A5835) KAT CAST On Demand Manually AES-GCM (A5835) KAT CAST On Demand Manually AES-GCM (A5835) KAT CAST On Demand Manually AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A5835) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A5835) AES-CMAC (A5835) KAT CAST On Demand Manually AES-CMAC (A5835) KAT CAST On Demand Manually TDES-ECB (A5835) KAT CAST On Demand Manually TDES-ECB (A5835) KAT CAST On Demand Manually TDES-CMAC (A5835) KAT CAST On Demand Manually TDES-CMAC (A5835) KAT CAST On Demand Manually Counter DRBG (A5835) KAT CAST On Demand Manually DSA SigGen (FIPS186-4) KAT CAST On Demand Manually (A5835) DSA SigVer (FIPS186-4) KAT CAST On Demand Manually (A5835) ECDSA SigVer (FIPS186- KAT CAST On Demand Manually 4) (A5835) RSA SigGen (FIPS186-4) KAT CAST On Demand Manually (A5835) RSA SigVer (FIPS186-4) KAT CAST On Demand Manually (A5835) HMAC-SHA-1 (A5835) KAT CAST On Demand Manually Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 49

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-224 KAT CAST On Demand Manually (A5835) HMAC-SHA2-256 KAT CAST On Demand Manually (A5835) HMAC-SHA2-384 KAT CAST On Demand Manually (A5835) HMAC-SHA2-512 KAT CAST On Demand Manually (A5835) HMAC-SHA3-224 KAT CAST On Demand Manually (A5835) HMAC-SHA3-256 KAT CAST On Demand Manually (A5835) HMAC-SHA3-384 KAT CAST On Demand Manually (A5835) HMAC-SHA3-512 KAT CAST On Demand Manually (A5835) SHA-1 (A5835) KAT CAST On Demand Manually SHA2-224 (A5835) KAT CAST On Demand Manually SHA2-256 (A5835) KAT CAST On Demand Manually SHA2-384 (A5835) KAT CAST On Demand Manually SHA2-512 (A5835) KAT CAST On Demand Manually SHA3-224 (A5835) KAT CAST On Demand Manually SHA3-256 (A5835) KAT CAST On Demand Manually SHA3-384 (A5835) KAT CAST On Demand Manually SHA3-512 (A5835) KAT CAST On Demand Manually KAS-FFC-SSC Sp800- KAT CAST On Demand Manually 56Ar3 (A5835) KAS-ECC-SSC Sp800- KAT CAST On Demand Manually 56Ar3 (A5835) PBKDF (A5835) KAT CAST On Demand Manually TLS v1.2 KDF RFC7627 KAT CAST On Demand Manually (A5835) TLS v1.3 KDF (A5836) KAT CAST On Demand Manually DSA KeyGen (FIPS186-4) PCT PCT On Demand Manually (A5835) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A5835) RSA KeyGen (FIPS186-4) PCT PCT On Demand Manually (A5835) DH PCT PCT On Demand Manually ECDH PCT PCT On Demand Manually ECDSA SigGen (FIPS186- KAT CAST On Demand Manually 4) (A5835) Table 22: Conditional Periodic Information The CO can initiate the pre-operational self-tests and conditional CASTs on demand for periodic testing of the module by re-instantiating the module or issuing the FIPS_selftest() API command.

10.4 Error States

The table below specifies the module’s error state information. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 50

Name Description Conditions Recovery Method Indicator Critical Module immediately terminates the Upon failure of The module must be re- Returns error code upon Error calling application and sets an internal any pre- instantiated by the calling self-test failure; returns flag signaling the error condition. The operational or application. The CO should failure indicator for module disables access to all conditional self- contact Riverbed Technology subsequent requests for cryptographic functions, SSPs, and data test, LLC if errors persist after re- cryptographic services. output services while the error condition instantiation. persists. Table 23: Error States Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 51
11.1 Installation, Initialization, and Startup Procedures

The Riverbed Cryptographic Module is not delivered to end-users as a standalone offering. Rather, it is a pre-built integrated component of Riverbed’s application software, and these applications are the sole consumers of the cryptographic services provided by the module. The module and its calling application are delivered pre-installed on one of the Riverbed platforms specified in section 6 above or one where portability is maintained. Riverbed does not provide end-users with any mechanisms to directly access the module, its source code, its APIs, or any information sent to/from the module. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator, and end-users have no ability to bypass the automatic integrity check. No setup steps are required to be performed by end-users.

11.2 Administrator Guidance

There are no specific management activities required of the CO role to ensure that the module runs securely. If any irregular activity is observed, or if the module is consistently reporting errors, then Riverbed Customer Support should be contacted. The following list provides additional guidance for the CO:

11.3 Non-Administrator Guidance

The following list provides additional policies for the User role:

Page 52
Page 53

12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 54

Appendix A. Acronyms and Abbreviations Table 24 provides definitions for the acronyms and abbreviations used in this document. Table 24. Acronyms and Abbreviations Term Definition AES Advanced Encryption Standard ANSI American National Standards Institute API Application Programming Interface CAST Cryptographic Algorithm Self-Test CBC Cipher Block Chaining CCCS Canadian Centre for Cyber Security CCM Counter with Cipher Block Chaining - Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-Based Message Authentication Code CMVP Cryptographic Module Validation Program CO Cryptographic Officer CPU Central Processing Unit CSP Critical Security Parameter CTR Counter CVL Component Validation List DEP Default Entry Point DES Data Encryption Standard DH Diffie-Hellman DRBG Deterministic Random Bit Generator DSA Digital Signature Algorithm ECB Electronic Code Book ECC Elliptic Curve Cryptography ECC CDH Elliptic Curve Cryptography Cofactor Diffie-Hellman ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EMI/EMC Electromagnetic Interference /Electromagnetic Compatibility FFC Finite Field Cryptography FIPS Federal Information Processing Standard GCM Galois/Counter Mode Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 55

Term Definition GMAC Galois Message Authentication Code GPC General-Purpose Computer HKDF HMAC-Based Key Derivation Function HMAC (keyed-) Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MD Message Digest NIST National Institute of Standards and Technology OCB Offset Codebook OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme PUB Publication RC Rivest Cipher RFC Request for Comment RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm KECCAK SHS Secure Hash Standard SP Special Publication TDES Triple Data Encryption Standard TLS Transport Layer Security XEX XOR Encrypt XOR XTS XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing Riverbed Cryptographic Module 2.0.1 ©2025 Riverbed Technology, LLC

Page 56

Appendix B. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved service indicator value based on the parameter(s) passed to them.

Page 57
Page 58

Prepared by: Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com