All modules
CMVP Validated Module · FIPS 140-3 Security Policy

OpenSSL Cryptographic Module

Certificate#5023StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorF5, Inc.
Medium review priority  ·  no TCB surface named  ·  OpenSSL upstream has published 39 CVEs since this module's initial validation  ·  last validated 13 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date6/7/2030
CaveatWhen operated in approved mode, installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorF5, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for OpenSSL Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>upgrade</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for OpenSSL Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>upgrade</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

F5, Inc. OpenSSL Cryptographic Module Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 3
Table of Contents
#SectionPage
Page 5
List of Tables
ItemPage
Table : Security Levels7
Table : Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)9
Table : Tested Operational Environments - Software, Firmware, Hybrid9
Table : Modes List and Description10
Table : Approved Algorithms12
Table : Vendor-Affirmed Algorithms12
Table : Non-Approved, Allowed Algorithms with No Security Claimed12
Table : Non-Approved, Not Allowed Algorithms14
Table : Security Function Implementations16
Table : Entropy Certificates17
Table : Entropy Sources18
Table : Ports and Interfaces20
Table : Roles21
Table : Approved Services26
Table : Non-Approved Services28
Table : Storage Areas33
Table : SSP Input-Output Methods33
Table : SSP Zeroization Methods33
Table : SSP Table 137
Table : SSP Table 238
Table : Pre-Operational Self-Tests39
Table : Conditional Self-Tests41
Table : Pre-Operational Periodic Information41
Table : Conditional Periodic Information42
Table : Error States42
Figure 1: Block Diagram8
Page 6

F5® is Registered trademarks of F5, Inc. Intel® Xeon® and Intel® Atom® processors are Registered trademarks of Intel Corporation. ____________________________________________________________________________________________________________________

Page 7
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy that contains the security rules under which the OpenSSL Cryptographic Module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an Overall Security Level 1 module.

1.2 Security Levels

Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 8
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The OpenSSL Cryptographic Module (hereafter referred to as “the module”) is a cryptographic library offering various cryptographic mechanisms to be used by OpenSSL application running on F5 VELOS system controller and blade. The module provides cryptographic services to applications through an Application Program Interface (API). The module also interacts with the underlying operating system via system calls. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The software block diagram Figure 1 shows the module, its interfaces with the operational environment and the delimitation of its cryptographic boundary with bold black perimeter. The software components of the cryptographic module are listed in Table - Tested Module Identification

Page 9

Tested Operational Environment’s Physical Perimeter (TOEPP): The module is aimed to run on a generalpurpose computer; the physical perimeter is the surface of the case of the target platform, as shown with orange dotted lines in the diagram Figure 1. The components of the TOEPP are listed in Table - Tested Operational Environments - Software, Firmware, Hybrid. The entropy source located within the module’s physical perimeter is outside of the module’s cryptographic boundary (see Figure 1).

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved Only approved Approved The status output from the FIPS_set_indicator_status service call is mode security functions provided. To read this indicator, the calling application must register a or vendor affirmed callback function using `FIPS_register_indicator_callback'. The ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 10

Mode Description Type Status Indicator Name security functions callback function should take the input of the form "char *" which is can be used. the form of the indicator being output by the module. Non- Only non-approved Non- No service indicator Approved security functions Approved mode can be used Table 4: Modes List and Description Mode Change Instructions and Status: The module enters the approved mode after pre-operational self-tests succeed. The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A4782 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4783 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A4782 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4782 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4783 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4782 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GCM A4783 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A4782 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 11

Algorithm CAVP Cert Properties Reference IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A4783 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 Counter DRBG A4782 Prediction Resistance - No, Yes SP 800-90A Rev. Mode - AES-256 1 Derivation Function Enabled - No, Yes Counter DRBG A4783 Prediction Resistance - No SP 800-90A Rev. Mode - AES-256 1 Derivation Function Enabled - Yes ECDSA KeyGen (FIPS186- A4782 Curve - P-256, P-384 FIPS 186-4 4) ECDSA KeyVer (FIPS186-4) A4782 Curve - P-256, P-384 FIPS 186-4 ECDSA SigGen (FIPS186-4) A4782 Component - No FIPS 186-4 Curve - P-256, P-384 ECDSA SigVer (FIPS186-4) A4782 Component - No FIPS 186-4 Curve - P-256, P-384 HMAC-SHA-1 A4782 Key Length - Key Length: 8, 16, 64, 128, 1024 FIPS 198-1 HMAC-SHA-1 A4783 Key Length - Key Length: 8, 16, 64, 128, 1024 FIPS 198-1 HMAC-SHA2-256 A4782 Key Length - Key Length: 8, 16, 64, 128, 1024 FIPS 198-1 HMAC-SHA2-384 A4782 Key Length - Key Length: 8, 16, 64, 128, 1024 FIPS 198-1 KAS-ECC-SSC Sp800-56Ar3 A4782 Domain Parameter Generation Methods - P-256, SP 800-56A Rev. P-384 3 Scheme staticUnified KAS Role - initiator, responder KDF SSH (CVL) A4782 Cipher - AES-128, AES-256 SP 800-135 Rev. KDF TLS (CVL) A4782 TLS Version - v1.0/1.1 SP 800-135 Rev. RSA KeyGen (FIPS186-4) A4782 Key Generation Mode - B.3.3 FIPS 186-4 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 12

Algorithm CAVP Cert Properties Reference RSA SigGen (FIPS186-4) A4782 Signature Type - PKCS 1.5 FIPS 186-4 Modulo - 2048, 3072, 4096 RSA SigVer (FIPS186-4) A4782 Signature Type - PKCS 1.5 FIPS 186-4 Modulo - 2048, 3072, 4096 SHA-1 A4782 - FIPS 180-4 SHA-1 A4783 - FIPS 180-4 SHA2-256 A4782 - FIPS 180-4 SHA2-384 A4782 - FIPS 180-4 TLS v1.2 KDF RFC7627 A4782 - SP 800-135 Rev. (CVL) 1 Table 5: Approved Algorithms There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. Vendor-Affirmed Algorithms: Name Properties Implementation Reference Cryptographic Key Key N/A Random bit strings required for generating the Generation (CKG) Type:Asymmetric cryptographic keys is compliant with section 4 example 1 of SP800-133r2 Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The module does not implement any Non-Approved Allowed algorithms in the Approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Allowed per IG 2.4.A Message digest used in TLS 1.0 / 1.1 KDF only Table 7: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 13

Name Use and Function AES with OFB, CCM, CFB, XTS, KW modes Symmetric encryption and decryption Blowfish, Camellia, CAST5, DES, IDEA, RC2, RC4, SEED, SM2, Symmetric encryption and decryption SM4, Triple-DES SHA2-224, SHA2-512, SM3, MD4, MD5 (outside of TLS), MDC2, Message digest RIPEMD, Whirlpool HMAC-SHA2-224, HMAC-SHA2-512, AES CMAC, Triple-DES Message authentication CMAC PKCS #1 v1.5 scheme with 1024 and greater than 4096 up to RSA signature generation and verification

16384 modulus, for all SHA sizes

Probabilistic Signature Scheme (PSS), ANSI X9.31 schemes RSA signature generation and verification PKCS #1 v1.5 scheme with modulus size 2048, 3072, 4096 bits RSA signature generation with SHA-1, SHA2-224, SHA2-512 PKCS #1 v1.5 scheme with modulus size 2048, 3072, 4096 bits RSA signature verification with SHA2-224, SHA2-512 ECDSA with P-224, P-521 ECDSA key generation / verification ECDSA with curves P-256, P-384 with SHA-1 SHA2-224, SHA2- ECDSA signature generation / verification ECDSA using SM2 Digital signature generation and verification RSA with modulus sizes up to 16384 bits RSA encrypt / decrypt DSA with all key and SHA sizes DSA domain parameter generation, domain parameter verification, key pair generation, signature generation and verification HMAC_DRBG and Hash_DRBG for all SHA sizes Random number generation CTR_DRBG with AES-128, AES-192 Random number generation ANSI X9.31 RNG Random number generation Diffie-Hellman Shared secret computation EC Diffie-Hellman Ephemeral Unified with curves other than P- Shared secret computation 256, P-384, without KDF. EC Diffie-Hellman without KDF or using onePassDH / StaticUnified schemes Key Derivation function in the context of TLS using SHA2-224 / TLS KDF SHA2-512 Key Derivation function in the context of SSH using SHA-1 / SSH KDF SHA2-224 / SHA2-512 ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 14

Name Use and Function PKCS #1 v1.5 with keys other than 2048 / 3072 / 4096-bit using RSA signature generation and verification SHA2-256, SHA2-384 Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms EC Diffie-Hellman KAS-SSC [SP800-56ARev3] Curves:P-256, P-384 KAS-ECC-SSC Shared Secret Shared Secret with strength 128 Sp800-56Ar3: Computation Computation used in and 192-bits (A4782) Key Agreement Scheme (KAS) IG D.F scenario 2 (path 1) AES-Key Wrapping KTS-Wrap FIPS [197, SP800- Keys:128 / 256-bit AES-GCM: (A4783, 38F],IG D.G. key AES key with A4782) wrapping and security strength unwrapping, in the from 128 and 256context of the TLS bits protocol, are provided by the TLS record layer using an approved authenticated encryption mode. Encryption with AES BC-UnAuth Encryption using Keys:128, 192, 256 AES-CBC: (A4783, AES bits with 128-256 bits A4782) of key strength AES-ECB: (A4783, A4782) AES-CTR: (A4782) Decryption with AES BC-UnAuth Decryption using Keys:128, 192, 256 AES-CBC: (A4783, AES bits with 128-256 bits A4782) of key strength AES-ECB: (A4783, A4782) AES-CTR: (A4782) ECC key pair AsymKeyPair- ECDSA / ECDH key Curves:P-256 and P- ECDSA KeyGen generation KeyGen pair generation 384 curves with (FIPS186-4): (A4782) security strength 128 and 192-bits ECC public key AsymKeyPair- [FIPS 186-4] key Curves:P-256 and P- ECDSA KeyVer verification KeyVer verification using 384 with strength 128 (FIPS186-4): (A4782) ECDSA and EC and 192-bits Diffie-Hellman keys ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 15

Name Type Description Properties Algorithms ECDSA signature DigSig-SigGen [FIPS 186-4] Digital Curves:P-256, P- 384 ECDSA SigGen generation signature generation with security (FIPS186-4): (A4782) using ECDSA strength 128 and 192- ECDSA / ECDH key bits pair : P-256, P-384 Hashes:SHA2-256, SHA2-384 ECDSA signature DigSig-SigVer [FIPS 186-4] Curves:P-256 and P- ECDSA SigVer verification Signature verification 384 with security (FIPS186-4): (A4782) using ECDSA strength 128 and 192bits Hashes:SHA2-256, SHA2-384 Message digest SHA [FIPS180-4] Message N/A:N/A SHA-1: (A4783, digest using SHA A4782) SHA2-256: (A4782) SHA2-384: (A4782) Message MAC Message SHA algorithm:SHA- HMAC-SHA-1: authentication authentication 1, SHA2-256, SHA2- (A4783, A4782) generation with generation using 384, HMAC-SHA2-256: HMAC HMAC (A4782) HMAC-SHA2-384: (A4782) Message MAC Message SHA algorithm:SHA- HMAC-SHA-1: authentication authentication 1, SHA2-256, SHA2- (A4783, A4782) verification with verification using 384, HMAC-SHA2-256: HMAC HMAC (A4782) HMAC-SHA2-384: (A4782) Key derivation KAS-135KDF Key derivation using Derived keys:112 to KDF SSH: (A4782) protocol KDF 256 bits KDF TLS: (A4782) TLS v1.2 KDF RFC7627: (A4782) RSA key generation AsymKeyPair- [FIPS 186-4] B.3.3 Keys:2048 / 3072 / RSA KeyGen KeyGen Probable primes with 4096-bit with (FIPS186-4): (A4782) standard key format security strength from 112 to 150-bits Message MAC Message Keys:128 /192 / 256 AES-GMAC: (A4783, authentication authentication bits with security A4782) generation with AES generation using AES strength from 128 to

256 bits
Page 16

Name Type Description Properties Algorithms Message MAC Message Keys:128 /192 / 256 AES-GMAC: (A4783, authentication authentication bits with security A4782) verification with AES verification using strength from 128 to AES 256 bits Authenticated BC-Auth Authenticated Keys:128 or 256 bits AES-GCM: (A4783, encryption with AES encryption using AES with 128 or 256 bits A4782) GCM of strength Authenticated Encryption: Internal IV Mode 8.2.1 Authenticated BC-Auth Authenticated Keys:128 or 256 bits AES-GCM: (A4783, decryption with AES decryption using AES with 128 or 256 bits A4782) GCM of strength. Authenticated Decryption: External IV Random Number DRBG Random number Seed, V and key Counter DRBG: Generation generation using values :Security (A4783, A4782) DRBG with AES-236 strength 256-bits in CTR mode RSA signature DigSig-SigGen PKCS 1.5 digital Keys:2048 / 3072 / RSA SigGen generation signature generation 4096-bit with (FIPS186-4): (A4782) using RSA with SHA- security strength 256, SHA-384 from 112 to 150-bits Hashes:SHA2-256, SHA2-384 RSA signature DigSig-SigVer PKCS 1.5 digital Keys:2048 / 3072 / RSA SigVer verification signature verification 4096-bit with (FIPS186-4): (A4782) using RSA with SHA- security strength 256, SHA-384 from 112 to 150-bits Hashes:SHA2-256, SHA2-384 RSA signature DigSig-SigVer PKCS 1.5 digital Publications:FIPS RSA SigVer verification (legacy) signature verification 140-3 IG C.M legacy (FIPS186-4): (A4782) using RSA with SHA- algorithms

1 Keys:2048 / 3072 /

4096-bit with security strength from 112 to 150-bits Hashes: SHA-1 Table 9: Security Function Implementations ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 17
2.7 Algorithm Specific Information

AES GCM Use: The IV for AES-GCM is constructed in compliance with IG C.H scenario 1a (TLS 1.2) and scenario 1d (SSHv2).

2.8 RBG and Entropy

Cert Vendor Number Name E85 F5 Table 10: Entropy Certificates ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 18

Name Type Operational Sample Entropy Conditioning Component Environment Size per Sample CPU Jitter Non- OEs listed in 256 256 bits SHA-3 vetted conditioning component. ACVP

3.4.1 Physical Table 3 bits Cert. A4093

Table 11: Entropy Sources The module entropy source specified in Table Entropy Sources uses jitter variations caused by executing instructions and memory accessed. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90ARev1] for the generation of random value used in asymmetric keys, and for providing a RNG service to calling applications. The approved DRBG provided by the module is the CTR_DRBG with AES-256. The output of entropy sources provides 256-bits of entropy to seed and reseed SP800-90ARev1 DRBG during initialization (seed) and reseeding (reseed).

2.9 Key Generation

The module implements asymmetric key generation methods according to SP 800-133r2 section 5. The key generation methods are specified in the Security Function Implementations table. The module does not implement symmetric key generation.

2.10 Key Establishment

The module implements SSP agreement, compliant with IG D.F scenario 2 (path 1). Additionally, the module implements SSP transport, compliant with IG D.G. The Key Establishment methods are specified in the Security Function Implementations table.

2.11 Industry Protocols

GCM with internal IV generation in the approved mode is compliant with version 1.2 of the TLS protocol (RFC 5288) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 and SSH key derivation functions for use in the TLS protocol and SSH protocol (RFC 4253 and RFC 6668) respectively. The strength of the derived session key is based on the shared secret and the SHA function used as follows: For deriving session key with 192 bit strength, the TLS/SSH key derivation functions with shared secret based on P-384 curve using SHA-384 should be used. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 19

For deriving session key with 128 bit strength,

384 curve using SHA-256 should be used.
384 or P-384 curve using SHA-1, SHA-256 should be used.

The TLS v1.0 / 1.1 / 1.2 and SSHv2 protocols have not been reviewed or tested by the CAVP or CMVP. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 20
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input Data inputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers N/A Data Data outputs are provided in the variables passed in the API and callable service invocations, Output generally through caller-supplied buffers N/A Control Control inputs which control the mode of the module are provided through dedicated Input parameters. N/A Status Status output is provided in return codes and through messages. Documentation for each API Output lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation. Table 12: Ports and Interfaces The logical interfaces are the API through which the applications request services. The module does not implement Control Output interface. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 21
4 Roles, Services, and Authentication
4.1 Authentication Methods

FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not implement an authentication mechanism for Crypto Officer. The Crypto Officer role is implicitly assumed when accessing all services provided by the module (see Table - Approved Services and Table - Non-Approved Services below).

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 13: Roles

4.3 Approved Services

Name Description Indicator Inputs Outputs Security SSP Access Functions Encryption Executes AES- AES-ECB, AES- Plaintext and Ciphertext Encryption Crypto Officer mode encrypt CBC, AES-CTR key with AES - AES key : W,E operation Decryption Executes AES- AES-ECB, AES- Ciphertext Plaintext Decryption Crypto Officer mode decrypt CBC, AES-CTR and key with AES - AES key : W,E operation Key wrapping Executes AES- AES-GCM Key wrapping Wrapped AES-Key Crypto Officer key wrapping encrypt / key and key key Wrapping - AES key : W,E or decrypt to be wrapped - GCM IV in unwrapping TLS context: operation G,W,E - GCM IV in SSH context: G,W,E Random Generate CTR-DRBG- Number of Random Random Crypto Officer number Random AES-256 bits numbers Number - Entropy input generation number Generation string : W,E - DRBG seed : G - DRBG internal state (V and key values) : G RSA key pair Generate RSA RSA-KEY- Key size Key pair RSA key Crypto Officer generation key pair GEN-2048, generation - RSA private RSA-KEY- key: G,R GEN-3072, ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 22

Name Description Indicator Inputs Outputs Security SSP Access Functions RSA-KEY- - RSA public GEN-4096 key: G,R RSA signature Sign a RSA-SIG Private key, Computed RSA signature Crypto Officer generation message with Message, signature generation - RSA private a specified Hashing key: W,E RSA private algorithm key Authenticated Authenticated AES-GCM AES key, Ciphertext Authenticated Crypto Officer Encryption Encryption plaintext encryption - AES key : W,E with AES - GCM IV in GCM TLS context: G,W,E - GCM IV in SSH context: G,W,E Authenticated Authenticated AES-GCM AES key, Plaintext Authenticated Crypto Officer Decryption Decryption ciphertext decryption - AES key : W,E with AES - GCM IV in GCM TLS context: W,E - GCM IV in SSH context: W,E Message MAC AES-GMAC AES key, MAC tag Message Crypto Officer Authentication computation message authentication - AES key : W,E Generation generation with AES with AES Message MAC MSG-AUTH- HMAC key, MAC tag Message Crypto Officer Authentication computation HMAC-SHA-1, message authentication - HMAC key : Generation MSG-AUTH- generation W,E with HMAC HMAC-SHA- with HMAC

256 MSG-

AUTH-HMACSHA-384 Message MAC AES-GMAC AES key, Message Message Crypto Officer Authentication computation Authenticated authentication - AES key : W,E Verification message, verification with AES MAC with AES algorithm Message MAC MSG-AUTH- HMAC key, Message Message Crypto Officer Authentication computation HMAC-SHA-1, Authenticated authentication - HMAC key : MSG-AUTH- message, W,E HMAC-SHA____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 23

Name Description Indicator Inputs Outputs Security SSP Access Functions Verification 256 MSG- MAC verification with HMAC AUTH-HMAC- algorithm with HMAC SHA-384 Message Digest Generating MESSAGE- Message Message Message digest Crypto Officer message digest DIGEST-SHA-1 digest MESSAGEDIGEST-SHA-

256 MESSAGE-

DIGEST-SHAECDSA key Generate EC-KEYGEN- Curve ECDSA ECC key pair Crypto Officer pair generation ECDSA key P-256, EC- key pair generation - ECDSA private pair KEYGEN-P- key: G,R

284 - ECDSA public

key: G,R - EC DiffieHellman private key: G,R - EC DiffieHellman public key: G,R ECDSA key Verify ECDSA EC-KEY- Public key Success/ ECC public Crypto Officer pair key pair VERIFY-P-256, error key - ECDSA public verification EC-KEY- verification key: W VERIFY-P-384 - EC DiffieHellman public key: W RSA signature Verify the RSA-VER RSA public Pass / fail RSA signature Crypto Officer verification signature of a key, digital result of verification - RSA public message with signature, digital RSA signature key: W,E a specified message, signature verification RSA public Hashing verification (legacy) key. algorithm ECDSA Sign a ECDSA-SIGN- ECDSA Computed ECDSA Crypto Officer signature message with P-256, ECDSA- private key, signature signature - ECDSA private generation a specified SIGN-P-384 Message, generation key: W,E ECDSA Hashing private key. algorithm ECDSA Verify the ECDSA- ECDSA public Digital ECDSA Crypto Officer signature signature of a VERIFY-P-256, key, digital signature signature - ECDSA public verification message with ECDSA- signature, verification verification key: W,E a specified VERIFY-P-384 message, result ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 24

Name Description Indicator Inputs Outputs Security SSP Access Functions ECDSA public Hashing key algorithm EC Diffie- Calculate a ECDH- EC public key, Shared EC Diffie- Crypto Officer Hellman shared secret COMPUTE- EC private Secret Hellman - EC Diffieshared secret via the ECDH KEY-P-256, key Shared Secret Hellman private computation algorithm. ECDH- Computation key: W COMPUTE- - EC DiffieKEY-P-384 Hellman shared secret: G,R Key derivation Deriving TLS TLS-P-HASH- TLS pre- TLS Key Crypto Officer using TLS pre- keys DERIVATION- primary secret primary derivation - TLS preprimary secret SHA-1 TLS-P- secret primary secret : HASH- W,E DERIVATION- - TLS primary SHA-256 TLS- secret: G,R P-HASHDERIVATION SHA-384 Key derivation Deriving TLS TLS-P-HASH- TLS primary TLS Key Crypto Officer using TLS keys DERIVATION- secret Derived derivation - TLS primary primary secret SHA-1 TLS-P- Key secret: W,E HASH- - TLS derived DERIVATION- session key : G,R SHA-256 TLSP-HASHDERIVATION SHA-384 Key derivation Deriving SSH SSH-KEY- Shared secret, SSH Key Crypto Officer using SSH keys HASH- Key length derived derivation - SSH derived shared secret DERIVATION- Key session key : G,R SHA-256 SSH- - SSH shared KEY-HASH- secret: W,E DERIVATION SHA-384 Show version Return the N/A N/A Module None Unauthenticated SW version name and Crypto Officer and the version module's name Show Status Return the N/A N/A Module None Unauthenticated module status status Crypto Officer ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 25

Name Description Indicator Inputs Outputs Security SSP Access Functions Zeroization Zeroize all N/A N/A All SSPs in None Crypto Officer non-protected the SSPs - AES key : Z SSPs table - HMAC key : Z - RSA private key: Z - RSA public key: Z - ECDSA private key: Z - ECDSA public key: Z - EC DiffieHellman private key: Z - EC DiffieHellman public key: Z - EC DiffieHellman shared secret: Z - TLS preprimary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH shared secret: Z - SSH derived session key : Z - Entropy input string : Z - DRBG seed : Z - DRBG internal state (V and key values) : Z Self-tests Execute Integrity test, N/A Pass or fail EC Diffie- Unauthenticated integrity test. CASTs from Hellman Crypto Officer Execute the sections 10.1 Shared Secret CASTs and 10.2 Computation AES-Key Wrapping Encryption with AES Decryption with AES ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 26

Name Description Indicator Inputs Outputs Security SSP Access Functions ECC key pair generation ECC public key verification ECDSA signature generation ECDSA signature verification Message digest Message authentication generation with HMAC Message authentication verification with HMAC Key derivation RSA key generation Message authentication generation with AES Message authentication verification with AES Authenticated encryption with AES GCM Authenticated decryption with AES GCM Random Number Generation RSA signature generation RSA signature verification Table 14: Approved Services ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 27

For the above table, the convention below applies when specifying the access permissions (types) that the service has for each SSP. G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP.

4.4 Non-Approved Services

Name Description Algorithms Role Symmetric encryption and Encryption / AES with OFB, CCM, CFB, XTS, KW modes Crypto decryption decryption Blowfish, Camellia, CAST5, DES, IDEA, Officer RC2, RC4, SEED, SM2, SM4, Triple-DES Message digest Generating message SHA2-224, SHA2-512, SM3, MD4, MD5 Crypto digest (outside of TLS), MDC2, RIPEMD, Officer Whirlpool Message authentication code MAC computation HMAC-SHA2-224, HMAC-SHA2-512, AES Crypto generation and verification CMAC, Triple-DES CMAC Officer RSA key generation Generating key pair PKCS #1 v1.5 scheme with 1024 and greater Crypto than 4096 up to 16384 modulus, for all SHA Officer sizes RSA signature generation and Generating signature, Probabilistic Signature Scheme (PSS), ANSI Crypto verification verifying signature X9.31 schemes Officer PKCS #1 v1.5 scheme with modulus size 2048, 3072, 4096 bits with SHA-1, SHA2224, SHA2-512 PKCS #1 v1.5 scheme with modulus size 2048, 3072, 4096 bits with SHA2-224, SHA2-512 PKCS #1 v1.5 with keys other than 2048 /

3072 / 4096-bit using SHA2-256, SHA2-384

Key generation / verification Generating key pair ECDSA with P-224, P-521 Crypto Officer ECDSA signature generation & Generating signature, ECDSA with P-224, P-521 Crypto verification verifying signature ECDSA with curves P-256, P-384 with SHA- Officer

1 SHA2-224, SHA2-512

ECDSA using SM2 RSA encrypt / decrypt Encryption / RSA with modulus sizes up to 16384 bits Crypto decryption Officer ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 28

Name Description Algorithms Role DSA domain parameter generation, Generating key pair, DSA with all key and SHA sizes Crypto domain parameter verification, key generating signature, Officer pair generation, signature verifying signature generation and verification Random number generation Generating HMAC_DRBG and Hash_DRBG for all SHA Crypto deterministic random sizes Officer number CTR_DRBG with AES-128, AES-192 ANSI X9.31 RNG Diffie-Hellman shared secret Calculate a shared Diffie-Hellman Crypto computation secret via the DH Officer algorithm. ECDH shared secret computation Calculating shared EC Diffie-Hellman Ephemeral Unified with Crypto secret curves other than P-256, P-384, without Officer KDF. EC Diffie-Hellman without KDF or using onePassDH / StaticUnified schemes Key derivation Deriving TLS keys and Key Derivation function in the context of Crypto SSH keys TLS using SHA2-224 / SHA2-512 Officer Key Derivation function in the context of SSH using SHA-1 / SHA2-224 / SHA2-512 Table 15: Non-Approved Services

4.5 External Software/Firmware Loaded
Page 29
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing a HMAC value calculated at run time on the libcrypto.so.1.0.2zc file, with the HMAC-SHA2-256 value stored in the module file .libcrypto.so.1.0.2zc.hmac that was computed at build time. The HMAC key used for integrity verification is 256 bits in length and is stored as part of the module binary. Integrity tests are performed as part of the Pre-Operational Self-Tests.

5.2 Initiate on Demand

The on-demand integrity test is performed as part of the Pre-Operational Self-Tests by reloading the module. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 30
6 Operational Environment
6.1 Operational Environment Type and Requirements

F5OS-C consists of a Linux based operating system customized for performance that runs directly on the hardware. Type of Operational Environment: Modifiable How Requirements are Satisfied: The module shall be installed as stated in Section 11.1. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data, and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module runs on a F5OS-C 1.6.0 operating system executing on the hardware and hypervisor specified in Table OEs. The module should be installed as stated in section 11. The operator should confirm that the module is installed correctly by section 11.2. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 31
7 Physical Security

The module is a software and therefore this section is Not Applicable (N/A). ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 32
8 Non-Invasive Security

Per IG 12.A: Until requirements of SP 800-140F are defined, non-invasive mechanisms fall under ISO / IEC 19790:2012 Section 7.12 Mitigation of other attacks. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 33
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM The memory occupied by SSPs is allocated by regular memory allocation operating system calls. Dynamic Table 16: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API output CM Software App via TOEPP Plaintext Manual Electronic parameters Path API input parameters App via TOEPP CM Software Plaintext Manual Electronic Path Table 17: SSP Input-Output Methods The module does not support manual SSP entry or intermediate key generation output. The SSPs are provided to the module in plaintext form via input API parameters, to and from the calling application running on the same operational environment. This is allowed by [FIPS 140-3_IG] IG 9.5.A Table 1, according to the “CM Software to/from App via TOEPP Path” entry in the table above.

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free Cipher Zeroizes the The destruction functions The application is responsible for calling the Handle SSPs contained overwrite the memory appropriate destruction functions provided in the within the occupied by keys with module's API: EVP_CIPHER_CTX_cleanup, cipher handle "zeros" and deallocate the HMAC_CTX_cleanup(), FIPS_rsa_free(), memory with the regular EC_KEY_free(), EC_POINT_free(), OPENSSL_cleanse, memory deallocation OPENSSL_free, FIPS_drbg_uninstantiate operating system call. Module De-allocates Volatile memory used by By unloading and reloading the module. Reset the volatile the module is overwritten memory used within nanoseconds when to store SSPs power is removed. Table 18: SSP Zeroization Methods ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 34
9.4 SSPs

Name Description Size - Strength Type - Generated By Established Used By Category By AES key AES key used for Key length: 128 Symmetric - AES-Key encryption, to 256-bits - 128 CSP Wrapping decryption, and to 256-bits Encryption computing MAC with AES tags Decryption with AES Message authentication generation with AES Message authentication verification with AES Authenticated encryption with AES GCM Authenticated decryption with AES GCM HMAC HMAC key for Key length: 112 Symmetric - Message key Message to 192-bits - 112 CSP authentication Authentication to 192-bits generation Generation and with HMAC Verification Message authentication verification with HMAC RSA RSA private key Modulus N: 2048, Asymmetric RSA key RSA signature private used for RSA key 3072 and 4096- - CSP generation generation key generation, bits - 112 to 150signature bits generation RSA RSA public key Modulus N: 2048, Asymmetric RSA key RSA signature public used for RSA key 3072 and 4096- - PSP generation verification key generation, bits - 112 to 150signature bits verification ECDSA ECDSA private Curve size: P- Asymmetric ECC key pair ECDSA private key used for EC 256, P-384 - 128 - CSP generation signature key key generation, and 192-bits generation key verification, ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 35

Name Description Size - Strength Type - Generated By Established Used By Category By signature generation, shared secret computation ECDSA ECDSA public key Curve size: P- Asymmetric ECC key pair ECC public key public used for EC key 256, P-384 - 128 - PSP generation verification key generation, key and 192-bits ECDSA verification, signature signature verification verification, shared secret computation EC EC Diffie- Curve size: P- Asymmetric ECC key pair EC DiffieDiffie- Hellman private 256, P-384 - 128 - CSP generation Hellman Hellman key used for EC and 192-bits Shared Secret private key generation, Computation key key verification, ECC public key signature verification generation, shared secret computation EC EC Diffie- Curve size: P- Asymmetric ECC key pair EC DiffieDiffie- Hellman public 256, P-384 - 128 - PSP generation Hellman Hellman key used for EC and 192-bits Shared Secret public key generation, Computation key key verification, ECC public key signature verification generation, shared secret computation EC EC Diffie- Curve size: P- Asymmetric EC Diffie- EC DiffieDiffie- Hellman shared 256, P-384 - 128 - CSP Hellman Hellman Hellman secret generated and 192-bits Shared Secret Shared Secret shared by KAS-ECC-SSC Computation Computation secret TLS pre- TLS pre-primary ECDH Curve Asymmetric Key derivation primary secret used for size:: P-256, P- - CSP secret deriving the TLS 384 - 128 or 192primary secret bits TLS TLS primary 384-bits - 128 or Symmetric - Key derivation Key derivation primary secret used for 192-bits CSP secret deriving the TLS derived key ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 36

Name Description Size - Strength Type - Generated By Established Used By Category By TLS TLS derived Key length: 128 Symmetric - Key derivation Key derivation derived session key from and 256-bits CSP session TLS primary (AES); key secret HMAC_SHA2256, HMACSHA2-384 - 128 or 192-bits SSH SSH shared secret Curve size: P- Asymmetric Key derivation shared used for deriving 256, P-384 - 128 - CSP secret the SSH key or 192-bits SSH SSH derived Key length: 128 Symmetric - Key derivation Key derivation derived session key and 256-bits CSP session (AES); key HMAC_SHA1, HMAC-SHA2-

256 - 128 or 192-

bits Entropy Entropy input 256 bits - 256 bits Random Random input string used to seed number Number string the DRBG generation - Generation CSP DRBG DRBG seed 256 bits - 256 bits Random Random Random seed derived from number Number Number entropy input as generation - Generation Generation defined in SP 800- CSP 90Ar1 DRBG Internal state of 256 bits - 256 bits Random Random Random internal CTR_DRBG number Number Number state (V generation - Generation Generation and key CSP values) GCM IV Internal IV 96 bits - 96 bits IV - PSP SP 800-38D AES-Key in TLS generated for section 8.2.1 Wrapping context GCM to be used Deterministic Authenticated for TLS compliant generation encryption with RFC5288 with AES GCM Authenticated decryption with AES GCM GCM IV Internal IV 96 bits - 96 bits IV - PSP SP 800-38D AES-Key in SSH generated for section 8.2.1 Wrapping context GCM to be used Authenticated encryption ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 37

Name Description Size - Strength Type - Generated By Established Used By Category By for SSH compliant Deterministic with AES GCM with RFC5647 generation Authenticated decryption with AES GCM Table 19: SSP Table 1 Name Input - Storage Storage Duration Zeroization Related SSPs Output AES key API output RAM:Plaintext From handle Free Cipher parameters creation until freeing Handle API input the cipher handle Module Reset parameters HMAC key API input RAM:Plaintext From handle Free Cipher parameters creation until freeing Handle the cipher handle Module Reset RSA private key API output RAM:Plaintext From handle Free Cipher RSA public key:Paired parameters creation until freeing Handle With API input the cipher handle Module Reset parameters RSA public key API output RAM:Plaintext From handle Free Cipher RSA private key:Paired parameters creation until freeing Handle With API input the cipher handle Module Reset parameters ECDSA private API output RAM:Plaintext From handle Free Cipher ECDSA public key parameters creation until freeing Handle key:Paired With API input the cipher handle Module Reset parameters ECDSA public API output RAM:Plaintext From handle Free Cipher ECDSA private key parameters creation until freeing Handle key:Paired With API input the cipher handle Module Reset parameters EC Diffie- API output RAM:Plaintext From handle Free Cipher EC Diffie-Hellman Hellman private parameters creation until freeing Handle public key:Paired With key API input the cipher handle Module Reset parameters EC Diffie- API output RAM:Plaintext From handle Free Cipher EC Diffie-Hellman Hellman public parameters creation until freeing Handle private key:Paired With key API input the cipher handle Module Reset parameters ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 38

Name Input - Storage Storage Duration Zeroization Related SSPs Output EC Diffie- API output RAM:Plaintext From handle Free Cipher Hellman shared parameters creation until freeing Handle secret the cipher handle Module Reset TLS pre-primary API input RAM:Plaintext From handle Free Cipher TLS primary secret:Used secret parameters creation until freeing Handle With the cipher handle Module Reset TLS primary API output RAM:Plaintext From handle Free Cipher TLS pre-primary secret secret parameters creation until freeing Handle :Used With API input the cipher handle Module Reset parameters TLS derived API output RAM:Plaintext From handle Free Cipher TLS primary session key parameters creation until freeing Handle secret:Derived From the cipher handle Module Reset SSH shared API input RAM:Plaintext From handle Free Cipher SSH derived session key secret parameters creation until freeing Handle :Used With the cipher handle Module Reset SSH derived API output RAM:Plaintext From handle Free Cipher SSH shared session key parameters creation until freeing Handle secret:Derived From the cipher handle Module Reset Entropy input RAM:Plaintext Storage duration Module Reset DRBG seed :Used With string during the usage of the CSP DRBG seed RAM:Plaintext Storage duration Free Cipher DRBG internal state (V during the usage of Handle and key values) :Used the CSP Module Reset With DRBG internal RAM:Plaintext Storage duration Free Cipher DRBG seed :Used With state (V and key during the usage of Handle values) the CSP Module Reset GCM IV in TLS API output RAM:Plaintext From handle Free Cipher context parameters creation until freeing Handle API input the cipher handle parameters GCM IV in SSH API output RAM:Plaintext From handle Free Cipher context parameters creation until freeing Handle API input the cipher handle parameters Table 20: SSP Table 2 ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 39
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm Test Test Method Test Type Indicator Details or Test Properties HMAC- HMAC Message SW/FW Module Integrity of the module is verified by SHA2-256 key: 256- Authentication Integrity becomes comparing the HMAC-SHA2-256 value (A4782) bits operational calculated at runtime with the HMACSHA2-256 value stored in the module crypto boundary that was computed at build time Table 21: Pre-Operational Self-Tests Pre-operational self-tests are performed automatically when the module is loaded into memory. While the module is executing the pre-operational self-tests, services are not available, and input and output are inhibited. The module does not return control to the calling application until the tests are completed. On successful completion of the pre-operational self-tests, the module enters operational mode and cryptographic services are available.

10.2 Conditional Self-Tests

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Counter AES-256 in CTR mode, KAT CAST Module SP800-90ARev1 Test run during DRBG with derivation becomes section 11.3 pre-operational (A4783) function, prediction operational health tests self-test resistance disabled AES-CBC 128-bit key KAT CAST Module Encryption / Test run during (A4783) becomes decryption pre-operational operational self-test AES-GCM 128-bit key KAT CAST Module Encryption / Test run during (A4783) becomes decryption pre-operational operational self-test RSA SigGen 2048 bit key and SHA2- KAT CAST Module Signature Test run during (FIPS186-4) 256 becomes generation pre-operational (A4782) operational self-test RSA SigVer 2048 bit key and SHA2- KAT CAST Module Signature Test run during (FIPS186-4) 256 becomes verification pre-operational (A4782) operational self-test RSA KeyGen 4096 bit key and SHA2- PCT PCT Asymmetric Calculation and Key generation (FIPS186-4) 256 algorithm is verification of a (A4782) performed digital signature ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 40

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type ECDSA P-256 and SHA2-256 KAT CAST Module Signature Test run during SigGen becomes generation pre-operational (FIPS186-4) operational self-test (A4782) ECDSA SigVer P-256 and SHA2-256 KAT CAST Module Signature Test run during (FIPS186-4) becomes verification pre-operational (A4782) operational self-test ECDSA P-256 and SHA2-256 PCT PCT Asymmetric Calculation and Key generation KeyGen algorithm is verification of a (FIPS186-4) performed digital signature (A4782) KAS-ECC-SSC P-256 KAT CAST Module Shared secret Test run during Sp800-56Ar3 becomes computation pre-operational (A4782) operational self-test HMAC-SHA- HMAC-SHA-1 KAT CAST Module MAC Test run during

1 (A4782) becomes pre-operational

operational self-test HMAC- HMAC-SHA2-256 KAT CAST Module MAC Test run during SHA2-256 becomes pre-operational (A4782) operational self-test TLS v1.2 KDF SHA-256 KAT CAST Module Key derivation Test run during RFC7627 becomes used in the TLS pre-operational (A4782) operational protocol self-test KDF TLS SHA-256 KAT CAST Module Key derivation Test run during (A4782) becomes used in the TLS pre-operational operational protocol self-test KDF SSH SHA-256 KAT CAST Module Key derivation Test run during (A4782) becomes used in the SSH pre-operational operational protocol self-test HMAC-SHA- HMAC-SHA-1 KAT CAST Module MAC Test run during

1 (A4783) becomes pre-operational

operational self-test HMAC- HMAC-SHA-384 KAT CAST Module MAC Test run during SHA2-384 becomes pre-operational (A4782) operational self-test AES-CBC 128-bit key KAT CAST Module Encryption / Test run during (A4782) becomes decryption pre-operational operational self-test ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 41

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-GCM 128-bit key KAT CAST Module Encryption / Test run during (A4782) becomes decryption pre-operational operational self-test Counter AES-256 in CTR mode, KAT CAST Module SP800-90ARev1 Test run during DRBG with / without becomes section 11.3 pre-operational (A4782) derivation function, operational health tests self-test prediction resistance enabled and disabled Table 22: Conditional Self-Tests

10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity Determined by the Module reload (A4782) Authentication operator Table 23: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method Counter DRBG KAT CAST On Demand Manually (A4783) AES-CBC (A4783) KAT CAST On Demand Manually AES-GCM (A4783) KAT CAST On Demand Manually RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4782) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4782) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4782) ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A4782) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A4782) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A4782) ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 42

Algorithm or Test Test Method Test Type Period Periodic Method KAS-ECC-SSC KAT CAST On Demand Manually Sp800-56Ar3 (A4782) HMAC-SHA-1 KAT CAST On Demand Manually (A4782) HMAC-SHA2-256 KAT CAST On Demand Manually (A4782) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A4782) KDF TLS (A4782) KAT CAST On Demand Manually KDF SSH (A4782) KAT CAST On Demand Manually HMAC-SHA-1 KAT CAST On Demand Manually (A4783) HMAC-SHA2-384 KAT CAST On Demand Manually (A4782) AES-CBC (A4782) KAT CAST On Demand Manually AES-GCM (A4782) KAT CAST On Demand Manually Counter DRBG KAT CAST On Demand Manually (A4782) Table 24: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Halt Module is no HMAC-SHA2-256 The module Module will not load, Error message related to the Error longer operational. KAT failure or must be re- crypto function listed in Table 18 and the flag The data output is HMAC-SHA2-256 loaded 'fips_selftest_fail' is set.Error message a PCT inhibited. integrity test failure failure for RSA, ECDH or ECDSA pairwise Failure of any of the consistency test and the flag 'fips_selftest_fail' is CASTs set. Failure of any of the PCTs Table 25: Error States ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 43
10.5 Operator Initiation of Self-Tests

The on demand self-tests can be invoked by unloading and subsequently reloading the module. This service performs the same cryptographic algorithm tests executed during pre-operational self-test and module loading. During the execution of the on demand self-tests, crypto services are not available, and no data output or input is possible. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 44
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Startup Procedures: Before the Crypto Officer can configure and use the F5OS-C software on VELOS platforms, the Crypto Officer must license the VELOS system. For automatic VELOS system licensing, the system needs to be able to connect to the F5 licensing server either through the internet or another means of networking. You need to have the Base Registration Key (five sets of characters separated by hyphens) provided by F5, and any add-on keys (two sets of 7 characters separated by a hyphen) that you have purchased. The Base Registration Key with associated add-on keys are pre-installed on a new VELOS system. The activation of the VELOS system license is described in License the system automatically from the CLI (https://techdocs.f5.com/en-us/velos-16-0/velos-systems-installation-upgrade/title-install-before-install-upgrade.html#license-chassis-cli). Installation Process: The Crypto Officer downloads the F5OS-C software image files (ie the module i.e. 1.0.2zc-fips binary and its integrity check file) and deploy it. The VELOS systems (controller or blade platforms) run F5OS-C software packages. After the FIPS validated module license is installed, the command prompt will change to ‘REBOOT REQUIRED’. The Crypto Officer must reboot the BIG-IP for all FIPS-compliant changes to take effect.

11.2 Administrator Guidance

The FIPS validated module activation requires installation of the license referred as ‘FIPS license’. The Crypto Officer should call the show license service (with command "show system licensing"), then verify that the list of license flags includes "FIPS 140 License”. On the BIG-IP product the Crypto Officer should call the dedicated Show version API, fips_get_f5fips_module_version, to ensure that the module identifier and version are shown as: Cryptographic Module and OpenSSL 1.0.2zc-fips. The ESV Public Use Document (PUD) reference for non-physical entropy source is as follows: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/85

11.3 Non-Administrator Guidance
11.4 Design and Rules

The Crypto Officer shall consider the following requirements and restrictions when using the module. The IV for AES-GCM is constructed in compliance with IG C.H scenario 1a (TLS 1.2) and scenario 1d (SSHv2) in section 2.7.

11.6 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 45
12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 46

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DF Derivation Function DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ESV Entropy Source Validation FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test KW AES Key Wrap MAC Message Authentication Code NDF No Derivation Function NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pairwise Consistency Test ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 47

PR Prediction Resistance PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSH Secure Shell TDES Triple-DES XTS XEX-based Tweaked-codebook mode with cipher text Stealing ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 48

Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program January 2024 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 49

SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-56ARev3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP800-56CRev2 Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 ____________________________________________________________________________________________________________________ © 2025 F5, Inc.

Page 50

SP800-57 NIST Special Publication 800-57 Part 1 Revision 4 - Recommendation for Key Management Part 1: General January 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf SP800-67 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf SP800-90ARev1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B (Second DRAFT) NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-131A NIST Special Publication 800-131A Revision 1- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths November 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation Part 1: Storage Applications December 2010 http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP800-133Rev2 NIST Special Publication 800-133 - Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135Rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing ApplicationSpecific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf ____________________________________________________________________________________________________________________ © 2025 F5, Inc.