All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

Certificate#5030StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorApple Inc.
Low review priority  ·  no TCB surface named  ·  last validated 13 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date6/24/2030
CaveatWhen operated in approved mode
VendorApple Inc.

Approved Algorithms (16)

AlgorithmACVP Cert
AES-CBCA1469
AES-ECBA1362
AES-KWA2843
Counter DRBGA1362
HMAC-SHA-1A2845
HMAC-SHA2-224A2845
HMAC-SHA2-256A2845
HMAC-SHA2-384A2845
HMAC-SHA2-512A2845
HMAC-SHA2- 512/256A2848
SHA-1A2845
SHA2-224A2845
SHA2-256A2845
SHA2-384A2845
SHA2-512A2845
SHA2- 512/256A2848

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Non-Invasive Security8
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Unauthenticated Symmetric Encryption and Decryption<br/>Perform self test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Unauthenticated Symmetric Encryption and Decryption<br/>Perform self test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Apple Inc. Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 3

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table of Contents This document may be reproduced and distributed only in its original entirely without revision.

Page 4

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Appendix A. Appendix B. This document may be reproduced and distributed only in its original entirely without revision.

Page 5

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] List of Tables This document may be reproduced and distributed only in its original entirely without revision.

Page 6

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] List of Figures This document may be reproduced and distributed only in its original entirely without revision.

Page 7

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Trademarks Apple’s trademarks applicable to this document are listed in https://www.apple.com/legal/intellectual-property/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirely without revision.

Page 8
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic module specification2
33Cryptographic module interfaces2
44Roles, services, and authentication2
55Software/Firmware security2
66Operational environmentN/A
77Physical security3
88Non-invasive securityN/A
99Sensitive security parameter management2
1010Self-tests2
1111Life-cycle assurance2
1212Mitigation of other attacksN/A
Overall LevelOverall Level2

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 2 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800140Br1.

1.2 Security Levels

N/A N/A N/A Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.

Page 9

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] cryptographic module (hereafter referred to as “the module”) consists of both firmware and hardware components. The Secure Key Store (SKS) application is the module’s firmware which operates within the sepOS execution environment which is separate from the Device OS’ (iPadOS 15) execution environment. The firmware interface is defined as the API offered by the module's mailbox interface to callers from the Device OS execution environment. SKS has an API layer that provides consistent interfaces to the supported services and therefore the supported cryptographic algorithms. In addition, the module provides InterProcess Communication (IPC) interfaces to other applications executing within the sepOS execution environment. The sepOS execution environment is driven by its own CPU and operates from a dedicated region of the device’s memory. Both the Device’s and sepOS’ execution environments are physically separated on the SoC and thus execute independently of each other. Module Type: Hardware Module Embodiment: SingleChip Module Characteristics: SubChip Cryptographic Boundary: The module cryptographic boundary is delineated by the dotted blue rectangle in the Figure 1. The cryptographic module boundary includes the following hardware components:

Page 10

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Figure 1: Block Diagram Tested Operational Environment’s Physical Perimeter (TOEPP): The physical perimeter is represented by the most exterior black line in the block diagram Figure 1. A photograph of each hardware module is shown below Figure 2: Apple A Series A13 Bionic Figure 3: Apple A Series A14 Bionic Figure 4: Apple A Series A15 Bionic

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 11
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeatures
SKS on A13 Bionic embedded in iPad (9th generation) running sepOS distributed with iPadOS 15SKS on A13 Bionic embedded in iPad (9th generation) running sepOS distributed with iPadOS 152.012.0Apple A Series A13 BionicN/A
SKS on A14 Bionic embedded in iPad (4th generation) running sepOS distributed with iPadOS 15SKS on A14 Bionic embedded in iPad (4th generation) running sepOS distributed with iPadOS 152.012.0Apple A Series A14 BionicN/A
SKS on A15 Bionic embedded in iPad (6th generation) running sepOS distributed with iPadOS 15SKS on A15 Bionic embedded in iPad (6th generation) running sepOS distributed with iPadOS 152.012.0Apple A Series A15 BionicN/A
Service
NameDescriptionIndicatorType
Non- Approved modeNon-Approved mode of operation is entered when the module utilizes non-approved security functions in the Table Non-Approved Algorithms Not Allowed in the Approved Mode of Operation.return a '0' from fips_allowed_mode() for block cipher functions and fips_allowed() for all other services to indicate the executed cryptographic algorithm was non- approvedNon- Approved

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] 2.0 N/A 2.0 N/A 2.0 N/A

2.3 Excluded Components

None for this module Modes List and Description: NonApproved This document may be reproduced and distributed only in its original entirely without revision.

Page 12
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA1469Direction - Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA2842Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA2843Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA2844Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA2845Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA2863Direction - Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA510Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA1362Direction - Encrypt Key Length - 256SP 800-38A
AES-ECBA1469Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA2842Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA2843Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA2845Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA2847SP 800-38A
AES-ECBA2863Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA2864Direction - Encrypt Key Length - 256SP 800-38A
AES-ECBA501Direction - Encrypt Key Length - 256SP 800-38A
AES-ECBA510Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-KWA2843Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-KWA2845Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-KWA2846Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
Counter DRBGA1362Prediction Resistance - Yes Mode - AES-256 Derivation Function Enabled - NoSP 800-90A Rev. 1
Counter DRBGA2864Prediction Resistance - Yes Mode - AES-256 Derivation Function Enabled - NoSP 800-90A Rev. 1
Counter DRBGA501Prediction Resistance - Yes Mode - AES-256 Derivation Function Enabled - NoSP 800-90A Rev. 1
HMAC-SHA-1A2845Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA-1A2848Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-224A2845Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-224A2848Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-256A2845Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-256A2848Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-256A2849Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-384A2845Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-384A2848Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-512A2845Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2-512A2848Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A2848Key Length - Key Length: 8-262144 Increment 8FIPS 198-1
SHA-1A2845Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA-1A2848Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-224A2845Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-224A2848Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-256A2845Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-256A2848Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-256A2849Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-384A2845Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-384A2848Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-512A2845Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2-512A2848Message Length - Message Length: 0-32768 Increment 8FIPS 180-4
SHA2- 512/256A2848Message Length - Message Length: 0-32768 Increment 8FIPS 180-4

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

2.5 Algorithms

Approved Algorithms: Table 4: Approved Algorithms - AES-CBC This document may be reproduced and distributed only in its original entirely without revision.

Page 13

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table 5: Approved Algorithms - AES-ECB Table 6: Approved Algorithms - AES-KW CTR_DRBG Table 7: Approved Algorithms - CTR_DRBG This document may be reproduced and distributed only in its original entirely without revision.

Page 14

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table 8: Approved Algorithms - HMAC Message Digest This document may be reproduced and distributed only in its original entirely without revision.

Page 15
Service
NameApproved FunctionsProperties
CKGKey Type:SymmetricN/ASP800-133 Rev2 Section 4, example 1
Ed25519 Key generationEdDSA signature scheme
Ed25519 shared secret generationEdDSA shared secret generation
Curve 25519 key generationkey generation
Curve 25519 shared secret generationshared secret generation
ECDH Key Pair GenerationElliptic Curve Integrated Encryption Scheme (ECIES) Key Generation
ECDH Shared Secret ComputationElliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption
ANSI X9.63 KDFElliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption
AES-GCMElliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption
HKDF RFC5869HMAC based Key Derivation Function
PBKDFKey Derivation
Service
NameDescriptionApproved FunctionsTypeProperties
CKGKey Type:SymmetricN/ASP800-133 Rev2 Section 4, example 1
Ed25519 Key generationEdDSA signature scheme
Ed25519 shared secret generationEdDSA shared secret generation
Curve 25519 key generationkey generation
Curve 25519 shared secret generationshared secret generation
ECDH Key Pair GenerationElliptic Curve Integrated Encryption Scheme (ECIES) Key Generation
ECDH Shared Secret ComputationElliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption
ANSI X9.63 KDFElliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption
AES-GCMElliptic Curve Integrated Encryption Scheme (ECIES) Encryption/Decryption
HKDF RFC5869HMAC based Key Derivation Function
PBKDFKey Derivation
ECDSA implemented in FWKey generation as part of Ref key generation service and validation, Signature generation and verification as part of Device keybag service
ECDSA implemented in HW PKAKey generation as part of Ref key generation service Signature generation primitive
ECDH implemented in FWShared secret computation
ECDH implemented in HW PKAShared secret computation
AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller keyKey wrapping and unwrapping
Unauthenticated Symmetric Encryption and DecryptionAES Encrypt/DecryptAES-CBC: (A2842, A2843, A2844, A2845, A510, A1469, A2863) Key Size/Strength: 128, 192, 256 AES-ECB: (A2842, A2843, A2845, A510, A2847, A1469, A2863, A2864, A1362) Key Size/Strength: 128, 192, 256 AES-ECB: (A501) Key Size/Strength: 256BC-UnAuthAES [FIPS 197; SP 800- 38A]:CBC, ECB
key wrapping / key unwrappingAES Key WrappingAES-KW: (A2843, A2845, A2846) KeyKTS-WrapKTS (AES) [SP 800-38F]:AES- KW

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] SHA2512/256 Table 9: Approved Algorithms - Message Digest Vendor-Affirmed Algorithms: Table 10: Vendor-Affirmed Algorithms Non-Approved, Not Allowed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.

Page 16
Service
NameDescriptionApproved FunctionsTypeProperties
ECDSA implemented in FWKey generation as part of Ref key generation service and validation, Signature generation and verification as part of Device keybag service
ECDSA implemented in HW PKAKey generation as part of Ref key generation service Signature generation primitive
ECDH implemented in FWShared secret computation
ECDH implemented in HW PKAShared secret computation
AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller keyKey wrapping and unwrapping
Unauthenticated Symmetric Encryption and DecryptionAES Encrypt/DecryptAES-CBC: (A2842, A2843, A2844, A2845, A510, A1469, A2863) Key Size/Strength: 128, 192, 256 AES-ECB: (A2842, A2843, A2845, A510, A2847, A1469, A2863, A2864, A1362) Key Size/Strength: 128, 192, 256 AES-ECB: (A501) Key Size/Strength: 256BC-UnAuthAES [FIPS 197; SP 800- 38A]:CBC, ECB
key wrapping / key unwrappingAES Key WrappingAES-KW: (A2843, A2845, A2846) KeyKTS-WrapKTS (AES) [SP 800-38F]:AES- KW
Random Number GenerationRandom number generator using AES-256Counter DRBG: (A501, A2864, A1362) Key Size/Strength: 256DRBGCTR_DRBG [SP800- 90ARev1]:AES- 256; No Derivation Function; Prediction Resistance Enabled
HMAC Message AuthenticationKey Length 8 - 262144 bits/ Key Strength: 112 to 256 bitsHMAC-SHA-1: (A2845, A2848) HMAC-SHA2- 224: (A2845, A2848) HMAC-SHA2- 256: (A2845, A2848, A2849) HMAC-SHA2- 384: (A2845, A2848) HMAC-SHA2- 512: (A2845, A2848) HMAC-SHA2- 512/256: (A2848)MACHMAC [FIPS 198]:SHA-1, SHA-224, SHA- 256, SHA-384, SHA-512, SHA- 512/256
Message DigestHash functionSHA-1: (A2845, A2848) SHA2-224: (A2845, A2848) SHA2-256: (A2845, A2848, A2849) SHA2-384: (A2845, A2848) SHA2-512: (A2845, A2848)SHASHS [FIPS 180- 4]:SHA-1, SHA- 224, SHA-256, SHA-384, SHA- 512, SHA- 512/256
Symmetric Key GenerationAES Key GenerationCKG: () AES key: Key Length/ Key Strength: 256 Counter DRBG: (A1362, A2864, A501)CKGCKG [SP800- 133Rev2]:Key Length/Key Strength: 256- bits

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table 11: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

This document may be reproduced and distributed only in its original entirely without revision.

Page 17

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] [SP80090ARev1]:AES256; No This document may be reproduced and distributed only in its original entirely without revision.

Page 18
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Apple corecrypto physical entropy sourcePhysical256 bitSee Tested Operational Environment Table256 bitSHA-256 [ACVP cert. # C1223]

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Strength: 256bits Table 12: Security Function Implementations

2.7 Algorithm Specific Information

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes except signature verification, starting January 1, 2030.

2.8 RBG and Entropy

Table 13: Entropy Certificates Table 14: Entropy Sources Entropy sources : The internal physical noise source consisting of ring oscillators. RBGs: The NIST [SP 800-90ARev1] approved deterministic random bit generators (DRBG) used for random number generation is a CTR_DRBG using AES-256 without derivation function and with prediction resistance. The module performs DRBG health tests according to [SP800-90ARev1 section 11.3]. This document may be reproduced and distributed only in its original entirely without revision.

Page 19

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] The deterministic random bit generators are seeded by the physical noise source. RBG Output: The output of hardware entropy source provides 256-bits of security strength in instantiating and reseeding the module approved DRBGs.

2.9 Key Generation

See vendor affirmed algorithms (CKG) in section 2.5.

2.10 Key Establishment

The Module implements AES key wrapping and unwrapping as part of KTS in accordance with IG D.G method 2 and SP800-38F.

2.11 Industry Protocols

None for this module This document may be reproduced and distributed only in its original entirely without revision.

Page 20
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Mailbox Memory, IPC channelMailbox Memory, IPC channelData Input Data OutputData inputs/outputs are provided through the memory used for mailbox and IPC
Mailbox Memory, IPC channelMailbox Memory, IPC channelControl InputControl input which controls the module's operation is provided through the mailbox by the Device OS' kernel and to applications located within the sepOS execution environment through IPC.
Mailbox Memory, IPC channelMailbox Memory, IPC channelStatus OutputStatus output is provided in return codes and through messages returned via the mailbox or the IPC. Documentation for each service invocation lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation.

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Table 15: Ports and Interfaces This document may be reproduced and distributed only in its original entirely without revision.

Page 21
Sensitive security parameter
NameDescriptionStrengthSecurity MechanismStrength per Minute
AES- KWUnwrapping function256-bitskey wrapping / key unwrapping60,000,000 * 1 / 2^256
ImplicitImplicit role assumption for non-crypto servicesN/ANoneN/A

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

4 Roles, Services, and Authentication
4.1 Authentication Methods

AESKW N/A N/A Table 16: Authentication Methods Within the constraints of FIPS 140-3 overall security level 2 (with physical security at security level 3), the module implements a role-based authentication mechanism for authentication of the user role. The module implements authenticated encryption-based mechanism in the following way: to request an authenticated service from the module the user must provide the credential and a reference to the class C or A keys of the user keybag that is stored encrypted under SP800-38F AES Key Wrapping (AES-KW) within the module. The module performs obfuscation on the Operator provided credential. The resulting value -called REK (Root Encryption Key)- is used as the 256-bit AES key. Using this key, the module decrypts all the class C or A keys in the referenced user keybag with SP800-38F AES Key Unwrapping function (i.e., AES-KW-AD). As AES-KW is an authentication cipher, the decryption operation will only succeed if there is no authentication error. If the user keybag can be successfully decrypted, the user is authenticated to the module and the requested crypto service will then be proceeded with the decrypted user key. The failure of decrypting the user keybag is also a user authentication failure and the Operator will be denied access to the module. The User keybags are configured in the module during factory install. Each User keybag consists of set of class C, A and D keys. Specifically, class C keys include C key, CK key, CKU keys and the class A keys include A key, AK key, AKU key and APKU key. Only the class A or C keys are considered as approved. Any use of class D keys is considered as non-approved. The module maintains authenticated session from the time the User keybags are unwrapped until the power off. Upon power off, the unwrapped User keybags are zeroized and at the next power on the User credential needs to be provided again in order to unwrap the User keybag. All authentication data is provided electronically from the calling application/service and hence is not in visible form. The module does not support concurrent operators. This document may be reproduced and distributed only in its original entirely without revision.

Page 22
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
UserAuthenticatedRoleAES-KW
Crypto OfficerNon- authenticatedRoleImplicit
User Keybag Services via MailboxStep 1: The module receives User credential and the reference to the class C or A key from the User keybag; Step 2. Obfuscation is performed on the User provided credential resulting into a value called REK.; Step 3. REK is used as a key for the AES KW operation to unwrap the referenced class A or C keys in the user keybag stored in the module; Step 4. Status of unwrapping operation of class keys is returned viaUser - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): W,E - REK: W,E - Authentic ation Credential : W,EUnauthenti cated Symmetric Encryption and Decryption key wrapping / key unwrappin gSuccess returne d from API listed in the custom er proprie tary guidan ce docum entUser creden tial, referen ce to class C/A key from the user keybagstatus (success/e rror)
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
UserAuthenticatedRoleAES-KW
Crypto OfficerNon- authenticatedRoleImplicit
User Keybag Services via MailboxStep 1: The module receives User credential and the reference to the class C or A key from the User keybag; Step 2. Obfuscation is performed on the User provided credential resulting into a value called REK.; Step 3. REK is used as a key for the AES KW operation to unwrap the referenced class A or C keys in the user keybag stored in the module; Step 4. Status of unwrapping operation of class keys is returned viaUser - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): W,E - REK: W,E - Authentic ation Credential : W,EUnauthenti cated Symmetric Encryption and Decryption key wrapping / key unwrappin gSuccess returne d from API listed in the custom er proprie tary guidan ce docum entUser creden tial, referen ce to class C/A key from the user keybagstatus (success/e rror)
General Authentication serviceThe module invokes the User Keybag Services via Mailbox (i.e. #1 above)User - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): W,E - REK: W,E - Authentic ation Credential : W,Ekey wrapping / key unwrappin gSuccess returne d from API listed in the custom er proprie tary guidan ce docum entUser creden tial, referen ce to class C/A key from the user keybagstatus (success/e rror)
Generation of Data Encryption Key (DEK)Step 1: The module receives the reference to the class C or A key from the user keybag; Step 2: The module generates a new DEK using the DRBG; Step 3: Referenced class C or A key is used to wrap the DEK using AES-KW; Step 4: Wrapped DEK isUser - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): W,E - Entropy input string: W,E - DRBGSymmetric Key GenerationSuccess returne d from API listed in the custom er proprie tary guidan ce docum entreferen ce to class C/A key from the User keybagwrapped DEK
sent out of the modulesent out of the moduleseed: W,E - DRBG internal state (V value, Key): W,E - Data Encryptio n Key (DEK) (AES key): G,W,E
Keychain DEK service using AK/AKU/AKPU/ CK/CKU class keyStep 1. The module receives wrapped DEK (that was sent as part of service 3 above) and the pointer to class key AK/AKU/AKPU/ CK/CKU from the user keybag; Step 2. Using the referenced class key, the module unwraps the DEK using AES- KW. If the class key is not available, an error is returned; Step 3. plaintext DEK is sent out to the User. (AS09.16)User - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): W,E - Data Encryptio n Key (DEK) (AES key): W,Ekey wrapping / key unwrappin gSuccess returne d from API listed in the custom er proprie tary guidan ce docum entpointer to AK/AK U/ AKPU/ CK/ CKU class key, wrapp ed DEKunwrappe d DEK
Backup keybag generationThe module generates new set of back up keybags using the DRBGUser - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys): G,E - Entropy input string: W,E - DRBG seed: W,E - DRBG internal state (V value, Key): W,ERandom Number GenerationSuccess returne d from API listed in the custom er proprie tary guidan ce docum entN/Astatus (success/e rror)
Backup keybag serviceStep 1. The module receives wrapped DEK and the class key reference for C and A from the user keybag; 2. Using the referenced class key, the module unwraps the DEK using AES- KW. If the class key is not available, anUser - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): W,E - Data Encryptio n Key (DEK)key wrapping / key unwrappin gSuccess returne d from API listed in the custom er proprie tary guidan ce docum entwrapp ed DEK, referen ce to class C or A key from the user keybagwrapped DEK

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

4.2 Roles
4.3 Approved Services

C/A g : W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 23

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] C/A g : W,E C/A W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 24

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] G,W,E U/ g W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 25

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] N/A W,E g This document may be reproduced and distributed only in its original entirely without revision.

Page 26
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorInputOutput
Escrow keybag creationThe module generates new set of escrow keybag using the DRBGUser - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Escrow Keybag (AES keys): G,E - Entropy input string:Random Number GenerationSuccess returne d from API listed in the custom er proprie tary guidan ce docum entN/Astatus (success/e rror)
Export KeybagStep 1. The module receives reference to a keybag; Step 2: A HMAC key is taken as input based on the hardware specific data for the SKS; Step 3: HMAC value is calculated on the entire referenced keybag that includes encrypted keys; Step 4: HMAC is appended at the end of the keybag; Step 5: keybag with the appended HMAC is output to the UserUser - HMAC key: W,E - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): R,E - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys): R,E - Class A, Class C, Class AK, Class AKU, Class CK, Class CKUHMAC Message Authenticat ion Message DigestSuccess returne d from API listed in the custom er proprie tary guidan ce docum entreferen ce to a keybag to be export edkeybag with HMAC tag
Device WipeErase all content (Factory Reset)Crypto Officer - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys): Z - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys): Z - Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Escrow Keybag (AES keys): Z - DataNoneSuccess returne d from API listed in the custom er proprie tary guidan ce docum entN/AN/A
Perform self testInitiate pre- operational self- test and CASTs by powering off/onCrypto OfficerUnauthenti cated Symmetric Encryption and Decryption key wrapping / key unwrappin g Random Number Generation HMAC Message AuthenticatN/Amodul e power- off/onresults of self-test
Show StatusN/ACrypto OfficerNoneN/AN/Astatus
Show Module Version InformationN/ACrypto OfficerNoneN/AN/AModule name and version
Class D key File System Services to wrap or unwrap DEKWrapping of provided plaintext DEK or unwrapping of provided wrapped DEK using class D key from Backup keybag or Flash in SEPCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Class D key service to encrypt or decrypt dataEncryption of provided plaintext or decryption of provided ciphertext using class D key from Device or iCloud KeybagCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] W,E W,E R,W,E N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 27

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 28

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 29

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Z :Z N/A e poweroff/on g This document may be reproduced and distributed only in its original entirely without revision.

Page 30
Service
NameDescriptionRolesCsps AccessedApproved FunctionsIndicatorInputOutput
Show StatusN/ACrypto OfficerNoneN/AN/Astatus
Show Module Version InformationN/ACrypto OfficerNoneN/AN/AModule name and version
Class D key File System Services to wrap or unwrap DEKWrapping of provided plaintext DEK or unwrapping of provided wrapped DEK using class D key from Backup keybag or Flash in SEPCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Class D key service to encrypt or decrypt dataEncryption of provided plaintext or decryption of provided ciphertext using class D key from Device or iCloud KeybagCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Class DK/DKU File System Services to wrap or unwrap keychainWrapping of provided plaintext keychain or unwrapping of provided wrapped keychain using class DK/DKU key from Backup keybag or User keybagCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Class DK/DKU key service for data encrypt or decryptEncryption of provided plaintext or decryption of provided ciphertext using DK/DKU key from Device or iCloud keybagCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Generate Ref-KeyKey GenerationCrypto OfficerEd25519 Key generation Curve 25519 key generation ECDH Key Pair Generation
Sign and verify using Ref-keySignature Generation and VerificationCrypto OfficerECDSA implemented in FW ECDSA implemented in HW PKA
Encryption and decryption using Ref- keyshared secret is generated using user provided key and existing ref key followed by HKDF is applied to derived a key which is used to encrypt the provided plaintext or decrypt the provided ciphertextCrypto OfficerAES-GCM HKDF RFC5869 ECDSA implemented in FW ECDSA implemented in HW PKA AES KW using class D key, keys from Device keybag, keys

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] N/A N/A N/A N/A N/A N/A Table 18: Approved Services The abbreviations of the access rights to SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A = The service does not access any SSP during its operation

4.4 Non-Approved Services

This document may be reproduced and distributed only in its original entirely without revision.

Page 31

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 32
Service
NameDescriptionRolesRole Access
Generate Shared Secret using Ref-keyShared secret generationCrypto OfficerEd25519 shared secret generation Curve 25519 shared secret generation ECDH Shared Secret Computation ECDH implemented in FW ECDH implemented in HW PKA
Device Keybag service for data encrypt or decryptEncryption of provided plaintext or decryption of provided ciphertext using any key from Device KeybagCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
iCloud Keybag service for data encrypt or decryptEncryption of provided plaintext or decryption of provided ciphertext using any key from iCloud KeybagCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Escrow keybag service for key wrapping and unwrappingWrapping of provided plaintext key or unwrapping of provided wrapped key using any key from Escrow KeybagCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud
Encrypt or Decrypt service using Class B Curve 22519 key from any keybagshared secret is computed by generating new ephemeral keypair and existing Curve25519 key followed by HKDF is applied to derived a key which is used doe data encryption or decryption. During encryption operations, the wrapped key and the ephemeral public key is sent to the userCrypto OfficerCurve 25519 key generation Curve 25519 shared secret generation HKDF RFC5869 AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Wrap or unwrap service for DEK or keychain using any Curve 22519 key from asymmetric keybagshared secret is computed by generating new ephemeral keypair and existing Curve25519 key followed by HKDF is applied to derived a key which is used to wrap and unwrap DEK or keychain. During wrapping operation, the wrapped key and the ephemeral public key is sent to the userCrypto OfficerCurve 25519 key generation Curve 25519 shared secret generation HKDF RFC5869 AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Asymmetric (Ed25519) backup keybag wrap and unwrapPointer to DK/DKU/CK/CKU/AK/AKU/AKPU key from asymmetric keybag, plaintext keychain during wrapping operation or wrapped keychain during unwrapping operationCrypto OfficerEd25519 Key generation Ed25519 shared secret generation HKDF RFC5869 AES KW using class D key, keys from Device
Wrap or unwrap service for keychain using DK/DKU/CK/ CKU/AK/AKU/AKPU Ed25519 key from asymmetric keybagshared secret is computed by generating new ephemeral keypair and existing Curve25519 key followed by HKDF is applied to derived a key which is used to wrap and unwrap. The wrapped key and the ephemeral public key is sent to the userCrypto OfficerEd25519 Key generation Ed25519 shared secret generation HKDF RFC5869 AES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
NVM Storage Controller Key Servicewrapping DEK using NVM storage controller keyCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Elliptic Curve Integrated Encryption Scheme (ECIES) EncryptionEncryptionCrypto OfficerECDH Shared Secret Computation ANSI X9.63 KDF AES-GCM
Elliptic Curve Integrated Encryption Scheme (ECIES) DecryptionDecryptionCrypto OfficerECDH Shared Secret Computation ANSI X9.63 KDF AES-GCM
PBKDF Key DerivationHash-based Key DerivationCrypto OfficerPBKDF
File system DEK serviceUnwrap the DEK using referenced class key and re-wrap using NVM storage controller keyCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Generation of DEK via IPC using class D keyRequesting generate DEK service via IPC Channel using class D keysCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key
Requesting backup keybag service via IPC using class D keyRequesting backup keybag service via IPC Channel using class D keysCrypto OfficerAES KW using class D key, keys from Device keybag, keys from iCloud keybag or NVM storage controller key

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 33

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 34

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 35

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table 19: Non-Approved Services

4.5 External Software/Firmware Loaded

N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 36

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

5 Software/Firmware Security
5.1 Integrity Techniques

The Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] is in the form of binary executable code. A firmware integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e. the module is not operational. As the module is delivered built with the Device OS, there is no standalone delivery of the module. The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version.

5.2 Initiate on Demand

The module’s integrity test can be performed on demand by powering-off and reloading the module. The integrity test on demand is performed as part of the Pre-Operational Self-Tests, automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.

Page 37

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Non-Modifiable

6.2 Configuration Settings and Restrictions

The module operates within the sepOS execution environment which is separate from the Device OS execution environment. The SEP operating system provides memory isolation between all applications executing on it. The Device OS is unable to access the module's memory or observe the module's operation. This document may be reproduced and distributed only in its original entirely without revision.

Page 38
MechanismInspectionInspection
FrequencyGuidance
Production Grade Components that include standard passivationNo operator- performed testing is recommendedN/A
Tamper-Evident Coating or black hard coated material or metal coating, SoC is soldered in logic board from the Ball Grid Array (BGA) or SIP is embedded in hardened resin. The components listed above are opaque within the visible spectrum.No operator- performed testing is recommendedN/A
Hardness of the coatingNo operator- performed testing is recommendedN/A
Environmental Failure Protection (EFP) forces the module to shut downNo operator- performed testing is recommendedN/A

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

7 Physical Security

The defined physical boundary of the Apple corecrypto Module v12 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] is the entire System-on-Chip (SoC) listed in the Tested Module Identification table. Consequently, the physical embodiment of each SoC is considered to be that of a single-chip cryptographic module. The hardware module conforms to the Level 3 requirements for physical security. The physical direct observation, probing, or manipulation of the single-chip as detailed in the Physical Security Mechanisms and Actions Required table. The hardness of the coated material was tested in the module's intended temperature range of operation (Hardness Testing Temperature features as detailed in the EFP/EFT Information Table.

7.1 Mechanisms and Actions Required

N/A N/A N/A N/A Table 20: Mechanisms and Actions Required

7.2 User Placed Tamper Seals

Number: Placement: Surface Preparation: Operator Responsible for Securing Unused Seals: Part Numbers: This document may be reproduced and distributed only in its original entirely without revision.

Page 39
Temp/Voltage TypeTemperature or VoltageEFPResult
or
EFT
LowTemperatureValues found in Apple proprietary documentEFPshutdown
HighTemperatureValues found in Apple proprietary documentEFPshutdown
LowVoltageValues found in Apple proprietary documentEFPshutdown
HighVoltageValues found in Apple proprietary documentEFPshutdown
TemperatureTemperature
Type
LowTemperature-25 Celcius
HighTemperature51 Celcius

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table 21: EFP/EFT Information N/A

7.4 Hardness Testing Temperature Ranges

Table 22: Hardness Testing Temperatures N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 40

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

8 Non-Invasive Security
8.1 Mitigation Techniques

Per IG 12.A, until the requirements of NIST SP 800-140F are defined, non-invasive mechanisms fall under ISO/IEC 19790:2012 Section 7.12 Mitigation of other attacks. The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.

Page 41
Sensitive security parameter
NameTypeDescription
FlashStaticPreloaded at factory
RAMDynamicVolatile memory
Service
NameTypeFromTo
User InputPlaintextUserRAMManualDirect
Export Keybag from FlashEncryptedFlashOperating calling application (TOEPP)AutomatedElectronickey wrapping / key unwrapping
Export Keybag from RAMEncryptedRAMOperating calling application (TOEPP)AutomatedElectronickey wrapping / key unwrapping
Obfuscation of User Input Authentication CredentialPlaintextUserRAMManualDirect
Obtained from ENT (P)PlaintextENT (P)RAMAutomatedElectronicRandom Number Generation
Pre-loaded from FactoryPlaintextFactory installFlashAutomatedElectronic

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

Table 24: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Keys and SSPs (including temporary SSPs) are zeroised when the appropriate context object is destroyed by overwriting the entire context object with all zeros. The zeroization occurs at the end of an API function that uses the CSPs or when the system is powered down or when the This document may be reproduced and distributed only in its original entirely without revision.

Page 42
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys)Symmetric - CSPAES keys in user keybag256- bits - 256- bitsUnauthenticat ed Symmetric Encryption and Decryption key wrapping / key unwrapping
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys)Symmetric - CSPAES keys in backup keybag256- bits - 256- bitsSymmetri c Key Generatio nkey wrapping / key unwrapping
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU inSymmetric - CSPAES keys in escrow keybag256- bits - 256- bitsSymmetri c Key Generatio nkey wrapping / key unwrapping
ZeroizationDescriptionRationaleOperator
MethodInitiation
Context object destructionSSPs are zeroised when the appropriate context object is destroyedZeroization when structure is deallocatedN/A
Power DownSSPs are zeroised when the system is powered downPowering down forces context object destructionOperator can initiate a power down
Device WipeErase all content (factory reset)Factory reset zeroizes all SSPs, including those stored in FlashOperator can initiate a device wipe

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] "Device Wipe" service is invoked. Data output interfaces are inhibited while zeroisation is performed. N/A Table 25: SSP Zeroization Methods n h 256bits 256bits 256bits 256bits n 256bits 256bits n This document may be reproduced and distributed only in its original entirely without revision.

Page 43
Sensitive security parameter
NameTypeDescriptionStrengthGenerationStorageZeroizationUseInput
Data Encryption Key (DEK) (AES key)Symmetric - CSPAES keys in user keybag256- bits - 256- bitsSymmetri c Key Generatio nkey wrapping / key unwrapping Random Number Generation
Entropy input stringEntropy - CSPEntropy input string256- bits - 256- bitsRandom Number Generatio nRandom Number Generation
DRBG seedSeed - CSPDRBG seed derived from entropy input (IG D.L compliant )384- bits - 256- bitsRandom Number Generatio nRandom Number Generation
DRBG internal state (V value, Key)DRBG - CSPInternal state values associate d with CTR_DRB G384- bits - 256- bitsRandom Number Generatio nRandom Number Generation
HMAC keyMessage Authenticatio n Key - CSPHMAC key112- bits - 112- bitsSymmetri c Key Generatio nRandom Number Generation
Authenticatio n CredentialUser- generated - CSPUser- provided credential sN/A - N/Akey wrapping / key unwrapping
REKSymmetric - CSPRoot Encryptio n Key256- bits - 256- bitskey wrapping / key unwrapping
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys)Flash:Encrypte dDevice WipeExport Keybag from Flash Pre-loaded from FactoryFrom factory install to device- wipe
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys)RAM:Encrypte dContext object destructio n Power DownExport Keybag from RAMFrom service invocatio n to service completio n
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Escrow Keybag (AES keys)RAM:Encrypte dContext object destructio n Power DownExport Keybag from RAMFrom service invocatio n to service completio n
Data Encryption Key (DEK) (AES key)RAM:Encrypte dContext object destructio n Power DownExport Keybag from RAMFrom service invocatio n to service

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] n h 256bits 256bits n 256bits 256bits n D.L ) 384bits 256bits n G 384bits 256bits n 112bits 112bits n N/A N/A Usergenerated CSP s This document may be reproduced and distributed only in its original entirely without revision.

Page 44
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputRelated SSPs
REKSymmetric - CSPRoot Encryptio n Key256- bits - 256- bitskey wrapping / key unwrapping
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in User Keybag (AES keys)Flash:Encrypte dDevice WipeExport Keybag from Flash Pre-loaded from FactoryFrom factory install to device- wipe
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Backup Keybag (AES keys)RAM:Encrypte dContext object destructio n Power DownExport Keybag from RAMFrom service invocatio n to service completio n
Class A, Class C, Class AK, Class AKU, Class CK, Class CKU in Escrow Keybag (AES keys)RAM:Encrypte dContext object destructio n Power DownExport Keybag from RAMFrom service invocatio n to service completio n
Data Encryption Key (DEK) (AES key)RAM:Encrypte dContext object destructio n Power DownExport Keybag from RAMFrom service invocatio n to service
Entropy input stringRAM:Encrypte dContext object destructio n Power DownObtained from ENT (P)From service invocatio n to service completio nDRBG seed:Derives
DRBG seedRAM:Encrypte dContext object destructio n Power DownFrom service invocatio n to service completio nEntropy input string:Derived From DRBG internal state (V value, Key):Generates
DRBG internal state (V value, Key)RAM:Encrypte dContext object destructio n Power DownFrom service invocatio n to service completio nDRBG seed:Generated From
HMAC keyRAM:Encrypte dContext object destructio n Power DownFrom service invocatio n to service completio n
Authenticati on CredentialRAM:Obfuscat edContext object destructio n Power DownUser InputFrom service invocatio n to service completio nREK:Derives
REKRAM:PlaintextContext object destructio n Power DownObfuscation of User Input Authenticati on CredentialFrom service invocatio n to service completio nAuthentication Credential:Obfuscati on from

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] n h 256bits 256bits Table 26: SSP Table 1 n d devicewipe d n n d n n d n This document may be reproduced and distributed only in its original entirely without revision.

Page 45

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] n n d n n d n n d n n d n n n n This document may be reproduced and distributed only in its original entirely without revision.

Page 46

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] n n n Table 27: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.

Page 47
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC- SHA2-256 (A2845)HMAC- SHA2-256 (A2845)Message AuthenticationSW/FW IntegrityThe HMAC value is pre- computed at build time and stored in the module. The HMAC value is recalculated during runtime and compared with the stored value.112-bit keyIf the test fails, then the module enters an Error State.
HMAC- SHA2-512 (A2845)HMAC- SHA2-512 (A2845)KATCASTMessage authentication112-bit keyModule becomes operationalTest runs at Power-on before the integrity test
HMAC- SHA2-512 (A2848)HMAC- SHA2-512 (A2848)KATCASTMessage authentication112-bit keyModule becomes operationalTest runs at Power-on before the integrity test
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC- SHA2-256 (A2845)HMAC- SHA2-256 (A2845)Message AuthenticationSW/FW IntegrityThe HMAC value is pre- computed at build time and stored in the module. The HMAC value is recalculated during runtime and compared with the stored value.112-bit keyIf the test fails, then the module enters an Error State.
HMAC- SHA2-512 (A2845)HMAC- SHA2-512 (A2845)KATCASTMessage authentication112-bit keyModule becomes operationalTest runs at Power-on before the integrity test
HMAC- SHA2-512 (A2848)HMAC- SHA2-512 (A2848)KATCASTMessage authentication112-bit keyModule becomes operationalTest runs at Power-on before the integrity test
HMAC- SHA2-256 (A2849)HMAC- SHA2-256 (A2849)KATCASTMessage authentication112-bit keyModule becomes operationalTest runs at Power-on before the integrity test
SHA2-256 (A2845)SHA2-256 (A2845)KATCASTMessage authenticationN/AModule becomes operationalTest runs at Power-on before the integrity test
SHA2-256 (A2848)SHA2-256 (A2848)KATCASTMessage authenticationN/AModule becomes operationalTest runs at Power-on before the integrity test
SHA-1 (A2845)SHA-1 (A2845)KATCASTMessage authenticationN/AModule becomes operationalTest runs at Power-on before the integrity test
SHA-1 (A2848)SHA-1 (A2848)KATCASTMessage authenticationN/AModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A2842)AES-CBC (A2842)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A2842)AES-CBC (A2842)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-KW (A2843)AES-KW (A2843)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the
AES-KW (A2843)AES-KW (A2843)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A2844)AES-CBC (A2844)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A2844)AES-CBC (A2844)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-KW (A2845)AES-KW (A2845)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-KW (A2845)AES-KW (A2845)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-KW (A2846)AES-KW (A2846)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-KW (A2846)AES-KW (A2846)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A2847)AES-ECB (A2847)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A2847)AES-ECB (A2847)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A510)AES-CBC (A510)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A510)AES-CBC (A510)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A501)AES-ECB (A501)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A501)AES-ECB (A501)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A1362)AES-ECB (A1362)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A1362)AES-ECB (A1362)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the
AES-CBC (A1469)AES-CBC (A1469)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A1469)AES-CBC (A1469)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A2863)AES-CBC (A2863)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-CBC (A2863)AES-CBC (A2863)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A2864)AES-ECB (A2864)KATCASTEncryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
AES-ECB (A2864)AES-ECB (A2864)KATCASTDecryption128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
Counter DRBG (A1362)Counter DRBG (A1362)KATCASTHealth test per SP800- 90ARev1 section 11.3128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
Counter DRBG (A2864)Counter DRBG (A2864)KATCASTHealth test per SP800- 90ARev1 section 11.3128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
Counter DRBG (A501)Counter DRBG (A501)KATCASTHealth test per SP800- 90ARev1 section 11.3128-bit keyModule becomes operationalTest runs at Power-on before the integrity test
ESV-RCT (Startup)ESV-RCT (Startup)fault- detection testCASTSP 800-90B 4.4.1 Repetition Count TestRepetition Count Test performed at entropy source startupsuccessful seeding of SP 800-90A DRBGupon startup of entropy source
ESV-RCT (Continuous)ESV-RCT (Continuous)fault- detection testCASTSP 800-90B 4.4.1 Repetition Count TestRepetition Count Test performed every invocation of entropy source after startupsuccessful seeding of SP 800-90A DRBGupon seeding or reseeding SP 800-90A DRBG
ESV-APT (Startup)ESV-APT (Startup)fault- detection testCASTSP 800-90B 4.4.2 Adaptive Proportion TestAdaptive Proportion Test performed at entropy source startupsuccessful seeding of SP 800-90A DRBGupon startup of entropy source
ESV-APT (Continuous)ESV-APT (Continuous)fault- detection testCASTSP 800-90B 4.4.2 Adaptive Proportion TestAdaptive Proportion Test performed at every invocation of entropy source everysuccessful seeding of SP 800-90A DRBGupon seeding or reseeding SP 800-90A DRBG

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

10 Self-Tests

While the module is executing the self-tests, services are not available, and input and output are inhibited.

10.1 Pre-Operational Self-Tests

HMAC-SHA256 is used as an approved integrity technique. Prior to using HMAC-SHA-256, a Conditional Cryptographic Algorithm Self-Tests (CAST) KAT is performed on the HMAC HMACSHA2-256 Table 28: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

HMACSHA2-512 HMACSHA2-512 This document may be reproduced and distributed only in its original entirely without revision.

Page 48

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] HMACSHA2-256 N/A N/A N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 49

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 50

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 51

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] SP80090ARev1 This document may be reproduced and distributed only in its original entirely without revision.

Page 52

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] SP80090ARev1 SP80090ARev1 faultdetection 4.4.1 faultdetection 4.4.1 faultdetection faultdetection This document may be reproduced and distributed only in its original entirely without revision.

Page 53
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2- 256 (A2845)HMAC-SHA2- 256 (A2845)Message AuthenticationSW/FW IntegrityWhenever module is powered onUpon every power-on
HMAC-SHA2- 512 (A2845)HMAC-SHA2- 512 (A2845)KATCASTOn DemandManually
HMAC-SHA2- 512 (A2848)HMAC-SHA2- 512 (A2848)KATCASTOn DemandManually
HMAC-SHA2- 256 (A2849)HMAC-SHA2- 256 (A2849)KATCASTOn DemandManually
SHA2-256 (A2845)SHA2-256 (A2845)KATCASTOn DemandManually
SHA2-256 (A2848)SHA2-256 (A2848)KATCASTOn DemandManually
SHA-1 (A2845)SHA-1 (A2845)KATCASTOn DemandManually
SHA-1 (A2848)SHA-1 (A2848)KATCASTOn DemandManually
AES-CBC (A2842)AES-CBC (A2842)KATCASTOn DemandManually
AES-CBC (A2842)AES-CBC (A2842)KATCASTOn DemandManually
AES-KW (A2843)AES-KW (A2843)KATCASTOn DemandManually
AES-KW (A2843)AES-KW (A2843)KATCASTOn DemandManually
AES-CBC (A2844)AES-CBC (A2844)KATCASTOn DemandManually
AES-CBC (A2844)AES-CBC (A2844)KATCASTOn DemandManually
AES-KW (A2845)AES-KW (A2845)KATCASTOn DemandManually
AES-KW (A2845)AES-KW (A2845)KATCASTOn DemandManually
AES-KW (A2846)AES-KW (A2846)KATCASTOn DemandManually
AES-KW (A2846)AES-KW (A2846)KATCASTOn DemandManually
AES-ECB (A2847)AES-ECB (A2847)KATCASTOn DemandManually
AES-ECB (A2847)AES-ECB (A2847)KATCASTOn DemandManually
AES-CBC (A510)AES-CBC (A510)KATCASTOn DemandManually
AES-CBC (A510)AES-CBC (A510)KATCASTOn DemandManually
AES-ECB (A501)AES-ECB (A501)KATCASTOn DemandManually
AES-ECB (A501)AES-ECB (A501)KATCASTOn DemandManually
AES-ECB (A1362)AES-ECB (A1362)KATCASTOn DemandManually
AES-ECB (A1362)AES-ECB (A1362)KATCASTOn DemandManually
AES-CBC (A1469)AES-CBC (A1469)KATCASTOn DemandManually
AES-CBC (A1469)AES-CBC (A1469)KATCASTOn DemandManually
AES-CBC (A2863)AES-CBC (A2863)KATCASTOn DemandManually
AES-CBC (A2863)AES-CBC (A2863)KATCASTOn DemandManually
AES-ECB (A2864)AES-ECB (A2864)KATCASTOn DemandManually
AES-ECB (A2864)AES-ECB (A2864)KATCASTOn DemandManually
Counter DRBG (A1362)Counter DRBG (A1362)KATCASTOn DemandManually
Counter DRBG (A2864)Counter DRBG (A2864)KATCASTOn DemandManually
Counter DRBG (A501)Counter DRBG (A501)KATCASTOn DemandManually
ESV-RCT (Startup)ESV-RCT (Startup)fault-detection testCASTOn DemandManually
ESV-RCT (Continuous)ESV-RCT (Continuous)fault-detection testCASTOn DemandManually
ESV-APT (Startup)ESV-APT (Startup)fault-detection testCASTOn DemandManually
ESV-APT (Continuous)ESV-APT (Continuous)fault-detection testCASTOn DemandManually

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Table 29: Conditional Self-Tests

10.3 Periodic Self-Test Information

Table 30: Pre-Operational Periodic Information This document may be reproduced and distributed only in its original entirely without revision.

Page 54

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] This document may be reproduced and distributed only in its original entirely without revision.

Page 55
Service
NameDescriptionRole AccessIndicator
Error stateThe HMAC-SHA-256 value computed over the module did not match the pre- computed value, OR the computed value in the invoked Conditional CAST did not match the known value. No cryptographic services are provided, and data output is prohibitedPre- operational Firmware Integrity Test failure OR Conditional CAST failurefor Integrity: print statement "FAILED: fipspost_post_integrity" to stdout; for CAST: sprint statement "FAILED:<event>" to stdout (<event> refers to any of the cryptographic functions listed in the Conditional Self- test Table)Power off/on

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

10.4 Error States

Preoperational Table 32: Error States

10.5 Operator Initiation of Self-Tests

This document may be reproduced and distributed only in its original entirely without revision.

Page 56

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Startup Procedures: As the module is delivered built with the Device OS, there is no standalone delivery of the module. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection used during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self- tests.

11.2 Administrator Guidance

The biometric authentication option provided by the underlying test platform shall be disabled in order to run the module in the FIPS validated manner. The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropyvalidations/certificate/113 Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation.

11.3 Non-Administrator Guidance

The User role is authenticated with the mechanism described in section 4. The User role can access the module via mailbox interface using the Device OS’s XNU kernel. The User role can perform subset of services from Table - Approved Algorithms. As stated in the Administrator Guidance section above, the Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services. This transition cannot be made by the User directly, as all non-approved services require an implicit transition into the Crypto-Officer role. Any calling of such services is therefore implicitly performed by the Crypto Officer. This document may be reproduced and distributed only in its original entirely without revision.

Page 57

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

11.4 End of Life

The Device Wipe service erases the module content. When performing a Device Wipe service to erase all content of the module, the procedure must be performed under the control of the Operator. This document may be reproduced and distributed only in its original entirely without revision.

Page 58

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3]

12 Mitigation of Other Attacks

The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.

Page 59

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interfaces APT Adaptive Proportion Test (SP800-90B health test) BGA Ball Grid Array (Physical Security) CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CMVP Cryptographic Module Validation Program CST Cryptographic and Security Testing CTR Counter Mode DEK Data Encryption Key DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDSA DSA (Digital Signature Algorithm) based on Elliptic Curve Cryptography (ECC) EMI Electromagnetic Interference (Physical Security) ESV NIST entropy source validation program providing SP 800-90B compliant entropy validation certificate FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code IPC Inter-Process Communication IHS Integrated Heat Spreader (Physical Security) KAT Known Answer Test KDF Key Derivation Function KEK Key Encryption Key KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology NVM Non-Volatile Memory OFB Output Feedback OS Operating System PBKDF Password Based Key Derivation Function RCT Repetition Count Test (SP800-90B health test) SEP Secure Enclave Processor SHA Secure Hash Algorithm This document may be reproduced and distributed only in its original entirely without revision.

Page 60

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] Appendix B. FIPS140-3 References FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program January 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM CMVP FIPS 140-3 Management Manual February 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3-CMVP%20Management%20Manual%20v2.1%5B02-292024%5D.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) March 2020 https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements March 2020 https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140Br1 CMVP Security Policy Requirements November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 SP 800-140C CMVP Approved Security Functions July 2023 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140Cr2.pdf SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods July 2023 https://doi.org/10.6028/NIST.SP.800-140Dr2 SP 800-140E CMVP Approved Authentication Mechanisms March 2020 https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics March 2020 https://csrc.nist.gov/publications/detail/sp/800-140f/final This document may be reproduced and distributed only in its original entirely without revision.

Page 61

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-5 Digital Signature Standard (DSS) F3b 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf This document may be reproduced and distributed only in its original entirely without revision.

Page 62

Apple corecrypto Module v12.0 [Apple silicon, Secure Key Store, Hardware, SL2/PHY3] SP800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://doi.org/10.6028/NIST.SP.800-57pt1r5 SP800-67r2 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 (withdrawn January 2014) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-108r1 NIST Special Publication 800-108r1 - Recommendation for Key Derivation Using Pseudorandom Functions Aug 2022 https://doi.org/10.6028/NIST.SP.800-108r1 SP800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SEC Apple Platform Security https://support.apple.com/guide/security/welcome/web https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf platform certifications Apple Platform Certifications https://support.apple.com/guide/certifications/welcome/web This document may be reproduced and distributed only in its original entirely without revision.

Referenced URLs