| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software-hybrid |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 6/25/2030 |
| Caveat | No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs |
| Vendor | Intel Corporation |
| Algorithm | ACVP Cert |
|---|---|
| AES-GCM | A4390 |
| AES-GCM | A4391 |
| DSA SigGen (FIPS186-4) | A4390 |
| DSA SigVer (FIPS186-4) | A4390 |
| ECDSA SigGen (FIPS186-4) | A4389 |
| ECDSA SigGen (FIPS186-4) | A4390 |
| ECDSA SigVer (FIPS186-4) | A4389 |
| ECDSA SigVer (FIPS186-4) | A4390 |
| KAS-ECC-SSC Sp800-56Ar3 | A4389 |
| KAS-ECC-SSC Sp800-56Ar3 | A4390 |
| KAS-FFC-SSC Sp800-56Ar3 | A4390 |
| RSA SigGen (FIPS186-4) | A4389 |
| RSA SigGen (FIPS186-4) | A4390 |
| RSA SigVer (FIPS186-4) | A4389 |
| RSA SigVer (FIPS186-4) | A4390 |
| RSA SigVer (FIPS186-4) | A4392 |
| SHA2-224 | A4391 |
| SHA2-256 | A4391 |
| SHA2-256 | A4392 |
| SHA2-384 | A4391 |
| SHA2-512 | A4391 |
| SHA3-224 | A4390 |
| SHA3-256 | A4390 |
| SHA3-384 | A4390 |
| SHA3-512 | A4390 |
| TLS v1.2 KDF RFC7627 | A4390 |
| TLS v1.3 KDF | A4390 |
flowchart LR
%% Deterministic review-risk graph for Intel® QuickAssist Technology (QAT) Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Self-test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Intel® QuickAssist Technology (QAT) Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Self-test<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Intel® QuickAssist Technology (QAT) Provider v1.3.1 Cryptographic Module Non-Proprietary FIPS 140-3 Security Policy FIPS 140-3 Security Level: 1 Document version: 1.17 Date: May 9, 2025
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Table of Contents
Intel® QuickAssist Technology (QAT) Provider v1.3.1
Intel® QuickAssist Technology (QAT) Provider v1.3.1 List of Tables List of Figures
Intel® QuickAssist Technology (QAT) Provider v1.3.1
This is a non-proprietary Cryptographic Module Security Policy for the Intel® QuickAssist Technology (QAT) Provider from Intel Corporation. This Security Policy describes how the Intel® QAT Provider meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program. This document also describes how to run the Intel® QAT Provider in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation. The Intel® QuickAssist Technology (QAT) Provider is referred to in this document as the module.
This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:
ISO/IEC 19790 Annex B uses the same section naming convention as ISO/IEC 19790 section 7 - Security requirements. For example, Annex B section B.2.1 is named “General” and B.2.2 is named “Cryptographic module specification,” which is the same as ISO/IEC 19790 section 7.1 and section 7.2, respectively. Therefore, the format of this Security Policy is presented in the same order as indicated in Annex B, starting with “General” and ending with “Mitigation of other attacks.” If sections are not applicable, they have been marked as such in this document.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
This document is the non-proprietary FIPS 140-3 Security Policy of the Intel® QAT Provider cryptographic module. For the purpose of the FIPS 140-3 validation, the module is a software-hybrid, multiple-chip standalone cryptographic module validated at overall security level 1. The following table shows the claimed security level for each of the twelve sections that comprise the FIPS 140-3 standard. Table 1
Intel® QuickAssist Technology (QAT) Provider v1.3.1
Intel® QuickAssist Technology (QAT) Provider (hereafter referred to as “the module”) supports acceleration for both hardware as well as optimized software based on vectorised instructions. It is a software-hybrid module (compatible with OpenSSL 3.0.8) which supports the ability to accelerate the operations from the stand OpenSSL 3.0.8 to basic Intel instruction set, to either hardware acceleration path (via the qat_hw) or via the optimized software acceleration path (qat_sw). Both are packaged under the same shared library, called qatprovider.so. OpenSSL 3.0.8 is a toolkit for TLS/SSL protocols and has developed a modular system to plugin devicespecific engines. As mentioned above, within the module are two separate internal entities by which acceleration can be performed. Depending on your particular use case, the module can be configured to meet specific acceleration needs. Software acceleration in the module is achieved by using the qat_sw in conjunction with the following supporting libraries:
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Component Description Intel® QuickAssist Technology Dedicated hardware acceleration device SoC The image below illustrates the high-level boundary of the module. Applications such as NGINX and HAProxy are common applications which interfaces to OpenSSL. The block diagram below shows the module, its interfaces with the operational environment (EVP API coming from OpenSSL) and the delimitation of the cryptographic module boundary (dotted red line), which comprised the module and related files and the dedicated Intel® QAT hardware accelerator. Note that green zone represents the Operating System, which is split by the black dotted line in User Space and Kernel Space. Red, blue, yellow and green arrows represent the data input, data output, control input and status output flow data respectively. The TOEPP is the general-purpose computer (GPC) where the processor is installed together with the accelerator hardware device. Figure 1
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Table 3
The module includes the cryptographic algorithm providers listed in Table 4 below: Table 4
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Cryptographic implementation for RSA SigVer and A4392 Intel® Authentication Firmware V1.0.40 SHA256 for Hardware Integrity Test binaries The module supports the following Approved Algorithms listed in Table 5 below: Table 5
Intel® QuickAssist Technology (QAT) Provider v1.3.1 SigGen Digital Signature 2048, 3072, 4096 (PKCS#1-v1.5) Generation A4390 RSA FIPS PUB 186-4 SigVer 1024, 2048, 3072, Digital Signature (PKCS#1-v1.5) 4096 Verification SHA3-224, SHA3A4390 SHA-3 FIPS PUB 202 256, SHA3-384, - Message Digest SHA3-512 Authenticated A4391 AES NIST SP 800-38D GCM 128, 192, 256 encryption/decryption Digital Signature SigGen Generation A4389 ECDSA FIPS PUB 186-4 P-256, P-384 Digital Signature SigVer Verification EC Diffie-Hellman Key Agreement Shared Secret Computation KAS-ECC- EphemeralUnified A4389 NIST SP 800-56Arev3 P-256, P-384 Key establishment SSC scheme methodology provides between 112 and 192 bits of encryption strength SigGen Digital Signature (PKCS#1-v1.5) Generation A4389 RSA FIPS PUB 186-4 2048, 3072, 4096 SigVer Digital Signature (PKCS#1-v1.5) Verification SHA2-224, SHA2A4391 SHS FIPS 180-4 256, SHA2-384, - Message Digest SHA2-512 SigVer Digital Signature A4392 RSA FIPS PUB 186-4 3072 (PKCS#1-v1.5) Verification A4392 SHS FIPS 180-4 SHA2-256 - Message Digest The module does not implement either non-approved but allowed, non-approved allowed algorithms with no security claimed or non-approved and not allowed algorithms in the Approved mode of operation. The module does not implement any vendor affirmed algorithm or security method.
The module supports one mode of operation: Approved. The module will be in Approved mode when all pre-operational and conditional algorithms self-tests have completed successfully, and only Approved and non-approved but allowed security functions are invoked (see Table 5 and ¡Error! No se encuentra el origen de la referencia. above). The module does not support degraded operation.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
As a software-hybrid module, the module does not have physical ports. For the purpose of the FIPS 140-
3 validation, the module interfaces are defined as Hybrid Software (HSMI), and the physical ports are
interpreted to be the physical ports of the hardware platform on which the module runs. The physical ports include the computer network ports, keyboard port, mouse port, power plug and display. The logical interfaces are a C language entry functions pointed by OpenSSL library interface through which calling application request services. The following table summarizes the FIPS 140-3 logical interfaces: Table 6
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The sections below describe the module's authorized role, services, and operator authentication method employed.
The module only supports the following role: the Crypto Officer role. It performs all services as well as the module installation and configuration. The module does not support authentication mechanisms. The module does not support concurrent operators. The Crypto Officer role is implicitly assumed by using the module and invoking any of the available services. Table 7
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Roles Service Input Output Crypto Officer Diffie-Hellman Key API call parameters, key Status, domain parameters, key Agreement Shared Secret Computation Crypto Officer Message digest API call parameters, message Status, hash Crypto Officer TLS key derivation API call parameters, TLS pre- Status, session key, integrity key master secret
All services implemented by the module are listed in tables below. The approved and allowed services are shown in Table 8. Please note that the Sensitive Security Parameters (SSPs) listed below indicate the type of access required using the following notation:
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Table 8
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Service Description Approved Roles SSP and Type of Indicator Security Function Access RSA digital signature Verify an RSA digital RSA sigVer (Cert. CO RSA Public Key - WX qat_fips_service_indicator=1 verification signature A4390; Cert. A4389) EC Diffie-Hellman Key Shared secret KAS-ECC-SSC (Cert. CO ECDH Public Key - RX qat_fips_service_indicator=1 Agreement Shared computation using an A4390; Cert. ECDH Private
Intel® QuickAssist Technology (QAT) Provider v1.3.1
As it is described in section 2.1 the cryptographic module is composed of several software shared libraries as well as the firmware component running over the dedicated QAT hardware accelerator. The integrity of the software libraries is achieved by applying an ECDSA (with a P-256 curve) with SHA2-
256 algorithm over them at the build time. All the obtained signature values are stored in the headers of
the qatprovider.so file. After that, every time that a calling application uses the module, the execution flow passes first through the initialization part of the module, where the integrity is self-verified as follows:
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The module operates in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in Table 3. The operating system is restricted to a single operator. Concurrent operators are explicitly excluded. The application that requests cryptographic services is the single user of the module. All SSPs are under the control of the OS, which protects its CSPs against unauthorized disclosure, modification, and substitution as well as PSPs against modification and substitution. Additionally, the OS provides dedicated process space to each executing process, and the module operates entirely within the calling application’s process space. The module only allows access to SSPs through its well-defined interfaces. The module does not have the ability of spawning new processes.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The module is a software-hybrid with a multiple-chip standalone embodiment. The hardware components of the module consist of production-grade components that include standard passivation techniques. Further, the module is entirely contained within a hard metal enclosure, which blocks physical access to the module. Since the module is evaluated at security level 1 and there is no maintenance interface, no more physical security mechanisms than the above described are implemented.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The module does not implement any non-invasive attack mitigation technique to protect itself and the module’s unprotected SSPs from non-invasive attacks.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The following section includes all the information related to the Sensitive Security Parameters (SSPs) and its management. Table 9 below identifies all the SSPs handled by the cryptographic module as well as its purpose, generation method, input and output method, where they are stored and how they are zeroized. Table 9
112 - 256 External N/A persistently
Key Never exits the API call verification stored module ECDSA sigGen (Cert. Plaintext Not ECDSA Private A4390; Cert. A4389) (MD/EE) / Power cycle or Signature
112 - 256 External N/A persistently
Key Never exits the API call generation stored module
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Key/SSP Security Function Strength Generation Import/Export Establishment Storage Zeroization Use Name Cert Number RSA sigVer (Cert. Plaintext Not 80, 112, 128, A4390; Cert. A4389) (MD/EE) / Power cycle or Signature RSA Public Key External N/A persistently
152 Never exits the API call verification
stored module RSA sigGen (Cert. Plaintext Not A4390; Cert. A4389) (MD/EE) / Power cycle or Signature RSA Private Key 112, 128, 152 External N/A persistently Never exits the API call generation stored module KAS-FFC-SSC (Cert. Plaintext Not 112, 128, 152, A4390) (MD/EE) / Power cycle or Shared secret DH Public Key External N/A persistently
200 Never exits the API call generation
stored module KAS-FFC-SSC (Cert. Plaintext Not 112, 128, 152, A4390) (MD/EE) / Power cycle or Shared secret DH Private Key External N/A persistently
200 Never exits the API call generation
stored module KAS-ECC-SSC (Cert. Plaintext Not ECDH Public A4390; Cert. A4389) (MD/EE) / Power cycle or Shared secret
112 - 256 External N/A persistently
Key Never exits the API call generation stored module KAS-ECC-SSC (Cert. Plaintext Not ECDH Private A4390; Cert. A4389) (MD/EE) / Power cycle or Shared secret
112 - 256 External N/A persistently
Key Never exits the API call generation stored module KAS-FFC-SSC (Cert. A4390); KAS-ECC- Generated Not Derivation of SSC (Cert. A4390; NA / Plaintext Power cycle or Shared Secret 112 - 256 inside the N/A persistently the TLS preCert. A4389); (MD/EE) API call module stored master secret CVL (Cert. A4390)
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Key/SSP Security Function Strength Generation Import/Export Establishment Storage Zeroization Use Name Cert Number Plaintext Not Derivation of TLS pre-master (MD/EE) / Power cycle or 256, 384 CVL (Cert. A4390) External N/A persistently the TLS master secret Never exits the API call stored secret module Derived Derivation of internally using Not TLS master NA / Never exits Power cycle or the TLS session 256, 384 CVL (Cert. A4390) the TLS pre- N/A persistently secret the module API call key and TLS master secret stored integrity key via TLS KDF Derived Encryption and internally using Not NA / Plaintext Power cycle or decryption of TLS session key 128, 192, 256 CVL (Cert. A4390) the TLS master N/A persistently (MD/EE) API call TLS session secret via TLS stored packets. KDF Derived internally using Not Authentication TLS integrity NA / Plaintext Power cycle or
112 or greater CVL (Cert. A4390) the TLS master N/A persistently of TLS session
key (MD/EE) API call secret via TLS stored packets. KDF
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The module does not contain an entropy source. The module does not contain a Deterministic Random Bit Generator (DRBG).
For RSA, DSA, ECDSA and Diffie-Hellman and EC Diffie-Hellman keys, the module imports them using API calls. The module does not generate keys. Additionally, the module also imports symmetric keys in the same manner for symmetric algorithms.
The module provides Diffie-Hellman and EC Diffie-Hellman shared secret computation to obtain “shared secret” values. The security strength of the preceding algorithms is as follows:
The keys and SSPs to be entered or exited are provided to the module via API input/output parameters in plaintext form and output via API output parameters in plaintext form. This is allowed per section 7.9.5 of the ISO/IEC 19790:2012 since all CSPs or key components are maintained within the environment and the requirements from section 7.6.3 are met. The module does not support either manual key entry or intermediate key generation values. Additionally, the module implements two independent internal actions in order to prevent the inadvertent output of any plaintext SSP. The mechanism implemented by the module is described below: First of all, the module reserves the required memory where the CSP will be stored after being derived. Then the CSP is derived using the specific entry point of hardware or software implementation. Finally, the derived CSP is copy into a variable received in a parameter of the invoked function and this last function ends. Particular information for the input and output for each SSP, if applicable, is provided under column "Import/Export” of Table 9.
Symmetric keys, and public and private keys are provided to the module by the calling application via API input parameters and are destroyed by the module when invoking the appropriate API function calls.
Intel® QuickAssist Technology (QAT) Provider v1.3.1 No physical storage is offered within the logical boundary, and therefore the module does not store any SSPs persistently beyond the lifetime of the API call. Any persistent key storage occurs outside the module’s logical boundary but within the physical perimeter and the management of these keys is responsibility of the calling application. Table 10 - Storage Areas Name Description Type RAM System Memory Dynamic ARAM Intel® QAT Hardware Device accelerator working memory Dynamic Shared RAM Intel® QAT Hardware Device accelerator CryptoEngine memory Dynamic Particular information for storage of each SSP, is provided under column "Storage" of Table 9.
The memory occupied by keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate zeroization functions provided in the module's API listed in Table
Intel® QuickAssist Technology (QAT) Provider v1.3.1
FIPS 140-3 requires that the module performs a set of self-test in order to provide the operator assurance that faults have not been introduced that would prevent the module's correct operation. The module includes two different set of self-test: pre-operational self-test (for software and hardware parts) which are executed prior to the module providing any data output via the data output interface; and conditional self-tests (for software and hardware parts) which are executed in the initialization phase of the module. The determination of pass or fail of each self-test is made by the module itself, without external controls, externally provided input test vectors, expected output results, or operator intervention. The following sections list the self-tests performed by the module, their expected error status and error resolutions.
The module executes the following pre-operational software and firmware integrity tests. If some of them fail, the module flows to an error state: Table 11
The module executes the following conditional algorithms self-tests at the module initialization phase prior to the pre-operational integrity tests just after an applicable security function is invoked via the available services:
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Table 12 - Conditional Self-Tests of Hardware implementation Algorithm OE Test Properties Type Details Condition Red Hat Enterprise Linux 9.0 / Intel 2048 bits key size Signature generation and RSA KAT Power-Up Corporation Device with SHA2-256 Signature verification
Red Hat Enterprise Linux 9.0 / Intel P-256 and P-384 Signature generation and ECDSA KAT Power-Up Corporation Device curves with SHA2-256 Signature verification
Red Hat Enterprise Linux 9.0 / Intel 2048,224 key size Signature generation and DSA KAT Power-Up Corporation Device with SHA2-256 Signature verification
Red Hat Enterprise Linux 9.0 / Intel P-256 and P-384 ECDH KAT Shared Secret computation Power-Up Corporation Device curves
Red Hat Enterprise Linux 9.0 / Intel ffdhe2048 safe prime DH KAT Shared Secret computation Power-Up Corporation Device group
Red Hat Enterprise Linux 9.0 / Intel AES GCM 256 bits key size KAT Encryption and Decryption Power-Up Corporation Device
Red Hat Enterprise Linux 9.0 / Intel SHA3 SHA3-256 KAT Generation Power-Up Corporation Device
Key Derivation. Red Hat Enterprise This self-test is implemented to TLS 1.2 Linux 9.0 / Intel Using SHA2-256 and cover the requirement of selfKAT testing the underlying algorithms, Power-Up (PRF) Corporation Device SHA2-384
4940 (rev 40) based on the “10.3.B Self-test for
Embedded Cryptographic Algorithms” of the IG document Key Derivation Red Hat Enterprise This self-test is implemented to TLS 1.3 Linux 9.0 / Intel Using SHA2-256 and cover the requirement of selfKAT testing the underlying algorithms, Power-Up (HKDF) Corporation Device SHA2-384
4940 (rev 40) based on the “10.3.B Self-test for
Embedded Cryptographic Algorithms” of the IG document
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Table 13 - Conditional Self-Tests of Software implementation Algorithm OE Test Properties Type Details Conditions Red Hat Enterprise 2048 bits key size Signature generation and RSA KAT Power-Up Linux 9.0 with SHA2-256 Signature verification P-256 and P-384 Red Hat Enterprise Signature generation and ECDSA curves with SHA2- KAT Power-Up Linux 9.0 Signature verification Red Hat Enterprise P-256 and P-384 ECDH KAT Shared Secret computation Power-Up Linux 9.0 curves Red Hat Enterprise AES GCM 256 bits key size KAT Encryption and Decryption Power-Up Linux 9.0 Red Hat Enterprise SHA2-256 and SJA2SHS KAT Generation Power-Up Linux 9.0 512 The module executes the following conditional algorithms self-tests at the module initialization phase prior to the pre-operational integrity tests of the hardware part. Table 14 - Conditional Self-Tests of Firmware implementation Algorithm OE Test Properties Type Details Conditions Signature verification. Intel Corporation 3072 bits key size Executed by checking the integrity RSA KAT Power-Up Device 4940 (rev 40) with SHA2-256 test of a "dummy" firmware as allowed per FIPS IG 10.2.A, path 2. Generation. Intel Corporation SHS SHA2-256 KAT Used to check RSA public key Power-Up Device 4940 (rev 40) embedded in authentication ROM While the module is executing the conditional self-tests, services are not available, and input and output are inhibited.
The module has two different error states: One error state at software level, “Critical Error (Software)” and one at hardware level, “Critical Error (Hardware)”. The module can flow to "Critical Error" state of the software part if the pre-operational integrity test or if the conditional algorithms self-tests fail. The only manner to recover from this error is by rebooting the module (only the software part). No CSPs output are available on this state. The module can flow to "Critical Error" state of the firmware of the hardware part if the pre-operational integrity test or if the conditional algorithms self-tests fail. The only manner to recover from this error is by rebooting the module (only the software part). No CSPs output are available on this state.
Intel® QuickAssist Technology (QAT) Provider v1.3.1 In both Error states, the cryptographic functions are not available because they are inhibited as well as the logical interfaces. The only manner to recover cryptographic functionality is to reboot the module and pass the Pre-Operational Integrity self-tests as well as Conditional algorithm self-tests again. Table 15 - Error States Recovery Name Description Conditions Indicator Method The module reaches to this state if the Integrity check failure and firmware pre- Restart the algorithms self-tests Pre-operational integrity selfCritical Error operational integrity hardware failure: tests or conditional algorithms (Hardware) self-tests or component of self-tests firmware failure "FW integrity self-test conditional the module. algorithms self-tests failed!" fail. The module reaches Integrity check failure: Restart the “QAT FIPS Integrity test to this state if the application that result: FAIL” pre-operational Pre-operational integrity selfCritical Error exercise the integrity self-tests or tests or conditional algorithms Software algorithms self(Software) software conditional self-tests failure test failure: “QAT FIPS component of algorithms self-tests self-tests(KAT) result: the module. fail. FAIL”
The operator can initiate the execution of the self-test (of the software and hardware algorithms implementation) by powering-off and reloading the module which cause the module to run the preoperational and conditional algorithms self-test again. Regarding the hardware component pre-operational and conditional self-tests, they are initiated when the QAT accelerators are loaded and will be ready for providing cryptographic services. “adf_ctl up” command starts all the available QAT accelerators of the processor, and consequently, the preoperational and conditional self-tests are initiated. By executing “adf_ctl restart” command, it is possible to execute the same pre-operational and conditional self-tests on-demand. During the execution of the operator initiation self-tests, services are not available, and no data output or input is possible.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The module has been tested in the following operational environments: - Hardware Platform: Intel Eagle Stream, Operating System: Red Hat Enterprise Linux 9.0 with OpenSSL 3.0.8 For installation, the operator shall follow the guidance below described. The RPM package can be downloaded from Intel GitHub repository.
The only role allowed in the module is the Crypto Officer who is in charge to perform all the operations and services of the module. The module only supports one mode of operation: Approved. The module will be in Approved mode when all pre-operational and conditional self-tests have been completed successfully, and only Approved and allowed security functions are invoked. There are no additional installation, configuration, or usage instructions for operators intending to use the module.
The operator shall first install the OpenSSL 3.0.8 in a customized path: - . /config -g --prefix=<customized path> - make -j; make install Since the module is already compiled and packed in a “rpm” package, the operator shall run the following command to install it: - rpm -ivh qatprovider-fips-1.3.1-1.el9.x86_64.rpm--target noarch The operator shall also execute the following commands in order to finalize the installation of the module: - export LD_LIBRARY_PATH=/<customized path>/lib64 - cp -rf /usr/lib64/ossl-modules/qatprovider.so /<customized path>/lib64/ossl-modules/ - cp -rf /usr/lib64/ossl-modules/qatprovider.la /<customized path>/lib64/ossl-modules/
By executing the service 'Show version information', an operator can obtain information about the versioning identification for each component of the cryptographic module. The output return by the service execution is as follows (being relevant the information in bold text): Module Info Name: QAT Provider FIPS ID: qatprovider Version: QAT Engine v1.3.1
Intel® QuickAssist Technology (QAT) Provider v1.3.1 QAT_HW Driver version: QAT20.l.1.0.40-00004 IPSec-mb version: v1.3 IPP-crypto version: ippcp_2021.7.1 Additionally, the operator can check the hardware device version embedded in the CPU using the “lspci” Linux command. The module has been tested and found compliant on the hardware acceleration device: Intel Corporation Device 4940 (rev 40). Using the information, a potential user of the cryptographic module can correlate the module version information with the one included in the FIPS 140-3 certificate.
The module boundary contains a non-reconfigurable memory where it is stored the “Authentication firmware” that implements the RSA Signature Verification with 3072 bits key size with SHA2-256 and SHA2-256 (both CAVP certified under #A4392 certificate number). Since this firmware is stored in a nonreconfigurable memory created by mechanical means, there is not performed an integrity test to check that it has not been modified. This is allowed per “5.A Non-Reconfigurable Memory Integrity Test” of the IG document. As included in the “5 Software/Firmware security” section of this document, this firmware is used to check the integrity of the “Production firmware” that runs in the Cryptoengines. This Non-reconfigurable memory does not store any sensitive information such as SSPs or keys, so there is no need to follow any procedure prior to be distributed to other operators or disposed to remove sensitive information.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation.
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The module does not implement the TLS protocol itself, however, it provides the cryptographic functions required for implementing the protocol. AES GCM encryption is used in the context of the TLS protocol versions 1.2 and 1.3 (per Scenario 1 and Scenario 5 in FIPS 140-3 C.H respectively). For TLS v1.2, the mechanism for IV generation is compliant with RFC 5288. The counter portion of the IV is strictly increasing. When the IV exhausts the maximum number of possible values for a given session key, this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with RFC 5246. For TLS v1.3, the mechanism for IV generation is compliant with RFC 8446. The IV is at least 96-bits in length per NIST SP 800-38D, Section 8.2.1 so that the (key, IV) pair collision probability is less than 2-32. The module uses at least 32 bits of the IV field as a name and use 64 bits as a deterministic non-repetitive counter. When the counter part of the IV exhausts the maximum number of possible values for a given session key the encryptor aborts the session. In the event that the module power is lost and restored the user must ensure that the AES-GCM encryption/decryption keys are re-distributed. The module supports importing of GCM IVs when an IV is not generated within the module. In the Approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the module as this will result in a non-conformance.
Intel recommends following the latest NIST standards when considering the selection of cryptographic algorithms. Consider stronger alternatives for the following algorithms
Intel® QuickAssist Technology (QAT) Provider v1.3.1
The module implements TLS versions 1.2 and 1.3. The AES GCM supported ciphersuites for each version are listed below: Supported AES GCM ciphersuites for TLS v1.2: - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Supported AES GCM ciphersuites for TLS v1.3: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384
Intel® QuickAssist Technology (QAT) Provider v1.3.1
Table 16 - References Abbreviation Full Specification Name FIPS 140-3 FIPS 140-3 Security Requirements for Cryptographic modules NIST SP 800-140 FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759 ISO 19790 ISO/IEC 19790:2012/Cor.1:2015(E), Information technology
Table 17 - Acronyms definitions Acronym Definition AES Advanced Encryption Standard API Application Program Interface
Intel® QuickAssist Technology (QAT) Provider v1.3.1 Acronym Definition CAVP Cryptographic Algorithm Validation Program CMVP Cryptographic Module Validation Program CVL Component Validation List DH Diffie-Hellman DSA Digital Signature Algorithm DRGB Deterministic Random Bit Generator ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm FFC Finite Field Cryptographic FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode GPC General Purpose Computer KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function MAC Message Authentication Code NIST National Institute of Science and Technology QAT QuickAssist Technology RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSC Shared Secret Computation TLS Transport Layer Security Intel technologies may require enabled hardware, software or service activation. No product or component can be absolutely secure. Your costs and results may vary. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.