All modules
CMVP Validated Module · FIPS 140-3 Security Policy

CryptoComply 140-3 FIPS Provider

Certificate#5040StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSafeLogic Inc.
Low review priority  ·  no TCB surface named  ·  last validated 12 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date8/26/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys) and random strings. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
VendorSafeLogic Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for CryptoComply 140-3 FIPS Provider
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for CryptoComply 140-3 FIPS Provider
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

SafeLogic Inc. CryptoComply 140-3 FIPS Provider Software Versions 3.0.0-FIPS 140-3, 3.0.1-FIPS 140-3 Document Version 1.3 July 3, 2025 SafeLogic Inc.

530 Lytton Ave, Suite 200

Palo Alto, CA 94301 www.safelogic.com

Page 2
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)9
Table 3: Tested Operational Environments - Software, Firmware, Hybrid11
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid12
Table 5: Modes List and Description13
Table 6: Approved Algorithms26
Table 7: Vendor-Affirmed Algorithms27
Table 8: Non-Approved, Allowed Algorithms27
Table 9: Security Function Implementations35
Table 10: Ports and Interfaces41
Table 11: Roles42
Table 12: Approved Services56
Table 13: Storage Areas61
Table 14: SSP Input-Output Methods62
Table 15: SSP Zeroization Methods62
Table 16: SSP Table 170
Table 17: SSP Table 277
Table 18: Pre-Operational Self-Tests79
Table 19: Conditional Self-Tests94
Table 20: Pre-Operational Periodic Information95
Table 21: Conditional Periodic Information111
Table 22: Error States112
Figure 1: Block Diagram8
Page 5
1 General
1.1 Overview

This document provides a non-proprietary FIPS 140-3 Security Policy for CryptoComply 140-3 FIPS Provider. SafeLogic Inc.'s CryptoComply 140-3 FIPS Provider is designed to provide FIPS 140-3 validated cryptographic functionality and is available for licensing. For more information, visit www.safelogic.com/cryptocomply.

1.1.1 About FIPS 140

Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules, (FIPS 140-3) specifies the latest requirements for cryptographic modules utilized to protect sensitive but unclassified information. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) collaborate to run the Cryptographic Module Validation Program (CMVP), which assesses conformance to FIPS 140. NIST (through NVLAP) accredits independent testing labs to perform FIPS 140 testing. The CMVP reviews and validates modules tested against FIPS

140 criteria. Validated is the term given to a module that has successfully gone through this FIPS 140

validation process. Validated modules receive a validation certificate that is posted on the CMVP’s website. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program.

1.1.2 About this Document

This non-proprietary cryptographic module Security Policy for CryptoComply 140-3 FIPS Provider from SafeLogic Inc. (SafeLogic) provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-3. This document includes details on the module’s cryptographic capabilities, services, sensitive security parameters, and self-tests. This Security Policy also includes guidance on operating the module while maintaining compliance with FIPS 140-3. CryptoComply 140-3 FIPS Provider may also be referred to as the “module” in this document.

1.1.3 External Resources

The SafeLogic website (www.safelogic.com) contains information on SafeLogic services and products. The CMVP website maintains all FIPS 140 certificates for SafeLogic’s FIPS 140 validations. These certificates also include SafeLogic contact information.

Page 6
1.1.4 Notices

This document may be freely reproduced and distributed, but only in its entirety and without modification.

1.2 Security Levels

The following table lists the module’s level of validation for each area in FIPS 140-3. Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: CryptoComply 140-3 FIPS Provider is a standards-based “Drop-in Compliance™” cryptographic module. The module delivers core cryptographic functions to applications such as servers, personal computers, mobile devices, and appliances. The module features robust algorithm support, including CNSA algorithms. The module delivers cryptographic services to host applications through a C language Application Programming Interface (API). Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The module's cryptographic boundary is delimited by the module’s components, as well as the instantiation of the cryptographic module saved in memory and executed by the processor. The executable files that constitute the cryptographic module are listed in Security Policy Section 2.2 Tested and Vendor Affirmed Module Version and Identification. Additionally, the module’s integrity value is included inside the boundary. Refer to the block diagram in Figure 1 for additional detail. Tested Operational Environment’s Physical Perimeter (TOEPP): As a software cryptographic module, the module operates within the Tested Operational Environment’s Physical Perimeter (TOEPP). The TOEPP consists of the Operating System (OS) and the physical perimeter of the General Purpose Computer (GPC). This TOEPP comprises the Operational Environment (OE) that the module operates in, the module itself, and all other applications that operate within the OE, including the host application for the module. Refer to the block diagram in Figure 1 for additional detail.

Page 8

Figure 1: Block Diagram The module’s block diagram depicts the cryptographic boundary, TOEPP, and the components of each. Additionally, it depicts the data flow between these components. The module’s logical interfaces are defined by its API. These interfaces are used by the host application to interact with the module. All input to the module occurs through the data input interface or control input interface. All output from the module occurs through the data output interface or status output interface. Refer also to Security Policy Section 3 - Cryptographic Module Interfaces and Section 9.2 - SSP Input-Output Methods. The module executes within the operating environments specified in Security Policy Section 2.2 - Tested and Vendor Affirmed Module Version and Identification.

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9

Tested Module Identification

Page 10

Operating System Hardware Processors PAA/PAI Hypervisor Version(s) Platform or Host OS Debian 11 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 FreeBSD 13 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 FreeBSD 13 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 iOS 16 iPhone 13 Mini Apple A15 Bionic No 3.0.1-FIPS 140-3 iPadOS 16 iPad Air (2022) Apple M1 No 3.0.1-FIPS 140-3 macOS 13 (Ventura) Mac Mini M2 Apple M2 No 3.0.0-FIPS 140-3 Oracle Solaris 11.4 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 Oracle Solaris 11.4 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 Red Hat Enterprise Linux 9 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 Red Hat Enterprise Linux 9 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 Rocky Linux 9 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 Rocky Linux 9 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 SUSE Linux Enterprise Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS Server 15 R830 4667v4 140-3 SUSE Linux Enterprise Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS Server 15 R830 4667v4 140-3 Ubuntu 22.04 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3

Page 11

Operating System Hardware Processors PAA/PAI Hypervisor Version(s) Platform or Host OS Ubuntu 22.04 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 Windows 10 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 Windows 10 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 Windows 11 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 Windows 11 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 Windows Server 2019 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 Windows Server 2019 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 Windows Server 2022 Dell PowerEdge Intel Xeon E5- Yes 3.0.0-FIPS R830 4667v4 140-3 Windows Server 2022 Dell PowerEdge Intel Xeon E5- No 3.0.0-FIPS R830 4667v4 140-3 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: The module, when compiled from the same unmodified source code, is vendor affirmed to be FIPS 140-3 compliant when compiled as a static library for the tested operating environments listed above for which the module was tested as a shared object or dynamically loaded library. Operating System Hardware Platform AlmaLinux 9 Any general-purpose platform that supports this OS Android 13 Any general-purpose platform that supports this OS Debian 11 Any general-purpose platform that supports this OS FreeBSD 13 Any general-purpose platform that supports this OS iOS 16 Any general-purpose platform that supports this OS

Page 12

Operating System Hardware Platform iPadOS 16 Any general-purpose platform that supports this OS macOS 13 (Ventura) Any general-purpose platform that supports this OS Oracle Solaris 11.4 Any general-purpose platform that supports this OS Red Hat Enterprise Linux 9 Any general-purpose platform that supports this OS Rocky Linux 9 Any general-purpose platform that supports this OS SUSE Linux Enterprise Server 15 Any general-purpose platform that supports this OS Ubuntu 22.04 Any general-purpose platform that supports this OS Windows 10 Any general-purpose platform that supports this OS Windows 11 Any general-purpose platform that supports this OS Windows Server 2019 Any general-purpose platform that supports this OS Windows Server 2022 Any general-purpose platform that supports this OS Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid Porting guidance is defined in the FIPS 140-3 CMVP Management Manual Section 7.9. FIPS 140-3 validation compliance can be maintained when the following requirements are met:

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description:

Page 13

Mode Description Type Status Indicator Name Approved Single approved mode Approved In alignment with IG 2.4.C example scenario 2, the module Mode of operation. No non- only provides approved services. The module provides a approved mode is global indicator that services are approved. Additionally, the implemented in the module provides a status code indicating the completion of module. each service, as indicated in Security Policy Section 4.3 Approved Services. The successful completion of a service is an implicit indicator for the use of an approved service. Table 5: Modes List and Description Mode Change Instructions and Status: No instructions are needed to invoke the Approved mode in the module. The module only supports this mode of operation and will operate in this mode once the module is powered on. To confirm that the module is operating in Approved mode, the operator should:

2.5 Algorithms
2.5.1 Approved Algorithms

Approved Algorithms: The module implements the following approved algorithms that have been tested by the Cryptographic Algorithm Validation Program (CAVP). Algorithm CAVP Properties Reference Cert AES-CBC A4593 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A5173 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A4593 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256

Page 14

Algorithm CAVP Properties Reference Cert AES-CBC-CS1 A5173 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A4593 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A5173 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A4593 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A5173 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A4593 Key Length - 128, 192, 256 SP 800-38C AES-CCM A5173 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A4593 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB1 A5173 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A4593 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A5173 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4593 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A5173 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A4593 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CMAC A5173 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A4593 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256

Page 15

Algorithm CAVP Properties Reference Cert AES-CTR A5173 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4593 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5173 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4593 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-GCM A5173 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-GMAC A4593 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-GMAC A5173 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-KW A4593 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KW A5173 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A4593 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5173 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A4593 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256

Page 16

Algorithm CAVP Properties Reference Cert AES-OFB A5173 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A4593 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 AES-XTS Testing A5173 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A4593 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes Counter DRBG A5173 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - Yes DSA KeyGen A4593 L - 2048 FIPS 186-4 (FIPS186-4) N - 224, 256 DSA KeyGen A5173 L - 2048 FIPS 186-4 (FIPS186-4) N - 224, 256 DSA PQGGen A4593 L - 2048 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA PQGGen A5173 L - 2048 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA PQGVer A4593 L - 1024, 2048 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 DSA PQGVer A5173 L - 1024, 2048 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 DSA SigVer A4593 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256

Page 17

Algorithm CAVP Properties Reference Cert Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 DSA SigVer A5173 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 ECDSA KeyGen A4593 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P- FIPS 186-4 (FIPS186-4) 224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates ECDSA KeyGen A5173 Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P- FIPS 186-4 (FIPS186-4) 224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates ECDSA KeyVer A4593 Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K- FIPS 186-4 (FIPS186-4) 409, K-571, P-192, P-224, P-256, P-384, P-521 ECDSA KeyVer A5173 Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K- FIPS 186-4 (FIPS186-4) 409, K-571, P-192, P-224, P-256, P-384, P-521 ECDSA SigGen A4593 Component - No FIPS 186-4 (FIPS186-4) Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigGen A5173 Component - No FIPS 186-4 (FIPS186-4) Curve - B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A4593 Component - No FIPS 186-4 (FIPS186-4) Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K409, K-571, P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512

Page 18

Algorithm CAVP Properties Reference Cert ECDSA SigVer A5173 Component - No FIPS 186-4 (FIPS186-4) Curve - B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K409, K-571, P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 EDDSA KeyGen A4593 Curve - ED-25519, ED-448 FIPS 186-5 EDDSA KeyGen A5173 Curve - ED-25519, ED-448 FIPS 186-5 EDDSA KeyVer A4593 Curve - ED-25519, ED-448 FIPS 186-5 EDDSA KeyVer A5173 Curve - ED-25519, ED-448 FIPS 186-5 EDDSA SigGen A4593 Curve - ED-25519, ED-448 FIPS 186-5 PreHash - Yes EDDSA SigGen A5173 Curve - ED-25519, ED-448 FIPS 186-5 PreHash - Yes EDDSA SigVer A4593 Curve - ED-25519, ED-448 FIPS 186-5 PreHash - No Pure - Yes EDDSA SigVer A5173 Curve - ED-25519, ED-448 FIPS 186-5 PreHash - No Pure - Yes Hash DRBG A4593 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 Hash DRBG A5173 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A4593 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5173 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC-SHA-1 A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA-1 A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1

Page 19

Algorithm CAVP Properties Reference Cert HMAC-SHA2- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA2- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 512/224 HMAC-SHA2- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 512/256 HMAC-SHA2- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 512/256 HMAC-SHA3- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1

Page 20

Algorithm CAVP Properties Reference Cert HMAC-SHA3- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A4593 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 HMAC-SHA3- A5173 Key Length - Key Length: 8-524288 Increment 8 FIPS 198-1 KAS-ECC-SSC A4593 Domain Parameter Generation Methods - B-233, B-283, B-409, B- SP 800-56A Sp800-56Ar3 571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-ECC-SSC A5173 Domain Parameter Generation Methods - B-233, B-283, B-409, B- SP 800-56A Sp800-56Ar3 571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A4593 Domain Parameter Generation Methods - FB, FC, ffdhe2048, SP 800-56A Sp800-56Ar3 ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme dhEphem KAS Role - initiator, responder KAS-FFC-SSC A5173 Domain Parameter Generation Methods - FB, FC, ffdhe2048, SP 800-56A Sp800-56Ar3 ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme dhEphem KAS Role - initiator, responder KAS-IFC-SSC A4593 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1- Rev. 3 prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor Scheme -

Page 21

Algorithm CAVP Properties Reference Cert KAS1 KAS Role - initiator, responder KAS2 KAS Role - initiator, responder KAS-IFC-SSC A5173 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1- Rev. 3 prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KAS1 KAS Role - initiator, responder KAS2 KAS Role - initiator, responder KDA HKDF A4593 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: 224-8192 Rev. 2 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 KDA HKDF A5173 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: 224-8192 Rev. 2 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 KDA OneStep A4593 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: 224-8192 Rev. 2 Increment 8 KDA OneStep A5173 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: 224-8192 Rev. 2 Increment 8 KDA TwoStep A4593 MAC Salting Methods - default, random SP 800-56C SP800-56Cr2 KDF Mode - feedback Rev. 2 Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDA TwoStep A5173 MAC Salting Methods - default, random SP 800-56C SP800-56Cr2 KDF Mode - feedback Rev. 2 Derived Key Length - 2048

Page 22

Algorithm CAVP Properties Reference Cert Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDF ANS 9.42 A4593 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2- Rev. 1 512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.42 A5173 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2- Rev. 1 512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 A4593 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 SP 800-135 (CVL) Key Data Length - Key Data Length: 128, 4096 Rev. 1 KDF ANS 9.63 A5173 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 SP 800-135 (CVL) Key Data Length - Key Data Length: 128, 4096 Rev. 1 KDF KMAC A4593 Derived Key Length - Derived Key Length: 112-4096 Increment 8 SP 800-108 Sp800-108r1 Rev. 1 KDF KMAC A5173 Derived Key Length - Derived Key Length: 112-4096 Increment 8 SP 800-108 Sp800-108r1 Rev. 1 KDF SP800-108 A4593 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, Rev. 1 4096 KDF SP800-108 A5173 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, Rev. 1 4096 KDF SSH (CVL) A4593 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2- Rev. 1 KDF SSH (CVL) A5173 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2- Rev. 1 KMAC-128 A4593 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8

Page 23

Algorithm CAVP Properties Reference Cert KMAC-128 A5173 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A4593 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A5173 Message Length - Message Length: 0-65536 Increment 8 SP 800-185 Key Data Length - Key Data Length: 128-1024 Increment 8 KTS-IFC A4593 Modulo - 2048, 3072, 4096, 6144 SP 800-56B Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1- Rev. 2 prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 KTS-IFC A5173 Modulo - 2048, 3072, 4096, 6144 SP 800-56B Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1- Rev. 2 prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 PBKDF A4593 Iteration Count - Iteration Count: 1-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 8 PBKDF A5173 Iteration Count - Iteration Count: 1-10000 Increment 1 SP 800-132 Password Length - Password Length: 8-128 Increment 8 RSA KeyGen A4593 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA KeyGen A5173 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard

Page 24

Algorithm CAVP Properties Reference Cert RSA SigGen A4593 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigGen A5173 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4593 Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 RSA SigVer A5173 Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 Safe Primes Key A4593 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Generation ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, Rev. 3 MODP-6144, MODP-8192 Safe Primes Key A5173 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Generation ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, Rev. 3 MODP-6144, MODP-8192 Safe Primes Key A4593 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Verification ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, Rev. 3 MODP-6144, MODP-8192 Safe Primes Key A5173 Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, SP 800-56A Verification ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, Rev. 3 MODP-6144, MODP-8192 SHA-1 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2 SHA2-224 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2 SHA2-256 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2

Page 25

Algorithm CAVP Properties Reference Cert SHA2-384 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2 SHA2-512 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2 SHA2-512/224 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2 SHA2-512/256 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2 SHA3-224 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2 SHA3-256 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2 SHA3-384 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2 SHA3-512 A4593 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8

Page 26

Algorithm CAVP Properties Reference Cert SHA3-512 A5173 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2 SHAKE-128 A4593 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-128 A5173 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A4593 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE-256 A5173 Output Length - Output Length: 16-65536 Increment 8 FIPS 202 TDES-CBC A4593 Direction - Decrypt SP 800-67 Rev. 2 TDES-CBC A5173 Direction - Decrypt SP 800-67 Rev. 2 TDES-ECB A4593 Direction - Decrypt SP 800-67 Rev. 2 TDES-ECB A5173 Direction - Decrypt SP 800-67 Rev. 2 TLS v1.2 KDF A4593 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 TLS v1.2 KDF A5173 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 SP 800-135 RFC7627 (CVL) Rev. 1 TLS v1.3 KDF A4593 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 TLS v1.3 KDF A5173 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Table 6: Approved Algorithms

2.5.2 Vendor-Affirmed Algorithms

Vendor-Affirmed Algorithms: The module implements the following vendor affirmed algorithms that are approved for use in Approved mode.

Page 27

Name Properties Implementation Reference CKG Key Type:Symmetric N/A SP 800-133r2 and IG D.H: Per Section 4, example 1 and Asymmetric CKG Key Type:Symmetric N/A SP 800-133r2 and IG D.H: Per Section 6.3, approved (XTS) method 1. Applicable to AES-XTS compliant to IG C.I because Key_1 and Key_2 are concatenated prior to usage. Table 7: Vendor-Affirmed Algorithms

2.5.3 Non-Approved, Allowed Algorithms

Non-Approved, Allowed Algorithms: The module implements the following algorithms that are allowed for use in Approved mode. Name Properties Implementation Reference EC Diffie-Hellman Curves: brainpoolP224r1 (strength 112 CryptoComply Allowed per IG D.F, with non-NIST bits) brainpoolP256r1 (strength 128 bits) 140-3 FIPS scenario 3 (per IG recommended brainpoolP320r1 (strength 160 bits) Provider C.A, category 1a and curves brainpoolP384r1 (strength 192 bits) SP 800-186 Appendix brainpoolP512r1 (strength 256 bits) H.1) : SSP Agreement ECDSA with non- Curves: brainpoolP224r1 (strength 112 CryptoComply Allowed per IG C.A, NIST recommended bits) brainpoolP256r1 (strength 128 bits) 140-3 FIPS category 1a (per SP curves brainpoolP320r1 (strength 160 bits) Provider 800-186 Appendix brainpoolP384r1 (strength 192 bits) H.1) brainpoolP512r1 (strength 256 bits) : Signature Generation, Signature Verification, Key Generation, Key Verification Table 8: Non-Approved, Allowed Algorithms

2.5.4 Non-Approved, Allowed Algorithms with No Security Claimed

Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. The module does not implement any non-approved algorithms with no security claimed.

2.5.5 Non-Approved, Not Allowed Algorithms

Non-Approved, Not Allowed Algorithms:

Page 28

N/A for this module. The module does not implement any non-approved, not allowed algorithms.

2.6 Security Function Implementations

Security function implementations (SFIs) are defined by the table below. The module is a software library, therefore the SFIs map directly to the module’s services. Refer also to Security Policy Section 4.3 - Approved Services for a description of the module’s services and SSP access. Name Type Description Properties Algorithms AsymmetricKeyGen AsymKeyPair- Used to generate ECDSA Allowed Counter DRBG: DomPar asymmetric keys Curves:brainpoolP224r1 (A4593, A5173) AsymKeyPair- using the DRBG for (strength 112 bits) Hash DRBG: KeyGen CKG per SP 800- brainpoolP256r1 (A4593, A5173) AsymKeyPair- 133r2. Established (strength 128 bits) HMAC DRBG: KeyVer SSPs are passed brainpoolP320r1 (A4593, A5173) AsymKeyPair- out to the calling (strength 160 bits) CKG, asymmetric PubKeyVal application. brainpoolP384r1 keys: () (strength 192 bits) DSA KeyGen brainpoolP512r1 (FIPS186-4): (strength 256 bits) (A4593, A5173) DSA PQGGen (FIPS186-4): (A4593, A5173) DSA PQGVer (FIPS186-4): (A4593, A5173) EDDSA KeyGen: (A4593, A5173) EDDSA KeyVer: (A4593, A5173) RSA KeyGen (FIPS186-4): (A4593, A5173) Safe Primes Key Generation: (A4593, A5173) Safe Primes Key Verification: (A4593, A5173) ECDSA KeyGen (FIPS186-4): (A4593, A5173)

Page 29

Name Type Description Properties Algorithms Approved Curves: B-233, B-283, B409, B-571, K-233, K-283, K-409, K571, P-224, P-256, P-384, P-521 ECDSA KeyVer (FIPS186-4): (A4593, A5173) Approved Curves: B-163, B-233, B283, B-409, B-571, K-163, K-233, K283, K-409, K-571, P-192, P-224, P256, P-384, P-521 AuthSymmetric BC-Auth Used to encrypt or AES-CCM: (A4593, Encrypt/Decrypt decrypt data. SSPs A5173) are passed in by AES-GCM: (A4593, the calling A5173) application. CKG CKG Direct output of Counter DRBG: DRBGs may be (A4593, A5173) used for symmetric CKG: () key generation per Key Type: SP 800-133r2. Symmetric and Asymmetric Hash DRBG: (A4593, A5173) HMAC DRBG: (A4593, A5173) CKG (XTS) CKG AES-XTS key CKG: () concatenation Key Type: Symmetric DigitalSig DigSig-SigGen Used to generate ECDSA Allowed EDDSA SigGen: DigSig-SigVer or verify digital Curves:brainpoolP224r1 (A4593, A5173) signatures. SSPs (strength 112 bits) EDDSA SigVer: are passed in by brainpoolP256r1 (A4593, A5173) the calling (strength 128 bits) RSA SigGen application. brainpoolP320r1 (FIPS186-4): (strength 160 bits) (A4593, A5173)

Page 30

Name Type Description Properties Algorithms brainpoolP384r1 RSA SigVer (strength 192 bits) (FIPS186-4): brainpoolP512r1 (A4593, A5173) (strength 256 bits) ECDSA SigGen (FIPS186-4): (A4593, A5173) Approved Curves: B-233, B-283, B409, B-571, K-233, K-283, K-409, K571, P-224, P-256, P-384, P-521 ECDSA SigVer (FIPS186-4): (A4593, A5173) Approved Curves: B-163, B-233, B283, B-409, B-571, K-163, K-233, K283, K-409, K-571, P-192, P-224, P256, P-384, P-521 DigitalSig (Legacy) AsymKeyPair- Used to verify DSA PQGVer DomPar digital signatures. (FIPS186-4): AsymKeyPair- SSPs are passed in (A4593, A5173) KeyVer by the calling ECDSA KeyVer DigSig-SigVer application. (FIPS186-4): (A4593, A5173) DSA SigVer (FIPS186-4): (A4593, A5173) ECDSA SigVer (FIPS186-4): (A4593, A5173) RSA SigVer (FIPS186-4): (A4593, A5173) IntegrityTest MAC Integrity Test HMAC-SHA2-256: (A4593, A5173) KeyAgreement KAS-SSC Used to perform IG:IG D.F Scenario 2, KAS-ECC-SSC (ECC) key agreement path 1 Sp800-56Ar3: primitives on Key Confirmation:No (A4593, A5173)

Page 31

Name Type Description Properties Algorithms behalf of the Key Derivation:No Approved Curves: calling application Caveat:Key B-233, B-283, B(does not establish establishment 409, B-571, K-233, keys into the methodology provides K-283, K-409, Kmodule). SSPs are between 112 and 256 571, P-224, P-256, passed in by the bits of security strength P-384, P-521 calling application. Allowed Curves: EC Established SSPs Diffie-Hellman are passed out to with non-NIST the calling recommended application. curves KeyAgreement KAS-SSC Used to perform IG:IG D.F Scenario 2, KAS-FFC-SSC (FFC) key agreement path 1 Sp800-56Ar3: primitives on Key Confirmation:No (A4593, A5173) behalf of the Key Derivation:No calling application Caveat:Key (does not establish establishment keys into the methodology provides module). SSPs are between 112 and 200 passed in by the bits of security strength calling application. Established SSPs are passed out to the calling application. KeyAgreement KAS-SSC Used to perform IG:IG D.F Scenario 1, KAS-IFC-SSC: (RSA) key agreement path 1 (A4593, A5173) primitives on Key Confirmation:No behalf of the Key Derivation:No calling application Caveat:Key (does not establish establishment keys into the methodology provides module). SSPs are between 112 and 200 passed in by the bits of security strength calling application. Established SSPs are passed out to the calling application. KeyDerivation KAS-135KDF Used to derive KDA HKDF SP800KAS-56CKDF keys using KBKDF, 56Cr2: (A4593, PBKDF, HKDF, SP A5173)

Page 32

Name Type Description Properties Algorithms KBKDF 800-56Cr2 One- KDA OneStep PBKDF Step KDF (KDA), SP SP800-56Cr2: 800-56Cr2 Two- (A4593, A5173) Step KDF (KDA), KDA TwoStep ANSI X9.42-2001 SP800-56Cr2: KDF, ANSI X9.63- (A4593, A5173)

2001 KDF, SSHv2 KDF ANS 9.42:

KDF, TLS 1.2 KDF, (A4593, A5173) TLS 1.3 KDF (does KDF ANS 9.63: not establish keys (A4593, A5173) into the module). KDF KMAC Sp800SSPs are passed in 108r1: (A4593, by the calling A5173) application. KDF SP800-108: Established SSPs (A4593, A5173) are passed out to KDF SSH: (A4593, the calling A5173) application. PBKDF: (A4593, A5173) TLS v1.2 KDF RFC7627: (A4593, A5173) TLS v1.3 KDF: (A4593, A5173) KeyedHash MAC Used to generate HMAC-SHA-1: XOF or verify data (A4593, A5173) integrity. SSPs are HMAC-SHA2-224: passed in by the (A4593, A5173) calling application. HMAC-SHA2-256: (A4593, A5173) HMAC-SHA2-384: (A4593, A5173) HMAC-SHA2-512: (A4593, A5173) HMAC-SHA2512/224: (A4593, A5173) HMAC-SHA2512/256: (A4593, A5173) HMAC-SHA3-224: (A4593, A5173) HMAC-SHA3-256:

Page 33

Name Type Description Properties Algorithms (A4593, A5173) HMAC-SHA3-384: (A4593, A5173) HMAC-SHA3-512: (A4593, A5173) KMAC-128: (A4593, A5173) KMAC-256: (A4593, A5173) KeyTransport BC-AuthDecrypt Used to encrypt or Standard:SP 800-56Br2 KTS-IFC: (A4593, BC-AuthEncrypt decrypt a key value Key Confirmation:No A5173) on behalf of the Caveat:Key calling application establishment (does not establish methodology provides keys into the between 112 and 256 module). SSPs are bits of security strength passed in by the IG D.G:Approved key calling application. encapsulation Established SSPs are passed out to the calling application. KeyWrapping KTS-Unwrap Used to encrypt or Standard:SP 800-38F AES-KW: (A4593, KTS-Wrap decrypt a key value IG D.G:Approved key A5173) on behalf of the wrapping AES-KWP: (A4593, calling application Key Confirmation:No A5173) (does not establish Caveat:Key keys into the establishment module). SSPs are methodology provides passed in by the between 128 and 256 calling application. bits of encryption Established SSPs strength are passed out to the calling application. MessageDigest SHA Used to generate a SHA-1: (A4593, SHA-1, SHA-2, SHA- A5173) 3, or SHAKE SHA2-224: (A4593, message digest. A5173) SHA2-256: (A4593, A5173) SHA2-384: (A4593,

Page 34

Name Type Description Properties Algorithms A5173) SHA2-512: (A4593, A5173) SHA2-512/224: (A4593, A5173) SHA2-512/256: (A4593, A5173) SHA3-224: (A4593, A5173) SHA3-256: (A4593, A5173) SHA3-384: (A4593, A5173) SHA3-512: (A4593, A5173) SHAKE-128: (A4593, A5173) SHAKE-256: (A4593, A5173) RNG DRBG Random Number Counter DRBG: Generation from (A4593, A5173) the DRBG. Random Hash DRBG: data or established (A4593, A5173) SSPs are passed HMAC DRBG: out to the calling (A4593, A5173) application. CKG: () Key Type: Symmetric and Asymmetric Symmetric Decrypt BC-UnAuth Symmetric TDES-CBC: (A4593, (Legacy) decryption SSPs A5173) are passed in by TDES-ECB: (A4593, the calling A5173) application. Symmetric BC-UnAuth Symmetric AES-CBC: (A4593, Encrypt/Decrypt encryption or A5173) decryption SSPs AES-CBC-CS1: are passed in by (A4593, A5173) the calling AES-CBC-CS2: application. (A4593, A5173) AES-CBC-CS3: (A4593, A5173)

Page 35

Name Type Description Properties Algorithms AES-CFB1: (A4593, A5173) AES-CFB8: (A4593, A5173) AES-CFB128: (A4593, A5173) AES-CTR: (A4593, A5173) AES-ECB: (A4593, A5173) AES-OFB: (A4593, A5173) AES-XTS Testing Revision 2.0: (A4593, A5173) SymmetricDigest MAC Used to generate AES-CMAC: or verify data (A4593, A5173) integrity with AES-GMAC: CMAC or GMAC. (A4593, A5173) SSPs are passed in by the calling application. Table 9: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES-GCM (IG C.H conformance)

The module is compatible with TLS 1.2 and supports AES-GCM IV construction in alignment with IG C.H scenario

  1. The module does not implement the TLS 1.2 protocol itself. However, the module provides the cryptographic functions required for implementing the TLS 1.2 protocol, including for AES-GCM cipher suites specified in Section 3.3.1 of SP 800-52r2. AES GCM encryption is used in the context of the TLS 1.2 protocol and the mechanism for IV generation is compliant with RFC 5288. The counter portion of the AES GCM IV is set by the module within its cryptographic boundary. The counter portion of the IV is strictly increasing. When the IV exhausts the maximum number of possible values for a given session key, encryption will fail. A handshake to establish a new encryption key is required. It is the responsibility of the user of the module (i.e., the first party to encounter this condition, either the client or the server) to trigger this handshake in accordance with RFC 5246. The module supports internal IV generation by the module’s approved DRBGs, in alignment with IG C.H scenario
  2. The IV is at least 96 bits in length per NIST SP 800-38D, Section 8.2.2.
Page 36

The module is compatible with TLS 1.3 and supports AES-GCM IV construction in alignment with IG C.H scenario 5. The module does not implement the TLS 1.3 protocol itself. However, the module provides the cryptographic functions required for implementing the TLS 1.3 protocol. AES GCM encryption is used in the context of the TLS 1.3 protocol. When used in the context of TLS 1.3, the GCM IV is constructed in accordance with RFC 8446.

2.7.2 AES-XTS

Per SP 800-38E, AES-XTS should only be used for storage applications.

2.7.3 DSA

DSA KeyGen (FIPS186-4) and DSA PQGGen (FIPS 186-4) are only implemented for use as a part of an approved SP 800-56Ar3 FFC scheme. In accordance with this, only the FIPS 186-type parameter sets FB (2048, 224) and FC (2048, 256) from SP 800-56Arev3 are supported by the module. For DSA signatures, only DSA PQGVer (FIPS186-4) and DSA SigVer (FIPS186-4) are only implemented. Refer to Security Policy Section 9.5 - Transitions for additional context.

2.7.4 Edwards Curves

Per FIPS 186-5, Edwards curves are only used for digital signatures using EdDSA. Per FIPS 186-5, only SHA-512 is supported with curve Edwards25519 and only SHAKE256 is supported with curve Edwards448.

2.7.5 PBKDF (IG D.N Conformance)

The PBKDF aligns with Option 1a in Section 5.4 of SP 800-132. Keys derived from passwords using the PBKDF may only be used in storage applications. The PBKDF function can be called using the Key Derivation service, but it does not establish keys into the module. The PBKDF function supports passwords from 8 to 128 bytes and iteration counts from 1 to 10,000. SP 800-132 Section 5.2 recommends a minimum iteration count of 1,000. Operators should select an appropriate password length and iteration count for their use case, bearing in mind that both should be as large as is feasible for the application.

2.7.6 RSA

RSA SigVer (FIPS186-4) ANSI X9.31 functionality is only implemented for legacy support. Refer to Security Policy Section 9.5 - Transitions for additional context. The module supports even RSA modulus sizes that are not testable by the CAVP in the following ranges:

Page 37
2.7.7 RSA KTS (IG D.G conformance)

For the RSA KTS (KTS-IFC) algorithm, the module supports the KTS-OAEP-basic scheme. As indicated in Security Policy Section 2.7.6, the module supports even RSA modulus sizes that are not testable by the CAVP. The module supports moduli 2048-16384 for RSA KTS. This is conformant to IG C.F. Refer also to Security Policy Section 2.7.10 - SP 800-140Br1 SSP Establishment for more information on the SSP establishment by the module.

2.7.8 TLS 1.2 KDF (IG D.Q conformance)

As indicated under CAVP certificates A4593 and A5173, the module supports TLS 1.2 KDF per RFC 7627, i.e. using the extended master secret.

2.7.9 Triple-DES

TDES-CBC and TDES-ECB Decryption functionality is only implemented for legacy support. Refer to Security Policy Section 9.5 - Transitions for additional context.

2.7.10 SP 800-140Br1 SSP Establishment

As a cryptographic software library, SSPs used for services are passed in by the calling application. Established SSPs are passed out to the calling application and are not stored in the module. Accordingly, the following statements are required for conformance. For additional details, see also Security Policy Section 2.10 - Key Establishment. The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS. The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS.

Page 38
2.8 RBG and Entropy

Entropy Certificates: N/A for this module. Entropy Sources: N/A for this module. The module does not include an entropy source. The module aligns with IG 9.3.A, scenario 2b, therefore the module’s certificate includes the caveat “No assurance of the minimum strength of generated SSPs (e.g., keys).” The module accepts input from entropy sources external to the cryptographic boundary for use as seed material for the module’s approved DRBG implementations. Entropy is supplied to the module by means of callback functions. Those functions return an error if the minimum entropy strength is not met. Entropy strength requirements are per NIST Special Publication 800-90A Rev. 1 Table 2 (Hash_DRBG, HMAC_DRBG) and Table 3 (CTR_DRBG). At a minimum, the entropy source shall provide at least 128 bits of entropy to the DRBG. All random values used by the module for approved algorithms are provided by the module’s approved DRBGs. The module includes Counter DRBG, Hash DRBG, and HMAC DRBG, all of which are approved RBGs. The output of these approved RBGs is used to generate random data, symmetric keys, and asymmetric keys, as indicated in Security Policy Section 2.5.2 - Vendor-Affirmed Algorithms.

2.9 Key Generation

Any generated SSPs are passed out to the calling application and are not stored in the module. Additional detail is provided in Security Policy Section 2.6 - Security Function Implementations and Section 4.3 - Approved Services. Random values for key generation are provided by the module’s approved DRBGs. The output of the module’s approved DRBGs may be used to generate symmetric and asymmetric keys per SP 800-133r2, as indicated in Security Policy Section 2.5.2 - Vendor-Affirmed Algorithms. The module is a software library that provides a service (called Random Number Generation) for direct output of the approved DRBG (U). This output is approved for generating keys or SSPs. Symmetric keys are generated per SP 800-133r2 Section 6.1 using the Random Number Generation service; additionally, Section 6.3 is applicable for AES-XTS keys. Asymmetric keys are generated per SP

Page 39

800-133r2 Section 5 per FIPS 186-4 and per FIPS 186-5 (for EdDSA only) using the Asymmetric Key Generation service.

2.10 Key Establishment

SSPs used for services are passed in by the calling application. Established SSPs are passed out to the calling application and are not stored in the module. Additional detail is provided in Security Policy Section 2.6 - Security Function Implementations and Section 4.3 - Approved Services. The module provides ECC and FFC shared secret computation that is conformant to SP 800-56Ar3 in alignment with IG D.F scenario 2 (path 1) via the Key Agreement (ECC/FFC) service. For ECC, the module supports the (Cofactor) Ephemeral Unified Model, C(2e, 0s, ECC CDH) Scheme described in SP 800-56Ar3 Section 6.1.2.2. For FFC, the module supports the dhEphem, C(2e, 0s, FFC DH) Scheme described in SP 800-56Ar3 Section 6.1.2.1. The module also provides ECC key agreement using the allowed curves specified in Security Policy Section 2.5.3 - Non-Approved, Allowed Algorithms in alignment with IG D.F scenario 3 via the Key Agreement (ECC/FFC) service. The appropriate public key validation assurances are implemented. For ECC, full public key validation is implemented (SP 800-56Ar3 Section 5.6.2.3.3). For FFC, both full public key validation (per SP 800-56Ar3 Section 5.6.2.3.1) and partial public key validation (per SP 800-56Ar3 Section 5.6.2.3.2) are implemented. The module provides RSA shared secret computation that is conformant to SP 800-56Br2 in alignment with IG D.F scenario 1 (path 1) via the Key Agreement (RSA) service. The module supports the KAS1 basic and KAS2 basic schemes. The module supports various key derivation functions separately via the Key Derivation service. Supported KDFs are conformant to SP 800-108r1 (KBKDF), SP 800-132 (PBKDF), SP 800-56Cr2 (HKDF, KDA OneStep KDA, TwoStep KDA), SP 800-135r1 (ANSI 9.42 KDF, ANSI 9.63 KDF, SSH KDF, TLS 1.2 KDF), and RFC 8446 (TLS 1.3 KDF). The module provides RSA key encapsulation that is conformant to SP 800-56Br2 via the Key Transport service. The module provides AES key wrapping (AES KW, AES KWP) that is conformant to SP 800-38F via the Key Wrapping service. Refer also to Security Policy Section 2.7.10 - SP 800-140Br1 SSP Establishment for more information on the SSP establishment by the module.

2.11 Industry Protocols

The module implements KDFs from SP 800-135r1 (Recommendation for Existing Application-Specific Key Derivation Functions) and the TLS 1.3 KDF. These KDFs have been validated by the CAVP and received

Page 40

CVL certificates (A4593, A5173). No parts of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

Page 41
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

As a software cryptographic module, the module supports logical interfaces only and not physical ports. All access to the module is through the module’s API. The API provides and defines the module’s logical interfaces. The API provides functions that may be called by a host application (refer to Security Policy Section 4.3 - Approved Services). Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters for data N/A Data Output API output parameters for data N/A Control Input API function calls N/A Status Output API status outputs (return codes, error messages) Table 10: Ports and Interfaces

3.2 Additional Information

All interfaces are logically separated by the module’s API. The data output path is inhibited during pre-operational self-tests, zeroisation, and when the module is in an error state.

Page 42
4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 11: Roles Crypto Officer is the only role supported by the module. The module does not support a User role or a Maintenance role. The Crypto Officer role is implicitly selected by calling the module’s services.

4.3 Approved Services

The following table describes the services the module provides and the access to SSPs by each service. Additional details on each service are available in the module’s user guidance documentation. SSP Access is divided into the following access types:

Page 43

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access (calls pointer) pre- table operatio nal selftests and CASTs). Self-Test Performs API return value code from None Module State None Crypto pre- SELF_TEST_post(): 1 for (queried via Show Officer operatio success, 0 for failure Status) changes to nal self- Running tests and (FIPS_STATE_RUNN CASTs on ING) demand. Integrity Performs API return value from Expecte Module State IntegrityTest Crypto Test the verify_integrity(): 1 for d HMAC (queried via Show Officer integrity verified, 0 for failure Status) changes to test on Running demand. (FIPS_STATE_RUNN ING) Show Provides Implied if None Module Status: None Crypto Status status EVP_default_properties_is Running Officer informati _fips_enabled() returns (FIPS_STATE_RUNN on by true. API return value: 1 for ING), or Error querying query operation completed (FIPS_STATE_ERRO the successfully, 0 for failure to R) "status" query the parameter paramet er. Output Displays Implied if None name: 140-3 FIPS None Crypto ID/ FIPS EVP_default_properties_is Provider version: Officer Version module _fips_enabled() returns 3.0.0-FIPS 140-3 or Informat version true. API return value: 1 for 3.0.1-FIPS 140-3 ion by query operation completed buildinfo: 3.0.0-FIPS (Show querying successfully, 0 for failure to 140-3 or 3.0.1-FIPS Version) the query the parameter 140-3 "version, " "name," and "buildinf

Page 44

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access o" paramet ers, with the results specified in the output column. The version aligns with the FIPS certificat e and Security Policy Section

2.2 -

Tested and Vendor Affirmed Module Version and Identific ation. Random Used to Implied if Desired Random data RNG Crypto Number seed/res EVP_default_properties_is security CKG Officer Generati eed a _fips_enabled() returns strength - DRBG on DRBG true. API return value: 1 for in bits, Entropy instance operation completed entropy Input: (includin successfully, 0 for failure input W,E,Z g determin CTR_DR ing the BG security Seed: strength) G,E,Z or obtain random CTR_DR

Page 45

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access data. BG V: Random G,E,Z data may be used CTR_DR for CKG BG Key: per SP G,E,Z 800- 133r2. Hash_D Establish RBG ed SSPs Seed: are G,E,Z passed out to Hash_D the RBG V: calling G,E,Z applicati on. Hash_D RBG C: G,E,Z HMAC_ DRBG Seed: G,E,Z HMAC_ DRBG V: G,E,Z HMAC_ DRBG Key: G,E,Z Generic Secret: G,R,Z Symmetr Used to Implied if AES Ciphertext data or Symmetric Crypto ic encrypt EVP_default_properties_is EDK, plaintext data Encrypt/Dec Officer Encrypti or _fips_enabled() returns AES XTS rypt - AES on/ decrypt true. API return value: 1 for key, IV, CKG (XTS) EDK: data. cipherte W,E,Z

Page 46

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access Decrypti SSPs are operation completed xt data, - AES on passed successfully, 0 for failure plaintex XTS key: in by the t data W,E,Z calling applicati on. Authenti Used to Implied if AES Ciphertext data or AuthSymme Crypto cated encrypt EVP_default_properties_is CMAC/C plaintext data tric Officer Symmetr or _fips_enabled() returns CM key, Encrypt/Dec - AES ic decrypt true. API return value: 1 for AES rypt CMAC/C Encrypti data or operation completed GMAC/ CM key: on/ keys. successfully, 0 for failure GCM W,E,Z Decrypti SSPs are key, - AES on passed cipherte GMAC/ in by the xt data, GCM calling plaintex key: applicati t data W,E,Z on. Any - AES establish GMAC/ ed SSPs GCM IV: are G,E,Z passed out to the calling applicati on. Symmetr Used to Implied if Digest Digest or SymmetricDi Crypto ic Digest generate EVP_default_properties_is or verification result gest Officer or verify _fips_enabled() returns message - AES data true. API return value: 1 for , AES CMAC/C integrity operation completed CMAC/C CM key: with successfully, 0 for failure CM key, W,E,Z CMAC or AES - AES GMAC. GMAC/ GMAC/ SSPs are GCM GCM passed key key: in by the W,E,Z calling - AES applicati GMAC/ on.

Page 47

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access GCM IV: G,E,Z Asymme Used to Implied if Desired ECDSA SGK, ECDSA Asymmetric Crypto tric Key generate EVP_default_properties_is security SVK, RSA SGK, RSA KeyGen Officer Generati asymmet _fips_enabled() returns strength SVK, EdDSA SGK, - DRBG on ric keys true. API return value: 1 for in bits, EdDSA SVK, DH Entropy using the operation completed entropy Private, DH Public, Input: DRBG. successfully, 0 for failure input, ECDH Private, ECDH W,E,Z Establish predicti Public, RSA KAK ed SSPs on Private, RSA KAK CTR_DR are resistan Public, RSA KDK BG passed ce, Private, RSA KEK Seed: out to paramet Public G,E,Z the ers and calling values CTR_DR applicati for FFC, BG V: on. ECC, G,E,Z RSA key generati CTR_DR on BG Key: G,E,Z Hash_D RBG Seed: G,E,Z Hash_D RBG V: G,E,Z Hash_D RBG C: G,E,Z HMAC_ DRBG Seed: G,E,Z HMAC_ DRBG V:

Page 48

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access G,E,Z HMAC_ DRBG Key: G,E,Z - ECDSA SGK: G,R,Z - ECDSA SVK: G,R,Z - RSA SGK: G,R,Z - RSA SVK: G,R,Z - EdDSA SGK: G,R,Z - EdDSA SVK: G,R,Z - DH Private: G,R,Z - DH Public: G,R,Z - EC DH Private: G,R,Z - EC DH Public: G,R,Z - RSA KAK Private: G,R,Z - RSA KAK Public:

Page 49

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access G,R,Z - RSA KDK Private: G,R,Z - RSA KEK Public: G,R,Z Digital Used to Implied if DSA Digital signature or DigitalSig Crypto Signatur generate EVP_default_properties_is SVK, verification result Officer es or verify _fips_enabled() returns ECDSA - ECDSA digital true. API return value: 1 for SGK, SGK: signatur operation completed ECDSA W,E,Z es. SSPs successfully, 0 for failure SVK, - ECDSA are RSA SVK: passed SGK, W,E,Z in by the RSA - RSA calling SVK, SGK: applicati EdDSA W,E,Z on. SGK, - RSA EdDSA SVK: SVK W,E,Z - EdDSA SGK: W,E,Z - EdDSA SVK: W,E,Z Keyed Used to Implied if HMAC Keyed hash or KeyedHash Crypto Hash generate EVP_default_properties_is key, verification result Officer or verify _fips_enabled() returns KMAC - HMAC data true. API return value: 1 for key Key: integrity. operation completed W,E,Z SSPs are successfully, 0 for failure - KMAC passed Key: in by the W,E,Z calling applicati on.

Page 50

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access Message Used to Implied if Messag Digest MessageDig Crypto Digest generate EVP_default_properties_is e data est Officer a SHA-1, _fips_enabled() returns SHA-2, true. API return value: 1 for SHA-3, operation completed or SHAKE successfully, 0 for failure message digest. Key Used to Implied if DH DH Private, DH KeyAgreeme Crypto Agreeme perform EVP_default_properties_is Private, Public, ECDH nt (ECC) Officer nt key _fips_enabled() returns DH Private, ECDH KeyAgreeme - DH (ECC/FFC agreeme true. API return value: 1 for Public, Public, KDF secret nt (FFC) Private: ) nt operation completed ECDH R,W,E,Z primitive successfully, 0 for failure Private, - DH s on ECDH Public: behalf of Public R,W,E,Z the - EC DH calling Private: applicati R,W,E,Z on (does - EC DH not Public: establish R,W,E,Z keys into - KDF the Secret: module). G,R,Z SSPs are passed in by the calling applicati on. Establish ed SSPs are passed out to the calling applicati on.

Page 51

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access Key Used to Implied if RSA KAK RSA KAK Private, KeyAgreeme Crypto Agreeme perform EVP_default_properties_is Private, RSA KAK Public, nt (RSA) Officer nt (RSA) key _fips_enabled() returns RSA KAK KDF secret - RSA agreeme true API return value: 1 for Public KAK nt operation completed Private: primitive successfully, 0 for failure R,W,E,Z s on - RSA behalf of KAK the Public: calling R,W,E,Z applicati - KDF on (does Secret: not G,R,Z establish keys into the module). SSPs are passed in by the calling applicati on. Establish ed SSPs are passed out to the calling applicati on Key Used to Implied if KDF Generic Secret KeyDerivatio Crypto Derivatio derive EVP_default_properties_is secret, n Officer n keys _fips_enabled() returns salt, - KDF using true. API return value: 1 for iteration Secret: KBKDF, operation completed count, W,E,Z PBKDF, successfully, 0 for failure MAC, HKDF, SP digest, Generic 800- cipher, Secret: 56Cr2 key G,R,Z One-

Page 52

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access Step KDF (KDA), SP 80056Cr2 TwoStep KDF (KDA), ANSI X9.422001 KDF, ANSI X9.632001 KDF, SSHv2 KDF, TLS

1.2 KDF,

TLS 1.3 KDF (does not establish keys into the module). SSPs are passed in by the calling applicati on. Establish ed SSPs are passed out to the calling applicati on.

Page 53

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access Key Used to Implied if RSA KEK Encapsulated key KeyTranspor Crypto Transpor encrypt EVP_default_properties_is Public (Generic Secret), or t Officer t or _fips_enabled() returns and key unencapsulated key - RSA decrypt true. API return value: 1 for to be (Generic Secret) KDK a key operation completed encapsu Private: value on successfully, 0 for failure lated W,E,Z behalf of (Generic - RSA the Secret), KEK calling or RSA Public: applicati KDK W,E,Z on (does Private not and Generic establish encapsu Secret: keys into lated R,W,Z the key module). (Generic SSPs are Secret) passed in by the calling applicati on. Establish ed SSPs are passed out to the calling applicati on. Key Used to Implied if AES key Wrapped key or KeyWrappin Crypto Wrappin encrypt EVP_default_properties_is wrappin unwrapped key g Officer g or _fips_enabled() returns g key, (Generic Secret) - AES decrypt true. API return value: 1 for key to key a key operation completed be wrappin value on successfully, 0 for failure wrappe g key: behalf of d or W,E,Z the unwrap calling ped Generic applicati on (does

Page 54

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access not (Generic Secret: establish Secret) R,W,Z keys into the module). SSPs are passed in by the calling applicati on. Establish ed SSPs are passed out to the calling applicati on. Zeroise All Implied if Memory The completion of a None Crypto services EVP_default_properties_is to be zeroisation routine Officer automati _fips_enabled() returns cleanse indicates that the - DRBG cally true. API return value: 1 for d zeroisation Entropy overwrit operation completed (pointer procedure Input: Z e SSPs successfully, 0 for failure and succeeded. stored in length) Zeroisation can be CTR_DR allocated confirmed via BG memory EVP_RAND_verify_z Seed: Z (zeroise). eroization: 1 for The success (i.e. the CTR_DR module DRBG CSPs have BG V: Z does not been zeroised), 0 store any for failure. CTR_DR SSP BG Key: persisten Z tly (beyond Hash_D the RBG lifetime Seed: Z of an API call), Hash_D

Page 55

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access except RBG V: Z for DRBG state Hash_D values RBG C: Z (stored for the HMAC_ lifetime DRBG of the Seed: Z DRBG instance) HMAC_ . Stack DRBG V: cleanup Z is the responsi HMAC_ bility of DRBG the Key: Z calling applicati on. Utility Miscella Implied if None None None Crypto neous EVP_default_properties_is Officer helper _fips_enabled() returns function true. API return value: 1 for s. operation completed successfully, 0 for failure Symmetr Used to Implied if TDES Plaintext data Symmetric Crypto ic decrypt EVP_default_properties_is DK, Decrypt Officer Decrypti data. _fips_enabled() returns cipherte (Legacy) - TDES on SSPs are true API return value: 1 for xt data DK: (Legacy) passed operation completed W,E,Z in by the successfully, 0 for failure calling applicati on. Digital Used to Implied if DSA Verification result DigitalSig Crypto Signatur verify EVP_default_properties_is SVK, (Legacy) Officer es digital _fips_enabled() returns ECDSA - DSA (Legacy) signatur true API return value: 1 for SVK SVK: es. SSPs operation completed (Legacy) W,E,Z are successfully, 0 for failure , RSA - ECDSA passed SVK

Page 56

Name Descripti Indicator Inputs Outputs Security SSP on Functions Access in by the SVK (Legacy) calling (Legacy) : W,E,Z applicati - RSA on. SVK (Legacy) : W,E,Z Table 12: Approved Services

4.4 Non-Approved Services

N/A for this module. The module does not implement any non-approved, not allowed algorithms; therefore, it also does not provide any non-approved services.

4.5 External Software/Firmware Loaded

Not applicable for this module.

Page 57
5 Software/Firmware Security
5.1 Integrity Techniques

As specified in the executable code sets table in Security Policy Section 2.2 - Tested and Vendor Affirmed Module Version and Identification, the module implements integrity techniques for all executable code sets. The integrity technique used by the module is HMAC-SHA-256. The integrity technique has received CAVP certificates A4593 and A5173. The integrity technique is implemented by the module itself. The integrity authentication key for the integrity technique is an HMAC-SHA-256 key with a key length of

256 bits. It is integrated into the module during compilation and cannot be changed afterwards. The

module is only provided to the end user in the form of a compiled binary (refer to Security Policy Section 11.1). Note, per ISO 19790:2012 Section 7.5, this key is not considered a SSP. The installation process generates the HMAC digest for the module using this key and the module. For dynamic libraries, the HMAC digest is generated from the module file and is then stored in the module's configuration file. For static and iOS libraries, the HMAC digest is generated from the memory the module is loaded at and is then stored in the executable the module is linked into. To verify the module's integrity (for the pre-operational self-test or on demand), the module generates a new HMAC digest and compares it with the corresponding stored value. The test passes if the values match.

5.2 Initiate on Demand

The Integrity Test can be performed on demand via the “Integrity Test” service.

Page 58
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: Supported operational environments are indicated in Security Policy Section 2.2 - Tested and Vendor Affirmed Module Version and Identification. Refer also to that section for vendor affirmed operating environment porting guidance. The operating environments ensure that every application using the module operates in its own private and isolated environment (memory, I/O, etc.) and that user processes are segregated into separate process spaces. The module does not spawn any processes.

6.2 Configuration Settings and Restrictions

The module must be installed, and the correct installation confirmed, as described in Security Policy Section 11.1 - Installation, Initialization, and Startup Procedures. No specific configuration options are required for the operational environments. No security rules, settings, or restrictions to the configuration of the operational environment are needed for the module to function in an approved manner. It is advised to restrict write access to the module and its related configuration file to the administrator role in the operational environment.

Page 59
7 Physical Security

The requirements of this section are not applicable to the module. The module is a software module and does not implement any physical security mechanisms.

Page 60
8 Non-Invasive Security

The requirements of this section are not applicable to the module.

Page 61
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Area Description Persistence Name Type RAM / DRAM Memory that only holds data during power on of the operating environment Dynamic Table 13: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API Input via Other RAM / DRAM Plaintext Manual Electronic TOEPP path Applications (App per IG 9.5.A) Encrypted API Other RAM / DRAM Encrypted Manual Electronic KeyTransport Input using Key Applications Transport via (App per IG TOEPP path 9.5.A) Encrypted API Other RAM / DRAM Encrypted Manual Electronic KeyWrapping Input using Key Applications Wrapping via (App per IG TOEPP path 9.5.A) API Output via RAM / DRAM Other Plaintext Manual Electronic TOEPP path Applications (App per IG 9.5.A) Encrypted API RAM / DRAM Other Encrypted Manual Electronic KeyTransport Output using Key Applications Transport via (App per IG TOEPP path 9.5.A) Encrypted API RAM / DRAM Other Encrypted Manual Electronic KeyWrapping Output using Key Applications Wrapping via (App per IG TOEPP path 9.5.A)

Page 62

Table 14: SSP Input-Output Methods The information in the table above aligns with IG 9.5.A. IG 9.5.A indicates that SSPs established by a software cryptographic module to or from a general purpose application that operates outside the module’s boundary but within the TOEPP are classified as Manually Distributed using Electronic Entry. The module does not support any other methods of SSP input or output. Specifically, the module does not support Automated Distribution, Wireless Distribution, or Direct Entry. The module outputs CSPs in plaintext unless a KeyTransport (RSA) or KeyWrapping (AES) Security Function Implementation (refer to Security Policy Section 2.6 - Security Function Implementations) is used to encrypt the output CSP.

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Zeroise service Calls OPENSSL_cleanse to zeroise the DRBG CSPs are the only SSPs stored Function DRBG CSPs by the module beyond the lifetime of provided an API call. The Zeroise service via API zeroises SSPs by overwriting zeroes to the memory location occupied by the SSP and further deallocating that area. Call a service Services include appropriate APIs SSPs are zeroised by overwriting Function that creates or (OPENSSL_free or OPENSSL_cleanse) to zeroes to the memory location provided uses the SSP automatically zeroise the SSPs created occupied by the SSP and further via API or used by the services. This zeroises deallocating that area. the context structures that contains the SSP. Table 15: SSP Zeroization Methods As indicated in Security Policy Section 4.3 - Approved Services, the completion of a zeroisation routine indicates that the zeroisation procedure succeeded. Zeroisation can be confirmed via EVP_RAND_verify_zeroization: 1 for success (i.e. the DRBG CSPs have been zeroised), 0 for failure.

9.4 SSPs

The following two tables define the module’s Sensitive Security Parameters (SSPs). Access to SSPs is defined under Security Policy Section 4.3 - Approved Services.

Page 63
9.4.1 SSPs (Table 1 of 2)

Name Description Size - Type - Generated By Established Used By Strength Category By Generic SSPs 112 - 512 Key or other KeyDerivation KeyTranspo KeyTransport Secret generated bits - 112 SSP - CSP CKG rt KeyWrapping from the - 256 bits KeyWrappi direct DRBG ng output (CKG) or by key derivation and directly output by the module, or generic keys that are wrapped or transported and directly output by the module. Note: when the encrypted item is not a key or other SSP, it is denoted as "data" instead of as the Generic Secret SSP. AES EDK AES 128, 192, Symmetric Symmetric encrypt/ 256 bits - Key - CSP Encrypt/Decrypt decrypt key 128, 192,

256 bits
Page 64

Name Description Size - Type - Generated By Established Used By Strength Category By AES AES 128, 192, Symmetric AuthSymmetric CMAC/CCM CMAC/CCM 256 bits - Key - CSP Encrypt/Decrypt key key for 128, 192, SymmetricDigest encrypt/ 256 bits decrypt or generate/ verify AES AES 128, 192, Symmetric AuthSymmetric GMAC/GC GMAC/GC 256 bits - Key - CSP Encrypt/Decrypt M key M key for 128, 192, SymmetricDigest encrypt/ 256 bits decrypt or generate/ verify AES AES 96-1024 IV - CSP RNG AuthSymmetric GMAC/GC GMAC/GC bits - 96- Encrypt/Decrypt M IV M IV for 1024 bits SymmetricDigest encrypt/ decrypt or generate/ verify AES XTS key AES XTS 128, 256 Symmetric CKG (XTS) Symmetric encrypt/ bits - 128, Key - CSP Encrypt/Decrypt decrypt key 256 bits AES key AES KW, 128, 192, Symmetric KeyWrapping wrapping KWP key 256 bits - Key - CSP key 128, 192,

256 bits

TDES DK 3-key 192 bits - Symmetric Symmetric Triple-DES 112 bits Key - CSP Decrypt (Legacy) decrypt key DRBG Entropy 128-1024 RBG - CSP RNG Entropy Input bits AsymmetricKeyG Input (length is en dependen t on the requested security

Page 65

Name Description Size - Type - Generated By Established Used By Strength Category By strength, per SP 800-90A Rev. 1 Table 2 and Table 3) - 128-

256 bits

CTR_DRBG CTR_DRBG 256-896 RBG - CSP RNG RNG Seed seed, bits - 128- AsymmetricKeyG AsymmetricKeyG constructed 256 bits en en from entropy input and other inputs per SP 800-90A Rev. 1 Sections 7.2, 8.6 CTR_DRBG V, internal 128 bits - RBG - CSP RNG RNG V state 128 bits AsymmetricKeyG AsymmetricKeyG en en CTR_DRBG Key (AES), 128, 192, RBG - CSP RNG RNG Key internal 256 bits - AsymmetricKeyG AsymmetricKeyG state 128, 192, en en

256 bits

Hash_DRBG Hash_DRBG 224-736 RBG - CSP RNG RNG Seed seed, bits - 128- AsymmetricKeyG AsymmetricKeyG constructed 256 bits en en from entropy input and other inputs per SP 800-90A Rev 1 Sections 7.2, 8.6

Page 66

Name Description Size - Type - Generated By Established Used By Strength Category By Hash_DRBG V, internal 440, 888 RBG - CSP RNG RNG V state bits - 128, AsymmetricKeyG AsymmetricKeyG

256 bits en en

Hash_DRBG C, internal 440, 888 RBG - CSP RNG RNG C state bits - 128, AsymmetricKeyG AsymmetricKeyG

256 bits en en

HMAC_DRB HMAC_DRB 224-1408 RBG - CSP RNG RNG G Seed G seed, bits - 128, AsymmetricKeyG AsymmetricKeyG constructed 256 bits en en from entropy input and other inputs per SP 800-90A Rev. 1 Sections 7.2, 8.6 HMAC_DRB V, internal 160, 256, RBG - CSP RNG RNG GV state 512 bits - AsymmetricKeyG AsymmetricKeyG 160, 256, en en

512 bits

HMAC_DRB Key 160, 256, RBG - CSP RNG RNG G Key (HMAC), 512 bits - AsymmetricKeyG AsymmetricKeyG internal 160, 256, en en state 512 bits ECDSA SGK ECDSA 224 - 512 Signature - AsymmetricKeyG DigitalSig signature bits - 112 CSP en generation - 256 bits key (P, B, K curves and brainpool) RSA SGK RSA 2048 - Signature - AsymmetricKeyG DigitalSig signature 16384 bits CSP en generation - 112 key 256 bits

Page 67

Name Description Size - Type - Generated By Established Used By Strength Category By EdDSA SGK Ed25519 or 256, 456 Signature - AsymmetricKeyG DigitalSig Ed448 bits - 128, CSP en signature 224 bits generation key DH Private Diffie- For 186-4 Key AsymmetricKeyG KeyAgreement Hellman type key Agreement - en (FFC) private key generatio CSP agreement n: 224, key (186-4- 256 bits. type and For safe safe primes primes) key generatio n: ffdhe2048 , ffdhe3072 , ffdhe4096 , ffdhe6144 , ffdhe8192 , MODP2048, MODP3072, MODP4096, MODP6144, MODP-

8192 -
112 bits

112-200 bits EC DH Elliptic 224 - 512 Key AsymmetricKeyG KeyAgreement Private Curve bits - 112 Agreement - en (ECC) Diffie- - 256 bits CSP Hellman

Page 68

Name Description Size - Type - Generated By Established Used By Strength Category By private key agreement key (P, B, K curves and brainpool) RSA KAK RSA private 2048 - Key AsymmetricKeyG KeyAgreement Private key 16384 bits Agreement - en (RSA) agreement - 112 - CSP key 256 bits RSA KDK RSA private 2048 - Key AsymmetricKeyG KeyTransport Private key 16384 bits Transport - en decryption - 112 - CSP key 256 bits HMAC Key Keyed hash 160, 224, Authenticati KeyedHash key for 256, 384, on - CSP HMAC 512 bits 128, 192

256 bits

KMAC Key Keyed hash 128-1024 Authenticati KeyedHash key for bits - 128, on - CSP KMAC 256 bits KDF Secret Secret 112 - 512 Key KeyAgreement KeyDerivation value used bits - 112 Derivation (ECC) by KDFs - 512 bits Function - KeyAgreement CSP (FFC) KeyAgreement (RSA) DSA SVK DSA DSA (L, N) Signature - DigitalSig signature = (512 L < PSP (Legacy) verification 2048, 160 key (legacy N < 224) only) (2048, 224) (2048, 256) (3072, 256) - 80 -

128 bits
Page 69

Name Description Size - Type - Generated By Established Used By Strength Category By ECDSA SVK ECDSA 224 - 512 Signature - AsymmetricKeyG DigitalSig signature bits - 112 PSP en verification - 256 bits key (P, B, K curves and brainpool) RSA SVK RSA 2048 - Signature - AsymmetricKeyG DigitalSig signature 16384 bits PSP en verification - 112 key 256 bits EdDSA SVK Ed25519 or 256, 456 Signature - AsymmetricKeyG DigitalSig Ed448 bits - 128, PSP en signature 224 bits verification key DH Public Diffie- For 186-4 Key AsymmetricKeyG KeyAgreement Hellman type key Agreement - en (FFC) public key generatio PSP agreement n: 2048 key (186-4- bits. For type and safe safe primes primes) key generatio n: ffdhe2048 , ffdhe3072 , ffdhe4096 , ffdhe6144 , ffdhe8192 , MODP2048, MODP3072, MODP4096, MODP-

Page 70

Name Description Size - Type - Generated By Established Used By Strength Category By 6144, MODP-

8192 -

112-200 bits EC DH Elliptic 224 - 512 Key AsymmetricKeyG KeyAgreement Public Curve bits - 112 Agreement - en (ECC) Diffie- - 256 bits PSP Hellman public key agreement key (P, B, K curves and brainpool) RSA KAK RSA public 2048 - Key AsymmetricKeyG KeyAgreement Public key 16384 bits Agreement - en (RSA) agreement - 112 - PSP key 256 bits RSA KEK RSA public 2048 - Key AsymmetricKeyG KeyTransport Public key 16384 bits Transport - en encryption - 112 - PSP key 256 bits ECDSA SVK ECDSA 163 - 192 Signature - DigitalSig (Legacy) signature bits - 80 PSP (Legacy) verification bits key (P, B, K curves) for legacy curves RSA SVK RSA 1024 - Signature - DigitalSig (Legacy) signature 16384 bits PSP (Legacy) verification - 80 bits key for legacy key lengths or legacy SHATable 16: SSP Table 1

Page 71
9.4.2 SSPs (Table 2 of 2)

Name Input - Storage Storage Duration Zeroization Related SSPs Output Generic API Input via RAM / All SSPs are Call a service KDF Secret:Derived Secret TOEPP path DRAM:Plaintext temporarily stored. that creates From Encrypted API Storage duration is or uses the RSA KDK Input using for the lifetime of SSP Private:May be Key Transport the API call. Wrapped or via TOEPP Unwrapped by path RSA KEK Public:May Encrypted API be Wrapped or Input using Unwrapped by Key Wrapping AES key wrapping via TOEPP key:May be path Wrapped or API Output via Unwrapped by TOEPP path Encrypted API Output using Key Transport via TOEPP path Encrypted API Output using Key Wrapping via TOEPP path AES EDK API Input via RAM / All SSPs are Call a service TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. AES API Input via RAM / All SSPs are Call a service CMAC/CCM TOEPP path DRAM:Plaintext temporarily stored. that creates key Storage duration is or uses the for the lifetime of SSP the API call. AES API Input via RAM / All SSPs are Call a service AES GMAC/GCM GMAC/GCM TOEPP path DRAM:Plaintext temporarily stored. that creates IV:Used With key Storage duration is or uses the SSP

Page 72

Name Input - Storage Storage Duration Zeroization Related SSPs Output for the lifetime of the API call. AES RAM / All SSPs are Call a service AES GMAC/GCM GMAC/GCM DRAM:Plaintext temporarily stored. that creates key:Used With IV Storage duration is or uses the for the lifetime of SSP the API call. AES XTS key API Input via RAM / All SSPs are Call a service TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. AES key API Input via RAM / All SSPs are Call a service Generic wrapping key TOEPP path DRAM:Plaintext temporarily stored. that creates Secret:Wraps or Storage duration is or uses the Unwraps for the lifetime of SSP the API call. TDES DK API Input via RAM / All SSPs are Call a service TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. DRBG API Input via RAM / All DRBG SSPs are Zeroise CTR_DRBG Entropy Input TOEPP path DRAM:Plaintext temporarily stored. service Seed:Used With Storage duration is CTR_DRBG V:Used for the lifetime of With the DRBG instance. CTR_DRBG Key:Used With Hash_DRBG Seed:Used With Hash_DRBG V:Used With Hash_DRBG C:Used With HMAC_DRBG Seed:Used With HMAC_DRBG V:Used With

Page 73

Name Input - Storage Storage Duration Zeroization Related SSPs Output HMAC_DRBG Key:Used With CTR_DRBG RAM / All DRBG SSPs are Zeroise DRBG Entropy Seed DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is CTR_DRBG V:Used for the lifetime of With the DRBG instance. CTR_DRBG Key:Used With CTR_DRBG V RAM / All DRBG SSPs are Zeroise DRBG Entropy DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is CTR_DRBG for the lifetime of Seed:Used With the DRBG instance. CTR_DRBG Key:Used With CTR_DRBG RAM / All DRBG SSPs are Zeroise DRBG Entropy Key DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is CTR_DRBG for the lifetime of Seed:Used With the DRBG instance. CTR_DRBG V:Used With Hash_DRBG RAM / All DRBG SSPs are Zeroise DRBG Entropy Seed DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is Hash_DRBG V:Used for the lifetime of With the DRBG instance. Hash_DRBG C:Used With Hash_DRBG V RAM / All DRBG SSPs are Zeroise DRBG Entropy DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is Hash_DRBG for the lifetime of Seed:Used With the DRBG instance. Hash_DRBG C:Used With Hash_DRBG C RAM / All DRBG SSPs are Zeroise DRBG Entropy DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is Hash_DRBG for the lifetime of Seed:Used With the DRBG instance. Hash_DRBG V:Used With

Page 74

Name Input - Storage Storage Duration Zeroization Related SSPs Output HMAC_DRBG RAM / All DRBG SSPs are Zeroise DRBG Entropy Seed DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is HMAC_DRBG for the lifetime of V:Used With the DRBG instance. HMAC_DRBG Key:Used With HMAC_DRBG RAM / All DRBG SSPs are Zeroise DRBG Entropy V DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is HMAC_DRBG for the lifetime of Seed:Used With the DRBG instance. HMAC_DRBG Key:Used With HMAC_DRBG RAM / All DRBG SSPs are Zeroise DRBG Entropy Key DRAM:Plaintext temporarily stored. service Input:Used With Storage duration is HMAC_DRBG for the lifetime of Seed:Used With the DRBG instance. HMAC_DRBG V:Used With ECDSA SGK API Input via RAM / All SSPs are Call a service ECDSA SVK:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the TOEPP path for the lifetime of SSP the API call. RSA SGK API Input via RAM / All SSPs are Call a service RSA SVK:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the TOEPP path for the lifetime of SSP the API call. EdDSA SGK API Input via RAM / All SSPs are Call a service EdDSA SVK:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the TOEPP path for the lifetime of SSP the API call. DH Private API Input via RAM / All SSPs are Call a service DH Public:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the KDF Secret:Used to TOEPP path for the lifetime of SSP establish the API call.

Page 75

Name Input - Storage Storage Duration Zeroization Related SSPs Output EC DH Private API Input via RAM / All SSPs are Call a service EC DH Public:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the KDF Secret:Used to TOEPP path for the lifetime of SSP establish the API call. RSA KAK API Input via RAM / All SSPs are Call a service RSA KAK Private TOEPP path DRAM:Plaintext temporarily stored. that creates Public:Paired With API Output via Storage duration is or uses the KDF Secret:Used to TOEPP path for the lifetime of SSP establish the API call. RSA KDK API Input via RAM / All SSPs are Call a service RSA KEK Private TOEPP path DRAM:Plaintext temporarily stored. that creates Public:Paired With API Output via Storage duration is or uses the Generic TOEPP path for the lifetime of SSP Secret:Unwraps the API call. HMAC Key API Input via RAM / All SSPs are Call a service TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. KMAC Key API Input via RAM / All SSPs are Call a service TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. KDF Secret API Input via RAM / All SSPs are Call a service DH Private:Derived TOEPP path DRAM:Plaintext temporarily stored. that creates From API Output via Storage duration is or uses the DH Public:Derived TOEPP path for the lifetime of SSP From the API call. EC DH Private:Derived From EC DH Public:Derived From RSA KAK Private:Derived From RSA KAK

Page 76

Name Input - Storage Storage Duration Zeroization Related SSPs Output Public:Derived From Generic Secret:Used to derive DSA SVK API Input via RAM / All SSPs are Call a service TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. ECDSA SVK API Input via RAM / All SSPs are Call a service ECDSA SGK:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the TOEPP path for the lifetime of SSP the API call. RSA SVK API Input via RAM / All SSPs are Call a service RSA SGK:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the TOEPP path for the lifetime of SSP the API call. EdDSA SVK API Input via RAM / All SSPs are Call a service EdDSA SGK:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the TOEPP path for the lifetime of SSP the API call. DH Public API Input via RAM / All SSPs are Call a service DH Private:Paired TOEPP path DRAM:Plaintext temporarily stored. that creates With API Output via Storage duration is or uses the KDF Secret:Used to TOEPP path for the lifetime of SSP establish the API call. EC DH Public API Input via RAM / All SSPs are Call a service EC DH TOEPP path DRAM:Plaintext temporarily stored. that creates Private:Paired With API Output via Storage duration is or uses the KDF Secret:Used to TOEPP path for the lifetime of SSP establish the API call. RSA KAK API Input via RAM / All SSPs are Call a service RSA KAK Public TOEPP path DRAM:Plaintext temporarily stored. that creates Private:Paired With Storage duration is

Page 77

Name Input - Storage Storage Duration Zeroization Related SSPs Output API Output via for the lifetime of or uses the KDF Secret:Used to TOEPP path the API call. SSP establish RSA KEK API Input via RAM / All SSPs are Call a service RSA KDK Public TOEPP path DRAM:Plaintext temporarily stored. that creates Private:Paired With API Output via Storage duration is or uses the Generic TOEPP path for the lifetime of SSP Secret:Wraps the API call. ECDSA SVK API Input via RAM / All SSPs are Call a service (Legacy) TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. RSA SVK API Input via RAM / All SSPs are Call a service (Legacy) TOEPP path DRAM:Plaintext temporarily stored. that creates Storage duration is or uses the for the lifetime of SSP the API call. Table 17: SSP Table 2

9.5 Transitions

All algorithms implemented by the module are approved for FIPS 140-3 and their approval status will not be impacted by the transitions specified below. The information below provides context for the algorithms not supported by the module due to algorithm transitions. Refer also to Security Policy Section 2.7 - Algorithm Specific Information. After December 31, 2023, Triple-DES transitioned to non-approved (refer to SP 800-131Ar2.). After December 31, 2023, the following functionality remains approved for legacy use. Because this functionality remains approved, this is the only Triple-DES functionality supported by the module.

Page 78
Page 79
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Method Test Type Indicator Details Test Properties HMAC-SHA2- HMAC-SHA- Compare to SW/FW The Module State (queried via Show Verify

256 (A4593) 256 (Cert. pre-computed Integrity Status) changes to Running

A4593) HMAC (FIPS_STATE_RUNNING) HMAC-SHA2- HMAC-SHA- Compare to SW/FW The Module State (queried via Show Verify

256 (A5173) 256 (Cert. pre-computed Integrity Status) changes to Running

A5173) HMAC (FIPS_STATE_RUNNING) Table 18: Pre-Operational Self-Tests The module only performs one pre-operational self-test, which is the software/firmware integrity test. The module does not implement any other pre-operational self-tests, including pre-operational selftests for bypass or critical functions, because the module does not implement corresponding functions. The pre-operational self-tests are executed automatically by the Module Initialization service when the module is powered on. Automatic execution of the pre-operational self-tests relies on use of the default entry point (DEP); no operator intervention is required. For the pre-operational self-tests, the module performs an HMAC-SHA-256 CAST, and then verifies the integrity of the runtime executable using a HMAC-SHA-256 digest computed at build time. If the digests match, the CAST tests are then performed. The integrity technique (HMAC-SHA-256) has received CAVP certificates A4593 and A5173. Note, please refer also to the HMAC-SHA-256 CAST, which is performed before the pre-operational software integrity test.

10.2 Conditional Self-Tests

The module mainly performs two types of conditional self-tests, which are Cryptographic Algorithm SelfTests (CASTs) and Pairwise Consistency Tests (PCTs). The module also performs one critical function test for AES-XTS, per IG C.I. The module does not implement any other conditional self-tests, including conditional self-tests for software/firmware loading, manual entry, or bypass, because the module does not implement corresponding functions. The CAST tests below are executed automatically by the Module Initialization service when the module is powered on. Automatic execution of the CASTs relies on use of the default entry point (DEP); no operator intervention is required.

Page 80

The CASTs execute before the module transitions to the operational state. If the CASTs are successful, the Module State (queried via Show Status) is updated to indicate that the module is in the Running state (FIPS_STATE_RUNNING). All other conditional self-tests are executed when the relevant condition occurs, as specified in the table below. Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d AES-GCM 256-bit AES KAT CAST The Module State Authenticate Initialisation Authenticate (queried via Show d Encrypt d Encrypt Status) changes to (forward KAT (Forward Running cipher) Cipher) (FIPS_STATE_RUNNIN (A4593) G) AES-GCM 256-bit AES KAT CAST The Module State Authenticate Initialisation Authenticate (queried via Show d Encrypt d Encrypt Status) changes to (forward KAT (Forward Running cipher) Cipher) (FIPS_STATE_RUNNIN (A5173) G) AES-GCM 256-bit AES KAT CAST The Module State Decrypt Initialisation Decrypt KAT (queried via Show (forward (Forward Status) changes to cipher) Cipher) Running (A4593) (FIPS_STATE_RUNNIN G) AES-GCM 256-bit AES KAT CAST The Module State Decrypt Initialisation Decrypt KAT (queried via Show (forward (Forward Status) changes to cipher) Cipher) Running (A5173) (FIPS_STATE_RUNNIN G) AES-ECB 256-bit AES KAT CAST The Module State Decrypt Initialisation Decrypt KAT changes to Running (inverse (Inverse cipher) Cipher) (A4593)

Page 81

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d AES-ECB 256-bit AES KAT CAST The Module State Decrypt Initialisation Decrypt KAT changes to Running (inverse (Inverse cipher) Cipher) (A5173) Counter 128-bit AES with KAT CAST The Module State Instantiate, Initialisation DRBG df changes to Running Reseed, (A4593) Generate (per IG 10.3.A,

  1. Counter 128-bit AES with KAT CAST The Module State Instantiate, Initialisation DRBG df changes to Running Reseed, (A5173) Generate (per IG 10.3.A,
  2. Hash DRBG SHA-256 KAT CAST The Module State Instantiate, Initialisation (A4593) changes to Running Reseed, Generate (per IG 10.3.A,
  3. Hash DRBG SHA-256 KAT CAST The Module State Instantiate, Initialisation (A5173) changes to Running Reseed, Generate (per IG 10.3.A,
  4. HMAC DRBG HMAC-SHA-1 KAT CAST The Module State Instantiate, Initialisation (A4593) changes to Running Reseed, Generate (per IG 10.3.A,
  5. HMAC DRBG HMAC-SHA-1 KAT CAST The Module State Instantiate, Initialisation (A5173) changes to Running Reseed, Generate (per IG 10.3.A, 6)
Page 82

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d KDF ANS 9.42 SHA-1 KAT CAST The Module State Derive Initialisation (A4593) changes to Running KDF ANS 9.42 SHA-1 KAT CAST The Module State Derive Initialisation (A5173) changes to Running KDF ANS 9.63 SHA-256 KAT CAST The Module State Derive Initialisation (A4593) changes to Running KDF ANS 9.63 SHA-256 KAT CAST The Module State Derive Initialisation (A5173) changes to Running KDF SSH SHA-1 KAT CAST The Module State Derive Initialisation (A4593) changes to Running KDF SSH SHA-1 KAT CAST The Module State Derive Initialisation (A5173) changes to Running TLS v1.2 KDF HMAC-SHA-256 KAT CAST The Module State Derive Initialisation RFC7627 changes to Running (A4593) TLS v1.2 KDF HMAC-SHA-256 KAT CAST The Module State Derive Initialisation RFC7627 changes to Running (A5173) TLS v1.3 KDF SHA-256 KAT CAST The Module State Derive Initialisation (A4593) changes to Running TLS v1.3 KDF SHA-256 KAT CAST The Module State Derive Initialisation (A5173) changes to Running DSA Verify 2048, SHA-256 KAT CAST The Module State Verify Initialisation (A4593) changes to Running DSA Verify 2048, SHA-256 KAT CAST The Module State Verify Initialisation (A5173) changes to Running ECDSA Sign P-224, SHA-512 KAT CAST The Module State Sign Initialisation KAT for Prime changes to Running Curves (A4593)

Page 83

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d ECDSA Sign P-224, SHA-512 KAT CAST The Module State Sign Initialisation KAT for Prime changes to Running Curves (A5173) ECDSA Sign K-233, SHA-512 KAT CAST The Module State Sign Initialisation KAT for changes to Running Binary Curves (A4593) ECDSA Sign K-233, SHA-512 KAT CAST The Module State Sign Initialisation KAT for changes to Running Binary Curves (A5173) ECDSA Sign brainpoolP224r KAT CAST The Module State Sign Initialisation KAT for 1, SHA-512 changes to Running Brainpool Curves (A4593) ECDSA Sign brainpoolP224r KAT CAST The Module State Sign Initialisation KAT for 1, SHA-512 changes to Running Brainpool Curves (A5173) ECDSA Verify P-224, SHA-512 KAT CAST The Module State Verify Initialisation KAT for Prime changes to Running Curves (A4593) ECDSA Verify P-224, SHA-512 KAT CAST The Module State Verify Initialisation KAT for Prime changes to Running Curves (A5173) ECDSA Verify K-233, SHA-512 KAT CAST The Module State Verify Initialisation KAT for changes to Running Binary Curves (A4593)

Page 84

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d ECDSA Verify K-233, SHA-512 KAT CAST The Module State Verify Initialisation KAT for changes to Running Binary Curves (A5173) ECDSA Verify brainpoolP224r KAT CAST The Module State Verify Initialisation KAT for 1, SHA-512 changes to Running Brainpool Curves (A4593) ECDSA Verify brainpoolP224r KAT CAST The Module State Verify Initialisation KAT for 1, SHA-512 changes to Running Brainpool Curves (A5173) EDDSA Sign Ed25519 KAT CAST The Module State Sign Initialisation KAT for changes to Running Ed25519 (A4593) EDDSA Sign Ed25519 KAT CAST The Module State Sign Initialisation KAT for changes to Running Ed25519 (A5173) EDDSA Sign Ed448 KAT CAST The Module State Sign Initialisation KAT for changes to Running Ed448 (A4593) EDDSA Sign Ed448 KAT CAST The Module State Sign Initialisation KAT for changes to Running Ed448 (A5173) EDDSA Verify Ed25519 KAT CAST The Module State Verify Initialisation KAT for changes to Running Ed25519 (A4593)

Page 85

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d EDDSA Verify Ed25519 KAT CAST The Module State Verify Initialisation KAT for changes to Running Ed25519 (A5173) EDDSA Verify Ed448 KAT CAST The Module State Verify Initialisation KAT for changes to Running Ed448 (A4593) EDDSA Verify Ed448 KAT CAST The Module State Verify Initialisation KAT for changes to Running Ed448 (A5173) HMAC-SHA2- HMAC-SHA-256 KAT CAST The Module State Verify Initialisation

256 (A4593) changes to Running , performed

before preoperational integrity test HMAC-SHA2- HMAC-SHA-256 KAT CAST The Module State Verify Initialisation

256 (A5173) changes to Running , performed

before preoperational integrity test KAS-ECC-SSC P-256 KAT CAST The Module State Verify Initialisation Sp800-56Ar3 changes to Running computation (A4593) of shared secret Z in Ephemeral Unified scheme, per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3

Page 86

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d KAS-ECC-SSC P-256 KAT CAST The Module State Verify Initialisation Sp800-56Ar3 changes to Running computation (A5173) of shared secret Z in Ephemeral Unified scheme, per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3 KAS-FFC-SSC FB (2048, 224) KAT CAST The Module State Verify Initialisation Sp800-56Ar3 changes to Running computation (A4593) of shared secret Z in dhEphem scheme, per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3 KAS-FFC-SSC FB (2048, 224) KAT CAST The Module State Verify Initialisation Sp800-56Ar3 changes to Running computation (A5173) of shared secret Z in dhEphem scheme, per Scenario 2 of IG D.F and Section 6 of SP 800-56Ar3 KAS-IFC-SSC 2048-bit key KAT CAST The Module State RSA Primitive Initialisation (A4593) changes to Running Computation, per Scenario

1 of IG D.F
8.2.2 in SP
Page 87

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d KAS-IFC-SSC 2048-bit key KAT CAST The Module State RSA Primitive Initialisation (A5173) changes to Running Computation, per Scenario

1 of IG D.F
8.2.2 in SP

800-56Br2 KDA OneStep SHA-224 KAT CAST The Module State Derive Initialisation SP800-56Cr2 changes to Running (A4593) KDA OneStep SHA-224 KAT CAST The Module State Derive Initialisation SP800-56Cr2 changes to Running (A5173) KDA TwoStep SHA-256 KAT CAST The Module State Derive Initialisation SP800-56Cr2 changes to Running (A4593) KDA TwoStep SHA-256 KAT CAST The Module State Derive Initialisation SP800-56Cr2 changes to Running (A5173) KDF SP800- Counter Mode KAT CAST The Module State Derive Initialisation

108 (A4593) with HMAC- changes to Running

SHA-256 KDF SP800- Counter Mode KAT CAST The Module State Derive Initialisation

108 (A5173) with HMAC- changes to Running

SHA-256 KTS-IFC 2048-bit key KAT CAST The Module State Encrypt for Initialisation Encrypt KAT changes to Running KTS-OAEPfor KTS- Basic, per IG OAEP-Basic D.G and SP (A4593) 800-56Br2 KTS-IFC 2048-bit key KAT CAST The Module State Encrypt for Initialisation Encrypt KAT changes to Running KTS-OAEPfor KTS- Basic, per IG OAEP-Basic D.G and SP (A5173) 800-56Br2

Page 88

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d KTS-IFC 2048-bit key KAT CAST The Module State Decrypt for Initialisation Decrypt KAT changes to Running KTS-OAEPfor KTS- Basic, per IG OAEP-Basic D.G and SP (A4593) 800-56Br2 KTS-IFC 2048-bit key KAT CAST The Module State Decrypt for Initialisation Decrypt KAT changes to Running KTS-OAEPfor KTS- Basic, per IG OAEP-Basic D.G and SP (A5173) 800-56Br2 KTS-IFC 2048-bit key KAT CAST The Module State Decrypt for Initialisation Decrypt KAT changes to Running CRT, per IG for CRT D.G and SP (A4593) 800-56Br2 KTS-IFC 2048-bit key KAT CAST The Module State Decrypt for Initialisation Decrypt KAT changes to Running CRT, per IG for CRT D.G and SP (A5173) 800-56Br2 PBKDF HMAC-SHA-1 KAT CAST The Module State Derivation of Initialisation (A4593) changes to Running the Master Key (MK), per Section 5.3 of SP 800-132 PBKDF HMAC-SHA-1 KAT CAST The Module State Derivation of Initialisation (A5173) changes to Running the Master Key (MK), per Section 5.3 of SP 800-132 RSA Sign KAT 2048-bit key, KAT CAST The Module State Sign Initialisation (A4593) SHA-256, changes to Running PKCS#1 RSA Sign KAT 2048-bit key, KAT CAST The Module State Sign Initialisation (A5173) SHA-256, changes to Running PKCS#1

Page 89

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d RSA Verify 2048-bit key, KAT CAST The Module State Verify Initialisation KAT (A4593) SHA-256, changes to Running PKCS#1 RSA Verify 2048-bit key, KAT CAST The Module State Verify Initialisation KAT (A5173) SHA-256, changes to Running PKCS#1 SHA3 KAT for SHA3-256 KAT CAST The Module State Hash Initialisation Keccak-p changes to Running Permutation (A4593) SHA3 KAT for SHA3-256 KAT CAST The Module State Hash Initialisation Keccak-p changes to Running Permutation (A5173) SHA-1 SHA-1 KAT CAST The Module State Hash Initialisation (A4593) changes to Running SHA-1 SHA-1 KAT CAST The Module State Hash Initialisation (A5173) changes to Running SHA2-512 SHA-512 KAT CAST The Module State Hash Initialisation (A4593) changes to Running SHA2-512 SHA-512 KAT CAST The Module State Hash Initialisation (A5173) changes to Running TDES-CBC CBC mode, 3- KAT CAST The Module State Decrypt Initialisation (A4593) key changes to Running TDES-CBC CBC mode, 3- KAT CAST The Module State Decrypt Initialisation (A5173) key changes to Running DSA (FFC) All supported PCT PCT Return value for the Sign/Verify Key Pair PCT for Key parameters for relevant API call (i.e. for Key Generation, Agreement KAS-FFC for key pair generation Agreement, Key Pair (A4593) or key pair import): 1 per Import for success, 0 for VE10.35.03 failure

Page 90

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d DSA (FFC) All supported PCT PCT Return value for the Sign/Verify Key Pair PCT for Key parameters for relevant API call (i.e. for Key Generation, Agreement KAS-FFC for key pair generation Agreement, Key Pair (A5173) or key pair import): 1 per Import for success, 0 for VE10.35.03 failure ECC PCT for All supported PCT PCT Return value for the Sign/Verify Key Pair Key Pair curves relevant API call (i.e. for Digital Generation Generation for key pair Signatures, (A4593) generation): 1 for per success, 0 for failure VE10.35.02. At the time of key pair generation, the keys' intended usage is not known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. ECC PCT for All supported PCT PCT Return value for the Sign/Verify Key Pair Key Pair curves relevant API call (i.e. for Digital Generation Generation for key pair Signatures, (A5173) generation): 1 for per success, 0 for failure VE10.35.02. At the time of key pair generation, the keys' intended usage is not

Page 91

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. ECC PCT for All supported PCT PCT Return value for the Sign/Verify Key Pair Key Pair curves relevant API call (i.e. for Key Import Import for key pair import): 1 Agreement, (A4593) for success, 0 for per failure VE10.35.03. At the time of key pair import, the keys' intended usage is not known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable ECC PCT for All supported PCT PCT Return value for the Sign/Verify Key Pair Key Pair curves relevant API call (i.e. for Key Import Import for key pair import): 1 Agreement, (A5173) for success, 0 for per failure VE10.35.03.

Page 92

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d At the time of key pair import, the keys' intended usage is not known (key pairs may be used for digital signatures or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable EdDSA PCT All supported PCT PCT Return value for the Sign/Verify Key Pair (A4593) curves relevant API call (i.e. for Digital Generation, (Ed25519, for key pair generation Signatures, Key Pair Ed448) or key pair import): 1 per Import for success, 0 for VE10.35.02. failure EdDSA keys can only be used for digital signatures. EdDSA PCT All supported PCT PCT Return value for the Sign/Verify Key Pair (A5173) curves relevant API call (i.e. for Digital Generation, (Ed25519, for key pair generation Signatures, Key Pair Ed448) or key pair import): 1 per Import for success, 0 for VE10.35.02. failure EdDSA keys can only be used for digital signatures.

Page 93

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d RSA PCT All supported PCT PCT Return value for the Sign/Verify Key Pair (A4593) moduli relevant API call (i.e. for Key Generation, for key pair generation Agreement, Key Pair or key pair import): 1 per Import for success, 0 for VE10.35.03. failure At the time of key pair generation or import, the keys' intended usage is not known (key pairs may be used for key transport, digital signatures, or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. RSA PCT All supported PCT PCT Return value for the Sign/Verify Key Pair (A5173) moduli relevant API call (i.e. for Key Generation, for key pair generation Agreement, Key Pair or key pair import): 1 per Import for success, 0 for VE10.35.03. failure At the time of key pair generation or import, the keys' intended usage is not known (key pairs may be used for key transport,

Page 94

Algorithm or Test Properties Test Test Indicator Details Conditions Test Metho Type d digital signatures, or key agreement); per IG 10.3.A comment 1, any of the AS10.35 PCTs is acceptable. AES-XTS Key All supported Other Critical Return value for the Test that Symmetric Test (A4593) sizes (128-bit, Functio relevant API call (i.e. Key_1 Encryption/ 256-bit) n for symmetric Key_2, per IG Decryption encryption/decryption C.I with AES-XTS): 1 for success, 0 for failure AES-XTS Key All supported Other Critical Return value for the Test that Symmetric Test (A5173) sizes (128-bit, Functio relevant API call (i.e. Key_1 Encryption/ 256-bit) n for symmetric Key_2, per IG Decryption encryption/decryption C.I with AES-XTS): 1 for success, 0 for failure Table 19: Conditional Self-Tests

10.3 Periodic Self-Test Information

The module provides several methods for the operator to perform periodic self-tests on demand. Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Compare to pre- SW/FW Integrity On demand. It is Pre-Operational (A4593) computed HMAC recommended to Periodic tests are run the periodic called by power tests at least cycling the module, annually. calling the Integrity Test service, or calling the Self-Test service (which calls the module's

Page 95

Algorithm or Test Test Method Test Type Period Periodic Method integrity test and all CASTs). HMAC-SHA2-256 Compare to pre- SW/FW Integrity On demand. It is Pre-Operational (A5173) computed HMAC recommended to Periodic tests are run the periodic called by power tests at least cycling the module, annually. calling the Integrity Test service, or calling the Self-Test service (which calls the module's integrity test and all CASTs). Table 20: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM KAT CAST On demand. It is Conditional Periodic Authenticated recommended to tests are called by Encrypt KAT run the periodic power cycling the (Forward Cipher) tests at least module or calling (A4593) annually. the Self-Test service (which calls the module's integrity test and all CASTs). AES-GCM KAT CAST On demand. It is Conditional Periodic Authenticated recommended to tests are called by Encrypt KAT run the periodic power cycling the (Forward Cipher) tests at least module or calling (A5173) annually. the Self-Test service (which calls the module's integrity test and all CASTs). AES-GCM Decrypt KAT CAST On demand. It is Conditional Periodic KAT (Forward recommended to tests are called by Cipher) (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 96

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). AES-GCM Decrypt KAT CAST On demand. It is Conditional Periodic KAT (Forward recommended to tests are called by Cipher) (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). AES-ECB Decrypt KAT CAST On demand. It is Conditional Periodic KAT (Inverse Cipher) recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). AES-ECB Decrypt KAT CAST On demand. It is Conditional Periodic KAT (Inverse Cipher) recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). Counter DRBG KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). Counter DRBG KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 97

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). Hash DRBG (A4593) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). Hash DRBG (A5173) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). HMAC DRBG KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). HMAC DRBG KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDF ANS 9.42 KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 98

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). KDF ANS 9.42 KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDF ANS 9.63 KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDF ANS 9.63 KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDF SSH (A4593) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDF SSH (A5173) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 99

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). TLS v1.2 KDF KAT CAST On demand. It is Conditional Periodic RFC7627 (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). TLS v1.2 KDF KAT CAST On demand. It is Conditional Periodic RFC7627 (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). TLS v1.3 KDF KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). TLS v1.3 KDF KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). DSA Verify (A4593) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 100

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). DSA Verify (A5173) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Prime Curves recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Prime Curves recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Binary Curves recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Binary Curves recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 101

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). ECDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Brainpool Curves recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Brainpool Curves recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Prime Curves recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Prime Curves recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Binary Curves recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 102

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). ECDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Binary Curves recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Brainpool recommended to tests are called by Curves (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). ECDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Brainpool recommended to tests are called by Curves (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). EDDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Ed25519 (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). EDDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Ed25519 (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 103

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). EDDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Ed448 (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). EDDSA Sign KAT for KAT CAST On demand. It is Conditional Periodic Ed448 (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). EDDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Ed25519 recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). EDDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Ed25519 recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). EDDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Ed448 (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 104

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). EDDSA Verify KAT KAT CAST On demand. It is Conditional Periodic for Ed448 (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). HMAC-SHA2-256 KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). HMAC-SHA2-256 KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KAS-ECC-SSC Sp800- KAT CAST On demand. It is Conditional Periodic 56Ar3 (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KAS-ECC-SSC Sp800- KAT CAST On demand. It is Conditional Periodic 56Ar3 (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 105

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). KAS-FFC-SSC Sp800- KAT CAST On demand. It is Conditional Periodic 56Ar3 (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KAS-FFC-SSC Sp800- KAT CAST On demand. It is Conditional Periodic 56Ar3 (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KAS-IFC-SSC KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KAS-IFC-SSC KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDA OneStep KAT CAST On demand. It is Conditional Periodic SP800-56Cr2 recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 106

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). KDA OneStep KAT CAST On demand. It is Conditional Periodic SP800-56Cr2 recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDA TwoStep KAT CAST On demand. It is Conditional Periodic SP800-56Cr2 recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDA TwoStep KAT CAST On demand. It is Conditional Periodic SP800-56Cr2 recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDF SP800-108 KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KDF SP800-108 KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 107

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). KTS-IFC Encrypt KAT KAT CAST On demand. It is Conditional Periodic for KTS-OAEP-Basic recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KTS-IFC Encrypt KAT KAT CAST On demand. It is Conditional Periodic for KTS-OAEP-Basic recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KTS-IFC Decrypt KAT KAT CAST On demand. It is Conditional Periodic for KTS-OAEP-Basic recommended to tests are called by (A4593) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KTS-IFC Decrypt KAT KAT CAST On demand. It is Conditional Periodic for KTS-OAEP-Basic recommended to tests are called by (A5173) run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). KTS-IFC Decrypt KAT KAT CAST On demand. It is Conditional Periodic for CRT (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 108

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). KTS-IFC Decrypt KAT KAT CAST On demand. It is Conditional Periodic for CRT (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). PBKDF (A4593) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). PBKDF (A5173) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). RSA Sign KAT KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). RSA Sign KAT KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 109

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). RSA Verify KAT KAT CAST On demand. It is Conditional Periodic (A4593) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). RSA Verify KAT KAT CAST On demand. It is Conditional Periodic (A5173) recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). SHA3 KAT for KAT CAST On demand. It is Conditional Periodic Keccak-p recommended to tests are called by Permutation run the periodic power cycling the (A4593) tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). SHA3 KAT for KAT CAST On demand. It is Conditional Periodic Keccak-p recommended to tests are called by Permutation run the periodic power cycling the (A5173) tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). SHA-1 (A4593) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 110

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). SHA-1 (A5173) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). SHA2-512 (A4593) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). SHA2-512 (A5173) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). TDES-CBC (A4593) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the module's integrity test and all CASTs). TDES-CBC (A5173) KAT CAST On demand. It is Conditional Periodic recommended to tests are called by run the periodic power cycling the tests at least module or calling annually. the Self-Test service (which calls the

Page 111

Algorithm or Test Test Method Test Type Period Periodic Method module's integrity test and all CASTs). DSA (FFC) PCT for PCT PCT Key Agreement (A4593) DSA (FFC) PCT for PCT PCT Key Agreement (A5173) ECC PCT for Key Pair PCT PCT Generation (A4593) ECC PCT for Key Pair PCT PCT Generation (A5173) ECC PCT for Key Pair PCT PCT Import (A4593) ECC PCT for Key Pair PCT PCT Import (A5173) EdDSA PCT (A4593) PCT PCT EdDSA PCT (A5173) PCT PCT RSA PCT (A4593) PCT PCT RSA PCT (A5173) PCT PCT AES-XTS Key Test Other Critical Function (A4593) AES-XTS Key Test Other Critical Function (A5173) Table 21: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Method Indicator FIPS_STATE_ERROR The module has Pre- Restart the module Module State (queried entered an error operational via Show Status) state. All self-test cryptographic failure CAST

Page 112

Name Description Conditions Recovery Method Indicator APIs will return self-test changes to Error an error when failure (FIPS_STATE_ERROR) called. Temporary Error The module Conditional The module will reject the The return value for the enters a PCT test tested key or key pair and relevant API call (i.e. for temporary error failure then return automatically key pair generation, key state when a PCT Conditional to the Running state pair import, or test fails or when AES-XTS (FIPS_STATE_RUNNING). symmetric encryption/ the AES-XTS critical decryption with AEScritical function function test XTS) returns 0 for test fails. Keys failure failure that fail the tests are disabled and the module returns to the Running state. Table 22: Error States The module supports two error states, both triggered by failures of the module’s self-tests. The module must be restarted to recover from a failure of the pre-operational or CAST self-test, but it recovers automatically from a failure in the other conditional self-tests.

10.5 Operator Initiation of Self-Tests

Self-tests can be called on demand using the Self-Test service. This service calls the module’s integrity test and all CASTs (i.e. KATs). PCTs are not called by this service; PCTs are only called under the conditions specified in Section 10.2 - Conditional Self-Tests. The integrity test is automatically called as part of the Pre-Operational Self-Tests and can also be manually called by the Integrity Test service (or the Self-Test service).

Page 113
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is only provided to the end user in the form of a compiled binary file. Its source code is not provided. The module is provided to the end user by the vendor as a binary archive and an associated hash value. The end user should validate the integrity of the binary archive against the SHA-256 hash value provided with the binary archive. If the integrity value for the archive is correct, the archive should be extracted, and the binaries should be installed. The module is a FIPS-validated cryptographic provider for use by OpenSSL 3.x. OpenSSL 3.x should be installed per its documentation prior to module installation. The FIPS module may be installed using the following procedure:

  1. If the module is provided as a dynamic library: a. Copy the module binary and configuration files to the OpenSSL Provider Directory, e.g. [OPENSSL_INSTALL_LOCATION]/lib/ossl-modules/
  2. If the module is provided as a static library: a. Copy the module library archive and configuration file to the OpenSSL directory, e.g. [OPENSSL_INSTALL_LOCATION]/lib/ and [OPENSSL_INSTALL_LOCATION]/conf/
  3. If the module is provided as part of an XCFramework bundle: a. Integrate the module framework into an XCode application and install the application on an iOS device. b. Note, when provided as a XCFramework bundle (fips.xcframework), the OpenSSL framework (openssl.xcframework) should also be integrated into the application project. The OpenSSL framework is a general implementation of the OpenSSL 3.x API (common and crypto).
  4. To initialize and start up the module, use the OSSL_PROVIDER_load API call from OpenSSL. An example is specified below: int main(int argc, char **argv) { OSSL_PROVIDER *fips_provider; fips_provider = OSSL_PROVIDER_load(NULL, "fips"); if (fips_provider == NULL) { printf("Could not load FIPS provider\n"); return 1; } printf("Provider %s loaded \n", OSSL_PROVIDER_get0_name(fips_provider)); //Execute commands for the FIPS module if (fips_provider != NULL) OSSL_PROVIDER_unload(fips_provider);
Page 114

return 0; } The Module Initialization service is executed when the module is powered on. After the module starts up, the operator should confirm that the module outputs the Approved mode status indicator (refer to Security Policy Section 2.4 - Modes of Operation) and verify the module’s version using the “Output ID/ Version Information (Show Version)” service (refer to Security Policy Section 4.3 - Approved Services).

11.2 Administrator Guidance

Additional administrator guidance is provided separately in other operator documentation, including the User Manual.

11.3 Non-Administrator Guidance

If the module power is lost and restored, the operator shall establish a new key for use with AES-GCM encryption/decryption. Refer also to Security Policy Section 2.7.1 - AES-GCM (IG C.H conformance). Additional guidance is provided separately in other operator documentation, including the User Manual.

11.4 Design and Rules

The module is designed to meet the applicable requirements of FIPS 140-3. The module initializes when powered on, then performs the pre-operational self-tests and CASTs as specified in Security Policy Section 10 - Self-Tests. After successfully passing these self-tests, the module automatically transitions to the operational state and awaits service requests.

11.5 End of Life

The vendor documentation (User Guide) specifies the procedures for the removal of the FIPS module and secure sanitization of the device that the module was installed on.

Page 115
12 Mitigation of Other Attacks
12.1 Attack List

The module implements two types of mitigations of other attacks, which are constant-time implementations and numeric blinding. Constant-time implementations protect cryptographic implementations in the module against timing analysis. With this mitigation, variations in execution time cannot be traced back to an SSP, key, or secret data. Numeric Blinding protects RSA, DSA, and ECDSA from timing attacks, where attackers measure the time of signature operations or RSA decryption. To mitigate this attack, the module generates a random blinding factor that is provided as an input to the decryption/signature operation and is discarded once the operation has completed. With this mitigation, the execution time cannot be correlated to the RSA, DSA, or ECDSA key via a timing attack because the attacker does not know the blinding factor.

12.2 Mitigation Effectiveness

These mitigations should make the timing of the encryption, decryption, and signing operations independent of the key material or the input data. This should prevent an attacker from recovering information by measuring the timing of these operations.

12.3 Guidance and Constraints

While the module implements countermeasures to prevent timing analysis and timing attacks, other side-channel attacks may be possible. As a Level 1, software-based module, the module is limited in its ability to prevent access at the hardware level; power analysis attacks may be possible for an attacker with physical access. Users of software-based modules should be aware of these limitations and incorporate this information into their threat model.