All modules
CMVP Validated Module · FIPS 140-3 Security Policy

F5OS-A Cryptographic Module

Certificate#5045StandardFIPS 140-3Level2TypeFirmwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorF5, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 12 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeFirmware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/22/2030
CaveatWhen operated in approved mode and when installed, initialized, and configured as specified in Section 11 of the Security Policy with tamper evident labels contained in F5-ADD-BIG-FIPS140 kit and installed as indicated in the Security Policy section 7.
VendorF5, Inc.

Approved Algorithms (53)

AlgorithmACVP Cert
AES-CBCA4985
AES-CTRA4985
AES-ECBA4985
AES-GCMA4985
AES-GMACA4985
Counter DRBGA4985
ECDSA KeyGen (FIPS186-5)A4985
ECDSA KeyVer (FIPS186-5)A4985
ECDSA SigGen (FIPS186-5)A4985
ECDSA SigVer (FIPS186-5)A4985
HMAC-SHA-1A4985
HMAC-SHA2-256A4985
HMAC-SHA2-384A4985
KAS-ECC-SSC Sp800- 56Ar3A4985
KDF SSH (CVL)A4985
RSA KeyGen (FIPS186- 5)A4985
RSA SigGen (FIPS186- 5)A4985
RSA SigVer (FIPS186-5)A4985
SHA-1A4985
SHA2-256A4985
SHA2-384A4985
TLS v1.2 KDF RFC7627 (CVL)A4985
AES-GCM (A4985)
AES-GCM (A5261)
AES-ECB (A4985)
AES-ECB (A5261)
RSA SigGen (FIPS186-5) (A4985)
RSA SigGen (FIPS186-5) (A5261)
RSA SigVer (FIPS186-5) (A4985)
RSA SigVer (FIPS186-5) (A5261)
ECDSA SigGen (FIPS186-5) (A4985)
ECDSA SigGen (FIPS186-5) (A5261)
ECDSA SigVer (FIPS186-5) (A4985)
ECDSA SigVer (FIPS186-5) (A5261)
KAS-ECC- SSC Sp800- 56Ar3 (A4985)
KAS-ECC- SSC Sp800- 56Ar3 (A5261)
HMAC-SHA- 1 (A4985)
HMAC-SHA- 1 (A5261)
HMAC- SHA2-256 (A4985)
HMAC- SHA2-256 (A5261)
HMAC- SHA2-384 (A4985)
HMAC- SHA2-384 (A5261)
KDF SSH (A4985)
KDF SSH (A5261)
KDF TLS (A4985)
TLS v1.2 KDF RFC7627 (A5261)
ECDSA KeyGen (FIPS186-5) (A4985)
ECDSA KeyGen (FIPS186-5) (A5261)
RSA KeyGen (FIPS186-5) (A4985)
RSA KeyGen (FIPS186-5) (A5261)
Counter DRBG (A4985)
Counter DRBG (A5261)
Entropy Source

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for F5OS-A Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configuration</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES-CBC<br/>AES-CTR<br/>AES-ECB</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for F5OS-A Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configuration</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES-CBC<br/>AES-CTR<br/>AES-ECB</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

F5, Inc. F5, Inc. F5OS-A Cryptographic Module Module Version: 1.7.0 FIPS Security Level 2 Document Version 1.1 Last update: 05-06-2025 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com

Page 2

F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.

2 of 58
Page 3

F5OS-A Cryptographic Module Table of Contents © 2024 F5, Inc. / atsec information security.

3 of 58
Page 4

F5OS-A Cryptographic Module 11.1.1 11.1.2 © 2024 F5, Inc. / atsec information security.

4 of 58
Page 5

F5OS-A Cryptographic Module List of Tables © 2024 F5, Inc. / atsec information security.

5 of 58
Page 6

F5OS-A Cryptographic Module List of Figures © 2024 F5, Inc. / atsec information security.

6 of 58
Page 7

F5OS-A Cryptographic Module F5®, BIG-IP® are registered trademarks of F5, Inc. Intel®, Atom® and Xeon® are registered trademarks of Intel Corporation. © 2024 F5, Inc. / atsec information security.

7 of 58
Page 8
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic module specification2
33Cryptographic module interfaces2
44Roles, services, and authentication2
55Software/Firmware securityN/A
66Operational environmentN/A
77Physical security2
88Non-invasive securityN/A
99Sensitive security parameter management2
1010Self-tests2
1111Life-cycle assurance2
1212Mitigation of other attacksN/A
Overall LevelOverall Level2
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the F5OS-A Cryptographic Module with firmware version 1.7.0. The document contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 2 module.

1.2 Security Levels

N/A N/A N/A N/A Table 1: Security Levels © 2024 F5, Inc. / atsec information security.

8 of 58
Page 9
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The F5OS-A Cryptographic Module (hereafter referred to as “the module”) is a microservices-based, proprietary platform layer that provides an interface between the BIG-IP ADC and the rSeries hardware. Module Type: Firmware Module Embodiment: MultiChipStand Cryptographic Boundary: The module cryptographic boundary is defined by the red dotted line in Figure

  1. The TOEPP is defined by the tested platform listed in the Tested Operational Environments - Software, Firmware, Hybrid table and delineated by the black rectangle in Figure
  2. Figure 2 also depicts the flow of status output (SO), control input (CI), data input (DI) and data output (DO) interfaces. Description of the ports and interfaces can be found in the Ports and Interfaces table. Tested Operational Environment’s Physical Perimeter (TOEPP): The figure below shows the platform on which the module was tested. Figure 1: r12900 Platform Front View © 2024 F5, Inc. / atsec information security.
9 of 58
Page 10
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
F5OS-A1.7.0N/AF5OS-AHMAC-SHA-384
F5OS-A 1.7.0F5OS-A 1.7.0rSeries r129001.7.0Intel(R) Xeon(R) Platinum 8531N Ice Lake-SPYesN/A
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
F5OS-A1.7.0N/AF5OS-AHMAC-SHA-384
F5OS-A 1.7.0F5OS-A 1.7.0rSeries r129001.7.0Intel(R) Xeon(R) Platinum 8531N Ice Lake-SPYesN/A

F5OS-A Cryptographic Module Figure 2: Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

2.3 Excluded Components

The module does not claim any excluded components.

2.4 Modes of Operation

Modes List and Description: 4.3 © 2024 F5, Inc. / atsec information security.

10 of 58
Page 11
Service
NameDescriptionIndicatorType
Non- ApprovedAutomatically entered whenever a non-approved service is requestedEquivalent to the indicator of the requested service as defined in section 4.3Non- Approved
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA4985Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA5261Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA4985Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA5261Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4985Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA5261Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA4985Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GCMA5261Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GMACA4985Direction - Decrypt, Encrypt IV Generation - InternalSP 800-38D
AES-GMACA5261Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
Counter DRBGA4985Prediction Resistance - No, Yes Mode - AES-256 Derivation Function Enabled - No, YesSP 800-90A Rev. 1
Counter DRBGA5261Prediction Resistance - No, Yes Mode - AES-256 Derivation Function Enabled - No, YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-5)A4985Curve - P-256, P-384 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyGen (FIPS186-5)A5261Curve - P-256, P-384 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyVer (FIPS186-5)A4985Curve - P-256, P-384FIPS 186-5
ECDSA KeyVer (FIPS186-5)A5261Curve - P-256, P-384FIPS 186-5
ECDSA SigGen (FIPS186-5)A4985Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384 Component - NoFIPS 186-5
ECDSA SigGen (FIPS186-5)A5261Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384 Component - NoFIPS 186-5
ECDSA SigVer (FIPS186-5)A4985Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384FIPS 186-5
ECDSA SigVer (FIPS186-5)A5261Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384FIPS 186-5
HMAC-SHA-1A4985Key Length - Key Length: 8, 16, 64, 128, 1024FIPS 198-1
HMAC-SHA-1A5261Key Length - Key Length: 8, 16, 64, 128, 1024FIPS 198-1
HMAC-SHA2-256A4985Key Length - Key Length: 8, 16, 64, 128, 1024FIPS 198-1
HMAC-SHA2-256A5261Key Length - Key Length: 8, 16, 64, 128, 1024FIPS 198-1
HMAC-SHA2-384A4985Key Length - Key Length: 8, 16, 64, 128, 1024FIPS 198-1
HMAC-SHA2-384A5261Key Length - Key Length: 8, 16, 64, 128, 1024FIPS 198-1
KAS-ECC-SSC Sp800- 56Ar3A4985Domain Parameter Generation Methods - P- 256, P-384 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-ECC-SSC Sp800- 56Ar3A5261Domain Parameter Generation Methods - P- 256, P-384 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KDF SSH (CVL)A4985Cipher - AES-128, AES-256 Hash Algorithm - SHA2-256, SHA2-384SP 800-135 Rev. 1
KDF SSH (CVL)A5261Cipher - AES-128, AES-256 Hash Algorithm - SHA2-256, SHA2-384SP 800-135 Rev. 1
RSA KeyGen (FIPS186- 5)A4985Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standardFIPS 186-5
RSA KeyGen (FIPS186- 5)A5261Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standardFIPS 186-5
RSA SigGen (FIPS186- 5)A4985Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5FIPS 186-5
RSA SigGen (FIPS186- 5)A5261Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5FIPS 186-5
RSA SigVer (FIPS186-5)A4985Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5FIPS 186-5
RSA SigVer (FIPS186-5)A5261Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5FIPS 186-5
SHA-1A4985Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA-1A5261Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A4985Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A5261Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A4985Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A5261Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
TLS v1.2 KDF RFC7627 (CVL)A4985Hash Algorithm - SHA2-256, SHA2-384SP 800-135 Rev. 1
TLS v1.2 KDF RFC7627 (CVL)A5261Hash Algorithm - SHA2-256, SHA2-384SP 800-135 Rev. 1

F5OS-A Cryptographic Module NonApproved NonApproved 4.3 Table 4: Modes List and Description The module supports two modes of operation:

2.5 Algorithms

Approved Algorithms: © 2024 F5, Inc. / atsec information security.

11 of 58
Page 12

F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.

12 of 58
Page 13
Service
NameApproved Functions
AES-CCMSymmetric Encryption, Symmetric Decryption
AES-CFBSymmetric Encryption, Symmetric Decryption
AES-OFBSymmetric Encryption, Symmetric Decryption
AES-KWSymmetric Encryption, Symmetric Decryption
DESSymmetric Encryption, Symmetric Decryption
RC4Symmetric Encryption, Symmetric Decryption
Triple-DESSymmetric Encryption, Symmetric Decryption
SM2Symmetric Encryption, Symmetric Decryption
SM4Symmetric Encryption, Symmetric Decryption
RSA Asymmetric Encryption and DecryptionAsymmetric Encryption, Asymmetric Decryption
RSA Key Generation with modulus sizes other than 2048, and 4096-bitsKey generation
DSADomain Parameter Generation, Domain Parameter Verification, Key Pair Generation, Digital Signature Generation, Digital Signature Verification
EdDSA Signature Generation and Verification using Ed25519Digital Signature Generation, Digital Signature Verification
ECDSA Key Generation and Verification with curves other than P-256 and P-384Key Generation, Key Verification
Safe Primes Key Generation and Verification for Diffie-HellmanKey Generation, Key Verification
RSA PKCS#1 v1.5 Signature Generation and Verification using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512Digital Signature Generation, Digital Signature Verification
RSA PKCS #1 v1.5 Signature Generation and Verification with modulus other than 2048, 3072 or 4096 bits, for all SHA sizesDigital Signature Generation, Digital Signature Verification
RSA PSS Signature Generation and Verification using 2048, 3072 or 4096-bits modulusDigital Signature Generation, Digital Signature Verification
ECDSA Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizesDigital Signature Generation, Digital Signature Verification
ECDSA Signature Generation using curves P- 256 and P-384 with SHA-1, SHA2-224, SHA2- 512, SHA3Digital Signature Generation
ECDSA Signature Verification using curves P- 256 and P-384 with SHA2-224, SHA2-512, SHA3Digital Signature Verification
SHA2-224Message Digest
SHA2-512Message Digest
SM3Message Digest
MD5Message Digest
HMAC-SHA2-224Message Authentication
HMAC-SHA2-512Message Authentication
AES-CMACMessage Authentication
Triple-DESMessage Authentication
Diffie-Hellman using all Diffie-Hellman GroupsKey Agreement
EC Diffie-Hellman using curves other than P- 256 and P-384Key Agreement
EC Diffie-Hellman using curves P-256 and P- 384 Static Unified and OnePassDh schemesKey Agreement
TLS KDF using MD5, SHA-1, SHA2-224, SHA2- 512, SHA3Key Derivation
SNMP KDFKey Derivation
IKEv1 KDFKey Derivation
IKEv2 KDFKey Derivation

F5OS-A Cryptographic Module 5) 5) 5) 5) Table 5: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2024 F5, Inc. / atsec information security.

13 of 58
Page 14

F5OS-A Cryptographic Module Table 6: Non-Approved, Not Allowed Algorithms © 2024 F5, Inc. / atsec information security.

14 of 58
Page 15
Service
NameDescriptionApproved FunctionsTypeProperties
AES-CBCEncryption/DecryptionAES-CBC: (A4985, A5261)BC-UnAuthKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength
AES-CTREncryption/DecryptionAES-CTR: (A4985, A5261)BC-UnAuthKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength
AES-ECBEncryption/DecryptionAES-ECB: (A4985, A5261)BC-UnAuthKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength
AES-GCM (Authenticated Encryption/Decryption)Authenticated Encryption/Authenticated DecryptionAES-GCM: (A4985, A5261)BC-AuthKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength
AES-GMACMessage authentication code (MAC)AES-GMAC: (A4985, A5261)MACKeys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength
AES-GCM (Key Wrapping/Unwrapping)Key Wrapping, Key UnwrappingAES-GCM: (A4985, A5261)KTS-WrapKeys:128, 256-bit keys with 128 and 256 bits of key strength Compliance:Compliant with IG D.G
AES-CBC with HMACKey Wrapping, Key UnwrappingAES-CBC: (A4985, A5261) HMAC-SHA2- 256: (A4985, A5261) HMAC-SHA2- 384: (A4985, A5261)KTS-WrapKeys:128, 256-bit keys with 128 and 256 bits of key strength
Counter DRBGRandom Number GenerationCounter DRBG: (A4985, A5261)DRBGCompliance:Compliant with SP800-90ARev1 Properties:with / without derivation function, prediction resistance disabled / enabled
RSA Signature GenerationSignature GenerationRSA SigGen (FIPS186-5): (A4985, A5261)DigSig- SigGenKeys:2048, 3072 and 4096-bit keys with 112 to 150 bits of key strength Hashes:SHA2-256, SHA2-384 Schemes:PKCS#1v1.5
RSA Signature VerificationSignature VerificationRSA SigVer (FIPS186-5): (A4985, A5261)DigSig-SigVerKeys: 2048, 3072 and 4096-bit keys with 112 to 150 bits of key strength Hashes:SHA2-256,
RSA Key GenerationKey GenerationRSA KeyGen (FIPS186-5): (A4985, A5261)AsymKeyPair- KeyGen CKGKeys:2048, 3072 and 4096-bit keys with 112 to 150 bits of key strength Schemes:A.1.3 Random Probable Primes Compliance:IG D.H; SP800-133Rev2 section 5.1
ECDSA Signature GenerationSignature GenerationECDSA SigGen (FIPS186-5): (A4985, A5261)DigSig- SigGenCurves:P-256, P-384 with 128 and 192 bits of strength Hashes:SHA2-256, SHA2-384
ECDSA Signature VerificationSignature VerificationECDSA SigVer (FIPS186-5): (A4985, A5261)DigSig-SigVerCurves:P-256, P-384 with 128 and 192 bits of strength Hashes:SHA2-256, SHA2-384
ECDSA Key GenerationKey GenerationECDSA KeyGen (FIPS186-5): (A4985, A5261)AsymKeyPair- KeyGen CKGCurves: P-256, P-384 with 128 and 192 bits of strength Schemes:FIPS 186-5, A.2.2 Rejection Sampling Compliance:IG D.H; SP800-133Rev2 sections 5.1 and 5.2
ECDSA Key VerificationKey VerificationECDSA KeyVer (FIPS186-5): (A4985, A5261)AsymKeyPair- KeyVerCurves:P-256, P-384 with 128 and 192 bits of strength
SHAMessage DigestSHA-1: (A4985, A5261) SHA2-256: (A4985, A5261) SHA2-384: (A4985, A5261)SHA
HMACMessage authentication code (MAC)HMAC-SHA-1: (A4985, A5261) HMAC-SHA2- 256: (A4985, A5261) HMAC-SHA2- 384: (A4985, A5261)MACHashes:SHA-1, SHA2- 256, SHA2-384 Keys:112 bits to 1024-bit keys with 112 to 256 bits of key strengths
TLS HandshakeKey agreementKAS-ECC-SSC Sp800-56Ar3: (A4985,KAS-FullCurves: P-256, P-384 with 128 and 192 bits of key strength
Compliance:IG D.F Scenario 2 (path 2)A5261) TLS v1.2 KDF RFC7627: (A4985, A5261)Compliance:IG D.F Scenario 2 (path 2)
SSH HandshakeKey agreementKDF SSH: (A4985, A5261) KAS-ECC-SSC Sp800-56Ar3: (A4985, A5261)KAS-FullEC Curves:P-256, P- 384 with 128 and 192 bits of key strength Compliance:IG D.F Scenario 2 (path 2)
AES-CTR with HMACKey Wrapping, Key UnwrappingAES-CTR: (A4985, A5261) HMAC-SHA-1: (A4985, A5261) HMAC-SHA2- 256: (A4985, A5261)KTS-WrapKeys:128, 256-bit keys with 128 and 256 bits of key strength
2.6 Security Function Implementations

DigSigSignature Generation © 2024 F5, Inc. / atsec information security.

15 of 58
Page 16

F5OS-A Cryptographic Module DigSigSigGen © 2024 F5, Inc. / atsec information security.

16 of 58
Page 17
Sensitive security parameter
NameTypeStrengthOperational EnvironmentEntropy per SampleConditioning Component
CPU Jitter RNG version 3.4.1 entropy sourceNon- Physical256 bitsF5OS-A 1.7.0 on rSeries r12900 with Intel(R) Xeon(R) Platinum 8531N Ice Lake-SP256 bitsSHA3-256 (CAVP cert. #A3769)

F5OS-A Cryptographic Module Table 7: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES GCM IV

The User shall consider the following requirements and restrictions when using the module. AES-GCM IV is constructed in accordance with SP800-38D in compliance with IG C.H scenario 1a. The implementation of the nonce_explicit management logic inside the module ensures that when the IV exhausts the maximum number of possible values for a given session key, the module triggers a new handshake request to establish a new key. In case the module’s power is lost and then restored, the key used for the AES GCM encryption or decryption shall be re-distributed. The AES GCM IV generation follows [RFC 5288] and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-3_IG] IG C.H scenario 1a; thus, the module is compliant with [SP800-52Rev2] section 3.3.1. Table 8: Entropy Certificates NonPhysical Table 9: Entropy Sources © 2024 F5, Inc. / atsec information security.

17 of 58
Page 18

F5OS-A Cryptographic Module The module employs a Deterministic Random Bit Generator (DRBG) based on [SP80090ARev1] for the generation of random value used in asymmetric keys. The Approved DRBG provided by the module is the CTR_DRBG with AES-256. The module uses the SP800-90B compliant entropy source specified in the Entropy Sources table to seed the DRBG. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The F5 entropy source is tested in the OE listed in the Tested Operational Environments - Software, Firmware, Hybrid table.

2.9 Key Generation

The module implements the following key generation methods:

5.2 of [SP800-133Rev2], according to IG D.H.

The module does not implement symmetric key generation as an explicit service. The HMAC and AES symmetric keys are derived from shared secrets by applying [SP 800-135] as part of the TLS/ SSH protocols. The scenario maps to the [SP 800-133Rev2] section 6.2.1.

2.10 Key Establishment

The module provides the following key establishment services:

256 bits of key strength; compliant with IG D.G.

AES-CBC or AES-CTR with HMAC in the context of SSH protocol, with 128 and 256bit keys, with 128 and 256 bits of key strength; compliant with IG D.G. AES-CBC with HMAC in the context of TLS protocol, with 128 and 256-bit keys, with

128 and 256 bits of key strength; compliant with IG D.G.
2.11 Industry Protocols

The module implements the SSH key derivation function for use in the SSH protocol (RFC

4253 and RFC 6668).

GCM with internal IV generation in the approved mode is compliant with version 1.2 of the TLS protocol (RFC 5288) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 key derivation function for use in the TLS protocol. © 2024 F5, Inc. / atsec information security.

18 of 58
Page 19

F5OS-A Cryptographic Module No parts of the SSH, TLS, other than those mentioned above, have been tested by the CAVP and CMVP. © 2024 F5, Inc. / atsec information security.

19 of 58
Page 20
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputTLS/SSH protocol input messages Configuration commands for interface management
N/AN/AData OutputTLS/SSH protocol output messages Status log
N/AN/AControl InputAPI which control system state (e.g., reset system, power-off system)
N/AN/AStatus OutputAPI which provides system status information
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 10: Ports and Interfaces The logical interfaces are the commands through which users of the module request services. There are no external input or output devices to the module that can be used for data input, data output, status output or control input. The module does not implement a For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. © 2024 F5, Inc. / atsec information security.

20 of 58
Page 21
Sensitive security parameter
NameDescriptionStrengthSecurity MechanismStrength per Minute
Role-based authentication with Password (CLI or WebUI)The password must consist of a minimum of 8 characters with at least one from each of the three- character classes. Character classes are defined as: digits (0-9), ASCII lowercase letters (a-z), ASCII uppercase letters (A-Z) Assuming a worst-case scenario where the password contains six numerical digits, one ASCII lowercase letter and one ASCII uppercase letter. The probability of guessing every character successfully is (1/10)^6 * (1/26)^1 * (1/26)^1 = 1/676,000,000. Note: this is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account is locked. This means that, in the worst case, an attacker has the probability of guessing the password in one minute as 3/676,000,000. Note: This is less than 1/100,000.1/676,000,000Password- based authentication3/676,000,000
Role-based authentication with SSH ECDSA key-pair (CLI only)The ECDSA using P-256 or P-384 curves for key based authentication yields a minimum security-strength of 128 bits. The chance of a random authentication attempt falsely succeeding is at most 1/(2^128) that is less than 1/1,000,000. The maximum number of login attempts is limited to 1 after which the account switch to password authentication. Then the attacker probability of succeeding to establish the connection depends on the probability of guessing the password and it is, as above, 3/676,000,000 less than 1/100,000.1/(2^128)ECDSA Signature Verification3/676,000,000
4 Roles, Services, and Authentication
4.1 Authentication Methods

Table 11: Authentication Methods The module supports role-based authentication. The module supports concurrent operators belonging to different roles (one CO role and one User role) which create different authenticated sessions, while achieving the separation between the concurrent operators. Two interfaces are used to access the module:

21 of 58
Page 22
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
AdministratorCORoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
Resource AdminUserRoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
OperatorUserRoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
Tenant-consoleUserRoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
List usersDisplay list of all user accountsAdministrat or Resource Admin OperatorNoneNoneNoneList of user accounts
Create additional UserCreate additional userAdministrat or - Password: WNoneNoneUsername / passwordConfirmation of account creation
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
AdministratorCORoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
Resource AdminUserRoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
OperatorUserRoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
Tenant-consoleUserRoleRole-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only)
List usersDisplay list of all user accountsAdministrat or Resource Admin OperatorNoneNoneNoneList of user accounts
Create additional UserCreate additional userAdministrat or - Password: WNoneNoneUsername / passwordConfirmation of account creation
Modify existing UsersModify existing usersAdministrat orNoneNoneUsername / modification (new username, role, password expiry date/tally count)Confirmation of account modification
Delete UserDelete existing userAdministrat orNoneNoneUsernameConfirmation of deletion
Unlock UserRemove lock from user who has exceeded login attemptsAdministrat orNoneNoneUsernameConfirmation of unlock
Update own passwordUpdate own passwordAdministrat or - Password: W Resource Admin - Password: W Operator - Password: WNoneNoneOwn passwordConfirmation of update of password
Update others passwordUpdate others passwordAdministrat or - Password: WNoneNoneUsername / passwordConfirmation of update
Configure Password PolicySet password policy featuresAdministrat orNoneNoneNew password policyConfirmation of configuratio n change
Create TLS CertificateSelf-signed certificate creationAdministrat or - TLS RSA public key: W,E - TLS RSA private key: W,E - TLS ECDSA public key: W,E - TLS ECDSA private key: W,ERSA Signature Generation ECDSA Signature GenerationService Indicator: ApprovedCertificate identificatio n informationConfirmation of certificate creation
Create TLS KeyCreate key for the SSL Certificate key fileAdministrat or - TLS RSA public key: G - TLS RSACounter DRBG RSA Key Generation ECDSA Key GenerationService Indicator: ApprovedKey identificatio n informationConfirmation of key creation
Delete TLS Certificate / KeySelf-signed certificate / key deletionAdministrat or - TLS RSA public key: None - TLS RSA private key: None - TLS ECDSA public key: None - TLS ECDSA private key: NoneNoneNoneKey identificatio n informationConfirmation of key deletion
List CertificateDisplay / log expiration data of installed certificatesAdministrat or Resource AdminNoneNoneList of certificates to displayCertificate expiration information
List private keysList private keysAdministrat or Resource AdminNoneNoneList of private keys to displayList of private keys
View System Audit LogDisplay logs/files of configuration changesAdministrat or Resource AdminNoneNoneNoneDisplay of system audit logs
Export Analytics Logs SystemExport analytics logs systemAdministrat orNoneNoneNoneExported system audit logs
Create TenantCreate tenant deploymentAdministrat or - Password: W,E Resource Admin - Password: W,ENoneNonepassword / tenant console roleConfirmation of the tenant- console role
Tenant SSH establish connectionConnecting to tenant-console via SSHTenant- consoleNoneNoneF5 rSeries platform manageme nt address / tenant- console / passwordConfirmation of Access to the tenant- console remotely over SSH
Tenant SSH close connectionClosing the tenant-console SSH sessionTenant- consoleNoneNoneNoneConfirmation of tenant- console SSH session closure
Configure SSH access optionsEnable / Disable SSH access, configure IP address allow listAdministrat or Resource AdminNoneNoneSSH access / IP address listConfirmation of configuratio n of SSH access options
Configure SSH user configurationUpdate ssh/ authorized_ke ys file for user authenticationAdministrat or - SSH ECDSA private key: W - SSH ECDSA public key : WNoneNoneSSH ECDSA key pair (public)Confirmation of configuratio n of SSH user configuratio n
Reboot SystemRestart the cryptographic moduleAdministrat or - TLS EC Diffie- Hellman public key: Z - TLS EC Diffie- Hellman private key: Z - TLS pre- primary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key: Z - SSH shared secret: ZNoneModule rebootsNoneConfirmation of system reboot
Secure EraseFull system zeroizationAdministrat or - TLS RSA public key: Z - TLS RSA private key: Z - TLS ECDSA public key: Z - TLS ECDSA private key: Z - TLS EC Diffie- Hellman public key: Z - TLS EC Diffie- Hellman private key: Z - TLS pre- primary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH ECDSANoneModule end of lifeSelection optionConfirmation of full system zeroization
Establish SSH sessionSSH key exchangeAdministrat or - SSH EC Diffie- Hellman public key: G,R,W,E - SSH EC Diffie- Hellman private key: G,R,W,E - SSH shared secret: G - IntermediatECDSA Signature Generation ECDSA Signature Verification ECDSA Key Generation ECDSA Key Verification SSH HandshakeSSH connectio n successfu lPassword; SSH ECDSA public key or SSH ECDSA private keyEC public key, Confirmation of SSH session establishme nt

F5OS-A Cryptographic Module

4.2 Roles

Table 12: Roles The CO and User roles are selected via the authentication credentials that are entered.

4.3 Approved Services

r W © 2024 F5, Inc. / atsec information security.

22 of 58
Page 23

F5OS-A Cryptographic Module r W W W W W,E W,E W,E W,E G © 2024 F5, Inc. / atsec information security.

23 of 58
Page 24

F5OS-A Cryptographic Module r n tenantover SSH G G G W,E W,E Tenantconsole © 2024 F5, Inc. / atsec information security.

24 of 58
Page 25

r n Tenantconsole W W DiffieHellman Z DiffieHellman Z - TLS preprimary :Z DiffieHellman Z DiffieHellman Z © 2024 F5, Inc. / atsec information security.

25 of 58
Page 26

F5OS-A Cryptographic Module r :Z :Z Z Z Z Z Z DiffieHellman Z DiffieHellman Z - TLS preprimary :Z © 2024 F5, Inc. / atsec information security.

26 of 58
Page 27

F5OS-A Cryptographic Module r n l Z Z DiffieHellman Z DiffieHellman Z :Z Z :Z Z DiffieHellman G,R,W,E DiffieHellman G,R,W,E © 2024 F5, Inc. / atsec information security.

27 of 58
Page 28

F5OS-A Cryptographic Module r E E DiffieHellman G,R,W,E DiffieHellman G,R,W,E E E W,E DiffieHellman G,R,W,E DiffieHellman G,R,W,E © 2024 F5, Inc. / atsec information security.

28 of 58
Page 29
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Maintain SSH Session (data encryption)SSH data encryptionAdministrat or - SSH derived session key : E Resource Admin - SSH derived session key : E Operator - SSH derived session key : EAES-CBC AES-CTR AES-CBC with HMAC AES-CTR with HMACSSH connectio n successfu lPlaintextCiphertext
Maintain SSH Session (data decryption)SSH data decryptionAdministrat or - SSH derived session key : E Resource Admin - SSH derived session key : E Operator - SSH derived session key : EAES-CBC AES-CTR AES-CBC with HMAC AES-CTR with HMACSSH connectio n successfu lCiphertextPlaintext
Maintain SSH Session (data integrity)SSH data integrityAdministrat or - SSH derived session key : E Resource AdminHMACSSH connectio n successfu lMessageMAC tag
Close SSH SessionClose SSH sessionAdministrat or - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key: Z - SSH shared secret: Z - SSH derived session key : Z Resource Admin - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key: Z - SSH shared secret: Z - SSH derived session key : Z Operator - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key:NoneSSH connectio n closedNoneConfirmation of SSH session closure
Establish TLS Session (key exchange)Key exchange in TLSAdministrat or - TLS EC Diffie- Hellman public key: E - TLS EC Diffie- Hellman private key: E - TLS pre- primary secret : G,E - TLS primary secret: G,E - TLS derived session key : G - TLS RSA public key: E - TLS RSA private key: E - TLS ECDSA public key: E - TLS ECDSA private key: E Resource Admin - TLS EC Diffie- Hellman public key: E - TLS EC Diffie- Hellman private key: E - TLS pre-RSA Signature Generation RSA Signature Verification ECDSA Signature Generation ECDSA Signature Verification TLS HandshakeService Indicator: ApprovedCiphersuite sTLS EC Diffie- Hellman public key, Confirmation of establishme nt of TLS session
Maintain TLS Session (authenticate d data encryption)TLS data encryptionAdministrat or - TLS derived session key : E Resource Admin - TLS derived session key : E Operator - TLS derived session key : EAES-GCM (Authenticated Encryption/Decryptio n) AES-CBC with HMAC HMACService Indicator: ApprovedCiphersuite s, plaintextCiphertext
Maintain TLS Session (authenticate d data decryption)TLS data decryptionAdministrat or - TLS derived session key : E Resource Admin - TLS derived session key : E Operator - TLS derived session key : EAES-GCM (Authenticated Encryption/Decryptio n) AES-CBC with HMACService Indicator: ApprovedCiphersuite s, ciphertextPlaintext
Maintain TLS Session (data authenticatio n)TLS data authenticationAdministrat or - TLS derived session key : E Resource Admin - TLS derived session key : E Operator - TLS derived session key : EHMACService Indicator: ApprovedCiphersuite s, messageMAC tag
Close TLS sessionClose TLS sessionAdministrat or - TLS EC Diffie- Hellman public key: Z - TLS EC Diffie- Hellman private key: Z - TLS pre- primary secret : Z - TLS primary secret: Z - TLS derived session key : Z ResourceNoneTLS connectio n closedNoneConfirmation of TLS session closure
Show versionReturn the module name and versionAdministrat or Resource Admin OperatorNoneNoneNoneVersion information, and module name
Show licenseReturn license indicationAdministrat or Resource Admin OperatorNoneNoneNoneFIPS license information
Show statusReturn the module statusAdministrat or ResourceNoneNoneNoneStatus of the specific service passed in
the show status commandAdmin Operatorthe show status command
Self-testExecute integrity test; Execute the CASTsAdministrat or Resource Admin OperatorAES-CBC AES-CTR AES-ECB AES-GCM (Authenticated Encryption/Decryptio n) AES-GMAC AES-GCM (Key Wrapping/Unwrappin g) AES-CBC with HMAC Counter DRBG RSA Signature Generation RSA Signature Verification RSA Key Generation ECDSA Signature Generation ECDSA Signature Verification ECDSA Key Generation ECDSA Key Verification SHA HMAC TLS Handshake SSH Handshake AES-CTR with HMACNoneNonePass/ fail results of self-tests
Show tenantLists tenant informationAdministrat or Resource Admin OperatorNoneNoneNoneLists tenant information

F5OS-A Cryptographic Module r n l n l n l E E W,E :E :E :E :E :E :E :E © 2024 F5, Inc. / atsec information security.

29 of 58
Page 30

F5OS-A Cryptographic Module r :E :E DiffieHellman Z DiffieHellman Z :Z DiffieHellman Z DiffieHellman Z :Z DiffieHellman Z DiffieHellman © 2024 F5, Inc. / atsec information security.

30 of 58
Page 31

F5OS-A Cryptographic Module r DiffieGeneration Z :Z DiffieHellman E DiffieHellman E - TLS preprimary :G E E E E DiffieHellman E DiffieHellman E © 2024 F5, Inc. / atsec information security.

31 of 58
Page 32

F5OS-A Cryptographic Module r :G E E - TLS preprimary :G E E E E n) :E :E :E © 2024 F5, Inc. / atsec information security.

32 of 58
Page 33

F5OS-A Cryptographic Module r n) :E :E :E n) :E :E :E DiffieHellman Z DiffieHellman Z - TLS preprimary :Z © 2024 F5, Inc. / atsec information security.

33 of 58
Page 34

F5OS-A Cryptographic Module r DiffieHellman Z DiffieHellman Z - TLS preprimary :Z DiffieHellman Z DiffieHellman Z - TLS preprimary :Z © 2024 F5, Inc. / atsec information security.

34 of 58
Page 35

F5OS-A Cryptographic Module r n) g) Table 13: Approved Services The environment variable SECURITY_FIPS140_CIPHER_STRICT is exported with the cipher restriction status. If the cipher_restricted status is enabled, the status output from the service indicator is returned in the /var/log/audit.log file. Using an approved service will provide an indicator which shows which approved algorithms were used. If the cipher_restricted status is disabled, there is no service indicator output. For the SSH services, the service indicator is implicit: when the SSH connection is established the service with the selected cipher is approved. The following variables are used in the Access rights to keys or SSPs column:

35 of 58
Page 36
Service
NameDescriptionRolesApproved Functions
Establish TLS session (signature generation and verification)Signature generation and verificationUser/CODSA EdDSA Signature Generation and Verification using Ed25519 RSA PKCS#1 v1.5 Signature Generation and Verification using 2048, 3072 or 4096- bits modulus with SHA-1, SHA2-224, SHA2- 512 RSA PKCS #1 v1.5 Signature Generation and Verification with modulus other than 2048, 3072 or 4096 bits, for all SHA sizes RSA PSS Signature Generation and Verification using 2048, 3072 or 4096-bits modulus ECDSA Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizes ECDSA Signature Generation using curves P-256 and P-384 with SHA-1, SHA2-224, SHA2-512, SHA3 ECDSA Signature Verification using curves P-256 and P-384 with SHA2-224, SHA2- 512, SHA3
Establish TLS session (key exchange)Key exchangeUser/CORSA Asymmetric Encryption and Decryption Diffie-Hellman using all Diffie-Hellman Groups EC Diffie-Hellman using curves other than P-256 and P-384 EC Diffie-Hellman using curves P-256 and P-384 Static Unified and OnePassDh schemes TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512, SHA3
Maintain TLS session (data encryption)Data encryptionUser/COAES-CCM AES-CFB AES-OFB AES-KW DES RC4 Triple-DES SM2 SM4
Maintain TLS session (data authentication)Data authenticationUser/COHMAC-SHA2-224 HMAC-SHA2-512 AES-CMAC Triple-DES
Create TLS keyKey generationUser/CORSA Key Generation with modulus sizes other than 2048, and 4096-bits ECDSA Key Generation and Verification with curves other than P-256 and P-384 Safe Primes Key Generation and Verification for Diffie-Hellman
Message digestMessage digestUser/COSHA2-224 SHA2-512 SM3 MD5
Key derivationKey derivationUser/COSNMP KDF IKEv1 KDF IKEv2 KDF

F5OS-A Cryptographic Module

4.4 Non-Approved Services

© 2024 F5, Inc. / atsec information security.

36 of 58
Page 37

F5OS-A Cryptographic Module Table 14: Non-Approved Services

4.5 External Software/Firmware Loaded

Not applicable. © 2024 F5, Inc. / atsec information security.

37 of 58
Page 38
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified using the approved integrity technique HMAC-SHA384, as listed in the section 10.1, by comparing the HMAC-SHA-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match, the module enters the Error state.

5.2 Initiate on Demand

The on demand pre-operational self-tests, including the integrity test on demand, are performed by rebooting the module. © 2024 F5, Inc. / atsec information security.

38 of 58
Page 39
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Non-Modifiable How Requirements are Satisfied: Once the module is operational, it does not allow the loading of any additional firmware. © 2024 F5, Inc. / atsec information security.

39 of 58
Page 40
MechanismInspectionInspection Guidance
Frequency
Production grade enclosure (SL1)N/AN/A
Opaque enclosure (SL2)N/AN/A
Tamper Evident Seals (SL2)Once per monthThe CO checks the quality of the tamper evident labels for any sign of removal, replacement, tearing. If the tamper evident labels require replacement, a kit providing 25 tamper labels is available for purchase (P/N: F5-ADD-BIG-FIPS140). The Crypto Officer shall be responsible for the storage of the label kits.
7 Physical Security
7.1 Mechanisms and Actions Required

N/A N/A N/A N/A Table 15: Mechanisms and Actions Required The module tested on the platform listed in the Tested Operational Environments Software, Firmware, Hybrid table is enclosed in a hard-metallic production grade enclosure that provides opacity and prevents visual inspection of internal components. Each test platform is fitted with tamper evident labels to provide physical evidence of attempts to gain operate in approved mode of operation.

7.2 User Placed Tamper Seals

Number: 5 Placement: Shown in Figure 3 Surface Preparation: The following steps should be taken when installing or replacing the tamper evident labels on the test platform on which the module runs. The instructions are also included in F5 Platforms: FIPS Kit Installation provided with the hardware platform.

40 of 58
Page 41

F5OS-A Cryptographic Module Figure 3 - Tamper labels on r12900 © 2024 F5, Inc. / atsec information security.

41 of 58
Page 42
8 Non-Invasive Security

Per IG 12.A: Until requirements of SP 800-140F are defined, non-invasive mechanisms fall under ISO / IEC 19790:2012 Section 7.12 Mitigation of other attacks. © 2024 F5, Inc. / atsec information security.

42 of 58
Page 43
Service
NameApproved FunctionsTypeFromToDistribution TypeEntry Type
TLS/SSH Protocol OutputTLS HandshakePlaintextCM SoftwareGPC EXT using a network portAutomatedElectronic
StorageDescriptionPersistence
AreaType
Name
SSDThe static SSPs remain on the system across power cycle. SSPs are only accessible to the authenticated operator, to which the SSPs are associated.Static
RAMThe memory occupied by SSPs is allocated by regular memory allocation operating system calls.Dynamic
ZeroizationDescriptionRationaleOperator Initiation
Method
Secure EraseSingle pass zeroization erasing the entire moduleAll SSPs present in the module are erased including the one in the non-volatile memoryThe Crypto Officer calling the Secure Erase service which can only be triggered during reboot of the test platform
Reboot SystemClear the SSPs present in RAM memoryVolatile memory used by the module is overwritten within nanoseconds when power is removedThe Crypto Officer calling Reboot System service
9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

Table 17: SSP Input-Output Methods network includes RSA/ECDSA public keys. For TLS with EC Diffie-Hellman key exchange, the TLS pre-primary secret is established during key agreement and is not output from the module. Once the TLS session is established, any key or data transfer performed thereafter is protected by authenticated encryption mode using AES-GCM or by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying TLS v1.2 KDF RFC7627 (CVL) [SP800-135]. For SSH with EC Diffie-Hellman key exchange, the SSH shared secret is established during key agreement and is not output from the module. SSH ECDSA public keys can be imported into the module by the CO using the "Configure SSH user configuration" service. Once the SSH session is established, any key or data transfer performed thereafter is protected by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying KDF SSH (CVL) [SP800-135]. There are no encrypted SSPs that are directly entered.

9.3 SSP Zeroization Methods

© 2024 F5, Inc. / atsec information security.

43 of 58
Page 44
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentUse
TLS RSA public keyAsymmetric - PSPRSA public key used for Digital signature verification in TLS protocol2048, 3072, 4096 bits - 112- 150 bitsRSA Key GenerationRSA Signature Verification
TLS RSA private keyAsymmetric - CSPRSA private key pair used for digital signature generation in TLS protocol2048, 3072, 4096 bits - 112- 150 bitsRSA Key GenerationRSA Signature Generation
TLS ECDSA public keyAsymmetric - PSPECDSA public key used for digital signature verification in TLS protocolP-256, P-384 - 128 and 192 bitsECDSA Key GenerationECDSA Signature Verification
TLS ECDSA private keyAsymmetric - CSPECDSA private key used for digital signature generation in TLS protocolP-256, P-384 - 128 and 192 bitsECDSA Key GenerationECDSA Signature Generation
TLS EC Diffie- Hellman public keyAsymmetric - PSPECDH public key used in TLS protocol key exchangeP-256, P-384 - 128 and 192 bitsECDSA Key GenerationTLS Handshake
TLS EC Diffie- Hellman private keyAsymmetric - CSPECDH private key used in TLS protocol key exchangeP-256, P-384 - 128 and 192 bitsECDSA Key GenerationTLS Handshake
TLS pre- primary secretAsymmetric - CSPTLS pre-primary secret used for deriving the TLS primary secretP-256, P-384 - 128 and 192 bitsTLS HandshakeTLS Handshake
TLS primary secretPre-primary secret - CSPTLS primary secret derived from TLS pre- primary secret256 bits - 256 bitsTLS HandshakeTLS Handshake
TLS derived session keySymmetric - CSPTLS derived session key derived from TLS primary secretAES: 128 and 256 bits; HMAC: 112-256 bits - 112-256 itsTLS Handshake
SSH ECDSA public keyAsymmetric - PSPECDSA public key used for SSH key-based authenticationP-256, P-384 - 128 and 192 bitsECDSA Signature Verification
SSH ECDSA private keyAsymmetric - CSPECDSA private key used for SSH key-based authenticationP-256, P-384 - 128 and 192 bitsECDSA Signature Generation
SSH EC Diffie- Hellman public keyAsymmetric - PSPEC Diffie- Hellman public key used for SSH handshakeP-256, P-384 - 128 and 192 bitsECDSA Key GenerationSSH Handshake
SSH EC Diffie- Hellman private keyAsymmetric - CSPEC Diffie- Hellman private key used for SSH handshakeP-256, P-384 - 128 and 192 bitsECDSA Key GenerationSSH Handshake
SSH shared secretShared secret - CSPSSH shared secret established during SSH shared secret computationP-256, P-384 - 128 and 192 bitsSSH HandshakeSSH Handshake
SSH derived session keySymmetric - CSPSSH derived session key derived from SSH shared secretAES: 128 and 256 bits; HMAC: 112-256 bits - 112-256 bitsSSH Handshake
PasswordPassword - CSPPassword input by the User or CO during creation of a new user or updating an existing password8 characters - 1/676,000,000
Entropy input stringEntropy - CSPEntropy obtained from the non- physical entropy source256 bits - 256 bitsCounter DRBG
DRBG seedSeed - CSPDRBG seed derived from the entropy input string256 bits - 256 bitsCounter DRBGCounter DRBG
DRBG internal state (V and key values)Internal state - CSPDRBG internal state derived from the DRBG seed256 bits - 256 bitsCounter DRBGCounter DRBG
Intermediate key generation valueIntermediate value - CSPTemporary value generated during key pair generation services256-4096 bits - 112-256 bitsRSA Key Generation ECDSA Key GenerationRSA Key Generation ECDSA Key Generation TLS Handshake SSH Handshake
ZeroizationDescriptionRationaleOperator Initiation
Method
Closing TLS/SSH ConnectionZeroization of temporary valuesSSP temporary values generated during key generation services are zeroized by the moduleClosing TLS/SSH Connection

F5OS-A Cryptographic Module Table 18: SSP Zeroization Methods The zeroization methods listed in the SSP Zeroization Methods table, overwrite the memory occupied by keys with “zeros” or pre-defined values.

9.4 SSPs

© 2024 F5, Inc. / atsec information security.

44 of 58
Page 45

F5OS-A Cryptographic Module DiffieHellman public Table 19: SSP Table 1 © 2024 F5, Inc. / atsec information security.

45 of 58
Page 46
Sensitive security parameter
NameStorageZeroizationInputStorage DurationRelated SSPs
TLS RSA public keySSD :PlaintextSecure EraseFrom service invoked to service completed or module rebootTLS RSA private key:Paired With Intermediate key generation value:Derived From
TLS RSA private keySSD :PlaintextSecure EraseFrom service invoked to service completed or module rebootTLS RSA public key:Paired With Intermediate key generation value:Derived From
TLS ECDSA public keySSD :PlaintextSecure EraseFrom service invoked to service completed or module rebootTLS RSA private key:Paired With Intermediate key generation value:Derived From
TLS ECDSA private keySSD :PlaintextSecure EraseFrom service invoked to service completed or module rebootTLS ECDSA public key:Paired With Intermediate key generation value:Derived From
TLS EC Diffie- Hellman public keyRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionTLS/SSH Protocol OutputFrom service invoked to service completed or module rebootTLS EC Diffie-Hellman private key:Paired With Intermediate key generation value:Derived From
TLS EC Diffie- Hellman private keyRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionFrom service invoked to service completed or module rebootTLS EC Diffie-Hellman public key:Paired With Intermediate key generation value:Derived From
TLS pre-primary secretRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionFrom service invoked to service completed or module rebootTLS primary secret:Derives
TLS primary secretRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionFrom service invoked to service completed or module rebootTLS pre-primary secret :Derived From TLS derived session key :Derives
TLS derived session keyRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionFrom service invoked to service completed or module rebootTLS primary secret:Derived From
SSH ECDSA public keySSD :PlaintextSecure EraseService InputFrom service invoked to service completed or module rebootSSH ECDSA private key:Paired With
SSH ECDSA private keySSD :PlaintextSecure EraseFrom service invoked to service completed or module rebootSSH ECDSA public key :Paired With
SSH EC Diffie- Hellman public keyRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionTLS/SSH Protocol OutputFrom service invoked to service completed or module rebootSSH EC Diffie-Hellman private key:Paired With SSH shared secret:Establishes Intermediate key generation value:Derived From
SSH EC Diffie- Hellman private keyRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionFrom service invoked to service completed or module rebootSSH EC Diffie-Hellman public key:Paired With SSH shared secret:Establishes Intermediate key generation value:Derived From
SSH shared secretRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionFrom service invoked to service completed or module rebootSSH EC Diffie-Hellman public key:Established By SSH EC Diffie-Hellman private key:Established By SSH derived session key :Derives
SSH derived session keyRAM:PlaintextSecure Erase Reboot System Closing TLS/SSH ConnectionFrom service invoked to service completed or module rebootSSH shared secret:Derived From
PasswordSSD :PlaintextSecure EraseService InputN/A
Entropy input stringRAM:PlaintextSecure Erase Reboot SystemStorage duration during the usage of the CSPDRBG seed :Derives
DRBG seedRAM:PlaintextSecure Erase Reboot SystemStorage duration during the usage of the CSPEntropy input string :Derived From DRBG internal state (V and key values):Derives
DRBG internal state (V and key values)RAM:PlaintextSecure Erase Reboot SystemStorage duration during the usage of the CSPDRBG seed :Derived From
Intermediate key generation valueRAM:PlaintextSecure Erase Reboot SystemFrom service invoked to service completed or module rebootTLS RSA public key:Derives TLS RSA private key:Derives TLS ECDSA public key:Derives TLS ECDSA private key:Derives SSH EC Diffie-Hellman public key:Derives

F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.

46 of 58
Page 47

F5OS-A Cryptographic Module N/A © 2024 F5, Inc. / atsec information security.

47 of 58
Page 48

F5OS-A Cryptographic Module Table 20: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2024 F5, Inc. / atsec information security.

48 of 58
Page 49
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTestIndicator
TestTestProperties
HMAC-SHA2- 384 (A4985)HMAC-SHA2- 384 (A4985)Message authenticationSW/FW IntegrityIntegrity test for F5OS-A version 1.7.0SHA2-384Module is operational and services are available for use
HMAC-SHA2- 384 (A5261)HMAC-SHA2- 384 (A5261)Message authenticationSW/FW IntegrityIntegrity test for F5OS-A version 1.7.0SHA2-384Module is operational and services are available for use
Approved algorithm
NamePropertiesTestIndicatorDetailsConditions
or TestType
AES-GCM (A4985)256-bit keyCASTModule is operational and services are available for useEncryptionModule initialization
AES-GCM (A5261)256-bit keyCASTModule is operational and services are available for useEncryptionModule initialization
AES-GCM (A4985)256-bit keyCASTModule is operational and services are available for useDecryptionModule initialization
AES-GCM (A5261)256-bit keyCASTModule is operational and services are available for useDecryptionModule initialization
AES-ECB (A4985)128 bit-keyCASTModule is operational and services are available for useEncryptionModule initialization
or TestType
AES-ECB (A5261)128 bit-keyCASTModule is operational and services are available for useEncryptionModule initialization
AES-ECB (A4985)128 bit-keyCASTModule is operational and services are available for useDecryptionModule initialization
AES-ECB (A5261)128 bit-keyCASTModule is operational and services are available for useDecryptionModule initialization
RSA SigGen (FIPS186-5) (A4985)PKCS#1 v1.5 with 2048 bit key and SHA2-256CASTModule is operational and services are available for useSignature generationModule initialization
RSA SigGen (FIPS186-5) (A5261)PKCS#1 v1.5 with 2048 bit key and SHA2-256CASTModule is operational and services are available for useSignature generationModule initialization
RSA SigVer (FIPS186-5) (A4985)PKCS#1 v1.5 with 2048 bit key and SHA2-256CASTModule is operational and services are available for useSignature verificationModule initialization
RSA SigVer (FIPS186-5) (A5261)PKCS#1 v1.5 with 2048 bit key and SHA2-256CASTModule is operational and services are available for useSignature verificationModule initialization
ECDSA SigGen (FIPS186-5) (A4985)P-256 and SHA2- 256CASTModule is operational and services are available for useSignature generationModule initialization
ECDSA SigGen (FIPS186-5) (A5261)P-256 and SHA2- 256CASTModule is operational and services are available for useSignature generationModule initialization
ECDSA SigVer (FIPS186-5) (A4985)P-256 and SHA2- 256CASTModule is operational and services are available for useSignature verificationModule initialization
ECDSA SigVer (FIPS186-5) (A5261)P-256 and SHA2- 256CASTModule is operational and services are available for useSignature verificationModule initialization
or TestType
KAS-ECC- SSC Sp800- 56Ar3 (A4985)P-256CASTModule is operational and services are available for useShared secret computationModule initialization
KAS-ECC- SSC Sp800- 56Ar3 (A5261)P-256CASTModule is operational and services are available for useShared secret computationModule initialization
HMAC-SHA- 1 (A4985)SHA-1CASTModule is operational and services are available for useMessage authenticationModule initialization
HMAC-SHA- 1 (A5261)SHA-1CASTModule is operational and services are available for useMessage authenticationModule initialization
HMAC- SHA2-256 (A4985)SHA2-256CASTModule is operational and services are available for useMessage authenticationModule initialization
HMAC- SHA2-256 (A5261)SHA2-256CASTModule is operational and services are available for useMessage authenticationModule initialization
HMAC- SHA2-384 (A4985)SHA2-384CASTModule is operational and services are available for useMessage authenticationModule initialization
HMAC- SHA2-384 (A5261)SHA2-384CASTModule is operational and services are available for useMessage authenticationModule initialization
KDF SSH (A4985)SHA2-256CASTModule is operational and services are available for useKey derivationModule initialization
KDF SSH (A5261)SHA2-256CASTModule is operational and services are available for useKey derivationModule initialization
KDF TLS (A4985)SHA2-256CASTModule is operational and services are available for useKey derivationModule initialization
or TestType
TLS v1.2 KDF RFC7627 (A5261)SHA2-256CASTModule is operational and services are available for useKey derivationModule initialization
ECDSA KeyGen (FIPS186-5) (A4985)SHA2-256 and respective curvePCTSuccessful key pair generationSignature Generation & Signature VerificationKey pair generation
ECDSA KeyGen (FIPS186-5) (A5261)SHA2-256 and respective curvePCTSuccessful key pair generationSignature Generation & Signature VerificationKey pair generation
RSA KeyGen (FIPS186-5) (A4985)SHA2-256 and respective keysPCTSuccessful key pair generationSignature Generation & Signature VerificationKey pair generation
RSA KeyGen (FIPS186-5) (A5261)SHA2-256 and respective keysPCTSuccessful key pair generationSignature Generation & Signature VerificationKey pair generation
ECDSA KeyGen (FIPS186-5) (A4985)SHA2-256 and respective curvePCTSuccessful key pair generationSignature generation & signature verification PCT that covers key pair generation for EC Diffie-HellmanKey pair generation
ECDSA KeyGen (FIPS186-5) (A5261)SHA2-256 and respective curvePCTSuccessful key pair generationSignature generation & signature verification PCT that covers key pair generation for EC Diffie-HellmanKey pair generation
Counter DRBG (A4985)AES-256 with/without derivation function; Health test per section 11.3 of SP 800- 90ARev1CASTModule is operational and services are available for useKAT CTR_DRBG with AES with 256-bit key with and without prediction resistnaceModule initialization
Counter DRBG (A5261)AES-256 with/without derivation function; Health test per section 11.3 of SP 800- 90ARev1CASTModule is operational and services are available for useKAT CTR_DRBG with AES with 256-bit key with and without prediction resistnaceModule initialization
Entropy SourceHealth TestCASTModule is operational and services are available for useHealth test at start- up: performed on 1,024 consecutive samplesModule initialization
Entropy SourceHealth TestCASTModule is operationalHealth test during runtime: performedContinuously
or TestType
and services are available for useand services are available for useon 1,024 consecutive samples
Entropy SourceHealth TestCASTModule is operational and services are available for useHealth test during start-up: performed on 512 consecutive samplesModule initialization
Entropy SourceHealth TestCASTModule is operational and services are available for useHealth test during runtime: performed on 512 consecutive samplesContinuously
10 Self-Tests
10.1 Pre-Operational Self-Tests

1.7.0 1.7.0 Table 21: Pre-Operational Self-Tests The pre-operational self-test is performed automatically when the module is powered on. At initialization, the module performs pre-operational self-test (integrity test) and the CASTs. Services are not available, and the data output is inhibited during the pre-operational selftest. Upon successful completion of the pre-operational self-tests and CASTs, the module any of the self-tests, the module returns an error code, and transitions to the Error state. Both, the pre-operational tests, and conditional tests are performed without operator intervention, without any external controls, externally provided test vectors, output results and the determination of pass of fail is done by the module.

10.2 Conditional Self-Tests

© 2024 F5, Inc. / atsec information security.

49 of 58
Page 50

F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.

50 of 58
Page 51

F5OS-A Cryptographic Module SSC Sp80056Ar3 SSC Sp80056Ar3 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 © 2024 F5, Inc. / atsec information security.

51 of 58
Page 52

F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.

52 of 58
Page 53
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2-384 (A4985)HMAC-SHA2-384 (A4985)Message authenticationSW/FW IntegrityOn DemandManually
HMAC-SHA2-384 (A5261)HMAC-SHA2-384 (A5261)Message authenticationSW/FW IntegrityOn DemandManually
AES-GCM (A4985)AES-GCM (A4985)Encrypt KATCASTOn DemandManually
AES-GCM (A5261)AES-GCM (A5261)Encrypt KATCASTOn DemandManually
AES-GCM (A4985)AES-GCM (A4985)Decrypt KATCASTOn DemandManually
AES-GCM (A5261)AES-GCM (A5261)Decrypt KATCASTOn DemandManually
AES-ECB (A4985)AES-ECB (A4985)Encrypt KATCASTOn DemandManually
AES-ECB (A5261)AES-ECB (A5261)Encrypt KATCASTOn DemandManually
AES-ECB (A4985)AES-ECB (A4985)Decrypt KATCASTOn DemandManually
AES-ECB (A5261)AES-ECB (A5261)Decrypt KATCASTOn DemandManually
RSA SigGen (FIPS186-5) (A4985)RSA SigGen (FIPS186-5) (A4985)Sign KATCASTOn DemandManually
RSA SigGen (FIPS186-5) (A5261)RSA SigGen (FIPS186-5) (A5261)Sign KATCASTOn DemandManually
RSA SigVer (FIPS186-5) (A4985)RSA SigVer (FIPS186-5) (A4985)Verify KATCASTOn DemandManually
RSA SigVer (FIPS186-5) (A5261)RSA SigVer (FIPS186-5) (A5261)Verify KATCASTOn DemandManually
ECDSA SigGen (FIPS186-5) (A4985)ECDSA SigGen (FIPS186-5) (A4985)Sign KATCASTOn DemandManually
ECDSA SigGen (FIPS186-5) (A5261)ECDSA SigGen (FIPS186-5) (A5261)Sign KATCASTOn DemandManually
ECDSA SigVer (FIPS186-5) (A4985)ECDSA SigVer (FIPS186-5) (A4985)Verify KATCASTOn DemandManually
ECDSA SigVer (FIPS186-5) (A5261)ECDSA SigVer (FIPS186-5) (A5261)Verify KATCASTOn DemandManually
KAS-ECC-SSC Sp800-56Ar3 (A4985)KAS-ECC-SSC Sp800-56Ar3 (A4985)Shared secret computationCASTOn DemandManually
KAS-ECC-SSC Sp800-56Ar3 (A5261)KAS-ECC-SSC Sp800-56Ar3 (A5261)Shared secret computationCASTOn DemandManually
HMAC-SHA-1 (A4985)HMAC-SHA-1 (A4985)HMAC KATCASTOn DemandManually
HMAC-SHA-1 (A5261)HMAC-SHA-1 (A5261)HMAC KATCASTOn DemandManually
HMAC-SHA2-256 (A4985)HMAC-SHA2-256 (A4985)HMAC KATCASTOn DemandManually
HMAC-SHA2-256 (A5261)HMAC-SHA2-256 (A5261)HMAC KATCASTOn DemandManually
HMAC-SHA2-384 (A4985)HMAC-SHA2-384 (A4985)HMAC KATCASTOn DemandManually
HMAC-SHA2-384 (A5261)HMAC-SHA2-384 (A5261)HMAC KATCASTOn DemandManually
KDF SSH (A4985)KDF SSH (A4985)SSH KDF KATCASTOn DemandManually
KDF SSH (A5261)KDF SSH (A5261)SSH KDF KATCASTOn DemandManually
KDF TLS (A4985)KDF TLS (A4985)TLS 1.2 KDF KATCASTOn DemandManually
TLS v1.2 KDF RFC7627 (A5261)TLS v1.2 KDF RFC7627 (A5261)TLS 1.2 KDF KATCASTOn DemandManually
ECDSA KeyGen (FIPS186-5) (A4985)ECDSA KeyGen (FIPS186-5) (A4985)ECDSA PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-5) (A5261)ECDSA KeyGen (FIPS186-5) (A5261)ECDSA PCTPCTOn DemandManually
RSA KeyGen (FIPS186-5) (A4985)RSA KeyGen (FIPS186-5) (A4985)RSA PCTPCTOn DemandManually
RSA KeyGen (FIPS186-5) (A5261)RSA KeyGen (FIPS186-5) (A5261)RSA PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-5) (A4985)ECDSA KeyGen (FIPS186-5) (A4985)ECDH PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-5) (A5261)ECDSA KeyGen (FIPS186-5) (A5261)ECDH PCTPCTOn DemandManually
Counter DRBG (A4985)Counter DRBG (A4985)CTR_DRBG KATCASTOn DemandManually
Counter DRBG (A5261)Counter DRBG (A5261)CTR_DRBG KATCASTOn DemandManually
Entropy SourceEntropy SourceRCTCASTOn DemandManually
Entropy SourceEntropy SourceRCTCASTContinuouslyManually
Entropy SourceEntropy SourceAPTCASTOn DemandManually
Entropy SourceEntropy SourceAPTCASTContinuouslyManually

F5OS-A Cryptographic Module Table 22: Conditional Self-Tests During the conditional self-tests, services are not available and the data output interface is inhibited.

10.3 Periodic Self-Test Information

Table 23: Pre-Operational Periodic Information © 2024 F5, Inc. / atsec information security.

53 of 58
Page 54

F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.

54 of 58
Page 55
Service
NameDescriptionRole AccessIndicatorRecovery Method
Error StateModule is no longer operational. The data output is inhibited.HMAC-SHA2-384 KAT failure or HMAC-SHA2-384 integrity test failure Failure of any of the CAST Failure of any of the PCTs Failure of the APT, RCT at runtime Failure of the APT, RCT at restart (power on)Module will not load after failing any of the CASTs, the integrity test or APT/RCT at restart (power on); Module will reboot after failing a PCT or APT/RCT at runtimeThe module must reboot or be re- loaded with a fresh image

F5OS-A Cryptographic Module Table 24: Conditional Periodic Information

10.4 Error States

Table 25: Error States All data output and cryptographic operations are inhibited when the module is in the Error

10.5 Operator Initiation of Self-Tests

The software integrity tests, and cryptographic algorithm self-tests can be invoked on demand by rebooting the module. During the execution of the periodic and on-demand selftests, crypto services are not available, and no data output or input is possible. The PCTs are executed on demand during the key generation functions invocation. © 2024 F5, Inc. / atsec information security.

55 of 58
Page 56
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
11.1.1 Delivery and Operation
11.1.2 Installing F5OS

Follow the instructions in the "Initial Configuration" guide for the initial setup and configuration of the hardware module.

56 of 58
Page 57

F5OS-A Cryptographic Module

11.1.3 Version Confirmation

The Crypto Officer should call the show version service (with command "show system image"), then confirm that the provided version matches the validated version shown in the Tested Module Identification

11.1.4 License Confirmation

The FIPS validated module activation requires installation of the license referred as ‘FIPS license’. The Crypto Officer should call the show license service (with command "show system licensing"), then verify that the list of license flags includes "FIPS 140 License”.

11.2 Administrator Guidance

The Crypto Officer should verify that the following specific configuration rules are followed to operate the module in the FIPS validated configuration.

11.3 Non-Administrator Guidance

The approved and non-approved security functions available to users are listed in section 2, the physical ports, and logical interfaces available to users are specified in section 3.1. The Approved and non-Approved modes of operation are specified in section 2.4. The algorithmspecific information is listed in section 2.7. © 2024 F5, Inc. / atsec information security.

57 of 58
Page 58
12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.

58 of 58

Referenced URLs