| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Firmware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/22/2030 |
| Caveat | When operated in approved mode and when installed, initialized, and configured as specified in Section 11 of the Security Policy with tamper evident labels contained in F5-ADD-BIG-FIPS140 kit and installed as indicated in the Security Policy section 7. |
| Vendor | F5, Inc. |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | 7 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for F5OS-A Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configuration</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES-CBC<br/>AES-CTR<br/>AES-ECB</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for F5OS-A Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Update own password<br/>Update others password<br/>Configure SSH user configuration</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES-CBC<br/>AES-CTR<br/>AES-ECB</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3 clueHigh;
class C5,C6 clueLow;F5, Inc. F5, Inc. F5OS-A Cryptographic Module Module Version: 1.7.0 FIPS Security Level 2 Document Version 1.1 Last update: 05-06-2025 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Table of Contents © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module 11.1.1 11.1.2 © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module List of Tables © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module List of Figures © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module F5®, BIG-IP® are registered trademarks of F5, Inc. Intel®, Atom® and Xeon® are registered trademarks of Intel Corporation. © 2024 F5, Inc. / atsec information security.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 2 |
| 2 | 2 | Cryptographic module specification | 2 |
| 3 | 3 | Cryptographic module interfaces | 2 |
| 4 | 4 | Roles, services, and authentication | 2 |
| 5 | 5 | Software/Firmware security | N/A |
| 6 | 6 | Operational environment | N/A |
| 7 | 7 | Physical security | 2 |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 2 |
| 10 | 10 | Self-tests | 2 |
| 11 | 11 | Life-cycle assurance | 2 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 2 |
This document is the non-proprietary FIPS 140-3 Security Policy for the F5OS-A Cryptographic Module with firmware version 1.7.0. The document contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 2 module.
N/A N/A N/A N/A Table 1: Security Levels © 2024 F5, Inc. / atsec information security.
Purpose and Use: The F5OS-A Cryptographic Module (hereafter referred to as “the module”) is a microservices-based, proprietary platform layer that provides an interface between the BIG-IP ADC and the rSeries hardware. Module Type: Firmware Module Embodiment: MultiChipStand Cryptographic Boundary: The module cryptographic boundary is defined by the red dotted line in Figure
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| F5OS-A | 1.7.0 | N/A | F5OS-A | HMAC-SHA-384 | ||||||
| F5OS-A 1.7.0 | F5OS-A 1.7.0 | rSeries r12900 | 1.7.0 | Intel(R) Xeon(R) Platinum 8531N Ice Lake-SP | Yes | N/A |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| F5OS-A | 1.7.0 | N/A | F5OS-A | HMAC-SHA-384 | ||||||
| F5OS-A 1.7.0 | F5OS-A 1.7.0 | rSeries r12900 | 1.7.0 | Intel(R) Xeon(R) Platinum 8531N Ice Lake-SP | Yes | N/A |
F5OS-A Cryptographic Module Figure 2: Block Diagram
Tested Module Identification
The module does not claim any excluded components.
Modes List and Description: 4.3 © 2024 F5, Inc. / atsec information security.
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- Approved | Automatically entered whenever a non-approved service is requested | Equivalent to the indicator of the requested service as defined in section 4.3 | Non- Approved |
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A4985 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC | A5261 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CTR | A4985 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CTR | A5261 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A4985 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A5261 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-GCM | A4985 | Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 | SP 800-38D |
| AES-GCM | A5261 | Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 | SP 800-38D |
| AES-GMAC | A4985 | Direction - Decrypt, Encrypt IV Generation - Internal | SP 800-38D |
| AES-GMAC | A5261 | Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 | SP 800-38D |
| Counter DRBG | A4985 | Prediction Resistance - No, Yes Mode - AES-256 Derivation Function Enabled - No, Yes | SP 800-90A Rev. 1 |
| Counter DRBG | A5261 | Prediction Resistance - No, Yes Mode - AES-256 Derivation Function Enabled - No, Yes | SP 800-90A Rev. 1 |
| ECDSA KeyGen (FIPS186-5) | A4985 | Curve - P-256, P-384 Secret Generation Mode - testing candidates | FIPS 186-5 |
| ECDSA KeyGen (FIPS186-5) | A5261 | Curve - P-256, P-384 Secret Generation Mode - testing candidates | FIPS 186-5 |
| ECDSA KeyVer (FIPS186-5) | A4985 | Curve - P-256, P-384 | FIPS 186-5 |
| ECDSA KeyVer (FIPS186-5) | A5261 | Curve - P-256, P-384 | FIPS 186-5 |
| ECDSA SigGen (FIPS186-5) | A4985 | Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384 Component - No | FIPS 186-5 |
| ECDSA SigGen (FIPS186-5) | A5261 | Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384 Component - No | FIPS 186-5 |
| ECDSA SigVer (FIPS186-5) | A4985 | Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384 | FIPS 186-5 |
| ECDSA SigVer (FIPS186-5) | A5261 | Curve - P-256, P-384 Hash Algorithm - SHA2-256, SHA2-384 | FIPS 186-5 |
| HMAC-SHA-1 | A4985 | Key Length - Key Length: 8, 16, 64, 128, 1024 | FIPS 198-1 |
| HMAC-SHA-1 | A5261 | Key Length - Key Length: 8, 16, 64, 128, 1024 | FIPS 198-1 |
| HMAC-SHA2-256 | A4985 | Key Length - Key Length: 8, 16, 64, 128, 1024 | FIPS 198-1 |
| HMAC-SHA2-256 | A5261 | Key Length - Key Length: 8, 16, 64, 128, 1024 | FIPS 198-1 |
| HMAC-SHA2-384 | A4985 | Key Length - Key Length: 8, 16, 64, 128, 1024 | FIPS 198-1 |
| HMAC-SHA2-384 | A5261 | Key Length - Key Length: 8, 16, 64, 128, 1024 | FIPS 198-1 |
| KAS-ECC-SSC Sp800- 56Ar3 | A4985 | Domain Parameter Generation Methods - P- 256, P-384 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-ECC-SSC Sp800- 56Ar3 | A5261 | Domain Parameter Generation Methods - P- 256, P-384 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KDF SSH (CVL) | A4985 | Cipher - AES-128, AES-256 Hash Algorithm - SHA2-256, SHA2-384 | SP 800-135 Rev. 1 |
| KDF SSH (CVL) | A5261 | Cipher - AES-128, AES-256 Hash Algorithm - SHA2-256, SHA2-384 | SP 800-135 Rev. 1 |
| RSA KeyGen (FIPS186- 5) | A4985 | Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard | FIPS 186-5 |
| RSA KeyGen (FIPS186- 5) | A5261 | Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard | FIPS 186-5 |
| RSA SigGen (FIPS186- 5) | A4985 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5 | FIPS 186-5 |
| RSA SigGen (FIPS186- 5) | A5261 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5 | FIPS 186-5 |
| RSA SigVer (FIPS186-5) | A4985 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5 | FIPS 186-5 |
| RSA SigVer (FIPS186-5) | A5261 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5 | FIPS 186-5 |
| SHA-1 | A4985 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA-1 | A5261 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A4985 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A5261 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-384 | A4985 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-384 | A5261 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| TLS v1.2 KDF RFC7627 (CVL) | A4985 | Hash Algorithm - SHA2-256, SHA2-384 | SP 800-135 Rev. 1 |
| TLS v1.2 KDF RFC7627 (CVL) | A5261 | Hash Algorithm - SHA2-256, SHA2-384 | SP 800-135 Rev. 1 |
F5OS-A Cryptographic Module NonApproved NonApproved 4.3 Table 4: Modes List and Description The module supports two modes of operation:
Approved Algorithms: © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.
| Name | Approved Functions |
|---|---|
| AES-CCM | Symmetric Encryption, Symmetric Decryption |
| AES-CFB | Symmetric Encryption, Symmetric Decryption |
| AES-OFB | Symmetric Encryption, Symmetric Decryption |
| AES-KW | Symmetric Encryption, Symmetric Decryption |
| DES | Symmetric Encryption, Symmetric Decryption |
| RC4 | Symmetric Encryption, Symmetric Decryption |
| Triple-DES | Symmetric Encryption, Symmetric Decryption |
| SM2 | Symmetric Encryption, Symmetric Decryption |
| SM4 | Symmetric Encryption, Symmetric Decryption |
| RSA Asymmetric Encryption and Decryption | Asymmetric Encryption, Asymmetric Decryption |
| RSA Key Generation with modulus sizes other than 2048, and 4096-bits | Key generation |
| DSA | Domain Parameter Generation, Domain Parameter Verification, Key Pair Generation, Digital Signature Generation, Digital Signature Verification |
| EdDSA Signature Generation and Verification using Ed25519 | Digital Signature Generation, Digital Signature Verification |
| ECDSA Key Generation and Verification with curves other than P-256 and P-384 | Key Generation, Key Verification |
| Safe Primes Key Generation and Verification for Diffie-Hellman | Key Generation, Key Verification |
| RSA PKCS#1 v1.5 Signature Generation and Verification using 2048, 3072 or 4096-bits modulus with SHA-1, SHA2-224, SHA2-512 | Digital Signature Generation, Digital Signature Verification |
| RSA PKCS #1 v1.5 Signature Generation and Verification with modulus other than 2048, 3072 or 4096 bits, for all SHA sizes | Digital Signature Generation, Digital Signature Verification |
| RSA PSS Signature Generation and Verification using 2048, 3072 or 4096-bits modulus | Digital Signature Generation, Digital Signature Verification |
| ECDSA Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizes | Digital Signature Generation, Digital Signature Verification |
| ECDSA Signature Generation using curves P- 256 and P-384 with SHA-1, SHA2-224, SHA2- 512, SHA3 | Digital Signature Generation |
| ECDSA Signature Verification using curves P- 256 and P-384 with SHA2-224, SHA2-512, SHA3 | Digital Signature Verification |
| SHA2-224 | Message Digest |
| SHA2-512 | Message Digest |
| SM3 | Message Digest |
| MD5 | Message Digest |
| HMAC-SHA2-224 | Message Authentication |
| HMAC-SHA2-512 | Message Authentication |
| AES-CMAC | Message Authentication |
| Triple-DES | Message Authentication |
| Diffie-Hellman using all Diffie-Hellman Groups | Key Agreement |
| EC Diffie-Hellman using curves other than P- 256 and P-384 | Key Agreement |
| EC Diffie-Hellman using curves P-256 and P- 384 Static Unified and OnePassDh schemes | Key Agreement |
| TLS KDF using MD5, SHA-1, SHA2-224, SHA2- 512, SHA3 | Key Derivation |
| SNMP KDF | Key Derivation |
| IKEv1 KDF | Key Derivation |
| IKEv2 KDF | Key Derivation |
F5OS-A Cryptographic Module 5) 5) 5) 5) Table 5: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Table 6: Non-Approved, Not Allowed Algorithms © 2024 F5, Inc. / atsec information security.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| AES-CBC | Encryption/Decryption | AES-CBC: (A4985, A5261) | BC-UnAuth | Keys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength |
| AES-CTR | Encryption/Decryption | AES-CTR: (A4985, A5261) | BC-UnAuth | Keys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength |
| AES-ECB | Encryption/Decryption | AES-ECB: (A4985, A5261) | BC-UnAuth | Keys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength |
| AES-GCM (Authenticated Encryption/Decryption) | Authenticated Encryption/Authenticated Decryption | AES-GCM: (A4985, A5261) | BC-Auth | Keys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength |
| AES-GMAC | Message authentication code (MAC) | AES-GMAC: (A4985, A5261) | MAC | Keys:128, 192, 256- bit keys with 128, 192, 256 bits of key strength |
| AES-GCM (Key Wrapping/Unwrapping) | Key Wrapping, Key Unwrapping | AES-GCM: (A4985, A5261) | KTS-Wrap | Keys:128, 256-bit keys with 128 and 256 bits of key strength Compliance:Compliant with IG D.G |
| AES-CBC with HMAC | Key Wrapping, Key Unwrapping | AES-CBC: (A4985, A5261) HMAC-SHA2- 256: (A4985, A5261) HMAC-SHA2- 384: (A4985, A5261) | KTS-Wrap | Keys:128, 256-bit keys with 128 and 256 bits of key strength |
| Counter DRBG | Random Number Generation | Counter DRBG: (A4985, A5261) | DRBG | Compliance:Compliant with SP800-90ARev1 Properties:with / without derivation function, prediction resistance disabled / enabled |
| RSA Signature Generation | Signature Generation | RSA SigGen (FIPS186-5): (A4985, A5261) | DigSig- SigGen | Keys:2048, 3072 and 4096-bit keys with 112 to 150 bits of key strength Hashes:SHA2-256, SHA2-384 Schemes:PKCS#1v1.5 |
| RSA Signature Verification | Signature Verification | RSA SigVer (FIPS186-5): (A4985, A5261) | DigSig-SigVer | Keys: 2048, 3072 and 4096-bit keys with 112 to 150 bits of key strength Hashes:SHA2-256, |
| RSA Key Generation | Key Generation | RSA KeyGen (FIPS186-5): (A4985, A5261) | AsymKeyPair- KeyGen CKG | Keys:2048, 3072 and 4096-bit keys with 112 to 150 bits of key strength Schemes:A.1.3 Random Probable Primes Compliance:IG D.H; SP800-133Rev2 section 5.1 |
| ECDSA Signature Generation | Signature Generation | ECDSA SigGen (FIPS186-5): (A4985, A5261) | DigSig- SigGen | Curves:P-256, P-384 with 128 and 192 bits of strength Hashes:SHA2-256, SHA2-384 |
| ECDSA Signature Verification | Signature Verification | ECDSA SigVer (FIPS186-5): (A4985, A5261) | DigSig-SigVer | Curves:P-256, P-384 with 128 and 192 bits of strength Hashes:SHA2-256, SHA2-384 |
| ECDSA Key Generation | Key Generation | ECDSA KeyGen (FIPS186-5): (A4985, A5261) | AsymKeyPair- KeyGen CKG | Curves: P-256, P-384 with 128 and 192 bits of strength Schemes:FIPS 186-5, A.2.2 Rejection Sampling Compliance:IG D.H; SP800-133Rev2 sections 5.1 and 5.2 |
| ECDSA Key Verification | Key Verification | ECDSA KeyVer (FIPS186-5): (A4985, A5261) | AsymKeyPair- KeyVer | Curves:P-256, P-384 with 128 and 192 bits of strength |
| SHA | Message Digest | SHA-1: (A4985, A5261) SHA2-256: (A4985, A5261) SHA2-384: (A4985, A5261) | SHA | |
| HMAC | Message authentication code (MAC) | HMAC-SHA-1: (A4985, A5261) HMAC-SHA2- 256: (A4985, A5261) HMAC-SHA2- 384: (A4985, A5261) | MAC | Hashes:SHA-1, SHA2- 256, SHA2-384 Keys:112 bits to 1024-bit keys with 112 to 256 bits of key strengths |
| TLS Handshake | Key agreement | KAS-ECC-SSC Sp800-56Ar3: (A4985, | KAS-Full | Curves: P-256, P-384 with 128 and 192 bits of key strength |
| Compliance:IG D.F Scenario 2 (path 2) | A5261) TLS v1.2 KDF RFC7627: (A4985, A5261) | Compliance:IG D.F Scenario 2 (path 2) | ||
| SSH Handshake | Key agreement | KDF SSH: (A4985, A5261) KAS-ECC-SSC Sp800-56Ar3: (A4985, A5261) | KAS-Full | EC Curves:P-256, P- 384 with 128 and 192 bits of key strength Compliance:IG D.F Scenario 2 (path 2) |
| AES-CTR with HMAC | Key Wrapping, Key Unwrapping | AES-CTR: (A4985, A5261) HMAC-SHA-1: (A4985, A5261) HMAC-SHA2- 256: (A4985, A5261) | KTS-Wrap | Keys:128, 256-bit keys with 128 and 256 bits of key strength |
DigSigSignature Generation © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module DigSigSigGen © 2024 F5, Inc. / atsec information security.
| Name | Type | Strength | Operational Environment | Entropy per Sample | Conditioning Component |
|---|---|---|---|---|---|
| CPU Jitter RNG version 3.4.1 entropy source | Non- Physical | 256 bits | F5OS-A 1.7.0 on rSeries r12900 with Intel(R) Xeon(R) Platinum 8531N Ice Lake-SP | 256 bits | SHA3-256 (CAVP cert. #A3769) |
F5OS-A Cryptographic Module Table 7: Security Function Implementations
The User shall consider the following requirements and restrictions when using the module. AES-GCM IV is constructed in accordance with SP800-38D in compliance with IG C.H scenario 1a. The implementation of the nonce_explicit management logic inside the module ensures that when the IV exhausts the maximum number of possible values for a given session key, the module triggers a new handshake request to establish a new key. In case the module’s power is lost and then restored, the key used for the AES GCM encryption or decryption shall be re-distributed. The AES GCM IV generation follows [RFC 5288] and shall only be used for the TLS protocol version 1.2 to be compliant with [FIPS140-3_IG] IG C.H scenario 1a; thus, the module is compliant with [SP800-52Rev2] section 3.3.1. Table 8: Entropy Certificates NonPhysical Table 9: Entropy Sources © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module The module employs a Deterministic Random Bit Generator (DRBG) based on [SP80090ARev1] for the generation of random value used in asymmetric keys. The Approved DRBG provided by the module is the CTR_DRBG with AES-256. The module uses the SP800-90B compliant entropy source specified in the Entropy Sources table to seed the DRBG. The operator does not have the ability to modify the F5 entropy source (ES) configuration settings (see details in Public Use Document referenced in section 11.2). The F5 entropy source is tested in the OE listed in the Tested Operational Environments - Software, Firmware, Hybrid table.
The module implements the following key generation methods:
The module does not implement symmetric key generation as an explicit service. The HMAC and AES symmetric keys are derived from shared secrets by applying [SP 800-135] as part of the TLS/ SSH protocols. The scenario maps to the [SP 800-133Rev2] section 6.2.1.
The module provides the following key establishment services:
AES-CBC or AES-CTR with HMAC in the context of SSH protocol, with 128 and 256bit keys, with 128 and 256 bits of key strength; compliant with IG D.G. AES-CBC with HMAC in the context of TLS protocol, with 128 and 256-bit keys, with
The module implements the SSH key derivation function for use in the SSH protocol (RFC
GCM with internal IV generation in the approved mode is compliant with version 1.2 of the TLS protocol (RFC 5288) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements the TLS 1.2 key derivation function for use in the TLS protocol. © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module No parts of the SSH, TLS, other than those mentioned above, have been tested by the CAVP and CMVP. © 2024 F5, Inc. / atsec information security.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | TLS/SSH protocol input messages Configuration commands for interface management |
| N/A | N/A | Data Output | TLS/SSH protocol output messages Status log |
| N/A | N/A | Control Input | API which control system state (e.g., reset system, power-off system) |
| N/A | N/A | Status Output | API which provides system status information |
N/A N/A N/A N/A Table 10: Ports and Interfaces The logical interfaces are the commands through which users of the module request services. There are no external input or output devices to the module that can be used for data input, data output, status output or control input. The module does not implement a For the purpose of the FIPS 140-3 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. © 2024 F5, Inc. / atsec information security.
| Name | Description | Strength | Security Mechanism | Strength per Minute |
|---|---|---|---|---|
| Role-based authentication with Password (CLI or WebUI) | The password must consist of a minimum of 8 characters with at least one from each of the three- character classes. Character classes are defined as: digits (0-9), ASCII lowercase letters (a-z), ASCII uppercase letters (A-Z) Assuming a worst-case scenario where the password contains six numerical digits, one ASCII lowercase letter and one ASCII uppercase letter. The probability of guessing every character successfully is (1/10)^6 * (1/26)^1 * (1/26)^1 = 1/676,000,000. Note: this is less than 1/1,000,000. The maximum number of login attempts is limited to 3 after which the account is locked. This means that, in the worst case, an attacker has the probability of guessing the password in one minute as 3/676,000,000. Note: This is less than 1/100,000. | 1/676,000,000 | Password- based authentication | 3/676,000,000 |
| Role-based authentication with SSH ECDSA key-pair (CLI only) | The ECDSA using P-256 or P-384 curves for key based authentication yields a minimum security-strength of 128 bits. The chance of a random authentication attempt falsely succeeding is at most 1/(2^128) that is less than 1/1,000,000. The maximum number of login attempts is limited to 1 after which the account switch to password authentication. Then the attacker probability of succeeding to establish the connection depends on the probability of guessing the password and it is, as above, 3/676,000,000 less than 1/100,000. | 1/(2^128) | ECDSA Signature Verification | 3/676,000,000 |
Table 11: Authentication Methods The module supports role-based authentication. The module supports concurrent operators belonging to different roles (one CO role and one User role) which create different authenticated sessions, while achieving the separation between the concurrent operators. Two interfaces are used to access the module:
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | Authentication Methods |
|---|---|---|---|---|---|---|---|---|---|
| Administrator | CO | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| Resource Admin | User | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| Operator | User | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| Tenant-console | User | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| List users | Display list of all user accounts | Administrat or Resource Admin Operator | None | None | None | List of user accounts | |||
| Create additional User | Create additional user | Administrat or - Password: W | None | None | Username / password | Confirmation of account creation |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | Authentication Methods |
|---|---|---|---|---|---|---|---|---|---|
| Administrator | CO | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| Resource Admin | User | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| Operator | User | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| Tenant-console | User | Role | Role-based authentication with Password (CLI or WebUI) Role-based authentication with SSH ECDSA key-pair (CLI only) | ||||||
| List users | Display list of all user accounts | Administrat or Resource Admin Operator | None | None | None | List of user accounts | |||
| Create additional User | Create additional user | Administrat or - Password: W | None | None | Username / password | Confirmation of account creation | |||
| Modify existing Users | Modify existing users | Administrat or | None | None | Username / modification (new username, role, password expiry date/tally count) | Confirmation of account modification | |||
| Delete User | Delete existing user | Administrat or | None | None | Username | Confirmation of deletion | |||
| Unlock User | Remove lock from user who has exceeded login attempts | Administrat or | None | None | Username | Confirmation of unlock | |||
| Update own password | Update own password | Administrat or - Password: W Resource Admin - Password: W Operator - Password: W | None | None | Own password | Confirmation of update of password | |||
| Update others password | Update others password | Administrat or - Password: W | None | None | Username / password | Confirmation of update | |||
| Configure Password Policy | Set password policy features | Administrat or | None | None | New password policy | Confirmation of configuratio n change | |||
| Create TLS Certificate | Self-signed certificate creation | Administrat or - TLS RSA public key: W,E - TLS RSA private key: W,E - TLS ECDSA public key: W,E - TLS ECDSA private key: W,E | RSA Signature Generation ECDSA Signature Generation | Service Indicator: Approved | Certificate identificatio n information | Confirmation of certificate creation | |||
| Create TLS Key | Create key for the SSL Certificate key file | Administrat or - TLS RSA public key: G - TLS RSA | Counter DRBG RSA Key Generation ECDSA Key Generation | Service Indicator: Approved | Key identificatio n information | Confirmation of key creation | |||
| Delete TLS Certificate / Key | Self-signed certificate / key deletion | Administrat or - TLS RSA public key: None - TLS RSA private key: None - TLS ECDSA public key: None - TLS ECDSA private key: None | None | None | Key identificatio n information | Confirmation of key deletion | |||
| List Certificate | Display / log expiration data of installed certificates | Administrat or Resource Admin | None | None | List of certificates to display | Certificate expiration information | |||
| List private keys | List private keys | Administrat or Resource Admin | None | None | List of private keys to display | List of private keys | |||
| View System Audit Log | Display logs/files of configuration changes | Administrat or Resource Admin | None | None | None | Display of system audit logs | |||
| Export Analytics Logs System | Export analytics logs system | Administrat or | None | None | None | Exported system audit logs | |||
| Create Tenant | Create tenant deployment | Administrat or - Password: W,E Resource Admin - Password: W,E | None | None | password / tenant console role | Confirmation of the tenant- console role | |||
| Tenant SSH establish connection | Connecting to tenant-console via SSH | Tenant- console | None | None | F5 rSeries platform manageme nt address / tenant- console / password | Confirmation of Access to the tenant- console remotely over SSH | |||
| Tenant SSH close connection | Closing the tenant-console SSH session | Tenant- console | None | None | None | Confirmation of tenant- console SSH session closure | |||
| Configure SSH access options | Enable / Disable SSH access, configure IP address allow list | Administrat or Resource Admin | None | None | SSH access / IP address list | Confirmation of configuratio n of SSH access options | |||
| Configure SSH user configuration | Update ssh/ authorized_ke ys file for user authentication | Administrat or - SSH ECDSA private key: W - SSH ECDSA public key : W | None | None | SSH ECDSA key pair (public) | Confirmation of configuratio n of SSH user configuratio n | |||
| Reboot System | Restart the cryptographic module | Administrat or - TLS EC Diffie- Hellman public key: Z - TLS EC Diffie- Hellman private key: Z - TLS pre- primary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key: Z - SSH shared secret: Z | None | Module reboots | None | Confirmation of system reboot | |||
| Secure Erase | Full system zeroization | Administrat or - TLS RSA public key: Z - TLS RSA private key: Z - TLS ECDSA public key: Z - TLS ECDSA private key: Z - TLS EC Diffie- Hellman public key: Z - TLS EC Diffie- Hellman private key: Z - TLS pre- primary secret : Z - TLS primary secret: Z - TLS derived session key : Z - SSH ECDSA | None | Module end of life | Selection option | Confirmation of full system zeroization | |||
| Establish SSH session | SSH key exchange | Administrat or - SSH EC Diffie- Hellman public key: G,R,W,E - SSH EC Diffie- Hellman private key: G,R,W,E - SSH shared secret: G - Intermediat | ECDSA Signature Generation ECDSA Signature Verification ECDSA Key Generation ECDSA Key Verification SSH Handshake | SSH connectio n successfu l | Password; SSH ECDSA public key or SSH ECDSA private key | EC public key, Confirmation of SSH session establishme nt |
F5OS-A Cryptographic Module
Table 12: Roles The CO and User roles are selected via the authentication credentials that are entered.
r W © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r W W W W W,E W,E W,E W,E G © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r n tenantover SSH G G G W,E W,E Tenantconsole © 2024 F5, Inc. / atsec information security.
r n Tenantconsole W W DiffieHellman Z DiffieHellman Z - TLS preprimary :Z DiffieHellman Z DiffieHellman Z © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r :Z :Z Z Z Z Z Z DiffieHellman Z DiffieHellman Z - TLS preprimary :Z © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r n l Z Z DiffieHellman Z DiffieHellman Z :Z Z :Z Z DiffieHellman G,R,W,E DiffieHellman G,R,W,E © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r E E DiffieHellman G,R,W,E DiffieHellman G,R,W,E E E W,E DiffieHellman G,R,W,E DiffieHellman G,R,W,E © 2024 F5, Inc. / atsec information security.
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Maintain SSH Session (data encryption) | SSH data encryption | Administrat or - SSH derived session key : E Resource Admin - SSH derived session key : E Operator - SSH derived session key : E | AES-CBC AES-CTR AES-CBC with HMAC AES-CTR with HMAC | SSH connectio n successfu l | Plaintext | Ciphertext |
| Maintain SSH Session (data decryption) | SSH data decryption | Administrat or - SSH derived session key : E Resource Admin - SSH derived session key : E Operator - SSH derived session key : E | AES-CBC AES-CTR AES-CBC with HMAC AES-CTR with HMAC | SSH connectio n successfu l | Ciphertext | Plaintext |
| Maintain SSH Session (data integrity) | SSH data integrity | Administrat or - SSH derived session key : E Resource Admin | HMAC | SSH connectio n successfu l | Message | MAC tag |
| Close SSH Session | Close SSH session | Administrat or - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key: Z - SSH shared secret: Z - SSH derived session key : Z Resource Admin - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key: Z - SSH shared secret: Z - SSH derived session key : Z Operator - SSH EC Diffie- Hellman public key: Z - SSH EC Diffie- Hellman private key: | None | SSH connectio n closed | None | Confirmation of SSH session closure |
| Establish TLS Session (key exchange) | Key exchange in TLS | Administrat or - TLS EC Diffie- Hellman public key: E - TLS EC Diffie- Hellman private key: E - TLS pre- primary secret : G,E - TLS primary secret: G,E - TLS derived session key : G - TLS RSA public key: E - TLS RSA private key: E - TLS ECDSA public key: E - TLS ECDSA private key: E Resource Admin - TLS EC Diffie- Hellman public key: E - TLS EC Diffie- Hellman private key: E - TLS pre- | RSA Signature Generation RSA Signature Verification ECDSA Signature Generation ECDSA Signature Verification TLS Handshake | Service Indicator: Approved | Ciphersuite s | TLS EC Diffie- Hellman public key, Confirmation of establishme nt of TLS session |
| Maintain TLS Session (authenticate d data encryption) | TLS data encryption | Administrat or - TLS derived session key : E Resource Admin - TLS derived session key : E Operator - TLS derived session key : E | AES-GCM (Authenticated Encryption/Decryptio n) AES-CBC with HMAC HMAC | Service Indicator: Approved | Ciphersuite s, plaintext | Ciphertext |
| Maintain TLS Session (authenticate d data decryption) | TLS data decryption | Administrat or - TLS derived session key : E Resource Admin - TLS derived session key : E Operator - TLS derived session key : E | AES-GCM (Authenticated Encryption/Decryptio n) AES-CBC with HMAC | Service Indicator: Approved | Ciphersuite s, ciphertext | Plaintext |
| Maintain TLS Session (data authenticatio n) | TLS data authentication | Administrat or - TLS derived session key : E Resource Admin - TLS derived session key : E Operator - TLS derived session key : E | HMAC | Service Indicator: Approved | Ciphersuite s, message | MAC tag |
| Close TLS session | Close TLS session | Administrat or - TLS EC Diffie- Hellman public key: Z - TLS EC Diffie- Hellman private key: Z - TLS pre- primary secret : Z - TLS primary secret: Z - TLS derived session key : Z Resource | None | TLS connectio n closed | None | Confirmation of TLS session closure |
| Show version | Return the module name and version | Administrat or Resource Admin Operator | None | None | None | Version information, and module name |
| Show license | Return license indication | Administrat or Resource Admin Operator | None | None | None | FIPS license information |
| Show status | Return the module status | Administrat or Resource | None | None | None | Status of the specific service passed in |
| the show status command | Admin Operator | the show status command | ||||
| Self-test | Execute integrity test; Execute the CASTs | Administrat or Resource Admin Operator | AES-CBC AES-CTR AES-ECB AES-GCM (Authenticated Encryption/Decryptio n) AES-GMAC AES-GCM (Key Wrapping/Unwrappin g) AES-CBC with HMAC Counter DRBG RSA Signature Generation RSA Signature Verification RSA Key Generation ECDSA Signature Generation ECDSA Signature Verification ECDSA Key Generation ECDSA Key Verification SHA HMAC TLS Handshake SSH Handshake AES-CTR with HMAC | None | None | Pass/ fail results of self-tests |
| Show tenant | Lists tenant information | Administrat or Resource Admin Operator | None | None | None | Lists tenant information |
F5OS-A Cryptographic Module r n l n l n l E E W,E :E :E :E :E :E :E :E © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r :E :E DiffieHellman Z DiffieHellman Z :Z DiffieHellman Z DiffieHellman Z :Z DiffieHellman Z DiffieHellman © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r DiffieGeneration Z :Z DiffieHellman E DiffieHellman E - TLS preprimary :G E E E E DiffieHellman E DiffieHellman E © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r :G E E - TLS preprimary :G E E E E n) :E :E :E © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r n) :E :E :E n) :E :E :E DiffieHellman Z DiffieHellman Z - TLS preprimary :Z © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r DiffieHellman Z DiffieHellman Z - TLS preprimary :Z DiffieHellman Z DiffieHellman Z - TLS preprimary :Z © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module r n) g) Table 13: Approved Services The environment variable SECURITY_FIPS140_CIPHER_STRICT is exported with the cipher restriction status. If the cipher_restricted status is enabled, the status output from the service indicator is returned in the /var/log/audit.log file. Using an approved service will provide an indicator which shows which approved algorithms were used. If the cipher_restricted status is disabled, there is no service indicator output. For the SSH services, the service indicator is implicit: when the SSH connection is established the service with the selected cipher is approved. The following variables are used in the Access rights to keys or SSPs column:
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| Establish TLS session (signature generation and verification) | Signature generation and verification | User/CO | DSA EdDSA Signature Generation and Verification using Ed25519 RSA PKCS#1 v1.5 Signature Generation and Verification using 2048, 3072 or 4096- bits modulus with SHA-1, SHA2-224, SHA2- 512 RSA PKCS #1 v1.5 Signature Generation and Verification with modulus other than 2048, 3072 or 4096 bits, for all SHA sizes RSA PSS Signature Generation and Verification using 2048, 3072 or 4096-bits modulus ECDSA Signature Generation and Verification using curves other than P-256 and P-384, all SHA sizes ECDSA Signature Generation using curves P-256 and P-384 with SHA-1, SHA2-224, SHA2-512, SHA3 ECDSA Signature Verification using curves P-256 and P-384 with SHA2-224, SHA2- 512, SHA3 |
| Establish TLS session (key exchange) | Key exchange | User/CO | RSA Asymmetric Encryption and Decryption Diffie-Hellman using all Diffie-Hellman Groups EC Diffie-Hellman using curves other than P-256 and P-384 EC Diffie-Hellman using curves P-256 and P-384 Static Unified and OnePassDh schemes TLS KDF using MD5, SHA-1, SHA2-224, SHA2-512, SHA3 |
| Maintain TLS session (data encryption) | Data encryption | User/CO | AES-CCM AES-CFB AES-OFB AES-KW DES RC4 Triple-DES SM2 SM4 |
| Maintain TLS session (data authentication) | Data authentication | User/CO | HMAC-SHA2-224 HMAC-SHA2-512 AES-CMAC Triple-DES |
| Create TLS key | Key generation | User/CO | RSA Key Generation with modulus sizes other than 2048, and 4096-bits ECDSA Key Generation and Verification with curves other than P-256 and P-384 Safe Primes Key Generation and Verification for Diffie-Hellman |
| Message digest | Message digest | User/CO | SHA2-224 SHA2-512 SM3 MD5 |
| Key derivation | Key derivation | User/CO | SNMP KDF IKEv1 KDF IKEv2 KDF |
F5OS-A Cryptographic Module
© 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Table 14: Non-Approved Services
Not applicable. © 2024 F5, Inc. / atsec information security.
The integrity of the module is verified using the approved integrity technique HMAC-SHA384, as listed in the section 10.1, by comparing the HMAC-SHA-384 checksum values of the installed binaries calculated at run time with the stored values computed at build time. If the values do not match, the module enters the Error state.
The on demand pre-operational self-tests, including the integrity test on demand, are performed by rebooting the module. © 2024 F5, Inc. / atsec information security.
Type of Operational Environment: Non-Modifiable How Requirements are Satisfied: Once the module is operational, it does not allow the loading of any additional firmware. © 2024 F5, Inc. / atsec information security.
| Mechanism | Inspection | Inspection Guidance |
|---|---|---|
| Frequency | ||
| Production grade enclosure (SL1) | N/A | N/A |
| Opaque enclosure (SL2) | N/A | N/A |
| Tamper Evident Seals (SL2) | Once per month | The CO checks the quality of the tamper evident labels for any sign of removal, replacement, tearing. If the tamper evident labels require replacement, a kit providing 25 tamper labels is available for purchase (P/N: F5-ADD-BIG-FIPS140). The Crypto Officer shall be responsible for the storage of the label kits. |
N/A N/A N/A N/A Table 15: Mechanisms and Actions Required The module tested on the platform listed in the Tested Operational Environments Software, Firmware, Hybrid table is enclosed in a hard-metallic production grade enclosure that provides opacity and prevents visual inspection of internal components. Each test platform is fitted with tamper evident labels to provide physical evidence of attempts to gain operate in approved mode of operation.
Number: 5 Placement: Shown in Figure 3 Surface Preparation: The following steps should be taken when installing or replacing the tamper evident labels on the test platform on which the module runs. The instructions are also included in F5 Platforms: FIPS Kit Installation provided with the hardware platform.
F5OS-A Cryptographic Module Figure 3 - Tamper labels on r12900 © 2024 F5, Inc. / atsec information security.
Per IG 12.A: Until requirements of SP 800-140F are defined, non-invasive mechanisms fall under ISO / IEC 19790:2012 Section 7.12 Mitigation of other attacks. © 2024 F5, Inc. / atsec information security.
| Name | Approved Functions | Type | From | To | Distribution Type | Entry Type |
|---|---|---|---|---|---|---|
| TLS/SSH Protocol Output | TLS Handshake | Plaintext | CM Software | GPC EXT using a network port | Automated | Electronic |
| Storage | Description | Persistence |
|---|---|---|
| Area | Type | |
| Name | ||
| SSD | The static SSPs remain on the system across power cycle. SSPs are only accessible to the authenticated operator, to which the SSPs are associated. | Static |
| RAM | The memory occupied by SSPs is allocated by regular memory allocation operating system calls. | Dynamic |
| Zeroization | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Method | |||
| Secure Erase | Single pass zeroization erasing the entire module | All SSPs present in the module are erased including the one in the non-volatile memory | The Crypto Officer calling the Secure Erase service which can only be triggered during reboot of the test platform |
| Reboot System | Clear the SSPs present in RAM memory | Volatile memory used by the module is overwritten within nanoseconds when power is removed | The Crypto Officer calling Reboot System service |
Table 17: SSP Input-Output Methods network includes RSA/ECDSA public keys. For TLS with EC Diffie-Hellman key exchange, the TLS pre-primary secret is established during key agreement and is not output from the module. Once the TLS session is established, any key or data transfer performed thereafter is protected by authenticated encryption mode using AES-GCM or by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying TLS v1.2 KDF RFC7627 (CVL) [SP800-135]. For SSH with EC Diffie-Hellman key exchange, the SSH shared secret is established during key agreement and is not output from the module. SSH ECDSA public keys can be imported into the module by the CO using the "Configure SSH user configuration" service. Once the SSH session is established, any key or data transfer performed thereafter is protected by AES encryption and HMAC authentication through a mutually agreed AES and HMAC session keys derived by applying KDF SSH (CVL) [SP800-135]. There are no encrypted SSPs that are directly entered.
© 2024 F5, Inc. / atsec information security.
| Name | Type | Description | Strength | Generation | Establishment | Use |
|---|---|---|---|---|---|---|
| TLS RSA public key | Asymmetric - PSP | RSA public key used for Digital signature verification in TLS protocol | 2048, 3072, 4096 bits - 112- 150 bits | RSA Key Generation | RSA Signature Verification | |
| TLS RSA private key | Asymmetric - CSP | RSA private key pair used for digital signature generation in TLS protocol | 2048, 3072, 4096 bits - 112- 150 bits | RSA Key Generation | RSA Signature Generation | |
| TLS ECDSA public key | Asymmetric - PSP | ECDSA public key used for digital signature verification in TLS protocol | P-256, P-384 - 128 and 192 bits | ECDSA Key Generation | ECDSA Signature Verification | |
| TLS ECDSA private key | Asymmetric - CSP | ECDSA private key used for digital signature generation in TLS protocol | P-256, P-384 - 128 and 192 bits | ECDSA Key Generation | ECDSA Signature Generation | |
| TLS EC Diffie- Hellman public key | Asymmetric - PSP | ECDH public key used in TLS protocol key exchange | P-256, P-384 - 128 and 192 bits | ECDSA Key Generation | TLS Handshake | |
| TLS EC Diffie- Hellman private key | Asymmetric - CSP | ECDH private key used in TLS protocol key exchange | P-256, P-384 - 128 and 192 bits | ECDSA Key Generation | TLS Handshake | |
| TLS pre- primary secret | Asymmetric - CSP | TLS pre-primary secret used for deriving the TLS primary secret | P-256, P-384 - 128 and 192 bits | TLS Handshake | TLS Handshake | |
| TLS primary secret | Pre-primary secret - CSP | TLS primary secret derived from TLS pre- primary secret | 256 bits - 256 bits | TLS Handshake | TLS Handshake | |
| TLS derived session key | Symmetric - CSP | TLS derived session key derived from TLS primary secret | AES: 128 and 256 bits; HMAC: 112-256 bits - 112-256 its | TLS Handshake | ||
| SSH ECDSA public key | Asymmetric - PSP | ECDSA public key used for SSH key-based authentication | P-256, P-384 - 128 and 192 bits | ECDSA Signature Verification | ||
| SSH ECDSA private key | Asymmetric - CSP | ECDSA private key used for SSH key-based authentication | P-256, P-384 - 128 and 192 bits | ECDSA Signature Generation | ||
| SSH EC Diffie- Hellman public key | Asymmetric - PSP | EC Diffie- Hellman public key used for SSH handshake | P-256, P-384 - 128 and 192 bits | ECDSA Key Generation | SSH Handshake | |
| SSH EC Diffie- Hellman private key | Asymmetric - CSP | EC Diffie- Hellman private key used for SSH handshake | P-256, P-384 - 128 and 192 bits | ECDSA Key Generation | SSH Handshake | |
| SSH shared secret | Shared secret - CSP | SSH shared secret established during SSH shared secret computation | P-256, P-384 - 128 and 192 bits | SSH Handshake | SSH Handshake | |
| SSH derived session key | Symmetric - CSP | SSH derived session key derived from SSH shared secret | AES: 128 and 256 bits; HMAC: 112-256 bits - 112-256 bits | SSH Handshake | ||
| Password | Password - CSP | Password input by the User or CO during creation of a new user or updating an existing password | 8 characters - 1/676,000,000 | |||
| Entropy input string | Entropy - CSP | Entropy obtained from the non- physical entropy source | 256 bits - 256 bits | Counter DRBG | ||
| DRBG seed | Seed - CSP | DRBG seed derived from the entropy input string | 256 bits - 256 bits | Counter DRBG | Counter DRBG | |
| DRBG internal state (V and key values) | Internal state - CSP | DRBG internal state derived from the DRBG seed | 256 bits - 256 bits | Counter DRBG | Counter DRBG | |
| Intermediate key generation value | Intermediate value - CSP | Temporary value generated during key pair generation services | 256-4096 bits - 112-256 bits | RSA Key Generation ECDSA Key Generation | RSA Key Generation ECDSA Key Generation TLS Handshake SSH Handshake |
| Zeroization | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Method | |||
| Closing TLS/SSH Connection | Zeroization of temporary values | SSP temporary values generated during key generation services are zeroized by the module | Closing TLS/SSH Connection |
F5OS-A Cryptographic Module Table 18: SSP Zeroization Methods The zeroization methods listed in the SSP Zeroization Methods table, overwrite the memory occupied by keys with “zeros” or pre-defined values.
© 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module DiffieHellman public Table 19: SSP Table 1 © 2024 F5, Inc. / atsec information security.
| Name | Storage | Zeroization | Input | Storage Duration | Related SSPs |
|---|---|---|---|---|---|
| TLS RSA public key | SSD :Plaintext | Secure Erase | From service invoked to service completed or module reboot | TLS RSA private key:Paired With Intermediate key generation value:Derived From | |
| TLS RSA private key | SSD :Plaintext | Secure Erase | From service invoked to service completed or module reboot | TLS RSA public key:Paired With Intermediate key generation value:Derived From | |
| TLS ECDSA public key | SSD :Plaintext | Secure Erase | From service invoked to service completed or module reboot | TLS RSA private key:Paired With Intermediate key generation value:Derived From | |
| TLS ECDSA private key | SSD :Plaintext | Secure Erase | From service invoked to service completed or module reboot | TLS ECDSA public key:Paired With Intermediate key generation value:Derived From | |
| TLS EC Diffie- Hellman public key | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | TLS/SSH Protocol Output | From service invoked to service completed or module reboot | TLS EC Diffie-Hellman private key:Paired With Intermediate key generation value:Derived From |
| TLS EC Diffie- Hellman private key | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | From service invoked to service completed or module reboot | TLS EC Diffie-Hellman public key:Paired With Intermediate key generation value:Derived From | |
| TLS pre-primary secret | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | From service invoked to service completed or module reboot | TLS primary secret:Derives | |
| TLS primary secret | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | From service invoked to service completed or module reboot | TLS pre-primary secret :Derived From TLS derived session key :Derives | |
| TLS derived session key | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | From service invoked to service completed or module reboot | TLS primary secret:Derived From | |
| SSH ECDSA public key | SSD :Plaintext | Secure Erase | Service Input | From service invoked to service completed or module reboot | SSH ECDSA private key:Paired With |
| SSH ECDSA private key | SSD :Plaintext | Secure Erase | From service invoked to service completed or module reboot | SSH ECDSA public key :Paired With | |
| SSH EC Diffie- Hellman public key | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | TLS/SSH Protocol Output | From service invoked to service completed or module reboot | SSH EC Diffie-Hellman private key:Paired With SSH shared secret:Establishes Intermediate key generation value:Derived From |
| SSH EC Diffie- Hellman private key | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | From service invoked to service completed or module reboot | SSH EC Diffie-Hellman public key:Paired With SSH shared secret:Establishes Intermediate key generation value:Derived From | |
| SSH shared secret | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | From service invoked to service completed or module reboot | SSH EC Diffie-Hellman public key:Established By SSH EC Diffie-Hellman private key:Established By SSH derived session key :Derives | |
| SSH derived session key | RAM:Plaintext | Secure Erase Reboot System Closing TLS/SSH Connection | From service invoked to service completed or module reboot | SSH shared secret:Derived From | |
| Password | SSD :Plaintext | Secure Erase | Service Input | N/A | |
| Entropy input string | RAM:Plaintext | Secure Erase Reboot System | Storage duration during the usage of the CSP | DRBG seed :Derives | |
| DRBG seed | RAM:Plaintext | Secure Erase Reboot System | Storage duration during the usage of the CSP | Entropy input string :Derived From DRBG internal state (V and key values):Derives | |
| DRBG internal state (V and key values) | RAM:Plaintext | Secure Erase Reboot System | Storage duration during the usage of the CSP | DRBG seed :Derived From | |
| Intermediate key generation value | RAM:Plaintext | Secure Erase Reboot System | From service invoked to service completed or module reboot | TLS RSA public key:Derives TLS RSA private key:Derives TLS ECDSA public key:Derives TLS ECDSA private key:Derives SSH EC Diffie-Hellman public key:Derives |
F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module N/A © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module Table 20: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. © 2024 F5, Inc. / atsec information security.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test | Indicator |
|---|---|---|---|---|---|---|
| Test | Test | Properties | ||||
| HMAC-SHA2- 384 (A4985) | HMAC-SHA2- 384 (A4985) | Message authentication | SW/FW Integrity | Integrity test for F5OS-A version 1.7.0 | SHA2-384 | Module is operational and services are available for use |
| HMAC-SHA2- 384 (A5261) | HMAC-SHA2- 384 (A5261) | Message authentication | SW/FW Integrity | Integrity test for F5OS-A version 1.7.0 | SHA2-384 | Module is operational and services are available for use |
| Name | Properties | Test | Indicator | Details | Conditions |
|---|---|---|---|---|---|
| or Test | Type | ||||
| AES-GCM (A4985) | 256-bit key | CAST | Module is operational and services are available for use | Encryption | Module initialization |
| AES-GCM (A5261) | 256-bit key | CAST | Module is operational and services are available for use | Encryption | Module initialization |
| AES-GCM (A4985) | 256-bit key | CAST | Module is operational and services are available for use | Decryption | Module initialization |
| AES-GCM (A5261) | 256-bit key | CAST | Module is operational and services are available for use | Decryption | Module initialization |
| AES-ECB (A4985) | 128 bit-key | CAST | Module is operational and services are available for use | Encryption | Module initialization |
| or Test | Type | ||||
| AES-ECB (A5261) | 128 bit-key | CAST | Module is operational and services are available for use | Encryption | Module initialization |
| AES-ECB (A4985) | 128 bit-key | CAST | Module is operational and services are available for use | Decryption | Module initialization |
| AES-ECB (A5261) | 128 bit-key | CAST | Module is operational and services are available for use | Decryption | Module initialization |
| RSA SigGen (FIPS186-5) (A4985) | PKCS#1 v1.5 with 2048 bit key and SHA2-256 | CAST | Module is operational and services are available for use | Signature generation | Module initialization |
| RSA SigGen (FIPS186-5) (A5261) | PKCS#1 v1.5 with 2048 bit key and SHA2-256 | CAST | Module is operational and services are available for use | Signature generation | Module initialization |
| RSA SigVer (FIPS186-5) (A4985) | PKCS#1 v1.5 with 2048 bit key and SHA2-256 | CAST | Module is operational and services are available for use | Signature verification | Module initialization |
| RSA SigVer (FIPS186-5) (A5261) | PKCS#1 v1.5 with 2048 bit key and SHA2-256 | CAST | Module is operational and services are available for use | Signature verification | Module initialization |
| ECDSA SigGen (FIPS186-5) (A4985) | P-256 and SHA2- 256 | CAST | Module is operational and services are available for use | Signature generation | Module initialization |
| ECDSA SigGen (FIPS186-5) (A5261) | P-256 and SHA2- 256 | CAST | Module is operational and services are available for use | Signature generation | Module initialization |
| ECDSA SigVer (FIPS186-5) (A4985) | P-256 and SHA2- 256 | CAST | Module is operational and services are available for use | Signature verification | Module initialization |
| ECDSA SigVer (FIPS186-5) (A5261) | P-256 and SHA2- 256 | CAST | Module is operational and services are available for use | Signature verification | Module initialization |
| or Test | Type | ||||
| KAS-ECC- SSC Sp800- 56Ar3 (A4985) | P-256 | CAST | Module is operational and services are available for use | Shared secret computation | Module initialization |
| KAS-ECC- SSC Sp800- 56Ar3 (A5261) | P-256 | CAST | Module is operational and services are available for use | Shared secret computation | Module initialization |
| HMAC-SHA- 1 (A4985) | SHA-1 | CAST | Module is operational and services are available for use | Message authentication | Module initialization |
| HMAC-SHA- 1 (A5261) | SHA-1 | CAST | Module is operational and services are available for use | Message authentication | Module initialization |
| HMAC- SHA2-256 (A4985) | SHA2-256 | CAST | Module is operational and services are available for use | Message authentication | Module initialization |
| HMAC- SHA2-256 (A5261) | SHA2-256 | CAST | Module is operational and services are available for use | Message authentication | Module initialization |
| HMAC- SHA2-384 (A4985) | SHA2-384 | CAST | Module is operational and services are available for use | Message authentication | Module initialization |
| HMAC- SHA2-384 (A5261) | SHA2-384 | CAST | Module is operational and services are available for use | Message authentication | Module initialization |
| KDF SSH (A4985) | SHA2-256 | CAST | Module is operational and services are available for use | Key derivation | Module initialization |
| KDF SSH (A5261) | SHA2-256 | CAST | Module is operational and services are available for use | Key derivation | Module initialization |
| KDF TLS (A4985) | SHA2-256 | CAST | Module is operational and services are available for use | Key derivation | Module initialization |
| or Test | Type | ||||
| TLS v1.2 KDF RFC7627 (A5261) | SHA2-256 | CAST | Module is operational and services are available for use | Key derivation | Module initialization |
| ECDSA KeyGen (FIPS186-5) (A4985) | SHA2-256 and respective curve | PCT | Successful key pair generation | Signature Generation & Signature Verification | Key pair generation |
| ECDSA KeyGen (FIPS186-5) (A5261) | SHA2-256 and respective curve | PCT | Successful key pair generation | Signature Generation & Signature Verification | Key pair generation |
| RSA KeyGen (FIPS186-5) (A4985) | SHA2-256 and respective keys | PCT | Successful key pair generation | Signature Generation & Signature Verification | Key pair generation |
| RSA KeyGen (FIPS186-5) (A5261) | SHA2-256 and respective keys | PCT | Successful key pair generation | Signature Generation & Signature Verification | Key pair generation |
| ECDSA KeyGen (FIPS186-5) (A4985) | SHA2-256 and respective curve | PCT | Successful key pair generation | Signature generation & signature verification PCT that covers key pair generation for EC Diffie-Hellman | Key pair generation |
| ECDSA KeyGen (FIPS186-5) (A5261) | SHA2-256 and respective curve | PCT | Successful key pair generation | Signature generation & signature verification PCT that covers key pair generation for EC Diffie-Hellman | Key pair generation |
| Counter DRBG (A4985) | AES-256 with/without derivation function; Health test per section 11.3 of SP 800- 90ARev1 | CAST | Module is operational and services are available for use | KAT CTR_DRBG with AES with 256-bit key with and without prediction resistnace | Module initialization |
| Counter DRBG (A5261) | AES-256 with/without derivation function; Health test per section 11.3 of SP 800- 90ARev1 | CAST | Module is operational and services are available for use | KAT CTR_DRBG with AES with 256-bit key with and without prediction resistnace | Module initialization |
| Entropy Source | Health Test | CAST | Module is operational and services are available for use | Health test at start- up: performed on 1,024 consecutive samples | Module initialization |
| Entropy Source | Health Test | CAST | Module is operational | Health test during runtime: performed | Continuously |
| or Test | Type | ||||
| and services are available for use | and services are available for use | on 1,024 consecutive samples | |||
| Entropy Source | Health Test | CAST | Module is operational and services are available for use | Health test during start-up: performed on 512 consecutive samples | Module initialization |
| Entropy Source | Health Test | CAST | Module is operational and services are available for use | Health test during runtime: performed on 512 consecutive samples | Continuously |
1.7.0 1.7.0 Table 21: Pre-Operational Self-Tests The pre-operational self-test is performed automatically when the module is powered on. At initialization, the module performs pre-operational self-test (integrity test) and the CASTs. Services are not available, and the data output is inhibited during the pre-operational selftest. Upon successful completion of the pre-operational self-tests and CASTs, the module any of the self-tests, the module returns an error code, and transitions to the Error state. Both, the pre-operational tests, and conditional tests are performed without operator intervention, without any external controls, externally provided test vectors, output results and the determination of pass of fail is done by the module.
© 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module SSC Sp80056Ar3 SSC Sp80056Ar3 HMACSHA2-256 HMACSHA2-256 HMACSHA2-384 HMACSHA2-384 © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| HMAC-SHA2-384 (A4985) | HMAC-SHA2-384 (A4985) | Message authentication | SW/FW Integrity | On Demand | Manually |
| HMAC-SHA2-384 (A5261) | HMAC-SHA2-384 (A5261) | Message authentication | SW/FW Integrity | On Demand | Manually |
| AES-GCM (A4985) | AES-GCM (A4985) | Encrypt KAT | CAST | On Demand | Manually |
| AES-GCM (A5261) | AES-GCM (A5261) | Encrypt KAT | CAST | On Demand | Manually |
| AES-GCM (A4985) | AES-GCM (A4985) | Decrypt KAT | CAST | On Demand | Manually |
| AES-GCM (A5261) | AES-GCM (A5261) | Decrypt KAT | CAST | On Demand | Manually |
| AES-ECB (A4985) | AES-ECB (A4985) | Encrypt KAT | CAST | On Demand | Manually |
| AES-ECB (A5261) | AES-ECB (A5261) | Encrypt KAT | CAST | On Demand | Manually |
| AES-ECB (A4985) | AES-ECB (A4985) | Decrypt KAT | CAST | On Demand | Manually |
| AES-ECB (A5261) | AES-ECB (A5261) | Decrypt KAT | CAST | On Demand | Manually |
| RSA SigGen (FIPS186-5) (A4985) | RSA SigGen (FIPS186-5) (A4985) | Sign KAT | CAST | On Demand | Manually |
| RSA SigGen (FIPS186-5) (A5261) | RSA SigGen (FIPS186-5) (A5261) | Sign KAT | CAST | On Demand | Manually |
| RSA SigVer (FIPS186-5) (A4985) | RSA SigVer (FIPS186-5) (A4985) | Verify KAT | CAST | On Demand | Manually |
| RSA SigVer (FIPS186-5) (A5261) | RSA SigVer (FIPS186-5) (A5261) | Verify KAT | CAST | On Demand | Manually |
| ECDSA SigGen (FIPS186-5) (A4985) | ECDSA SigGen (FIPS186-5) (A4985) | Sign KAT | CAST | On Demand | Manually |
| ECDSA SigGen (FIPS186-5) (A5261) | ECDSA SigGen (FIPS186-5) (A5261) | Sign KAT | CAST | On Demand | Manually |
| ECDSA SigVer (FIPS186-5) (A4985) | ECDSA SigVer (FIPS186-5) (A4985) | Verify KAT | CAST | On Demand | Manually |
| ECDSA SigVer (FIPS186-5) (A5261) | ECDSA SigVer (FIPS186-5) (A5261) | Verify KAT | CAST | On Demand | Manually |
| KAS-ECC-SSC Sp800-56Ar3 (A4985) | KAS-ECC-SSC Sp800-56Ar3 (A4985) | Shared secret computation | CAST | On Demand | Manually |
| KAS-ECC-SSC Sp800-56Ar3 (A5261) | KAS-ECC-SSC Sp800-56Ar3 (A5261) | Shared secret computation | CAST | On Demand | Manually |
| HMAC-SHA-1 (A4985) | HMAC-SHA-1 (A4985) | HMAC KAT | CAST | On Demand | Manually |
| HMAC-SHA-1 (A5261) | HMAC-SHA-1 (A5261) | HMAC KAT | CAST | On Demand | Manually |
| HMAC-SHA2-256 (A4985) | HMAC-SHA2-256 (A4985) | HMAC KAT | CAST | On Demand | Manually |
| HMAC-SHA2-256 (A5261) | HMAC-SHA2-256 (A5261) | HMAC KAT | CAST | On Demand | Manually |
| HMAC-SHA2-384 (A4985) | HMAC-SHA2-384 (A4985) | HMAC KAT | CAST | On Demand | Manually |
| HMAC-SHA2-384 (A5261) | HMAC-SHA2-384 (A5261) | HMAC KAT | CAST | On Demand | Manually |
| KDF SSH (A4985) | KDF SSH (A4985) | SSH KDF KAT | CAST | On Demand | Manually |
| KDF SSH (A5261) | KDF SSH (A5261) | SSH KDF KAT | CAST | On Demand | Manually |
| KDF TLS (A4985) | KDF TLS (A4985) | TLS 1.2 KDF KAT | CAST | On Demand | Manually |
| TLS v1.2 KDF RFC7627 (A5261) | TLS v1.2 KDF RFC7627 (A5261) | TLS 1.2 KDF KAT | CAST | On Demand | Manually |
| ECDSA KeyGen (FIPS186-5) (A4985) | ECDSA KeyGen (FIPS186-5) (A4985) | ECDSA PCT | PCT | On Demand | Manually |
| ECDSA KeyGen (FIPS186-5) (A5261) | ECDSA KeyGen (FIPS186-5) (A5261) | ECDSA PCT | PCT | On Demand | Manually |
| RSA KeyGen (FIPS186-5) (A4985) | RSA KeyGen (FIPS186-5) (A4985) | RSA PCT | PCT | On Demand | Manually |
| RSA KeyGen (FIPS186-5) (A5261) | RSA KeyGen (FIPS186-5) (A5261) | RSA PCT | PCT | On Demand | Manually |
| ECDSA KeyGen (FIPS186-5) (A4985) | ECDSA KeyGen (FIPS186-5) (A4985) | ECDH PCT | PCT | On Demand | Manually |
| ECDSA KeyGen (FIPS186-5) (A5261) | ECDSA KeyGen (FIPS186-5) (A5261) | ECDH PCT | PCT | On Demand | Manually |
| Counter DRBG (A4985) | Counter DRBG (A4985) | CTR_DRBG KAT | CAST | On Demand | Manually |
| Counter DRBG (A5261) | Counter DRBG (A5261) | CTR_DRBG KAT | CAST | On Demand | Manually |
| Entropy Source | Entropy Source | RCT | CAST | On Demand | Manually |
| Entropy Source | Entropy Source | RCT | CAST | Continuously | Manually |
| Entropy Source | Entropy Source | APT | CAST | On Demand | Manually |
| Entropy Source | Entropy Source | APT | CAST | Continuously | Manually |
F5OS-A Cryptographic Module Table 22: Conditional Self-Tests During the conditional self-tests, services are not available and the data output interface is inhibited.
Table 23: Pre-Operational Periodic Information © 2024 F5, Inc. / atsec information security.
F5OS-A Cryptographic Module © 2024 F5, Inc. / atsec information security.
| Name | Description | Role Access | Indicator | Recovery Method |
|---|---|---|---|---|
| Error State | Module is no longer operational. The data output is inhibited. | HMAC-SHA2-384 KAT failure or HMAC-SHA2-384 integrity test failure Failure of any of the CAST Failure of any of the PCTs Failure of the APT, RCT at runtime Failure of the APT, RCT at restart (power on) | Module will not load after failing any of the CASTs, the integrity test or APT/RCT at restart (power on); Module will reboot after failing a PCT or APT/RCT at runtime | The module must reboot or be re- loaded with a fresh image |
F5OS-A Cryptographic Module Table 24: Conditional Periodic Information
Table 25: Error States All data output and cryptographic operations are inhibited when the module is in the Error
The software integrity tests, and cryptographic algorithm self-tests can be invoked on demand by rebooting the module. During the execution of the periodic and on-demand selftests, crypto services are not available, and no data output or input is possible. The PCTs are executed on demand during the key generation functions invocation. © 2024 F5, Inc. / atsec information security.
Follow the instructions in the "Initial Configuration" guide for the initial setup and configuration of the hardware module.
F5OS-A Cryptographic Module
The Crypto Officer should call the show version service (with command "show system image"), then confirm that the provided version matches the validated version shown in the Tested Module Identification
The FIPS validated module activation requires installation of the license referred as ‘FIPS license’. The Crypto Officer should call the show license service (with command "show system licensing"), then verify that the list of license flags includes "FIPS 140 License”.
The Crypto Officer should verify that the following specific configuration rules are followed to operate the module in the FIPS validated configuration.
The approved and non-approved security functions available to users are listed in section 2, the physical ports, and logical interfaces available to users are specified in section 3.1. The Approved and non-Approved modes of operation are specified in section 2.4. The algorithmspecific information is listed in section 2.7. © 2024 F5, Inc. / atsec information security.
The module does not implement security mechanisms to mitigate other attacks. © 2024 F5, Inc. / atsec information security.