| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/29/2030 |
| Caveat | When operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Apple Inc. |
flowchart LR
%% Deterministic review-risk graph for Apple corecrypto Module v13.0 [Apple silicon, Kernel, Software, SL1]
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Apple corecrypto Module v13.0 [Apple silicon, Kernel, Software, SL1]
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IKEV<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Apple Inc. Apple corecrypto Module v13.0 [Apple silicon, Kernel, Software, SL1] Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
| # | Section | Page |
|---|
This document may be reproduced and distributed only in its original entirely without revision.
| Item | Page |
|---|---|
| Table 1: Security Levels | 7 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 9 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 11 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 12 |
| Table 5: Modes List and Description | 12 |
| Table 6: Approved Algorithms - AES-CBC | 12 |
| Table 7: Approved Algorithms - AES-CCM | 13 |
| Table 8: Approved Algorithms - AES-CFB128 | 13 |
| Table 9: Approved Algorithms - AES-CFB8 | 13 |
| Table 10: Approved Algorithms - AES-CTR | 13 |
| Table 11: Approved Algorithms - AES-ECB | 13 |
| Table 12: Approved Algorithms - AES-GCM | 14 |
| Table 13: Approved Algorithms - AES-KW | 14 |
| Table 14: Approved Algorithms - AES-OFB | 14 |
| Table 15: Approved Algorithms - AES-XTS | 14 |
| Table 16: Approved Algorithms - CTR_DRBG | 14 |
| Table 17: Approved Algorithms - ECDSA-KEYGEN | 14 |
| Table 18: Approved Algorithms - ECDSA-KEYVER | 14 |
| Table 19: Approved Algorithms - ECDSA-SIGGEN | 15 |
| Table 20: Approved Algorithms - ECDSA-SIGVER | 15 |
| Table 21: Approved Algorithms - HMAC-SHA1 | 15 |
| Table 22: Approved Algorithms - HMAC-SHA224 | 15 |
| Table 23: Approved Algorithms - HMAC-SHA256 | 15 |
| Table 24: Approved Algorithms - HMAC-SHA384 | 15 |
| Table 25: Approved Algorithms - HMAC-SHA512 | 16 |
| Table 26: Approved Algorithms - HMAC-SHA512/256 | 16 |
| Table 27: Approved Algorithms - RSA-SIGGEN | 16 |
| Table 28: Approved Algorithms - RSA-SIGVER | 16 |
| Table 29: Approved Algorithms - SHA1 | 16 |
| Table 30: Approved Algorithms - SHA224 | 16 |
| Table 31: Approved Algorithms - SHA256 | 17 |
| Table 32: Approved Algorithms - SHA384 | 17 |
| Table 33: Approved Algorithms - SHA512 | 17 |
| Table 34: Approved Algorithms - SHA512/256 | 17 |
| Table 35: Vendor-Affirmed Algorithms | 17 |
| Table 36: Non-Approved, Not Allowed Algorithms | 18 |
| Table 37: Security Function Implementations | 21 |
| Table 38: Entropy Certificates | 21 |
| Table 39: Entropy Sources | 22 |
| Table 40: Ports and Interfaces | 23 |
| Table 41: Roles | 24 |
List of Figures This document may be reproduced and distributed only in its original entirely without revision.
Trademarks Apple’s trademarks applicable to this document are listed in https://www.apple.com/legal/intellectual-property/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirely without revision.
This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v13.0 [Apple silicon, Kernel, Software, SL1] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 module. This document provides all tables and diagrams (when applicable) required by NIST SP 800140Br1.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1 Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.
Purpose and Use: The Apple corecrypto Module v13.0 [Apple silicon, Kernel, Software, SL1] cryptographic module (hereafter referred to as “the module”) provides implementations of lowlevel cryptographic primitives to the Device OS’s kernels (iOS 16, iPadOS 16, watchOS 9, tvOS 16) Security Framework and Common Crypto. The module provides services intended to protect data in transit and at rest. The module is optimized for library use within the Device OS kernel space and does not contain any terminating assertions or exceptions. It is implemented as a Device OS dynamically loadable library. The library is loaded into the Device OS kernel and its cryptographic functions are made available to Device OS kernel services only. Any internal error detected by the module is returned to the caller with an appropriate return code. The calling Device OS kernel service must examine the return code and act accordingly. The module communicates any error status synchronously through the use of its documented return codes, thus indicating the module’s status. Caller-induced or internal errors do not reveal any sensitive material to callers. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The module cryptographic boundary is delineated by the dotted green rectangle in the Figure 1 where the Kernel Extension (KEXT) is a bundle that performs low-level tasks. KEXTs run in kernel space, which gives them elevated privileges and the ability to perform tasks that user-space apps can’t. This document may be reproduced and distributed only in its original entirely without revision.
Figure 1: Block Diagram Tested Operational Environment’s Physical Perimeter (TOEPP): The physical perimeter is represented by the most exterior black line in the block diagram Figure 1. The module executes within the kernel space of the computing platforms and operating systems listed in the Tested Operational Environments Table section 2.2.
Tested Module Identification
Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS iPadOS 16 iPad mini (5th Apple A Series A12 Yes NA v13.0 generation) Bionic iPadOS 16 iPad Pro 11-inch (1st Apple A Series Yes NA v13.0 generation) A12X Bionic iPadOS 16 iPad Pro 11-inch (2nd Apple A Series Yes NA v13.0 generation) A12Z Bionic iPadOS 16 iPad (9th generation) Apple A Series A13 Yes NA v13.0 Bionic iPadOS 16 iPad Air (4th Apple A Series A14 Yes NA v13.0 generation) Bionic iPadOS 16 iPad mini (6th Apple A Series A15 Yes NA v13.0 generation) Bionic iPadOS 16 iPad Pro 11-inch (3rd Apple M Series M1 Yes NA v13.0 generation) iPadOS 16 iPad Pro 11-inch (4th Apple M Series M2 Yes NA v13.0 generation) iOS 16 iPhone X Apple A Series A11 Yes NA v13.0 Bionic iOS 16 iPhone XS Max Apple A Series A12 Yes NA v13.0 Bionic iOS 16 iPhone 11 Pro Apple A Series A13 Yes NA v13.0 Bionic iOS 16 iPhone 12 Apple A Series A14 Yes NA v13.0 Bionic iOS 16 iPhone 13 Pro Max Apple A Series A15 Yes NA v13.0 Bionic iOS 16 iPhone 14 Pro Max Apple A Series A16 Yes NA v13.0 Bionic watchOS Apple Watch Series S4 Apple S Series S4 Yes NA v13.0 watchOS Apple Watch Series S5 Apple S Series S5 Yes NA v13.0 watchOS Apple Watch Series S6 Apple S Series S6 Yes NA v13.0 watchOS Apple Watch Series S7 Apple S Series S7 Yes NA v13.0 watchOS Apple Watch Series S8 Apple S Series S8 Yes NA v13.0 This document may be reproduced and distributed only in its original entirely without revision.
Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS iPadOS 16 iPad Pro 10.5-inch Apple A Series Yes NA v13.0 A10X Fusion tvOS 16 Apple TV 4K (2nd Apple A Series A12 Yes NA v13.0 generation) Bionic tvOS 16 Apple TV 4K (3rd Apple A Series A15 Yes NA v13.0 generation) Bionic Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Operating System Hardware Platform iPadOS 16 iPad Pro 12.9-inch iPadOS 16 iPad (6th generation) iPadOS 16 iPad Pro 12.9-inch (2nd generation) iPadOS 16 iPad Air (3rd generation) iPadOS 16 iPad (8th generation) iPadOS 16 iPad Pro 12.9-inch (3rd generation) iPadOS 16 iPad Pro 12.9-inch (4th generation) iPadOS 16 iPad Pro 12.9-inch (5th generation) iPadOS 16 iPad Pro 12.9-inch (6th generation) iOS 16 iPhone 8 iOS 16 iPhone 8 Plus iOS 16 iPhone XS iOS 16 iPhone XR iOS 16 iPhone 11 iOS 16 iPhone 11 Pro Max iOS 16 iPhone SE (2nd generation) iOS 16 iPhone 12 mini iOS 16 iPhone 12 Pro iOS 16 iPhone 12 Pro Max iOS 16 iPhone 13 mini iOS 16 iPhone 13 iOS 16 iPhone 13 Pro iOS 16 iPhone 14 Pro watchOS 9 Apple Watch SE macOS 13 Ventura Mac mini macOS 13 Ventura iMac (24-inch) macOS 13 Ventura MacBook Pro (14-inch, 2021) macOS 13 Ventura MacBook Air This document may be reproduced and distributed only in its original entirely without revision.
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
None for this module
Modes List and Description: Mode Description Type Status Indicator Name Approved Approved mode of operation Approved return a '1' from mode is entered when the module fips_allowed_mode() for block utilizes the services that use cipher functions and fips_allowed() the security functions listed in for all other services to indicate the the Approved Algorithms executed cryptographic algorithm Table and the Vendor was approved Affirmed Algorithms Table. Non- Non-Approved mode of Non- return a '0' from Approved operation is entered when the Approved fips_allowed_mode() for block mode module utilizes non-approved cipher functions and fips_allowed() security functions in the Table for all other services to indicate the Non-Approved Algorithms executed cryptographic algorithm Not Allowed in the Approved was non- approved Mode of Operation. Table 5: Modes List and Description
Approved Algorithms: AES-CBC Algorithm CAVP Cert Properties Reference AES-CBC A3682 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A3683 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Table 6: Approved Algorithms - AES-CBC This document may be reproduced and distributed only in its original entirely without revision.
AES-CCM Algorithm CAVP Cert Properties Reference AES-CCM A3685 Key Length - 128, 192, 256 SP 800-38C Table 7: Approved Algorithms - AES-CCM AES-CFB128 Algorithm CAVP Cert Properties Reference AES-CFB128 A3682 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3683 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Table 8: Approved Algorithms - AES-CFB128 AES-CFB8 Algorithm CAVP Cert Properties Reference AES-CFB8 A3683 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Table 9: Approved Algorithms - AES-CFB8 AES-CTR Algorithm CAVP Cert Properties Reference AES-CTR A3683 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A3685 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Table 10: Approved Algorithms - AES-CTR AES-ECB Algorithm CAVP Cert Properties Reference AES-ECB A3682 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3683 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3685 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Table 11: Approved Algorithms - AES-ECB AES-GCM Algorithm CAVP Cert Properties Reference AES-GCM A3685 Direction - Decrypt, Encrypt SP 800-38D IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 This document may be reproduced and distributed only in its original entirely without revision.
Table 12: Approved Algorithms - AES-GCM AES-KW Algorithm CAVP Cert Properties Reference AES-KW A3683 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 Table 13: Approved Algorithms - AES-KW AES-OFB Algorithm CAVP Cert Properties Reference AES-OFB A3682 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A3683 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Table 14: Approved Algorithms - AES-OFB AES-XTS Algorithm CAVP Cert Properties Reference AES-XTS Testing Revision 2.0 A3682 Direction - Decrypt, Encrypt SP 800-38E Key Length - 128, 256 Table 15: Approved Algorithms - AES-XTS CTR_DRBG Algorithm CAVP Cert Properties Reference Counter DRBG A3683 Prediction Resistance - No SP 800-90A Rev. 1 Mode - AES-128, AES-256 Derivation Function Enabled - Yes Counter DRBG A3685 Prediction Resistance - No SP 800-90A Rev. 1 Mode - AES-128, AES-256 Derivation Function Enabled - Yes Table 16: Approved Algorithms - CTR_DRBG ECDSA-KEYGEN Algorithm CAVP Cert Properties Reference ECDSA KeyGen A3686 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates Table 17: Approved Algorithms - ECDSA-KEYGEN ECDSA-KEYVER Algorithm CAVP Cert Properties Reference ECDSA KeyVer (FIPS186-4) A3686 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 Table 18: Approved Algorithms - ECDSA-KEYVER This document may be reproduced and distributed only in its original entirely without revision.
ECDSA-SIGGEN Algorithm CAVP Cert Properties Reference ECDSA SigGen A3686 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 Table 19: Approved Algorithms - ECDSA-SIGGEN ECDSA-SIGVER Algorithm CAVP Cert Properties Reference ECDSA SigVer A3686 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512 Table 20: Approved Algorithms - ECDSA-SIGVER HMAC-SHA1 Algorithm CAVP Cert Properties Reference HMAC-SHA- A3686 Key Length - Key Length: 8-262144 Increment FIPS 198-1
Table 21: Approved Algorithms - HMAC-SHA1 HMAC-SHA224 Algorithm CAVP Cert Properties Reference HMAC-SHA2- A3686 Key Length - Key Length: 8-262144 FIPS 198-1
Table 22: Approved Algorithms - HMAC-SHA224 HMAC-SHA256 Algorithm CAVP Cert Properties Reference HMAC-SHA2- A3686 Key Length - Key Length: 8-262144 FIPS 198-1
HMAC-SHA2- A3687 Key Length - Key Length: 8-262144 FIPS 198-1
Table 23: Approved Algorithms - HMAC-SHA256 HMAC-SHA384 Algorithm CAVP Cert Properties Reference HMAC-SHA2- A3684 Key Length - Key Length: 8-262144 FIPS 198-1
HMAC-SHA2- A3686 Key Length - Key Length: 8-262144 FIPS 198-1
Table 24: Approved Algorithms - HMAC-SHA384 This document may be reproduced and distributed only in its original entirely without revision.
HMAC-SHA512 Algorithm CAVP Cert Properties Reference HMAC-SHA2- A3684 Key Length - Key Length: 8-262144 FIPS 198-1
HMAC-SHA2- A3686 Key Length - Key Length: 8-262144 FIPS 198-1
Table 25: Approved Algorithms - HMAC-SHA512 HMAC-SHA512/256 Algorithm CAVP Cert Properties Reference HMAC-SHA2- A3684 Key Length - Key Length: 8-262144 FIPS 198-1 512/256 Increment 8 HMAC-SHA2- A3686 Key Length - Key Length: 8-262144 FIPS 198-1 512/256 Increment 8 Table 26: Approved Algorithms - HMAC-SHA512/256 RSA-SIGGEN Algorithm CAVP Cert Properties Reference RSA SigGen (FIPS186-4) A3686 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 Modulo - 2048, 3072, 4096 Table 27: Approved Algorithms - RSA-SIGGEN RSA-SIGVER Algorithm CAVP Cert Properties Reference RSA SigVer (FIPS186-4) A3686 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 Modulo - 1024, 2048, 3072, 4096 Table 28: Approved Algorithms - RSA-SIGVER SHA1 Algorithm CAVP Cert Properties Reference SHA-1 A3686 Message Length - Message Length: 0-32768 FIPS 180-4 Increment 8 Table 29: Approved Algorithms - SHA1 SHA224 Algorithm CAVP Cert Properties Reference SHA2- A3686 Message Length - Message Length: 0-32768 FIPS 180-4
Table 30: Approved Algorithms - SHA224 This document may be reproduced and distributed only in its original entirely without revision.
SHA256 Algorithm CAVP Cert Properties Reference SHA2- A3686 Message Length - Message Length: 0-32768 FIPS 180-4
SHA2- A3687 Message Length - Message Length: 0-32768 FIPS 180-4
Table 31: Approved Algorithms - SHA256 SHA384 Algorithm CAVP Cert Properties Reference SHA2- A3684 Message Length - Message Length: 0-32768 FIPS 180-4
SHA2- A3686 Message Length - Message Length: 0-32768 FIPS 180-4
Table 32: Approved Algorithms - SHA384 SHA512 Algorithm CAVP Cert Properties Reference SHA2- A3684 Message Length - Message Length: 0-32768 FIPS 180-4
SHA2- A3686 Message Length - Message Length: 0-32768 FIPS 180-4
Table 33: Approved Algorithms - SHA512 SHA512/256 Algorithm CAVP Cert Properties Reference SHA2- A3684 Message Length - Message Length: 0-32768 FIPS 180-4 512/256 Increment 8 SHA2- A3686 Message Length - Message Length: 0-32768 FIPS 180-4 512/256 Increment 8 Table 34: Approved Algorithms - SHA512/256 The FIPS 186-4 CAVP tests in the listed ACVP certificates above are mathematically identical to the FIPS 186-5 CAVP tests. Per FIPS 140-3 C.K Additional Comments 2, the module claims compliance with FIPS 186-5 tests. Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key Type:Asymmetric N/A SP800-133rev2 section 4 example 1 Table 35: Vendor-Affirmed Algorithms This document may be reproduced and distributed only in its original entirely without revision.
Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function ANSI X9.63 KDF Hash based Key Derivation Function Blowfish Encryption / Decryption CAST5 Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments DES Encryption / Decryption Key Size: 56-bits ECDSA Generation / Verification / SigGen / SigVer with curve P-192 ECDSA KeyGen Key Pair Generation for compact point representation of points EdDSA Key Generation, Signature Generation, Signature Verification with Ed25519 HKDF [SP800-56Crev2] Key Derivation Function Integrated Encryption Scheme on Encryption / Decryption elliptic curves (ECIES) MD2 Message Digest size: 128-bit MD4 Message Digest size: 128-bit OMAC (One-Key CBC MAC) MAC generation /verification RC2 Encryption / Decryption Key Sizes 8 to 1024-bits RC4 Encryption / Decryption Key Sizes 8 to 4096-bits RIPEMD Message Digest size: 160-bits RSA SigGen PKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048 RSA SigVer Signature Verification Key Size < 1024 RSA Key Wrapping OAEP, PKCS#1 v1.5 and -PSS schemes Triple-DES [SP 800-67r2] CBC, CTR, CFB64, ECB, CFB8, OFB MD5 Message Digest size: 128-bit RFC 6637 Key Derivation SHA-256, SHA-512, AES-128, AES-256 Table 36: Non-Approved, Not Allowed Algorithms
This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms Unauthenticated BC-UnAuth Key Size / Key AES [FIPS 197; AES-CBC: Symmetric Strength: 128, SP 800- (A3682, A3683) Encryption and 192, 256-bits 38A]:ECB, CBC, AES-CFB128: Decryption (for all but XTS, CFB8, CFB128, (A3682, A3683) which supports OFB, CTR AES-XTS Testing
keys) SP 800-38E]:XTS (A3682) AES-ECB: (A3682, A3683, A3685) AES-OFB: (A3682, A3683) AES-CFB8: (A3683) AES-CTR: (A3683, A3685) Authenticated BC-Auth Key Size/ Key AES [FIPS 197; AES-CCM: Symmetric Strength: 128, SP 800- (A3685) Encryption and 192, 256-bits 38C]:CCM AES-GCM: Decryption AES [FIPS 197; (A3685) SP 80038D]:GCM Random DRBG Key Length/ Key CTR_DRBG Counter DRBG: Number Strength: 128, [SP800- (A3683, A3685) Generation 256 90ARev1]:AES128, AES-256 Derivation Function Enabled No Prediction Resistance ECDSA AsymKeyPair- Curve: P-224, P- key generation ECDSA KeyGen Asymmetric Key KeyGen 256, P-384, P- method:Testing (FIPS186-4): Generation CKG 521. Key Candidates (A3686) Strength: from Supported CKG: ()
256, P-384, P- Asymmetric ECDSA Public- AsymKeyPair- Curve: P-224, P- ECDSA [FIPS ECDSA KeyVer Key Validation PubKeyVal 256, P-384, P- 186-5]:Public- (FIPS186-4): 521. Key Key Validation (A3686) (PKV) This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms Strength: from
ECDSA Digital DigSig-SigGen Curve: P-224, P- ECDSA [FIPS ECDSA SigGen Signature 256, P-384, P- 186-5]:Signature (FIPS186-4): Generation 521. Key Generation (A3686) Strength: from
ECDSA Digital DigSig-SigVer Curve: P-224, P- ECDSA [FIPS ECDSA SigVer Signature 256, P-384, P- 186-5]:Signature (FIPS186-4): Verification 521. Key Verification (A3686) Strength: from
HMAC Message MAC Key Length 8 - HMAC [FIPS HMAC-SHA2Authentication 262144 bits/ Key 198] 384: (A3684, Strength: 112 to (vng_ltc):SHA-1, A3686)
256, SHA-384, 512: (A3684, SHA-512, SHA- A3686) 512/256 HMAC-SHA2HMAC [FIPS 198] 512/256: (A3684, (c_ltc):SHA-384, A3686) SHA-512, SHA- HMAC-SHA2512/256 256: (A3686, HMAC [FIPS 198] A3687) (vng_neon):SHA- HMAC-SHA-1:
HMAC-SHA2224: (A3686) key wrapping / KTS-Wrap Key Size/ Key KTS (AES) [SP AES-KW: (A3683) key unwrapping Strength: 128, 800-38F]:AES192, 256-bits KW RSA Digital DigSig-SigGen Modulus: 2048, RSA [FIPS 186- RSA SigGen Signature 3072, 4096. Key 5]:Signature (FIPS186-4): Generation Strength: from Generation (A3686)
and (PKCS PSS) RSA Digital DigSig-SigVer Modulus: 1024 RSA [FIPS 186- RSA SigVer Signature (legacy use per 5]:Signature (FIPS186-4): Verification FIPS 140-3 IG Verification (A3686) C.K), 2048, 3072, PKCS#1 v1.5) 4096. Key and (PKCS PSS) This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms Strength: from
Message Digest SHA N/A SHS [FIPS 180- SHA2-384: 4] (vng_ltc):SHA- (A3684, A3686) 1, SHA-224, SHA2-512: SHA-256, SHA- (A3684, A3686) 384, SHA-512, SHA2-512/256: SHA-512/256 (A3684, A3686) SHS [FIPS 180- SHA2-224: 4] (c_ltc):SHA- (A3686) 384, SHA-512, SHA2-256: SHA-512/256 (A3686, A3687) SHS [FIPS 180-4] SHA-1: (A3686) (vng_neon):SHATable 37: Security Function Implementations
AES-GCM AES-GCM IV is constructed in compliance with IG C.H scenario
Cert Vendor Number Name E14 apple E15 apple Table 38: Entropy Certificates This document may be reproduced and distributed only in its original entirely without revision.
Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample Apple corecrypto Physical See Tested 256 bit 256 bit SHA-256 [ACVP physical entropy Operational cert. # C1223] source Environment Table Apple corecrypto Non- See Tested 256 bit 256 bit SHA-256 [ACVP non- physical Physical Operational Certs. # A3687] entropy source Environment Table Table 39: Entropy Sources Entropy sources: Two entropy sources (one non-physical entropy source and one physical entropy source) residing within the TOEPP provide the random bits. The entropy sources are located within the physical perimeter of the module (TOEPP) but outside the cryptographic boundary of the module. RBGs: The NIST [SP 800-90ARev1] approved deterministic random bit generators (DRBG) used for random number generation is a CTR_DRBG using AES-256 with derivation function and without prediction resistance. The module performs DRBG health tests according to [SP800-90ARev1 section 11.3]. The deterministic random bit generators are seeded by “read_random”. The read_random is the Kernel Space interface. RBG Output: The output of entropy sources provides 256-bits of entropy to seed and reseed SP800-90ARev1 DRBG during initialization (seed) and reseeding (reseed).
See vendor affirmed algorithms (CKG) in section 2.5. The module does not implement symmetric key generation.
No parts of the IPSec, other than those mentioned above, have been tested by the CAVP and CMVP. This document may be reproduced and distributed only in its original entirely without revision.
Physical Logical Data That Passes Port Interface(s) N/A Data Input Data inputs/outputs are provided in the variables passed in the C Data language Kernel Interfaces (KPIs) and callable service invocations, Output generally through caller-supplied buffers N/A Control Control inputs which control the mode of the module are provided Input through dedicated parameters. N/A Status Status output is provided in return codes and through messages. Output Documentation for each KPI lists possible return codes. A complete list of all return codes returned by the C language KPIs within the module is provided in the header files and the KPI documentation. Messages are also documented in the KPI documentation. Table 40: Ports and Interfaces The module does not implement a Control Output Logical Interface This document may be reproduced and distributed only in its original entirely without revision.
N/A for this module. FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not support an authentication mechanism for Crypto Officer. The Crypto Officer role is authorized to access all services provided by the module (see Table - Approved Services and Table - Non-Approved Services).
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 41: Roles
Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access AES Execute 1 plaintext ciphertext Unauthenticat Crypto Encryption/Decrypt AES- data and data / ed Symmetric Officer ion mode key / plaintext Encryption - AES encrypt or ciphertex data and key: decrypt t data Decryption W,E operation and key Authenticated Symmetric Encryption and Decryption AES Key Wrapping Execute 1 key wrapped key wrapping Crypto / Key Unwrapping AES-key wrapping key / / key Officer wrapping key, unwrappe unwrapping - AES or unwrapp d key keyunwrappi ed key / wrappin ng Wrapped g key: operation key, AES W,E key wrapping key This document may be reproduced and distributed only in its original entirely without revision.
Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access Secure Hash Generate 1 message digest Message Crypto Generation a digest Digest Officer for the requested algorithm Message Generate 1 message, MAC HMAC Crypto Authentication a MAC MAC key, Message Officer Generation digest MAC Authenticatio - HMAC using the algorithm n key: requested W,E SHA algorithm Message Verify a 1 MAC, pass/fail HMAC Crypto Authentication MAC message, Message Officer Code Verification digest MAC key, Authenticatio - HMAC MAC n key: algorithm W,E RSA signature Sign a 1 SigGen: SigGen: RSA Digital Crypto generation and message private compute Signature Officer verification with a key, d Generation - RSA specified message, signature; RSA Digital key RSA hash SigVer: Signature pair: private function; pass/fail Verification W,E key. Verify SigVer: result of the public digital signature key, signature of a digital verificatio message signature, n with a message, specified hash RSA function public key. ECDSA signature Sign a 1 SigGen: SigGen: ECDSA Digital Crypto generation and message private compute Signature Officer verification with a key, d Generation specified message, signature; ECDSA Digital ECDSA ECDSA hash SigVer: Signature key private function; pass/fail Verification pair: key Verify SigVer: result of W,E the public digital This document may be reproduced and distributed only in its original entirely without revision.
Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access signature key, signature of a digital verificatio message signature, n with a message, specified hash ECDSA function public key Random Number Generate 1 length of random Random Crypto Generation random generate bit-string Number Officer number d number Generation Entropy input string: E - DRBG seed, internal state V value, and key: G,R,E ECDSA key pair Generate 1 domain key pair ECDSA Crypto generation and a keypair paramete Asymmetric Officer validation for a rs Key requested Generation ECDSA elliptic ECDSA Public- key curve and Key Validation pair: validity G,R,E Self-test execute 1 power pass/fail Unauthenticat Crypto CASTs results ed Symmetric Officer Encryption - HMAC and key: E Decryption - AES Authenticated key: E Symmetric - AES Encryption keyand wrappin Decryption g key: E Random Number ECDSA Generation key This document may be reproduced and distributed only in its original entirely without revision.
Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access ECDSA pair: E Asymmetric - RSA Key key Generation pair: E ECDSA Public- - DRBG Key Validation seed, ECDSA Digital internal Signature state V Generation value, ECDSA Digital and Signature key: E Verification HMAC Message Authenticatio n key wrapping / key unwrapping RSA Digital Signature Generation RSA Digital Signature Verification Message Digest Show Status Return N/A N/A Status None Crypto the output Officer module status Show module Return N/A N/A Module None Crypto version info Module informati Officer Base on Name and Module Version Number Zeroization SSPs are 1 N/A N/A None Crypto zeroised Officer when the - AES This document may be reproduced and distributed only in its original entirely without revision.
Name Descriptio Indicat Inputs Outputs Security SSP n or Functions Access system is key: Z powered - AES down, keywhen all wrappin resources g key: Z of - HMAC symmetric key: Z crypto function ECDSA context, key all pair: Z resources - RSA of hash key context, pair: Z all resources Entropy of input asymmetri string: Z c crypto - DRBG function seed, context internal are state V released. value, and key: Z Table 42: Approved Services The abbreviations of the access rights to SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A = The service does not access any SSP during its operation
Name Description Algorithms Role Triple-DES encryption / Execute Triple-DES mode Triple-DES [SP 800- CO decryption encrypt or decrypt operation. 67r2] This document may be reproduced and distributed only in its original entirely without revision.
Name Description Algorithms Role RSA Key Encapsulation The CAST does not perform RSA Key Wrapping CO the full KTS, only the raw RSA encrypt/decrypt. RSA Signature Generation Sign a message with a non- RSA SigGen CO approved RSA private key size RSA Signature Verification Verify the signature of a RSA SigVer CO message with a nonapproved RSA public key size ECDSA key-pair generation, For curve P-192 ECDSA CO ECDSA PKV, ECDSA signature generation, ECDSA signature verification ECDSA Key Pair Generation for For compact point ECDSA KeyGen CO compact point representation of representation of points points EdDSA Key Generation, Ed25519 EdDSA CO Signature Generation, Signature Verification ECIES Elliptic Curve encrypt/ Integrated CO decrypt Encryption Scheme on elliptic curves (ECIES) ANSI X9.63 Key Derivation SHA-1 hash-based ANSI X9.63 KDF CO SP800-56Crev2 Key Derivation SHA-256 hash-based HKDF [SP800- CO (HKDF) 56Crev2] OMAC Message Authentication One-Key CBC-MAC using OMAC (One-Key CO Code Generation 128-bit key CBC MAC) OMAC Message Authentication One-Key CBC-MAC using OMAC (One-Key CO Code Verification 128-bit key CBC MAC) Message digest generation Message digest generation MD2 CO using non-approved MD4 algorithms RIPEMD MD5 Symmetric encryption / Symmetric encryption / Blowfish CO decryption decryption using non- CAST5 approved algorithms DES RC2 RC4 RFC 6637 KDF SHA-256, SHA-512, AES-128, RFC 6637 Key CO AES-256 Derivation This document may be reproduced and distributed only in its original entirely without revision.
Table 43: Non-Approved Services
N/A This document may be reproduced and distributed only in its original entirely without revision.
A software integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e. the module is not operational.
The module’s integrity test can be performed on demand by power-cycling the computing platform. Integrity test on demand is performed as part of the Pre-Operational Self-Tests, automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.
Type of Operational Environment: Modifiable
The module is supplied as part of Device OS, a commercially available general-purpose operating system executing on the computing platforms specified in section 2.2. This document may be reproduced and distributed only in its original entirely without revision.
The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v13.0 [Apple silicon, Kernel, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirely without revision.
Per IG 12.A, until the requirements of NIST SP 800-140F are defined, non-invasive mechanisms fall under ISO/IEC 19790:2012 Section 7.12 Mitigation of other attacks. The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.
Storage Description Persistence Area Type Name RAM The module stores ephemeral SSPs in RAM provided by the Dynamic operational environment. They are received for use or generated by the module only at the command of the calling application. The operating system protects all SSPs through the memory separation and protection mechanisms. No process other than the module itself can access the SSPs in its process' memory. Table 44: Storage Areas
Name From To Format Distribution Entry SFI or Type Type Type Algorithm KPI input Operating Cryptographic Plaintext Manual Electronic parameters calling module application (TOEPP) KPI output Cryptographic Operating Plaintext Manual Electronic parameters module calling application (TOEPP) Table 45: SSP Input-Output Methods
Zeroization Description Rationale Operator Method Initiation Context object SSPs are zeroised when the Zeroization when structure By calling the destruction appropriate context object is deallocated zeroization is destroyed function cc_clear Power down SSPs are zeroised when the SSPs are zeroised when the Operator can system is powered down system is powered down initiate power down This document may be reproduced and distributed only in its original entirely without revision.
Zeroization Description Rationale Operator Method Initiation Intermediate Intermediate keygen values Intermediate keygen values N/A value are zeroized before the are zeroized before the zeroization module returns from the module returns from the key generation function. key generation function. Table 46: SSP Zeroization Methods Data output interfaces are inhibited while zeroisation is performed.
Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h AES key AES key 128 to Symmetric Unauthenticate
256 bits - CSP d Symmetric
256 bits Decryption
Authenticated Symmetric Encryption and Decryption AES key- AES KW 128 to symmetric key wrapping / wrappin 256 bits - CSP key unwrapping g key - 128 to
HMAC HMAC key 128 to MAC - CSP HMAC Message key 256 - Authentication
ECDSA ECDSA key P-224, Asymmetri ECDSA ECDSA Publickey pair pair P-256, c - CSP Asymmetri Key Validation (including P-384, c Key ECDSA Digital intermediat P-521 - Generation Signature e keygen 112 to Generation values) 256 bits ECDSA Digital Signature Verification RSA key RSA key 2048 - Asymmetri RSA Digital pair pair 4096 - c - CSP Signature
112 to Generation
150 bits RSA Digital
This document may be reproduced and distributed only in its original entirely without revision.
Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h Signature Verification Entropy Entropy 256 bits Entropy Random input input string - 256 input string Number string bits - CSP Generation DRBG DRBG input 256 bits DRBG - Random Random seed, parameters - 256 CSP Number Number internal bits Generation Generation state V value, and key Table 47: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key KPI input RAM:Plaintext From service Context parameters invocation to object service destruction completion Power down AES key- KPI input RAM:Plaintext From service Context wrapping parameters invocation to object key service destruction completion Power down HMAC key KPI input RAM:Plaintext From service Context parameters invocation to object service destruction completion Power down ECDSA key KPI input RAM:Plaintext From service Context DRBG seed, pair parameters invocation to object internal state V KPI output service destruction value, and parameters completion Power down key:Used With Intermediate value zeroization RSA key pair KPI input RAM:Plaintext From service Context parameters invocation to object service destruction completion Power down Intermediate This document may be reproduced and distributed only in its original entirely without revision.
Name Input - Storage Storage Zeroization Related SSPs Output Duration value zeroization Entropy RAM:Plaintext Storage Power down DRBG seed, input string duration internal state V during the value, and usage of the key:Used With CSP DRBG seed, Storage Power down Entropy input internal duration string:Used state V during the With value, and usage of the key CSP Table 48: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.
While the module is executing the self-tests, services are not available, and input and output are inhibited.
The module performs a pre-operational software integrity automatically when the module is loaded into memory (i.e., at power on) before the module transitions to the operational state. A software integrity test is performed on the runtime image of the module with HMAC-SHA256 used to perform the approved integrity technique. Prior to using HMAC-SHA-256, a Conditional Cryptographic Algorithm Self-Tests (CAST) is performed. Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 112-bit Message SW/FW Module The HMAC-SHA2-256 SHA2-256 key Authentication Integrity successful value calculated at (A3687) execution runtime is compared with the HMAC-SHA2-
module, computed at compilation time. Table 49: Pre-Operational Self-Tests
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM 128-bit key KAT CAST Module Authenticated Test runs at (A3685) becomes decryption Power-on operational before the integrity test Counter AES 128-bit KAT CAST Module Health test per Test runs at DRBG key becomes SP800- 90ARev1 Power-on (A3685) operational section 11.3 before the integrity test HMAC- SHA2-256 KAT CAST Module Message Test runs at SHA2-256 becomes authentication Power-on (A3686) operational before the integrity test HMAC- SHA-1 KAT CAST Module Message Test runs at SHA-1 becomes authentication Power-on (A3686) operational This document may be reproduced and distributed only in its original entirely without revision.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type before the integrity test HMAC- SHA2-512 KAT CAST Module Message Test runs at SHA2-512 becomes authentication Power-on (A3684) operational before the integrity test RSA PKCS#1 KAT CAST Module Signature Test runs at SigGen v1.5 with becomes Generation Power-on (FIPS186-4) 2048 bit key operational service request before the (A3686) and SHA2- integrity test RSA SigVer PKCS#1 KAT CAST Module Signature Test runs at (FIPS186-4) v1.5 with becomes Verification Power-on (A3686) 2048 bit key operational service request before the and SHA2- integrity test ECDSA SHA2-256 PCT PCT Successful Key generation Key pair KeyGen and key generation. (FIPS186-4) respective generation (A3686) keys ECDSA P-256 with KAT CAST Module Signature Test runs at SigGen SHA-256 becomes Generation or Power-on (FIPS186-4) operational Key Generation before the (A3686) service request integrity test ECDSA P-224 with KAT CAST Module Signature Test runs at SigVer SHA-224 becomes Verification or Power-on (FIPS186-4) operational Key Generation before the (A3686) service request integrity test AES-CBC 128-bit key KAT CAST Module Encryption and Test runs at (A3682) becomes decryption run Power-on operational separately before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption and Test runs at (A3682) becomes decryption run Power-on operational separately before the integrity test AES-XTS 128-bit key KAT CAST Module Encryption Test runs at Testing becomes Power-on Revision operational before the
2.0 (A3682) integrity test
This document may be reproduced and distributed only in its original entirely without revision.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-CCM 128-bit key KAT CAST Module Authenticated Test runs at (A3685) becomes encryption / Power-on operational decryption before the operations are integrity test performed separately HMAC- SHA2- KAT CAST Module Message Test runs at SHA2- 512/256 becomes authentication Power-on 512/256 operational before the (A3686) integrity test Table 50: Conditional Self-Tests
Algorithm or Test Method Test Type Period Periodic Method Test HMAC-SHA2- Message SW/FW Integrity Whenever Upon every
256 (A3687) Authentication module is power on
powered on Table 51: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Method Test AES-GCM KAT CAST On Demand Manually (A3685) Counter DRBG KAT CAST On Demand Manually (A3685) HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA-1 KAT CAST On Demand Manually (A3686) HMAC-SHA2- KAT CAST On Demand Manually
RSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3686) RSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3686) This document may be reproduced and distributed only in its original entirely without revision.
Algorithm or Test Method Test Type Period Periodic Method Test ECDSA KeyGen PCT PCT Upon generation Upon generation (FIPS186-4) of an ECDSA key of an ECDSA key (A3686) pair pair ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A3686) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A3686) AES-CBC KAT CAST On Demand Manually (A3682) AES-ECB (A3682) KAT CAST On Demand Manually AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3682) AES-CCM KAT CAST On Demand Manually (A3685) HMAC-SHA2- KAT CAST On Demand Manually 512/256 (A3686) Table 52: Conditional Periodic Information
Name Description Conditions Recovery Indicator Method Error
Name Description Conditions Recovery Indicator Method match the operational known value software or 3) The integrity test signature and the failed to verify Conditional successfully in CASTs. the Conditional PCT. No cryptographic services are provided, and data output is prohibited Table 53: Error States
The module permits operators to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by rebooting the system (i.e., power-cycling). This document may be reproduced and distributed only in its original entirely without revision.
Startup Procedures: The module is built into Device OS defined in section 2 and delivered/ installed with the respective Device OS. There is no standalone delivery of the module as a software library. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self- tests.
The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E14_PublicUse.pdf The ESV Public Use Document (PUD) reference for non-physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E15_PublicUse.pdf Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation.
The Crypto Officer shall consider the following requirements and restrictions when using the module.
The module secure sanitization is accomplished through the Lost Mode, remote wipe, and remote lock sections of the provided vendor document [platform certifications]. This document may be reproduced and distributed only in its original entirely without revision.
The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CAST Cryptographic Algorithm Self-Test CAST5 A symmetric-key 64-bit block cipher with 128-bit key CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DRBG Deterministic Random Bit Generator ECB Electronic Code Book ESVP Entropy Source Validation Program FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAT Known Answer Test KDF Key Derivation Function KEXT Kernel Extension KW AES Key Wrap MAC Message Authentication Code KPI Kernel Programming Interface NIST National Institute of Science and Technology OFB Output Feedback PAA Processor Algorithm Acceleration PKG Key-Pair Generation PKV Public Key Validation PSS Probabilistic Signature Scheme PUD Public Use Document (ESVP) RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard TOEPP Tested Operational Environment Physical Perimeter XTS XEX-based Tweaked-codebook mode with cipher text Stealing This document may be reproduced and distributed only in its original entirely without revision.
Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program September 2020 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-ig-announcements FIPS140-3_MM CMVP FIPS 140-3 Draft Management Manual https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3-CMVP%20Management%20Manual%20v2.0.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140Br1 CMVP Security Policy Requirements https://doi.org/10.6028/NIST.SP.800-140Br1 SP 800-140C CMVP Approved Security Functions https://csrc.nist.gov/publications/detail/sp/800-140c/final SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods https://csrc.nist.gov/publications/detail/sp/800-140d/final SP 800-140E CMVP Approved Authentication Mechanisms https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics https://csrc.nist.gov/publications/detail/sp/800-140f/final FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-5 Digital Signature Standard (DSS) F3b 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf This document may be reproduced and distributed only in its original entirely without revision.
PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://doi.org/10.6028/NIST.SP.800-57pt1r5 SP800-67r2 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 (withdrawn January 2014) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 This document may be reproduced and distributed only in its original entirely without revision.
SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-108r1 NIST Special Publication 800-108r1 - Recommendation for Key Derivation Using Pseudorandom Functions Aug 2022 https://doi.org/10.6028/NIST.SP.800-108r1 SP800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SEC Apple Platform Security https://support.apple.com/guide/security/welcome/web https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf platform certifications Apple Platform Certifications https://support.apple.com/guide/certifications/welcome/web This document may be reproduced and distributed only in its original entirely without revision.