All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Spectro Cloud Cryptographic Library

Certificate#5061StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSpectro Cloud, Inc.
Low review priority  ·  no TCB surface named  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/22/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys). When operated in approved mode.
VendorSpectro Cloud, Inc.

Approved Algorithms (28)

AlgorithmACVP Cert
AES-CBCA2811
AES-CCMA2811
AES-CTRA2811
AES-ECBA2811
AES-GCMA2811
AES-KWA2811
AES-KWPA2811
Counter DRBGA2811
ECDSA KeyGen (FIPS186-4)A2811
ECDSA KeyVer (FIPS186-4)A2811
ECDSA SigGen (FIPS186-4)A2811
ECDSA SigVer (FIPS186-4)A2811
HMAC-SHA-1A2811
HMAC-SHA2-224A2811
HMAC-SHA2-256A2811
HMAC-SHA2-384A2811
HMAC-SHA2-512A2811
KAS-ECC-SSC Sp800-56Ar3A2811
KDF TLSA2811
RSA KeyGen (FIPS186-4)A2811
RSA SigGen (FIPS186-4)A2811
RSA SigVer (FIPS186-4)A2811
SHA-1A2811
SHA2-224A2811
SHA2-256A2811
SHA2-384A2811
SHA2-512A2811
SHA2-512/256A2811

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Spectro Cloud Cryptographic Library
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Self-Test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Spectro Cloud Cryptographic Library
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Self-Test<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Spectro Cloud, Inc. Spectro Cloud Cryptographic Library Software Version: v2 Date: November 5, 2025 Prepared by: www.corsec.com www.spectrocloud.com

2024 Public Material

Page 2

Introduction Federal Information Processing Standards Publication 140-3

2024 Public Material

Page 3
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1 - Security Levels5
Table 2 - Tested Operational Environments7
Table 3 - Vendor Affirmed Operational Environments7
Table 4 - Approved Algorithms9
Table 6 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation10
Table 7 - Ports and Interfaces12
Table 8 - Roles, Service Commands, Input and Output13
Table 9 - Approved Services15
Table 10 - Non-Approved Services16
Table 11 – SSP21
Table 12 - Non-Deterministic Random Number Generation Specification22
Figure 1 - BoringCrypto boundary10
Page 5

1. General This document describes Spectro Cloud’s cryptographic module Security Policy (SP) for the Spectro Cloud Cryptographic Library (Software version: v2) cryptographic module (also referred to as the “module” hereafter). It contains specification of the security rules under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The module is a software module and has a Multi-Chip Stand Alone embodiment. The module meets the overall Level 1 security requirements of FIPS 140-3. The following table lists the level of validation for each area in FIPS 140-3: ISO/IEC 24759 FIPS 140-3 Section Title Security Level Section 6.

1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
9 Sensitive Security Parameter 1
10 Self-Tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A

2024 Public Material

Page 6

2. Cryptographic Module Specification Spectro Cloud Cryptographic Library module by Spectro Cloud, Inc. is an open-source, general-purpose cryptographic library which provides approved cryptographic algorithms to serve BoringSSL and other user-space applications. The module is intended for use in environments specified in Table 2 below and any general-purpose environment that requires cryptographic primitives. The Tested Operational Environment’s Physical Perimeter (TOEPP) of the module is the physical perimeter of the tested environment, which is listed in Table 2 below. The module is a software module and has a Multi-Chip Stand Alone embodiment. The installation instructions are provided in Section 11 of this document. The boundary of the module is defined as a single object file, bcm.o. The module version is: v2. The module was tested on the following operational environments: # Operating Hardware Platform Processor PAA/Acceleration System

1 Android 13 Google Pixel 7 Pro Google Tensor G2 64-bit With PAA

2 Android 13 Google Pixel 7 Pro Google Tensor G2 64-bit Without PAA

3 Android 13 Google Pixel 6 Pro Google Tensor 64-bit With PAA

4 Android 13 Google Pixel 6 Pro Google Tensor 64-bit Without PAA

5 Android 13 Google Pixel 5a Qualcomm Snapdragon 765 With PAA

6 Android 13 Google Pixel 5a Qualcomm Snapdragon 765 Without PAA

7 Android 13 Google Pixel 4a Qualcomm Snapdragon 730 With PAA

8 Android 13 Google Pixel 4a Qualcomm Snapdragon 730 Without PAA

9 Android 13 Google Pixel 4XL Qualcomm Snapdragon 855 With PAA

10 Android 13 Google Pixel 4XL Qualcomm Snapdragon 855 Without PAA

11 Google Prodimage IN762 IN762 With PAA

12 Google Prodimage IN762 IN762 Without PAA

13 Google Prodimage Tau t2a Ampere Altra With PAA

14 Google Prodimage Tau t2a Ampere Altra Without PAA

15 Debian Linux n2d AMD EPYC 7B12 With PAA

5.17.11 (Rodete)

2024 Public Material

Page 7

16 Debian Linux n2d AMD EPYC 7B12 Without PAA

5.17.11 (Rodete)

17 Google Prodimage n1 Intel Xeon E5 2696 v4 With PAA

18 Google Prodimage n1 Intel Xeon E5 2696 v4 Without PAA

with Linux 4.15.0 Table 2 - Tested Operational Environments The cryptographic module is also supported on the following operational environments for which operational testing and algorithm testing was not performed. The CMVP makes no statement as to the correct operation of the module on the operational environments for which operational testing was not performed. # Operating System Hardware Platform

1 Linux 4.X x86_64 architecture

ARMv7 architecture ARMv8 architecture

2 Linux 5.X X86_64 architecture

ARMv7 architecture ARMv8 architecture

3 Linux 6.X x86_64 architecture

ARMv7 architecture ARMv8 architecture

4 Ubuntu 22.04 x86_64 architecture

ARMv7 architecture ARMv8 architecture

5 Ubuntu 20.04 x86_64 architecture

ARMv7 architecture ARMv8 architecture

6 Red Hat Enterprise Linux 9 x86_64 architecture

ARMv7 architecture ARMv8 architecture

7 Red Hat Enterprise Linux 8 x86_64 architecture

ARMv7 architecture ARMv8 architecture

8 SUSE Linux Enterprise Server 15 x86_64 architecture

ARMv7 architecture ARMv8 architecture Table 3 - Vendor Affirmed Operational Environments Table 4 below lists all the approved algorithms implemented in the module:

2024 Public Material

Page 8

CAVP Cert1 Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A2811 AES CBC, ECB, CTR Key sizes: 128, 192, Encryption, Decryption FIPS 197 256 bits; SP800-38A Strength: 128, 192,

256 bits

A2811 AES GCM Key sizes: 128, 192, Authenticated Encryption, FIPS 197 256 bits; Authenticated Decryption SP800-38D Strength: 128, 192,

256 bits

A2811 AES FIPS 197 CCM Key size: 128 bits; Authenticated Encryption, SP800-38C Strength: 128 bits Authenticated Decryption A2811 AES, KTS KW, KWP Key sizes: 128, 192, Key Transport per IG D.G FIPS 197 256 bits; Key establishment methodology SP800-38F Strength: 128, 192, provides between 128 and 256

256 bits bits of encryption strength

CVL TLS v1.0/1.1 and v1.2 N/A SHA2-256, SHA2- Key Derivation A2811 KDF2 384, SHA2-512; SP800-135rev1 Strength: 256, 384,

512 bits

Vendor Affirmed CKG SP800-133rev2 Cryptographic Key Key Generation Generation: Symmetric keys and seeds are Section 5: Generation generated as the direct output of Key Pairs for of the DRBG Asymmetric-Key Algorithms, Section 6.1: The “Direct Generation” of Symmetric Keys A2811 DRBG CTR_DRBG AES-256; Random Bit Generation SP800-90Arev1 Key size: 256 bits; Strength: 256 bits A2811 ECDSA FIPS 186-4 Key Pair Generation, P-224, P-256, P-384, Digital Signature Services Signature Generation, P-521; Signature Verification, Strength: 112, 128, Public Key Validation 192, 256 bits There are algorithms that have been CAVP-tested on the same certificate but are not used by any approved service of the module Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. No parts of this protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

2024 Public Material

Page 9

CAVP Cert1 Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A2811 HMAC Generate, Verify HMAC-SHA-1, Generation, Authentication FIPS 198-1 HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512; Strength: 128, 192, 256, 384, 512 bits A2811 RSA Key Generation, 1024, 2048, 3072, Digital Signature Services FIPS 186-4 Signature Generation, 4096; Signature Verification Strength: 80, 112, PKCS 1.5 and PSS 128, 152 bits; Note: Key size 1024 should be only used for Signature Verification A2811 SHA Hashing SHA-13, SHA2-224, Digital Signature Generation, FIPS 180-4 SHA2-256, SHA2-384, Digital Signature Verification, SHA2-512, SHA2- Non-Digital Signature 512/256; Applications Strength: 80, 112, 128, 192, 256, 128 bits A2811 KAS-SSC KAS-ECC-SSC ECC: P-224, P-256, P- Key Agreement Scheme Shared SP800-56Arev3 ephemeralUnified 384 and P-521; Secret Computation per Strength: 112, 128, SP800-56Arev3; 192, 256 bits Key establishment methodology provides between 112 and 256 bits of security strength Table 4 - Approved Algorithms Algorithm Caveat Use / Function MD5 As allowed per SP800-135rev1 When used with the TLS (No security claimed) protocol version 1.0 and 1.1 Table 5 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Used for non-digital signature applications or to verify existing digital signatures only

2024 Public Material

Page 10

Algorithm/Function Use/Function MD5, MD4 Non-Approved hashing POLYVAL Non-Approved authenticated encryption DES, Triple-DES (non-compliant) Non-Approved encryption/decryption AES-GCM-SIV (non-compliant) Non-Approved encryption/decryption DH (non-compliant) Non-Approved key agreement Table 6 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Physical Perimeter: General Purpose Computer Application (out of validation scope) Calling Function Caller CSPs API invocation System calls Spectro Cloud Cryptographic Library System calls Operating System CPU Memory Storage Ports Figure 1 - Spectro Cloud Cryptographic Library v2 boundary

2024 Public Material

Page 11
2.1 Overall Security Design and Rules of Operation
2.1.1 Usage of AES-GCM

AES GCM encryption and decryption are used in the context of the TLS protocol version 1.2 (compliant to Scenario 1a in FIPS 140-3 IG C.H). The module is compliant with NIST SP 800-52 and the mechanism for IV generation is compliant with RFC 5288. The module ensures that it is strictly increasing and thus cannot repeat. When the IV exhausts the maximum number of possible values for a given session key, the first party (client or server) to encounter this condition may either trigger a handshake to establish a new encryption key in accordance with RFC 5246 or fail. In either case, the module prevents any IV duplication and thus enforces the security property. The module’s IV is generated internally by the module’s Approved DRBG, which is internal to the module’s boundary. The IV is 96 bits in length per NIST SP 800-38D, Section 8.2.2 and FIPS 140-3 IG C.H scenario 2. The selection of the IV construction method is the responsibility of the user of this cryptographic module. In approved mode, users of the module must not utilize GCM with an externally generated IV. Per IG C.H, in the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. The module implements the KDF TLS 1.2, and other cryptographic primitives used in TLS 1.2, but does not implement the TLS 1.2 protocol itself.

2.1.2 RSA and ECDSA Keys

The module allows the use of 1024-bit RSA keys for legacy purposes including signature generation, which is disallowed in Approved mode as per NIST SP800-131Arev2. Therefore, cryptographic operations with the Non-Approved key sizes will result in the module operating in Non-Approved mode. The elliptic curves utilized shall be the validated NIST-recommended curves and shall provide a minimum of 112 bits of encryption strength.

2.1.3 CSP Sharing

Non-Approved cryptographic algorithms shall not share the same key or CSP as an approved algorithm. As such, Approved algorithms shall not use the keys generated by the module’s Non-Approved key generation methods or the converse.

2.1.4 Modes of Operation

The module supports two modes of operation: Approved and Non-approved. The module will be in approved mode when all self-tests have completed successfully, and only Approved algorithms are invoked. See Table 4 above for a list of the supported Approved algorithms. The non-Approved mode is entered when a non-Approved algorithm is invoked. See Table 6 for a list of non-Approved algorithms.

2024 Public Material

Page 12

3. Cryptographic Module Interfaces The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the actual API input parameters. The Status Output interface includes the return values of the API functions. Logical interface Data that passes over port/interface Data Input API input parameters Data Output API output parameters and return values Control Input API input parameters Status Output API return values Table 7 - Ports and Interfaces The module does not implement a power input interface or a control output interface. As a software module, control of the physical ports is outside the module scope. However, when the module is performing self-tests, or is in an error state, all output on the module’s logical data output interfaces is inhibited.

2024 Public Material

Page 13

4. Roles, Services, and Authentication

4.1 Roles

The cryptographic module only implements a Crypto Officer (CO) role. The CO role is implicitly assumed by the entity accessing services implemented by the module. An operator is considered the owner of the thread that instantiates the module and, therefore, only one operator is allowed, and no concurrent operators are allowed.

4.2 Authentication

The module does not support operator authentication.

4.3 Services

The Approved services supported by the module and access rights within services accessible over the module’s public interface are listed in the table below: Role Service Input Output CO Symmetric Encryption Plaintext, encryption key Return code, ciphertext CO Symmetric Decryption Ciphertext, decryption key Return code, plaintext CO Keyed Hashing Message, key Return code, Message Authentication Code CO Hashing Message Return code, hash CO Random Bit Generation API call parameters Return code, random bits CO Signature Generation Message, signing key Return code, signature CO Signature Verification Signature, verification key Return code CO Key Transport API call parameters, wrapping key Return code, wrapped key CO Key Agreement API call parameters Return code, shared secret CO TLS Key Derivation API call parameters, TLS pre- Return code, TLS Key master secret CO Key Generation API call parameters Return code, key pair CO Key Verification API call parameters, key pair Return code CO On-Demand Self-Test N/A Return code CO Zeroization N/A N/A CO Show Status API call parameters Return code, status Table 8 - Roles, Service Commands, Input and Output Approved services are listed in Table 9. The SSPs listed in the table indicate the access required using below notation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroize: The module zeroizes the SSP.

2024 Public Material

Page 14

Service Description Approved Security Keys and/or SSPs Roles Access Rights to Indicator Functions Keys and/or SSPs Symmetric Encryption Perform symmetric AES CBC, ECB, CTR, AES Key, AES-GCM Key CO W, E 1 encryption operations CCM (Cert. #A2811) CKG Symmetric Decryption Perform symmetric AES CBC, ECB, CTR, AES Key, AES-GCM Key, CO W, E 1 decryption operations GCM, CCM AES-GCM IV (Cert. #A2811) CKG Keyed Hashing Perform keyed hashing HMAC-SHA-1, HMAC Key CO W, E 1 operations HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 (Cert. #A2811) Hashing Perform hashing operations SHA-1, SHA2-224, N/A CO N/A 1 SHA2-256, SHA2384, SHA2-512, SHA2-512/256 (Cert. #A2811) Random Bit Generate random numbers CTR_DRBG DRBG Seed, CTR_DRBG CO G, E 1 Generation (Cert. #A2811) V, CTR_DRBG Key CKG DRBG output CO G, R CTR_DRBG CO W, E Entropy Input Signature Generation Perform signing operations CTR_DRBG, RSA Signature CO G, W, E 1 RSA SigGen, Generation Key, ECDSA SigGen ECDSA Signing Key (Cert. #A2811) Signature Verification Perform verification RSA SigVer, RSA Signature Verification CO G, W, E 1 operations ECDSA SigVer Key, (Cert. #A2811) ECDSA Verification Key Public Material

Page 15

Key Transport Perform key encryption AES KW, KWP AES Wrapping Key CO W, E 1 operations; KTS using (Cert. #A2811) AES-KW, AES-KWP per IG CKG D.G Key Agreement Perform key agreement KAS-ECC-SSC EC DH Private Key, EC CO G, W, E 1 operations (Cert. #A2811) DH Public Key Shared Secret G TLS Key Derivation Perform key derivation TLS KDF TLS Pre-Master Secret CO W, E 1 operations (Cert. #A2811) TLS Master Secret G, E Key Generation Perform generation CTR_DRBG, RSA Signature CO G, W, E 1 operations RSA KeyGen, Generation Key, ECDSA KeyGen ECDSA Signing Key (Cert. #A2811) CKG Key Verification Perform key pair ECDSA KeyVer ECDSA Signing Key, CO G, W, E 1 verification operations (Cert. #A2811) ECDSA Verification Key On-Demand Self-Test Execute self-tests on N/A N/A CO N/A 1 demand Zeroization Zeroize all SSPs N/A All SSPs CO Z N/A Show Status Obtain the module status N/A N/A CO N/A N/A and versioning information Table 9 - Approved Services Public Material

Page 16

Non-Approved Services are listed in the Table 10 below: Service Description Algorithms Accessed Role Indicator Hashing (as allowed per Perform hashing operations when used with MD5 CO 0 SP800-135rev1) the TLS protocol version 1.0 and 1.1 Hashing Perform hashing operations MD4 CO 0 Hashing Used as part of AES-GCM-SIV POLYVAL CO 0 Symmetric Perform symmetric encryption and/or DES CO 0 encryption/decryption decryption operations Triple-DES AES Key Generation Perform generation operations DH CO 0 RSA Primitives (RSADP, Perform RSA related primitive operations RSA CO 0 RSAEP, RSASP, RSAVP) (decrypt, encrypt, sign, verify) Table 10 - Non-Approved Services Public Material

Page 17

5. Software/Firmware Security The pre-operational integrity test is performed using HMAC-SHA2-256. The integrity test can be executed on demand by power-cycling the host platform and reloading the module. The module does not support software loading. Please refer to Section 11.1 for instructions on compiling the source code into executable.

5.1 Module Format

The form of the module is a single object file, bcm.o.

  1. Operational Environment The module runs on a GPC, which is a modifiable operational environment, running one of the operating systems specified in Table
  2. Each approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner of the calling application that instantiates the module. No specific security rules, settings or restrictions to the configuration of the operational environment applies to the module. The module is designed to ensure that all the self-tests are initiated automatically when the module is loaded.
  3. Physical Security As a software module, the physical security requirements are not applicable.
  4. Non-invasive Security The module does not claim any non-invasive security measures. Public Material – May be reproduced only in its original entirety (without revision).
Page 18

9. Sensitive Security Parameter Management All the SSPs are zeroized implicitly when host platform is restarted. The various SSPs used by the module are listed in Table 11 below: Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & Related Name/Type Function and Export Keys Cert. Number AES Key 128/192/256 bits AES-CBC, ECB, External Input via API N/A Plaintext Power-cycle AES encrypt / (CSP) CTR, CCM in plaintext in RAM host decrypt A2811 (Electronic Entry) AES-GCM Key 128/192/256 bits AES-GCM External Input via API N/A Plaintext Power-cycle AES decrypt / (CSP) A2811 in plaintext in RAM host verify (Electronic Entry) AES-GCM IV4 96 bits AES-GCM External Input via API N/A Plaintext Power-cycle AES decrypt / (CSP) A2811 in plaintext in RAM host verify (Electronic Entry) AES Wrapping 128/192/256 bits AES-KW, External Input via API N/A Plaintext Power-cycle AES key wrapping Key AES-KWP in plaintext in RAM Host (CSP) A2811 (Electronic Entry) ECDSA Signing 112/128/192/256 ECDSA SigGen Internally Input via API N/A Plaintext Power-cycle ECDSA signature Key bits A2811 Generated in plaintext in RAM host generation (CSP) (Electronic Entry); Output via API in plaintext (Electronic Entry) As specified in Section 2.1.1, usage of externally generated IV is only allowed for AES-GCM decryption in the approved mode of operation. Public Material

Page 19

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & Related Name/Type Function and Export Keys Cert. Number ECDSA 112/128/192/256 ECDSA SigVer Internally Input via API N/A Plaintext Power-cycle ECDSA signature Verification Key bits A2811 Generated in plaintext in RAM Host verification (PSP) (Electronic Entry); Output via API in plaintext (Electronic Entry) EC DH 112/128/192/256 ECDSA KeyGen Internally Input via API N/A Plaintext Power-cycle Key Agreement Private Key bits A2811 Generated in plaintext in RAM host (CSP) (Electronic Entry); Output via API in plaintext (Electronic Entry) EC DH Public 112/128/192/256 ECDSA KeyGen Internally Input via API N/A Plaintext Power-cycle Key Agreement Key bits A2811 Generated in plaintext in RAM host (PSP) (Electronic Entry); Output via API in plaintext (Electronic Entry) HMAC Key 128/192/256/384 HMAC-SHA-1, External Input via API N/A Plaintext Power-cycle Keyed hashing (CSP) /512 bits HMAC-SHA2- in plaintext in RAM host 224, HMAC- (Electronic SHA2-256, Entry) HMAC-SHA2384, HMACPublic Material

Page 20

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & Related Name/Type Function and Export Keys Cert. Number SHA2-512 A2811 Shared Secret 112/128/192/256 KAS-ECC-SSC Internally N/A SP800-56Arev3 Plaintext Power-cycle Key Agreement (CSP) bits A2811 Generated in RAM host RSA 112, 128, 152 bits RSA SigGen Internally Input via API N/A Plaintext Power-cycle RSA signature Signature A2811 Generated in plaintext in RAM host generation Generation Key (Electronic (CSP) Entry); Output via API in plaintext (Electronic Entry) RSA 80, 112, 128, 152 RSA SigVer Internally Input via API N/A Plaintext Power-cycle RSA signature Signature bits A2811 Generated in plaintext in RAM host verification Verification (Electronic Key Entry); (PSP) Output via API in plaintext (Electronic Entry) TLS Master 384 bits TLS KDF Internally N/A N/A Plaintext Power-cycle TLS key derivation Secret A2811 Derived via key in RAM host (CSP) derivation function defined in SP800-135rev1 KDF (TLS) Public Material

Page 21

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & Related Name/Type Function and Export Keys Cert. Number TLS Pre-Master 112-256 bits TLS KDF External Input via API N/A Plaintext Power-cycle TLS key derivation Secret A2811 in plaintext in RAM host (CSP) (Electronic Entry) DRBG Seed 384 bits CTR_DRBG Internally N/A N/A Plaintext Power-cycle DRBG Seeding (CSP) A2811 Generated in RAM host material CTR_DRBG V 128 bits CTR_DRBG Internally N/A N/A Plaintext Power-cycle DRBG internal (CSP) A2811 Generated in RAM host state CTR_DRBG 256 bits CTR_DRBG Internally N/A N/A Plaintext Power-cycle DRBG internal Key A2811 Generated in RAM host state (CSP) CTR_DRBG 384 bits used as CTR_DRBG External Input via API N/A Plaintext Power- DRBG entropy Entropy Input seed, quality of A2811 in plaintext in RAM cycle (CSP) entropy at least (Electronic host

112 bits Entry)

DRBG output 2048 bits CTR_DRBG Internally N/A N/A Plaintext Power- Random bits A2811 Generated in RAM cycle provided for the host calling application Table 11

Page 22

Entropy sources Minimum number of bits of Details entropy Passive Entropy 112 bits and above Use of a [SP800-90B] compliant entropy source with at least 256 bits of security strength. Entropy is supplied to the Module via callback functions. The callback functions shall return an error if the minimum entropy strength cannot be met. The caveat “No assurance of the minimum strength of generated SSPs (e.g., keys)” is applicable Table 12 - Non-Deterministic Random Number Generation Specification 10. Self-Tests ISO/IEC 19790 requires the module to perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality. Some functions also require conditional tests during normal operation of the module. The self-tests can be requested on demand by power cycling the host platform. The module has a single error state, which is called the error state. This state is entered upon failure of a self-test. The module indicates this error state by providing the output status “*** KAT failed” where *** is the algorithm name (example: ECDSA-sign KAT failed). The module can be recovered by terminating execution of the host program and reclamation by the host operating system. The supported tests are listed and described in this section.

10.1 Pre-Operational Self-Tests

Pre-operational self-tests are run upon the initialization of the module and further reboots of the host platform. The CAST (Cryptographic Algorithm Self-Test) for HMAC-SHA2-256 is performed before the integrity test. Self-tests do not require operator intervention to run. If any of the tests fail, the module will not initialize and enter an error state where no services can be accessed. The module implements the following pre-operational self-tests:

10.2 Conditional Self-Tests

Conditional Cryptographic Algorithm Self-Tests (CAST) are run prior to the first use of the cryptographic algorithm. CASTs do not require operator intervention to run. If any of the tests fail, the module will enter an error state and no services can be accessed. Public Material

Page 23

The module implements the following CASTs:

Page 24
11.1 Installation Instructions

During the manufacturing process, Spectro Cloud executes the build and installation instructions for the module. The module is pre-installed and configured in supported Spectro Cloud solutions. FIPS mode is enabled by default. There are no additional installation or configuration instructions for operators intending to use the module. Public Material

Page 25
11.1.1 Retrieving Module Name and Version

The following methods will provide the module name and versions:

Page 26

References and Standards The following Standards are referenced in this Security Policy: Abbreviation Full Specification Name FIPS 140-3 Security Requirements for Cryptographic modules FIPS 180-4 Secure Hash Standard (SHS) FIPS 186-4 Digital Signature Standard (DSS) FIPS 197 Advanced Encryption Standard FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) Implementation Guidance for FIPS PUB 140-3 and the Cryptographic IG Module Validation Program Recommendation for Block Cipher Modes of Operation: Three Variants of SP 800-38A Ciphertext Stealing for CBC Mode Recommendation for Block Cipher Modes of Operation: the CCM Mode for SP 800-38C Authentication and Confidentiality Recommendation for Block Cipher Modes of Operation: Galois/Counter SP 800-38D Mode (GCM) and GMAC Recommendation for Block Cipher Modes of Operation: Methods for Key SP 800-38F Wrapping Guidelines for the Selection, Configuration, and Use of Transport Layer SP 800-52 Security (TLS) Implementations Recommendation for Pair-Wise Key Establishment Schemes Using Discrete SP 800-56A Logarithm Cryptography SP 800-90A Recommendation for Random Number Generation Using Deterministic Random Bit Generators SP 800-131A Transitioning the Use of Cryptographic Algorithms and Key Lengths SP 800-133 Recommendation for Cryptographic Key Generation SP 800-135 Recommendation for Existing Application-Specific Key Derivation Functions Public Material

Page 27

Acronyms Acronym Definition AES Advanced Encryption Standard API Application Programming Interface CAVP Cryptographic Algorithm Validation Program CBC Cipher-Block Chaining CCCS Canadian Centre for Cyber Security CFB Cipher Feedback CKG Cooperative Key Generation CMVP Crypto Module Validation Program CO Cryptographic Officer CRNGT Continuous Random Number Generator Test CSP Critical Security Parameter CTR Counter-mode DES Data Encryption Standard DH Diffie-Hellman DRBG Deterministic Random Bit Generator DSS Digital Signature Standard EC Elliptic Curve ECB Electronic Code Book ECC Elliptic Curve Cryptography EC DH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Authority FIPS Federal Information Processing Standards GCM Galois/Counter Mode GMAC Galois Message Authentication Code GPC General Purpose Computer HMAC Key-Hashed Message Authentication Code IG Implementation Guidance IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KW Key Wrap KWP Key Wrap with Padding LLC Limited Liability Company MAC Message Authentication Code MD4 Message Digest algorithm MD4 MD5 Message Digest algorithm MD5 N/A Not-Applicable NIST National Institute of Standards and Technology NVLAP National Voluntary Lab Accreditation Program Public Material

Page 28

OFB Output Feedback PAA Processor Algorithm Accelerator RAM Random Access Memory RFC Request For Comment RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHS Secure Hash Standard SP Special Publication SSL Secure Socket Layer TLS Transport Layer Security Triple-DES Triple Data Encryption Standard Public Material