| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/21/2030 |
| Caveat | When operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Apple Inc. |
flowchart LR
%% Deterministic review-risk graph for Apple corecrypto Module v13.0 [Apple silicon, User, Software, SL1]
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Apple corecrypto Module v13.0 [Apple silicon, User, Software, SL1]
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Apple Inc. Apple corecrypto Module v13.0 [Apple silicon, User, Software, SL1] Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com
| # | Section | Page |
|---|
This document may be reproduced and distributed only in its original entirely without revision.
| Item | Page |
|---|---|
| Table 1: Security Levels | 7 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 9 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 12 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 13 |
| Table 5: Modes List and Description | 13 |
| Table 6: Approved Algorithms - AES-CBC | 14 |
| Table 7: Approved Algorithms - AES-CCM | 14 |
| Table 8: Approved Algorithms - AES-CFB128 | 15 |
| Table 9: Approved Algorithms - AES-CFB8 | 15 |
| Table 10: Approved Algorithms - AES-CMAC | 15 |
| Table 11: Approved Algorithms - AES-CTR | 15 |
| Table 12: Approved Algorithms - AES-ECB | 16 |
| Table 13: Approved Algorithms - AES-GCM | 16 |
| Table 14: Approved Algorithms - AES-KW | 16 |
| Table 15: Approved Algorithms - AES-OFB | 17 |
| Table 16: Approved Algorithms - AES-XTS | 17 |
| Table 17: Approved Algorithms - CTR_DRBG | 17 |
| Table 18: Approved Algorithms - ECDSA-KEYGEN | 18 |
| Table 19: Approved Algorithms - ECDSA-KEYVER | 18 |
| Table 20: Approved Algorithms - ECDSA-SIGGEN | 18 |
| Table 21: Approved Algorithms - ECDSA-SIGVER | 18 |
| Table 22: Approved Algorithms - HMAC-SHA1 | 19 |
| Table 23: Approved Algorithms - HMAC-SHA224 | 19 |
| Table 24: Approved Algorithms - HMAC-SHA256 | 19 |
| Table 25: Approved Algorithms - HMAC-SHA384 | 19 |
| Table 26: Approved Algorithms - HMAC-SHA512 | 20 |
| Table 27: Approved Algorithms - HMAC-SHA512/256 | 20 |
| Table 28: Approved Algorithms - KAS-ECC-SSC | 20 |
| Table 29: Approved Algorithms - KAS-FFC-SSC | 20 |
| Table 30: Approved Algorithms - KBKDF | 21 |
| Table 31: Approved Algorithms - PBKDF | 21 |
| Table 32: Approved Algorithms - RSA-KEYGEN | 21 |
| Table 33: Approved Algorithms - RSA-SIGGEN | 21 |
| Table 34: Approved Algorithms - RSA-SIGVER | 22 |
| Table 35: Approved Algorithms - SAFEPRIME-KEYGEN | 22 |
| Table 36: Approved Algorithms - SHA1 | 22 |
| Table 37: Approved Algorithms - SHA224 | 22 |
| Table 38: Approved Algorithms - SHA256 | 23 |
| Table 39: Approved Algorithms - SHA384 | 23 |
| Table 40: Approved Algorithms - SHA512 | 23 |
| Table 41: Approved Algorithms - SHA512/256 | 23 |
| Table 42: Vendor-Affirmed Algorithms | 24 |
List of Figures This document may be reproduced and distributed only in its original entirely without revision.
Trademarks Apple’s trademarks applicable to this document are listed in https://www.apple.com/legal/intellectual-property/trademark/appletmlist.html. Other company, product, and service names may be trademarks or service marks of others. This document may be reproduced and distributed only in its original entirely without revision.
This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v13.0 [Apple silicon, User, Software, SL1] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 module.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1 Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.
Purpose and Use: The Apple corecrypto Module v13.0 [Apple silicon, User, Software, SL1] cryptographic module (hereafter referred to as “the module”) provides implementations of lowlevel cryptographic primitives to the Device OS’s (iOS 16, iPadOS 16, watchOS 9, tvOS 16, T2OS
13 and macOS 13 Ventura) Security Framework and Common Crypto. The module provides
services intended to protect data in transit and at rest. The module is optimized for library use within the Device OS user space and does not contain any terminating assertions or exceptions. It is implemented as a Device OS dynamically loadable library. After the library is loaded, its cryptographic functions are made available to the Device OS application. Any internal error detected by the module is returned to the caller with an appropriate return code. The calling Device OS application must examine the return code and act accordingly. The module communicates any error status synchronously through the use of its documented return codes, thus indicating the module’s status. Caller-induced or internal errors do not reveal any sensitive material to callers. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: N/A Cryptographic Boundary: The module cryptographic boundary is delineated by the dotted green rectangle in the Figure
Tested Module Identification
Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS iPadOS 16 iPad (7th generation) Apple A Series Yes NA v13.0 A10 Fusion iPadOS 16 iPad Pro 10.5-inch Apple A Series Yes NA v13.0 A10X Fusion iPadOS 16 iPad mini (5th Apple A Series Yes NA v13.0 generation) A12 Bionic iPadOS 16 iPad Pro 11-inch (1st Apple A Series Yes NA v13.0 generation) A12X Bionic iPadOS 16 iPad Pro 11-inch (2nd Apple A Series Yes NA v13.0 generation) A12Z Bionic iPadOS 16 iPad (9th generation) Apple A Series Yes NA v13.0 A13 Bionic iPadOS 16 iPad Air (4th Apple A Series Yes NA v13.0 generation) A14 Bionic iPadOS 16 iPad mini (6th Apple A Series Yes NA v13.0 generation) A15 Bionic iPadOS 16 iPad Pro 11-inch (3rd Apple M Series Yes NA v13.0 generation) M1 iPadOS 16 iPad Pro 11-inch (4th Apple M Series Yes NA v13.0 generation) M2 iOS 16 iPhone X Apple A Series Yes NA v13.0 A11 Bionic iOS 16 iPhone XS Max Apple A Series Yes NA v13.0 A12 Bionic iOS 16 iPhone 11 Pro Apple A Series Yes NA v13.0 A13 Bionic iOS 16 iPhone 12 Apple A Series Yes NA v13.0 A14 Bionic iOS 16 iPhone 13 Pro Max Apple A Series Yes NA v13.0 A15 Bionic iOS 16 iPhone 14 Pro Max Apple A Series Yes NA v13.0 A16 Bionic This document may be reproduced and distributed only in its original entirely without revision.
Operating Hardware Platform Processors PAA/PAI Hypervisor Version(s) System or Host OS watchOS 9 Apple Watch Series Apple S Series S4 Yes NA v13.0 S4 watchOS 9 Apple Watch Series Apple S Series S5 Yes NA v13.0 S5 watchOS 9 Apple Watch Series Apple S Series S6 Yes NA v13.0 S6 watchOS 9 Apple Watch Series Apple S Series S7 Yes NA v13.0 S7 watchOS 9 Apple Watch Series Apple S Series S8 Yes NA v13.0 S8 tvOS 16 Apple TV 4K Apple A Series Yes NA v13.0 A10X Fusion tvOS 16 Apple TV 4K (2nd Apple A Series Yes NA v13.0 generation) A12 Bionic tvOS 16 Apple TV 4K (3rd Apple A Series Yes NA v13.0 generation) A15 Bionic T2OS 13 Apple Security Chip Apple T Series T2 Yes NA v13.0 T2 macOS 13 MacBook Pro (13- Apple M Series Yes NA v13.0 Ventura inch, M1, 2020) M1 macOS 13 MacBook Pro (16- Apple M Series Yes NA v13.0 Ventura inch, 2021) M1 Pro macOS 13 MacBook Pro (16- Apple M Series Yes NA v13.0 Ventura inch, 2021) M1 Max macOS 13 Mac Studio Apple M Series Yes NA v13.0 Ventura M1 Ultra macOS 13 MacBook Pro (13- Apple M Series Yes NA v13.0 Ventura inch, M2, 2020) M2 macOS 13 MacBook Pro (14- Apple M Series Yes NA v13.0 Ventura inch, 2023) M2 Pro macOS 13 MacBook Pro (16- Apple M Series Yes NA v13.0 Ventura inch, 2023) M2 Max This document may be reproduced and distributed only in its original entirely without revision.
Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Operating System Hardware Platform iPadOS 16 iPad Pro 12.9-inch iPadOS 16 iPad (6th generation) iPadOS 16 iPad Pro 12.9-inch (2nd generation) iPadOS 16 iPad Air (3rd generation) iPadOS 16 iPad (8th generation) iPadOS 16 iPad Pro 12.9-inch (3rd generation) iPadOS 16 iPad Pro 12.9-inch (4th generation) iPadOS 16 iPad Pro 12.9-inch (5th generation) iPadOS 16 iPad Pro 12.9-inch (6th generation) iOS 16 iPhone 8 iOS 16 iPhone 8 Plus iOS 16 iPhone XS iOS 16 iPhone XR iOS 16 iPhone 11 iOS 16 iPhone 11 Pro Max iOS 16 iPhone SE (2nd generation) iOS 16 iPhone 12 mini iOS 16 iPhone 12 Pro iOS 16 iPhone 12 Pro Max iOS 16 iPhone 13 mini iOS 16 iPhone 13 iOS 16 iPhone 13 Pro iOS 16 iPhone 14 Pro watchOS 9 Apple Watch SE macOS 13 Ventura Mac mini This document may be reproduced and distributed only in its original entirely without revision.
Operating System Hardware Platform macOS 13 Ventura iMac (24-inch) macOS 13 Ventura MacBook Pro (14-inch, 2021) macOS 13 Ventura MacBook Air Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
None for this module
Modes List and Description: Mode Description Type Status Indicator Name Approved Approved mode of Approved The dedicated API function returns a mode operation is entered when '1' from fips_allowed_mode() for the module utilizes the block cipher functions and services that use the security fips_allowed() for all other services to functions listed in the indicate the executed cryptographic Approved Algorithms Table algorithm was approved and the Vendor Affirmed Algorithms Table. Non- Non-Approved mode of Non- The dedicated API function returns a Approved operation is entered when Approved '0' from fips_allowed_mode() for mode the module utilizes non- block cipher functions and approved security functions fips_allowed() for all other services to in the Table Non-Approved indicate the executed cryptographic Algorithms Not Allowed in algorithm was non- approved the Approved Mode of Operation. Table 5: Modes List and Description This document may be reproduced and distributed only in its original entirely without revision.
Approved Algorithms: AES-CBC Algorithm CAVP Cert Properties Reference AES-CBC A3423 - SP 800-38A AES-CBC A3424 - SP 800-38A AES-CBC A3425 - SP 800-38A AES-CBC A3426 - SP 800-38A AES-CBC A3483 - SP 800-38A AES-CBC A3484 - SP 800-38A AES-CBC A3485 - SP 800-38A AES-CBC A3486 - SP 800-38A Table 6: Approved Algorithms - AES-CBC AES-CCM Algorithm CAVP Cert Properties Reference AES-CCM A3424 - SP 800-38C AES-CCM A3426 - SP 800-38C AES-CCM A3427 - SP 800-38C AES-CCM A3484 - SP 800-38C AES-CCM A3486 - SP 800-38C AES-CCM A3487 - SP 800-38C Table 7: Approved Algorithms - AES-CCM AES-CFB128 Algorithm CAVP Cert Properties Reference AES-CFB128 A3423 - SP 800-38A AES-CFB128 A3424 - SP 800-38A AES-CFB128 A3426 - SP 800-38A AES-CFB128 A3483 - SP 800-38A AES-CFB128 A3484 - SP 800-38A This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference AES-CFB128 A3486 - SP 800-38A Table 8: Approved Algorithms - AES-CFB128 AES-CFB8 Algorithm CAVP Cert Properties Reference AES-CFB8 A3424 - SP 800-38A AES-CFB8 A3426 - SP 800-38A AES-CFB8 A3484 - SP 800-38A AES-CFB8 A3486 - SP 800-38A Table 9: Approved Algorithms - AES-CFB8 AES-CMAC Algorithm CAVP Cert Properties Reference AES-CMAC A3426 - SP 800-38B AES-CMAC A3486 - SP 800-38B Table 10: Approved Algorithms - AES-CMAC AES-CTR Algorithm CAVP Cert Properties Reference AES-CTR A3424 - SP 800-38A AES-CTR A3426 - SP 800-38A AES-CTR A3427 - SP 800-38A AES-CTR A3484 - SP 800-38A AES-CTR A3486 - SP 800-38A AES-CTR A3487 - SP 800-38A Table 11: Approved Algorithms - AES-CTR AES-ECB Algorithm CAVP Cert Properties Reference AES-ECB A3423 - SP 800-38A AES-ECB A3424 - SP 800-38A This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference AES-ECB A3426 - SP 800-38A AES-ECB A3427 - SP 800-38A AES-ECB A3483 - SP 800-38A AES-ECB A3484 - SP 800-38A AES-ECB A3486 - SP 800-38A AES-ECB A3487 - SP 800-38A Table 12: Approved Algorithms - AES-ECB AES-GCM Algorithm CAVP Cert Properties Reference AES-GCM A3424 - SP 800-38D AES-GCM A3426 - SP 800-38D AES-GCM A3427 - SP 800-38D AES-GCM A3484 - SP 800-38D AES-GCM A3486 - SP 800-38D AES-GCM A3487 - SP 800-38D Table 13: Approved Algorithms - AES-GCM AES-KW Algorithm CAVP Cert Properties Reference AES-KW A3424 - SP 800-38F AES-KW A3426 - SP 800-38F AES-KW A3484 - SP 800-38F AES-KW A3486 - SP 800-38F Table 14: Approved Algorithms - AES-KW AES-OFB Algorithm CAVP Cert Properties Reference AES-OFB A3423 - SP 800-38A AES-OFB A3424 - SP 800-38A This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference AES-OFB A3426 - SP 800-38A AES-OFB A3483 - SP 800-38A AES-OFB A3484 - SP 800-38A AES-OFB A3486 - SP 800-38A Table 15: Approved Algorithms - AES-OFB AES-XTS Algorithm CAVP Cert Properties Reference AES-XTS Testing Revision 2.0 A3423 - SP 800-38E AES-XTS Testing Revision 2.0 A3424 - SP 800-38E AES-XTS Testing Revision 2.0 A3426 - SP 800-38E AES-XTS Testing Revision 2.0 A3483 - SP 800-38E AES-XTS Testing Revision 2.0 A3484 - SP 800-38E AES-XTS Testing Revision 2.0 A3486 - SP 800-38E Table 16: Approved Algorithms - AES-XTS CTR_DRBG Algorithm CAVP Cert Properties Reference Counter DRBG A3424 - SP 800-90A Rev. 1 Counter DRBG A3426 - SP 800-90A Rev. 1 Counter DRBG A3427 - SP 800-90A Rev. 1 Counter DRBG A3484 - SP 800-90A Rev. 1 Counter DRBG A3486 - SP 800-90A Rev. 1 Counter DRBG A3487 - SP 800-90A Rev. 1 Table 17: Approved Algorithms - CTR_DRBG ECDSA-KEYGEN Algorithm CAVP Cert Properties Reference ECDSA KeyGen (FIPS186-4) A3426 - FIPS 186-4 ECDSA KeyGen (FIPS186-4) A3428 - FIPS 186-4 This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference ECDSA KeyGen (FIPS186-4) A3486 - FIPS 186-4 ECDSA KeyGen (FIPS186-4) A3488 - FIPS 186-4 Table 18: Approved Algorithms - ECDSA-KEYGEN ECDSA-KEYVER Algorithm CAVP Cert Properties Reference ECDSA KeyVer (FIPS186-4) A3426 - FIPS 186-4 ECDSA KeyVer (FIPS186-4) A3428 - FIPS 186-4 ECDSA KeyVer (FIPS186-4) A3486 - FIPS 186-4 ECDSA KeyVer (FIPS186-4) A3488 - FIPS 186-4 Table 19: Approved Algorithms - ECDSA-KEYVER ECDSA-SIGGEN Algorithm CAVP Cert Properties Reference ECDSA SigGen (FIPS186-4) A3426 - FIPS 186-4 ECDSA SigGen (FIPS186-4) A3428 - FIPS 186-4 ECDSA SigGen (FIPS186-4) A3486 - FIPS 186-4 ECDSA SigGen (FIPS186-4) A3488 - FIPS 186-4 Table 20: Approved Algorithms - ECDSA-SIGGEN ECDSA-SIGVER Algorithm CAVP Cert Properties Reference ECDSA SigVer (FIPS186-4) A3426 - FIPS 186-4 ECDSA SigVer (FIPS186-4) A3428 - FIPS 186-4 ECDSA SigVer (FIPS186-4) A3486 - FIPS 186-4 ECDSA SigVer (FIPS186-4) A3488 - FIPS 186-4 Table 21: Approved Algorithms - ECDSA-SIGVER HMAC-SHA1 Algorithm CAVP Cert Properties Reference HMAC-SHA-1 A3426 - FIPS 198-1 This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference HMAC-SHA-1 A3428 - FIPS 198-1 HMAC-SHA-1 A3486 - FIPS 198-1 HMAC-SHA-1 A3488 - FIPS 198-1 Table 22: Approved Algorithms - HMAC-SHA1 HMAC-SHA224 Algorithm CAVP Cert Properties Reference HMAC-SHA2-224 A3426 - FIPS 198-1 HMAC-SHA2-224 A3428 - FIPS 198-1 HMAC-SHA2-224 A3486 - FIPS 198-1 HMAC-SHA2-224 A3488 - FIPS 198-1 Table 23: Approved Algorithms - HMAC-SHA224 HMAC-SHA256 Algorithm CAVP Cert Properties Reference HMAC-SHA2-256 A3426 - FIPS 198-1 HMAC-SHA2-256 A3428 - FIPS 198-1 HMAC-SHA2-256 A3429 - FIPS 198-1 HMAC-SHA2-256 A3486 - FIPS 198-1 HMAC-SHA2-256 A3488 - FIPS 198-1 HMAC-SHA2-256 A3489 - FIPS 198-1 Table 24: Approved Algorithms - HMAC-SHA256 HMAC-SHA384 Algorithm CAVP Cert Properties Reference HMAC-SHA2-384 A3426 - FIPS 198-1 HMAC-SHA2-384 A3428 - FIPS 198-1 HMAC-SHA2-384 A3486 - FIPS 198-1 HMAC-SHA2-384 A3488 - FIPS 198-1 Table 25: Approved Algorithms - HMAC-SHA384 This document may be reproduced and distributed only in its original entirely without revision.
HMAC-SHA512 Algorithm CAVP Cert Properties Reference HMAC-SHA2-512 A3426 - FIPS 198-1 HMAC-SHA2-512 A3428 - FIPS 198-1 HMAC-SHA2-512 A3486 - FIPS 198-1 HMAC-SHA2-512 A3488 - FIPS 198-1 Table 26: Approved Algorithms - HMAC-SHA512 HMAC-SHA512/256 Algorithm CAVP Cert Properties Reference HMAC-SHA2-512/256 A3426 - FIPS 198-1 HMAC-SHA2-512/256 A3428 - FIPS 198-1 HMAC-SHA2-512/256 A3486 - FIPS 198-1 HMAC-SHA2-512/256 A3488 - FIPS 198-1 Table 27: Approved Algorithms - HMAC-SHA512/256 KAS-ECC-SSC Algorithm CAVP Cert Properties Reference KAS-ECC-SSC Sp800-56Ar3 A3426 - SP 800-56A Rev. 3 KAS-ECC-SSC Sp800-56Ar3 A3486 - SP 800-56A Rev. 3 Table 28: Approved Algorithms - KAS-ECC-SSC KAS-FFC-SSC Algorithm CAVP Cert Properties Reference KAS-FFC-SSC Sp800-56Ar3 A3426 - SP 800-56A Rev. 3 KAS-FFC-SSC Sp800-56Ar3 A3486 - SP 800-56A Rev. 3 Table 29: Approved Algorithms - KAS-FFC-SSC KBKDF Algorithm CAVP Cert Properties Reference KDF SP800-108 A3426 - SP 800-108 Rev. 1 KDF SP800-108 A3428 - SP 800-108 Rev. 1 This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference KDF SP800-108 A3486 - SP 800-108 Rev. 1 KDF SP800-108 A3488 - SP 800-108 Rev. 1 Table 30: Approved Algorithms - KBKDF PBKDF Algorithm CAVP Cert Properties Reference PBKDF A3426 - SP 800-132 PBKDF A3428 - SP 800-132 PBKDF A3486 - SP 800-132 PBKDF A3488 - SP 800-132 Table 31: Approved Algorithms - PBKDF RSA-KEYGEN Algorithm CAVP Cert Properties Reference RSA KeyGen (FIPS186-4) A3426 - FIPS 186-4 RSA KeyGen (FIPS186-4) A3428 - FIPS 186-4 RSA KeyGen (FIPS186-4) A3486 - FIPS 186-4 RSA KeyGen (FIPS186-4) A3488 - FIPS 186-4 Table 32: Approved Algorithms - RSA-KEYGEN RSA-SIGGEN Algorithm CAVP Cert Properties Reference RSA SigGen (FIPS186-4) A3426 - FIPS 186-4 RSA SigGen (FIPS186-4) A3428 - FIPS 186-4 RSA SigGen (FIPS186-4) A3486 - FIPS 186-4 RSA SigGen (FIPS186-4) A3488 - FIPS 186-4 Table 33: Approved Algorithms - RSA-SIGGEN RSA-SIGVER Algorithm CAVP Cert Properties Reference RSA SigVer (FIPS186-4) A3426 - FIPS 186-4 This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference RSA SigVer (FIPS186-4) A3428 - FIPS 186-4 RSA SigVer (FIPS186-4) A3486 - FIPS 186-4 RSA SigVer (FIPS186-4) A3488 - FIPS 186-4 Table 34: Approved Algorithms - RSA-SIGVER SAFEPRIME-KEYGEN Algorithm CAVP Cert Properties Reference Safe Primes Key Generation A3426 - SP 800-56A Rev. 3 Safe Primes Key Generation A3486 - SP 800-56A Rev. 3 Table 35: Approved Algorithms - SAFEPRIME-KEYGEN SHA1 Algorithm CAVP Cert Properties Reference SHA-1 A3426 - FIPS 180-4 SHA-1 A3428 - FIPS 180-4 SHA-1 A3486 - FIPS 180-4 SHA-1 A3488 - FIPS 180-4 Table 36: Approved Algorithms - SHA1 SHA224 Algorithm CAVP Cert Properties Reference SHA2-224 A3426 - FIPS 180-4 SHA2-224 A3428 - FIPS 180-4 SHA2-224 A3486 - FIPS 180-4 SHA2-224 A3488 - FIPS 180-4 Table 37: Approved Algorithms - SHA224 SHA256 Algorithm CAVP Cert Properties Reference SHA2-256 A3426 - FIPS 180-4 SHA2-256 A3428 - FIPS 180-4 This document may be reproduced and distributed only in its original entirely without revision.
Algorithm CAVP Cert Properties Reference SHA2-256 A3429 - FIPS 180-4 SHA2-256 A3486 - FIPS 180-4 SHA2-256 A3488 - FIPS 180-4 SHA2-256 A3489 - FIPS 180-4 Table 38: Approved Algorithms - SHA256 SHA384 Algorithm CAVP Cert Properties Reference SHA2-384 A3426 - FIPS 180-4 SHA2-384 A3428 - FIPS 180-4 SHA2-384 A3486 - FIPS 180-4 SHA2-384 A3488 - FIPS 180-4 Table 39: Approved Algorithms - SHA384 SHA512 Algorithm CAVP Cert Properties Reference SHA2-512 A3426 - FIPS 180-4 SHA2-512 A3428 - FIPS 180-4 SHA2-512 A3486 - FIPS 180-4 SHA2-512 A3488 - FIPS 180-4 Table 40: Approved Algorithms - SHA512 SHA512/256 Algorithm CAVP Cert Properties Reference SHA2-512/256 A3426 - FIPS 180-4 SHA2-512/256 A3428 - FIPS 180-4 SHA2-512/256 A3486 - FIPS 180-4 SHA2-512/256 A3488 - FIPS 180-4 Table 41: Approved Algorithms - SHA512/256 Vendor-Affirmed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.
Name Properties Implementation Reference Cryptographic RSA Key Generation:Modulus: Apple corecrypto FIPS 140-3 IG Key Generation 2048, 3072, 4096; Key strength: Module [Apple ARM, D.H. and (CKG) from 112 to 150-bits User, Software, SL1] [SP800ECDSA Key Generation:P-224, P- (c_ltc) 133rev2] 256, P-384, P-521; Key strength: sections 4 and from 112 to 256-bits 5.1 Safe Prime Key Generation:Safe prime groups: MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Key strength: from 112 to 200-bits CKG RSA Key Generation:Modulus: Apple corecrypto FIPS 140-3 IG 2048, 3072, 4096; Key strength: Module [Apple ARM, D.H. and from 112 to 150-bits User, Software, SL1] [SP800ECDSA Key Generation:P-224, P- (vng_ltc) 133rev2] 256, P-384, P-521; Key strength: sections 4 and from 112 to 256-bits 5.1 Safe Prime Key Generation:MODP-2048, MODP3072, MODP-4096, MODP-6144, MODP-8192 Key strength: from
Table 42: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: There are no non-Approved but “Allowed functions” with security claimed algorithms in approved mode. Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Allowed in Approved mode with no Message Digest (used as part of the TLS security claimed per IG 2.4.A Digest Size: key establishment scheme v1.0, v1.1 only) 128-bit Table 43: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Name Use and Function ANSI X9.63 KDF Hash based Key Derivation Function This document may be reproduced and distributed only in its original entirely without revision.
Name Use and Function Blowfish Encryption / Decryption CAST5 Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments DES Encryption / Decryption Key Size: 56-bits Diffie-Hellman Shared Secret Computation using key size < 2048 ECDSA Generation / Verification / SigGen / SigVer with curve P-192 ECDSA KeyGen Key Pair Generation for compact point representation of points EC Diffie-Hellman Shared Secret Computation using curves < P-224 EdDSA Key Generation, Signature Generation, Signature Verification with Ed25519 ECDH Key agreement with X25519 HKDF [SP800-56Crev2] Key Derivation Function Integrated Encryption Scheme on Hybrid encryption scheme elliptic curves (ECIES) MD2 Message Digest size: 128-bit MD4 Message Digest size: 128-bit MD5 (except in the TLS 1.0/1.1 Message Digest size: 128-bit context) OMAC (One-Key CBC MAC) MAC generation / verification RC2 Encryption / Decryption Key Sizes 8 to 1024-bits RC4 Encryption / Decryption Key Sizes 8 to 4096-bits RFC6637 Key Derivation Function RIPEMD Message Digest size: 160-bits RSA KeyGen ANSI X9.31 Key Pair Generation with Key Size < 2048 RSA SigGen PKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048 RSA SigVer Signature Verification Key Size < 1024 RSA Key Wrapping OAEP, PKCS#1 v1.5 and -PSS schemes This document may be reproduced and distributed only in its original entirely without revision.
Name Use and Function Triple-DES [SP 800-67r2] CBC, CTR, CFB64, ECB, CFB8, OFB SHA-3 Message Digest HPKE (Hybrid Public Key Encryption) Hybrid encryption scheme [RFC9180] Keccak Message Digest Table 44: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Unauthenticated BC-UnAuth Key Size / Key AES [FIPS 197; SP AES-CBC Symmetric Strength: 128, 800-38A]:CBC AES-CBC Encryption and 192, 256-bits AES [FIPS 197; SP AES-CBC Decryption (for all but XTS, 800-38A]:CFB128 AES-CBC which supports AES [FIPS 197; SP AES-CBC
keys) AES [FIPS 197; SP AES-CBC 800-38A]:CTR AES-CBC AES [FIPS 197; SP AES-CFB128 800-38A]:ECB AES-CFB128 AES [FIPS 197; SP AES-CFB128 800-38A]:OFB AES-CFB128 AES [FIPS 197; SP AES-CFB128 800-38E]:XTS AES-CFB128 AES-CFB8 AES-CFB8 AES-CFB8 AES-CFB8 AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-CTR AES-ECB AES-ECB AES-ECB AES-ECB AES-ECB This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms AES-ECB AES-ECB AES-ECB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-OFB AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 AES-XTS Testing Revision 2.0 Authenticated BC-Auth Key Size/ Key AES [FIPS 197; SP AES-CCM Symmetric Strength: 128, 800-38C]:CCM AES-CCM Encryption and 192, 256-bits AES [FIPS 197; SP AES-CCM Decryption 800-38D]:GCM AES-CCM AES-CCM AES-CCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM AES-GCM This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms Random DRBG Key Size/ Key DRBG [SP800- Counter DRBG Number Strength: 128, 90ARev1]:CTR_DRBG; Counter DRBG Generation 256- bits. AES-128, AES-256 Counter DRBG Derivation Counter DRBG Function Counter DRBG Enabled, No Counter DRBG Prediction Resistance ECDSA AsymKeyPair- Curve: P-224, P- ECDSA ANSI X9.62 ECDSA KeyGen Asymmetric Key KeyGen 256, P-384, P- [FIPS 186-4]:Key Pair (FIPS186-4) Generation CKG 521. Key Generation (CKG ECDSA KeyGen Strength: from using method in (FIPS186-4)
[SP 800-133Rev2]). (FIPS186-4) Testing Candidates ECDSA KeyGen (FIPS186-4) ECDSA AsymKeyPair- Curve: P-224, P- ECDSA ANSI X9.62 ECDSA KeyVer Asymmetric Key KeyVer 256, P-384, P- [FIPS 186-4]:N/A (FIPS186-4) Verification 521. Key ECDSA KeyVer Strength: from (FIPS186-4)
(FIPS186-4) ECDSA KeyVer (FIPS186-4) ECDSA Digital DigSig-SigGen Curve: P-224, P- ECDSA ANSI X9.62 ECDSA SigGen Signature 256, P-384, P- [FIPS 186-4]:SHA2- (FIPS186-4) Generation 521. Key 224, SHA2-256, ECDSA SigGen Strength: from SHA2- 384, SHA2- (FIPS186-4)
(FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA Digital DigSig-SigVer Curve: P-224, P- ECDSA ANSI X9.62 ECDSA SigVer Signature 256, P-384, P- [FIPS 186-4]:SHA-1, (FIPS186-4) Verification 521. Key SHA2-224, SHA2- ECDSA SigVer Strength: from 256, SHA2-384, (FIPS186-4)
(FIPS186-4) This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms ECDSA SigVer (FIPS186-4) CMAC Message MAC Key Size/ Key AES [FIPS 197; SP AES-CMAC Authentication Strength: 128, 800-38B]:CMAC AES-CMAC 192, 256-bits HMAC Message MAC Key Size: 8 - HMAC SHA1 [FIPS HMAC-SHA-1 Authentication 262144 bits 198]:Key Strength: HMAC-SHA-1
HMAC SHA224 [FIPS HMAC-SHA-1 198]:Key Strength: HMAC-SHA2-
HMAC SHA256 [FIPS HMAC-SHA2198]:Key Strength: 224
HMAC SHA384 [FIPS 224 198]:Key Strength: HMAC-SHA2-
HMAC SHA512 [FIPS HMAC-SHA2198]:Key Strength: 256
HMAC SHA512/256 256 [FIPS 198]:Key HMAC-SHA2Strength: 256 256 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms HMAC-SHA2HMAC-SHA2HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA2512/256 HMAC-SHA2512/256 ECC Shared KAS-SSC P-224, P-256, KAS-ECC-SSC KAS-ECC-SSC Secret P-384, P-521. [SP800-56ARev 3] Sp800-56Ar3 Computation Key Strength: and FIPS 140-3 IG KAS-ECC-SSC from 112 to D.F scenario 2 path Sp800-56Ar3 256-bits 1:Scheme: ephemeral Unified KAS Role: initiator, responder FFC Shared KAS-SSC MODP-2048, KAS-FFC-SSC KAS-FFC-SSC Secret MODP-3072, [SP800- 56ARev3] Sp800-56Ar3 Computation MODP- 4096, and FIPS 140-3 IG KAS-FFC-SSC MODP-6144, D.F scenario 2 path Sp800-56Ar3 MODP-8192. 1:Scheme: dh Ephem Key Strength: with safe prime from 112 to groups KAS Role:
KBKDF Key KBKDF Key Size / Key KBKDF [SP800- KDF SP800-108 Derivation with Strength: 128 - 108r1]:KDF Mode: KDF SP800-108 HMAC 256 bits Counter and KDF SP800-108 Supported Feedback MAC KDF SP800-108 [output] Mode: HMAC-SHALengths: 8-4096 1, HMAC-SHA2-224, Increment 8 HMAC-SHA2- 256, Fixed Data HMAC-SHA2-384, Order: Before HMAC- SHA2-512; Fixed Data Counter Length: 32 This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms Key wrapping/ KTS-Wrap Key Size/ Key KTS (AES) [FIPS 197; AES-KW Key unwrapping Strength: 128, SP 800-38 F]:AES- AES-KW 192, 256-bits KW AES-KW AES-KW RSA Asymmetric AsymKeyPair- Key Size: 2048, RSA [FIPS 186- 4]; RSA KeyGen Key Generation KeyGen 3072, 4096-bits. ANSI X9.31:CKG (FIPS186-4) CKG Key Strength: using method in RSA KeyGen from 112 to Sections 4 and 5.1 (FIPS186-4) 150-bits [SP 800-133Rev2] RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) RSA Digital DigSig-SigGen Key Size: 2048, RSA [FIPS 186- RSA SigGen Signature 3072, 4096-bits. 4]:PKCS#1 v1.5 and (FIPS186-4) Generation Key Strength: PKCS PSS RSA SigGen from 112 to (FIPS186-4) 150-bits RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) RSA Digital DigSig-SigVer Key Size: 1024, RSA [FIPS 186- RSA SigVer Signature 2048, 3072, 4]:PKCS#1 v1.5 and (FIPS186-4) Verification 4096- bits. Key PKCS PSS RSA SigVer Strength: from (FIPS186-4)
(FIPS186-4) RSA SigVer (FIPS186-4) Safeprime Key AsymKeyPair- Safe Prime Safe Primes Key Safe Primes Key Generation KeyGen Groups: MODP- Generation:Safe Generation CKG 2048, MODP- Prime Groups: Safe Primes Key 3072, MODP- MODP-2048, MODP- Generation 4096, MODP- 3072, MODP-4096, 6144, MODP- MODP-6144, MODP8192. Key 8192; CKG using Strength: from method in Sections 4
133Rev2] This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms Message Digest SHA N/A SHS [FIPS 180- SHA-1 4]:SHA1 SHA-1 SHS [FIPS 180- SHA-1 4]:SHA224 SHA-1 SHS [FIPS 180- SHA2-224 4]:SHA256 SHA2-224 SHS [FIPS 180- SHA2-224 4]:SHA384 SHA2-224 SHS [FIPS 180- SHA2-256 4]:SHA512 SHA2-256 SHS [FIPS 180- SHA2-256 4]:SHA512/256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 SHA2-512/256 SHA2-512/256 SHA2-512/256 SHA2-512/256 PBKDF Key PBKDF Key Size / Key PBKDF [SP800- PBKDF Derivation Strength: 128 - 132]:HMAC with: PBKDF
Password SHA-256, SHA-384, PBKDF length: 8- 128 SHA-512 bytes Increment 1 Salt Length: 128-4096 Increment 8 Iteration Count: 10-1000 Increment 1 This document may be reproduced and distributed only in its original entirely without revision.
Name Type Description Properties Algorithms KBKDF Key KBKDF Key Size / Key KBKDF [SP800- KDF SP800-108 Derivation with Strength: 128 - 108r1]:KDF Mode: KDF SP800-108 CMAC 256 bits Counter CMAC Supported Mode: CMAC[output] AES128, CMACLengths: 8-4096 AES192, CMACIncrement 8 AES256 Fixed Data Order: Before Fixed Data Counter Length: 8, 16, 24, 32 Table 45: Security Function Implementations
GCM IV AES-GCM IV is constructed in compliance with IG C.H scenario 1 (TLS 1.2) and scenario 2 (IPsecv3). Users should consult IG C.H specific scenario for all the details and requirements of using AES-GCM mode. The GCM IV generation follows RFC 5288 and shall only be used for the TLS protocol version 1.2. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the TLS protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. The GCM IV generation follows RFC 4106 and shall only be used for the IPsec-v3 protocol version 3. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the IPsec protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the IPsec protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. In both protocols in case the module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the module; however, it is met implicitly. The module does not retain any state when power is lost. As indicated in Table 11, column Storage, the module exclusively uses volatile storage. This means that AES-GCM key/IVs are not persistently stored during power off: therefore, there is no re-connection possible when the power is back on with re-generation of the key used for GCM. After restoration of the power, the user of the module (e.g., TLS, IKE) along with User application This document may be reproduced and distributed only in its original entirely without revision.
that implements the protocol, must perform a complete new key establishment operation using new random numbers (Entropy input string, DRBG seed, DRBG internal state V and Key, shared secret values that are not retained during power cycle, see table 11) with subsequent KDF operations to establish a new GCM key/IV pair on either side of the network communication channel. AES-XTS AES-XTS mode is only approved for hardware storage applications. The length of the AES-XTS data unit does not exceed 220 blocks. The module checks explicitly that Key_1 ≠ Key_2 before using the keys in the XTS-Algorithm to process data with them compliant with IG C.I. Key Derivation using SP 800-132 PBKDF2 The module implements a CAVP compliance tested key derivation function compliant to [SP800132]. The service returns the key derived from the provided password to the caller. The length of the password used as input to PBKDFv2 shall be at least 8 characters and the worst-case probability of guessing the value is 10^8 assuming all characters are digits only. The user shall choose the password length and the iteration count in such a way that the combination will make the key derivation computationally intensive. PBKDFv2 is implemented to support the option 1a specified in section 5.4 of [SP800-132]. The keys derived from [SP800-132] map to section 4.1 of [SP800-133rev2] as indirect generation from DRBG. The derived keys may only be used in storage applications.
Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample Apple corecrypto Physical See Tested 256 bit 256 bit SHA-256 [ACVP physical entropy Operational cert. # C1223] source Environment Table in section 2.2 Apple corecrypto Non- See Tested 256 bit 256 bit SHA-256 [ACVP non- physical Physical Operational Certs. # A3687, entropy source Environment Table in A3522] section 2.2 Table 46: Entropy Sources Entropy sources: Two entropy sources (one non-physical entropy source and one physical entropy source) residing within the TOEPP provide the random bits. The entropy sources are located within the physical perimeter of the module (TOEPP) but outside the cryptographic boundary of the module. This document may be reproduced and distributed only in its original entirely without revision.
RBGs: The NIST [SP 800-90ARev1] approved deterministic random bit generators (DRBG) used for random number generation is a CTR_DRBG using AES-256 with derivation function and without prediction resistance. The module performs DRBG health tests according to [SP800-90ARev1 section 11.3]. The deterministic random bit generators are seeded by /dev/random. The /dev/random is the User Space interface. RBG Output: The output of entropy sources provides 256-bits of entropy to seed and reseed SP800-90ARev1 DRBG during initialization (seed) and reseeding (reseed).
The module generates RSA, Diffie-Hellman, and ECDSA and EC Diffie-Hellman keys and SSPs in accordance with FIPS 140-3 IG D.H. The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per sections 4 and 5.1 [SP800-133r2] (vendor affirmed), compliant with [FIPS186-4], and using DRBG compliant with [SP800-90ARev1]. A seed (i.e., the random value) used in asymmetric key generation is a direct output from [SP800-90ARev1] CTR_DRBG. The key generation service for RSA, Diffie-Hellman, ECDSA and EC Diffie-Hellman key pairs as well as the [SP 800-90ARev1] DRBG have been ACVT tested with algorithm certificates found in the Approved Algorithms Table.
The module provides the following key/SSP establishment services in the Approved mode:
The module provides SP800-56ARev3 compliant key establishment according to FIPS 140-3 IG D.F scenario 2 path (1) with Diffie-Hellman shared secret computation. The shared secret computation provides between 112 and 200 bits of encryption strength.
No parts of the TLS or IPsec protocols, other than those mentioned above, have been tested by the CAVP and CMVP. This document may be reproduced and distributed only in its original entirely without revision.
Physical Logical Data That Passes Port Interface(s) N/A Data Input Data inputs/outputs are provided in the variables passed in the C Data language Application Programming Interfaces (APIs) and callable Output service invocations, generally through caller-supplied buffers N/A Control Control inputs which control the mode of the module are provided Input through dedicated parameters. N/A Status Status output is provided in return codes and through messages. Output Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation. Table 47: Ports and Interfaces The module does not implement a Control Output Logical Interface This document may be reproduced and distributed only in its original entirely without revision.
FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not support an authentication mechanism for Crypto Officer. The Crypto Officer role is authorized to access all services provided by the module (see Table - Approved Services and Table - Non-Approved Services).
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 48: Roles
The module implements a dedicated API function to indicate if a requested service utilizes an approved security function (see also section 2.4). Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access AES Execute 1 plaintext ciphertext Unauthentica Crypto Encryption/Decryp AES- data and data / ted Officer tion mode key / plaintext Symmetric - AES encrypt ciphertex data Encryption key: W,E or t data and decrypt and key Decryption operation Authenticate d Symmetric Encryption and Decryption AES Key Wrapping Execute 1 AES key wrapped Key Crypto / Key unwrapping AES-key wrapping key / wrapping/ Officer wrapping key, unwrapped Key - AES or unwrapp key unwrapping keyunwrappi ed key / wrappin ng Wrapped g key: operation key, AES W,E key This document may be reproduced and distributed only in its original entirely without revision.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access wrapping key Secure Hash Generate 1 message digest Message Crypto Generation a digest Digest Officer for the requested algorithm Message Generate 1 message, MAC CMAC Crypto Authentication a MAC MAC key, Message Officer Generation digest MAC Authenticatio - AES using the algorith n key: W,E requested m HMAC - HMAC SHA Message key: W,E algorithm Authenticatio or AES n algorithm Message Verify a 1 MAC, pass/fail CMAC Crypto Authentication MAC message, Message Officer Code Verification digest MAC key, Authenticatio - AES MAC n key: W,E algorith HMAC - HMAC m Message key: W,E Authenticatio n RSA signature Sign a 1 SigGen: SigGen: RSA Digital Crypto generation and message private computed Signature Officer verification with a key, signature; Generation - RSA specified message, SigVer: RSA Digital key pair: RSA hash pass/fail Signature W,E private function; result of Verification key. SigVer: digital Verify the public signature signature key, verification of a digital message signature with a , specified message, RSA This document may be reproduced and distributed only in its original entirely without revision.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access public hash key. function ECDSA signature Sign a 1 SigGen: SigGen: ECDSA Digital Crypto generation and message private computed Signature Officer verification with a key, signature; Generation - ECDSA specified message, SigVer: ECDSA Digital key pair: ECDSA hash pass/fail Signature W,E private function; result of Verification key Verify SigVer: digital the public signature signature key, verification of a digital message signature with a , specified message, ECDSA hash public function key Random Number Generate 1 Length random bit- Random Crypto Generation random or size string Number Officer number for Generation requeste Entropy d input numbers string: E - DRBG seed, internal state V value, and key: G,R,E PBKDF Derive 1 Password PBKDF PBKDF Key Crypto key from derived key Derivation Officer password - PBKDF derived key: G,R - PBKDF passwor d: E This document may be reproduced and distributed only in its original entirely without revision.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access KBKDF Derive 1 Derivatio KBKDF KBKDF Key Crypto key from n key derived key Derivation Officer key with HMAC - KBKDF derivation KBKDF Key key key Derivation derivati with CMAC on key: W,E - KBKDF derived key: G,R,E RSA key pair Generate 1 Modulus RSA key RSA Crypto generation a keypair size pair Asymmetric Officer for a Key - RSA requested Generation key pair: modulus G,R,E ECDSA key pair Generate 1 Curve ECDSA key ECDSA Crypto generation a keypair pair Asymmetric Officer for a Key - ECDSA requested Generation key pair: elliptic ECDSA G,R,E curve Asymmetric Key Verification Safe primes key Generate 1 Curve Diffie_Hellm Safeprime Crypto generation a keypair an key pair Key Officer for a Generation - Diffierequested Hellman 'safe' key pair: domain G,R,E paramete r Diffie-Hellman Generate 1 Received DH shared FFC Shared Crypto shared secret a shared public secret Secret Officer computation secret key and Computation - Diffiepossesse Hellman d private shared key This document may be reproduced and distributed only in its original entirely without revision.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access secret: G,R,W,E EC Diffie-Hellman Generate 1 Received ECDH ECC Shared Crypto shared secret a shared public shared Secret Officer computation secret key and secret Computation - EC possesse Diffied private Hellman key shared secret: G,R,W,E Self-test execute 1 power pass/fail Unauthentica Crypto CASTs in results ted Officer table Symmetric - HMAC section Encryption key: E
10.2 and - AES
Decryption key: E Authenticate - AES d Symmetric keyEncryption wrappin and g key: E Decryption - ECDSA Random key pair: Number E Generation - RSA ECDSA key pair: Asymmetric E Key - DRBG Generation seed, ECDSA internal Asymmetric state V Key value, Verification and key: ECDSA Digital E Signature - PBKDF Generation derived ECDSA Digital key: E Signature - KBKDF Verification key CMAC derivati This document may be reproduced and distributed only in its original entirely without revision.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access Message on key: Authenticatio E n - KBKDF HMAC derived Message key: E Authenticatio - EC n DiffieECC Shared Hellman Secret shared Computation secret: E FFC Shared - EC Secret Diffie Computation Hellman KBKDF Key key pair: Derivation E with HMAC - DiffieKey Hellman wrapping/ shared Key secret: E unwrapping - DiffieRSA Hellman Asymmetric key pair: Key E Generation RSA Digital Signature Generation RSA Digital Signature Verification Safeprime Key Generation Message Digest PBKDF Key Derivation KBKDF Key Derivation with CMAC This document may be reproduced and distributed only in its original entirely without revision.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access Show Status Return N/A N/A Status None Crypto the output Officer module status Show module Return N/A N/A Module None Crypto version info Module informatioi Officer Base n Name and Module Version Number Zeroization SSPs are 1 N/A N/A None Crypto zeroised Officer when the - AES system is key: Z powered - AES down, keywhen all wrappin resources g key: Z of - HMAC symmetri key: Z c crypto - ECDSA function key pair: context, Z all - RSA resources key pair: of hash Z context, all Entropy resources input of Diffie- string: Z Hellman - DRBG context seed, for Diffie- internal Hellman state V and EC value, Diffie- and key: Hellman, Z This document may be reproduced and distributed only in its original entirely without revision.
Name Descripti Indicat Inputs Outputs Security SSP on or Functions Access all - PBKDF resources derived of key: Z asymmetr - KBKDF ic crypto key function derivati context on key: and all Z resources - PBKDF of key passwor derivation d: Z function - KBKDF context key are derivati released on key: Z - DiffieHellman key pair: Z - EC Diffie Hellman key pair: Z - DiffieHellman shared secret: Z - EC DiffieHellman shared secret: Z Table 49: Approved Services The abbreviations of the access rights to SSPs have the following interpretation: This document may be reproduced and distributed only in its original entirely without revision.
G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A = The service does not access any SSP during its operation
Name Description Algorithms Role Triple-DES encryption / Execute Triple-DES mode Triple-DES [SP 800- CO decryption encrypt or decrypt 67r2] operation. RSA Key Encapsulation The CAST does not perform RSA Key Wrapping CO the full KTS, only the raw RSA encrypt/decrypt. RSA Key pair Generation Generate a keypair with RSA KeyGen CO non-approved key sizes RSA Signature Generation Sign a message with non- RSA SigGen CO approved private key RSA Signature Verification Verify the signature of a RSA SigVer CO message with a nonapproved public key. Diffie Hellman Shared Secret For key sizes < 2048 Diffie-Hellman CO Computation EC Diffie Hellman Shared Secret For curve sizes < P-224 EC Diffie-Hellman CO Computation ECDSA key-pair generation , For curve P-192 ECDSA CO ECDSA key verification, ECDSA signature generation, ECDSA signature verification ECDSA Key Pair Generation for For compact point ECDSA KeyGen CO compact point representation of representation of points points EdDSA Key Generation, Signature Ed25519 EdDSA CO Generation, Signature Verification ECDH Key Agreement X25519 ECDH CO This document may be reproduced and distributed only in its original entirely without revision.
Name Description Algorithms Role Hybrid encryption scheme Encryption schemes that Integrated CO combine asymmetric and Encryption Scheme symmetric algorithms on elliptic curves (ECIES) HPKE (Hybrid Public Key Encryption) [RFC9180] ANSI X9.63 Key Derivation SHA-1 hash-based ANSI X9.63 KDF CO SP800-56Crev2 Key Derivation SHA-256 hash-based HKDF [SP800- CO (HKDF) 56Crev2] RFC6637 Key Derivation SHA hash based RFC6637 CO OMAC Message Authentication One-Key CBC-MAC using OMAC (One-Key CO Code Generation and Verification 128-bit key CBC MAC) Message digest generation Message digest generation MD2 CO using non-approved MD4 algorithms MD5 (except in the TLS 1.0/1.1 context) RIPEMD SHA-3 Keccak Symmetric encryption / Symmetric encryption / Blowfish CO decryption decryption using non- CAST5 approved algorithms DES RC2 RC4 Table 50: Non-Approved Services
N/A This document may be reproduced and distributed only in its original entirely without revision.
A software integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e. the module is not operational.
The module’s integrity test can be performed on demand by power-cycling the computing platform. Integrity tests on demand is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power- on. This document may be reproduced and distributed only in its original entirely without revision.
Type of Operational Environment: Modifiable
The module is supplied as part of Device OS, a commercially available general-purpose operating system executing on the computing platforms specified in section 2.2. This document may be reproduced and distributed only in its original entirely without revision.
The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v12.0 [Apple silicon, User, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirely without revision.
Per IG 12.A, until the requirements of NIST SP 800-140F are defined, non-invasive mechanisms fall under ISO/IEC 19790:2012 Section 7.12 Mitigation of other attacks. The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.
Storage Description Persistence Area Type Name RAM The module stores ephemeral SSPs in RAM provided by the Dynamic operational environment. They are received for use or generated by the module only at the command of the calling application. The operating system protects all SSPs through the memory separation and protection mechanisms. No process other than the module itself can access the SSPs in its process’ memory. Table 51: Storage Areas
Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operating Cryptographic Plaintext Manual Electronic parameters calling module application (TOEPP) API output Cryptographic Operating Plaintext Manual Electronic parameters module calling application (TOEPP) Table 52: SSP Input-Output Methods
Zeroization Description Rationale Operator Method Initiation Context object SSPs are zeroised when the Zeroization when structure By calling the destruction appropriate context object is deallocated zeroization is destroyed function cc_clear Power down SSPs are zeroised when the SSPs are zeroised when the Operator can system is powered down system is powered down initiate power down This document may be reproduced and distributed only in its original entirely without revision.
Zeroization Description Rationale Operator Method Initiation Intermediate Intermediate keygen values Intermediate keygen values N/A value are zeroized before the are zeroized before the zeroization module returns from the module returns from the key generation function. key generation function. Table 53: SSP Zeroization Methods Data output interfaces are inhibited while zeroisation is performed.
Name Description Size - Type - Generated Established Used By Strengt Category By By h AES key AES key 128 to Symmetric Unauthenticate
256 bits - CSP d Symmetric
256 bits Decryption
Authenticated Symmetric Encryption and Decryption CMAC Message Authentication AES key- AES KW 128 to symmetric Key wrapping/ wrapping 256 bits - CSP Key key - 128 to unwrapping
HMAC HMAC key 8- MAC - CSP HMAC key 262144 Message bits - Authentication
256-bits ECDSA ECDSA key P-224, Asymmetri ECDSA ECDSA key pair pair P-256, c - CSP Asymmetri Asymmetric (including P-384, c Key Key Verification intermediat P-521 - Generation ECDSA Digital e keygen 112 to Signature values) 256 bits Generation ECDSA Digital This document may be reproduced and distributed only in its original entirely without revision.
Name Description Size - Type - Generated Established Used By Strengt Category By By h Signature Verification RSA key RSA key 2048 - Asymmetri RSA RSA Digital pair pair 4096 - c - CSP Asymmetri Signature (including 112 to c Key Generation intermediat 150 bits Generation RSA Digital e keygen Signature values) Verification Entropy Entropy 256 bits Entropy Random input input string. - 256 input Number string Obtained bits string - Generation from the CSP entropy source, used to seed the DRBG DRBG DRBG input 256 bits DRBG - Random Random seed, parameters - 256 CSP Number Number internal bits Generation Generation state V value, and key PBKDF PBKDF 128 to Storage PBKDF Key derived derived key 256 bits key - CSP Derivation key - 128 to
PBKDF PBKDF 64 to Password - PBKDF Key password password 1024 CSP Derivation bits N/A KBKDF KBKDF key 128 to Derivation KBKDF Key key derivation 256 bits key - CSP Derivation with derivatio key - 128 to HMAC n key 256 bits KBKDF Key This document may be reproduced and distributed only in its original entirely without revision.
Name Description Size - Type - Generated Established Used By Strengt Category By By h Derivation with CMAC KBKDF KBKDF 128 to Derived KBKDF Key derived derived key 256 bits key - CSP Derivation key - 128 to with
KBKDF Key Derivation with CMAC Diffie- Diffie- MODP- Asymmetri Safeprime FFC Shared Hellman Hellman 2048, c - CSP Key Secret key pair key pair MODP- Generation Computation (including 3072, intermediat MODPe keygen 4096, values) MODP6144, MODP-
Diffie- Diffie- MODP- Asymmetri FFC Shared Hellman Hellman 2048, c - CSP Secret shared shared MODP- Computatio secret secret 3072, n MODP4096, MODP6144, MODP-
EC Diffie EC Diffie- P-224, Asymmetri ECDSA ECC Shared Hellman Hellman P-256, c - CSP Asymmetri Secret key pair key pair P-384, c Key Computation (including P-521 - Generation intermediat This document may be reproduced and distributed only in its original entirely without revision.
Name Description Size - Type - Generated Established Used By Strengt Category By By h e keygen 112values) 256 bits EC Diffie- EC Diffie- P-224, Asymmetri ECC Shared Hellman Hellman P-256, c - CSP Secret shared shared P-384, Computatio secret secret P-521 - n 112-
Table 54: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input RAM:Plaintext From service Context parameters invocation object to service destruction completion Power down AES key- API input RAM:Plaintext From service Context wrapping parameters invocation object key to service destruction completion Power down HMAC key API input RAM:Plaintext From service Context parameters invocation object to service destruction completion Power down ECDSA key API input RAM:Plaintext From service Context DRBG seed, pair parameters invocation object internal state V API output to service destruction value, and parameters completion Power down key:Used With Intermediate value zeroization RSA key API input RAM:Plaintext From service Context DRBG seed, pair parameters invocation object internal state V destruction Power down This document may be reproduced and distributed only in its original entirely without revision.
Name Input - Storage Storage Zeroization Related SSPs Output Duration API output to service Intermediate value, and parameters completion value key:Used With zeroization Entropy RAM:Plaintext Storage Power down DRBG seed, input duration internal state V string during the value, and usage of the key:Used With CSP DRBG RAM:Plaintext Storage Power down Entropy input seed, duration string:Derived internal during the From state V usage of the value, and CSP key PBKDF API output RAM:Plaintext From service Context PBKDF derived parameters invocation object password:Derived key to service destruction From completion Power down PBKDF API input RAM:Plaintext From service Context PBKDF derived password parameters invocation object key:Used With to service destruction completion Power down KBKDF key API input RAM:Plaintext From service Context KBKDF derived derivation parameters invocation object key:Used With key to service destruction completion Power down KBKDF API output RAM:Plaintext From service Context KBKDF key derived parameters invocation object derivation key to service destruction key:Derived From completion Power down Diffie- API input RAM:Plaintext From service Context Diffie-Hellman Hellman parameters invocation object shared secret:Used key pair API output to service destruction With parameters completion Power down Intermediate value zeroization This document may be reproduced and distributed only in its original entirely without revision.
Name Input - Storage Storage Zeroization Related SSPs Output Duration Diffie- API output RAM:Plaintext From service Context Diffie- Hellman key Hellman parameters invocation object pair:Used With shared to service destruction secret completion Power down EC Diffie API input RAM:Plaintext From service Context EC Diffie-Hellman Hellman parameters invocation object shared secret:Used key pair API output to service destruction With parameters completion Power down Intermediate value zeroization EC Diffie- API output RAM:Plaintext From service Context EC Diffie Hellman Hellman parameters invocation object key pair:Used With shared to service destruction secret completion Power down Table 55: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.
While the module is executing the self-tests, services are not available, and input and output are inhibited.
The module performs a pre-operational software integrity automatically when the module is loaded into memory (i.e., at power on) before the module transitions to the operational state. A software integrity test is performed on the runtime image of the module with HMAC-SHA256 used to perform the approved integrity technique. Prior to using HMAC-SHA-256, a Conditional Cryptographic Algorithm Self-Tests (CAST) is performed. Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 112-bit Message SW/FW Module The HMAC-SHA2-256 SHA2-256 key Authentication Integrity successful value calculated at (A3486) execution runtime is compared with the HMAC-SHA2-
module, computed at compilation time. Table 56: Pre-Operational Self-Tests
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-GCM 128-bit key KAT CAST Module Authenticated Test runs at (A3424) becomes decryption Power-on operational operation before the integrity test Counter AES 128-bit KAT CAST Module Health test per Test runs at DRBG key becomes SP800- 90ARev1 Power-on (A3487) operational section 11.3 before the integrity test HMAC- SHA2-256 KAT CAST Module Message Test runs at SHA2-256 becomes authentication Power-on (A3426) operational before the integrity test This document may be reproduced and distributed only in its original entirely without revision.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC- SHA-1 KAT CAST Module Message Test runs at SHA-1 becomes authentication Power-on (A3426) operational before the integrity test HMAC- SHA2-512 KAT CAST Module Message Test runs at SHA2-512 becomes authentication Power-on (A3426) operational before the integrity test RSA KeyGen SHA2-256 PCT PCT Successful Calculation and RSA key pair (FIPS186-4) and key verification of a generation. (A3426) respective generation digital signature keys RSA SigGen PKCS#1 KAT CAST Module Signature Test runs at (FIPS186-4) v1.5 with becomes Generation or Power-on (A3426) 2048 bit key operational Key Generation before the and SHA2- service request integrity test RSA SigVer PKCS#1 KAT CAST Module Signature Test runs at (FIPS186-4) v1.5 with becomes Verification or Power-on (A3426) 2048 bit key operational Key Generation before the and SHA2- service request integrity test ECDSA SHA2-256 PCT PCT Successful Key generation EC key pair KeyGen and key generation. (FIPS186-4) respective generation (A3426) keys ECDSA P-224 with KAT CAST Module Signature Test runs at SigGen SHA-224 becomes Generation or Power-on (FIPS186-4) operational Key Generation before the (A3426) service request integrity test ECDSA P-224 with KAT CAST Module Signature Test runs at SigVer SHA-224 becomes Verification or Power-on (FIPS186-4) operational Key Generation before the (A3426) service request integrity test This document may be reproduced and distributed only in its original entirely without revision.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type KAS-ECC- P-224 curve KAT CAST Module Shared secret Test runs at SSC Sp800- becomes computation Power-on 56Ar3 operational before the (A3426) integrity test KAS-FFC- MODP- KAT CAST Module Shared secret Test runs at SSC Sp800- 2048 becomes computation Power-on 56Ar3 operational before the (A3426) integrity test KDF SP800- Counter KAT CAST Module Key derivation Test runs at
108 (A3426) mode using becomes Power-on
SHA-1, operational before the SHA-256, integrity test SHA-512 PBKDF SHA-1, KAT CAST Module Key derivation Test runs at (A3426) SHA-256, becomes Power-on SHA-512 operational before the integrity test Safe Primes MODP- PCT PCT Successful Section 5.6.2.1.4 key gen Key 2048 key of SP 800Generation generation 56Arev3 (A3426) AES-CBC 128-bit key KAT CAST Module Encryption and Test runs at (A3423) becomes decryption run Power-on operational separately before the integrity test AES-ECB 128-bit key KAT CAST Module Encryption and Test runs at (A3423) becomes decryption run Power-on operational separately before the integrity test AES-XTS 128-bit key KAT CAST Module Encryption Test runs at Testing becomes Power-on Revision 2.0 operational before the (A3483) integrity test AES-CCM 128-bit key KAT CAST Module Authenticated Test runs at (A3424) becomes encryption and Power-on operational This document may be reproduced and distributed only in its original entirely without revision.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type decryption run before the separately integrity test AES-CMAC 128-bit key KAT CAST Module Authenticated Test runs at (A3426) becomes encryption Power-on operational before the integrity test HMAC- SHA2- KAT CAST Module Message Test runs at SHA2- 512/256 becomes authentication Power-on 512/256 operational before the (A3486) integrity test Table 57: Conditional Self-Tests
Name Description Conditions Recovery Indicator Method Error
256 value Software which results Print statement “FAILED:<event>” to
computed Integrity in the stdout (<event> refers to any of the over the Test failure module cryptographic functions listed Table module did or being Conditional Self-Tests
Name Description Conditions Recovery Indicator Method signature failed to verify successfully in the Conditional PCT. No cryptographic services are provided, and data output is prohibited Table 58: Error States
The module permits operators to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by rebooting the system (i.e., power-cycling). This document may be reproduced and distributed only in its original entirely without revision.
Startup Procedures: The module is built into Device OS defined in section 2 and delivered/ installed with the respective Device OS. There is no standalone delivery of the module as a software library. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self- tests.
The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. The ESV Public Use Document (PUD) reference for physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E14_PublicUse.pdf The ESV Public Use Document (PUD) reference for non-physical entropy source is: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E15_PublicUse.pdf Apple Platform Certifications guide [platform certifications] and Apple Platform Security guide [SEC] are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation.
None This document may be reproduced and distributed only in its original entirely without revision.
The Crypto Officer shall consider the following requirements and restrictions when using the module. AES-GCM see section 2.7. AES-XTS see section 2.7. PBKDF see section 2.7.
The module secure sanitization is accomplished through the Lost Mode, remote wipe, and remote lock sections of the provided vendor document [platform certifications]. The operator can initiate sanitization. This document may be reproduced and distributed only in its original entirely without revision.
The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.
Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program API Application Programming Interfaces CAST Cryptographic Algorithm Self-Test CAST5 A symmetric-key 64-bit block cipher with 128-bit key CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode DRBG Deterministic Random Bit Generator ECB Electronic Code Book ESVP Entropy Source Validation Program FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test KBKDF Key Based Key Derivation Function KDF Key Derivation Function KW AES Key Wrap MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PBKDF Password Based Key Derivation Function PRF Pseudo-Random Function PSS Probabilistic Signature Scheme PUD Public Use Document (ESVP) RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSC Shared Secret Computation TOEPP Tested Operational Environment Physical Perimeter XTS XEX-based Tweaked-codebook mode with cipher text Stealing This document may be reproduced and distributed only in its original entirely without revision.
Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements for Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 SP 800-140x CMVP FIPS 140-3 Related Reference https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3standards FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program September 2020 https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS140-3_MM CMVP FIPS 140-3 Draft Management Manual https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3CMVP%20Management%20Manual%20v2.0.pdf SP 800-140 FIPS 140-3 Derived Test Requirements (DTR) https://csrc.nist.gov/publications/detail/sp/800-140/final SP 800-140A CMVP Documentation Requirements https://csrc.nist.gov/publications/detail/sp/800-140a/final SP 800-140Br1 CMVP Security Policy Requirements https://csrc.nist.gov/pubs/sp/800/140/b/r1/final SP 800-140C CMVP Approved Security Functions https://csrc.nist.gov/publications/detail/sp/800-140c/final SP 800-140D CMVP Approved Sensitive Security Parameter Generation and Establishment Methods https://csrc.nist.gov/publications/detail/sp/800-140d/final SP 800-140E CMVP Approved Authentication Mechanisms https://csrc.nist.gov/publications/detail/sp/800-140e/final SP 800-140F CMVP Approved Non-Invasive Attack Mitigation Test Metrics https://csrc.nist.gov/publications/detail/sp/800-140f/final FIPS180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf This document may be reproduced and distributed only in its original entirely without revision.
FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 http://www.ietf.org/rfc/rfc3394.txt RFC5649 Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm September 2009 http://www.ietf.org/rfc/rfc5649.txt RFC9180 Hybrid Public Key Encryption February 2022 https://www.ietf.org/rfc/rfc9180.pdf SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf This document may be reproduced and distributed only in its original entirely without revision.
SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-56Ar3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography April, 2018 https://doi.org/10.6028/NIST.SP.800-56Ar3 SP800-56Br2 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography March 2019 https://doi.org/10.6028/NIST.SP.800-56Br2 SP800-56Cr2 Recommendation for Key-Derivation Methods in Key-Establishment Schemes August 2020 https://doi.org/10.6028/NIST.SP.800-56Cr2 SP800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://doi.org/10.6028/NIST.SP.800-57pt1r5 SP800-67r2 NIST Special Publication 800-67 Revision 1 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher January 2012 (withdrawn January 2014) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions (Revision 1) https://doi.org/10.6028/NIST.SP.800-108r1 SP800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP800-132 NIST Special Publication 800-132 - Recommendation for Password-Based Key Derivation Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf This document may be reproduced and distributed only in its original entirely without revision.
SP800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP800-135r1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing ApplicationSpecific Key Derivation Functions December 2011 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf SEC Apple Platform Security https://support.apple.com/guide/security/welcome/web https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-securityguide.pdf platform Apple Security Certifications and Compliance Center certifications https://support.apple.com/en-gw/guide/certifications/welcome/web This document may be reproduced and distributed only in its original entirely without revision.