All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Wave Relay® User Space Crypto Module

Certificate#5079StandardFIPS 140-3Level2TypeSoftwareEmbodimentSingle ChipStatusActiveVendorPersistent Systems, LLC
Low review priority  ·  no TCB surface named  ·  last validated 9 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeSoftware
EmbodimentSingle Chip
StatusActive
Sunset date10/7/2030
CaveatWhen operated in approved mode, No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorPersistent Systems, LLC

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Wave Relay® User Space Crypto Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware Load<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Wave Relay® User Space Crypto Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware Load<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>status output<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Persistent Systems, LLC Wave Relay® User Space Crypto Module Document Version: 1.2 Date: September 29, 2025

Page 2
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)7
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description9
Table 5: Approved Algorithms14
Table 6: Vendor-Affirmed Algorithms15
Table 7: Non-Approved, Not Allowed Algorithms15
Table 8: Security Function Implementations40
Table 9: Ports and Interfaces43
Table 10: Authentication Methods44
Table 11: Roles44
Table 12: Approved Services49
Table 13: Non-Approved Services49
Table 14: Storage Areas52
Table 15: SSP Input-Output Methods53
Table 16: SSP Zeroization Methods53
Table 17: SSP Table 156
Table 18: SSP Table 259
Table 19: Pre-Operational Self-Tests61
Table 20: Conditional Self-Tests65
Table 21: Pre-Operational Periodic Information65
Table 22: Conditional Periodic Information66
Table 23: Error States67
Table 24 – References70
Table 25 – Acronyms and Definitions70
Figure 1 Logical Cryptographic Boundary and Physical Perimeter6
Page 5

Section Title Security Level

1 General 2
2 Cryptographic module specification 2
3 Cryptographic module interfaces 2
4 Roles, services, and authentication 2
5 Software/Firmware security 2
6 Operational environment 2

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 2
10 Self-tests 2
11 Life-cycle assurance 2

12 Mitigation of other attacks N/A

Overall Level 2 Table 1: Security Levels

2 – Cryptographic Module Specification

FIPS validated connectivity drives mission success. This Persistent Systems LLC Wave Relay® User Space Crypto Module, hereafter denoted as the “module”, is a Software cryptographic module embedded in the Wave Relay® System that provides FIPS validated cryptographic algorithms which are used by user space system services & protocols (e.g., TLS, IPsec, etc.) The Wave Relay® System is a peer-to-peer wireless MANET networking solution in which there is no master node. If any device fails, the rest of the devices continue to communicate using any remaining connectivity. By eliminating master nodes, gateways, access points, and central coordinators from the design, Wave Relay® delivers high levels of fault tolerance regardless of which nodes might fail.

2.1 Description

Purpose and Use: The module is intended for use by US Federal agencies or other markets that require FIPS 140-3 validated cryptography. The module is intended to be used in various products within the vendor’s portfolio of solutions. Built to create powerful, secure networks anywhere, the module is used to unite all critical data sources in real time giving you and your team the confidence to make difficult decisions in the heat of the moment. Module Type: Software Module Embodiment: SingleChip

Page 6

Module Characteristics: Cryptographic Boundary: The TOEPP of the module is depicted in Figure 1. The Module is a single-chip embodiment. The cryptographic boundary is outlined in red and is defined as a dynamic software library (fips.so). The following block diagram details the module’s boundaries: Figure 1 Logical Cryptographic Boundary and Physical Perimeter

2.2 Tested and Vendor Affirmed Module Version and Identification

N/A for this module. Tested Module Identification

Page 7

Package or File Software/ Firmware Features Integrity Test Name Version Wave Relay User 1.0 HMAC-SHA2-256 Space Crypto Module Table 2: Tested Module Identification

Page 8

Tested Operational Environments - Software, Firmware, Hybrid: Wave Relay® User Space Crypto Module cryptographic module is tested on the following operational environments. Operating Hardware Processors PAA/PAI Hypervisor Version(s) System Platform or Host OS Wave MPU (5th MCIMX6Q6AVT10AE, Yes 1.0 Relay® Generation) MCIMX6Q6AVT10AD OS 2.2 Wave Embedded MCIMX6Q7CZK08AE, Yes 1.0 Relay® Module MSCMMX6QZCK08AB OS 2.2 Wave Embedded MCIMX6Q7CZK08AE, Yes 1.0 Relay® Module lite MSCMMX6QZCK08AB OS 2.2 Wave GVR5 MCIMX6Q7CZK08AE Yes 1.0 Relay® OS 2.2 Wave Integrated MCIMX6Q7CZK08AE Yes 1.0 Relay® Antenna OS 2.2 Series Table 3: Tested Operational Environments - Software, Firmware, Hybrid N/A for this module.

2.3 Excluded Components

No components were excluded from the cryptographic boundary.

2.4 Modes of Operation

Modes List and Description: The Module supports an Approved mode and Non-Approved mode of operation. The module does not support a degraded mode. The Module’s status output will include a “FIPS Indicator” line. If this line explicitly states “not-approved”, then the Module is in the Non-Approved state; otherwise, the line will be blank, indicating the Approved state.

Page 9

Mode Description Type Status Name Indicator Approved The module supports Approved services in the Approved FIPS Indicator: Approved mode of operation. Non-Approved services are not supported in this mode. Non- The module is capable of non-approved services Non- FIPS Indicator: Approved in the non-approved mode of operation only. Approved not-approved Table 4: Modes List and Description Mode Change Instructions and Status : The module provides a service level indicator. All Approved services will indicate they are Approved services, and all non-Approved services will indicate they are non-Approved. No additional configuration or initialization is required.

2.5 Algorithms

Approved Algorithms: The Module implements cryptographic algorithms in the following providers:

Page 10

Algorithm CAVP Properties Reference Cert AES-CMAC A5177 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A5177 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5177 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A5177 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-GMAC A5177 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A5177 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5177 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A5177 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A5177 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A5177 Prediction Resistance - No, Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - No, Yes ECDSA KeyGen A5177 Curve - B-233, B-283, B-409, B-571, K-233, K- FIPS 186-4 (FIPS186-4) 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates ECDSA KeyVer A5177 Curve - B-163, B-233, B-283, B-409, B-571, K- FIPS 186-4 (FIPS186-4) 163, K-233, K-283, K-409, K-571, P-192, P224, P-256, P-384, P-521 ECDSA SigGen A5177 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - B-233, B-283, B-409, B-571, K-233, K283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256 ECDSA SigVer A5177 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - B-163, B-233, B-283, B-409, B-571, K163, K-233, K-283, K-409, K-571, P-192, P224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256

Page 11

Algorithm CAVP Properties Reference Cert Hash DRBG A5177 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC DRBG A5177 Prediction Resistance - No, Yes SP 800-90A Mode - SHA-1, SHA2-256, SHA2-512 Rev. 1 HMAC-SHA-1 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-224 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-256 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-384 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-512 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2- A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/224 8 HMAC-SHA2- A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/256 8 HMAC-SHA3-224 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-256 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-384 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-512 A5177 Key Length - Key Length: 8-524288 Increment FIPS 198-1 KAS-ECC CDH- A5177 Curve - B-233, B-283, B-409, B-571, K-233, K- SP 800-56A Component 283, K-409, K-571, P-224, P-256, P-384, P-521 Rev. 3 SP800-56Ar3 (CVL) KAS-ECC-SSC A5177 Domain Parameter Generation Methods - B- SP 800-56A Sp800-56Ar3 233, B-283, B-409, B-571, K-233, K-283, K- Rev. 3 409, K-571, P-224, P-256, P-384, P-521 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A5177 Domain Parameter Generation Methods - FB, SP 800-56A Sp800-56Ar3 FC, ffdhe2048, ffdhe3072, ffdhe4096, Rev. 3 ffdhe6144, ffdhe8192, MODP-2048, MODP3072, MODP-4096, MODP-6144, MODP-8192 Scheme dhEphem KAS Role - initiator, responder

Page 12

Algorithm CAVP Properties Reference Cert KAS-IFC-SSC A5177 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, Rev. 3 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KAS1 KAS Role - initiator, responder KAS2 KAS Role - initiator, responder KDA HKDF A5177 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 KDA OneStep A5177 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 KDA TwoStep A5177 MAC Salting Methods - default, random SP 800-56C SP800-56Cr2 KDF Mode - feedback Rev. 2 Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDF ANS 9.42 A5177 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 A5177 Hash Algorithm - SHA2-224, SHA2-256, SP 800-135 (CVL) SHA2-384, SHA2-512 Rev. 1 Key Data Length - Key Data Length: 128, 4096 KDF IKEv2 A5177 Diffie-Hellman Shared Secret Length - Diffie- SP 800-135 (CVL) Hellman Shared Secret Length: 224, 8192 Rev. 1 Derived Keying Material Length - Derived Keying Material Length: 160, 16384 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512 KDF SP800-108 A5177 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8-4096 Rev. 1 Increment 8

Page 13

Algorithm CAVP Properties Reference Cert KDF SSH (CVL) A5177 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512 KMAC-128 A5177 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A5177 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KTS-IFC A5177 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56B Key Generation Methods - rsakpg1-basic, Rev. 2 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 PBKDF A5177 Iteration Count - Iteration Count: 1-10000 SP 800-132 Increment 1 Password Length - Password Length: 8-128 Increment 8 RSA KeyGen A5177 Key Generation Mode - B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A5177 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA Signature A5177 Private Key Format - crt FIPS 186-4 Primitive (CVL) RSA SigVer A5177 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 Safe Primes Key A5177 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Generation ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 Safe Primes Key A5177 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Verification ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 SHA-1 A5177 Message Length - Message Length: 160, 0- FIPS 180-4

65536 Increment 8
Page 14

Algorithm CAVP Properties Reference Cert SHA2-224 A5177 Message Length - Message Length: 224, 0- FIPS 180-4

65536 Increment 8

SHA2-256 A5177 Message Length - Message Length: 256, 0- FIPS 180-4

65536 Increment 8

SHA2-384 A5177 Message Length - Message Length: 384, 0- FIPS 180-4

65536 Increment 8

SHA2-512 A5177 Message Length - Message Length: 512, 0- FIPS 180-4

65536 Increment 8

SHA2-512/224 A5177 Message Length - Message Length: 224, 0- FIPS 180-4

65536 Increment 8

SHA2-512/256 A5177 Message Length - Message Length: 256, 0- FIPS 180-4

65536 Increment 8

SHA3-224 A5177 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-256 A5177 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-384 A5177 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-512 A5177 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHAKE-128 A5177 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 SHAKE-256 A5177 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 TLS v1.2 KDF A5177 Hash Algorithm - SHA2-256, SHA2-384, SP 800-135 RFC7627 (CVL) SHA2-512 Rev. 1 TLS v1.3 KDF A5177 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Table 5: Approved Algorithms ApprovedAlgorithmsTable From Web Cryptik ApprovedAlgorithmsTable Vendor-Affirmed Algorithms: The Module supports SP800-133rev2, CKG, as the sole vendor affirmed cryptographic algorithm.

Page 15

Name Properties Implementation Reference CKG - Symmetric Key Type:Symmetric and N/A SP800-133rev2, and Asymmetric Asymmetric Section 4, Example 1 Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: The module does not support any Non-Approved but Allowed Algorithms in the Approved Mode of Operation. N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: The module does not implement any Non-Approved, Algorithms Allowed with No Security Claimed in the Approved Mode of Operation. N/A for this module. Non-Approved, Not Allowed Algorithms: The Module implements the Non-Approved, Not Allowed cryptographic algorithms listed in the table below. Name Use and Function AES (GCM) - Ext IV GCM with Externally Generated IVs Table 7: Non-Approved, Not Allowed Algorithms

Page 16
2.6 Security Function Implementations

The table below shows the Security Function Implementations that the module implements: Name Type Description Properties Algorithms BCU BC-UnAuth Symmetric Data Publication:FIPS 197 AES-CBC: (A5177) Encryption/Decryption Key Length: 128, 192, 256 AES-CBC-CS1: (A5177) Key Length: 128, 192, 256 AES-CBC-CS2: (A5177) Key Length: 128, 192, 256 AES-CBC-CS3: (A5177) Key Length: 128, 192, 256 AES-CFB128: (A5177) Key Length: 128, 192, 256 AES-CFB8: (A5177) Key Length: 128, 192, 256 AES-CTR: (A5177) Key Length: 128, 192, 256 AES-ECB: (A5177) Key Length: 128, 192, 256 AES-XTS Testing Revision 2.0: (A5177) Key Length: 128, 256 AES-OFB: (A5177) Key Length: 128, 192, 256 AES-CFB1: (A5177) Key Length: 128, 192, 256 BCA BC-Auth Authenticated Publications:FIPS197, AES-CCM: (A5177) Symmetric SP800-38C, SP800- Key Length: 128, 192, 256 Encryption/Decryption 38D, SP800-38F AES-GCM: (A5177) Key Length: 128, 192, 256

Page 17

Name Type Description Properties Algorithms AES-KW: (A5177) Key Length: 128, 192, 256 AES-KWP: (A5177) Key Length: 128, 192, 256 SigVer DigSig-SigVer Signature Verification Publication:186-4 ECDSA SigVer (FIPS186-4): (A5177) Capabilities: Capabilities: Curve: P-

192 Hash Algorithm: SHA-1

Capabilities: Curve: P-224 Hash Algorithm: SHA-1 Capabilities: Curve: P-256 Hash Algorithm: SHA-1 Capabilities: Curve: P-384 Hash Algorithm: SHA-1 Capabilities: Curve: P-521 Hash Algorithm: SHA-1 Capabilities: Curve: K-163 Hash Algorithm: SHA-1 Capabilities: Curve: K-233 Hash Algorithm: SHA-1 Capabilities: Curve: K-283 Hash Algorithm: SHA-1 Capabilities: Curve: K-409 Hash Algorithm: SHA-1 Capabilities: Curve: K-571 Hash Algorithm: SHA-1 Capabilities: Curve: B-163 Hash Algorithm: SHA-1 Capabilities: Curve: B-233 Hash Algorithm: SHA-1 Capabilities: Curve: B-283 Hash Algorithm: SHA-1 Capabilities: Curve: B-409 Hash Algorithm: SHA-1 Capabilities: Curve: B-571 Hash Algorithm: SHA-1 Capabilities: Curve: P-192

Page 18

Name Type Description Properties Algorithms Hash Algorithm: SHA2-224 Capabilities: Curve: P-224 Hash Algorithm: SHA2-224 Capabilities: Curve: P-256 Hash Algorithm: SHA2-224 Capabilities: Curve: P-

384 Hash Algorithm: SHA2-224

Capabilities: Curve: P-521 Hash Algorithm: SHA2-224 Capabilities: Curve: K-163 Hash Algorithm: SHA2-224 Capabilities: Curve: K-

233 Hash Algorithm: SHA2-224

Capabilities: Curve: K-283 Hash Algorithm: SHA2-224 Capabilities: Curve: K-409 Hash Algorithm: SHA2-224 Capabilities: Curve: K-

571 Hash Algorithm: SHA2-224

Capabilities: Curve: B-163 Hash Algorithm: SHA2-224 Capabilities: Curve: B-233 Hash Algorithm: SHA2-224 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-224

Capabilities: Curve: B-409 Hash Algorithm: SHA2-224 Capabilities: Curve: B-571 Hash Algorithm: SHA2-224 Capabilities: Curve: P-

192 Hash Algorithm: SHA2-256

Capabilities: Curve: P-224 Hash Algorithm: SHA2-256 Capabilities: Curve: P-256 Hash Algorithm: SHA2-256 Capabilities: Curve: P-

384 Hash Algorithm: SHA2-256
Page 19

Name Type Description Properties Algorithms Algorithm: SHA2-256 Capabilities: Curve: K-163 Hash Algorithm: SHA2-256 Capabilities: Curve: K-

233 Hash Algorithm: SHA2-256

Capabilities: Curve: K-283 Hash Algorithm: SHA2-256 Capabilities: Curve: K-409 Hash Algorithm: SHA2-256 Capabilities: Curve: K-

571 Hash Algorithm: SHA2-256

Capabilities: Curve: B-163 Hash Algorithm: SHA2-256 Capabilities: Curve: B-233 Hash Algorithm: SHA2-256 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-256

Capabilities: Curve: B-409 Hash Algorithm: SHA2-256 Capabilities: Curve: B-571 Hash Algorithm: SHA2-256 Capabilities: Curve: P-

192 Hash Algorithm: SHA2-384

Capabilities: Curve: P-224 Hash Algorithm: SHA2-384 Capabilities: Curve: P-256 Hash Algorithm: SHA2-384 Capabilities: Curve: P-

384 Hash Algorithm: SHA2-384

Capabilities: Curve: P-521 Hash Algorithm: SHA2-384 Capabilities: Curve: K-163 Hash Algorithm: SHA2-384 Capabilities: Curve: K-

233 Hash Algorithm: SHA2-384

Capabilities: Curve: K-283 Hash Algorithm: SHA2-384 Capabilities: Curve: K-409 Hash Algorithm:

Page 20

Name Type Description Properties Algorithms SHA2-384 Capabilities: Curve: K-

571 Hash Algorithm: SHA2-384

Capabilities: Curve: B-163 Hash Algorithm: SHA2-384 Capabilities: Curve: B-233 Hash Algorithm: SHA2-384 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-384

Capabilities: Curve: B-409 Hash Algorithm: SHA2-384 Capabilities: Curve: B-571 Hash Algorithm: SHA2-384 Capabilities: Curve: P-

192 Hash Algorithm: SHA2-512

Capabilities: Curve: P-224 Hash Algorithm: SHA2-512 Capabilities: Curve: P-256 Hash Algorithm: SHA2-512 Capabilities: Curve: P-

384 Hash Algorithm: SHA2-512

Capabilities: Curve: P-521 Hash Algorithm: SHA2-512 Capabilities: Curve: K-163 Hash Algorithm: SHA2-512 Capabilities: Curve: K-

233 Hash Algorithm: SHA2-512

Capabilities: Curve: K-283 Hash Algorithm: SHA2-512 Capabilities: Curve: K-409 Hash Algorithm: SHA2-512 Capabilities: Curve: K-

571 Hash Algorithm: SHA2-512

Capabilities: Curve: B-163 Hash Algorithm: SHA2-512 Capabilities: Curve: B-233 Hash Algorithm: SHA2-512 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-512
Page 21

Name Type Description Properties Algorithms Capabilities: Curve: B-409 Hash Algorithm: SHA2-512 Capabilities: Curve: B-571 Hash Algorithm: SHA2-512 Capabilities: Curve: P-

192 Hash Algorithm: SHA2-

512/224 Capabilities: Curve: P-224 Hash Algorithm: SHA2-512/224 Capabilities: Curve: P-256 Hash Algorithm: SHA2-512/224 Capabilities: Curve: P-384 Hash Algorithm: SHA2-512/224 Capabilities: Curve: P-521 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-163 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-233 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-283 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-409 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-571 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-163 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-233 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-283 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-409 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-571 Hash

Page 22

Name Type Description Properties Algorithms Algorithm: SHA2-512/224 Capabilities: Curve: P-192 Hash Algorithm: SHA2-512/256 Capabilities: Curve: P-224 Hash Algorithm: SHA2-512/256 Capabilities: Curve: P-256 Hash Algorithm: SHA2-512/256 Capabilities: Curve: P-384 Hash Algorithm: SHA2-512/256 Capabilities: Curve: P-521 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-163 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-233 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-283 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-409 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-571 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-163 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-233 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-283 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-409 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-571 Hash Algorithm: SHA2-512/256 RSA SigVer (FIPS186-4): (A5177)

Page 23

Name Type Description Properties Algorithms Capabilities: Signature Type: PKCS

1.5 Properties: Modulo: 1024 Hash

Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-

256 Hash Pair: Hash Algorithm:

SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2-512/224 Hash Pair: Hash Algorithm: SHA2512/256 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA-1 Hash Pair: Hash Algorithm: SHA2-

224 Hash Pair: Hash Algorithm:

SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo:

3072 Hash Pair: Hash Algorithm:

SHA-1 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Properties: Modulo:

4096 Hash Pair: Hash Algorithm:

SHA-1 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash

Page 24

Name Type Description Properties Algorithms Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Hash Pair: Hash Algorithm: SHA2512/224 Hash Pair: Hash Algorithm: SHA2-512/256 Capabilities: Signature Type: PKCSPSS Properties: Modulo: 1024 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length:

24 Hash Pair: Hash Algorithm:

SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length:

62 Hash Pair: Hash Algorithm:

SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2512/256 Salt Length: 32 Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-

224 Salt Length: 24 Hash Pair: Hash

Algorithm: SHA2-256 Salt Length:

32 Hash Pair: Hash Algorithm:

SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt

Page 25

Name Type Description Properties Algorithms Length: 32 Properties: Modulo:

3072 Hash Pair: Hash Algorithm:

SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-256 Salt Length:

32 Hash Pair: Hash Algorithm:

SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo:

4096 Hash Pair: Hash Algorithm:

SHA-1 Salt Length: 20 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-256 Salt Length:

32 Hash Pair: Hash Algorithm:

SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Public Exponent Mode: Random AKP-KG AsymKeyPair- Asymmetric Key Pair Publication:SP800- ECDSA KeyGen (FIPS186-4): KeyGen Generation 56Br2, FIPS 186-4 (A5177) Curves:: B-233, B-283, B-409, B571, K-233, K-283, K-409, K-571,

Page 26

Name Type Description Properties Algorithms P-224, P-256, P-384, P-521 RSA KeyGen (FIPS186-4): (A5177) Modulo: 2048, 3072, 4096 KTS-IFC: (A5177) Modulo: 2048, 3072, 4096, 6144, 8192 CKG - Symmetric and Asymmetric: () Safe Primes Key Generation: (A5177) AKP-DP AsymKeyPair- Domain Parameter Publications:SP800- KAS-ECC-SSC Sp800-56Ar3: DomPar Generation 56Ar3 (A5177) Methods: B-233, B-283, B-409, B571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 KAS-FFC-SSC Sp800-56Ar3: (A5177) Methods: FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP3072, MODP-4096, MODP-6144, MODP-8192 AKP-KV AsymKeyPair- ECDSA Key Publication:FIPS186- ECDSA KeyVer (FIPS186-4): KeyVer Verification 4 (A5177) Curve: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K409, K-571, P-192, P-224, P-256, P384, P-521 Safe Primes Key Verification: (A5177)

Page 27

Name Type Description Properties Algorithms AKV-PKV AsymKeyPair- Public Key Validation Publication:FIPS 186- KTS-IFC: (A5177) PubKeyVal 4 Modulo: 2048, 3072, 4096, 6144, 8192 SigGen DigSig-SigGen Signature Generation Publication:FIPS 186- ECDSA SigGen (FIPS186-4): and Signature 4 (A5177) Primitive Capabilities: Capabilities: Curve: P-

224 Hash Algorithm: SHA2-224

Capabilities: Curve: P-256 Hash Algorithm: SHA2-224 Capabilities: Curve: P-384 Hash Algorithm: SHA2-224 Capabilities: Curve: P-

521 Hash Algorithm: SHA2-224

Capabilities: Curve: K-233 Hash Algorithm: SHA2-224 Capabilities: Curve: K-283 Hash Algorithm: SHA2-224 Capabilities: Curve: K-

409 Hash Algorithm: SHA2-224

Capabilities: Curve: K-571 Hash Algorithm: SHA2-224 Capabilities: Curve: B-233 Hash Algorithm: SHA2-224 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-224

Capabilities: Curve: B-409 Hash Algorithm: SHA2-224 Capabilities: Curve: B-571 Hash Algorithm: SHA2-224 Capabilities: Curve: P-

224 Hash Algorithm: SHA2-256

Capabilities: Curve: P-256 Hash Algorithm: SHA2-256 Capabilities: Curve: P-384 Hash Algorithm: SHA2-256 Capabilities: Curve: P-

521 Hash Algorithm: SHA2-256
Page 28

Name Type Description Properties Algorithms Capabilities: Curve: K-233 Hash Algorithm: SHA2-256 Capabilities: Curve: K-283 Hash Algorithm: SHA2-256 Capabilities: Curve: K-

409 Hash Algorithm: SHA2-256

Capabilities: Curve: K-571 Hash Algorithm: SHA2-256 Capabilities: Curve: B-233 Hash Algorithm: SHA2-256 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-256

Capabilities: Curve: B-409 Hash Algorithm: SHA2-256 Capabilities: Curve: B-571 Hash Algorithm: SHA2-256 Capabilities: Curve: P-

224 Hash Algorithm: SHA2-384

Capabilities: Curve: P-256 Hash Algorithm: SHA2-384 Capabilities: Curve: P-384 Hash Algorithm: SHA2-384 Capabilities: Curve: P-

521 Hash Algorithm: SHA2-384

Capabilities: Curve: K-233 Hash Algorithm: SHA2-384 Capabilities: Curve: K-283 Hash Algorithm: SHA2-384 Capabilities: Curve: K-

409 Hash Algorithm: SHA2-384

Capabilities: Curve: K-571 Hash Algorithm: SHA2-384 Capabilities: Curve: B-233 Hash Algorithm: SHA2-384 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-384

Capabilities: Curve: B-409 Hash Algorithm: SHA2-384 Capabilities:

Page 29

Name Type Description Properties Algorithms Curve: B-571 Hash Algorithm: SHA2-384 Capabilities: Curve: P-

224 Hash Algorithm: SHA2-512

Capabilities: Curve: P-256 Hash Algorithm: SHA2-512 Capabilities: Curve: P-384 Hash Algorithm: SHA2-512 Capabilities: Curve: P-

521 Hash Algorithm: SHA2-512

Capabilities: Curve: K-233 Hash Algorithm: SHA2-512 Capabilities: Curve: K-283 Hash Algorithm: SHA2-512 Capabilities: Curve: K-

409 Hash Algorithm: SHA2-512

Capabilities: Curve: K-571 Hash Algorithm: SHA2-512 Capabilities: Curve: B-233 Hash Algorithm: SHA2-512 Capabilities: Curve: B-

283 Hash Algorithm: SHA2-512

Capabilities: Curve: B-409 Hash Algorithm: SHA2-512 Capabilities: Curve: B-571 Hash Algorithm: SHA2-512 Capabilities: Curve: P-

224 Hash Algorithm: SHA2-

512/224 Capabilities: Curve: P-256 Hash Algorithm: SHA2-512/224 Capabilities: Curve: P-384 Hash Algorithm: SHA2-512/224 Capabilities: Curve: P-521 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-233 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-283 Hash

Page 30

Name Type Description Properties Algorithms Algorithm: SHA2-512/224 Capabilities: Curve: K-409 Hash Algorithm: SHA2-512/224 Capabilities: Curve: K-571 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-233 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-283 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-409 Hash Algorithm: SHA2-512/224 Capabilities: Curve: B-571 Hash Algorithm: SHA2-512/224 Capabilities: Curve: P-224 Hash Algorithm: SHA2-512/256 Capabilities: Curve: P-256 Hash Algorithm: SHA2-512/256 Capabilities: Curve: P-384 Hash Algorithm: SHA2-512/256 Capabilities: Curve: P-521 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-233 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-283 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-409 Hash Algorithm: SHA2-512/256 Capabilities: Curve: K-571 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-233 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-283 Hash

Page 31

Name Type Description Properties Algorithms Algorithm: SHA2-512/256 Capabilities: Curve: B-409 Hash Algorithm: SHA2-512/256 Capabilities: Curve: B-571 Hash Algorithm: SHA2-512/256 RSA SigGen (FIPS186-4): (A5177) Capabilities: Signature Type: PKCS

1.5 Properties: Modulo: 2048 Hash

Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-

256 Hash Pair: Hash Algorithm:

SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Properties: Modulo: 3072 Hash Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-256 Hash Pair: Hash Algorithm: SHA2-384 Hash Pair: Hash Algorithm: SHA2-

512 Properties: Modulo: 4096 Hash

Pair: Hash Algorithm: SHA2-224 Hash Pair: Hash Algorithm: SHA2-

256 Hash Pair: Hash Algorithm:

SHA2-384 Hash Pair: Hash Algorithm: SHA2-512 Capabilities: Signature Type: PKCSPSS Properties: Modulo: 2048 Hash Pair: Hash Algorithm: SHA2-224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-256 Salt Length:

32 Hash Pair: Hash Algorithm:

SHA2-384 Salt Length: 48 Hash Pair: Hash Algorithm: SHA2-512

Page 32

Name Type Description Properties Algorithms Salt Length: 64 Hash Pair: Hash Algorithm: SHA2-512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo:

3072 Hash Pair: Hash Algorithm:

SHA2-224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length:

48 Hash Pair: Hash Algorithm:

SHA2-512 Salt Length: 64 Hash Pair: Hash Algorithm: SHA2512/224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-512/256 Salt Length: 32 Properties: Modulo:

4096 Hash Pair: Hash Algorithm:

SHA2-224 Salt Length: 24 Hash Pair: Hash Algorithm: SHA2-256 Salt Length: 32 Hash Pair: Hash Algorithm: SHA2-384 Salt Length:

48 Hash Pair: Hash Algorithm:

SHA2-512 Salt Length: 64 RSA Signature Primitive: (A5177) Private Key Format: crt RAND DRBG Random Number Publication:SP800- Hash DRBG: (A5177) Genreation 90A Mode: SHA-1, SHA2-256, SHA2Counter DRBG: (A5177) Mode: AES-128, AES-192, AESHMAC DRBG: (A5177)

Page 33

Name Type Description Properties Algorithms Mode: SHA-1, SHA2-256, SHA2Sym-KG CKG Cryptographic Key Counter DRBG: (A5177) Generation Mode: AES-128, AES-192, AESHash DRBG: (A5177) Mode=: SHA-1, SHA2-256, SHA2HMAC DRBG: (A5177) Mode: SHA-1, SHA2-256, SHA2CKG - Symmetric and Asymmetric: () KDF KAS-135KDF Application-Specific Publication:SP800- KDF ANS 9.42: (A5177) Key Derivation 135 KDF Type: DER Hash Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 KDF ANS 9.63: (A5177) Hash Algorithm: SHA2-224, SHA2-256, SHA2-384, SHA2-512 KDF IKEv2: (A5177) Capabilities: Initiator Nonce Length: 128, 2048 Responder Nonce Length: 128, 2048 Diffie-Hellman Shared Secret Length: 224, 8192 Derived Keying Material Length: 160, 16384 Derived Keying Material Child Length: 160, 16384 Hash Algorithm: SHA-1, SHA2-224,

Page 34

Name Type Description Properties Algorithms SHA2-256, SHA2-384, SHA2-512 KDF SSH: (A5177) Cipher: AES-128, AES-192, AESHash: SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512 TLS v1.2 KDF RFC7627: (A5177) Hash Algorithm: SHA2-256, SHA2384, SHA2-512 TLS v1.3 KDF: (A5177) HMAC Algorithm: SHA2-256, SHA2-384 KDF Running Modes: DHE, PSK, PSK-DHE KDA KAS-56CKDF Key Derivation Publication:SP800- KDA HKDF SP800-56Cr2: (A5177) Methods in Key 56Cr2 HMAC Algorithm: SHA-1, SHA2Establishment 224, SHA2-256, SHA2-384, SHA2Schemes 512, SHA2-512/224, SHA2512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 KDA OneStep SP800-56Cr2: (A5177) Auxiliary Function Name: SHA2512, HMAC-SHA2-224, KMACKDA TwoStep SP800-56Cr2: (A5177) Capabilities: Fixed Info Pattern: algorithmId||l||uPartyInfo||vPartyInfo Fixed Info Encoding: concatenation KDF Mode: feedback MAC Modes: HMAC-SHA-1, HMAC-SHA2-224,

Page 35

Name Type Description Properties Algorithms HMAC-SHA2-256, HMAC-SHA2384, HMAC-SHA2-512, HMACSHA2-512/224, HMAC-SHA2512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3384, HMAC-SHA3-512 Fixed Data Order: after fixed data Counter Lengths: 8 The KDF supports an empty IV The KDF requires an empty IV Supported Lengths: 2048 KAS-KG KAS-KeyGen KAS Key Generation Publication:SP800- KAS-ECC-SSC Sp800-56Ar3: Methods 56Ar3 (A5177) Domain Parameter Generation Methods: B-233, B-283, B-409, B571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 KAS-FFC-SSC Sp800-56Ar3: (A5177) Domain Parameter Generation Methods: FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP3072, MODP-4096, MODP-6144, MODP-8192 KAS-IFC-SSC: (A5177) Key Generation Methods: rsakpg1basic, rsakpg1-crt, rsakpg1-primefactor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor SSC KAS-SSC Key Agreement IG:IG D.F Scenario 2, KAS-FFC-SSC Sp800-56Ar3: Shared Secret path (1) (A5177) Calculation Domain Parameter Generation

Page 36

Name Type Description Properties Algorithms Methods: FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP3072, MODP-4096, MODP-6144, MODP-8192 KAS-ECC-SSC Sp800-56Ar3: (A5177) Curve: Curve: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K571, P-224, P-256, P-384, P-521 KAS-IFC-SSC: (A5177) Modulo: 2048, 3072, 4096, 6144, 8192 KAS-ECC CDH-Component SP800-56Ar3: (A5177) Curve: B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P224, P-256, P-384, P-521 KBKDF KBKDF Key Based Key Publication:SP800- KDF SP800-108: (A5177) Derivation 108 Capabilities: KDF Mode: Counter MAC Mode: CMAC-AES128, CMAC-AES192, CMAC-AES256, HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2384, HMAC-SHA2-512 Supported Lengths: 8-4096 Increment 8 Fixed Data Order: Before Fixed Data Counter Length: 32 Custom Key In Length: 0; KDF Mode: Feedback MAC Mode: CMAC-AES128, CMAC-AES192, CMAC-AES256, HMAC-SHA-1, HMAC-SHA2-224,

Page 37

Name Type Description Properties Algorithms HMAC-SHA2-256, HMAC-SHA2384, HMAC-SHA2-512 Supported Lengths: 8-4096 Increment 8 Fixed Data Order: Before Fixed Data Counter Length: 32 Supports Empty IV Requires Empty IV Custom Key In Length: 0 AKP-E AsymKeyPair- Asymmetric Key Pair Standard:SP800- KTS-IFC: (A5177) Encap Encapsulation 56Br2 Modulo: 2048, 3072, 4096, 6144, IG D.G.:Approved 8192 Key Confirmation:No Caveat:Key establishment methodology provides between 112 and 200 bits of security strength AKP-D AsymKeyPair- Asymmetric Key Pair Standard:SP800- KTS-IFC: (A5177) Decap Decapsulation 56Br2 Modulo: 2048, 3072, 4096, 6144, IG D.G.:Approved 8192 Key Confirmation:No Caveat:Key establishment methodology provides between 112 and 200 bits of security strength MAC MAC Message Publication:FIPS 198, AES-CMAC: (A5177) Authentication SP800-38B, SP800- Key Length: 128, 192, 256 38D, SP800-185 AES-GMAC: (A5177) Key Length: 128, 192, 256 HMAC-SHA-1: (A5177)

Page 38

Name Type Description Properties Algorithms Key Length: 8-524288 Increment 8 HMAC-SHA2-224: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA2-256: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA2-384: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA2-512: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA2-512/224: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA2-512/256: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA3-224: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA3-256: (A5177) Key Length: 8-524288 Increment 8 HMAC-SHA3-384: (A5177) Key Length: 8-524288 Increment 8 KMAC-256: (A5177) Key Length: 128-1024 Increment 8 KMAC-128: (A5177) Key Length: 128-1024 Increment 8 HMAC-SHA3-512: (A5177) Key Length: 8-524288 Increment 8 PBKDF PBKDF Password Based Key Publication:SP800- PBKDF: (A5177) Derivation 132 HMAC Algorithm: SHA-1, SHA2224, SHA2-256, SHA2-384, SHA2512, SHA2-512/224, SHA2-512/256 SHS SHA Message Digest Publications:FIPS SHA-1: (A5177) 180-4, FIPS 202 Message Length: 0-65536 Increment 8, 160

Page 39

Name Type Description Properties Algorithms SHA2-224: (A5177) Message Length: 0-65536 Increment 8, 224 SHA2-256: (A5177) Message Length: 0-65536 Increment 8, 256 SHA2-384: (A5177) Message Length: 0-65536 Increment 8, 384 SHA2-512: (A5177) Message Length: 0-65536 Increment 8, 512 SHA2-512/224: (A5177) Message Length: 0-65536 Increment 8, 224 SHA2-512/256: (A5177) Message Length: 0-65536 Increment 8, 256 SHA3-224: (A5177) Message Length: 0-65536 Increment SHA3-256: (A5177) Message Length: 0-65536 Increment SHA3-384: (A5177) Message Length: 0-65536 Increment SHA3-512: (A5177) Message Length: 0-65536 Increment SHAKE-128: (A5177) Output Length: 16-65536 Increment

Page 40

Name Type Description Properties Algorithms SHAKE-256: (A5177) Output Length: 16-65536 Increment Table 8: Security Function Implementations

Page 41
2.7 Algorithm Specific Information

Below are the documentation requirements for specific algorithms and conditions, as mandated by Implementation Guidance. FIPS140-3 IG C.H, Option 2: AES GCM IV Uniqueness The IV is generated internally at its entirety randomly. The generation uses an Approved DRBG (Cert. #A5177) that is internal to the module’s boundary. The IV length is fixed at 96 bits (per SP 800-38D). FIPS140-3 IG C.I: XTS-AES Requirements The XTS algorithm implementation includes a check prior to use to ensure Key_1 ≠ Key_2. FIPS 140-3 IG D.N: PBKDF Requirements The module conforms to IG D.N, Option 1a. The password length is 8

2.8 RBG and Entropy
Page 42

The Module uses an entropy source from within the TOEPP, but outside of the cryptographic boundary. The module exercises no control over the source of entropy per IG 9.3.A, Scenario 2B. The size of the entropy provided to the DRBG varies depending on the DRBG mechanism (i.e., HASH, CTR, HMAC) and desired security strength. No assurance of the minimum strength of generated SSPs (e.g., keys). N/A for this module.

2.9 Key Generation

The module generates both symmetric and asymmetric cryptographic keys using the internal DRBG (CAVP Cert. #A5177). The module implements key generation methods according to SP 800-133r2 Section 4, Example 1, without the use of V. The key generation methods are specified in the Vendor Affirmed Algorithms table and the Security Function Implementations table. Additionally, the module implements key derivation methods according to Section 6.2 of SP 800-133r2. The key derivation methods are specified in the Security Function Implementations table.

2.10 Key Establishment

The module does not establish SSPs using an approved key agreement scheme (KAS) or key transport scheme (KTS). However, it does offer some or all of the underlying KAS cryptographic functionality and approved authenticated algorithms that can be used by an external operator/application as part of an approved KAS or KTS. The module supports KAS-ECC-SSC, KAS-FFC-SSC, KAS-IFC-SSC, AES-KW, AES-KWP, and KTS-IFC. KAS-IFC SSC [56Br2] - Per [IG] D.F Scenario 1 path (1), compliant the derivation of a shared secret Z in one of the schemes in Sections 8.2 and 8.3 of SP 800-56Brev2. KAS-SSC [56Ar3] - Per [IG] D.F Scenario 2 path (2), compliant with the derivation of a shared secret Z in one or more of the key agreement schemes in Section 6 of SP 800-56Arev3. Testing is split into (i) testing the computation of the shared secret and (ii) testing the key derivation function used in deriving the keying material comply to IG 2.4.B. KAS-SSC as a service: The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS.

2.11 Industry Protocols
Page 43

The module does not implement any Industry Protocols. The module is a cryptographic toolkit that may be used in support for Industry Protocols but does not itself implement the protocol.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The Module’s ports and associated FIPS defined logical interface categories are listed below. Physical Logical Data That Passes Port Interface(s) N/A Control

4 Roles, Services, and Authentication
Page 44
4.1 Authentication Methods

Method Name Description Security Strength Each Strength per Minute Mechanism Attempt Role Based Signature SigVer RSA 3072-bit has Each authentication Authentication Verification a security strength attempt takes of 128 bits. The approximately 0.3 probability of seconds, which results in a successfully maximum of 200 guessing the authentication attempts private key is per minute. The probably 1/(2^128). of a brute force attack being successful within a given minute is 200/(2^128). Table 10: Authentication Methods

4.2 Roles

The Module supports one distinct operator role, Crypto Officer (CO). One authentication is allowed per Module reset. The Module does not support concurrent operators. The Cryptographic Officer’s authentication public key is protected by the physical and logical design of the module; it is stored as part of the module binary itself. The Roles Table below lists all operator roles supported by the Module. Name Type Operator Type Authentication Methods Cryptographic Officer Role CO Role Based Authentication Table 11: Roles

4.3 Approved Services

All approved services implemented by the Module are listed in the table below: The SSPs modes of access shown in the table below are defined as:

Page 45

Name Descript Indicator Input Outputs Secur SSP ion s ity Access Funct ions Module Self- Perform OSSL_FIPS_PARAM_I Power Status None Cryptogr Test module NDICATOR aphic initializa Officer tion, pre- operatio Software nal, and Integrity conditio Key: E nal - CO cryptogr Authenti aphic cation algorith Key: E m selftests. Show Status Shows OSSL_FIPS_PARAM_I None Status None Cryptogr module's NDICATOR aphic status Officer Show Version Shows OSSL_FIPS_PARAM_I None Module None Cryptogr module's NDICATOR Base aphic versioni Name + Officer ng Module informat Version ion Number Symmetric Encrypti OSSL_FIPS_PARAM_I AES Plaintext BCU Cryptogr Encryption/D on and NDICATOR Key, or BCA aphic ecryption decrypti Plaint Cipherte Officer on of ext or xt - AES data. Cipher Key: text W,E,Z Keyed MAC Compute OSSL_FIPS_PARAM_I Messa Message MAC Cryptogr a NDICATOR ge, Authenti aphic Message HMA cation Officer Authenti C, Code - AES cation AES, Key: Code or W,E,Z KMA - MAC C Key Key: W,E,Z Hash Compute OSSL_FIPS_PARAM_I Messa Hash SHS Cryptogr a NDICATOR ge Value aphic Message Officer Digest

Page 46

Name Descript Indicator Input Outputs Secur SSP ion s ity Access Funct ions Random Bit Generate OSSL_FIPS_PARAM_I DRB Random RAN Cryptogr Generation random NDICATOR G Values D aphic values Selecti Officer on - DRBGV: W,E,Z - DRBGC: W,E,Z - DRBGKey: W,E,Z - DRBGEI: G,W,E,Z Signature Signatur OSSL_FIPS_PARAM_I Privat Digital SigGe Cryptogr Generation e NDICATOR()=1 e Key, Signatur n aphic Generati Messa e Officer on ge - RSA Private Key: W,E,Z ECDSA Private Key: W,E,Z Signature Signatur OSSL_FIPS_PARAM_I Public Status SigVe Cryptogr Verification e NDICATOR Key, r aphic Verificat Signat Officer ion ure - RSA Public Key: W,E,Z ECDSA Public Key: W,E,Z Key Generate OSSL_FIPS_PARAM_I Key Private AKP- Cryptogr Generation asymmet NDICATOR Attrib Key, KG aphic ric keys utes, AKP- Officer

Page 47

Name Descript Indicator Input Outputs Secur SSP ion s ity Access Funct ions (i.e., Key Public DP - DRBGRSA, Size Key RAN V: E,Z EC) D - RSA KAS- Private KG Key: Sym- G,R,Z KG - RSA Public Key: G,R,Z ECDSA Private Key: G,R,Z ECDSA Public Key: G,R,Z - KAS Private Key: G,R,Z - KAS Public Key: G,R,Z - DRBGC: E,Z - DRBGKey: E,Z Key Asymme OSSL_FIPS_PARAM_I Public Validity AKP- Cryptogr Verification tric Key NDICATOR Key KV aphic Verificat AKV- Officer ion PKV ECDSA Public Key: W,E,Z - KAS Public

Page 48

Name Descript Indicator Input Outputs Secur SSP ion s ity Access Funct ions Key: W,E,Z Key Derive OSSL_FIPS_PARAM_I Key Key KDF Cryptogr Derivation keys NDICATOR Materi Material KDA aphic using al, KBK Officer SP800- Passp DF - AES 56Cr2, hrase PBK Key: SP800- DF W,E,Z 135, - MAC SP800- Key: 108, or W,E,Z SP800- - Key

132 key Material:

derivatio G,R,W,E n ,Z methods Passphra se: W,E,Z Shared Secret Key OSSL_FIPS_PARAM_I RSA Key SSC Cryptogr Calculation agreeme NDICATOR or Material aphic nt using KAS Officer KAS- Public - Key ECC, and Material: KAS- Privat G,R,Z FFC, or e - RSA KAS- Keys Private IFC Key: W,E,Z - RSA Public Key: W,E,Z - KAS Private Key: W,E,Z - KAS Public Key: W,E,Z

Page 49

Name Descript Indicator Input Outputs Secur SSP ion s ity Access Funct ions Key Key OSSL_FIPS_PARAM_I AES Wrapped BCA Cryptogr Transport transport NDICATOR Key, or AKP- aphic using RSA Encapsul E Officer AES- Key ated Key AKP- - AES KW or D Key: KTS- W,E,Z IFC - RSA Public Key: W,E,Z - RSA Private Key: W,E,Z Table 12: Approved Services

4.4 Non-Approved Services

All approved services implemented by the Module are listed in the table below: Name Description Algorithms Role Authenticated Symmetric GCM using externally AES (GCM) - CO Encryption/Decryption generated IVs Ext IV Table 13: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not support an External Software/Firmware Load capability.

5 Software/Firmware Security
5.1 Integrity Techniques

The Module is composed of the following component(s):

Page 50

The software component is protected with the authentication technique, HMAC-SHA2-256, as described in Table 16.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by power cycling the hardware.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable The Module has a modifiable operational environment under the FIPS 140-3 definitions. The tested operational environments are listed in Section 2.1. The Operating Environment is modifiable and allows the operator to load and execute software. How Requirements are Satisfied : The module supports a modifiable operational environment. The operator may load and execute software that was not included in the original evaluation as the underlying Wave Relay OS 2.2 operational environment is modifiable. Each instance of a cryptographic module controls its own SSPs and are not owned or controlled by external processes/operators. This requirement is not enforced by administrative documentation and procedures but by the cryptographic module itself. The operational environment provides the capability to separate individual application processes from each other in order to prevent uncontrolled access to CSPs and uncontrolled modification of SSPs.

6.2 Configuration Settings and Restrictions

All cryptographic software, SPPs and control/status information is under the control of an operating system that implements mandatory access control. The Operating system protects against unauthorized execution, unauthorized modification, and unauthorized reading of SSPs and status data. Processes that are spawned by the cryptographic module are owned by the module and are not owned by external processes/operators. The Operating System provides an audit mechanism with the date and time of each audited event.

Page 52
7 Physical Security

The module is software and as such, physical security requirements do not apply. N/A for this module.

8 Non-Invasive Security

The Module does not implement any mitigation method against non-invasive attack.

9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Area Name Description Persistence Type System Memory (S1) Stored in plaintext in volatile memory (RAM). Dynamic Binary (S2) Stored in plaintext as part of the module binary itself. Static Table 14: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm Input in Application System Plaintext Manual Electronic plaintext Software Memory (IO1) (outside) (S1) Output in System Application Plaintext Manual Electronic plaintext Memory Software (IO2) (S1) (outside) Input Application System Encrypted Manual Electronic AKP-D encapsulated Software Memory (IO3) (outside) (S1) Output System Application Encrypted Manual Electronic AKP-E encapsulated Memory Software (IO4) (S1) (outside) Input Application System Encrypted Manual Electronic BCA wrapped Software Memory (IO5) (outside) (S1)

Page 53

Name From To Format Distribution Entry SFI or Type Type Type Algorithm Output System Application Encrypted Manual Electronic BCA wrapped Memory Software (IO6) (S1) (outside) Table 15: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Z1 Zeroisation Active overwriting of SSP values with 0s Automatic upon use immediately after SSP is no longer needed upon use Table 16: SSP Zeroization Methods

Page 54
9.4 SSPs

All usage of these SSPs by the Module are described in the services detailed in Section 4.3. Name Description Size - Strength Type - Generated Established Used Category By By By DRBG-EI Entropy Input 384 - 768 - 128 to 256 bits ENT - CSP RAND DRBG-V DRBG internal state value 440 - 888 (Hash_DRBG); DRBG - RAND AKP(V for all DRBGs) 128 (CTR_DRBG); 160- CSP KG

512 (HMAC_DRBG) - 128 RAND

to 256 SymKG KASKG DRBG-C DRBG internal state value 440 - 888 (Hash_DRBG); DRBG - RAND AKP(C for HASH_DRBG) 128 (CTR_DRBG); 160- CSP KG

512 (HMAC_DRBG) - 128 RAND

to 256 SymKG KASKG DRBG-Key DRBG internal state value 128 to 256 bits DRBG - RAND AKP(Key for HMAC_DRBG (CTR_DRBG); 160-512 CSP KG and CTR_DRBG) (HMAC_DRBG) - 128 to RAND

256 Sym-

KG KASKG AES Key Used for 128, 192, 256 - 128, 192, Symmetric BCU encryption/decryption 256 - CSP BCA operations. May also be KBKDF used for MAC (AES- MAC

Page 55

Name Description Size - Strength Type - Generated Established Used Category By By By CMAC, AES-GMAC) or KBKDF. MAC Key Used for Message HMAC: 8 to 524288 MAC - CSP KDF Authentication (HMAC or (Increment 8) (Legacy less KDA KMAC) than 112) KMAC: 128- KBKDF

1024 (increment 8) - 128 to MAC
512 PBKDF

RSA Private Signature Generation, 2048, 3072, 4096, 6144 Asymmetric AKP-KG SigGen Key KTS-IFC, KAS-IFC (KAS-IFC and KTS-IFC - CSP SSC only), 8192 (KAS-IFC and AKP-D KTS-IFC only) - 112-150 RSA Public Used for signature 1024 (Legacy), 2048, 3072, Asymmetric AKP-KG SigVer Key verification, KTS-IFC, 4096, 6144 (KAS-IFC and - PSP SSC KAS-IFC KTS-IFC only), 8192 AKP-E (KAS-IFC and KTS-IFC only) - 112-150 (Legacy >112) CO Used for authenticating 3072 - 128 Asymmetric At SigVer Authentication the CO - PSP manufacturing Key Software Used for Module Integrity 256 - 256 MAC - At MAC Integrity Key Neither manufacturing ECDSA Used for signature B-233, B-283, B-409, B- Asymmetric AKP-KG SigGen Private Key generation 571, K-233, K-283, K-409, - CSP K-571, P-224, P-256, P-384, P-521 - 112-256 ECDSA Public Used for signature B-163, B-233, B-283, B- Asymmetric AKP-KG SigVer Key verification 409, B-571, K-163, K-233, - PSP K-283, K-409, K-571, P192, P-224, P-256, P-384,

Page 56

Name Description Size - Strength Type - Generated Established Used Category By By By P-521 - 112-256 (Legacy >112) KAS Private Used for key agreement ECC: B-233, B-283, B-409, Asymmetric KAS-KG SSC Key (FFC and ECC) B-571, K-233, K-283, K- - CSP 409, K-571, P-224, P-256, P-384, P-521; FFC: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 - 112-256 KAS Public Used for key agreement ECC: B-233, B-283, B-409, Asymmetric KAS-KG SSC Key (FFC and ECC) B-571, K-233, K-283, K- - PSP 409, K-571, P-224, P-256, P-384, P-521; FFC: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 - 112-256 Passphrase Passphrase to be used 64-1024 - N/A PBKDF2 - PBKDF with PBKDF2 CSP Key Material May be intended for or Varies - 128 to 256 Key SSC the result of SSC, KDA, Material KDF, or KTS CSP Table 17: SSP Table 1

Page 57

Name Input - Output Storage Storage Zeroization Related SSPs Duration DRBG-EI Input in plaintext System Memory Until use Z1 DRBG-V:Used to derive (IO1) (S1):Plaintext completes DRBG-C:Used to derive DRBG-Key:Used to derive DRBG-V System Memory Until use Z1 DRBG-EI:Derived From (S1):Plaintext completes DRBG-C:Used With DRBG-Key:Used With DRBG-C System Memory Until use Z1 DRBG-EI:Derived From (S1):Plaintext completes DRBG-V:Used With DRBG-Key System Memory Until use Z1 DRBG-EI:Derived From (S1):Plaintext completes DRBG-V:Used With AES Key Input in plaintext System Memory Until use Z1 (IO1) (S1):Plaintext completes Output in plaintext (IO2) MAC Key Input in plaintext System Memory Until use Z1 (IO1) (S1):Plaintext completes Output in plaintext (IO2) RSA Private Key Input in plaintext System Memory Until use Z1 RSA Public Key:Paired (IO1) (S1):Plaintext completes With Output in plaintext (IO2) RSA Public Key Input in plaintext System Memory Until use Z1 RSA Private Key:Paired (IO1) (S1):Plaintext completes With Output in plaintext (IO2) CO Authentication Binary (S2):Plaintext Until use Z1 Software Integrity Key System Memory completes Key:Protected by (S1):Plaintext

Page 58

Name Input - Output Storage Storage Zeroization Related SSPs Duration Software Integrity Binary (S2):Plaintext Until use Z1 Key System Memory completes (S1):Plaintext ECDSA Private Input in plaintext System Memory Until use Z1 Key (IO1) (S1):Plaintext completes Output in plaintext (IO2) ECDSA Public Input in plaintext System Memory Until use Z1 ECDSA Private Key:Paired Key (IO1) (S1):Plaintext completes With Output in plaintext (IO2) KAS Private Key Input in plaintext System Memory Until use Z1 KAS Public Key:Paired (IO1) (S1):Plaintext completes With Output in plaintext DRBG-State:Generated with (IO2) Key Material:Establishes KAS Public Key Input in plaintext System Memory Until use Z1 KAS Private Key:Paired (IO1) (S1):Plaintext completes With Output in plaintext DRBG-State:Generated with (IO2) Key Material:Establishes Passphrase Input in plaintext System Memory Until use Z1 Key Material:Derives (IO1) (S1):Plaintext completes Key Material Input in plaintext System Memory Until use Z1 Passphrase:Derived From (IO1) (S1):Plaintext completes RSA Private Key:Derived Output in plaintext From (IO2) RSA Public Key:Derived Input encapsulated From (IO3) KAS Private Key:Derived Output encapsulated From (IO4) KAS Public Key:Derived Input wrapped From (IO5)

Page 59

Name Input - Output Storage Storage Zeroization Related SSPs Duration Output wrapped AES Key:Derived From (IO6) MAC Key:Derived From Table 18: SSP Table 2

Page 61
10 Self-Tests
10.1 Pre-Operational Self-Tests

The Module performs self-tests to ensure the proper operation of the Module. Per FIPS 140-3 these are categorized as either pre-operational self-tests or conditional self-tests. Pre-operational self–tests are available on demand by power cycling the Module. The operator may invoke periodic self-tests by power cycling the module. It is recommended that periodic self-testing be performed weekly. Please note that HMAC-SHA2-256 is self-tested prior to execution of the Software Integrity Test. The Module performs the following pre-operational self-tests in table below. Algorithm or Test Test Properties Test Test Type Indicator Details Method Software Integrity HMAC SHA2- KAT SW/FW verify_integrity_success or HMAC-SHA2-256 Test 256 Integrity verify_integrity failure Verify Table 19: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

The Module performs the following conditional self-tests in the table below. Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-GCM Key size: 256 bits KAT CAST SELF_TEST_post success Encrypt Power-On Encrypt SELF_TEST_post failure

Page 62

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-GCM Key size: 256 bits KAT CAST SELF_TEST_post success Decrypt Power-On Decrypt SELF_TEST_post failure AES-ECB Key size: 128 bits KAT CAST SELF_TEST_post success Decrypt Power-On (A5177) SELF_TEST_post failure Counter Key size: 128 KAT CAST SELF_TEST_post success instantiation, Power-On DRBG SELF_TEST_post failure generate, and (A5177) reseed Hash DRBG SHA2-256 KAT CAST SELF_TEST_post success instantiation, Power-On (A5177) SELF_TEST_post failure generate, and reseed HMAC SHA1 KAT CAST SELF_TEST_post success instantiation, Power-On DRBG SELF_TEST_post failure generate, and (A5177) reseed HMAC- SHA2-256 with KAT CAST SELF_TEST_post success Generate/Verify Power-On SHA2-256 256-bit key SELF_TEST_post failure (A5177) KMAC-256 KMAC-256 with KAT CAST SELF_TEST_post success Generate/Verify Power-On (A5177) 384-bit key SELF_TEST_post failure RSA SigGen PKCS#1, SHA2- KAT CAST SELF_TEST_post success Signature Power-On (FIPS186-4) 256 with 2048-bit SELF_TEST_post failure Generation (A5177) key RSA SigVer PKCS#1, SHA2- KAT CAST SELF_TEST_post success Signature Power-On (FIPS186-4) 256 with 2048-bit SELF_TEST_post failure Verification (A5177) key RSA KeyGen Key Generation PCT PCT OSSL_PROV_PARAM_STATUS = 1 Encrypt/Decrypt Upon key (FIPS186-4) (ok) OSSL_PROV_PARAM_STATUS generation (A5177) = 0 (error) SHA-1 SHA-1 KAT CAST SELF_TEST_post success Generate/Verify Power-On (A5177) SELF_TEST_post failure SHA2-512 SHA2-512 KAT CAST SELF_TEST_post success Generate/Verify Power-On (A5177) SELF_TEST_post failure

Page 63

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type SHA3-256 SHA3-256 KAT CAST SELF_TEST_post success Generate/Verify Power-On (A5177) SELF_TEST_post failure ECDSA P-224, B-233 with KAT CAST SELF_TEST_post success Signature Power-On SigGen SHA2-256 SELF_TEST_post failure Generation (FIPS186-4) (A5177) ECDSA P-224, B-233 with KAT CAST SELF_TEST_post success Signature Power-On SigVer SHA2-256 SELF_TEST_post failure Verification (FIPS186-4) (A5177) KAS-ECC- P-256 KAT CAST SELF_TEST_post success Shared Secret Power-On SSC Sp800- SELF_TEST_post failure Calculation 56Ar3 (A5177) KAS-FFC- ffdhe2048 KAT CAST SELF_TEST_post success Shared Secret Power-On SSC Sp800- SELF_TEST_post failure Calculation 56Ar3 (A5177) Safe Primes Key Generation PCT PCT OSSL_PROV_PARAM_STATUS = 1 SP800-56Ar3 Upon key Key (ok) OSSL_PROV_PARAM_STATUS PCT generation Generation = 0 (error) (A5177) ECDSA Key Generation PCT PCT OSSL_PROV_PARAM_STATUS = 1 Sign/Verify Upon key KeyGen (ok) OSSL_PROV_PARAM_STATUS generation (FIPS186-4) = 0 (error) (A5177) TLS v1.2 SHA2-256 with KAT CAST SELF_TEST_post success Key Derivation Power-On KDF 384-bit secret SELF_TEST_post failure RFC7627 (A5177)

Page 64

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type TLS v1.3 SHA2-256 with KAT CAST SELF_TEST_post success Key Derivation Power-On KDF 256-bit Key SELF_TEST_post failure (A5177) PBKDF HMAC SHA2- KAT CAST SELF_TEST_post success Key Derivation Power-On (A5177) 256 with 24 SELF_TEST_post failure character passphrase KTS-IFC 2048-bit Key KAT CAST SELF_TEST_post success Encrypt/Decrypt Power-On (A5177) SELF_TEST_post failure KDF SSH SHA-1 with 1056- KAT CAST SELF_TEST_post success Key Derivation Power-On (A5177) bits SELF_TEST_post failure KDF SP800- HMAC SHA2- KAT CAST SELF_TEST_post success Key Derivation Power-On

108 (A5177) 256, Counter SELF_TEST_post failure

Mode, 128-bit. CMAC AES-128, Counter Mode, 128-bit KDF IKEv2 SHA-1, 192-bit KAT CAST SELF_TEST_post success Key Derivation Power-On (A5177) secret, 160-bit SELF_TEST_post failure skeyseed KDF ANS SHA2-256, 192- KAT CAST SELF_TEST_post success Key Derivation Power-On

9.63 (A5177) bit secret SELF_TEST_post failure

KDF ANS SHA-1, 160-bit KAT CAST SELF_TEST_post success Key Derivation Power-On

9.42 (A5177) secret SELF_TEST_post failure

KDA HKDF HMAC SHA2- KAT CAST SELF_TEST_post success Key Derivation Power-On SP800-56Cr2 256 SELF_TEST_post failure (A5177) KDA HMAC SHA2- KAT CAST SELF_TEST_post success Key Derivation Power-On OneStep 224 with 448-bit SELF_TEST_post failure SP800-56Cr2 secret (A5177)

Page 65

Table 20: Conditional Self-Tests

10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method Software Integrity Test KAT SW/FW Integrity On Demand Manually Table 21: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-GCM Encrypt KAT CAST On Demand Manually AES-GCM Decrypt KAT CAST On Demand Manually AES-ECB (A5177) KAT CAST On Demand Manually Counter DRBG (A5177) KAT CAST On Demand Manually Hash DRBG (A5177) KAT CAST On Demand Manually HMAC DRBG (A5177) KAT CAST On Demand Manually HMAC-SHA2-256 KAT CAST On Demand Manually (A5177) KMAC-256 (A5177) KAT CAST On Demand Manually RSA SigGen (FIPS186- KAT CAST On Demand Manually

  1. (A5177) RSA SigVer (FIPS186- KAT CAST On Demand Manually
  2. (A5177) RSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A5177) SHA-1 (A5177) KAT CAST On Demand Manually SHA2-512 (A5177) KAT CAST On Demand Manually
Page 66

Algorithm or Test Test Method Test Type Period Periodic Method SHA3-256 (A5177) KAT CAST On Demand Manually ECDSA SigGen KAT CAST On Demand Manually (FIPS186-4) (A5177) ECDSA SigVer KAT CAST On Demand Manually (FIPS186-4) (A5177) KAS-ECC-SSC Sp800- KAT CAST On Demand Manually 56Ar3 (A5177) KAS-FFC-SSC Sp800- KAT CAST On Demand Manually 56Ar3 (A5177) Safe Primes Key PCT PCT On Demand Manually Generation (A5177) ECDSA KeyGen PCT PCT On Demand Manually (FIPS186-4) (A5177) TLS v1.2 KDF KAT CAST On Demand Manually RFC7627 (A5177) TLS v1.3 KDF (A5177) KAT CAST On Demand Manually PBKDF (A5177) KAT CAST On Demand Manually KTS-IFC (A5177) KAT CAST On Demand Manually KDF SSH (A5177) KAT CAST On Demand Manually KDF SP800-108 KAT CAST On Demand Manually (A5177) KDF IKEv2 (A5177) KAT CAST On Demand Manually KDF ANS 9.63 (A5177) KAT CAST On Demand Manually KDF ANS 9.42 (A5177) KAT CAST On Demand Manually KDA HKDF SP800- KAT CAST On Demand Manually 56Cr2 (A5177) KDA OneStep SP800- KAT CAST On Demand Manually 56Cr2 (A5177) Table 22: Conditional Periodic Information The operator may invoke periodic self-tests by power cycling the module. It is recommended that periodic self-testing be performed weekly.

Page 67
10.4 Error States

Name Description Conditions Recovery Indicator Method ES1 The module fails The Module Power OSSL_PROV_PARAM_STATUS pre-operational enters the cycle the =0 self-tests, error state module conditional selftests, or authentication. Table 23: Error States

10.5 Operator Initiation of Self-Tests

Self-tests may be initiated on demand by power cycling the module.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

No end user action is required to startup the module in an approved mode for operation. The module is built into the Wave Relay® OS and delivered in Persistent Systems’ Wave Relay® Solutions. There is no standalone delivery of the module as a software hybrid module. Persistent Systems’ internal development process guarantees that the correct version of the module is installed within its intended device OS version. Installation and Initialization: The module is pre-installed within the Persistent Systems Solutions, which include the MPU5, Embedded Module, Embedded Module lite, GVR5, or Integrated Antenna Series. No further initialization of the module is required. Upon powering on the hardware platform, the module will automatically perform pre-operational and conditional self-tests in accordance with FIPS 140-3 requirements. Delivery: The module is pre-installed within the Persistent Systems product offerings. The Persistent Systems products are distributed using a trusted courier and packaging must be inspected upon delivery.

11.2 Administrator Guidance
Page 68

There are no specific management activities required of the Crypto Officer Role to ensure that the module runs securely. However, if any irregular activity is noticed or the module is consistently reporting errors, then Persistent Systems Support should be contacted.

11.3 Non-Administrator Guidance

There are no specific management activities required of the Crypto Officer Role to ensure that the module runs securely. However, if any irregular activity is noticed or the module is consistently reporting errors, then Persistent Systems Support should be contacted.

11.4 Design and Rules

Rules of Operation

  1. The Module provides one distinct operator roles: Cryptographic Officer.
  2. The Module provides identity-based authentication.
  3. The Module clears previous authentications on power cycle.
  4. An operator does not have access to any cryptographic services prior to assuming an authorized role.
  5. The Module allows the operator to initiate power-up self-tests by power cycling the Module.
  6. All self-tests do not require any operator action.
  7. Data output is inhibited during self-tests, zeroization, and error states.
  8. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module.
  9. There are no restrictions on which keys or SSPs are zeroized after use.
  10. The Module does not support concurrent operators.
  11. The Module does not support a maintenance interface or role.
  12. The Module does not support manual SSP establishment method.
  13. The Module does not have any proprietary external input/output devices used for entry/output of data.
  14. The Module does not store any plaintext CSPs.
  15. The Module does not output intermediate key values.
  16. The Module does not provide bypass services for ports/interfaces.
11.6 End of Life

The module must be zeroized and returned to the manufacturer.

12 Mitigation of Other Attacks

The Module does not implement any mitigation method against other attacks.

Page 70

References and Definitions The following standards are referred to in this Security Policy. Table 24