All modules
CMVP Validated Module · FIPS 140-3 Security Policy

OpenSK Cryptographic Module

Certificate#5087StandardFIPS 140-3Level1TypeHardwareEmbodimentSingle ChipStatusActiveVendorGoogle, LLC.
Medium review priority  ·  exposes firmware-update authentication, debug/recovery interface, HSM/SE firmware trust anchor  ·  last validated 9 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date10/22/2030
CaveatNone
VendorGoogle, LLC.

Approved Algorithms (11)

AlgorithmACVP Cert
AES-CBCA5101
AES-ECBA5101
ECDSA KeyGen (FIPS186-4)A5101
ECDSA KeyVer (FIPS186-4)A5101
ECDSA SigGen (FIPS186-4)A5101
ECDSA SigVer (FIPS186-4)A5101
HMAC DRBGA5101
HMAC-SHA2-256A2352
KAS-ECC-SSC Sp800-56Ar3A5101
KDA HKDF SP800-56Cr2A5101
SHA2-256A2352

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for OpenSK Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Vendor_Upgrade</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Data Encryption/Decryptio n<br/>Wink Command<br/>FIDO U2F: U2F_Register</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>USB pins (D+ and D-)</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>IPSEC<br/>no library/version identified</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C4,C5 clue;
  class I2,I3,I4,I5 infer;
  class R2,R3,R4,R5 risk;
  class E2,E3,E4,E5 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for OpenSK Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Vendor_Upgrade</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Data Encryption/Decryptio n<br/>Wink Command<br/>FIDO U2F: U2F_Register</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>USB pins (D+ and D-)</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>IPSEC<br/>no library/version identified</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C4 clueHigh;
  class C5 clueLow;

Security Policy, page by page

Page 1

Google, LLC. OpenSK Cryptographic Module Document Version 1.0 October 15th, 2025 Prepared by: www.lightshipsec.com Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 2

OpenSK Cryptographic Module Table of Contents Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 3

OpenSK Cryptographic Module Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 4

OpenSK Cryptographic Module List of Tables List of Figures Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical security3
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacks1
Overall LevelOverall Level1
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the Google, LLC. OpenSK Cryptographic Module (running firmware version 4.0.2), hereafter referred to as, “the module”. It contains the security rules under which the module must operate and describes how the module meets the requirements as specified in FIPS PUB 140-3 for

1.2 Security Levels

The table below describes the individual security areas of FIPS 140-3, as well as the Security Levels of those individual areas. N/A Table 1: Security Levels Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The module is a USB 1.1/2.0 compliant Client To Authenticator Protocol (CTAP) 2.1 token, instantiated as a single chip hardware module, used for first or second factor authentication. It is also backwards compatible with Universal 2nd Factor (U2F, also known as CTAP1). CTAP standardizes how request and response messages are sent over the USB transport to the CTAP key. After registration, a user can use their Security Key with an origin-specific key pair across all online services that implement WebAuthn. CTAP and WebAuthn are both part of FIDO2, a set of standards for online authentication. The Security Key performs two operations that focus on authentication (with a backwards compatible alternative): MakeCredential (or U2F Register) associates a key pair (or credential) with an origin, google.com here, while GetAssertion (or U2F Authenticate), verifies that signature with the Titan Security Key, Chip Boundary to prove physical possession of the hardware second factor. Then, and only then, is the User able to authenticate to Google services. In addition, CTAP 2.1 provides functionality related to this process: GetInfo lists information about the Security Key. ClientPin allows setting up a PIN to unlock some of the Security Key commands. Reset performs a factory reset by deleting all stored user data, including credentials. CredentialManagement allows listing and deleting existing credentials. Selection performs a user presence check, so users can indicate what device they want to use. LargeBlobs lets you read and write a binary string to store inside the security key. There are two custom commands that are not part of the CTAP specification. Both are used for upgrading the firmware: One that provides detailed information about the running firmware version, and the other to send the new, signed firmware binary. The chip runs a version of OpenSK that manages all access control, cryptographic algorithms and the life cycle of all keys. OpenSK is an app running on top of a version of TockOS, which manages all low-level resources. Module Type: Hardware Module Embodiment: SingleChip Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is the outer perimeter of the chip, as shown in the figures below. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 7
Module configuration
NameModelHardware VersionFirmware VersionProcessor
OpenSK Cryptographic ModuleOpenSK Cryptographic ModuleH1B2GOpenSK 4.0.2N/A

Figure 1: OpenSK Cryptographic Module (Block Diagram) Figure 2: OpenSK Cryptographic Module (Front and Back) Tested Operational Environment’s Physical Perimeter (TOEPP): The module is a single-chip module as defined by FIPS 140-3. The hardware version of the module is H1B2G.

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

OpenSK Cryptographic Module Table 2: Tested Module Identification

2.3 Excluded Components

There are no components within the cryptographic boundary that are excluded from the FIPS 140-3 security requirements.

2.4 Modes of Operation

Modes List and Description: The table below details the Modes of Operation supported by the module. Table 3: Modes List and Description Mode Change Instructions and Status: The module implements only one mode of operation, the approved mode, in which the approved services are available. No configuration is necessary for the module to operate and remain in the approved mode. After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode.

2.5 Algorithms

Approved Algorithms: The table below lists all the Approved Algorithms supported by the module. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 9
Approved algorithm
NameCAVP CertReference
AES-CBCA5101SP 800-38A
AES-ECBA5101SP 800-38A
ECDSA KeyGen (FIPS186-4)A5101FIPS 186-4
ECDSA KeyVer (FIPS186-4)A5101FIPS 186-4
ECDSA SigGen (FIPS186-4)A5101FIPS 186-4
ECDSA SigVer (FIPS186-4)A5101FIPS 186-4
HMAC DRBGA5101SP 800-90A Rev. 1
HMAC-SHA2-256A2352FIPS 198-1
HMAC-SHA2-256A5101FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A5101SP 800-56A Rev. 3
KDA HKDF SP800-56Cr2A5101SP 800-56C Rev. 2
SHA2-256A2352FIPS 180-4
SHA2-256A5101FIPS 180-4
Service
NamePropertiesImplementationI
CKGCKG:Cryptographic Key Generation Publication:NIST SP 800-133r2 Sections 4, 5, and 6Titan OpenSK Gnubby cryptographic libraryFIPS 140-3 IG D.H
KDFKDF:Asymmetric Key Derivation MethodTitan OpenSK Gnubby cryptographic libraryN/A
LargeBlobKey FIDO extensionFIPS 140-3 IG 2.4.A
Service
NamePropertiesImplementationI
CKGCKG:Cryptographic Key Generation Publication:NIST SP 800-133r2 Sections 4, 5, and 6Titan OpenSK Gnubby cryptographic libraryFIPS 140-3 IG D.H
KDFKDF:Asymmetric Key Derivation MethodTitan OpenSK Gnubby cryptographic libraryN/A
LargeBlobKey FIDO extensionFIPS 140-3 IG 2.4.A
Service
NamePropertiesImplementationI
CKGCKG:Cryptographic Key Generation Publication:NIST SP 800-133r2 Sections 4, 5, and 6Titan OpenSK Gnubby cryptographic libraryFIPS 140-3 IG D.H
KDFKDF:Asymmetric Key Derivation MethodTitan OpenSK Gnubby cryptographic libraryN/A
LargeBlobKey FIDO extensionFIPS 140-3 IG 2.4.A

Table 4: Approved Algorithms Vendor-Affirmed Algorithms: The table below lists all the Vendor-Affirmed Algorithms supported by the module. D.H Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: The table below lists all the Non-Approved, Allowed Algorithms supported by the module. N/A Table 6: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: The table below lists all the Non-Approved, Allowed Algorithms with No Security Claimed. Table 7: Non-Approved, Allowed Algorithms with No Security Claimed The module supports largeBlobKey FIDO extension functionality where an external party can encode an arbitrary string of bits on the device. No security is claimed for this encoded arbitrary data is considered the equivalent to plaintext. Non-Approved, Not Allowed Algorithms: The module does not support any Non-Approved Algorithms that are not Allowed in the Approved Mode of Operation. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 10
Service
NameDescriptionApproved FunctionsTypeProperties
Data Encryption/Decryptio nSymmetric Encryption/Decryptio nAES-CBC: (A5101) AES-ECB: (A5101)BC-UnAuthPublication:NIS T SP 800-38A
Asymmetric Key GenerationAsymmetric Key Pair Generation and VerificationECDSA KeyGen (FIPS186-4): (A5101) ECDSA KeyVer (FIPS186-4): (A5101) CKG: () CKG: Cryptographi c Key Generation Publication: NIST SP 800-133r2 Sections 4, 5, and 6AsymKeyPair -KeyGen AsymKeyPair -KeyVerPublication:FIP S 186-4 Publication: NIST SP 800- 133r2
Digital SignatureDigital Signature Generation and VerificationECDSA SigGen (FIPS186-4): (A5101) ECDSA SigVer (FIPS186-4): (A5101)DigSig- SigGen DigSig- SigVerPublication:FIP S 186-4
Deterministic Random Bit GenerationDeterministic Random Bit GenerationHMAC DRBG: (A5101)DRBGPublication:SP 800-90Ar1
Message Authentication FWMAC Generation and VerificationHMAC- SHA2-256: (A5101)MACPublication:FIP S 198-1
Key Agreement ECCKey AgreementKAS-ECC- SSC Sp800- 56Ar3: (A5101)KAS-SSCPublication:NIS T SP 800- 56Ar3
Key Derivation FunctionKey Derivation FunctionKDA HKDF SP800- 56Cr2: (A5101)KBKDFPublication:NIS T SP 800- 56Cr2
Message Digest FWHashingSHA2-256: (A5101)SHAPublication:FIP S 180-4
Message AuthenticationMAC Generation and VerificationHMAC- SHA2-256: (A2352)MACPublication:FIP S 198-1
Message DigestHashingSHA2-256: (A2352)SHAPublication:FIP S 180-4
Key TransportKey TransportAES-CBC: (A5101) HMAC- SHA2-256: (A5101)KTS-WrapPublication:FIP S 140-3 IG D.G
Symmetric Key GenerationSymmetric Key GenerationCKG: () CKG: Cryptographi c Key Generation Publication: NIST SP 800-133r2 Sections 4, 5, and 6CKGPublication:NIS T SP 800-133r2

OpenSK Cryptographic Module N/A for this module.

2.6 Security Function Implementations

The table below lists the Security Function Implementations supported by the module. n n DigSigSigGen DigSigSigVer T SP 80056Ar3 T SP 80056Cr2 HMACSHA2-256: KAS-ECCSSC Sp80056Ar3: SP80056Cr2: Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 11
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Titan Security Key TRNG ImplementationPhysical256 bitsGoogle H1B2256 bitsA2352 (SHA2- 256)

OpenSK Cryptographic Module HMACSHA2-256: HMACSHA2-256: Table 8: Security Function Implementations

2.7 Algorithm Specific Information

There is no algorithm specific information. The tables below detail the modules ESV information. Table 9: Entropy Certificates Table 10: Entropy Sources The module generates a minimum of 256 bits of entropy for key generation. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 12
2.9 Key Generation

The module generates Keys and SSPs in accordance with FIPS 140-3 IG D.H. The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per SP 800-133r2 (vendor affirmed), compliant with FIPS 186-4, and using DRBG compliant with SP 800-90A]. A seed (the random value) used in asymmetric key generation is obtained from SP 800-90A DRBG. The key generation service for ECDSA, as well as the SP 800-90A DRBG have been ACVP tested with algorithm certificates found in Approved Algorithms Table.

2.10 Key Establishment

The module provides SP 800-56Arev3 compliant key establishment according to FIPS 140-3 IG D.F scenario 2 path (1) with ECDH shared secret computation. A Hash-Based KDF specified in NIST SP 800-56Crev2 is used as the Key Derivation Algorithm. The module provides key transport according to FIPS 140-3 IG D.G using an approved key wrapping technique based on AES-CBC and HMAC-SHA2-256.

2.11 Industry Protocols

The module does not implement any industry protocols. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 13
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
USB pins (D+ and D-)USB pins (D+ and D-)Data Input Data Output Control Input Status OutputHID command and parameters for data, HID input parameters for control
LED pinsLED pinsStatus OutputSignals (high/low)
VDD pinsVDD pinsPowerPower
GND pinsGND pinsControl InputN/A
RST pinsRST pinsControl InputN/A
BoardID pinsBoardID pinsStatus OutputStatus values
CAPTOUCH pinsCAPTOUCH pinsControl InputCircuit (high/low)
NC (Not Connected)NC (Not Connected)NoneN/A
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The table below details the module Ports and Interfaces. D-) N/A N/A N/A Table 11: Ports and Interfaces All communication between the module and a host device is conducted in accordance with the U2F and CTAP protocol. The U2F protocol is based on a request-response mechanism, where a requester sends a request message to a U2F device, which always results in a response message being sent back from the U2F device to the requester. All request-response messages are framed in ISO7816-4:2005 APDU format. This specifies how to transport the raw message and any error codes if the command failed. The CTAP2 protocol supports longer messages using CTAPHID. The CTAPHID messages are encoded in CBOR. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 14
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleNone
UserUserRoleNone
InitializationConnect to host over USBCrypto OfficerNoneN/ANoneNone
Wink CommandComma nd issued to device to blink LEDsCrypto OfficerNoneN/AAPDU over HID comma ndStatus output to LED pin
FIDO U2F: U2F_RegisterCreate a U2F credenti alUser - DRBG Entropy Input: G,E - DRBG Seed: E - DRBG V: E - DRBG Key: E -Asymmetric Key Generation Digital Signature Deterministic Random Bit Generation Message Digest FW Key TransportSucces s or FailAPDU over HID comma nd and parame tersAPDU over HID comm and respon se / Status output to LED pin
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutputAuthentication Methods
Crypto OfficerCORoleNone
UserUserRoleNone
InitializationConnect to host over USBCrypto OfficerNoneN/ANoneNone
Wink CommandComma nd issued to device to blink LEDsCrypto OfficerNoneN/AAPDU over HID comma ndStatus output to LED pin
FIDO U2F: U2F_RegisterCreate a U2F credenti alUser - DRBG Entropy Input: G,E - DRBG Seed: E - DRBG V: E - DRBG Key: E -Asymmetric Key Generation Digital Signature Deterministic Random Bit Generation Message Digest FW Key TransportSucces s or FailAPDU over HID comma nd and parame tersAPDU over HID comm and respon se / Status output to LED pin
4 Roles, Services, and Authentication

The module does not support authentication for roles. N/A for this module.

4.2 Roles

The module supports two roles that an operator may assume: Crypto Officer (CO) role and User role. Roles are assumed implicitly based on the service accessed. The table below lists the roles supported by the module. Table 12: Roles

4.3 Approved Services

The table below lists all approved services supported by the module. The abbreviations of the access rights to keys and SSPs have the following interpretation: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g., the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. N/A N/A V: E Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 15
Service
NameCsps AccessedDescripIndicatOutpuSecurity
tionAccesstionortsFunctions
Symmetric Key GenerationSymmetric Key GenerationIndividual Attestatio n Determini stic Seed: G,E - Individual Attestatio n Signing (Private) Key: G,E - Batch Attestatio n Determini stic Seed: G,E - Batch Attestatio n Signing (Private) Key: G,E - Personalit y Determini stic Seed: G,E - Key Handle Encryptio n Key: G - Key Handle Authentic ation Determini stic Seed: G,E - Key Handle Authentic ation Key: G - U2F/Serv er-Side Determini

OpenSK Cryptographic Module n G,E n G,E y G,E G,E G Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 16
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
FIDO U2F: U2F_AuthenticateSign to Authenti cateUser - DRBG Entropy Input: G,E - DRBG Seed: E - DRBG V: E - DRBG Key: E - Key Handle Encryptio n Key: E - Key Handle Authentic ation Key: EData Encryption/Dec ryption Digital Signature Deterministic Random Bit Generation Message Authentication FW Message Digest FWSucces s or FailAPDU over HID comma nd and parame tersAPDU over HID comm and respon se / Status output to LED pin
FIDO U2F: U2F_VersionShow U2F version stringUserNoneSucces s or FailAPDU over HID comma ndAPDU over HID comm and respon se / Status output to LED pin
FIDO2_Make_Credent ialCreate a FIDO2 credenti alUser - DRBG Entropy Input: G,E - DRBG Seed: E - DRBG V: E - DRBG Key: E - Resident Signing (Private) Keys: G - PIN UV Auth Token: R,E - FIDO2/Se rver-Side Determini stic Seed: W,E - FIDO2/Se rver-Side Signing (Private) Keys : GData Encryption/Dec ryption Asymmetric Key Generation Deterministic Random Bit Generation Key TransportSucces s or FailCTAP HID comma nd and parame tersCTAP HID comm and respon se / Status output to LED pin
FIDO2_Get_AssertionSign to Authenti cateUser - DRBG Entropy Input: G,E - DRBG Seed: E - DRBG V: E - DRBG Key: E - Key Handle Encryptio n Key: E - Key Handle Authentic ation Key: E - U2F/Serv er-Side Signing (Private) Keys (Legacy): E - Resident Signing (Private) Keys: E - PIN UV Auth Token: E - CredRand om Determini stic Seed:Data Encryption/Dec ryption Asymmetric Key Generation Digital Signature Deterministic Random Bit Generation Message Authentication FW Key Derivation Function Message Digest FW Key Transport Symmetric Key GenerationSucces s or FailCTAP HID comma nd and parame tersCTAP HID comm and respon se / Status output to LED pin
FIDO2_Get_Next_Ass ertionSign to Authenti cate a different credenti alUser - DRBG Entropy Input: G,E - DRBG Seed: G,E - DRBG V: G,E - DRBG Key: G,E - Key Handle Encryptio n Key: E - Key Handle Authentic ation Key: E -Data Encryption/Dec ryption Asymmetric Key Generation Digital Signature Deterministic Random Bit Generation Message Authentication FW Key Derivation Function Message Digest FW Key Transport Symmetric Key GenerationSucces s or FailCTAP HID comma ndCTAP HID comm and respon se / Status output to LED pin
FIDO2_Get_InfoShow device informati onUserNoneSucces s or FailCTAP HID comma ndCTAP HID comm and respon
FIDO2_Client_PinSetup / Change / Use a PINUser - DRBG Entropy Input: G,E - DRBG Seed: E - DRBG V: E - DRBG Key: E - PIN Protocol Agreeme nt Key: G,E - PIN Protocol Deriving Z: G,E - PIN Protocol Encryptio n Key: G,E - PIN Protocol Authentic ation Key: G,E - PIN UV Auth Token: G,R,E - PIN: W - PIN Hash: E - PIN Hash Attemp: W - Pin Protocol Agreeme nt (Public) Key: G,R - PINData Encryption/Dec ryption Asymmetric Key Generation Deterministic Random Bit Generation Message Authentication FW Key Agreement ECC Key Derivation Function Message Digest FW Key TransportSucces s or FailCTAP HID comma nd and parame tersCTAP HID comm and respon se / Status output to LED pin
FIDO2_ResetFactory resetUser - DRBG Entropy Input: Z - DRBG Seed: Z - DRBG V: Z - DRBG Key: Z - Personalit y Determini stic Seed: Z - Individual Attestatio n Determini stic Seed: Z - Batch Attestatio n Determini stic Seed: Z - Key Handle Authentic ation Determini stic Seed: Z - Batch Attestatio n Signing (Private) Key: Z - Individual Attestatio n SigningNoneModule reset to factoryCTAP HID comma ndCTAP HID comm and respon se / Status output to LED pin

OpenSK Cryptographic Module W,E G G,R :R V: E E Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 17

OpenSK Cryptographic Module E V: E R,E W,E Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 18

OpenSK Cryptographic Module V: E E E Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 19

OpenSK Cryptographic Module G,E W,E R G,E V: G,E E Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 20

OpenSK Cryptographic Module E G,E W,E R Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 21

OpenSK Cryptographic Module V: E G,E Z: G,E G,E G,E G,R,E W Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 22

OpenSK Cryptographic Module V: Z y Z n Z n Z Z Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 23
Service
NameCsps AccessedDescripIndicatOutpuSecurity
tionAccesstionortsFunctions
tionAccesstionortsFunctions

OpenSK Cryptographic Module Z Z Z: Z Z Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 24

OpenSK Cryptographic Module Z Z Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 25
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
FIDO2_Credential_Ma nagementEnumer ate and delete credenti alsUser - PIN UV Auth Token: E,Z - FIDO2/Se rver-Side Signing (Public) Keys: RNoneSucces s or FailSucces s or FailCTAP HID comm and respon se / Status output to LED pin
FIDO2_SelectionTouch to choose deviceUserNoneSucces s or FailCTAP HID comma ndStatus output to LED pin
FIDO2_Large_BlobsStore binary dataUser - PIN UV Auth Token: ENoneSucces s or FailCTAP HID comma nd and parame tersCTAP HID comm and respon se / Modul e status
Vendor_UpgradeFirmwar e upgradeCrypto OfficerDigital SignatureSucces s or FailCTAP HID comma nd and parame tersStatus Output
Vendor_SysinfoShow vendor specific informati onCrypto OfficerNoneReturn module version informa tionCTAP HID comma ndCTAP HID comm and respon se / Modul e status
Show StatusReturn the module statusUserNoneNoneNoneModul e status
On-Demand Self-testInitiate on- demand self- tests by reboot or power cycleCrypto OfficerData Encryption/Dec ryption Asymmetric Key Generation Digital Signature Deterministic Random Bit Generation Message Authentication FW Key Agreement ECC Key Derivation Function Message Digest FW Message Authentication Message DigestNoneNonePass or Fail

OpenSK Cryptographic Module e Z Z Z E,Z Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 26

OpenSK Cryptographic Module e ondemand selftests by e e Table 13: Approved Services Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 27
4.4 Non-Approved Services

The module does not support any Non-Approved Services. N/A for this module.

4.5 External Software/Firmware Loaded

The module supports external firmware loaded for upgrades. An Approved ECDSA Signature Verification (P-256, SHA2-256) firmware load test operation is performed prior to a firmware upgrade. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 28
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the executable firmware is verified by comparing a SHA2-256 digest calculated at boot time with the SHA2-256 digest value stored in the module that was computed at build time.

5.2 Initiate on Demand

The integrity test is performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test can be invoked on demand via reboot or power-cycle the module, which will perform (among others) the firmware integrity test. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 29
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: The limited modifiable operational environment of the module prevents users from accessing secret keys, private keys or SSPs which they are not authorized to access. There was no logical or physical access to the SSPs. The module is designed to accept only controlled firmware changes that successfully pass the software/firmware load test. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 30
MechanismInspectionInspection Guidance
Frequency
N/AN/AN/A
Temp/Voltage TypeTemperature or VoltageEFP or EFTResult
LowTemperature-20° CEFTEnvironmental Failure
HighTemperature85° CEFTEnvironmental Failure
LowVoltage2VEFTEnvironmental Failure
HighVoltage6VEFTEnvironmental Failure
TemperatureTemperature
Type
LowTemperature-5°C
HighTemperature+70°C
7 Physical Security
7.1 Mechanisms and Actions Required

The table below details the Physical Security Mechanisms supported by the module. N/A N/A N/A Table 14: Mechanisms and Actions Required The module has a single-chip embodiment that employs standard passivation techniques and meets commercial grade specs regarding power and voltage ranges, temperature, reliability, and shock/vibration. The module is encased in an opaque, tamper-evident, removal-resistant IC packaging material which cannot be removed or penetrated without causing serious damage to the module (i.e. the module will not function). The table below details the module Environmental Failure Testing information. Table 15: EFP/EFT Information

7.3 Hardness Testing Temperature Ranges

The table below details the module Hardness Testing Temperature Ranges. Table 16: Hardness Testing Temperatures Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 31
8 Non-Invasive Security

Currently, the ISO/IEC 19790:2012 non-invasive security area is not required by FIPS 140-3 (see NIST SP 800-140F). The requirements of this area are not applicable to the module. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 32
Sensitive security parameter
NameTypeDescription
RAMDynamicRandom Access Memory
FlashStaticFlash Memory
Service
NameTypeFromTo
PSP ExportPlaintextRAMOutsideN/AN/A
PIN Protocol OutputEncryptedRAMOutsideAutomatedElectronicKey Transport
ZeroizationDescriptionRationaleOperator Initiation
Method
RebootZeroisation when module is rebootedKeys are procedurally zeroised by rebooting the module, which is acceptable at Security Level 1Crypto Officer by rebooting the host system
Reset commandZeroisation when the module is resetKeys are automatically zeroised by resetting the module, which is acceptable at Security Level 1Crypto Officer or User by resetting the module
Remove powerZeroisation when power is removed from the moduleKeys are procedurally zeroised by rebooting the module, which is acceptable at Security Level 1Crypto Officer by removing power
9 Sensitive Security Parameters Management
9.1 Storage Areas

The table below lists Sensitive Security Parameters (SSPs) storage areas for the module. Section 9.4 below selects from the storage areas listed and specifies the appropriate parameter in the “Storage” column if applicable to a specific SSP. Table 17: Storage Areas

9.2 SSP Input-Output Methods

The table below lists SSP input and output methods for the module. Section 9.4 below selects from the input and output methods listed and specifies the appropriate parameter in the “Inputs/Outputs” column if applicable to a specific SSP. N/A N/A Table 18: SSP Input-Output Methods

9.3 SSP Zeroization Methods

The table below lists SSP zeroisation methods for this module. Section 9.4 below selects from the zeroisation methods listed and specifies the appropriate parameter in the “Zeroization” column if applicable to a specific SSP. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 33
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentUseSize - Strengt h
DRBG Entropy InputDRBG Parameter - CSPInput bitstring that provides an assessed minimum amount of unpredictab ility for the DRBG mechanism256 - 256Factory Loaded and Internal TRNGDeterministic Random Bit Generation
DRBG SeedSeed - CSPA string of bits that is used as input to a DRBG mechanism256 - 256Deterministic Random Bit Generation
DRBG VInternal Value - CSPSecret value of the DRBG internal stateN/A - N/ADeterministic Random Bit Generation
DRBG KeySymmetric Key - CSPSecret value of the DRBG internal stateN/A - N/ADeterministic Random Bit Generation
Personality Determinist ic SeedDeterminis tic Seed - CSPParameter related to user credentials (key handle, user). Used to derive256 - 256Allowed KDF MethodDeterministic Random Bit Generation
Individual Attestation Determinist ic SeedDeterminis tic Seed - CSPDeterminist ic seed used to derive the Individual Attestation Key256 - 256Allowed KDF MethodDeterministic Random Bit Generation
Batch Attestation Determinist ic SeedDeterminis tic Seed - CSPDeterminist ic seed used to derive the Batch Attestation Key256 - 256Allowed KDF MethodDeterministic Random Bit Generation
Key Handle Authenticat ion Determinist ic SeedDeterminis tic Seed - CSPDeterminist ic seed used to derive the Key Handle Authenticati on Key256 - 256Allowed KDF MethodDeterministic Random Bit Generation
Batch Attestation Signing (Private) KeyPrivate Key - CSPUsed for signature in U2F and FIDO2 registration during batch attestation256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nDigital Signature
Individual Attestation Signing (Private) KeyPrivate Key - CSPUsed for signature in U2F and FIDO2 registration during enterprise attestation256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nDigital Signature
Key Handle Encryption KeySymmetric Key - CSPEncrypt server-side credentials256 - 256Determini stic Random Bit Generatio n Symmetri c Key Generatio nData Encryption/Decry ption
Key Handle Authenticat ion KeyAuthentica tion Key - CSPAuthenticat e server- side credentials256 - 256Determini stic Random Bit Generatio n Symmetri c Key Generatio nMessage Authentication FW
U2F/Serve r-Side Signing (Private) Keys (Legacy)Private Key - CSPPrivate key for core Legacy FIDO functionalit y256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nDigital Signature
FIDO2/Ser ver-Side Signing (Private) KeysPrivate Key - CSPPrivate key for core FIDO2 functionalit y256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nDigital Signature
Resident Signing (Private) KeysPrivate Key - CSPPrivate key for core FIDO2 functionalit y256 - 256Asymmetr ic Key Generatio n Determini stic RandomDigital Signature
PIN Protocol Agreement KeyPrivate Key - CSPModule's pin protocol agreement private key256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nKey Agreement ECC
PIN Protocol Deriving ZShared Secret - CSPShared Secret for client PIN256 - 256Key Agreeme nt ECCKey Derivation Function
PIN Protocol Encryption KeySymmetric Key - CSPDerived shared encryption key256 - 256Key Derivation FunctionData Encryption/Decry ption
PIN Protocol Authenticat ion KeyAuthentica tion Key - CSPDerived shared authenticati on key256 - 256Key Derivation FunctionMessage Authentication FW
PIN UV Auth TokenAuthentica tion Token - CSPShort lived authenticati on token256 - 256Determini stic Random Bit Generatio n Symmetri c Key Generatio nKey TransportData Encryption/Decry ption
PINPIN - CSPUser verification knowledge factorMinimu m 6 charact ers - 48 bitsKey Transport
PIN HashHash Value - CSPHash prefix of PIN128 - 128
PIN Hash AttempHash Value - CSPUser guessed PIN hash128 - 128Key Transport
CredRand om Determinist ic SeedDeterminis tic Seed - CSPDeterminist ic Seed used to derive the CredRando m Deriving Keys256 - 256Allowed KDFDeterministic Random Bit Generation
CredRand om Deriving Keys (with and without UV)Symmetric Key - CSPDerived keys used to derive the CredRando m256 - 256Determini stic Random Bit Generatio n Symmetri c Key Generatio nKey Derivation Function
CredRand omDerived Symmetric Key - CSPDerived key used for hmac- secret extension256 - 256Key Derivation FunctionMessage Authentication FW
FIDO2 HMAC Secret SaltsSalt - CSPInput for hmac- secret extension256 - 256Key TransportMessage Authentication FW
FIDO2 HMAC Secret OutputsMAC Output - CSPOutputs for hmac- secret extension, used to do offline encryption with arbitrary user data256 - 256Key TransportData Encryption/Decry ption
Pin Protocol Agreement (Public) KeyPublic Key - PSPModule's pin protocol agreement public key256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nKey Agreement ECC
Batch Attestation Signing (Public) KeyPublic Key - PSPBatch attestation256 - 256Factory LoadedDigital Signature
PIN Protocol Deriving (Public) KeyPublic Key - PSPClient PIN Protocol agreement public key256 - 256Key Agreeme nt ECC
U2F/Serve r-Side Signing (Public) Keys (Legacy)Public Key - PSPPublic key for core Legacy FIDO functionalit y256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nDigital Signature
FIDO2/Ser ver-Side Signing (Public) KeysPublic Key - PSPPublic key for core FIDO2 functionalit y256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nDigital Signature
Resident Signing (Public) KeysPublic Key - PSPPublic key for core FIDO2 functionalit y256 - 256Asymmetr ic Key Generatio n Determini stic Random Bit Generatio nDigital Signature
Individual Attestation Signing (Public) CertificatePublic Certificate - PSPUsed for signature in U2F and FIDO2 registration during256 - 256Factory LoadedDigital Signature
U2F/Serve r-Side Determinist ic SeedDeterminis tic Seed - CSPDeterminist ic seed used to derive the U2F/Server -Side signing (Private) Keys (Legacy)256 - 256Key TransportDeterministic Random Bit Generation
FIDO2/Ser ver-Side Determinist ic SeedDeterminis tic Seed - CSPDeterminist ic seed used to derive the FIDO2/Ser ver-Side Signing (Private) Keys256 - 256Key TransportDeterministic Random Bit Generation
DRBG Entropy InputRAM:PlaintextReboot Remove power Environmenta l FailureDRBG Seed:Used With DRBG V:Used With DRBG Key:Used WithUntil module loses power/reboot or environmenta l failure occurs
DRBG SeedRAM:PlaintextReboot Remove power Environmenta l FailureDRBG Entropy Input:Used With DRBG V:Used With DRBG Key:Used WithUntil module loses power/reboot or environmenta l failure occurs
DRBG VRAM:PlaintextReboot Remove power Environmenta l FailureDRBG Entropy Input:Used With DRBG Seed:Used With DRBG Key:Used WithUntil module loses power/reboot or environmenta l failure occurs
ZeroizationDescriptionRationaleOperator Initiation
Method
Environmental FailureZeroisation when the temperature or voltage falls outside the module's normal operating rangesKeys are automatically zeroised by a power cycle, which is acceptable at Security Level 1Automatically when an environmental failure occurs

OpenSK Cryptographic Module Table 19: SSP Zeroization Methods

9.4 SSPs

The following table summarizes the keys and Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module: n h N/A N/A N/A N/A Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 34

OpenSK Cryptographic Module n h n n n n Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 35

OpenSK Cryptographic Module n h e serverside y y y n n n n n n n n n Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 36

OpenSK Cryptographic Module n h n n n n n m6 Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 37

OpenSK Cryptographic Module n m for hmacsecret hmacsecret hmacsecret h n n n n Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 38

OpenSK Cryptographic Module n h y y y n n n n n n Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 39

OpenSK Cryptographic Module n h Table 20: SSP Table 1 Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 40
Sensitive security parameter
NameStorageZeroizationRelated SSPs
DRBG KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursDRBG Entropy Input:Used With DRBG Seed:Used With DRBG V:Used With
Personality Deterministic SeedFlash:PlaintextReset commandN/A
Individual Attestation Deterministic SeedFlash:PlaintextReset commandN/A
Batch Attestation Deterministic SeedFlash:PlaintextReset commandN/A
Key Handle Authentication Deterministic SeedFlash:PlaintextReset commandN/A
Batch Attestation Signing (Private) KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursBatch Attestation Deterministic Seed:Derived From
Individual Attestation Signing (Private) KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursIndividual Attestation Deterministic Seed:Derived From
Key Handle Encryption KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursPersonality Deterministic Seed:Derived From
Key Handle Authentication KeyRAM:PlaintextReboot Remove powerUntil module loses power/reboot orKey Handle Authentication Deterministic
environmenta l failure occursEnvironmenta l Failureenvironmenta l failure occursSeed:Derived From
U2F/Server- Side Signing (Private) Keys (Legacy)RAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursU2F/Server- Side Deterministic Seed:Derived From
FIDO2/Server -Side Signing (Private) KeysRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursFIDO2/Server- Side Deterministic Seed:Derived From
Resident Signing (Private) KeysRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occurs
PIN Protocol Agreement KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occurs
PIN Protocol Deriving ZRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occurs
PIN Protocol Encryption KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursPIN Protocol Deriving (Private) Key:Derived From
PIN Protocol Authentication KeyRAM:PlaintextReboot Remove powerUntil module loses power/rebootPIN Protocol Deriving (Private)

OpenSK Cryptographic Module N/A N/A N/A N/A Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 41

OpenSK Cryptographic Module U2F/ServerSide FIDO2/ServerSide Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 42
Sensitive security parameter
NameStorageZeroizationOr environmenta l failure occursRelated SSPs Key:Derived From
PIN UV Auth TokenRAM:PlaintextReboot Remove power Environmenta l FailurePIN Protoco l OutputUntil module loses power/reboot or environmenta l failure occurs
PINRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occurs
PIN HashFlash:Encrypte dReset commandN/A
PIN Hash AttempRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occurs
CredRandom Deterministic SeedFlash:PlaintextReset commandN/A
CredRandom Deriving Keys (with and without UV)RAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursCredRandom Deterministic Seed:Derived From
CredRandomRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursCredRandom Deriving Keys (with and without UV):Derived From
FIDO2 HMAC Secret SaltsRAM:PlaintextReboot Remove powerUntil module loses power/reboot or
environmenta l failure occursEnvironmenta l Failureenvironmenta l failure occurs
FIDO2 HMAC Secret OutputsRAM:PlaintextReboot Remove power Environmenta l FailurePIN Protoco l OutputUntil module loses power/reboot or environmenta l failure occurs
Pin Protocol Agreement (Public) KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occursPIN Protocol Agreement Key:Paired With
Batch Attestation Signing (Public) KeyFlash:PlaintextN/APSP ExportN/A
PIN Protocol Deriving (Public) KeyRAM:PlaintextReboot Remove power Environmenta l FailureUntil module loses power/reboot or environmenta l failure occurs
U2F/Server- Side Signing (Public) Keys (Legacy)RAM:PlaintextReboot Remove power Environmenta l FailurePSP ExportUntil module loses power/reboot or environmenta l failure occursU2F/Server- Side Signing (Private) Keys (Legacy):Paire d With
FIDO2/Server -Side Signing (Public) KeysRAM:PlaintextReboot Remove power Environmenta l FailurePSP ExportUntil module loses power/reboot or environmenta l failure occursFIDO2/Server- Side Signing (Private) Keys :Paired With
Resident Signing (Public) KeysRAM:PlaintextReboot Remove power Environmenta l FailurePSP ExportUntil module loses power/reboot or environmentaResident Signing (Private) Keys:Paired With
Individual Attestation Signing (Public) CertificateFlash:PlaintextN/APSP ExportN/A
U2F/Server- Side Deterministic SeedFlash:PlaintextReset commandN/A
FIDO2/Server -Side Deterministic SeedFlash:PlaintextReset commandN/A

OpenSK Cryptographic Module d N/A N/A Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 43

OpenSK Cryptographic Module N/A N/A Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 44

OpenSK Cryptographic Module N/A U2F/ServerSide N/A N/A N/A Table 21: SSP Table 2

9.5 Transitions

Per FIPS 140-3, IG C.K FIPS 186-4 CAVP tests performed are mathematically identical to FIPS 186-5 CAVP tests, therefore the module can claim FIPS 186-5 compliance for these tests. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 45
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorAlgorithm or TestTest Properties
SHA2-256 (A2352)SHA2-256 (A2352)Firmware IntegritySW/FW IntegrityApproved Hash256-bit hashStatus Output
SHA2-256 (A5101)SHA2-256 (A5101)CASTSuccessfu l initializatio n of the moduleModule Initializatio nHash256-bit hashKAT
HMAC- SHA2-256 (A5101)HMAC- SHA2-256 (A5101)CASTSuccessfu l initializatio n of the moduleModule Initializatio nMAC256-bit keyKAT
ECDSA SigGen (FIPS186- 4) (A5101)ECDSA SigGen (FIPS186- 4) (A5101)CASTSuccessfu l initializatio n of the moduleModule Initializatio nSignature GenerationNIST P- 256KAT
ECDSA SigVer (FIPS186- 4) (A5101)ECDSA SigVer (FIPS186- 4) (A5101)CASTSuccessfu l initializatio n of the moduleModule Initializatio nSignature VerificationNIST P- 256KAT
KAS- ECC-SSC Sp800-KAS- ECC-SSC Sp800-CASTSuccessfu l initializatioModule Initializatio nEphemeral UnifiedNIST P- 256KAT
56Ar3 (A5101)56Ar3 (A5101)n of the module
HMAC DRBG (A5101)HMAC DRBG (A5101)CASTSuccessfu l initializatio n of the moduleModule Initializatio nInstantiate, Generate and ReseedAs specified in NIST SP 800- 90Ar1 Section 11.3KAT
KDA HKDF SP800- 56Cr2 (A5101)KDA HKDF SP800- 56Cr2 (A5101)CASTSuccessfu l initializatio n of the moduleModule Initializatio nKey DerivationHMAC- SHA2- 256KAT
AES-CBC (A5101)AES-CBC (A5101)CASTSuccessfu l initializatio n of the moduleModule Initializatio nEncryption/Decrypti on256-bit keyKAT
ECDSA KeyGen (FIPS186- 4) (A5101)ECDSA KeyGen (FIPS186- 4) (A5101)PCTSuccess or failure of serviceKey Pair Generatio n and Key Agreemen tKey Pair GenerationNIST P- 256PCT
SHA2-256 (A2352)SHA2-256 (A2352)CASTSuccessfu l initializatio n of the moduleModule Initializatio nHash256-bit hashKAT
HMAC- SHA2-256 (A2352)HMAC- SHA2-256 (A2352)CASTSuccessfu l initializatio n of the moduleModule Initializatio nHash256-bit keyKAT
Firmware Load TestFirmware Load TestSW/F W LoadSuccessfu l firmware updateFirmware Update RequestN/AECDSA Signature Verificatio n with NIST P- 256Firmware Load Test
Entropy Source 90B Start- Up RCT and APTEntropy Source 90B Start- Up RCT and APTCASTSuccessfu l initializatio n of the entropy sourceModule Initializatio nEntropy GenerationRepetition Count Test (RCT) and Adaptativ eStart-up Health Tests
Entropy Source 90B Continuou s RCT and APTEntropy Source 90B Continuou s RCT and APTCASTSuccessfu ll output of entropy bitsEntropy Bits RequestEntropy GenerationRepetition Count Test (RCT) and Adaptativ e Proportio n Test (APT) as specified in NIST SP 800- 90B Sections 4.4.1 and 4.4.2Continuou s Health Tests
SHA2-256 (A2352)SHA2-256 (A2352)Firmware IntegritySW/FW IntegrityOn DemandReboot, reset or power cycle
10 Self-Tests

This section specifies the pre-operational and conditional self-tests performed by the module. The pre-operational and conditional self-tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected.

10.1 Pre-Operational Self-Tests

Pre-operational Self-Tests are run upon the power up/initialization of the module. The module transitions to the operational state only after the pre-operational self-tests (and the cryptographic algorithm self-tests (CASTs)) are passed successfully. The design of the module ensures that all data output, via the data output interface, is inhibited whenever the module is in a pre-operational self-test condition. The Pre-Operational Self-Tests are detailed in the table below. Table 22: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

Conditional Self-Tests are run when an applicable security function or process is invoked. The Conditional Self-Tests are detailed in the table below. s s n HMACSHA2-256 n (FIPS1864) (FIPS1864) KASECC-SSC NIST P256 n NIST P256 n NIST P256 l l l l l n Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 46

OpenSK Cryptographic Module s SP 80090Ar1 HMACSHA2256 (FIPS1864) NIST P256 HMACSHA2-256 NIST P256 e W SP80056Cr2 s l n n n l l l l l t n n N/A n Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 47
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsAlgorithm or TestTest PropertiesIndicator
Entropy Source 90B Continuou s RCT and APTEntropy Source 90B Continuou s RCT and APTCASTSuccessfu ll output of entropy bitsEntropy Bits RequestRepetition Count Test (RCT) and Adaptativ e Proportio n Test (APT) as specified in NIST SP 800- 90B Sections 4.4.1 and 4.4.2Continuou s Health TestsEntropy Generation
SHA2-256 (A2352)SHA2-256 (A2352)Firmware IntegritySW/FW IntegrityOn DemandReboot, reset or power cycle
SHA2-256 (A5101)SHA2-256 (A5101)KATCASTOn DemandReboot, reset or power cycle
HMAC-SHA2- 256 (A5101)HMAC-SHA2- 256 (A5101)KATCASTOn DemandReboot, reset or power cycle
ECDSA SigGen (FIPS186-4) (A5101)ECDSA SigGen (FIPS186-4) (A5101)KATCASTOn DemandReboot, reset or power cycle
ECDSA SigVer (FIPS186-4) (A5101)ECDSA SigVer (FIPS186-4) (A5101)KATCASTOn DemandReboot, reset or power cycle
KAS-ECC-SSC Sp800-56Ar3 (A5101)KAS-ECC-SSC Sp800-56Ar3 (A5101)KATCASTOn DemandReboot, reset or power cycle
HMAC DRBG (A5101)HMAC DRBG (A5101)KATCASTOn DemandReboot, reset or power cycle
KDA HKDF SP800-56Cr2 (A5101)KDA HKDF SP800-56Cr2 (A5101)KATCASTOn DemandReboot, reset or power cycle
AES-CBC (A5101)AES-CBC (A5101)KATCASTOn DemandReboot, reset or power cycle
ECDSA KeyGen (FIPS186-4) (A5101)ECDSA KeyGen (FIPS186-4) (A5101)PCTPCTOn DemandReboot, reset or power cycle
SHA2-256 (A2352)SHA2-256 (A2352)KATCASTOn DemandReboot, reset or power cycle
HMAC-SHA2- 256 (A2352)HMAC-SHA2- 256 (A2352)KATCASTOn DemandReboot, reset or power cycle
Firmware Load TestFirmware Load TestFirmware Load TestSW/FW LoadOn DemandFirmware Update Request
Entropy Source 90B Start-Up RCT and APTEntropy Source 90B Start-Up RCT and APTStart-up Health TestsCASTOn DemandReboot, reset or power cycle
Entropy Source 90B Continuous RCT and APTEntropy Source 90B Continuous RCT and APTContinuous Health TestsCASTEntropy GenerationEntropy Bits Request

OpenSK Cryptographic Module s SP 80090B 4.4.2 e SP 80090B 4.4.2 s Table 23: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms supported in the approved mode of operation, using the tests shown in the table above. To ensure all conditional CASTs are performed prior to the first operational use of the associated algorithm, all CASTs are performed during the module’s initial power-up sequence. The CASTs for algorithms used in the pre-operational firmware integrity test are performed prior to the integrity test itself; all other CASTs are executed immediately after the successful completion of the firmware integrity test. Services are not available, and data output (via the data output interface) is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state.

10.3 Periodic Self-Test Information

Pre-operational self-tests can be run on-demand, for periodic testing, by rebooting the module. Table 24: Pre-Operational Periodic Information Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 48

OpenSK Cryptographic Module Table 25: Conditional Periodic Information

10.4 Error States

If any of the Pre-operational Self-Tests or Conditional Self-Tests fail, the module will output an error status and enter an error state, where all data output is inhibited. Upon entering an error state, an operator can attempt to clear the error state by removing the module from the USB port and reinserting it to restart the module. If the error state cannot be cleared, the module must be returned to the manufacturer. The table below shows the different causes that lead to the Error States and the status indicators reported. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 49
Service
NameDescriptionRole AccessIndicator
ErrorThe module's error statePOST, CAST or PCT FailureError CodeModule reboot and power cycle

OpenSK Cryptographic Module Table 26: Error States Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 50
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

No configuration of the module or installation steps are required from the operator. When the module is powered on its power-up self-tests are executed without any operator intervention. The module enters in approved mode automatically if the power-up self-test completes successfully. If any of the self-tests fail during power-up, the module transitions to an Error state. The operator can verify that the module is in the Approved mode of operation and that the FIPS validated version is being used, by checking the version output using the "Vendor_Sysinfo" command and comparing it against the versioning information on the module certificate. The status of the module can be determined by the availability of the module or by executing the “Show Status” service. If the module is available, it has passed all self-tests. If it is unavailable, it is in the error state.

11.2 Administrator Guidance
11.3 Non-Administrator Guidance

None. Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 51
12 Mitigation of Other Attacks

The module is protected against the following non-invasive attacks: Fault Injection: Code signing Execution gating Storage parity Transmission parity Power On Self-Test Voltage monitoring Temperature monitoring Internal clock Active Security Shield Side-Channel Attacks: Constant-time (data-independent) code execution Random insertion of wait states Jittery clock Power masking Data blinding TRNG Entropy Churning Computation Throttling Google, LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Referenced URLs