| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 11/13/2030 |
| Caveat | When operated in approved mode. When installed, initialized, and configured as specified in Section 11.1 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | SAP SE |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 2 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for SAP CommonCryptoLib Crypto Kernel
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>Recovery</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES encryption / decryption<br/>AES CFB encryption / decryption<br/>Initialize and self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for SAP CommonCryptoLib Crypto Kernel
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>Recovery</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES encryption / decryption<br/>AES CFB encryption / decryption<br/>Initialize and self-test</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;SAP SE SAP CommonCryptoLib Crypto Kernel Document version: 1.4 Date: 2025-10-21 This document may be reproduced and distributed only in its original entirely without revision.
| # | Section | Page |
|---|---|---|
| 1 | General | 7 |
| 1.1 | Overview | 7 |
| 1.2 | Security Levels | 7 |
| Cryptographic Module Specification | 8 | |
| 2.1 | Description | 8 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 9 |
| 2.3 | Excluded Components | 13 |
| 2.4 | Modes of Operation | 14 |
| 2.5 | Algorithms | 15 |
| 2.6 | Security Function Implementations | 23 |
| 2.7 | Algorithm Specific Information | 30 |
| 2.8 | RBG and Entropy | 32 |
| 2.9 | Key Generation | 34 |
| 2.10 | Key Establishment | 34 |
| 2.11 | Industry Protocols | 36 |
| 3 | Cryptographic Module Interfaces | 37 |
| 3.1 | Ports and Interfaces | 37 |
| 3.2 | Trusted Channel Specification | 37 |
| 3.3 | Control Interface Not Inhibited | 37 |
| 3.4 | Additional Information | 37 |
| 4 | Roles, Services, and Authentication | 38 |
| 4.1 | Authentication Methods | 38 |
| 4.2 | Roles | 38 |
| 4.3 | Approved Services | 38 |
| 4.4 | Non-Approved Services | 50 |
| 4.5 | External Software/Firmware Loaded | 54 |
| 4.6 | Bypass Actions and Status | 54 |
| 4.7 | Cryptographic Output Actions and Status | 55 |
| 5 | Software/Firmware Security | 56 |
| 5.1 | Integrity Techniques | 56 |
| 5.2 | Initiate on Demand | 56 |
| 6 | Operational Environment | 57 |
| 6.1 | Operational Environment Type and Requirements | 57 |
| 6.2 | Configuration Settings and Restrictions | 57 |
| 7 | Physical Security | 58 |
| 8 | Non-Invasive Security | 59 |
| 9 | Sensitive Security Parameters Management | 60 |
| 9.1 | Storage Areas | 60 |
| 9.2 | SSP Input-Output Methods | 60 |
| 9.3 | SSP Zeroization Methods | 61 |
| 9.4 | SSPs | 62 |
| 9.5 | Transitions | 72 |
| 10 | Self-Tests | 73 |
| 10.1 | Pre-Operational Self-Tests | 73 |
| 10.2 | Conditional Self-Tests | 73 |
| 10.3 | Periodic Self-Test Information | 78 |
| 10.4 | Error States | 81 |
| 10.5 | Operator Initiation of Self-Tests | 82 |
| 11 | Life-Cycle Assurance | 83 |
| 11.1 | Installation, Initialization, and Startup Procedures | 83 |
| 11.2 | Administrator Guidance | 85 |
| 11.3 | Non-Administrator Guidance | 85 |
| 11.4 | Design and Rules | 85 |
| 11.5 | Maintenance Requirements | 86 |
| 11.6 | End of Life | 86 |
| 12 | Mitigation of Other Attacks | 87 |
| 12.1 | Attack List | 87 |
| 12.2 | Mitigation Effectiveness | 87 |
| 12.3 | Guidance and Constraints | 87 |
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
| Item | Page |
|---|---|
| Table 1: Security Levels | 7 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 10 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 12 |
| Table 4: Optionally Available PAAs per Algorithm | 13 |
| Table 5: Modes List and Description | 14 |
| Table 6: Approved Algorithms - General | 18 |
| Table 7: Approved Algorithms - Legacy | 18 |
| Table 8: Approved Algorithms - CVL | 19 |
| Table 9: Vendor-Affirmed Algorithms | 20 |
| Table 10: Non-Approved, Not Allowed Algorithms | 22 |
| Table 11: Security Function Implementations | 30 |
| Table 12: Entropy Certificates | 32 |
| Table 13: Entropy Sources | 32 |
| Table 14: Obtained Assurances for the Implemented Approved KAS-SSC and KTS | 35 |
| Table 15: Ports and Interfaces | 37 |
| Table 16: Roles | 38 |
| Table 17: Approved Services | 49 |
| Table 18: Non-Approved Services | 54 |
| Table 19: Storage Areas | 60 |
| Table 20: SSP Input-Output Methods | 60 |
| Table 21: SSP Zeroization Methods | 61 |
| Table 22: SSP Table 1 | 68 |
| Table 23: SSP Table 2 | 71 |
| Table 24: Pre-Operational Self-Tests | 73 |
| Table 25: Conditional Self-Tests | 78 |
| Table 26: Pre-Operational Periodic Information | 79 |
| Table 27: Conditional Periodic Information | 81 |
| Table 28: Error States | 81 |
| Table 29: Error Causes and Expected Return Codes | 82 |
| Table 30: Module File Names and Checksums | 83 |
| Table 31: File Access Permissions | 84 |
| Item | Page |
|---|---|
| Figure 1: Block Diagram | 9 |
| Figure 2: Module in Context of its Operational Environment | 9 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | 1 |
| Overall Level | Overall Level | 1 |
This document is the non-proprietary FIPS 140-3 Security Policy for the cryptographic module “SAP CommonCryptoLib Crypto Kernel” (hereafter denoted as “module”) in its version 8.6.1 developed by SAP SE.
N/A N/A Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.
Purpose and Use: The module is a shared software library that implements various cryptographic functions such as encryption/decryption, signature generation/verification, key establishment, key generation, and random number generation. The module also implements an entropy source. It provides C/C++ APIs for key management and operation of the implemented cryptographic functions. The module itself is subdivided as shown in Figure
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package |
|---|---|---|---|---|---|---|---|---|---|
| aix-6.1-ppc-64 | 8.6.1 (aix-6.1-ppc-64) | HMAC-SHA2-256 | aix-6.1-ppc-64 | ||||||
| aix-7.2-ppc-64 | 8.6.1 (aix-7.2-ppc-64) | HMAC-SHA2-256 | aix-7.2-ppc-64 | ||||||
| hpux-b.11.31-ia-64 | 8.6.1 (hpux-b.11.31-ia-64) | HMAC-SHA2-256 | hpux-b.11.31-ia-64 | ||||||
| linux-gcc-11.2-armv8-64 | 8.6.1 (linux-gcc-11.2-armv8- 64) | HMAC-SHA2-256 | linux-gcc-11.2-armv8-64 | ||||||
| linux-gcc-4.3-ia-64 | 8.6.1 (linux-gcc-4.3-ia-64) | HMAC-SHA2-256 | linux-gcc-4.3-ia-64 | ||||||
| linux-gcc-4.3-s390x-64 | 8.6.1 (linux-gcc-4.3-s390x-64) | HMAC-SHA2-256 | linux-gcc-4.3-s390x-64 | ||||||
| linux-gcc-4.3-x86-64 | 8.6.1 (linux-gcc-4.3-x86-64) | HMAC-SHA2-256 | linux-gcc-4.3-x86-64 | ||||||
| linux-gcc-4.8-ppcle-64 | 8.6.1 (linux-gcc-4.8-ppcle-64) | HMAC-SHA2-256 | linux-gcc-4.8-ppcle-64 | ||||||
| linux-musl-1.2.4-x86-64 | 8.6.1 (linux-musl-1.2.4-x86-64) | HMAC-SHA2-256 | linux-musl-1.2.4-x86-64 | ||||||
| macosx-arm-64 | 8.6.1 (macosx-arm-64) | HMAC-SHA2-256 | macosx-arm-64 | ||||||
| macosx-x86-64 | 8.6.1 (macosx-x86-64) | HMAC-SHA2-256 | macosx-x86-64 | ||||||
| sunos-5.10-sparc-64 | 8.6.1 (sunos-5.10-sparc-64) | HMAC-SHA2-256 | sunos-5.10-sparc-64 | ||||||
| sunos-5.10-x86-64 | 8.6.1 (sunos-5.10-x86-64) | HMAC-SHA2-256 | sunos-5.10-x86-64 | ||||||
| windows-x86-64 | 8.6.1 (windows-x86-64) | HMAC-SHA2-256 | windows-x86-64 | ||||||
| SLES 15 SP4 | SLES 15 SP4 | Amazon EC2 c7g.16xlarge | 8.6.1 (linux- gcc-11.2- armv8-64) | AWS Graviton3 | Yes | AWS Nitro System |
Figure 1: Block Diagram Figure 2: Module in Context of its Operational Environment
Tested Module Identification
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package |
|---|---|---|---|---|---|---|---|---|---|
| linux-gcc-4.8-ppcle-64 | 8.6.1 (linux-gcc-4.8-ppcle-64) | HMAC-SHA2-256 | linux-gcc-4.8-ppcle-64 | ||||||
| linux-musl-1.2.4-x86-64 | 8.6.1 (linux-musl-1.2.4-x86-64) | HMAC-SHA2-256 | linux-musl-1.2.4-x86-64 | ||||||
| macosx-arm-64 | 8.6.1 (macosx-arm-64) | HMAC-SHA2-256 | macosx-arm-64 | ||||||
| macosx-x86-64 | 8.6.1 (macosx-x86-64) | HMAC-SHA2-256 | macosx-x86-64 | ||||||
| sunos-5.10-sparc-64 | 8.6.1 (sunos-5.10-sparc-64) | HMAC-SHA2-256 | sunos-5.10-sparc-64 | ||||||
| sunos-5.10-x86-64 | 8.6.1 (sunos-5.10-x86-64) | HMAC-SHA2-256 | sunos-5.10-x86-64 | ||||||
| windows-x86-64 | 8.6.1 (windows-x86-64) | HMAC-SHA2-256 | windows-x86-64 | ||||||
| SLES 15 SP4 | SLES 15 SP4 | Amazon EC2 c7g.16xlarge | 8.6.1 (linux- gcc-11.2- armv8-64) | AWS Graviton3 | Yes | AWS Nitro System | |||
| Apple macOS 14 | Apple macOS 14 | MacBook Pro (2019) | 8.6.1 (macosx-x86- 64) | Intel Core i7- 9750H | Yes | ||||
| Apple macOS 12 | Apple macOS 12 | Mac mini (2020) | 8.6.1 (macosx- arm-64) | Apple M1 | Yes | ||||
| SunOS 5.10 | SunOS 5.10 | Sun-4u - Fujitsu M4000 | 8.6.1 (sunos- 5.10-sparc- 64) | Fujitsu SPARC64-VI | No | ||||
| HP-UX 11.31 (IA64) | HP-UX 11.31 (IA64) | Hewlett-Packard rx2800 i4 | 8.6.1 (hpux- b.11.31-ia- 64) | Intel Itanium Processor 9540 | No | ||||
| SLES 15 SP2 | SLES 15 SP2 | IBM z13 | 8.6.1 (linux- gcc-4.3- s390x-64) | IBM S390 | No | IBM z/VM 7.2.0 | |||
| IBM AIX 7.2 | IBM AIX 7.2 | IBM Power System S824 | 8.6.1 (aix- 7.2-ppc-64) | IBM POWER9 | Yes | IBM PowerVM 3.1.4.21 | |||
| IBM AIX 6.1 | IBM AIX 6.1 | IBM Power System S824 | 8.6.1 (aix- 6.1-ppc-64) | IBM POWER8 | No | IBM PowerVM 3.1.4.21 | |||
| SLES 15 SP4 | SLES 15 SP4 | Ampere D12A-M1-AA | 8.6.1 (linux- gcc-11.2- armv8-64) | Arm Neoverse N1 | Yes | QEMU (KVM) 6.2 on SLES 15 SP4 | |||
| SLES 11 SP1 | SLES 11 SP1 | Hewlett-Packard rx2660 | 8.6.1 (linux- gcc-4.3-ia- 64) | Intel Itanium Processor 9120N | No | ||||
| SLES 12 SP5 | SLES 12 SP5 | IBM Power System E980 | 8.6.1 (linux- gcc-4.8- ppcle-64) | IBM POWER8 | Yes | IBM PowerVM 3.1.4.21 | |||
| SunOS 5.10 | SunOS 5.10 | i86pc - Fujitsu Primergy RX600 S6 | 8.6.1 (sunos- 5.10-x86-64) | Intel Xeon E7- 4807 | Yes |
Table 2: Tested Module Identification
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Operating System | Hardware Platform | Software Version | Processor | Paa Pai | Hypervisor |
|---|---|---|---|---|---|---|
| Alpine Linux 3.18.2 | Alpine Linux 3.18.2 | LENOVO_MT_20QU_BU_Think_FM_ThinkPad P1 Gen 2 | 8.6.1 (linux- musl-1.2.4- x86-64) | Intel Core i9- 9880H | Yes | VMware Workstation 17.5.0 on Windows 11 Enterprise |
| SLES 15 SP5 | SLES 15 SP5 | Dell EMC PowerEdge R840 | 8.6.1 (linux- gcc-4.3-x86- 64) | Intel Xeon Platinum 8260M | Yes | VMware ESXi 7.0.3 |
| Microsoft Windows Server 2022 Standard | Microsoft Windows Server 2022 Standard | DELL EMC PowerEdge R840 | 8.6.1 (windows- x86-64) | Intel Xeon Platinum 8260M | Yes | VMware ESXi 7.0.3 |
| Name | Mode Method | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Package | Algorithm | Package | ||||||||
| SHA2-384/512 | AES (all modes) | AES-GCM1 | SHA-1 | SHA2-224/256 | ||||||
| aix-6.1-ppc-64 | aix-6.1-ppc-64 | P8 | P8 | P8 | P8 | |||||
| aix-7.2-ppc-64 | aix-7.2-ppc-64 | P8 | P8 | P8 | P8 | |||||
| linux-gcc-11.2-armv8-64 | linux-gcc-11.2-armv8-64 | AES | SHA2 | SHA5122 | SHA1 | |||||
| Package | Algorithm | Package | ||||||||
| SHA2-384/512 | AES (all modes) | AES-GCM1 | SHA-1 | SHA2-224/256 | ||||||
| linux-gcc-4.3-x86-64 | linux-gcc-4.3-x86-64 | AES-NI, SSSE33 | CLMUL | |||||||
| linux-gcc-4.8-ppcle-64 | linux-gcc-4.8-ppcle-64 | P8 | P8 | P8 | P8 | |||||
| linux-musl-1.2.4-x86-64 | linux-musl-1.2.4-x86-64 | AES-NI, SSSE33 | CLMUL | |||||||
| macosx-arm-64 | macosx-arm-64 | AES | SHA2 | SHA512 | SHA1 | |||||
| macosx-x86-64 | macosx-x86-64 | AES-NI, SSSE33 | CLMUL | |||||||
| sunos-5.10-x86-64 | sunos-5.10-x86-64 | AES-NI, SSSE33 | CLMUL | |||||||
| windows-x86-64 | windows-x86-64 | AES-NI, SSSE33 | CLMUL |
8.6.1 (windowsx86-64) Table 3: Tested Operational Environments - Software, Firmware, Hybrid All operational environments listed above with “Yes” in the “PAA/PAI” column can optionally use what is considered as a Processor Algorithm Acceleration (PAA) for certain approved algorithm implementations. For details on the PAAs supported by each binary, please refer to Table 4 and its footnotes as well as the CAVP certificate referenced in Section 2.5 Algorithms. The PAAs are also used when the listed algorithms are embedded into other higher cryptographic algorithms (e.g., SHA-256 used as part of an HMAC). AES-GCM 1 SHA512 2
1 The PAAs listed in this column are used for the counter logic of AES-GCM. They are used in addition to the PAAs listed in the “AES (all modes)”
2 Not supported by the tested operational environment using the Arm Neoverse-N1 CPU.
This document may be reproduced and distributed only in its original entirely without revision.
AES-GCM 1 Table 4: Optionally Available PAAs per Algorithm In compliance with IG 2.3.C, the module implements every algorithm utilizing a PAA also entirely in software. Different combinations of enabled and disabled PAAs were used during testing to cover all code paths of the implemented algorithms. Before module initialization, the crypt_disable_cpu_features API can be used to configure the activated PAAs. Reconfiguration of the activated PAAs is only possible after re-initializing the module (see Section 11.1 Installation, Initialization, and Startup Procedures for more details). Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: No vendor-affirmed operational environments are claimed. Nevertheless, the module may be ported to other operational environments that have the necessary capabilities (operating system, system libraries, sufficient hardware, etc.) per the CMVP porting rules specified in the FIPS 140-3 Management Manual. However, in this case the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. In addition, when running a module on such an untested platform the “No assurance of the minimum strength of generated SSPs (e.g., keys)” caveat applies per IG 9.3.A.
There are no excluded components within the cryptographic boundary.
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- approved mode | The module provides non- approved services as part of its regular operation. | Provided by each service as a return code. Non-approved services either return the value "0" or do not have a return code. | Non- Approved |
Modes List and Description: Nonapproved NonApproved Table 5: Modes List and Description As the module supports both an approved mode and non-approved modes, the caveat “when operated in approved mode” is applicable. The module further supports a non-compliant test mode that is off by default. This mode allows for additional controls for functional testing that violate the FIPS 140-3 requirements. As the test mode is non-compliant, the caveat “when installed, initialized, and configured as specified in Section 11.1 of the Security Policy” is additionally applicable. When this mode is activated, the module is not considered to be FIPS 140-3 validated. Mode Change Instructions and Status: With the module’s default configuration, both approved and non-approved services are available at the same time. There is no transitioning procedure to switch between different modes. The return codes of the called security services indicate whether they were executed in the approved mode or the non-approved mode depending on the provided input parameters. For more details, please see Section 4.3 Approved Services. The module’s non-compliant test mode can be activated by passing the “TESTMODE” value to the crypt_control API before module initialization. When this mode is activated, all the module’s security services, including those that are usually approved, are non-approved services. This is reflected by the implemented approved service indicator. The test mode can be deactivated by reloading the module or by passing the value “PRODUCTIONMODE” to the crypt_control API. This document may be reproduced and distributed only in its original entirely without revision.
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A5497 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS3 | A5497 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CFB128 | A5497 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CFB8 | A5497 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CTR | A5497 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A5497 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-GCM | A5497 | Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 | SP 800-38D |
| AES-OFB | A5497 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| Counter DRBG | A5497 | Prediction Resistance - No Mode - AES-256 Derivation Function Enabled - Yes | SP 800-90A Rev. 1 |
| DSA KeyGen (FIPS186-4) | A5497 | L - 2048, 3072 N - 224, 256 | FIPS 186-4 |
| DSA PQGGen (FIPS186-4) | A5497 | L - 2048, 3072 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| ECDSA KeyGen (FIPS186-5) | A5497 | Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - testing candidates | FIPS 186-5 |
| ECDSA KeyVer (FIPS186-5) | A5497 | Curve - P-224, P-256, P-384, P-521 | FIPS 186-5 |
| ECDSA SigGen (FIPS186-5) | A5497 | Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Component - No, Yes | FIPS 186-5 |
| ECDSA SigVer (FIPS186-5) | A5497 | Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | FIPS 186-5 |
| EDDSA KeyGen | A5497 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| EDDSA KeyVer | A5497 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| EDDSA SigGen | A5497 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| EDDSA SigVer | A5497 | Curve - ED-25519, ED-448 | FIPS 186-5 |
| HMAC-SHA-1 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-224 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-256 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-384 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-224 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-256 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-384 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-512 | A5497 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| KAS-ECC-SSC Sp800-56Ar3 | A5497 | Domain Parameter Generation Methods - P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder staticUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A5497 | Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme - | SP 800-56A Rev. 3 |
| KTS-IFC | A5497 | Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-crt Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 1024 | SP 800-56B Rev. 2 |
| RSA KeyGen (FIPS186-5) | A5497 | Key Generation Mode - probable Modulo - 2048, 3072, 4096, 6144, 8192 Primality Tests - 2pow100 Private Key Format - crt | FIPS 186-5 |
| RSA SigGen (FIPS186-5) | A5497 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pss | FIPS 186-5 |
| RSA SigVer (FIPS186-5) | A5497 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pss | FIPS 186-5 |
| Safe Primes Key Generation | A5497 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | SP 800-56A Rev. 3 |
| Safe Primes Key Verification | A5497 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | SP 800-56A Rev. 3 |
| SHA-1 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-224 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-256 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-384 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-512 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA3-224 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-256 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-384 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-512 | A5497 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHAKE-128 | A5497 | Output Length - Output Length: 16-65536 Increment 8 | FIPS 202 |
| SHAKE-256 | A5497 | Output Length - Output Length: 16-65536 Increment 8 | FIPS 202 |
| DSA PQGVer (FIPS186-4) | A5497 | L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| DSA SigVer (FIPS186-4) | A5497 | L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A5497 | Curve - P-192 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A5497 | Component - No Curve - P-192 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3- 224, SHA3-256, SHA3-384, SHA3-512 | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A5497 | Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096 | FIPS 186-4 |
Approved Algorithms: General This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
Table 6: Approved Algorithms - General Legacy Table 7: Approved Algorithms - Legacy This document may be reproduced and distributed only in its original entirely without revision.
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| KAS-ECC CDH-Component SP800-56Ar3 (CVL) | A5497 | Function - Full Public Key Validation, Key Pair Generation Curve - P-224, P-256, P-384, P-521 | SP 800-56A Rev. 3 |
| RSA Decryption Primitive Sp800-56Br2 (CVL) | A5497 | Modulo - 2048, 3072, 4096 | SP 800-56B Rev. 2 |
| RSA Signature Primitive (CVL) | A5497 | Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| Name | Approved Functions | Properties | ||
|---|---|---|---|---|
| AES CKG | Key type: Symmetric | N/A | SP 800-133r2 Sections 4 / 6.1 (no post-processing or value V are used) | |
| Signature CKG | Key type: Asymmetric | N/A | SP 800-133r2 Sections 4 / 5.1 (no post-processing or value V are used) | |
| Key establishment CKG | Key type: Asymmetric | N/A | SP 800-133r2 Sections 4 / 5.2 (no post-processing or value V are used) | |
| DSA signature verification with SHA-3 | Key size: L: 1024/N: 160, L: 2048/N: 224, L: 2048/N: 256, L: 3072/N: 256 Hash functions: SHA3-224, SHA3- 256, SHA3-384, SHA3-512 | SAP CommonCryptoLib Crypto Kernel | FIPS 186-4 Section 4, IG C.C | |
| MD2, MD4, MD5 | Hash generation | |||
| RIPEMD-128, RIPEMD-160 | Hash generation | |||
| CRC32 | Checksum generation | |||
| IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED | Block cipher encryption / decryption, key generation | |||
| DES (non-compliant) | Block cipher encryption / decryption, key generation | |||
| 2-key / 3-key TDES (non-compliant) | Block cipher encryption / decryption and key generation |
Table 8: Approved Algorithms - CVL Before approved signature verification is performed, the module performs a partial public key validation as required by
| Name | Approved Functions | Properties | ||
|---|---|---|---|---|
| Signature CKG | Key type: Asymmetric | N/A | SP 800-133r2 Sections 4 / 5.1 (no post-processing or value V are used) | |
| Key establishment CKG | Key type: Asymmetric | N/A | SP 800-133r2 Sections 4 / 5.2 (no post-processing or value V are used) | |
| DSA signature verification with SHA-3 | Key size: L: 1024/N: 160, L: 2048/N: 224, L: 2048/N: 256, L: 3072/N: 256 Hash functions: SHA3-224, SHA3- 256, SHA3-384, SHA3-512 | SAP CommonCryptoLib Crypto Kernel | FIPS 186-4 Section 4, IG C.C | |
| MD2, MD4, MD5 | Hash generation | |||
| RIPEMD-128, RIPEMD-160 | Hash generation | |||
| CRC32 | Checksum generation | |||
| IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED | Block cipher encryption / decryption, key generation | |||
| DES (non-compliant) | Block cipher encryption / decryption, key generation | |||
| 2-key / 3-key TDES (non-compliant) | Block cipher encryption / decryption and key generation | |||
| AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant) | Block cipher encryption / decryption | |||
| AES-GCM with * user-provided IV for encryption (outside of the use within TLS 1.2 / 1.3) * decryption without prior tag check, or * tags with a length of < 96 bits. (non-compliant) | Authenticated encryption / decryption | |||
| RC4 | Stream cipher encryption / decryption, key generation | |||
| HMAC generation with * key length less than 112 bits, * IPAD and/or OPAD configured to values not specified in FIPS 198-1, * non-approved hash functions, or * SHAKE128 or SHAKE256. (non-compliant) | HMAC generation | |||
| DSA signature generation using key sizes of L: 2048 / N: 224, L: 2048 / N: 256, and L: 3072 / N: 256 and hash functions SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. (non-compliant) | Signature generation | |||
| DSA signature verification with * groups not approved for signature verification, * hash functions not approved for signature generation respectively verification, or * pre-hashed messages. (non-compliant) | Signature verification | |||
| DSA key pair and domain parameter generation * with groups not approved for KAS-FFC or * for use outside of KAS-FFC. (non-compliant) | Key pair and domain parameter generation | |||
| RSA signature generation / verification with * modulus length not approved for signature generation respectively verification, * user-provided salt (only PSS generation), * padding not approved for signature generation, | Signature generation, signature verification | |||
| RSA key pair generation with modulus length not approved for key generation. (non-compliant) | Key pair generation | |||
| ECDSA signature generation / verification with * curves not approved for signature generation respectively verification, * hash functions not approved for signature generation respectively verification, * using SHAKE-128 or SHAKE-256, or * pre-hashed messages (only verification). (non-compliant) | Signature generation | |||
| ECDSA key pair generation with curves not approved for key generation. (non-compliant) | Key pair generation | |||
| KAS-ECC-SSC with curves not approved for KAS-ECC. (non-compliant) | Key agreement, key pair generation | |||
| KAS-FFC-SSC with groups not approved for KAS-FFC. (non-compliant) | Key agreement, key pair generation | |||
| KTS-IFC (OAEP) with * modulus length not approved for KTS-IFC, * hash functions not approved for use with OAEP, or * user-provided seed (only encapsulation). (non-compliant) | Key transport, key pair generation | |||
| RSA key transport with * no padding (only encapsulation) or * padding not approved for use with RSA (i.e., non-OAEP padding). (non-compliant) | Key transport | |||
| ElGamal | Key encapsulation, key generation | |||
| Counter DRBG using AES-128, AES-192, or AES-256 with derivation function when seeded entirely by the calling application. (non-compliant) | Random number generation |
N/A N/A Table 9: Vendor-Affirmed Algorithms For the approved key generation algorithms used together with the CKG claimed according to IG D.H, please see the approved algorithms table above and Section 2.6 Security Function Implementations. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
Table 10: Non-Approved, Not Allowed Algorithms This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| HMAC generation | Truncation: not supported Key length: >= 112 bits | HMAC-SHA-1: (A5497) HMAC-SHA2-224: (A5497) HMAC-SHA2-256: (A5497) HMAC-SHA2-384: (A5497) HMAC-SHA2-512: (A5497) HMAC-SHA3-224: (A5497) HMAC-SHA3-256: (A5497) HMAC-SHA3-384: (A5497) HMAC-SHA3-512: (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) | MAC |
| Hash generation | SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) | SHA | |
| XOF generation | SHAKE-128: (A5497) SHAKE-256: (A5497) | XOF | |
| Random number generation | Counter DRBG: (A5497) AES-CTR: (A5497) Key length: 256 bits SHA2-512: (A5497) | DRBG ENT-Cond ENT-ESV | |
| AES encryption / decryption | AES-CBC: (A5497) AES-CBC-CS3: (A5497) AES-CTR: (A5497) AES-ECB: (A5497) AES-OFB: (A5497) | BC-UnAuth | |
| AES GCM encryption / decryption (random IV) | Tag length: >= 96 bits IV length (for encryption): >= 96 bits | AES-GCM: (A5497) | BC-Auth |
| AES GCM encryption / decryption (TLS 1.2) | Standards: RFC 5246 and RFC 5288 | AES-GCM: (A5497) | BC-Auth |
| AES GCM encryption / decryption (TLS 1.3) | Standard: RFC 8446 | AES-GCM: (A5497) | BC-Auth |
| AES CFB encryption / decryption | s: 8, 16, ..., 128 (only s = 8 and 128 are CAVP- tested) | AES-CFB8: (A5497) AES-CFB128: (A5497) | BC-UnAuth |
| Ed25519 signature generation | EDDSA SigGen: (A5497) SHA2-512: (A5497) | DigSig-SigGen | |
| Ed25519 signature verification | EDDSA SigVer: (A5497) SHA2-512: (A5497) | DigSig-SigVer | |
| Ed448 signature generation | EDDSA SigGen: (A5497) SHAKE-256: (A5497) | DigSig-SigGen | |
| Ed448 signature verification | EDDSA SigVer: (A5497) SHAKE-256: (A5497) | DigSig-SigVer | |
| RSA PKCS1-v1.5 signature generation | Modulus length: >= 2048 bits (only modulus length of 2048, 3072, and 4096 are CAVP- tested) | RSA SigGen (FIPS186- 5): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) | DigSig-SigGen |
| RSA PKCS1-v1.5 signature verification | Modulus length: 1024 bits and >= 2048 bits (only modulus length of 1024, 2048, 3072, and 4096 are CAVP-tested) | RSA SigVer (FIPS186- 4): (A5497) RSA SigVer (FIPS186- 5): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) | DigSig-SigVer |
| RSA PSS signature generation | Modulus length: >= 2048 bits (only modulus length of 2048, 3072, and 4096 are CAVP- tested) | RSA SigGen (FIPS186- 5): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) SHAKE-128: (A5497) SHAKE-256: (A5497) | DigSig-SigGen |
| RSA PSS signature verification | Modulus length: 1024 bits and >= 2048 bits (only modulus length of 1024, 2048, 3072, and 4096 are CAVP-tested) | RSA SigVer (FIPS186- 4): (A5497) RSA SigVer (FIPS186- 5): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) SHAKE-128: (A5497) SHAKE-256: (A5497) | DigSig-SigVer |
| RSA signature generation with pre- computed hash (CVL) | Modulus length: >= 2048 bits (only modulus length of 2048, 3072, | RSA Signature Primitive: (A5497) | DigSig-SigGen |
| ECDSA signature generation | Curves: P-224, P-256, P-384, P-521 | ECDSA SigGen (FIPS186-5): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) | DigSig-SigGen |
| ECDSA signature verification | Curves: P-192, P-224, P-256, P-384, P-521 | ECDSA SigVer (FIPS186-4): (A5497) ECDSA SigVer (FIPS186-5): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) | DigSig-SigVer |
| ECDSA signature generation with pre- computed hash (CVL) | Curves: P-224, P-256, P-384, P-521 | ECDSA SigGen (FIPS186-5): (A5497) | DigSig-SigGen |
| DSA signature verification | Groups: L: 1024/N: 160, L: 2048/N: 224, L: 2048/N: 256, L: 3072/N: 256 | DSA SigVer (FIPS186- 4): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) | DigSig-SigVer |
| EdDSA public key validation | Curves: Edwards25519, Edwards448 | EDDSA KeyVer: (A5497) | AsymKeyPair- PubKeyVal |
| ECDSA public key validation | Curves: P-192, P-224, P-256, P-384, P-521 | ECDSA KeyVer (FIPS186-4): (A5497) ECDSA KeyVer (FIPS186-5): (A5497) | AsymKeyPair- PubKeyVal |
| DSA domain parameter validation | Groups: L: 1024/N: 160, L: 2048/N: 224 (FB), L: 2048/N: 256 (FC), L: 3072/N: 256 | DSA PQGVer (FIPS186-4): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) | AsymKeyPair-DomPar |
| EdDSA key pair generation | Curves: Edwards25519, Edwards448 | EDDSA KeyGen: (A5497) Signature CKG: () | AsymKeyPair-KeyGen CKG |
| ECDSA key pair generation | Curves: P-224, P-256, P-384, P-521 | ECDSA KeyGen (FIPS186-5): (A5497) Signature CKG: () | AsymKeyPair-KeyGen CKG |
| RSA key pair generation | Modulus length: 2048 to 8192 bits (only modulus length of 2048, 3072, 4096, and 8192 are CAVP-tested) | RSA KeyGen (FIPS186- 5): (A5497) Signature CKG: () | AsymKeyPair-KeyGen CKG |
| AES key generation | Key length: 128, 192, 256 bits | AES CKG: () | CKG |
| KTS-IFC | Standard: SP 800- 56Brev2 IG D.G: Approved RSA- based key transport scheme Key confirmation: No Caveat: Key establishment methodology provides between 112 and 256 bits of security strength Modulus length: 2048 bits (only modulus length of 2048, 3072, and 4096 are CAVP- tested) | KTS-IFC: (A5497) Key establishment CKG: () RSA KeyGen (FIPS186- 5): (A5497) RSA Decryption Primitive Sp800-56Br2: (A5497) | KTS-Encap |
| KAS-SSC FFC | IG: IG D.F Scenario 2, path (1) Caveat: Key establishment methodology provides between 112 and 192 bits of security strength Groups: FB, FC, MODP 2048, MODP 3072, MODP 4096, MODP 6144, MODP 8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192 | KAS-FFC-SSC Sp800- 56Ar3: (A5497) DSA KeyGen (FIPS186- 4): (A5497) DSA PQGGen (FIPS186-4): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) DSA PQGVer (FIPS186-4): (A5497) Key establishment CKG: () Safe Primes Key Generation: (A5497) | AsymKeyPair-DomPar CKG KAS-KeyGen KAS-SSC |
| KAS-SSC ECC | IG: IG D.F Scenario 2, path (1) Caveat: Key establishment methodology provides between 112 and 256 bits of security strength | KAS-ECC-SSC Sp800- 56Ar3: (A5497) KAS-ECC CDH- Component SP800- 56Ar3: (A5497) EDDSA KeyGen: (A5497) Key establishment CKG: () ECDSA KeyVer (FIPS186-5): (A5497) | CKG KAS-KeyGen KAS-SSC |
Note that “non-approved” in the above non-approved, not allowed algorithms table refers to algorithms or parameter sets (e.g., modulus sizes or curves) not listed as approved in either the approved algorithms table or the vendor-affirmed algorithms table. Please further note the algorithm specific information provided in Section 2.7 Algorithm Specific Information. Note that some of the functions listed in the above table are non-compliant implementations of what appear to be approved algorithms. For a description of the security strength as a function of the key length respectively the algorithm parameters of the listed non-approved security functions, please see SP 800-57 Part 1 Revision 5 Section 5.6.1.
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
AsymKeyPairPubKeyVal AsymKeyPairPubKeyVal () This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
Table 11: Security Function Implementations Unless identified otherwise in the above table, all tested capabilities (e.g., key sizes, curves, modes) of the listed algorithms are used by the security function implementations. For details, please refer to Section 2.5 Algorithms. Note that the “random number generation” SFI also makes use of the module’s validated entropy source (cf. 2.8 RBG and Entropy).
When using the approved security functions (see Section 2.6 Security Function Implementations), the Crypto Officer shall observe the following algorithm-specific requirements: KAS-SSC FFC / ECC: The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KTS-IFC: The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS. AES-CTR Encryption: Externally loaded counter values shall have the properties required by SP 800-38A Section 6.5. This document may be reproduced and distributed only in its original entirely without revision.
AES-GCM: The module provides APIs to use AES-GCM encryption as specified in SP 800-38D as an approved service according to the following scenarios of IG C.H:
| Name | Type | Strength | Operational Environment | Conditioning Component | |
|---|---|---|---|---|---|
| SAP CommonCryptoLib Entropy Collector 1.0.0 | Non- Physical | 512 bits | All operating environments listed in Section 2.2 Tested and Vendor Affirmed Module Version and Identification. | Full entropy | SHA2-512 (see Section 2.5 Algorithms for the CAVP Cert.) |
| Cert | Vendor | ||
|---|---|---|---|
| Number | Name | ||
| E172 | SAP |
SHA-1: SHA-1 shall only be used for digital signature generation where specifically allowed by NIST protocol-specific guidance. For all other applications, SHA-1 shall not be used for digital signature generation. When used for digital signature verification, SHA-1 shall only be used in legacy applications. For non-digital-signature applications, SHA-1 shall only be used in applications that do not require collision resistance. Table 12: Entropy Certificates NonPhysical Table 13: Entropy Sources The entropy source is within the cryptographical boundary of the module. The module’s entropy source provides 512 bits of minentropy per conditioned 512-bit output. The module implements an internal Counter DRBG instance using AES-256 with derivation function, but without support for reseeding and predication resistance (i.e., the Counter DRBG is only seeded once during module initialization). This DBRG instance is managed internally by the module and used for all random number generation in the approved security functions, for SSP generation, and SSP establishment. It is seeded entirely by the validated entropy source during module initialization and thus provides a security strength of 256 bits. After the allowed maximum number of random bits was requested from the Counter DRBG, further output is blocked, and the module shall be reinitialized to request additional outputs. The Counter DRBG’s additional input and personalization string used for its initialization are derived from additional outputs of the entropy source and, if available, data obtained from the operating system (“dev/urandom” on operating systems that provide this file) as well as data provided by the linked application during module initialization. Note that this additional data is not considered in the security strength estimate of the approved Counter DRBG. This document may be reproduced and distributed only in its original entirely without revision.
In compliance with IG 2.4.A, the internal Counter DRBG is used by approved and non-approved services for the following purposes by the module: In Approved Services:
The module’s key generation methods as well as the related vendor-affirmed CKG entries per IG D.H are specified in Section 2.5 Algorithms and Section 2.6 Security Function Implementations. The approved services for key generation cover
The key establishment schemes in terms of the implemented Key Agreement Schemes Shared Secret Computation (KAS-SSC) and Key Transport Schemes (KTS) as specified in SP 800-56Ar3 and SP 800-56Br2 implemented by the module are listed in Section 2.5 Algorithms and Section 2.6 Security Function Implementations. The module only supports the shared secret computation. It does not implement key derivation or key confirmation. It can act both in the initiator and responder roles. As required by IG D.F, for the implemented approved schemes, the module obtains all assurances required by the respective standards for which the module has the necessary inputs either using explicit assurance checks or by generating all values as specified in the respective algorithm standard. The coverage of the required assurances, other than the pair-wise consistency tests that are always performed when a key pair (i.e., both a private and a public key) is generated or imported (see Section 11.2 Administrator Guidance for details), are explained in Table 14. When not stated otherwise, the assurances are obtained directly by the dedicated KAS-SSC and KTS APIs. Some assurances must be manually obtained by the operator of the module as the module does not have the necessary inputs to perform the validations by itself. For the implemented KAS-SSC, the owner’s private key and received public key are validated at the latest before generating the shared secret. It is also ensured that the owner’s static or ephemeral private / public key is validated before it is first exported. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Key Size | Use Function | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Scheme | Scheme | Owner’s private key | Owner’s public key | Received public key | Domain parameters | ||||
| SP 800-56Ar3, 5.6.2.3.1 | N/A for named approved groups. For FIPS 186-type FFC domain parameters, explicit domain parameter validation (for the unverifiable generation method of g) as specified in SP 800-89 Section 4.1 respectively FIPS 186-4 Section A.1.1.3 / A.2.2 is performed if the used seed is provided. | KAS-FFC-SSC (C(2e, 0s, FFC-DH)) | SP 800-56Ar3, 5.6.2.1.2 | SP 800-56Ar3, 5.6.2.2.2 | |||||
| KAS-FFC-SSC (C(0e, 2s, FFC DH)) | KAS-FFC-SSC (C(0e, 2s, FFC DH)) | SP 800-56Ar3, 5.6.2.2.1 | |||||||
| SP 800-56Ar3, 5.6.2.3.3 | N/A for approved named curves. | KAS-ECC-SSC (C(2e, 0s, ECC CDH)) | SP 800-56Ar3, 5.6.2.1.2 | SP 800-56Ar3, 5.6.2.3.3 | |||||
| Shall be obtained manually (see below) as the owner’s public key is not input into this API. | KAS-ECC (ECC CDH primitive / component) | ||||||||
| KTS-IFC (KTS-OAEP-basic) | N/A for RSA. | KTS-IFC (KTS-OAEP-basic) | Shall be obtained manually (see below) before calling the KTS APIs, which only take the owner’s private key and received ciphertext as inputs. | SP 800-56Br2, 6.4.2.2 / SP 800-89, 5.3.3 | |||||
| RSA Decryption Primitive | RSA Decryption Primitive | N/A as this Scheme does not allow encrypting. |
5.6.2.2.2 5.6.2.1.2 5.6.2.3.1 5.6.2.2.1 5.6.2.3.3 5.6.2.1.2 5.6.2.3.3 This document may be reproduced and distributed only in its original entirely without revision.
The module further provides the following standalone functions, which can be used independently of the dedicated KAS-SSC and KTS APIs addressed in Table 14, to manually obtain assurances:
The module itself does not implement any industry protocols. However, note the information provided in Section 2.7 Algorithm Specific Information for the use of AES-GCM encryption in context of the TLS 1.2 and 1.3 protocols. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | API input parameters |
| N/A | N/A | Data Output | API output parameters |
| N/A | N/A | Control Input | API calls |
| N/A | N/A | Status Output | API output parameters for status and API return values |
N/A N/A N/A N/A Table 15: Ports and Interfaces As the module is a software library, its logical interfaces are realized in terms of a set of APIs. The above table maps the FIPS 140-3 logical interfaces to the distinct parts of these APIs. All functionality of the module is made available to the calling application (i.e., the operator of the module) in terms of exported functions (APIs). Some of these functions are also used internally, e.g., the self-test service makes use of some of those functions when performing cryptographic algorithm self-tests. For a full reference of all exported APIs, please see the guidance documents referenced in Section 11.2 Administrator Guidance. Because the module is a software library, it does not have any physical ports or manual controls of its own and does not support any external input or output devices. It also does not have a maintenance access interface.
The module does not implement a trusted channel.
Not applicable as the module does not implement a control output interface.
The module uses technical means to inhibit the data output interface during pre-operational self-tests, during zeroization of nontemporary SSPs that are under control of the module, and when in an error state. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Csps Accessed | Indicator | Type | Input | Output | ||
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | None | ||||||
| Initialize and self-test | Configures and initializes the module as well as performs the pre- operational self- tests and the CASTs. | Crypto Officer - Counter DBRG seed: entropy source output: G - Counter DRBG key: G - Counter DRBG V: G | Return value 1 | Additional input for DRBG, memory management callback pointers, PAA and test mode configuration, path to the shared library (for non-tested OEs) | List of available API functions if all self- tests passed or test result in form of error code if any test failed | HMAC generation Hash generation XOF generation Random number generation AES encryption / decryption AES GCM encryption / decryption |
| Name | Description | Role Access | Csps Accessed | Indicator | Type | Input | Output | ||
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | None | ||||||
| Initialize and self-test | Configures and initializes the module as well as performs the pre- operational self- tests and the CASTs. | Crypto Officer - Counter DBRG seed: entropy source output: G - Counter DRBG key: G - Counter DRBG V: G | Return value 1 | Additional input for DRBG, memory management callback pointers, PAA and test mode configuration, path to the shared library (for non-tested OEs) | List of available API functions if all self- tests passed or test result in form of error code if any test failed | HMAC generation Hash generation XOF generation Random number generation AES encryption / decryption AES GCM encryption / decryption | |||
| Finalize and zeroize | Finalizes the module. Internal resources are zeroized / released. | Crypto Officer - Counter DRBG key: Z - Counter DRBG V: Z | Return value 1 | None | |||||
| Show versioning information | Outputs the module name and version. | Crypto Officer | None | Module name and version | None | ||||
| Show status | Informs about the module status, (e.g., the status of each service call). | Crypto Officer | None | Status information | None | ||||
| Block cipher encryption | Encrypt data using a symmetric block cipher. | Crypto Officer - AES keys: W,E | Return value 1 | Algorithm, mode of operation, plaintext, key, IV (optional), additional authenticated data (if any), authentication | Ciphertext, authentication tag (if any) | Random number generation AES encryption / decryption | |||
| tag (if any), padding scheme | tag (if any), padding scheme | AES GCM encryption / decryption (random IV) AES GCM encryption / decryption (TLS 1.2) AES GCM encryption / decryption (TLS 1.3) AES CFB encryption / decryption | |||||||
| Block cipher decryption | Decrypt data using a symmetric block cipher. | Crypto Officer - AES keys: W,E | Return value 1 | Algorithm, mode of operation, ciphertext, key, IV, additional authenticated data (if any), authentication tag (if any), padding scheme | Plaintext, tag check result | AES encryption / decryption AES GCM encryption / decryption (random IV) AES GCM encryption / decryption (TLS 1.2) AES GCM encryption / decryption (TLS 1.3) AES CFB encryption / decryption | |||
| Key transport | Asymmetric key material encapsulation and decapsulation. | Crypto Officer - KTS-IFC private key: G,R,W,E - KTS-IFC public key: G,R,W,E - Received KTS-IFC public key: W,E - Intermediate key generation values: G,Z - Keying material: R,W,E - Counter DRBG key: E - Counter DRBG V: E | Return value 1 | Scheme, public key / private key (optional), keying material / ciphertext | Ciphertext / keying material | KTS-IFC | |||
| Signature generation | Digital signature generation. | Crypto Officer - EdDSA private keys: W,E - ECDSA private keys: W,E - RSA private keys: W,E - Counter DRBG key: E | Return value 1 | Algorithm, domain parameters, private key, hash algorithm, (hash of) message, padding scheme | Signature | Random number generation Ed25519 signature generation Ed448 signature generation RSA PKCS1- v1.5 signature |
The module does not implement operator authentication.
Table 16: Roles mechanisms, the Crypto Officer role is implicitly assumed by the operator when calling any of the module’s APIs. Note that the module does not allow the operator to perform maintenance services and thus does not support a maintenance role.
G This document may be reproduced and distributed only in its original entirely without revision.
RSA PKCS1v1.5 with precomputed with precomputed This document may be reproduced and distributed only in its original entirely without revision.
W,E This document may be reproduced and distributed only in its original entirely without revision.
W,E This document may be reproduced and distributed only in its original entirely without revision.
RSA PKCS1v1.5 G,R,W,E G,R,W,E W,E R,W,E W,E W,E This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Csps Accessed | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Signature verification | Digital signature verification. | Ed25519 signature verification Ed448 signature verification RSA PKCS1- v1.5 signature verification RSA PSS signature verification ECDSA | Crypto Officer - EdDSA public keys: W,E - ECDSA public keys: W,E - DSA public keys: W,E - RSA public keys: W,E - Counter DRBG key: E - Counter | Return value 1 | Algorithm, domain parameters, public key, hash algorithm, (hash of) message, padding scheme, signature | Verification result |
| signature verification DSA signature verification EdDSA public key validation ECDSA public key validation DSA domain parameter validation | signature verification DSA signature verification EdDSA public key validation ECDSA public key validation DSA domain parameter validation | DRBG V: E - Intermediate key generation values: G,Z | ||||
| Shared secret computation | ECC and FFC key agreement. | Random number generation KAS-SSC FFC KAS-SSC ECC | Crypto Officer - KAS-ECC private key: G,R,W,E - KAS-ECC public key: G,R,W,E - Received KAS-ECC public key: W,E - KAS-FFC private key: G,R,W,E - KAS-FFC public key: G,R,W,E - Received KAS-FFC public key: | Return value 1 | Scheme, domain parameters, own private key (optional), received public key | Own public key, shared secret |
| Assurance checks | Perform assurance checks as specified in Section 2.10 Key Establishment. | Random number generation EdDSA public key validation ECDSA public key validation DSA domain parameter validation | Crypto Officer - KTS-IFC private key: W,E - KTS-IFC public key: W,E - Received KAS-ECC public key: W,E - Received KAS-FFC public key: W,E | Return value 1 | Domain parameters, public key, private key | Check result |
| HMAC generation | HMAC generation. | HMAC generation | Crypto Officer - HMAC keys: W,E | Return value 1 | Hash algorithm, key, IPAD and OPAD values, data | HMAC value |
| Hash generation | Hash generation. | Hash generation | Crypto Officer | Return value 1 | Hash algorithm, data | Hash value |
| XOF generation | XOF generation. | XOF generation | Crypto Officer | Return value 1 | XOF algorithm, data, output length | XOF output |
| Random number generation | Random number generation. | Random number generation | Crypto Officer - Counter DRBG key: E - Counter DRBG V: E | Return value 1 | Number of bytes to generate | Random data |
| Signature key pair generation | Signature key pair generation | Random number generation EdDSA key pair generation ECDSA key pair generation | Crypto Officer - EdDSA private keys: G,R - EdDSA public keys: G,R - ECDSA private keys: | Return value 1 | Key type, key size, domain parameters, hash algorithm (for DSA and EdDSA) | Generated key pair |
with precomputed with precomputed RSA PKCS1v1.5 W,E W,E This document may be reproduced and distributed only in its original entirely without revision.
G,R,W,E G,R,W,E W,E G,R,W,E G,R,W,E This document may be reproduced and distributed only in its original entirely without revision.
W,E R,W,E G,R,W,E W,E W,E W,E W,E This document may be reproduced and distributed only in its original entirely without revision.
W,E W,E W,E G,R G,R This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Generation | Input | Output | Access | Indicator |
|---|---|---|---|---|---|---|
| Symmetric key generation | Symmetric key generation. | Random number generation AES key generation | Key type, key size | Generated key | Crypto Officer - AES keys: G,R - Counter DRBG key: E - Counter DRBG V: E | Return value 1 |
| Export / import cryptographic object | Export / import of cryptographic context objects. | None | Context object / blob | Blob / context object | Crypto Officer - AES keys: R,W - HMAC keys: R,W - EdDSA private keys: R,W - EdDSA public keys: R,W - ECDSA private keys: R,W - ECDSA | Return value 1 |
G,R G,R G,R R,W R,W R,W R,W R,W This document may be reproduced and distributed only in its original entirely without revision.
R,W R,W R,W R,W R,W R,W R,W R,W This document may be reproduced and distributed only in its original entirely without revision.
R,W R,W Table 17: Approved Services For the table above, the following notation is used to indicate the type of SSP access:
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| Block cipher encryption | Encrypt data using a symmetric block cipher. | Crypto Officer | IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant) AES-GCM with * user-provided IV for encryption (outside of the use within TLS 1.2 / 1.3) * decryption without prior tag check, or * tags with a length of < 96 bits. (non-compliant) |
| Block cipher decryption | Decrypt data using a symmetric block cipher. | Crypto Officer | IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant) |
| Key transport | Asymmetric key material encapsulation and decapsulation. | Crypto Officer | ElGamal KTS-IFC (OAEP) with * modulus length not approved for KTS-IFC, * hash functions not approved for use with OAEP, or * user-provided seed (only encapsulation). (non-compliant) RSA key transport with * no padding (only encapsulation) or * padding not approved for use with RSA (i.e., non-OAEP padding). (non-compliant) |
| Signature generation | Digital signature generation. | Crypto Officer | DSA signature generation using key sizes of L: 2048 / N: 224, L: 2048 / N: 256, and L: 3072 / N: 256 and hash functions SHA2- 224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. (non-compliant) |
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Roles | Role Access |
|---|---|---|---|
| Signature verification | Digital signature verification. | Crypto Officer | DSA signature verification with * groups not approved for signature verification, * hash functions not approved for signature generation respectively verification, or * pre-hashed messages. (non-compliant) RSA signature generation / verification with * modulus length not approved for signature generation respectively verification, * user-provided salt (only PSS generation), * padding not approved for signature generation, * hash functions not approved for signature generation respectively verification, or * pre-hashed messages (only verification). (non-compliant) ECDSA signature generation / verification with * curves not approved for signature generation respectively |
| Shared secret computation | ECC and FFC key agreement. | Crypto Officer | DSA key pair and domain parameter generation * with groups not approved for KAS-FFC or * for use outside of KAS-FFC. (non-compliant) RSA key pair generation with modulus length not approved for key generation. (non-compliant) ECDSA key pair generation with curves not approved for key generation. (non-compliant) KAS-ECC-SSC with curves not approved for KAS-ECC. (non-compliant) KAS-FFC-SSC with groups not approved for KAS-FFC. (non-compliant) |
| HMAC generation | HMAC generation. | Crypto Officer | HMAC generation with * key length less than 112 bits, * IPAD and/or OPAD configured to values not specified in FIPS 198-1, * non-approved hash functions, or * SHAKE128 or SHAKE256. (non-compliant) |
| Hash generation | Hash generation. | Crypto Officer | MD2, MD4, MD5 RIPEMD-128, RIPEMD-160 CRC32 |
| Random number generation | Random number generation. | Crypto Officer | Counter DRBG using AES-128, AES-192, or AES-256 with derivation function when seeded entirely by the calling application. (non-compliant) |
| Signature key pair generation | Signature key pair generation. | Crypto Officer | DSA key pair and domain parameter generation * with groups not approved for KAS-FFC or * for use outside of KAS-FFC. (non-compliant) RSA key pair generation with modulus length not approved for key generation. (non-compliant) ECDSA key pair generation with curves not approved for key generation. (non-compliant) |
| Symmetric key generation | Symmetric key generation. | Crypto Officer | IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED RC4 ElGamal 2-key / 3-key TDES (non-compliant) DES (non-compliant) |
| Export / import cryptographic object | Export / import of cryptographic context objects of non-approved algorithms. | Crypto Officer | MD2, MD4, MD5 RIPEMD-128, RIPEMD-160 CRC32 IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED DES (non-compliant) 2-key / 3-key TDES (non-compliant) AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant) AES-GCM with * user-provided IV for encryption (outside of the use within TLS 1.2 / 1.3) * decryption without prior tag check, or * tags with a length of < 96 bits. |
| Stream cipher encryption / decryption | Encrypt / decrypt data using a symmetric stream cipher. | Crypto Officer | RC4 |
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
Table 18: Non-Approved Services Note that the approved internal Counter DRBG instance is used by some of the non-approved services per the allowance in IG 2.4.A. For a detailed description of the purposes for which this DRBG instance is used, please refer to Section 2.8 RBG and Entropy.
The module does not support software/firmware loading.
The module does not implement a bypass capability. This document may be reproduced and distributed only in its original entirely without revision.
The module does not implement a self-initiated output capability. This document may be reproduced and distributed only in its original entirely without revision.
The module uses an HMAC-SHA2-256 (see Section 2.5 Algorithms for the CAVP certificate number) as the approved integrity technique for the software/firmware integrity test. The HMAC is computed over the entire shared library file during module initialization. The reference value for the integrity test is stored in a separate file, with the exact delivery format depending on the used platform (see Section 11.1 Installation, Initialization, and Startup Procedures for more details):
The integrity test can be executed on demand by re-initializing the module. This process is described in more detail in Section 10.5 Operator Initiation of Self-Tests. This document may be reproduced and distributed only in its original entirely without revision.
Type of Operational Environment: Modifiable How Requirements are Satisfied: This module is expected to be run in operational environments where each user application runs in a virtually-separated, independent process with its own address space. By default, all tested operating systems (Windows as well as the Unix derivates) provide such a separation so that no other, unauthorized process can access or modify SSPs while the cryptographic module is in use. The virtual memory provided by the operating systems also ensures that every instance of the module has exclusive control over its own SSPs. The module does not spawn any processes or threads. It uses only memory within the virtual address space of the process and does not communicate with any other process in any way (e.g., using inter-process communication such as pipes). The application linked to the module and running in the same virtual memory area is expected to only interact with the module through the defined interfaces.
The operator of the module shall not configure the operating systems in a way that disables the process separation mechanisms referenced in Section 6.1 Operational Environment Type and Requirements. This document may be reproduced and distributed only in its original entirely without revision.
The module comprises only software. It runs on operational environments with a multiple-chip standalone embodiment. It has no physical protection mechanisms. Therefore, the physical security requirements are not applicable. This document may be reproduced and distributed only in its original entirely without revision.
The module does not implement any non-invasive security measures that are referenced in SP 800-140F. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description |
|---|---|---|
| RAM | Dynamic | Volatile system memory shared with the linked application. |
| Name | Type | From | To | ||
|---|---|---|---|---|---|
| API Input | Plaintext | Linked application in the TOEPP | RAM | Manual | Electronic |
| API output | Plaintext | RAM | Linked application in the TOEPP | Manual | Electronic |
Table 19: Storage Areas The state of the internal Counter DRBG instance is stored at most until the end of the module’s runtime in volatile memory allocated by the module itself. All other SSPs used by the module are stored in the volatile memory shared with the linked application. SSPs passed to the module via memory pointers by the linked application are only accessed and used within a single API call. The module does not keep references to these SSPs after the API call is done. To allow chaining of related APIs (e.g., for encrypting multiple blocks of data) the state of certain security functions is stored in context objects that include any required SSPs (either by reference or directly as byte arrays). These objects are passed back and forth between the module and the linked application for each API call. Where necessary to allow for procedural zeroization of such objects, the module provides information about the location and size of allocated memory to the linked application (see also Section
Note that the linked application mentioned above runs inside the module’s Tested Operational Environment’s Physical Perimeter (TOEPP) but outside its cryptographic boundary. It resides in the same volatile memory area as the module.
Table 20: SSP Input-Output Methods This document may be reproduced and distributed only in its original entirely without revision.
| Zeroization | Description | Rationale | Operator Initiation | |
|---|---|---|---|---|
| Method | ||||
| Module: Automatic | SSPs temporarily allocated by the module or derived from operator- supplied inputs for use within a single API call are automatically zeroized by the module before the respective function returns. | To prevent the unintended reuse of SSPs stored in volatile memory are explicitly overwritten with zeros before the memory is deallocated. This zeroing process typically takes place at the end of a function call, ensuring that no residual data remains in memory after the function returns. | Not required as this zeroization is triggered automatically by the module itself. | |
| Module: Finalization | Zeroization of SSPs that are stored under control of the module for longer than a single API call (internal Counter DRBG instance). | To prevent the unintended reuse of SSPs, those stored in volatile memory are explicitly overwritten with zeros before the memory is deallocated. This zeroing process occurs during the module_final() API function call or when the module is unloaded, ensuring that no residual data remains in memory after finalization or unloading. | Finalizing / unloading the module. | |
| Procedural | SSPs that are not under control of the module can be procedurally zeroized by the operator. | The operator can perform procedural zeroization SSPs that are not managed by the cryptographic module by overwriting the specific regions of volatile memory where these parameters reside with zeros. | Procedural zeroization is independent of the module's control and must be triggered by the operator. |
SSPs are passed between the module and the linked application running via API input and output parameters in plaintext. The parameters contain pointers to memory locations inside the shared volatile memory. As required, the module does not output any SSPs to locations outside the TOEPP. For other key establishment methods, please refer to Section 2.10 Key Establishment.
Table 21: SSP Zeroization Methods As detailed in Section 9.1 Storage Areas, the module does not store any references to SSPs other than for the internal Counter control of the module only for individual API calls because these SSPs are otherwise under full control of the linked application. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description | Strength | Use | |
|---|---|---|---|---|---|
| AES keys | AES key - CSP | Keys used for AES encryption / decryption | 128, 192, or 256 bits - 128, 192, or 256 bits | AES encryption / decryption AES GCM encryption / decryption (random IV) AES GCM encryption / decryption (TLS 1.2) AES GCM encryption / decryption (TLS | AES key generation |
| HMAC keys | HMAC key - CSP | Keys used for HMAC generation | >= 112 bits - >= 112 bits | HMAC generation | |
| EdDSA private keys | EdDSA private key - CSP | Keys used for EdDSA signature generation | 32 or 57 bytes - 128 or 224 bits | Ed25519 signature generation Ed448 signature generation | EdDSA key pair generation |
| EdDSA public keys | EdDSA public key - PSP | Keys used for EdDSA signature verification | 32 or 57 bytes - 128 or 224 bits | Ed25519 signature verification Ed448 signature verification EdDSA public key validation | EdDSA key pair generation |
| ECDSA private keys | ECDSA private key - CSP | Keys used for ECDSA signature generation | Up to 521 bits - 112 to 256 bits | ECDSA signature generation | ECDSA key pair generation |
| ECDSA public keys | ECDSA public key - PSP | Keys used for ECDSA signature verification | Up to 521 bits - <= 80 (P-192) or 112 to 256 bits (other curves) | ECDSA signature verification ECDSA public key validation | ECDSA key pair generation |
| DSA public keys | DSA public key - PSP | Keys used for DSA signature verification | Up to 3072 bits - <= 80 (L: 1024/N: 160) or 112 to 128 bits (other groups) | DSA signature verification DSA domain parameter validation | |
| RSA private keys | RSA private key - CSP | Keys used for RSA signature generation | Variable - 112 to 256 bits | RSA PKCS1- v1.5 signature generation RSA PSS signature generation RSA signature generation with pre-computed hash (CVL) | RSA key pair generation |
| RSA public keys | RSA public key - PSP | Keys used for RSA signature verification | Variable - <= 80 (1024 bits modulus) or 112 to 256 bits (longer modulus) | RSA PKCS1- v1.5 signature verification RSA PSS signature verification | RSA key pair generation |
| KAS-ECC private key | ECDSA private key - CSP | Own private keys used for KAS-ECC | Up to 521 bits - 112 to 256 bits | KAS-SSC ECC | KAS-SSC ECC |
| KAS-ECC public key | ECDSA public key - PSP | Own public keys used for KAS-ECC | Up to 521 bits - 112 to 256 bits | ECDSA public key validation KAS-SSC ECC | KAS-SSC ECC |
| KAS-FFC private key | DSA private key - CSP | Own private keys used for KAS-FFC | Up to 3072 bits - 112 to 128 bits | KAS-SSC FFC | KAS-SSC FFC |
| KAS-FFC public key | DSA public key - PSP | Own public keys used for KAS-FFC | Up to 3072 bits - 112 to 128 bits | KAS-SSC FFC | KAS-SSC FFC |
| Received KAS- ECC public key | ECDSA public key - PSP | Received public keys used for KAS- ECC | Up to 521 bits - 112 to 256 bits | KAS-SSC ECC | |
| Received KAS- FFC public key | DSA public key - PSP | Received public keys used for KAS- FFC | Up to 3072 bits - 112 to 128 bits | KAS-SSC FFC |
1.2) This document may be reproduced and distributed only in its original entirely without revision.
1.3) This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description | Strength | Use | ||
|---|---|---|---|---|---|---|
| KTS-IFC private key | RSA private key - CSP | Own private keys used for KTS-IFC | Variable - 112 to 256 bits | KTS-IFC | KTS-IFC | |
| KTS-IFC public key | RSA public key - PSP | Own public keys used for KTS-IFC | Variable - 112 to 256 bits | KTS-IFC | KTS-IFC | |
| Received KTS- IFC public key | RSA public key - PSP | Received public keys used for KTS- IFC | Variable - 112 to 256 bits | KTS-IFC | ||
| Shared secret | Shared secret - CSP | Output of KAS-ECC and KAS-FFC | Variable - 112 to 256 bits | KAS-SSC FFC KAS-SSC ECC | ||
| Counter DRBG key | Counter DRBG key - CSP | Key of the internal state of the AES- 256 Counter DRBG instance | 256 bits - 256 bits | Random number generation AES encryption / decryption AES GCM encryption / decryption (random IV) AES CFB encryption / decryption RSA PKCS1- v1.5 signature generation RSA PSS signature generation ECDSA signature generation DSA domain parameter | Random number generation |
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description | Strength | Generation | Use |
|---|---|---|---|---|---|
| Counter DRBG V | Counter DRBG value V - CSP | Value V of the internal state of the AES-256 Counter DRBG instance | 128 bits - 128 bits | Random number generation | Random number generation AES encryption / decryption AES GCM encryption / decryption (random IV) AES CFB encryption / decryption RSA PKCS1- v1.5 signature generation RSA PSS signature generation ECDSA signature generation DSA domain |
V This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description | Strength | Generation | Use | |
|---|---|---|---|---|---|---|
| Counter DBRG seed: entropy source output | Bit string - CSP | Output of the entropy source | 512 bits - 512 bits | Random number generation | Random number generation | |
| Intermediate key generation values | Values used for DSA, ECDSA, EdDSA, RSA key generation - CSP | Temporary values used during key generation | Variable - N/A | EdDSA key pair generation ECDSA key pair generation RSA key pair generation KAS-SSC FFC KTS-IFC KAS-SSC ECC | ||
| Keying material | Keying material - CSP | Input / output of KTS-IFC | Variable - N/A | KTS-IFC | KTS-IFC |
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs | |
|---|---|---|---|---|---|---|---|---|---|---|
| KAS-ECC domain parameters | Domain parameters - PSP | Domain parameters used by the KAS- SSC ECC | Variable - N/A | KAS-SSC ECC | ||||||
| KAS-FFC domain parameters | SP 800-56Ar3 FFC domain parameters - PSP | Domain parameters used by the KAS- SSC FFC | Variable - N/A | KAS-SSC FFC | KAS-SSC FFC | |||||
| AES keys | RAM:Plaintext | Module: Automatic Procedural | API Input API output | For a single API call | ||||||
| HMAC keys | RAM:Plaintext | Procedural | API Input API output | For a single API call | ||||||
| EdDSA private keys | RAM:Plaintext | Module: Automatic Procedural | API Input API output | For a single API call | EdDSA public keys:Paired With | |||||
| EdDSA public keys | RAM:Plaintext | Module: Automatic Procedural | API Input API output | For a single API call | EdDSA private keys:Paired With | |||||
| ECDSA private keys | RAM:Plaintext | Procedural | API Input API output | For a single API call | ECDSA public keys:Paired With | |||||
| ECDSA public keys | RAM:Plaintext | Procedural | API Input | For a single API call | ECDSA private keys:Paired With |
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs | |
|---|---|---|---|---|---|---|---|---|---|---|
| KAS-ECC domain parameters | Domain parameters - PSP | Domain parameters used by the KAS- SSC ECC | Variable - N/A | KAS-SSC ECC | ||||||
| KAS-FFC domain parameters | SP 800-56Ar3 FFC domain parameters - PSP | Domain parameters used by the KAS- SSC FFC | Variable - N/A | KAS-SSC FFC | KAS-SSC FFC | |||||
| AES keys | RAM:Plaintext | Module: Automatic Procedural | API Input API output | For a single API call | ||||||
| HMAC keys | RAM:Plaintext | Procedural | API Input API output | For a single API call | ||||||
| EdDSA private keys | RAM:Plaintext | Module: Automatic Procedural | API Input API output | For a single API call | EdDSA public keys:Paired With | |||||
| EdDSA public keys | RAM:Plaintext | Module: Automatic Procedural | API Input API output | For a single API call | EdDSA private keys:Paired With | |||||
| ECDSA private keys | RAM:Plaintext | Procedural | API Input API output | For a single API call | ECDSA public keys:Paired With | |||||
| ECDSA public keys | RAM:Plaintext | Procedural | API Input | For a single API call | ECDSA private keys:Paired With |
Table 22: SSP Table 1 This document may be reproduced and distributed only in its original entirely without revision.
| Name | Storage | Zeroization | Output | Storage Duration | Related SSPs |
|---|---|---|---|---|---|
| DSA public keys | RAM:Plaintext | Procedural | API Input API output | For a single API call | |
| RSA private keys | RAM:Plaintext | Procedural | API Input API output | For a single API call | RSA public keys:Paired With |
| RSA public keys | RAM:Plaintext | Procedural | API Input API output | For a single API call | RSA private keys:Paired With |
| KAS-ECC private key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KAS-ECC public key:Paired With Received KAS-ECC public key:Used With |
| KAS-ECC public key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KAS-ECC private key:Paired With |
| KAS-FFC private key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KAS-FFC public key:Paired With Received KAS-FFC public key:Used With |
| KAS-FFC public key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KAS-FFC private key:Paired With |
| Received KAS-ECC public key | RAM:Plaintext | Procedural | API Input | For a single API call | KAS-ECC private key:Used With |
| Received KAS-FFC public key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KAS-FFC private key:Used With |
| KTS-IFC private key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KTS-IFC public key:Paired With KTS-IFC public key:Used With |
| KTS-IFC public key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KTS-IFC private key:Paired With |
| Received KTS-IFC public key | RAM:Plaintext | Procedural | API Input API output | For a single API call | KTS-IFC private key:Used With |
| Shared secret | RAM:Plaintext | Procedural | API output | For a single API call | KAS-ECC private key:Derived From Received KAS-ECC public key:Derived From KAS-FFC private key:Derived From Received KAS-FFC public key:Derived From |
| Counter DRBG key | RAM:Plaintext | Module: Finalization | Until finalization of the module | Counter DBRG seed: entropy source output:Derived From Counter DRBG V:Paired With | |
| Counter DRBG V | RAM:Plaintext | Module: Finalization | Until finalization of the module | Counter DRBG key:Paired With | |
| Counter DBRG seed: entropy source output | RAM:Plaintext | Module: Automatic | For a single API call | ||
| Intermediate key generation values | RAM:Plaintext | Module: Automatic | For a single API call | Counter DRBG key:Derived From EdDSA private keys:Generates ECDSA public keys:Generates RSA private keys:Generates RSA public keys:Generates ECDSA private keys:Generates EdDSA public keys:Generates KAS-ECC private key:Generates KAS-ECC public key:Generates KAS-FFC private key:Generates KAS-FFC public key:Generates KTS-IFC private key:Generates KTS-IFC public key:Generates Counter DRBG V:Derived From | |
| Keying material | RAM:Plaintext | Procedural | API Input API output | For a single API call | KTS-IFC private key:Decrypts Received KTS-IFC public key:Encrypts |
| KAS-ECC domain parameters | RAM:Plaintext | Procedural | API Input API output | For a single API call | KAS-ECC private key:Used With KAS-ECC public key:Used With Received KAS-ECC public key:Used With |
| KAS-FFC domain parameters | RAM:Plaintext | Procedural | API Input API output | For a single API call | KAS-FFC private key:Used With KAS-FFC public key:Used With Received KAS-FFC public key:Used With |
This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
Table 23: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.
For the use of the above SSPs by the module’s approved services, please refer to Section 4.3 Approved Services. The module’s non-approved services do not access any of the module’s SSPs other than the Counter DRBG state, which is permitted per IG 2.4.A. For details on the use of the DRBG by the approved and non-approved services, please refer to Section 2.8 RBG and Entropy. Note that the HMAC key used for the integrity test is not considered as an SSP. Keys used by non-approved services are also not considered as SSPs.
Information on the transitions for the CMVP-approved algorithms and security functions are provided in SP 800-57 Part 1 Revision 5 and SP 800-131A Revision 2 as well as on the NIST website. At the time of publication of this Security Policy, the following transitions are identified, which take effect in 2031:
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Test Properties | Conditions | |
|---|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 (A5497) | HMAC- SHA2-256 (A5497) | The integrity of the module binary is tested by computing an HMAC over the entire shared library file. The correct reference value is stored in a separate file with the file extension "sha256". | SW/FW Integrity | The HMAC-SHA2-256 is self-tested using a KAT before this integrity test is performed | Key length: 32 bytes | Return code < 0 in case of a failure. | ||
| HMAC-SHA2-256 (A5497) | HMAC-SHA2-256 (A5497) | KAT | CAST | HMAC generation | Return code < 0 in case of a failure. | Key length: 20 bytes | Module initialization | |
| SHAKE-128 (A5497) | SHAKE-128 (A5497) | KAT | CAST | XOF generation | Return code < 0 in | N/A | Module initialization |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Test Properties | Conditions | |
|---|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 (A5497) | HMAC- SHA2-256 (A5497) | The integrity of the module binary is tested by computing an HMAC over the entire shared library file. The correct reference value is stored in a separate file with the file extension "sha256". | SW/FW Integrity | The HMAC-SHA2-256 is self-tested using a KAT before this integrity test is performed | Key length: 32 bytes | Return code < 0 in case of a failure. | ||
| HMAC-SHA2-256 (A5497) | HMAC-SHA2-256 (A5497) | KAT | CAST | HMAC generation | Return code < 0 in case of a failure. | Key length: 20 bytes | Module initialization | |
| SHAKE-128 (A5497) | SHAKE-128 (A5497) | KAT | CAST | XOF generation | Return code < 0 in | N/A | Module initialization | |
| SHAKE-256 (A5497) | SHAKE-256 (A5497) | KAT | CAST | XOF generation | Return code < 0 in case of a failure. | N/A | Module initialization | |
| SHA-1 (A5497) | SHA-1 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure. | N/A | Module initialization | |
| SHA2-224 (A5497) | SHA2-224 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure. | N/A | Module initialization | |
| SHA2-256 (A5497) | SHA2-256 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure. | N/A | Module initialization | |
| SHA2-384 (A5497) | SHA2-384 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure. | N/A | Module initialization | |
| SHA2-512 (A5497) | SHA2-512 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure. | N/A | Module initialization | |
| SHA3-224 (A5497) | SHA3-224 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure. | N/A | Module initialization | |
| SHA3-256 (A5497) | SHA3-256 (A5497) | KAT | CAST | Hash generation | Return code < 0 in | N/A | Module initialization | |
| SHA3-384 (A5497) | SHA3-384 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure | N/A | Module initialization | |
| SHA3-512 (A5497) | SHA3-512 (A5497) | KAT | CAST | Hash generation | Return code < 0 in case of a failure | N/A | Module initialization | |
| DSA SigVer (FIPS186-4) (A5497) | DSA SigVer (FIPS186-4) (A5497) | KAT | CAST | Signature verification using a fixed 32-byte hash | Return code < 0 in case of a failure | Group: FB (L: 2048/N: 224) | Module initialization | |
| ECDSA SigGen (FIPS186-5) (A5497) | ECDSA SigGen (FIPS186-5) (A5497) | KAT | CAST | Signature generation using a fixed 32-byte hash | Return code < 0 in case of a failure | Curve: P-256 | Module initialization | |
| ECDSA SigVer (FIPS186-5) (A5497) | ECDSA SigVer (FIPS186-5) (A5497) | KAT | CAST | Signature verification using a fixed 32-byte hash | Return code < 0 in case of a failure | Curve: P-256 | Module initialization | |
| EDDSA SigGen (A5497) with Edwards25519 | EDDSA SigGen (A5497) with Edwards25519 | KAT | CAST | Signature generation | Return code < 0 in case of a failure | Curve: Edwards25519 | Module initialization | |
| EDDSA SigVer (A5497) with Edwards25519 | EDDSA SigVer (A5497) with Edwards25519 | KAT | CAST | Signature verification | Return code < 0 in case of a failure | Curve: Edwards25519 | Module initialization | |
| EDDSA SigGen (A5497) with Edwards448 | EDDSA SigGen (A5497) with Edwards448 | KAT | CAST | Signature generation | Return code < 0 in case of a failure | Curve: Edwards448 | Module initialization | |
| EDDSA SigVer (A5497) with Edwards448 | EDDSA SigVer (A5497) with Edwards448 | KAT | CAST | Signature verification | Return code < 0 in case of a failure | Curve: Edwards448 | Module initialization | |
| RSA SigGen (FIPS186-5) (A5497) | RSA SigGen (FIPS186-5) (A5497) | KAT | CAST | Signature generation using a fixed 32-byte hash | Return code < 0 in case of a failure | Modulus size: 2048 bits, Padding: PKCS1- v1.5 | Module initialization | |
| RSA SigVer (FIPS186-5) (A5497) | RSA SigVer (FIPS186-5) (A5497) | KAT | CAST | Signature verification using a fixed 32-byte hash | Return code < 0 in case of a failure | Modulus size: 2048 bits, Padding: PKCS1- v1.5 | Module initialization | |
| KAS-ECC-SSC Sp800-56Ar3 (A5497) | KAS-ECC-SSC Sp800-56Ar3 (A5497) | KAT | CAST | Shared secret computation with two fixed key pairs | Return code < 0 in case of a failure | Curve: P-256 | Module initialization | |
| KAS-FFC-SSC Sp800-56Ar3 (A5497) | KAS-FFC-SSC Sp800-56Ar3 (A5497) | KAT | CAST | Shared secret computation with fixed keys (with g^x > p) | Return code < 0 in case of a failure | Group: FB (L: 2048/N: 224) and ffdhe2048 | Module initialization | |
| AES-ECB (A5497) | AES-ECB (A5497) | KAT | CAST | Encryption and decryption | Return code < 0 in case of a failure | Key length: 128, 192, and 256 bits | Module initialization | |
| AES-GCM (A5497) | AES-GCM (A5497) | KAT | CAST | Encryption and decryption | Return code < 0 in case of a failure | Key length: 128 bits | Module initialization | |
| Counter DRBG (A5497) | Counter DRBG (A5497) | KAT | CAST | Instantiation with fixed entropy input, generation of random bytes with additional input (generated bytes are tested against known answer), reseed with fix entropy input and again generation of random bytes, now without additional input (generated bytes are tested against known answer) | Return code < 0 in case of a failure | Key length: 256 bits | Module initialization | |
| DSA PQGGen (FIPS186-4) (A5497) | DSA PQGGen (FIPS186-4) (A5497) | KAT | CAST | Generation of p, q, and g with fixed randomness | Return code < 0 in case of a failure | Group: FB (L: 2048/N: 224) | Module initialization | |
| DSA PQGVer (FIPS186-4) (A5497) | DSA PQGVer (FIPS186-4) (A5497) | KAT | CAST | Domain parameter validation of fixed, correct parameters | Return code < 0 in case of a failure | Group: FB (L: 2048/N: 224) | Module initialization | |
| Entropy source: start-up / continuous health tests | Entropy source: start-up / continuous health tests | Fault- detection test | CAST | APT and RCT as specified in SP 800-90B as well as additional variations thereof performed on 6000 symbols. | Return code < 0 in case of a failure | N/A | Module initialization | |
| RSA SigGen and SigVer (FIPS186- 5) (A5497) | RSA SigGen and SigVer (FIPS186- 5) (A5497) | PCT | PCT | RSA signature generation and verification of a random 32-byte pseudo-hash | Return code < 0 in case of a failure | Padding: PKCS1- v1.5 | After RSA and KTS-IFC key pair generation and RSA key pair import | |
| RSA key-pair consistency (SP 800-56Br2) | RSA key-pair consistency (SP 800-56Br2) | PCT | PCT | Key-pair consistency check as specified in Section 6.4.1.2.3 of SP 800-56Br2 | Return code < 0 in case of a failure | N/A | After RSA and KTS-IFC key pair generation | |
| ECDSA SigGen and SigVer | ECDSA SigGen and SigVer | PCT | PCT | ECDSA signature generation and verification of a random 32-byte pseudo-hash | Return code < 0 in | N/A | After ECDSA key pair |
HMACSHA2-256 Table 24: Pre-Operational Self-Tests The module only implements one pre-operational self-test. This test is performed under control of the module when the function crypt_init is called by the operator after the module was loaded. This function either returns RC_FIPS_APPROVED (value “1”) when all self-tests passed or an error code when something went wrong during initialization. Only when the return value is RC_FIPS_APPROVED, the module returns pointers to the exported APIs required to execute the module’s other security services. In addition to the pre-operational self-test described above, the module also automatically executes the Cryptographic Algorithm SelfTests (CASTs) described in Section 10.2 Conditional Self-Tests during its initialization. In case of a failure in at least one of the selftests executed during start-up, the module enters an error state (see Section 10.4 Error States for details). Please note that the module neither implements a pre-operational bypass test, as it does not implement a bypass functionality, nor a pre-operational critical function test, as all functions critical to its secure operation are already covered by other self-tests.
N/A This document may be reproduced and distributed only in its original entirely without revision.
N/A N/A N/A N/A N/A N/A N/A N/A This document may be reproduced and distributed only in its original entirely without revision.
N/A N/A This document may be reproduced and distributed only in its original entirely without revision.
Padding: PKCS1v1.5 Padding: PKCS1v1.5 This document may be reproduced and distributed only in its original entirely without revision.
N/A Faultdetection Padding: PKCS1v1.5 N/A N/A This document may be reproduced and distributed only in its original entirely without revision.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | Test Properties |
|---|---|---|---|---|---|---|---|---|---|
| (FIPS186-5) (A5497) | (FIPS186-5) (A5497) | case of a failure | generation and import | ||||||
| KAS-ECC pair- wise consistency (SP 800-56Ar3) | KAS-ECC pair- wise consistency (SP 800-56Ar3) | PCT | PCT | Key-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3 | Return code < 0 in case of a failure | After ECDSA and KAS-ECC key pair generation and import | N/A | ||
| EdDSA SigGen and SigVer (FIPS186-5) (A5497) | EdDSA SigGen and SigVer (FIPS186-5) (A5497) | PCT | PCT | EdDSA signature generation and verification of a fixed 7-byte message | Return code < 0 in case of a failure | After EdDSA key pair generation and import | N/A | ||
| KAS-FFC pair- wise consistency (SP 800-56Ar3) | KAS-FFC pair- wise consistency (SP 800-56Ar3) | PCT | PCT | Key-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3 | Return code < 0 in case of a failure | After KAS-FFC key pair generation and import | N/A | ||
| HMAC-SHA2-256 (A5497) | HMAC-SHA2-256 (A5497) | The integrity of the module binary is tested | SW/FW Integrity | On demand | Module reinitialization. |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | Test Properties |
|---|---|---|---|---|---|---|---|---|---|
| (FIPS186-5) (A5497) | (FIPS186-5) (A5497) | case of a failure | generation and import | ||||||
| KAS-ECC pair- wise consistency (SP 800-56Ar3) | KAS-ECC pair- wise consistency (SP 800-56Ar3) | PCT | PCT | Key-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3 | Return code < 0 in case of a failure | After ECDSA and KAS-ECC key pair generation and import | N/A | ||
| EdDSA SigGen and SigVer (FIPS186-5) (A5497) | EdDSA SigGen and SigVer (FIPS186-5) (A5497) | PCT | PCT | EdDSA signature generation and verification of a fixed 7-byte message | Return code < 0 in case of a failure | After EdDSA key pair generation and import | N/A | ||
| KAS-FFC pair- wise consistency (SP 800-56Ar3) | KAS-FFC pair- wise consistency (SP 800-56Ar3) | PCT | PCT | Key-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3 | Return code < 0 in case of a failure | After KAS-FFC key pair generation and import | N/A | ||
| HMAC-SHA2-256 (A5497) | HMAC-SHA2-256 (A5497) | The integrity of the module binary is tested | SW/FW Integrity | On demand | Module reinitialization. |
N/A N/A N/A Table 25: Conditional Self-Tests Since the module does not implement the corresponding functionality, it does not implement a conditional software/firmware load test, manual entry test, bypass test, or critical function test. As explained in Section 2.2 Tested and Vendor Affirmed Module Version and Identification, the module can be configured to use different PAAs for certain algorithms. These PAAs must be configured before the module’s self-tests are performed during module initialization. During module initialization, the module performs the conditional self-tests using the activated PAAs. While the module is in its initialized state, re-configuration of the activated PAAs is blocked. Changing the activated PAAs thus requires a re-initialization of the module (see Section 11.2 Administrator Guidance for details). Note that the module also implements self-tests for some non-approved algorithms (e.g., MD5 and RC4), but these self-tests are not listed here.
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| HMAC-SHA2-256 (A5497) | HMAC-SHA2-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHAKE-128 (A5497) | SHAKE-128 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHAKE-256 (A5497) | SHAKE-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA-1 (A5497) | SHA-1 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-224 (A5497) | SHA2-224 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-256 (A5497) | SHA2-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-384 (A5497) | SHA2-384 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-512 (A5497) | SHA2-512 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-224 (A5497) | SHA3-224 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-256 (A5497) | SHA3-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-384 (A5497) | SHA3-384 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-512 (A5497) | SHA3-512 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| DSA SigVer (FIPS186- 4) (A5497) | DSA SigVer (FIPS186- 4) (A5497) | KAT | CAST | On demand | Module reinitialization. |
| ECDSA SigGen (FIPS186-5) (A5497) | ECDSA SigGen (FIPS186-5) (A5497) | KAT | CAST | On demand | Module reinitialization |
| ECDSA SigVer (FIPS186-5) (A5497) | ECDSA SigVer (FIPS186-5) (A5497) | KAT | CAST | On demand | Module reinitialization |
| EDDSA SigGen (A5497) with Edwards25519 | EDDSA SigGen (A5497) with Edwards25519 | KAT | CAST | On demand | Module reinitialization |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| HMAC-SHA2-256 (A5497) | HMAC-SHA2-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHAKE-128 (A5497) | SHAKE-128 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHAKE-256 (A5497) | SHAKE-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA-1 (A5497) | SHA-1 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-224 (A5497) | SHA2-224 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-256 (A5497) | SHA2-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-384 (A5497) | SHA2-384 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA2-512 (A5497) | SHA2-512 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-224 (A5497) | SHA3-224 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-256 (A5497) | SHA3-256 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-384 (A5497) | SHA3-384 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| SHA3-512 (A5497) | SHA3-512 (A5497) | KAT | CAST | On demand | Module reinitialization. |
| DSA SigVer (FIPS186- 4) (A5497) | DSA SigVer (FIPS186- 4) (A5497) | KAT | CAST | On demand | Module reinitialization. |
| ECDSA SigGen (FIPS186-5) (A5497) | ECDSA SigGen (FIPS186-5) (A5497) | KAT | CAST | On demand | Module reinitialization |
| ECDSA SigVer (FIPS186-5) (A5497) | ECDSA SigVer (FIPS186-5) (A5497) | KAT | CAST | On demand | Module reinitialization |
| EDDSA SigGen (A5497) with Edwards25519 | EDDSA SigGen (A5497) with Edwards25519 | KAT | CAST | On demand | Module reinitialization |
| EDDSA SigVer (A5497) with Edwards25519 | EDDSA SigVer (A5497) with Edwards25519 | KAT | CAST | On demand | Module reinitialization |
| EDDSA SigGen (A5497) with Edwards448 | EDDSA SigGen (A5497) with Edwards448 | KAT | CAST | On demand | Module reinitialization |
| EDDSA SigVer (A5497) with Edwards448 | EDDSA SigVer (A5497) with Edwards448 | KAT | CAST | On demand | Module reinitialization |
| RSA SigGen (FIPS186- 5) (A5497) | RSA SigGen (FIPS186- 5) (A5497) | KAT | CAST | On demand | Module reinitialization |
| RSA SigVer (FIPS186- 5) (A5497) | RSA SigVer (FIPS186- 5) (A5497) | KAT | CAST | On demand | Module reinitialization |
| KAS-ECC-SSC Sp800- 56Ar3 (A5497) | KAS-ECC-SSC Sp800- 56Ar3 (A5497) | KAT | CAST | On demand | Module reinitialization |
| KAS-FFC-SSC Sp800- 56Ar3 (A5497) | KAS-FFC-SSC Sp800- 56Ar3 (A5497) | KAT | CAST | On demand | Module reinitialization |
| AES-ECB (A5497) | AES-ECB (A5497) | KAT | CAST | On demand | Module reinitialization |
| AES-GCM (A5497) | AES-GCM (A5497) | KAT | CAST | On demand | Module reinitialization |
| Counter DRBG (A5497) | Counter DRBG (A5497) | KAT | CAST | On demand | Module reinitialization |
| DSA PQGGen (FIPS186-4) (A5497) | DSA PQGGen (FIPS186-4) (A5497) | KAT | CAST | On demand | Module reinitialization |
| DSA PQGVer (FIPS186-4) (A5497) | DSA PQGVer (FIPS186-4) (A5497) | KAT | CAST | On demand | Module reinitialization |
| Entropy source: start-up / continuous health tests | Entropy source: start-up / continuous health tests | Fault-detection test | CAST | On demand | Module reinitialization |
| RSA SigGen and SigVer (FIPS186-5) (A5497) | RSA SigGen and SigVer (FIPS186-5) (A5497) | PCT | PCT | On demand | RSA and KTS-IFC key pair generation and import |
| RSA key-pair consistency (SP 800- 56Br2) | RSA key-pair consistency (SP 800- 56Br2) | PCT | PCT | On demand | RSA and KTS-IFC key pair generation |
| ECDSA SigGen and SigVer (FIPS186-5) (A5497) | ECDSA SigGen and SigVer (FIPS186-5) (A5497) | PCT | PCT | On demand | ECDSA key pair generation and import |
| KAS-ECC pair-wise consistency (SP 800- 56Ar3) | KAS-ECC pair-wise consistency (SP 800- 56Ar3) | PCT | PCT | On demand | ECDSA and KAS-ECC key pair generation and import |
| EdDSA SigGen and SigVer (FIPS186-5) (A5497) | EdDSA SigGen and SigVer (FIPS186-5) (A5497) | PCT | PCT | On demand | EdDSA key pair generation and import |
| KAS-FFC pair-wise consistency (SP 800- 56Ar3) | KAS-FFC pair-wise consistency (SP 800- 56Ar3) | PCT | PCT | On demand | KAS-FFC key pair generation and import |
Table 26: Pre-Operational Periodic Information This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Initialization error | The module remains in its uninitialized state. No cryptographic services are available. | Module initialization failed due to self-test failure. | Return code < 0 during module initialization. | Manually by calling the crypt_init function. |
| Operational error | A conditional self-test performed after module initialized failed. Output of the affected data is inhibited. | PCT failure. | Return code < 0 returned by the function call that invoked the failed self-test. | The module automatically recovers from this error state. |
Table 27: Conditional Periodic Information The module does not perform any periodic self-testing on its own. When desired, the operator can manually perform periodic selftesting using the means described in Section 10.5 Operator Initiation of Self-Tests.
Table 28: Error States The module implements two different error states. In case of a failure during the self-tests performed during module start-up (i.e., the pre-operational integrity test and the CASTs), the module enters an error state that requires operator intervention to recover from. An initialization. If the module initialization fails due to failed self-tests or any other problem, the module does not return pointers to its other APIs, which are required to execute the module’s cryptographic security services. It also behaves as if it is still in its uninitialized state, thereby preventing the use of any previously returned function pointers. Exiting this error state is possible by reinitializing the module (see Section 10.5 Operator Initiation of Self-Tests for details). This document may be reproduced and distributed only in its original entirely without revision.
| Error cause | Returned error code | ||
|---|---|---|---|
| Integrity test failure | ERR_CRYPT__CHECKSUM | ||
| Error reading shared library or checksum file | ERR_CRYPT__CHECKSUMIO | ||
| CAST failure | ERR_CRYPT__ALGTEST | ||
| Entropy source self-test failure | ERR_CRYPT__RND | ||
| PCT failure | ERR_CRYPT__VALIDATION_FAILED |
In case of a failure during a conditional self-test that is not automatically performed during start-up (see Section 10.2 Conditional SelfTests), the module briefly enters a different, transient error state. An error indicator is provided by the return value of the function that invoked the self-test. Output of the generated or imported key pair that caused the conditional self-test error is inhibited. Afterwards, the module automatically recovers from this error state. The concerned conditional self-test is repeated the next time the corresponding operation is performed (e.g., the pair-wise consistency tests are performed for each generated key pair). Table 29 lists the expected error codes (error indicators) related to failures of performed self-tests. More detailed information about which self-tests performed during module initialization failed can be obtained using the sec_crypto_get_feature_info API. Table 29: Error Causes and Expected Return Codes Please note that the module does not enter an error state when a failure unrelated to the conditional self-tests is detected after successful module initialization (e.g., because an invalid padding was detected, memory could not be allocated, or an assurance check failed). Instead, the function return values indicate to the operator the type of occurred failure.
All self-tests listed in Section 10.3 Periodic Self-Test Information with “module initialization” listed as their execution condition can be executed on-demand using the ‘initialize and self-test’ service described in Section 4.3 Approved Services. The exact procedure to use this service depends on the current state of the module:
| Name | Mode Method | ||||||
|---|---|---|---|---|---|---|---|
| SHA2-256 checksum | Package | Shared library file | HMAC file | ||||
| aix-6.1-ppc-64 | D5E4BC00EB784AE9F0179361B7189B4959 33ACFFEF50D1789A659E6F5827A364 | aix-6.1-ppc-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| aix-7.2-ppc-64 | 1A5D901BEA61ED1D0BFC138A5BF9698C4 C076A88AADAD60AB94506A21062F5C2 | aix-7.2-ppc-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| hpux-b.11.31-ia-64 | 4B55441FA1F732499A20F979A00FEF335C 7E252804DFED956356959DFF1F157A | hpux-b.11.31-ia-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| linux-gcc-11.2-armv8-64 | 5106BBAA77B89DB6B320CCF46706FF92C D343DD55388AB1D58637D225F6E580D | linux-gcc-11.2-armv8-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| linux-gcc-4.3-ia-64 | 3AFF87073CFC5397525577A3141F60D8A9 C08458D5791CB1E01FD73C715040E0 | linux-gcc-4.3-ia-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| linux-gcc-4.3-s390x-64 | B649BD3CED0C78473F27A102C48A957AD A35399CDDCF239B31D1AEB89F93CB65 | linux-gcc-4.3-s390x-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| linux-gcc-4.3-x86-64 | FAAEA6FE2320E29990DDB52DE893E33D8 5186E5F3C8DE255510355648E22D5FF | linux-gcc-4.3-x86-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| linux-gcc-4.8-ppcle-64 | 8DA6D5355BB2A0DF40D105662696AF434 A537D2E3E651556F0D3689F80CE1B29 | linux-gcc-4.8-ppcle-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| linux-musl-1.2.4-x86-64 | 881BF8113DB20671975EF4EBF30957F8D9 916526D88A6BC1388AA6F3CD2F36E1 | linux-musl-1.2.4-x86-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| macosx-arm-64 | DA40327726E62140992D4FDE9D3A9CA55 7020750F81F45D68E23B9BBC9D8DF7A | macosx-arm-64 | libslcryptokernel.dylib | libslcryptokernel.dylib.sha256 | |||
| macosx-x86-64 | FEBD7C3E85E0F0817D6B903B35E93060E 231368784028CAE2DE8C672076DFDF1 | macosx-x86-64 | libslcryptokernel.dylib | libslcryptokernel.dylib.sha25 | |||
| sunos-5.10-sparc-64 | 39653C77CFF17DD9EFE61CF6F31F7FB1B AF580DF4D6585CECB68F65832278EDF | sunos-5.10-sparc-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| sunos-5.10-x86-64 | F9260FB594EE2E62247518CFCC4EDA4A4 E803B5681D7C77042E68FCE47E60392 | sunos-5.10-x86-64 | libslcryptokernel.so | libslcryptokernel.so.sha256 | |||
| windows-x86-64 | 42BD86658272851A24510F14316491B0805 6B421012DF0C13E08A9F39E5AB92A | windows-x86-64 | slcryptokernel.dll | slcryptokernel.dll.sha256 |
Two files are provided for the installation of the module as explained in Section 2.2 Tested and Vendor Affirmed Module Version and Identification. The file names depend on the operating system for which the module is provided. The file names for the tested operational environments are listed in Table 30. Table 30: Module File Names and Checksums The module is delivered as part of multiple applications developed by SAP SE. Each application’s installation package contains the FIPS 140-3 certified module. The Crypto Officer should use the SHA2-256 checksum provided in Table 30 to check that the desired version of the module is installed. This document may be reproduced and distributed only in its original entirely without revision.
| File | Non-Administrator | Administrator | |||
|---|---|---|---|---|---|
| Shared library | Read, execute | Read, write, execute | |||
| HMAC file | Read | Read, write |
The Crypto Officer should also make sure that the files are installed with the access permissions shown in Table 31. The following terms are used in this table:
The administrator and non-administrator guidance is provided in the following documents that are provided by SAP SE together with the module:
The same set of guidance is applicable to administrator and non-administrator users of the module. Therefore, please refer to Section 11.2 Administrator Guidance for the non-administrator guidance.
Please refer to Section 11.1 Installation, Initialization, and Startup Procedures and Section 11.2 Administrator Guidance for a description of the module’s rules of operation. This document may be reproduced and distributed only in its original entirely without revision.
The module does not require any maintenance.
The module does not store any SSPs persistently. Secure sanitation of the module can thus be performed by using the ‘finalize and zeroize service to zeroize all SSPs that are under control of the module and by procedurally zeroizing of all other SSPs that are under control of the operator. For details, please see Section 4.3 Approved Services and Section 9.3 SSP Zeroization Methods. This document may be reproduced and distributed only in its original entirely without revision.
The module implements the following measures to mitigate attacks other than those already addressed by functionality required by FIPS 140-3 Security Level 1:
The use of a random blinding factor that is unknown to an attacker makes it more difficult to perform successful timing attacks on RSA private key and ECDSA signature generation operations, as the execution time is not only dependent on the private key value. However, it is important to note that blinding does not completely eliminate these attacks.
As blinding is performed transparently within the boundary of the cryptographic module, no user configuration or interaction is involved. This document may be reproduced and distributed only in its original entirely without revision.
This document may be reproduced and distributed only in its original entirely without revision. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See