All modules
CMVP Validated Module · FIPS 140-3 Security Policy

SAP CommonCryptoLib Crypto Kernel

Certificate#5093StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSAP SE
Medium review priority  ·  no TCB surface named  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/13/2030
CaveatWhen operated in approved mode. When installed, initialized, and configured as specified in Section 11.1 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorSAP SE

Approved Algorithms (60)

AlgorithmACVP Cert
SHA2-384/512
AES-CBCA5497
AES-CBC-CS3A5497
AES-CFB128A5497
AES-CFB8A5497
AES-CTRA5497
AES-ECBA5497
AES-GCMA5497
AES-OFBA5497
Counter DRBGA5497
DSA KeyGen (FIPS186-4)A5497
DSA PQGGen (FIPS186-4)A5497
ECDSA KeyGen (FIPS186-5)A5497
ECDSA KeyVer (FIPS186-5)A5497
ECDSA SigGen (FIPS186-5)A5497
ECDSA SigVer (FIPS186-5)A5497
EDDSA KeyGenA5497
EDDSA KeyVerA5497
EDDSA SigGenA5497
EDDSA SigVerA5497
HMAC-SHA-1A5497
HMAC-SHA2-224A5497
HMAC-SHA2-256A5497
HMAC-SHA2-384A5497
HMAC-SHA2-512A5497
HMAC-SHA3-224A5497
HMAC-SHA3-256A5497
HMAC-SHA3-384A5497
HMAC-SHA3-512A5497
KAS-ECC-SSC Sp800-56Ar3A5497
KAS-FFC-SSC Sp800-56Ar3A5497
KTS-IFCA5497
RSA KeyGen (FIPS186-5)A5497
RSA SigGen (FIPS186-5)A5497
RSA SigVer (FIPS186-5)A5497
SHA-1A5497
SHA2-224A5497
SHA2-256A5497
SHA2-384A5497
SHA2-512A5497
SHA3-224A5497
SHA3-256A5497
SHA3-384A5497
SHA3-512A5497
SHAKE-128A5497
SHAKE-256A5497
DSA PQGVer (FIPS186-4)A5497
DSA SigVer (FIPS186-4)A5497
ECDSA KeyVer (FIPS186-4)A5497
ECDSA SigVer (FIPS186-4)A5497
RSA SigVer (FIPS186-4)A5497
KAS-ECC CDH-Component SP800-56Ar3 (CVL)A5497
RSA Decryption Primitive Sp800-56Br2 (CVL)A5497
RSA Signature Primitive (CVL)A5497
SP 800-56Ar3, 5.6.2.3.1
KAS-FFC-SSC (C(0e, 2s, FFC DH))
SP 800-56Ar3, 5.6.2.3.3
KTS-IFC (KTS-OAEP-basic)
RSA Decryption Primitive
SHA2-256 checksum

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment2
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for SAP CommonCryptoLib Crypto Kernel
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES encryption / decryption<br/>AES CFB encryption / decryption<br/>Initialize and self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for SAP CommonCryptoLib Crypto Kernel
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES encryption / decryption<br/>AES CFB encryption / decryption<br/>Initialize and self-test</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

SAP SE SAP CommonCryptoLib Crypto Kernel Document version: 1.4 Date: 2025-10-21 This document may be reproduced and distributed only in its original entirely without revision.

Page 2
Table of Contents
#SectionPage
1General7
1.1Overview7
1.2Security Levels7
Cryptographic Module Specification8
2.1Description8
2.2Tested and Vendor Affirmed Module Version and Identification9
2.3Excluded Components13
2.4Modes of Operation14
2.5Algorithms15
2.6Security Function Implementations23
2.7Algorithm Specific Information30
2.8RBG and Entropy32
2.9Key Generation34
2.10Key Establishment34
2.11Industry Protocols36
3Cryptographic Module Interfaces37
3.1Ports and Interfaces37
3.2Trusted Channel Specification37
3.3Control Interface Not Inhibited37
3.4Additional Information37
4Roles, Services, and Authentication38
4.1Authentication Methods38
4.2Roles38
4.3Approved Services38
4.4Non-Approved Services50
4.5External Software/Firmware Loaded54
4.6Bypass Actions and Status54
4.7Cryptographic Output Actions and Status55
5Software/Firmware Security56
5.1Integrity Techniques56
5.2Initiate on Demand56
6Operational Environment57
6.1Operational Environment Type and Requirements57
6.2Configuration Settings and Restrictions57
7Physical Security58
8Non-Invasive Security59
9Sensitive Security Parameters Management60
9.1Storage Areas60
9.2SSP Input-Output Methods60
9.3SSP Zeroization Methods61
9.4SSPs62
9.5Transitions72
10Self-Tests73
10.1Pre-Operational Self-Tests73
10.2Conditional Self-Tests73
10.3Periodic Self-Test Information78
10.4Error States81
10.5Operator Initiation of Self-Tests82
11Life-Cycle Assurance83
11.1Installation, Initialization, and Startup Procedures83
11.2Administrator Guidance85
11.3Non-Administrator Guidance85
11.4Design and Rules85
11.5Maintenance Requirements86
11.6End of Life86
12Mitigation of Other Attacks87
12.1Attack List87
12.2Mitigation Effectiveness87
12.3Guidance and Constraints87
Page 3

This document may be reproduced and distributed only in its original entirely without revision.

Page 4

This document may be reproduced and distributed only in its original entirely without revision.

Page 5
List of Tables
ItemPage
Table 1: Security Levels7
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)10
Table 3: Tested Operational Environments - Software, Firmware, Hybrid12
Table 4: Optionally Available PAAs per Algorithm13
Table 5: Modes List and Description14
Table 6: Approved Algorithms - General18
Table 7: Approved Algorithms - Legacy18
Table 8: Approved Algorithms - CVL19
Table 9: Vendor-Affirmed Algorithms20
Table 10: Non-Approved, Not Allowed Algorithms22
Table 11: Security Function Implementations30
Table 12: Entropy Certificates32
Table 13: Entropy Sources32
Table 14: Obtained Assurances for the Implemented Approved KAS-SSC and KTS35
Table 15: Ports and Interfaces37
Table 16: Roles38
Table 17: Approved Services49
Table 18: Non-Approved Services54
Table 19: Storage Areas60
Table 20: SSP Input-Output Methods60
Table 21: SSP Zeroization Methods61
Table 22: SSP Table 168
Table 23: SSP Table 271
Table 24: Pre-Operational Self-Tests73
Table 25: Conditional Self-Tests78
Table 26: Pre-Operational Periodic Information79
Table 27: Conditional Periodic Information81
Table 28: Error States81
Table 29: Error Causes and Expected Return Codes82
Table 30: Module File Names and Checksums83
Table 31: File Access Permissions84
Page 6
List of Figures
ItemPage
Figure 1: Block Diagram9
Figure 2: Module in Context of its Operational Environment9
Page 7
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacks1
Overall LevelOverall Level1
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the cryptographic module “SAP CommonCryptoLib Crypto Kernel” (hereafter denoted as “module”) in its version 8.6.1 developed by SAP SE.

1.2 Security Levels

N/A N/A Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.

Page 8
2.1 Description

Purpose and Use: The module is a shared software library that implements various cryptographic functions such as encryption/decryption, signature generation/verification, key establishment, key generation, and random number generation. The module also implements an entropy source. It provides C/C++ APIs for key management and operation of the implemented cryptographic functions. The module itself is subdivided as shown in Figure

  1. The arrows in this figure indicate the interactions between the different module components. The module is used by a single operator, which is the linked application using the library by calling its functions and methods. Typically, this application is the “SAP CommonCryptoLib” (not in scope of the validation), which itself is a library providing cryptographic protocols and services to an application using it. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module comprises the shared library (including its executable code and data as well as its runtime representation) and a file containing the reference value for the software/firmware integrity test (see Section 5 Software/Firmware Security and Section 11.1 Installation, Initialization, and Startup Procedures for details). In Figure 2, the contents of the cryptographic boundary are indicated by the blue boxes. The “API” box shown in Figure 2 corresponds to the blue box shown in the block diagram in Figure
  2. The linked application calling the module’s services and residing in the same shared volatile memory region is outside the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP of the module is made up by the workstation, laptop, or server hardware the module is running on. Figure 2 shows the module and its interactions in context of the modifiable operational environment. The module interacts with the operating system within the TOEPP as well as the application it is linked to. At runtime, the module resides in the volatile memory provided by the TOEPP. This document may be reproduced and distributed only in its original entirely without revision.
Page 9
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackage
aix-6.1-ppc-648.6.1 (aix-6.1-ppc-64)HMAC-SHA2-256aix-6.1-ppc-64
aix-7.2-ppc-648.6.1 (aix-7.2-ppc-64)HMAC-SHA2-256aix-7.2-ppc-64
hpux-b.11.31-ia-648.6.1 (hpux-b.11.31-ia-64)HMAC-SHA2-256hpux-b.11.31-ia-64
linux-gcc-11.2-armv8-648.6.1 (linux-gcc-11.2-armv8- 64)HMAC-SHA2-256linux-gcc-11.2-armv8-64
linux-gcc-4.3-ia-648.6.1 (linux-gcc-4.3-ia-64)HMAC-SHA2-256linux-gcc-4.3-ia-64
linux-gcc-4.3-s390x-648.6.1 (linux-gcc-4.3-s390x-64)HMAC-SHA2-256linux-gcc-4.3-s390x-64
linux-gcc-4.3-x86-648.6.1 (linux-gcc-4.3-x86-64)HMAC-SHA2-256linux-gcc-4.3-x86-64
linux-gcc-4.8-ppcle-648.6.1 (linux-gcc-4.8-ppcle-64)HMAC-SHA2-256linux-gcc-4.8-ppcle-64
linux-musl-1.2.4-x86-648.6.1 (linux-musl-1.2.4-x86-64)HMAC-SHA2-256linux-musl-1.2.4-x86-64
macosx-arm-648.6.1 (macosx-arm-64)HMAC-SHA2-256macosx-arm-64
macosx-x86-648.6.1 (macosx-x86-64)HMAC-SHA2-256macosx-x86-64
sunos-5.10-sparc-648.6.1 (sunos-5.10-sparc-64)HMAC-SHA2-256sunos-5.10-sparc-64
sunos-5.10-x86-648.6.1 (sunos-5.10-x86-64)HMAC-SHA2-256sunos-5.10-x86-64
windows-x86-648.6.1 (windows-x86-64)HMAC-SHA2-256windows-x86-64
SLES 15 SP4SLES 15 SP4Amazon EC2 c7g.16xlarge8.6.1 (linux- gcc-11.2- armv8-64)AWS Graviton3YesAWS Nitro System

Figure 1: Block Diagram Figure 2: Module in Context of its Operational Environment

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 10
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackage
linux-gcc-4.8-ppcle-648.6.1 (linux-gcc-4.8-ppcle-64)HMAC-SHA2-256linux-gcc-4.8-ppcle-64
linux-musl-1.2.4-x86-648.6.1 (linux-musl-1.2.4-x86-64)HMAC-SHA2-256linux-musl-1.2.4-x86-64
macosx-arm-648.6.1 (macosx-arm-64)HMAC-SHA2-256macosx-arm-64
macosx-x86-648.6.1 (macosx-x86-64)HMAC-SHA2-256macosx-x86-64
sunos-5.10-sparc-648.6.1 (sunos-5.10-sparc-64)HMAC-SHA2-256sunos-5.10-sparc-64
sunos-5.10-x86-648.6.1 (sunos-5.10-x86-64)HMAC-SHA2-256sunos-5.10-x86-64
windows-x86-648.6.1 (windows-x86-64)HMAC-SHA2-256windows-x86-64
SLES 15 SP4SLES 15 SP4Amazon EC2 c7g.16xlarge8.6.1 (linux- gcc-11.2- armv8-64)AWS Graviton3YesAWS Nitro System
Apple macOS 14Apple macOS 14MacBook Pro (2019)8.6.1 (macosx-x86- 64)Intel Core i7- 9750HYes
Apple macOS 12Apple macOS 12Mac mini (2020)8.6.1 (macosx- arm-64)Apple M1Yes
SunOS 5.10SunOS 5.10Sun-4u - Fujitsu M40008.6.1 (sunos- 5.10-sparc- 64)Fujitsu SPARC64-VINo
HP-UX 11.31 (IA64)HP-UX 11.31 (IA64)Hewlett-Packard rx2800 i48.6.1 (hpux- b.11.31-ia- 64)Intel Itanium Processor 9540No
SLES 15 SP2SLES 15 SP2IBM z138.6.1 (linux- gcc-4.3- s390x-64)IBM S390NoIBM z/VM 7.2.0
IBM AIX 7.2IBM AIX 7.2IBM Power System S8248.6.1 (aix- 7.2-ppc-64)IBM POWER9YesIBM PowerVM 3.1.4.21
IBM AIX 6.1IBM AIX 6.1IBM Power System S8248.6.1 (aix- 6.1-ppc-64)IBM POWER8NoIBM PowerVM 3.1.4.21
SLES 15 SP4SLES 15 SP4Ampere D12A-M1-AA8.6.1 (linux- gcc-11.2- armv8-64)Arm Neoverse N1YesQEMU (KVM) 6.2 on SLES 15 SP4
SLES 11 SP1SLES 11 SP1Hewlett-Packard rx26608.6.1 (linux- gcc-4.3-ia- 64)Intel Itanium Processor 9120NNo
SLES 12 SP5SLES 12 SP5IBM Power System E9808.6.1 (linux- gcc-4.8- ppcle-64)IBM POWER8YesIBM PowerVM 3.1.4.21
SunOS 5.10SunOS 5.10i86pc - Fujitsu Primergy RX600 S68.6.1 (sunos- 5.10-x86-64)Intel Xeon E7- 4807Yes

Table 2: Tested Module Identification

8.6.1 (linuxgcc-11.2armv8-64)

This document may be reproduced and distributed only in its original entirely without revision.

Page 11
8.6.1 (macosx-x8664) 8.6.1 (macosxarm-64)
8.6.1 (linuxgcc-4.3s390x-64)
8.6.1 (linuxgcc-11.2armv8-64)
8.6.1 (linuxgcc-4.3-ia64)
8.6.1 (linuxgcc-4.8ppcle-64)

This document may be reproduced and distributed only in its original entirely without revision.

Page 12
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa PaiHypervisor
Alpine Linux 3.18.2Alpine Linux 3.18.2LENOVO_MT_20QU_BU_Think_FM_ThinkPad P1 Gen 28.6.1 (linux- musl-1.2.4- x86-64)Intel Core i9- 9880HYesVMware Workstation 17.5.0 on Windows 11 Enterprise
SLES 15 SP5SLES 15 SP5Dell EMC PowerEdge R8408.6.1 (linux- gcc-4.3-x86- 64)Intel Xeon Platinum 8260MYesVMware ESXi 7.0.3
Microsoft Windows Server 2022 StandardMicrosoft Windows Server 2022 StandardDELL EMC PowerEdge R8408.6.1 (windows- x86-64)Intel Xeon Platinum 8260MYesVMware ESXi 7.0.3
Approved algorithm
NameMode Method
PackageAlgorithmPackage
SHA2-384/512AES (all modes)AES-GCM1SHA-1SHA2-224/256
aix-6.1-ppc-64aix-6.1-ppc-64P8P8P8P8
aix-7.2-ppc-64aix-7.2-ppc-64P8P8P8P8
linux-gcc-11.2-armv8-64linux-gcc-11.2-armv8-64AESSHA2SHA5122SHA1
PackageAlgorithmPackage
SHA2-384/512AES (all modes)AES-GCM1SHA-1SHA2-224/256
linux-gcc-4.3-x86-64linux-gcc-4.3-x86-64AES-NI, SSSE33CLMUL
linux-gcc-4.8-ppcle-64linux-gcc-4.8-ppcle-64P8P8P8P8
linux-musl-1.2.4-x86-64linux-musl-1.2.4-x86-64AES-NI, SSSE33CLMUL
macosx-arm-64macosx-arm-64AESSHA2SHA512SHA1
macosx-x86-64macosx-x86-64AES-NI, SSSE33CLMUL
sunos-5.10-x86-64sunos-5.10-x86-64AES-NI, SSSE33CLMUL
windows-x86-64windows-x86-64AES-NI, SSSE33CLMUL
7.0.3 7.0.3
8.6.1 (linuxmusl-1.2.4x86-64)
8.6.1 (linuxgcc-4.3-x8664)

8.6.1 (windowsx86-64) Table 3: Tested Operational Environments - Software, Firmware, Hybrid All operational environments listed above with “Yes” in the “PAA/PAI” column can optionally use what is considered as a Processor Algorithm Acceleration (PAA) for certain approved algorithm implementations. For details on the PAAs supported by each binary, please refer to Table 4 and its footnotes as well as the CAVP certificate referenced in Section 2.5 Algorithms. The PAAs are also used when the listed algorithms are embedded into other higher cryptographic algorithms (e.g., SHA-256 used as part of an HMAC). AES-GCM 1 SHA512 2

1 The PAAs listed in this column are used for the counter logic of AES-GCM. They are used in addition to the PAAs listed in the “AES (all modes)”

2 Not supported by the tested operational environment using the Arm Neoverse-N1 CPU.

This document may be reproduced and distributed only in its original entirely without revision.

Page 13

AES-GCM 1 Table 4: Optionally Available PAAs per Algorithm In compliance with IG 2.3.C, the module implements every algorithm utilizing a PAA also entirely in software. Different combinations of enabled and disabled PAAs were used during testing to cover all code paths of the implemented algorithms. Before module initialization, the crypt_disable_cpu_features API can be used to configure the activated PAAs. Reconfiguration of the activated PAAs is only possible after re-initializing the module (see Section 11.1 Installation, Initialization, and Startup Procedures for more details). Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: No vendor-affirmed operational environments are claimed. Nevertheless, the module may be ported to other operational environments that have the necessary capabilities (operating system, system libraries, sufficient hardware, etc.) per the CMVP porting rules specified in the FIPS 140-3 Management Manual. However, in this case the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. In addition, when running a module on such an untested platform the “No assurance of the minimum strength of generated SSPs (e.g., keys)” caveat applies per IG 9.3.A.

2.3 Excluded Components

There are no excluded components within the cryptographic boundary.

3 The use of AES-NI and SSS3 for AES is mutually exclusive.

This document may be reproduced and distributed only in its original entirely without revision.

Page 14
Service
NameDescriptionIndicatorType
Non- approved modeThe module provides non- approved services as part of its regular operation.Provided by each service as a return code. Non-approved services either return the value "0" or do not have a return code.Non- Approved

Modes List and Description: Nonapproved NonApproved Table 5: Modes List and Description As the module supports both an approved mode and non-approved modes, the caveat “when operated in approved mode” is applicable. The module further supports a non-compliant test mode that is off by default. This mode allows for additional controls for functional testing that violate the FIPS 140-3 requirements. As the test mode is non-compliant, the caveat “when installed, initialized, and configured as specified in Section 11.1 of the Security Policy” is additionally applicable. When this mode is activated, the module is not considered to be FIPS 140-3 validated. Mode Change Instructions and Status: With the module’s default configuration, both approved and non-approved services are available at the same time. There is no transitioning procedure to switch between different modes. The return codes of the called security services indicate whether they were executed in the approved mode or the non-approved mode depending on the provided input parameters. For more details, please see Section 4.3 Approved Services. The module’s non-compliant test mode can be activated by passing the “TESTMODE” value to the crypt_control API before module initialization. When this mode is activated, all the module’s security services, including those that are usually approved, are non-approved services. This is reflected by the implemented approved service indicator. The test mode can be deactivated by reloading the module or by passing the value “PRODUCTIONMODE” to the crypt_control API. This document may be reproduced and distributed only in its original entirely without revision.

Page 15
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA5497Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A5497Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A5497Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A5497Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA5497Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA5497Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA5497Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256SP 800-38D
AES-OFBA5497Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
Counter DRBGA5497Prediction Resistance - No Mode - AES-256 Derivation Function Enabled - YesSP 800-90A Rev. 1
DSA KeyGen (FIPS186-4)A5497L - 2048, 3072 N - 224, 256FIPS 186-4
DSA PQGGen (FIPS186-4)A5497L - 2048, 3072 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA KeyGen (FIPS186-5)A5497Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyVer (FIPS186-5)A5497Curve - P-224, P-256, P-384, P-521FIPS 186-5
ECDSA SigGen (FIPS186-5)A5497Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Component - No, YesFIPS 186-5
ECDSA SigVer (FIPS186-5)A5497Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-5
EDDSA KeyGenA5497Curve - ED-25519, ED-448FIPS 186-5
EDDSA KeyVerA5497Curve - ED-25519, ED-448FIPS 186-5
EDDSA SigGenA5497Curve - ED-25519, ED-448FIPS 186-5
EDDSA SigVerA5497Curve - ED-25519, ED-448FIPS 186-5
HMAC-SHA-1A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A5497Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A5497Domain Parameter Generation Methods - P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder staticUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A5497Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 Scheme -SP 800-56A Rev. 3
KTS-IFCA5497Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-crt Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 1024SP 800-56B Rev. 2
RSA KeyGen (FIPS186-5)A5497Key Generation Mode - probable Modulo - 2048, 3072, 4096, 6144, 8192 Primality Tests - 2pow100 Private Key Format - crtFIPS 186-5
RSA SigGen (FIPS186-5)A5497Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
RSA SigVer (FIPS186-5)A5497Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
Safe Primes Key GenerationA5497Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
Safe Primes Key VerificationA5497Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
SHA-1A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A5497Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A5497Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A5497Output Length - Output Length: 16-65536 Increment 8FIPS 202
DSA PQGVer (FIPS186-4)A5497L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512FIPS 186-4
DSA SigVer (FIPS186-4)A5497L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA KeyVer (FIPS186-4)A5497Curve - P-192FIPS 186-4
ECDSA SigVer (FIPS186-4)A5497Component - No Curve - P-192 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3- 224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
RSA SigVer (FIPS186-4)A5497Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096FIPS 186-4
2.5 Algorithms

Approved Algorithms: General This document may be reproduced and distributed only in its original entirely without revision.

Page 16

This document may be reproduced and distributed only in its original entirely without revision.

Page 17

This document may be reproduced and distributed only in its original entirely without revision.

Page 18

Table 6: Approved Algorithms - General Legacy Table 7: Approved Algorithms - Legacy This document may be reproduced and distributed only in its original entirely without revision.

Page 19
Approved algorithm
NameCAVP CertPropertiesReference
KAS-ECC CDH-Component SP800-56Ar3 (CVL)A5497Function - Full Public Key Validation, Key Pair Generation Curve - P-224, P-256, P-384, P-521SP 800-56A Rev. 3
RSA Decryption Primitive Sp800-56Br2 (CVL)A5497Modulo - 2048, 3072, 4096SP 800-56B Rev. 2
RSA Signature Primitive (CVL)A5497Modulo - 2048, 3072, 4096FIPS 186-4
Service
NameApproved FunctionsProperties
AES CKGKey type: SymmetricN/ASP 800-133r2 Sections 4 / 6.1 (no post-processing or value V are used)
Signature CKGKey type: AsymmetricN/ASP 800-133r2 Sections 4 / 5.1 (no post-processing or value V are used)
Key establishment CKGKey type: AsymmetricN/ASP 800-133r2 Sections 4 / 5.2 (no post-processing or value V are used)
DSA signature verification with SHA-3Key size: L: 1024/N: 160, L: 2048/N: 224, L: 2048/N: 256, L: 3072/N: 256 Hash functions: SHA3-224, SHA3- 256, SHA3-384, SHA3-512SAP CommonCryptoLib Crypto KernelFIPS 186-4 Section 4, IG C.C
MD2, MD4, MD5Hash generation
RIPEMD-128, RIPEMD-160Hash generation
CRC32Checksum generation
IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEEDBlock cipher encryption / decryption, key generation
DES (non-compliant)Block cipher encryption / decryption, key generation
2-key / 3-key TDES (non-compliant)Block cipher encryption / decryption and key generation

Table 8: Approved Algorithms - CVL Before approved signature verification is performed, the module performs a partial public key validation as required by

Page 20
Service
NameApproved FunctionsProperties
Signature CKGKey type: AsymmetricN/ASP 800-133r2 Sections 4 / 5.1 (no post-processing or value V are used)
Key establishment CKGKey type: AsymmetricN/ASP 800-133r2 Sections 4 / 5.2 (no post-processing or value V are used)
DSA signature verification with SHA-3Key size: L: 1024/N: 160, L: 2048/N: 224, L: 2048/N: 256, L: 3072/N: 256 Hash functions: SHA3-224, SHA3- 256, SHA3-384, SHA3-512SAP CommonCryptoLib Crypto KernelFIPS 186-4 Section 4, IG C.C
MD2, MD4, MD5Hash generation
RIPEMD-128, RIPEMD-160Hash generation
CRC32Checksum generation
IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEEDBlock cipher encryption / decryption, key generation
DES (non-compliant)Block cipher encryption / decryption, key generation
2-key / 3-key TDES (non-compliant)Block cipher encryption / decryption and key generation
AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant)Block cipher encryption / decryption
AES-GCM with * user-provided IV for encryption (outside of the use within TLS 1.2 / 1.3) * decryption without prior tag check, or * tags with a length of < 96 bits. (non-compliant)Authenticated encryption / decryption
RC4Stream cipher encryption / decryption, key generation
HMAC generation with * key length less than 112 bits, * IPAD and/or OPAD configured to values not specified in FIPS 198-1, * non-approved hash functions, or * SHAKE128 or SHAKE256. (non-compliant)HMAC generation
DSA signature generation using key sizes of L: 2048 / N: 224, L: 2048 / N: 256, and L: 3072 / N: 256 and hash functions SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. (non-compliant)Signature generation
DSA signature verification with * groups not approved for signature verification, * hash functions not approved for signature generation respectively verification, or * pre-hashed messages. (non-compliant)Signature verification
DSA key pair and domain parameter generation * with groups not approved for KAS-FFC or * for use outside of KAS-FFC. (non-compliant)Key pair and domain parameter generation
RSA signature generation / verification with * modulus length not approved for signature generation respectively verification, * user-provided salt (only PSS generation), * padding not approved for signature generation,Signature generation, signature verification
RSA key pair generation with modulus length not approved for key generation. (non-compliant)Key pair generation
ECDSA signature generation / verification with * curves not approved for signature generation respectively verification, * hash functions not approved for signature generation respectively verification, * using SHAKE-128 or SHAKE-256, or * pre-hashed messages (only verification). (non-compliant)Signature generation
ECDSA key pair generation with curves not approved for key generation. (non-compliant)Key pair generation
KAS-ECC-SSC with curves not approved for KAS-ECC. (non-compliant)Key agreement, key pair generation
KAS-FFC-SSC with groups not approved for KAS-FFC. (non-compliant)Key agreement, key pair generation
KTS-IFC (OAEP) with * modulus length not approved for KTS-IFC, * hash functions not approved for use with OAEP, or * user-provided seed (only encapsulation). (non-compliant)Key transport, key pair generation
RSA key transport with * no padding (only encapsulation) or * padding not approved for use with RSA (i.e., non-OAEP padding). (non-compliant)Key transport
ElGamalKey encapsulation, key generation
Counter DRBG using AES-128, AES-192, or AES-256 with derivation function when seeded entirely by the calling application. (non-compliant)Random number generation

N/A N/A Table 9: Vendor-Affirmed Algorithms For the approved key generation algorithms used together with the CKG claimed according to IG D.H, please see the approved algorithms table above and Section 2.6 Security Function Implementations. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.

Page 21

This document may be reproduced and distributed only in its original entirely without revision.

Page 22

Table 10: Non-Approved, Not Allowed Algorithms This document may be reproduced and distributed only in its original entirely without revision.

Page 23
Service
NameDescriptionApproved FunctionsType
HMAC generationTruncation: not supported Key length: >= 112 bitsHMAC-SHA-1: (A5497) HMAC-SHA2-224: (A5497) HMAC-SHA2-256: (A5497) HMAC-SHA2-384: (A5497) HMAC-SHA2-512: (A5497) HMAC-SHA3-224: (A5497) HMAC-SHA3-256: (A5497) HMAC-SHA3-384: (A5497) HMAC-SHA3-512: (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497)MAC
Hash generationSHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497)SHA
XOF generationSHAKE-128: (A5497) SHAKE-256: (A5497)XOF
Random number generationCounter DRBG: (A5497) AES-CTR: (A5497) Key length: 256 bits SHA2-512: (A5497)DRBG ENT-Cond ENT-ESV
AES encryption / decryptionAES-CBC: (A5497) AES-CBC-CS3: (A5497) AES-CTR: (A5497) AES-ECB: (A5497) AES-OFB: (A5497)BC-UnAuth
AES GCM encryption / decryption (random IV)Tag length: >= 96 bits IV length (for encryption): >= 96 bitsAES-GCM: (A5497)BC-Auth
AES GCM encryption / decryption (TLS 1.2)Standards: RFC 5246 and RFC 5288AES-GCM: (A5497)BC-Auth
AES GCM encryption / decryption (TLS 1.3)Standard: RFC 8446AES-GCM: (A5497)BC-Auth
AES CFB encryption / decryptions: 8, 16, ..., 128 (only s = 8 and 128 are CAVP- tested)AES-CFB8: (A5497) AES-CFB128: (A5497)BC-UnAuth
Ed25519 signature generationEDDSA SigGen: (A5497) SHA2-512: (A5497)DigSig-SigGen
Ed25519 signature verificationEDDSA SigVer: (A5497) SHA2-512: (A5497)DigSig-SigVer
Ed448 signature generationEDDSA SigGen: (A5497) SHAKE-256: (A5497)DigSig-SigGen
Ed448 signature verificationEDDSA SigVer: (A5497) SHAKE-256: (A5497)DigSig-SigVer
RSA PKCS1-v1.5 signature generationModulus length: >= 2048 bits (only modulus length of 2048, 3072, and 4096 are CAVP- tested)RSA SigGen (FIPS186- 5): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497)DigSig-SigGen
RSA PKCS1-v1.5 signature verificationModulus length: 1024 bits and >= 2048 bits (only modulus length of 1024, 2048, 3072, and 4096 are CAVP-tested)RSA SigVer (FIPS186- 4): (A5497) RSA SigVer (FIPS186- 5): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497)DigSig-SigVer
RSA PSS signature generationModulus length: >= 2048 bits (only modulus length of 2048, 3072, and 4096 are CAVP- tested)RSA SigGen (FIPS186- 5): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) SHAKE-128: (A5497) SHAKE-256: (A5497)DigSig-SigGen
RSA PSS signature verificationModulus length: 1024 bits and >= 2048 bits (only modulus length of 1024, 2048, 3072, and 4096 are CAVP-tested)RSA SigVer (FIPS186- 4): (A5497) RSA SigVer (FIPS186- 5): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497) SHAKE-128: (A5497) SHAKE-256: (A5497)DigSig-SigVer
RSA signature generation with pre- computed hash (CVL)Modulus length: >= 2048 bits (only modulus length of 2048, 3072,RSA Signature Primitive: (A5497)DigSig-SigGen
ECDSA signature generationCurves: P-224, P-256, P-384, P-521ECDSA SigGen (FIPS186-5): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497)DigSig-SigGen
ECDSA signature verificationCurves: P-192, P-224, P-256, P-384, P-521ECDSA SigVer (FIPS186-4): (A5497) ECDSA SigVer (FIPS186-5): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) SHA3-224: (A5497) SHA3-256: (A5497) SHA3-384: (A5497) SHA3-512: (A5497)DigSig-SigVer
ECDSA signature generation with pre- computed hash (CVL)Curves: P-224, P-256, P-384, P-521ECDSA SigGen (FIPS186-5): (A5497)DigSig-SigGen
DSA signature verificationGroups: L: 1024/N: 160, L: 2048/N: 224, L: 2048/N: 256, L: 3072/N: 256DSA SigVer (FIPS186- 4): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497)DigSig-SigVer
EdDSA public key validationCurves: Edwards25519, Edwards448EDDSA KeyVer: (A5497)AsymKeyPair- PubKeyVal
ECDSA public key validationCurves: P-192, P-224, P-256, P-384, P-521ECDSA KeyVer (FIPS186-4): (A5497) ECDSA KeyVer (FIPS186-5): (A5497)AsymKeyPair- PubKeyVal
DSA domain parameter validationGroups: L: 1024/N: 160, L: 2048/N: 224 (FB), L: 2048/N: 256 (FC), L: 3072/N: 256DSA PQGVer (FIPS186-4): (A5497) SHA-1: (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497)AsymKeyPair-DomPar
EdDSA key pair generationCurves: Edwards25519, Edwards448EDDSA KeyGen: (A5497) Signature CKG: ()AsymKeyPair-KeyGen CKG
ECDSA key pair generationCurves: P-224, P-256, P-384, P-521ECDSA KeyGen (FIPS186-5): (A5497) Signature CKG: ()AsymKeyPair-KeyGen CKG
RSA key pair generationModulus length: 2048 to 8192 bits (only modulus length of 2048, 3072, 4096, and 8192 are CAVP-tested)RSA KeyGen (FIPS186- 5): (A5497) Signature CKG: ()AsymKeyPair-KeyGen CKG
AES key generationKey length: 128, 192, 256 bitsAES CKG: ()CKG
KTS-IFCStandard: SP 800- 56Brev2 IG D.G: Approved RSA- based key transport scheme Key confirmation: No Caveat: Key establishment methodology provides between 112 and 256 bits of security strength Modulus length: 2048 bits (only modulus length of 2048, 3072, and 4096 are CAVP- tested)KTS-IFC: (A5497) Key establishment CKG: () RSA KeyGen (FIPS186- 5): (A5497) RSA Decryption Primitive Sp800-56Br2: (A5497)KTS-Encap
KAS-SSC FFCIG: IG D.F Scenario 2, path (1) Caveat: Key establishment methodology provides between 112 and 192 bits of security strength Groups: FB, FC, MODP 2048, MODP 3072, MODP 4096, MODP 6144, MODP 8192, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192KAS-FFC-SSC Sp800- 56Ar3: (A5497) DSA KeyGen (FIPS186- 4): (A5497) DSA PQGGen (FIPS186-4): (A5497) SHA2-224: (A5497) SHA2-256: (A5497) SHA2-384: (A5497) SHA2-512: (A5497) DSA PQGVer (FIPS186-4): (A5497) Key establishment CKG: () Safe Primes Key Generation: (A5497)AsymKeyPair-DomPar CKG KAS-KeyGen KAS-SSC
KAS-SSC ECCIG: IG D.F Scenario 2, path (1) Caveat: Key establishment methodology provides between 112 and 256 bits of security strengthKAS-ECC-SSC Sp800- 56Ar3: (A5497) KAS-ECC CDH- Component SP800- 56Ar3: (A5497) EDDSA KeyGen: (A5497) Key establishment CKG: () ECDSA KeyVer (FIPS186-5): (A5497)CKG KAS-KeyGen KAS-SSC

Note that “non-approved” in the above non-approved, not allowed algorithms table refers to algorithms or parameter sets (e.g., modulus sizes or curves) not listed as approved in either the approved algorithms table or the vendor-affirmed algorithms table. Please further note the algorithm specific information provided in Section 2.7 Algorithm Specific Information. Note that some of the functions listed in the above table are non-compliant implementations of what appear to be approved algorithms. For a description of the security strength as a function of the key length respectively the algorithm parameters of the listed non-approved security functions, please see SP 800-57 Part 1 Revision 5 Section 5.6.1.

2.6 Security Function Implementations

This document may be reproduced and distributed only in its original entirely without revision.

Page 24

This document may be reproduced and distributed only in its original entirely without revision.

Page 25

This document may be reproduced and distributed only in its original entirely without revision.

Page 26

This document may be reproduced and distributed only in its original entirely without revision.

Page 27

This document may be reproduced and distributed only in its original entirely without revision.

Page 28

AsymKeyPairPubKeyVal AsymKeyPairPubKeyVal () This document may be reproduced and distributed only in its original entirely without revision.

Page 29

This document may be reproduced and distributed only in its original entirely without revision.

Page 30

Table 11: Security Function Implementations Unless identified otherwise in the above table, all tested capabilities (e.g., key sizes, curves, modes) of the listed algorithms are used by the security function implementations. For details, please refer to Section 2.5 Algorithms. Note that the “random number generation” SFI also makes use of the module’s validated entropy source (cf. 2.8 RBG and Entropy).

2.7 Algorithm Specific Information

When using the approved security functions (see Section 2.6 Security Function Implementations), the Crypto Officer shall observe the following algorithm-specific requirements: KAS-SSC FFC / ECC: The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KTS-IFC: The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS. AES-CTR Encryption: Externally loaded counter values shall have the properties required by SP 800-38A Section 6.5. This document may be reproduced and distributed only in its original entirely without revision.

Page 31

AES-GCM: The module provides APIs to use AES-GCM encryption as specified in SP 800-38D as an approved service according to the following scenarios of IG C.H:

Page 32
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
SAP CommonCryptoLib Entropy Collector 1.0.0Non- Physical512 bitsAll operating environments listed in Section 2.2 Tested and Vendor Affirmed Module Version and Identification.Full entropySHA2-512 (see Section 2.5 Algorithms for the CAVP Cert.)
CertVendor
NumberName
E172SAP

SHA-1: SHA-1 shall only be used for digital signature generation where specifically allowed by NIST protocol-specific guidance. For all other applications, SHA-1 shall not be used for digital signature generation. When used for digital signature verification, SHA-1 shall only be used in legacy applications. For non-digital-signature applications, SHA-1 shall only be used in applications that do not require collision resistance. Table 12: Entropy Certificates NonPhysical Table 13: Entropy Sources The entropy source is within the cryptographical boundary of the module. The module’s entropy source provides 512 bits of minentropy per conditioned 512-bit output. The module implements an internal Counter DRBG instance using AES-256 with derivation function, but without support for reseeding and predication resistance (i.e., the Counter DRBG is only seeded once during module initialization). This DBRG instance is managed internally by the module and used for all random number generation in the approved security functions, for SSP generation, and SSP establishment. It is seeded entirely by the validated entropy source during module initialization and thus provides a security strength of 256 bits. After the allowed maximum number of random bits was requested from the Counter DRBG, further output is blocked, and the module shall be reinitialized to request additional outputs. The Counter DRBG’s additional input and personalization string used for its initialization are derived from additional outputs of the entropy source and, if available, data obtained from the operating system (“dev/urandom” on operating systems that provide this file) as well as data provided by the linked application during module initialization. Note that this additional data is not considered in the security strength estimate of the approved Counter DRBG. This document may be reproduced and distributed only in its original entirely without revision.

Page 33

In compliance with IG 2.4.A, the internal Counter DRBG is used by approved and non-approved services for the following purposes by the module: In Approved Services:

Page 34
2.9 Key Generation

The module’s key generation methods as well as the related vendor-affirmed CKG entries per IG D.H are specified in Section 2.5 Algorithms and Section 2.6 Security Function Implementations. The approved services for key generation cover

2.10 Key Establishment

The key establishment schemes in terms of the implemented Key Agreement Schemes Shared Secret Computation (KAS-SSC) and Key Transport Schemes (KTS) as specified in SP 800-56Ar3 and SP 800-56Br2 implemented by the module are listed in Section 2.5 Algorithms and Section 2.6 Security Function Implementations. The module only supports the shared secret computation. It does not implement key derivation or key confirmation. It can act both in the initiator and responder roles. As required by IG D.F, for the implemented approved schemes, the module obtains all assurances required by the respective standards for which the module has the necessary inputs either using explicit assurance checks or by generating all values as specified in the respective algorithm standard. The coverage of the required assurances, other than the pair-wise consistency tests that are always performed when a key pair (i.e., both a private and a public key) is generated or imported (see Section 11.2 Administrator Guidance for details), are explained in Table 14. When not stated otherwise, the assurances are obtained directly by the dedicated KAS-SSC and KTS APIs. Some assurances must be manually obtained by the operator of the module as the module does not have the necessary inputs to perform the validations by itself. For the implemented KAS-SSC, the owner’s private key and received public key are validated at the latest before generating the shared secret. It is also ensured that the owner’s static or ephemeral private / public key is validated before it is first exported. This document may be reproduced and distributed only in its original entirely without revision.

Page 35
Approved algorithm
NameKey SizeUse Function
SchemeSchemeOwner’s private keyOwner’s public keyReceived public keyDomain parameters
SP 800-56Ar3, 5.6.2.3.1N/A for named approved groups. For FIPS 186-type FFC domain parameters, explicit domain parameter validation (for the unverifiable generation method of g) as specified in SP 800-89 Section 4.1 respectively FIPS 186-4 Section A.1.1.3 / A.2.2 is performed if the used seed is provided.KAS-FFC-SSC (C(2e, 0s, FFC-DH))SP 800-56Ar3, 5.6.2.1.2SP 800-56Ar3, 5.6.2.2.2
KAS-FFC-SSC (C(0e, 2s, FFC DH))KAS-FFC-SSC (C(0e, 2s, FFC DH))SP 800-56Ar3, 5.6.2.2.1
SP 800-56Ar3, 5.6.2.3.3N/A for approved named curves.KAS-ECC-SSC (C(2e, 0s, ECC CDH))SP 800-56Ar3, 5.6.2.1.2SP 800-56Ar3, 5.6.2.3.3
Shall be obtained manually (see below) as the owner’s public key is not input into this API.KAS-ECC (ECC CDH primitive / component)
KTS-IFC (KTS-OAEP-basic)N/A for RSA.KTS-IFC (KTS-OAEP-basic)Shall be obtained manually (see below) before calling the KTS APIs, which only take the owner’s private key and received ciphertext as inputs.SP 800-56Br2, 6.4.2.2 / SP 800-89, 5.3.3
RSA Decryption PrimitiveRSA Decryption PrimitiveN/A as this Scheme does not allow encrypting.

5.6.2.2.2 5.6.2.1.2 5.6.2.3.1 5.6.2.2.1 5.6.2.3.3 5.6.2.1.2 5.6.2.3.3 This document may be reproduced and distributed only in its original entirely without revision.

Page 36

The module further provides the following standalone functions, which can be used independently of the dedicated KAS-SSC and KTS APIs addressed in Table 14, to manually obtain assurances:

6.4.1.2.3 for RSA key pairs.
2.11 Industry Protocols

The module itself does not implement any industry protocols. However, note the information provided in Section 2.7 Algorithm Specific Information for the use of AES-GCM encryption in context of the TLS 1.2 and 1.3 protocols. This document may be reproduced and distributed only in its original entirely without revision.

Page 37
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI input parameters
N/AN/AData OutputAPI output parameters
N/AN/AControl InputAPI calls
N/AN/AStatus OutputAPI output parameters for status and API return values
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 15: Ports and Interfaces As the module is a software library, its logical interfaces are realized in terms of a set of APIs. The above table maps the FIPS 140-3 logical interfaces to the distinct parts of these APIs. All functionality of the module is made available to the calling application (i.e., the operator of the module) in terms of exported functions (APIs). Some of these functions are also used internally, e.g., the self-test service makes use of some of those functions when performing cryptographic algorithm self-tests. For a full reference of all exported APIs, please see the guidance documents referenced in Section 11.2 Administrator Guidance. Because the module is a software library, it does not have any physical ports or manual controls of its own and does not support any external input or output devices. It also does not have a maintenance access interface.

3.2 Trusted Channel Specification

The module does not implement a trusted channel.

3.3 Control Interface Not Inhibited

Not applicable as the module does not implement a control output interface.

3.4 Additional Information

The module uses technical means to inhibit the data output interface during pre-operational self-tests, during zeroization of nontemporary SSPs that are under control of the module, and when in an error state. This document may be reproduced and distributed only in its original entirely without revision.

Page 38
Service
NameDescriptionRole AccessCsps AccessedIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Initialize and self-testConfigures and initializes the module as well as performs the pre- operational self- tests and the CASTs.Crypto Officer - Counter DBRG seed: entropy source output: G - Counter DRBG key: G - Counter DRBG V: GReturn value 1Additional input for DRBG, memory management callback pointers, PAA and test mode configuration, path to the shared library (for non-tested OEs)List of available API functions if all self- tests passed or test result in form of error code if any test failedHMAC generation Hash generation XOF generation Random number generation AES encryption / decryption AES GCM encryption / decryption
Service
NameDescriptionRole AccessCsps AccessedIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Initialize and self-testConfigures and initializes the module as well as performs the pre- operational self- tests and the CASTs.Crypto Officer - Counter DBRG seed: entropy source output: G - Counter DRBG key: G - Counter DRBG V: GReturn value 1Additional input for DRBG, memory management callback pointers, PAA and test mode configuration, path to the shared library (for non-tested OEs)List of available API functions if all self- tests passed or test result in form of error code if any test failedHMAC generation Hash generation XOF generation Random number generation AES encryption / decryption AES GCM encryption / decryption
Finalize and zeroizeFinalizes the module. Internal resources are zeroized / released.Crypto Officer - Counter DRBG key: Z - Counter DRBG V: ZReturn value 1None
Show versioning informationOutputs the module name and version.Crypto OfficerNoneModule name and versionNone
Show statusInforms about the module status, (e.g., the status of each service call).Crypto OfficerNoneStatus informationNone
Block cipher encryptionEncrypt data using a symmetric block cipher.Crypto Officer - AES keys: W,EReturn value 1Algorithm, mode of operation, plaintext, key, IV (optional), additional authenticated data (if any), authenticationCiphertext, authentication tag (if any)Random number generation AES encryption / decryption
tag (if any), padding schemetag (if any), padding schemeAES GCM encryption / decryption (random IV) AES GCM encryption / decryption (TLS 1.2) AES GCM encryption / decryption (TLS 1.3) AES CFB encryption / decryption
Block cipher decryptionDecrypt data using a symmetric block cipher.Crypto Officer - AES keys: W,EReturn value 1Algorithm, mode of operation, ciphertext, key, IV, additional authenticated data (if any), authentication tag (if any), padding schemePlaintext, tag check resultAES encryption / decryption AES GCM encryption / decryption (random IV) AES GCM encryption / decryption (TLS 1.2) AES GCM encryption / decryption (TLS 1.3) AES CFB encryption / decryption
Key transportAsymmetric key material encapsulation and decapsulation.Crypto Officer - KTS-IFC private key: G,R,W,E - KTS-IFC public key: G,R,W,E - Received KTS-IFC public key: W,E - Intermediate key generation values: G,Z - Keying material: R,W,E - Counter DRBG key: E - Counter DRBG V: EReturn value 1Scheme, public key / private key (optional), keying material / ciphertextCiphertext / keying materialKTS-IFC
Signature generationDigital signature generation.Crypto Officer - EdDSA private keys: W,E - ECDSA private keys: W,E - RSA private keys: W,E - Counter DRBG key: EReturn value 1Algorithm, domain parameters, private key, hash algorithm, (hash of) message, padding schemeSignatureRandom number generation Ed25519 signature generation Ed448 signature generation RSA PKCS1- v1.5 signature
4 Roles, Services, and Authentication

The module does not implement operator authentication.

4.2 Roles

Table 16: Roles mechanisms, the Crypto Officer role is implicitly assumed by the operator when calling any of the module’s APIs. Note that the module does not allow the operator to perform maintenance services and thus does not support a maintenance role.

4.3 Approved Services

G This document may be reproduced and distributed only in its original entirely without revision.

Page 39

RSA PKCS1v1.5 with precomputed with precomputed This document may be reproduced and distributed only in its original entirely without revision.

Page 40

W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 41

W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 42

RSA PKCS1v1.5 G,R,W,E G,R,W,E W,E R,W,E W,E W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 43
Service
NameDescriptionRole AccessCsps AccessedIndicatorInputOutput
Signature verificationDigital signature verification.Ed25519 signature verification Ed448 signature verification RSA PKCS1- v1.5 signature verification RSA PSS signature verification ECDSACrypto Officer - EdDSA public keys: W,E - ECDSA public keys: W,E - DSA public keys: W,E - RSA public keys: W,E - Counter DRBG key: E - CounterReturn value 1Algorithm, domain parameters, public key, hash algorithm, (hash of) message, padding scheme, signatureVerification result
signature verification DSA signature verification EdDSA public key validation ECDSA public key validation DSA domain parameter validationsignature verification DSA signature verification EdDSA public key validation ECDSA public key validation DSA domain parameter validationDRBG V: E - Intermediate key generation values: G,Z
Shared secret computationECC and FFC key agreement.Random number generation KAS-SSC FFC KAS-SSC ECCCrypto Officer - KAS-ECC private key: G,R,W,E - KAS-ECC public key: G,R,W,E - Received KAS-ECC public key: W,E - KAS-FFC private key: G,R,W,E - KAS-FFC public key: G,R,W,E - Received KAS-FFC public key:Return value 1Scheme, domain parameters, own private key (optional), received public keyOwn public key, shared secret
Assurance checksPerform assurance checks as specified in Section 2.10 Key Establishment.Random number generation EdDSA public key validation ECDSA public key validation DSA domain parameter validationCrypto Officer - KTS-IFC private key: W,E - KTS-IFC public key: W,E - Received KAS-ECC public key: W,E - Received KAS-FFC public key: W,EReturn value 1Domain parameters, public key, private keyCheck result
HMAC generationHMAC generation.HMAC generationCrypto Officer - HMAC keys: W,EReturn value 1Hash algorithm, key, IPAD and OPAD values, dataHMAC value
Hash generationHash generation.Hash generationCrypto OfficerReturn value 1Hash algorithm, dataHash value
XOF generationXOF generation.XOF generationCrypto OfficerReturn value 1XOF algorithm, data, output lengthXOF output
Random number generationRandom number generation.Random number generationCrypto Officer - Counter DRBG key: E - Counter DRBG V: EReturn value 1Number of bytes to generateRandom data
Signature key pair generationSignature key pair generationRandom number generation EdDSA key pair generation ECDSA key pair generationCrypto Officer - EdDSA private keys: G,R - EdDSA public keys: G,R - ECDSA private keys:Return value 1Key type, key size, domain parameters, hash algorithm (for DSA and EdDSA)Generated key pair

with precomputed with precomputed RSA PKCS1v1.5 W,E W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 44

G,R,W,E G,R,W,E W,E G,R,W,E G,R,W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 45

W,E R,W,E G,R,W,E W,E W,E W,E W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 46

W,E W,E W,E G,R G,R This document may be reproduced and distributed only in its original entirely without revision.

Page 47
Sensitive security parameter
NameDescriptionGenerationInputOutputAccessIndicator
Symmetric key generationSymmetric key generation.Random number generation AES key generationKey type, key sizeGenerated keyCrypto Officer - AES keys: G,R - Counter DRBG key: E - Counter DRBG V: EReturn value 1
Export / import cryptographic objectExport / import of cryptographic context objects.NoneContext object / blobBlob / context objectCrypto Officer - AES keys: R,W - HMAC keys: R,W - EdDSA private keys: R,W - EdDSA public keys: R,W - ECDSA private keys: R,W - ECDSAReturn value 1

G,R G,R G,R R,W R,W R,W R,W R,W This document may be reproduced and distributed only in its original entirely without revision.

Page 48

R,W R,W R,W R,W R,W R,W R,W R,W This document may be reproduced and distributed only in its original entirely without revision.

Page 49

R,W R,W Table 17: Approved Services For the table above, the following notation is used to indicate the type of SSP access:

Page 50
Service
NameDescriptionRolesApproved Functions
Block cipher encryptionEncrypt data using a symmetric block cipher.Crypto OfficerIDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant) AES-GCM with * user-provided IV for encryption (outside of the use within TLS 1.2 / 1.3) * decryption without prior tag check, or * tags with a length of < 96 bits. (non-compliant)
Block cipher decryptionDecrypt data using a symmetric block cipher.Crypto OfficerIDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant)
Key transportAsymmetric key material encapsulation and decapsulation.Crypto OfficerElGamal KTS-IFC (OAEP) with * modulus length not approved for KTS-IFC, * hash functions not approved for use with OAEP, or * user-provided seed (only encapsulation). (non-compliant) RSA key transport with * no padding (only encapsulation) or * padding not approved for use with RSA (i.e., non-OAEP padding). (non-compliant)
Signature generationDigital signature generation.Crypto OfficerDSA signature generation using key sizes of L: 2048 / N: 224, L: 2048 / N: 256, and L: 3072 / N: 256 and hash functions SHA2- 224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, and SHA3-512. (non-compliant)
1.2 / 1.3)

This document may be reproduced and distributed only in its original entirely without revision.

Page 51
Service
NameDescriptionRolesRole Access
Signature verificationDigital signature verification.Crypto OfficerDSA signature verification with * groups not approved for signature verification, * hash functions not approved for signature generation respectively verification, or * pre-hashed messages. (non-compliant) RSA signature generation / verification with * modulus length not approved for signature generation respectively verification, * user-provided salt (only PSS generation), * padding not approved for signature generation, * hash functions not approved for signature generation respectively verification, or * pre-hashed messages (only verification). (non-compliant) ECDSA signature generation / verification with * curves not approved for signature generation respectively
Shared secret computationECC and FFC key agreement.Crypto OfficerDSA key pair and domain parameter generation * with groups not approved for KAS-FFC or * for use outside of KAS-FFC. (non-compliant) RSA key pair generation with modulus length not approved for key generation. (non-compliant) ECDSA key pair generation with curves not approved for key generation. (non-compliant) KAS-ECC-SSC with curves not approved for KAS-ECC. (non-compliant) KAS-FFC-SSC with groups not approved for KAS-FFC. (non-compliant)
HMAC generationHMAC generation.Crypto OfficerHMAC generation with * key length less than 112 bits, * IPAD and/or OPAD configured to values not specified in FIPS 198-1, * non-approved hash functions, or * SHAKE128 or SHAKE256. (non-compliant)
Hash generationHash generation.Crypto OfficerMD2, MD4, MD5 RIPEMD-128, RIPEMD-160 CRC32
Random number generationRandom number generation.Crypto OfficerCounter DRBG using AES-128, AES-192, or AES-256 with derivation function when seeded entirely by the calling application. (non-compliant)
Signature key pair generationSignature key pair generation.Crypto OfficerDSA key pair and domain parameter generation * with groups not approved for KAS-FFC or * for use outside of KAS-FFC. (non-compliant) RSA key pair generation with modulus length not approved for key generation. (non-compliant) ECDSA key pair generation with curves not approved for key generation. (non-compliant)
Symmetric key generationSymmetric key generation.Crypto OfficerIDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED RC4 ElGamal 2-key / 3-key TDES (non-compliant) DES (non-compliant)
Export / import cryptographic objectExport / import of cryptographic context objects of non-approved algorithms.Crypto OfficerMD2, MD4, MD5 RIPEMD-128, RIPEMD-160 CRC32 IDEA, RC2, RC5-32, ARIA128, ARIA192, ARIA256, SEED DES (non-compliant) 2-key / 3-key TDES (non-compliant) AES with the mode of operations * ciphertext stealing (CTS) ECB or * OFB with a non-standard number of feedback bits. (non-compliant) AES-GCM with * user-provided IV for encryption (outside of the use within TLS 1.2 / 1.3) * decryption without prior tag check, or * tags with a length of < 96 bits.
Stream cipher encryption / decryptionEncrypt / decrypt data using a symmetric stream cipher.Crypto OfficerRC4

This document may be reproduced and distributed only in its original entirely without revision.

Page 52

This document may be reproduced and distributed only in its original entirely without revision.

Page 53
1.2 / 1.3)

This document may be reproduced and distributed only in its original entirely without revision.

Page 54

Table 18: Non-Approved Services Note that the approved internal Counter DRBG instance is used by some of the non-approved services per the allowance in IG 2.4.A. For a detailed description of the purposes for which this DRBG instance is used, please refer to Section 2.8 RBG and Entropy.

4.5 External Software/Firmware Loaded

The module does not support software/firmware loading.

4.6 Bypass Actions and Status

The module does not implement a bypass capability. This document may be reproduced and distributed only in its original entirely without revision.

Page 55
4.7 Cryptographic Output Actions and Status

The module does not implement a self-initiated output capability. This document may be reproduced and distributed only in its original entirely without revision.

Page 56
5 Software/Firmware Security
5.1 Integrity Techniques

The module uses an HMAC-SHA2-256 (see Section 2.5 Algorithms for the CAVP certificate number) as the approved integrity technique for the software/firmware integrity test. The HMAC is computed over the entire shared library file during module initialization. The reference value for the integrity test is stored in a separate file, with the exact delivery format depending on the used platform (see Section 11.1 Installation, Initialization, and Startup Procedures for more details):

5.2 Initiate on Demand

The integrity test can be executed on demand by re-initializing the module. This process is described in more detail in Section 10.5 Operator Initiation of Self-Tests. This document may be reproduced and distributed only in its original entirely without revision.

Page 57
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: This module is expected to be run in operational environments where each user application runs in a virtually-separated, independent process with its own address space. By default, all tested operating systems (Windows as well as the Unix derivates) provide such a separation so that no other, unauthorized process can access or modify SSPs while the cryptographic module is in use. The virtual memory provided by the operating systems also ensures that every instance of the module has exclusive control over its own SSPs. The module does not spawn any processes or threads. It uses only memory within the virtual address space of the process and does not communicate with any other process in any way (e.g., using inter-process communication such as pipes). The application linked to the module and running in the same virtual memory area is expected to only interact with the module through the defined interfaces.

6.2 Configuration Settings and Restrictions

The operator of the module shall not configure the operating systems in a way that disables the process separation mechanisms referenced in Section 6.1 Operational Environment Type and Requirements. This document may be reproduced and distributed only in its original entirely without revision.

Page 58
7 Physical Security

The module comprises only software. It runs on operational environments with a multiple-chip standalone embodiment. It has no physical protection mechanisms. Therefore, the physical security requirements are not applicable. This document may be reproduced and distributed only in its original entirely without revision.

Page 59
8 Non-Invasive Security

The module does not implement any non-invasive security measures that are referenced in SP 800-140F. This document may be reproduced and distributed only in its original entirely without revision.

Page 60
Sensitive security parameter
NameTypeDescription
RAMDynamicVolatile system memory shared with the linked application.
Service
NameTypeFromTo
API InputPlaintextLinked application in the TOEPPRAMManualElectronic
API outputPlaintextRAMLinked application in the TOEPPManualElectronic
9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 19: Storage Areas The state of the internal Counter DRBG instance is stored at most until the end of the module’s runtime in volatile memory allocated by the module itself. All other SSPs used by the module are stored in the volatile memory shared with the linked application. SSPs passed to the module via memory pointers by the linked application are only accessed and used within a single API call. The module does not keep references to these SSPs after the API call is done. To allow chaining of related APIs (e.g., for encrypting multiple blocks of data) the state of certain security functions is stored in context objects that include any required SSPs (either by reference or directly as byte arrays). These objects are passed back and forth between the module and the linked application for each API call. Where necessary to allow for procedural zeroization of such objects, the module provides information about the location and size of allocated memory to the linked application (see also Section

9.3 SSP Zeroization Methods).

Note that the linked application mentioned above runs inside the module’s Tested Operational Environment’s Physical Perimeter (TOEPP) but outside its cryptographic boundary. It resides in the same volatile memory area as the module.

9.2 SSP Input-Output Methods

Table 20: SSP Input-Output Methods This document may be reproduced and distributed only in its original entirely without revision.

Page 61
ZeroizationDescriptionRationaleOperator Initiation
Method
Module: AutomaticSSPs temporarily allocated by the module or derived from operator- supplied inputs for use within a single API call are automatically zeroized by the module before the respective function returns.To prevent the unintended reuse of SSPs stored in volatile memory are explicitly overwritten with zeros before the memory is deallocated. This zeroing process typically takes place at the end of a function call, ensuring that no residual data remains in memory after the function returns.Not required as this zeroization is triggered automatically by the module itself.
Module: FinalizationZeroization of SSPs that are stored under control of the module for longer than a single API call (internal Counter DRBG instance).To prevent the unintended reuse of SSPs, those stored in volatile memory are explicitly overwritten with zeros before the memory is deallocated. This zeroing process occurs during the module_final() API function call or when the module is unloaded, ensuring that no residual data remains in memory after finalization or unloading.Finalizing / unloading the module.
ProceduralSSPs that are not under control of the module can be procedurally zeroized by the operator.The operator can perform procedural zeroization SSPs that are not managed by the cryptographic module by overwriting the specific regions of volatile memory where these parameters reside with zeros.Procedural zeroization is independent of the module's control and must be triggered by the operator.

SSPs are passed between the module and the linked application running via API input and output parameters in plaintext. The parameters contain pointers to memory locations inside the shared volatile memory. As required, the module does not output any SSPs to locations outside the TOEPP. For other key establishment methods, please refer to Section 2.10 Key Establishment.

9.3 SSP Zeroization Methods

Table 21: SSP Zeroization Methods As detailed in Section 9.1 Storage Areas, the module does not store any references to SSPs other than for the internal Counter control of the module only for individual API calls because these SSPs are otherwise under full control of the linked application. This document may be reproduced and distributed only in its original entirely without revision.

Page 62
Sensitive security parameter
NameTypeDescriptionStrengthUse
AES keysAES key - CSPKeys used for AES encryption / decryption128, 192, or 256 bits - 128, 192, or 256 bitsAES encryption / decryption AES GCM encryption / decryption (random IV) AES GCM encryption / decryption (TLS 1.2) AES GCM encryption / decryption (TLSAES key generation
HMAC keysHMAC key - CSPKeys used for HMAC generation>= 112 bits - >= 112 bitsHMAC generation
EdDSA private keysEdDSA private key - CSPKeys used for EdDSA signature generation32 or 57 bytes - 128 or 224 bitsEd25519 signature generation Ed448 signature generationEdDSA key pair generation
EdDSA public keysEdDSA public key - PSPKeys used for EdDSA signature verification32 or 57 bytes - 128 or 224 bitsEd25519 signature verification Ed448 signature verification EdDSA public key validationEdDSA key pair generation
ECDSA private keysECDSA private key - CSPKeys used for ECDSA signature generationUp to 521 bits - 112 to 256 bitsECDSA signature generationECDSA key pair generation
ECDSA public keysECDSA public key - PSPKeys used for ECDSA signature verificationUp to 521 bits - <= 80 (P-192) or 112 to 256 bits (other curves)ECDSA signature verification ECDSA public key validationECDSA key pair generation
DSA public keysDSA public key - PSPKeys used for DSA signature verificationUp to 3072 bits - <= 80 (L: 1024/N: 160) or 112 to 128 bits (other groups)DSA signature verification DSA domain parameter validation
RSA private keysRSA private key - CSPKeys used for RSA signature generationVariable - 112 to 256 bitsRSA PKCS1- v1.5 signature generation RSA PSS signature generation RSA signature generation with pre-computed hash (CVL)RSA key pair generation
RSA public keysRSA public key - PSPKeys used for RSA signature verificationVariable - <= 80 (1024 bits modulus) or 112 to 256 bits (longer modulus)RSA PKCS1- v1.5 signature verification RSA PSS signature verificationRSA key pair generation
KAS-ECC private keyECDSA private key - CSPOwn private keys used for KAS-ECCUp to 521 bits - 112 to 256 bitsKAS-SSC ECCKAS-SSC ECC
KAS-ECC public keyECDSA public key - PSPOwn public keys used for KAS-ECCUp to 521 bits - 112 to 256 bitsECDSA public key validation KAS-SSC ECCKAS-SSC ECC
KAS-FFC private keyDSA private key - CSPOwn private keys used for KAS-FFCUp to 3072 bits - 112 to 128 bitsKAS-SSC FFCKAS-SSC FFC
KAS-FFC public keyDSA public key - PSPOwn public keys used for KAS-FFCUp to 3072 bits - 112 to 128 bitsKAS-SSC FFCKAS-SSC FFC
Received KAS- ECC public keyECDSA public key - PSPReceived public keys used for KAS- ECCUp to 521 bits - 112 to 256 bitsKAS-SSC ECC
Received KAS- FFC public keyDSA public key - PSPReceived public keys used for KAS- FFCUp to 3072 bits - 112 to 128 bitsKAS-SSC FFC
9.4 SSPs

1.2) This document may be reproduced and distributed only in its original entirely without revision.

Page 63

1.3) This document may be reproduced and distributed only in its original entirely without revision.

Page 64

This document may be reproduced and distributed only in its original entirely without revision.

Page 65
Sensitive security parameter
NameTypeDescriptionStrengthUse
KTS-IFC private keyRSA private key - CSPOwn private keys used for KTS-IFCVariable - 112 to 256 bitsKTS-IFCKTS-IFC
KTS-IFC public keyRSA public key - PSPOwn public keys used for KTS-IFCVariable - 112 to 256 bitsKTS-IFCKTS-IFC
Received KTS- IFC public keyRSA public key - PSPReceived public keys used for KTS- IFCVariable - 112 to 256 bitsKTS-IFC
Shared secretShared secret - CSPOutput of KAS-ECC and KAS-FFCVariable - 112 to 256 bitsKAS-SSC FFC KAS-SSC ECC
Counter DRBG keyCounter DRBG key - CSPKey of the internal state of the AES- 256 Counter DRBG instance256 bits - 256 bitsRandom number generation AES encryption / decryption AES GCM encryption / decryption (random IV) AES CFB encryption / decryption RSA PKCS1- v1.5 signature generation RSA PSS signature generation ECDSA signature generation DSA domain parameterRandom number generation

This document may be reproduced and distributed only in its original entirely without revision.

Page 66
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
Counter DRBG VCounter DRBG value V - CSPValue V of the internal state of the AES-256 Counter DRBG instance128 bits - 128 bitsRandom number generationRandom number generation AES encryption / decryption AES GCM encryption / decryption (random IV) AES CFB encryption / decryption RSA PKCS1- v1.5 signature generation RSA PSS signature generation ECDSA signature generation DSA domain

V This document may be reproduced and distributed only in its original entirely without revision.

Page 67
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
Counter DBRG seed: entropy source outputBit string - CSPOutput of the entropy source512 bits - 512 bitsRandom number generationRandom number generation
Intermediate key generation valuesValues used for DSA, ECDSA, EdDSA, RSA key generation - CSPTemporary values used during key generationVariable - N/AEdDSA key pair generation ECDSA key pair generation RSA key pair generation KAS-SSC FFC KTS-IFC KAS-SSC ECC
Keying materialKeying material - CSPInput / output of KTS-IFCVariable - N/AKTS-IFCKTS-IFC

This document may be reproduced and distributed only in its original entirely without revision.

Page 68
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputStorage DurationRelated SSPs
KAS-ECC domain parametersDomain parameters - PSPDomain parameters used by the KAS- SSC ECCVariable - N/AKAS-SSC ECC
KAS-FFC domain parametersSP 800-56Ar3 FFC domain parameters - PSPDomain parameters used by the KAS- SSC FFCVariable - N/AKAS-SSC FFCKAS-SSC FFC
AES keysRAM:PlaintextModule: Automatic ProceduralAPI Input API outputFor a single API call
HMAC keysRAM:PlaintextProceduralAPI Input API outputFor a single API call
EdDSA private keysRAM:PlaintextModule: Automatic ProceduralAPI Input API outputFor a single API callEdDSA public keys:Paired With
EdDSA public keysRAM:PlaintextModule: Automatic ProceduralAPI Input API outputFor a single API callEdDSA private keys:Paired With
ECDSA private keysRAM:PlaintextProceduralAPI Input API outputFor a single API callECDSA public keys:Paired With
ECDSA public keysRAM:PlaintextProceduralAPI InputFor a single API callECDSA private keys:Paired With
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputStorage DurationRelated SSPs
KAS-ECC domain parametersDomain parameters - PSPDomain parameters used by the KAS- SSC ECCVariable - N/AKAS-SSC ECC
KAS-FFC domain parametersSP 800-56Ar3 FFC domain parameters - PSPDomain parameters used by the KAS- SSC FFCVariable - N/AKAS-SSC FFCKAS-SSC FFC
AES keysRAM:PlaintextModule: Automatic ProceduralAPI Input API outputFor a single API call
HMAC keysRAM:PlaintextProceduralAPI Input API outputFor a single API call
EdDSA private keysRAM:PlaintextModule: Automatic ProceduralAPI Input API outputFor a single API callEdDSA public keys:Paired With
EdDSA public keysRAM:PlaintextModule: Automatic ProceduralAPI Input API outputFor a single API callEdDSA private keys:Paired With
ECDSA private keysRAM:PlaintextProceduralAPI Input API outputFor a single API callECDSA public keys:Paired With
ECDSA public keysRAM:PlaintextProceduralAPI InputFor a single API callECDSA private keys:Paired With

Table 22: SSP Table 1 This document may be reproduced and distributed only in its original entirely without revision.

Page 69
Sensitive security parameter
NameStorageZeroizationOutputStorage DurationRelated SSPs
DSA public keysRAM:PlaintextProceduralAPI Input API outputFor a single API call
RSA private keysRAM:PlaintextProceduralAPI Input API outputFor a single API callRSA public keys:Paired With
RSA public keysRAM:PlaintextProceduralAPI Input API outputFor a single API callRSA private keys:Paired With
KAS-ECC private keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKAS-ECC public key:Paired With Received KAS-ECC public key:Used With
KAS-ECC public keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKAS-ECC private key:Paired With
KAS-FFC private keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKAS-FFC public key:Paired With Received KAS-FFC public key:Used With
KAS-FFC public keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKAS-FFC private key:Paired With
Received KAS-ECC public keyRAM:PlaintextProceduralAPI InputFor a single API callKAS-ECC private key:Used With
Received KAS-FFC public keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKAS-FFC private key:Used With
KTS-IFC private keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKTS-IFC public key:Paired With KTS-IFC public key:Used With
KTS-IFC public keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKTS-IFC private key:Paired With
Received KTS-IFC public keyRAM:PlaintextProceduralAPI Input API outputFor a single API callKTS-IFC private key:Used With
Shared secretRAM:PlaintextProceduralAPI outputFor a single API callKAS-ECC private key:Derived From Received KAS-ECC public key:Derived From KAS-FFC private key:Derived From Received KAS-FFC public key:Derived From
Counter DRBG keyRAM:PlaintextModule: FinalizationUntil finalization of the moduleCounter DBRG seed: entropy source output:Derived From Counter DRBG V:Paired With
Counter DRBG VRAM:PlaintextModule: FinalizationUntil finalization of the moduleCounter DRBG key:Paired With
Counter DBRG seed: entropy source outputRAM:PlaintextModule: AutomaticFor a single API call
Intermediate key generation valuesRAM:PlaintextModule: AutomaticFor a single API callCounter DRBG key:Derived From EdDSA private keys:Generates ECDSA public keys:Generates RSA private keys:Generates RSA public keys:Generates ECDSA private keys:Generates EdDSA public keys:Generates KAS-ECC private key:Generates KAS-ECC public key:Generates KAS-FFC private key:Generates KAS-FFC public key:Generates KTS-IFC private key:Generates KTS-IFC public key:Generates Counter DRBG V:Derived From
Keying materialRAM:PlaintextProceduralAPI Input API outputFor a single API callKTS-IFC private key:Decrypts Received KTS-IFC public key:Encrypts
KAS-ECC domain parametersRAM:PlaintextProceduralAPI Input API outputFor a single API callKAS-ECC private key:Used With KAS-ECC public key:Used With Received KAS-ECC public key:Used With
KAS-FFC domain parametersRAM:PlaintextProceduralAPI Input API outputFor a single API callKAS-FFC private key:Used With KAS-FFC public key:Used With Received KAS-FFC public key:Used With

This document may be reproduced and distributed only in its original entirely without revision.

Page 70

This document may be reproduced and distributed only in its original entirely without revision.

Page 71

Table 23: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.

Page 72

For the use of the above SSPs by the module’s approved services, please refer to Section 4.3 Approved Services. The module’s non-approved services do not access any of the module’s SSPs other than the Counter DRBG state, which is permitted per IG 2.4.A. For details on the use of the DRBG by the approved and non-approved services, please refer to Section 2.8 RBG and Entropy. Note that the HMAC key used for the integrity test is not considered as an SSP. Keys used by non-approved services are also not considered as SSPs.

9.5 Transitions

Information on the transitions for the CMVP-approved algorithms and security functions are provided in SP 800-57 Part 1 Revision 5 and SP 800-131A Revision 2 as well as on the NIST website. At the time of publication of this Security Policy, the following transitions are identified, which take effect in 2031:

Page 73
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest PropertiesConditions
HMAC- SHA2-256 (A5497)HMAC- SHA2-256 (A5497)The integrity of the module binary is tested by computing an HMAC over the entire shared library file. The correct reference value is stored in a separate file with the file extension "sha256".SW/FW IntegrityThe HMAC-SHA2-256 is self-tested using a KAT before this integrity test is performedKey length: 32 bytesReturn code < 0 in case of a failure.
HMAC-SHA2-256 (A5497)HMAC-SHA2-256 (A5497)KATCASTHMAC generationReturn code < 0 in case of a failure.Key length: 20 bytesModule initialization
SHAKE-128 (A5497)SHAKE-128 (A5497)KATCASTXOF generationReturn code < 0 inN/AModule initialization
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest PropertiesConditions
HMAC- SHA2-256 (A5497)HMAC- SHA2-256 (A5497)The integrity of the module binary is tested by computing an HMAC over the entire shared library file. The correct reference value is stored in a separate file with the file extension "sha256".SW/FW IntegrityThe HMAC-SHA2-256 is self-tested using a KAT before this integrity test is performedKey length: 32 bytesReturn code < 0 in case of a failure.
HMAC-SHA2-256 (A5497)HMAC-SHA2-256 (A5497)KATCASTHMAC generationReturn code < 0 in case of a failure.Key length: 20 bytesModule initialization
SHAKE-128 (A5497)SHAKE-128 (A5497)KATCASTXOF generationReturn code < 0 inN/AModule initialization
SHAKE-256 (A5497)SHAKE-256 (A5497)KATCASTXOF generationReturn code < 0 in case of a failure.N/AModule initialization
SHA-1 (A5497)SHA-1 (A5497)KATCASTHash generationReturn code < 0 in case of a failure.N/AModule initialization
SHA2-224 (A5497)SHA2-224 (A5497)KATCASTHash generationReturn code < 0 in case of a failure.N/AModule initialization
SHA2-256 (A5497)SHA2-256 (A5497)KATCASTHash generationReturn code < 0 in case of a failure.N/AModule initialization
SHA2-384 (A5497)SHA2-384 (A5497)KATCASTHash generationReturn code < 0 in case of a failure.N/AModule initialization
SHA2-512 (A5497)SHA2-512 (A5497)KATCASTHash generationReturn code < 0 in case of a failure.N/AModule initialization
SHA3-224 (A5497)SHA3-224 (A5497)KATCASTHash generationReturn code < 0 in case of a failure.N/AModule initialization
SHA3-256 (A5497)SHA3-256 (A5497)KATCASTHash generationReturn code < 0 inN/AModule initialization
SHA3-384 (A5497)SHA3-384 (A5497)KATCASTHash generationReturn code < 0 in case of a failureN/AModule initialization
SHA3-512 (A5497)SHA3-512 (A5497)KATCASTHash generationReturn code < 0 in case of a failureN/AModule initialization
DSA SigVer (FIPS186-4) (A5497)DSA SigVer (FIPS186-4) (A5497)KATCASTSignature verification using a fixed 32-byte hashReturn code < 0 in case of a failureGroup: FB (L: 2048/N: 224)Module initialization
ECDSA SigGen (FIPS186-5) (A5497)ECDSA SigGen (FIPS186-5) (A5497)KATCASTSignature generation using a fixed 32-byte hashReturn code < 0 in case of a failureCurve: P-256Module initialization
ECDSA SigVer (FIPS186-5) (A5497)ECDSA SigVer (FIPS186-5) (A5497)KATCASTSignature verification using a fixed 32-byte hashReturn code < 0 in case of a failureCurve: P-256Module initialization
EDDSA SigGen (A5497) with Edwards25519EDDSA SigGen (A5497) with Edwards25519KATCASTSignature generationReturn code < 0 in case of a failureCurve: Edwards25519Module initialization
EDDSA SigVer (A5497) with Edwards25519EDDSA SigVer (A5497) with Edwards25519KATCASTSignature verificationReturn code < 0 in case of a failureCurve: Edwards25519Module initialization
EDDSA SigGen (A5497) with Edwards448EDDSA SigGen (A5497) with Edwards448KATCASTSignature generationReturn code < 0 in case of a failureCurve: Edwards448Module initialization
EDDSA SigVer (A5497) with Edwards448EDDSA SigVer (A5497) with Edwards448KATCASTSignature verificationReturn code < 0 in case of a failureCurve: Edwards448Module initialization
RSA SigGen (FIPS186-5) (A5497)RSA SigGen (FIPS186-5) (A5497)KATCASTSignature generation using a fixed 32-byte hashReturn code < 0 in case of a failureModulus size: 2048 bits, Padding: PKCS1- v1.5Module initialization
RSA SigVer (FIPS186-5) (A5497)RSA SigVer (FIPS186-5) (A5497)KATCASTSignature verification using a fixed 32-byte hashReturn code < 0 in case of a failureModulus size: 2048 bits, Padding: PKCS1- v1.5Module initialization
KAS-ECC-SSC Sp800-56Ar3 (A5497)KAS-ECC-SSC Sp800-56Ar3 (A5497)KATCASTShared secret computation with two fixed key pairsReturn code < 0 in case of a failureCurve: P-256Module initialization
KAS-FFC-SSC Sp800-56Ar3 (A5497)KAS-FFC-SSC Sp800-56Ar3 (A5497)KATCASTShared secret computation with fixed keys (with g^x > p)Return code < 0 in case of a failureGroup: FB (L: 2048/N: 224) and ffdhe2048Module initialization
AES-ECB (A5497)AES-ECB (A5497)KATCASTEncryption and decryptionReturn code < 0 in case of a failureKey length: 128, 192, and 256 bitsModule initialization
AES-GCM (A5497)AES-GCM (A5497)KATCASTEncryption and decryptionReturn code < 0 in case of a failureKey length: 128 bitsModule initialization
Counter DRBG (A5497)Counter DRBG (A5497)KATCASTInstantiation with fixed entropy input, generation of random bytes with additional input (generated bytes are tested against known answer), reseed with fix entropy input and again generation of random bytes, now without additional input (generated bytes are tested against known answer)Return code < 0 in case of a failureKey length: 256 bitsModule initialization
DSA PQGGen (FIPS186-4) (A5497)DSA PQGGen (FIPS186-4) (A5497)KATCASTGeneration of p, q, and g with fixed randomnessReturn code < 0 in case of a failureGroup: FB (L: 2048/N: 224)Module initialization
DSA PQGVer (FIPS186-4) (A5497)DSA PQGVer (FIPS186-4) (A5497)KATCASTDomain parameter validation of fixed, correct parametersReturn code < 0 in case of a failureGroup: FB (L: 2048/N: 224)Module initialization
Entropy source: start-up / continuous health testsEntropy source: start-up / continuous health testsFault- detection testCASTAPT and RCT as specified in SP 800-90B as well as additional variations thereof performed on 6000 symbols.Return code < 0 in case of a failureN/AModule initialization
RSA SigGen and SigVer (FIPS186- 5) (A5497)RSA SigGen and SigVer (FIPS186- 5) (A5497)PCTPCTRSA signature generation and verification of a random 32-byte pseudo-hashReturn code < 0 in case of a failurePadding: PKCS1- v1.5After RSA and KTS-IFC key pair generation and RSA key pair import
RSA key-pair consistency (SP 800-56Br2)RSA key-pair consistency (SP 800-56Br2)PCTPCTKey-pair consistency check as specified in Section 6.4.1.2.3 of SP 800-56Br2Return code < 0 in case of a failureN/AAfter RSA and KTS-IFC key pair generation
ECDSA SigGen and SigVerECDSA SigGen and SigVerPCTPCTECDSA signature generation and verification of a random 32-byte pseudo-hashReturn code < 0 inN/AAfter ECDSA key pair
10 Self-Tests
10.1 Pre-Operational Self-Tests

HMACSHA2-256 Table 24: Pre-Operational Self-Tests The module only implements one pre-operational self-test. This test is performed under control of the module when the function crypt_init is called by the operator after the module was loaded. This function either returns RC_FIPS_APPROVED (value “1”) when all self-tests passed or an error code when something went wrong during initialization. Only when the return value is RC_FIPS_APPROVED, the module returns pointers to the exported APIs required to execute the module’s other security services. In addition to the pre-operational self-test described above, the module also automatically executes the Cryptographic Algorithm SelfTests (CASTs) described in Section 10.2 Conditional Self-Tests during its initialization. In case of a failure in at least one of the selftests executed during start-up, the module enters an error state (see Section 10.4 Error States for details). Please note that the module neither implements a pre-operational bypass test, as it does not implement a bypass functionality, nor a pre-operational critical function test, as all functions critical to its secure operation are already covered by other self-tests.

10.2 Conditional Self-Tests

N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 74

N/A N/A N/A N/A N/A N/A N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 75

N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 76

Padding: PKCS1v1.5 Padding: PKCS1v1.5 This document may be reproduced and distributed only in its original entirely without revision.

Page 77

N/A Faultdetection Padding: PKCS1v1.5 N/A N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 78
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditionsTest Properties
(FIPS186-5) (A5497)(FIPS186-5) (A5497)case of a failuregeneration and import
KAS-ECC pair- wise consistency (SP 800-56Ar3)KAS-ECC pair- wise consistency (SP 800-56Ar3)PCTPCTKey-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3Return code < 0 in case of a failureAfter ECDSA and KAS-ECC key pair generation and importN/A
EdDSA SigGen and SigVer (FIPS186-5) (A5497)EdDSA SigGen and SigVer (FIPS186-5) (A5497)PCTPCTEdDSA signature generation and verification of a fixed 7-byte messageReturn code < 0 in case of a failureAfter EdDSA key pair generation and importN/A
KAS-FFC pair- wise consistency (SP 800-56Ar3)KAS-FFC pair- wise consistency (SP 800-56Ar3)PCTPCTKey-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3Return code < 0 in case of a failureAfter KAS-FFC key pair generation and importN/A
HMAC-SHA2-256 (A5497)HMAC-SHA2-256 (A5497)The integrity of the module binary is testedSW/FW IntegrityOn demandModule reinitialization.
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditionsTest Properties
(FIPS186-5) (A5497)(FIPS186-5) (A5497)case of a failuregeneration and import
KAS-ECC pair- wise consistency (SP 800-56Ar3)KAS-ECC pair- wise consistency (SP 800-56Ar3)PCTPCTKey-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3Return code < 0 in case of a failureAfter ECDSA and KAS-ECC key pair generation and importN/A
EdDSA SigGen and SigVer (FIPS186-5) (A5497)EdDSA SigGen and SigVer (FIPS186-5) (A5497)PCTPCTEdDSA signature generation and verification of a fixed 7-byte messageReturn code < 0 in case of a failureAfter EdDSA key pair generation and importN/A
KAS-FFC pair- wise consistency (SP 800-56Ar3)KAS-FFC pair- wise consistency (SP 800-56Ar3)PCTPCTKey-pair consistency check as specified in Section 5.6.2.1.4 of SP 800-56Ar3Return code < 0 in case of a failureAfter KAS-FFC key pair generation and importN/A
HMAC-SHA2-256 (A5497)HMAC-SHA2-256 (A5497)The integrity of the module binary is testedSW/FW IntegrityOn demandModule reinitialization.

N/A N/A N/A Table 25: Conditional Self-Tests Since the module does not implement the corresponding functionality, it does not implement a conditional software/firmware load test, manual entry test, bypass test, or critical function test. As explained in Section 2.2 Tested and Vendor Affirmed Module Version and Identification, the module can be configured to use different PAAs for certain algorithms. These PAAs must be configured before the module’s self-tests are performed during module initialization. During module initialization, the module performs the conditional self-tests using the activated PAAs. While the module is in its initialized state, re-configuration of the activated PAAs is blocked. Changing the activated PAAs thus requires a re-initialization of the module (see Section 11.2 Administrator Guidance for details). Note that the module also implements self-tests for some non-approved algorithms (e.g., MD5 and RC4), but these self-tests are not listed here.

10.3 Periodic Self-Test Information

This document may be reproduced and distributed only in its original entirely without revision.

Page 79
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2-256 (A5497)HMAC-SHA2-256 (A5497)KATCASTOn demandModule reinitialization.
SHAKE-128 (A5497)SHAKE-128 (A5497)KATCASTOn demandModule reinitialization.
SHAKE-256 (A5497)SHAKE-256 (A5497)KATCASTOn demandModule reinitialization.
SHA-1 (A5497)SHA-1 (A5497)KATCASTOn demandModule reinitialization.
SHA2-224 (A5497)SHA2-224 (A5497)KATCASTOn demandModule reinitialization.
SHA2-256 (A5497)SHA2-256 (A5497)KATCASTOn demandModule reinitialization.
SHA2-384 (A5497)SHA2-384 (A5497)KATCASTOn demandModule reinitialization.
SHA2-512 (A5497)SHA2-512 (A5497)KATCASTOn demandModule reinitialization.
SHA3-224 (A5497)SHA3-224 (A5497)KATCASTOn demandModule reinitialization.
SHA3-256 (A5497)SHA3-256 (A5497)KATCASTOn demandModule reinitialization.
SHA3-384 (A5497)SHA3-384 (A5497)KATCASTOn demandModule reinitialization.
SHA3-512 (A5497)SHA3-512 (A5497)KATCASTOn demandModule reinitialization.
DSA SigVer (FIPS186- 4) (A5497)DSA SigVer (FIPS186- 4) (A5497)KATCASTOn demandModule reinitialization.
ECDSA SigGen (FIPS186-5) (A5497)ECDSA SigGen (FIPS186-5) (A5497)KATCASTOn demandModule reinitialization
ECDSA SigVer (FIPS186-5) (A5497)ECDSA SigVer (FIPS186-5) (A5497)KATCASTOn demandModule reinitialization
EDDSA SigGen (A5497) with Edwards25519EDDSA SigGen (A5497) with Edwards25519KATCASTOn demandModule reinitialization
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2-256 (A5497)HMAC-SHA2-256 (A5497)KATCASTOn demandModule reinitialization.
SHAKE-128 (A5497)SHAKE-128 (A5497)KATCASTOn demandModule reinitialization.
SHAKE-256 (A5497)SHAKE-256 (A5497)KATCASTOn demandModule reinitialization.
SHA-1 (A5497)SHA-1 (A5497)KATCASTOn demandModule reinitialization.
SHA2-224 (A5497)SHA2-224 (A5497)KATCASTOn demandModule reinitialization.
SHA2-256 (A5497)SHA2-256 (A5497)KATCASTOn demandModule reinitialization.
SHA2-384 (A5497)SHA2-384 (A5497)KATCASTOn demandModule reinitialization.
SHA2-512 (A5497)SHA2-512 (A5497)KATCASTOn demandModule reinitialization.
SHA3-224 (A5497)SHA3-224 (A5497)KATCASTOn demandModule reinitialization.
SHA3-256 (A5497)SHA3-256 (A5497)KATCASTOn demandModule reinitialization.
SHA3-384 (A5497)SHA3-384 (A5497)KATCASTOn demandModule reinitialization.
SHA3-512 (A5497)SHA3-512 (A5497)KATCASTOn demandModule reinitialization.
DSA SigVer (FIPS186- 4) (A5497)DSA SigVer (FIPS186- 4) (A5497)KATCASTOn demandModule reinitialization.
ECDSA SigGen (FIPS186-5) (A5497)ECDSA SigGen (FIPS186-5) (A5497)KATCASTOn demandModule reinitialization
ECDSA SigVer (FIPS186-5) (A5497)ECDSA SigVer (FIPS186-5) (A5497)KATCASTOn demandModule reinitialization
EDDSA SigGen (A5497) with Edwards25519EDDSA SigGen (A5497) with Edwards25519KATCASTOn demandModule reinitialization
EDDSA SigVer (A5497) with Edwards25519EDDSA SigVer (A5497) with Edwards25519KATCASTOn demandModule reinitialization
EDDSA SigGen (A5497) with Edwards448EDDSA SigGen (A5497) with Edwards448KATCASTOn demandModule reinitialization
EDDSA SigVer (A5497) with Edwards448EDDSA SigVer (A5497) with Edwards448KATCASTOn demandModule reinitialization
RSA SigGen (FIPS186- 5) (A5497)RSA SigGen (FIPS186- 5) (A5497)KATCASTOn demandModule reinitialization
RSA SigVer (FIPS186- 5) (A5497)RSA SigVer (FIPS186- 5) (A5497)KATCASTOn demandModule reinitialization
KAS-ECC-SSC Sp800- 56Ar3 (A5497)KAS-ECC-SSC Sp800- 56Ar3 (A5497)KATCASTOn demandModule reinitialization
KAS-FFC-SSC Sp800- 56Ar3 (A5497)KAS-FFC-SSC Sp800- 56Ar3 (A5497)KATCASTOn demandModule reinitialization
AES-ECB (A5497)AES-ECB (A5497)KATCASTOn demandModule reinitialization
AES-GCM (A5497)AES-GCM (A5497)KATCASTOn demandModule reinitialization
Counter DRBG (A5497)Counter DRBG (A5497)KATCASTOn demandModule reinitialization
DSA PQGGen (FIPS186-4) (A5497)DSA PQGGen (FIPS186-4) (A5497)KATCASTOn demandModule reinitialization
DSA PQGVer (FIPS186-4) (A5497)DSA PQGVer (FIPS186-4) (A5497)KATCASTOn demandModule reinitialization
Entropy source: start-up / continuous health testsEntropy source: start-up / continuous health testsFault-detection testCASTOn demandModule reinitialization
RSA SigGen and SigVer (FIPS186-5) (A5497)RSA SigGen and SigVer (FIPS186-5) (A5497)PCTPCTOn demandRSA and KTS-IFC key pair generation and import
RSA key-pair consistency (SP 800- 56Br2)RSA key-pair consistency (SP 800- 56Br2)PCTPCTOn demandRSA and KTS-IFC key pair generation
ECDSA SigGen and SigVer (FIPS186-5) (A5497)ECDSA SigGen and SigVer (FIPS186-5) (A5497)PCTPCTOn demandECDSA key pair generation and import
KAS-ECC pair-wise consistency (SP 800- 56Ar3)KAS-ECC pair-wise consistency (SP 800- 56Ar3)PCTPCTOn demandECDSA and KAS-ECC key pair generation and import
EdDSA SigGen and SigVer (FIPS186-5) (A5497)EdDSA SigGen and SigVer (FIPS186-5) (A5497)PCTPCTOn demandEdDSA key pair generation and import
KAS-FFC pair-wise consistency (SP 800- 56Ar3)KAS-FFC pair-wise consistency (SP 800- 56Ar3)PCTPCTOn demandKAS-FFC key pair generation and import

Table 26: Pre-Operational Periodic Information This document may be reproduced and distributed only in its original entirely without revision.

Page 80

This document may be reproduced and distributed only in its original entirely without revision.

Page 81
Service
NameDescriptionRole AccessIndicator
Initialization errorThe module remains in its uninitialized state. No cryptographic services are available.Module initialization failed due to self-test failure.Return code < 0 during module initialization.Manually by calling the crypt_init function.
Operational errorA conditional self-test performed after module initialized failed. Output of the affected data is inhibited.PCT failure.Return code < 0 returned by the function call that invoked the failed self-test.The module automatically recovers from this error state.

Table 27: Conditional Periodic Information The module does not perform any periodic self-testing on its own. When desired, the operator can manually perform periodic selftesting using the means described in Section 10.5 Operator Initiation of Self-Tests.

10.4 Error States

Table 28: Error States The module implements two different error states. In case of a failure during the self-tests performed during module start-up (i.e., the pre-operational integrity test and the CASTs), the module enters an error state that requires operator intervention to recover from. An initialization. If the module initialization fails due to failed self-tests or any other problem, the module does not return pointers to its other APIs, which are required to execute the module’s cryptographic security services. It also behaves as if it is still in its uninitialized state, thereby preventing the use of any previously returned function pointers. Exiting this error state is possible by reinitializing the module (see Section 10.5 Operator Initiation of Self-Tests for details). This document may be reproduced and distributed only in its original entirely without revision.

Page 82
Error causeReturned error code
Integrity test failureERR_CRYPT__CHECKSUM
Error reading shared library or checksum fileERR_CRYPT__CHECKSUMIO
CAST failureERR_CRYPT__ALGTEST
Entropy source self-test failureERR_CRYPT__RND
PCT failureERR_CRYPT__VALIDATION_FAILED

In case of a failure during a conditional self-test that is not automatically performed during start-up (see Section 10.2 Conditional SelfTests), the module briefly enters a different, transient error state. An error indicator is provided by the return value of the function that invoked the self-test. Output of the generated or imported key pair that caused the conditional self-test error is inhibited. Afterwards, the module automatically recovers from this error state. The concerned conditional self-test is repeated the next time the corresponding operation is performed (e.g., the pair-wise consistency tests are performed for each generated key pair). Table 29 lists the expected error codes (error indicators) related to failures of performed self-tests. More detailed information about which self-tests performed during module initialization failed can be obtained using the sec_crypto_get_feature_info API. Table 29: Error Causes and Expected Return Codes Please note that the module does not enter an error state when a failure unrelated to the conditional self-tests is detected after successful module initialization (e.g., because an invalid padding was detected, memory could not be allocated, or an assurance check failed). Instead, the function return values indicate to the operator the type of occurred failure.

10.5 Operator Initiation of Self-Tests

All self-tests listed in Section 10.3 Periodic Self-Test Information with “module initialization” listed as their execution condition can be executed on-demand using the ‘initialize and self-test’ service described in Section 4.3 Approved Services. The exact procedure to use this service depends on the current state of the module:

Page 83
Approved algorithm
NameMode Method
SHA2-256 checksumPackageShared library fileHMAC file
aix-6.1-ppc-64D5E4BC00EB784AE9F0179361B7189B4959 33ACFFEF50D1789A659E6F5827A364aix-6.1-ppc-64libslcryptokernel.solibslcryptokernel.so.sha256
aix-7.2-ppc-641A5D901BEA61ED1D0BFC138A5BF9698C4 C076A88AADAD60AB94506A21062F5C2aix-7.2-ppc-64libslcryptokernel.solibslcryptokernel.so.sha256
hpux-b.11.31-ia-644B55441FA1F732499A20F979A00FEF335C 7E252804DFED956356959DFF1F157Ahpux-b.11.31-ia-64libslcryptokernel.solibslcryptokernel.so.sha256
linux-gcc-11.2-armv8-645106BBAA77B89DB6B320CCF46706FF92C D343DD55388AB1D58637D225F6E580Dlinux-gcc-11.2-armv8-64libslcryptokernel.solibslcryptokernel.so.sha256
linux-gcc-4.3-ia-643AFF87073CFC5397525577A3141F60D8A9 C08458D5791CB1E01FD73C715040E0linux-gcc-4.3-ia-64libslcryptokernel.solibslcryptokernel.so.sha256
linux-gcc-4.3-s390x-64B649BD3CED0C78473F27A102C48A957AD A35399CDDCF239B31D1AEB89F93CB65linux-gcc-4.3-s390x-64libslcryptokernel.solibslcryptokernel.so.sha256
linux-gcc-4.3-x86-64FAAEA6FE2320E29990DDB52DE893E33D8 5186E5F3C8DE255510355648E22D5FFlinux-gcc-4.3-x86-64libslcryptokernel.solibslcryptokernel.so.sha256
linux-gcc-4.8-ppcle-648DA6D5355BB2A0DF40D105662696AF434 A537D2E3E651556F0D3689F80CE1B29linux-gcc-4.8-ppcle-64libslcryptokernel.solibslcryptokernel.so.sha256
linux-musl-1.2.4-x86-64881BF8113DB20671975EF4EBF30957F8D9 916526D88A6BC1388AA6F3CD2F36E1linux-musl-1.2.4-x86-64libslcryptokernel.solibslcryptokernel.so.sha256
macosx-arm-64DA40327726E62140992D4FDE9D3A9CA55 7020750F81F45D68E23B9BBC9D8DF7Amacosx-arm-64libslcryptokernel.dyliblibslcryptokernel.dylib.sha256
macosx-x86-64FEBD7C3E85E0F0817D6B903B35E93060E 231368784028CAE2DE8C672076DFDF1macosx-x86-64libslcryptokernel.dyliblibslcryptokernel.dylib.sha25
sunos-5.10-sparc-6439653C77CFF17DD9EFE61CF6F31F7FB1B AF580DF4D6585CECB68F65832278EDFsunos-5.10-sparc-64libslcryptokernel.solibslcryptokernel.so.sha256
sunos-5.10-x86-64F9260FB594EE2E62247518CFCC4EDA4A4 E803B5681D7C77042E68FCE47E60392sunos-5.10-x86-64libslcryptokernel.solibslcryptokernel.so.sha256
windows-x86-6442BD86658272851A24510F14316491B0805 6B421012DF0C13E08A9F39E5AB92Awindows-x86-64slcryptokernel.dllslcryptokernel.dll.sha256
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Two files are provided for the installation of the module as explained in Section 2.2 Tested and Vendor Affirmed Module Version and Identification. The file names depend on the operating system for which the module is provided. The file names for the tested operational environments are listed in Table 30. Table 30: Module File Names and Checksums The module is delivered as part of multiple applications developed by SAP SE. Each application’s installation package contains the FIPS 140-3 certified module. The Crypto Officer should use the SHA2-256 checksum provided in Table 30 to check that the desired version of the module is installed. This document may be reproduced and distributed only in its original entirely without revision.

Page 84
FileNon-AdministratorAdministrator
Shared libraryRead, executeRead, write, execute
HMAC fileReadRead, write

The Crypto Officer should also make sure that the files are installed with the access permissions shown in Table 31. The following terms are used in this table:

Page 85
11.2 Administrator Guidance

The administrator and non-administrator guidance is provided in the following documents that are provided by SAP SE together with the module:

11.3 Non-Administrator Guidance

The same set of guidance is applicable to administrator and non-administrator users of the module. Therefore, please refer to Section 11.2 Administrator Guidance for the non-administrator guidance.

11.4 Design and Rules

Please refer to Section 11.1 Installation, Initialization, and Startup Procedures and Section 11.2 Administrator Guidance for a description of the module’s rules of operation. This document may be reproduced and distributed only in its original entirely without revision.

Page 86
11.5 Maintenance Requirements

The module does not require any maintenance.

11.6 End of Life

The module does not store any SSPs persistently. Secure sanitation of the module can thus be performed by using the ‘finalize and zeroize service to zeroize all SSPs that are under control of the module and by procedurally zeroizing of all other SSPs that are under control of the operator. For details, please see Section 4.3 Approved Services and Section 9.3 SSP Zeroization Methods. This document may be reproduced and distributed only in its original entirely without revision.

Page 87
12 Mitigation of Other Attacks
12.1 Attack List

The module implements the following measures to mitigate attacks other than those already addressed by functionality required by FIPS 140-3 Security Level 1:

12.2 Mitigation Effectiveness

The use of a random blinding factor that is unknown to an attacker makes it more difficult to perform successful timing attacks on RSA private key and ECDSA signature generation operations, as the execution time is not only dependent on the private key value. However, it is important to note that blinding does not completely eliminate these attacks.

12.3 Guidance and Constraints

As blinding is performed transparently within the boundary of the cryptographic module, no user configuration or interaction is involved. This document may be reproduced and distributed only in its original entirely without revision.

Page 88

This document may be reproduced and distributed only in its original entirely without revision. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. See

Referenced URLs