All modules
CMVP Validated Module · FIPS 140-3 Security Policy

VaultIP RT-130

Certificate#5100StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorRambus Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date12/1/2030
CaveatWhen operated in approved mode.
VendorRambus Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for VaultIP RT-130
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>firmware load</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>No authentication</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for VaultIP RT-130
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>firmware load</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>No authentication</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Rambus Inc. VaultIP RT-130 Prepared by: Prepared for: atsec information security corporation Rambus Inc.

4516 Seton Center Parkway, Suite 250 4453 North First Street, Suite 100

Austin, TX 78759 San Jose, CA 95134 www.atsec.com www.rambus.com

Page 2
Table of Contents
#SectionPage
Page 3

©2024 Rambus Inc. / atsec information security.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Hardware9
Table 3: Modes List and Description9
Table 4: Approved Algorithms13
Table 5: Vendor-Affirmed Algorithms13
Table 6: Non-Approved, Allowed Algorithms13
Table 7: Non-Approved, Allowed Algorithms with No Security Claimed14
Table 8: Non-Approved, Not Allowed Algorithms15
Table 9: Security Function Implementations19
Table 10: Entropy Certificates20
Table 11: Entropy Sources20
Table 12: Ports and Interfaces22
Table 13: Authentication Methods23
Table 14: Roles23
Table 15: Approved Services36
Table 16: Non-Approved Services38
Table 17: Mechanisms and Actions Required42
Table 18: Storage Areas44
Table 19: SSP Input-Output Methods45
Table 20: SSP Zeroization Methods45
Table 21: SSP Table 150
Table 22: SSP Table 255
Table 23: Pre-Operational Self-Tests56
Table 24: Conditional Self-Tests59
Table 25: Pre-Operational Periodic Information60
Table 26: Conditional Periodic Information61
Table 27: Error States62
Figure 1 - Xilinx Zynq XC7Z045 FPGA7
Figure 2: Block Diagram8
Page 5
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for the Rambus VaultIP RT-

130 cryptographic module (hereafter referred to as “the module” or RT-130 or only VaultIP).

It contains a specification of the rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 2 module.

1.2 Security Levels

Section Title Security Level

1 General 2

2 Cryptographic module specification 2

3 Cryptographic module interfaces 2

4 Roles, services, and authentication 2

5 Software/Firmware security 2

6 Operational environment N/A

7 Physical security 2

8 Non-invasive security N/A

9 Sensitive security parameter management 2

10 Self-tests 2

11 Life-cycle assurance 2

12 Mitigation of other attacks N/A

Overall Level 2 Table 1: Security Levels

1.3 Additional Information

VaultIP is a Silicon IP Security Module which includes a complete set of high-level and lowlevel cryptographic functions. It offers key management and crypto functions needed for platform and application security such as Content Protection and Mobile Payment, and can be used stand-alone or as a 'Root of Trust' to support a Trusted Execution Environment-based platform. VaultIP completely shields all key and security sensitive data from all CPUs, interfaces and memory. Security sensitive materials are stored as assets that never leave VaultIP in unencrypted and/or non-authenticated form. Additionally, VaultIP offers hardware security features that are needed when operating in a Trusted Execution Environment (TEE). These features include One-Time-Programmable memory (OTP) access and management, Random Number Generation / entropy source, timers, (short) monotonic/non-volatile counters and import and export of keys and other assets. ©2024 Rambus Inc. / atsec information security.

Page 6

The module provides a slave and a master interface. The slave interface is used to receive commands from one or more host CPUs. The master interface is used for autonomous data reads and writes from and to an external memory, flash or interface. VaultIP supports many Approved or Allowed cryptographic algorithms. ©2024 Rambus Inc. / atsec information security.

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The primary application of VaultIP is in mobile communications and consumer electronics appliances, where authentication, encrypted content processing using standard protocols, and protection of keys and other sensitive assets are required. VaultIP is best suited for mobile phones, tablets, wireless handsets, PDA-like devices and set top boxes that have the resources and connectivity to download, store and play back digital media content. These small, battery-powered devices require a low power IP solution with these features available in VaultIP. VaultIP is primarily aimed to be integrated in the design of Application-Specific Integrated Circuits (ASIC). However, it can also be synthesized in a Field-Programmable Gate Array (FPGA). Module Type: Hardware Module Embodiment: SingleChip Module Characteristics [O]: SubChip Cryptographic Boundary: The block diagram in Figure 2 shows the cryptographic module boundary represented with the red line box and the physical boundary shown as the most external thick black line. The orange and grey boxes represent the VaultIP components that comprise the IP core. The VaultIP firmware is stored in Program ROM and Program RAM. Figure 2 shows the details of interfaces that cross the security boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): For the purpose of this Cryptographic Module Validation, VaultIP is synthesized on the Xilinx Zynq XC7Z045 FPGA chip, which belongs to the Zynq-7000 All Programmable SoC series. The Xilinx ZC706 evaluation board for the XC7Z045 SoC provides the hardware environment for developing and evaluating the hardware design of VaultIP. Photograph and Block Diagram The module physical boundary is defined by the Xilinx Zynq XC7Z045 FPGA perimeter. The FPGA is a rectangular enclosure measuring approximately 31 mm x 31 mm x 3 mm. Figure 1 - Xilinx Zynq XC7Z045 FPGA The block diagram of the sub-chip module is shown below. ©2024 Rambus Inc. / atsec information security.

Page 8

Figure 2: Block Diagram ©2024 Rambus Inc. / atsec information security.

Page 9
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever Approved Equivalent to the mode an approved service is requested indicator of the requested service Non- Automatically entered whenever Non- Equivalent to the approved a non-approved service is Approved indicator of the mode requested requested service Table 3: Modes List and Description Mode Change Instructions and Status: Once the module is powered on and the self-tests are successful, the module becomes operational and transitions to approved mode automatically. The mode of operation is assumed based on the service invoked i.e., the module switches back and forth between approved and non-approved modes based on the service called. By default, the module is in approved mode. The non-approved mode of operation is entered when non-approved services are requested (Section 4.4). The module switches back to approved mode of operation when an approved service in Section 4.3 is called. The module implements the approved service indicator as described in Section 4.3.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5264 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 ©2024 Rambus Inc. / atsec information security.

Page 10

Algorithm CAVP Properties Reference Cert AES-CCM A5264 Key Length - 128, 192, 256 SP 800-38C AES-CMAC A5264 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A5264 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5264 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A5264 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.2 Key Length - 128, 192, 256 AES-GMAC A5264 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.2 Key Length - 128, 192, 256 AES-KWP A5264 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-XTS Testing A5264 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A5264 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No ECDSA KeyGen A5264 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - extra bits ECDSA KeyVer A5264 Curve - P-192 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A5264 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A5264 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 Component - No ECDSA SigVer A5264 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, PHash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A5263 Curve - P-256 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-256 ECDSA SigVer A5264 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 ©2024 Rambus Inc. / atsec information security.

Page 11

Algorithm CAVP Properties Reference Cert HMAC-SHA-1 A5264 Key Length - Key Length: 112-512 FIPS 198-1 Increment 8 HMAC-SHA2-224 A5264 Key Length - Key Length: 112-512 FIPS 198-1 Increment 8 HMAC-SHA2-256 A5264 Key Length - Key Length: 128-512 FIPS 198-1 Increment 8 HMAC-SHA2-384 A5264 Key Length - Key Length: 192-1024 FIPS 198-1 Increment 8 HMAC-SHA2-512 A5264 Key Length - Key Length: 256-1024 FIPS 198-1 Increment 8 HMAC-SHA3-224 A5264 Key Length - Key Length: 112-1152 FIPS 198-1 Increment 8 HMAC-SHA3-256 A5264 Key Length - Key Length: 128-1088 FIPS 198-1 Increment 8 HMAC-SHA3-384 A5264 Key Length - Key Length: 192-832 FIPS 198-1 Increment 8 HMAC-SHA3-512 A5264 Key Length - Key Length: 256-576 FIPS 198-1 Increment 8 KAS-ECC Sp800- A5264 Domain Parameter Generation Methods SP 800-56A 56Ar3 - P-224, P-256, P-384, P-521 Rev. 3 Function - Key Pair Generation Scheme fullUnified KAS Role - Initiator, Responder KDF Methods oneStepKdf Key Length - 512 ephemeralUnified KAS Role - Initiator, Responder KDF Methods oneStepKdf Key Length - 512 onePassUnified KAS Role - Initiator, Responder KDF Methods oneStepKdf Key Length - 512 onePassDh KAS Role - Initiator, Responder KDF Methods oneStepKdf Key Length - 512 staticUnified KAS Role - Initiator, Responder KDF Methods ©2024 Rambus Inc. / atsec information security.

Page 12

Algorithm CAVP Properties Reference Cert oneStepKdf Key Length - 512 KDF SP800-108 A5264 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: Rev. 1 112-1152 Increment 8 KTS-IFC A5264 Modulo - 2048, 3072 SP 800-56B Key Generation Methods - rsakpg1-basic Rev. 2 Scheme KTS-OAEP-basic KAS Role - responder Key Transport Method Key Length - 1024 RSA SigGen A5264 Modulo - 2048, 3072 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss RSA SigVer A5264 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-2) Modulo - 1536 RSA SigVer A5264 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 RSA SigVer A5264 Modulo - 2048, 3072 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss SHA-1 A5264 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-224 A5264 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-256 A5255 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-256 A5263 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-256 A5264 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-384 A5264 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-512 A5264 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA3-224 A5264 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

SHA3-256 A5264 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

SHA3-384 A5264 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

©2024 Rambus Inc. / atsec information security.

Page 13

Algorithm CAVP Properties Reference Cert SHA3-512 A5264 Message Length - Message Length: 0- FIPS 202

65536 Increment 8

Table 4: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key N/A SP 800-133r2, Section 4, (symmetric) Type:Symmetric example 1 CKG Key N/A SP 800-133r2, Section 4, (asymmetric) Type:Asymmetric example 1 Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: Name Properties Implementation Reference ECDSA key Curves:brainpoolP224r1, Rambus Root of FIPS 140-3 IG pair brainpoolP256r1, brainpoolP384r1, Trust RT-130 (RAM) C.A; RFC generation brainpoolP512r1 (112, 128, 192, 256 5639 bits of security) ECDSA Curves:brainpoolP224r1, Rambus Root of FIPS 140-3 IG signature brainpoolP256r1, brainpoolP384r1, Trust RT-130 (RAM) C.A; RFC generation brainpoolP512r1 (112, 128, 192, 256 5639 bits of security) ECDSA Curves:brainpoolP192r1, Rambus Root of FIPS 140-3 IG signature brainpoolP224r1, brainpoolP256r1, Trust RT-130 (RAM) C.A; RFC verification brainpoolP384r1, brainpoolP512r1 5639 (96, 112, 128, 192, 256 bits of security) KAS-ECC Curves:brainpoolP224r1, Rambus Root of FIPS 140-3 IG brainpoolP256r1, brainpoolP384r1, Trust RT-130 (RAM) C.A; RFC brainpoolP512r1 (112, 128, 192, 256 5639 bits of security) Table 6: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function Image de- Firmware images obfuscated using a non- De-obfuscation of the obfuscation approved AES key are considered plaintext RAM firmware image and unprotected (IG 2.4.A) ©2024 Rambus Inc. / atsec information security.

Page 14

Name Caveat Use and Function AES SIV SSPs obfuscated using this algorithm are De-obfuscation of Asset considered plaintext and unprotected (IG Key Blobs or OTP Key 2.4.A) Blobs Table 7: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Name Use and Function AES CTR using external IV Encryption AES ICM Encryption, Decryption AES GCM using external IV Authenticated encryption AES GCM using IV generated with non- Authenticated encryption approved entropy source configuration SHA-1 standalone Message digest AES CBC-MAC MAC AES GMAC using IV generated with non- MAC approved entropy source configuration HMAC with key sizes less than 112 bits MAC Non-approved entropy source configuration Random number generation TwoStep KDF Key derivation CKG with key sizes less than 112 bits Symmetric key generation CKG with non-approved entropy source Symmetric key generation configuration ECDSA key pair generation with non-approved Key pair generation entropy source configuration ECDSA with P-192 Key pair generation, Signature generation ECDSA with SHA-1 Signature generation ECDSA with non-approved entropy source Signature generation configuration ECDSA (pre-hashed message) Signature generation, Signature verification RSA with modulus size not 2048 or 3072 bits Signature generation RSA with modulus size not 1024, 1536, 2048, Signature verification or 3072 bits RSA with SHA-1 Signature generation RSA-PSS with non-approved entropy source Signature generation configuration ©2024 Rambus Inc. / atsec information security.

Page 15

Name Use and Function RSA-PSS with invalid salt length Signature generation, Signature verification Diffie-Hellman Key pair generation, Key pair verification, Shared secret computation EC Diffie-Hellman Shared secret computation Ed25519 Key pair generation, Signature generation, Signature verification X25519 Key pair generation, Shared secret computation RSA-OAEP Key encapsulation RSA-PKCS#1v1.5 Key encapsulation, Key un-encapsulation ECIES Key encapsulation, Key un-encapsulation Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Signature DigSig-SigVer Verify a digital ECDSA SigVer verification signature (ROM) (FIPS186-5): (ROM) (A5263) SHA2-256: (A5263) Encryption BC-UnAuth Encrypt a AES-CBC: plaintext (A5264) AES-CTR: (A5264) AES-ECB: (A5264) AES-XTS Testing Revision 2.0: (A5264) Decryption BC-UnAuth Decrypt a AES-CBC: ciphertext (A5264) AES-CTR: (A5264) AES-ECB: (A5264) AES-XTS Testing Revision 2.0: (A5264) Authenticated BC-Auth Encrypt a AES-CCM: encryption plaintext (A5264) AES-GCM: (A5264) ©2024 Rambus Inc. / atsec information security.

Page 16

Name Type Description Properties Algorithms Authenticated BC-Auth Decrypt a AES-CCM: decryption plaintext (A5264) AES-GCM: (A5264) Message digest SHA Compute a SHA2-224: message digest (A5264) SHA2-256: (A5264) SHA2-384: (A5264) SHA2-512: (A5264) SHA3-224: (A5264) SHA3-256: (A5264) SHA3-384: (A5264) SHA3-512: (A5264) MAC MAC Compute a MAC AES-CMAC: tag (A5264) AES-GMAC: (A5264) SHA-1: (A5264) HMAC-SHA-1: (A5264) HMAC-SHA2224: (A5264) HMAC-SHA2256: (A5264) HMAC-SHA2384: (A5264) HMAC-SHA2512: (A5264) HMAC-SHA3224: (A5264) HMAC-SHA3256: (A5264) HMAC-SHA3384: (A5264) HMAC-SHA3512: (A5264) Random DRBG Generate SHA2-256: number random bytes (A5255) generation Counter DRBG: (A5264) Key wrapping KTS-Wrap Wrap a key Key size:128, AES-KWP: (KTS) 192, 256 bits (A5264) Standard:SP ©2024 Rambus Inc. / atsec information security.

Page 17

Name Type Description Properties Algorithms 800-38F IG D.G:approved Key confirmation:no Caveat:Key establishment methodology provides between 128 and 256 bits of security strength Key unwrapping KTS-Unwrap Unwrap a Key size:128, AES-KWP: (KTS) wrapped key 192, 256 bits (A5264) Standard:SP 800-56Brev2 IG D.G:approved Key confirmation:no Caveat:Key establishment methodology provides between 128 and 256 bits of security strength Key derivation KBKDF Derive a key KDF SP800-108: from a key (A5264) derivation key Symmetric key CKG Generate a Standard:SP CKG generation symmetric key 800-133r2, (symmetric): () Section 4, Counter DRBG: example 1 (A5264) Key pair AsymKeyPair- Generate an EC ECDSA KeyGen generation KeyGen key pair (FIPS186-5): (A5264) Key pair AsymKeyPair- Verify an EC key ECDSA KeyVer verification KeyVer pair (FIPS186-4): (A5264) ECDSA KeyVer (FIPS186-5): (A5264) Signature DigSig-SigGen Generate a ECDSA SigGen generation digital signature (FIPS186-5): (A5264) RSA SigGen ©2024 Rambus Inc. / atsec information security.

Page 18

Name Type Description Properties Algorithms (FIPS186-5): (A5264) Signature DigSig-SigVer Verify a digital SHA-1: (A5264) verification signature ECDSA SigVer (FIPS186-4): (A5264) ECDSA SigVer (FIPS186-5): (A5264) RSA SigVer (FIPS186-2): (A5264) RSA SigVer (FIPS186-4): (A5264) RSA SigVer (FIPS186-5): (A5264) KAS KAS-Full Establish a Curve:P-224, P- KAS-ECC Sp800shared key 256, P-384, P- 56Ar3: (A5264) among two 521 parties Security strength:112, 128, 192, 256 bits IG:IG D.F Scenario 2, path (2), end-to-end Key confirmation:no Key derivation:KDA (tested as part KAS certificate) Caveat:Key establishment methodology provides between 112 and 256 bits of security strength KTS- KTS-Decap Un-encapsulate Modulus KTS-IFC: Decapsulation an size:2048, 3072 (A5264) encapsulated bits key RSA key generation method:N/A Standard:SP 800-56Brev2 IG ©2024 Rambus Inc. / atsec information security.

Page 19

Name Type Description Properties Algorithms D.G:approved Key confirmation:no Caveat:Key establishment methodology provides between 112 and 128 bits of security strength Table 9: Security Function Implementations

2.7 Algorithm Specific Information

AES-GCM IV (IG C.H): VaultIP is compliant with scenario 2 of FIPS 140-3 IG C.H in [FIPS1403_IG]. The internal IV is generated in the encryption operation using the RBG-based construction method as defined in section 8.2.2 of [SP800-38D]. VaultIP generates an IV with a length of 96 bits, initialized with random data obtained from the SP800-90Ar1 DRBG implemented in the module. AES-XTS (IG C.I): The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. VaultIP implements a check to ensure that the two AES keys used in XTS-AES algorithm are not identical, meeting the requirement of FIPS 140-3 IG C.I in [FIPS140-3_IG]. SP800-56Ar3 assurances (IG D.F): To comply with the assurances found in Section 5.6.2 of SP 800-56Ar3, the keys for KAS-ECC must be generated using the approved key generation services specified in Section 2.9. The module performs full public key validation on the generated public keys. Additionally, the module performs full public key validation on the received public keys. If the module is used to perform key agreement with the “One-Pass Diffie-Hellman”, “Static Unified Model”, or “One-Pass Unified Model” schemes, a trusted third party is used to obtain the assurance of private key possession for the static peer public key. RSA modulus size (IG C.F): In compliance with FIPS 186-5, the RSA Signature Generation uses module sizes greater or equal to 2048 bits. The 1536 bits RSA is used in approved mode for FIPS 186-2 signature verification, the 1024-bit modulus is used in approved mode for FIPS 186-4 signature verification and the modulus size for FIPS 186-5 signature verification are

2048 and 3072 bits. All supported modulus sizes have been CAVP tested.

SP800-56Br2 assurances (IG D.G): The entity using the IUT must obtain required assurances listed in section 6.4 of SP 800-56Br2 as follows:

6.4.1.1 of the SP 800-56Br2. Additionally, the entity shall renew these assurances

over time by using any method described in section 6.4.1.5 of the SP 800-56Br2. Legacy use (IG C.M): Per SP800-131r2, the SHA-1 with FIPS 186-4 RSA and ECDSA Digital Signature Verification is used in approved mode (for legacy use), the FIPS 186-4 ECDSA Signature Verification with P-192 is used in approved mode (for legacy use), RSA Digital Signature Verification is used in approved mode (for legacy use) with 1024-bit or 1536-bit modulus. ©2024 Rambus Inc. / atsec information security.

Page 20
2.8 RBG and Entropy

Cert Vendor Number Name E167 Rambus Inc. Table 10: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample EIP130 TRNG Physical Xilinx Zynq 256 bits Full SHA2-256 Entropy Source XC7Z045 FPGA Entropy (A5255) Table 11: Entropy Sources The module provides an SP800-90Ar1-compliant Deterministic Random Bit Generator (DRBG) using CTR_DRBG mechanism with AES-256 for generation of key components of asymmetric keys, and random number generation. The DRBG does not employ a derivation function. The DRBG is seeded and reseeded with 384 bits of entropy input (corresponding to 384 bits of entropy) provided from the entropy source inside the module. This corresponds to scenario 1 of IG 9.3.A. The module complies with the Public Use Document (URL provided in section 11.2) for ESV certificate E167 by reading entropy data from the SHA2-256 conditioning function, which corresponds to the conditioned GetEntropy() function. Outputs of multiple GetEntropy() calls are concatenated to receive the entropy input length greater than 256 bits. The output is truncated to get the entropy input string which is not a multiple of 256. The 384 bits of entropy source output is obtained by calling the GetEntropy() twice, with each call providing 256 bits of output. The second call output is truncated to 128 bits and concatenated to the 256-bit output from the first call. The operational environment on the ESV certificate is identical to the Xilinx Zynq XC7Z045 FPGA, in which the sub-chip components are contained. There are no maintenance requirements for the entropy source.

2.9 Key Generation

VaultIP provides services for generating symmetric and asymmetric keys compliant with [SP800-133r2] section 4 example 1 (vendor affirmed). VaultIP implements symmetric key generation for AES and HMAC keys (”Asset Load (random)” service), using random data obtained from a Deterministic Random Bit Generator (DRBG) compliant with [SP800-90Ar1]. VaultIP implements asymmetric key generation for ECDSA and EC Diffie-Hellman key pairs ("Key pair generation" service) with the following methods:

5.2 i.e. key generation method specified in [SP800-56Ar3] section 5.6.1.2.1 used by

approved key-establishment schemes which maps to [FIPS186-5]. ©2024 Rambus Inc. / atsec information security.

Page 21

Intermediate key generation values are not output from the cryptographic module during or after processing the service. VaultIP implements a key-based key derivation function (KBKDF) in Counter or Feedback modes ("Asset Load (derive)" service) using HMAC-SHA-256 or AES-CMAC [SP800-108r1upd1].

2.10 Key Establishment

Vault IP also provides EC Diffie-Hellman key agreement compliant with [SP800-56Ar3] and using SHA-256 as a one-step key derivation function compliant with section 4.1 of [SP80056Cr2] according to scenario 2 path (2) of IG D.F. The key agreement scheme provides between 112 and 256 bits of security strength. VaultIP provides SSP transport to the dynamic assets entered in encrypted form:

2.11 Industry Protocols

The module does not implement any industry protocol. ©2024 Rambus Inc. / atsec information security.

Page 22
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Port Logical Data That Passes Interface(s) TCM slave Data Input Service requests, service input data, service Data Output output data, service result codes Control Input Status Output DMA-TCM master Data Input Bulk service input and output data Data Output Coprocessor interface Data Output Asset (SSP) data MODULE_STATUS Status Module status register Output soft_reset pin Control Input Soft reset abort_req pin Control Input Soft reset reset_n pin Control Input Hard reset clk pin Control Input Clock signal fatal_error pin Status Fatal error Output power pin Power Power Table 12: Ports and Interfaces The slave and master interfaces connect the VaultIP RT-130 to the AXI bus system. The slave interface is used to receive commands from one or more host CPUs and send the appropriate response. The master interface is used for autonomous data reads and writes from and to an external memory, flash or interface. ©2024 Rambus Inc. / atsec information security.

Page 23
4 Roles, Services, and Authentication
4.1 Authentication Methods

Method Description Security Strength Strength per Name Mechanism Each Minute Attempt Login 32-bit PIN value Module compares 32- 32 bits (guess 22.74 bits (guess service must be bit PIN value provided probability = probability = provided via the by operator with 1/2^32, 614/2^32, Login service Login PIN provisioned approx. 10^- approx. 10^-6.84) during module 9.63) at 614 attempts installation per minute Table 13: Authentication Methods The Crypto Officer role is initialized via the “Provision Random HUK” service, which accepts the 32-bit Login PIN and instructs the module to generate the Hardware Unique Key (HUK) and install the 32-bit Login PIN. The Login PIN is stored in One Time Programmable (OTP) memory and is protected against disclosure, modification, and substitution like any CSP. It cannot be altered except by zeroization of the whole OTP memory. After power-up, the module will require the authentication of the Crypto Officer role before allowing execution of most services (exceptions listed in the table below). Authentication is performed through the use of a 32-bit Login PIN provided in the input parameters of the Login service. The module compares this PIN with the 32-bit Login PIN stored in the OTP during installation. If the comparison succeeds, then the Login service succeeds and the module is unlocked. Otherwise, the module enters the firmware error state and must be hard reset to allow a new authentication attempt. The Crypto Officer role is always authenticated, both in approved mode and non-approved modes of operation. No authentication data can be output by any of the available services.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO Login service Table 14: Roles No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Description Indicator Inputs Output Security SSP s Function Access s System Continue FW Firmware N/A Signature Unauthenti Boot initialization accepted bit signature, verificatio cated of the module is set in the de- n (ROM) by loading MODULE_ST obfuscatio ©2024 Rambus Inc. / atsec information security.

Page 24

Name Description Indicator Inputs Output Security SSP s Function Access s the RAM ATUS n key, firmware register ECDSA image public key, deobfuscatio n IV Encryptio Encrypt a FAsvc bit is Plaintext, Ciphert Encryptio Crypto n plaintext set in the IV (if ext n Officer service applicable - Static AES output ), asset key: E store - Dynamic reference AES key: E to key Decryptio Decrypt a FAsvc bit is Ciphertext Plaintex Decryptio Crypto n ciphertext set in the , IV (if t n Officer service applicable - Static AES output ), asset key: E store - Dynamic reference AES key: E to key Authentic Encrypt a FAsvc bit is Plaintext, Ciphert Authentic Crypto ated plaintext set in the IV, asset ext, ated Officer Encryptio service store MAC encryptio - Static AES n output reference tag n key: E to key - Dynamic AES key: E Authentic Decrypt a FAsvc bit is Ciphertext Plaintex Authentic Crypto ated ciphertext set in the , IV, MAC t or fail ated Officer Decryptio service tag, asset decryptio - Static AES n output store n key: E reference - Dynamic to key AES key: E Hash Compute a FAsvc bit is Message Digest Message Crypto message set in the value digest Officer digest service output MAC Tag Generate a FAsvc bit is Message, MAC MAC Crypto Generatio MAC tag set in the asset tag Officer n service store - Static AES output reference key: E to key - Dynamic AES key: E - Static HMAC key: E - Dynamic ©2024 Rambus Inc. / atsec information security.

Page 25

Name Description Indicator Inputs Output Security SSP s Function Access s HMAC key: E MAC Tag Verify a MAC FAsvc bit is Message, Pass/fail MAC Crypto Verificatio tag for a set in the MAC tag, Officer n message service asset - Static AES output store key: E reference - Dynamic to key AES key: E - Static HMAC key: E - Dynamic HMAC key: E RNG Reseed the FAsvc bit is N/A N/A Random Crypto Configura DRBG set in the number Officer tion service generatio - Entropy (reseed) output n input: G,E,Z - DRBG seed: G,E,Z - Internal state (V, Key): G,E,Z RNG Get Generate FAsvc bit is Output Rando Random Crypto Random random bytes set in the size m bytes number Officer Number using the service generatio - Internal DRBG or output n state (V, entropy Key): E source RNG Post- Verify the N/A Known Test None Crypto Processin conditioning noise random Officer g component input or bits Verificatio and DRBG DRBG n self-tests state using known values inputs RNG Verify the N/A Health Result None Crypto Hardware entropy test Officer Self-Test source health paramete Verificatio tests using rs, known n known inputs noise input Symmetri Wrap key FAsvc bit is Key Wrappe Key Crypto c Wrap material set in the wrapping d key wrapping Officer using AES service key or materia (KTS) - Static AES KWP output asset l key: E store - Dynamic ©2024 Rambus Inc. / atsec information security.

Page 26

Name Description Indicator Inputs Output Security SSP s Function Access s reference AES key: E to key - AES key wrapping wrapping key, key key: W,E material to be wrapped Symmetri Unwrap key FAsvc bit is Key Unwrap Key Crypto c Unwrap material set in the wrapping ped key unwrappi Officer using AES service key, materia ng (KTS) - AES key KWP output wrapped l wrapping key key: W,E material Asset Allocate N/A Asset size Asset None Crypto Create space for an store Officer asset in the referen Dynamic ce to Asset Store SSP Static Search for an N/A Asset Asset None Unauthenti Asset asset in the number store cated Search Static Asset referen Store ce to SSP Asset Derive a key FAsvc bit is Asset N/A Key Crypto Load from a key set in the store derivation Officer (derive) derivation service reference - HUK: E key and store output to key - Dynamic the result in derivation AES key: G the Dynamic key, asset - Dynamic Asset Store store HMAC key: reference G to derived - Static key key derivation key: E - Dynamic key derivation key: G,E Asset De-obfuscate N/A Obfuscate N/A None Crypto Load obfuscated d key Officer (import) key material material, - Dynamic using AES-SIV asset AES key: W and store the store - Dynamic result in the reference HMAC key: Dynamic to key W Asset Store - Dynamic (AES key, key ©2024 Rambus Inc. / atsec information security.

Page 27

Name Description Indicator Inputs Output Security SSP s Function Access s HMAC key, derivation key key: W derivation - Dynamic key, EC EC public public/private key: W key, or RSA - Dynamic public/private EC private key) key: W - Dynamic RSA public key: W - Dynamic RSA private key: W Asset Generate FAsvc bit is Key size, Obfusca Symmetri Crypto Load symmetric set in the asset ted key c key Officer (random) key material service store materia generatio - Internal using the output reference l n state (V, DRBG, store to key (option Key): E the result in material al) - Dynamic the Dynamic AES key: Asset Store, G,R and - Dynamic optionally HMAC key: output the G,R obfuscated - Dynamic result key derivation key: G,R Asset Store N/A Plaintext Obfusca None Crypto Load plaintext key key ted key Officer (plaintext material in material, materia - Dynamic ) the Dynamic asset l AES key: Asset Store store (option R,W and reference al) - Dynamic optionally to key HMAC key: output the R,W obfuscated - Dynamic result key derivation key: R,W - Dynamic EC public key: R,W - Dynamic EC private key: R,W - Dynamic RSA public ©2024 Rambus Inc. / atsec information security.

Page 28

Name Description Indicator Inputs Output Security SSP s Function Access s key: R,W - Dynamic RSA private key: R,W Asset Unwrap FAsvc bit is Wrapped N/A Key Crypto Load wrapped key set in the key unwrappi Officer (unwrap) material service material, ng (KTS) - Dynamic using AES output asset AES key: W KWP and store - Dynamic store the reference HMAC key: result in the to key W Dynamic - Dynamic Asset Store key derivation key: W - Dynamic EC public key: W - Dynamic EC private key: W - Dynamic RSA public key: W - Dynamic RSA private key: W Asset Delete an N/A Asset N/A None Crypto Delete asset from store Officer the Dynamic reference - Dynamic Asset Store to SSP AES key: Z - Dynamic HMAC key: Z - Dynamic key derivation key: Z - Dynamic EC public key: Z - Dynamic EC private key: Z - Dynamic RSA public key: Z - Dynamic ©2024 Rambus Inc. / atsec information security.

Page 29

Name Description Indicator Inputs Output Security SSP s Function Access s RSA private key: Z Asset Export an N/A Asset Asset None Crypto Export asset via the store data Officer coprocessor reference - Dynamic interface to SSP, AES key: R coprocess - Dynamic or HMAC key: selection R - Dynamic key derivation key: R - Dynamic EC public key: R - Dynamic EC private key: R - Dynamic RSA public key: R - Dynamic RSA private key: R Public Read a Public N/A Asset Public None Unauthenti Data Data asset store Data cated Read reference asset Monotoni Read a N/A Asset Monoto None Unauthenti c Counter Monotonic store nic cated Read Counter asset reference Counter value Monotoni Increment a N/A Asset N/A None Crypto c Counter Monotonic store Officer Increment Counter asset reference OTP Data De-obfuscate N/A Obfuscate N/A None Crypto Write obfuscated d key Officer key material material, - HUK: W using AES-SIV asset - Static AES and store the store key: W result in the reference - Static Static Asset to key HMAC key: Store (HUK, W AES key, - Static key HMAC key, derivation key key: W derivation - Static EC ©2024 Rambus Inc. / atsec information security.

Page 30

Name Description Indicator Inputs Output Security SSP s Function Access s key, EC public key: public/private W key, or RSA - Static EC public/private private key: key) W - Static RSA public key: W - Static RSA private key: W Provision Generate a HUK has Login PIN, AES-SIV Symmetri Crypto Random random HUK FIPSApprove HUK size obfusca c key Officer HUK using the d bit set ted HUK generatio - Internal DRBG and n state (V, store the Key): E result - Login PIN: (together W with the - HUK: G,R provided Login PIN) in the Static Asset Store Secure Start, stop, or N/A Asset Timer None Crypto Timer read a timer store value Officer reference Dynamic Zeroize the N/A N/A N/A None Crypto Asset Dynamic Officer Store Asset Store - Dynamic Reset AES key: Z - Dynamic HMAC key: Z - Dynamic key derivation key: Z - Dynamic EC public key: Z - Dynamic EC private key: Z - Dynamic RSA public key: Z - Dynamic ©2024 Rambus Inc. / atsec information security.

Page 31

Name Description Indicator Inputs Output Security SSP s Function Access s RSA private key: Z Show Return N/A N/A Module None Unauthenti status information status cated about the module state Show Return N/A N/A Module None Unauthenti version information version cated about the module hardware and firmware Self-Test Perform all FAsvc bit is N/A N/A None Crypto CASTs set in the Officer service output Reset Reset the N/A N/A N/A None Crypto module to its Officer initial state Login Authenticate N/A Login PIN N/A None Unauthenti as the Crypto cated Officer - Login PIN: E Authentic Step 1 in the FAsvc bit is Asset Nonce Random Crypto ated two-step set in the store number Officer Unlock protocol to service reference generatio - Internal Start enable output to n state (V, Secure authentic Key): E Debug for ation key peripherals Authentic Step 2 in the FAsvc bit is Nonce, N/A Signature Crypto ated two-step set in the signature verificatio Officer Unlock protocol to service n - Static EC Verify enable output public key: Secure E Debug for - Dynamic peripherals EC public key: E Set Activate a N/A Port N/A None Crypto Secure Secure number Officer Debug Debug port for a peripheral ©2024 Rambus Inc. / atsec information security.

Page 32

Name Description Indicator Inputs Output Security SSP s Function Access s Key pair Generate a FAsvc bit is Curve or N/A Key pair Crypto generatio key pair set in the modulus generatio Officer n service size, asset n - Internal output store state (V, reference Key): E s to key - Static EC pair public key: G - Dynamic EC public key: G - Static EC private key: G - Dynamic EC private key: G - Static RSA public key: G - Dynamic RSA public key: G - Static RSA private key: G - Dynamic RSA private key: G Intermediat e key generation value: G,E,Z Key pair Verify a key FAsvc bit is Asset Pass/fail Key pair Crypto verificatio pair set in the store verificatio Officer n service reference n - Static EC output s to key public key: pair G - Dynamic EC public key: G - Static EC private key: G - Dynamic EC private key: G ©2024 Rambus Inc. / atsec information security.

Page 33

Name Description Indicator Inputs Output Security SSP s Function Access s - NIST SP 80056Arev3 domain parameters :E Signature Generate a FAsvc bit is Message, Signatu Signature Crypto generatio signature for set in the asset re generatio Officer n a message service store n - Static EC output reference private key: to private E key - Dynamic EC private key: E - Static RSA private key: E - Dynamic RSA private key: E Signature Verify a FAsvc bit is Message, Pass/fail Signature Crypto verificatio signature for set in the signature, verificatio Officer n a message service asset n - Static EC output store public key: reference E to public - Dynamic key EC public key: E - Static RSA public key: E - Dynamic RSA public key: E KAS Establish a FAsvc bit is Asset N/A KAS Crypto shared key set in the store Officer among two service reference( - Static AES parties output s) to key: G owner - Dynamic private AES key: G key(s), - Static asset HMAC key: store G reference( - Dynamic s) to peer HMAC key: public G key(s), - Static key asset derivation store key: G ©2024 Rambus Inc. / atsec information security.

Page 34

Name Description Indicator Inputs Output Security SSP s Function Access s reference - Dynamic to shared key key derivation key: G - Static EC public key: E - Dynamic EC public key: E - Static EC private key: E - Dynamic EC private key: E - Shared secret: G,E,Z - NIST SP 80056Arev3 domain parameters :E Key un- Un- FAsvc bit is Encapsula N/A KTS- Crypto encapsula encapsulate set in the ted key Decapsul Officer tion key material service material, ation - Dynamic using KTS-IFC output asset AES key: W store - Dynamic reference HMAC key: to owner W private - Dynamic key, asset key store derivation reference key: W to un- - Dynamic encapsula EC public ted key key: W - Dynamic EC private key: W - Dynamic RSA public key: W - Static RSA public key: E - Dynamic ©2024 Rambus Inc. / atsec information security.

Page 35

Name Description Indicator Inputs Output Security SSP s Function Access s RSA private key: W,E Register Read from a N/A Address Read None Unauthenti Read specified data cated address Register Write to a N/A Address, N/A None Crypto Write specified write data Officer address Clock Activate/deac N/A Clock N/A None Crypto Switch tivate clocks configurat Officer ion Zeroize Zeroize the N/A N/A N/A None Crypto Output output Officer Mailbox mailbox Select Step 1 in the N/A N/A N/A None Crypto OTP OTP Officer Zeroize zeroization process Zeroize Step 2 in the N/A N/A N/A None Crypto OTP OTP Officer zeroization - Login PIN: process Z - HUK: Z - Static AES key: Z - Static HMAC key: Z - Static key derivation key: Z - Static EC public key: Z - Static EC private key: Z - Static RSA public key: Z - Static RSA private key: Z - NIST SP 80056Arev3 domain ©2024 Rambus Inc. / atsec information security.

Page 36

Name Description Indicator Inputs Output Security SSP s Function Access s parameters :Z Sleep Move the N/A N/A N/A None Crypto Mode module to the Officer Sleep Mode Resume Restore the N/A N/A N/A None Unauthenti From module to the cated Sleep operational state Firmware Verify a FAsvc bit is Firmware Pass/fail Signature Crypto Check firmware set in the image, verificatio Officer image using service firmware n - Firmware ECDSA output signature signature signature verificatio verification verification n key key: W,E Update Update the N/A New N/A None Crypto RollbackI RollbackID RollbackI Officer D D Hard Forcefully N/A N/A N/A None Unauthenti reset reset the cated module using a hardware pin Table 15: Approved Services The following convention is used to specify access rights to SSPs:

4.4 Non-Approved Services

©2024 Rambus Inc. / atsec information security.

Page 37

Name Description Algorithms Role Encryption Encrypt a plaintext AES CTR using external Crypto IV Officer AES ICM Decryption Decrypt a ciphertext AES CTR using external Crypto IV Officer AES ICM Authenticated Encrypt a plaintext AES GCM using Crypto Encryption external IV Officer AES GCM using IV generated with nonapproved entropy source configuration Hash Compute a message digest SHA-1 standalone Crypto Officer MAC Tag Generate a MAC tag AES CBC-MAC Crypto Generation AES GMAC using IV Officer generated with nonapproved entropy source configuration HMAC with key sizes less than 112 bits MAC Tag Verify a MAC tag for a message AES CBC-MAC Crypto Verification HMAC with key sizes Officer less than 112 bits RNG Configuration Use non-approved entropy Non-approved entropy Crypto (reconfiguration) source configuration source configuration Officer RNG Get Random Generate random bytes using a Non-approved entropy Crypto Number non-approved entropy source source configuration Officer configuration Asset Load (derive) Derive a key from a key TwoStep KDF Crypto derivation key and store the Officer result in the Dynamic Asset Store Asset Load Generate symmetric key CKG with key sizes less Crypto (random) material using the DRBG, store than 112 bits Officer the result in the Dynamic Asset CKG with non-approved Store, and optionally output the entropy source obfuscated result configuration Authenticated Step 1 in the two-step protocol Non-approved entropy Crypto Unlock Start to enable Secure Debug for source configuration Officer peripherals Key pair generation Generate a key pair ECDSA key pair Crypto generation with non- Officer approved entropy source configuration ECDSA with P-192 ©2024 Rambus Inc. / atsec information security.

Page 38

Name Description Algorithms Role Diffie-Hellman Ed25519 X25519 Key pair Verify a key pair Diffie-Hellman Crypto verification Officer Signature Generate a signature for a ECDSA with P-192 Crypto generation message ECDSA with SHA-1 Officer ECDSA with nonapproved entropy source configuration ECDSA (pre-hashed message) RSA with modulus size not 2048 or 3072 bits RSA with SHA-1 RSA-PSS with nonapproved entropy source configuration RSA-PSS with invalid salt length Ed25519 Signature Verify a signature for a message ECDSA (pre-hashed Crypto verification message) Officer RSA with modulus size not 1024, 1536, 2048, or 3072 bits RSA-PSS with invalid salt length Ed25519 Key agreement Establish a shared key among Diffie-Hellman Crypto two parties X25519 Officer Shared secret Establish a shared secret among Diffie-Hellman Crypto computation two parties EC Diffie-Hellman Officer X25519 Key encapsulation Encapsulate key material RSA-OAEP Crypto RSA-PKCS#1v1.5 Officer ECIES Key un- Un-encapsulate key material RSA-PKCS#1v1.5 Crypto encapsulation ECIES Officer Table 16: Non-Approved Services

4.5 External Software/Firmware Loaded

Upon startup, the ROM firmware component loads the RAM firmware from external storage into the sub-chip cryptographic subsystem. The integrity of the RAM firmware is determined by verifying an ECDSA P-256 with SHA2-256 signature stored in the firmware that was computed at build time. If the signature verification fails, the firmware load test fails. The ©2024 Rambus Inc. / atsec information security.

Page 39

public key used to verify this signature is provided with the RAM firmware, the private key associated with this public key is controlled by the vendor. The hash of the public key is compared with a hash value stored in ROM to ensure the authenticity of the provided public key. All data output is inhibited during the execution of the firmware load test and the firmware loading process. ©2024 Rambus Inc. / atsec information security.

Page 40
5 Software/Firmware Security
5.1 Integrity Techniques

The module employs a CRC24 as integrity technique to integrity verify the ROM code during startup.

5.2 Initiate on Demand

Integrity tests are performed when the module is powered on. The integrity test can be performed on demand by powering off and powering on the module. ©2024 Rambus Inc. / atsec information security.

Page 41
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Non-Modifiable How Requirements are Satisfied: N/A ©2024 Rambus Inc. / atsec information security.

Page 42
7 Physical Security
7.1 Mechanisms and Actions Required

Mechanism Inspection Inspection Frequency Guidance Tamper-evident coating covering the FPGA components: N/A N/A integrated heat spreader, substrate with solder ball grid array, silicon chip with TMI Table 17: Mechanisms and Actions Required The integrated heat spreader (IHS) serves as a protective shell for the processing silicon chip. The IHS lid, the substrate with solder ball grid array, and the silicon chip covered with Thermal Interface material (TMI) are production-grade components. They provide opacity in the visible spectrum. ©2024 Rambus Inc. / atsec information security.

Page 43
8 Non-Invasive Security

The module does not implement any non-invasive security mechanisms. ©2024 Rambus Inc. / atsec information security.

Page 44
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Area Description Persistence Name Type Static Asset Store SSPs are stored in One Time Programmable (OTP) Static memory Dynamic Asset SSPs are maintained in Data RAM Dynamic Store Table 18: Storage Areas The Static Asset Store and Dynamic Asset Store maintain internal separation of the SSPs (including CSPs) in approved and non-approved modes of operation. Each asset internally maintains a "Fips Approved" bit which indicates if the asset can be used in an approved service or not. SSPs that are not stored in an Asset Store are only transiently used for a specific service. They are by definition exclusive between approved and non-approved services.

9.2 SSP Input-Output Methods

Name From To Format Distributio Entry SFI or Type n Type Type Algorithm OTP Static Coprocesso Plaintext Manual Electroni coprocesso Asset r interface c r export Store OTP Operator Static Asset Plaintext Manual Electroni obfuscated calling Store c import applicatio n (TOEPP) OTP Static Operator Plaintext Manual Electroni obfuscated Asset calling c export Store application (TOEPP) RAM Dynamic Coprocesso Plaintext Manual Electroni coprocesso Asset r interface c r export Store RAM Operator Dynamic Plaintext Manual Electroni plaintext calling Asset Store c import applicatio n (TOEPP) RAM Operator Dynamic Plaintext Manual Electroni obfuscated calling Asset Store c import applicatio n (TOEPP) ©2024 Rambus Inc. / atsec information security.

Page 45

Name From To Format Distributio Entry SFI or Type n Type Type Algorithm RAM Dynamic Operator Plaintext Manual Electroni obfuscated Asset calling c export Store application (TOEPP) RAM Operator Dynamic Encrypte Manual Electroni Key encrypted calling Asset Store d c unwrappin import applicatio g (KTS) n (TOEPP) RAM Dynamic Operator Encrypte Manual Electroni Key encrypted Asset calling d c wrapping export Store application (KTS) (TOEPP) Table 19: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Asset Delete Zeroize and delete Memory occupied by SSPs is By invoking the service an SSP from the overwritten with zeroes, Asset Delete Dynamic Asset Store which renders the SSP service values irretrievable Zeroize OTP Zeroize all OTP OTP memory is overwritten By invoking the service memory, including all by ones, which renders the Select OTP SSPs contained in the SSP values for all SSPs in Zeroize and Static Asset Store the Static Asset Store Zeroize OTP irretrievable services Dynamic Asset Zeroize all SSPs Dynamic Asset Store By invoking the Store Reset contained in the memory is overwritten by Dynamic Asset service Dynamic Asset Store zeroes, which renders the Store Reset SSP values for all SSPs in service the Dynamic Asset Store irretrievable Automatic SSP is automatically Memory occupied by SSPs is N/A zeroized by the overwritten with zeroes, module when no which renders the SSP longer needed values irretrievable Module reset De-allocates the Volatile memory used by Via the soft_reset, volatile memory used the module is overwritten abort_req, or to store SSPs in the within nanoseconds when reset_n pins, or by Dynamic Asset Store the module is reset invoking the Reset service Table 20: SSP Zeroization Methods ©2024 Rambus Inc. / atsec information security.

Page 46

SSP zeroization when overwriting RAM or OTP memory is performed without delay. Additionally, control is not returned to the operator until the zeroization is completed, preventing any potential compromise of the zeroized SSP. All data output is inhibited during zeroization. The Asset Delete, Zeroize OTP, and Dynamic Asset Store Reset services provide an explicit indicator when the service (i.e., zeroization) completes: Result output parameter. Automatic SSP zeroization is indicated to the operator by successful completion of the relevant service.

9.4 SSPs

Name Descripti Size - Type - Generat Establish Used By on Strength Category ed By ed By Login PIN PIN value 32 bits - 32 Authenticat used to bits ion data authentic CSP ate the Crypto Officer HUK Hardware 128, 256 bits Root key - Symmetr Key Unique - 128, 256 CSP ic key derivation Key used bits generati to derive on trusted keys Static AES AES key XTS: 256, Symmetric Symmetr Key Encryption key used for 512 bits; key - CSP ic key unwrappin Decryption encryptio other modes: generati g (KTS) Authentica n, 128, 192, on KAS ted decryptio 256 bits - Key KTS- encryption n, and XTS: 128, derivatio Decapsulat Authentica computin 256 bits; n ion ted g MAC other modes: decryption tags 128, 192, MAC

256 bits Key

wrapping (KTS) Dynamic AES key XTS: 256, Symmetric Symmetr Key Encryption AES key used for 512 bits; key - CSP ic key unwrappin Decryption encryptio other modes: generati g (KTS) Authentica n, 128, 192, on KAS ted decryptio 256 bits - Key KTS- encryption n, and XTS: 128, derivatio Decapsulat Authentica computin 256 bits; n ion ted g MAC other modes: decryption tags 128, 192, MAC

256 bits

AES key AES key 128, 192, Symmetric Key Key wrapping used for 256 bits - key - CSP wrapping wrapping key wrapping (KTS) (KTS) ©2024 Rambus Inc. / atsec information security.

Page 47

Name Descripti Size - Type - Generat Establish Used By on Strength Category ed By ed By and 128, 192, Key Key unwrappi 256 bits unwrappin unwrappin ng g (KTS) g (KTS) Static HMAC key 112-1152 Symmetric Symmetr Key MAC HMAC key used for bits - 112- key - CSP ic key unwrappin computin 256 bits generati g (KTS) g MAC on KAS tags Key KTSderivatio Decapsulat n ion Dynamic HMAC key 112-1152 Symmetric Symmetr Key MAC HMAC key used for bits - 112- key - CSP ic key unwrappin computin 256 bits generati g (KTS) g MAC on KAS tags Key KTSderivatio Decapsulat n ion Entropy Entropy 384 bits - Entropy Random Random input input 384 bits input - CSP number number used to generati generation seed the on DRBG DRBG DRBG 384 bits - Seed - CSP Random Random seed seed 384 bits number number derived generati generation from the on entropy input Internal Internal 384 bits - Internal Random Random state (V, state of 256 bits state - CSP number number Key) CTR_DRB generati generation G on instance Static key Symmetri 112-1152 Symmetric Symmetr Key Key derivation c key bits - 112- key - CSP ic key unwrappin derivation key used to 256 bits generati g (KTS) derive on KTSsymmetri Key Decapsulat c keys derivatio ion n Dynamic Symmetri 112-1152 Symmetric Symmetr Key Key key c key bits - 112- key - CSP ic key unwrappin derivation derivation used to 256 bits generati g (KTS) key derive on KTSsymmetri Key Decapsulat c keys derivatio ion n ©2024 Rambus Inc. / atsec information security.

Page 48

Name Descripti Size - Type - Generat Establish Used By on Strength Category ed By ed By Static EC Public key P-192, P-224, Public key - Key pair KTS- Key pair public key used for P-256, P-384, PSP generati Decapsulat verification ECDSA P-521, on ion Signature and KAS- brainpoolP19 verification ECC 2r1, KAS brainpoolP22 4r1, brainpoolP25 6r1, brainpoolP38 4r1, brainpoolP51 2r1 - 96-256 bits Dynamic Public key P-192, P-224, Public key - Key pair KTS- Key pair EC public used for P-256, P-384, PSP generati Decapsulat verification key ECDSA P-521, on ion Signature and KAS- brainpoolP19 verification ECC 2r1, KAS brainpoolP22 4r1, brainpoolP25 6r1, brainpoolP38 4r1, brainpoolP51 2r1 - 96-256 bits Static EC Private P-224, P-256, Private key Key pair KTS- Key pair private key used P-384, P-521, - CSP generati Decapsulat verification key for ECDSA brainpoolP22 on ion Signature and KAS- 4r1, generation ECC brainpoolP25 KAS 6r1, brainpoolP38 4r1, brainpoolP51 2r1 - 112-

256 bits

Dynamic Private P-224, P-256, Private key Key pair KTS- Key pair EC key used P-384, P-521, - CSP generati Decapsulat verification private for ECDSA brainpoolP22 on ion Signature key and KAS- 4r1, generation ECC brainpoolP25 KAS 6r1, brainpoolP38 4r1, brainpoolP51 ©2024 Rambus Inc. / atsec information security.

Page 49

Name Descripti Size - Type - Generat Establish Used By on Strength Category ed By ed By 2r1 - 112-

256 bits

Static Public key 1024, 1536, Public key - KTS- Signature RSA used for 2048, 3072 PSP Decapsulat verification public key RSA bits - 80-132 ion bits Dynamic Public key 1024, 1536, Public key - KTS- Signature RSA used for 2048, 3072 PSP Decapsulat verification public key RSA bits - 80-132 ion bits Static Private 2048, 3072 Private key KTS- Signature RSA key used bits - 110- - CSP Decapsulat generation private for RSA 132 bits ion KTSkey Decapsulat ion Dynamic Private 2048, 3072 Private key KTS- Signature RSA key used bits - 110- - CSP Decapsulat generation private for RSA 132 bits ion KTSkey Decapsulat ion Firmware Public key P-256 - 128 Public key - Signature signature used for bits PSP verification verificatio firmware n key signature verificatio n Shared Shared 224-512 bits Shared KAS KAS secret secret - 112-256 secret establishe bits CSP d as part of KASECC Intermedi Temporar 224-4096 Intermediat ate key y value bits - 112- e value generatio generate 256 bits CSP n value d during key pair generatio n services NIST SP Domain P-192, P-224, Domain KAS 800- paramete P-256, P-384, parameter 56Arev3 rs used as P-521, - PSP domain part of brainpoolP19 paramete KAS-ECC 2r1, rs brainpoolP22 4r1, brainpoolP25 ©2024 Rambus Inc. / atsec information security.

Page 50

Name Descripti Size - Type - Generat Establish Used By on Strength Category ed By ed By 6r1, brainpoolP38 4r1, brainpoolP51 2r1 - 96-256 bits Table 21: SSP Table 1 Name Input - Storage Storage Zeroizatio Related Output Duration n SSPs Login PIN OTP Static Asset For the Zeroize OTP obfuscated Store:Obfuscate lifetime of service import d the module HUK OTP Static Asset For the Zeroize OTP obfuscated Store:Obfuscate lifetime of service import d the module OTP obfuscated export Static AES OTP Static Asset Until Zeroize OTP HUK:Derived key coprocesso Store:Obfuscate explicitly service From r export d zeroized Static key OTP derivation obfuscated key:Derived import From Dynamic key derivation key:Derived From Shared secret:Derive d From Dynamic RAM Dynamic Asset Until Asset HUK:Derived AES key coprocesso Store:Obfuscate explicitly Delete From r export d zeroized or service Static key RAM module Module derivation plaintext reset reset key:Derived import Dynamic From RAM Asset Store Dynamic key obfuscated Reset derivation import service key:Derived RAM From obfuscated Shared export secret:Derive RAM d From encrypted import RAM ©2024 Rambus Inc. / atsec information security.

Page 51

Name Input - Storage Storage Zeroizatio Related Output Duration n SSPs encrypted export AES key RAM For the Automatic wrapping plaintext duration of key import the service Static HMAC OTP Static Asset Until Zeroize OTP HUK:Derived key coprocesso Store:Obfuscate explicitly service From r export d zeroized Static key OTP derivation obfuscated key:Derived import From Dynamic key derivation key:Derived From Shared secret:Derive d From Dynamic RAM Dynamic Asset Until Asset HUK:Derived HMAC key coprocesso Store:Obfuscate explicitly Delete From r export d zeroized or service Static key RAM module Dynamic derivation plaintext reset Asset Store key:Derived import Reset From RAM service Dynamic key obfuscated Module derivation import reset key:Derived RAM From obfuscated Shared export secret:Derive RAM d From encrypted import RAM encrypted export Entropy From Automatic input generation until DRBG seed is created DRBG seed While the Automatic Entropy DRBG is input:Derived being From instantiated Internal From DRBG Automatic DRBG state (V, instantiatio Module seed:Derived Key) n until reset From ©2024 Rambus Inc. / atsec information security.

Page 52

Name Input - Storage Storage Zeroizatio Related Output Duration n SSPs DRBG termination Static key OTP Static Asset Until Zeroize OTP HUK:Derived derivation coprocesso Store:Obfuscate explicitly service From key r export d zeroized Shared OTP secret:Derive obfuscated d From import Dynamic RAM Dynamic Asset Until Asset HUK:Derived key coprocesso Store:Obfuscate explicitly Delete From derivation r export d zeroized or service Shared key RAM module Dynamic secret:Derive plaintext reset Asset Store d From import Reset RAM service obfuscated Module import reset RAM obfuscated export RAM encrypted import RAM encrypted export Static EC OTP Static Asset Until Zeroize OTP Static EC public key coprocesso Store:Obfuscate explicitly service private r export d zeroized key:Paired OTP With obfuscated import Dynamic EC RAM Dynamic Asset Until Asset Dynamic EC public key coprocesso Store:Obfuscate explicitly Delete private r export d zeroized or service key:Paired RAM module Dynamic With plaintext reset Asset Store import Reset RAM service obfuscated Module import reset RAM obfuscated export RAM encrypted import RAM ©2024 Rambus Inc. / atsec information security.

Page 53

Name Input - Storage Storage Zeroizatio Related Output Duration n SSPs encrypted export Static EC OTP Static Asset Until Zeroize OTP Static EC private key coprocesso Store:Obfuscate explicitly service public r export d zeroized key:Paired OTP With obfuscated import Dynamic EC RAM Dynamic Asset Until Asset Dynamic EC private key coprocesso Store:Obfuscate explicitly Delete public r export d zeroized or service key:Paired RAM module Dynamic With plaintext reset Asset Store import Reset RAM service obfuscated Module import reset RAM obfuscated export RAM encrypted import RAM encrypted export Static RSA OTP Static Asset Until Zeroize OTP Static RSA public key coprocesso Store:Obfuscate explicitly service private r export d zeroized key:Paired OTP With obfuscated import Dynamic RAM Dynamic Asset Until Asset Dynamic RSA RSA public coprocesso Store:Obfuscate explicitly Delete private key r export d zeroized or service key:Paired RAM module Dynamic With plaintext reset Asset Store import Reset RAM service obfuscated Module import reset RAM obfuscated export RAM encrypted import RAM ©2024 Rambus Inc. / atsec information security.

Page 54

Name Input - Storage Storage Zeroizatio Related Output Duration n SSPs encrypted export Static RSA OTP Static Asset Until Zeroize OTP Static RSA private key coprocesso Store:Obfuscate explicitly service public r export d zeroized key:Paired OTP With obfuscated import Dynamic RAM Dynamic Asset Until Asset Dynamic RSA RSA private coprocesso Store:Obfuscate explicitly Delete public key r export d zeroized or service key:Paired RAM module Dynamic With plaintext reset Asset Store import Reset RAM service obfuscated Module import reset RAM obfuscated export RAM encrypted import RAM encrypted export Firmware RAM For the Automatic signature plaintext duration of verification import the service key Shared For the Automatic secret duration of the service Intermediat For the Automatic e key duration of generation the service value NIST SP Dynamic Asset Until Asset Static EC 800- Store:Obfuscate explicitly Delete public 56Arev3 d zeroized or service key:Used domain Static Asset module Zeroize OTP With parameters Store:Obfuscate reset service Static EC d Dynamic private Asset Store key:Used Reset With service Dynamic EC Module public reset key:Used ©2024 Rambus Inc. / atsec information security.

Page 55

Name Input - Storage Storage Zeroizatio Related Output Duration n SSPs With Dynamic EC private key:Used With Table 22: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2030. ©2024 Rambus Inc. / atsec information security.

Page 56
10 Self-Tests

While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not process service requests from the operator until the tests are completed.

10.1 Pre-Operational Self-Tests

Algorithm Test Test Test Indicator Details or Test Properties Method Type CRC24 N/A Error SW/FW CRC24 ok bit is set CRC24 check is Detection Integrity in the performed on Code MODULE_STATUS the entire ROM register firmware image Table 23: Pre-Operational Self-Tests The pre-operational firmware integrity test on the ROM firmware component is performed automatically when the module is initialized. If this test fails, the module transitions to the Hardware Error state.

10.2 Conditional Self-Tests

As part of the initialization, the ROM firmware component performs the SHA2-256 and ECDSA Signature Verification CASTs. Then, the ROM firmware loads the RAM firmware component and performs the firmware load test on the RAM firmware. Only if these tests succeed, will the RAM firmware be executed. Finally, the RAM firmware automatically performs the rest of the CASTs listed in the table below, before transitioning to the operational state. If any of the tests performed by the firmware components fail, the module transitions to the Firmware Error state. Algorith Test Test Test Indicator Details Condition m or Propertie Method Type s Test s ECDSA P-256 with KAT CAST ROM firmware KAT ROM SigVer SHA2-256 is ready to signature firmware (FIPS186- accept RAM verification integrity 5) firmware image test (A5263) passed KAT SHA2-256 320-bit KAT CAST ROM firmware KAT ROM (A5263) message is ready to message firmware accept RAM digest integrity firmware image test passed ECDSA P-256 with Signature SW/F FW accepted bit Signature RAM SigVer SHA2-256 verificatio W is set in the verification firmware (FIPS186- n Load MODULE_STATU is image is S register performed loaded on the ©2024 Rambus Inc. / atsec information security.

Page 57

Algorith Test Test Test Indicator Details Condition m or Propertie Method Type s Test s 5) entire RAM (A5263) firmware image AES-CBC 128-bit KAT CAST SelftestActive KAT RAM (A5264) key field in System encryption firmware Information and load test output is set to decryption passed AES-CCM 192-bit KAT CAST SelftestActive KAT RAM (A5264) key, 88-bit field in System encryption firmware nonce Information and load test output is set to decryption passed AES-XTS 256-bit KAT CAST SelftestActive KAT RAM Testing key field in System encryption firmware Revision Information and load test

2.0 output is set to decryption passed

(A5264) 0 AES-GCM 256-bit KAT CAST SelftestActive KAT RAM (A5264) key, 128- field in System encryption firmware bit IV Information and load test output is set to decryption passed AES- 256-bit KAT CAST SelftestActive KAT MAC RAM CMAC key field in System tag firmware (A5264) Information generation load test output is set to passed Counter AES-256 KAT CAST SelftestActive KAT RAM DRBG field in System instantiate, firmware (A5264) Information reseed, load test output is set to generate, passed

0 generate

(compliant to SP 80090A Section 11.3) SHA-1 256-bit KAT CAST SelftestActive KAT RAM (A5264) message field in System message firmware Information digest load test output is set to passed ©2024 Rambus Inc. / atsec information security.

Page 58

Algorith Test Test Test Indicator Details Condition m or Propertie Method Type s Test s SHA2-224 320-bit KAT CAST SelftestActive KAT RAM (A5264) message field in System message firmware Information digest load test output is set to passed HMAC- 256-bit KAT CAST SelftestActive KAT MAC RAM SHA2-256 key field in System tag firmware (A5264) Information generation load test output is set to passed KDF HMAC KAT CAST SelftestActive KAT key- RAM SP800- SHA2-256 field in System based key firmware

108 in Information derivation load test

(A5264) feedback output is set to passed mode 0 SHA2-512 640-bit KAT CAST SelftestActive KAT RAM (A5264) message field in System message firmware Information digest load test output is set to passed SHA3-512 320-bit KAT CAST SelftestActive KAT RAM (A5264) message field in System message firmware Information digest load test output is set to passed KDA OneStep KAT CAST SelftestActive KAT key RAM (A5264) KDA with field in System derivation firmware SHA2-256 Information from load test output is set to shared passed

0 secret

ECDSA P-224 with KAT CAST SelftestActive KAT RAM SigGen SHA2-224 field in System signature firmware (FIPS186- Information generation load test 5) output is set to passed (A5264) 0 ECDSA P-224 with KAT CAST SelftestActive KAT RAM SigVer SHA2-224 field in System signature firmware (FIPS186- Information verification load test 5) output is set to passed (A5264) 0 KAS-ECC KAS-ECC- KAT CAST SelftestActive KAT shared RAM Sp800- SSC with field in System secret firmware 56Ar3 P-224 Information computatio load test (A5264) output is set to n passed ©2024 Rambus Inc. / atsec information security.

Page 59

Algorith Test Test Test Indicator Details Condition m or Propertie Method Type s Test s RSA 2048-bit KAT CAST SelftestActive KAT RAM SigGen modulus field in System signature firmware (FIPS186- with Information generation load test

  1. PKCS#1 output is set to passed (A5264) v1.5 0 padding and SHA2RSA 2048-bit KAT CAST SelftestActive KAT RAM SigVer modulus field in System signature firmware (FIPS186- with Information verification load test
  2. PKCS#1 output is set to passed (A5264) v1.5 0 padding and SHA2ECDSA SHA-224, PCT PCT Successful key Signature Key pair KeyGen SHA-256, pair generation generation generation (FIPS186- SHA-384, &
  3. SHA-512 verification (A5264) ECDSA N/A PCT PCT Successful key SP 800- Key pair KeyGen pair generation 56Ar3 generation (FIPS186- Section 5) 5.6.2.1.4 (A5264) Sp80056Ar3 Entropy Cutoff: 31 Startup CAST Entropy source Repetition Entropy Source samples health produces Count Test source RCT-ST test entropy startup Entropy Cutoff: Startup CAST Entropy source Adaptive Entropy Source 325 health produces Proportion source APT-ST samples test entropy Test startup Entropy Cutoff: 31 Continuou CAST Entropy source Repetition DRBG Source samples s health produces Count Test seeding RCT-C test entropy Entropy Cutoff: Continuou CAST Entropy source Adaptive DRBG Source 325 s health produces Proportion seeding APT-C samples test entropy Test Table 24: Conditional Self-Tests
10.3 Periodic Self-Test Information

©2024 Rambus Inc. / atsec information security.

Page 60

Algorithm or Test Method Test Type Period Periodic Test Method CRC24 Error Detection SW/FW Integrity On demand Manually Code Table 25: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5263) KAT SHA2-256 KAT CAST On demand Manually (A5263) ECDSA SigVer Signature SW/FW Load On demand Manually (FIPS186-5) verification (A5263) AES-CBC KAT CAST On demand Manually (A5264) AES-CCM KAT CAST On demand Manually (A5264) AES-XTS Testing KAT CAST On demand Manually Revision 2.0 (A5264) AES-GCM KAT CAST On demand Manually (A5264) AES-CMAC KAT CAST On demand Manually (A5264) Counter DRBG KAT CAST On demand Manually (A5264) SHA-1 (A5264) KAT CAST On demand Manually SHA2-224 KAT CAST On demand Manually (A5264) HMAC-SHA2- KAT CAST On demand Manually

256 (A5264)

KDF SP800-108 KAT CAST On demand Manually (A5264) SHA2-512 KAT CAST On demand Manually (A5264) SHA3-512 KAT CAST On demand Manually (A5264) KDA (A5264) KAT CAST On demand Manually ©2024 Rambus Inc. / atsec information security.

Page 61

Algorithm or Test Method Test Type Period Periodic Test Method ECDSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5264) ECDSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5264) KAS-ECC Sp800- KAT CAST On demand Manually 56Ar3 (A5264) RSA SigGen KAT CAST On demand Manually (FIPS186-5) (A5264) RSA SigVer KAT CAST On demand Manually (FIPS186-5) (A5264) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5264) ECDSA KeyGen PCT PCT On demand Manually (FIPS186-5) (A5264) Sp80056Ar3 Entropy Source Startup health CAST On demand Manually RCT-ST test Entropy Source Startup health CAST On demand Manually APT-ST test Entropy Source Continuous CAST On demand Manually RCT-C health test Entropy Source Continuous CAST On demand Manually APT-C health test Table 26: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Hardware Hardware failed ROM firmware Power off CRC24 error bit is set in error to verify the integrity test the MODULE_STATUS integrity of the failure register ROM firmware Firmware ROM or RAM Unsuccessful Hard reset Fatal error bit is set or error firmware login (reset_n pin) FW accepted bit is not RAM firmware or power off set in the ©2024 Rambus Inc. / atsec information security.

Page 62

Name Description Conditions Recovery Indicator Method encountered an load test MODULE_STATUS error failure register CAST failure PCT failure DMA error Table 27: Error States In the Hardware Error state, no firmware input or output is possible at all, only the hardware registers such as the MODULE_STATUS register. In the Firmware Error state, only the Show status, Show version and Hard Reset services are available. Cryptographic functions and data output are inhibited.

10.5 Operator Initiation of Self-Tests

To perform the on-demand self-tests that includes the pre-operational self-tests and CASTs, the Crypto Officer shall power-off and power-on or perform a hard reset of the module. ©2024 Rambus Inc. / atsec information security.

Page 63
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

VaultIP synthesized in the Xillinx Zynq XC7Z045 FPGA is a single chip hardware module. The chip is delivered from the vendor via a trusted delivery courier. Upon reception of VaultIP, the customer should verify that the package does not have any irregular tears or openings. The chip comes preloaded with the following code packages:

11.2 Administrator Guidance

The Public Use Document related to the ESV certificate is posted here: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validationprogram/documents/entropy/E167_PublicUse.pdf The module is configured as a FIPS140-3 module at factory for the Xilinx Zynq XC7Z045 FPGA tested implementation. In this FPGA configuration the Crypto Officer should execute the “Show version" service and verify the following outputs:

11.3 Non-Administrator Guidance
11.4 Design and Rules

The Crypto Officer shall consider the following requirements and restrictions when using the module.

11.5 End of Life

Secure sanitization of the module consists of performing the Zeroize OTP service then powering off the module. This will zeroize all SSPs in non-volatile and volatile memory. ©2024 Rambus Inc. / atsec information security.

Page 64
12 Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks. ©2024 Rambus Inc. / atsec information security.

Page 65

Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard ASIC Application-Specific Integrated Circuit CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CBC-MAC Cipher Block Chaining Message Authentication Code CCM Counter with Cipher Block Chaining Message Authentication Code CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPU Central Processing Unit CRC Cyclic Redundancy Check CTR Counter Mode DMA Direct Memory Access DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm ECIES Elliptic Curve Integrated Encryption Scheme ESV Entropy Source Validation FIPS Federal Information Processing Standards Publication FPGA Field Programmable Gate Array GCM Galois Counter Mode GMAC Galois Message Authentication Code HMAC Keyed-Hash Message Authentication Code HUK Hardware Unique Key ICM Integer Counter Mode IFC Integer Factorization Cryptography IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KTS Key Transport Scheme KWP AES Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OTP One-Time Programmable PCT Pair-wise Consistency Test PDA Personal Digital Assistant PIN Personal Identification Number PSS Probabilistic Signature Scheme RAM Random-Access Memory ROM Read-Only Memory RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SIV Synthetic Initialization Vector SoC System on Chip SSP Sensitive Security Parameter TCM Tightly-Coupled Memory TEE Trusted Execution Environment XTS XEX-based Tweaked-codebook mode with cipher text Stealing ©2024 Rambus Inc. / atsec information security.

Page 66

Appendix B. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://doi.org/10.6028/NIST.FIPS.140-3 FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validationprogram/fips-140-3-ig-announcements FIPS180-4 Secure Hash Standard (SHS) August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-2 Digital Signature Standard (DSS) Jan 2000 https://csrc.nist.gov/files/pubs/fips/186-2/final/docs/fips186-2.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and ExtendableOutput Functions August 2015 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 5639 Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation March 2010 https://doi.org/10.17487/RFC5639 SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf ©2024 Rambus Inc. / atsec information security.

Page 67

SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80056Ar3.pdf SP800-56Br2 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography March 2019 https://doi.org/10.6028/NIST.SP.800-56Br2 SP800-56Cr2 Recommendation for Key Derivation through Extraction-thenExpansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80056Cr2.pdf SP800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80090Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B ©2024 Rambus Inc. / atsec information security.

Page 68

SP800-108r1- NIST Special Publication 800-108 - Recommendation for Key upd1 Derivation Using Pseudorandom Functions (Revised) August 2022 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP800-133r2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800133r2.pdf SP800-140Br1 NIST Special Publication 800-140Br1 - CMVP Security Policy Requirements November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 ©2024 Rambus Inc. / atsec information security.