All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Chainguard FIPS Provider for OpenSSL

Certificate#5102StandardFIPS 140-3Level1TypeSoftwareEmbodimentMultiChipStandStatusActiveVendorChainguard, Inc.
Medium review priority  ·  no TCB surface named  ·  OpenSSL upstream has published 38 CVEs since this module's initial validation  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMultiChipStand
StatusActive
Sunset date3/10/2030
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys).
VendorChainguard, Inc.

Approved Algorithms (73)

AlgorithmACVP Cert
AES-CBCA3548
AES-CBC-CS1A3548
AES-CBC-CS2A3548
AES-CBC-CS3A3548
AES-CCMA3548
AES-CFB1A3548
AES-CFB128A3548
AES-CFB8A3548
AES-CMACA3548
AES-CTRA3548
AES-ECBA3548
AES-GCMA3548
AES-GMACA3548
AES-KWA3548
AES-KWPA3548
AES-OFBA3548
AES-XTS Testing Revision 2.0A3548
Counter DRBGA3548
DSA KeyGen (FIPS186-4)A3548
DSA PQGGen (FIPS186-4)A3548
DSA PQGVer (FIPS186-4)A3548
DSA SigGen (FIPS186-4)A3548
DSA SigVer (FIPS186-4)A3548
ECDSA KeyGen (FIPS186-4)A3548
ECDSA KeyVer (FIPS186-4)A3548
ECDSA SigGen (FIPS186-4)A3548
ECDSA SigVer (FIPS186-4)A3548
Hash DRBGA3548
HMAC DRBGA3548
HMAC-SHA-1A3548
HMAC-SHA2-224A3548
HMAC-SHA2-256A3548
HMAC-SHA2-384A3548
HMAC-SHA2-512A3548
HMAC-SHA2- 512/224A3548
HMAC-SHA2- 512/256A3548
HMAC-SHA3-224A3548
HMAC-SHA3-256A3548
HMAC-SHA3-384A3548
HMAC-SHA3-512A3548
KAS-ECC CDH- Component SP800-56Ar3 (CVL)A3548
KAS-ECC-SSC Sp800-56Ar3A3548
KAS-FFC-SSC Sp800-56Ar3A3548
KAS-IFC-SSCA3548
KDA HKDF SP800-56Cr2A3548
KDA OneStep SP800-56Cr2A3548
KDA TwoStep SP800-56Cr2A3548
KDF ANS 9.42 (CVL)A3548
KDF ANS 9.63 (CVL)A3548
KDF KMAC Sp800-108r1A3548
KDF SP800-108A3548
KDF SSH (CVL)A3548
KTS-IFCA3548
PBKDFA3548
RSA KeyGen (FIPS186-4)A3548
RSA SigGen (FIPS186-4)A3548
RSA Signature Primitive (CVL)A3548
RSA SigVer (FIPS186-4)A3548
SHA-1A3548
SHA2-224A3548
SHA2-256A3548
SHA2-384A3548
SHA2-512A3548
SHA2-512/224A3548
SHA2-512/256A3548
SHA3-224A3548
SHA3-256A3548
SHA3-384A3548
SHA3-512A3548
SHAKE-128A3548
SHAKE-256A3548
TLS v1.2 KDF RFC7627 (CVL)A3548
TLS v1.3 KDF (CVL)A3548

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Chainguard FIPS Provider for OpenSSL
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric Encryption and Decryption<br/>Perform self- tests (All)<br/>Core (all except Teardown) (Show Status, Show…</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Chainguard FIPS Provider for OpenSSL
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric Encryption and Decryption<br/>Perform self- tests (All)<br/>Core (all except Teardown) (Show Status, Show…</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Chainguard, Inc. Chainguard FIPS Provider for OpenSSL

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels6
1.3Additional Information6
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification7
2.3Excluded Components8
2.4Modes of Operation9
2.5Algorithms10
2.6Security Function Implementations18
2.7Algorithm Specific Information33
2.8RBG and Entropy36
2.9Key Generation36
2.10Key Establishment36
2.11Industry Protocols37
3Cryptographic Module Interfaces37
3.1Ports and Interfaces37
4Roles, Services, and Authentication37
4.1Authentication Methods37
4.2Roles38
4.3Approved Services38
4.4Non-Approved Services58
4.5External Software/Firmware Loaded58
4.6Bypass Actions and Status59
4.7Cryptographic Output Actions and Status59
5Software/Firmware Security59
5.1Integrity Techniques59
5.2Initiate on Demand59
5.3Open-Source Parameters59
6Operational Environment59
6.1Operational Environment Type and Requirements59
6.2Configuration Settings and Restrictions60
7Physical Security60
8Non-Invasive Security60
9Sensitive Security Parameters Management60
9.1Storage Areas60
9.2SSP Input-Output Methods60
9.3SSP Zeroization Methods61
9.4SSPs61
10Self-Tests72
10.1Pre-Operational Self-Tests72
10.2Conditional Self-Tests72
10.3Periodic Self-Test Information75
10.4Error States80
10.5Operator Initiation of Self-Tests81
11Life-Cycle Assurance81
11.1Installation, Initialization, and Startup Procedures81
11.2Administrator Guidance82
11.3Non-Administrator Guidance83
11.4Design and Rules83
11.5Maintenance Requirements83
11.6End of Life83
12Mitigation of Other Attacks83
12.1Attack List83
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description9
Table 5: Approved Algorithms15
Table 6: Vendor-Affirmed Algorithms16
Table 7: Non-Approved, Allowed Algorithms17
Table 8: Non-Approved, Allowed Algorithms with No Security Claimed17
Table 9: Non-Approved, Not Allowed Algorithms18
Table 10: Security Function Implementations32
Table 11: Ports and Interfaces37
Table 12: Roles38
Table 13: Approved Services56
Table 14: Non-Approved Services58
Table 15: Storage Areas60
Table 16: SSP Input-Output Methods61
Table 17: SSP Zeroization Methods61
Table 18: SSP Table 168
Table 19: SSP Table 271
Table 20: Pre-Operational Self-Tests72
Table 21: Conditional Self-Tests75
Table 22: Pre-Operational Periodic Information76
Table 23: Conditional Periodic Information80
Table 24: Error States80
Figure 1: Chainguard FIPS Provider for OpenSSL Block Diagram7
Page 5
1 General
1.1 Overview

Introduction Federal Information Processing Standards Publication 140-3

Page 6
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance3
1212Mitigation of other attacks1
Overall LevelOverall Level1
1.2 Security Levels

The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as follows: Table 1: Security Levels N/A N/A

1.3 Additional Information

In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply to the Module. In accordance with current CMVP policy, [ISO19790] §7.8 Non-Invasive Security is not applicable.

2.1 Description

Purpose and Use: The Module is a cryptographic software library providing a C-language application program interface (API) for use by applications that require cryptographic functionality and is designated as a software module with a multi-chip standalone embodiment based on the descriptions of [ISO19790] AS02.03. The Module is intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module’s formal name and version are “Chainguard FIPS Provider for OpenSSL ” and “3.1.2”, respectively. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Embodiment: MultiChipStand

Page 7

Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per [ISO19790] AS02.03. The cryptographic boundary of the Module is the FIPS Provider, a dynamically loadable library. The Module performs no communication other than with the calling application via APIs that invoke the Module. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the General Purpose Computer. Figure 1: Chainguard FIPS Provider for OpenSSL Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so3.1.2fips.so for Unix/Linux platformsfips.soHMAC-SHA2-256
fips.dll3.1.2fips.dll for Windows platformsfips.dllHMAC-SHA2-256
fips.dylib3.1.2fips.dylib for Mac platformsfips.dylibHMAC-SHA2-256
Ubuntu Linux 22.04.1 ServerUbuntu Linux 22.04.1 ServerDell Inspiron 75733.1.2Intel i7- 8550UNoN/A
Ubuntu Linux 22.04.1 ServerUbuntu Linux 22.04.1 ServerDell Inspiron 75733.1.2Intel i7- 8550UYesN/A
Debian 11.5Debian 11.5Dell Inspiron 75733.1.2Intel i7- 8550UNoN/A
Debian 11.5Debian 11.5Dell Inspiron 75733.1.2Intel i7- 8550UYesN/A
FreeBSD 13.1FreeBSD 13.1Dell Inspiron 7591 2 in 13.1.2Intel i7- 10510UNoN/A
FreeBSD 13.1FreeBSD 13.1Dell Inspiron 7591 2 in 13.1.2Intel i7- 10510UYesN/A
Windows 10 ProWindows 10 ProDell Inspiron 7591 2 in 13.1.2Intel i7- 10510UNoN/A
Windows 10 ProWindows 10 ProDell Inspiron 7591 2 in 13.1.2Intel i7- 10510UYesN/A
macOS 11.5.2macOS 11.5.2Apple M1 Mac Mini3.1.2M1NoN/A
macOS 11.5.2macOS 11.5.2Apple M1 Mac Mini3.1.2M1YesN/A
macOS 11.5.2macOS 11.5.2Apple i7 Mac Mini3.1.2Intel i7NoN/A
macOS 11.5.2macOS 11.5.2Apple i7 Mac Mini3.1.2Intel i7YesN/A
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so3.1.2fips.so for Unix/Linux platformsfips.soHMAC-SHA2-256
fips.dll3.1.2fips.dll for Windows platformsfips.dllHMAC-SHA2-256
fips.dylib3.1.2fips.dylib for Mac platformsfips.dylibHMAC-SHA2-256
Ubuntu Linux 22.04.1 ServerUbuntu Linux 22.04.1 ServerDell Inspiron 75733.1.2Intel i7- 8550UNoN/A
Ubuntu Linux 22.04.1 ServerUbuntu Linux 22.04.1 ServerDell Inspiron 75733.1.2Intel i7- 8550UYesN/A
Debian 11.5Debian 11.5Dell Inspiron 75733.1.2Intel i7- 8550UNoN/A
Debian 11.5Debian 11.5Dell Inspiron 75733.1.2Intel i7- 8550UYesN/A
FreeBSD 13.1FreeBSD 13.1Dell Inspiron 7591 2 in 13.1.2Intel i7- 10510UNoN/A
FreeBSD 13.1FreeBSD 13.1Dell Inspiron 7591 2 in 13.1.2Intel i7- 10510UYesN/A
Windows 10 ProWindows 10 ProDell Inspiron 7591 2 in 13.1.2Intel i7- 10510UNoN/A
Windows 10 ProWindows 10 ProDell Inspiron 7591 2 in 13.1.2Intel i7- 10510UYesN/A
macOS 11.5.2macOS 11.5.2Apple M1 Mac Mini3.1.2M1NoN/A
macOS 11.5.2macOS 11.5.2Apple M1 Mac Mini3.1.2M1YesN/A
macOS 11.5.2macOS 11.5.2Apple i7 Mac Mini3.1.2Intel i7NoN/A
macOS 11.5.2macOS 11.5.2Apple i7 Mac Mini3.1.2Intel i7YesN/A

3.1.2 3.1.2 3.1.2 Table 2: Tested Module Identification

2.3 Excluded Components

No components are excluded from [FIPS140-3] requirements.

Page 9
Service
NameDescriptionIndicatorType
Non- Approved modeThe module is in the Approved mode of operation by default. Use of the non-Approved Algorithms Not Allowed in the Approved Mode will place the module in the non-approved mode of operation.fips=noNon- Approved

Modes List and Description: NonApproved NonApproved

  1. Manual key entry is not supported.
  2. Data output is inhibited during self-tests, zeroisation, SSP generation and error states.
  3. The Module does not perform any cryptographic function if any self-test has failed. a. security-checks = 1 Enforce minimum key strengths and approved curve names. b. conditional-errors = 1 Enforce the Module entering the error state on conditional test errors such as PCT failure. c. drbg-no-trunc-md=1 Disallow use of truncated digests with HASH and HMAC DRBGs (IG D.R) d. tls1-prf-ems-check=1 Enforce Extended Master Secret (EMS) use with TLS 1.2 (IG D.Q)
  4. The Module is a cryptographic library used by a calling application. The calling application is responsible for: a. Use of the primitives in the correct sequence. b. Use of keys in accordance with [SP800-140Dr2] (as the keys used by the Module for cryptographic purposes are provided over the call stack by the calling application). c. Use of a [SP800-90B] compliant entropy source. Entropy is supplied to the Module via callback functions. The callback functions return an error if the minimum entropy strength cannot be met.
Page 10
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS1A3548Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS2A3548Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A3548Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA3548Key Length - 128, 192, 256SP 800-38C
AES-CFB1A3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA3548Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA3548Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-GMACA3548Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-KWA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-KWPA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA3548Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A3548Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA3548Prediction Resistance - Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - No, YesSP 800-90A Rev. 1
DSA KeyGen (FIPS186-4)A3548L - 2048, 3072 N - 224, 256FIPS 186-4
DSA PQGGen (FIPS186-4)A3548L - 2048, 3072 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-4
DSA PQGVer (FIPS186-4)A3548L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-4
DSA SigGen (FIPS186-4)A3548L - 2048, 3072 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-4
DSA SigVer (FIPS186-4)A3548L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256FIPS 186-4
ECDSA KeyGen (FIPS186-4)A3548Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3548Curve - B-163, B-233, B-283, B-409, B-571, K- 163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3548Component - No, Yes Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A3548Component - No, Yes Curve - B-163, B-233, B-283, B-409, B-571, K- 163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512FIPS 186-4
Hash DRBGA3548Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-256, SHA3-512SP 800-90A Rev. 1
HMAC DRBGA3548Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-256, SHA3-512SP 800-90A Rev. 1
HMAC-SHA-1A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A3548Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
KAS-ECC CDH- Component SP800-56Ar3 (CVL)A3548Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521SP 800-56A Rev. 3
KAS-ECC-SSC Sp800-56Ar3A3548Domain Parameter Generation Methods - B- 233, B-283, B-409, B-571, K-233, K-283, K- 409, K-571, P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A3548Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP- 3072, MODP-4096, MODP-6144, MODP-8192 Scheme - dhEphem - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-IFC-SSCA3548Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KAS1 - KAS Role - initiator, responder KAS2 - KAS Role - initiator, responderSP 800-56A Rev. 3
KDA HKDF SP800-56Cr2A3548Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512SP 800-56C Rev. 2
KDA OneStep SP800-56Cr2A3548Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8SP 800-56C Rev. 2
KDA TwoStep SP800-56Cr2A3548MAC Salting Methods - default, random KDF Mode - feedback Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8SP 800-56C Rev. 2
KDF ANS 9.42 (CVL)A3548KDF Type - DER Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8SP 800-135 Rev. 1
KDF ANS 9.63 (CVL)A3548Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512 Key Data Length - Key Data Length: 128, 4096SP 800-135 Rev. 1
KDF KMAC Sp800-108r1A3548Derived Key Length - Derived Key Length: 112- 4096 Increment 8SP 800-108 Rev. 1
KDF SP800-108A3548KDF Mode - Counter, Feedback Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096SP 800-108 Rev. 1
KDF SSH (CVL)A3548Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512SP 800-135 Rev. 1
KMAC-128A3548Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8SP 800-185
KMAC-256A3548Message Length - Message Length: 0-65536 Increment 8SP 800-185
KTS-IFCA3548Modulo - 2048, 3072, 4096, 6144 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 1024SP 800-56B Rev. 2
PBKDFA3548Iteration Count - Iteration Count: 1-10000 Increment 1 Password Length - Password Length: 8-128 Increment 8SP 800-132
RSA KeyGen (FIPS186-4)A3548Key Generation Mode - B.3.3, B.3.6 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2, Table C.3 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A3548Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA Signature Primitive (CVL)A3548Private Key Format - CRTFIPS 186-4
RSA SigVer (FIPS186-4)A3548Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096FIPS 186-4
Safe Primes Key GenerationA3548Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
Safe Primes Key VerificationA3548Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
SHA-1A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A3548Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A3548Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A3548Output Length - Output Length: 16-65536 Increment 8FIPS 202
TLS v1.2 KDF RFC7627 (CVL)A3548Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A3548HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHESP 800-135 Rev. 1

Use of the Approved algorithms and Non-Approved Algorithms Allowed in the Approved Mode will ensure operation of the module in the Approved mode of operation. Use of the nonApproved Algorithms Not Allowed in the Approved Mode will place the module in the nonapproved mode of operation. Degraded Mode Description: The module does not support a degraded mode of operation.

2.5 Algorithms
Page 15
Service
NameApproved FunctionsPropertiesCaveat
DSA PQGGen [FIPS 186- 4]Key Size, Key Strength:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:PQGGen using SHA3OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
DSA PQGVer [FIPS 186- 4]Key Size, Key Strength:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128)OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
DSA SigGen [FIPS 186- 4]Key Size, Key Strength:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:SigGen using SHA3OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
DSA SigVer [FIPS186- 4]Key Size, Key Strength:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:SigVer using SHA3OpenSSL Project OpenSSL 3.x FIPS ProviderVendor affirmed per IG C.C and IG C.B Resolution (bullet point #3)
CKG - Section 4 and 5.1Key Type :AsymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.1: Key Pairs for Digital Signature Schemes
CKG - Section 4 and 5.2Key Type:AsymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.2: Key Pairs for Key Establishment
CKG - Section 4 and Section 6.1Key Type:SymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 6.1: Direct Generation of Symmetric Keys
CKG - Section 6.2Key Type:SymmetricN/ANIST SP 800-133r2 Section 6.2: Derivation of Symmetric keys
CKG - Section 6.3Key Type:SymmetricN/ANIST SP 800-133rev2, Section 6.3: Symmetric Keys Produced by Combining Multiple Keys and Other Data
CKG - Section 4Key Type:SymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Random bits returned to the calling application
AESAES KW, KWP (Cert.#A3548):Symmetric key unwrappingOpenSSL Project OpenSSL 3.x FIPS ProviderPer IG D.G Additional Comment 5
N/AN/AN/A
Triple-DESProvides 3-Key ECB and CBC mode, but indicated as fips=no, Encryption, Decryption
Ed448SHAKE256, Ed448 provides 224 bits of security, Digital Signature Generation
Ed25519SHA2-512, Ed25519 provides 128 bits of security, Digital Signature Generation
X448Provides 224 bits of security, Key Agreement
X25519Provides 128 bits of security, Key Agreement
ECDSA SigVer ComponentProvides between 80 and 256 bits for security, Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521, Digital Signature Verification
FIPS 186-2 RSA SigGen/SigVerProvides >= 80 bits of security, RSA signature generation/verification per FIPS 186-2
FIPS 186-2 RSA KeyGenProvides >= 112 bits of security, RSA key generation per FIPS 186-2
X942KDF- CONCATUsage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
X963KDFUsage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
HKDFProvides < 112 bits of security, Usage of HKDF with key length less than 112 bits
OneStep KDFUsage of OneStep KDF with PRF SHAKE128, SHAKE256

Table 5: Approved Algorithms The Module implements the Approved cryptographic functions listed in Table 5. [FIPS 1864] [FIPS 1864] #3) #3)

Page 16

#3) #3) N/A N/A 6.1 N/A N/A N/A N/A [FIPS 1864] [FIPS1864] Table 6: Vendor-Affirmed Algorithms

Page 17
Service
NameDescriptionApproved FunctionsTypePropertiesCaveat
AESAES KW, KWP (Cert.#A3548):Symmetric key unwrappingOpenSSL Project OpenSSL 3.x FIPS ProviderPer IG D.G Additional Comment 5
N/AN/AN/A
Triple-DESProvides 3-Key ECB and CBC mode, but indicated as fips=no, Encryption, Decryption
Ed448SHAKE256, Ed448 provides 224 bits of security, Digital Signature Generation
Ed25519SHA2-512, Ed25519 provides 128 bits of security, Digital Signature Generation
X448Provides 224 bits of security, Key Agreement
X25519Provides 128 bits of security, Key Agreement
ECDSA SigVer ComponentProvides between 80 and 256 bits for security, Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521, Digital Signature Verification
FIPS 186-2 RSA SigGen/SigVerProvides >= 80 bits of security, RSA signature generation/verification per FIPS 186-2
FIPS 186-2 RSA KeyGenProvides >= 112 bits of security, RSA key generation per FIPS 186-2
X942KDF- CONCATUsage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
X963KDFUsage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256
HKDFProvides < 112 bits of security, Usage of HKDF with key length less than 112 bits
OneStep KDFUsage of OneStep KDF with PRF SHAKE128, SHAKE256
HMACProvides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation
Hash and HMAC DRBGUsage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256
Symmetric Encryption and DecryptionSymmetric Encryption and DecryptionAES-CBC: (A3548) AES-CBC- CS1: (A3548) AES-CBC- CS2: (A3548) AES-CBC- CS3: (A3548) AES-CCM: (A3548) AES-CFB1: (A3548) AES-CFB128: (A3548) AES-CFB8: (A3548) AES-CMAC: (A3548) AES-CTR: (A3548) AES-ECB: (A3548) AES-GCM: (A3548) AES-GMAC: (A3548) AES-OFB: (A3548) AES-XTS Testing Revision 2.0: (A3548)BC-Auth BC-UnAuthKey Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits
Message DigestMessage DigestSHA-1: (A3548) SHA2-224: (A3548) SHA2-256: (A3548)SHASHA-1 :(s = 160) Large Message Sizes: 1, 2, 4, 8gigabytes SHA2:SHA2-224 (s = 224), SHA2-256 (s =

Non-Approved, Allowed Algorithms: Table 7: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: N/A N/A N/A Table 8: Non-Approved, Allowed Algorithms with No Security Claimed The module does not support any Non-Approved Algorithms Allowed in the Approved Mode of Non-Approved, Not Allowed Algorithms: X942KDFCONCAT

Page 18
Service
NameDescriptionApproved FunctionsTypeProperties
HMACProvides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation
Hash and HMAC DRBGUsage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256
Symmetric Encryption and DecryptionSymmetric Encryption and DecryptionAES-CBC: (A3548) AES-CBC- CS1: (A3548) AES-CBC- CS2: (A3548) AES-CBC- CS3: (A3548) AES-CCM: (A3548) AES-CFB1: (A3548) AES-CFB128: (A3548) AES-CFB8: (A3548) AES-CMAC: (A3548) AES-CTR: (A3548) AES-ECB: (A3548) AES-GCM: (A3548) AES-GMAC: (A3548) AES-OFB: (A3548) AES-XTS Testing Revision 2.0: (A3548)BC-Auth BC-UnAuthKey Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits
Message DigestMessage DigestSHA-1: (A3548) SHA2-224: (A3548) SHA2-256: (A3548)SHASHA-1 :(s = 160) Large Message Sizes: 1, 2, 4, 8gigabytes SHA2:SHA2-224 (s = 224), SHA2-256 (s =
256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2-512/224 (s = 224), SHA2- 512/256 (s = 256). Large Message Sizes: 1, 2, 4, 8gigabytes SHA3:SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512). See Note 1. Large Message Sizes: 1, 2, 4, 8gigabytes SHAKE:SHAKE-128 (s = 128), SHAKE- 256 (s = 256). See Note 1.SHA2-384: (A3548) SHA2-512: (A3548) SHA2- 512/224: (A3548) SHA3-224: (A3548) SHA3-256: (A3548) SHA3-384: (A3548) SHA3-512: (A3548) SHAKE-128: (A3548) SHAKE-256: (A3548) SHA2- 512/256: (A3548)256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2-512/224 (s = 224), SHA2- 512/256 (s = 256). Large Message Sizes: 1, 2, 4, 8gigabytes SHA3:SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512). See Note 1. Large Message Sizes: 1, 2, 4, 8gigabytes SHAKE:SHAKE-128 (s = 128), SHAKE- 256 (s = 256). See Note 1.
Keyed HashKeyed HashHMAC-SHA-1: (A3548) HMAC-SHA2- 224: (A3548) HMAC-SHA2- 256: (A3548) HMAC-SHA2- 384: (A3548) HMAC-SHA2- 512: (A3548) HMAC-SHA2- 512/224: (A3548) HMAC-SHA2- 512/256: (A3548) HMAC-SHA3- 224: (A3548) HMAC-SHA3- 256: (A3548) HMAC-SHA3- 384: (A3548) HMAC-SHA3- 512: (A3548) AES-CMAC: (A3548) KMAC-128: (A3548)BC-Auth MACHMAC-SHA-1 [FIPS198-1]:SHA-1 (s = 160) HMAC-SHA2 [FIPS198-1]:SHA2- 224 (s = 224), SHA2- 256 (s = 256), SHA2- 384 (s = 384), SHA2- 512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256) HMAC-SHA3 [FIPS198-1]:SHA3- 224 (s = 224), SHA3- 256 (s = 256), SHA3- 384 (s = 384), SHA3- 512 (s = 512) KMAC:KMAC-128 (112 s 128), KMAC- 256 (112 s 256). See Note 8.
RSA Digital Signature Generation and VerificationRSA Digital Signature Generation and VerificationRSA SigGen (FIPS186-4): (A3548) RSA SigVer (FIPS186-4): (A3548)DigSig- SigGen DigSig-SigVerSignature type: ANSI X9.31 tested with the listed moduli and the following hash algorithms: SHA2- 256, SHA2-384, SHA2-512:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCS 1.5 tested with the listed moduli and the following hash algorithms: SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCSPSS tested with the listed moduli and the following hash algorithms: SHA2- 224, SHA2- 256, SHA2-384, SHA2- 512, SHA2- 512/224, SHA2- 512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: ANSI X9.31 tested with the listed moduli and the following hash algorithms: SHA-1*, SHA2-256, SHA2- 384, SHA2- 512:k=1024 (s 112), k=2048 (s ~= 112), k=3072 (s ~= 128),

Table 9: Non-Approved, Not Allowed Algorithms

Page 19

SHA2512/224: SHA2512/256: HMAC-SHA2256)

Page 21
Service
NameDescriptionCsps AccessedApproved FunctionsType
ECDSA Signature Generation and Signature VerificationECDSA Signature Generation and Signature VerificationSigGen (includes SigGen Component) (tested with SHA2- 224, SHA2-256, SHA2-384, SHA2- 512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512):B-233, K- 233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); B- 409, K-409, P-384 (s ~= 192); B-571, K- 571, P-521 (s ~= 256) SigVer (tested with SHA-1*, SHA2-224,ECDSA SigGen (FIPS186-4): (A3548) ECDSA SigVer (FIPS186-4): (A3548)DigSig- SigGen DigSig-SigVer
DSA Digital Signature Generation and VerificationDSA Digital Signature Generation and VerificationSigGen (tested with SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256); SigGen using SHA3; no ACVP testing is available:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) SigVer (tested with SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256); SigVer using SHA3; no ACVP testing is available:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128)DSA SigGen (FIPS186-4): (A3548) DSA SigVer (FIPS186-4): (A3548) DSA SigGen [FIPS 186-4]: () Key Size, Key Strength: L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: SigGen using SHA3 DSA SigVer [FIPS186-4]: () Key Size, Key Strength: L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: SigVer using SHA3DigSig- SigGen DigSig-SigVer
RSA Signature PrimitiveSignature primitivePrivate Key format:CRT Public Exponent Mode:Fixed : k = 2048RSA Signature Primitive: (A3548)DigSig- SigGen
Asymmetric Key Pair GenerationGeneration of asymmetric key pairsRSA KeyGen:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) DSA KeyGen:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) ECDSA KeyGen: Secret Generation Mode: Testing Candidates:B-233, K- 233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); B- 409, K-409, P-384 (s ~= 192); B-571, K- 571, P-521 (s ~= 256) Safe Primes Key Generation, Safe Primes Key Verification:ffdhe2048 (s = 112), ffdhe3072 (112 s 128), ffdhe4096 (112 s 152), ffdhe6144 (112 s 176), ffdhe8192 (112 s 200), MODP- 2048 (s = 112), MODP-3072 (112 s 128), MODP-4096 (112 s 152), MODP- 6144 (112 s 176), MODP-8192 (112 s 200) ECDSA KeyVer:B- 163, K-163, P-192 (s < 112); B-233, K-233, P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K- 409, P-384 (s ~=RSA KeyGen (FIPS186-4): (A3548) DSA KeyGen (FIPS186-4): (A3548) ECDSA KeyGen (FIPS186-4): (A3548) Safe Primes Key Generation: (A3548) ECDSA KeyVer (FIPS186-4): (A3548) Safe Primes Key Verification: (A3548) CKG - Section 4 and 5.1: () Key Type : Asymmetric CKG - Section 4 and 5.2: () Key Type: Asymmetric DSA PQGGen (FIPS186-4): (A3548) DSA PQGVer (FIPS186-4): (A3548) DSA PQGGen [FIPS 186-4]: () Key Size, Key Strength: L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L =AsymKeyPair- KeyGen AsymKeyPair- KeyVer
192); B-571, K-571, P-521 (s ~= 256) DSA PQGGen (FIPS186-4), DSA PQGGen [FIPS 186- 4] (VA):L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) DSA PQGVer (FIPS186-4), DSA PQGVer [FIPS 186-4] (VA):L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128)192); B-571, K-571, P-521 (s ~= 256) DSA PQGGen (FIPS186-4), DSA PQGGen [FIPS 186- 4] (VA):L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) DSA PQGVer (FIPS186-4), DSA PQGVer [FIPS 186-4] (VA):L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128)3072/N = 256 (s = 128) Mode/Method: PQGGen using SHA3 DSA PQGVer [FIPS 186-4]: () Key Size, Key Strength: L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: PQGVer using SHA3
Random Number GenerationRandom Number Generation - Hash_DRBG, CTR_DRBG and HMAC_DRBGCounter DRBG [SP800-90Ar1]:AES- 128 (s = 128), AES- 192 (s = 192), AES- 256 (s = 256) Hash DRBG [SP800- 90Ar1]:SHA-1 (s = 160), SHA2-256 (s = 256), SHA2-512 (s = 512) SHA3-256 (s = 256), SHA3-512 (s = 512) HMAC DRBG [SP800-90Ar1]:SHA- 1 (s = 160), SHA2- 256 (s = 256), SHA2- 512 (s = 512) SHA3- 256 (s = 256), SHA3- 512 (s = 512)Counter DRBG: (A3548) Hash DRBG: (A3548) HMAC DRBG: (A3548) CKG - Section 4: () Key Type: SymmetricDRBG
Key DerivationDerive Keying MaterialKDA HKDF:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s =KDA HKDF SP800-56Cr2: (A3548) KDA OneStep SP800-56Cr2: (A3548) KDA TwoStep SP800-56Cr2: (A3548) KDF ANSKBKDF PBKDF
Page 24

[SP800-90Ar1]:SHA1 (s = 160), SHA2256 (s = 256), SHA2512 (s = 512) SHA3256 (s = 256), SHA3512 (s = 512) () 4: ()

Page 25
Service
NameDescriptionApproved Functions
256), SHA3-384 (s = 384), SHA3-512 (s = 512) KDA OneStep:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512); HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- 512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3- 256 (s = 256), HMAC-SHA3-384 (s = 384), HMAC-SHA3- 512 (s = 512); KMAC-128 (112 s 128), KMAC-256 (112 s 256) KDA TwoStep [SP800- 56Cr2]:HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- 512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3-256), SHA3-384 (s = 384), SHA3-512 (s = 512) KDA OneStep:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512); HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- 512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3- 256 (s = 256), HMAC-SHA3-384 (s = 384), HMAC-SHA3- 512 (s = 512); KMAC-128 (112 s 128), KMAC-256 (112 s 256) KDA TwoStep [SP800- 56Cr2]:HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- 512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3-9.42: (A3548) KDF ANS 9.63: (A3548) KDF KMAC Sp800-108r1: (A3548) KDF SP800- 108: (A3548) KDF SSH: (A3548) PBKDF: (A3548) TLS v1.2 KDF RFC7627: (A3548) TLS v1.3 KDF: (A3548) CKG - Section 6.2: () Key Type: Symmetric
Page 27
Service
NameDescriptionApproved FunctionsTypeProperties
KAS-1Scheme: EphemeralUnified, KAS Role: Initiator, ResponderSP800-56Ar3 KAS- ECC-SSC per IG D.F Scenario 2 path (1):B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, and P-521 curves providing 112, 128,KAS-SSCKAS-ECC- SSC Sp800- 56Ar3: (A3548)
KAS-2Scheme: dhEphem. KAS Role: Initiator, ResponderSP800-56Ar3 KAS- FFC-SSC IG D.F Scenario 2 path (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strengthKAS-SSCKAS-FFC- SSC Sp800- 56Ar3: (A3548)
KAS-3Scheme: KAS1, KAS2. KAS Role: Initiator, ResponderSP800-56Br2 KAS- IFC-SSC IG D.F Scenario 1 path (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strengthKAS-SSCKAS-IFC- SSC: (A3548)
KTS-1Key Transport in compliance with [SP800- 38F] when approved using AES KW or KWPSP 800-38F KTS (key wrapping) per IG D.G :128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strengthKTS-WrapAES-KW: (A3548) AES-KWP: (A3548)
KTS-2Key Transport in compliance with [SP800- 38F] when approved AES (any mode) and approved HMAC, KMAC, GMAC or CMAC are used in combinationSP 800-38F KTS (key wrapping) per IG D.G : 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strengthKTS-WrapAES-CBC: (A3548) AES-CFB1: (A3548) AES-CFB128: (A3548) AES-CFB8: (A3548) AES-CTR: (A3548) AES-ECB: (A3548) AES-OFB: (A3548) AES-XTS Testing Revision 2.0: (A3548) AES-CBC- CS2: (A3548) AES-CBC- CS3: (A3548)
KTS-3Key Transport in compliance with [SP800- 38F] when approved using an Authenticated AES mode (AES CCM; AES GCM;SP 800-38F KTS (key wrapping) per IG D.G : 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strengthKTS-WrapAES-CCM: (A3548) AES-CMAC: (A3548) AES-GCM: (A3548) AES-GMAC: (A3548)
KTS-4Key Transport; Scheme: KTS- OAEP-basic (no key confirmation): RSA-OAEP, Key Encapsulation, Key Unencapsulation Key Generation Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-prime- factor, rsakpg2- basic, rsakpg2-crt, rsakpg2- prime- factorSP 800-56Brev2 KTS-IFC (key encapsulation and un-encapsulation) per IG D.G:2048, 3072, 4096, and 6144-bit key providing 112, 128, 152, or 176 bits of encryption strengthKTS-EncapKTS-IFC: (A3548)
KAS ECC CDH ComponentKAS-ECC-SSC primitiveCurves:B-233, K-233, P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K- 409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256).KAS-SSCKAS-ECC CDH- Component SP800-56Ar3: (A3548)
Perform self- tests (All)All self-tests executed by the module at bootBC-Auth BC-UnAuth DigSig- SigGen DigSig-SigVer DRBG KAS-SSC KBKDF MAC PBKDF SHA XOFAES-ECB: (A3548) AES-GCM: (A3548) Hash DRBG: (A3548) Counter DRBG: (A3548) HMAC DRBG: (A3548) DSA SigGen (FIPS186-4): (A3548) DSA SigVer (FIPS186-4): (A3548) ECDSA SigGen (FIPS186-4): (A3548) ECDSA SigVer

(1):B-233, K-233, PResponder KAS-ECCSSC Sp80056Ar3:

Page 28

KAS-FFCSSC Sp80056Ar3:

Page 30

DigSigSigGen rsakpg2- primefactor CDHComponent

Page 31
Service
NameDescriptionCsps AccessedType
Cryptographic KeyDirect generation of symmetric keysCKG - Section 4 and Section 6.1: ()CKG

KAS-ECCSSC Sp80056Ar3: KAS-FFCSSC Sp80056Ar3: 6.1: ()

Page 32
Service
NameDescriptionApproved FunctionsTypeProperties
Generation (CKG)per NIST SP 800- 133r2
Software Integrity TestHMAC-SHA2-256 used to perform the software integrity testHMAC-SHA2- 256: (A3548)MACKey size: 256 bits
Cryptographic Key Generation (CKG) - AES XTSAES XTS Key generated to comply with the approved key generation guidelines of NIST SP 800-133rev2, Section 6.3, Symmetric Keys Produced by Combining Multiple Keys and Other DataCKG - Section 6.3: ()CKGKey size:128, 256 bits

6.3: () Table 10: Security Function Implementations Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority of the sources. Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP800-57P1r5] Table

  1. Note 2: Elliptic curve strengths are annotated as approximate (i.e., s ~=) since [SP800-186] Table 1 provides approximate security strengths. Note 3: [SP800-186] (cited in [SP800-140Cr2]) and [FIPS140-3_IG] C.K indicate that the Binary (B-) and Koblitz (K-) curves are deprecated. Note 4: Approved elliptic curves for ECC key agreement are given in [SP800-56Ar3] Table
  2. Note 5: In Digital Signature applications, security strength is primarily associated with the asymmetric key pair specification. The hash function used must have equivalent strength equal to or greater than the security strength of the associated key pair. Note 6: Approved key types for FFC key agreement are given in [SP800-56Ar3] Tables 25,
  3. The group notation of Table 26 is used for consistency with CAVP algorithm listings and ACVP capability registration. Note 7: Approved key types for IFC key agreement are given in [SP800-56Br2] Table
  4. IFC key types approved for Digital Signature Generation and Verification are given also in [SP80057P1r5] Table
  5. Equivalent strengths are annotated as approximate (i.e., s ~=) since [SP80056Br2] Table 4 provides approximate security strengths. Note 8: Security strengths for KDA One Step are given in [SP800-56Cr2] Table 1 (hash), Table
2 (HMAC) and Table 3 (KMAC).

Note 9: Security strength for L=2048/N=256 is determined in accordance with [FIPS140-3_IG] D.B Strength of SSP Establishment Methods as y = min(x, N/2), where x is 112 and therefore y = min(112, 128) = 112. Other reference sources for the strengths are as follows:

Page 33
2.7 Algorithm Specific Information

a. AES-GCM Usage AES GCM IV generation must be compliant to [FIPS140-3_IG] C.H Key/IV Pair Uniqueness Requirements from SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS/DTLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. IV constructed in compliance with a protocol shall only be used in the context of the AESGCM mode encryptions within the protocol. The Module does not implement the TLS and SSH protocols itself, however, it provides the cryptographic functions required for implementing the protocols. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3. The module provides the primitives to support the AES GCM ciphersuites from [SP800-52r1] Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per [SP800-38D] Section 8.2.2. Per [FIPS140-3_IG] C.H Scenario 2 and [SP800-38D], the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. In each case, in the event that the Module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are re-distributed in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This

Page 34

is in accordance with IG 2.4.A: If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation). b. PBKDF Usage The lower limit on the supported length of a password/passphrase used in key derivation is 1-character. The ASCII system comprises of 94 printable characters (letters, digits, punctuation, and symbols). For a 1-character password/passphrase chosen from 94 printable ASCII characters, the total combinations are: 94^1. Thus, the probability of guessing the correct password/passphrase on a random attempt is: 1/94^1 ~0.010. The module being a software module, does not restrict the usage of a password/string used as the password and input to the PBKDF. The onus is on the calling application to provide a password of an appropriate length based on the intended security strength (and size) of the key to be derived. In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. The module complies with NIST SP 800-132 Section 5.4 Option 1 a and IG D.N. The iteration count values used range from 1 to 10000 per NIST SP 800-132 Section 5.2 whereby the iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. Keys derived from passwords, as shown in SP 800-132, may only be used in storage applications. The security strength of the derived key is at least 112 bits. The module implements CKG per NIST SP 800-133r2 Section 6.2.2. c. AES-XTS Usage Usage In accordance with [SP800-38E], the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with [FIPS140-3_IG] C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. d. Legacy Usage The module supports the following implementations for legacy use/support per NIST SP 800-131Ar2:

Page 35
Page 36

III. IV. V. As a PRF in HMAC-SHA-1 As the underlying hash function for RSA SigVer, ECDSA SigVer and DSA SigVer for legacy use/support per NIST SP 800-131Ar2 as specified in the Security Policy Section 2.7 d. As the underlying hash function in Hash DRBG and HMAC DRBG

2.8 RBG and Entropy

The Module relies on the use of a [SP800-90B] compliant entropy source outside the Module boundary. The calling application is responsible for use of an [SP800-90B] compliant entropy source with sufficient entropy based on the required security strength. Entropy is supplied to the Module via callback functions (see Section 2.4 2. c). Minimum Number of Bits of Entropy, depending on the target security strength of generated SSPs are 128, 192 or 256 bits. When using the Counter DRBG implementation without the derivation function enabled, full entropy from the entropy source is required. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys).

2.9 Key Generation

The module implements NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.

2.10 Key Establishment

Key Agreement Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and [FIPS140-3_IG] D.F Scenario 2 (path 1) and NIST SP 800-56Br2 and [FIPS140-3_IG] D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 9 have been documented accordingly. The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the [FIPS140-3_IG] D.F required key agreement assurances: [SP800-56Ar3] in accordance with Section 5.6.2. [SP800-56Br2] in accordance with Section 6.4. Per IG C.F Additional Comment 1.e: The elliptic curve used in the key agreement scheme and the associated domain parameters provide more than 112 bits of security as seen in the KAS-1 entry per Table

  1. Per IG C.F Additional Comment 2: The KAS-ECC-SSC and KAS-FFC-SSC implementations each support a scheme of the DiffieHelllman variety. Per IG D.G: The module supports the Key Transport per NIST SP 800-56Br2 (RSA-OAEP) denoted by KTS4 in the SFI Table
  2. The RSA modulus sizes and key generation method have been
Page 37
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AControl InputAPI entry point: stack frame including non-sensitive parameters
N/AN/AData InputAPI call parameters passed by reference or value for cryptographic service input
N/AN/AStatus OutputAPI return value: enumerated status resulting from call execution
N/AN/AData OutputAPI call parameters passed by reference for cryptographic service output

documented in the table as well. The module can also optionally be used in the context of IETF protocols and provide key transport using any approved AES mode(s) and an approved MAC. The corresponding entries KTS-1, KTS-2 and KTS-3 in the SFI Table 9 have been documented accordingly. All KTS entries have been documented in accordance with Additional Comment 4 in the IG. The module also supports the following untested approved moduli for KTS-4: 6144 < nlen <=16384, where nlen denotes the modulus. Per IG D.A and IG D.B: The strengths of the established key have been documented in accordance with IG D.A Additional Comment 4. and per the Resolution in IG D.B.

2.11 Industry Protocols

The Module conforms to Resolution 3 per [FIPS140-3_IG] D.C References to the Support of Industry Protocols: while it provides [SP800-56Ar3] conformant schemes and API entry points oriented to SSH and TLS usage, the Module does not contain the full implementation of SSH or TLS. The following caveat is required: No parts of the SSH and TLS protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 11: Ports and Interfaces Table 11 defines the Module’s [FIPS140-3] logical interfaces; the Module does not interact with physical ports. The Control Output logical interface is not applicable to the Module and is intentionally omitted from Table 11.

4 Roles, Services, and Authentication
4.1 Authentication Methods
Page 38
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
InitializeModule initializationCrypto Officer - DRBG_E I: G,W,E,Z - DRBG_S tate: G - Software Integrity key: ERandom Number Generatio nFIPS_O KCore handle, dispatch in and out, provider contextInitializatio n status (1 = pass, 0 = fail)
Core (all except Teardown) (Show Status, Show Version)Show status; Core operations dispatched by FIPS provider: Metadata (Gettable parameters; Get parameters; Get capabilities); Query; Self- testCrypto OfficerNoneFIPS_O KProvider context, paramete rs types (array), capability , callback pointer and argument s, operation IDParameter types (array) with: Name, Version, BuildInfo, Status, SecurityCh ecks; Status return, TLS group capabilities , Null or array of available operations
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
InitializeModule initializationCrypto Officer - DRBG_E I: G,W,E,Z - DRBG_S tate: G - Software Integrity key: ERandom Number Generatio nFIPS_O KCore handle, dispatch in and out, provider contextInitializatio n status (1 = pass, 0 = fail)
Core (all except Teardown) (Show Status, Show Version)Show status; Core operations dispatched by FIPS provider: Metadata (Gettable parameters; Get parameters; Get capabilities); Query; Self- testCrypto OfficerNoneFIPS_O KProvider context, paramete rs types (array), capability , callback pointer and argument s, operation IDParameter types (array) with: Name, Version, BuildInfo, Status, SecurityCh ecks; Status return, TLS group capabilities , Null or array of available operations
Core: Perform self-testsRun the self- test sequenceCrypto OfficerPerform self-tests (All) Software Integrity TestFIPS_O KProvider contextStatus (1 = pass, 0 = fail)
Core: Teardown (Perform zeroisation)Uninstantiate the module; includes ZeroiseCrypto Officer - DS_SGK : Z - DS_SVK: Z - GKP_Pri vate: Z - GKP_Pu blic: Z - KAS_Pri vate: Z - KAS_Pu blic: Z - KAS_SS: Z - KD_DKM : Z - KH_Key: Z - KTS_KD K: Z - KTS_KE K: Z - KTS_SS: Z - DRBG_E I: Z -NoneFIPS_O KProvider contextNone
Asymmetric cipher (Key Transport) (Perform approved security functions)Encapsulate or decapsulate key material on behalf of the calling process (does not establish keys into the module)Crypto Officer - KTS_KD K: E - KTS_KE K: E - KTS_SS: RKTS-4[KTS- IFC: RSA, 4, (2048, 3072, 4096, 6144, 8192)]Encapsul ate: Key struct (KTS_KD K); Decapsul ate (KTS_KE K)Status return; KTS_SS
Cipher (Encryption/Dec ryption and Key Wrapping) (Perform approved security functions)Encrypt or decrypt data, including AEAD modes (CCM, GCM) and key wrap (KW, KWP) (CSPs are passed in by the calling process or generated within the module)Crypto Officer - SC_EDK : E - KH_Key: ESymmetri c Encryptio n and Decryptio n Keyed Hash KTS-1 KTS-2 KTS-3 Cryptogra phic Key Generatio n (CKG) Cryptogra phic Key Generatio n (CKG) - AES XTS[AES- ECB: AES- 128- ECB, AES- 192- ECB, AES- 256- ECB]; [AES- CBC: AES- 128- CBC, AES- 192- CBC, AES- 256- CBC]; [AES- CBC- CS:SC_EDK and KH_Key (for key wrapping ); flagsStatus return. Plaintext or ciphertext data, or wrapped key

The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document.

4.2 Roles

Table 12: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified) and does not support a maintenance role or a bypass capability.

4.3 Approved Services
Page 40

r s [KTSIFC: K); K) [AESECB: AES128ECB, AES192ECB, AES256ECB]; [AESCBC: AES128CBC, AES192CBC, AES256CBC]; [AESCBCCS: c n :Z K: E K: E R :E E

Page 41

r AES128CBCCTS, AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, AES256CFB8]; [AESCFB128: s

Page 42

r 128CFB, AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256GCM]; [AESXTS: AES128XTS, s

Page 43
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Key derivation (Perform approved security functions)Derive keying materialCrypto Officer - KAS_SS: W,E - KD_DKM : G,R - KTS_SS: W,E - PBKDF Passwor d: W,E,ZKey Derivatio n[PBKDF: PBKDF2 , (SHA- 1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512)]; [TLS1- PRF, (SHA2- 256, SHA2- 384, SHA2- 512)]; [TLS13- KDF, (SHA2- 256, SHA2- 384)];KAS_SS; flagsStatus return; KD_DKM

r [AESKW, AES128WRAP, AES256WRAP] , (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; [TLS13KDF, (SHA2256, SHA2384)]; s n W,E : G,R W,E d: W,E,Z

Page 44

r [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; SP 800108r1 (KMAC128, KMAC256)]; SP 800108r1 s

Page 45

r AES128CBC, AES192CBC, AES256CBC, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, s

Page 46

r HMACSHA3512]; F, SHA2224, SHA2256, SHA2384, SHA2512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACSHA2256, s

Page 47

r HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, KMAC128, KMAC256)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, s

Page 48
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Key exchange (Perform approved security functions)Perform key agreement primitives on behalf of the calling process (does not establish keys into the module)Crypto Officer - KAS_Pri vate: E - KAS_Pu blic: E - KAS_SS: GKAS-1 KAS-2 KAS-3 KAS ECC CDH Compone nt[KAS- FFC- SSC: DHX]; [KAS- ECC- SSC: EC]Key structs (KAS_Pri vate and KAS_Pu blic); flagsStatus return; KAS_SS
Key management (Perform approved security functions)Generate asymmetric key pairsCrypto Officer - GKP_Pri vate: G - GKP_Pu blic: GAsymmet ric Key Pair Generatio n[SafePri mes: DHX]; [RSA KeyGen: RSA, (2048, 3072, 4096)]; [ECDSAECDSA: curve identifier. DSA/RS A: modulus sizeStatus return; Key struct (GKP_Priv ate, GKP_Publi c)
Message authentication (Perform approved security functions)Generate or verify data integrity. (CSPs are passed in by the calling process or generated within the module)Crypto Officer - KH_Key: EKeyed Hash Cryptogra phic Key Generatio n (CKG)[HMAC: HMAC- SHA1, HMAC- SHA2- 224, HMAC- SHA2- 256, HMAC- SHA2- 384, HMAC- SHA2- 512, HMAC- SHA2- 512/224, HMAC- SHA2- 512/256, HMAC- SHA3- 224, HMAC- SHA3- 256, HMAC- SHA3- 384, HMAC- SHA3- 512]; [CMAC]; [KMAC: KMAC- 128, KMAC-KH_KeyStatus return; Tag value
Message digest (Perform approved security functions)Generate a message digestCrypto OfficerMessage Digest[SHA-1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512, SHAKE- 128, SHAKE- 256]Message ; flagsStatus return; Hash value
Random (Perform approved security functions)Generate random bits using the DRBGCrypto Officer - DRBG_E I: E - DRBG_S eed: E - DRBG_S tate: ERandom Number Generatio n[Hash DRBG: HASH- DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [HMAC- DRBG, (SHA1,DRBG struct (RBG State); DRBG_E IStatus return; Random value
Signature (Perform approved security functions)Generate or verify digital signatures (SSPs are passed in by the calling process)Crypto Officer - DS_SGK : E - DS_SVK: ERSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA Digital Signature Generatio n and Verificatio n RSA Signature Primitive[RSA SigGen: RSA, (2048, 3072, 4096), (SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256) ]; [RSA SigVer: RSA, (1024, 2048, 3072, 4096), (SHA1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2-Sign: Key struct (DS_SG K); message ; Verify: signature value; Key struct (DS_SV K); flags; sizesStatus return; Signature value

r SHA3512]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512]; [KASFFCSSC: [KASECCSSC: s A: c) G n

Page 49

r HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; KMAC128, s E

Page 50

r AES128GCM, AES192GCM, AES256GCM] SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, SHAKE128, SHAKE256] HASHDRBG, SHA2256, SHA2512)]; [HMACDRBG, s I n I: E

Page 51

r SHA2256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) SHA2224, SHA2256, SHA2384, s K); n n n :E E

Page 52

r SHA2512/224, SHA2512/256) e m: (SHA2224, SHA2256, SHA2384, SHA2512, SHA3224, SHA3256, SHA3384, SHA3512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, s

Page 53

r SHA2512/256) ]; (L= SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) , =SHA2256, SHA2384, SHA2512, SHA2512/256) s

Page 54
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Zeroise (Perform zeroisation)*The core Teardown operationCrypto Officer -NoneZERO_ OKMemory pointerVoid

r (L= (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) ] s -

Page 55
Service
NameDescriptionCsps Accessed
zeroizes all Module scope SSPs *Call stack cleanup is the duty of the application *Restarting the general- purpose computer clears all SSPs in RAM *OPENSSL_cl eanse provides zeroisation of SSPs managed by the caller; See the notes below this table for additional explanationzeroizes all Module scope SSPs *Call stack cleanup is the duty of the application *Restarting the general- purpose computer clears all SSPs in RAM *OPENSSL_cl eanse provides zeroisation of SSPs managed by the caller; See the notes below this table for additional explanationDS_SGK : Z - DS_SVK: Z - GKP_Pri vate: Z - GKP_Pu blic: Z - KAS_Pri vate: Z - KAS_Pu blic: Z - KAS_SS: Z - KD_DKM : Z - KH_Key: Z - KTS_KD K: Z - KTS_KE K: Z - KTS_SS: Z - DRBG_E I: Z - DRBG_S eed: Z - DRBG_S tate: Z - SC_EDK : Z -
Page 56

r Table 13: Approved Services s Note: The Indicators in Table 13 above follow the format: [Algorithm name: Indicator 1, Indicator 2, etc.] where Indicator 1 is an algorithm identifier and Indicators 2, 3 etc. depending on the algorithm are the specifics i.e. modes/supported curves/SafePrime groups/PRFs, etc.) per algorithm. Each combination of the Indicator 1 along with Indicators 2, 3, etc. in the comma separated list can be observed when the corresponding modes/curves/SafePrimes, PRFs etc. are invoked for a given algorithm in the context of a given service. The service indicators must be requested by the calling applications as by calling the following EVP APIs of the module in the context of each service:

Page 57

EVP_RAND_get0_name used in conjunction with  EVP_MD_get0_name for Hash and HMAC DRBG or  EVP_CIPHER_get0_name for Counter DRBG. Key Transport (OEAP):

Page 58
Service
NameDescriptionRolesApproved Functions
SignatureGenerate or verify digital signatures (SSPs are passed in by the calling process)Crypto OfficerEd448 Ed25519 FIPS 186-2 RSA SigGen/SigVer
Key ExchangePerform key agreement primitives on behalf of the calling process (does not establish keys into the module)Crypto OfficerX448 X25519
Cipher (Encryption/Decryption)Encrypt or decrypt data (CSPs are passed in by the calling process)Crypto OfficerTriple-DES
ECDSA SigVer ComponentVerify ECDSA digital signatures (SSPs are passed in by the calling process)Crypto OfficerECDSA SigVer Component
Key DerivationDerive keys (key derivation key passed in by the calling process)Crypto OfficerX942KDF- CONCAT X963KDF HKDF OneStep KDF
Keyed HashGenerate HMAC using key length less than 112 bitsCrypto OfficerHMAC
RandomGenerate random bits using the non-approved Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256Crypto OfficerHash and HMAC DRBG

Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is All CSPs are zeroized (overwritten with 0s) when they are no longer needed:

4.5 External Software/Firmware Loaded

The module does not support loading of any additional software. X942KDFCONCAT

Page 59
4.6 Bypass Actions and Status

The module does not support bypass.

4.7 Cryptographic Output Actions and Status

The module does not support self-initiated cryptographic output.

5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fipsmodule.cnf contains the integrity reference value. The HMAC key used for the integrity test is considered a non-SSP. The HMAC-SHA2-256 CAST is performed prior to the software integrity test. The Module is provided in an executable form (as fips.so shared object for use in Linux environments, fips.dylib for use in Mac environments and fips.dll for use in Windows environments). The module does not support loading of any additional software.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.

5.3 Open-Source Parameters

In accordance with [ISO19790] Annex B, as the Module is open source, the tools used to build the Module as tested are:

6 Operational Environment
6.1 Operational Environment Type and Requirements
Page 60
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary, plaintext storage
Stored in the module's configuration fileStaticPersistent, plaintext storage
Service
NameApproved FunctionsTypeFromToDistributio n Type
CALL STACK (API) INPUT PARAMETER SElectroni cPlaintex tCalling applicationModuleManual
CALL STACK (API) OUTPUT PARAMETER SElectroni cPlaintex tModuleCalling applicationManual
Stored at manufactureN/APlaintex tManufacture rStored in the module's configuratio n fileN/A

Type of Operational Environment: Modifiable How Requirements are Satisfied : The operational environment for the Module is modifiable as it runs in General Purpose Computers (GPC). The Module conforms to [FIPS140-3_IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by [FIPS140-3_IG] 2.3.C as a known PAA.

6.2 Configuration Settings and Restrictions

Table 3 lists the operational environments on which the Module was tested; no operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2.

7 Physical Security

Physical Security requirements are not applicable for this software Module.

8 Non-Invasive Security

In accordance with current CMVP policy, Non-Invasive Security is not applicable.

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods
Page 61

S t c r t N/A N/A m Table 16: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path).

9.3 SSP Zeroization Methods

Table 17: SSP Zeroization Methods

Page 62
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUseInputRelated SSPs
DS_SGKPrivate key - CSPPrivate key for signature generationRSA: 2048, 3072 and 4096 bits DSA: 2048 and 3072 bits ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: 112, 128, 192, 521RSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA Digital Signature Generatio n and Verificatio n RSA Signature Primitive
DS_SVKPublic key - PSPPublic key for signature verificationRSA: 1024, 2048, 3072 and 4096 bits DSA: 1024, 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 80, 112, 128 or 152 DSA: 80, 112 or 128 ECDSA: 112, 128, 192, 256RSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA Digital Signature Generatio n and Verificatio n
GKP_Priva tePrivate key - CSPKey pair (Private: DS_SGK, Public: DS_SVK) generated per caller request; the keypair purpose is unspecifiedRSA: 2048, 3072, 4096 bits DSA: 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: 112, 128, 192, 256Asymmetric Key Pair Generation Random Number Generation
GKP_Publi cPublic key - PSPKey pair (Private: GPK_Privat e, Public: GPK_Publi c) generated per caller request; the keypair purpose is unspecifiedRSA: 2048, 3072, 4096 bits DSA: 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: 112, 128, 192, 256Asymmetric Key Pair Generation Random Number Generation
KAS_Privat ePrivate key - CSPKey pair component provided by the local participant, used forFFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096,Asymmetric Key Pair Generation Random Number GenerationKAS-1 KAS-2 KAS-3
Diffie- Hellman shared secret generationDiffie- Hellman shared secret generationffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192, 256 IFC [SP800- 56Br2]: 112, 128
KAS_Publi cPublic key - PSPKey pair component provided by the local participant, used for Diffie- Hellman shared secret generationFFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, P- 521, IFC: k=2048, 3072, 4096,Asymmetric Key Pair Generation Random Number GenerationKAS-1 KAS-2 KAS-3
KAS_SSShared secret - CSPShared secret calculation; z output value is expected to be used by a KDFFFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192, 256 IFC: 112, 128KAS-1 KAS-2 KAS-3
KD_DKMDerived Keying Material - CSPKey Derivation derived keying materialHMAC PRF: 160, 224, 256, 384, 512 - HMAC PRF: 160, 224, 256, 384, 512Key Derivation
KH_KeySymmetr ic key - CSPKeyed Hash keyCMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256 - CMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256Random Number Generation Cryptograph ic Key Generation (CKG)Keyed Hash KTS-2
KTS_KDKPrivate key - CSPPrivate (KDK) component of an RSA key pair used for [SP800- 56Br2] RSA key transport2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176KTS-4
KTS_KEKPublic key - PSPPublic (KEK) component of an RSA key pair used for [SP800- 56Br2] RSA key transport2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176KTS-4
KTS_SSShared secret - CSPThe RSA key transport shared secret2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176KTS-4
DRBG_EIEntropy input - CSPEntropy input from an external source used for DRBG seeding128 - 256 bits - 128 - 256 bitsRandom Number Generatio n
DRBG_Se edDRBG seed - CSPSeed generated from the entropy input for the DRBG128 - 256 bits - 128 - 256 bitsRandom Number Generatio n
DRBG_Sta teDRBG state - CSPHash DRBG: V and C. HMAC DRBG: V and Key CTR DRBG: V and KeyHash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256 - Hash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256Random Number GenerationRandom Number Generatio n
SC_EDKSymmetr ic key - CSPAES key used for symmetric encryption and decryption (including use in key wrapping)AES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256. - AES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256Random Number Generation Cryptograph ic Key Generation (CKG) Cryptograph ic Key Generation (CKG) - AES XTSSymmetri c Encryptio n and Decryptio n KTS-1 KTS-2 KTS-3
PBKDF PasswordSymmetr ic key - CSPInput provided to the PBKDFRecommend ed size is greater thanKey Derivatio n
Software Integrity key256 bits - NeitherHMAC- SHA2-256 key used to perform the Software Integrity Test256 bits - 256 bitsSoftware Integrity Test
DS_SGKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDS_SVK:Paired With
DS_SVKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDS_SGK:Paired With
GKP_Priv ateRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) OUTPUT PARAMETE RScleared after useGKP_Public:Paired With
Page 64

c n DiffieHellman [SP80056Br2]: 112, DiffieHellman y

Page 66

n [SP80056Br2] RSA [SP80056Br2] RSA y n

Page 68
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputRelated SSPs
Software Integrity key256 bits - NeitherHMAC- SHA2-256 key used to perform the Software Integrity Test256 bits - 256 bitsSoftware Integrity Test
DS_SGKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDS_SVK:Paired With
DS_SVKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDS_SGK:Paired With
GKP_Priv ateRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) OUTPUT PARAMETE RScleared after useGKP_Public:Paired With
GKP_Publ icRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) OUTPUT PARAMETE RScleared after useGKP_Private:Paired With
KAS_Priva teRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKAS_Public:Paired With
KAS_Publi cRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKAS_Private:Paired With
KAS_SSRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computercleared after useKAS_Private:Establi shed using KAS_Public:Establis hed using
KD_DKMRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) OUTPUT PARAMETE RScleared after use
KH_KeyRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting theCALL STACK (API) INPUT PARAMETE RScleared after use
KTS_KDKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKTS_KEK:Paired With
KTS_KEKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useKTS_KDK:Paired With
KTS_SSRAM:Plaint extOPENSSL_clea nse Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RS CALL STACK (API) OUTPUT PARAMETE RScleared after use
DRBG_EIRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after useDRBG_Seed:Used to derive
DRBG_Se edRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computercleared after useDRBG_EI:Derived From
DRBG_St ateRAM:Plaint extTeardown Restarting theUntil power-DRBG_Seed:Derive d From
cycling of the underlyi ng host platformgeneral-purpose computercycling of the underlyi ng host platform
SC_EDKRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RS CALL STACK (API) OUTPUT PARAMETE RScleared after use
PBKDF PasswordRAM:Plaint extOPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computerCALL STACK (API) INPUT PARAMETE RScleared after use
Software Integrity keyStored in the module's configuratio n file :PlaintextTeardownStored at manufactureUntil teardow n operatio n is perform ed

n HMACSHA2-256 y Table 18: SSP Table 1 n

Page 71

n n Table 19: SSP Table 2 All SSPs used by the Module are described in this section, arranged for consistency with Table 12; ‘--’ indicates the cell is intentionally empty, not applicable, or not relevant. Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). The Module maintains only the DRBG CSPs used for key generation as persistent CSPs; these are used exclusively for approved services. DRBG outputs are used internally to the Module for asymmetric key pair generation and used by calling applications to generate a random value (potentially for use as a symmetric key).

Page 72
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityMAC (HMAC- SHA2-256, A3548)Key Length: 256 bitsSuccess: All self- tests passed (as expected)
AES-ECB (A3548)AES-ECB (A3548)KATCASTDecryptKey Length: 128 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTEncryptKey Length: 256 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTDecryptKey Length: 256 bitsFIPS_OKOn reloading the module
Counter DRBG (A3548)Counter DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsAES CTR (128 bits) with derivation functionFIPS_OKOn reloading the module
DSA SigGenDSA SigGenKATCASTSignModulus: 2048 bits;FIPS_OKOn reloading the module
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityMAC (HMAC- SHA2-256, A3548)Key Length: 256 bitsSuccess: All self- tests passed (as expected)
AES-ECB (A3548)AES-ECB (A3548)KATCASTDecryptKey Length: 128 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTEncryptKey Length: 256 bitsFIPS_OKOn reloading the module
AES-GCM (A3548)AES-GCM (A3548)KATCASTDecryptKey Length: 256 bitsFIPS_OKOn reloading the module
Counter DRBG (A3548)Counter DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsAES CTR (128 bits) with derivation functionFIPS_OKOn reloading the module
DSA SigGenDSA SigGenKATCASTSignModulus: 2048 bits;FIPS_OKOn reloading the module
(FIPS186- 4) (A3548)(FIPS186- 4) (A3548)Hash: SHA2-384
DSA SigVer (FIPS186- 4) (A3548)DSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyModulus: 2048 bits; Hash: SHA2-384FIPS_OKOn reloading the module
ECDSA SigGen (FIPS186- 4) (A3548)ECDSA SigGen (FIPS186- 4) (A3548)KATCASTSignCurve: P- 224; Hash: SHA2-512FIPS_OKOn reloading the module
ECDSA SigVer (FIPS186- 4) (A3548)ECDSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyCurve: P- 224; Hash: SHA2-512FIPS_OKOn reloading the module
Hash DRBG (A3548)Hash DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsPRF: SHA2-256FIPS_OKOn reloading the module
HMAC DRBG (A3548)HMAC DRBG (A3548)KATCASTGenerate, Reseed, Instantiate functionsPRF: HMAC- SHA-1FIPS_OKOn reloading the module
HMAC- SHA2-256 (A3548)HMAC- SHA2-256 (A3548)KATCASTHMAC tag GenerationPRF: SHA2-256FIPS_OKPerformed prior to the software integrity test
KAS- ECC-SSC Sp800- 56Ar3 (A3548)KAS- ECC-SSC Sp800- 56Ar3 (A3548)KATCASTKey Agreement - Shared Secret ComputationScheme: Ephemeral Unified, Curve: P- 256FIPS_OKOn reloading the module
KAS-FFC- SSC Sp800- 56Ar3 (A3548)KAS-FFC- SSC Sp800- 56Ar3 (A3548)KATCASTKey Agreement - Shared Secret ComputationScheme: dhEphem; Modulus: L = 2048 bits, N = 256 bitFIPS_OKOn reloading the module
KAS-IFC- SSC (A3548)KAS-IFC- SSC (A3548)KATCASTKey Agreement - Shared Secret ComputationSchemes: Basic, CRT, Modulus: L = 2048 bitsFIPS_OKOn reloading the module
KDF SP800- 108 (A3548)KDF SP800- 108 (A3548)KATCASTCounter Mode (HMAC- SHA2-256).Mode: Counter, PRF: HMAC- SHA2-256FIPS_OKOn reloading the module
KDA OneStepKDA OneStepKATCASTKey DerivationAuxiliary Function,FIPS_OKOn reloading the module
SP800- 56Cr2 (A3548)SP800- 56Cr2 (A3548)H = SHA2- 224
KDA TwoStep SP800- 56Cr2 (A3548)KDA TwoStep SP800- 56Cr2 (A3548)KATCASTKey DerivationAuxiliary Function, H = HMAC- SHA2-256FIPS_OKOn reloading the module
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTEncryptSchemes: Basic Modulus: L = 2048 bitsFIPS_OKOn reloading the module
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTDecryptSchemes: Basic, CRT, Modulus: L = 2048 bitsFIPS_OKOn reloading the module
PBKDF (A3548)PBKDF (A3548)KATCASTKey DerivationDerivation of the Master Key (MK), PRF: SHA2-256FIPS_OKOn reloading the module
RSA SigGen (FIPS186- 4) (A3548)RSA SigGen (FIPS186- 4) (A3548)KATCASTSignScheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-256FIPS_OKOn reloading the module
RSA SigVer (FIPS186- 4) (A3548)RSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyScheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-256FIPS_OKOn reloading the module
SHA-1 (A3548)SHA-1 (A3548)KATCASTHashSHA-1FIPS_OKOn reloading the module
SHA2-512 (A3548)SHA2-512 (A3548)KATCASTHashSHA2-512FIPS_OKOn reloading the module
SHA3-256 (A3548)SHA3-256 (A3548)KATCASTHashSHA3-256FIPS_OKOn reloading the module
KDF ANS 9.42 (A3548)KDF ANS 9.42 (A3548)KATCASTKey DerivationPRFs: AES KW (128 bits), SHA-1FIPS_OKOn reloading the module
KDF ANS 9.63 (A3548)KDF ANS 9.63 (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
10.1 Pre-Operational Self-Tests

Table 20: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known

10.2 Conditional Self-Tests
Page 73

(FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) HMACSHA-1 HMACSHA2-256 KASECC-SSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 Curve: P256 HMACSHA2-256 KAS-IFCSSC SP800108 (HMACSHA2-256).

Page 74

SP80056Cr2 SP80056Cr2 (FIPS1864) (A3548) (FIPS1864) (A3548) H = SHA2224 H= HMACSHA2-256

Page 75
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
KDF SSH (A3548)KDF SSH (A3548)KATCASTKey DerivationPRF: SHA- 1FIPS_OKOn reloading the module
TLS v1.2 KDF RFC7627 (A3548)TLS v1.2 KDF RFC7627 (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
TLS v1.3 KDF (A3548)TLS v1.3 KDF (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
RSA KeyGen (FIPS186- 4) (A3548)RSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Transport (KTS IFC)/Key Agreement (KAS IFC)/Signature Generation/Signature Verification
ECDSA KeyGen (FIPS186- 4) (A3548)ECDSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification
DSA KeyGen (FIPS186- 4) (A3548)DSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS FFC)/Signature Generation/Signature Verification
ECDSA SigGen (FIPS186- 4) (A3548)ECDSA SigGen (FIPS186- 4) (A3548)KATCASTSignCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
ECDSA SigVer (FIPS186- 4) (A3548)ECDSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityOn DemandManually by reloading the
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
KDF SSH (A3548)KDF SSH (A3548)KATCASTKey DerivationPRF: SHA- 1FIPS_OKOn reloading the module
TLS v1.2 KDF RFC7627 (A3548)TLS v1.2 KDF RFC7627 (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
TLS v1.3 KDF (A3548)TLS v1.3 KDF (A3548)KATCASTKey DerivationPRF: SHA2-256FIPS_OKOn reloading the module
RSA KeyGen (FIPS186- 4) (A3548)RSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Transport (KTS IFC)/Key Agreement (KAS IFC)/Signature Generation/Signature Verification
ECDSA KeyGen (FIPS186- 4) (A3548)ECDSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification
DSA KeyGen (FIPS186- 4) (A3548)DSA KeyGen (FIPS186- 4) (A3548)PCTPCTKey GenerationPerformed post key generationFIPS_OKOn generating keys for Key Agreement (KAS FFC)/Signature Generation/Signature Verification
ECDSA SigGen (FIPS186- 4) (A3548)ECDSA SigGen (FIPS186- 4) (A3548)KATCASTSignCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
ECDSA SigVer (FIPS186- 4) (A3548)ECDSA SigVer (FIPS186- 4) (A3548)KATCASTVerifyCurve: K- 233; Hash: SHA2-512FIPS_OKOn reloading the module
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATSW/FW IntegrityOn DemandManually by reloading the

(FIPS1864) (A3548) PRF: SHA1 (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) Table 21: Conditional Self-Tests Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. On instantiation, the Module performs the pre-operational self-tests and all CASTs listed above. All KATs must complete successfully prior to any other use of cryptography by the Module.

10.3 Periodic Self-Test Information
Page 76
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
TestTestMethod
AES-ECB (A3548)AES-ECB (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
AES-GCM (A3548)AES-GCM (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
AES-GCM (A3548)AES-GCM (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
Counter DRBG (A3548)Counter DRBG (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
DSA SigGen (FIPS186-4) (A3548)DSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
DSA SigVer (FIPS186-4) (A3548)DSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
ECDSA SigGen (FIPS186-4) (A3548)ECDSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
TestTestMethod
AES-ECB (A3548)AES-ECB (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
AES-GCM (A3548)AES-GCM (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
AES-GCM (A3548)AES-GCM (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
Counter DRBG (A3548)Counter DRBG (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
DSA SigGen (FIPS186-4) (A3548)DSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
DSA SigVer (FIPS186-4) (A3548)DSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
ECDSA SigGen (FIPS186-4) (A3548)ECDSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the
ECDSA SigVer (FIPS186-4) (A3548)ECDSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
Hash DRBG (A3548)Hash DRBG (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
HMAC DRBG (A3548)HMAC DRBG (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
HMAC-SHA2- 256 (A3548)HMAC-SHA2- 256 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KAS-ECC-SSC Sp800-56Ar3 (A3548)KAS-ECC-SSC Sp800-56Ar3 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KAS-FFC-SSC Sp800-56Ar3 (A3548)KAS-FFC-SSC Sp800-56Ar3 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KAS-IFC-SSC (A3548)KAS-IFC-SSC (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDF SP800-108 (A3548)KDF SP800-108 (A3548)KATCASTOn DemandManually by reloading the module or calling the
KDA OneStep SP800-56Cr2 (A3548)KDA OneStep SP800-56Cr2 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDA TwoStep SP800-56Cr2 (A3548)KDA TwoStep SP800-56Cr2 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KTS-IFC (A3548)KTS-IFC (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
PBKDF (A3548)PBKDF (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
RSA SigGen (FIPS186-4) (A3548)RSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
RSA SigVer (FIPS186-4) (A3548)RSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
SHA-1 (A3548)SHA-1 (A3548)KATCASTOn DemandManually by reloading the module or calling the
SHA2-512 (A3548)SHA2-512 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
SHA3-256 (A3548)SHA3-256 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDF ANS 9.42 (A3548)KDF ANS 9.42 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDF ANS 9.63 (A3548)KDF ANS 9.63 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
KDF SSH (A3548)KDF SSH (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
TLS v1.2 KDF RFC7627 (A3548)TLS v1.2 KDF RFC7627 (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
TLS v1.3 KDF (A3548)TLS v1.3 KDF (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
RSA KeyGen (FIPS186-4) (A3548)RSA KeyGen (FIPS186-4) (A3548)PCTPCTOn DemandOn generation of keys
ECDSA KeyGen (FIPS186-4) (A3548)ECDSA KeyGen (FIPS186-4) (A3548)PCTPCTOn DemandOn generation of keys
DSA KeyGen (FIPS186-4) (A3548)DSA KeyGen (FIPS186-4) (A3548)PCTPCTOn DemandOn generation of keys
ECDSA SigGen (FIPS186-4) (A3548)ECDSA SigGen (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function
ECDSA SigVer (FIPS186-4) (A3548)ECDSA SigVer (FIPS186-4) (A3548)KATCASTOn DemandManually by reloading the module or calling the fips_self_test function

Table 22: Pre-Operational Periodic Information

Page 80
Service
NameDescriptionRole AccessIndicator
ERR OR STA TE*The error state is persistent and no services are available *All attempts to use the Module's services result in the return of a non-zero error code, PROV_R_FIPS_MODULE_IN_ ERROR_STATEIf one of the KATs or if the Softwar e Integrit y Test fails, the Module enters the self-test failure error statePROV_R_FIPS_MODULE_IN_ ERROR_STATETo recove r from an error state, reload the Modul e into memo ry

Table 23: Conditional Periodic Information

10.4 Error States
Page 81
10.5 Operator Initiation of Self-Tests

The operator can reload the module or the fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Module is provided to vendors who integrate it into their product, typically in a manufacturing environment, and is not provided directly to US or Canadian Federal agencies. Adherence to the instructions in this document maintains security throughout the distribution, build, installation and configuration processes. An authorized Cryptographic Officer is required to perform these steps on each platform where it is intended to be used. The config file output contains information about the Module (such as the self-test status and the Module checksum) and must not be manually modified without using the openssl fipsinstall command. Crypto Officer Guidance a. Installation and Usage Guidance The Module is installed as part of the OpenSSL 3.1.2 library. The source distribution package is located at https://www.openssl.org/source/openssl-3.1.2.tar.gz. The Chainguard FIPS Provider for OpenSSL can be installed on the Tested Configurations listed in Table 3 by performing the following steps: 1. Build and install OpenSSL 3.1.2 to the default location: The Chainguard FIPS Provider for OpenSSL (i.e., the Module) does not get built and installed automatically. To install the Module automatically during the normal OpenSSL 3.1.2 installation process it must be enabled by configuring OpenSSL using the ‘enable-fips’ option. Unix/Linux/macOS: $ perl -i -pe "s/OpenSSL FIPS Provider/Chainguard FIPS Provider for OpenSSL/" providers/fips/fipsprov.c test/drbgtest.c $ ./Configure enable-fips $ make $ make install Windows: $ perl -i -pe "s/OpenSSL FIPS Provider/Chainguard FIPS Provider for OpenSSL/" providers\fips\fipsprov.c test\drbgtest.c $ perl Configure enable-fips $ nmake $ nmake install

Page 82

The ‘install_fips’ make target can also be invoked explicitly to install the FIPS Provider independently, without installing the rest of OpenSSL: $ make install_fips Note: The instructions for building and installing OpenSSL 3.1.2 on other platforms can be found in the platform-specific guidance provided in INSTALL.md and README-FIPS.md in the OpenSSL 3.1.2 distribution package. Please see Appendix A for further information on porting the Module to platforms apart from the Tested Configurations in Table 3. 2. Verify the version: $ openssl version -v The Installation of the Chainguard FIPS Provider for OpenSSL that occurs as a result of Step 1 above ensures that the shared library and the configuration file containing information about the Module (e.g., the Module checksum) is copied to its installed location. To install the configuration file to a non-default location, this can be achieved by running the ‘fipsinstall’ command line application manually: $ openssl fipsinstall -pedantic Please see fipsinstall.html /docs/man3.1/man1/openssl-fipsinstall.html for options supported for the ‘openssl fipsinstall’ command. Note: The software integrity check (per Section 5 of this document) is performed using HMACSHA2-256 on the Module file to validate that the Module has not been modified. The integrity value is compared to a value written to the config file during installation. b. CVEs The publication of a CVE does not require immediate re-validation or maintenance in the CMVP process. The module may be updated in the field as needed depending on the severity or consequences of the CVE. The Module will be kept up to date with re-validation and maintenance as required, generally bundling fixes for known CVEs in a next release. The OpenSSL organization maintains a Vulnerabilities page which describes known vulnerabilities and potential resolution. These are reported to the NVD, where they are independently assessed. The OpenSSL group publishes fixes for these vulnerabilities according to their triage process. c. Miscellaneous The module performs run-time checks related to enforcement of security parameters such as the minimum-security strength of keys, valid key sizes, and usage of approved curves. These checks shall not be disabled (by using OPENSSL_NO_FIPS_SECURITYCHECKS or any other method). Validation of domain parameters prior to generating keys using functions provided by the module is the responsibility of the Cryptographic Officer and not enforced by the module itself.

11.2 Administrator Guidance
Page 83

No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.

11.3 Non-Administrator Guidance

No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.

11.4 Design and Rules

No additional rules apply for the operation of the module apart from those specified in the remainder of this section and Section 2.4 of this document.

11.5 Maintenance Requirements

No maintenance requirements apply for operation of the module in the Approved/non-Approved modes as defined above.

11.6 End of Life

Module Sanitization and Destruction Sanitization is defined in [ISO19790] as “... the process of removing sensitive information (e.g. SSPs, user data, etc.) from the module, so that it may either be distributed to other operators or disposed.” The Module itself does not manage persistent SSPs, authentication data or any user data. The Module may be securely sanitized by deletion of the folder in which the Module was located. There are no additional procedures required for secure destruction of the Module.

12 Mitigation of Other Attacks
12.1 Attack List

The Module implements mitigations for some types of attacks using the constant-time implementations and blinding. Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to

Page 84

attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key.

Referenced URLs