All modules
CMVP Validated Module · FIPS 140-3 Security Policy

BoringCrypto

Certificate#5104StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorGoogle, LLC
Low review priority  ·  no TCB surface named  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/8/2030
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorGoogle, LLC

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for BoringCrypto
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for BoringCrypto
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: boringssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Google, LLC BoringCrypto Date: September 10. 2025 Google, LLC 2025 Version 1.0 Public Material

Page 2
Table of Contents
#SectionPage
Page 3

Google, LLC 2025 Version 1.0 Public Material

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)6
Table 3: Tested Operational Environments - Software, Firmware, Hybrid7
Table 4: Modes List and Description7
Table 5: Approved Algorithms9
Table 6: Vendor-Affirmed Algorithms10
Table 7: Non-Approved, Not Allowed Algorithms10
Table 8: Security Function Implementations14
Table 9: Ports and Interfaces17
Table 10: Roles17
Table 11: Approved Services24
Table 12: Non-Approved Services25
Table 13: Storage Areas26
Table 14: SSP Input-Output Methods27
Table 15: SSP Zeroization Methods27
Table 16: SSP Table 130
Table 17: SSP Table 232
Table 18: Pre-Operational Self-Tests32
Table 19: Conditional Self-Tests34
Table 20: Pre-Operational Periodic Information35
Table 21: Conditional Periodic Information37
Table 22: Error States37
Figure 1: Block Diagram6
Page 5
1 General
1.1 Overview

This document describes the cryptographic module Security Policy (SP) for the Google, LLC BoringCrypto (software version: 20240407) cryptographic module (also referred to as the “module” hereafter). It contains a specification of the security rules under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The module meets the overall Level 1 security requirements of FIPS 140-3.

1.2 Security Levels

Section Title Security Level

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Google, LLC BoringCrypto module is an open-source, general-purpose cryptographic library which provides FIPS 140-3 approved cryptographic algorithms to serve BoringSSL and other user-space applications. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The boundary of the module is defined as a single object file, bcm.o, and its instantiation in memory. Google, LLC 2025 Version 1.0 Public Material

Page 6

Tested Operational Environment’s Physical Perimeter (TOEPP): The TOEPP is the enclosure of the general purpose computer the module is running on. Figure 1: Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 7

Operating System Hardware Processors PAA/PAI Hypervisor Version(s) Platform or Host OS Google Prodimage with APIF-824 AMD EPYC Yes 20240407 Linux 5.10.0 7B12 Google Prodimage with APIF-824 AMD EPYC No 20240407 Linux 5.10.0 7B12 Google Prodimage with APIF-091 ARM Yes 20240407 Linux 5.10.0 Neoverse-N1 Google Prodimage with APIF-091 ARM No 20240407 Linux 5.10.0 Neoverse-N1 Google Prodimage with APIF-738 Intel Xeon Yes 20240407 Linux 5.10.0 8273CL Google Prodimage with APIF-738 Intel Xeon No 20240407 Linux 5.10.0 8273CL Table 3: Tested Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

The module contains no excluded components.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Name Indicator Approved When all self-tests pass and only Approved Approved Per service algorithms are invoked indication Non- When a non-Approved algorithm is invoked Non- Per service Approved Approved indication Table 4: Modes List and Description The module supports two modes of operation: Approved and Non-approved. The module will be in approved mode when all power up self-tests have completed successfully, and only Approved algorithms are invoked (see table below). The non-Approved mode is entered when a nonApproved algorithm is invoked (see table below). Mode Change Instructions and Status: The module does not enforce a general Approved mode, use the service indicators to determine whether a given service is operated in an Approved mode.

2.5 Algorithms

Google, LLC 2025 Version 1.0 Public Material

Page 8

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A5370 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A5370 Key Length - 128 SP 800-38C AES-CTR A5370 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A5370 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A5370 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.2 Key Length - 128, 192, 256 AES-GMAC A5370 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 192, 256 AES-KW A5370 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A5370 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 Counter DRBG A5370 Prediction Resistance - No SP 800-90A Mode - AES-256 Rev. 1 Derivation Function Enabled - No ECDSA KeyGen A5370 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Secret Generation Mode - testing candidates ECDSA KeyVer A5370 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) ECDSA SigGen A5370 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/256 ECDSA SigVer A5370 Curve - P-224, P-256, P-384, P-521 FIPS 186-5 (FIPS186-5) Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/256 HMAC-SHA-1 A5370 Key Length - Key Length: 8-524288 FIPS 198-1 Increment 8 HMAC-SHA2-224 A5370 Key Length - Key Length: 8-524288 FIPS 198-1 Increment 8 HMAC-SHA2-256 A5370 Key Length - Key Length: 8-524288 FIPS 198-1 Increment 8 HMAC-SHA2-384 A5370 Key Length - Key Length: 8-524288 FIPS 198-1 Increment 8 HMAC-SHA2-512 A5370 Key Length - Key Length: 8-524288 FIPS 198-1 Increment 8 HMAC-SHA2- A5370 Key Length - Key Length: 8-524288 FIPS 198-1 512/256 Increment 8 KAS-ECC-SSC A5370 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 P-224, P-256, P-384, P-521 Rev. 3 Google, LLC 2025 Version 1.0 Public Material

Page 9

Algorithm CAVP Properties Reference Cert Scheme ephemeralUnified KAS Role - initiator, responder staticUnified KAS Role - initiator, responder KAS-FFC-SSC A5370 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 FB, FC Rev. 3 Scheme dhEphem KAS Role - initiator KDA HKDF A5370 Derived Key Length - 2048 SP 800-56C Sp800-56Cr1 Shared Secret Length - Shared Secret Rev. 2 Length: 224-65336 Increment 8 HMAC Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/256 RSA KeyGen A5370 Key Generation Mode - probable FIPS 186-5 (FIPS186-5) Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard RSA SigGen A5370 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss RSA SigVer A5370 Modulo - 2048, 3072, 4096 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss SHA-1 A5370 Message Length - Message Length: 0- FIPS 180-4

65528 Increment 8

SHA2-224 A5370 Message Length - Message Length: 0- FIPS 180-4

65528 Increment 8

SHA2-256 A5370 Message Length - Message Length: 0- FIPS 180-4

65528 Increment 8

SHA2-384 A5370 Message Length - Message Length: 0- FIPS 180-4

65528 Increment 8

SHA2-512 A5370 Message Length - Message Length: 0- FIPS 180-4

65528 Increment 8

SHA2-512/256 A5370 Message Length - Message Length: 0- FIPS 180-4

65528 Increment 8

TLS v1.2 KDF A5370 Hash Algorithm - SHA2-256, SHA2-384, SP 800-135 RFC7627 (CVL) SHA2-512 Rev. 1 TLS v1.3 KDF A5370 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK- Rev. 1 DHE Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key N/A Section 4, example 1: U is directly output Type:Asymmetric without XORing V Google, LLC 2025 Version 1.0 Public Material

Page 10

Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function MD5, MD4 Non-Approved Hashing POLYVAL Non-Approved authenticated encryption DES, Triple-DES (non-compliant) Non-Approved encryption/decryption AES (non-compliant) Non-Approved encryption/decryption DH (non-compliant) Non-Approved key agreement RSA PKCS #1 v1.5 key wrapping (non-compliant) Non-Approved key wrapping TLS 1.0/1.1 KDF (non-compliant) Non-Approved TLS key derivation Table 7: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Authenticated BC-Auth Symmetric AES-CCM: Decryption authenticated (A5370) decryption of AES-GCM: calling (A5370) application data Authenticated BC-Auth Symmetric AES-CCM: Encryption authenticated (A5370) encryption of AES-GCM: calling (A5370) application data Decryption BC-UnAuth Symmetric AES-CBC: decryption of (A5370) calling AES-CTR: application data (A5370) AES-ECB: (A5370) Encryption BC-UnAuth Symmetric AES-CBC: encryption of (A5370) calling AES-CTR: application data (A5370) AES-ECB: (A5370) Google, LLC 2025 Version 1.0 Public Material

Page 11

Name Type Description Properties Algorithms Hashing SHA Hashing of SHA-1: (A5370) calling SHA2-224: application data (A5370) SHA2-256: (A5370) SHA2-384: (A5370) SHA2-512: (A5370) SHA2-512/256: (A5370) KAS-ECC-SSC KAS-SSC SP 800- Caveat:providing KAS-ECC-SSC 56Arev3. 128, 192, or 256 Sp800-56Ar3: KAS_ECC_SSC bits of (A5370) per IG D.F encryption CKG: () Scenario 2, path strength Key Type: (1) Asymmetric Counter DRBG: (A5370) AES-ECB: (A5370) KAS-FFC-SSC KAS-SSC SP 800- Caveat:providing KAS-FFC-SSC 56Arev3. 112 bits of Sp800-56Ar3: KAS_ECC_SSC encryption (A5370) per IG D.F strength CKG: () Scenario 2, path Key Type: (1) Asymmetric Counter DRBG: (A5370) AES-ECB: (A5370) Key Derivation KAS-56CKDF Hash Based Key KDA HKDF Hash Based Derivation to Sp800-56Cr1: support calling (A5370) application SHA2-224: (A5370) SHA2-256: (A5370) SHA2-384: (A5370) SHA2-512: (A5370) SHA2-512/256: (A5370) Key Derivation KAS-135KDF Key derivation to TLS v1.2 KDF TLS 1.2 support calling RFC7627: application's (A5370) TLS implement HMAC-SHA2256: (A5370) Google, LLC 2025 Version 1.0 Public Material

Page 12

Name Type Description Properties Algorithms SHA2-256: (A5370) HMAC-SHA2384: (A5370) SHA2-384: (A5370) HMAC-SHA2512: (A5370) SHA2-512: (A5370) Key Derivation KAS-135KDF Key derivation to TLS v1.3 KDF: TLS 1.3 support calling (A5370) application's HMAC-SHA2TLS implement 256: (A5370) SHA2-256: (A5370) HMAC-SHA2384: (A5370) SHA2-384: (A5370) AES-KeyWrap BC-Auth Symmetric key Caveat:providing AES-KW: wrapping to 128, 192, or 256 (A5370) support calling bits of AES-KWP: application's key encryption (A5370) transport strength Message MAC Message AES-GMAC: Authentication authentication of (A5370) calling HMAC-SHA-1: application data (A5370) Key Size: 112bit or greater HMAC-SHA2224: (A5370) Key Size: 112bit or greater HMAC-SHA2256: (A5370) Key Size: 112bit or greater HMAC-SHA2384: (A5370) Key Size: 112bit or greater HMAC-SHA2512: (A5370) Key Size: 112bit or greater HMAC-SHA2512/256: Google, LLC 2025 Version 1.0 Public Material

Page 13

Name Type Description Properties Algorithms (A5370) Key Size: 112bit or greater SHA-1: (A5370) SHA2-224: (A5370) SHA2-256: (A5370) SHA2-384: (A5370) SHA2-512: (A5370) SHA2-512/256: (A5370) Random Bit DRBG Random Bit Counter DRBG: Generation Generation (A5370) AES-ECB: (A5370) Signature DigSig-SigGen Digital signature ECDSA SigGen Generation generation to (FIPS186-5): support calling (A5370) application RSA SigGen (FIPS186-5): (A5370) SHA2-224: (A5370) SHA2-256: (A5370) SHA2-384: (A5370) SHA2-512: (A5370) SHA2-512/256: (A5370) Signature Key AsymKeyPair- Generation of ECDSA KeyGen Generation KeyGen digital signature (FIPS186-5): key pairs (A5370) RSA KeyGen (FIPS186-5): (A5370) CKG: () Key Type: Asymmetric Counter DRBG: (A5370) AES-ECB: (A5370) Google, LLC 2025 Version 1.0 Public Material

Page 14

Name Type Description Properties Algorithms Signature Key AsymKeyPair- Verification of ECDSA KeyVer Validation KeyVer ECDSA digital (FIPS186-5): signature key (A5370) pair Signature DigSig-SigVer Verification of ECDSA SigVer Verification digital signature (FIPS186-5): to support (A5370) calling RSA SigVer application (FIPS186-5): (A5370) SHA2-224: (A5370) SHA2-256: (A5370) SHA2-384: (A5370) SHA2-512: (A5370) SHA2-512/256: (A5370) Table 8: Security Function Implementations

2.7 Algorithm Specific Information

AES-CTR Reuse of a counter value under the same AES key in AES-CTR is a serious cryptographic vulnerability. The developer integrating the module must prevent this vulnerability by never providing a counter start value that is the same or earlier than the last counter value used under that key for AES-CTR encryption. AES-GCM In the case of AES-GCM, the IV generation method is user-selectable, and the value can be computed in more than one manner. The module does not implement the TLS protocol but offers cryptographic primitives that can be used by an external operator/application to implement TLS. The following restrictions must be followed when an external operator/application uses the module’s AES-GCM within a TLS implementation. In the context of the TLS protocol version 1.3, AES-GCM encryption and decryption is used compliant to Scenario 5 in FIPS 140-3 IG C.H. The module is compliant with NIST SP 80052rev2 and the mechanism for IV generation is compliant with RFC 8446. The module ensures that it is strictly increasing and thus cannot repeat. When the IV exhausts the maximum number of possible values for a given session key, the first party (client or server) to encounter this condition may either send a TLS 1.3 KeyUpdate message to establish a new encryption key, or fail. In either case, the module prevents any IV duplication and thus enforces the security property. Google, LLC 2025 Version 1.0 Public Material

Page 15

In the context of the TLS protocol version 1.2, AES-GCM encryption and decryption is used compliant to Scenario 1 in FIPS 140-3 IG C.H. The module is compatible with TLS protocol version 1.2 using AES-GCM ciphersuites as specified in NIST SP 800-52rev2, Section 3.3.1, and the mechanism for IV generation is compliant with RFC 5288. The module ensures that it is strictly increasing and thus cannot repeat. When the IV exhausts the maximum number of possible values for a given session key, the first party (client or server) to encounter this condition may either trigger a handshake to establish a new encryption key in accordance with RFC 5246 or fail. In either case, the module prevents any IV duplication and thus enforces the security property. The module’s IV is generated internally by the module’s Approved DRBG, which is internal to the module’s boundary. The IV is 96 bits in length per NIST SP 800-38D, Section 8.2.2 and FIPS 140-3 IG C.H scenario 2. The selection of the IV construction method is the responsibility of the user of this cryptographic module. In approved mode, only internally generated IVs, or the TLS modes described above, are considered compliant for use. Per IG C.H, in the event module power is lost and restored, the consuming application must ensure that any of its AES-GCM keys used for encryption or decryption are re-distributed. AES-KW / AES-KWP The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS. Counter DRBG The CTR_DRBG is used without a derivation function. IG D.L requires that a CTR_DRNG used without a derivation function shall be seeded from an entropy source producing full-entropy outputs, and the entropy source shall be located within the TOEPP. The module relies on passively provided entropy and it is the responsibility of the developer integrating the module to ensure that the entropy used to seed the DRBG comes from a source located within the TOEPP which CMVP has evaluated as producing full entropy output. KAS-ECC-SSC and KAS-FFC-SSC The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS. Hashing The module does not perform truncation of hash outputs except as part of the approved SHA2224, SHA2-512/256, and SHA2-384 algorithms. These algorithms inherently produce hash outputs of 224, 256, and 384 bits, respectively, as defined by FIPS 180-4. The module complies with IG C.L because no additional or manual truncation of hash outputs is implemented by the module in any other context. Legacy Use Algorithms SHA-1 is categorized as Legacy Use when using as part of digital signature verification. Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M. It is the responsibility of the developer integrating the module to ensure this restriction is met. Google, LLC 2025 Version 1.0 Public Material

Page 16
2.8 RBG and Entropy

N/A for this module. N/A for this module. The module passively receives entropy, per IG 9.3.A case 2(b), and shall be provided at least

384 bits of entropy. Use a SP 800-90B compliant entropy source with at least 256 bits of

security strength. Entropy is supplied to the Module via callback functions. The callback functions shall return an error if the minimum entropy strength cannot be met. The caveat “No assurance of the minimum strength of generated SSPs (e.g., keys)” is applicable.

2.9 Key Generation

The module provides several key generation methods.

8446 TLS v1.3 KDF.
2.10 Key Establishment

The module provides the cryptographic building blocks for key agreement in its SP 800-56Arev3 KAS-ECC-SSC and KAS-FFC-SSC algorithms. A calling application may link these to the module’s SP 800-135rev1 TLS v1.2 KDF or RFC 8446 TLS v1.3 KDF to form a complete key agreement scheme. No other part of the TLS protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

2.11 Industry Protocols

The module does not implement any complete industry protocols, however it provides the key agreement and key derivation cryptographic algorithm building blocks to allow calling applications to implement the industry standard TLS v1.2 RFC 7627 or TLS v1.3 protocols using FIPS approved key establishment. The key establishment and generation primitives are described in sections 2.9 and 2.10, and the use of AES-GCM within them described in section 2.7. Google, LLC 2025 Version 1.0 Public Material

Page 17
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) n/a Data Input API input parameters n/a Data Output API output parameters and return values n/a Control Input API input parameters n/a Status Output API return values Table 9: Ports and Interfaces The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the actual API input parameters. The Status Output interface includes the return values of the API functions. As a software module, control of the physical ports is outside the module scope. However, when the module is performing self-tests, or is in an error state, all output on the module’s logical data output interfaces is inhibited. The module does not implement a power interface or a control output interface.

4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The module does not support operator authentication.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer (CO) Role Crypto Officer None Table 10: Roles The cryptographic module only implements a Crypto Officer (CO) role. The CO role is implicitly assumed by the entity accessing services implemented by the module. An operator is considered the owner of the thread that instantiates the module and, therefore, only one concurrent operator is allowed.

4.3 Approved Services

Google, LLC 2025 Version 1.0 Public Material

Page 18

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Module Module N/A N/A Return None Crypto Initializati Initializatio Code Officer on n (CO) Symmetr Symmetric fips_service_indi Plaintext, Return Authenticat Crypto ic encryption cator set to 1 AAD, IV, code, ed Officer Encryptio of calling encryptio ciphertext, Encryption (CO) n application n key tag Encryption - AES data Key: W,E - AESGCM Key: W,E Symmetr Symmetric fips_service_indi Cipherte Return Authenticat Crypto ic decryption cator set to 1 xt, AAD, code, ed Officer Decrypti of calling IV, tag, plaintext Decryption (CO) on application decryptio Decryption - AES data n key Key: W,E - AESGCM Key: W,E Keyed Symmetric fips_service_indi Message Return Message Crypto Hashing message cator set to 1 , key code, Authenticat Officer authenticat Message ion (CO) ion of Authenticat - HMAC calling ion Code Key: W,E application - AESdata GCM Key: W,E Hashing Hashing of fips_service_indi Message Return Hashing Crypto calling cator set to 1 code, hash Officer application (CO) data Random Generation fips_service_indi API call Return Random Crypto Bit of random cator set to 1 paramete code, Bit Officer Generati bits for rs random Generation (CO) on calling bits application CTR_DR BG Entropy Input: W,E CTR_DR BG Seed: G,E CTR_DR BG V: G,E Google, LLC 2025 Version 1.0 Public Material

Page 19

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access CTR_DR BG Key: G,E Signatur Digital fips_service_indi Message Return Signature Crypto e signature cator set to 1 , signing code, Generation Officer Generati of calling key signature (CO) on application - ECDSA data Signing Key: W,E - RSA Signature Generatio n Key: W,E CTR_DR BG V: E CTR_DR BG Key: E Signatur Digital fips_service_indi Signatur Return Signature Crypto e signature cator set to 1 e, code Verification Officer Verificati verification verificatio (CO) on of calling n key - ECDSA application Verificatio data n Key: W,E - RSA Signature Verificatio n Key: W,E Key Symmetric fips_service_indi API call Return AES- Crypto Wrap key cator set to 1 paramete code, KeyWrap Officer Service wrapping rs, wrapped (CO) of calling unwrapp key - AES application ed key, Wrapping key wrapping Key: W,E key Unwrapp ed Key: W Wrapped Key: G,R Google, LLC 2025 Version 1.0 Public Material

Page 20

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Key Symmetric fips_service_indi API call Return AES- Crypto Unwrap key cator set to 1 paramete code, KeyWrap Officer Service unwrappin rs, unwrapped (CO) g of calling wrapped key - AES application key Wrapping key Key: W,E Wrapped Key: W Unwrapp ed Key: G,R Key API call fips_service_indi Return Return KAS-ECC- Crypto Agreeme parameter cator set to 1 code, code, SSC Officer nt s shared shared KAS-FFC- (CO) Service secret secret SSC - EC DH Private Key: G,E - EC DH Public Key: G,R - Other Party EC DH Public Key: W,E - DH Private Key: G,E - DH Public Key: W,E - Other Party DH Public Key: W,E - KAS Shared Secret: G,R Key Hash fips_service_indi API call Return Key Crypto Derivatio based key cator set to 1 paramete code, Derivation Officer n KDA derivation rs, derived Hash (CO) for calling shared keying Based - KDA application secret material Shared Secret: W,E - Derived Google, LLC 2025 Version 1.0 Public Material

Page 21

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Keying Material: G,R TLS Key TLS Key fips_service_indi API call Return Key Crypto Derivatio derivation cator set to 1 paramete code, TLS Derivation Officer n for calling rs, TLS keying TLS 1.2 (CO) application KDF material Key - TLS input Derivation KDF TLS 1.3 Input: G,E - TLS Keying Material: G,R Key Asymmetri fips_service_indi API call Return Signature Crypto Generati c key cator set to 1 paramete code, key Key Officer on generation rs pair Generation (CO) - ECDSA Signing Key: G,R - ECDSA Verificatio n Key: G,R - RSA Signature Generatio n Key: G,R - RSA Signature Verificatio n Key: G,R CTR_DR BG V: E CTR_DR BG Key: E Key Asymmetri fips_service_indi API call Return Signature Crypto Verificati c key pair cator set to 1 paramete code Key Officer on validation rs, key Validation (CO) pair - ECDSA Signing Key: W,E - ECDSA Google, LLC 2025 Version 1.0 Public Material

Page 22

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Verificatio n Key: W,E On- On- fips_service_indi N/A Return Authenticat Crypto Demand Demand cator set to 1 Code ed Officer Self-Test Self-Test Decryption (CO) Authenticat ed Encryption Decryption Encryption Hashing KAS-ECCSSC KAS-FFCSSC Key Derivation Hash Based Key Derivation TLS 1.2 Key Derivation TLS 1.3 AESKeyWrap Message Authenticat ion Random Bit Generation Signature Generation Signature Verification Zeroisati Zeroisation fips_service_indi N/A N/A None Crypto on cator set to 1 Officer (CO) - AES Key: Z - AESGCM Key: Z - AES Wrapping Key: Z Google, LLC 2025 Version 1.0 Public Material

Page 23

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Wrapped Key: Z Unwrapp ed Key: Z - ECDSA Signing Key: Z - ECDSA Verificatio n Key: Z - EC DH Private Key: Z - EC DH Public Key: Z - Other Party EC DH Public Key: Z - DH Private Key: Z - DH Public Key: Z - Other Party DH Public Key: Z - KAS Shared Secret: Z - KDA Shared Secret: Z - HMAC Key: Z - RSA Signature Generatio n Key: Z - RSA Signature Verificatio n Key: Z Google, LLC 2025 Version 1.0 Public Material

Page 24

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access - TLS KDF Input: Z - TLS Keying Material: Z CTR_DR BG Entropy Input: Z CTR_DR BG Seed: Z CTR_DR BG V: Z CTR_DR BG Key: Z - Derived Keying Material: Z Show Show fips_service_indi API call Return None Crypto Status Status cator set to 1 paramete code, Officer rs status (CO) Show Show fips_service_indi API call Return None Crypto Name module cator set to 1 paramete code, Officer name rs string of (CO) module name Show Show fips_service_indi API call Return None Crypto Version module cator set to 1 paramete code, Officer version rs string of (CO) module version Table 11: Approved Services The Approved services supported by the module and access rights within services accessible over the module’s public interface are listed in the table above. The corresponding FIPS_service_indicator_xxx function can be called to query the approved algorithm status of the proceeding service call, or the macro CALL_SERVICE_AND_CHECK_APPROVED can be used to automatically check the approved Google, LLC 2025 Version 1.0 Public Material

Page 25

service indicator and inform the calling application whether the service called through the macro was FIPSStatus::APPROVED or FIPSStatus::NOT_APPROVED.

4.4 Non-Approved Services

Name Description Algorithms Role TLS 1.0/1.1 KDF Perform hashing operations TLS 1.0/1.1 KDF Crypto when used with the TLS (non-compliant) Officer protocol version 1.0 and 1.1 (CO) Hashing Perform hashing operations MD5, MD4 Crypto Officer (CO) Hashing for GCM-SIV Used as part of AES-GCM- POLYVAL Crypto SIV Officer (CO) Symmetric Perform symmetric encryption DES, Triple-DES Crypto encryption/decryption and/or decryption operations (non-compliant) Officer AES (non-compliant) (CO) Key Transport Perform RSA PKCS #1 v1.5 RSA PKCS #1 v1.5 Crypto key transport key wrapping (non- Officer compliant) (CO) Key Agreement Perform non-compliant DH DH (non-compliant) Crypto key agreement Officer (CO) Table 12: Non-Approved Services Non-Approved Services are listed in the table above.

4.5 External Software/Firmware Loaded

The module does not support external software loading.

5 Software/Firmware Security
5.1 Integrity Techniques

The pre-operational integrity test is performed using HMAC-SHA-256.

5.2 Initiate on Demand

The integrity test can be executed on demand by power-cycling the host platform and reloading the module.

5.3 Open-Source Parameters

The module is open-source. To build the approved version of the module the following tools are required to build and compile the module. Google, LLC 2025 Version 1.0 Public Material

Page 26

Target Tools Platform Linux

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable The module runs on a GPC, which is a modifiable operational environment, running one of the operating systems specified in Table 2. Each tested operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner of the calling application that instantiates the module. No special configuration of the operating system is required. The module is designed to ensure that the power-up tests are initiated automatically when the module is loaded.

7 Physical Security

As a software module, the physical security requirements are not applicable.

8 Non-Invasive Security

The module does not claim any non-invasive security measures.

9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Ephemeral storage in RAM Dynamic Table 13: Storage Areas The module has no persistent SSP storage, all SSPs are stored ephemerally in RAM and are zeroised once no longer needed.

9.2 SSP Input-Output Methods

Google, LLC 2025 Version 1.0 Public Material

Page 27

Name From To Format Distribution Entry SFI or Type Type Type Algorithm PT Input Calling RAM Plaintext N/A Electronic Application PT RAM Calling Plaintext N/A Electronic Output Application Table 14: SSP Input-Output Methods The software module inputs and outputs SSP only as part of its API, and normally they are input or output in plaintext. The exceptions are the services that provide key wrapping or key unwrapping, where the wrapped key is entered or output encrypted.

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Power Cycle Turn off or power All module SSPs are held Procedural Host cycle the host ephemerally in RAM, so turning off turn off or computer to clear all or power cycling the computer will power cycle RAM contents cause them to be irretrievably lost. host Table 15: SSP Zeroization Methods The software module has no persistent SSP storage and the zeroisation method for all SSP is procedural. The operator may power-cycle the host computer to zeroise all SSPs the module currently holds.

9.4 SSPs

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h AES Key AES Key 128 192 Symmetri Decryption

256 - c Key - Encryption
128 192 CSP

AES-GCM AES-GCM 128 192 Symmetri Authenticated Key Key 256 - c Key - Decryption

128 192 CSP Authenticated
256 Encryption

Message Authenticatio n AES AES 128 192 Symmetri AESWrapping Wrapping 256 - c Key - KeyWrap Key Key 128 192 CSP Wrapped Any calling Any - Any Key application Any CSP Google, LLC 2025 Version 1.0 Public Material

Page 28

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h key the module AES Key Wraps Unwrapped Any calling Any - Any Key application Any CSP key the module AES Key Unwraps ECDSA ECDSA P-224 P- Private - Signature Signature Signing Key Signing 256 P- CSP Key Generation Key 384 P- Generatio Signature

521 - n Key
112 128 Validation
192 256

ECDSA ECDSA P-224 P- Public - Signature Signature Verification Verification 256 P- PSP Key Key Key Key 384 P- Generatio Validation

521 - n Signature
112 128 Verification
192 256

EC DH EC DH P-256 P- Private - KAS-ECC- KAS-ECCPrivate Key Private Key 384 P- CSP SSC SSC

521 -
128 192

EC DH EC DH P-256 P- Public - KAS-ECC- KAS-ECCPublic Key Private Key 384 P- PSP SSC SSC

521 -
128 192

Other Party Other Party P-256 P- Public - KAS-ECCEC DH EC DH 384 P- PSP SSC Public Key Public Key 521 -

128 192

DH Private DH Private 2048 - Private - KAS-FFC- KAS-FFCKey Key 112 CSP SSC SSC DH Public DH Public 2048 - Public - KAS-FFC- KAS-FFCKey Key 112 PSP SSC SSC Other Party Other Party 2048 - Public - KAS-FFCDH Public DH Public 112 PSP SSC Key Key KAS KAS At least Shared KAS-ECCShared Shared 112-bit - Secret - SSC Secret Secret CSP Google, LLC 2025 Version 1.0 Public Material

Page 29

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h At least KAS-FFC112-bit SSC KDA KDA At least Shared Key Shared Shared 112-bit - Secret - Derivation Secret Secret At least CSP Hash Based 112-bit Derived Derived 112 - Symmetri Key Keying Keying 512 - c Key - Derivation Material Material 112 - CSP Hash

512 Based

HMAC Key HMAC Key At least Symmetri Message 112-bit - c Key - Authenticatio At least CSP n 112-bit RSA RSA 2048 Private - Signature Signature Signature Signature 3072 CSP Key Generation Generation Generation 4096 - Generatio Key Key 112 128 n RSA RSA 2048 Public - Signature Signature Signature Signature 3072 PSP Key Verification Verification Verification 4096 - Generatio Key Key 112 128 n TLS KDF TLS KDF At least Shared Key Input input 112-bit - Secret - Derivation keying At least CSP TLS 1.2 material 112-bit Key Derivation TLS 1.3 TLS Keying TLS Keying At least Symmetri Key Material material 112-bit - c Key - Derivation from TLS At least CSP TLS 1.2 KDF, for 112-bit Key use by Derivation calling TLS 1.3 application TLS protocol CTR_DRB CTR_DRB 384 - Entropy G Entropy G Entropy 384 Input Input Input CSP CTR_DRB CTR_DRB 384 - DRBG Random G Seed G Seed 384 CSP - Bit CSP Generatio n Google, LLC 2025 Version 1.0 Public Material

Page 30

Name Descriptio Size - Type - Generate Establishe Used By n Strengt Category d By d By h CTR_DRB CTR_DRB 128 - DRBG Random GV GV 128 CSP - Bit CSP Generatio n CTR_DRB CTR_DRB 256 - DRBG Random G Key G Key 256 CSP - Bit CSP Generatio n Table 16: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES Key PT RAM:Plaintext Until function Power Input completion Cycle Host AES-GCM PT RAM:Plaintext Until function Power Key Input completion Cycle Host AES PT RAM:Plaintext Until function Power Wrapped Wrapping Input completion Cycle Host Key:Encrypts Key Unwrapped Key:Decrypts Wrapped PT RAM:Plaintext Until function Power AES Wrapping Key Input completion Cycle Host Key:Wrapped By PT Output Unwrapped PT RAM:Plaintext Until function Power AES Wrapping Key Input completion Cycle Host Key:Unwrapped By PT Output ECDSA PT RAM:Plaintext Until function Power ECDSA Verification Signing Key Input completion Cycle Host Key:Paired With PT Output ECDSA PT RAM:Plaintext Until function Power ECDSA Signing Verification Input completion Cycle Host Key:Paired With Key PT Output EC DH PT RAM:Plaintext Until function Power EC DH Public Private Key Input completion Cycle Host Key:Paired With PT Other Party EC DH Output Public Key:Used With KAS Shared Secret:Establishes EC DH PT RAM:Plaintext Until function Power EC DH Private Public Key Input completion Cycle Host Key:Paired With Google, LLC 2025 Version 1.0 Public Material

Page 31

Name Input - Storage Storage Zeroization Related SSPs Output Duration PT Output Other Party PT RAM:Plaintext Until function Power EC DH Private EC DH Input completion Cycle Host Key:Used With Public Key KAS Shared Secret:Establishes DH Private PT RAM:Plaintext Until function Power DH Public Key Input completion Cycle Host Key:Paired With PT Other Party DH Output Public Key:Used With KAS Shared Secret:Establishes DH Public PT RAM:Plaintext Until function Power DH Private Key Input completion Cycle Host Key:Paired With PT Output Other Party PT RAM:Plaintext Until function Power DH Private DH Public Input completion Cycle Host Key:Used With Key KAS Shared Secret:Establishes KAS Shared PT RAM:Plaintext Until function Power EC DH Private Secret Input completion Cycle Host Key:Established By PT Other Party EC DH Output Public Key:Established By DH Private Key:Established By Other Party DH Public Key:Established By KDA Shared PT RAM:Plaintext Until function Power Derived Keying Secret Input completion Cycle Host Material:Derives Derived PT RAM:Plaintext Until function Power KDA Shared Keying Output completion Cycle Host Secret:Derived Material From HMAC Key PT RAM:Plaintext Until function Power Input completion Cycle Host RSA PT RAM:Plaintext Until function Power RSA Signature Signature Input completion Cycle Host Verification Generation PT Key:Paired With Key Output RSA PT RAM:Plaintext Until function Power RSA Signature Signature Input completion Cycle Host Generation Verification PT Key:Paired With Key Output TLS KDF PT RAM:Plaintext Until function Power TLS Keying Input Input completion Cycle Host Material:Derives Google, LLC 2025 Version 1.0 Public Material

Page 32

Name Input - Storage Storage Zeroization Related SSPs Output Duration TLS Keying PT RAM:Plaintext Until function Power TLS KDF Material Output completion Cycle Host Input:Derived From CTR_DRBG PT RAM:Plaintext Until function Power CTR_DRBG Entropy Input completion Cycle Host Seed:Derives Input CTR_DRBG RAM:Plaintext Until DRBG Power CTR_DRBG Seed iunnstantiation Cycle Host Entropy Input:Derived From CTR_DRBG V:Derives CTR_DRBG Key:Derives CTR_DRBG RAM:Plaintext Until DRBG Power CTR_DRBG V iunnstantiation Cycle Host Seed:Derived From CTR_DRBG RAM:Plaintext Until DRBG Power CTR_DRBG Key iunnstantiation Cycle Host Seed:Derived From Table 17: SSP Table 2

10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Test Type Indicator Details Test Properties Method HMAC-SHA2- Hardcoded Integrity SW/FW return code of 1 Single HMAC

256 (A5370) 512 bit key Integrity for success, 0 for over entire

failure module Table 18: Pre-Operational Self-Tests Pre-operational self-tests are run upon the initialization of the module. The CAST (Cryptographic Algorithm Self-Test) for HMAC-SHA2-256 is performed before the integrity test. Self-tests do not require operator intervention to run. If any of the tests fail, the module will not initialize and enter an error state where no services can be accessed.

10.2 Conditional Self-Tests

Algorith Test Test Test Indicator Details Conditio m or Properti Method Type ns Test es AES- 128 KAT CAS None on success. "AES- Encrypt module CBC T CBC-encrypt KAT failed" power-up Encrypt on stderr on failure. KAT Google, LLC 2025 Version 1.0 Public Material

Page 33

Algorith Test Test Test Indicator Details Conditio m or Properti Method Type ns Test es AES- 128 KAT CAS None on success. "AES- Decrypt module CBC T CBC-decrypt KAT failed" power-up Decrypt on stderr on failure. KAT AES- 128 KAT CAS None on success. "AES- Encrypt module GCM T GCM-encrypt KAT failed" power-up Encrypt on stderr on failure. KAT AES- 128 KAT CAS None on success. "AES- Decrypt module GCM T GCM-decrypt KAT failed" power-up Decrypt on stderr on failure. KAT Counter initialize, KAT CAS None on success. "CTR- Instantiat module DRBG reseed, T DRBG failed" on stderr e, power-up KAT generate on failure. Reseed, tests, per Generate SP 80090Arev1 Section 11.3 ECDSA P-256 KAT CAS None on success. Sign On first SigGen T "ECDSA-sign KAT failed" use KAT on stderr on failure. ECDSA P-256 KAT CAS None on success. Verify On first SigVer T "ECDSA-verify KAT use KAT failed" on stderr on failure. HMAC- 128 KAT CAS None on success. MAC module SHA2- T "HMAC-SHA-256 KAT power-up

256 KAT failed" on stderr on

failure. KAS- P-256 KAT CAS None on success. "Z- SSC On first ECC- T computation KAT failed." use SSC on stderr on failure. Sp80056Ar3 KAT KAS- 2048 KAT CAS None on success. "FFDH SSC On first FFC- T failed" on stderr on use SSC failure. Sp80056Ar3 KAT KDA HMAC KAT CAS None on success. "HKDF KDF module HKDF SHA-256 T failed" on stderr on power-up Sp800- failure. Google, LLC 2025 Version 1.0 Public Material

Page 34

Algorith Test Test Test Indicator Details Conditio m or Properti Method Type ns Test es 56Cr1 KAT RSA 2048 KAT CAS None on success. "RSA- Sign On first SigGen T sign KAT failed" on stderr use KAT on failure. RSA 2048 KAT CAS None on success. "RSA- Verify On first SigVer T verify KAT failed" on use KAT stderr on failure. SHA-1 n/a KAT CAS None on success. "SHA- Hash module KAT T 1 KAT failed" on stderr on power-up failure. SHA2- n/a KAT CAS None on success. "SHA- Hash module

256 KAT T 256 KAT failed" on stderr power-up

on failure. SHA2- n/a KAT CAS None on success. "SHA- Hash module

512 KAT T 512 KAT failed" on stderr power-up

on failure. TLS v1.2 SHA-256 KAT CAS None on success. KDF module KDF T "TLS12-KDF KAT failed" power-up RFC762 on stderr on failure.

7 KAT

TLS v1.3 SHA-256 KAT CAS None on success. KDF module KDF T "TLS13-KDF KAT failed" power-up KAT on stderr on failure. ECDSA Generate Sign/Veri PCT None on success. Sign/Veri Keypair KeyGen d key- fy PCT "EC_KEY_generate_key_ fy PCT generated PCT pair fips failed" on stderr on failure. RSA Generate Sign/Veri PCT None on success. Sign/Veri Keypair KeyGen d key- fy PCT "RSA_generate_key_fips fy PCT generated PCT pair failed" on stderr on failure. KAS- Generate SP 800- PCT None on success. SP 800- Keypair ECC- d key- 56Arev3 Module aborted on 56Arev3 generated SSC pair validity failure. validity Sp800- tests tests 56Ar3 PCT KAS- Generate SP 800- PCT None on success. Module SP 800- Keypair FFC- d key- 56Arev3 aborted on failure. 56Arev3 generated SSC pair validity validity Sp800- tests tests 56Ar3 PCT Table 19: Conditional Self-Tests Google, LLC 2025 Version 1.0 Public Material

Page 35

Conditional cryptographic algorithm self-tests (CAST) are run prior to the first use of the cryptographic algorithm. CASTs do not require operator intervention to run. If any of the tests fail, the module will enter an error state and no services can be accessed. Pair-wise consistency tests (PCT) are run during the module’s operation when a new asymmetric keypair is generated. If any of these tests fail, the module will enter an error state, where no services can be accessed by the operators. The module can be re-initialized to clear the error and resume approved mode of operation.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Integrity SW/FW Integrity On startup Manually call

256 (A5370) On-Demand

Self-Test service or restart module Table 20: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST Operator chosen Manually call Encrypt KAT On-Demand Self-Test service or restart module AES-CBC KAT CAST Operator chosen Manually call Decrypt KAT On-Demand Self-Test service or restart module AES-GCM KAT CAST Operator chosen Manually call Encrypt KAT On-Demand Self-Test service or restart module AES-GCM KAT CAST Operator chosen Manually call Decrypt KAT On-Demand Self-Test service or restart module Counter DRBG KAT CAST Operator chosen Manually call KAT On-Demand Self-Test service or restart module Google, LLC 2025 Version 1.0 Public Material

Page 36

Algorithm or Test Method Test Type Period Periodic Test Method ECDSA SigGen KAT CAST Operator chosen Manually call KAT On-Demand Self-Test service or restart module ECDSA SigVer KAT CAST Operator chosen Manually call KAT On-Demand Self-Test service or restart module HMAC-SHA2- KAT CAST Operator chosen Manually call

256 KAT On-Demand

Self-Test service or restart module KAS-ECC-SSC KAT CAST Operator chosen Manually call Sp800-56Ar3 On-Demand KAT Self-Test service or restart module KAS-FFC-SSC KAT CAST Operator chosen Manually call Sp800-56Ar3 On-Demand KAT Self-Test service or restart module KDA HKDF KAT CAST Operator chosen Manually call Sp800-56Cr1 On-Demand KAT Self-Test service or restart module RSA SigGen KAT CAST Operator chosen Manually call KAT On-Demand Self-Test service or restart module RSA SigVer KAT CAST Operator chosen Manually call KAT On-Demand Self-Test service or restart module SHA-1 KAT KAT CAST Operator chosen Manually call On-Demand Self-Test service or restart module SHA2-256 KAT KAT CAST Operator chosen Manually call On-Demand Self-Test service Google, LLC 2025 Version 1.0 Public Material

Page 37

Algorithm or Test Method Test Type Period Periodic Test Method or restart module SHA2-512 KAT KAT CAST Operator chosen Manually call On-Demand Self-Test service or restart module TLS v1.2 KDF KAT CAST Operator chosen Manually call RFC7627 KAT On-Demand Self-Test service or restart module TLS v1.3 KDF KAT CAST Operator chosen Manually call KAT On-Demand Self-Test service or restart module ECDSA KeyGen Sign/Verify PCT PCT n/a n/a PCT RSA KeyGen Sign/Verify PCT PCT n/a n/a PCT KAS-ECC-SSC SP 800-56Arev3 PCT n/a n/a Sp800-56Ar3 validity tests PCT KAS-FFC-SSC SP 800-56Arev3 PCT n/a n/a Sp800-56Ar3 validity tests PCT Table 21: Conditional Periodic Information A level 1 module does not require automatic periodic self-testing, however self-tests can be rerun by On-Demand Self-Test service (BORINGSSL_self_test) or restarting the module.

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The module's Failure of any Restart the Possible indication of failed state error state FIPS self-test module test on stderr. Module aborts. Table 22: Error States The module’s single error state is shows above. Google, LLC 2025 Version 1.0 Public Material

Page 38
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The cryptographic module is initialized by loading the module before any cryptographic functionality is available. In User Space the operating system is responsible for the initialization process and loading of the library. General guidance about the module can be found at https://boringssl.googlesource.com/boringssl. This includes information about the APIs, building and specific information related to FIPS can be found at https://boringssl.googlesource.com/boringssl.git/+/refs/heads/fips20230428/crypto/fipsmodule/FIPS.md (note this still mentions 140-2, but the information there is the same). The module is open source and must be built on a Linux workstation using the tools in section

5.3 Open Source Parameters.

Once the above tools have been obtained, issue the following command to create a CMake toolchain file to specify the use of Clang: printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain The FIPS 140-3 validated release of the module can be obtained by downloading the tarball containing the source code at the following location: https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl85897d07196b7bf164dbd4673fc78b762aff3e8b.tar.xz or by issuing the following command: wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl85897d07196b7bf164dbd4673fc78b762aff3e8b.tar.xz The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions, or alterations of this set as used during module build. The downloaded tarball file can be verified using the below SHA-256 digest value: b1c87a2746e831dd51448038d8ec7d0ba256d949e73dace0c9a1484889d82d1a By issuing the following command: sha256sum boringssl-85897d07196b7bf164dbd4673fc78b762aff3e8b.tar.xz The tarball can be extracted using the following command: tar xJ < boringssl-85897d07196b7bf164dbd4673fc78b762aff3e8b.tar.xz After the tarball has been extracted, the following commands will compile the module: Google, LLC 2025 Version 1.0 Public Material

Page 39

cd boringssl mkdir build && cd build ninja bcm.o Retrieving Module name and version The following methods will provide the module name and versions:

11.2 Administrator Guidance

CSP Sharing Non-Approved cryptographic algorithms shall not share the same key or CSP as an approved algorithm. As such, Approved algorithms shall not use the keys generated by the module’s NonApproved key generation methods or the converse.

11.3 Non-Administrator Guidance

The module does not support a non-administrator role.

11.4 Additional Information

The source code for the module is maintained in a git repository. While in development, work on the code is maintained internally, before eventually being released externally. BoringCrypto is released publicly to https://boringssl.googlesource.com/boringssl (this is the generic version, available under the Building for Linux instructions). The version number is determined by the developer releasing the version, though git attaches hashes to every single file and branch in the repository.

12 Mitigation of Other Attacks

The module is not designed to mitigate against attacks that are outside of the scope of FIPS 140-3. Google, LLC 2025 Version 1.0 Public Material