| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 12/10/2030 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | ST Engineering Urban Solutions Ltd. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A5154 |
| AES-CBC-CS1 | A5154 |
| AES-CBC-CS2 | A5154 |
| AES-CBC-CS3 | A5154 |
| AES-CCM | A5154 |
| AES-CFB1 | A5154 |
| AES-CFB128 | A5154 |
| AES-CFB8 | A5154 |
| AES-CMAC | A5154 |
| AES-CTR | A5154 |
| AES-ECB | A5154 |
| AES-GCM | A5154 |
| AES-GMAC | A5154 |
| AES-KW | A5154 |
| AES-KWP | A5154 |
| AES-OFB | A5154 |
| AES-XTS Testing Revision 2.0 | A5154 |
| Counter DRBG | A5154 |
| ECDSA KeyGen (FIPS186-5) | A5154 |
| ECDSA KeyVer (FIPS186-5) | A5154 |
| ECDSA SigGen (FIPS186-5) | A5154 |
| ECDSA SigVer (FIPS186-5) | A5154 |
| Hash DRBG | A5154 |
| HMAC DRBG | A5154 |
| HMAC-SHA-1 | A5154 |
| HMAC-SHA2-224 | A5154 |
| HMAC-SHA2-256 | A5154 |
| HMAC-SHA2-384 | A5154 |
| HMAC-SHA2-512 | A5154 |
| HMAC-SHA2- 512/224 | A5154 |
| HMAC-SHA2- 512/256 | A5154 |
| HMAC-SHA3-224 | A5154 |
| HMAC-SHA3-256 | A5154 |
| HMAC-SHA3-384 | A5154 |
| HMAC-SHA3-512 | A5154 |
| KAS-ECC CDH- Component SP800-56Ar3 (CVL) | A5154 |
| KAS-ECC-SSC Sp800-56Ar3 | A5154 |
| KAS-FFC-SSC Sp800-56Ar3 | A5154 |
| KAS-IFC-SSC | A5154 |
| KDA HKDF SP800-56Cr2 | A5154 |
| KDA OneStep SP800-56Cr2 | A5154 |
| KDA TwoStep SP800-56Cr2 | A5154 |
| KDF ANS 9.42 (CVL) | A5154 |
| KDF ANS 9.63 (CVL) | A5154 |
| KDF KMAC Sp800-108r1 | A5154 |
| KDF SP800-108 | A5154 |
| KDF SSH (CVL) | A5154 |
| KTS-IFC | A5154 |
| PBKDF | A5154 |
| RSA KeyGen (FIPS186-5) | A5154 |
| RSA SigGen (FIPS186-5) | A5154 |
| RSA Signature Primitive (CVL) | A5154 |
| RSA SigVer (FIPS186-4) | A5154 |
| RSA SigVer (FIPS186-5) | A5154 |
| SHA-1 | A5154 |
| SHA2-224 | A5154 |
| SHA2-256 | A5154 |
| SHA2-384 | A5154 |
| SHA2-512 | A5154 |
| SHA2-512/224 | A5154 |
| SHA2-512/256 | A5154 |
| SHA3-224 | A5154 |
| SHA3-256 | A5154 |
| SHA3-384 | A5154 |
| SHA3-512 | A5154 |
| SHAKE-128 | A5154 |
| SHAKE-256 | A5154 |
| TLS v1.2 KDF RFC7627 (CVL) | A5154 |
| TLS v1.3 KDF (CVL) | A5154 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Triton 2 Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES Encrypt/Decrypt<br/>Self-tests<br/>Show Status/Show Version</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Triton 2 Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES Encrypt/Decrypt<br/>Self-tests<br/>Show Status/Show Version</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3 clueHigh;
class C5,C6 clueLow;ST Engineering Urban Solutions Ltd. Triton 2 Cryptographic Module This document may be freely reproduced and distributed in its entirety without modification.
| # | Section | Page |
|---|---|---|
| 1 | General | 4 |
| 1.1 | Overview | 4 |
| 1.2 | Security Levels | 5 |
| 1.3 | Additional Information | 5 |
| 2 | Cryptographic Module Specification | 6 |
| 2.1 | Description | 6 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 7 |
| 2.3 | Excluded Components | 8 |
| 2.4 | Modes of Operation | 8 |
| 2.5 | Algorithms | 9 |
| 2.6 | Security Function Implementations | 16 |
| 2.7 | Algorithm Specific Information | 27 |
| 2.8 | RBG and Entropy | 29 |
| 2.9 | Key Generation | 30 |
| 2.10 | Key Establishment | 30 |
| 2.11 | Industry Protocols | 31 |
| 3 | Cryptographic Module Interfaces | 31 |
| 3.1 | Ports and Interfaces | 31 |
| 4 | Roles, Services, and Authentication | 31 |
| 4.1 | Authentication Methods | 31 |
| 4.2 | Roles | 31 |
| 4.3 | Approved Services | 32 |
| 4.4 | Non-Approved Services | 52 |
| 4.5 | External Software/Firmware Loaded | 53 |
| 4.6 | Bypass Actions and Status | 53 |
| 4.7 | Cryptographic Output Actions and Status | 53 |
| 5 | Software/Firmware Security | 53 |
| 5.1 | Integrity Techniques | 53 |
| 5.2 | Initiate on Demand | 53 |
| 6 | Operational Environment | 54 |
| 6.1 | Operational Environment Type and Requirements | 54 |
| 6.2 | Configuration Settings and Restrictions | 54 |
| 7 | Physical Security | 54 |
| 8 | Non-Invasive Security | 54 |
| 9 | Sensitive Security Parameters Management | 54 |
| 9.1 | Storage Areas | 54 |
| 9.2 | SSP Input-Output Methods | 55 |
| 9.3 | SSP Zeroization Methods | 55 |
| 9.4 | SSPs | 55 |
| 9.5 | Transitions | 68 |
| 10 | Self-Tests | 69 |
| 10.1 | Pre-Operational Self-Tests | 69 |
| 10.2 | Conditional Self-Tests | 69 |
| 10.3 | Periodic Self-Test Information | 73 |
| 10.4 | Error States | 75 |
| 10.5 | Operator Initiation of Self-Tests | 76 |
| 11 | Life-Cycle Assurance | 76 |
| 11.1 | Installation, Initialization, and Startup Procedures | 76 |
| 11.2 | Administrator Guidance | 76 |
| 11.3 | Non-Administrator Guidance | 76 |
| 11.4 | Design and Rules | 77 |
| 11.5 | Maintenance Requirements | 77 |
| 11.6 | End of Life | 77 |
| 12 | Mitigation of Other Attacks | 77 |
| 12.1 | Attack List | 77 |
This document may be freely reproduced and distributed in its entirety without modification.
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 8 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Modes List and Description | 8 |
| Table 5: Approved Algorithms | 14 |
| Table 6: Vendor-Affirmed Algorithms | 14 |
| Table 7: Non-Approved, Allowed Algorithms | 15 |
| Table 8: Non-Approved, Not Allowed Algorithms | 16 |
| Table 9: Security Function Implementations | 27 |
| Table 10: Ports and Interfaces | 31 |
| Table 11: Roles | 32 |
| Table 12: Approved Services | 51 |
| Table 13: Non-Approved Services | 53 |
| Table 14: Storage Areas | 54 |
| Table 15: SSP Input-Output Methods | 55 |
| Table 16: SSP Zeroization Methods | 55 |
| Table 17: SSP Table 1 | 64 |
| Table 18: SSP Table 2 | 68 |
| Table 19: Pre-Operational Self-Tests | 69 |
| Table 20: Conditional Self-Tests | 73 |
| Table 21: Pre-Operational Periodic Information | 73 |
| Table 22: Conditional Periodic Information | 75 |
| Table 23: Error States | 76 |
| Figure 1: Block Diagram | 7 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 3 |
| 12 | 12 | Mitigation of other attacks | 1 |
| Overall Level | Overall Level | 1 |
Validated is the term given to a module that is documented and tested against the FIPS 140-3 criteria. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program. About this Document Module (hereafter referred to as “the Module”) from ST Engineering Urban Solutions Ltd. It contains specification of the security rules under which the Module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. This document may be freely reproduced and distributed whole and intact including this The following table lists the level of validation for each area in FIPS 140-3:
The Section 7.7 Physical Security and Section 7.8 Non-Invasive Security from ISO 19790 do not apply to the module. This document may be freely reproduced and distributed in its entirety without modification.
Purpose and Use: The module is intended to execute within the Triton 2 device and provide cryptographic services. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary is as depicted in Figure 1. No components are excluded from the cryptographic boundary. The module supports an Approved mode and a non-Approved mode of operation. The module does not support a degraded mode. Tested Operational Environment’s Physical Perimeter (TOEPP): The block diagram of the Module is depicted in Figure 1 (blue outlined). The Tested Operational Environment’s Physical Perimeter (TOEPP) is the underlying host platform i.e. Triton 2 device on which it runs. The operating environment of the module is modifiable since the platform does support modifications to it. This document may be freely reproduced and distributed in its entirety without modification.
Tested Module Identification
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| triton 2 (.elf) | v9FIPS.2.807 | N/A | triton 2 (.elf) | RSA mod 2048 SHA2-256 | ||||||
| Embedded Linux 3.1.10 | Embedded Linux 3.1.10 | Triton 2 | v9FIPS.2.807 | Samsung S3C6410A, ARM1176JZF-S, 533MHz | No | N/A |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| triton 2 (.elf) | v9FIPS.2.807 | N/A | triton 2 (.elf) | RSA mod 2048 SHA2-256 | ||||||
| Embedded Linux 3.1.10 | Embedded Linux 3.1.10 | Triton 2 | v9FIPS.2.807 | Samsung S3C6410A, ARM1176JZF-S, 533MHz | No | N/A |
| Name | Description | Csps Accessed | Type |
|---|---|---|---|
| non- Approved mode | The module transitions implicitly to the non- Approved mode upon usage of any Non- Approved Algorithms Not Allowed in the Approved Mode | None | Non- Approved |
N/A Table 2: Tested Module Identification
No components have been excluded. Modes List and Description: nonApproved NonApproved Table 4: Modes List and Description
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS1 | A5154 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS2 | A5154 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS3 | A5154 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CCM | A5154 | Key Length - 128, 192, 256 | SP 800-38C |
| AES-CFB1 | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CFB128 | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CFB8 | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CMAC | A5154 | Direction - Generation, Verification Key Length - 128, 192, 256 | SP 800-38B |
| AES-CTR | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-GCM | A5154 | Direction - Decrypt, Encrypt IV Generation - External, Internal | SP 800-38D |
| AES-GMAC | A5154 | Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 | SP 800-38D |
| AES-KW | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38F |
| AES-KWP | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38F |
| AES-OFB | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-XTS Testing Revision 2.0 | A5154 | Direction - Decrypt, Encrypt Key Length - 128, 256 | SP 800-38E |
| Counter DRBG | A5154 | Prediction Resistance - Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - No, Yes | SP 800-90A Rev. 1 |
| ECDSA KeyGen (FIPS186-5) | A5154 | Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - testing candidates | FIPS 186-5 |
| ECDSA KeyVer (FIPS186-5) | A5154 | Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 | FIPS 186-5 |
| ECDSA SigGen (FIPS186-5) | A5154 | Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Component - No, Yes | FIPS 186-5 |
| ECDSA SigVer (FIPS186-5) | A5154 | Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | FIPS 186-5 |
| Hash DRBG | A5154 | Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 | SP 800-90A Rev. 1 |
| HMAC DRBG | A5154 | Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-224 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-256 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-384 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 512/224 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 512/256 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-224 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-256 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-384 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-512 | A5154 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| KAS-ECC CDH- Component SP800-56Ar3 (CVL) | A5154 | Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 | SP 800-56A Rev. 3 |
| KAS-ECC-SSC Sp800-56Ar3 | A5154 | Domain Parameter Generation Methods - B- 233, B-283, B-409, B-571, K-233, K-283, K- 409, K-571, P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A5154 | Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP- 3072, MODP-4096, MODP-6144, MODP-8192 Scheme - dhEphem - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-IFC-SSC | A5154 | Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KAS1 - KAS Role - initiator, responder KAS2 - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KDA HKDF SP800-56Cr2 | A5154 | Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, | SP 800-56C Rev. 2 |
| KDA OneStep SP800-56Cr2 | A5154 | Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 | SP 800-56C Rev. 2 |
| KDA TwoStep SP800-56Cr2 | A5154 | MAC Salting Methods - default, random KDF Mode - feedback Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 | SP 800-56C Rev. 2 |
| KDF ANS 9.42 (CVL) | A5154 | KDF Type - DER Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 | SP 800-135 Rev. 1 |
| KDF ANS 9.63 (CVL) | A5154 | Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512 Key Data Length - Key Data Length: 128, 4096 | SP 800-135 Rev. 1 |
| KDF KMAC Sp800-108r1 | A5154 | Derived Key Length - Derived Key Length: 112- 4096 Increment 8 | SP 800-108 Rev. 1 |
| KDF SP800-108 | A5154 | KDF Mode - Counter, Feedback Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096 | SP 800-108 Rev. 1 |
| KDF SSH (CVL) | A5154 | Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| KMAC-128 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 | SP 800-185 |
| KMAC-256 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 | SP 800-185 |
| KTS-IFC | A5154 | Modulo - 2048, 3072, 4096, 6144 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 1024 | SP 800-56B Rev. 2 |
| PBKDF | A5154 | Iteration Count - Iteration Count: 1-10000 Increment 1 | SP 800-132 |
| RSA KeyGen (FIPS186-5) | A5154 | Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard | FIPS 186-5 |
| RSA SigGen (FIPS186-5) | A5154 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pss | FIPS 186-5 |
| RSA Signature Primitive (CVL) | A5154 | Private Key Format - CRT | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A5154 | Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096 | FIPS 186-4 |
| RSA SigVer (FIPS186-5) | A5154 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pss | FIPS 186-5 |
| Safe Primes Key Generation | A5154 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | SP 800-56A Rev. 3 |
| Safe Primes Key Verification | A5154 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | SP 800-56A Rev. 3 |
| SHA-1 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-224 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-256 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-384 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-512 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-512/224 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-512/256 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA3-224 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-256 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-384 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-512 | A5154 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHAKE-128 | A5154 | Output Length - Output Length: 16-65536 Increment 8 | FIPS 202 |
| SHAKE-256 | A5154 | Output Length - Output Length: 16-65536 Increment 8 | FIPS 202 |
| TLS v1.2 KDF RFC7627 (CVL) | A5154 | Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512 | SP 800-135 Rev. 1 |
| TLS v1.3 KDF (CVL) | A5154 | HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHE | SP 800-135 Rev. 1 |
Approved Algorithms: This document may be freely reproduced and distributed in its entirety without modification.
This document may be freely reproduced and distributed in its entirety without modification.
This document may be freely reproduced and distributed in its entirety without modification.
This document may be freely reproduced and distributed in its entirety without modification.
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Properties | ||
|---|---|---|---|
| CKG (6.3) | Key Type:Symmetric | N/A | NIST SP 800-133rev2, Section 6.3: Symmetric Keys Produced by Combining Multiple Keys and Other Data |
| CKG (4) | Key Type:Symmetric and Asymmetric | N/A | NIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.1: Key Pairs for Digital Signature Schemes; Section 5.2: Key Pairs for Key Establishment; Section 6.1: Direct Generation of Symmetric Keys; Section 6.2: Derivation of Symmetric keys |
| AES | Cert. A5154:key unwrapping per IG D.G | Triton 2 | Symmetric key unwrapping per IG D.G Additional Comment 5 |
| FIPS 186-4 RSA SigVer X9.31 | Cert. 5154:signature verification | Triton 2 | IG C.K |
Table 5: Approved Algorithms Vendor-Affirmed Algorithms: (6.3) (4) N/A N/A Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| X448 | SSP Agreement | |||
| X25519 | SSP Agreement | |||
| FIPS 186-5 ECDSA SigVer Component | Curve(s): P-192, P-224, P-256, P-384, P-521, B-163, B-233, B-283, B- 409, B-571, K-163, K-233, K-283, K-409, K-571, Function(s): SigVer | |||
| HMAC Generate | Key length(s): < 112 bits for MAC generation | |||
| HMAC DRBG/Hash DRBG | PRF(s): SHA3 (all sizes) | |||
| ED448 | PRF: SHAKE256, Function(s): SigGen, SigVer | |||
| ED25519 | PRF: SHA2-512, Function(s): SigGen, SigVer | |||
| TDES | Mode(s): CBC and ECB, Function(s): Encrypt, Decrypt | |||
| FIPS 186-4 DSA | Key size (strength): L = 1024, N = 160 (s < 112); L = 2048, N = 224 (s = 112); L = 2048, N = 256 (s = 112); L = 3072, N = 256 (s = 128); Function(s): KeyGen, SigGen, SigVer, PQGVer and PQGGen (SHA-1, SHA2 and SHA3 all sizes); SigVer and PQGVer disapproved per IG C.M 3.e | |||
| FIPS 186-2 RSA Signature | Modulus: > 1024 bits, Function(s): SigGen, SigVer (per IG C.M 3.e. for SigVer) | |||
| FIPS 186-2 RSA Generate Key | Modulus: >= 2048 bits, Function(s): KeyGen | |||
| KDA HKDF SP800- 56Cr1 | Key length(s): < 112 bits | |||
| KDA OneStep SP800-56Cr1 | PRF(s): SHAKE128 and SHAKE256 | |||
| KDF ANS 9.42 | PRF(s): SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK- KMAC128 and KECCAK-KMAC256 | |||
| KDF ANS 9.63 | PRF(s): SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK- KMAC128 and KECCAK-KMAC256 | |||
| RSA PKCS1.5 (for KTS) | Usage of RSA PKCS1.5 Encapsulation/decapsulation in the context of SSP Transport (KTS) | |||
| RSA Signature Primitive | RSASP with modulus 3072, 4096 (since RSASP 2.0 is untested per CAVP Cert. #A5154) | |||
| FIPS 186-4 RSA KeyGen X9.31, FIPS | RSA KeyGen, SigGen per X9.31 per IG C.K | |||
| SHA-1 for SigVer | Usage of SHA-1 in the context of signature verification (per IG C.M 3.e) | |||
| AES Encrypt/Decrypt | Encryption and decryption using AES modes | AES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-OFB: (A5154) AES-XTS Testing Revision 2.0: (A5154) | BC-Auth BC-UnAuth | Key Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits |
| AES Key Wrapping | Key Wrapping | AES-KW: (A5154) AES-KWP: (A5154) | KTS-Wrap | Key Length:128, 192 and 256 bits |
Table 7: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: The module does not support any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: C.M 3.e This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| SHA-1 for SigVer | Usage of SHA-1 in the context of signature verification (per IG C.M 3.e) | |||
| AES Encrypt/Decrypt | Encryption and decryption using AES modes | AES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-OFB: (A5154) AES-XTS Testing Revision 2.0: (A5154) | BC-Auth BC-UnAuth | Key Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits |
| AES Key Wrapping | Key Wrapping | AES-KW: (A5154) AES-KWP: (A5154) | KTS-Wrap | Key Length:128, 192 and 256 bits |
3.e) Table 8: Non-Approved, Not Allowed Algorithms
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| SHS | Hashing | SHA-1: (A5154) SHA2-224: (A5154) SHA2-256: (A5154) SHA2-512: (A5154) SHA2-512/224: (A5154) SHA2-512/256: (A5154) SHA3-224: (A5154) SHA3-256: (A5154) SHA2-384: (A5154) SHA3-512: (A5154) SHAKE-128: (A5154) SHAKE-256: (A5154) SHA3-384: (A5154) | SHA |
| MAC | Message Authentication Code | HMAC-SHA-1: (A5154) HMAC-SHA2- 224: (A5154) HMAC-SHA2- 256: (A5154) HMAC-SHA2- 384: (A5154) HMAC-SHA2- 512: (A5154) HMAC-SHA2- 512/224: (A5154) HMAC-SHA2- 512/256: (A5154) HMAC-SHA3- 224: (A5154) HMAC-SHA3- 256: (A5154) HMAC-SHA3- 384: (A5154) | BC-Auth MAC |
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| RSA SigGen/SigVer | RSA SigGen and SigVer | RSA SigGen (FIPS186-5): (A5154) RSA SigVer (FIPS186-5): (A5154) RSA SigVer (FIPS186-4): (A5154) | DigSig-SigGen DigSig-SigVer | Mode: PKCS 1.5 (SigGen):Modulus: 2048, 3072, 4096; Hash: SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: PKCSPSS (SigGen):Modulus: 2048, 3072, 4096; Hash: SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: ANSI X9.31 (SigVer only):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2- 384, SHA2-512 Mode: PKCS 1.5 (SigVer):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: PKCSPSS (SigVer):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2- 384, SHA2-512, |
| ECDSA SigGen/SigVer | ECDSA SigGen and SigVer | ECDSA SigGen (FIPS186-5): (A5154) ECDSA SigVer (FIPS186-5): (A5154) | DigSig-SigGen DigSig-SigVer | SigGen:P-224, P- 256, P-384, P- 521, B-233, B- 283, B-409, B- 571, K-233, K- 283, K-409, K- 571; SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512 SigVer :P-192, P- 224, P-256, P- 384, P-521, B- 163, B-233, B- 283, B-409, B- 571, K-163, K- 233, K-283, K- 409, K-571; SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512 |
| RSASP | RSA signature primitive | RSA Signature Primitive: (A5154) | DigSig-SigGen | |
| Generate Key | Keypair generation | ECDSA KeyGen (FIPS186-5): (A5154) RSA KeyGen (FIPS186-5): (A5154) Safe Primes Key Generation: (A5154) Safe Primes Key | AsymKeyPair- KeyGen AsymKeyPair- KeyVer CKG |
This document may be freely reproduced and distributed in its entirety without modification.
AsymKeyPairKeyGen AsymKeyPairKeyVer SigGen:P-224, P256, P-384, P521, B-233, B283, B-409, B571, K-233, K283, K-409, K571; SHA2-224, SigVer :P-192, P224, P-256, P384, P-521, B163, B-233, B283, B-409, B571, K-163, K233, K-283, K409, K-571; This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Random Bit Generation | Random Number Generation - Hash_DRBG, CTR_DRBG and HMAC_DRBG | Counter DRBG: (A5154) Hash DRBG: (A5154) HMAC DRBG: (A5154) | DRBG |
| Derive | Derive Keying Material | KDA HKDF SP800-56Cr2: (A5154) KDA OneStep SP800-56Cr2: (A5154) KDA TwoStep SP800-56Cr2: (A5154) KDF ANS 9.42: (A5154) KDF ANS 9.63: (A5154) KDF KMAC Sp800-108r1: (A5154) KDF SP800- 108: (A5154) KDF SSH: (A5154) PBKDF: (A5154) TLS v1.2 KDF RFC7627: (A5154) TLS v1.3 KDF: (A5154) CKG (4): () Key Type: Symmetric and Asymmetric | CKG KAS-135KDF KAS-56CKDF KBKDF PBKDF |
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| KAS-1 | Scheme: EphemeralUnified, KAS Role: Initiator, Responder | KAS-ECC-SSC Sp800-56Ar3: (A5154) | KAS-SSC | IG : IG D.F Scenario 2, path (1) Key confirmation:no Key derivation:no Caveat:Key establishment methodology provides between 112 and 256 bits of security strength |
| KAS-2 | Scheme: dhEphem. KAS Role: Initiator, Responder | KAS-FFC-SSC Sp800-56Ar3: (A5154) | KAS-SSC | IG:IG D.F Scenario 2, path (1) Key confirmation:no Key derivation:no Caveat:Key establishment methodology provides between 112 and 200 bits of security strength |
| KAS-3 | Scheme: KAS1, KAS2. KAS Role: Initiator, Responder | KAS-IFC-SSC: (A5154) | KAS-SSC | IG:IG D.F Scenario 1, path (1) Key confirmation:no Key derivation:no Caveat:Key establishment methodology provides between 112 and 200 bits of security strength |
| KTS-1 | Key Transport in compliance with [SP800- 38F] when approved using an Authenticated AES mode (AES CCM; AES GCM; AES KW, KWP) | AES-CCM: (A5154) AES-GCM: (A5154) AES-KW: (A5154) AES-KWP: (A5154) | KTS-Wrap | Standard:SP 800- 38F IG D.G:approved method from IG D.G Caveat:Key establishment methodology provides between |
| KTS-2 | Key Transport in compliance with [SP800- 38F] when approved AES (any mode) and approved HMAC are used in combination | AES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-KW: (A5154) AES-KWP: (A5154) AES-OFB: (A5154) AES-XTS Testing Revision 2.0: (A5154) HMAC-SHA-1: (A5154) HMAC-SHA2- 224: (A5154) HMAC-SHA2- 256: (A5154) HMAC-SHA2- 384: (A5154) HMAC-SHA2- | KTS-Wrap | Standard:SP 800- 38F IG D.G:approved method from IG D.G Caveat:Key establishment methodology provides between 128 and 256 bits of security strength |
| KTS-3 | Key Transport in compliance with [SP800- 38F] when approved AES (any mode) and approved CMAC/GMAC are used in combination | AES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-KW: (A5154) AES-KWP: (A5154) AES-OFB: (A5154) AES-XTS | KTS-Wrap | Standard:SP 800- 38F IG D.G:approved method from IG D.G Caveat:Key establishment methodology provides between 128 and 256 bits of security strength |
| KTS-4 | Key Transport; Scheme: KTS- OAEP-basic (no key confirmation): RSA-OAEP, RSADP, RSAEP, Key Encapsulation, Key Unencapsulation Key Generation Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-prime- factor, rsakpg2- basic, rsakpg2-crt, rsakpg2- prime- factor | KTS-IFC: (A5154) | KTS-Encap | Standard:SP 800- 56Brev2 IG D.G:approved method per IG D.G Key confirmation:no Caveat:Key establishment methodology provides between 112 and 176 bits of security strength |
| KAS ECC Component | KAS-ECC-SSC primitive (ECC CDH) | KAS-ECC CDH- Component SP800-56Ar3: (A5154) | KAS-SSC | |
| Self-tests | All self-tests executed by the module at boot | AES-ECB: (A5154) AES-GCM: (A5154) Hash DRBG: (A5154) Counter DRBG: (A5154) HMAC DRBG: (A5154) ECDSA SigGen (FIPS186-5): (A5154) ECDSA SigVer (FIPS186-5): (A5154) RSA SigGen (FIPS186-5): (A5154) RSA SigVer | BC-Auth BC-UnAuth DigSig-SigGen DigSig-SigVer DRBG KAS-135KDF KAS-56CKDF KAS-SSC KBKDF MAC PBKDF SHA XOF |
(1) (1) (1) D.G This document may be freely reproduced and distributed in its entirety without modification.
D.G This document may be freely reproduced and distributed in its entirety without modification.
D.G This document may be freely reproduced and distributed in its entirety without modification.
D.G rsakpg2- primefactor CDHComponent This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Csps Accessed | Type |
|---|---|---|---|
| TLS all algorithms | All algorithms supported by the module for the TLS 1.2 protocol/service | AES-GCM: (A5154) SHA2-384: (A5154) RSA SigGen (FIPS186-5): | AsymKeyPair- KeyGen AsymKeyPair- KeyVer BC-Auth CKG |
AsymKeyPairKeyGen AsymKeyPairKeyVer This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| Software Integrity Test | RSA mod 2048 bits SHA2-256 signature Verification | RSA SigVer (FIPS186-5): (A5154) | DigSig-SigVer | |
| KTS-5 | Key wrapping in the context of the TLS 1.2 IETF protocol using an AES GCM 256-bit key | AES-GCM: (A5154) | KTS-Wrap | Standard:SP 800- 38F IG D.G :approved method from IG D.G Caveat:Key establishment methodology provides 256 bits of security strength |
| KAS-4 | Key agreement in the context of the TLS 1.2 IETF protocol; KAS- ECC-SSC P-384 used with KDF TLS 1.2 | KAS-ECC-SSC Sp800-56Ar3: (A5154) TLS v1.2 KDF RFC7627: (A5154) | KAS-Full | IG :IG D.F Scenario 2 path (2) Key confirmation :no Key derivation :IG 2.4.B SP 800- 135rev1 CVL Caveat:Key |
| Symmetric Key Generation | Generation of symmetric keys | CKG (4): () CKG (6.3): () | CKG |
D.G (2) This document may be freely reproduced and distributed in its entirety without modification.
Table 9: Security Function Implementations
a. AES-GCM Usage The AES GCM IV computation must comply with IG C.H and NIST SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. The Module does not implement the TLS 1.3 and SSH protocols itself, however, it provides the cryptographic functions required for implementing these protocols. The module does implement the TLS 1.2 protocol. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3 and the IV computed shall only be used within the protocols. The module provides the primitives to support the AES GCM ciphersuites per NIST SP800-52r1 Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary in case of TLS 1.3 and SSH protocols. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per NIST SP800-38D Section 8.2.2. Per IG C.H Scenario 2 and NIST SP800-38D, the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. For all cases of IV generation, in the event that the module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are redistributed/re-established in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This This document may be freely reproduced and distributed in its entirety without modification.
is in accordance with IG 2.4.A: “If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation).” b. AES-XTS Usage Usage In accordance with NIST SP800-38E, the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with IG C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. c. Legacy Usage The module supports the following implementations for legacy use/support per NIST SP 800-131Ar2:
In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. f. FIPS 202 Usage Per IG C.C Resolution 2.a., each SHA-3 and SHAKE function has been tested and validated the module’s operational environment. g. RSA Usage
The Module complies with IG 9.3.A Scenario 2. b. and relies on the use of a NIST SP800-90B compliant entropy source outside the cryptographic boundary. The onus is on the calling application to ensure the use of an NIST SP800-90B compliant entropy source and of sufficient entropy for the required security strength. The minimum number of bits of entropy, depending on the target security strength of generated SSPs is 128, 192 or 256 bits. If the Counter DRBG implementation without the derivation function enabled is used, ensure full entropy from the This document may be freely reproduced and distributed in its entirety without modification.
entropy source is provided. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys).
The module contains NIST SP 800-90Ar1 DRBGs and supports the NIST SP 800-133r2 (CKG) sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.
The module supports key agreement and key transport in the context of the TLS protocol. Apart from this, it also provides cryptographic primitives in support of key agreement and key transport where the onus is on the calling application to ensure that the primitives are used in the correct sequence. The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS (KTS-1, KTS-2, KTS-3 and KTS-4). In addition to the TLS case, the following applies to the module for SSP agreement: The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS (KAS-1, KAS-2 and KAS-3). Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and IG D.F Scenario 2 (path 1) and NIST SP800-56Br2 and IG D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 10 have been documented accordingly. The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the IG D.F required key agreement assurances: NIST SP800-56Ar3 in accordance with Section 5.6.2. NIST SP800-56Br2 in accordance with Section 6.4. The module also supports key agreement in the context of the IETF TLS 1.2 protocol in accordance with IG D.F Scenario 2 (path 2) and the KAS-4 entry corresponds to the same. Per IG D.G: The module supports the Key Transport per NIST SP 800-56Br2 (RSA-OAEP) denoted by KTS4 in the SFI Table 10. This notation is in accordance with the IG D.G Additional Comment 4: “The FIPS 140-3 annotation details for the approved or allowed key transport schemes (KTS) can be found on SP 800-140B: CMVP Security Policy Requirements (see MIS Guidance “KTS”).” The module also supports the following untested approved moduli for KTS-4: 6144 < nlen <=16384, where nlen denotes the modulus. The RSA modulus sizes and key generation method have been documented in the table as well. The module can also optionally be used in the context of IEFT protocols and provide key transport using any approved AES mode(s) and an approved MAC. The corresponding entries KTS-1, KTS-2 and KTS-3 in the SFI Table 10 This document may be freely reproduced and distributed in its entirety without modification.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Control Input | API input |
| N/A | N/A | Data Input | API parameters passed by calling applications for use in services |
| N/A | N/A | Status Output | API return code/status |
| N/A | N/A | Data Output | API parameters returned to calling applications as a result of service execution |
have been documented accordingly. All KTS entries have been documented in accordance with Additional Comment 4 in the IG. Finally, KTS-5 corresponds to the key transport (wrapping) supported by the module in the context of the IETF TLS 1.2 protocol supported by it. Per IG D.A and IG D.B: The strengths of the established key have been documented in accordance with IG D.A Additional Comment 4. and per the Resolution in IG D.B.
The module supports cryptographic primitives used in the context of SSH, TLS 1.2 and TLS 1.3. It also supports the TLS 1.2 protocol itself. The module does not support the SSH and TLS 1.3 protocols and thus the following in accordance with Resolution #3 applies to the module: No parts of the SSH and TLS 1.3 protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.
N/A N/A N/A N/A Table 10: Ports and Interfaces The module does not support control output and thus the Control Output interface is inapplicable.
The Module does not support authentication.
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer (CO) | Crypto Officer | Role | None | ||||||
| Module initialization | Module boot and initialization process | Crypto Officer (CO) - Entrop y Input: G,W,E ,Z - State: G - Softw are Integri ty Key - RSA: E | Random Bit Generati on Software Integrity Test | 1 | Ctx passed into the function | Return code 1 for success; 0 for failure | |||
| Show Status/Show Version | Show status; show version | Crypto Officer (CO) | None | 1 | Ctx passed into the function fips_get_ params | Status and versioning information | |||
| Perform Self- Tests | Execution of all self-tests | Crypto Officer (CO) | Self-tests Software Integrity Test | 1 | Reboot | Return code 1 for success; 0 for failure | |||
| Key Transport (Perform approved | Key encapsulation and | Crypto Officer (CO) - SSP | KTS-4 | [KTS- IFC: RSA, 4, (2048, | Encapsul ation: SSP Transport | Key Transport Shared Secret |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer (CO) | Crypto Officer | Role | None | ||||||
| Module initialization | Module boot and initialization process | Crypto Officer (CO) - Entrop y Input: G,W,E ,Z - State: G - Softw are Integri ty Key - RSA: E | Random Bit Generati on Software Integrity Test | 1 | Ctx passed into the function | Return code 1 for success; 0 for failure | |||
| Show Status/Show Version | Show status; show version | Crypto Officer (CO) | None | 1 | Ctx passed into the function fips_get_ params | Status and versioning information | |||
| Perform Self- Tests | Execution of all self-tests | Crypto Officer (CO) | Self-tests Software Integrity Test | 1 | Reboot | Return code 1 for success; 0 for failure | |||
| Key Transport (Perform approved | Key encapsulation and | Crypto Officer (CO) - SSP | KTS-4 | [KTS- IFC: RSA, 4, (2048, | Encapsul ation: SSP Transport | Key Transport Shared Secret | |||
| Encrypt/Decr ypt and Key Wrapping (Perform approved security functions) | Encrypt or decrypt data and key wrap | Crypto Officer (CO) - Symm etric Key: G,E - MAC Key: E | AES Encrypt/ Decrypt AES Key Wrapping KTS-1 KTS-2 KTS-3 Symmetri c Key Generati on | [AES- ECB: AES- 128- ECB, AES- 192- ECB, AES- 256- ECB]; [AES- CBC: AES- 128- CBC, AES- 192- CBC, AES- 256- CBC]; [AES- CBC- CS: AES- 128- CBC- CTS, | Symmetri c Key and MAC Key (for wrapping) | Plaintext/ciphert ext/wrapped key |
Table 11: Roles The module supports the Crypto Officer (CO) role alone, assumed implicitly by the calling application. The module does not support a maintenance role, a bypass role or any unauthorized operators.
s Perform SelfTests [KTSIFC: This document may be freely reproduced and distributed in its entirety without modification. s y G,W,E ,Z G E
[AESECB: AES128ECB, AES192ECB, AES256ECB]; [AESCBC: AES128CBC, AES192CBC, AES256CBC]; [AESCBCCS: AES128CBCCTS, s s E d :R G,E This document may be freely reproduced and distributed in its entirety without modification.
| Name | Csps Accessed | Output |
|---|---|---|
| s | s | s |
| s | s | s |
s AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, AES256CFB8]; [AESCFB12 8: AES128CFB, This document may be freely reproduced and distributed in its entirety without modification. s
s AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256GCM]; [AESXTS: AES128XTS, This document may be freely reproduced and distributed in its entirety without modification. s
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| SSP Derivation (Perform approved security functions) | Derivation of keying material (DKM) | Crypto Officer (CO) - KAS Share d Secret : W,E - DKM: G,R - Key Trans port Share d Secret : W,E | Derive | PBKDF : PBKDF 2, (SHA- 1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/22 4, SHA2- 512/25 6, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512)]; [TLS1- PRF, (SHA2- 256, SHA2- 384, SHA2- 512)]; | KAS Shared Secret | DKM |
[AESKW, AES128WRAP, AES256WRAP] : 2, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512)]; [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; s s d : W,E G,R d : W,E This document may be freely reproduced and distributed in its entirety without modification.
| Name | Csps Accessed | Output |
|---|---|---|
| s | s | s |
| s | s | s |
| s | s | s |
| s | s | s |
| s | s | s |
s (SHA2256, SHA2384)]; [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; DFASNI, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512)]; 800108r1 This document may be freely reproduced and distributed in its entirety without modification. s
s , KMAC256)]; 800108r1 AES128CBC, AES192CBC, AES256CBC, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2256, HMACSHA2384, This document may be freely reproduced and distributed in its entirety without modification. s
s HMACSHA2512/22 4, HMACSHA2512/25 6, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; F, SHA2224, SHA2256, SHA2384, SHA2512)]; , SHA2224, SHA2256, SHA2384, This document may be freely reproduced and distributed in its entirety without modification. s
s SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/22 4, HMACSHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, This document may be freely reproduced and distributed in its entirety without modification. s
s KMAC128, KMAC256)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512]; SHA2224, SHA2256, SHA2384, SHA2512, This document may be freely reproduced and distributed in its entirety without modification. s
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Key Agreement (Perform approved security functions) | Shared secret computation | Crypto Officer (CO) - SSP Agree ment Privat e FFC/E CC Key: E - SSP Agree ment Public FFC/E CC Key: E - KAS Share d Secret : G | KAS-1 KAS-2 KAS-3 KAS ECC Compon ent | [KAS- FFC- SSC: DHX]; [KAS- ECC- SSC: EC] | SSP Agreeme nt Private FFC/ECC Key, SSP Agreeme nt Public FFC/ECC Key | KAS Shared Secret |
| Key Pair Generation (Perform approved security functions) | ECC/DH/RSA/ SafePrime key pair generation | Crypto Officer (CO) - Privat e Key: G - Public | Generate Key | [SafePr imes: DHX]; [RSA KeyGe n: RSA, (2048, 3072, 4096)]; | ECDSA: curve id. RSA: modulus | Key pair returned to caller |
| [ECDS A KeyGe n: EC] | Key: G | [ECDS A KeyGe n: EC] | ||||
| MAC Generation/V erification (Perform approved security functions) | Keyed hash generation/veri fication | Crypto Officer (CO) - MAC Key: E | MAC Symmetri c Key Generati on | [HMAC : HMAC- SHA1, HMAC- SHA2- 224, HMAC- SHA2- 256, HMAC- SHA2- 384, HMAC- SHA2- 512, HMAC- SHA2- 512/22 4, HMAC- SHA2- 512/25 6, HMAC- SHA3- 224, HMAC- SHA3- 256, HMAC- SHA3- 384, HMAC- SHA3- 512]; [CMAC ]; [KMAC: KMAC- 128, KMAC- | MAC Key | MAC value |
| Hash generation (Perform approved security functions) | Hashing | Crypto Officer (CO) | SHS | [SHA- 1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/22 4, SHA2- 512/25 6, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512, SHAKE -128, SHAKE -256] | Message to be hashed | Hash value |
| Random Bit Generation (Perform approved security functions) | Random bit generation using the DRBG | Crypto Officer (CO) - Entrop y Input: | Random Bit Generati on | [Hash DRBG: HASH- DRBG, (SHA1, SHA2- 256, | DRBG State; DRBG Entropy Input | Random bits |
| SHA2- 512)]; [HMAC - DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [CTR- DRBG, (AES- 128- CTR, AES- 192- CTR, AES- 256- CTR)] | E - Seed: E - State: E | SHA2- 512)]; [HMAC - DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [CTR- DRBG, (AES- 128- CTR, AES- 192- CTR, AES- 256- CTR)] | ||||
| Digital Signature Generation/V erification (Perform approved security functions) | RSA/ECDSA signature generation and verification | Crypto Officer (CO) - SigGe n Key: E - SigVe r Key: E | RSA SigGen/S igVer ECDSA SigGen/S igVer RSASP | [RSA SigGen : RSA, (2048, 3072, 4096), (SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/22 4, SHA2- 512/25 6)]; [RSA SigVer: RSA, (1024, 2048, | Sign: SigGen Key; Verify: SigVer Key | Signature value for SigGen, 1 or 0 respectively for success or failure in case of SigVer |
SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512] [KASFFCSSC: [KASECCSSC: s s e d :G G This document may be freely reproduced and distributed in its entirety without modification.
A : HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/22 4, HMACSHA2512/25 6, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; ]; KMAC128, s s G This document may be freely reproduced and distributed in its entirety without modification.
: AES128GCM, AES192GCM, AES256GCM] SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, HASHDRBG, SHA2256, s s y This document may be freely reproduced and distributed in its entirety without modification.
SHA2512)]; SHA2256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; s s E E E E E This document may be freely reproduced and distributed in its entirety without modification.
| Name | Csps Accessed | Output |
|---|---|---|
| s | s | s |
s SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; m: A (SHA2224, SHA2256, SHA2384, SHA2512, SHA3224, SHA3256, SHA3384, This document may be freely reproduced and distributed in its entirety without modification. s
| Name | Description | Role Access | Csps Accessed | Approved Functions | Input | Output |
|---|---|---|---|---|---|---|
| Perform zeroisation | * Zeroisation in the context of function calls * Restarting the host platform * TLS 1.2 Session Termination * Module uninstantiation | 1 | Crypto Officer (CO) - SigGe n Key: Z - SigVe r Key: Z - Privat e Key: Z - Public Key: Z | None | Location of SSP | Return code 1 |
A SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; A s s Z Z Z This document may be freely reproduced and distributed in its entirety without modification.
| Name | Csps Accessed | Output |
|---|---|---|
| s | s | s |
| s | s | s |
s This document may be freely reproduced and distributed in its entirety without modification. s e d :Z Z Z d :Z y
s This document may be freely reproduced and distributed in its entirety without modification. s Z Z Z r :Z Z A A Z Z
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| HTTPS communicati ons with backend (Perform approved security functions) | TLS v1.2 protocol used | Crypto Officer (CO) - TLS Maste r Secret : G,E,Z - TLS Pre- Maste r Secret : G,E,Z - TLS Sessi on Key: G,E,Z - KAS Privat e Key: G,E,Z - KAS Public Key: G,R,E | TLS all algorithm s KTS-5 KAS-4 | Succes sful comple tion of the service, i.e. succes sful TLS 1.2 session negotia tion combin ed with the string "Check TCP flag 3" printed in the boot logs | TLS Peer Public Key (KAS Peer Public Key) | Packets transferred over TLS 1.2 |
s i.e. 1.2 s This document may be freely reproduced and distributed in its entirety without modification. s PreMaste r :Z Z r : G,E,Z PreMaste r : G,E,Z G,E,Z G,E,Z G,R,E
| Name | Csps Accessed | Indicator | Output | Outputs | |
|---|---|---|---|---|---|
| s | s | s | |||
| SSP Agreement | KAS-SSC | X448 X25519 | Crypto Officer (CO) | ||
| FIPS 186-5 ECDSA SigVer Component | Signature verification | FIPS 186-5 ECDSA SigVer Component | Crypto Officer (CO) | ||
| HMAC Generate | MAC generation with key length < 112 bits | HMAC Generate | Crypto Officer (CO) | ||
| HMAC DRBG/Hash DRBG | PRF(s): SHA3 (all sizes) | HMAC DRBG/Hash DRBG | Crypto Officer (CO) | ||
| TDES Encrypt/Decrypt | Encryption and decryption | TDES | Crypto Officer (CO) | ||
| Digital Signature Generation/Verification | Signature generation and verification | ED448 ED25519 FIPS 186-4 DSA FIPS 186-2 RSA Signature | Crypto Officer (CO) | ||
| FIPS 186-2 RSA Key Generation | RSA public/private key pair generation per FIPS 186-2 | FIPS 186-2 RSA Generate Key | Crypto Officer (CO) | ||
| Derive | Key derivation | KDA HKDF SP800- 56Cr1 KDA OneStep SP800-56Cr1 KDF ANS 9.42 KDF ANS 9.63 | Crypto Officer (CO) | ||
| SSP Transport | SSP transport using RSA PKCS1.5 padding | RSA PKCS1.5 (for KTS) | Crypto Officer (CO) | ||
| RSA Signature Primitive | Signature primitive function/signature generation with modulus 3072 and 4096 | RSA Signature Primitive | Crypto Officer (CO) | ||
| FIPS 186-4 RSA X9.31 Key Generation and Signature Generation | Key generation and signature generation per ANS X9.31 | FIPS 186-4 RSA KeyGen X9.31, | Crypto Officer (CO) | ||
| SHA-1 for Signature Verification | FIPS 186-5 RSA/ECDSA Signature Verification using SHA-1 (in accordance with IG C.M 3.e) | SHA-1 for SigVer | Crypto Officer (CO) |
s s ,Z A G,R,E ,Z A G,E,Z G,R,E ,Z G,E,Z W,E,Z Table 12: Approved Services The following indicate the type of access: G = Generate: The service generates or derives the CSP/Public Key. W = Write/Input: The service inputs the CSP/Public Key. E = Execute: The Module executes using the CSP/Public Key. R = Read/Output: The service outputs the CSP/Public Key. CSP are always protected with the approved KTS. Z = Zeroise: The Module zeroizes the CSP/Public Key after usage. A zeroised CSP is not retrievable or reusable. The module provides service indicators in accordance with the FIPS 140-3 IG 2.4.C example 3. All CSPs are zeroised when they are no longer needed: - Temporary CSPs are zeroised within the relevant function calls per service. This document may be freely reproduced and distributed in its entirety without modification.
The DRBG state is zeroised on Module instantiation The temporary underlying hash value generated as part of the RSA Signature Verification computed in the context of the integrity test performed, is zeroised prior to exiting the integrity test function. TLS 1.2 SSPs are zeroised upon TLS 1.2 session termination.
This document may be freely reproduced and distributed in its entirety without modification.
Table 13: Non-Approved Services
The module does not support loading software from an external source.
The module does not support bypass.
The module supports self-initiated cryptographic output over the TLS 1.2 IETF protocol. Two internal actions are performed i.e. two distinct software flags are checked within the module prior to allowing output over TLS 1.2. The TLS 1.2 i.e. self-initiated cryptographic output capability is inherently active per the module’s design. The Crypto Officer only needs to power on the underlying platform, i.e., Triton 2 device. Successful negotiation of the TLS 1.2 session combined with the string "Check TCP flag 3" printed in the boot logs indicates that the selfinitiated cryptographic output capability is active.
The Module uses RSA 2048 SHA2-256 as the approved integrity technique. The pre-calculated value of the approved digital signature is included with the module. The integrity test covers the entirety of the module software. If the value calculated at boot for the approved digital signature does not match the pre-calculated, stored value, the test fails. The RSA 2048 SHA2-256 CAST is performed prior to the software integrity test in accordance with the IG 10.2.A. The Module is provided in the executable form (.elf). The software integrity RSA mod 2048 public key used for signature verification is considered a non-SSP and stored within the module.
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Type | Description |
|---|---|---|
| RAM | Dynamic | Temporary, plaintext storage |
| Stored in the module binary | Static | Persistent, plaintext storage |
An operator of the module can perform the integrity test on demand by reloading the module. If the integrity test fails, module enters an error state. The module does not support loading of any additional software from an external source.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The module is a Level 1 multi-chip standalone software module with a modifiable operational environment.
There are no restrictions on the operational environment of the module.
The Module is a software module thus the requirements per this section do not apply.
The Module is a software module thus the requirements per this section do not apply.
Table 14: Storage Areas This document may be freely reproduced and distributed in its entirety without modification.
| Name | Approved Functions | Type | From | To | Distributio n Type |
|---|---|---|---|---|---|
| API input | Electroni c | Plaintex t | Calling application | Module | Manual |
| API output | Electroni c | Plaintex t | Module | Calling application | Manual |
| Stored at manufactur e - 1 | N/A | Plaintex t | Manufacture r | Stored in the module binary | N/A |
| Input during TLS 1.2 negotiation | Electroni c | Plaintex t | TLS 1.2 peer/external endpoint | RAM | Automated |
| Output during TLS 1.2 negotiation | Electroni c | Plaintex t | RAM | TLS 1.2 peer/externa l endpoint | Automated |
| Zeroization | Description | Rationale | Operator | ||
|---|---|---|---|---|---|
| Method | Initiation | ||||
| Zeroisation in the context of function calls | Temporary CSPs are zeroised within the relevant function calls per service | Automatic zeroisation per module's design in the context of each function called | Module initiated | ||
| Restarting the host platform | SSPs are stored temporarily in RAM | RAM is cleansed via reboot of the underlying host; no copies of SSPs are maintained/stored within the module itself | Operator initiated | ||
| TLS 1.2 Session Termination | SSPs zeroised upon TLS 1.2 session termination | TLS 1.2 SSPs are stored ephemerally until session termination | Module initiated | ||
| Module uninstantiation | DRBG state zeroisation | Un-instantiation of the module zeroises the DRBG state | Operator initiated |
t t t c c N/A t c t c e-1 1.2 r N/A m Table 15: SSP Input-Output Methods The module is compliant with IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path) and with AD/EE in the context of the TLS 1.2 protocol.
Table 16: SSP Zeroization Methods This document may be freely reproduced and distributed in its entirety without modification.
| Name | Type | Description | Strength | Generation | Establishment | Use | Type - Catego ry |
|---|---|---|---|---|---|---|---|
| SigGen Key | Private key - CSP | Private key for signature generation | RSA: 2048, 3072 and 4096 bits ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 112, 128 or 152 ECDSA: 112, 128, 192, 521 | RSA SigGen/Sig Ver ECDSA SigGen/Sig Ver RSASP | |||
| SigVer Key | Public key - PSP | Public key for signature verification | RSA: 1024, 2048, 3072 and 4096 bits ECDSA: ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 80, 112, 128 or 152 ECDSA: | RSA SigGen/Sig Ver ECDSA SigGen/Sig Ver | |||
| Private Key | Private key - CSP | Private key requested by calling application (purpose unknown) | RSA: 2048, 3072, 4096 bits ECDSA: ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 112, 128 or 152 ECDSA: 112, 128, 192, 256 | Generat e Key Random Bit Generati on | |||
| Public Key | Public key - PSP | Public key requested by calling application (purpose unknown) | RSA: 2048, 3072, 4096 bits ECDSA: ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 112, 128 | Generat e Key Random Bit Generati on | |||
| SSP Agreem ent Private FFC/EC C Key | Private key - CSP | Private key provided by the entity using the module for Diffie- Hellman shared secret generation | FFC: FB, FC, MODP20 48, ffdhe204 8, MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B- 233, K- 233, P- 224, B- 283, K- 283, P- 256, B- 409, K- 409, P- 384, B- 571, K- 571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and | Generat e Key Random Bit Generati on | KAS-1 KAS-2 KAS-3 | ||
| SSP Agreem ent Public FFC/EC C Key | Public key - PSP | Public key provided by the entity using the module for Diffie- Hellman shared secret generation | FFC: FB, FC, MODP20 48, ffdhe204 8, MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B- 233, K- 233, P- 224, B- 283, K- 283, P- 256, B- 409, K- 409, P- 384, B- 571, K- 571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits | Generat e Key Random Bit Generati on | KAS-1 KAS-2 KAS-3 | ||
| KAS Shared Secret | Shared secret - CSP | Shared secret computation (z) | FFC: FB, FC, MODP20 48, ffdhe204 8, MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B- 233, K- 233, P- 224, B- 283, K- 283, P- 256, B- 409, K- 409, P- 384, B- 571, K- 571, P- 521, IFC: k=2048, 3072, | KAS-1 KAS-2 KAS-3 | |||
| DKM | Derived Keying Material - CSP | Key Derivation derived keying material | HMAC PRF: 160, 224, 256, 384, 512 - HMAC PRF: 160, 224, 256, 384, 512 | Derive | |||
| MAC Key | Symmet ric key - CSP | Keyed Hash key | CMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256 - CMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256 | Random Bit Generati on Symmet ric Key Generati on | MAC KTS-2 | ||
| SSP Transpo rt | Private key - CSP | Private key (KDK) used for [SP800- | 2048, 3072, 4096 and | KTS-4 | |||
| Private Key | 56Br2] RSA key transport | 6144 bits - 112, 128, 152, 176 | |||||
| SSP Transpo rt Public key | Public key - PSP | Public key (KEK) used for [SP800- 56Br2] RSA key transport | 2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176 | KTS-4 | |||
| Key Transpo rt Shared Secret | Shared secret - CSP | The RSA key transport shared secret | 2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176 | KTS-4 | |||
| Entropy Input | Entropy input - CSP | Entropy input from an external source used for DRBG seeding | 128 - 256 bits - 128 - 256 bits | Random Bit Generation | |||
| Seed | DRBG seed - CSP | Seed generated from the entropy input for the DRBG | 128 - 256 bits - 128 - 256 bits | Random Bit Generation | |||
| State | DRBG state - CSP | DRBG state | Hash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256 - Hash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, | Random Bit Generati on | Random Bit Generation | ||
| Symmet ric Key | Symmet ric key - CSP | AES Encryption/Decryptio n/Key Wrapping Key | AES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256. - AES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256 | Random Bit Generati on Symmet ric Key Generati on | AES Encrypt/Dec rypt AES Key Wrapping KTS-1 KTS-2 KTS-3 | ||
| TLS Master Secret | Shared secret - CSP | TLS 1.2 Master Secret derived from the pre-master secret | 384 bits - 192 bits | Derive | TLS v1.2 KDF RFC7627 (A5154) | ||
| TLS Session Key | Symmet ric key - PSP | AES key used to encrypt the TLS session | 256 bits - 256 bits | Derive | KAS-4 | KTS-5 | |
| KAS Public Key | Public key - PSP | EC Diffie-Hellman i.e. KAS-ECC-SSC public key used in EC Diffie-Hellman Key Exchange for TLS 1.2 | P-384 - 192 bits | Generat e Key Random Bit Generati on | KAS-ECC- SSC Sp800- 56Ar3 (A5154) | ||
| KAS Private Key | Private key - CSP | EC Diffie-Hellman i.e. KAS-ECC-SSC private key used in EC Diffie-Hellman Key Exchange for TLS 1.2 | P-384 - 192 bits | Generat e Key Random Bit Generati on | KAS-ECC- SSC Sp800- 56Ar3 (A5154) | ||
| ECDSA Public Key | Public key - PSP | ECDSA public key used for TLS 1.2 authentication | P-384 - 192 bits | Generat e Key Random Bit Generati on | ECDSA SigVer (FIPS186-5) (A5154) | ||
| ECDSA Private Key | Private key - CSP | ECDSA private key used for TLS 1.2 authentication | P-384 - 192 bits | Generat e Key Random Bit Generati on | ECDSA SigGen (FIPS186-5) (A5154) | ||
| RSA Public Key | Public key - PSP | RSA public key used for TLS 1.2 authentication | RSA SigVer mod 2048 - 112 bits | Generat e Key Random Bit Generati on | RSA SigVer (FIPS186-5) (A5154) | ||
| RSA Private Key | Private key - CSP | RSA private key used for TLS 1.2 authentication | RSA SigGen mod 2048 - 112 bits | Generat e Key Random Bit Generati on | RSA SigGen (FIPS186-5) (A5154) | ||
| TLS Pre- Master Secret | Shared secret - CSP | TLS 1.2 pre-master secret computed (KAS-ECC-SSC) | 384 bits - 192 bits | KAS-4 | TLS v1.2 KDF RFC7627 (A5154) | ||
| KAS Peer Public Key | Public key - PSP | EC Diffie-Hellman i.e. KAS-ECC-SSC public key used in EC Diffie-Hellman Key Exchange for TLS 1.2 (TLS 1.2 peer key) | P-384 - 192 bits | KAS-4 | |||
| Softwar e Integrity Key - RSA | Public key - Neither | RSA key used to perform the Software Integrity Test | 2048 bits - 112 bits | RSA SigVer (FIPS186 -5) (A5154) | Software Integrity Test | ||
| SigGen Key | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | SigVer Key:Paired With | zeroised once no longer needed | ||
| SigVer Key | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | SigGen Key:Paired With | zeroised once no longer needed | ||
| Private Key | RAM:Encrypte d | API output | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | Public Key:Paired With | zeroised once no longer needed | ||
| Public Key | RAM:Encrypte d | API output | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | Private Key:Paired With | zeroised once no longer needed | ||
| SSP Agreemen t Private FFC/ECC Key | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | SSP Agreement Public FFC/ECC Key:Paired With | zeroised once no longer needed | ||
| SSP Agreemen t Public FFC/ECC Key | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module | SSP Agreement Private FFC/ECC Key:Paired With | zeroised once no longer needed | ||
| KAS Shared Secret | RAM:Encrypte d | API output | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | SSP Agreement Private FFC/ECC Key:Establishe d using SSP Agreement Public FFC/ECC Key:Establishe d using | zeroised once no longer needed | ||
| DKM | RAM:Encrypte d | API output | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | zeroised once no longer needed | |||
| MAC Key | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | zeroised once no longer needed | |||
| SSP Transport Private Key | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | SSP Transport Public key:Paired With | zeroised once no longer needed | ||
| SSP Transport Public key | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | SSP Transport Private Key:Paired With | zeroised once no longer needed | ||
| Key Transport Shared Secret | RAM:Encrypte d | API input API output | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | zeroised once no longer needed | |||
| Entropy Input | RAM:Encrypte d | API input | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | Seed:Used to derive | zeroised once no longer needed | ||
| Seed | RAM:Encrypte d | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | Entropy Input:Derived From | zeroised once no longer needed | |||
| State | RAM:Encrypte d | Restarting the host platform Module uninstantiatio n | Seed:Derived From | Until power- cycling of the underlying host platform | |||
| Symmetric Key | RAM:Encrypte d | API input API output | Zeroisation in the context of function calls Restarting the host platform Module uninstantiatio n | zeroised once no longer needed | |||
| TLS Master Secret | RAM:Plaintext | Zeroisation in the context of function calls | TLS Pre- Master Secret:Derived From | zeroised once no longer needed | |||
| TLS Session Key | RAM:Plaintext | TLS 1.2 Session Termination | TLS Master Secret:Derived From | zeroised once no longer needed | |||
| KAS Public Key | RAM:Plaintext | Output during TLS | TLS 1.2 Session Termination | KAS Private Key:Paired With | zeroised once no longer needed | ||
| KAS Private Key | RAM:Plaintext | TLS 1.2 Session Termination | KAS Public Key:Paired With | zeroised once no longer needed | |||
| ECDSA Public Key | RAM:Plaintext | Output during TLS 1.2 negotiation | TLS 1.2 Session Termination | zeroised once no longer needed | |||
| ECDSA Private Key | RAM:Plaintext | TLS 1.2 Session Termination | zeroised once no longer needed | ||||
| RSA Public Key | RAM:Plaintext | Output during TLS 1.2 negotiation | TLS 1.2 Session Termination | zeroised once no longer needed | |||
| RSA Private Key | RAM:Plaintext | TLS 1.2 Session Termination | zeroised once no longer needed | ||||
| TLS Pre- Master Secret | RAM:Plaintext | Zeroisation in the context of function calls | TLS Master Secret:Used to derive | zeroised once no longer needed | |||
| KAS Peer Public Key | RAM:Plaintext | Input during TLS 1.2 negotiation | TLS 1.2 Session Termination | KAS Public Key:Used With | zeroised once no longer needed | ||
| Software Integrity Key - RSA | Stored in the module binary:Plaintex t | Stored at manufactur e - 1 | Module uninstantiatio n | Until module uninstantiatio n is performed |
B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: 80, This document may be freely reproduced and distributed in its entirety without modification.
B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: This document may be freely reproduced and distributed in its entirety without modification.
8, 2, 6, 4, ECC: B233, K233, P224, B283, K283, P256, B409, K409, P384, B571, K571, P521, IFC: This document may be freely reproduced and distributed in its entirety without modification.
[SP80056Br2]: 8, 2, 6, 4, ECC: B233, K233, P224, B283, K283, P256, B409, K409, P384, B571, K571, P521, IFC: This document may be freely reproduced and distributed in its entirety without modification.
[SP80056Br2]: 8, 2, 6, 4, ECC: B233, K233, P224, B283, K283, P256, B409, K409, P384, B571, K571, P521, IFC: This document may be freely reproduced and distributed in its entirety without modification.
This document may be freely reproduced and distributed in its entirety without modification.
This document may be freely reproduced and distributed in its entirety without modification.
KAS-ECCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 This document may be freely reproduced and distributed in its entirety without modification.
PreMaster e -5) Table 17: SSP Table 1 This document may be freely reproduced and distributed in its entirety without modification.
d d d d d d n n n n n This document may be freely reproduced and distributed in its entirety without modification.
d d d d d n n n n n n This document may be freely reproduced and distributed in its entirety without modification.
d d d d n n n n n d TLS PreMaster This document may be freely reproduced and distributed in its entirety without modification.
Conformance to FIPS 186-5 is mandatory as of February 4, 2024. The module claims conformance to FIPS 186-4 as allowed per the FIPS 140-3 IG C.K Additional Comment #2. Per the NIST SP 800-133Ar2/3 and the programmatic transitions defined by the CMVP, the following algorithm transitions apply to the module, and the algorithms have been designated allowed/non-approved accordingly in Section 2.5: a. SHA-1 for SigVer (per IG C.M 3.e) and SHA-1 used for SigGen is a non-approved, not allowed algorithm. Usage of SHA-1 for all other SigVer is allowed for legacy use only until 2030. Thereafter, all usage of SHA-1 will be considered a non-approved, not allowed algorithm. b. FIPS 186-2 RSA KeyGen and SigGen modes are non-approved, not allowed algorithms. This document may be freely reproduced and distributed in its entirety without modification.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator |
|---|---|---|---|---|---|---|
| RSA SigVer (FIPS186-5) (A5154) | RSA SigVer (FIPS186-5) (A5154) | KAT | SW/FW Integrity | Verify | Modulus: 2048 bits; Hash: SHA2-256 | Verified OK |
c. RSA-based key transport schemes that only use PKCS#1-v1.5 padding are nonapproved, not allowed algorithms. d. FIPS 186-4 DSA Key Gen, Sig Gen, or PQG Gen; FIPS 186-4 X9.31 RSA Key Gen, RSA Sig Gen are non-approved, not allowed algorithms. e. Usage of FIPS 186-4 RSA SigVer X9.31 is allowed only for legacy use. f. Triple-DES decryption is allowed for legacy use only. g. Triple-DES encryption is non-approved, not allowed algorithm. h. Key agreement schemes that are not compliant with any version of SP 800-56A (X448, X25519) are non-approved, not allowed algorithms. i. Until January 1, 2031, the following algorithms will be considered deprecated: a. SHA-1, SHA-224 hash functions b. Hash_DRBG and HMAC_DRBG using SHA-1, SHA-224 hash functions c. Hash function and HMAC using SHA-1, SHA-224 hash functions d. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation j. As of January 1, 2031, the following algorithms will be considered deprecated/disallowed (i.e. non-approved, not allowed)/legacy use: a. SHA-1, SHA2-224 hash functions (disallowed) b. Use of the 112-bit security strength for classical digital signature and keyestablishment mechanisms (deprecated) c. Use of the 112-bit security strength for block ciphers (disallowed) d. Use of a security strength less than 128-bits but greater than 112 bits for ECDA KeyGen and RSA KeyGen (PKCS #1 v1.5 & PSS) (deprecated) e. Hash_DRBG and HMAC_DRBG using SHA-1, SHA-224 hash functions (disallowed) f. Hash function and HMAC using SHA-1, SHA-224 hash functions (legacy use) g. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation (disallowed) h. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Verification (legacy use)
Table 19: Pre-Operational Self-Tests The pre-operational self-tests can be run on demand by reloading the module.
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| AES-ECB (A5154) | AES-ECB (A5154) | KAT | CAST | Decrypt | Key Length: 128 bits | 1 | On reloading the module | ||
| AES-GCM (A5154) - Encrypt - 256 bits | AES-GCM (A5154) - Encrypt - 256 bits | KAT | CAST | Encrypt | Key Length: 256 bits | 1 | On reloading the module | ||
| AES-GCM (A5154) - Decrypt - 256 bits | AES-GCM (A5154) - Decrypt - 256 bits | KAT | CAST | Decrypt | Key Length: 256 bits | 1 | On reloading the module | ||
| Counter DRBG (A5154) | Counter DRBG (A5154) | KAT | CAST | Generate, Reseed, Instantiate functions | AES CTR (128 bits) with derivation function | 1 | On reloading the module | ||
| ECDSA SigGen (FIPS186- 5) (A5154) - P224 | ECDSA SigGen (FIPS186- 5) (A5154) - P224 | KAT | CAST | Sign | Curve: P- 224; Hash: SHA2-512 | 1 | On reloading the module | ||
| ECDSA SigVer (FIPS186- 5) (A5154) - P-224 | ECDSA SigVer (FIPS186- 5) (A5154) - P-224 | KAT | CAST | Verify | Curve: P- 224; Hash: SHA2-512 | 1 | On reloading the module | ||
| Hash DRBG (A5154) | Hash DRBG (A5154) | KAT | CAST | Generate, Reseed, Instantiate functions | PRF: SHA2-256 | 1 | On reloading the module | ||
| HMAC DRBG (A5154) | HMAC DRBG (A5154) | KAT | CAST | Generate, Reseed, Instantiate functions | PRF: HMAC- SHA-1 | 1 | On reloading the module | ||
| HMAC- SHA2-256 (A5154) | HMAC- SHA2-256 (A5154) | KAT | CAST | HMAC tag Generation | PRF: SHA2-256 | 1 | On reloading the module | ||
| KAS- ECC-SSC Sp800- 56Ar3 (A5154) | KAS- ECC-SSC Sp800- 56Ar3 (A5154) | KAT | CAST | Key Agreement - Shared Secret Computation | Scheme: Ephemeral Unified, Curve: P- 256 | 1 | On reloading the module | ||
| KAS-FFC- SSC Sp800- 56Ar3 (A5154) | KAS-FFC- SSC Sp800- 56Ar3 (A5154) | KAT | CAST | Key Agreement - Shared Secret Computation | Scheme: dhEphem; Modulus: L = 2048 | 1 | On reloading the module | ||
| KAS-IFC- SSC (A5154) | KAS-IFC- SSC (A5154) | KAT | CAST | Key Agreement - Shared Secret Computation | Schemes: Basic, CRT, Modulus: L = 2048 bits | 1 | On reloading the module | ||
| KDF SP800- 108 (A5154) | KDF SP800- 108 (A5154) | KAT | CAST | Counter Mode (HMAC- SHA2-256). | Mode: Counter, PRF: HMAC- SHA2-256 | 1 | On reloading the module | ||
| KDA OneStep SP800- 56Cr2 (A5154) | KDA OneStep SP800- 56Cr2 (A5154) | KAT | CAST | Key Derivation | Auxiliary Function, H = SHA2- 224 | 1 | On reloading the module | ||
| KDA TwoStep SP800- 56Cr2 (A5154) | KDA TwoStep SP800- 56Cr2 (A5154) | KAT | CAST | Key Derivation | Auxiliary Function, H = HMAC- SHA2-256 | 1 | On reloading the module | ||
| KTS-IFC (A5154) - Basic | KTS-IFC (A5154) - Basic | KAT | CAST | Encrypt | Schemes: Basic Modulus: L = 2048 bits | 1 | On reloading the module | ||
| KTS-IFC (A5154) - CRT | KTS-IFC (A5154) - CRT | KAT | CAST | Decrypt | Schemes: Basic, CRT, Modulus: L = 2048 bits | 1 | On reloading the module | ||
| PBKDF (A5154) | PBKDF (A5154) | KAT | CAST | Key Derivation | Derivation of the Master Key (MK), PRF: SHA2-256 | 1 | On reloading the module | ||
| RSA SigGen (FIPS186- 5) (A5154) | RSA SigGen (FIPS186- 5) (A5154) | KAT | CAST | Sign | Scheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-256 | 1 | On reloading the module | ||
| RSA SigVer (FIPS186- 5) (A5154) | RSA SigVer (FIPS186- 5) (A5154) | KAT | CAST | Verify | Scheme: PKCS#1, Modulus: L = 2048, | 1 | On reloading the module | ||
| SHA-1 (A5154) | SHA-1 (A5154) | KAT | CAST | Hash | SHA-1 | 1 | On reloading the module | ||
| SHA2-512 (A5154) | SHA2-512 (A5154) | KAT | CAST | Hash | SHA2-512 | 1 | On reloading the module | ||
| SHA3-256 (A5154) | SHA3-256 (A5154) | KAT | CAST | Hash | SHA3-256 | 1 | On reloading the module | ||
| KDF ANS 9.42 (A5154) | KDF ANS 9.42 (A5154) | KAT | CAST | Key Derivation | PRFs: AES KW (128 bits), SHA-1 | 1 | On reloading the module | ||
| KDF ANS 9.63 (A5154) | KDF ANS 9.63 (A5154) | KAT | CAST | Key Derivation | PRF: SHA2-256 | 1 | On reloading the module | ||
| KDF SSH (A5154) | KDF SSH (A5154) | KAT | CAST | Key Derivation | PRF: SHA- 1 | 1 | On reloading the module | ||
| TLS v1.2 KDF RFC7627 (A5154) | TLS v1.2 KDF RFC7627 (A5154) | KAT | CAST | Key Derivation | PRF: SHA2-256 | 1 | On reloading the module | ||
| TLS v1.3 KDF (A5154) | TLS v1.3 KDF (A5154) | KAT | CAST | Key Derivation | PRF: SHA2-256 | 1 | On reloading the module | ||
| RSA KeyGen (FIPS186- 5) (A5154) | RSA KeyGen (FIPS186- 5) (A5154) | PCT | PCT | Key Generation | Performed on key generation | 1 | On generating keys for Key Transport (KTS IFC)/Key Agreement (KAS IFC)/Signature Generation/Signature Verification | ||
| ECDSA KeyGen (FIPS186- 5) (A5154) | ECDSA KeyGen (FIPS186- 5) (A5154) | PCT | PCT | Key Generation | Performed on key generation | 1 | On generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification | ||
| ECDSA SigGen (FIPS186- 5) (A5154) - K-233 | ECDSA SigGen (FIPS186- 5) (A5154) - K-233 | KAT | CAST | Sign | Curve: K- 233; Hash: SHA2-512 | 1 | On reloading the module | ||
| ECDSA SigVer (FIPS186- 5) (A5154) - K-233 | ECDSA SigVer (FIPS186- 5) (A5154) - K-233 | KAT | CAST | Verify | Curve: K- 233; Hash: SHA2-512 | 1 | On reloading the module | ||
| KAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCT | KAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCT | PCT | PCT | Key Generation | Performed post key generation | 1 | On generating keys for Key Agreement (KAS FFC) | ||
| RSA SigVer (FIPS186-5) (A5154) | RSA SigVer (FIPS186-5) (A5154) | KAT | SW/FW Integrity | On Demand | Manually by reloading the module | ||||
| AES-ECB (A5154) | AES-ECB (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| AES-GCM (A5154) - Encrypt - 256 bits | AES-GCM (A5154) - Encrypt - 256 bits | KAT | CAST | On Demand | Manually by reloading the module | ||||
| AES-GCM (A5154) - Decrypt - 256 bits | AES-GCM (A5154) - Decrypt - 256 bits | KAT | CAST | On Demand | Manually by reloading the module | ||||
| Counter DRBG (A5154) | Counter DRBG (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| ECDSA SigGen (FIPS186-5) (A5154) - P224 | ECDSA SigGen (FIPS186-5) (A5154) - P224 | KAT | CAST | On Demand | Manually by reloading the module | ||||
| ECDSA SigVer (FIPS186-5) (A5154) - P-224 | ECDSA SigVer (FIPS186-5) (A5154) - P-224 | KAT | CAST | On Demand | Manually by reloading the module | ||||
| Hash DRBG (A5154) | Hash DRBG (A5154) | KAT | CAST | On Demand | Manually by reloading the module |
HMACSHA-1 HMACSHA2-256 KASECC-SSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 Curve: P256 (FIPS1865) (A5154) (FIPS1865) (A5154) This document may be freely reproduced and distributed in its entirety without modification.
KAS-IFCSSC SP800108 SP80056Cr2 SP80056Cr2 (FIPS1865) (A5154) (FIPS1865) (A5154) HMACSHA2-256 H = SHA2224 H= HMACSHA2-256 (HMACSHA2-256). This document may be freely reproduced and distributed in its entirety without modification.
PRF: SHA1 (FIPS1865) (A5154) (FIPS1865) (A5154) (FIPS1865) (A5154) (FIPS1865) (A5154) This document may be freely reproduced and distributed in its entirety without modification.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| KAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCT | KAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCT | PCT | PCT | Key Generation | Performed post key generation | 1 | On generating keys for Key Agreement (KAS FFC) | ||
| RSA SigVer (FIPS186-5) (A5154) | RSA SigVer (FIPS186-5) (A5154) | KAT | SW/FW Integrity | On Demand | Manually by reloading the module | ||||
| AES-ECB (A5154) | AES-ECB (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| AES-GCM (A5154) - Encrypt - 256 bits | AES-GCM (A5154) - Encrypt - 256 bits | KAT | CAST | On Demand | Manually by reloading the module | ||||
| AES-GCM (A5154) - Decrypt - 256 bits | AES-GCM (A5154) - Decrypt - 256 bits | KAT | CAST | On Demand | Manually by reloading the module | ||||
| Counter DRBG (A5154) | Counter DRBG (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| ECDSA SigGen (FIPS186-5) (A5154) - P224 | ECDSA SigGen (FIPS186-5) (A5154) - P224 | KAT | CAST | On Demand | Manually by reloading the module | ||||
| ECDSA SigVer (FIPS186-5) (A5154) - P-224 | ECDSA SigVer (FIPS186-5) (A5154) - P-224 | KAT | CAST | On Demand | Manually by reloading the module | ||||
| Hash DRBG (A5154) | Hash DRBG (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| HMAC DRBG (A5154) | HMAC DRBG (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| HMAC-SHA2- 256 (A5154) | HMAC-SHA2- 256 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KAS-ECC-SSC Sp800-56Ar3 (A5154) | KAS-ECC-SSC Sp800-56Ar3 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KAS-FFC-SSC Sp800-56Ar3 (A5154) | KAS-FFC-SSC Sp800-56Ar3 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KAS-IFC-SSC (A5154) | KAS-IFC-SSC (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KDF SP800-108 (A5154) | KDF SP800-108 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KDA OneStep SP800-56Cr2 (A5154) | KDA OneStep SP800-56Cr2 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KDA TwoStep SP800-56Cr2 (A5154) | KDA TwoStep SP800-56Cr2 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KTS-IFC (A5154) - Basic | KTS-IFC (A5154) - Basic | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KTS-IFC (A5154) - CRT | KTS-IFC (A5154) - CRT | KAT | CAST | On Demand | Manually by reloading the module | ||||
| PBKDF (A5154) | PBKDF (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| RSA SigGen (FIPS186-5) (A5154) | RSA SigGen (FIPS186-5) (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| RSA SigVer (FIPS186-5) (A5154) | RSA SigVer (FIPS186-5) (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| SHA-1 (A5154) | SHA-1 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| SHA2-512 (A5154) | SHA2-512 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| SHA3-256 (A5154) | SHA3-256 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KDF ANS 9.42 (A5154) | KDF ANS 9.42 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KDF ANS 9.63 (A5154) | KDF ANS 9.63 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KDF SSH (A5154) | KDF SSH (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| TLS v1.2 KDF RFC7627 (A5154) | TLS v1.2 KDF RFC7627 (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| TLS v1.3 KDF (A5154) | TLS v1.3 KDF (A5154) | KAT | CAST | On Demand | Manually by reloading the module | ||||
| RSA KeyGen (FIPS186-5) (A5154) | RSA KeyGen (FIPS186-5) (A5154) | PCT | PCT | On Demand | On generation of keys | ||||
| ECDSA KeyGen (FIPS186-5) (A5154) | ECDSA KeyGen (FIPS186-5) (A5154) | PCT | PCT | On Demand | On generation of keys | ||||
| ECDSA SigGen (FIPS186-5) (A5154) - K-233 | ECDSA SigGen (FIPS186-5) (A5154) - K-233 | KAT | CAST | On Demand | Manually by reloading the module | ||||
| ECDSA SigVer (FIPS186-5) (A5154) - K-233 | ECDSA SigVer (FIPS186-5) (A5154) - K-233 | KAT | CAST | On Demand | Manually by reloading the module | ||||
| KAS-FFC-SSC Sp800-56Ar3 (A5154) - PCT | KAS-FFC-SSC Sp800-56Ar3 (A5154) - PCT | PCT | PCT | On Demand | On generation of keys |
KAS-FFCSSC Sp80056Ar3 Table 20: Conditional Self-Tests The conditional cryptographic algorithm self-tests can be run on demand by reloading the
Table 21: Pre-Operational Periodic Information This document may be freely reproduced and distributed in its entirety without modification.
This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Hard error | A failure in the pre- operational integrity test/one of | If the pre- operational software integrity test fails | PROV_R_FIPS_MODULE_IN_ERROR_ST ATE and ERR SUM | Reloadin g of the module |
Table 22: Conditional Periodic Information
e the preoperational y This document may be freely reproduced and distributed in its entirety without modification.
| Name | Description | Role Access |
|---|---|---|
| the cryptographi c algorithm self-tests will cause the module to return an error and enter the Hard error state | the cryptographi c algorithm self-tests will cause the module to return an error and enter the Hard error state | If one of the cryptographi c algorithm's self-test (a CAST, specifically, a Known Answer Test (KAT)) were to fail |
e c y Table 23: Error States On instantiation, the Module performs the self-tests described in Table 22 and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. If one of the following indicator : “PROV_R_FIPS_MODULE_IN_ERROR_STATE” whereas if the integrity test fails, the module enters the Hard error state and returns the error code ERR SUM as well as “PROV_R_FIPS_MODULE_IN_ERROR_STATE”.
The module can be reloaded on demand for running the Cryptographic Algorithm Self-tests (CASTs) as well as the pre-operational integrity test.
The module is shipped pre-installed in the Approved mode of operation with the Triton 2 device. The operator must power on the appliance upon delivery to cause it to automatically execute the pre-operational integrity tests and CASTs on all algorithms. Once the self-tests have completed successfully, the module is ready for use. The operator can verify the software version (v9FIPS.2.807) and the module identifier (triton 2) as this information is printed in the bootlogs.
No additional guidance applies for the operation of the module apart from that specified in Section 2 and other subsections under this section.
This document may be freely reproduced and distributed in its entirety without modification.
No additional guidance applies for the operation of the module apart from that specified in Section 2 and other subsections under this section.
GitHub is used as the Configuration Management System. The module’s software is implemented using a high-level language and designed to avoid use of code, parameters or symbols not necessary for the module’s functionality and execution.
No maintenance requirements apply. The module’s software is protected from tampering as it is delivered securely within the Triton 2 device.
The module can be uninstalled to end-of-life the module. The module can be securely sanitized by zeroising it.
The Module implements mitigations for some types of attacks using the constant-time implementations and blinding. This document may be freely reproduced and distributed in its entirety without modification.