All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Triton 2 Cryptographic Module

Certificate#5105StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorST Engineering Urban Solutions Ltd.
Low review priority  ·  no TCB surface named  ·  last validated 4 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/10/2030
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorST Engineering Urban Solutions Ltd.

Approved Algorithms (69)

AlgorithmACVP Cert
AES-CBCA5154
AES-CBC-CS1A5154
AES-CBC-CS2A5154
AES-CBC-CS3A5154
AES-CCMA5154
AES-CFB1A5154
AES-CFB128A5154
AES-CFB8A5154
AES-CMACA5154
AES-CTRA5154
AES-ECBA5154
AES-GCMA5154
AES-GMACA5154
AES-KWA5154
AES-KWPA5154
AES-OFBA5154
AES-XTS Testing Revision 2.0A5154
Counter DRBGA5154
ECDSA KeyGen (FIPS186-5)A5154
ECDSA KeyVer (FIPS186-5)A5154
ECDSA SigGen (FIPS186-5)A5154
ECDSA SigVer (FIPS186-5)A5154
Hash DRBGA5154
HMAC DRBGA5154
HMAC-SHA-1A5154
HMAC-SHA2-224A5154
HMAC-SHA2-256A5154
HMAC-SHA2-384A5154
HMAC-SHA2-512A5154
HMAC-SHA2- 512/224A5154
HMAC-SHA2- 512/256A5154
HMAC-SHA3-224A5154
HMAC-SHA3-256A5154
HMAC-SHA3-384A5154
HMAC-SHA3-512A5154
KAS-ECC CDH- Component SP800-56Ar3 (CVL)A5154
KAS-ECC-SSC Sp800-56Ar3A5154
KAS-FFC-SSC Sp800-56Ar3A5154
KAS-IFC-SSCA5154
KDA HKDF SP800-56Cr2A5154
KDA OneStep SP800-56Cr2A5154
KDA TwoStep SP800-56Cr2A5154
KDF ANS 9.42 (CVL)A5154
KDF ANS 9.63 (CVL)A5154
KDF KMAC Sp800-108r1A5154
KDF SP800-108A5154
KDF SSH (CVL)A5154
KTS-IFCA5154
PBKDFA5154
RSA KeyGen (FIPS186-5)A5154
RSA SigGen (FIPS186-5)A5154
RSA Signature Primitive (CVL)A5154
RSA SigVer (FIPS186-4)A5154
RSA SigVer (FIPS186-5)A5154
SHA-1A5154
SHA2-224A5154
SHA2-256A5154
SHA2-384A5154
SHA2-512A5154
SHA2-512/224A5154
SHA2-512/256A5154
SHA3-224A5154
SHA3-256A5154
SHA3-384A5154
SHA3-512A5154
SHAKE-128A5154
SHAKE-256A5154
TLS v1.2 KDF RFC7627 (CVL)A5154
TLS v1.3 KDF (CVL)A5154

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Triton 2 Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>AES Encrypt/Decrypt<br/>Self-tests<br/>Show Status/Show Version</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Triton 2 Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>AES Encrypt/Decrypt<br/>Self-tests<br/>Show Status/Show Version</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

ST Engineering Urban Solutions Ltd. Triton 2 Cryptographic Module This document may be freely reproduced and distributed in its entirety without modification.

Page 2
Table of Contents
#SectionPage
1General4
1.1Overview4
1.2Security Levels5
1.3Additional Information5
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification7
2.3Excluded Components8
2.4Modes of Operation8
2.5Algorithms9
2.6Security Function Implementations16
2.7Algorithm Specific Information27
2.8RBG and Entropy29
2.9Key Generation30
2.10Key Establishment30
2.11Industry Protocols31
3Cryptographic Module Interfaces31
3.1Ports and Interfaces31
4Roles, Services, and Authentication31
4.1Authentication Methods31
4.2Roles31
4.3Approved Services32
4.4Non-Approved Services52
4.5External Software/Firmware Loaded53
4.6Bypass Actions and Status53
4.7Cryptographic Output Actions and Status53
5Software/Firmware Security53
5.1Integrity Techniques53
5.2Initiate on Demand53
6Operational Environment54
6.1Operational Environment Type and Requirements54
6.2Configuration Settings and Restrictions54
7Physical Security54
8Non-Invasive Security54
9Sensitive Security Parameters Management54
9.1Storage Areas54
9.2SSP Input-Output Methods55
9.3SSP Zeroization Methods55
9.4SSPs55
9.5Transitions68
10Self-Tests69
10.1Pre-Operational Self-Tests69
10.2Conditional Self-Tests69
10.3Periodic Self-Test Information73
10.4Error States75
10.5Operator Initiation of Self-Tests76
11Life-Cycle Assurance76
11.1Installation, Initialization, and Startup Procedures76
11.2Administrator Guidance76
11.3Non-Administrator Guidance76
11.4Design and Rules77
11.5Maintenance Requirements77
11.6End of Life77
12Mitigation of Other Attacks77
12.1Attack List77
Page 3

This document may be freely reproduced and distributed in its entirety without modification.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description8
Table 5: Approved Algorithms14
Table 6: Vendor-Affirmed Algorithms14
Table 7: Non-Approved, Allowed Algorithms15
Table 8: Non-Approved, Not Allowed Algorithms16
Table 9: Security Function Implementations27
Table 10: Ports and Interfaces31
Table 11: Roles32
Table 12: Approved Services51
Table 13: Non-Approved Services53
Table 14: Storage Areas54
Table 15: SSP Input-Output Methods55
Table 16: SSP Zeroization Methods55
Table 17: SSP Table 164
Table 18: SSP Table 268
Table 19: Pre-Operational Self-Tests69
Table 20: Conditional Self-Tests73
Table 21: Pre-Operational Periodic Information73
Table 22: Conditional Periodic Information75
Table 23: Error States76
Figure 1: Block Diagram7
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance3
1212Mitigation of other attacks1
Overall LevelOverall Level1

Validated is the term given to a module that is documented and tested against the FIPS 140-3 criteria. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program. About this Document Module (hereafter referred to as “the Module”) from ST Engineering Urban Solutions Ltd. It contains specification of the security rules under which the Module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. This document may be freely reproduced and distributed whole and intact including this The following table lists the level of validation for each area in FIPS 140-3:

1.2 Security Levels
1.3 Additional Information

The Section 7.7 Physical Security and Section 7.8 Non-Invasive Security from ISO 19790 do not apply to the module. This document may be freely reproduced and distributed in its entirety without modification.

Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The module is intended to execute within the Triton 2 device and provide cryptographic services. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary is as depicted in Figure 1. No components are excluded from the cryptographic boundary. The module supports an Approved mode and a non-Approved mode of operation. The module does not support a degraded mode. Tested Operational Environment’s Physical Perimeter (TOEPP): The block diagram of the Module is depicted in Figure 1 (blue outlined). The Tested Operational Environment’s Physical Perimeter (TOEPP) is the underlying host platform i.e. Triton 2 device on which it runs. The operating environment of the module is modifiable since the platform does support modifications to it. This document may be freely reproduced and distributed in its entirety without modification.

Page 7
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
triton 2 (.elf)v9FIPS.2.807N/Atriton 2 (.elf)RSA mod 2048 SHA2-256
Embedded Linux 3.1.10Embedded Linux 3.1.10Triton 2v9FIPS.2.807Samsung S3C6410A, ARM1176JZF-S, 533MHzNoN/A
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
triton 2 (.elf)v9FIPS.2.807N/Atriton 2 (.elf)RSA mod 2048 SHA2-256
Embedded Linux 3.1.10Embedded Linux 3.1.10Triton 2v9FIPS.2.807Samsung S3C6410A, ARM1176JZF-S, 533MHzNoN/A
Service
NameDescriptionCsps AccessedType
non- Approved modeThe module transitions implicitly to the non- Approved mode upon usage of any Non- Approved Algorithms Not Allowed in the Approved ModeNoneNon- Approved

N/A Table 2: Tested Module Identification

2.3 Excluded Components

No components have been excluded. Modes List and Description: nonApproved NonApproved Table 4: Modes List and Description

  1. The module does not support manual SSP entry.
  2. The module inhibits data output during self-test execution, zeroisation, SSP generation and upon entry into the error state. This document may be freely reproduced and distributed in its entirety without modification.
Page 9
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS1A5154Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS2A5154Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBC-CS3A5154Direction - decrypt, encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA5154Key Length - 128, 192, 256SP 800-38C
AES-CFB1A5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB128A5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CFB8A5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA5154Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA5154Direction - Decrypt, Encrypt IV Generation - External, InternalSP 800-38D
AES-GMACA5154Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256SP 800-38D
AES-KWA5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-KWPA5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38F
AES-OFBA5154Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-XTS Testing Revision 2.0A5154Direction - Decrypt, Encrypt Key Length - 128, 256SP 800-38E
Counter DRBGA5154Prediction Resistance - Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - No, YesSP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-5)A5154Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyVer (FIPS186-5)A5154Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521FIPS 186-5
ECDSA SigGen (FIPS186-5)A5154Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Component - No, YesFIPS 186-5
ECDSA SigVer (FIPS186-5)A5154Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-5
Hash DRBGA5154Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256SP 800-90A Rev. 1
HMAC DRBGA5154Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256SP 800-90A Rev. 1
HMAC-SHA-1A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-224A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-256A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-384A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2-512A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/224A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA2- 512/256A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-224A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-256A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-384A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
HMAC-SHA3-512A5154Key Length - Key Length: 8-524288 Increment 8FIPS 198-1
KAS-ECC CDH- Component SP800-56Ar3 (CVL)A5154Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521SP 800-56A Rev. 3
KAS-ECC-SSC Sp800-56Ar3A5154Domain Parameter Generation Methods - B- 233, B-283, B-409, B-571, K-233, K-283, K- 409, K-571, P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A5154Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP- 3072, MODP-4096, MODP-6144, MODP-8192 Scheme - dhEphem - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-IFC-SSCA5154Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KAS1 - KAS Role - initiator, responder KAS2 - KAS Role - initiator, responderSP 800-56A Rev. 3
KDA HKDF SP800-56Cr2A5154Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224,SP 800-56C Rev. 2
KDA OneStep SP800-56Cr2A5154Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8SP 800-56C Rev. 2
KDA TwoStep SP800-56Cr2A5154MAC Salting Methods - default, random KDF Mode - feedback Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8SP 800-56C Rev. 2
KDF ANS 9.42 (CVL)A5154KDF Type - DER Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8SP 800-135 Rev. 1
KDF ANS 9.63 (CVL)A5154Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512 Key Data Length - Key Data Length: 128, 4096SP 800-135 Rev. 1
KDF KMAC Sp800-108r1A5154Derived Key Length - Derived Key Length: 112- 4096 Increment 8SP 800-108 Rev. 1
KDF SP800-108A5154KDF Mode - Counter, Feedback Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096SP 800-108 Rev. 1
KDF SSH (CVL)A5154Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512SP 800-135 Rev. 1
KMAC-128A5154Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8SP 800-185
KMAC-256A5154Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8SP 800-185
KTS-IFCA5154Modulo - 2048, 3072, 4096, 6144 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 1024SP 800-56B Rev. 2
PBKDFA5154Iteration Count - Iteration Count: 1-10000 Increment 1SP 800-132
RSA KeyGen (FIPS186-5)A5154Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standardFIPS 186-5
RSA SigGen (FIPS186-5)A5154Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
RSA Signature Primitive (CVL)A5154Private Key Format - CRTFIPS 186-4
RSA SigVer (FIPS186-4)A5154Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-5)A5154Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5, pssFIPS 186-5
Safe Primes Key GenerationA5154Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
Safe Primes Key VerificationA5154Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192SP 800-56A Rev. 3
SHA-1A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-224A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-256A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-384A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/224A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA2-512/256A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 180-4
SHA3-224A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-256A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-384A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHA3-512A5154Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8FIPS 202
SHAKE-128A5154Output Length - Output Length: 16-65536 Increment 8FIPS 202
SHAKE-256A5154Output Length - Output Length: 16-65536 Increment 8FIPS 202
TLS v1.2 KDF RFC7627 (CVL)A5154Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A5154HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHESP 800-135 Rev. 1
  1. In the event of a self-test failure, all calls made to the module to request services from it are rejected by the module. The Module is shipped with the Approved mode pre-enabled as noted in Section
  2. No further configuration is required. Mode Change Instructions and Status: The module is in the Approved mode of operation provided the Approved algorithms and NonApproved Algorithms Allowed in the Approved Mode are used. Usage of the non-Approved Algorithms Not Allowed in the Approved Mode causes the module to transition to the nonApproved mode. Degraded Mode Description: A degraded mode of operation is not supported by the module.
2.5 Algorithms

Approved Algorithms: This document may be freely reproduced and distributed in its entirety without modification.

Page 10

This document may be freely reproduced and distributed in its entirety without modification.

Page 11

This document may be freely reproduced and distributed in its entirety without modification.

Page 12

This document may be freely reproduced and distributed in its entirety without modification.

Page 13

This document may be freely reproduced and distributed in its entirety without modification.

Page 14
Service
NameProperties
CKG (6.3)Key Type:SymmetricN/ANIST SP 800-133rev2, Section 6.3: Symmetric Keys Produced by Combining Multiple Keys and Other Data
CKG (4)Key Type:Symmetric and AsymmetricN/ANIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.1: Key Pairs for Digital Signature Schemes; Section 5.2: Key Pairs for Key Establishment; Section 6.1: Direct Generation of Symmetric Keys; Section 6.2: Derivation of Symmetric keys
AESCert. A5154:key unwrapping per IG D.GTriton 2Symmetric key unwrapping per IG D.G Additional Comment 5
FIPS 186-4 RSA SigVer X9.31Cert. 5154:signature verificationTriton 2IG C.K

Table 5: Approved Algorithms Vendor-Affirmed Algorithms: (6.3) (4) N/A N/A Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: This document may be freely reproduced and distributed in its entirety without modification.

Page 15
Service
NameDescriptionApproved FunctionsTypeProperties
X448SSP Agreement
X25519SSP Agreement
FIPS 186-5 ECDSA SigVer ComponentCurve(s): P-192, P-224, P-256, P-384, P-521, B-163, B-233, B-283, B- 409, B-571, K-163, K-233, K-283, K-409, K-571, Function(s): SigVer
HMAC GenerateKey length(s): < 112 bits for MAC generation
HMAC DRBG/Hash DRBGPRF(s): SHA3 (all sizes)
ED448PRF: SHAKE256, Function(s): SigGen, SigVer
ED25519PRF: SHA2-512, Function(s): SigGen, SigVer
TDESMode(s): CBC and ECB, Function(s): Encrypt, Decrypt
FIPS 186-4 DSAKey size (strength): L = 1024, N = 160 (s < 112); L = 2048, N = 224 (s = 112); L = 2048, N = 256 (s = 112); L = 3072, N = 256 (s = 128); Function(s): KeyGen, SigGen, SigVer, PQGVer and PQGGen (SHA-1, SHA2 and SHA3 all sizes); SigVer and PQGVer disapproved per IG C.M 3.e
FIPS 186-2 RSA SignatureModulus: > 1024 bits, Function(s): SigGen, SigVer (per IG C.M 3.e. for SigVer)
FIPS 186-2 RSA Generate KeyModulus: >= 2048 bits, Function(s): KeyGen
KDA HKDF SP800- 56Cr1Key length(s): < 112 bits
KDA OneStep SP800-56Cr1PRF(s): SHAKE128 and SHAKE256
KDF ANS 9.42PRF(s): SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK- KMAC128 and KECCAK-KMAC256
KDF ANS 9.63PRF(s): SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK- KMAC128 and KECCAK-KMAC256
RSA PKCS1.5 (for KTS)Usage of RSA PKCS1.5 Encapsulation/decapsulation in the context of SSP Transport (KTS)
RSA Signature PrimitiveRSASP with modulus 3072, 4096 (since RSASP 2.0 is untested per CAVP Cert. #A5154)
FIPS 186-4 RSA KeyGen X9.31, FIPSRSA KeyGen, SigGen per X9.31 per IG C.K
SHA-1 for SigVerUsage of SHA-1 in the context of signature verification (per IG C.M 3.e)
AES Encrypt/DecryptEncryption and decryption using AES modesAES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-OFB: (A5154) AES-XTS Testing Revision 2.0: (A5154)BC-Auth BC-UnAuthKey Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits
AES Key WrappingKey WrappingAES-KW: (A5154) AES-KWP: (A5154)KTS-WrapKey Length:128, 192 and 256 bits

Table 7: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: The module does not support any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: C.M 3.e This document may be freely reproduced and distributed in its entirety without modification.

Page 16
Service
NameDescriptionApproved FunctionsTypeProperties
SHA-1 for SigVerUsage of SHA-1 in the context of signature verification (per IG C.M 3.e)
AES Encrypt/DecryptEncryption and decryption using AES modesAES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-OFB: (A5154) AES-XTS Testing Revision 2.0: (A5154)BC-Auth BC-UnAuthKey Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits
AES Key WrappingKey WrappingAES-KW: (A5154) AES-KWP: (A5154)KTS-WrapKey Length:128, 192 and 256 bits

3.e) Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

This document may be freely reproduced and distributed in its entirety without modification.

Page 17
Service
NameDescriptionApproved FunctionsType
SHSHashingSHA-1: (A5154) SHA2-224: (A5154) SHA2-256: (A5154) SHA2-512: (A5154) SHA2-512/224: (A5154) SHA2-512/256: (A5154) SHA3-224: (A5154) SHA3-256: (A5154) SHA2-384: (A5154) SHA3-512: (A5154) SHAKE-128: (A5154) SHAKE-256: (A5154) SHA3-384: (A5154)SHA
MACMessage Authentication CodeHMAC-SHA-1: (A5154) HMAC-SHA2- 224: (A5154) HMAC-SHA2- 256: (A5154) HMAC-SHA2- 384: (A5154) HMAC-SHA2- 512: (A5154) HMAC-SHA2- 512/224: (A5154) HMAC-SHA2- 512/256: (A5154) HMAC-SHA3- 224: (A5154) HMAC-SHA3- 256: (A5154) HMAC-SHA3- 384: (A5154)BC-Auth MAC

This document may be freely reproduced and distributed in its entirety without modification.

Page 18
Service
NameDescriptionApproved FunctionsTypeProperties
RSA SigGen/SigVerRSA SigGen and SigVerRSA SigGen (FIPS186-5): (A5154) RSA SigVer (FIPS186-5): (A5154) RSA SigVer (FIPS186-4): (A5154)DigSig-SigGen DigSig-SigVerMode: PKCS 1.5 (SigGen):Modulus: 2048, 3072, 4096; Hash: SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: PKCSPSS (SigGen):Modulus: 2048, 3072, 4096; Hash: SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: ANSI X9.31 (SigVer only):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2- 384, SHA2-512 Mode: PKCS 1.5 (SigVer):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: PKCSPSS (SigVer):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2- 384, SHA2-512,
ECDSA SigGen/SigVerECDSA SigGen and SigVerECDSA SigGen (FIPS186-5): (A5154) ECDSA SigVer (FIPS186-5): (A5154)DigSig-SigGen DigSig-SigVerSigGen:P-224, P- 256, P-384, P- 521, B-233, B- 283, B-409, B- 571, K-233, K- 283, K-409, K- 571; SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512 SigVer :P-192, P- 224, P-256, P- 384, P-521, B- 163, B-233, B- 283, B-409, B- 571, K-163, K- 233, K-283, K- 409, K-571; SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512
RSASPRSA signature primitiveRSA Signature Primitive: (A5154)DigSig-SigGen
Generate KeyKeypair generationECDSA KeyGen (FIPS186-5): (A5154) RSA KeyGen (FIPS186-5): (A5154) Safe Primes Key Generation: (A5154) Safe Primes KeyAsymKeyPair- KeyGen AsymKeyPair- KeyVer CKG

This document may be freely reproduced and distributed in its entirety without modification.

Page 19

AsymKeyPairKeyGen AsymKeyPairKeyVer SigGen:P-224, P256, P-384, P521, B-233, B283, B-409, B571, K-233, K283, K-409, K571; SHA2-224, SigVer :P-192, P224, P-256, P384, P-521, B163, B-233, B283, B-409, B571, K-163, K233, K-283, K409, K-571; This document may be freely reproduced and distributed in its entirety without modification.

Page 20
Service
NameDescriptionApproved FunctionsType
Random Bit GenerationRandom Number Generation - Hash_DRBG, CTR_DRBG and HMAC_DRBGCounter DRBG: (A5154) Hash DRBG: (A5154) HMAC DRBG: (A5154)DRBG
DeriveDerive Keying MaterialKDA HKDF SP800-56Cr2: (A5154) KDA OneStep SP800-56Cr2: (A5154) KDA TwoStep SP800-56Cr2: (A5154) KDF ANS 9.42: (A5154) KDF ANS 9.63: (A5154) KDF KMAC Sp800-108r1: (A5154) KDF SP800- 108: (A5154) KDF SSH: (A5154) PBKDF: (A5154) TLS v1.2 KDF RFC7627: (A5154) TLS v1.3 KDF: (A5154) CKG (4): () Key Type: Symmetric and AsymmetricCKG KAS-135KDF KAS-56CKDF KBKDF PBKDF

This document may be freely reproduced and distributed in its entirety without modification.

Page 21
Service
NameDescriptionApproved FunctionsTypeProperties
KAS-1Scheme: EphemeralUnified, KAS Role: Initiator, ResponderKAS-ECC-SSC Sp800-56Ar3: (A5154)KAS-SSCIG : IG D.F Scenario 2, path (1) Key confirmation:no Key derivation:no Caveat:Key establishment methodology provides between 112 and 256 bits of security strength
KAS-2Scheme: dhEphem. KAS Role: Initiator, ResponderKAS-FFC-SSC Sp800-56Ar3: (A5154)KAS-SSCIG:IG D.F Scenario 2, path (1) Key confirmation:no Key derivation:no Caveat:Key establishment methodology provides between 112 and 200 bits of security strength
KAS-3Scheme: KAS1, KAS2. KAS Role: Initiator, ResponderKAS-IFC-SSC: (A5154)KAS-SSCIG:IG D.F Scenario 1, path (1) Key confirmation:no Key derivation:no Caveat:Key establishment methodology provides between 112 and 200 bits of security strength
KTS-1Key Transport in compliance with [SP800- 38F] when approved using an Authenticated AES mode (AES CCM; AES GCM; AES KW, KWP)AES-CCM: (A5154) AES-GCM: (A5154) AES-KW: (A5154) AES-KWP: (A5154)KTS-WrapStandard:SP 800- 38F IG D.G:approved method from IG D.G Caveat:Key establishment methodology provides between
KTS-2Key Transport in compliance with [SP800- 38F] when approved AES (any mode) and approved HMAC are used in combinationAES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-KW: (A5154) AES-KWP: (A5154) AES-OFB: (A5154) AES-XTS Testing Revision 2.0: (A5154) HMAC-SHA-1: (A5154) HMAC-SHA2- 224: (A5154) HMAC-SHA2- 256: (A5154) HMAC-SHA2- 384: (A5154) HMAC-SHA2-KTS-WrapStandard:SP 800- 38F IG D.G:approved method from IG D.G Caveat:Key establishment methodology provides between 128 and 256 bits of security strength
KTS-3Key Transport in compliance with [SP800- 38F] when approved AES (any mode) and approved CMAC/GMAC are used in combinationAES-CBC: (A5154) AES-CBC-CS1: (A5154) AES-CBC-CS2: (A5154) AES-CBC-CS3: (A5154) AES-CCM: (A5154) AES-CFB1: (A5154) AES-CFB128: (A5154) AES-CFB8: (A5154) AES-CMAC: (A5154) AES-CTR: (A5154) AES-ECB: (A5154) AES-GCM: (A5154) AES-GMAC: (A5154) AES-KW: (A5154) AES-KWP: (A5154) AES-OFB: (A5154) AES-XTSKTS-WrapStandard:SP 800- 38F IG D.G:approved method from IG D.G Caveat:Key establishment methodology provides between 128 and 256 bits of security strength
KTS-4Key Transport; Scheme: KTS- OAEP-basic (no key confirmation): RSA-OAEP, RSADP, RSAEP, Key Encapsulation, Key Unencapsulation Key Generation Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-prime- factor, rsakpg2- basic, rsakpg2-crt, rsakpg2- prime- factorKTS-IFC: (A5154)KTS-EncapStandard:SP 800- 56Brev2 IG D.G:approved method per IG D.G Key confirmation:no Caveat:Key establishment methodology provides between 112 and 176 bits of security strength
KAS ECC ComponentKAS-ECC-SSC primitive (ECC CDH)KAS-ECC CDH- Component SP800-56Ar3: (A5154)KAS-SSC
Self-testsAll self-tests executed by the module at bootAES-ECB: (A5154) AES-GCM: (A5154) Hash DRBG: (A5154) Counter DRBG: (A5154) HMAC DRBG: (A5154) ECDSA SigGen (FIPS186-5): (A5154) ECDSA SigVer (FIPS186-5): (A5154) RSA SigGen (FIPS186-5): (A5154) RSA SigVerBC-Auth BC-UnAuth DigSig-SigGen DigSig-SigVer DRBG KAS-135KDF KAS-56CKDF KAS-SSC KBKDF MAC PBKDF SHA XOF

(1) (1) (1) D.G This document may be freely reproduced and distributed in its entirety without modification.

Page 22

D.G This document may be freely reproduced and distributed in its entirety without modification.

Page 23

D.G This document may be freely reproduced and distributed in its entirety without modification.

Page 24

D.G rsakpg2- primefactor CDHComponent This document may be freely reproduced and distributed in its entirety without modification.

Page 25
Service
NameDescriptionCsps AccessedType
TLS all algorithmsAll algorithms supported by the module for the TLS 1.2 protocol/serviceAES-GCM: (A5154) SHA2-384: (A5154) RSA SigGen (FIPS186-5):AsymKeyPair- KeyGen AsymKeyPair- KeyVer BC-Auth CKG

AsymKeyPairKeyGen AsymKeyPairKeyVer This document may be freely reproduced and distributed in its entirety without modification.

Page 26
Service
NameDescriptionApproved FunctionsTypeProperties
Software Integrity TestRSA mod 2048 bits SHA2-256 signature VerificationRSA SigVer (FIPS186-5): (A5154)DigSig-SigVer
KTS-5Key wrapping in the context of the TLS 1.2 IETF protocol using an AES GCM 256-bit keyAES-GCM: (A5154)KTS-WrapStandard:SP 800- 38F IG D.G :approved method from IG D.G Caveat:Key establishment methodology provides 256 bits of security strength
KAS-4Key agreement in the context of the TLS 1.2 IETF protocol; KAS- ECC-SSC P-384 used with KDF TLS 1.2KAS-ECC-SSC Sp800-56Ar3: (A5154) TLS v1.2 KDF RFC7627: (A5154)KAS-FullIG :IG D.F Scenario 2 path (2) Key confirmation :no Key derivation :IG 2.4.B SP 800- 135rev1 CVL Caveat:Key
Symmetric Key GenerationGeneration of symmetric keysCKG (4): () CKG (6.3): ()CKG

D.G (2) This document may be freely reproduced and distributed in its entirety without modification.

Page 27

Table 9: Security Function Implementations

2.7 Algorithm Specific Information

a. AES-GCM Usage The AES GCM IV computation must comply with IG C.H and NIST SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. The Module does not implement the TLS 1.3 and SSH protocols itself, however, it provides the cryptographic functions required for implementing these protocols. The module does implement the TLS 1.2 protocol. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3 and the IV computed shall only be used within the protocols. The module provides the primitives to support the AES GCM ciphersuites per NIST SP800-52r1 Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary in case of TLS 1.3 and SSH protocols. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per NIST SP800-38D Section 8.2.2. Per IG C.H Scenario 2 and NIST SP800-38D, the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. For all cases of IV generation, in the event that the module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are redistributed/re-established in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This This document may be freely reproduced and distributed in its entirety without modification.

Page 28

is in accordance with IG 2.4.A: “If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation).” b. AES-XTS Usage Usage In accordance with NIST SP800-38E, the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with IG C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. c. Legacy Usage The module supports the following implementations for legacy use/support per NIST SP 800-131Ar2:

Page 29

In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. f. FIPS 202 Usage Per IG C.C Resolution 2.a., each SHA-3 and SHAKE function has been tested and validated the module’s operational environment. g. RSA Usage

2.8 RBG and Entropy

The Module complies with IG 9.3.A Scenario 2. b. and relies on the use of a NIST SP800-90B compliant entropy source outside the cryptographic boundary. The onus is on the calling application to ensure the use of an NIST SP800-90B compliant entropy source and of sufficient entropy for the required security strength. The minimum number of bits of entropy, depending on the target security strength of generated SSPs is 128, 192 or 256 bits. If the Counter DRBG implementation without the derivation function enabled is used, ensure full entropy from the This document may be freely reproduced and distributed in its entirety without modification.

Page 30

entropy source is provided. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys).

2.9 Key Generation

The module contains NIST SP 800-90Ar1 DRBGs and supports the NIST SP 800-133r2 (CKG) sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.

2.10 Key Establishment

The module supports key agreement and key transport in the context of the TLS protocol. Apart from this, it also provides cryptographic primitives in support of key agreement and key transport where the onus is on the calling application to ensure that the primitives are used in the correct sequence. The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS (KTS-1, KTS-2, KTS-3 and KTS-4). In addition to the TLS case, the following applies to the module for SSP agreement: The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS (KAS-1, KAS-2 and KAS-3). Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and IG D.F Scenario 2 (path 1) and NIST SP800-56Br2 and IG D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 10 have been documented accordingly. The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the IG D.F required key agreement assurances: NIST SP800-56Ar3 in accordance with Section 5.6.2. NIST SP800-56Br2 in accordance with Section 6.4. The module also supports key agreement in the context of the IETF TLS 1.2 protocol in accordance with IG D.F Scenario 2 (path 2) and the KAS-4 entry corresponds to the same. Per IG D.G: The module supports the Key Transport per NIST SP 800-56Br2 (RSA-OAEP) denoted by KTS4 in the SFI Table 10. This notation is in accordance with the IG D.G Additional Comment 4: “The FIPS 140-3 annotation details for the approved or allowed key transport schemes (KTS) can be found on SP 800-140B: CMVP Security Policy Requirements (see MIS Guidance “KTS”).” The module also supports the following untested approved moduli for KTS-4: 6144 < nlen <=16384, where nlen denotes the modulus. The RSA modulus sizes and key generation method have been documented in the table as well. The module can also optionally be used in the context of IEFT protocols and provide key transport using any approved AES mode(s) and an approved MAC. The corresponding entries KTS-1, KTS-2 and KTS-3 in the SFI Table 10 This document may be freely reproduced and distributed in its entirety without modification.

Page 31
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AControl InputAPI input
N/AN/AData InputAPI parameters passed by calling applications for use in services
N/AN/AStatus OutputAPI return code/status
N/AN/AData OutputAPI parameters returned to calling applications as a result of service execution

have been documented accordingly. All KTS entries have been documented in accordance with Additional Comment 4 in the IG. Finally, KTS-5 corresponds to the key transport (wrapping) supported by the module in the context of the IETF TLS 1.2 protocol supported by it. Per IG D.A and IG D.B: The strengths of the established key have been documented in accordance with IG D.A Additional Comment 4. and per the Resolution in IG D.B.

2.11 Industry Protocols

The module supports cryptographic primitives used in the context of SSH, TLS 1.2 and TLS 1.3. It also supports the TLS 1.2 protocol itself. The module does not support the SSH and TLS 1.3 protocols and thus the following in accordance with Resolution #3 applies to the module: No parts of the SSH and TLS 1.3 protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 10: Ports and Interfaces The module does not support control output and thus the Control Output interface is inapplicable.

4 Roles, Services, and Authentication
4.1 Authentication Methods

The Module does not support authentication.

4.2 Roles

This document may be freely reproduced and distributed in its entirety without modification.

Page 32
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto Officer (CO)Crypto OfficerRoleNone
Module initializationModule boot and initialization processCrypto Officer (CO) - Entrop y Input: G,W,E ,Z - State: G - Softw are Integri ty Key - RSA: ERandom Bit Generati on Software Integrity Test1Ctx passed into the functionReturn code 1 for success; 0 for failure
Show Status/Show VersionShow status; show versionCrypto Officer (CO)None1Ctx passed into the function fips_get_ paramsStatus and versioning information
Perform Self- TestsExecution of all self-testsCrypto Officer (CO)Self-tests Software Integrity Test1RebootReturn code 1 for success; 0 for failure
Key Transport (Perform approvedKey encapsulation andCrypto Officer (CO) - SSPKTS-4[KTS- IFC: RSA, 4, (2048,Encapsul ation: SSP TransportKey Transport Shared Secret
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto Officer (CO)Crypto OfficerRoleNone
Module initializationModule boot and initialization processCrypto Officer (CO) - Entrop y Input: G,W,E ,Z - State: G - Softw are Integri ty Key - RSA: ERandom Bit Generati on Software Integrity Test1Ctx passed into the functionReturn code 1 for success; 0 for failure
Show Status/Show VersionShow status; show versionCrypto Officer (CO)None1Ctx passed into the function fips_get_ paramsStatus and versioning information
Perform Self- TestsExecution of all self-testsCrypto Officer (CO)Self-tests Software Integrity Test1RebootReturn code 1 for success; 0 for failure
Key Transport (Perform approvedKey encapsulation andCrypto Officer (CO) - SSPKTS-4[KTS- IFC: RSA, 4, (2048,Encapsul ation: SSP TransportKey Transport Shared Secret
Encrypt/Decr ypt and Key Wrapping (Perform approved security functions)Encrypt or decrypt data and key wrapCrypto Officer (CO) - Symm etric Key: G,E - MAC Key: EAES Encrypt/ Decrypt AES Key Wrapping KTS-1 KTS-2 KTS-3 Symmetri c Key Generati on[AES- ECB: AES- 128- ECB, AES- 192- ECB, AES- 256- ECB]; [AES- CBC: AES- 128- CBC, AES- 192- CBC, AES- 256- CBC]; [AES- CBC- CS: AES- 128- CBC- CTS,Symmetri c Key and MAC Key (for wrapping)Plaintext/ciphert ext/wrapped key

Table 11: Roles The module supports the Crypto Officer (CO) role alone, assumed implicitly by the calling application. The module does not support a maintenance role, a bypass role or any unauthorized operators.

4.3 Approved Services

s Perform SelfTests [KTSIFC: This document may be freely reproduced and distributed in its entirety without modification. s y G,W,E ,Z G E

Page 33

[AESECB: AES128ECB, AES192ECB, AES256ECB]; [AESCBC: AES128CBC, AES192CBC, AES256CBC]; [AESCBCCS: AES128CBCCTS, s s E d :R G,E This document may be freely reproduced and distributed in its entirety without modification.

Page 34
Service
NameCsps AccessedOutput
sss
sss

s AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, AES256CFB8]; [AESCFB12 8: AES128CFB, This document may be freely reproduced and distributed in its entirety without modification. s

Page 35

s AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256GCM]; [AESXTS: AES128XTS, This document may be freely reproduced and distributed in its entirety without modification. s

Page 36
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
SSP Derivation (Perform approved security functions)Derivation of keying material (DKM)Crypto Officer (CO) - KAS Share d Secret : W,E - DKM: G,R - Key Trans port Share d Secret : W,EDerivePBKDF : PBKDF 2, (SHA- 1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/22 4, SHA2- 512/25 6, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512)]; [TLS1- PRF, (SHA2- 256, SHA2- 384, SHA2- 512)];KAS Shared SecretDKM

[AESKW, AES128WRAP, AES256WRAP] : 2, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512)]; [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; s s d : W,E G,R d : W,E This document may be freely reproduced and distributed in its entirety without modification.

Page 37
Service
NameCsps AccessedOutput
sss
sss
sss
sss
sss

s (SHA2256, SHA2384)]; [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; DFASNI, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512)]; 800108r1 This document may be freely reproduced and distributed in its entirety without modification. s

Page 38

s , KMAC256)]; 800108r1 AES128CBC, AES192CBC, AES256CBC, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2256, HMACSHA2384, This document may be freely reproduced and distributed in its entirety without modification. s

Page 39

s HMACSHA2512/22 4, HMACSHA2512/25 6, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; F, SHA2224, SHA2256, SHA2384, SHA2512)]; , SHA2224, SHA2256, SHA2384, This document may be freely reproduced and distributed in its entirety without modification. s

Page 40

s SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/22 4, HMACSHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, This document may be freely reproduced and distributed in its entirety without modification. s

Page 41

s KMAC128, KMAC256)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512]; SHA2224, SHA2256, SHA2384, SHA2512, This document may be freely reproduced and distributed in its entirety without modification. s

Page 42
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Key Agreement (Perform approved security functions)Shared secret computationCrypto Officer (CO) - SSP Agree ment Privat e FFC/E CC Key: E - SSP Agree ment Public FFC/E CC Key: E - KAS Share d Secret : GKAS-1 KAS-2 KAS-3 KAS ECC Compon ent[KAS- FFC- SSC: DHX]; [KAS- ECC- SSC: EC]SSP Agreeme nt Private FFC/ECC Key, SSP Agreeme nt Public FFC/ECC KeyKAS Shared Secret
Key Pair Generation (Perform approved security functions)ECC/DH/RSA/ SafePrime key pair generationCrypto Officer (CO) - Privat e Key: G - PublicGenerate Key[SafePr imes: DHX]; [RSA KeyGe n: RSA, (2048, 3072, 4096)];ECDSA: curve id. RSA: modulusKey pair returned to caller
[ECDS A KeyGe n: EC]Key: G[ECDS A KeyGe n: EC]
MAC Generation/V erification (Perform approved security functions)Keyed hash generation/veri ficationCrypto Officer (CO) - MAC Key: EMAC Symmetri c Key Generati on[HMAC : HMAC- SHA1, HMAC- SHA2- 224, HMAC- SHA2- 256, HMAC- SHA2- 384, HMAC- SHA2- 512, HMAC- SHA2- 512/22 4, HMAC- SHA2- 512/25 6, HMAC- SHA3- 224, HMAC- SHA3- 256, HMAC- SHA3- 384, HMAC- SHA3- 512]; [CMAC ]; [KMAC: KMAC- 128, KMAC-MAC KeyMAC value
Hash generation (Perform approved security functions)HashingCrypto Officer (CO)SHS[SHA- 1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/22 4, SHA2- 512/25 6, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512, SHAKE -128, SHAKE -256]Message to be hashedHash value
Random Bit Generation (Perform approved security functions)Random bit generation using the DRBGCrypto Officer (CO) - Entrop y Input:Random Bit Generati on[Hash DRBG: HASH- DRBG, (SHA1, SHA2- 256,DRBG State; DRBG Entropy InputRandom bits
SHA2- 512)]; [HMAC - DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [CTR- DRBG, (AES- 128- CTR, AES- 192- CTR, AES- 256- CTR)]E - Seed: E - State: ESHA2- 512)]; [HMAC - DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [CTR- DRBG, (AES- 128- CTR, AES- 192- CTR, AES- 256- CTR)]
Digital Signature Generation/V erification (Perform approved security functions)RSA/ECDSA signature generation and verificationCrypto Officer (CO) - SigGe n Key: E - SigVe r Key: ERSA SigGen/S igVer ECDSA SigGen/S igVer RSASP[RSA SigGen : RSA, (2048, 3072, 4096), (SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/22 4, SHA2- 512/25 6)]; [RSA SigVer: RSA, (1024, 2048,Sign: SigGen Key; Verify: SigVer KeySignature value for SigGen, 1 or 0 respectively for success or failure in case of SigVer

SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512] [KASFFCSSC: [KASECCSSC: s s e d :G G This document may be freely reproduced and distributed in its entirety without modification.

Page 43

A : HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/22 4, HMACSHA2512/25 6, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; ]; KMAC128, s s G This document may be freely reproduced and distributed in its entirety without modification.

Page 44

: AES128GCM, AES192GCM, AES256GCM] SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, HASHDRBG, SHA2256, s s y This document may be freely reproduced and distributed in its entirety without modification.

Page 45

SHA2512)]; SHA2256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; s s E E E E E This document may be freely reproduced and distributed in its entirety without modification.

Page 46
Service
NameCsps AccessedOutput
sss

s SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; m: A (SHA2224, SHA2256, SHA2384, SHA2512, SHA3224, SHA3256, SHA3384, This document may be freely reproduced and distributed in its entirety without modification. s

Page 47
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsInputOutput
Perform zeroisation* Zeroisation in the context of function calls * Restarting the host platform * TLS 1.2 Session Termination * Module uninstantiation1Crypto Officer (CO) - SigGe n Key: Z - SigVe r Key: Z - Privat e Key: Z - Public Key: ZNoneLocation of SSPReturn code 1

A SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; A s s Z Z Z This document may be freely reproduced and distributed in its entirety without modification.

Page 48
Service
NameCsps AccessedOutput
sss
sss

s This document may be freely reproduced and distributed in its entirety without modification. s e d :Z Z Z d :Z y

Page 49

s This document may be freely reproduced and distributed in its entirety without modification. s Z Z Z r :Z Z A A Z Z

Page 50
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
HTTPS communicati ons with backend (Perform approved security functions)TLS v1.2 protocol usedCrypto Officer (CO) - TLS Maste r Secret : G,E,Z - TLS Pre- Maste r Secret : G,E,Z - TLS Sessi on Key: G,E,Z - KAS Privat e Key: G,E,Z - KAS Public Key: G,R,ETLS all algorithm s KTS-5 KAS-4Succes sful comple tion of the service, i.e. succes sful TLS 1.2 session negotia tion combin ed with the string "Check TCP flag 3" printed in the boot logsTLS Peer Public Key (KAS Peer Public Key)Packets transferred over TLS 1.2

s i.e. 1.2 s This document may be freely reproduced and distributed in its entirety without modification. s PreMaste r :Z Z r : G,E,Z PreMaste r : G,E,Z G,E,Z G,E,Z G,R,E

Page 51
Service
NameCsps AccessedIndicatorOutputOutputs
sss
SSP AgreementKAS-SSCX448 X25519Crypto Officer (CO)
FIPS 186-5 ECDSA SigVer ComponentSignature verificationFIPS 186-5 ECDSA SigVer ComponentCrypto Officer (CO)
HMAC GenerateMAC generation with key length < 112 bitsHMAC GenerateCrypto Officer (CO)
HMAC DRBG/Hash DRBGPRF(s): SHA3 (all sizes)HMAC DRBG/Hash DRBGCrypto Officer (CO)
TDES Encrypt/DecryptEncryption and decryptionTDESCrypto Officer (CO)
Digital Signature Generation/VerificationSignature generation and verificationED448 ED25519 FIPS 186-4 DSA FIPS 186-2 RSA SignatureCrypto Officer (CO)
FIPS 186-2 RSA Key GenerationRSA public/private key pair generation per FIPS 186-2FIPS 186-2 RSA Generate KeyCrypto Officer (CO)
DeriveKey derivationKDA HKDF SP800- 56Cr1 KDA OneStep SP800-56Cr1 KDF ANS 9.42 KDF ANS 9.63Crypto Officer (CO)
SSP TransportSSP transport using RSA PKCS1.5 paddingRSA PKCS1.5 (for KTS)Crypto Officer (CO)
RSA Signature PrimitiveSignature primitive function/signature generation with modulus 3072 and 4096RSA Signature PrimitiveCrypto Officer (CO)
FIPS 186-4 RSA X9.31 Key Generation and Signature GenerationKey generation and signature generation per ANS X9.31FIPS 186-4 RSA KeyGen X9.31,Crypto Officer (CO)
SHA-1 for Signature VerificationFIPS 186-5 RSA/ECDSA Signature Verification using SHA-1 (in accordance with IG C.M 3.e)SHA-1 for SigVerCrypto Officer (CO)

s s ,Z A G,R,E ,Z A G,E,Z G,R,E ,Z G,E,Z W,E,Z Table 12: Approved Services The following indicate the type of access: G = Generate: The service generates or derives the CSP/Public Key. W = Write/Input: The service inputs the CSP/Public Key. E = Execute: The Module executes using the CSP/Public Key. R = Read/Output: The service outputs the CSP/Public Key. CSP are always protected with the approved KTS. Z = Zeroise: The Module zeroizes the CSP/Public Key after usage. A zeroised CSP is not retrievable or reusable. The module provides service indicators in accordance with the FIPS 140-3 IG 2.4.C example 3. All CSPs are zeroised when they are no longer needed: - Temporary CSPs are zeroised within the relevant function calls per service. This document may be freely reproduced and distributed in its entirety without modification.

Page 52

The DRBG state is zeroised on Module instantiation The temporary underlying hash value generated as part of the RSA Signature Verification computed in the context of the integrity test performed, is zeroised prior to exiting the integrity test function. TLS 1.2 SSPs are zeroised upon TLS 1.2 session termination.

4.4 Non-Approved Services

This document may be freely reproduced and distributed in its entirety without modification.

Page 53

Table 13: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not support loading software from an external source.

4.6 Bypass Actions and Status

The module does not support bypass.

4.7 Cryptographic Output Actions and Status

The module supports self-initiated cryptographic output over the TLS 1.2 IETF protocol. Two internal actions are performed i.e. two distinct software flags are checked within the module prior to allowing output over TLS 1.2. The TLS 1.2 i.e. self-initiated cryptographic output capability is inherently active per the module’s design. The Crypto Officer only needs to power on the underlying platform, i.e., Triton 2 device. Successful negotiation of the TLS 1.2 session combined with the string "Check TCP flag 3" printed in the boot logs indicates that the selfinitiated cryptographic output capability is active.

5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses RSA 2048 SHA2-256 as the approved integrity technique. The pre-calculated value of the approved digital signature is included with the module. The integrity test covers the entirety of the module software. If the value calculated at boot for the approved digital signature does not match the pre-calculated, stored value, the test fails. The RSA 2048 SHA2-256 CAST is performed prior to the software integrity test in accordance with the IG 10.2.A. The Module is provided in the executable form (.elf). The software integrity RSA mod 2048 public key used for signature verification is considered a non-SSP and stored within the module.

5.2 Initiate on Demand

This document may be freely reproduced and distributed in its entirety without modification.

Page 54
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary, plaintext storage
Stored in the module binaryStaticPersistent, plaintext storage

An operator of the module can perform the integrity test on demand by reloading the module. If the integrity test fails, module enters an error state. The module does not support loading of any additional software from an external source.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The module is a Level 1 multi-chip standalone software module with a modifiable operational environment.

6.2 Configuration Settings and Restrictions

There are no restrictions on the operational environment of the module.

7 Physical Security

The Module is a software module thus the requirements per this section do not apply.

8 Non-Invasive Security

The Module is a software module thus the requirements per this section do not apply.

9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 14: Storage Areas This document may be freely reproduced and distributed in its entirety without modification.

Page 55
Service
NameApproved FunctionsTypeFromToDistributio n Type
API inputElectroni cPlaintex tCalling applicationModuleManual
API outputElectroni cPlaintex tModuleCalling applicationManual
Stored at manufactur e - 1N/APlaintex tManufacture rStored in the module binaryN/A
Input during TLS 1.2 negotiationElectroni cPlaintex tTLS 1.2 peer/external endpointRAMAutomated
Output during TLS 1.2 negotiationElectroni cPlaintex tRAMTLS 1.2 peer/externa l endpointAutomated
ZeroizationDescriptionRationaleOperator
MethodInitiation
Zeroisation in the context of function callsTemporary CSPs are zeroised within the relevant function calls per serviceAutomatic zeroisation per module's design in the context of each function calledModule initiated
Restarting the host platformSSPs are stored temporarily in RAMRAM is cleansed via reboot of the underlying host; no copies of SSPs are maintained/stored within the module itselfOperator initiated
TLS 1.2 Session TerminationSSPs zeroised upon TLS 1.2 session terminationTLS 1.2 SSPs are stored ephemerally until session terminationModule initiated
Module uninstantiationDRBG state zeroisationUn-instantiation of the module zeroises the DRBG stateOperator initiated
9.2 SSP Input-Output Methods

t t t c c N/A t c t c e-1 1.2 r N/A m Table 15: SSP Input-Output Methods The module is compliant with IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path) and with AD/EE in the context of the TLS 1.2 protocol.

9.3 SSP Zeroization Methods

Table 16: SSP Zeroization Methods This document may be freely reproduced and distributed in its entirety without modification.

Page 56
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentUseType - Catego ry
SigGen KeyPrivate key - CSPPrivate key for signature generationRSA: 2048, 3072 and 4096 bits ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 112, 128 or 152 ECDSA: 112, 128, 192, 521RSA SigGen/Sig Ver ECDSA SigGen/Sig Ver RSASP
SigVer KeyPublic key - PSPPublic key for signature verificationRSA: 1024, 2048, 3072 and 4096 bits ECDSA: ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 80, 112, 128 or 152 ECDSA:RSA SigGen/Sig Ver ECDSA SigGen/Sig Ver
Private KeyPrivate key - CSPPrivate key requested by calling application (purpose unknown)RSA: 2048, 3072, 4096 bits ECDSA: ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 112, 128 or 152 ECDSA: 112, 128, 192, 256Generat e Key Random Bit Generati on
Public KeyPublic key - PSPPublic key requested by calling application (purpose unknown)RSA: 2048, 3072, 4096 bits ECDSA: ECDSA: B-233, K- 233, P- 224; B- 283, K- 283, P- 256; B- 409, K- 409, P- 384; B- 571, K- 571, P- 521 - RSA: 112, 128Generat e Key Random Bit Generati on
SSP Agreem ent Private FFC/EC C KeyPrivate key - CSPPrivate key provided by the entity using the module for Diffie- Hellman shared secret generationFFC: FB, FC, MODP20 48, ffdhe204 8, MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B- 233, K- 233, P- 224, B- 283, K- 283, P- 256, B- 409, K- 409, P- 384, B- 571, K- 571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 andGenerat e Key Random Bit Generati onKAS-1 KAS-2 KAS-3
SSP Agreem ent Public FFC/EC C KeyPublic key - PSPPublic key provided by the entity using the module for Diffie- Hellman shared secret generationFFC: FB, FC, MODP20 48, ffdhe204 8, MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B- 233, K- 233, P- 224, B- 283, K- 283, P- 256, B- 409, K- 409, P- 384, B- 571, K- 571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bitsGenerat e Key Random Bit Generati onKAS-1 KAS-2 KAS-3
KAS Shared SecretShared secret - CSPShared secret computation (z)FFC: FB, FC, MODP20 48, ffdhe204 8, MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B- 233, K- 233, P- 224, B- 283, K- 283, P- 256, B- 409, K- 409, P- 384, B- 571, K- 571, P- 521, IFC: k=2048, 3072,KAS-1 KAS-2 KAS-3
DKMDerived Keying Material - CSPKey Derivation derived keying materialHMAC PRF: 160, 224, 256, 384, 512 - HMAC PRF: 160, 224, 256, 384, 512Derive
MAC KeySymmet ric key - CSPKeyed Hash keyCMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256 - CMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256Random Bit Generati on Symmet ric Key Generati onMAC KTS-2
SSP Transpo rtPrivate key - CSPPrivate key (KDK) used for [SP800-2048, 3072, 4096 andKTS-4
Private Key56Br2] RSA key transport6144 bits - 112, 128, 152, 176
SSP Transpo rt Public keyPublic key - PSPPublic key (KEK) used for [SP800- 56Br2] RSA key transport2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176KTS-4
Key Transpo rt Shared SecretShared secret - CSPThe RSA key transport shared secret2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176KTS-4
Entropy InputEntropy input - CSPEntropy input from an external source used for DRBG seeding128 - 256 bits - 128 - 256 bitsRandom Bit Generation
SeedDRBG seed - CSPSeed generated from the entropy input for the DRBG128 - 256 bits - 128 - 256 bitsRandom Bit Generation
StateDRBG state - CSPDRBG stateHash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256 - Hash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224,Random Bit Generati onRandom Bit Generation
Symmet ric KeySymmet ric key - CSPAES Encryption/Decryptio n/Key Wrapping KeyAES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256. - AES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256Random Bit Generati on Symmet ric Key Generati onAES Encrypt/Dec rypt AES Key Wrapping KTS-1 KTS-2 KTS-3
TLS Master SecretShared secret - CSPTLS 1.2 Master Secret derived from the pre-master secret384 bits - 192 bitsDeriveTLS v1.2 KDF RFC7627 (A5154)
TLS Session KeySymmet ric key - PSPAES key used to encrypt the TLS session256 bits - 256 bitsDeriveKAS-4KTS-5
KAS Public KeyPublic key - PSPEC Diffie-Hellman i.e. KAS-ECC-SSC public key used in EC Diffie-Hellman Key Exchange for TLS 1.2P-384 - 192 bitsGenerat e Key Random Bit Generati onKAS-ECC- SSC Sp800- 56Ar3 (A5154)
KAS Private KeyPrivate key - CSPEC Diffie-Hellman i.e. KAS-ECC-SSC private key used in EC Diffie-Hellman Key Exchange for TLS 1.2P-384 - 192 bitsGenerat e Key Random Bit Generati onKAS-ECC- SSC Sp800- 56Ar3 (A5154)
ECDSA Public KeyPublic key - PSPECDSA public key used for TLS 1.2 authenticationP-384 - 192 bitsGenerat e Key Random Bit Generati onECDSA SigVer (FIPS186-5) (A5154)
ECDSA Private KeyPrivate key - CSPECDSA private key used for TLS 1.2 authenticationP-384 - 192 bitsGenerat e Key Random Bit Generati onECDSA SigGen (FIPS186-5) (A5154)
RSA Public KeyPublic key - PSPRSA public key used for TLS 1.2 authenticationRSA SigVer mod 2048 - 112 bitsGenerat e Key Random Bit Generati onRSA SigVer (FIPS186-5) (A5154)
RSA Private KeyPrivate key - CSPRSA private key used for TLS 1.2 authenticationRSA SigGen mod 2048 - 112 bitsGenerat e Key Random Bit Generati onRSA SigGen (FIPS186-5) (A5154)
TLS Pre- Master SecretShared secret - CSPTLS 1.2 pre-master secret computed (KAS-ECC-SSC)384 bits - 192 bitsKAS-4TLS v1.2 KDF RFC7627 (A5154)
KAS Peer Public KeyPublic key - PSPEC Diffie-Hellman i.e. KAS-ECC-SSC public key used in EC Diffie-Hellman Key Exchange for TLS 1.2 (TLS 1.2 peer key)P-384 - 192 bitsKAS-4
Softwar e Integrity Key - RSAPublic key - NeitherRSA key used to perform the Software Integrity Test2048 bits - 112 bitsRSA SigVer (FIPS186 -5) (A5154)Software Integrity Test
SigGen KeyRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nSigVer Key:Paired Withzeroised once no longer needed
SigVer KeyRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nSigGen Key:Paired Withzeroised once no longer needed
Private KeyRAM:Encrypte dAPI outputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nPublic Key:Paired Withzeroised once no longer needed
Public KeyRAM:Encrypte dAPI outputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nPrivate Key:Paired Withzeroised once no longer needed
SSP Agreemen t Private FFC/ECC KeyRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nSSP Agreement Public FFC/ECC Key:Paired Withzeroised once no longer needed
SSP Agreemen t Public FFC/ECC KeyRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform ModuleSSP Agreement Private FFC/ECC Key:Paired Withzeroised once no longer needed
KAS Shared SecretRAM:Encrypte dAPI outputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nSSP Agreement Private FFC/ECC Key:Establishe d using SSP Agreement Public FFC/ECC Key:Establishe d usingzeroised once no longer needed
DKMRAM:Encrypte dAPI outputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nzeroised once no longer needed
MAC KeyRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nzeroised once no longer needed
SSP Transport Private KeyRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nSSP Transport Public key:Paired Withzeroised once no longer needed
SSP Transport Public keyRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nSSP Transport Private Key:Paired Withzeroised once no longer needed
Key Transport Shared SecretRAM:Encrypte dAPI input API outputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nzeroised once no longer needed
Entropy InputRAM:Encrypte dAPI inputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nSeed:Used to derivezeroised once no longer needed
SeedRAM:Encrypte dZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nEntropy Input:Derived Fromzeroised once no longer needed
StateRAM:Encrypte dRestarting the host platform Module uninstantiatio nSeed:Derived FromUntil power- cycling of the underlying host platform
Symmetric KeyRAM:Encrypte dAPI input API outputZeroisation in the context of function calls Restarting the host platform Module uninstantiatio nzeroised once no longer needed
TLS Master SecretRAM:PlaintextZeroisation in the context of function callsTLS Pre- Master Secret:Derived Fromzeroised once no longer needed
TLS Session KeyRAM:PlaintextTLS 1.2 Session TerminationTLS Master Secret:Derived Fromzeroised once no longer needed
KAS Public KeyRAM:PlaintextOutput during TLSTLS 1.2 Session TerminationKAS Private Key:Paired Withzeroised once no longer needed
KAS Private KeyRAM:PlaintextTLS 1.2 Session TerminationKAS Public Key:Paired Withzeroised once no longer needed
ECDSA Public KeyRAM:PlaintextOutput during TLS 1.2 negotiationTLS 1.2 Session Terminationzeroised once no longer needed
ECDSA Private KeyRAM:PlaintextTLS 1.2 Session Terminationzeroised once no longer needed
RSA Public KeyRAM:PlaintextOutput during TLS 1.2 negotiationTLS 1.2 Session Terminationzeroised once no longer needed
RSA Private KeyRAM:PlaintextTLS 1.2 Session Terminationzeroised once no longer needed
TLS Pre- Master SecretRAM:PlaintextZeroisation in the context of function callsTLS Master Secret:Used to derivezeroised once no longer needed
KAS Peer Public KeyRAM:PlaintextInput during TLS 1.2 negotiationTLS 1.2 Session TerminationKAS Public Key:Used Withzeroised once no longer needed
Software Integrity Key - RSAStored in the module binary:Plaintex tStored at manufactur e - 1Module uninstantiatio nUntil module uninstantiatio n is performed

B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: 80, This document may be freely reproduced and distributed in its entirety without modification.

Page 57

B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P521 RSA: This document may be freely reproduced and distributed in its entirety without modification.

Page 58

8, 2, 6, 4, ECC: B233, K233, P224, B283, K283, P256, B409, K409, P384, B571, K571, P521, IFC: This document may be freely reproduced and distributed in its entirety without modification.

Page 59

[SP80056Br2]: 8, 2, 6, 4, ECC: B233, K233, P224, B283, K283, P256, B409, K409, P384, B571, K571, P521, IFC: This document may be freely reproduced and distributed in its entirety without modification.

Page 60

[SP80056Br2]: 8, 2, 6, 4, ECC: B233, K233, P224, B283, K283, P256, B409, K409, P384, B571, K571, P521, IFC: This document may be freely reproduced and distributed in its entirety without modification.

Page 61

This document may be freely reproduced and distributed in its entirety without modification.

Page 62

This document may be freely reproduced and distributed in its entirety without modification.

Page 63

KAS-ECCSSC Sp80056Ar3 KAS-ECCSSC Sp80056Ar3 This document may be freely reproduced and distributed in its entirety without modification.

Page 64

PreMaster e -5) Table 17: SSP Table 1 This document may be freely reproduced and distributed in its entirety without modification.

Page 65

d d d d d d n n n n n This document may be freely reproduced and distributed in its entirety without modification.

Page 66

d d d d d n n n n n n This document may be freely reproduced and distributed in its entirety without modification.

Page 67

d d d d n n n n n d TLS PreMaster This document may be freely reproduced and distributed in its entirety without modification.

Page 68
1.2 TLS PreMaster 1.2 n 1.2 e-1 t Table 18: SSP Table 2
9.5 Transitions

Conformance to FIPS 186-5 is mandatory as of February 4, 2024. The module claims conformance to FIPS 186-4 as allowed per the FIPS 140-3 IG C.K Additional Comment #2. Per the NIST SP 800-133Ar2/3 and the programmatic transitions defined by the CMVP, the following algorithm transitions apply to the module, and the algorithms have been designated allowed/non-approved accordingly in Section 2.5: a. SHA-1 for SigVer (per IG C.M 3.e) and SHA-1 used for SigGen is a non-approved, not allowed algorithm. Usage of SHA-1 for all other SigVer is allowed for legacy use only until 2030. Thereafter, all usage of SHA-1 will be considered a non-approved, not allowed algorithm. b. FIPS 186-2 RSA KeyGen and SigGen modes are non-approved, not allowed algorithms. This document may be freely reproduced and distributed in its entirety without modification.

Page 69
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicator
RSA SigVer (FIPS186-5) (A5154)RSA SigVer (FIPS186-5) (A5154)KATSW/FW IntegrityVerifyModulus: 2048 bits; Hash: SHA2-256Verified OK

c. RSA-based key transport schemes that only use PKCS#1-v1.5 padding are nonapproved, not allowed algorithms. d. FIPS 186-4 DSA Key Gen, Sig Gen, or PQG Gen; FIPS 186-4 X9.31 RSA Key Gen, RSA Sig Gen are non-approved, not allowed algorithms. e. Usage of FIPS 186-4 RSA SigVer X9.31 is allowed only for legacy use. f. Triple-DES decryption is allowed for legacy use only. g. Triple-DES encryption is non-approved, not allowed algorithm. h. Key agreement schemes that are not compliant with any version of SP 800-56A (X448, X25519) are non-approved, not allowed algorithms. i. Until January 1, 2031, the following algorithms will be considered deprecated: a. SHA-1, SHA-224 hash functions b. Hash_DRBG and HMAC_DRBG using SHA-1, SHA-224 hash functions c. Hash function and HMAC using SHA-1, SHA-224 hash functions d. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation j. As of January 1, 2031, the following algorithms will be considered deprecated/disallowed (i.e. non-approved, not allowed)/legacy use: a. SHA-1, SHA2-224 hash functions (disallowed) b. Use of the 112-bit security strength for classical digital signature and keyestablishment mechanisms (deprecated) c. Use of the 112-bit security strength for block ciphers (disallowed) d. Use of a security strength less than 128-bits but greater than 112 bits for ECDA KeyGen and RSA KeyGen (PKCS #1 v1.5 & PSS) (deprecated) e. Hash_DRBG and HMAC_DRBG using SHA-1, SHA-224 hash functions (disallowed) f. Hash function and HMAC using SHA-1, SHA-224 hash functions (legacy use) g. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation (disallowed) h. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Verification (legacy use)

10 Self-Tests
10.1 Pre-Operational Self-Tests

Table 19: Pre-Operational Self-Tests The pre-operational self-tests can be run on demand by reloading the module.

10.2 Conditional Self-Tests

This document may be freely reproduced and distributed in its entirety without modification.

Page 70
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
AES-ECB (A5154)AES-ECB (A5154)KATCASTDecryptKey Length: 128 bits1On reloading the module
AES-GCM (A5154) - Encrypt - 256 bitsAES-GCM (A5154) - Encrypt - 256 bitsKATCASTEncryptKey Length: 256 bits1On reloading the module
AES-GCM (A5154) - Decrypt - 256 bitsAES-GCM (A5154) - Decrypt - 256 bitsKATCASTDecryptKey Length: 256 bits1On reloading the module
Counter DRBG (A5154)Counter DRBG (A5154)KATCASTGenerate, Reseed, Instantiate functionsAES CTR (128 bits) with derivation function1On reloading the module
ECDSA SigGen (FIPS186- 5) (A5154) - P224ECDSA SigGen (FIPS186- 5) (A5154) - P224KATCASTSignCurve: P- 224; Hash: SHA2-5121On reloading the module
ECDSA SigVer (FIPS186- 5) (A5154) - P-224ECDSA SigVer (FIPS186- 5) (A5154) - P-224KATCASTVerifyCurve: P- 224; Hash: SHA2-5121On reloading the module
Hash DRBG (A5154)Hash DRBG (A5154)KATCASTGenerate, Reseed, Instantiate functionsPRF: SHA2-2561On reloading the module
HMAC DRBG (A5154)HMAC DRBG (A5154)KATCASTGenerate, Reseed, Instantiate functionsPRF: HMAC- SHA-11On reloading the module
HMAC- SHA2-256 (A5154)HMAC- SHA2-256 (A5154)KATCASTHMAC tag GenerationPRF: SHA2-2561On reloading the module
KAS- ECC-SSC Sp800- 56Ar3 (A5154)KAS- ECC-SSC Sp800- 56Ar3 (A5154)KATCASTKey Agreement - Shared Secret ComputationScheme: Ephemeral Unified, Curve: P- 2561On reloading the module
KAS-FFC- SSC Sp800- 56Ar3 (A5154)KAS-FFC- SSC Sp800- 56Ar3 (A5154)KATCASTKey Agreement - Shared Secret ComputationScheme: dhEphem; Modulus: L = 20481On reloading the module
KAS-IFC- SSC (A5154)KAS-IFC- SSC (A5154)KATCASTKey Agreement - Shared Secret ComputationSchemes: Basic, CRT, Modulus: L = 2048 bits1On reloading the module
KDF SP800- 108 (A5154)KDF SP800- 108 (A5154)KATCASTCounter Mode (HMAC- SHA2-256).Mode: Counter, PRF: HMAC- SHA2-2561On reloading the module
KDA OneStep SP800- 56Cr2 (A5154)KDA OneStep SP800- 56Cr2 (A5154)KATCASTKey DerivationAuxiliary Function, H = SHA2- 2241On reloading the module
KDA TwoStep SP800- 56Cr2 (A5154)KDA TwoStep SP800- 56Cr2 (A5154)KATCASTKey DerivationAuxiliary Function, H = HMAC- SHA2-2561On reloading the module
KTS-IFC (A5154) - BasicKTS-IFC (A5154) - BasicKATCASTEncryptSchemes: Basic Modulus: L = 2048 bits1On reloading the module
KTS-IFC (A5154) - CRTKTS-IFC (A5154) - CRTKATCASTDecryptSchemes: Basic, CRT, Modulus: L = 2048 bits1On reloading the module
PBKDF (A5154)PBKDF (A5154)KATCASTKey DerivationDerivation of the Master Key (MK), PRF: SHA2-2561On reloading the module
RSA SigGen (FIPS186- 5) (A5154)RSA SigGen (FIPS186- 5) (A5154)KATCASTSignScheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-2561On reloading the module
RSA SigVer (FIPS186- 5) (A5154)RSA SigVer (FIPS186- 5) (A5154)KATCASTVerifyScheme: PKCS#1, Modulus: L = 2048,1On reloading the module
SHA-1 (A5154)SHA-1 (A5154)KATCASTHashSHA-11On reloading the module
SHA2-512 (A5154)SHA2-512 (A5154)KATCASTHashSHA2-5121On reloading the module
SHA3-256 (A5154)SHA3-256 (A5154)KATCASTHashSHA3-2561On reloading the module
KDF ANS 9.42 (A5154)KDF ANS 9.42 (A5154)KATCASTKey DerivationPRFs: AES KW (128 bits), SHA-11On reloading the module
KDF ANS 9.63 (A5154)KDF ANS 9.63 (A5154)KATCASTKey DerivationPRF: SHA2-2561On reloading the module
KDF SSH (A5154)KDF SSH (A5154)KATCASTKey DerivationPRF: SHA- 11On reloading the module
TLS v1.2 KDF RFC7627 (A5154)TLS v1.2 KDF RFC7627 (A5154)KATCASTKey DerivationPRF: SHA2-2561On reloading the module
TLS v1.3 KDF (A5154)TLS v1.3 KDF (A5154)KATCASTKey DerivationPRF: SHA2-2561On reloading the module
RSA KeyGen (FIPS186- 5) (A5154)RSA KeyGen (FIPS186- 5) (A5154)PCTPCTKey GenerationPerformed on key generation1On generating keys for Key Transport (KTS IFC)/Key Agreement (KAS IFC)/Signature Generation/Signature Verification
ECDSA KeyGen (FIPS186- 5) (A5154)ECDSA KeyGen (FIPS186- 5) (A5154)PCTPCTKey GenerationPerformed on key generation1On generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification
ECDSA SigGen (FIPS186- 5) (A5154) - K-233ECDSA SigGen (FIPS186- 5) (A5154) - K-233KATCASTSignCurve: K- 233; Hash: SHA2-5121On reloading the module
ECDSA SigVer (FIPS186- 5) (A5154) - K-233ECDSA SigVer (FIPS186- 5) (A5154) - K-233KATCASTVerifyCurve: K- 233; Hash: SHA2-5121On reloading the module
KAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCTKAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCTPCTPCTKey GenerationPerformed post key generation1On generating keys for Key Agreement (KAS FFC)
RSA SigVer (FIPS186-5) (A5154)RSA SigVer (FIPS186-5) (A5154)KATSW/FW IntegrityOn DemandManually by reloading the module
AES-ECB (A5154)AES-ECB (A5154)KATCASTOn DemandManually by reloading the module
AES-GCM (A5154) - Encrypt - 256 bitsAES-GCM (A5154) - Encrypt - 256 bitsKATCASTOn DemandManually by reloading the module
AES-GCM (A5154) - Decrypt - 256 bitsAES-GCM (A5154) - Decrypt - 256 bitsKATCASTOn DemandManually by reloading the module
Counter DRBG (A5154)Counter DRBG (A5154)KATCASTOn DemandManually by reloading the module
ECDSA SigGen (FIPS186-5) (A5154) - P224ECDSA SigGen (FIPS186-5) (A5154) - P224KATCASTOn DemandManually by reloading the module
ECDSA SigVer (FIPS186-5) (A5154) - P-224ECDSA SigVer (FIPS186-5) (A5154) - P-224KATCASTOn DemandManually by reloading the module
Hash DRBG (A5154)Hash DRBG (A5154)KATCASTOn DemandManually by reloading the module

HMACSHA-1 HMACSHA2-256 KASECC-SSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 Curve: P256 (FIPS1865) (A5154) (FIPS1865) (A5154) This document may be freely reproduced and distributed in its entirety without modification.

Page 71

KAS-IFCSSC SP800108 SP80056Cr2 SP80056Cr2 (FIPS1865) (A5154) (FIPS1865) (A5154) HMACSHA2-256 H = SHA2224 H= HMACSHA2-256 (HMACSHA2-256). This document may be freely reproduced and distributed in its entirety without modification.

Page 72

PRF: SHA1 (FIPS1865) (A5154) (FIPS1865) (A5154) (FIPS1865) (A5154) (FIPS1865) (A5154) This document may be freely reproduced and distributed in its entirety without modification.

Page 73
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
KAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCTKAS-FFC- SSC Sp800- 56Ar3 (A5154) - PCTPCTPCTKey GenerationPerformed post key generation1On generating keys for Key Agreement (KAS FFC)
RSA SigVer (FIPS186-5) (A5154)RSA SigVer (FIPS186-5) (A5154)KATSW/FW IntegrityOn DemandManually by reloading the module
AES-ECB (A5154)AES-ECB (A5154)KATCASTOn DemandManually by reloading the module
AES-GCM (A5154) - Encrypt - 256 bitsAES-GCM (A5154) - Encrypt - 256 bitsKATCASTOn DemandManually by reloading the module
AES-GCM (A5154) - Decrypt - 256 bitsAES-GCM (A5154) - Decrypt - 256 bitsKATCASTOn DemandManually by reloading the module
Counter DRBG (A5154)Counter DRBG (A5154)KATCASTOn DemandManually by reloading the module
ECDSA SigGen (FIPS186-5) (A5154) - P224ECDSA SigGen (FIPS186-5) (A5154) - P224KATCASTOn DemandManually by reloading the module
ECDSA SigVer (FIPS186-5) (A5154) - P-224ECDSA SigVer (FIPS186-5) (A5154) - P-224KATCASTOn DemandManually by reloading the module
Hash DRBG (A5154)Hash DRBG (A5154)KATCASTOn DemandManually by reloading the module
HMAC DRBG (A5154)HMAC DRBG (A5154)KATCASTOn DemandManually by reloading the module
HMAC-SHA2- 256 (A5154)HMAC-SHA2- 256 (A5154)KATCASTOn DemandManually by reloading the module
KAS-ECC-SSC Sp800-56Ar3 (A5154)KAS-ECC-SSC Sp800-56Ar3 (A5154)KATCASTOn DemandManually by reloading the module
KAS-FFC-SSC Sp800-56Ar3 (A5154)KAS-FFC-SSC Sp800-56Ar3 (A5154)KATCASTOn DemandManually by reloading the module
KAS-IFC-SSC (A5154)KAS-IFC-SSC (A5154)KATCASTOn DemandManually by reloading the module
KDF SP800-108 (A5154)KDF SP800-108 (A5154)KATCASTOn DemandManually by reloading the module
KDA OneStep SP800-56Cr2 (A5154)KDA OneStep SP800-56Cr2 (A5154)KATCASTOn DemandManually by reloading the module
KDA TwoStep SP800-56Cr2 (A5154)KDA TwoStep SP800-56Cr2 (A5154)KATCASTOn DemandManually by reloading the module
KTS-IFC (A5154) - BasicKTS-IFC (A5154) - BasicKATCASTOn DemandManually by reloading the module
KTS-IFC (A5154) - CRTKTS-IFC (A5154) - CRTKATCASTOn DemandManually by reloading the module
PBKDF (A5154)PBKDF (A5154)KATCASTOn DemandManually by reloading the module
RSA SigGen (FIPS186-5) (A5154)RSA SigGen (FIPS186-5) (A5154)KATCASTOn DemandManually by reloading the module
RSA SigVer (FIPS186-5) (A5154)RSA SigVer (FIPS186-5) (A5154)KATCASTOn DemandManually by reloading the module
SHA-1 (A5154)SHA-1 (A5154)KATCASTOn DemandManually by reloading the module
SHA2-512 (A5154)SHA2-512 (A5154)KATCASTOn DemandManually by reloading the module
SHA3-256 (A5154)SHA3-256 (A5154)KATCASTOn DemandManually by reloading the module
KDF ANS 9.42 (A5154)KDF ANS 9.42 (A5154)KATCASTOn DemandManually by reloading the module
KDF ANS 9.63 (A5154)KDF ANS 9.63 (A5154)KATCASTOn DemandManually by reloading the module
KDF SSH (A5154)KDF SSH (A5154)KATCASTOn DemandManually by reloading the module
TLS v1.2 KDF RFC7627 (A5154)TLS v1.2 KDF RFC7627 (A5154)KATCASTOn DemandManually by reloading the module
TLS v1.3 KDF (A5154)TLS v1.3 KDF (A5154)KATCASTOn DemandManually by reloading the module
RSA KeyGen (FIPS186-5) (A5154)RSA KeyGen (FIPS186-5) (A5154)PCTPCTOn DemandOn generation of keys
ECDSA KeyGen (FIPS186-5) (A5154)ECDSA KeyGen (FIPS186-5) (A5154)PCTPCTOn DemandOn generation of keys
ECDSA SigGen (FIPS186-5) (A5154) - K-233ECDSA SigGen (FIPS186-5) (A5154) - K-233KATCASTOn DemandManually by reloading the module
ECDSA SigVer (FIPS186-5) (A5154) - K-233ECDSA SigVer (FIPS186-5) (A5154) - K-233KATCASTOn DemandManually by reloading the module
KAS-FFC-SSC Sp800-56Ar3 (A5154) - PCTKAS-FFC-SSC Sp800-56Ar3 (A5154) - PCTPCTPCTOn DemandOn generation of keys

KAS-FFCSSC Sp80056Ar3 Table 20: Conditional Self-Tests The conditional cryptographic algorithm self-tests can be run on demand by reloading the

10.3 Periodic Self-Test Information

Table 21: Pre-Operational Periodic Information This document may be freely reproduced and distributed in its entirety without modification.

Page 74

This document may be freely reproduced and distributed in its entirety without modification.

Page 75
Service
NameDescriptionRole AccessIndicator
Hard errorA failure in the pre- operational integrity test/one ofIf the pre- operational software integrity test failsPROV_R_FIPS_MODULE_IN_ERROR_ST ATE and ERR SUMReloadin g of the module

Table 22: Conditional Periodic Information

10.4 Error States

e the preoperational y This document may be freely reproduced and distributed in its entirety without modification.

Page 76
Service
NameDescriptionRole Access
the cryptographi c algorithm self-tests will cause the module to return an error and enter the Hard error statethe cryptographi c algorithm self-tests will cause the module to return an error and enter the Hard error stateIf one of the cryptographi c algorithm's self-test (a CAST, specifically, a Known Answer Test (KAT)) were to fail

e c y Table 23: Error States On instantiation, the Module performs the self-tests described in Table 22 and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. If one of the following indicator : “PROV_R_FIPS_MODULE_IN_ERROR_STATE” whereas if the integrity test fails, the module enters the Hard error state and returns the error code ERR SUM as well as “PROV_R_FIPS_MODULE_IN_ERROR_STATE”.

10.5 Operator Initiation of Self-Tests

The module can be reloaded on demand for running the Cryptographic Algorithm Self-tests (CASTs) as well as the pre-operational integrity test.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is shipped pre-installed in the Approved mode of operation with the Triton 2 device. The operator must power on the appliance upon delivery to cause it to automatically execute the pre-operational integrity tests and CASTs on all algorithms. Once the self-tests have completed successfully, the module is ready for use. The operator can verify the software version (v9FIPS.2.807) and the module identifier (triton 2) as this information is printed in the bootlogs.

11.2 Administrator Guidance

No additional guidance applies for the operation of the module apart from that specified in Section 2 and other subsections under this section.

11.3 Non-Administrator Guidance

This document may be freely reproduced and distributed in its entirety without modification.

Page 77

No additional guidance applies for the operation of the module apart from that specified in Section 2 and other subsections under this section.

11.4 Design and Rules

GitHub is used as the Configuration Management System. The module’s software is implemented using a high-level language and designed to avoid use of code, parameters or symbols not necessary for the module’s functionality and execution.

11.5 Maintenance Requirements

No maintenance requirements apply. The module’s software is protected from tampering as it is delivered securely within the Triton 2 device.

11.6 End of Life

The module can be uninstalled to end-of-life the module. The module can be securely sanitized by zeroising it.

12 Mitigation of Other Attacks
12.1 Attack List

The Module implements mitigations for some types of attacks using the constant-time implementations and blinding. This document may be freely reproduced and distributed in its entirety without modification.

Referenced URLs