| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 12/10/2030 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | ST Engineering Urban Solutions Ltd. |
flowchart LR
%% Deterministic review-risk graph for IPC Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for IPC Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3,C5,C6 clueLow;ST Engineering Urban Solutions Ltd. IPC Cryptographic Module This document may be freely reproduced and distributed in its entirety without modification.
| # | Section | Page |
|---|
This document may be freely reproduced and distributed in its entirety without modification.
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 8 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Modes List and Description | 8 |
| Table 5: Approved Algorithms | 11 |
| Table 6: Vendor-Affirmed Algorithms | 11 |
| Table 7: Non-Approved, Allowed Algorithms | 12 |
| Table 8: Non-Approved, Not Allowed Algorithms | 13 |
| Table 9: Security Function Implementations | 24 |
| Table 10: Ports and Interfaces | 28 |
| Table 11: Roles | 29 |
| Table 12: Approved Services | 48 |
| Table 13: Non-Approved Services | 50 |
| Table 14: Storage Areas | 52 |
| Table 15: SSP Input-Output Methods | 52 |
| Table 16: SSP Zeroization Methods | 53 |
| Table 17: SSP Table 1 | 62 |
| Table 18: SSP Table 2 | 65 |
| Table 19: Pre-Operational Self-Tests | 67 |
| Table 20: Conditional Self-Tests | 70 |
| Table 21: Pre-Operational Periodic Information | 70 |
| Table 22: Conditional Periodic Information | 72 |
| Table 23: Error States | 73 |
| Figure 1: Block Diagram | 7 |
Validated is the term given to a module that is documented and tested against the FIPS 140-3 criteria. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program. About this Document (hereafter referred to as “the Module”) from ST Engineering Urban Solutions Ltd. It contains specifications of the security rules under which the Module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. This document may be freely reproduced and distributed whole and intact including this The following table lists the level of validation for each area in FIPS 140-3: Overall Security Rating of the module is level 1.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 3
12 Mitigation of other attacks 1
Overall Level 1 Table 1: Security Levels
The Section 7.7 Physical Security and Section 7.8 Non-Invasive Security from ISO 19790 do not apply to the module.
This document may be freely reproduced and distributed in its entirety without modification.
Purpose and Use: The module is intended to execute within the IPC device and provide cryptographic services. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary is as depicted in Figure 1. No components are excluded from the cryptographic boundary. The module supports an Approved mode and a non-Approved mode of operation. The module does not support a degraded mode. Tested Operational Environment’s Physical Perimeter (TOEPP): The block diagram of the Module is depicted in Figure 1 (blue outlined). The Tested Operational Environment’s Physical Perimeter (TOEPP) is the underlying host platform i.e. IPC device on which it runs. The operating environment of the module is modifiable since the platform does support modifications to it. This document may be freely reproduced and distributed in its entirety without modification.
Tested Module Identification
Package or File Software/ Firmware Features Integrity Test Name Version IPC V9FIPS.1.0 N/A RSA mod 2048 SHA2-256 Table 2: Tested Module Identification
No components have been excluded.
Modes List and Description: Mode Description Type Status Indicator Name Approved The module is initialized into the Approved Approved "FIPS operation in mode mode of operation by default progress" printed in bootlogs non- The module transitions implicitly to the non- Non- None Approved Approved mode upon usage of any Non- Approved mode Approved Algorithms Not Allowed in the Approved Mode Table 4: Modes List and Description The Module supports an Approved mode and a non-Approved mode of operation. The following apply to the module:
Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A5153 - SP 800-38A AES-CBC-CS1 A5153 - SP 800-38A AES-CBC-CS2 A5153 - SP 800-38A AES-CBC-CS3 A5153 - SP 800-38A AES-CCM A5153 - SP 800-38C AES-CFB1 A5153 - SP 800-38A AES-CFB128 A5153 - SP 800-38A AES-CFB8 A5153 - SP 800-38A AES-CMAC A5153 - SP 800-38B AES-CTR A5153 - SP 800-38A AES-ECB A5153 - SP 800-38A AES-GCM A5153 - SP 800-38D AES-GMAC A5153 - SP 800-38D AES-KW A5153 - SP 800-38F AES-KWP A5153 - SP 800-38F AES-OFB A5153 - SP 800-38A AES-XTS Testing Revision 2.0 A5153 - SP 800-38E Counter DRBG A5153 - SP 800-90A Rev. ECDSA KeyGen (FIPS186-5) A5153 - FIPS 186-5 ECDSA KeyVer (FIPS186-5) A5153 - FIPS 186-5 ECDSA SigGen (FIPS186-5) A5153 - FIPS 186-5 ECDSA SigVer (FIPS186-5) A5153 - FIPS 186-5 This document may be freely reproduced and distributed in its entirety without modification.
Algorithm CAVP Cert Properties Reference Hash DRBG A5153 - SP 800-90A Rev. HMAC DRBG A5153 - SP 800-90A Rev. HMAC-SHA-1 A5153 - FIPS 198-1 HMAC-SHA2-224 A5153 - FIPS 198-1 HMAC-SHA2-256 A5153 - FIPS 198-1 HMAC-SHA2-384 A5153 - FIPS 198-1 HMAC-SHA2-512 A5153 - FIPS 198-1 HMAC-SHA2-512/224 A5153 - FIPS 198-1 HMAC-SHA2-512/256 A5153 - FIPS 198-1 HMAC-SHA3-224 A5153 - FIPS 198-1 HMAC-SHA3-256 A5153 - FIPS 198-1 HMAC-SHA3-384 A5153 - FIPS 198-1 HMAC-SHA3-512 A5153 - FIPS 198-1 KAS-ECC CDH-Component SP800-56Ar3 A5153 - SP 800-56A Rev. (CVL) 3 KAS-ECC-SSC Sp800-56Ar3 A5153 - SP 800-56A Rev. KAS-FFC-SSC Sp800-56Ar3 A5153 - SP 800-56A Rev. KAS-IFC-SSC A5153 - SP 800-56A Rev. KDA HKDF SP800-56Cr2 A5153 - SP 800-56C Rev. KDA OneStep SP800-56Cr2 A5153 - SP 800-56C Rev. KDA TwoStep SP800-56Cr2 A5153 - SP 800-56C Rev. KDF ANS 9.42 (CVL) A5153 - SP 800-135 Rev. KDF ANS 9.63 (CVL) A5153 - SP 800-135 Rev. KDF KMAC Sp800-108r1 A5153 - SP 800-108 Rev. KDF SP800-108 A5153 - SP 800-108 Rev. KDF SSH (CVL) A5153 - SP 800-135 Rev. KMAC-128 A5153 - SP 800-185 KMAC-256 A5153 - SP 800-185 KTS-IFC A5153 - SP 800-56B Rev. PBKDF A5153 - SP 800-132 RSA KeyGen (FIPS186-5) A5153 - FIPS 186-5 RSA SigGen (FIPS186-5) A5153 - FIPS 186-5 RSA Signature Primitive (CVL) A5153 - FIPS 186-4 This document may be freely reproduced and distributed in its entirety without modification.
Algorithm CAVP Cert Properties Reference RSA SigVer (FIPS186-4) A5153 - FIPS 186-4 RSA SigVer (FIPS186-5) A5153 - FIPS 186-5 Safe Primes Key Generation A5153 - SP 800-56A Rev. Safe Primes Key Verification A5153 - SP 800-56A Rev. SHA-1 A5153 - FIPS 180-4 SHA2-224 A5153 - FIPS 180-4 SHA2-256 A5153 - FIPS 180-4 SHA2-384 A5153 - FIPS 180-4 SHA2-512 A5153 - FIPS 180-4 SHA2-512/224 A5153 - FIPS 180-4 SHA2-512/256 A5153 - FIPS 180-4 SHA3-224 A5153 - FIPS 202 SHA3-256 A5153 - FIPS 202 SHA3-384 A5153 - FIPS 202 SHA3-512 A5153 - FIPS 202 SHAKE-128 A5153 - FIPS 202 SHAKE-256 A5153 - FIPS 202 TLS v1.2 KDF RFC7627 (CVL) A5153 - SP 800-135 Rev. TLS v1.3 KDF (CVL) A5153 - SP 800-135 Rev. Table 5: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key N/A NIST SP 800-133rev2, Section 6.3: (6.3) Type:Symmetric Symmetric Keys Produced by Combining Multiple Keys and Other Data CKG Key N/A NIST SP800-133r2 Section 4: Using the (4) Type:Symmetric Output of a Random Bit Generator; Section and Asymmetric 5.1: Key Pairs for Digital Signature Schemes; Section 5.2: Key Pairs for Key Establishment; Section 6.1: Direct Generation of Symmetric Keys; Section 6.2: Derivation of Symmetric keys Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: This document may be freely reproduced and distributed in its entirety without modification.
Name Properties Implementation Reference AES Cert. A5153:key IPC Symmetric key unwrapping unwrapping per IG D.G per IG D.G Additional Comment 5 FIPS 186-4 Cert. A5153:signature IPC IG C.K RSA SigVer verification X9.31 Table 7: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: The module does not support any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Name Use and Function X448 SSP Agreement X25519 SSP Agreement FIPS 186-5 ECDSA Curve(s): P-192, P-224, P-256, P-384, P-521, B-163, B-233, B-283, BSigVer Component 409, B-571, K-163, K-233, K-283, K-409, K-571, Function(s): SigVer HMAC Generate Key length(s): < 112 bits for MAC generation HMAC DRBG/Hash PRF(s): SHA3 (all sizes) DRBG ED448 PRF: SHAKE256, Function(s): SigGen, SigVer ED25519 PRF: SHA2-512, Function(s): SigGen, SigVer TDES Mode(s): CBC and ECB, Function(s): Encrypt, Decrypt FIPS 186-4 DSA Key size (strength): L = 1024, N = 160 (s < 112); L = 2048, N = 224 (s = 112); L = 2048, N = 256 (s = 112); L = 3072, N = 256 (s = 128); Function(s): KeyGen, SigGen, SigVer, PQGVer and PQGGen (SHA-1, SHA2 and SHA3 all sizes); SigVer and PQGVer disapproved per IG C.M 3.e FIPS 186-2 RSA Modulus: > 1024 bits, Function(s): SigGen, SigVer (per IG C.M 3.e. for Signature SigVer) FIPS 186-2 RSA Modulus: >= 2048 bits, Function(s): KeyGen Generate Key KDA HKDF SP800- Key length(s): < 112 bits 56Cr1 KDA OneStep PRF(s): SHAKE128 and SHAKE256 SP800-56Cr1 KDF ANS 9.42 PRF(s): SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAKKMAC128 and KECCAK-KMAC256 KDF ANS 9.63 PRF(s): SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAKKMAC128 and KECCAK-KMAC256 This document may be freely reproduced and distributed in its entirety without modification.
Name Use and Function RSA PKCS1.5 (for Usage of RSA PKCS1.5 Encapsulation/decapsulation in the context of KTS) SSP Transport (KTS) RSA Signature RSASP with modulus 3072, 4096 (since RSASP 2.0 is untested per Primitive CAVP Cert. #A5153) FIPS 186-4 RSA RSA KeyGen, SigGen per X9.31 per IG C.K KeyGen X9.31, FIPS 186-4 RSA SigGen X9.31 SHA-1 for SigVer Usage of SHA-1 in the context of signature verification (per IG C.M 3.e) Table 8: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms AES BC-Auth Encryption and Key Length:128, AES-CBC: Encrypt/Decrypt BC-UnAuth decryption using 192 and 256 bits (A5153) AES modes Key Length AES-CBC-CS1: (XTS):128 and (A5153)
(A5153) AES-CBC-CS3: (A5153) AES-CCM: (A5153) AES-CFB1: (A5153) AES-CFB128: (A5153) AES-CFB8: (A5153) AES-CMAC: (A5153) AES-CTR: (A5153) AES-ECB: (A5153) AES-GCM: (A5153) AES-GMAC: (A5153) AES-OFB: (A5153) AES-XTS Testing This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms Revision 2.0: (A5153) AES Key KTS-Wrap Key Wrapping Key Length:128, AES-KW: Wrapping 192 and 256 bits (A5153) AES-KWP: (A5153) SHS SHA Hashing SHA-1: (A5153) SHA2-224: (A5153) SHA2-256: (A5153) SHA2-384: (A5153) SHA2-512: (A5153) SHA2-512/224: (A5153) SHA2-512/256: (A5153) SHA3-224: (A5153) SHA3-256: (A5153) SHA3-384: (A5153) SHA3-512: (A5153) SHAKE-128: (A5153) SHAKE-256: (A5153) MAC BC-Auth Message HMAC-SHA-1: MAC Authentication (A5153) Code HMAC-SHA2224: (A5153) HMAC-SHA2256: (A5153) HMAC-SHA2384: (A5153) HMAC-SHA2512: (A5153) HMAC-SHA2512/224: (A5153) HMAC-SHA2512/256: (A5153) This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms HMAC-SHA3224: (A5153) HMAC-SHA3256: (A5153) HMAC-SHA3384: (A5153) HMAC-SHA3512: (A5153) AES-CMAC: (A5153) AES-GMAC: (A5153) KMAC-128: (A5153) KMAC-256: (A5153) RSA DigSig-SigGen RSA SigGen and Mode: PKCS 1.5 RSA SigGen SigGen/SigVer DigSig-SigVer SigVer (SigGen):Modulus: (FIPS186-5): 2048, 3072, 4096; (A5153) Hash: SHA2-224, RSA SigVer SHA2-256, SHA2- (FIPS186-5): 384, SHA2-512, (A5153) SHA2-512/224, RSA SigVer SHA2-512/256 (FIPS186-4): Mode: PKCSPSS (A5153) (SigGen):Modulus: 2048, 3072, 4096; Hash: SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: ANSI X9.31 (SigVer only):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2384, SHA2-512 Mode: PKCS 1.5 (SigVer):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 Mode: PKCSPSS This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms (SigVer):Modulus: 1024, 2048, 3072, 4096; Hash: SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA DigSig-SigGen ECDSA SigGen SigGen:P-224, P- ECDSA SigGen/SigVer DigSig-SigVer and SigVer 256, P-384, P- SigGen 521, B-233, B- (FIPS186-5): 283, B-409, B- (A5153) 571, K-233, K- ECDSA SigVer 283, K-409, K- (FIPS186-5): 571; SHA2-224, (A5153) SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512 SigVer :P-192, P224, P-256, P384, P-521, B163, B-233, B283, B-409, B571, K-163, K233, K-283, K409, K-571; SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512 RSASP DigSig-SigGen RSA signature RSA Signature primitive Primitive: (A5153) Generate Key AsymKeyPair- Keypair ECDSA KeyGen generation KeyGen AsymKeyPair- (FIPS186-5): KeyVer (A5153) CKG ECDSA KeyVer (FIPS186-5): (A5153) RSA KeyGen This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms (FIPS186-5): (A5153) Safe Primes Key Generation: (A5153) Safe Primes Key Verification: (A5153) CKG (4): () Key Type: Symmetric and Asymmetric Random Bit DRBG Random Number Hash DRBG: Generation Generation - (A5153) Hash_DRBG, HMAC DRBG: CTR_DRBG and (A5153) HMAC_DRBG Counter DRBG: (A5153) Derive CKG Derive Keying KDA HKDF KAS-135KDF Material SP800-56Cr2: KAS-56CKDF (A5153) KBKDF KDA OneStep PBKDF SP800-56Cr2: (A5153) KDA TwoStep SP800-56Cr2: (A5153) KDF ANS 9.42: (A5153) KDF ANS 9.63: (A5153) KDF KMAC Sp800-108r1: (A5153) KDF SP800108: (A5153) KDF SSH: (A5153) PBKDF: (A5153) TLS v1.2 KDF RFC7627: (A5153) TLS v1.3 KDF: (A5153) CKG (4): () This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms Key Type: Symmetric and Asymmetric KAS-1 KAS-SSC Scheme: IG : IG D.F KAS-ECC-SSC EphemeralUnified, Scenario 2, path Sp800-56Ar3: KAS Role: (1) (A5153) Initiator, Key Responder confirmation:no Key derivation:no Caveat:Key establishment methodology provides between
of security strength KAS-2 KAS-SSC Scheme: IG : IG D.F KAS-FFC-SSC dhEphem. KAS Scenario 2, path Sp800-56Ar3: Role: Initiator, (1) (A5153) Responder Key confirmation:no Key derivation:no Caveat: Key establishment methodology provides between
of security strength KAS-3 KAS-SSC Scheme: KAS1, IG:IG D.F KAS-IFC-SSC: KAS2. KAS Role: Scenario 1, path (A5153) Initiator, (1) Responder Key confirmation :no Key derivation:no Caveat :Key establishment methodology provides between
of security strength KTS-1 KTS-Wrap Key Transport in Standard :SP 800- AES-CCM: compliance with 38F (A5153) [SP800- 38F] IG D.G:approved AES-GCM: when approved method from IG (A5153) using an D.G AES-KW: Authenticated Caveat :Key (A5153) This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms AES mode (AES establishment AES-KWP: CCM; AES GCM; methodology (A5153) AES KW, KWP) provides between
of security strength KTS-2 KTS-Wrap Key Transport in Standard:SP 800- AES-CBC: compliance with 38F (A5153) [SP800- 38F] IG D.G:approved AES-CBC-CS1: when approved method from IG (A5153) AES (any mode) D.G AES-CBC-CS2: and approved Caveat :Key (A5153) HMAC are used in establishment AES-CBC-CS3: combination methodology (A5153) provides between AES-CCM:
of security AES-CFB1: strength (A5153) AES-CFB128: (A5153) AES-CFB8: (A5153) AES-CMAC: (A5153) AES-CTR: (A5153) AES-ECB: (A5153) AES-GCM: (A5153) AES-GMAC: (A5153) AES-KW: (A5153) AES-KWP: (A5153) AES-OFB: (A5153) AES-XTS Testing Revision 2.0: (A5153) HMAC-SHA-1: (A5153) HMAC-SHA2224: (A5153) HMAC-SHA2256: (A5153) This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms HMAC-SHA2384: (A5153) HMAC-SHA2512: (A5153) HMAC-SHA2512/224: (A5153) HMAC-SHA2512/256: (A5153) HMAC-SHA3224: (A5153) HMAC-SHA3256: (A5153) HMAC-SHA3384: (A5153) HMAC-SHA3512: (A5153) KTS-3 KTS-Wrap Key Transport in Standard:SP 800- AES-CBC: compliance with 38F (A5153) [SP800- 38F] IG D.G:approved AES-CBC-CS1: when approved method from IG (A5153) AES (any mode) D.G AES-CBC-CS2: and approved Caveat:Key (A5153) CMAC/GMAC are establishment AES-CBC-CS3: used in methodology (A5153) combination provides between AES-CCM:
of security AES-CFB1: strength (A5153) AES-CFB128: (A5153) AES-CFB8: (A5153) AES-CMAC: (A5153) AES-CTR: (A5153) AES-ECB: (A5153) AES-GCM: (A5153) AES-GMAC: (A5153) AES-KW: (A5153) AES-KWP: (A5153) This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms AES-OFB: (A5153) AES-XTS Testing Revision 2.0: (A5153) KTS-4 KTS-Encap Key Transport; Standard:SP 800- KTS-IFC: Scheme: KTS- 56Brev2 (A5153) OAEP-basic (no IG D.G:approved key confirmation): method per IG RSA-OAEP, D.G RSADP, RSAEP, Key Key confirmation:no Encapsulation, Caveat :Key Key establishment Unencapsulation methodology Key Generation provides between Methods: 112 and 176 bits rsakpg1-basic, of security rsakpg1-crt, strength rsakpg1-primefactor, rsakpg2basic, rsakpg2-crt, rsakpg2- primefactor KAS ECC KAS-SSC KAS-ECC-SSC KAS-ECC Component primitive (ECC CDHCDH) Component SP800-56Ar3: (A5153) Self-tests BC-Auth All self-tests AES-ECB: BC-UnAuth executed by the (A5153) DigSig-SigGen module at boot AES-GCM: DigSig-SigVer (A5153) DRBG Hash DRBG: KAS-135KDF (A5153) KAS-56CKDF Counter DRBG: KAS-SSC (A5153) KBKDF HMAC DRBG: MAC (A5153) PBKDF ECDSA SHA SigGen XOF (FIPS186-5): (A5153) ECDSA SigVer (FIPS186-5): (A5153) RSA SigGen This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms (FIPS186-5): (A5153) RSA SigVer (FIPS186-5): (A5153) HMAC-SHA2256: (A5153) SHA-1: (A5153) SHA3-256: (A5153) KDF ANS 9.42: (A5153) KDF ANS 9.63: (A5153) KAS-ECC-SSC Sp800-56Ar3: (A5153) KAS-FFC-SSC Sp800-56Ar3: (A5153) KAS-IFC-SSC: (A5153) KDA OneStep SP800-56Cr2: (A5153) KDA TwoStep SP800-56Cr2: (A5153) KDA HKDF SP800-56Cr2: (A5153) KDF SSH: (A5153) PBKDF: (A5153) KDF SP800108: (A5153) SHA2-512: (A5153) TLS v1.2 KDF RFC7627: (A5153) TLS v1.3 KDF: (A5153) TLS all AsymKeyPair- All algorithms AES-GCM: algorithms KeyGen supported by the (A5153) AsymKeyPair- module for the SHA2-384: This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms KeyVer TLS 1.2 (A5153) BC-Auth protocol/service RSA SigGen CKG (FIPS186-5): DigSig-SigGen (A5153) DigSig-SigVer RSA SigVer DRBG (FIPS186-5): KAS-135KDF (A5153) KTS-Wrap ECDSA SHA KeyGen (FIPS186-5): (A5153) Hash DRBG: (A5153) TLS v1.2 KDF RFC7627: (A5153) ECDSA SigGen (FIPS186-5): (A5153) ECDSA SigVer (FIPS186-5): (A5153) CKG (4): () Key Type: Symmetric and Asymmetric Software DigSig-SigVer RSA mod 2048 RSA SigVer Integrity Test bits SHA2-256 (FIPS186-5): signature (A5153) Verification KTS-5 KTS-Wrap Key wrapping in Standard:SP 800- AES-GCM: the context of the 38F (A5153) TLS 1.2 IETF IG D.G: approved protocol using an method from IG AES GCM 256-bit D.G key Caveat:Key establishment methodology provides 256 bits of security strength KAS-4 KAS-Full Key agreement in IG : IG D.F KAS-ECC-SSC the context of the Scenario 2 path Sp800-56Ar3: TLS 1.2 IETF (2) (A5153) protocol; KAS- Key TLS v1.2 KDF ECC-SSC P-384 confirmation:no RFC7627: Key derivation:IG (A5153) This document may be freely reproduced and distributed in its entirety without modification.
Name Type Description Properties Algorithms used with KDF 2.4.B SP 800TLS 1.2 135rev1 CVL Caveat :Key establishment methodology provides 192 bits of security strength Symmetric Key CKG Generation of CKG (4): () Generation symmetric keys CKG (6.3): () Table 9: Security Function Implementations
a. AES-GCM Usage The AES GCM IV computation must comply with IG C.H and NIST SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. The Module does not implement the TLS 1.3 and SSH protocols itself, however, it provides the cryptographic functions required for implementing these protocols. The module does implement the TLS 1.2 protocol. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3 and the IV computed shall only be used within the protocols. The module provides the primitives to support the AES GCM cipher suites per NIST SP800-52r1 Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary in case of TLS 1.3 and SSH protocols. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per NIST SP800-38D Section 8.2.2. Per IG C.H Scenario 2 and NIST SP800-38D, the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. For all cases of IV generation, in the event that the module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are redistributed/re-established in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. This document may be freely reproduced and distributed in its entirety without modification.
The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This is in accordance with IG 2.4.A: “If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation).” b. AES-XTS Usage Usage In accordance with NIST SP800-38E, the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with IG C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. c. Legacy Usage The module supports the following implementations for legacy use/support per NIST SP 800-131Ar2:
The module being a software module does not restrict the usage of a password/string used as the password and input to the PBKDF. The onus is on the calling application to provide a password of an appropriate length based on the intended security strength (and size) of the key to be derived. In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. f. FIPS 202 Usage Per IG C.C Resolution 2.a., each SHA-3 and SHAKE function has been tested and validated the module’s operational environment. g. RSA Usage
The Module complies with IG 9.3.A Scenario 2. b. and relies on the use of a NIST SP800-90B compliant entropy source outside the cryptographic boundary. The onus is on the calling This document may be freely reproduced and distributed in its entirety without modification.
application to ensure the use of an NIST SP800-90B compliant entropy source and of sufficient entropy for the required security strength. The minimum number of bits of entropy, depending on the target security strength of generated SSPs is 128, 192 or 256 bits. If the Counter DRBG implementation without the derivation function enabled is used, ensure full entropy from the entropy source is provided. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys).
The module contains NIST SP 800-90Ar1 DRBGs and supports the NIST SP 800-133r2 (CKG) sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.
The module supports key agreement and key transport in the context of the TLS protocol. Apart from this, it also provides cryptographic primitives in support of key agreement and key transport where the onus is on the calling application to ensure that the primitives are used in the correct sequence. The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS (KTS-1, KTS-2, KTS-3 and KTS-4). In addition to the TLS case, the following applies to the module for SSP agreement: The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS (KAS-1, KAS-2 and KAS-3). Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and IG D.F Scenario 2 (path 1) and NIST SP800-56Br2 and IG D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 10 have been documented accordingly. The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the IG D.F required key agreement assurances: NIST SP800-56Ar3 in accordance with Section 5.6.2. NIST SP800-56Br2 in accordance with Section 6.4. The module also supports key agreement in the context of the IETF TLS 1.2 protocol in accordance with IG D.F Scenario 2 (path 2) and the KAS-4 entry corresponds to the same. Per IG D.G: The module supports the Key Transport per NIST SP 800-56Br2 (RSA-OAEP) denoted by KTS-
4 in the SFI Table 10. This notation is in accordance with the IG D.G Additional Comment 4:
“The FIPS 140-3 annotation details for the approved or allowed key transport schemes (KTS) can be found on SP 800-140B: CMVP Security Policy Requirements (see MIS Guidance “KTS”).”. This document may be freely reproduced and distributed in its entirety without modification.
The module also supports the following untested approved moduli for KTS-4: 6144 < nlen <=16384, where nlen denotes the modulus. The RSA modulus sizes and key generation method have been documented in the table as well. The module can also optionally be used in the context of IEFT protocols and provide key transport using any approved AES mode(s) and an approved MAC. The corresponding entries KTS-1, KTS-2 and KTS-3 in the SFI Table 10 have been documented accordingly. All KTS entries have been documented in accordance with Additional Comment 4 in the IG. Finally, KTS-5 corresponds to the key transport (wrapping) supported by the module in the context of the IETF TLS 1.2 protocol supported by it. Per IG D.A and IG D.B: The strengths of the established key have been documented in accordance with IG D.A Additional Comment 4. and per the Resolution in IG D.B.
The module supports cryptographic primitives used in the context of SSH, TLS 1.2 and TLS 1.3. It also supports the TLS 1.2 protocol itself. The module does not support the SSH and TLS 1.3 protocols and thus the following in accordance with Resolution #3 applies to the module: No parts of the SSH and TLS 1.3 protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.
Physical Logical Data That Passes Port Interface(s) N/A Control Input API input N/A Data Input API parameters passed by calling applications for use in services N/A Status API return code/status Output N/A Data Output API parameters returned to calling applications as a result of service execution Table 10: Ports and Interfaces The module does not support control output and thus the Control Output interface is inapplicable.
This document may be freely reproduced and distributed in its entirety without modification.
The Module does not support authentication.
Name Type Operator Type Authentication Methods Crypto Officer (CO) Role Crypto Officer None Table 11: Roles The module supports the Crypto Officer (CO) role alone, assumed implicitly by the calling application. The module does not support a maintenance role, a bypass role or any unauthorized operators.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s Module Module boot 1 Ctx Return code 1 Random Crypto initialization and passed for success; 0 Bit Officer initialization into the for failure Generati (CO) process function on Software Entrop Integrity y Test Input: G,W,E ,Z State: G Softw are Integri ty Key - RSA: E Show Show status; 1 Ctx Status and None Crypto Status/Show show version passed versioning Officer Version (version for into the information (CO) fips.dll) function fips_get_ params This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s Perform Self- Execution of 1 Reboot Return code 1 Self-tests Crypto Tests all self-tests for success; 0 Software Officer for failure Integrity (CO) Test Key Key [KTS- Encapsul Key Transport KTS-4 Crypto Transport encapsulation IFC: ation: Shared Secret Officer (Perform and RSA, 4, SSP (CO) approved unencapsulati (2048, Transport - SSP security on 3072, Private Trans functions) 4096, Key; port 6144, Decapsul Privat 8192)] atation: e Key: SSP E Transport - SSP Public Trans Key port Public key: E - Key Trans port Share d Secret :R Encrypt/Decr Encrypt or [AES- Symmetri Plaintext/ciphert AES Crypto ypt and Key decrypt data ECB: c Key and ext/wrapped key Encrypt/ Officer Wrapping and key wrap AES- MAC Key Decrypt (CO) (Perform 128- (for AES Key approved ECB, wrapping) Wrapping Symm security AES- KTS-1 etric functions) 192- KTS-2 Key: E ECB, KTS-3 - MAC AES- Symmetri Key: E 256- c Key ECB]; Generati [AES- on CBC: AES128CBC, AES192CBC, AES256This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s CBC]; [AESCBCCS: AES128CBCCTS, AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s AES256CFB8]; [AESCFB12 8: AES128CFB, AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s GCM]; [AESXTS: AES128XTS, AES256XTS]; [AESKW, KWP: AES128WRAP, AES256WRAP] SSP Derivation of PBKDF KAS DKM Derive Crypto Derivation keying : Shared Officer (Perform material PBKDF Secret (CO) approved (DKM) 2, - KAS security (SHA- Share functions) 1, d SHA2- Secret 224, : W,E SHA2- 256, DKM: SHA2- G,R 384, - Key SHA2- Trans 512, port SHA2- Share 512/22 d 4, Secret SHA2- : W,E 512/25 6, SHA3224, SHA3256, SHA3384, SHA3512)]; This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; [TLS13 -KDF, (SHA2256, SHA2384)]; [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; [X942K DFASNI, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s SHA3384, SHA3512)]; [NIST SP 800108r1 KDF KMAC: KBKDF , (KMAC -128, KMAC256)]; [NIST SP 800108r1 KDF: KBKDF , MAC: CMAC, Cipher: AES128CBC, AES192CBC, AES256CBC, MAC: HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/22 4, HMACSHA2512/25 6, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; [KDF SSH: SSHKD F, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512)]; [OneSt ep KDF: SSKDF This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s , (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/22 4, HMACSHA2512/25 6, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s SHA3224, SHA3256, SHA3384, SHA3512, KMAC128, KMAC256)]; [TwoSt ep KDF: HKDF, MAC: HMAC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512]; [HKDF: HKDF, MAC: HMAC, (SHA1, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512] Key Shared secret [KAS- SSP KAS Shared KAS-1 Crypto Agreement computation FFC- Agreeme Secret KAS-2 Officer (Perform SSC: nt Private KAS-3 (CO) approved DHX]; FFC/ECC KAS - SSP security [KAS- Key, SSP ECC Agree functions) ECC- Agreeme Compon ment SSC: nt Public ent Privat EC] FFC/ECC e Key FFC/E CC Key: E - SSP Agree ment Public FFC/E CC Key: E - KAS Share d Secret :G This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s Key Pair ECC/DH/RSA/ [SafePr ECDSA: Key pair Generate Crypto Generation SafePrime key imes: curve id. returned to caller Key Officer (Perform pair generation DHX]; RSA: (CO) approved [RSA modulus security KeyGe Privat functions) n: RSA, e Key: (2048, G 3072, 4096)]; Public [ECDS Key: A G KeyGe n: EC] MAC Keyed hash [HMAC MAC Key MAC value MAC Crypto Generation/V generation/veri : Symmetri Officer erification fication HMAC- c Key (CO) (Perform SHA1, Generati - MAC approved HMAC- on Key: E security SHA2functions) 224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/22 4, HMACSHA2512/25 6, HMACSHA3224, HMACSHA3256, HMACSHA3384, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s HMACSHA3512]; [CMAC ]; [KMAC: KMAC128, KMAC256]; [GMAC : AES128GCM, AES192GCM, AES256GCM] Hash Hashing [SHA- Message Hash value SHS Crypto generation 1, to be Officer (Perform SHA2- hashed (CO) approved 224, security SHA2functions) 256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6, SHA3224, SHA3256, SHA3384, SHA3512, SHAKE -128, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s SHAKE -256] Random Bit Random bit [Hash DRBG Random bits Random Crypto Generation generation DRBG: State; Bit Officer (Perform using the HASH- DRBG Generati (CO) approved DRBG DRBG, Entropy on security (SHA1, Input Entrop functions) SHA2- y 256, Input: SHA2- E 512)]; [HMAC Seed: - E DRBG, (SHA1, State: SHA2- E 256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] Digital RSA/ECDSA [RSA Sign: Signature value RSA Crypto Signature signature SigGen SigGen for SigGen, 1 or SigGen/S Officer Generation/V generation and : RSA, Key; 0 respectively for igVer (CO) erification verification (2048, Verify: success or ECDSA (Perform 3072, SigVer failure in case of SigGen/S SigGe approved 4096), Key SigVer igVer n Key: security (SHA2- RSASP E functions) 224, SHA2- SigVe 256, r Key: SHA2- E 384, SHA2512, SHA2512/22 This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s 4, SHA2512/25 6)]; [RSA SigVer: RSA, (1024, 2048, 3072, 4096), (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; [RSA Signatu re Primitiv e: RSA, 2048, hash algorith m: (null)]; [ECDS A SigGen : EC, (SHA2224, SHA2256, SHA2384, This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s SHA2512, SHA3224, SHA3256, SHA3384, SHA3512)]; [ECDS A SigVer: EC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/22 4, SHA2512/25 6)]; [ECDS A SigGen Compo nent]: EC, hash: (null)] Perform * Zeroisation in 1 Location Return code 1 None Crypto zeroisation the context of of SSP Officer function calls * (CO) Restarting the host platform * SigGe TLS 1.2 n Key: Session Z Termination * SigVe This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s Module r Key: uninstantiation Z Privat e Key: Z Public Key: Z - SSP Agree ment Privat e FFC/E CC Key: Z - SSP Agree ment Public FFC/E CC Key: Z - KAS Share d Secret :Z DKM: Z - MAC Key: Z - SSP Trans port Privat e Key: Z - SSP Trans port Public key: Z - Key This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s Trans port Share d Secret :Z Entrop y Input: Z Seed: Z State: Z Symm etric Key: Z - TLS Maste r Secret :Z - TLS Sessi on Key: Z - KAS Public Key: Z - KAS Privat e Key: Z ECDS A Public Key: Z ECDS A Privat This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s e Key: Z - RSA Public Key: Z - RSA Privat e Key: Z - TLS PreMaste r Secret :Z - KAS Peer Public Key: Z Softw are Integri ty Key - RSA: Z HTTPS TLS v1.2 Succes TLS Peer Packets TLS all Crypto communicati protocol used sful Public transferred over algorithm Officer ons with comple Key (KAS TLS 1.2 s (CO) backend tion of Peer KTS-5 - TLS (Perform the Public KAS-4 Maste approved service, Key) r security i.e. Secret functions) succes : sful G,E,Z TLS - TLS
session Maste negotia r tion Secret : G,E,Z - TLS Sessi on Key: This document may be freely reproduced and distributed in its entirety without modification.
Name Description Indicat Inputs Outputs Security SSP or Function Acces s s G,E,Z - KAS Privat e Key: G,E,Z - KAS Public Key: G,R,E ,Z ECDS A Public Key: G,R,E ,Z ECDS A Privat e Key: G,E,Z - RSA Public Key: G,R,E ,Z - RSA Privat e Key: G,E,Z - KAS Peer Public Key: W,E,Z Table 12: Approved Services The following indicate the type of access: G = Generate: The service generates or derives the CSP/Public Key. W = Write/Input: The service inputs the CSP/Public Key. E = Execute: The Module executes using the CSP/Public Key. This document may be freely reproduced and distributed in its entirety without modification.
R = Read/Output: The service outputs the CSP/Public Key. CSP are always protected with the approved KTS. Z = Zeroise: The Module zeroizes the CSP/Public Key after usage. A zeroised CSP is not retrievable or reusable. The module provides service indicators in accordance with the FIPS 140-3 IG 2.4.C example 3. All CSPs are zeroised when they are no longer needed: - Temporary CSPs are zeroised within the relevant function calls per service. - The DRBG state is zeroised on Module instantiation - The temporary underlying hash value generated as part of the RSA Signature Verification in the context of the integrity test performed, is zeroised prior to exiting the integrity test function. - TLS 1.2 SSPs are zeroised upon TLS 1.2 session termination.
Name Description Algorithms Role SSP Agreement KAS-SSC X448 Crypto X25519 Officer (CO) FIPS 186-5 ECDSA SigVer Signature verification FIPS 186-5 ECDSA Crypto Component SigVer Component Officer (CO) HMAC Generate MAC generation with key HMAC Generate Crypto length < 112 bits Officer (CO) HMAC DRBG/Hash DRBG PRF(s): SHA3 (all sizes) HMAC DRBG/Hash Crypto DRBG Officer (CO) TDES Encrypt/Decrypt Encryption and decryption TDES Crypto Officer (CO) Digital Signature Signature generation and ED448 Crypto Generation/Verification verification ED25519 Officer FIPS 186-4 DSA (CO) FIPS 186-2 RSA Signature FIPS 186-2 RSA Key RSA public/private key pair FIPS 186-2 RSA Crypto Generation generation per FIPS 186-2 Generate Key Officer (CO) Derive Key derivation KDA HKDF SP800- Crypto 56Cr1 Officer KDA OneStep (CO) SP800-56Cr1 KDF ANS 9.42 KDF ANS 9.63 This document may be freely reproduced and distributed in its entirety without modification.
Name Description Algorithms Role SSP Transport SSP transport using RSA RSA PKCS1.5 (for Crypto PKCS1.5 padding KTS) Officer (CO) RSA Signature Primitive Signature primitive RSA Signature Crypto function/signature generation Primitive Officer with modulus 3072 and 4096 (CO) FIPS 186-4 RSA X9.31 Key Key generation and FIPS 186-4 RSA Crypto Generation and Signature signature generation per KeyGen X9.31, Officer Generation ANS X9.31 FIPS 186-4 RSA (CO) SigGen X9.31 SHA-1 for Signature FIPS 186-4/5 RSA/ECDSA SHA-1 for SigVer Crypto Verification Signature Verification using Officer SHA-1 (in accordance with (CO) IG C.M 3.e) Table 13: Non-Approved Services
The module does not support loading software from an external source.
The module does not support bypass.
The module supports self-initiated cryptographic output over the TLS 1.2 IETF protocol. Two internal actions are performed, i.e. software flags are checked within the module prior to allowing output over TLS 1.2. The TLS 1.2 i.e. self-initiated cryptographic output capability is inherently active per the module’s design. The Crypto Officer must only power on the underlying platform, i.e., IPC device. Successful negotiation of the TLS 1.2 session indicates that the selfinitiated cryptographic output capability is active.
The Module uses RSA 2048 SHA2-256 as the approved integrity technique. The pre-calculated value of the approved digital signature is included within the module. The integrity test covers the entirety of the module software. If the value calculated at boot for the approved digital signature does not match the pre-calculated, stored value, the test fails. This document may be freely reproduced and distributed in its entirety without modification.
The RSA 2048 SHA2-256 CAST is performed prior to the software integrity test in accordance with the IG 10.2.A. The Module is provided in the executable form (.exe). The software integrity RSA mod 2048 public key used for signature verification is considered non-SSP and stored within the module.
An operator of the module can perform the integrity test on demand by reloading the module. If the integrity test fails, module enters an error state. The module does not support loading any additional software from an external source.
Type of Operational Environment: Modifiable How Requirements are Satisfied: The module is a Level 1 multi-chip standalone software module with a modifiable operational environment.
There are no restrictions on the operational environment of the module.
The Module is a software module thus the requirements per this section do not apply.
The Module is a software module thus the requirements per this section do not apply.
This document may be freely reproduced and distributed in its entirety without modification.
Storage Area Name Description Persistence Type RAM Temporary, plaintext storage Dynamic Stored in the module binary Persistent, plaintext storage Static Table 14: Storage Areas
Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Calling Module Plaintex Manual Electroni application t c API output Module Calling Plaintex Manual Electroni application t c Stored at Manufacture Stored in the Plaintex N/A N/A manufactur r module t e-1 binary Input during TLS 1.2 RAM Plaintex Automated Electroni TLS 1.2 peer/external t c negotiation endpoint Output RAM TLS 1.2 Plaintex Automated Electroni during TLS peer/externa t c
negotiation Table 15: SSP Input-Output Methods The module is compliant with IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path) and with AD/EE in the context of the TLS 1.2 protocol.
Zeroization Description Rationale Operator Method Initiation Zeroisation in the Temporary CSPs are Automatic zeroisation per Module context of function zeroised within the module's design in the context of initiated calls relevant function calls each function called per service Restarting the host SSPs are stored RAM is cleansed via reboot of the Operator platform temporarily in RAM underlying host; no copies of initiated SSPs are maintained/stored within the module itself TLS 1.2 Session SSPs zeroised upon TLS 1.2 SSPs are stored Module Termination TLS 1.2 session ephemerally until session initiated termination termination This document may be freely reproduced and distributed in its entirety without modification.
Zeroization Description Rationale Operator Method Initiation Module DRBG state Un-instantiation of the module Operator uninstantiation zeroisation zeroises the DRBG state initiated Table 16: SSP Zeroization Methods
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry SigGen Private key for RSA: Private RSA Key signature generation 2048, key - SigGen/Sig
ECDSA: SigGen/Sig B-233, K- Ver 233, P- RSASP 224; B283, K283, P256; B409, K409, P384; B571, K571, P-
RSA: 112, 128 or 152 ECDSA: 112, 128, 192, 521 SigVer Public key for RSA: Public RSA Key signature verification 1024, key - SigGen/Sig 2048, PSP Ver
ECDSA: Ver ECDSA: B-233, K233, P224; B283, K283, P256; BThis document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry 409, K409, P384; B571, K571, P-
RSA: 80, 112, 128 or 152 ECDSA: 112, 128, 192, 256 Private Private key RSA: Private Generat Key requested by calling 2048, key - e Key application (purpose 3072, CSP Random unknown) 4096 bits Bit ECDSA: Generati ECDSA: on B-233, K233, P224; B283, K283, P256; B409, K409, P384; B571, K571, P-
RSA: 112, 128 or 152 ECDSA: 112, 128, 192, 256 Public Public key requested RSA: Public Generat Key by calling application 2048, key - e Key (purpose unknown) 3072, PSP Random
ECDSA: Generati ECDSA: on B-233, K233, P224; B283, KThis document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry 283, P256; B409, K409, P384; B571, K571, P-
RSA: 112, 128 or 152 ECDSA: 112, 128, 192, 256 SSP Private key provided FFC: FB, Private Generat KAS-1 Agreem by the entity using FC, key - e Key KAS-2 ent the module for Diffie- MODP20 CSP Random KAS-3 Private Hellman shared 48, Bit FFC/EC secret generation ffdhe204 Generati C Key 8, on MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B233, K233, P224, B283, K283, P256, B409, K409, P384, B571, KThis document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry 571, P521, IFC: k=2048, 3072, 4096, 6144,
112, 128, 192, 256 IFC [SP80056Br2]: 112, 128 SSP Public key provided FFC: FB, Public Generat KAS-1 Agreem by the entity using FC, key - e Key KAS-2 ent the module for Diffie- MODP20 PSP Random KAS-3 Public Hellman shared 48, Bit FFC/EC secret generation ffdhe204 Generati C Key 8, on MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B233, K233, P224, B283, K283, P256, B409, KThis document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry 409, P384, B571, K571, P521, IFC: k=2048, 3072, 4096, 6144,
112, 128, 192, 256 IFC [SP80056Br2]: 112, 128 KAS Shared secret FFC: FB, Shared KAS-1 Shared computation (z) FC, secret - KAS-2 Secret MODP20 CSP KAS-3 48, ffdhe204 8, MODP30 72, ffdhe307 2, MODP40 96, ffdhe409 6, MODP61 44, ffdhe614 4, MODP81 92, ffdhe 8192 ECC: B233, K233, P224, B283, KThis document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry 283, P256, B409, K409, P384, B571, K571, P521, IFC: k=2048, 3072, 4096, 6144,
112, 128, 192, 256 IFC: 112, DKM Key Derivation HMAC Derived Derive derived keying PRF: Keying material 160, 224, Material 256, 384, - CSP
HMAC PRF: 160, 224, 256, 384, MAC Keyed Hash key CMAC: Symmet Random MAC Key 128, 192, ric key - Bit KTS-2
HMAC: Generati 160, 256, on 512. KMAC: 128, 256 - CMAC: 128, 192, GMAC: This document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry 128, 192, HMAC: 160, 256, 512. KMAC: 128, 256 SSP Private key (KDK) 2048, Private KTS-4 Transpo used for [SP800- 3072, key rt 56Br2] RSA key 4096 and CSP Private transport 6144 bits Key - 112, 128, 152, SSP Public key (KEK) 2048, Public KTS-4 Transpo used for [SP800- 3072, key rt Public 56Br2] RSA key 4096 and PSP key transport 6144 bits - 112, 128, 152, Key The RSA key 2048, Shared KTS-4 Transpo transport shared 3072, secret rt secret 4096 and CSP Shared 6144 bits Secret - 112, 128, 152, Entropy Entropy input from 128 - 256 Entropy Random Bit Input an external source bits - 128 input - Generation used for DRBG - 256 bits CSP seeding Seed Seed generated from 128 - 256 DRBG Random Bit the entropy input for bits - 128 seed - Generation the DRBG - 256 bits CSP State DRBG state Hash DRBG Random Random Bit DRBG: state - Bit Generation 160, 224, CSP Generati 256, 384, on HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: This document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry 128, 192,
Hash DRBG: 160, 224, 256, 384, HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, Symmet AES AES: Symmet Random AES ric Key Encryption/Decryptio 128, 192, ric key - Bit Encrypt/Dec n/Key Wrapping Key 256 AES CSP Generati rypt CCM: on AES Key 128, 192, Symmet Wrapping
GCM: Generati KTS-2 128, 192, on KTS-3
XTS: 128, 256 TLS TLS 1.2 Master 384 bits - Shared Derive TLS v1.2 Master Secret derived from 192 bits secret - KDF Secret the pre-master CSP RFC7627 secret (A5153) TLS AES key used to 256 bits - Symmet Derive KAS-4 KTS-5 Session encrypt the TLS 256 bits ric key Key session PSP This document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry KAS EC Diffie-Hellman P-384 - Public Generat KAS-ECCPublic i.e. KAS-ECC-SSC 192 bits key - e Key SSC Sp800Key public key used in PSP Random 56Ar3 EC Diffie-Hellman Bit (A5153) Key Exchange for Generati TLS 1.2 on KAS EC Diffie-Hellman P-384 - Private Generat KAS-ECCPrivate i.e. KAS-ECC-SSC 192 bits key - e Key SSC Sp800Key private key used in CSP Random 56Ar3 EC Diffie-Hellman Bit (A5153) Key Exchange for Generati TLS 1.2 on ECDSA ECDSA public key P-384 - Public Generat ECDSA Public used for TLS 1.2 192 bits key - e Key SigVer Key authentication PSP Random (FIPS186-5) Bit (A5153) Generati on ECDSA ECDSA private key P-384 - Private Generat ECDSA Private used for TLS 1.2 192 bits key - e Key SigGen Key authentication CSP Random (FIPS186-5) Bit (A5153) Generati on RSA RSA public key used RSA Public Generat RSA SigVer Public for TLS 1.2 SigVer key - e Key (FIPS186-5) Key authentication mod PSP Random (A5153)
on RSA RSA private key RSA Private Generat RSA SigGen Private used for TLS 1.2 SigGen key - e Key (FIPS186-5) Key authentication mod CSP Random (A5153)
on TLS TLS 1.2 pre-master 384 bits - Shared KAS-4 TLS v1.2 Pre- secret computed 192 bits secret - KDF Master (KAS-ECC-SSC) CSP RFC7627 Secret (A5153) KAS EC Diffie-Hellman P-384 - Public KAS-4 Peer i.e. KAS-ECC-SSC 192 bits key Public public key used in PSP Key EC Diffie-Hellman Key Exchange for This document may be freely reproduced and distributed in its entirety without modification.
Name Description Size - Type - Generat Establish Used By Strength Catego ed By ed By ry TLS 1.2 (TLS 1.2 peer key) Softwar RSA key used to 2048 bits Public RSA Software e perform the Software - 112 bits key - SigVer Integrity Integrity Integrity Test Neither (FIPS186 Test Key - -5) RSA (A5153) Table 17: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration SigGen API input RAM:Encrypte zeroised once Zeroisation in SigVer Key d no longer the context of Key:Paired needed function calls With Restarting the host platform Module uninstantiatio n SigVer API input RAM:Encrypte zeroised once Zeroisation in SigGen Key d no longer the context of Key:Paired needed function calls With Restarting the host platform Module uninstantiatio n Private API output RAM:Encrypte zeroised once Zeroisation in Public Key d no longer the context of Key:Paired needed function calls With Restarting the host platform Module uninstantiatio n Public Key API output RAM:Encrypte zeroised once Zeroisation in Private d no longer the context of Key:Paired needed function calls With Restarting the host platform Module uninstantiatio n This document may be freely reproduced and distributed in its entirety without modification.
Name Input - Storage Storage Zeroization Related SSPs Output Duration SSP API input RAM:Encrypte zeroised once Zeroisation in SSP Agreemen d no longer the context of Agreement t Private needed function calls Public FFC/ECC Restarting the FFC/ECC Key host platform Key:Paired Module With uninstantiatio n SSP API input RAM:Encrypte zeroised once Zeroisation in SSP Agreemen d no longer the context of Agreement t Public needed function calls Private FFC/ECC Restarting the FFC/ECC Key host platform Key:Paired Module With uninstantiatio n KAS API output RAM:Encrypte zeroised once Zeroisation in SSP Shared d no longer the context of Agreement Secret needed function calls Private Restarting the FFC/ECC host platform Key:Establishe Module d using uninstantiatio SSP n Agreement Public FFC/ECC Key:Establishe d using DKM API output RAM:Encrypte zeroised once Zeroisation in d no longer the context of needed function calls Restarting the host platform Module uninstantiatio n MAC Key API input RAM:Encrypte zeroised once Zeroisation in d no longer the context of needed function calls Restarting the host platform Module uninstantiatio n SSP API input RAM:Encrypte zeroised once Zeroisation in SSP Transport Transport d no longer the context of Public needed function calls This document may be freely reproduced and distributed in its entirety without modification.
Name Input - Storage Storage Zeroization Related SSPs Output Duration Private Restarting the key:Paired Key host platform With Module uninstantiatio n SSP API input RAM:Encrypte zeroised once Zeroisation in SSP Transport Transport d no longer the context of Private Public key needed function calls Key:Paired Restarting the With host platform Module uninstantiatio n Key API input RAM:Encrypte zeroised once Zeroisation in Transport API output d no longer the context of Shared needed function calls Secret Restarting the host platform Module uninstantiatio n Entropy API input RAM:Encrypte zeroised once Zeroisation in Seed:Used to Input d no longer the context of derive needed function calls Restarting the host platform Module uninstantiatio n Seed RAM:Encrypte zeroised once Zeroisation in Entropy d no longer the context of Input:Derived needed function calls From Restarting the host platform Module uninstantiatio n State RAM:Encrypte Until power- Restarting the Seed:Derived d cycling of the host platform From underlying Module host platform uninstantiatio n Symmetric API input RAM:Encrypte zeroised once Zeroisation in Key API output d no longer the context of needed function calls Restarting the host platform This document may be freely reproduced and distributed in its entirety without modification.
Name Input - Storage Storage Zeroization Related SSPs Output Duration Module uninstantiatio n TLS RAM:Plaintext zeroised once Zeroisation in TLS PreMaster no longer the context of Master Secret needed function calls Secret:Derived From TLS RAM:Plaintext zeroised once TLS 1.2 TLS Master Session no longer Session Secret:Derived Key needed Termination From KAS Output RAM:Plaintext zeroised once TLS 1.2 KAS Private Public Key during TLS no longer Session Key:Paired
1.2 needed Termination With
negotiation KAS RAM:Plaintext zeroised once TLS 1.2 KAS Public Private no longer Session Key:Paired Key needed Termination With ECDSA Output RAM:Plaintext zeroised once TLS 1.2 Public Key during TLS no longer Session
negotiation ECDSA RAM:Plaintext zeroised once TLS 1.2 Private no longer Session Key needed Termination RSA Output RAM:Plaintext zeroised once TLS 1.2 Public Key during TLS no longer Session
negotiation RSA RAM:Plaintext zeroised once TLS 1.2 Private no longer Session Key needed Termination TLS Pre- RAM:Plaintext zeroised once Zeroisation in TLS Master Master no longer the context of Secret:Used to Secret needed function calls derive KAS Peer Input during RAM:Plaintext zeroised once TLS 1.2 KAS Public Public Key TLS 1.2 no longer Session Key:Used With negotiation needed Termination Software Stored at Stored in the Until module Module Integrity manufactur module uninstantiatio uninstantiatio Key - RSA e-1 binary:Plaintex n is n t performed Table 18: SSP Table 2
This document may be freely reproduced and distributed in its entirety without modification.
Conformance to FIPS 186-5 is mandatory as of February 4, 2024. The module claims conformance to FIPS 186-4 as allowed per the FIPS 140-3 IG C.K Additional Comment #2. Per the NIST SP 800-133Ar2/3 and the programmatic transitions defined by the CMVP, the following algorithm transitions apply to the module, and the algorithms have been designated allowed/non-approved accordingly in Section 2.5: a. SHA-1 for SigVer (per IG C.M 3.e) and SHA-1 used for SigGen is a non-approved, not allowed algorithm. Usage of SHA-1 for all other SigVer is allowed for legacy use only until 2030. Thereafter, all usage of SHA-1 will be considered a non-approved, not allowed algorithm. b. FIPS 186-2 RSA KeyGen and SigGen modes are non-approved, not allowed algorithms. c. RSA-based key transport schemes that only use PKCS#1-v1.5 padding are nonapproved, not allowed algorithms. d. FIPS 186-4 DSA Key Gen, Sig Gen, or PQG Gen; FIPS 186-4 X9.31 RSA Key Gen, RSA Sig Gen are non-approved, not allowed algorithms. e. Usage of FIPS 186-4 RSA SigVer X9.31 is allowed only for legacy use. f. Triple-DES decryption is allowed for legacy use only. g. Triple-DES encryption is non-approved, not allowed algorithm. h. Key agreement schemes that are not compliant with any version of SP 800-56A (X448, X25519) are non-approved, not allowed algorithms. i. Until January 1, 2031, the following algorithms will be considered deprecated: a. SHA-1, SHA-224 hash functions b. Hash_DRBG and HMAC_DRBG using SHA-1, SHA-224 hash functions c. Hash function and HMAC using SHA-1, SHA-224 hash functions d. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation j. As of January 1, 2031, the following algorithms will be considered deprecated/disallowed (i.e. non-approved, not allowed)/legacy use: a. SHA-1, SHA2-224 hash functions (disallowed) b. Use of the 112-bit security strength for classical digital signature and keyestablishment mechanisms (deprecated) c. Use of the 112-bit security strength for block ciphers (disallowed) d. Use of a security strength less than 128-bits but greater than 112 bits for ECDA KeyGen and RSA KeyGen (PKCS #1 v1.5 & PSS) (deprecated) e. Hash_DRBG and HMAC_DRBG using SHA-1, SHA-224 hash functions (disallowed) f. Hash function and HMAC using SHA-1, SHA-224 hash functions (legacy use) g. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation (disallowed) h. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Verification (legacy use)
This document may be freely reproduced and distributed in its entirety without modification.
Algorithm or Test Test Properties Test Test Type Indicator Details Method RSA SigVer Modulus: 2048 bits; KAT SW/FW Verified Verify (FIPS186-5) (A5153) Hash: SHA2-256 Integrity OK Table 19: Pre-Operational Self-Tests The pre-operational self-tests can be run on demand by reloading the module.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB Key KAT CAST 1 Decrypt On reloading the (A5153) Length: module
AES-GCM Key KAT CAST 1 Encrypt On reloading the (A5153) - Length: module Encrypt - 256 bits
AES-GCM Key KAT CAST 1 Decrypt On reloading the (A5153) - Length: module Decrypt - 256 bits
Counter AES CTR KAT CAST 1 Generate, On reloading the DRBG (128 bits) Reseed, module (A5153) with Instantiate derivation functions function ECDSA Curve: P- KAT CAST 1 Sign On reloading the SigGen 224; Hash: module (FIPS186- SHA2-512
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type HMAC- PRF: KAT CAST 1 HMAC tag On reloading the SHA2-256 SHA2-256 Generation module (A5153) KAS- Scheme: KAT CAST 1 Key On reloading the ECC-SSC Ephemeral Agreement - module Sp800- Unified, Shared 56Ar3 Curve: P- Secret (A5153) 256 Computation KAS-FFC- Scheme: KAT CAST 1 Key On reloading the SSC dhEphem; Agreement - module Sp800- Modulus: L Shared 56Ar3 = 2048 Secret (A5153) bits, N = Computation
KAS-IFC- Schemes: KAT CAST 1 Key On reloading the SSC Basic, Agreement - module (A5153) CRT, Shared Modulus: L Secret = 2048 bits Computation KDF Mode: KAT CAST 1 Counter On reloading the SP800- Counter, Mode module
(A5153) HMAC- SHA2-256). SHA2-256 KDA Auxiliary KAT CAST 1 Key On reloading the OneStep Function, Derivation module SP800- H = SHA256Cr2 224 (A5153) KDA Auxiliary KAT CAST 1 Key On reloading the TwoStep Function, Derivation module SP800- H= 56Cr2 HMAC(A5153) SHA2-256 KTS-IFC Schemes: KAT CAST 1 Encrypt On reloading the (A5153) - Basic module Basic Modulus: L = 2048 bits KTS-IFC Schemes: KAT CAST 1 Decrypt On reloading the (A5153) - Basic, module CRT CRT, Modulus: L = 2048 bits PBKDF Derivation KAT CAST 1 Key On reloading the (A5153) of the Derivation module Master Key (MK), This document may be freely reproduced and distributed in its entirety without modification.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type PRF: SHA2-256 RSA Scheme: KAT CAST 1 Sign On reloading the SigGen PKCS#1, module (FIPS186- Modulus: L
9.42 AES KW Derivation module
(A5153) (128 bits), SHA-1 KDF ANS PRF: KAT CAST 1 Key On reloading the
9.63 SHA2-256 Derivation module
(A5153) KDF SSH PRF: SHA- KAT CAST 1 Key On reloading the (A5153) 1 Derivation module TLS v1.2 PRF: KAT CAST 1 Key On reloading the KDF SHA2-256 Derivation module RFC7627 (A5153) TLS v1.3 PRF: KAT CAST 1 Key On reloading the KDF SHA2-256 Derivation module (A5153) RSA Performed PCT PCT 1 Key On generating keys KeyGen on key Generation for Key Transport (FIPS186- generation (KTS IFC)/Key
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Generation/Signature Verification ECDSA Curve: K- KAT CAST 1 Sign On reloading the SigGen 233; Hash: module (FIPS186- SHA2-512
Algorithm or Test Method Test Type Period Periodic Test Method RSA SigVer KAT SW/FW Integrity On Demand Manually by (FIPS186-5) reloading the (A5153) module Table 21: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On Demand Manually by (A5153) reloading the module AES-GCM KAT CAST On Demand Manually by (A5153) - reloading the Encrypt - 256 module bits AES-GCM KAT CAST On Demand Manually by (A5153) - reloading the Decrypt - 256 module bits This document may be freely reproduced and distributed in its entirety without modification.
Algorithm or Test Method Test Type Period Periodic Test Method Counter DRBG KAT CAST On Demand Manually by (A5153) reloading the module ECDSA SigGen KAT CAST On Demand Manually by (FIPS186-5) reloading the (A5153) - P-224 module ECDSA SigVer KAT CAST On Demand Manually by (FIPS186-5) reloading the (A5153) - P-224 module Hash DRBG KAT CAST On Demand Manually by (A5153) reloading the module HMAC DRBG KAT CAST On Demand Manually by (A5153) reloading the module HMAC-SHA2- KAT CAST On Demand Manually by
256 (A5153) reloading the
module KAS-ECC-SSC KAT CAST On Demand Manually by Sp800-56Ar3 reloading the (A5153) module KAS-FFC-SSC KAT CAST On Demand Manually by Sp800-56Ar3 reloading the (A5153) module KAS-IFC-SSC KAT CAST On Demand Manually by (A5153) reloading the module KDF SP800-108 KAT CAST On Demand Manually by (A5153) reloading the module KDA OneStep KAT CAST On Demand Manually by SP800-56Cr2 reloading the (A5153) module KDA TwoStep KAT CAST On Demand Manually by SP800-56Cr2 reloading the (A5153) module KTS-IFC KAT CAST On Demand Manually by (A5153) - Basic reloading the module KTS-IFC KAT CAST On Demand Manually by (A5153) - CRT reloading the module PBKDF (A5153) KAT CAST On Demand Manually by reloading the module This document may be freely reproduced and distributed in its entirety without modification.
Algorithm or Test Method Test Type Period Periodic Test Method RSA SigGen KAT CAST On Demand Manually by (FIPS186-5) reloading the (A5153) module RSA SigVer KAT CAST On Demand Manually by (FIPS186-5) reloading the (A5153) module SHA-1 (A5153) KAT CAST On Demand Manually by reloading the module SHA2-512 KAT CAST On Demand Manually by (A5153) reloading the module SHA3-256 KAT CAST On Demand Manually by (A5153) reloading the module KDF ANS 9.42 KAT CAST On Demand Manually by (A5153) reloading the module KDF ANS 9.63 KAT CAST On Demand Manually by (A5153) reloading the module KDF SSH KAT CAST On Demand Manually by (A5153) reloading the module TLS v1.2 KDF KAT CAST On Demand Manually by RFC7627 reloading the (A5153) module TLS v1.3 KDF KAT CAST On Demand Manually by (A5153) reloading the module RSA KeyGen PCT PCT On Demand On generation of (FIPS186-5) keys (A5153) ECDSA KeyGen PCT PCT On Demand On generation of (FIPS186-5) keys (A5153) ECDSA SigGen KAT CAST On Demand Manually by (FIPS186-5) reloading the (A5153) - K-233 module ECDSA SigVer KAT CAST On Demand Manually by (FIPS186-5) reloading the (A5153) - K-233 module KAS-FFC-SSC PCT PCT On Demand On generation of Sp800-56Ar3 keys (A5153) - PCT Table 22: Conditional Periodic Information This document may be freely reproduced and distributed in its entirety without modification.
Nam Description Conditions Recover Indicator e y Method Hard A failure in If the pre- Reloadin PROV_R_FIPS_MODULE_IN_ERROR_ST error the pre- operational g of the ATE and the string "signature not match" operational software module integrity integrity test test/one of fails the If one of the cryptographi cryptographi c algorithm c self-tests algorithm's will cause self-test (a the module CAST, to return an specifically, error and a Known enter the Answer Test Hard error (KAT)) were state to fail Table 23: Error States On instantiation, the Module performs the self-tests described in Table 22 and all CASTs. All KATs must complete successfully prior to any other use of cryptography by the Module. If one of the KATs fails, the Module enters the self-test failure state i.e. the Hard error state and returns the following indicator : “PROV_R_FIPS_MODULE_IN_ERROR_STATE” whereas if the integrity test fails, the module enters the Hard error state and returns the error string “signature not match” as well as “PROV_R_FIPS_MODULE_IN_ERROR_STATE”.
The module can be reloaded on demand for running the Cryptographic Algorithm Self-tests (CASTs) as well as the pre-operational integrity test.
The module is shipped pre-installed in the Approved mode of operation with the IPC device. The operator must power on the appliance upon delivery to cause it to automatically execute the pre-operational integrity tests and CASTs on all algorithms. Once the self-tests have completed successfully, the module is ready for use. The operator can verify the software version (V9FIPS.1.0) returned via an API call to the module and the module identifier (the string “IPC” printed in the boot logs). This document may be freely reproduced and distributed in its entirety without modification.
No additional guidance applies for the operation of the module apart from that specified in Section 2 and other subsections under this section.
No additional guidance applies for the operation of the module apart from that specified in Section 2 and other subsections under this section.
Azure is used as the Configuration Management System. The module’s software is implemented using high-level language and designed to avoid use of code, parameters or symbols that are not necessary for the module’s functionality and execution.
No maintenance requirements apply. The module’s software is protected from tampering as it is delivered securely within the IPC device.
The module can be uninstalled to end-of-life the module. The module can be securely sanitized by zeroising it.
The Module implements mitigations for some types of attacks using constant implementation and blinding. This document may be freely reproduced and distributed in its entirety without modification.