All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

Certificate#5108StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorApple Inc.
Low review priority  ·  no TCB surface named  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/13/2030
CaveatWhen operated in approved mode
VendorApple Inc.

Approved Algorithms (44)

AlgorithmACVP Cert
AES-CBCA5404
AES-CCMA5405
AES-CFB128A5404
AES-CFB8A5405
AES-CMACA5407
AES-CTRA5405
AES-ECBA5404
AES-GCMA5405
AES-KWA5405
AES-OFBA5404
AES-XTS Testing Revision 2.0A5404
Counter DRBGA5405
ECDSA KeyGen (FIPS186-4)A5407
ECDSA KeyVer (FIPS186-4)A5407
ECDSA SigGen (FIPS186-4)A5407
ECDSA SigVer (FIPS186-4)A5407
HMAC-SHA-1A5407
HMAC-SHA2-224A5407
HMAC-SHA2-256A5407
HMAC-SHA2-384A5407
HMAC-SHA2-512A5407
HMAC-SHA2-512/256A5407
HMAC-SHA3-224A5407
HMAC-SHA3-256A5407
HMAC-SHA3-384A5407
HMAC-SHA3-512A5407
KAS-ECC-SSC Sp800-56Ar3A5407
KAS-FFC-SSC Sp800-56Ar3A5407
KDA HKDF SP800-56Cr2A5409
KDF SP800-108A5407
PBKDFA5407
RSA KeyGen (FIPS186-4)A5407
RSA SigGen (FIPS186-4)A5407
RSA SigVer (FIPS186-4)A5407
SHA-1A5407
SHA2-224A5407
SHA2-256A5407
SHA2-384A5407
SHA2-512A5407
SHA2-512/256A5407
SHA3-224A5407
SHA3-256A5407
SHA3-384A5407
SHA3-512A5407

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric Encryption and Decryption<br/>Self-test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric Encryption and Decryption<br/>Self-test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Apple Inc. Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 This document may be reproduced and distributed only in its original entirely without revision.

Page 2

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table of Contents This document may be reproduced and distributed only in its original entirely without revision.

Page 3

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.

Page 4

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] List of Tables List of Figures This document may be reproduced and distributed only in its original entirely without revision.

Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for

1.2 Security Levels

N/A N/A N/A Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.

Page 6

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] cryptographic module (hereafter referred to as “the module”) provides implementations of low-level cryptographic primitives to the Device OS’s (visionOS) Security Framework and Common Crypto. The module provides services intended to protect data in transit and at rest. The module is optimized for library use within the Device OS user space and does not contain any terminating assertions or exceptions. It is implemented as a Device OS dynamically loadable library. After the library is loaded, its cryptographic functions are made available to the Device OS application. Any internal error detected by the module is returned to the caller with an appropriate return code. The calling Device OS application must examine the return code and act accordingly. The module communicates any error status synchronously through the use of its documented return codes, thus indicating the module’s status. Caller-induced or internal errors do not reveal any sensitive material to callers. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The module cryptographic boundary is delineated by the dotted green rectangle in the Figure

  1. The module executes within the user space of the computing platforms and operating systems listed in the Tested Operational Environments Table section 2.2. Tested Operational Environment’s Physical Perimeter (TOEPP): The physical perimeter is represented by the most exterior black line in the block diagram Figure
  2. This document may be reproduced and distributed only in its original entirely without revision.
Page 7
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
corecrypto- 1638.100.6214.1N/Acorecrypto- 1638.100.62HMAC-SHA256
visionOS 1visionOS 1Apple Vision Pro14.1Apple M Series (ARMv8.6-A) M2YesNA
visionOS 1visionOS 1Apple Vision Pro14.1Apple M Series (ARMv8.6-A) M2NoNA
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
corecrypto- 1638.100.6214.1N/Acorecrypto- 1638.100.62HMAC-SHA256
visionOS 1visionOS 1Apple Vision Pro14.1Apple M Series (ARMv8.6-A) M2YesNA
visionOS 1visionOS 1Apple Vision Pro14.1Apple M Series (ARMv8.6-A) M2NoNA

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Figure 1: Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8
Service
NameDescriptionIndicatorType
Non- Approved modeNon-Approved mode of operation is entered when the module utilizes non- approved security functions in the Table Non-Approved Algorithms Not Allowed in the Approved Mode of Operation.return any non-zero value from fips_allowed_mode() for block cipher functions and fips_allowed() for all other services to indicate the executed cryptographic algorithm was non- approvedNon- Approved
Approved algorithm
NameCAVP CertReference
AES-CBCA5404SP 800-38A
AES-CBCA5405SP 800-38A
AES-CBCA5406SP 800-38A
AES-CBCA5407SP 800-38A
AES-CCMA5405SP 800-38C
AES-CCMA5407SP 800-38C
AES-CCMA5408SP 800-38C
AES-CFB128A5404SP 800-38A
AES-CFB128A5405SP 800-38A
AES-CFB128A5407SP 800-38A
AES-CFB8A5405SP 800-38A
AES-CFB8A5407SP 800-38A
AES-CMACA5407SP 800-38B
AES-CTRA5405SP 800-38A
AES-CTRA5407SP 800-38A
AES-CTRA5408SP 800-38A
AES-ECBA5404SP 800-38A
AES-ECBA5405SP 800-38A
AES-ECBA5407SP 800-38A
AES-ECBA5408SP 800-38A
AES-GCMA5405SP 800-38D
AES-GCMA5407SP 800-38D
AES-GCMA5408SP 800-38D
AES-KWA5405SP 800-38F
AES-KWA5407SP 800-38F
AES-OFBA5404SP 800-38A
AES-OFBA5405SP 800-38A
AES-OFBA5407SP 800-38A
AES-XTS Testing Revision 2.0A5404SP 800-38E
AES-XTS Testing Revision 2.0A5405SP 800-38E
AES-XTS Testing Revision 2.0A5407SP 800-38E
Counter DRBGA5405SP 800-90A Rev. 1
Counter DRBGA5407SP 800-90A Rev. 1
Counter DRBGA5408SP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-4)A5407FIPS 186-4
ECDSA KeyGen (FIPS186-4)A5409FIPS 186-4
ECDSA KeyVer (FIPS186-4)A5407FIPS 186-4
ECDSA KeyVer (FIPS186-4)A5409FIPS 186-4
ECDSA SigGen (FIPS186-4)A5407FIPS 186-4
ECDSA SigGen (FIPS186-4)A5409FIPS 186-4
ECDSA SigVer (FIPS186-4)A5407FIPS 186-4
ECDSA SigVer (FIPS186-4)A5409FIPS 186-4
HMAC-SHA-1A5407FIPS 198-1
HMAC-SHA-1A5409FIPS 198-1
HMAC-SHA2-224A5407FIPS 198-1
HMAC-SHA2-224A5409FIPS 198-1
HMAC-SHA2-256A5407FIPS 198-1
HMAC-SHA2-256A5409FIPS 198-1
HMAC-SHA2-256A5410FIPS 198-1
HMAC-SHA2-384A5407FIPS 198-1
HMAC-SHA2-384A5409FIPS 198-1
HMAC-SHA2-512A5407FIPS 198-1
HMAC-SHA2-512A5409FIPS 198-1
HMAC-SHA2-512/256A5407FIPS 198-1
HMAC-SHA2-512/256A5409FIPS 198-1
HMAC-SHA3-224A5407FIPS 198-1
HMAC-SHA3-224A5409FIPS 198-1
HMAC-SHA3-256A5407FIPS 198-1
HMAC-SHA3-256A5409FIPS 198-1
HMAC-SHA3-384A5407FIPS 198-1
HMAC-SHA3-384A5409FIPS 198-1
HMAC-SHA3-512A5407FIPS 198-1
HMAC-SHA3-512A5409FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A5407SP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A5407SP 800-56A Rev. 3
KDA HKDF SP800-56Cr2A5409SP 800-56C Rev. 2
KDF SP800-108A5407SP 800-108 Rev. 1
KDF SP800-108A5409SP 800-108 Rev. 1
PBKDFA5407SP 800-132
PBKDFA5409SP 800-132
RSA KeyGen (FIPS186-4)A5407FIPS 186-4
RSA KeyGen (FIPS186-4)A5409FIPS 186-4
RSA SigGen (FIPS186-4)A5407FIPS 186-4
RSA SigGen (FIPS186-4)A5409FIPS 186-4
RSA SigVer (FIPS186-4)A5407FIPS 186-4
RSA SigVer (FIPS186-4)A5409FIPS 186-4
Safe Primes Key GenerationA5407SP 800-56A Rev. 3
SHA-1A5407FIPS 180-4
SHA-1A5409FIPS 180-4
SHA2-224A5407FIPS 180-4
SHA2-224A5409FIPS 180-4
SHA2-256A5407FIPS 180-4
SHA2-256A5409FIPS 180-4
SHA2-256A5410FIPS 180-4
SHA2-384A5407FIPS 180-4
SHA2-384A5409FIPS 180-4
SHA2-512A5407FIPS 180-4
SHA2-512A5409FIPS 180-4
SHA2-512/256A5407FIPS 180-4
SHA2-512/256A5409FIPS 180-4
SHA3-224A5407FIPS 202
SHA3-224A5409FIPS 202
SHA3-256A5407FIPS 202
SHA3-256A5409FIPS 202
SHA3-384A5407FIPS 202
SHA3-384A5409FIPS 202
SHA3-512A5407FIPS 202
SHA3-512A5409FIPS 202

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

None for this module Modes List and Description: NonApproved Operation is assumed automatically without any specific configuration. If the device starts up successfully then the module has passed all self-tests and is operating in the Approved mode. This document may be reproduced and distributed only in its original entirely without revision.

Page 9

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.

Page 10

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 5: Approved Algorithms Vendor-Affirmed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.

Page 11
Service
NameApproved FunctionsProperties
Asymmetric CKGKey Type:AsymmetricN/ASP800-133rev2 section 4 example 1
MD5Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only)Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit
ANSI X9.63 KDFHash based Key Derivation Function
BlowfishEncryption / Decryption
CAST5Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments
DESEncryption / Decryption Key Size: 56-bits
Diffie-HellmanShared Secret Computation using key size < 2048
ECDSAPKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192
EC Diffie-HellmanShared Secret Computation using curves < P-224
Ed25519Key Generation, Signature Generation, Signature Verification, X25519 Key agreement
Integrated Encryption Scheme on elliptic curvesEncryption / Decryption
MD2Message Digest size: 128-bit
MD4Message Digest size: 128-bit
MD5Message Digest (except in the TLS 1.0/1.1 context)
OMAC (One-Key CBC MAC)MAC generation
RC2Encryption / Decryption Key Sizes 8 to 1024-bits
RC4Encryption / Decryption Key Sizes 8 to 4096-bits
RFC6637Key Derivation Function
RIPEMDMessage Digest size: 160-bits
RSA KeygenANSI X9.31 Key Pair Generation; keys < 2048-bits
RSA Digital SignaturePKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024
RSA Key WrappingOAEP, PKCS#1 v1.5 and -PSS schemes
Triple-DES [SP 800-67]Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFB
Service
NameApproved FunctionsProperties
Asymmetric CKGKey Type:AsymmetricN/ASP800-133rev2 section 4 example 1
MD5Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only)Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit
ANSI X9.63 KDFHash based Key Derivation Function
BlowfishEncryption / Decryption
CAST5Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments
DESEncryption / Decryption Key Size: 56-bits
Diffie-HellmanShared Secret Computation using key size < 2048
ECDSAPKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192
EC Diffie-HellmanShared Secret Computation using curves < P-224
Ed25519Key Generation, Signature Generation, Signature Verification, X25519 Key agreement
Integrated Encryption Scheme on elliptic curvesEncryption / Decryption
MD2Message Digest size: 128-bit
MD4Message Digest size: 128-bit
MD5Message Digest (except in the TLS 1.0/1.1 context)
OMAC (One-Key CBC MAC)MAC generation
RC2Encryption / Decryption Key Sizes 8 to 1024-bits
RC4Encryption / Decryption Key Sizes 8 to 4096-bits
RFC6637Key Derivation Function
RIPEMDMessage Digest size: 160-bits
RSA KeygenANSI X9.31 Key Pair Generation; keys < 2048-bits
RSA Digital SignaturePKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024
RSA Key WrappingOAEP, PKCS#1 v1.5 and -PSS schemes
Triple-DES [SP 800-67]Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFB
Service
NameDescriptionApproved FunctionsTypeProperties
Asymmetric CKGKey Type:AsymmetricN/ASP800-133rev2 section 4 example 1
MD5Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only)Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit
ANSI X9.63 KDFHash based Key Derivation Function
BlowfishEncryption / Decryption
CAST5Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments
DESEncryption / Decryption Key Size: 56-bits
Diffie-HellmanShared Secret Computation using key size < 2048
ECDSAPKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192
EC Diffie-HellmanShared Secret Computation using curves < P-224
Ed25519Key Generation, Signature Generation, Signature Verification, X25519 Key agreement
Integrated Encryption Scheme on elliptic curvesEncryption / Decryption
MD2Message Digest size: 128-bit
MD4Message Digest size: 128-bit
MD5Message Digest (except in the TLS 1.0/1.1 context)
OMAC (One-Key CBC MAC)MAC generation
RC2Encryption / Decryption Key Sizes 8 to 1024-bits
RC4Encryption / Decryption Key Sizes 8 to 4096-bits
RFC6637Key Derivation Function
RIPEMDMessage Digest size: 160-bits
RSA KeygenANSI X9.31 Key Pair Generation; keys < 2048-bits
RSA Digital SignaturePKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024
RSA Key WrappingOAEP, PKCS#1 v1.5 and -PSS schemes
Triple-DES [SP 800-67]Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFB
HPKE (Hybrid Public Key Encryption) [RFC9180]Hybrid encryption scheme
KeccakMessage Digest
Symmetric Encryption and DecryptionSymmetric Encryption and DecryptionAES-CBC: (A5406, A5407, A5404, A5405) AES-CFB128: (A5407, A5404, A5405) AES-ECB: (A5407, A5408, A5404, A5405) AES-OFB: (A5407, A5404, A5405) AES-XTS Testing Revision 2.0: (A5407, A5404, A5405) AES-CCM: (A5407, A5408, A5405) AES-CFB8: (A5407, A5405) AES-CTR: (A5407, A5408, A5405) AES-GCM: (A5407, A5408, A5405)BC-UnAuth BC-AuthAES-CBC:Key Size / Key Strength: 128, 192, 256 bits AES- CFB128:Key Size / Key Strength: 128, 192, 256 bits AES-ECB:Key Size / Key Strength: 128, 192, 256 bits AES-OFB:Key Size / Key Strength: 128, 192, 256 bits AES-XTS Testing Revision 2.0:Key Size/ Key Strength: 128, 256 bits AES-CCM:Key Size / Key Strength: 128, 192, 256 bits AES-CFB8:Key Size / Key Strength: 128, 192, 256 bits AES-CTR:Key Size / Key Strength: 128, 192, 256 bits AES-GCM:Key Size / Key Strength: 128, 192, 256 bits
Key WrappingKey WrappingAES-KW: (A5407, A5405)KTS-WrapAES-KW:Key Size / Key

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] N/A Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Not Allowed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.

Page 12
Service
NameDescriptionApproved FunctionsTypeProperties
HPKE (Hybrid Public Key Encryption) [RFC9180]Hybrid encryption scheme
KeccakMessage Digest
Symmetric Encryption and DecryptionSymmetric Encryption and DecryptionAES-CBC: (A5406, A5407, A5404, A5405) AES-CFB128: (A5407, A5404, A5405) AES-ECB: (A5407, A5408, A5404, A5405) AES-OFB: (A5407, A5404, A5405) AES-XTS Testing Revision 2.0: (A5407, A5404, A5405) AES-CCM: (A5407, A5408, A5405) AES-CFB8: (A5407, A5405) AES-CTR: (A5407, A5408, A5405) AES-GCM: (A5407, A5408, A5405)BC-UnAuth BC-AuthAES-CBC:Key Size / Key Strength: 128, 192, 256 bits AES- CFB128:Key Size / Key Strength: 128, 192, 256 bits AES-ECB:Key Size / Key Strength: 128, 192, 256 bits AES-OFB:Key Size / Key Strength: 128, 192, 256 bits AES-XTS Testing Revision 2.0:Key Size/ Key Strength: 128, 256 bits AES-CCM:Key Size / Key Strength: 128, 192, 256 bits AES-CFB8:Key Size / Key Strength: 128, 192, 256 bits AES-CTR:Key Size / Key Strength: 128, 192, 256 bits AES-GCM:Key Size / Key Strength: 128, 192, 256 bits
Key WrappingKey WrappingAES-KW: (A5407, A5405)KTS-WrapAES-KW:Key Size / Key
Random Number GenerationRandom Number GenerationCounter DRBG: (A5407, A5408, A5405)DRBGCounter DRBG:Key Size/ Key Strength: 128, 256 bits
Message authentication (MAC)Message authentication (MAC)AES-CMAC: (A5407) HMAC-SHA-1: (A5407, A5409) HMAC-SHA2- 224: (A5407, A5409) HMAC-SHA2- 256: (A5410, A5407, A5409) HMAC-SHA2- 384: (A5407, A5409) HMAC-SHA2- 512: (A5407, A5409) HMAC-SHA2- 512/256: (A5407, A5409) HMAC-SHA3- 224: (A5407, A5409) HMAC-SHA3- 256: (A5407, A5409) HMAC-SHA3- 384: (A5407, A5409) HMAC-SHA3- 512: (A5407, A5409)MACAES-CMAC:Key Size / Key Strength: 128, 192, 256 bits HMAC-SHA- 1:Key Size: 128 - 262144 bits; Key Strength: 128 bits HMAC-SHA2- 224:Key Size: 224 - 262144 bits; Key Strength: 224 bits HMAC-SHA2- 256:Key Size: 256 - 262144 bits; Key Strength: 256 bits HMAC-SHA2- 384:Key Size: 384 - 262144 bits; Key Strength: 384 bits HMAC-SHA2- 512:Key Size: 512 - 262144 bits; Key Strength: 512 bits HMAC-SHA2- 512/256:Key Size: 512 - 262144 bits; Key Strength: 256 bits
Asymmetric Key GenerationAsymmetric Key GenerationECDSA KeyGen (FIPS186-4): (A5407, A5409)AsymKeyPair- KeyGenECDSA KeyGen (FIPS186-4):Key Size(Curve): P-

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

AESCFB128:Key This document may be reproduced and distributed only in its original entirely without revision.

Page 13

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] AsymKeyPairKeyGen This document may be reproduced and distributed only in its original entirely without revision.

Page 14
Service
NameDescriptionRole AccessCsps AccessedType
Asymmetric Key ValidationAsymmetric Key ValidationECDSA KeyVer (FIPS186-4): (A5407, A5409)ECDSA KeyVer (FIPS186-4):Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bitsAsymKeyPair- KeyVer
Digital Signature GenerationDigital Signature GenerationECDSA SigGen (FIPS186-4): (A5407, A5409) RSA SigGen (FIPS186-4): (A5407, A5409) Counter DRBG: (A5407, A5408, A5405) SHA2-224: (A5407, A5409) SHA2-256: (A5410, A5407, A5409) SHA2-384: (A5407, A5409) SHA2-512: (A5407, A5409) SHA3-224: (A5407, A5409) SHA3-256: (A5407, A5409)ECDSA SigGen (FIPS186-4):Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bits RSA SigGen (FIPS186-4):Key Size: 2048, 3072, 4096 bits; Key Strength: from 112 to 150 bitsDigSig-SigGen
Digital Signature VerificationDigital Signature Verification (usage of SHA1 is considered Legacy Use)ECDSA SigVer (FIPS186-4): (A5407, A5409) RSA SigVer (FIPS186-4): (A5407, A5409) SHA-1: (A5407, A5409) SHA2-224: (A5407, A5409) SHA2-256: (A5410, A5407, A5409) SHA2-384: (A5407, A5409) SHA2-512: (A5407, A5409) SHA3-224: (A5407, A5409) SHA3-256: (A5407, A5409) SHA3-384: (A5407, A5409) SHA3-512: (A5407, A5409)ECDSA SigVer (FIPS186-4):Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bits RSA SigVer (FIPS186-4):Key Size: 1024, 2048, 3072, 4096 bits; Key Strength: from 80 to 150 bitsDigSig-SigVer
Shared Secret ComputationShared Secret ComputationKAS-ECC-SSC Sp800-56Ar3: (A5407) KAS-FFC-SSC Sp800-56Ar3: (A5407)KAS-ECC-SSC Sp800- 56Ar3:Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bits KAS-FFC-SSC Sp800- 56Ar3:Key Size: 2048, 3072, 4096, 6144, 8192 bits; Key Strength: from 112 to 200 bitsKAS-SSC
Key Derivation HKDFKey DerivationKDA HKDF SP800-56Cr2: (A5409)KDA HKDF SP800- 56Cr2:SharedKAS-56CKDF
Secret Length: 224-2048 Increment 8; Derived Key Length: 2048HMAC-SHA-1: (A5409) HMAC-SHA2- 224: (A5409) HMAC-SHA2- 256: (A5409) HMAC-SHA2- 384: (A5409) HMAC-SHA2- 512: (A5409) HMAC-SHA3- 224: (A5409) HMAC-SHA3- 256: (A5409) HMAC-SHA3- 384: (A5409) HMAC-SHA3- 512: (A5409)Secret Length: 224-2048 Increment 8; Derived Key Length: 2048
Key Derivation CMAC KBKDFKey DerivationKDF SP800- 108: (A5407) AES-CMAC: (A5407)KDF SP800- 108rev1 with AES-CMAC:Key Size / Key Strength: 128, 192, 256 bits; Supported Lengths: 8-4096 Increment 8; Fixed Data Order: Before Fixed Data; Counter Length: 8, 16, 24, 32KBKDF
Key Derivation HMAC KBKDFKey DerivationKDF SP800- 108: (A5407, A5409) HMAC-SHA-1: (A5407, A5409) HMAC-SHA2- 224: (A5407, A5409) HMAC-SHA2- 256: (A5407, A5409) HMAC-SHA2- 384: (A5407, A5409) HMAC-SHA2- 512: (A5407,KDF SP800- 108rev1 with HMAC:Key Size: 8-262144 Increment 8; Supported Lengths: 8-4096 Increment 8; Fixed Data Order: Before Fixed Data; Counter Length: 32KBKDF
Key Derivation PBKDFKey DerivationPBKDF: (A5407, A5409) HMAC-SHA-1: (A5407, A5409) HMAC-SHA2- 224: (A5407, A5409) HMAC-SHA2- 256: (A5407, A5409) HMAC-SHA2- 384: (A5407, A5409) HMAC-SHA2- 512: (A5407, A5409) HMAC-SHA3- 224: (A5407, A5409) HMAC-SHA3- 256: (A5407, A5409) HMAC-SHA3- 384: (A5407, A5409) HMAC-SHA3- 512: (A5407, A5409)PBKDF:Key Size: 128 - 262144; Key Strength: 128 - 256; Password length: 8- 128 bytes Increment 1; Salt Length: 128-4096 Increment 8; Iteration Count: 10-1000 Increment 1PBKDF
Message DigestMessage DigestSHA-1: (A5407, A5409) SHA2-224: (A5407, A5409) SHA2-256: (A5410, A5407, A5409)SHA-1:N/A SHA2-224:N/A SHA2-256:N/A SHA2-384:N/A SHA2-512:N/A SHA2- 512/256:N/ASHA

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] AsymKeyPairKeyVer This document may be reproduced and distributed only in its original entirely without revision.

Page 15

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Sp80056Ar3:Key SP80056Cr2:Shared This document may be reproduced and distributed only in its original entirely without revision.

Page 16

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.

Page 17

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] SHA2512/256:N/A This document may be reproduced and distributed only in its original entirely without revision.

Page 18

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 9: Security Function Implementations

2.7 Algorithm Specific Information

GCM IV AES-GCM IV is constructed in compliance with IG C.H scenario 1 (TLS 1.2) and scenario 2 (IPsecv3). The GCM IV generation follows RFC 5288 shall only be used for the TLS protocol version 1.2. This implementation is compatible with acceptable AES-GCM ciphersuites from SP800-52r2 Section 3.3.1. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the TLS protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. The GCM IV generation follows RFC 4106 and shall only be used for the IPsec-v3 protocol version 3. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the IPsec protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the IPsec protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. In compliance with IG C.H section 3, if the module's power is lost and then restored, the key used for the AES GCM encryption/ decryption shall be re-distributed. AES-XTS AES-XTS mode is only approved for hardware storage applications. The length of the AES-XTS data unit does not exceed 220 blocks. The module checks explicitly that Key_1 ≠ Key_2 before using the keys in the XTS-Algorithm to process data with them compliant with IG C.I. Key Derivation using SP 800-132 PBKDF2 The module implements a CAVP tested key derivation function compliant to SP800-132 and IG D.N. The service returns the key derived from the provided password to the caller. The length of the password used as input to PBKDFv2 shall be at least 8 characters and the worst-case probability of guessing the value is 10^8 assuming all characters are digits only. The user shall choose the password length and the iteration count in such a way that the combination will This document may be reproduced and distributed only in its original entirely without revision.

Page 19
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Apple corecrypto physical entropy sourcePhysical256 bitSee Tested Operational Environment Table in section 2.2256 bitSHA-256 [ACVP cert. #C1223]
Apple corecrypto non- physical entropy sourceNon- Physical18432 bits (576 32-bit samples)See Tested Operational Environment Table in section 2.2512SHA2-512 [ACVP cert #A5369]
CertVendor
NumberName
E113apple
E181apple

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] make the key derivation computationally intensive. PBKDFv2 is implemented to support the option 1a specified in section 5.4 of SP800-132. The derived keys may only be used in storage applications. KAS The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS. Digital signature generation using SHA-1 is non-approved and not allowed in approved services. Digital signature verification using SHA-1 is considered approved (“Legacy”). HMAC using SHA-1 are approved. The SHA-1 algorithm, as implemented by the module, will be non-approved for all purposes except signature verification, starting January 1, 2031. Note: Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M.

2.8 RBG and Entropy

Table 10: Entropy Certificates corecrypto nonphysical NonPhysical Table 11: Entropy Sources Entropy sources: The random bits used to seed and reseed the module’s approved DRBG comes from a physical entropy source residing within the TOEPP. The entropy source includes a vetted conditioning component in the form of a SHA-256. The min-entropy rate at the output of the entropy source (h_out for the output of the conditioning component per Section 3.1.5 of SP 800-90B) is 256 bits per 256-bit output. This document may be reproduced and distributed only in its original entirely without revision.

Page 20

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] The entropy source follows IG 9.3.A scenario 1.(b) i.e., the module is a software module and the entropy sources reside outside of the cryptographic boundary but inside module's TOEPP. DRBG(s): The module implements an SP 800-90ARev1 approved deterministic random bit generator (DRBG) in the form of a CTR_DRBG using AES-256 with derivation function and without prediction resistance. The module performs DRBG health tests according to SP800-90ARev1 section 11.3. DRBG Output: The output of CTR_DRBG provides up to 256-bits of security strength.

2.9 Key Generation

The module implements asymmetric key generation compliant to SP800-133r2 Section 4 examples 1 and is listed as a vendor affirmed algorithm per FIPS 140_3 IG D.H. The seed material used to generate the asymmetric key pairs is provided directly output from the module’s CTR_DRBG.

2.10 Key Establishment

The module implements KAS-FFC-SSC and KAS-ECC-SSC compliant to [SP800-56Ar3] and is listed as an approved algorithm per FIPS 140_3 IG D.F scenario 2 path (1). The module only implements shared secret computation. All required assurances from Section 5.6.2 of SP 80056Arev3 are met by the module.

2.11 Industry Protocols

No parts of the TLS or IPsec protocols, other than those mentioned above, have been tested by the CAVP and CMVP. This document may be reproduced and distributed only in its original entirely without revision.

Page 21
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputData inputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers
N/AN/AData OutputData outputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers
N/AN/AControl InputControl inputs which control the mode of the module are provided through dedicated parameters.
N/AN/AStatus OutputStatus output is provided in return codes and through messages. Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation.

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 12: Ports and Interfaces This document may be reproduced and distributed only in its original entirely without revision.

Page 22
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
AES Encryption/Decrypt ionExecute AES-mode encrypt or decrypt operationCrypto Officer - AES key: W,ESymmetric Encryption and Decryption0plaintext data and key / ciphertex t data and keyciphertext data / plaintext data
AES Key Wrapping / Key unwrappingExecute AES-key wrapping or unwrappin g operationCrypto Officer - AES key- wrapping key: W,EKey Wrapping0AES key wrapping key, key to be wrapped / wrapped key, AES key wrapping keywrapped key / unwrapp ed key
Secure Hash GenerationGenerate a digest for the requested algorithmCrypto OfficerMessage Digest0messagedigest
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCrypto OfficerRoleNone
AES Encryption/Decrypt ionExecute AES-mode encrypt or decrypt operationCrypto Officer - AES key: W,ESymmetric Encryption and Decryption0plaintext data and key / ciphertex t data and keyciphertext data / plaintext data
AES Key Wrapping / Key unwrappingExecute AES-key wrapping or unwrappin g operationCrypto Officer - AES key- wrapping key: W,EKey Wrapping0AES key wrapping key, key to be wrapped / wrapped key, AES key wrapping keywrapped key / unwrapp ed key
Secure Hash GenerationGenerate a digest for the requested algorithmCrypto OfficerMessage Digest0messagedigest
Message Authentication GenerationGenerate a MAC digest using the requested SHA algorithm or AES algorithmCrypto Officer - AES key: W,E - HMAC key: W,EMessage authenticati on (MAC)0message , MAC key, MAC algorithmMAC
Message Authentication VerificationVerify a MAC digestCrypto Officer - AES key: W,E - HMAC key: W,EMessage authenticati on (MAC)0MAC, message , MAC key, MAC algorithmpass/fail
RSA signature generation and verificationSign a message with a specified RSA private key. Verify the signature of a message with a specified RSA public key.Crypto Officer - RSA key pair: W,EDigital Signature Generation Digital Signature Verification0SigGen: private key, message , hash function; SigVer: public key, digital signature , message , hash functionSigGen: compute d signature ; SigVer: pass/fail result of digital signature verificatio n
ECDSA signature generation and verificationSign a message with a specified ECDSA private key Verify the signature of a message with a specified ECDSA public keyCrypto Officer - ECDSA key pair: W,EDigital Signature Generation Digital Signature Verification0SigGen: private key, message , hash function; SigVer: public key, digital signature , message , hash functionSigGen: compute d signature ; SigVer: pass/fail result of digital signature verificatio n
Random Number GenerationGenerate random numberCrypto Officer - Entropy input string: E - DRBG seed, internal state V value, and key (IG D.L compliant ): G,W,ERandom Number Generation0requeste d number of bitsrandom bit-string
PBKDFDerive key from passwordCrypto Officer - PBKDF derived key: G,R - PBKDF password : W,EKey Derivation PBKDF0Passwor dPBKDF derived key
KBKDFDerive key from key derivation keyCrypto Officer - KBKDF key derivatio n key: W,E - KBKDF derived key: G,RKey Derivation CMAC KBKDF Key Derivation HMAC KBKDF0KBKDF key derivatio n keyKBKDF derived key
HKDFDerive key from key derivation input keying materialCrypto Officer - HKDF input keying material: W,E - HKDF derived key: G,R,EKey Derivation HKDF0HKDF input keying materialHKDF derived key
RSA key pair generationGenerate a keypair for aCrypto Officer - DRBG seed,Asymmetric Key Generation0key sizekey pair

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

4 Roles, Services, and Authentication

N/A for this module. FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not support an authentication mechanism for Crypto Officer. The Crypto Officer role is authorized to access all services provided by the module (see Table - Approved Services and Table - Non-Approved Services).

4.2 Roles
4.3 Approved Services

The module implements a dedicated API function to indicate if a requested service utilizes an approved security function. The approved service indicator utilizes one of two functions (fips_allowed and fips_allowed_mode) depending on the service in question. Calling fips_allowed_mode with any approved AES mode will return a zero to indicate it is an approved algorithm. Similarly, calling fips_allowed with any other approved algorithm will return zero. Calling either of these with an algorithm not listed in the Approved Algorithms Table will return a non-zero value, and as such indicates a non-approved service. g / keywrapping This document may be reproduced and distributed only in its original entirely without revision.

Page 23

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] , , d n W,E d n W,E This document may be reproduced and distributed only in its original entirely without revision.

Page 24

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] d ): G,W,E : W,E W,E W,E G,R,E This document may be reproduced and distributed only in its original entirely without revision.

Page 25
Service
NameDescriptionRole AccessApproved FunctionsIndicatorInputOutput
ECDSA key pair generationGenerate a keypair for a requested elliptic curveCrypto Officer - DRBG seed, internal state V value, and key (IG D.L compliant ): W,E - ECDSA key pair: G,RAsymmetric Key Generation Asymmetric Key Validation0curve sizekey pair
Safe primes key generationGenerate a keypair for a requested 'safe' domain parameterCrypto Officer - DRBG seed, internal state V value, and key (IG D.L compliant ): W,E - Diffie- Hellman key pair: G,RAsymmetric Key Generation0key sizekey pair
Diffie-Hellman shared secret computationGenerate a shared secretCrypto Officer - Diffie- Hellman key pair: W,E - Diffie- HellmanShared Secret Computatio n0domain paramete r, received public key and possesseshared secret
d private keyshared secret: G,Rd private key
EC Diffie-Hellman shared secret computationGenerate a shared secretCrypto Officer - EC Diffie Hellman key pair: W,E - EC Diffie- Hellman shared secret: G,RShared Secret Computatio n0domain paramete r, received public key and possesse d private keyshared secret
Self-testexecute pre operationa l self-tests and all conditional CASTs from section 10.2Crypto OfficerSymmetric Encryption and Decryption Key Wrapping Random Number Generation Message authenticati on (MAC) Asymmetric Key Generation Asymmetric Key Validation Digital Signature Generation Digital Signature Verification Shared Secret Computatio n Key Derivation PBKDFN/Apowerpass/fail results
Show StatusReturn the module statusCrypto OfficerNoneN/AN/AStatus output
Show module and version infoReturn Module Base Name and Module Version NumberCrypto OfficerNoneN/AN/AModule informati on

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] r, n ): W,E G,R ): W,E G,R ): W,E - DiffieHellman G,R - DiffieHellman W,E - DiffieHellman This document may be reproduced and distributed only in its original entirely without revision.

Page 26

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] r, n N/A n G,R W,E DiffieHellman G,R This document may be reproduced and distributed only in its original entirely without revision.

Page 27

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] of DiffieHellman DiffieHellman N/A N/A N/A N/A N/A keywrapping Z Z This document may be reproduced and distributed only in its original entirely without revision.

Page 28
Service
NameDescriptionRolesCsps AccessedApproved FunctionsDescriptiIndicatSecurity
onAccessonorFunctions
Hellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are releasedHellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are releasedand key (IG D.L compliant ): Z - PBKDF derived key: Z - PBKDF password : Z - KBKDF key derivatio n key: Z - KBKDF derived key: Z - Diffie- Hellman key pair: Z - EC Diffie Hellman key pair: Z - Diffie- Hellman shared secret: Z - EC Diffie- Hellman shared secret: Z
ANSI X9.63 KDFHash based Key Derivation FunctionCOANSI X9.63 KDF
BlowfishEncryption / DecryptionCOBlowfish
CAST5Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit incrementsCOCAST5
DESEncryption / Decryption Key Size: 56-bitsCODES
Diffie-HellmanShared Secret Computation using key size < 2048CODiffie-Hellman
Service
NameDescriptionRolesCsps AccessedApproved FunctionsDescriptiIndicatSecurity
onAccessonorFunctions
Hellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are releasedHellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are releasedand key (IG D.L compliant ): Z - PBKDF derived key: Z - PBKDF password : Z - KBKDF key derivatio n key: Z - KBKDF derived key: Z - Diffie- Hellman key pair: Z - EC Diffie Hellman key pair: Z - Diffie- Hellman shared secret: Z - EC Diffie- Hellman shared secret: Z
ANSI X9.63 KDFHash based Key Derivation FunctionCOANSI X9.63 KDF
BlowfishEncryption / DecryptionCOBlowfish
CAST5Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit incrementsCOCAST5
DESEncryption / Decryption Key Size: 56-bitsCODES
Diffie-HellmanShared Secret Computation using key size < 2048CODiffie-Hellman

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] ): Z :Z - DiffieHellman Z Z - DiffieHellman DiffieHellman Table 14: Approved Services

4.4 Non-Approved Services

This document may be reproduced and distributed only in its original entirely without revision.

Page 29
Service
NameDescriptionRolesApproved Functions
ECDSAPKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192COECDSA
EC Diffie-HellmanShared Secret Computation using curves < P-224COEC Diffie-Hellman
Ed25519Key Generation, Signature Generation, Signature Verification, Key agreementCOEd25519
Integrated Encryption Scheme on elliptic curvesEncryption / DecryptionCOIntegrated Encryption Scheme on elliptic curves
MD2Message Digest size: 128-bitCOMD2
MD4Message Digest size: 128-bitCOMD4
MD5Message Digest (except in the TLS 1.0/1.1 context)COMD5
OMAC (One-Key CBC MAC)MAC generationCOOMAC (One-Key CBC MAC)
RC2Encryption / Decryption Key Sizes 8 to 1024-bitsCORC2
RC4Encryption / Decryption Key Sizes 8 to 4096-bitsCORC4
RFC6637Key Derivation FunctionCORFC6637
RIPEMDMessage Digest size: 160-bitsCORIPEMD
RSA KeygenANSI X9.31 Key Pair Generation; keys < 2048-bitsCORSA Keygen
RSA Digital SignaturePKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024CORSA Digital Signature
RSA Key WrappingOAEP, PKCS#1 v1.5 and -PSS schemesCORSA Key Wrapping
Triple-DES [SP 800-67]Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFBCOTriple-DES [SP 800-67]
HPKE (Hybrid Public Key Encryption)Hybrid encryption schemeCOHPKE (Hybrid Public Key Encryption) [RFC9180]
KeccakMessage DigestCOKeccak

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 15: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load any external software. This document may be reproduced and distributed only in its original entirely without revision.

Page 30

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

5 Software/Firmware Security
5.1 Integrity Techniques

A software integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e. the module is not operational.

5.2 Initiate on Demand

The module’s integrity test can be performed on demand by power-cycling the computing platform. Integrity tests on demand is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.

Page 31

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable

6.2 Configuration Settings and Restrictions

The module is supplied as part of Device OS, a commercially available general-purpose operating system executing on the computing platforms specified in section 2.2. This document may be reproduced and distributed only in its original entirely without revision.

Page 32

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

7 Physical Security

The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirely without revision.

Page 33

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

8 Non-Invasive Security

Per IG 12.A, until the requirements of NIST SP 800-140F are defined, non-invasive mechanisms fall under ISO/IEC 19790:2012 Section 7.12 Mitigation of other attacks. The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.

Page 34
Sensitive security parameter
NameTypeDescription
RAMDynamicThe module stores ephemeral SSPs in RAM provided by the operational environment. They are received for use or generated by the module only at the command of the calling application. The operating system protects all SSPs through the memory separation and protection mechanisms. No process other than the module itself can access the SSPs in its process' memory.
Service
NameApproved FunctionsTypeFromToDistributio n Type
API input parameter sElectroni cPlaintex tOperator calling application (TOEPP)Cryptographi c moduleManual
API output parameter sElectroni cPlaintex tCryptographi c moduleOperator calling application (TOEPP)Manual
ZeroizationDescriptionRationaleOperator
MethodInitiation
Context object destructionSSPs are zeroised when the appropriate context object is destroyedZeroization when structure is deallocatedInvocation of zeroization function cc_clear
Power downSSPs are zeroised when the system is powered downSSPs are zeroised when the system is powered downOperator can initiate power down
Intermediate value zeroizationIntermediate keygen values are zeroized before the module returns from the key generation function.Intermediate keygen values are zeroized before the module returns from the key generation function.N/A

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

s t c t c s m Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

N/A Table 18: SSP Zeroization Methods Data output interfaces are inhibited while zeroisation is performed. This document may be reproduced and distributed only in its original entirely without revision.

Page 35
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentUseSize - Strengt h
AES keySymmetric - CSPAES key128 to 256 bits - 128 to 256 bitsSymmetric Encryption and Decryption Message authenticatio n (MAC)
AES key- wrapping keysymmetric - CSPAES KW128 to 256 bits - 128 to 256 bitsKey Wrapping
HMAC keyMAC - CSPHMAC key8 - 262144 bits - 112 to 256-bitsMessage authenticatio n (MAC)
ECDSA key pairAsymmetri c - CSPECDSA key pair (including intermediat e keygen values)P-224, P-256, P-384, P-521 - 112 to 256 bitsAsymmetri c Key GenerationDigital Signature Generation Digital Signature Verification
RSA key pairAsymmetri c - CSPRSA key pair (including intermediat e keygen values)2048 - 4096 - 112 to 150 bitsAsymmetri c Key GenerationDigital Signature Generation Digital Signature Verification
Entropy input stringEntropy input string - CSPEntropy input string256 bits - 256 bitsRandom Number Generation
DRBG seed, internal state V value, and key (IG D.L compliant )DRBG - CSPDRBG input parameters256 bits - 256 bitsRandom Number GenerationRandom Number Generation
PBKDF derived keyStorage key - CSPPBKDF derived key128 to 256 bits - 128 to 256 bitsKey Derivation PBKDF
PBKDF passwordPassword - CSPPBKDF password64 to 1024 bits - N/AKey Derivation PBKDF
KBKDF key derivation keyDerivation key - CSPKBKDF key derivation key128 to 256 bits - 128 to 256 bitsKey Derivation CMAC KBKDF Key Derivation HMAC KBKDF
KBKDF derived keyDerived key - CSPKBKDF derived key128 to 256 bits - 128 to 256 bitsKey Derivation CMAC KBKDF Key Derivation HMAC KBKDF
HKDF input keying materialDerivation key - CSPHKDF key derivation keying material128 to 256 bits - 128 to 256 bitsKey Derivation HKDF
HKDF derived keyDerived key - CSPHKDF derived key128 to 256 bits - 128 to 256 bitsKey Derivation HKDF
Diffie- Hellman key pairAsymmetri c - CSPDiffie- Hellman key pair (including intermediat e keygen values)MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112 to 200 bitsAsymmetri c Key GenerationShared Secret Computation
Diffie- Hellman shared secretAsymmetri c - CSPDiffie- Hellman shared secretMODP- 2048, MODP- 3072, MODP- 4096,Shared Secret Computatio n
EC Diffie Hellman key pairAsymmetri c - CSPEC Diffie- Hellman key pair (including intermediat e keygen values)P-224, P-256, P-384, P-521 - 112-256 bitsAsymmetri c Key GenerationShared Secret Computation
EC Diffie- Hellman shared secretAsymmetri c - CSPEC Diffie- Hellman shared secretP-224, P-256, P-384, P-521 - 112-256 bitsShared Secret Computatio n
AES keyFrom service invocation to service completionAPI input parametersContext object destruction Power downRAM:Plaintext
AES key- wrapping keyFrom service invocation to service completionAPI input parametersContext object destruction Power downRAM:Plaintext
HMAC keyFrom service invocation to service completionAPI input parametersContext object destruction Power downRAM:Plaintext
ECDSA key pairFrom service invocation to service completionAPI input parameters API output parametersContext object destruction Power down Intermediate value zeroizationDRBG seed, internal state V value, and key (IG D.L compliant):Derived FromRAM:Plaintext
RSA key pairFrom service invocation to service completionAPI input parameters API output parametersContext object destruction Power down Intermediate value zeroizationDRBG seed, internal state V value, and key (IG D.L compliant):Derived FromRAM:Plaintext
Entropy input stringStorage duration during the usage of the CSPPower downDRBG seed, internal state V value, and key (IG D.L compliant):GeneratesRAM:Plaintext
DRBG seed, internal state V value, and key (IG D.L compliant)Storage duration during the usage of the CSPPower downEntropy input string:Derived FromRAM:Plaintext
PBKDF derived keyFrom service invocation to service completionAPI output parametersContext object destruction Power downPBKDF password:Derived FromRAM:Plaintext
PBKDF passwordFrom service invocation to service completionAPI input parametersContext object destruction Power downPBKDF derived key:DerivesRAM:Plaintext
KBKDF key derivation keyFrom service invocation to service completionAPI input parametersContext object destruction Power downKBKDF derived key:DerivesRAM:Plaintext
KBKDF derived keyFrom service invocation to service completionAPI output parametersContext object destruction Power downKBKDF key derivation key:Derived FromRAM:Plaintext
HKDF input keying materialFrom service invocation to service completionAPI input parametersContext object destruction Power downHKDF derived key:DerivesRAM:Plaintext
HKDF derived keyFrom service invocation to service completionAPI output parametersContext object destruction Power downHKDF input keying material:Derived FromRAM:Plaintext
Diffie- Hellman key pairFrom service invocation to service completionAPI input parameters API output parametersContext object destruction Power down Intermediate value zeroizationDiffie-Hellman shared secret:GeneratesRAM:Plaintext
Diffie- Hellman shared secretFrom service invocation to service completionAPI output parametersContext object destruction Power downDiffie- Hellman key pair:Derived FromRAM:Plaintext
EC Diffie Hellman key pairFrom service invocation to service completionAPI input parameters API output parametersContext object destruction Power down Intermediate value zeroizationEC Diffie-Hellman shared secret:GeneratesRAM:Plaintext
EC Diffie- Hellman shared secretFrom service invocation to service completionAPI output parametersContext object destruction Power downEC Diffie Hellman key pair:Derived FromRAM:Plaintext

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

9.4 SSPs

n AES keywrapping ) h 8262144 This document may be reproduced and distributed only in its original entirely without revision.

Page 36

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] n h DiffieHellman DiffieHellman DiffieHellman DiffieHellman MODP2048, MODP3072, MODP4096, MODP6144, MODP2048, MODP3072, MODP4096, n This document may be reproduced and distributed only in its original entirely without revision.

Page 37

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] n EC DiffieHellman EC DiffieHellman EC DiffieHellman h MODP6144, n Table 19: SSP Table 1 AES keywrapping This document may be reproduced and distributed only in its original entirely without revision.

Page 38

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] D.L This document may be reproduced and distributed only in its original entirely without revision.

Page 39

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] DiffieHellman DiffieHellman EC DiffieHellman Table 20: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.

Page 40
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
HMAC- SHA2-256 (A5407)HMAC- SHA2-256 (A5407)Message AuthenticationSW/FW IntegrityThe HMAC-SHA2-256 value calculated at runtime is compared with the HMAC-SHA2- 256 value stored in the module, computed at compilation time.112-bit keyModule successful execution
AES-GCM (A5407)AES-GCM (A5407)KATCASTSymmetric operation128-bit key, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-GCM (A5408)AES-GCM (A5408)KATCASTSymmetric operation128-bit key, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-GCM (A5405)AES-GCM (A5405)KATCASTSymmetric operation128-bit key, encryptModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A5407)Counter DRBG (A5407)KATCASTCompliant with SP 800-90Ar1128-bit keyModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A5408)Counter DRBG (A5408)KATCASTCompliant with SP 800-90Ar1128-bit keyModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A5405)Counter DRBG (A5405)KATCASTCompliant with SP 800-90Ar1128-bit keyModule becomes operationalTest runs at power-on
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
HMAC- SHA2-256 (A5407)HMAC- SHA2-256 (A5407)Message AuthenticationSW/FW IntegrityThe HMAC-SHA2-256 value calculated at runtime is compared with the HMAC-SHA2- 256 value stored in the module, computed at compilation time.112-bit keyModule successful execution
AES-GCM (A5407)AES-GCM (A5407)KATCASTSymmetric operation128-bit key, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-GCM (A5408)AES-GCM (A5408)KATCASTSymmetric operation128-bit key, encryptModule becomes operationalTest runs at power-on before the integrity test
AES-GCM (A5405)AES-GCM (A5405)KATCASTSymmetric operation128-bit key, encryptModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A5407)Counter DRBG (A5407)KATCASTCompliant with SP 800-90Ar1128-bit keyModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A5408)Counter DRBG (A5408)KATCASTCompliant with SP 800-90Ar1128-bit keyModule becomes operationalTest runs at power-on before the integrity test
Counter DRBG (A5405)Counter DRBG (A5405)KATCASTCompliant with SP 800-90Ar1128-bit keyModule becomes operationalTest runs at power-on
HMAC- SHA2-256 (A5410)HMAC- SHA2-256 (A5410)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-256 (A5407)HMAC- SHA2-256 (A5407)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-256 (A5409)HMAC- SHA2-256 (A5409)KATCASTMessage authenticationSHA2-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA-1 (A5407)HMAC- SHA-1 (A5407)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA-1 (A5409)HMAC- SHA-1 (A5409)KATCASTMessage authenticationSHA-1Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-512 (A5407)HMAC- SHA2-512 (A5407)KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2-512 (A5409)HMAC- SHA2-512 (A5409)KATCASTMessage authenticationSHA2-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2- 512/256 (A5407)HMAC- SHA2- 512/256 (A5407)KATCASTMessage authenticationSHA2- 512/256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA2- 512/256 (A5409)HMAC- SHA2- 512/256 (A5409)KATCASTMessage authenticationSHA2- 512/256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-224 (A5407)HMAC- SHA3-224 (A5407)KATCASTMessage authenticationSHA3-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-224 (A5409)HMAC- SHA3-224 (A5409)KATCASTMessage authenticationSHA3-224Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-256 (A5407)HMAC- SHA3-256 (A5407)KATCASTMessage authenticationSHA3-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-256 (A5409)HMAC- SHA3-256 (A5409)KATCASTMessage authenticationSHA3-256Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-384 (A5407)HMAC- SHA3-384 (A5407)KATCASTMessage authenticationSHA3-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-384 (A5409)HMAC- SHA3-384 (A5409)KATCASTMessage authenticationSHA3-384Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-512 (A5407)HMAC- SHA3-512 (A5407)KATCASTMessage authenticationSHA3-512Module becomes operationalTest runs at power-on before the integrity test
HMAC- SHA3-512 (A5409)HMAC- SHA3-512 (A5409)KATCASTMessage authenticationSHA3-512Module becomes operationalTest runs at power-on before the integrity test
RSA KeyGen (FIPS186-4) (A5407)RSA KeyGen (FIPS186-4) (A5407)PCTPCTSignature generation & verificationPCT with SHA2-256Successful key pair generationKey pair generation
RSA KeyGen (FIPS186-4) (A5409)RSA KeyGen (FIPS186-4) (A5409)PCTPCTSignature generation & verificationPCT with SHA2-256Successful key pair generationKey pair generation
RSA SigGen (FIPS186-4) (A5407)RSA SigGen (FIPS186-4) (A5407)KATCASTDigital signature generationPKCS#1 v1.5 with 2048 bit key and SHA2- 256Module becomes operationalTest runs at power-on before the integrity test
RSA SigGen (FIPS186-4) (A5409)RSA SigGen (FIPS186-4) (A5409)KATCASTDigital signature generationPKCS#1 v1.5 with 2048 bit key and SHA2- 256Module becomes operationalTest runs at power-on before the integrity test
RSA SigVer (FIPS186-4) (A5407)RSA SigVer (FIPS186-4) (A5407)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048 bit key and SHA2- 256Module becomes operationalTest runs at power-on before the integrity test
RSA SigVer (FIPS186-4) (A5409)RSA SigVer (FIPS186-4) (A5409)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048 bit key and SHA2- 256Module becomes operationalTest runs at power-on before the integrity test
ECDSA KeyGen (FIPS186-4) (A5407)ECDSA KeyGen (FIPS186-4) (A5407)PCTPCTECDSA: Sign/Verify; ECDH: SP800- 56Arev3 section 5.6.2.1.4PCT with SHA2-256Successful key pair generationKey pair generation
ECDSA KeyGen (FIPS186-4) (A5409)ECDSA KeyGen (FIPS186-4) (A5409)PCTPCTECDSA: Sign/Verify; ECDH: SP800- 56Arev3 section 5.6.2.1.4PCT with SHA2-256Successful key pair generationKey pair generation
ECDSA SigGen (FIPS186-4) (A5407)ECDSA SigGen (FIPS186-4) (A5407)KATCASTDigital signature generationP-224 with SHA-224Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigGen (FIPS186-4) (A5409)ECDSA SigGen (FIPS186-4) (A5409)KATCASTDigital signature generationP-224 with SHA-224Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186-4) (A5407)ECDSA SigVer (FIPS186-4) (A5407)KATCASTDigital signature verificationP-224 with SHA-224Module becomes operationalTest runs at power-on before the integrity test
ECDSA SigVer (FIPS186-4) (A5409)ECDSA SigVer (FIPS186-4) (A5409)KATCASTDigital signature verificationP-224 with SHA-224Module becomes operationalTest runs at power-on before the integrity test
KAS-ECC- SSC Sp800- 56Ar3 (A5407)KAS-ECC- SSC Sp800- 56Ar3 (A5407)KATCASTShared secret computationP-224 curveModule becomes operationalTest runs at power-on before the integrity test
KAS-FFC- SSC Sp800- 56Ar3 (A5407)KAS-FFC- SSC Sp800- 56Ar3 (A5407)KATCASTShared secret computationMODP-2048Module becomes operationalTest runs at power-on before the integrity test
KDA HKDF SP800- 56Cr2 (A5409)KDA HKDF SP800- 56Cr2 (A5409)KATCASTHMAC key derivation2048 bit key, SHA2- 256Module becomes operationalTest runs at power-on before the integrity test
KDF SP800-108 (A5407)KDF SP800-108 (A5407)KATCASTKey-based key derivationCounter mode using SHA-1, SHA-256, SHA-512Module becomes operationalTest runs at power-on before the integrity test
KDF SP800-108 (A5409)KDF SP800-108 (A5409)KATCASTKey-based key derivationCounter mode using SHA-1, SHA-256, SHA-512Module becomes operationalTest runs at power-on before the integrity test
PBKDF (A5407)PBKDF (A5407)KATCASTPassword- based key derivationSHA-1, SHA-256, SHA-512Module becomes operationalTest runs at power-on before the integrity test
PBKDF (A5409)PBKDF (A5409)KATCASTPassword- based key derivationSHA-1, SHA-256, SHA-512Module becomes operationalTest runs at power-on before the integrity test
Safe Primes Key Generation (A5407)Safe Primes Key Generation (A5407)PCTPCTSP 800- 56Arev3 Section 5.6.2.1.4 method 'b' 1MODP-2048Successful key pair generation
AES-CBC (A5406)AES-CBC (A5406)KATCASTSymmetric operation128-bit key encryptModule becomes operationalTest runs at power-on before the integrity test
AES-CBC (A5407)AES-CBC (A5407)KATCASTSymmetric operation128-bit key encryptModule becomes operationalTest runs at power-on before the integrity test
AES-CBC (A5404)AES-CBC (A5404)KATCASTSymmetric operation128-bit key encryptModule becomes operationalTest runs at power-on before the integrity test
AES-CBC (A5405)AES-CBC (A5405)KATCASTSymmetric operation128-bit key encryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A5407)AES-ECB (A5407)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A5408)AES-ECB (A5408)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A5404)AES-ECB (A5404)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A5405)AES-ECB (A5405)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-XTS Testing Revision 2.0 (A5407)AES-XTS Testing Revision 2.0 (A5407)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-XTS Testing Revision 2.0 (A5404)AES-XTS Testing Revision 2.0 (A5404)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-XTS Testing Revision 2.0 (A5405)AES-XTS Testing Revision 2.0 (A5405)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
HMAC-SHA2- 256 (A5407)HMAC-SHA2- 256 (A5407)Message AuthenticationSW/FW IntegrityWhenever module is powered onUpon every power on
AES-GCM (A5407)AES-GCM (A5407)KATCASTOn DemandManually
AES-GCM (A5408)AES-GCM (A5408)KATCASTOn DemandManually
AES-GCM (A5405)AES-GCM (A5405)KATCASTOn DemandManually
Counter DRBG (A5407)Counter DRBG (A5407)KATCASTOn DemandManually
Counter DRBG (A5408)Counter DRBG (A5408)KATCASTOn DemandManually
Counter DRBG (A5405)Counter DRBG (A5405)KATCASTOn DemandManually
HMAC-SHA2- 256 (A5410)HMAC-SHA2- 256 (A5410)KATCASTOn DemandManually

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

10 Self-Tests

While the module is executing the self-tests, services are not available, and input and output are inhibited.

10.1 Pre-Operational Self-Tests

The module performs a pre-operational software integrity automatically when the module is loaded into memory (i.e., at power on) before the module transitions to the operational state. A used to perform the approved integrity technique. Prior to using HMAC-SHA-256, a Conditional Cryptographic Algorithm Self-Tests (CAST) is performed. HMACSHA2-256 Table 21: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

This document may be reproduced and distributed only in its original entirely without revision.

Page 41

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA-1 HMACSHA-1 HMACSHA2-512 HMACSHA2-512 HMACSHA2512/256 HMACSHA2512/256 HMACSHA3-224 SHA2512/256 SHA2512/256 HMACSHA3-224 This document may be reproduced and distributed only in its original entirely without revision.

Page 42

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] HMACSHA3-256 HMACSHA3-256 HMACSHA3-384 HMACSHA3-384 HMACSHA3-512 HMACSHA3-512 and SHA2256 and SHA2256 and SHA2256 This document may be reproduced and distributed only in its original entirely without revision.

Page 43

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] and SHA2256 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 SP80056Cr2 ECDH: SP80056Arev3 5.6.2.1.4 ECDH: SP80056Arev3 5.6.2.1.4 key, SHA2256 This document may be reproduced and distributed only in its original entirely without revision.

Page 44

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Passwordbased key Passwordbased key SP 80056Arev3 5.6.2.1.4 This document may be reproduced and distributed only in its original entirely without revision.

Page 45
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
AES-ECB (A5404)AES-ECB (A5404)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-ECB (A5405)AES-ECB (A5405)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-XTS Testing Revision 2.0 (A5407)AES-XTS Testing Revision 2.0 (A5407)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-XTS Testing Revision 2.0 (A5404)AES-XTS Testing Revision 2.0 (A5404)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
AES-XTS Testing Revision 2.0 (A5405)AES-XTS Testing Revision 2.0 (A5405)KATCASTSymmetric operation128-bit key decryptModule becomes operationalTest runs at power-on before the integrity test
HMAC-SHA2- 256 (A5407)HMAC-SHA2- 256 (A5407)Message AuthenticationSW/FW IntegrityWhenever module is powered onUpon every power on
AES-GCM (A5407)AES-GCM (A5407)KATCASTOn DemandManually
AES-GCM (A5408)AES-GCM (A5408)KATCASTOn DemandManually
AES-GCM (A5405)AES-GCM (A5405)KATCASTOn DemandManually
Counter DRBG (A5407)Counter DRBG (A5407)KATCASTOn DemandManually
Counter DRBG (A5408)Counter DRBG (A5408)KATCASTOn DemandManually
Counter DRBG (A5405)Counter DRBG (A5405)KATCASTOn DemandManually
HMAC-SHA2- 256 (A5410)HMAC-SHA2- 256 (A5410)KATCASTOn DemandManually
HMAC-SHA2- 256 (A5407)HMAC-SHA2- 256 (A5407)KATCASTOn DemandManually
HMAC-SHA2- 256 (A5409)HMAC-SHA2- 256 (A5409)KATCASTOn DemandManually
HMAC-SHA-1 (A5407)HMAC-SHA-1 (A5407)KATCASTOn DemandManually
HMAC-SHA-1 (A5409)HMAC-SHA-1 (A5409)KATCASTOn DemandManually
HMAC-SHA2- 512 (A5407)HMAC-SHA2- 512 (A5407)KATCASTOn DemandManually
HMAC-SHA2- 512 (A5409)HMAC-SHA2- 512 (A5409)KATCASTOn DemandManually
HMAC-SHA2- 512/256 (A5407)HMAC-SHA2- 512/256 (A5407)KATCASTOn DemandManually
HMAC-SHA2- 512/256 (A5409)HMAC-SHA2- 512/256 (A5409)KATCASTOn DemandManually
HMAC-SHA3- 224 (A5407)HMAC-SHA3- 224 (A5407)KATCASTOn DemandManually
HMAC-SHA3- 224 (A5409)HMAC-SHA3- 224 (A5409)KATCASTOn DemandManually
HMAC-SHA3- 256 (A5407)HMAC-SHA3- 256 (A5407)KATCASTOn DemandManually
HMAC-SHA3- 256 (A5409)HMAC-SHA3- 256 (A5409)KATCASTOn DemandManually
HMAC-SHA3- 384 (A5407)HMAC-SHA3- 384 (A5407)KATCASTOn DemandManually
HMAC-SHA3- 384 (A5409)HMAC-SHA3- 384 (A5409)KATCASTOn DemandManually
HMAC-SHA3- 512 (A5407)HMAC-SHA3- 512 (A5407)KATCASTOn DemandManually
HMAC-SHA3- 512 (A5409)HMAC-SHA3- 512 (A5409)KATCASTOn DemandManually
RSA KeyGen (FIPS186-4) (A5407)RSA KeyGen (FIPS186-4) (A5407)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-4) (A5409)RSA KeyGen (FIPS186-4) (A5409)PCTPCTOn DemandManually
RSA SigGen (FIPS186-4) (A5407)RSA SigGen (FIPS186-4) (A5407)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A5409)RSA SigGen (FIPS186-4) (A5409)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A5407)RSA SigVer (FIPS186-4) (A5407)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A5409)RSA SigVer (FIPS186-4) (A5409)KATCASTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A5407)ECDSA KeyGen (FIPS186-4) (A5407)PCTPCTOn DemandManually
ECDSA KeyGen (FIPS186-4) (A5409)ECDSA KeyGen (FIPS186-4) (A5409)PCTPCTOn DemandManually
ECDSA SigGen (FIPS186-4) (A5407)ECDSA SigGen (FIPS186-4) (A5407)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A5409)ECDSA SigGen (FIPS186-4) (A5409)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A5407)ECDSA SigVer (FIPS186-4) (A5407)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A5409)ECDSA SigVer (FIPS186-4) (A5409)KATCASTOn DemandManually
KAS-ECC-SSC Sp800-56Ar3 (A5407)KAS-ECC-SSC Sp800-56Ar3 (A5407)KATCASTOn DemandManually
KAS-FFC-SSC Sp800-56Ar3 (A5407)KAS-FFC-SSC Sp800-56Ar3 (A5407)KATCASTOn DemandManually
KDA HKDF SP800-56Cr2 (A5409)KDA HKDF SP800-56Cr2 (A5409)KATCASTOn DemandManually
KDF SP800-108 (A5407)KDF SP800-108 (A5407)KATCASTOn DemandManually
KDF SP800-108 (A5409)KDF SP800-108 (A5409)KATCASTOn DemandManually
PBKDF (A5407)PBKDF (A5407)KATCASTOn DemandManually
PBKDF (A5409)PBKDF (A5409)KATCASTOn DemandManually
Safe Primes Key Generation (A5407)Safe Primes Key Generation (A5407)PCTPCTOn DemandManually
AES-CBC (A5406)AES-CBC (A5406)KATCASTOn DemandManually
AES-CBC (A5407)AES-CBC (A5407)KATCASTOn DemandManually
AES-CBC (A5404)AES-CBC (A5404)KATCASTOn DemandManually
AES-CBC (A5405)AES-CBC (A5405)KATCASTOn DemandManually
AES-ECB (A5407)AES-ECB (A5407)KATCASTOn DemandManually
AES-ECB (A5408)AES-ECB (A5408)KATCASTOn DemandManually
AES-ECB (A5404)AES-ECB (A5404)KATCASTOn DemandManually
AES-ECB (A5405)AES-ECB (A5405)KATCASTOn DemandManually
AES-XTS Testing Revision 2.0 (A5407)AES-XTS Testing Revision 2.0 (A5407)KATCASTOn DemandManually
AES-XTS Testing Revision 2.0 (A5404)AES-XTS Testing Revision 2.0 (A5404)KATCASTOn DemandManually
AES-XTS Testing Revision 2.0 (A5405)AES-XTS Testing Revision 2.0 (A5405)KATCASTOn DemandManually

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 22: Conditional Self-Tests

10.3 Periodic Self-Test Information

Table 23: Pre-Operational Periodic Information This document may be reproduced and distributed only in its original entirely without revision.

Page 46

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.

Page 47

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.

Page 48
Service
NameDescriptionRole AccessIndicator
Error State1) The HMAC-SHA- 256 value computed over the module did not match the pre- computed value or 2) The computed value in the invoked Conditional CAST did not match the known value or 3) The signature failed to1) Pre- operationa l Software Integrity Test failure or 2) Conditiona l CAST failure 3) Conditiona l PCT failure1) Error message "FAILED: fipspost_post_integrity" send to caller or 2) Error message "FAILED:<event>" sent to caller (<event> refers to any of the cryptographic functions listed Table - Conditional Self-Tests 3) Error code "CCEC_GENERATE_KEY_CONSISTENC Y" returned for ECDSA and EC Diffie- Hellman Error code "CCRSA_GENERATE_KEY_CONSISTEN CY" returned for RSA Error code "CCDH_GENERATE_KEY_CONSISTEN CY" returned for Diffie-HellmanPower cycle the device which results in the module being reloaded into memory and reperformin g the pre- operational software integrity test and the Conditional CASTs.

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

10.4 Error States

e s preConditiona 3) g the preoperational This document may be reproduced and distributed only in its original entirely without revision.

Page 49
NamDescriptionConditionRecoveryIndicator
esMethod
generate/veri fy successfully in the Conditional PCT. No cryptographic services are provided, and data output is prohibited

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] e s Table 25: Error States

10.5 Operator Initiation of Self-Tests

The module permits operators to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by rebooting the system (i.e., power-cycling). This document may be reproduced and distributed only in its original entirely without revision.

Page 50

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Startup Procedures: The module is built into Device OS defined in section 2 and delivered/ installed with the respective Device OS. There is no standalone delivery of the module as a software library. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self- tests.

11.2 Administrator Guidance

The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. Apple Platform Certifications guide (platform certifications) and Apple Platform Security guide (SEC) are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation.

11.3 Non-Administrator Guidance
11.4 Design and Rules

The Crypto Officer shall consider the following requirements and restrictions when using the module.

11.4.1 IG C.F Compliance

All of the RSA modulus sizes used by the cryptographic module have been CAVP tested and the certificates are listed in the Approved Algorithms Table of this security policy. There are no untested RSA modulus sizes used by the cryptographic module. This document may be reproduced and distributed only in its original entirely without revision.

Page 51

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

11.5 End of Life

The module secure sanitization is accomplished by first powering the module down, which will zeroize all SSPs within volatile memory. Following the power-down, an uninstall by way of system wipe or system update will zeroize the corecrypto-1638.100.62 binary file listed in Table 2. This document may be reproduced and distributed only in its original entirely without revision.

Page 52

Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]

12 Mitigation of Other Attacks

The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.