| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 12/13/2030 |
| Caveat | When operated in approved mode |
| Vendor | Apple Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A5404 |
| AES-CCM | A5405 |
| AES-CFB128 | A5404 |
| AES-CFB8 | A5405 |
| AES-CMAC | A5407 |
| AES-CTR | A5405 |
| AES-ECB | A5404 |
| AES-GCM | A5405 |
| AES-KW | A5405 |
| AES-OFB | A5404 |
| AES-XTS Testing Revision 2.0 | A5404 |
| Counter DRBG | A5405 |
| ECDSA KeyGen (FIPS186-4) | A5407 |
| ECDSA KeyVer (FIPS186-4) | A5407 |
| ECDSA SigGen (FIPS186-4) | A5407 |
| ECDSA SigVer (FIPS186-4) | A5407 |
| HMAC-SHA-1 | A5407 |
| HMAC-SHA2-224 | A5407 |
| HMAC-SHA2-256 | A5407 |
| HMAC-SHA2-384 | A5407 |
| HMAC-SHA2-512 | A5407 |
| HMAC-SHA2-512/256 | A5407 |
| HMAC-SHA3-224 | A5407 |
| HMAC-SHA3-256 | A5407 |
| HMAC-SHA3-384 | A5407 |
| HMAC-SHA3-512 | A5407 |
| KAS-ECC-SSC Sp800-56Ar3 | A5407 |
| KAS-FFC-SSC Sp800-56Ar3 | A5407 |
| KDA HKDF SP800-56Cr2 | A5409 |
| KDF SP800-108 | A5407 |
| PBKDF | A5407 |
| RSA KeyGen (FIPS186-4) | A5407 |
| RSA SigGen (FIPS186-4) | A5407 |
| RSA SigVer (FIPS186-4) | A5407 |
| SHA-1 | A5407 |
| SHA2-224 | A5407 |
| SHA2-256 | A5407 |
| SHA2-384 | A5407 |
| SHA2-512 | A5407 |
| SHA2-512/256 | A5407 |
| SHA3-224 | A5407 |
| SHA3-256 | A5407 |
| SHA3-384 | A5407 |
| SHA3-512 | A5407 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric Encryption and Decryption<br/>Self-test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>update</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric Encryption and Decryption<br/>Self-test<br/>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Apple Inc. Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Prepared for: Apple Inc. One Apple Park Way Cupertino, CA 95014 Prepared by: atsec information security corporation
Austin, TX 78759 This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table of Contents This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] List of Tables List of Figures This document may be reproduced and distributed only in its original entirely without revision.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 1 |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
This document is the non-proprietary FIPS 140-3 Security Policy for Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] cryptographic module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for
N/A N/A N/A Table 1: Security Levels This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
Purpose and Use: The Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] cryptographic module (hereafter referred to as “the module”) provides implementations of low-level cryptographic primitives to the Device OS’s (visionOS) Security Framework and Common Crypto. The module provides services intended to protect data in transit and at rest. The module is optimized for library use within the Device OS user space and does not contain any terminating assertions or exceptions. It is implemented as a Device OS dynamically loadable library. After the library is loaded, its cryptographic functions are made available to the Device OS application. Any internal error detected by the module is returned to the caller with an appropriate return code. The calling Device OS application must examine the return code and act accordingly. The module communicates any error status synchronously through the use of its documented return codes, thus indicating the module’s status. Caller-induced or internal errors do not reveal any sensitive material to callers. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The module cryptographic boundary is delineated by the dotted green rectangle in the Figure
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| corecrypto- 1638.100.62 | 14.1 | N/A | corecrypto- 1638.100.62 | HMAC-SHA256 | ||||||
| visionOS 1 | visionOS 1 | Apple Vision Pro | 14.1 | Apple M Series (ARMv8.6-A) M2 | Yes | NA | ||||
| visionOS 1 | visionOS 1 | Apple Vision Pro | 14.1 | Apple M Series (ARMv8.6-A) M2 | No | NA |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| corecrypto- 1638.100.62 | 14.1 | N/A | corecrypto- 1638.100.62 | HMAC-SHA256 | ||||||
| visionOS 1 | visionOS 1 | Apple Vision Pro | 14.1 | Apple M Series (ARMv8.6-A) M2 | Yes | NA | ||||
| visionOS 1 | visionOS 1 | Apple Vision Pro | 14.1 | Apple M Series (ARMv8.6-A) M2 | No | NA |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Figure 1: Block Diagram
Tested Module Identification
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- Approved mode | Non-Approved mode of operation is entered when the module utilizes non- approved security functions in the Table Non-Approved Algorithms Not Allowed in the Approved Mode of Operation. | return any non-zero value from fips_allowed_mode() for block cipher functions and fips_allowed() for all other services to indicate the executed cryptographic algorithm was non- approved | Non- Approved |
| Name | CAVP Cert | Reference |
|---|---|---|
| AES-CBC | A5404 | SP 800-38A |
| AES-CBC | A5405 | SP 800-38A |
| AES-CBC | A5406 | SP 800-38A |
| AES-CBC | A5407 | SP 800-38A |
| AES-CCM | A5405 | SP 800-38C |
| AES-CCM | A5407 | SP 800-38C |
| AES-CCM | A5408 | SP 800-38C |
| AES-CFB128 | A5404 | SP 800-38A |
| AES-CFB128 | A5405 | SP 800-38A |
| AES-CFB128 | A5407 | SP 800-38A |
| AES-CFB8 | A5405 | SP 800-38A |
| AES-CFB8 | A5407 | SP 800-38A |
| AES-CMAC | A5407 | SP 800-38B |
| AES-CTR | A5405 | SP 800-38A |
| AES-CTR | A5407 | SP 800-38A |
| AES-CTR | A5408 | SP 800-38A |
| AES-ECB | A5404 | SP 800-38A |
| AES-ECB | A5405 | SP 800-38A |
| AES-ECB | A5407 | SP 800-38A |
| AES-ECB | A5408 | SP 800-38A |
| AES-GCM | A5405 | SP 800-38D |
| AES-GCM | A5407 | SP 800-38D |
| AES-GCM | A5408 | SP 800-38D |
| AES-KW | A5405 | SP 800-38F |
| AES-KW | A5407 | SP 800-38F |
| AES-OFB | A5404 | SP 800-38A |
| AES-OFB | A5405 | SP 800-38A |
| AES-OFB | A5407 | SP 800-38A |
| AES-XTS Testing Revision 2.0 | A5404 | SP 800-38E |
| AES-XTS Testing Revision 2.0 | A5405 | SP 800-38E |
| AES-XTS Testing Revision 2.0 | A5407 | SP 800-38E |
| Counter DRBG | A5405 | SP 800-90A Rev. 1 |
| Counter DRBG | A5407 | SP 800-90A Rev. 1 |
| Counter DRBG | A5408 | SP 800-90A Rev. 1 |
| ECDSA KeyGen (FIPS186-4) | A5407 | FIPS 186-4 |
| ECDSA KeyGen (FIPS186-4) | A5409 | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A5407 | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A5409 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A5407 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A5409 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A5407 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A5409 | FIPS 186-4 |
| HMAC-SHA-1 | A5407 | FIPS 198-1 |
| HMAC-SHA-1 | A5409 | FIPS 198-1 |
| HMAC-SHA2-224 | A5407 | FIPS 198-1 |
| HMAC-SHA2-224 | A5409 | FIPS 198-1 |
| HMAC-SHA2-256 | A5407 | FIPS 198-1 |
| HMAC-SHA2-256 | A5409 | FIPS 198-1 |
| HMAC-SHA2-256 | A5410 | FIPS 198-1 |
| HMAC-SHA2-384 | A5407 | FIPS 198-1 |
| HMAC-SHA2-384 | A5409 | FIPS 198-1 |
| HMAC-SHA2-512 | A5407 | FIPS 198-1 |
| HMAC-SHA2-512 | A5409 | FIPS 198-1 |
| HMAC-SHA2-512/256 | A5407 | FIPS 198-1 |
| HMAC-SHA2-512/256 | A5409 | FIPS 198-1 |
| HMAC-SHA3-224 | A5407 | FIPS 198-1 |
| HMAC-SHA3-224 | A5409 | FIPS 198-1 |
| HMAC-SHA3-256 | A5407 | FIPS 198-1 |
| HMAC-SHA3-256 | A5409 | FIPS 198-1 |
| HMAC-SHA3-384 | A5407 | FIPS 198-1 |
| HMAC-SHA3-384 | A5409 | FIPS 198-1 |
| HMAC-SHA3-512 | A5407 | FIPS 198-1 |
| HMAC-SHA3-512 | A5409 | FIPS 198-1 |
| KAS-ECC-SSC Sp800-56Ar3 | A5407 | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A5407 | SP 800-56A Rev. 3 |
| KDA HKDF SP800-56Cr2 | A5409 | SP 800-56C Rev. 2 |
| KDF SP800-108 | A5407 | SP 800-108 Rev. 1 |
| KDF SP800-108 | A5409 | SP 800-108 Rev. 1 |
| PBKDF | A5407 | SP 800-132 |
| PBKDF | A5409 | SP 800-132 |
| RSA KeyGen (FIPS186-4) | A5407 | FIPS 186-4 |
| RSA KeyGen (FIPS186-4) | A5409 | FIPS 186-4 |
| RSA SigGen (FIPS186-4) | A5407 | FIPS 186-4 |
| RSA SigGen (FIPS186-4) | A5409 | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A5407 | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A5409 | FIPS 186-4 |
| Safe Primes Key Generation | A5407 | SP 800-56A Rev. 3 |
| SHA-1 | A5407 | FIPS 180-4 |
| SHA-1 | A5409 | FIPS 180-4 |
| SHA2-224 | A5407 | FIPS 180-4 |
| SHA2-224 | A5409 | FIPS 180-4 |
| SHA2-256 | A5407 | FIPS 180-4 |
| SHA2-256 | A5409 | FIPS 180-4 |
| SHA2-256 | A5410 | FIPS 180-4 |
| SHA2-384 | A5407 | FIPS 180-4 |
| SHA2-384 | A5409 | FIPS 180-4 |
| SHA2-512 | A5407 | FIPS 180-4 |
| SHA2-512 | A5409 | FIPS 180-4 |
| SHA2-512/256 | A5407 | FIPS 180-4 |
| SHA2-512/256 | A5409 | FIPS 180-4 |
| SHA3-224 | A5407 | FIPS 202 |
| SHA3-224 | A5409 | FIPS 202 |
| SHA3-256 | A5407 | FIPS 202 |
| SHA3-256 | A5409 | FIPS 202 |
| SHA3-384 | A5407 | FIPS 202 |
| SHA3-384 | A5409 | FIPS 202 |
| SHA3-512 | A5407 | FIPS 202 |
| SHA3-512 | A5409 | FIPS 202 |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
None for this module Modes List and Description: NonApproved Operation is assumed automatically without any specific configuration. If the device starts up successfully then the module has passed all self-tests and is operating in the Approved mode. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 5: Approved Algorithms Vendor-Affirmed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.
| Name | Approved Functions | Properties | |||
|---|---|---|---|---|---|
| Asymmetric CKG | Key Type:Asymmetric | N/A | SP800-133rev2 section 4 example 1 | ||
| MD5 | Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only) | Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit | |||
| ANSI X9.63 KDF | Hash based Key Derivation Function | ||||
| Blowfish | Encryption / Decryption | ||||
| CAST5 | Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments | ||||
| DES | Encryption / Decryption Key Size: 56-bits | ||||
| Diffie-Hellman | Shared Secret Computation using key size < 2048 | ||||
| ECDSA | PKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192 | ||||
| EC Diffie-Hellman | Shared Secret Computation using curves < P-224 | ||||
| Ed25519 | Key Generation, Signature Generation, Signature Verification, X25519 Key agreement | ||||
| Integrated Encryption Scheme on elliptic curves | Encryption / Decryption | ||||
| MD2 | Message Digest size: 128-bit | ||||
| MD4 | Message Digest size: 128-bit | ||||
| MD5 | Message Digest (except in the TLS 1.0/1.1 context) | ||||
| OMAC (One-Key CBC MAC) | MAC generation | ||||
| RC2 | Encryption / Decryption Key Sizes 8 to 1024-bits | ||||
| RC4 | Encryption / Decryption Key Sizes 8 to 4096-bits | ||||
| RFC6637 | Key Derivation Function | ||||
| RIPEMD | Message Digest size: 160-bits | ||||
| RSA Keygen | ANSI X9.31 Key Pair Generation; keys < 2048-bits | ||||
| RSA Digital Signature | PKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024 | ||||
| RSA Key Wrapping | OAEP, PKCS#1 v1.5 and -PSS schemes | ||||
| Triple-DES [SP 800-67] | Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFB |
| Name | Approved Functions | Properties | |||
|---|---|---|---|---|---|
| Asymmetric CKG | Key Type:Asymmetric | N/A | SP800-133rev2 section 4 example 1 | ||
| MD5 | Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only) | Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit | |||
| ANSI X9.63 KDF | Hash based Key Derivation Function | ||||
| Blowfish | Encryption / Decryption | ||||
| CAST5 | Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments | ||||
| DES | Encryption / Decryption Key Size: 56-bits | ||||
| Diffie-Hellman | Shared Secret Computation using key size < 2048 | ||||
| ECDSA | PKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192 | ||||
| EC Diffie-Hellman | Shared Secret Computation using curves < P-224 | ||||
| Ed25519 | Key Generation, Signature Generation, Signature Verification, X25519 Key agreement | ||||
| Integrated Encryption Scheme on elliptic curves | Encryption / Decryption | ||||
| MD2 | Message Digest size: 128-bit | ||||
| MD4 | Message Digest size: 128-bit | ||||
| MD5 | Message Digest (except in the TLS 1.0/1.1 context) | ||||
| OMAC (One-Key CBC MAC) | MAC generation | ||||
| RC2 | Encryption / Decryption Key Sizes 8 to 1024-bits | ||||
| RC4 | Encryption / Decryption Key Sizes 8 to 4096-bits | ||||
| RFC6637 | Key Derivation Function | ||||
| RIPEMD | Message Digest size: 160-bits | ||||
| RSA Keygen | ANSI X9.31 Key Pair Generation; keys < 2048-bits | ||||
| RSA Digital Signature | PKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024 | ||||
| RSA Key Wrapping | OAEP, PKCS#1 v1.5 and -PSS schemes | ||||
| Triple-DES [SP 800-67] | Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFB |
| Name | Description | Approved Functions | Type | Properties | |||
|---|---|---|---|---|---|---|---|
| Asymmetric CKG | Key Type:Asymmetric | N/A | SP800-133rev2 section 4 example 1 | ||||
| MD5 | Message Digest (used as part of the TLS key establishment scheme v1.0, v1.1 only) | Allowed in Approved mode with no security claimed per IG 2.4.A Digest Size: 128-bit | |||||
| ANSI X9.63 KDF | Hash based Key Derivation Function | ||||||
| Blowfish | Encryption / Decryption | ||||||
| CAST5 | Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments | ||||||
| DES | Encryption / Decryption Key Size: 56-bits | ||||||
| Diffie-Hellman | Shared Secret Computation using key size < 2048 | ||||||
| ECDSA | PKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192 | ||||||
| EC Diffie-Hellman | Shared Secret Computation using curves < P-224 | ||||||
| Ed25519 | Key Generation, Signature Generation, Signature Verification, X25519 Key agreement | ||||||
| Integrated Encryption Scheme on elliptic curves | Encryption / Decryption | ||||||
| MD2 | Message Digest size: 128-bit | ||||||
| MD4 | Message Digest size: 128-bit | ||||||
| MD5 | Message Digest (except in the TLS 1.0/1.1 context) | ||||||
| OMAC (One-Key CBC MAC) | MAC generation | ||||||
| RC2 | Encryption / Decryption Key Sizes 8 to 1024-bits | ||||||
| RC4 | Encryption / Decryption Key Sizes 8 to 4096-bits | ||||||
| RFC6637 | Key Derivation Function | ||||||
| RIPEMD | Message Digest size: 160-bits | ||||||
| RSA Keygen | ANSI X9.31 Key Pair Generation; keys < 2048-bits | ||||||
| RSA Digital Signature | PKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024 | ||||||
| RSA Key Wrapping | OAEP, PKCS#1 v1.5 and -PSS schemes | ||||||
| Triple-DES [SP 800-67] | Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFB | ||||||
| HPKE (Hybrid Public Key Encryption) [RFC9180] | Hybrid encryption scheme | ||||||
| Keccak | Message Digest | ||||||
| Symmetric Encryption and Decryption | Symmetric Encryption and Decryption | AES-CBC: (A5406, A5407, A5404, A5405) AES-CFB128: (A5407, A5404, A5405) AES-ECB: (A5407, A5408, A5404, A5405) AES-OFB: (A5407, A5404, A5405) AES-XTS Testing Revision 2.0: (A5407, A5404, A5405) AES-CCM: (A5407, A5408, A5405) AES-CFB8: (A5407, A5405) AES-CTR: (A5407, A5408, A5405) AES-GCM: (A5407, A5408, A5405) | BC-UnAuth BC-Auth | AES-CBC:Key Size / Key Strength: 128, 192, 256 bits AES- CFB128:Key Size / Key Strength: 128, 192, 256 bits AES-ECB:Key Size / Key Strength: 128, 192, 256 bits AES-OFB:Key Size / Key Strength: 128, 192, 256 bits AES-XTS Testing Revision 2.0:Key Size/ Key Strength: 128, 256 bits AES-CCM:Key Size / Key Strength: 128, 192, 256 bits AES-CFB8:Key Size / Key Strength: 128, 192, 256 bits AES-CTR:Key Size / Key Strength: 128, 192, 256 bits AES-GCM:Key Size / Key Strength: 128, 192, 256 bits | |||
| Key Wrapping | Key Wrapping | AES-KW: (A5407, A5405) | KTS-Wrap | AES-KW:Key Size / Key |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] N/A Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Not Allowed Algorithms: This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| HPKE (Hybrid Public Key Encryption) [RFC9180] | Hybrid encryption scheme | |||
| Keccak | Message Digest | |||
| Symmetric Encryption and Decryption | Symmetric Encryption and Decryption | AES-CBC: (A5406, A5407, A5404, A5405) AES-CFB128: (A5407, A5404, A5405) AES-ECB: (A5407, A5408, A5404, A5405) AES-OFB: (A5407, A5404, A5405) AES-XTS Testing Revision 2.0: (A5407, A5404, A5405) AES-CCM: (A5407, A5408, A5405) AES-CFB8: (A5407, A5405) AES-CTR: (A5407, A5408, A5405) AES-GCM: (A5407, A5408, A5405) | BC-UnAuth BC-Auth | AES-CBC:Key Size / Key Strength: 128, 192, 256 bits AES- CFB128:Key Size / Key Strength: 128, 192, 256 bits AES-ECB:Key Size / Key Strength: 128, 192, 256 bits AES-OFB:Key Size / Key Strength: 128, 192, 256 bits AES-XTS Testing Revision 2.0:Key Size/ Key Strength: 128, 256 bits AES-CCM:Key Size / Key Strength: 128, 192, 256 bits AES-CFB8:Key Size / Key Strength: 128, 192, 256 bits AES-CTR:Key Size / Key Strength: 128, 192, 256 bits AES-GCM:Key Size / Key Strength: 128, 192, 256 bits |
| Key Wrapping | Key Wrapping | AES-KW: (A5407, A5405) | KTS-Wrap | AES-KW:Key Size / Key |
| Random Number Generation | Random Number Generation | Counter DRBG: (A5407, A5408, A5405) | DRBG | Counter DRBG:Key Size/ Key Strength: 128, 256 bits |
| Message authentication (MAC) | Message authentication (MAC) | AES-CMAC: (A5407) HMAC-SHA-1: (A5407, A5409) HMAC-SHA2- 224: (A5407, A5409) HMAC-SHA2- 256: (A5410, A5407, A5409) HMAC-SHA2- 384: (A5407, A5409) HMAC-SHA2- 512: (A5407, A5409) HMAC-SHA2- 512/256: (A5407, A5409) HMAC-SHA3- 224: (A5407, A5409) HMAC-SHA3- 256: (A5407, A5409) HMAC-SHA3- 384: (A5407, A5409) HMAC-SHA3- 512: (A5407, A5409) | MAC | AES-CMAC:Key Size / Key Strength: 128, 192, 256 bits HMAC-SHA- 1:Key Size: 128 - 262144 bits; Key Strength: 128 bits HMAC-SHA2- 224:Key Size: 224 - 262144 bits; Key Strength: 224 bits HMAC-SHA2- 256:Key Size: 256 - 262144 bits; Key Strength: 256 bits HMAC-SHA2- 384:Key Size: 384 - 262144 bits; Key Strength: 384 bits HMAC-SHA2- 512:Key Size: 512 - 262144 bits; Key Strength: 512 bits HMAC-SHA2- 512/256:Key Size: 512 - 262144 bits; Key Strength: 256 bits |
| Asymmetric Key Generation | Asymmetric Key Generation | ECDSA KeyGen (FIPS186-4): (A5407, A5409) | AsymKeyPair- KeyGen | ECDSA KeyGen (FIPS186-4):Key Size(Curve): P- |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 8: Non-Approved, Not Allowed Algorithms
AESCFB128:Key This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] AsymKeyPairKeyGen This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Csps Accessed | Type |
|---|---|---|---|---|
| Asymmetric Key Validation | Asymmetric Key Validation | ECDSA KeyVer (FIPS186-4): (A5407, A5409) | ECDSA KeyVer (FIPS186-4):Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bits | AsymKeyPair- KeyVer |
| Digital Signature Generation | Digital Signature Generation | ECDSA SigGen (FIPS186-4): (A5407, A5409) RSA SigGen (FIPS186-4): (A5407, A5409) Counter DRBG: (A5407, A5408, A5405) SHA2-224: (A5407, A5409) SHA2-256: (A5410, A5407, A5409) SHA2-384: (A5407, A5409) SHA2-512: (A5407, A5409) SHA3-224: (A5407, A5409) SHA3-256: (A5407, A5409) | ECDSA SigGen (FIPS186-4):Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bits RSA SigGen (FIPS186-4):Key Size: 2048, 3072, 4096 bits; Key Strength: from 112 to 150 bits | DigSig-SigGen |
| Digital Signature Verification | Digital Signature Verification (usage of SHA1 is considered Legacy Use) | ECDSA SigVer (FIPS186-4): (A5407, A5409) RSA SigVer (FIPS186-4): (A5407, A5409) SHA-1: (A5407, A5409) SHA2-224: (A5407, A5409) SHA2-256: (A5410, A5407, A5409) SHA2-384: (A5407, A5409) SHA2-512: (A5407, A5409) SHA3-224: (A5407, A5409) SHA3-256: (A5407, A5409) SHA3-384: (A5407, A5409) SHA3-512: (A5407, A5409) | ECDSA SigVer (FIPS186-4):Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bits RSA SigVer (FIPS186-4):Key Size: 1024, 2048, 3072, 4096 bits; Key Strength: from 80 to 150 bits | DigSig-SigVer |
| Shared Secret Computation | Shared Secret Computation | KAS-ECC-SSC Sp800-56Ar3: (A5407) KAS-FFC-SSC Sp800-56Ar3: (A5407) | KAS-ECC-SSC Sp800- 56Ar3:Key Size(Curve): P- 224, P-256, P- 384, P-521; Key Strength: from 112 to 256 bits KAS-FFC-SSC Sp800- 56Ar3:Key Size: 2048, 3072, 4096, 6144, 8192 bits; Key Strength: from 112 to 200 bits | KAS-SSC |
| Key Derivation HKDF | Key Derivation | KDA HKDF SP800-56Cr2: (A5409) | KDA HKDF SP800- 56Cr2:Shared | KAS-56CKDF |
| Secret Length: 224-2048 Increment 8; Derived Key Length: 2048 | HMAC-SHA-1: (A5409) HMAC-SHA2- 224: (A5409) HMAC-SHA2- 256: (A5409) HMAC-SHA2- 384: (A5409) HMAC-SHA2- 512: (A5409) HMAC-SHA3- 224: (A5409) HMAC-SHA3- 256: (A5409) HMAC-SHA3- 384: (A5409) HMAC-SHA3- 512: (A5409) | Secret Length: 224-2048 Increment 8; Derived Key Length: 2048 | ||
| Key Derivation CMAC KBKDF | Key Derivation | KDF SP800- 108: (A5407) AES-CMAC: (A5407) | KDF SP800- 108rev1 with AES-CMAC:Key Size / Key Strength: 128, 192, 256 bits; Supported Lengths: 8-4096 Increment 8; Fixed Data Order: Before Fixed Data; Counter Length: 8, 16, 24, 32 | KBKDF |
| Key Derivation HMAC KBKDF | Key Derivation | KDF SP800- 108: (A5407, A5409) HMAC-SHA-1: (A5407, A5409) HMAC-SHA2- 224: (A5407, A5409) HMAC-SHA2- 256: (A5407, A5409) HMAC-SHA2- 384: (A5407, A5409) HMAC-SHA2- 512: (A5407, | KDF SP800- 108rev1 with HMAC:Key Size: 8-262144 Increment 8; Supported Lengths: 8-4096 Increment 8; Fixed Data Order: Before Fixed Data; Counter Length: 32 | KBKDF |
| Key Derivation PBKDF | Key Derivation | PBKDF: (A5407, A5409) HMAC-SHA-1: (A5407, A5409) HMAC-SHA2- 224: (A5407, A5409) HMAC-SHA2- 256: (A5407, A5409) HMAC-SHA2- 384: (A5407, A5409) HMAC-SHA2- 512: (A5407, A5409) HMAC-SHA3- 224: (A5407, A5409) HMAC-SHA3- 256: (A5407, A5409) HMAC-SHA3- 384: (A5407, A5409) HMAC-SHA3- 512: (A5407, A5409) | PBKDF:Key Size: 128 - 262144; Key Strength: 128 - 256; Password length: 8- 128 bytes Increment 1; Salt Length: 128-4096 Increment 8; Iteration Count: 10-1000 Increment 1 | PBKDF |
| Message Digest | Message Digest | SHA-1: (A5407, A5409) SHA2-224: (A5407, A5409) SHA2-256: (A5410, A5407, A5409) | SHA-1:N/A SHA2-224:N/A SHA2-256:N/A SHA2-384:N/A SHA2-512:N/A SHA2- 512/256:N/A | SHA |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] AsymKeyPairKeyVer This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Sp80056Ar3:Key SP80056Cr2:Shared This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] SHA2512/256:N/A This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 9: Security Function Implementations
GCM IV AES-GCM IV is constructed in compliance with IG C.H scenario 1 (TLS 1.2) and scenario 2 (IPsecv3). The GCM IV generation follows RFC 5288 shall only be used for the TLS protocol version 1.2. This implementation is compatible with acceptable AES-GCM ciphersuites from SP800-52r2 Section 3.3.1. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the TLS protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. The GCM IV generation follows RFC 4106 and shall only be used for the IPsec-v3 protocol version 3. The counter portion of the IV is set by the module within its cryptographic boundary. The module does not implement the IPsec protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the IPsec protocol implicitly ensures that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. In compliance with IG C.H section 3, if the module's power is lost and then restored, the key used for the AES GCM encryption/ decryption shall be re-distributed. AES-XTS AES-XTS mode is only approved for hardware storage applications. The length of the AES-XTS data unit does not exceed 220 blocks. The module checks explicitly that Key_1 ≠ Key_2 before using the keys in the XTS-Algorithm to process data with them compliant with IG C.I. Key Derivation using SP 800-132 PBKDF2 The module implements a CAVP tested key derivation function compliant to SP800-132 and IG D.N. The service returns the key derived from the provided password to the caller. The length of the password used as input to PBKDFv2 shall be at least 8 characters and the worst-case probability of guessing the value is 10^8 assuming all characters are digits only. The user shall choose the password length and the iteration count in such a way that the combination will This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Strength | Operational Environment | Conditioning Component | |
|---|---|---|---|---|---|
| Apple corecrypto physical entropy source | Physical | 256 bit | See Tested Operational Environment Table in section 2.2 | 256 bit | SHA-256 [ACVP cert. #C1223] |
| Apple corecrypto non- physical entropy source | Non- Physical | 18432 bits (576 32-bit samples) | See Tested Operational Environment Table in section 2.2 | 512 | SHA2-512 [ACVP cert #A5369] |
| Cert | Vendor | ||
|---|---|---|---|
| Number | Name | ||
| E113 | apple | ||
| E181 | apple |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] make the key derivation computationally intensive. PBKDFv2 is implemented to support the option 1a specified in section 5.4 of SP800-132. The derived keys may only be used in storage applications. KAS The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS. Digital signature generation using SHA-1 is non-approved and not allowed in approved services. Digital signature verification using SHA-1 is considered approved (“Legacy”). HMAC using SHA-1 are approved. The SHA-1 algorithm, as implemented by the module, will be non-approved for all purposes except signature verification, starting January 1, 2031. Note: Algorithms designated as “Legacy” can only be used on data that was generated prior to the Legacy Date specified in FIPS 140-3 IG C.M.
Table 10: Entropy Certificates corecrypto nonphysical NonPhysical Table 11: Entropy Sources Entropy sources: The random bits used to seed and reseed the module’s approved DRBG comes from a physical entropy source residing within the TOEPP. The entropy source includes a vetted conditioning component in the form of a SHA-256. The min-entropy rate at the output of the entropy source (h_out for the output of the conditioning component per Section 3.1.5 of SP 800-90B) is 256 bits per 256-bit output. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] The entropy source follows IG 9.3.A scenario 1.(b) i.e., the module is a software module and the entropy sources reside outside of the cryptographic boundary but inside module's TOEPP. DRBG(s): The module implements an SP 800-90ARev1 approved deterministic random bit generator (DRBG) in the form of a CTR_DRBG using AES-256 with derivation function and without prediction resistance. The module performs DRBG health tests according to SP800-90ARev1 section 11.3. DRBG Output: The output of CTR_DRBG provides up to 256-bits of security strength.
The module implements asymmetric key generation compliant to SP800-133r2 Section 4 examples 1 and is listed as a vendor affirmed algorithm per FIPS 140_3 IG D.H. The seed material used to generate the asymmetric key pairs is provided directly output from the module’s CTR_DRBG.
The module implements KAS-FFC-SSC and KAS-ECC-SSC compliant to [SP800-56Ar3] and is listed as an approved algorithm per FIPS 140_3 IG D.F scenario 2 path (1). The module only implements shared secret computation. All required assurances from Section 5.6.2 of SP 80056Arev3 are met by the module.
No parts of the TLS or IPsec protocols, other than those mentioned above, have been tested by the CAVP and CMVP. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | Data inputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers |
| N/A | N/A | Data Output | Data outputs are provided in the variables passed in the API and callable service invocations, generally through caller-supplied buffers |
| N/A | N/A | Control Input | Control inputs which control the mode of the module are provided through dedicated parameters. |
| N/A | N/A | Status Output | Status output is provided in return codes and through messages. Documentation for each API lists possible return codes. A complete list of all return codes returned by the C language APIs within the module is provided in the header files and the API documentation. Messages are also documented in the API documentation. |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
N/A N/A N/A N/A Table 12: Ports and Interfaces This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | Crypto Officer | Role | None | ||||||
| AES Encryption/Decrypt ion | Execute AES-mode encrypt or decrypt operation | Crypto Officer - AES key: W,E | Symmetric Encryption and Decryption | 0 | plaintext data and key / ciphertex t data and key | ciphertext data / plaintext data | |||
| AES Key Wrapping / Key unwrapping | Execute AES-key wrapping or unwrappin g operation | Crypto Officer - AES key- wrapping key: W,E | Key Wrapping | 0 | AES key wrapping key, key to be wrapped / wrapped key, AES key wrapping key | wrapped key / unwrapp ed key | |||
| Secure Hash Generation | Generate a digest for the requested algorithm | Crypto Officer | Message Digest | 0 | message | digest |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | Crypto Officer | Role | None | ||||||
| AES Encryption/Decrypt ion | Execute AES-mode encrypt or decrypt operation | Crypto Officer - AES key: W,E | Symmetric Encryption and Decryption | 0 | plaintext data and key / ciphertex t data and key | ciphertext data / plaintext data | |||
| AES Key Wrapping / Key unwrapping | Execute AES-key wrapping or unwrappin g operation | Crypto Officer - AES key- wrapping key: W,E | Key Wrapping | 0 | AES key wrapping key, key to be wrapped / wrapped key, AES key wrapping key | wrapped key / unwrapp ed key | |||
| Secure Hash Generation | Generate a digest for the requested algorithm | Crypto Officer | Message Digest | 0 | message | digest | |||
| Message Authentication Generation | Generate a MAC digest using the requested SHA algorithm or AES algorithm | Crypto Officer - AES key: W,E - HMAC key: W,E | Message authenticati on (MAC) | 0 | message , MAC key, MAC algorithm | MAC | |||
| Message Authentication Verification | Verify a MAC digest | Crypto Officer - AES key: W,E - HMAC key: W,E | Message authenticati on (MAC) | 0 | MAC, message , MAC key, MAC algorithm | pass/fail | |||
| RSA signature generation and verification | Sign a message with a specified RSA private key. Verify the signature of a message with a specified RSA public key. | Crypto Officer - RSA key pair: W,E | Digital Signature Generation Digital Signature Verification | 0 | SigGen: private key, message , hash function; SigVer: public key, digital signature , message , hash function | SigGen: compute d signature ; SigVer: pass/fail result of digital signature verificatio n | |||
| ECDSA signature generation and verification | Sign a message with a specified ECDSA private key Verify the signature of a message with a specified ECDSA public key | Crypto Officer - ECDSA key pair: W,E | Digital Signature Generation Digital Signature Verification | 0 | SigGen: private key, message , hash function; SigVer: public key, digital signature , message , hash function | SigGen: compute d signature ; SigVer: pass/fail result of digital signature verificatio n | |||
| Random Number Generation | Generate random number | Crypto Officer - Entropy input string: E - DRBG seed, internal state V value, and key (IG D.L compliant ): G,W,E | Random Number Generation | 0 | requeste d number of bits | random bit-string | |||
| PBKDF | Derive key from password | Crypto Officer - PBKDF derived key: G,R - PBKDF password : W,E | Key Derivation PBKDF | 0 | Passwor d | PBKDF derived key | |||
| KBKDF | Derive key from key derivation key | Crypto Officer - KBKDF key derivatio n key: W,E - KBKDF derived key: G,R | Key Derivation CMAC KBKDF Key Derivation HMAC KBKDF | 0 | KBKDF key derivatio n key | KBKDF derived key | |||
| HKDF | Derive key from key derivation input keying material | Crypto Officer - HKDF input keying material: W,E - HKDF derived key: G,R,E | Key Derivation HKDF | 0 | HKDF input keying material | HKDF derived key | |||
| RSA key pair generation | Generate a keypair for a | Crypto Officer - DRBG seed, | Asymmetric Key Generation | 0 | key size | key pair |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
N/A for this module. FIPS 140-3 does not require an authentication mechanism for level 1 modules. Therefore, the module does not support an authentication mechanism for Crypto Officer. The Crypto Officer role is authorized to access all services provided by the module (see Table - Approved Services and Table - Non-Approved Services).
The module implements a dedicated API function to indicate if a requested service utilizes an approved security function. The approved service indicator utilizes one of two functions (fips_allowed and fips_allowed_mode) depending on the service in question. Calling fips_allowed_mode with any approved AES mode will return a zero to indicate it is an approved algorithm. Similarly, calling fips_allowed with any other approved algorithm will return zero. Calling either of these with an algorithm not listed in the Approved Algorithms Table will return a non-zero value, and as such indicates a non-approved service. g / keywrapping This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] , , d n W,E d n W,E This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] d ): G,W,E : W,E W,E W,E G,R,E This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| ECDSA key pair generation | Generate a keypair for a requested elliptic curve | Crypto Officer - DRBG seed, internal state V value, and key (IG D.L compliant ): W,E - ECDSA key pair: G,R | Asymmetric Key Generation Asymmetric Key Validation | 0 | curve size | key pair |
| Safe primes key generation | Generate a keypair for a requested 'safe' domain parameter | Crypto Officer - DRBG seed, internal state V value, and key (IG D.L compliant ): W,E - Diffie- Hellman key pair: G,R | Asymmetric Key Generation | 0 | key size | key pair |
| Diffie-Hellman shared secret computation | Generate a shared secret | Crypto Officer - Diffie- Hellman key pair: W,E - Diffie- Hellman | Shared Secret Computatio n | 0 | domain paramete r, received public key and possesse | shared secret |
| d private key | shared secret: G,R | d private key | ||||
| EC Diffie-Hellman shared secret computation | Generate a shared secret | Crypto Officer - EC Diffie Hellman key pair: W,E - EC Diffie- Hellman shared secret: G,R | Shared Secret Computatio n | 0 | domain paramete r, received public key and possesse d private key | shared secret |
| Self-test | execute pre operationa l self-tests and all conditional CASTs from section 10.2 | Crypto Officer | Symmetric Encryption and Decryption Key Wrapping Random Number Generation Message authenticati on (MAC) Asymmetric Key Generation Asymmetric Key Validation Digital Signature Generation Digital Signature Verification Shared Secret Computatio n Key Derivation PBKDF | N/A | power | pass/fail results |
| Show Status | Return the module status | Crypto Officer | None | N/A | N/A | Status output |
| Show module and version info | Return Module Base Name and Module Version Number | Crypto Officer | None | N/A | N/A | Module informati on |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] r, n ): W,E G,R ): W,E G,R ): W,E - DiffieHellman G,R - DiffieHellman W,E - DiffieHellman This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] r, n N/A n G,R W,E DiffieHellman G,R This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] of DiffieHellman DiffieHellman N/A N/A N/A N/A N/A keywrapping Z Z This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Roles | Csps Accessed | Approved Functions | Descripti | Indicat | Security | ||
|---|---|---|---|---|---|---|---|---|---|
| on | Access | on | or | Functions | |||||
| Hellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are released | Hellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are released | and key (IG D.L compliant ): Z - PBKDF derived key: Z - PBKDF password : Z - KBKDF key derivatio n key: Z - KBKDF derived key: Z - Diffie- Hellman key pair: Z - EC Diffie Hellman key pair: Z - Diffie- Hellman shared secret: Z - EC Diffie- Hellman shared secret: Z | |||||||
| ANSI X9.63 KDF | Hash based Key Derivation Function | CO | ANSI X9.63 KDF | ||||||
| Blowfish | Encryption / Decryption | CO | Blowfish | ||||||
| CAST5 | Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments | CO | CAST5 | ||||||
| DES | Encryption / Decryption Key Size: 56-bits | CO | DES | ||||||
| Diffie-Hellman | Shared Secret Computation using key size < 2048 | CO | Diffie-Hellman |
| Name | Description | Roles | Csps Accessed | Approved Functions | Descripti | Indicat | Security | ||
|---|---|---|---|---|---|---|---|---|---|
| on | Access | on | or | Functions | |||||
| Hellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are released | Hellman, all resources of asymmetri c crypto function context and all resources of key derivation function context are released | and key (IG D.L compliant ): Z - PBKDF derived key: Z - PBKDF password : Z - KBKDF key derivatio n key: Z - KBKDF derived key: Z - Diffie- Hellman key pair: Z - EC Diffie Hellman key pair: Z - Diffie- Hellman shared secret: Z - EC Diffie- Hellman shared secret: Z | |||||||
| ANSI X9.63 KDF | Hash based Key Derivation Function | CO | ANSI X9.63 KDF | ||||||
| Blowfish | Encryption / Decryption | CO | Blowfish | ||||||
| CAST5 | Encryption / Decryption Key Sizes: 40 to 128 bits in 8-bit increments | CO | CAST5 | ||||||
| DES | Encryption / Decryption Key Size: 56-bits | CO | DES | ||||||
| Diffie-Hellman | Shared Secret Computation using key size < 2048 | CO | Diffie-Hellman |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] ): Z :Z - DiffieHellman Z Z - DiffieHellman DiffieHellman Table 14: Approved Services
This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| ECDSA | PKG: Curve P-192; PKV: Curve P-192; compact point representation of points; Signature Generation: Curve P-192; Signature Verification: Curve P-192 | CO | ECDSA |
| EC Diffie-Hellman | Shared Secret Computation using curves < P-224 | CO | EC Diffie-Hellman |
| Ed25519 | Key Generation, Signature Generation, Signature Verification, Key agreement | CO | Ed25519 |
| Integrated Encryption Scheme on elliptic curves | Encryption / Decryption | CO | Integrated Encryption Scheme on elliptic curves |
| MD2 | Message Digest size: 128-bit | CO | MD2 |
| MD4 | Message Digest size: 128-bit | CO | MD4 |
| MD5 | Message Digest (except in the TLS 1.0/1.1 context) | CO | MD5 |
| OMAC (One-Key CBC MAC) | MAC generation | CO | OMAC (One-Key CBC MAC) |
| RC2 | Encryption / Decryption Key Sizes 8 to 1024-bits | CO | RC2 |
| RC4 | Encryption / Decryption Key Sizes 8 to 4096-bits | CO | RC4 |
| RFC6637 | Key Derivation Function | CO | RFC6637 |
| RIPEMD | Message Digest size: 160-bits | CO | RIPEMD |
| RSA Keygen | ANSI X9.31 Key Pair Generation; keys < 2048-bits | CO | RSA Keygen |
| RSA Digital Signature | PKCS#1 v1.5 and PSS; Signature Generation Key Size < 2048; Signature Verification Key Size < 1024 | CO | RSA Digital Signature |
| RSA Key Wrapping | OAEP, PKCS#1 v1.5 and -PSS schemes | CO | RSA Key Wrapping |
| Triple-DES [SP 800-67] | Encrypt/Decrypt; CBC, CTR, CFB64, ECB, CFB8, OFB | CO | Triple-DES [SP 800-67] |
| HPKE (Hybrid Public Key Encryption) | Hybrid encryption scheme | CO | HPKE (Hybrid Public Key Encryption) [RFC9180] |
| Keccak | Message Digest | CO | Keccak |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 15: Non-Approved Services
The module does not load any external software. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
A software integrity test is performed on the runtime image of the module. The HMAC-SHA256 implemented in the module is used as the approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited i.e. the module is not operational.
The module’s integrity test can be performed on demand by power-cycling the computing platform. Integrity tests on demand is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
Type of Operational Environment: Modifiable
The module is supplied as part of Device OS, a commercially available general-purpose operating system executing on the computing platforms specified in section 2.2. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
The FIPS 140-3 physical security requirements do not apply to the Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] since it is a software module. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
Per IG 12.A, until the requirements of NIST SP 800-140F are defined, non-invasive mechanisms fall under ISO/IEC 19790:2012 Section 7.12 Mitigation of other attacks. The requirements of this area are not applicable to the module. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description |
|---|---|---|
| RAM | Dynamic | The module stores ephemeral SSPs in RAM provided by the operational environment. They are received for use or generated by the module only at the command of the calling application. The operating system protects all SSPs through the memory separation and protection mechanisms. No process other than the module itself can access the SSPs in its process' memory. |
| Name | Approved Functions | Type | From | To | Distributio n Type |
|---|---|---|---|---|---|
| API input parameter s | Electroni c | Plaintex t | Operator calling application (TOEPP) | Cryptographi c module | Manual |
| API output parameter s | Electroni c | Plaintex t | Cryptographi c module | Operator calling application (TOEPP) | Manual |
| Zeroization | Description | Rationale | Operator | ||
|---|---|---|---|---|---|
| Method | Initiation | ||||
| Context object destruction | SSPs are zeroised when the appropriate context object is destroyed | Zeroization when structure is deallocated | Invocation of zeroization function cc_clear | ||
| Power down | SSPs are zeroised when the system is powered down | SSPs are zeroised when the system is powered down | Operator can initiate power down | ||
| Intermediate value zeroization | Intermediate keygen values are zeroized before the module returns from the key generation function. | Intermediate keygen values are zeroized before the module returns from the key generation function. | N/A |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
s t c t c s m Table 17: SSP Input-Output Methods
N/A Table 18: SSP Zeroization Methods Data output interfaces are inhibited while zeroisation is performed. This document may be reproduced and distributed only in its original entirely without revision.
| Name | Type | Description | Strength | Generation | Establishment | Use | Size - Strengt h |
|---|---|---|---|---|---|---|---|
| AES key | Symmetric - CSP | AES key | 128 to 256 bits - 128 to 256 bits | Symmetric Encryption and Decryption Message authenticatio n (MAC) | |||
| AES key- wrapping key | symmetric - CSP | AES KW | 128 to 256 bits - 128 to 256 bits | Key Wrapping | |||
| HMAC key | MAC - CSP | HMAC key | 8 - 262144 bits - 112 to 256-bits | Message authenticatio n (MAC) | |||
| ECDSA key pair | Asymmetri c - CSP | ECDSA key pair (including intermediat e keygen values) | P-224, P-256, P-384, P-521 - 112 to 256 bits | Asymmetri c Key Generation | Digital Signature Generation Digital Signature Verification | ||
| RSA key pair | Asymmetri c - CSP | RSA key pair (including intermediat e keygen values) | 2048 - 4096 - 112 to 150 bits | Asymmetri c Key Generation | Digital Signature Generation Digital Signature Verification | ||
| Entropy input string | Entropy input string - CSP | Entropy input string | 256 bits - 256 bits | Random Number Generation | |||
| DRBG seed, internal state V value, and key (IG D.L compliant ) | DRBG - CSP | DRBG input parameters | 256 bits - 256 bits | Random Number Generation | Random Number Generation | ||
| PBKDF derived key | Storage key - CSP | PBKDF derived key | 128 to 256 bits - 128 to 256 bits | Key Derivation PBKDF | |||
| PBKDF password | Password - CSP | PBKDF password | 64 to 1024 bits - N/A | Key Derivation PBKDF | |||
| KBKDF key derivation key | Derivation key - CSP | KBKDF key derivation key | 128 to 256 bits - 128 to 256 bits | Key Derivation CMAC KBKDF Key Derivation HMAC KBKDF | |||
| KBKDF derived key | Derived key - CSP | KBKDF derived key | 128 to 256 bits - 128 to 256 bits | Key Derivation CMAC KBKDF Key Derivation HMAC KBKDF | |||
| HKDF input keying material | Derivation key - CSP | HKDF key derivation keying material | 128 to 256 bits - 128 to 256 bits | Key Derivation HKDF | |||
| HKDF derived key | Derived key - CSP | HKDF derived key | 128 to 256 bits - 128 to 256 bits | Key Derivation HKDF | |||
| Diffie- Hellman key pair | Asymmetri c - CSP | Diffie- Hellman key pair (including intermediat e keygen values) | MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112 to 200 bits | Asymmetri c Key Generation | Shared Secret Computation | ||
| Diffie- Hellman shared secret | Asymmetri c - CSP | Diffie- Hellman shared secret | MODP- 2048, MODP- 3072, MODP- 4096, | Shared Secret Computatio n | |||
| EC Diffie Hellman key pair | Asymmetri c - CSP | EC Diffie- Hellman key pair (including intermediat e keygen values) | P-224, P-256, P-384, P-521 - 112-256 bits | Asymmetri c Key Generation | Shared Secret Computation | ||
| EC Diffie- Hellman shared secret | Asymmetri c - CSP | EC Diffie- Hellman shared secret | P-224, P-256, P-384, P-521 - 112-256 bits | Shared Secret Computatio n | |||
| AES key | From service invocation to service completion | API input parameters | Context object destruction Power down | RAM:Plaintext | |||
| AES key- wrapping key | From service invocation to service completion | API input parameters | Context object destruction Power down | RAM:Plaintext | |||
| HMAC key | From service invocation to service completion | API input parameters | Context object destruction Power down | RAM:Plaintext | |||
| ECDSA key pair | From service invocation to service completion | API input parameters API output parameters | Context object destruction Power down Intermediate value zeroization | DRBG seed, internal state V value, and key (IG D.L compliant):Derived From | RAM:Plaintext | ||
| RSA key pair | From service invocation to service completion | API input parameters API output parameters | Context object destruction Power down Intermediate value zeroization | DRBG seed, internal state V value, and key (IG D.L compliant):Derived From | RAM:Plaintext | ||
| Entropy input string | Storage duration during the usage of the CSP | Power down | DRBG seed, internal state V value, and key (IG D.L compliant):Generates | RAM:Plaintext | |||
| DRBG seed, internal state V value, and key (IG D.L compliant) | Storage duration during the usage of the CSP | Power down | Entropy input string:Derived From | RAM:Plaintext | |||
| PBKDF derived key | From service invocation to service completion | API output parameters | Context object destruction Power down | PBKDF password:Derived From | RAM:Plaintext | ||
| PBKDF password | From service invocation to service completion | API input parameters | Context object destruction Power down | PBKDF derived key:Derives | RAM:Plaintext | ||
| KBKDF key derivation key | From service invocation to service completion | API input parameters | Context object destruction Power down | KBKDF derived key:Derives | RAM:Plaintext | ||
| KBKDF derived key | From service invocation to service completion | API output parameters | Context object destruction Power down | KBKDF key derivation key:Derived From | RAM:Plaintext | ||
| HKDF input keying material | From service invocation to service completion | API input parameters | Context object destruction Power down | HKDF derived key:Derives | RAM:Plaintext | ||
| HKDF derived key | From service invocation to service completion | API output parameters | Context object destruction Power down | HKDF input keying material:Derived From | RAM:Plaintext | ||
| Diffie- Hellman key pair | From service invocation to service completion | API input parameters API output parameters | Context object destruction Power down Intermediate value zeroization | Diffie-Hellman shared secret:Generates | RAM:Plaintext | ||
| Diffie- Hellman shared secret | From service invocation to service completion | API output parameters | Context object destruction Power down | Diffie- Hellman key pair:Derived From | RAM:Plaintext | ||
| EC Diffie Hellman key pair | From service invocation to service completion | API input parameters API output parameters | Context object destruction Power down Intermediate value zeroization | EC Diffie-Hellman shared secret:Generates | RAM:Plaintext | ||
| EC Diffie- Hellman shared secret | From service invocation to service completion | API output parameters | Context object destruction Power down | EC Diffie Hellman key pair:Derived From | RAM:Plaintext |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
n AES keywrapping ) h 8262144 This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] n h DiffieHellman DiffieHellman DiffieHellman DiffieHellman MODP2048, MODP3072, MODP4096, MODP6144, MODP2048, MODP3072, MODP4096, n This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] n EC DiffieHellman EC DiffieHellman EC DiffieHellman h MODP6144, n Table 19: SSP Table 1 AES keywrapping This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] D.L This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] DiffieHellman DiffieHellman EC DiffieHellman Table 20: SSP Table 2 This document may be reproduced and distributed only in its original entirely without revision.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 (A5407) | HMAC- SHA2-256 (A5407) | Message Authentication | SW/FW Integrity | The HMAC-SHA2-256 value calculated at runtime is compared with the HMAC-SHA2- 256 value stored in the module, computed at compilation time. | 112-bit key | Module successful execution | |
| AES-GCM (A5407) | AES-GCM (A5407) | KAT | CAST | Symmetric operation | 128-bit key, encrypt | Module becomes operational | Test runs at power-on before the integrity test |
| AES-GCM (A5408) | AES-GCM (A5408) | KAT | CAST | Symmetric operation | 128-bit key, encrypt | Module becomes operational | Test runs at power-on before the integrity test |
| AES-GCM (A5405) | AES-GCM (A5405) | KAT | CAST | Symmetric operation | 128-bit key, encrypt | Module becomes operational | Test runs at power-on before the integrity test |
| Counter DRBG (A5407) | Counter DRBG (A5407) | KAT | CAST | Compliant with SP 800-90Ar1 | 128-bit key | Module becomes operational | Test runs at power-on before the integrity test |
| Counter DRBG (A5408) | Counter DRBG (A5408) | KAT | CAST | Compliant with SP 800-90Ar1 | 128-bit key | Module becomes operational | Test runs at power-on before the integrity test |
| Counter DRBG (A5405) | Counter DRBG (A5405) | KAT | CAST | Compliant with SP 800-90Ar1 | 128-bit key | Module becomes operational | Test runs at power-on |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 (A5407) | HMAC- SHA2-256 (A5407) | Message Authentication | SW/FW Integrity | The HMAC-SHA2-256 value calculated at runtime is compared with the HMAC-SHA2- 256 value stored in the module, computed at compilation time. | 112-bit key | Module successful execution | |||
| AES-GCM (A5407) | AES-GCM (A5407) | KAT | CAST | Symmetric operation | 128-bit key, encrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-GCM (A5408) | AES-GCM (A5408) | KAT | CAST | Symmetric operation | 128-bit key, encrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-GCM (A5405) | AES-GCM (A5405) | KAT | CAST | Symmetric operation | 128-bit key, encrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| Counter DRBG (A5407) | Counter DRBG (A5407) | KAT | CAST | Compliant with SP 800-90Ar1 | 128-bit key | Module becomes operational | Test runs at power-on before the integrity test | ||
| Counter DRBG (A5408) | Counter DRBG (A5408) | KAT | CAST | Compliant with SP 800-90Ar1 | 128-bit key | Module becomes operational | Test runs at power-on before the integrity test | ||
| Counter DRBG (A5405) | Counter DRBG (A5405) | KAT | CAST | Compliant with SP 800-90Ar1 | 128-bit key | Module becomes operational | Test runs at power-on | ||
| HMAC- SHA2-256 (A5410) | HMAC- SHA2-256 (A5410) | KAT | CAST | Message authentication | SHA2-256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA2-256 (A5407) | HMAC- SHA2-256 (A5407) | KAT | CAST | Message authentication | SHA2-256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA2-256 (A5409) | HMAC- SHA2-256 (A5409) | KAT | CAST | Message authentication | SHA2-256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA-1 (A5407) | HMAC- SHA-1 (A5407) | KAT | CAST | Message authentication | SHA-1 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA-1 (A5409) | HMAC- SHA-1 (A5409) | KAT | CAST | Message authentication | SHA-1 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA2-512 (A5407) | HMAC- SHA2-512 (A5407) | KAT | CAST | Message authentication | SHA2-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA2-512 (A5409) | HMAC- SHA2-512 (A5409) | KAT | CAST | Message authentication | SHA2-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA2- 512/256 (A5407) | HMAC- SHA2- 512/256 (A5407) | KAT | CAST | Message authentication | SHA2- 512/256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA2- 512/256 (A5409) | HMAC- SHA2- 512/256 (A5409) | KAT | CAST | Message authentication | SHA2- 512/256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-224 (A5407) | HMAC- SHA3-224 (A5407) | KAT | CAST | Message authentication | SHA3-224 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-224 (A5409) | HMAC- SHA3-224 (A5409) | KAT | CAST | Message authentication | SHA3-224 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-256 (A5407) | HMAC- SHA3-256 (A5407) | KAT | CAST | Message authentication | SHA3-256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-256 (A5409) | HMAC- SHA3-256 (A5409) | KAT | CAST | Message authentication | SHA3-256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-384 (A5407) | HMAC- SHA3-384 (A5407) | KAT | CAST | Message authentication | SHA3-384 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-384 (A5409) | HMAC- SHA3-384 (A5409) | KAT | CAST | Message authentication | SHA3-384 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-512 (A5407) | HMAC- SHA3-512 (A5407) | KAT | CAST | Message authentication | SHA3-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC- SHA3-512 (A5409) | HMAC- SHA3-512 (A5409) | KAT | CAST | Message authentication | SHA3-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| RSA KeyGen (FIPS186-4) (A5407) | RSA KeyGen (FIPS186-4) (A5407) | PCT | PCT | Signature generation & verification | PCT with SHA2-256 | Successful key pair generation | Key pair generation | ||
| RSA KeyGen (FIPS186-4) (A5409) | RSA KeyGen (FIPS186-4) (A5409) | PCT | PCT | Signature generation & verification | PCT with SHA2-256 | Successful key pair generation | Key pair generation | ||
| RSA SigGen (FIPS186-4) (A5407) | RSA SigGen (FIPS186-4) (A5407) | KAT | CAST | Digital signature generation | PKCS#1 v1.5 with 2048 bit key and SHA2- 256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| RSA SigGen (FIPS186-4) (A5409) | RSA SigGen (FIPS186-4) (A5409) | KAT | CAST | Digital signature generation | PKCS#1 v1.5 with 2048 bit key and SHA2- 256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| RSA SigVer (FIPS186-4) (A5407) | RSA SigVer (FIPS186-4) (A5407) | KAT | CAST | Digital signature verification | PKCS#1 v1.5 with 2048 bit key and SHA2- 256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| RSA SigVer (FIPS186-4) (A5409) | RSA SigVer (FIPS186-4) (A5409) | KAT | CAST | Digital signature verification | PKCS#1 v1.5 with 2048 bit key and SHA2- 256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| ECDSA KeyGen (FIPS186-4) (A5407) | ECDSA KeyGen (FIPS186-4) (A5407) | PCT | PCT | ECDSA: Sign/Verify; ECDH: SP800- 56Arev3 section 5.6.2.1.4 | PCT with SHA2-256 | Successful key pair generation | Key pair generation | ||
| ECDSA KeyGen (FIPS186-4) (A5409) | ECDSA KeyGen (FIPS186-4) (A5409) | PCT | PCT | ECDSA: Sign/Verify; ECDH: SP800- 56Arev3 section 5.6.2.1.4 | PCT with SHA2-256 | Successful key pair generation | Key pair generation | ||
| ECDSA SigGen (FIPS186-4) (A5407) | ECDSA SigGen (FIPS186-4) (A5407) | KAT | CAST | Digital signature generation | P-224 with SHA-224 | Module becomes operational | Test runs at power-on before the integrity test | ||
| ECDSA SigGen (FIPS186-4) (A5409) | ECDSA SigGen (FIPS186-4) (A5409) | KAT | CAST | Digital signature generation | P-224 with SHA-224 | Module becomes operational | Test runs at power-on before the integrity test | ||
| ECDSA SigVer (FIPS186-4) (A5407) | ECDSA SigVer (FIPS186-4) (A5407) | KAT | CAST | Digital signature verification | P-224 with SHA-224 | Module becomes operational | Test runs at power-on before the integrity test | ||
| ECDSA SigVer (FIPS186-4) (A5409) | ECDSA SigVer (FIPS186-4) (A5409) | KAT | CAST | Digital signature verification | P-224 with SHA-224 | Module becomes operational | Test runs at power-on before the integrity test | ||
| KAS-ECC- SSC Sp800- 56Ar3 (A5407) | KAS-ECC- SSC Sp800- 56Ar3 (A5407) | KAT | CAST | Shared secret computation | P-224 curve | Module becomes operational | Test runs at power-on before the integrity test | ||
| KAS-FFC- SSC Sp800- 56Ar3 (A5407) | KAS-FFC- SSC Sp800- 56Ar3 (A5407) | KAT | CAST | Shared secret computation | MODP-2048 | Module becomes operational | Test runs at power-on before the integrity test | ||
| KDA HKDF SP800- 56Cr2 (A5409) | KDA HKDF SP800- 56Cr2 (A5409) | KAT | CAST | HMAC key derivation | 2048 bit key, SHA2- 256 | Module becomes operational | Test runs at power-on before the integrity test | ||
| KDF SP800-108 (A5407) | KDF SP800-108 (A5407) | KAT | CAST | Key-based key derivation | Counter mode using SHA-1, SHA-256, SHA-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| KDF SP800-108 (A5409) | KDF SP800-108 (A5409) | KAT | CAST | Key-based key derivation | Counter mode using SHA-1, SHA-256, SHA-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| PBKDF (A5407) | PBKDF (A5407) | KAT | CAST | Password- based key derivation | SHA-1, SHA-256, SHA-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| PBKDF (A5409) | PBKDF (A5409) | KAT | CAST | Password- based key derivation | SHA-1, SHA-256, SHA-512 | Module becomes operational | Test runs at power-on before the integrity test | ||
| Safe Primes Key Generation (A5407) | Safe Primes Key Generation (A5407) | PCT | PCT | SP 800- 56Arev3 Section 5.6.2.1.4 method 'b' 1 | MODP-2048 | Successful key pair generation | |||
| AES-CBC (A5406) | AES-CBC (A5406) | KAT | CAST | Symmetric operation | 128-bit key encrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-CBC (A5407) | AES-CBC (A5407) | KAT | CAST | Symmetric operation | 128-bit key encrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-CBC (A5404) | AES-CBC (A5404) | KAT | CAST | Symmetric operation | 128-bit key encrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-CBC (A5405) | AES-CBC (A5405) | KAT | CAST | Symmetric operation | 128-bit key encrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-ECB (A5407) | AES-ECB (A5407) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-ECB (A5408) | AES-ECB (A5408) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-ECB (A5404) | AES-ECB (A5404) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-ECB (A5405) | AES-ECB (A5405) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-XTS Testing Revision 2.0 (A5407) | AES-XTS Testing Revision 2.0 (A5407) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-XTS Testing Revision 2.0 (A5404) | AES-XTS Testing Revision 2.0 (A5404) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-XTS Testing Revision 2.0 (A5405) | AES-XTS Testing Revision 2.0 (A5405) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC-SHA2- 256 (A5407) | HMAC-SHA2- 256 (A5407) | Message Authentication | SW/FW Integrity | Whenever module is powered on | Upon every power on | ||||
| AES-GCM (A5407) | AES-GCM (A5407) | KAT | CAST | On Demand | Manually | ||||
| AES-GCM (A5408) | AES-GCM (A5408) | KAT | CAST | On Demand | Manually | ||||
| AES-GCM (A5405) | AES-GCM (A5405) | KAT | CAST | On Demand | Manually | ||||
| Counter DRBG (A5407) | Counter DRBG (A5407) | KAT | CAST | On Demand | Manually | ||||
| Counter DRBG (A5408) | Counter DRBG (A5408) | KAT | CAST | On Demand | Manually | ||||
| Counter DRBG (A5405) | Counter DRBG (A5405) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 256 (A5410) | HMAC-SHA2- 256 (A5410) | KAT | CAST | On Demand | Manually |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
While the module is executing the self-tests, services are not available, and input and output are inhibited.
The module performs a pre-operational software integrity automatically when the module is loaded into memory (i.e., at power on) before the module transitions to the operational state. A used to perform the approved integrity technique. Prior to using HMAC-SHA-256, a Conditional Cryptographic Algorithm Self-Tests (CAST) is performed. HMACSHA2-256 Table 21: Pre-Operational Self-Tests
This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] HMACSHA2-256 HMACSHA2-256 HMACSHA2-256 HMACSHA-1 HMACSHA-1 HMACSHA2-512 HMACSHA2-512 HMACSHA2512/256 HMACSHA2512/256 HMACSHA3-224 SHA2512/256 SHA2512/256 HMACSHA3-224 This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] HMACSHA3-256 HMACSHA3-256 HMACSHA3-384 HMACSHA3-384 HMACSHA3-512 HMACSHA3-512 and SHA2256 and SHA2256 and SHA2256 This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] and SHA2256 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 SP80056Cr2 ECDH: SP80056Arev3 5.6.2.1.4 ECDH: SP80056Arev3 5.6.2.1.4 key, SHA2256 This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Passwordbased key Passwordbased key SP 80056Arev3 5.6.2.1.4 This document may be reproduced and distributed only in its original entirely without revision.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| AES-ECB (A5404) | AES-ECB (A5404) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-ECB (A5405) | AES-ECB (A5405) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-XTS Testing Revision 2.0 (A5407) | AES-XTS Testing Revision 2.0 (A5407) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-XTS Testing Revision 2.0 (A5404) | AES-XTS Testing Revision 2.0 (A5404) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| AES-XTS Testing Revision 2.0 (A5405) | AES-XTS Testing Revision 2.0 (A5405) | KAT | CAST | Symmetric operation | 128-bit key decrypt | Module becomes operational | Test runs at power-on before the integrity test | ||
| HMAC-SHA2- 256 (A5407) | HMAC-SHA2- 256 (A5407) | Message Authentication | SW/FW Integrity | Whenever module is powered on | Upon every power on | ||||
| AES-GCM (A5407) | AES-GCM (A5407) | KAT | CAST | On Demand | Manually | ||||
| AES-GCM (A5408) | AES-GCM (A5408) | KAT | CAST | On Demand | Manually | ||||
| AES-GCM (A5405) | AES-GCM (A5405) | KAT | CAST | On Demand | Manually | ||||
| Counter DRBG (A5407) | Counter DRBG (A5407) | KAT | CAST | On Demand | Manually | ||||
| Counter DRBG (A5408) | Counter DRBG (A5408) | KAT | CAST | On Demand | Manually | ||||
| Counter DRBG (A5405) | Counter DRBG (A5405) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 256 (A5410) | HMAC-SHA2- 256 (A5410) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 256 (A5407) | HMAC-SHA2- 256 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 256 (A5409) | HMAC-SHA2- 256 (A5409) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA-1 (A5407) | HMAC-SHA-1 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA-1 (A5409) | HMAC-SHA-1 (A5409) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 512 (A5407) | HMAC-SHA2- 512 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 512 (A5409) | HMAC-SHA2- 512 (A5409) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 512/256 (A5407) | HMAC-SHA2- 512/256 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA2- 512/256 (A5409) | HMAC-SHA2- 512/256 (A5409) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 224 (A5407) | HMAC-SHA3- 224 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 224 (A5409) | HMAC-SHA3- 224 (A5409) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 256 (A5407) | HMAC-SHA3- 256 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 256 (A5409) | HMAC-SHA3- 256 (A5409) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 384 (A5407) | HMAC-SHA3- 384 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 384 (A5409) | HMAC-SHA3- 384 (A5409) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 512 (A5407) | HMAC-SHA3- 512 (A5407) | KAT | CAST | On Demand | Manually | ||||
| HMAC-SHA3- 512 (A5409) | HMAC-SHA3- 512 (A5409) | KAT | CAST | On Demand | Manually | ||||
| RSA KeyGen (FIPS186-4) (A5407) | RSA KeyGen (FIPS186-4) (A5407) | PCT | PCT | On Demand | Manually | ||||
| RSA KeyGen (FIPS186-4) (A5409) | RSA KeyGen (FIPS186-4) (A5409) | PCT | PCT | On Demand | Manually | ||||
| RSA SigGen (FIPS186-4) (A5407) | RSA SigGen (FIPS186-4) (A5407) | KAT | CAST | On Demand | Manually | ||||
| RSA SigGen (FIPS186-4) (A5409) | RSA SigGen (FIPS186-4) (A5409) | KAT | CAST | On Demand | Manually | ||||
| RSA SigVer (FIPS186-4) (A5407) | RSA SigVer (FIPS186-4) (A5407) | KAT | CAST | On Demand | Manually | ||||
| RSA SigVer (FIPS186-4) (A5409) | RSA SigVer (FIPS186-4) (A5409) | KAT | CAST | On Demand | Manually | ||||
| ECDSA KeyGen (FIPS186-4) (A5407) | ECDSA KeyGen (FIPS186-4) (A5407) | PCT | PCT | On Demand | Manually | ||||
| ECDSA KeyGen (FIPS186-4) (A5409) | ECDSA KeyGen (FIPS186-4) (A5409) | PCT | PCT | On Demand | Manually | ||||
| ECDSA SigGen (FIPS186-4) (A5407) | ECDSA SigGen (FIPS186-4) (A5407) | KAT | CAST | On Demand | Manually | ||||
| ECDSA SigGen (FIPS186-4) (A5409) | ECDSA SigGen (FIPS186-4) (A5409) | KAT | CAST | On Demand | Manually | ||||
| ECDSA SigVer (FIPS186-4) (A5407) | ECDSA SigVer (FIPS186-4) (A5407) | KAT | CAST | On Demand | Manually | ||||
| ECDSA SigVer (FIPS186-4) (A5409) | ECDSA SigVer (FIPS186-4) (A5409) | KAT | CAST | On Demand | Manually | ||||
| KAS-ECC-SSC Sp800-56Ar3 (A5407) | KAS-ECC-SSC Sp800-56Ar3 (A5407) | KAT | CAST | On Demand | Manually | ||||
| KAS-FFC-SSC Sp800-56Ar3 (A5407) | KAS-FFC-SSC Sp800-56Ar3 (A5407) | KAT | CAST | On Demand | Manually | ||||
| KDA HKDF SP800-56Cr2 (A5409) | KDA HKDF SP800-56Cr2 (A5409) | KAT | CAST | On Demand | Manually | ||||
| KDF SP800-108 (A5407) | KDF SP800-108 (A5407) | KAT | CAST | On Demand | Manually | ||||
| KDF SP800-108 (A5409) | KDF SP800-108 (A5409) | KAT | CAST | On Demand | Manually | ||||
| PBKDF (A5407) | PBKDF (A5407) | KAT | CAST | On Demand | Manually | ||||
| PBKDF (A5409) | PBKDF (A5409) | KAT | CAST | On Demand | Manually | ||||
| Safe Primes Key Generation (A5407) | Safe Primes Key Generation (A5407) | PCT | PCT | On Demand | Manually | ||||
| AES-CBC (A5406) | AES-CBC (A5406) | KAT | CAST | On Demand | Manually | ||||
| AES-CBC (A5407) | AES-CBC (A5407) | KAT | CAST | On Demand | Manually | ||||
| AES-CBC (A5404) | AES-CBC (A5404) | KAT | CAST | On Demand | Manually | ||||
| AES-CBC (A5405) | AES-CBC (A5405) | KAT | CAST | On Demand | Manually | ||||
| AES-ECB (A5407) | AES-ECB (A5407) | KAT | CAST | On Demand | Manually | ||||
| AES-ECB (A5408) | AES-ECB (A5408) | KAT | CAST | On Demand | Manually | ||||
| AES-ECB (A5404) | AES-ECB (A5404) | KAT | CAST | On Demand | Manually | ||||
| AES-ECB (A5405) | AES-ECB (A5405) | KAT | CAST | On Demand | Manually | ||||
| AES-XTS Testing Revision 2.0 (A5407) | AES-XTS Testing Revision 2.0 (A5407) | KAT | CAST | On Demand | Manually | ||||
| AES-XTS Testing Revision 2.0 (A5404) | AES-XTS Testing Revision 2.0 (A5404) | KAT | CAST | On Demand | Manually | ||||
| AES-XTS Testing Revision 2.0 (A5405) | AES-XTS Testing Revision 2.0 (A5405) | KAT | CAST | On Demand | Manually |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] Table 22: Conditional Self-Tests
Table 23: Pre-Operational Periodic Information This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] This document may be reproduced and distributed only in its original entirely without revision.
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Error State | 1) The HMAC-SHA- 256 value computed over the module did not match the pre- computed value or 2) The computed value in the invoked Conditional CAST did not match the known value or 3) The signature failed to | 1) Pre- operationa l Software Integrity Test failure or 2) Conditiona l CAST failure 3) Conditiona l PCT failure | 1) Error message "FAILED: fipspost_post_integrity" send to caller or 2) Error message "FAILED:<event>" sent to caller (<event> refers to any of the cryptographic functions listed Table - Conditional Self-Tests 3) Error code "CCEC_GENERATE_KEY_CONSISTENC Y" returned for ECDSA and EC Diffie- Hellman Error code "CCRSA_GENERATE_KEY_CONSISTEN CY" returned for RSA Error code "CCDH_GENERATE_KEY_CONSISTEN CY" returned for Diffie-Hellman | Power cycle the device which results in the module being reloaded into memory and reperformin g the pre- operational software integrity test and the Conditional CASTs. |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
e s preConditiona 3) g the preoperational This document may be reproduced and distributed only in its original entirely without revision.
| Nam | Description | Condition | Recovery | Indicator |
|---|---|---|---|---|
| e | s | Method | ||
| generate/veri fy successfully in the Conditional PCT. No cryptographic services are provided, and data output is prohibited |
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1] e s Table 25: Error States
The module permits operators to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by rebooting the system (i.e., power-cycling). This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
Startup Procedures: The module is built into Device OS defined in section 2 and delivered/ installed with the respective Device OS. There is no standalone delivery of the module as a software library. Installation Process and Authentication Mechanisms: The vendor’s internal development process guarantees that the correct version of module goes with its intended Device OS version. For additional assurance, the module is digitally signed by vendor, and it is verified during the integration into Host Device OS. This digital signature-based integrity protection during the delivery/integration process is not to be confused with the HMAC-256 based integrity check performed by the module itself as part of its pre-operational self- tests.
The Approved mode of operation is configured in the system by default and can only be transitioned into the non-Approved mode by calling one of the non-Approved services listed in Table - Non-Approved Services. If the device starts up successfully, then the module has passed all self-tests and is operating in the Approved mode. Apple Platform Certifications guide (platform certifications) and Apple Platform Security guide (SEC) are provided by Apple which offers IT System Administrators with the necessary technical information to ensure FIPS 140-3 Compliance of the deployed systems. This guide walks the reader through the system’s assertion of cryptographic module integrity and the steps necessary if module integrity requires remediation.
The Crypto Officer shall consider the following requirements and restrictions when using the module.
All of the RSA modulus sizes used by the cryptographic module have been CAVP tested and the certificates are listed in the Approved Algorithms Table of this security policy. There are no untested RSA modulus sizes used by the cryptographic module. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
The module secure sanitization is accomplished by first powering the module down, which will zeroize all SSPs within volatile memory. Following the power-down, an uninstall by way of system wipe or system update will zeroize the corecrypto-1638.100.62 binary file listed in Table 2. This document may be reproduced and distributed only in its original entirely without revision.
Apple corecrypto Module v14.1 [Apple silicon, User, Software, SL1]
The module does not claim mitigation of other attacks. This document may be reproduced and distributed only in its original entirely without revision.