All modules
CMVP Validated Module · FIPS 140-3 Security Policy

HID Global Cryptographic Module

Certificate#5123StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorHID Global Corporation
Medium review priority  ·  exposes network crypto parser/protocol  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/28/2029
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys).
VendorHID Global Corporation

Approved Algorithms (83)

AlgorithmACVP Cert
AES-CBCA6047
AES-CBC-CS1A6047
AES-CBC-CS2A6047
AES-CBC-CS3A6047
AES-CCMA6047
AES-CFB128A6047
AES-CFB8A6047
AES-CMACA6047
AES-CTRA6047
AES-ECBA6047
AES-FF1A6047
AES-GCMA6047
AES-GMACA6047
AES-KWA6047
AES-KWPA6047
AES-OFBA6047
Counter DRBGA6047
cSHAKE-128A6047
cSHAKE-256A6047
DSA KeyGen (FIPS186-4)A6047
DSA PQGGen (FIPS186-4)A6047
DSA PQGVer (FIPS186-4)A6047
DSA SigGen (FIPS186-4)A6047
DSA SigVer (FIPS186-4)A6047
ECDSA KeyGen (FIPS186-4)A6047
ECDSA KeyVer (FIPS186-4)A6047
ECDSA SigGen (FIPS186-4)A6047
ECDSA SigVer (FIPS186-4)A6047
Hash DRBGA6047
HMAC DRBGA6047
HMAC-SHA-1A6047
HMAC-SHA2-224A6047
HMAC-SHA2-256A6047
HMAC-SHA2-384A6047
HMAC-SHA2-512A6047
HMAC-SHA2-512/224A6047
HMAC-SHA2-512/256A6047
HMAC-SHA3-224A6047
HMAC-SHA3-256A6047
HMAC-SHA3-384A6047
HMAC-SHA3-512A6047
KAS-ECC Sp800-56Ar3A6047
KAS-FFC Sp800-56Ar3A6047
KAS-IFCA6047
KDA HKDF SP800-56Cr2A6047
KDA OneStep SP800-56Cr2A6047
KDA TwoStep SP800-56Cr2A6047
KDF ANS 9.63A6047
KDF IKEv2A6047
KDF SNMPA6047
KDF SP800-108A6047
KDF SRTPA6047
KDF SSHA6047
KDF TLSA6047
KMAC-128A6047
KMAC-256A6047
KTS-IFCA6047
ParallelHash-128A6047
ParallelHash-256A6047
PBKDFA6047
RSA Decryption PrimitiveA6047
RSA KeyGen (FIPS186-4)A6047
RSA SigGen (FIPS186-4)A6047
RSA Signature PrimitiveA6047
RSA SigVer (FIPS186-2)A6047
RSA SigVer (FIPS186-4)A6047
Safe Primes Key GenerationA6047
Safe Primes Key VerificationA6047
SHA-1A6047
SHA2-224A6047
SHA2-256A6047
SHA2-384A6047
SHA2-512A6047
SHA2-512/224A6047
SHA2-512/256A6047
SHA3-224A6047
SHA3-256A6047
SHA3-384A6047
SHA3-512A6047
SHAKE-128A6047
SHAKE-256A6047
TupleHash-128A6047
TupleHash-256A6047

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Non-Invasive SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for HID Global Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for HID Global Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

HID Global Corporation HID Global Cryptographic Module Software Version 4.0.0 Document Version 1.0 April 08, 2025 Prepared For: Prepared By: HID Global Corporation

611 Center Ridge Drive

Austin, TX 78753 USA https://www.hidglobal.com/ SafeLogic, Inc.

8300 Boone Blvd., Suite 500

Vienna, VA 22182 USA www.safelogic.com Document Version 1.0 ©HID Global Corporation

Page 2
Table of Contents
#SectionPage
1General Information5
1.1Overview5
1.2Security Levels6
2Cryptographic Module Specification7
2.1Description7
2.2Tested and Vendor Affirmed Module Version and Identification8
2.3Excluded Components14
2.4Modes of Operation14
2.5Algorithms14
2.6Algorithm Specific Information24
2.7RBG and Entropy27
2.8Key Generation28
2.9Key Establishment29
2.10Industry Protocols29
3Cryptographic Module Ports and Interfaces30
3.1Ports and Interfaces30
3.2Additional Information30
4Roles, Services, and Authentication31
4.1Authentication Methods31
4.2Roles31
4.3Approved Services32
4.4Non-Approved Services45
5Software/Firmware Security46
5.1Integrity Techniques46
5.2Initiate on Demand46
6Operational Environment47
6.1Configuration Settings and Restrictions47
7Physical Security48
8Non-Invasive Security49
9Sensitive Security Parameter Management50
9.1SSPs51
10Self-Tests62
10.1Pre-Operational Self-Tests62
10.2Conditional Self-Tests62
10.3Error States64
10.4Operator Initiation of Self-Tests64
11Life-Cycle Assurance65
11.1Installation, Initialization, and Startup Procedures65
11.2Basic Guidance65
11.3Use of the JVM with a Java SecurityManager65
11.4Design and Rules67
11.5Vulnerabilities68
12Mitigation of Other Attacks69
Appendix: References and Acronyms70
Page 3
11.2 11.3 11.4 11.5 Document Version 1.0 ©HID Global Corporation
Page 4
List of Tables
ItemPage
Table 1 - Security Levels6
Table 2 - Executable Code Sets8
Table 3 - Tested Operational Environments – Software/Firmware/Hybrid9
Table 4 - Vendor Affirmed Operational Environments – Software/Firmware/Hybrid10
Table 5 - Modes of Operation14
Table 6 - Approved Algorithms, CAVP Tested15
Table 7 - Vendor Affirmed Algorithms21
Table 8 - Non-Approved, Allowed Algorithms with No Security Claimed22
Table 9 - Non-Approved, Not Allowed Algorithms22
Table 10 - SP 800-38G Format-Preserving Encryption Constraints26
Table 11 – Non-Deterministic Random Number Generation Specification27
Table 12 – Ports and Interfaces30
Table 13 - Roles31
Table 14 – Approved Services32
Table 15 - Non-Approved Services45
Table 16 - Sensitive Security Parameters (SSPs) Key Table51
Table 17 – Conditional Algorithm Self-Tests62
Table 18 – Pairwise Consistency Tests63
Table 19 - Available Java Permissions for SecurityManager66
Table 20 - References70
Table 21 - Acronyms72
Figure 1 - Module Block Diagram8
Page 5
1 General Information
1.1 Overview

This document provides a non-proprietary FIPS 140-3 Security Policy for HID Global Cryptographic Module.

1.1.1 About FIPS 140

Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules, (FIPS 140-3) specifies the latest requirements for cryptographic modules utilized to protect sensitive but unclassified information. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) collaborate to run the Cryptographic Module Validation Program (CMVP), which assesses conformance to FIPS 140. NIST (through NVLAP) accredits independent testing labs to perform FIPS 140 testing. The CMVP reviews and validates modules tested against FIPS

140 criteria. Validated is the term given to a module that has successfully gone through this FIPS 140

validation process. Validated modules receive a validation certificate that is posted on the CMVP’s website. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program.

1.1.2 About this Document

This non-proprietary cryptographic module Security Policy for HID Global Cryptographic Module from HID Global Corporation (HID Global) provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-3. This document includes details on the module’s cryptographic capabilities, services, sensitive security parameters, and self-tests. This Security Policy also includes guidance on operating the module while maintaining compliance with FIPS 140-3. HID Global Cryptographic Module may also be referred to as “the module” in this document.

1.1.3 External Resources

The HID Global website (https://www.hidglobal.com/) contains information on HID Global services and products. The CMVP website maintains this FIPS 140 certificate for HID Global and the certificate includes HID Global contact information.

1.1.4 Notices

This document may be freely reproduced and distributed, but only in its entirety and without modification. Document Version 1.0 ©HID Global Corporation

Page 6
Security level
NameISO SectionLevel
Section 1 – General InformationSection 1 – General Information1
Section 2 – Cryptographic Module SpecificationSection 2 – Cryptographic Module Specification1
Section 3 – Cryptographic Module InterfacesSection 3 – Cryptographic Module Interfaces1
Section 4 – Roles, Services, and AuthenticationSection 4 – Roles, Services, and Authentication1
Section 5 – Software/Firmware SecuritySection 5 – Software/Firmware Security1
Section 6 – Operational EnvironmentSection 6 – Operational Environment1
Section 7 – Physical SecuritySection 7 – Physical SecurityN/A
Section 8 – Non-Invasive SecuritySection 8 – Non-Invasive SecurityN/A
Section 9 – Sensitive Security Parameter ManagementSection 9 – Sensitive Security Parameter Management1
Section 10 – Self-TestsSection 10 – Self-Tests1
Section 11 – Life-Cycle AssuranceSection 11 – Life-Cycle Assurance1
Section 12 – Mitigation of Other AttacksSection 12 – Mitigation of Other Attacks1
1.2 Security Levels

Table 1 lists the module’s level of validation for each area in FIPS 140-3. Table 1 - Security Levels N/A N/A Document Version 1.0 ©HID Global Corporation

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: HID Global Cryptographic Module is a cryptographic engine for mobile devices. The module delivers core cryptographic functions to some of HID Global’s mobile app solutions for multifactor authentication such as the HID Approve mobile app and HID Approve mobile SDK. HID Global Cryptographic Module is used by supported HID Global products, including HID Approve mobile app and SDK. The module delivers cryptographic services to host applications through a Java language Application Programming Interface (API). Module Type: Software Module Embodiment: Multi-Chip Stand Alone Cryptographic Boundary: The cryptographic boundary is the Java Archive (JAR) file, ccj-4.0.0.jar. The module is the only component within the cryptographic boundary and the only component that carries out cryptographic functions covered by FIPS 140-3. The module classes are executed on the Java Virtual Machine (JVM) using the classes of the Java Runtime Environment (JRE). The JVM is the interface to the computer’s Operating System (OS), which is the interface to the various physical components of the general purpose computer (GPC). As a software cryptographic module, the module operates within the Tested Operational Environment’s Physical Perimeter (TOEPP). The TOEPP physical perimeter is the physical perimeter of the GPC that the module operates on. The TOEPP includes the JVM/JRE, OS, and the GPC. The TOEPP includes the Operational Environment (OE) that the module operates in, the module itself, and all other applications that operate within the OE, including the host application for the module. The external entropy source used by the module is also within the TOEPP. The module’s block diagram is provided in Figure 1, which shows the cryptographic boundary and the logical relationship of the cryptographic module to the other software and hardware components of the TOEPP. The module’s logical interfaces are defined by its API. Document Version 1.0 ©HID Global Corporation

Page 8
Module configuration
NameFirmware VersionPackageIntegrity Test
NamesVersionNamesImplemented
ccj-4.0.0.jar4.0.0ccj-4.0.0.jarHMAC-SHA-256

Figure 1 - Module Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9
Module configuration
NameOperating SystemHardware Platform
Environment v17 onEnvironment v17 onPowerEdge
VMware Photon OS 5.0VMware Photon OS 5.0R830

Confirming the Module Checksum, Functionality, and Versioning The module checksum, functionality, and versioning can be confirmed by executing the command: java -cp ccj-4.0.0.jar com.safelogic.cryptocomply.util.DumpInfo which should display: Version Info: CryptoComply® for Java version v4.0.0 FIPS Ready Status: READY Module SHA-256 HMAC: c5f6e9c3593f67ea87f08b91590c7531c53ac2540685b921807c9e82581911ee This display indicates that the JAR represents the software release ccj-4.0.0, that it has successfully passed all its startup tests, and that the software release is confirmed to have the HMAC listed above. Tested Operational Environments - Software, Firmware, Hybrid: The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The cryptographic module was tested on the following operational environments on the GPC platforms detailed in Table 3. Table 3 - Tested Operational Environments

Page 10
Module configuration
NameOperating SystemHardware Platform#Operating System
1.Java SE Runtime Environment v8 (1.8) with HP-UXGeneric Hardware1.1.Java SE Runtime Environment v8 (1.8) with HP-UX
2.Java SE Runtime Environment v11 (1.11) with HP-UX2.Generic Hardware Platform
3.Java SE Runtime Environment v17 (1.17) with HP-UXGeneric Hardware3.
4.Java SE Runtime Environment v21 (21) with HP-UX4.Generic Hardware Platform
5.Java SE Runtime Environment v8 (1.8) with Linux CentOSGeneric Hardware5.
6.Java SE Runtime Environment v11 (1.11) with Linux CentOS6.Generic Hardware Platform
7.Java SE Runtime Environment v17 (1.17) with Linux CentOSGeneric Hardware7.
8.Java SE Runtime Environment v21 (21) with Linux CentOS8.Generic Hardware Platform
9.Generic Hardware9.Java SE Runtime Environment v8 (1.8) with Red Hat Enterprise
LinuxPlatformLinux
10.Java SE Runtime Environment v11 (1.11) with Red Hat Enterprise Linux10.Generic Hardware Platform
11.Generic Hardware11.Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise
LinuxPlatformLinux
12.Java SE Runtime Environment v21 (21) with Red Hat Enterprise Linux12.Generic Hardware Platform
13.Java SE Runtime Environment v8 (1.8) with Linux DebianGeneric Hardware13.
14.Java SE Runtime Environment v11 (1.11) with Linux Debian14.Generic Hardware Platform
15.Java SE Runtime Environment v17 (1.17) with Linux DebianGeneric Hardware15.
16.Java SE Runtime Environment v21 (21) with Linux Debian16.Generic Hardware Platform
17.Java SE Runtime Environment v8 (1.8) with Linux FedoraGeneric Hardware17.
18.Java SE Runtime Environment v11 (1.11) with Linux Fedora18.Generic Hardware Platform
19.Java SE Runtime Environment v17 (1.17) with Linux FedoraGeneric Hardware19.
20.Java SE Runtime Environment v21 (21) with Linux Fedora20.Generic Hardware Platform
21.Java SE Runtime Environment v8 (1.8) with Linux Oracle RHCGeneric Hardware21.
22.Java SE Runtime Environment v11 (1.11) with Linux Oracle RHC22.Generic Hardware Platform
23.Java SE Runtime Environment v17 (1.17) with Linux Oracle RHCGeneric Hardware23.
24.Java SE Runtime Environment v21 (21) with Linux Oracle RHC24.Generic Hardware Platform
25.Java SE Runtime Environment v8 (1.8) with Linux Oracle UEKGeneric Hardware25.
26.Java SE Runtime Environment v11 (1.11) with Linux Oracle UEK26.Generic Hardware Platform
27.Java SE Runtime Environment v17 (1.17) with Linux Oracle UEKGeneric Hardware27.
28.Java SE Runtime Environment v21 (21) with Linux Oracle UEK28.Generic Hardware Platform
29.Java SE Runtime Environment v17 (1.8) with Linux PhotonGeneric Hardware29.
30.Java SE Runtime Environment v11 (1.11) with Linux Photon30.Generic Hardware Platform
31.Java SE Runtime Environment v17 (1.17) with Linux PhotonGeneric Hardware31.
32.Java SE Runtime Environment v21 (21) with Linux Photon32.Generic Hardware Platform
33.Java SE Runtime Environment v8 (1.8) with Linux SUSEGeneric Hardware33.
34.Java SE Runtime Environment v11 (1.11) with Linux SUSE34.Generic Hardware Platform
35.Java SE Runtime Environment v17 (1.17) with Linux SUSEGeneric Hardware35.
36.Java SE Runtime Environment v21 (21) with Linux SUSE36.Generic Hardware Platform
37.Java SE Runtime Environment v8 (1.8) with Linux UbuntuGeneric Hardware37.
38.Java SE Runtime Environment v11 (1.11) with Linux Ubuntu38.Generic Hardware Platform
39.Java SE Runtime Environment v17 (1.17) with Linux UbuntuGeneric Hardware39.
40.Java SE Runtime Environment v21 (21) with Linux Ubuntu40.Generic Hardware Platform
41.Java SE Runtime Environment v8 (1.8) with Mac OS XGeneric Hardware41.41.Java SE Runtime Environment v8 (1.8) with Mac OS X
42.Java SE Runtime Environment v11 (1.11) with Mac OS X42.Generic Hardware Platform
43.Java SE Runtime Environment v8 (1.8) with Microsoft WindowsGeneric Hardware43.
44.Java SE Runtime Environment v11 (1.11) with Microsoft Windows44.Generic Hardware Platform
45.Java SE Runtime Environment v17 (1.17) with Microsoft WindowsGeneric Hardware45.
46.Java SE Runtime Environment v21 (21) with Microsoft Windows46.Generic Hardware Platform
47.Generic Hardware47.Java SE Runtime Environment v8 (1.8) with Microsoft Windows
ServerPlatformServer
48.Java SE Runtime Environment v11 (1.11) with Microsoft Windows Server48.Generic Hardware Platform
49.Generic Hardware49.Java SE Runtime Environment v17 (1.17) with Microsoft Windows
ServerPlatformServer
50.Java SE Runtime Environment v21 (21) with Microsoft Windows Server50.Generic Hardware Platform
51.Java SE Runtime Environment v8 (1.8) with Microsoft Windows XPGeneric Hardware51.
52.Java SE Runtime Environment v11 (1.11) with Microsoft Windows XP52.Generic Hardware Platform
53.Generic Hardware53.Java SE Runtime Environment v17 (1.17) with Microsoft Windows
XPPlatformXP
54.Java SE Runtime Environment v21 (21) with Microsoft Windows XP54.Generic Hardware Platform
55.Java SE Runtime Environment v8 (1.8) with SolarisGeneric Hardware55.
56.Java SE Runtime Environment v11 (1.11) with Solaris56.Generic Hardware Platform
57.Java SE Runtime Environment v17 (1.17) with SolarisGeneric Hardware57.
58.Java SE Runtime Environment v21 (21) with Solaris58.Generic Hardware Platform
59.Java SE Runtime Environment v8 (1.8) with AIXGeneric Hardware59.
60.Java SE Runtime Environment v11 (1.11) with AIX60.Generic Hardware Platform
61.Java SE Runtime Environment v17 (1.17) with AIXGeneric Hardware61.
62.Java SE Runtime Environment v21 (21) with AIX62.Generic Hardware Platform
63.Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise LinuxGeneric Hardware63.63.Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise
LinuxPlatform with IntelLinux
64.Java SE Runtime Environment v21 (21) with Red Hat Enterprise Linux64.Generic Hardware Platform with Intel Cascade Lakes
65.Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise LinuxGeneric Hardware65.
66.Java SE Runtime Environment v21 (21) with Red Hat Enterprise Linux66.Generic Hardware Platform with Intel Sapphire Rapids
67.Java SE Runtime Environment v17 (1.17) with UbuntuGeneric Hardware67.
68.Java SE Runtime Environment v21 (21) with Ubuntu68.Generic Hardware Platform with Intel Cascade Lakes
69.Java SE Runtime Environment v17 (1.17) with UbuntuGeneric Hardware69.
70.Java SE Runtime Environment v21 (21) with Ubuntu70.Generic Hardware Platform with Intel Sapphire Rapids
71.Java SE Runtime Environment v17 (1.17) with ClevOSGeneric Hardware71.
72.Java SE Runtime Environment v21 (21) with ClevOS72.Generic Hardware Platform with Intel Cascade Lakes
73.Java SE Runtime Environment v17 (1.17) with ClevOSGeneric Hardware73.
74.Java SE Runtime Environment v21 (21) with ClevOS74.Generic Hardware Platform with Intel Sapphire Rapids
75.Java SE Runtime Environment v17 (1.17) with ClevOSGeneric Hardware75.
76.Java SE Runtime Environment v21 (21) with ClevOS76.Generic Hardware Platform with Intel Haswell
77.Java SE Runtime Environment v17 (1.17) with ClevOSGeneric Hardware77.
78.Java SE Runtime Environment v21 (21) with ClevOS78.Generic Hardware Platform with Intel Broadwell
Page 11

# Document Version 1.0 ©HID Global Corporation

Page 12

# Document Version 1.0 ©HID Global Corporation

Page 13

# Document Version 1.0 ©HID Global Corporation

Page 14
Service
NameDescriptionIndicatorType
Non- approved modePermits operations that are not approvedCryptoServicesRegistrar.IsInApprovedOnlyMode() can be called to determine the mode of operation. This method will return false for non- approved mode.Non- Approved
2.3 Excluded Components

Not applicable. Modes List and Description: Table 5 - Modes of Operation Nonapproved NonApproved Mode Change Instructions and Status: In default operation the module will start with all algorithms and services enabled. If the module detects that the system property com.safelogic.cryptocomply.fips.approved_only is set to true the module will start in approved mode and non-approved mode functionality will not be available. The module optionally uses the Java SecurityManager. If the underlying JVM is running with a Java SecurityManager installed the module starts in approved mode by default with secret and private key export disabled. When the module is not used within the context of the Java SecurityManager, it will start by default in the non-approved mode. Refer to Security Policy Section 11.3 for additional information about the Java SecurityManager. Refer to Security Policy Section 11.4.1 for additional information on the module’s mode of operation rules.

2.5 Algorithms

The module implements the algorithms specified in the tables below. The module supports both an Approved mode and a Non-approved mode of operation. Please see Security Policy Section 2.4 for additional details on the modes of operation and the configuration of the Approved mode of operation. Please see Security Policy Section 11.1 for Initialization steps. Document Version 1.0 ©HID Global Corporation

Page 15
Approved algorithm
NameCAVP CertPropertiesUse FunctionReference
AESA6047Modes: CBC, CFB8, CFB128, CTR, ECB, FF1, OFB Key sizes: 128, 192, 256 bitsEncryption, DecryptionAESA6047AES [FIPS 197,
AES CBC Ciphertext Stealing (CS)Modes: CBC-CS1, CBC-CS2, CBC-CS3 Key sizes: 128, 192, 256 bitsEncryption, Decryption[Addendum to SP 800-38A, Oct 2010]AES CBC Ciphertext Stealing (CS)A6047
AES CCMKey sizes: 128, 192, 256 bits[SP 800-38C]AES CCMA6047Generation,
AES CMACKey sizes: 128, 192, 256 bitsGeneration, Authentication[SP 800-38B]AES CMACA6047
AES GCM/GMAC1Key sizes: 128, 192, 256 bits[SP 800-38D]AES GCM/GMAC1A6047Generation,
AES KW, KWP (KTS: Key Wrapping Using AES2)Modes: AES KW, KWP Key sizes: 128, 192, 256 bits (key establishment methodology providing 128, 192 or 256 bits of encryption strength)Key Wrapping[SP 800-38F]AES KW, KWP (KTS: Key Wrapping Using AES2)A6047
DRBG, CounterAES 128, AES 192, AES 256[SP 800-90Ar1]A6047Random Bit
DRBGGeneration
DRBG, Hash DRBGSHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA2-512, SHA-512/224, SHA2-512/256Random Bit Generation[SP 800-90Ar1]DRBG, Hash DRBGA6047
DRBG, HMAC DRBGRandom Bit Generation[SP 800-90Ar1]DRBG, HMAC DRBGA6047SHA sizes: SHA-1, SHA-224,
2.5.1 Approved Algorithms

The module implements the following approved algorithms that have been tested by the Cryptographic Algorithm Validation Program (CAVP). There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. Table 6 - Approved Algorithms, CAVP Tested GCM encryption with an internally generated IV, see Security Policy Section 2.6.1 concerning external IVs. IV generation is compliant with IG C.H. Keys are not established directly into the module using key agreement or key transport algorithms. Document Version 1.0 ©HID Global Corporation

Page 16
Approved algorithm
NamePropertiesUse FunctionReference
DSA3Key sizes: 10244, 2048, 3072 bitsKey Pair Generation, PQG Generation, PQG Verification, Signature Generation, Signature Verification[FIPS 186-4]DSA3A6047
ECDSACurves/Key sizes: P-224, P-256, P-384, P-521, K-233, K-283, K- 409, K-571, B-233, B-283, B- 409, B-571[FIPS 186-5]ECDSAA6047Key
ECDSACurves/Key sizes: P-192, K-163, B-1635Key Verification, Signature Verification[FIPS 186-4]ECDSAA6047
HMACGeneration, Authentication[FIPS 198-1]HMACA6047SHA sizes: SHA-1, SHA-224,

DSA signature generation with SHA-1 is only for use with protocols. Key size only used for Signature Verification Legacy testing for signatures not specified under FIPS 186-5. Document Version 1.0 ©HID Global Corporation

Page 17
Approved algorithm
NamePropertiesUse FunctionReferenceAlgorithm Properties
KAS-ECC6Key Agreement[SP 800-56Ar3]KAS-ECC6A6047Domain Parameter Generation Methods/Schemes: P-224, P-256, P-384, P-521, K- 233, K-283, K-409, K-571, B- 233, B-283, B-409, B-571 ephemeralUnified, fullMqv, fullUnified, onePassDh, onePassMqv, onePassUnified, staticUnified Curves specified above providing between 112 and 256 bits of encryption strength
KAS-FFC6Domain Parameter GenerationKey Agreement[SP 800-56Ar3]KAS-FFC6A6047
KAS-IFCKey Agreement[SP 800-56Br2, Section 7.2.1]KAS-IFCA6047RSASVE with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength
KDA, HKDFPRFs: HMAC-SHA-1, HMACKey Derivation[SP 800-56Cr2]KDA, HKDFA6047

Keys are not established directly into the module using key agreement or key transport algorithms. Document Version 1.0 ©HID Global Corporation

Page 18
Approved algorithm
NameCAVP CertPropertiesUse FunctionReferenceAlgorithm Properties
KDA, One StepKey Derivation[SP 800-56Cr2]KDA, One StepA6047PRFs: SHA-1, SHA-224, SHA- 256, SHA-384, SHA-512, SHA- 512/224, SHA-512/256, SHA3- 224, SHA3-256, SHA3-384, SHA3-512, HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA- 256, HMAC-SHA-384, HMAC- SHA-512, HMAC-SHA-512/224, HMAC-SHA-512/256, HMAC- SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3- 512, KMAC-128, KMAC-256
KDA, Two StepPRFs: HMAC-SHA-1, HMAC-Key Derivation[SP 800-56Cr2]KDA, Two StepA6047
KDF, using Pseudorandom Functions7Key Derivation[SP 800-108]KDF, using Pseudorandom Functions7A6047Modes: Counter Mode, Feedback Mode, Double- Pipeline Iteration Mode Types: CMAC-based KBKDF with AES (128, 192, 256) HMAC-based KBKDF with SHA- 1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512
KDF, Existing Application- Specific8ANSI X9.63 KDF[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047Key Derivation
KDF, Existing Application- Specific8Key Derivation[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047IKEv2 KDF SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
KDF, ExistingCVL[SP 800-135r1]CVL A6047SNMP KDF Password Length: 64, 8192Key Derivation
Application-A6047
KDF, Existing Application- Specific8[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047SRTP KDF AES: 128, 192, 256Key Derivation
KDF, Existing Application- Specific8SSH KDF[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047Key Derivation
KDF, Existing Application- Specific8[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047TLS v1.0/1.1 KDF SHA sizes: SHA2-256, SHA2- 384, SHA2-512Key Derivation
KDF, Existing Application- Specific8TLS 1.2 KDF[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047Key Derivation
KTS-IFC[SP 800-56Br2, Section 7.2.2]KTS-IFCA6047RSA-OAEP with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength Key Generation Method: rsakpg2-crtKey Transport
PBKDF, Password- basedOptions: PBKDF with Option 1a[SP 800-132]PBKDF, Password- basedA6047Key Derivation
RSA[FIPS 186-5, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]RSAA6047Key sizes: 2048, 3072, 4096Key Pair Generation
RSA[FIPS 186-5,RSAA6047Key sizes: 2048, 3072, 4096Signature Generation
RSA[FIPS 186-4, ANSI X9.31- 1998]RSAA6047Key sizes: 2048, 3072, 4096Signature Generation
RSAA6047Signature Verification[FIPS 186-5,RSAA6047Key sizes: 2048, 3072, 4096
RSA[FIPS 186-4, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]Signature VerificationRSAA6047Key sizes: 1024, 2048, 3072, 40969
RSASignature Verification[FIPS 186-2,RSAA6047Key sizes: 1024, 1536, 2048, 3072, 4096
RSA Decryption Primitive[SP 800-56Br2]Component TestRSA Decryption PrimitiveCVL A6047Key size: 2048
RSA Signature Primitive[FIPS 186-4]RSA Signature PrimitiveCVL A6047Key size: 2048Component
Safe Primes[SP 800-56Ar3]Key Generation, Key VerificationSafe PrimesA6047Parameter sets: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP-3072, MODP- 4096, MODP-6144, MODP- 8192
SHA-3, SHAKE[FIPS 202]SHA-3, SHAKEA6047SHA3-224, SHA3-256, SHA3- 384, SHA3-512, SHAKE128, SHAKE256Digital

ApplicationSpecific8 ApplicationSpecific8 Note: CAVP testing is not provided for use of the PRFs SHA-512/224 and SHA-512/256. These must not be used in approved mode. Document Version 1.0 ©HID Global Corporation

Page 19

ApplicationSpecific8 ApplicationSpecific8 ApplicationSpecific8 ApplicationSpecific8 ApplicationSpecific8 PBKDF, Passwordbased No parts of the protocols (TLS, SNMPv3, SSHv2, X9.63, IKEv2, SRTP), other than the approved cryptographic algorithms and the KDFs, have been reviewed or tested by the CAVP and CMVP Document Version 1.0 ©HID Global Corporation

Page 20

Legacy testing for signatures not specified under FIPS 186-5 (all moduli for ANSI X9.31, and testing with 1024 or Document Version 1.0 ©HID Global Corporation

Page 21
Approved algorithm
NamePropertiesUse FunctionReferenceUse/FunctionImplementation
SHA-3 Derived FunctionsTypes: cSHAKE-128, cSHAKE- 256, KMAC-128, KMAC-256, ParallelHash-128, ParallelHash- 256, TupleHash-128, TupleHash-256[SP 800-185]SHA-3 Derived FunctionsA6047Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications
SHSSHA sizes: SHA-1, SHA-224,Digital[FIPS 180-4]SHSA6047
SHA-256, SHA-384, SHA-512,SHA-256, SHA-384, SHA-512,Signature
CKGUsed for the[SP 800-133r2]CKGUsed for the generation of symmetric keys and asymmetric seedsOther Cryptographic key generation
symmetric keys andsymmetric keys andCKG using output from DRBG,
asymmetric seedsasymmetric seedsVendor Affirmed per IG D.H.
Approved algorithm
NamePropertiesUse FunctionReferenceUse/FunctionImplementation
SHA-3 Derived FunctionsTypes: cSHAKE-128, cSHAKE- 256, KMAC-128, KMAC-256, ParallelHash-128, ParallelHash- 256, TupleHash-128, TupleHash-256[SP 800-185]SHA-3 Derived FunctionsA6047Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications
SHSSHA sizes: SHA-1, SHA-224,Digital[FIPS 180-4]SHSA6047
SHA-256, SHA-384, SHA-512,SHA-256, SHA-384, SHA-512,Signature
CKGUsed for the[SP 800-133r2]CKGUsed for the generation of symmetric keys and asymmetric seedsOther Cryptographic key generation
symmetric keys andsymmetric keys andCKG using output from DRBG,
asymmetric seedsasymmetric seedsVendor Affirmed per IG D.H.

Table 7 - Vendor Affirmed Algorithms

Page 22
Approved algorithm
NameUse FunctionUse/FunctionAlgorithm
MD5 within TLSAllowed per IG 2.4.A, no security claimedMD5 used within a TLS handshake
AES (non-compliant10)Non-approved modes for AESAES (non-compliant10)
ARC4 (RC4)ARC4/RC4 stream cipher
BlowfishBlowfish block cipherBlowfish
CamelliaCamellia block cipher
CAST5CAST5 block cipherCAST5
ChaCha20ChaCha20 stream cipher
ChaCha20-Poly1305AEAD ChaCha20 using Poly1305 as the MACChaCha20-Poly1305
DESDES block cipher
Diffie-Hellman KAS (non-compliant11)non-compliant key agreement methodsDiffie-Hellman KAS (non-compliant11)
DSA (non-compliant12)non-FIPS digest signatures using DSA
DSTU4145DSTU4145 EC algorithmDSTU4145
ECDSA (non-compliant13)non-FIPS digest signatures using ECDSA
EdDSAEd25519 and Ed448 signature algorithmsEdDSA
ElGamalElGamal key transport algorithm
FF3-1Format Preserving Encryption – AES FF3-1FF3-1
GOST28147GOST-28147 block cipher
GOST3410-1994GOST-3410-1994 algorithmGOST3410-1994
GOST3410-2001GOST-3410-2001 EC algorithm
GOST3410-2012GOST-3410-2012 EC algorithmGOST3410-2012
GOST3411GOST-3411-1994 message digest
GOST3411-2012-256GOST-3411-2012 256-bit message digestGOST3411-2012-256
GOST3411-2012-512GOST-3411-2012 512-bit message digest
HMAC-GOST3411GOST-3411 HMACHMAC-GOST3411
HMAC-MD5MD5 HMAC
HMAC-RIPEMD128RIPEMD128 HMACHMAC-RIPEMD128
HMAC-RIPEMD160RIPEMD160 HMAC
HMAC-RIPEMD256RIPEMD256HMACHMAC-RIPEMD256
HMAC-RIPEMD320RIPEMD320 HMAC
HMAC-TIGERTIGER HMAC
HMAC-WHIRLPOOLWHIRLPOOL HMAC
HSSHSS signature scheme (RFC 8708)HSS
IDEAIDEA block cipher
KAS14 using SHA-512/224 or SHA-512/256Key Agreement using SHA-512/224 and SHA-KAS14 using SHA-512/224 or SHA-512/256
(non-compliant)512/256 based KDFs(non-compliant)
KBKDF using SHA-512/224 or SHA-512/256 (non-compliant)KBKDF2 using the PRFs SHA-512/224 and SHA- 512/256
LMSLMS signature scheme (RFC 8708)LMS
MD5MD5 message digest
OpenSSL PBKDF (non-compliant)OpenSSL PBE key derivation schemeOpenSSL PBKDF (non-compliant)
PKCS#12 PBKDF (non-compliant)PKCS#12 PBE key derivation scheme
PKCS#5 Scheme 1 PBKDF (non-compliant)PKCS#5 PBE key derivation schemePKCS#5 Scheme 1 PBKDF (non-compliant)
Poly1305Poly1305 message MAC
PRNG X9.31X9.31 PRNGPRNG X9.31
RC2RC2 block cipher
RIPEMD128RIPEMD128 message digestRIPEMD128
RIPEMD160RIPEMD160 message digest
RIPEMD256RIPEMD256 message digestRIPEMD256
RIPEMD320RIPEMD320 message digest
RSA (non-compliant15)Non-compliant RSA signature schemesRSA (non-compliant15)
RSA KTS (non-compliant16)Non-compliant RSA key transport schemes
SCrypt (non-compliant)SCrypt using non-compliant PBKDF2SCrypt (non-compliant)
SEEDSEED block cipher
SerpentSerpent block cipherSerpent
SipHashSipHash MAC
SHACAL-2SHACAL2 block cipherSHACAL-2
TIGERTIGER message digest
Triple-DESTriple-DES cipherTriple-DES
TwofishTwofish block cipher
WHIRLPOOLWHIRLPOOL message digest
XDHX25519 and X448 key agreement algorithms

Not applicable. These algorithms are Allowed in Approved mode. Table 9 - Non-Approved, Not Allowed Algorithms Support for additional modes of operation. Support for additional key sizes and the establishment of keys of less than 112 bits of security strength. Deterministic signature calculation, support for additional digests, and key sizes. Deterministic signature calculation, support for additional digests, and key sizes. Document Version 1.0 ©HID Global Corporation

Page 23

Keys are not directly established into the module using key agreement or transport techniques. Document Version 1.0 ©HID Global Corporation

Page 24
2.6 Algorithm Specific Information
2.6.1 Enforcement and Guidance for GCM IVs (IG C.H conformance)

IVs for GCM can be generated randomly, or via a FipsNonceGenerator. IV generation is compliant with IG C.H. Where an IV is not generated within the module the module supports the importing of GCM IVs. In approved mode, importing a GCM IV for encryption that originates from outside the module is nonconformant. In approved mode, when a GCM IV is generated randomly, the module enforces the use of an approved DRBG in line with Section 8.2.2 of SP 800-38D. Support for additional digests and signature formats, PKCS#1 1.5 key wrapping, support for additional key sizes. Support for additional key sizes and the establishment of keys of less than 112 bits of security strength. Document Version 1.0 ©HID Global Corporation

Page 25

In approved mode, when a GCM IV is generated using the FipsNonceGenerator, a counter is used as the basis for the nonce and the IV is generated in accordance with TLS protocol. Rollover of the counter in the FipsNonceGenerator will result in an IllegalStateException indicating the FipsNonceGenerator is exhausted and (as per IG C.H) where used for TLS 1.2, rollover will terminate any TLS session in process using the current key and the exception can only be recovered from by using a new handshake and creating a new FipsNonceGenerator. A service indicator for IV usage is provided in the module through Java logging. Setting the logging level to Level.FINE for the named logger com.safelogic.cryptocomply.jcajce.provider.BaseCipher will produce a log message when an IV which may have been produced outside the module and/or not from a compliant source is detected. The log message will be of the standard form including the detail: FINE: Passed in GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Setting the logging level to Level.FINER will produce an additional log message for any GCM IV which is used if the previous Level.FINE message is not activated. Log messages in this case will show the detail as: FINER: GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Per IG C.H, this Security Policy also states that in the event module power is lost and restored the consuming application must ensure that any of its AES GCM keys used for encryption or decryption are re-distributed. The AES GCM mode falls under:

2.6.2 Enforcement and Guidance for Use of the Approved PBKDF (IG D.N conformance)

The PBKDF aligns with Option 1a in Section 5.4 of SP 800-132. In line with the requirements for SP 800-132, keys generated using the approved PBKDF must only be used for storage applications. Any other use of the approved PBKDF is non-conformant. In approved mode the module enforces that any password used must encode to at least 14 bytes (112 bits) and that the salt is at least 16 bytes (128 bits) long. The iteration count associated with the PBKDF should be as large as practical. Document Version 1.0 ©HID Global Corporation

Page 26
FF1FF3-1
radixin range of 2 … 216in range of 2 … 216
radixminlen≥ 1,000,000≥ 1,000,000

As the module is a general purpose software module, it is not possible to anticipate all the levels of use for the PBKDF, however a user of the module should also note that a password should at least contain enough entropy to be unguessable and also contain enough entropy to reflect the security strength required for the key being generated. In the event a password encoding is simply based on ASCII, a 14byte password is unlikely to contain sufficient entropy for most purposes. The standard set of printable characters only allows for as much as 6 bits of entropy per byte. For a 14-byte password, this yields a key that has been generated using 14 * 6 bits of entropy, giving only 84 bits of security, which is well below what is required for a key with the same level of hardness as a 112-bit one. Users are referred to Appendix A (Security Considerations) of SP 800-132 for further information on password, salt, and iteration count selection. The iteration count value is provided by the user and should be appropriate to the way the algorithm is being used. (The memory hard augmentation of PBKDF provided by SCRYPT uses an iteration count of 1). For straight PBKDF with no memory hard support, the iteration count provided by the user should be at point of maximum cost bearable by the user carrying out the key derivation in the normal course of usage. To ensure sufficient whitening of the password in both cases, the module enforces a salt size of

128 bits in approved mode.

For users interested in introducing memory hardness as a layer on top of the PBKDF the SCrypt augmentation to PBDKF based on HMAC-SHA-256 (as described in RFC 7914) is also available in nonapproved mode.

2.6.3 Rules for Setting the N and the S String in cSHAKE

To customize the output of the cSHAKE function, the cSHAKE algorithm permits the operator to input strings for the Function-Name input (N) and the Customization String (S). The Function-Name input (N) is reserved for values specified by NIST and should only be set to the appropriate NIST specified value. Any other use of N is non-conformant. The Customization String (S) is available to allow users to customize the cSHAKE function as they wish. The length of S is limited to the available size of a byte array in the JVM running the module.

2.6.4 Guidance for the Use of Format-Preserving Encryption

The module supports both FF1 and, in non-approved mode, FF3-1 format preserving encryption. Both are modes of AES. Table 10 shows the parameter constraints applicable to the module's implementation, as required by IG C.J. Table 10 - SP 800-38G Format-Preserving Encryption Constraints Document Version 1.0 ©HID Global Corporation

Page 27
FF1FF3-1
minlen≥ 2 octets2 octets
maxlen< 232 octets2 * floor(log (296)) octets radix
maxTlen≥ 0 octets8 octets (fixed)
Entropy SourcesMinimumDetails
number of bits
of entropy
Passive Entropy128128As per FIPS 140-3 IG 9.3.A Section 2b, a minimum of 16 bytes (128
bits) is required from the source configured for seed generation for
the JVM. The entropy reader will block until the seed generator has
provided the minimum number of bytes.

An attempt to use the FF1 or FF3-1 without meeting the radixminlen constraint or by exceeding maxlen will result in an IllegalArgumentException. Note: only FF1 should be used in approved mode.

2.6.5 TLS 1.2 KDF (IG D.Q Conformance)

As indicated under CAVP certificate A6047, the module supports TLS 1.2 KDF per RFC 5246, i.e. without using the extended master secret.

2.6.6 Truncated HMACs

Approved HMAC algorithms can produce truncated versions of the specified HMAC. The right-most bits are truncated as per the NIST SP 800-107r1 (see also IG C.L and IG C.D).

2.7 RBG and Entropy

The module does not include an entropy source. The module's use of an external Random Number Generator (RNG) is determined by the settings described in the subsections below. Table 11

2.7.1 Use of External RNG

The module makes use of the JVM's configured SecureRandom entropy source to provide entropy when required. The module will request entropy as appropriate to the security strength and seeding configuration for the DRBG that is using it and for the default DRBG will request a minimum of 256 bits of entropy. In approved mode the minimum amount of entropy that can be requested by a DRBG is 112 bits. The module will wait until the SecureRandom.generateSeed() returns the requested amount of entropy, blocking if necessary. Document Version 1.0 ©HID Global Corporation

Page 28

The JVM’s entropy source can be configured through setting the security property securerandom.strongAlgorithms in the JVM's java.security file.

2.7.2 Guidance for the Use of DRBGs and Configuring the JVM's Entropy Source

A user can instantiate the default Approved DRBG for the module explicitly by using SecureRandom.getInstance("DEFAULT", "CCJ"), or by using a CryptoComplyFipsProvider object instead of the provider name as appropriate. This will seed the Approved DRBG from the live entropy source of the JVM with a number of bits of entropy appropriate to the security level of the default Approved DRBG configured for the module. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggested C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2) by default. These values can also be configured using the security property com.safelogic.cryptocomply.entropy.factors. This property takes a comma separated list of C values: one for 4.4.1, one for 4.4.2, and a value of H. For the default, the property would be set as: com.safelogic.cryptocomply.entropy.factors: 4, 13, 8.0 in the java.security property file. An additional option is available using the Approved Hash DRBG and the process outlined in SP 800-90A, Section 8.6.5. This can be turned on by following the instructions in Section 2.3 of the User Guide. The two DRBGs are instantiated in a chain as a "Source DRBG" to seed the "Target DRBG" in accordance with Section 7 of Draft NIST SP 800-90C, where the Target DRBG is the default Approved DRBG used by the module. The initial seed and the subsequent reseeds for the DRBG chain come from the live entropy source configured for the JVM. The DRBG chain will reseed automatically by pausing for 20 requests (which will usually equate to 5120 bytes). An entropy gathering thread reseeds the DRBG chain when it has gathered sufficient entropy (currently 256 bits) from the live entropy source. Once reseeded, the request counter is reset and the reseed process begins again. The “Source DRBG” in the chain is internal to the module and inaccessible to the user to ensure it is only used for generating seeds for the default Approved DRBG of the module. The user shall ensure that the entropy source is configured per Section 2.7.1 of this Security Policy and will block, or fail, if it is unable to provide the amount of entropy requested.

2.8 Key Generation

The module performs Cryptographic Key Generation in conformance to FIPS 140-3 IG D.H. The CKG for symmetric keys and seeds used for generating asymmetric keys is performed as per Section 4 of the SP 800-133r2 (using the output of a random bit generator) and is compliant with FIPS 186-5 and SP 800Document Version 1.0 ©HID Global Corporation

Page 29

90Ar1 for DRBG. The seed used in asymmetric key generation is the direct output of SP 800-90Ar1 DRBG. Refer to Section 9.1 of the Security Policy for SSP generation details.

2.9 Key Establishment

The module does not perform automatic SSP establishment, it only provides the components to the calling application, which can be used in SSP establishment.

2.10 Industry Protocols

The module implements KDFs from SP 800-135r1 (Recommendation for Existing Application-Specific Key Derivation Functions). These KDFs have been validated by the CAVP and received CVL certificates (A6047). No parts of these protocols, other than the CAVP tested components, have been reviewed or tested by the CAVP and CMVP. Document Version 1.0 ©HID Global Corporation

Page 30
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData OutputAPI output parameters and return values – plaintext and/or ciphertext data.
N/AN/AControl InputAPI method calls – method calls or input parameters that
N/AN/AControl OutputN/A, not implemented
N/AN/AStatus OutputAPI output parameters and return/error codes that provide
N/AN/APowerN/A for software modules
3 Cryptographic Module Ports and Interfaces
3.1 Ports and Interfaces

As a software cryptographic module, the module supports logical interfaces only and not physical ports. All access to the module is through the module’s API. The API provides and defines the module’s logical interfaces. is also not applicable. The mapping of the FIPS 140-3 logical interfaces to the module is described in Table 12. Table 12

3.2 Additional Information

All interfaces are logically separated by the module’s API. When the module performs self-tests, is in an error state, is generating keys, or performing zeroization, the module prevents all output on the logical data output interface as only the thread performing the operation has access to the data. The module is single-threaded, and in an error state, the module does not return any output data, only an error value. Document Version 1.0 ©HID Global Corporation

Page 31
Sensitive security parameter
NameTypeStrengthOperator TypeAuthentication Type
CORoleN/ACORoleCOCON/A – Authentication notN/A
UserUserRoleUserN/AN/A – Authentication not required for Level 1
4 Roles, Services, and Authentication
4.1 Authentication Methods

Not applicable. The module does not support authentication.

4.2 Roles

The module supports two distinct operator roles, which are the User and Cryptographic Officer (CO). The cryptographic module implicitly maps the two roles to the services. An operator is considered the owner of the thread that instantiates the module and, therefore, only one concurrent operator is allowed. The module does not support a maintenance role and/or bypass capability. Table 13 lists all operator roles supported by the module. Table 13 - Roles Document Version 1.0 ©HID Global Corporation N/A N/A

Page 32
Service
NameDescriptionRolesCsps AccessedAccessIndicatorInputOutputApproved
InitializeThe JRE will call the static constructor for self-tests on module initializationCO / UserN/AN/AFlagN/AException in case of failureN/AN/A
4.3 Approved Services

Table 14 lists the module services and corresponding details. The modes of SSP access shown in the table are defined as:

Page 33
Service
NameDescriptionRolesCsps AccessedAccessIndicatorInputOutput
Show StatusA user can call FipsStatus.IsReady() at any time to determine if the module is ready. CryptoServicesRegistrar.IsI nApprovedOnlyMode() can be called to determine the approved mode of operationCO / UserN/AN/AFlagN/ABooleanN/A
Info ServiceCO / UserN/AN/AFlagN/AModule name and version, checksum, and statusN/AA user can call
Zeroize / Power-offThe module uses the JVM garbage collector on thread terminationCO / UserAll SSPsZFlagN/AShutdown indicationN/A

Indicator Document Version 1.0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Z ©HID Global Corporation

Page 34
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Data EncryptionUsed to encrypt dataCO / UserAES Encryption KeyAES CBC, AESEFlagKey, PlaintextCiphertext
Data DecryptionUsed to decrypt dataCO / UserAES Decryption KeyEFlagKey, CiphertextPlaintextAES CBC, AES CFB8, AES CFB128, AES CTR, AES ECB, AES FF1, AES OFB, AES CBC-CS1, AES CBC-CS2, AES CBC-CS3, AES CCM, AES GCM
MAC CalculationCO / UserEFlagKey, MessageMACAES CMAC, AES GMACUsed to calculate dataAES Authentication
integrity codes withintegrity codes withKey

Indicator Document Version 1.0 ©HID Global Corporation E E E

Page 35
Service
NameDescriptionRolesCsps AccessedAccessIndicatorInputOutputKeys / SSPs
Signature GenerationUsed to generate digital signaturesCO / UserEFlagKey, MessageSignatureDSA, ECDSA, RSADSA Signing Key, EC Signing Key, RSA Signing Key
Signature VerificationUsed to verify digital signaturesCO / UserDSA VerificationEFlagKey, Message SignatureBooleanDSA, ECDSA, RSA

Document Version 1.0 Indicator ©HID Global Corporation E E

Page 36
DRBG (SP 800-90Ar1) outputUsed to generate random numbers, IVs and keysFlagN/ADataCounter DRBG Hash DRBG HMAC DRBGAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DRBG Seed, Internal State V and C value, and DRBG Key, DSA Signing Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Key Transport Private Key, RSA Key Transport Public KeyCO / User CO / UserG E

Document Version 1.0 N/A ©HID Global Corporation G E

Page 37
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Message HashingUsed to generate a message digest, SHAKE outputCO / UserN/ASHS, SHA-3,N/AFlagMessageHash
Keyed Message HashingUsed to calculate data integrity codes with HMAC and KMACCO / UserHMAC Authentication Key, KMAC Authentication KeyEFlagKey, MessageHashHMAC, SHA-3 Derived Functions (KMAC)
TLS Key Derivation FunctionUsed to calculate a value suitable to be used for a master secret in TLSCO / UserTLS KDF Secret ValueHKDF,EFlagTLS ParametersData
SP 800- 108r1 KDFUsed to calculate a value suitable to be used for a secret keyCO / UserSP 800-108r1 KDF Secret ValueEFlagKDF ParametersDataKBKDF using Pseudorando m Functions
SSH Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / UserSSH KDF Secret ValueExistingE:FlagSSH ParametersData
X9.63 Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / User CO / UserDH Agreement Private Key, EC Agreement Private Key, RSA Signing Key X9.63 KDF Secret ValueG EFlagX9.63 ParametersDataExisting Application- Specific (X9.63 KDF)

Indicator Document Version 1.0 ©HID Global Corporation ApplicationSpecific (TLS N/A N/A E E

Page 38

Indicator m ApplicationSpecific (SSH ApplicationSpecific E E: G E Document Version 1.0 ©HID Global Corporation

Page 39
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputKeys / SSPs
SP 800- 56Cr2 OneStep/ TwoStep Key Derivation Function (KDM)Used to calculate a value suitable to be used for a secret keyCO / User CO / UserDH AgreementHKDF, KDFG EFlagKDM ParametersDataHKDF, KDF One Step, KDF Two Step
One Step,Private Key,One Step,
KDF TwoEC AgreementKDF Two
StepPrivate Key,Step
IKEv2 Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / UserEFlagIKEv2 ParametersDataExisting Application- Specific (IKEv2 KDF)IKEv2 KDF Secret Value
SRTP Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / UserExistingEFlagSRTP ParametersDataSRTP KDF Secret Value

SP 80056Cr2 Document Version 1.0 Indicator ©HID Global Corporation ApplicationSpecific ApplicationSpecific G E E E

Page 40
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
PBKDFUsed to generate a key using an encoding of a password and a message hashCO / User CO / UserHMAC Authentication Key, KMAC Authentication Key HMAC Authentication Key, KMAC Authentication Key, PBKDF Secret ValueKDF Password- BasedG EFlagPassword, PBKDF ParametersData

Indicator PasswordBased G E Document Version 1.0 ©HID Global Corporation

Page 41
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputRoles
Key Agreement SchemesUsed to calculate key agreement valuesAES EncryptionKAS-ECC,G EFlagKey Agreement keys, ParametersDataKAS-ECC, KAS-FFC, KAS-IFC, Safe PrimesCO / User CO / User
KAS-FFC,Key,KAS-FFC,
KAS-IFC,AES DecryptionKAS-IFC,
Safe PrimesKey,Safe Primes
Key WrappingUsed to encrypt a key valueAES Wrapping Key, HMAC Authentication Key, KMAC Authentication Key, RSA Key Transport Private KeyEFlagWrapping key, KeyWrapped keyAES KW, AES KWP, KTS-IFCCO / User

Document Version 1.0 Indicator ©HID Global Corporation G E E

Page 42
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Key UnwrappingUsed to decrypt a key valueCO / UserAES KW, AESEFlagUnwrappin g key, Wrapped keyKeyAES KW, AES KWP, KTS-IFCAES Wrapping Key,
KWP, KTS-IFCKWP, KTS-IFCHMAC
VerificationKeyVerEC Verification KeyVerificationUser
Entropy CallbackGathers entropy in a passive manner from a user-provided functionCO / UserDRBG Seed, Internal State V and C value, and DRBG KeyGFlagN/ARandom bitsDRBG, CKG
DRBG Health TestsCO / UserN/AN/AFlagN/AN/ADRBGUsed to perform checks of

Indicator N/A N/A N/A Document Version 1.0 ©HID Global Corporation N/A E E E N/A G

Page 43
SSP Export OperationReturns a CSP as data that can be used for later outputFlagSSPDataN/AAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Key Transport Private Key, RSA Key Transport Public KeyCO / UserR

Document Version 1.0 ©HID Global Corporation N/A R

Page 44
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
UtilityMiscellaneous utilityUserN/AN/AN/AFlagN/AN/AN/A

Document Version 1.0 Indicator N/A N/A ©HID Global Corporation N/A N/A N/A

Page 45
Service
NameData Encryption
CalculationCalculationwith CMAC
4.4 Non-Approved Services

Table 15 - Non-Approved Services Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved-only mode, false otherwise. Refer also to Section 2.4 of this Security Policy. Document Version 1.0 ©HID Global Corporation

Page 46
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity technique used by the module is HMAC-SHA-256. The integrity technique has received CAVP certificate A6047. The integrity technique is implemented by the module itself. The HMAC of the module JAR file, excluding directories and metadata, is calculated and compared to the expected value embedded within the module’s properties. If the calculated value does not match the expected value, the module raises an error and fails to load. The integrity test can be performed on demand by power cycling the host platform.

5.2 Initiate on Demand

Each time the module is powered up, it runs the pre-operational tests to ensure that the integrity of the module has been maintained. Self-tests are available on demand by power cycling the module. Document Version 1.0 ©HID Global Corporation

Page 47
6 Operational Environment

The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module runs on a GPC running one of the operating systems specified in the approved operational environment list (refer to Section 2.2 of this Security Policy). Each approved operating system manages processes and threads in a logically separated manner. The module’s operator is considered the owner of the calling application that instantiates the module within the process space of the Java Virtual Machine.

6.1 Configuration Settings and Restrictions

The module must be installed as described in Security Policy Section 11.1. No specific configuration options are required for the operational environments. No security rules, settings, or restrictions to the configuration of the operational environment are needed for the module to function in a FIPS-conformant manner. Document Version 1.0 ©HID Global Corporation

Page 48
7 Physical Security

The requirements of this section are not applicable to the module. The module is a software module and does not implement any physical security mechanisms. Document Version 1.0 ©HID Global Corporation

Page 49
8 Non-Invasive Security

The requirements of this section are not applicable to the module. Document Version 1.0 ©HID Global Corporation

Page 50
9 Sensitive Security Parameter Management

All Sensitive Security Parameters (SSPs) used by the module are described in this section in Table 16. All usage of these SSPs by the module (including all SSP lifecycle states) is described in the services detailed in Section 4.3 - Approved Services. Please note that the module does not perform automatic SSP establishment, it only provides the components to the calling application, which can be used in SSP establishment. Document Version 1.0 ©HID Global Corporation

Page 51
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
AES encryption23128, 192, 256 bitsAES CBC,DRBG20N/AN/AImport21, Export22AES Encryption Keydestroy() service call or host platform power cycle
9.1 SSPs

Table 16 - Sensitive Security Parameters (SSPs) Key Table AES CBCCS1, AES AES CBCCS3, AES N/A N/A The module does not provide persistent storage Key generator used in conjunction with an approved DRBG Import done via key constructor and/or factory (Electronic Entry) Export done via key recovery using getEncoded() method and followed by separate step to export key details as either plaintext or encrypted (Electronic Entry) Document Version 1.0 ©HID Global Corporation

Page 52
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
AES decryption128, 192, 256 bitsDRBG20N/AN/AImport21, Export22AES Decryption KeyAES CBC, AES CFB8, AES CFB128, AES CTR, AES ECB, AES FF1, AES OFB, AES CBC- CS1, AES CBC-CS2, AES CBC- CS3, AES CCM, AES GCM, CKG A6047destroy() service call or host platform power cycle
AES CMAC/GMAC128, 192, 256 bitsAES CMAC,DRBG20N/AN/AImport21, Export22AES Authentication Keydestroy() service call or host platform power cycle

AES CBCCS1, AES AES CBCCS3, AES N/A N/A N/A N/A The AES GCM key and IV is generated randomly per IG C.H, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application must ensure that any of its AES GCM keys used for encryption or decryption are re-distributed. Refer to Section 2.6.1 of the Security Policy. Document Version 1.0 ©HID Global Corporation

Page 53
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
AES (128/192/256) key wrapping key for KTS128, 192, 256 bitsDRBG20N/AN/AImport21, Export22AES Wrapping KeyAES KW, AES KWP, CKG A6047destroy() service call or host platform power cycle
DH Agreement Private Key112, 128, 152, 176, 200 bitsDRBG20N/AN/AImport21, Export22DH Agreement Private KeyKAS-FFC, CKG A6047destroy() service call or host platform power cycleDiffie-Hellman
Diffie-Hellman (ffdhe and MODP) key agreement May be paired with DH Agreement Private Key112, 128, 152, 176, 200 bitsDRBG20N/AN/AImport21, Export22DH Agreement Public KeyKAS-FFC, CKG A6047Not zeroized, public key value known outside of module
DSA Signing Key112, 128 bitsDSADRBG20N/AN/AImport21, Export22DSA Signing KeyDSA Signature Generation, CKG A6047destroy() service call or host platform power cycleDSA signature
SignatureSignaturegeneration
CKGCKGMay be paired
A6047A6047Verification
DSA signature verification May be paired with DSA Signing Key80, 112, 128 bitsDRBG20N/AN/AImport21, Export22DSA Verification KeyDSA Signature Verification, CKG A6047Not zeroized, public key value known outside of module
EC Agreement Private Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Agreement Private KeyKAS-ECC, CKG A6047destroy() service call or host platform power cycleEC key
EC key agreement May be paired with EC Agreement Private Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Agreement Public KeyKAS-ECC, CKG A6047Not zeroized, public key value known outside of module
EC Signing Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Signing KeyECDSA Signature Generation, CKG A6047destroy() service call or host platform power cycleECDSA
ECDSA signature verification. May be paired with EC Signing Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Verification KeyECDSA Signature Verification, CKG A6047Not zeroized, public key value known outside of module
Keyed-Hash Calculation112-256 bitsHMAC-SHA-DRBG20N/AN/AImport21, Export22HMAC Authentication Keydestroy() service call or host platform power cycle
Keyed-Hash Calculation112-256 bitsDRBG20N/AN/AImport21, Export22KMAC Authentication KeyKMAC, CKG A6047destroy() service call or host platform power cycle
RSA Signing Key112, 128, 152 bitsDRBG20N/AN/AImport21, Export22RSA Signing KeyRSA Signature Generation, CKG A6047destroy() service call or host platform power cycleRSA signature
RSA signature verification May be paired with RSA Signing Key80, 112, 128, 152 bitsDRBG20N/AN/AImport21, Export22RSA Verification KeyRSA Signature Verification, CKG A6047Not zeroized, public key value known outside of module

N/A N/A N/A N/A N/A N/A Document Version 1.0 ©HID Global Corporation

Page 54

N/A N/A Document Version 1.0 ©HID Global Corporation N/A N/A N/A N/A

Page 55

N/A N/A N/A N/A Document Version 1.0 ©HID Global Corporation N/A N/A

Page 56

HMAC-SHA1, HMACSHA-2, N/A N/A N/A N/A N/A N/A Document Version 1.0 ©HID Global Corporation N/A N/A

Page 57
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
RSA Key Transport Private Key24112, 128, 152 bitsKTS-IFC,DRBG20N/AN/AImport21, Export22RSA Key Transport Private Key24KTS-IFC, CKG A6047destroy() service call or host platform power cycleRSA key
CKGCKGtransport and
RSA key transport May be paired with RSA Key Transport Private Key112, 128, 152 bitsDRBG20N/AN/AImport21, Export22RSA Key Transport Public Key24KTS-IFC, CKG A6047Not zeroized, public key value known outside of module
Key Derivation112, 128, 192, 256 bitsN/AN/AN/AIKEv2 KDF Secret ValueKDF IKEv2 A6047destroy() service call or host platform power cycleGenerated as
Key Derivation112-256 bitsGenerated as output of a PBE key and a PRFN/AN/AN/APBKDF Secret ValuePBKDF A6047destroy() service call or host platform power cycle

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A RSA key transport using PKCS#1 1.5 padding is deprecated through 2023 and disallowed after 2023. Document Version 1.0 ©HID Global Corporation

Page 58
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Key Derivation112, 128, 192, 256 bitsKDAGenerated as output of an agreement schemeN/AN/AN/ASP 800-56Cr2 OneStep/ TwoStep KDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsGenerated as output of an agreement schemeN/AN/AN/ASP 800-108r1 KDF Secret Valuedestroy() service call or host platform power cycleKDF SP 800- 108 A6047
Key Derivation128, 192, 256 bitsN/AN/AN/ASRTP KDF Secret Valuedestroy() service call or host platform power cycleKDF SRTP A6047Generated as
Key Derivation80, 112, 128, 192, 256 bitsGenerated as output of an SSH agreement schemeN/AN/AN/ASSH KDF Secret Valuedestroy() service call or host platform power cycleKDF SSH A6047

Document Version 1.0 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A ©HID Global Corporation

Page 59
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Used to derive keys using TLS KDF384 bitsKDF TLSN/AN/AImport21, Export22TLS Premaster Secret ValueKDF TLS A6047Protocoldestroy() service call or host platform power cycle
A6047A6047bytes) and 46
Key Derivation112, 128, 192, 256 bitsGenerated as output of TLS agreement schemeN/AN/AN/ATLS KDF Secret ValueKDF TLS A6047destroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsKDF ANSN/AN/AN/AX9.63 KDF Secret ValueGenerated asdestroy() service
9.639.63output of ancall or host
agreementagreementplatform power
A6047A6047schemecycle
Random Number Generation>128 bitsN/AN/AN/AObtained from the entropy sourceEntropy Input StringN/Adestroy() service call or host platform power cycle
Internal use128, 192, 256 bitsN/AN/AN/ACTR DRBG SeedN/AImmediatelyFrom
externalafter use or hostexternal
entropyplatform powerentropy
sourcecyclesource
Internal use128 bitsFrom seed valueN/AN/AN/ACTR DRBG V ValueN/Areseed() service call or host platform power cycle

N/A N/A N/A N/A N/A Document Version 1.0 ©HID Global Corporation N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Page 60
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Internal use128, 192, 256 bitsN/AFrom DRBG V valueN/AN/AN/ACTR DRBG KeyN/Areseed() service
Internal use112, 128, 192, 256 bitsN/AN/AN/AFrom external entropy sourceHash DRBG SeedN/AImmediately after use or host platform power cycle
Internal use112, 128, 192, 256 bitsFrom seed valueN/AN/AN/AHash DRBG V ValueN/Areseed() service
Internal use112, 128, 192, 256 bitsFrom DRBG V valueN/AN/AN/AHash DRBG C ValueN/Areseed() service call or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AN/AN/AHMAC DRBG SeedN/AImmediatelyFrom
externalafter use or hostexternal
entropyplatform powerentropy
sourcecyclesource
Internal use112, 128, 192, 256 bitsFrom seed valueN/AN/AN/AHMAC DRBG V ValueN/Areseed() service call or host platform power cycle

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Document Version 1.0 ©HID Global Corporation

Page 61
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Internal use112, 128, 192, 256 bitsN/AFrom DRBG V valueN/AN/AN/AHMAC DRBG KeyN/Areseed() service
Used as seed for asymmetric key generation or for symmetric key generation128, 192, 256 bitsDRBGN/AN/AN/ADRBG OutputN/Adestroy() service call or host platform power cycle

Document Version 1.0 N/A N/A N/A N/A N/A N/A N/A N/A ©HID Global Corporation

Page 62
Approved algorithm
NameMode MethodKey Size
Test TargetTest TargetDescription
AES ECBAES ECBEncryption KAT (128 bits)
AES ECBDecryption KAT (128 bits)
AES CCMAES CCMEncryption KAT (128 bits)
AES CCMDecryption KAT (128 bits)
AES CMACAES CMACGeneration KAT (128 bits)
AES CMACVerification KAT (128 bits)
AES GCMAES GCMEncrypt KAT (128 bits)
AES GCMDecrypt KAT (128 bits)
HASH DRBGSHA2-256 KAT (Health Tests: Generate, Reseed, Instantiate
HMAC DRBGHMAC-SHA2-256 KAT (Health Tests: Generate, Reseed, Instantiate functions per Section 11.3 of SP 800-90Ar1)
CTR DRBGAES CTR 256 bits KAT (Health Tests: Generate, Reseed, Instantiate
DSASignature Generation KAT (2048 bits)
DSADSASignature Verification KAT (2048 bits)
Test TargetTest TargetDescription
ECDSASignature Generation KAT (P-256)
ECDSAECDSASignature Verification KAT (P-256)
HMAC-SHA2-256HMAC-SHA2-256 KAT
HMAC-SHA2-512HMAC-SHA2-512HMAC-SHA2-512 KAT
HMAC-SHA3-256HMAC-SHA3-256 KAT
KAS-ECCKAS-ECCPrimitive “Z” Computation KAT (P-256)
KAS-ECCPrimitive “Z” Computation KAT (B-233)
KAS-FFCKAS-FFCPrimitive “Z” Computation KAT (ffdhe2048)
KBKDFKBKDF KAT (Counter, Feedback, Double Pipeline)
KDA OneStepKDA OneStepKDA OneStep KAT
KDA TwoStepKDA TwoStep KAT
PBKDFPBKDFPBKDF KAT (HMAC-SHA2-256)
RSASignature Generation KAT (2048 bits)
RSARSASignature Verification KAT (2048 bits)
RSA EncryptionRSA Encryption KAT SP 800-56Br2 (2048 bits)
RSA DecryptionRSA DecryptionRSA Decryption KAT SP 800-56Br2 (2048 bits)
SHA-1SHA-1 KAT
SHA2-256SHA2-256SHA2-256 KAT
SHA2-512SHA2-512 KAT
SHA-3SHA-3SHA-3 KAT (cSHAKE-128)
SHAKE256SHAKE256 KAT
ANS 9.63 KDFANS 9.63 KDFANS 9.63 KDF KAT
IKEv2 KDFIKEv2 KDF KAT
SNMP KDFSNMP KDFSNMP KDF KAT
SRTP KDFSRTP KDF KAT
SSH KDFSSH KDFSSH KDF KAT
TLS 1.0 KDFTLS 1.0 KDF KAT
TLS 1.1 KDFTLS 1.1 KDFTLS 1.1 KDF KAT
TLS 1.2 KDFTLS 1.2 KDF KAT
Test TargetTest TargetDescription
DHDHDH Pairwise Consistency Test
DSADSA Pairwise Consistency Test
EC DHEC DHEC DH Pairwise Consistency Test
ECDSAECDSA Pairwise Consistency Test
RSARSARSA Pairwise Consistency Test
10 Self-Tests

Cryptographic Algorithm Self-Tests (CASTs) are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Pairwise Consistency Tests (PCTs) are performed on the corresponding key pairs.

10.1 Pre-Operational Self-Tests

Each time the module is powered up, it performs the pre-operational self-tests to confirm that sensitive data has not been damaged. The pre-operational tests include the software integrity test, which verifies the module using HMACSHA-256. Pre-operational tests also include the HMAC and SHS CASTs that are run prior to the software integrity test to ensure the correctness of the HMAC used. Pre-operational self-tests are available on demand by power cycling the module.

10.2 Conditional Self-Tests

The module performs conditional self-tests when the conditions specified for cryptographic algorithm self-test and pair-wise consistency tests occur. The self-tests implemented are specified below. Table 17

Page 63

Table 18

Page 64
10.3 Error States

If any of the above-mentioned self-tests fail, the module enters an error state called “Hard Error” state. Upon entering the error state, the module outputs status by way of an exception. An example exception for AES Encryption failure is: “Failed self-test on encryption: AES” The module can be recovered by power cycling, which results in execution of pre-operational self-tests and conditional cryptographic algorithm self-tests. If the tests pass, then the module will be available for use.

10.4 Operator Initiation of Self-Tests

Each time the module is powered up, it runs the pre-operational tests to ensure that the integrity of the module has been maintained. Pre-operational self-tests are available on demand by power cycling the module. Initial CAST self-tests are available on demand by power cycling the module and then invoking the service related to the test target. Document Version 1.0 ©HID Global Corporation

Page 65
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module exists as part of the running JVM, and as such:

11.2 Basic Guidance

The JAR file representing the module needs to be installed in a JVM's class path in a manner appropriate to its use in applications running on the JVM. Functionality in the module is provided in two ways. At the lowest level there are distinct classes that provide access to the approved and non-approved services provided by the module. A more abstract level of access can also be gained by using strings providing operation names passed into the module's Java cryptography provider through the APIs described in the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE). When the module is used in approved mode, classes providing implementations of algorithms that are not approved or allowed are explicitly disabled. SSPs such as private and secret keys implement the Destroyable interface. Where appropriate these SSPs can be zeroized on demand by invoking the destroy() method. The return of the destroy() method indicates that the zeroization is complete.

11.3 Use of the JVM with a Java SecurityManager

If the underlying JVM is running with a Java SecurityManager installed, the module will be running in approved mode with secret and private key export disabled. Document Version 1.0 ©HID Global Corporation

Page 66
PermissionSettingsRequiredUsage
RuntimePermissionRuntimePermissiongetProtectionDomaingetProtectionDomainYesYesAllows checksum to be
carried out on JAR.
RuntimePermissionaccessDeclaredMembersYesAllows use of reflection API within the provider.
PropertyPermissionjava.runtime.name,NoOnly if configuration
readproperties are used.
SecurityPermissionputProviderProperty.CCJNoOnly if provider installed during execution.
CryptoServicesPermissionunapprovedModeEnabledNoOnly if non-approved mode
algorithms required.
CryptoServicesPermissionchangeToApprovedModeEnabledNoOnly if threads allowed to change modes.
CryptoServicesPermissionexportSecretKeyNoTo allow export of secret
keys only.
CryptoServicesPermissionexportPrivateKeyNoTo allow export of private keys only.
CryptoServicesPermissionexportKeysYesRequired to be applied for
the module itself. Optional
for any other codebase.
CryptoServicesPermissiontlsNullDigestEnabledNoOnly required for TLS digest calculations.
CryptoServicesPermissiontlsPKCS15KeyWrapEnabledNoOnly required if TLS is used
with RSA encryption.
11.3.1 Additional Enforcement with a Java SecurityManager

In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific policy permissions to be configured in the JVM configuration by the Cryptographic Officer or User. The SecurityManager can also be used to restrict the ability of particular code bases to examine CSPs. In the absence of a Java SecurityManager specific services related to protocols such as TLS are available, however must only be used in relation to those protocols.

11.3.2 Permissions for Java SecurityManager

Use of the module with a Java SecurityManager requires the setting of some basic permissions to allow the module HMAC-SHA-256 software integrity test to take place as well as to allow the module itself to examine secret and private keys. The basic permissions required for the module to operate correctly with a Java SecurityManager are indicated by the Required column of Table 19. Table 19 - Available Java Permissions for SecurityManager Document Version 1.0 ©HID Global Corporation

Page 67
PermissionSettingsRequiredUsage
CryptoServicesPermissiontlsAlgorithmsEnabledNoEnables both NullDigest and PKCS15KeyWrap.
CryptoServicesPermissiondefaultRandomConfigNoAllows setting of default
SecureRandom.
CryptoServicesPermissionthreadLocalConfigNoRequired to set a thread local property in the CryptoServicesRegistrar.
CryptoServicesPermissionglobalConfigNoRequired to set a global
property in the
CryptoServicesRegistrar.
11.4 Design and Rules

The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.

  1. The module provides two distinct operator roles: User and Cryptographic Officer.
  2. The module does not provide authentication.
  3. The operator may command the module to perform the self-tests by cycling power or resetting the module.
  4. Self-tests do not require any operator action.
  5. Data output is inhibited during self-tests, zeroization, and error states. Output related to keys and their use is inhibited until the key concerned has been fully generated.
  6. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  7. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  8. The module does not support concurrent operators.
  9. The module does not have any external input/output devices used for entry/output of data.
  10. The module does not enter or output plaintext CSPs from the module’s physical boundary.
  11. The module does not output intermediate key values.
11.4.1 Mode of Operation Rules

When the module is used within the context of Java Security Manager or the system/security property com.safelogic.cryptocomply.fips.approved_only is set to true, the module will start in approved mode and non-approved services are not accessible in this mode. When the module is not used within the context of Java Security Manager, the module will start in non-approved mode by default. Refer to Security Policy Section 2.4 for additional details. Document Version 1.0 ©HID Global Corporation

Page 68
11.4.1.1 From Non-Approved Mode to Approved Mode

The transition from non-approved mode to approved mode is a combination of granted permission (a) and request to change mode (b): a) com.safelogic.cryptocomply.crypto.CryptoServicesPermission “changeToApprovedModeEnabled” b) CryptoServicesRegistrar.setApprovedMode(true) The CSPs made available in non-approved mode will not be accessible once the thread transitions into approved mode. The CSPs generated using the non-approved mode cannot be passed or shared with algorithms operating in approved mode, and vice-versa. This is done by an indicator within the class (object) instantiating the key that the key was created in an approved mode or non-approved mode. Any attempt by a thread within the module to use the key in an opposite mode will result in an exception being generated by the module. For example, if an RSA private key has been created in either approved or non-approved mode, then any request to access that key will first need to confirm if the thread making the request is in the same mode.

11.4.1.2 From Approved Mode to Non-Approved Mode

The module cannot transition from approved mode to non-approved mode. To initiate the module in non-approved mode, either it should not be used in the context of Java Security Manager, or the module should have the permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission unapprovedModeEnabled granted by the Java Security Manager.

11.5 Vulnerabilities

Vulnerabilities found in the module will be reported on the National Vulnerability Database, located at the following link: https://nvd.nist.gov/ Researchers and users are encouraged to report any security related concerns to HID Global. Contact information can be found on the FIPS 140 certificate for this module. Document Version 1.0 ©HID Global Corporation

Page 69
12 Mitigation of Other Attacks

The module implements basic protections to mitigate against timing-based attacks against its internal implementations. There are two countermeasures used. The first countermeasure is Constant Time Comparisons, which protect the digest and integrity algorithms by strictly avoiding “fast fail” comparison of MACs, signatures, and digests so the time taken to compare a MAC, signature, or digest is constant regardless of whether the comparison passes or fails. The second countermeasure is made up of Numeric Blinding and decryption/signing verification which both protect the RSA algorithm. Numeric Blinding prevents timing attacks against RSA decryption and signing by providing a random input into the operation which is subsequently eliminated when the result is produced. The random input makes it impossible for a third party observing the private key operation to attempt a timing attack on the operation as they do not have knowledge of the random input and consequently the time taken for the operation tells them nothing about the private value of the RSA key. Decryption/signing verification is carried out by calculating a primitive encryption or signature verification operation after a corresponding decryption or signing operation before the result of the decryption or signing operation is returned. The purpose of this is to protect against Lenstra's CRT attack by verifying the correctness of the private key calculations involved. Lenstra's CRT attack takes advantage of undetected errors in the use of RSA private keys with CRT values and, if exploitable, can be used to discover the private value of the RSA key. Document Version 1.0 ©HID Global Corporation

Page 70
Acronyms
NameTermDefinition
ANSI X9.31ANSI X9.31X9.31-1998, Digital Signatures using Reversible Public Key Cryptography for theANSI X9.31
FIPS 140-3FIPS 140-3Security Requirements for Cryptographic modules, March 22, 2019
FIPS 180-4FIPS 180-4Secure Hash Standard (SHS)
FIPS 186-2FIPS 186-2Digital Signature Standard (DSS)
FIPS 186-4FIPS 186-4Digital Signature Standard (DSS)
FIPS 186-5FIPS 186-5Digital Signature Standard (DSS)
FIPS 197FIPS 197Advanced Encryption Standard
FIPS 198-1FIPS 198-1The Keyed-Hash Message Authentication Code (HMAC)
FIPS 202FIPS 202SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
IGIGImplementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program
PKCS#1 v2.1PKCS#1 v2.1RSA Cryptography Standard
PKCS#5PKCS#5Password-Based Cryptography Standard
PKCS#12Personal Information Exchange Syntax Standard -Recommendation for the Triple DataPKCS#12
SP 800-38ASP 800-38ARecommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
SP 800-38BRecommendation for Block Cipher Modes of Operation: The CMAC Mode forSP 800-38B
SP 800-38CSP 800-38CRecommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
SP 800-38DRecommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM)SP 800-38D
SP 800-38FSP 800-38FRecommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
SP 800-38GRecommendation for Block Cipher Modes of Operation: Methods for Format-SP 800-38G
SP 800-56Ar3SP 800-56Ar3Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP 800-56Br2Recommendation for Pair-Wise Key Establishment Schemes Using Integer FactorizationSP 800-56Br2
SP 800-56Cr2SP 800-56Cr2Recommendation for Key Derivation through Extraction-then-Expansion
SP 800-67r2SP 800-67r2Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-89SP 800-89Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-90ARecommendation for Random Number Generation Using Deterministic Random BitSP 800-90A
SP 800-90BSP 800-90BRecommendation for the Entropy Sources Used for Random Bit Generation
SP 800-108r1SP 800-108r1Recommendation for Key Derivation Using Pseudorandom Functions
SP 800-131ASP 800-131ATransitioning the Use of Cryptographic Algorithms and Key Lengths
SP 800-132SP 800-132Recommendation for Password-Based Key Derivation
SP 800-133r2SP 800-133r2Recommendation for Cryptographic Key Generation
SP 800-135r1SP 800-135r1Recommendation for Existing Application – Specific Key Derivation Functions
SP 800-185SP 800-185SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
AcronymAcronymDefinition
AESAESAdvanced Encryption Standard
APIAPIApplication Programming Interface
CASTCASTCryptographic Algorithm Self-Test
CBCCBCCipher-Block Chaining
CCMCCMCounter with CBC-MAC
CCCSCCCSCanadian Centre for Cyber Security
CDHCDHComputational Diffie-Hellman
CFBCFBCipher Feedback Mode
CMACCMACCipher-based Message Authentication Code
CMVPCMVPCryptographic Module Validation Program
COCOCryptographic Officer
CPUCPUCentral Processing Unit
CSCSCiphertext Stealing
CTRCTRCounter Mode
CVLCVLComponent Validation List
DESDESData Encryption Standard
DHDHDiffie-Hellman
DRAMDRAMDynamic Random Access Memory
DRBGDRBGDeterministic Random Bit Generator
DSADSADigital Signature Algorithm
DSTU4145DSTU4145Ukrainian DSTU-4145-2002 Elliptic Curve Scheme
ECECElliptic Curve
ECBECBElectronic Code Book
ECCECCElliptic Curve Cryptography
ECDSAECDSAElliptic Curve Digital Signature Algorithm
EdDSAEdDSAEdwards Curve DSA using Ed25519, Ed448
EMCEMCElectromagnetic Compatibility
EMIEMIElectromagnetic Interference
FIPSFIPSFederal Information Processing Standard
GCMGCMGalois/Counter Mode
GMACGMACGalois Message Authentication Code
GOSTGosudarstvennyi Standard Soyuza SSR/Government Standard of the Union of Soviet SocialistGOST
GPCGPCGeneral Purpose Computer
HMACHMAC(Keyed) Hashed Message Authentication Code
IGIGImplementation Guidance, see References
IVIVInitialization Vector
JARJARJava ARchive
AcronymAcronymDefinition
JCAJCAJava Cryptography Architecture
JCEJCEJava Cryptography Extension
JDKJDKJava Development Kit
JREJREJava Runtime Environment
JVMJVMJava Virtual Machine
KASKASKey Agreement Scheme
KATKATKnown Answer Test
KDFKDFKey Derivation Function
KWKWKey Wrap
KWPKWPKey Wrap with Padding
KMACKMACKECCAK Message Authentication Code
MACMACMessage Authentication Code
MD5MD5Message Digest algorithm MD5
N/AN/ANot Applicable
OCBOCBOffset Codebook Mode
OFBOFBOutput Feedback
OSOSOperating System
PBKDFPBKDFPassword-Based Key Derivation Function
PKCSPKCSPublic Key Cryptography Standards
PQGPQGDiffie-Hellman Parameters P, Q and G
RCRCRivest Cipher, Ron’s Code
RIPEMDRIPEMDRACE Integrity Primitives Evaluation Message Digest
RSARSARivest Shamir Adleman
SHASHASecure Hash Algorithm
TLSTLSTransport Layer Security
USBUSBUniversal Serial Bus
XDHXDHEdwards Curve Diffie-Hellman using X25519, X448
XOFXOFExtendable-Output Function

Appendix: References and Acronyms The following standards are referred to in this Security Policy. Table 20 - References Document Version 1.0 ©HID Global Corporation

Page 71

Document Version 1.0 ©HID Global Corporation

Page 72

The following acronyms are used in this Security Policy. Table 21 - Acronyms Document Version 1.0 ©HID Global Corporation

Page 73

N/A Document Version 1.0 ©HID Global Corporation

Page 74

Prepared By: SafeLogic, Inc. Website: www.safelogic.com Email: sales@safelogic.com Phone: 844-436-2797

8300 Boone Blvd., Suite 500

Vienna, VA 22182 Document Version 1.0 ©HID Global Corporation

Referenced URLs