All modules
CMVP Validated Module · FIPS 140-3 Security Policy

CLEAR Cryptosystem

Certificate#5126StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorQuantum Knight, INC.
Low review priority  ·  no TCB surface named  ·  last validated 4 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/28/2029
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys).
VendorQuantum Knight, INC.

Approved Algorithms (83)

AlgorithmACVP Cert
AES-CBCA6047
AES-CBC-CS1A6047
AES-CBC-CS2A6047
AES-CBC-CS3A6047
AES-CCMA6047
AES-CFB128A6047
AES-CFB8A6047
AES-CMACA6047
AES-CTRA6047
AES-ECBA6047
AES-FF1A6047
AES-GCMA6047
AES-GMACA6047
AES-KWA6047
AES-KWPA6047
AES-OFBA6047
Counter DRBGA6047
cSHAKE-128A6047
cSHAKE-256A6047
DSA KeyGen (FIPS186-4)A6047
DSA PQGGen (FIPS186-4)A6047
DSA PQGVer (FIPS186-4)A6047
DSA SigGen (FIPS186-4)A6047
DSA SigVer (FIPS186-4)A6047
ECDSA KeyGen (FIPS186-4)A6047
ECDSA KeyVer (FIPS186-4)A6047
ECDSA SigGen (FIPS186-4)A6047
ECDSA SigVer (FIPS186-4)A6047
Hash DRBGA6047
HMAC DRBGA6047
HMAC-SHA-1A6047
HMAC-SHA2-224A6047
HMAC-SHA2-256A6047
HMAC-SHA2-384A6047
HMAC-SHA2-512A6047
HMAC-SHA2-512/224A6047
HMAC-SHA2-512/256A6047
HMAC-SHA3-224A6047
HMAC-SHA3-256A6047
HMAC-SHA3-384A6047
HMAC-SHA3-512A6047
KAS-ECC Sp800-56Ar3A6047
KAS-FFC Sp800-56Ar3A6047
KAS-IFCA6047
KDA HKDF SP800-56Cr2A6047
KDA OneStep SP800-56Cr2A6047
KDA TwoStep SP800-56Cr2A6047
KDF ANS 9.63A6047
KDF IKEv2A6047
KDF SNMPA6047
KDF SP800-108A6047
KDF SRTPA6047
KDF SSHA6047
KDF TLSA6047
KMAC-128A6047
KMAC-256A6047
KTS-IFCA6047
ParallelHash-128A6047
ParallelHash-256A6047
PBKDFA6047
RSA Decryption PrimitiveA6047
RSA KeyGen (FIPS186-4)A6047
RSA SigGen (FIPS186-4)A6047
RSA Signature PrimitiveA6047
RSA SigVer (FIPS186-2)A6047
RSA SigVer (FIPS186-4)A6047
Safe Primes Key GenerationA6047
Safe Primes Key VerificationA6047
SHA-1A6047
SHA2-224A6047
SHA2-256A6047
SHA2-384A6047
SHA2-512A6047
SHA2-512/224A6047
SHA2-512/256A6047
SHA3-224A6047
SHA3-256A6047
SHA3-384A6047
SHA3-512A6047
SHAKE-128A6047
SHAKE-256A6047
TupleHash-128A6047
TupleHash-256A6047

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Non-Invasive SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for CLEAR Cryptosystem
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for CLEAR Cryptosystem
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Quantum Knight, INC. CLEAR Cryptosystem Software Version 4.0.0 Document Version 1.1 January 21, 2026 Prepared For: Prepared By: Quantum Knight, INC.

3175 Hanover Street

Palo Alto, CA 94304 USA https://www.quantumknight.io/ SafeLogic, Inc.

8300 Boone Blvd., Suite 500

Vienna, VA 22182 USA www.safelogic.com Document Version 1.1 ©Quantum Knight, INC.

Page 2
Table of Contents
#SectionPage
1General Information5
1.1Overview5
1.2Security Levels6
2Cryptographic Module Specification7
2.1Description7
2.2Tested and Vendor Affirmed Module Version and Identification8
2.3Excluded Components20
2.4Modes of Operation20
2.5Algorithms20
2.6Algorithm Specific Information30
2.7RBG and Entropy33
2.8Key Generation34
2.9Key Establishment35
2.10Industry Protocols35
3Cryptographic Module Ports and Interfaces36
3.1Ports and Interfaces36
3.2Additional Information36
4Roles, Services, and Authentication37
4.1Authentication Methods37
4.2Roles37
4.3Approved Services38
4.4Non-Approved Services51
5Software/Firmware Security52
5.1Integrity Techniques52
5.2Initiate on Demand52
6Operational Environment53
6.1Configuration Settings and Restrictions53
7Physical Security54
8Non-Invasive Security55
9Sensitive Security Parameter Management56
9.1SSPs57
10Self-Tests68
10.1Pre-Operational Self-Tests68
10.2Conditional Self-Tests68
10.3Error States70
10.4Operator Initiation of Self-Tests70
11Life-Cycle Assurance71
11.1Installation, Initialization, and Startup Procedures71
11.2Basic Guidance71
11.3Use of the JVM with a Java SecurityManager71
11.4Design and Rules73
11.5Vulnerabilities74
12Mitigation of Other Attacks75
Appendix: References and Acronyms76
Page 3
11.2 11.3 11.4 11.5 Document Version 1.1 ©Quantum Knight, INC.
Page 4
List of Tables
ItemPage
Table 1 - Security Levels6
Table 2 - Executable Code Sets8
Table 3 - Tested Operational Environments – Software/Firmware/Hybrid9
Table 4 - Vendor Affirmed Operational Environments – Software/Firmware/Hybrid10
Table 5 - Modes of Operation20
Table 6 - Approved Algorithms, CAVP Tested21
Table 7 - Vendor Affirmed Algorithms27
Table 8 - Non-Approved, Allowed Algorithms with No Security Claimed28
Table 9 - Non-Approved, Not Allowed Algorithms28
Table 10 - SP 800-38G Format-Preserving Encryption Constraints32
Table 11 – Non-Deterministic Random Number Generation Specification33
Table 12 – Ports and Interfaces36
Table 13 - Roles37
Table 14 – Approved Services38
Table 15 - Non-Approved Services51
Table 16 - Sensitive Security Parameters (SSPs) Key Table57
Table 17 – Conditional Algorithm Self-Tests68
Table 18 – Pairwise Consistency Tests69
Table 19 - Available Java Permissions for SecurityManager72
Table 20 - References76
Table 21 - Acronyms78
Figure 1 - Module Block Diagram8
Page 5
1 General Information
1.1 Overview

This document provides a non-proprietary FIPS 140-3 Security Policy for CLEAR Cryptosystem.

1.1.1 About FIPS 140

Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules, (FIPS 140-3) specifies the latest requirements for cryptographic modules utilized to protect sensitive but unclassified information. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) collaborate to run the Cryptographic Module Validation Program (CMVP), which assesses conformance to FIPS 140. NIST (through NVLAP) accredits independent testing labs to perform FIPS 140 testing. The CMVP reviews and validates modules tested against FIPS

140 criteria. Validated is the term given to a module that has successfully gone through this FIPS 140

validation process. Validated modules receive a validation certificate that is posted on the CMVP’s website. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program.

1.1.2 About this Document

This non-proprietary cryptographic module Security Policy for CLEAR Cryptosystem from Quantum Knight, INC. (Quantum Knight) provides an overview of the product and a high-level description of how it meets the security requirements of FIPS 140-3. This document includes details on the module’s cryptographic capabilities, services, sensitive security parameters, and self-tests. This Security Policy also includes guidance on operating the module while maintaining compliance with FIPS 140-3. CLEAR Cryptosystem may also be referred to as “the module” in this document.

1.1.3 External Resources

The Quantum Knight website (https://www.quantumknight.io/) contains information on Quantum Knight services and products. The CMVP website maintains this FIPS 140 certificate for Quantum Knight and the certificate includes Quantum Knight contact information.

1.1.4 Notices

This document may be freely reproduced and distributed, but only in its entirety and without modification. Document Version 1.1 ©Quantum Knight, INC.

Page 6
Security level
NameISO SectionLevel
Section 1 – General InformationSection 1 – General Information1
Section 2 – Cryptographic Module SpecificationSection 2 – Cryptographic Module Specification1
Section 3 – Cryptographic Module InterfacesSection 3 – Cryptographic Module Interfaces1
Section 4 – Roles, Services, and AuthenticationSection 4 – Roles, Services, and Authentication1
Section 5 – Software/Firmware SecuritySection 5 – Software/Firmware Security1
Section 6 – Operational EnvironmentSection 6 – Operational Environment1
Section 7 – Physical SecuritySection 7 – Physical SecurityN/A
Section 8 – Non-Invasive SecuritySection 8 – Non-Invasive SecurityN/A
Section 9 – Sensitive Security Parameter ManagementSection 9 – Sensitive Security Parameter Management1
Section 10 – Self-TestsSection 10 – Self-Tests1
Section 11 – Life-Cycle AssuranceSection 11 – Life-Cycle Assurance1
Section 12 – Mitigation of Other AttacksSection 12 – Mitigation of Other Attacks1
1.2 Security Levels

Table 1 lists the module’s level of validation for each area in FIPS 140-3. Table 1 - Security Levels N/A N/A Document Version 1.1 ©Quantum Knight, INC.

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: CLEAR Cryptosystem is a standards-based cryptographic engine that enables the protection of data requiring absolute compliance with federal standards. The module delivers core cryptographic functions for boosting the strength and speed of cryptographic protection while guaranteeing data integrity, data at rest encryption, and streaming data transmissions. CLEAR Cryptosystem provides flexible modes of operation that include multi-factor authentication (MFA) and embedded access control lists (ACL) for controlled access to data. The module delivers cryptographic services to host applications through a Java language Application Programming Interface (API). Module Type: Software Module Embodiment: Multi-Chip Stand Alone Cryptographic Boundary: The cryptographic boundary is the Java Archive (JAR) file, ccj-4.0.0.jar. The module is the only component within the cryptographic boundary and the only component that carries out cryptographic functions covered by FIPS 140-3. The module classes are executed on the Java Virtual Machine (JVM) using the classes of the Java Runtime Environment (JRE). The JVM is the interface to the computer’s Operating System (OS), which is the interface to the various physical components of the general purpose computer (GPC). As a software cryptographic module, the module operates within the Tested Operational Environment’s Physical Perimeter (TOEPP). The TOEPP physical perimeter is the physical perimeter of the GPC that the module operates on. The TOEPP includes the JVM/JRE, OS, and the GPC. The TOEPP includes the Operational Environment (OE) that the module operates in, the module itself, and all other applications that operate within the OE, including the host application for the module. The external entropy source used by the module is also within the TOEPP. The module’s block diagram is provided in Figure 1, which shows the cryptographic boundary and the logical relationship of the cryptographic module to the other software and hardware components of the TOEPP. The module’s logical interfaces are defined by its API. Document Version 1.1 ©Quantum Knight, INC.

Page 8
Module configuration
NameFirmware VersionPackageIntegrity Test
NamesVersionNamesImplemented
ccj-4.0.0.jar4.0.0ccj-4.0.0.jarHMAC-SHA-256

Figure 1 - Module Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9
Module configuration
NameOperating SystemHardware Platform
Environment v17 onEnvironment v17 onPowerEdge
VMware Photon OS 5.0VMware Photon OS 5.0R830

Confirming the Module Checksum, Functionality, and Versioning The module checksum, functionality, and versioning can be confirmed by executing the command: java -cp ccj-4.0.0.jar com.safelogic.cryptocomply.util.DumpInfo which should display: Version Info: CryptoComply® for Java version v4.0.0 FIPS Ready Status: READY Module SHA-256 HMAC: c5f6e9c3593f67ea87f08b91590c7531c53ac2540685b921807c9e82581911ee This display indicates that the JAR represents the software release ccj-4.0.0, that it has successfully passed all its startup tests, and that the software release is confirmed to have the HMAC listed above. Tested Operational Environments - Software, Firmware, Hybrid: The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The cryptographic module was tested on the following operational environments on the GPC platforms detailed in Table 3. Table 3 - Tested Operational Environments

Page 10
Module configuration
NameOperating SystemHardware Platform#
1.Compatible Java Runtime Environment on Windows XPIntel Pentium, Intel Core 21.1.Compatible Java Runtime Environment on Windows XP
2.2.Compatible Java Runtime Environment on Windows VistaIntel Core 2 Duo, Intel Core 2 Quad, AMD Athlon 64 X2, AMD Phenom II, Intel Xeon
3.Intel Core i3, Intel Core i5,3.Compatible Java Runtime Environment on Windows 7
4.4.Compatible Java Runtime Environment on Windows 8Intel Core i3, Intel Core i5, Intel Core i7, AMD Ryzen 3, AMD Ryzen 5
5.Intel Core i3, Intel Core i5,5.Compatible Java Runtime Environment on Windows 8.1
6.6.Compatible Java Runtime Environment on Windows 10Intel Core i3, Intel Core i5, Intel Core i7, AMD Ryzen 5, AMD Ryzen 7
7.Intel Core i5, Intel Core i7,7.Compatible Java Runtime Environment on Windows 11
8.8.Compatible Java Runtime Environment on OS X Mavericks (10.9)Intel Core i5, Intel Core i7, Intel Core 2 Duo, Intel Xeon, Intel Core i3
9.Intel Core i5, Intel Core i7,9.Compatible Java Runtime Environment on OS X Yosemite (10.10)
10.10.Compatible Java Runtime Environment on OS X El Capitan (10.11)Intel Core i5, Intel Core i7, Intel Core 2 Duo, Intel Xeon, Intel Core i3
11.Intel Core i5, Intel Core i7,11.Compatible Java Runtime Environment on macOS Sierra (10.12)
12.12.Compatible Java Runtime Environment on macOS High Sierra (10.13)Intel Core i5, Intel Core i7, Intel Core 2 Duo, Intel Xeon, Intel Core i3
13.Intel Core i5, Intel Core i7,13.Compatible Java Runtime Environment on macOS Mojave (10.14)
14.14.Compatible Java Runtime Environment on macOS Catalina (10.15)Intel Core i5, Intel Core i7, Intel Core i9, Intel Xeon, Intel Core m3
15.Intel Core i5, Intel Core i7,15.Compatible Java Runtime Environment on macOS Big Sur (11)
16.16.Compatible Java Runtime Environment on macOS Monterey (12)Intel Core i5, Intel Core i7, Intel Core i9, Apple M1, Apple M1 Pro
17.Intel Core i5, Intel Core i7,17.Compatible Java Runtime Environment on macOS Ventura (13)
18.18.Compatible Java Runtime Environment on macOS Sonoma (14)Intel Core i5, Intel Core i7, Intel Core i9, Apple M1, Apple M2
19.Intel Xeon, AMD Opteron,19.Compatible Java Runtime Environment on Red Hat Enterprise Linux 7
20.20.Compatible Java Runtime Environment on Red Hat Enterprise Linux 8Intel Xeon, AMD EPYC, ARM Cortex-A72, IBM Power9, IBM z14
21.Intel Xeon, AMD EPYC,21.Compatible Java Runtime Environment on Red Hat Enterprise Linux 9
22.22.Compatible Java Runtime Environment on Ubuntu 12.04 LTS (Precise Pangolin)Intel Core 2 Duo, Intel Core i3, AMD Athlon 64, ARM CortexA8, PowerPC G4
23.Intel Core 2 Duo, Intel23.Compatible Java Runtime Environment on Ubuntu 12.10 (Quantal Quetzal)
24.24.Compatible Java Runtime Environment on Ubuntu 13.04 (Raring Ringtail)Intel Core 2 Duo, Intel Core i3, AMD Athlon 64, ARM Cortex-A8, PowerPC G4
25.Intel Core 2 Duo, Intel25.Compatible Java Runtime Environment on Ubuntu 13.10 (Saucy Salamander)
26.26.Compatible Java Runtime Environment on Ubuntu 14.04 LTS (Trusty Tahr)Intel Core i3, Intel Core i5, AMD Athlon 64, ARM Cortex-A9, PowerPC G5
27.Intel Core i3, Intel Core i5,27.Compatible Java Runtime Environment on Ubuntu 14.10 (Utopic Unicorn)
28.28.Compatible Java Runtime Environment on Ubuntu 15.04 (Vivid Vervet)Intel Core i3, Intel Core i5, AMD Athlon 64, ARM Cortex-A9, PowerPC G5
29.Intel Core i3, Intel Core i5,29.Compatible Java Runtime Environment on Ubuntu 15.10 (Wily Werewolf)
30.30.Compatible Java Runtime Environment on Ubuntu 16.04 LTS (Xenial Xerus)Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
31.Intel Core i5, Intel Core i7,31.Compatible Java Runtime Environment on Ubuntu 16.10 (Yakkety Yak)
32.32.Compatible Java Runtime Environment on Ubuntu 17.04 (Zesty Zapus)Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
33.Intel Core i5, Intel Core i7,33.Compatible Java Runtime Environment on Ubuntu 17.10 (Artful Aardvark)
34.34.Compatible Java Runtime Environment on Ubuntu 18.04 LTS (Bionic Beaver)Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
35.Intel Core i5, Intel Core i7,35.Compatible Java Runtime Environment on Ubuntu 18.10 (Cosmic Cuttlefish)
36.36.Compatible Java Runtime Environment on Ubuntu 19.04 (Disco Dingo)Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
37.Intel Core i5, Intel Core i7,37.Compatible Java Runtime Environment on Ubuntu 19.10 (Eoan Ermine)
38.38.Compatible Java Runtime Environment on Ubuntu 20.04 LTS (Focal Fossa)Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
39.Intel Core i5, Intel Core i7,39.Compatible Java Runtime Environment on Ubuntu 20.10 (Groovy Gorilla)
40.40.Compatible Java Runtime Environment on Ubuntu 21.04 (Hirsute Hippo)Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
41.Compatible Java Runtime Environment on Ubuntu 21.10 (ImpishIntel Core i5, Intel Core i7,41.41.Compatible Java Runtime Environment on Ubuntu 21.10 (Impish Indri)
Indri)Indri)AMD Ryzen 5, ARM
42.42.Compatible Java Runtime Environment on Ubuntu 22.04 LTS (Jammy Jellyfish)Intel Core i5, Intel Core i7, AMD Ryzen 7, ARM Cortex-A55, PowerPC G5
43.Intel Core i5, Intel Core i7,43.Compatible Java Runtime Environment on Ubuntu 22.10 (Kinetic Kudu)
44.44.Compatible Java Runtime Environment on Ubuntu 23.04 (Lunar Lobster)Intel Core i5, Intel Core i7, AMD Ryzen 7, ARM Cortex-A55, PowerPC G5
45.Intel Core i5, Intel Core i7,45.Compatible Java Runtime Environment on Ubuntu 23.10 (Mantic Minotaur)
46.46.Compatible Java Runtime Environment on CentOS 6.8Intel Core 2 Duo, Intel Core i3, AMD Athlon 64, ARM Cortex-A8, PowerPC G4
47.Intel Core 2 Duo, Intel47.Compatible Java Runtime Environment on CentOS 6.9
48.48.Compatible Java Runtime Environment on CentOS 6.10Intel Core 2 Duo, Intel Core i3, AMD Athlon 64, ARM Cortex-A8, PowerPC G4
49.Intel Core i3, Intel Core i5,49.Compatible Java Runtime Environment on CentOS 7.1
50.50.Compatible Java Runtime Environment on CentOS 7.2Intel Core i3, Intel Core i5, AMD Athlon 64, ARM Cortex-A9, PowerPC G5
51.Intel Core i3, Intel Core i5,51.Compatible Java Runtime Environment on CentOS 7.3
52.52.Compatible Java Runtime Environment on CentOS 7.4Intel Core i3, Intel Core i5, AMD Athlon 64, ARM Cortex-A9, PowerPC G5
53.Intel Core i3, Intel Core i5,53.Compatible Java Runtime Environment on CentOS 7.5
54.54.Compatible Java Runtime Environment on CentOS 7.6Intel Core i3, Intel Core i5, AMD Athlon 64, ARM Cortex-A9, PowerPC G5
55.Compatible Java Runtime Environment on CentOS 7.7Intel Core i3, Intel Core i5,55.55.Compatible Java Runtime Environment on CentOS 7.7
56.56.Compatible Java Runtime Environment on CentOS 7.8Intel Core i3, Intel Core i5, AMD Athlon 64, ARM Cortex-A9, PowerPC G5
57.Intel Core i3, Intel Core i5,57.Compatible Java Runtime Environment on CentOS 7.9
58.58.Compatible Java Runtime Environment on CentOS 8.0Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
59.Intel Core i5, Intel Core i7,59.Compatible Java Runtime Environment on CentOS 8.1
60.60.Compatible Java Runtime Environment on CentOS 8.2Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
61.Intel Core i5, Intel Core i7,61.Compatible Java Runtime Environment on CentOS 8.3
62.62.Compatible Java Runtime Environment on CentOS 8.4Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
63.Intel Core i5, Intel Core i7,63.Compatible Java Runtime Environment on CentOS 8.5
64.64.Compatible Java Runtime Environment on CentOS Stream 8Intel Core i5, Intel Core i7, AMD Ryzen 5, ARM Cortex-A53, PowerPC G5
65.Intel Core i5, Intel Core i7,65.Compatible Java Runtime Environment on CentOS Stream 9
66.66.Compatible Java Runtime Environment on Debian 7 (Wheezy)Intel Core 2 Duo, Intel Core i3, AMD Athlon 64, ARM Cortex-A8, PowerPC G4
67.Intel Core 2 Duo, Intel67.Compatible Java Runtime Environment on Debian 8 (Jessie)
68.68.Compatible Java Runtime Environment on Debian 9 (Stretch)Intel Core i3, Intel Core i5, AMD Athlon 64, ARM Cortex-A9, PowerPC G5
69.Compatible Java Runtime Environment on Debian 10 (Buster)Intel Core i5, Intel Core i7,69.69.Compatible Java Runtime Environment on Debian 10 (Buster)
70.70.Compatible Java Runtime Environment on Debian 11 (Bullseye)Intel Core i5, Intel Core i7, AMD Ryzen 7, ARM Cortex-A55, PowerPC G5
71.Intel Core i5, Intel Core i7,71.Compatible Java Runtime Environment on Debian 12 (Bookworm)
72.72.Compatible Java Runtime Environment on Oracle Solaris 11.1SPARC T5, SPARC M6, Intel Xeon E5, Intel Xeon E7, Intel Xeon E3
73.SPARC T5, SPARC M6, Intel73.Compatible Java Runtime Environment on Oracle Solaris 11.2
74.74.Compatible Java Runtime Environment on Oracle Solaris 11.3SPARC T5, SPARC M6, Intel Xeon E5, Intel Xeon E7, Intel Xeon E3
75.SPARC T5, SPARC M7, Intel75.Compatible Java Runtime Environment on Oracle Solaris 11.4
76.76.Compatible Java Runtime Environment on HP-UX 11i v3PA-RISC 8800, PA-RISC 8900, Itanium 9300, Itanium 9500, PA-RISC 8700
77.PA-RISC 8800, PA-RISC77.Compatible Java Runtime Environment on HP-UX 11i v4
78.78.Compatible Java Runtime Environment on AIX 7.1IBM Power7, IBM Power8, IBM Power9, IBM Power10, IBM Power6
79.IBM Power7, IBM Power8,79.Compatible Java Runtime Environment on AIX 7.2
80.80.Compatible Java Runtime Environment on AIX 7.3IBM Power7, IBM Power8, IBM Power9, IBM Power10, IBM Power6
81.ARM Cortex-A7, ARM81.Compatible Java Runtime Environment on Raspbian Jessie
82.82.Compatible Java Runtime Environment on Raspbian StretchARM Cortex-A7, ARM Cortex-A53, ARM Cortex- A72, ARM Cortex-A76, ARM Cortex-A57
83.Compatible Java Runtime Environment on Raspberry Pi OS BusterARM Cortex-A7, ARM83.83.Compatible Java Runtime Environment on Raspberry Pi OS Buster
84.84.Compatible Java Runtime Environment on Raspberry Pi OS BullseyeARM Cortex-A7, ARM Cortex-A53, ARM Cortex- A72, ARM Cortex-A76, ARM Cortex-A57
85.Generic Hardware85.Java SE Runtime Environment v8 (1.8) with HP-UX
86.86.Java SE Runtime Environment v11 (1.11) with HP-UXGeneric Hardware Platform
87.Generic Hardware87.Java SE Runtime Environment v17 (1.17) with HP-UX
88.88.Java SE Runtime Environment v21 (21) with HP-UXGeneric Hardware Platform
89.Generic Hardware89.Java SE Runtime Environment v8 (1.8) with Linux CentOS
90.90.Java SE Runtime Environment v11 (1.11) with Linux CentOSGeneric Hardware Platform
91.Generic Hardware91.Java SE Runtime Environment v17 (1.17) with Linux CentOS
92.92.Java SE Runtime Environment v21 (21) with Linux CentOSGeneric Hardware Platform
93.Java SE Runtime Environment v8 (1.8) with Red Hat EnterpriseGeneric Hardware93.
LinuxLinuxPlatform
94.94.Java SE Runtime Environment v11 (1.11) with Red Hat Enterprise LinuxGeneric Hardware Platform
95.Java SE Runtime Environment v17 (1.17) with Red Hat EnterpriseGeneric Hardware95.
LinuxLinuxPlatform
96.96.Java SE Runtime Environment v21 (21) with Red Hat Enterprise LinuxGeneric Hardware Platform
97.Generic Hardware97.Java SE Runtime Environment v8 (1.8) with Linux Debian
98.98.Java SE Runtime Environment v11 (1.11) with Linux DebianGeneric Hardware Platform
99.Generic Hardware99.Java SE Runtime Environment v17 (1.17) with Linux Debian
100.100.Java SE Runtime Environment v21 (21) with Linux DebianGeneric Hardware Platform
101.Generic Hardware101.Java SE Runtime Environment v8 (1.8) with Linux Fedora
102.102.Java SE Runtime Environment v11 (1.11) with Linux FedoraGeneric Hardware Platform
103.Generic Hardware103.Java SE Runtime Environment v17 (1.17) with Linux Fedora
104.104.Java SE Runtime Environment v21 (21) with Linux FedoraGeneric Hardware Platform
105.Generic Hardware105.Java SE Runtime Environment v8 (1.8) with Linux Oracle RHC
106.106.Java SE Runtime Environment v11 (1.11) with Linux Oracle RHCGeneric Hardware Platform
107.Generic Hardware107.Java SE Runtime Environment v17 (1.17) with Linux Oracle RHC
108.108.Java SE Runtime Environment v21 (21) with Linux Oracle RHCGeneric Hardware Platform
109.Generic Hardware109.Java SE Runtime Environment v8 (1.8) with Linux Oracle UEK
110.110.Java SE Runtime Environment v11 (1.11) with Linux Oracle UEKGeneric Hardware Platform
111.Generic Hardware111.Java SE Runtime Environment v17 (1.17) with Linux Oracle UEK
112.112.Java SE Runtime Environment v21 (21) with Linux Oracle UEKGeneric Hardware Platform
113.Generic Hardware113.Java SE Runtime Environment v17 (1.8) with Linux Photon
114.114.Java SE Runtime Environment v11 (1.11) with Linux PhotonGeneric Hardware Platform
115.Generic Hardware115.Java SE Runtime Environment v17 (1.17) with Linux Photon
116.116.Java SE Runtime Environment v21 (21) with Linux PhotonGeneric Hardware Platform
117.Generic Hardware117.Java SE Runtime Environment v8 (1.8) with Linux SUSE
118.118.Java SE Runtime Environment v11 (1.11) with Linux SUSEGeneric Hardware Platform
119.Generic Hardware119.Java SE Runtime Environment v17 (1.17) with Linux SUSE
120.120.Java SE Runtime Environment v21 (21) with Linux SUSEGeneric Hardware Platform
121.Generic Hardware121.Java SE Runtime Environment v8 (1.8) with Linux Ubuntu
122.122.Java SE Runtime Environment v11 (1.11) with Linux UbuntuGeneric Hardware Platform
123.Generic Hardware123.Java SE Runtime Environment v17 (1.17) with Linux Ubuntu
124.124.Java SE Runtime Environment v21 (21) with Linux UbuntuGeneric Hardware Platform
125.Generic Hardware125.Java SE Runtime Environment v8 (1.8) with Mac OS X
126.126.Java SE Runtime Environment v11 (1.11) with Mac OS XGeneric Hardware Platform
127.Java SE Runtime Environment v8 (1.8) with Microsoft WindowsGeneric Hardware127.127.Java SE Runtime Environment v8 (1.8) with Microsoft Windows
128.128.Java SE Runtime Environment v11 (1.11) with Microsoft WindowsGeneric Hardware Platform
129.Generic Hardware129.Java SE Runtime Environment v17 (1.17) with Microsoft Windows
130.130.Java SE Runtime Environment v21 (21) with Microsoft WindowsGeneric Hardware Platform
131.Java SE Runtime Environment v8 (1.8) with Microsoft WindowsGeneric Hardware131.
ServerServerPlatform
132.132.Java SE Runtime Environment v11 (1.11) with Microsoft Windows ServerGeneric Hardware Platform
133.Java SE Runtime Environment v17 (1.17) with Microsoft WindowsGeneric Hardware133.
ServerServerPlatform
134.134.Java SE Runtime Environment v21 (21) with Microsoft Windows ServerGeneric Hardware Platform
135.Generic Hardware135.Java SE Runtime Environment v8 (1.8) with Microsoft Windows XP
136.136.Java SE Runtime Environment v11 (1.11) with Microsoft Windows XPGeneric Hardware Platform
137.Java SE Runtime Environment v17 (1.17) with Microsoft WindowsGeneric Hardware137.
XPXPPlatform
138.138.Java SE Runtime Environment v21 (21) with Microsoft Windows XPGeneric Hardware Platform
139.Generic Hardware139.Java SE Runtime Environment v8 (1.8) with Solaris
140.140.Java SE Runtime Environment v11 (1.11) with SolarisGeneric Hardware Platform
141.Generic Hardware141.Java SE Runtime Environment v17 (1.17) with Solaris
142.142.Java SE Runtime Environment v21 (21) with SolarisGeneric Hardware Platform
143.Generic Hardware143.Java SE Runtime Environment v8 (1.8) with AIX
144.144.Java SE Runtime Environment v11 (1.11) with AIXGeneric Hardware Platform
145.Generic Hardware145.Java SE Runtime Environment v17 (1.17) with AIX
146.146.Java SE Runtime Environment v21 (21) with AIXGeneric Hardware Platform
147.Generic Hardware147.Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise Linux
148.148.Java SE Runtime Environment v21 (21) with Red Hat Enterprise LinuxGeneric Hardware Platform with Intel Cascade Lakes
149.Java SE Runtime Environment v17 (1.17) with Red Hat EnterpriseGeneric Hardware149.149.Java SE Runtime Environment v17 (1.17) with Red Hat Enterprise Linux
LinuxLinuxPlatform with Intel
150.150.Java SE Runtime Environment v21 (21) with Red Hat Enterprise LinuxGeneric Hardware Platform with Intel Sapphire Rapids
151.Generic Hardware151.Java SE Runtime Environment v17 (1.17) with Ubuntu
152.152.Java SE Runtime Environment v21 (21) with UbuntuGeneric Hardware Platform with Intel Cascade Lakes
153.Generic Hardware153.Java SE Runtime Environment v17 (1.17) with Ubuntu
154.154.Java SE Runtime Environment v21 (21) with UbuntuGeneric Hardware Platform with Intel Sapphire Rapids
155.Generic Hardware155.Java SE Runtime Environment v17 (1.17) with ClevOS
156.156.Java SE Runtime Environment v21 (21) with ClevOSGeneric Hardware Platform with Intel Cascade Lakes
157.Generic Hardware157.Java SE Runtime Environment v17 (1.17) with ClevOS
158.158.Java SE Runtime Environment v21 (21) with ClevOSGeneric Hardware Platform with Intel Sapphire Rapids
159.Generic Hardware159.Java SE Runtime Environment v17 (1.17) with ClevOS
160.160.Java SE Runtime Environment v21 (21) with ClevOSGeneric Hardware Platform with Intel Haswell
161.Generic Hardware161.Java SE Runtime Environment v17 (1.17) with ClevOS
162.162.Java SE Runtime Environment v21 (21) with ClevOSGeneric Hardware Platform with Intel Broadwell
Page 11

# Document Version 1.1 ©Quantum Knight, INC.

Page 12

# Document Version 1.1 ©Quantum Knight, INC.

Page 13

# Document Version 1.1 ©Quantum Knight, INC.

Page 14

# Document Version 1.1 ©Quantum Knight, INC.

Page 15

# Document Version 1.1 ©Quantum Knight, INC.

Page 16

# Document Version 1.1 ©Quantum Knight, INC.

Page 17

# Document Version 1.1 ©Quantum Knight, INC.

Page 18

# Document Version 1.1 ©Quantum Knight, INC.

Page 19

# Document Version 1.1 ©Quantum Knight, INC.

Page 20
Service
NameDescriptionIndicatorType
Non- approved modePermits operations that are not approvedCryptoServicesRegistrar.IsInApprovedOnlyMode() can be called to determine the mode of operation. This method will return false for non- approved mode.Non- Approved
2.3 Excluded Components

Not applicable. Modes List and Description: Table 5 - Modes of Operation Nonapproved NonApproved Mode Change Instructions and Status: In default operation the module will start with all algorithms and services enabled. If the module detects that the system property com.safelogic.cryptocomply.fips.approved_only is set to true the module will start in approved mode and non-approved mode functionality will not be available. The module optionally uses the Java SecurityManager. If the underlying JVM is running with a Java SecurityManager installed the module starts in approved mode by default with secret and private key export disabled. When the module is not used within the context of the Java SecurityManager, it will start by default in the non-approved mode. Refer to Security Policy Section 11.3 for additional information about the Java SecurityManager. Refer to Security Policy Section 11.4.1 for additional information on the module’s mode of operation rules.

2.5 Algorithms

The module implements the algorithms specified in the tables below. The module supports both an Approved mode and a Non-approved mode of operation. Please see Security Policy Section 2.4 for additional details on the modes of operation and the configuration of the Approved mode of operation. Please see Security Policy Section 11.1 for Initialization steps. Document Version 1.1 ©Quantum Knight, INC.

Page 21
Approved algorithm
NameCAVP CertPropertiesUse FunctionReference
AESA6047Modes: CBC, CFB8, CFB128, CTR, ECB, FF1, OFB Key sizes: 128, 192, 256 bitsEncryption, DecryptionAESA6047AES [FIPS 197,
AES CBC Ciphertext Stealing (CS)Modes: CBC-CS1, CBC-CS2, CBC-CS3 Key sizes: 128, 192, 256 bitsEncryption, Decryption[Addendum to SP 800-38A, Oct 2010]AES CBC Ciphertext Stealing (CS)A6047
AES CCMKey sizes: 128, 192, 256 bits[SP 800-38C]AES CCMA6047Generation,
AES CMACKey sizes: 128, 192, 256 bitsGeneration, Authentication[SP 800-38B]AES CMACA6047
AES GCM/GMAC1Key sizes: 128, 192, 256 bits[SP 800-38D]AES GCM/GMAC1A6047Generation,
AES KW, KWP (KTS: Key Wrapping Using AES2)Modes: AES KW, KWP Key sizes: 128, 192, 256 bits (key establishment methodology providing 128, 192 or 256 bits of encryption strength)Key Wrapping[SP 800-38F]AES KW, KWP (KTS: Key Wrapping Using AES2)A6047
DRBG, CounterAES 128, AES 192, AES 256[SP 800-90Ar1]A6047Random Bit
DRBGGeneration
DRBG, Hash DRBGSHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA2-512, SHA-512/224, SHA2-512/256Random Bit Generation[SP 800-90Ar1]DRBG, Hash DRBGA6047
DRBG, HMAC DRBGRandom Bit Generation[SP 800-90Ar1]DRBG, HMAC DRBGA6047SHA sizes: SHA-1, SHA-224,
2.5.1 Approved Algorithms

The module implements the following approved algorithms that have been tested by the Cryptographic Algorithm Validation Program (CAVP). There are algorithms, modes, and keys that have been CAVP tested but not used by the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by the module. Table 6 - Approved Algorithms, CAVP Tested GCM encryption with an internally generated IV, see Security Policy Section 2.6.1 concerning external IVs. IV generation is compliant with IG C.H. Keys are not established directly into the module using key agreement or key transport algorithms. Document Version 1.1 ©Quantum Knight, INC.

Page 22
Approved algorithm
NamePropertiesUse FunctionReference
DSA3Key sizes: 10244, 2048, 3072 bitsKey Pair Generation, PQG Generation, PQG Verification, Signature Generation, Signature Verification[FIPS 186-4]DSA3A6047
ECDSACurves/Key sizes: P-224, P-256, P-384, P-521, K-233, K-283, K- 409, K-571, B-233, B-283, B- 409, B-571[FIPS 186-5]ECDSAA6047Key
ECDSACurves/Key sizes: P-192, K-163, B-1635Key Verification, Signature Verification[FIPS 186-4]ECDSAA6047
HMACGeneration, Authentication[FIPS 198-1]HMACA6047SHA sizes: SHA-1, SHA-224,

DSA signature generation with SHA-1 is only for use with protocols. Key size only used for Signature Verification Legacy testing for signatures not specified under FIPS 186-5. Document Version 1.1 ©Quantum Knight, INC.

Page 23
Approved algorithm
NamePropertiesUse FunctionReferenceAlgorithm Properties
KAS-ECC6Key Agreement[SP 800-56Ar3]KAS-ECC6A6047Domain Parameter Generation Methods/Schemes: P-224, P-256, P-384, P-521, K- 233, K-283, K-409, K-571, B- 233, B-283, B-409, B-571 ephemeralUnified, fullMqv, fullUnified, onePassDh, onePassMqv, onePassUnified, staticUnified Curves specified above providing between 112 and 256 bits of encryption strength
KAS-FFC6Domain Parameter GenerationKey Agreement[SP 800-56Ar3]KAS-FFC6A6047
KAS-IFCKey Agreement[SP 800-56Br2, Section 7.2.1]KAS-IFCA6047RSASVE with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength
KDA, HKDFPRFs: HMAC-SHA-1, HMACKey Derivation[SP 800-56Cr2]KDA, HKDFA6047

Keys are not established directly into the module using key agreement or key transport algorithms. Document Version 1.1 ©Quantum Knight, INC.

Page 24
Approved algorithm
NameCAVP CertPropertiesUse FunctionReferenceAlgorithm Properties
KDA, One StepKey Derivation[SP 800-56Cr2]KDA, One StepA6047PRFs: SHA-1, SHA-224, SHA- 256, SHA-384, SHA-512, SHA- 512/224, SHA-512/256, SHA3- 224, SHA3-256, SHA3-384, SHA3-512, HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA- 256, HMAC-SHA-384, HMAC- SHA-512, HMAC-SHA-512/224, HMAC-SHA-512/256, HMAC- SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3- 512, KMAC-128, KMAC-256
KDA, Two StepPRFs: HMAC-SHA-1, HMAC-Key Derivation[SP 800-56Cr2]KDA, Two StepA6047
KDF, using Pseudorandom Functions7Key Derivation[SP 800-108]KDF, using Pseudorandom Functions7A6047Modes: Counter Mode, Feedback Mode, Double- Pipeline Iteration Mode Types: CMAC-based KBKDF with AES (128, 192, 256) HMAC-based KBKDF with SHA- 1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512
KDF, Existing Application- Specific8ANSI X9.63 KDF[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047Key Derivation
KDF, Existing Application- Specific8Key Derivation[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047IKEv2 KDF SHA sizes: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
KDF, ExistingCVL[SP 800-135r1]CVL A6047SNMP KDF Password Length: 64, 8192Key Derivation
Application-A6047
KDF, Existing Application- Specific8[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047SRTP KDF AES: 128, 192, 256Key Derivation
KDF, Existing Application- Specific8SSH KDF[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047Key Derivation
KDF, Existing Application- Specific8[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047TLS v1.0/1.1 KDF SHA sizes: SHA2-256, SHA2- 384, SHA2-512Key Derivation
KDF, Existing Application- Specific8TLS 1.2 KDF[SP 800-135r1]KDF, Existing Application- Specific8CVL A6047Key Derivation
KTS-IFC[SP 800-56Br2, Section 7.2.2]KTS-IFCA6047RSA-OAEP with, and without, key confirmation. Key sizes: 2048, 3072, 4096 providing between 112 and 152 bits of encryption strength Key Generation Method: rsakpg2-crtKey Transport
PBKDF, Password- basedOptions: PBKDF with Option 1a[SP 800-132]PBKDF, Password- basedA6047Key Derivation
RSA[FIPS 186-5, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]RSAA6047Key sizes: 2048, 3072, 4096Key Pair Generation
RSA[FIPS 186-5,RSAA6047Key sizes: 2048, 3072, 4096Signature Generation
RSA[FIPS 186-4, ANSI X9.31- 1998]RSAA6047Key sizes: 2048, 3072, 4096Signature Generation
RSAA6047Signature Verification[FIPS 186-5,RSAA6047Key sizes: 2048, 3072, 4096
RSA[FIPS 186-4, ANSI X9.31- 1998 and PKCS #1 v2.1 (PSS and PKCS1.5)]Signature VerificationRSAA6047Key sizes: 1024, 2048, 3072, 40969
RSASignature Verification[FIPS 186-2,RSAA6047Key sizes: 1024, 1536, 2048, 3072, 4096
RSA Decryption Primitive[SP 800-56Br2]Component TestRSA Decryption PrimitiveCVL A6047Key size: 2048
RSA Signature Primitive[FIPS 186-4]RSA Signature PrimitiveCVL A6047Key size: 2048Component
Safe Primes[SP 800-56Ar3]Key Generation, Key VerificationSafe PrimesA6047Parameter sets: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP-3072, MODP- 4096, MODP-6144, MODP- 8192
SHA-3, SHAKE[FIPS 202]SHA-3, SHAKEA6047SHA3-224, SHA3-256, SHA3- 384, SHA3-512, SHAKE128, SHAKE256Digital

ApplicationSpecific8 ApplicationSpecific8 Note: CAVP testing is not provided for use of the PRFs SHA-512/224 and SHA-512/256. These must not be used in approved mode. Document Version 1.1 ©Quantum Knight, INC.

Page 25

ApplicationSpecific8 ApplicationSpecific8 ApplicationSpecific8 ApplicationSpecific8 ApplicationSpecific8 PBKDF, Passwordbased No parts of the protocols (TLS, SNMPv3, SSHv2, X9.63, IKEv2, SRTP), other than the approved cryptographic algorithms and the KDFs, have been reviewed or tested by the CAVP and CMVP Document Version 1.1 ©Quantum Knight, INC.

Page 26

Legacy testing for signatures not specified under FIPS 186-5 (all moduli for ANSI X9.31, and testing with 1024 or Document Version 1.1 ©Quantum Knight, INC.

Page 27
Approved algorithm
NamePropertiesUse FunctionReferenceUse/FunctionImplementation
SHA-3 Derived FunctionsTypes: cSHAKE-128, cSHAKE- 256, KMAC-128, KMAC-256, ParallelHash-128, ParallelHash- 256, TupleHash-128, TupleHash-256[SP 800-185]SHA-3 Derived FunctionsA6047Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications
SHSSHA sizes: SHA-1, SHA-224,Digital[FIPS 180-4]SHSA6047
SHA-256, SHA-384, SHA-512,SHA-256, SHA-384, SHA-512,Signature
CKGUsed for the[SP 800-133r2]CKGUsed for the generation of symmetric keys and asymmetric seedsOther Cryptographic key generation
symmetric keys andsymmetric keys andCKG using output from DRBG,
asymmetric seedsasymmetric seedsVendor Affirmed per IG D.H.
Approved algorithm
NamePropertiesUse FunctionReferenceUse/FunctionImplementation
SHA-3 Derived FunctionsTypes: cSHAKE-128, cSHAKE- 256, KMAC-128, KMAC-256, ParallelHash-128, ParallelHash- 256, TupleHash-128, TupleHash-256[SP 800-185]SHA-3 Derived FunctionsA6047Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications
SHSSHA sizes: SHA-1, SHA-224,Digital[FIPS 180-4]SHSA6047
SHA-256, SHA-384, SHA-512,SHA-256, SHA-384, SHA-512,Signature
CKGUsed for the[SP 800-133r2]CKGUsed for the generation of symmetric keys and asymmetric seedsOther Cryptographic key generation
symmetric keys andsymmetric keys andCKG using output from DRBG,
asymmetric seedsasymmetric seedsVendor Affirmed per IG D.H.

Table 7 - Vendor Affirmed Algorithms

Page 28
Approved algorithm
NameUse FunctionUse/FunctionAlgorithm
MD5 within TLSAllowed per IG 2.4.A, no security claimedMD5 used within a TLS handshake
AES (non-compliant10)Non-approved modes for AESAES (non-compliant10)
ARC4 (RC4)ARC4/RC4 stream cipher
BlowfishBlowfish block cipherBlowfish
CamelliaCamellia block cipher
CAST5CAST5 block cipherCAST5
ChaCha20ChaCha20 stream cipher
ChaCha20-Poly1305AEAD ChaCha20 using Poly1305 as the MACChaCha20-Poly1305
DESDES block cipher
Diffie-Hellman KAS (non-compliant11)non-compliant key agreement methodsDiffie-Hellman KAS (non-compliant11)
DSA (non-compliant12)non-FIPS digest signatures using DSA
DSTU4145DSTU4145 EC algorithmDSTU4145
ECDSA (non-compliant13)non-FIPS digest signatures using ECDSA
EdDSAEd25519 and Ed448 signature algorithmsEdDSA
ElGamalElGamal key transport algorithm
FF3-1Format Preserving Encryption – AES FF3-1FF3-1
GOST28147GOST-28147 block cipher
GOST3410-1994GOST-3410-1994 algorithmGOST3410-1994
GOST3410-2001GOST-3410-2001 EC algorithm
GOST3410-2012GOST-3410-2012 EC algorithmGOST3410-2012
GOST3411GOST-3411-1994 message digest
GOST3411-2012-256GOST-3411-2012 256-bit message digestGOST3411-2012-256
GOST3411-2012-512GOST-3411-2012 512-bit message digest
HMAC-GOST3411GOST-3411 HMACHMAC-GOST3411
HMAC-MD5MD5 HMAC
HMAC-RIPEMD128RIPEMD128 HMACHMAC-RIPEMD128
HMAC-RIPEMD160RIPEMD160 HMAC
HMAC-RIPEMD256RIPEMD256HMACHMAC-RIPEMD256
HMAC-RIPEMD320RIPEMD320 HMAC
HMAC-TIGERTIGER HMAC
HMAC-WHIRLPOOLWHIRLPOOL HMAC
HSSHSS signature scheme (RFC 8708)HSS
IDEAIDEA block cipher
KAS14 using SHA-512/224 or SHA-512/256Key Agreement using SHA-512/224 and SHA-KAS14 using SHA-512/224 or SHA-512/256
(non-compliant)512/256 based KDFs(non-compliant)
KBKDF using SHA-512/224 or SHA-512/256 (non-compliant)KBKDF2 using the PRFs SHA-512/224 and SHA- 512/256
LMSLMS signature scheme (RFC 8708)LMS
MD5MD5 message digest
OpenSSL PBKDF (non-compliant)OpenSSL PBE key derivation schemeOpenSSL PBKDF (non-compliant)
PKCS#12 PBKDF (non-compliant)PKCS#12 PBE key derivation scheme
PKCS#5 Scheme 1 PBKDF (non-compliant)PKCS#5 PBE key derivation schemePKCS#5 Scheme 1 PBKDF (non-compliant)
Poly1305Poly1305 message MAC
PRNG X9.31X9.31 PRNGPRNG X9.31
RC2RC2 block cipher
RIPEMD128RIPEMD128 message digestRIPEMD128
RIPEMD160RIPEMD160 message digest
RIPEMD256RIPEMD256 message digestRIPEMD256
RIPEMD320RIPEMD320 message digest
RSA (non-compliant15)Non-compliant RSA signature schemesRSA (non-compliant15)
RSA KTS (non-compliant16)Non-compliant RSA key transport schemes
SCrypt (non-compliant)SCrypt using non-compliant PBKDF2SCrypt (non-compliant)
SEEDSEED block cipher
SerpentSerpent block cipherSerpent
SipHashSipHash MAC
SHACAL-2SHACAL2 block cipherSHACAL-2
TIGERTIGER message digest
Triple-DESTriple-DES cipherTriple-DES
TwofishTwofish block cipher
WHIRLPOOLWHIRLPOOL message digest
XDHX25519 and X448 key agreement algorithms

Not applicable. These algorithms are Allowed in Approved mode. Table 9 - Non-Approved, Not Allowed Algorithms Support for additional modes of operation. Support for additional key sizes and the establishment of keys of less than 112 bits of security strength. Deterministic signature calculation, support for additional digests, and key sizes. Deterministic signature calculation, support for additional digests, and key sizes. Document Version 1.1 ©Quantum Knight, INC.

Page 29

Keys are not directly established into the module using key agreement or transport techniques. Document Version 1.1 ©Quantum Knight, INC.

Page 30
2.6 Algorithm Specific Information
2.6.1 Enforcement and Guidance for GCM IVs (IG C.H conformance)

IVs for GCM can be generated randomly, or via a FipsNonceGenerator. IV generation is compliant with IG C.H. Where an IV is not generated within the module the module supports the importing of GCM IVs. In approved mode, importing a GCM IV for encryption that originates from outside the module is nonconformant. In approved mode, when a GCM IV is generated randomly, the module enforces the use of an approved DRBG in line with Section 8.2.2 of SP 800-38D. Support for additional digests and signature formats, PKCS#1 1.5 key wrapping, support for additional key sizes. Support for additional key sizes and the establishment of keys of less than 112 bits of security strength. Document Version 1.1 ©Quantum Knight, INC.

Page 31

In approved mode, when a GCM IV is generated using the FipsNonceGenerator, a counter is used as the basis for the nonce and the IV is generated in accordance with TLS protocol. Rollover of the counter in the FipsNonceGenerator will result in an IllegalStateException indicating the FipsNonceGenerator is exhausted and (as per IG C.H) where used for TLS 1.2, rollover will terminate any TLS session in process using the current key and the exception can only be recovered from by using a new handshake and creating a new FipsNonceGenerator. A service indicator for IV usage is provided in the module through Java logging. Setting the logging level to Level.FINE for the named logger com.safelogic.cryptocomply.jcajce.provider.BaseCipher will produce a log message when an IV which may have been produced outside the module and/or not from a compliant source is detected. The log message will be of the standard form including the detail: FINE: Passed in GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Setting the logging level to Level.FINER will produce an additional log message for any GCM IV which is used if the previous Level.FINE message is not activated. Log messages in this case will show the detail as: FINER: GCM nonce detected: <IV value> where <IV value> is a HEX representation of the IV in use. Per IG C.H, this Security Policy also states that in the event module power is lost and restored the consuming application must ensure that any of its AES GCM keys used for encryption or decryption are re-distributed. The AES GCM mode falls under:

2.6.2 Enforcement and Guidance for Use of the Approved PBKDF (IG D.N conformance)

The PBKDF aligns with Option 1a in Section 5.4 of SP 800-132. In line with the requirements for SP 800-132, keys generated using the approved PBKDF must only be used for storage applications. Any other use of the approved PBKDF is non-conformant. In approved mode the module enforces that any password used must encode to at least 14 bytes (112 bits) and that the salt is at least 16 bytes (128 bits) long. The iteration count associated with the PBKDF should be as large as practical. Document Version 1.1 ©Quantum Knight, INC.

Page 32
FF1FF3-1
radixin range of 2 … 216in range of 2 … 216
radixminlen≥ 1,000,000≥ 1,000,000

As the module is a general purpose software module, it is not possible to anticipate all the levels of use for the PBKDF, however a user of the module should also note that a password should at least contain enough entropy to be unguessable and also contain enough entropy to reflect the security strength required for the key being generated. In the event a password encoding is simply based on ASCII, a 14byte password is unlikely to contain sufficient entropy for most purposes. The standard set of printable characters only allows for as much as 6 bits of entropy per byte. For a 14-byte password, this yields a key that has been generated using 14 * 6 bits of entropy, giving only 84 bits of security, which is well below what is required for a key with the same level of hardness as a 112-bit one. Users are referred to Appendix A (Security Considerations) of SP 800-132 for further information on password, salt, and iteration count selection. The iteration count value is provided by the user and should be appropriate to the way the algorithm is being used. (The memory hard augmentation of PBKDF provided by SCRYPT uses an iteration count of 1). For straight PBKDF with no memory hard support, the iteration count provided by the user should be at point of maximum cost bearable by the user carrying out the key derivation in the normal course of usage. To ensure sufficient whitening of the password in both cases, the module enforces a salt size of

128 bits in approved mode.

For users interested in introducing memory hardness as a layer on top of the PBKDF the SCrypt augmentation to PBDKF based on HMAC-SHA-256 (as described in RFC 7914) is also available in nonapproved mode.

2.6.3 Rules for Setting the N and the S String in cSHAKE

To customize the output of the cSHAKE function, the cSHAKE algorithm permits the operator to input strings for the Function-Name input (N) and the Customization String (S). The Function-Name input (N) is reserved for values specified by NIST and should only be set to the appropriate NIST specified value. Any other use of N is non-conformant. The Customization String (S) is available to allow users to customize the cSHAKE function as they wish. The length of S is limited to the available size of a byte array in the JVM running the module.

2.6.4 Guidance for the Use of Format-Preserving Encryption

The module supports both FF1 and, in non-approved mode, FF3-1 format preserving encryption. Both are modes of AES. Table 10 shows the parameter constraints applicable to the module's implementation, as required by IG C.J. Table 10 - SP 800-38G Format-Preserving Encryption Constraints Document Version 1.1 ©Quantum Knight, INC.

Page 33
FF1FF3-1
minlen≥ 2 octets2 octets
maxlen< 232 octets2 * floor(log (296)) octets radix
maxTlen≥ 0 octets8 octets (fixed)
Entropy SourcesMinimumDetails
number of bits
of entropy
Passive Entropy128128As per FIPS 140-3 IG 9.3.A Section 2b, a minimum of 16 bytes (128
bits) is required from the source configured for seed generation for
the JVM. The entropy reader will block until the seed generator has
provided the minimum number of bytes.

An attempt to use the FF1 or FF3-1 without meeting the radixminlen constraint or by exceeding maxlen will result in an IllegalArgumentException. Note: only FF1 should be used in approved mode.

2.6.5 TLS 1.2 KDF (IG D.Q Conformance)

As indicated under CAVP certificate A6047, the module supports TLS 1.2 KDF per RFC 5246, i.e. without using the extended master secret.

2.6.6 Truncated HMACs

Approved HMAC algorithms can produce truncated versions of the specified HMAC. The right-most bits are truncated as per the NIST SP 800-107r1 (see also IG C.L and IG C.D).

2.7 RBG and Entropy

The module does not include an entropy source. The module's use of an external Random Number Generator (RNG) is determined by the settings described in the subsections below. Table 11

2.7.1 Use of External RNG

The module makes use of the JVM's configured SecureRandom entropy source to provide entropy when required. The module will request entropy as appropriate to the security strength and seeding configuration for the DRBG that is using it and for the default DRBG will request a minimum of 256 bits of entropy. In approved mode the minimum amount of entropy that can be requested by a DRBG is 112 bits. The module will wait until the SecureRandom.generateSeed() returns the requested amount of entropy, blocking if necessary. Document Version 1.1 ©Quantum Knight, INC.

Page 34

The JVM’s entropy source can be configured through setting the security property securerandom.strongAlgorithms in the JVM's java.security file.

2.7.2 Guidance for the Use of DRBGs and Configuring the JVM's Entropy Source

A user can instantiate the default Approved DRBG for the module explicitly by using SecureRandom.getInstance("DEFAULT", "CCJ"), or by using a CryptoComplyFipsProvider object instead of the provider name as appropriate. This will seed the Approved DRBG from the live entropy source of the JVM with a number of bits of entropy appropriate to the security level of the default Approved DRBG configured for the module. The JVM's entropy source is checked according to SP 800-90B, Section 4.4 using the suggested C values for the Repetition Count Test (Section 4.4.1) and the Adaptive Proportion Test (Section 4.4.2) by default. These values can also be configured using the security property com.safelogic.cryptocomply.entropy.factors. This property takes a comma separated list of C values: one for 4.4.1, one for 4.4.2, and a value of H. For the default, the property would be set as: com.safelogic.cryptocomply.entropy.factors: 4, 13, 8.0 in the java.security property file. An additional option is available using the Approved Hash DRBG and the process outlined in SP 800-90A, Section 8.6.5. This can be turned on by following the instructions in Section 2.3 of the User Guide. The two DRBGs are instantiated in a chain as a "Source DRBG" to seed the "Target DRBG" in accordance with Section 7 of Draft NIST SP 800-90C, where the Target DRBG is the default Approved DRBG used by the module. The initial seed and the subsequent reseeds for the DRBG chain come from the live entropy source configured for the JVM. The DRBG chain will reseed automatically by pausing for 20 requests (which will usually equate to 5120 bytes). An entropy gathering thread reseeds the DRBG chain when it has gathered sufficient entropy (currently 256 bits) from the live entropy source. Once reseeded, the request counter is reset and the reseed process begins again. The “Source DRBG” in the chain is internal to the module and inaccessible to the user to ensure it is only used for generating seeds for the default Approved DRBG of the module. The user shall ensure that the entropy source is configured per Section 2.7.1 of this Security Policy and will block, or fail, if it is unable to provide the amount of entropy requested.

2.8 Key Generation

The module performs Cryptographic Key Generation in conformance to FIPS 140-3 IG D.H. The CKG for symmetric keys and seeds used for generating asymmetric keys is performed as per Section 4 of the SP 800-133r2 (using the output of a random bit generator) and is compliant with FIPS 186-5 and SP 800Document Version 1.1 ©Quantum Knight, INC.

Page 35

90Ar1 for DRBG. The seed used in asymmetric key generation is the direct output of SP 800-90Ar1 DRBG. Refer to Section 9.1 of the Security Policy for SSP generation details.

2.9 Key Establishment

The module does not perform automatic SSP establishment, it only provides the components to the calling application, which can be used in SSP establishment.

2.10 Industry Protocols

The module implements KDFs from SP 800-135r1 (Recommendation for Existing Application-Specific Key Derivation Functions). These KDFs have been validated by the CAVP and received CVL certificates (A6047). No parts of these protocols, other than the CAVP tested components, have been reviewed or tested by the CAVP and CMVP. Document Version 1.1 ©Quantum Knight, INC.

Page 36
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData OutputAPI output parameters and return values – plaintext and/or ciphertext data.
N/AN/AControl InputAPI method calls – method calls or input parameters that
N/AN/AControl OutputN/A, not implemented
N/AN/AStatus OutputAPI output parameters and return/error codes that provide
N/AN/APowerN/A for software modules
3 Cryptographic Module Ports and Interfaces
3.1 Ports and Interfaces

As a software cryptographic module, the module supports logical interfaces only and not physical ports. All access to the module is through the module’s API. The API provides and defines the module’s logical interfaces. is also not applicable. The mapping of the FIPS 140-3 logical interfaces to the module is described in Table 12. Table 12

3.2 Additional Information

All interfaces are logically separated by the module’s API. When the module performs self-tests, is in an error state, is generating keys, or performing zeroization, the module prevents all output on the logical data output interface as only the thread performing the operation has access to the data. The module is single-threaded, and in an error state, the module does not return any output data, only an error value. Document Version 1.1 ©Quantum Knight, INC.

Page 37
Sensitive security parameter
NameTypeStrengthOperator TypeAuthentication Type
CORoleN/ACORoleCOCON/A – Authentication notN/A
UserUserRoleUserN/AN/A – Authentication not required for Level 1
4 Roles, Services, and Authentication
4.1 Authentication Methods

Not applicable. The module does not support authentication.

4.2 Roles

The module supports two distinct operator roles, which are the User and Cryptographic Officer (CO). The cryptographic module implicitly maps the two roles to the services. An operator is considered the owner of the thread that instantiates the module and, therefore, only one concurrent operator is allowed. The module does not support a maintenance role and/or bypass capability. Table 13 lists all operator roles supported by the module. Table 13 - Roles Document Version 1.1 ©Quantum Knight, INC. N/A N/A

Page 38
Service
NameDescriptionRolesCsps AccessedAccessIndicatorInputOutputApproved
InitializeThe JRE will call the static constructor for self-tests on module initializationCO / UserN/AN/AFlagN/AException in case of failureN/AN/A
4.3 Approved Services

Table 14 lists the module services and corresponding details. The modes of SSP access shown in the table are defined as:

Page 39
Service
NameDescriptionRolesCsps AccessedAccessIndicatorInputOutput
Show StatusA user can call FipsStatus.IsReady() at any time to determine if the module is ready. CryptoServicesRegistrar.IsI nApprovedOnlyMode() can be called to determine the approved mode of operationCO / UserN/AN/AFlagN/ABooleanN/A
Info ServiceCO / UserN/AN/AFlagN/AModule name and version, checksum, and statusN/AA user can call
Zeroize / Power-offThe module uses the JVM garbage collector on thread terminationCO / UserAll SSPsZFlagN/AShutdown indicationN/A

Indicator Document Version 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Z ©Quantum Knight, INC.

Page 40
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Data EncryptionUsed to encrypt dataCO / UserAES Encryption KeyAES CBC, AESEFlagKey, PlaintextCiphertext
Data DecryptionUsed to decrypt dataCO / UserAES Decryption KeyEFlagKey, CiphertextPlaintextAES CBC, AES CFB8, AES CFB128, AES CTR, AES ECB, AES FF1, AES OFB, AES CBC-CS1, AES CBC-CS2, AES CBC-CS3, AES CCM, AES GCM
MAC CalculationCO / UserEFlagKey, MessageMACAES CMAC, AES GMACUsed to calculate dataAES Authentication
integrity codes withintegrity codes withKey

Indicator Document Version 1.1 ©Quantum Knight, INC. E E E

Page 41
Service
NameDescriptionRolesCsps AccessedAccessIndicatorInputOutputKeys / SSPs
Signature GenerationUsed to generate digital signaturesCO / UserEFlagKey, MessageSignatureDSA, ECDSA, RSADSA Signing Key, EC Signing Key, RSA Signing Key
Signature VerificationUsed to verify digital signaturesCO / UserDSA VerificationEFlagKey, Message SignatureBooleanDSA, ECDSA, RSA

Document Version 1.1 Indicator ©Quantum Knight, INC. E E

Page 42
DRBG (SP 800-90Ar1) outputUsed to generate random numbers, IVs and keysFlagN/ADataCounter DRBG Hash DRBG HMAC DRBGAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DRBG Seed, Internal State V and C value, and DRBG Key, DSA Signing Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Key Transport Private Key, RSA Key Transport Public KeyCO / User CO / UserG E

Document Version 1.1 N/A ©Quantum Knight, INC. G E

Page 43
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Message HashingUsed to generate a message digest, SHAKE outputCO / UserN/ASHS, SHA-3,N/AFlagMessageHash
Keyed Message HashingUsed to calculate data integrity codes with HMAC and KMACCO / UserHMAC Authentication Key, KMAC Authentication KeyEFlagKey, MessageHashHMAC, SHA-3 Derived Functions (KMAC)
TLS Key Derivation FunctionUsed to calculate a value suitable to be used for a master secret in TLSCO / UserTLS KDF Secret ValueHKDF,EFlagTLS ParametersData
SP 800- 108r1 KDFUsed to calculate a value suitable to be used for a secret keyCO / UserSP 800-108r1 KDF Secret ValueEFlagKDF ParametersDataKBKDF using Pseudorando m Functions
SSH Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / UserSSH KDF Secret ValueExistingE:FlagSSH ParametersData
X9.63 Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / User CO / UserDH Agreement Private Key, EC Agreement Private Key, RSA Signing Key X9.63 KDF Secret ValueG EFlagX9.63 ParametersDataExisting Application- Specific (X9.63 KDF)

Indicator Document Version 1.1 ©Quantum Knight, INC. ApplicationSpecific (TLS N/A N/A E E

Page 44

Indicator m ApplicationSpecific (SSH ApplicationSpecific E E: G E Document Version 1.1 ©Quantum Knight, INC.

Page 45
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputKeys / SSPs
SP 800- 56Cr2 OneStep/ TwoStep Key Derivation Function (KDM)Used to calculate a value suitable to be used for a secret keyCO / User CO / UserDH AgreementHKDF, KDFG EFlagKDM ParametersDataHKDF, KDF One Step, KDF Two Step
One Step,Private Key,One Step,
KDF TwoEC AgreementKDF Two
StepPrivate Key,Step
IKEv2 Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / UserEFlagIKEv2 ParametersDataExisting Application- Specific (IKEv2 KDF)IKEv2 KDF Secret Value
SRTP Derivation FunctionUsed to calculate a value suitable to be used for a secret keyCO / UserExistingEFlagSRTP ParametersDataSRTP KDF Secret Value

SP 80056Cr2 Document Version 1.1 Indicator ©Quantum Knight, INC. ApplicationSpecific ApplicationSpecific G E E E

Page 46
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
PBKDFUsed to generate a key using an encoding of a password and a message hashCO / User CO / UserHMAC Authentication Key, KMAC Authentication Key HMAC Authentication Key, KMAC Authentication Key, PBKDF Secret ValueKDF Password- BasedG EFlagPassword, PBKDF ParametersData

Indicator PasswordBased G E Document Version 1.1 ©Quantum Knight, INC.

Page 47
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutputRoles
Key Agreement SchemesUsed to calculate key agreement valuesAES EncryptionKAS-ECC,G EFlagKey Agreement keys, ParametersDataKAS-ECC, KAS-FFC, KAS-IFC, Safe PrimesCO / User CO / User
KAS-FFC,Key,KAS-FFC,
KAS-IFC,AES DecryptionKAS-IFC,
Safe PrimesKey,Safe Primes
Key WrappingUsed to encrypt a key valueAES Wrapping Key, HMAC Authentication Key, KMAC Authentication Key, RSA Key Transport Private KeyEFlagWrapping key, KeyWrapped keyAES KW, AES KWP, KTS-IFCCO / User

Document Version 1.1 Indicator ©Quantum Knight, INC. G E E

Page 48
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
Key UnwrappingUsed to decrypt a key valueCO / UserAES KW, AESEFlagUnwrappin g key, Wrapped keyKeyAES KW, AES KWP, KTS-IFCAES Wrapping Key,
KWP, KTS-IFCKWP, KTS-IFCHMAC
VerificationKeyVerEC Verification KeyVerificationUser
Entropy CallbackGathers entropy in a passive manner from a user-provided functionCO / UserDRBG Seed, Internal State V and C value, and DRBG KeyGFlagN/ARandom bitsDRBG, CKG
DRBG Health TestsCO / UserN/AN/AFlagN/AN/ADRBGUsed to perform checks of

Indicator N/A N/A N/A Document Version 1.1 ©Quantum Knight, INC. N/A E E E N/A G

Page 49
SSP Export OperationReturns a CSP as data that can be used for later outputFlagSSPDataN/AAES Encryption Key, AES Decryption Key, AES Authentication Key, AES Wrapping Key, DH Agreement Private Key, DH Agreement Public Key, DSA Signing Key, DSA Verification Key, EC Agreement Private Key, EC Agreement Public Key, EC Signing Key, EC Verification Key, HMAC Authentication Key, KMAC Authentication Key, RSA Signing Key, RSA Key Transport Private Key, RSA Key Transport Public KeyCO / UserR

Document Version 1.1 ©Quantum Knight, INC. N/A R

Page 50
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicatorInputOutput
UtilityMiscellaneous utilityUserN/AN/AN/AFlagN/AN/AN/A

Document Version 1.1 Indicator N/A N/A ©Quantum Knight, INC. N/A N/A N/A

Page 51
Service
NameData Encryption
CalculationCalculationwith CMAC
4.4 Non-Approved Services

Table 15 - Non-Approved Services Flag is accessed by calling the method CryptoServicesRegistrar.isInApprovedOnlyMode() - this method will return true if the thread is running in approved-only mode, false otherwise. Refer also to Section 2.4 of this Security Policy. Document Version 1.1 ©Quantum Knight, INC.

Page 52
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity technique used by the module is HMAC-SHA-256. The integrity technique has received CAVP certificate A6047. The integrity technique is implemented by the module itself. The HMAC of the module JAR file, excluding directories and metadata, is calculated and compared to the expected value embedded within the module’s properties. If the calculated value does not match the expected value, the module raises an error and fails to load. The integrity test can be performed on demand by power cycling the host platform.

5.2 Initiate on Demand

Each time the module is powered up, it runs the pre-operational tests to ensure that the integrity of the module has been maintained. Self-tests are available on demand by power cycling the module. Document Version 1.1 ©Quantum Knight, INC.

Page 53
6 Operational Environment

The module operates in a modifiable operational environment under the FIPS 140-3 definitions. The module runs on a GPC running one of the operating systems specified in the approved operational environment list (refer to Section 2.2 of this Security Policy). Each approved operating system manages processes and threads in a logically separated manner. The module’s operator is considered the owner of the calling application that instantiates the module within the process space of the Java Virtual Machine.

6.1 Configuration Settings and Restrictions

The module must be installed as described in Security Policy Section 11.1. No specific configuration options are required for the operational environments. No security rules, settings, or restrictions to the configuration of the operational environment are needed for the module to function in a FIPS-conformant manner. Document Version 1.1 ©Quantum Knight, INC.

Page 54
7 Physical Security

The requirements of this section are not applicable to the module. The module is a software module and does not implement any physical security mechanisms. Document Version 1.1 ©Quantum Knight, INC.

Page 55
8 Non-Invasive Security

The requirements of this section are not applicable to the module. Document Version 1.1 ©Quantum Knight, INC.

Page 56
9 Sensitive Security Parameter Management

All Sensitive Security Parameters (SSPs) used by the module are described in this section in Table 16. All usage of these SSPs by the module (including all SSP lifecycle states) is described in the services detailed in Section 4.3 - Approved Services. Please note that the module does not perform automatic SSP establishment, it only provides the components to the calling application, which can be used in SSP establishment. Document Version 1.1 ©Quantum Knight, INC.

Page 57
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
AES encryption23128, 192, 256 bitsAES CBC,DRBG20N/AN/AImport21, Export22AES Encryption Keydestroy() service call or host platform power cycle
9.1 SSPs

Table 16 - Sensitive Security Parameters (SSPs) Key Table AES CBCCS1, AES AES CBCCS3, AES N/A N/A The module does not provide persistent storage Key generator used in conjunction with an approved DRBG Import done via key constructor and/or factory (Electronic Entry) Export done via key recovery using getEncoded() method and followed by separate step to export key details as either plaintext or encrypted (Electronic Entry) Document Version 1.1 ©Quantum Knight, INC.

Page 58
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
AES decryption128, 192, 256 bitsDRBG20N/AN/AImport21, Export22AES Decryption KeyAES CBC, AES CFB8, AES CFB128, AES CTR, AES ECB, AES FF1, AES OFB, AES CBC- CS1, AES CBC-CS2, AES CBC- CS3, AES CCM, AES GCM, CKG A6047destroy() service call or host platform power cycle
AES CMAC/GMAC128, 192, 256 bitsAES CMAC,DRBG20N/AN/AImport21, Export22AES Authentication Keydestroy() service call or host platform power cycle

AES CBCCS1, AES AES CBCCS3, AES N/A N/A N/A N/A The AES GCM key and IV is generated randomly per IG C.H, and the Initialization Vector (IV) is a minimum of 96 bits. In the event module power is lost and restored, the consuming application must ensure that any of its AES GCM keys used for encryption or decryption are re-distributed. Refer to Section 2.6.1 of the Security Policy. Document Version 1.1 ©Quantum Knight, INC.

Page 59
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
AES (128/192/256) key wrapping key for KTS128, 192, 256 bitsDRBG20N/AN/AImport21, Export22AES Wrapping KeyAES KW, AES KWP, CKG A6047destroy() service call or host platform power cycle
DH Agreement Private Key112, 128, 152, 176, 200 bitsDRBG20N/AN/AImport21, Export22DH Agreement Private KeyKAS-FFC, CKG A6047destroy() service call or host platform power cycleDiffie-Hellman
Diffie-Hellman (ffdhe and MODP) key agreement May be paired with DH Agreement Private Key112, 128, 152, 176, 200 bitsDRBG20N/AN/AImport21, Export22DH Agreement Public KeyKAS-FFC, CKG A6047Not zeroized, public key value known outside of module
DSA Signing Key112, 128 bitsDSADRBG20N/AN/AImport21, Export22DSA Signing KeyDSA Signature Generation, CKG A6047destroy() service call or host platform power cycleDSA signature
SignatureSignaturegeneration
CKGCKGMay be paired
A6047A6047Verification
DSA signature verification May be paired with DSA Signing Key80, 112, 128 bitsDRBG20N/AN/AImport21, Export22DSA Verification KeyDSA Signature Verification, CKG A6047Not zeroized, public key value known outside of module
EC Agreement Private Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Agreement Private KeyKAS-ECC, CKG A6047destroy() service call or host platform power cycleEC key
EC key agreement May be paired with EC Agreement Private Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Agreement Public KeyKAS-ECC, CKG A6047Not zeroized, public key value known outside of module
EC Signing Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Signing KeyECDSA Signature Generation, CKG A6047destroy() service call or host platform power cycleECDSA
ECDSA signature verification. May be paired with EC Signing Key112, 128, 192, 256 bitsDRBG20N/AN/AImport21, Export22EC Verification KeyECDSA Signature Verification, CKG A6047Not zeroized, public key value known outside of module
Keyed-Hash Calculation112-256 bitsHMAC-SHA-DRBG20N/AN/AImport21, Export22HMAC Authentication Keydestroy() service call or host platform power cycle
Keyed-Hash Calculation112-256 bitsDRBG20N/AN/AImport21, Export22KMAC Authentication KeyKMAC, CKG A6047destroy() service call or host platform power cycle
RSA Signing Key112, 128, 152 bitsDRBG20N/AN/AImport21, Export22RSA Signing KeyRSA Signature Generation, CKG A6047destroy() service call or host platform power cycleRSA signature
RSA signature verification May be paired with RSA Signing Key80, 112, 128, 152 bitsDRBG20N/AN/AImport21, Export22RSA Verification KeyRSA Signature Verification, CKG A6047Not zeroized, public key value known outside of module

N/A N/A N/A N/A N/A N/A Document Version 1.1 ©Quantum Knight, INC.

Page 60

N/A N/A Document Version 1.1 ©Quantum Knight, INC. N/A N/A N/A N/A

Page 61

N/A N/A N/A N/A Document Version 1.1 ©Quantum Knight, INC. N/A N/A

Page 62

HMAC-SHA1, HMACSHA-2, N/A N/A N/A N/A N/A N/A Document Version 1.1 ©Quantum Knight, INC. N/A N/A

Page 63
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
RSA Key Transport Private Key24112, 128, 152 bitsKTS-IFC,DRBG20N/AN/AImport21, Export22RSA Key Transport Private Key24KTS-IFC, CKG A6047destroy() service call or host platform power cycleRSA key
CKGCKGtransport and
RSA key transport May be paired with RSA Key Transport Private Key112, 128, 152 bitsDRBG20N/AN/AImport21, Export22RSA Key Transport Public Key24KTS-IFC, CKG A6047Not zeroized, public key value known outside of module
Key Derivation112, 128, 192, 256 bitsN/AN/AN/AIKEv2 KDF Secret ValueKDF IKEv2 A6047destroy() service call or host platform power cycleGenerated as
Key Derivation112-256 bitsGenerated as output of a PBE key and a PRFN/AN/AN/APBKDF Secret ValuePBKDF A6047destroy() service call or host platform power cycle

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A RSA key transport using PKCS#1 1.5 padding is deprecated through 2023 and disallowed after 2023. Document Version 1.1 ©Quantum Knight, INC.

Page 64
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Key Derivation112, 128, 192, 256 bitsKDAGenerated as output of an agreement schemeN/AN/AN/ASP 800-56Cr2 OneStep/ TwoStep KDF Secret Valuedestroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsGenerated as output of an agreement schemeN/AN/AN/ASP 800-108r1 KDF Secret Valuedestroy() service call or host platform power cycleKDF SP 800- 108 A6047
Key Derivation128, 192, 256 bitsN/AN/AN/ASRTP KDF Secret Valuedestroy() service call or host platform power cycleKDF SRTP A6047Generated as
Key Derivation80, 112, 128, 192, 256 bitsGenerated as output of an SSH agreement schemeN/AN/AN/ASSH KDF Secret Valuedestroy() service call or host platform power cycleKDF SSH A6047

Document Version 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A ©Quantum Knight, INC.

Page 65
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Used to derive keys using TLS KDF384 bitsKDF TLSN/AN/AImport21, Export22TLS Premaster Secret ValueKDF TLS A6047Protocoldestroy() service call or host platform power cycle
A6047A6047bytes) and 46
Key Derivation112, 128, 192, 256 bitsGenerated as output of TLS agreement schemeN/AN/AN/ATLS KDF Secret ValueKDF TLS A6047destroy() service call or host platform power cycle
Key Derivation112, 128, 192, 256 bitsKDF ANSN/AN/AN/AX9.63 KDF Secret ValueGenerated asdestroy() service
9.639.63output of ancall or host
agreementagreementplatform power
A6047A6047schemecycle
Random Number Generation>128 bitsN/AN/AN/AObtained from the entropy sourceEntropy Input StringN/Adestroy() service call or host platform power cycle
Internal use128, 192, 256 bitsN/AN/AN/ACTR DRBG SeedN/AImmediatelyFrom
externalafter use or hostexternal
entropyplatform powerentropy
sourcecyclesource
Internal use128 bitsFrom seed valueN/AN/AN/ACTR DRBG V ValueN/Areseed() service call or host platform power cycle

N/A N/A N/A N/A N/A Document Version 1.1 ©Quantum Knight, INC. N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Page 66
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Internal use128, 192, 256 bitsN/AFrom DRBG V valueN/AN/AN/ACTR DRBG KeyN/Areseed() service
Internal use112, 128, 192, 256 bitsN/AN/AN/AFrom external entropy sourceHash DRBG SeedN/AImmediately after use or host platform power cycle
Internal use112, 128, 192, 256 bitsFrom seed valueN/AN/AN/AHash DRBG V ValueN/Areseed() service
Internal use112, 128, 192, 256 bitsFrom DRBG V valueN/AN/AN/AHash DRBG C ValueN/Areseed() service call or host platform power cycle
Internal use112, 128, 192, 256 bitsN/AN/AN/AHMAC DRBG SeedN/AImmediatelyFrom
externalafter use or hostexternal
entropyplatform powerentropy
sourcecyclesource
Internal use112, 128, 192, 256 bitsFrom seed valueN/AN/AN/AHMAC DRBG V ValueN/Areseed() service call or host platform power cycle

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Document Version 1.1 ©Quantum Knight, INC.

Page 67
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportSSP Name / TypeZeroisation
Internal use112, 128, 192, 256 bitsN/AFrom DRBG V valueN/AN/AN/AHMAC DRBG KeyN/Areseed() service
Used as seed for asymmetric key generation or for symmetric key generation128, 192, 256 bitsDRBGN/AN/AN/ADRBG OutputN/Adestroy() service call or host platform power cycle

Document Version 1.1 N/A N/A N/A N/A N/A N/A N/A N/A ©Quantum Knight, INC.

Page 68
Approved algorithm
NameMode MethodKey Size
Test TargetTest TargetDescription
AES ECBAES ECBEncryption KAT (128 bits)
AES ECBDecryption KAT (128 bits)
AES CCMAES CCMEncryption KAT (128 bits)
AES CCMDecryption KAT (128 bits)
AES CMACAES CMACGeneration KAT (128 bits)
AES CMACVerification KAT (128 bits)
AES GCMAES GCMEncrypt KAT (128 bits)
AES GCMDecrypt KAT (128 bits)
HASH DRBGSHA2-256 KAT (Health Tests: Generate, Reseed, Instantiate
HMAC DRBGHMAC-SHA2-256 KAT (Health Tests: Generate, Reseed, Instantiate functions per Section 11.3 of SP 800-90Ar1)
CTR DRBGAES CTR 256 bits KAT (Health Tests: Generate, Reseed, Instantiate
DSASignature Generation KAT (2048 bits)
DSADSASignature Verification KAT (2048 bits)
Test TargetTest TargetDescription
ECDSASignature Generation KAT (P-256)
ECDSAECDSASignature Verification KAT (P-256)
HMAC-SHA2-256HMAC-SHA2-256 KAT
HMAC-SHA2-512HMAC-SHA2-512HMAC-SHA2-512 KAT
HMAC-SHA3-256HMAC-SHA3-256 KAT
KAS-ECCKAS-ECCPrimitive “Z” Computation KAT (P-256)
KAS-ECCPrimitive “Z” Computation KAT (B-233)
KAS-FFCKAS-FFCPrimitive “Z” Computation KAT (ffdhe2048)
KBKDFKBKDF KAT (Counter, Feedback, Double Pipeline)
KDA OneStepKDA OneStepKDA OneStep KAT
KDA TwoStepKDA TwoStep KAT
PBKDFPBKDFPBKDF KAT (HMAC-SHA2-256)
RSASignature Generation KAT (2048 bits)
RSARSASignature Verification KAT (2048 bits)
RSA EncryptionRSA Encryption KAT SP 800-56Br2 (2048 bits)
RSA DecryptionRSA DecryptionRSA Decryption KAT SP 800-56Br2 (2048 bits)
SHA-1SHA-1 KAT
SHA2-256SHA2-256SHA2-256 KAT
SHA2-512SHA2-512 KAT
SHA-3SHA-3SHA-3 KAT (cSHAKE-128)
SHAKE256SHAKE256 KAT
ANS 9.63 KDFANS 9.63 KDFANS 9.63 KDF KAT
IKEv2 KDFIKEv2 KDF KAT
SNMP KDFSNMP KDFSNMP KDF KAT
SRTP KDFSRTP KDF KAT
SSH KDFSSH KDFSSH KDF KAT
TLS 1.0 KDFTLS 1.0 KDF KAT
TLS 1.1 KDFTLS 1.1 KDFTLS 1.1 KDF KAT
TLS 1.2 KDFTLS 1.2 KDF KAT
Test TargetTest TargetDescription
DHDHDH Pairwise Consistency Test
DSADSA Pairwise Consistency Test
EC DHEC DHEC DH Pairwise Consistency Test
ECDSAECDSA Pairwise Consistency Test
RSARSARSA Pairwise Consistency Test
10 Self-Tests

Cryptographic Algorithm Self-Tests (CASTs) are performed prior to the first use of services related to the test target. CASTs also run periodically on service invocation. Pairwise Consistency Tests (PCTs) are performed on the corresponding key pairs.

10.1 Pre-Operational Self-Tests

Each time the module is powered up, it performs the pre-operational self-tests to confirm that sensitive data has not been damaged. The pre-operational tests include the software integrity test, which verifies the module using HMACSHA-256. Pre-operational tests also include the HMAC and SHS CASTs that are run prior to the software integrity test to ensure the correctness of the HMAC used. Pre-operational self-tests are available on demand by power cycling the module.

10.2 Conditional Self-Tests

The module performs conditional self-tests when the conditions specified for cryptographic algorithm self-test and pair-wise consistency tests occur. The self-tests implemented are specified below. Table 17

Page 69

Table 18

Page 70
10.3 Error States

If any of the above-mentioned self-tests fail, the module enters an error state called “Hard Error” state. Upon entering the error state, the module outputs status by way of an exception. An example exception for AES Encryption failure is: “Failed self-test on encryption: AES” The module can be recovered by power cycling, which results in execution of pre-operational self-tests and conditional cryptographic algorithm self-tests. If the tests pass, then the module will be available for use.

10.4 Operator Initiation of Self-Tests

Each time the module is powered up, it runs the pre-operational tests to ensure that the integrity of the module has been maintained. Pre-operational self-tests are available on demand by power cycling the module. Initial CAST self-tests are available on demand by power cycling the module and then invoking the service related to the test target. Document Version 1.1 ©Quantum Knight, INC.

Page 71
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module exists as part of the running JVM, and as such:

11.2 Basic Guidance

The JAR file representing the module needs to be installed in a JVM's class path in a manner appropriate to its use in applications running on the JVM. Functionality in the module is provided in two ways. At the lowest level there are distinct classes that provide access to the approved and non-approved services provided by the module. A more abstract level of access can also be gained by using strings providing operation names passed into the module's Java cryptography provider through the APIs described in the Java Cryptography Architecture (JCA) and the Java Cryptography Extension (JCE). When the module is used in approved mode, classes providing implementations of algorithms that are not approved or allowed are explicitly disabled. SSPs such as private and secret keys implement the Destroyable interface. Where appropriate these SSPs can be zeroized on demand by invoking the destroy() method. The return of the destroy() method indicates that the zeroization is complete.

11.3 Use of the JVM with a Java SecurityManager

If the underlying JVM is running with a Java SecurityManager installed, the module will be running in approved mode with secret and private key export disabled. Document Version 1.1 ©Quantum Knight, INC.

Page 72
PermissionSettingsRequiredUsage
RuntimePermissionRuntimePermissiongetProtectionDomaingetProtectionDomainYesYesAllows checksum to be
carried out on JAR.
RuntimePermissionaccessDeclaredMembersYesAllows use of reflection API within the provider.
PropertyPermissionjava.runtime.name,NoOnly if configuration
readproperties are used.
SecurityPermissionputProviderProperty.CCJNoOnly if provider installed during execution.
CryptoServicesPermissionunapprovedModeEnabledNoOnly if non-approved mode
algorithms required.
CryptoServicesPermissionchangeToApprovedModeEnabledNoOnly if threads allowed to change modes.
CryptoServicesPermissionexportSecretKeyNoTo allow export of secret
keys only.
CryptoServicesPermissionexportPrivateKeyNoTo allow export of private keys only.
CryptoServicesPermissionexportKeysYesRequired to be applied for
the module itself. Optional
for any other codebase.
CryptoServicesPermissiontlsNullDigestEnabledNoOnly required for TLS digest calculations.
CryptoServicesPermissiontlsPKCS15KeyWrapEnabledNoOnly required if TLS is used
with RSA encryption.
11.3.1 Additional Enforcement with a Java SecurityManager

In the presence of a Java SecurityManager approved mode services specific to a context, such as DSA and ECDSA for use in TLS, require specific policy permissions to be configured in the JVM configuration by the Cryptographic Officer or User. The SecurityManager can also be used to restrict the ability of particular code bases to examine CSPs. In the absence of a Java SecurityManager specific services related to protocols such as TLS are available, however must only be used in relation to those protocols.

11.3.2 Permissions for Java SecurityManager

Use of the module with a Java SecurityManager requires the setting of some basic permissions to allow the module HMAC-SHA-256 software integrity test to take place as well as to allow the module itself to examine secret and private keys. The basic permissions required for the module to operate correctly with a Java SecurityManager are indicated by the Required column of Table 19. Table 19 - Available Java Permissions for SecurityManager Document Version 1.1 ©Quantum Knight, INC.

Page 73
PermissionSettingsRequiredUsage
CryptoServicesPermissiontlsAlgorithmsEnabledNoEnables both NullDigest and PKCS15KeyWrap.
CryptoServicesPermissiondefaultRandomConfigNoAllows setting of default
SecureRandom.
CryptoServicesPermissionthreadLocalConfigNoRequired to set a thread local property in the CryptoServicesRegistrar.
CryptoServicesPermissionglobalConfigNoRequired to set a global
property in the
CryptoServicesRegistrar.
11.4 Design and Rules

The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.

  1. The module provides two distinct operator roles: User and Cryptographic Officer.
  2. The module does not provide authentication.
  3. The operator may command the module to perform the self-tests by cycling power or resetting the module.
  4. Self-tests do not require any operator action.
  5. Data output is inhibited during self-tests, zeroization, and error states. Output related to keys and their use is inhibited until the key concerned has been fully generated.
  6. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  7. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  8. The module does not support concurrent operators.
  9. The module does not have any external input/output devices used for entry/output of data.
  10. The module does not enter or output plaintext CSPs from the module’s physical boundary.
  11. The module does not output intermediate key values.
11.4.1 Mode of Operation Rules

When the module is used within the context of Java Security Manager or the system/security property com.safelogic.cryptocomply.fips.approved_only is set to true, the module will start in approved mode and non-approved services are not accessible in this mode. When the module is not used within the context of Java Security Manager, the module will start in non-approved mode by default. Refer to Security Policy Section 2.4 for additional details. Document Version 1.1 ©Quantum Knight, INC.

Page 74
11.4.1.1 From Non-Approved Mode to Approved Mode

The transition from non-approved mode to approved mode is a combination of granted permission (a) and request to change mode (b): a) com.safelogic.cryptocomply.crypto.CryptoServicesPermission “changeToApprovedModeEnabled” b) CryptoServicesRegistrar.setApprovedMode(true) The CSPs made available in non-approved mode will not be accessible once the thread transitions into approved mode. The CSPs generated using the non-approved mode cannot be passed or shared with algorithms operating in approved mode, and vice-versa. This is done by an indicator within the class (object) instantiating the key that the key was created in an approved mode or non-approved mode. Any attempt by a thread within the module to use the key in an opposite mode will result in an exception being generated by the module. For example, if an RSA private key has been created in either approved or non-approved mode, then any request to access that key will first need to confirm if the thread making the request is in the same mode.

11.4.1.2 From Approved Mode to Non-Approved Mode

The module cannot transition from approved mode to non-approved mode. To initiate the module in non-approved mode, either it should not be used in the context of Java Security Manager, or the module should have the permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission unapprovedModeEnabled granted by the Java Security Manager.

11.5 Vulnerabilities

Vulnerabilities found in the module will be reported on the National Vulnerability Database, located at the following link: https://nvd.nist.gov/ Researchers and users are encouraged to report any security related concerns to Quantum Knight. Contact information can be found on the FIPS 140 certificate for this module. Document Version 1.1 ©Quantum Knight, INC.

Page 75
12 Mitigation of Other Attacks

The module implements basic protections to mitigate against timing-based attacks against its internal implementations. There are two countermeasures used. The first countermeasure is Constant Time Comparisons, which protect the digest and integrity algorithms by strictly avoiding “fast fail” comparison of MACs, signatures, and digests so the time taken to compare a MAC, signature, or digest is constant regardless of whether the comparison passes or fails. The second countermeasure is made up of Numeric Blinding and decryption/signing verification which both protect the RSA algorithm. Numeric Blinding prevents timing attacks against RSA decryption and signing by providing a random input into the operation which is subsequently eliminated when the result is produced. The random input makes it impossible for a third party observing the private key operation to attempt a timing attack on the operation as they do not have knowledge of the random input and consequently the time taken for the operation tells them nothing about the private value of the RSA key. Decryption/signing verification is carried out by calculating a primitive encryption or signature verification operation after a corresponding decryption or signing operation before the result of the decryption or signing operation is returned. The purpose of this is to protect against Lenstra's CRT attack by verifying the correctness of the private key calculations involved. Lenstra's CRT attack takes advantage of undetected errors in the use of RSA private keys with CRT values and, if exploitable, can be used to discover the private value of the RSA key. Document Version 1.1 ©Quantum Knight, INC.

Page 76
Acronyms
NameTermDefinition
ANSI X9.31ANSI X9.31X9.31-1998, Digital Signatures using Reversible Public Key Cryptography for theANSI X9.31
FIPS 140-3FIPS 140-3Security Requirements for Cryptographic modules, March 22, 2019
FIPS 180-4FIPS 180-4Secure Hash Standard (SHS)
FIPS 186-2FIPS 186-2Digital Signature Standard (DSS)
FIPS 186-4FIPS 186-4Digital Signature Standard (DSS)
FIPS 186-5FIPS 186-5Digital Signature Standard (DSS)
FIPS 197FIPS 197Advanced Encryption Standard
FIPS 198-1FIPS 198-1The Keyed-Hash Message Authentication Code (HMAC)
FIPS 202FIPS 202SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
IGIGImplementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program
PKCS#1 v2.1PKCS#1 v2.1RSA Cryptography Standard
PKCS#5PKCS#5Password-Based Cryptography Standard
PKCS#12Personal Information Exchange Syntax Standard -Recommendation for the Triple DataPKCS#12
SP 800-38ASP 800-38ARecommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
SP 800-38BRecommendation for Block Cipher Modes of Operation: The CMAC Mode forSP 800-38B
SP 800-38CSP 800-38CRecommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
SP 800-38DRecommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM)SP 800-38D
SP 800-38FSP 800-38FRecommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
SP 800-38GRecommendation for Block Cipher Modes of Operation: Methods for Format-SP 800-38G
SP 800-56Ar3SP 800-56Ar3Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP 800-56Br2Recommendation for Pair-Wise Key Establishment Schemes Using Integer FactorizationSP 800-56Br2
SP 800-56Cr2SP 800-56Cr2Recommendation for Key Derivation through Extraction-then-Expansion
SP 800-67r2SP 800-67r2Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-89SP 800-89Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-90ARecommendation for Random Number Generation Using Deterministic Random BitSP 800-90A
SP 800-90BSP 800-90BRecommendation for the Entropy Sources Used for Random Bit Generation
SP 800-108r1SP 800-108r1Recommendation for Key Derivation Using Pseudorandom Functions
SP 800-131ASP 800-131ATransitioning the Use of Cryptographic Algorithms and Key Lengths
SP 800-132SP 800-132Recommendation for Password-Based Key Derivation
SP 800-133r2SP 800-133r2Recommendation for Cryptographic Key Generation
SP 800-135r1SP 800-135r1Recommendation for Existing Application – Specific Key Derivation Functions
SP 800-185SP 800-185SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
AcronymAcronymDefinition
AESAESAdvanced Encryption Standard
APIAPIApplication Programming Interface
CASTCASTCryptographic Algorithm Self-Test
CBCCBCCipher-Block Chaining
CCMCCMCounter with CBC-MAC
CCCSCCCSCanadian Centre for Cyber Security
CDHCDHComputational Diffie-Hellman
CFBCFBCipher Feedback Mode
CMACCMACCipher-based Message Authentication Code
CMVPCMVPCryptographic Module Validation Program
COCOCryptographic Officer
CPUCPUCentral Processing Unit
CSCSCiphertext Stealing
CTRCTRCounter Mode
CVLCVLComponent Validation List
DESDESData Encryption Standard
DHDHDiffie-Hellman
DRAMDRAMDynamic Random Access Memory
DRBGDRBGDeterministic Random Bit Generator
DSADSADigital Signature Algorithm
DSTU4145DSTU4145Ukrainian DSTU-4145-2002 Elliptic Curve Scheme
ECECElliptic Curve
ECBECBElectronic Code Book
ECCECCElliptic Curve Cryptography
ECDSAECDSAElliptic Curve Digital Signature Algorithm
EdDSAEdDSAEdwards Curve DSA using Ed25519, Ed448
EMCEMCElectromagnetic Compatibility
EMIEMIElectromagnetic Interference
FIPSFIPSFederal Information Processing Standard
GCMGCMGalois/Counter Mode
GMACGMACGalois Message Authentication Code
GOSTGosudarstvennyi Standard Soyuza SSR/Government Standard of the Union of Soviet SocialistGOST
GPCGPCGeneral Purpose Computer
HMACHMAC(Keyed) Hashed Message Authentication Code
IGIGImplementation Guidance, see References
IVIVInitialization Vector
JARJARJava ARchive
AcronymAcronymDefinition
JCAJCAJava Cryptography Architecture
JCEJCEJava Cryptography Extension
JDKJDKJava Development Kit
JREJREJava Runtime Environment
JVMJVMJava Virtual Machine
KASKASKey Agreement Scheme
KATKATKnown Answer Test
KDFKDFKey Derivation Function
KWKWKey Wrap
KWPKWPKey Wrap with Padding
KMACKMACKECCAK Message Authentication Code
MACMACMessage Authentication Code
MD5MD5Message Digest algorithm MD5
N/AN/ANot Applicable
OCBOCBOffset Codebook Mode
OFBOFBOutput Feedback
OSOSOperating System
PBKDFPBKDFPassword-Based Key Derivation Function
PKCSPKCSPublic Key Cryptography Standards
PQGPQGDiffie-Hellman Parameters P, Q and G
RCRCRivest Cipher, Ron’s Code
RIPEMDRIPEMDRACE Integrity Primitives Evaluation Message Digest
RSARSARivest Shamir Adleman
SHASHASecure Hash Algorithm
TLSTLSTransport Layer Security
USBUSBUniversal Serial Bus
XDHXDHEdwards Curve Diffie-Hellman using X25519, X448
XOFXOFExtendable-Output Function

Appendix: References and Acronyms The following standards are referred to in this Security Policy. Table 20 - References Document Version 1.1 ©Quantum Knight, INC.

Page 77

Document Version 1.1 ©Quantum Knight, INC.

Page 78

The following acronyms are used in this Security Policy. Table 21 - Acronyms Document Version 1.1 ©Quantum Knight, INC.

Page 79

N/A Document Version 1.1 ©Quantum Knight, INC.

Page 80

Prepared By: SafeLogic, Inc. Website: www.safelogic.com Email: sales@safelogic.com Phone: 844-436-2797

8300 Boone Blvd., Suite 500

Vienna, VA 22182 Document Version 1.1 ©Quantum Knight, INC.

Referenced URLs