All modules
CMVP Validated Module · FIPS 140-3 Security Policy

SE052F

Certificate#5139StandardFIPS 140-3Level3TypeHardwareEmbodimentSingle ChipStatusActiveVendorNXP Semiconductors, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level3
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date3/10/2029
CaveatWhen installed, initialized and configured as specified in Section 11 of the Security Policy.
VendorNXP Semiconductors, Inc.

Approved Algorithms (34)

AlgorithmACVP Cert
AES-CBCA2713
AES-CCMA2713
AES-CMACA2713
AES-CTRA2713
AES-ECBA2713
AES-GCMA2714
AES-GMACA2714
AES-KWA2714
Counter DRBGA2713
ECDSA KeyGen (FIPS186-4)A2713
ECDSA SigGen (FIPS186-4)A2713
ECDSA SigVer (FIPS186-4)A2713
HMAC-SHA-1A2713
HMAC-SHA2-256A2713
HMAC-SHA2-384A2713
HMAC-SHA2-512A2713
KAS-ECC-SSC Sp800-56Ar3A2713
KDA HKDF Sp800-56Cr1A2713
KDA OneStep Sp800-56Cr1A2714
KDA OneStep Sp800-56Cr1A2715
KDF SP800-108A2713
KDF SP800-108A2713
KDF TLSA2714
PBKDFA2714
RSA Decryption PrimitiveA2713
RSA KeyGen (FIPS186-4)A2713
RSA SigGen (FIPS186-4)A2713
RSA Signature PrimitiveA2713
RSA SigVer (FIPS186-4)A2713
SHA-1A2713
SHA2-224A2713
SHA2-256A2713
SHA2-384A2713
SHA2-512A2713

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for SE052F
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status output<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for SE052F
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status output<br/>Show status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

FIPS 140-3 Security Policy

Page 2

FIPS 140-3 Security Policy

1.0 July 18, 2022 Full Release, added CAVP Cert. # to Table 3

1.1 June 14, 2023 Update after first round NIST comments
1.2 June 23, 2023 Update chapter 10
1.3 August 17, 2023 Update after CMVP comments
1.4 November 24, 2023 Update after CMVP comments
1.5 December 24, 2023 Update after CMVP comments

1.6 March 20, 2025 Minor updates to Section 2 to remove vendor affirmation claims based

1.7 July 31, 2025 Rebranded from JCOP 4.5 on P71D600 to SE052F

Public Material

Page 3

FIPS 140-3 Security Policy

Page 4

FIPS 140-3 Security Policy

Page 5

FIPS 140-3 Security Policy

1 General

Introduction Federal Information Processing Standards Publication 140-3

Page 6

FIPS 140-3 Security Policy

1 General 3

2 Cryptographic Module Specification 3

3 Cryptographic Module Interfaces 3

4 Roles, Services, and Authentication 3

5 Software/Firmware Security 3

6 Operational Environment N/A

7 Physical Security 4

8 Non-Invasive Security 3

9 Sensitive Security Parameter Management 3

10 Self-Tests 3

11 Life-Cycle Assurance 3

12 Mitigation of Other Attacks 3

Table 1

Page 7

FIPS 140-3 Security Policy

2 Cryptographic Module Specification

The module, validated to FIPS 140-3 overall Level 3, is a hardware module with single chip embodiment named SE052F implementing the GlobalPlatform operational environment (Card Manager (ISD/SSD)) and the applications:

00000000 the content in

SE052F N7122 A1 J3R6000373181200 B3375FE9B5508BC4 NXP

00000000 ROM,

SEMS NVM and Lite loaded applet patches; v2.0.2.11 The Platform ID is a data string that allows the identification of the P71D600 Card Table 2

Page 8

FIPS 140-3 Security Policy

256 curve or the vendor Approved and NIST allowed Brainpool256r1 elliptic curve to perform the ECDSA or

KASECC operations. In the Approved mode of operation, the NXP SEMS Lite applet supports the Brainpool256r1 elliptic curve by default. The CO role may use SEMS Lite Module Management service to load NIST P-256 curve parameters. The P71D600 GlobalPlatform operational environment component can be identified by using the IDENTIFY APDU command (Info service). This command returns the card identification data, which includes a Platform ID, a Patch ID and other information that allows the identification of the content in ROM, NVM and loaded patches. The Platform ID is a data string that allows the identification of the P71D600 Card Manager component. The IDENTIFY APDU command is formatted as follows: Code Value Parameter settings CLA ‘80’ GlobalPlatform INS ‘CA’ GET DATA (IDENTIFY) - ISD P1 ‘00’ High order tag value P2 ‘FE’ Low order tag value - proprietary data Lc ‘02’ Length of data field Data ‘DF28’ Module identification data Public Material

Page 9

FIPS 140-3 Security Policy – SE052F Le ‘00’ Length of response data The command answers the content of the DF28 file: • Tag 02 identifies the Patch ID (see Table 2) • Tag 03 identifies the Platform Build ID which is made up of the Platform ID (16 Bytes, see Table 2) and the platform build fingerprint (8 Bytes) • Tag 08 identified the ROM ID (see Table

  1. To verify that the GlobalPlatform operational environment runs in the Approved mode of operation, use the IDENTIFY APDU (as described above). The DF28 file tag ‘05’ contains the status of the Approved mode compliancy, where ‘00’ identifies Approved mode not active and ‘01’ - Approved mode active. Both NXP IoT applet and NXP SEMS Lite applet of the module are configured to always run in an Approved mode of operation. The personalized product shall have: • NXP IoT applet v7.2.22 identification: o Package ID: A00000039654530000000103000200H o Applet ID: A0000003965453000000010300000000H o Instance ID: A0000003965453000000010300000000H • NXP SEMS Lite applet v2.0.2.11 identification: o Package ID: A00000039654530000000103300000H o Applet ID: A0000003965453000000010330000000H o Instance ID: A0000003965453000000010330000000H The operator can verify that NXP IoT applet v7.2.22 is in an Approved mode of operation by sending the two (2) following commands to the module:
  2. The SELECT APDU command (Context service) will be called with the following parameters: CLA = 00, INS = A4, P1 = 04, P2 = 00, Lc = 10, Incoming Data = A0000003965453000000010300000000, and Le =
  3. The module shall answer 07021626F2FFFF followed by status code 9000. The response includes the BCD encoded applet version (070216) and the supported applet feature bitmap (26F2). This encoded applet version (070216) corresponds to the decimal version v7.2.22 of the IoT Applet as specified in Table 2 in this document and the module certificate. It is not possible in any way to modify the applet version or the supported features bitmap after the device leaves the factory.
  4. The GetVersion APDU command (IoT Applet Management service) shall be called to get the extended feature bitmap. This command is 80040021 and shall return 26F20000011D81C1E101000E0000000F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F to be in Approved mode of operation. Public Material – May be reproduced only in its original entirety (without revision).
Page 10

FIPS 140-3 Security Policy – SE052F The operator can verify that NXP SEMS Lite applet v2.0.2.11 is an Approved mode of operation by sending the three (3) following commands to the module:

  1. The SELECT APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 00, INS = A4, P1 = 04, P2 = 00, Lc = 10, Incoming Data = A0000003965453000000010330000000, and Le =
  2. Return code shall be 90 00 (OK)
  3. The GET DATA APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = DE, and Le = 00.The command shall return DE04020002119000 with 02000211 indicating the NXP SEMS Lite applet version. This encoded applet version (02000211) corresponds to the decimal version v2.0.2.11 of the IoT Applet as specified in Table
2 in this document and the module certificate.
  1. The GET DATA APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = C6, and Le =
  2. The command shall return C601019000 with C60101 indicating the NXP SEMS Lite applet is configured in Approved mode of operation. The module does not support a degraded operation. Public Material – May be reproduced only in its original entirety (without revision).
Page 11

FIPS 140-3 Security Policy

Page 12

FIPS 140-3 Security Policy

Page 13

FIPS 140-3 Security Policy

192 and 256-bit key existing keys

strength HMAC-SHA1, HMAC-SHA2-256, HMACHKDF Operations A2713 KDF SP800-108 Feedback SHA2-384, HMACexpand only SHA2-512 with 128 and 256-bit key strength RSA Decryption RSA Decryption n=2048 with 112-bit Decryption Primitive (standard A2713 Primitive Primitive decryption strength and CRT) n=2048, 3072, 4096 RSA KeyGen Key Generation (standard and A2713 RSA KeyGen (FIPS186-4) with 112 and 128-bit (FIPS186-4) CRT) key strength n=2048, 3072, 4096 with PKCS v1.5 and RSA SigGen PKCSPSS and SHA2A2713 RSA SigGen (FIPS186-4) Signature Generation (FIPS186-4) (224, 256, 384, 512) with 112, 128 and

152 bit key strength

Public Material

Page 14

FIPS 140-3 Security Policy

128 and 152 bit key

strength RSA Signature n=2048 with 112-bit Signature Primitive (standard A2713 RSA Signature Primitive Primitive security strength andCRT) Message Digest SHA-1 with 128-bit Generation, SEMS A2713 SHA-1 SHA-1 security strength Lite command integrity Message Digest SHA2-224 with Generation, SEMS A2713 SHA2-224 SHA2-224 112bit or 192-bit Lite command security strength integrity Message Digest SHA2-256 with 128 Generation, SEMS A2713 SHA2-256 SHA2-256 or 256-bit security Lite command strength integrity Message Digest SHA2-384 with 192 Generation, SEMS A2713 SHA2-384 SHA2-384 or 256-bit security Lite command strength integrity Message Digest SHA2-512 with 256Generation, SEMS A2713 SHA2-512 SHA2-512 bit security Lite command strength integrity AES-128, AES-192, Authentication Encryption with AES-256 with 128, Associated Data MAC A2714 AES-GCM AES-GCM 192, 256-bit key calculation, MAC strength verification AES-128, AES-192, Authentication Encryption with AES-256 with 128, Associated Data MAC A2714 AES-GMAC AES-GMAC 192, 256-bit key calculation, MAC strength verification Public Material

Page 15

FIPS 140-3 Security Policy

Page 16

FIPS 140-3 Security Policy

192 and 256 bits]

Public Material

Page 17

FIPS 140-3 Security Policy

Page 18

FIPS 140-3 Security Policy

Page 19

FIPS 140-3 Security Policy

Page 20

FIPS 140-3 Security Policy

112 bits. The probability that a random attempt will end up with the same output is:

Page 21

FIPS 140-3 Security Policy

3 Cryptographic Module Interfaces

Physical Port Logical Interface Data that Passes over Port/Interface VSS, VDD Power interface These interfaces are used to supply power to the module in contact mode; The module starts when interface is powered VIN, VOUT Power interface These interfaces are used to supply power to the module in contact, contactless and I2C mode in case deep power-down mode is used RST_N Control input interface If a signal is sent on this interface on contact mode, the module will reboot (active low) CLK Control input interface The interface is used by an external device (ex: smartcard reader) to provide a clock signal to the IC in contact mode; The IC will derive its own clock from this signal IO1 Control input interface, Data The interface is used to communicate with an external entity (ex: input interface, Data output SmartCard reader) in contact mode; It also functions as I2C master interface, Status output interface SDA in I2C mode IO2 Control input interface, Data The interface is used to communicate with an external entity (ex: input interface, Data output SmartCard reader) in contact mode; It also functions as I2C master interface, Status output interface SCL in I2C mode or as SPI interface LA, LB Power interface, Control input The interface is used to communicate with an external entity (ex: interface, Data input interface, smartcard reader) in contactless mode; This interface is also used to Data output interface, Status set the internal clock and to supply power to the module output interface SDA Control input interface, Data The interface is used to communicate with an external entity such as input interface, Data output a host controller interface, Status output interface SCL Control input interface The interface is used by an external device (ex: host controller) to provide a clock signal to the I2C HW Table 5

Page 22

FIPS 140-3 Security Policy

4 Roles, Services and Authentication

The module supports the following roles:

Page 23

FIPS 140-3 Security Policy

Page 24

FIPS 140-3 Security Policy

Page 25

FIPS 140-3 Security Policy

Page 26

FIPS 140-3 Security Policy

Page 27

FIPS 140-3 Security Policy

Page 28

FIPS 140-3 Security Policy

Page 29

FIPS 140-3 Security Policy

Page 30

FIPS 140-3 Security Policy

Page 31

Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights Functions to Keys and/ or SSPs ISD Services Manage Load keys and data N/A OS-SKEK CO E, W, Z Status Content SD-KENC Word SD-KMAC (Response SD-KDEK APDU DAP-DAPK 9000) SSD Services Lifecycle Get or modify the card N/A All CO E, Z Status (Show status or applet life cycle Word and Perform status (Response zeroisation) APDU 9000) Manage Load keys and data N/A OS-SKEK CO E, W, Z Status Content SD-KENC Word SD-KMAC SD- (Response KDEK APDU DAP-DAPK 9000) Privileged Read Module data N/A OS-MKEK CO E Status Info (privileged data objects, SD-KENC Word (Show but no CSPs) SD-KMAC (Response module’s SD-SENC APDU versioning SD-SMAC 9000) information) SD-RMAC Secure Establish and use a CTR_DRBG OS-DRBG-EI CO E, G, Z Status Channel secure communication (Cert. OS-DRBG-SEED Word channel A2713) OS-DRBG-STATE (Response CKG OS-DRBG-KEY APDU (Vendor OS-DRBG-V 9000) Affirmed) OS-DRBG-OUTPUT OS-MKEK SD-KENC SD-KMAC SD-SENC SD-SMAC SD-RMAC IoT Applet Services Public Material

Page 32

FIPS 140-3 Security Policy

108 (Cert. APP-ECC-PUB-AUT

A2713) APP-KAS-IOT-SS ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KASECC (Cert. A2713) P-256 SHS (Cert. A2713) CKG (Vendor Affirmed) Module Perform Self-Tests and All All CO, E Status Usage Show module’s User Word (Perform versioning information (Response Self-Tests APDU and Show 9000) module’s versioning information) Public Material

Page 33

FIPS 140-3 Security Policy

Page 34

FIPS 140-3 Security Policy

108 (Cert. APP-TRANSPORT-MAC

A2713) APP-AES-KEY-AUTH ECDSA (Cert. APP-USERID-FILE A2713) APP-EC-PRIV-KEY P-256 SHS APP-RSA-PRIV-KEY (Cert. APP-AES-KEY A2713) KASAPP-HMAC-KEY ECC (Cert. APP-EC-PUB-KEY-CO A2713) APP-EC-PUB-KEY-USER P-256 RSA APP-EC-PUB-KEY (Cert. APP-RSA-PUB-KEY A2713)2048, 3072,

4096 bits

SHS (Cert. A2713) CKG (Vendor Affirmed) Public Material

Page 35

FIPS 140-3 Security Policy

4096 bits

SHS (Cert. A2713) CKG (Vendor Affirmed) Public Material

Page 36

FIPS 140-3 Security Policy

Page 37

FIPS 140-3 Security Policy

Page 38

FIPS 140-3 Security Policy

Page 39

FIPS 140-3 Security Policy

Page 40

FIPS 140-3 Security Policy

Page 41

FIPS 140-3 Security Policy

Page 42

FIPS 140-3 Security Policy

5 Software/Firmware Security

The cryptographic module is considered a hardware module with firmware components. An error detection code (32-bit CRC performed over all code located in Flash) is applied to all firmware components within the module. If the integrity test fails, the module enters the hard error (MUTE) state. An operator of the module can perform the integrity test on demand with the GET DATA APDU command. As a single-chip hardware module, the executable form of the code, i.e., firmware is binary format. The module does not support loading of firmware from an external source. ROM endurance has been proven to be more than 10 years after manufactured date. Therefore, per FIPS 140-3 IG 5.A, no pre-operational ROM integrity self-test has been implemented. The module’s endof-life procedures must be applied prior to the degradation of the ROM by setting the module to the TERMINATE state. All data and control inputs, and data and status outputs of the cryptographic module and services are directed through the module’s defined interfaces. Public Material

Page 43

FIPS 140-3 Security Policy

6 Operational Environment

The module claims to meet Physical Security Level 4 and thus the requirements per this section do not apply. Public Material

Page 44

FIPS 140-3 Security Policy

7 Physical Security

The module is a single-chip implementation that meets commercial-grade specifications for power, temperature, reliability, and shock/vibrations. The module uses standard passivation techniques. The module includes Environmental Failure Protection features such as temperature and voltage sensors. Fault Induction mitigation techniques are light sensors and spike sensors on the supply voltage lines. Identification of internal features such as sensitive components or interconnections is impeded by a fine mesh of metal shield lines that resides at the outermost layers of the chip. Delivery forms of the module are QFN package, contactless chip card module, or sawn wafer. Therefore, the module does not rely on any physical security based on a package. Physical Security Mechanism Recommended Frequency of Inspection/Test Guidance Details Inspection/Test N/A N/A N/A Table 9

Page 45

FIPS 140-3 Security Policy

8 Non-Invasive Security

Please see Section 12 below for information regarding non-invasive security countermeasures. Public Material

Page 46

FIPS 140-3 Security Policy

9 Sensitive Security Parameter Management

Key Security Establ /SSP Function Import Use & Related Strength Generation ishm Storage Zeroisation Name and Cert. /Export Keys ent /Type Number

384 bits CTR_DRB Internally via N/A N/A Temporarily Power-off Random value

G ENT (P) stored in RAM (temporarily from ENT (P) (Cert. in plaintext stored in used to seed A2713) (does not RAM) reciprocally OSpersist beyond and AES-256 DRBGa power cycle); DRBG EI CSP object identifier to entity association

880 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Current DRBG

G SP800- NVM in by state value (Cert. 90Ar1 plaintext; termination A2713) DRBG object of the OSprocess identifier to module DRBGentity (LifeCycle/ STATE association Perform CSP Zeroisation service); overwritten with zeroes

256 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Current DRBG

G SP800- NVM in by state value OS- (Cert. 90Ar1 plaintext; termination A2713) DRBG object of the DRBGprocess identifier to Module KEY entity (LifeCycle/ CSP association Perform Zeroisation service); overwritten with zeroes

256 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Current DRBG

G SP800- NVM in by state value OS- (Cert. 90Ar1 plaintext; termination A2713) DRBG object of the DRBGprocess identifier to Module V entity (LifeCycle/ CSP association Perform Zeroisation service); Public Material

Page 47

FIPS 140-3 Security Policy

256 bits CTR_DRB Internally via N/A N/A Stored in Destroyed Unmodified

G SP800- NVM in by output from (Cert. 90Ar1 plaintext; termination the DRBG A2713) DRBG object of the used for SSP OSprocess identifier to module generation DRBGentity (LifeCycle/ OUTPU association Perform T CSP Zeroisation service); overwritten with zeroes

128 bits AES N/A Entered N/A Stored in Destroyed Used to build

CBC, during NVM in by OS-MKEK ECB, manufactu plaintext; termination CTR, ring/ object of the CCM, personaliz identifier to module CMAC ation entity (LifeCycle/ (Cert. association Perform Zeroisation A2713) service); GCM/G OS- overwritten MAC SKEK with zeroes (Cert. CSP A2714)

128 bits AES OS-SKEK N/A N/A Stored in Destroyed Used to

CBC, permutation NVM in by encrypt all ECB, (xor plaintext; termination secret and CTR, between object of the private key CCM, OS-SKEK and identifier to module data stored in OS- a (LifeCycle/Pe CMAC entity NVM MKEK constant association rform (Cert. CSP value) Zeroisation A2713) service); GCM/G overwritten MAC with zeroes (Cert. A2714)

128 bits AES N/A Entered N/A Stored in Destroyed Used to derive

SDCBC, during NVM because of SD-SENC KENC manufactu OS-MKEK ECB, encrypted with CSP ring/ zeroisation CTR, Public Material

Page 48

FIPS 140-3 Security Policy

128 bits AES N/A Entered N/A Stored in Destroyed Used to derive

CBC, during NVM because of SD-SMAC ECB, Manufac- encrypted with OS-MKEK CTR, turing/per- Approved AES zeroisation CCM, sonalizat- CBC with OSCMAC ion MKEK; key Or version to (Cert. AES-CBC entity A2713) GCM/G (using SD- association SD- MAC KDEK) (Cert. encrypted KMAC A2714) (RFC 3394 CSP method) and transportted using platform SCP03 Exported using Approved KTS

128 bits AES N/A Entered N/A Stored in Destroyed Sensitive data

CBC, during NVM because of decryption ECB, manufac- encrypted with OS-MKEK key used to SD- CTR, turing/per- Approved AES zeroisation decrypt CSPs CCM, sonaliza- CBC with OSKDEK CMAC tion MKEK; key CSP Or version to (Cert. Entered entity encrypted association with the Public Material

Page 49

FIPS 140-3 Security Policy

128 bits AES N/A N/A Deri- Temporarily Power-off Session

CBC, ved stored in (temporarily encryption ECB, with RAM in stored in key used to CTR, Appr plaintext RAM) secure CCM, - (does not channel data CMAC oved persist beyond a (Cert. KDF SP power cycle); A2713) GCM/G 800- object SD- MAC 108 identifier to SENC (Cert. entity A2714) association CSP KDF SP800(Cert. A2713) CKG (Vendor Affirmed )

128 bits AES N/A N/A Deri- Temporarily Power-off Session MAC

CBC, ved stored in (temporarily key used to ECB, with RAM in stored in verify inbound CTR, Appr plaintext RAM) secure CCM, - (does not channel data CMAC oved persist integrity beyond a (Cert. KDF power cycle); A2713) SP object GCM/G 800SD- identifier to MAC 108 (Cert. entity SMAC association CSP A2714) KDF SP800(Cert. A2713) CKG (Vendor Affirmed) Public Material

Page 50

FIPS 140-3 Security Policy

128 bits AES N/A N/A Der- Temporarily Power-off Session MAC

CBC, ived stored in (temporarily key used to ECB, with RAM in stored in verify CTR, Appr plaintext RAM) outbound CCM, - (does not secure CMAC persist channel data oved beyond a integrity (Cert. KDF power cycle); A2713) SP object GCM/G 800- identifier to SD- MAC 108 entity RMAC (Cert. association CSP A2714) KDF SP800(Cert. A2713) CKG (Vendor Affirmed) APP- 256 bits AES N/A Entered N/A Stored in Destroyed Used to TRANS CBC, during NVM because of encrypt either PORT- ECB, manufac- encrypted with OS-MKEK exported or CIPHER CTR, turing/per- Approved AES zeroisation imported CSP CCM, sonaliza- CBC with OS- Secure CMAC tion MKEK; key Objects or (Cert. version to data A2713) Output: entity GCM/G N/A association MAC (Cert. A2714) APP- 128 bits AES N/A Entered N/A Stored in Destroyed Used to TRANS CMAC during NVM because of authenticate PORT- (Cert. Manufac- encrypted with OS-MKEK either MAC A2713) turing/per- Approved AES zeroisation exported or CSP sonaliza- CBC with OS- imported tion MKEK; key Secure version to Objects Output: entity N/A association APP- 128 bits KAS-ECC- N/A Entered N/A Stored in Destroyed KAS Shared KAS- SSC P- during NVM because of Secret SSC-EC- 256 Manufac- encrypted with OS-MKEK computation PRIV- (Cert. turing/per- Approved AES zeroisation private key KEY A2713) sonaliza- CBC with OSCSP KDA tion MKEK; key (Cert. version to Public Material

Page 51

FIPS 140-3 Security Policy

128 bits AES N/A N/A Der- Temporarily Power-off AES Key or EC

CBC, ived stored in (temporarily Key session ECB, with RAM in stored in encryption CTR, Appr- plaintext RAM) key used to CCM, oved (does not encrypt / CMAC KDF persist decrypt beyond a secure (Cert. SP power cycle); channel data A2713) 800object GCM/G 108 APP- identifier to MAC SENC entity (Cert. association CSP A2714) or ECDSA (Cert. A2713) KDF SP800(Cert. A2713) CKG Public Material

Page 52

FIPS 140-3 Security Policy

128 bits AES N/A N/A Der- Temporarily Power-off AES Key or EC

CBC, ived stored in (temporarily Key session ECB, with RAM in stored in MAC key used CTR, Appr plaintext RAM) to verify CCM, - (does not inbound CMAC oved persist secure beyond a channel data (Cert. KDF power cycle); integrity A2713) SP object GCM/G 800- identifier to MAC 108 entity (Cert. APP- association A2714) SMAC or ECDSA CSP (Cert. A2713) KDF SP800(Cert. A2713) CKG (Vendor Affirmed)

128 bits AES N/A N/A Der- Temporarily Power-off AES Key or EC

CBC, ived stored in (temporarily Key session ECB, with RAM in stored in MAC key used CTR, Appr plaintext RAM) to generate CCM, - (does not response CMAC oved persist secure beyond a channel data (Cert. KDF power cycle); MAC A2713) SP object GCM/G 800APP- identifier to MAC 108 RMAC entity (Cert. association CSP A2714) or ECDSA (Cert. A2713) KDF SP800(Cert. A2713) CKG Public Material

Page 53

FIPS 140-3 Security Policy

4096 bits with FIPS version to

(Cert. 186-4, entity A2713) Sections association CKG B.43.23 (Vendor (RSA) or B.4.2 Public Material

Page 54

FIPS 140-3 Security Policy

512 sonaliz- CBC with OS-

(Cert. ation MKEK; key A2713) version to Output: via entity Approved association KTS APP- 256 bits ECDSA N/A Entered N/A Stored in Destroyed Private static ECC- (Cert. during NVM because of key used in RT- A2713) Manufac- encrypted with OS-MKEK key establishPRIV- P-521 turing/ Approved AES zeroisation ment KA CSP SHS Personali- CBC with OS- (KAS-SSC) (Cert. zation or MKEK; key operations A2713) Imported version to in secure entity channel association specified by GPAmd-I Output: Public Material

Page 55

FIPS 140-3 Security Policy

128 bits AES N/A N/A Esta- Temporarily Power-off Used as secret

CBC, blish- stored in (temporarily key material ECB, ed RAM (does stored in in the very CTR, with not persist RAM) first CCM, the beyond a decryption CMAC SP power cycle) operations as 800- part of (Cert. 56A AuthenticaAPP- A2713) GCM/G rev3 tion and AESMAC KAS- Secure RAM- Messaging (Cert. SCC K0-Key service of A2714) follCSP owed SEMS Lite CKG (Vendor by applet Affirmed SHA2 ) -256 as One Pass KDF

128 bits AES CBC, N/A Imported N/A Temporarily Power-off Used as secret

ECB, CTR, in secure stored in (temporarily key material CCM, channel RAM (does stored in in the CMAC specified not persist RAM) subsequent APP- (Cert. by GP- beyond a decryption AES- A2713) Amd-I power cycle) operations as RAM- GCM/G part of SEMS Kn-Key MAC Output: Lite CSP (Cert. N/A AuthenticaA2714) tion and Secure Messaging service DAP- 256 bits ECDSA N/A Entered N/A Stored in N/A

Page 56

FIPS 140-3 Security Policy

128 bits ECDSA The Entered: N/A Stored in N/A

(Cert. Approved key N/A NVM Considered execute EC A2713) pair encrypted with protected by cryptographic P-256 generation Output: Approved AES ISO 19790 operations APP- CKG method is Approved CBC with OS- definition EC- (Vendor compliant KTS MKEK; key PUBKE Affirm- with FIPS version to Y 186-4, entity ed) PSP Sections association B.43.23 (RSA) or B.4.2 (ECDSA), Key Pair Public Material

Page 57

FIPS 140-3 Security Policy

152 bits A2713) pair encrypted with protected by cryptographic

2048, generation Output: Approved AES ISO 19790 operations 3072, method is Approved CBC with OS- definition

4096 bits compliant KTS MKEK; key

CKG with FIPS version to (Vendor 186-4, entity Affirm- Sections association ed) B.43.23 APP(RSA) or B.4.2 RSA(ECDSA), Key PUBPair KEY Generation PSP by Testing Candidates; Generated on the module using Approved DRBG, AES-256 CTR_DRBG

128 bits KAS- N/A Entered: N/A Stored in N/A

ECC- Certifi-cate NVM Considered public key APP- SSC is entered encrypted with protected by used in key ECC- P-256 in plain- Approved AES ISO 19790 establishPUB- (Cert. text CBC with OS- definition ment eKA A2713) MKEK; key (KAS) PSP Output: version to operation N/A entity association APP- 256 bits ECDSA N/A Entered: N/A Stored in N/A

Page 58

FIPS 140-3 Security Policy

256 bits ECDSA N/A Entered: N/A Stored in N/A

(Cert. Certificate NVM Considered public key APP- A2713) is entered encrypted with protected by used in ECDSA ECC- P-521 in plain- Approved AES ISO 19790 verification PUB- SHS text CBC with OS- definition operations AUT (Cert. MKEK; key PSP A2713) Output: version to N/A entity association

256 bits ECDSA N/A Entered: N/A Stored in N/A

(Cert. Certificate NVM in Considered with EC public A2713) is entered plaintext; protected by key providing APPP-521 in plain- object ISO 19790 authorization CERT- text and SHS identifier to definition AUT authenticity to (Cert. entity PSP Output: SEMS Lite A2713) association N/A applet 256-bits ECDSA N/A Entered: N/A Stored in N/A

0.912949 per entropy source output

bit Table 13

Page 59

FIPS 140-3 Security Policy

Page 60

FIPS 140-3 Security Policy

10 Self-Tests

On power-on or on demand, the module performs self-tests described below. The pre-operational self-test must be completed successfully prior to any other use of cryptography by the module. The Cryptographic Algorithm Self-Tests are either performed at boot or prior to first use. The conditional self-tests are performed when the corresponding conditions occur. If one of the self-tests fails, the system is halted and will start again after a reset. ROM endurance has been proven to be more than 10 years after manufactured date. Therefore, no pre-operational ROM integrity self-test has been implemented. The module’s end-of-life procedures must be applied prior to the degradation of the ROM by setting the module to the TERMINATE state, The Flash Firmware Integrity check is performed on every reset or on demand. Pre-operational Self-Tests

Page 61

FIPS 140-3 Security Policy

Page 62

FIPS 140-3 Security Policy

11 Life-Cycle Assurance

All configuration management items are managed using an automated configuration management system. The module is designed to allow the testing of all provided security-related services. All firmware is implemented using a high-level language and is designed in a manner that avoids the use of code, parameters, or symbols not necessary for the module’s functionality and execution. While the module can be delivered with the Approved mode enabled by default, customers also have the option to receive a module which is in the unconfigured state, i.e., non-Approved mode. To comply with and maintain the FIPS 140-3 validation, it would be the CO’s responsibility to enable the Approved mode of operation as follows (this information can also be found in the JCOP 4.5 User guidance and administrator manual document):

  1. Install SEMS Lite applet to run in Approved mode of operation.
  2. Install the IoT applet and configure the applet to run in Approved mode of operation.
  3. Configure the Operation System to run in Approved mode of operation. In each of these steps, it is in the CO’s responsibility to apply proper security conditions and to ensure that once the device is put into Approved mode of operation, it will not be set into non-Approved mode of operation ever again. The operator can verify that the module is operating in the Approved mode by following instructions specified in Section 2 in this document. There are no specific maintenance requirements for this module. Public Material – May be reproduced only in its original entirety (without revision).
Page 63

FIPS 140-3 Security Policy

12 Mitigation of Other Attacks

The module is protected against the following non-invasive attacks: SPA, DPA, Timing Analysis and Fault Induction using a combination of firmware and hardware countermeasures. Protection features include detection of outofrange supply voltages, frequencies or temperatures, fault induction mitigations like light sensors, voltage glitch sensors and an active shield, and detection of illegal address or instruction. All cryptographic computations and sensitive operations such as critical data comparison provided by the module are designed to be resistant to timing and power analysis. Sensitive operations are performed in constant time, regardless of the execution context (parameters, keys, etc.), owing to a combination of hardware and firmware features. In addition to the non-invasive attacks, the module also uses standard passivation techniques and is protected by active shielding (a grid of top metal layer wires with tamper response) which qualifies for classification under mitigation of other attacks. Public Material

Page 64

FIPS 140-3 Security Policy