All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider

Certificate#5149StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorMusarubra US LLC
Medium review priority  ·  no TCB surface named  ·  OpenSSL upstream has published 38 CVEs since this module's initial validation  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date3/10/2030
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys).
VendorMusarubra US LLC

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Musarubra US LLC Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider Document Version 1.0 October 2025 Prepared by: www.lightshipsec.com

Page 2
Table of Contents
#SectionPage
Page 3

Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)7
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description9
Table 5: Approved Algorithms15
Table 6: Vendor-Affirmed Algorithms16
Table 7: Non-Approved, Allowed Algorithms16
Table 8: Non-Approved, Not Allowed Algorithms17
Table 9: Security Function Implementations30
Table 10: Ports and Interfaces36
Table 11: Roles37
Table 12: Approved Services55
Table 13: Non-Approved Services57
Table 14: Storage Areas62
Table 15: SSP Input-Output Methods62
Table 16: SSP Zeroization Methods63
Table 17: SSP Table 169
Table 18: SSP Table 272
Table 19: Pre-Operational Self-Tests74
Table 20: Conditional Self-Tests77
Table 21: Pre-Operational Periodic Information77
Table 22: Conditional Periodic Information82
Table 23: Error States82
Diagram7
Page 5
1 General
1.1 Overview

Introduction Federal Information Processing Standards Publication 140-3

1.2 Security Levels

The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as follows: Section Title Security Level

1 General 1

2 Cryptographic module specification 1

Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 6

Section Title Security Level

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 3

12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels

1.3 Additional Information

In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply to the Module. In accordance with current CMVP policy, [ISO19790] §7.8 Non-Invasive Security is not applicable. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Module is a cryptographic software library providing a C-language application program interface (API) for use by applications that require cryptographic functionality and is designated as a software module with a multi-chip standalone embodiment based on the descriptions of [ISO19790] AS02.03. The Module is intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module’s formal name and version are “Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider” and “3.1.2”, respectively. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per [ISO19790] AS02.03. The cryptographic boundary of the Module is the FIPS Provider, a dynamically loadable library. The Module performs no communication other than with the calling application via APIs that invoke the Module. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the General Purpose Computer. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 8

Figure 1: Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9

Operating System Hardware Processors PAA/PAI Hypervisor Version(s) Platform or Host OS Ubuntu Linux Dell Inspiron Intel i7- No N/A 3.1.2

22.04.1 Server 7573 8550U

Ubuntu Linux Dell Inspiron Intel i7- Yes N/A 3.1.2

22.04.1 Server 7573 8550U

Debian 11.5 Dell Inspiron Intel i7- No N/A 3.1.2

7573 8550U

Debian 11.5 Dell Inspiron Intel i7- Yes N/A 3.1.2

7573 8550U

FreeBSD 13.1 Dell Inspiron Intel i7- No N/A 3.1.2

7591 2 in 1 10510U

FreeBSD 13.1 Dell Inspiron Intel i7- Yes N/A 3.1.2

7591 2 in 1 10510U

Windows 10 Pro Dell Inspiron Intel i7- No N/A 3.1.2

7591 2 in 1 10510U

Windows 10 Pro Dell Inspiron Intel i7- Yes N/A 3.1.2

7591 2 in 1 10510U

macOS 11.5.2 Apple M1 Mac M1 No N/A 3.1.2 Mini macOS 11.5.2 Apple M1 Mac M1 Yes N/A 3.1.2 Mini macOS 11.5.2 Apple i7 Mac Intel i7 No N/A 3.1.2 Mini macOS 11.5.2 Apple i7 Mac Intel i7 Yes N/A 3.1.2 Mini Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. No operational environments are vendor affirmed.

2.3 Excluded Components

No components are excluded from [FIPS140-3] requirements.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Name Indicator Approved The module must be installed and configured per Approved fips=yes mode instructions provided in Section 11 of this document and the module is in the Approved mode by default as a result. The installation of the Module as described in Section 11 results in the settings described below this Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 10

Mode Description Type Status Name Indicator table, which are required for operation in the Approved mode Non- The module is in the Approved mode of operation by Non- fips=no Approved default. Use of the non-Approved Algorithms Not Approved mode Allowed in the Approved Mode will place the module in the non-approved mode of operation. Table 4: Modes List and Description The Module supports an Approved mode and a non-Approved mode of operation. The inherent properties of the Module are:

  1. Manual key entry is not supported.
  2. Data output is inhibited during self-tests, zeroisation, SSP generation and error states.
  3. The Module does not perform any cryptographic function if any self-test has failed. The conditions for using the Module in the [FIPS140-3] Approved mode of operation are:
  4. Installation of the Module as described in Section 11 results in the settings described below, which are required for operation in the Approved mode: a. security-checks = 1 Enforce minimum key strengths and approved curve names. b. conditional-errors = 1 Enforce the Module entering the error state on conditional test errors such as PCT failure. c. drbg-no-trunc-md=1 Disallow use of truncated digests with HASH and HMAC DRBGs (IG D.R) d. tls1-prf-ems-check=1 Enforce Extended Master Secret (EMS) use with TLS 1.2 (IG D.Q)
  5. The Module is a cryptographic library used by a calling application. The calling application is responsible for: a. Use of the primitives in the correct sequence. b. Use of keys in accordance with [SP800-140Dr2] (as the keys used by the Module for cryptographic purposes are provided over the call stack by the calling application). c. Use of a [SP800-90B] compliant entropy source. Entropy is supplied to the Module via callback functions. The callback functions return an error if the minimum entropy strength cannot be met. Mode Change Instructions and Status: Use of the Approved algorithms and Non-Approved Algorithms Allowed in the Approved Mode will ensure operation of the module in the Approved mode of operation. Use of the non-Approved Algorithms Not Allowed in the Approved Mode will place the module in the non-approved mode of operation. Degraded Mode Description: The module does not support a degraded mode of operation. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Page 11
2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3548 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3548 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3548 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3548 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3548 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3548 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3548 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A3548 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3548 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3548 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A3548 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - No, Yes DSA KeyGen A3548 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 DSA PQGGen A3548 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 12

Algorithm CAVP Properties Reference Cert Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA PQGVer A3548 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA SigGen A3548 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA SigVer A3548 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 ECDSA KeyGen A3548 Curve - B-233, B-283, B-409, B-571, K-233, K- FIPS 186-4 (FIPS186-4) 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates ECDSA KeyVer A3548 Curve - B-163, B-233, B-283, B-409, B-571, K- FIPS 186-4 (FIPS186-4) 163, K-233, K-283, K-409, K-571, P-192, P224, P-256, P-384, P-521 ECDSA SigGen A3548 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - B-233, B-283, B-409, B-571, K-233, K283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A3548 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - B-163, B-233, B-283, B-409, B-571, K163, K-233, K-283, K-409, K-571, P-192, P224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Hash DRBG A3548 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512, SHA2-512/224, SHA2512/256, SHA3-256, SHA3-512 HMAC DRBG A3548 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512, SHA2-512/224, SHA2512/256, SHA3-256, SHA3-512 HMAC-SHA-1 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 13

Algorithm CAVP Properties Reference Cert HMAC-SHA2-224 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-256 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-384 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-512 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2- A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/224 8 HMAC-SHA2- A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/256 8 HMAC-SHA3-224 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-256 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-384 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-512 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 KAS-ECC CDH- A3548 Curve - B-233, B-283, B-409, B-571, K-233, K- SP 800-56A Component 283, K-409, K-571, P-224, P-256, P-384, P-521 Rev. 3 SP800-56Ar3 (CVL) KAS-ECC-SSC A3548 Domain Parameter Generation Methods - B- SP 800-56A Sp800-56Ar3 233, B-283, B-409, B-571, K-233, K-283, K- Rev. 3 409, K-571, P-224, P-256, P-384, P-521 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A3548 Domain Parameter Generation Methods - FB, SP 800-56A Sp800-56Ar3 FC, ffdhe2048, ffdhe3072, ffdhe4096, Rev. 3 ffdhe6144, ffdhe8192, MODP-2048, MODP3072, MODP-4096, MODP-6144, MODP-8192 Scheme dhEphem KAS Role - initiator, responder KAS-IFC-SSC A3548 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, Rev. 3 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KAS1 KAS Role - initiator, responder KAS2 KAS Role - initiator, responder KDA HKDF A3548 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 14

Algorithm CAVP Properties Reference Cert 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 KDA OneStep A3548 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 KDA TwoStep A3548 MAC Salting Methods - default, random SP 800-56C SP800-56Cr2 KDF Mode - feedback Rev. 2 Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDF ANS 9.42 A3548 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 A3548 Hash Algorithm - SHA2-224, SHA2-256, SHA2- SP 800-135 (CVL) 384, SHA2-512 Rev. 1 Key Data Length - Key Data Length: 128, 4096 KDF KMAC A3548 Derived Key Length - Derived Key Length: 112- SP 800-108 Sp800-108r1 4096 Increment 8 Rev. 1 KDF SP800-108 A3548 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8, 72, Rev. 1 128, 776, 3456, 4096 KDF SSH (CVL) A3548 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512 KMAC-128 A3548 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A3548 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KTS-IFC A3548 Modulo - 2048, 3072, 4096, 6144 SP 800-56B Key Generation Methods - rsakpg1-basic, Rev. 2 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 15

Algorithm CAVP Properties Reference Cert PBKDF A3548 Iteration Count - Iteration Count: 1-10000 SP 800-132 Increment 1 Password Length - Password Length: 8-128 Increment 8 RSA KeyGen A3548 Key Generation Mode - B.3.3, B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2, Table C.3 Private Key Format - Standard RSA SigGen A3548 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 2048, 3072, 4096 RSA Signature A3548 Private Key Format - CRT FIPS 186-4 Primitive (CVL) RSA SigVer A3548 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 1024, 2048, 3072, 4096 Safe Primes Key A3548 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Generation ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 Safe Primes Key A3548 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Verification ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 SHA-1 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 16

Algorithm CAVP Properties Reference Cert SHA3-256 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHAKE-128 A3548 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 SHAKE-256 A3548 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 TLS v1.2 KDF A3548 Hash Algorithm - SHA2-256, SHA2-384, SHA2- SP 800-135 RFC7627 (CVL) 512 Rev. 1 TLS v1.3 KDF A3548 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Table 5: Approved Algorithms The Module implements the Approved cryptographic functions listed in Table 5. Vendor-Affirmed Algorithms: Name Properties Implementation Reference DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG PQGGen 2048/N = 224 (s = 112), L = OpenSSL 3.x C.C and IG C.B [FIPS 186- 2048/N = 256 (s = 112) L = FIPS Provider Resolution (bullet point 4] 3072/N = 256 (s = 128) #3) Mode/Method:PQGGen using SHA3 DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG PQGVer 1024/N = 160 (s < 112) L = OpenSSL 3.x C.C and IG C.B [FIPS 186- 2048/N = 224 (s = 112), L = FIPS Provider Resolution (bullet point 4] 2048/N = 256 (s = 112) L = #3) 3072/N = 256 (s = 128) Mode/Method:PQGVer using SHA3 DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG SigGen 2048/N = 224 (s = 112), L = OpenSSL 3.x C.C and IG C.B [FIPS 186- 2048/N = 256 (s = 112) L = FIPS Provider Resolution (bullet point 4] 3072/N = 256 (s = 128) #3) Mode/Method:SigGen using SHA3 DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG SigVer 1024/N = 160 (s < 112) L = OpenSSL 3.x C.C and IG C.B [FIPS186- 2048/N = 224 (s = 112), L = FIPS Provider Resolution (bullet point 4] 2048/N = 256 (s = 112) L = #3) 3072/N = 256 (s = 128) Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 17

Name Properties Implementation Reference Mode/Method:SigVer using SHA3 CKG - Key Type :Asymmetric N/A NIST SP800-133r2 Section 4 Section 4: Using the and 5.1 Output of a Random Bit Generator; Section 5.1: Key Pairs for Digital Signature Schemes CKG - Key Type:Asymmetric N/A NIST SP800-133r2 Section 4 Section 4: Using the and 5.2 Output of a Random Bit Generator; Section 5.2: Key Pairs for Key Establishment CKG - Key Type:Symmetric N/A NIST SP800-133r2 Section 4 Section 4: Using the and Section Output of a Random

6.1 Bit Generator; Section

6.1: Direct Generation of Symmetric Keys CKG - Key Type:Symmetric N/A NIST SP 800-133r2 Section 6.2 Section 6.2: Derivation of Symmetric keys CKG - Key Type:Symmetric N/A NIST SP 800-133rev2, Section 6.3 Section 6.3: Symmetric Keys Produced by Combining Multiple Keys and Other Data CKG

Page 18

The module does not support any Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Name Use and Function Triple-DES Provides 3-Key ECB and CBC mode, but indicated as fips=no, Encryption, Decryption Ed448 SHAKE256, Ed448 provides 224 bits of security, Digital Signature Generation Ed25519 SHA2-512, Ed25519 provides 128 bits of security, Digital Signature Generation X448 Provides 224 bits of security, Key Agreement X25519 Provides 128 bits of security, Key Agreement ECDSA SigVer Provides between 80 and 256 bits for security, Curves: B-163, B-233, Component B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P224, P-256, P-384, P-521, Digital Signature Verification FIPS 186-2 RSA Provides >= 80 bits of security, RSA signature generation/verification SigGen/SigVer per FIPS 186-2 FIPS 186-2 RSA Provides >= 112 bits of security, RSA key generation per FIPS 186-2 KeyGen X942KDF- Usage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2CONCAT 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 X963KDF Usage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 HKDF Provides < 112 bits of security, Usage of HKDF with key length less than 112 bits OneStep KDF Usage of OneStep KDF with PRF SHAKE128, SHAKE256 HMAC Provides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation Hash and HMAC Usage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, DRBG SHA2-512/224 and SHA2-512/256 Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Symmetric BC-Auth Symmetric Key Length:128, 192 AES-CBC Encryption BC-UnAuth Encryption and and 256 bits AES-CBCand Decryption Key Length CS1 Decryption (XTS):128 and 256 AES-CBCbits CS2 AES-CBCCS3 AES-CCM AES-CFB1 AES-CFB128 AES-CFB8 AES-CMAC Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 19

Name Type Description Properties Algorithms AES-CTR AES-ECB AES-GCM AES-GMAC AES-OFB AES-XTS Testing Revision 2.0 Message SHA Message Digest SHA-1 :(s = 160) SHA-1 Digest Large Message SHA2-224 Sizes: 1, 2, 4, SHA2-256 8gigabytes SHA2-384 SHA2:SHA2-224 (s = SHA2-512 224), SHA2-256 (s = SHA2-512/224 256), SHA2-384 (s = SHA3-224 384), SHA2-512 (s = SHA3-256 512), SHA2-512/224 SHA3-384 (s = 224), SHA2- SHA3-512 512/256 (s = 256). SHAKE-128 Large Message SHAKE-256 Sizes: 1, 2, 4, SHA2-512/256 8gigabytes SHA3:SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512). See Note 1. Large Message Sizes: 1, 2, 4, 8gigabytes SHAKE:SHAKE-128 (s = 128), SHAKE-

256 (s = 256). See

Note 1. Keyed Hash BC-Auth Keyed Hash HMAC-SHA-1 HMAC-SHA-1 MAC [FIPS198-1]:SHA-1 (s HMAC-SHA2= 160) 224 HMAC-SHA2 HMAC-SHA2[FIPS198-1]:SHA2- 256

224 (s = 224), SHA2- HMAC-SHA2-
256 (s = 256), SHA2- 384
384 (s = 384), SHA2- HMAC-SHA2-
512 (s = 512), SHA2- 512

512/224 (s = 224), HMAC-SHA2SHA2-512/256 (s = 512/224 256) HMAC-SHA2HMAC-SHA3 512/256 [FIPS198-1]:SHA3- HMAC-SHA3-

224 (s = 224), SHA3- 224
256 (s = 256), SHA3- HMAC-SHA3-

Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 20

Name Type Description Properties Algorithms

384 (s = 384), SHA3- 256
512 (s = 512) HMAC-SHA3-

KMAC:KMAC-128 384 (112 ≤ s ≤ 128), HMAC-SHA3KMAC-256 (112 ≤ s ≤ 512 256). See Note 8. AES-CMAC KMAC-128 KMAC-256 AES-GMAC RSA Digital DigSig- RSA Digital Signature type: ANSI RSA SigGen Signature SigGen Signature X9.31 tested with the (FIPS186-4) Generation DigSig-SigVer Generation and listed moduli and the RSA SigVer and Verification following hash (FIPS186-4) Verification algorithms: SHA2256, SHA2-384, SHA2-512:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCS 1.5 tested with the listed moduli and the following hash algorithms: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCSPSS tested with the listed moduli and the following hash algorithms: SHA2- 224, SHA2256, SHA2-384, SHA2- 512, SHA2512/224, SHA2512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: ANSI X9.31 tested with the listed moduli and the following hash algorithms: SHA-1*, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 21

Name Type Description Properties Algorithms SHA2-256, SHA2384, SHA2512:k=1024 (s ≤ 112), k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCS 1.5 tested with the listed moduli and the following hash algorithms: SHA-1*, SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2512/256:k=1024 (s ≤ 112), k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCSPSS tested with the listed moduli and the following hash algorithms: SHA-1*, SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2512/256:k=1024 (s ≤ 112), k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) ECDSA DigSig- ECDSA Signature SigGen (includes ECDSA Signature SigGen Generation and SigGen Component) SigGen Generation DigSig-SigVer Signature (tested with SHA2- (FIPS186-4) and Signature Verification 224, SHA2-256, ECDSA Verification SHA2-384, SHA2- SigVer 512, SHA2-512/224, (FIPS186-4) SHA2-512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512):B-233, K233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); BMusarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 22

Name Type Description Properties Algorithms 409, K-409, P-384 (s ~= 192); B-571, K571, P-521 (s ~= 256) SigVer (tested with SHA-1*, SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512):B-163, K163, P-192 (s < 112); B-233, K-233, P-224 (s ~= 112); B-283, K283, P-256 (s ~= 128); B-409, K-409, P-384 (s ~= 192); B571, K-571, P-521 (s ~= 256) DSA Digital DigSig- DSA Digital SigGen (tested with DSA SigGen Signature SigGen Signature SHA2-224, SHA2- (FIPS186-4) Generation DigSig-SigVer Generation and 256, SHA2-384, DSA SigVer and Verification SHA2-512, SHA2- (FIPS186-4) Verification 512/224, SHA2- DSA SigGen 512/256); SigGen [FIPS 186-4] using SHA3; no Key Size, Key ACVP testing is Strength: L = available:L = 2048/N 2048/N = 224 = 224 (s = 112), L = (s = 112), L = 2048/N = 256 (s = 2048/N = 256 112) L = 3072/N = (s = 112) L =

256 (s = 128) 3072/N = 256

SigVer (tested with (s = 128) SHA-1, SHA2-224, Mode/Method: SHA2-256, SHA2- SigGen using 384, SHA2-512, SHA3 SHA2-512/224, DSA SigVer SHA2-512/256); [FIPS186-4] SigVer using SHA3; Key Size, Key no ACVP testing is Strength: L = available:L = 1024/N 1024/N = 160 = 160 (s < 112) L = (s < 112) L = 2048/N = 224 (s = 2048/N = 224 112), L = 2048/N = (s = 112), L =

256 (s = 112) L = 2048/N = 256

3072/N = 256 (s = (s = 112) L = 128) 3072/N = 256 (s = 128) Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 23

Name Type Description Properties Algorithms Mode/Method: SigVer using SHA3 RSA DigSig- Signature Private Key RSA Signature SigGen primitive format:CRT Signature Primitive Public Exponent Primitive Mode:Fixed : k = 2048 Asymmetric AsymKeyPair- Generation of RSA KeyGen:k=2048 RSA KeyGen Key Pair KeyGen asymmetric key (s ~= 112), k=3072 (s (FIPS186-4) Generation AsymKeyPair- pairs ~= 128), k=4096 (s DSA KeyGen KeyVer ~= 152) (FIPS186-4) DSA KeyGen:L = ECDSA 2048/N = 224 (s = KeyGen 112), L = 2048/N = (FIPS186-4)

256 (s = 112) L = Safe Primes

3072/N = 256 (s = Key 128) Generation ECDSA KeyGen: ECDSA Secret Generation KeyVer Mode: Testing (FIPS186-4) Candidates:B-233, K- Safe Primes 233, P-224 (s ~= Key 112); B-283, K-283, Verification P-256 (s ~= 128); B- CKG - Section 409, K-409, P-384 (s 4 and 5.1 ~= 192); B-571, K- Key Type : 571, P-521 (s ~= Asymmetric 256) CKG - Section Safe Primes Key 4 and 5.2 Generation, Safe Key Type: Primes Key Asymmetric Verification:ffdhe2048 DSA PQGGen (s = 112), ffdhe3072 (FIPS186-4) (112 ≤ s ≤ 128), DSA PQGVer ffdhe4096 (112 ≤ s ≤ (FIPS186-4) 152), ffdhe6144 (112 DSA PQGGen ≤ s ≤ 176), ffdhe8192 [FIPS 186-4] (112 ≤ s ≤ 200), Key Size, Key MODP-2048 (s = Strength: L = 112), MODP-3072 2048/N = 224 (112 ≤ s ≤ 128), (s = 112), L = MODP-4096 (112 ≤ s 2048/N = 256 ≤ 152), MODP-6144 (s = 112) L = (112 ≤ s ≤ 176), 3072/N = 256 MODP-8192 (112 ≤ s (s = 128) ≤ 200) Mode/Method: ECDSA KeyVer:B- PQGGen 163, K-163, P-192 (s using SHA3 < 112); B-233, K-233, DSA PQGVer Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 24

Name Type Description Properties Algorithms P-224 (s ~= 112); B- [FIPS 186-4] 283, K-283, P-256 (s Key Size, Key ~= 128); B-409, K- Strength: L = 409, P-384 (s ~= 1024/N = 160 192); B-571, K-571, (s < 112) L = P-521 (s ~= 256) 2048/N = 224 DSA PQGGen (s = 112), L = (FIPS186-4), DSA 2048/N = 256 PQGGen [FIPS 186- (s = 112) L = 4] (VA):L = 2048/N = 3072/N = 256

224 (s = 112), L = (s = 128)

2048/N = 256 (s = Mode/Method: 112) L = 3072/N = PQGVer using

256 (s = 128) SHA3

DSA PQGVer (FIPS186-4), DSA PQGVer [FIPS 186-4] (VA):L = 1024/N =

160 (s < 112) L =
256 (s = 112) L =

3072/N = 256 (s = 128) Random DRBG Random Number Counter DRBG Counter Number Generation - [SP800-90Ar1]:AES- DRBG Generation Hash_DRBG, 128 (s = 128), AES- Hash DRBG CTR_DRBG and 192 (s = 192), AES- HMAC DRBG HMAC_DRBG 256 (s = 256) CKG

1 (s = 160), SHA2-
256 (s = 256), SHA2-
512 (s = 512) SHA3-
256 (s = 256), SHA3-
512 (s = 512)

Key Derivation KBKDF Derive Keying KDA HKDF:SHA-1 (s KDA HKDF PBKDF Material = 160), SHA2-224 (s SP800-56Cr2 = 224), SHA2-256 (s KDA OneStep = 256), SHA2-384 (s SP800-56Cr2 = 384), SHA2-512 (s KDA TwoStep = 512), SHA2- SP800-56Cr2 512/224 (s = 224), KDF ANS 9.42 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 25

Name Type Description Properties Algorithms SHA2-512/256 (s = KDF ANS 9.63 256), SHA3-224 (s = KDF KMAC 224), SHA3-256 (s = Sp800-108r1 256), SHA3-384 (s = KDF SP800384), SHA3-512 (s = 108 512) KDF SSH KDA OneStep:SHA-1 PBKDF (s = 160), SHA2-224 TLS v1.2 KDF (s = 224), SHA2-256 RFC7627 (s = 256), SHA2-384 TLS v1.3 KDF (s = 384), SHA2-512 CKG - Section (s = 512), SHA2- 6.2 512/224 (s = 224), Key Type: SHA2-512/256 (s = Symmetric 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512); HMAC-SHA-1 (s = 160), HMACSHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2-

384 (s = 384),

HMAC-SHA2-512 (s = 512), HMAC-SHA2512/224 (s = 224), HMAC-SHA2512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3-

256 (s = 256),

HMAC-SHA3-384 (s = 384), HMAC-SHA3-

512 (s = 512);

KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256) KDA TwoStep [SP80056Cr2]:HMAC-SHA-1 (s = 160), HMACSHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2-

384 (s = 384),

HMAC-SHA2-512 (s = 512), HMAC-SHA2512/224 (s = 224), HMAC-SHA2Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 26

Name Type Description Properties Algorithms 512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3-

256 (s = 256),

HMAC-SHA3-384 (s = 384), HMAC-SHA3-

512 (s = 512)

KDF ANS 9.42 [SP800-135r1]:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512) KDF ANS 9.63 [SP800-135r1]:SHA2-

224 (s = 224), SHA2-
256 (s = 256), SHA2-
384 (s = 384), SHA2-
512 (s = 512)

KDF KMAC [SP800108r1]:KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256) KDF [SP800108r1]:CMACAES128 (s = 128), CMAC-AES192 (s = 192), CMAC-AES256 (s = 256), HMACSHA-1 (s = 160), HMAC-SHA2-224 (s = 224), HMAC-SHA2-

256 (s = 256),

HMAC-SHA2-384 (s = 384), HMAC-SHA2-

512 (s = 512),

HMAC-SHA2512/224 (s = 224), HMAC-SHA2512/256 (s = 256), HMAC-SHA3-224 (s Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 27

Name Type Description Properties Algorithms = 224), HMAC-SHA3-

256 (s = 256),

HMAC-SHA3-384 (s = 384), HMAC-SHA3-

512 (s = 512)

KDF SSH [SP800135r1]:AES-128 (s = 128), AES-192 (s = 192), AES-256 (s = 256); SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512) PBKDF [SP800132]:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2-512/224 (s = 224), SHA2512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512) TLS v1.2 KDF RFC7627: TLS [RFC7627] key derivation with Extended Master Secret (EMS) support, using the listed hash algorithms:SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512) TLS v1.3 KDF [RFC8446]:HMACSHA2-256 (s = 256), HMAC-SHA2-384 (s = 384) KAS-1 KAS-SSC Scheme: SP800-56Ar3 KAS- KAS-ECCEphemeralUnified, ECC-SSC per IG D.F SSC Sp800KAS Role: Scenario 2 path 56Ar3 Initiator, (1):B-233, K-233, PResponder 224, B-283, K-283, PMusarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 28

Name Type Description Properties Algorithms 256, B-409, K-409, P384, B-571, K-571, and P-521 curves providing 112, 128, 192, or 256 bits of encryption strength KAS-2 KAS-SSC Scheme: SP800-56Ar3 KAS- KAS-FFCdhEphem. KAS FFC-SSC IG D.F SSC Sp800Role: Initiator, Scenario 2 path 56Ar3 Responder (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strength KAS-3 KAS-SSC Scheme: KAS1, SP800-56Br2 KAS- KAS-IFC-SSC KAS2. KAS Role: IFC-SSC IG D.F Initiator, Scenario 1 path Responder (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strength KTS-1 KTS-Wrap Key Transport in SP 800-38F KTS AES-KW compliance with (key wrapping) per IG AES-KWP [SP800- 38F] D.G :128, 192, and when approved 256-bit keys using AES KW or providing 128, 192, or KWP 256 bits of encryption strength KTS-2 KTS-Wrap Key Transport in SP 800-38F KTS AES-CBC compliance with (key wrapping) per IG AES-CFB1 [SP800- 38F] D.G : 128, 192, and AES-CFB128 when approved 256-bit keys AES-CFB8 AES (any mode) providing 128, 192, or AES-CTR and approved 256 bits of encryption AES-ECB HMAC, KMAC, strength AES-OFB GMAC or CMAC AES-XTS are used in Testing combination Revision 2.0 AES-CBCCS2 AES-CBCCS3 AES-CCM AES-CMAC AES-GCM AES-GMAC Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 29

Name Type Description Properties Algorithms AES-KW AES-KWP HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2512/224 HMAC-SHA2512/256 HMAC-SHA3HMAC-SHA3HMAC-SHA3HMAC-SHA3KMAC-128 KMAC-256 AES-CBCCS1 KTS-3 KTS-Wrap Key Transport in SP 800-38F KTS AES-CCM compliance with (key wrapping) per IG AES-CMAC [SP800- 38F] D.G : 128, 192, and AES-GCM when approved 256-bit keys AES-GMAC using an providing 128, 192, or Authenticated 256 bits of encryption AES mode (AES strength CCM; AES GCM; AES GMAC; AES CMAC) KTS-4 KTS-Encap Key Transport; SP 800-56Brev2 KTS-IFC Scheme: KTS- KTS-IFC (key OAEP-basic (no encapsulation and key confirmation): un-encapsulation) per RSA-OAEP, Key IG D.G:2048, 3072, Encapsulation, 4096, and 6144-bit Key key providing 112, Unencapsulation 128, 152, or 176 bits Key Generation of encryption strength Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-primeMusarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 30

Name Type Description Properties Algorithms factor, rsakpg2basic, rsakpg2-crt, rsakpg2- primefactor KAS ECC KAS-SSC KAS-ECC-SSC Curves:B-233, K-233, KAS-ECC CDH primitive P-224 (s ~= 112); B- CDHComponent 283, K-283, P-256 (s Component ~= 128); B-409, K- SP800-56Ar3 409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256). Perform self- BC-Auth All self-tests AES-ECB tests (All) BC-UnAuth executed by the AES-GCM DigSig- module at boot Hash DRBG SigGen Counter DigSig-SigVer DRBG DRBG HMAC DRBG KAS-SSC DSA SigGen KBKDF (FIPS186-4) MAC DSA SigVer PBKDF (FIPS186-4) SHA ECDSA XOF SigGen (FIPS186-4) ECDSA SigVer (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigVer (FIPS186-4) HMAC-SHA2SHA-1 SHA3-256 SHA2-512 KDF ANS 9.42 KDF ANS 9.63 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 KAS-IFC-SSC KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDF SSH Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 31

Name Type Description Properties Algorithms KDF SP800PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDF Cryptographic CKG Direct generation CKG - Section Key of symmetric keys 4 and Section Generation per NIST SP 800- 6.1 (CKG) 133r2 Software MAC HMAC-SHA2-256 Key size: 256 bits HMAC-SHA2Integrity Test used to perform 256 the software integrity test Cryptographic CKG AES XTS Key Key size:128, 256 CKG - Section Key generated to bits 6.3 Generation comply with the (CKG) - AES approved key XTS generation guidelines of NIST SP 800-133rev2, Section 6.3, Symmetric Keys Produced by Combining Multiple Keys and Other Data KTS-5 KTS-Unwrap Key Unwrapping KTS (key AES-CBC using any non- unwrapping) per IG AES-CFB1 authenticated D.G:128, 192, and AES-CFB128 AES mode 256-bit keys AES-CFB8 providing 128, 192, or AES-CTR

256 bits of decryption AES-ECB

strength AES-OFB AES-CBCCS1 AES-CBCCS2 AES-CBCCS3 Table 9: Security Function Implementations Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority of the sources. Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP800-57P1r5] Table 3. Note 2: Elliptic curve strengths are annotated as approximate (i.e., s ~=) since [SP800-186] Table 1 provides approximate security strengths. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 32

Note 3: [SP800-186] (cited in [SP800-140Cr2]) and [FIPS140-3_IG] C.K indicate that the Binary (B-) and Koblitz (K-) curves are deprecated. Note 4: Approved elliptic curves for ECC key agreement are given in [SP800-56Ar3] Table

  1. Note 5: In Digital Signature applications, security strength is primarily associated with the asymmetric key pair specification. The hash function used must have equivalent strength equal to or greater than the security strength of the associated key pair. Note 6: Approved key types for FFC key agreement are given in [SP800-56Ar3] Tables 25,
  2. The group notation of Table 26 is used for consistency with CAVP algorithm listings and ACVP capability registration. Note 7: Approved key types for IFC key agreement are given in [SP800-56Br2] Table
  3. IFC key types approved for Digital Signature Generation and Verification are given also in [SP800-57P1r5] Table
  4. Equivalent strengths are annotated as approximate (i.e., s ~=) since [SP800-56Br2] Table 4 provides approximate security strengths. Note 8: Security strengths for KDA One Step are given in [SP800-56Cr2] Table 1 (hash), Table 2 (HMAC) and Table 3 (KMAC). Note 9: Security strength for L=2048/N=256 is determined in accordance with [FIPS140-3_IG] D.B Strength of SSP Establishment Methods as y = min(x, N/2), where x is 112 and therefore y = min(112, 128) = 112. Other reference sources for the strengths are as follows: • AES (AES-128, AES-192, AES-256): [SP800-57P1r5] Table 2. • ECC (B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P384, P-521): [SP800-186] Table 1. • FFC (L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256): [SP800-57P1r5] Table 2. • FFC (ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192): [SP800-56Ar3] Tables 25 and 26. • IFC (k=1024, k=2048, k=3072, k=4096, k=6144, k=8192): [SP800-56Br2] Table 4. • KMAC (KMAC128, KMAC256): [SP800-56Cr2] Table 3. • SHA-1, SHA2 (SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256): [SP800107] Table 1. • SHA3 (SHA3-224, SHA3-256, SHA3-384, SHA3-512): [SP800-57P1r5] Table 3. • SHAKE (SHAKE128, SHAKE256): [SP800-185] Section 8.1.
2.7 Algorithm Specific Information

a. AES-GCM Usage AES GCM IV generation must be compliant to [FIPS140-3_IG] C.H Key/IV Pair Uniqueness Requirements from SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS/DTLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. IV constructed in compliance with a protocol shall only be used in the context of the AES-GCM mode encryptions within the protocol. The Module does not implement the TLS and SSH protocols itself, however, it provides the cryptographic functions required for implementing the protocols. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3. The module provides the primitives to support the AES GCM ciphersuites from [SP800-52r1] Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 33

The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per [SP800-38D] Section 8.2.2. Per [FIPS140-3_IG] C.H Scenario 2 and [SP800-38D], the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. In each case, in the event that the Module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are re-distributed in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This is in accordance with IG 2.4.A: If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation). b. PBKDF Usage The lower limit on the supported length of a password/passphrase used in key derivation is 1character. The ASCII system comprises of 94 printable characters (letters, digits, punctuation, and symbols). For a 1-character password/passphrase chosen from 94 printable ASCII characters, the total combinations are: 94^1. Thus, the probability of guessing the correct password/passphrase on a random attempt is: 1/94^1 ~0.010. The module being a software module, does not restrict the usage of a password/string used as the password and input to the PBKDF. The onus is on the calling application to provide a password of an appropriate length based on the intended security strength (and size) of the key to be derived. In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. The module complies with NIST SP 800-132 Section 5.4 Option 1 a and IG D.N. The iteration count values used range from 1 to 10000 per NIST SP 800-132 Section 5.2 whereby the iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. Keys derived from passwords, as shown in SP 800132, may only be used in storage applications. The security strength of the derived key is at least

112 bits. The module implements CKG per NIST SP 800-133r2 Section 6.2.2.

c. AES-XTS Usage Usage In accordance with [SP800-38E], the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with [FIPS140-3_IG] C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. d. Legacy Usage Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 34

The module supports the following implementations for legacy use/support per NIST SP 800131Ar2:

Page 35

The module implements SHA-1 for usage in the following (this can be vetted from the SFI Table 9 in the Security Policy): I. As a PRF in the KDFs X942 KDF-CONCAT, X963 KDF, KDA HKDF, KDA OneStep, KDF, ANS 9.42 [SP800-135r1], KDF SSH [SP800-135r1], PBKDF [SP800-132], II. As a standalone SHA-1 hash function III. As a PRF in HMAC-SHA-1 IV. As the underlying hash function for RSA SigVer, ECDSA SigVer and DSA SigVer for legacy use/support per NIST SP 800-131Ar2 as specified in the Security Policy Section 2.7 d. V. As the underlying hash function in Hash DRBG and HMAC DRBG

2.8 RBG and Entropy

The Module relies on the use of a [SP800-90B] compliant entropy source outside the Module boundary. The calling application is responsible for use of an [SP800-90B] compliant entropy source with sufficient entropy based on the required security strength. Entropy is supplied to the Module via callback functions (see Section 2.4 2. c). Minimum Number of Bits of Entropy, depending on the target security strength of generated SSPs are 128, 192 or 256 bits. When using the Counter DRBG implementation without the derivation function enabled, full entropy from the entropy source is required. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys). N/A for this module. N/A for this module.

2.9 Key Generation

The module implements NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.

2.10 Key Establishment

Key Agreement Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and [FIPS140-3_IG] D.F Scenario 2 (path 1) and NIST SP 800-56Br2 and [FIPS140-3_IG] D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 9 have been documented accordingly. The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the [FIPS140-3_IG] D.F required key agreement assurances: [SP800-56Ar3] in accordance with Section 5.6.2. [SP800-56Br2] in accordance with Section 6.4. Per IG C.F Additional Comment 1.e: The elliptic curve used in the key agreement scheme and the associated domain parameters provide more than 112 bits of security as seen in the KAS-1 entry per Table 9. Per IG C.F Additional Comment 2: Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 36

The KAS-ECC-SSC and KAS-FFC-SSC implementations each support a scheme of the Diffie-Helllman variety. Per IG D.G: The module supports the Key Transport per NIST SP 800-56Br2 (RSA-OAEP) denoted by KTS-4 in the SFI Table 9. The RSA modulus sizes and key generation method have been documented in the table as well. The module can also optionally be used in the context of IETF protocols and provide key transport using any approved AES mode(s) and an approved MAC. The corresponding entries KTS-1, KTS-2, KTS-3 and KTS-5 in the SFI Table 9 have been documented accordingly. All KTS entries have been documented in accordance with Additional Comment 4 in the IG. The module also supports the following untested approved moduli for KTS-4: 6144 < nlen <=16384, where nlen denotes the modulus. Per IG D.A and IG D.B: The strengths of the established key have been documented in accordance with IG D.A Additional Comment 4. and per the Resolution in IG D.B.

2.11 Industry Protocols

The Module conforms to Resolution 3 per [FIPS140-3_IG] D.C References to the Support of Industry Protocols: while it provides [SP800-56Ar3] conformant schemes and API entry points oriented to SSH and TLS usage, the Module does not contain the full implementation of SSH or TLS. The following caveat is required: No parts of the SSH and TLS protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 37
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Control Input API entry point: stack frame including non-sensitive parameters N/A Data Input API call parameters passed by reference or value for cryptographic service input N/A Status API return value: enumerated status resulting from call execution Output N/A Data Output API call parameters passed by reference for cryptographic service output Table 10: Ports and Interfaces Table 10 defines the Module’s [FIPS140-3] logical interfaces; the Module does not interact with physical ports. The Control Output logical interface is not applicable to the Module and is intentionally omitted from Table 10. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 38
4 Roles, Services, and Authentication
4.1 Authentication Methods

The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document. N/A for this module.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role Crypto Officer None Table 11: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified) and does not support a maintenance role or a bypass capability.

4.3 Approved Services

Name Description Indicato Inputs Outputs Security SSP r Function Access s Initialize Module FIPS_O Core Initializatio Random Crypto initialization K handle, n status (1 Number Officer dispatch = pass, 0 = Generatio in and fail) n DRBG_E out, I: provider G,W,E,Z context DRBG_S tate: G Software Integrity key: E Core (all except Show status; FIPS_O Provider Parameter None Crypto Teardown) Core K context, types Officer (Show Status, operations paramete (array) Show Version) dispatched by rs types with: FIPS provider: (array), Name, Metadata capability Version, (Gettable , callback BuildInfo, parameters; pointer Status, Get and SecurityCh parameters; argument ecks; Get s, Status capabilities); operation return, TLS Query; Self- ID group test capabilities , Null or array of available operations Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 39

Name Description Indicato Inputs Outputs Security SSP r Function Access s Core: Perform Run the self- FIPS_O Provider Status (1 = Perform Crypto self-tests test sequence K context pass, 0 = self-tests Officer fail) (All) Software Integrity Test Core: Uninstantiate FIPS_O Provider None None Crypto Teardown the module; K context Officer (Perform includes zeroisation) Zeroise DS_SGK :Z DS_SVK: Z GKP_Pri vate: Z GKP_Pu blic: Z KAS_Priv ate: Z KAS_Pu blic: Z KAS_SS: Z KD_DKM :Z KH_Key: Z KTS_KD K: Z KTS_KE K: Z KTS_SS: Z DRBG_E I: Z Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 40

Name Description Indicato Inputs Outputs Security SSP r Function Access s DRBG_S eed: Z DRBG_S tate: Z SC_EDK: Z Software Integrity key: Z Asymmetric Encapsulate [KTS- Encapsul Status KTS-4 Crypto cipher (Key or IFC: ate: Key return; Officer Transport) decapsulate RSA, 4, struct KTS_SS (Perform key material (2048, (KTS_KD KTS_KD approved on behalf of 3072, K); K: E security the calling 4096, Decapsul functions) process (does 6144, ate KTS_KE not establish 8192)] (KTS_KE K: E keys into the K) module) KTS_SS: R Cipher Encrypt or [AES- SC_EDK Status Symmetri Crypto (Encryption/Dec decrypt data, ECB: and return. c Officer ryption and Key including AES- KH_Key Plaintext or Encryptio Wrapping) AEAD modes 128- (for key ciphertext n and SC_EDK: (Perform (CCM, GCM) ECB, wrapping data, or Decryptio E approved and key wrap AES- ); flags wrapped n security (KW, KWP) 192- key Keyed KH_Key: functions) (CSPs are ECB, Hash E passed in by AES- KTS-1 the calling 256- KTS-2 process or ECB]; KTS-3 generated [AES- Cryptogra within the CBC: phic Key module) AES- Generatio 128- n (CKG) CBC, Cryptogra AES- phic Key 192- Generatio CBC, n (CKG) AES- AES XTS 256- KTS-5 CBC]; [AESCBCCS: Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 41

Name Description Indicato Inputs Outputs Security SSP r Function Access s AES128CBCCTS, AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, AES256CFB8]; [AESCFB128: AESMusarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 42

Name Description Indicato Inputs Outputs Security SSP r Function Access s 128CFB, AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256GCM]; [AESXTS: AES128XTS, AES256Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 43

Name Description Indicato Inputs Outputs Security SSP r Function Access s XTS]; [AESKW, KWP: AES128WRAP, AES256WRAP] Key derivation Derive keying [PBKDF: KAS_SS; Status Key Crypto (Perform material PBKDF2 flags return; Derivatio Officer approved , (SHA- KD_DKM n security 1, KAS_SS: functions) SHA2- W,E 224, SHA2- KD_DKM 256, : G,R SHA2- 384, KTS_SS: SHA2- W,E 512, - PBKDF SHA2- Passwor 512/224, d: W,E,Z SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; [TLS13KDF, (SHA2256, SHA2384)]; Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 44

Name Description Indicato Inputs Outputs Security SSP r Function Access s [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; [X942KD F-ASNI, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; [NIST SP 800108r1 KDF KMAC: KBKDF, (KMAC128, KMAC256)]; [NIST SP 800108r1 KDF: KBKDF, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 45

Name Description Indicato Inputs Outputs Security SSP r Function Access s MAC: CMAC, Cipher: AES128CBC, AES192CBC, AES256CBC, MAC: HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 46

Name Description Indicato Inputs Outputs Security SSP r Function Access s HMACSHA3512]; [KDF SSH: SSHKD F, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512)]; [OneSte p KDF: SSKDF, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACSHA2256, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 47

Name Description Indicato Inputs Outputs Security SSP r Function Access s HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, KMAC128, KMAC256)]; [TwoSte p KDF: HKDF, MAC: HMAC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 48

Name Description Indicato Inputs Outputs Security SSP r Function Access s SHA3512]; [HKDF: HKDF, MAC: HMAC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512]; Key exchange Perform key [KAS- Key Status KAS-1 Crypto (Perform agreement FFC- structs return; KAS-2 Officer approved primitives on SSC: (KAS_Pri KAS_SS KAS-3 security behalf of the DHX]; vate and KAS ECC KAS_Priv functions) calling [KAS- KAS_Pu CDH ate: E process (does ECC- blic); Compone not establish SSC: flags nt KAS_Pu keys into the EC] blic: E module) KAS_SS: G Key Generate [SafePri ECDSA: Status Asymmet Crypto management asymmetric mes: curve return; Key ric Key Officer (Perform key pairs DHX]; identifier. struct Pair approved [RSA DSA/RS (GKP_Priv Generatio GKP_Pri security KeyGen: A: ate, n vate: G functions) RSA, modulus GKP_Publi (2048, size c) GKP_Pu 3072, blic: G 4096)]; [ECDSA Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 49

Name Description Indicato Inputs Outputs Security SSP r Function Access s KeyGen: EC]; [DSA KeyGen: DSA, (L=2048, N=28, 32), (L=3072, N=32)] Message Generate or [HMAC: KH_Key Status Keyed Crypto authentication verify data HMAC- return; Tag Hash Officer (Perform integrity. SHA1, value Cryptogra approved (CSPs are HMAC- phic Key KH_Key: security passed in by SHA2- Generatio E functions) the calling 224, n (CKG) process or HMACgenerated SHA2within the 256, module) HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; [CMAC]; [KMAC: KMAC128, KMACMusarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 50

Name Description Indicato Inputs Outputs Security SSP r Function Access s 256]; [GMAC: AES128GCM, AES192GCM, AES256GCM] Message digest Generate a [SHA-1, Message Status Message Crypto (Perform message SHA2- ; flags return; Digest Officer approved digest 224, Hash value security SHA2functions) 256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, SHAKE128, SHAKE256] Random Generate [Hash DRBG Status Random Crypto (Perform random bits DRBG: struct return; Number Officer approved using the HASH- (RBG Random Generatio security DRBG DRBG, State); value n DRBG_E functions) (SHA1, DRBG_E I: E SHA2- I 256, DRBG_S SHA2- eed: E 512)]; [HMAC- DRBG_S DRBG, tate: E (SHA1, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 51

Name Description Indicato Inputs Outputs Security SSP r Function Access s SHA2256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] Signature Generate or [RSA Sign: Status RSA Crypto (Perform verify digital SigGen: Key return; Digital Officer approved signatures RSA, struct Signature Signature security (SSPs are (2048, (DS_SG value Generatio DS_SGK functions) passed in by 3072, K); n and :E the calling 4096), message Verificatio process) (SHA2- ; Verify: n DS_SVK: 224, signature ECDSA E SHA2- value; Signature 256, Key Generatio SHA2- struct n and 384, (DS_SV Signature SHA2- K); flags; Verificatio 512, sizes n SHA2- DSA 512/224, Digital SHA2- Signature 512/256) Generatio ]; [RSA n and SigVer: Verificatio RSA, n (1024, RSA 2048, Signature 3072, Primitive 4096), (SHA1, SHA2224, SHA2256, SHA2384, SHA2Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 52

Name Description Indicato Inputs Outputs Security SSP r Function Access s 512, SHA2512/224, SHA2512/256) ]; [RSA Signatur e Primitive : RSA, 2048, hash algorith m: (null)]; [ECDSA SigGen: EC, (SHA2224, SHA2256, SHA2384, SHA2512, SHA3224, SHA3256, SHA3384, SHA3512)]; [ECDSA SigVer: EC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 53

Name Description Indicato Inputs Outputs Security SSP r Function Access s SHA2512/256) ]; [ECDSA SigGen Compon ent]: EC, hash: (null)]; [DSA, PQGGe n: DSA, (L= 2048, N=28, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) , (L=2048, 3072, N=32, =SHA2256, SHA2384, SHA2512, SHA2512/256) ]; [DSA PQGVer : DSA, N=20 bytes, bytes, bytes]; Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 54

Name Description Indicato Inputs Outputs Security SSP r Function Access s [DSA, SigGen: DSA, (L= 2048, 3072), (N=28, 32), (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) ]; [DSA, SigVer: DSA, (L=1024, N=20), (L=2048, N=28, 32), (L=3072, N=28, 32), (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) ] Zeroise

Page 55

Name Description Indicato Inputs Outputs Security SSP r Function Access s zeroizes all DS_SGK Module scope :Z SSPs

Page 56

Name Description Indicato Inputs Outputs Security SSP r Function Access s Software Integrity key: Z Table 12: Approved Services Note: The Indicators in Table 12 above follow the format: [Algorithm name: Indicator 1, Indicator 2, etc.] where Indicator 1 is an algorithm identifier and Indicators 2, 3 etc. depending on the algorithm are the specifics i.e. modes/supported curves/SafePrime groups/PRFs, etc.) per algorithm. Each combination of the Indicator 1 along with Indicators 2, 3, etc. in the comma separated list can be observed when the corresponding modes/curves/SafePrimes, PRFs etc. are invoked for a given algorithm in the context of a given service. The service indicators must be requested by the calling applications as by calling the following EVP APIs of the module in the context of each service:

Page 57
4.4 Non-Approved Services

Name Description Algorithms Role Signature Generate or verify digital signatures Ed448 Crypto (SSPs are passed in by the calling Ed25519 Officer process) FIPS 186-2 RSA SigGen/SigVer Key Exchange Perform key agreement primitives X448 Crypto on behalf of the calling process X25519 Officer Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 58

Name Description Algorithms Role (does not establish keys into the module) Cipher Encrypt or decrypt data (CSPs are Triple-DES Crypto (Encryption/Decryption) passed in by the calling process) Officer ECDSA SigVer Verify ECDSA digital signatures ECDSA SigVer Crypto Component (SSPs are passed in by the calling Component Officer process) Key Derivation Derive keys (key derivation key X942KDF- Crypto passed in by the calling process) CONCAT Officer X963KDF HKDF OneStep KDF Key Generation Generate RSA public/private key FIPS 186-2 RSA Crypto pair per FIPS 186-2 KeyGen Officer Keyed Hash Generate HMAC using key length HMAC Crypto less than 112 bits Officer Random Generate random bits using the Hash and HMAC Crypto non-approved Hash and HMAC DRBG Officer DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256 Table 13: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not support loading of any additional software.

4.6 Bypass Actions and Status

The module does not support bypass.

4.7 Cryptographic Output Actions and Status

The module does not support self-initiated cryptographic output. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 59
5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fipsmodule.cnf contains the integrity reference value. The HMAC key used for the integrity test is considered a non-SSP. The HMAC-SHA2-256 CAST is performed prior to the software integrity test. The Module is provided in an executable form (as fips.so shared object for use in Linux environments, fips.dylib for use in Mac environments and fips.dll for use in Windows environments). The module does not support loading of any additional software.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.

5.3 Open-Source Parameters

In accordance with [ISO19790] Annex B, as the Module is open source, the tools used to build the Module as tested are:

Page 60
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The operational environment for the Module is modifiable as it runs in General Purpose Computers (GPC). The Module conforms to [FIPS140-3_IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by [FIPS140-3_IG] 2.3.C as a known PAA.

6.2 Configuration Settings and Restrictions

Table 3 lists the operational environments on which the Module was tested; no operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 61
7 Physical Security

Physical Security requirements are not applicable for this software Module. N/A for this module. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 62
8 Non-Invasive Security

In accordance with current CMVP policy, Non-Invasive Security is not applicable. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 63
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Area Name Description Persistence Type RAM Temporary, plaintext storage Dynamic Stored in the module's configuration file Persistent, plaintext storage Static Table 14: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distributio Entry SFI or Type n Type Type Algorith m CALL STACK Calling Module Plaintex Manual Electroni (API) INPUT application t c PARAMETER S CALL STACK Module Calling Plaintex Manual Electroni (API) application t c OUTPUT PARAMETER S Stored at Manufacture Stored in Plaintex N/A N/A manufacture r the t module's configuratio n file Table 15: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path).

9.3 SSP Zeroization Methods

Zeroization Method Description Rationale Operator Initiation OPENSSL_cleanse Zeroisation of SSPs The OPENSSL_cleanse Module managed by the caller provides zeroisation of initiated SSPs managed by the caller cleared after use Temporary copies of CSPs with a lifetime Module CSPs are zeroised within associated with an initiated the relevant function for OpenSSL object will be the scope within which zeroized when reinitialized they are used Teardown This operation triggers CSPs with a lifetime Operator Module uninstantiation associated with the Module initiated are zeroised on Module uninstantiation Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 64

Zeroization Method Description Rationale Operator Initiation Restarting the RAM (memory) is used Restarting the general- Operator general-purpose for temporary storage of purpose computer clears all initiated computer SSPs SSPs in RAM Table 16: SSP Zeroization Methods

9.4 SSPs

Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y DS_SGK Private key RSA: 2048, Private RSA for 3072 and key - Digital signature 4096 bits CSP Signature generation DSA: 2048 Generatio and 3072 bits n and ECDSA: B- Verificatio 233, K-233, n P-224; B- ECDSA 283, K-283, Signature P-256; B- Generatio 409, K-409, n and P-384; B- Signature 571, K-571, Verificatio P-521 - n RSA: 112, DSA

128 or 152 Digital

128 ECDSA: Generatio

112, 128, n and 192, 521 Verificatio n RSA Signature Primitive DS_SVK Public key RSA: 1024, Public RSA for 2048, 3072 key - Digital signature and 4096 bits PSP Signature verification DSA: 1024, Generatio

2048 and n and

3072 bits Verificatio

ECDSA: n ECDSA: B- ECDSA 233, K-233, Signature P-224; B- Generatio 283, K-283, n and P-256; B- Signature 409, K-409, Verificatio P-384; B- n 571, K-571, DSA Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 65

Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y P-521 - Digital RSA: 80, Signature 112, 128 or Generatio

152 DSA: 80, n and

112 or 128 Verificatio

ECDSA: 112, n 128, 192, GKP_Priva Key pair RSA: 2048, Private Asymmetric te (Private: 3072, 4096 key - Key Pair DS_SGK, bits DSA: CSP Generation Public: 2048 and Random DS_SVK) 3072 bits Number generated ECDSA: Generation per caller ECDSA: Brequest; the 233, K-233, keypair P-224; Bpurpose is 283, K-283, unspecified P-256; B409, K-409, P-384; B571, K-571, P-521 RSA: 112,

128 or 152
128 ECDSA:

112, 128, 192, 256 GKP_Publi Key pair RSA: 2048, Public Asymmetric c (Private: 3072, 4096 key - Key Pair GPK_Privat bits DSA: PSP Generation e, Public: 2048 and Random GPK_Publi 3072 bits Number c) ECDSA: Generation generated ECDSA: Bper caller 233, K-233, request; the P-224; Bkeypair 283, K-283, purpose is P-256; Bunspecified 409, K-409, P-384; B571, K-571, P-521 RSA: 112,

128 or 152
128 ECDSA:

Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 66

Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y 112, 128, 192, 256 KAS_Privat Key pair FFC: FB, FC, Private Asymmetric KAS-1 e component MODP2048, key - Key Pair KAS-2 provided by ffdhe2048, CSP Generation KAS-3 the local MODP3072, Random participant, ffdhe3072, Number used for MODP4096, Generation Diffie- ffdhe4096, Hellman MODP6144, shared ffdhe6144, secret MODP8192, generation ffdhe 8192 ECC: B-233, K-233, P224, B-283, K-283, P256, B-409, K-409, P384, B-571, K-571, P521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192,

256 IFC

[SP80056Br2]: 112, KAS_Publi Key pair FFC: FB, FC, Public Asymmetric KAS-1 c component MODP2048, key - Key Pair KAS-2 provided by ffdhe2048, PSP Generation KAS-3 the local MODP3072, Random participant, ffdhe3072, Number used for MODP4096, Generation Diffie- ffdhe4096, Hellman MODP6144, shared ffdhe6144, secret MODP8192, generation ffdhe 8192 ECC: B-233, K-233, P224, B-283, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 67

Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y K-283, P256, B-409, K-409, P384, B-571, K-571, P521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192,

256 IFC

[SP80056Br2]: 112, KAS_SS Shared FFC: FB, FC, Shared KAS-1 secret MODP2048, secret - KAS-2 calculation; ffdhe2048, CSP KAS-3 z output MODP3072, value is ffdhe3072, expected to MODP4096, be used by ffdhe4096, a KDF MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P224, B-283, K-283, P256, B-409, K-409, P384, B-571, K-571, P521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192,

256 IFC:

112, 128 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 68

Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y KD_DKM Key HMAC PRF: Derived Key Derivation 160, 224, Keying Derivation derived 256, 384, Material keying 512 - HMAC CSP material PRF: 160, 224, 256, 384, 512 KH_Key Keyed CMAC: 128, Symmetr Random Keyed Hash key 192, 256 ic key - Number Hash GMAC: 128, CSP Generation KTS-2 192, 256 Cryptograph HMAC: 160, ic Key 256, 512. Generation KMAC: 128, (CKG)

256 - CMAC:
256 GMAC:
256 HMAC:

160, 256, 512. KMAC: 128, 256 KTS_KDK Private 2048, 3072, Private KTS-4 (KDK) 4096 and key component 6144 bits - CSP of an RSA 112, 128, key pair 152, 176 used for [SP80056Br2] RSA key transport KTS_KEK Public 2048, 3072, Public KTS-4 (KEK) 4096 and key component 6144 bits - PSP of an RSA 112, 128, key pair 152, 176 used for [SP80056Br2] RSA key transport KTS_SS The RSA 2048, 3072, Shared KTS-4 key 4096 and secret transport 6144 bits - CSP shared 112, 128, secret 152, 176 Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 69

Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y DRBG_EI Entropy 128

256 - Hash

DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, SC_EDK AES key AES: 128, Symmetr Random Symmetri used for 192, 256 ic key - Number c symmetric AES CCM: CSP Generation Encryptio encryption 128, 192, Cryptograph n and and 256 AES ic Key Decryptio decryption GCM: 128, Generation n (including 192, 256 (CKG) KTS-1 use in key AES XTS: Cryptograph KTS-2 wrapping) 128, 256. - ic Key KTS-3 AES: 128, Generation KTS-5 192, 256 (CKG) AES CCM: AES XTS 128, 192,

256 AES

Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 70

Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y GCM: 128, 192, 256 AES XTS: 128, 256 PBKDF Input Recommend Symmetr Key Password provided to ed size is ic key - Derivatio the PBKDF greater than CSP n characters for passwords and greater than 20 characters for passphrases - 112 bits or greater Software HMAC- 256 bits - 256 bits - Software Integrity SHA2-256 256 bits Neither Integrity key key used to Test perform the Software Integrity Test Table 17: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duratio n DS_SGK CALL RAM:Plaint cleared OPENSSL_clea DS_SVK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer DS_SVK CALL RAM:Plaint cleared OPENSSL_clea DS_SGK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 71

Name Input - Storage Storage Zeroization Related SSPs Output Duratio n GKP_Priv CALL RAM:Plaint cleared OPENSSL_clea GKP_Public:Paired ate STACK ext after nse With (API) use cleared after OUTPUT use PARAMETE Teardown RS Restarting the general-purpose computer GKP_Publ CALL RAM:Plaint cleared OPENSSL_clea GKP_Private:Paired ic STACK ext after nse With (API) use cleared after OUTPUT use PARAMETE Teardown RS Restarting the general-purpose computer KAS_Priva CALL RAM:Plaint cleared OPENSSL_clea KAS_Public:Paired te STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KAS_Publi CALL RAM:Plaint cleared OPENSSL_clea KAS_Private:Paired c STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KAS_SS RAM:Plaint cleared OPENSSL_clea KAS_Private:Establi ext after nse shed using use cleared after KAS_Public:Establis use hed using Teardown Restarting the general-purpose computer KD_DKM CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) use cleared after OUTPUT use PARAMETE Teardown RS Restarting the Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 72

Name Input - Storage Storage Zeroization Related SSPs Output Duratio n general-purpose computer KH_Key CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KTS_KDK CALL RAM:Plaint cleared OPENSSL_clea KTS_KEK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KTS_KEK CALL RAM:Plaint cleared OPENSSL_clea KTS_KDK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KTS_SS CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) INPUT use Teardown PARAMETE Restarting the RS general-purpose CALL computer STACK (API) OUTPUT PARAMETE RS DRBG_EI CALL RAM:Plaint cleared OPENSSL_clea DRBG_Seed:Used STACK ext after nse to derive (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 73

Name Input - Storage Storage Zeroization Related SSPs Output Duratio n DRBG_Se RAM:Plaint cleared OPENSSL_clea DRBG_EI:Derived ed ext after nse From use cleared after use Teardown Restarting the general-purpose computer DRBG_St RAM:Plaint Until Teardown DRBG_Seed:Derive ate ext power- Restarting the d From cycling general-purpose of the computer underlyi ng host platform SC_EDK CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) INPUT use cleared after PARAMETE use RS Teardown CALL Restarting the STACK general-purpose (API) computer OUTPUT PARAMETE RS PBKDF CALL RAM:Plaint cleared OPENSSL_clea Password STACK ext after nse (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer Software Stored at Stored in Until Teardown Integrity manufacture the teardow key module's n configuratio operatio n file n is :Plaintext perform ed Table 18: SSP Table 2 All SSPs used by the Module are described in this section, arranged for consistency with Table 12; ‘--’ indicates the cell is intentionally empty, not applicable, or not relevant. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 74

Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). The Module maintains only the DRBG CSPs used for key generation as persistent CSPs; these are used exclusively for approved services. DRBG outputs are used internally to the Module for asymmetric key pair generation and used by calling applications to generate a random value (potentially for use as a symmetric key). The Module:

Page 75
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Test Indicator Details Test Properties Method Type HMAC-SHA2- Key Length: KAT SW/FW Success: All self- MAC (HMAC-

256 (A3548) 256 bits Integrity tests passed (as SHA2-256,

expected) A3548) Table 19: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test (KAT) for the HMAC-SHA2-256 algorithm.

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB Key KAT CAST FIPS_OK Decrypt On reloading the (A3548) Length: module

128 bits

AES-GCM Key KAT CAST FIPS_OK Encrypt On reloading the (A3548) Length: module

256 bits

AES-GCM Key KAT CAST FIPS_OK Decrypt On reloading the (A3548) Length: module

256 bits

Counter AES CTR KAT CAST FIPS_OK Generate, On reloading the DRBG (128 bits) Reseed, module (A3548) with Instantiate derivation functions function DSA Modulus: KAT CAST FIPS_OK Sign On reloading the SigGen 2048 bits; module (FIPS186- Hash:

  1. (A3548) SHA2-384 DSA Modulus: KAT CAST FIPS_OK Verify On reloading the SigVer 2048 bits; module (FIPS186- Hash:
  2. (A3548) SHA2-384 ECDSA Curve: P- KAT CAST FIPS_OK Sign On reloading the SigGen 224; Hash: module (FIPS186- SHA2-512
  3. (A3548) ECDSA Curve: P- KAT CAST FIPS_OK Verify On reloading the SigVer 224; Hash: module (FIPS186- SHA2-512
  4. (A3548) Hash PRF: KAT CAST FIPS_OK Generate, On reloading the DRBG SHA2-256 Reseed, module (A3548) Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Page 76

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Instantiate functions HMAC PRF: KAT CAST FIPS_OK Generate, On reloading the DRBG HMAC- Reseed, module (A3548) SHA-1 Instantiate functions HMAC- PRF: KAT CAST FIPS_OK HMAC tag Performed prior to SHA2-256 SHA2-256 Generation the software integrity (A3548) test KAS- Scheme: KAT CAST FIPS_OK Key On reloading the ECC-SSC Ephemeral Agreement - module Sp800- Unified, Shared 56Ar3 Curve: P- Secret (A3548) 256 Computation KAS-FFC- Scheme: KAT CAST FIPS_OK Key On reloading the SSC dhEphem; Agreement - module Sp800- Modulus: L Shared 56Ar3 = 2048 Secret (A3548) bits, N = Computation

256 bit

KAS-IFC- Schemes: KAT CAST FIPS_OK Key On reloading the SSC Basic, Agreement - module (A3548) CRT, Shared Modulus: L Secret = 2048 bits Computation KDF Mode: KAT CAST FIPS_OK Counter On reloading the SP800- Counter, Mode module

108 PRF: (HMAC-

(A3548) HMAC- SHA2-256). SHA2-256 KDA Auxiliary KAT CAST FIPS_OK Key On reloading the OneStep Function, Derivation module SP800- H = SHA256Cr2 224 (A3548) KDA Auxiliary KAT CAST FIPS_OK Key On reloading the TwoStep Function, Derivation module SP800- H= 56Cr2 HMAC(A3548) SHA2-256 KTS-IFC Schemes: KAT CAST FIPS_OK Encrypt On reloading the (A3548) Basic module Modulus: L = 2048 bits KTS-IFC Schemes: KAT CAST FIPS_OK Decrypt On reloading the (A3548) Basic, module CRT, Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 77

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Modulus: L = 2048 bits PBKDF Derivation KAT CAST FIPS_OK Key On reloading the (A3548) of the Derivation module Master Key (MK), PRF: SHA2-256 RSA Scheme: KAT CAST FIPS_OK Sign On reloading the SigGen PKCS#1, module (FIPS186- Modulus: L

  1. (A3548) = 2048, Hash: SHA2-256 RSA Scheme: KAT CAST FIPS_OK Verify On reloading the SigVer PKCS#1, module (FIPS186- Modulus: L
  2. (A3548) = 2048, Hash: SHA2-256 SHA-1 SHA-1 KAT CAST FIPS_OK Hash On reloading the (A3548) module SHA2-512 SHA2-512 KAT CAST FIPS_OK Hash On reloading the (A3548) module SHA3-256 SHA3-256 KAT CAST FIPS_OK Hash On reloading the (A3548) module KDF ANS PRFs: KAT CAST FIPS_OK Key On reloading the

9.42 AES KW Derivation module

(A3548) (128 bits), SHA-1 KDF ANS PRF: KAT CAST FIPS_OK Key On reloading the

9.63 SHA2-256 Derivation module

(A3548) KDF SSH PRF: SHA- KAT CAST FIPS_OK Key On reloading the (A3548) 1 Derivation module TLS v1.2 PRF: KAT CAST FIPS_OK Key On reloading the KDF SHA2-256 Derivation module RFC7627 (A3548) TLS v1.3 PRF: KAT CAST FIPS_OK Key On reloading the KDF SHA2-256 Derivation module (A3548) RSA Performed PCT PCT FIPS_OK Key On generating keys KeyGen post key Generation for Key Transport (FIPS186- generation (KTS IFC)/Key 4) (A3548) Agreement (KAS IFC)/Signature Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 78

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Generation/Signature Verification ECDSA Performed PCT PCT FIPS_OK Key On generating keys KeyGen post key Generation for Key Agreement (FIPS186- generation (KAS ECC)/Signature

  1. (A3548) Generation/Signature Verification DSA Performed PCT PCT FIPS_OK Key On generating keys KeyGen post key Generation for Key Agreement (FIPS186- generation (KAS FFC)/Signature
  2. (A3548) Generation/Signature Verification ECDSA Curve: K- KAT CAST FIPS_OK Sign On reloading the SigGen 233; Hash: module (FIPS186- SHA2-512
  3. (A3548) ECDSA Curve: K- KAT CAST FIPS_OK Verify On reloading the SigVer 233; Hash: module (FIPS186- SHA2-512
  4. (A3548) Table 20: Conditional Self-Tests Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. On instantiation, the Module performs the pre-operational self-tests and all CASTs listed above. All KATs must complete successfully prior to any other use of cryptography by the Module.
10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT SW/FW Integrity On Demand Manually by

256 (A3548) reloading the

module or calling the fips_self_test function Table 21: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 79

Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function AES-GCM KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Counter DRBG KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function DSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function DSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function ECDSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function ECDSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function Hash DRBG KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 80

Algorithm or Test Method Test Type Period Periodic Test Method HMAC DRBG KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function HMAC-SHA2- KAT CAST On Demand Manually by

256 (A3548) reloading the

module or calling the fips_self_test function KAS-ECC-SSC KAT CAST On Demand Manually by Sp800-56Ar3 reloading the (A3548) module or calling the fips_self_test function KAS-FFC-SSC KAT CAST On Demand Manually by Sp800-56Ar3 reloading the (A3548) module or calling the fips_self_test function KAS-IFC-SSC KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDF SP800-108 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDA OneStep KAT CAST On Demand Manually by SP800-56Cr2 reloading the (A3548) module or calling the fips_self_test function KDA TwoStep KAT CAST On Demand Manually by SP800-56Cr2 reloading the (A3548) module or calling the fips_self_test function Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 81

Algorithm or Test Method Test Type Period Periodic Test Method KTS-IFC KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KTS-IFC KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function PBKDF (A3548) KAT CAST On Demand Manually by reloading the module or calling the fips_self_test function RSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function RSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function SHA-1 (A3548) KAT CAST On Demand Manually by reloading the module or calling the fips_self_test function SHA2-512 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function SHA3-256 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 82

Algorithm or Test Method Test Type Period Periodic Test Method KDF ANS 9.42 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDF ANS 9.63 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDF SSH KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function TLS v1.2 KDF KAT CAST On Demand Manually by RFC7627 reloading the (A3548) module or calling the fips_self_test function TLS v1.3 KDF KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function RSA KeyGen PCT PCT On Demand On generation of (FIPS186-4) keys (A3548) ECDSA KeyGen PCT PCT On Demand On generation of (FIPS186-4) keys (A3548) DSA KeyGen PCT PCT On Demand On generation of (FIPS186-4) keys (A3548) ECDSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function ECDSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 83

Algorithm or Test Method Test Type Period Periodic Test Method calling the fips_self_test function Table 22: Conditional Periodic Information

10.4 Error States

Nam Description Conditi Recov Indicator e ons ery Metho d ERR

10.5 Operator Initiation of Self-Tests

The operator can reload the module or the fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 84
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Module is provided to vendors who integrate it into their product, typically in a manufacturing environment, and is not provided directly to US or Canadian Federal agencies. Adherence to the instructions in this document maintains security throughout the distribution, build, installation and configuration processes. An authorized Cryptographic Officer is required to perform these steps on each platform where it is intended to be used. The config file output contains information about the Module (such as the self-test status and the Module checksum) and must not be manually modified without using the openssl fipsinstall command. Crypto Officer Guidance a. Installation and Usage Guidance The Module is installed as part of the OpenSSL 3.1.2 library. The source distribution package is located at https://www.openssl.org/source/openssl-3.1.2.tar.gz. The Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider can be installed on the Tested Configurations listed in Table 3 by performing the following steps:

  1. Build and install OpenSSL 3.1.2 to the default location: The Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider (i.e., the Module) does not get built and installed automatically. To install the Module automatically during the normal OpenSSL 3.1.2 installation process it must be enabled by configuring OpenSSL using the ‘enable-fips’ option. Unix/Linux/macOS: $ ./Configure enable-fips $ make $ make install Windows: $ perl Configure enable-fips $ nmake $ nmake install The ‘install_fips’ make target can also be invoked explicitly to install the FIPS Provider independently, without installing the rest of OpenSSL: $ make install_fips Note: The instructions for building and installing OpenSSL 3.1.2 on other platforms can be found in the platform-specific guidance provided in INSTALL.md and README-FIPS.md in the OpenSSL 3.1.2 distribution package. Please see Appendix A for further information on porting the Module to platforms apart from the Tested Configurations in Table 3.
  2. Verify the version: $ openssl version -v Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Page 85

The Installation of the Musarubra US LLC FIPS Provider based on the OpenSSL FIPS Provider that occurs as a result of Step 1 above ensures that the shared library and the configuration file containing information about the Module (e.g., the Module checksum) is copied to its installed location. To install the configuration file to a non-default location, this can be achieved by running the ‘fipsinstall’ command line application manually: $ openssl fipsinstall -pedantic Please see fipsinstall.html /docs/man3.1/man1/openssl-fipsinstall.html for options supported for the ‘openssl fipsinstall’ command. Note: The software integrity check (per Section 5 of this document) is performed using HMAC-SHA2-256 on the Module file to validate that the Module has not been modified. The integrity value is compared to a value written to the config file during installation. b. CVEs The publication of a CVE does not require immediate re-validation or maintenance in the CMVP process. The module may be updated in the field as needed depending on the severity or consequences of the CVE. The Module will be kept up to date with re-validation and maintenance as required, generally bundling fixes for known CVEs in a next release. The OpenSSL organization maintains a Vulnerabilities page which describes known vulnerabilities and potential resolution. These are reported to the NVD, where they are independently assessed. The OpenSSL group publishes fixes for these vulnerabilities according to their triage process. c. Miscellaneous The module performs run-time checks related to enforcement of security parameters such as the minimum-security strength of keys, valid key sizes, and usage of approved curves. These checks shall not be disabled (by using OPENSSL_NO_FIPS_SECURITYCHECKS or any other method). Validation of domain parameters prior to generating keys using functions provided by the module is the responsibility of the Cryptographic Officer and not enforced by the module itself.

11.2 Administrator Guidance

No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.

11.3 Non-Administrator Guidance

No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.

11.4 Design and Rules

No additional rules apply for the operation of the module apart from those specified in the remainder of this section and Section 2.4 of this document. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 86
11.5 Maintenance Requirements

No maintenance requirements apply for operation of the module in the Approved/non-Approved modes as defined above.

11.6 End of Life

Module Sanitization and Destruction Sanitization is defined in [ISO19790] as “... the process of removing sensitive information (e.g. SSPs, user data, etc.) from the module, so that it may either be distributed to other operators or disposed.” The Module itself does not manage persistent SSPs, authentication data or any user data. The Module may be securely sanitized by deletion of the folder in which the Module was located. There are no additional procedures required for secure destruction of the Module. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.

Page 87
12 Mitigation of Other Attacks
12.1 Attack List

The Module implements mitigations for some types of attacks using the constant-time implementations and blinding. Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key. Musarubra US LLC. 2025 This document may be reproduced and distributed only in its original entirety without revision.