| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 3/10/2030 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | Digi International Inc. |
flowchart LR
%% Deterministic review-risk graph for Digi DAL OS based on the OpenSSL FIPS Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Digi DAL OS based on the OpenSSL FIPS Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3,C5,C6 clueLow;Digi International Inc. Digi DAL OS based on the OpenSSL FIPS Provider Document Version 1.0 August 2025 Prepared by: www.lightshipsec.com
| # | Section | Page |
|---|
Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 7 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid | 9 |
| Table 5: Modes List and Description | 9 |
| Table 6: Approved Algorithms | 16 |
| Table 7: Vendor-Affirmed Algorithms | 17 |
| Table 8: Non-Approved, Allowed Algorithms | 17 |
| Table 9: Non-Approved, Not Allowed Algorithms | 18 |
| Table 10: Security Function Implementations | 33 |
| Table 11: Ports and Interfaces | 38 |
| Table 12: Roles | 39 |
| Table 13: Approved Services | 57 |
| Table 14: Non-Approved Services | 59 |
| Table 15: Storage Areas | 64 |
| Table 16: SSP Input-Output Methods | 64 |
| Table 17: SSP Zeroization Methods | 65 |
| Table 18: SSP Table 1 | 71 |
| Table 19: SSP Table 2 | 74 |
| Table 20: Pre-Operational Self-Tests | 76 |
| Table 21: Conditional Self-Tests | 79 |
| Table 22: Pre-Operational Periodic Information | 79 |
| Table 23: Conditional Periodic Information | 84 |
| Table 24: Error States | 84 |
| Figure 1: Digi DAL OS based on the OpenSSL FIPS Provider Block Diagram | 7 |
Introduction Federal Information Processing Standards Publication 140-3
The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as follows: Section Title Security Level
1 General 1
2 Cryptographic module specification 1
Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Section Title Security Level
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 3
12 Mitigation of other attacks 1
Overall Level 1 Table 1: Security Levels
In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply to the Module. In accordance with current CMVP policy, [ISO19790] §7.8 Non-Invasive Security is not applicable. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Purpose and Use: The Module is a cryptographic software library providing a C-language application program interface (API) for use by applications that require cryptographic functionality and is designated as a software module with a multi-chip standalone embodiment based on the descriptions of [ISO19790] AS02.03. The Module is intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module’s formal name and version are “Digi DAL OS based on the OpenSSL FIPS Provider” and “3.1.2”, respectively. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Type: Software Module Embodiment: Multi-Chip Standalone Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per [ISO19790] AS02.03. The cryptographic boundary of the Module is the FIPS Provider, a dynamically loadable library. The Module performs no communication other than with the calling application via APIs that invoke the Module. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the General Purpose Computer. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Figure 1: Digi DAL OS based on the OpenSSL FIPS Provider Block Diagram
Tested Module Identification
Operating System Hardware Processors PAA/PAI Hypervisor Version(s) Platform or Host OS Ubuntu Linux Dell Inspiron Intel i7- No N/A 3.1.2
Ubuntu Linux Dell Inspiron Intel i7- Yes N/A 3.1.2
Debian 11.5 Dell Inspiron Intel i7- No N/A 3.1.2
Debian 11.5 Dell Inspiron Intel i7- Yes N/A 3.1.2
FreeBSD 13.1 Dell Inspiron Intel i7- No N/A 3.1.2
FreeBSD 13.1 Dell Inspiron Intel i7- Yes N/A 3.1.2
Windows 10 Pro Dell Inspiron Intel i7- No N/A 3.1.2
Windows 10 Pro Dell Inspiron Intel i7- Yes N/A 3.1.2
macOS 11.5.2 Apple M1 Mac M1 No N/A 3.1.2 Mini macOS 11.5.2 Apple M1 Mac M1 Yes N/A 3.1.2 Mini macOS 11.5.2 Apple i7 Mac Intel i7 No N/A 3.1.2 Mini macOS 11.5.2 Apple i7 Mac Intel i7 Yes N/A 3.1.2 Mini Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: Operating Hardware Platform System Digi DAL OS Digi AnywhereUSB2 Plus Digi DAL OS Digi AnywhereUSB24 Plus Digi DAL OS Digi AnywhereUSB24W Plus Digi DAL OS Digi AnywhereUSB8 Plus Digi DAL OS Digi AnywhereUSB8W Plus Digi DAL OS Digi Connect EZ Mini Digi DAL OS Digi Connect EZ 2 Digi DAL OS Digi Connect EZ 4 Digi DAL OS Digi Connect EZ 8 Digi DAL OS Digi Connect EZ 16 Digi DAL OS Digi Connect EZ 32 Digi DAL OS Digi ConnectIT-Mini Digi DAL OS Digi ConnectIT16 Digi DAL OS Digi ConnectIT4 Digi DAL OS Digi ConnectIT48 Digi DAL OS Digi EX12 Digi DAL OS Digi EX15 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Operating Hardware Platform System Digi DAL OS Digi EX15W Digi DAL OS Digi EX50 Digi DAL OS Digi IX10 Digi DAL OS Digi IX15 Digi DAL OS Digi IX20 Digi DAL OS Digi IX20W Digi DAL OS Digi IX30 Digi DAL OS Digi IX40 Digi DAL OS Digi LR54 Digi DAL OS Digi TX40 Digi DAL OS Digi TX54 Digi DAL OS Digi TX64 Digi DAL OS Digi TX64-Rail Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.
No components are excluded from [FIPS140-3] requirements.
Modes List and Description: Mode Description Type Status Name Indicator Approved The module must be installed and configured per Approved fips=yes mode instructions provided in Section 11 of this document and the module is in the Approved mode by default as a result. The installation of the Module as described in Section 11 results in the settings described below this table, which are required for operation in the Approved mode Non- The module is in the Approved mode of operation by Non- fips=no Approved default. Use of the non-Approved Algorithms Not Approved mode Allowed in the Approved Mode will place the module in the non-approved mode of operation. Table 5: Modes List and Description The Module supports an Approved mode and a non-Approved mode of operation. The inherent properties of the Module are:
Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS1 A3548 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS2 A3548 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC-CS3 A3548 Direction - decrypt, encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A3548 Key Length - 128, 192, 256 SP 800-38C AES-CFB1 A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm CAVP Properties Reference Cert AES-CFB8 A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A3548 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A3548 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-GMAC A3548 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 AES-KW A3548 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-KWP A3548 Direction - Decrypt, Encrypt SP 800-38F Key Length - 128, 192, 256 AES-OFB A3548 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A3548 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Counter DRBG A3548 Prediction Resistance - Yes SP 800-90A Mode - AES-128, AES-192, AES-256 Rev. 1 Derivation Function Enabled - No, Yes DSA KeyGen A3548 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 DSA PQGGen A3548 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA PQGVer A3548 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA SigGen A3548 L - 2048, 3072 FIPS 186-4 (FIPS186-4) N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256 DSA SigVer A3548 L - 1024, 2048, 3072 FIPS 186-4 (FIPS186-4) N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm CAVP Properties Reference Cert ECDSA KeyGen A3548 Curve - B-233, B-283, B-409, B-571, K-233, K- FIPS 186-4 (FIPS186-4) 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates ECDSA KeyVer A3548 Curve - B-163, B-233, B-283, B-409, B-571, K- FIPS 186-4 (FIPS186-4) 163, K-233, K-283, K-409, K-571, P-192, P224, P-256, P-384, P-521 ECDSA SigGen A3548 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - B-233, B-283, B-409, B-571, K-233, K283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A3548 Component - No, Yes FIPS 186-4 (FIPS186-4) Curve - B-163, B-233, B-283, B-409, B-571, K163, K-233, K-283, K-409, K-571, P-192, P224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Hash DRBG A3548 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512, SHA2-512/224, SHA2512/256, SHA3-256, SHA3-512 HMAC DRBG A3548 Prediction Resistance - Yes SP 800-90A Mode - SHA-1, SHA2-224, SHA2-256, SHA2- Rev. 1 384, SHA2-512, SHA2-512/224, SHA2512/256, SHA3-256, SHA3-512 HMAC-SHA-1 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-224 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-256 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-384 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2-512 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA2- A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/224 8 HMAC-SHA2- A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 512/256 8 HMAC-SHA3-224 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-256 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm CAVP Properties Reference Cert HMAC-SHA3-384 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 HMAC-SHA3-512 A3548 Key Length - Key Length: 8-524288 Increment FIPS 198-1 KAS-ECC CDH- A3548 Curve - B-233, B-283, B-409, B-571, K-233, K- SP 800-56A Component 283, K-409, K-571, P-224, P-256, P-384, P-521 Rev. 3 SP800-56Ar3 (CVL) KAS-ECC-SSC A3548 Domain Parameter Generation Methods - B- SP 800-56A Sp800-56Ar3 233, B-283, B-409, B-571, K-233, K-283, K- Rev. 3 409, K-571, P-224, P-256, P-384, P-521 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A3548 Domain Parameter Generation Methods - FB, SP 800-56A Sp800-56Ar3 FC, ffdhe2048, ffdhe3072, ffdhe4096, Rev. 3 ffdhe6144, ffdhe8192, MODP-2048, MODP3072, MODP-4096, MODP-6144, MODP-8192 Scheme dhEphem KAS Role - initiator, responder KAS-IFC-SSC A3548 Modulo - 2048, 3072, 4096, 6144, 8192 SP 800-56A Key Generation Methods - rsakpg1-basic, Rev. 3 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KAS1 KAS Role - initiator, responder KAS2 KAS Role - initiator, responder KDA HKDF A3548 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 HMAC Algorithm - SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 KDA OneStep A3548 Derived Key Length - 2048 SP 800-56C SP800-56Cr2 Shared Secret Length - Shared Secret Length: Rev. 2 224-8192 Increment 8 KDA TwoStep A3548 MAC Salting Methods - default, random SP 800-56C SP800-56Cr2 KDF Mode - feedback Rev. 2 Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 KDF ANS 9.42 A3548 KDF Type - DER SP 800-135 (CVL) Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512, SHA2-512/224, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm CAVP Properties Reference Cert SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 KDF ANS 9.63 A3548 Hash Algorithm - SHA2-224, SHA2-256, SHA2- SP 800-135 (CVL) 384, SHA2-512 Rev. 1 Key Data Length - Key Data Length: 128, 4096 KDF KMAC A3548 Derived Key Length - Derived Key Length: 112- SP 800-108 Sp800-108r1 4096 Increment 8 Rev. 1 KDF SP800-108 A3548 KDF Mode - Counter, Feedback SP 800-108 Supported Lengths - Supported Lengths: 8, 72, Rev. 1 128, 776, 3456, 4096 KDF SSH (CVL) A3548 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-224, SHA2- Rev. 1 256, SHA2-384, SHA2-512 KMAC-128 A3548 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KMAC-256 A3548 Message Length - Message Length: 0-65536 SP 800-185 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 KTS-IFC A3548 Modulo - 2048, 3072, 4096, 6144 SP 800-56B Key Generation Methods - rsakpg1-basic, Rev. 2 rsakpg1-crt, rsakpg1-prime-factor, rsakpg2basic, rsakpg2-crt, rsakpg2-prime-factor Scheme KTS-OAEP-basic KAS Role - initiator, responder Key Transport Method Key Length - 1024 PBKDF A3548 Iteration Count - Iteration Count: 1-10000 SP 800-132 Increment 1 Password Length - Password Length: 8-128 Increment 8 RSA KeyGen A3548 Key Generation Mode - B.3.3, B.3.6 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2, Table C.3 Private Key Format - Standard RSA SigGen A3548 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 2048, 3072, 4096 RSA Signature A3548 Private Key Format - CRT FIPS 186-4 Primitive (CVL) RSA SigVer A3548 Signature Type - ANSI X9.31, PKCS 1.5, FIPS 186-4 (FIPS186-4) PKCSPSS Modulo - 1024, 2048, 3072, 4096 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm CAVP Properties Reference Cert Safe Primes Key A3548 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Generation ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 Safe Primes Key A3548 Safe Prime Groups - ffdhe2048, ffdhe3072, SP 800-56A Verification ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, Rev. 3 MODP-3072, MODP-4096, MODP-6144, MODP-8192 SHA-1 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A3548 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A3548 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 Large Message Sizes - 1, 2, 4, 8 SHAKE-128 A3548 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 SHAKE-256 A3548 Output Length - Output Length: 16-65536 FIPS 202 Increment 8 TLS v1.2 KDF A3548 Hash Algorithm - SHA2-256, SHA2-384, SHA2- SP 800-135 RFC7627 (CVL) 512 Rev. 1 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm CAVP Properties Reference Cert TLS v1.3 KDF A3548 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Table 6: Approved Algorithms The Module implements the Approved cryptographic functions listed in Table 5. Vendor-Affirmed Algorithms: Name Properties Implementation Reference DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG PQGGen 2048/N = 224 (s = 112), L = OpenSSL 3.x C.C and IG C.B [FIPS 186- 2048/N = 256 (s = 112) L = FIPS Provider Resolution (bullet point 4] 3072/N = 256 (s = 128) #3) Mode/Method:PQGGen using SHA3 DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG PQGVer 1024/N = 160 (s < 112) L = OpenSSL 3.x C.C and IG C.B [FIPS 186- 2048/N = 224 (s = 112), L = FIPS Provider Resolution (bullet point 4] 2048/N = 256 (s = 112) L = #3) 3072/N = 256 (s = 128) Mode/Method:PQGVer using SHA3 DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG SigGen 2048/N = 224 (s = 112), L = OpenSSL 3.x C.C and IG C.B [FIPS 186- 2048/N = 256 (s = 112) L = FIPS Provider Resolution (bullet point 4] 3072/N = 256 (s = 128) #3) Mode/Method:SigGen using SHA3 DSA Key Size, Key Strength:L = OpenSSL Project Vendor affirmed per IG SigVer 1024/N = 160 (s < 112) L = OpenSSL 3.x C.C and IG C.B [FIPS186- 2048/N = 224 (s = 112), L = FIPS Provider Resolution (bullet point 4] 2048/N = 256 (s = 112) L = #3) 3072/N = 256 (s = 128) Mode/Method:SigVer using SHA3 CKG - Key Type :Asymmetric N/A NIST SP800-133r2 Section 4 Section 4: Using the and 5.1 Output of a Random Bit Generator; Section 5.1: Key Pairs for Digital Signature Schemes CKG - Key Type:Asymmetric N/A NIST SP800-133r2 Section 4 Section 4: Using the and 5.2 Output of a Random Bit Generator; Section 5.2: Key Pairs for Key Establishment Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Properties Implementation Reference CKG - Key Type:Symmetric N/A NIST SP800-133r2 Section 4 Section 4: Using the and Section Output of a Random
6.1 Bit Generator; Section
6.1: Direct Generation of Symmetric Keys CKG - Key Type:Symmetric N/A NIST SP 800-133r2 Section 6.2 Section 6.2: Derivation of Symmetric keys CKG - Key Type:Symmetric N/A NIST SP 800-133rev2, Section 6.3 Section 6.3: Symmetric Keys Produced by Combining Multiple Keys and Other Data CKG
Name Use and Function FIPS 186-2 RSA Provides >= 80 bits of security, RSA signature generation/verification SigGen/SigVer per FIPS 186-2 FIPS 186-2 RSA Provides >= 112 bits of security, RSA key generation per FIPS 186-2 KeyGen X942KDF- Usage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2CONCAT 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 X963KDF Usage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 HKDF Provides < 112 bits of security, Usage of HKDF with key length less than 112 bits OneStep KDF Usage of OneStep KDF with PRF SHAKE128, SHAKE256 HMAC Provides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation Hash and HMAC Usage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, DRBG SHA2-512/224 and SHA2-512/256 Table 9: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Symmetric BC-Auth Symmetric Key Length:128, 192 AES-CBC: Encryption BC-UnAuth Encryption and and 256 bits (A3548) and Decryption Key Length AES-CBCDecryption (XTS):128 and 256 CS1: (A3548) bits AES-CBCCS2: (A3548) AES-CBCCS3: (A3548) AES-CCM: (A3548) AES-CFB1: (A3548) AES-CFB128: (A3548) AES-CFB8: (A3548) AES-CMAC: (A3548) AES-CTR: (A3548) AES-ECB: (A3548) AES-GCM: (A3548) AES-GMAC: (A3548) AES-OFB: Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms (A3548) AES-XTS Testing Revision 2.0: (A3548) Message SHA Message Digest SHA-1 :(s = 160) SHA-1: Digest Large Message (A3548) Sizes: 1, 2, 4, SHA2-224: 8gigabytes (A3548) SHA2:SHA2-224 (s = SHA2-256: 224), SHA2-256 (s = (A3548) 256), SHA2-384 (s = SHA2-384: 384), SHA2-512 (s = (A3548) 512), SHA2-512/224 SHA2-512: (s = 224), SHA2- (A3548) 512/256 (s = 256). SHA2Large Message 512/224: Sizes: 1, 2, 4, (A3548) 8gigabytes SHA3-224: SHA3:SHA3-224 (s = (A3548) 224), SHA3-256 (s = SHA3-256: 256), SHA3-384 (s = (A3548) 384), SHA3-512 (s = SHA3-384: 512). See Note 1. (A3548) Large Message SHA3-512: Sizes: 1, 2, 4, (A3548) 8gigabytes SHAKE-128: SHAKE:SHAKE-128 (A3548) (s = 128), SHAKE- SHAKE-256:
Note 1. SHA2512/256: (A3548) Keyed Hash BC-Auth Keyed Hash HMAC-SHA-1 HMAC-SHA-1: MAC [FIPS198-1]:SHA-1 (s (A3548) = 160) HMAC-SHA2HMAC-SHA2 224: (A3548) [FIPS198-1]:SHA2- HMAC-SHA2-
512/224 (s = 224), 512: (A3548) SHA2-512/256 (s = HMAC-SHA2256) 512/224: HMAC-SHA3 (A3548) [FIPS198-1]:SHA3- HMAC-SHA2-
Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms
KMAC:KMAC-128 HMAC-SHA3(112 ≤ s ≤ 128), 256: (A3548) KMAC-256 (112 ≤ s ≤ HMAC-SHA3256). See Note 8. 384: (A3548) HMAC-SHA3512: (A3548) AES-CMAC: (A3548) KMAC-128: (A3548) KMAC-256: (A3548) AES-GMAC: (A3548) RSA Digital DigSig- RSA Digital Signature type: ANSI RSA SigGen Signature SigGen Signature X9.31 tested with the (FIPS186-4): Generation DigSig-SigVer Generation and listed moduli and the (A3548) and Verification following hash RSA SigVer Verification algorithms: SHA2- (FIPS186-4): 256, SHA2-384, (A3548) SHA2-512:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCS 1.5 tested with the listed moduli and the following hash algorithms: SHA2-224, SHA2256, SHA2-384, SHA2-512, SHA2512/224, SHA2512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCSPSS tested with the listed moduli and the following hash algorithms: SHA2- 224, SHA2256, SHA2-384, SHA2- 512, SHA2512/224, SHA2512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms ~= 152) Signature type: ANSI X9.31 tested with the listed moduli and the following hash algorithms: SHA-1*, SHA2-256, SHA2384, SHA2512:k=1024 (s ≤ 112), k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCS 1.5 tested with the listed moduli and the following hash algorithms: SHA-1*, SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2512/256:k=1024 (s ≤ 112), k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCSPSS tested with the listed moduli and the following hash algorithms: SHA-1*, SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2512/256:k=1024 (s ≤ 112), k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) ECDSA DigSig- ECDSA Signature SigGen (includes ECDSA Signature SigGen Generation and SigGen Component) SigGen Generation DigSig-SigVer Signature (tested with SHA2- (FIPS186-4): and Signature Verification 224, SHA2-256, (A3548) Verification SHA2-384, SHA2- ECDSA 512, SHA2-512/224, SigVer SHA2-512/256, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms SHA3-224, SHA3- (FIPS186-4): 256, SHA3-384, (A3548) SHA3-512):B-233, K233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); B409, K-409, P-384 (s ~= 192); B-571, K571, P-521 (s ~= 256) SigVer (tested with SHA-1*, SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3256, SHA3-384, SHA3-512):B-163, K163, P-192 (s < 112); B-233, K-233, P-224 (s ~= 112); B-283, K283, P-256 (s ~= 128); B-409, K-409, P-384 (s ~= 192); B571, K-571, P-521 (s ~= 256) DSA Digital DigSig- DSA Digital SigGen (tested with DSA SigGen Signature SigGen Signature SHA2-224, SHA2- (FIPS186-4): Generation DigSig-SigVer Generation and 256, SHA2-384, (A3548) and Verification SHA2-512, SHA2- DSA SigVer Verification 512/224, SHA2- (FIPS186-4): 512/256); SigGen (A3548) using SHA3; no DSA SigGen ACVP testing is [FIPS 186-4]: available:L = 2048/N () = 224 (s = 112), L = Key Size, Key 2048/N = 256 (s = Strength: L = 112) L = 3072/N = 2048/N = 224
SigVer (tested with 2048/N = 256 SHA-1, SHA2-224, (s = 112) L = SHA2-256, SHA2- 3072/N = 256 384, SHA2-512, (s = 128) SHA2-512/224, Mode/Method: SHA2-512/256); SigGen using SigVer using SHA3; SHA3 no ACVP testing is DSA SigVer available:L = 1024/N [FIPS186-4]: () = 160 (s < 112) L = Key Size, Key Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms 2048/N = 224 (s = Strength: L = 112), L = 2048/N = 1024/N = 160
3072/N = 256 (s = 2048/N = 224 128) (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: SigVer using SHA3 RSA DigSig- Signature Private Key RSA Signature SigGen primitive format:CRT Signature Primitive Public Exponent Primitive: Mode:Fixed : k = (A3548) 2048 Asymmetric AsymKeyPair- Generation of RSA KeyGen:k=2048 RSA KeyGen Key Pair KeyGen asymmetric key (s ~= 112), k=3072 (s (FIPS186-4): Generation AsymKeyPair- pairs ~= 128), k=4096 (s (A3548) KeyVer ~= 152) DSA KeyGen DSA KeyGen:L = (FIPS186-4): 2048/N = 224 (s = (A3548) 112), L = 2048/N = ECDSA
3072/N = 256 (s = (FIPS186-4): 128) (A3548) ECDSA KeyGen: Safe Primes Secret Generation Key Mode: Testing Generation: Candidates:B-233, K- (A3548) 233, P-224 (s ~= ECDSA 112); B-283, K-283, KeyVer P-256 (s ~= 128); B- (FIPS186-4): 409, K-409, P-384 (s (A3548) ~= 192); B-571, K- Safe Primes 571, P-521 (s ~= Key 256) Verification: Safe Primes Key (A3548) Generation, Safe CKG - Section Primes Key 4 and 5.1: () Verification:ffdhe2048 Key Type : (s = 112), ffdhe3072 Asymmetric (112 ≤ s ≤ 128), CKG - Section ffdhe4096 (112 ≤ s ≤ 4 and 5.2: () 152), ffdhe6144 (112 Key Type: ≤ s ≤ 176), ffdhe8192 Asymmetric (112 ≤ s ≤ 200), DSA PQGGen MODP-2048 (s = (FIPS186-4): 112), MODP-3072 (A3548) Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms (112 ≤ s ≤ 128), DSA PQGVer MODP-4096 (112 ≤ s (FIPS186-4): ≤ 152), MODP-6144 (A3548) (112 ≤ s ≤ 176), DSA PQGGen MODP-8192 (112 ≤ s [FIPS 186-4]: ≤ 200) () ECDSA KeyVer:B- Key Size, Key 163, K-163, P-192 (s Strength: L = < 112); B-233, K-233, 2048/N = 224 P-224 (s ~= 112); B- (s = 112), L = 283, K-283, P-256 (s 2048/N = 256 ~= 128); B-409, K- (s = 112) L = 409, P-384 (s ~= 3072/N = 256 192); B-571, K-571, (s = 128) P-521 (s ~= 256) Mode/Method: DSA PQGGen PQGGen (FIPS186-4), DSA using SHA3 PQGGen [FIPS 186- DSA PQGVer 4] (VA):L = 2048/N = [FIPS 186-4]:
2048/N = 256 (s = Key Size, Key 112) L = 3072/N = Strength: L =
DSA PQGVer (s < 112) L = (FIPS186-4), DSA 2048/N = 224 PQGVer [FIPS 186-4] (s = 112), L = (VA):L = 1024/N = 2048/N = 256
3072/N = 256 (s = PQGVer using 128) SHA3 Random DRBG Random Number Counter DRBG Counter Number Generation - [SP800-90Ar1]:AES- DRBG: Generation Hash_DRBG, 128 (s = 128), AES- (A3548) CTR_DRBG and 192 (s = 192), AES- Hash DRBG: HMAC_DRBG 256 (s = 256) (A3548) Hash DRBG [SP800- HMAC DRBG: 90Ar1]:SHA-1 (s = (A3548) 160), SHA2-256 (s = CKG
Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms
Key Derivation KBKDF Derive Keying KDA HKDF:SHA-1 (s KDA HKDF PBKDF Material = 160), SHA2-224 (s SP800-56Cr2: = 224), SHA2-256 (s (A3548) = 256), SHA2-384 (s KDA OneStep = 384), SHA2-512 (s SP800-56Cr2: = 512), SHA2- (A3548) 512/224 (s = 224), KDA TwoStep SHA2-512/256 (s = SP800-56Cr2: 256), SHA3-224 (s = (A3548) 224), SHA3-256 (s = KDF ANS 256), SHA3-384 (s = 9.42: (A3548) 384), SHA3-512 (s = KDF ANS 512) 9.63: (A3548) KDA OneStep:SHA-1 KDF KMAC (s = 160), SHA2-224 Sp800-108r1: (s = 224), SHA2-256 (A3548) (s = 256), SHA2-384 KDF SP800(s = 384), SHA2-512 108: (A3548) (s = 512), SHA2- KDF SSH: 512/224 (s = 224), (A3548) SHA2-512/256 (s = PBKDF: 256), SHA3-224 (s = (A3548) 224), SHA3-256 (s = TLS v1.2 KDF 256), SHA3-384 (s = RFC7627: 384), SHA3-512 (s = (A3548) 512); HMAC-SHA-1 TLS v1.3 KDF: (s = 160), HMAC- (A3548) SHA2-224 (s = 224), CKG - Section HMAC-SHA2-256 (s 6.2: () = 256), HMAC-SHA2- Key Type:
HMAC-SHA2-512 (s = 512), HMAC-SHA2512/224 (s = 224), HMAC-SHA2512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3-
HMAC-SHA3-384 (s = 384), HMAC-SHA3-
KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256) KDA TwoStep [SP80056Cr2]:HMAC-SHA-1 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms (s = 160), HMACSHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2-
HMAC-SHA2-512 (s = 512), HMAC-SHA2512/224 (s = 224), HMAC-SHA2512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3-
HMAC-SHA3-384 (s = 384), HMAC-SHA3-
KDF ANS 9.42 [SP800-135r1]:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512) KDF ANS 9.63 [SP800-135r1]:SHA2-
KDF KMAC [SP800108r1]:KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256) KDF [SP800108r1]:CMACAES128 (s = 128), CMAC-AES192 (s = 192), CMAC-AES256 (s = 256), HMACSHA-1 (s = 160), HMAC-SHA2-224 (s = 224), HMAC-SHA2Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms
HMAC-SHA2-384 (s = 384), HMAC-SHA2-
HMAC-SHA2512/224 (s = 224), HMAC-SHA2512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3-
HMAC-SHA3-384 (s = 384), HMAC-SHA3-
KDF SSH [SP800135r1]:AES-128 (s = 128), AES-192 (s = 192), AES-256 (s = 256); SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512) PBKDF [SP800132]:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2-512/224 (s = 224), SHA2512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512) TLS v1.2 KDF RFC7627: TLS [RFC7627] key derivation with Extended Master Secret (EMS) support, using the listed hash algorithms:SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512) TLS v1.3 KDF Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms [RFC8446]:HMACSHA2-256 (s = 256), HMAC-SHA2-384 (s = 384) KAS-1 KAS-SSC Scheme: SP800-56Ar3 KAS- KAS-ECCEphemeralUnified, ECC-SSC per IG D.F SSC Sp800KAS Role: Scenario 2 path 56Ar3: Initiator, (1):B-233, K-233, P- (A3548) Responder 224, B-283, K-283, P256, B-409, K-409, P384, B-571, K-571, and P-521 curves providing 112, 128, 192, or 256 bits of encryption strength KAS-2 KAS-SSC Scheme: SP800-56Ar3 KAS- KAS-FFCdhEphem. KAS FFC-SSC IG D.F SSC Sp800Role: Initiator, Scenario 2 path 56Ar3: Responder (1):2048, 3072, 4096, (A3548) 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strength KAS-3 KAS-SSC Scheme: KAS1, SP800-56Br2 KAS- KAS-IFCKAS2. KAS Role: IFC-SSC IG D.F SSC: (A3548) Initiator, Scenario 1 path Responder (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strength KTS-1 KTS-Wrap Key Transport in SP 800-38F KTS AES-KW: compliance with (key wrapping) per IG (A3548) [SP800- 38F] D.G :128, 192, and AES-KWP: when approved 256-bit keys (A3548) using AES KW or providing 128, 192, or KWP 256 bits of encryption strength KTS-2 KTS-Wrap Key Transport in SP 800-38F KTS AES-CBC: compliance with (key wrapping) per IG (A3548) [SP800- 38F] D.G : 128, 192, and AES-CFB1: when approved 256-bit keys (A3548) AES (any mode) providing 128, 192, or AES-CFB128: and approved 256 bits of encryption (A3548) HMAC, KMAC, strength AES-CFB8: GMAC or CMAC (A3548) AES-CTR: Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms are used in (A3548) combination AES-ECB: (A3548) AES-OFB: (A3548) AES-XTS Testing Revision 2.0: (A3548) AES-CBCCS2: (A3548) AES-CBCCS3: (A3548) AES-CCM: (A3548) AES-CMAC: (A3548) AES-GCM: (A3548) AES-GMAC: (A3548) AES-KW: (A3548) AES-KWP: (A3548) HMAC-SHA-1: (A3548) HMAC-SHA2224: (A3548) HMAC-SHA2256: (A3548) HMAC-SHA2384: (A3548) HMAC-SHA2512: (A3548) HMAC-SHA2512/224: (A3548) HMAC-SHA2512/256: (A3548) HMAC-SHA3224: (A3548) HMAC-SHA3256: (A3548) HMAC-SHA3384: (A3548) HMAC-SHA3512: (A3548) KMAC-128: Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms (A3548) KMAC-256: (A3548) AES-CBCCS1: (A3548) KTS-3 KTS-Wrap Key Transport in SP 800-38F KTS AES-CCM: compliance with (key wrapping) per IG (A3548) [SP800- 38F] D.G : 128, 192, and AES-CMAC: when approved 256-bit keys (A3548) using an providing 128, 192, or AES-GCM: Authenticated 256 bits of encryption (A3548) AES mode (AES strength AES-GMAC: CCM; AES GCM; (A3548) AES GMAC; AES CMAC) KTS-4 KTS-Encap Key Transport; SP 800-56Brev2 KTS-IFC: Scheme: KTS- KTS-IFC (key (A3548) OAEP-basic (no encapsulation and key confirmation): un-encapsulation) per RSA-OAEP, Key IG D.G:2048, 3072, Encapsulation, 4096, and 6144-bit Key key providing 112, Unencapsulation 128, 152, or 176 bits Key Generation of encryption strength Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-primefactor, rsakpg2basic, rsakpg2-crt, rsakpg2- primefactor KAS ECC KAS-SSC KAS-ECC-SSC Curves:B-233, K-233, KAS-ECC CDH primitive P-224 (s ~= 112); B- CDHComponent 283, K-283, P-256 (s Component ~= 128); B-409, K- SP800-56Ar3: 409, P-384 (s ~= (A3548) 192); B-571, K-571, P-521 (s ~= 256). Perform self- BC-Auth All self-tests AES-ECB: tests (All) BC-UnAuth executed by the (A3548) DigSig- module at boot AES-GCM: SigGen (A3548) DigSig-SigVer Hash DRBG: DRBG (A3548) KAS-SSC Counter KBKDF DRBG: MAC (A3548) PBKDF HMAC DRBG: Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms SHA (A3548) XOF DSA SigGen (FIPS186-4): (A3548) DSA SigVer (FIPS186-4): (A3548) ECDSA SigGen (FIPS186-4): (A3548) ECDSA SigVer (FIPS186-4): (A3548) RSA SigGen (FIPS186-4): (A3548) RSA SigVer (FIPS186-4): (A3548) HMAC-SHA2256: (A3548) SHA-1: (A3548) SHA3-256: (A3548) SHA2-512: (A3548) KDF ANS 9.42: (A3548) KDF ANS 9.63: (A3548) KAS-ECCSSC Sp80056Ar3: (A3548) KAS-FFCSSC Sp80056Ar3: (A3548) KAS-IFCSSC: (A3548) KDA OneStep SP800-56Cr2: (A3548) KDA TwoStep SP800-56Cr2: (A3548) KDF SSH: Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms (A3548) KDF SP800108: (A3548) PBKDF: (A3548) TLS v1.2 KDF RFC7627: (A3548) TLS v1.3 KDF: (A3548) Cryptographic CKG Direct generation CKG - Section Key of symmetric keys 4 and Section Generation per NIST SP 800- 6.1: () (CKG) 133r2 Software MAC HMAC-SHA2-256 Key size: 256 bits HMAC-SHA2Integrity Test used to perform 256: (A3548) the software integrity test Cryptographic CKG AES XTS Key Key size:128, 256 CKG - Section Key generated to bits 6.3: () Generation comply with the (CKG) - AES approved key XTS generation guidelines of NIST SP 800-133rev2, Section 6.3, Symmetric Keys Produced by Combining Multiple Keys and Other Data KTS-5 KTS-Unwrap Key Unwrapping KTS (key AES-CBC: using any non- unwrapping) per IG (A3548) authenticated D.G:128, 192, and AES-CFB1: AES mode 256-bit keys (A3548) providing 128, 192, or AES-CFB128:
strength AES-CFB8: (A3548) AES-CTR: (A3548) AES-ECB: (A3548) AES-OFB: (A3548) AES-CBCCS1: (A3548) AES-CBCCS2: (A3548) Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Type Description Properties Algorithms AES-CBCCS3: (A3548) Table 10: Security Function Implementations Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority of the sources. Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP800-57P1r5] Table
a. AES-GCM Usage AES GCM IV generation must be compliant to [FIPS140-3_IG] C.H Key/IV Pair Uniqueness Requirements from SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS/DTLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. IV constructed in compliance with a protocol shall only be used in the context of the AES-GCM mode encryptions within the protocol. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
The Module does not implement the TLS and SSH protocols itself, however, it provides the cryptographic functions required for implementing the protocols. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3. The module provides the primitives to support the AES GCM ciphersuites from [SP800-52r1] Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per [SP800-38D] Section 8.2.2. Per [FIPS140-3_IG] C.H Scenario 2 and [SP800-38D], the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. In each case, in the event that the Module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are re-distributed in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This is in accordance with IG 2.4.A: If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation). b. PBKDF Usage The lower limit on the supported length of a password/passphrase used in key derivation is 1character. The ASCII system comprises of 94 printable characters (letters, digits, punctuation, and symbols). For a 1-character password/passphrase chosen from 94 printable ASCII characters, the total combinations are: 94^1. Thus, the probability of guessing the correct password/passphrase on a random attempt is: 1/94^1 ~0.010. The module being a software module, does not restrict the usage of a password/string used as the password and input to the PBKDF. The onus is on the calling application to provide a password of an appropriate length based on the intended security strength (and size) of the key to be derived. In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
The module complies with NIST SP 800-132 Section 5.4 Option 1 a and IG D.N. The iteration count values used range from 1 to 10000 per NIST SP 800-132 Section 5.2 whereby the iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. Keys derived from passwords, as shown in SP 800132, may only be used in storage applications. The security strength of the derived key is at least
c. AES-XTS Usage Usage In accordance with [SP800-38E], the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with [FIPS140-3_IG] C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. d. Legacy Usage The module supports the following implementations for legacy use/support per NIST SP 800131Ar2:
i. DRBG Usage Per IG D.R, the Hash_DRBG and HMAC_DRBG implementations use SHA-1, SHA2-256, SHA2512, SHA3-256 and SHA3-512. j. NIST SP 800-108 KDF Usage The SP 800-108 KDF is not used to generate asymmetric keys directly in that the module restricts generation of keys to approved methods only. For keys passed into the module, the onus lies on the calling application to ensure correct generation of such keys using approved mechanisms. The module implements CKG per NIST SP 800-133r2 Section 6.2.3. k. SHA-1 Usage: The module implements SHA-1 for usage in the following (this can be vetted from the SFI Table 9 in the Security Policy): I. As a PRF in the KDFs X942 KDF-CONCAT, X963 KDF, KDA HKDF, KDA OneStep, KDF, ANS 9.42 [SP800-135r1], KDF SSH [SP800-135r1], PBKDF [SP800-132], II. As a standalone SHA-1 hash function III. As a PRF in HMAC-SHA-1 IV. As the underlying hash function for RSA SigVer, ECDSA SigVer and DSA SigVer for legacy use/support per NIST SP 800-131Ar2 as specified in the Security Policy Section 2.7 d. V. As the underlying hash function in Hash DRBG and HMAC DRBG
The Module relies on the use of a [SP800-90B] compliant entropy source outside the Module boundary. The calling application is responsible for use of an [SP800-90B] compliant entropy source with sufficient entropy based on the required security strength. Entropy is supplied to the Module via callback functions (see Section 2.4 2. c). Minimum Number of Bits of Entropy, depending on the target security strength of generated SSPs are 128, 192 or 256 bits. When using the Counter DRBG implementation without the derivation function enabled, full entropy from the entropy source is required. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys). N/A for this module. N/A for this module.
The module implements NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.
Key Agreement Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and [FIPS140-3_IG] D.F Scenario 2 (path 1) and NIST SP 800-56Br2 and [FIPS140-3_IG] D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 9 have been documented accordingly. The Approved Algorithm list Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the [FIPS140-3_IG] D.F required key agreement assurances: [SP800-56Ar3] in accordance with Section 5.6.2. [SP800-56Br2] in accordance with Section 6.4. Per IG C.F Additional Comment 1.e: The elliptic curve used in the key agreement scheme and the associated domain parameters provide more than 112 bits of security as seen in the KAS-1 entry per Table
The Module conforms to Resolution 3 per [FIPS140-3_IG] D.C References to the Support of Industry Protocols: while it provides [SP800-56Ar3] conformant schemes and API entry points oriented to SSH and TLS usage, the Module does not contain the full implementation of SSH or TLS. The following caveat is required: No parts of the SSH and TLS protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Physical Logical Data That Passes Port Interface(s) N/A Control Input API entry point: stack frame including non-sensitive parameters N/A Data Input API call parameters passed by reference or value for cryptographic service input N/A Status API return value: enumerated status resulting from call execution Output N/A Data Output API call parameters passed by reference for cryptographic service output Table 11: Ports and Interfaces Table 10 defines the Module’s [FIPS140-3] logical interfaces; the Module does not interact with physical ports. The Control Output logical interface is not applicable to the Module and is intentionally omitted from Table 10. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document. N/A for this module.
Name Type Operator Type Authentication Methods Crypto Officer Role Crypto Officer None Table 12: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified) and does not support a maintenance role or a bypass capability.
Name Description Indicato Inputs Outputs Security SSP r Function Access s Initialize Module FIPS_O Core Initializatio Random Crypto initialization K handle, n status (1 Number Officer dispatch = pass, 0 = Generatio in and fail) n DRBG_E out, I: provider G,W,E,Z context DRBG_S tate: G Software Integrity key: E Core (all except Show status; FIPS_O Provider Parameter None Crypto Teardown) Core K context, types Officer (Show Status, operations paramete (array) Show Version) dispatched by rs types with: FIPS provider: (array), Name, Metadata capability Version, (Gettable , callback BuildInfo, parameters; pointer Status, Get and SecurityCh parameters; argument ecks; Get s, Status capabilities); operation return, TLS Query; Self- ID group test capabilities , Null or array of available operations Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s Core: Perform Run the self- FIPS_O Provider Status (1 = Perform Crypto self-tests test sequence K context pass, 0 = self-tests Officer fail) (All) Software Integrity Test Core: Uninstantiate FIPS_O Provider None None Crypto Teardown the module; K context Officer (Perform includes zeroisation) Zeroise DS_SGK :Z DS_SVK: Z GKP_Pri vate: Z GKP_Pu blic: Z KAS_Priv ate: Z KAS_Pu blic: Z KAS_SS: Z KD_DKM :Z KH_Key: Z KTS_KD K: Z KTS_KE K: Z KTS_SS: Z DRBG_E I: Z Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s DRBG_S eed: Z DRBG_S tate: Z SC_EDK: Z Software Integrity key: Z Asymmetric Encapsulate [KTS- Encapsul Status KTS-4 Crypto cipher (Key or IFC: ate: Key return; Officer Transport) decapsulate RSA, 4, struct KTS_SS (Perform key material (2048, (KTS_KD KTS_KD approved on behalf of 3072, K); K: E security the calling 4096, Decapsul functions) process (does 6144, ate KTS_KE not establish 8192)] (KTS_KE K: E keys into the K) module) KTS_SS: R Cipher Encrypt or [AES- SC_EDK Status Symmetri Crypto (Encryption/Dec decrypt data, ECB: and return. c Officer ryption and Key including AES- KH_Key Plaintext or Encryptio Wrapping) AEAD modes 128- (for key ciphertext n and SC_EDK: (Perform (CCM, GCM) ECB, wrapping data, or Decryptio E approved and key wrap AES- ); flags wrapped n security (KW, KWP) 192- key Keyed KH_Key: functions) (CSPs are ECB, Hash E passed in by AES- KTS-1 the calling 256- KTS-2 process or ECB]; KTS-3 generated [AES- Cryptogra within the CBC: phic Key module) AES- Generatio 128- n (CKG) CBC, Cryptogra AES- phic Key 192- Generatio CBC, n (CKG) AES- AES XTS 256- KTS-5 CBC]; [AESCBCCS: Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s AES128CBCCTS, AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, AES256CFB8]; [AESCFB128: AESDigi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s 128CFB, AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256GCM]; [AESXTS: AES128XTS, AES256Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s XTS]; [AESKW, KWP: AES128WRAP, AES256WRAP] Key derivation Derive keying [PBKDF: KAS_SS; Status Key Crypto (Perform material PBKDF2 flags return; Derivatio Officer approved , (SHA- KD_DKM n security 1, KAS_SS: functions) SHA2- W,E 224, SHA2- KD_DKM 256, : G,R SHA2- 384, KTS_SS: SHA2- W,E 512, - PBKDF SHA2- Passwor 512/224, d: W,E,Z SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; [TLS13KDF, (SHA2256, SHA2384)]; Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; [X942KD F-ASNI, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; [NIST SP 800108r1 KDF KMAC: KBKDF, (KMAC128, KMAC256)]; [NIST SP 800108r1 KDF: KBKDF, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s MAC: CMAC, Cipher: AES128CBC, AES192CBC, AES256CBC, MAC: HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s HMACSHA3512]; [KDF SSH: SSHKD F, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512)]; [OneSte p KDF: SSKDF, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACSHA2256, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, KMAC128, KMAC256)]; [TwoSte p KDF: HKDF, MAC: HMAC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s SHA3512]; [HKDF: HKDF, MAC: HMAC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512]; Key exchange Perform key [KAS- Key Status KAS-1 Crypto (Perform agreement FFC- structs return; KAS-2 Officer approved primitives on SSC: (KAS_Pri KAS_SS KAS-3 security behalf of the DHX]; vate and KAS ECC KAS_Priv functions) calling [KAS- KAS_Pu CDH ate: E process (does ECC- blic); Compone not establish SSC: flags nt KAS_Pu keys into the EC] blic: E module) KAS_SS: G Key Generate [SafePri ECDSA: Status Asymmet Crypto management asymmetric mes: curve return; Key ric Key Officer (Perform key pairs DHX]; identifier. struct Pair approved [RSA DSA/RS (GKP_Priv Generatio GKP_Pri security KeyGen: A: ate, n vate: G functions) RSA, modulus GKP_Publi (2048, size c) GKP_Pu 3072, blic: G 4096)]; [ECDSA Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s KeyGen: EC]; [DSA KeyGen: DSA, (L=2048, N=28, 32), (L=3072, N=32)] Message Generate or [HMAC: KH_Key Status Keyed Crypto authentication verify data HMAC- return; Tag Hash Officer (Perform integrity. SHA1, value Cryptogra approved (CSPs are HMAC- phic Key KH_Key: security passed in by SHA2- Generatio E functions) the calling 224, n (CKG) process or HMACgenerated SHA2within the 256, module) HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; [CMAC]; [KMAC: KMAC128, KMACDigi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s 256]; [GMAC: AES128GCM, AES192GCM, AES256GCM] Message digest Generate a [SHA-1, Message Status Message Crypto (Perform message SHA2- ; flags return; Digest Officer approved digest 224, Hash value security SHA2functions) 256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, SHAKE128, SHAKE256] Random Generate [Hash DRBG Status Random Crypto (Perform random bits DRBG: struct return; Number Officer approved using the HASH- (RBG Random Generatio security DRBG DRBG, State); value n DRBG_E functions) (SHA1, DRBG_E I: E SHA2- I 256, DRBG_S SHA2- eed: E 512)]; [HMAC- DRBG_S DRBG, tate: E (SHA1, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s SHA2256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] Signature Generate or [RSA Sign: Status RSA Crypto (Perform verify digital SigGen: Key return; Digital Officer approved signatures RSA, struct Signature Signature security (SSPs are (2048, (DS_SG value Generatio DS_SGK functions) passed in by 3072, K); n and :E the calling 4096), message Verificatio process) (SHA2- ; Verify: n DS_SVK: 224, signature ECDSA E SHA2- value; Signature 256, Key Generatio SHA2- struct n and 384, (DS_SV Signature SHA2- K); flags; Verificatio 512, sizes n SHA2- DSA 512/224, Digital SHA2- Signature 512/256) Generatio ]; [RSA n and SigVer: Verificatio RSA, n (1024, RSA 2048, Signature 3072, Primitive 4096), (SHA1, SHA2224, SHA2256, SHA2384, SHA2Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s 512, SHA2512/224, SHA2512/256) ]; [RSA Signatur e Primitive : RSA, 2048, hash algorith m: (null)]; [ECDSA SigGen: EC, (SHA2224, SHA2256, SHA2384, SHA2512, SHA3224, SHA3256, SHA3384, SHA3512)]; [ECDSA SigVer: EC, (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s SHA2512/256) ]; [ECDSA SigGen Compon ent]: EC, hash: (null)]; [DSA, PQGGe n: DSA, (L= 2048, N=28, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) , (L=2048, 3072, N=32, =SHA2256, SHA2384, SHA2512, SHA2512/256) ]; [DSA PQGVer : DSA, N=20 bytes, bytes, bytes]; Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Indicato Inputs Outputs Security SSP r Function Access s [DSA, SigGen: DSA, (L= 2048, 3072), (N=28, 32), (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) ]; [DSA, SigVer: DSA, (L=1024, N=20), (L=2048, N=28, 32), (L=3072, N=28, 32), (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) ] Zeroise
Name Description Indicato Inputs Outputs Security SSP r Function Access s zeroizes all DS_SGK Module scope :Z SSPs
Name Description Indicato Inputs Outputs Security SSP r Function Access s Software Integrity key: Z Table 13: Approved Services Note: The Indicators in Table 12 above follow the format: [Algorithm name: Indicator 1, Indicator 2, etc.] where Indicator 1 is an algorithm identifier and Indicators 2, 3 etc. depending on the algorithm are the specifics i.e. modes/supported curves/SafePrime groups/PRFs, etc.) per algorithm. Each combination of the Indicator 1 along with Indicators 2, 3, etc. in the comma separated list can be observed when the corresponding modes/curves/SafePrimes, PRFs etc. are invoked for a given algorithm in the context of a given service. The service indicators must be requested by the calling applications as by calling the following EVP APIs of the module in the context of each service:
Name Description Algorithms Role Signature Generate or verify digital signatures Ed448 Crypto (SSPs are passed in by the calling Ed25519 Officer process) FIPS 186-2 RSA SigGen/SigVer Key Exchange Perform key agreement primitives X448 Crypto on behalf of the calling process X25519 Officer Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Description Algorithms Role (does not establish keys into the module) Cipher Encrypt or decrypt data (CSPs are Triple-DES Crypto (Encryption/Decryption) passed in by the calling process) Officer ECDSA SigVer Verify ECDSA digital signatures ECDSA SigVer Crypto Component (SSPs are passed in by the calling Component Officer process) Key Derivation Derive keys (key derivation key X942KDF- Crypto passed in by the calling process) CONCAT Officer X963KDF HKDF OneStep KDF Key Generation Generate RSA public/private key FIPS 186-2 RSA Crypto pair per FIPS 186-2 KeyGen Officer Keyed Hash Generate HMAC using key length HMAC Crypto less than 112 bits Officer Random Generate random bits using the Hash and HMAC Crypto non-approved Hash and HMAC DRBG Officer DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256 Table 14: Non-Approved Services
The module does not support loading of any additional software.
The module does not support bypass.
The module does not support self-initiated cryptographic output. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fipsmodule.cnf contains the integrity reference value. The HMAC key used for the integrity test is considered a non-SSP. The HMAC-SHA2-256 CAST is performed prior to the software integrity test. The Module is provided in an executable form (as fips.so shared object for use in Linux environments, fips.dylib for use in Mac environments and fips.dll for use in Windows environments). The module does not support loading of any additional software.
The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.
In accordance with [ISO19790] Annex B, as the Module is open source, the tools used to build the Module as tested are:
Type of Operational Environment: Modifiable How Requirements are Satisfied: The operational environment for the Module is modifiable as it runs in General Purpose Computers (GPC). The Module conforms to [FIPS140-3_IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by [FIPS140-3_IG] 2.3.C as a known PAA.
Table 3 lists the operational environments on which the Module was tested; no operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Physical Security requirements are not applicable for this software Module. N/A for this module. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
In accordance with current CMVP policy, Non-Invasive Security is not applicable. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Storage Area Name Description Persistence Type RAM Temporary, plaintext storage Dynamic Stored in the module's configuration file Persistent, plaintext storage Static Table 15: Storage Areas
Name From To Format Distributio Entry SFI or Type n Type Type Algorith m CALL STACK Calling Module Plaintex Manual Electroni (API) INPUT application t c PARAMETER S CALL STACK Module Calling Plaintex Manual Electroni (API) application t c OUTPUT PARAMETER S Stored at Manufacture Stored in Plaintex N/A N/A manufacture r the t module's configuratio n file Table 16: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path).
Zeroization Method Description Rationale Operator Initiation OPENSSL_cleanse Zeroisation of SSPs The OPENSSL_cleanse Module managed by the caller provides zeroisation of initiated SSPs managed by the caller cleared after use Temporary copies of CSPs with a lifetime Module CSPs are zeroised within associated with an initiated the relevant function for OpenSSL object will be the scope within which zeroized when reinitialized they are used Teardown This operation triggers CSPs with a lifetime Operator Module uninstantiation associated with the Module initiated are zeroised on Module uninstantiation Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Zeroization Method Description Rationale Operator Initiation Restarting the RAM (memory) is used Restarting the general- Operator general-purpose for temporary storage of purpose computer clears all initiated computer SSPs SSPs in RAM Table 17: SSP Zeroization Methods
Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y DS_SGK Private key RSA: 2048, Private RSA for 3072 and key - Digital signature 4096 bits CSP Signature generation DSA: 2048 Generatio and 3072 bits n and ECDSA: B- Verificatio 233, K-233, n P-224; B- ECDSA 283, K-283, Signature P-256; B- Generatio 409, K-409, n and P-384; B- Signature 571, K-571, Verificatio P-521 - n RSA: 112, DSA
128 or 152 Digital
128 ECDSA: Generatio
112, 128, n and 192, 521 Verificatio n RSA Signature Primitive DS_SVK Public key RSA: 1024, Public RSA for 2048, 3072 key - Digital signature and 4096 bits PSP Signature verification DSA: 1024, Generatio
2048 and n and
3072 bits Verificatio
ECDSA: n ECDSA: B- ECDSA 233, K-233, Signature P-224; B- Generatio 283, K-283, n and P-256; B- Signature 409, K-409, Verificatio P-384; B- n 571, K-571, DSA Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y P-521 - Digital RSA: 80, Signature 112, 128 or Generatio
152 DSA: 80, n and
112 or 128 Verificatio
ECDSA: 112, n 128, 192, GKP_Priva Key pair RSA: 2048, Private Asymmetric te (Private: 3072, 4096 key - Key Pair DS_SGK, bits DSA: CSP Generation Public: 2048 and Random DS_SVK) 3072 bits Number generated ECDSA: Generation per caller ECDSA: Brequest; the 233, K-233, keypair P-224; Bpurpose is 283, K-283, unspecified P-256; B409, K-409, P-384; B571, K-571, P-521 RSA: 112,
112, 128, 192, 256 GKP_Publi Key pair RSA: 2048, Public Asymmetric c (Private: 3072, 4096 key - Key Pair GPK_Privat bits DSA: PSP Generation e, Public: 2048 and Random GPK_Publi 3072 bits Number c) ECDSA: Generation generated ECDSA: Bper caller 233, K-233, request; the P-224; Bkeypair 283, K-283, purpose is P-256; Bunspecified 409, K-409, P-384; B571, K-571, P-521 RSA: 112,
Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y 112, 128, 192, 256 KAS_Privat Key pair FFC: FB, FC, Private Asymmetric KAS-1 e component MODP2048, key - Key Pair KAS-2 provided by ffdhe2048, CSP Generation KAS-3 the local MODP3072, Random participant, ffdhe3072, Number used for MODP4096, Generation Diffie- ffdhe4096, Hellman MODP6144, shared ffdhe6144, secret MODP8192, generation ffdhe 8192 ECC: B-233, K-233, P224, B-283, K-283, P256, B-409, K-409, P384, B-571, K-571, P521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192,
[SP80056Br2]: 112, KAS_Publi Key pair FFC: FB, FC, Public Asymmetric KAS-1 c component MODP2048, key - Key Pair KAS-2 provided by ffdhe2048, PSP Generation KAS-3 the local MODP3072, Random participant, ffdhe3072, Number used for MODP4096, Generation Diffie- ffdhe4096, Hellman MODP6144, shared ffdhe6144, secret MODP8192, generation ffdhe 8192 ECC: B-233, K-233, P224, B-283, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y K-283, P256, B-409, K-409, P384, B-571, K-571, P521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192,
[SP80056Br2]: 112, KAS_SS Shared FFC: FB, FC, Shared KAS-1 secret MODP2048, secret - KAS-2 calculation; ffdhe2048, CSP KAS-3 z output MODP3072, value is ffdhe3072, expected to MODP4096, be used by ffdhe4096, a KDF MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P224, B-283, K-283, P256, B-409, K-409, P384, B-571, K-571, P521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192,
112, 128 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y KD_DKM Key HMAC PRF: Derived Key Derivation 160, 224, Keying Derivation derived 256, 384, Material keying 512 - HMAC CSP material PRF: 160, 224, 256, 384, 512 KH_Key Keyed CMAC: 128, Symmetr Random Keyed Hash key 192, 256 ic key - Number Hash GMAC: 128, CSP Generation KTS-2 192, 256 Cryptograph HMAC: 160, ic Key 256, 512. Generation KMAC: 128, (CKG)
160, 256, 512. KMAC: 128, 256 KTS_KDK Private 2048, 3072, Private KTS-4 (KDK) 4096 and key component 6144 bits - CSP of an RSA 112, 128, key pair 152, 176 used for [SP80056Br2] RSA key transport KTS_KEK Public 2048, 3072, Public KTS-4 (KEK) 4096 and key component 6144 bits - PSP of an RSA 112, 128, key pair 152, 176 used for [SP80056Br2] RSA key transport KTS_SS The RSA 2048, 3072, Shared KTS-4 key 4096 and secret transport 6144 bits - CSP shared 112, 128, secret 152, 176 Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y DRBG_EI Entropy 128
DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, SC_EDK AES key AES: 128, Symmetr Random Symmetri used for 192, 256 ic key - Number c symmetric AES CCM: CSP Generation Encryptio encryption 128, 192, Cryptograph n and and 256 AES ic Key Decryptio decryption GCM: 128, Generation n (including 192, 256 (CKG) KTS-1 use in key AES XTS: Cryptograph KTS-2 wrapping) 128, 256. - ic Key KTS-3 AES: 128, Generation KTS-5 192, 256 (CKG) AES CCM: AES XTS 128, 192,
Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Descriptio Size - Type - Generated Establish Used By n Strength Categor By ed By y GCM: 128, 192, 256 AES XTS: 128, 256 PBKDF Input Recommend Symmetr Key Password provided to ed size is ic key - Derivatio the PBKDF greater than CSP n characters for passwords and greater than 20 characters for passphrases - 112 bits or greater Software HMAC- 256 bits - 256 bits - Software Integrity SHA2-256 256 bits Neither Integrity key key used to Test perform the Software Integrity Test Table 18: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duratio n DS_SGK CALL RAM:Plaint cleared OPENSSL_clea DS_SVK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer DS_SVK CALL RAM:Plaint cleared OPENSSL_clea DS_SGK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Input - Storage Storage Zeroization Related SSPs Output Duratio n GKP_Priv CALL RAM:Plaint cleared OPENSSL_clea GKP_Public:Paired ate STACK ext after nse With (API) use cleared after OUTPUT use PARAMETE Teardown RS Restarting the general-purpose computer GKP_Publ CALL RAM:Plaint cleared OPENSSL_clea GKP_Private:Paired ic STACK ext after nse With (API) use cleared after OUTPUT use PARAMETE Teardown RS Restarting the general-purpose computer KAS_Priva CALL RAM:Plaint cleared OPENSSL_clea KAS_Public:Paired te STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KAS_Publi CALL RAM:Plaint cleared OPENSSL_clea KAS_Private:Paired c STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KAS_SS RAM:Plaint cleared OPENSSL_clea KAS_Private:Establi ext after nse shed using use cleared after KAS_Public:Establis use hed using Teardown Restarting the general-purpose computer KD_DKM CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) use cleared after OUTPUT use PARAMETE Teardown RS Restarting the Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Input - Storage Storage Zeroization Related SSPs Output Duratio n general-purpose computer KH_Key CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KTS_KDK CALL RAM:Plaint cleared OPENSSL_clea KTS_KEK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KTS_KEK CALL RAM:Plaint cleared OPENSSL_clea KTS_KDK:Paired STACK ext after nse With (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer KTS_SS CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) INPUT use Teardown PARAMETE Restarting the RS general-purpose CALL computer STACK (API) OUTPUT PARAMETE RS DRBG_EI CALL RAM:Plaint cleared OPENSSL_clea DRBG_Seed:Used STACK ext after nse to derive (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Name Input - Storage Storage Zeroization Related SSPs Output Duratio n DRBG_Se RAM:Plaint cleared OPENSSL_clea DRBG_EI:Derived ed ext after nse From use cleared after use Teardown Restarting the general-purpose computer DRBG_St RAM:Plaint Until Teardown DRBG_Seed:Derive ate ext power- Restarting the d From cycling general-purpose of the computer underlyi ng host platform SC_EDK CALL RAM:Plaint cleared OPENSSL_clea STACK ext after nse (API) INPUT use cleared after PARAMETE use RS Teardown CALL Restarting the STACK general-purpose (API) computer OUTPUT PARAMETE RS PBKDF CALL RAM:Plaint cleared OPENSSL_clea Password STACK ext after nse (API) INPUT use cleared after PARAMETE use RS Teardown Restarting the general-purpose computer Software Stored at Stored in Until Teardown Integrity manufacture the teardow key module's n configuratio operatio n file n is :Plaintext perform ed Table 19: SSP Table 2 All SSPs used by the Module are described in this section, arranged for consistency with Table 12; ‘--’ indicates the cell is intentionally empty, not applicable, or not relevant. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). The Module maintains only the DRBG CSPs used for key generation as persistent CSPs; these are used exclusively for approved services. DRBG outputs are used internally to the Module for asymmetric key pair generation and used by calling applications to generate a random value (potentially for use as a symmetric key). The Module:
Algorithm or Test Test Test Indicator Details Test Properties Method Type HMAC-SHA2- Key Length: KAT SW/FW Success: All self- MAC (HMAC-
256 (A3548) 256 bits Integrity tests passed (as SHA2-256,
expected) A3548) Table 20: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test (KAT) for the HMAC-SHA2-256 algorithm.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type AES-ECB Key KAT CAST FIPS_OK Decrypt On reloading the (A3548) Length: module
AES-GCM Key KAT CAST FIPS_OK Encrypt On reloading the (A3548) Length: module
AES-GCM Key KAT CAST FIPS_OK Decrypt On reloading the (A3548) Length: module
Counter AES CTR KAT CAST FIPS_OK Generate, On reloading the DRBG (128 bits) Reseed, module (A3548) with Instantiate derivation functions function DSA Modulus: KAT CAST FIPS_OK Sign On reloading the SigGen 2048 bits; module (FIPS186- Hash:
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Instantiate functions HMAC PRF: KAT CAST FIPS_OK Generate, On reloading the DRBG HMAC- Reseed, module (A3548) SHA-1 Instantiate functions HMAC- PRF: KAT CAST FIPS_OK HMAC tag Performed prior to SHA2-256 SHA2-256 Generation the software integrity (A3548) test KAS- Scheme: KAT CAST FIPS_OK Key On reloading the ECC-SSC Ephemeral Agreement - module Sp800- Unified, Shared 56Ar3 Curve: P- Secret (A3548) 256 Computation KAS-FFC- Scheme: KAT CAST FIPS_OK Key On reloading the SSC dhEphem; Agreement - module Sp800- Modulus: L Shared 56Ar3 = 2048 Secret (A3548) bits, N = Computation
KAS-IFC- Schemes: KAT CAST FIPS_OK Key On reloading the SSC Basic, Agreement - module (A3548) CRT, Shared Modulus: L Secret = 2048 bits Computation KDF Mode: KAT CAST FIPS_OK Counter On reloading the SP800- Counter, Mode module
(A3548) HMAC- SHA2-256). SHA2-256 KDA Auxiliary KAT CAST FIPS_OK Key On reloading the OneStep Function, Derivation module SP800- H = SHA256Cr2 224 (A3548) KDA Auxiliary KAT CAST FIPS_OK Key On reloading the TwoStep Function, Derivation module SP800- H= 56Cr2 HMAC(A3548) SHA2-256 KTS-IFC Schemes: KAT CAST FIPS_OK Encrypt On reloading the (A3548) Basic module Modulus: L = 2048 bits KTS-IFC Schemes: KAT CAST FIPS_OK Decrypt On reloading the (A3548) Basic, module CRT, Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Modulus: L = 2048 bits PBKDF Derivation KAT CAST FIPS_OK Key On reloading the (A3548) of the Derivation module Master Key (MK), PRF: SHA2-256 RSA Scheme: KAT CAST FIPS_OK Sign On reloading the SigGen PKCS#1, module (FIPS186- Modulus: L
9.42 AES KW Derivation module
(A3548) (128 bits), SHA-1 KDF ANS PRF: KAT CAST FIPS_OK Key On reloading the
9.63 SHA2-256 Derivation module
(A3548) KDF SSH PRF: SHA- KAT CAST FIPS_OK Key On reloading the (A3548) 1 Derivation module TLS v1.2 PRF: KAT CAST FIPS_OK Key On reloading the KDF SHA2-256 Derivation module RFC7627 (A3548) TLS v1.3 PRF: KAT CAST FIPS_OK Key On reloading the KDF SHA2-256 Derivation module (A3548) RSA Performed PCT PCT FIPS_OK Key On generating keys KeyGen post key Generation for Key Transport (FIPS186- generation (KTS IFC)/Key 4) (A3548) Agreement (KAS IFC)/Signature Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Generation/Signature Verification ECDSA Performed PCT PCT FIPS_OK Key On generating keys KeyGen post key Generation for Key Agreement (FIPS186- generation (KAS ECC)/Signature
Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT SW/FW Integrity On Demand Manually by
256 (A3548) reloading the
module or calling the fips_self_test function Table 22: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm or Test Method Test Type Period Periodic Test Method AES-GCM KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function AES-GCM KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Counter DRBG KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function DSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function DSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function ECDSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function ECDSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function Hash DRBG KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm or Test Method Test Type Period Periodic Test Method HMAC DRBG KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function HMAC-SHA2- KAT CAST On Demand Manually by
256 (A3548) reloading the
module or calling the fips_self_test function KAS-ECC-SSC KAT CAST On Demand Manually by Sp800-56Ar3 reloading the (A3548) module or calling the fips_self_test function KAS-FFC-SSC KAT CAST On Demand Manually by Sp800-56Ar3 reloading the (A3548) module or calling the fips_self_test function KAS-IFC-SSC KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDF SP800-108 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDA OneStep KAT CAST On Demand Manually by SP800-56Cr2 reloading the (A3548) module or calling the fips_self_test function KDA TwoStep KAT CAST On Demand Manually by SP800-56Cr2 reloading the (A3548) module or calling the fips_self_test function Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm or Test Method Test Type Period Periodic Test Method KTS-IFC KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KTS-IFC KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function PBKDF (A3548) KAT CAST On Demand Manually by reloading the module or calling the fips_self_test function RSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function RSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function SHA-1 (A3548) KAT CAST On Demand Manually by reloading the module or calling the fips_self_test function SHA2-512 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function SHA3-256 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm or Test Method Test Type Period Periodic Test Method KDF ANS 9.42 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDF ANS 9.63 KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function KDF SSH KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function TLS v1.2 KDF KAT CAST On Demand Manually by RFC7627 reloading the (A3548) module or calling the fips_self_test function TLS v1.3 KDF KAT CAST On Demand Manually by (A3548) reloading the module or calling the fips_self_test function RSA KeyGen PCT PCT On Demand On generation of (FIPS186-4) keys (A3548) ECDSA KeyGen PCT PCT On Demand On generation of (FIPS186-4) keys (A3548) DSA KeyGen PCT PCT On Demand On generation of (FIPS186-4) keys (A3548) ECDSA SigGen KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or calling the fips_self_test function ECDSA SigVer KAT CAST On Demand Manually by (FIPS186-4) reloading the (A3548) module or Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
Algorithm or Test Method Test Type Period Periodic Test Method calling the fips_self_test function Table 23: Conditional Periodic Information
Nam Description Conditi Recov Indicator e ons ery Metho d ERR
The operator can reload the module or the fips_self_test function (inclusive of software integrity verification) can also be called on demand, fulfilling AS05.11. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
The Module is provided to vendors who integrate it into their product, typically in a manufacturing environment, and is not provided directly to US or Canadian Federal agencies. Adherence to the instructions in this document maintains security throughout the distribution, build, installation and configuration processes. An authorized Cryptographic Officer is required to perform these steps on each platform where it is intended to be used. The config file output contains information about the Module (such as the self-test status and the Module checksum) and must not be manually modified without using the openssl fipsinstall command. Crypto Officer Guidance a. Installation and Usage Guidance The Module is installed as part of the OpenSSL 3.1.2 library. The source distribution package is located at https://www.openssl.org/source/openssl-3.1.2.tar.gz. The Digi DAL OS based on the OpenSSL FIPS Provider can be installed on the Tested Configurations listed in Table 3 by performing the following steps:
The Installation of the Digi DAL OS based on the OpenSSL FIPS Provider that occurs as a result of Step
1 above ensures that the shared library and the configuration file containing information about the Module
(e.g., the Module checksum) is copied to its installed location. To install the configuration file to a non-default location, this can be achieved by running the ‘fipsinstall’ command line application manually: $ openssl fipsinstall -pedantic Please see fipsinstall.html /docs/man3.1/man1/openssl-fipsinstall.html for options supported for the ‘openssl fipsinstall’ command. Note: The software integrity check (per Section 5 of this document) is performed using HMAC-SHA2-256 on the Module file to validate that the Module has not been modified. The integrity value is compared to a value written to the config file during installation. b. CVEs The publication of a CVE does not require immediate re-validation or maintenance in the CMVP process. The module may be updated in the field as needed depending on the severity or consequences of the CVE. The Module will be kept up to date with re-validation and maintenance as required, generally bundling fixes for known CVEs in a next release. The OpenSSL organization maintains a Vulnerabilities page which describes known vulnerabilities and potential resolution. These are reported to the NVD, where they are independently assessed. The OpenSSL group publishes fixes for these vulnerabilities according to their triage process. c. Miscellaneous The module performs run-time checks related to enforcement of security parameters such as the minimum-security strength of keys, valid key sizes, and usage of approved curves. These checks shall not be disabled (by using OPENSSL_NO_FIPS_SECURITYCHECKS or any other method). Validation of domain parameters prior to generating keys using functions provided by the module is the responsibility of the Cryptographic Officer and not enforced by the module itself.
No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.
No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.
No additional rules apply for the operation of the module apart from those specified in the remainder of this section and Section 2.4 of this document. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
No maintenance requirements apply for operation of the module in the Approved/non-Approved modes as defined above.
Module Sanitization and Destruction Sanitization is defined in [ISO19790] as “... the process of removing sensitive information (e.g. SSPs, user data, etc.) from the module, so that it may either be distributed to other operators or disposed.” The Module itself does not manage persistent SSPs, authentication data or any user data. The Module may be securely sanitized by deletion of the folder in which the Module was located. There are no additional procedures required for secure destruction of the Module. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
The Module implements mitigations for some types of attacks using the constant-time implementations and blinding. Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key. Digi International Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.