Suite B Cryptographic Module - NIST · KeyW Corporation Suite B Cryptographic Module FIPS 140-2...

KeyWCorporation SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicyAdvancedCyberOperationsSector KXD002

SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicy

Revision: 1.2 Preparedby: KeyWCorporation 7880MilestoneParkway Suite100 Hanover,MD21076 410-904-5200Phone 410-799-3479Fax


Page2of44

ContentsRevisionHistory............................................................................................................................................4

Acronyms......................................................................................................................................................5

1. Introduction..........................................................................................................................................7

1.1. Identification..................................................................................................................................7

1.2. Overview........................................................................................................................................7

1.3. FIPS140-2SecurityLevels..............................................................................................................7

2. SuiteBCryptographicModule..............................................................................................................8

2.1. CryptographicModuleSpecification..............................................................................................8

2.1.1. SecurityFunctions...................................................................................................................8

2.1.2. ModesofOperation..............................................................................................................13

2.1.3. CryptographicBoundary.......................................................................................................13

2.1.4. DeterminingModuleVersion................................................................................................14

2.2. CryptographicModulePortsandInterfaces................................................................................14

2.3. Roles,Services,andAuthentication.............................................................................................14

2.3.1. Roles......................................................................................................................................14

2.3.2. Services.................................................................................................................................15

2.3.3. Authentication......................................................................................................................27

2.4. FiniteStateModel........................................................................................................................27

2.5. PhysicalSecurity...........................................................................................................................27

2.6. OperationalEnvironment............................................................................................................28

2.7. CryptographicKeyManagement.................................................................................................28

2.7.1. KeyZeroization......................................................................................................................36

2.8. ElectromagneticInterferenceandCompatibility.........................................................................36

2.9. Self-Tests......................................................................................................................................37

2.9.1. InvokingSelf-Tests................................................................................................................41

2.9.2. Self-TestsResults..................................................................................................................41

2.10. DesignAssurance.......................................................................................................................42

2.11. MitigationofOtherAttacks.......................................................................................................42

3. ReferencedDocuments.......................................................................................................................43


Page3of44

TablesandFiguresTable1–SummaryofAchievedFIPS140-2SecurityLevels.........................................................................7Table2–FIPS-ApprovedandVendor-AffirmedSecurityFunctions...........................................................12Table3–FIPSNon-ApprovedbutAllowedSecurityFunctions..................................................................12Figure1–ModuleCryptographicBoundary..............................................................................................13Table4–ModuleLogicalInterfaces...........................................................................................................14Table5–ModuleServicesforCryptographicOfficerRole.........................................................................15Table6–ModuleServicesforUserRole....................................................................................................27Table7–ModuleAuthentication...............................................................................................................27Table8–OperationalEnvironments..........................................................................................................28Table9–ModuleCryptographicKeysandCriticalSecurityParameters...................................................36Table10–ModulePower-OnSelf-Tests....................................................................................................40Table11–ModuleConditionalSelf-Tests..................................................................................................41Table12–ModuleSelf-TestErrorCodes...................................................................................................42


Page4of44

RevisionHistory Revision Date Author Changes1.2 February9,2017 A.Seaman

D.MackieC.ConstantinescuD.Brown

Revised:Section2.1.1,Section2.1.1.1,Figure1,andTable9

1.1 January6,2017 A.SeamanD.MackieC.ConstantinescuD.Brown

AddedSecurityFunctions

1.0 July11,2014 R.GlennD.MackieC.ConstantinescuD.WolffE.Hufford

InitialRelease


Page5of44

AcronymsAAD Additional Authentication Data AES Advanced Encryption Standard AESAVS Advanced Encryption Standard Algorithm Validation Suite ANS American National Standard API Application Programming Interface CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CDH Cofactor Diffie-Hellman CM Cryptographic Module CMAC CBC Message Authentication Code CMACVS CBC Message Authentication Code Validation System CSP Critical Security Parameters CT Ciphertext CTR Counter CVL Component Validation List DAR Data At Rest DEP Default Entry Point DIT Data In Transit DKM Derived Keying Material DLL Dynamic Link Library DOC Department of Commerce DPI Double-Pipeline Iteration DPK Data Protection Key DRBG Deterministic Random Bit Generator DUNS Data Unit Sequence Number EC Elliptic Curve ECB Electronic CodeBook ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm ECDSA2VS Elliptic Curve Digital Signature Algorithm Validation System EMC Electromagnetic Compatibility EMI Electromagnetic Interference FB Feedback FFC Finite Field Cryptography FIPS Federal Information Processing Standard FSM Finite State Model GCM Galois/Counter Mode GCMVS Galois/Counter Mode Validation System GMAC Galois Message Authentication Code GPC General-purpose Computer HMAC Keyed-hash Message Authentication Code

HMACVS Keyed-hash Message Authentication Code Validation System I/O Input/Output IAW In Accordance With IETF Internet Engineering Task Force IV Initialization Vector KAS Key Agreement Scheme KASVS Key Agreement Schemes Validation System KAT Known Answer Test KBKDF Key-Based Key Derivation Function KBKDFVS Key-Based Key Derivation Function Validation System KC Key Confirmation KDF Key Derivation Function


Page6of44

KW Key Wrap KWP Key Wrap With Padding KWVS Key Wrap Validation System LED Light Emitting Diode MAC Message Authentication Code MK Master Key MQV Menezes-Qu-Vanstone NIST National Institute of Standards and Technology OS Operating System PBKDF Password-Based Key Derivation Function PKV Public Key Validation POST Power-On Self-Test PRF Pseudo-Random Function PT Plaintext RAM Random Access Memory RBG Random Bit Generator RFC Request For Comments S/MIME Secure/Multipurpose Internet Mail Extensions SHA Secure Hash Algorithm SHAVS Secure Hash Algorithm Validation System SHS Secure Hash Standard SO Shared Object SP Special Publication SSL Secure Sockets Layer TLS Transport Layer Security USB Universal Serial Bus USSOCOM United States Special Operations Command VS Validation Specification XTS XEX Tweakable Block Cipher with Ciphertext Stealing XTSVS XTS Validation System


Page7of44

1. Introduction

1.1. IdentificationThefollowinginformationidentifiesthisdocument:

• Title:SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicy• Version:1.2

1.2. OverviewKeyWCorporation,incoordinationwiththeUnitedStatesSpecialOperationsCommand(USSOCOM),hasdevelopedaFederalInformationProcessingStandard(FIPS)140-2Level1validated,standards-basedSuiteBCryptographicModulethatprovidesanadvancedlayerofencryptedDataInTransit(DIT)communicationsandDataAtRest(DAR)encryptionviaanApplicationProgrammingInterface(API).

TheSuiteBCryptographicModule,hereaftercollectivelyreferredtoastheModule,operatesasoneofseverallayersofplatformencryption.TheplatformencryptioncanbeinvokedautomaticallywhentheModuleisinitialized,providinganadditionallayerofencryptionandobfuscationabovetheModule.AdditionalencryptionattheapplicationlayercanbeaddedbyenablingS/MIMEencryptiononemails,contentprotectionencryptiononshareddata,andSSL/TLSencryptiononwebtraffic.

1.3. FIPS140-2SecurityLevelsTheModulemeetstheoverallrequirementsapplicabletoLevel1securityforFIPS140-2asshowninthetablebelow:

# FIPS140-2Section Level2.1 CryptographicModuleSpecification 12.2 CryptographicModulePortsandInterfaces 12.3 Roles,Services,andAuthentication 12.4 FiniteStateModel 12.5 PhysicalSecurity N/A2.6 OperationalEnvironment 12.7 CryptographicKeyManagement 12.8 EMI/EMC 12.9 Self-Tests 12.10 DesignAssurance 12.11 MitigationofOtherAttacks N/A

OverallLevel 1

Table1–SummaryofAchievedFIPS140-2SecurityLevels


Page8of44

2. SuiteBCryptographicModuleTheModulemeetstherequirementsoftheFIPS140-2SecurityLevel1specificationandprovidesthefollowingcryptographicservices:

• Dataencryptionanddecryption• Keyencryptionanddecryption• Messagedigestandauthenticationcodegeneration• Digitalsignaturegenerationandverification• Ellipticcurvekeyagreement• Keyderivation

2.1. CryptographicModuleSpecification

2.1.1. SecurityFunctionsTheModuleisimplementedentirelyinsoftwareandcontainsthefollowingFIPS-approvedandFIPSnon-approved,butallowedsecurityfunctions:

Algorithm Use Specification Mode/KeySize CAVPSpecification

CAVPCertificate

AES BlockCipher FIPS197,Nov2001(Ref.[1])

NISTSP800-38A,Dec2001(Ref.[2])

ECB-128 AESAVS,Nov2002(Ref.[16])

#3328ECB-192ECB-256CBC-128 #4312CBC-192CBC-256

NISTSP800-38B,May2005(Ref.[3])

CMAC-128 CMACVS,Aug2011(Ref.[17])

#4312CMAC-192CMAC-256

NISTSP800-38D,Nov2007(Ref.[4])

GCM-128GMAC-128

GCMVS,Aug2012(Ref.[18])

#3328

GCM-192GMAC-192GCM-256GMAC-256

NISTSP800-38E,Jan2010(Ref.[5])

XTS-128 XTSVS,Sep2013(Ref.[19])

#3328XTS-256

KeyStorage NISTSP800-38F,Dec2012(Ref.[6])

KW-128 KWVS,Jun2014(Ref.[20])

#3328KW-192KW-256

IETFRFC5649,Aug2009(Ref.[7])

KWP-128 #3328KWP-192KWP-256


Page9of44


CAVPCertificate

SHA SecureHashing FIPS180-4,Aug2015(Reference[8])

SHA-1(SHA-160) SHAVS,May2014(Ref.[21])

#2761SHA-224SHA-256SHA-384SHA-512SHA-512/224SHA-512/256

CMAC MessageAuthentication

NISTSP800-38B,May2005(Ref.[3])

AES-128 CMACVS,Aug2011(Ref.[17])

#4312AES-192AES-256

GMAC NISTSP800-38D,Nov2007(Ref.[4])

AES-128 GCMVS,Aug2012(Ref.[18])

#3328AES-192AES-256

HMAC FIPS198-1,July2008(Reference[9])

SHA-1(SHA-160) HMACVS,July2012(Ref.[22])

#2119SHA-224SHA-256SHA-384SHA-512SHA-512/224SHA-512/256

ECDSA DigitalSignaturePerNISTSP800-131A,P-192andSHA-1arenolongerconsideredsecureandshallnotbeusedtogeneratedigitalsignatures(Ref.[14]).

FIPS186-4,July2013(Reference[12])

P-192 SHA-1(SHA-160)

ECDSA2VS,Mar2014(Ref.[24])

#657

SHA-224SHA-256SHA-384SHA-512SHA-512/224SHA-512/256

P-224 SHA-1(SHA-160)SHA-224SHA-256SHA-384SHA-512SHA-512/224SHA-512/256

P-256 SHA-1(SHA-160)SHA-224SHA-256SHA-384SHA-512SHA-512/224


Page10of44


CAVPCertificate

SHA-512/256P-384 SHA-1

(SHA-160)SHA-224SHA-256SHA-384SHA-512SHA-512/224SHA-512/256


ECCKAS KeyEstablishment

NISTSP800-56ARev2,May2013(Reference[15])

FullUnifiedKCEBP-224,SHA-224

KASVS,May2014(Ref.[25])

#55FullUnifiedKCEC

P-256,SHA-256FullUnifiedKCEDP-384,SHA-384FullUnifiedKCEEP-521,SHA-512FullMQVKCEBP-224,SHA-224FullMQVKCECP-256,SHA-256FullMQVKCEDP-384,SHA-384FullMQVKCEEP-521,SHA-512

ECCCDHPrimitive

SharedSecretEstablishment

NISTSP800-56ARev2,May2013(Reference[15],Section5.7.1.2)

P-224 KASVS,May2014(Ref.[25])

#484(CVL)P-256

P-384P-521

KBKDF-CMAC

KeyDerivation NISTSP800-108,Oct2009(Reference[10])

CTR CMAC-AES-128

KBKDFVS,Jan2016(Ref.[23])

#116

CMAC-AES-192CMAC-AES-256


Page11of44


CAVPCertificate

FB CMAC-AES-128CMAC-AES-192CMAC-AES-256

DPI CMAC-AES-128CMAC-AES-192CMAC-AES-256

KBKDF-HMAC

KeyDerivation NISTSP800-108,Oct2009(Reference[10])

CTR HMAC-SHA-1(SHA-160)

KBKDFVS,Jan2016(Ref.[23])

#116

HMAC-SHA-224HMAC-SHA-256HMAC-SHA-384HMAC-SHA-512

FB HMAC-SHA-1(SHA-160)HMAC-SHA-224HMAC-SHA-256HMAC-SHA-384HMAC-SHA-512

DPI HMAC-SHA-1(SHA-160)HMAC-SHA-224HMAC-SHA-256HMAC-SHA-384HMAC-SHA-512

PBKDF KeyDerivation NISTSP800-132,Dec2010(Reference[11])

HMAC-SHA-1(SHA-160)

VSnotyetavailableasofJan.2017

Vendor-Affirmed

HMAC-SHA-224


Page12of44


CAVPCertificate

SeeSection2.1.1.1.

HMAC-SHA-256HMAC-SHA-384HMAC-SHA-512

Table2–FIPS-ApprovedandVendor-AffirmedSecurityFunctions


CAVPCertificate

N/A N/A N/A N/A N/A N/A

Table3–FIPSNon-ApprovedbutAllowedSecurityFunctions

2.1.1.1. NISTSP800-132Password-BasedKeyDerivationFunction(PBKDF)PerNISTSP800-132,RecommendationforPassword-BasedKeyDerivation,December2010(Reference[11]),thecallingapplicationisresponsibleforselectingwhichoptionisusedtoderivetheDataProtectionKey(DPK)fromtheMasterKeyandshallonlyusekeysderivedfrompasswordsinstorageapplications.TheModuleAPIrestrictsthecallingapplicationtoselectapassword/passphrasethatisatleast10characterslonginaccordancewiththeguidelinesinNISTSP800-63-2,ElectronicAuthenticationGuideline,August2013(Reference[26])andNISTSP800-118,GuidetoEnterprisePasswordManagement(Draft),April2009(Reference[27]).Acceptablevaluesofotherparametersusedinkeyderivationaredetailedbelow.

PROTOTYPE: t_STATUS PBKDF(U8 *MK, U32 MKbytes, const U8 *Pswd, U32 Pbytes, const U8 *Salt, U32 Sbytes, U32 Icount);

ARGUMENTS: MK =pointertoabytestringrepresentingtheoutput(derived)masterkey MKbytes=lengthofderivedmasterkey,inbytes Pswd =inputpassword,abytestring Pbytes =passwordlength(atleast10bytes) Salt =inputdiversificationvalue,abytestring Sbytes =Saltlength(atleast16bytes) Icount =alargeiterationcount(determineshowmanyHMACiterationsareusedto generateoneblockoftheMK)RETURNS: SUCCESSifallinputparametersarevalid FAILUREotherwiseLIMITATIONS: MKbytes >= 14 Pbytes >= 10 Sbytes >= 16 Icount >= 1000

TheCountervalueshouldfitintoonebyte(i.e. MKbytes/DigestLenB < 256) DESCRIPTION:ImplementsthePassword-BasedKeyDerivationFunction(PBKDF),IAWNISTSP800-132(Reference[11]).AnappropriateSHAenvironment(SHA-1,SHA-224,SHA-256,SHA-384orSHA-512)mustbe


Page13of44

selectedinadvanceusingSHA_TypeSelect().ThereisneitheraValidationSysteminplace,norsampletestvectorspublishedbyCAVPforthePBKDFalgorithm,asofJanuary2017.

2.1.2. ModesofOperationTheModulemustbeinstalledontheFIPS140-2certifiedoperationalenvironmentlistedinSection2.6manually,andonceinstalleditrunsallalgorithmsinFIPS-approvedmodesinceitisexplicitlycompiledtoonlyruninFIPS-approvedmode.Therearenoalgorithmsor“expanded”cryptographicmodeswithintheModulethatarenotFIPS-approvedaslistedinTable2whencallingsecurityfunctionsintheModuleAPI.

TheoperationalenvironmentonwhichtheModulerunsshallbeconfiguredforFIPSmodewhenusingaFIPS-approvedplatform-providedDeterministicRandomBitGenerator(DRBG)inthefollowingways:

• WindowsServerOS:EnabletheFIPScompliantalgorithmsmodeviatheLocalSecurityPolicytoguaranteetheModulegeneratesFIPS-validatedrandombytes.

• BlackBerryOS:TheModuleconfinesitsmethodcallstoonlythosethathavebeenFIPS-approvedtoguaranteegeneratingFIPS-validatedrandombytes.

2.1.3. CryptographicBoundaryThephysicalboundaryoftheModuleisthephysicalboundaryoftheoperationalenvironmenthardwaredevicethatexecutestheModuleasshowninthefollowingfigure.ThefollowingfiguredepictsaFIPS-approvedDRBGthatisprovidedbytheoperationalenvironmentcryptographicModulelistedinSection2.6andthereforetheModuleisboundtoeithertheWindowsServerOScryptographicModuleorBlackBerryOScryptographicModule.

Figure1–ModuleCryptographicBoundary


Page14of44

2.1.4. DeterminingModuleVersionTheoperatormaydeterminetheversionoftheModulebyperformingthefollowingsteps:DynamicLinkLibrary(DLL)ModuleVersion

1. OnWindows,right-clicktheKEYWcryptoModule.dllfileandselectviewProperties2. SelectDetailstab3. TheFileversionpropertydisplaystheKEYWcryptoModuleversionasv3.0.0.0

SharedObject(SO)ModuleVersion

1. OnBlackBerry,runthefollowingconsolecommand:

objdump -p libKEYWcryptoModule.so.3 | grep SONAME

2. TheconsoledisplaystheKEYWcryptoModuleversionasv3

2.2. CryptographicModulePortsandInterfacesTheModuleportscorrespondtothephysicalportsoftheoperationalenvironmenthardwaredevicethatexecutestheModule:

• USBdevices[keyboardandmouse]• Videodevices[monitors,screens,camera,andLED]• Opticaldrives• Audiodevices[speakers,headset,andmicrophone]• Networkdevices[EthernetandWirelessadapters]• Batteryandpoweradapter

TheModuleinterfacescorrespondtotheModuleAPI,whichdonotinterfaceacrossanyofthephysicalportsoftheoperationalenvironment.ThefollowingtabledescribestheModulelogicalinterfaces.

FIPS140-2Interface LogicalInterfaceDataInput InputparametersofModuleconstructors

andfunctioncalls.DataOutput OutputparametersofModulefunction

callsandreturnvalues.ControlInput Modulefunctioncalls.StatusOutput ReturncodesofModulefunctioncalls.

Table4–ModuleLogicalInterfaces

2.3. Roles,Services,andAuthentication

2.3.1. RolesTheModulesupportsaCryptographicOfficerandUserrole.TheModuledoesnotsupportamaintenancerole.TheModuledoesnotsupportmultipleorconcurrentoperatorsandisintendedforusebyasingleoperator,thusitalwaysoperatesinasingle-usermodeofoperation.


Page15of44

2.3.2. ServicesTheservicesdescribedinthefollowingtablesareavailabletotheoperatorroles:

CryptographicOfficerRoleService Description Input/Output ReturnLoadModule PerformsModule

initializationimplicitlybytheoperationalenvironment.

[in]:DLL/SObinarypath[out]:VOID

Pass/Fail

Power-OnSelf-Test(POST)

Performssoftwareintegrityandcryptographicself-testsimplicitlyuponModuleload.

[in]:DLL/SObinarypath,DLL/SOchecksumpath[out]:VOID

Pass/Fail

Zeroize PerformsHMACIntegrityChecksumandKeyzeroizationimplicitlyafterModulePOSTpass/fail.TheHMACIntegrityChecksumandKeymayalsobezeroizedbypower-cyclingtheoperationalenvironmentandreloadingtheModule.

[in]:HMACIntegrityChecksum,HMACIntegrityCheckKey[out]:VOID

VOID

UnloadModule PerformsModuledestructionimplicitlybytheoperationalenvironment.

[in]:VOID[out]:VOID

VOID

Table5–ModuleServicesforCryptographicOfficerRole

UserRoleService Description Input/Output ReturnRunSelfTests Performscryptographicself-

testsfortheModule.[in]:VOID[out]:VOID

Pass/Fail

CM ShowTitle GetstitleinfofortheModule. [in]:VOID[out]:VOID

TitleInfo

VersionInfo GetsversioninfofortheModule.

[in]:VOID[out]:VOID

VersionInfo

SelfTestsDuration

Getcryptographicself-testsdurationfortheModule.

[in]:VOID[out]:VOID

Duration

AES Construct ConstructsanAESobject. [in]:AESbitmode,AESkey[out]:VOID

AESobject

CheckEncrypt/DecryptTables

Verifiesintegrityofencryption/decryptiontables.

[in]:VOID[out]:VOID

Pass/Fail

ReKey RekeysanAESobjectwithalternateAESkey.

[in]:AESbitmode,AESkey[out]:VOID

Pass/Fail

ECBEncrypt EncryptsPTdata. [in]:PTbuffer,PTblocklength[out]:CTbuffer

VOID

ECBDecrypt DecryptsCTdata. [in]:CTbuffer,PTblocklength[out]:PTbuffer

VOID

CBCEncrypt EncryptsPTdata. [in]:PTbuffer,IV,PTblock VOID


Page16of44

UserRoleService Description Input/Output Return

length[out]:CTbuffer

CBCDecrypt DecryptsCTdata. [in]:CTbuffer,IV,PTblocklength[out]:PTbuffer

VOID

CMACGenerate

GeneratesaMessageAuthenticationCode(MAC).

[in]:PTdata,PTlength[out]:CMACbuffer,CMAClength

VOID

KeyWrapEncrypt

EncryptsPTkeys. [in]:PTkeybuffer,PTlength,Inversecipherflag[out]:CTkeybuffer

VOID

KeyWrapDecrypt

DecryptsCTkeys. [in]:CTkeybuffer,CTlength,Inversecipherflag[out]:PTkeybuffer

Pass/Fail

KDFCTR/FB/DPI

Generatesaderivedkey. [in]:Label/IV,Labellength,Context,Contextlength,Counterlength,Counterlocation[out]:Derivedkey,Derivedkeylength

Pass/Fail

Destruct ZeroizesAESkey. [in]:VOID[out]:VOID

VOID

GCM Construct ConstructsaGCMobject. [in]:AESbitmode,AESkey[out]:VOID

GCMobject

ReKey RekeysaGCMobjectwithalternateAESkey.

[in]:AESbitmode,AESkey[out]:VOID

Pass/Fail

Encrypt EncryptsPTdata. [in]:Taglength,IV,IVlength,PTbuffer,PTlength,AAD,AADlength[out]:CTbuffer,Tag

Pass/Fail

Decrypt DecryptsCTdata. [in]:Tag,Taglength,IV,IVlength,CTbuffer,CTlength,AAD,AADlength[out]:PTbuffer

Pass/Fail

GMACEncrypt

GeneratesaMessageAuthenticationCode(MAC).

[in]:Taglength,IV,IVlength,AAD,AADlength[out]:Tag

Pass/Fail

GMACDecrypt

ValidatesaMessageAuthenticationCode(MAC).

[in]:Tag,Taglength,IV,IVlength,AAD,AADlength[out]:VOID

Pass/Fail

GCMDestruct ZeroizesAESkeyandhashkeytable.

[in]:VOID[out]:VOID

VOID

XTS Construct ConstructsanXTSobject. [in]:AESbitmode,ECBkey,Tweakkey,DUNSorTweakvalue

XTSobject


Page17of44


[out]:VOIDReKey RekeysanXTSobjectwith

alternateAESkey.[in]:AESbitmode,ECBkey,Tweakkey,DUNSorTweakvalue[out]:VOID

Pass/Fail

Encrypt EncryptsPTdata. [in]:AESbitmode,PTbuffer,Sectorbitlength,ECBkey,Tweakkey,DUNSorTweakvalue[out]:CTbuffer

Pass/Fail

Decrypt DecryptsCTdata. [in]:AESbitmode,CTbuffer,Sectorbitlength,ECBkey,Tweakkey,DUNSorTweakvalue[out]:PTbuffer

Pass/Fail

Destruct ZeroizesAESkeyandtweakvalue.

[in]:VOID[out]:VOID

VOID

ECC Construct ConstructsanECCobject. [in]:ECtype,SHAtype[out]:VOID

ECCobject

TypeSelect ChangestheECandSHAtypes.

[in]:ECtype,SHAtype[out]:VOID

Pass/Fail

CheckParams VerifiesECparameters. [in]:VOID[out]:VOID

Pass/Fail

IsPointAffine Determinesifpointisanaffinecoordinate.

[in]:ECAffinePoint[out]:VOID

Pass/Fail

IsPointValid Determinesifpointhascorrectorder.

[in]:ECAffinePoint[out]:VOID

Pass/Fail

Projectify Convertsaffinepointtoprojectivepoint.

[in]:ECAffinePoint[out]:ECProjectivePoint

VOID

Affinify Convertsprojectivepointtoaffinepoint.

[in]:ECProjectivePoint[out]:ECAffinePoint

Pass/Fail

Compress Convertsaffinepointtocompressedpoint.

[in]:ECAffinePoint[out]:ECCompressedPoint

VOID

Decompress Convertscompressedpointtoaffinepoint.

[in]:ECCompressedPoint[out]:ECAffinePoint

Pass/Fail

DoubleAffine Doublesanaffinepoint. [in]:ECAffinePoint[out]:ECAffinePoint

VOID

DoubleProjective

Doublesaprojectivepoint. [in]:ECProjectivePoint[out]:ECProjectivePoint

VOID

DoubleProjective

Doublesaprojectivepointin-place.

[inout]:ECProjectivePoint VOID

AddAffine Addsaffinepoints. [in]:ECAffinePoint,ECAffinePoint[out]:ECAffinePoint

VOID

Add Addsprojectivepoints. [in]:ECProjectivePoint,EC VOID


Page18of44


Projective

ProjectivePoint[out]:ECProjectivePoint

Multiply Multipliesaffinepointbyascalar.

[in]:Scalar,ECAffinePoint[out]:ECAffinePoint

Pass/Fail

MultiplyBase MultipliesECBasePointbyascalar.

[in]:Scalar[out]:ECAffinePoint

Pass/Fail

DoubleMultiply

Multipliestwoaffinepointsbytwoscalars.

[in]:Scalar,ECAffinePoint,Scalar,ECAffinePoint[out]:ECAffinePoint

Pass/Fail

ECDSAPublicKeyGen

ComputesthepublicECDSAkey.

[in]:PrivateKey[out]:ECPublicAffinePoint

Pass/Fail

ECDSASignatureGen

ComputestheECDSAsignature.

[in]:Message,Messagelength,PrivateKey,EphemeralKey[out]:Rcomponent,Scomponent

Pass/Fail

ECDSASignatureCheck

VerifiestheECDSAsignature. [in]:Message,Messagelength,Rcomponent,Scomponent,ECPublicAffinePoint[out]:VOID

Pass/Fail

ECDSASignatureCheckPrivate

VerifiestheECDSAsignature. [in]:Message,Messagelength,Rcomponent,Scomponent,PrivateKey[out]:VOID

Pass/Fail

Destruct ZeroizesECCbuffers. [in]:VOID[out]:VOID

VOID

FFC Construct ConstructsaFFCobject. [in]:VOID[out]:VOID

FFCObject

ExtDec2Hex Convertsanextendedprecision("big")numberfromdecimaltobinary(hexadecimal).

[in]:Decimalstringbuffer[out]:Wordbuffer,Wordbufferlength

Pass/Fail

ExtHex2Dec Convertsanextendedprecision("big")numberfrombinary(hexadecimal)todecimal.

[in]:Wordbuffer,Wordbufferlength[out]:Decimalstringbuffer

VOID

ExtCompare Compareswordbuffers. [in]:BufferA,BufferB,BufferA/Blength[out]:VOID

1:a==b2:A>B4:A<B

ExtMod Reducesthea-operandmodulothen-operand.

[in]:a-operand,alength,n-operand,nlength[out]:x-operand

VOID

ExtAdd Multi-precisionAddroutine [in]:a-operand,b-operand, Finalcarrybit


Page19of44


forunsignedintegers. a/b/xlength[out]:x-operand

ExtAdd Multi-precisionAddroutineforunsignedintegers.

[in]:b-operand,b/xlength[inout]:x-operand

Finalcarrybit

ExtSubtract Multi-precisionSubtractroutineforunsignedintegers.

[in]:a-operand,b-operand,a/b/xlength[out]:x-operand

Finalborrowbit

ExtSubtract Multi-precisionSubtractroutineforunsignedintegers.


Finalborrowbit

ExtAddImmed

Multi-precisionAddroutineofasingle-precision,signedintegertoamulti-precisionunsignedinteger.


Finalcarry

ExtModAdd Multi-precisionmodularAddroutineforunsignedintegers.

[in]:a-operand,b-operand,n-operand,a/b/n/xlength[out]:x-operand

VOID

ExtModAdd Multi-precisionmodularAddroutineforunsignedintegers.

[in]:b-operand,n-operand,b/n/xlength[inout]:x-operand

VOID

ExtModSubtract

Multi-precisionmodularSubtractroutineforunsignedintegers.


VOID

ExtModSubtract

Multi-precisionmodularSubtractroutineforunsignedintegers.


VOID

ExtModAddImmed

ModularAddroutineofasingle-precision,signedintegertoamulti-precisionunsignedinteger.


VOID

ExtShiftLeft Multi-precision1-bitLeftShiftroutineforunsignedintegers.

[in]:a-operand,Carrybit,a/xlength[inout]:x-operand

Finalcarry

ExtShiftLeft Multi-precision1-bitLeftShiftroutineforunsignedintegers.

[in]:xlength[inout]:x-operand

Finalcarry

ExtModShiftLeft

Performsamodularadditionofalongnumbertoitself.

[in]:a-operand,n-operand,a/n/xlength[out]:x-operand

VOID

ExtModShiftLeft

Performsamodularadditionofalongnumbertoitself.

[in]:n-operand,n/xlength[inout]:x-operand

VOID

ExtShiftRight Multi-precision1-bitRightShiftroutineforunsignedintegers.

[in]:a-operand,a/xlength[out]:x-operand

VOID

ExtShiftRight Multi-precision1-bitRightShiftroutineforunsignedintegers.

[in]:xlength[inout]:x-operand

VOID


Page20of44


ExtModShiftRight

Multi-precisionmodulardivide-by-2routineforunsignedintegers.

[in]:n-operand,n/xlength[inout]:x-operand

VOID

ExtShiftVar Multi-precision,multi-bitLeftorRightShiftroutineforunsignedintegers.

[in]:a-operand,signedshiftcount,a/xlength[out]:x-operand

VOID

ExtShiftVar Multi-precision,multi-bitLeftorRightShiftroutineforunsignedintegers.

[in]:signedshiftcount,xlength[inout]:x-operand

VOID

ExtBinModInverse

Performsmodularinversion1/awithrespecttoamodulusn(usuallyaprimenumber)inmultipleprecisionarithmetic.

[in]:a-operand,n-operand,a/nlength[out]:a-inverse-result

VOID

ExtBinModDivide

Performsmodulardivisionb/awithrespecttoamodulusn(usuallyaprimenumber)inmultipleprecisionarithmetic.

[in]:b-operand,a-operand,n-operand,b/a/nlength[out]:ba-dividend-result

VOID

ExtBinModInversev2

Performsmodularinversion1/awithrespecttoamodulusn(usuallyaprimenumber)inmultipleprecisionarithmetic.


VOID

ExtMultiply Multi-precisionmultiplicationroutineforunsignedintegersofthesamesize.

[in]:a-operand,b-operand,a/b/xlength[out]:x-operand

VOID

ExtMultiply Multi-precisionmultiplicationroutineforunsignedintegersofdifferentsizes.

[in]:a-operand,alength,b-operand,blength[out]:x-operand

VOID

ExtModMultiply

Multi-precisionmodularMultiplyroutineforunsignedintegers.


VOID

ExtSquare Multi-precisionsquaringroutineforunsignedintegers.

[in]:a-operand,alength[out]:x-operand

VOID

ExtModSquare

Multi-precisionmodularsquaringroutineforunsignedintegers.


VOID

ExtDivide Multi-precisiondivisionroutineforunsignedintegers.

[in]:a-operand,alength,n-operand,nlength[out]:q-operand,r-operand

VOID

ExtModInverse

Performsmodularinversion1/awithrespecttoamodulusn(usuallyaprimenumber)inmultipleprecision


VOID


Page21of44


arithmetic.ExtModDivide

Performsmodulardivisionb/awithrespecttoamodulusn(usuallyaprimenumber)inmultipleprecisionarithmetic.

[in]:b-operand,a-operand,n-operand,b/a/nlength[out]:ba-dividend-result

VOID

ExtSqrt Multi-precisionsquare-rootroutineforunsignedintegers.

[in]:a-operand,alength[out]:sqrt-result

Pass/Fail

ExtSqrtv0 Multi-precisionsquare-rootroutineforunsignedintegers.


Pass/Fail

ExtSqrtv1 Multi-precisionsquare-rootroutineforunsignedintegers.


Pass/Fail

Findn0Prime ComputestheMontgomeryarithmeticparametern0'.

[in]:LSWofmodulus[out]:VOID

Montgomeryarithmeticparameter

MontImagev0

ComputestheMontgomeryImage(aM)ofanunsignedintegerawithrespecttoamodulusn.


VOID

MontImage ComputestheMontgomeryImage(aM)ofanunsignedintegerawithrespecttoamodulusn.


VOID

MontProd Multi-precisionMontgomeryProductroutineforunsignedintegers.

[in]:a-operand,b-operand,n-operand,LSWofmodulus,a/b/n/xlength[out]:x-operand

VOID

MontSquare Multi-precisionMontgomerySquaringroutineforunsignedintegers.

[in]:a-operand,n-operand,LSWofmodulus,a/n/xlength[out]:x-operand

VOID

RevMontImage

Thisfunctionconvertsamulti-precisionintegerfromMontgomeryrepresentationtobinary(normal)representation.

[in]:a-operand,n-operand,LSWofmodulus,a/n/xlength[out]:x-operand

VOID

MontExp Multi-precisionMontgomeryExponentiationroutineforunsignedintegers.

[in]:b-operand,e-operand,elength,n-operand,b/nlength[out]:x-operand

VOID

MontModInverse

Computesa_inv=1/aop(modnop)usingFermat'sLittleTheorem.


VOID

MontModSqrt

Computesthesquarerootofamulti-precisionoperand(a)moduloaprimemodulus(n).

[in]:a-operand,n-operand,a/nlength[out]:a-sqrt-result

Pass/Fail

Barrett Calculatesthemodulus- [in]:n-operand,n/xlength VOID


Page22of44


Inverse dependentquantity. [out]:x-operandBarrettModMultiply

Multi-precisionmodularmultiplicationroutineforunsignedintegers.

[in]:a-operand,b-operand,n-operand,u-operand,a/b/n/xlength[out]:x-operand

VOID

BarrettExp Multi-precisionexponentiationroutineforunsignedintegers.

[in]:b-operand,e-operand,elength,n-operand,u-operand,b/nlength[out]:x-operand

VOID

BarrettModInverse

Computesa_inv=1/aop(modnop)usingFermat'sLittleTheorem.


VOID

BarrettModSqrt

Computesthesquarerootofamulti-precisionoperand(a)moduloaprimemodulus(n).


Pass/Fail

ProbabModSqrt

Generalprobabilisticalgorithmtocomputethesquarerootmoduloaprimenumber.


Pass/Fail

ProbabModSqrtv2



Pass/Fail

ProbabModSqrtv1



Pass/Fail

ProbabModSqrtv0



Pass/Fail

JacobiSymbol ComputestheJacobisymbolforanintegeraandanoddmodulusn

[in]:a-operand,n-operand,a/nlength[out]:VOID

1ifainQR(n),else-1/0

Destruct DestructstheFFCobject. [in]:VOID[out]:VOID

VOID

KASECC

Construct ConstructsaKASECCobject. [in]:KAStype,initiatorid,responderid,algorithmid,MACkeylength,MACtaglength[out]:VOID

KASECCobject

TypeSelect ChangestheKAStype. [in]:KAStype,initiatorid,responderid,algorithmid,MACkeylength,MACtaglength

Pass/Fail


Page23of44


[out]:VOIDECDHInit1 ComputesPhase1ofFull

UnifiedModeloninitiatorside.

[in]:Initiatorephemeralprivatekey[out]:Initiatorephemeralpublickey

Pass/Fail

ECDHResp1 ComputesPhase1ofFullUnifiedModelonresponderside.

[in]:Responderstaticprivatekey,Responderstaticpublickey,Responderephemeralprivatekey,Initiatorstaticpublickey,Initiatorephemeralpublickey,Nonce[out]:Responderephemeralpublickey,MACkey,AESinitiator/responderkeys,ResponderMACtag

Pass/Fail

ECDHInit2 ComputesPhase2ofFullUnifiedModeloninitiatorside.

[in]:Initiatorstaticprivatekey,Initiatorstaticpublickey,Initiatorephemeralprivatekey,Initiatorephemeralpublickey,Nonce,Responderstaticpublickey,Responderephemeralpublickey,ResponderMACtag,[out]:AESinitiator/responderkeys,InitiatorMACtag

Pass/Fail

ECDHResp2 ComputesPhase2ofFullUnifiedModelonresponderside.

[in]:Responderephemeralpublickey,MACkey,Initiatorephemeralpublickey,InitiatorMACtag[out]:VOID

Pass/Fail

MQVPrimitive

ComputesthefullformoftheECCMQVprimitive.

[in]:Initiatorstaticprivatekey,Initiatorephemeralprivatekey,Initiatorephemeralpublickey,Responderstaticpublickey,Responderephemeralpublickey[out]:Sharedsecret

Pass/Fail

MQVInit1 ComputesPhase1ofFullMQVModeloninitiatorside.

[in]:Initiatorephemeralprivatekey[out]:Initiatorephemeralpublickey

Pass/Fail

MQVResp1 ComputesPhase1ofFullMQVModelonresponderside.

[in]:Responderstaticprivatekey,Responderstaticpublickey,Responderephemeralprivatekey,Initiatorstatic

Pass/Fail


Page24of44


publickey,Initiatorephemeralpublickey,Nonce[out]:Responderephemeralpublickey,MACkey,AESinitiator/responderkeys,ResponderMACtag

MQVInit2 ComputesPhase2ofFullMQVModeloninitiatorside.

[in]:Initiatorstaticprivatekey,Initiatorstaticpublickey,Initiatorephemeralprivatekey,Initiatorephemeralpublickey,Nonce,Responderstaticpublickey,Responderephemeralpublickey,ResponderMACtag,[out]:AESinitiator/responderkeys,InitiatorMACtag

Pass/Fail

MQVResp2 ComputesPhase2ofFullMQVModelonresponderside.

[in]:Responderephemeralpublickey,MACkey,Initiatorephemeralpublickey,InitiatorMACtag[out]:VOID

Pass/Fail

Destruct DestructstheKASECCobject. [in]:VOID[out]:VOID

VOID

SHA Construct ConstructsaSHAobject. [in]:SHAtype[out]:VOID

SHAobject

TypeSelect ChangestheSHAtype. [in]:SHAtype[out]:VOID

Pass/Fail

ProcMessage Generatesamessagedigest. [in]:Message,Messagelength[out]:Digest

VOID

ProcMessage Generatesamessagedigest. [in]:SHAtype,Message,Messagelength[out]:Digest

VOID

ProcInit Initializesfirstmessagedigestsegment.

[in]:Message,Messagelength[out]:VOID

VOID

ProcInit Initializesfirstmessagedigestsegment.

[in]:SHAtype,Message,Messagelength[out]:VOID

VOID

ProcUpdate Updatesmiddlesegmentmessagedigestsegment.


VOID

ProcFinal Generatesfinalmessagedigest.

[in]:Message,Messagelength[out]:Digest

VOID

160ProcMessage

Generatesamessagedigest. [in]:Message,Messagelength,SHAmode[out]:Digest

VOID

HMACProc GeneratesaKeyed-Hash [in]:Message,Message VOID


Page25of44


Message MessageAuthenticationCode(HMAC)digest.

length,key,keylength[out]:Digest

HMACProcMessage

GeneratesaHMACtag. [in]:Message,Messagelength,key,keylength[out]:MACtag,MACtaglength

VOID

HMACProcInit

InitializesfirstHMACmessagedigestsegment.

[in]:Message,Messagelength,key,keylength[out]:VOID

VOID

HMACProcUpdate

UpdatesmiddleHMACsegmentmessagedigestsegment.


VOID

HMACProcFinal

GeneratesfinalHMACmessagedigest.

[in]:Message,Messagelength[out]:Digest

VOID

HMACProcFinal

GeneratesfinalHMACmessagedigest.

[in]:Message,Messagelength[out]:MACtag,MACtaglength

VOID

KDFCTR/FB/DPI

Generatesaderivedkey. [in]:Label/IV,Labellength,Context,Contextlength,Counterlength,Counterlocation[out]:Derivedkey,Derivedkeylength

VOID

PBKDF Generatesaderivedkeyfrompasswordandsalt.

[in]:Password,Passwordlength,Salt,Saltlength,iterationcount[inout]:Derivedkeylength[out]:Derivedkey

VOID

Destruct ZeroizesSHAbuffers. [in]:VOID[out]:VOID

VOID

Util’s Zeroize Zeroizesfixed-sizebuffers. [inout]:Buffer VOIDObfuscate Zeroizedfixed-sizebuffer

withrandomdatafromDRBG.

[inout]:Buffer VOID

WordStrClr Zeroizesbuffer. [in]:Bufferlength[inout]:Buffer

VOID

WordStrCpy Copiesbuffer. [in]:InputBuffer,Bufferlength[out]:Copiedbuffer

VOID

WordStrDiff Differencesbuffers. [in]:Buffera,Bufferb,a/blength[out]:VOID

Non-zerovalueindicatesdifference

WordStrCmp Comparesbuffers. [in]:Buffera,Bufferb,a/blength

Pass/Fail


Page26of44


[out]:VOIDWordStrCmpv0

Comparesbuffertozero. [in]:Buffer,Bufferlength[out]:VOID

Pass/Fail

WordStrCmpv1

Comparesbuffertozero. [in]:Buffer,Bufferlength[out]:VOID

Pass/Fail

MyMemCmpK

Comparesbytebuffertobyte.

[in]:Buffer,Bufferlength,bytevalue[out]:VOID

Pass/Fail

CleanUp Zeroizeswordbufferandverifieszeroed.

[in]:Bufferlength[inout]:Buffer

VOID

CleanUp Zeroizesbytebufferandverifieszeroed.

[in]:Bufferlength[inout]:Buffer

VOID

Words2Bytes Convertswordbuffertobytebuffer.

[in]:Wordbuffer,Wordbufferlength[out]:bytebuffer

VOID

Bytes2Words Convertsbytebuffertowordbuffer.

[in]:Bytebuffer,Wordbufferlength[out]:Wordbuffer

VOID

DWords2Bytes

Convertsdoublewordbuffertobytebuffer.

[in]:DWordbuffer,DWordbufferlength[out]:bytebuffer

VOID

Bytes2DWords

Convertsbytebuffertodoublewordbuffer.

[in]:Bytebuffer,DWordbufferlength[out]:DWordbuffer

VOID

QuickRandomBytes

Generatespseudo-randombytesfromDRBG.

[in]:Bufferlength[out]:Buffer

Pass/Fail

Stristr Case-insensitivesubstringsearch

[in]:Buffer,searchstring[out]:VOID

Substring

MyMemiCmp

Case-insensitivebytebuffercomparison

[in]:Buffera,Bufferb,a/blength[out]:VOID

Non-zerovalueindicatesdifference

ScanHexData Decodesabytestringbufferintoabytebuffer.

[in]:Stringbuffer[out]:Bytebuffer

Lengthofbytebuffer

ScanHexData Decodesabytestringbufferintoawordbuffer.

[in]:Stringbuffer[out]:Wordbuffer

Lengthofwordbuffer

ScanHexAlignRight

Decodesabytestringbufferintoawordbufferwithrightalignment.

[in]:Stringbuffer[inout]:Wordbufferlength[out]:Wordbuffer

VOID

ReadDecParam

Readsdecimalparameterfrominputfilestream.

[in]:Inputfilestream,Offsetheader[out]:VOID

Decimalparameter

ScanHexData Decodesabytestringfromaninputstreamintoawordbuffer.

[in]:Inputfilestream,Bitlength,Offsetheader[out]:Wordbuffer

VOID


Page27of44


ScanHexData Decodesabytestringfromaninputstreamintoabytebuffer.

[in]:Inputfilestream,Bitlength,Offsetheader[out]:Bytebuffer

VOID

ScanHexData Decodesabytestringfromaninputstreamintoawordbuffer.

[in]:Inputfilestream,Offsetheader[out]:Wordbuffer

Lengthofwordbuffer

ScanHexAlignRight

Decodesabytestringfromaninputstreamintoawordbufferwithrightalignment.

[in]:Inputfilestream,Wordbufferlength,Offsetheader[out]:Wordbuffer

Pass/Fail

WriteHexData

Encodeswordbufferintostringbuffer.

[in]:Stringbuffer,Wordbufferlength[out]:Wordbuffer

VOID

WriteHexData

Encodesbytebufferintostringbuffer.

[in]:Stringbuffer,Bytebufferlength[out]:Bytebuffer

VOID

WriteHexData

Writeswordbufferintooutputstreamasastring.

[in]:Outputfilestream,Wordbufferlength,Offsetheader,Skipzeros[out]:Wordbuffer

VOID

WriteHexData

Writesbytebufferintooutputstreamasastring.

[in]:Outputfilestream,Bytebufferlength,Offsetheader[out]:Bytebuffer

VOID

Table6–ModuleServicesforUserRole

2.3.3. AuthenticationTheModuledoesnotsupportoperatorauthentication.Rolesareselectedimplicitlybasedontheserviceperformedbytheoperator.

Role TypeofAuthentication AuthenticationDataCryptographicOfficer N/A N/AUser N/A N/A

Table7–ModuleAuthentication

2.4. FiniteStateModelTheFiniteStateModel(FSM)describestheoverallbehaviorandtransitionstheModuleundergoesbaseduponitscurrentstateandcommandsreceived.TheFSMwasreviewedaspartoftheoverallFIPS140-2validation.

2.5. PhysicalSecurityTheModuleisimplementedentirelyinsoftware,thusitisnotsubjecttotheFIPS140-2PhysicalSecurityrequirements.TheoperationalenvironmentthatexecutestheModuleshouldbelocatedonproduction-gradeequipmentandisexpectedtobesecuredbybestpractices.


Page28of44

2.6. OperationalEnvironmentTheModulerunsinasingle-userFIPS140-2certifiedoperationalenvironmentwhereeachcallingapplicationrunsinavirtuallyseparated,independentspaceandiscompatiblewiththeDRBGonwhichitrunsbaseduponconfiguration.TheModuleisimplementedentirelyinsoftware,andforFIPS140-2purposes,isclassifiedasmulti-chipstandalonepertheoperationalenvironmentonwhichitruns.

Module OperationalEnvironment CMVPCertificate

CAVPDRBGCertificate

KEYWcryptoModule.dll IntelXeonE5530w/MicrosoftWindowsServer2012R2(64-bit) #2357 #489,#523

libKEYWcryptoModule.so.3 QualcommSnapdragon801w/BlackBerryOS10.3 #1578 #81

libKEYWcryptoModule.so.3 QualcommSnapdragonS4w/BlackBerryOS10.3 #1578 #81

Table8–OperationalEnvironments

2.7. CryptographicKeyManagementThefollowingtabledescribesthecryptographickeys,keycomponentsandCriticalSecurityParameters(CSPs)utilizedexclusivelybytheModule.

Key/CSP Mode/Key/CSPSize Use Access

Type Input/Output Storage Destruction

HMACIntegrityCheckKey

SHA-512 SymmetrickeyusedforSoftwareIntegrityChecksum.

CryptoOfficerRole:Read&Write

SymmetrickeygeneratedduringeachModuleinitializationasinputwhereanewsymmetrickeyisgeneratedaftereachbuild.SeeSection2.9formoredetailsonSoftwareIntegrityPOST.

HeldinRAMasplaintexttemporarilyforsingle-useandisnotstoredduringModuleinitialization.

ZeroizedimmediatelyafterModuleinitializationviazeroizeservicefromModuleAPI.

HMACIntegrityChecksumCSP

SHA-512 ChecksumCSPusedinSoftwareIntegrityChecksum.

CryptoOfficerRole:Read&Write

ChecksumCSPenteredasinputduringeachModuleinitializationwhereanewChecksumCSPisgeneratedaftereachbuild.

HeldinRAMasplaintexttemporarilyforsingle-useandisnotstoredduringModuleinitialization.

ZeroizedimmediatelyafterModuleinitializationviazeroizeservicefromModuleAPI.

AES-ECBKeyECB-128 Symmetrickeyusedfor

UserRole:

Symmetrickeyentered,

HeldinRAMasplaintext.

CallingapplicationisECB-192


Page29of44



ECB-256 encryptionanddecryptionofuserdata.

Read&Write

established,orgeneratedbyoperationalenvironmentDRBGasinput.

responsibleforzeroizingsymmetrickeyviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

AES-CBCKeyCBC-128 Symmetrickeyusedforencryptionanddecryptionofuserdata.

UserRole:Read&Write

Symmetrickeyentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandplaintextorciphertextasoutput.


CallingapplicationisresponsibleforzeroizingsymmetrickeyviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

CBC-192CBC-256

AES-CBCIVCSP

CBC-128 IVCSPusedinencryptionanddecryptionofuserdata.

UserRole:Read&Write

IVCSPentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandplaintextorciphertextasoutput.


CallingapplicationisresponsibleforzeroizingIVCSPviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

CBC-192CBC-256

AES-GCMKey

GCM-128 Symmetrickeyusedforencryptionanddecryptionoftrafficdata.

UserRole:Read&Write

Symmetrickeyentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandplaintextorciphertextwithTagasoutput.



GCM-192GCM-256

AES-GCMIVCSP

GCM-128 IVCSPusedinencryptionanddecryptionoftrafficdata.

UserRole:Read&Write

IVCSPentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandplaintextor


CallingapplicationisresponsibleforzeroizingIVCSPviazeroizeservicefromModule

GCM-192GCM-256


Page30of44



ciphertextwithTagasoutput.

APIorviaplatform-providedAPI.

AES-XTSKeys

XTS-128 Symmetrickeysusedforencryptionanddecryptionofstoreddata.

UserRole:Read&Write

Symmetrickeysentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandplaintextorciphertextasoutput.


CallingapplicationisresponsibleforzeroizingsymmetrickeysviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

XTS-256

AES-XTSTweakValueCSP

XTS-128 TweakvalueCSPusedinencryptionanddecryptionofstoreddata.

UserRole:Read&Write

TweakvalueCSPentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandplaintextorciphertextasoutput.


CallingapplicationisresponsibleforzeroizingTweakvalueCSPviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

XTS-256

AES-KW/KWPKey

KW-128 Symmetrickeyusedforencryptionanddecryptionofotherkeys.

UserRole:Read&Write

Symmetrickeyentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandplaintextorciphertextasoutput.



KW-192KW-256KWP-128KWP-192KWP-256

CMACKey AES-128 Symmetrickeyusedformessageauthentication.

UserRole:Read&Write

Symmetrickeyentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandMACasoutput.



AES-192AES-256


Page31of44



GMACKey AES-128 Symmetrickeyusedformessageauthentication.

UserRole:Read&Write




AES-192AES-256

GMACIVCSP

AES-128 IVCSPusedformessageauthentication.

UserRole:Read&Write

IVCSPentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandMACasoutput.



AES-192AES-256

HMACKey SHA-1(SHA-160) Symmetrickeyusedformessageauthentication.

UserRole:Read&Write





ECDSAKey P-192 SHA-1(SHA-160)

Asymmetrickeyusedfordigitalsignature.PerNISTSP800-131A,P-192andSHA-1arenolongerconsideredsecureandshallnotbeusedtogeneratedigital

UserRole:Read&Write

AsymmetrickeyenteredorgeneratedbyoperationalenvironmentDRBGasinputanddigitalsignaturescalarscomputedasoutput.


CallingapplicationisresponsibleforzeroizingasymmetrickeyviazeroizeservicefromModuleAPIorviaplatform-providedAPI.


P-224 SHA-1(SHA-160)SHA-224SHA-256SHA-384SHA-512


Page32of44



SHA-512/224 signatures(Ref.[14]).SHA-512/256


P-384 SHA-1(SHA-160)


P-521 SHA-1(SHA-160)


ECCKASKeys


AsymmetrickeysandMACkeysusedforkeyestablishment.

UserRole:Read&Write

AsymmetrickeysandMACkeysenteredorgeneratedbyoperationalenvironmentDRBGasinputandsymmetrickeysderivedasoutput.


Callingapplicationisresponsibleforzeroizingasymmetric/symmetrickeysviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

FullUnifiedKCECP-256,SHA-256FullUnifiedKCEDP-384,SHA-384FullUnifiedKCEEP-521,SHA-512FullMQVKCEBP-224,SHA-224FullMQVKCECP-256,SHA-256FullMQVKCEDP-384,SHA-384FullMQVKCEEP-521,SHA-512


Page33of44



ECCKASNonce&MACtagCSPs


NonceandMACtagCSPsusedinkeyestablishment.

UserRole:Read&Write

NonceandMACtagCSPsenteredorgeneratedbyoperationalenvironmentDRBGasinputandsymmetrickeysderivedasoutput.


CallingapplicationisresponsibleforzeroizingNonceandMACtagCSPsviazeroizeservicefromModuleAPIorviaplatform-providedAPI.


ECCKASSharedSecret&DKMCSPs


SharedSecretandDKMCSPsderivedduringkeyestablishment.

UserRole:N/A

SharedSecretandDKMCSPsderivedasoutputbetweenKASphases.

HeldinRAMasplaintexttemporarilyforsingle-useandisnotstoredbetweenKASphases.

ZeroizedimmediatelybetweenKASphasesviazeroizeservicefromModuleAPI.


ECCCDHPrimitiveKeys

P-224 AsymmetrickeysusedforsharedsecretCSPestablishment.

UserRole:Read&Write

Asymmetrickeys,enteredorgeneratedbyoperationalenvironmentDRBGasinputandsharedsecretCSPderivedasoutput.


CallingapplicationisresponsibleforzeroizingasymmetrickeysviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

P-256P-384P-521

ECCCDHPrimitive

P-224 SharedsecretCSPsderived

UserRole:

SharedsecretCSPderivedas


CallingapplicationisP-256


Page34of44



SharedSecretCSPs

P-384 fromestablishment.

Read&Write

outputwhenasymmetrickeysenteredorgeneratedbyoperationalenvironmentDRBGasinput.

responsibleforzeroizingsharedsecretCSPsviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

P-521

KBKDF-CMAC-CTRKeys

CMAC-AES-128 Symmetrickeyusedforkeyderivation.

UserRole:Read&Write

Symmetrickeyentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandsymmetrickeyderivedasoutput.




KBKDF-CMAC-FBKeys


UserRole:Read&Write





KBKDF-CMAC-FBIVCSP

CMAC-AES-128 IVCSPusedinkeyderivation.

UserRole:Read&Write

IVCSPentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandsymmetrickeyderivedasoutput.




KBKDF-CMAC-DPIKeys


UserRole:Read&Write

Symmetrickeyentered,established,orgeneratedby


Callingapplicationisresponsibleforzeroizing



Page35of44



operationalenvironmentDRBGasinputandsymmetrickeyderivedasoutput.

symmetrickeysviazeroizeservicefromModuleAPIorviaplatform-providedAPI.

KBKDF-HMAC-CTRKeys

HMAC-SHA-1(SHA-160)

Symmetrickeyusedforkeyderivation.

UserRole:Read&Write





KBKDF-HMAC-FBKeys

HMAC-SHA-1(SHA-160)


UserRole:Read&Write





KBKDF-HMAC-FBIVCSP

HMAC-SHA-1(SHA-160)

IVCSPusedinkeyderivation.

UserRole:Read&Write

IVCSPentered,established,orgeneratedbyoperationalenvironmentDRBGasinputandsymmetrickeyderivedasoutput.




KBKDF-HMAC-DPIKeys

HMAC-SHA-1(SHA-160)


UserRole:Read&Write

Symmetrickeyentered,established,orgeneratedbyoperationalenvironment


Callingapplicationisresponsibleforzeroizingsymmetrickeysvia



Page36of44



DRBGasinputandsymmetrickeyderivedasoutput.

zeroizeservicefromModuleAPIorviaplatform-providedAPI.

PBKDFPasswordCSP

HMAC-SHA-1(SHA-160)

PasswordCSPusedinpassword-basedkeyderivation.

UserRole:Read&Write

PasswordCSPenteredbycallingapplicationasinputandsymmetrickeyderivedasoutput.


CallingapplicationisresponsibleforzeroizingPasswordCSPviazeroizeservicefromModuleAPIorviaplatform-providedAPI.


PBKDFKey HMAC-SHA-1(SHA-160)

Symmetrickeyderivedfrompassword-basedkeyderivation.

UserRole:Read&Write

SymmetrickeyderivedasoutputwhenPasswordCSPenteredbycallingapplicationasinput.




Table9–ModuleCryptographicKeysandCriticalSecurityParameters

2.7.1. KeyZeroizationTheModuleAPIleveragesfixed-sizebufferzeroizationviamemsetandpseudorandombufferfilling.TheCryptographicOfficeroperatormayrequestHMACIntegrityCheckKeyzeroizationatanytimebypower-cyclingtheoperationalenvironmentandreloadingtheModule.Also,theCryptographicOfficeroperatormaymanuallyuninstalltheModulefromtheoperationalenvironmentandreformat(i.e.overwriteatleastonce)theplatform’sharddriveorotherpermanentstoragemediawhileonlyperformingtheproceduraluninstallationoftheModuleisnotanacceptablekeyzeroizationmethod.TheUseroperatormustzeroizekeys/CSPsstoredintheoperationalenvironmentbycallingazeroizeserviceprovidedbytheModuleAPIorviaplatform-providedAPI.

2.8. ElectromagneticInterferenceandCompatibilityTheModulemeetstherequirementsoftheFIPS140-2EMI/EMCLevel1specificationastheoperationalenvironmentonwhichtheModulesoftwarerunspassedvalidationexecutinguponthegeneral-purposecomputer(GPC)thatconfirmstotheEMI/EMCrequirementsspecificby47CodeofFederalRegulations,Part15,SubpartB,UnintentionalRadiators,DigitalDevices,ClassA(i.e.,forbusinessuse).


Page37of44

2.9. Self-TestsTheModuleimplementsPower-OnSelf-Tests(POST)andconditionalself-teststhataredescribedinthefollowingtables:

Test DescriptionSoftwareIntegrity TheModulevalidatesitsownsoftwareintegrityuponloadofthe

ModuleDLL/SOfile.Theintegritycheckisatwo-stepprocessconsistingofanHMACverification(basedontheFIPS-approvedHMAC-512algorithm),appliedtothewholeModuleDLL/SOimageprocessedasabinarydatafile.Inthefirststep,the512-bit(64-byte)HMACkeyfortheHMACverificationisderivedviaaFIPS-approvedKBKDFfromseveralbuild-specificdatafieldsincludingthecurrentversionstringandbuilddate,whicharecompiledintotheModuleandarenotmodifiable.ThisHMACkeycustomizationisaimedatpreventingmaliciousModuleDLL/SOrebuildsandauthenticatingtheoriginalbuildonly.Inthesecondstep,the512-bitHMACkeyisusedtoperformanHMAC-512integritycheckofthewholeModuleDLL/SOimage.Thiscomputationproducesa512-bitchecksumthatiscomparedagainstahexadecimalvaluepre-storedinapropertiesfile.

AESCheckEncryption/DecryptionTables

Verifiestheintegrityofthepre-builtSboxsubstitutiontableandinverseSboxsubstitutiontable.TheSboxsubstitutiontableispre-convertedtofour32-bittables,inordertospeedupAESencryptionin32-bitprocessingmodewhiletheinverseSboxsubstitutiontableispre-convertedtofour32-bittables,inordertospeedupAESdecryptionin32-bitprocessingmode.

GCMEncrypt/DecryptKAT

ExercisesasetofKnownAnswerTests(KATs)extractedfromtheGCMtestvectorspublishedbyNISTintheGCMVSspecification(Reference[18])onallthreeGCMencryptionmodescorrespondingtoAESkeysizesof128,192and256bitsfeaturingthelargestcombinationsofPT,IVandAAD.ThecomprehensiveGCMKATsimplicitlyprovideassuranceaboutthevalidityoftheunderlyingAEScryptographicalgorithms.

SHAKAT ExercisesasetofKnownAnswerTests(KATs)extractedfromtheSHAtestvectorspublishedbyNISTintheSHAVSspecification(Reference[21])onallSHAversions(SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224andSHA-512/256)specifiedinFIPSPublication180-4featuringmixedhash/digestsizecombinationswiththelongestinputdata.ThecomprehensiveSHAKATsimplicitlyprovideassuranceaboutthevalidityoftheKeyDerivationFunction(KDF)employedbytheECDHKeyAgreementScheme(asrecommendedinNISTSP800-56A–Reference[15],aSHA-basedconcatenationKDFisbeingused).


Page38of44

Test DescriptionHMACKAT ExercisesasetofKnownAnswerTests(KATs)extractedfromthe

HMACtestvectorspublishedbyNISTintheHMACVSspecification(Reference[22])featuringthelargestcombinationsofkeyandtagsizescoveringallversionsoftheunderlyinghashingalgorithm(SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224andSHA-512/256).ThecomprehensiveHMACKATsimplicitlyprovideassuranceaboutthevalidityoftheBilateralKeyConfirmationmethodemployedbytheECDHKeyAgreementScheme(Reference[15],Section8.4).

ECDSAKeyPair/PKVKAT

ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheECDSAKeyPair(private/publickeyverification)andPKV(PublicKeyValidation)testvectorspublishedbyNISTintheECDSA2VSspecification(Reference[24])coveringeachversionoftheunderlyingprime-fieldEC(P-192,P-224,P-256,P-384andP-521).TheECDSAKeyPairtestsincludemultipleKATverificationsofECCpointmultiplication,whichistheECCprimitiveusedforshared-secret(“Z”)computationbytheECDHKeyAgreementScheme.

ECDSASigGenKAT ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheSigGentestvectorspublishedbyNISTintheECDSA2VSspecification(Reference[24]).Inthistestcategory,ECDSA2VSonlyprovidesthemessagetobesigned.Themodulegeneratesaprivatekey,computesthecorrespondingpublickey,generatesanECDSA“secretnumber”(ephemeralkey)fromtheDRBG,computesthemessagesignatureusingtheprivatekeyandverifiesthesignaturewiththepublickey.Forcompleteness,thesignatureisverifiedwiththeprivatekeyaswell.OnelongtestvectorisexercisedforeachcombinationofprimefieldEC(P-224,P-256,P-384andP-521)andhashingalgorithm(SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224andSHA-512/256).InthelatestNISTSuiteBspecificationsP-192ECandSHA-1arenolongerconsideredsuitableforsecureECDSAgeneration(Reference[14]).

ECDSASigVerKAT ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheSigVertestvectorspublishedbyNISTintheECDSA2VSspecification(Reference[24]).ThesetestcasesareincompliancewiththelatestECDSAspecification(FIPS186-4,Reference[12]),whichallowsanyprime-fieldEC(P-192,P-224,P-256,P-384orP-521)tobecombinedwitheachSHAversionfromFIPS180-4(SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224orSHA-512/256)inanECDSAcomputation.OnetestcasefromeachEC/SHAcombination,featuringthelongestmessage,isexercised.


Page39of44

Test DescriptionECDHFullUnifiedKeyAgreementScheme(KAS)KAT

ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheECDHtestvectorspublishedbyNISTintheKASVSspecification(Reference[25])featuringtheFullUnifiedModelofECDHcoveringeachversionoftheunderlyingprime-fieldEC(P-224,P-256,P-384andP-521).EachtestrunincludesbothInitiator-sideandResponder-sidefunctions.TheunderlyingcryptographicalgorithmsusedduringECDHkeyagreementarefullyvalidatedviaindividualPOSTs:

• ECCpointmultiplicationisvalidatedviaECDSAKeyPairKATs• TheKeyDerivationFunctionisvalidatedviaSHAKATs• TheKeyConfirmationfunctionisvalidatedviaHMACKATs

ECDHFullMQVKeyAgreementScheme(KAS)KAT

ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheECDHtestvectorspublishedbyNISTintheKASVSspecification(Reference[25])featuringtheFullMQVmodelofECDHcoveringeachversionoftheunderlyingprime-fieldEC(P-224,P-256,P-384andP-521).EachtestrunincludesbothInitiator-sideandResponder-sidefunctions.TheunderlyingcryptographicalgorithmsusedduringECDHkeyagreementarefullyvalidatedviaindividualPOSTs:

• ECCpointmultiplicationisvalidatedviaECDSAKeyPairKATs• TheKeyDerivationFunctionisvalidatedviaSHAKATs• TheKeyConfirmationfunctionisvalidatedviaHMACKATs

XTSEncrypt/DecryptKAT

ExercisesasetofKnownAnswerTests(KATs)extractedfromtheXTStestvectorspublishedbyNISTintheXTSVSspecification(Reference[19]).Bothformatsspecifiedforthetweakvalueinput(128-bithexadecimalstringor64-bitDataUnitSequenceNumber)arebeingtestedwithvarious,non-trivialDataUnitbitsizesinencryptanddecryptmode.ThecomprehensiveXTSKATsimplicitlyprovideassuranceaboutthevalidityoftheunderlyingAEScryptographicalgorithms.

KW/KWPEncrypt/DecryptKAT

ExercisesasetofKnownAnswerTests(KATs)extractedfromKWandKWPtestvectorspublishedbyNISTwiththeKeyWrapValidationSystem(KWVS)specification(Reference[20]).AllthreeencryptionmodesaretestedforKWandKWP,correspondingtoAESkeysizesof128,192and256bits.Also,theunderlyingAESblockcipheristestedineitherforwarddirectionorinversedirectionduringKW/KWPencryption.Twonon-trivialtestvectorsareexercisedforeachcombinationofAESkeysize,KW/KWPandforward/inverseblockcipher.ThecomprehensiveKW/KWPKATsimplicitlyprovideassuranceaboutthevalidityoftheunderlyingAEScryptographicalgorithms.


Page40of44

Test DescriptionKBKDFKAT ExercisesasetofKnownAnswerTests(KATs)extractedfromKDFtest

vectorspublishedbyNISTwiththeKeyDerivationusingPseudorandomFunctions(SP800-108)ValidationSystem(KBKDFVS)(Reference[23]).BothCMACandHMACalgorithmsareexercisedasunderlyingpseudo-randomfunction(PRF).ForeachPRF,SP800-108specifiesthreemodesofkeyderivationfromasetofinputs:CounterMode(CTR),FeedBackMode(FB)andDouble-PipelineIterationMode(DPI),whichareallrepresentedduringaKDFself-testrun.Atleastonenon-trivialtestcasehasbeenincludedforeachinputparametercombinationspecifiedinKBKDFVS,addingupto12KDFCTRtests,32KDFFBtestsand16KDFDPItests.

PBKDFKAT ThecomprehensiveHMACKATsimplicitlyprovideassuranceaboutthevalidityofthePassword-BasedKeyDerivationFunction(PBKDF)asrecommendedinIAWNISTSP800-132(Reference[11]).ThereisneitheraValidationSysteminplace,norsampletestvectorspublishedbyCAVPforthePBKDFalgorithm,asofJanuary2017.

Table10–ModulePower-OnSelf-Tests

Test DescriptionECCKAS(FullUnified,FullMQV)ConditionalPair-WiseConsistencySelf-Test

TheECCKASimplementationprovidesbuilt-inassurance(verification)ofthearithmeticvalidityofeachnewlygeneratedkeypairbyperformingapair-wiseconsistencyself-testwherethekeypairisusedinconjunctionwithasecondnewlygeneratedcompatiblekeypairtocalculatesharedvaluesforbothsidesofthekeyagreementalgorithmsuchthatiftheresultingsharedvaluesarenotequaltheself-testfails.EveryinvocationofECCKASinvolves(withintheclassconstructors)averificationofthearithmeticvalidityoftheselectedsetofECCdomainparameters(Reference[15],Section5.5.2).TheECCKASimplementationperformsafullECCpublickeyvalidationeachtimesuchakeyisbeingusedwhereeachsideverifiesbothownandoppositestaticpublickeys,eachsideverifiesoppositeside’sephemeralpublickey(Reference[15],Section5.6.2).Also,duringkeyagreement,eachsiderenewsitsassuranceofpossessingthecorrectprivatekeybyusingtheKeyRegenerationmethod(Reference[15],Section5.6.3),whiletheephemeral(generated)privatekeyissubjectedtotheconstraintsspecifiedinReference[15],Section5.6.1.2.


Page41of44

Test DescriptionECDSAConditionalPair-WiseConsistencySelf-Test

TheECDSAimplementationprovidesbuilt-inassurance(verification)ofthearithmeticvalidityofeachnewlygeneratedkeypairbyperformingapair-wiseconsistencyself-testwherethekeypairisusedtogenerateandverifyadigitalsignaturesuchthatifthedigitalsignaturecannotbeverifiedtheself-testfails.EveryinvocationofECDSAinvolves(withintheclassconstructors)averificationofthearithmeticvalidityoftheselectedsetofECCdomainparameters.TheECDSAimplementationperformsanECCpublickeyvalidationeachtimesuchakeyisusedduringdigitalsignaturegenerationandverification.

Table11–ModuleConditionalSelf-Tests

2.9.1. InvokingSelf-TestsTheCryptographicOfficeroperatorinvokesthePOSTautomaticallybyloadingtheModule.DuringloadtheoperationalenvironmentexecutesthefollowingModuleDefaultEntryPoint(DEP)automatically,whichinvokestheself-tests.TheModuledoesnotrelyonanyotherexternalservicetoinitiatethePOSTandalldataoutputviathedataoutputinterfaceisinhibitedwhenthePOSTisperformed.ThePOSTmaybeinvokedautomaticallyatanytimebypower-cyclingtheoperationalenvironmentandreloadingtheModule.

DynamicLinkLibrary(DLL)DefaultEntryPoint

BOOL APIENTRY DLLMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)

SharedObject(SO)DefaultEntryPoint void __attribute__((constructor)) runModulePOST(void)

2.9.2. Self-TestsResultsUponsuccessfulself-testcompletion,theModulewillcompleteitsinitializationandtransitiontotheidleoperationalstate.SubsequentModuleself-testsareexercisedautomaticallywhenanySuiteBcryptographicalgorithmsarecalledbytheoperator,eitherforcommunicationsencryption/decryption,dataencryption/decryption,and/orduringkeyestablishment.IntheeventtheSoftwareIntegrityand/orKATself-testfail,theModulewillnotcompleteloadingandwilltransitiontotheerrorstateandaspecificerrorcodewillbereturnedindicatingwhichself-testhasfailed.TheModulewillnotprovideanycryptographicserviceswhileinthiserrorstate.Recoveryfromtheerrorstateispossiblebypower-cyclingtheoperationalenvironmentandreloadingtheModule.

Self-Test ErrorCodeSoftwareIntegrity 441,444GCMEncrypt 2100+TestCountGCMDecrypt 2200+TestCountSHA 2300+TestCountHMAC 2400+TestCount


Page42of44

Self-Test ErrorCodeECDSAKey 2800+TestCountECDSASigGen 3300+TestCountECDSASigVer 3400+TestCountKASFullUnified 2500+TestCount(combinedindicator

oftheECtypeandfailingsub-test)KASFullMQV 3000+TestCountXTSEncrypt 2600+TestCountXTSDecrypt 2700+TestCountKWEncrypt 3100+TestCountKWDecrypt 3200+TestCountKBKDF 3500+TestCount

Table12–ModuleSelf-TestErrorCodes

2.10. DesignAssuranceTheModulemeetstherequirementsoftheFIPS140-2SecurityLevel1specificationandprovidesthefollowingCryptographicOfficerguidanceandUserguidance.TheCryptographicOfficerisresponsibleformanuallyinstallingtheModuleontheoperationalenvironmentandensuringFIPSmodeofoperationasdescribedinSection2.1.2.Also,theCryptographicOfficerisresponsibleforinitializingtheModulecausingthePOSTtorunautomaticallyasdescribedinSection2.9.TheUseroperatorisresponsibleforconfiningmethodcallstoonlyFIPS140-2approvedsecurityfunctionsaslistedinTable2whencallingtheModuleAPIaswellasconfiningmethodcallstoaFIPS140-2approvedDRBGfromtheoperationalenvironmentaslistedinSection2.6.

2.11. MitigationofOtherAttacksTheModulehasnotbeendesignedtomitigateanyspecificattacksoutsidethescopeoftheFIPS140-2requirements.TheModuleresideswithinaFIPS140-2operationalenvironment,whichprovidesanadditionallayerofprotectiontoattacksoftheModule.


Page43of44

3. ReferencedDocuments[1] FIPSPublication197,TheAdvancedEncryptionStandard(AES),U.S.DoC/NIST,November26,2001,

NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

[2] NISTSpecialPublication800-38A,RecommendationforBlockCipherModesofOperation:MethodsandTechniques,December2001,[Webpage],http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

[3] NISTSpecialPublication800-38B,RecommendationforBlockCipherModesofOperation:TheCMACModeforAuthentication,May2005,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf

[4] NISTSpecialPublication800-38D,RecommendationforBlockCipherModesofOperation:Galois/CounterMode(GCM)andGMAC,November2007,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

[5] NISTSpecialPublication800-38E,RecommendationforBlockCipherModesofOperation:theXTS-AESModeforConfidentialityonStorageDevices,January2010,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf

[6] NISTSpecialPublication800-38F,RecommendationforBlockCipherModesofOperation:MethodsofKeyWrapping,December2012,NationalInstituteofStandardsandTechnology,[Webpage],http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf

[7] RFC5649,AdvancedEncryptionStandard(AES)KeyWrapwithPaddingAlgorithm,August2009,NetworkWorkingGroup,[Webpage],https://tools.ietf.org/html/rfc5649

[8] FIPSPublication180-4,SecureHashStandard(SHS),August2015,NationalInstituteofStandardsandTechnology,[Webpage],http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

[9] FIPSPublication198-1,TheKeyed-HashMessageAuthenticationCode(HMAC),July2008,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf

[10] NISTSpecialPublication800-108,RecommendationforKeyDerivationUsingPseudorandomFunctions,October2009,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf

[11] NISTSpecialPublication800-132,RecommendationforPassword-BasedKeyDerivation,December2010,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

[12] FIPSPublication186-4,DigitalSignatureStandard(DSS),July2013,NationalInstituteofStandardsandTechnology,[Webpage],http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

[13] ANSX9.62-2005:PublicKeyCryptographyfortheFinancialServicesIndustry:TheEllipticCurveDigitalSignatureAlgorithm(ECDSA),November2005

[14] NISTSpecialPublication800-131A,Transitions:RecommendationforTransitioningtheUseofCryptographicAlgorithmsandKeyLengths,January2011,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

[15] NISTSpecialPublication800-56A,RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography,Revision2,May2013,NationalInstituteofStandardsandTechnology,[Webpage],http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf

[16] TheAdvancedEncryptionStandardAlgorithmValidationSuite(AESAVS),November15,2002,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/aes/AESAVS.pdf


Page44of44

[17] TheCMACValidationSystem(CMACVS),UpdatedAugust23,2011,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/mac/CMACVS.pdf

[18] TheGalois/CounterMode(GCM)andGMACValidationSystem(GCMVS),NationalInstituteofStandardsandTechnology,Updated:August30,2012,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmvs.pdf

[19] TheXTS-AESValidationSystem(XTSVS),Updated:September5,2013,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf

[20] TheKeyWrapValidationSystem(KWVS),June20,2014,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/mac/KWVS.pdf

[21] TheSecureHashAlgorithmValidationSystem(SHAVS),Updated:May21,2014,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf

[22] TheKeyed-HashMessageAuthenticationCodeValidationSystem(HMACVS),Updated:July23,2012,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/mac/HMACVS.pdf

[23] KeyDerivationusingPseudorandomFunctions(SP800-108)ValidationSystem(KBKDFVS),UpdatedJanuary4,2016,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/KBKDF800-108/kbkdfvs.pdf

[24] TheFIPS186-4EllipticCurveDigitalSignatureAlgorithmValidationSystem(ECDSA2VS),Updated:March18,2014,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/dss2/ecdsa2vs.pdf

[25] TheKeyAgreementSchemesValidationSystem(KASVS),UpdatedMay22,2014,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASVS.pdf

[26] NISTSpecialPublication800-63-2,ElectronicAuthenticationGuideline,August2013,NationalInstituteofStandardsandTechnology[Webpage],http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

[27] NISTSpecialPublication800-118,GuidetoEnterprisePasswordManagement(Draft),April2009,NationalInstituteofStandardsandTechnology,[Webpage],http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf

Date post:	29-Apr-2018
Category:	Documents
Upload:	dangthuan
View:	228 times
Download:	4 times