Suite B Cryptographic Module - CSRC · KeyW Corporation Suite B Cryptographic Module FIPS 140-2...
Posted on 20-Jul-2020
KeyW Corporation | Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy | Advanced Cyber Operations Sector | KXD002

Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy

Revision: 1.2
Prepared by: KeyW Corporation, 7880 Milestone Parkway, Suite 100, Hanover, MD 21076
410-904-5200 Phone, 410-799-3479 Fax
Contents

Revision History
Acronyms
1. Introduction
1.1. Identification
1.2. Overview
1.3. FIPS 140-2 Security Levels
2. Suite B Cryptographic Module
2.1. Cryptographic Module Specification
2.1.1. Security Functions
2.1.2. Modes of Operation
2.1.3. Cryptographic Boundary
2.1.4. Determining Module Version
2.2. Cryptographic Module Ports and Interfaces
2.3. Roles, Services, and Authentication
2.3.1. Roles
2.3.2. Services
2.3.3. Authentication
2.4. Finite State Model
2.5. Physical Security
2.6. Operational Environment
2.7. Cryptographic Key Management
2.7.1. Key Zeroization
2.8. Electromagnetic Interference and Compatibility
2.9. Self-Tests
2.9.1. Invoking Self-Tests
2.9.2. Self-Tests Results
2.10. Design Assurance
2.11. Mitigation of Other Attacks
3. Referenced Documents
Tables and Figures

Table 1 – Summary of Achieved FIPS 140-2 Security Levels
Table 2 – FIPS-Approved and Vendor-Affirmed Security Functions
Table 3 – FIPS Non-Approved but Allowed Security Functions
Figure 1 – Module Cryptographic Boundary
Table 4 – Module Logical Interfaces
Table 5 – Module Services for Cryptographic Officer Role
Table 6 – Module Services for User Role
Table 7 – Module Authentication
Table 8 – Operational Environments
Table 9 – Module Cryptographic Keys and Critical Security Parameters
Table 10 – Module Power-On Self-Tests
Table 11 – Module Conditional Self-Tests
Table 12 – Module Self-Test Error Codes
Revision History

| Revision | Date | Author | Changes |
|---|---|---|---|
| 1.2 | February 9, 2017 | A. Seaman, D. Mackie, C. Constantinescu, D. Brown | Revised: Section 2.1.1, Section 2.1.1.1, Figure 1, and Table 9 |
| 1.1 | January 6, 2017 | A. Seaman, D. Mackie, C. Constantinescu, D. Brown | Added Security Functions |
| 1.0 | July 11, 2014 | R. Glenn, D. Mackie, C. Constantinescu, D. Wolff, E. Hufford | Initial Release |
Acronyms

AAD: Additional Authentication Data
AES: Advanced Encryption Standard
AESAVS: Advanced Encryption Standard Algorithm Validation Suite
ANS: American National Standard
API: Application Programming Interface
CAVP: Cryptographic Algorithm Validation Program
CBC: Cipher Block Chaining
CDH: Cofactor Diffie-Hellman
CM: Cryptographic Module
CMAC: CBC Message Authentication Code
CMACVS: CBC Message Authentication Code Validation System
CSP: Critical Security Parameters
CT: Ciphertext
CTR: Counter
CVL: Component Validation List
DAR: Data At Rest
DEP: Default Entry Point
DIT: Data In Transit
DKM: Derived Keying Material
DLL: Dynamic Link Library
DOC: Department of Commerce
DPI: Double-Pipeline Iteration
DPK: Data Protection Key
DRBG: Deterministic Random Bit Generator
DUNS: Data Unit Sequence Number
EC: Elliptic Curve
ECB: Electronic CodeBook
ECC: Elliptic Curve Cryptography
ECDH: Elliptic Curve Diffie-Hellman
ECDSA: Elliptic Curve Digital Signature Algorithm
ECDSA2VS: Elliptic Curve Digital Signature Algorithm Validation System
EMC: Electromagnetic Compatibility
EMI: Electromagnetic Interference
FB: Feedback
FFC: Finite Field Cryptography
FIPS: Federal Information Processing Standard
FSM: Finite State Model
GCM: Galois/Counter Mode
GCMVS: Galois/Counter Mode Validation System
GMAC: Galois Message Authentication Code
GPC: General-purpose Computer
HMAC: Keyed-hash Message Authentication Code
HMACVS: Keyed-hash Message Authentication Code Validation System
I/O: Input/Output
IAW: In Accordance With
IETF: Internet Engineering Task Force
IV: Initialization Vector
KAS: Key Agreement Scheme
KASVS: Key Agreement Schemes Validation System
KAT: Known Answer Test
KBKDF: Key-Based Key Derivation Function
KBKDFVS: Key-Based Key Derivation Function Validation System
KC: Key Confirmation
KDF: Key Derivation Function
KW: Key Wrap
KWP: Key Wrap With Padding
KWVS: Key Wrap Validation System
LED: Light Emitting Diode
MAC: Message Authentication Code
MK: Master Key
MQV: Menezes-Qu-Vanstone
NIST: National Institute of Standards and Technology
OS: Operating System
PBKDF: Password-Based Key Derivation Function
PKV: Public Key Validation
POST: Power-On Self-Test
PRF: Pseudo-Random Function
PT: Plaintext
RAM: Random Access Memory
RBG: Random Bit Generator
RFC: Request For Comments
S/MIME: Secure/Multipurpose Internet Mail Extensions
SHA: Secure Hash Algorithm
SHAVS: Secure Hash Algorithm Validation System
SHS: Secure Hash Standard
SO: Shared Object
SP: Special Publication
SSL: Secure Sockets Layer
TLS: Transport Layer Security
USB: Universal Serial Bus
USSOCOM: United States Special Operations Command
VS: Validation Specification
XTS: XEX Tweakable Block Cipher with Ciphertext Stealing
XTSVS: XTS Validation System
1. Introduction
1.1. Identification
The following information identifies this document:
• Title: Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
• Version: 1.2

1.2. Overview
KeyW Corporation, in coordination with the United States Special Operations Command (USSOCOM), has developed a Federal Information Processing Standard (FIPS) 140-2 Level 1 validated, standards-based Suite B Cryptographic Module that provides an advanced layer of encrypted Data In Transit (DIT) communications and Data At Rest (DAR) encryption via an Application Programming Interface (API).

The Suite B Cryptographic Module, hereafter collectively referred to as the Module, operates as one of several layers of platform encryption. The platform encryption can be invoked automatically when the Module is initialized, providing an additional layer of encryption and obfuscation above the Module. Additional encryption at the application layer can be added by enabling S/MIME encryption on emails, content protection encryption on shared data, and SSL/TLS encryption on web traffic.

1.3. FIPS 140-2 Security Levels
The Module meets the overall requirements applicable to Level 1 security for FIPS 140-2 as shown in the table below:

| # | FIPS 140-2 Section | Level |
|---|---|---|
| 2.1 | Cryptographic Module Specification | 1 |
| 2.2 | Cryptographic Module Ports and Interfaces | 1 |
| 2.3 | Roles, Services, and Authentication | 1 |
| 2.4 | Finite State Model | 1 |
| 2.5 | Physical Security | N/A |
| 2.6 | Operational Environment | 1 |
| 2.7 | Cryptographic Key Management | 1 |
| 2.8 | EMI/EMC | 1 |
| 2.9 | Self-Tests | 1 |
| 2.10 | Design Assurance | 1 |
| 2.11 | Mitigation of Other Attacks | N/A |
| | Overall Level | 1 |

Table 1 – Summary of Achieved FIPS 140-2 Security Levels
2. Suite B Cryptographic Module
The Module meets the requirements of the FIPS 140-2 Security Level 1 specification and provides the following cryptographic services:
• Data encryption and decryption
• Key encryption and decryption
• Message digest and authentication code generation
• Digital signature generation and verification
• Elliptic curve key agreement
• Key derivation
2.1. Cryptographic Module Specification

2.1.1. Security Functions
The Module is implemented entirely in software and contains the following FIPS-approved and FIPS non-approved, but allowed security functions:
| Algorithm | Use | Specification | Mode/Key Size | CAVP Specification | CAVP Certificate |
|---|---|---|---|---|---|
| AES | Block Cipher | FIPS 197, Nov 2001 (Ref. [1]); NIST SP 800-38A, Dec 2001 (Ref. [2]) | ECB-128, ECB-192, ECB-256 | AESAVS, Nov 2002 (Ref. [16]) | #3328 |
| | | | CBC-128, CBC-192, CBC-256 | | #4312 |
| | | NIST SP 800-38B, May 2005 (Ref. [3]) | CMAC-128, CMAC-192, CMAC-256 | CMACVS, Aug 2011 (Ref. [17]) | #4312 |
| | | NIST SP 800-38D, Nov 2007 (Ref. [4]) | GCM-128, GMAC-128, GCM-192, GMAC-192, GCM-256, GMAC-256 | GCMVS, Aug 2012 (Ref. [18]) | #3328 |
| | | NIST SP 800-38E, Jan 2010 (Ref. [5]) | XTS-128, XTS-256 | XTSVS, Sep 2013 (Ref. [19]) | #3328 |
| | Key Storage | NIST SP 800-38F, Dec 2012 (Ref. [6]) | KW-128, KW-192, KW-256 | KWVS, Jun 2014 (Ref. [20]) | #3328 |
| | | IETF RFC 5649, Aug 2009 (Ref. [7]) | KWP-128, KWP-192, KWP-256 | | #3328 |
| SHA | Secure Hashing | FIPS 180-4, Aug 2015 (Ref. [8]) | SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | SHAVS, May 2014 (Ref. [21]) | #2761 |
| CMAC | Message Authentication | NIST SP 800-38B, May 2005 (Ref. [3]) | AES-128, AES-192, AES-256 | CMACVS, Aug 2011 (Ref. [17]) | #4312 |
| GMAC | Message Authentication | NIST SP 800-38D, Nov 2007 (Ref. [4]) | AES-128, AES-192, AES-256 | GCMVS, Aug 2012 (Ref. [18]) | #3328 |
| HMAC | Message Authentication | FIPS 198-1, July 2008 (Ref. [9]) | SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | HMACVS, July 2012 (Ref. [22]) | #2119 |
| ECDSA | Digital Signature. Per NIST SP 800-131A, P-192 and SHA-1 are no longer considered secure and shall not be used to generate digital signatures (Ref. [14]). | FIPS 186-4, July 2013 (Ref. [12]) | P-192, P-224, P-256, P-384, P-521, each with SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | ECDSA2VS, Mar 2014 (Ref. [24]) | #657 |
| ECC KAS | Key Establishment | NIST SP 800-56A Rev 2, May 2013 (Ref. [15]) | Full Unified KC: EB (P-224, SHA-224), EC (P-256, SHA-256), ED (P-384, SHA-384), EE (P-521, SHA-512); Full MQV KC: EB (P-224, SHA-224), EC (P-256, SHA-256), ED (P-384, SHA-384), EE (P-521, SHA-512) | KASVS, May 2014 (Ref. [25]) | #55 |
| ECC CDH Primitive | Shared Secret Establishment | NIST SP 800-56A Rev 2, May 2013 (Ref. [15], Section 5.7.1.2) | P-224, P-256, P-384, P-521 | KASVS, May 2014 (Ref. [25]) | #484 (CVL) |
| KBKDF-CMAC | Key Derivation | NIST SP 800-108, Oct 2009 (Ref. [10]) | CTR, FB, DPI, each with CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | KBKDFVS, Jan 2016 (Ref. [23]) | #116 |
| KBKDF-HMAC | Key Derivation | NIST SP 800-108, Oct 2009 (Ref. [10]) | CTR, FB, DPI, each with HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | KBKDFVS, Jan 2016 (Ref. [23]) | #116 |
| PBKDF | Key Derivation | NIST SP 800-132, Dec 2010 (Ref. [11]) | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | VS not yet available as of Jan. 2017 | Vendor-Affirmed. See Section 2.1.1.1. |

Table 2 – FIPS-Approved and Vendor-Affirmed Security Functions

| Algorithm | Use | Specification | Mode/Key Size | CAVP Specification | CAVP Certificate |
|---|---|---|---|---|---|
| N/A | N/A | N/A | N/A | N/A | N/A |

Table 3 – FIPS Non-Approved but Allowed Security Functions
2.1.1.1. NIST SP 800-132 Password-Based Key Derivation Function (PBKDF)
Per NIST SP 800-132, Recommendation for Password-Based Key Derivation, December 2010 (Reference [11]), the calling application is responsible for selecting which option is used to derive the Data Protection Key (DPK) from the Master Key, and shall only use keys derived from passwords in storage applications. The Module API restricts the calling application to selecting a password/passphrase that is at least 10 characters long, in accordance with the guidelines in NIST SP 800-63-2, Electronic Authentication Guideline, August 2013 (Reference [26]) and NIST SP 800-118, Guide to Enterprise Password Management (Draft), April 2009 (Reference [27]). Acceptable values of other parameters used in key derivation are detailed below.

PROTOTYPE:

```c
t_STATUS PBKDF(U8 *MK, U32 MKbytes, const U8 *Pswd, U32 Pbytes,
               const U8 *Salt, U32 Sbytes, U32 Icount);
```

ARGUMENTS:
  MK = pointer to a byte string representing the output (derived) master key
  MKbytes = length of derived master key, in bytes
  Pswd = input password, a byte string
  Pbytes = password length (at least 10 bytes)
  Salt = input diversification value, a byte string
  Sbytes = Salt length (at least 16 bytes)
  Icount = a large iteration count (determines how many HMAC iterations are used to generate one block of the MK)

RETURNS:
  SUCCESS if all input parameters are valid
  FAILURE otherwise

LIMITATIONS:
  MKbytes >= 14
  Pbytes >= 10
  Sbytes >= 16
  Icount >= 1000
  The Counter value should fit into one byte (i.e. MKbytes/DigestLenB < 256)

DESCRIPTION: Implements the Password-Based Key Derivation Function (PBKDF), IAW NIST SP 800-132 (Reference [11]). An appropriate SHA environment (SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512) must be selected in advance using SHA_TypeSelect(). There is neither a Validation System in place, nor sample test vectors published by CAVP for the PBKDF algorithm, as of January 2017.
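The derivation and parameter checks described above, as an added example that is not the KeyW Module's code: a Python rendering of the SP 800-132 PBKDF (the PBKDF2 construction, so it can be cross-checked against hashlib) with the prototype's LIMITATIONS enforced. The mapping of SHA_TypeSelect() names to hashlib digests, the 4-byte big-endian block counter INT(i) and the ceil() reading of the one-byte counter limit are assumptions taken from SP 800-132 / RFC 8018, not from the security policy text.

```python
"""SP 800-132 PBKDF with the KeyW prototype's LIMITATIONS enforced.

Added example, not the Module's code. Assumptions: SHA type names map to
hashlib digests as below; the block counter INT(i) is 4-byte big-endian
(RFC 8018); the one-byte counter limit is read as ceil(MKbytes/DigestLenB) <= 255.
"""
import hashlib
import hmac

# LIMITATIONS quoted from the PBKDF prototype in Section 2.1.1.1.
MIN_MK_BYTES = 14
MIN_PASSWORD_BYTES = 10
MIN_SALT_BYTES = 16
MIN_ITERATIONS = 1000
MAX_BLOCKS = 255          # "the Counter value should fit into one byte"

# SHA environments SHA_TypeSelect() may choose; hashlib names are an assumed mapping.
SHA_TYPES = {"SHA-1": "sha1", "SHA-224": "sha224", "SHA-256": "sha256",
             "SHA-384": "sha384", "SHA-512": "sha512"}


def check_pbkdf_params(mk_bytes, pswd, salt, icount, sha_type="SHA-256"):
    """Apply the prototype's LIMITATIONS before any HMAC work is done.
    Returns (True, None) for SUCCESS or (False, reason) for FAILURE,
    mirroring the t_STATUS return of the prototype."""
    if sha_type not in SHA_TYPES:
        return False, "unsupported SHA type; select one via SHA_TypeSelect()"
    if mk_bytes < MIN_MK_BYTES:
        return False, "MKbytes must be >= 14"
    if len(pswd) < MIN_PASSWORD_BYTES:
        return False, "Pbytes must be >= 10"
    if len(salt) < MIN_SALT_BYTES:
        return False, "Sbytes must be >= 16"
    if icount < MIN_ITERATIONS:
        return False, "Icount must be >= 1000"
    hlen = hashlib.new(SHA_TYPES[sha_type]).digest_size       # DigestLenB
    if -(-mk_bytes // hlen) > MAX_BLOCKS:                      # ceil(MKbytes / DigestLenB)
        return False, "block counter does not fit in one byte"
    return True, None


def pbkdf(pswd, salt, icount, mk_bytes, sha_type="SHA-256"):
    """MK = T_1 || T_2 || ... truncated to mk_bytes, where
    T_i = U_1 xor U_2 xor ... xor U_c,
    U_1 = HMAC(P, S || INT(i)), U_j = HMAC(P, U_{j-1}).
    Raises ValueError where the prototype would return FAILURE."""
    ok, reason = check_pbkdf_params(mk_bytes, pswd, salt, icount, sha_type)
    if not ok:
        raise ValueError(reason)
    digest = SHA_TYPES[sha_type]
    hlen = hashlib.new(digest).digest_size
    mk = bytearray()
    for i in range(1, -(-mk_bytes // hlen) + 1):
        u = hmac.new(pswd, salt + i.to_bytes(4, "big"), digest).digest()
        t = bytearray(u)
        for _ in range(icount - 1):
            u = hmac.new(pswd, u, digest).digest()
            t = bytearray(x ^ y for x, y in zip(t, u))
        mk += t
    return bytes(mk[:mk_bytes])


def matches_reference(pswd, salt, icount, mk_bytes, sha_type="SHA-256"):
    """Cross-check against Python's own PBKDF2-HMAC, which is the same
    construction SP 800-132 specifies (CAVP had no PBKDF vectors to use)."""
    ref = hashlib.pbkdf2_hmac(SHA_TYPES[sha_type], pswd, salt, icount, mk_bytes)
    return pbkdf(pswd, salt, icount, mk_bytes, sha_type) == ref


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the security policy).
    pw, salt = b"correct horse battery", b"0123456789abcdef"
    print(pbkdf(pw, salt, 1000, 32).hex(), matches_reference(pw, salt, 1000, 32))
```

A salt shorter than 16 bytes, a password under 10 bytes or fewer than 1000 iterations are rejected before derivation starts, which is the behaviour the prototype's FAILURE return describes.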
2.1.2. Modes of Operation
The Module must be installed manually on the FIPS 140-2 certified operational environment listed in Section 2.6, and once installed it runs all algorithms in FIPS-approved mode, since it is explicitly compiled to run only in FIPS-approved mode. There are no algorithms or "expanded" cryptographic modes within the Module that are not FIPS-approved as listed in Table 2 when calling security functions in the Module API.

The operational environment on which the Module runs shall be configured for FIPS mode when using a FIPS-approved platform-provided Deterministic Random Bit Generator (DRBG) in the following ways:
• Windows Server OS: Enable the FIPS compliant algorithms mode via the Local Security Policy to guarantee the Module generates FIPS-validated random bytes.
• BlackBerry OS: The Module confines its method calls to only those that have been FIPS-approved to guarantee generating FIPS-validated random bytes.

2.1.3. Cryptographic Boundary
The physical boundary of the Module is the physical boundary of the operational environment hardware device that executes the Module, as shown in the following figure. The figure depicts a FIPS-approved DRBG that is provided by the operational environment cryptographic Module listed in Section 2.6; the Module is therefore bound to either the Windows Server OS cryptographic Module or the BlackBerry OS cryptographic Module.
Figure1–ModuleCryptographicBoundary
2.1.4. Determining Module Version
The operator may determine the version of the Module by performing the following steps:

Dynamic Link Library (DLL) Module Version
1. On Windows, right-click the KEYWcryptoModule.dll file and select view Properties
2. Select Details tab
3. The File version property displays the KEYWcryptoModule version as v3.0.0.0

Shared Object (SO) Module Version
1. On BlackBerry, run the following console command:
   objdump -p libKEYWcryptoModule.so.3 | grep SONAME
2. The console displays the KEYWcryptoModule version as v3
2.2. Cryptographic Module Ports and Interfaces
The Module ports correspond to the physical ports of the operational environment hardware device that executes the Module:
• USB devices [keyboard and mouse]
• Video devices [monitors, screens, camera, and LED]
• Optical drives
• Audio devices [speakers, headset, and microphone]
• Network devices [Ethernet and Wireless adapters]
• Battery and power adapter

The Module interfaces correspond to the Module API, which does not interface across any of the physical ports of the operational environment. The following table describes the Module logical interfaces.

| FIPS 140-2 Interface | Logical Interface |
|---|---|
| Data Input | Input parameters of Module constructors and function calls. |
| Data Output | Output parameters of Module function calls and return values. |
| Control Input | Module function calls. |
| Status Output | Return codes of Module function calls. |

Table 4 – Module Logical Interfaces
2.3. Roles, Services, and Authentication

2.3.1. Roles
The Module supports a Cryptographic Officer and a User role. The Module does not support a maintenance role. The Module does not support multiple or concurrent operators and is intended for use by a single operator; thus it always operates in a single-user mode of operation.
2.3.2. Services
The services described in the following tables are available to the operator roles:

Cryptographic Officer Role

| Service | Description | Input/Output | Return |
|---|---|---|---|
| Load Module | Performs Module initialization implicitly by the operational environment. | [in]: DLL/SO binary path; [out]: VOID | Pass/Fail |
| Power-On Self-Test (POST) | Performs software integrity and cryptographic self-tests implicitly upon Module load. | [in]: DLL/SO binary path, DLL/SO checksum path; [out]: VOID | Pass/Fail |
| Zeroize | Performs HMAC Integrity Checksum and Key zeroization implicitly after Module POST pass/fail. The HMAC Integrity Checksum and Key may also be zeroized by power-cycling the operational environment and reloading the Module. | [in]: HMAC Integrity Checksum, HMAC Integrity Check Key; [out]: VOID | VOID |
| Unload Module | Performs Module destruction implicitly by the operational environment. | [in]: VOID; [out]: VOID | VOID |

Table 5 – Module Services for Cryptographic Officer Role

User Role

| Object | Service | Description | Input/Output | Return |
|---|---|---|---|---|
| CM | RunSelfTests | Performs cryptographic self-tests for the Module. | [in]: VOID; [out]: VOID | Pass/Fail |
| CM | ShowTitle | Gets title info for the Module. | [in]: VOID; [out]: VOID | Title Info |
| CM | VersionInfo | Gets version info for the Module. | [in]: VOID; [out]: VOID | Version Info |
| CM | SelfTestsDuration | Gets cryptographic self-tests duration for the Module. | [in]: VOID; [out]: VOID | Duration |
| AES | Construct | Constructs an AES object. | [in]: AES bit mode, AES key; [out]: VOID | AES object |
| AES | CheckEncrypt/DecryptTables | Verifies integrity of encryption/decryption tables. | [in]: VOID; [out]: VOID | Pass/Fail |
| AES | ReKey | Rekeys an AES object with alternate AES key. | [in]: AES bit mode, AES key; [out]: VOID | Pass/Fail |
| AES | ECBEncrypt | Encrypts PT data. | [in]: PT buffer, PT block length; [out]: CT buffer | VOID |
| AES | ECBDecrypt | Decrypts CT data. | [in]: CT buffer, PT block length; [out]: PT buffer | VOID |
| AES | CBCEncrypt | Encrypts PT data. | [in]: PT buffer, IV, PT block length; [out]: CT buffer | VOID |
| AES | CBCDecrypt | Decrypts CT data. | [in]: CT buffer, IV, PT block length; [out]: PT buffer | VOID |
| AES | CMACGenerate | Generates a Message Authentication Code (MAC). | [in]: PT data, PT length; [out]: CMAC buffer, CMAC length | VOID |
| AES | KeyWrapEncrypt | Encrypts PT keys. | [in]: PT key buffer, PT length, Inverse cipher flag; [out]: CT key buffer | VOID |
| AES | KeyWrapDecrypt | Decrypts CT keys. | [in]: CT key buffer, CT length, Inverse cipher flag; [out]: PT key buffer | Pass/Fail |
| AES | KDF CTR/FB/DPI | Generates a derived key. | [in]: Label/IV, Label length, Context, Context length, Counter length, Counter location; [out]: Derived key, Derived key length | Pass/Fail |
| AES | Destruct | Zeroizes AES key. | [in]: VOID; [out]: VOID | VOID |
| GCM | Construct | Constructs a GCM object. | [in]: AES bit mode, AES key; [out]: VOID | GCM object |
| GCM | ReKey | Rekeys a GCM object with alternate AES key. | [in]: AES bit mode, AES key; [out]: VOID | Pass/Fail |
| GCM | Encrypt | Encrypts PT data. | [in]: Tag length, IV, IV length, PT buffer, PT length, AAD, AAD length; [out]: CT buffer, Tag | Pass/Fail |
| GCM | Decrypt | Decrypts CT data. | [in]: Tag, Tag length, IV, IV length, CT buffer, CT length, AAD, AAD length; [out]: PT buffer | Pass/Fail |
| GCM | GMACEncrypt | Generates a Message Authentication Code (MAC). | [in]: Tag length, IV, IV length, AAD, AAD length; [out]: Tag | Pass/Fail |
| GCM | GMACDecrypt | Validates a Message Authentication Code (MAC). | [in]: Tag, Tag length, IV, IV length, AAD, AAD length; [out]: VOID | Pass/Fail |
| GCM | GCMDestruct | Zeroizes AES key and hash key table. | [in]: VOID; [out]: VOID | VOID |
| XTS | Construct | Constructs an XTS object. | [in]: AES bit mode, ECB key, Tweak key, DUNS or Tweak value; [out]: VOID | XTS object |
| XTS | ReKey | Rekeys an XTS object with alternate AES key. | [in]: AES bit mode, ECB key, Tweak key, DUNS or Tweak value; [out]: VOID | Pass/Fail |
| XTS | Encrypt | Encrypts PT data. | [in]: AES bit mode, PT buffer, Sector bit length, ECB key, Tweak key, DUNS or Tweak value; [out]: CT buffer | Pass/Fail |
| XTS | Decrypt | Decrypts CT data. | [in]: AES bit mode, CT buffer, Sector bit length, ECB key, Tweak key, DUNS or Tweak value; [out]: PT buffer | Pass/Fail |
| XTS | Destruct | Zeroizes AES key and tweak value. | [in]: VOID; [out]: VOID | VOID |
| ECC | Construct | Constructs an ECC object. | [in]: EC type, SHA type; [out]: VOID | ECC object |
| ECC | TypeSelect | Changes the EC and SHA types. | [in]: EC type, SHA type; [out]: VOID | Pass/Fail |
| ECC | CheckParams | Verifies EC parameters. | [in]: VOID; [out]: VOID | Pass/Fail |
| ECC | IsPointAffine | Determines if point is an affine coordinate. | [in]: EC Affine Point; [out]: VOID | Pass/Fail |
| ECC | IsPointValid | Determines if point has correct order. | [in]: EC Affine Point; [out]: VOID | Pass/Fail |
| ECC | Projectify | Converts affine point to projective point. | [in]: EC Affine Point; [out]: EC Projective Point | VOID |
| ECC | Affinify | Converts projective point to affine point. | [in]: EC Projective Point; [out]: EC Affine Point | Pass/Fail |
| ECC | Compress | Converts affine point to compressed point. | [in]: EC Affine Point; [out]: EC Compressed Point | VOID |
| ECC | Decompress | Converts compressed point to affine point. | [in]: EC Compressed Point; [out]: EC Affine Point | Pass/Fail |
| ECC | DoubleAffine | Doubles an affine point. | [in]: EC Affine Point; [out]: EC Affine Point | VOID |
| ECC | DoubleProjective | Doubles a projective point. | [in]: EC Projective Point; [out]: EC Projective Point | VOID |
| ECC | DoubleProjective | Doubles a projective point in-place. | [inout]: EC Projective Point | VOID |
| ECC | AddAffine | Adds affine points. | [in]: EC Affine Point, EC Affine Point; [out]: EC Affine Point | VOID |
| ECC | AddProjective | Adds projective points. | [in]: EC Projective Point, EC Projective Point; [out]: EC Projective Point | VOID |
| ECC | Multiply | Multiplies affine point by a scalar. | [in]: Scalar, EC Affine Point; [out]: EC Affine Point | Pass/Fail |
| ECC | MultiplyBase | Multiplies EC Base Point by a scalar. | [in]: Scalar; [out]: EC Affine Point | Pass/Fail |
| ECC | DoubleMultiply | Multiplies two affine points by two scalars. | [in]: Scalar, EC Affine Point, Scalar, EC Affine Point; [out]: EC Affine Point | Pass/Fail |
| ECC | ECDSAPublicKeyGen | Computes the public ECDSA key. | [in]: Private Key; [out]: EC Public Affine Point | Pass/Fail |
| ECC | ECDSASignatureGen | Computes the ECDSA signature. | [in]: Message, Message length, Private Key, Ephemeral Key; [out]: R component, S component | Pass/Fail |
| ECC | ECDSASignatureCheck | Verifies the ECDSA signature. | [in]: Message, Message length, R component, S component, EC Public Affine Point; [out]: VOID | Pass/Fail |
| ECC | ECDSASignatureCheckPrivate | Verifies the ECDSA signature. | [in]: Message, Message length, R component, S component, Private Key; [out]: VOID | Pass/Fail |
| ECC | Destruct | Zeroizes ECC buffers. | [in]: VOID; [out]: VOID | VOID |
| FFC | Construct | Constructs a FFC object. | [in]: VOID; [out]: VOID | FFC Object |
| FFC | ExtDec2Hex | Converts an extended precision ("big") number from decimal to binary (hexadecimal). | [in]: Decimal string buffer; [out]: Word buffer, Word buffer length | Pass/Fail |
| FFC | ExtHex2Dec | Converts an extended precision ("big") number from binary (hexadecimal) to decimal. | [in]: Word buffer, Word buffer length; [out]: Decimal string buffer | VOID |
| FFC | ExtCompare | Compares word buffers. | [in]: Buffer A, Buffer B, Buffer A/B length; [out]: VOID | 1: A == B; 2: A > B; 4: A < B |
| FFC | ExtMod | Reduces the a-operand modulo the n-operand. | [in]: a-operand, a length, n-operand, n length; [out]: x-operand | VOID |
| FFC | ExtAdd | Multi-precision Add routine for unsigned integers. | [in]: a-operand, b-operand, a/b/x length; [out]: x-operand | Final carry bit |
| FFC | ExtAdd | Multi-precision Add routine for unsigned integers. | [in]: b-operand, b/x length; [inout]: x-operand | Final carry bit |
| FFC | ExtSubtract | Multi-precision Subtract routine for unsigned integers. | [in]: a-operand, b-operand, a/b/x length; [out]: x-operand | Final borrow bit |
| FFC | ExtSubtract | Multi-precision Subtract routine for unsigned integers. | [in]: b-operand, b/x length; [inout]: x-operand | Final borrow bit |
| FFC | ExtAddImmed | Multi-precision Add routine of a single-precision, signed integer to a multi-precision unsigned integer. | [in]: b-operand, b/x length; [inout]: x-operand | Final carry |
| FFC | ExtModAdd | Multi-precision modular Add routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, a/b/n/x length; [out]: x-operand | VOID |
| FFC | ExtModAdd | Multi-precision modular Add routine for unsigned integers. | [in]: b-operand, n-operand, b/n/x length; [inout]: x-operand | VOID |
| FFC | ExtModSubtract | Multi-precision modular Subtract routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, a/b/n/x length; [out]: x-operand | VOID |
| FFC | ExtModSubtract | Multi-precision modular Subtract routine for unsigned integers. | [in]: b-operand, n-operand, b/n/x length; [inout]: x-operand | VOID |
| FFC | ExtModAddImmed | Modular Add routine of a single-precision, signed integer to a multi-precision unsigned integer. | [in]: b-operand, n-operand, b/n/x length; [inout]: x-operand | VOID |
| FFC | ExtShiftLeft | Multi-precision 1-bit Left Shift routine for unsigned integers. | [in]: a-operand, Carry bit, a/x length; [inout]: x-operand | Final carry |
| FFC | ExtShiftLeft | Multi-precision 1-bit Left Shift routine for unsigned integers. | [in]: x length; [inout]: x-operand | Final carry |
| FFC | ExtModShiftLeft | Performs a modular addition of a long number to itself. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| FFC | ExtModShiftLeft | Performs a modular addition of a long number to itself. | [in]: n-operand, n/x length; [inout]: x-operand | VOID |
| FFC | ExtShiftRight | Multi-precision 1-bit Right Shift routine for unsigned integers. | [in]: a-operand, a/x length; [out]: x-operand | VOID |
| FFC | ExtShiftRight | Multi-precision 1-bit Right Shift routine for unsigned integers. | [in]: x length; [inout]: x-operand | VOID |
| FFC | ExtModShiftRight | Multi-precision modular divide-by-2 routine for unsigned integers. | [in]: n-operand, n/x length; [inout]: x-operand | VOID |
| FFC | ExtShiftVar | Multi-precision, multi-bit Left or Right Shift routine for unsigned integers. | [in]: a-operand, signed shift count, a/x length; [out]: x-operand | VOID |
| FFC | ExtShiftVar | Multi-precision, multi-bit Left or Right Shift routine for unsigned integers. | [in]: signed shift count, x length; [inout]: x-operand | VOID |
| FFC | ExtBinModInverse | Performs modular inversion 1/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| FFC | ExtBinModDivide | Performs modular division b/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: b-operand, a-operand, n-operand, b/a/n length; [out]: ba-dividend-result | VOID |
| FFC | ExtBinModInversev2 | Performs modular inversion 1/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| FFC | ExtMultiply | Multi-precision multiplication routine for unsigned integers of the same size. | [in]: a-operand, b-operand, a/b/x length; [out]: x-operand | VOID |
| FFC | ExtMultiply | Multi-precision multiplication routine for unsigned integers of different sizes. | [in]: a-operand, a length, b-operand, b length; [out]: x-operand | VOID |
| FFC | ExtModMultiply | Multi-precision modular Multiply routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, a/b/n/x length; [out]: x-operand | VOID |
| FFC | ExtSquare | Multi-precision squaring routine for unsigned integers. | [in]: a-operand, a length; [out]: x-operand | VOID |
| FFC | ExtModSquare | Multi-precision modular squaring routine for unsigned integers. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| FFC | ExtDivide | Multi-precision division routine for unsigned integers. | [in]: a-operand, a length, n-operand, n length; [out]: q-operand, r-operand | VOID |
| FFC | ExtModInverse | Performs modular inversion 1/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| FFC | ExtModDivide | Performs modular division b/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: b-operand, a-operand, n-operand, b/a/n length; [out]: ba-dividend-result | VOID |
| FFC | ExtSqrt | Multi-precision square-root routine for unsigned integers. | [in]: a-operand, a length; [out]: sqrt-result | Pass/Fail |
| FFC | ExtSqrtv0 | Multi-precision square-root routine for unsigned integers. | [in]: a-operand, a length; [out]: sqrt-result | Pass/Fail |
| FFC | ExtSqrtv1 | Multi-precision square-root routine for unsigned integers. | [in]: a-operand, a length; [out]: sqrt-result | Pass/Fail |
| FFC | Findn0Prime | Computes the Montgomery arithmetic parameter n0'. | [in]: LSW of modulus; [out]: VOID | Montgomery arithmetic parameter |
| FFC | MontImagev0 | Computes the Montgomery Image (aM) of an unsigned integer a with respect to a modulus n. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| FFC | MontImage | Computes the Montgomery Image (aM) of an unsigned integer a with respect to a modulus n. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| FFC | MontProd | Multi-precision Montgomery Product routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, LSW of modulus, a/b/n/x length; [out]: x-operand | VOID |
| FFC | MontSquare | Multi-precision Montgomery Squaring routine for unsigned integers. | [in]: a-operand, n-operand, LSW of modulus, a/n/x length; [out]: x-operand | VOID |
| FFC | RevMontImage | Converts a multi-precision integer from Montgomery representation to binary (normal) representation. | [in]: a-operand, n-operand, LSW of modulus, a/n/x length; [out]: x-operand | VOID |
| FFC | MontExp | Multi-precision Montgomery Exponentiation routine for unsigned integers. | [in]: b-operand, e-operand, e length, n-operand, b/n length; [out]: x-operand | VOID |
| FFC | MontModInverse | Computes a_inv = 1/aop (mod nop) using Fermat's Little Theorem. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| FFC | MontModSqrt | Computes the square root of a multi-precision operand (a) modulo a prime modulus (n). | [in]: a-operand, n-operand, a/n length; [out]: a-sqrt-result | Pass/Fail |
| FFC | Barrett | Calculates the modulus- | [in]: n-operand, n/x length | VOID |
Page22of44
UserRoleService Description Input/Output Return
Inverse dependentquantity. [out]:x-operandBarrettModMultiply
Multi-precisionmodularmultiplicationroutineforunsignedintegers.
[in]:a-operand,b-operand,n-operand,u-operand,a/b/n/xlength[out]:x-operand
VOID
BarrettExp Multi-precisionexponentiationroutineforunsignedintegers.
[in]:b-operand,e-operand,elength,n-operand,u-operand,b/nlength[out]:x-operand
VOID
BarrettModInverse
Computesa_inv=1/aop(modnop)usingFermat'sLittleTheorem.
[in]:a-operand,n-operand,a/nlength[out]:a-inverse-result
VOID
BarrettModSqrt
Computesthesquarerootofamulti-precisionoperand(a)moduloaprimemodulus(n).
[in]:a-operand,n-operand,a/nlength[out]:a-sqrt-result
Pass/Fail
ProbabModSqrt
Generalprobabilisticalgorithmtocomputethesquarerootmoduloaprimenumber.
[in]:a-operand,n-operand,a/nlength[out]:a-sqrt-result
Pass/Fail
ProbabModSqrtv2
Generalprobabilisticalgorithmtocomputethesquarerootmoduloaprimenumber.
[in]:a-operand,n-operand,a/nlength[out]:a-sqrt-result
Pass/Fail
ProbabModSqrtv1
Generalprobabilisticalgorithmtocomputethesquarerootmoduloaprimenumber.
[in]:a-operand,n-operand,a/nlength[out]:a-sqrt-result
Pass/Fail
ProbabModSqrtv0
Generalprobabilisticalgorithmtocomputethesquarerootmoduloaprimenumber.
[in]:a-operand,n-operand,a/nlength[out]:a-sqrt-result
Pass/Fail
JacobiSymbol ComputestheJacobisymbolforanintegeraandanoddmodulusn
[in]:a-operand,n-operand,a/nlength[out]:VOID
1ifainQR(n),else-1/0
Destruct DestructstheFFCobject. [in]:VOID[out]:VOID
VOID
KASECC
Construct ConstructsaKASECCobject. [in]:KAStype,initiatorid,responderid,algorithmid,MACkeylength,MACtaglength[out]:VOID
KASECCobject
TypeSelect ChangestheKAStype. [in]:KAStype,initiatorid,responderid,algorithmid,MACkeylength,MACtaglength
Pass/Fail
KeyWCorporation SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicyAdvancedCyberOperationsSector KXD002
Page23of44
UserRoleService Description Input/Output Return
[out]:VOIDECDHInit1 ComputesPhase1ofFull
UnifiedModeloninitiatorside.
[in]:Initiatorephemeralprivatekey[out]:Initiatorephemeralpublickey
Pass/Fail
ECDHResp1 ComputesPhase1ofFullUnifiedModelonresponderside.
[in]:Responderstaticprivatekey,Responderstaticpublickey,Responderephemeralprivatekey,Initiatorstaticpublickey,Initiatorephemeralpublickey,Nonce[out]:Responderephemeralpublickey,MACkey,AESinitiator/responderkeys,ResponderMACtag
Pass/Fail
ECDHInit2 ComputesPhase2ofFullUnifiedModeloninitiatorside.
[in]:Initiatorstaticprivatekey,Initiatorstaticpublickey,Initiatorephemeralprivatekey,Initiatorephemeralpublickey,Nonce,Responderstaticpublickey,Responderephemeralpublickey,ResponderMACtag,[out]:AESinitiator/responderkeys,InitiatorMACtag
Pass/Fail
ECDHResp2 ComputesPhase2ofFullUnifiedModelonresponderside.
[in]:Responderephemeralpublickey,MACkey,Initiatorephemeralpublickey,InitiatorMACtag[out]:VOID
Pass/Fail
MQVPrimitive
ComputesthefullformoftheECCMQVprimitive.
[in]:Initiatorstaticprivatekey,Initiatorephemeralprivatekey,Initiatorephemeralpublickey,Responderstaticpublickey,Responderephemeralpublickey[out]:Sharedsecret
Pass/Fail
MQVInit1 ComputesPhase1ofFullMQVModeloninitiatorside.
[in]:Initiatorephemeralprivatekey[out]:Initiatorephemeralpublickey
Pass/Fail
MQVResp1 ComputesPhase1ofFullMQVModelonresponderside.
[in]:Responderstaticprivatekey,Responderstaticpublickey,Responderephemeralprivatekey,Initiatorstatic
Pass/Fail
KeyWCorporation SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicyAdvancedCyberOperationsSector KXD002
Page24of44
UserRoleService Description Input/Output Return
publickey,Initiatorephemeralpublickey,Nonce[out]:Responderephemeralpublickey,MACkey,AESinitiator/responderkeys,ResponderMACtag
MQVInit2 ComputesPhase2ofFullMQVModeloninitiatorside.
[in]:Initiatorstaticprivatekey,Initiatorstaticpublickey,Initiatorephemeralprivatekey,Initiatorephemeralpublickey,Nonce,Responderstaticpublickey,Responderephemeralpublickey,ResponderMACtag,[out]:AESinitiator/responderkeys,InitiatorMACtag
Pass/Fail
MQVResp2 ComputesPhase2ofFullMQVModelonresponderside.
[in]:Responderephemeralpublickey,MACkey,Initiatorephemeralpublickey,InitiatorMACtag[out]:VOID
Pass/Fail
Destruct DestructstheKASECCobject. [in]:VOID[out]:VOID
VOID
SHA Construct ConstructsaSHAobject. [in]:SHAtype[out]:VOID
SHAobject
TypeSelect ChangestheSHAtype. [in]:SHAtype[out]:VOID
Pass/Fail
ProcMessage Generatesamessagedigest. [in]:Message,Messagelength[out]:Digest
VOID
ProcMessage Generatesamessagedigest. [in]:SHAtype,Message,Messagelength[out]:Digest
VOID
ProcInit Initializesfirstmessagedigestsegment.
[in]:Message,Messagelength[out]:VOID
VOID
ProcInit Initializesfirstmessagedigestsegment.
[in]:SHAtype,Message,Messagelength[out]:VOID
VOID
ProcUpdate Updatesmiddlesegmentmessagedigestsegment.
[in]:Message,Messagelength[out]:VOID
VOID
ProcFinal Generatesfinalmessagedigest.
[in]:Message,Messagelength[out]:Digest
VOID
160ProcMessage
Generatesamessagedigest. [in]:Message,Messagelength,SHAmode[out]:Digest
VOID
HMACProc GeneratesaKeyed-Hash [in]:Message,Message VOID
KeyWCorporation SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicyAdvancedCyberOperationsSector KXD002
Page25of44
UserRoleService Description Input/Output Return
Message MessageAuthenticationCode(HMAC)digest.
length,key,keylength[out]:Digest
HMACProcMessage
GeneratesaHMACtag. [in]:Message,Messagelength,key,keylength[out]:MACtag,MACtaglength
VOID
HMACProcInit
InitializesfirstHMACmessagedigestsegment.
[in]:Message,Messagelength,key,keylength[out]:VOID
VOID
HMACProcUpdate
UpdatesmiddleHMACsegmentmessagedigestsegment.
[in]:Message,Messagelength[out]:VOID
VOID
HMACProcFinal
GeneratesfinalHMACmessagedigest.
[in]:Message,Messagelength[out]:Digest
VOID
HMACProcFinal
GeneratesfinalHMACmessagedigest.
[in]:Message,Messagelength[out]:MACtag,MACtaglength
VOID
KDFCTR/FB/DPI
Generatesaderivedkey. [in]:Label/IV,Labellength,Context,Contextlength,Counterlength,Counterlocation[out]:Derivedkey,Derivedkeylength
VOID
PBKDF Generatesaderivedkeyfrompasswordandsalt.
[in]:Password,Passwordlength,Salt,Saltlength,iterationcount[inout]:Derivedkeylength[out]:Derivedkey
VOID
Destruct ZeroizesSHAbuffers. [in]:VOID[out]:VOID
VOID
Util’s Zeroize Zeroizesfixed-sizebuffers. [inout]:Buffer VOIDObfuscate Zeroizedfixed-sizebuffer
withrandomdatafromDRBG.
[inout]:Buffer VOID
WordStrClr Zeroizesbuffer. [in]:Bufferlength[inout]:Buffer
VOID
WordStrCpy Copiesbuffer. [in]:InputBuffer,Bufferlength[out]:Copiedbuffer
VOID
WordStrDiff Differencesbuffers. [in]:Buffera,Bufferb,a/blength[out]:VOID
Non-zerovalueindicatesdifference
WordStrCmp Comparesbuffers. [in]:Buffera,Bufferb,a/blength
Pass/Fail
KeyWCorporation SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicyAdvancedCyberOperationsSector KXD002
Page26of44
UserRoleService Description Input/Output Return
[out]:VOIDWordStrCmpv0
Comparesbuffertozero. [in]:Buffer,Bufferlength[out]:VOID
Pass/Fail
WordStrCmpv1
Comparesbuffertozero. [in]:Buffer,Bufferlength[out]:VOID
Pass/Fail
MyMemCmpK
Comparesbytebuffertobyte.
[in]:Buffer,Bufferlength,bytevalue[out]:VOID
Pass/Fail
CleanUp Zeroizeswordbufferandverifieszeroed.
[in]:Bufferlength[inout]:Buffer
VOID
CleanUp Zeroizesbytebufferandverifieszeroed.
[in]:Bufferlength[inout]:Buffer
VOID
Words2Bytes Convertswordbuffertobytebuffer.
[in]:Wordbuffer,Wordbufferlength[out]:bytebuffer
VOID
Bytes2Words Convertsbytebuffertowordbuffer.
[in]:Bytebuffer,Wordbufferlength[out]:Wordbuffer
VOID
DWords2Bytes
Convertsdoublewordbuffertobytebuffer.
[in]:DWordbuffer,DWordbufferlength[out]:bytebuffer
VOID
Bytes2DWords
Convertsbytebuffertodoublewordbuffer.
[in]:Bytebuffer,DWordbufferlength[out]:DWordbuffer
VOID
QuickRandomBytes
Generatespseudo-randombytesfromDRBG.
[in]:Bufferlength[out]:Buffer
Pass/Fail
Stristr Case-insensitivesubstringsearch
[in]:Buffer,searchstring[out]:VOID
Substring
MyMemiCmp
Case-insensitivebytebuffercomparison
[in]:Buffera,Bufferb,a/blength[out]:VOID
Non-zerovalueindicatesdifference
ScanHexData Decodesabytestringbufferintoabytebuffer.
[in]:Stringbuffer[out]:Bytebuffer
Lengthofbytebuffer
ScanHexData Decodesabytestringbufferintoawordbuffer.
[in]:Stringbuffer[out]:Wordbuffer
Lengthofwordbuffer
ScanHexAlignRight
Decodesabytestringbufferintoawordbufferwithrightalignment.
[in]:Stringbuffer[inout]:Wordbufferlength[out]:Wordbuffer
VOID
ReadDecParam
Readsdecimalparameterfrominputfilestream.
[in]:Inputfilestream,Offsetheader[out]:VOID
Decimalparameter
ScanHexData Decodesabytestringfromaninputstreamintoawordbuffer.
[in]:Inputfilestream,Bitlength,Offsetheader[out]:Wordbuffer
VOID
KeyWCorporation SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicyAdvancedCyberOperationsSector KXD002
Page27of44
UserRoleService Description Input/Output Return
ScanHexData Decodesabytestringfromaninputstreamintoabytebuffer.
[in]:Inputfilestream,Bitlength,Offsetheader[out]:Bytebuffer
VOID
ScanHexData Decodesabytestringfromaninputstreamintoawordbuffer.
[in]:Inputfilestream,Offsetheader[out]:Wordbuffer
Lengthofwordbuffer
ScanHexAlignRight
Decodesabytestringfromaninputstreamintoawordbufferwithrightalignment.
[in]:Inputfilestream,Wordbufferlength,Offsetheader[out]:Wordbuffer
Pass/Fail
WriteHexData
Encodeswordbufferintostringbuffer.
[in]:Stringbuffer,Wordbufferlength[out]:Wordbuffer
VOID
WriteHexData
Encodesbytebufferintostringbuffer.
[in]:Stringbuffer,Bytebufferlength[out]:Bytebuffer
VOID
WriteHexData
Writeswordbufferintooutputstreamasastring.
[in]:Outputfilestream,Wordbufferlength,Offsetheader,Skipzeros[out]:Wordbuffer
VOID
WriteHexData
Writesbytebufferintooutputstreamasastring.
[in]:Outputfilestream,Bytebufferlength,Offsetheader[out]:Bytebuffer
VOID
Table6–ModuleServicesforUserRole
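The FFC services in Table 6 (Findn0Prime, MontImage, MontProd, MontSquare, RevMontImage, MontExp, MontModInverse, JacobiSymbol) name the pieces of multi-precision Montgomery arithmetic without showing how they fit together. The block below is an added Python illustration of those pieces, not the Module's code or API: it assumes 64-bit words, derives n0' from the least significant word of the modulus by Newton iteration, reduces word-serially with n0' so that no division by the modulus is needed, strips the Montgomery factor by multiplying by 1, and obtains the inverse by Fermat's Little Theorem. The word size, the left-to-right exponentiation order and the choice of the NIST P-256 field prime for the self-check are assumptions.

```python
"""Montgomery arithmetic in the style of the FFC services
(Findn0Prime, MontImage, MontProd, MontSquare, RevMontImage, MontExp,
MontModInverse) plus JacobiSymbol.  Added illustration, not the Module's
code; the 64-bit word size is an assumption."""

W = 64                     # assumed word size in bits
MASK = (1 << W) - 1


def find_n0_prime(n_lsw: int) -> int:
    """Findn0Prime: n0' = -n^(-1) mod 2^W from the least significant word
    of the odd modulus n.  Newton's iteration doubles the number of correct
    low-order bits each round, so six rounds take the 1-bit start to 64 bits."""
    if n_lsw & 1 == 0:
        raise ValueError("Montgomery arithmetic requires an odd modulus")
    x = 1                                   # correct modulo 2 for any odd n
    for _ in range(6):                      # 1 -> 2 -> 4 -> 8 -> 16 -> 32 -> 64 bits
        x = (x * (2 - n_lsw * x)) & MASK
    return (-x) & MASK


def word_count(n: int) -> int:
    """Number of W-bit words holding n; R = 2^(W*k) is the Montgomery radix."""
    return (n.bit_length() + W - 1) // W


def mont_prod(a: int, b: int, n: int, n0p: int, k: int) -> int:
    """MontProd: a*b*R^(-1) mod n by word-serial reduction.  Each round adds
    the multiple of n that clears the next low-order word of t, so the final
    shift is an exact division by R; inputs a and b must be below n."""
    t = a * b
    for i in range(k):
        m = (((t >> (W * i)) & MASK) * n0p) & MASK
        t += (m * n) << (W * i)
    t >>= W * k                             # the low k words are now zero
    return t - n if t >= n else t           # a*b < n^2 < n*R keeps t < 2n


def mont_image(a: int, n: int, k: int) -> int:
    """MontImage: aM = a*R mod n (a plain modular reduction is used here)."""
    return (a << (W * k)) % n


def rev_mont_image(am: int, n: int, n0p: int, k: int) -> int:
    """RevMontImage: a Montgomery product with 1 removes the factor R."""
    return mont_prod(am, 1, n, n0p, k)


def mont_exp(b: int, e: int, n: int) -> int:
    """MontExp: b^e mod n, left-to-right binary method in Montgomery form."""
    k = word_count(n)
    n0p = find_n0_prime(n & MASK)
    bm = mont_image(b % n, n, k)
    xm = mont_image(1, n, k)
    for bit in bin(e)[2:]:
        xm = mont_prod(xm, xm, n, n0p, k)   # MontSquare
        if bit == "1":
            xm = mont_prod(xm, bm, n, n0p, k)
    return rev_mont_image(xm, n, n0p, k)


def mont_mod_inverse(a: int, p: int) -> int:
    """MontModInverse: 1/a mod p by Fermat's Little Theorem (p prime)."""
    return mont_exp(a, p - 2, p)


def jacobi_symbol(a: int, n: int) -> int:
    """JacobiSymbol (a/n) for odd n > 0: 1, -1, or 0 when gcd(a, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("modulus must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:               # factor out 2 using the value of (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                     # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


# Self-check against the NIST P-256 field prime (constructed test input).
P256 = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF

if __name__ == "__main__":
    assert mont_exp(3, 200, P256) == pow(3, 200, P256)
    print("n0' for P-256:", hex(find_n0_prime(P256 & MASK)))
```

Because the least significant word of the P-256 prime is 2^64 - 1, its n0' is 1, which is a convenient sanity value for Findn0Prime. MontModSqrt and the ProbabModSqrt variants are not reproduced here; they would sit on top of mont_exp and jacobi_symbol in the same way.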
2.3.3. Authentication
The Module does not support operator authentication. Roles are selected implicitly based on the service performed by the operator.

Role | Type of Authentication | Authentication Data
Cryptographic Officer | N/A | N/A
User | N/A | N/A
Table 7 – Module Authentication

2.4. Finite State Model
The Finite State Model (FSM) describes the overall behavior and transitions the Module undergoes based upon its current state and commands received. The FSM was reviewed as part of the overall FIPS 140-2 validation.

2.5. Physical Security
The Module is implemented entirely in software, thus it is not subject to the FIPS 140-2 Physical Security requirements. The operational environment that executes the Module should be located on production-grade equipment and is expected to be secured by best practices.
2.6. Operational Environment
The Module runs in a single-user FIPS 140-2 certified operational environment where each calling application runs in a virtually separated, independent space and is compatible with the DRBG on which it runs based upon configuration. The Module is implemented entirely in software and, for FIPS 140-2 purposes, is classified as multi-chip standalone per the operational environment on which it runs.

Module | Operational Environment | CMVP Certificate | CAVP DRBG Certificate
KEYWcryptoModule.dll | Intel Xeon E5530 w/ Microsoft Windows Server 2012 R2 (64-bit) | #2357 | #489, #523
libKEYWcryptoModule.so.3 | Qualcomm Snapdragon 801 w/ BlackBerry OS 10.3 | #1578 | #81
libKEYWcryptoModule.so.3 | Qualcomm Snapdragon S4 w/ BlackBerry OS 10.3 | #1578 | #81
Table 8 – Operational Environments

2.7. Cryptographic Key Management
The following table describes the cryptographic keys, key components and Critical Security Parameters (CSPs) utilized exclusively by the Module.
Key/CSP Type | Mode/Key/CSP Size | Use | Access | Input/Output | Storage | Destruction
HMAC Integrity Check Key | SHA-512 | Symmetric key used for Software Integrity Checksum. | Crypto Officer Role: Read & Write | Symmetric key generated during each Module initialization as input, where a new symmetric key is generated after each build. See Section 2.9 for more details on Software Integrity POST. | Held in RAM as plaintext temporarily for single use and is not stored during Module initialization. | Zeroized immediately after Module initialization via zeroize service from Module API.
HMAC Integrity Checksum CSP | SHA-512 | Checksum CSP used in Software Integrity Checksum. | Crypto Officer Role: Read & Write | Checksum CSP entered as input during each Module initialization, where a new Checksum CSP is generated after each build. | Held in RAM as plaintext temporarily for single use and is not stored during Module initialization. | Zeroized immediately after Module initialization via zeroize service from Module API.
AES-ECB Key | ECB-128, ECB-192, ECB-256 | Symmetric key used for encryption and decryption of user data. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
AES-CBC Key | CBC-128, CBC-192, CBC-256 | Symmetric key used for encryption and decryption of user data. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
AES-CBC IV CSP | CBC-128, CBC-192, CBC-256 | IV CSP used in encryption and decryption of user data. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API.
AES-GCM Key | GCM-128, GCM-192, GCM-256 | Symmetric key used for encryption and decryption of traffic data. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext with Tag as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
AES-GCM IV CSP | GCM-128, GCM-192, GCM-256 | IV CSP used in encryption and decryption of traffic data. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext with Tag as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API.
AES-XTS Keys | XTS-128, XTS-256 | Symmetric keys used for encryption and decryption of stored data. | User Role: Read & Write | Symmetric keys entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API.
AES-XTS Tweak Value CSP | XTS-128, XTS-256 | Tweak value CSP used in encryption and decryption of stored data. | User Role: Read & Write | Tweak value CSP entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing Tweak value CSP via zeroize service from Module API or via platform-provided API.
AES-KW/KWP Key | KW-128, KW-192, KW-256, KWP-128, KWP-192, KWP-256 | Symmetric key used for encryption and decryption of other keys. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
CMAC Key | AES-128, AES-192, AES-256 | Symmetric key used for message authentication. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
GMAC Key | AES-128, AES-192, AES-256 | Symmetric key used for message authentication. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
GMAC IV CSP | AES-128, AES-192, AES-256 | IV CSP used for message authentication. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API.
HMAC Key | SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | Symmetric key used for message authentication. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
ECDSA Key | P-192, P-224, P-256, P-384, P-521, each with SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | Asymmetric key used for digital signature. Per NIST SP 800-131A, P-192 and SHA-1 are no longer considered secure and shall not be used to generate digital signatures (Ref. [14]). | User Role: Read & Write | Asymmetric key entered or generated by operational environment DRBG as input and digital signature scalars computed as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing asymmetric key via zeroize service from Module API or via platform-provided API.
ECC KAS Keys | Full Unified KC EB: P-224, SHA-224; Full Unified KC EC: P-256, SHA-256; Full Unified KC ED: P-384, SHA-384; Full Unified KC EE: P-521, SHA-512; Full MQV KC EB: P-224, SHA-224; Full MQV KC EC: P-256, SHA-256; Full MQV KC ED: P-384, SHA-384; Full MQV KC EE: P-521, SHA-512 | Asymmetric keys and MAC keys used for key establishment. | User Role: Read & Write | Asymmetric keys and MAC keys entered or generated by operational environment DRBG as input and symmetric keys derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing asymmetric/symmetric keys via zeroize service from Module API or via platform-provided API.
ECC KAS Nonce & MAC tag CSPs | Full Unified KC EB: P-224, SHA-224; Full Unified KC EC: P-256, SHA-256; Full Unified KC ED: P-384, SHA-384; Full Unified KC EE: P-521, SHA-512; Full MQV KC EB: P-224, SHA-224; Full MQV KC EC: P-256, SHA-256; Full MQV KC ED: P-384, SHA-384; Full MQV KC EE: P-521, SHA-512 | Nonce and MAC tag CSPs used in key establishment. | User Role: Read & Write | Nonce and MAC tag CSPs entered or generated by operational environment DRBG as input and symmetric keys derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing Nonce and MAC tag CSPs via zeroize service from Module API or via platform-provided API.
ECC KAS Shared Secret & DKM CSPs | Full Unified KC EB: P-224, SHA-224; Full Unified KC EC: P-256, SHA-256; Full Unified KC ED: P-384, SHA-384; Full Unified KC EE: P-521, SHA-512; Full MQV KC EB: P-224, SHA-224; Full MQV KC EC: P-256, SHA-256; Full MQV KC ED: P-384, SHA-384; Full MQV KC EE: P-521, SHA-512 | Shared Secret and DKM CSPs derived during key establishment. | User Role: N/A | Shared Secret and DKM CSPs derived as output between KAS phases. | Held in RAM as plaintext temporarily for single use and is not stored between KAS phases. | Zeroized immediately between KAS phases via zeroize service from Module API.
ECC CDH Primitive Keys | P-224, P-256, P-384, P-521 | Asymmetric keys used for shared secret CSP establishment. | User Role: Read & Write | Asymmetric keys entered or generated by operational environment DRBG as input and shared secret CSP derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing asymmetric keys via zeroize service from Module API or via platform-provided API.
ECC CDH Primitive Shared Secret CSPs | P-224, P-256, P-384, P-521 | Shared secret CSPs derived from establishment. | User Role: Read & Write | Shared secret CSP derived as output when asymmetric keys entered or generated by operational environment DRBG as input. | Held in RAM as plaintext. | Calling application is responsible for zeroizing shared secret CSPs via zeroize service from Module API or via platform-provided API.
KBKDF-CMAC-CTR Keys | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API.
KBKDF-CMAC-FB Keys | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API.
KBKDF-CMAC-FB IV CSP | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | IV CSP used in key derivation. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API.
KBKDF-CMAC-DPI Keys | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API.
KBKDF-HMAC-CTR Keys | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API.
KBKDF-HMAC-FB Keys | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API.
KBKDF-HMAC-FB IV CSP | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | IV CSP used in key derivation. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API.
KBKDF-HMAC-DPI Keys | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API.
PBKDF Password CSP | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Password CSP used in password-based key derivation. | User Role: Read & Write | Password CSP entered by calling application as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing Password CSP via zeroize service from Module API or via platform-provided API.
PBKDF Key | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key derived from password-based key derivation. | User Role: Read & Write | Symmetric key derived as output when Password CSP entered by calling application as input. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API.
Table 9 – Module Cryptographic Keys and Critical Security Parameters
2.7.1. Key Zeroization
The Module API leverages fixed-size buffer zeroization via memset and pseudorandom buffer filling. The Cryptographic Officer operator may request HMAC Integrity Check Key zeroization at any time by power-cycling the operational environment and reloading the Module. Also, the Cryptographic Officer operator may manually uninstall the Module from the operational environment and reformat (i.e. overwrite at least once) the platform’s hard drive or other permanent storage media; performing only the procedural uninstallation of the Module is not an acceptable key zeroization method. The User operator must zeroize keys/CSPs stored in the operational environment by calling a zeroize service provided by the Module API or via a platform-provided API.

2.8. Electromagnetic Interference and Compatibility
The Module meets the requirements of the FIPS 140-2 EMI/EMC Level 1 specification, as the operational environment on which the Module software runs passed validation executing upon a general-purpose computer (GPC) that conforms to the EMI/EMC requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (i.e., for business use).
2.9. Self-TestsTheModuleimplementsPower-OnSelf-Tests(POST)andconditionalself-teststhataredescribedinthefollowingtables:
Test DescriptionSoftwareIntegrity TheModulevalidatesitsownsoftwareintegrityuponloadofthe
ModuleDLL/SOfile.Theintegritycheckisatwo-stepprocessconsistingofanHMACverification(basedontheFIPS-approvedHMAC-512algorithm),appliedtothewholeModuleDLL/SOimageprocessedasabinarydatafile.Inthefirststep,the512-bit(64-byte)HMACkeyfortheHMACverificationisderivedviaaFIPS-approvedKBKDFfromseveralbuild-specificdatafieldsincludingthecurrentversionstringandbuilddate,whicharecompiledintotheModuleandarenotmodifiable.ThisHMACkeycustomizationisaimedatpreventingmaliciousModuleDLL/SOrebuildsandauthenticatingtheoriginalbuildonly.Inthesecondstep,the512-bitHMACkeyisusedtoperformanHMAC-512integritycheckofthewholeModuleDLL/SOimage.Thiscomputationproducesa512-bitchecksumthatiscomparedagainstahexadecimalvaluepre-storedinapropertiesfile.
AESCheckEncryption/DecryptionTables
Verifiestheintegrityofthepre-builtSboxsubstitutiontableandinverseSboxsubstitutiontable.TheSboxsubstitutiontableispre-convertedtofour32-bittables,inordertospeedupAESencryptionin32-bitprocessingmodewhiletheinverseSboxsubstitutiontableispre-convertedtofour32-bittables,inordertospeedupAESdecryptionin32-bitprocessingmode.
GCMEncrypt/DecryptKAT
ExercisesasetofKnownAnswerTests(KATs)extractedfromtheGCMtestvectorspublishedbyNISTintheGCMVSspecification(Reference[18])onallthreeGCMencryptionmodescorrespondingtoAESkeysizesof128,192and256bitsfeaturingthelargestcombinationsofPT,IVandAAD.ThecomprehensiveGCMKATsimplicitlyprovideassuranceaboutthevalidityoftheunderlyingAEScryptographicalgorithms.
SHAKAT ExercisesasetofKnownAnswerTests(KATs)extractedfromtheSHAtestvectorspublishedbyNISTintheSHAVSspecification(Reference[21])onallSHAversions(SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224andSHA-512/256)specifiedinFIPSPublication180-4featuringmixedhash/digestsizecombinationswiththelongestinputdata.ThecomprehensiveSHAKATsimplicitlyprovideassuranceaboutthevalidityoftheKeyDerivationFunction(KDF)employedbytheECDHKeyAgreementScheme(asrecommendedinNISTSP800-56A–Reference[15],aSHA-basedconcatenationKDFisbeingused).
KeyWCorporation SuiteBCryptographicModuleFIPS140-2Non-ProprietarySecurityPolicyAdvancedCyberOperationsSector KXD002
Page38of44
Test DescriptionHMACKAT ExercisesasetofKnownAnswerTests(KATs)extractedfromthe
HMACtestvectorspublishedbyNISTintheHMACVSspecification(Reference[22])featuringthelargestcombinationsofkeyandtagsizescoveringallversionsoftheunderlyinghashingalgorithm(SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224andSHA-512/256).ThecomprehensiveHMACKATsimplicitlyprovideassuranceaboutthevalidityoftheBilateralKeyConfirmationmethodemployedbytheECDHKeyAgreementScheme(Reference[15],Section8.4).
ECDSAKeyPair/PKVKAT
ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheECDSAKeyPair(private/publickeyverification)andPKV(PublicKeyValidation)testvectorspublishedbyNISTintheECDSA2VSspecification(Reference[24])coveringeachversionoftheunderlyingprime-fieldEC(P-192,P-224,P-256,P-384andP-521).TheECDSAKeyPairtestsincludemultipleKATverificationsofECCpointmultiplication,whichistheECCprimitiveusedforshared-secret(“Z”)computationbytheECDHKeyAgreementScheme.
ECDSASigGenKAT ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheSigGentestvectorspublishedbyNISTintheECDSA2VSspecification(Reference[24]).Inthistestcategory,ECDSA2VSonlyprovidesthemessagetobesigned.Themodulegeneratesaprivatekey,computesthecorrespondingpublickey,generatesanECDSA“secretnumber”(ephemeralkey)fromtheDRBG,computesthemessagesignatureusingtheprivatekeyandverifiesthesignaturewiththepublickey.Forcompleteness,thesignatureisverifiedwiththeprivatekeyaswell.OnelongtestvectorisexercisedforeachcombinationofprimefieldEC(P-224,P-256,P-384andP-521)andhashingalgorithm(SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224andSHA-512/256).InthelatestNISTSuiteBspecificationsP-192ECandSHA-1arenolongerconsideredsuitableforsecureECDSAgeneration(Reference[14]).
ECDSASigVerKAT ExercisesasetofKnownAnswerTests(KATs)adaptedfromtheSigVertestvectorspublishedbyNISTintheECDSA2VSspecification(Reference[24]).ThesetestcasesareincompliancewiththelatestECDSAspecification(FIPS186-4,Reference[12]),whichallowsanyprime-fieldEC(P-192,P-224,P-256,P-384orP-521)tobecombinedwitheachSHAversionfromFIPS180-4(SHA-1,SHA-224,SHA-256,SHA-384,SHA-512,SHA-512/224orSHA-512/256)inanECDSAcomputation.OnetestcasefromeachEC/SHAcombination,featuringthelongestmessage,isexercised.
ECDH Full Unified Key Agreement Scheme (KAS) KAT

Exercises a set of Known Answer Tests (KATs) adapted from the ECDH test vectors published by NIST in the KASVS specification (Reference [25]) featuring the Full Unified Model of ECDH covering each version of the underlying prime-field EC (P-224, P-256, P-384 and P-521). Each test run includes both Initiator-side and Responder-side functions. The underlying cryptographic algorithms used during ECDH key agreement are fully validated via individual POSTs:

• ECC point multiplication is validated via ECDSA Key Pair KATs
• The Key Derivation Function is validated via SHA KATs
• The Key Confirmation function is validated via HMAC KATs

ECDH Full MQV Key Agreement Scheme (KAS) KAT

Exercises a set of Known Answer Tests (KATs) adapted from the ECDH test vectors published by NIST in the KASVS specification (Reference [25]) featuring the Full MQV model of ECDH covering each version of the underlying prime-field EC (P-224, P-256, P-384 and P-521). Each test run includes both Initiator-side and Responder-side functions. The underlying cryptographic algorithms used during ECDH key agreement are fully validated via individual POSTs:

• ECC point multiplication is validated via ECDSA Key Pair KATs
• The Key Derivation Function is validated via SHA KATs
• The Key Confirmation function is validated via HMAC KATs

XTS Encrypt/Decrypt KAT

Exercises a set of Known Answer Tests (KATs) extracted from the XTS test vectors published by NIST in the XTSVS specification (Reference [19]). Both formats specified for the tweak value input (128-bit hexadecimal string or 64-bit Data Unit Sequence Number) are tested with various non-trivial Data Unit bit sizes in encrypt and decrypt mode. The comprehensive XTS KATs implicitly provide assurance about the validity of the underlying AES cryptographic algorithms.

KW/KWP Encrypt/Decrypt KAT

Exercises a set of Known Answer Tests (KATs) extracted from the KW and KWP test vectors published by NIST with the Key Wrap Validation System (KWVS) specification (Reference [20]). All three encryption modes are tested for KW and KWP, corresponding to AES key sizes of 128, 192 and 256 bits. Also, the underlying AES block cipher is tested in either the forward direction or the inverse direction during KW/KWP encryption. Two non-trivial test vectors are exercised for each combination of AES key size, KW/KWP and forward/inverse block cipher. The comprehensive KW/KWP KATs implicitly provide assurance about the validity of the underlying AES cryptographic algorithms.
KBKDF KAT

Exercises a set of Known Answer Tests (KATs) extracted from the KDF test vectors published by NIST with the Key Derivation using Pseudorandom Functions (SP 800-108) Validation System (KBKDFVS) (Reference [23]). Both CMAC and HMAC algorithms are exercised as the underlying pseudo-random function (PRF). For each PRF, SP 800-108 specifies three modes of key derivation from a set of inputs: Counter Mode (CTR), Feedback Mode (FB) and Double-Pipeline Iteration Mode (DPI), which are all represented during a KDF self-test run. At least one non-trivial test case has been included for each input parameter combination specified in KBKDFVS, adding up to 12 KDF CTR tests, 32 KDF FB tests and 16 KDF DPI tests.

PBKDF KAT

The comprehensive HMAC KATs implicitly provide assurance about the validity of the Password-Based Key Derivation Function (PBKDF) as recommended IAW NIST SP 800-132 (Reference [11]). There is neither a Validation System in place, nor sample test vectors published by CAVP for the PBKDF algorithm, as of January 2017.

Table 10 – Module Power-On Self-Tests
Test Description

ECC KAS (Full Unified, Full MQV) Conditional Pair-Wise Consistency Self-Test

The ECC KAS implementation provides built-in assurance (verification) of the arithmetic validity of each newly generated key pair by performing a pair-wise consistency self-test: the key pair is used in conjunction with a second, newly generated compatible key pair to calculate the shared values for both sides of the key agreement algorithm, and if the resulting shared values are not equal the self-test fails. Every invocation of ECC KAS involves (within the class constructors) a verification of the arithmetic validity of the selected set of ECC domain parameters (Reference [15], Section 5.5.2). The ECC KAS implementation performs a full ECC public key validation each time such a key is used: each side verifies both its own and the opposite side's static public keys, and each side verifies the opposite side's ephemeral public key (Reference [15], Section 5.6.2). Also, during key agreement, each side renews its assurance of possessing the correct private key by using the Key Regeneration method (Reference [15], Section 5.6.3), while the ephemeral (generated) private key is subjected to the constraints specified in Reference [15], Section 5.6.1.2.
ECDSA Conditional Pair-Wise Consistency Self-Test

The ECDSA implementation provides built-in assurance (verification) of the arithmetic validity of each newly generated key pair by performing a pair-wise consistency self-test: the key pair is used to generate and verify a digital signature, and if the digital signature cannot be verified the self-test fails. Every invocation of ECDSA involves (within the class constructors) a verification of the arithmetic validity of the selected set of ECC domain parameters. The ECDSA implementation performs an ECC public key validation each time such a key is used during digital signature generation and verification.

Table 11 – Module Conditional Self-Tests
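The two conditional self-tests of Table 11 (the ECC KAS pair-wise consistency test and the ECDSA pair-wise consistency test, together with the domain parameter check and public key validation both rows mention) can be illustrated with the following Python. It is an added example, not the KeyW module's code: it implements P-256 affine arithmetic in pure Python, signs and verifies with a fresh key pair, agrees a shared value Z from both sides with a second fresh key pair, and fails closed if either check does not hold. The curve constants are the FIPS 186-4 P-256 values; the function names, the fixed test message and the generate_validated_keypair wrapper are assumptions made for the example.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4, Appendix D.1.2.3).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def inv(x, m):
    return pow(x % m, m - 2, m)  # Fermat inverse; P and N are both prime

def add(p1, p2):
    """Affine point addition; also handles doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant-time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def public_key_valid(q):
    """Full public key validation (SP 800-56A rev2, 5.6.2.3): range, curve, order n."""
    if q is INF:
        return False
    x, y = q
    if not (0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0):
        return False
    return mul(N, q) is INF  # cofactor is 1, so n*Q must be the identity

def domain_params_valid():
    """Domain parameter check (SP 800-56A rev2, 5.5.2): non-singular curve, valid base point."""
    return (4 * A ** 3 + 27 * B ** 2) % P != 0 and public_key_valid(G)

def keygen():
    d = 1 + secrets.randbelow(N - 1)  # private key in [1, n-1] (5.6.1.2)
    return d, mul(d, G)

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg):
    e = hash_to_int(msg)
    while True:
        k = 1 + secrets.randbelow(N - 1)  # fresh per-signature secret number
        r = mul(k, G)[0] % N
        s = inv(k, N) * (e + r * d) % N
        if r and s:
            return r, s

def verify(q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N and public_key_valid(q)):
        return False
    w = inv(s, N)
    pt = add(mul(hash_to_int(msg) * w % N, G), mul(r * w % N, q))
    return pt is not INF and pt[0] % N == r

def ecdsa_pwct(d, q):
    """Table 11, ECDSA row: sign with the new private key, verify with its public key."""
    msg = b"pair-wise consistency test"  # constructed test message
    return verify(q, msg, sign(d, msg))

def ecdh_pwct(d, q):
    """Table 11, ECC KAS row: both sides must derive the same Z with a second fresh pair."""
    d2, q2 = keygen()
    if not (public_key_valid(q) and public_key_valid(q2)):
        return False
    z_own, z_peer = mul(d, q2), mul(d2, q)
    return z_own is not INF and z_own == z_peer

def generate_validated_keypair():
    """Key generation that fails closed when any conditional self-test fails."""
    if not domain_params_valid():
        raise RuntimeError("ECC domain parameter check failed")
    d, q = keygen()
    if not (ecdsa_pwct(d, q) and ecdh_pwct(d, q)):
        raise RuntimeError("pair-wise consistency self-test failed")
    return d, q
```

Calling generate_validated_keypair() returns a (private, public) pair only after both pair-wise tests pass; a corrupted private key (for example, d + 1 paired with the original public key) makes ecdsa_pwct return False, which is the failure the conditional self-test exists to catch.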
2.9.1. Invoking Self-Tests

The Cryptographic Officer operator invokes the POST automatically by loading the Module. During load the operational environment executes the following Module Default Entry Point (DEP) automatically, which invokes the self-tests. The Module does not rely on any other external service to initiate the POST, and all data output via the data output interface is inhibited while the POST is performed. The POST may be invoked automatically at any time by power-cycling the operational environment and reloading the Module.

Dynamic Link Library (DLL) Default Entry Point: BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)

Shared Object (SO) Default Entry Point: void __attribute__((constructor)) runModulePOST(void)
2.9.2. Self-Test Results

Upon successful self-test completion, the Module completes its initialization and transitions to the idle operational state. Subsequent Module self-tests are exercised automatically whenever any Suite B cryptographic algorithm is called by the operator, whether for communications encryption/decryption, data encryption/decryption, or key establishment. In the event the Software Integrity and/or KAT self-test fails, the Module does not complete loading and transitions to the error state, and a specific error code is returned indicating which self-test has failed. The Module does not provide any cryptographic services while in this error state. Recovery from the error state is possible by power-cycling the operational environment and reloading the Module.
Self-Test            Error Code
Software Integrity   441, 444
GCM Encrypt          2100 + Test Count
GCM Decrypt          2200 + Test Count
SHA                  2300 + Test Count
HMAC                 2400 + Test Count
ECDSA Key            2800 + Test Count
ECDSA SigGen         3300 + Test Count
ECDSA SigVer         3400 + Test Count
KAS Full Unified     2500 + Test Count (combined indicator of the EC type and failing sub-test)
KAS Full MQV         3000 + Test Count
XTS Encrypt          2600 + Test Count
XTS Decrypt          2700 + Test Count
KW Encrypt           3100 + Test Count
KW Decrypt           3200 + Test Count
KBKDF                3500 + Test Count

Table 12 – Module Self-Test Error Codes
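As an added example (not the module's own code) of how Section 2.9.2 and Table 12 fit together, the following Python runs SHA and HMAC known-answer tests at load time, encodes a failure as base code plus test count exactly as Table 12 does, and inhibits service calls while the module sits in the error state. The vectors are the published SHA-1/SHA-256 values for the message "abc" (FIPS 180-4 examples) and test case 1 from RFC 2202 and RFC 4231, not the NIST SHAVS/HMACVS vectors the module actually uses; the class and function names and the 100-code window used by decode_error are assumptions for the example.

```python
import hashlib
import hmac

# Error code bases copied from Table 12; a failure reports base + 1-based test index.
ERROR_BASE = {"SHA": 2300, "HMAC": 2400}

# SHA KATs: (hash name, message, expected digest). Published FIPS 180-4 examples.
SHA_KATS = [
    ("sha1", b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("sha256", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]

# HMAC KATs: (hash name, key, message, expected tag).
# Test case 1 of RFC 2202 (HMAC-SHA-1) and RFC 4231 (HMAC-SHA-256).
HMAC_KATS = [
    ("sha1", b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("sha256", b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]

def run_sha_kat(vectors=SHA_KATS):
    """Return 0 on success, otherwise 2300 + index of the first failing vector."""
    for i, (alg, msg, expected) in enumerate(vectors, start=1):
        if hashlib.new(alg, msg).hexdigest() != expected:
            return ERROR_BASE["SHA"] + i
    return 0

def run_hmac_kat(vectors=HMAC_KATS):
    """Return 0 on success, otherwise 2400 + index of the first failing vector."""
    for i, (alg, key, msg, expected) in enumerate(vectors, start=1):
        tag = hmac.new(key, msg, alg).hexdigest()
        # constant-time comparison, the same habit the service path needs
        if not hmac.compare_digest(tag, expected):
            return ERROR_BASE["HMAC"] + i
    return 0

class Module:
    """Minimal state machine: POST during load, idle on success, error state on failure."""

    def __init__(self, self_tests=(run_sha_kat, run_hmac_kat)):
        self.state = "loading"
        self.error_code = 0
        for test in self_tests:  # the entry point runs every self-test in order
            code = test()
            if code:
                self.state = "error"
                self.error_code = code  # identifies the failed self-test (Table 12)
                return
        self.state = "idle"

    def hmac_service(self, key, msg):
        """Cryptographic output is inhibited unless the module reached the idle state."""
        if self.state != "idle":
            raise RuntimeError(f"module in error state, code {self.error_code}")
        return hmac.new(key, msg, "sha256").digest()

def decode_error(code):
    """Map a Table 12 style code back to (self-test name, failing test count)."""
    for name, base in ERROR_BASE.items():
        if base < code < base + 100:  # assumed window: fewer than 100 vectors per test
            return name, code - base
    return None

if __name__ == "__main__":
    m = Module()
    print("state:", m.state, "error code:", m.error_code)
```

A deliberately wrong expected tag passed to run_hmac_kat yields 2401, which decode_error maps to ("HMAC", 1): the first HMAC vector failed. A Module built with that failing test never leaves the error state, and hmac_service raises instead of returning data, which is the "no cryptographic services while in the error state" behaviour the section describes.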
2.10. Design Assurance

The Module meets the requirements of the FIPS 140-2 Security Level 1 specification and provides the following Cryptographic Officer guidance and User guidance. The Cryptographic Officer is responsible for manually installing the Module on the operational environment and ensuring the FIPS mode of operation as described in Section 2.1.2. Also, the Cryptographic Officer is responsible for initializing the Module, causing the POST to run automatically as described in Section 2.9. The User operator is responsible for confining method calls to only FIPS 140-2 approved security functions as listed in Table 2 when calling the Module API, as well as confining method calls to a FIPS 140-2 approved DRBG from the operational environment as listed in Section 2.6.
2.11. Mitigation of Other Attacks

The Module has not been designed to mitigate any specific attacks outside the scope of the FIPS 140-2 requirements. The Module resides within a FIPS 140-2 operational environment, which provides an additional layer of protection against attacks on the Module.
3. Referenced Documents

[1] FIPS Publication 197, The Advanced Encryption Standard (AES), U.S. DoC/NIST, November 26, 2001, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[2] NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques, December 2001, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
[3] NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
[4] NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[5] NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices, January 2010, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
[6] NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods of Key Wrapping, December 2012, National Institute of Standards and Technology, [Webpage], http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
[7] RFC 5649, Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm, August 2009, Network Working Group, [Webpage], https://tools.ietf.org/html/rfc5649
[8] FIPS Publication 180-4, Secure Hash Standard (SHS), August 2015, National Institute of Standards and Technology, [Webpage], http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
[9] FIPS Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[10] NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions, October 2009, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
[11] NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation, December 2010, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
[12] FIPS Publication 186-4, Digital Signature Standard (DSS), July 2013, National Institute of Standards and Technology, [Webpage], http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[13] ANS X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), November 2005
[14] NIST Special Publication 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
[15] NIST Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, Revision 2, May 2013, National Institute of Standards and Technology, [Webpage], http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
[16] The Advanced Encryption Standard Algorithm Validation Suite (AESAVS), November 15, 2002, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/aes/AESAVS.pdf
[17] The CMAC Validation System (CMACVS), Updated August 23, 2011, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/mac/CMACVS.pdf
[18] The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS), Updated August 30, 2012, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmvs.pdf
[19] The XTS-AES Validation System (XTSVS), Updated September 5, 2013, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf
[20] The Key Wrap Validation System (KWVS), June 20, 2014, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/mac/KWVS.pdf
[21] The Secure Hash Algorithm Validation System (SHAVS), Updated May 21, 2014, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf
[22] The Keyed-Hash Message Authentication Code Validation System (HMACVS), Updated July 23, 2012, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/mac/HMACVS.pdf
[23] Key Derivation using Pseudorandom Functions (SP 800-108) Validation System (KBKDFVS), Updated January 4, 2016, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/KBKDF800-108/kbkdfvs.pdf
[24] The FIPS 186-4 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS), Updated March 18, 2014, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/dss2/ecdsa2vs.pdf
[25] The Key Agreement Schemes Validation System (KASVS), Updated May 22, 2014, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASVS.pdf
[26] NIST Special Publication 800-63-2, Electronic Authentication Guideline, August 2013, National Institute of Standards and Technology, [Webpage], http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[27] NIST Special Publication 800-118, Guide to Enterprise Password Management (Draft), April 2009, National Institute of Standards and Technology, [Webpage], http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf