NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy NetApp Cryptographic Security Module Module Version 1.0 FIPS 140-2 Level 1 Non-Proprietary Security Policy Document Version: 1.9 Last Updated: June 6th, 2021 Table of Contents 1 Introduction.......................................................................................................................3 2 Cryptographic Module Description..................................................................................4 2.1 Module Specification .................................................................................................................. 4 2.2 Module Block Diagram............................................................................................................... 4 2.3 Validation Level.......................................................................................................................... 5 2.4 Tested Platforms ......................................................................................................................... 6 3 Cryptographic Module Ports and Interfaces....................................................................8 4 Roles, Services and Authentication...................................................................................9 4.1 Roles........................................................................................................................................... 9 4.2 Services ...................................................................................................................................... 9 4.3 Authentication........................................................................................................................... 10 5 Physical Security .............................................................................................................11 6 Operational Environment ...............................................................................................12 7 Cryptographic Key Management ...................................................................................13 7.1 Cryptographic Algorithms......................................................................................................... 13 7.1.1 Approved Cryptographic Algorithms................................................................................................13 7.1.2 Non-FIPS Approved Algorithms Allowed in FIPS Mode ...................................................................16 7.1.3 Non-FIPS Approved Algorithms Not-Allowed in FIPS Mode ............................................................16 7.2 Key Generation ......................................................................................................................... 17 7.3 Key Storage .............................................................................................................................. 17 7.4 Key Access ............................................................................................................................... 17 7.5 Key Protection and Zeroization ................................................................................................. 17 7.6 AES GCM IV Generation.......................................................................................................... 17 7.7 CSP Information........................................................................................................................ 18 8 Electromagnetic Interference/Compatibility..................................................................20 9 Self-Tests..........................................................................................................................21 9.1 Power-On Self Tests (POST)..................................................................................................... 21 9.2 Conditional tests........................................................................................................................ 21 9.3 Critical Function Tests .............................................................................................................. 22 10 Design Assurance .........................................................................................................23 10.1 Secure Distribution and Installation....................................................................................... 23 10.2 Secure Operation................................................................................................................... 23 NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 3 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 1 Introduction This document is the non-proprietary Cryptographic Module Security Policy for the NetApp Cryptographic Security Module (NCSM). This security policy describes how the NCSM (Software Version: 1.0) meets the security requirements of FIPS 140-2, and how to operate it in a secure FIPS 140-2 mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation of the NetApp Cryptographic Security Module. This document provides an overview of the NetApp Cryptographic Security Module and explains the secure configuration and operation of the module. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is NetApp-proprietary and is releasable only under appropriate non- disclosure agreements. For access to these documents, please contact NetApp Inc. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 4 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 2 Cryptographic Module Description The NetApp Cryptographic Security Module is a software library that provides cryptographic services to a vast array of NetApp's storage and networking products. The module provides FIPS 140-2 validated cryptographic algorithms for services such as IPSEC, SRTP, SSH, TLS, 802.1x, etc. The module does not directly implement any of these protocols, instead it provides the cryptographic primitives and functions to allow a developer to implement the various protocols. In this document, the NetApp Cryptographic Security Module is referred to as NCSM, the library, or the module. 2.1 Module Specification The module is a multi-chip standalone cryptographic module. For the purposes of the FIPS 140-2 level 1 validation, the NCSM is a single object module file named fipscanister.o. The object code in the object module file is incorporated into the runtime executable application at the time the binary executable is generated. The Module performs no communications other than with the consuming application (the process that invokes the Module services via the Module’s API). 2.2 Module Block Diagram The module’s logical block diagram is shown in Figure 1 below. The dashed red border denotes the logical cryptographic boundary of the module. The physical cryptographic boundary of the module is the enclosure of the system on which it is executing and is denoted by the solid red boundary. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 5 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. Figure 1 – NCSM block diagram 2.3 Validation Level The following table lists the level of validation for each area in the FIPS PUB 140-2. No. Area Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 6 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. No. Area Title Level 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security N/A 6 Operational Environment 1 7 Cryptographic Key management 1 8 Electromagnetic Interface/Electromagnetic Compatibility 1 9 Self-Tests 1 10 Design Assurance 3 11 Mitigation of Other Attacks N/A Overall module validation level 1 Table 1 – Module Validation Level 2.4 Tested Platforms This module was tested on the following platforms for the purposes of this FIPS validation: # Platform Operating System Processor 1 Fujitsu RX200S5 Scientific Linus 6.1 Intel Xeon E5-2609V4 (Broadwell) with PAA 2 Fujitsu RX300-S6 Scientific Linus 6.1 Intel Xeon E5645 (Westmere EP) without PAA 3 Fujitsu RX200S5 Debian Linux 8 Intel Xeon E5-2609V4 (Broadwell) with PAA 4 Fujitsu RX300-S6 Debian Linux 8 Intel Xeon E5645 (Westmere EP) without PAA 5 Fujitsu RX200S5 FreeBSD 9.1 Intel Xeon E5-2609V4 (Broadwell) with PAA 6 Fujitsu RX300-S6 FreeBSD 9.1 Intel XeonE5645 (Westmere EP) without PAA 7 Fujitsu RX200S5 SUSE Linux 11 Intel Xeon E5-2609V4 (Broadwell) with PAA 8 Fujitsu RX300-S6 SUSE Linux 11 Intel Xeon E5645 (Westmere EP) without PAA 9 NetApp AFF A800 ONTAP 9.7P6 Intel Xeon Platinum 8160 (Sky Lake- SP) with PAA NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 7 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. # Platform Operating System Processor Intel Xeon Platinum 8160 (Sky Lake- SP) without PAA 10 NetApp FAS2650 ONTAP 9.7P6 Intel Xeon D-1528 (Broadwell) with PAA Intel Xeon D-1528 (Broadwell) without PAA 11 NetApp FAS8300 ONTAP 9.7P6 Intel Xeon Silver 4210 (Cascade Lake) with PAA Intel Xeon Silver 4210 (Cascade Lake) without PAA 12 NetApp FAS9000 ONTAP 9.7P6 Intel Xeon E5-2697 (Broadwell) with PAA Intel Xeon E5-2697 (Broadwell) without PAA Table 2 – Tested Operational Environments (OEs) NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 8 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 3 Cryptographic Module Ports and Interfaces The physical ports of the Module are the same as the system on which it is executing. The logical interface is a C-language application program interface (API). The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the actual API functions. The Status Output interface includes the return values of the API functions. The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-2 defined logical interfaces: data input, data output, control input, status output, and power. The logical interfaces and their mapping are described in the following table: Interface Description Data Input API input parameters - plaintext and/or ciphertext data Data Output API output parameters - plaintext and/or ciphertext data Control Input API function calls - function calls, or input arguments that specify commands and control data used to control the operation of the module Status Output API return codes- function return codes, error codes, or output arguments that receive status information used to indicate the status of the module Table 3 – FIPS 140-2 Logical Interfaces NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 9 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 4 Roles, Services and Authentication 4.1 Roles The Module meets all FIPS 140-2 level 1 requirements for Roles and Services, implementing both Crypto-User and Crypto-Officer roles. The User and Crypto Officer roles are implicitly assumed by the entity accessing services implemented by the Module. The Crypto Officer can install and initialize the Module. The Crypto Officer role is implicitly entered when installing the Module or performing system administration functions on the host operating system. • User Role: Loading the Module and calling any of the API functions. This role has access to all of the services provided by the Module. • Crypto-Officer Role: All of the User Role functionality as well as installation of the Module on the host computer system. This role is assumed implicitly when the system administrator installs the Module library file. 4.2 Services Service Role CSP Access Module Installation Crypto Officer None N/A Symmetric encryption/decryption User, Crypto Officer Symmetric keys AES, Triple- DES Execute Symmetric Digest User, Crypto Officer AES CMAC key Execute Key transport User, Crypto Officer Asymmetric private key RSA Execute Key agreement User, Crypto Officer DH and ECDH private key Execute Digital signature User, Crypto Officer Asymmetric private key RSA, DSA, ECDSA Execute Key Generation (Asymmetric) User, Crypto Officer Asymmetric keys RSA, DSA, and ECDSA Write/execute Key Generation (Symmetric) User, Crypto Officer Symmetric keys AES, Triple- DES Write/execute Keyed Hash (HMAC) User, Crypto Officer HMAC key Execute Message digest (SHS) User, Crypto Officer None N/A Random Number Generation User, Crypto Officer Seed/entropy input, C, and V Write/execute Show status User, Crypto Officer None N/A Module initialization User, Crypto Officer None N/A Perform Self-test User, Crypto Officer None N/A Zeroization User, Crypto Officer All CSPs N/A NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 10 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. Table 4 – Roles, Services, and Keys 4.3 Authentication As allowed by FIPS 140-2, the Module does not support user authentication for the provided roles. Only one role may be active at a time and the Module does not allow concurrent operators. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 11 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 5 Physical Security The module is comprised of software only and thus does not claim any physical security. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 12 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 6 Operational Environment The Module operates in a modifiable operational environment. The tested operating systems segregate user processes into separate process spaces. Each process space is an independent virtual memory area that is logically separated from all other processes by the operating system software and hardware. The Module functions entirely within the process space of the process that invokes it, and thus satisfies the FIPS 140-2 requirement for a single user mode of operation. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 13 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 7 Cryptographic Key Management 7.1 Cryptographic Algorithms The module implements a variety of approved and non-approved algorithms. 7.1.1 Approved Cryptographic Algorithms The module supports the following FIPS 140-2 approved algorithm implementations: Algorithm Supported Modes Algorithm Certificate Numbers AES ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); OFB (e/d; 128, 192, 256); CTR (ext only; 128, 192, 256) CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) CMAC (Generation/Verification) (KS: 128; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 2 Max: 16) (KS: 192; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 2 Max: 16) (KS: 256; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 2 Max: 16) GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96 64 32) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96 64 32) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96 64 32) PT Lengths Tested: (0, 512, 1024, 504, 1016); AAD Lengths tested: (0, 512, 1024, 504, 1016); IV Lengths Tested: (256, 1024); 96BitIV_Supported; OtherIVLen_Supported GMAC_Supported 3593 A950 NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 14 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. Algorithm Supported Modes Algorithm Certificate Numbers Triple-DES 1 TECB(KO 1 e/d, KO 2 d only); TCBC(KO 1 e/d, KO 2 d only); TCFB1(KO 1 e/d, KO 2 d only); TCFB8(KO 1 e/d, KO 2 d only);TCFB64(KO 1 e/d, KO 2 d only); TOFB(KO 1 e/d, KO 2 d only) CMAC((KS: 3-Key; Generation/Verification; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 2 Max: 8)) 2000 A950 SHS SHA-1 (BYTE-only) SHA-224 (BYTE-only) SHA-256 (BYTE-only) SHA-384 (BYTE-only) SHA-512 (BYTE-only) 2955 A950 HMAC HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) HMAC-SHA224 (Key Size Ranges Tested: KSBS) HMAC-SHA256 (Key Size Ranges Tested: KSBS) HMAC-SHA384 (Key Size Ranges Tested: KSBS) HMAC-SHA512 (Key Size Ranges Tested: KSBS) 2290 A950 DRBG Hash_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled] HMAC_Based DRBG: [Prediction Resistance Tested: Enabled and Not Enabled] CTR_DRBG: [Prediction Resistance Tested: Enabled and Not Enabled; BlockCipher_Use_df] 928 A950 RSA FIPS186-4: 186-4KEY(gen): FIPS186-4_Random_e PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3) ALG[ANSIX9.31] Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512)) Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA 1847 A950 1 There is a limit of 2^16 encryptions with the same Triple-DES key. The user is responsible for ensuring the module does not surpass this limit. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 15 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. Algorithm Supported Modes Algorithm Certificate Numbers (224, 256, 384, 512)) (3072 SHA(224, 256, 384, 512)) SIG(Ver) (1024 SHA(1, 224, 256, 384, 512)) (2048 SHA(1, 224, 256, 384, 512)) (3072 SHA(1, 224, 256, 384, 512)) [RSASSA-PSS]: Sig(Gen): (2048 SHA(224 SaltLen(16), 256 SaltLen(16), 384 SaltLen(16), 512 SaltLen(16))) (3072 SHA(224 SaltLen(16), 256 SaltLen(16), 384 SaltLen(16), 512 SaltLen(16))) Sig(Ver): (1024 SHA(1 SaltLen(16), 224 SaltLen(16), 256 SaltLen(16), 384 SaltLen(16), 512 SaltLen(16))) (2048 SHA(1 SaltLen(16), 224 SaltLen(16), 256 SaltLen(16), 384 SaltLen(16), 512 SaltLen(16))) (3072 SHA(1 SaltLen(16), 224 SaltLen(16), 256 SaltLen(16), 384 SaltLen(16), 512 SaltLen(16))) DSA FIPS186-4: PQG(gen)PARMS TESTED: [(2048, 224)SHA(224, 256, 384, 512); (2048,256)SHA(256, 384, 512); (3072,256) SHA(256, 384, 512)] PQG(ver)PARMS TESTED: [(1024,160) SHA(1, 224, 256, 384, 512); (2048,256) SHA(256, 384, 512); (3072,256) SHA(256, 384, 512)] KeyPairGen: [(2048,224); (2048,256); (3072,256)] SIG(gen)PARMS TESTED: [(2048,224) SHA(224, 256, 384, 512); (2048,256) SHA(256, 384, 512); (3072,256) SHA(256, 384, 512);] SIG(ver)PARMS TESTED: [(1024,160) SHA(1, 224, 256, 384, 512); (2048,224) SHA(1, 224, 256, 384, 512); (2048,256) SHA(1, 224, 256, 384, 512); (3072,256) SHA(1, 224, 256, 384, 512)] 998 A950 ECDSA FIPS186-4: PKG: CURVES(P-224 P-256 P-384 P-521 K-233 K- 283 K-409 K-571 B-233 B-283 B-409 B-571 ExtraRandomBits TestingCandidates) PKV: CURVES(P-224 P-256 P-384 P-521 K-233 K- 283 K-409 K-571 B-233 B-283 B-409 B-571) SigGen: CURVES(P-224: (SHA-224, 256, 384, 512) P- 256: (SHA-224, 256, 384, 512) P-384: (SHA-224, 256, 384, 512) P-521: (SHA-224, 256, 384, 512) K-233: (SHA-224, 256, 384, 512) K-283: (SHA-224, 256, 384, 512) K-409: (SHA-224, 256, 384, 512) K-571: (SHA- 224, 256, 384, 512) B-233: (SHA-224, 256, 384, 512) B- 732 A950 NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 16 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. Algorithm Supported Modes Algorithm Certificate Numbers 283: (SHA-224, 256, 384, 512) B-409: (SHA-224, 256, 384, 512) B-571: (SHA-224, 256, 384, 512)) SigVer: CURVES(P-192: (SHA-1, 224, 256, 384, 512) P-224: (SHA-1, 224, 256, 384, 512) P-256: (SHA-1, 224, 256, 384, 512) P-384: (SHA-1, 224, 256, 384, 512) P- 521: (SHA-1, 224, 256, 384, 512) K-163: (SHA-1, 224, 256, 384, 512) K-233: (SHA-1, 224, 256, 384, 512) K- 283: (SHA-1, 224, 256, 384, 512) K-409: (SHA-1, 224, 256, 384, 512) K-571: (SHA-1, 224, 256, 384, 512 B- 163: (SHA-1, 224, 256, 384, 512) B-233: (SHA-1, 224, 256, 384, 512) B-283: (SHA-1, 224, 256, 384, 512) B- 409: (SHA-1, 224, 256, 384, 512) B-571: (SHA-1, 224, 256, 384, 512)) CVL SP800-56A (ECDH) Curves tested: P-224 P-256 P-384 P-521 K- 233 K-283 K-409 K-571 B-233 B-283 B-409 B- 571 615 A950 CKG SP 800-133 Vendor Affirmed Table 5 – Approved Cryptographic Algorithms 7.1.2 Non-FIPS Approved Algorithms Allowed in FIPS Mode The module supports the following non-FIPS approved algorithms which are permitted for use in the FIPS approved mode: • Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 219 bits of encryption strength; non-compliant less than 112-bits of encryption strength) • EC Diffie-Hellman (CVL Certs. #615 and #A950, key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 128-bits of encryption strength) • RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112-bits of encryption strength) *Note: This is allowed per IG D.9 as long as the modulus is at least 2048 bits longs. 7.1.3 Non-FIPS Approved Algorithms Not-Allowed in FIPS Mode The module supports the following non-FIPS approved algorithms which are not permitted for use in the FIPS approved mode: • Diffie-Hellman with 1024-bit keys, NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 17 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. • EC Diffie-Hellman with B, K and P curves sizes 163 and 192, • RSA Signature Generation with 1024-bit keys, • Two-Key Triple-DES encryption. • AES XTS (non-compliant) 7.2 Key Generation The Module supports generation of AES, Triple-DES keys and DH, ECDH, DSA, RSA, and ECDSA public- private key pairs. The Module employs a NIST SP800-90A random number generator for creation of both symmetric keys and the seed for asymmetric key generation. The direct output, U, from the Approved DRBG is used as keying material as discussed in IG D.12 and SP 800-133. The module passively receives entropy from the calling application via the RAND_add() API. Because the amount of entropy loaded by the application is dependent on the “entropy” parameter used by the calling application, the minimum number of bits of entropy is considered equal to the “entropy” parameter selection of the calling application. The calling application must call the RAND_add() with the “entropy” parameter of at least 32-bytes (256-bits). 7.3 Key Storage The Module does not perform persistent storage of any keys entered into or generated by the module. 7.4 Key Access An authorized application as user (the Crypto-User) has access to all key data generated during the operation of the Module. 7.5 Key Protection and Zeroization Keys residing in internally allocated data structures can only be accessed using the Module defined API. The operating system protects memory and process space from unauthorized access. Zeroization of sensitive data is performed automatically by API function calls for intermediate data items. Only the process that creates or imports keys can use or export them. No persistent storage of key data is performed by the Module. All API functions are executed by the invoking process in a nonoverlapping sequence such that no two API functions will execute concurrently. All CSPs can be zeroized by power-cycling the module (with the exception of the Software Integrity key). 7.6 AES GCM IV Generation For AES-GCM IV generation, the method is user selectable and the value can be computed in more than one manner. For IG A.5 Scenario 1, following RFC 5288 for TLS 1.2, the module ensures that the 64-bit nonce_explicit part of the IV is a strictly increasing counter. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 18 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. condition may either trigger a handshake to establish a new encryption key in accordance with RFC 5246, or fail. In either case, the module prevents and IV duplication and thus enforces the security property. The module is compliant to Section 3.3.1 for SP 800-52 rev2. The Module’s IV is generated internally by the Module’s Approved DRBG. The IV is 96 bits in length per NIST SP 800-38D, Section 8.2.2 and FIPS 140-2 IG A.5 Scenario 2. The selection of the IV construction method is the responsibility of the user of this Module. In the approved mode, users of the Module must not utilize GCM with an externally generated IV. In the event Module power is lost and restored the consuming application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed. 7.7 CSP Information The module supports the following keys and critical security parameters (CSPs): ID Algorithm Size Description Symmetric Keys AES Triple-DES AES (ECB, CFB8, OFB, CTR, CCM, GCM): 128, 192, 256 bits Triple-DES (TECB, TCFB1, TCFB8, TCFB64, TOFB): 112, 168 bits Triple-DES Notes Related to use if Two-Key algorithm: Two-key Triple-DES may only be used to decrypt data. Two-key Triple-DES may not be used to encrypt data Used for symmetric encryption/decryption Asymmetric Keys RSA DSA ECDSA RSA (FIPS 186-4): 1,024-4,096 bits DSA (FIPS 186-4): 1,024, 2,048, 3,072 bits ECDSA (FIPS 186-4): P-192, P-224, P-256, P-384, P-521, K-233, K-283, K-409, K-571, B-233, B-283, B-409, B-571 Used for signature verification. RSA Keys: Also used for key transport. RSA 4096- bit keys are passed into the module via API and are only used for key transport. Asymmetric Keys RSA DSA ECDSA RSA (FIPS 186-4): 2,048-4,096 bits DSA (FIPS 186-4): 2,048, 3,072 bits ECDSA (FIPS 186-4): P-224, P-256, P-384, P-521, K-233, Used for signature generation with SHA-2 Used in key pair generation. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 19 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. ID Algorithm Size Description K-283, K-409, K-571, B-233, B-283, B-409, B-571 RSA Keys: Also used for key transport. Note: RSA 4096-bit keys cannot be generated by the module. They are passed in via the API and are only used for key transport. Diffie-Hellman/ EC Diffie-Hellman private key DH ECDH DH: Public Key – 2,048-10,000 bits Private Key – 224-512 bits ECDH: P-224, P-256, P-384, P-521, K-233, K-283, K-409, K-571, B-233, B-283, B-409, B-571 Used for key agreement Hash_DRBG DRBG (as per NIST SP 800-90A) − V (440/888 bits) − C (440/888 bits) − entropy input (The length of the selected hash) CSPs as per NIST SP800- 90A. HMAC_DRBG DRBG (as per NIST SP 800-90A) − V (160/224/256/384/512 bits) − Key (160/224/256/384/512 bits) − entropy input (The length of the selected hash) CSPs as per NIST SP800- 90A. CTR_DRBG DRBG (as per NIST SP 800-90A) − V (128 bits) − Key (AES 128/192/256) − entropy input (The length of the selected AES) CSPs as per NIST SP800- 90A. Keyed Hash key HMAC All supported key sizes for HMAC (Keys must be a minimum 112-bits) Used for keyed hash Table 7 – Cryptographic Keys and CSPs NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 20 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 8 Electromagnetic Interference/Compatibility The Module only electromagnetic interference produced is that of the host platform on which the module resides and executes. FIPS 140-2 requires that the host systems on which FIPS 140-2 testing is performed meet the Federal Communications Commission (FCC) EMI and EMC requirements for business use as defined in Subpart B, Class A of FCC 47 Code of Federal Regulations Part 15. However, all systems sold in the United States must meet these applicable FCC requirements. NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 21 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 9 Self-Tests The Module performs both power-up self-tests at module initialization2 and continuous condition tests during operation. Input, output, and cryptographic functions cannot be performed while the Module is in a self-test or error state as the module is single threaded and will not return to the calling application until the power-up self-tests are complete. If the power-up self- tests fail subsequent calls to the module will fail and thus no further cryptographic operations are possible. The self-tests are called when initializing the module, or alternatively can be invoked at operator discretion using the FIPS_selftest() function call. 9.1 Power-On Self Tests (POST) • AES ECB Known Answer Test (Separate encrypt and decrypt) • AES-CCM Known Answer Test (Separate encrypt and decrypt) • AES-GCM Known Answer Test (Separate encrypt and decrypt) • AES-CMAC Known Answer Test • AES-XTS Known Answer Test (legacy test) • Triple-DES ECB Known Answer Test (Separate encrypt and decrypt) • RSA Sign/Verify Known Answer Test • DSA Sign/Verify Pairwise Consistency Test • FIPS 186-4 ECDSA Sign/Verify Pairwise Consistency Test • HMAC Known Answer Tests o HMAC-SHA1 Known Answer Test o HMAC-SHA224 Known Answer Test o HMAC-SHA256 Known Answer Test o HMAC-SHA384 Known Answer Test o HMAC-SHA512 Known Answer Test • DRBG Known Answer Tests o HASH_DRBG Known Answer Test o HMAC_DRBG Known Answer Test o CTR_DRBG Known Answer Test • KAS SP 800-56A ECDH Primitive “Z” KAT • Software Integrity Test (HMAC-SHA1) 9.2 Conditional tests • Pairwise consistency tests for RSA, DSA, and ECDSA • Continuous random number generation test for approved DRBG. 2 The FIPS mode initialization is performed when the application invokes the FIPS_mode_set() call which returns a “1” for success and “0” for failure NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 22 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 9.3 Critical Function Tests Applicable to the DRBG, as per SP800-90A, Section 11: • Instantiate Test • Generate Test • Reseed Test • Un-instantiate Test NetApp Cryptographic Security Module (NCSM) v1.0 FIPS 140-2 Security Policy Page 23 of 23 © 2021 NetApp, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice. 10 Design Assurance 10.1 Secure Distribution and Installation The NCSM is intended only for use by NetApp personnel and as such is accessible only from the secure NetApp internal web site. Only authorized employees have access to the module. A complete revision history of the source code from which the Module was generated is maintained in a version control database3 . The HMAC-SHA-1 of the Module distribution file as tested by the CSTL Laboratory is verified during inclusion of the Module into NetApp products. The module comes pre-installed on various NetApp products. No customer installation is necessary. 10.2 Secure Operation The module is architected to be compliant with all FIPS 140-2 power-on requirements. Upon invocation of the shared library or application into which the object module has been compiled, the module begins to execute a prescribed set of startup tasks including both an integrity test and the POSTs described in section 9.1 above. If any component of the module startup fails, an internal global error flag is set to prevent subsequent invocation of any cryptographic function calls. Any such startup failure is a hard error that can only be recovered by reinstalling the Module. Upon successful completion of all startup tasks, the Module is available to enter a FIPS mode of operation. The module is in the Approved mode of operation when only the algorithms listed in Section 7.1.1 and 7.1.2 are being used. If any of the algorithms listed in Section 7.1.3 are used the module enters the non-Approved mode of operation. The module contains a FIPS mode initialization function FIPS_mode_set(). This inhibits some of the non-Approved functionality, but not all of it. When the application invokes the FIPS_mode_set() call, it returns a “1” for success and “0” for failure. Interpretation of this return code is the responsibility of the host application. Prior to this invocation the Module is operating in the non-FIPS mode by default. None of algorithms identified in section 7.1.3 may be used in the FIPS-approved mode of operation. The operator must ensure that these are not chosen/selected. No operator intervention is required during the running of the self-tests. 3 This database is internal to NetApp since the source code is not distributed with NetApp products