Allegro Software Development Corporation
Allegro Cryptographic Engine
FIPS 140-3 Non-Proprietary Security Policy
Document Revision 1.4
December 2025

(Allegro Software Development Corporation. © 2025) Version 1.0
Public Material – May be reproduced only in its original entirety (without revision).

Table of Contents

1 General
  1.1 Overview
  1.2 Security Levels
2 Cryptographic Module Specification
  2.1 Description
  2.2 Tested and Vendor Affirmed Module Version and Identification
  2.3 Excluded Components
  2.4 Modes of Operation
  2.5 Algorithms
  2.6 Security Function Implementations
  2.7 Algorithm Specific Information
  2.8 RBG and Entropy
  2.9 Key Generation
  2.10 Key Establishment
  2.11 Industry Protocols
  2.12 Additional Information
3 Cryptographic Module Interfaces
  3.1 Ports and Interfaces
4 Roles, Services, and Authentication
  4.1 Authentication Methods
  4.2 Roles
  4.3 Approved Services
  4.4 Non-Approved Services
  4.5 External Software/Firmware Loaded
5 Software/Firmware Security
  5.1 Integrity Techniques
  5.2 Initiate on Demand
6 Operational Environment
  6.1 Operational Environment Type and Requirements
7 Physical Security
8 Non-Invasive Security
9 Sensitive Security Parameters Management
  9.1 Storage Areas
  9.2 SSP Input-Output Methods
  9.3 SSP Zeroization Methods
  9.4 SSPs
10 Self-Tests
  10.1 Pre-Operational Self-Tests
  10.2 Conditional Self-Tests
  10.3 Periodic Self-Test Information
  10.4 Error States
  10.5 Operator Initiation of Self-Tests
11 Life-Cycle Assurance
  11.1 Installation, Initialization, and Startup Procedures
  11.2 Administrator Guidance
  11.3 Non-Administrator Guidance
  11.4 End of Life
  11.5 Additional Information
12 Mitigation of Other Attacks

List of Tables

Table 1: Security Levels
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)
Table 3: Tested Operational Environments - Software, Firmware, Hybrid
Table 4: Modes List and Description
Table 5: Approved Algorithms - Cipher
Table 6: Approved Algorithms - Message Authentication
Table 7: Approved Algorithms - Symmetric Key Wrap
Table 8: Approved Algorithms - Asymmetric Key Generation
Table 9: Approved Algorithms - Asymmetric Key Verification
Table 10: Approved Algorithms - Asymmetric Signature Generation
Table 11: Approved Algorithms - Asymmetric Signature Verification
Table 12: Approved Algorithms - Random Number Generation
Table 13: Approved Algorithms - Shared Secret Computation
Table 14: Approved Algorithms - Key Derivation
Table 15: Approved Algorithms - Safe Primes Generation
Table 16: Approved Algorithms - Safe Primes Verification
Table 17: Approved Algorithms - Hash Function
Table 18: Vendor-Affirmed Algorithms
Table 19: Non-Approved, Allowed Algorithms with No Security Claimed
Table 20: Security Function Implementations
Table 21: Ports and Interfaces
Table 22: Roles
Table 23: Approved Services
Table 24: Storage Areas
Table 25: SSP Input-Output Methods
Table 26: SSP Zeroization Methods
Table 27: SSP Table 1
Table 28: SSP Table 2
Table 29: Pre-Operational Self-Tests
Table 30: Conditional Self-Tests
Table 31: Pre-Operational Periodic Information
Table 32: Conditional Periodic Information
Table 33: Error States

List of Figures

Figure 1: Block Diagram

1 General

1.1 Overview

This document is a non-proprietary cryptographic module security policy for the Allegro Cryptographic Engine (Software Version 6.50) from Allegro Software Development Corporation. This security policy contains specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard.

1.2 Security Levels

| Section | Title | Security Level |
|---|---|---|
| 1 | General | 1 |
| 2 | Cryptographic module specification | 1 |
| 3 | Cryptographic module interfaces | 1 |
| 4 | Roles, services, and authentication | 1 |
| 5 | Software/Firmware security | 1 |
| 6 | Operational environment | 1 |
| 7 | Physical security | N/A |
| 8 | Non-invasive security | N/A |
| 9 | Sensitive security parameter management | 1 |
| 10 | Self-tests | 1 |
| 11 | Life-cycle assurance | 1 |
| 12 | Mitigation of other attacks | N/A |
| | Overall Level | 1 |

Table 1: Security Levels

2 Cryptographic Module Specification

2.1 Description

Purpose and Use:

The Allegro Cryptographic Engine (also informally referred to as “ACE,” and in this security policy as “the module”) is a software cryptographic module that runs on a general-purpose computer (GPC). It provides FIPS 140-3 approved cryptography that can be used by calling applications via a C language Application Programming Interface (API). The module meets the overall requirements applicable to a multi-chip stand-alone embodiment at FIPS 140-3, Level 1.
The module is a shared cryptographic library providing symmetric and asymmetric encryption and decryption, message digest, message authentication, random number generation, key generation, digital signature generation and verification, and other cryptographic functionality. As a software cryptographic module that executes on a general-purpose computer, the module depends upon the physical characteristics of the host platform. The module’s physical perimeter is defined by the enclosure around the host system on which it executes.

The logical interface of the module is its Application Programming Interface, which a calling application must utilize to invoke the cryptographic services of the module, pass input data to the module and receive output data and status from the module.

The module is packaged as a shared object for Linux 5.15 (Mint 21) and Windows 11 Pro. The module also includes a data file that is used for verifying the integrity of the module. The module has been validated on Linux 5.15 (Mint 21) and Windows 11 Pro. The module meets the overall requirements applicable at Level 1 security of FIPS 140-3.

Module Type: Software

Module Embodiment: Multi-Chip Standalone

Module Characteristics:

Cryptographic Boundary:

The module’s cryptographic boundary is comprised of a single binary:
• On Linux 5.15 (Mint 21), the binary is Acelib.so with the associated digest in AceLib.dat.
• On Windows 11 Pro, the binary is AceDll.dll with the associated digest in AceDll.dll.dat.

Tested Operational Environment’s Physical Perimeter (TOEPP):

Figure 1 shows a block diagram of the module executing in memory, and its interactions with surrounding software components, as well as the module’s cryptographic boundary. The module supports an Application Programming Interface (API) which provides logical interfaces between the calling application and the module’s services.

Figure 1: Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets):

| Package or File Name | Software/Firmware Version | Features | Integrity Test |
|---|---|---|---|
| Acelib.so (Linux 5.15) (Mint 21) (PAA Enabled) | 6.50 | PAA Enabled Binary | HMAC-SHA2-256 (AceLib.dat) |
| AceDll.dll (Windows 11 Pro) (PAA Enabled) | 6.50 | PAA Enabled Binary | HMAC-SHA2-256 (AceDll.dll.dat) |
| Acelib.so (Linux 5.15) (Mint 21) (PAA Disabled) | 6.50 | PAA Disabled Binary | HMAC-SHA2-256 (AceLib.dat) |
| AceDll.dll (Windows 11 Pro) (PAA Disabled) | 6.50 | PAA Disabled Binary | HMAC-SHA2-256 (AceDll.dll.dat) |

Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)

Tested Operational Environments - Software, Firmware, Hybrid:

| Operating System | Hardware Platform | Processors | PAA/PAI | Hypervisor or Host OS | Version(s) |
|---|---|---|---|---|---|
| Linux 5.15 (Mint 21) | Intel NUC | Intel® Core™ i7-1260P | No | N/A | 6.50 |
| Linux 5.15 (Mint 21) | Intel NUC | Intel® Core™ i7-1260P | Yes | N/A | 6.50 |
| Windows 11 Pro | Intel NUC | Intel® Core™ i7-1260P | No | N/A | 6.50 |
| Windows 11 Pro | Intel NUC | Intel® Core™ i7-1260P | Yes | N/A | 6.50 |

Table 3: Tested Operational Environments - Software, Firmware, Hybrid

Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid:

N/A for this module.

2.3 Excluded Components

There are no components excluded from the module.
2.4 Modes of Operation Modes List and Description: Mode Name Description Type Status Indicator Approved Mode Mode of operation where only approved security functions and services can be utilized Approved Pass Table 4: Modes List and Description The module supports an approved mode of operation only. 2.5 Algorithms Approved Algorithms: Cipher Algorit hm CAV P Cert Properties Referen ce AES- CBC A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 SP 800- 38A AES- CCM A33 32 Key Length - 128, 192, 256 Tag Length - 112, 128, 32, 48, 64, 80, 96 IV Length - IV Length: 56, 64, 72, 80, 88, 96, 104 Payload Length - Payload Length: 0 AAD Length - AAD Length: 0 SP 800- 38C AES- CFB1 A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 SP 800- 38A (Allegro Software Development Corporation. © 2025) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision). Page 9 of 57 Algorit hm CAV P Cert Properties Referen ce AES- CFB128 A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 SP 800- 38A AES- CFB8 A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 SP 800- 38A AES- CTR A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 Payload Length - Payload Length: 128 Supports Counter larger than maximum value - No Incremental Counter - Yes Counter Tests Performed - Yes SP 800- 38A AES- ECB A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 SP 800- 38A AES- FF1 A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 Tweak Length - Tweak Length: 0-128 Increment 8 Alphabet - 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNO PQRSTUVWXYZ Radix - 62 Maximum Payload Length - 2048 Minimum Payload Length - 6 SP 800- 38G AES- GCM A33 32 Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 Tag Length - 112, 120, 128, 32, 64, 96 IV Length - IV Length: 96 Payload Length - Payload Length: 128, 136, 256, 264 AAD Length - AAD Length: 0, 
128, 136, 256, 264 SP 800- 38D AES- OFB A33 32 Direction - Decrypt, Encrypt Key Length - 128, 192, 256 SP 800- 38A AES- XTS Testing Revisio n 2.0 A33 32 Direction - Decrypt, Encrypt Key Length - 128, 256 Payload Length - Payload Length: 128-16384 Increment 128 Tweak Mode - Hex Data Unit Length Matches Payload Length - Yes SP 800- 38E Table 5: Approved Algorithms - Cipher Message Authentication Algorithm CAVP Cert Properties Reference AES-CMAC A3332 Direction - Generation, Verification Key Length - 128, 192, 256 MAC Length - MAC Length: 8-128 Increment 8 Message Length - Message Length: 0-524288 Increment 8 SP 800-38B (Allegro Software Development Corporation. © 2025) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision). Page 10 of 57 Algorithm CAVP Cert Properties Reference AES-GMAC A3332 Direction - Decrypt, Encrypt IV Generation - Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 Tag Length - 104, 112, 120, 128, 32, 64, 96 IV Length - IV Length: 96 AAD Length - AAD Length: 0, 120, 128, 248, 1024 SP 800-38D HMAC-SHA-1 A3332 MAC - MAC: 32-160 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- 224 A3332 MAC - MAC: 32-224 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- 256 A3332 MAC - MAC: 32-256 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- 384 A3332 MAC - MAC: 32-384 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA2- 512 A3332 MAC - MAC: 32-512 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3- 224 A3332 MAC - MAC: 32-224 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3- 256 A3332 MAC - MAC: 32-256 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3- 384 A3332 MAC - MAC: 32-384 Increment 8 Key Length - Key Length: 256-448 Increment 8 FIPS 198-1 HMAC-SHA3- 512 A3332 MAC - MAC: 32-512 Increment 8 Key Length - 
Key Length: 256-448 Increment 8 FIPS 198-1 Table 6: Approved Algorithms - Message Authentication Symmetric Key Wrap Algorithm CAVP Cert Properties Reference AES-KW A3332 Direction - Decrypt, Encrypt Cipher - Cipher Key Length - 128, 192, 256 Payload Length - Payload Length: 128, 192, 256, 320, 4096 SP 800-38F AES-KWP A3332 Direction - Decrypt, Encrypt Cipher - Cipher Key Length - 128, 192, 256 SP 800-38F (Allegro Software Development Corporation. © 2025) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision). Page 11 of 57 Algorithm CAVP Cert Properties Reference Payload Length - Payload Length: 8, 32, 72, 96, 808 Table 7: Approved Algorithms - Symmetric Key Wrap Asymmetric Key Generation Algorithm CAVP Cert Properties Reference ECDSA KeyGen (FIPS186-4) A3332 Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates FIPS 186-4 RSA KeyGen (FIPS186- 4) A3332 Key Generation Mode - B.3.6 Modulo - 2048, 3072, 4096 Primality Tests - Table C.3 Info Generated By Server - No Public Exponent Mode - Random Private Key Format - Standard FIPS 186-4 Table 8: Approved Algorithms - Asymmetric Key Generation Asymmetric Key Verification Algorithm CAVP Cert Properties Reference ECDSA KeyVer (FIPS186-4) A3332 Curve - P-192, P-224, P-256, P-384, P-521 FIPS 186-4 Table 9: Approved Algorithms - Asymmetric Key Verification Asymmetric Signature Generation Algorithm CAVP Cert Properties Reference ECDSA SigGen (FIPS186-4) A3332 Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 FIPS 186-4 RSA SigGen (FIPS186-4) A3332 Signature Type - ANSI X9.31, PKCSPSS Modulo - 2048, 3072, 4096 Hash Pair - Hash Algorithm - SHA2-224 FIPS 186-4 Table 10: Approved Algorithms - Asymmetric Signature Generation Asymmetric Signature Verification Algorithm CAVP Cert Properties Reference ECDSA SigVer (FIPS186-4) A3332 Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512 FIPS 
186-4 RSA SigVer (FIPS186-4) A3332 Signature Type - ANSI X9.31, PKCSPSS Modulo - 2048, 3072, 4096 Hash Pair - Hash Algorithm - SHA-1 Public Exponent Mode - Random FIPS 186-4 Table 11: Approved Algorithms - Asymmetric Signature Verification (Allegro Software Development Corporation. © 2025) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision). Page 12 of 57 Random Number Generation Algorithm CAVP Cert Properties Reference Hash DRBG A3332 Mode - SHA2-256, SHA2-512 SP 800-90A Rev. 1 Table 12: Approved Algorithms - Random Number Generation Shared Secret Computation Algorithm CAVP Cert Properties Reference KAS-ECC-SSC Sp800-56Ar3 A3332 Domain Parameter Generation Methods - P-224, P-256, P-384, P-521 Hash Function Z - SHA2-512 Scheme - ephemeralUnified - KAS Role - initiator, responder SP 800-56A Rev. 3 KAS-FFC-SSC Sp800-56Ar3 A3332 Domain Parameter Generation Methods - MODP-2048, MODP-3072 SP 800-56A Rev. 3 Table 13: Approved Algorithms - Shared Secret Computation Key Derivation Algorithm CAVP Cert Properties Reference KDA HKDF Sp800-56Cr1 A3332 Fixed Info Pattern - uPartyInfo||vPartyInfo Fixed Info Encoding - concatenation Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-2048 Increment 8 HMAC Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 SP 800-56C Rev. 2 KDF SSH (CVL) A3332 Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512 SP 800-135 Rev. 1 PBKDF A3332 Iteration Count - Iteration Count: 1000-100000 Increment 1 HMAC Algorithm - SHA-1 Password Length - Password Length: 8-128 Increment 1 Salt Length - Salt Length: 128-4096 Increment 128 Key Data Length - Key Data Length: 112-4096 Increment 8 SP 800-132 TLS v1.2 KDF RFC7627 (CVL) A3332 Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512 SP 800-135 Rev. 1 TLS v1.3 KDF (CVL) A3332 HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - PSK-DHE SP 800-135 Rev. 
1 Table 14: Approved Algorithms - Key Derivation (Allegro Software Development Corporation. © 2025) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision). Page 13 of 57 Safe Primes Generation Algorithm CAVP Cert Properties Reference Safe Primes Key Generation A3332 Safe Prime Groups - modp-2048, modp-3072 SP 800-56A Rev. 3 Table 15: Approved Algorithms - Safe Primes Generation Safe Primes Verification Algorithm CAVP Cert Properties Reference Safe Primes Key Verification A3332 Safe Prime Groups - modp-2048, modp-3072 SP 800-56A Rev. 3 Table 16: Approved Algorithms - Safe Primes Verification Hash Function Algorithm CAVP Cert Properties Reference SHA-1 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-224 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-256 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-384 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA2-512 A3332 Message Length - Message Length: 0-65528 Increment 8 FIPS 180-4 SHA3-224 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHA3-256 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHA3-384 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHA3-512 A3332 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 SHAKE- 128 A3332 Supports Bit-Oriented Messages - No Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 FIPS 202 SHAKE- 256 A3332 Supports Bit-Oriented Messages - No Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 FIPS 202 Table 17: Approved Algorithms - Hash Function Per NIST SP 800-131Ar2, SHA-1 is considered "legacy (approved)" for digital signature verification, "acceptable" for non-digital-signature applications, and disallowed for digital signature (Allegro 
Software Development Corporation. © 2025) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision). Page 14 of 57 generation (except where specifically allowed by NIST protocol-specific guidance). This module utilizes SHA-1 for message digest, RSA signature verification, and SSH key derivation. Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key Type:Symmetric & Asymmetric N/A NIST SP 800-133 Rev. 2 (Section 4, Ex. 1) Generation of Symmetric Keys & Seed for Asymmetric Keys Table 18: Vendor-Affirmed Algorithms The module includes vendor-affirmed Component Key Generation (CKG) per IG D.H and NIST SP 800-133rev2. The CKG uses the method described in Sections 4 and 6.1 of SP 800-133rev2. The module generates symmetric keys and seeds for asymmetric keys, from the direct output of the DRBG. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function MD5 Allowed in the approved mode with no security claimed Used for TLS 1.2 interoperability Table 19: Non-Approved, Allowed Algorithms with No Security Claimed Caveats: • The module implements MD5 for use with TLS communications, which is allowed in the Approved mode of operation. • The module provides key derivation functions for use in TLS and SSHv2. No parts of the TLS or SSHv2 protocols, other than the KDF, have been tested by the CAVP and CMVP. Non-Approved, Not Allowed Algorithms: N/A for this module. 2.6 Security Function Implementations Name Type Description Properties Algorithms DRBG DRBG Random Bit Generation Hash DRBG: (A3332) Message Digest SHA Create Message Digest SHA-1: (A3332) SHA2-224: (A3332) SHA2-256: (A3332) (Allegro Software Development Corporation. © 2025) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision). 
SHA2-384: (A3332) SHA2-512: (A3332) SHA3-224: (A3332) SHA3-256: (A3332) SHA3-384: (A3332) SHA3-512: (A3332) SHAKE-128: (A3332) SHAKE-256: (A3332)

| Name | Type | Description | Properties | Algorithms |
|---|---|---|---|---|
| Generate Digital Signature | DigSig-SigGen | Create Digital Signatures | | ECDSA SigGen (FIPS186-4): (A3332); RSA SigGen (FIPS186-4): (A3332); SHA2-224: (A3332); SHA2-256: (A3332); SHA2-384: (A3332); SHA2-512: (A3332) |
| Verify Digital Signature | DigSig-SigVer | Verify Digital Signature | | ECDSA SigVer (FIPS186-4): (A3332); RSA SigVer (FIPS186-4): (A3332); SHA-1: (A3332); SHA2-224: (A3332); SHA2-256: (A3332); SHA2-384: (A3332); SHA2-512: (A3332) |
| Generate Keys | AsymKeyPair-KeyGen; CKG; DRBG | Generate Symmetric & Asymmetric Keys | | CKG: (); ECDSA KeyGen (FIPS186-4): (A3332); RSA KeyGen (FIPS186-4): (A3332); Hash DRBG: (A3332) |
| Shared Secret Computation (KAS-FFC-SSC) | KAS-SSC | Shared Secret Computation (KAS-FFC-SSC) | Shared Secret Computation: Provides 112 or 128 bits of encryption strength | KAS-FFC-SSC Sp800-56Ar3: (A3332); Safe Primes Key Generation: (A3332); Safe Primes Key Verification: (A3332) |
| Shared Secret Computation (KAS-ECC-SSC) | KAS-SSC | NIST SP 800-56Ar3 shared secret computation (KAS-ECC-SSC) | Shared Secret Computation: Provides between 112 and 256 bits of encryption strength | KAS-ECC-SSC Sp800-56Ar3: (A3332); ECDSA KeyGen (FIPS186-4): (A3332); ECDSA SigGen (FIPS186-4): (A3332); ECDSA SigVer (FIPS186-4): (A3332); Hash DRBG: (A3332) |
| Derive Key (HKDF) | KAS-56CKDF; SHA | Key Derivation | | KDA HKDF Sp800-56Cr1: (A3332); HMAC-SHA2-224: (A3332); HMAC-SHA2-256: (A3332); HMAC-SHA2-384: (A3332); HMAC-SHA2-512: (A3332); HMAC-SHA3-224: (A3332); HMAC-SHA3-256: (A3332); HMAC-SHA3-384: (A3332); HMAC-SHA3-512: (A3332) |
| Derive Key (TLS 1.2) | KAS-135KDF; SHA | Key Derivation for TLS 1.2 RFC 7627 | | TLS v1.2 KDF RFC7627: (A3332); SHA2-256: (A3332); SHA2-384: (A3332); SHA2-512: (A3332) |
| Derive Key (TLS 1.3) | KAS-135KDF; SHA | Key Derivation for TLS 1.3 | | TLS v1.3 KDF: (A3332); SHA2-256: (A3332); SHA2-384: (A3332) |
| Derive Key (SSH) | KAS-135KDF; SHA | Key Derivation for SSH | | KDF SSH: (A3332); SHA-1: (A3332); SHA2-224: (A3332); SHA2-256: (A3332); SHA2-384: (A3332); SHA2-512: (A3332) |
| Derive Key (PBKDF) | MAC; PBKDF | Password-Based Key Derivation | | PBKDF: (A3332); HMAC-SHA-1: (A3332) |
| Message Authentication | MAC | Message Authentication Algorithms | | HMAC-SHA-1: (A3332); HMAC-SHA2-224: (A3332); HMAC-SHA2-256: (A3332); HMAC-SHA2-384: (A3332); HMAC-SHA2-512: (A3332); HMAC-SHA3-224: (A3332); HMAC-SHA3-256: (A3332); HMAC-SHA3-384: (A3332); HMAC-SHA3-512: (A3332); AES-CMAC: (A3332); AES-GMAC: (A3332); Hash DRBG: (A3332) |
| Symmetric Cipher | BC-Auth; BC-UnAuth | Encryption & Decryption | | AES-CBC: (A3332); AES-CCM: (A3332); AES-CFB1: (A3332); AES-CFB128: (A3332); AES-CFB8: (A3332); AES-ECB: (A3332); AES-FF1: (A3332); AES-GCM: (A3332); AES-KW: (A3332); AES-KWP: (A3332); AES-OFB: (A3332); AES-XTS Testing Revision 2.0: (A3332); AES-CTR: (A3332) |
| Verify Asymmetric Keys | AsymKeyPair-KeyVer | Verify Asymmetric Keys | | ECDSA KeyVer (FIPS186-4): (A3332) |
| Key Wrapping | BC-Auth | Key Wrapping Method (SP 800-38F) (IG D.G) | Standard: SP 800-38F; IG D.G: Approved method from IG D.G; Caveat: Key establishment methodology provides between 128 and 256 bits of security strength | AES-KW: (A3332); AES-KWP: (A3332) |

Table 20: Security Function Implementations

2.7 Algorithm Specific Information

SHA-3 & SHAKE (IG C.C)

SHA-3 and SHAKE were tested and validated on all of the module’s operating environments.

RSA (IG C.F)

• Modulus lengths supported by the module for RSA signature generation are 2048, 3072, and 4096 bits.
• The module supports the number of Miller-Rabin tests specified in Table C.3 of FIPS 186-4.
• The RSA signature algorithm implementations are tested.
• For signature verification, the modulus size is at least 2048.

AES-GCM (IG C.H)

An AES-GCM key may either be generated internally or provided by application code to the cryptographic module. The IV for AES-GCM encryption shall not be generated outside the module. The probability that the authenticated encryption function will be invoked with the same initialization vector and the same key on two or more distinct sets of input data shall be no greater than 2^-32. If the module’s power is lost and then restored, a new key for use with AES-GCM encryption/decryption must be established.

Per IG C.H Option 2, the module generates 96-bit GCM IVs randomly as specified in SP800-38D section 8.2.2 using an approved DRBG (Cert. #A3332), that is internal to the module’s boundary.

The Module does not implement the TLS protocol itself; however, it provides the cryptographic functions required for implementing the protocol. AES-GCM encryption is used in the context of the TLS protocol versions 1.2 and 1.3 (per Scenario 1 and Scenario 5 in FIPS 140-3 C.H respectively). For TLS v1.2, the mechanism for IV generation is compliant with RFC 5288. The counter portion of the IV is strictly increasing.
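The two IV schemes in this AES-GCM section can be budgeted per key as follows. This is an added example, not Allegro code and not part of the policy: it computes how many random 96-bit IVs fit under the 2^-32 ceiling, and builds the RFC 5288 nonce (4-byte salt followed by an 8-byte counter) so that exhaustion raises instead of wrapping. All function and class names are hypothetical and the salt is a constructed sample value.

```python
"""Added example: per-key IV budgeting for random and counter-based GCM IVs."""
from fractions import Fraction
from math import isqrt

RANDOM_IV_BITS = 96                       # random IV length stated in the policy
COLLISION_CEILING = Fraction(1, 2 ** 32)  # "no greater than 2^-32"


def collision_bound(invocations, iv_bits=RANDOM_IV_BITS):
    """Upper bound on P(any IV repeats) for uniformly random IVs under one key.

    Union bound: n(n-1)/2 pairs, each colliding with probability 2^-iv_bits.
    """
    return Fraction(invocations * (invocations - 1), 2 ** (iv_bits + 1))


def max_random_iv_invocations(iv_bits=RANDOM_IV_BITS, ceiling=COLLISION_CEILING):
    """Largest invocation count per key whose bound stays at or under the ceiling."""
    pair_budget = int(ceiling * 2 ** (iv_bits + 1))   # need n(n-1) <= pair_budget
    n = (1 + isqrt(1 + 4 * pair_budget)) // 2         # positive root of n^2 - n = budget
    while collision_bound(n + 1, iv_bits) <= ceiling:  # guard against rounding
        n += 1
    while collision_bound(n, iv_bits) > ceiling:
        n -= 1
    return n


class RekeyRequired(Exception):
    """The nonce space for this key is used up; a new key must be established."""


class Tls12GcmNonceSource:
    """RFC 5288 nonce: 4-byte implicit salt || 8-byte explicit part.

    The explicit part is a counter that only moves forward and never wraps.
    """

    EXPLICIT_MAX = 2 ** 64 - 1

    def __init__(self, salt, first_counter=0):
        if len(salt) != 4:
            raise ValueError("RFC 5288 salt is exactly 4 bytes")
        if not 0 <= first_counter <= self.EXPLICIT_MAX:
            raise ValueError("counter must fit in 64 bits")
        self._salt = bytes(salt)
        self._counter = first_counter

    def remaining(self):
        """Number of nonces still available under the current key."""
        return self.EXPLICIT_MAX - self._counter + 1

    def next_nonce(self):
        if self._counter > self.EXPLICIT_MAX:
            # Fail closed: reusing a (key, nonce) pair breaks GCM.
            raise RekeyRequired("explicit nonce space exhausted for this key")
        nonce = self._salt + self._counter.to_bytes(8, "big")
        self._counter += 1
        return nonce


def demo():
    """Issue the last two nonces of a session, then hit exhaustion."""
    salt = b"\xde\xad\xbe\xef"            # constructed sample salt
    source = Tls12GcmNonceSource(salt, first_counter=2 ** 64 - 2)
    issued = [source.next_nonce(), source.next_nonce()]
    try:
        source.next_nonce()
        exhausted = False
    except RekeyRequired:
        exhausted = True
    return max_random_iv_invocations(), issued, exhausted


if __name__ == "__main__":
    budget, issued, exhausted = demo()
    print("random-IV budget per key:", budget)
    print("last nonces:", [n.hex() for n in issued], "rekey needed:", exhausted)
```

With random 96-bit IVs the budget comes out a little above 2^32 encryptions per key, so an application-side invocation counter is needed alongside the module's IV generation.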
When the IV exhausts the maximum number of possible values for a given session key, this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party (client or server) to encounter this condition, to trigger this handshake in accordance with RFC 5246.

For TLS v1.3, the mechanism for IV generation is compliant with RFC 8446.

The TLS 1.2 AES-GCM cipher suites from Section 3.3.1 of SP 800-52 Rev2 supported by the module are:

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC0, 0x2B);
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384 (0xC0, 0x2C);
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC0, 0x2F);
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC0, 0x30);
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x00, 0x9E);
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x00, 0x9F);
• TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00, 0xA2); and
• TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00, 0xA3).

AES-XTS (IG C.I)

AES-XTS shall only be used in storage applications. The module implements the Key_1 ≠ Key_2 check prior to the first use of the algorithm.

AES-FF1 (IG C.J)

The lengths of the following parameters from SP 800-38G:

• radix = 2 … 96;
• minlen = 6;
• maxlen = 2048; and
• maxTlen = 21.

SP 800-107 Requirements (IG C.L)

The Allegro Cryptographic Engine is a software module toolkit. The operator utilizing the algorithms and schemes specified in IG C.L shall operate in accordance with the guidance.

PBKDF2 (IG D.N)

The Allegro Cryptographic Engine requires the password to be at least ten characters in length, the iteration count at least 1000, the salt at least 128 bits in length, and that the master key output from the PBKDF2 is at least 112 bits in length.
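A calling application can enforce these PBKDF2 minimums before any key is derived. The sketch below is an added example, not Allegro code: it uses Python's `hashlib.pbkdf2_hmac` in place of the module's API, defaults to HMAC-SHA-1 because that is the PRF Table 20 lists beside PBKDF, and takes the 71-character alphabet from this section's password rules. Function names are hypothetical; the sample inputs are the public RFC 6070 test vector plus constructed failing values.

```python
"""Added example: checking PBKDF2 inputs against the policy's stated minimums."""
import hashlib
import math
import string

# 52 letters + 10 digits + 9 symbols = the 71 characters the policy allows.
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + "~!@#$%^&*")
MIN_PASSWORD_CHARS = 10
MIN_ITERATIONS = 1000
MIN_SALT_BITS = 128
MIN_MASTER_KEY_BITS = 112


def search_space_bits(length=MIN_PASSWORD_CHARS, alphabet_size=len(ALLOWED_CHARS)):
    """log2 of the number of passwords of this length over the alphabet."""
    return length * math.log2(alphabet_size)


def policy_violations(password, salt, iterations, key_len_bytes):
    """Return a list of human-readable violations; empty means compliant."""
    problems = []
    if len(password) < MIN_PASSWORD_CHARS:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_CHARS)
    outside = sorted(set(password) - ALLOWED_CHARS)
    if outside:
        problems.append("password uses characters outside the allowed set: %r" % outside)
    if len(salt) * 8 < MIN_SALT_BITS:
        problems.append("salt shorter than %d bits" % MIN_SALT_BITS)
    if iterations < MIN_ITERATIONS:
        problems.append("iteration count below %d" % MIN_ITERATIONS)
    if key_len_bytes * 8 < MIN_MASTER_KEY_BITS:
        problems.append("master key shorter than %d bits" % MIN_MASTER_KEY_BITS)
    return problems


def derive_master_key(password, salt, iterations, key_len_bytes, prf="sha1"):
    """Derive the master key only when every minimum is met; otherwise refuse."""
    problems = policy_violations(password, salt, iterations, key_len_bytes)
    if problems:
        raise ValueError("PBKDF2 policy violation: " + "; ".join(problems))
    return hashlib.pbkdf2_hmac(prf, password.encode("ascii"), salt,
                               iterations, key_len_bytes)


if __name__ == "__main__":
    # RFC 6070 test vector 5: long enough to satisfy every minimum above.
    key = derive_master_key("passwordPASSWORDpassword",
                            b"saltSALTsaltSALTsaltSALTsaltSALTsalt", 4096, 25)
    print("master key:", key.hex())
    print("10-char search space: %.1f bits" % search_space_bits())
    # Constructed failing input: every numeric minimum is missed by one step.
    for problem in policy_violations("Short1!", b"\x00" * 8, 999, 13):
        print("rejected:", problem)
```

The minimum iteration count of 1000 is a floor for compliance; the check leaves room for the caller to pass a much larger value.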
Master keys may be used as Device Protection Keys (Option 1(a) from Section 5.4 of NIST SP 800-132). Alternatively, they may be used with a key derivation function to produce a Device Protection Key (Option 1(b) from Section 5.4 of NIST SP 800-132).

Passwords passed to the PBKDF2 implementation shall have a length of at least 10 characters and shall consist of upper- and lower-case letters (52 letters), digits (0-9), and characters from the set ~!@#$%^&*. There are 71 different characters that can be used, in any order. The probability of guessing this password at random is 1 in 71^10, i.e. 1 : 3.3 * 10^18. This provides a password search space of more than 60 bits.

The length of the random salt used in PBKDF2 must be at least 128 bits. The iteration count used in PBKDF2 must be at least 1000 and should be as large as is tolerable by the calling application. The length of the master key generated by PBKDF2 must be at least 112 bits.

The calling application may use the master key as the Data Protection Key, or it may derive the Data Protection Key from the master key using a key derivation function. The Data Protection Key shall be used for storage purposes only and shall use only approved encryption algorithms.

Key Transport Scheme

The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS.

2.8 RBG and Entropy

N/A for this module.

The entropy for seeding the SP 800-90Ar1 DRBG is determined by the user of the module, which is outside of the module’s cryptographic boundary.
To be compliant, the target application shall supply at least 256 bits of entropy in order to meet the security strength required for the random number generation mechanism. Since entropy is loaded passively into the module, there is no assurance of the minimum strength of generated SSPs (e.g., keys).

2.9 Key Generation

SSPs that are generated internally by the module are generated using the module's approved DRBG.

2.10 Key Establishment

The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS. The module also supports key transport methods compliant with NIST SP 800-38F.

2.11 Industry Protocols

While the module does not implement the TLS or SSH protocols, it does implement the key derivation functions for both, per NIST SP 800-135r1.

2.12 Additional Information

Please see Section 11 for details regarding the preparation of the operational environments, and installation of the module.

3 Cryptographic Module Interfaces

3.1 Ports and Interfaces

| Physical Port | Logical Interface(s) | Data That Passes |
|---|---|---|
| N/A | Data Input | Input data passed via API calls as function arguments or in memory buffers referenced by function arguments |
| N/A | Data Output | Data returned by API calls using function arguments and related memory buffers |
| N/A | Control Input | API function calls that initialize and control the operation of the module |
| N/A | Status Output | Values returned from API calls |

Table 21: Ports and Interfaces

As a software cryptographic module, the module’s physical and electrical characteristics, manual controls and physical indicators are those of the host system. The host system provides physical ports that the operating system or applications may use.
The cryptographic module does not access or control the physical interface ports or physical indicators of the GPC. The module does not support a control output interface.

4 Roles, Services, and Authentication

4.1 Authentication Methods

N/A for this module.

The module does not identify or authenticate the operator. The Crypto Officer role is assumed by the operator. Only one operator can operate the module at any time.

4.2 Roles

| Name | Type | Operator Type | Authentication Methods |
|---|---|---|---|
| CO | Role | Crypto Officer | None |

Table 22: Roles

The Allegro Cryptographic Engine supports only one role, which is the Crypto Officer role.

4.3 Approved Services

| Name | Description | Indicator | Inputs | Outputs | Security Functions | SSP Access |
|---|---|---|---|---|---|---|
| AcInit() | Initialize the module for use in Approved mode | Successful Invocation (Pass) | N/A | Invocation Success or Invocation Failure | None | CO |
| AcDeInit() | Zeroize all keys and CSPs and disable crypto services | Successful Invocation (Pass) | N/A | Invocation Success or Invocation Failure | None | CO |
| AcRunSelfTest() | Run cryptographic self-tests on demand | Successful Invocation (Pass) | N/A | Invocation Success or Invocation Failure | DRBG; Message Digest; Generate Digital Signature; Verify Digital Signature; Generate Keys; Shared Secret Computation (KAS-FFC-SSC); Shared Secret Computation (KAS-ECC-SSC); Derive Key (HKDF); Derive Key (TLS 1.2); Derive Key (TLS 1.3); Derive Key (SSH); Derive Key (PBKDF); Message Authentication; Symmetric Cipher; Verify Asymmetric Keys | CO |
| AcAceLibraryInfo() (Show Version) | Return the module name and version | Successful Invocation (Pass) | N/A | Module Name, Major Version, Minor Version, Build Number, Invocation Success or Invocation Failure | None | CO |
| AcGenerateRandomNumbers() | Generate random data | Successful Invocation (Pass) | API call parameters | Random Number, Invocation Success or Invocation Failure | DRBG | CO |
| AcDigest(); AcDigestInit(); AcDigestUpdate(); AcDigestFinal() | Create message digest from input data | Successful Invocation (Pass) | API call parameters | Hash, Invocation Success or Invocation Failure | Message Digest | CO |
| AcDigestClone() | Duplicate a message digest | Successful Invocation (Pass) | API call parameters | Hash, Invocation Success or Invocation Failure | None | CO |
| AcKeyedDigestInit() | Create a keyed message digest of input data | Successful Invocation (Pass) | API call parameters | Digest, Invocation Success or Invocation Failure | Message Digest; Message Authentication | CO - HMAC Key: R,E; AES GMAC Key: R,E; AES CMAC Key: R,E |
| AcSign(); AcSignInit(); AcSignUpdate(); AcSignFinal() | Create a Digital Signature | Successful Invocation (Pass) | API call parameters | Signature, Invocation Success or Invocation Failure | Generate Digital Signature | CO - RSA Private Key: R,E; ECDSA Private Key: R,E |
| AcSignDigestBuffer() | Create a digital signature for a previously computed message digest | Successful Invocation (Pass) | API call parameters | Signature, Invocation Success or Invocation Failure | Generate Digital Signature | CO - RSA Private Key: R,E; ECDSA Private Key: R,E |
| AcVerify(); AcVerifyInit(); AcVerifyUpdate(); AcVerifyFinal() | Verify a digital signature | Successful Invocation (Pass) | API call parameters | Signature, Invocation Success or Invocation Failure | Verify Digital Signature; Verify Asymmetric Keys | CO - RSA Public Key: R,E; ECDSA Public Key: R,E |
| AcVerifyDigestBuffer() | Verify a digital signature for a previously computed digest | Successful Invocation (Pass) | API call parameters | Signature, Invocation Success or Invocation Failure | Verify Digital Signature; Verify Asymmetric Keys | CO - RSA Public Key: R,E; ECDSA Public Key: R,E |
| AcEncryptInit() | Encrypt or decrypt a block of data | Successful Invocation (Pass) | API call parameters | Plaintext, Ciphertext, Invocation Success or Invocation Failure | Symmetric Cipher | CO - AES Key: R,E; AES GCM Key: R,E; AES GCM IV: R,E; AES CCM Key: R,E; AES-XTS Testing Revision 2.0 Key: R,E; AES CMAC Key: R,E; AES GMAC Key: R,E |
| AcEncryptUpdate() | Encrypt or decrypt a block of data | Successful Invocation (Pass) | API call parameters | Plaintext, Ciphertext, Invocation Success or Invocation Failure | Symmetric Cipher | CO - AES Key: R,E; AES GCM Key: R,E; AES GCM IV: R,E; AES CCM Key: R,E; AES-XTS Testing Revision 2.0 Key: R,E; AES CMAC Key: R,E; AES GMAC Key: R,E |
| AcEncryptFinal() | Encrypt or decrypt a block of data | Successful Invocation (Pass) | API call parameters | Plaintext, Ciphertext, Invocation Success or Invocation Failure | Symmetric Cipher | CO - AES Key: R,E; AES GCM Key: R,E; AES GCM IV: R,E; AES CCM Key: R,E; AES-XTS Testing Revision 2.0 Key: R,E; AES CMAC Key: R,E; AES GMAC Key: R,E |
| AcGenerateKey() | Generate symmetric keys | Successful Invocation (Pass) | API call parameters | Key, Invocation Success or Invocation Failure | Generate Keys | CO - AES Key: G,W; AES GCM Key: G,W; AES CMAC Key: G,W; AES-XTS Testing Revision 2.0 Key: G,W; Key Encryption Key (KEK): G,W |
| AcGenerateKeyPair() | Generate asymmetric key pairs | Successful Invocation (Pass) | API call parameters | KeyPair, Invocation Success or Invocation Failure | Generate Keys | CO - RSA Private Key: G,W; RSA Public Key: G,W; ECDSA Private Key: G,W; ECDSA Public Key: G,W; ECDH Private Components: G,W; ECDH Public Components: G,W; DH Private Components: G,W; DH Public Components: G,W |
| AcBuildKeyPairFromParams() | Generate asymmetric key pairs using specific key parameters | Successful Invocation (Pass) | API call parameters | KeyPair, Invocation Success or Invocation Failure | Generate Keys; Shared Secret Computation (KAS-FFC-SSC); Shared Secret Computation (KAS-ECC-SSC) | CO - RSA Private Key: G,W; RSA Public Key: G,W; ECDSA Private Key: G,W; ECDSA Public Key: G,W; ECDH Private Components: G,W; ECDH Public Components: G,W; DH Private Components: G,W; DH Public Components: G,W |
| AcExportKey() | Wrap Key | Successful Invocation (Pass) | API call parameters | Key/KeyPair, Invocation Success or Invocation Failure | Key Wrapping | CO - Key Encryption Key (KEK): R,E |
| AcImportKey() | Unwrap Key | Successful Invocation (Pass) | API call parameters | Key/KeyPair, Invocation Success or Invocation Failure | Key Wrapping | CO - Key Encryption Key (KEK): W,E |
| AcKeySize() | Return the key size for a selected Key | Successful Invocation (Pass) | API call parameters | Key Size, Invocation Success or Invocation Failure | None | CO |
| AcKeyExchange() | Establish a shared secret | Successful Invocation (Pass) | API call parameters | Shared, Secret, Key, Invocation Success or Invocation Failure | Shared Secret Computation (KAS-FFC-SSC); Shared Secret Computation (KAS-ECC-SSC) | CO - ECDH Private Components: R,E; ECDH Public Components: R,E; DH Private Components: R,E; DH Public Components: R,E; DH Shared Secret: R,E; ECDH Shared Secret: R,E |
| AcDeriveKey() | Derive a key | Successful Invocation (Pass) | API call parameters | Key, Invocation Success or Invocation Failure | Derive Key (HKDF); Derive Key (TLS 1.2); Derive Key (TLS 1.3); Derive Key (SSH); Derive Key (PBKDF) | CO - TLS Session Key: G,W; PBKDF2 DPK: G,W; AES Key: G,W; TLS RSA Premaster Secret: G,W; TLS Master Secret: G,W; TLS Integrity Key: G,W; PBKDF2 Password: G,W; TLS Extended Master Secret: G,W |
| AcReleaseHandle() | Zeroize Keys | Successful Invocation (Pass) | API call parameters | Invocation Success or Invocation Failure | None | CO - AES Key: Z; AES GCM Key: Z; AES GCM IV: Z; AES CCM Key: Z; AES-XTS Testing Revision 2.0 Key: Z; AES CMAC Key: Z; AES GMAC Key: Z; HMAC Key: Z; Key Encryption Key (KEK): Z; PBKDF2 DPK: Z; PBKDF2 Password: Z; RSA Private Key: Z; ECDSA Private Key: Z; ECDH Private Components: Z; TLS RSA Premaster Secret: Z; TLS Master Secret: Z; TLS Session Key: Z; TLS Integrity Key: Z; DRBG Entropy Input: Z; DRBG Seed: Z; DRBG 'C' Value: Z; DRBG 'V' Value: Z; RSA Public Key: Z; ECDSA Public Key: Z; ECDH Public Components: Z; TLS Extended Master Secret: Z; DH Shared Secret: Z; ECDH Shared Secret: Z |
| AcAceLibraryStatus() (Show Status) | Query whether library is in the soft error state | Successful Invocation (Pass) | API call parameters | Invocation Success or Invocation Failure | None | CO |
| AcKeyedDigest() | Message authentication | Successful Invocation (Pass) | API call parameters | Invocation Success or Invocation Failure | Message Digest; Message Authentication | CO - HMAC Key: R,E; AES CMAC Key: R,E; AES GMAC Key: R,E |
| AcDigestSize() | Message authentication digest size | Successful Invocation (Pass) | API call parameters | Invocation Success or Invocation Failure | None | CO |
| AcEncrypt() | Encrypt plaintext | Successful Invocation (Pass) | API call parameters | Ciphertext, Invocation Success or Invocation Failure | Message Authentication; Symmetric Cipher | CO - AES Key: R,E; AES GCM Key: R,E; AES GCM IV: R,E; AES CCM Key: R,E; AES-XTS Testing Revision 2.0 Key: R,E; AES CMAC Key: R,E; AES GMAC Key: R,E |
| AcEncryptBlockSize() | Return size of ciphertext | Successful Invocation (Pass) | API call parameters | Invocation Success or Invocation Failure | None | CO |
| AcSetOperationParameter() | Sets/Configures non-security relevant operational parameters | Successful Invocation (Pass) | API call parameters | Invocation Success or Invocation Failure | None | CO |
| AcGetVendorImplementation() | Returns the Module's Algorithm capabilities | Successful Invocation (Pass) | API call parameters | Invocation Success or Invocation Failure | None | CO |
| AcAESFpeEncrypt() | Encrypt plaintext | Successful Invocation (Pass) | API call parameters | Ciphertext, Invocation Success or Invocation Failure | Symmetric Cipher | CO - AES Key: R,E |
| AsGetCryptoDataPtr() | Get Data Pointer | Successful Invocation (Pass) | API call parameters | Data Pointer, Invocation Success or Invocation Failure | None | CO |
| AcGetAceError() | Get Error Message | Successful Invocation (Pass) | API call parameters | Error Message, Invocation Success or Invocation Failure | None | CO |
| AcGatherSystemNoise() | Gather Entropy Input | Successful Invocation (Pass) | API call parameters | Entropy Input, Invocation Success or Invocation Failure | None | CO - DRBG Entropy Input: G,W,E; DRBG 'V' Value: G,W,E; DRBG 'C' Value: G,W,E |
| AcGetPersonalizationData() | Get DRBG Personalization Data | Successful Invocation (Pass) | API call parameters | Personalization Data, Invocation Success or Invocation Failure | None | CO - DRBG Personalization String: R; DRBG Seed: G,W,E |
| AcEncryptClone() | Duplicate an Encrypt Operation | Successful Invocation (Pass) | API call parameters | Encrypt Operation, Invocation Success or Invocation Failure | None | CO |

Table 23: Approved Services

4.4 Non-Approved Services

N/A for this module.

4.5 External Software/Firmware Loaded

The module does not support the external loading of software or firmware.

5 Software/Firmware Security

5.1 Integrity Techniques

The module, which is made up of a single component, is provided in the form of binary executable code (Acelib.so for Linux and AceDll.dll for Windows). A software integrity test is performed on the runtime image of the module. The HMAC-SHA2-256 (Cert. #A3332) implemented in the module is used as an approved algorithm for the integrity test. If the test fails, the module enters an error state where no cryptographic services are provided, and data output is prohibited (the module is not operational).

5.2 Initiate on Demand

The software integrity test is performed as part of the Pre-Operational self-tests. It is automatically executed at power-on. It can also be invoked by powering-off and reloading the module or using the AcRunSelfTest() service.
6 Operational Environment

6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable

How Requirements are Satisfied: The module operates in a modifiable operational environment as described by the FIPS 140-3 definition. The operating systems on which the module was tested run user processes in logically separate process spaces. When the module is present in memory, the operating system protects the module’s memory space from unauthorized access. The module functions entirely within the process space of the calling application.

7 Physical Security

The physical security requirements of FIPS 140-3 do not apply to software modules.

8 Non-Invasive Security

The module does not implement non-invasive attack mitigations.

9 Sensitive Security Parameters Management

9.1 Storage Areas

| Storage Area Name | Description | Persistence Type |
|---|---|---|
| RAM | Random Access Memory | Dynamic |

Table 24: Storage Areas

The module does not persistently store SSPs.

9.2 SSP Input-Output Methods

| Name | From | To | Format Type | Distribution Type | Entry Type | SFI or Algorithm |
|---|---|---|---|---|---|---|
| Input | Calling Process | Call stack (API) input parameters | Plaintext | Manual | Electronic | |
| Output | Call stack (API) output parameters | Calling Process | Plaintext | Manual | Electronic | |
| KTS Output | Internal | External | Encrypted | Manual | Electronic | Key Wrapping |
| KTS Input | External | Internal | Plaintext | Manual | Electronic | Key Wrapping |

Table 25: SSP Input-Output Methods

Note: To prevent the inadvertent output of sensitive information, two independent internal actions shall be required in order to output any plaintext CSP.
9.3 SSP Zeroization Methods

| Zeroization Method | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Unload Module | Unload module from memory | SSPs no longer present in memory after unload | Operator unloads module |
| API Call | API zeroize instruction | SSPs no longer present in memory after API call | AcDeInit(); AcReleaseHandle() |
| Remove Power | Power removed from host GPC | SSPs no longer present in memory after GPC power loss | Operator powers off GPC |

Table 26: SSP Zeroization Methods

SSPs are implicitly zeroized when unloading the module or removing power, and explicitly zeroized when using AcDeInit() and AcReleaseHandle() where SSPs are overwritten with zeros.

9.4 SSPs

| Name | Description | Size - Strength | Type - Category | Generated By / Established By / Used By |
|---|---|---|---|---|
| AES Key | AES-ECB, AES-CBC, AES-CFB1, AES-CFB8, AES-CFB128, AES-CTR, AES-OFB, AES-FF1 | 128, 192, 256 bits - 128, 192, 256 bits | Symmetric - CSP | Generate Keys; Symmetric Cipher |
| AES GCM Key | AES-GCM | 128, 192, 256 bits - 128, 192, 256 bits | Symmetric - CSP | Generate Keys; Symmetric Cipher |
| AES GCM IV | AES-GCM | 96 bits - 96 bits | Initialization Vector - CSP | DRBG; Symmetric Cipher |
| AES CCM Key | AES-CCM | 128, 192, 256 bits - 128, 192, 256 bits | Symmetric - CSP | Generate Keys; Symmetric Cipher |
| AES-XTS Testing Revision 2.0 Key | AES-XTS Testing Revision 2.0 | 128, 256 bits - 128, 256 bits | Symmetric - CSP | Generate Keys; Symmetric Cipher |
| AES CMAC Key | AES-CMAC | 128, 192, 256 bits - 128, 192, 256 bits | Message Authentication - CSP | Generate Keys; Message Authentication |
| AES GMAC Key | AES-GMAC | 128, 192, 256 bits - 128, 192, 256 bits | Message Authentication - CSP | Generate Keys; Message Authentication |
| HMAC Key | HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 | 160, 224, 256, 384, 512 bits - 160, 224, 256, 384, 512 bits | Message Authentication - CSP | Message Authentication; Message Authentication |
| Key Encryption Key (KEK) | AES-KW, AES-KWP | 128, 192, 256 bits - 128, 192, 256 bits | Symmetric Key Wrapping (KTS) - CSP | Generate Keys; Key Wrapping |
| PBKDF2 DPK | PBKDF | 112 bits - 112 bits | Data Protection Key - CSP | Derive Key (PBKDF); Derive Key (PBKDF) |
| PBKDF2 Password | PBKDF Password | Greater than or equal to 80 bits of data - Greater than or equal to 80 bits of data | Password - CSP | Derive Key (PBKDF) |
| RSA Private Key | RSA (186-4) | 2048, 3072, 4096 bits - 112, 128, 150 bits | Asymmetric Private Key - CSP | Generate Keys; Generate Digital Signature |
| ECDSA Private Key | ECDSA (186-4) | P-224, P-256, P-384, P-521 - 112, 128, 192, 256 bits | Asymmetric Private Key - CSP | Generate Keys; Generate Digital Signature |
| ECDH Private Components | KAS-ECC-SSC (NIST SP 800-56Ar3) | P-224, P-256, P-384, P-521 - 112, 128, 192, 256 bits | Asymmetric Private Key - CSP | Shared Secret Computation (KAS-ECC-SSC); Shared Secret Computation (KAS-ECC-SSC) |
| TLS RSA Premaster Secret | Used to derive the master secret | 384 bits - 384 bits | Premaster Secret - CSP | Derive Key (TLS 1.2) |
| TLS Master Secret | Used to generate the session keys | 384 bits - 384 bits | Master Secret - CSP | Derive Key (TLS 1.2); Derive Key (TLS 1.3); Derive Key (TLS 1.2); Derive Key (TLS 1.3) |
| TLS Session Key | Used for data encryption | 128 or 256 bits - 128 or 256 bits | Session Key - CSP | Derive Key (TLS 1.2); Derive Key (TLS 1.3); Derive Key (TLS 1.2); Derive Key (TLS 1.3) |
| TLS Integrity Key | Used for data integrity and authenticity | 160 bits - 160 bits | Integrity Key - CSP | Derive Key (TLS 1.2); Derive Key (TLS 1.3); Derive Key (TLS 1.2); Derive Key (TLS 1.3) |
| DRBG Entropy Input | NIST SP 800-90A DRBG Entropy Input | 256 bits - 256 bits | Entropy Input - CSP | DRBG |
| DRBG Seed | NIST SP 800-90A DRBG Seed | 440-888 bits - 440-888 bits | Seed - CSP | DRBG |
| DRBG 'C' Value | NIST SP 800-90A DRBG 'C' Value (IG D.L) | 440-888 bits - 440-888 bits | Internal State Value - CSP | DRBG; DRBG |
| DRBG 'V' Value | NIST SP 800-90A DRBG 'V' Value (IG D.L) | 440-888 bits - 440-888 bits | Internal State Value - CSP | DRBG; DRBG |
| RSA Public Key | RSA Public Key | 2048, 3072, 4096 bits - 112, 128, 150 bits | Asymmetric Public Key - PSP | Generate Keys; Verify Digital Signature |
| ECDSA Public Key | ECDSA Public Key | P-224, P-256, P-384, P-521 - 112, 128, 192, 256 bits | Asymmetric Public Key - PSP | Generate Keys; Verify Digital Signature |
| ECDH Public Components | ECDH Public Components | P-224, P-256, P-384, P-521 - 112, 128, 192, 256 bits | Key Agreement Components - PSP | Shared Secret Computation (KAS-ECC-SSC); Shared Secret Computation (KAS-ECC-SSC) |
| TLS Extended Master Secret | Binds the master secret to a log of the full handshake | 384-bits - 384-bits | Extended Master Secret - CSP | Derive Key (TLS 1.2); Derive Key (TLS 1.2) |
| DH Private Components | Private components for KAS-FFC-SSC | MODP 2048, MODP 3072 - 112 bits, 128 bits | Asymmetric Private Key - CSP | Shared Secret Computation (KAS-FFC-SSC); Shared Secret Computation (KAS-FFC-SSC) |
| DH Public Components | Public components for KAS-FFC-SSC | MODP 2048, MODP 3072 - 112 bits, 128 bits | Asymmetric Public Key - PSP | Shared Secret Computation (KAS-FFC-SSC); Shared Secret Computation (KAS-FFC-SSC) |
| DRBG Personalization String | Optional input to the DRBG instantiate function | 128 to 256 bits - 128 to 256 bits | Personalization String - Neither | DRBG |
| DH Shared Secret | Shared Secret from KAS-FFC-SSC Computation | 112 bits or 128 bits - 112 bits or 128 bits | Shared Secret - CSP | Shared Secret Computation (KAS-FFC-SSC); Derive Key (HKDF); Derive Key (TLS 1.2); Derive Key (TLS 1.3); Derive Key (SSH) |
| ECDH Shared Secret | Shared Secret from KAS-ECC-SSC Computation | 112, 128, 192, 256 bits - 112, 128, 192, 256 bits | Shared Secret - CSP | Shared Secret Computation (KAS-ECC-SSC); Derive Key (HKDF); Derive Key (TLS 1.2); Derive Key (TLS 1.3); Derive Key (SSH) |

Table 27: SSP Table 1

| Name | Input - Output | Storage | Storage Duration | Zeroization | Related SSPs |
|---|---|---|---|---|---|
| AES Key | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| AES GCM Key | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | AES GCM IV:Used With |
| AES GCM IV | Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | AES GCM Key:Used With |
| AES CCM Key | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| AES-XTS Testing Revision 2.0 Key | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| AES CMAC Key | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| AES GMAC Key | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| HMAC Key | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| Key Encryption Key (KEK) | KTS Output; KTS Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| PBKDF2 DPK | Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | PBKDF2 Password:Derived From |
| PBKDF2 Password | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; Remove Power | PBKDF2 DPK:Used With |
| RSA Private Key | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | RSA Public Key:Paired With |
| ECDSA Private Key | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | ECDSA Public Key:Paired With |
| ECDH Private Components | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | ECDH Public Components:Paired With |
| TLS RSA Premaster Secret | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| TLS Master Secret | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | TLS RSA Premaster Secret:Derived From |
| TLS Session Key | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | TLS Master Secret:Derived From |
| TLS Integrity Key | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | TLS Master Secret:Derived From |
| DRBG Entropy Input | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | DRBG Seed:Used With |
| DRBG Seed | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; Remove Power | DRBG Entropy Input:Derived From |
| DRBG 'C' Value | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | DRBG Seed:Derived From |
| DRBG 'V' Value | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | DRBG Seed:Derived From |
| RSA Public Key | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | RSA Private Key:Paired With |
| ECDSA Public Key | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | ECDSA Private Key:Paired With |
| ECDH Public Components | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | ECDH Private Components:Paired With |
| TLS Extended Master Secret | | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | TLS RSA Premaster Secret:Derived From |
| DH Private Components | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| DH Public Components | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| DRBG Personalization String | Input | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| DH Shared Secret | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |
| ECDH Shared Secret | Input; Output | RAM:Plaintext | In volatile memory until zeroized | Unload Module; API Call; Remove Power | |

Table 28: SSP Table 2

10 Self-Tests

The Allegro Cryptographic Engine performs power-up and conditional CASTs automatically each time the module is loaded into memory. While the module is performing self-tests, all data output interfaces are inhibited. (Data output can only exit the data output interface when the commensurate API call is made.)
10.1 Pre-Operational Self-Tests

| Algorithm or Test | Test Properties | Test Method | Test Type | Indicator | Details |
|---|---|---|---|---|---|
| HMAC-SHA2-256 (A3332) | HMAC-SHA2-256 | Software Integrity Test | SW/FW Integrity | Pass | Keyed hash performed on Acelib.so or AceDll.dll |

Table 29: Pre-Operational Self-Tests

The module performs the pre-operational software integrity test automatically upon every instantiation. (A CAST for HMAC-SHA2-256 executes prior to the software integrity test.)

10.2 Conditional Self-Tests

| Algorithm or Test | Test Properties | Test Method | Test Type | Indicator | Details | Conditions |
|---|---|---|---|---|---|---|
| AES-CBC Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-CBC Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-CCM Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-CCM Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-CFB1 Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-CFB Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-CFB8 Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-CFB8 Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-CFB128 Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-CFB128 Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-CMAC Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-CMAC Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-CTR Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-CTR Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-ECB Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-ECB Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-FF1 Encrypt (A3332) | 128 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-GCM Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-GCM Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-OFB Encrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-OFB Decrypt (A3332) | 128, 192, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-XTS Testing Revision 2.0 Encrypt (A3332) | 128, 256 bit Key | KAT | CAST | Pass | Encrypt | Power-On |
| AES-XTS Testing Revision 2.0 Decrypt (A3332) | 128, 256 bit Key | KAT | CAST | Pass | Decrypt | Power-On |
| AES-GMAC Encrypt (A3332) | 128, 192, 256 | KAT | CAST | Pass | Encrypt | Power-On |
| AES-GMAC Decrypt (A3332) | 128, 192, 256 | KAT | CAST | Pass | Decrypt | Power-On |
| ECDSA KeyGen (FIPS186-4) (A3332) | P-384 | Pairwise Consistency Test | PCT | Pass | Sign & Verify | Conditional upon ECDSA KeyPair Generation |
| ECDSA SigGen (FIPS186-4) (A3332) | P-384 Curve | KAT | CAST | Pass | Sign | Power-On |
| ECDSA SigVer (FIPS186-4) (A3332) | P-384 Curve | KAT | CAST | Pass | Verify | Power-On |
| Hash DRBG (A3332) | SHA2-256, SHA2-512 (NIST SP 800-90A, Section 11.3 Health Tests) | KAT | CAST | Pass | Hash_DRBG | 1. Power On; 2. Instantiate: Any time that a new DRBG instance is created; 3. Generate: When new random data is generated; 4. Reseed: When the reseed counter has reached its pre-determined maximum value and the DRBG needs to be reseeded |
| HMAC-SHA-1 (A3332) | 160 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA2-224 (A3332) | 224 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA2-256 (A3332) | 256 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA2-384 (A3332) | 384 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA2-512 (A3332) | 512 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA3-224 (A3332) | 224 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA3-256 (A3332) | 256 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA3-384 (A3332) | 384 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| HMAC-SHA3-512 (A3332) | 512 bit Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| KAS-ECC-SSC Sp800-56Ar3 (A3332) | P-384 Curve | KAT | CAST | Pass | Primitive "Z" | Power-On |
| KAS-FFC-SSC Sp800-56Ar3 (A3332) | MODP-2048, MODP-3072 | KAT | CAST | Pass | Primitive "Z" | Power-On |
| KDA HKDF Sp800-56Cr1 (A3332) | SHA2-256 | KAT | CAST | Pass | Hash | Power-On |
| KDF SSH (A3332) | AES-128, AES-192, AES-256, SHA2-256 | KAT | CAST | Pass | Hash | Power-On |
| PBKDF (A3332) | 160 bit Keyed Hash | KAT | CAST | Pass | Keyed Hash | Power-On |
| RSA KeyGen (FIPS186-4) (A3332) | 2048 bit key | Pairwise Consistency Test | PCT | Pass | Sign & Verify | Conditional upon RSA KeyPair Generation |
| RSA SigGen (FIPS186-4) (A3332) | 2048 bit Key | KAT | CAST | Pass | Sign | Power-On |
| RSA SigVer (FIPS186-4) (A3332) | 2048 bit Key | KAT | CAST | Pass | Verify | Power-On |
| SHA-1 (A3332) | 160 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA2-224 (A3332) | 224 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA2-256 (A3332) | 256 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA2-384 (A3332) | 384 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA2-512 (A3332) | 512 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA3-224 (A3332) | 224 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA3-256 (A3332) | 256 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA3-384 (A3332) | 384 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHA3-512 (A3332) | 512 bit Hash | KAT | CAST | Pass | Hash | Power-On |
| SHAKE-128 (A3332) | 128 bits | KAT | CAST | Pass | Hash | Power-On |
| SHAKE-256 (A3332) | 256 bits | KAT | CAST | Pass | Hash | Power-On |
| TLS v1.2 KDF RFC7627 (A3332) | SHA2-256 | KAT | CAST | Pass | Hash | Power-On |
| TLS v1.3 KDF (A3332) | SHA2-256 | KAT | CAST | Pass | Hash | Power-On |
| AES-XTS Testing Revision 2.0 (A3332) | 128, 256 bit key | Key_1 ≠ Key_2 (IG C.I) | CAST | Pass | Check | Conditional upon first use of AES-XTS |
| KAS-ECC-SSC Sp800-56Ar3 Assurance Test (A3332) | P-224, P-256, P-384, P-521 | Public Key Assurance Test | CAST | Pass | Check | Conditional upon ECDSA KeyPair Generation |
| AES-KW Encrypt (A3332) | 128, 192, 256 | KAT | CAST | Pass | Encrypt | Power-On |
| AES-KW Decrypt (A3332) | 128, 192, 256 | KAT | CAST | Pass | Decrypt | Power-On |
| AES-KWP Encrypt (A3332) | 128, 192, 256 | KAT | CAST | Pass | Encrypt | Power-On |
| AES-KWP Decrypt (A3332) | 128, 192, 256 | KAT | CAST | Pass | Decrypt | Power-On |
| KAS-FFC-SSC PCT (A3332) | 2048 | Pairwise Consistency Test | PCT | Pass | Sign & verify | Conditional upon Safe Prime KeyPair Generation |

Table 30: Conditional Self-Tests

Conditional CASTs are performed automatically upon every instantiation. The pairwise consistency tests are performed on the condition that an asymmetric keypair is requested, and the AES-XTS key validation test is performed prior to using the keys, per IG C.I. The DRBG health tests required by NIST SP 800-90A, Section 11.3 (instantiate, generate, reseed) execute upon instantiation of the module and also upon the following conditions:

1. Instantiate: Any time that a new DRBG instance is created.
2. Generate: When new random data is generated.
3. Reseed: When the reseed counter has reached its pre-determined maximum value and the DRBG needs to be reseeded.

10.3 Periodic Self-Test Information

| Algorithm or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|
| HMAC-SHA2-256 (A3332) | Software Integrity Test | SW/FW Integrity | On Demand | Reload Module or AcRunSelfTest() |

Table 31: Pre-Operational Periodic Information

| Algorithm or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|
| AES-CBC Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CBC Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CCM Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CCM Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CFB1 Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CFB Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CFB8 Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CFB8 Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CFB128 Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CFB128 Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CMAC Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CMAC Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CTR Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-CTR Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-ECB Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-ECB Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-FF1 Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-GCM Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-GCM Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-OFB Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-OFB Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-XTS Testing Revision 2.0 Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-XTS Testing Revision 2.0 Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-GMAC Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-GMAC Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| ECDSA KeyGen (FIPS186-4) (A3332) | Pairwise Consistency Test | PCT | N/A | N/A |
| ECDSA SigGen (FIPS186-4) (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| ECDSA SigVer (FIPS186-4) (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| Hash DRBG (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA-1 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA2-224 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA2-256 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA2-384 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA2-512 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA3-224 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA3-256 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA3-384 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| HMAC-SHA3-512 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| KAS-ECC-SSC Sp800-56Ar3 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| KAS-FFC-SSC Sp800-56Ar3 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| KDA HKDF Sp800-56Cr1 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| KDF SSH (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| PBKDF (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| RSA KeyGen (FIPS186-4) (A3332) | Pairwise Consistency Test | PCT | N/A | N/A |
| RSA SigGen (FIPS186-4) (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| RSA SigVer (FIPS186-4) (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA-1 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA2-224 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA2-256 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA2-384 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA2-512 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA3-224 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA3-256 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA3-384 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHA3-512 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHAKE-128 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| SHAKE-256 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| TLS v1.2 KDF RFC7627 (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| TLS v1.3 KDF (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-XTS Testing Revision 2.0 (A3332) | Key_1 ≠ Key_2 (IG C.I) | CAST | N/A | N/A |
| KAS-ECC-SSC Sp800-56Ar3 Assurance Test (A3332) | Public Key Assurance Test | CAST | N/A | N/A |
| AES-KW Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-KW Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-KWP Encrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| AES-KWP Decrypt (A3332) | KAT | CAST | On Demand | Reload Module or AcRunSelfTest() |
| KAS-FFC-SSC PCT (A3332) | Pairwise Consistency Test | PCT | N/A | N/A |

Table 32: Conditional Periodic Information

The pre-operational software integrity test and all conditional CASTs can be executed on-demand by calling the AcRunSelfTest() service.
10.4 Error States

| Name | Description | Conditions | Recovery Method | Indicator |
|---|---|---|---|---|
| Hard Error State | Non-recoverable error state | Result of pre-operational self-test failure; Result of CAST failure | Reload module / Reinstall module | Fail |
| Soft Error State | Recoverable error state | Result of RSA pairwise consistency test failure; Result of ECDSA pairwise consistency test failure; Result of Key_1 ≠ Key_2 for AES-XTS | Automatic | Fail |

Table 33: Error States

The module implements two error states: a hard error state, whereby recovery may be attempted by restarting or reinstalling the module, and a software error state, whereby conditional self-test failures such as the pairwise tests and the AES-XTS key validation test may be recovered. Self-tests in the module return an indication of whether the invocation passed or failed. If any self-test fails, the module's data output interfaces will be inhibited, and only control input and status output commands will be allowed to execute.

To correct an on-demand or conditional self-test error, the module must be restarted by calling the AllegroTaskInit() service after the module has been de-initialized. To correct a pre-operational self-test error, the module must be reloaded into memory by terminating and restarting the host application. If the pre-operational self-test fails after restarting the host application, it will be necessary to re-install the module.

10.5 Operator Initiation of Self-Tests

The pre-operational software integrity test and all conditional CASTs can be executed by the operator using the API call AcRunSelfTest().

11 Life-Cycle Assurance

11.1 Installation, Initialization, and Startup Procedures

When built and executed, the module automatically operates in the approved mode. (Additional guidance is provided in Section 11.2.)
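The load-time sequence of Sections 10.1 and 10.2 and the error states of Section 10.4, modelled as an added example (not Allegro's code or API). `ModuleModel`, `SAMPLE_IMAGE` and `SAMPLE_KEY` are hypothetical, the HMAC known-answer vector is RFC 4231 test case 1, and reading "Automatic" recovery as "cleared by the next valid AES-XTS key" is an assumption.

```python
import hashlib
import hmac
from enum import Enum

# Known-answer vector for the HMAC-SHA2-256 CAST: RFC 4231, test case 1.
KAT_KEY = b"\x0b" * 20
KAT_MSG = b"Hi There"
KAT_MAC = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")
# Constructed sample inputs standing in for the module binary and its key.
SAMPLE_IMAGE = b"constructed stand-in for the bytes of Acelib.so"
SAMPLE_KEY = b"constructed-integrity-key"


class State(Enum):
    OPERATIONAL = "operational"
    SOFT_ERROR = "soft error"  # recoverable: PCT or AES-XTS key check failed
    HARD_ERROR = "hard error"  # latched until the module is reloaded


class OutputInhibited(Exception):
    """A data-output service was called while the module is in an error state."""


def image_mac(key: bytes, image: bytes) -> bytes:
    """Keyed hash (HMAC-SHA2-256) over the module image bytes."""
    return hmac.new(key, image, hashlib.sha256).digest()


class ModuleModel:
    """Hypothetical model; constructing it stands for loading the module."""

    def __init__(self, image: bytes, key: bytes, expected_mac: bytes):
        self._key, self._expected = key, expected_mac
        self.state = State.HARD_ERROR  # output stays inhibited until tests pass
        if self._self_tests(image):
            self.state = State.OPERATIONAL

    def _self_tests(self, image: bytes) -> bool:
        # The HMAC CAST runs first, because the integrity test depends on it.
        if not hmac.compare_digest(image_mac(KAT_KEY, KAT_MSG), KAT_MAC):
            return False
        return hmac.compare_digest(image_mac(self._key, image), self._expected)

    def run_self_test(self, image: bytes) -> bool:
        """On-demand re-run: can enter the hard error state, never leave it."""
        passed = self._self_tests(image)
        if not passed:
            self.state = State.HARD_ERROR
        return passed and self.state is not State.HARD_ERROR

    def check_xts_key(self, xts_key: bytes) -> bool:
        """AES-XTS key validation: Key_1 and Key_2 must differ."""
        if self.state is State.HARD_ERROR:
            return False
        if len(xts_key) not in (32, 64):  # two 128-bit or two 256-bit halves
            raise ValueError("AES-XTS key must be 32 or 64 bytes")
        half = len(xts_key) // 2
        same = hmac.compare_digest(xts_key[:half], xts_key[half:])
        # Assumption: "automatic" recovery means the next valid key clears it.
        self.state = State.SOFT_ERROR if same else State.OPERATIONAL
        return not same

    def output(self, data: bytes) -> bytes:
        """Stand-in for any service that returns data to the caller."""
        if self.state is not State.OPERATIONAL:
            raise OutputInhibited(self.state.value)
        return data

    def status(self) -> str:
        """Status output stays available in every state."""
        return self.state.value
```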
11.2 Administrator Guidance

Initial setup for the module consists of:

1. Installing the host operating system: Linux 5.15 (Mint 21) or Windows 11 Pro.
2. Creating a new user account on the Operating System (and providing that user account with a password).

The host operating system will provide the operational environment required for the module to meet FIPS 140-3, Level 1 security specifications. The Crypto Officer will create a new admin account per the guidelines of the OS user manual. (The Crypto Officer shall refer to all administrative and guidance documents in order to create a new user account on the Operating System.) The Crypto Officer is in charge of the secure management and handling of the module.

The Allegro Cryptographic Engine is shipped on a DVD and delivered via FedEx. A tracking number is provided to the Crypto Officer in order to track the progress of the shipment and ensure secure delivery. The Crypto Officer shall sign for the DVD upon arrival and shall maintain control of the DVD throughout its lifetime.

Following the secure delivery of the module, the Crypto Officer shall first follow the steps outlined above. After the operational environment has been prepared, the module can be built in any configuration specified in Table 2 of this security policy, by consulting the build instructions provided in Chapter 5 of the ACE™ Allegro Cryptography Engine Programming Reference, Version 6.50, included on the DVD.

During normal operation, the operator may check the status of the module by attempting to run a service. If the service executes and does not return an error, the module is operating in the approved mode.

11.3 Non-Administrator Guidance

The module supports the role of Crypto Officer only, which is an administrative role.

11.4 End of Life

The module may be sanitized by uninstalling the binary and power-cycling the host GPC.

11.5 Additional Information

The operator shall adhere to the guidelines of this Security Policy. Operators in the Crypto Officer role are able to use the approved services listed in this security policy. The operator is responsible for monitoring the module for any irregular activity.

12 Mitigation of Other Attacks

The module does not attempt to mitigate specific attacks.