NXP Semiconductors 2023 Version 1.5 Page 1 of 65 Public Material – May be reproduced only in its original entirety (without revision). FIPS 140-3 Non-Proprietary Security Policy JCOP 4.5 on P71D600 Document Version: 1.5 Date: 24 December 2023 NXP Semiconductors 2023 Version 1.5 Page 2 of 65 Public Material – May be reproduced only in its original entirety (without revision). Revision History: Version Date Changes 1.0 July 18, 2022 Full Release, added CAVP Cert. # to Table 3 1.1 June 14, 2023 Update after first round NIST comments 1.2 June 23, 2023 Update chapter 10 1.3 August 17, 2023 Update after CMVP comments 1.4 November 24, 2023 Update after CMVP comments 1.5 December 24, 2023 Update after CMVP comments NXP Semiconductors 2023 Version 1.5 Page 3 of 65 Public Material – May be reproduced only in its original entirety (without revision). Contents 1 General..................................................................................................................................................5 2 Cryptographic Module Specification.....................................................................................................7 3 Cryptographic Module Interfaces .......................................................................................................20 4 Roles, Services and Authentication.....................................................................................................21 5 Software/Firmware Security...............................................................................................................40 6 Operational Environment ...................................................................................................................41 7 Physical Security..................................................................................................................................42 8 Non-Invasive Security..........................................................................................................................43 9 Sensitive Security Parameter Management........................................................................................44 10 Self-Tests.............................................................................................................................................61 11 Life-Cycle Assurance............................................................................................................................63 12 Mitigation of Other Attacks ................................................................................................................64 List of Figures Figure 1 – P71D600............................................................................................................................................................16 Figure 2 – P71D600 Physical Form (Schematic).................................................................................................17 Figure 3 – Module Block Diagram..............................................................................................................................18 List of Table Table 1 – Security Levels........................................................................................................................................................6 Table 2 – Cryptographic Module Tested Configuration..............................................................................................7 Table 3 – Approved Algorithms..........................................................................................................................................15 Table 4 – Non-Approved Algorithms Allowed in Approved Mode of Operation...............................................15 Table 5 – Ports and Interfaces............................................................................................................................................20 Table 6 – Roles, Service Commands, Input and Output.............................................................................................25 Table 7 – Roles and Authentication .................................................................................................................................26 Table 8 – Approved Services ...............................................................................................................................................39 Table 9 – Physical Security Inspection Guidelines......................................................................................................42 Table 10 – EFP/EFT...............................................................................................................................................................42 Table 11 – Hardness Testing Temperature Ranges ...................................................................................................42 Table 12 – SSPs........................................................................................................................................................................59 NXP Semiconductors 2023 Version 1.5 Page 4 of 65 Public Material – May be reproduced only in its original entirety (without revision). Table 13 – Non-Deterministic Number Generator Specification...........................................................................60 NXP Semiconductors 2023 Version 1.5 Page 5 of 65 Public Material – May be reproduced only in its original entirety (without revision). Introduction Federal Information Processing Standards Publication 140-3 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a sensitive but unclassified (SBU) environment. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) run the FIPS 140-3 program. The National Voluntary Laboratory Accreditation Program (NVLAP) provides accreditation to independent testing labs performing FIPS 140-3 testing; the CMVP validates modules meeting FIPS 140-3 validation. Validated is the term given to a module that is documented and tested against the FIPS 140-3 criteria. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module- validation-program. About this Document This non-proprietary Cryptographic Module Security Policy for the NXP Semiconductors JCOP 4.5 on P71D600 provides an overview of the product and a high-level description of how it meets the overall Security Level 3 requirements of FIPS 140-3. The JCOP 4.5 on P71D600 may also be referred to as the “Secure Element” or “module” in this document. The module is available under several commercial type names addressing the different market segments relevant for NXP, such as: • JCOP 4.5 on P71D600 • JCOP ID 2 on P71D600 • SE052F • NCJ37B0HN Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. NXP Semiconductors shall have no liability for any error or damages of any kind resulting from the use of this document. Notices This document may be freely reproduced and distributed in its entirety without modification. 1 General NXP Semiconductors 2023 Version 1.5 Page 6 of 65 Public Material – May be reproduced only in its original entirety (without revision). The following table lists the level of validation for each area in FIPS 140-3: ISO/IEC 24759 Section 6 [Number Below] FIPS 140-3 Section Title Security Level 1 General 3 2 Cryptographic Module Specification 3 3 Cryptographic Module Interfaces 3 4 Roles, Services, and Authentication 3 5 Software/Firmware Security 3 6 Operational Environment N/A 7 Physical Security 4 8 Non-Invasive Security 3 9 Sensitive Security Parameter Management 3 10 Self-Tests 3 11 Life-Cycle Assurance 3 12 Mitigation of Other Attacks 3 Table 1 – Security Levels The module claims an Overall Security Level 3. NXP Semiconductors 2023 Version 1.5 Page 7 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module, validated to FIPS 140-3 overall Level 3, is a hardware module with single chip embodiment named JCOP 4.5 on P71D600 implementing the GlobalPlatform operational environment (Card Manager (ISD/SSD)) and the applications: • NXP IoT applet v7.2.22 • NXP SEMS Lite applet v2.0.2.11 The module is designed for use in smart cards, IoT and automotive applications. Module Hardware [Part Number and Version] Firmware Version Distinguishing Features Platform ID ROM ID Patch ID Applets JCOP 4.5 on P71D600 N7122 A1 J3R6000373181200 B3375FE9B5508BC4 00000000 00000000 NXP IoT applet v7.2.22 and NXP SEMS Lite applet v2.0.2.11 The GlobalPlatform operational environment is identified with the Platform ID, the ROM ID, the Patch ID, and other information, describing the content in ROM, NVM and loaded patches; The Platform ID is a data string that allows the identification of the P71D600 Card Table 2 – Cryptographic Module Tested Configuration 2 Cryptographic Module Specification NXP Semiconductors 2023 Version 1.5 Page 8 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module is validated at an Overall Security Level 3 with Physical Security at Level 4 and all other areas at Level 3. The Operational Environment requirements do not apply to the module given that it meets Physical Security Level 4 requirements. Cryptographic Boundary The module is designed to be used as a part of a larger system. It works as an auxiliary security device attached to a host controller. The physical form of the module is depicted in Figures 1 and 2 (to scale); the outline depicts the cryptographic boundary, representing the surface of the chip and the bond pads. The red outline in Figure 3 also depicts the cryptographic boundary. In production use, the module is delivered to either vendors or end user customers either on film frame carrier (FFC) or various packages such as PDM1.1, NXD6.2, MOB6/10 or HVQFN20 package. The package is outside the cryptographic boundary and thus excluded from the FIPS 140-3/ISO/IEC 19790 security testing. The contactless ports of the module require connection to an antenna. The module relies on [ISO 7816] and [ISO 14443] card readers as input/output devices, or a [NXP I2C] connection to a host controller. No components have been excluded from within the cryptographic boundary. Approved Mode of Operation The module only supports an Approved mode of operation. The NXP SEMS Lite applet can support the NIST P- 256 curve or thevendor Approved and NIST allowed Brainpool256r1 elliptic curve to perform the ECDSA or KAS- ECC operations. In the Approved mode of operation, the NXP SEMS Lite applet supports the Brainpool256r1 elliptic curve by default. The CO role may use SEMS Lite Module Management service to load NIST P-256 curve parameters. The P71D600 GlobalPlatform operational environment component can be identified by using the IDENTIFY APDU command (Info service). This command returns the card identification data, which includes a Platform ID, a Patch ID and other information that allows the identification of the content in ROM, NVM and loaded patches. The Platform ID is a data string that allows the identification of the P71D600 Card Manager component. The IDENTIFY APDU command is formatted as follows: Code Value Parameter settings CLA ‘80’ GlobalPlatform INS ‘CA’ GET DATA (IDENTIFY) - ISD P1 ‘00’ High order tag value P2 ‘FE’ Low order tag value - proprietary data Lc ‘02’ Length of data field Data ‘DF28’ Module identification data Le ‘00’ Length of response data NXP Semiconductors 2023 Version 1.5 Page 9 of 65 Public Material – May be reproduced only in its original entirety (without revision). The command answers the content of the DF28 file: • Tag 02 identifies the Patch ID (see Table 2) • Tag 03 identifies the Platform Build ID which is made up of the Platform ID (16 Bytes, see Table 2) and the platform build fingerprint (8 Bytes) • Tag 08 identified the ROM ID (see Table 2) To verify that the GlobalPlatform operational environment runs in the Approved mode of operation, use the IDENTIFY APDU (asdescribedabove). TheDF28 file tag‘05’contains the status ofthe Approved mode compliancy, where ‘00’ identifies Approved mode not active and ‘01’ - Approved mode active. Both NXP IoT applet and NXP SEMS Lite applet of the module are configured to always run in an Approved mode of operation. The personalized product shall have: • NXP IoT applet v7.2.22 identification: o Package ID: A00000039654530000000103000200H o Applet ID: A0000003965453000000010300000000H o Instance ID: A0000003965453000000010300000000H • NXP SEMS Lite applet v2.0.2.11 identification: o Package ID: A00000039654530000000103300000H o Applet ID: A0000003965453000000010330000000H o Instance ID: A0000003965453000000010330000000H The operator can verify that NXP IoT applet v7.2.22 is in an Approved mode of operation by sending the two (2) following commands to the module: 1. The SELECT APDU command (Context service) will be called with the following parameters: CLA = 00, INS = A4, P1 = 04, P2 = 00, Lc = 10, Incoming Data = A0000003965453000000010300000000, and Le = 00. The module shall answer 07021626F2FFFF followed by status code 9000. The response includes the BCD encoded applet version (070216) and the supported applet feature bitmap (26F2). This encoded applet version (070216) corresponds to the decimal version v7.2.22 of the IoT Applet as specified in Table 2 in this document and the module certificate. It is not possible in any way to modify the applet version or the supported features bitmap after the device leaves the factory. 2. The GetVersion APDU command (IoT Applet Management service) shall be called to get the extended feature bitmap. This command is 80040021 and shall return 26F20000011D81C1E101000E0000000F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F to be in Approved mode of operation. NXP Semiconductors 2023 Version 1.5 Page 10 of 65 Public Material – May be reproduced only in its original entirety (without revision). The operator can verify that NXP SEMS Lite applet v2.0.2.11 is an Approved mode of operation by sending the three (3) following commands to the module: 1. The SELECT APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 00, INS = A4, P1 = 04, P2 = 00, Lc = 10, Incoming Data = A0000003965453000000010330000000, and Le = 00. Return code shall be 90 00 (OK) 2. The GET DATA APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = DE, and Le = 00.The command shall return DE04020002119000 with 02000211 indicating the NXP SEMS Lite applet version. This encoded applet version (02000211) corresponds to the decimal version v2.0.2.11 of the IoT Applet as specified in Table 2 in this document and the module certificate. 3. The GET DATA APDU command (SEMS Lite General service) shall be called with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = C6, and Le = 00. The command shall return C601019000 with C60101 indicating the NXP SEMS Lite applet is configured in Approved mode of operation. The module does not support a degraded operation. In addition to the configurations tested by the laboratory, vendor-affirmed testing was performed on the following platforms: • SE052 • NCJ37 Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys if the specific operational environment is not listed on the validation certificate. Cryptographic Algorithms The module implements the following Approved cryptographic algorithms. CAVP Cert Algorithm and Standard Mode/ Method Description/ Key Size(s)/ Key Strength(s) Use/Function A2713 AES-CBC AES-CBC AES-128, AES-192, AES-256 with 128, 192, 256- bit key strength Data Encryption/ Decryption NXP Semiconductors 2023 Version 1.5 Page 11 of 65 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert Algorithm and Standard Mode/ Method Description/ Key Size(s)/ Key Strength(s) Use/Function A2713 AES-CCM AES-CCM AES-128, AES-192, AES-256 with 128, 192, 256-bit key strength Authentication Encryption with AES CTR mode and CBC-MAC A2713 AES-CMAC AES-CMAC AES-128, AES-192, AES-256 with 128, 192, 256-bit key Strength Message Authentication; generation and verification SP800-108 KDF A2713 AES-CTR AES-CTR AES-128, AES-192, AES-256 with 128, 192, 256-bit key Strength Data Encryption/ Decryption A2713 AES-ECB AES-ECB AES-128, AES-192, AES-256 with 128, 192, 256-bit key strength Data Encryption/ Decryption A2713 Counter DRBG Counter DRBG AES-256 with 256-bit security strength Deterministic Random Bit Generation AES-256: RSA and ECDSA key generation A2713 ECDSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) P-224, P-256, P-384, P-521 with 112, 128, 192 and 256-bit key strength ECC Key Generation A2713 ECDSA SigGen (FIPS186-4) ECDSA SigGen (FIPS186-4) P-224: (SHA2-224, SHA2-256, SHA2-384, SHA2-512), P-256: (SHA2-256, SHA2- 384, SHA2-512), P- 384: (SHA2-384, SHA2-512), P-521: (SHA2-512) with 112, 128, 192 and 256-bit key strength Digital Signature Generation A2713 ECDSA SigVer (FIPS186-4) ECDSA SigVer (FIPS186-4) P-224: (SHA2-224, SHA2-256, SHA2-384, SHA2-512), P-256: (SHA2-256, SHA2- 384, SHA2-512), P- 384: (SHA2-384, SHA2-512), P-521: (SHA2-512) with 112, 128, 192 and 256-bit key strength Digital Signature Verification NXP Semiconductors 2023 Version 1.5 Page 12 of 65 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert Algorithm and Standard Mode/ Method Description/ Key Size(s)/ Key Strength(s) Use/Function A2713 HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA-1 with 128-bit key strength Message Authentication A2713 HMAC-SHA2-256 HMAC-SHA2- 256 HMAC-SHA-256 with 256-bit key strength Message Authentication A2713 HMAC-SHA2-384 HMAC-SHA2- 384 HMAC-SHA-384 with 256-bit key strength Message Authentication A2713 HMAC-SHA2-512 HMAC-SHA2- 512 HMAC-SHA-512 with 256-bit key strength Message Authentication A2713 KAS-ECC-SSC Sp800-56Ar3 OnePass EC Diffie-Hellman FIPS 140-3 IG D.F Scenario 2 Path 2 P-256 with 128-bit key strength ECKey session shared secret computation; SEMS Lite shared secret computation (with Brainpool256r1 curves); The module obtains assurances per Section 5.6.2 in NIST SP800-56Ar3 self-tests A2713 KDA HKDF Sp800-56Cr1 Two-step key derivation function HMAC-SHA1, HMAC- SHA2-256, HMAC- SHA2-384, HMAC- SHA2-512 with 128 and 256-bit key strength HKDF Operations – extract-then-expand A2713 KDF SP800-108 Counter AES-128, AES-192, AES-256 with 128, 192 and 256-bit key strength Deriving keys from existing keys A2713 KDF SP800-108 Feedback HMAC-SHA1, HMAC- SHA2-256, HMAC- SHA2-384, HMAC- SHA2-512 with 128 and 256-bit key strength HKDF Operations - expand only A2713 RSA Decryption Primitive RSA Decryption Primitive n=2048 with 112-bit decryption strength Decryption Primitive (standard and CRT) A2713 RSA KeyGen (FIPS186-4) RSA KeyGen (FIPS186-4) n=2048, 3072, 4096 with 112 and 128-bit key strength Key Generation (standard and CRT) A2713 RSA SigGen (FIPS186-4) RSA SigGen (FIPS186-4) n=2048, 3072, 4096 with PKCS v1.5 and PKCSPSS and SHA2- (224, 256, 384, 512) with 112, 128 and 152 bit key strength Signature Generation NXP Semiconductors 2023 Version 1.5 Page 13 of 65 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert Algorithm and Standard Mode/ Method Description/ Key Size(s)/ Key Strength(s) Use/Function A2713 RSA SigVer (FIPS186-4) RSA SigVer (FIPS186-4) n=2048, 3072, 4096 with PKCS v1.5 and PKCSPSS and SHA-1 , SHA2-(224, 256, 384, 512) with 112, 128 and 152 bit key strength Signature Verification A2713 RSA Signature Primitive RSA Signature Primitive n=2048 with 112-bit security strength Signature Primitive (standard and CRT) A2713 SHA-1 SHA-1 SHA-1 with 128-bit security strength Message Digest Generation, SEMS Lite command integrity A2713 SHA2-224 SHA2-224 SHA2-224 with 112- bit or 192-bit security strength Message Digest Generation, SEMS Lite command integrity A2713 SHA2-256 SHA2-256 SHA2-256 with 128 or 256-bit security strength Message Digest Generation, SEMS Lite command integrity A2713 SHA2-384 SHA2-384 SHA2-384 with 192 or 256-bit security strength Message Digest Generation, SEMS Lite command integrity A2713 SHA2-512 SHA2-512 SHA2-512 with 256- bit security strength Message Digest Generation, SEMS Lite command integrity A2714 AES-GCM AES-GCM AES-128, AES-192, AES-256 with 128, 192, 256-bit key strength Authentication Encryption with Associated Data MAC calculation, MAC verification A2714 AES-GMAC AES-GMAC AES-128, AES-192, AES-256 with 128, 192, 256-bit key strength Authentication Encryption with Associated Data MAC calculation, MAC verification A2714 AES-KW AES-KW AES-128, AES-192, AES-256 with 128, 192, 256-bit key strength Key Wrapping (Decryption) A2714 KDA OneStep Sp800-56Cr1 KDA OneStep Sp800-56Cr1 option 1 SHA-256 with 256-bit key strength EcKey Session Key Derivation NXP Semiconductors 2023 Version 1.5 Page 14 of 65 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert Algorithm and Standard Mode/ Method Description/ Key Size(s)/ Key Strength(s) Use/Function A2714 KDF TLS TLS version 1.2 Key Derivation SP800-135r1 HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 with 256-bit key strength Key Derivation Function used in TLS 1.2 A2714 PBKDF PBKDF2 Option 1a acc. [SP800- 132r2] HMAC-SHA-1 with 128-bit key strength Password-based Key Derivation; This algorithm is provided as a service for module hosting the Module A2715 KDA OneStep Sp800-56Cr1 KDA OneStep Sp800-56Cr1 option 1 SHA-256 with 256-bit key strength SEMS Lite shared master key derivation Vendor Affirmed CKG SP800-133r2 Section 4: Symmetric keys and seeds used for generating the asymmetric keys are generated using methods described in Section 4 of SP800- 133r2 Section 5.1: Key Pairs for Digital Signature Schemes Section 6.2.1: Symmetric Keys Generated Using Key-Agreement Schemes Section 6.2.2: Symmetric Keys Derived from a Pre-existing Key Section 6.4: Distributing the Generated Symmetric Key Key Generation is based on unmodified output of the DRBG cert. #A2713 KAS-ECC-SSC Sp800- 56Ar3/A2713 KDA HKDF Sp800- 56Cr1/A2713 KAS-1 SP 800-56Arev3 KAS-ECC per IG D.F Scenario 2 path (2) P-256 curve providing 128 bits of encryption strength KAS (KAS-ECC-SSC Sp 800-56Ar3 with KDA (HKDF)) KAS-ECC-SSC Sp800- 56Ar3/A2713 KDA OneStep Sp800- 56Cr1/A2714 KAS-2 SP 800-56Arev3 KAS-ECC per IG D.F Scenario 2 path (2) P-256 curve providing 128 bits of encryption strength KAS (KAS-ECC-SSC Sp 800-56Ar3 with KDA (OneStep KDF)) KAS-ECC-SSC Sp800- 56Ar3/A2713 KDA OneStep Sp800- 56Cr1/A2715 KAS-3 SP 800- 56Arev3. KAS- ECC per IG D.F Scenario 2 path (2) P-256 curve providing 128 bits of encryption strength KAS (KAS-ECC-SSC Sp 800-56Ar3 with KDA (OneStep KDF)) NXP Semiconductors 2023 Version 1.5 Page 15 of 65 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert Algorithm and Standard Mode/ Method Description/ Key Size(s)/ Key Strength(s) Use/Function AES- CBC/A2713 AES- CMAC/A2713 KTS-1 AES CBC / AES CMAC AES-128, AES-192, AES-256 with 128, 192, 256-bit key strength SP 800-38D and SP 800-38F KTS (key wrapping) per IG D.G AES- KW/#A2714 KTS-2 KW AES-128, AES-192, AES-256 with 128, 192, 256-bit key strength SP 800-38F KTS (key wrapping) per IG D.G Table 3 – Approved Algorithms Algorithm Caveat Use/Function AES Cert. #A2713, key unwrapping; key establishment methodology provides between 128 and 256 bits of encryption strength Per IG D.G Symmetric key unwrapping (according to RFC3394) AES Cert. #A2713, key unwrapping; key establishment methodology provides 128 bits of encryption strength Per IG D.G Symmetric key unwrapping (according to GlobalPlatform Amendment-I) ECDSA with non- NIST recommended curves Provides between 112 and 256 bits of encryption strength Per IG C.A Signature Generation/Verification using non-NIST curves [Brainpool224r1, Brainpool256r1, Brainpool320r, Brainpool384r1, Brainpool512r1, Secp224k1, Secp256k1 with strengths ]112, 128, 192 and 256 bits] EC Diffie-Hellman with non-NIST recommended curves Provides between 112 and 256 bits of encryption strength Per IGs D.F and C.A Shared secret computation using non-NIST curves [Brainpool224r1, Brainpool256r1, Brainpool320r, Brainpool384r1, Brainpool512r1, Secp224k1, Secp256k1 with strengths ]112, 128, 192 and 256 bits] Table 4 – Non-Approved Algorithms Allowed in Approved Mode of Operation The following non-Approved but allowed EC curves (per IG C.A) are implemented by the module for use in ECDSA and KAS-ECC: EC Standard Strength Singular Field Co-Factor Brainpool224r1 [RFC5639] 112 No IFp 1 NXP Semiconductors 2023 Version 1.5 Page 16 of 65 Public Material – May be reproduced only in its original entirety (without revision). EC Standard Strength Singular Field Co-Factor Brainpool256r1 [RFC5639] 128 No IFp 1 Brainpool320r1 [RFC5639] 128 No IFp 1 Brainpool384r1 [RFC5639] 192 No IFp 1 Brainpool512r1 [RFC5639] 256 No IFp 1 Secp224k1 [SEC2] 112 No IFp 1 Secp256k1 [SEC2] 128 No IFp 1 The module does not support Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed and Non-Approved Algorithms Not Allowed in the Approved Mode of Operation. Figure 1 – P71D600 NXP Semiconductors 2023 Version 1.5 Page 17 of 65 Public Material – May be reproduced only in its original entirety (without revision). Figure 2 – P71D600 Physical Form (Schematic) Figure 3 below depicts the module operational environment. NXP Semiconductors 2023 Version 1.5 Page 18 of 65 Public Material – May be reproduced only in its original entirety (without revision). Figure 3 – Module Block Diagram The JavaCard and Global Platform APIs are internal interfaces available to applets. Only NXP applets and Card Manager (ISD/SSD) services are available at the card edge (the interfaces that cross the cryptographic boundary). The product is delivered with: • NXP IoT applet installed and configured before product’s delivery to customer. The end-user can personalize the module with its objects but cannot modify the configuration of the module, the Module always operates in an Approved mode of operation. • NXP SEMS Lite Applet installed and configured before product’s delivery to customer. The end- user cannot modify the configuration of the module, the module always operates in an Approved mode of operation. Thus, the end-user cannot bring unauthorized changes to the Approved configuration of the module. Card Manager (ISD/SSD) NXP SEMS Lite Applet NXP IoT Applet Firmware Platform VDD, VSS GND Power Mgmt RAM DES Engine Hardware CRC Timers CLK Clock Mgmt MMU AES Engine NXP T1I2C (I2C) SDA/SCL (I2C) CPU Sensors EEPROM RSA/ECC Engine ISO 7816 (UART) I/O (Contact) RST Reset Mgmt ROM HW RNG ISO 14443 (RF) LA/LB (RF) JCOP OS JavaCard API Global Platform API Flash NXP Semiconductors 2023 Version 1.5 Page 19 of 65 Public Material – May be reproduced only in its original entirety (without revision). Overall Security Design and Rules of Operation PBKDF Operation details • Password strength The password is stored in an APP-HMAC-KEY object as input to the PBKDF2 function. This key requires a minimum of 112 bits. The probability that a random attempt will end up with the same output is: • 1/(2^112) = 1.9E‐34 (using a minimum size for the password) • Iteration Count and Justification Iteration count should be at least 1000, following the recommendation in SP800-132r2. If an application desires less iterations, the iteration count can be lower than 1000, but in any case, the iteration count shall be 2 or more. • Storage Only Statement Output of PBKDF Operation service shall be used in storage applications. AES GCM IV The module enforces the use of an Approved DRBG in accordance with IG C.H scenario 2; the internal Approved CTR_DRBG, which has a security strength of 128 bits, is used to generate the 96-bit IV. TLS 1.2 Support The module supports the TLS KDF Functions service. This service provides support for TLS v1.2 calculations. It does not implement the TLS v1.2 protocol. Per FIPS 140-3 IG D.C, no parts of this protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. NXP Semiconductors 2023 Version 1.5 Page 20 of 65 Public Material – May be reproduced only in its original entirety (without revision). Physical Port Logical Interface Data that Passes over Port/Interface VSS, VDD Power interface These interfaces are used to supply power to the module in contact mode; The module starts when interface is powered VIN, VOUT Power interface These interfaces are used to supply power to the module in contact, contactless and I2C mode in case deep power-down mode is used RST_N Control input interface If a signal is sent on this interface on contact mode, the module will reboot (active low) CLK Control input interface The interface is used by an external device (ex: smartcard reader) to provide a clock signal to the IC in contact mode; The IC will derive its own clock from this signal IO1 Control input interface, Data input interface, Data output interface, Status output interface The interface is used to communicate with an external entity (ex: SmartCard reader) in contact mode; It also functions as I2C master SDA in I2C mode IO2 Control input interface, Data input interface, Data output interface, Status output interface The interface is used to communicate with an external entity (ex: SmartCard reader) in contact mode; It also functions as I2C master SCL in I2C mode or as SPI interface LA, LB Power interface, Control input interface, Data input interface, Data output interface, Status output interface The interface is used to communicate with an external entity (ex: smartcard reader) in contactless mode; This interface is also used to set the internal clock and to supply power to the module SDA Control input interface, Data input interface, Data output interface, Status output interface The interface is used to communicate with an external entity such as a host controller SCL Control input interface The interface is used by an external device (ex: host controller) to provide a clock signal to the I2C HW Table 5 – Ports and Interfaces The module does not support control output. 3 Cryptographic Module Interfaces NXP Semiconductors 2023 Version 1.5 Page 21 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module supports the following roles: • Cryptographic Officer (CO): Manages module content and configuration, including management of module data via the SSD. Authenticated as described in Table 7 below. • User (the device Holder (applet user)): Performs Approved cryptographic operations. Authenticated as described in Table 7 below. Role Service Input Output ISD Services CO Manage Content APDU(s) used: DELETE LOAD INSTALL MANAGE CHANNEL Command parameters (data objects, SSPs) Status Word (Response APDU 9000) SSD Services CO Lifecycle (Show status and Perform zeroisation) APDU(s) used: SET STATUS GET STATUS Target status Status Word (Response APDU 9000) CO Manage Content APDU(s) used: PUT KEY STORE DATA Command parameters (data objects, SSPs) Status Word (Response APDU 9000) CO Privileged Info (Show module’s versioning information) APDU(s) used: GET DATA Command parameters (privileged data objects, but no SSPs) Requested information; Status Word (Response APDU 9000) CO Secure Channel APDU(s) used: INITIALIZE UPDATE EXTERNAL AUTHENTICATE Command parameters (data objects, SSPs) Status Word (Response APDU 9000) IoT Applet Services CO IoT Applet Management APDU(s) used: SetLockState, SetPlatformSCPRequest, DeleteAll, SetAppletFeatures, ImportExternalObject Authentication data to open an applet session Status Word (Response APDU 9000) 4 Roles, Services and Authentication NXP Semiconductors 2023 Version 1.5 Page 22 of 65 Public Material – May be reproduced only in its original entirety (without revision). Role Service Input Output User, CO Module Usage (Perform Self- Tests and Show module’s versioning information) APDU(s) used: DisableSecureObjectCreation, SendCardManagerCommand, TriggerSelfTest, I2CM_ExecuteCommandSet, GetVersion, GetTimestamp, GetFreeMemory, GetRandom, ReadState Command parameters (e.g. required length for GetRandom, memory type for GetFreeMemory, etc.) Requested information; Status Word (Response APDU 9000) User, CO Session Management APDU(s) used: CreateSession, VerifySessionUserID, SCPInitializeUpdate, SCPExternalAuthenticate, ECKeySessionInternalAuthenticate, ECKeySessionGetECKAPublicKey, ExchangeSessionData, ProcessSessionCmd, RefreshSession, CloseSession Session creation C-APDU; authentication data to open the applet session Status Word (Response APDU 9000) User, CO Secure Object Write Functionality APDU(s) used: WriteECKey/WriteRSAKey, WriteSymmKey, WriteBinary, WriteUserID, WriteCounter, WritePCR, ImportObject Object identifier; Secure Object characteristics (transient/persistent; Authentication rights or not; etc.); (optionally) Secure Object value; (optionally) Secure Object non-default policy (optionally) Secure Object version Status Word (Response APDU 9000) User, CO Secure Object Read Functionality APDU(s) used: ReadObject, ReadAttributes, ExportObject Object identifier Secure Object value (if non-secret) (optionally) Secure Object attributes Status Word (Response APDU 9000) NXP Semiconductors 2023 Version 1.5 Page 23 of 65 Public Material – May be reproduced only in its original entirety (without revision). Role Service Input Output User, CO Secure Object Management APDU(s) used: ReadType, ReadSize, ReadIDList, CheckObjectExists, DeleteSecureObject Object identifier Secure Object characteristics (type, size, exists, etc.) or listing of Secure Objects Status Word (Response APDU 9000) User, CO EC Curve Management (Perform approved security functions) APDU(s) used: CreateECCurve, SetECCurveParam, GetECCurveID, ReadECCurveList, DeleteECCurve Curve Identifier; (optionally) curve parameters Secure Object identifier (for GetECCurveID) Status Word (Response APDU 9000) Curve set indicators (for ReadECCurveList) Curve identifier (for GetECCurveID) User, CO Crypto Object Management APDU(s) used: CreateCryptoObject, ReadCryptoObjectList, DeleteCryptoObject Crypto object identifier; (optionally) Crypto Object characteristics Status Word (Response APDU 9000) List of Crypto Object identifiers (for ReadCyptoObjectList) User, CO EC Crypto Operations (Perform approved security functions) APDU(s) used: ECDSASign, ECDSAVerify Secure Object identifier; Input data (message/signature/exte rnal public key) Output data (signature, result of verification, shared secret) Status Word (Response APDU 9000) User, CO RSA Crypto Operations (Perform approved security functions) APDU(s) used: RSASign, RSAVerify, RSAEncrypt, RSADecrypt Secure Object identifier; Input data (message/signature) Output data (signature, result of verification, encrypted or decrypted data) Status Word (Response APDU 9000) User, CO Symmetric Cipher Crypto Operations (Perform approved security functions) APDU(s) used: CipherInit, CipherUpdate, CipherFinal, CipherOneShot Secure Object identifier or Crypto Object identifier Input data (message) Output data (encrypted or decrypted message) Status Word (Response APDU 9000) NXP Semiconductors 2023 Version 1.5 Page 24 of 65 Public Material – May be reproduced only in its original entirety (without revision). Role Service Input Output User, CO Authenticated Encryption Crypto Operations (Perform approved security functions) APDU(s) used: AEADInit, AEADUpdate, AEADFinal, AEADOneShot Secure Object identifier or Crypto Object identifier Input data (message, AAD, tag, etc.) Output data (encrypted or decrypted message, tag or result of tag verification) Status Word (Response APDU 9000) User, CO MAC Calculation Crypto Operations (Perform approved security functions) APDU(s) used: MACInit, MACUpdate, MACFinal, MACOneShot Secure Object identifier or Crypto Object identifier Input data (message, MAC (for verification)) Output data (MAC or result of MAC verification) Status Word (Response APDU 9000) User, CO HKDF operations (Perform approved security functions) APDU(s) used: HKDFExtractAndExpand, HKDFExpandOnly Secure Object identifier HKDF input parameters (digest type, message, requested length, salt, output object, etc.) Output data (derived data) if not stored on- chip Status Word (Response APDU 9000) User, CO PBKDF Operation (Perform approved security functions) APDU(s) used: PBKDF2DeriveKey Secure Object identifier PBKDF2 input data (salt, iteration count, requested length) Output data (derived data) Status Word (Response APDU 9000) User, CO TLS KDF Functions (Perform approved security functions) APDU(s) used: TLSGenerateRandom, TLSCalculatePremasterSecret, TLSPerformPRF Secure Object identifier(s) TLS KDF input data (digest type, label, random, requested length) Output data Status Word (Response APDU 9000) User, CO Secure Hash Crypto Operations (Perform approved security functions) APDU(s) used: DigestInit, DigestUpdate, DigestFinal, DigestOneShot Digest mode or Crypto Object identifier Input data (message) Output data (hashed message) Status Word (Response APDU 9000) SEMS Lite Applet Services NXP Semiconductors 2023 Version 1.5 Page 25 of 65 Public Material – May be reproduced only in its original entirety (without revision). Role Service Input Output User, CO SEMS Lite Authentication APDU(s) used: PROCESS, SCRIPT, COMMAND Authentication information or SEMS Secure channel Allow or reject SEMS Lite Manage Content service or SEMS Lite Root Key Update or Error code User, CO SEMS Lite Manage Content APDU(s) used: SEMS_SELECT, SEMS_APDU, SEMS_BEGIN_PERSO, SEMS_END_PERSO, SEMS_INSTALL_FOR_LOAD, SEMS_LOAD, SEMS_INSTALL_FOR_INSTALL, SEMS_DELETE, SEMS_BINDING_SE, BEGIN_MANAGE_ELF_UPGRADE, END_MANAGE_ELF_UPGRADE Content management commands wrapped in SEMS Secure channel Implicit indication via the successful completion of service CO SEMS Lite Root Key Update APDU(s) used: SEMS_KEY_ROTATION Key update commands wrapped in SEMS Secure channel Implicit indication via the successful completion of service CO, User, Unauthor ised Card Reset APDU(s) used: N/A Power cycle or reset the module Status Word (Response APDU 9000) CO, User, Unauthor ised Context APDU(s) used: SELECT. MANAGE CHANNEL Command parameters (data objects, SSPs) Status Word (Response APDU 9000) CO, User, Unauthor ised Info (Show status and Perform self- tests) APDU(s) used: GET DATA Command parameters (data objects, SSPs) Status Word (Response APDU 9000) CO, User, Unauthor ised SEMS Lite General (Show module’s versioning information) APDU(s) used: SEMS_SELECT, GET DATA Command parameters (data objects, SSPs) Status Word (Response APDU 9000) Table 6 – Roles, Service Commands, Input and Output NXP Semiconductors 2023 Version 1.5 Page 26 of 65 Public Material – May be reproduced only in its original entirety (without revision). Authentication of each operator and their access to roles and services is as described below, independent of logical channel usage (identity-based authentication methods implemented). • Only one operator at a time is permitted on a channel. • Applet de-selection (including Card Manager), card reset, or power down terminates the current authentication. Re-authentication is required after any of these events for access to authenticated services. • CO authentication method does not exchange plaintext CSP. • User authentication data is encrypted and authenticated during entry with GlobalPlatform SCP03, is stored encrypted with OS-MKEK and is only accessible by authenticated services. This includes user identifier (UserID) in case of UserID session method. Role Authentication Method Authentication Strength CO User SCP03 128 bits UserID Session 32 bits (minimum) AESKey Session 128 bits ECKey Session 128 bits SEMS Lite Applet 128 bits Table 7 – Roles and Authentication Platform Authentication (Secure Channel Protocol 03 Authentication Method) The Secure Channel Protocol authentication method is provided by the Secure Channel service. The SD-KENC and SD- KMAC keys are used to derive the SD-SENC, SD-SMAC, and SD-RMAC session keys. These sessions keys are used with AES-CBC and AES-CMAC to provide an end-to-end confidential and authenticated protected channel (Approved KTS) between the external entity (User) and the module. The external entity participating in the mutual authentication sends a 64-bit challenge to the Secure Element. The Secure Element generates its own challenge and computes a 64-bit cryptogram with SD-SMAC key and both challenges. The Secure Element cryptogram and challenge are sent to the external entity which checks the Secure Element cryptogram and creates its own 64-bit cryptogram with both challenges. A 64-bit message authentication code (MAC) is also computed on the command containing the external entity cryptogram with AES-CMAC and SD- SMAC key. The MAC is concatenated to the command, and the command is sent to the Secure Element. The Secure Element checks the message authentication code and compares the received cryptogram to the calculated cryptogram. If all of this succeeds, the two participants are mutually authenticated (the external entity is authenticated to the module). The probability that a random attempt will succeed using this authentication method is: • 1/(2^128) = 2.9E‐39 (MAC||cryptogram) using a 128‐bit block for authentication. This authentication method includes a counter of failed authentication called “velocity checking” by GlobalPlatform. The counter is decremented prior to any attempt to authenticate and is only reset to its threshold (maximum value) upon successful authentication. NXP Semiconductors 2023 Version 1.5 Page 27 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module enforces a maximum of 60 failed Global Platform SCP03 authentication attempts before permanently blocking the card. The probability that a random attempt will succeed over a one-minute interval is (with the assumption here that one attempt is possible per second): • 60/(2^128) = 1.7E-37 (MAC||cryptogram), using a 128‐bit block for authentication IoT applet Authentication The applet allows creating an authenticated session using an Authentication Object which can be either UserID session, AESKey session, or ECKey session. An authenticated session allows users to protect and safeguard their credentials against third party use as only the authenticated user has proper rights on the credentials. This is ensured by applying correct policies to the credentials. A policy binds functional access to an Authentication Object where an Authentication Object represents a user. The different authentication methods are described in the sub-sections below. UserID Session An UserID session authentication method is provided by the Session management service. During a UserID session, the session user identifier (UserID) is verified in order to allow setting up a session. If the UserID is correct, the session establishment will succeed; otherwise, the session will not be opened. An UserID can be configured from a minimum of four (4) bytes up to a maximum of 16 bytes (128 bits). In the worst- case scenario, a 4-byte UserID is used, the probability that a random attempt will succeed using this authentication method is: • 1/(2^32) = 4.3E-9 The number of authentication attempts is configurable. It can be an infinite attempt number, or it can be limited by a counter comprised between 1 and 255 attempts. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is: • 4700/(2^32) = 1.0E-6. AESKey Session The AESKey session authentication method is provided by the Session management service. The APP-AES-KEY-AUTH key is used to derive the APP-SENC, APP-SMAC keys, and APP-RMAC. These sessions keys are used with AES-CBC and AES-CMAC to provide an end-to-end confidential and authenticated protected channel (Approved KTS) between the external entity (User) and the module. The external entity participating in the mutual authentication sends a 64-bit challenge to the Secure Element. The Secure Element generates its own challenge and computes a 64-bit cryptogram with APP-SMAC key and both NXP Semiconductors 2023 Version 1.5 Page 28 of 65 Public Material – May be reproduced only in its original entirety (without revision). challenges. The Secure Element cryptogram and challenge are sent to the external entity which checks the Secure Element cryptogram and creates its own 64-bit cryptogram with both challenges. A 64-bit message authentication code (MAC) is also computed on the command containing the external entity cryptogram with AES-CMAC and APP- SMAC key. The MAC is concatenated to the command, and the command is sent to the Secure Element. The Secure Element checks the message authentication code and compares the received cryptogram to the calculated cryptogram. If all of this succeeds, the two participants are mutually authenticated (the external entity is authenticated to the module in the CO/User role). The probability that a random attempt will succeed using this authentication method is: • 1/(2^128) = 2.9E‐39 (MAC||cryptogram, using a 128‐bit block for authentication) The number of authentication attempts is configurable. It can be an infinite attempt numbers or it can be limited by a counter comprised between 1 and 32767. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is: • 4700/(2^128) = 1.3E-35 (MAC||cryptogram, using a 128‐bit block for authentication). ECKey Session An ECKey session authentication method is provided by the Session management service. The ECKey session authentication method consists of verifying a P-256 ECDSA signature. The P-256 EC public key is either initially imported by the User (APP-EC-PUBLIC-KEY-USER) or provisioned during the manufacturing (APP-EC- PUBLIC-KEY-CO). The user will own the corresponding ECDSA private key. In addition to User’s authentication, ECKey session is used to establish APP-KAS-IOT-SS/APP-KAS-SEMS-SS with the Approved KAS algorithm. The shared secret is used to derive the AES-128 APP-AES-KEY-AUTH which is itself used to derive the APP-SENC, APP-SMAC and APP-RMAC session keys. These sessions keys are used with AES-CBC and AES-CMAC to provide an end-to-end confidential and authenticated protected channel (Approved KTS) between the external entity (User) and the module. First, the user requests the module public key, APP-KAS-SSC-EC-PUB-KEY; this key is signed with the private key APP- KAS-SSC-EC-PRIV-KEY by the module. Then, the User sends the ephemeral KAS public key signed with User’s ECDSA private key. Finally, the module verifies the ECDSA signature of the ephemeral key with either APP-EC-PUBLIC-KEY- USER or APP-EC-PUBLIC-KEY-CO before initiating the KAS shared secret computation. The probability that a random attempt will succeed using this authentication method is: • 1/(2^128) = 2.9E‐39 (using a 256‐bit EC key for authentication) The number of authentication attempts is configurable. It can be an infinite attempt numbers or it can be limited by a counter comprised between 1 and 32767. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is: • 4700/(2^128) = 1.4E-35 (using a 256-bit EC key for authentication) NXP Semiconductors 2023 Version 1.5 Page 29 of 65 Public Material – May be reproduced only in its original entirety (without revision). SEMS Lite Applet Authentication The SEMS Lite applet is provided by the SEMS Lite Authentication service. The service provides authentication, confidentiality, and integrity of each authenticated service. The SEMS Lite Applet authentication consists of verifying a Brainpool256r1 ECDSA signature computed on a 113-byte data generated off the module and the CO public key APP-ECC-RT-PUB-AUT, see section 5.1.4 of [GP] Amendment-I. The probability that a random attempt will succeed using this authentication method is: • 1/(2^128) = 2.9E‐39 (using a 256‐bit EC key for authentication) To keep the SEMS Lite Applet from blocking, an infinite number of attempts is allowed. A maximum of 4700 authentications can be performed in one minute. In the worst-case scenario, the probability that a random attempt will succeed over a one-minute period is: • 4700/(2^128) = 1.4E-35 (using a 256-bit EC key for authentication) The module does not support bypass or self-initiated cryptographic output capabilities. The module is a limited operational environment under the FIPS 140-3 definitions. The module includes a firmware load function to support necessary updates, but these are only limited to the vendor, NXP. New firmware versions within the scope of this validation must be validated through the CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator ISD Services Manage Content Load keys and data N/A OS-SKEK SD-KENC SD-KMAC SD-KDEK DAP-DAPK CO E, W, Z Status Word (Response APDU 9000) SSD Services Lifecycle (Show status and Perform zeroisation) Get or modify the card or applet life cycle status N/A All CO E, Z Status Word (Response APDU 9000) Manage Content Load keys and data N/A OS-SKEK SD-KENC SD-KMAC SD-KDEK DAP-DAPK CO E, W, Z Status Word (Response APDU 9000) Privileged Info (Show module’s versioning information) Read Module data (privileged data objects, but no CSPs) N/A OS-MKEK SD-KENC SD-KMAC SD-SENC SD-SMAC SD-RMAC CO E Status Word (Response APDU 9000) Secure Channel Establish and use a secure communication channel CTR_DRBG (Cert. A2713) CKG (Vendor Affirmed) OS-DRBG-EI OS-DRBG-SEED OS-DRBG-STATE OS-DRBG-KEY OS-DRBG-V OS-DRBG-OUTPUT OS-MKEK SD-KENC SD-KMAC SD-SENC SD-SMAC SD-RMAC CO E, G, Z Status Word (Response APDU 9000) IoT Applet Services FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 31 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator IoT Applet Management This service manages the P71D600 applet AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) KDF SP800- 108 (Cert. A2713) ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KAS-ECC (Cert. A2713) P-256 SHS (Cert. A2713) CKG (Vendor Affirmed) SD-SENC SD-SMAC SD-RMAC APP-ECC-RT-PRIV-KA APP-AES-RAM-K0-KEY APP-AES-RAM-Kn-KEY APP-EC-PUB-KEY-CO APP-EC-PUB-KEY-USER APP-ECC-RT-PUB-AUT APP-ECC-PUB-eKA APP-ECC-PUB-AUT APP-KAS-IOT-SS CO E, G, W Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 32 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator Module Usage (Perform Self-Tests and Show module’s versioning information) Perform Self-Tests and Show module’s versioning information All All CO, User E Status Word (Response APDU 9000) Session Management This service manages the applet sessions; Users can decide to open a session or not; Opening a session requires to authenticate to the applet using either an UserID, an AES128 key or an EC key depending on the session type AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) KDF SP800- 108 (Cert. A2713) ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KAS-ECC (Cert. A2713) P-256 SHS (Cert. A2713) CKG (Vendor Affirmed) OS-DRBG-EI OS-DRBG-STATE OS-DRBG-KEY OS-DRBG-V OS-DRBG-OUTPUT OS-MKEK SD-KENC SD-KMAC SD-SENC SD-SMAC SD-RMAC APP-KAS-SSC-EC-PRIV- KEY APP-KAS-IOT-SS APP-AES-KEY-AUTH APP-SENC APP-SMAC APP-RMAC APP-USERID-FILE APP-EC-PRIV-KEY APP-AES-KEY APP-KAS-SSC-EC-PUB- KEY APP-EC-PUB-KEY-CO APP-EC-PUB-KEY-USER CO, User E, G, Z Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 33 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator Secure Object Write Functionality This service manages the generation (either an RSA or EC key pair) or transport (EC keys, RSA keys, symmetric keys, binary files, UserIDs, monotonic counters, PCRs) of Secure Objects. CTR_DRBG (A2713) AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) KDF SP800- 108 (Cert. A2713) ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KAS-ECC (Cert. A2713) P-256 RSA (Cert. A2713)2048, 3072, 4096 bits SHS (Cert. A2713) CKG (Vendor Affirmed) OS-DRBG-EI OS-DRBG-STATE OS-DRBG-KEY OS-DRBG-V OS-DRBG-OUTPUT OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-TRANSPORT- CIPHER APP-TRANSPORT-MAC APP-AES-KEY-AUTH APP-USERID-FILE APP-EC-PRIV-KEY APP-RSA-PRIV-KEY APP-AES-KEY APP-HMAC-KEY APP-EC-PUB-KEY-CO APP-EC-PUB-KEY-USER APP-EC-PUB-KEY APP-RSA-PUB-KEY CO, User E, G, R, W, Z Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 34 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator Secure Object Read Functionality This service manages the reading of Secure Objects or its attributes; Asymmetric private keys or symmetric keys can never be read in plaintext N/A OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-TRANSPORT- CIPHER APP-TRANSPORT-MAC APP-EC-PRIV-KEY APP-RSA-PRIV-KEY APP-AES-KEY APP-HMAC-KEY APP-KAS-SSC-EC-PUB- KEY APP-EC-PUB-KEY-CO APP-EC-PUB-KEY-USER APP-EC-PUB-KEY APP-RSA-PUB-KEY CO, User E, R Status Word (Response APDU 9000) Secure Object Management This service manages the reading of Secure Object attributes AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) HMAC (Cert. A2713) ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) RSA (Cert. A2713)2048, 3072, 4096 bits SHS (Cert. A2713) CKG (Vendor Affirmed) OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-AES-KEY-AUTH APP-USER-ID-FILE APP-RSA-PRIV-KEY APP-AES-KEY APP-HMAC-KEY APP-EC-PUB-KEY-USER APP-EC-PUB-KEY APP-RSA-PUB-KEY CO, User E, Z Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 35 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator EC Curve Management (Perform approved security functions) This service manages the EC curves that can be used during EC cryptographic operations ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) SD-SENC SD-SMAC SD-RMAC CO, User E Status Word (Response APDU 9000) Crypto Object Management This service manages the Crypto Objects that can be used. Crypto Objects allow to do operations in multiple steps (init/update/final) Supported Crypto Objects allow to use a digest, cipher or MAC algorithm to be used SHS (Cert. A2713) AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) HMAC (Cert. A2713) SD-SENC SD-SMAC SD-RMAC APP-AES-KEY APP-HMAC-KEY CO, User E Status Word (Response APDU 9000) EC Crypto Operations (Perform approved security functions) This service triggers OS API for ECDSA signature generation and verification, and for EC DH shared secret calculation according to [56Ar3] Section 5.7.1.2 ECDSA (Cert. A2713) P-256 KAS-SSC (Cert. A2713) P-256 SHS (Cert. A2713) CKG (Vendor Affirmed) OS-DRBG-EI OS-DRBG-STATE OS-DRBG-KEY OS-DRBG-V OS-DRBG-OUTPUT OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-EC-PRIV-KEY APP-EC-PUB-KEY CO, User E, G, Z Status Word (Response APDU 9000) RSA Crypto Operations (Perform approved security functions) This service triggers OS API for RSA signature generation and verification, and for RSA encryption and decryption (components only) RSA (Cert. A2713)2048, 3072, 4096 bits SHS (Cert. A2713) CKG (Vendor Affirmed) OS-DRBG-EI OS-DRBG-STATE OS-DRBG-KEY OS-DRBG-V OS-DRBG-OUTPUT OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-RSA-PRIV-KEY APP-RSA-PUB-KEY CO, User E, G, Z Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 36 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator Symmetric Cipher Crypto Operations (Perform approved security functions) This service triggers OS API for AES encryption and decryption AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-AES-KEY CO, User E Status Word (Response APDU 9000) Authenticate d Encryption Crypto Operations (Perform approved security functions) This service provides execution of the AEAD function using OS API primitives for AES GCM encryption and decryption, and DRBG for internal IV generation AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) CTR_DRBG (A2713) SD-SENC SD-SMAC SD-RMAC CO, User E Status Word (Response APDU 9000) MAC Calculation Crypto Operations (Perform approved security functions) This service triggers OS API for MAC Calculation CMAC (Cert. A2713) HMAC (Cert. A2713) OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-HMAC-KEY CO, User E Status Word (Response APDU 9000) HKDF operations (Perform approved security functions) This service triggers OS API for HKDF operations (either Two Step Key Derivation using HMAC or the Key Derivation Function using Pseudorandom functions) HKDF (Certs. A2713 and A2714) OS-MKEK SD-SENC SD-SMAC SD-RMAC APP-HMAC-KEY CO, User E Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 37 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator PBKDF Operation (Perform approved security functions) This service provides execution of the Password-Based Key Derivation Function. The derived key is returned to the operator and not used by the module PBKDF2 (Cert. A2714) OS-MKEK SD-SENC SD-SMAC SD-RMAC CO, User E Status Word (Response APDU 9000) TLS KDF Functions (Perform approved security functions) This service provides support for TLS v1.2 calculations. It does not implement the TLS v1.2 protocol KDF (Cert. A2713) OS-MKEK SD-SENC SD-SMAC SD-RMAC CO, User E Status Word (Response APDU 9000) Secure Hash Crypto Operations (Perform approved security functions) This service triggers OS API for [FIPS 180-4] compliant hash algorithms SHA (Cert. A2713) OS-MKEK SD-SENC SD-SMAC SD-RMAC CO, User E Status Word (Response APDU 9000) SEMS Lite Applet Services SEMS Lite Authenticatio n The service provides the authenticated secure messaging AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KAS-ECC (Cert. A2713) P-256 CKG (Vendor Affirmed) OS-MKEK APP-ECC-RT-PRIV-KA APP-AES-RAM-K0-KEY APP-AES-RAM-Kn-KEY APP-ECC-RT-PUB-AUT APP-ECC-PUB-eKA APP-ECC-PUB-AUT APP-CERT-KR-AUT APP-CERT-AUT DAP-DAPK CO, User E, G, W, Z Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 38 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator SEMS Lite Manage Content The service is used to load data. The data is wrapped in SEMS Lite Authentication AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KAS-ECC (Cert. A2713) P-256 CKG (Vendor Affirmed) OS-MKEK APP-ECC-RT-PRIV-KA APP-AES-RAM-K0-KEY APP-AES-RAM-Kn-KEY APP-ECC-RT-PUB-AUT APP-ECC-PUB-eKA APP-ECC-PUB-AUT APP-CERT-KR-AUT APP-CERT-AUT DAP-DAPK CO, User E, G, W, Z Status Word (Response APDU 9000) SEMS Lite Root Key Update This service updates APP-ECC-RT-PRIV-KA and APP-ECC-RT-PUB- AUT keys wrapped in SEMS Lite Authentication AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) KAS-ECC (Cert. A2713) P-256 CKG (Vendor Affirmed) OS-MKEK APP-ECC-RT-PRIV-KA APP-AES-RAM-K0-KEY APP-AES-RAM-Kn-KEY APP-ECC-RT-PUB-AUT APP-ECC-PUB-eKA APP-ECC-PUB-AUT APP-CERT-KR-AUT APP-CERT-AUT CO E, G, W, Z Status Word (Response APDU 9000) FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 39 of 65 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Keys and/ or SSPs Indicator Card Reset Power cycle or reset the module N/A N/A CO, User, Unauth- orised N/A Status Word (Response APDU 9000) Context Select an applet or manage logical channels N/A N/A CO, User, Unauth- orised N/A Status Word (Response APDU 9000) Info Read unprivileged data objects, e.g., module configuration or status information (Show Status). This service includes the Pre- operational Self-Test on-demand N/A N/A CO, User, Unauth- orised N/A Status Word (Response APDU 9000) SEMS Lite General This service provides generic operations which are not required to be protected by applying security. It includes selecting the SEMS Lite applet, reading version of the SEMS Lite applet or APP-ECC-RT-PUB-AUT public key of SEMS Lite Applet N/A N/A CO, User, Unauth- orised N/A Status Word (Response APDU 9000) Table 8 – Approved Services The modes of access shown in the table above are defined as: • G = Generate: The service generates or derives the CSP/Public Key. • W = Write: The service inputs the CSP/Public Key. • E = Execute: The Module executes using the CSP/Public Key. • R = Read: The service outputs the CSP/Public Key. CSP are always protected with the approved KTS. • Z = Zeroize: The Module zeroizes the CSP/Public Key after usage. A zeroised CSP is not retrievable or reusable. FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 40 of 65 Public Material – May be reproduced only in its original entirety (without revision). The cryptographic module is considered a hardware module with firmware components. An error detection code (32-bit CRC performed over all code located in Flash) is applied to all firmware components within the module. If the integrity test fails, the module enters the hard error (MUTE) state. An operator of the module can perform the integrity test on demand with the GET DATA APDU command. As a single-chip hardware module, the executable form of the code, i.e., firmware is binary format. The module does not support loading of firmware from an external source. ROM endurance has been proven to be more than 10 years after manufactured date. Therefore, per FIPS 140-3 IG 5.A, no pre-operational ROM integrity self-test has been implemented. The module’s end- of-life procedures must be applied prior to the degradation of the ROM by setting the module to the TERMINATE state. All data and control inputs, and data and status outputs of the cryptographic module and services are directed through the module’s defined interfaces. 5 Software/Firmware Security FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 41 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module claims to meet Physical Security Level 4 and thus the requirements per this section do not apply. 6 Operational Environment FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 42 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module is a single-chip implementation that meets commercial-grade specifications for power, temperature, reliability, and shock/vibrations. The module uses standard passivation techniques. The module includes Environmental Failure Protection features such as temperature and voltage sensors. Fault Induction mitigation techniques are light sensors and spike sensors on the supply voltage lines. Identification of internal features such as sensitive components or interconnections is impeded by a fine mesh of metal shield lines that resides at the outermost layers of the chip. Delivery forms of the module are QFN package, contactless chip card module, or sawn wafer. Therefore, the module does not rely on any physical security based on a package. Physical Security Mechanism Recommended Frequency of Inspection/Test Inspection/Test Guidance Details N/A N/A N/A Table 9 – Physical Security Inspection Guidelines Temperature or voltage Measurement EFP or EFT Result (Shutdown/Zeroisation) Low Temperature -40°C EFP Shutdown High Temperature +105°C EFP Shutdown Low Voltage 1.62V EFP Shutdown High Voltage 6.0V EFP Shutdown Table 10 – EFP/EFT Hardness tested temperature measurement Low Temperature -45°C High Temperature +125°C Table 11 – Hardness Testing Temperature Ranges 7 Physical Security FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 43 of 65 Public Material – May be reproduced only in its original entirety (without revision). Please see Section 12 below for information regarding non-invasive security countermeasures. 8 Non-Invasive Security Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys OS-DRBG-EI CSP 384 bits CTR_DRBG (Cert. A2713) Internally via ENT (P) N/A N/A Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) Random value from ENT (P) used to seed reciprocally and AES-256 DRBG OS-DRBG- STATE CSP 880 bits CTR_DRBG (Cert. A2713) Internally via SP800- 90Ar1 DRBG process N/A N/A Stored in NVM in plaintext; object identifier to entity association Destroyed by termination of the module (LifeCycle/ Perform Zeroisation service); overwritten with zeroes Current DRBG state value OS- DRBG- KEY CSP 256 bits CTR_DRBG (Cert. A2713) Internally via SP800- 90Ar1 DRBG process N/A N/A Stored in NVM in plaintext; object identifier to entity association Destroyed by terminate- on of the Module (LifeCycle/ Perform Zeroisation service); overwritt en with zeroes Current DRBG state value 9 Sensitive Security Parameter Management FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 45 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys OS-DRBG-V CSP 256 bits CTR_DRBG (Cert. A2713) Internally via SP800- 90Ar1 DRBG process N/A N/A Stored in NVM in plaintext; object identifier to entity association Destroyed by terminate- on of the Module (LifeCycle/ Perform Zeroisation service); overwritt en with zeroes Current DRBG state value OS-DRBG- OUTPUT CSP 256 bits CTR_DRBG (Cert. A2713) Internally via SP800- 90Ar1 DRBG process N/A N/A Stored in NVM in plaintext; object identifier to entity association Destroyed by termination of the module (LifeCycle/ Perform Zeroisation service); overwritten with zeroes Unmodified output from the DRBG used for SSP generation OS-SKEK CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) N/A Entered during manufact- uring/ personali- zation N/A Stored in NVM in plaintext; object identifier to entity association Destroyed by termination of the module (LifeCycle/ Perform Zeroisation service); overwritten with zeroes Used to build OS-MKEK OS-MKEK CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) OS-SKEK permutati on (xor between OS-SKEK and a constant value) N/A N/A Stored in NVM in plaintext; object identifier to entity association Destroyed by termination of the module (LifeCycle/Pe rform Zeroisation service); overwritten with zeroes Used to encrypt all secret and private key data stored in NVM FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 46 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys SD-KENC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) N/A Entered during manufactu ring/ personali- zation Or AES-CBC (using SD- KDEK) encrypted (RFC 3394 method) and transporte d using platform SCP03 Exported using Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Used to derive SD-SENC SD-KMAC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) N/A Entered during manufactu ring/pers- onalization Or AES-CBC (using SD- KDEK) encrypted (RFC 3394 method) and transporte d using platform SCP03 Exported using Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Used to derive SD-SMAC FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 47 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys SD-KDEK CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) N/A Entered during manufactu ring/perso nalization Or Entered encrypted with the previous SD-KDEK Exported using Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Sensitive data decryption key used to decrypt CSPs SD-SENC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) KDF SP800- 108 (Cert. A2713) CKG (Vendor Affirmed) N/A N/A Derived with Approved KDF SP800- 108 Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) Session encryption key used to secure channel data FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 48 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys SD-SMAC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) KDF SP800- 108 (Cert. A2713) CKG (Vendor Affirmed) N/A N/A Derived with Approved KDF SP800- 108 Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) Session MAC key used to verify inbound secure channel data integrity SD-RMAC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) KDF SP800- 108 (Cert. A2713) CKG (Vendor Affirmed) N/A N/A Derived with Approved KDF SP800- 108 Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) Session MAC key used to verify outbound secure channel data integrity APP- TRANSPORT- CIPHER CSP 256 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) N/A Entered during manufactu ring/perso nalization Output: N/A N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Used to encrypt either exported or imported Secure Objects or data FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 49 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP- TRANSPORT- MAC CSP 128 bits AES CMAC (Cert. A2713) N/A Entered during manufactu ring/perso nalization Output: N/A N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Used to authenticate either exported or imported Secure Objects APP-KAS- SSC-EC-PRIV- KEY CSP 128 bits KAS-ECC-SSC P-256 (Cert. A2713) KDA (Cert. A2713) N/A Entered during manufactu ring/perso nalization Output: N/A N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation KAS Shared Secret computation private key APP-KAS- IOT-SS CSP 128 bits KAS-ECC-SSC P-256 (Cert. A2713) KDA (Cert. A2714) N/A N/A Established with the SP800- 56Arev3 KAS-ECC Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) KAS-ECC Shared Secret FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 50 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-AES- KEY-AUTH CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) or ECDSA (Cert. A2713) N/A Entered during manufactu ring/perso nalization Output: via Approved KTS Approved KTS Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Used in AESKey session or ECKey session authentication methods APP-SENC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) or ECDSA (Cert. A2713) KDF SP800- 108 (Cert. A2713) CKG (Vendor Affirmed) N/A N/A Derived with Approved KDF SP800- 108 Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) AES Key or EC Key session encryption key used to encrypt / decrypt secure channel data FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 51 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-SMAC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) or ECDSA (Cert. A2713) KDF SP800- 108 (Cert. A2713) CKG (Vendor Affirmed) N/A N/A Derived with Approved KDF SP800- 108 Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) AES Key or EC Key session MAC key used to verify inbound secure channel data integrity APP-RMAC CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) or ECDSA (Cert. A2713) KDF SP800- 108 (Cert. A2713) CKG (Vendor Affirmed) N/A N/A Derived with Approved KDF SP800- 108 Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) AES Key or EC Key session MAC key used to generate response secure channel data MAC FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 52 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-USERID- FILE CSP N/A N/A N/A Entered during manufactu ring/perso nalization Output: via Approved KTS Approved KTS Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation 4-byte up to 16-byte UserID authentication data APP-EC- PRIV-KEY CSP 112, 128, 192, 256 bits ECDSA Key Generation P-224, P- 256, P-384, P-521 (Cert. A2713) CKG (Vendor Affirmed) The Approved key pair generation method is compliant with FIPS 186-4, Sections B.43.23 (RSA) or B.4.2 (ECDSA), Key Pair Generatio n by Testing Candidates ; Generated on the module using Approved DRBG, AES-256 CTR_DRBG Entered: N/A Output: via Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Elliptic curve key that allows to perform EC cryptographic operations FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 53 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-RSA- PRIV-KEY CSP 112, 128, 152 bits RSA Key Generation 2048, 3072, 4096 bits (Cert. A2713) CKG (Vendor Affirmed) The Approved key pair generation method is compliant with FIPS 186-4, Sections B.43.23 (RSA) or B.4.2 (ECDSA), Key Pair Generatio n by Testing Candidates ; Generated on the module using Approved DRBG, AES-256 CTR_DRBG Entered: N/A Output: via Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation RSA key that allows to perform RSA cryptographic operations APP-AES-KEY CSP 128, 192, 256 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) N/A Entered during manufactu ring/perso nalization Output: via Approved KTS Approved KTS Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation. Used to perform AES cipher mode operations FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 54 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-HMAC- KEY CSP 128 and 256 bits HMAC SHA-1, SHA2-256, 384, 512 (Cert. A2713) N/A Entered during manufactu ring/perso nalization Output: via Approved KTS Approved KTS Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Used to perform KDF or HMAC operations APP-ECC-RT- PRIV-KA CSP 256 bits ECDSA (Cert. A2713) P-521 SHS (Cert. A2713) N/A Entered during manufactu ring/ personaliz ation or Imported in secure channel specified by GP- Amd-I Output: N/A N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association Destroyed because of OS-MKEK zeroisation Private static key used in key establishment (KAS-SSC) operations APP-KAS- SEMS-SS CSP 128 bits KAS-ECC- SSCP-256 (Cert. #A2713) KDA (Cert. A2715) N/A N/A Established with the SP800- 56Arev3 KAS Temporarily stored in RAM in plaintext (does not persist beyond a power cycle); object identifier to entity association Power-off (temporarily stored in RAM) KAS Shared Secret CSP FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 55 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-AES- RAM-K0-Key CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) CKG (Vendor Affirmed) N/A N/A Established with the SP- 800-56A Rev3 KAS- SCC followed by SHA256 as One Pass KDF Temporarily stored in RAM (does not persist beyond a power cycle) Power-off (temporarily stored in RAM) Used as secret key material in the very first decryption operations as part of Authenticatio n and Secure Messaging service of SEMS Lite applet APP-AES- RAM-Kn-Key CSP 128 bits AES CBC, ECB, CTR, CCM, CMAC (Cert. A2713) GCM/GMAC (Cert. A2714) N/A Imported in secure channel specified by GP- Amd-I Output: N/A N/A Temporarily stored in RAM (does not persist beyond a power cycle) Power-off (temporarily stored in RAM) Used as secret key material in the subsequent n decryption operations as part of SEMS Lite Authenticatio n and Secure Messaging service DAP-DAPK PSP 256 bits ECDSA P-521 (Cert. A2713) N/A Entered during manufactu ring/ personaliz ation N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition ECC public key used for Mandated DAP FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 56 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-KAS- SSC-EC-PUB- KEY PSP 128 bits KAS-ECC-SSC P-256 (Cert. A2713) N/A Entered during manufactu ring/ personaliz ation Output: Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition KAS Shared Secret computation public key APP-EC-PUB- KEY-CO PSP 128 bits ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) N/A Entered during manufactu ring/ personaliz ation Output: Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition ECDSA public key used to authenticate the CO APP-EC-PUB- KEY-USER PSP 128 bits ECDSA (Cert. A2713) P-256 SHS (Cert. A2713) N/A Entered during manufactu ring/ personaliz ation Output: Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition ECDSA public key used to authenticate as user FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 57 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-EC-PUB- KEY PSP 128 bits ECDSA (Cert. A2713) P-256 CKG (Vendor Affirmed) The Approved key pair generation method is compliant with FIPS 186-4, Sections B.43.23 (RSA) or B.4.2 (ECDSA), Key Pair Generatio n by Testing Candidates ; Generated on the module using Approved DRBG, AES-256 CTR_DRBG Entered: N/A Output: Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition Used to execute EC cryptographic operations FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 58 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-RSA- PUB-KEY PSP 112, 128, 152 bits RSA (Cert. A2713)2048, 3072, 4096 bits CKG (Vendor Affirmed) The Approved key pair generation method is compliant with FIPS 186-4, Sections B.43.23 (RSA) or B.4.2 (ECDSA), Key Pair Generatio n by Testing Candidates ; Generated on the module using Approved DRBG, AES-256 CTR_DRBG Entered: N/A Output: Approved KTS N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition Used to execute RSA cryptographic operations APP-ECC- PUB-eKA PSP 128 bits KAS-ECC-SSC P-256 (Cert. A2713) N/A Entered: Certificate is entered in plain text Output: N/A N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition Ephemeral EC public key used in key establishment (KAS) operation FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 59 of 65 Public Material – May be reproduced only in its original entirety (without revision). Key /SSP Name /Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish- ment Storage Zero- isation Use & Related Keys APP-ECC-RT- PUB-AUT PSP 256 bits ECDSA (Cert. A2713) P-521 SHS (Cert. A2713) N/A Entered: Certificate is entered in plain text Output: In plaintext N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition EC public key used in ECDSA verification operations APP-ECC- PUB-AUT PSP 256 bits ECDSA (Cert. A2713) P-521 SHS (Cert. A2713) N/A Entered: Certificate is entered in plain text Output: N/A N/A Stored in NVM encrypted with Approved AES CBC with OS- MKEK; key version to entity association N/A – Considered protected by ISO 19790 definition Static EC public key used in ECDSA verification operations APP-CERT- AUT PSP 256 bits ECDSA (Cert. A2713) P-521 SHS (Cert. A2713) N/A Entered: Certificate is entered in plain text Output: N/A N/A Stored in NVM in plaintext; object identifier to entity association N/A – Considered protected by ISO 19790 definition Certificate with EC public key providing authorization and authenticity to SEMS Lite applet APP-CERT- KR-AUT PSP 256-bits ECDSA (Cert. A2713) P-521 SHS (Cert. A2713) N/A Entered: Certificate is entered in plain text Output: N/A N/A Stored in NVM in plaintext; object identifier to entity association N/A – Considered ‘protected’ by ISO 19790 definition Certificate with 256-bit EC public key providing authorization and authenticity to SEMS Lite applet for SEMS Lite Root Key Update service Table 12 – SSPs FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 60 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module implements a NIST SP800-90Ar1 Approved CTR_DRBG. The unmodified outputs of the DRBG are used for Cryptographic Key Generation (CKG) of Symmetric Keys and seeds for Asymmetric Key Generation as noted in Table 3 in this document per Section 4 in NIST SP800-133r2. Entropy sources Minimum Number of bits of entropy Details NIST SP800-90B ENT (P) – Used as entropy input to the Approved DRBG 256-bits of overall entropy for AES- 256 CTR_DRBG; 0.912949 per entropy source output bit Noise source based on hardware implementing an iterated Bernouli Shift Map Table 13 – Non-Deterministic Number Generator Specification Per FIPS 140-3 IG 9.5.A, the module supports AD/EE (Automated Distribution/Electronic Entry). FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 61 of 65 Public Material – May be reproduced only in its original entirety (without revision). On power-on or on demand, the module performs self-tests described below. The pre-operational self-test must be completed successfully prior to any other use of cryptography by the module. The Cryptographic Algorithm Self-Tests are either performed at boot or prior to first use. The conditional self-tests are performed when the corresponding conditions occur. If one of the self-tests fails, the system is halted and will start again after a reset. ROM endurance has been proven to be more than 10 years after manufactured date. Therefore, no pre-operational ROM integrity self-test has been implemented. The module’s end-of-life procedures must be applied prior to the degradation of the ROM by setting the module to the TERMINATE state, The Flash Firmware Integrity check is performed on every reset or on demand. Pre-operational Self-Tests • Firmware Integrity: 32-bit CRC performed over all code located in Flash. Conditional Self-Tests • Cryptographic Algorithm Self-Tests o AES CBC 128-bit Encrypt KAT o AES CBC 128-bit Decrypt KAT o AES CMAC 128-bit Encrypt KAT o AES CMAC 128-bit Decrypt KAT o CTR_DRBG 256-bit KAT (Health Tests: Generate, Reseed, Instantiate functions per Section 11 in NIST SP800-90Ar1) o ECDSA P-521 SHA-256 Signature Generation KAT o ECDSA P-521 SHA-256 Signature Verification KAT o HMAC-SHA2-256 KAT o KAS-ECC-SSC P-256 KAT o KDF TLS 1.2 KAT o KDA KAT (One-Step KDF per SP800-56Cr1 for both Cert. #A2714 and #A2715) o KDA KAT (Two-Step KDF KAT (HKDF) per SP800-56Cr1 for Cert.#A2713) o NIST KDF SP800-108 KAT (Counter mode with AES-128) o NIST KDF SP800-108 KAT (Feedback Mode with HMAC-SHA1) o NIST SP800-132 KDF KAT (with HMAC-SHA-1) o RSA 2048-bit SHA2-256 Signature Generation KAT o RSA 2048-bit SHA2-256 Signature Verification KAT o SHA-1 KAT (for both Cert. #A2713 and #A2714) o SHA2-256 KAT (for both Cert. #A2713 and #A2714 (inclusive of SHA2-224, per IG 10.3.A)) o SHA2-512 KAT (for both Cert. #A2713 and #A2714 (inclusive of SHA2-384, per IG 10.3.A)) 10 Self-Tests FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 62 of 65 Public Material – May be reproduced only in its original entirety (without revision). o NIST SP800-90B ENT (P) Repetition Count Test (RCT) performed on raw data o NIST SP800-90B ENT (P) Developer Defined Heath Test Transition Count Test performed on the raw data o NIST SP800-90B ENT (P) Developer Defined Heath Test Chi‐Square Test performed on the conditioned data o NIST SP800-90B ENT (P) Developer Defined Heath Test Amplitude Limiter Analog Test on the analog data • Pairwise Consistency Tests o Generate PCT: Pairwise consistency test performed when an asymmetric key pair is generated for RSA or ECC. The conditional test is implemented at the applet level o Signature PCT: Pairwise consistency test performed when a signature is generated for RSA or ECDSA • Firmware Load Test: Signature Verification based on ECDSA P-256 with SHA2-256 Note: The module does not support loading of external firmware by the operator (it is limited to the vendor, NXP Semiconductors, at factory pre-shipment of the module). The Firmware Load Test above is performed by the module in support of the same. All the Self-Tests can be performed on-demand with the GET DATA APDU command (Info service) with the following parameters: CLA = 80, INS = CA, P1 = 00, P2 = FE, Lc = 04, Incoming Data = DF4B0120, and Le = 00. The expected result is FE04DF4B0120. In case of a failure, the module enters a hard error (MUTE) state and returns a code/status indicator. The APDU code 9000 signifies success and 66A7 is the error indicator corresponding to the MUTE error state. The JCOP OS is intended to execute pre-operational self-tests (rather than conditional self- tests) periodically, since these tests are pre-defined to be executed post resets. The periodic time will thus always start from zero. RAM can be used to manage the periodic time interval which is the number of execution events e.g., number of APDUs/commands received (the tests are repeated after every 500,000 CAPDUs/commands). FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 63 of 65 Public Material – May be reproduced only in its original entirety (without revision). All configuration management items are managed using an automated configuration management system. The module is designed to allow the testing of all provided security-related services. All firmware is implemented using a high-level language and is designed in a manner that avoids the use of code, parameters, or symbols not necessary for the module’s functionality and execution. While the module can be delivered with the Approved mode enabled by default, customers also have the option to receive a module which is in the unconfigured state, i.e., non-Approved mode. To comply with and maintain the FIPS 140-3 validation, it would be the CO’s responsibility to enable the Approved mode of operation as follows (this information can also be found in the JCOP 4.5 User guidance and administrator manual document): 1. Install SEMS Lite applet to run in Approved mode of operation. 2. Install the IoT applet and configure the applet to run in Approved mode of operation. 3. Configure the Operation System to run in Approved mode of operation. In each of these steps, it is in the CO’s responsibility to apply proper security conditions and to ensure that once the device is put into Approved mode of operation, it will not be set into non-Approved mode of operation ever again. The operator can verify that the module is operating in the Approved mode by following instructions specified in Section 2 in this document. There are no specific maintenance requirements for this module. 11 Life-Cycle Assurance FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 64 of 65 Public Material – May be reproduced only in its original entirety (without revision). The module is protected against the following non-invasive attacks: SPA, DPA, Timing Analysis and Fault Induction using a combination of firmware and hardware countermeasures. Protection features include detection of out-of- range supply voltages, frequencies or temperatures, fault induction mitigations like light sensors, voltage glitch sensors and an active shield, and detection of illegal address or instruction. All cryptographic computations and sensitive operations such as critical data comparison provided by the module are designed to be resistant to timing and power analysis. Sensitive operations are performed in constant time, regardless of the execution context (parameters, keys, etc.), owing to a combination of hardware and firmware features. In addition to the non-invasive attacks, the module also uses standard passivation techniques and is protected by active shielding (a grid of top metal layer wires with tamper response) which qualifies for classification under mitigation of other attacks. 12 Mitigation of Other Attacks FIPS 140-3 Security Policy - JCOP 4.5 on P71D600 NXP Semiconductors 2023 Version 1.5 Page 65 of 65 Public Material – May be reproduced only in its original entirety (without revision). END OF DOCUMENT