NITROXIII CNN35XX-NFBE HSM Family
Certificate #4700
Webpage information
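Security policy
The terms listed under each heading below are keyword matches found in the Security Policy PDF (occurrence counts are in `pdf_data.keywords` in the raw data). A term appearing here, such as MD5, RSA 1024 or TLSv1.0, does not by itself show that it is an approved service of the module. Some categories may be mismatches: "SSC" under Trusted Execution Environments may come from algorithm names such as KAS-ECC-SSC rather than from a TEE product, so check the policy text.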
Symmetric Algorithms
AES, AES192, AES-, AES-256, CAST, DES, TDES, Triple-DES, HMAC, CMAC
Asymmetric Algorithms
RSA 1024, ECDH, ECDSA, ECC, Diffie-Hellman, DH, DSA
Hash functions
SHA-1, SHA1, SHA256, SHA-256, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHA3, MD5, PBKDF
Schemes
MAC, Key agreement, Key Agreement
Protocols
SSH, SSL, TLS, TLS v1.2, TLS 1.2, TLSv1.0
Randomness
DRBG, RBG
Libraries
OpenSSL
Elliptic Curves
P-521, P-224, P-256, P-384, P-192, K-233, K-283, K-409, K-571, B-233, B-409, B-571, B-283, B-163, brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1, brainpoolP160r1, FRP256v1, Curve25519
Block cipher modes
ECB, CBC, CTR, GCM
TLS cipher suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Trusted Execution Environments
PSP, SSC
Security level
Level 3, Level 1
Side-channel analysis
physical tampering
Certification process
out of scope, HSM. The LiquidSecurity Appliance is outside the module’s cryptographic boundary and therefore out of scope of this validation. CNN35XX-NFBE-G Firmware: CNN35XX-NFBE-FW-2.09-0702 CNN35XX-NFBE-G Secure
Standards
FIPS 140-3, FIPS 186-4, FIPS 202, FIPS 180-4, FIPS 198-1, FIPS PUB 186-4, FIPS PUB 140-3, SP 800-38B, SP 800-108, SP 800-38D, SP 800-38F, SP 800-56B, SP 800-90B, SP 800-90A, SP 800-132, SP 800-52, SP 800-38A, SP 800-38C, SP 800-38G, PKCS 1, PKCS #1, PKCS#1, RFC 5288, ISO/IEC 24759
File metadata
Creation date | D:20240509203024-04'00' |
---|---|
Modification date | D:20240509203024-04'00' |
Pages | 120 |
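References
Outgoing:
- 1311 - historical - NSA 3500

Note: the raw data also lists the algorithm entries "TDES 1311" (TDES-ECB, TDES-CBC), so this link may come from a match on the Triple-DES algorithm certificate number in the Security Policy rather than from a dependency on module certificate #1311. Check the policy text before relying on it.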
Heuristics
No heuristics are available for this certificate.
References
Updates
- 24.02.2025: The certificate data changed.
  Certificate changed: the web extraction data was updated.
  - The exceptions property was updated.
- 04.07.2024: The certificate was first processed.
  New certificate: a new FIPS 140 certificate with the product name NITROXIII CNN35XX-NFBE HSM Family was processed.
Raw data
{
"_type": "sec_certs.sample.fips.FIPSCertificate",
"cert_id": 4700,
"dgst": "b3fa8714038b8943",
"heuristics": {
"_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
"algorithms": {
"_type": "Set",
"elements": [
"AES-GCMC839",
"AES-CCMC839",
"SHA2-256SHS 1780",
"DSA KeyGen (FIPS186-4)C823",
"KAS-ECC CDH-ComponentC829",
"AES-CTRC839",
"ECDSA KeyVer (FIPS186-4)C825",
"KAS-IFC-SSCA1193",
"HMAC-SHA2-512C839",
"KTS-IFCA1194",
"RSA KeyGen (FIPS186-4)C824",
"ECDSA SigGen (FIPS186-4)C829",
"SHAKE-256A1197",
"AES-ECBC839",
"AES-CBCC839",
"AES-KWPC1263",
"DSA PQGVer (FIPS186-4)C823",
"HMAC-SHA-1C839",
"KDA TwoStep Sp800-56Cr1A1192",
"RSA Decryption PrimitiveC839",
"DSA SigVer (FIPS186-4)C823",
"PBKDFA1196",
"Counter DRBGC821",
"DSA PQGGen (FIPS186-4)C823",
"ECDSA SigVer (FIPS186-4)C829",
"Hash DRBGC830",
"ECDSA KeyGen (FIPS186-4)C825",
"AES-KWC1263",
"HMAC-SHA2-256C839",
"KDF SP800-108C839",
"RSA SigGen (FIPS186-4)A1199",
"SHA3-224A1197",
"AES-GMACC839",
"HMAC-SHA2-224C839",
"KAS-ECC-SSC Sp800-56Ar3A2161",
"SHA2-512SHS 1780",
"DSA SigGen (FIPS186-4)C823",
"TDES-ECBTDES 1311",
"RSA SigVer (FIPS186-4)C824",
"KDA OneStep Sp800-56Cr1A1192",
"RSA SigGen (FIPS186-2)C824",
"SHA2-384SHS 1780",
"KDF TLSC840",
"KDA HKDF Sp800-56Cr1A1192",
"KAS-ECC Sp800-56Ar3A1219",
"RSA Signature PrimitiveC839",
"TDES-CBCTDES 1311",
"SHAKE-128A1197",
"KDF ANS 9.63C825",
"HMAC-SHA2-384C839",
"SHA2-224SHS 1780",
"SHA3-256A1197",
"SHA-1SHS 1780",
"TDES-KWC1263",
"AES-CMACC839",
"SHA3-512A1197"
]
},
"cpe_matches": null,
"direct_transitive_cves": null,
"extracted_versions": {
"_type": "Set",
"elements": [
"4.03",
"2.09",
"1.0",
"3.0",
"2.0"
]
},
"indirect_transitive_cves": null,
"module_processed_references": {
"_type": "sec_certs.sample.certificate.References",
"directly_referenced_by": null,
"directly_referencing": null,
"indirectly_referenced_by": null,
"indirectly_referencing": null
},
"module_prunned_references": {
"_type": "Set",
"elements": []
},
"policy_processed_references": {
"_type": "sec_certs.sample.certificate.References",
"directly_referenced_by": null,
"directly_referencing": {
"_type": "Set",
"elements": [
"1311"
]
},
"indirectly_referenced_by": null,
"indirectly_referencing": {
"_type": "Set",
"elements": [
"1311"
]
}
},
"policy_prunned_references": {
"_type": "Set",
"elements": [
"1311"
]
},
"related_cves": null,
"verified_cpe_matches": null
},
"pdf_data": {
"_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
"keywords": {
"asymmetric_crypto": {
"ECC": {
"ECC": {
"ECC": 15
},
"ECDH": {
"ECDH": 22
},
"ECDSA": {
"ECDSA": 79
}
},
"FF": {
"DH": {
"DH": 6,
"Diffie-Hellman": 1
},
"DSA": {
"DSA": 45
}
},
"RSA": {
"RSA 1024": 3
}
},
"certification_process": {
"OutOfScope": {
"HSM. The LiquidSecurity Appliance is outside the module\u2019s cryptographic boundary and therefore out of scope of this validation. CNN35XX-NFBE-G Firmware: CNN35XX-NFBE-FW-2.09-0702 CNN35XX-NFBE-G Secure": 1,
"out of scope": 1
}
},
"cipher_mode": {
"CBC": {
"CBC": 7
},
"CTR": {
"CTR": 1
},
"ECB": {
"ECB": 3
},
"GCM": {
"GCM": 10
}
},
"cplc_data": {},
"crypto_engine": {},
"crypto_library": {
"OpenSSL": {
"OpenSSL": 16
}
},
"crypto_protocol": {
"SSH": {
"SSH": 1
},
"TLS": {
"SSL": {
"SSL": 4
},
"TLS": {
"TLS": 43,
"TLS 1.2": 3,
"TLS v1.2": 1,
"TLSv1.0": 2
}
}
},
"crypto_scheme": {
"KA": {
"Key Agreement": 1,
"Key agreement": 7
},
"MAC": {
"MAC": 30
}
},
"device_model": {},
"ecc_curve": {
"ANSSI": {
"FRP256v1": 3
},
"Brainpool": {
"brainpoolP160r1": 1,
"brainpoolP224r1": 2,
"brainpoolP256r1": 2,
"brainpoolP320r1": 2,
"brainpoolP384r1": 2,
"brainpoolP512r1": 2
},
"Curve": {
"Curve25519": 1
},
"NIST": {
"B-163": 1,
"B-233": 8,
"B-283": 5,
"B-409": 4,
"B-571": 8,
"K-233": 8,
"K-283": 8,
"K-409": 8,
"K-571": 7,
"P-192": 6,
"P-224": 41,
"P-256": 46,
"P-384": 32,
"P-521": 40
}
},
"eval_facility": {},
"fips_cert_id": {
"Cert": {
"#1": 2,
"#1311": 10,
"#1780": 22,
"#2": 2
}
},
"fips_certlike": {
"Certlike": {
"# C839": 1,
"# SHS": 11,
"AES 128, 192": 1,
"AES 256": 2,
"AES-256": 2,
"AES-CBC Encrypt/Decrypt; 128": 1,
"AES-CTR Encrypt/Decrypt 128": 1,
"AES-GCM Encrypt/Decrypt; 128": 2,
"AES192": 1,
"DES (192": 1,
"HMAC-SHA-1": 32,
"PKCS #1": 4,
"PKCS 1": 5,
"PKCS#1": 4,
"RSA 1024": 3,
"RSA PKCS 1": 1,
"SHA- 1": 1,
"SHA- 1, 224": 1,
"SHA-1": 35,
"SHA-1, 224": 3,
"SHA-256": 2,
"SHA-512": 2,
"SHA1": 1,
"SHA2- 224": 5,
"SHA2- 256": 6,
"SHA2- 384": 9,
"SHA2- 512": 10,
"SHA2-224": 52,
"SHA2-256": 61,
"SHA2-384": 49,
"SHA2-512": 53,
"SHA256": 1,
"SHA3": 1,
"SHA3-224": 3,
"SHA3-256": 3,
"SHA3-384": 3,
"SHA3-512": 4,
"SHS #1780": 22,
"SHS 1780": 16,
"SHS#1780": 2
}
},
"fips_security_level": {
"Level": {
"Level 1": 1,
"Level 3": 7
}
},
"hash_function": {
"MD": {
"MD5": {
"MD5": 1
}
},
"PBKDF": {
"PBKDF": 12
},
"SHA": {
"SHA1": {
"SHA-1": 39,
"SHA1": 1
},
"SHA2": {
"SHA-256": 2,
"SHA-512": 2,
"SHA256": 1
},
"SHA3": {
"SHA3": 1,
"SHA3-224": 3,
"SHA3-256": 3,
"SHA3-384": 3,
"SHA3-512": 4
}
}
},
"ic_data_group": {},
"javacard_api_const": {},
"javacard_packages": {},
"javacard_version": {},
"os_name": {},
"pq_crypto": {},
"randomness": {
"PRNG": {
"DRBG": 123
},
"RNG": {
"RBG": 7
}
},
"side_channel_analysis": {
"FI": {
"physical tampering": 1
}
},
"standard_id": {
"FIPS": {
"FIPS 140-3": 7,
"FIPS 180-4": 112,
"FIPS 186-4": 158,
"FIPS 198-1": 55,
"FIPS 202": 13,
"FIPS PUB 140-3": 2,
"FIPS PUB 186-4": 1
},
"ISO": {
"ISO/IEC 24759": 2
},
"NIST": {
"SP 800-108": 27,
"SP 800-132": 8,
"SP 800-38A": 31,
"SP 800-38B": 8,
"SP 800-38C": 4,
"SP 800-38D": 29,
"SP 800-38F": 28,
"SP 800-38G": 1,
"SP 800-52": 1,
"SP 800-56B": 1,
"SP 800-90A": 1,
"SP 800-90B": 4
},
"PKCS": {
"PKCS #1": 2,
"PKCS 1": 3,
"PKCS#1": 2
},
"RFC": {
"RFC 5288": 2
}
},
"symmetric_crypto": {
"AES_competition": {
"AES": {
"AES": 64,
"AES-": 34,
"AES-256": 2,
"AES192": 1
},
"CAST": {
"CAST": 3
}
},
"DES": {
"3DES": {
"TDES": 8,
"Triple-DES": 30
},
"DES": {
"DES": 22
}
},
"constructions": {
"MAC": {
"CMAC": 13,
"HMAC": 29
}
}
},
"tee_name": {
"AMD": {
"PSP": 2
},
"IBM": {
"SSC": 14
}
},
"tls_cipher_suite": {
"TLS": {
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": 1,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 1,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": 1,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 1,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 1,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 2,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 1,
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 2,
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256": 1,
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256": 1,
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384": 1,
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384": 1,
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256": 1,
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256": 1,
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384": 1,
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384": 1
}
},
"vendor": {},
"vulnerability": {}
},
"policy_metadata": {
"/CreationDate": "D:20240509203024-04\u002700\u0027",
"/MSIP_Label_c968a81f-7ed4-4faa-9408-9652e001dd96_ActionId": "2dea9a8f-9588-405c-8d92-d3aa0684778b",
"/MSIP_Label_c968a81f-7ed4-4faa-9408-9652e001dd96_ContentBits": "0",
"/MSIP_Label_c968a81f-7ed4-4faa-9408-9652e001dd96_Enabled": "true",
"/MSIP_Label_c968a81f-7ed4-4faa-9408-9652e001dd96_Method": "Standard",
"/MSIP_Label_c968a81f-7ed4-4faa-9408-9652e001dd96_Name": "Unrestricted",
"/MSIP_Label_c968a81f-7ed4-4faa-9408-9652e001dd96_SetDate": "2022-05-17T21:12:12Z",
"/MSIP_Label_c968a81f-7ed4-4faa-9408-9652e001dd96_SiteId": "b64da4ac-e800-4cfc-8931-e607f720a1b8",
"/ModDate": "D:20240509203024-04\u002700\u0027",
"pdf_file_size_bytes": 1397196,
"pdf_hyperlinks": {
"_type": "Set",
"elements": []
},
"pdf_is_encrypted": false,
"pdf_number_of_pages": 120
}
},
"state": {
"_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
"module_download_ok": true,
"module_extract_ok": true,
"policy_convert_garbage": false,
"policy_convert_ok": true,
"policy_download_ok": true,
"policy_extract_ok": true,
"policy_pdf_hash": "ac150683387e12ffe16e6f78add356f218e16af0563cf50dfc21cd0f54624908",
"policy_txt_hash": "038297154e7120ba8cf11a5a2db9e16e81bf42cbb1a43477fe84130f3c9ab43f"
},
"web_data": {
"_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
"caveat": "When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. The module generates SSPs whose strengths are modified by available entropy",
"certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/May 2024_030624_0800.pdf",
"date_sunset": "2029-05-29",
"description": "The NITROXIII CNN35XX-NFBE HSM Family module by Marvell (formerly Cavium Inc.) is a high-performance purpose-built security solution for crypto acceleration. The module provides a FIPS 140-3 overall Level 3 security solution. The module is deployed in a PCIe slot to provide crypto and TLS 1.0/1.1/1.2 acceleration in a secure manner to the system host. It is typically deployed in a server or an appliance to provide crypto offload. The module\u2019s functions are accessed over the PCIe interface via an API defined by the module.",
"embodiment": "Multi-Chip Embedded",
"exceptions": [
"Operational environment: N/A",
"Non-invasive security: N/A",
"Mitigation of other attacks: N/A"
],
"fw_versions": "CNN35XX-NFBE-FW-2.09-0702, CNN35XX-NFBE-SMW-2.09-0702, CNN35XX-UBOOT-4.03-03",
"historical_reason": null,
"hw_versions": "HW-1.0 (CNL3510-NFBE-G; CNL3510P-NFBE-G; CNL3530-NFBE-G; CNL3560-NFBE-G; CNL3560P-NFBE-G; CNN3510-NFBE-G; CNN3530-NFBE-G; CNN3560-NFBE-G; CNN3560P-NFBE-G); HW-2.0 (CNL3510-NFBE-2.0-G; CNL3510B-NFBE-2.0-G; CNL3510P-NFBE-2.0-G; CNL3510PB-NFBE-2.0-G; CNL3530-NFBE-2.0-G; CNL3530B-NFBE-2.0-G; CNL3560-NFBE-2.0-G; CNL3560B-NFBE-2.0-G; CNL3560P-NFBE-2.0-G; CNL3560PB-NFBE-2.0-G; CNN3505LP-NFBE-2.0-G; CNN3510-NFBE-2.0-G; CNN3510LP-NFBE-2.0-G; CNN3510LPB-NFBE-2.0-G; CNN3530-NFBE-2.0-G; CNN3560-NFBE-2.0-G; CNN3560P-NFBE-2.0-G); HW-3.0 (CNL3510-NFBE-3.0-G; CNL3510A-NFBE-3.0-G; CNL3510C-NFBE-3.0-G; CNL3510D-NFBE-3.0-G; CNL3510E-NFBE-3.0-G; CNL3510F-NFBE-3.0-G; CNL3510I-NFBE-3.0-G; CNL3510P-NFBE-3.0-G; CNL3530-NFBE-3.0-G; CNL3530A-NFBE-3.0-G; CNL3530B-NFBE-3.0-G; CNL3530C-NFBE-3.0-G; CNL3530D-NFBE-3.0-G; CNL3530E-NFBE-3.0-G; CNL3530F-NFBE-3.0-G; CNL3560-NFBE-3.0-G; CNL3560A-NFBE-3.0-G; CNL3560B-NFBE-3.0-G; CNL3560B-NFBE-3.0-G-FB; CNL3560C-NFBE-3.0-G; CNL3560D-NFBE-3.0-G; CNL3560E-NFBE-3.0-G; CNL3560F-NFBE-3.0-G; CNL3560P-NFBE-3.0-G; CNN3505LP-NFBE-3.0-G; CNN3505LPA-NFBE-3.0-G; CNN3505LPC-NFBE-3.0-G; CNN3505LPD-NFBE-3.0-G; CNN3505LPE-NFBE-3.0-G; CNN3505LPF-NFBE-3.0-G; CNN3510-NFBE-3.0-G; CNN3510A-NFBE-3.0-G; CNN3510C-NFBE-3.0-G; CNN3510D-NFBE-3.0-G; CNN3510E-NFBE-3.0-G; CNN3510F-NFBE-3.0-G; CNN3510LP-NFBE-3.0-G; CNN3510LPA-NFBE-3.0-G; CNN3510LPB-NFBE-3.0-G; CNN3510LPC-NFBE-3.0-G; CNN3510LPD-NFBE-3.0-G; CNN3510LPE-NFBE-3.0-G; CNN3510LPF-NFBE-3.0-G; CNN3530-NFBE-3.0-G; CNN3530A-NFBE-3.0-G; CNN3530C-NFBE-3.0-G; CNN3530D-NFBE-3.0-G; CNN3530E-NFBE-3.0-G; CNN3530F-NFBE-3.0-G; CNN3560-NFBE-3.0-G; CNN3560A-NFBE-3.0-G; CNN3560C-NFBE-3.0-G; CNN3560D-NFBE-3.0-G; CNN3560E-NFBE-3.0-G; CNN3560F-NFBE-3.0-G; CNN3560P-NFBE-3.0-G)",
"level": 3,
"mentioned_certs": {},
"module_name": "NITROXIII CNN35XX-NFBE HSM Family",
"module_type": "Hardware",
"revoked_link": null,
"revoked_reason": null,
"standard": "FIPS 140-3",
"status": "active",
"sw_versions": null,
"tested_conf": null,
"validation_history": [
{
"_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
"date": "2024-05-30",
"lab": "LEIDOS CSTL",
"validation_type": "Initial"
}
],
"vendor": "Marvell Semiconductor, Inc.",
"vendor_url": "http://www.marvell.com"
}
}