F5, Inc.

© 2022 F5, Inc. / atsec information security. This document can be reproduced and distributed only whole and intact, including this copyright notice.

Cryptographic Module for BIG-IP®
Module Version 14.1.4.2
FIPS 140-2 Non-Proprietary Security Policy
document version 1.2
last update: October 2022

Prepared by:
atsec information security corporation
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com

Table of Contents

1. Introduction
2. Cryptographic Module Specification
    2.1. Module Overview
    2.2. FIPS 140-2 Validation
    2.3. Modes of operation
3. Cryptographic Module Ports and Interfaces
4. Roles, Services and Authentication
    4.1. Roles
    4.2. Services
    4.3. Operator Authentication
5. Physical Security
6. Operational Environment
    6.1. Applicability
    6.2. Policy
7. Cryptographic Key Management
    7.1. Key Generation
    7.2. Key Establishment
    7.3. Key Entry / Output
    7.4. Key / CSP Storage
    7.5. Key / CSP Zeroization
    7.6. Random Number Generation
8. Self-Tests
    8.1. Power-Up Tests
        8.1.1. Integrity Tests
        8.1.2. Cryptographic algorithm tests
    8.2. On-Demand self-tests
    8.3. Conditional Tests
9. Guidance
    9.1. Delivery
    9.2. Crypto Officer Guidance
    9.3. User Guidance
10. Mitigation of Other Attacks

Copyrights and Trademarks

F5® and BIG-IP® are registered trademarks of F5, Inc. Intel® Xeon® is a registered trademark of Intel® Corporation.

1. Introduction

This document is the non-proprietary FIPS 140-2 Security Policy of Cryptographic Module for BIG-IP with software version 14.1.4.2. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-2 (Federal Information Processing Standards Publication 140-2 [FIPS140-2]) for a Security Level 1 module.

2. Cryptographic Module Specification

The following section describes the cryptographic module and how it conforms to the FIPS 140-2 specification in each of the required areas.

2.1. Module Overview

The Cryptographic Module for BIG-IP (hereafter referred to as “the module”) is a software library implementing general purpose cryptographic algorithms. The software module provides cryptographic services to applications through an Application Program Interface (API). The module also interacts with the underlying operating system via system calls. The software block diagram below shows the module, its interfaces with the operational environment and the delimitation of its logical boundary:

Figure 1 - Software Block Diagram

The module is implemented as a shared library. The cryptographic logical boundary consists of a shared library and the integrity check file used for integrity tests.

Filename | Purpose
--- | ---
libcrypto.so.1.0.2s | The binary for cryptographic implementations.
.libcrypto.so.1.0.2s.hmac | The integrity check file for libcrypto.so binary.

Table 1 - Cryptographic Module Components

The module is intended to run on a general-purpose computer; the physical boundary is the surface of the case of the target platform, as shown with dotted lines in the diagram below:

Figure 2 - Cryptographic Module Physical Boundary

2.2. FIPS 140-2 Validation

The module is a software-only cryptographic module, running on a multi-chip standalone device and validated at overall security level 1.
The table below shows the security level claimed for each of the eleven sections that comprise the FIPS 140-2 standard:

No. | FIPS 140-2 Section | Security Level
--- | --- | ---
1 | Cryptographic Module Specification | 1
2 | Cryptographic Module Ports and Interfaces | 1
3 | Roles, Services and Authentication | 1
4 | Finite State Model | 1
5 | Physical Security | N/A
6 | Operational Environment | 1
7 | Cryptographic Key Management | 1
8 | EMI/EMC | 1
9 | Self-Tests | 1
10 | Design Assurance | 1
11 | Mitigation of Other Attacks | N/A
 | Overall Level | 1

Table 2 - Security Levels

The module has been tested on the following multichip standalone platform with the corresponding module variant and configuration options:

Module Version | Hardware | Processor | PAA function | Operating System
--- | --- | --- | --- | ---
14.1.4.2 | VELOS BX110 Blade running F5OS v1.1.1 | Intel® Xeon® D-2177NT Skylake | with and without AES-NI | BIG-IP 14.1.4.2

Table 3 - Tested Platforms

2.3. Modes of operation

The module supports two modes of operation:

• in "FIPS mode" (the FIPS Approved mode of operation) only approved security functions with sufficient security strength can be used as specified in Table 5.
• in "non-FIPS mode" (the non-Approved mode of operation) only non-approved security functions can be used (Table 6).

The module enters FIPS mode after power-up tests succeed. Once the module is operational, the mode of operation is implicitly assumed depending on the security function invoked and the security strength of the cryptographic keys.

Using any service in Table 5 will implicitly put the module in FIPS mode, and using any non-approved service from Table 6 will implicitly put the module in non-FIPS mode.

Critical Security Parameters (CSPs) used or stored in FIPS mode are not used in non-FIPS mode, and vice versa.

3. Cryptographic Module Ports and Interfaces

As a software-only module, the module does not have physical ports. For the purpose of the FIPS 140-2 validation, the physical ports are interpreted to be the physical ports of the hardware platform on which it runs.

The logical interfaces are the API through which the applications request services. The following table summarizes the four logical interfaces:

Logical Interface | Description
--- | ---
Data Input | API input parameters for data.
Data Output | API output parameters for data.
Control Input | API function calls for control.
Status Output | API return codes, error messages.

Table 4 - Ports and Interfaces

The Data Input interface consists of the input parameters of the API functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the API function calls used to control the behavior of the module. The Status Output interface includes the return values of the API functions and error messages.

4. Roles, Services and Authentication

4.1. Roles

The module supports the following roles:

• User role: performs all services (in both FIPS mode and non-FIPS mode of operation), except module initialization.
• Crypto Officer role: performs module initialization.

The User and Crypto Officer roles are implicitly assumed by the entity accessing the module services.

4.2. Services

The module provides services to users that assume one of the available roles. All services are described in detail in the user documentation.

The following Table 5 lists the Approved services in FIPS mode of operation, the roles that can request the service, the algorithms involved with their corresponding ACVT certificate numbers (if applicable), the CSPs involved and how they are accessed:

Service | Algorithms and Standards | CAVP Cert. | Role | Keys and CSPs | Access
--- | --- | --- | --- | --- | ---
AES encryption and decryption | [FIPS197], [FIPS800-38A], [FIPS800-38D], AES with ECB and CBC modes, in AES-NI implementation | A1588 | User | 128/192/256-bit AES key | Read
AES encryption and decryption | AES with ECB and CBC modes, in assembler implementation | A1587 | User | 128/192/256-bit AES key | Read
Message Authentication Code (MAC) | [AES FIPS197], [SP800-38D] AES with GMAC mode in AES-NI implementation | A1588 | User | 128/192/256-bit AES key | Read
Message Authentication Code (MAC) | AES with GMAC mode in assembler implementation | A1587 | User | 128/192/256-bit AES key | Read
AES key wrapping | [FIPS800-38F] AES-GCM, in AES-NI implementation | A1588 | User | 128 and 256-bit AES key | Read
AES key wrapping | [FIPS800-38F] AES-GCM, in assembler implementation | A1587 | User | 128 and 256-bit AES key | Read
Random Number Generation | [SP800-90A] CTR_DRBG with AES-256 using AES-NI | A1588 | User | Seed, values V and Key | Read, Write
Random Number Generation | [SP800-90A] CTR_DRBG with AES-256 in assembler | A1587 | User | Seed, values V and Key | Read, Write
Random Number Generation | SP800-90B compliant entropy source used to seed module’s DRBG. | ENT (NP) | User | Entropy input string | Read
RSA key pair generation | [FIPS186-4 Appendix B.3.3] RSA key generation | A1587 | User | RSA key pair with 2048/3072-bit modulus size | Write
RSA signature generation | PKCS#1 v1.5 RSA signature generation with SHA-256 and SHA-384 | A1587 | User | RSA private key with 2048/3072-bit modulus size | Read
RSA signature verification | PKCS#1 v1.5 RSA signature verification with SHA1, SHA-256 and SHA-384 | A1587 | User | RSA public key with 2048/3072-bit modulus size | Read
ECDSA key pair generation / EC Diffie-Hellman key pair generation | [FIPS186-4 Appendix B.4.2] ECC key pair generation | A1587 | User | ECDSA/ECDH key pair for P-256 and P-384 curves | Write
ECDSA key verification | [FIPS186-4] Public Key Verification (PKV) | A1587 | User | ECDSA public key for P-256 and P-384 curves | Read
ECDSA signature generation | ECDSA signature generation with SHA-256 and SHA-384 | A1587 | User | ECDSA private key according to P-256 and P-384 curves | Read
ECDSA signature verification | ECDSA signature verification with SHA-1, SHA-256 and SHA-384 | A1587 | User | ECDSA public key according to P-256 and P-384. | Read
EC Diffie-Hellman shared secret computation | IG D.8 scenario X1 (path 1) [SP800-56ARev3] KAS ECC SSC, Schemes: Ephemeral Unified | A1587 | User | EC Diffie-Hellman Key pair with P-256 and P-384 curves; shared secret | Read, Write
KTS (IG D.9) | AES-GCM | A1587, A1588 | User | 128 and 256 bits | Read
Message digest | SHA-1 with SSSE3 implementation | A1588 | User | n/a | n/a
Message digest | [FIPS180-4] SHA-1, SHA-256, SHA-384 in assembler implementation | A1587 | User | n/a | n/a
Message authentication | HMAC-SHA-1 in SSSE3 implementation | A1588 | User | At least 112-bit of strength for the HMAC key | Read
Message authentication | [FIPS198-1] HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 in assembler implementation | A1587 | User | At least 112-bit of strength for the HMAC key | Read
Show Status | n/a | n/a | User | n/a | n/a
Self-Tests | n/a | n/a | User | HMAC-SHA-256 key for module integrity test | Read
Zeroization | n/a | n/a | User | All Keys/CSPs (see table 7) | Zeroize
Module initialization | n/a | n/a | CO | n/a | n/a

Table 5 - Services in FIPS mode of operation

The following Table 6 lists the services only available in non-FIPS mode of operation.

Service | Role | Usage/Notes
--- | --- | ---
Symmetric Encryption and decryption | User | Using AES with OFB, CFB, CTR, XTS, CCM, KW modes. Using Blowfish, Camellia, CAST, DES, IDEA, RC2, RC4, SEED, SM2, SM4, Triple-DES algorithms
Message digest | User | SHA-224, SHA-512, SM3, MD4, MD5, MDC2, RIPEMD, Whirlpool
Message authentication | User | HMAC-SHA224, HMAC-SHA512, CMAC with AES, CMAC with Triple-DES
Key generation | User | RSA with key sizes other than 2048 and 3072 bits. ECDSA/EC Diffie-Hellman with public/private key pair for curves other than P-256 and P-384
RSA signature generation and verification | User | Using PKCS #1 v1.5 scheme with key sizes other than 2048 and 3072 bits, for all SHA sizes
RSA signature generation and verification | User | Using PSS, X9.31 schemes
RSA signature generation and verification | User | Using PKCS #1 v1.5 scheme with modulus size 2048 and 3072 bits with SHA sizes: SHA-1, SHA-224 and SHA-512 (RSA Sig Gen); SHA-224 and SHA-512 (RSA Sig Ver)
ECDSA signature generation & verification | User | Using curves other than P-256 and P-384. Using curves P-256 and P-384 with SHA sizes: SHA-1, SHA-224 and SHA-512 (ECDSA Sig Gen); SHA-224 and SHA-512 (ECDSA Sig Ver). Using SM2 algorithm
RSA encrypt/decrypt | User | With modulus sizes up to 16384 bits
DSA domain parameter generation, domain parameter verification, key pair generation, signature generation and verification | User | With all key and SHA sizes
Random Number Generation | User | Using HMAC_DRBG and Hash_DRBG for all SHA sizes
Random Number Generation | User | CTR_DRBG with AES-128 or AES-192
Random Number Generation | User | ANSI X9.31 RNG
Key Agreement | User | J-PAKE, SRP, EC Diffie-Hellman SSC with curves other than P-256 and P-384

Table 6 - Services in non-FIPS mode of operation

4.3. Operator Authentication

The module does not implement authentication. The role is implicitly assumed based on the service requested.

5. Physical Security

The module is comprised of software only and therefore this security policy does not make any claims on physical security.

6. Operational Environment

6.1. Applicability

The module operates in a modifiable operational environment per FIPS 140-2 level 1 specifications. The module runs on hardware and hypervisor specified in Table 3 - Tested Platforms with F5OS 1.1.1 as the host operating system. BIG-IP consists of a Linux based operating system customized for performance that runs directly on the hardware or in a virtual environment.

6.2. Policy

The operating system is restricted to a single operator; concurrent operators are explicitly excluded. The application that requests cryptographic services is the single user of the module.

7. Cryptographic Key Management

The following Table 7 summarizes the keys and CSPs that are used by the cryptographic services implemented in the module:

Name | Strength | Generation | Storage | Zeroization
--- | --- | --- | --- | ---
AES Key | 128, 192 and 256 bits | N/A. Input as API parameter | RAM | Zeroized by FIPS_cipher_ctx_cleanup()
AES Key wrapping Key | 128 and 256 bits | N/A. Input as API parameter | RAM | Zeroized by FIPS_cipher_ctx_cleanup()
HMAC Key | >= 112 bits | N/A. Input as API parameter | RAM | Zeroized by HMAC_CTX_cleanup()
RSA Key Pair | Modulus (max-security strengths): 2048 (112 bits), 3072 (128 bits) | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key generation method, and the random value used in the key generation is obtained using [SP800-90A] DRBG. | RAM | Zeroized by FIPS_rsa_free()
ECDSA Key Pair | Curves (max-security strengths): P256 (128 bits), P384 (192 bits) | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key generation method, and the random value used in the key generation is obtained using [SP800-90A] DRBG. | RAM | Zeroized by EC_KEY_free()
EC Diffie-Hellman Key pair | Curves (security strengths): P256 (128 bits), P384 (192 bits) | Generated conformant to SP800-133r2 (CKG) using [FIPS 186-4] Key generation method and the random value used in the key generation is obtained using [SP800-90A] DRBG | RAM | Zeroized by EC_KEY_free()
ECDH shared secret | Curves (security strengths): P256 (128 bits), P384 (192 bits) | Internally generated via SP800-56ARev3 ECC CDH shared secret computation | RAM | Zeroized by EC_KEY_free()
entropy input string | 256 bits | Obtained from ENT (NP) ([SP800-90B] compliant) | RAM | Zeroized by FIPS_drbg_free()
DRBG seed, values V, and Key | - | Derived from entropy string as defined by [SP800-90A] | RAM | Zeroized by FIPS_drbg_free()

Table 7 - Life cycle of keys and CSPs

7.1. Key Generation

For generating RSA, ECDSA and EC Diffie-Hellman keys, the module implements asymmetric key generation services compliant with [FIPS186-4], using a DRBG compliant with [SP800-90A]. A seed (i.e. the random value) used in asymmetric key generation is obtained from the [SP800-90A] DRBG. In accordance with [FIPS 140-2 IG D.12], the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per SP800-133 (vendor affirmed).

The module does not implement symmetric key generation.

7.2. Key Establishment

The module implements EC Diffie-Hellman shared secret computation, compliant with SP800-56ARev3 and scenario X1 (path 1) in [FIPS 140-2 IG D.8]. The module provides EC Diffie-Hellman shared secret computation with curves P-256 or P-384, providing 128- or 192-bit equivalent security strength, respectively.

The module also provides key wrapping in the context of the TLS protocol to send and receive key material in the payload.
The key wrapping methods are provided by the TLS record layer using an approved authenticated encryption mode (i.e. AES GCM). The TLS protocol has not been reviewed or tested by the CAVP or CMVP. The key wrapping method using AES GCM is an approved key transport method according to IG D.9. AES in GCM mode provides 128 or 256 bits of encryption strength.

7.3. Key Entry / Output

The module does not support manual key entry or intermediate key generation key output. In addition, the module does not produce key output outside its physical boundary. The keys can be entered or output from the module in plaintext form via API parameters, to and from the calling application only. This is allowed by [FIPS 140-2_IG] IG 7.7 Table 1, according to the “CM Software to/from App Software via GPC INT Path” entry which refers to keys communicated within the physical boundary of the GPC.

7.4. Key / CSP Storage

Public and private keys are provided to the module by the calling process, and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of keys. The only exception is the HMAC-SHA-256 key used for integrity test, which is stored in the module and relies on the operating system for protection.

7.5. Key / CSP Zeroization

The memory occupied by keys is allocated by regular memory allocation operating system calls. The application is responsible for calling the appropriate destruction functions provided in the module's API. The destruction functions overwrite the memory occupied by keys with “zeros” and deallocate the memory with the regular memory deallocation operating system call.

7.6. Random Number Generation

The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90A] for the generation of random value used in asymmetric keys, and for providing a RNG service to calling applications. The Approved DRBG provided by the module is the CTR_DRBG with AES-256. The DRBG is initialized during module initialization.

The module uses a SP800-90B compliant Non-Physical entropy source (ENT (NP)) to seed the DRBG. The ENT (NP) generates at least 256 bits of entropy to the DRBG during initialization (seed) and reseeding (reseed). The ENT (NP) is outside of the module’s logical boundary but within its physical boundary.

8. Self-Tests

8.1. Power-Up Tests

The module performs power-up tests automatically when the module is loaded into memory; power-up tests ensure that the module is not corrupted and that the cryptographic algorithms work as expected. While the module is executing the power-up tests, services are not available, and input and output are inhibited. The module does not return control to the calling application until the power-up tests are completed.

On successful completion of the power-up tests, the module enters operational mode and cryptographic services are available. If the module fails any of the power-up tests, it will return an error code and enter into the Error state to prohibit any further cryptographic operations. The module must be re-loaded in order to clear the error condition.

8.1.1. Integrity Tests

The integrity of the module is verified by comparing an HMAC-SHA-256 value calculated at run time with the HMAC value stored in the module that was computed at build time.

8.1.2. Cryptographic algorithm tests

The module performs self-tests on all FIPS-Approved cryptographic algorithms supported in the approved mode of operation, using the Known Answer Test (KAT) and Pair-wise Consistency Test (PCT) as shown in the following Table 8:

Algorithm | Test
--- | ---
CTR_DRBG | KAT with AES 256 bits with and without derivation function
AES | KAT of AES encryption with AES-GCM mode and 128 bit key
AES | KAT of AES decryption with ECB mode and 128 bit key
RSA | KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and SHA-256
RSA | KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and SHA-256
ECDSA | PCT of ECDSA signature generation and verification with P-256 curve
KAS SSC (EC Diffie-Hellman) | KAT of “Z” computation with P-256 curve
SHA-1, SHA-256, SHA-384 | The SHA KATs are covered by the HMAC-SHA KATs (for all the SHA sizes) complying with IG 9.2
HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 | KAT of HMAC-SHA-1; KAT of HMAC-SHA-256; KAT of HMAC-SHA-384

Table 8 - Self-Tests

8.2. On-Demand self-tests

The module provides the Self-Test service to perform self-tests on demand. On demand self-tests can be invoked by powering-off and reloading the module. This service performs the same cryptographic algorithm tests executed during power-up. During the execution of the on-demand self-tests, crypto services are not available, and no data output or input is possible.

8.3. Conditional Tests

The module performs conditional tests on the cryptographic algorithms shown in the following Table 9. If the module fails any of these tests, it will enter into the Error state to prohibit any further cryptographic operations. The module must be re-loaded to clear the error condition.

Algorithm | Test
--- | ---
RSA key generation | PCT using SHA-256
ECDSA and EC Diffie-Hellman key generation | PCT using SHA-256 and P-256

Table 9 - Conditional Tests

9. Guidance

9.1. Delivery

The module is distributed as a part of the BIG-IP product in the tenant software image files (BIGIP-14.1.2.1.-VELOS.qcow2.zip.bundle) from the F5 downloads site (downloads.f5.com). The module, i.e. the libcrypto.so binary, is installed together with the product. Activating the FIPS validated module requires installation of the ‘FIPS 140-2 Compliant Mode’ add-on license.

9.2. Crypto Officer Guidance

On the BIG-IP product the Crypto Officer should run the command ‘tmsh show sys version’¹ to ensure that Sys::Version shows the information below.

module version 14.1.4.2
    Sys::Version
    Main Package
    Product BIG-IP
    Version 14.1.4.2
    Build: 0.0.5
    Edition Point Release 2

The Crypto Officer should also verify the FIPS validated module license activation by running the command ‘tmsh show sys license’, which should list ‘FIPS 140-2 Compliant Mode, CX410,’ under the ‘Active Modules’ list.

After the FIPS validated module license is installed, the command prompt will change to ‘REBOOT REQUIRED’. The Crypto Officer must reboot the BIG-IP for all FIPS-compliant changes to take effect.

The Crypto Officer shall verify that the application layer is not configured to use the Intel SSL acceleration card in order to operate the module in the FIPS validated configuration.

9.3. User Guidance

The module supports two modes of operation. Table 5 lists the FIPS approved services. Using the services in Table 6 will put the module in non-FIPS mode implicitly.
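
Because the mode is selected per call, an application team can audit its own requests against Tables 5 and 6. The following is an added example, not part of the Security Policy or F5's code; it covers only the RSA and ECDSA/EC key generation and signature rows, and every type name, function name and scheme label such as "pkcs1v15" is hypothetical.

```c
/* Added example, not F5's code. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { RSA_KEYGEN, RSA_SIGGEN, RSA_SIGVER,
               EC_KEYGEN, ECDSA_SIGGEN, ECDSA_SIGVER } service_t;
typedef enum { FIPS_MODE, NON_FIPS_MODE } op_mode_t;

typedef struct {
    service_t   svc;
    int         rsa_bits;  /* RSA modulus size in bits; 0 for EC services */
    const char *name;      /* RSA signature scheme label, or EC curve name */
    int         sha_bits;  /* 160 = SHA-1, 224, 256, 384, 512; 0 for key generation */
} request_t;

static int is_one_of(const char *s, const char *a, const char *b)
{
    return s != NULL && (strcmp(s, a) == 0 || strcmp(s, b) == 0);
}

/* Table 5: SHA-256/384 for signing; verification additionally accepts SHA-1. */
static int hash_ok(int sha_bits, int verifying)
{
    if (sha_bits == 256 || sha_bits == 384)
        return 1;
    return verifying && sha_bits == 160;
}

/* Mode the module implicitly assumes for one request. */
op_mode_t mode_for(const request_t *r)
{
    int rsa_size_ok = (r->rsa_bits == 2048 || r->rsa_bits == 3072);
    int curve_ok = is_one_of(r->name, "P-256", "P-384");
    int ok = 0;

    switch (r->svc) {
    case RSA_KEYGEN:
        ok = rsa_size_ok;
        break;
    case EC_KEYGEN:
        ok = curve_ok;
        break;
    case RSA_SIGGEN:
    case RSA_SIGVER:
        /* PSS and X9.31 are Table 6 services regardless of size or hash. */
        ok = rsa_size_ok && r->name != NULL && strcmp(r->name, "pkcs1v15") == 0
             && hash_ok(r->sha_bits, r->svc == RSA_SIGVER);
        break;
    case ECDSA_SIGGEN:
    case ECDSA_SIGVER:
        ok = curve_ok && hash_ok(r->sha_bits, r->svc == ECDSA_SIGVER);
        break;
    }
    return ok ? FIPS_MODE : NON_FIPS_MODE;
}

/* Counts requests that select non-FIPS mode; *first receives the index of
 * the first one, or -1 if the whole trace stays in FIPS mode. */
size_t audit_trace(const request_t *trace, size_t n, long *first)
{
    size_t bad = 0;
    *first = -1;
    for (size_t i = 0; i < n; i++) {
        if (mode_for(&trace[i]) == NON_FIPS_MODE) {
            if (bad == 0)
                *first = (long)i;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample trace of application requests (not captured data). */
static const request_t SAMPLE_TRACE[] = {
    { RSA_KEYGEN,   2048, NULL,       0   },  /* approved */
    { RSA_SIGGEN,   2048, "pkcs1v15", 256 },  /* approved */
    { RSA_SIGVER,   2048, "pkcs1v15", 160 },  /* approved: SHA-1 verification */
    { RSA_SIGGEN,   2048, "pkcs1v15", 160 },  /* non-approved: SHA-1 generation */
    { RSA_SIGGEN,   3072, "pss",      256 },  /* non-approved: PSS scheme */
    { ECDSA_SIGGEN, 0,    "P-384",    384 },  /* approved */
    { ECDSA_SIGVER, 0,    "P-256",    512 },  /* non-approved: SHA-512 */
    { EC_KEYGEN,    0,    "P-521",    0   },  /* non-approved: other curve */
};
#define SAMPLE_LEN (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

int main(void)
{
    long first;
    size_t bad = audit_trace(SAMPLE_TRACE, SAMPLE_LEN, &first);

    for (size_t i = 0; i < SAMPLE_LEN; i++)
        printf("request %zu: %s\n", i,
               mode_for(&SAMPLE_TRACE[i]) == FIPS_MODE ? "FIPS mode" : "non-FIPS mode");
    printf("%zu non-approved request(s), first at index %ld\n", bad, first);
    return 0;
}
```

The same key and curve can land in either mode depending on the digest and on whether the call signs or verifies, so the check has to look at the whole request, not only at the key.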

¹ The Sys::Licensed information shown by the command ‘tmsh show sys license’ shows a Licensed Version of 1.1.2, which is the first released number and not the current Sys::Version number of 14.1.4.2.

The user shall consider the following requirements and restrictions when using the module.

• For TLS 1.2, the module offers the AES-GCM implementation and uses the context of Scenario 1 of IG A.5. The module is compliant with SP800-52Rev2 section 3.3.1 and the mechanism for IV generation is compliant with RFC5288.
• The module does not implement the TLS protocol. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key.
• In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with AES-GCM key encryption or decryption under this scenario is established.

10. Mitigation of Other Attacks

The module does not implement security mechanisms to mitigate other attacks.

Appendix A. Glossary and Abbreviations

AES: Advanced Encryption Standard
AES-NI: Advanced Encryption Standard New Instructions
CBC: Cipher Block Chaining
CFB: Cipher Feedback
CSP: Critical Security Parameter
CTR: Counter Mode
CVL: Component Validation List
DES: Data Encryption Standard
DSA: Digital Signature Algorithm
DRBG: Deterministic Random Bit Generator
ECB: Electronic Code Book
ECC: Elliptic Curve Cryptography
FIPS: Federal Information Processing Standards Publication
GCM: Galois Counter Mode
HMAC: Hash Message Authentication Code
J-PAKE: Password Authentication Key exchange by Juggling
KAS: Key Agreement Scheme
KAT: Known Answer Test
MAC: Message Authentication Code
NIST: National Institute of Science and Technology
NDRNG: Non-Deterministic Random Number Generator
OFB: Output Feedback
PAA: Processor Algorithm Accelerators
PSS: Probabilistic Signature Scheme
RNG: Random Number Generator
RSA: Rivest, Shamir, Adleman
SHA: Secure Hash Algorithm
SSSE3: Supplemental Streaming SIMD Extensions 3
XTS: XEX-based Tweaked-codebook mode with cipher text stealing

Appendix B. References

FIPS140-2: FIPS PUB 140-2 - Security Requirements for Cryptographic Modules. May 2001. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
FIPS140-2_IG: Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program. Aug 2020. https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf
FIPS180-4: Secure Hash Standard (SHS). Aug 2015. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
FIPS186-4: Digital Signature Standard (DSS). July 2013. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS197: Advanced Encryption Standard. November 2001. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
FIPS198-1: The Keyed Hash Message Authentication Code (HMAC). July 2008. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf
PKCS#1: Public Key Cryptography Standards (PKCS) #1: RSA Cryptography. https://tools.ietf.org/html/rfc8017
SP800-38A: NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques. December 2001. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf
SP800-38D: NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. November 2007. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
SP800-56A: NIST Special Publication 800-56A - Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. Apr 2018, rev3. https://doi.org/10.6028/NIST.SP.800-56Ar3
SP800-90A: NIST Special Publication 800-90A - Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Jun 2015. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
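
Section 9.3 requires that the nonce_explicit counter never exhausts under one session key and that a new AES-GCM key is established after power is lost. The following added example, which is not from the Security Policy or F5's code, shows an application-side RFC 5288 IV generator that enforces both rules; all names, and the choice of a big-endian per-key counter as nonce_explicit, are assumptions.

```c
/* Added example, not F5's code. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALT_LEN     4   /* implicit part of the IV, taken from the TLS key block */
#define EXPLICIT_LEN 8   /* nonce_explicit, carried in every record */
#define IV_LEN       (SALT_LEN + EXPLICIT_LEN)

typedef enum { IV_OK = 0, IV_NEED_KEY = -1, IV_EXHAUSTED = -2 } iv_status_t;

/* Held in RAM only, like the session key it belongs to. */
typedef struct {
    uint8_t  salt[SALT_LEN];
    uint64_t counter;    /* next nonce_explicit value */
    int      keyed;      /* 0 until a session key has been established */
    int      exhausted;  /* set once all 2^64 counter values were issued */
} iv_gen_t;

/* Call exactly once for each newly established AES-GCM session key. */
void iv_gen_rekey(iv_gen_t *g, const uint8_t salt[SALT_LEN])
{
    memcpy(g->salt, salt, SALT_LEN);
    g->counter = 0;
    g->exhausted = 0;
    g->keyed = 1;
}

/* Models loss of power: the counter position is gone, so the old key must
 * not be used again; the generator refuses until iv_gen_rekey() is called. */
void iv_gen_power_loss(iv_gen_t *g)
{
    memset(g, 0, sizeof *g);
}

/* Writes salt || nonce_explicit into iv, or refuses if that could repeat
 * an IV under the current key. */
iv_status_t iv_gen_next(iv_gen_t *g, uint8_t iv[IV_LEN])
{
    if (!g->keyed)
        return IV_NEED_KEY;
    if (g->exhausted)
        return IV_EXHAUSTED;

    memcpy(iv, g->salt, SALT_LEN);
    for (int i = 0; i < EXPLICIT_LEN; i++)   /* big-endian counter */
        iv[SALT_LEN + i] = (uint8_t)(g->counter >> (8 * (EXPLICIT_LEN - 1 - i)));

    if (g->counter == UINT64_MAX)
        g->exhausted = 1;    /* never wrap back to zero under the same key */
    else
        g->counter++;
    return IV_OK;
}

int main(void)
{
    /* Constructed salt value, for demonstration only. */
    const uint8_t salt[SALT_LEN] = { 0xde, 0xad, 0xbe, 0xef };
    uint8_t iv[IV_LEN];
    iv_gen_t g;

    memset(&g, 0, sizeof g);
    printf("before key establishment: %d\n", iv_gen_next(&g, iv));
    iv_gen_rekey(&g, salt);
    printf("first record: %d\n", iv_gen_next(&g, iv));
    iv_gen_power_loss(&g);
    printf("after power loss: %d\n", iv_gen_next(&g, iv));
    return 0;
}
```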