Linux Kernel FIPS Object Module (KFOM) Cryptographic Module

Certificate #4744

Webpage information

Status active
Validation dates 29.07.2024
Sunset date 28-07-2029
Standard FIPS 140-3
Security level 1
Type Firmware-Hybrid
Embodiment Multi-Chip Stand Alone
Caveat No assurance of the minimum strength of generated SSPs (e.g., keys). No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
Exceptions
  • Non-invasive security: N/A
  • Mitigation of other attacks: N/A
Description The Cisco Linux Kernel FIPS Object Module (KFOM) is a firmware hybrid cryptographic library that serves the operating system kernel. It does not implement any security protocols, instead only allowing for Linux kernel applications access to using approved algorithms.
Version (Hardware) ARMv8 Cortex-A53, Intel Xeon Gold 6138
Version (Firmware) 1.0
Tested configurations
  • Linux 4.9 running on Cisco Meraki MX68CW with ARMv8 Cortex-A53 with PAA
  • Ubuntu 18.04 running on Cisco UCS C220 M5 with Intel Xeon Gold 6138 (Skylake) with PAA
Vendor Cisco Systems, Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.
Certificate
Webpage

Security policy

Security target PDF TXT

Symmetric Algorithms
AES, AES-128, AES-, AES-256, CAST, HMAC, CMAC
Hash functions
SHA-1
Schemes
MAC
Randomness
DRBG
Block cipher modes
ECB, CBC, CTR, GCM, CCM, XTS

Vendor
Cisco Systems, Inc, Cisco Systems, Cisco

Security level
Level 1, level 1

Standards
FIPS 140-3, FIPS 197, FIPS 180-4, SP 800-140, ISO/IEC 19790, ISO/IEC 24759

File metadata

Title CISCO 831 Security Policy
Subject FIPS 140-2 Security Policy
Author Scott Shorter
Creation date D:20240628170418-04'00'
Modification date D:20240628170431-04'00'
Pages 20
Creator Acrobat PDFMaker 24 for Word
Producer Adobe PDF Library 24.2.121

Heuristics

No heuristics are available for this certificate.

References

No references are available for this certificate.

Updates

  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate was first processed.

Raw data 

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4744,
  "dgst": "fdba794336e0776e",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "Counter DRBGA1185",
        "AES-CMACA1185",
        "AES-CBCA1185",
        "Hash DRBGA1185",
        "SHA2-512A1185",
        "AES-GMACA1185",
        "AES-ECBA1185",
        "HMAC-SHA2-384A1185",
        "HMAC-SHA2-512A1185",
        "AES-XTSA1185",
        "SHA-1A1185",
        "HMAC DRBGA1185",
        "AES-CBC-CS3A1185",
        "SHA2-224A1185",
        "HMAC-SHA2-224A1185",
        "HMAC-SHA2-256A1185",
        "SHA2-256A1185",
        "AES-CCMA1185",
        "HMAC-SHA-1A1185",
        "SHA2-384A1185",
        "AES-GCMA1185",
        "AES-CTRA1185"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "1.0"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {},
      "certification_process": {},
      "cipher_mode": {
        "CBC": {
          "CBC": 12
        },
        "CCM": {
          "CCM": 10
        },
        "CTR": {
          "CTR": 14
        },
        "ECB": {
          "ECB": 10
        },
        "GCM": {
          "GCM": 19
        },
        "XTS": {
          "XTS": 11
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {},
      "crypto_scheme": {
        "MAC": {
          "MAC": 3
        }
      },
      "device_model": {},
      "ecc_curve": {},
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#3": 2
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES- 192": 1,
          "AES-128": 1,
          "AES-256": 1,
          "HMAC SHA-1": 2,
          "HMAC-SHA-1": 6,
          "PAA 2": 1,
          "SHA-1": 9,
          "SHA2-224": 2,
          "SHA2-256": 4,
          "SHA2-384": 4,
          "SHA2-512": 7
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 3,
          "level 1": 2
        }
      },
      "hash_function": {
        "SHA": {
          "SHA1": {
            "SHA-1": 9
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 61
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 9,
          "FIPS 180-4": 1,
          "FIPS 197": 6
        },
        "ISO": {
          "ISO/IEC 19790": 6,
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-140": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 65,
            "AES-": 1,
            "AES-128": 1,
            "AES-256": 1
          },
          "CAST": {
            "CAST": 1
          }
        },
        "constructions": {
          "MAC": {
            "CMAC": 4,
            "HMAC": 17
          }
        }
      },
      "tee_name": {},
      "tls_cipher_suite": {},
      "vendor": {
        "Cisco": {
          "Cisco": 3,
          "Cisco Systems": 1,
          "Cisco Systems, Inc": 22
        }
      },
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Author": "Scott Shorter",
      "/Category": "FIPS 140-2 Submission Documentation",
      "/Comments": "",
      "/Company": "Orion Security Solutions",
      "/CreationDate": "D:20240628170418-04\u002700\u0027",
      "/Creator": "Acrobat PDFMaker 24 for Word",
      "/Keywords": "",
      "/ModDate": "D:20240628170431-04\u002700\u0027",
      "/Producer": "Adobe PDF Library 24.2.121",
      "/SourceModified": "D:20240628210405",
      "/Subject": "FIPS 140-2 Security Policy",
      "/Title": "CISCO 831 Security Policy",
      "pdf_file_size_bytes": 631367,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": []
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 20
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_json_hash": null,
    "policy_pdf_hash": "40076fd0402fe7e9493eb5f219b781e1a64eb94478428125fbf8d93f6e14eef7",
    "policy_txt_hash": "f3823f78e10efee495dee577a4f78b433173be6e627405c153602c55e3b5fc90"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "No assurance of the minimum strength of generated SSPs (e.g., keys). No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/July 2024_010824_1146.pdf",
    "date_sunset": "2029-07-28",
    "description": "The Cisco Linux Kernel FIPS Object Module (KFOM) is a firmware hybrid cryptographic library that serves the operating system kernel. It does not implement any security protocols, instead only allowing for Linux kernel applications access to using approved algorithms.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Non-invasive security: N/A",
      "Mitigation of other attacks: N/A"
    ],
    "fw_versions": "1.0",
    "historical_reason": null,
    "hw_versions": "ARMv8 Cortex-A53, Intel Xeon Gold 6138",
    "level": 1,
    "mentioned_certs": {},
    "module_name": "Linux Kernel FIPS Object Module (KFOM) Cryptographic Module",
    "module_type": "Firmware-Hybrid",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": null,
    "tested_conf": [
      "Linux 4.9 running on Cisco Meraki MX68CW with ARMv8 Cortex-A53 with PAA",
      "Ubuntu 18.04 running on Cisco UCS C220 M5 with Intel Xeon Gold 6138 (Skylake) with PAA"
    ],
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-07-29",
        "lab": "Acumen Security",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Cisco Systems, Inc.",
    "vendor_url": "https://www.cisco.com"
  }
}