© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
F5®
Device Cryptographic Module
FIPS 140-2 Non-Proprietary Security Policy
Hardware Versions:
BIG-IP i4000, BIG-IP i5000, BIG-IP i5820-DF, BIG-IP i7000,
BIG-IP i7820-DF, BIG-IP i10800, BIG-IP i11800-DS, BIG-IP i15800,
BIG-IP 5250v-F, BIG-IP 7200v-F, BIG-IP 10200v-F, BIG-IP 10350v-F,
VIPRION B2250 and VIPRION B4450
Firmware Version:
14.1.0.3 EHF
FIPS Security Level 2
document version 1.3
Document Revision: June 2022
Prepared by:
atsec information security corporation
9130 Jollyville Road, Suite 260
Austin, TX 78759
www.atsec.com
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
2 of 44
Table of Contents
1 Cryptographic Module Specification..................................................................... 6
1.1 Module Description ............................................................................................................ 6
1.2 FIPS 140-2 Validation Level................................................................................................ 8
1.3 Description of modes of operation..................................................................................... 9
1.4 Cryptographic Module Boundary...................................................................................... 12
2 Cryptographic Module Ports and Interfaces.........................................................14
3 Roles, Services and Authentication.....................................................................18
3.1 Roles................................................................................................................................ 18
3.2 Authentication ................................................................................................................. 19
3.3 Services ........................................................................................................................... 20
4 Physical Security ...............................................................................................25
4.1 Tamper Label Placement ................................................................................................. 25
5 Operational Environment ...................................................................................31
6 Cryptographic Key Management.........................................................................32
6.1 Key Generation ................................................................................................................ 32
6.2 Key Establishment ........................................................................................................... 32
6.3 Key Entry / Output ........................................................................................................... 33
6.4 Key / CSP Storage ............................................................................................................ 33
6.5 Key / CSP Zeroization....................................................................................................... 33
6.6 Random Number Generation ........................................................................................... 34
7 Self-Tests..........................................................................................................35
7.1 Power-Up Tests ................................................................................................................ 35
7.1.1 Integrity Tests .......................................................................................................... 35
7.1.2 Cryptographic algorithm tests.................................................................................. 35
7.2 On-Demand self-tests ...................................................................................................... 36
7.3 Conditional Tests ............................................................................................................. 36
8 Guidance...........................................................................................................38
8.1 Delivery and Operation.................................................................................................... 38
8.2 Crypto Officer Guidance................................................................................................... 38
8.2.1 Installing Tamper Evident Labels ............................................................................. 38
8.2.2 Install Device............................................................................................................ 38
8.2.3 Password Strength Requirement.............................................................................. 39
8.2.4 Additional Guidance ................................................................................................. 39
8.2.5 Version Configuration............................................................................................... 39
8.3 User Guidance ................................................................................................................. 40
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
3 of 44
9 Mitigation of Other Attacks ................................................................................41
Figure 1 – Hardware Block Diagram................................................................................................ 13
Figure 2 – BIG-IP i4000.................................................................................................................... 14
Figure 3 – BIG-IP i5000 / i5820-DF .................................................................................................. 15
Figure 4 – BIG-IP i7000 / i7820-DF .................................................................................................. 15
Figure 5 – BIG-IP i10800 / i11800-DS .............................................................................................. 15
Figure 6 – BIG-IP i15800.................................................................................................................. 15
Figure 7 – BIG-IP 5250v-F................................................................................................................ 16
Figure 8 – BIG-IP 7200v-F................................................................................................................ 16
Figure 9 – BIG-IP 10200v-F.............................................................................................................. 16
Figure 10 – BIG-IP 10350v-F............................................................................................................ 16
Figure 11 – VIPRION B2250............................................................................................................. 17
Figure 12 – VIPRION B4450............................................................................................................. 17
Figure 13 – BIG-IP i4000 (3 of 3 tamper labels)............................................................................... 26
Figure 14 – BIG-IP i5000 (3 of 3 tamper labels)............................................................................... 26
Figure 15 – BIG-IP i5820-DF (4 tamper labels shown) ..................................................................... 26
Figure 16 – BIG-IP i7000 (6 of 6 tamper labels shown) ................................................................... 26
Figure 17 – BIG-IP i7820-DF (4 tamper labels shown) ..................................................................... 27
Figure 18 – BIG-IP i10800 / i11800-DS (6 tamper labels shown)..................................................... 27
Figure 19 – BIG-IP i10800 / i11800-DS (tamper label 5 & 6) ........................................................... 27
Figure 20 – BIG-IP i15800 (Front tamper labels 1-3 labels shown).................................................. 28
Figure 21 – BIG-IP i15800 (Back tamper labels 4 and 5 labels shown)............................................ 28
Figure 22 – BIG-IP 5250v-F (4 tamper labels shown) ...................................................................... 28
Figure 23 – BIG-IP 7200v-F (5 tamper labels shown) ...................................................................... 28
Figure 24 – BIG-IP 10200v-F (Front tamper labels 1-3 shown) ........................................................ 29
Figure 25 – BIG-IP 10200v-F (Back tamper label 4 shown) ............................................................. 29
Figure 26 – VIPRION B2250 in chassis (1 of 6 tamper labels shown) .............................................. 29
Figure 27 – VIPRION B2250 top view (5 of 6 tamper labels shown) ................................................ 29
Figure 28 – VIPRION B4450 in chassis............................................................................................. 29
Figure 29 – VIPRION B4450 front (1 of 5 tamper labels shown) ...................................................... 29
Figure 30 – VIPRION B4450 top-view (4 of 5 tamper labels shown) ................................................ 30
Table 1 – Tested Modules.................................................................................................................. 8
Table 2 – Security Levels .................................................................................................................. 9
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
4 of 44
Table 3 – Approved Cryptographic Algorithms................................................................................ 11
Table 4 – Non-Approved but Allowed in FIPS mode Cryptographic Algorithms ............................... 11
Table 5 – Non-Approved and Non-Compliant Cryptographic Algorithms/Modes.............................. 12
Table 6 – Ports and Interfaces......................................................................................................... 14
Table 7 – FIPS 140-2 Roles .............................................................................................................. 19
Table 8 – Authentication of Roles.................................................................................................... 19
Table 9 – Non-Authenticated Services ............................................................................................ 20
Table 10 – Management Services ................................................................................................... 22
Table 11 – Crypto Services in FIPS mode of operation.................................................................... 23
Table 12 – Services in non-FIPS mode of operation ........................................................................ 24
Table 13 – Inspection of Tamper Evident Labels............................................................................. 25
Table 14 – Number of Tamper Evident Labels per hardware appliance .......................................... 25
Table 15 – Life cycle of CSPs........................................................................................................... 32
Table 16 – Self-Tests....................................................................................................................... 36
Table 17 – Conditional Tests ........................................................................................................... 37
Copyrights and Trademarks
F5® and BIG-IP® are registered trademarks of F5. Inc..
Intel® and Xeon® are registered trademarks of Intel® Corporation.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
5 of 44
Introduction
This document is the non-proprietary FIPS 140-2 Security Policy of F5® Device
Cryptographic Module with firmware version 14.1.0.3 EHF and hardware version listed in
table 1. It contains the security rules under which the module must operate and describes
how this module meets the requirements as specified in FIPS PUB 140-2 (Federal
Information Processing Standards Publication 140-2) for a Security Level 2 module.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
6 of 44
1 Cryptographic Module Specification
The following section describes the cryptographic module and how it conforms to the FIPS
140-2 specification in each of the required areas.
1.1 Module Description
The F5® Device Cryptographic Module (hereafter referred to as “the module”) is a smart
evolution of Application Delivery Controller (ADC) technology. Solutions built on this
platform are load balancers. They are full proxies that give visibility into, and the power
to control—inspect and encrypt or decrypt—all the traffic that passes through your
network.
Underlying all BIG-IP hardware and software is F5’s proprietary operating system, TMOS,
which provides unified intelligence, flexibility, and programmability. With its application
control plane architecture, TMOS gives you control over the acceleration, security, and
availability services your applications require. TMOS establishes a virtual, unified pool of
highly scalable, resilient, and reusable services that can dynamically adapt to the
changing conditions in data centers and virtual and cloud infrastructures.
The module has been tested on the following multichip standalone devices with the
firmware version 14.1.0.3 EHF.
Hardware Processor1 Operating
System
Specifications2
BIG-IP i4000 Intel® Xeon®
D
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 1GbE; 4 x 10GbE network ports
• 1 x Console port
• 1 x 1GbE management port
• 4 x LEDs
BIG-IP i5000 Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 1GbE; 4 x 40GbE network ports
• 1 x Console port
• 1 x GbE management port
• 4 x LEDs
BIG-IP i5820-DF Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 10GbE; 4 x 40GbE network ports
• 1 x Console port
• 1 x 1GbE management port
• 4 x LEDs
1 The modules make use of the AES-NI instruction provided by the underlying processor.
2 The USB port found on all platforms are specified as used only for exporting of audit logs.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
7 of 44
Hardware Processor1 Operating
System
Specifications2
BIG-IP i7000 Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 1GbE; 6 x 10GbE network ports
• 1 x Console port
• 1 x 1GbE management port
• 4 x LEDs
BIG-IP i7820-DF Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 10GbE; 4 x 40GbE network ports
• 1 x Console port
• 1 x 1GbE management port
• 4 x LEDs
BIG-IP i10800 Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 10GbE; 6 x 40GbE network ports
• 1 x Console port
• 1 x 1GbE management port
• 4 x LEDs
BIG-IP i11800-DS Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 10GbE; 6 x 40GbE network ports
• 1 x Console port
• 1 x 1GbE management port
• 4 x LEDs
BIG-IP i15800 Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 8 x 40GbE; 4 x 100GbE network ports
• 1 x Console port
• 1 x 1GbE management port
• 4 x LEDs
BIG-IP 5250v-F Intel® Xeon®
E3
TMOS
14.1.0.3 EHF
• 2 x USB port
• 4 x 1GbE; 8 x 10GbE network ports
• 1 x Console port
• 1 x GbE management port
• 4 x LEDs
BIG-IP 7200v-F Intel® Xeon®
E3
TMOS
14.1.0.3 EHF
• 2 x USB port
• 4 x 1GbE; 8 x 10GbE network ports
• 1 x Console port
• 1 x GbE management port
• 4 x LEDs
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
8 of 44
Hardware Processor1 Operating
System
Specifications2
BIG-IP 10200v-F Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 16 x 10GbE; 2 x 40GbE network ports
• 1 x Console port
• 1 x GbE management port
• 4 x LEDs
BIG-IP 10350v-F Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 16 x 10GbE; 2 x 40GbE network ports
• 1 x Console port
• 1 x GbE management port
• 4 x LEDs
VIPRION B2250 Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 4 x 40 GbE network ports
• 1 x Console port
• 1 x GbE management port
• 4 x LEDs
VIPRION B4450 Intel® Xeon®
E5
TMOS
14.1.0.3 EHF
• 1 x USB port
• 4 x 40 GbE; 2 x 100 GbE network ports
• 1 x Console port
• 1 x GbE management port
• 4 x LEDs
Table 1 – Tested Modules
1.2 FIPS 140-2 Validation Level
For the purpose of the FIPS 140-2 validation, the F5® Device Cryptographic Module is
defined as a multi-chip standalone hardware cryptographic module validated at overall
security level 2. The table below shows the security level claimed for each of the eleven
sections that comprise the FIPS 140-2 standard:
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
9 of 44
FIPS 140-2 Section Security
Level
1 Cryptographic Module Specification 2
2 Cryptographic Module Ports and Interfaces 2
3 Roles, Services and Authentication 2
4 Finite State Model 2
5 Physical Security 2
6 Operational Environment N/A
7 Cryptographic Key Management 2
8 EMI/EMC 2
9 Self-Tests 2
10 Design Assurance 2
11 Mitigation of Other Attacks N/A
Overall Level 2
Table 2 – Security Levels
1.3 Description of modes of operation
The module must be installed in the FIPS validated configuration as stated in Section 8 –
Guidance. In the operation mode the module supports two modes of operation:
• in "FIPS mode" (the FIPS Approved mode of operation) only approved or allowed
security functions with sufficient security strength can be used.
• in "non-FIPS mode" (the non-Approved mode of operation) only non-approved
security functions can be used.
The module enters operational mode after power-up tests succeed. Once the module is
operational, the mode of operation is implicitly assumed depending on the security
function invoked and the security strength of the cryptographic keys. Critical Security
Parameters (CSPs) used or stored in FIPS mode are not used in non-FIPS mode, and vice
versa.
In the FIPS Approved Mode, the cryptographic module will provide the following CAVP
certified cryptographic algorithms. Here the Control, or Management, plane refers to the
connection from an administrator to the BIG-IP for system management. The Data Plane
refers to the traffic passed between external entities and internal servers
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
10 of 44
Algorithm Usage Keys/CSPs Certificate Number
Control Plane3 Data Plane4
AES-ECB
AES-CBC
AES-GCM5
Encryption
and
Decryption
128/192/256-bit
AES key
C701 N/A
AES-CBC
AES-GCM5
128/256-bit AES
key
N/A C699, C700
SP800-90A
CTR_DRBG
Random
Number
Generation
Entropy input
string, V and Key
values
C701 C699, C700
FIPS 186-4 RSA Key
Pair Generation
RSA Key
Generation
RSA public and
private keys with
2048/3072-bit
modulus size
C701 N/A
PKCS#1 v1.5 RSA
Signature
Generation with
SHA-256 and SHA-
384 and Signature
Verification with
SHA-1, SHA-256 and
SHA-384
RSA Signature
Generation
and
Verification
RSA private key
with 2048/3072-bit
modulus
C701 C699, C700
FIPS 186-4 ECC Key
Pair Generation
(Appendix B.4.2)
ECDSA Key
Pair
Generation
ECDSA
public/private keys
for P-256 and P-
384 curves
C701 C699, C700
FIPS 186-4 ECDSA
Signature
Generation and
Signature
Verification
ECDSA
Signature
Generation
and
Verification
ECDSA private key
(P-256 P- 384
curves)
C701 C699, C700
SHA-1
SHA-256
SHA-384
Message
Digest
N/A C701 C699, C700
3 For control plane, the platforms BIG-IP i4000, BIG-IP i5000, BIG-IP i5820-DF, BIG-IP i7000, BIG-IP
i7820-DF, BIG-IP i10800, BIG-IP i11800-DS, BIG-IP i15800, BIG-IP 5250v-F, BIG-IP 7200v-F, BIG-IP
10200v-F, BIG-IP 10350v-F, VIPRION B2250, VIPRION B4450 with processors D, E3 and E5 share
the same CAVP certificate
4 For data plane, the platforms BIG-IP i11800-DS, BIG-IP 5250v-F, BIG-IP 7200v-F, BIG-IP 10200v-F,
BIG-IP 10350v-F and VIPRION B2250 with E3 and E5 processors share the same CAVP certificate.
The platforms BIG-IP i4000, BIG-IP i10800, BIG-IP i5000, BIG-IP i5820-DF, BIG-IP i7000, BIG-IP
i7820-DF, BIG-IP i15800 and VIPRION B4450, with D and E5 processors share the same CAVP
certificate.
5 Not all algorithms/modes tested are used within the module.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
11 of 44
HMAC-SHA-1
HMAC-SHA-256
HMAC-SHA-384
Message
Authentication
HMAC key
(>=112-bit)
C701 C699, C700
TLS6 1.0/1.1/1.2 with
SHA-256 and SHA-
384
C701 C699, C700
Table 3 – Approved Cryptographic Algorithms
The following table lists the non-Approved algorithms that are allowed in FIPS approved
mode along with their usage:
Algorithm Usage Keys/CSPs
Certificate Number
Control Plane Data Plane
PKCS#1 v1.5 RSA Key
Wrapping
Asymmetric
Encryption and
Decryption
RSA key pair Non-Approved
but Allowed
Non-Approved
but Allowed
NDRNG Seeding DRBG seed Non-Approved
but Allowed
Non-Approved
but Allowed
Table 4 – Non-Approved but Allowed in FIPS mode Cryptographic Algorithms
The following table lists the non-FIPS Approved algorithms along with their usage:
Algorithm Usage Notes
AES Symmetric Encryption
and Decryption
using OFB, CFB, CTR, XTS7 and KW modes
DES
RC4
Triple-DES
SM2/ SM4
n/a
RSA Asymmetric Encryption
and Decryption
using modulus sizes less than 2048-bits or
greater than 3072 bits
RSA Asymmetric Key
Generation
FIPS 186-4 less than 2048-bit modulus size
or greater than 3072 bits
DSA using any key size
ECDH using key pair for all P-curves, in Control
Plane implementation.
ECDSA using public/private key pair for curves
other than P-256 and P-384.
6 No parts of the TLS protocol except the KDF has been reviewed or tested by the CAVP and CMVP
7 The AES-XTS mode shall only be used for the cryptographic protection of data on storage
devices. The AES-XTS shall not be used for other purposes, such as the encryption of data in
transit.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
12 of 44
RSA Digital Signature
Generation and
Verification
PKCS#1 v1.5 using key sizes other than
2048 and 3072 bits
PKCS#1 v1.5 using SHA-1, SHA-224 and
SHA-512 and 2048/3072-bit key sizes
Used in the SSH protocol
Used in the TLS protocol with DH/ECDH key
exchange
using X9.31 standard
using Probabilistic Signature Scheme (PSS)
DSA using any key size and SHA variant
ECDSA FIPS 186-4 using curves other than P-256
and P-384
FIPS 186-4 using curves P-256 and P-384
with SHA-1, SHA-224 and SHA-512
SHA-224/ SHA-512
MD5
SM3
Message Digest N/A
HMAC-SHA-224
HMAC-SHA-512
AES-CMAC
Triple-DES-CMAC
Message Authentication N/A
Diffie-Hellman Key Agreement Scheme N/A
ECDH ECDH shared secret computation using all
P-curves
TLS KDF Key Derivation function Using SHA-1/SHA-224/SHA-512
SSH KDF using any SHA variant
SNMP KDF using any SHA variant
IKEv1 and IKEv2 KDF
Table 5 – Non-Approved and Non-Compliant Cryptographic Algorithms/Modes
1.4 Cryptographic Module Boundary
The cryptographic boundary of the module is defined by the exterior surface of the
appliance (red dotted line). The block diagram below shows the module, the flow of status
output (SO), control input (CI), data input (DI) and data output (DO), the module
interfaces with the operational environment and the delimitation of its logical boundary.
The Description of the ports and interfaces can be found in Table – Ports and Interfaces
below.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
13 of 44
Figure 1 – Hardware Block Diagram
Power
Interface
(PSU)
SSL
Accelerator
Memory
Interface
(RAM)
Central
Processing
Unit (CPU)
Storage
Interface
(SSD)
Display
Interface
(LCD, LED, USB)
Network
Interface
(Ethernet, Fiber)
- DO
- SO
- DI
- DO
- SO
- CI
- PI
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
14 of 44
2 Cryptographic Module Ports and Interfaces
For the purpose of the FIPS 140-2 validation, the physical ports are interpreted to be the
physical ports of the hardware platform on which it runs.
The logical interfaces are the commands through which users of the module request
services. The following table summarizes the four physical interfaces with details of the
FIPS 140-2 logical interfaces they correspond to:
Logical Interface Physical Interface Description
Data Input • Network Interface Depending on module, the network interface
consists of SFP, SFP+, and/or QSFP+ ports
(Ethernet and/or Fiber Optic) which allow transfer
speeds from 1Gbps to up to 100Gbps.
Data Output • Network Interface
• Display Interface
Depending on module, the network interface
consists of SFP, SFP+, and/or QSFP+ ports
(Ethernet and/or Fiber Optic) which allow transfer
speeds from 1Gbps to up to 100Gbps. In addition,
Status logs may be output to USB found in the
interface.
Control Input • Display Interface
• Network Interface
The control input found in the display interface
includes the power button and reset button. The
control input found in the network interface
includes the API which control system state (e.g.
reset system, power-off system).
Status Output • Display Interface Depending on model, the display interface can
consist of a LCD display, LEDs, and/or output to
STDOUT which provides system status information.
Power Input • Power Interface Removable PSU (x2)
Table 6 – Ports and Interfaces
The pictures below show the various modules that were tested. Please use the images to
familiarize yourself with the devices.
Figure 2 – BIG-IP i4000
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
15 of 44
Figure 3 – BIG-IP i5000 / i5820-DF
Figure 4 – BIG-IP i7000 / i7820-DF
Figure 5 – BIG-IP i10800 / i11800-DS
Figure 6 – BIG-IP i15800
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
16 of 44
Figure 7 – BIG-IP 5250v-F
Figure 8 – BIG-IP 7200v-F
Figure 9 – BIG-IP 10200v-F
Figure 10 – BIG-IP 10350v-F
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
17 of 44
Figure 11 – VIPRION B2250
Figure 12 – VIPRION B4450
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
18 of 44
3 Roles, Services and Authentication
3.1 Roles
The module supports roles-based authentication and the following FIPS 140-2 roles
defined:
• User role: Performs cryptographic services (in both FIPS mode and non-FIPS
mode), key zeroization, module status requests, and on-demand self-tests. The
FIPS140-2 role of User is mapped to multiple BIG-IP roles which are responsible
for different components of the system (e.g. auditing, certificate management,
user management, etc.). The user can access the module through Web
Interface described below.
• Crypto Officer (CO) role: Crypto officer is represented by the administrator of
the BIG-IP. This entity performs module installation and initialization. This role
has full access to the system and has the ability to create, delete, and manage
other user roles on the system.
The module supports concurrent operators belonging to different roles: one CO and one
User role, which creates two different authenticated sessions, achieving the separation
between the concurrent operators.
• One interface can be used to access the module: Web Interface: The Web
interface consists of HTTPS over TLS interface which provides a graphical
interface for system management tools. The web interface can be accessed
from a TLS-enabled web browser.
• Note: The module does not maintain authenticated sessions upon power
cycling. Power-cycling the system requires the authentication credentials to be
re-entered. Authentication data is protected against unauthorized disclosure,
modification and substitution by the Operating System. Additionally, when
entering authentication data through the Web interface, any character entered
will be obfuscated (i.e. replace the character entered with a dot on the entry
box).
FIPS 140-2
Role
BIG-IP Role Purpose of Role
Crypto
Officer
Administrator Main administrator of the of the BIG-IP system. This role has
complete access to all objects on the system. Entities with this role
cannot have other roles on the system.
User Auditor Entity who can view all configuration data on the system, including
logs and archives.
Certificate
Manager
Entity who manages digital certificates and keys.
Firewall
Manager
Grants a user permission to manage all firewall rules and supporting
objects. Notably, the Firewall Manager role has no permission to
create, update, or delete non-network firewall configurations,
including Application Security or Protocol Security policies.
iRule
Manager
Grants a user permission to create, modify, view, and delete iRules.
Users with this role cannot affect the way that an iRule is deployed.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
19 of 44
FIPS 140-2
Role
BIG-IP Role Purpose of Role
Operator Grants a user permission to enable or disable nodes and pool
members. When granted terminal access.
Resource
Manager
Grants a user access to all objects on the system except BIG-IP user
accounts. With respect to user accounts, a user with this role can
view a list of all user accounts on the system but cannot view or
change user account properties except for their own user account.
Users with this role cannot have other user roles on the system.
User
Manager
Entity who manages BIG-IP crypto officer accounts.
Table 7 – FIPS 140-2 Roles
3.2 Authentication
FIPS
140-2
Role
Authentication
type and data
Strength of Authentication (Single-
Attempt)
Strength of
Authentication
(Multiple-Attempt)
Crypto
Officer
Password based
(Web Interface)
The password must consist of minimum of 6
characters with at least one from each of the
three-character classes. Character classes are
defined as: digits (0-9), ASCII lowercase
letters (a-z), ASCII uppercase letters (A-Z)
Assuming a worst-case scenario where the
password contains four digits, one ASCII
lowercase letter and one ASCII uppercase
letter. The probability to guess every
character successfully is (1/10) ^4 * (1/26)^1
* (1/26)^1 = 1/6,760,000 which is much
smaller than 1/1,000,000.
The maximum number
of login attempts is
limited to 6 after which
the account is locked.
This means that at
worst case an attacker
has the probability of
guessing the password
in one minute as
6/6,760,000 which is
less than the
requirement of
1/100,000.
User Password based
(Web Interface)
The password must consist of minimum of 6
characters with at least one from each of the
three-character classes. Character classes are
defined as: digits (0-9), ASCII lowercase
letters (a-z), ASCII uppercase letters (A-Z)
Assuming a worst-case scenario where the
password contains four digits, one ASCII
lowercase letter and one ASCII uppercase
letter. The probability to guess every
character successfully is (1/10) ^4 * (1/26)^1
* (1/26)^1 = 1/6,760,000 which is much
smaller than 1/1,000,000.
The maximum number
of login attempts is
limited to 6 after which
the account is locked.
This means that at
worst case an attacker
has the probability of
guessing the password
in one minute as
6/6,760,000 which is
less than the
requirement of
1/100,000.
Table 8 – Authentication of Roles
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
20 of 44
3.3 Services
The module provides services to users that assume one of the available roles. All services
are described in detail in the user documentation.
Table 9 lists the module’s services that can be performed without authentication.
Service Access Type
(R, W, Z)
Usage/Notes
Show Status R Displays system status information over LCD screen (e.g.
network info, system operational status, etc.).
Self-Tests R When the BIG-IP system has been started, the Self-Tests are
performed. This includes the integrity check and Known
Answer Tests. On-Demand self-tests are initiated by manually
power cycling the system.
Table 9 – Non-Authenticated Services
Table 10 lists the Management Services which are only available after authentication has
succeeded. Use of any of the following services using non-approved algorithms will place
the module in non-approved mode.
Service Description Access Type
(Read (R)
/Write (W)/
Zeroize (Z)
Keys and CSP Authorization
Crypto
Officer
User
User Management Services
List Users Display list of users R None ü User
Manager
Resource
Manager
Create User Create additional
users
W None ü User
Manager
View Users View users R None ü User
Manager
Delete User Delete users from
module
W None ü User
Manager
Unlock User Remove Lock from
user who has
exceeded login
attempts
W, R None ü User
Manager
Update own
password
Update own password W User Password All Roles
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
21 of 44
Service Description Access Type
(Read (R)
/Write (W)/
Zeroize (Z)
Keys and CSP Authorization
Crypto
Officer
User
Update others
password
Update password for
user that is not self
W User Password ü User
Manager
Configure
Password
Policy
Set password policy
features
W None ü None
Certificate Management Services
Create SSL
Certificate
Generate a self-signed
certificate
W TLS RSA/ECDSA
Key Pair, DRBG V
and Key values
ü Certificate
Manager
Create SSL
Key
Generate SSL
Certificate key file
W TLS RSA/ECDSA
Key Pair, DRBG V
and Key values
ü Certificate
Manager
Check-Cert Examines certificate
and display or logs
expiration date of
installed certificates
R, W None ü Certificate
Manager
List
Certificates
Display certificates
installed
R None ü Certificate
Manager
Import SSL
Certificate
Import SSL certificate
into module
R None ü Certificate
Manager
Delete SSL
Certificate
Delete a certificate
from the module.
Z None ü Certificate
Manager
Export
Certificate File
Export SSL certificate
into module
W None ü Certificate
Manager
ssh-keyswap
utility service
Use ssh-keyswap
utility to create or
delete ssh keys
R, W SSH RSA/ECDSA
Key Pair
ü Certificate
Manager
Firewall Management Services
Configure
firewall
settings
Configure firewall
policy rules, and
address-lists for use
by firewall rules.
R, W None ü Firewall
Manager
Show firewall
state
Display the current
system-wide state of
firewall rules
R None ü Firewall
Manager
Show
statistics
Displays statistics of
firewall rules on the
BIG-IP system
R None ü Firewall
Manager
Audit Management Services
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
22 of 44
Service Description Access Type
(Read (R)
/Write (W)/
Zeroize (Z)
Keys and CSP Authorization
Crypto
Officer
User
View System
Audit Logs
Display various
service logs
R None ü Auditor
Export
Analytics Logs
Export system
analytics logs
W None ü Auditor
Enable/Disable
audition
Enables/Disables
system auditing
R None ü Auditor
System Management Services
Configure
Boot Options
Enable Quit boot,
manage boot
locations
R, W None ü Resource
Manager
Configure SSH
access options
Enable/Disable SSH
access, Configure IP
address whitelist
R, W None ü Resource
Manager
Update private key R, W SSH RSA/ ECDSA
Key Pair
ü User
Manager
Resource
Manager
Configure
Firewall Users
Manage firewall rules R, W None ü Firewall
Manager
Configure
nodes and
pool members
Enable/Disable nodes
and pool members
R, W None ü Operator
Configure
iRules
create, modify, view,
and delete iRules
R, W None ü iRule
Manager
Reboot
System
Restart cryptographic
module
W, Z None ü Resource
Manager
Secure Erase Full system
zeroization
W, Z All CSPs ü None
Table 10 – Management Services
Table 11 lists the crypto services available in FIPS mode of operation, the roles that can
request the service, the algorithms involved, the CSPs involved and how they are
accessed.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
23 of 44
Service Algorithms / Key Sizes Role Keys/CSPs Interface
TLS Services Data
Plane
Control
Plane
Establish TLS
session
Signature Generation and
Verification:
RSA or ECDSA with SHA-
256/SHA-384
User
CO
RSA, ECDSA key
pairs
Yes Yes
Key Exchange: RSA Key
wrapping (allowed)
RSA, TLS pre-master
secret and master
secret
Yes Yes
Maintaining TLS
session
Data Encryption: AES CBC,
GCM
Data Authentication: HMAC
SHA-1/SHA-256/SHA-384
User
CO
AES and HMAC Keys Yes Yes
Closing TLS
session
N/A User
CO
Session keys, secret Yes Yes
Table 11 – Crypto Services in FIPS mode of operation
Table 12 lists all of the non-approved services available in the non-FIPS-Approved mode
of operation.
Service Role Usage/Notes
TLS Services
Establishing TLS session User
CO
Signature generation and verification using
DSA or RSA/ECDSA with SHA-1/SHA-224/SHA-512
RSA with keys less than 2048
Key Exchange using:
Diffie-Hellman
ECDH shared secret computation with SP800-135 KDF
RSA Key wrapping with keys less than 2048
Maintain TLS session Data encryption using Triple-DES, AES-CTR, AES-GCM
Data authentication using HMAC SHA-224/SHA-512
SSH Services
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
24 of 44
Service Role Usage/Notes
Establish SSH session User
CO
Signature generation and verification using:
DSA, Ed25519
ECDSA with SHA-1/SHA-224/ SHA-256/ SHA-384 /SHA-
512 and all P-curves
RSA with key size less than 2048-bit and 2048/ 3072-
bits key sizes (SHA-1 and SHA-2)
Key exchange using
ECDH shared secret computation
Diffie-Hellman,
Ed25519
Key derivation
SP800-135 SSH KDF
Maintain SSH session Data encryption using
Triple-DES, AES-CBC
Data authentication using HMAC SHA-1/SHA-224/ SHA-
256/ SHA-384/ SHA-512
Other Services
IPsec User
CO
The configuration and usage of IPsec is not approved
iControl REST access Access to the system through REST using non-approved
crypto from BouncyCastle
Configuration using SNMP Management of the module via SNMP is not approved.
Table 12 – Services in non-FIPS mode of operation
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
25 of 44
4 Physical Security
All of the modules listed in Table 1: Tested Modules are enclosed in a hard-metallic
production grade case that provides obscurity from visual inspection of internal
components. Each module is fitted with tamper evident labels to provide physical
evidence of attempts to gain access inside the case. The tamper evident labels shall be
installed for the module to operate in approved mode of operation. The Crypto Officer is
responsible for inspecting the quality of the tamper labels on a regular basis to confirm
the modules have not been tampered with. In the event that the tamper evident labels
require replacement, a kit providing 25 tamper labels is available for purchase (P/N: F5-
ADD-BIG-FIPS140). The Crypto Officer shall be responsible for the storage of the label
kits.
Physical Security
Mechanism
Recommended
Inspection Frequency
Guidance
Tamper Evident Labels Once per month Check the quality of the tamper
evident labels for any sign of
removal, replacement, tearing, etc.
If any label is found to be damaged
or missing, contact the system
administrator immediately.
Table 13 – Inspection of Tamper Evident Labels
4.1 Tamper Label Placement
The details below show the location of all tamper evident labels for each hardware
appliances. Label application instructions are provided in the F5 Platforms: FIPS Kit
Installation guide delivered with each hardware appliances.
Hardware Appliance # of Tamper Labels Hardware Appliance # of Tamper Labels
BIG-IP i4000 3 BIG-IP i15800 5
BIG-IP i5000 3 BIG-IP 5250v-F 4
BIG-IP i5820-DF 4 BIG-IP 7200v-F 5
BIG-IP i7000 6 BIG-IP 10200v-F 4
BIG-IP i7820-DF 4 BIG-IP 10350v-F 4
BIG-IP i10800 6 VIPRION B2250 6
BIG-IP i11800-DS 6 VIPRION B4450 5
Table 14 – Number of Tamper Evident Labels per hardware appliance
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
26 of 44
Figure 13 – BIG-IP i4000 (3 of 3 tamper
labels) Figure 14 – BIG-IP i5000 (3 of 3 tamper labels)
Figure 15 – BIG-IP i5820-DF (4 tamper labels shown)
Figure 16 – BIG-IP i7000 (6 of 6 tamper labels shown)
Label
1 Label
2
Label
3
Label
1
Label
2
Label
3
Label
4
Label
5
Label
6
Label
1 Label
2
Label
3
Fron
t
Fron
t
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
27 of 44
Figure 17 – BIG-IP i7820-DF (4 tamper labels shown)
Figure 18 – BIG-IP i10800 / i11800-DS (6
tamper labels shown)
Figure 19 – BIG-IP i10800 / i11800-DS (tamper
label 5 & 6)
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
28 of 44
Figure 20 – BIG-IP i15800 (Front tamper labels
1-3 labels shown)
Figure 21 – BIG-IP i15800 (Back tamper labels 4
and 5 labels shown)
Figure 22 – BIG-IP 5250v-F (4 tamper labels shown)
Figure 23 – BIG-IP 7200v-F (5 tamper labels shown)
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
29 of 44
Figure 24 – BIG-IP 10200v-F (Front tamper
labels 1-3 shown)
Figure 25 – BIG-IP 10200v-F (Back tamper label
4 shown)
Figure 26 – VIPRION B2250 in chassis (1 of 6 tamper labels shown)
Figure 27 – VIPRION B2250 top view (5 of 6 tamper labels shown)
Figure 28 – VIPRION B4450 in chassis
Figure 29 – VIPRION B4450 front (1 of 5 tamper
labels shown)
Label
1
Label
2
Label
6
Label
4
Label
5
Label
3 Fron
t
Label
1
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
30 of 44
Figure 30 – VIPRION B4450 top-view (4 of 5 tamper labels shown)
Label
2
Label
3
Label
4
Label
5
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
31 of 44
5 Operational Environment
The module operates in a non-modifiable operational environment per FIPS 140-2 level 2
specifications and as such the operational environment requirements do not apply.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
32 of 44
6 Cryptographic Key Management
The following table summarizes the CSPs that are used by the cryptographic services
implemented in the module. Table 11 lists the services and the corresponding CSPs used
in each service. Table 10 provides a list of services for the management of the module
where, CSPs involved in User Management Services include user password.
Name Generation Storage Zeroization
DRBG entropy input
string
Obtained from NDRNG. RAM Zeroized by device reboot
DRBG V and Key values Derived from entropy string as
defined by [SP800-90A]
RAM
TLS RSA private key Generated using FIPS 186-4
Key generation method and
the random value used in the
key generation is generated
using SP800-90A DRBG.
Disk Zeroized when key file is
deleted or by secure erase
option at boot.
TLS RSA public key
TLS ECDSA private key
TLS ECDSA public key
TLS Pre-Master Secret
and Master Secret
Established during the TLS
handshake
RAM Zeroized by closing TLS
session or by or rebooting the
device.
Derived TLS session key
(AES, HMAC)
Derived from the master
secret via SP800-135 TLS KDF
User Password Entered by the user Disk Zeroized by secure erase
option at boot or overwritten
when password is changed
Table 15 – Life cycle of CSPs
The following sections describe how CSPs, in particular cryptographic keys, are managed
during its life cycle.
6.1 Key Generation
For generation of RSA and ECDSA keys, the module implements asymmetric key
generation services compliant with [FIPS186-4] and using DRBG compliant with [SP800-
90A]. A seed (i.e. the random value) used in asymmetric key generation is obtained from
[SP800-90A] DRBG.
The module does not implement symmetric key generation as an explicit service. The
symmetric keys used by the module are derived from shared secret by applying SP 800-
135 as part of the TLS protocol (section 6.2 SP 800-133r2).
In accordance with FIPS 140-2 IG D.12, the cryptographic module performs Cryptographic
Key Generation (CKG) for the seed used in the generation of asymmetric keys as per
SP800-133 (vendor affirmed).
6.2 Key Establishment
The module provides RSA Key wrapping scheme which is used as part of TLS protocol
with the key derivation implemented by SP 800-135 TLS KDF. The module also includes a
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
33 of 44
SP 800-38F key wrapping in the context of TLS protocol where a key may be within a
packet or message that is encrypted and authenticated using approved authenticated
encryption mode i.e. AES GCM or a combination method which includes approved
symmetric encryption algorithm i.e. AES together with approved authentication method
i.e. HMAC-SHA. These schemes provide the following security strength in FIPS mode:
• RSA key wrapping provides between 112 or 128-bits of encryption strength
• SP 800-38F key wrapping using approved authenticated encryption mode i.e.
AES GCM provides between 128 and 256 bits of encryption strength
• SP 800-38F key wrapping using a combination of approved AES encryption and
HMAC authentication method provides between 128 and 256 bits of encryption
strength
• SP 800-38F key wrapping using approved authenticated encryption mode i.e.
AES GCM provides 128 or 256 bits of encryption strength
• SP 800-38F key wrapping using a combination of approved AES encryption and
HMAC authentication method provides 128 or 256 bits of encryption strength
6.3 Key Entry / Output
The module does not support manual key entry or intermediate key generation key
output. During the TLS handshake, the keys that are entered or output to the module
over the network, includes RSA/ECDSA public keys and the TLS pre-master secret.
encrypted with RSA key only when using the RSA key exchange with TLS.
For TLS with RSA key exchange, when module acts as a TLS client, the TLS pre-master
secret is generated using DRBG and is output from the module wrapped with server’s
public RSA key. When module acts as a TLS server, the TLS pre-master secret encrypted
with module's RSA key is input into the module.
Once the TLS session is established, any key or data transfer performed thereafter is
protected by AES encryption.
6.4 Key / CSP Storage
As shown in the above table most of the keys are stored in the non-volatile memory in
plaintext form and are destroyed when released by the appropriate zeroization calls or
the system is rebooted. The keys stored in plaintext in non-volatile memory are static and
will remain on the system across power cycle and are only accessible to the
authenticated administrator.
6.5 Key / CSP Zeroization
The zeroization methods listed in the above Table, overwrites the memory occupied by
keys with “zeros”. Additionally, the user can enforce it by performing procedural
zeroization. For keys present in volatile memory, calling reboot command will clear the
RAM memory. For keys present in non-volatile memory, using secure erase option (can
only be triggered by the administrator during reboot of the device) will perform single
pass zero write erasing the disk contents.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
34 of 44
6.6 Random Number Generation
The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-
90A] for the generation of random value used in asymmetric keys, and for providing an
RNG service to calling applications. The Approved DRBG provided by the module is the
CTR_DRBG with AES-256. The DRBG is initialized during module initialization. The module
performs the health tests for the SP800-90A DRBG as defined per section 11.3 of SP800-
90A.
The module uses a Non-Deterministic Random Number Generator (NDRNG) to seed the
DRBG. A Continuous Random Number Generation Test (CRNGT) is performed on the
output of the NDRNG prior to seeding the DRBG and also on the DRBG output. The
NDRNG provides at least 256- bits of entropy to the DRBG during initialization (seed) and
reseeding (reseed). The NDRNG is within its physical boundary.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
35 of 44
7 Self-Tests
7.1 Power-Up Tests
The module performs power-up tests automatically during initialization when the device
is booted without requiring any operator intervention; power-up tests ensure that the
module’s firmware is not corrupted and that the cryptographic algorithms work as
expected.
During the execution of power-up tests, services are not available and input and output
are inhibited. Upon successful completion of the power-up tests, the module is initialized
and enters operational mode where it is accessible for use. If the module fails any of the
power-up tests, it enters into the ‘Halt Error’ state and halts the system. In this state, the
module will prohibit any data outputs and cryptographic operations and will not be
available for use. The module will be marked unusable and the administrator will need to
reinstall the module to continue.
7.1.1 Integrity Tests
The integrity of the module is verified by comparing the MD5 checksum value of the
installed binaries calculated at run time with the stored value computed at build time. If
the values do not match the system enters halt error state and the device will not be
accessible. In order to recover from this state, the module needs to be reinstalled.
7.1.2 Cryptographic algorithm tests
The module performs self-tests on all FIPS-Approved cryptographic algorithms supported
in the approved mode of operation and is done on the Data Plane as well as Control Plane
side, using the Known Answer Test (KAT) and Pair-wise Consistency Test (PCT) as listed in
the following table:
Algorithm8 Test
• Control Plane Self-tests
CTR_DRBG KAT using AES 256-bit with and without derivation function
AES KAT of AES encryption with GCM mode and 128-bit key
KAT of AES encryption/decryption9 with ECB mode and 128-bit key
RSA KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and
SHA-256
KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and
SHA-256
ECDSA PCT of ECDSA signature generation and verification with P-256 curve
8 The module also includes KATs for ECDH shared secret computation but it is a non-approved
algorithm hence it is not listed in this table.
9 Encryption and Decryption known answer tests are performed separately
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
36 of 44
Algorithm8 Test
HMAC-SHA-1,
HMAC-SHA-256,
HMAC-SHA-384
KAT of HMAC-SHA-1
KAT of HMAC-SHA-256
KAT of HMAC-SHA-384
SHA-1, SHA-256, SHA-384 Covered by respective HMAC KATs
• Data Plane Self-Tests
AES KAT of AES encryption with GCM mode and 128-bit key
KAT of AES decryption with CBC mode and 128-bit key
RSA KAT of RSA PKCS#1 v1.5 signature generation with 2048 bit key and
SHA-256
KAT of RSA PKCS#1 v1.5 signature verification with 2048 bit key and
SHA-256
ECDSA PCT of ECDSA signature generation and verification with P-256 curve
CTR_DRBG Covered by Control Plane Self-Tests. (Data Plane makes use of the
same DRBG implementation provided by Control Plane)
HMAC-SHA-1,
HMAC-SHA-256,
HMAC-SHA-384
KAT of HMAC-SHA-1
KAT of HMAC-SHA-256
KAT of HMAC-SHA-384
SHA-1, SHA-256, SHA-384 Covered by respective HMAC KATs
Table 16 – Self-Tests
7.2 On-Demand self-tests
The module does not explicitly provide the Self-Test service to perform on demand self-
tests. On demand self-tests can be invoked by powering-off and powering-on the system
in order to initiate the same cryptographic algorithm tests executed during power-up.
During the execution of the on-demand self-tests, crypto services are not available and
no data output or input is possible.
7.3 Conditional Tests
The module performs conditional tests on the cryptographic algorithms shown in the
following table. If the module fails any of these tests, the device reboots and enters into
the Halt Error state prohibiting any data output or cryptographic operations and the
module will be inoperable. The module must be re-installed in order to clear the error
condition.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
37 of 44
Algorithm Test
DRBG CRNGT on the output of the DRBG
NDRNG CRNGT on the output of the NDRNG prior to seeding the CTR_DRBG
RSA key generation PCT using SHA-256
ECDSA key generation PCT using SHA-256
Table 17 – Conditional Tests
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
38 of 44
8 Guidance
8.1 Delivery and Operation
The module is distributed as a part of a BIG-IP product which includes the hardware and
an installed copy of 14.1.0.3 EHF. The hardware devices are shipped directly from the
hardware manufacturer/authorized subcontractor via trusted carrier and tracked by that
carrier. The hardware is shipped in a sealed box that includes a packing slip with a list of
components inside, and with labels outside printed with the product nomenclature, sales
order number, and product serial number. Upon receipt of the hardware, the customer is
required to perform the following verifications:
• Ensure that the shipping label exactly identifies the correct customer name and
address as well as the hardware model.
• Inspect the packaging for tampering or other issues.
• Ensure that the external labels match the expected delivery and the shipped
product.
• Ensure that the components in the box match those on the documentation
shipped with the product.
• The hardware model can be verified by the model number given on the
shipping label as well as on the hardware device itself.
For FIPS compliance, the following steps defined in section 8.2 should be completed by
the Crypto Officer prior to access to the device is allowed.
8.2 Crypto Officer Guidance
8.2.1 Installing Tamper Evident Labels
Before the device is installed in the production environment, tamper-evident labels must
be installed in the location identified for each module in section 4.1. The following steps
should be taken when installing or replacing the tamper evident labels on the module.
The instructions are also included in F5 Platforms: FIPS Kit Installation provided with each
module.
• Use the provided alcohol wipes to clean the chassis cover and components of
dirt, grease, or oil before you apply the tamper evidence seals.
• After applying the seal, run your finger over the seal multiple times using extra
high pressure.
• The seals completely cure within 24 hours.
It is the responsibility of the Crypto Officer to inspect the tamper evident labels for
damage or any missing labels as specified in Section 4.
8.2.2 Install Device
• Follow the instructions in the "BIG-IP System: Initial Configuration" guide for the
initial setup and configuration of the device.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
39 of 44
• Add the FIPS license when prompted during the GUI setup wizard. Guidance on
Licensing the BIG-IP system can be found in
https://support.f5.com/csp/article/K7752.
8.2.3 Password Strength Requirement
The Crypto officer must modify the BIG-IP password policy to meet or exceed the
requirements defined in Table 7 – Authentication of Roles. Instructions for this can be
found in the “BIG-IP System: User Account Administration” guide. After assuming the role
for the first time, the Crypto Officer shall replace the default password with one matching
the password policy.
8.2.4 Additional Guidance
The Crypto Officer should verify that the following specific configuration rules are
followed in order to operate the module in the FIPS validated configuration:
• All command shells other than tmsh are not allowed. For example, bash and
other user-serviceable shells are excluded. Additionally note that the use of
tmsh is considered non-approved because it makes used of SSH protocol that is
marked as non-approved service in Table 12. Only access via GUI interface that
makes use of TLS channel is considered approved.
• Management of the module via the appliance's LCD display is not allowed.
• Usage of f5-rest-node and iAppLX and provisioning of iRulesLX is not allowed.
• Only the provisioning of AFM and LTM is included.
• Remote access to the Lights Out / Always On Management capabilities of the
system are not allowed.
• Serial port console should be disabled after the initial power on and
communications setup of the hardware.
• On the i11800-DS device, the Cavium Nitrox-V must be disabled using lspci |
grep -i encryption | awk ‘{print “device exclude “ $1;}’ >
tmm_init.tcl command since full support is not available.
8.2.5 Version Configuration
Once the device is installed, licensed and configured, the Crypto Officer should confirm
that the system is installed and licensed correctly.
8.2.5.1 Version Confirmation
The Crypto Officer should through the Big-IP Configuration Utility (Web interface) HTTPS
access, navigate within the GUI to Main -> System -> Configuration -> Device -> General
and verify the version shown with the approved version from Table 1 - Tested Modules.
Any firmware loaded into the module other than version 14.1.0.3 EHF is out of the scope
of this validation and will mean that the module is not operating as a FIPS validated
module.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
40 of 44
8.2.5.2 License Confirmation
The FIPS validated module activation requires installation of the license referred as ‘FIPS
license’. The Crypto Officer should through the Big-IP Configuration Utility (Web interface)
HTTPS access, navigate within the GUI to Main -> System -> License and verify that the
list of license flags includes the "FIPS 140-2 Compliant Mode”.
8.3 User Guidance
The module supports two modes of operation. Table 11 – Crypto Services in FIPS mode of
operation list the FIPS approved services and Table 12 – Services in non-FIPS mode of
operation lists the non-FIPS approved services. Using the services in Table 5 – Non-
Approved and Non-Compliant Cryptographic Algorithms/Modes means that the module
operates in non-FIPS Approved mode for the particular session of a particular service,
where the non-FIPS approved algorithm or mode was selected.
AES-GCM IV is constructed in accordance with SP800-38D in compliance with IG A.5
scenario 1. The implementation of the nonce_explicit management logic inside the
module ensures that when the IV exhausts the maximum number of possible values for a
given session key, the module triggers a new handshake request to establish a new key.
In case the module’s power is lost and then restored, the key used for the AES GCM
encryption or decryption shall be re-distributed. The AES GCM IV generation is follows
[RFC5288] and shall only be used for the TLS protocol version 1.2 to be compliant with
[FIPS140-2_IG] IG A.5; thus, the module is compliant with [SP800-52].
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
41 of 44
9 Mitigation of Other Attacks
The module does not implement security mechanisms to mitigate other attacks.
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
42 of 44
Appendix A. Glossary and Abbreviations
AES Advanced Encryption Standard
CBC Cipher Block Chaining
CFB Cipher Feedback
CSP Critical Security Parameter
CTR Counter Mode
CVL Component Validation List
DES Data Encryption Standard
DSA Digital Signature Algorithm
DRBG Deterministic Random Bit Generator
ECB Electronic Code Book
ECC Elliptic Curve Cryptography
FIPS Federal Information Processing Standards Publication
GCM Galois Counter Mode
HMAC Hash Message Authentication Code
KAS Key Agreement Scheme
KAT Known Answer Test
MAC Message Authentication Code
NIST National Institute of Science and Technology
NDRNG Non-Deterministic Random Number Generator
OFB Output Feedback
RNG Random Number Generator
RSA Rivest, Shamir, Adleman
SHA Secure Hash Algorithm
XTS XEX-based Tweaked-codebook mode with cipher text stealing
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
43 of 44
Appendix B. References
FIPS140-2 FIPS PUB 140-2 - Security Requirements For Cryptographic Modules
May 2001
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
FIPS140-2_IG Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module
Validation Program
May 2019
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
FIPS180-4 Secure Hash Standard (SHS)
March 2012
http://csrc.nist.gov/publications/fips/fips180-4/fips 180-4.pdf
FIPS186-4 Digital Signature Standard (DSS)
July 2013
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
FIPS197 Advanced Encryption Standard
November 2001
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
FIPS198-1 The Keyed Hash Message Authentication Code (HMAC)
July 2008
http://csrc.nist.gov/publications/fips/fips198 1/FIPS-198 1_final.pdf
PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography
Specifications Version 2.1
February 2003
http://www.ietf.org/rfc/rfc3447.txt
SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of
Operation Methods and Techniques
December 2001
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC
November 2007
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
SP800-56A NIST Special Publication 800-56A - Recommendation for Pair-Wise Key
Establishment Schemes Using Discrete Logarithm Cryptography (Revised)
March 2007
http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-
2007.pdf
SP800-90A NIST Special Publication 800-90A - Recommendation for Random Number
Generation Using Deterministic Random Bit Generators
January 2012
http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
F5® Device Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
© 2022 F5. Inc. / atsec information security.
This document can be reproduced and distributed only whole and intact, including this copyright notice.
44 of 44
SP800-131A NIST Special Publication 800-131A - Transitions: Recommendation for
Transitioning the Use of Cryptographic Algorithms and Key Lengths
November 2015
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf