Copyright Skyhigh Security 2023 Document Version: 20230124 Page 1 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
Skyhigh Security OpenSSL Module
FIPS 140-2 Non-Proprietary Security Policy
Software Version: 1.1.1v
Date: January 24th, 2023
Skyhigh Security LLC
6000 Headquarters Drive
Plano, TX 75024
888.847.8766
https://www.skyhighsecurity.com/
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 2 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
Table of Contents
1. Introduction.......................................................................................................................................... 4
2. Cryptographic Module Specification .................................................................................................... 6
2.1 Cryptographic Boundary....................................................................................................................... 6
2.2 Ports and Interfaces.............................................................................................................................. 6
2.3 Mode of Operation............................................................................................................................... 6
3. Cryptographic Functionality ................................................................................................................. 7
3.1 Approved Cryptographic Algorithms.................................................................................................... 7
3.2 Non-Approved Algorithms Allowed in the Approved Mode of Operation......................................... 12
3.3 Non-Approved Algorithm Allowed in the Approved Mode of Operation with No Security Claimed 12
3.4 Non-Approved Algorithms.................................................................................................................. 12
3.5 Cryptographic Key Management........................................................................................................ 13
3.5.1 Key Generation........................................................................................................................... 13
3.5.2 Key Establishment ...................................................................................................................... 13
3.5.3 Key Zeroization........................................................................................................................... 14
3.6 Public Keys.......................................................................................................................................... 14
4. Roles, Authentication and Services .................................................................................................... 14
4.1 Roles and Authentication of Operators to Roles................................................................................ 14
4.2 Services............................................................................................................................................... 15
4.3 Authentication Methods .................................................................................................................... 16
5. Self-Tests............................................................................................................................................. 16
5.1 Power-Up Self Tests............................................................................................................................ 16
5.2 Conditional Self Tests ......................................................................................................................... 17
6. Physical Security ................................................................................................................................. 17
7. Operational Environment................................................................................................................... 17
8. Guidance and Secure Operation......................................................................................................... 17
8.1 Crypto Officer Guidance..................................................................................................................... 17
8.2 User Guidance .................................................................................................................................... 18
8.2.1 Use of AES-XTS............................................................................................................................ 18
8.2.2 AES-GCM IV................................................................................................................................. 18
8.2.3 Key derivation using SP800-132 PBKDF...................................................................................... 19
9. Mitigation of other Attacks ................................................................................................................ 19
10. References and Standards.................................................................................................................. 19
11. Acronyms and Definitions .................................................................................................................. 21
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 3 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
List of Tables
Table 1 - Cryptographic Module Components ...................................................................................................4
Table 2 - Tested Operational Environments.......................................................................................................4
Table 3 - Security Level Detail.............................................................................................................................5
Table 4 - Ports and Interfaces.............................................................................................................................6
Table 5 - Approved Algorithms and CAVP Certificates.....................................................................................12
Table 6 - Cryptographic Algorithms Allowed in FIPS Mode..............................................................................12
Table 7 - Cryptographic Algorithms Allowed in FIPS Mode of operation with no security claimed ................12
Table 8 - Non-FIPS-Approved Algorithms.........................................................................................................13
Table 9 - Private Keys and CSPs........................................................................................................................13
Table 10 - Public Keys .......................................................................................................................................14
Table 11 - Approved Services, Roles and Access Rights ...................................................................................15
Table 12 - Non-Approved Services and Roles...................................................................................................16
Table 13 - Power-On Self Tests.........................................................................................................................17
Table 14 - Conditional Self Tests ......................................................................................................................17
Table 15 – Module hmac values.......................................................................................................................18
Table 16 - References .......................................................................................................................................20
Table 17 - Acronyms.........................................................................................................................................22
List of Figures
Figure 1 - Logical and Physical Boundaries.........................................................................................................6
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 4 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
1. Introduction
This document is the non-proprietary security policy for the Skyhigh Security OpenSSL Module, hereafter
referred to as the cryptographic module, or Module.
The Module is a software library providing a C-language application program interface (API) for use by other
processes that require cryptographic functionality. The Module is classified by FIPS 140-2 as a software
module, multi-chip standalone module embodiment. The physical cryptographic boundary is the general
purpose computer on which the Module is installed. The logical cryptographic boundary of the Module are
the following sets of shared library files and their associated HMAC files for integrity checking.
OS Platform OE # Component Description
Linux 1,4,6 libcrypto.so.1.1.1 Shared library for cryptographic algorithms
libssl.so.1.1.1 Shared library for TLS/DTLS network protocols
libcrypto.so.1.1.1.hmac Integrity check HMAC value for libcrypto
libssl.so.1.1.1.hmac Integrity check HMAC value for libssl
Windows
32-bit
3 Libcrypto-1_1.dll Shared library for cryptographic algorithms
Libssl-1_1.dll Shared library for TLS/DTLS network protocols
Libcrypto-1_1.dll.hmac Integrity check HMAC value for libcrypto
Libssl-1_1.dll.hmac Integrity check HMAC value for libssl
Windows
64-bit
2 libcrypto-1_1-x64.dll Shared library for cryptographic algorithms
libssl-1_1-x64.dll Shared library for TLS/DTLS network protocols
libcrypto-1_1-x64.dll.hmac Integrity check HMAC value for libcrypto
libssl-1_1-x64.dll.hmac Integrity check HMAC value for libssl
Darwin 5 libcrypto.1.1.1.dylib Shared library for cryptographic algorithms
libssl. 1.1.1.dylib Shared library for TLS/DTLS network protocols
libcrypto.1.1.1.dylib.hmac Integrity check HMAC value for libcrypto
libssl.1.1.1.dylib.hmac Integrity check HMAC value for libssl
Table 1 - Cryptographic Module Components
The Module performs no communications other than with the calling application (the process that invokes
the Module services).
The Module is defined as multiple-chip standalone for the purposes of FIPS 140-2, and the Module executes
Software Version 1.1.1v and was tested on the following operational environments and platforms detailed
in the table below:
# Operational Environment Hardware Platform Processor PAA/Acceleration
1 McAfee Linux 3.8.0 on VMware
ESXi 6.7.0
Intel® Taylor Pass 2U Xeon®
DP Quad Board Server
Intel® Xeon®
E5-2699
with PAA and
without PAA
2 Windows Server 2019 H2 64-bit
on VMware ESXi 6.7.0
Intel® Taylor Pass 2U Xeon®
DP Quad Board Server
Intel® Xeon®
E5-2699
with PAA and
without PAA
3 Windows 10 Enterprise 20H2 32-
bit
HP EliteBook 860 G3 Intel® Core™
i5-6300U
with PAA and
without PAA
4 Ubuntu 20.04.03 LTS Dell PowerEdge R720xd Intel® Xeon®
E5-2620
with PAA and
without PAA
5 macOS 12.2.1 Apple MacBook Pro Intel® Core™
i7-7920HQ
with PAA and
without PAA
6 SUSE Linux 15 SP3 Enterprise on
VMware ESXi 6.7.0
Intel® Taylor Pass 2U Xeon®
DP Quad Board Server
Intel® Xeon®
E5-2699
with PAA and
without PAA
Table 2 - Tested Operational Environments
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 5 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
If applicable: The Module is also supported on the following operating environments for which operational
testing and algorithm testing was not performed:
• Ubuntu 18.04 LTS
• Red Hat Enterprise Linux 7 and 8
• CentOS Linux 7 and 8
• Windows 7, 8, and 11
• macOS Big Sur
As per FIPS 140-2 Implementation Guidance G.5, compliance is maintained by vendor or user affirmation
for other versions of the respective operational environments where the Module binary is unchanged.
The platforms used during testing met Federal Communications Commission (FCC) Electromagnetic
Interference (EMI) and Electromagnetic Compatibility (EMC) requirements for business use as defined by 47
Code of Federal Regulations, Part 15, Subpart B. FIPS 140-2 validation compliance is maintained when the
Module is operated on other versions of the operating system running in single user mode, assuming that
the requirements outlined in NIST IG G.5 are met.
The CMVP makes no statement as to the correct operation of the Module or the security strengths of the
generated keys when so ported if the specific operational environment is not listed on the validation
certificate.
The following table lists the level of validation for each area in FIPS 140-2:
FIPS 140-2 Section Title Level
1. Cryptographic Module Specification 1
2. Cryptographic Module Ports and Interfaces 1
3. Roles, Services, and Authentication 1
4. Finite State Model 1
5. Physical Security N/A
6. Operational Environment 1
7. Cryptographic Key Management 1
8. EMI/EMC 1
9. Self‐Tests 1
10. Design Assurance 1
11. Mitigation of Other Attacks N/A
Overall Level 1
Table 3 - Security Level Detail
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 6 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
2. Cryptographic Module Specification
2.1 Cryptographic Boundary
Figure 1 shows the logical relationship of the Module to the other software and hardware components of
the computer.
Figure 1 - Logical and Physical Boundaries
2.2 Ports and Interfaces
FIPS Interface Logical Interface Type
Data Input API input parameters
Data Output API output parameters
Control Input API function calls, API input parameters for control
Status Output API return values
Power Input N/A
Table 4 - Ports and Interfaces
As a software module, control of the physical ports is outside Module scope. However, when the Module is
performing self-tests, or is in an error state, all output on the logical data output interface is inhibited. The
Module is single-threaded and in error scenarios returns only an error value (no data output is returned).
2.3 Mode of Operation
The Module supports two modes of operation:
• FIPS mode (the Approved mode of operation): only approved or allowed security functions with
sufficient security strength can be used.
• Non-Approved mode (the non-Approved mode of operation): when non-approved security
functions are used.
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 7 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
The Module will be in FIPS-approved mode when all power up self-tests have completed successfully and
only Approved or Allowed algorithms are invoked. See Table 5 below for a list of the supported Approved
algorithms and Table 6 and 7 for allowed algorithms. The non-Approved mode is entered when a non-
Approved algorithm is invoked. See 8 for a list of non-Approved algorithms.
3. Cryptographic Functionality
The Module implements the FIPS Approved, Non-Approved but Allowed, and Non-Approved cryptographic
functions listed in the following tables.
3.1 Approved Cryptographic Algorithms
The approved and vendor affirmed security functions included in the Module and utilized by the Module’s
callable services or internal functions.
CAVP Cert Algorithm
[Standard]
Mode/Method Description / Key Size(s) / Keys
/ CSPs
A2366 AES
[FIPS 197]
[SP800-38B]
CBC, ECB, OFB, CFB1, CFB8,
CFB128
Encryption, Decryption
128/192/256 bits
A3012 AES
[FIPS 197]
[SP800-38B]
CTR
Encryption, Decryption
128/192/256 bits
A2366 AES
[FIPS 197]
[SP800-38B]
CMAC MAC length 128 bits
A2366 AES
[FIPS 197]
[SP800-38C]
CCM
Encryption, Decryption
128/192/256 bits
A2366 AES
[FIPS 197]
[SP800-38D]
GCM
Encryption, Decryption
128/192/256 bits
A2366 AES
[FIPS 197]
[SP800-38E]
XTS
Encryption, Decryption
128/256 bits
A2366 AES
[FIPS 197]
[SP800-38F]
KW, KWP
Encryption, Decryption
128/192/256 bits
A2366 DSA
[FIPS 186-4]
Domain Parameters
Generation and Verification,
Key Generation, Signature
Generation
DSA keys
L=2048, N=224
L=2048, N=256
L=3072, N=256
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 8 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
CAVP Cert Algorithm
[Standard]
Mode/Method Description / Key Size(s) / Keys
/ CSPs
A2366 DSA
[FIPS 186-4]
Signature Verification DSA keys
L=1024, N=160
L=2048, N=224
L=2048, N=256
L=3072, N=256
Note: 1024 bits DSA signature
verification is legacy use
A2366 RSA
[FIPS 186-4]
Appendix B.3.6
Key Generation RSA keys
2048, 3072, 4096 bits
A2366 RSA
[FIPS 186-4]
PKCS#1 v1.5 and
PSS with SHA2-
224, SHA2-256,
SHA2-384, SHA2-
512
Signature Generation RSA keys
2048, 3072, 4096 bits
A2366 RSA
[FIPS 186-4]
PKCS#1 v1.5 with
SHA-1, SHA2-224,
SHA2-256, SHA2-
384, SHA2-512
Signature Verification RSA keys
1024, 2048, 3072 bits
Note: 1024 bits RSA signature
verification is legacy use
A3012 RSA
[FIPS 186-4]
PKCS#1 v1.5 with
SHA-1, SHA2-224,
SHA2-256, SHA2-
384, SHA2-512
Signature Verification RSA key
4096 bits
A2366 RSA
[FIPS 186-4]
PKCSPSS with
SHA2-224, SHA2-
256, SHA2-384,
SHA2-512
Signature Generation RSA keys
2048, 3072, 4096 bits
A2366 RSA
[FIPS 186-4]
PKCSPSS with
SHA-1, SHA2-224,
SHA2-256, SHA2-
384, SHA2-512
Signature Verification RSA keys
1024, 2048, 3072 bits
Note: 1024 bits RSA signature
verification is legacy use
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 9 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
CAVP Cert Algorithm
[Standard]
Mode/Method Description / Key Size(s) / Keys
/ CSPs
A3012 RSA
[FIPS 186-4]
PKCSPSS with
SHA-1, SHA2-224,
SHA2-256, SHA2-
384, SHA2-512
Signature Verification RSA key
4096 bits
A2366 RSA
[FIPS 186-4]
ANSI X9.31 with
SHA2-256, SHA2-
384, SHA2-512
Signature Generation RSA keys
2048, 3072, 4096 bits
A2366 RSA
[FIPS 186-4]
ANSI X9.31 with
SHA-1, SHA2-256,
SHA2-384, SHA2-
512
Signature Verification RSA keys
1024, 2048, 3072 bits
Note: 1024 bits RSA signature
verification is legacy use
A3012 RSA
[FIPS 186-4]
ANSI X9.31 with
SHA-1, SHA2-256,
SHA2-384, SHA2-
512
Signature Verification RSA key
4096 bits
A2366 ECDSA
[FIPS 186-4]
Key Pair Generation and
Public Key Verification
ECDSA keys based on
B-233, B-283, B-409, B-571, K-
233,
K-283, K-409, K-571, P-224, P-
256,
P-384, P-521 curve
A2366 ECDSA with
SHA2-224, SHA2-
256, SHA2-384,
SHA2-512
[FIPS 186-4]
Signature Generation ECDSA keys based on
B-233, B-283, B-409, B-571, K-
233,
K-283, K-409, K-571, P-224, P-
256,
P-384, P-521 curve
A2366 ECDSA with SHA-
1, SHA2-224,
SHA2-256, SHA2-
384, SHA2-512
[FIPS 186-4]
Signature Verification ECDSA keys based on
B-233, B-283, B-409, B-571, K-
233,
K-283, K-409, K-571, P-224, P-
256,
P-384, P-521 curve
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 10 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
CAVP Cert Algorithm
[Standard]
Mode/Method Description / Key Size(s) / Keys
/ CSPs
A2366 DRBG
[SP800-90A]
CTR_DRBG (AES-128, AES-192,
AES-256)
Hash_DRBG, HMAC_DRBG
(SHA-1, SHA2-224, SHA2-256,
SHA2-384, SHA2-512)
CSPs: Entropy input string,
seed, C, V and Key
A2366 SHS
[FIPS 180-4]
SHA-1, SHA2-224, SHA2-256,
SHA2-384, SHA2-512
A2366 SHA3
[FIPS 202]
SHA3-224, SHA3-256, SHA3-
384, SHA3-512, SHAKE-128,
SHAKE-256
A2366 HMAC
[FIPS 198-1]
HMAC-SHA-1, HMAC-SHA-224,
HMAC-SHA-256, HMAC-SHA-
384, HMAC-SHA-512
112 bits or larger HMAC Key
A2366 HMAC
[FIPS 198-1]
HMAC-SHA3-224,
HMAC-SHA3-256,
HMAC-SHA3-384,
HMAC-SHA3-512)
112 bits or larger HMAC Key
A2366 CVL KDF TLS
[SP800-135rev1]
KDF TLS (TLS v1.0,
v1.1 and v1.2) with SHA2-256,
SHA2-384, SHA2-512
TLS Pre-Master Secret
and Master Secret
A2366 TLS 1.3 KDF
[RFC-8446]
TLS v1.3 KDF
(HMAC Algorithm: SHA2-256,
SHA2-384;
KDF Running Modes: DHE,
PSK, PSK-DHE)
TLS Pre-Master Secret
and Master Secret
A2366 KAS-FFC-SSC
[SP800-56Arev3]
Scheme: dhEphem
KAS Role: initiator, responder
MODP-2048, MODP-3072,
MODP-4096, MODP-6144,
MODP-8192
ffdhe2048, ffdhe3072,
ffdhe4096, ffdhe6144,
ffdhe8192
Public key size 2048 bits or
larger, and private key size 224
bits or 256 bits
Shared secret: MODP-2048,
MODP-3072, MODP-4096,
MODP-6144, MODP-8192;
ffdhe2048, ffdhe3072,
ffdhe4096, ffdhe6144,
ffdhe8192
KAS-FFC-SSC: Key
establishment methodology
provides between 112 and 200
bits of encryption strength
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 11 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
CAVP Cert Algorithm
[Standard]
Mode/Method Description / Key Size(s) / Keys
/ CSPs
A2366 KAS-ECC-SSC
[SP800-56Arev3]
Scheme: ephemeralUnified
KAS Role: initiator, responder
P-224, P-256, P-384, P-521
NIST curves P-224, P-256, P-
384, P-521
Shared secret: P-224, P-256, P-
384, P-521
KAS-ECC-SSC: Key
establishment methodology
provides between 112 and 256
bits of encryption strength
A2366 KAS (ECC/FFC)
KAS (KAS-SSC
Cert. #A2366,
CVL Cert.
#A2366);
[SP800-56Arev3]
[SP800-135rev1]
KAS (ECC):
Scheme: ephemeralUnified
KAS Role: initiator, responder
KAS (FFC):
Scheme: dhEphem
KAS Role: initiator, responder
Key Agreement Scheme
per SP800-56Arev3
with key derivation function
(SP800-135rev1)
Note: The module’s KAS
(ECC/FFC) implementation is
FIPS140-2 IG D.8 Scenario X1
(path 2) compliant
A2366 PBKDF
[SP800-132]
SHA-1, SHA-224, SHA-256,
SHA-512
PBKDF Password
PBKDF Derived Key
Please refer to section 8.2.3 for
more details
A2366 Safe Prime Key
Generation
[SP800-56Arev3]
Safe Prime Groups: ffdhe2048,
ffdhe3072, ffdhe4096,
ffdhe6144, ffdhe8192, MODP-
2048, MODP-3072, MODP-
4096, MODP-6144, MODP-
8192
FFC Key-Pair Domain
Parameters Generation
A2366 Safe Prime Key
Verification
[SP800-56Arev3]
Safe Prime Groups: ffdhe2048,
ffdhe3072, ffdhe4096,
ffdhe6144, ffdhe8192, MODP-
2048, MODP-3072, MODP-
4096, MODP-6144, MODP-
8192
FFC Key-Pair Domain
Parameters Verification
A2366 CVL SSH KDF
[SP800-135rev1]
KDF SSH (AES-128, AES-192,
AES-256; SHA-1, SHA2-224,
SHA2-256, SHA2-384, SHA2-
512)
SSH-KDF Derived Key
A2366 KTS
[SP800-38F]
AES KW, KWP
(128, 192, 256 bits)
AES CCM
(128, 192, 256 bits)
AES GCM
(128, 192, 256 bits)
AES Cert. #A2366; Key
establishment methodology
provides between 128 and 256
bits of encryption strength
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 12 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
CAVP Cert Algorithm
[Standard]
Mode/Method Description / Key Size(s) / Keys
/ CSPs
A2366 KTS
[SP800-38F]
AES and HMAC
(128, 192, 256 bits)
AES Cert. #A2366 and HMAC
Cert. #A2366; Key
establishment methodology
provides between 128 and 256
bits of encryption strength
Vendor
Affirmed
CKG
[SP800-133rev2]
Key Generation
SP800-133rev2, section 4
(Using the Output of a Random
Bit Generator),
SP800-133rev2, section 5 for
Asymmetric Key Generation
SP800-133rev2, section 6 for
Symmetric Key Generation
Table 5 - Approved Algorithms and CAVP Certificates
Notes:
1. No parts of TLS and SSH protocols, other than the KDF, have been tested by the CAVP and CMVP.
3.2 Non-Approved Algorithms Allowed in the Approved Mode of
Operation
The following cryptographic algorithm is not approved but is allowed to be used in a FIPS approved mode of
operation.
Algorithm Use / Function
RSA (encrypt, decrypt) with key size equal
or larger than 2048 bits up to 16384 bits
Key wrapping; key establishment methodology provides
between 112 and 256 bits of encryption strength
Table 6 - Cryptographic Algorithms Allowed in FIPS Mode
3.3 Non-Approved Algorithm Allowed in the Approved Mode of
Operation with No Security Claimed
The following cryptographic algorithm is not approved but is allowed to be used in a FIPS approved mode of
operation with no security claimed.
Algorithm Use / Function
MD5 Message Digest used only in TLS
Table 7 - Cryptographic Algorithms Allowed in FIPS Mode of operation with no security claimed
3.4 Non-Approved Algorithms
The Module supports the following non-FIPS-approved and not allowed algorithms. The use of the non-
conformant algorithms listed in Table will place the Module in a non-approved mode of operation.
Algorithm Use/Function
DSA with key sizes not listed in Table 5 sign, verify, and key generation
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 13 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
Algorithm Use/Function
Diffie-Hellman with key sizes not listed in Table 6 key agreement
AES-OCB authenticated encryption/decryption
DES encryption/decryption
KBKDF key derivation
Single-step KDF derived key key derivation
[RFC-3961] KDF key derivation
Table 8 - Non-FIPS-Approved Algorithms
3.5 Cryptographic Key Management
The table below provides a complete list of Private Keys and CSPs used by the Module:
Key/CSP Storage
AES Key Dynamic Memory
HMAC Key
CMAC Key Dynamic Memory
RSA Private Key Dynamic Memory
DSA Private Key
ECDSA Private Key
Diffie-Hellman Private Components Dynamic Memory
EC Diffie-Hellman Private Components
Shared secret Dynamic Memory
SP 800-90A DRBG seed and entropy input Dynamic Memory
SP 800-90A DRBG internal values (C, K, V values)
TLS Pre-Master Secret and Master Secret Dynamic Memory
PBKDF Password Dynamic Memory
PBKDF Derived Key Dynamic Memory
SSH-KDF Derived Key Dynamic Memory
Table 9 - Private Keys and CSPs
Notes:
1. Public and private keys are provided to the Module by the calling process and are destroyed when released
by the appropriate API function calls. The Module does not perform persistent storage of CSPs.
2. The key sizes under each algorithm, please refer to Table 5.
3.5.1 Key Generation
The Module implements SP 800-90A compliant DRBG services for creation of symmetric keys, and for
generation of DSA, elliptic curve, and RSA keys as shown in Table 5. The module directly uses the output of
the DRBG. The generated seed used in the asymmetric key generation is an unmodified output from DRBG.
The calling application is responsible for storage of generated keys returned by the module. For operation
in the Approved mode, Module users (the calling applications) shall use entropy sources that contain at
least 112 bits of entropy.
3.5.2 Key Establishment
The Module provides Diffie-Hellman and EC Diffie-Hellman key agreement. The Module also offers AES key
wrapping per [SP800-38F] (using GCM, CCM, AES-KW, AES-KWP and a combination of any approved block
chaining modes with HMAC for authentication), and RSA key wrapping (encapsulation) using public key
encryption and private key decryption primitives as allowed by [IG] D.9.
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 14 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
The module provides Diffie-Hellman shared secret computation (KAS-FFC-SSC) and EC Diffie-Hellman shared
secret computation (KAS-ECC-SSC) compliant with SP800-56Arev3, in accordance with scenario X1 (path 2)
of IG D.8. The module provides support for Diffie-Hellman and EC Diffie-Hellman key agreement schemes
compliant with SP800-56Arev3 by offering separate services for shared secret computation and the key
derivation using the SP800- 135 TLS/SSH KDF (for use within the TLS/SSH protocol), so that the user
application can implement the key agreement.
AES, RSA, KAS-FFC-SSC (Diffie-Hellman) and KAS-ECC-SSC (EC Diffie-Hellman) provide the following security
strengths:
• AES: key wrapping provides between 128 and 256 bits of encryption strength.
• RSA: key wrapping provides between 112 and 256 bits of encryption strength.
• Diffie-Hellman: key agreement provides between 112 and 200 bits of encryption strength.
• EC Diffie-Hellman: key agreement provides between 128 and 256 bits of encryption.
3.5.3 Key Zeroization
The application that uses the Module is responsible for appropriate destruction and zeroization of the key
material. The library provides functions for key allocation and destruction, which overwrites the memory
that is occupied by the key information with “zeros” before it is deallocated.
The memory occupied by keys is allocated by regular libc malloc/calloc() calls. The application is responsible
for calling the appropriate destruction functions from the OpenSSL API. The destruction functions then
overwrite the memory occupied by keys with pre-defined values and deallocates the memory with the
free() call. In case of abnormal termination, or swap in/out of a physical memory page of a process, the
keys in physical memory are overwritten before the physical memory is allocated to another process.
3.6 Public Keys
The table below provides a complete list of the Public Keys used by the Module:
Public Key Name Key Description and Usage
RSA SVK RSA (1024 to 16384 bits) signature verification public key
RSA KEK RSA (2048 to 16384 bits) key encryption (public key transport) key
DSA SVK [FIPS 186-4] DSA (2048/3072) signature verification key
ECDSA SVK ECDSA (All NIST defined B, K and P curves) signature verification key
DH Public Diffie-Hellman public key agreement key
EC DH Public EC DH (All NIST defined B, K and P curves) public key agreement key
Table 10 - Public Keys
4. Roles, Authentication and Services
4.1 Roles and Authentication of Operators to Roles
The Module has two roles: User and Crypto Officer which are implicitly assumed upon invoking services
offered by the Module. The application that is requesting services of the Module is the single user of the
Module.
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 15 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
4.2 Services
The Approved services supported by the Module and access rights within services accessible over the
Module’s public interface are listed in the table below.
Service Approved Security Functions / CSPs Roles Access rights to
Keys and/or CSPs
Symmetric
encryption/decryption
AES key User R, E
Asymmetric key
generation
RSA, DSA and ECDSA private key User R, G, W, E
Symmetric key
generation
AES Key, HMAC Key and CMAC Key User R, G, W, E
Digital signature
generation and
verification
RSA, DSA and ECDSA private key User R, G, E
TLS network protocol AES key, HMAC key User R, E
TLS key agreement AES key, RSA, DSA or ECDSA private
key, HMAC Key, Premaster Secret,
Master Secret, Diffie-Hellman
Private Components and EC Diffie-
Hellman Private Components
User R, G, W, E
SSH network protocol AES key, HMAC key User R, E
SSH key agreement AES key, RSA, DSA or ECDSA private
key, HMAC Key, SSH Exchange Hash,
SSH Session ID, Diffie-Hellman
Private Components and EC Diffie-
Hellman Private Components
User R, G, W, E
Shared secret
computation
Diffie-Hellman shared secret and EC
Diffie-Hellman shared secret
User R
RSA key wrapping RSA, private key User R, E
Certificate
Management /
Handling
RSA, DSA or ECDSA private key
parts of certificates
User R, W, E
Keyed Hash (HMAC) HMAC key User R, E
Keyed Hash (CMAC) CMAC key User R, E
Message digest (SHS) none User N/A
Random number
generation [800-90A]
DRBG
Entropy input string and seed (C, K
and V values)
User R, G, W, E
Key Derivation
(through PBKDF or SSH-
KDF or Single-step KDF)
PBKDF password and derived key
and SSH-KDF derived key
and Single-step KDF derived key
User R, W, E
Show status none User N/A
Module initialization none User N/A
Self-test none User N/A
Zeroize All CSPs User Z
Module installation none Crypto Officer N/A
Table 11 - Approved Services, Roles and Access Rights
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 16 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
G or Generate: The Module generates the CSP(s)
R or Read: The CSP is read from the Module (e.g. the CSP is output)
W or Write: The CSP is updated or written to the Module
E or Execute: Capability to execute or use the Critical Security Parameter
Z or Zeroize: The Module zeroizes the CSP
The Module also provides the following non-Approved services available in non-FIPS mode:
Service Role Access rights to
Keys and/or CSPs
Asymmetric encryption/decryption using non-Approved RSA key size User R, E
Symmetric encryption/decryption using non-Approved algorithms User R, E
Hash operation using non-Approved algorithms User R, E
Digital signature generation and verification using non-Approved
RSA and DSA private key sizes
User R, G, E
Digital signature generation using SHA-1 User R, G, E
TLS connection using keys established by Diffie-Hellman with non-
Approved key sizes
User R, G, W, E
TLS connection using keys established by RSA with key size less than
2048 bits
User R, G, W, E
Asymmetric key generation using non-Approved RSA and DSA key
sizes
User R, G, W, E
Random number generation using ANSI X9.31 RNG User R, G, W, E
KBKDF Key derivation [SP800-108] User R, E
Key derivation used in Kerberos 5 [RFC-3961] User R, E
Table 12 - Non-Approved Services and Roles
4.3 Authentication Methods
Authentication to a role is implicit upon entry.
5. Self-Tests
5.1 Power-Up Self Tests
The Module performs both power-up self-tests (at Module initialization) and conditional self-tests (during
operation). The power-up self-test starts with the integrity test, where the integrity of the runtime
executable is verified using a HMAC SHA-256 digest which is compared to a value computed at build time. If
this computed HMAC SHA-256 digest matches the stored, known digest, then the remainder of the power-
up self-tests (algorithm-specific pairwise consistency tests and known answer tests) are performed. Input,
output, and cryptographic functions cannot be performed while the Module is in a self-test or error state
because the Module is single-threaded and will not return to the calling application until the power-up self-
tests are complete. After successful completion of the power-up tests, the Module is loaded and
cryptographic functions are available for use. If the power-up self-tests fail the Module will enter the error
state, subsequent calls to the Module will fail and no further cryptographic operations are possible. The
Module performs the following power-up self-tests:
Algorithm Test
AES (ECB, KW, XTS modes) KAT, encryption and decryption are tested separately
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 17 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
Algorithm Test
AES (CMAC, CCM, GCM modes) KAT, authenticated encryption and decryption are tested
separately.
DSA Pairwise consistency test (PWCT), sign and verify
RSA KAT, signature generation and verification are tested separately
ECDSA PWCT, sign and verify
KAS-FFC-SSC (Diffie-Hellman) Primitive "Z" Computation KAT
KAS-ECC-SSC (EC Diffie-Hellman) Primitive "Z" Computation KAT
SP 800-90A DRBG (HASH_DRBG,
HMAC_DRBG and CTR_DRBG)
KAT (Health test per section 11.3 of SP 800-90A DRBG)
HMAC-SHA-1, HMAC-SHA-224
HMAC-SHA-256, HMAC-SHA-384,
HMAC-SHA-512
KAT
SHA-1, SHA-256, SHA-512 KAT
SHA3-256, SHA3-512, SHAKE-128,
SHAKE-256
KAT
PBKDF (SP800-132) KAT
SP800-135rev1 KDF (SSH, TLSv1.2) KAT
TLSv1.3 KDF KAT
Module Software integrity HMAC-SHA-256
Table 13 - Power-On Self Tests
5.2 Conditional Self Tests
The Module also performs the following conditional self-tests:
Algorithm Test
DSA Pairwise consistency test (PWCT):
signature generation and verification
RSA Pairwise consistency test (PWCT): signature generation and
verification, encryption and decryption
ECDSA Pairwise consistency test (PWCT):
signature generation and verification
Table 14 - Conditional Self Tests
6. Physical Security
The Module is comprised of software only and does not claim any physical security.
7. Operational Environment
The Module operates under the operating environments specified in Table 2.
8. Guidance and Secure Operation
8.1 Crypto Officer Guidance
The Skyhigh Security OpenSSL Module is available from the Product Certifications Team. To ensure
compliance with this Security Policy, the Crypto Officer must verify the HMAC values match those listed in
the table below.
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 18 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
The Module will be in FIPS-approved mode when all power up self-tests have completed successfully and
continues to operate in FIPS mode unless the User calls Algorithms listed in Table . There are no additional
installation, configuration, or usage instructions for operators intending to use the Skyhigh Security
OpenSSL Module.
Processor Architecture Component Hmac value
Linux libcrypto.so.1.1.1 057e6d933f75b30869cfa34e95fce1e4
f0f52e0f9f08dc21c1bb315b5a0bc0d7
libssl.so.1.1.1 a4707b1dbc1ba5d6eea85e11666285a2
c102035d761c511a18a867d04042fed4
Windows
32-bit
Libcrypto-1_1.dll 044d0e83d278fd1a0123816d4b1c3c15
f4ed1e592c9dc74656b809eabac259f2
Libssl-1_1.dll 20925704d707fce9392ce902509b5acb
45255b667e0dcee555402c6f3ad8b698
Windows
64-bit
libcrypto-1_1-x64.dll cf59f68b7483f63bdc64f688629ff89c
8264dfb009d8bd3ce3104c34d4aad754
libssl-1_1-x64.dll 9d351ab01c9575025d297b4b17220bd3
69c0766831c2d33dcd262210c5ca7bbc
Darwin libcrypto.1.1.1.dylib 435cc9811ffb581f85d416c4311e72d3
080c8ee82edbee44c4ce4d62bcf4e895
libssl. 1.1.1.dylib 31e824733b1a9d3e473a4ddcbf772cea
60d35a15761b9442222d156e7d310ecb
Table 15 – Module hmac values
8.2 User Guidance
The user should use FIPS approved services and their associated FIPS approved and FIPS allowed
cryptographic algorithms as identified in this Security Policy to operate the Module in a FIPS approved
mode.
8.2.1 Use of AES-XTS
According to SP 800-38E, the AES algorithm in XTS mode can be only used for the cryptographic protection
of data on storage devices, as specified in SP800-38E. The length of a single data unit encrypted or
decrypted with the XTS-AES shall not exceed 22
⁰ AES blocks that is 16MB of data per AES-XTS instance. An
XTS instance is defined in section 4 of SP800-38E.
8.2.2 AES-GCM IV
In case the module's power is lost and then restored, the key used for the AES GCM encryption or
decryption shall be redistributed. The nonce_explicit part of the IV does not exhaust the maximum number
of possible values for a given session key. The design of the TLS protocol in this module implicitly ensures
that the nonce_explicit, or counter portion of the IV will not exhaust all of its possible values. The AES GCM
IV generation is in compliance with the [RFC5288] and shall only be used for the TLS protocol version 1.2 to
be compliant with [FIPS140-2_IG] IG A.5, provision 1 (“TLS protocol IV generation”); thus, the module is
compliant with [SP800-52]. When a GCM IV is used for decryption, the responsibility for the IV generation
lies with the party that performs the AES GCM encryption and therefore there is no restriction on the IV
generation. The module supports the TLS GCM ciphersuites from SP800-52 Rev1, section 3.3.1.
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 19 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
8.2.3 Key derivation using SP800-132 PBKDF
The module provides password-based key derivation (PBKDF), compliant with SP800-132. The module
supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used
directly as the Data Protection Key (DPK). In accordance to [SP800-132] and IG D.6, the following
requirements shall be met.
• Derived keys shall only be used in storage applications. The Master Key (MK) shall not be used for
other purposes. The length of the MK or DPK shall be of 112 bits or more.
• A portion of the salt, with a length of at least 128 bits, shall be generated randomly using the
SP800-90A DRBG.
• The iteration count shall be selected as large as possible, as long as the time required to generate
the key using the entered password is acceptable for the users. The minimum value shall be 1000.
• Passwords or passphrases, used as an input for the PBKDF, shall not be used as cryptographic keys.
The length of the password or passphrase shall be of at least 20 characters, and shall consist of
lower-case, upper-case and numeric characters. The probability of guessing the value is estimated
to be 1/6220
= 10-36
, which is less than 2-112
. The calling application shall also observe the rest of the
requirements and recommendations specified in [SP800-132].
9. Mitigation of other Attacks
The module is not designed to mitigate against attacks which are outside of the scope of FIPS 140-2.
10. References and Standards
The following Standards are referred to in this Security Policy.
Abbreviation Full Specification Name
[FIPS140-2] National Institute of Standards and Technology, Security Requirements for
Cryptographic Modules, May 25, 2001
[SP800-131A] National Institute of Standards and Technology, Transitions: Recommendation for
Transitioning the Use of Cryptographic Algorithms and Key Lengths, Special
Publication 800-131Arev2, March 2019
[IG] National Institute of Standards and Technology, Implementation Guidance for FIPS
PUB 140-2 and the Cryptographic Module Validation Program
[SP800-38B] National Institute of Standards and Technology, Recommendation for Block Cipher
Modes of Operation: the CMAC Mode for Authentication, Special Publication 800-
38B, May 2005 (updated 10/6/2016)
[SP800-38C] National Institute of Standards and Technology, Recommendation for Block Cipher
Modes of Operation: the CCM Mode for Authentication and Confidentiality, Special
Publication 800-38C, May 2004 (updated 7/20/2007)
[SP800-38D] National Institute of Standards and Technology, Recommendation for Block Cipher
Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication
800- 38D, November 2007
[SP800-38E] National Institute of Standards and Technology, Recommendation for Block Cipher
Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices,
Special Publication 800-38E, January 2010
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 20 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
Abbreviation Full Specification Name
[SP800-38F] National Institute of Standards and Technology, Recommendation for Block Cipher
Modes of Operation: Methods for Key Wrapping, Special Publication 800-38F,
December 2012
[SP800-52] National Institute of Standards and Technology, Guidelines for the Selection,
Configuration, and Use of Transport Layer Security (TLS) Implementations, Special
Publication 800-52rev2, August 2019
[SP800-56Ar3] National Institute of Standards and Technology, Recommendation for Pair-Wise Key-
Establishment Schemes Using Discrete Logarithm Cryptography, Special Publication
800-56Arev3, April 2018
[SP800-56C] National Institute of Standards and Technology, Recommendation for Key-Derivation
Methods in Key-Establishment Schemes, Special Publication 800-56Crev2, August
2020
[SP800-90A] National Institute of Standards and Technology, Recommendation for Random
Number Generation Using Deterministic Random Bit Generators, Special Publication
800-90Arev1, June 2015.
[SP800-108] National Institute of Standards and Technology, Recommendation for Key Derivation
Using Pseudorandom Functions (Revised), Special Publication 800-108, October 2009
[FIPS 198-1] National Institute of Standards and Technology, The Keyed-Hash Message
AuthenticationCode (HMAC), Federal InformationProcessing StandardsPublication
198- 1, July, 2008
[SP800-132] National Institute of Standards and Technology, Recommendation for Password-
Based Key Derivation: Part 1: Storage Applications, Special Publication 800-132,
December 2010
[SP800-
133rev2]
National Institute of Standards and Technology, Recommendation for Cryptographic
Key Generation, Special Publication 800-133rev2, June 2020
[SP800-
135rev1]
National Institute of Standards and Technology, Recommendation for Existing
Application-Specific Key Derivation Functions, Special Publication 800-135rev1,
December 2011.
[FIPS 180-4] National Institute of Standards and Technology, Secure Hash Standard, Federal
Information Processing Standards Publication 180-4, August, 2015
[FIPS 186-4] National Institute of Standards and Technology, Digital Signature Standard (DSS),
Federal Information Processing Standards Publication 186-4, July, 2013.
[FIPS 197] National Institute of Standards and Technology, Advanced Encryption Standard
(AES), Federal Information Processing Standards Publication 197, November 26, 2001
[FIPS 202] National Institute of Standards and Technology, SHA-3 Standard: Permutation-Based
Hash and Extendable-Output Functions, Federal Information Processing Standards
Publication 202, August, 2015
[ANSI X9.31] ANSI X9.31, 1998 Edition, September 9, 1998 - DIGITAL SIGNATURES USING
REVERSIBLE PUBLIC KEY CRYPTOGRAPHY FOR THE FINANCIAL SERVICES INDUSTRY
(RDSA)
[RFC-3961] Internet Engineering Task Force, Encryption and Checksum Specifications for
Kerberos 5, RFC-3961, February 2005
[RFC-5288] Internet Engineering Task Force, AES Galois Counter Mode (GCM) Cipher Suites for
TLS, RFC-5288, August 2008
[RFC-8446] Internet Engineering Task Force, The Transport Layer Security (TLS) Protocol Version
1.3, August 2018
Table 16 - References
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 21 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
11. Acronyms and Definitions
The following Acronyms are referred to in this Security Policy.
Acronym Definition
AES Advanced Encryption Standard
ANSI American National Standards Institute
API Application Programming Interface
CAVP Cryptographic Algorithm Validation Program
CBC Cipher-Block Chaining
CCM Counter with CBC-MAC
CFB Cipher FeedBack
CMAC Cipher-based Message Authentication Code
CMVP Crypto Module Validation Program
CSP Critical Security Parameter
CTR Counter-mode
CVL Component Validation List
DES Data Encryption Standard
DH Diffie-Hellman
DLC Discrete Logarithm Cryptography
DPK Data Protection Key
DRBG Deterministic Random Bit Generator
DSA Digital Signature Standard
EC Elliptic Curve
ECB Electronic Code Book
ECDSA Elliptic Curve Digital Signature Algorithm
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FCC Federal Communications Commission
FIPS Federal Information Processing Standard
GCM Galois/Counter Mode
HMAC key-Hashed Message Authentication Code
IG Implementation Guidance
IV Initialization Vector
KAS Key Agreement Scheme
KAT Known Answer Test
KDA Key Derivation Algorithm
KDF Key Derivation Function
KTS Key Transport Scheme
KW Key Wrap
KWP Key Wrap with Padding
L Length
MAC Message Authentication Code
MD2 Message Digest algorithm MD2
MD4 Message Digest algorithm MD4
MD5 Message Digest algorithm MD5
MK Master Key
MLOS McAfee Linux Operating System
N Modulus Length
Copyright Skyhigh Security 2023 Document Version: 20230124 Page 22 of 22
Skyhigh Security Public Material – May be reproduced only in its original entirety (without revision).
Acronym Definition
N/A Not Applicable
NIST National Institute of Standards and Technology
NDRNG Non Deterministic Random Number Generator
OFB Output FeedBack
OS Operating System
PBKDF Password-Based Key Derivation Function
PCT Pairwise Consistency Test
PKCS Public Key Cryptography Standards
RACE Research and development in Advanced Communications technologies in Europe
RC2 Rivest Cipher RC2
RC4 Rivest Cipher RC4
RC5 Rivest Cipher RC5
RFC Request for Comments
RIPE RACE Integrity Primitives Evaluation
RIPEMD RIPE Message Digest
RNG Random Number Generator
ROM Read-Only Memory
RSA Public-key encryption technology developed by RSA Data Security, Inc.
SSC Shared Secret Computation
SHA Secure Hash Algorithms
SHAKE Secure Hash Algorithm with KECCAK
SHS Secure Hash Standard
SPC Services Processing Card
SSH Secure Shell
TLS Transport Layer Security
XEX XOR Encrypt XOR
XTS XEX Tweakable block cipher with ciphertext Stealing
Table 17 - Acronyms