Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

Certificate #4700

Details

Module Name
NITROXIII CNN35XX-NFBE HSM Family
Standard
FIPS 140-3
Status
Active
Sunset Date
5/29/2029
Overall Level
3
Caveat
When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. The module generates SSPs whose strengths are modified by available entropy
Security Level Exceptions
  • Operational environment: N/A
  • Non-invasive security: N/A
  • Mitigation of other attacks: N/A
  • Documentation requirements: N/A
  • Cryptographic module security policy: N/A
Module Type
Hardware
Embodiment
Multi-Chip Embedded
Description
The NITROXIII CNN35XX-NFBE HSM Family module by Marvell (formerly Cavium Inc.) is a high-performance purpose-built security solution for crypto acceleration. The module provides a FIPS 140-3 overall Level 3 security solution. The module is deployed in a PCIe slot to provide crypto and TLS 1.0/1.1/1.2 acceleration in a secure manner to the system host. It is typically deployed in a server or an appliance to provide crypto offload. The module’s functions are accessed over the PCIe interface via an API defined by the module.
Tested Configuration(s)
  • N/A
Approved Algorithms
AES-CBC
AES-CBC
AES-CCM
AES-CMAC
AES-CMAC
AES-CMAC
AES-CTR
AES-ECB
AES-ECB
AES-GCM
AES-GCM
AES-GMAC
AES-KW
AES-KWP
Counter DRBG
DSA KeyGen (FIPS186-4)
DSA PQGGen (FIPS186-4)
DSA PQGVer (FIPS186-4)
DSA SigGen (FIPS186-4)
DSA SigVer (FIPS186-4)
ECDSA KeyGen (FIPS186-4)
ECDSA KeyVer (FIPS186-4)
ECDSA SigGen (FIPS186-4)
ECDSA SigGen (FIPS186-4)
ECDSA SigGen (FIPS186-4)
ECDSA SigVer (FIPS186-4)
ECDSA SigVer (FIPS186-4)
Hash DRBG
HMAC-SHA-1
HMAC-SHA-1
HMAC-SHA2-224
HMAC-SHA2-224
HMAC-SHA2-256
HMAC-SHA2-256
HMAC-SHA2-384
HMAC-SHA2-384
HMAC-SHA2-512
HMAC-SHA2-512
KAS-ECC CDH-Component
KAS-ECC Sp800-56Ar3
KAS-ECC-SSC Sp800-56Ar3
KAS-ECC-SSC Sp800-56Ar3
KAS-IFC-SSC
KDA HKDF Sp800-56Cr1
KDA OneStep Sp800-56Cr1
KDA TwoStep Sp800-56Cr1
KDF ANS 9.63
KDF SP800-108
KDF SP800-108
KDF SP800-108
KDF TLS
KTS-IFC
PBKDF
RSA Decryption Primitive
RSA Decryption Primitive
RSA KeyGen (FIPS186-4)
RSA KeyGen (FIPS186-4)
RSA SigGen (FIPS186-2)
RSA SigGen (FIPS186-4)
RSA Signature Primitive
RSA SigVer (FIPS186-4)
RSA SigVer (FIPS186-4)
RSA SigVer (FIPS186-4)
SHA-1
SHA-1
SHA2-224
SHA2-224
SHA2-256
SHA2-256
SHA2-256
SHA2-384
SHA2-384
SHA2-512
SHA2-512
SHA3-224
SHA3-256
SHA3-512
SHAKE-128
SHAKE-256
TDES-CBC
TDES-ECB
TDES-ECB
TDES-KW
Allowed Algorithms
AES (Cert. #C819, key unwrapping provides 128, 192 or 256 bits of encryption strength. Per IG D.G.; Key unwrap only N3FIPS-OpenSSL-1.1.1-AES ECB mode: Decrypt; 128, 192 and 256 bits CBC mode: Decrypt: 128, 192 and 256 bits *Legacy use only);EC Diffie-Hellman with non-NIST recommended curves (Cert. #C829, provides 112, 128, 160, 192 or 256 bits of encryption strength. Per IG C.A. ; EC-DH Secp224k1(112 bits), Secp256K1 (128 bits) • Prime order curve, generated as per FIPS 186-4 Section 6.1.1 brainpoolP224r1(112 bits), brainpoolP256r1(128 bits), brainpoolP320r1(160 bits), brainpoolP384r1(192 bits), brainpoolP512r1(256 bits) FRP256v1 (128 bits) • Prime order curve, generated as per FIPS 186-4 Section 6.1.1 (SHA-1*, SHA2-224, SHA2-256, SHA2-384, SHA2-512));ECDSA with non-NIST recommended curves (Cert. #C825, provides 112, 128, 160, 192 or 256 bits of encryption strength. Per IG C.A. ; EC Key generation, sign, verify Secp224k1(112 bits), Secp256K1 (128 bits) • Prime order curve, generated as per FIPS 186-4 Section 6.1.1 brainpoolP224r1(112 bits), brainpoolP256r1(128 bits), brainpoolP320r1(160 bits), brainpoolP384r1(192 bits), brainpoolP512r1(256 bits) FRP256v1 (128 bits) • Prime order curve, generated as per FIPS 186-4 Section 6.1.1 (SHA-1*, SHA2-224, SHA2-256, SHA2-384, SHA2-512))
Entropy
ENT (P)
Hardware Versions
HW-1.0 (CNL3510-NFBE-G; CNL3510P-NFBE-G; CNL3530-NFBE-G; CNL3560-NFBE-G; CNL3560P-NFBE-G; CNN3510-NFBE-G; CNN3530-NFBE-G; CNN3560-NFBE-G; CNN3560P-NFBE-G); HW-2.0 (CNL3510-NFBE-2.0-G; CNL3510B-NFBE-2.0-G; CNL3510P-NFBE-2.0-G; CNL3510PB-NFBE-2.0-G; CNL3530-NFBE-2.0-G; CNL3530B-NFBE-2.0-G; CNL3560-NFBE-2.0-G; CNL3560B-NFBE-2.0-G; CNL3560P-NFBE-2.0-G; CNL3560PB-NFBE-2.0-G; CNN3505LP-NFBE-2.0-G; CNN3510-NFBE-2.0-G; CNN3510LP-NFBE-2.0-G; CNN3510LPB-NFBE-2.0-G; CNN3530-NFBE-2.0-G; CNN3560-NFBE-2.0-G; CNN3560P-NFBE-2.0-G); HW-3.0 (CNL3510-NFBE-3.0-G; CNL3510A-NFBE-3.0-G; CNL3510C-NFBE-3.0-G; CNL3510D-NFBE-3.0-G; CNL3510E-NFBE-3.0-G; CNL3510F-NFBE-3.0-G; CNL3510I-NFBE-3.0-G; CNL3510P-NFBE-3.0-G; CNL3530-NFBE-3.0-G; CNL3530A-NFBE-3.0-G; CNL3530B-NFBE-3.0-G; CNL3530C-NFBE-3.0-G; CNL3530D-NFBE-3.0-G; CNL3530E-NFBE-3.0-G; CNL3530F-NFBE-3.0-G; CNL3560-NFBE-3.0-G; CNL3560A-NFBE-3.0-G; CNL3560B-NFBE-3.0-G; CNL3560B-NFBE-3.0-G-FB; CNL3560C-NFBE-3.0-G; CNL3560D-NFBE-3.0-G; CNL3560E-NFBE-3.0-G; CNL3560F-NFBE-3.0-G; CNL3560P-NFBE-3.0-G; CNN3505LP-NFBE-3.0-G; CNN3505LPA-NFBE-3.0-G; CNN3505LPC-NFBE-3.0-G; CNN3505LPD-NFBE-3.0-G; CNN3505LPE-NFBE-3.0-G; CNN3505LPF-NFBE-3.0-G; CNN3510-NFBE-3.0-G; CNN3510A-NFBE-3.0-G; CNN3510C-NFBE-3.0-G; CNN3510D-NFBE-3.0-G; CNN3510E-NFBE-3.0-G; CNN3510F-NFBE-3.0-G; CNN3510LP-NFBE-3.0-G; CNN3510LPA-NFBE-3.0-G; CNN3510LPB-NFBE-3.0-G; CNN3510LPC-NFBE-3.0-G; CNN3510LPD-NFBE-3.0-G; CNN3510LPE-NFBE-3.0-G; CNN3510LPF-NFBE-3.0-G; CNN3530-NFBE-3.0-G; CNN3530A-NFBE-3.0-G; CNN3530C-NFBE-3.0-G; CNN3530D-NFBE-3.0-G; CNN3530E-NFBE-3.0-G; CNN3530F-NFBE-3.0-G; CNN3560-NFBE-3.0-G; CNN3560A-NFBE-3.0-G; CNN3560C-NFBE-3.0-G; CNN3560D-NFBE-3.0-G; CNN3560E-NFBE-3.0-G; CNN3560F-NFBE-3.0-G; CNN3560P-NFBE-3.0-G)
Firmware Versions
CNN35XX-NFBE-FW-2.09-0702, CNN35XX-NFBE-SMW-2.09-0702, CNN35XX-UBOOT-4.03-03

Vendor

Marvell Semiconductor, Inc.
5488 Marvell Lane
Santa Clara, CA 95054
USA

Phanikumar Kancharla
pkkancharla@marvell.com
Phone: 408-943-7496

Validation History

Date Type Lab
5/30/2024 Initial LEIDOS CSTL