Cryptographic Module Validation Program CMVP

Module Name

LS2 HSM Family

Standard

FIPS 140-3

Status

Active

Sunset Date

6/5/2029

Overall Level

3

Caveat

When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy

Security Level Exceptions

• Operational environment: N/A
• Non-invasive security: N/A
• Mitigation of other attacks: N/A

Module Type

Hardware

Embodiment

MultiChipEmbed

Description

The LS2 HSM module is a multi-chip Cryptographic Module with firmware and installed in Host CryptoBind HSM and CryptoBind DSS. It consists of multiple firmware components, including an operating system, applications exposing services and interfaces related to secure key management, crypto operations, and policy management of the module.

Tested Configuration(s)

• N/A

Approved Algorithms

Allowed Algorithms

AES (Cert A1947, Key unwrapping. Per IG D.G.; Legacy Key unwrap only • ECB mode: Decrypt; 128, 192, and 256-bit • CBC mode: Decrypt; 128, 192, and 256-bit);AES (Cert A1948, Key unwrapping. Per IG D.G; Legacy Key unwrap only • ECB mode: Decrypt; 128, 192, and 256-bit • CBC mode: Decrypt; 128, 192, and 256-bit);EC Diffie-Hellman with non-NIST recommended curves (Cert A1947, Provides between 112 and 256 bits of encryption strength. Per IGs D.F and C.A.; EC-DH Secp224k1(112 bits), Secp256K1 (128 bits) brainpoolP224r1(112 bits), brainpoolP256r1(128 bits), brainpoolP320r1(160 bits), brainpoolP384r1(192 bits), brainpoolP512r1(256 bits) FRP256v1 (128 bits) • Prime order curve, generated as per FIPS 186-4 Section 6.1.1 (SHA-1*, SHA2-224, SHA2-256, SHA2-384, SHA2-512));ECDSA with non-NIST recommended curves (Cert A1947, Provides between 112 and 256 bits of encryption strength. Per IG C.A.; EC Key generation, sign Secp256K1 (128 bits) brainpoolP224r1(112 bits), brainpoolP256r1(128 bits), brainpoolP320r1(160 bits), brainpoolP384r1(192 bits), brainpoolP512r1(256 bits) FRP256v1 (128 bits) • Prime order curve, generated as per FIPS 186-4 Section 6.1.1 (SHA-1*, SHA2-224, SHA2-256, SHA2-384, SHA2-512))

Entropy

ENT (P)

Hardware Versions

LS2-G-A050-B0; LS2-G-A100-B0; LS2-G-A200-B0; LS2-G-A300-B0; LS2-G-A400-B0

Firmware Versions

MARVELL-LS2-FW-10.02-1102, MARVELL-LS2-UBOOT-10.01-10; MARVELL-LS2-FW-10.02-1102, MARVELL-LS2-UBOOT-10.02-1200; MARVELL-LS2-FW-10.02-1102, MARVELL-LS2-UBOOT-10.23-1107-R01-SB; MARVELL-LS2-FW-10.02-1102, MARVELL-LS2-UBOOT-10.23-1107-R02-SB; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.01-10; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.02-1200; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.23-1107-R01-SB; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.23-1107-R02-SB; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.01-10, PIN-App:10.23-1107; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.02-1200, PIN-App:10.23-1107; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.23-1107-R01-SB, PIN-App:10.23-1107; MARVELL-LS2-FW-10.23-1107, MARVELL-LS2-UBOOT-10.23-1107-R02-SB, PIN-App:10.23-1107; MARVELL-LS2-FW-10.23-1150, MARVELL-LS2-UBOOT-10.01-10; MARVELL-LS2-FW-10.23-1150, MARVELL-LS2-UBOOT-10.02-1200-SB; MARVELL-LS2-FW-10.23-1150, MARVELL-LS2-UBOOT-10.23-1107-R01-SB; MARVELL-LS2-FW-10.23-1150, MARVELL-LS2-UBOOT-10.23-1107-R02-SB, PIN-App:10.23-1107; MARVELL-LS2-FW-10.23-1202, MARVELL-LS2-UBOOT-10.23-1107-R01-SB; MARVELL-LS2-FW-10.23-1202, MARVELL-LS2-UBOOT-10.23-1107-R02-SB, PIN-App:10.23-1107