Cryptographic Module Validation Program CMVP

Certificate #3254

Details

Module Name
NITROXIII CNN35XX-NFBE HSM Family
Standard
FIPS 140-2
Status
Active
Sunset Date
8/1/2023
Validation Dates
08/02/2018;08/17/2018;10/09/2018;01/30/2019;04/02/2019;06/13/2019;07/15/2019;07/18/2019;08/12/2019;11/18/2019;07/01/2020;07/10/2020;12/01/2020
Overall Level
3
Caveat
When operated in FIPS mode and initialized and configured per Section 10 of the Security Policy. The module generates cryptographic keys whose strengths are modified by available entropy
Security Level Exceptions
  • Mitigation of Other Attacks: N/A
Module Type
Hardware
Embodiment
Multi-Chip Embedded
Description
CNN35XX-NFBE HSM Family is a high-performance, purpose-built solution for key management and crypto acceleration in compliance with FIPS 140-2. The module supports a flexible key store that can be partitioned into up to 32 individually managed and isolated partitions. This is an SRIOV-capable PCIe adapter and can be used in a virtualization environment to extend services like virtual key management, crypto and TLS offloads to VMs in dedicated I/O channels. This product is suitable for PKI vendors and SSL servers/load balancers.
Tested Configuration(s)
  • N/A
FIPS Algorithms
AES Certs. #2033, #2034, #2035, #3205, #3206 and #4104
CKG vendor affirmed
CVL Certs. #167 and #563
DRBG Cert. #680
DSA Cert. #916
ECDSA Cert. #589
HMAC Certs. #1233 and #2019
KAS Cert. #53
KAS SP 800-56B, vendor affirmed
KBKDF Cert. #65
KTS AES Cert. #2035; key establishment methodology provides between 128 and 256 bits of encryption strength
KTS AES Cert. #3206
KTS AES Cert. #4104; key establishment methodology provides 128 or 192 bits of encryption strength
KTS Triple-DES Cert. #2242; key establishment methodology provides 112 bits of encryption strength
RSA Certs. #1634 and #2218
RSA Cert. #1634, SP 800-56B, vendor affirmed
SHS Certs. #1780 and #2652
Triple-DES Certs. #1311 and #2242
Allowed Algorithms
EC Curve Secp256k1; EC Diffie-Hellman (CVL Certs. #167 and #563, key agreement; key establishment methodology provides 128 bits of encryption strength); MD5; NDRNG; RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength)
Hardware Versions
P/Ns CNL3560P-NFBE-G [1, 2, 3, 4, 5, 6], CNL3560P-NFBE-2.0-G [1, 2, 3, 4], CNL3560P-NFBE-3.0-G [1, 2, 3, 4], CNL3560B-NFBE-2.0-G [1, 2, 3, 4], CNL3560B-NFBE-3.0-G [1, 2, 3, 4], CNL3560-NFBE-G [1, 2, 3, 4, 5, 6], CNL3560-NFBE-2.0-G [1, 2, 3, 4], CNL3560-NFBE-3.0-G [1, 2, 3, 4], CNL3560A-NFBE-3.0-G [1, 2, 3, 4], CNL3560C-NFBE-3.0-G [1, 2, 3, 4], CNL3560D-NFBE-3.0-G [1, 2, 3, 4], CNL3560E-NFBE-3.0-G [1, 2, 3, 4], CNL3560F-NFBE-3.0-G [1, 2, 3, 4], CNL3530-NFBE-G [1, 2, 3, 4, 5, 6], CNL3530-NFBE-2.0-G [1, 2, 3, 4], CNL3530-NFBE-3.0-G [1, 2, 3, 4], CNL3530B-NFBE-2.0-G [1, 2, 3, 4], CNL3530B-NFBE-3.0-G [1, 2, 3, 4], CNL3530A-NFBE-3.0-G [1, 2, 3, 4], CNL3530C-NFBE-3.0-G [1, 2, 3, 4], CNL3530D-NFBE-3.0-G [1, 2, 3, 4], CNL3530E-NFBE-3.0-G [1, 2, 3, 4], CNL3530F-NFBE-3.0-G [1, 2, 3, 4], CNL3510-NFBE-G [1, 2, 3, 4, 5, 6], CNL3510-NFBE-2.0-G [1, 2, 3, 4], CNL3510-NFBE-3.0-G [1, 2, 3, 4], CNL3510B-NFBE-2.0-G [1, 2, 3, 4], CNL3510P-NFBE-G [1, 2, 3, 4, 5, 6], CNL3510P-NFBE-2.0-G [1, 2, 3, 4], CNL3510P-NFBE-3.0-G [1, 2, 3, 4], CNL3510PB-NFBE-2.0-G [1, 2, 3, 4], CNL3560PB-NFBE-2.0-G [1, 2, 3, 4], CNL3510A-NFBE-3.0-G [1, 2, 3, 4], CNL3510C-NFBE-3.0-G [1, 2, 3, 4], CNL3510D-NFBE-3.0-G [1, 2, 3, 4], CNL3510E-NFBE-3.0-G [1, 2, 3, 4], CNL3510F-NFBE-3.0-G [1, 2, 3, 4], CNN3560P-NFBE-G [1, 2, 3, 4, 5, 6], CNN3560P-NFBE-2.0-G [1, 2, 3, 4], CNN3560P-NFBE-3.0-G [1, 2, 3, 4], CNN3560-NFBE-G [1, 2, 3, 4, 5, 6], CNN3560-NFBE-2.0-G [1, 2, 3, 4], CNN3560-NFBE-3.0-G [1, 2, 3, 4], CNN3560A-NFBE-3.0-G [1, 2, 3, 4], CNN3560C-NFBE-3.0-G [1, 2, 3, 4], CNN3560D-NFBE-3.0-G [1, 2, 3, 4], CNN3560E-NFBE-3.0-G [1, 2, 3, 4], CNN3560F-NFBE-3.0-G [1, 2, 3, 4], CNN3530-NFBE-G [1, 2, 3, 4, 5, 6], CNN3530-NFBE-2.0-G [1, 2, 3, 4], CNN3530-NFBE-3.0-G [1, 2, 3, 4], CNN3530A-NFBE-3.0-G [1, 2, 3, 4], CNN3530C-NFBE-3.0-G [1, 2, 3, 4], CNN3530D-NFBE-3.0-G [1, 2, 3, 4], CNN3530E-NFBE-3.0-G [1, 2, 3, 4], CNN3530F-NFBE-3.0-G [1, 2, 3, 4], CNN3510-NFBE-G [1, 2, 3, 4, 5, 6], CNN3510-NFBE-2.0-G [1, 2, 3, 4], CNN3510-NFBE-3.0-G 
[1, 2, 3, 4], CNN3510A-NFBE-3.0-G [1, 2, 3, 4], CNN3510C-NFBE-3.0-G [1, 2, 3, 4], CNN3510D-NFBE-3.0-G [1, 2, 3, 4], CNN3510E-NFBE-3.0-G [1, 2, 3, 4], CNN3510F-NFBE-3.0-G [1, 2, 3, 4], CNN3510LP-NFBE-2.0-G [1, 2, 3, 4], CNN3510LP-NFBE-3.0-G [1, 2, 3, 4], CNN3510LPB-NFBE-2.0-G [1, 2, 3, 4], CNN3510LPB-NFBE-3.0-G [1, 2, 3, 4], CNN3510LPA-NFBE-3.0-G [1, 2, 3, 4], CNN3510LPC-NFBE-3.0-G [1, 2, 3, 4], CNN3510LPD-NFBE-3.0-G [1, 2, 3, 4], CNN3510LPE-NFBE-3.0-G [1, 2, 3, 4], CNN3510LPF-NFBE-3.0-G [1, 2, 3, 4], CNN3505LP-NFBE-2.0-G [1, 2, 3, 4], CNN3505LP-NFBE-3.0-G [1, 2, 3, 4], CNN3505LPA-NFBE-3.0-G [1, 2, 3, 4], CNN3505LPC-NFBE-3.0-G [1, 2, 3, 4], CNN3505LPD-NFBE-3.0-G [1, 2, 3, 4], CNN3505LPE-NFBE-3.0-G [1, 2, 3, 4] and CNN3505LPF-NFBE-3.0-G [1, 2, 3, 4]
Firmware Versions
CNN35XX-NFBE-FW-2.04 build 48 [1], CNN35XX-NFBE-FW-2.04 build 49 [2], CNN35XX-NFBE-FW-2.04 build 50 [3], CNN35XX-NFBE-FW-2.04 build 52 [4], CNN35XX-NFBE-FW-2.05 build 15 [5] and CNN35XX-NFBE-FW-2.05 build 18 [6]

Vendor

Marvell Semiconductor, Inc.
5488 Marvell Ln
Santa Clara, CA 95054
USA

Daniel Wong
danielwong@marvell.com
Phone: 408-222-8016
Phanikumar Kancharla
PhaniKumar.kancharla@marvell.com

Lab

UL VERIFICATION SERVICES INC
NVLAP Code: 100432-0