Samsung OpenSSL Cryptographic Module
FIPS 140-2 Security Policy
© 2013 Samsung/atsec information security. This document can be reproduced and distributed only whole and intact,
including this copyright notice.
15 of 24
8. Cryptographic Key Management
8.1. Random Number Generation
The Module employs an ANSI X9.31 compliant random number generator for creation of
cryptographic keys and CSPs. For more details on the RNG please refer to the Functional Design
document.
Caveat: The encryption strength of AES keys are modified by available entropy of seeds that are
provided to the RNG. The RNG uses seed source from dev/random which provides entropy of 192
bits. Therefore, the maximum encryption strength of AES keys is 192 bits.
8.2. Key Entry and Output
The module does not support manual key entry or key output. Keys or other CSPs can only be
exchanged between the module and the calling application using appropriate API calls.
8.3. Key Storage
Keys are not stored inside crypto module. A pointer to plaintext key is passed through.
Intermediate/temporary key storages are immediately zeroized.
8.4. Zeroization Procedure
In order to zeroize, keys and other CSPs free() is called which in turn calls another API function that
overwrites the memory with an algorithm that depends on the pointer to the value, but not the
value itself.
In regards to key generation, the external application must call the respective zeroization
functions. Intermediate key storages are immediately assigned to Zero. For more details on
zeroization and related APIs, please refer to the Functional Design document.