Introduction
The FalconStor Cryptographic Module (FCM) is derived from the NSS Cryptographic
Module version 3.12.4, an open-source, general-purpose cryptographic library, with an
API based on the industry standard PKCS #11 version 2.20 [1]. It is available for free
under the Mozilla Public License, the GNU General Public License, and the GNU Lesser
General Public License. The NSS cryptographic module was jointly developed by Red
Hat and Sun engineers and is used in Mozilla Firefox, Thunderbird, and many server
applications from Red Hat and Sun. The security policy contents are directly inherited
from the original NSS Cryptographic Module version 3.11.4, FIPS 140-2 Non-Proprietary
Security Policy Level 1 and 2 Validation, Document version 1.19.
The FCM has two modes of operation: the FIPS Approved mode and non-FIPS Approved
mode. By default, the module operates in the non-FIPS Approved mode. To operate the
module in the FIPS Approved mode, an application must adhere to the security rules in
the Security Rules section and initialize the module properly. If an application initializes
the FCM by calling the standard PKCS #11 function C_GetFunctionList and
calls the API functions via the function pointers in that list, it selects the non-FIPS
Approved mode. To operate the FCM in the FIPS Approved mode, an application must
call the API functions via an alternative set of function pointers. Rule 7 of the Security
Rules section specifies how to do this.
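The mode selection described above, as an added example that is not taken from this policy or from the NSS sources: it resolves one entry point and fails closed instead of falling back to C_GetFunctionList. It assumes the FIPS function list is exported as FC_GetFunctionList (following the FC_xxx naming used in this document) and that the caller supplies the library path; the helper names and error codes are hypothetical.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_RV;                       /* PKCS #11 return code, CKR_OK == 0 */
typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;  /* kept opaque in this example */
typedef CK_RV (*get_list_fn)(CK_FUNCTION_LIST **);

/* Hypothetical error codes for this example. */
enum { FCM_OK = 0, FCM_NO_LIBRARY = -1, FCM_NO_ENTRY_POINT = -2, FCM_CALL_FAILED = -3 };

/* Assumed symbol names: FC_ for FIPS Approved mode, standard C_ for non-FIPS mode. */
const char *fcm_entry_symbol(int fips_mode)
{
    return fips_mode ? "FC_GetFunctionList" : "C_GetFunctionList";
}

/* Load the module and fetch the function list for exactly the requested mode. */
int fcm_get_function_list(const char *lib_path, int fips_mode,
                          void **handle_out, CK_FUNCTION_LIST **list_out)
{
    get_list_fn get_list = NULL;
    void *handle;

    *handle_out = NULL;
    *list_out = NULL;
    handle = dlopen(lib_path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL)
        return FCM_NO_LIBRARY;
    /* Only the requested symbol is tried: a missing FIPS entry point is an
       error, never a reason to use the non-FIPS one silently. */
    *(void **)(&get_list) = dlsym(handle, fcm_entry_symbol(fips_mode));
    if (get_list == NULL) { dlclose(handle); return FCM_NO_ENTRY_POINT; }
    if (get_list(list_out) != 0 || *list_out == NULL) {
        *list_out = NULL;
        dlclose(handle);
        return FCM_CALL_FAILED;
    }
    *handle_out = handle;  /* caller keeps it open while using the list */
    return FCM_OK;
}

int main(int argc, char **argv)
{
    void *handle;
    CK_FUNCTION_LIST *list;
    if (argc != 2) { fprintf(stderr, "usage: %s /path/to/module.so\n", argv[0]); return 2; }
    if (fcm_get_function_list(argv[1], 1, &handle, &list) != FCM_OK) {
        fprintf(stderr, "FIPS entry point unavailable, refusing to continue\n");
        return 1;
    }
    puts("FIPS Approved function list obtained");
    dlclose(handle);
    return 0;
}
```

On systems with an older glibc, link with -ldl.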
This document may be freely reproduced and distributed in its entirety.
Platform List
FIPS 140-2 conformance testing of the FCM was performed on the platform listed
below.
Security Level 1
Dell PowerEdge SC440 (x64), Oracle Enterprise Linux 5.3.
The FCM supports many other platforms. If you would like to have the module
validated on other platforms, please contact us.
Note on Calling the API Functions
The FCM has two parallel sets of API functions, FC_xxx and NSC_xxx, that implement
the FIPS Approved and non-FIPS Approved modes of operation, respectively. For
example, FC_Initialize initializes the module's library for the FIPS Approved
mode of operation, whereas its counterpart NSC_Initialize initializes the library