Nokia IP265 Security Guide - Page 17

Cryptographic Key Management

Get Nokia IP265 - Security Appliance PDF manuals and user guides View all Nokia IP265 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 17 highlights

purpose operating system nor do they provide a mechanism to load software. The module operator interacts with the module through customized interfaces that provide only specific command options. 2.8 Cryptographic Key Management Cryptographic algorithms are implemented in firmware by IPSO and Check Point VPN-1 and in hardware by the encryption accelerators. The IPSO operating system provides the capability to use SSHv1 or SSHv2 to secure the remote CLI management sessions. The implemented FIPS-approved algorithms include RSA (SSHv1 and SSHv2) and DSA (SSHv2) for authentication, Triple-DES for data encryption, SHA-1 for data hashing, and HMAC SHA-1 for data packet integrity. Key establishment is performed by using the RSA key transport for SSHv1 and the DiffieHellman key agreement for SSHv2. Check Point provides the capability to use TLSv1 to secure management sessions. The implemented FIPS-approved algorithms include RSA for authentication; DES, Triple-DES, and AES for data encryption; SHA-1 for data hashing; and HMAC SHA-1 for data packet integrity. Key establishment is performed by using RSA key wrapping. The embedded Check Point application supports IPSec/ESP for data encryption and IPSec/AH for data integrity. The Check Point module implements all IKE modes: main, aggressive, and quick, using ISAKMP according to the standard. IKE uses RSA signatures or pre-shared keys for authentication. Key establishment in IKE is performed by using the Diffie-Hellman key agreement technique. Enhanced VPN performance is achieved by accelerating DES, AES, Triple-DES, and Diffie-Hellman modular exponentiation processing implemented by the Check Point firmware. Hardware acceleration is accomplished either by hard-wired accelerator chips or by optional version-specific internal accelerator cards that are installed by the factory or reseller prior to delivery to the end-user. The IP380 and IP385 module hardware versions support an optional enhanced accelerator card in addition to a hard-wired, internal accelerator chip. If the optional accelerator card is installed, the hardwired chip is electrically bypassed. Accelerator chips differ only in performance. The module operating system automatically senses the accelerator chip at power on and performs power on self tests on all the functions provided by the appropriate accelerator chip as well as self-tests for all firmware-based cryptographic functions. Note that accelerated DES and 1 key Triple DES are non-compliant with FIPS 140-2. To remain in FIPS mode, only the FIPS approved Triple-DES and AES should be chosen as the VPN encryption algorithm. © Copyright 2005, 2006, 2007 Nokia Page 17 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
purpose operating system nor do they provide a mechanism to load
software.
The module operator interacts with the module through
customized interfaces that provide only specific command options.
2.8
Cryptographic Key Management
Cryptographic algorithms are implemented in firmware by IPSO and
Check Point VPN-1 and in hardware by the encryption accelerators.
The IPSO operating system provides the capability to use SSHv1 or
SSHv2 to secure the remote CLI management sessions. The implemented
FIPS-approved algorithms include RSA (SSHv1 and SSHv2) and DSA
(SSHv2) for authentication, Triple-DES for data encryption, SHA-1 for data
hashing, and HMAC SHA-1 for data packet integrity. Key establishment is
performed by using the RSA key transport for SSHv1 and the Diffie-
Hellman key agreement for SSHv2.
Check Point provides the capability to use TLSv1 to secure management
sessions. The implemented FIPS-approved algorithms include RSA for
authentication; DES, Triple-DES, and AES for data encryption; SHA-1 for
data hashing; and HMAC SHA-1 for data packet integrity. Key
establishment is performed by using RSA key wrapping. The embedded
Check Point application supports IPSec/ESP for data encryption and
IPSec/AH for data integrity. The Check Point module implements all IKE
modes: main, aggressive, and quick, using ISAKMP according to the
standard.
IKE uses RSA signatures or pre-shared keys for authentication.
Key establishment in IKE is performed by using the Diffie-Hellman key
agreement technique.
Enhanced VPN performance is achieved by accelerating DES, AES,
Triple-DES, and Diffie-Hellman modular exponentiation processing
implemented by the Check Point firmware. Hardware acceleration is
accomplished either by hard-wired accelerator chips or by optional
version-specific internal accelerator cards that are installed by the factory
or reseller prior to delivery to the end-user. The IP380 and IP385 module
hardware versions support an optional enhanced accelerator card in
addition to a hard-wired, internal accelerator chip. If the optional
accelerator card is installed, the hardwired chip is electrically bypassed.
Accelerator chips differ only in performance.
The module operating
system automatically senses the accelerator chip at power on and
performs power on self tests on all the functions provided by the
appropriate accelerator chip as well as self-tests for all firmware-based
cryptographic functions.
Note that accelerated DES and 1 key Triple DES are non-compliant with
FIPS 140-2. To remain in FIPS mode, only the FIPS approved Triple-DES
and AES should be chosen as the VPN encryption algorithm.
© Copyright 2005, 2006, 2007
Nokia
Page 17 of 43
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.