Nokia IP265 Security Guide - Page 17
Cryptographic Key Management
purpose operating system nor do they provide a mechanism to load software. The module operator interacts with the module through customized interfaces that provide only specific command options.

2.8 Cryptographic Key Management

Cryptographic algorithms are implemented in firmware by IPSO and Check Point VPN-1 and in hardware by the encryption accelerators.

The IPSO operating system provides the capability to use SSHv1 or SSHv2 to secure the remote CLI management sessions. The implemented FIPS-approved algorithms include RSA (SSHv1 and SSHv2) and DSA (SSHv2) for authentication, Triple-DES for data encryption, SHA-1 for data hashing, and HMAC SHA-1 for data packet integrity. Key establishment is performed by using the RSA key transport for SSHv1 and the Diffie-Hellman key agreement for SSHv2.

Check Point provides the capability to use TLSv1 to secure management sessions. The implemented FIPS-approved algorithms include RSA for authentication; DES, Triple-DES, and AES for data encryption; SHA-1 for data hashing; and HMAC SHA-1 for data packet integrity. Key establishment is performed by using RSA key wrapping.

The embedded Check Point application supports IPSec/ESP for data encryption and IPSec/AH for data integrity. The Check Point module implements all IKE modes: main, aggressive, and quick, using ISAKMP according to the standard. IKE uses RSA signatures or pre-shared keys for authentication. Key establishment in IKE is performed by using the Diffie-Hellman key agreement technique.

Enhanced VPN performance is achieved by accelerating DES, AES, Triple-DES, and Diffie-Hellman modular exponentiation processing implemented by the Check Point firmware. Hardware acceleration is accomplished either by hard-wired accelerator chips or by optional version-specific internal accelerator cards that are installed by the factory or reseller prior to delivery to the end-user.

The IP380 and IP385 module hardware versions support an optional enhanced accelerator card in addition to a hard-wired, internal accelerator chip. If the optional accelerator card is installed, the hardwired chip is electrically bypassed. Accelerator chips differ only in performance. The module operating system automatically senses the accelerator chip at power on and performs power on self tests on all the functions provided by the appropriate accelerator chip as well as self-tests for all firmware-based cryptographic functions.

Note that accelerated DES and 1 key Triple DES are non-compliant with FIPS 140-2. To remain in FIPS mode, only the FIPS approved Triple-DES and AES should be chosen as the VPN encryption algorithm.

© Copyright 2005, 2006, 2007 Nokia Page 17 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
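The note on 1 key Triple DES can be checked mechanically when key bundles are available for audit. The following is an added example, not part of the Nokia document or of IPSO/Check Point code: it classifies a Triple-DES key bundle by keying option and flags bundles that reduce to single DES. The function names and the sample keys are hypothetical and constructed for illustration.

```python
# Added example: classify Triple-DES key bundles (EDE: E_K3(D_K2(E_K1(x)))).
# DES ignores the low (parity) bit of every key byte, so two subkeys that
# differ only in parity bits are the same key to the cipher.

def _effective(subkey: bytes) -> bytes:
    """Return the 56 effective key bits with parity bits masked out."""
    return bytes(b & 0xFE for b in subkey)

def classify_tdes_key(bundle: bytes) -> str:
    """Return '1-key', '2-key' or '3-key' for a 16- or 24-byte bundle."""
    if len(bundle) == 16:            # K1 || K2, with K3 = K1 implied
        bundle = bundle + bundle[:8]
    if len(bundle) != 24:
        raise ValueError("Triple-DES key bundle must be 16 or 24 bytes")
    k1, k2, k3 = (_effective(bundle[i:i + 8]) for i in (0, 8, 16))
    # K1 == K2 cancels the first two stages; K2 == K3 cancels the last two.
    # Either way one DES operation remains, so strength is single DES.
    if k1 == k2 or k2 == k3:
        return "1-key"
    if k1 == k3:
        return "2-key"
    return "3-key"

def audit(bundles: dict) -> dict:
    """Map each named bundle to (keying kind, reduces_to_single_des)."""
    result = {}
    for name, bundle in bundles.items():
        kind = classify_tdes_key(bundle)
        result[name] = (kind, kind == "1-key")
    return result

# Constructed sample subkeys (not real key material).
K1 = bytes.fromhex("0123456789abcdef")
K2 = bytes.fromhex("fedcba9876543210")
K3 = bytes.fromhex("89abcdef01234567")
K1_PARITY_FLIPPED = bytes(b ^ 0x01 for b in K1)  # same key to DES

SAMPLES = {
    "three-distinct": K1 + K2 + K3,
    "k1-equals-k3": K1 + K2 + K1,
    "all-equal": K1 + K1 + K1,
    "parity-disguised": K1 + K1_PARITY_FLIPPED + K3,
}

if __name__ == "__main__":
    for name, (kind, weak) in audit(SAMPLES).items():
        print(f"{name}: {kind}{' (single-DES equivalent)' if weak else ''}")
```

The parity-disguised case shows why a byte-for-byte comparison of subkeys is not enough: the bundle looks like three different keys but encrypts as single DES.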