Nokia IP265 Security Guide - Page 23
CSPs: Passwords (via IPSO). Note: SNMP is supported in IPSO v3.9 only
CSPs type: Six-character password (SNMPv3 requires at least eight characters)
Generation: External
Storage: Stored in plaintext on disk
Use: Authentication for accessing the management interfaces (CLI and SNMPv3); boot manager authentication; RADIUS authentication; TACPLUS authentication

Note:
1. Only 1024-bit keys, or higher, should be used for RSA in FIPS mode. 1024-bit RSA keys provide 80-bit equivalent security as calculated by IG7.5.
2. Only 1024-bit public keys and 160-bit private keys, or higher, should be used for DSA and Diffie-Hellman in FIPS mode. 1024/160-bit DSA and Diffie-Hellman keys provide 80-bit equivalent security as calculated by IG7.5.
3. DES must not be used in FIPS mode.

2.8.1 Key Generation
The only keys that can be generated by the modules are RSA public and private keys for SSHv1 and SSHv2, and DSA public and private keys for SSHv2. The FIPS-approved X9.31 PRNG is used to generate these keys.

2.8.2 Key Establishment
The modules implement IKE, SSH, and the TLS handshake for automatic key establishment. Two types of key establishment techniques are employed by the modules: the Diffie-Hellman key agreement and the RSA key wrapping. The Diffie-Hellman key agreement establishes shared secrets during SSHv2 and IKE. The RSA key wrapping/key transport generates shared secrets during SSHv1 and TLS.

2.8.3 Key Entry and Output
All private and secret keys entered into the module are electronically entered. No private or secret keys are output from the module.

2.8.4 Key Storage
All RSA (except the server key) and DSA keys, pre-shared keys, and passwords are stored in plaintext on disk. The TLS session keys and the gathered entropy for the Check Point PRNG keys are cached to disk. All other keys are ephemeral keys and are stored in plaintext in memory.

2.8.5 Key Zeroization
Ephemeral keys can be zeroized by rebooting. All other keys can be zeroized by overwriting or deleting them.
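The minimum key sizes in notes 1 and 2 above can be checked mechanically against SSHv2 public keys. The Python below is an added example, not part of the Nokia guide or of IPSO; it assumes the keys have been exported as one-line OpenSSH public keys (the RFC 4253 "ssh-rsa" and "ssh-dss" encodings), and all function names and sample values are constructed for illustration.

```python
import base64

# Minimum sizes taken from notes 1 and 2 on this page (FIPS mode).
MIN_RSA_N_BITS = 1024
MIN_DSA_P_BITS = 1024
MIN_DSA_Q_BITS = 160

def wire_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")
        field = blob[off + 4:off + 4 + size]
        if off + 4 > len(blob) or len(field) != size:
            raise ValueError("truncated field")
        fields.append(field)
        off += 4 + size
    return fields

def bits(mpint):  # bit length of a non-negative SSH mpint
    return int.from_bytes(mpint, "big").bit_length()

def check_public_key(line):
    """Return (key_type, meets_minimum, detail) for one public-key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    f = wire_fields(base64.b64decode(parts[1], validate=True))
    ktype = f[0].decode("ascii") if f else ""
    if ktype == "ssh-rsa" and len(f) == 3:      # type, e, n
        n = bits(f[2])
        return ktype, n >= MIN_RSA_N_BITS, f"modulus {n} bits"
    if ktype == "ssh-dss" and len(f) == 5:      # type, p, q, g, y
        p, q = bits(f[1]), bits(f[2])
        ok = p >= MIN_DSA_P_BITS and q >= MIN_DSA_Q_BITS
        return ktype, ok, f"p {p} bits, q {q} bits"
    return ktype, False, "key type or layout not covered by this check"

def make_sample_line(ktype, *ints):
    """Encode constructed integers as a key line (sample data, not a usable key)."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    blob = s(ktype.encode()) + b"".join(
        s(i.to_bytes(i.bit_length() // 8 + 1, "big")) for i in ints)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed-sample"

if __name__ == "__main__":
    weak = make_sample_line("ssh-rsa", 65537, (1 << 767) | 1)
    print(check_public_key(weak))
```

SSHv1 RSA keys use a different file layout and are reported by this check as not covered.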
© Copyright 2005, 2006, 2007 Nokia Page 23 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.