Nokia IP265 Security Guide - Page 23


CSPs: Passwords (via IPSO)
  Note: SNMP is supported in IPSO v3.9 only
CSPs type: Six-character password (SNMPv3 requires at least eight characters)
Generation: External
Storage: Stored in plaintext on disk
Use: Authentication for accessing the management interfaces (CLI and SNMPv3); boot manager authentication; RADIUS authentication; TACPLUS authentication

Note:
1. Only 1024-bit keys, or higher, should be used for RSA in FIPS mode. 1024-bit RSA keys provide 80-bit equivalent security as calculated by IG7.5.
2. Only 1024-bit public keys and 160-bit private keys, or higher, should be used for DSA and Diffie-Hellman in FIPS mode. 1024/160-bit DSA and Diffie-Hellman keys provide 80-bit equivalent security as calculated by IG7.5.
3. DES must not be used in FIPS mode.
2.8.1 Key Generation

The only keys that can be generated by the modules are RSA public and private keys for SSHv1 and SSHv2, and DSA public and private keys for SSHv2. The FIPS-approved X9.31 PRNG is used to generate these keys.
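The X9.31 PRNG named above, shown as an added illustration that is not code from the Nokia module or this guide: the ANSI X9.31 Appendix A.2.4 generator with AES-128 as the block cipher E_K, following NIST's X9.31 RNG recommendation. The key K, seed V and starting DT are constructed sample values; this generator has since been withdrawn from the FIPS-approved list, so the code only makes the mechanism on this page concrete.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// X931 is the ANSI X9.31 Appendix A.2.4 PRNG with AES-128 as E_K; K is fixed, V and DT are rewritten each block.
type X931 struct {
	block cipher.Block
	v, dt [16]byte // seed V and date/time vector DT
}

// NewX931 takes a 16-byte key K, 16-byte seed V and 16-byte starting DT (all supplied by the caller).
func NewX931(key, seed, dt []byte) (*X931, error) {
	if len(key) != 16 || len(seed) != 16 || len(dt) != 16 {
		return nil, fmt.Errorf("x931: key, seed and DT must each be 16 bytes")
	}
	b, _ := aes.NewCipher(key) // cannot fail: the key length was checked above
	g := &X931{block: b}
	copy(g.v[:], seed)
	copy(g.dt[:], dt)
	return g, nil
}

// NextBlock is one X9.31 step: I = E_K(DT); R = E_K(I XOR V); V = E_K(R XOR I); DT = DT + 1.
func (g *X931) NextBlock() [16]byte {
	var i, r [16]byte
	g.block.Encrypt(i[:], g.dt[:])
	for k := range i {
		g.v[k] ^= i[k] // V now holds I XOR V
	}
	g.block.Encrypt(r[:], g.v[:])
	for k := range i {
		i[k] ^= r[k] // I now holds R XOR I
	}
	g.block.Encrypt(g.v[:], i[:]) // new V for the next block
	for k := 15; k >= 0; k-- { // big-endian increment of DT with carry
		if g.dt[k]++; g.dt[k] != 0 {
			break
		}
	}
	return r
}

func main() {
	g, _ := NewX931([]byte("constructed-k-16"), []byte("constructed-v-16"), []byte("constructed-dt16")) // constructed demo inputs
	fmt.Printf("%x\n%x\n", g.NextBlock(), g.NextBlock())
}
```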
2.8.2 Key Establishment

The modules implement IKE, SSH, and the TLS handshake for automatic key establishment. Two types of key establishment techniques are employed by the modules: the Diffie-Hellman key agreement and the RSA key wrapping. The Diffie-Hellman key agreement establishes shared secrets during SSHv2 and IKE. The RSA key wrapping/key transport generates shared secrets during SSHv1 and TLS.
2.8.3 Key Entry and Output

All private and secret keys entered into the module are electronically entered. No private or secret keys are output from the module.
2.8.4 Key Storage

All RSA (except the server key) and DSA keys, pre-shared keys, and passwords are stored in plaintext on disk. The TLS session keys and the gathered entropy for the Check Point PRNG keys are cached to disk. All other keys are ephemeral keys and are stored in plaintext in memory.
2.8.5 Key Zeroization

Ephemeral keys can be zeroized by rebooting. All other keys can be zeroized by overwriting or deleting them.
© Copyright 2005, 2006, 2007 Nokia. Page 23 of 43. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.