Nokia IP265 Security Guide - Page 42
APPENDIX B - ALGORITHM VALIDATION CERTIFICATE NUMBERS

The module supports several independent implementations of the same FIPS-Approved algorithms. The following table lists the certificate numbers for the validated FIPS-approved algorithms implemented in IPSO, the Check Point VPN-1 firmware, and the cryptographic accelerator chips. Accelerator cards (when used) accelerate the Check Point firmware DES, Triple-DES, or AES VPN functions as indicated. Accelerated DES and 1 key Triple DES are noncompliant. To remain in the FIPS Approved mode, only the FIPS approved Triple-DES and AES encryption algorithms should be used.

                          AES    DES(1)  3DES(2)  HMAC   SHS    DSA    RSA    RNG
Nokia Firmware
  IPSO 3.9, IPSO 4.1      N/A N/A #465 #207 #508 #181 #204 #166 #215 #229
Check Point Firmware
  NGX (R60) w/HFA-03      #442   #314    #466     #208   #509   N/A    #167   #201
Cryptographic Accelerator Chips
  IP260, IP265            #226   #297    #317     #19    #291   N/A    N/A    N/A
  IP1220, IP1260          #91    --      #204     #203   #500   N/A    N/A    N/A

Key Establishment Methodologies:

The following key establishment (Key Agreement or Key Wrapping) methodologies are employed by the module. The relative encryption strengths provided by the mechanisms described are calculated in accordance with FIPS 140-2 Implementation Guidance 7.5 and NIST Special Publication 800-57.

Diffie-Hellman Key Agreement:
• NGX (R60): provides between 70 and 128 bits of encryption strength
• IPSO (3.9): provides between 57 and 112 bits of encryption strength

RSA Key Wrapping:
• SSHv1: provides between 57 and 80 bits of encryption strength (the default selection is 70 bits of strength)
• SSHv2: provides between 80 and 112 bits of encryption strength
• TLS: provides 80 bits of encryption strength

Note that only methodologies providing 80 or more bits of encryption strength are FIPS Approved. Sections 3.1.5 and 3.1.6 include instructions for configuring the module into approved mode.

(1) DES is a non-FIPS Approved algorithm (not to be used in FIPS mode) and should not be selected for use. See Section 3.1.6 for configuration instructions.
(2) 1 Key 3DES is non-compliant (not to be used in FIPS mode) and should not be selected for use. See Section 3.1.6 for configuration instructions.

© Copyright 2005, 2006, 2007 Nokia
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
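The 80-bit rule in the Key Establishment Methodologies section can be checked mechanically. The following is an added example, not part of the Nokia document: it applies the modulus-length strength estimate from FIPS 140-2 IG 7.5 and classifies the ranges listed above. The modulus sizes (512, 768, 1024, 2048 bits) are assumptions chosen for illustration; the guide does not state key sizes.

```python
import math

FIPS_MIN_BITS = 80  # threshold stated in the guide's note

def ig75_strength_bits(modulus_bits: int) -> int:
    """Estimated strength of an RSA/DH modulus, IG 7.5 formula, rounded."""
    x = modulus_bits * math.log(2)
    est = (1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69) / math.log(2)
    # Round before comparing: 1024 bits evaluates to 79.9999..., i.e. 80.
    return round(est)

# Strength ranges exactly as listed in the guide: (low, high) in bits.
PAGE_RANGES = {
    "DH / NGX (R60)": (70, 128),
    "DH / IPSO (3.9)": (57, 112),
    "RSA wrap / SSHv1": (57, 80),
    "RSA wrap / SSHv2": (80, 112),
    "RSA wrap / TLS": (80, 80),
}

def classify(low: int, high: int) -> str:
    """Say whether a configurable range stays at or above the 80-bit floor."""
    if low >= FIPS_MIN_BITS:
        return "approved at every setting"
    if high >= FIPS_MIN_BITS:
        return "approved only at the stronger settings"
    return "not approved"

def audit(ranges=PAGE_RANGES):
    return {name: classify(lo, hi) for name, (lo, hi) in ranges.items()}

def min_approved_modulus(candidates=(512, 768, 1024, 2048)):
    """Smallest assumed modulus size that reaches the 80-bit floor."""
    return min(b for b in candidates if ig75_strength_bits(b) >= FIPS_MIN_BITS)

if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):  # assumed sizes, not from the guide
        s = ig75_strength_bits(bits)
        print(f"{bits:5d}-bit modulus ~ {s:3d} bits  approved={s >= FIPS_MIN_BITS}")
    for name, verdict in audit().items():
        print(f"{name:18s} {verdict}")
```

The formula gives 110 bits for a 2048-bit modulus, while SP 800-57 tabulates that size as 112 bits, which is the figure the guide quotes.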