Nokia IP265 Security Guide - Page 42

A

PPENDIX

B

–

A

LGORITHM

V

ALIDATION

C

ERTIFICATE

N

UMBERS

The module supports several independent implementations of the same FIPS-

Approved algorithms. The following table lists the certificate numbers for the

validated FIPS-approved algorithms implemented in IPSO, the Check Point

VPN-1 firmware, and the cryptographic accelerator chips. Accelerator cards

(when used) accelerate the Check Point firmware DES, Triple-DES, or AES VPN

functions as indicated. Accelerated DES and 1 key Triple DES are non-

compliant. To remain in the FIPS Approved mode, only the FIPS approved

Triple-DES and AES encryption algorithms should be used.

Nokia

Firmware

Check Point

Firmware

Cryptographic

Accelerator Chips

IPSO

3.9

IPSO

4.1

NGX (R60)

w/

HFA-03

IP260

IP265

IP1220

IP1260

AES

N/A

#442

#226

#91

DES

1

N/A

#314

#297

---

3DES

2

#465

#466

#317

#204

HMAC

#207

#208

#19

#203

SHS

#508

#509

#291

#500

DSA

#181

#204

N/A

N/A

N/A

RSA

#166

#215

#167

N/A

N/A

RNG

#229

#201

N/A

N/A

Key Establishment Methodologies:

The following key establishment (Key Agreement or Key Wrapping) methodologies are

employed by the module. The relative encryption strengths provided by the mechanisms

described are calculated in accordance with FIPS 140-2 Implementation Guidance 7.5

and NIST Special Publication 800-57.

Diffie-Hellman Key Agreement:

•

NGX (R60):

provides between 70 and 128 bits of encryption strength

•

IPSO (3.9):


RSA Key Wrapping:

•

SSHv1:


(the

default selection

is 70 bits of strength)

•

SSHv2:


•

TLS:

provides 80 bits of encryption strength

Note that only methodologies providing 80 or more bits of encryption strength are FIPS

Approved. Sections 3.1.5 and 3.1.6 include instructions for configuring the module into

approved mode.

1

DES is a non-FIPS Approved algorithm (not to be used in FIPS mode) and should not be selected for use. See

Section 3.1.6 for configuration instructions.

© Copyright 2005, 2006, 2007

Nokia

Page 42 of 43

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

2

1 Key 3DES is non-compliant (not to be used in FIPS mode) and should not be selected for use. See Section 3.1.6

for configuration instructions.

Section	Page
Introduction	3
Purpose	3
References	3
Nokia VPN Appliance	4
Overview	4
Cryptographic Module	5
Module Interfaces	7
Roles and Services	8
Crypto Officer Role	8
User Role	13
Authentication Mechanisms	13
Crypto Officer Authentication	14
User Authentication	15
Estimated Strength of the Authentication Mechanisms	15
Electromechanical Interference/Compatibility (FCC Compliance)	16
Physical Security	16
Operational Environment	16
Cryptographic Key Management	17
Key Generation	23
Key Establishment	23
Key Entry and Output	23
Key Storage	23
Key Zeroization	23
Self-Tests	24
Design Assurance	25
Mitigation of Other Attacks	25
Secure Operation (Approved Mode)	26
Crypto Officer Guidance	26
Hardware Setup	26
Applying the Tamper-Evident Seal(s)	26
Module Initialization	28
Installing, Upgrading or Downgrading the Module Firmware	28
SCENARIO 1 – Upgrade Check Point VPN-1 module to	29
SCENARIO 2 – Upgrade both the IPSO and Check Poin	30
Initializing Check Point Modules	31
Setting the Module to FIPS Mode	32
Initializing the Remote Management of the Module	32
Management and Monitoring	33
User Guidance	39
APPENDIX A – Disabled Mechanisms	41
Appendix B – Algorithm Validation Certificate Num	42

Nokia IP265 Security Guide - Page 42

Key Establishment Methodologies

Page 42 highlights