Cisco 2620 User Guide - Page 11

Table 4, Critical Security Parameters continued - flash

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, OL-6262-01, page 11

The 2621XM/2651XM Router

Table 4 Critical Security Parameters (continued)

| # | Name | Description and zeroization | Storage |
|---|------|-----------------------------|---------|
| 4 | CSP 4 | Same as above. | DRAM (plaintext) |
| 5 | CSP 5 | Same as above. | DRAM (plaintext) |
| 6 | CSP 6 | Same as above. | DRAM (plaintext) |
| 7 | CSP 7 | The IKE session encrypt key. The zeroization is the same as above. | DRAM (plaintext) |
| 8 | CSP 8 | The IKE session authentication key. The zeroization is the same as above. | DRAM (plaintext) |
| 9 | CSP 9 | The RSA private key. The "crypto key zeroize" command zeroizes this key. | NVRAM (plaintext) |
| 10 | CSP 10 | The key used to generate the IKE skeyid during preshared-key authentication. The "no crypto isakmp key" command zeroizes it. This key can have two forms, depending on whether the key is tied to the hostname or to the IP address. | NVRAM (plaintext) |
| 11 | CSP 11 | This key generates keys 3, 4, 5 and 6. It is zeroized after generating those keys. | DRAM (plaintext) |
| 12 | CSP 12 | The RSA public key used to validate signatures within IKE. These keys expire either when the CRL (certificate revocation list) expires or 5 seconds after it if no CRL exists. After that expiration and before a new public key structure is created, this key is deleted. This key does not need to be zeroized because it is a public key; however, it is zeroized as described here. | DRAM (plaintext) |
| 13 | CSP 13 | The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. | NVRAM (plaintext) |
| 14 | CSP 14 | The IPSec encryption key. Zeroized when the IPSec session is terminated. | DRAM (plaintext) |
| 15 | CSP 15 | The IPSec authentication key. The zeroization is the same as above. | DRAM (plaintext) |
| 16 | CSP 16 | The RSA public key of the CA. The "no crypto ca trust <label>" command invalidates the key and frees the public key label, which in essence prevents use of the key. This key does not need to be zeroized because it is a public key. | NVRAM (plaintext) |
| 17 | CSP 17 | The public key of the DNS server. Zeroized using the same mechanism as above: the "no crypto ca trust <label>" command invalidates the DNS server's public key and frees the public key label, which in essence prevents use of that key. This label is different from the label of the key above. This key does not need to be zeroized because it is a public key. | NVRAM (plaintext) |

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, OL-6262-01, 11
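The zeroization commands that Table 4 names, arranged as one operator session on the router CLI so that each command is tied to the CSP numbers it clears. This is an added example, not text or configuration from the security policy; the key string, peer address, hostname and trustpoint labels are placeholders, and the "clear crypto ..." and "show crypto ..." commands used to end sessions and verify the result are assumptions not taken from the page.

```ios
! Added example: zeroizing the CSPs of Table 4 from the IOS CLI.
! Assumptions (not on this page): PRESHARED-KEY-PLACEHOLDER, 192.0.2.1,
! peer.example.net, CA-LABEL-PLACEHOLDER, DNS-LABEL-PLACEHOLDER, and the
! clear/show commands used to terminate sessions and confirm removal.

! CSP 7, 8 (IKE session keys) and CSP 14, 15 (IPSec session keys) live in
! DRAM and are zeroized when the sessions are torn down; clearing the
! security associations terminates them.
Router# clear crypto ipsec sa
Router# clear crypto isakmp
Router# show crypto isakmp sa
Router# show crypto ipsec sa

Router# configure terminal

! CSP 9: the RSA private key in NVRAM ("crypto key zeroize").
! The command asks for confirmation before removing the keys.
Router(config)# crypto key zeroize rsa

! CSP 10: the ISAKMP preshared key, in whichever of its two forms
! (address-based or hostname-based) is configured.
Router(config)# no crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 192.0.2.1
Router(config)# no crypto isakmp key PRESHARED-KEY-PLACEHOLDER hostname peer.example.net

! CSP 16 and CSP 17: the CA public key and the DNS server public key,
! each invalidated through its own trustpoint label.
Router(config)# no crypto ca trust CA-LABEL-PLACEHOLDER
Router(config)# no crypto ca trust DNS-LABEL-PLACEHOLDER
Router(config)# end

! Verify: no RSA key pair, no isakmp key or trustpoint left in the config.
Router# show crypto key mypubkey rsa
Router# show running-config | include crypto

! The preshared key and trustpoints are part of the configuration, so the
! startup configuration in NVRAM must be rewritten for their copies to go.
Router# copy running-config startup-config
```

The last step matters for the NVRAM-resident entries (CSP 10, 16, 17): removing them from the running configuration alone leaves the saved startup configuration untouched.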

