Cisco 2620 User Guide - Page 16

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy, OL-6262-01, page 16
The 2621XM/2651XM Router

The module supports three types of key management schemes:

• Manual key exchange method that is symmetric. DES/3DES/AES key and HMAC-SHA-1 key are exchanged manually and entered electronically.
• Internet Key Exchange method with support for exchanging pre-shared keys manually and entering them electronically.
  - The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive DES, 3DES or AES keys.
  - The pre-shared key is also used to derive the HMAC-SHA-1 key.
• Internet Key Exchange with RSA-signature authentication.

All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE protocol.

Key Zeroization:

All of the keys and CSPs of the module can be zeroized. Please refer to the Description column of Table 4 for information on methods to zeroize each key and CSP.

Self-Tests

In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to ensure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. If any of the self-tests fail, the router transitions into an error state. Within the error state, all secure data transmission is halted and the router outputs status information indicating the failure.

Note: After the router recovers from failure of a power-up self-test performed by the AIM-VPN/EP, the router only allows plaintext traffic to pass through and no encrypted traffic is allowed.

Self-tests performed by the IOS image:

• Power-up tests
  - Firmware integrity test
  - RSA signature KAT (both signature and verification)
  - DES KAT
  - TDES KAT
  - AES KAT
  - SHA-1 KAT
  - PRNG KAT
  - Power-up bypass test
  - Diffie-Hellman self-test
  - HMAC SHA-1 KAT
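As an added illustration, not code from the Cisco security policy or from IOS, the following Python model shows how a FIPS 140-2 style power-up sequence works: each known-answer test (KAT) compares a primitive's output against a fixed published vector, a firmware integrity check compares the image digest against a reference, and a single failure moves the module into an error state in which secure services are refused and only the failure status is reported. The SHA-1 and HMAC-SHA-1 vectors are the public FIPS 180 and RFC 2202 examples; the firmware image bytes and the module class are constructed for this example.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Public known-answer vectors: SHA-1("abc") from FIPS 180, HMAC-SHA-1 from RFC 2202 case 1.
SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_KAT = (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00")

# Constructed stand-in for the IOS image and its reference digest (assumption, not a real image).
FIRMWARE_IMAGE = b"constructed-ios-image-bytes"
FIRMWARE_DIGEST = hashlib.sha1(FIRMWARE_IMAGE).hexdigest()


def sha1_kat() -> bool:
    msg, expected = SHA1_KAT
    return hmac.compare_digest(hashlib.sha1(msg).hexdigest(), expected)


def hmac_sha1_kat() -> bool:
    key, msg, expected = HMAC_KAT
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha1).hexdigest(), expected)


def firmware_integrity_test(image: bytes = FIRMWARE_IMAGE) -> bool:
    # Integrity test: digest of the loaded image must match the stored reference.
    return hmac.compare_digest(hashlib.sha1(image).hexdigest(), FIRMWARE_DIGEST)


class CryptoModule:
    """Hypothetical module: runs power-up self-tests, refuses secure services on failure."""

    def __init__(self, tests: Optional[Dict[str, Callable[[], bool]]] = None):
        self.tests = tests or {"firmware integrity": firmware_integrity_test,
                               "SHA-1 KAT": sha1_kat, "HMAC-SHA-1 KAT": hmac_sha1_kat}
        self.state = "POWER_UP"
        self.failed: List[str] = []

    def power_up(self) -> str:
        # Every test runs; any failure is recorded and forces the ERROR state.
        self.failed = [name for name, test in self.tests.items() if not test()]
        self.state = "ERROR" if self.failed else "OPERATIONAL"
        return self.state

    def status(self) -> str:
        return "self-test failure: " + ", ".join(self.failed) if self.state == "ERROR" else self.state

    def protect(self, key: bytes, data: bytes) -> bytes:
        # Secure data services are halted outside the operational state.
        if self.state != "OPERATIONAL":
            raise RuntimeError(self.status())
        return hmac.new(key, data, hashlib.sha1).digest()
```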