Cisco 7609-S User Guide - Page 9

Services &amp, Access, Description, Keys & CSPs

Get Cisco 7609-S PDF manuals and user guides View all Cisco 7609-S manuals
Add to My Manuals
Save this manual to your list of manuals

Page 9 highlights

2.3.1 Authentication The module provides password based and digital signature based authentication. Crypto Officers are always authenticated using passwords whereas a User can be authenticated either via a password or digital signature. a. Password based Authentication The security policy stipulates that all user passwords and shared secrets must be 8 alphanumeric characters, so the password space is 2.8 trillion possible passwords. The possibility of randomly guessing a password is thus far less than one in one million. To exceed a one in 100,000 probability of a successful random password guess in one minute, an attacker would have to be capable of 28 million password attempts per minute, which far exceeds the operational capabilities of the module to support. b. Digital signature based Authentication When using RSA based authentication, RSA key pair has modulus size of 1024 bit to 2048 bit, thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 280 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.8x1021 attempts per minute, which far exceeds the operational capabilities of the modules to support. 2.3.2 Services a. User Services Users can access the system via the console port with a terminal program or SSH session to an Ethernet port. The IOS prompts the User for username and password. If the password is correct, the User is allowed entry to the IOS executive program. In addition to username/password combination, RSA digital certificates can be used to authenticate the user over the SSH session. The services available to the User role consist of the following: Services & Access Status Functions (r, x) Description View state of interfaces and protocols, version of IOS currently running. Keys & CSPs User password Network Connect to other network devices DRBG seed, DRBG V, DH © Copyright 2011 Cisco Systems, Inc. 9 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
© Copyright 2011 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
9
2.3.1
Authentication
The module provides password based and digital signature based authentication. Crypto Officers
are always authenticated using passwords whereas a User can be authenticated either via a
password or digital signature.
a.
Password based Authentication
The security policy stipulates that all user passwords and shared secrets must be 8 alphanumeric
characters, so the password space is 2.8 trillion possible passwords. The possibility of randomly
guessing a password is thus far less than one in one million. To exceed a one in 100,000
probability of a successful random password guess in one minute, an attacker would have to be
capable of 28 million password attempts per minute, which far exceeds the operational
capabilities of the module to support.
b. Digital signature based Authentication
When using RSA based authentication, RSA key pair has modulus size of 1024 bit to 2048 bit,
thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an
attacker would have a 1 in 2
80
chance of randomly obtaining the key, which is much stronger
than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability
of a successful random key guess in one minute, an attacker would have to be capable of
approximately 1.8x10
21
attempts per minute, which far exceeds the operational capabilities of the
modules to support.
2.3.2
Services
a. User Services
Users can access the system via the console port with a terminal program or SSH session to an
Ethernet port.
The IOS prompts the User for username and password.
If the password is correct,
the User is allowed entry to the IOS executive program. In addition to username/password
combination, RSA digital certificates can be used to authenticate the user over the SSH session.
The services available to the User role consist of the following:
Services &
Access
Description
Keys & CSPs
Status Functions
(r, x)
View state of interfaces and protocols,
version of IOS currently running.
User password
Network
Connect to other network devices
DRBG seed, DRBG V, DH