Nokia IP265 Security Guide - Page 16

Electromechanical Interference/Compatibility FCC Compliance, Physical Security, Operational

Get Nokia IP265 - Security Appliance PDF manuals and user guides View all Nokia IP265 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 16 highlights

Authentication Type RSA-based authentication (IKE) Pre-shared key-based authentication (IKE) Password-based authentication Strength RSA signing and verification is used to authenticate to the module during IKE. This mechanism is as strong as the RSA algorithm using a 1024 bit key pair. Pre-shared keys must be at least six characters long and use at least four different characters. Even if only uppercase letters were used without repetition for a six character preshared key, the probability of randomly guessing the correct sequence is one in 165,765,600. HMAC SHA-1 verification is used for additional data packet integrity during IKE negotiations with pre-shared keys. Passwords are required to be at least six characters long. Numeric, alphabetic (upper and lowercase), and keyboard and extended characters can be used, which gives a total of 95 characters to choose from. Considering only the caseinsensitive alphabet using a password with repetition, the number of potential passwords is 26^6. Table 5 - Estimated Strength of Authentication Mechanisms 2.5 Electromechanical Interference/Compatibility (FCC Compliance) Each module hardware configuration was tested and found compliant with requirements for a Class A digital device, pursuant to Part 15 of the FCC rules and thus the FIPS 140-2 Level 2 EMI/EMC requirements. 2.6 Physical Security The Nokia VPN Appliances are multi-chip, standalone cryptographic modules. The modules are entirely contained within their respective hard metal enclosure. The enclosures are resistant to probing and are opaque within the visible spectrum. The front and side vent holes of all enclosures are baffled from the inside using lance wall inserts to prevent direct viewing of the module's interior components. Rear vent holes are likewise obscured by internal fan or power supply components. Serially numbered tamper-evident seals provide additional protection to those parts of the module chassis that can be opened or disassembled. The seals provide indications of attempts to tamper with the modules. The tamper-evident seals are affixed to the module by the Crypto Officer in numbers and locations that vary depending on the module hardware version. Specific quantities and locations are described in Section 3.1 "Crypto Officer Guidance" of this document. 2.7 Operational Environment The FIPS 140-2 operational environment requirements do not apply to these modules. The Nokia VPN Appliances do not provide a general© Copyright 2005, 2006, 2007 Nokia Page 16 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
Authentication
Type
Strength
RSA-based
authentication (IKE)
RSA signing and verification is used to authenticate to the
module during IKE. This mechanism is as strong as the RSA
algorithm using a 1024 bit key pair.
Pre-shared key-based
authentication (IKE)
Pre-shared keys must be at least six characters long and use
at least four different characters. Even if only uppercase
letters were used without repetition for a six character pre-
shared key, the probability of randomly guessing the correct
sequence is one in 165,765,600. HMAC SHA-1 verification is
used for additional data packet integrity during IKE
negotiations with pre-shared keys.
Password-based
authentication
Passwords are required to be at least six characters long.
Numeric, alphabetic (upper and lowercase), and keyboard
and extended characters can be used, which gives a total of
95 characters to choose from.
Considering only the case-
insensitive alphabet using a password with repetition, the
number of potential passwords is 26^6.
Table 5 – Estimated Strength of Authentication Mechanisms
2.5
Electromechanical Interference/Compatibility (FCC Compliance)
Each module hardware configuration was tested and found compliant with
requirements for a Class A digital device, pursuant to Part 15 of the FCC
rules and thus the FIPS 140-2 Level 2 EMI/EMC requirements.
2.6
Physical Security
The Nokia VPN Appliances are multi-chip, standalone cryptographic
modules. The modules are entirely contained within their respective hard
metal enclosure. The enclosures are resistant to probing and are opaque
within the visible spectrum. The front and side vent holes of all enclosures
are baffled from the inside using lance wall inserts to prevent direct
viewing of the module’s interior components. Rear vent holes are likewise
obscured by internal fan or power supply components.
Serially numbered tamper-evident seals provide additional protection to
those parts of the module chassis that can be opened or disassembled.
The seals provide indications of attempts to tamper with the modules. The
tamper-evident seals are affixed to the module by the Crypto Officer in
numbers and locations that vary depending on the module hardware
version. Specific quantities and locations are described in Section 3.1
“Crypto Officer Guidance” of this document.
2.7
Operational Environment
The FIPS 140-2 operational environment requirements do not apply to
these modules. The Nokia VPN Appliances do not provide a general-
© Copyright 2005, 2006, 2007
Nokia
Page 16 of 43
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.