Key Zeroization - Cisco 1841 User Manual

Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus FIPS 140-2 Non-Proprietary Security Policy

Cisco 1841 and Cisco 2801 Routers
All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected
by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto
Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual
tunnels are directly associated with that specific tunnel only via the IKE protocol.

Key Zeroization:

Each key can be zeroized by sending the "no" form of the command that configured it (the "no" command prior to the key function command). This zeroizes the key from the DRAM, i.e. from the running configuration.

"Clear Crypto IPSec SA" will zeroize the IPSec DES/3DES/AES session key (which is derived using the Diffie-Hellman key agreement technique) from the DRAM. This session key is only held in DRAM; therefore this command completely zeroizes the key.

The following commands will zeroize the pre-shared keys from the DRAM:

    no set session-key inbound ah spi hex-key-data
    no set session-key outbound ah spi hex-key-data
    no set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
    no set session-key outbound esp spi cipher hex-key-data [authenticator hex-key-data]

The DRAM running configuration must be copied to the start-up configuration in NVRAM in order to completely zeroize the keys.

The following commands will zeroize the pre-shared keys from the DRAM:

    no crypto isakmp key key-string address peer-address
    no crypto isakmp key key-string hostname peer-hostname

The DRAM running configuration must be copied to the start-up configuration in NVRAM in order to completely zeroize the keys.

The module supports the following keys and critical security parameters (CSPs).

Table 8  Cryptographic Keys and CSPs

| Name | Algorithm | Description | Storage | Zeroization Method |
|---|---|---|---|---|
| PRNG Seed | X9.31 | This is the seed for the X9.31 PRNG. This CSP is stored in DRAM and updated periodically after the generation of 400 bytes; after this it is reseeded with router-derived entropy, hence it is zeroized periodically. Also, the operator can turn off the router to zeroize this CSP. | DRAM (plaintext) | Automatically every 400 bytes, or turn off the router. |
| Diffie Hellman private exponent | DH | The private exponent used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated. | DRAM (plaintext) | Automatically after shared secret generated. |
| Diffie Hellman public key | DH | The public key used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated. | DRAM (plaintext) | Automatically after shared secret generated. |
| skeyid | Keyed SHA-1 | Value derived from the shared secret within the IKE exchange. Zeroized when the IKE session is terminated. | DRAM (plaintext) | Automatically after IKE session terminated. |
| skeyid_d | Keyed SHA-1 | The IKE key derivation key for non-ISAKMP security associations. | DRAM (plaintext) | Automatically after IKE session terminated. |

Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus
14
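The procedure above has two parts that are easy to get wrong in practice: every key-bearing command needs its own "no" form, and the running configuration must then be saved to NVRAM or the keys survive in the startup configuration. The script below is an added example, not part of the Cisco security policy; it derives the "no" commands from the key-bearing lines of a constructed, IOS-style running configuration using the command syntax the policy lists, and then checks both the DRAM (running) and NVRAM (startup) copies for leftover key material. The sample configuration, the hostname, the peer addresses and every key value are constructed for illustration; the regular expressions assume the key commands appear in exactly the syntax shown in the policy.

```python
"""Zeroization plan generator for IOS-style configurations.

Added example, not part of the Cisco security policy. It derives the "no"
zeroization commands listed in the policy from the key-bearing lines of a
running configuration, then checks that the saved startup configuration no
longer holds those keys, since a key surviving in NVRAM is not zeroized.
"""
import re

# Constructed sample running configuration. Every key value is fake.
SAMPLE_RUNNING_CONFIG = """\
hostname fips-router
crypto isakmp key Example-PSK-1 address 192.0.2.10
crypto isakmp key Example-PSK-2 hostname peer.example.net
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
crypto map MANUAL 20 ipsec-manual
 set session-key inbound ah 2000 00112233445566778899aabbccddeeff00112233
 set session-key outbound ah 2001 33221100ffeeddccbbaa99887766554433221100
 set session-key inbound esp 1000 cipher 0123456789abcdef0123456789abcdef authenticator 00112233445566778899aabbccddeeff00112233
 set session-key outbound esp 1001 cipher fedcba9876543210fedcba9876543210
"""

# Key-bearing commands, matched in the syntax the policy gives for them.
PSK_RE = re.compile(r"^crypto isakmp key (\S+) (address|hostname) (\S+)")
SESSION_KEY_RE = re.compile(r"^\s*set session-key (inbound|outbound) (ah|esp) (\d+) (.+)$")
CRYPTO_MAP_RE = re.compile(r"^crypto map \S+ \d+ ipsec-(manual|isakmp)\s*$")


def key_lines(config):
    """Return every line that still carries a pre-shared or manual session key."""
    return [line for line in config.splitlines()
            if PSK_RE.match(line) or SESSION_KEY_RE.match(line)]


def zeroization_plan(config):
    """Ordered IOS command list: the "no" form of each key command (inside its
    crypto map where needed), then the IPsec SA clear, then the copy to NVRAM
    without which the keys remain in the startup configuration."""
    commands = ["configure terminal"]
    current_map = None
    for line in config.splitlines():
        if CRYPTO_MAP_RE.match(line):
            current_map = line.strip()      # remember the enclosing crypto map
            continue
        psk = PSK_RE.match(line)
        if psk:
            key, kind, peer = psk.groups()
            commands.append(f"no crypto isakmp key {key} {kind} {peer}")
            continue
        sk = SESSION_KEY_RE.match(line)
        if sk:
            direction, proto, spi, key_data = sk.groups()
            if current_map and current_map not in commands:
                commands.append(current_map)  # enter the crypto map once
            commands.append(f" no set session-key {direction} {proto} {spi} {key_data}")
    commands += ["end", "clear crypto ipsec sa", "copy running-config startup-config"]
    return commands


def apply_plan(config):
    """Simulate the effect of the "no" commands on the DRAM copy of the
    configuration: the key-bearing lines disappear, everything else stays."""
    return "\n".join(line for line in config.splitlines()
                     if not (PSK_RE.match(line) or SESSION_KEY_RE.match(line)))


def keys_fully_zeroized(running_config, startup_config):
    """True only when neither the DRAM (running) nor the NVRAM (startup)
    configuration still contains key material."""
    return not key_lines(running_config) and not key_lines(startup_config)


if __name__ == "__main__":
    print("\n".join(zeroization_plan(SAMPLE_RUNNING_CONFIG)))
    zeroized = apply_plan(SAMPLE_RUNNING_CONFIG)
    # Until the running configuration is saved, NVRAM still holds the old keys.
    print("complete:", keys_fully_zeroized(zeroized, SAMPLE_RUNNING_CONFIG))
```

The check compares the two configuration copies a device would show after the commands are entered; it confirms that no key command remains in either copy, which is the condition the policy attaches to complete zeroization, and does not itself prove anything about physical memory contents. On a real device the configuration text may render key commands differently from the policy's syntax, so the patterns above should be adjusted to what the device actually displays before relying on the result.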
OL-8719-01