Key Zeroization - Cisco 2621XM Operations

Modular access routers with aim-vpn/ep fips 140-2 non-proprietary security policy

Hide thumbs Also See for 2621XM:

User manual (20 pages)

Configuration manual (196 pages)

Hardware installation manual (104 pages)

Table Of Contents

Table of Contents

The 2621XM/2651XM Router

The module supports three types of key management schemes:

•

All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected

by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto

Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual

tunnels are directly associated with that specific tunnel only via the IKE protocol.

Key Zeroization:

All of the keys and CSPs of the module can be zeroized. Please refer to the Description column of

Table 4

Self-Tests

In order to prevent any secure data from being released, it is important to test the cryptographic

components of a security module to insure all components are functioning correctly. The router includes

an array of self-tests that are run during startup and periodically during operations. If any of the self-tests

fail, the router transitions into an error state. Within the error state, all secure data transmission is halted

and the router outputs status information indicating the failure.

Note

After the router recovers from failure of a power-up self-test performed by the AIM-VPN/EP, the

router only allows plaintext traffic to pass through and no encrypted traffic is allowed.

Self-tests performed by the IOS image:

•

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy

Manual key exchange method that is symmetric. DES/3DES/AES key and HMAC-SHA-1 key are

exchanged manually and entered electronically.

Internet Key Exchange method with support for exchanging pre-shared keys manually and entering

electronically.

–

The pre-shared keys are used with Diffie-Hellman key agreement technique to derive DES,

3DES or AES keys.

–

The pre-shared key is also used to derive HMAC-SHA-1 key.

Internet Key Exchange with RSA-signature authentication.

for information on methods to zeroize each key and CSP.

Power-up tests

Firmware integrity test

–

RSA signature KAT (both signature and verification)

–

DES KAT

–

TDES KAT

–

AES KAT

–

SHA-1 KAT

–

PRNG KAT

–

Power-up bypass test

–

Diffie-Hellman self-test

–

HMAC SHA-1 KAT

OL-6262-01

Table of Contents

Show Quick Links

Hide quick links:

Table of Contents

This manual is also suitable for:

2651xm 2620xm 2611 - router - en 2620 2621 2651xm-v ... Show all

Key Zeroization - Cisco 2621XM Operations

Key Zeroization:

Hide quick links:

Related Manuals for Cisco 2621XM

Related Content for Cisco 2621XM

This manual is also suitable for:

Table of Contents