Cisco 2811 Operations page 16
Integrated services router fips 140-2 non proprietary security policy
Hide thumbs
Also See for 2811:
- Installing and upgrading (14 pages) ,
- User manual (204 pages) ,
- Introduction manual (186 pages)
Table of Contents
Advertisement
Cisco 2811 and Cisco 2821 Routers
•
•
•
•
The DRAM running configuration must be copied to the start-up configuration in NVRAM in order to
completely zeroize the keys.
The following commands will zeroize the pre-shared keys from the DRAM:
•
•
The DRAM running configuration must be copied to the start-up configuration in NVRAM in order to
completely zeroize the keys.
The module supports the following keys and critical security parameters (CSPs). Note that keys stored
in NVRAM are in plaintext unless the configuration file encryption key is configured via the "key
config-key" command is used.
Table 9
Cryptographic Keys and CSPs
Name
Algorithm
PRNG Seed
X9.31
Diffie Hellman
DH
private
exponent
Diffie Hellman
DH
public key
skeyid
Keyed
SHA-1
skeyid_d
Keyed
SHA-1
skeyid_a
HMAC-
SHA-1 or
DES MAC
skeyid_e
DES/TDES
/AES
IKE session
DES/TDES
encrypt key
/AES
IKE session
HMAC-
authentication
SHA-1 or
key
DES MAC
Cisco 2811 and Cisco 2821 Integrated Services Router FIPS 140-2 Non Proprietary Security Policy
16
no set session-key inbound ah spi hex-key-data
no set session-key outbound ah spi hex-key-data
no set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
no set session-key outbound esp spi cipher hex-key-data [authenticator hex-key-data]
no crypto isakmp key key-string address peer-address
no crypto isakmp key key-string hostname peer-hostname
Description
This is the seed for X9.31 PRNG. This CSP is
stored in DRAM and updated periodically after
the generation of 400 bytes – after this it is
reseeded with router-derived entropy; hence, it is
zeroized periodically. Also, the operator can turn
off the router to zeroize this CSP.
The private exponent used in Diffie-Hellman
(DH) exchange. Zeroized after DH shared secret
has been generated.
The public key used in Diffie-Hellman (DH)
exchange as part of IKE. Zeroized after the DH
shared secret has been generated.
Value derived from the shared secret within IKE
exchange. Zeroized when IKE session is
terminated.
The IKE key derivation key for non ISAKMP
security associations.
The ISAKMP security association authentication
key.
The ISAKMP security association encryption key. DRAM
The IKE session encrypt key.
The IKE session authentication key.
Zeroization
Storage
Method
DRAM
Automatically every
(plaintext)
400 bytes, or turn off
the router.
DRAM
Automatically after
(plaintext)
shared secret generated.
DRAM
Automatically after
(plaintext)
shared secret generated.
DRAM
Automatically after IKE
(plaintext)
session terminated.
DRAM
Automatically after IKE
(plaintext)
session terminated.
DRAM
Automatically after IKE
(plaintext)
session terminated.
Automatically after IKE
(plaintext)
session terminated.
DRAM
Automatically after IKE
(plaintext)
session terminated.
DRAM
Automatically after IKE
(plaintext)
session terminated.
OL-8663-01
- Quick Links:
- Initial Setup
Hide quick links:
Advertisement
Table of Contents
Related Manuals for Cisco 2811
Related Products for Cisco 2811
- Cisco 2821 - Integrated Services Router Unified Communications Bundle
- Cisco 2851 - Integrated Services Router
- Cisco 2801 - Integrated Services Router
- Cisco 2800 Series
- Cisco 2811-AC-IP - 2811 Integrated Services Router
- Cisco 2811 - Voice Security Bundle Router
- Cisco 2851 Series
- Cisco 2509 - Router - EN