Motorola S2500 User Manual

MNR S2500 Security Policy

Version 1.2, Revision Date: 8/8/2008

Definition of Critical Security Parameters (CSPs)

The following CSPs are contained within the module:

| Key | Description/Usage |
|---|---|
| KEK | This is the master key that encrypts persistent CSPs stored within the module. KEK-protected keys include PSK and passwords. Encryption of keys uses AES128ECB. |
| IKE Preshared Keys | Used to authenticate peer to peer during IKE session |
| SKEYID | Generated for IKE Phase 1 by hashing preshared keys with responder/receiver nonce |
| SKEYID_d | Phase 1 key used to derive keying material for IKE SAs |
| SKEYID_a | Key used for integrity and authentication of the phase 1 exchange |
| SKEYID_e | Key used for TDES or AES data encryption of phase 1 exchange |
| Ephemeral DH Phase-1 private key (a) | Generated for IKE Phase 1 key establishment |
| Ephemeral DH Phase-2 private key (a) | Phase 2 Diffie Hellman private keys used in PFS for key renewal |
| IPSEC Session keys | 128/192/256-bit AES-CBC and 168-bit TDES keys are used to encrypt and authenticate IPSEC ESP packets |
| FRF.17 Session Keys | 168-bit TDES-CBC and 128/192/256-bit AES-CBC keys are used to encrypt and authenticate FRF.17 Mode 2 |
| SSH-RSA Private Key | Key used to authenticate oneself to peer |
| SSH-DSA Private Key | Key used to authenticate oneself to peer |
| SSH Session Keys | 168-bit TDES-CBC and 128/192/256-bit AES-CBC keys are used to encrypt and authenticate SSH packets |
| SSH DH Private Key | Generated for SSH key establishment |
| RNG Seed | Initial seed for FIPS-approved deterministic RNG |
| Network Manager Password (Root) | 7 (to 15) character password used to authenticate to the CO Role (Crypto Officer) |
| User (Admin) | 7 (to 15) character password used to authenticate to the User Role |
| User Accounts | 7 (to 15) character password used to authenticate accounts created on the module |

Table 8 – Critical Security Parameters (CSPs)
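
The SKEYID, SKEYID_d, SKEYID_a and SKEYID_e rows of Table 8 name the IKE Phase 1 key hierarchy for preshared-key authentication. The following is an added example, not part of the Security Policy or the module's code, that carries the RFC 2409 derivation through in Python. It assumes HMAC-SHA1 as the negotiated prf; the function names and all input values are constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """Assumed negotiated prf: HMAC-SHA1 (20-byte output)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_skeyids(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5, preshared-key authentication."""
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    skeyid = prf(psk, ni + nr)
    ctx = g_xy + cky_i + cky_r  # DH shared secret and both cookies
    # Each later key chains on the previous one; the trailing octet is 0, 1, 2.
    skeyid_d = prf(skeyid, ctx + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + ctx + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + ctx + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def expand_cipher_key(skeyid_e: bytes, key_len: int) -> bytes:
    """RFC 2409 Appendix B: fit SKEYID_e to the cipher's key length."""
    if key_len <= len(skeyid_e):
        # prf output is long enough: take the most significant bytes.
        return skeyid_e[:key_len]
    # Otherwise Ka = K1 | K2 | ..., K1 = prf(SKEYID_e, 0), Kn = prf(SKEYID_e, Kn-1)
    block = prf(skeyid_e, b"\x00")
    out = block
    while len(out) < key_len:
        block = prf(skeyid_e, block)
        out += block
    return out[:key_len]

# Constructed sample inputs (not taken from any real exchange).
PSK = b"constructed-sample-psk"
NI = bytes(range(16))                # initiator nonce body
NR = bytes(range(16, 32))            # responder nonce body
G_XY = hashlib.sha256(b"constructed DH shared secret").digest() * 4
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
KEYS = derive_skeyids(PSK, NI, NR, G_XY, CKY_I, CKY_R)

if __name__ == "__main__":
    for name, value in KEYS.items():
        print(f"{name:9s} {value.hex()}")
    print("AES-128  ", expand_cipher_key(KEYS["SKEYID_e"], 16).hex())
    print("AES-256  ", expand_cipher_key(KEYS["SKEYID_e"], 32).hex())
```

Because every key in the chain descends from the preshared key and the exchanged nonces, the preshared key's protection at rest (the KEK row) bounds the confidentiality of the whole Phase 1 exchange.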
