Cisco 7206VXR NPE-400 User Manual

14

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM

OL-3959-01

Cryptographic Key Management

The module supports DES (only for legacy systems), 3DES, DES-MAC, TDES-MAC, AES, SHA-1,
HMAC SHA-1, MD5, MD4, HMAC MD5, Diffie-Hellman, RSA (for digital signatures and
encryption/decryption (for IKE authentication)) cryptographic algorithms. The MD5, HMAC MD5, and
MD4 algorithms are disabled when operating in FIPS mode.

The module supports three types of key management schemes:

•

Manual key exchange method that is symmetric. DES/3DES/AES key and HMAC-SHA-1 key are
exchanged manually and entered electronically.

•

Internet Key Exchange method with support for exchanging pre-shared keys manually and entering
electronically.

–

The pre-shared keys are used with Diffie-Hellman key agreement technique to derive DES,
3DES or AES keys.

–

The pre-shared key is also used to derive HMAC-SHA-1 key.

•

Internet Key Exchange with RSA-signature authentication.

All pre-shared keys are associated with the Crypto Officer role that created the keys, and the Crypto
Officer role is protected by a password. Therefore, the Crypto Officer password is associated with all the
pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH)
keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE
protocol.