Key zeroization, Self-tests – Cisco 7206VXR NPE-400 User Manual


FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM

OL-3959-01


Key Zeroization

All of the keys and CSPs of the module can be zeroized. Please refer to the Description column of Table 2 for information on methods to zeroize each key and CSP.

Self-Tests

To prevent secure data from being released, it is important to test the cryptographic components of a
security module to ensure all components are functioning correctly. The router includes an array of
self-tests that are run during startup and periodically during operations. If any of the self-tests fail, the
router transitions into an error state. Within the error state, all secure data transmission is halted and the
router outputs status information indicating the failure.

Self-tests performed by the IOS image:

- Power-up tests
  - Firmware integrity test
  - RSA signature KAT (both signature and verification)
  - DES KAT
  - TDES KAT
  - AES KAT
  - SHA-1 KAT
  - PRNG KAT
  - Power-up bypass test
  - Diffie-Hellman self-test
  - HMAC-SHA-1 KAT
- Conditional tests
  - Conditional bypass test
  - Pairwise consistency test on RSA signature
  - Continuous random number generator tests

Self-tests performed by the VAM (cryptographic accelerator):

- Power-up tests
  - Firmware integrity test
  - RSA signature KAT (both signature and verification)
  - DES KAT
  - TDES KAT
  - SHA-1 KAT
  - HMAC-SHA-1 KAT
  - PRNG KAT
- Conditional tests
  - Pairwise consistency test on RSA signature
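
The behaviour described in this section, sketched as an added example (not Cisco's code and not part of the security policy): known-answer tests at power-up, a continuous random number generator test that rejects a repeated block, and an error state that refuses all services and records status. The `Module` class, its state names and its status strings are assumptions made for illustration; the vectors are the published SHA-1 "abc" value and RFC 2202 HMAC-SHA-1 test case 1.

```python
import hashlib
import hmac
import os

# Published vectors: SHA-1 of "abc" (FIPS 180) and HMAC-SHA-1 test case 1 (RFC 2202).
KATS = [
    ("SHA-1 KAT", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("HMAC-SHA-1 KAT",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
]

class ModuleError(RuntimeError):
    """Raised when a service is requested outside the operational state."""

class Module:  # hypothetical module model, for illustration only
    def __init__(self, kats=KATS, rng=os.urandom):
        self.state, self.status = "POWER_UP", []
        self._kats, self._rng, self._prev = kats, rng, None

    def _fail(self, name):
        # Enter the error state and record status output naming the failed test.
        self.state = "ERROR"
        self.status.append(f"SELF-TEST FAILED: {name}")

    def power_up(self):
        for name, run, expected in self._kats:
            if not hmac.compare_digest(run(), expected):
                self._fail(name)
                return False
            self.status.append(f"passed: {name}")
        self._prev = self._rng(16)  # first block is kept for comparison, never output
        self.state = "OPERATIONAL"
        return True

    def _require_operational(self):
        if self.state != "OPERATIONAL":
            raise ModuleError(f"service refused in state {self.state}")

    def random_block(self):
        self._require_operational()
        block = self._rng(16)
        if block == self._prev:  # continuous RNG test: consecutive blocks must differ
            self._fail("continuous RNG test")
            raise ModuleError("RNG produced a repeated block")
        self._prev = block
        return block

    def mac(self, key, msg):
        self._require_operational()
        return hmac.new(key, msg, hashlib.sha1).digest()
```

Passing a faulty `kats` entry or a stuck `rng` callable shows the transition: the module moves to `ERROR`, and every later call to `mac` or `random_block` is refused.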
