Nortel Networks NN46120-104 User Manual

Page 240

Advertising
background image

240

HSM Security Policy

when the SO invokes the Create User service. It is written to an iKey token
through the trusted USB interface. Refer to following section 9.2 for a
description of how this PIN is used for authentication.
Key-Wrapping-Key (KWK) = A 3DES3KEY key created by either the
SO or User role for the purpose of wrapping private RSA keys. The
Key-Wrapping-Key may be randomly generated using the Generate
Key service, or may be entered into the module using the Combine Key
service, which combines two key shares entered through the trusted USB
interface. In the non-FIPS 140-1 mode, the Key-Wrapping-Key may also
be created through the Derive Key service.
PRNG3DES Key (PRNGKey)= This 3DES2Key is used for seeding the
X9.17 Pseudo-random Number Generator (PRNG). The PRNG 3DES Key
is generated randomly using the hardware random number generator
(RNG) within the FastMap processor. This key is generated every time
a random number is needed for key generation or as a direct request
through the Generate Random Number service. The PRNG 3DES EDE
Key is destroyed after each PRNG is generated.
RSA Public and Private Key Pair (SPK, VPK)= This RSA key pair is
generated by either the SO or User role for the purpose generating RSA
digital signatures through the RSA Sign service, or for verifying the same
through the RSA Verify service. A key pair which is designated by the
user who created it cannot be used for any other purpose such as key
exchanges or encryption/decryption of data. The user may specify through
Boolean attributes whether the private key may be used for Signature
Generation and/or Data Decryption, and whether the public key may be
used for Signature Verification and/or Data Encryption. Hence, a given
key pair may be used for both signatures/verifications as well as data
encryption/decryption. In FIPS 140-1 Mode, data encryption/decryption is
not available.
RSA Encryption/Decryption Public and Private Key Pair (EPK, DPK)=
This key pair is generated by either the SO or User role for the purpose of
encrypting and decrypting data. When creating this key pair, the user may
specify through Boolean attributes whether the private key may be used for
Signature Generation and/or Data Decryption, and whether the public key
may be used for Signature Verification and/or Data Encryption. Hence,
a given key pair may be used for both signatures/verifications as well as
data encryption/decryption. Note that in the FIPS 140-1 Mode, although
Encryption/Decryption key pairs may be generated, the RSA Encrypt and
RSA Decrypt services are not available, and therefore, such keys are not
usable in this mode.
Key-Wrapping-Key Share (KWKShare) = Key share obtained by splitting
the KWK into two shares with the Split Key service. Two corresponding
shares may be combined with the Combine Key service to enter the KWK
into the module.

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.

Advertising
Popular Brands
Popular manuals