Extended mode vs. fips mode, Fips140-1 level 3 security – Nortel Networks NN46120-104 User Manual

FIPS140-1 Level 3 Security

29

Extended Mode vs. FIPS Mode

When installing the very first ASA 310-FIPS into a new cluster, you can
choose to initialize the HSM cards in either Extended mode or FIPS mode.
Extended mode is the default selection, and is appropriate whenever your
security policy does not explicitly require that you conform to the FIPS
140-1, Level 3 standard (see the following for more information).

The main difference between Extended mode and FIPS mode involves
how private keys are handled. For both modes, all private keys are stored
encrypted in the database on the ASA 310 FIPS. When the HSM card is
initialized in Extended mode, the encrypted private key needed to perform
a specific operation is transferred to the HSM card over the PCI bus. The
private key is then decrypted on the HSM card itself, using the wrap key
that was generated during the initialization and because stored on the
card. The private key is thus never exposed in plain text outside the HSM
card.

When the HSM card is initialized in FIPS mode, the encrypted private key
needed to perform a specific operation is read from the database into
RAM, together with the wrap key from the HSM card. The private key
is then decrypted in RAM, where it remains accessible for subsequent
operations.

Also, when the ASA 310-FIPS is initialized in FIPS mode, all private keys
must be generated on the ASA 310-FIPS device itself. Importing private
keys, or certificate files that contain private keys, is not allowed due to
the FIPS security requirements. This means that certain CLI commands
that are used for importing certificates and keys through a copy and paste
operation, or through TFTP/FTP/SCP/SFTP, cannot be used when the
ASA 310-FIPS is initialized in FIPS mode.

FIPS140-1 Level 3 Security

The HSM card contains all of the security requirements specified by the
FIPS 140-1, Level 3 standards. FIPS 140-1 is a U.S. government standard
for implementations of cryptographic modules, that is, hardware or
software that encrypts and decrypts data or performs other cryptographic
operations (such as creating or verifying digital signatures).

FIPS 140-1 is binding on U.S. government agencies deploying applications
that use cryptography to secure sensitive but unclassified (SBU)
information, unless those agencies have been specifically exempted from
compliance by the relevant U.S. laws referenced in the standard.

For more information about the FIPS specification, visit http://csrc.nist.gov/
publications/fips/index.htmland scroll down to "FIPS 140-1".

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.