The concept of ikey authentication, Types of ikeys, Wrap keys for asa 310-fips clusters – Nortel Networks NN46120-104 User Manual

Page 30

Introducing the ASA 310-FIPS

The Concept of iKey Authentication

Access to sensitive data on an ASA 310-FIPS is protected by a combination
of hardware tokens (called iKeys), passwords, and encryption procedures.

The iKey is a cryptographic token that is used as part of the authentication
process for certain operations involving the HSM cards. Whenever you
perform an operation on the ASA 310-FIPS calling for iKey authentication,
you are prompted by the Command Line Interface to insert the requested
iKey into the USB port on the appropriate HSM card. (When prompted for
a particular iKey, a flashing LED always directs you to the correct HSM
card.)

Types of iKeys

For each HSM card there are two unique iKeys used for identity-based
authentication: the HSM-SO iKey and the HSM-USER iKey. These two iKeys
correspond to the two user roles available: Security Officer and User.
A password must be defined for each user role, and each password is
directly associated with the corresponding iKey. The ASA 310-FIPS is
equipped with two HSM cards, so you must maintain two pairs of HSM-SO
and HSM-USER iKeys, with their associated passwords, for every single
ASA 310-FIPS device.

After an HSM card has been initialized, that card accepts only the
HSM-SO and HSM-USER iKeys that were used when initializing that
particular card. You cannot create backup copies of the associated
HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM-USER
password cannot be retrieved. It is therefore extremely important that you
establish routines for how the iKeys are handled.

Wrap Keys for ASA 310-FIPS Clusters

In addition to the HSM-SO and HSM-USER iKeys specific to each
HSM card, one pair of iKeys (the black HSM-CODE iKeys) must also be
maintained for each cluster of ASA 310-FIPS units.

Note: You are strongly recommended to label two of the black
HSM-CODE iKeys "CODE-SO" and "CODE-USER" respectively; these
iKeys will be referred to as such both in the documentation and in the
Command Line Interface.

During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is
automatically generated. The wrap key is a secret shared among all ASA
310-FIPS units in the cluster. It encrypts and decrypts sensitive information
that is sent over the PCI bus within an ASA 310-FIPS, and over the
network among the ASA 310-FIPS devices in the cluster. By inserting
the CODE-SO iKey and the CODE-USER iKey in turn when requested

Nortel VPN Gateway User Guide, NN46120-104, 02.01, Standard, 14 April 2008
Copyright © 2007-2008 Nortel Networks
