Cisco 7206VXR NPE-400 User Manual
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
OL-3959-01
Cryptographic Key Management
The module supports the following critical security parameters (CSPs):
Table 2: Critical Security Parameters

| # | CSP Name | Description | Storage |
|---|----------|-------------|---------|
| 1 | CSP1 | This is the seed key for the X9.31 PRNG. This key is stored in DRAM and updated periodically after the generation of 400 bytes; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this key. | DRAM (plaintext) |
| 2 | CSP2 | The private exponent used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated. | DRAM (plaintext) |
| 3 | CSP3 | The shared secret within the IKE exchange. Zeroized when the IKE session is terminated. | DRAM (plaintext) |
| 4 | CSP4 | Same as above | DRAM (plaintext) |
| 5 | CSP5 | Same as above | DRAM (plaintext) |
| 6 | CSP6 | Same as above | DRAM (plaintext) |
| 7 | CSP7 | The IKE session encryption key. The zeroization is the same as above. | DRAM (plaintext) |
| 8 | CSP8 | The IKE session authentication key. The zeroization is the same as above. | DRAM (plaintext) |
| 9 | CSP9 | The RSA private key. The "crypto key zeroize" command zeroizes this key. | NVRAM (plaintext) |
| 10 | CSP10 | The key used to generate the IKE skeyid during preshared-key authentication. The "no crypto isakmp key" command zeroizes it. This key can have two forms based on whether the key is related to the hostname or the IP address. | NVRAM (plaintext) |
| 11 | CSP11 | This key generates keys 3, 4, 5 and 6. This key is zeroized after generating those keys. | DRAM (plaintext) |
| 12 | CSP12 | The RSA public key used to validate signatures within IKE. These keys are expired either when the CRL (certificate revocation list) expires or 5 secs after if no CRL exists. After the above expiration happens and before a new public key structure is created, this key is deleted. This key does not need to be zeroized because it is a public key; however, it is zeroized as mentioned here. | DRAM (plaintext) |
| 13 | CSP13 | The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. | NVRAM (plaintext) |