Cisco 7206VXR NPE-400 User Manual
Page 14
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
OL-3959-01
Cryptographic Key Management
The module supports the DES (only for legacy systems), 3DES, DES-MAC, TDES-MAC, AES, SHA-1,
HMAC SHA-1, MD5, MD4, HMAC MD5, Diffie-Hellman, and RSA (for digital signatures, and for
encryption/decryption as used in IKE authentication) cryptographic algorithms. The MD5, HMAC MD5, and
MD4 algorithms are disabled when operating in FIPS mode.
The module supports three types of key management schemes:
• Manual key exchange method that is symmetric. DES/3DES/AES key and HMAC-SHA-1 key are exchanged manually and entered electronically.
• Internet Key Exchange method with support for exchanging pre-shared keys manually and entering them electronically.
  – The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive DES, 3DES or AES keys.
  – The pre-shared key is also used to derive the HMAC-SHA-1 key.
• Internet Key Exchange with RSA-signature authentication.
All pre-shared keys are associated with the Crypto Officer role that created the keys, and the Crypto
Officer role is protected by a password. Therefore, the Crypto Officer password is associated with all the
pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH)
keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the IKE
protocol.
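The second key management scheme above (IKE with pre-shared keys and Diffie-Hellman) and the statement that each tunnel's DH keys are bound to that tunnel only through IKE can both be seen in the IKEv1 phase 1 derivation of RFC 2409, which the example below walks through. It is an added illustration written for this page, not code from the Cisco security policy or from IOS; it assumes HMAC-SHA-1 as the IKE prf, Oakley group 2 for Diffie-Hellman, and uses constructed nonces, cookies, private exponents and a constructed pre-shared key in place of the random values real peers would generate.

```python
"""IKEv1 phase 1 key derivation with pre-shared-key authentication (RFC 2409).

Added illustration, not the Cisco module's own code: a pre-shared key plus a
Diffie-Hellman exchange yield SKEYID and the derived SKEYID_d / SKEYID_a /
SKEYID_e values, with HMAC-SHA-1 as the prf, and SKEYID_e is expanded into a
3DES-sized key. All nonces, cookies, exponents and the PSK are constructed.
"""
import hashlib
import hmac

# 1024-bit MODP prime, Oakley group 2 (RFC 2409 section 6.2); generator is 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PRF_LEN = hashlib.sha1().digest_size  # 20 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-1 is the IKEv1 prf when SHA-1 is the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(priv: int) -> bytes:
    """g^x mod p, as the 128-byte big-endian KE payload body."""
    return pow(GROUP2_G, priv, GROUP2_P).to_bytes(128, "big")


def dh_shared(priv: int, peer_pub: bytes) -> bytes:
    """g^xy mod p from our private exponent and the peer's KE payload."""
    return pow(int.from_bytes(peer_pub, "big"), priv, GROUP2_P).to_bytes(128, "big")


def derive_skeyids(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                   cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5: SKEYID for pre-shared keys, then SKEYID_{d,a,e}.

    SKEYID is keyed by the pre-shared key alone, so a wrong PSK on either side
    makes every later value (and the HASH_I/HASH_R authentication hashes, which
    are keyed by SKEYID) disagree. The DH secret g^xy enters at SKEYID_d, so the
    keys are bound to this exchange's cookies, nonces and DH values only.
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def expand_key(skeyid_e: bytes, length: int) -> bytes:
    """RFC 2409 section 5.3 expansion when the prf output is shorter than the
    cipher key: K1 = prf(SKEYID_e, 0), Ki = prf(SKEYID_e, K(i-1)), Ka = K1|K2|...
    A 3DES key needs 24 bytes, i.e. two HMAC-SHA-1 blocks.
    """
    out = prf(skeyid_e, b"\x00")
    while len(out) < length:
        out += prf(skeyid_e, out[-PRF_LEN:])
    return out[:length]


def run_phase1(psk_i: bytes, psk_r: bytes, xi: int, xr: int,
               ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> tuple:
    """Simulate both peers: each computes g^xy from its own exponent and the
    other's public value, then derives its key set. Returns (initiator,
    responder) so a caller can check whether the two sides agree.
    """
    pub_i, pub_r = dh_public(xi), dh_public(xr)
    keys_i = derive_skeyids(psk_i, ni, nr, dh_shared(xi, pub_r), cky_i, cky_r)
    keys_r = derive_skeyids(psk_r, ni, nr, dh_shared(xr, pub_i), cky_i, cky_r)
    return keys_i, keys_r


# Constructed values for a stand-alone run (real peers pick these at random).
DEMO = dict(xi=0x123456789ABCDEF0, xr=0x0FEDCBA987654321,
            ni=b"initiator-nonce!", nr=b"responder-nonce!",
            cky_i=b"\x01" * 8, cky_r=b"\x02" * 8)

if __name__ == "__main__":
    init, resp = run_phase1(b"constructed-psk", b"constructed-psk", **DEMO)
    for name in init:
        print(f"{name:9s} {init[name].hex()}  match={init[name] == resp[name]}")
    print("3DES key  ", expand_key(init["SKEYID_e"], 24).hex())
```

Two properties worth noting when reading the output: changing only a cookie or nonce (a second tunnel) leaves SKEYID unchanged but changes SKEYID_d, SKEYID_a and SKEYID_e, which is the per-tunnel binding the policy describes; and a pre-shared key mismatch changes SKEYID itself, so the peers never arrive at a common encryption key and authentication fails at the HASH exchange rather than later.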