Cisco 3825 and Cisco 3845 Routers
The routers support the following FIPS 140-2 approved algorithm implementations:
• Software (IOS) implementations
  – AES
  – DES (for legacy use only)
  – 3DES
  – SHA-1
  – HMAC-SHA-1
  – X9.31 PRNG
• Onboard hardware implementations (SafeNet chip)
  – AES
  – DES (for legacy use only)
  – 3DES
  – SHA-1
  – HMAC-SHA-1
The router is in the approved mode of operation only when FIPS 140-2 approved algorithms are used (the one exception is Diffie-Hellman, which is allowed in the approved mode for key establishment). The following algorithms are not FIPS 140-2 approved: RC4, MD5, HMAC-MD5, RSA and DH. DH is allowed for key establishment only; the key establishment methodology provides between 80 and 96 bits of encryption strength.
The module supports two types of key management schemes:
• Pre-shared key exchange via electronic key entry. The DES/3DES/AES key and the HMAC-SHA-1 key are exchanged and entered electronically.
• Internet Key Exchange (IKE) with pre-shared keys, which are exchanged and entered electronically.
  – The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive the DES, 3DES or AES keys.
  – The pre-shared key is also used to derive the HMAC-SHA-1 key.
The module supports commercially available methods of key establishment, including Diffie-Hellman and IKE. See Document 7A, Cisco IOS Reference Guide.
All pre-shared keys are associated with the Crypto Officer (CO) role that created them, and the CO role is protected by a password; the CO password is therefore associated with all the pre-shared keys. The Crypto Officer must be authenticated before keys can be stored. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are associated with that specific tunnel only, via the IKE protocol.
Key Zeroization:
Each key can be zeroized by issuing the "no" form of the command that configured it. This zeroizes the key from DRAM, that is, from the running configuration; a copy saved in the startup configuration is not affected until the configuration is saved again.
"clear crypto ipsec sa" zeroizes the IPsec DES/3DES/AES session key (which is derived using the Diffie-Hellman key agreement technique) from DRAM. This session key exists only in DRAM, so this command completely zeroizes it. The following command zeroizes the pre-shared keys from DRAM:
• no set session-key inbound ah spi hex-key-data
Cisco 3825 and Cisco 3845 Integrated Services Routers FIPS 140-2 Non Proprietary Security Policy
OL-8662-01
16
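The approved-mode rule above (only the listed algorithms, DH allowed for key establishment at 80 to 96 bits, RC4/MD5/HMAC-MD5/RSA excluded) is easiest to check against an actual running configuration. The following audit script is an added example written for this page; it is not code from the Cisco security policy. It goes slightly beyond the page in two ways: it applies the IOS defaults that fill in an ISAKMP policy when a line is omitted (DES, SHA, RSA signatures, DH group 1), which are standard IOS behaviour but are not stated here, and it assumes a DH-group-to-bit-strength mapping (group 2 = 80 bits, group 5 = 96 bits, group 14 = 112 bits) that the policy does not spell out. The sample configuration is constructed for the demonstration.

```python
"""Audit an IOS crypto configuration against the approved-mode rules on this page.

Added example for this page; not code from the Cisco security policy.
ISAKMP/IPsec command syntax and ISAKMP policy defaults are standard IOS;
the DH group strength mapping is an assumption; the sample config is constructed.
"""
import re

# Algorithms the policy lists as FIPS 140-2 approved on this platform.
APPROVED_ENCR = {"aes", "3des", "des"}            # DES is "for legacy use only"
APPROVED_HASH = {"sha"}                            # SHA-1 / HMAC-SHA-1
APPROVED_TRANSFORMS = {"esp-aes", "esp-3des", "esp-des", "esp-sha-hmac", "ah-sha-hmac"}
LEGACY_ENCR = {"des", "esp-des"}

# Assumed symmetric-equivalent strength per DH group (bits); the policy only
# states that key establishment provides between 80 and 96 bits.
DH_STRENGTH_BITS = {2: 80, 5: 96, 14: 112}
MIN_DH_BITS = 80

# Values IOS applies when an ISAKMP policy omits the corresponding line.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": 1}


def parse_ios_crypto(config):
    """Return (isakmp_policies, transform_sets) parsed from running-config text."""
    policies, transforms, current = [], [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            current = None                 # "!" separates configuration blocks
            continue
        if not line.startswith(" "):       # a top-level command starts a new block
            current = None
            m = re.match(r"crypto isakmp policy (\d+)$", line)
            if m:
                current = dict(ISAKMP_DEFAULTS, number=int(m.group(1)), explicit=set())
                policies.append(current)
                continue
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            if m:
                transforms.append((m.group(1), m.group(2).split()))
            continue
        if current is None:
            continue
        tokens = line.split()
        key, args = tokens[0], tokens[1:]
        if key == "encryption":            # IOS accepts "encr" and "encryption"
            key = "encr"
        if key in ("encr", "hash", "authentication") and args:
            current[key] = args[0]
        elif key == "group" and args:
            current[key] = int(args[0])
        else:
            continue
        current["explicit"].add(key)
    return policies, transforms


def _origin(policy, key):
    """Mark a value that came from an IOS default rather than the config text."""
    return "" if key in policy["explicit"] else " (IOS default)"


def audit_ios_config(config):
    """List every setting that would take the router out of the approved mode."""
    findings = []
    policies, transforms = parse_ios_crypto(config)
    for p in policies:
        tag = f"isakmp policy {p['number']}"
        if p["encr"] not in APPROVED_ENCR:
            findings.append(f"{tag}: encryption {p['encr']}{_origin(p, 'encr')} is not FIPS approved")
        elif p["encr"] in LEGACY_ENCR:
            findings.append(f"{tag}: DES{_origin(p, 'encr')} is approved for legacy use only")
        if p["hash"] not in APPROVED_HASH:
            findings.append(f"{tag}: hash {p['hash']}{_origin(p, 'hash')} is not FIPS approved")
        if p["authentication"] != "pre-share":
            findings.append(f"{tag}: authentication {p['authentication']}{_origin(p, 'authentication')} "
                            "is not FIPS approved (the policy lists RSA as non-approved)")
        bits = DH_STRENGTH_BITS.get(p["group"])
        if bits is None or bits < MIN_DH_BITS:
            findings.append(f"{tag}: DH group {p['group']}{_origin(p, 'group')} is not rated at "
                            f"{MIN_DH_BITS} bits or more for key establishment")
    for name, tokens in transforms:
        for t in tokens:
            if not (t.startswith("esp-") or t.startswith("ah-")):
                continue                   # key sizes such as "256" are not algorithms
            if t not in APPROVED_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} is not FIPS approved")
            elif t in LEGACY_ENCR:
                findings.append(f"transform-set {name}: {t} is approved for legacy use only")
    return findings


def in_approved_mode(config):
    """True only when the audit raises nothing, legacy-DES warnings included."""
    return not audit_ios_config(config)


# Constructed sample: policy 10 and FIPS-SET are clean; policy 20 uses MD5, RSA
# signatures and group 1; policy 30 relies on IOS defaults; LEGACY-SET uses MD5.
SAMPLE_CONFIG = """\
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication rsa-sig
 group 1
!
crypto isakmp policy 30
 authentication pre-share
!
crypto isakmp key FIPSKEY address 192.0.2.1
!
crypto ipsec transform-set FIPS-SET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set LEGACY-SET esp-3des esp-md5-hmac
!
"""

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

The point worth noticing in the output is policy 30: it contains nothing that looks wrong, yet IOS fills in RSA signatures and DH group 1 for the lines it omits, so a policy block that merely looks minimal can still take the router out of the approved mode. Run the audit on the running configuration rather than on the operator's intent.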