Cisco 2651XM-V Operations - Page 16
Browse online or download pdf Operations for Switch Cisco 2651XM-V. Cisco 2651XM-V 25 pages. Modular access routers with aim-vpn/ep fips 140-2 non-proprietary security policy
The 2621XM/2651XM Router
The module supports three types of key management schemes:
•
•
•
All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected
by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto
Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual
tunnels are directly associated with that specific tunnel only via the IKE protocol.
Key Zeroization:
All of the keys and CSPs of the module can be zeroized. Please refer to the Description column of
Table 4
Self-Tests
In order to prevent any secure data from being released, it is important to test the cryptographic
components of a security module to insure all components are functioning correctly. The router includes
an array of self-tests that are run during startup and periodically during operations. If any of the self-tests
fail, the router transitions into an error state. Within the error state, all secure data transmission is halted
and the router outputs status information indicating the failure.
Note
After the router recovers from failure of a power-up self-test performed by the AIM-VPN/EP, the
router only allows plaintext traffic to pass through and no encrypted traffic is allowed.
Self-tests performed by the IOS image:
•
Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy
16
Manual key exchange method that is symmetric. DES/3DES/AES key and HMAC-SHA-1 key are
exchanged manually and entered electronically.
Internet Key Exchange method with support for exchanging pre-shared keys manually and entering
electronically.
–
The pre-shared keys are used with Diffie-Hellman key agreement technique to derive DES,
3DES or AES keys.
–
The pre-shared key is also used to derive HMAC-SHA-1 key.
Internet Key Exchange with RSA-signature authentication.
for information on methods to zeroize each key and CSP.
Power-up tests
Firmware integrity test
–
RSA signature KAT (both signature and verification)
–
DES KAT
–
TDES KAT
–
–
AES KAT
–
SHA-1 KAT
–
PRNG KAT
–
Power-up bypass test
–
Diffie-Hellman self-test
–
HMAC SHA-1 KAT
OL-6262-01