Cisco 2821 Series Operations - Page 20
key wrapping; the key establishment methodology provides between 80 and 112 bits of
encryption strength per NIST SP 800-57.
The following are not FIPS 140-2 approved algorithms: DES, RC4, MD5, HMAC-MD5, RSA
key wrapping and DH. DH and RSA key wrapping are nevertheless allowed (non-approved but allowed) for use in key establishment.
The module contains a HiFn 7814-W cryptographic accelerator chip, integrated in the AIM card.
Unless the AIM card is disabled by the Crypto Officer with the "no crypto engine aim"
command, the HiFn 7814-W provides AES (128-bit, 192-bit, and 256-bit) and Triple-DES (168-bit)
encryption; MD5 and SHA-1 hashing; and hardware support for DH, X9.31 RNG, RSA
encryption/decryption, and RSA public key signature/verification.
The module supports the following types of key management schemes:
1. Pre-shared key exchange via electronic key entry. The Triple-DES/AES key and the HMAC-SHA-1 key are exchanged and entered electronically.
2. Internet Key Exchange (IKE) with support for pre-shared keys exchanged and entered electronically. The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive Triple-DES or AES keys. The pre-shared key is also used to derive the HMAC-SHA-1 key.
3. RSA digital signature based authentication for IKE, with the Diffie-Hellman key agreement technique used to derive AES or Triple-DES keys.
4. RSA encrypted nonce based authentication for IKE, with the Diffie-Hellman key agreement technique used to derive AES or Triple-DES keys.
5. RSA key transport used to derive the Triple-DES or AES keys during the SSLv3.1/TLS handshake.
The module supports commercially available Diffie-Hellman and RSA key transport for key
establishment.
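The following is an added worked example, not part of this security policy and not Cisco code, showing how scheme 2 above works at the protocol level: IKEv1 (RFC 2409) phase 1 with pre-shared key authentication. Both peers run a Diffie-Hellman agreement over Oakley group 2 (the 1024-bit MODP group), and the pre-shared key enters the derivation only as the key of the HMAC-SHA-1 PRF that produces SKEYID. SKEYID_d, SKEYID_a (the HMAC-SHA-1 key) and SKEYID_e (expanded into the Triple-DES or AES key) all descend from it, so a peer with the wrong pre-shared key ends up with different keys even though it completed the same DH exchange. Phase 2 IPsec SA keys are derived from SKEYID_d by the same PRF construction and are not shown. The cookies and nonces are generated locally for the example; the private exponents can be fixed for repeatable runs. Standard library only.

```python
"""IKEv1 (RFC 2409) pre-shared-key phase 1 keying: DH agreement plus a
PSK-keyed HMAC-SHA-1 PRF.  Added illustration, not Cisco code."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, Oakley group 2 (1024-bit MODP), generator 2.
_GROUP2_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(_GROUP2_HEX, 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8  # 128 bytes


def prf(key, data):
    """The negotiated IKE PRF here is HMAC-SHA-1 (20-byte output)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(priv=None):
    """Private exponent x in [2, P-2] and public value g^x mod p."""
    x = priv if priv is not None else secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """g^xy as a fixed-width big-endian string; reject degenerate peer values
    (0, 1, p-1) that would force a trivial shared secret."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(P_LEN, "big")


def derive_skeyid(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for pre-shared-key authentication, then
    SKEYID_d (source of IPsec keying material), SKEYID_a (authentication /
    HMAC key) and SKEYID_e (encryption key)."""
    skeyid = prf(psk, ni + nr)  # only a peer holding the PSK reproduces this
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"skeyid": skeyid, "skeyid_d": skeyid_d,
            "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def expand_key(skeyid_e, length):
    """RFC 2409 appendix B: when the cipher needs more key than the PRF
    yields, K1 = prf(SKEYID_e, 0), Ki = prf(SKEYID_e, K(i-1)), Ka = K1|K2|..."""
    if len(skeyid_e) >= length:
        return skeyid_e[:length]
    block = prf(skeyid_e, b"\x00")
    out = block
    while len(out) < length:
        block = prf(skeyid_e, block)
        out += block
    return out[:length]


def ike_phase1(psk_initiator, psk_responder, xi=None, xr=None,
               rng=secrets.token_bytes):
    """Run both sides of a phase 1 exchange and return each side's keys.
    Cookies (8 bytes) and nonces (20 bytes) are constructed locally; on the
    wire each side learns the other's cookie, nonce and DH public value."""
    cky_i, cky_r = rng(8), rng(8)
    ni, nr = rng(20), rng(20)
    xi, gi = dh_keypair(xi)
    xr, gr = dh_keypair(xr)
    sides = {}
    for name, priv, peer_pub, psk in (("initiator", xi, gr, psk_initiator),
                                      ("responder", xr, gi, psk_responder)):
        gxy = dh_shared(priv, peer_pub)
        keys = derive_skeyid(psk, ni, nr, gxy, cky_i, cky_r)
        keys["aes256_key"] = expand_key(keys["skeyid_e"], 32)  # 256-bit AES
        keys["tdes_key"] = expand_key(keys["skeyid_e"], 24)    # 168-bit 3DES
        keys["hmac_sha1_key"] = keys["skeyid_a"]
        sides[name] = keys
    return sides


if __name__ == "__main__":
    ok = ike_phase1(b"cisco123", b"cisco123")
    bad = ike_phase1(b"cisco123", b"cisco124")
    print("matching PSK, same AES key:",
          ok["initiator"]["aes256_key"] == ok["responder"]["aes256_key"])
    print("wrong PSK, same AES key:",
          bad["initiator"]["aes256_key"] == bad["responder"]["aes256_key"])
```

Nothing in the exchange itself reveals a PSK mismatch until one side fails to verify the other's HASH payload, which is why the policy can say the pre-shared key, rather than the DH values, is what binds the derived Triple-DES/AES and HMAC-SHA-1 keys to the CO who entered it.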
All pre-shared keys are associated with the CO role that created them, and the CO role is
protected by a password; the CO password is therefore associated with all pre-shared keys.
The Crypto Officer must be authenticated before keys can be stored. All Diffie-Hellman (DH) keys agreed
upon for individual tunnels are directly associated with that specific tunnel only, via the IKE
protocol. RSA public keys are entered into the module using digital certificates, which contain
data such as the name of the public key's owner and so associate the key with the
correct entity. All other keys are associated with the user/role that entered them.
Key Zeroization:
Each key can be zeroized by issuing the "no" form of the command that configured it (for example, "no" prefixed to the key function command).
This zeroizes the key from DRAM, that is, from the running configuration.
"clear crypto ipsec sa" will zeroize the Triple-DES/AES session key (which is derived using
the Diffie-Hellman key agreement technique) from DRAM. This session key is only
© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
20