Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy (page 16, OL-6262-01)

The 2621XM/2651XM Router

The module supports three types of key management schemes:

Manual key exchange method, which is symmetric. The DES/3DES/AES key and the HMAC-SHA-1 key are exchanged manually and entered electronically.

Internet Key Exchange (IKE) with pre-shared keys, which are exchanged manually and entered electronically. The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive the DES, 3DES or AES keys. The pre-shared key is also used to derive the HMAC-SHA-1 key.

Internet Key Exchange (IKE) with RSA-signature authentication.

All pre-shared keys are associated with the Crypto Officer (CO) role that created them, and the CO role is protected by a password; the CO password is therefore associated with all of the pre-shared keys. The Crypto Officer must be authenticated before keys can be stored. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are associated, via the IKE protocol, with that specific tunnel only.

Key Zeroization:

All of the keys and CSPs of the module can be zeroized. Refer to the Description column of Table 4 for information on the method used to zeroize each key and CSP.

Self-Tests

To prevent any secure data from being released, the cryptographic components of a security module must be tested to ensure that all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operation. If any self-test fails, the router transitions into an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure.

Note
After the router recovers from a failure of a power-up self-test performed by the AIM-VPN/EP, the router only allows plaintext traffic to pass through; no encrypted traffic is allowed.

Self-tests performed by the IOS image:

Power-up tests
Firmware integrity test
RSA signature KAT (both signature and verification)
DES KAT
TDES KAT
AES KAT
SHA-1 KAT
PRNG KAT
Power-up bypass test
Diffie-Hellman self-test
HMAC SHA-1 KAT
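The power-up self-test sequence and the error-state gating described in the Self-Tests section, as an added example that is not part of the security policy or of Cisco IOS. It uses only the Python standard library: the SHA-1 and HMAC SHA-1 known-answer tests use the published FIPS 180-1 and RFC 2202 vectors, while the firmware image, its integrity key and the AIM-VPN/EP result are constructed stand-ins. The DES, TDES, AES, RSA, PRNG and bypass tests of the real module are not modelled; they follow the same pattern with their own vectors. How the router "recovers" from a failed AIM-VPN/EP power-up test is an assumption here, modelled as a plaintext-only state.

```python
"""Model of the FIPS 140-2 power-up self-tests and error state (added example,
not Cisco's code). Vectors: FIPS 180-1 SHA-1("abc") and RFC 2202 test case 1.
The firmware image, integrity key and AIM stand-in are constructed."""
import hashlib
import hmac

SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_SHA1_KAT = (b"\x0b" * 20, b"Hi There",
                 "b617318655057264e28bc0b6fb378c8ef146be00")

# Constructed stand-in for the IOS image and a build-time integrity key.
FIRMWARE_IMAGE = b"c2600 IOS image (constructed stand-in)"
FIRMWARE_MAC_KEY = b"constructed-build-time-integrity-key"
FIRMWARE_MAC = hmac.new(FIRMWARE_MAC_KEY, FIRMWARE_IMAGE, hashlib.sha1).hexdigest()


class SelfTestFailure(Exception):
    pass


class CryptoModule:
    """States: POWER_UP -> OPERATIONAL on success; ERROR when an IOS-image test
    fails (all traffic halted); PLAINTEXT_ONLY after recovering from a failed
    AIM-VPN/EP power-up test (plaintext forwarded, encrypted traffic refused).
    The PLAINTEXT_ONLY recovery path is an assumption about the Note above."""

    def __init__(self, image, image_mac, aim_kat_passes=True):
        self.image, self.image_mac = image, image_mac
        self.aim_kat_passes = aim_kat_passes   # outcome of the AIM's own KATs
        self.state, self.status = "POWER_UP", None

    def firmware_integrity_test(self):
        mac = hmac.new(FIRMWARE_MAC_KEY, self.image, hashlib.sha1).hexdigest()
        if not hmac.compare_digest(mac, self.image_mac):
            raise SelfTestFailure("firmware integrity test")

    def sha1_kat(self):
        msg, digest = SHA1_KAT
        if hashlib.sha1(msg).hexdigest() != digest:
            raise SelfTestFailure("SHA-1 KAT")

    def hmac_sha1_kat(self):
        key, msg, mac = HMAC_SHA1_KAT
        if hmac.new(key, msg, hashlib.sha1).hexdigest() != mac:
            raise SelfTestFailure("HMAC SHA-1 KAT")

    def dh_self_test(self):
        # Pairwise-consistency check on a small test-only group (not an IKE
        # group): both sides of an exchange must reach the same shared secret.
        p, g, a, b = 0xFFFFFFFB, 2, 123456789, 987654321
        if pow(pow(g, a, p), b, p) != pow(pow(g, b, p), a, p):
            raise SelfTestFailure("Diffie-Hellman self-test")

    def power_up(self):
        """Run the IOS-image tests, then the AIM card's; return the status output."""
        for test in (self.firmware_integrity_test, self.sha1_kat,
                     self.hmac_sha1_kat, self.dh_self_test):
            try:
                test()
            except SelfTestFailure as exc:
                # Error state: nothing secure leaves the box, status names the test.
                self.state, self.status = "ERROR", f"ERROR: {exc} failed"
                return self.status
        if not self.aim_kat_passes:
            # Router recovers with the accelerator disabled: plaintext only.
            self.state = "PLAINTEXT_ONLY"
            self.status = "PLAINTEXT_ONLY: AIM-VPN/EP power-up self-test failed"
            return self.status
        self.state, self.status = "OPERATIONAL", "OPERATIONAL"
        return self.status

    def forward(self, encrypted: bool) -> str:
        """Data-path gate: what happens to a packet in the current state."""
        if self.state not in ("OPERATIONAL", "PLAINTEXT_ONLY"):
            return "halted"           # POWER_UP or ERROR: no traffic at all
        if encrypted and self.state == "PLAINTEXT_ONLY":
            return "refused"
        return "forwarded"


if __name__ == "__main__":
    good = CryptoModule(FIRMWARE_IMAGE, FIRMWARE_MAC)
    print(good.power_up(), good.forward(encrypted=True))
    tampered = CryptoModule(FIRMWARE_IMAGE + b"!", FIRMWARE_MAC)
    print(tampered.power_up(), tampered.forward(encrypted=False))
    aim_down = CryptoModule(FIRMWARE_IMAGE, FIRMWARE_MAC, aim_kat_passes=False)
    print(aim_down.power_up(), aim_down.forward(encrypted=True))
```

Run stand-alone, it prints OPERATIONAL for a clean image, the error status with the data path halted for a tampered image, and the plaintext-only status when the accelerator's own test fails. The property worth checking in any such module is the one the model enforces: the error decision is made before the data path opens, and the status output names the failed test without exposing key material.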
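The pre-shared-key IKE scheme from the key management list earlier on this page, as an added example that is not Cisco's code: how one pre-shared key plus a Diffie-Hellman agreement yields DES/3DES/AES and HMAC-SHA-1 keys that belong to a single tunnel. The derivation follows IKEv1 (RFC 2409 sections 5 and 5.4 and Appendix B) with SHA-1 as the negotiated hash, and the 1024-bit group-2 prime is the one published in RFC 2409; whether this IOS release used that group is an assumption. The pre-shared key, nonces, cookies and private exponents are constructed for the demonstration.

```python
"""IKEv1 pre-shared-key keying for one tunnel (added example, not Cisco's code).
RFC 2409: SKEYID = prf(PSK, Ni|Nr); SKEYID_{d,a,e} bound to g^xy and the cookies.
Group-2 prime from RFC 2409; all other inputs below are constructed."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2: 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
GROUP2_LEN = 128          # g^xy is encoded at the group's byte length

KEY_LENGTHS = {"des": 8, "3des": 24, "aes128": 16, "aes256": 32}


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when SHA-1 is negotiated: HMAC-SHA-1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_private() -> int:
    return secrets.randbelow(GROUP2_P - 2) + 1


def dh_public(x: int) -> int:
    return pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x: int, peer_public: int) -> bytes:
    return pow(peer_public, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def expand(skeyid_e: bytes, length: int) -> bytes:
    """RFC 2409 Appendix B: when the cipher needs more than one prf output
    (3DES, AES-256), K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), ..."""
    if length <= len(skeyid_e):
        return skeyid_e[:length]
    out, block = b"", b"\x00"
    while len(out) < length:
        block = prf(skeyid_e, block)
        out += block
    return out[:length]


def ikev1_psk_keys(psk, ni, nr, cky_i, cky_r, gxy, cipher):
    """Phase-1 keying material for one tunnel. SKEYID mixes the PSK with this
    exchange's nonces; g^xy and the cookies then tie every key to this SA."""
    skeyid = prf(psk, ni + nr)                                        # s. 5.4
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # phase-2 seed
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # HMAC-SHA-1 key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # cipher seed
    return {"skeyid_d": bytearray(skeyid_d), "hmac_key": bytearray(skeyid_a),
            "cipher_key": bytearray(expand(skeyid_e, KEY_LENGTHS[cipher]))}


def negotiate(psk, xi, xr, ni, nr, cky_i, cky_r, cipher):
    """Each peer derives its side independently; returns (initiator, responder)."""
    gi, gr = dh_public(xi), dh_public(xr)
    init = ikev1_psk_keys(psk, ni, nr, cky_i, cky_r, dh_shared(xi, gr), cipher)
    resp = ikev1_psk_keys(psk, ni, nr, cky_i, cky_r, dh_shared(xr, gi), cipher)
    return init, resp


def zeroize(keys: dict) -> None:
    """Overwrite every key buffer in place, as zeroization of a CSP requires."""
    for buf in keys.values():
        buf[:] = bytes(len(buf))


if __name__ == "__main__":
    psk = b"constructed pre-shared key"          # entered once by the CO
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    init, resp = negotiate(psk, dh_private(), dh_private(), secrets.token_bytes(16),
                           secrets.token_bytes(16), cky_i, cky_r, "aes256")
    print("peers agree:", init == resp, "AES-256 key:", init["cipher_key"].hex())
    # A second tunnel from the same PSK gets fresh nonces and g^xy, so its keys
    # share nothing with the first beyond the PSK itself.
    other, _ = negotiate(psk, dh_private(), dh_private(), secrets.token_bytes(16),
                         secrets.token_bytes(16), cky_i, cky_r, "aes256")
    print("tunnels share keys:", other == init)
    zeroize(init)
    print("after zeroization:", init["cipher_key"].hex())
```

This is the contrast the key management list draws: under manual keying the operator-entered DES/3DES/AES and HMAC-SHA-1 keys are used as entered and shared by every SA built from them, whereas under IKE with pre-shared keys the entered secret never touches traffic directly and each tunnel's keys depend on its own nonces, cookies and DH secret. Keys are kept in bytearrays so that zeroize() can actually overwrite them; immutable bytes would leave copies behind.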