Cryptographic Key Management

Table 2. Critical Security Parameters (Continued)

| # | CSP Name | Description | Storage |
|---|----------|-------------|---------|
| 14 | CSP14 | The IPSec encryption key. Zeroized when IPSec session is terminated. | DRAM (plaintext) |
| 15 | CSP15 | The IPSec authentication key. The zeroization is the same as above. | DRAM (plaintext) |
| 16 | CSP16 | The RSA public key of the CA. The no crypto ca trust <label> command invalidates the key and it frees the public key label, which in essence prevents use of the key. This key does not need to be zeroized because it is a public key. | NVRAM (plaintext) |
| 17 | CSP17 | This key is a public key of the DNS server. Zeroized using the same mechanism as above. The no crypto ca trust <label> command invalidates the DNS server public key and it frees the public key label, which in essence prevents use of that key. This label is different from the label in the above key. This key does not need to be zeroized because it is a public key. | NVRAM (plaintext) |
| 18 | CSP18 | The SSL session key. Zeroized when the SSL connection is terminated. | DRAM (plaintext) |
| 19 | CSP19 | The ARAP key that is hardcoded in the module binary image. This key can be deleted by erasing the Flash. | Flash (plaintext) |
| 20 | CSP20 | This is an ARAP user password used as an authentication key. A function uses this key in a DES algorithm for authentication. | DRAM (plaintext) |
| 21 | CSP21 | The key used to encrypt values of the configuration file. This key is zeroized when the no key | NVRAM (plaintext) |
| 22 | CSP22 | This key is used by the router to authenticate itself to the peer. The router itself gets the password (that is used as this key) from the AAA server and sends it onto the peer. The password retrieved from the AAA server is zeroized upon completion of the authentication attempt. | DRAM (plaintext) |
| 23 | CSP23 | The RSA public key used in SSH. Zeroized after the termination of the SSH session. This key does not need to be zeroized because it is a public key; however, it is zeroized as mentioned here. | DRAM (plaintext) |
| 24 | CSP24 | The authentication key used in PPP. This key is in the DRAM and not zeroized at runtime. One can turn off the router to zeroize this key because it is stored in DRAM. | DRAM (plaintext) |