Cryptographic Key Management
Table 2 Critical Security Parameters (Continued)

| # | CSP Name | Description | Storage |
|---|---|---|---|
| 25 | CSP25 | This key is used by the router to authenticate itself to the peer. The key is identical to #22 except that it is retrieved from the local database (on the router itself). Issuing the no username password command zeroizes the password (that is used as this key) from the local database. | NVRAM (plaintext) |
| 26 | CSP26 | This is the SSH session key. It is zeroized when the SSH session is terminated. | DRAM (plaintext) |
| 27 | CSP27 | The password of the User role. This password is zeroized by overwriting it with a new password. | NVRAM (plaintext) |
| 28 | CSP28 | The plaintext password of the Crypto Officer role. This password is zeroized by overwriting it with a new password. | NVRAM (plaintext) |
| 29 | CSP29 | The ciphertext password of the Crypto Officer role. However, the algorithm used to encrypt this password is not FIPS approved. Therefore, this password is considered plaintext for FIPS purposes. This password is zeroized by overwriting it with a new password. | NVRAM (plaintext) |
| 30 | CSP30 | The RADIUS shared secret. This shared secret is zeroized by executing the “no” form of the RADIUS shared secret set command. | DRAM (plaintext), NVRAM (plaintext) |
| 31 | CSP31 | The TACACS+ shared secret. This shared secret is zeroized by executing the “no” form of the TACACS+ shared secret set command. | DRAM (plaintext), NVRAM (plaintext) |

The services that access the CSPs, the type of access, and the role that accesses each CSP are listed in Figure 6.