Cryptographic Key Management
The module supports the following cryptographic algorithms: DES (legacy systems only), 3DES, DES-MAC, TDES-MAC, AES, SHA-1, HMAC-SHA-1, MD5, MD4, HMAC-MD5, Diffie-Hellman, and RSA (digital signatures and encryption/decryption, used for IKE authentication). MD5, HMAC-MD5 and MD4 are disabled when the module operates in FIPS mode.
The module supports three types of key management schemes:
•Manual key exchange (symmetric): the DES/3DES/AES key and the HMAC-SHA-1 key are exchanged manually and entered electronically.
•Internet Key Exchange (IKE) with pre-shared keys: the pre-shared keys are exchanged manually and entered electronically.
–The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive DES, 3DES or AES keys.
–The pre-shared key is also used to derive the HMAC-SHA-1 key.
•Internet Key Exchange (IKE) with RSA-signature authentication.
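The following is an added example, not part of this security policy and not Cisco code, showing how a pre-shared key and a Diffie-Hellman shared secret combine to produce the cipher key and the HMAC-SHA-1 key in IKE phase 1 (the SKEYID derivation of RFC 2409, section 5, with the prf negotiated as HMAC-SHA-1, and the key-stretching of RFC 2409 Appendix B). The Diffie-Hellman group is a constructed toy parameter (the Mersenne prime 2^127 - 1) chosen so the example runs quickly offline; a real IKE peer uses the MODP groups defined in RFC 2409 / RFC 3526. The pre-shared key, nonces, cookies and private exponents are likewise constructed inputs, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption for this example only: 2^127 - 1 is
# prime, but real IKE peers negotiate an RFC 2409 / RFC 3526 MODP group.
P = (1 << 127) - 1
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf, negotiated here as HMAC-SHA-1 (RFC 2409, section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(private: int) -> int:
    """Public value g^x mod p sent in the KE payload."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> bytes:
    """Shared secret g^xy as a fixed-width big-endian byte string."""
    return pow(peer_public, private, P).to_bytes(P_BYTES, "big")


def ikev1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                   cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID family for pre-shared-key authentication (RFC 2409, section 5).

    SKEYID is keyed by the pre-shared key; SKEYID_d seeds the IPsec SA keys,
    SKEYID_a is the HMAC-SHA-1 key protecting IKE messages, and SKEYID_e is
    the key material for the IKE SA cipher (DES/3DES/AES on this module).
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def expand_cipher_key(skeyid_e: bytes, length: int) -> bytes:
    """RFC 2409 Appendix B: stretch SKEYID_e when the cipher needs more than
    one prf output (e.g. 24 bytes for 3DES or 32 bytes for AES-256).
    K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), K3 = prf(SKEYID_e, K2), ...
    """
    if length <= len(skeyid_e):
        return skeyid_e[:length]
    out, block = b"", prf(skeyid_e, b"\x00")
    while len(out) < length:
        out += block
        block = prf(skeyid_e, block)
    return out[:length]


def run_exchange(psk: bytes, xi: int, xr: int, ni: bytes, nr: bytes,
                 cky_i: bytes, cky_r: bytes) -> tuple:
    """Both peers of one phase-1 exchange; each derives its own key set
    from the DH secret it computes plus the shared pre-shared key."""
    yi, yr = dh_public(xi), dh_public(xr)
    keys_i = ikev1_psk_keys(psk, ni, nr, dh_shared(xi, yr), cky_i, cky_r)
    keys_r = ikev1_psk_keys(psk, ni, nr, dh_shared(xr, yi), cky_i, cky_r)
    return keys_i, keys_r


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    psk = b"constructed-pre-shared-key"
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    keys_i, keys_r = run_exchange(psk, xi, xr, ni, nr, cky_i, cky_r)
    print("peers agree:", keys_i == keys_r)
    print("HMAC-SHA-1 key (SKEYID_a):", keys_i["SKEYID_a"].hex())
    print("AES-256 key from SKEYID_e:",
          expand_cipher_key(keys_i["SKEYID_e"], 32).hex())
```

Two points worth noting from the code: a wrong pre-shared key on either side changes SKEYID and therefore every derived key, which is what makes the exchange authenticate, and the DH secret is fresh per tunnel, so the derived keys are bound to that tunnel even though the pre-shared key is reused.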
All pre-shared keys are associated with the Crypto Officer role that created them, and the Crypto Officer role is protected by a password. Therefore, the Crypto Officer password is associated with all the pre-shared keys. The Crypto Officer must be authenticated before storing keys. Each Diffie-Hellman (DH) key agreed for a tunnel is associated, through the IKE protocol, with that specific tunnel only.
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM