Cisco Systems 7206VXR NPE-400 manual Cryptographic Key Management


Figure 4 Tamper Evidence Label Placement (Front View)

[Figure not reproduced. Callouts: port adapters, port adapter lever, Cisco 7200 Series I/O controller, PC card slots, auxiliary port, console port, optional Fast Ethernet port (MII receptacle and RJ-45 receptacle).]

Figure 5 Tamper Evidence Label Placement (Rear View)

[Figure not reproduced. Callouts: chassis grounding receptacles, internal fans, AC-input receptacle, power supply filler plate, network processing engine or network services engine, AC-input power supply, power switch.]
Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. The tamper evidence seals provide physical protection for all keys. All keys are also protected by the password protection on the Crypto Officer role login, and can be zeroized by the Crypto Officer. Keys are exchanged manually and entered electronically via manual key exchange or Internet Key Exchange (IKE).

The modules contain a cryptographic accelerator card (VAM), which provides DES (56-bit, for legacy systems only) and 3DES (168-bit) IPSec encryption as well as MD5 and SHA-1 hashing, and has hardware support for DH and RSA key generation.

The module supports the following critical security parameters (CSPs):

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM

 

OL-3959-01
