Enterasys Networks XSR-3250, XSR-1805, XSR-1850 manual Fips 186-2 Prng

Page 17

the encryption accelerators. The encryption accelerators implement the following FIPS-approved algorithms:

XSR-18xxTriple-DES, DES, and HMAC SHA-1

XSR-3250 – AES, Triple-DES, DES, and HMAC SHA-1

Cryptographic processing is performed during SSHv2, SNMPv3, IKE, IPSec, and when accessing and storing database files.

The module supports the following critical and non-critical security parameters:

CSPs and non-

CSPs and non-

Generation

Storage

Use

critical SPs

critical SPs type

 

 

 

Key encryption

168-bit TDES key

External

Hard-coded in

Encrypts master

key

 

 

plaintext

encryption key

Master encryption

168-bit TDES key

Internal – using

Stored encrypted

Encrypts user data,

key

 

FIPS 186-2 PRNG

in NVRAM of the

certificates, and

 

 

Or

Dallas DS1687

DSA host key, and

 

 

External

real time clock

the load test HMAC

 

 

 

chip

SHA-1 key

DSA host key pair

160-bit DSA

Internal – using

Stored encrypted

Module

 

private key and

FIPS 186-2 PRNG

in Flash

authentication

 

1024-bit DSA

 

 

during SSHv2

 

public key

 

 

 

IKE RSA key pair

1024-bit RSA

Internal – using

Stored encrypted

Module

 

private/public key

FIPS 186-2 PRNG

in Flash

authentication

 

pair

 

 

during IKE

IKE User RSA

1024-bit RSA

External

Stored encrypted

User authentication

public keys

public key

 

in Flash

during IKE

Pre-shared keys

6-character pre-

External

Stored encrypted

User and module

 

shared key

 

in Flash

authentication

 

 

 

 

during IKE

IKE Diffie-Hellman

768/1024/1536-bit

Internal – using

Stored in plaintext

Key agreement

key pair

Diffie-Hellman

FIPS 186-2 PRNG

in memory

during IKE

 

private/public key

 

 

 

 

pair

 

 

 

IKE User Diffie-

768/1024/1536-bit

External

Stored in plaintext

Key agreement

Hellman public key

Diffie-Hellman

 

in memory

during IKE

 

public key

 

 

 

SSHv2 Diffie-

768/1024/1536-bit

Internal – using

Stored in plaintext

Key agreement

Hellman key pair

Diffie-Hellman

FIPS 186-2 PRNG

in memory

during SSHv2

 

private/public key

 

 

 

 

pair

 

 

 

SSHv2 User Diffie-

768/1024/1536-bit

External

Stored in plaintext

Key agreement

Hellman public key

Diffie-Hellman

 

in memory

during SSHv2

 

public key

 

 

 

SSHv2 session

168-bit TDES or

Established during

Stored in plaintext

Secure SSH traffic

keys

128/192/256-bit

the SSH key

in memory

 

 

AES keys; HMAC

exchange using

 

 

 

SHA-1 keys

the Diffie-Hellman

 

 

 

 

key agreement

 

 

© Copyright 2003 Enterasys Networks Page 17 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Image 17
Contents Fips 140-2 Non-Proprietary Security Policy Table of Contents References PurposeDocument Organization Copyright 2003 Enterasys Networks Page 3Copyright 2003 Enterasys Networks Page 4 Copyright 2003 Enterasys Networks Page 5 OverviewCryptographic Module Copyright 2003 Enterasys Networks Page 7 EMI/EMC Module InterfacesSelf-tests Design Assurance Mitigation of Other Attacks Copyright 2003 Enterasys Networks Page 8Copyright 2003 Enterasys Networks Page 9 Copyright 2003 Enterasys Networks Page 10 Module Physical Ports Fips 140-2 Logical InterfaceCopyright 2003 Enterasys Networks Page 11 Roles and ServicesSnmp SSHVPN Copyright 2003 Enterasys Networks Page 14 Authenticate to the module during IKE. ThisIKE Physical Security Algorithm using a 1024 bit key pairOperational Environment Mechanism is as strong as the RSACryptographic Key Management Fips 186-2 Prng Copyright 2003 Enterasys Networks Page 18 Copyright 2003 Enterasys Networks Page 19 Copyright 2003 Enterasys Networks Page 20 Self-TestsCopyright 2003 Enterasys Networks Page 21 Design AssuranceMitigation of Other Attacks Copyright 2003 Enterasys Networks Page 22 Crypto Officer GuidanceCopyright 2003 Enterasys Networks Page 23 Enter copy running-config startup-configCopyright 2003 Enterasys Networks Page 24 User GuidanceCopyright 2003 Enterasys Networks Page 25 XSR