Enterasys Networks XSR-1805, XSR-1850, XSR-3250 manual Copyright 2003 Enterasys Networks Page 18

Page 18

IPSec session

56-bit DES, 168-bit

Established during

Stored in plaintext

Secure IPSec

keys

TDES, or

the Diffie-Hellman

in memory

traffic

 

128/192/256-bit

key agreement

 

 

 

AES keys; HMAC

 

 

 

 

SHA-1 key

 

 

 

Load test HMAC

80-bit HMAC

External

Stored encrypted

Compute and verify

SHA-1 key

SHA-1 key

 

in NVRAM of the

the HMAC SHA-1

 

 

 

real time clock

value for the

 

 

 

chip

software load test

Passwords

6-character

External

If stored in

Crypto Officer

 

password

 

configuration file,

authentication for

 

(SNMPv3 requires

 

passwords are

accessing the

 

at least 8

 

stored in plaintext

management

 

characters)

 

in Flash; if stored

interfaces (CLI,

 

 

 

in user.dat,

SNMPv3, and

 

 

 

passwords are

Bootrom Moniot

 

 

 

stored encrypted

Mode), RADIUS

 

 

 

in Flash; Bootrom

authentication

 

 

 

passwords are

 

 

 

 

stored in plaintext

 

 

 

 

in NVRAM of the

 

 

 

 

real time clock

 

 

Table 8 – Listing CSPs for the Module

 

Key Generation

The RSA key pair used during IKE, the DSA host key pair used during SSHv2, and the Diffie-Hellman key pairs used during IPSec and SSHv2 are all generated within the module. Additionally, each module gives the option to generate the 3-key Triple-DES master encryption key within the module. All keys that are generated within a module are generated using a FIPS-approved PRNG.

Key Establishment

The modules implement SSHv2 and IKE for automatic key establishment. These protocols implement the Diffie-Hellman key agreement to establish shared secrets.

Key Entry and Output

Three types of secret keys can be entered in plaintext form into the modules: the master encryption key, pre-shared keys, and the load test HMAC SHA-1 key. The master encryption key can either be specified or generated within the module. Pre-shared keys, if chosen as the authentication method for IKE, must always be entered into the module by the Crypto Officer. The HMAC SHA-1 key must be entered into the module before a valid software file is loaded into the module.

The three keys are entered electronically if the SSH or the Telnet over IPSec secured remote session is used or manually if the module is accessed locally through the console port. When these keys are manually entered, a manual key entry test is performed.

© Copyright 2003 Enterasys Networks Page 18 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Image 18
Contents Fips 140-2 Non-Proprietary Security Policy Table of Contents Document Organization PurposeReferences Copyright 2003 Enterasys Networks Page 3Copyright 2003 Enterasys Networks Page 4 Overview Copyright 2003 Enterasys Networks Page 5Cryptographic Module Copyright 2003 Enterasys Networks Page 7 Self-tests Design Assurance Mitigation of Other Attacks Module InterfacesEMI/EMC Copyright 2003 Enterasys Networks Page 8Copyright 2003 Enterasys Networks Page 9 Module Physical Ports Fips 140-2 Logical Interface Copyright 2003 Enterasys Networks Page 10Roles and Services Copyright 2003 Enterasys Networks Page 11SSH SnmpVPN Authenticate to the module during IKE. This IKECopyright 2003 Enterasys Networks Page 14 Operational Environment Algorithm using a 1024 bit key pairPhysical Security Mechanism is as strong as the RSACryptographic Key Management Fips 186-2 Prng Copyright 2003 Enterasys Networks Page 18 Copyright 2003 Enterasys Networks Page 19 Self-Tests Copyright 2003 Enterasys Networks Page 20Design Assurance Mitigation of Other AttacksCopyright 2003 Enterasys Networks Page 21 Crypto Officer Guidance Copyright 2003 Enterasys Networks Page 22Enter copy running-config startup-config Copyright 2003 Enterasys Networks Page 23User Guidance Copyright 2003 Enterasys Networks Page 24XSR Copyright 2003 Enterasys Networks Page 25