Aruba Networks FIPS 140-2 manual Crypto Officer Services, WPA2 PSK, Kek


4.2 Services

The module provides various services depending on role. These are described below.

4.2.1 Crypto Officer Services

The CO role has the same services in each of the FIPS modes defined in section 3.3.

| Service | Description | CSPs Accessed (see section 6 below for complete description of CSPs) |
|---|---|---|
| FIPS mode enable/disable | The CO selects/de-selects FIPS mode as a configuration option. | None. |
| Key Management | The CO can configure/modify the IKE shared secret (The RSA private key is protected by non-volatile memory and cannot be modified) and the WPA2 PSK (used in advanced Remote AP configuration). Also, the CO/User implicitly uses the KEK to read/write configuration to non-volatile memory. | IKE shared secret, WPA2 PSK, KEK |
| Remotely reboot module | The CO can remotely trigger a reboot | KEK is accessed when configuration is read during reboot. The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot. |
| Self-test triggered by CO/User reboot | The CO can trigger a programmatic reset leading to self-test and initialization | KEK is accessed when configuration is read during reboot. The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot. |
| Update module firmware | The CO can trigger a module firmware update | The firmware verification key and firmware verification CA key are accessed to validate firmware prior to writing to flash. |
| Configure non-security related module parameters | CO can configure various operational parameters that do not relate to security | None. |
