Aruba Networks FIPS 140-2 manual Psk, Ptk, Aes-Ccm

Page 33

Critical Security Parameters (continued)

| CSP | CSP Type | Generation | Storage and Zeroization | Use |
|---|---|---|---|---|
| WPA2 PSK | 16-64 character shared secret used to authenticate mesh connections and in advanced Remote AP configuration | CO configured through administrative interface, or by advanced configuration programmed into AP by the controller over the IPSec session. | Encrypted in flash using the KEK; zeroized by updating through administrative interface, or by the 'ap wipe out flash' command. | Used to derive the PMK for 802.11i mesh connections between APs and in Remote AP connections. |
| 802.11i Pairwise Master Key (PMK) | 512-bit shared secret used to derive 802.11i session keys | Derived from WPA2 PSK | In volatile memory only; zeroized on reboot | Used to derive 802.11i Pairwise Transient Key (PTK) |
| 802.11i Pairwise Transient Key (PTK) | 512-bit shared secret from which Temporal Keys (TKs) are derived | Derived during 802.11i 4-way handshake | In volatile memory only; zeroized on reboot | All session encryption/decryption keys are derived from the PTK |
| 802.11i EAPOL MIC Key | 128-bit shared secret used to protect 4-way (key) handshake | Derived from PTK | In volatile memory only; zeroized on reboot | Used for integrity validation in 4-way handshake |
| 802.11i EAPOL Encr Key | 128-bit shared secret used to protect 4-way handshakes | Derived from PTK | In volatile memory only; zeroized on reboot | Used for confidentiality in 4-way handshake |
| 802.11i data AES-CCM encryption/MIC key | 128-bit AES-CCM key | Derived from PTK | Stored in plaintext in volatile memory; zeroized on reboot | Used for 802.11i packet encryption and integrity verification (this is the CCMP or AES-CCM key) |

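The table above describes the 802.11i key hierarchy the module relies on: the WPA2 PSK is stretched into the PMK, the PTK is derived from the PMK during the 4-way handshake, and the EAPOL MIC key, EAPOL Encr key and AES-CCM temporal key are all cut from the PTK, with the volatile keys zeroized on reboot. The following Python is an added example written for this page; it is not Aruba code and says nothing about how the AP firmware implements these steps. It follows the public IEEE 802.11i definitions (PBKDF2-HMAC-SHA1 with 4096 iterations for the PSK, the PRF-n built from HMAC-SHA1 for the PTK, and HMAC-SHA1-128 for the EAPOL-Key MIC). The "password"/"IEEE" passphrase is the IEEE 802.11i Annex H test vector; the MAC addresses, nonces and EAPOL frame bytes are constructed placeholders, and `zeroize` only models the "zeroized on reboot" column for a single buffer.

```python
import hashlib
import hmac

# 802.11i key hierarchy from the CSP table: PSK -> PMK -> PTK -> {KCK, KEK, TK}.
# Added example, not the module's own code.

PTK_LABEL = b"Pairwise key expansion"  # label fixed by IEEE 802.11i for PTK derivation


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2 PSK -> PMK (the table's 'Derived from WPA2 PSK' row).

    A 64-hex-character PSK is already the 256-bit PMK; any other passphrase is
    stretched with PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations (IEEE 802.11i).
    """
    if len(passphrase) == 64:
        try:
            return bytes.fromhex(passphrase)
        except ValueError:
            pass  # not hex: treat it as an ordinary passphrase below
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_80211i(key: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) blocks, truncated."""
    out = b""
    for i in range((out_bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: out_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               ptk_bits: int = 512) -> bytes:
    """PMK -> PTK during the 4-way handshake (the table's 512-bit PTK row).

    Addresses and nonces are ordered by value, so AP and client compute the same PTK.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_80211i(pmk, PTK_LABEL, data, ptk_bits)


def split_ptk(ptk: bytes) -> dict:
    """PTK -> EAPOL MIC key (KCK), EAPOL Encr key (KEK), AES-CCM temporal key (TK), 128 bits each.

    CCMP uses only these first 384 bits; the remaining 128 bits of a 512-bit PTK serve TKIP.
    """
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Integrity check on a 4-way-handshake EAPOL-Key frame with the KCK.

    Key descriptor version 2 (AES-CCM / WPA2): HMAC-SHA1 truncated to 128 bits,
    computed over the frame with its MIC field set to zero.
    """
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def zeroize(buf: bytearray) -> bool:
    """Model the 'zeroized on reboot' column for an in-memory key: overwrite in place.

    Python gives no guarantee about other copies of the bytes; this covers the buffer given.
    """
    for i in range(len(buf)):
        buf[i] = 0
    return all(b == 0 for b in buf)


def demo() -> dict:
    """Walk the hierarchy end to end on constructed inputs and report the results."""
    pmk = pmk_from_psk("password", "IEEE")  # IEEE 802.11i Annex H test vector
    aa = bytes.fromhex("001122334455")       # authenticator (AP) MAC, constructed
    spa = bytes.fromhex("66778899aabb")      # supplicant (client) MAC, constructed
    anonce = bytes(range(32))                # constructed nonces; real ones come from an RNG
    snonce = bytes(range(32, 64))
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    keys = split_ptk(ptk)
    # Constructed EAPOL-Key frame with the 16-byte MIC field zeroed; not a real capture.
    frame = b"\x02\x03\x00\x5f\x02" + b"\x00" * 90
    mic = eapol_mic(keys["kck"], frame)
    tk = bytearray(keys["tk"])
    wiped = zeroize(tk)  # what 'zeroized on reboot' means for the temporal key
    return {"pmk": pmk.hex(), "ptk_bits": len(ptk) * 8, "kck": keys["kck"].hex(),
            "tk": keys["tk"].hex(), "mic": mic.hex(), "tk_zeroized": wiped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The split in `split_ptk` matches the table: the first 128 bits are the EAPOL MIC key, the next 128 the EAPOL Encr key, and the next 128 the AES-CCM key that protects data frames. Because the PMK is a pure function of the passphrase and SSID, the strength of every key below it is bounded by the PSK, which is why the table treats the PSK as a CSP that must be encrypted at rest and zeroized on the `ap wipe out flash` command.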