Aruba Networks FIPS 140-2 manual: GMK, GTK

Page 34

Critical Security Parameters (table continued from the previous page). Each row lists the CSP, its type, how it is generated, where it is stored and how it is zeroized, and what it is used for.

CSP | CSP type | Generation | Storage and zeroization | Use

802.11i Group Master Key (GMK) | 256-bit secret used to derive GTK | Generated from approved RNG | Stored in plaintext in volatile memory; zeroized on reboot | Used to derive Group Transient Key (GTK)

802.11i Group Transient Key (GTK) | 256-bit shared secret used to derive group (multicast) encryption and integrity keys | Internally derived by the AP, which assumes the "authenticator" role in the handshake | Stored in plaintext in volatile memory; zeroized on reboot | Used to derive multicast cryptographic keys

802.11i Group AES-CCM Data Encryption/MIC Key | 128-bit AES-CCM key derived from GTK | Derived from 802.11 group key handshake | Stored in plaintext in volatile memory; zeroized on reboot | Used to protect multicast message confidentiality and integrity (AES-CCM)

RSA private key | 1024/2048-bit RSA private key | Generated on the AP (remains in the AP at all times) | Stored in and protected by the AP's non-volatile memory; zeroized by the 'ap wipe out flash' command | Used for IKEv1/IKEv2 authentication when the AP is authenticating using certificate-based authentication
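The first three rows describe one key hierarchy: a random GMK held by the AP (the 802.11i authenticator), a GTK derived from it, and a 128-bit AES-CCM temporal key taken from the GTK. The following is an added example, not code from the Aruba module or its security policy. It implements the PRF defined in IEEE 802.11-2007 clause 8.5.1.1 (HMAC-SHA1 over label || 0x00 || data || counter) and the standard's GTK derivation GTK = PRF-X(GMK, "Group key expansion", AA || GNonce), using the OS CSPRNG in place of the module's approved RNG. The standard derives a 128-bit GTK for CCMP and uses it directly as the temporal key; to follow the table's wording (256-bit GTK, 128-bit AES-CCM key derived from it) the example derives 256 bits and truncates, and that truncation is labelled as an assumption. The AP address and nonce values are constructed sample data.

```python
"""802.11 group key hierarchy sketch: GMK -> GTK -> AES-CCM temporal key.

Added example, not Aruba Networks code. PRF and GTK derivation follow
IEEE 802.11-2007 8.5.1.1; everything else is illustrative.
"""
import hashlib
import hmac
import secrets


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-nbits: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbits are available, then truncate."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def generate_gmk() -> bytes:
    """256-bit GMK from the OS CSPRNG (stands in for the module's approved RNG)."""
    return secrets.token_bytes(32)


def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes, nbits: int = 256) -> bytes:
    """Authenticator-side GTK derivation.

    aa is the authenticator's 6-byte MAC address (the AP's BSSID); gnonce is a
    32-byte random value chosen by the authenticator. nbits=256 follows the
    table's description of the GTK size.
    """
    if len(aa) != 6 or len(gnonce) != 32:
        raise ValueError("AA must be 6 bytes and GNonce 32 bytes")
    return prf(gmk, b"Group key expansion", aa + gnonce, nbits)


def ccmp_temporal_key(gtk: bytes) -> bytes:
    """Assumption for illustration: the 128-bit AES-CCM data encryption/MIC key
    is the first 16 bytes of the 256-bit GTK. (IEEE 802.11 uses PRF-128 directly
    for CCMP, so the GTK itself is the temporal key there.)"""
    if len(gtk) < 16:
        raise ValueError("GTK too short for a 128-bit temporal key")
    return gtk[:16]


def zeroize(buf: bytearray) -> bytearray:
    """Overwrite a key buffer in place. Python bytes are immutable, so key
    material that must be zeroized (cf. 'zeroized on reboot') has to live in a
    bytearray; this mirrors that step rather than relying on garbage collection."""
    for i in range(len(buf)):
        buf[i] = 0
    return buf


if __name__ == "__main__":
    # Constructed sample values: a fixed AP address and a random GNonce.
    ap_address = bytes.fromhex("001122334455")
    gmk = bytearray(generate_gmk())
    gnonce = secrets.token_bytes(32)
    gtk = bytearray(derive_gtk(bytes(gmk), ap_address, gnonce))
    tk = bytearray(ccmp_temporal_key(bytes(gtk)))
    print("GTK:", gtk.hex())
    print("AES-CCM TK:", tk.hex())
    # Simulated reboot/zeroization of every key in the hierarchy.
    for k in (gmk, gtk, tk):
        zeroize(k)
    assert not any(gmk) and not any(gtk) and not any(tk)
```

The PRF has a useful property for checking an implementation: because the output is a truncated counter-mode concatenation, PRF-128 of the same inputs equals the first 16 bytes of PRF-256, and changing either the GMK or the GNonce changes every derived key.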
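The third row says the 128-bit group key protects multicast confidentiality and integrity with AES-CCM. The following added example (not the module's code) shows what that means on the wire using the CCMP parameters from IEEE 802.11: a 13-byte nonce built from a priority byte, the transmitter address and a 48-bit packet number (PN), and an 8-byte MIC, via the `cryptography` package's AESCCM. It also includes the receive-side check a practitioner expects alongside the MIC: the PN must strictly increase, so a replayed group frame is dropped even though its MIC verifies. The header bytes used as associated data are simplified constructed sample values, not the exact CCMP AAD construction.

```python
"""AES-CCM protection of a multicast frame with the group temporal key.

Added example, not Aruba Networks code. Requires the 'cryptography' package.
Nonce layout and MIC length follow IEEE 802.11 CCMP; the AAD is simplified.
"""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

MIC_LEN = 8  # CCMP MIC is 8 bytes
PN_BITS = 48  # CCMP packet number is 48 bits


def ccmp_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """CCMP nonce: 1-byte priority || 6-byte transmitter address (A2) || 6-byte PN."""
    if len(a2) != 6:
        raise ValueError("A2 must be a 6-byte MAC address")
    if not 0 <= pn < (1 << PN_BITS):
        raise ValueError("PN out of range")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


def protect(tk: bytes, a2: bytes, pn: int, aad: bytes, body: bytes) -> bytes:
    """Encrypt the frame body with the group TK and append the 8-byte MIC.

    aad carries the header fields that must be integrity-protected but are
    sent in the clear (addresses, frame control, ...)."""
    return AESCCM(tk, tag_length=MIC_LEN).encrypt(ccmp_nonce(0, a2, pn), body, aad)


class GroupReceiver:
    """Receive side for one group TK: verifies the MIC and rejects replayed PNs."""

    def __init__(self, tk: bytes):
        if len(tk) != 16:
            raise ValueError("group AES-CCM key must be 128 bits")
        self._cipher = AESCCM(tk, tag_length=MIC_LEN)
        self.last_pn = -1  # highest PN accepted so far

    def unprotect(self, a2: bytes, pn: int, aad: bytes, frame: bytes):
        """Return the plaintext body, or None if the frame is a replay or fails the MIC."""
        if pn <= self.last_pn:
            return None  # replay (or reordering): CCMP requires PN to increase
        try:
            body = self._cipher.decrypt(ccmp_nonce(0, a2, pn), frame, aad)
        except InvalidTag:
            return None  # MIC failure: header or body tampered, or wrong key
        self.last_pn = pn  # only advance the replay window after a good MIC
        return body


if __name__ == "__main__":
    # Constructed sample values: a fixed TK, AP address, broadcast header and payload.
    tk = bytes(range(16))
    ap_address = bytes.fromhex("001122334455")
    header = b"\x08\x42" + bytes(6) + ap_address + b"\xff" * 6
    frame = protect(tk, ap_address, 1, header, b"multicast payload")
    rx = GroupReceiver(tk)
    print("first delivery:", rx.unprotect(ap_address, 1, header, frame))
    print("replay:", rx.unprotect(ap_address, 1, header, frame))
```

Note that the replay state is per temporal key and must be reset to -1 when a new GTK is installed by the group key handshake; carrying an old PN across a rekey would wrongly reject the first frames under the new key.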