Cryptographic Key Management

 

 

Table 2   Critical Security Parameters (Continued)

#   CSP Name  Description                                                        Storage
--  --------  -----------------------------------------------------------------  -----------------
14  CSP14     The IPSec encryption key. Zeroized when the IPSec session is       DRAM (plaintext)
              terminated.

15  CSP15     The IPSec authentication key. Zeroized in the same way as CSP14,   DRAM (plaintext)
              when the IPSec session is terminated.

16  CSP16     The RSA public key of the CA. The no crypto ca trust <label>       NVRAM (plaintext)
              command invalidates the key and frees the public key label,
              which in essence prevents use of the key. This key does not
              need to be zeroized because it is a public key.

17  CSP17     The public key of the DNS server. Zeroized using the same          NVRAM (plaintext)
              mechanism as CSP16: the no crypto ca trust <label> command
              invalidates the DNS server public key and frees the public key
              label, which in essence prevents use of that key. This label is
              different from the label used for CSP16. This key does not need
              to be zeroized because it is a public key.

18  CSP18     The SSL session key. Zeroized when the SSL connection is           DRAM (plaintext)
              terminated.

19  CSP19     The ARAP key that is hardcoded in the module binary image. This    Flash (plaintext)
              key can be deleted by erasing the Flash.

20  CSP20     An ARAP user password used as an authentication key. A function    DRAM (plaintext)
              uses this key in a DES algorithm for authentication.

21  CSP21     The key used to encrypt values in the configuration file. This     NVRAM (plaintext)
              key is zeroized when the no key config-key command is issued.

22  CSP22     The key used by the router to authenticate itself to the peer.     DRAM (plaintext)
              The router obtains the password that is used as this key from
              the AAA server and sends it on to the peer. The password
              retrieved from the AAA server is zeroized upon completion of
              the authentication attempt.

23  CSP23     The RSA public key used in SSH. Zeroized after the SSH session     DRAM (plaintext)
              is terminated. This key does not need to be zeroized because it
              is a public key; however, it is zeroized as described here.

24  CSP24     The authentication key used in PPP. This key is held in DRAM       DRAM (plaintext)
              and is not zeroized at runtime. Because it is stored in DRAM,
              powering off the router zeroizes it.
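The session-key rows of the table (CSP14, CSP15, CSP18) state that the key sits in plaintext in DRAM and is zeroized when the session ends. The C program below is an added example, not code from this security policy or from Cisco; it shows what zeroize-on-termination has to look like in software for the overwrite to actually happen. The SA struct layout, the key lengths, the SPI value and the key bytes are assumptions made for illustration (the keys are constructed, not IKE-derived).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example only: models an IPsec SA's session-key material (CSP14 encryption
 * key, CSP15 authentication key) held in plaintext in DRAM and zeroized when
 * the SA is torn down. Key lengths are assumptions for illustration. */
#define ENC_KEY_LEN  32   /* assumed: e.g. a 256-bit AES key */
#define AUTH_KEY_LEN 20   /* assumed: e.g. an HMAC-SHA-1 key */

struct ipsec_sa {
    uint32_t spi;
    uint8_t  enc_key[ENC_KEY_LEN];
    uint8_t  auth_key[AUTH_KEY_LEN];
    int      active;
};

/* Zeroize that the compiler cannot elide. A plain memset() on a buffer that
 * is never read again is a dead store and may be optimized away; writing
 * through a volatile pointer forces every byte to be written. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of p[0..n) is zero, without an early exit. */
static int is_all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Install key material for a new SA (the caller supplies the keys here). */
void sa_establish(struct ipsec_sa *sa, uint32_t spi,
                  const uint8_t *enc, const uint8_t *auth)
{
    sa->spi = spi;
    memcpy(sa->enc_key, enc, ENC_KEY_LEN);
    memcpy(sa->auth_key, auth, AUTH_KEY_LEN);
    sa->active = 1;
}

/* Terminate the SA: zeroize both CSPs before the struct is freed or reused. */
void sa_terminate(struct ipsec_sa *sa)
{
    secure_zero(sa->enc_key, sizeof sa->enc_key);
    secure_zero(sa->auth_key, sizeof sa->auth_key);
    sa->active = 0;
}

/* Returns 1 if no key material remains in the SA, 0 otherwise. */
int sa_is_zeroized(const struct ipsec_sa *sa)
{
    return !sa->active
        && is_all_zero(sa->enc_key, sizeof sa->enc_key)
        && is_all_zero(sa->auth_key, sizeof sa->auth_key);
}

/* Walk one session lifecycle with constructed key bytes. Returns 1 when the
 * keys are present after establishment and gone after termination. */
int demo_session_lifecycle(void)
{
    struct ipsec_sa sa;
    uint8_t enc[ENC_KEY_LEN], auth[AUTH_KEY_LEN];
    for (size_t i = 0; i < sizeof enc; i++)  enc[i]  = (uint8_t)(0xA0 + i);
    for (size_t i = 0; i < sizeof auth; i++) auth[i] = (uint8_t)(0x10 + i);

    sa_establish(&sa, 0x1000, enc, auth);
    int before = sa_is_zeroized(&sa);   /* 0: keys present */
    sa_terminate(&sa);
    int after = sa_is_zeroized(&sa);    /* 1: keys gone */

    /* The caller's own copies are CSPs too and must be wiped as well. */
    secure_zero(enc, sizeof enc);
    secure_zero(auth, sizeof auth);
    return before == 0 && after == 1;
}

int main(void)
{
    printf("zeroize-on-terminate: %s\n",
           demo_session_lifecycle() ? "ok" : "FAILED");
    return 0;
}
```

The volatile loop is the portable way to keep the overwrite; where available, C11 Annex K `memset_s` or glibc's `explicit_bzero` do the same job. Note that the SA struct here is a stack object: a CSP that is merely "in DRAM and not zeroized at runtime" (the CSP24 case in the table) stays readable in memory until power is removed, which is exactly why the table treats power-off as the zeroization mechanism for it.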

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM    OL-3959-01    11