Cisco Systems 7206VXR NPE-400 manual Self-Tests, Key Zeroization

Self-Tests

Key Zeroization

All of the keys and CSPs of the module can be zeroized. Please refer to the Description column of Table 2 for information on methods to zeroize each key and CSP.

Self-Tests

To prevent secure data from being released, it is important to test the cryptographic components of a security module to insure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. If any of the self-tests fail, the router transitions into an error state. Within the error state, all secure data transmission is halted and the router outputs status information indicating the failure.

Self-tests performed by the IOS image:

•Power-up tests

–Firmware integrity test

–RSA signature KAT (both signature and verification)

–DES KAT

–TDES KAT

–AES KAT

–SHA-1 KAT

–PRNG KAT

–Power-up bypass test

–Diffie-Hellman self-test

–HMAC-SHA-1 KAT

•Conditional tests

–Conditional bypass test

–Pairwise consistency test on RSA signature

–Continuous random number generator tests

Self-tests performed by the VAM (cryptographic accelerator):

•Power-up tests

–Firmware integrity test

–RSA signature KAT (both signature and verification)

–DES KAT

–TDES KAT

–SHA-1 KAT

–HMAC-SHA-1 KAT

–PRNG KAT

•Conditional tests

–Pairwise consistency test on RSA signature

FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM