Manuals / Enterasys Networks / Computer Equipment / Network Router

Enterasys Networks XSR-1850, XSR-1805, XSR-3250 Session keys are stored in plaintext form in RAM

Models: XSR-3250 XSR-1850 XSR-1805

1 25
Download 25 pages 10.71 Kb
Page 19
Image 19

If the master encryption key is generated within the module, the module outputs the key to the console as soon as the key is generated in order for the Crypto Officer to note down and store the key securely outside of the module. This is required, since the Crypto Officer must enter the current key before changing or removing it. The master secret key can only be configured through the serial console or over an SSH tunnel.

Key Storage

The three-key Triple-DES key encryption key used to encrypt the master encryption key is hard-coded in plaintext form. The master encryption key is stored encrypted in the extended NVRAM of the Real Time Clock chip. This 3-key Triple-DES key is used to encrypt the user data, certificates, and host key database files (user.dat, cert.dat and hostkey.dat) stored in Flash. Hostkey.dat contains the DSA host key pair, cert.dat contains the certificates (including the module’s RSA key pair), and user.dat contains all other CSPs set for the users (pre-shared keys and passwords).

The master encryption key is also used to encrypt the load test HMAC SHA-1 key, which is also stored in the NVRAM of the Real Time Clock chip.

The CLI passwords are stored in plaintext form in the startup-config file in Flash. The SNMP passwords are stored in plaintext form in the private- config file in Flash. The Bootrom password is stored in NVRAM of the Real Time Clock.

Session keys are stored in plaintext form in RAM.

Key Zeroization

The CSPs contained within the database files and the load test HMAC SHA-1 key do not need to be zeroized, since they are encrypted with the master encryption key. The master encryption key can be zeroized by either overwriting the key with a new one, removing it through the CLI, or by pressing the default configuration button (XSR-18xx only) or entering the bootrom password incorrectly five times (XSR-3250). Pressing this button reboots the module and enforces default configuration. The hard- coded key encryption key used to encrypt the master encryption key can be zeroized by formatting the Flash file system or CompactFlash card.

Passwords can be zeroized by overwriting them with new ones or by pressing the default configuration button (XSR-18xx only).

Session keys can be zeroized by rebooting the module.

© Copyright 2003 Enterasys Networks Page 19 of 25

This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Page 18 Page 20
Page 19
Image 19
Enterasys Networks XSR-1850, XSR-1805, XSR-3250 manual Session keys are stored in plaintext form in RAM
Page 18 Page 20