Motorola S2500 manual Firmware Implementations, Allowed Algorithms, Non-FIPS approved algorithms

Models: S2500


MNR S2500 Security Policy

Version 1.3, Revision Date: 1/13/2009

Firmware Implementations

a. Triple-DES – CBC mode (112 and 168 bit) for IKE and SSHv2 encryption (Cert. #581)

b. AES – CBC (128, 192, 256 bit), ECB (128), and CFB (128) modes for IKE and SSHv2 encryption (Cert. #611)

c. HMAC-SHA-1 for IKE and SSHv2 authentication (Cert. #322)

d. SHA-1 for message hash (Cert. #659)

e. RSA v1.5 1024 bit – for public/private key pair generation and digital signatures (Cert. #283)

f. DSA 1024 bit – for public/private key pair generation and digital signatures (Cert. #237)

g. ANSI X9.31 Deterministic Random Number Generator (DRNG) (Cert. #349)

The MNR S2500 router supports the commercially available IKE and Diffie-Hellman protocols for key establishment, the IPsec (ESP) and FRF.17 protocols to provide data confidentiality using FIPS-approved encryption and authentication algorithms, and SSHv2 for secure remote access.

Allowed Algorithms

Diffie-Hellman: allowed for key agreement per Annex D; the key agreement methodology provides 80 to 112 bits of encryption strength

Hardware non-deterministic RNG: Provides seed for approved deterministic RNG

MD5: for hashing (Provides interoperability within supported protocols)

HMAC-MD5

Non-FIPS approved algorithms

In a non-FIPS mode of operation, the cryptographic module provides non-FIPS-approved algorithms as follows:

DES for encryption/decryption

Non-approved SW RNG

Diffie-Hellman (Group 1 - 768 bit)
