Security Target, Version 3.9

March 18, 2008

 

 

6.1.2 Cryptographic Support

The TOE’s cryptographic functionality is provided by FIPS 140-2-validated cryptographic modules. Each module has received either a Level 1 or Level 2 FIPS 140-2 validation. Table 8 below lists the modules and the validation levels achieved.

Table 8 - FIPS Validated Modules

| Validation | Modules | FIPS 140-2 Certificate # |
|---|---|---|
| Hardware modules FIPS 140-2 validated at level 2 | VPN Router 1750, 2700, 2750 and 5000 with Hardware Accelerator | 1068 |
| | VPN Router 1750, 2700, 2750 and 5000 with VPN Router Security Accelerator | 1073 |
| Hardware modules FIPS 140-2 validated at level 1 | Nortel VPN Router 600, 1750, 2700, 2750 and 5000 | 1066 |
| | Nortel VPN Router 1010, 1050 and 1100 | 1067 |
| Software module being validated at level 1 of FIPS 140-2 | VPN Client Software | 1032 |

The TOE’s cryptographic module implements and utilizes the following FIPS-validated cryptographic algorithms:

Table 9 - FIPS-Validated Cryptographic Algorithms

| Algorithm | Key Size(s) (bits) | Validated Against | FIPS Certificate # |
|---|---|---|---|
| 3DES | 168 | FIPS 46-3 | 641, 642, 644 |
| AES | 128, 256 | FIPS 197 | 718, 719, 721 |
| RSA⁵ | 1024, 2048 | FIPS 186-2 | 338, 339 |
| SHA-1 | N/A | FIPS 180-2 | 738, 739, 740 |
| HMAC-SHA-1 | 160 | FIPS 198⁶ | 387, 388, 389 |

The TOE generates RSA keys for signature generation and verification. During the key generation process, all weak keys are discarded. The resultant strong RSA keys are used to perform key agreement and authentication in accordance with the Diffie-Hellman and IKE protocols.

The TOE performs encryption and decryption using the 3DES and AES algorithms. The TOE implements the HMAC-SHA-1 algorithm in order to perform data origin authentication and data integrity checks upon encrypted packets entering the TOE. The TOE implements the SHA-1 algorithm in order to perform data integrity checks upon encrypted packets entering the TOE.

The TOE destroys keys when they are no longer needed by “zeroizing” them. Zeroization is performed by overwriting the memory location containing the keys with zeros before marking the memory location as free.
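The zeroize-then-free sequence described above is easy to get wrong in practice: a plain memset() immediately before free() is a dead store from the compiler's point of view and is routinely optimised away, leaving key material in freed memory. The following C code is an added illustration written for this page, not Nortel's implementation; the names secure_zeroize, aes_key_t, key_create and key_destroy are hypothetical, and the key bytes are a constructed test pattern rather than real key material. It shows a zeroization routine that writes through a volatile pointer so the stores cannot be elided, confirms the buffer reads as all zeros, and only then releases the memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite a buffer with zeros in a way the compiler cannot elide as a
 * dead store. Writing through a volatile pointer forces every store to be
 * emitted even though the memory is never read again by the program. */
static void secure_zeroize(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise.
 * Used to confirm that zeroization actually took effect. */
int is_all_zero(const uint8_t *buf, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Hypothetical key container: a 256-bit AES key held in heap memory. */
typedef struct {
    uint8_t key[32];
    size_t  key_len;
} aes_key_t;

/* Allocate a key object filled with a constructed, non-secret pattern. */
aes_key_t *key_create(void)
{
    aes_key_t *k = malloc(sizeof *k);
    if (k == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < sizeof k->key; i++) {
        k->key[i] = (uint8_t)(0xA5 ^ i);  /* constructed test pattern */
    }
    k->key_len = sizeof k->key;
    return k;
}

/* Zeroize the key material, verify it is zero, then free the container.
 * Returns 1 when zeroization was confirmed, 0 otherwise. */
int key_destroy(aes_key_t *k)
{
    if (k == NULL) {
        return 0;
    }
    secure_zeroize(k->key, sizeof k->key);
    int ok = is_all_zero(k->key, sizeof k->key);
    k->key_len = 0;
    free(k);
    return ok;
}

/* Same sequence for a stack-resident copy of key material; returns 1 if the
 * buffer reads as all zeros after zeroization. */
int zeroize_stack_copy(void)
{
    uint8_t local[32];
    memset(local, 0xFF, sizeof local);     /* constructed placeholder content */
    secure_zeroize(local, sizeof local);
    return is_all_zero(local, sizeof local);
}

int main(void)
{
    aes_key_t *k = key_create();
    if (k == NULL) {
        return 1;
    }
    printf("heap key zeroized:  %s\n", key_destroy(k) ? "yes" : "no");
    printf("stack key zeroized: %s\n", zeroize_stack_copy() ? "yes" : "no");
    return 0;
}
```

Where the platform provides one, a dedicated primitive such as memset_s (C11 Annex K) or explicit_bzero (glibc 2.25+, the BSDs) is preferable to the hand-rolled volatile loop, since those are specified not to be optimised away; the loop above is the portable fallback. The post-zeroization check is worth keeping in test builds because it catches exactly the case where an optimiser has removed the stores.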

⁵ Via the RSA BSAFE library.

⁶ FIPS 198 is equivalent to RFC 2104.

 

 

 

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 45 of 67

 

© 2008 Nortel Networks
