
Motorola S2500 User Manual


MNR S2500 Security Policy

Version 1.2, Revision Date: 8/8/2008


Firmware Implementations

a. Triple-DES – CBC mode (112 and 168 bit) for IKE and SSHv2 encryption (Cert. #581)

b. AES – CBC (128, 192, 256 bit), ECB (128), and CFB (128) modes for IKE and SSHv2 encryption (Cert. #611)

c. HMAC-SHA-1 for IKE and SSHv2 authentication (Cert. #322)

d. SHA-1 for message hash (Cert. #659)

e. RSA v1.5 1024 bit – for public/private key pair generation and digital signatures (Cert. #283)

f. DSA 1024 bit – for public/private key pair generation and digital signatures (Cert. #237)

g. ANSI X9.31 Deterministic Random Number Generator (DRNG) (Cert. #349)

The MNR S2500 router supports the commercially available IKE and Diffie-Hellman protocols
for key establishment; the IPsec (ESP) and FRF.17 protocols to provide data confidentiality using
FIPS-approved encryption and authentication algorithms; and SSHv2 for secure remote access.

Allowed Algorithms

• Diffie-Hellman: (allowed for key agreement per Annex D, key agreement methodology provides 80 to 112 bits of encryption strength)

• Hardware non-deterministic RNG: Provides seed for approved deterministic RNG
• MD5: for hashing (Provides interoperability within supported protocols)
• HMAC-MD5

Non-FIPS approved algorithms

In a non-FIPS mode of operation, the cryptographic module provides non-FIPS-approved
algorithms as follows:

• DES for encryption/decryption
• Non-approved SW RNG
• Diffie-Hellman (Group 1 - 768 bit)