0 capabilities – Nortel Networks NN46120-104 User Manual
Page 235
4.0 Capabilities
235
secret is a Key-Wrapping-Key. When two or more boards contain the
same Key-Wrapping-Key, they are said to be in the same family. The
Key-Wrapping-Key is used to encrypt other keys. These encrypted keys
can then be transmitted between boards over untrusted paths under the
control of a Rainbow Technologies key management utility. This allows
boards to share keys as be appropriate for load distribution or redundancy
needs.
The key wrapping key also makes it possible for keys to be stored in
encrypted form on backup tapes or hard drives for archival purposes. The
keys encrypted with the Key-Wrapping-Key need never exist in plaintext
form outside of an HSM.
When an operator uses an HSM, he will be assisted by a key management
utility. This utility will prompt the operator when it is time to plug a
particular token into a particular HSM. A particular host system may
contain one or more HSM’s. So that there is no confusion, the key
management utility will control an LED on each HSM to alert the operator
to know where to insert a particular token.
1. The HSM can detect attempts to penetrate its cryptographic envelope.
If it detects a tamper attempt, the HSM will erase all of the critical security
parameters that it contains.
The HSM is controlled through its PCI interface. Commands are entered
through the PCI bus, and status is read from the PCI bus. Also, both
plaintext and encrypted data is transmitted over the PCI interface. The
serial port is disabled in the production version of the HSM. A primary
function of the HSM is to securely generate, store, and use private keys
(particularly for signing operations).
4.0 Capabilities
The HSM is capable of performing a wide variety of cryptographic
calculations including DES, SHA-1, DSA, 3DES, RSA exponentiation, RC4
and HMAC. When in the FIPS 140-1 mode, the board can perform DES,
3DES, RSA Signatures, RSA Signature Verifications and SHA-1 functions.
When in the non-FIPS 140-1 mode, the board can also perform the RSA
exponentiation, RC4, MD5, HMAC (SHA-1 and MD5) and DSA.
The RSA signature and verification implementation is compliant with the
PKCS #1 standard. The following table describes how each cryptographic
algorithm is used by our module while operating in the FIPS 140-1 Mode:
Algorithm
How it is used by the HSM module
Used in
FIPS 140-1
Mode?
DES
The module provides services for encryption/decryption. As currently
implemented, the plaintext key must be input through the PCI
interface. Therefore, this algorithm is not accessible in the FIPS
140-1 Mode. The self-tests perform a known answer test on this
algorithm in FIPS 140-1 Mode.
No
Nortel VPN Gateway
User Guide
NN46120-104
02.01
Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks
.