beautypg.com

Nortel Networks NN46120-104 User Manual

Page 236

background image

236

HSM Security Policy

Algorithm

How it is used by the HSM module

Used in
FIPS 140-1
Mode?

3DES

Used to generate Pseudo-random numbers using the X9.17
Appendix C PRNG algorithm for the purposes of key generation of
RSA and 3DES keys.
Encryption/decryption of every key stored in persistence storage
within the module using the Master Key. Wrapping (encryption)
of Private RSA Keys using the Key-Wrapping-Key for archival
purposes. Unwrapping (decryption) of Private RSA Keys using the
Key-Wrapping-Key for the purpose of restoring an archived key.
Note: The 3DES Encrypt and Decrypt services are not available for
this algorithm in FIPS mode because keys are entered in plaintext.

Yes

RSA Si
gnature/
Verification

Generation and verification of digital signatures using the RSA
algorithm, in accordance with the PKCS #1 specification. Keys
pairs of modulus size in the range 192 through 1024 bits, in 64
bit increments. Note: The message digest operation of the digital
signature and verification function is performed outside of the
cryptographic boundary for performance reasons. After the digest
is computed outside the module, the module formats and pads the
message digest according to the PKCS #1 standard and then uses
the RSA algorithm to compute the digital signature.

Yes

SHA-1

Hashing of host-provided data. Hashing for the purpose of verifying
the RSA digital signature of a firmware image. Hashing a 3DES key
for the purpose of checking its integrity after it is split and then the
corresponding shares combined.

Yes

MD5

The module provides services to compute an MD5 message digest.
As this algorithm is not FIPS-approved, the corresponding services
are not available in the FIPS 140-1 Mode.

No

HMAC
(SHA-1)

The module provides a service to compute HMAC using SHA-1. As
currently implemented, the service requires the MAC key to be input
unencrypted through the PCI interface, and therefore this service is
not available in the FIPS 140-1 Mode.

No

HMAC
(MD5)

The module provides a service to compute HMAC using MD5.
Because MD5 is not a FIPS-approved algorithm, this service is not
available in the FIPS 140-1 Mode.

No

RC4

The module provides services for encryption/decryption with RC4.
Because RC4 is not a FIPS-approved algorithm, the corresponding
services are not available in the FIPS 140-1 Mode.

No

DSA

The module provides services for generating and verifying DSA
signatures. As currently implemented, the private key for signature
generation must be input through the PCI interface. Therefore,
this algorithm is not available in the FIPS 140-1 Mode. Keys pairs
of modulus size in the range 512 through 1024 bits, in 64 bit
increments.

No

Nortel VPN Gateway

User Guide

NN46120-104

02.01

Standard

14 April 2008

Copyright © 2007-2008 Nortel Networks

.