Nortel Networks NN46120-104 User Manual, page 250: 10.5 Key Destruction, 10.6 Key Archiving, 11.0 Modes, 11.1 FIPS 140-1 Mode

HSM Security Policy

10.5 Key Destruction

Critical security parameters including plaintext private keys, symmetric
keys and intermediate values will be zeroized according to various
conditions as described in Table 10 "Key Destruction" (page 250). It is
also possible for the security officer to command the board to un-initialize,
which causes the data stored in RAM, FLASH and BBRAM to be erased.

Table 10
Key Destruction

Tamper     Voltage Applied      Storage
Detected   Battery   PCI        BRAM       RAM and Other   Flash
NO         YES       YES        Retained   Retained        Retained
NO         YES       NO         Retained   Erased          Retained
NO         NO        YES        Retained   Retained        Retained
NO         NO        NO         Erased     Erased          Retained
YES        YES       YES        Erased     Erased          Retained
YES        YES       NO         Erased     Erased          Retained
YES        NO        YES        Erased     Erased          Retained
YES        NO        NO         Erased     Erased          Retained

10.6 Key Archiving

Under the control of the Rainbow Technologies key management utility,
it is also possible to archive keys. This may be done so that keys may
be stored on backup media such as tape or hard drives. The Rainbow
Technologies key management utility utilizes the "Wrap Key" command to
perform key archival. All archived keys are 3DES3KEY encrypted. Keys
may only be archived and restored between devices in the same family.

11.0 Modes

The HSM has two operating modes. These are the FIPS140-1 mode and
the non-FIPS140-1 mode. Before the HSM is initialized with the "Initialize
Card" command, it is in the non-FIPS140-1 mode. This command has
an input parameter that specifies the mode of the card after initialization.
Once initialized, the board remains in one of the two modes. If one
wishes to change the operating mode of the card, the card must first be
uninitialized using the "Uninitialize Card" command. Then, the card can be
initialized with a different operating mode. Uninitializing the card removes
all secrets from the card.
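As an added example (not Nortel or Rainbow Technologies code), the following Python models Table 10 from section 10.5 together with the initialize/uninitialize rules of section 11.0. The three per-store rules in storage_after are an assumption that reproduces every printed row of the table, and the secret labels placed in the stores are constructed sample data.

```python
# Added example, not Nortel/Rainbow code: model of Table 10 (10.5) and the mode rules (11.0).
# The three rules in storage_after are an assumption that reproduces the printed table.
from dataclasses import dataclass, field

NON_FIPS, FIPS = "non-FIPS140-1", "FIPS140-1"
STORES = ("BRAM", "RAM and Other", "Flash")

def storage_after(tamper, battery, pci):
    """Table 10 as rules: BRAM survives on battery or PCI power, RAM only on PCI
    power, Flash always; a detected tamper erases BRAM and RAM regardless."""
    bram = "Erased" if tamper or not (battery or pci) else "Retained"
    ram = "Erased" if tamper or not pci else "Retained"
    return (bram, ram, "Retained")

# Rows of Table 10 as printed: (tamper, battery, pci) -> (BRAM, RAM and Other, Flash)
TABLE_10 = {
    (False, True, True): ("Retained", "Retained", "Retained"),
    (False, True, False): ("Retained", "Erased", "Retained"),
    (False, False, True): ("Retained", "Retained", "Retained"),
    (False, False, False): ("Erased", "Erased", "Retained"),
    (True, True, True): ("Erased", "Erased", "Retained"),
    (True, True, False): ("Erased", "Erased", "Retained"),
    (True, False, True): ("Erased", "Erased", "Retained"),
    (True, False, False): ("Erased", "Erased", "Retained"),
}

def rules_match_table():
    """True if the rules reproduce every printed row of Table 10."""
    return all(storage_after(*env) == row for env, row in TABLE_10.items())

@dataclass
class Card:
    initialized: bool = False
    mode: str = NON_FIPS
    secrets: dict = field(default_factory=lambda: {s: set() for s in STORES})  # constructed labels
    def initialize(self, mode):  # 11.0: mode is fixed until "Uninitialize Card"
        if self.initialized:
            raise RuntimeError("already initialized; issue Uninitialize Card first")
        self.initialized, self.mode = True, mode
    def uninitialize(self):  # 10.5: un-initialize erases RAM, FLASH and BBRAM
        for store in STORES:
            self.secrets[store].clear()
        self.initialized, self.mode = False, NON_FIPS
    def apply_environment(self, tamper, battery, pci):  # apply the Table 10 outcome
        for store, outcome in zip(STORES, storage_after(tamper, battery, pci)):
            if outcome == "Erased":
                self.secrets[store].clear()
    def remaining_csps(self):
        return set().union(*self.secrets.values())
```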

11.1 FIPS 140-1 Mode

In the FIPS 140-1 mode, the board may only perform FIPS approved
algorithms. These are as follows:

Nortel VPN Gateway User Guide, NN46120-104, 02.01 Standard, 14 April 2008.
Copyright © 2007-2008 Nortel Networks