Nortel Networks NN46120-104 User Manual (page 30)
Introducing the ASA 310-FIPS
The Concept of iKey Authentication
Access to sensitive data on an ASA 310-FIPS is protected by a combination
of hardware tokens (called iKeys), passwords, and encryption procedures.
The iKey is a cryptographic token that is used as part of the authentication
process for certain operations involving the HSM cards. Whenever you
perform an operation on the ASA 310-FIPS that calls for iKey authentication,
the Command Line Interface prompts you to insert the requested iKey into
the USB port on the appropriate HSM card. (When you are prompted for a
particular iKey, a flashing LED directs you to the correct HSM card.)
Types of iKeys
For each HSM card there are two unique iKeys used for identity-based
authentication: the HSM-SO iKey and the HSM-USER iKey. These two iKeys
correspond to the two user roles available: Security Officer and User.
A password must be defined for each user role, and each password is
directly associated with the corresponding iKey. The ASA 310-FIPS is
equipped with two HSM cards, so you must maintain two pairs of HSM-SO and
HSM-USER iKeys, with their associated passwords, for each ASA 310-FIPS
device.
After an HSM card has been initialized, that card accepts only the HSM-SO
and HSM-USER iKeys that were used when initializing that particular card.
You cannot create backup copies of the associated HSM-SO iKey and HSM-USER
iKey, and a lost HSM-SO or HSM-USER password cannot be recovered. It is
therefore extremely important that you establish routines for how the
iKeys are handled (who holds each iKey, where it is stored, and how its
password is recorded).
Wrap Keys for ASA 310-FIPS Clusters
In addition to the HSM-SO and HSM-USER iKeys specific to each HSM card,
one pair of iKeys (the black HSM-CODE iKeys) must also be maintained for
each cluster of ASA 310-FIPS units.
Note:
It is strongly recommended that you label two of the black HSM-CODE
iKeys "CODE-SO" and "CODE-USER" respectively; the iKeys are referred to
by these names both in the documentation and in the Command Line
Interface.
During the initialization of the first ASA 310-FIPS in a cluster, a wrap
key is automatically generated. The wrap key is a secret shared among all
ASA 310-FIPS units in the cluster. It encrypts and decrypts sensitive
information that is sent over the PCI bus within an ASA 310-FIPS, and
over the network among the ASA 310-FIPS devices in the cluster. By
inserting the CODE-SO iKey and the CODE-USER iKey in turn when requested
Nortel VPN Gateway
User Guide
NN46120-104
02.01
Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks
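The manual does not say which algorithm the ASA 310-FIPS wrap key uses, only that it is a shared secret that protects sensitive material exchanged between cluster members. As an added illustration of what a wrap key does in general (this is not Nortel's code and makes no claim about the ASA's internals), the following Go program implements AES Key Wrap as specified in RFC 3394: key material is encrypted under a shared key-encryption key (KEK), and the receiver's unwrap fails closed if the KEK does not match or the blob was altered in transit. The KEK and key data values are the published RFC 3394 section 4.1 test vector, not values from any ASA device.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the fixed 64-bit integrity check value from RFC 3394 section 2.2.3.1.
const defaultIV uint64 = 0xA6A6A6A6A6A6A6A6

// Wrap encrypts keyData (a multiple of 8 bytes, at least 16) under kek using the
// RFC 3394 AES Key Wrap algorithm. The output is 8 bytes longer than the input.
func Wrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	a := defaultIV
	r := make([]uint64, n)
	for i := range r {
		r[i] = binary.BigEndian.Uint64(keyData[8*i:])
	}
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			// B = AES(K, A | R[i]); A = MSB64(B) XOR t; R[i] = LSB64(B)
			binary.BigEndian.PutUint64(b[:8], a)
			binary.BigEndian.PutUint64(b[8:], r[i])
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i + 1)
			a = binary.BigEndian.Uint64(b[:8]) ^ t
			r[i] = binary.BigEndian.Uint64(b[8:])
		}
	}
	out := make([]byte, 8*(n+1))
	binary.BigEndian.PutUint64(out[:8], a)
	for i := range r {
		binary.BigEndian.PutUint64(out[8*(i+1):], r[i])
	}
	return out, nil
}

// Unwrap reverses Wrap. It returns an error when the recovered integrity check
// value is wrong, which is how a receiver detects a KEK that does not match the
// sender's (a node outside the cluster secret) or a blob modified in transit.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be at least 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := binary.BigEndian.Uint64(wrapped[:8])
	r := make([]uint64, n)
	for i := range r {
		r[i] = binary.BigEndian.Uint64(wrapped[8*(i+1):])
	}
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			// B = AES^-1(K, (A XOR t) | R[i]); A = MSB64(B); R[i] = LSB64(B)
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], a^t)
			binary.BigEndian.PutUint64(b[8:], r[i])
			block.Decrypt(b[:], b[:])
			a = binary.BigEndian.Uint64(b[:8])
			r[i] = binary.BigEndian.Uint64(b[8:])
		}
	}
	if a != defaultIV {
		return nil, errors.New("integrity check failed: wrong KEK or tampered ciphertext")
	}
	out := make([]byte, 8*n)
	for i := range r {
		binary.BigEndian.PutUint64(out[8*i:], r[i])
	}
	return out, nil
}

func main() {
	// RFC 3394 section 4.1 test vector: 128-bit key data under a 128-bit KEK.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	keyData, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := Wrap(kek, keyData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped)
	back, err := Unwrap(kek, wrapped)
	fmt.Printf("unwrapped: %X (matches: %v, err: %v)\n", back, bytes.Equal(back, keyData), err)
	wrapped[20] ^= 0x01 // flip one ciphertext bit: unwrap must now refuse
	_, err = Unwrap(kek, wrapped)
	fmt.Println("after tampering:", err)
}
```

The point to carry over to the ASA's wrap key is the failure mode rather than the arithmetic: a node that was initialized without the cluster's CODE-SO and CODE-USER iKeys holds a different KEK, so anything the cluster sends it unwraps to an integrity error rather than to garbage it might silently act on.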