Cisco 7206VXR NPE-400 User Manual
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
OL-3959-01
Cryptographic Key Management
The module supports the following critical security parameters (CSPs):
Table 2: Critical Security Parameters

| # | CSP Name | Description | Storage |
|---|----------|-------------|---------|
| 1 | CSP1 | This is the seed key for the X9.31 PRNG. This key is stored in DRAM and updated periodically after the generation of 400 bytes; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this key. | DRAM (plaintext) |
| 2 | CSP2 | The private exponent used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated. | DRAM (plaintext) |
| 3 | CSP3 | The shared secret within the IKE exchange. Zeroized when the IKE session is terminated. | DRAM (plaintext) |
| 4 | CSP4 | Same as above | DRAM (plaintext) |
| 5 | CSP5 | Same as above | DRAM (plaintext) |
| 6 | CSP6 | Same as above | DRAM (plaintext) |
| 7 | CSP7 | The IKE session encryption key. The zeroization is the same as above. | DRAM (plaintext) |
| 8 | CSP8 | The IKE session authentication key. The zeroization is the same as above. | DRAM (plaintext) |
| 9 | CSP9 | The RSA private key. The “crypto key zeroize” command zeroizes this key. | NVRAM (plaintext) |
| 10 | CSP10 | The key used to generate the IKE skeyid during preshared-key authentication. The “no crypto isakmp key” command zeroizes it. This key can have two forms based on whether the key is related to the hostname or the IP address. | NVRAM (plaintext) |
| 11 | CSP11 | This key generates keys 3, 4, 5 and 6. This key is zeroized after generating those keys. | DRAM (plaintext) |
| 12 | CSP12 | The RSA public key used to validate signatures within IKE. These keys expire either when the CRL (certificate revocation list) expires or after 5 seconds if no CRL exists. After this expiration and before a new public key structure is created, this key is deleted. This key does not need to be zeroized because it is a public key; however, it is zeroized as mentioned here. | DRAM (plaintext) |
| 13 | CSP13 | The fixed key used in Cisco vendor ID generation. This key is embedded in the module binary image and can be deleted by erasing the Flash. | NVRAM (plaintext) |