Key zeroization, Self-tests – Cisco 7206VXR NPE-400 User Manual
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
OL-3959-01
Key Zeroization
All of the keys and CSPs of the module can be zeroized. Please refer to the Description column of
for information on methods to zeroize each key and CSP.
Self-Tests
To prevent secure data from being released, it is important to test the cryptographic components of a
security module to ensure all components are functioning correctly. The router includes an array of
self-tests that are run during startup and periodically during operation. If any of the self-tests fails, the
router transitions into an error state. Within the error state, all secure data transmission is halted and the
router outputs status information indicating the failure.
Self-tests performed by the IOS image:
• Power-up tests
  – Firmware integrity test
  – RSA signature KAT (both signature and verification)
  – DES KAT
  – TDES KAT
  – AES KAT
  – SHA-1 KAT
  – PRNG KAT
  – Power-up bypass test
  – Diffie-Hellman self-test
  – HMAC-SHA-1 KAT
• Conditional tests
  – Conditional bypass test
  – Pairwise consistency test on RSA signature
  – Continuous random number generator tests
Self-tests performed by the VAM (cryptographic accelerator):
• Power-up tests
  – Firmware integrity test
  – RSA signature KAT (both signature and verification)
  – DES KAT
  – TDES KAT
  – SHA-1 KAT
  – HMAC-SHA-1 KAT
  – PRNG KAT
• Conditional tests
  – Pairwise consistency test on RSA signature
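
An added illustration of the behaviour described in the Self-Tests section, not Cisco's IOS or VAM code: a Python sketch of two power-up KATs (SHA-1 and HMAC-SHA-1), a continuous random number generator test, and an error state that inhibits output after any failure. The class, state names and 8-byte block size are assumptions; the vectors are the published FIPS 180 "abc" value and RFC 2202 test case 1.

```python
import hashlib
import hmac
import os

# Published vectors: FIPS 180 "abc" (SHA-1) and RFC 2202 test case 1 (HMAC-SHA-1).
SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_KAT = (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00")

def sha1_hex(msg):
    return hashlib.sha1(msg).hexdigest()

def hmac_sha1_hex(key, msg):
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

class Module:
    """Hypothetical module model: POWER_UP -> OPERATIONAL, or ERROR on any failure."""

    def __init__(self, sha1=sha1_hex, hmac_sha1=hmac_sha1_hex, rng=os.urandom, block=8):
        self.sha1, self.hmac_sha1, self.rng, self.block = sha1, hmac_sha1, rng, block
        self.state, self.status, self._prev = "POWER_UP", [], None

    def _fail(self, test_name):
        self.state = "ERROR"                       # latched: nothing leaves ERROR
        self.status.append(test_name + " failed")  # status output naming the failure

    def power_up(self):
        msg, want = SHA1_KAT
        if self.sha1(msg) != want:
            self._fail("SHA-1 KAT")
        key, msg, want = HMAC_KAT
        if self.hmac_sha1(key, msg) != want:
            self._fail("HMAC-SHA-1 KAT")
        if self.state != "ERROR":
            self._prev = self.rng(self.block)      # first block is reference only, never output
            self.state = "OPERATIONAL"
        return self.state

    def random_block(self):
        if self.state != "OPERATIONAL":
            raise RuntimeError("output inhibited: " + "; ".join(self.status))
        cur = self.rng(self.block)
        if cur == self._prev:                      # continuous test: repeated block is a failure
            self._fail("continuous RNG test")
            raise RuntimeError("output inhibited: " + "; ".join(self.status))
        self._prev = cur
        return cur
```

Passing a faulty `sha1` or a stuck `rng` callable to `Module` shows the failure path: the module records which test failed and every later `random_block()` call is refused.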