HP FIPS 140-2 User Manual

Page 17

Security Policy, version 1.0

January 31, 2008

HP StorageWorks Secure Key Manager

Page 17 of 26

This document may be freely reproduced in its original entirety.

Key

Key Type

Generation /

Input

Output

Storage

Zeroization

Use

KRsaPub

Server RSA public
key (1024- or 2048-
bit)

Generated by
ANSI X9.31
DRNG during
first-time
initialization

In plaintext
a X509
certificate.

In non-
volatile
memory

At operator
delete request

Client encrypts
Pre-MS. Client
verifies server
signatures

KRsaPriv

Server RSA private
key (1024- or 2048-
bit)

Generated by
ANSI X9.31
DRNG during
first-time
initialization

Never In

non-

volatile
memory

At operator
delete or
zeroize request

Server
decrypts Pre-
MS. Server
generates
signatures

CARsaPub Certificate

Authority

(CA) RSA public key
(1024- or 2048-bit)

Generated by
ANSI X9.31
DRNG during
first-time
initialization

In plaintext In non-

volatile
memory

At operator
delete request

Verify CA
signatures

CARsaPriv

CA RSA private key
(1024- or 2048-bit)

Generated by
ANSI X9.31
DRNG during
first-time
initialization

never In

non-

volatile
memory

At operator
delete or
zeroize request

Sign server
certificates

Cluster
Member
RsaPub

Cluster Member
RSA public key
(1024- or 2048-bit)

Input in plaintext

Never

In volatile
memory

Upon session
termination

Verify Cluster
Member
signatures

TLS Ks

TLS session AES or
3DES symmetric
key(s)

Derived from MS Never

In volatile
memory

Upon session
termination

Encrypt and
decrypt data

TLS Khmac

TLS session HMAC
key

Derived from MS Never

In volatile
memory

Upon session
termination

Authenticate
data

Table 13 details all cipher suites supported by the TLS protocol implemented by the module. The suite names in the
first column match the definitions in RFC 2246 and RFC 4346.

Table 13 – Cipher Suites Supported by the Module’s TLS Implementation in FIPS Mode

Suite Name

Authentication

Key

Transport

Symmetric

Cryptography

Hash

TLS_RSA_WITH_AES_256_CBC_SHA RSA

RSA

AES

(256-bit)

SHA-1

TLS_RSA_WITH_AES_128_CBC_SHA RSA

RSA

AES

(128-bit)

SHA-1

TLS_RSA_WITH_3DES_EDE_CBC_SHA

RSA RSA

3DES

(168-bit)

SHA-1

Other CSPs are tabulated in Table 14.

Table 14 – Other Cryptographic Keys, Cryptographic Key Components, and CSPs

Key

Key Type

Generation /

Input

Output

Storage

Zeroization

Use