Authentication; Physical Security; Operational Environment; Cryptographic Key Management - Polycom VSX 3000 Manual

Non-Proprietary Security Policy, Version 1.0
Service Description
Secured call on IP Placing secured call on
network IP network via LAN
port
Secured call on ISDN Placing secured call on
ISDN
port
1.4.3

Authentication

The modules were not tested for role-based or identity-based authentication requirement as level 1 modules.
However, the modules authenticate Crypto-Officer with x.509 certificate during TLS handshake. The users do not
authenticate themselves to the module.

1.5 Physical Security

The VSX 3000, VSX 5000, and VSX 7000s are multi-chip standalone cryptographic modules. The modules'
hardware is composed of production-grade components and the modules are entirely enclosed in solid metal cases.
These cases enclose all of the modules' internal components and serve as the cryptographic boundaries for the
modules.
The VSX systems were tested and found conformant to the Electromagnetic Interference/Electromagnetic
Compatibility (EMI/EMC) requirements specified by 47 Code of Federal Regulations, Part 15, Subpart B,
Unintentional Radiators, Digital Devices, Class A (i.e., for business use).

1.6 Operational Environment

The operational environment requirements do not apply to the VSX 3000, VSX 5000, and VSX 7000s. The modules
do not provide a general purpose Operating System (OS) and only allow the updating of image components after
checking a Digital Signature Algorithm (DSA) signature on new software images.

1.7 Cryptographic Key Management

The VSX modules implement the following FIPS-approved algorithms:
AES (CBC, OFB) - key sizes 128, 192, 256 (Cert #431)
FIPS 186-2 Appendix 3.1 PRNG (Cert #224)
Secure Hashing Algorithm (SHA-1) – Byte oriented (Cert #501)
TDES (CBC) 1, 2, 3 keying options (Cert #460)
DSA (verify) 1024 bits (Cert #178)
Additionally, the module utilizes the following non-FIPS-approved algorithm implementation:
Diffie-Hellman (key agreement, key establishment methodology provides 80-bits of encryption strength)
RSA (key wrapping, key establishment methodology provides 80-bits of encryption strength)
Hardware Random Number Generator (RNG) – for seeding the FIPS-approved deterministic RNG
The module supports the following critical security parameters:
Table 9 - List of Cryptographic Keys, Cryptographic Key Components, and CSPs
Key Key Type
Polycom VSX 3000, VSX 5000, and VSX 7000s
© 2007 Polycom, Inc. -
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Input
Command and calling
information
Command and calling
via BRI/PRI information
Generation / Output
Input
Output
Connection established
Connection established
Storage Zeroization
June 15, 2007
CSP and Access
Control
Diffie-Hellman key
pairs – Read
IP Encryption Key –
Read/Write
Diffie-Hellman key
pairs – Read
ISDN Encryption Key
– Read/Write
Use
Page 17 of 23