Zeroization Functions; Power-Up Self Tests; Zeroization Behavior - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.x administrator guide (5697-0015, May 2009)

Zeroization functions

Explicit zeroization can be done at the discretion of the security administrator. These functions clear the
passwords and the shared secrets. The following table lists the various keys used in the system that will be
zeroized in a FIPS-compliant FOS module.
Table 40 Zeroization behavior

| Keys | Zeroization CLI | Description |
| --- | --- | --- |
| DH Private keys | No CLI required | Keys will be zeroized within code before they are released from memory. |
| FCSP Challenge Handshake Authentication Protocol (CHAP) Secret | secauthsecret --remove | The secauthsecret --remove command is used to remove/zeroize the keys. |
| FCAP Private Key | pkiremove | The pkicreate command creates the keys, and pkiremove removes/zeroizes the keys. |
| SSH Session Key | No CLI required | This is generated for each SSH session that is established to and from the host. It automatically zeroizes on session termination. |
| SSH RSA private Key | No CLI required | Key-based SSH authentication is not used for SSH sessions. |
| RNG Seed Key | No CLI required | /dev/urandom is used as the initial source of seed for RNG. The RNG seed key is zeroized on every random number generation. |
| Passwords | passwddefault; fipscfg --zeroize | The passwddefault command removes user-defined accounts in addition to default passwords for the root, admin, and user default accounts. However, only root has permissions for this command, so the securityadmin and admin roles need to use fipscfg --zeroize, which, in addition to removing user accounts and resetting passwords, also does the complete zeroization of the system. |
| TLS private keys | seccertutil delkey | The command seccertutil delkey is used to zeroize these keys. |
| TLS pre-master secret | No CLI required | Automatically zeroized on session termination. |
| TLS session key | No CLI required | Automatically zeroized on session termination. |
| TLS authentication key | No CLI required | Automatically zeroized on session termination. |
| RADIUS secret | aaaconfig --remove | The aaaconfig --remove command zeroizes the secret and deletes a configured server. |

Power-up self tests

The self tests are invoked by powering on the switch in FIPS mode and do not require any operator
intervention. These tests can also be invoked by the user through a CLI interface.

NOTE: Perform power-on self-tests. If any of the KAT tests fail, the switch goes into a FIPS Error state,
which reboots the system into single-user mode. You will need to perform a recovery procedure by booting
into single-user mode to recover the system.
