Supported algorithms
The cryptographic module supports the following algorithms in FIPS mode:
Approved Algorithms:
● RSA digital signature verification during firmware upgrades, and license file authentication. Support for RSA defined in PKCS#1 standard. RSA implementation, as defined by ANSI X9.31, is not supported.
● Triple-DES CBC (three key) for IPSec and IKE encryption
● AES (128, 192, and 256 bit) CBC for IPSec and IKE encryption
● SHA-1 for hashing download image digest, license file digest
● HMAC SHA-1 for message authentication codes for IKE and IPSec
● DES CBC for encryption of IPSec, and IKE (only supported for communication with legacy VPN systems)
● TDES CBC Encryption of the serial number date for Voice feature activation controlled by the ICC CM server/external blade server
Non-Approved Algorithms:
● Diffie-Hellman for IKE key exchanges - groups 2, 5, and 14
● MD5 for Radius Client role and peer OSPF router authentication
● HMAC-MD5-96 for SNMPv3 authentication
The cryptographic module relies on its implemented deterministic random number generator (DRNG), which is compliant with X9.31 with a 128-bit key and a 64-bit seed, for generation of all cryptographic keys. The non-deterministic random seed generator is used for the periodic re-seeding of the PRNG.
The cryptographic module may be configured for FIPS mode via execution of the configuration procedure specified in Administration procedures on page 510.
The user can determine if the cryptographic module is running in FIPS vs. non-FIPS mode via:
● Execution of the show running-config command.
● Verification that the configuration meets the requirements specified in Administration procedures on page 510.
● Verification that the HW version and the firmware version of the module firmware code in banks A and B are FIPS-approved versions.
Issue 1.1 June 2005