Self-Tests - Nortel Contivity Secure IP Services Gateway 4600 Owner's Manual

FIPS 140-1 Non-Proprietary Cryptographic Module Security Policy
contained on the floppy disk via the module's management interface. The
format utility then causes the firmware of the module to be erased
RSA keys: These RSA public/private key pairs are used for generating and
verifying the digital signatures that authenticate users during IPSec tunneling
sessions. The module's keys are generated internally per the PKCS#1 standard
using a pseudo-random number generator. The keys are stored in uniquely
named directories in PKCS#5 and PKCS#8 formats, respectively. All RSA
keys can be zeroized by the administrator by entering commands to delete and
zeroize the key directories. The private key is never output from the module;
the module's public key is output to obtain a certificate from a third-party
Certificate Authority (CA).
RSA Certificates: These public-key certificates are used to authenticate
users for IPSec tunnel sessions. In addition, the module has its own certificate
that it uses to authenticate itself to users. These X.509 certificates are issued by a
third-party CA and stored in the module's internal LDAP directory.
2.6 Self-tests

It is important to test the cryptographic components of a security module to ensure that all
components are functioning correctly. The Contivity Switch includes an array of self-tests
that run at startup and periodically during operation. The self-tests run at
power-up include cryptographic known-answer tests (KATs) on the FIPS-approved
cryptographic algorithms implemented in both hardware and software (DES, 3DES), on
the message digest (SHA-1), and on signatures (RSA with SHA-1). Additional self-tests
performed at startup include a software integrity test using a DES MAC per FIPS 113 and
a continuous random number generator test. Other tests run periodically or
conditionally, such as the software load test, which verifies a DES MAC over FIPS-approved
upgrades, and the continuous random number generator test. In addition, checksum tests
are run on the flash memory; the checksums are updated whenever the flash contents change.
If any of these self-tests fails, the switch transitions into an error state. In the error
state, all secure data transmission is halted and the switch outputs status information
indicating the failure.
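The self-test structure just described, as an added example that is not part of the Nortel security policy or the product's code: a Python model of the power-up KATs, the software integrity MAC check, the continuous random number generator test, the conditional software load test, and the error state that refuses all further service. It uses only the standard library, so SHA-1 stands in for the digest KAT and HMAC-SHA-1 replaces the FIPS 113 DES MAC (Python has no DES); the DES/3DES and RSA KATs are omitted. The class and function names are the example's own, and any keys and firmware images fed to it are constructed sample data.

```python
"""Model of the power-up and conditional self-tests described above (added
example, not Nortel code). Stdlib only: SHA-1 stands in for the digest KAT,
HMAC-SHA-1 for the FIPS 113 DES MAC used by the integrity and software-load
tests (Python has no DES); the DES/3DES and RSA KATs are omitted."""
import hashlib
import hmac
import os
from enum import Enum
from typing import Callable, Optional

class State(Enum):
    POWER_UP = "power-up"
    OPERATIONAL = "operational"
    ERROR = "error"

# Public test vectors: SHA-1("abc") from FIPS 180-1, HMAC-SHA-1 case 1 from RFC 2202.
SHA1_KAT = (b"abc", bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d"))
HMAC_KAT = (b"\x0b" * 20, b"Hi There",
            bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00"))

def sha1_kat() -> bool:
    """Known-answer test: recompute a fixed vector, compare with the stored answer."""
    msg, expected = SHA1_KAT
    return hmac.compare_digest(hashlib.sha1(msg).digest(), expected)

def hmac_kat() -> bool:
    key, msg, expected = HMAC_KAT
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha1).digest(), expected)

def image_mac(key: bytes, image: bytes) -> bytes:
    """MAC over a firmware image (HMAC-SHA-1 here in place of the DES MAC)."""
    return hmac.new(key, image, hashlib.sha1).digest()

class ContinuousRngTest:
    """FIPS 140-1 4.11.2: the first block after power-up is saved, not used;
    every later block must differ from its predecessor."""
    def __init__(self) -> None:
        self.last: Optional[bytes] = None
    def prime(self, block: bytes) -> None:
        self.last = block
    def check(self, block: bytes) -> bool:
        if self.last is None or block == self.last:
            return False
        self.last = block
        return True

class Module:
    BLOCK = 8  # bytes per RNG block
    def __init__(self, firmware: bytes, firmware_mac: bytes, mac_key: bytes,
                 rng: Callable[[int], bytes] = os.urandom) -> None:
        self.firmware, self.firmware_mac, self.mac_key = firmware, firmware_mac, mac_key
        self.rng, self.crt = rng, ContinuousRngTest()
        self.state, self.status = State.POWER_UP, "not yet tested"
    def _fail(self, test: str) -> State:
        # Error state: all cryptographic services stop; the failure is reported as status.
        self.state, self.status = State.ERROR, f"self-test failed: {test}"
        return self.state
    def power_up(self) -> State:
        tests = [
            ("SHA-1 KAT", sha1_kat),
            ("MAC KAT", hmac_kat),
            ("software integrity", lambda: hmac.compare_digest(
                image_mac(self.mac_key, self.firmware), self.firmware_mac)),
        ]
        for name, test in tests:
            if not test():
                return self._fail(name)
        self.crt.prime(self.rng(self.BLOCK))  # first RNG block is saved, never output
        self.state, self.status = State.OPERATIONAL, "all self-tests passed"
        return self.state
    def random_bytes(self, n: int) -> bytes:
        """Serve RNG output only when operational, one tested block at a time."""
        if self.state is not State.OPERATIONAL:
            raise RuntimeError(self.status)
        out = bytearray()
        while len(out) < n:
            block = self.rng(self.BLOCK)
            if not self.crt.check(block):
                self._fail("continuous RNG test")
                raise RuntimeError(self.status)
            out += block
        return bytes(out[:n])
    def load_firmware(self, image: bytes, mac: bytes) -> bool:
        """Conditional software load test: accept an upgrade only if its MAC verifies."""
        if self.state is not State.OPERATIONAL:
            raise RuntimeError(self.status)
        if not hmac.compare_digest(image_mac(self.mac_key, image), mac):
            return False
        self.firmware, self.firmware_mac = image, mac
        return True

def run_until_error(module: Module, n: int) -> State:
    """Draw RNG output; return the module's state whether or not it refused."""
    try:
        module.random_bytes(n)
    except RuntimeError:
        pass
    return module.state
```

Three properties worth noticing, because they are what the section's error-state rule actually requires of an implementation: each test compares against an answer stored next to the code it checks, the first RNG block after power-up is consumed by the test and never handed out, and once `_fail` has run, neither random bytes nor firmware loads are served again until the module is restarted and passes its power-up tests.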
This manual is also suitable for: Contivity Extranet Switch 4600