Cryptographic Key Management - Cisco 2621XM Operations

Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy
The 2621XM/2651XM Router
Figure 6: Cisco 2621XM and Cisco 2651XM Tamper Evidence Label Placement
The tamper evidence seals are produced from a special thin-gauge vinyl with self-adhesive backing. Any
attempt to open the router, remove Network Modules or WIC cards, or remove the front faceplate will damage
the tamper evidence seals or the painted surface and metal of the module cover. Since the tamper
evidence seals have non-repeated serial numbers, they may be inspected for damage and compared
against the applied serial numbers to verify that the module has not been tampered with. Tamper evidence
seals can also be inspected for signs of tampering, which include the following: curled corners, bubbling,
crinkling, rips, tears, and slices. The word "OPEN" may appear if the label was peeled back.

Cryptographic Key Management

The router securely administers both cryptographic keys and other critical security parameters such as
passwords. The tamper evidence seals provide physical protection for all keys. All keys are also
protected by the password protection on the Crypto Officer role login, and can be zeroized by the Crypto
Officer. Keys are either entered manually (manual key exchange) or established electronically through
Internet Key Exchange (IKE).
The modules contain a cryptographic accelerator card (the AIM-VPN/EP), which provides DES (56-bit)
(only for legacy systems) and 3DES (168-bit) IPSec encryption at up to 15 Mbps, MD5 and SHA-1
hashing, and has hardware support for DH and RSA key generation.
The module supports the following critical security parameters (CSPs):
Table 4   Critical Security Parameters

#   CSP Name   Description                                                 Storage
1   CSP 1      This is the seed key for the X9.31 PRNG. This key is        DRAM (plaintext)
               stored in DRAM and updated periodically after the
               generation of 400 bytes; hence, it is zeroized
               periodically. Also, the operator can turn off the router
               to zeroize this key.
2   CSP 2      The private exponent used in the Diffie-Hellman (DH)        DRAM (plaintext)
               exchange. Zeroized after the DH shared secret has been
               generated.
3   CSP 3      The shared secret within the IKE exchange. Zeroized when    DRAM (plaintext)
               the IKE session is terminated.

Document number: OL-6262-01
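The lifecycle rules in Table 4 (seed key re-drawn after 400 bytes of output, DH private exponent zeroized once the shared secret is derived, IKE shared secret zeroized when the session terminates) can be modelled in a few dozen lines. The following Python script is an added example and is not part of the Cisco security policy or of any Cisco software; the DH group (a toy 127-bit modulus), the 32-byte seed, the hash-based output function and every class and function name are constructed for illustration only.

```python
"""Toy model of the CSP lifecycle described in Table 4 (added example, not Cisco code)."""
import hashlib
import secrets

# Constructed toy DH group: a Mersenne prime modulus, far too small for real use.
P = 2**127 - 1
G = 5

# Table 4, CSP 1: the seed key is replaced after this many bytes of PRNG output.
SEED_REFRESH_BYTES = 400


def zeroize(buf: bytearray) -> None:
    """Overwrite a CSP in place. A bytearray is mutable, so its bytes really are
    replaced; Python ints are immutable and can only be dropped, which is why the
    model keeps every secret as a bytearray."""
    for i in range(len(buf)):
        buf[i] = 0


class SeedKeyedPRNG:
    """Model of CSP 1: a seed key held in RAM that is re-drawn after
    SEED_REFRESH_BYTES bytes of output. Output blocks are SHA-256(seed || counter),
    a constructed stand-in for the X9.31 generator named in the table."""

    def __init__(self) -> None:
        self.seed = bytearray(secrets.token_bytes(32))
        self.produced = 0      # bytes emitted under the current seed
        self.reseeds = 0       # how often the seed key has been zeroized and replaced

    def reseed(self) -> None:
        zeroize(self.seed)     # old seed key is zeroized before a new one is drawn
        self.seed = bytearray(secrets.token_bytes(32))
        self.produced = 0
        self.reseeds += 1

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if self.produced >= SEED_REFRESH_BYTES:
                self.reseed()
            block = hashlib.sha256(bytes(self.seed) + self.produced.to_bytes(8, "big")).digest()
            take = min(len(block), n - len(out), SEED_REFRESH_BYTES - self.produced)
            out += block[:take]
            self.produced += take
        return bytes(out)


class DHParty:
    """Model of CSP 2: the private exponent lives only until the shared secret exists."""

    def __init__(self) -> None:
        self.priv = bytearray(secrets.token_bytes(16))   # private exponent, kept as bytes
        self.pub = pow(G, int.from_bytes(self.priv, "big"), P)

    def derive_shared(self, peer_pub: int) -> bytearray:
        x = int.from_bytes(self.priv, "big")
        shared = pow(peer_pub, x, P).to_bytes(16, "big")  # P < 2**128, so 16 bytes suffice
        zeroize(self.priv)     # Table 4, CSP 2: zeroized after the shared secret is generated
        return bytearray(shared)


class IKESession:
    """Model of CSP 3: the IKE shared secret is zeroized when the session terminates."""

    def __init__(self, shared: bytearray) -> None:
        self.shared = shared
        self.active = True

    def terminate(self) -> None:
        zeroize(self.shared)   # Table 4, CSP 3: zeroized on session termination
        self.active = False


def run_exchange() -> tuple:
    """Run one toy DH/IKE exchange and report (secrets agree, exponents zeroized,
    session secret zeroized)."""
    a, b = DHParty(), DHParty()
    sa = a.derive_shared(b.pub)
    sb = b.derive_shared(a.pub)
    agreed = sa == sb
    priv_zeroized = not any(a.priv) and not any(b.priv)
    session = IKESession(sa)
    session.terminate()
    return agreed, priv_zeroized, not any(session.shared)


if __name__ == "__main__":
    print("exchange:", run_exchange())
    prng = SeedKeyedPRNG()
    prng.random_bytes(1000)
    print("seed key replaced", prng.reseeds, "times for 1000 bytes of output")
```

The point of keeping secrets in bytearrays is that zeroization is observable: after `derive_shared` returns, both parties' private exponents read as all zeros, and after `terminate` the session secret does too. The seed counter reproduces the table's rule exactly: drawing 1000 bytes replaces the seed key twice (at 400 and 800 bytes), while drawing exactly 400 bytes does not trigger a replacement.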
