Cisco 3825 Non Proprietary Security Policy page 18

Cisco 3825 and Cisco 3845 Routers
Table 8 Cryptographic Keys and CSPs (Continued)
ISAKMP Secret
preshared
IKE hash key SHA-1
HMAC
secret_1_0_0
IPSec DES/TDES
encryption key /AES
IPSec SHA-1
authentication HMAC or
key DES MAC
Configuration AES
encryption key
Router Shared
authentication secret
key 1
PPP RFC 1334
authentication
key
Router Shared
authentication Secret
key 2
SSH session Various
key symmetric
User password Shared
Secret
Enable Shared
password Secret
Cisco 3825 and Cisco 3845 Integrated Services Routers FIPS 140-2 Non Proprietary Security Policy
18
The key used to generate IKE skeyid during
preshared-key authentication. "no crypto isakmp
key" command zeroizes it. This key can have two
forms based on whether the key is related to the
hostname or the IP address.
This key generates the IKE shared secret keys.
This key is zeroized after generating those keys.
The fixed key used in Cisco vendor ID generation.
This key is embedded in the module binary image
and can be deleted by erasing the Flash.
The IPSec encryption key. Zeroized when IPSec
session is terminated.
The IPSec authentication key. The zeroization is
the same as above.
The key used to encrypt values of the
configuration file. This key is zeroized when the
"no key config-key" is issued. Note that this
command does not decrypt the configuration file,
so zeroize with care.
This key is used by the router to authenticate itself
to the peer. The router itself gets the password
(that is used as this key) from the AAA server and
sends it onto the peer. The password retrieved
from the AAA server is zeroized upon completion
of the authentication attempt.
The authentication key used in PPP. This key is in
the DRAM and not zeroized at runtime. One can
turn off the router to zeroize this key because it is
stored in DRAM.
This key is used by the router to authenticate itself
to the peer. The key is identical to Router
authentication key 1 except that it is retrieved
from the local database (on the router itself).
Issuing the "no username password" zeroizes the
password (that is used as this key) from the local
database.
This is the SSH session key. It is zeroized when
the SSH session is terminated.
The password of the User role. This password is
zeroized by overwriting it with a new password.
The plaintext password of the CO role. This
password is zeroized by overwriting it with a new
password.
NVRAM "# no crypto isakmp
(plaintext or key"
encrypted)
DRAM
(plaintext)
NVRAM
(plaintext or
encrypted)
DRAM Automatically when
(plaintext) IPSec session
terminated.
DRAM Automatically when
(plaintext) IPSec session
terminated.
NVRAM "# no key config-key"
(plaintext or
encrypted)
DRAM Automatically upon
(plaintext) completion of
authentication attempt.
DRAM Turn off the router.
(plaintext)
NVRAM "# no username
(plaintext or password"
encrypted)
DRAM Automatically when
(plaintext) SSH session terminated
NVRAM Overwrite with new
(plaintext or password
encrypted)
NVRAM Overwrite with new
(plaintext or password
encrypted)
OL-8662-01