Cryptographic Key Management - Cisco 7606 User Manual
User guide
Hide thumbs
Also See for 7606:
- Configuration manual (1011 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
The tamper evidence seals are made from a special thin-gauge vinyl with self-adhesive backing. Any
attempt to open the chassis, remove the modules or power supplies, or remove the opacity shield will
damage the tamper evidence seals or the painted surface and metal of the chassis. Because the tamper
evidence seals have nonrepeated serial numbers, they may be inspected for damage and compared
against the applied serial numbers to verify that the module has not been tampered with. Tamper
evidence seals can also be inspected for signs of tampering, which include the following: curled corners,
bubbling, crinkling, rips, tears, and slices. The word "OPEN" may appear if the label was peeled back.
Cryptographic Key Management
The switch or the router securely administers both cryptographic keys and other critical security
parameters such as passwords. The tamper evidence seals provide physical protection for all keys. Keys
are also password protected and can be zeroized by the crypto officer. Keys are exchanged manually and
entered electronically using manual key exchange or Internet Key Exchange (IKE).
Chassis containing the VPN Services Module and a cryptographic accelerator card support DES (56-bit)
(only for legacy systems) and 3DES (168-bit) IPsec encryption, MD5 and SHA-1 hashing, and hardware
support for RSA signature generation.
The module supports the critical security parameters (CSPs) as described in
Table 3
CSP
Number
1
2
3
4
5
6
7
8
9
OL-6334-01
Critical Security Parameters
Key or CSP Name
.key
secret_number
skeyid
skeyid_d
skeyid_a
skeyid_e
transform_key1
transform_key2
crypto_private_key The RSA private key. The crypto key zeroize command
Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note
Description
This is the seed key for X9.31 PRNG. This key is stored
in DRAM and updated periodically after 400 bytes are
generated; hence, it is zeroized periodically. The operator
also can turn off the router to zeroize this key.
The private exponent used in Diffie-Hellman (DH)
exchange. It is zeroized after a DH shared secret has been
generated.
The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.
The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.
The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.
The shared secret within IKE exchange. It is zeroized
when an IKE session is terminated.
The IKE session encrypt key. It is zeroized when an IKE
session is terminated.
The IKE session authentication key. It is zeroized when
an IKE session is terminated.
zeroizes this key.
Cryptographic Key Management
Table
3.
Storage
DRAM
(plaintext)
DRAM
(plaintext)
DRAM
(plaintext)
DRAM
(plaintext)
DRAM
(plaintext)
DRAM
(plaintext)
DRAM
(plaintext)
DRAM
(plaintext)
NVRAM
(plaintext)
21
- Quick Links:
- Catalyst 6509 Switch and Cisco 7606...
Hide quick links:
Advertisement
Table of Contents
