| Name | CSP Type | Size | Description | Generation | Storage | Zeroization |
|---|---|---|---|---|---|---|
| DRBG V | SP 800-90 | 256 bits | This is the seed key for SP 800-90 DRBG. | Generated from entropy source via the CTR_DRBG derivation function | DRAM (plaintext) | Power cycle the device |
| Diffie-Hellman shared secret | DH | 1024-4096 bits | This is the shared secret agreed upon as part of DH exchange | N/A | DRAM (plaintext) | Zeroized upon deletion |
| Diffie-Hellman private exponent | DH | 1024-4096 bits | The private exponent used in Diffie-Hellman (DH) exchange. | Generated using FIPS approved DRBG | DRAM (plaintext) | Automatically after shared secret generated. |
| SSH keys/CSPs | | | | | | |
| SSH Private key | RSA | 1024-2048 bits | This is the SSH private key used to authenticate the module | Generated or entered like any RSA key | NVRAM (plaintext) | Zeroized by either deletion (via # crypto key zeroize rsa) or by overwriting with a new value of the key |
| SSH session key | Triple-DES/AES | 3-key Triple-DES, 128/192/256 bits AES keys | This is the symmetric SSH key used to protect SSH session | Created as part of SSH session set-up | DRAM (plaintext) | Zeroized automatically when SSH session is closed |

Table 8 Cryptographic Keys and CSPs

2.7 Self-Tests

In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to ensure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations.

2.7.1 Self-tests performed by the IOS image

• IOS Self Tests
  o POST tests
    ▪ AES Known Answer Test
    ▪ RSA Signature Known Answer Test (both signature/verification)
    ▪ Software/firmware test

© Copyright 2011 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
20
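The self-test section above lists known-answer tests and a software/firmware integrity test but does not show how a module acts on their results, and Table 8 lists zeroization without showing what "overwriting" a key means in practice. The following is an added example, not Cisco IOS code: a small Python model of a module that runs its power-on self-tests, refuses to offer any cryptographic service unless every test passed, and holds a session key in a buffer that can be zeroized in place. The known-answer vectors are public ones (SHA-256 of "abc" from FIPS 180-2 and HMAC-SHA-256 test case 1 from RFC 4231) standing in for the AES and RSA tests the page names, since those need a full cipher implementation; the module class, test names, integrity key and firmware image are all constructed for the illustration.

```python
"""Illustrative power-on self-test (POST) harness in the FIPS 140-2 style.

Added example for this page; it is not Cisco IOS code. The module class,
the test names, the integrity key and the image bytes are constructed.
"""
import hashlib
import hmac

# Known-answer vectors from public standards, not from the Cisco policy:
# SHA-256("abc") from FIPS 180-2 and HMAC-SHA-256 test case 1 from RFC 4231.
SHA256_KAT_MSG = b"abc"
SHA256_KAT_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_KAT_KEY = b"\x0b" * 20
HMAC_KAT_MSG = b"Hi There"
HMAC_KAT_TAG = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"

# Constructed stand-in for the integrity key a vendor embeds with the image.
INTEGRITY_KEY = b"constructed-build-time-integrity-key"


def build_image(payload: bytes = b"constructed IOS image bytes") -> "tuple[bytes, str]":
    """Build-time step: produce an image and the HMAC tag shipped beside it."""
    tag = hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()
    return payload, tag


class CryptoModule:
    """Minimal model of a module that fails closed when any self-test fails."""

    def __init__(self, image: bytes, image_tag: str):
        self.image = image
        self.image_tag = image_tag
        self.state = "POWER_ON"
        self.failed = []

    # Each self-test returns True on success and never raises.
    def sha256_kat(self) -> bool:
        return hashlib.sha256(SHA256_KAT_MSG).hexdigest() == SHA256_KAT_DIGEST

    def hmac_kat(self) -> bool:
        tag = hmac.new(HMAC_KAT_KEY, HMAC_KAT_MSG, hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, HMAC_KAT_TAG)

    def firmware_integrity_test(self) -> bool:
        # Recompute the tag over the loaded image and compare in constant time.
        tag = hmac.new(INTEGRITY_KEY, self.image, hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, self.image_tag)

    def run_post(self) -> str:
        """Run every test; a single failure puts the module in the ERROR state."""
        tests = [
            ("SHA-256 Known Answer Test", self.sha256_kat),
            ("HMAC-SHA-256 Known Answer Test", self.hmac_kat),
            ("Software/firmware integrity test", self.firmware_integrity_test),
        ]
        self.failed = [name for name, test in tests if not test()]
        self.state = "OPERATIONAL" if not self.failed else "ERROR"
        return self.state

    def digest(self, data: bytes) -> str:
        """A cryptographic service that is offered only once POST has passed."""
        if self.state != "OPERATIONAL":
            raise RuntimeError(f"module in {self.state} state; failed: {self.failed}")
        return hashlib.sha256(data).hexdigest()


class SessionKey:
    """Key held in a mutable buffer so it can be overwritten, not merely dropped."""

    def __init__(self, key: bytes):
        self._buf = bytearray(key)

    def zeroize(self) -> None:
        # Overwrite every byte in place, as Table 8 describes for DRAM-held keys.
        for i in range(len(self._buf)):
            self._buf[i] = 0

    def is_zeroized(self) -> bool:
        return all(b == 0 for b in self._buf)


if __name__ == "__main__":
    image, tag = build_image()
    good = CryptoModule(image, tag)
    print("intact image:", good.run_post())
    tampered = CryptoModule(image + b"\x00", tag)
    print("tampered image:", tampered.run_post(), tampered.failed)
    key = SessionKey(b"\x01" * 16)
    key.zeroize()
    print("session key zeroized:", key.is_zeroized())
```

The point of the model is the ordering: services are gated on the POST result, so a corrupted image or a miscomputing primitive leaves the module unusable rather than silently producing bad output. The zeroization helper overwrites the buffer it owns; in a managed runtime like CPython, copies of the key bytes may still exist elsewhere, which is why real modules zeroize at the storage layer the table names (DRAM, NVRAM) rather than relying on object deletion.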