Non-Approved Algorithms in FIPS mode
● Diffie-Hellman for IKE key exchanges - groups 2, 5, and 14
● MD5 for Radius Client role and peer OSPF router authentication
● HMAC-MD5-96 for SNMPv3 authentication
The cryptographic module relies on the implemented deterministic random number generator
(DRNG) that is compliant with X9.31 with 128-bit Key, 64-bit Seed for generation of all
cryptographic keys. The non-deterministic random seed generator is used for the periodic
re-seeding of the PRNG.
Setting the cryptographic module run mode
The user can determine if the cryptographic module is running in FIPS vs. non-FIPS mode via:
● Execution of the show running-config command.
● Verification that the configuration meets the requirements specified in Administration
Procedures on page 721.
● Verification that the HW version and the firmware version of the module firmware code in
banks A and B are FIPS-approved versions.
Non-FIPS mode of operation
In non-FIPS mode, the cryptographic module provides non-FIPS-approved algorithms and uses
FIPS-approved algorithms in non-compliant ways, as shown in
Table 168: Non-FIPS-approved operations and algorithms.
Table 168: Non-FIPS-approved operations and algorithms (1 of 2)
IKE, IPSEC, SNMPv3, SSH2, VoIP Bearer (Media) Encryption
MD5, HMAC-SHA1, PTLS, TDES, DES, AES, AEA, DH Group 1, RSA decryption, Group 786-2048 bit, DSS
Issue 5 June 2008 707