Extended Mode vs. FIPS Mode; FIPS 140-1 Level 3 Security - Avaya VPN Gateway User Manual

Introducing the ASA 310-FIPS

Extended Mode vs. FIPS Mode

When installing the very first ASA 310-FIPS into a new cluster, you can choose to initialize the
HSM cards in either Extended mode or FIPS mode. Extended mode is the default selection,
and is appropriate whenever your security policy does not explicitly require conformance to
the FIPS 140-1, Level 3 standard (see FIPS 140-1 Level 3 Security below).
The main difference between Extended mode and FIPS mode is how private keys are
handled. In both modes, all private keys are stored encrypted in the database on the ASA
310-FIPS. When the HSM card is initialized in Extended mode, the encrypted private key
needed for a specific operation is transferred to the HSM card over the PCI bus. The
private key is then decrypted on the HSM card itself, using the wrap key that was generated
during initialization and stored on the card. The private key is thus never exposed
in plain text outside the HSM card.
When the HSM card is initialized in FIPS mode, the encrypted private key needed for
a specific operation is read from the database into RAM, together with the wrap key from the
HSM card. The private key is then decrypted in RAM, where it remains accessible for
subsequent operations.
Also, when the ASA 310-FIPS is initialized in FIPS mode, all private keys must be generated
on the ASA 310-FIPS device itself. Importing private keys, or certificate files that contain private
keys, is not allowed under the FIPS security requirements. This means that the CLI
commands used to import certificates and keys through a copy-and-paste operation, or
through TFTP/FTP/SCP/SFTP, cannot be used when the ASA 310-FIPS is initialized in
FIPS mode.
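The following Go program is an added illustration of the key-handling model described above; it is not code from the Avaya manual or from the ASA 310-FIPS product. It models the card's wrap key as an AES-256-GCM key (the manual does not name the wrap algorithm; this is an assumption), stores the private key in the "database" as a wrapped PKCS#8 blob, and shows the Extended-mode path, where the blob is unwrapped and used inside the card object and only the signature comes back, beside the FIPS-mode path as the manual describes it, where the wrap key is read out and the host unwraps the key in its own memory. The type and function names (HSMCard, SignExtended, HostUnwrap) are hypothetical. The check a practitioner wants is also here: a blob wrapped by one card is rejected by a card with a different wrap key, and a truncated blob fails authentication rather than decrypting to garbage.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// HSMCard models the card's trust boundary. The wrap key is generated at
// initialization and lives inside the struct; only ExportWrapKey (the
// FIPS-mode path as the manual describes it) hands it out.
type HSMCard struct {
	wrapKey []byte // assumption: a 256-bit AES key; the manual names no algorithm
}

// NewHSMCard models card initialization: the wrap key is generated on the card.
func NewHSMCard() (*HSMCard, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &HSMCard{wrapKey: k}, nil
}

// newAEAD builds the AES-GCM wrapper for a wrap key. GCM authenticates the
// blob, so a wrong key or a tampered blob is rejected instead of misparsed.
func newAEAD(wrapKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(wrapKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts the private key (PKCS#8 DER) under the card's wrap key.
// The result is what the database stores: nonce || ciphertext || GCM tag.
func (h *HSMCard) Wrap(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newAEAD(h.wrapKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, der, nil), nil
}

// unwrapWith decrypts a database blob with a given wrap key. Both modes use
// the same operation; what differs is where the plaintext key ends up.
func unwrapWith(wrapKey, blob []byte) (*rsa.PrivateKey, error) {
	gcm, err := newAEAD(wrapKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("wrapped key blob too short")
	}
	der, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong wrap key or tampered blob): %w", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	priv, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("wrapped key is not an RSA key")
	}
	return priv, nil
}

// SignExtended is the Extended-mode path: the blob is handed to the card,
// unwrapped and used there, and only the signature leaves. The plaintext key
// is a local of this method and is dropped when it returns.
func (h *HSMCard) SignExtended(blob, msg []byte) ([]byte, error) {
	priv, err := unwrapWith(h.wrapKey, blob)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// ExportWrapKey models the FIPS-mode path as the manual describes it: the wrap
// key is read from the card into host RAM.
func (h *HSMCard) ExportWrapKey() []byte { return append([]byte(nil), h.wrapKey...) }

// HostUnwrap is the host side of that path: the decrypted private key now
// lives in host memory and stays there for subsequent operations.
func HostUnwrap(wrapKey, blob []byte) (*rsa.PrivateKey, error) {
	return unwrapWith(wrapKey, blob)
}

// Verify checks a PKCS#1 v1.5 SHA-256 signature against the public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	card, _ := NewHSMCard()
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on the device, never imported
	blob, _ := card.Wrap(priv)                    // this is what the database holds
	msg := []byte("constructed sample message")
	sig, err := card.SignExtended(blob, msg)
	fmt.Println("extended-mode signature valid:", err == nil && Verify(&priv.PublicKey, msg, sig))
	other, _ := NewHSMCard() // a second card with its own wrap key
	_, err = other.SignExtended(blob, msg)
	fmt.Println("blob useless without the originating card's wrap key:", err != nil)
}
```

Run with `go run` to see both lines print `true`. The point of the split between SignExtended and HostUnwrap is that the same wrapped blob and the same unwrap routine give very different exposure depending on which side of the PCI bus performs the unwrap; the database contents alone are not usable without the card that generated the wrap key.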

FIPS140-1 Level 3 Security

The HSM card meets all of the security requirements specified by the FIPS 140-1, Level 3
standard. FIPS 140-1 is a U.S. government standard for implementations of cryptographic
modules, that is, hardware or software that encrypts and decrypts data or performs other
cryptographic operations (such as creating or verifying digital signatures).
FIPS 140-1 is binding on U.S. government agencies deploying applications that use
cryptography to secure sensitive but unclassified (SBU) information, unless those agencies
have been specifically exempted from compliance by the relevant U.S. laws referenced in the
standard.
For more information about the FIPS specification, visit http://csrc.nist.gov/publications/fips/
index.html and scroll down to "FIPS 140-1".
User Guide
Comments? infodev@avaya.com
April 2013
