Specifications

ManualsBrandsAruba ManualsComputer equipment620

Security Target Version 1.0 9/29/2014

indicate such a failure. An administrator must take action to manually re-synchronize the remote audit log

after the path is restored.

6.2 Cryptographic support

The TOE meets FIPS 140-2 requirements by allowing the administrator to enable a FIPS operating mode. The CC

evaluated configuration of the TOE requires the use of this FIPS operating mode. In this mode, only FIPS-approved

algorithms are allowed for cryptographic services (e.g., encryption, hashing, digital signature, etc.). All use of

cryptographic services (e.g., TLSv1, IPsec/IKE, SSHv2, etc.) can only utilize FIPS-approved algorithms for the

underlying algorithms. All models are FIPS-certified at overall Level 2. This ensures that tamper-evident seals are

placed around the enclosure (as specified by FIPS 140-2 requirements) to detect any tampering. In addition, at Level

2, any ventilation holes or slots must be small or obstructed to prevent probing of the inside.

The following functions have been FIPS certified in accordance with the identified standards.

Functions

Standards

Certificates

Symmetric key derivation

• WPA2 128-bit cryptographic key

derivation

PRF-384

802.11-2007

Cert #426, 1512, 1663,

1666

• Random number generation

NIST Special Publication 800-90

using [CTR_DRBG(any)

Cert #443

Asymmetric key generation

• Domain parameter generation

NIST Special Publication 800-56A

NIST Special Publication 800-56B

Cert #466, 1376, 1380

Key Distribution

• Pairwise Master Key reception from

an 802.1X Authorization Server

802.11-2007

IEEE 802.11i

Note: If RADIUS protocol is used

between the Authenticator and AS is

RADIUS. The MS-MPPE-Recv-Key

attribute (vendor-id = 17; see Section

2.4.3 in IETF RFC 2548-1999 [B30])

is used to transport the PMK to the

Authenticator.

N/A

• AES Key Wrap in an EAPOL-Key

frame for GTK

RFC 3394 for AES Key Wrap,

802.11-2007 for the packet format and

timing considerations

Cert #762, 779, 2479,

2680, 2677

• Group Key Handshake

IEEE 802.11i

Encryption/Decryption

• AES CCM and GCM (128-256 bits)

FIPS PUB 197

NIST SP 800-38C

NIST SP 800-38D

Cert #779, 1648, 2680,

2677

• AES CCMP (128 bits)

FIPS PUB 197

NIST SP 800-38C

IEEE 802.11-2007

Cert #779, 1648, 2680,

2677

Cryptographic signature services

• RSA Digital Signature Algorithm

(rDSA) (modulus 2048)

FIPS PUB 186-3

Cert #1376, 1379, 1380

• Elliptic Curve Digital Signature

Algorithm (ECDSA) (P-256 and P-

384)

FIPS PUB 186-3

Cert #466, 469

Cryptographic hashing

• SHA-1, SHA-256, and SHA-384

(digest sizes 160, 256, and 384 bits)

FIPS Pub 180-3

Cert #762, 781, 934,

2246, 2249, 2250

Keyed-hash message authentication

• HMAC-SHA-1, HMAC-SHA-256,

FIPS Pub 198-1

Cert #417, 416, 538,