Manualshelf

User guide

ManualsBrandsAruba ManualsComputer equipment620
21222324252627282930
Aruba Networks Security Target
Page 23 of 67
FCS_CKM.1(2) Cryptographic Key Generation (for asymmetric keys IPSec)
FCS_CKM.1.1(2) The TSF shall generate asymmetric cryptographic keys used for key
establishment in accordance with:
NIST Special Publication 800-56A, “Recommendation for Pair-Wise
Key Establishment Schemes Using Discrete Logarithm
Cryptography” for finite field-based key establishment schemes;
NIST Special Publication 800-56A, “Recommendation for Pair-Wise
Key Establishment Schemes Using Discrete Logarithm
Cryptography” for elliptic curve-based key establishment schemes
and implementing “NIST curves” P-256, P-384 and no other curves
(as defined in FIPS PUB 186-3, “Digital Signature Standard”) and
NIST Special Publication 800-56B, “Recommendation for Pair-Wise
Key Establishment Schemes Using Integer Factorization
Cryptography” for RSA-based key establishment schemes
and specified cryptographic key sizes equivalent to, or greater than, a
symmetric key strength of 112 bits.
Application Note: This requirement is related to the use of Diffie-Hellman, RSA and/or
ECDSA in IPSec (depending on configuration for the multiple uses of
IPSec).
FCS_CKM.1(3) Cryptographic Key Generation (for asymmetric keys SSH)
FCS_CKM.1.1(3) The TSF shall generate asymmetric cryptographic keys used for key
establishment in accordance with:
NIST Special Publication 800-56A, “Recommendation for Pair-Wise
Key Establishment Schemes Using Discrete Logarithm
Cryptography” for finite field-based key establishment schemes;
and specified cryptographic key sizes equivalent to, or greater than, a
symmetric key strength of 112 bits.
Application Note: This requirement is related to the use of Diffie-Hellman in SSH.
FCS_CKM_EXT.4 Cryptographic Key Zeroization
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys
and CSPs when no longer required.
Application Note: “Cryptographic Critical Security Parameters” are defined in FIPS 140-2
as “security-related information (e.g., secret and private cryptographic
keys, and authentication data such as passwords and PINs) whose
disclosure or modification can compromise the security of a
cryptographic module.”
The zeroization indicated above applies to each intermediate storage
area for plaintext key/cryptographic critical security parameter (i.e., any
storage, such as memory buffers, that is included in the path of such
data) upon the transfer of the key/cryptographic critical security
parameter to another location.