Router Instructions
FIPS 140-2 Nonproprietary Security Policy for Cisco 7206VXR NPE-400 Router with VAM
OL-3959-01
Cryptographic Key Management
The module supports the following critical security parameters (CSPs):
Table 2 Critical Security Parameters

# | CSP Name | Description | Storage
1 | CSP1 | The seed key for the X9.31 PRNG. It is stored in DRAM and updated periodically, after every 400 bytes of output have been generated, so it is zeroized periodically. The operator can also zeroize it by powering off the router. | DRAM (plaintext)
2 | CSP2 | The private exponent used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared secret has been generated. | DRAM (plaintext)
3 | CSP3 | The shared secret within the IKE exchange. Zeroized when the IKE session is terminated. | DRAM (plaintext)
4 | CSP4 | Same as CSP3. | DRAM (plaintext)
5 | CSP5 | Same as CSP3. | DRAM (plaintext)
6 | CSP6 | Same as CSP3. | DRAM (plaintext)
7 | CSP7 | The IKE session encryption key. Zeroized when the IKE session is terminated, as for CSP3. | DRAM (plaintext)
8 | CSP8 | The IKE session authentication key. Zeroized when the IKE session is terminated, as for CSP3. | DRAM (plaintext)
9 | CSP9 | The RSA private key. The "crypto key zeroize" command zeroizes it. | NVRAM (plaintext)
10 | CSP10 | The key used to generate the IKE SKEYID during preshared-key authentication. The "no crypto isakmp key" command zeroizes it. The key can take two forms, depending on whether it is associated with a hostname or with an IP address. | NVRAM (plaintext)
11 | CSP11 | The key from which CSP3, CSP4, CSP5 and CSP6 are generated. Zeroized after those keys have been generated. | DRAM (plaintext)
12 | CSP12 | The RSA public key used to validate signatures within IKE. It expires when the CRL (certificate revocation list) expires, or 5 seconds later if no CRL exists. After expiration, and before a new public-key structure is created, the key is deleted. A public key does not need to be zeroized, but it is zeroized as described here. | DRAM (plaintext)
13 | CSP13 | The fixed key used in Cisco vendor ID generation. It is embedded in the module binary image and can be deleted by erasing the Flash. | NVRAM (plaintext)
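As an added worked example, not code from this security policy or from Cisco IOS, the following C models the zeroize-on-event rules Table 2 states for the DRAM-resident IKE CSPs: the DH private exponent (CSP2) is wiped as soon as the shared secret exists, the derivation key (CSP11) is wiped as soon as CSP3 to CSP6 and the session keys have been derived, and session termination wipes everything that remains. The struct and function names, the 32-byte key length, and the XOR-based stand-in for the DH computation and the IKE PRF are assumptions made so the example runs offline; the real module's derivation is not shown on this page.

```c
/* Added example (not Cisco IOS code): zeroize-on-event handling for the
 * DRAM-resident CSPs of Table 2.  CSP numbers refer to that table; the
 * names, KEY_LEN and the XOR stand-in derivation are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32 /* assumed key length for the example */

/* Zeroize through a volatile pointer so the compiler cannot drop the store
 * as dead code (a plain memset() before return or free() often is dropped,
 * leaving the CSP in DRAM). */
static void zeroize(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if the region is entirely zero (used to verify zeroization). */
int is_zeroized(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* DRAM-resident CSPs of one IKE session. */
struct ike_session {
    uint8_t dh_priv[KEY_LEN];     /* CSP2: DH private exponent */
    uint8_t skeyid_base[KEY_LEN]; /* CSP11: key from which CSP3..CSP6 derive */
    uint8_t shared[4][KEY_LEN];   /* CSP3..CSP6: IKE shared secrets */
    uint8_t enc_key[KEY_LEN];     /* CSP7: session encryption key */
    uint8_t auth_key[KEY_LEN];    /* CSP8: session authentication key */
    int active;
};

/* Stand-in for the IKE PRF: mixes the base key with an index so that each
 * derived key differs.  Not the module's real derivation. */
static void derive(uint8_t *out, const uint8_t *base, uint8_t idx)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = base[i] ^ (uint8_t)(idx * 0x3b + i);
}

/* Step 1: DH completes.  The private exponent is used once to produce the
 * shared secret and is then zeroized (CSP2 rule in Table 2). */
void ike_dh_complete(struct ike_session *s, const uint8_t *peer_pub)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        s->skeyid_base[i] = s->dh_priv[i] ^ peer_pub[i]; /* stand-in for g^xy */
    zeroize(s->dh_priv, KEY_LEN);
}

/* Step 2: derive CSP3..CSP6, CSP7 and CSP8 from CSP11, then zeroize CSP11
 * (CSP11 rule in Table 2). */
void ike_derive_keys(struct ike_session *s)
{
    for (uint8_t k = 0; k < 4; k++) derive(s->shared[k], s->skeyid_base, k);
    derive(s->enc_key, s->skeyid_base, 4);
    derive(s->auth_key, s->skeyid_base, 5);
    zeroize(s->skeyid_base, KEY_LEN);
    s->active = 1;
}

/* Step 3: session termination zeroizes every remaining session CSP
 * (CSP3..CSP8 rule in Table 2). */
void ike_session_terminate(struct ike_session *s)
{
    zeroize(s->shared, sizeof s->shared);
    zeroize(s->enc_key, KEY_LEN);
    zeroize(s->auth_key, KEY_LEN);
    s->active = 0;
}

/* Returns 1 if no session CSP remains in the structure. */
int ike_session_is_clean(const struct ike_session *s)
{
    return is_zeroized(s->dh_priv, KEY_LEN)
        && is_zeroized(s->skeyid_base, KEY_LEN)
        && is_zeroized((const uint8_t *)s->shared, sizeof s->shared)
        && is_zeroized(s->enc_key, KEY_LEN)
        && is_zeroized(s->auth_key, KEY_LEN);
}

/* Runs the lifecycle on constructed inputs and returns 1 only if each CSP
 * was gone at exactly the point Table 2 requires, and present before it. */
int run_lifecycle(void)
{
    struct ike_session s;
    uint8_t peer_pub[KEY_LEN]; /* constructed sample input */
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < KEY_LEN; i++) {
        s.dh_priv[i] = (uint8_t)(0xa5 + i);
        peer_pub[i] = (uint8_t)(0x5a ^ i);
    }

    ike_dh_complete(&s, peer_pub);
    if (!is_zeroized(s.dh_priv, KEY_LEN)) return 0;    /* CSP2 must be gone */
    if (is_zeroized(s.skeyid_base, KEY_LEN)) return 0;  /* CSP11 must exist */

    ike_derive_keys(&s);
    if (!is_zeroized(s.skeyid_base, KEY_LEN)) return 0; /* CSP11 must be gone */
    if (is_zeroized(s.enc_key, KEY_LEN)) return 0;      /* CSP7 must exist */

    ike_session_terminate(&s);
    return ike_session_is_clean(&s);
}

int main(void)
{
    printf("zeroization lifecycle ok: %d\n", run_lifecycle());
    return 0;
}
```

The volatile-pointer wipe is the part worth copying: the point of listing a CSP as "zeroized when the IKE session is terminated" is lost if the wipe is compiled out, and the check functions let a test confirm that each key is absent after its trigger event and not before.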