Cisco 1841 Integrated Services Routers with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Routers with AIM-VPN/EPII-Plus FIPS 140-2 Non Proprietary Security Policy Level 2 Validation Version 1.6 September 8, 2008 © Copyright 2007 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Table of Contents 1 INTRODUCTION.................................................................................................................. 3 1.1 PURPOSE ............................................................................................................................. 3 1.2 REFERENCES ....................................................................................................................... 3 1.3 TERMINOLOGY .....................................................................
1 Introduction 1.1 Purpose This document is the non-proprietary Cryptographic Module Security Policy for the Cisco 1841 and 2801 Integrated Services Routers with AIM-VPN/BPII-Plus installed. This security policy describes how the Cisco 1841 and 2801 Integrated Services Routers (Hardware Version: 1841 or 2801; Firmware Version: IOS 12.4 (15) T3) meet the security requirements of FIPS 140-2, and how to operate the router in a secure FIPS 140-2 mode.
and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS-mode of operation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate nondisclosure agreements. For access to these documents, please contact Cisco Systems. © Copyright 2007 Cisco Systems, Inc.
2 Cisco 1841 and 2801 Routers Branch office networking requirements are dramatically evolving, driven by web and ecommerce applications to enhance productivity and merging the voice and data infrastructure to reduce costs. The Cisco 1841 and 2801 routers provide a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements. This section describes the general features and functionality provided by the routers.
The 1841 router supports AIM-VPN/BPII-Plus card and two fast Ethernet connections. Figure 2 shows the rear panel. The front panel contains 2 LEDs that output status data about the system status (SYS OK) and system activity (SYS ACT). The back panel consists of 8 LEDs: two duplex LEDs, two speed LEDs, two link LEDs, CF LED and AIM LED.
Duplex Speed Link Solid Green Off Solid Green Off Solid Green Off Full-Duplex Half-Duplex 100 Mbps 10 Mbps Ethernet link is established No link established Table 3 – 1841 Ethernet Indicators The physical interfaces are separated into the logical interfaces from FIPS 140-2 as described in the following table: Router Physical Interface 10/100 Ethernet LAN Ports HWIC/WIC/VIC Ports Console Port Auxiliary Port USB port 10/100 Ethernet LAN Ports HWIC/WIC/VIC Ports Console Port Auxiliary Port USB Port 10/100 E
Figure 3 – Cisco 2801 router case The 2801 router is a multiple-chip standalone cryptographic module. The router has a processing speed of 240MHz. Depending on configuration, either the installed AIM-VPN/BPII-Plus module or the internal Giove FPGA or the IOS software is used for cryptographic operations. The cryptographic boundary of the module is the device’s case, shown in Figure 3. All of the functionality discussed in this document is provided by components within this cryptographic boundary.
two link LEDs, two PVDM LEDs, two AIM LEDs, system status LED (SYS OK), system activity (SYS ACT) LED, inline power LED, and CF LED. The back panel has the power inlet and on/off switch.
AIM0 Off Solid Green Solid Orange Off AIM1 not installed. AIM0 installed and initialized. AIM0 installed and initialized error. AIM0 not installed.
The CF card that stored the IOS image is considered an internal memory module. The reason is the IOS image stored in the card cannot be modified or upgraded. The card itself must never be removed from the drive. Tamper evident seal will be placed over the card in the drive. 2.3 Roles and Services Authentication in Cisco 1841 and 2801 is role-based. There are two main roles in the router that operators can assume: the Crypto Officer role and the User role.
Define Rules and Filters Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction.
When using RSA based authentication, RSA key pair has modulus size of 1024 bit to 2048 bit, thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 280 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, an attacker would have to be capable of approximately 1.
Figure 7 Tamper evident labels attached on the opacity shield of Router 1841 Figure 8 Opacity shield attached on the side panel of router 2801 Figure 9 Tamper evident label attached on the opacity shield of Router 2801 © Copyright 2007 Cisco Systems, Inc. 14 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Figure 10 Tamper evident label attached on the opacity shield of Router 2801 Once the router has been configured in to meet FIPS 140-2 Level 2 requirements, the router cannot be accessed without signs of tampering. To seal the system, apply serialized, tamperevidence labels as follows: For Cisco 1841 router: 1. Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose.
Figure 11 – Cisco 1841 Tamper Evident Label Placement (Back View) Figure 12 – Cisco 1841 Tamper Evident Label Placement (Front View) For Cisco 2801 router: 1. Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C. 2. The tamper evidence label should be placed so that one half of the label covers the front panel and the other half covers the enclosure. 3.
Figure 13 – Cisco 2801 Tamper Evident Label Placement (Back View) Figure 14 – Cisco 2801 Tamper Evident Label Placement (Front View) The tamper evidence seals are produced from a special thin gauge vinyl with self-adhesive backing. Any attempt to open the router will damage the tamper evidence seals or the material of the module cover.
X9.31 PRNG RSA 456 379 Onboard FPGA Implementations AES Triple-DES SHA-1 HMAC-SHA-1 181 283 267 27 AIM Module Implementations AES Triple-DES SHA-1 HMAC-SHA-1 X9.31 PRNG RSA 100 213 401 38 80 383 The router is in the approved mode of operation only when FIPS 140-2 approved algorithms are used (except DH and RSA key transport which are allowed in the approved mode for key establishment despite being non-approved).
4. RSA encrypted nonces based authentication is used for IKE, with Diffie-Hellman Key agreement technique to derive AES or Triple-DES keys. 5. RSA key transport is used to derive the Triple-DES or AES keys during SSLv3.1/TLS handshake. The module supports commercially available Diffie-Hellman and RSA key transport for key establishment. All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password.
PRNG Seed X9.31 This is the seed for X9.31 PRNG. This CSP is stored in DRAM and updated periodically after the generation of 400 bytes – after this it is reseeded with router-derived entropy; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this CSP. DRAM Automatically every 400 bytes, or turn off the router. PRNG Seed Key X9.31 This is the seed key for the PRNG.
IKE RSA Authentication Public Key RSA RSA public key for IKE authentication. Generated or entered like any RSA key, set as IKE RSA Authentication Key with the “crypto keyring” or “ca trust-point” command. NVRAM “# crypto key zeroize rsa" IKE RSA Encrypted Nonce Private Key RSA RSA private key for IKE encrypted nonces. Generated like any RSA, with the “usagekeys” parameter included. NVRAM “# crypto key zeroize rsa" IKE RSA Encrypted Nonce Public Key RSA RSA public key for IKE encrypted nonces.
Enable secret Shared Secret The ciphertext password of the CO role. However, the algorithm used to encrypt this password is not FIPS approved. Therefore, this password is considered plaintext for FIPS purposes. This password is zeroized by overwriting it with a new password. NVRAM Overwrite with new password RADIUS secret Shared Secret The RADIUS shared secret. This shared secret is zeroized by executing the “no radius-server key” command.
Diffie Hellman private exponent r Diffie Hellman public key r skeyid r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r w d r skeyid_d r skeyid_a r skeyid_e r IKE session encrypt key r IKE session authentication key r ISAKMP preshared r IKE hash key r IKE RSA Authentication private Key IKE RSA Authentication Public Key IKE RSA Encrypted Nonce Private Key IKE RSA Encrypted Nonce Public Key r r r r IPSec encryption key r IPSec authentication key r Configuration en
PPP authentication key r Router authentication key 2 d r w r w d r SSH session key r w d r User password r w d r w d r w d r w d r Enable password Enable secret RADIUS secret secret_1_0_0 r w d TACACS+ secret TLS server private key r TLS server public key r TLS pre-master secret r TLS Encryption Key r TLS Integrity Key r r w d r w d r w d r w d r w d r w r w Table 9 – Role and Service Access to CSP © Copyright 2007 Cisco Systems, Inc.
2.6 Self-Tests In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to insure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. All self-tests are implemented by the software.
2.6.
3 Secure Operation of the Cisco 1841 or 2801 router The Cisco 1841 and 2801 routers meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation. 3.1 Initial Setup 1. The Crypto Officer must apply tamper evidence labels as described in Section 2.4 of this document. 2.
3.3 IPSec Requirements and Cryptographic Algorithms 1. The only type of key management that is allowed in FIPS mode is Internet Key Exchange (IKE). 2. Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration: ah-sha-hmac esp-sha-hmac esp-Triple-DES esp-aes 3. The following algorithms are not FIPS approved and should not be used during FIPSapproved mode: MD-5 for signing MD-5 HMAC DES 3.4 Protocols 1.
approved algorithms. Note that all users must still authenticate after remote access is granted. © Copyright 2007 Cisco Systems, Inc. 29 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
CISCO EDITOR’S NOTE: You may now include all standard Cisco information included in all documentation produced by Cisco. Be sure that the following line is in the legal statements at the end of the document: By printing or making a copy of this document, the user agrees to use this information for product evaluation purposes only. Sale of this information in whole or in part is not authorized by Cisco Systems. © Copyright 2007 Cisco Systems, Inc.
