Specifications

© Copyright 2007 Cisco Systems, Inc. Page 15 of 26
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed
upon for individual tunnels are directly associated with that specific tunnel only via the IKE
protocol. RSA Public keys are entered into the modules using digital certificates which contain
relevant data such as the name of the public key's owner, which associates the key with the
correct entity. All other keys are associated with the user/role that entered them.
Key Zeroization:
Each key can be zeroized by sending the “no” command prior to the key function commands.
This will zeroize each key from the DRAM (the running configuration).
“Clear Crypto IPSec SA” will zeroize the DES/Triple-DES/AES session key (which is derived
using the Diffie-Hellman key agreement technique) from the DRAM. This session key is only
available in the DRAM; therefore this command will completely zeroize this key. The following
command will zeroize the pre-shared keys from the DRAM:
no set session-key inbound ah spi hex-key-data
no set session-key outbound ah spi hex-key-data
no set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
no set session-key outbound esp spi cipher hex-key-data [authenticator hex-key-data]
no crypto isakmp key
The DRAM running configuration must be copied to the start-up configuration in NVRAM in
order to completely zeroize the keys.
The RSA keys are zeroized by issuing the CLI command “crypto key zeroize rsa”.
All SSL/TLS session keys are zeroized automatically at the end of the SSL/TLS session.
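The zeroization procedure above has a persistence caveat: the “no” forms clear a key from DRAM, but a copy of the same key survives in NVRAM until the running configuration is written to the start-up configuration. The following Python script is an added audit example, not part of the Cisco security policy; it compares a running configuration against a start-up configuration and reports key-carrying lines (pre-shared keys and manual session keys) that were zeroized in DRAM but are still stored in NVRAM. The configuration text, hostnames, SPIs and hex values are constructed, and the line patterns are a simplified model of the commands listed in the policy.

```python
import re
from typing import Dict, List

# Patterns for configuration lines that carry key material. These are the
# commands whose "no" form the policy lists as the zeroization method.
KEY_LINE_PATTERNS = [
    re.compile(r"^\s*crypto isakmp key\s+\S+"),
    re.compile(r"^\s*set session-key (?:inbound|outbound) (?:ah|esp)\s+\d+"),
]


def residual_keys(config: str) -> List[str]:
    """Return the key-carrying lines present in a configuration text."""
    return [line.strip() for line in config.splitlines()
            if any(p.match(line) for p in KEY_LINE_PATTERNS)]


def zeroization_gap(running: str, startup: str) -> Dict[str, List[str]]:
    """Compare the DRAM (running) and NVRAM (start-up) configurations.

    'still_in_running': keys not yet removed with the "no" form.
    'only_in_startup' : keys already zeroized in DRAM but still held in NVRAM
                        because running-config was not copied to startup-config.
    """
    running_keys = set(residual_keys(running))
    startup_keys = residual_keys(startup)
    return {
        "still_in_running": sorted(running_keys),
        "only_in_startup": [k for k in startup_keys if k not in running_keys],
    }


# Constructed sample configurations (hostname, SPIs and hex values are made up).
# The operator has issued "no crypto isakmp key" and "no set session-key" in the
# running configuration but has not yet written it to NVRAM.
STARTUP_CONFIG = """\
hostname fips-router
crypto isakmp key 0 constructedPSK address 192.0.2.10
crypto map FIPSMAP 10 ipsec-manual
 set session-key inbound esp 1001 cipher 0123456789abcdef0123456789abcdef
 set session-key outbound esp 1002 cipher fedcba9876543210fedcba9876543210
"""
RUNNING_CONFIG = """\
hostname fips-router
crypto map FIPSMAP 10 ipsec-manual
"""

if __name__ == "__main__":
    for finding, lines in zeroization_gap(RUNNING_CONFIG, STARTUP_CONFIG).items():
        print(finding, lines)
```

A non-empty 'only_in_startup' list means the copy to NVRAM described above has not yet been performed, so the keys are not completely zeroized.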
The module supports the following keys and critical security parameters (CSPs).
Columns: Key/CSP Name; Algorithm; Description; Storage Location; Zeroization Method.

Key/CSP Name: PRNG Seed
Algorithm: X9.31
Description: This is the seed for the X9.31 PRNG. This CSP is stored in DRAM and updated periodically after the generation of 400 bytes; after this it is reseeded with router-derived entropy; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this CSP.
Storage Location: DRAM
Zeroization Method: Automatically every 400 bytes, or turn off the router.

Key/CSP Name: PRNG Seed Key
Algorithm: X9.31
Description: This is the seed key for the X9.31 PRNG.
Storage Location: DRAM
Zeroization Method: Turn off the router.