Specifications

© Copyright 2007 Cisco Systems, Inc. Page 24 of 26
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
5. RADIUS and TACACS+ shared secret key sizes must be at least 8 characters long.
3.3 IPSec Requirements and Cryptographic Algorithms
1. The only type of key management protocol that is allowed in FIPS mode is Internet Key Exchange (IKE), although manual creation of security associations is also permitted.
2. Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:
ah-sha-hmac
esp-sha-hmac
esp-Triple-DES
esp-aes
3. The following algorithms are not FIPS approved and should not be used in FIPS-approved mode:
DES
MD-5 for signing
MD-5 HMAC
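As an added example (not part of the Cisco policy), the following audit script checks IOS `crypto ipsec transform-set` lines against the section 3.3 allow-list and reports any transform that is denied or unknown. It assumes the IOS keyword spellings: the policy's esp-Triple-DES is configured as esp-3des, the MD5 variants are esp-md5-hmac and ah-md5-hmac, and an AES key size appears as a separate trailing token (esp-aes 256).

```python
"""Audit IOS transform-sets against the FIPS 140-2 allow-list in section 3.3.
Added example, not from the Cisco policy; IOS keyword spellings are assumed."""
import re

# Transforms the policy permits in FIPS mode (section 3.3, item 2).
FIPS_ALLOWED = {"ah-sha-hmac", "esp-sha-hmac", "esp-3des", "esp-aes"}

# Transforms the policy explicitly rejects (section 3.3, item 3): DES and MD5.
FIPS_DENIED = {
    "esp-des": "DES",
    "esp-md5-hmac": "MD5 HMAC",
    "ah-md5-hmac": "MD5 HMAC",
}

TRANSFORM_SET_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+)\s+(.+?)\s*$")


def audit_transform_sets(config_text):
    """Return a list of (set_name, transform, reason) findings.

    Every transform in a set must be on the allow-list; anything else,
    whether explicitly denied or simply unknown, is reported for review.
    """
    findings = []
    for line in config_text.splitlines():
        m = TRANSFORM_SET_RE.match(line)
        if not m:
            continue
        name, transforms = m.group(1), m.group(2).split()
        i = 0
        while i < len(transforms):
            t = transforms[i]
            # 'esp-aes 256' carries its key size as a separate token (assumed syntax)
            if t == "esp-aes" and i + 1 < len(transforms) and transforms[i + 1].isdigit():
                i += 1
            if t in FIPS_DENIED:
                findings.append((name, t, "not FIPS approved: " + FIPS_DENIED[t]))
            elif t not in FIPS_ALLOWED:
                findings.append((name, t, "not on section 3.3 allow-list"))
            i += 1
    return findings


# Constructed sample configuration; not taken from any real device.
SAMPLE_CONFIG = """\
crypto ipsec transform-set FIPS-OK esp-aes 256 esp-sha-hmac
crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
crypto ipsec transform-set MIXED esp-3des esp-md5-hmac
crypto ipsec transform-set AH-ONLY ah-sha-hmac
"""

if __name__ == "__main__":
    for name, t, reason in audit_transform_sets(SAMPLE_CONFIG):
        print(f"{name}: {t} -> {reason}")
```

Run against a saved `show running-config`, the script lists only the sets that need changing before FIPS mode is enabled.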
3.4 Protocols
1. SNMP v3 over a secure IPSec tunnel may be employed for authenticated, secure SNMP gets and sets. Since SNMP v2C uses community strings for authentication, only gets are allowed under SNMP v2C.
3.5 SSLv3.1/TLS Requirements and Cryptographic Algorithms
When negotiating SSLv3.1/TLS cipher suites, only FIPS approved algorithms must be specified.
All other versions of SSL except version 3.1 must not be used in FIPS mode of operation.
The following algorithms are not FIPS approved and should not be used in the FIPS-approved mode:
MD5
RC4
RC2
DES