Specifications
Cisco Aggregation Services Router (ASR) 901 Series Security Target
112 bits.
5.2.2.2 FCS_CKM_EXT.4 Cryptographic Key Zeroization
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys
and CSPs when no longer required.
5.2.2.3 FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)
FCS_COP.1.1(1) Refinement: The TSF shall perform [encryption and decryption] in
accordance with a specified cryptographic algorithm [AES operating in [CBC]] and cryptographic
key sizes 128-bits and 256-bits that meets the following:
FIPS PUB 197, “Advanced Encryption Standard (AES)”
[NIST SP 800-38A, NIST SP 800-38D]
5.2.2.4 FCS_COP.1(2) Cryptographic Operation (for cryptographic signature)
FCS_COP.1.1(2) Refinement: The TSF shall perform cryptographic signature services in
accordance with a [(2) RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of
2048 bits or greater] that meets the following:
[Case: Digital Signature Algorithm
FIPS PUB 186-3, “Digital Signature Standard”].
5.2.2.5 FCS_COP.1(3) Cryptographic Operation (for cryptographic hashing)
FCS_COP.1.1(3) Refinement: The TSF shall perform [cryptographic hashing services] in
accordance with a specified cryptographic algorithm [SHA-1, SHA-256, SHA-384, SHA-512]
and message digest sizes [160, 256, 384, 512] bits that meet the following: FIPS Pub 180-3,
“Secure Hash Standard.”
5.2.2.6 FCS_COP.1(4) Cryptographic Operation (for keyed-hash message authentication)
FCS_COP.1.1(4) Refinement: The TSF shall perform [keyed-hash message authentication] in
accordance with a specified cryptographic algorithm HMAC-[SHA-1], key size [160 bits], and
message digest sizes [160] bits that meet the following: FIPS Pub 198-1, “The Keyed-Hash
Message Authentication Code,” and FIPS Pub 180-3, “Secure Hash Standard.”
5.2.2.7 FCS_IPSEC_EXT.1 Explicit: IPSEC
FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as specified in RFC
4301.
FCS_IPSEC_EXT.1.2 The TSF shall implement [tunnel mode].