Cisco Aggregation Services Router (ASR) 901 Series Security Target
1 ANNEX A: KEY ZEROIZATION
1.1 Key Zeroization
The following table describes the key zeroization provided by the TOE, as referenced by FCS_CKM_EXT.4.
Table 20: TOE Key Zeroization

| Name | Description | Zeroization |
|---|---|---|
| Diffie-Hellman Shared Secret | The value is zeroized after it has been given back to the consuming operation. The value is overwritten by 0’s. This key is stored in DRAM. | Automatically after completion of DH exchange. Overwritten with: 0x00 |
| Diffie-Hellman private exponent | The function returns the value to the RP and then calls the function to perform the zeroization of the generated key pair (p_dh_kepair) and then calls the standard Linux free (without the poisoning). These values are automatically zeroized after generation and once the value has been provided back to the actual consumer. This key is stored in DRAM. | Zeroized upon completion of DH exchange. Overwritten with: 0x00 |
| skeyid | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0’s. This information and keys are stored in DRAM. | Automatically after IKE session terminated. Overwritten with: 0x00 |
| skeyid_d | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0’s. This information and keys are stored in DRAM. | Automatically after IKE session terminated. Overwritten with: 0x00 |
| IKE session encrypt key | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0’s. This key is stored in DRAM. | Automatically after IKE session terminated. Overwritten with: 0x00 |
| IKE session authentication key | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, | Automatically after IKE session terminated. Overwritten with: 0x00 |
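
The zeroize-then-free pattern the table describes for the IKE SA structure, shown as an added C example that is not taken from the Security Target or from Cisco's code; the struct layout, `KEY_LEN` and the names `zeroize`, `count_nonzero`, `sa_new_sample` and `sa_free` are hypothetical. The wipe goes through a volatile pointer because a plain `memset` placed immediately before `free` can be removed by an optimizing compiler as a dead store.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32 /* assumed size; field names below follow Table 20 */
struct ike_sa_keys {
    uint8_t skeyid[KEY_LEN], skeyid_d[KEY_LEN];
    uint8_t enc_key[KEY_LEN], auth_key[KEY_LEN];
};

/* Volatile stores keep the compiler from dropping the 0x00 wipe as dead writes. */
static void zeroize(void *p, size_t len) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (len--)
        *vp++ = 0x00;
}

/* Count bytes that are still non-zero (verification helper). */
static size_t count_nonzero(const void *p, size_t len) {
    const uint8_t *b = (const uint8_t *)p;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (b[i] != 0);
    return n;
}

/* Allocate an SA filled with constructed key material (0xA5). */
static struct ike_sa_keys *sa_new_sample(void) {
    struct ike_sa_keys *sa = malloc(sizeof *sa);
    return sa ? memset(sa, 0xA5, sizeof *sa) : NULL;
}

/* Zeroize the whole structure, free it, clear the caller's pointer. */
static int sa_free(struct ike_sa_keys **psa) {
    if (psa == NULL || *psa == NULL)
        return -1;
    zeroize(*psa, sizeof **psa);
    free(*psa);
    *psa = NULL;
    return 0;
}

int main(void) {
    struct ike_sa_keys *sa = sa_new_sample();
    if (sa == NULL) return 1;
    zeroize(sa, sizeof *sa);
    return (count_nonzero(sa, sizeof *sa) == 0 && sa_free(&sa) == 0) ? 0 : 1;
}
```

Where the platform provides one, `explicit_bzero` or C11 Annex K `memset_s` serves the same purpose as the volatile loop.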