Specifications
Cisco Aggregation Services Router (ASR) 900 Series Security Target
Page 42 of 52
TOE SFRs
How the SFR is Met
discovers it can no longer communicate with its configured syslog server, and will
transmit the buffer contents when connectivity to the syslog server is restored.
This buffer store is separate from the local logging buffer, which could be set to a
different level of logging then what is to be sent via syslog.
Only Authorized Administrators are able to clear the local logs, and local audit
records are stored in a directory that does not allow administrators to modify the
contents.
FCS_CKM.1
The TOE implements a random number generator for RSA key establishment
schemes (conformant to NIST SP 800-56B).
The TOE can create a RSA public-private key pair that can be used to generate a
Certificate Signing Request (CSR). Through use of Simple Certificate Enrollment
Protocol (SCEP), the TOE can: send the CSR to a Certificate Authority (CA) for the
CA to generate a certificate; and receive its certificate from the CA. Integrity of the
CSR and certificate during transit are assured through use of digitally signatures
(encrypting the hash of the TOE’s public key contained in the CSR and
certificate). The TOE can store and distribute the certificate to external entities
including Registration Authorities (RA).
The key pair generation portions of “The RSA Validation System” for FIPS 186-2
were used as a guide in testing the FCS_CKM.1 during the FIPS validation.
FCS_CKM_EXT.4
The TOE meets all requirements specified in FIPS 140-2 for destruction of keys
and Critical Security Parameters (CSPs) in that none of the symmetric keys, pre-
shared keys, or private keys are stored in plaintext form. See 1.1 Key Zeroization
for more information on the key zeroization.
FCS_COP.1(1)
The TOE provides symmetric encryption and decryption capabilities using AES in
CBC mode (128, 256 bits) as described in NIST SP 800-38A and NIST SP 800-
38D. AES is implemented in the following protocols: IPSEC and SSH. The
relevant FIPS certificate numbers are listed in Section 1.6.2
FCS_COP.1(2)
The TOE provides cryptographic signature services using RSA Digital Signature
Algorithm with key size of 2048 and greater as specified in FIPS PUB 186-3,
“Digital Signature Standard” and FIPS PUB 186-3, “Digital Signature Standard”.
The relevant FIPS certificate numbers are listed in Section 1.6.2
FCS_COP.1(3)
The TOE provides cryptographic hashing services using SHA-1, SHA-256, SHA-
384, and SHA-512 as specified in FIPS Pub 180-3 “Secure Hash Standard.” For
IKE (ISAKMP) hashing, administrators can select any of SHA-1, SHA-256,
SHA-384, and/or SHA-512 (with message digest sizes of 160, 256, 384, and 512
bits respectively) to be used with remote IPsec endpoints. Both SHA-1 and SHA-
256 hashing are used for verification of software image integrity. The relevant
FIPS certificate numbers are listed in Section 1.6.2
FCS_COP.1(4)
The TOE provides keyed-hashing message authentication services using HMAC-
SHA-1 as specified in FIPS Pub 198-1, "The Keyed-Hash Message Authentication
Code,” and FIPS 180-3, “Secure Hash Standard.”
FCS_IPSEC_EXT.1
The TOE implements IPsec to provide authentication and encryption services to
prevent unauthorized viewing or modification of data as it travels over the
external network. The TOE implementation of the IPsec standard (in accordance
with the RFCs noted in the SFR) uses the Encapsulating Security Payload (ESP)
protocol in tunnel mode to provide authentication, encryption and anti-replay