Manualshelf

Specifications

ManualsBrandsCisco ManualsComputer equipmentCISCO3825
21222324252627282930
© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
21
3. RSA digital signatures based authentication is used for IKE, with Diffie-Hellman Key
agreement technique to derive AES or Triple-DES keys.
4. RSA encrypted nonces based authentication is used for IKE, with Diffie-Hellman Key
agreement technique to derive AES or Triple-DES keys.
5. RSA key transport is used to derive the Triple-DES or AES keys during SSLv3.1/TLS
handshake.
The module supports commercially available Diffie-Hellman and RSA key transport for key
establishment.
All pre-shared keys are associated with the CO role that created the keys, and the CO role is
protected by a password. Therefore, the CO password is associated with all the pre-shared keys.
The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed
upon for individual tunnels are directly associated with that specific tunnel only via the IKE
protocol. RSA Public keys are entered into the modules using digital certificates which contain
relevant data such as the name of the public key's owner, which associates the key with the
correct entity. All other keys are associated with the user/role that entered them.
Key Zeroization:
Each key can be zeroized by sending the “no” command prior to the key function commands.
This will zeroize each key from the DRAM, the running configuration.
“Clear Crypto IPSec SA” will zeroize the IPSec Triple-DES/AES session key (which is derived
using the Diffie-Hellman key agreement technique) from the DRAM. This session key is only
available in the DRAM; therefore this command will completely zeroize this key. The following
command will zeroize the pre-shared keys from the DRAM:
no set session-key inbound ah spi hex-key-data
no set session-key outbound ah spi hex-key-data
no set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
no set session-key outbound esp spi cipher hex-key-data [authenticator hex-key-data]
no crypto isakmp key
The DRAM running configuration must be copied to the start-up configuration in NVRAM in
order to completely zeroize the keys.
The RSA keys are zeroized by issuing the CLI command “crypto key zeroize rsa".
All SSL/TLS session keys are zeroized automatically at the end of the SSL/TLS session.
The module supports the following keys and critical security parameters (CSPs).
Key/CSP
Name
Algorithm Description Storage
Location
Zeroization Method