Specifications
Cisco ISR-800 Security Target
5.3.2.7 FCS_COP.1(4) Cryptographic Operation (for keyed-hash message authentication)
FCS_COP.1.1(4) Refinement: The TSF shall perform [keyed-hash message authentication] in
accordance with a specified cryptographic algorithm HMAC-[SHA-1, SHA-256, SHA-384,
SHA-512], key size [160], and message digest sizes [160, 256, 384, 512] bits that meet the
following: FIPS Pub 198-1, "The Keyed-Hash Message Authentication Code," and FIPS Pub 180-3,
"Secure Hash Standard."
5.3.2.8 FCS_IPSEC_EXT.1 Explicit: IPSEC
FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as defined by RFC 4301.
FCS_IPSEC_EXT.1.2 The TSF shall implement [tunnel mode, transport mode]
FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches
anything that is otherwise unmatched, and discards it.
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC
4303 using the cryptographic algorithms AES-GCM-128, AES-GCM-256 as specified in RFC
4106, [AES-CBC-128, AES-CBC-256 (both specified by RFC 3602) together with a Secure
Hash Algorithm (SHA)-based HMAC].
FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: [IKEv1 as defined in RFCs 2407,
2408, 2409, RFC 4109, [no other RFCs for extended sequence numbers] and [RFC 4868 for hash
functions]; IKEv2 as defined in RFCs 5996 (with mandatory support for NAT traversal as
specified in section 2.23) and [RFC 4868 for hash functions]].
FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [IKEv1, IKEv2]
protocol uses the cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC
6379 and [no other algorithms].
FCS_IPSEC_EXT.1.7 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main
mode.
FCS_IPSEC_EXT.1.8 The TSF shall ensure that [IKEv2 SA lifetimes can be configured by an
Administrator based on number of packets or length of time, where the time values can be
limited to: 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs, IKEv1 SA lifetimes can be
configured by an Administrator based on number of packets or length of time, where the time
values can be limited to: 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs].
FCS_IPSEC_EXT.1.9 The TSF shall generate the secret value x used in the IKE Diffie-Hellman
key exchange ("x" in g^x mod p) using the random bit generator specified in
FCS_RBG_EXT.1, and having a length of at least [320 (for DH Group 14), 256 (for DH Group
19), 256 (for DH Group 24), 384 (for DH Group 20), 424 (for DH Group 15), and 480 (bits for
DH Group 16)] bits.
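
The following Python example is added here and is not part of the Security Target or of Cisco's code. It checks a tunnel profile against FCS_IPSEC_EXT.1.3, 1.4 and 1.6 through 1.9; the profile dictionary, its field names, and the reading of the 24-hour and 8-hour values as upper bounds are assumptions.

```python
# Added example (not from the Security Target). The profile dict and its
# field names are hypothetical; the limits are the ones stated above.
MIN_DH_SECRET_BITS = {14: 320, 19: 256, 24: 256, 20: 384, 15: 424, 16: 480}
IKE_CIPHERS = {"AES-CBC-128", "AES-CBC-256"}
ESP_AEAD = {"AES-GCM-128", "AES-GCM-256"}
ESP_CBC = {"AES-CBC-128", "AES-CBC-256"}
HMACS = {"HMAC-SHA-1", "HMAC-SHA-256", "HMAC-SHA-384", "HMAC-SHA-512"}
# Assumption: the 24 h / 8 h values are treated as upper bounds.
MAX_LIFETIME_S = {"phase1": 24 * 3600, "phase2": 8 * 3600}

def audit_profile(p):
    """Return (requirement, detail) findings; an empty list means no deviation."""
    out = []
    spd = p["spd"]
    if not spd or spd[-1] != {"match": "any", "action": "discard"}:
        out.append(("FCS_IPSEC_EXT.1.3", "final SPD entry must match any and discard"))
    esp = p["esp_cipher"]
    if esp in ESP_CBC:
        # CBC gives no integrity, so a SHA-based HMAC must accompany it.
        if p.get("esp_integrity") not in HMACS:
            out.append(("FCS_IPSEC_EXT.1.4", f"{esp} without SHA-based HMAC"))
    elif esp not in ESP_AEAD:
        out.append(("FCS_IPSEC_EXT.1.4", f"ESP cipher {esp} not allowed"))
    if p["ike_cipher"] not in IKE_CIPHERS:
        out.append(("FCS_IPSEC_EXT.1.6", f"IKE cipher {p['ike_cipher']} not allowed"))
    if p["ike_version"] == 1 and p.get("phase1_mode") != "main":
        out.append(("FCS_IPSEC_EXT.1.7", "IKEv1 Phase 1 must use main mode"))
    for phase, limit in MAX_LIFETIME_S.items():
        if p[f"{phase}_lifetime_s"] > limit:
            out.append(("FCS_IPSEC_EXT.1.8", f"{phase} lifetime exceeds {limit} s"))
    need = MIN_DH_SECRET_BITS.get(p["dh_group"])
    if need is None:
        out.append(("FCS_IPSEC_EXT.1.9", f"DH group {p['dh_group']} not listed"))
    elif p["dh_secret_bits"] < need:
        out.append(("FCS_IPSEC_EXT.1.9", f"DH secret shorter than {need} bits"))
    return out

# Constructed sample profiles.
GOOD = {"ike_version": 2, "ike_cipher": "AES-CBC-256", "esp_cipher": "AES-GCM-256",
        "dh_group": 14, "dh_secret_bits": 320,
        "phase1_lifetime_s": 86400, "phase2_lifetime_s": 28800,
        "spd": [{"match": "192.0.2.0/24", "action": "protect"},
                {"match": "any", "action": "discard"}]}
BAD = {"ike_version": 1, "phase1_mode": "aggressive", "ike_cipher": "3DES-CBC",
       "esp_cipher": "AES-CBC-128", "esp_integrity": None,
       "dh_group": 14, "dh_secret_bits": 256,
       "phase1_lifetime_s": 86400, "phase2_lifetime_s": 86400,
       "spd": [{"match": "any", "action": "bypass"}]}
```

Calling audit_profile(GOOD) returns an empty list; audit_profile(BAD) returns one finding for each of the six requirements checked.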










