Manualshelf

Specifications

ManualsBrandsCisco ManualsNetworkingCISCO881W-GN-A-K9
31323334353637383940
Cisco ISR-800 Security Target
38
FCS_IPSEC_EXT.1.10 The TSF shall generate nonces used in IKE exchanges in a manner such
that the probability that a specific nonce value will be repeated during the life a specific IPsec
SA is less than 1 in 2^ [128].
FCS_IPSEC_EXT.1.11 The TSF shall ensure that all IKE protocols implement DH Groups 14
(2048-bit MODP), 19 (256-bit Random ECP), and [24 (2048-bit MODP with 256-bit POS), 20
(384-bit Random ECP), [15 (3072 bit MODP), and 16 (4096-bit MODP)]].
FCS_IPSEC_EXT.1.12 The TSF shall ensure that all IKE protocols perform peer authentication
using a [RSA, ECDSA] that use X.509v3 certificates that conform to RFC 4945 and [Pre-shared
Keys].
FCS_IPSEC_EXT.1.13 The TSF shall be able to ensure by default that the strength of the
symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [IKEv1
Phase 1, IKEv2 IKE_SA] connection is greater than or equal to the strength of the symmetric
algorithm (in terms of the number of bits in the key) negotiated to protect the [IKEv1 Phase 2,
IKEv2 CHILD_SA] connection.
5.3.2.9 FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in
accordance with [NIST Special Publication 800-90 using CTR_DRBG (AES)] seeded by an
entropy source that accumulated entropy from a TSF-hardware based noise source, and [no other
noise source].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of [256 bits] of
entropy at least equal to the greatest security strength of the keys and hashes that it will generate.
5.3.2.10 FCS_SSH_EXT.1 Explicit: SSH
FCS_SSH_EXT.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251,
4252, 4253, 4254, and [no other RFCs
].
FCS_SSH_EXT.1.2 The TSF shall ensure that the SSH protocol implementation supports the
following authentication methods as described in RFC 4252: public key-based, password-based.
FCS_SSH_EXT.1.3 The TSF shall ensure that, as described in RFC 4253, packets greater than
[35000] bytes in an SSH transport connection are dropped.
FCS_SSH_EXT.1.4 The TSF shall ensure that the SSH transport implementation uses the
following encryption algorithms: AES-CBC-128, AES-CBC-256, [no other algorithms].
FCS_SSH_EXT.1.5 The TSF shall ensure that the SSH transport implementation uses
[SSH_RSA] and [no other public key algorithms] as its public key algorithm(s).