Specifications
Cisco ISR-800 Security Target
51
TOE SFRs
How the SFR is Met
the buffer contents when connectivity to the syslog server is restored. This store is
separate from the local logging buffer, which could be set to a different level of
logging then what is to be sent via syslog.
Only Authorized Administrators are able to clear the local logs, and local audit
records are stored in a directory that does not allow administrators to modify the
contents.
FCS_CKM.1(1)
The TOE implements a random number generator for Diffie-Hellman and Elliptic
curve key establishment (conformant to NIST SP 800-56A), and for RSA key
establishment schemes (conformant to NIST SP 800-56B). The TOE complies
with section 5.6 and all subsections regarding asymmetric key pair generation and
key establishment in the NIST SP 800-56A. The TOE complies with section 6
and all subsections regarding RSA key pair generation and key establishment in
the NIST SP 800-56B. The TOE can create a RSA public-private key pair that can
be used to generate a Certificate Signing Request (CSR). Through use of Simple
Certificate Enrollment Protocol (SCEP), the TOE can: send the CSR to a
Certificate Authority (CA) for the CA to generate a certificate; and receive its
X.509v3 certificate from the CA. Integrity of the CSR and certificate during
transit are assured through use of digitally signatures (encrypting the hash of the
TOE’s public key contained in the CSR and certificate). The TOE can store and
distribute the certificate to external entities including Registration Authorities
(RA). The IOS Software supports embedded PKI client functions that provide
secure mechanisms for distributing, managing, and revoking certificates. In
addition, the IOS Software includes an embedded certificate server, allowing the
router to act as a certification authority on the network. The TOE can act as a
certification authority thus digitally signing and issuing certificates to both the
TOE and external entities. The TOE can also use the X.509v3 certificate for
securing IPsec and SSH sessions. The TOE provides cryptographic signature
services using ECDSA that meets FIPS 186-3, “Digital Signature Standard” with
NIST curves P-256 and P-384 and RSA that meets FIPS PUB 186-2 or FIPS 186-
3, “Digital Signature Standard”
FCS_CKM.1(2)
FCS_CKM_EXT.4
The TOE meets all requirements specified in FIPS 140-2 for destruction of keys
and Critical Security Parameters (CSPs) in that none of the symmetric keys, pre-
shared keys, or private keys are stored in plaintext form. See refer to
Table 18 for
more information on the key zeroization.
FCS_COP.1(1)
The TOE provides symmetric encryption and decryption capabilities using AES in
CBC and GCM mode (128 and 256 bits) as described in NIST SP 800-38A and
NIST SP 800-38D. Please see Table 5 for validation details. AES is implemented
in the following protocols: IPSEC and SSH.
FCS_COP.1(2)
The TOE provides cryptographic signature services using RSA Digital Signature
Algorithm with key size of 2048 and greater as specified in FIPS PUB 186-3,
“Digital Signature Standard” and FIPS PUB 186-2, “Digital Signature Standard”.
In addition, the TOE will provide cryptographic signature services using ECDSA
with key size of 256 or greater as specified in FIPS PUB 186-3, “Digital Signature
Standard”. The TOE provides cryptographic signature services using ECDSA that
meets FIPS 186-3, “Digital Signature Standard” with NIST curves P-256 and P-
384.
FCS_COP.1(3)
The TOE provides cryptographic hashing services using SHA-1, SHA-256, SHA-