
Cisco ISR-800 Security Target
7 ANNEX A: KEY ZEROIZATION
7.1 Key Zeroization
The following table describes the key zeroization referenced by FCS_CKM_EXT.4 provided by the TOE.
Table 19: TOE Key Zeroization
| Name | Description | Zeroization |
|---|---|---|
| Diffie-Hellman Shared Secret | The value is zeroized after it has been given back to the consuming operation. The value is overwritten by 0's. | Automatically after completion of DH exchange. Overwritten with: 0x00 |
| Diffie-Hellman private exponent | The function returns the value to the RP and then calls the function to perform the zeroization of the generated key pair (p_dh_kepair) and then calls the standard Linux free (without the poisoning). These values are automatically zeroized after generation and once the value has been provided back to the actual consumer. | Zeroized upon completion of DH exchange. Overwritten with: 0x00 |
| skeyid | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0's. | Automatically after IKE session terminated. Overwritten with: 0x00 |
| skeyid_d | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0's. | Automatically after IKE session terminated. Overwritten with: 0x00 |
| IKE session encrypt key | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0's. | Automatically after IKE session terminated. Overwritten with: 0x00 |
| IKE session authentication key | The function calls the operation ike_free_ike_sa_chunk, which performs the zeroization of the IKE structure. This structure contains all of the SA items, including the skeyid, skeyid_d, IKE Session Encryption Key and IKE Session Authentication Key. All values overwritten by 0's. | Automatically after IKE session terminated. Overwritten with: 0x00 |
| ISAKMP preshared | The function calls the free operation with the poisoning mechanism that overwrites the value with 0x0d. | Zeroized using the following command: `# no crypto isakmp key`. Overwritten with: 0x0d |
| IKE RSA Private Key | The operation uses the free operation with the poisoning mechanism that overwrites the value with 0x0d. (This function is used by the module when zeroizing bad key pairs from RSA key generations.) | Zeroized using the following command: `# crypto key zeroize rsa`. Overwritten with: 0x0d |
| IPsec encryption | The function zeroizes an _ike_flow structure that includes the | Automatically when IPsec |
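The table describes two zeroization behaviours: an explicit overwrite with 0x00 once a value has been returned to its consumer, and a "poisoned" free that overwrites with 0x0d before the memory is released. The following C program is an added illustration of both patterns and is not Cisco's code; the `dh_secret` structure, the fill constants and the function names are hypothetical, and the 32-byte secret and 16-byte preshared key it fills are constructed sample values. The point a reviewer of a key-zeroization claim cares about is that the overwrite actually reaches memory (a plain `memset()` immediately before `free()` may be removed by the compiler as a dead store), so the fill goes through a `volatile` pointer and a post-condition check confirms every byte holds the expected fill value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fill constants mirroring the two behaviours in the table:
 * plain zeroization (0x00) and the "poisoned" free (0x0d). */
#define ZEROIZE_FILL 0x00
#define POISON_FILL  0x0d

/* Overwrite len bytes at p with fill through a volatile pointer so the
 * compiler cannot treat the stores as dead and drop them, which it may do
 * with a plain memset() whose buffer is freed right afterwards. */
static void secure_fill(void *p, size_t len, uint8_t fill)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (len--) {
        *vp++ = fill;
    }
}

/* Post-condition check: returns 1 if every byte of buf equals expected,
 * else 0. This is the check a tester would run after a zeroization call. */
int all_bytes_equal(const uint8_t *buf, size_t len, uint8_t expected)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (buf[i] != expected) {
            return 0;
        }
    }
    return 1;
}

/* Hypothetical holder for a DH shared secret that must be zeroized once it
 * has been handed back to the consuming operation. */
struct dh_secret {
    uint8_t bytes[32];
    size_t  len;
};

/* Zeroize with 0x00 after use, as the table describes for the DH values. */
void dh_secret_zeroize(struct dh_secret *s)
{
    secure_fill(s->bytes, sizeof s->bytes, ZEROIZE_FILL);
    s->len = 0;
}

/* Poisoning step of a poisoned free: overwrite with 0x0d before the buffer
 * is released, as the table describes for the ISAKMP preshared key and the
 * IKE RSA private key. A caller-owned buffer is used here so the result can
 * still be inspected after the call. */
void poison_before_release(uint8_t *key, size_t len)
{
    secure_fill(key, len, POISON_FILL);
}

/* Demonstration on constructed sample values; returns 1 if both checks pass. */
int demo(void)
{
    struct dh_secret s;
    uint8_t psk[16];
    size_t i;

    /* Constructed (fake) secret material, not real key data. */
    for (i = 0; i < sizeof s.bytes; i++) {
        s.bytes[i] = (uint8_t)(0xa0 + i);
    }
    s.len = sizeof s.bytes;
    memset(psk, 0x5a, sizeof psk);

    dh_secret_zeroize(&s);
    poison_before_release(psk, sizeof psk);

    return all_bytes_equal(s.bytes, sizeof s.bytes, ZEROIZE_FILL)
        && all_bytes_equal(psk, sizeof psk, POISON_FILL)
        && s.len == 0;
}

int main(void)
{
    int ok = demo();
    printf("zeroization check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

When auditing a real implementation against a table like this one, the two things to verify are the fill value (0x00 versus the 0x0d poison pattern) and that the overwrite survives optimization; the `all_bytes_equal` check above is the simplest way to confirm the former on a freshly zeroized buffer, and inspecting the compiled object for the store loop confirms the latter.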