Reference Guide
26
Authentication
Mechanism
Mechanism Strength
RSA Certificate
based authentication
(CO role)
The module supports 2048-bit RSA keys. RSA 2048 bit keys correspond to
112 bits of security. Assuming the low end of that range, the associated
probability of a successful random attempt is 1 in 2^112, which is less than 1
in 1,000,000 required by FIPS 140-2.
ECDSA-based
authentication
(IKEv2)
ECDSA signing and verification is used to authenticate to the module during
IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides
128 bits of equivalent security, and P-384 provides 192 bits of equivalent
security. Assuming the low end of that range, the associated probability of a
successful random attempt is 1 in 2^128, which is less than 1 in 1,000,000
required by FIPS 140-2.
4.2 Services
The module provides various services depending on role. These are described below.
4.2.1 Crypto Officer Services
The CO role in each of FIPS modes defined in section 3.3 has the same services.
Table 10 - Crypto Officer Services
Service Description CSPs Accessed (see section 6
below for complete description of
CSPs)
FIPS mode enable/disable The CO selects/de-selects FIPS
mode as a configuration option.
None.
Key Management The CO can configure/modify the
IKEv1/IKEv2 shared secret (The
RSA private key is protected by
non-volatile memory and cannot
be modified) and the WPA2 PSK
(used in advanced Remote AP
configuration). Also, the CO/User
implicitly uses the KEK to
read/write configuration to non-
volatile memory.
1 (read)
14, 23, 24, 25 (read/write)
Remotely reboot module The CO can remotely trigger a
reboot
1 (read)
Self-test triggered by CO/User
reboot
The CO can trigger a
programmatic reset leading to
self-test and initialization
1, 32 (read)
Update module firmware The CO can trigger a module
firmware update
32 (read)
Configure non-security related
module parameters
CO can configure various
operational parameters that do not
relate to security
None.