Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus
OL-8719-01
Cisco 1841 and Cisco 2801 Routers
  – DES (for legacy use only - transitional phase only – valid until May 19th, 2007)
  – 3DES
  – SHA-1 hashing
  – HMAC-SHA-1
  – X9.31 PRNG
• Onboard FPGA implementations
  – AES
  – DES (for legacy use only - transitional phase only – valid until May 19th, 2007)
  – 3DES
  – SHA-1 hashing
  – HMAC-SHA-1
• AIM module implementations
  – AES
  – DES (for legacy use only - transitional phase only – valid until May 19th, 2007)
  – 3DES
  – SHA-1 hashing
  – HMAC-SHA-1
The routers also support the following algorithms, which are not FIPS 140-2 approved: MD5, MD5-HMAC, and DH.
The router is in the approved mode of operation only when FIPS 140-2 approved algorithms are used (except DH, which is allowed in the approved mode for key establishment despite being non-approved).
Note: The module supports DH key sizes of 1024 and 1536 bits. Therefore, DH provides 80 and 96 bits of encryption strength, respectively, per NIST SP 800-57.
The following are not FIPS 140-2 approved algorithms: RC4, MD5, HMAC-MD5, RSA and DH; however, as noted above, DH is allowed for use in key establishment.
The module contains a HiFn 7814-W cryptographic accelerator chip, integrated in the AIM card. Unless the AIM card is disabled by the Crypto Officer with the “no crypto engine aim” command, the HiFn 7814-W provides AES (128-bit, 192-bit, and 256-bit), DES (56-bit) (for legacy use only - transitional phase only – valid until May 19th, 2007), and 3DES (168-bit) encryption; MD5 and SHA-1 hashing; and hardware support for DH, RSA encryption, and RSA public key signature/verification. However, all RSA operations are prohibited by policy.
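The approved-mode rules stated above (approved algorithms, the DES transitional cut-off date, DH permitted only for key establishment, RSA prohibited by policy, and the 1024/1536-bit DH strengths) can be checked mechanically against an IKE/IPsec proposal. The following is an added example written for this page, not Cisco code or part of the Security Policy; the proposal dictionary layout and the algorithm names are assumptions chosen for illustration.

```python
from datetime import date

# Algorithm status exactly as this Security Policy states it (constructed table, not Cisco's code).
FIPS_APPROVED = {"aes", "3des", "sha-1", "hmac-sha-1", "x9.31 prng"}
DES_SUNSET = date(2007, 5, 19)            # DES is legacy/transitional only, valid until this date
DH_STRENGTH_BITS = {1024: 80, 1536: 96}   # DH sizes the module supports; strength per NIST SP 800-57

def algorithm_status(name, when, purpose):
    """Return (allowed, reason) for using `name` for `purpose` on date `when` in approved mode."""
    n = name.lower()
    if n in FIPS_APPROVED:
        return True, "FIPS 140-2 approved"
    if n == "des":
        if when <= DES_SUNSET:
            return True, "legacy DES, transitional phase until %s" % DES_SUNSET
        return False, "DES transitional phase ended %s" % DES_SUNSET
    if n == "dh":
        if purpose == "key-establishment":
            return True, "non-approved, but allowed for key establishment"
        return False, "DH is allowed only for key establishment"
    if n == "rsa":
        return False, "all RSA operations are prohibited by policy"
    return False, "not FIPS 140-2 approved"   # e.g. MD5, HMAC-MD5, RC4

def check_proposal(proposal, when_iso):
    """Evaluate one proposal (assumed dict: encryption, hash, dh_bits, optional authentication)
    and report whether it keeps the module in the approved mode on the given ISO date."""
    when = date.fromisoformat(when_iso)
    problems = []
    for role, purpose in (("encryption", "encryption"), ("hash", "integrity"),
                          ("authentication", "authentication")):
        alg = proposal.get(role)
        if alg is None or alg.lower() == "pre-shared":   # pre-shared keys are entered electronically
            continue
        ok, why = algorithm_status(alg, when, purpose)
        if not ok:
            problems.append("%s %s: %s" % (role, alg, why))
    bits = proposal.get("dh_bits")   # DH itself is the allowed key-establishment use; check its size
    if bits not in DH_STRENGTH_BITS:
        problems.append("dh_bits %r: module supports only %s" % (bits, sorted(DH_STRENGTH_BITS)))
    return {"approved_mode": not problems,
            "dh_strength_bits": DH_STRENGTH_BITS.get(bits),
            "problems": problems}

if __name__ == "__main__":
    print(check_proposal({"encryption": "AES", "hash": "HMAC-SHA-1", "dh_bits": 1536}, "2007-01-15"))
    print(check_proposal({"encryption": "DES", "hash": "HMAC-MD5", "dh_bits": 1024,
                          "authentication": "RSA"}, "2007-06-01"))
```

The second sample proposal fails three ways at once (DES past its transitional date, HMAC-MD5 non-approved, RSA prohibited), which is the kind of configuration a Crypto Officer has to rule out before claiming approved-mode operation.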
The module supports two types of key management schemes:
• Pre-shared key exchange via electronic key entry. DES/3DES/AES key and HMAC-SHA-1 key are exchanged and entered electronically.
• Internet Key Exchange method with support for pre-shared keys exchanged and entered electronically.
  – The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive DES, 3DES or AES keys.
  – The pre-shared key is also used to derive the HMAC-SHA-1 key.
The module supports the commercially available Diffie-Hellman method of key establishment. See
Document 7A, Cisco IOS Reference Guide.