Cisco 1841 Integrated Services Router with AIM-VPN/BPII-Plus and Cisco 2801 Integrated Services Router with AIM-VPN/EPII-Plus
OL-8719-01
Cisco 1841 and Cisco 2801 Routers
All pre-shared keys are associated with the CO role that created them, and the CO role is protected
by a password; therefore the CO password is associated with all pre-shared keys. The Crypto
Officer must be authenticated before keys can be stored. All Diffie-Hellman (DH) keys agreed upon for
individual tunnels are associated only with that specific tunnel, via the IKE protocol.
Key Zeroization:
Each key can be zeroized by issuing the "no" form of the command that configured it. This removes
the key from DRAM, that is, from the running configuration.
"clear crypto ipsec sa" zeroizes the IPsec DES/3DES/AES session key (which is derived using the
Diffie-Hellman key agreement technique) from DRAM. This session key exists only in DRAM, so the
command zeroizes it completely. The following commands zeroize manually configured IPsec session
keys (crypto map "set session-key" entries) from DRAM:
• no set session-key inbound ah spi hex-key-data
• no set session-key outbound ah spi hex-key-data
• no set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
• no set session-key outbound esp spi cipher hex-key-data [authenticator hex-key-data]
The DRAM running configuration must then be copied to the startup configuration in NVRAM
("copy running-config startup-config"); otherwise the keys remain in NVRAM and are not completely
zeroized.
The following commands zeroize the pre-shared keys from DRAM:
• no crypto isakmp key key-string address peer-address
• no crypto isakmp key key-string hostname peer-hostname
The DRAM running configuration must then be copied to the startup configuration in NVRAM
("copy running-config startup-config"); otherwise the keys remain in NVRAM and are not completely
zeroized.
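The caveat above (removing a key with the "no" form clears DRAM only, and NVRAM keeps a copy until the running configuration is saved) is easy to get wrong. The following script is an added example, not part of the Cisco security policy, that audits a running configuration and a startup configuration for pre-shared keys ("crypto isakmp key") and manual IPsec session keys ("set session-key") and reports whether zeroization is complete. The two configurations, the hostnames, addresses and key strings are constructed sample data; the function and variable names are the author's own.

```python
import re
from typing import Dict, List

# Constructed sample configurations (illustrative only, not from the
# security policy). RUNNING_CONFIG is the DRAM state after the operator
# issued "no crypto isakmp key ..." and "no set session-key ...";
# STARTUP_CONFIG is the NVRAM copy that was never refreshed with
# "copy running-config startup-config".
RUNNING_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto map FIPSMAP 10 ipsec-manual
 set peer 192.0.2.10
 set transform-set ESP-AES-SHA
 match address 101
"""

STARTUP_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 192.0.2.10
crypto isakmp key branchkey hostname branch.example.net
!
crypto map FIPSMAP 10 ipsec-manual
 set peer 192.0.2.10
 set transform-set ESP-AES-SHA
 set session-key inbound esp 1000 cipher 00112233445566778899aabbccddeeff authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1001 cipher ffeeddccbbaa99887766554433221100 authenticator fedcba9876543210fedcba9876543210fedcba98
 match address 101
"""

# The two command families the policy's "no" commands remove. Group 1 of
# PRE_SHARED_KEY is the key-string; it is masked and never echoed.
PRE_SHARED_KEY = re.compile(
    r"^\s*crypto isakmp key\s+(?:[067]\s+)?(\S+)\s+(?:address|hostname)\s+(\S+)")
MANUAL_SESSION_KEY = re.compile(
    r"^\s*set session-key\s+(?:inbound|outbound)\s+(?:ah|esp)\s+\d+\s+(?:cipher\s+)?[0-9A-Fa-f]+")
HEX_RUN = re.compile(r"\b[0-9A-Fa-f]{16,}\b")  # hex-key-data tokens


def find_key_lines(config: str) -> List[Dict[str, object]]:
    """Return each config line that still carries a pre-shared key or a
    manually configured IPsec session key, with the key material masked
    so the audit report itself does not leak the CSP."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = PRE_SHARED_KEY.match(line)
        if m:
            kind = "pre-shared key"
            masked = line[:m.start(1)] + "<masked>" + line[m.end(1):]
        elif MANUAL_SESSION_KEY.match(line):
            kind = "manual IPsec session key"
            masked = HEX_RUN.sub("<masked>", line)
        else:
            continue
        findings.append({"line": lineno, "kind": kind, "text": masked.strip()})
    return findings


def audit_zeroization(running: str, startup: str) -> Dict[str, object]:
    """Apply the policy's rule: a key counts as zeroized only when it is
    absent from DRAM (running-config) and from NVRAM (startup-config)."""
    in_running = find_key_lines(running)
    in_startup = find_key_lines(startup)
    return {
        "running": in_running,
        "startup": in_startup,
        # Keys gone from DRAM but still in NVRAM: the operator forgot to save.
        "needs_write": not in_running and bool(in_startup),
        "zeroized": not in_running and not in_startup,
    }


if __name__ == "__main__":
    report = audit_zeroization(RUNNING_CONFIG, STARTUP_CONFIG)
    for where in ("running", "startup"):
        for f in report[where]:
            print(f"{where}-config line {f['line']}: {f['kind']}: {f['text']}")
    if report["needs_write"]:
        print("NOT zeroized: issue 'copy running-config startup-config'")
    print("zeroized:", report["zeroized"])
```

Running the script against the sample data reports four keys remaining in the startup configuration and flags the missing save; auditing the running configuration against itself (the state after the copy) reports complete zeroization.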
The module supports the following keys and critical security parameters (CSPs).
Table 8  Cryptographic Keys and CSPs

Name: PRNG Seed
Algorithm: X9.31
Description: Seed for the X9.31 PRNG. It is stored in DRAM and is replaced after every 400 bytes of
PRNG output, when the PRNG is reseeded with router-derived entropy; it is therefore zeroized
periodically. The operator can also power off the router to zeroize this CSP.
Storage: DRAM (plaintext)
Zeroization method: Automatically every 400 bytes, or power off the router.

Name: Diffie-Hellman private exponent
Algorithm: DH
Description: The private exponent used in the Diffie-Hellman (DH) exchange. Zeroized after the DH
shared secret has been generated.
Storage: DRAM (plaintext)
Zeroization method: Automatically after the shared secret is generated.

Name: Diffie-Hellman public key
Algorithm: DH
Description: The public key used in the Diffie-Hellman (DH) exchange. Zeroized after the DH shared
secret has been generated.
Storage: DRAM (plaintext)
Zeroization method: Automatically after the shared secret is generated.

Name: skeyid
Algorithm: Keyed SHA-1
Description: Value derived from the shared secret within the IKE exchange. Zeroized when the IKE
session is terminated.
Storage: DRAM (plaintext)
Zeroization method: Automatically after the IKE session is terminated.

Name: skeyid_d
Algorithm: Keyed SHA-1
Description: The IKE key derivation key for non-ISAKMP security associations.
Storage: DRAM (plaintext)
Zeroization method: Automatically after the IKE session is terminated.