Cisco Cat4K NDPP ST
11 March 2014
EDCS-1228241
68
TOE SFRs
How the SFR is Met
The TOE implements a NIST-approved AES-CTR Deterministic
Random Bit Generator (DRBG), as specified in SP 800-90.
The entropy source used to seed the Deterministic Random Bit
Generator (e.g. based on SP 800-90A/B/C) is a random set of bits
or bytes that are regularly supplied to the DRBG from the internal
Quack (ACT) processor which produces a minimum of 256 bits
of entropy.
All RNG entropy source samplings are continuously health tested
by the NIST DRBG as per SP 900-90A before using them as a
seed. Though related to this, the tests are part of the FIPS
validation procedures for the DBRG and are part of the NIST
validations for FIPS 140-2 for the products. Any initialization or
system errors during bring-up or processing of this system causes
a reboot as necessary to be FIPS compliant. Finally, the system
will be zeroizing any entropy seeding bytes, which will not be
available after the current collection.
FCS_COMM_PRO
T_EXT.1
The TOE implements SSHv2 and IPsec either of which can be
used to protect communications for remote administration. IPsec
is also used to protect communications with external servers (e.g.,
syslog server, NTP and if configured an external authentication
server).
FCS_SSH_EXT.1
The TOE implements SSHv2 (telnet is disabled in the evaluated
configuration) in compliance with RFCs 4251, 4252, 4253, and
4254; using SSH RSA public key algorithm.
SSHv2 sessions are limited to a configurable session timeout
period of 120 seconds, a maximum number of failed
authentication attempts limited to 3, and will be rekeyed upon
request from the SSH client (no more than 2
28
packets). SSH
connections will be dropped if the TOE receives a packet larger
than 35,000 bytes.
The TOE’s implementation of SSHv2 supports hashing
algorithms hmac-sha1, hmac-sha1-96, hmac-md5-96.
The TOE can also be configured to use only one of the identified
DH groups for key exchange. The available groups include Diffie
Hellmen, group 14 (2048 bits) and group 16 (4096 bits).
The network traffic between the remote admin console and the
TOE establish and operate an encrypted session using AES in
CBC mode with key sizes 128 or 256 bits (FIPS 197) supporting
both public key-based and password-based authentication