2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright
notice.
| Key | Key Type | Generation/Input | Output | Storage | Use |
|---|---|---|---|---|---|
| TLS / SSH [4] session key | AES CBC, GCM 128, 256 bit key; Triple-DES CBC keying option 1 | Internally generated using DRBG | Never exits the module | Stored in volatile memory | Encrypting SSH/TLS session data |
| TLS / SSH [5] session authentication keys | HMAC SHA-1, -256, -384, -512 | Internally generated | Never exits the module | Stored in volatile memory | Data authentication for SSH/TLS sessions |
| Backup password | Minimum of 8 characters | Entered over a secure remote session | Never exits the module | Stored in volatile memory | Derive backup object key |
| Backup object key | AES CBC 256 bit key | Derived from backup password using PBKDFv2 | Never exits the module | Stored in volatile memory | Encrypting backup data |
| PIN; or “master key password” | 1-16 characters | Keypad entry by Crypto Officer | Never exits the module | Stored in volatile memory | Used to derive KEK0 if USB is used. Used to derive KEK1 if USB is not used. |
| Integrity Test Public key | RSA 2048 bit key | Externally generated | Never exits the module | Plaintext on internal disk | Verifying the integrity of the system image during startup |
| Operator password | Minimum of 8 characters | Entered over a secure remote session | Never exits the module | Encrypted with associated object encryption key and stored on internal disk | Authenticating administrative access |

[4] SSH supports only AES CBC keys.
[5] SSH supports HMAC-SHA-1, -256 and -512 only. TLS does not support HMAC-SHA-512.