2016 Symantec Corporation This document may be freely reproduced & distributed whole & intact including this copyright
notice.
SV3800, SV3800B, and SV3800B-20 Security Policy
| Key | Key Type | Generation/Input | Output | Storage | Use |
|---|---|---|---|---|---|
| SP 800-90A CTR_DRBG Seed | 48 bytes | Internally generated using entropy from NDRNG | Never exits the module | Plaintext in volatile memory | Seeding the FIPS approved DRBG |
| SP 800-90A CTR_DRBG key value | Internal state value | Internally generated | Never exits the module | Plaintext in volatile memory | FIPS approved DRBG internal state value |
| SP 800-90A CTR_DRBG V value | Internal state value | Internally generated | Never exits the module | Plaintext in volatile memory | FIPS approved DRBG internal state value |
| SNMP Privacy Key | AES CFB128 128 bit key | Derived internally | Exported in encrypted backup | Encrypted with associated object encryption key and stored on internal disk | Encrypting SNMPv3 packets |
| SNMP Authentication Key | HMAC-SHA-1 | Derived internally | Exported in encrypted backup | Encrypted with associated object encryption key and stored on internal disk | Authenticating SNMPv3 packets |
| Firmware update key | RSA 2048 bit key | Externally generated | Never exits the module | Plaintext on internal disk | Verifying the integrity of firmware updates |
During the bootstrap process, you may choose to have an AES-256 bit key (KEK1)
stored on a removable USB drive. If this option is chosen, KEK1 is encrypted with
an AES-256 bit key (KEK0) derived from the PIN before it is stored on the USB
drive. Whenever the device is power cycled or restarted, it requires this drive
to be plugged in and the PIN to be entered on the front panel keypad. Only with
both the USB drive and the correct PIN can the master keys be unlocked to gain
access to the secure store. If the option is not chosen, KEK1 is derived from the
PIN directly and no KEK0 is created.
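
The two unlock paths described above, sketched as an added example; this is not code from the SV3800 firmware or from Symantec. The policy states only that the keys are AES-256 and PIN-derived, so the PBKDF2 KDF, iteration count, salt, AES-GCM wrapping mode, blob layout and all function names here are assumptions.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Assumptions (not in the policy): PBKDF2-HMAC-SHA256 as the PIN KDF, this
// iteration count, and AES-256-GCM as the mode that encrypts KEK1 under KEK0.
const ITERATIONS = 100000;
const keyFromPin = (pin, salt) => pbkdf2Sync(pin, salt, ITERATIONS, 32, 'sha256');

// Bootstrap with the USB option: returns the blob written to the drive,
// laid out as nonce (12) || tag (16) || encrypted KEK1 (32).
function wrapKek1(pin, salt, kek1) {
  const kek0 = keyFromPin(pin, salt);
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', kek0, nonce);
  const ct = Buffer.concat([c.update(kek1), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Restart: recover KEK1. usbBlob === null models "option not chosen",
// where KEK1 is derived from the PIN directly and no KEK0 exists.
function unlockKek1(pin, salt, usbBlob) {
  const k = keyFromPin(pin, salt);
  if (usbBlob === null) return k;
  if (usbBlob.length !== 12 + 16 + 32) throw new Error('malformed USB blob');
  const d = createDecipheriv('aes-256-gcm', k, usbBlob.subarray(0, 12)); // k is KEK0
  d.setAuthTag(usbBlob.subarray(12, 28));
  // final() throws if the tag does not verify: wrong PIN or altered blob.
  return Buffer.concat([d.update(usbBlob.subarray(28)), d.final()]);
}

// Constructed sample values, for illustration only.
function demo() {
  const salt = Buffer.from('constructed-salt');
  const kek1 = randomBytes(32);
  const blob = wrapKek1('493817', salt, kek1);
  const ok = unlockKek1('493817', salt, blob).equals(kek1);
  let wrongPinRejected = false;
  try { unlockKek1('000000', salt, blob); } catch { wrongPinRejected = true; }
  // In this sketch a wrong PIN without the USB option is not an error: it just
  // derives a different key, so whatever KEK1 protects must detect the mismatch.
  const silent = !unlockKek1('000000', salt, null).equals(unlockKek1('493817', salt, null));
  return { ok, wrongPinRejected, silent };
}
console.log(demo());
```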