© Copyright 2011 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
2.3.1 Authentication
The module provides password based and digital signature based authentication. Crypto Officers
are always authenticated using passwords whereas a User can be authenticated either via a
password or digital signature.
a. Password based Authentication
The security policy stipulates that all user passwords and shared secrets must be 8 alphanumeric
characters, so the password space is 2.8 trillion possible passwords. The possibility of randomly
guessing a password is thus far less than one in one million. To exceed a one in 100,000
probability of a successful random password guess in one minute, an attacker would have to be
capable of 28 million password attempts per minute, which far exceeds the operational
capabilities of the module to support.
b. Digital signature based Authentication
When using RSA based authentication, the RSA key pair has a modulus size of 1024 bit to 2048 bit,
thus providing between 80 bits and 112 bits of strength. Assuming the low end of that range, an
attacker would have a 1 in 2^80 chance of randomly obtaining the key, which is much stronger
than the one in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability
of a successful random key guess in one minute, an attacker would have to be capable of
approximately 1.8x10^21 attempts per minute, which far exceeds the operational capabilities of the
modules to support.
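The two FIPS 140-2 authentication-strength tests used in sections a and b above (a single random attempt must succeed with probability below one in 1,000,000, and one minute of attempts at the module's maximum rate must succeed with probability below one in 100,000) can be checked mechanically. The following is an added example, not part of the Cisco security policy; it assumes a 36-symbol alphabet (digits plus one case of letters) for the 8-character password, since 36^8 is the 2.8 trillion password space the policy quotes, and it takes the attempt rate a module can service as an input rather than a value taken from the page.

```python
from math import log2

# FIPS 140-2 thresholds as restated in the policy text:
# one random attempt must succeed with probability below 1 in 1,000,000,
# and one minute of attempts must succeed with probability below 1 in 100,000.
SINGLE_ATTEMPT_LIMIT = 1 / 1_000_000
PER_MINUTE_LIMIT = 1 / 100_000


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct fixed-length passwords over the given alphabet."""
    return alphabet_size ** length


def strength_bits(space: int) -> float:
    """Equivalent security strength of a uniformly chosen secret from `space`."""
    return log2(space)


def attempts_per_minute_to_exceed_limit(space: int) -> float:
    """Guess rate at which one minute of random guessing reaches 1 in 100,000.

    An attacker making n distinct random guesses per minute succeeds with
    probability n / space, so the limit is reached at n = space / 100,000.
    """
    return space / 100_000


def meets_fips_thresholds(space: int, max_attempts_per_minute: float) -> bool:
    """True when both thresholds hold for a module that can service at most
    `max_attempts_per_minute` authentication attempts per minute.

    `max_attempts_per_minute` is an assumed operational limit supplied by the
    caller; the policy only states that the module's real capacity is far
    below the rate an attacker would need.
    """
    single_attempt = 1 / space
    per_minute = min(1.0, max_attempts_per_minute / space)
    return single_attempt < SINGLE_ATTEMPT_LIMIT and per_minute < PER_MINUTE_LIMIT


if __name__ == "__main__":
    # Section a: 8 characters over an assumed 36-symbol alphabet.
    pw_space = password_space(36, 8)
    print(f"password space: {pw_space:,} (~{pw_space / 1e12:.1f} trillion)")
    print(f"guesses/minute needed to exceed 1 in 100,000: "
          f"{attempts_per_minute_to_exceed_limit(pw_space):,.0f}")
    # Assumed module capacity of 1,000 attempts/minute (constructed value).
    print("password mechanism compliant:", meets_fips_thresholds(pw_space, 1_000))

    # Section b: 80-bit strength at the 1024-bit RSA end of the range.
    rsa_space = 2 ** 80
    print(f"RSA strength: {strength_bits(rsa_space):.0f} bits")
    print("RSA mechanism compliant:", meets_fips_thresholds(rsa_space, 1_000_000))
```

Running the password case reproduces the policy's figures: a space of about 2.8 trillion and roughly 28 million guesses per minute to breach the per-minute limit. The same function shows why a short PIN-style secret fails the test even at a very low attempt rate: its space is already below one million, so the single-attempt condition cannot hold regardless of rate limiting.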
2.3.2 Services
a. User Services
Users can access the system via the console port with a terminal program or SSH session to an
Ethernet port. The IOS prompts the User for username and password. If the password is correct,
the User is allowed entry to the IOS executive program. In addition to username/password
combination, RSA digital certificates can be used to authenticate the user over the SSH session.
The services available to the User role consist of the following:
Services & Access | Description | Keys & CSPs
Status Functions (r, x) | View state of interfaces and protocols, version of IOS currently running. | User password
Network | Connect to other network devices | DRBG seed, DRBG V, DH