Catalyst 6509 Switch, Cisco 7606 Router, and Cisco 7609 Router with VPN Services Module Certification Note
OL-6334-01
Note
The MD-5, MD-5 HMAC, and MD-4 algorithms are disabled when operating in FIPS mode.
The module supports three types of key management schemes:
• A symmetric manual key exchange method. DES and 3DES keys and HMAC-SHA-1 keys are exchanged manually and entered electronically.
• The IKE method, with support for exchanging preshared keys manually and entering them electronically.
  – The preshared keys are used with the Diffie-Hellman key agreement technique to derive DES or 3DES keys.
  – The preshared key is also used to derive the HMAC-SHA-1 key.
• IKE with RSA signature authentication.
All preshared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the preshared keys. The crypto officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only, through the IKE protocol.
Key Zeroization
All of the keys and CSPs of the module can be zeroized. Refer to the description column of Table 3 for information on methods to zeroize each key and CSP.
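The following is an added illustration of the second key management scheme and of zeroization, written for this note; it is not Cisco IOS code and does not reproduce the module's implementation. It assumes a toy 31-bit Diffie-Hellman group (far too small for real use), constructed nonces and a constructed preshared key, and a PRF chain modelled on the IKEv1 preshared-key SKEYID construction from RFC 2409 in simplified form. Derived keys are held in mutable buffers so they can be overwritten in place, which is the point of the zeroization step.

```python
"""Added example: preshared key + Diffie-Hellman key derivation, then zeroization.

Illustrative code, not Cisco IOS. Both peers hold a manually entered preshared
key, agree a Diffie-Hellman secret, and derive a 3DES key and an HMAC-SHA-1 key
from the two. The PRF chain follows the shape of IKEv1's preshared-key SKEYID
derivation (RFC 2409) but is simplified; the DH group is a toy (assumption).
"""
import hashlib
import hmac
import secrets

P = 2**31 - 1  # toy prime (M31); real IKE groups use 1024-bit or larger MODP primes
G = 7          # primitive root modulo M31


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """g^xy mod p, computed from our private exponent and the peer's public value."""
    return pow(peer_pub, priv, P)


def prf(key, data):
    """HMAC-SHA-1 used as the IKE pseudo-random function."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_keys(psk, nonce_i, nonce_r, shared_secret):
    """Derive (3DES key, HMAC-SHA-1 key) as bytearrays so they can be zeroized.

    SKEYID   = prf(psk, Ni | Nr)         binds the preshared key
    SKEYID_d = prf(SKEYID, g^xy)         binds the DH secret
    KEYMAT   = K1 | K2 | K3, Ki = prf(SKEYID_d, K(i-1) | i)
    """
    gxy = shared_secret.to_bytes(4, "big")  # toy group values fit in 4 bytes
    skeyid = prf(psk, nonce_i + nonce_r)
    skeyid_d = prf(skeyid, gxy)
    keymat, prev = b"", b""
    for i in (1, 2, 3):
        prev = prf(skeyid_d, prev + bytes([i]))
        keymat += prev
    # 3DES: three 8-byte DES keys (a real implementation also sets DES parity bits
    # and rejects weak keys). HMAC-SHA-1 key: 20 bytes.
    return bytearray(keymat[:24]), bytearray(keymat[24:44])


def zeroize(buf):
    """Overwrite key material in place; returns True once every byte reads zero."""
    buf[:] = bytes(len(buf))
    return all(b == 0 for b in buf)


def establish_tunnel(psk, nonce_i=b"constructed-nonce-i", nonce_r=b"constructed-nonce-r"):
    """Run both sides of the exchange; return the initiator's keys if the peers agree."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    i_keys = derive_keys(psk, nonce_i, nonce_r, dh_shared_secret(i_priv, r_pub))
    r_keys = derive_keys(psk, nonce_i, nonce_r, dh_shared_secret(r_priv, i_pub))
    if i_keys != r_keys:
        raise ValueError("peers derived different keys")
    return i_keys


if __name__ == "__main__":
    enc_key, mac_key = establish_tunnel(b"constructed-preshared-key")
    print("3DES key:", enc_key.hex())
    print("HMAC-SHA-1 key:", mac_key.hex())
    zeroize(enc_key)
    zeroize(mac_key)
```

Two design points carry over to real modules: the preshared key enters the derivation only through the PRF, so it is never used directly as a session key, and the DH secret is per tunnel, which is why the derived keys are bound to that tunnel only. The zeroize step overwrites the buffers that hold the final keys; in a high-level language the immutable intermediate values (SKEYID, KEYMAT) cannot be reliably erased, which is one reason hardware and firmware modules do this work in memory they control.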
Self-Tests
To prevent any secure data from being released, it is important to test the cryptographic components of
a security module to ensure that all components are functioning correctly. The router or switch includes
an array of self-tests that are run during startup and periodically during operations. If any of the self-tests
fail, the router transitions into an error state. Within the error state, all secure data transmission is halted
and the router outputs status information indicating the failure.
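As an added illustration of the self-test behaviour described above (written for this note, not Cisco IOS code), the following models a power-up sequence in which each known answer test compares a primitive's output on a fixed input with a stored expected value, and any failure moves the module into an error state in which cryptographic services are refused. Only the standard-library primitives SHA-1 and HMAC-SHA-1 are exercised, using the published FIPS 180 and RFC 2202 vectors; the DES, TDES, AES and RSA tests in the list that follows fit the same pattern but are not implemented here. The firmware integrity test is modelled, as an assumption, as an HMAC-SHA-1 tag over a constructed image checked against a value stored at build time.

```python
"""Added example: power-up known answer tests (KATs) and the error state.

Illustrative code, not Cisco IOS. Each KAT runs a primitive on a fixed input and
compares the result with a stored answer; the firmware integrity check (modelled
here as an HMAC-SHA-1 tag, an assumption) runs first. The first failure puts the
module into ERROR, and services refuse to operate in that state.
"""
import hashlib
import hmac

# Constructed sample "firmware image" and integrity key for the example.
FIRMWARE_IMAGE = b"constructed-ios-image-v1"
INTEGRITY_KEY = b"example-integrity-key"
# Tag that a build process would store alongside the image (assumption).
FIRMWARE_TAG = hmac.new(INTEGRITY_KEY, FIRMWARE_IMAGE, hashlib.sha1).hexdigest()

# Known answer tests: (name, function under test, expected answer).
# SHA-1("abc") is the FIPS 180 example; the HMAC vector is RFC 2202 test case 1.
KATS = [
    ("SHA-1 KAT",
     lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("HMAC-SHA-1 KAT",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
]


class ModuleErrorState(Exception):
    """Raised when a cryptographic service is requested while in the error state."""


class CryptoModule:
    def __init__(self, firmware=FIRMWARE_IMAGE, firmware_tag=FIRMWARE_TAG):
        self.firmware = firmware
        self.firmware_tag = firmware_tag
        self.state = "POWER_UP"
        self.failures = []

    def firmware_integrity_test(self):
        """Recompute the image tag and compare it in constant time with the stored one."""
        tag = hmac.new(INTEGRITY_KEY, self.firmware, hashlib.sha1).hexdigest()
        return hmac.compare_digest(tag, self.firmware_tag)

    def run_power_up_tests(self):
        """Run the integrity test, then each KAT; enter ERROR on the first failure."""
        checks = [("Firmware integrity test", self.firmware_integrity_test, True)]
        checks += KATS
        for name, fn, expected in checks:
            if fn() != expected:
                self.failures.append(name)
                self.state = "ERROR"
                return self.state
        self.state = "OPERATIONAL"
        return self.state

    def can_transmit(self):
        """Secure data output is permitted only while operational."""
        return self.state == "OPERATIONAL"

    def hmac_tag(self, key, data):
        """A cryptographic service; refused outside the operational state."""
        if not self.can_transmit():
            raise ModuleErrorState("self-test failure: %s" % self.failures)
        return hmac.new(key, data, hashlib.sha1).hexdigest()


if __name__ == "__main__":
    good = CryptoModule()
    print("intact image:", good.run_power_up_tests())
    bad = CryptoModule(firmware=b"tampered-image")
    print("tampered image:", bad.run_power_up_tests(), bad.failures)
```

The stored answers are the property the test relies on: a KAT does not prove an algorithm is correct in general, only that this build still produces the published output for one input, which catches corrupted code, miscompiled tables or a swapped library. Running the integrity check first means a tampered image never gets as far as exercising its own (possibly altered) primitives.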
Cisco IOS Software Self-Tests
• Power-up tests
  – Firmware integrity test
  – RSA signature Known Answer Test (KAT) (both signature and verification)
  – DES KAT
  – TDES KAT
  – AES KAT
  – SHA-1 KAT