manualshive.com logo in svg

Hewlett Packard Enterprise Aruba 7 Series, Руководство пользователя, Страница: 28 / 44

Поделиться
Скачать
Hewlett Packard Enterprise Aruba 7 Series Скачать руководство пользователя страница 28

 

Table 6 CSPs/Keys Used in the module   

34 

SNMPv3 session key 

AES-CFB key (128 
bits) 

This key is derived via 
a key derivation 
function defined in 
SP800-135 KDF 
(SNMPv3). Used for 
SNMPv3 traffics 
protection. 

Stored in SDRAM 
memory (plaintext). 

Zeroized by rebooting 
the module 

802.11i 

35 

802.11i Pre-Shared 
Key (PSK) 

Shared secret  
(8-63 characters)  

Entered by CO role. 
Used for 802.11i 
client/server 
authentication 

Stored in Flash 
memory encrypted 
with KEK.  

Zeroized by using 
command ‘write erase 
all’ or  by overwriting 
with a new secret 

36 

802.11i Pair-Wise 
Master key (PMK) 

Shared secret  
(256 bits) 

The PMK is transferred 
to the module, 
protected by IPSec 
secure tunnel. Used to 
derive the Pairwise 
Transient Key (PTK) 
for 802.11i 
communications. 

Stored in SDRAM 
(plaintext).  

Zeroized by rebooting 
the module 

37 

802.11i Pairwise 
Transient Key (PTK)  

Shared secret  
(512 bits)   

This key is used to 
derive 802.11i session 
key by using the KDF 
defined in SP800-108. 

Stored in SDRAM 
memory (plaintext)  

Zeroized by rebooting 
the module 

38 

802.11i session key 

AES-CCM   
(128 bits) 

Derived during 802.11i 
4-way handshake by 
using the KDF defined 
in SP800-108. 

Stored in SDRAM 
memory (plaintext). 

Zeroized by rebooting 
the module 

 

Note: Key size of DH Group 1 (768 bits) and Group 2 (1024 bits) are not allowed in FIPS mode. 

 

Self-Tests

 

The module performs Power On Self-Tests regardless the modes (non-FIPS mode and FIPS mode). In 
addition, the module also performs Conditional tests after being configured into the FIPS mode.  In the 
event any self-test fails, the module will enter an error state, log the error, and reboot automatically. 

 

 

 

 

 

28

|

 

Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy

 

 

Содержание Aruba 7 Series

Страница 1: ...Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware Non Proprietary Security Policy FIPS 140 2 Level 2 Version 1 17 June 2016 Aruba 7200 Series Controllers FIPS 140 2 Level 2 Security Policy...

Страница 2: ...forms and software by all individuals or corporations to terminate other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and i...

Страница 3: ...ation Mechanisms 18 Unauthenticated Services 19 Non Approved Services 19 Cryptographic Key Management 19 Implemented Algorithms 19 Critical Security Parameters 22 Alternating Bypass State 30 Installin...

Страница 4: ...ting Up Your Controller 43 Enabling FIPS Mode 43 Enabling FIPS Mode with the WebUI 43 Enabling FIPS Mode with the CLI 43 Disabling the LCD 44 Disallowed FIPS Mode Configurations 44 4 Aruba 7XXX Series...

Страница 5: ...les details the U S Government requirements for cryptographic modules More information about the FIPS 140 2 standard and validation program is available on the National Institute of Standards and Tech...

Страница 6: ...ctions IPv4 and IPv6 services the Aruba Policy Enforcement Firewall with AppRF Technology Aruba Adaptive Radio Management and Aruba RFprotect spectrum analysis and wireless intrusion protection The Ar...

Страница 7: ...graphic boundary of the module The cryptographic boundary is defined as encompassing the top front left right rear and bottom surfaces of the chassis Figure 1 The Aruba 7005 controller Figure 1 shows...

Страница 8: ...actor Pluggable SFP Uplink ports Two Type A USB ports LINK ACT and Status LEDs Management Status LED LCD Panel Navigation Buttons Functionally disabled in FIPS mode Console Connections RJ 45 and Mini...

Страница 9: ...ns RJ 45 and Mini USB Disabled in FIPS mode by TELs Figure 4 The Aruba 7030 controller chassis Figure 4 shows the front of the Aruba 7030 Controller and illustrates the following Eight 10 100 1000 Eth...

Страница 10: ...tatus LED LCD Panel Navigation Buttons Functionally disabled in FIPS mode Console Connections RJ 45 and Mini USB Disabled in FIPS mode by TELs Intended Level of Security The 7XXX Controller and associ...

Страница 11: ...ident Labels TELs to allow the detection of the opening of the chassis cover and to block the Serial console port To protect the Aruba 7XXX Controller from any tampering with the product TELs should b...

Страница 12: ...ing functionality of the modules Control input consists of manual control inputs for power and reset through the power and reset switch It also consists of all of the data that is entered into the con...

Страница 13: ...PS mode the serial port is disabled Web Interface The Crypto Officer can use the Web Interface as an alternative to the CLI The Web Interface provides a highly intuitive graphical interface for a comp...

Страница 14: ...guration data 32 33 read 34 delete Configuring Module Platform Define the platform subsystem firmware of the module by entering Bootrom Monitor Mode File System fault report message logging and other...

Страница 15: ...atus of certificates commands and configuration 15 16 17 18 write delete HTTPS over TLS Secure browser connection over Transport Layer Security acting as a Crypto Officer service web management interf...

Страница 16: ...ith APs using IPSec and issue self signed certificates to APs Commands and configuration data IKEv1 IKEv2 inputs and data IPSec inputs commands and data Status of commands IKEv1 IKEv2 outputs status a...

Страница 17: ...ata 29 30 31 delete EAP TLS termination Provide EAP TLS termination EAP TLS inputs commands and data EAP TLS outputs status and data 29 30 31 read delete 802 11i Shared Key Mode Access the module s 80...

Страница 18: ...32 x 52 251 595 800 Therefore the associated probability of a successful random attempt during a one minute period is approximate 1 in 251 596 800 which is less than 1 in 100 000 required by FIPS 140...

Страница 19: ...024 bit moduli DES HMAC MD5 and MD5 SSHv1 using RC4 Please note that all CSPs will be zeroized automatically when switching from FIPS mode to non FIPS mode or from non FIPS mode to FIPS mode Cryptogra...

Страница 20: ...g FIPS Approved Algorithms o AES Cert 2884 o SP800 135rev1 KDF CVL Cert 314 1 o ECDSA Cert 519 o HMAC Cert 1818 o RSA Cert 1518 o SHS Cert 2425 o Triple DES Cert 1720 ArubaOS UBOOT Bootloader library...

Страница 21: ...ss than 112 bits of encryption strength HMAC MD5 MD5 RC4 NOTE IKEv1 IKEv2 TLS SSH and SNMP protocols have not been reviewed or tested by the CAVP and CMVP Aruba 7XXX Series Controllers FIPS 140 2 Leve...

Страница 22: ...ed Stored in SDRAM memory plaintext Zeroized by rebooting the module 3 DRBG seed SP 800 90a CTR_DRBG 384 bits Input to the DRBG that determines the internal state of the DRBG Generated using DRBG deri...

Страница 23: ...red in SDRAM memory plaintext Zeroized by rebooting the module 9 EC Diffie Hellman private key EC Diffie Hellman Curves P 256 or P 384 Generated internally by calling FIPS approved DRBG cert 528 durin...

Страница 24: ...ate key This key is generated by calling FIPS approved DRBG cert 528 in the module Used for IKEv1 IKEv2 TLS OCSP signing OCSP messages and EAP TLS peers authentication Stored in Flash memory plaintext...

Страница 25: ...to IKE peers It was established via key derivation function defined in SP800 135 KDF IKEv1 Used for deriving other keys in IKE protocol implementation Stored in SDRAM memory plaintext Zeroized by rebo...

Страница 26: ...tion keys Triple DES 192 bits AES and AES GCM 128 192 256 bits The IPsec IKE phase II encryption key This key is derived via a key derivation function defined in SP800 135 KDF IKEv1 IKEv2 Used for IPS...

Страница 27: ...aintext Zeroized by rebooting the module 31 TLS session authentication key HMAC SHA 1 256 384 160 256 384 bits This key is derived via a key derivation function defined in SP800 135 KDF TLS Used for T...

Страница 28: ...s Stored in SDRAM plaintext Zeroized by rebooting the module 37 802 11i Pairwise Transient Key PTK Shared secret 512 bits This key is used to derive 802 11i session key by using the KDF defined in SP8...

Страница 29: ...HMAC SHA512 KAT o RSA sign KAT o RSA verify KAT o ECDSA Pairwise Consistency Test ArubaOS Uboot BootLoader library Firmware o Firmware Integrity Test RSA PKCS 1 v1 5 2048 bits signature verification...

Страница 30: ...dated AES256 HMAC SHA1 hash failed AES256 Encrypt failed AES256 Decrypt Failed 3DES HMAC SHA1 hash failed 3DES Encrypt failed 3DES Decrypt Failed DES HMAC SHA1 hash failed DES Encrypt failed DES Decry...

Страница 31: ...onent even when the power supplies have been turned off unplugged or removed Main power is fully disconnected from the controller only by unplugging all power cords from their power outlets For safety...

Страница 32: ...nts The product carton should include the following 7XXX Controller Rack mounting kit optional Aruba User Documentation CD Tamper Evident Labels 32 Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Sec...

Страница 33: ...he tamper evident labels shall be installed for the module to operate in a FIPS Approved mode of operation Aruba Provides double the required amount of TELs If a customer requires replacement TELs ple...

Страница 34: ...o labels spanning the RJ 45 and mini USB serial ports as shown in figure 8 Press down on this label to ensure that it adheres to a sufficient area of the front bezel The RJ 45 port is raised relative...

Страница 35: ...3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in Figure 10 Press down on this label to ensure that it adheres to a sufficien...

Страница 36: ...ure 10 Required TELs for the Aruba 7010 Mobility Controller Front Figure 11 Required TELs for the Aruba 7010 Mobility Controller Bottom 36 Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Security Pol...

Страница 37: ...l port and one spanning the mini USB port label 2 as shown in Figure 14 and 15 labels 2 3 Press down on this label to ensure that it adheres to a sufficient area of the front bezel The RJ 45 port is r...

Страница 38: ...the bottom and the chassis lid as shown in Figures 16 and 18 Labels 3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in figure 1...

Страница 39: ...gure 16 Required TELs for the Aruba 7030 Mobility Controller Top Figure 17 Required TELs for the Aruba 7030 Mobility Controller Front Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Security Policy 3...

Страница 40: ...e bottom and the chassis lid as shown in Figures 19 and 21 Labels 3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in Figure 20...

Страница 41: ...7205 Mobility Controller Top Figure 20 Required TELs for the Aruba 7205 Mobility Controller Front Figure 21 Required TELs for the Aruba 7205 Mobility Controller Bottom Aruba 7XXX Series Controllers F...

Страница 42: ...use the controller see Enabling FIPS Mode on page 37 The admin role must be root Passwords must be at least eight characters long VPN services can only be provided by IPsec or L2TP over IPsec Access...

Страница 43: ...t Guide Enabling FIPS Mode For FIPS compliance users cannot be allowed to access the controller until the CO changes the mode of operation to FIPS mode There are two ways to enable FIPS mode Use the W...

Страница 44: ...led To disable the LCD screen enter the Enable mode and use the following CLI commands host configure terminal host config lcd menu host lcd menu disable menu Disallowed FIPS Mode Configurations When...

Отзывы:

Нет отзывов