MNR S2500 Security Policy
Version 1.3, Revision Date: 1/13/2009
Definition of Critical Security Parameters (CSPs)
The following CSPs are contained within the module:
| Key | Description/Usage |
| --- | --- |
| KEK | This is the master key that encrypts persistent CSPs stored within the module. KEK-protected keys include PSK and passwords. Encryption of keys uses AES128ECB |
| IKE Preshared Keys | Used to authenticate peer to peer during IKE session |
| SKEYID | Generated for IKE Phase 1 by hashing preshared keys with responder/receiver nonce |
| SKEYID_d | Phase 1 key used to derive keying material for IKE SAs |
| SKEYID_a | Key used for integrity and authentication of the phase 1 exchange |
| SKEYID_e | Key used for TDES or AES data encryption of phase 1 exchange |
| Ephemeral DH Phase-1 private key (a) | Generated for IKE Phase 1 key establishment |
| Ephemeral DH Phase-2 private key (a) | Phase 2 Diffie Hellman private keys used in PFS for key renewal |
| IPSEC Session keys | 128/192/256-bit AES-CBC and 168-bit TDES keys are used to encrypt and authenticate IPSEC ESP packets |
| FRF.17 Session Keys | 168-bit TDES-CBC and 128/192/256-bit AES-CBC keys are used to encrypt and authenticate FRF.17 Mode 2 |
| SSH-RSA Private Key | Key used to authenticate oneself to peer |
| SSH-DSA Private Key | Key used to authenticate oneself to peer |
| SSH Session Keys | 168-bit TDES-CBC and 128/192/256-bit AES-CBC keys are used to encrypt and authenticate SSH packets |
| SSH DH Private Key | Generated for SSH key establishment |
| RNG Seed | Initial seed for FIPS-approved deterministic RNG |
| Network Manager Password (Root) | 7 (to 15) character password used to authenticate to the CO Role (Crypto Officer) |
| User(Admin) | 7 (to 15) character password used to authenticate to the User Role |
| User Accounts | 7 (to 15) character password used to authenticate accounts created on the module |
Table 8 – Critical Security Parameters (CSPs)
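
The SKEYID, SKEYID_d, SKEYID_a and SKEYID_e rows form the IKEv1 Phase 1 derivation chain that RFC 2409 defines for pre-shared-key authentication, keyed over the initiator and responder nonces. The sketch below is an added example, not code from the module or its vendor; it assumes HMAC-SHA1 as the negotiated prf, uses constructed sample inputs, and also shows the RFC 2409 Appendix B expansion needed when a TDES or AES key is longer than the prf output.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA1 is the negotiated prf (the policy does not name one).
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5 derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                    # PSK keyed over both nonces
    tail = g_xy + cky_i + cky_r                   # DH shared secret + cookies
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def expand_enc_key(skeyid_e: bytes, key_len: int) -> bytes:
    """RFC 2409 Appendix B: stretch SKEYID_e when the cipher key is longer."""
    if key_len <= len(skeyid_e):
        return skeyid_e[:key_len]                 # most significant bytes
    out, block = b"", b"\x00"                     # K1 = prf(SKEYID_e, 0)
    while len(out) < key_len:
        block = prf(skeyid_e, block)              # Kn = prf(SKEYID_e, Kn-1)
        out += block
    return out[:key_len]


# Constructed sample inputs (not taken from any real exchange).
SAMPLE = dict(psk=b"constructed-psk", ni=bytes(range(16)), nr=bytes(range(16, 32)),
              g_xy=b"\x42" * 128, cky_i=b"\x01" * 8, cky_r=b"\x02" * 8)

if __name__ == "__main__":
    keys = derive_phase1_keys(**SAMPLE)
    for name, value in keys.items():
        print(f"{name:9s} {value.hex()}")
    print("AES-128  ", expand_enc_key(keys["SKEYID_e"], 16).hex())
    print("AES-256  ", expand_enc_key(keys["SKEYID_e"], 32).hex())
```

Because every derived key depends on SKEYID, which is keyed by the pre-shared key, the table lists the PSK as a persistent CSP protected under the KEK while the SKEYID values are per-session.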