11
Cisco 2621XM and Cisco 2651XM Modular Access Routers with AIM-VPN/EP FIPS 140-2 Non-Proprietary Security Policy
OL-6262-01
The 2621XM/2651XM Router
4 CSP 4 Same as above DRAM
(plaintext)
5 CSP 5 Same as above DRAM
(plaintext)
6 CSP 6 Same as above DRAM
(plaintext)
7 CSP 7 The IKE session encrypt key. The zeroization is the same as
above.
DRAM
(plaintext)
8 CSP 8 The IKE session authentication key. The zeroization is the same
as above.
DRAM
(plaintext)
9 CSP 9 The RSA private key. “crypto key zeroize” command zeroizes this
key.
NVRAM
(plaintext)
10 CSP 10 The key used to generate IKE skeyid during preshared-key
authentication. “no crypto isakmp key” command zeroizes it. This
key can have two forms based on whether the key is related to the
hostname or the IP address.
NVRAM
(plaintext)
11 CSP 11 This key generates keys 3, 4, 5 and 6. This key is zeroized after
generating those keys.
DRAM
(plaintext)
12 CSP 12 The RSA public key used to validate signatures within IKE. These
keys are expired either when CRL (certificate revocation list)
expires or 5 secs after if no CRL exists. After above expiration
happens and before a new public key structure is created this key
is deleted. This key does not need to be zeroized because it is a
public key; however, it is zeroized as mentioned here.
DRAM
(plaintext)
13 CSP 13 The fixed key used in Cisco vendor ID generation. This key is
embedded in the module binary image and can be deleted by
erasing the Flash.
NVRAM
(plaintext)
14 CSP 14 The IPSec encryption key. Zeroized when IPSec session is
terminated.
DRAM
(plaintext)
15 CSP 15 The IPSec authentication key. The zeroization is the same as
above.
DRAM
(plaintext)
16 CSP 16 The RSA public key of the CA. “no crypto ca trust <label>”
command invalidates the key and it frees the public key label
which in essence prevent use of the key. This key does not need to
be zeroized because it is a public key.
NVRAM
(plaintext)
17 CSP 17 This key is a public key of the DNS server. Zeroized using the
same mechanism as above. “no crypto ca trust <label>” command
invalidate the DNS server’s public key and it frees the public key
label which in essence prevent use of that key. This label is
different from the label in the above key. This key does not need
to be zeroized because it is a public key.
NVRAM
(plaintext)
Table 4 Critical Security Parameters (continued)
To Next Page
Loading...
Need help?
General
