Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, and 3745 Modular Access Routers and 7206-VXR NPE-400 Router FIPS 140-2 Non-Proprietary
OL-6083-01
The Cisco 1721, 1760, 2621XM, 2651XM, 2691, 3725, 3745, and 7206 VXR NPE-400 Routers
The module supports the following cryptographic algorithms: DES (only for legacy systems), 3DES,
DES-MAC, TDES-MAC, AES, SHA-1, HMAC-SHA-1, MD5, MD4, HMAC MD5, Diffie-Hellman, and RSA (for
digital signatures and for encryption/decryption (for IKE authentication)). The MD5, HMAC MD5, and
MD4 algorithms are disabled when operating in FIPS mode.
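As an added illustration (not part of the Cisco policy document), the following Python example audits IOS configuration text against the algorithm statement above: MD5- and MD4-based keywords are flagged as disabled in FIPS mode, and single DES as legacy-only. The sample configuration is constructed, and treating an ISAKMP policy with no `encr` line as implicit DES is an assumption about IOS 12.x defaults.

```python
import re
# Constructed sample configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
crypto isakmp policy 20
 encr des
 hash md5
crypto isakmp policy 30
 authentication pre-share
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto ipsec transform-set OLD esp-des esp-md5-hmac
"""

def classify(keyword):
    """Return a severity for an IOS algorithm keyword, or None if acceptable."""
    if "md5" in keyword or "md4" in keyword:
        return "disabled-in-FIPS-mode"   # MD5, HMAC MD5 and MD4 per the text above
    if re.fullmatch(r"(esp-)?des", keyword):
        return "legacy-only"             # single DES; 3des / esp-3des do not match
    return None

def audit(config):
    """Return (context, keyword, severity) findings for IOS configuration text."""
    findings, policy, saw_encr = [], None, False
    def close_policy():
        # Assumption: defaults are not printed and the default IKE cipher is DES.
        if policy is not None and not saw_encr:
            findings.append((policy, "des (implicit default)", "legacy-only"))
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) > 3:
            close_policy()
            policy, saw_encr = "isakmp policy " + words[3], False
        elif policy and line[0].isspace():
            saw_encr = saw_encr or words[0] in ("encr", "encryption")
            if words[0] in ("encr", "encryption", "hash"):
                findings += [(policy, w, classify(w)) for w in words[1:2] if classify(w)]
        else:
            close_policy()
            policy = None
            if words[:3] == ["crypto", "ipsec", "transform-set"]:
                findings += [("transform-set " + words[3], w, classify(w))
                             for w in words[4:] if classify(w)]
    close_policy()
    return findings
```
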
The module supports three types of key management schemes:
• Manual key exchange method that is symmetric. The DES/3DES/AES key and the HMAC-SHA-1 key are
exchanged manually and entered electronically.
• Internet Key Exchange method with support for exchanging pre-shared keys manually and entering
them electronically.
  – The pre-shared keys are used with the Diffie-Hellman key agreement technique to derive DES,
    3DES or AES keys.
  – The pre-shared key is also used to derive the HMAC-SHA-1 key.
• Internet Key Exchange with RSA-signature authentication.
All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected
by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto
Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual
tunnels are directly associated with that specific tunnel only via the IKE protocol.
Table 19 Role and Service Access to CSPs (Continued)
SRDI/Role/Service Access Policy

Role/Service:
  User Role: Status Functions, Network Functions, Terminal Functions, Directory Services
  Crypto-Officer Role: Configure the Router, Define Rules and Filters, Status Functions,
    Manage the Router, Set Encryptions/Bypass, Change WAN Interface Cards

Access entries by CSP:
  CSP 27: r r w d
  CSP 28: r w d
  CSP 29: r w d
  CSP 30: r w d
  CSP 31: r w d