Cisco Catalyst 4503-E - Page 45

Cisco Catalyst 4503-E
88 pages
Cisco Cat4K NDPP ST 11 March 2014
EDCS-1228241
SHA-256, SHA-512] and message digest sizes [160, 256, 512] bits that meet the following: FIPS Pub 180-3 “Secure Hash Standard.”

5.2.2.6 FCS_COP.1(4): Cryptographic operation (for keyed-hash message authentication)

FCS_COP.1.1(4) The TSF shall perform [keyed-hash message authentication] in accordance with a specified cryptographic algorithm HMAC-[SHA-1, SHA-256, SHA-512], key size [128, 192, 256 bits], and message digest sizes [160, 256, 512] bits that meet the following: FIPS Pub 198-1 “The Keyed-Hash Message Authentication Code”, and FIPS PUB 180-3, “Secure Hash Standard.”

5.2.2.7 FCS_RBG_EXT.1: Cryptographic operation (random bit generation)

FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in accordance with [NIST Special Publication 800-90 using CTR_DRBG (AES)] seeded by an entropy source that accumulated entropy from at least one independent TSF-hardware-based noise source.

FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of [256 bits] of entropy at least equal to the greatest length of the keys and authorization factors that it will generate.

5.2.2.8 FCS_COMM_PROT_EXT.1: Communications protection

FCS_COMM_PROT_EXT.1.1 The TSF shall protect communications using [IPsec, SSH] and [no other protocol].

5.2.2.9 FCS_IPSEC_EXT.1: IPSEC

FCS_IPSEC_EXT.1.1 The TSF shall implement IPsec using the ESP protocol as defined by RFC 4303 using the cryptographic algorithms AES-CBC-128, AES-CBC-256 (both specified by RFC 3602), [no other algorithms] and using IKEv1 as defined in RFCs 2407, 2408, 2409, and RFC 4109, [no other methods] to establish the security association.

FCS_IPSEC_EXT.1.2 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main mode.