7: Networking
EMGâ„¢ Edge Management Gateway User Guide 134
cryptography) must use a RSA public key of 2048, 3072 or 4096 bits, with the SHA2 hashing
algorithm. SSH Keys exported by the console manager use a RSA public key of 2048, 3072 or
4096 bits, with the SHA2 (SHA256) hashing algorithm.
SNMP: only SNMPv3 can be used, and insecure algorithms (DES, MD5, SHA1) cannot be used.
The Security setting must be set to Auth/Encrypt (No Auth and No Encrypt cannot be used).
VPN: insecure algorithms (MD5, SHA1, DH Group 2, DH Group 5) cannot be used.
WiFi: the access point cannot use security of None (WPA or WPA2 is required). The WLAN client
cannot use a security suite of None or WEP (WPA-WPA2 mixed mode is required). WLAN profiles
are required to use an encryption algorithm of CCMP. If the console manager is booted in FIPS
mode with insecure access point settings or WLAN profile settings, the access point or WLAN
profile will be disabled.
ConsoleFlow: supported in FIPS mode.
When the console manager is running in FIPS mode, the following services will not be supported:
NIS, Kerberos, RADIUS, TACACS+, Telnet/WebTelnet, FTP, PPP, CIFS/Samba, TCP, UDP, and
unencrypted LDAP. If any of these protocols/functions are enabled prior to enabling FIPS mode,
they will be automatically disabled.
The following table shows the algorithms allowed in FIPS mode and how they are used:
Algorithm Usage Key Sizes
AES (CBC, CCM,
CFB, CTR, ECB,
GCM, OFB, XTS)
Symmetric encryption & decryption 128/192/256 bit key lengths
AES CMAC Generate & verify data integrity with
CMAC
128/192/256 bit key lengths
TDES / 3-Key (CBC,
CFB, ECB, OFB)
Symmetric encryption & decryption 112/168 bits key length
TDES / 3-Key CMAC Message Digests 112/168 bits key length
SHA2 Keyed Hash & Message Digests 224/256/384/512 bits key lengths
RSA Digital Signature and Asymmetric Key
Generation
2048 bit key length and longer, with
SHA2 with 256-bit to 512-bit key lengths
Diffie-Hellman (DH) Key Agreement / Exchange 2048 bit key lengths and longer
Elliptic Curve
Cryptography (ECC)
Key Agreement / Exchange All NIST defined B, K and P curves
except sizes 163 and 192
Elliptic Curve Diffie-
Hellman (ECDH); key
agreement algorithm
that is a variant of
Diffie-Hellman using
ECC
Key Agreement / Exchange 224-521 bits
Elliptic Curve Digital
Signature Algorithm
(ECDSA); digital
signature algorithm
that is a variant of
DSA using ECC
Digital Signature Key Generation 224-521 bits
Hash DRBG Random number generator V (440/888 bits) and C (440/888) bits
To Next Page
Loading...
Need help?
General
