MNR S2500 Security Policy
Version 1.3, Revision Date: 1/13/2009
Page 5
Firmware Implementations
a. Triple-DES– CBC mode (112 and 168 bit) for IKE and SSHv2 encryption (Cert. #581)
b. AES - CBC (128, 192, 256 bit), ECB (128), and CFB (128) modes for IKE and SSHv2
encryption (Cert. #611)
c. HMAC-SHA-1 for IKE and SSHv2 authentication (Cert. # 322)
d. SHA-1 for message hash (Cert. # 659)
e. RSA v1.5 1024 bit – for public/private key pair generation and digital signatures (Cert.
#283)
f. DSA 1024 bit – for public/private key pair generation and digital signatures (Cert. #237)
g. ANSI X9.31 Deterministic Random Number Generator (DRNG) (Cert .#349)
The MNR S2500 router supports the commercially available IKE and Diffie-Hellman protocols
for key establishment, IPsec (ESP) and FRF.17 protocols to provide data confidentiality using
FIPS-approved encryption and authentication algorithms and SSHv2 for secure remote access.
Allowed Algorithms
• Diffie-Hellman: (allowed for key agreement per Annex D, key agreement methodology
provides 80 to 112 bits of encryption strength)
• Hardware non-deterministic RNG: Provides seed for approved deterministic RNG
• MD5: for hashing (Provides interoperability within supported protocols)
• HMAC-MD5
Non-FIPS approved algorithms
In a Non FIPS mode of operation, the cryptographic module provides non-FIPS Approved
algorithms as follows:
• DES for encryption/decryption
• Non approved SW RNG
• Diffie-Hellman (Group 1 - 768 bit)
To Next Page
Loading...
