Cisco 2811 Security Policy - Page 21



© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
available in the DRAM; therefore this command will completely zeroize this key.

The following commands will zeroize the pre-shared keys from the DRAM:

• no set session-key inbound ah spi hex-key-data
• no set session-key outbound ah spi hex-key-data
• no set session-key inbound esp spi cipher hex-key-data [authenticator hex-key-data]
• no set session-key outbound esp spi cipher hex-key-data [authenticator hex-key-data]
• no crypto isakmp key

The DRAM running configuration must be copied to the start-up configuration in NVRAM in order to completely zeroize the keys.

The RSA keys are zeroized by issuing the CLI command "crypto key zeroize rsa".

All SSL/TLS session keys are zeroized automatically at the end of the SSL/TLS session.

The module supports the following keys and critical security parameters (CSPs).
| Key/CSP Name | Algorithm | Description | Storage Location | Zeroization Method |
|---|---|---|---|---|
| PRNG Seed | X9.31 | This is the seed for the X9.31 PRNG. This CSP is stored in DRAM and updated periodically after the generation of 400 bytes, after which it is reseeded with router-derived entropy; hence, it is zeroized periodically. Also, the operator can turn off the router to zeroize this CSP. | DRAM | Automatically every 400 bytes, or turn off the router. |
| PRNG Seed Key | X9.31 | This is the seed key for the PRNG. | DRAM | Turn off the router. |
| Diffie Hellman private exponent | DH | The private exponent used in the Diffie-Hellman (DH) exchange as part of IKE. Zeroized after the DH shared secret has been generated. | DRAM | Automatically after shared secret generated. |
| Diffie Hellman public key | DH | The public key used in the Diffie-Hellman (DH) exchange as part of IKE. Zeroized after the DH shared secret has been generated. | DRAM | Automatically after shared secret generated. |
| skeyid | Keyed SHA-1 | Value derived from the shared secret within the IKE exchange. Zeroized when the IKE session is terminated. | DRAM | Automatically after IKE session terminated. |
| skeyid_d | Keyed SHA-1 | The IKE key derivation key for non-ISAKMP security associations. | DRAM | Automatically after IKE session terminated. |
| skeyid_a | HMAC-SHA-1 | The ISAKMP security association authentication key. | DRAM | Automatically after IKE session terminated. |
| skeyid_e | TRIPLE-DES/AES | The ISAKMP security association encryption key. | DRAM | Automatically after IKE session terminated. |
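The table lists skeyid, skeyid_d, skeyid_a and skeyid_e without saying how they relate to the DH shared secret. The following added example (written for this edit; it is not Cisco code and the security policy does not publish the IOS implementation) reproduces the IKEv1 key hierarchy from RFC 2409 section 5 with HMAC-SHA-1 as the negotiated prf, which is what the table's "Keyed SHA-1" and "HMAC-SHA-1" entries refer to, and models the two zeroization points in the table: the DH private exponent right after the shared secret exists, and the skeyid family when the IKE session ends. The DH group, pre-shared key, nonces, cookies and exponents are all constructed test values, and pre-shared-key authentication is assumed so that SKEYID = prf(PSK, Ni_b | Nr_b).

```python
import hashlib
import hmac

# Toy Diffie-Hellman group, constructed for readability only.  Real IKE uses
# the MODP groups of RFC 2409/RFC 3526; this 127-bit Mersenne prime is not secure.
P = 2**127 - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 'prf' when SHA-1 is the negotiated hash: HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_skeyid_dae(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """The three keys the table lists as skeyid_d, skeyid_a and skeyid_e (RFC 2409 s.5).
    The trailing single octets 0, 1, 2 are part of the specification."""
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")            # key-derivation key for non-ISAKMP SAs
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # ISAKMP SA authentication key
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # ISAKMP SA encryption key
    return {"skeyid_d": skeyid_d, "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def zeroize(buf: bytearray) -> None:
    """Overwrite a CSP buffer in place, modelling the table's zeroization method.
    CPython cannot guarantee that no other copy of the value survives in memory."""
    for i in range(len(buf)):
        buf[i] = 0


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def ike_phase1_psk(psk: bytes, ni_b: bytes, nr_b: bytes, cky_i: bytes, cky_r: bytes,
                   x: int, y: int):
    """Run the key hierarchy from both peers' viewpoints and apply the table's
    zeroization points.  x and y are the initiator's and responder's DH private
    exponents (constructed).  Returns (initiator_keys, responder_keys, csp_buffers);
    the key dicts are read-only copies kept so a caller can check peer agreement."""
    # DH exchange: each peer publishes its public value and computes g^xy.
    gx, gy = pow(G, x, P), pow(G, y, P)
    x_buf, y_buf = bytearray(int_to_bytes(x)), bytearray(int_to_bytes(y))
    g_xy_i = int_to_bytes(pow(gy, int.from_bytes(x_buf, "big"), P))  # initiator's view
    g_xy_r = int_to_bytes(pow(gx, int.from_bytes(y_buf, "big"), P))  # responder's view
    # Table rows 'Diffie Hellman private exponent' / 'public key': zeroized as soon
    # as the shared secret has been generated.
    zeroize(x_buf)
    zeroize(y_buf)

    # Both peers hold the same PSK and saw the same nonces, so SKEYID agrees.
    skeyid_i = skeyid_psk(psk, ni_b, nr_b)
    skeyid_r = skeyid_psk(psk, ni_b, nr_b)
    keys_i = derive_skeyid_dae(skeyid_i, g_xy_i, cky_i, cky_r)
    keys_r = derive_skeyid_dae(skeyid_r, g_xy_r, cky_i, cky_r)

    # Table rows skeyid / skeyid_d / skeyid_a / skeyid_e: held in DRAM for the
    # life of the IKE session, zeroized when the session terminates.
    session_csps = [bytearray(skeyid_i)] + [bytearray(v) for v in keys_i.values()]
    for buf in session_csps:
        zeroize(buf)
    return keys_i, keys_r, [x_buf, y_buf] + session_csps


def all_zero(bufs) -> bool:
    """True when every CSP buffer has been overwritten with zeros."""
    return all(not any(b) for b in bufs)


if __name__ == "__main__":
    ki, kr, bufs = ike_phase1_psk(b"constructed-psk", b"\x11" * 16, b"\x22" * 16,
                                  b"\xaa" * 8, b"\xbb" * 8, 0x1234567, 0x89ABCDEF)
    for name in ("skeyid_d", "skeyid_a", "skeyid_e"):
        print(name, ki[name].hex(), "peers agree:", ki[name] == kr[name])
    print("all CSP buffers zeroized:", all_zero(bufs))
```

Because every one of skeyid_d, skeyid_a and skeyid_e is an HMAC keyed with SKEYID over the shared secret, leaving either SKEYID or g^xy recoverable in DRAM would let the whole hierarchy be recomputed; that is why the table zeroizes the DH material as soon as the shared secret exists and the skeyid family at session end rather than only the encryption key.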