FIPS 140-2 Level 2 Features
Aruba 3000 and 6000/M3
0510541-05
FIPS 140-2 Level 2 Release Supplement
November 2008
IPSec session keys are used to protect IKE phase 1 & 2 protocol messages.
Session keys are generated using the Diffie-Hellman key agreement. IPSec
session keys are visible only in process space, and are zeroized when the
session is closed, in a matter of a few milliseconds.
The IKE Diffie-Hellman private key is generated during IKE for use in the IKE
key establishment. The key is generated internally and is an ephemeral key
that is stored in plaintext in memory. The IKE Diffie-Hellman key pair can be
zeroized by using the OPENSSL_cleanse() function, followed by
OPENSSL_free() to free up the memory. The key pairs can also be zeroized in a
few milliseconds by rebooting the module.
The IKE User Diffie-Hellman public key is used during the IKE key
establishment. The public key is used by the module to establish a shared
secret with the user. The public key is an ephemeral key and is stored in
plaintext in memory. It can be zeroized by rebooting the module. IKE
Diffie-Hellman key pairs can be zeroized in a few milliseconds by using the
OPENSSL_cleanse() function, followed by OPENSSL_free() to free up the
memory.
SSH session keys are used to protect SSH protocol messages. Session keys
are generated using the Diffie-Hellman key agreement. SSH session keys are
visible only in the process space, and are zeroized in a matter of a few
milliseconds when the session is closed.
The SSH Diffie-Hellman private key is generated internally and is used during
the SSH key establishment. This key is an ephemeral key and is stored in
plaintext in memory. It can be zeroized by rebooting the module. The SSH
Diffie-Hellman key pair is zeroized in a few milliseconds by using the
OPENSSL_cleanse() function, followed by OPENSSL_free() to free up the
memory.
The SSH User Diffie-Hellman public key is used during the SSHv2 key
establishment. The public key is used by the module to establish a shared
secret with the user. The public key is an ephemeral key and is stored in
plaintext in memory. It can be zeroized by rebooting the module.
The TLS session keys are derived at the end of the EAP-TLS handshake between
the wireless client (User role) and the RADIUS server. After that, the RADIUS
server uses the TLS session keys to derive the 802.11i Pairwise Master Key
(PMK) and then transports the PMK to the controller encrypted with an IPSec
session key. TLS keys are stored in plaintext in memory. They can be zeroized
by rebooting the module. Upon closing a session, the session keys are
zeroized by using the OPENSSL_cleanse() function, followed by
OPENSSL_free() to free up the memory.
The RSA public key is used primarily for user EAP-TLS authentication. The
public key is externally generated and stored in flash memory encrypted with
KEK.
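
The zeroize-then-free order described above for the ephemeral Diffie-Hellman and session keys, as an added example that is not code from the module or from this supplement. It assumes a portable `secure_zero()` as a stand-in for OPENSSL_cleanse() so that it builds without OpenSSL; `struct ephemeral_key`, `key_new()`, `key_destroy()` and the release hook are hypothetical names, and the secret is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for OPENSSL_cleanse() so this builds without OpenSSL: calling memset
 * through a volatile pointer stops the compiler dropping the wipe as a dead store. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;
static void secure_zero(void *p, size_t n) { if (p && n) memset_v(p, 0, n); }

/* Hypothetical holder for an ephemeral secret such as a DH private value. */
struct ephemeral_key { unsigned char *bytes; size_t len; };

struct ephemeral_key *key_new(const unsigned char *secret, size_t len)
{
    struct ephemeral_key *k = calloc(1, sizeof *k);
    if (k == NULL || (k->bytes = malloc(len ? len : 1)) == NULL) { free(k); return NULL; }
    memcpy(k->bytes, secret, len);
    k->len = len;
    return k;
}

/* Zeroize first, free second. The optional release hook receives the buffer at
 * the moment it is handed back, so a caller can audit what the allocator gets. */
void key_destroy(struct ephemeral_key *k, void (*release)(void *, size_t))
{
    if (k == NULL) return;
    secure_zero(k->bytes, k->len);
    if (release) release(k->bytes, k->len); else free(k->bytes);
    secure_zero(k, sizeof *k);      /* clear the stale pointer and length too */
    free(k);
}

static size_t residue;              /* non-zero bytes seen at release time */
static void audit_release(void *ptr, size_t len)
{
    const unsigned char *b = ptr;
    for (size_t i = 0; i < len; i++) residue += (b[i] != 0);
    free(ptr);
}

/* Number of secret bytes still present when the buffer is freed, or -1. */
long residue_after_destroy(const unsigned char *secret, size_t len)
{
    struct ephemeral_key *k = key_new(secret, len);
    if (k == NULL) return -1;
    residue = 0;
    key_destroy(k, audit_release);
    return (long)residue;
}
int main(void) { return residue_after_destroy((const unsigned char *)"constructed-secret", 18) != 0; }
```

Reversing the two steps in `key_destroy()` would hand the allocator a buffer that still holds the key, which is the condition the audit hook counts.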