Aruba 3000 and 6000/M3
FIPS 140-2 Level 2 Release Supplement
FIPS 140-2 Level 2 Features
Encryption Keys and Passwords
Key Encryption Key (KEK)
The KEK is hard-coded in the image. The KEK encrypts IKE RSA key pairs, pre-shared keys, and the user database. The KEK can be zeroized by erasing the image.
Preshared keys can be used instead of certificates during IKE authentication. The preshared key must be entered by the Crypto Officer, with the username being the IP address and the password being the preshared key. The preshared keys are stored encrypted in flash and can be zeroized either by overwriting them with new ones or by erasing the flash.
Table 2-6 CSPs Used in Aruba Mobility Controllers (Continued)

| CSPs | CSP type | Generation | Storage and Zeroization | Use |
|---|---|---|---|---|
| Data link (Layer 2) encryption key | AES key (256 bit) | Derived during the EAP-TLS handshake | Stored in plaintext in volatile memory. Zeroized on reboot. | Used to encrypt tunneled Layer 2 frames |
| Data link (Layer 2) integrity key | HMAC-SHA1 key (160-bit) | Derived during the EAP-TLS handshake | Stored in plaintext in volatile memory. Zeroized on reboot. | Used to integrity-protect tunneled Layer 2 frames |
| Passwords | 6-character password | External | Stored encrypted in flash with the KEK. Zeroized by either deleting the password configuration file or by overwriting the password with a new one. | Authentication for accessing the management interfaces, RADIUS authentication |
| PRNG seeds | Seed key (24 bytes, Triple-DES 2-keying option) and seed (8 bytes) | Seeded using non-approved OpenSSL random number generator | In volatile memory only. Zeroized on reboot. | Seed PRNGs |
| TLS pre-master secret | 48 byte secret | Externally generated | Stored in plaintext in volatile memory. Zeroized when the session is closed. | Key agreement during TLS |