FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G Introduction This is a non-proprietary Cryptographic Module Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G (7900 Series). This policy describes how the Cisco Unified IP Phone 7900 Series meet the requirements of FIPS 140-2. This document also includes instructions for configuring the phones in FIPS mode. This policy was prepared as part of the Level 1 FIPS 140-2 validation for the Cisco Unified IP Phone 7900 Series. FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html. This document may be copied in its entirety and without modification. All copies must include the Note copyright notice and statements on the last page. This document includes the following sections: FIPS 140-2 Submission Package • Overview • Physical Characteristics and Phone Interfaces • Roles and Services • Self-Tests • Mitigation of Other Attacks • Secure Operation • Non-FIPS Approved Algorithms • Obtaining Documentation • Documentation Feedback • Cisco Product Security Overview • Obtaining Technical Assistance • Obtaining Additional Publications and Information • v 1.2 FIPS 140-2 Submission Package The security policy document is one document in FIPS 140-2 Submission Package. In addition to this document, the complete submission package contains: Vendor Evidence • Finite State Machine • Other supporting documentation as additional references • With the exception of this non-proprietary security policy, the FIPS 140-2 validation documentation is proprietary to Cisco Systems, Inc. and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems, Inc. See Obtaining Technical Assistance for more information. Overview Today, more organizations can take advantage of Cisco Unified Communications, thanks to these affordable IP endpoints. The Cisco Unified IP Phones 7900 Series deliver cost-effective, full-featured voice communication services in a clutter-free and earth-friendly, ergonomic design. Cisco Unified IP Phones 7900 Series endpoints are earth-friendly. They are made with recyclable and reground plastics, so they are earth-responsible solutions. Hardware Versions Below you will find a listing of the FIPS approved hardware versions for the Cisco 7900 series endpoints Phone Model Hardware versions V01, V02, V03, V04, V05, V06, V07, V08, V09 CP-7906G V01, V02, V03, V04, V05, V06, V07, V08, V09 CP-7911G V01, V02, V03, V04, V05 CP-7931G V01, V02 CP-7941G V01, V02 CP-7961G V01 CP-7961GE V01, V02, V03, V04, V05, V06, V07, V08, V09, V10 CP-7942G V01, V02, V03, V04, V05, V06, V07, V08, V09, V10, V11 CP-7962G V01, V02, V03, V04, V05, V06, V07, V08, V09, V10, V11 CP-7945G V01, V02, V03, V04, V05, V06, V07, V08, V09, V10, V11 CP-7965G V01, V02 CP-7970G V01, V02, V03 CP-7971G V01, V02, V03 CP-7971GE V01, V02, V03, V04, V05, V06, V07, V08, V09, V10, V11, V12 CP-7975G Notice: The differences between Hardware versions on each module are very minor, such as the compliance stickers for various FCC testing, changes to label adhesives, etc. 2 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 The Data Sheet for the 7906G can be found on the Cisco website at http://goo.gl/vq5wI Figure 1 - The Cisco Unified IP Phone 7906G The Data Sheet for the 7911G can be found on the Cisco website at http://goo.gl/DeqRa Figure 2 - The Cisco Unified IP Phone 7911G 3 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 The Data Sheet for the 7931G can be found on the Cisco website at http://goo.gl/zzMKO Figure 3 - The Cisco Unified IP Phone 7931G The Data Sheet for the 7941G can be found on the Cisco website at http://goo.gl/0Hf53 4 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Figure 4 - The Cisco Unified IP Phone 7941G The Data Sheet for the 7942G can be found on the Cisco website at http://goo.gl/zbviD Figure 5 - The Cisco Unified IP Phone 7942G The Data Sheet for the 7945G can be found on the Cisco website at http://goo.gl/t7DOs 5 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Figure 6 - The Cisco Unified IP Phone 7945G The Data Sheet for the 7961G can be found on the Cisco website at http://goo.gl/SmeS4 Figure 7 - The Cisco Unified IP Phone 7961G The Data Sheet for the 7961G-GE can be found on the Cisco website at http://goo.gl/x2Hcm 6 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Figure 8 - The Cisco Unified IP Phone 7961G-GE The Data Sheet for the 7962G can be found on the Cisco website at http://goo.gl/OiXtq Figure 9 - The Cisco Unified IP Phone 7962G The Data Sheet for the 7965G can be found on the Cisco website at http://goo.gl/8SwP 7 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Figure 10 - The Cisco Unified IP Phone 7965G The Data Sheet for the 7970G can be found on the Cisco website at http://goo.gl/aGJIW Figure 11 - The Cisco Unified IP Phone 7970G The Data Sheet for the 7971G can be found on the Cisco website at http://goo.gl/fieLs 8 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Figure 12 - The Cisco Unified IP Phone 7971G The Data Sheet for the 7971G-GE can be found on the Cisco website at http://goo.gl/fieLs Figure 13 - The Cisco Unified IP Phone 7971G-GE The Data Sheet for the 7975G can be found on the Cisco website at http://goo.gl/ePJa8 9 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Figure 14 - The Cisco Unified IP Phone 7975G Cryptographic Module Validation Level Validation Level by Section lists the level of validation for each area in the FIPS PUB 140-2. Table 1 Validation Level by Section No. Area Title Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 1 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 10 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 7 Cryptographic Key management 1 8 Electromagnetic Interface/Electromagnetic Compatibility 1 9 Self-Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Overall Level 1 Physical Characteristics and Phone Interfaces The logical interfaces and their mapping for the 7900 Series Phones are described in Table 2: Table 2 Cisco 7900 Series Physical Interface/Logical Interface Mapping Physical Interface FIPS 140-2 Logical Interface Phone Keypad, SW Network Port, PC Access Data Input Port , and Phone Microphone, Phone Speaker, SW Network Port, PC Access Data Output Port , and Display Phone Keypad, SW Network Port, and PC Control Input Access Port Phone Display, Phone Speaker, message waiting Status Output light, display, SW Network Port, and PC Access Port. 11 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Roles and Services The 7900 Series phones can be accessed by plugging the phone in. As required by FIPS 140-2, there are two main roles in the 7900 Series Phones that operators may assume: a Crypto Officer role and User role. The respective services for each role are described in the Crypto Officer Services, and the User Services. Crypto Officer Services The Crypto Officer role is responsible for the configuration and maintenance of the phones. For the purposes of this testing, the Crypto Officer will be defined as the operations and processes performed by the Cisco Unified Call Manager (CUCM). The authentication mechanism associated with the Crypto-Officer has not been tested for FIPS level one validation. The Crypto Officer services consist of the following: Establish TLS sessions for configuration • Perform configuration of the phone • Transport Keys to the phone • View Status of the phone • Restart the phone (Restart connection between the CUCM and Phone) • Reset the phone • Initiate Self-tests by rebooting the phone. • User Services A user initializes the phone by turning it on. There is no login interface for the phone, as level 1 allows for implicit role assumptions. Some services may require the menu key to access the features. The services available to the User role consist of the following: Make and Receive Calls (Encrypt/Decrypt data) • Run Self-Tests • Customize keypad parameters • View and Edit Network Profile Parameters (SSID, DHCP Server, TFTP Server, etc) • View and Edit System Configuration • View and Edit Device information (Network, LAN, HTTP, Locale, QoS, and UI information) • Display Model Information • View Phone Status (Phone Status, Network Statistics, Call Statistics, Firmware versions, etc) • 12 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Critical Security Parameters The services accessing the Critical Service Parameters (CSP)s, the type of access and which role accesses the CSPs are listed in Table 3. Table 3 Cisco 7900 Series Phones Validation Level by Section Critical Security Parameters CSP/Role/Service Access Policy CSP 10 CSP 11 CSP 1 CSP 2 CSP 3 CSP 4 CSP 5 CSP 6 CSP 7 CSP 8 CSP 9 Role/Service User Role Make and Receive Calls Run Self-Tests Customize Sound, Display, and keypad parameters View and Edit Network Profile Parameters View and Edit System Configuration View and Edit r r r r r r r r r r Device information Display Model r r r r r r r r r r Information View Phone Status r r r r r r r r r r Crypto-Officer Role Establish TLS rwd rwd rwd rwd rwd rwd rwd rwd rwd rwd rwd sessions for configuration 13 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Perform rwd rwd rwd rwd rwd rwd rwd rwd rwd rwd rwd configuration of the phone Transport Keys to rwd rwd rwd rwd rwd rwd rwd rwd rwd rwd rwd the phone View Status of the r r r r r r r r r r r phone Reboot the phone d d d d d d d d d Reset the phone d d d d d d d d d d d Initiate Self-tests d d d d d d d d d r = read w = write d = delete Cryptographic Key Management The phones use a variety of Critical Security Parameters during operation. Table 4 lists the cryptographic keys used by the 7900 Series Phones. Table 4 Secret and Private Cryptographic Keys Used by the 7900 Series Key/CSP Generation/ # Name Algorithm Description Storage Zeroization 1 Configuration Generated by the Key used to decrypt the Stored in volatile Power Cycle or Device File AES-128 CUCM configuration file once it memory Reset Key is on the phone 2 sRTP Master Generated by the Key used to generate Stored in volatile upon end of call or device Key (AES) CUCM and sent to sRTP session keys memory reset. phone in TLS session 3 sRTP Generated via the Key used to Stored in volatile upon end of call or device Encryption sRTP protocol encrypt/decrypt sRTP memory reset. key (AES) packets 4 sRTP Generated via the Key used to authenticate Stored in volatile upon end of call or device Authentication sRTP protocol sRTP packets memory reset. key (HMAC) 14 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 5 CUCM TLS Generated via the TLS sessions keys based Stored in volatile upon end of call or device Session TLS Protocol on the Locally Significant memory reset. Encryption Certificate (LSC) for key (AES) derivation 6 CUCM TLS Generated via the TLS sessions keys based Stored in volatile upon end of call or device Session TLS Protocol on the LSC for derivation memory reset. Authentication key (HMAC) Webserver TLS Generated via the TLS sessions keys based 7 Stored in volatile upon end of call or device Session TLS Protocol on the LSC for derivation memory reset Encryption key (AES/TDES) Webserver Generated via the TLS sessions keys based 8 Stored in volatile upon end of call or device TLS TLS Protocol on the LSC for derivation memory reset. Session Authentication key (HMAC) 9 RNG Seed Multiple data bytes Seed Key used to Stored in volatile Reset or loss of power Key (20-bytes) retrieved randomize the memory from a 128-byte initialization of the RNG Hardware based entropy source (time, clock, thermal noise, interrupts, and memory, etc). 10 RNG Seed Multiple data bytes Seed used to randomize Stored in volatile Reset or loss of power (20-bytes) retrieved the initialization of the memory from a 128-byte RNG Hardware based entropy source (time, clock, thermal noise, interrupts, and memory, etc). 11 LSC Private Generated by the Private key for locally Zeroized by resetting phone / Key (RSA) module but issued certificates. Used flash0/sec/lsc0/phone to default settings converted into a for TLS negotiation with Key.pvt certificate by the CUCM and Web Clients CAPF/CUCM (Note that the RSA keys generated must be at least a 1024 bit key) 15 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Self-Tests The 7900 Series Phones include an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to ensure all components are functioning correctly. Table 5 7900 Series Power-On Self-Tests Implementation Tests Performed sRTP Library AES KAT • HMAC-SHA-1 KAT • RSA SSL-Cme 1.1.0 RSA KAT (signature/verification) • AES KAT • Triple-DES KAT • HMAC SHA-1 KAT • RNG KAT • Module Firmware Firmware Integrity Test • The phone performs all power-on self-tests automatically at boot when FIPS mode is enabled. The power-on self-tests are performed after the cryptographic systems are initialized, and in the unlikely event that a power-on self-test fails, the module transitions into an error state and output an error message via its status output interface. Table 6 lists the conditional self-tests that the 7900 Series phones perform. Table 6 7900 Series Conditional Self-Tests Implementation Tests Performed sRTP Conditional Bypass test • RSA SSL-Cme 1.1.0 Pairwise consistency test for RSA • Continuous Random Number Generator Test for the • FIPS-approved RNG 16 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Mitigation of Other Attacks The 7900 Series do not claim to mitigate any attacks in a FIPS-approved mode of operation. Secure Operation The Cisco 7900 Series phones meet FIPS 140-2 Level 1 requirements. This section describes how to place and keep the phone in a FIPS-approved mode of operation. Operating the phone without maintaining the following settings will remove the phone from the FIPS-approved mode of operation. Crypto Officer Guidance – System Initialization The Crypto Officer must create a device security profile in Call manager. Below, find instructions on creating the device security profile. 1. Login to Call Manager 2. Navigate to System -> Security Profile -> Phone Security Profile. 3. Click the Add New button 4. Select the appropriate phone model from the drop down box and click next. 5. From the Drop down box, select SCCP for the security protocol profile and click next. 6. In the Name box, give an appropriate name such as “Cisco 79xx FIPS Security Profile”, or “Cisco 79xx FIPS Security Profile”, followed by an appropriate description. 7. In the section titled, “Phone Security Profile CAPF Information, Select the “Authentication Mode” to be “By Existing Certificate (Precedence to LSC), and select the key size to be 2048 bits. 8. While still in the “Phone Security Profile CAPF Information”, select the device security mode to “encrypted” 9. Click “Save” Crypto Officer Guidance – System Configuration The Cisco 7900 Series phones were validated with firmware version 9.2(1)SR2. The specific binaries are listed in Table 7 Below. Please note: These are the only allowable images for the FIPS-approved mode of operation. Table 7 FIPS Image names Phone Model(s) Image Name 7906/7911 SCCP11.9-2-1ES2S.loads 7931 SCCP31.9-2-1ES2S.loads 17 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 7941/7961 SCCP41.9-2-1ES2S.loads 7942/7962 SCCP42.9-2-1ES2S.loads 7945/7965 SCCP45.9-2-1ES2S.loads 7970/7971 SCCP70.9-2-1ES2S.loads 7975 SCCP75.9-2-1ES2S.loads The Crypto Officer must configure and enforce the following initialization steps: Login to Call Manager • Navigate to phone page • Select the 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, or 7975G in the list of phones • Click on the phone in question to navigate to the configuration page. • Find the section titled “Product Specific Configuration Layout” and make sure that both web access and SSH are disabled • Find the section titled “Protocol Specific Information” and select the device security profile that you created in the previous section above. • At the bottom of the list of configuration items, select to enable FIPS mode. • Save the configurations by clicking on save. • Reset the phone by clicking reset Approved Cryptographic Algorithms The Cisco 7900 Series phones support many different cryptographic algorithms; however, when configured for FIPS compliant operation, the module will only utilize FIPS-approved and FIPS allowed cryptographic algorithms. Table 8 lists all FIPS approved algorithms supported by the module Table 8 7900 Series Algorithm Certificates Algorithm sRTP Library RSA SSL CME AES 1745 1747 Triple-DES N/A 1132 SHA-1 1532 1534 HMAC SHA-1 1022 1024 RNG N/A 931 RSA N/A 868 18 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Non-FIPS Approved Algorithms The 7900 Series implement the following non-FIPS-approved cryptographic algorithms: MD5 • MD5 HMAC • RSA (allowed in FIPS mode for key transport) (key wrapping; key establishment methodology provides 80 or 112 bits of • encryption strength) Related Documentation This document deals only with operations and capabilities of the phone in the technical terms of a FIPS 140-2 cryptographic device security policy. More information is available on the phone from the sources listed in this section and from the following source: The NIST Cryptographic Module Validation Program website (http://csrc.nist.gov/cryptval/) contains contact • information for answers to technical or sales-related questions for the 7900 Series phones. Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation at this URL: http://www.cisco.com/techsupport You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml Product Documentation DVD Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation. The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation 19 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available. The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD=) from Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/ Ordering Documentation Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/ Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001. Documentation Feedback You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can send comments about Cisco documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments. Cisco Product Security Overview Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you can perform these tasks: Report security vulnerabilities in Cisco products. • Obtain assistance with security incidents that involve Cisco products. • Register to receive security information from Cisco. • A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt 20 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html Reporting Security Problems in Cisco Products Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT: Emergencies — security-alert@cisco.com • An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies. Nonemergencies — psirt@cisco.com • In an emergency, you can also reach PSIRT by telephone: 1 877 228-7302 • 1 408 525-6532 • We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive Tip information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html The link on this page has the current PGP key ID in use. Obtaining Technical Assistance Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller. Cisco Technical Support & Documentation Website The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL: http://www.cisco.com/techsupport 21 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting Note a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call. Submitting a Service Request Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly. To open a service request by telephone, use one of the following numbers: Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447 For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts Definitions of Service Request Severity To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation. Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels. Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations. 22 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 Obtaining Additional Publications and Information Information about Cisco products, technologies, and network solutions is available from various online and printed sources. Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit • Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced • users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. • Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can • use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine or view the digital edition at this URL: http://ciscoiq.texterity.com/ciscoiq/sample/ Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in • designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL: • http://www.cisco.com/en/US/products/index.html Networking Professionals Connection is an interactive website for networking professionals to share questions, • suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL: http://www.cisco.com/discuss/networking World-class networking training is available from Cisco. You can view current offerings at this URL: • http://www.cisco.com/en/US/learning/index.html Definition List AES—Advanced Encryption Standard CMVP—Cryptographic Module Validation Program CUCM-Cisco Unified Call Manager 23 7 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0 CSP—Critical Security Parameter FIPS—Federal Information Processing Standard HMAC—Hash Message Authentication Code HTTP—Hyper Text Transfer Protocol KAT—Known Answer Test LED—Light Emitting Diode MAC—Message Authentication Code NIST—National Institute of Standards and Technology NVRAM—Non-Volatile Random Access Memory OSCP—Online Certificate Status Protocol RAM—Random Access Memory RNG—Random Number Generator RSA—Rivest Shamir and Adleman method for asymmetric encryption SHA—Secure Hash Algorithm SSL—Secure Sockets Layer Triple-DES—Triple Data Encryption Standard TLS—Transport Layer Security VOIP - Voice over IP Protocol This document is to be used inin conjunction with the documents listed in the“Related Documentation ” section. This document is to be used conjunction with the appropriate documentation that shipped with your router . CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, acket , PIX, Post-Routing, Pre-Routing, P ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, Strat aView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R) Copyright © 2007 Cisco Systems, Inc. All rights reserved. 24 8 FIPS 140-2 Non-Proprietary Security Policy for the Cisco Unified IP Phone 7906G, 7911G, 7931G, 7941G, 7942G, 7945G, 7961G, 7961GE, 7962G, 7965G, 7970G, 7971G, 7971GE, and 7975G v 1.0