Cisco Systems 5760 Wireless LAN Controller FIPS 140-2 Non Proprietary Security Policy Level 1 Validation Version 1.2 April 10, 2015 © Copyright 2014 Cisco Systems, Inc. 1 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Table of Contents 1 INTRODUCTION .................................................................................................................. 3 1.1 PURPOSE ............................................................................................................................. 3 1.2 MODEL ............................................................................................................................... 3 1.3 MODULE VALIDATION LEVEL ............................................................................................ 3 1.4 REFERENCES ....................................................................................................................... 3 1.5 TERMINOLOGY ................................................................................................................... 4 1.6 DOCUMENT ORGANIZATION ............................................................................................... 4 2 CISCO SYSTEMS 5760 WIRELESS LAN CONTROLLER ............................................ 5 2.1 CRYPTOGRAPHIC MODULE PHYSICAL CHARACTERISTICS .................................................. 5 2.2 MODULE INTERFACES ......................................................................................................... 5 2.3 ROLES, SERVICES AND AUTHENTICATION .......................................................................... 7 2.4 UNAUTHENTICATED SERVICES ......................................................................................... 10 2.5 SERVICES AVAILABLE IN A NON-FIPS MODE OF OPERATION .......................................... 10 2.6 CRYPTOGRAPHIC ALGORITHMS ........................................................................................ 10 2.7 CRYPTOGRAPHIC KEY/CSP MANAGEMENT ...................................................................... 11 2.8 SELF-TESTS ...................................................................................................................... 15 3 SECURE OPERATION ...................................................................................................... 16 3.1 SYSTEM INITIALIZATION AND CONFIGURATION ................................................................ 16 © Copyright 2014 Cisco Systems, Inc. 2 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 1 Introduction 1.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the Cisco Systems 5760 Wireless LAN Controller with firmware version IOS XE 03.06.00aE that form part of the NGWC (Next Generation Wiring Closet) product portfolio, referred to in this document as switch, controller or the module. This security policy describes how the module meets the security requirements of FIPS 140-2 Level 1 and how to run the module in a FIPS 140-2 mode of operation and may be freely distributed. 1.2 Model  Cisco Systems 5760 Wireless LAN Controller FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html. 1.3 Module Validation Level The following table lists the level of validation for each area in the FIPS PUB 140-2. No. Area Title 5760 Level 1 Cryptographic Module Specification 1 2 Cryptographic Module Ports and Interfaces 1 3 Roles, Services, and Authentication 2 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 7 Cryptographic Key management 1 8 Electromagnetic Interface/Electromagnetic Compatibility 1 9 Self-Tests 1 10 Design Assurance 1 11 Mitigation of Other Attacks N/A Overall module validation level 1 Table 1 – Module Validation Level 1.4 References This document deals only with operations and capabilities of the Cisco Systems 5760 Wireless LAN Controller in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources: The Cisco Systems website contains information on the full line of Cisco Systems © Copyright 2014 Cisco Systems, Inc. 3 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Security. Please refer to the following website: http://www.cisco.com/en/US/products/ For answers to technical or sales related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com. The NIST Validated Modules website (http://csrc.nist.gov/groups/STM/cmvp/validation.html) contains contact information for answers to technical or sales-related questions for the module. 1.5 Terminology In this document, the Cisco Systems 5760 Wireless LAN Controller is referred to as switch, controller, the cryptographic module, or the module. 1.6 Document Organization The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains: Vendor Evidence document Finite State Machine Other supporting documentation as additional references This document provides an overview of the Cisco Systems 5760 Wireless LAN Controller and explains the secure configuration and operation of the module. This introduction section is followed by Section 2, which details the general features and functionality of the appliances. Section 3 specifically addresses the required configuration for the FIPS-mode of operation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non- disclosure agreements. For access to these documents, please contact Cisco Systems. © Copyright 2014 Cisco Systems, Inc. 4 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 2 Cisco Systems 5760 Wireless LAN Controller The Next Generation Wiring Closet (NGWC) program is a game changing architecture for converged services at the access layer. Wireless is one of the many services being integrated within the switch. The wireless service ensures that the access layer terminates the data plane, delivering on the promise of Cisco’s unified architecture. Unification implies that services are provided to both wireless and wired stations. The introduction of wireless in the system means that the system must also support an integrated mobility architecture. The Cisco Systems 5760 Wireless LAN Controller is designed for maximum 802.11ac performance and offers scalability for medium to large-scale enterprise and Government wireless deployments. The module supports Control and Provisioning of Wireless Access Points (CAPWAP) and Wi-Fi Protected Access 2 (WPA2) security. CAPWAP uses DTLS to provide a secure link over which CAPWAP control messages are sent and supports data DTLS to provide a secure link for CAPWAP data traffic. DTLS is essentially TLS, but over datagram (UDP) transport. WPA2 is the approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i standard. In addition to the above features, the module also provides functionality that supports the wired- wireless convergence. These features provide the ability to terminate Access Point (AP) tunnels at the access switch port that enables common wired-wireless policies and high capacity for ubiquitous wireless deployments. The module automatically detects, authorizes and configures access points, setting them up to comply with the centralized security policies of the wireless LAN. In a wireless network operating in this mode, WPA2 protects all wireless communications between the wireless client and other trusted networked devices on the wired network with AES-CCMP encryption. CAPWAP protects all control and bridging traffic between trusted network access points and the module with DTLS encryption. Optional CAPWAP data DTLS is also supported by the module. The module supports RADIUS, TACACS+, IKE/IPSec, TLS, DTLS, SESA (Symmetric Early Stacking Authentication), SNMPv3, 802.11i, and SSHv2. 2.1 Cryptographic Module Physical Characteristics The module is a multiple-chip standalone cryptographic module. The cryptographic boundary is defined as encompassing the “top,” “front,” “left,” “right,” and “bottom” surfaces of the chassis for the switch and the casing for the controller. 2.2 Module Interfaces The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-2 defined logical © Copyright 2014 Cisco Systems, Inc. 5 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. interfaces: data input, data output, control input, status output, and power. The logical interfaces and their mapping are described in the following table. Physical Interface FIPS 140-2 Logical Interface SFP/SFP+ ports Data Input Interface Stack Interfaces Management port Console port USB port SFP/SFP+ ports Data Output Interface Stack Interfaces Management port Console port USB port SFP/SFP+ ports Control Input Stack Interfaces Management port Interface Console port Reset switch SFP/SFP+ ports Status Output Stack Interfaces Management port Interface Console port USB port LEDs Power/RPS (Redundancy Power Supply) Power Interface AC Power Table 2 – 5760 Wireless LAN Controller Physical Interface/Logical Interface Mapping © Copyright 2014 Cisco Systems, Inc. 6 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Figure 1 -5760 Wireless LAN Controller Front Panel, Rear Panel diagrams 2.3 Roles, Services and Authentication The module supports these four roles:  AP Role—This role is filled by an access point associated with the controller.  Client Role—This role is filled by a wireless client associated with the controller.  User Role—This role performs general security services including cryptographic operations and other approved security functions. The product documentation refers to this role as a management user with read-only privileges.  Crypto Officer (CO) Role—This role performs the cryptographic initialization and management operations. In particular, it performs the loading of optional certificates and key-pairs and the zeroization of the module. The product documentation refers to this role as a management user with read-write privileges. Authentication is role-based. Each role is authenticated upon initial access to the module. The module also supports RADIUS or TACACS+ for authentication. All passwords must be 8 characters up to 25 characters with a minimum of one letter and one number. If six (6) integers, one (1) special character and one (1) alphabet are used without repetition for an eight (8) digit PIN, the probability of randomly guessing the correct sequence is one (1) in 251,596,800 (this calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. The calculation should be 10 x9 x 8 x 7 x 6 x 5 x 32 x 52 = 251, 596, 800 ). Therefore, the associated probability of a successful random attempt is approximately 1 in 251,596,800, which is less than 1 in 1,000,000 required by FIPS 140-2. © Copyright 2014 Cisco Systems, Inc. 7 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. When using RSA based authentication, RSA key pair has modulus size of 2048 bit, thus providing 112 bits of strength. Therefore, an attacker would have a 1 in 2^112 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2. This Module does not support a Maintenance Role User Services The services available to the User role consist of the following: Services Description CSPs and Access - read (r)/write (w)/delete (d) System Status The LEDs show the network activity and N/A overall operational status and the command line status commands output system status. User & CO authentication to the module using TACACS+ User Password – r TACACS+. TACACS+ secret – r Secure communications between controller and IPSec skeyid, skeyid_d, IKE session RADIUS encryption key, IKE session authentication key, ISAKMP preshared, skeyid, skeyid_d, IPSec session encryption key, IPSec session authentication key - r Establishment and subsequent receive 802.11i RADIUS Key Wrap RADIUS secret, RADIUS Key wrap PMK from the RADIUS server. key – r Table 3 - User Services Crypto Officer Services The Crypto Officer services consist of the following: Services & Access Description Keys & CSPs Self-Test and Initialization Cryptographic algorithm tests, firmware N/A integrity tests, module initialization. System Status The LEDs show the network activity and N/A overall operational status and the command line status commands output system status. TACACS+ User & CO authentication to the module User Password – r, w, d using TACACS+. TACACS+ secret – r, w, d IPSec Secure communications between controller skeyid, skeyid_d, IKE session and RADIUS. encryption key, IKE session authentication key, ISAKMP preshared, skeyid, skeyid_d, IPSec session encryption key, IPSec session authentication key – r, w, d Key Management Key and parameter entry, output, and DH public key, DH private key, Zeroization SSH RSA public key, SSH RSA private key – r, w, d TLS Establishment and subsequent data transfer of TLS Server RSA public key, TLS © Copyright 2014 Cisco Systems, Inc. 8 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. a TLS session for use between the module Server RSA private key, TLS pre- and the CO. master secret, TLS session key – r, w, d Protection of syslog messages. DTLS Data Encrypt Enabling optional DTLS data path encryption DTLS Master Secret, CAPWAP for Office Extended APs. session keys, DTLS Session Integrity Keys – r, w, d RADIUS Key Wrap Establishment and subsequent receipt of RADIUS secret, RADIUS Key 802.11i PMK from the RADIUS server. wrap key – r, w, d SSH Establishment and subsequent data transfer of Diffie-Hellman (DH) public key, a SSH session for use between the module DH private key, SSH RSA public and the CO. key, SSH RSA private key – r DH Shared Secret, , SSH session key, SSH session authentication key – r, w, d SNMPv3 Non-security related monitoring by the CO snmpEngineID, SNMPv3 using SNMPv3 Password, SNMP session key – r, w, d SESA (Symmetric Early Setting secure stacking. SESA Authorization Key, SESA Stacking Authentication) Master Session Key, SESA Derived Session Keys – r, w, d Module Configuration Selection of non-cryptographic configuration N/A settings. Zeroization Zeroize cryptographic keys All keys & CSPs will be destroyed Table 4 - Crypto Officer Services AP and Client Services The AP and the client services are listed in tables 5 and 6, respectively. Both the roles make use us 802.11i standard. Services Description CSPs and Access – read (r) / write (w) / delete (d) Management Frame Protection (MFP)  MFP Generation and subsequent distribution of MFP key – r key to the AP over a CAPWAP session. 802.11i Establishment and subsequent data transfer of an 802.11i Pairwise Transient Key, 802.11i session for use between the client and 802.11i Pairwise Master Key, 802.11i the access point Temporal Key, 802.11i Group Master Key, 802.11i Group Temporal Key – r, w RADIUS Key Wrap Establishment and subsequent receipt of 802.11i RADIUS secret, RADIUS Key wrap PMK from the RADIUS server. key – r Table 5 - AP Services Services Description CSPs and Access – read (r) / write (w) / delete (d) Establishment of EAP-TLS or EAP-FAST based 802.11i Pairwise Transient Key, EAP Authenticator authentication between the client and the 802.11i Pairwise Master Key, 802.11i Controller. Temporal Key, 802.11i Group Master © Copyright 2014 Cisco Systems, Inc. 9 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Key, 802.11i Group Temporal Key – r, w Establishment and subsequent receipt of 802.11i RADIUS secret, RADIUS Key wrap RADIUS Key Wrap PMK from the RADIUS server. key – r Table 6 – Client Services 2.4 Unauthenticated Services An unauthenticated operator may observe the System Status by viewing the LEDs on the module, which show network activity and overall operational status. A solid green LED indicates normal operation and the successful completion of self-tests. The module does not support a bypass capability in the approved mode of operations. 2.5 Services Available in a Non-FIPS Mode of Operation  SSL 3.0  IPSec/IKE with Diffie-Hellman 768-bit/1024-bit modulus 2.6 Cryptographic Algorithms The module implements a variety of approved and non-approved algorithms. Approved Cryptographic Algorithms The controller supports the following FIPS-2 approved algorithm implementations: IOS Common  CiscoSSL FIPS Object Module  Doppler ASIC  IOS XE  Algorithms Cryptographic  (Assembler)  Module (IC2M) AES 2817 2685 2879 N/A CVL 253 N/A N/A N/A DRBG 481 435 N/A N/A HMAC 1764 1672 1815 N/A KBKDF N/A N/A N/A 28 RSA 1471 N/A N/A N/A SHS 2361 2256 2420 N/A Triple-DES 1688 N/A N/A N/A Table 7 - Algorithm Certificates Non-FIPS Approved Algorithms Allowed in FIPS Mode  Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)  RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength; non-compliant less than 112 bits of encryption strength) © Copyright 2014 Cisco Systems, Inc. 10 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.  AES (Cert. #2817, key wrapping; key establishment methodology provides 128 bits of encryption strength)  NDRNG Non-FIPS Approved Algorithms The cryptographic module implements the following non-Approved algorithms:  MD5  HMAC-MD5  RC4 2.7 Cryptographic Key/CSP Management The module securely administers both cryptographic keys and other critical security parameters such as passwords. All keys are also protected by the password-protection on the CO role login, and can be zeroized by the CO. Keys are exchanged and entered electronically. Persistent keys are entered by the CO via the console port CLI, transient keys are generated or established and stored in DRAM. Note that the command ‘fips zeroize’ will zeroize all Keys/CSPs stored in DRAM. This command essentially results in a device reboot and therefore forces a Power cycle, zeroizing all the CSPs/Keys listed below with “Power cycle” in the Zeroization Method column. Table 8 lists the secret and private cryptographic keys and CSPs used by the module. ID Algorithm Size Description Storage Zeroization Method General Keys/CSPs  DRBG V  800‐90  128‐bits   The DRBG V is one of the critical  DRAM (plaintext)  ‘fips zeroize’  CTR_DRBG  values of the internal state upon  command or Power  which the security of this DRBG  cycle  mechanism depends. Generated  first during DRBG instantiation and  then subsequently updated using  the DRBG update function.     DRBG key  SP 800‐90  256‐bits   This is the 256‐bit DRBG key used  DRAM (plaintext)  ‘fips zeroize’  CTR_DRBG   for SP 800‐90 CTR_DRBG  command or Power  cycle  DRBG  SP 800‐90  256‐bits  HW based entropy source output  DRAM (plaintext)  ‘fips zeroize’  entropy  CTR_DRBG  used to construct seed  command or Power  input  cycle  © Copyright 2014 Cisco Systems, Inc. 11 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. DRBG seed  SP 800‐90  384‐bits  The seed material used to  DRAM (plaintext)  ‘fips zeroize’  CTR_DRBG  determine a seed for instantiation  command or Power  consists of entropy input, a nonce  cycle  and an optional personalization  string. Entropy input is always be  used in the construction of a seed.  User  Password  Variable (8+  Used to authenticate local users  NVRAM (plaintext)  Zeroized by  password  characters)  overwriting with new  password  Enable  Password  Variable (8+  Used to authenticate local users at a  NVRAM (plaintext)  Zeroized by  secret  characters)  higher privilege level  overwriting with new  password  RADIUS  Shared  Variable (8+  The RADIUS Shared Secret  NVRAM (plaintext)  ‘# no radius‐server  secret  Secret  characters)  key’  RADIUS key  AES  128 bits  Used to protect SAK  NVRAM (plaintext)  Zeroized by  wrap key  overwriting with new  key  TACACS+  Shared  Variable (8+  The TACACS+ shared secret  NVRAM (plaintext)  ‘# no tacacs‐server  secret  Secret  characters)  key’  Diffie‐ DH  2048‐4096 bits  The public exponent used in Diffie‐ DRAM (plaintext)  ‘fips zeroize’  Hellman  Hellman (DH) exchange.  command or Power  public key  cycle  Diffie‐  DH  224‐379 bits  The private exponent used in Diffie‐ DRAM (plaintext)  ‘fips zeroize’  Hellman  Hellman (DH) exchange.   command or Power  private key  cycle  Diffie‐  DH  2048‐4096 bits  This is the shared secret agreed  DRAM (plaintext)  ‘fips zeroize’  Hellman  upon as part of DH exchange  command or Power  shared  cycle  secret  SSH   SSH RSA  RSA  2048‐3072   SSH public key used in SSH session  DRAM (plaintext)  ‘fips zeroize’  public key  bits modulus  establishment  command or Power  cycle  SSH RSA  RSA  2048‐3072   SSH private key used in SSH session  NVRAM (plaintext)  ‘# crypto key zeroize  private key  bits modulus  establishment  rsa’  SSH session  Triple‐ 168‐bits/256‐ This is the SSH session symmetric  DRAM (plaintext)  ‘fips zeroize’  key  DES/AES  bits  key.   command or Power    cycle  TLS  TLS server  RSA  2048‐3072 bits  RSA public key used in TLS  DRAM (plaintext)  ‘fips zeroize’  RSA public  modulus  negotiations.  command or Power  key  cycle  © Copyright 2014 Cisco Systems, Inc. 12 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. TLS server  RSA  2048‐3072 bits  Identity certificates for module itself  NVRAM (plaintext)  ‘# crypto key zeroize  RSA private  modulus  and also used in TLS negotiations.  rsa’  key  TLS pre‐ Shared  384‐bits  Shared secret created using  DRAM (plaintext)  ‘fips zeroize’  master  Secret  asymmetric cryptography from  command or Power  secret   which new HTTPS session keys can  cycle  be created.  TLS session  Triple‐ 168‐bits/256‐ This is the TLS session key  DRAM (plaintext)  ‘fips zeroize’  key  DES/AES  bits  command or Power    cycle  SESA  SESA  AES  128 bits  Used to authorize members of a  NVRAM (plaintext)  ‘no fips authorization‐ authorizatio single stack on Incredible Units.   key’  n key  Used as input to SP800‐108  derivation methods to derive four  additional 128 fields to transfer the  Master Session Key and additional  aggressive exchange material   SESA master  AES  128 bits  Used to derive SESA session key  DRAM (plaintext)  ‘fips zeroize’  session Key  command or Power  cycle  SESA  AES   128 bits and  Used to protect traffic over stacking  DRAM (plaintext)  ‘fips zeroize’  derived  192 bits  ports  command or Power  session key  cycle  DTLS  DTLS master  DTLS  384‐bits  Generated by approved DRBG for  DRAM (plaintext)  ‘fips zeroize’  secret  generating the DTLS encryption key  command or Power  cycle  DTLS session  AES‐CBC  128‐256 bits  Session Keys used to e/d CAPWAP  DRAM (plaintext)  ‘fips zeroize’  encryption/ control messages  command or Power  decryption  cycle  key  (CAPWAP  session key)  DTLS session  HMAC‐SHA1  160 bits  Session keys used for integrity  DRAM (plaintext)  ‘fips zeroize’  integrity key  checks on CAPWAP control  command or Power  messages  cycle  SNMPv3  snmpEngine Shared  32‐bits  Unique string to identify the SNMP  NVRAM (plaintext)  ‘# no snmp‐server  ID  secret  engine  engineID local  engineid‐string’,   overwriitten  with new  engine ID  SNMPv3  shared  256 bits  This secret is used to derive HMAC‐ DRAM (plaintext)  ‘fips zeroize’  password  secret  SHA1 key for SNMPv3  command or Power  Authentication  cycle  © Copyright 2014 Cisco Systems, Inc. 13 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. SNMP  AES  128‐bit  Encrypts SNMP traffic  DRAM (plaintext)  ‘fips zeroize’  session key  command or Power  cycle  802.11i  802.11i Pre‐ Shared  Variable (8+  The PSK is used to derive the PMK  NVRAM  Zeroized by  shared  secret  characters)  for 802.11i  (plaintext)  overwriting with new  Key (PSK)  communications  key  802.11i  HMAC SHA‐ 512‐bits  The PMK is a secret shared between  DRAM (plaintext)   fips zeroize’ command  Pairwise  1  an 802.11 supplicant and  or  Master Key  authenticator, and is used to  (PMK)  establish the other 802.11i keys.  802.11i  AES‐CCM  256‐bits  The PTK, also known as the CCMP  DRAM (plaintext)  ‘fips zeroize’  Pairwise  key, is the 802.11i session key for  command or Power  Transient  unicast communications.  cycle  Key (PTK)  802.11i  AES‐CCM  128‐bits  Encrypt/decrypt unicast traffic  DRAM (plaintext)  ‘fips zeroize’  Temporal  command or Power  Key (TK)  cycle  802.11i  HMAC SHA‐ 256 bits  The secret shared between an  DRAM (plaintext)   ‘fips zeroize’  Group  1  802.11 supplicant and authenticator  command or Power  Master Key  for broadcast or multicast  cycle  (GTK)   communications.  802.11i  AES‐CCM  128‐bits  802.11i session key for broadcast or  DRAM (plaintext)  ‘fips zeroize’  Group  multicast traffic  command or Power  Temporal  cycle  Key (GTK)  IPSec  skeyid  Shared  160 bits  Used for key agreement in IKE. This  DRAM (plaintext)  ‘fips zeroize’  Secret  key was derived in the module  command or Power  cycle  skeyid_d  Shared  160 bits  Used for key agreement in IKE  DRAM (plaintext)  ‘fips zeroize’  Secret  command or Power  cycle  IKE session  TRIPLE‐ 168‐bit  Derived in the module used for IKE  DRAM (plaintext)  ‘fips zeroize’  encryption  DES/AES  TRIPLE‐DES or  payload integrity verification  command or Power  key  a 256‐bit AES  cycle  IKE session  HMAC‐SHA1  160 bits  HMAC‐SHA1 key  DRAM (plaintext)  ‘fips zeroize’  authenticati command or Power  on key cycle  ISAKMP  pre‐shared  Variable (8+  This key was configured by CO and  NVRAM (plaintext)  ‘fips zeroize’  preshared key  characters)  used for User role authentication  command or Power  using IKE Pre‐shared key based  cycle  authentication mechanism  IPSec  TRIPLE‐ 168‐bit  Derived in the module used for IKE  DRAM (plaintext)  ‘fips zeroize’  session  DES/AES  TRIPLE‐DES or  payload integrity verification  command or Power  encryption  a 256‐bit AES  cycle  key © Copyright 2014 Cisco Systems, Inc. 14 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. IPSec  HMAC‐SHA1  160 bits  HMAC‐SHA1 key  DRAM (plaintext)  ‘fips zeroize’  session  command or Power  authenticati cycle  on key Table 8 - Cryptographic Keys and CSPs 2.8 Self-Tests The module includes an array of self-tests that are run during startup and periodically during operations to prevent any secure data from being released and to insure all components are functioning correctly. 2.7.1 Power-On Self-Tests (POSTs)  IC2M Algorithm Implementation Known Answer Tests: o AES (encrypt/decrypt) KATs o AES-GCM KAT o DRBG KAT o Firmware Integrity Test (RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-256) o HMAC (SHA-1/256) KATs o RSA (sign/verify) KATs o Triple-DES (encrypt/decrypt) KATs  CiscoSSL FIPS Object Module Algorithm Implementation Known Answer Tests: o AES (encrypt/decrypt) KATs o DRBG KAT o HMAC (SHA-1/256) KATs  Doppler ASIC Hardware Algorithm Implementation Known Answer Tests: o AES (encrypt/decrypt) KATs o HMAC-SHA1 KAT 2.7.2 Conditional Tests  Conditional Bypass test  Conditional Random Number Generation test for approved RNGs  Conditional Random Number Generation test for non-approved RNG  Pairwise consistency test for RSA © Copyright 2014 Cisco Systems, Inc. 15 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. The devices perform all power-on self-tests automatically at boot. All power-on self-tests must be passed before each role can starts to perform services. The power-on self-tests are performed after the cryptographic systems are initialized but prior to the initialization of the LAN’s interfaces; this prevents the AP’s from passing any data during a power-on self-test failure. 3 Secure Operation The switch meets all the overall Level 1 requirements for FIPS 140-2. Follow the setup instructions provided below to place the module in FIPS-approved mode. Operating this Switch without maintaining the following settings will remove the module from the FIPS approved mode of operation. 3.1 System Initialization and Configuration 1. The value of the boot field must be 0x0102. This setting disables break from the console to the ROM monitor and automatically boots. From the “configure terminal” command line, the CO enters the following syntax: config-register 0x0F 2. The CO must create the “enable” password for the CO role. Procedurally, the password must be at least 8 characters, including at least one letter and at least one number, and is entered when the CO first engages the “enable” command. The CO enters the following syntax at the “#” prompt: Switch(config)# enable secret [PASSWORD] 3. The CO must always assign passwords (of at least 8 characters, including at least one letter and at least one number) to users. Identification and authentication on the console/auxiliary port is required for Users. From the “configure terminal” command line, the CO enters the following syntax: Switch(config)# line con 0 Switch(config)# password [PASSWORD] Switch(config)# login local 4. To ensure all FIPS 140-2 logging is received, set the log level: Switch(config)# logging console error 5. The CO enables secure stacking (SESA) but configuring the Authorization key: Switch(config)# fips authorization-key <128 bit, i.e, 16 hex byte key> 6. The CO may configure the module to use RADIUS or TACACS+ for authentication. If the module is configured to use RADIUS, the Crypto Officer must define RADIUS or shared secret keys that are at least 8 characters long, including at least one letter and at least one number. © Copyright 2014 Cisco Systems, Inc. 16 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. 7. The CO shall only assign users to a privilege level 1 (the default). 8. The CO shall not assign a command to any privilege level other than its default. © Copyright 2014 Cisco Systems, Inc. 17 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.