HP A-Series Specifications, page 46

Security Target Version 1.02, 08/16/2013
46
| Identifier | Name | Generation/Algorithm | Purpose | Storage Location | Zeroization Summary |
|---|---|---|---|---|---|
| CSP13 | IKE Encryption Key | Generated using IKE (X9.31+HMAC-SHA1+DH). Algorithms: 3DES, AES, SHA-1 | Used to encrypt IKE negotiations | RAM (plain text) | Keys in RAM will be zeroized upon resetting or rebooting the security appliance. |
| CSP14 | RADIUS/TACACS+ shared secret Keys | Shared Secret | Used for authenticating the RADIUS server to the security appliance and vice versa. Entered by the Security administrator in plain text form and stored in cipher text form. | FLASH (cipher text) and RAM (plain text) | Keys exist in a FLASH start-up configuration file and are replaced when that file is edited by an authorized administrator. Alternately, the keys will be overwritten once with zeroes when a clear FLASH command is issued. Keys in RAM will be zeroized upon resetting or rebooting the security appliance. |
| CSP15 | Usernames/Passwords/super password | Secret | Critical security parameters used to authenticate the administrator login or privilege promoting. | FLASH (cipher text) and RAM (plain text) | Passwords exist in a FLASH start-up configuration file and are replaced when that file is edited by an authorized administrator. Passwords in RAM will be zeroized upon resetting or rebooting the security appliance. |
| CSP16 | Certificates of Certificate Authorities (CAs) | ANSI X9.31 | Necessary to verify certificates issued by the CA. Install the CA's certificate prior to installing subordinate certificates. | FLASH (plain text) and RAM (plain text) | CA certificates are removed when FLASH is cleared, when the PKI domain is removed from the FLASH configuration file, or when the ‘pki delete certificate’ CLI command is used. CA certificates in RAM will be zeroized upon resetting or rebooting the security appliance. |
| CSP17 | PRNG Seed Key | Entropy | Seed key for X9.31 PRNG | RAM (plain text) | Seed keys are zeroized and overwritten with the generation of new seed |
Table 9 Key/CSP Zeroization Summary
These supporting cryptographic functions are included to support the SSHv2 (RFCs 4251, 4252, 4253, and 4254)
secure communication protocol.
The TOE supports SSHv2 with AES (CBC) 128 or 256 bit ciphers, in conjunction with HMAC-SHA-1 or HMAC-
SHA-1-96, and RSA (with diffie-hellman-group14-sha1 for the key exchange method). While DES and 3DES
(CBC), HMAC-MD5 and HMAC-MD5-96, as well as diffie-hellman-group-1 and diffie-hellman-exchange are all
implemented, they are disabled while the TOE is operating in FIPS mode.
SSHv2 connections are rekeyed prior to reaching 2^28 packets; the authentication timeout period is 90 seconds,
allowing clients to retry only 3 times; both public-key and password based authentication can be configured; and
packets are limited to 256K bytes. The TOE manages a packet counter for each SSH session so it can initiate a new
key exchange when the 2^28 packet limit is reached. Whenever the timeout period or authentication retry limit is
reached, the TOE closes the applicable TCP connection and releases the SSH session resources. As SSH packets are
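The FIPS-mode algorithm restrictions and per-session limits described above, modelled as an added example (not code from the Security Target or the HP product): `negotiate` applies the RFC 4253 §7.1 rule (first algorithm in the client's list that the server also supports) while refusing the algorithms the TOE disables in FIPS mode, and `SshSession` tracks the packet counter, the 256K byte packet limit, the 90-second authentication timeout and the 3-attempt retry limit. The class name, the clock injection and the interpretation "three failed attempts close the connection" are assumptions of this example.

```python
import time

# Algorithms the TOE offers in FIPS mode (taken from the text above).
FIPS_CIPHERS = ["aes128-cbc", "aes256-cbc"]
FIPS_MACS = ["hmac-sha1", "hmac-sha1-96"]
FIPS_KEX = ["diffie-hellman-group14-sha1"]
# Implemented but disabled in FIPS mode: never accepted even if a client offers them.
NON_FIPS = {"des-cbc", "3des-cbc", "hmac-md5", "hmac-md5-96",
            "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

REKEY_PACKETS = 2 ** 28   # per-session packet counter limit that triggers a new key exchange
MAX_PACKET = 256 * 1024   # 256K byte packet limit
AUTH_TIMEOUT = 90.0       # seconds allowed to complete authentication
AUTH_RETRIES = 3          # failed attempts before the TCP connection is closed (assumption)


def negotiate(client_list, server_list):
    """RFC 4253 s7.1: pick the client's first preference the server supports, skipping non-FIPS algorithms."""
    for alg in client_list:
        if alg in server_list and alg not in NON_FIPS:
            return alg
    return None  # no common algorithm: the connection must be dropped


class SshSession:
    """Constructed model of one SSH session's counters; `now` is injectable for testing."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.opened = now()
        self.packets = 0
        self.auth_failures = 0
        self.authenticated = False
        self.closed = False

    def on_packet(self, length):
        """'drop' for an oversized packet, 'rekey' when the counter reaches the limit, else 'ok'."""
        if length > MAX_PACKET:
            self.closed = True
            return "drop"
        self.packets += 1
        if self.packets >= REKEY_PACKETS:
            self.packets = 0      # counter restarts with the new keys
            return "rekey"
        return "ok"

    def on_auth_attempt(self, success):
        """Enforce the authentication timeout and retry limit; closes the session when either is hit."""
        if self.now() - self.opened > AUTH_TIMEOUT:
            self.closed = True
            return "timeout"
        if success:
            self.authenticated = True
            return "authenticated"
        self.auth_failures += 1
        if self.auth_failures >= AUTH_RETRIES:
            self.closed = True
            return "closed"
        return "retry"
```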