Brocade Communications Systems NetIron CER Series Specifications Page 44
- Page / 50
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
Brocade MLXe® and NetIron® Family Devices with Multi-Service IronWare R05.7.00
Security Target Version 1., July 15, 2014
Page 44 of 50
Key or CSP:
Zeroized upon:
Stored in:
Zeroized by:
DRBG Constant C
Every 100ms
RAM
Overwritten with new value
Table 7 Keys and CSPs
The TOE stores all persistent secret and private keys in FLASH and store all ephemeral keys in RAM (as
indicated in the above table). Additionally, the TOE is designed to zeroize secret and private keys when
they are no longer required by the TOE as detailed below. The TOE’s zeroization has been subjected to
FIPS 140 validation. Note that zeroization occurs as follows: 1) when deleted from FLASH, the previous
value is overwritten once with zeroes; 2) when added or changed in FLASH, any old value is overwritten
completely with the new value; and, 3) the zeroization of values in RAM is achieved by overwriting once
with zeroes.
The TOE supports the following different zeroization methods for its secret keys, private keys and CSPs (note that
no public keys appear in this list; they are public and thus need not be zeroizeable). For any given CSP in the table
above, there may be multiple zeroization methods available.
• command: fips zeroize all - The device zeros out the shared secrets use by various networking protocols
including host access passwords, SSH host keys, and HTTPS host keys with the digital signature.
• command: no fips enable or no fips enable common-criteria - Zeroizes shared secrets, SSH and HTTPS
host keys, and the HTTPS certificate based on the configured FIPS policy. Either of these commands will
take the TOE out of its evaluated configuration and zeroize the secrets assuming a default FIPS policy. An
administrator can use the prior command, fips zeroize all, to conclusively zeroize all CSPs, secret, and
private keys, irrespective of the configured FIPS policy.
• The SSH session key is transient. It zeroized at the end of a session and recreated at the beginning of a new
session.
• The TLS pre-master secret is generated during the TLS handshake. It is destroyed after it is used.
• The TLS session key is generated for every HTTPS session. The TLS session key is deleted after the
session is closed.
• The DRBG seed is recomputed periodically on 100 millisecond intervals.
• The DH private exponent is generated at the beginning of DH KEX. A new random number overwrites the
memory location used to store the value each time a new session is initiated.
• For SSH, the RSA private key is stored in a locally generated file on flash during the key generation
process. The file is removed during zeroization. The crypto key zeroize command removes the keys.
• For TLS, the RSA private key is stored in a locally generated file on flash during the key generation
process. The private and public key data is overwritten with space characters during zeroization. The
crypto-ssl zeroize command zeroes out the RSA key pair.
These supporting cryptographic functions are included to support the SSHv2 (compliant with RFCs 4251, 4252,
4253, and 4254) and TLSv1.0 (compliant with RFC 2246)/HTTPS (compliant with RFC 2818) secure
communication protocols.
The TOE supports TLSv1.0 with AES (CBC) 128 or 256 bit ciphers, in conjunction with SHA-1, and RSA. The
following cipher suites are implemented by the TOE: TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, and
TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
The TOE supports SSHv2 with AES (CBC) 128 or 256 bit ciphers, in conjunction with HMAC-SHA-1, and RSA
(with diffie-hellman-group14-sha1 for the key exchange method). While other ciphers and hashes are implemented
in the product, they are disabled while the TOE is operating in Common Criteria or FIPS mode.
The TOE allows users to perform SSHv2 authentication using password based authentication.and allows users to
upload a public key for SSHv2 public key client authentication. The TOE’s SSHv2 implementation limits SSH
packets to a size of 256K bytes. Whenever the timeout period or authentication retry limit is reached, the TOE closes
the applicable TCP connection and releases the SSH session resources. As SSH packets are being received, the TOE
uses a buffer to build all packet information. Once complete, the packet is checked to ensure it can be appropriately
decrypted. However, if it is not complete when the buffer becomes full (256K bytes) the packet will be dropped and
the connection terminated.
- 1.2 TOE Reference 5
- 1.3 TOE Overview 6
- 1.4 TOE Description 6
- 1.4.1 TOE Architecture 7
- 1.4.2 TOE Documentation 10
- 2. Conformance Claims 11
- 3. Security Objectives 12
- 5. Security Requirements 15
- 5.1.1 Security Audit (FAU) 16
- 5.1.7 TOE access (FTA) 31
- 5.2.1 Development (ADV) 34
- 5.2.4 Tests (ATE) 37
- 6.1 Security Audit 41
- 6.2 Cryptographic support 42
- 6.3 User data protection 45
- 6.5 Security management 46
- 6.6 Protection of the TSF 48
- 6.7 TOE access 49
- 6.8 Trusted path/channels 49
Related products and manuals for Network switches Brocade Communications Systems NetIron CER Series
(116 pages)
(64 pages)© 2020, manymanuals.com. All rights reserved. | 1.945 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals