Cisco Integrated Services Router Security Policy

Cisco 1941, 2901, 2911, 2921, 2951, 3925, 3945 and ISM
Firmware Version: IOS 15.2(4)M5

FIPS 140-2 Non Proprietary Security Policy
Level 2 Validation
Version 0.6
April 2014

© Copyright 2014 Cisco Systems, Inc. This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

Table of Contents

1 Introduction
  1.1 Purpose
  1.2 Module Validation Level
  1.3 References
  1.4 Terminology
  1.5 Document Organization
2 Module Description
  2.1 Module Interfaces
  2.2 Cryptographic Boundary
  2.3 Roles and Services
  2.4 Unauthenticated Services
  2.5 Cryptographic Key/CSP Management
  2.6 Cryptographic Algorithms
  2.7 Self-Tests
  2.8 Physical Security
  2.9 Module Opacity
3 Secure Operation
  3.1 Initial Setup
  3.2 System Initialization and Configuration
  3.3 IPSec Requirements and Cryptographic Algorithms
  3.4 SSLv3.1/TLS Requirements and Cryptographic Algorithms
  3.5 Access
  3.6 Cisco Unified Border Element (CUBE) TLS Configuration

1 Introduction

1.1 Purpose

This is the non-proprietary Cryptographic Module Security Policy for the Cisco 1941, 2901, 2911, 2921, 2951, 3925 and 3945 Integrated Services Routers and ISM (Firmware Version: IOS 15.2(4)M5). This security policy describes how the modules meet the security requirements of FIPS 140-2 Level 2 and how to run the modules in a FIPS 140-2 mode of operation. It may be freely distributed.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2 — Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the NIST website at http://csrc.nist.gov/groups/STM/index.html.

1.2 Module Validation Level

The following table lists the level of validation for each area in the FIPS PUB 140-2.

| No. | Area Title | Level |
| --- | --- | --- |
| 1 | Cryptographic Module Specification | 2 |
| 2 | Cryptographic Module Ports and Interfaces | 2 |
| 3 | Roles, Services, and Authentication | 3 |
| 4 | Finite State Model | 2 |
| 5 | Physical Security | 2 |
| 6 | Operational Environment | N/A |
| 7 | Cryptographic Key management | 2 |
| 8 | Electromagnetic Interference/Electromagnetic Compatibility | 2 |
| 9 | Self-Tests | 2 |
| 10 | Design Assurance | 3 |
| 11 | Mitigation of Other Attacks | N/A |
| | Overall module validation level | 2 |

Table 1: Module Validation Level

1.3 References

This document deals only with the capabilities and operations of the Cisco 1941, 2901, 2911, 2921, 2951, 3925 and 3945 routers and the ISM in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the routers from the following sources:

• For answers to technical or sales related questions please refer to the contacts listed on the Cisco Systems website at www.cisco.com.
• The NIST Validated Modules website (http://csrc.nist.gov/groups/STM/cmvp/validation.html) contains contact information for answers to technical or sales-related questions for the module.

1.4 Terminology

In this document, the Cisco Integrated Services Router models identified above are referred to as Integrated Services Router, ISR or the systems.

1.5 Document Organization

The Security Policy document is part of the FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

• Vendor Evidence document
• Finite State Machine
• Other supporting documentation as additional references

This document provides an overview of the routers and explains their secure configuration and operation. This introduction section is followed by Section 2, which details the general features and functionality of the router. Section 3 specifically addresses the required configuration for the FIPS-mode of operation.

With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Validation Submission Documentation is Cisco-proprietary and is releasable only under appropriate non-disclosure agreements. For access to these documents, please contact Cisco Systems.

2 Module Description

Cisco Integrated Service Routers (ISRs) are multifunctional networking devices delivering fast, reliable data transfers with a high standard in security. These routers offer full network security and other capabilities to fill networking needs for a small to medium size network. The Cisco Integrated Services Router (ISR) provides a scalable, secure, manageable remote access server that meets FIPS 140-2 Level 2 requirements.

The Cisco 1941, 2901, 2911, 2921, 2951, 3925 and 3945 ISRs support the inclusion of the Internal Service Module (ISM), which can be inserted into an ISR Service Ready Engine (SRE) slot. These ISM-VPN-19 (Cisco 1941), ISM-VPN-29 (Cisco 2901, 2911, 2921 and 2951) and ISM-VPN-39 (Cisco 3925 and 3945) ISMs have their own processors (Octeon) and hardware, and run their own code, which is downloaded from the IOS. The ISM has its own implementations of cryptographic services for IPsec and GetVPN acceleration.
The Cisco 2901, 2911, 2921, 2951, 3925 and 3945 ISRs also incorporate the High-Density Packet Voice Digital Signal Processor (DSP), providing high-density voice connectivity, conferencing and transcoding capabilities (note the 1941 does not). Two types are part of this validation, the PVDM2 and PVDM3 (Packet Voice Video Digital Signal Processor Module), which are plugged into the router to provide some variant of the conferencing video services associated with the specific type.

The high-density packet voice PVDM2 DSPs are available in five versions: PVDM2-8, PVDM2-16, PVDM2-32, PVDM2-48, and PVDM2-64. The -8, -16, -32, -48 and -64 indicate the maximum number of packet fax and voice channels.

The high-density packet voice PVDM3 DSP modules are available in six versions: PVDM3-16, PVDM3-32, PVDM3-64, PVDM3-128, PVDM3-192, and PVDM3-256, supporting switched-only video, with the -128 and higher also supporting video conferencing with transcoding and translating. The -16, -32, -64, -128, -192 and -256 indicate the number of participants.

The following subsections describe the physical characteristics of the ISRs, each of which contains a multiple-chip standalone cryptographic module. This module is used to support SSH, TLS (VPN, Mgt), IPSec, GetVPN, SNMPv3 and CUBE/sRTP (only on 2901, 2911, 2921, 2951, 3925 and 3945).

The cryptographic boundary of the module is defined as the device's case along with any opacity shields associated with the system. All of the functionality discussed in this document is provided by components within this cryptographic boundary. The CF card that stores the IOS image is considered an internal memory module, because the IOS image stored in the card may not be modified or upgraded. The card itself must never be removed from the drive. A tamper evident seal will be placed over the card in the drive.

The following table identifies the tested configurations.
| Model | ISM | PVDM | Firmware version |
| --- | --- | --- | --- |
| Cisco 1941 ISR | ISM-VPN-19 | N/A | IOS 15.2(4)M5 |
| Cisco 2901 ISR | ISM-VPN-29 | Any one of the PVDMs listed below | IOS 15.2(4)M5 |
| Cisco 2911 ISR | ISM-VPN-29 | Any one of the PVDMs listed below | IOS 15.2(4)M5 |
| Cisco 2921 ISR | ISM-VPN-29 | Any one of the PVDMs listed below | IOS 15.2(4)M5 |
| Cisco 2951 ISR | ISM-VPN-29 | Any one of the PVDMs listed below | IOS 15.2(4)M5 |
| Cisco 3925 ISR | ISM-VPN-39 | Any one of the PVDMs listed below | IOS 15.2(4)M5 |
| Cisco 3945 ISR | ISM-VPN-39 | Any one of the PVDMs listed below | IOS 15.2(4)M5 |

PVDMs (any one of the following): PVDM2-8, PVDM2-16, PVDM2-32, PVDM2-48, PVDM2-64, PVDM3-16, PVDM3-32, PVDM3-64, PVDM3-128, PVDM3-192, PVDM3-256

Table 2 Module Hardware Configurations

The following pictures are representative of each of the module's hardware models:

Figure 1 - Cisco 1941 ISR
Figure 2 - Cisco 2901 ISR
Figure 3 - Cisco 2911 ISR
Figure 4 - Cisco 2921 ISR
Figure 5 - Cisco 2951 ISR
Figure 6 - Cisco 3925 ISR
Figure 7 - Cisco 3945 ISR

2.1 Module Interfaces

Each of the ISRs is a multiple-chip standalone cryptographic module. The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-2 defined logical interfaces: data input, data output, control input, status output, and power. The module provides no power to external devices and takes in its power through the normal power input/cord. The following tables list all possible logical interface configurations and their associated mapping for all of the various ISR systems detailed in this Security Policy.
| Physical Interfaces | FIPS 140-2 Logical Interfaces |
| --- | --- |
| EHWIC Slots (2), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Input Interface |
| EHWIC Slots (2), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Output Interface |
| EHWIC Slots (2), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Control Input Interface |
| Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), Compact Flash LED (2), WLAN LED, RPS Boost LED, Power LED (2), GigE ports (2), Console Port, Auxiliary Port, USB Console Port | Status Output Interface |
| Power Plug, PoE Port | Power interface |

Table 3: Cisco 1941 ISR Interfaces

| Physical Interfaces | FIPS 140-2 Logical Interfaces |
| --- | --- |
| EHWIC Slots (4), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Input Interface |
| EHWIC Slots (4), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Data Output Interface |
| EHWIC Slots (4), GigE Ports (2), Console Port, USB Console Port, Auxiliary Port | Control Input Interface |
| Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), Compact Flash LED (2), RPS Boost LED, Power LED (2), GigE ports (2), Console Port, Auxiliary Port, USB Console Port | Status Output Interface |
| Power Plug, PoE Port | Power interface |

Table 4: Cisco 2901 ISR Interfaces

| Physical Interfaces | FIPS 140-2 Logical Interfaces |
| --- | --- |
| EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Input Interface |
| EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Output Interface |
| EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Control Input Interface |
| Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), SM LED, Compact Flash LED (2), RPS Boost LED, Power LED (2), GigE ports (3), Console Port, Auxiliary Port, USB Console Port | Status Output Interface |
| Power Plug, PoE Port | Power interface |

Table 5: Cisco 2911 ISR Interfaces

| Physical Interfaces | FIPS 140-2 Logical Interfaces |
| --- | --- |
| EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Input Interface |
| EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Output Interface |
| EHWIC Slots (4), SM Slot (1), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Control Input Interface |
| Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), SM LED, Compact Flash LED (2), RPS Boost LED, Power LED (2), GigE ports (3), Console Port, Auxiliary Port, USB Console Port | Status Output Interface |
| Power Plug, PoE Port | Power interface |

Table 6: Cisco 2921 ISR Interfaces

| Physical Interfaces | FIPS 140-2 Logical Interfaces |
| --- | --- |
| EHWIC Slots (4), GigE Ports (3), SM Slots (2), Console Port, USB Console Port, Auxiliary Port | Data Input Interface |
| EHWIC Slots (4), GigE Ports (3), SM Slots (2), Console Port, USB Console Port, Auxiliary Port | Data Output Interface |
| EHWIC Slots (4), GigE Ports (3), SM Slots (2), Console Port, USB Console Port, Auxiliary Port | Control Input Interface |
| Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), SM LED, Compact Flash LED (2), RPS Boost LED, Power LED (2), GigE ports (3), Console Port, Auxiliary Port, USB Console Port | Status Output Interface |
| Power Plug | Power interface |

Table 7: Cisco 2951 ISR Interfaces

| Physical Interfaces | FIPS 140-2 Logical Interfaces |
| --- | --- |
| EHWIC Slots (4), SM Slots (2), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Input Interface |
| EHWIC Slots (4), SM Slots (2), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Data Output Interface |
| EHWIC Slots (4), SM Slots (2), GigE Ports (3), Console Port, USB Console Port, Auxiliary Port | Control Input Interface |
| Activity LED, System LED, GigE Link LED (1 per GigE port), GigE Speed LED (1 per GigE port), SM LED, Compact Flash LED (2), RPS Boost LED, Power LED (2), GigE ports (3), Console Port, Auxiliary Port, USB Console Port | Status Output Interface |
| Power Plug | Power interface |

Table 8: Cisco 3925/3945 ISR Interfaces

NOTE: Each module includes two Type A USB ports and two compact flash slots. These ports and slots are disabled by covering with TELs while operating in FIPS-mode.
2.2 Cryptographic Boundary

The cryptographic boundary for the Cisco 1941, 2901, 2911, 2921, 2951, 3925, 3945 with ISM installed is defined as the modules' chassis along with the opacity shields.

2.3 Roles and Services

Authentication is identity-based. Each user is authenticated upon initial access to the module. The module also supports RADIUS or TACACS+ for authentication. There are two roles in the router that operators can assume: the Crypto Officer role and the User role. The administrator of the router assumes the Crypto Officer role and associated services in order to configure the router, while the Users exercise only the basic User services. A complete description of all the management and configuration capabilities of the router can be found in the Performing Basic System Management manual or Configuration Guide Manual and in the online help for the routers.

All CO/User passwords must be 8 characters up to 25 characters with a minimum of one letter and one number. If six (6) integers, one (1) special character and one (1) alphabetic character are used without repetition for an eight (8) digit PIN, the probability of randomly guessing the correct sequence is one (1) in 251,596,800. (This calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 integer digits, 52 alphabetic characters, and 32 special characters, providing 94 characters to choose from in total. The calculation should be 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52 = 251,596,800.) Therefore, the associated probability of a successful random attempt is approximately 1 in 251,596,800, which is less than 1 in 1,000,000 required by FIPS 140-2.

When using RSA based authentication, the RSA key pair has a modulus size of 2048 bits, thus providing 112 bits of strength. Therefore, an attacker would have a 1 in 2^112 chance of randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS 140-2.
2.3.1 User Services

Users enter the system by accessing the console port through a terminal program or via IPSec protected telnet or SSH session to a LAN port. The IOS prompts the User for username and password. If the password is correct, the User is allowed entry to the IOS executive program. The services available to the User role consist of the following:

| Services and Access | Description | Keys and CSPs |
| --- | --- | --- |
| Status Functions (r) | View state of interfaces and protocols, version of IOS currently running. | User password |
| Network Functions (r,w) | Connect to other network devices through outgoing telnet, PPP, etc. and initiate diagnostic network services (i.e., ping, mtrace). | User password |
| Terminal Functions (r) | Adjust the terminal session (e.g., lock the terminal, adjust flow control). | User password |
| Directory Services (r) | Display directory of files kept in flash memory. | User password |
| Self-Tests (r) | Execute the FIPS 140 start-up tests on demand | N/A |
| SSL VPN (TLSv1.0) (r, w, d) | Negotiation and encrypted data transport via SSL VPN (TLSv1.0) | User password |
| IPsec VPN (r, w, d) | Negotiation and encrypted data transport via IPSec VPN | User password |
| GetVPN (GDOI) (r, w, d) | Negotiation and encrypted data transport via GetVPN | User password |
| SSH Functions (r, w, d) | Negotiation and encrypted data transport via SSH | User password |
| HTTPS Functions (TLS) (r, w, d) | Negotiation and encrypted data transport via HTTPS | User password |
| SNMPv3 Functions (r, w, d) | Negotiation and encrypted data transport via SNMPv3 | User password |
| CUBE/sRTP Functions (r, w, d) | Negotiation and encrypted data transport via CUBE/sRTP | User password |

Table 9: User Services (r = read, w = write, d = delete)

2.3.2 Crypto Officer Services

During initial configuration of the router, the Crypto Officer password (the “enable” password) is defined.
A Crypto Officer can assign permission to access the Crypto Officer role to additional accounts, thereby creating additional Crypto Officers. The Crypto Officer role is responsible for the configuration of the router. The Crypto Officer services consist of the following:

| Services and Access | Description | Keys and CSPs |
| --- | --- | --- |
| Configure the router (r,w) | Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set system date and time, and load authentication information. | ISAKMP pre-shared keys, IKE Authentication key, IKE Encryption Key, IPSec authentication keys, IPSec traffic keys, User passwords, Enable password, Enable secret |
| Define Rules and Filters (r,w,d) | Create packet Filters that are applied to User data streams on each interface. Each Filter consists of a set of Rules, which define a set of packets to permit or deny based on characteristics such as protocol ID, addresses, ports, TCP connection establishment, or packet direction. | password |
| View Status Functions (r) | View the router configuration, routing tables, active sessions, use gets to view SNMP MIB statistics, health, temperature, memory status, voltage, packet statistics, review accounting logs, and view physical interface status. | password |
| Manage the router (r,w,d) | Log off users, shutdown or reload the router, erase the flash memory, manually back up router configurations, view complete configurations, manage user rights, and restore router configurations. | password |
| SNMPv3 (r) | Non security-related monitoring by the CO using SNMPv3. | SnmpEngineID, SNMP v3 password, SNMP session key |
| Configure Encryption/Bypass (r,w,d) | Set up the configuration tables for IP tunneling. Set preshared keys and algorithms to be used for each IP range or allow plaintext packets to be set from specified IP address. | ISAKMP pre-shared keys, IKE Authentication key, IKE Encryption Key, IPSec authentication keys, IPSec traffic keys, Enable secret |
| SSL VPN (TLSv1.0) (r,w,d) | Configure SSL VPN parameters, provide entry and output of CSPs. | TLS pre-master secret, TLS Traffic Keys |
| SSH v2 (r, w, d) | Configure SSH v2 parameter, provide entry and output of CSPs. | SSH Traffic Keys |
| sRTP/CUBE (r, w, d) | Configure sRTP parameter, provide entry and output of CSPs. | sRTP Traffic Keys |
| IPsec VPN (r, w, d) | Configure IPsec VPN parameters, provide entry and output of CSPs. | skeyid, skeyid_d, IKE session encryption key, IKE session authentication key, ISAKMP pre-shared, IKE authentication private Key, IKE authentication public key, IPSec encryption key, IPSec authentication key |
| GetVPN (GDOI) (r, w, d) | Configure GetVPN parameters, provide entry and output of CSPs. | GDOI key encryption key (KEK), GDOI traffic encryption key (TEK), GDOI TEK integrity key |
| Self-Tests (r) | Execute the FIPS 140 start-up tests on demand | N/A |
| User services (r,w,d) | The Crypto Officer has access to all User services. | Password |
| Zeroization (d) | Zeroize cryptographic keys | All CSPs |

Table 10: Crypto Officer Services (r = read, w = write, d = delete)

2.4 Unauthenticated Services

The services available to unauthenticated users are:

• Viewing the status output from the module's LEDs
• Powering the module on and off using the power switch
• Sending packets in bypass

2.5 Cryptographic Key/CSP Management

The router securely administers both cryptographic keys and other critical security parameters such as passwords. All keys are protected by the Crypto Officer role login password-protection, and these keys can be zeroized by the Crypto Officer. Zeroization consists of overwriting the memory that stored the key.
The router is in the approved mode of operation only when FIPS 140-2 approved algorithms are used (except DH and RSA key transport, which are allowed in the approved mode for key establishment despite being non-approved).

All pre-shared keys are associated with the CO role that created the keys, and the CO role is protected by a password. Therefore, the CO password is associated with all the pre-shared keys. The Crypto Officer needs to be authenticated to store keys. All Diffie-Hellman (DH) keys agreed upon for individual tunnels are directly associated with that specific tunnel only via the Internet Key Exchange (IKE)/Group Domain of Interpretation (GDOI). RSA public keys are entered into the modules using digital certificates which contain relevant data such as the name of the public key's owner, which associates the key with the correct entity. All other keys are associated with the user/role that entered them.

The module supports the following keys and critical security parameters (CSPs).

| Key/CSP Name | Algorithm | Description | Storage Location | Zeroization Method |
| --- | --- | --- | --- | --- |
| DRBG entropy input | SP 800-90 CTR_DRBG (256-bits) | This is the entropy for SP 800-90a RNG. | SDRAM (plaintext) | power cycle the device |
| DRBG seed | SP 800-90 CTR_DRBG (384-bits) | This is the seed for SP 800-90a RNG. | SDRAM (plaintext) | power cycle the device |
| DRBG V | SP 800-90 CTR_DRBG (256-bits) | Internal V value used as part of SP 800-90a CTR_DRBG | SDRAM (plaintext) | power cycle the device |
| DRBG key | SP 800-90 CTR_DRBG (256-bits) | Internal Key value used as part of SP 800-90a CTR_DRBG | SDRAM (plaintext) | power cycle the device |
| Diffie-Hellman private key | DH (224 – 379 bits) | The private key used in Diffie-Hellman (DH) exchange. | SDRAM | Automatically after shared secret generated. |
| Diffie-Hellman public key | DH (2048 – 4096 bits) | The p used in Diffie-Hellman (DH) exchange. | SDRAM | Automatically after shared secret generated. |
| Diffie-Hellman shared secret | DH (2048 – 4096 bits) | The shared key used in Diffie-Hellman (DH) exchange. Created per the Diffie-Hellman protocol. | SDRAM | Zeroized upon deletion. |
| EC Diffie-Hellman private key | ECDH (P-256/P-384) | The private key used in Elliptic Curve Diffie-Hellman (ECDH) exchange. | SDRAM | Automatically after shared secret generated. |
| EC Diffie-Hellman public key | ECDH (P-256/P-384) | The p used in Elliptic Curve Diffie-Hellman (ECDH) exchange. | SDRAM | Automatically after shared secret generated. |
| EC Diffie-Hellman shared secret | ECDH (P-256/P-384) | The shared key used in Elliptic Curve Diffie-Hellman (ECDH) exchange. Created per the Elliptic Curve Diffie-Hellman (ECDH) protocol. | SDRAM | Zeroized upon deletion. |
| skeyid | HMAC-SHA-1 (160-bits) | Value derived from the shared secret within IKE exchange. Zeroized when IKE session is terminated. | SDRAM | Automatically after IKE session terminated. |
| skeyid_d | HMAC-SHA-1 (160-bits) | The IKE key derivation key for non ISAKMP security associations. | SDRAM | Automatically after IKE session terminated. |
| IKE session encryption key | Triple-DES (168-bits)/AES (128/196/256-bits) | The IKE session encrypt key. | SDRAM | Automatically after IKE session terminated. |
| IKE session authentication key | HMAC-SHA-1 (160-bits) | The IKE session authentication key. | SDRAM | Automatically after IKE session terminated. |
| ISAKMP pre-shared | Shared secret (8 – 25 characters) | The key used to generate IKE skeyid during preshared-key authentication. | NVRAM | “# no crypto isakmp key” |
| IKE authentication private Key | RSA (2048/3072 bits); ECDSA (P-256/P-384) | RSA private key for IKE authentication. | NVRAM | “# crypto key zeroize rsa” |
| IKE authentication public key | RSA (2048/3072 bits); ECDSA (P-256/P-384) | RSA public key for IKE authentication. | SDRAM | “# crypto key zeroize rsa” |
| IPSec encryption key | Triple-DES (168-bits)/AES (128/196/256-bits) | The IPSec encryption key. Zeroized when IPSec session is terminated. | SDRAM | “# Clear Crypto IPSec SA” |
| IPSec authentication key | HMAC-SHA-1 (160-bits) | The IPSec authentication key. The zeroization is the same as above. | SDRAM | “# Clear Crypto IPSec SA” |
| sRTP master key | AES (128/196/256 bits) | Key used to generate sRTP session keys | SDRAM | upon end of call or device reset. |
| sRTP encryption key | AES (128/196/256 bits) | Generated via the sRTP protocol. Key used to encrypt/decrypt sRTP packets | SDRAM | upon end of call or device reset. |
| sRTP authentication key | HMAC-SHA-1 (160-bits) | Generated via the sRTP protocol. Key used to authenticate sRTP packets | SDRAM | upon end of call or device reset. |
| SSH RSA private key | RSA (2048/3072 bits) | The SSH v2 private key for the module. | NVRAM | “# crypto key zeroize rsa” |
| SSH RSA public key | RSA (2048/3072 bits) | The SSH v2 public key for the module. | SDRAM | “# crypto key zeroize rsa” |
| SSH session keys | Triple-DES (168-bits)/AES (128/196/256-bits) | This is the SSH v2 session key. It is zeroized when the SSH v2 session is terminated. | SDRAM | Automatically when SSH v2 session terminated |
| TLS server private key | RSA (2048/3072 bit) | Private key used for SSLv3.1/TLS. | NVRAM | “# crypto key zeroize rsa” |
| TLS server public key | RSA (2048/3072 bits) | Public key used for SSLv3.1/TLS. | NVRAM | “# crypto key zeroize rsa” |
| TLS pre-master secret | Shared Secret (384-bits) | Shared Secret created using asymmetric cryptography from which new TLS session keys can be created | SDRAM | Automatically when TLS session is terminated |
| TLS session encryption key | Triple-DES (168-bits)/AES (128/196/256-bits) | Key used to encrypt TLS session data | SDRAM | Automatically when TLS session is terminated |
| TLS session integrity key | HMAC-SHA-1 (160-bits) | HMAC-SHA-1 used for TLS data integrity protection | SDRAM | Automatically when TLS session is terminated |
| GDOI key encryption key (KEK) | AES (128, 192 and 256 bits) | This key is created using the “GROUPKEY-PULL” registration protocol with GDOI. It is used to protect GDOI rekeying data. | SDRAM (plaintext) | Automatically when session terminated. |
| GDOI traffic encryption key (TEK) | Triple-DES (168-bits)/AES (128/196/256-bits) | This key is created using the “GROUPKEY-PULL” registration protocol and updated using the “GROUPKEY-PUSH” registration protocol with GDOI. It is used to encrypt data traffic between Get VPN peers | SDRAM (plaintext) | Automatically when session terminated. |
| GDOI TEK integrity key | HMAC-SHA-1 (160-bits) | This key is created using the “GROUPKEY-PULL” registration protocol and updated using the “GROUPKEY-PUSH” registration protocol with GDOI. It is used to ensure data traffic integrity between Get VPN peers. | SDRAM (plaintext) | Automatically when session terminated. |
| snmpEngineID | Shared Secret (32-bits) | A unique string used to identify the SNMP engine. | NVRAM | Overwrite with new engine ID |
| SNMP v3 password | Shared Secret (8 – 25 characters) | The password used to set up SNMP v3 connection. | NVRAM | Overwrite with new password |
| SNMP session key | AES (128 bits) | Encryption key used to protect SNMP traffic. | SDRAM (plaintext) | Automatically when session terminated. |
| User password | Shared Secret (8 – 25 characters) | The password used to authenticate the User role. | NVRAM | Overwrite with new password |
| Enable secret | Shared Secret (8 – 25 characters) | The password used to authenticate the CO role. | NVRAM | Overwrite with new password |
| RADIUS secret | Shared Secret (8 – 25 characters) | The RADIUS shared secret. This shared secret is zeroized by executing the “no radius-server key” command. | NVRAM | “# no radius-server key” |
| TACACS+ secret | Shared Secret (8 – 25 characters) | The TACACS+ shared secret. This shared secret is zeroized by executing the “no tacacs-server key” command. | NVRAM | “# no tacacs-server key” |

Table 11: Keys/CSPs Table

2.6 Cryptographic Algorithms

The router is in the approved mode of operation only when FIPS 140-2 approved/allowed algorithms are used. The module implements a variety of approved and non-approved algorithms.

2.6.1 Approved Cryptographic Algorithms

The routers support the following FIPS 140-2 approved algorithm implementations:

| Algorithm | IOS Portion on Router | Router HW Accelerator | ISM Hardware | IOS Image Signing |
| --- | --- | --- | --- | --- |
| AES | #2620 | #963, #1115 and #1536 | #2343 | N/A |
| Triple-DES | #1566 | #758 and #812 | #1466 | N/A |
| SHS | #2182 | #934 and #1038 | #2020 | #2208 |
| HMAC | #1606 | #538 and #627 | #1452 | N/A |
| RSA | #1338 | N/A | N/A | #1347 |
| ECDSA | #450 | N/A | N/A | N/A |
| CVL | #231 | N/A | N/A | N/A |
| DRBG | #401 | N/A | N/A | N/A |

Table 12: Algorithm Certificates

Note:
• RSA (Cert. #1338; non-compliant with the functions from the CAVP Historical RSA List).
  o FIPS186-4: 186-4KEY(gen): PGM(ProvPrimeCondition) (1024 SHA( 256 )) ALG[RSASSA-PKCS1_V1_5] SIG(gen) (1024 SHA( 1 , 256 )) (2048 SHA(1)) (3072 SHA(1))

2.6.2 Non-FIPS Approved Algorithms Allowed in FIPS Mode

• Diffie-Hellman (key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
• EC Diffie-Hellman (key establishment methodology provides between 128 and 192 bits of encryption strength)
• RSA (key wrapping; key establishment methodology provides between 112 and 128 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
• GDOI (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength)

2.6.3 Non-FIPS Approved Algorithms

The Integrated Services Routers (ISRs) cryptographic module implements the following non-Approved algorithms:

• MD5
• DES
• HMAC-MD5
• RC4

2.7 Self-Tests

In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to ensure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operations. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure.
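The self-test behaviour described above, as an added example that is not Cisco's code: known-answer tests run at startup, a continuous RNG test runs on every request, and every service is refused once any test has failed. The `Module` class, its method names and the chosen vectors (FIPS 180 "abc" digests, RFC 2202 test case 1) are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Illustrative model (names are assumptions). KATs: FIPS 180 "abc", RFC 2202 case 1.
KATS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-1",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
]

class SelfTestError(Exception):
    """Raised when a service is requested while the module is in the error state."""

class Module:
    def __init__(self, kats=KATS, rng=os.urandom):
        self.failures, self._rng, self._last = [], rng, None
        for name, compute, expected in kats:      # power-on self-tests
            if not hmac.compare_digest(compute(), expected):
                self.failures.append(name)        # kept as status information

    @property
    def error_state(self):
        return bool(self.failures)

    def _require_operational(self):
        if self.error_state:
            raise SelfTestError("self-test failed: " + ", ".join(self.failures))

    def random_block(self, n=16):
        """Conditional test: an RNG block equal to the previous one is a failure."""
        self._require_operational()
        if self._last is None:        # first block only primes the comparison
            self._last = self._rng(n)
        block = self._rng(n)
        if block == self._last:
            self.failures.append("continuous RNG test")
            self._require_operational()
        self._last = block
        return block

    def integrity_tag(self, key, data):
        """A cryptographic service; refused entirely while in the error state."""
        self._require_operational()
        return hmac.new(key, data, hashlib.sha1).digest()
```

Passing a deliberately wrong expected value or a constant `rng` shows the gate: the first failed test latches the error state and every later call raises.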
2.7.1 Power-On Self-Tests (POSTs)

• IOS Algorithm Self-Tests
  o AES (encrypt/decrypt) Known Answer Tests
  o AES GCM Known Answer Test
  o DRBG Known Answer Test
  o ECDSA Sign/Verify
  o HMAC (SHA-1) Known Answer Test
  o RSA Known Answer Test
  o SHS (SHA-1/256/512) Known Answer Tests
  o Triple-DES (encrypt/decrypt) Known Answer Tests
• Hardware Accelerator Self-Tests
  o AES (encrypt/decrypt) Known Answer Tests
  o Triple-DES (encrypt/decrypt) Known Answer Tests
  o HMAC (SHA-1) Known Answer Test
• ISM Self-Tests
  o AES (encrypt/decrypt) Known Answer Tests
  o Triple-DES (encrypt/decrypt) Known Answer Tests
  o HMAC (SHA-1) Known Answer Test
• Firmware Integrity Test
  o RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-512

2.7.2 Conditional Tests

• Conditional Bypass test
• Continuous random number generation test for approved and non-approved RNGs
• Pairwise consistency test for ECDSA
• Pairwise consistency test for RSA

2.8 Physical Security

The router is entirely encased by a metal, opaque case requiring tamper evidence labels and opacity shields. The exact physical make-up differs over models but once the routers have been configured to meet FIPS 140-2 Level 2 requirements, the routers cannot be accessed without signs of tampering. Any attempt to open the router will damage the tamper evidence seals or the material of the module cover. All Critical Security Parameters are stored and protected within each module's tamper evident enclosure. The Crypto Officer is responsible for properly placing all tamper evident labels. The security labels recommended for FIPS 140-2 compliance are provided in the FIPS Kit (CISCO-FIPS-KIT=), Revision -B0. The FIPS kit includes 15 of the seals, as well as a document detailing the number of seals required per platform and placement information.
Please be aware that the extra tamper evident labels/seals shall be securely stored by the Crypto Officer. These security labels are very fragile and cannot be removed without clear signs of damage to the labels.

For models that leverage an opacity shield, the shield must be installed on each side of the router with the vent downward facing. Tamper Evident Labels must then be placed over the opacity shield. This is illustrated in Table 13 below.

Tamper evidence seals can be inspected for signs of tampering, which include the following: curled corners, bubbling, crinkling, rips, tears, and slices. The word “OPEN” will appear if the label was peeled back.

| Model | # labels | Tamper Evident Labels | Opacity Shields |
|---|---|---|---|
| 1941 | 8 | FIPS Kit (CISCO-FIPS-KIT=), Revision -B0 | N/A |
| 2901 | 10 | FIPS Kit (CISCO-FIPS-KIT=), Revision -B0 | FIPS-SHIELD-2901= |
| 2911 | 20 | FIPS Kit (CISCO-FIPS-KIT=), Revision -B0 | FIPS-SHIELD-2911= |
| 2921 | 20 | FIPS Kit (CISCO-FIPS-KIT=), Revision -B0 | FIPS-SHIELD-2921= |
| 2951 | 20 | FIPS Kit (CISCO-FIPS-KIT=), Revision -B0 | FIPS-SHIELD-2951= |
| 3925, 3945 | 20 | FIPS Kit (CISCO-FIPS-KIT=), Revision -B0 | FIPS-SHIELD-3900= |

Table 13: Tamper Evident Labels

2.9 Module Opacity

To install the Tamper Evident Labels, please follow these steps:

1 Clean the cover of any grease, dirt, or oil before applying the tamper evidence labels. Alcohol-based cleaning pads are recommended for this purpose. The temperature of the router should be above 10°C.
2 The tamper evidence label should be placed over the CF card in the slot so that any attempt to remove the card will show signs of tampering.
3 The tamper evidence label should be placed as indicated in the pictures below associated with the actual unit.
4 Place tamper evident labels on the opacity shield when used.
5 The labels completely cure within five minutes.

NOTE: Any unused TELs must be securely stored, accounted for, and maintained by the CO in a protected location.

NOTE: These security labels are very fragile and cannot be removed without clear signs of damage to the labels.

The Crypto-Officer should inspect the seals for evidence of tamper as determined by their deployment policies (every 30 days is recommended). If the seals show evidence of tamper, the Crypto-Officer should assume that the modules have been compromised and contact Cisco accordingly.

The following figures identify the placement of each TEL for each hardware model:

[Figures: ISR 1941 TEL placement; views: Front, Right, Left, Top, Bottom, Back]
Table 14: ISR 1941 TELs

[Figures: ISR 2901 TEL placement; views: Front, Right, Left, Top, Bottom, Back]
Legend: 1-Compact flash slots; 2-Auxiliary port; 3-Console port; 4-Type-B mini USB; 5-GigabitEthernet (GE) ports; 6-Type-A USB ports (disabled via TEL)
Table 15: ISR 2901 TELs

[Figures: ISR 2911 TEL placement; views: Front, Right, Left, Top, Bottom, Back]
Table 16: ISR 2911 TELs

[Figures: ISR 2921/2951 TEL placement; views: Front, Right, Left, Top, Bottom, Back]
Cisco 2921 & 2951 ISRs are physically identical.
Table 17: ISR 2921/2951 TELs

[Figures: ISR 3925, 3945 TEL placement; views: Front, Right, Left, Top, Bottom, Back]
Table 18: ISR 3925 and 3945 TELs

3 Secure Operation

The Cisco 1941, 2901, 2911, 2921, 2951, 3925 and 3945 Integrated Services Routers and ISM meet all the Level 2 requirements for FIPS 140-2. Follow the setting instructions provided below to place the module in FIPS-approved mode. Operating this router without maintaining the following settings will remove the module from the FIPS approved mode of operation.

3.1 Initial Setup

1 The Crypto Officer must install opacity shields as described in Section 2.8 of this document.
2 The Crypto Officer must apply tamper evidence labels as described in Section 2.8 of this document.
3 The Crypto Officer must disable IOS Password Recovery by executing the following commands:
    configure terminal
    no service password-recovery
    end
    show version

NOTE: Once Password Recovery is disabled, administrative access to the module without the password will not be possible.

3.2 System Initialization and Configuration

1 The Crypto Officer must perform the initial configuration. IOS 15.2(4)M5, Advanced Security build (advsecurity) is the only allowable image; no other image should be loaded. Once this image has been installed, no updates to software or firmware are permitted in FIPS mode of operations.
2 The value of the boot field must be 0x0102.
This setting disables break from the console to the ROM monitor and automatically boots the IOS image. From the “configure terminal” command line, the Crypto Officer enters the following syntax:
    config-register 0x0102
3 The Crypto Officer must create the “enable” password for the Crypto Officer role. The password must be at least 8 characters (all digits; all lower and upper case letters; and all special characters except ‘?’ are accepted) and is entered when the Crypto Officer first engages the “enable” command. The Crypto Officer enters the following syntax at the “#” prompt:
    enable secret [PASSWORD]
4 The Crypto Officer must always assign passwords (of at least 8 characters) to users. Identification and authentication on the console port is required for Users. From the “configure terminal” command line, the Crypto Officer enters the following syntax:
    line con 0
    password [PASSWORD]
    login local
5 RADIUS and TACACS+ shared secret key sizes must be at least 8 characters long.

3.3 IPSec Requirements and Cryptographic Algorithms

1 The only type of key management protocol that is allowed in FIPS mode is Internet Key Exchange (IKE), although manual creation of security associations is also permitted.
2 Although the IOS implementation of IKE allows a number of algorithms, only the following algorithms are allowed in a FIPS 140-2 configuration:
  • ah-sha-hmac
  • esp-sha-hmac
  • esp-Triple-DES
  • esp-aes
3 The following algorithms are not FIPS approved and should not be used during FIPS-approved mode:
  • DES
  • MD-5 for signing
  • MD-5 HMAC

3.4 SSLV3.1/TLS Requirements and Cryptographic Algorithms

When negotiating TLS cipher suites, only FIPS approved algorithms must be specified. All other versions of SSL except version 3.1 must not be used in FIPS mode of operation.
The following algorithms are not FIPS approved and should not be used in the FIPS-approved mode:
  • MD5
  • RC4
  • DES

3.5 Access

1 Telnet access to the module is only allowed via a secure IPSec tunnel between the remote system and the module. The Crypto Officer must configure the module so that any remote connections via telnet are secured through IPSec, using FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted.
2 SSH v2 access to the module is only allowed if SSH v2 is configured to use a FIPS-approved algorithm. The Crypto Officer must configure the module so that SSH v2 uses only FIPS-approved algorithms. Note that all users must still authenticate after remote access is granted.
3 SNMP access is only allowed when SNMP v3 is configured with AES encryption.

3.6 Cisco Unified Border Element (CUBE) TLS Configuration

When configuring CUBE TLS connections, the following configuration command option must be executed to limit the TLS session options to FIPS-approved algorithms.
    sip-ua
    crypto signaling [strict-cipher]
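One way to check a router against the settings in Sections 3.1 to 3.6, as an added example that is not part of the Security Policy or of any Cisco tool: a small auditor over saved "show running-config" and "show version" text. The function name, the sample input and the use of the IOS keyword `esp-3des` for the transform the policy calls esp-Triple-DES are assumptions of this example.

```python
import re

# IOS CLI keywords for the transforms listed in 3.3 (esp-3des is Triple-DES).
APPROVED_TRANSFORMS = {"ah-sha-hmac", "esp-sha-hmac", "esp-3des", "esp-aes"}

def audit(running_config, show_version):
    """Return findings by policy section; an empty list means all checks pass."""
    findings = []
    lines = [line.strip() for line in running_config.splitlines()]
    if "no service password-recovery" not in lines:
        findings.append("3.1 password recovery is not disabled")
    # "show version" reports the active register first, any pending value after.
    reg = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    if not reg or int(reg.group(1), 16) != 0x0102:
        findings.append("3.2 configuration register is not 0x0102")
    for line in lines:
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            # A number after a transform (e.g. "esp-aes 256") is a key size.
            bad = [w for w in words[4:]
                   if not w.isdigit() and w not in APPROVED_TRANSFORMS]
            if bad:
                findings.append(f"3.3 transform-set {words[3]}: {' '.join(bad)}")
        elif words[:2] == ["snmp-server", "community"]:
            findings.append("3.5 SNMP community string (not SNMP v3)")
        elif words[:2] == ["snmp-server", "user"] and " priv aes " not in line:
            findings.append(f"3.5 SNMP user {' '.join(words[2:3])} lacks AES privacy")
        elif words[:2] == ["crypto", "signaling"] and "strict-cipher" not in words:
            findings.append("3.6 crypto signaling without strict-cipher")
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
no service password-recovery
crypto ipsec transform-set GOOD esp-aes 256 esp-sha-hmac
crypto ipsec transform-set LEGACY esp-des esp-md5-hmac
snmp-server community public RO
snmp-server user monitor ops v3 auth sha AuthPass123 priv aes 128 PrivPass123
sip-ua
 crypto signaling default trustpoint CUBE-TP
"""
SAMPLE_VERSION = "Configuration register is 0x2102 (will be 0x102 at next reload)"

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_VERSION):
        print(finding)
```

The register check reads the active value, so a change that only takes effect at the next reload is still reported until the router has rebooted.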