Cisco Cisco IOS Software Release 12.4(23)
5. IT Security Requirements
Document Organization
20
Security Target For Cisco IOS IPSec
5.1.3. Enforced proof of origin (FCO_NRO.2)
The TSF shall enforce the generation of evidence of origin for transmitted [IP packets protected by the
information flow control policy] at all times.
information flow control policy] at all times.
FCO_NRO.2.1
The TSF shall be able to relate the [IPSec SA peer] of the originator of the information, and the [digital
signature] of the information to which the evidence applies.
signature] of the information to which the evidence applies.
FCO_NRO.2.2
The TSF shall provide a capability to verify the evidence of origin of information to [the receiving TOE]
given [the successful establishment of an IPSec SA with the transmitting TOE].
given [the successful establishment of an IPSec SA with the transmitting TOE].
FCO_NRO.2.3
5.1.4. Cryptographic key generation (FCS_CKM.1) (1) RSA
The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation
algorithm [RSA] and specified cryptographic key sizes [512, 1024 bits] that meet the following:
[PKCS #1].
algorithm [RSA] and specified cryptographic key sizes [512, 1024 bits] that meet the following:
[PKCS #1].
FCS_CKM.1.1
5.1.5. Cryptographic key generation (FCS_CKM.1) (2) Diffie-Hellman
The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation
algorithm [Diffie-Hellman key agreement] and specified cryptographic key sizes [56 bit, 168 bit] that
meet the following: [PKCS #3].
algorithm [Diffie-Hellman key agreement] and specified cryptographic key sizes [56 bit, 168 bit] that
meet the following: [PKCS #3].
FCS_CKM.1.1
5.1.6 - Cryptographic key destruction (FCS_CKM.4)
The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction
method [overwrite] that meets the following: [no standard].
method [overwrite] that meets the following: [no standard].
FCS_CKM.4.1
5.1.7 - Cryptographic operation (FCS_COP.1(1)) – Encryption
The TSF shall perform [bulk encryption and decryption] in accordance with a specified cryptographic
algorithms [3DES, AES] and cryptographic key sizes [168 bit (3DES) and 128, 192, or 256 bit (AES)]
that meet the following: [FIPS 46-3, FIPS 197].
algorithms [3DES, AES] and cryptographic key sizes [168 bit (3DES) and 128, 192, or 256 bit (AES)]
that meet the following: [FIPS 46-3, FIPS 197].
FCS_COP.1.1
5.1.8 - Cryptographic operation (FCS_COP.1(2)) – Signing
The TSF shall perform [digital signing and signature verification] in accordance with a specified
cryptographic algorithm [SHA-1, MD5] and cryptographic key sizes [160 bit, 128 bit] that meet the
following: [RFC 2404, RFC 2403].
cryptographic algorithm [SHA-1, MD5] and cryptographic key sizes [160 bit, 128 bit] that meet the
following: [RFC 2404, RFC 2403].
FCS_COP.1.1
5.1.9 - Subset information flow control (FDP_IFC.1)
The TSF shall enforce the [information flow control SFP] on [
Subject: instances of the TOE
Information: packet flows
Operations: IP packet forwarding, secure remote management].
FDP_IFC.1.1