Module Name
IOS Common Cryptographic Module (IC2M) Rel5
Historical Reason
SP 800-56Arev3 transition
Caveat
When operated in FIPS mode. No assurance of the minimum strength of generated keys
Security Level Exceptions
- Mitigation of Other Attacks: N/A
- Tested: Cisco ASR1K RP2 with processor Intel Xeon on IOS XE3.13
- Cisco ASR1K RP1 with processor Freescale SC8548H on IOS XE3.13
- Cisco ISR 2951 with processor Freescale 8752E on IOS 15.4
- Cisco ISR 1921 with processor Cavium CN5020 on IOS 15.4
- Cisco ISR 2921 with processor Cavium CN5220 on IOS 15.4
- Cisco ISR 891 with processor MPC8358E on IOS 15.4
- ESR 5940 with processor MPC8572C on IOS 15.4
Embodiment
Multi-chip standalone
Description
The IC2M module provides the FIPS validated cryptographic algorithms for services requiring those algorithms. The module does not implement any protocols directly. Instead, it provides the cryptographic primitives and functions to allow IOS to implement those various protocols.
Tested Configuration(s)
- Cisco ASR1K RP1 with processor Freescale SC8548H on IOS XE3.13
- Cisco ASR1K RP1 with processor Intel Xeon on IOS 16.3.2
- Cisco ASR1K RP2 with processor Intel Xeon on IOS XE3.13
- Cisco Catalyst 3560CX with processor PPC 465 on IOS 15.2(4)E
- Cisco Catalyst 3850 with processor MIPS64 on IOS-XE 16.3.2
- Cisco Catalyst 4000 with SUP8LE with processor PPC e5500 on IOS-XE 3.90E
- Cisco Catalyst 6000 with SUP6T with processor Intel Core i3 on IOS 15.4(1)SY1
- Cisco Catalyst 6840 with processor Intel Pentium on IOS 15.4
- Cisco Catalyst 6k with Sup2T with processor PPC e500 on IOS 15.4(1)SY1
- Cisco IE2000 with processor PPC 405 on IOS 15.2(4)E
- Cisco ISR 1921 with processor Cavium CN5020 on IOS 15.4
- Cisco ISR 2921 with processor Cavium CN5220 on IOS 15.4
- Cisco ISR 2951 with processor Freescale 8752E on IOS 15.4
- Cisco ISR 4321 with processor Intel Atom on IOS 16.3.2
- Cisco ISR 891 with processor MPC8358E on IOS 15.4
- ESR 5940 with processor MPC8572C on IOS 15.4
Approved Algorithms
AES |
Certs. #2783, #2817, #3278 and #4583 |
CVL |
Certs. #252, #253, #1257 and #1258 |
DRBG |
Certs. #481 and #1592 |
ECDSA |
Certs. #493 and #1122 |
HMAC |
Certs. #1764 and #3034 |
KBKDF |
Certs. #49 and #139 |
KTS |
AES Cert. #3278; key establishment methodology provides 128 bits of encryption strength |
KTS |
AES Cert. #4583; key establishment methodology provides 128 or 256 bits of encryption strength |
RSA |
Certs. #1471 and #2500 |
SHS |
Certs. #2338, #2361 and 3760 |
Triple-DES |
Certs. #1670, #1671, #1688 and #2436 |
Other Algorithms
Diffie-Hellman (CVL Certs. #252 and #1257, key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength); EC Diffie-Hellman (CVL Certs. #252 and #1257, key agreement; key establishment methodology provides 128 or 192 bits of encryption strength); NDRNG; RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength)