Polycom VSX 3000 User Manual
Page 18
Non-Proprietary Security Policy, Version 1.0
June 15, 2007
Polycom VSX 3000, VSX 5000, and VSX 7000s
Page 18 of 23
© 2007 Polycom, Inc. -
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
Key
Key Type
Generation /
Input
Output
Storage
Zeroization
Use
x.509 certificate
(RSA Public
key)
1024 bits RSA
public key
Generated
externally, input
in plaintext
Output in
plaintext
Stored in Flash
in plaintext
Erasing the flash
image
Authenticates the
module during
TLS handshake
RSA Private key 1024 bits RSA
private key
Generated
externally, input
in plaintext
Never exits the
module
Stored in Flash
in plaintext
Erasing the flash
image
Authenticates the
module during
TLS handshake
Diffie-Hellman
public key
1024 bits
public key
Generated
internally
Output in
plaintext
Stored in
volatile
memory
Zerorized on
reboot.
Establishes a
session key (IP or
ISDN Encryption
Key) during
H.323 negotiation
Diffie-Hellman
private key
1024 bits
private key
Generated
internally
Never exits the
module
Stored in
volatile
memory
Zerorized on
reboot.
Establishes a
session key (IP or
ISDN Encryption
Key) during
H.323 negotiation
Integrity Check
Key
1024 bits DSA
Public key
Generated
externally,
inputted in
plaintext
Never exits the
module
Stored in Flash
in plaintext
Erasing the flash
image
Checks integrity
of the software at
power-up of the
module
Session Key
192 bits TDES
CBC key
Generated
internally during
TLS handshake
Exits in
encrypted form
(RSA key
transport)
Held in volatile
memory in
plaintext.
Zerorized on
reboot.
Encrypts TLS
traffic
IP Encryption
Key
128 bits AES
CBC key
Generated
internally during
Diffie-Hellman
key agreement
Never exits the
module
Held in volatile
memory in
plaintext.
Zerorized on
reboot.
Encrypts IP calls
ISDN
Encryption Key
128, 192, 256
bits AES OFB
keys
Generated
internally during
Diffie-Hellman
key agreement
Never exits the
module
Held in volatile
memory in
plaintext.
Zerorized on
reboot.
Encrypts ISDN
calls
PRNG seed
20 bytes of
seed value
Internally
generated
Never exits the
module
Held in volatile
memory only in
plaintext.
Zerorized on
reboot
Produce FIPS
approved random
number
1.7.1
Key Generation
The modules generate symmetric keys and FIPS-approved PRNG seeds internally. The symmetric keys (Session
Key, IP Encryption Key, and ISDN Encryption Key) and Diffie-Hellman key pair are generated using a FIPS-
approved 186-2 Appendix 3.1 algorithm. Twenty bytes of hardware generated noise is used to create a PRNG seed,
and RSA key pair is generated externally and input into the module in plaintext.
1.7.2
Key Input/Output
Rivest, Shamir, Adleman (RSA) key pair is generated externally and input to the modules in plaintext. The RSA
private key and DH private key never exit the module, while the public keys are output in plaintext. The Session key
exits the module in encrypted form during TLS handshakes (protected within RSA key transport). The IP Encryption
Key and ISDN Encryption Key are never output from the module. Other CSPs and keys, such as the Integrity Check
Key and PRNG seed are never output from the modules.