Secure Operation in FIPS Mode

FIPS 140-2 Overview

The Federal Information Processing Standards (FIPS) Publication 140-2 (Security Requirements for Cryptographic Modules) details the U.S and Canadian governments' requirements for cryptographic modules. FIPS 140-2 specifies certain cryptographic algorithms as secure, and it also identifies which algorithms should be used if a cryptographic module is to be called FIPS compliant. For more information on the FIPS 140-2 standard and validation program, refer National Institute of Standards and Technology (NIST) website.

The FIPS 140-2 Compliance Review (CR) documents for Cisco Catalyst series switches are posted on the following website:

https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html

Click the link in the Certification Date column to view the CR Certificate.

Security Policy document describes the FIPS implementation, hardware installation, firmware initialization, and software configuration procedures for FIPS operation. You can access the FIPS 140-2 Consolidated Validation Certificate and Security Policy document on NIST Computer Security Resource Center. This website opens a Search window. In the Vendor field, enter "Cisco" and click Search. The resulting window provides a list of Cisco platforms that are FIPS Compliant. From the list, click the desired platform to obtain its Security Policy and Consolidated Certificate.


Important

This document describes FIPS mode behavior for Cisco Catalyst Switches in general. For more information on platform-specific FIPS 140-2 implementation, refer the FIPS 14-2 Security Policy document for the platform.

Configure FIPS 140-2

Following is a generic procedure to enable FIPS mode of operation for Cisco Catalyst Switches. For a detailed configuration procedure, refer FIPS 140-2 Security Policy document for the required device.

Procedure

Step 1

(Optional) Enable FIPS 140-2 logging.

Example:

Device(config)# logging console errors

Step 2

Configure Authorization key.

Example:

Device(config)# fips authorization-key key

Note

 

Enable secure stacking by configuring the same authorization key on each member of the stack.

Note that key is 128 bits, which is, 16 HEX byte key.

What to do next

After you enable FIPS, reboot the system to start operating in FIPS mode.

Key Zeroization

A critical FIPS requirement is the capability to zeroize keys and passwords in the event of unsafe state triggers during FIPS mode of operation.

You can delete the FIPS authorization keys using the no fips authorization-key command in global configuration mode. This command deletes the key from flash. A reboot takes the system out of FIPS mode of operation.

If there is a security breach, use the fips zeroize command to delete all data including the running configuration, Trust Anchor Module, FIPS authorization keys, all ISE Server certificates, and IOS image in flash.

The system reboots after this command is executed.


Caution

FIPS zeroization is a critical step where all data is lost. Use it with caution.

Session keys are zeroized by the protocols programmatically.

Device(config)#fips zeroize
 
**Critical Warning** - This command is irreversible
and will zeroize the FVPK by Deleting the IOS
image and config files, please use extreme
caution and confirm with Yes on each of three
iterations to complete. The system will reboot
after the command executes successfully
Proceed ?? (yes/[no]):

Disable FIPS Mode

You can disable FIPS mode using the no fips authorization-key command.

The no fips authorization-key command deletes the authorization key from flash. Note that the authorization key is operational until you reload the switch.

To completely remove the authorization key and disable FIPS mode, reload the switch.


Device> enable 
Device# config terminal
Device(config)# no fips authorization-key
Device(config)# end

Verify FIPS Configuration

Use the show fips status command to display the FIPS configuration information.

Use the show fips authorization-key command to display the hashed FIPS key.


Note

FIPS configuration information does not appear when you list the active configuration using the show running-config command or when you list the startup configuration using the show startup-config command.

The following are sample outputs of the show commands: 

Device# show fips authorization-key

FIPS: Stored key (16) : 11111111111111111111111111111111
 

Device#show romvar

ROMMON variables:
PS1="switch: "
BOARDID="24666"
SWITCH_NUMBER="1"
TERMLINES="0"
MOTHERBOARD_ASSEMBLY_NUM="73-18506-02"
MOTHERBOARD_REVISION_NUM="04"
MODEL_REVISION_NUM="P2A"
POE1_ASSEMBLY_NUM="73-16123-03"
POE1_REVISION_NUM="A0"
POE1_SERIAL_NUM="FOC21335EF2"
POE2_ASSEMBLY_NUM="73-16123-03"
POE2_REVISION_NUM="A0"
POE2_SERIAL_NUM="FOC21335EF3"
IMAGE_UPGRADE="no"
MAC_ADDR="F8:7B:20:77:F7:80"
MODEL_NUM="C9300-48UN"
MOTHERBOARD_SERIAL_NUM="FOC21351BC3"
BAUD="9600"
SYSTEM_SERIAL_NUM="FCW2138L0AF"
USB_SERIAL_NUM="FOC213609Y5"
STKPWR_SERIAL_NUM="FOC21360HTS"
STKPWR_ASSEMBLY_NUM="73-11956-08"
STKPWR_REVISION_NUM="B0"
USB_ASSEMBLY_NUM="73-16167-02"
USB_REVISION_NUM="A0"
TAN_NUM="68-101202-01"
TAN_REVISION_NUMBER="23"
VERSION_ID="P2A"
CLEI_CODE_NUMBER="ABCDEFGHIJ"
ECI_CODE_NUMBER="123456"
TAG_ID="E20034120133FC00062B0965"
IP_SUBNET_MASK="255.255.0.0"
TEMPLATE="access"
TFTP_BLKSIZE="8192"
ENABLE_BREAK="yes"
TFTP_SERVER="10.8.0.6"
DEFAULT_GATEWAY="10.8.0.1"
IP_ADDRESS="10.8.3.33"
CRASHINFO="crashinfo:crashinfo_RP_00_00_20180420-020851-PDT"
CALL_HOME_DEBUG="0000000000000"
IP_ADDR="172.21.226.35/255.255.255.0"
DEFAULT_ROUTER="10.5.49.254"
RET_2_RTS=""
FIPS_KEY="5AC9BCA165E85D9FA3F2E5FC96AD98E8F943FBAB79B93E78"
MCP_STARTUP_TRACEFLAGS="00000000:00000000"
AUTOREBOOT_RESTORE="0"
MANUAL_BOOT="yes"
<output truncated>
Device#

Stacking in FIPS Mode

A set of switches are stacked together to form a cluster, thereby increasing the aggregate port density, but retaining the management properties of a single switch. The switch that boots first in a stack is the master and the remaining switches are controlled by the master.

The following table summarizes the stacking behavior in FIPS mode.

Table 1. Stacking Behavior in FIPS Mode

Master Configuration

Member 1 Configuration

Member N Configuration

Scenario

Behavior

FIPS

FIPS

FIPS

All the switches are booted individually at the same time, with the same set of FIPS authorization key.

The stack comes up in FIPS mode.

FIPS

FIPS

FIPS (booted after the stack converges)

Boot the master and the member 1 at the same time. Then boot another member.

When a member is added to a Live Stack, the new member gets added.

FIPS

FIPS

FIPS

All the switches are booted individually at the same time, with the same set of FIPS authorization key.

Master is powered off.

Master failover. Another member gets elected as the master.

FIPS

FIPS (booted after Master boots as standalone)

FIPS (booted after Master boots as standalone)

Master is booted as standalone first. Then the other members are booted as standalone.

The switches do not stack up.

FIPS

FIPS

Non-FIPS

Boot the Master and Member 1 at the same time.

Then boot another member after the other switches form the stack

The whole stack reboots to prevent the safeguard of traffic channel on the unauthorized switch.

Non-FIPS

Non-FIPS

FIPS

Boot the Master and Member 1 at the same time in Non-FIPS mode; boot a new member in FIPS mode.

The FIPS member reboots.

Additional References for Secure Operation in FIPS Mode

Standards and RFCs

Standards/RFCs

Title

FIPS 140-2

Security Requirements for Cryptographic Modules

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html