Critical Security Parameter (CSP) Zeroization and Read-Verify

A Critical Security Parameter (CSP) is user- or system-defined information used to operate a cryptographic module when it performs cryptographic functions. CSPs include cryptographic keys and authentication data such as passwords; their disclosure or modification can compromise the security of the cryptographic module or of the information the module protects.

CSP zeroization applies to flash memory, SSH private keys, and SSH session keys (present in volatile memory) stored in a switch.

Zeroization of Flash

Flash memory mounted at the /config and /scratch directories is already zeroized by the command unconfigure switch erase all. As part of this feature, a read-verify is performed before the switch reboots to the bootrom.

Zeroization of SSH Keys

SSH private keys are first stored temporarily in the /etc directory so that they can be converted into the correct format and parsed by OpenSSH. After the private key has been loaded into the key data structure, the key file in /etc is zeroized. The key file is compared with /dev/zero to verify the zeroization, and only after that is the key file removed. An EMS message appears if the read-verify fails. The final keys are saved in EEPROM when you execute save configuration; they are zeroized and deleted by running the same command, unconfigure switch erase all. Zeroization is verified by reading the wkninfo object stored in EEPROM for the SSH key, which should contain no data. Zeroization of SSH keys saved in EEPROM can also be accomplished using the commands unconfigure switch all or unconfigure switch.
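The zeroize-then-read-verify cycle described for the staged SSH key file (and, in the flash section above, for /config and /scratch) can be shown as a small C program. This is an added illustration, not ExtremeXOS code: the file path, the constructed key bytes, the buffer size KEY_MAX and the function names are assumptions. It overwrites the staged file with zeros in place, syncs it, re-reads it to confirm every byte is zero (the same check as comparing against /dev/zero), removes the file only after the verification passes, and finally wipes the in-memory copy with a volatile store loop so the compiler cannot elide the wipe.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

#define KEY_MAX 4096   /* assumed upper bound for the in-memory key copy */

/* Wipe a RAM buffer through a volatile pointer so the stores are not optimized away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Overwrite every byte of the file at path with zeros, in place, then fsync.
   Returns 0 on success, -1 on any failure. */
int zeroize_file(const char *path) {
    struct stat st;
    unsigned char zeros[512];
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    memset(zeros, 0, sizeof zeros);
    off_t remaining = st.st_size;
    while (remaining > 0) {
        size_t chunk = remaining < (off_t)sizeof zeros ? (size_t)remaining : sizeof zeros;
        ssize_t w = write(fd, zeros, chunk);
        if (w <= 0) { close(fd); return -1; }
        remaining -= w;
    }
    int rc = fsync(fd);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Read-verify: re-read the file and confirm every byte is zero.
   Returns 1 if fully zero, 0 if any nonzero byte remains, -1 on I/O error. */
int verify_zeroized(const char *path) {
    unsigned char buf[512];
    ssize_t n;
    int result = 1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    while (result == 1 && (n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++) {
            if (buf[i] != 0) { result = 0; break; }
        }
    }
    if (n < 0) result = -1;
    close(fd);
    return result;
}

/* Full cycle: stage a key file, load it into memory, zeroize the file,
   read-verify, remove it, then wipe the RAM copy. Returns 0 on success;
   a negative code identifies the step that failed (the read-verify failure,
   step -5, is the point at which the page says an EMS message is raised). */
int staged_key_cycle(const char *path, const unsigned char *key, size_t key_len) {
    unsigned char loaded[KEY_MAX];
    if (key_len > KEY_MAX) return -1;

    /* 1. Stage the key on disk (the temporary copy). */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -2;
    if (write(fd, key, key_len) != (ssize_t)key_len) { close(fd); return -2; }
    close(fd);

    /* 2. Load it into the in-memory key structure (a plain buffer here). */
    fd = open(path, O_RDONLY);
    if (fd < 0) return -3;
    ssize_t got = read(fd, loaded, sizeof loaded);
    close(fd);
    if (got != (ssize_t)key_len) return -3;

    /* 3. Zeroize the staged file, 4. read-verify, 5. only then remove it. */
    if (zeroize_file(path) != 0) return -4;
    if (verify_zeroized(path) != 1) return -5;
    if (unlink(path) != 0) return -6;

    /* 6. Wipe the RAM copy once the key is no longer needed. */
    secure_zero(loaded, sizeof loaded);
    return 0;
}

int main(void) {
    /* Constructed sample key material; not a real key. */
    static const unsigned char key[] = "-----BEGIN CONSTRUCTED SAMPLE KEY-----\n";
    int rc = staged_key_cycle("./csp_demo_key.tmp", key, sizeof key - 1);
    printf("staged key cycle: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

One caveat worth keeping in mind when reading this against the flash section: an in-place overwrite of a file through the filesystem is only guaranteed to reach the logical blocks. On flash media with wear levelling or on a copy-on-write filesystem, the original physical cells may survive the overwrite, which is why a platform-level erase of the whole flash region, rather than per-file zeroization, is what the erase command relies on.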

Zeroization of Session Keys in RAM

Zeroization of SSH session keys (stored in RAM) was already being accomplished in earlier versions of ExtremeXOS. This feature makes no changes to this.

Supported Platforms

Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X620, X440-G2 series switches.