240 HSM Security Policy

when the SO invokes the Create User service. It is written to an iKey token through the trusted USB interface. Refer to the following section 9.2 for a description of how this PIN is used for authentication.

Key-Wrapping-Key (KWK) = A 3DES 3-key key created by either the SO or User role for the purpose of wrapping private RSA keys. The Key-Wrapping-Key may be randomly generated using the Generate Key service, or may be entered into the module using the Combine Key service, which combines two key shares entered through the trusted USB interface. In the non-FIPS 140-1 mode, the Key-Wrapping-Key may also be created through the Derive Key service.

PRNG 3DES Key (PRNG Key) = This 3DES 2-key key is used for seeding the X9.17 Pseudo-random Number Generator (PRNG). The PRNG 3DES Key is generated randomly using the hardware random number generator (RNG) within the FastMap processor. This key is generated every time a random number is needed for key generation or as a direct request through the Generate Random Number service. The PRNG 3DES EDE Key is destroyed after each PRNG output is generated.

RSA Public and Private Key Pair (SPK, VPK) = This RSA key pair is generated by either the SO or User role for the purpose of generating RSA digital signatures through the RSA Sign service, or for verifying the same through the RSA Verify service. A key pair so designated by the user who created it cannot be used for any other purpose, such as key exchange or encryption/decryption of data. The user may specify through Boolean attributes whether the private key may be used for Signature Generation and/or Data Decryption, and whether the public key may be used for Signature Verification and/or Data Encryption. Hence, a given key pair may be used for both signatures/verifications as well as data encryption/decryption. In FIPS 140-1 Mode, data encryption/decryption is not available.

RSA Encryption/Decryption Public and Private Key Pair (EPK, DPK) = This key pair is generated by either the SO or User role for the purpose of encrypting and decrypting data. When creating this key pair, the user may specify through Boolean attributes whether the private key may be used for Signature Generation and/or Data Decryption, and whether the public key may be used for Signature Verification and/or Data Encryption. Hence, a given key pair may be used for both signatures/verifications as well as data encryption/decryption. Note that in the FIPS 140-1 Mode, although Encryption/Decryption key pairs may be generated, the RSA Encrypt and RSA Decrypt services are not available, and therefore, such keys are not usable in this mode.

Key-Wrapping-Key Share (KWK Share) = Key share obtained by splitting the KWK into two shares with the Split Key service. Two corresponding shares may be combined with the Combine Key service to enter the KWK into the module.

Nortel VPN Gateway
User Guide
NN46120-104 02.01 Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks.
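The two rules above that a practitioner most needs to get right are the per-key Boolean usage attributes (with the FIPS 140-1 restriction on RSA Encrypt/Decrypt) and the Split Key / Combine Key handling of the KWK. The following is an added Python example, not code from this user guide or from the HSM's firmware, that models both. It assumes a two-share XOR split for Split Key / Combine Key (the guide does not state how the shares are derived), uses a DES odd-parity check on the recombined key to catch a mistyped share, and uses its own names (`RsaKey`, `authorize`, `split_key`, `combine_key`); none of these are the module's actual API.

```python
"""Model of the HSM key-usage and key-share rules (added example; assumptions
are marked below, the real module's services and API differ)."""
import secrets
from dataclasses import dataclass


class KeyUsageError(Exception):
    """Raised when a service is invoked with a key not permitted for it."""


@dataclass
class RsaKey:
    label: str
    private: bool                # True for the private half of the pair
    # Boolean usage attributes chosen by the user who creates the pair
    sign: bool = False           # private key: Signature Generation
    decrypt: bool = False        # private key: Data Decryption
    verify: bool = False         # public key: Signature Verification
    encrypt: bool = False        # public key: Data Encryption


# service name -> (requires the private half?, attribute that must be True)
_SERVICE_RULES = {
    "RSA Sign":    (True,  "sign"),
    "RSA Decrypt": (True,  "decrypt"),
    "RSA Verify":  (False, "verify"),
    "RSA Encrypt": (False, "encrypt"),
}


def authorize(key: RsaKey, service: str, fips_mode: bool) -> bool:
    """Return True if `service` may use `key`, else raise KeyUsageError.

    In FIPS 140-1 mode the RSA Encrypt / RSA Decrypt services are not
    available at all, whatever the key's attributes say.
    """
    if service not in _SERVICE_RULES:
        raise KeyUsageError(f"unknown service {service!r}")
    if fips_mode and service in ("RSA Encrypt", "RSA Decrypt"):
        raise KeyUsageError(f"{service} is not available in FIPS 140-1 mode")
    needs_private, attr = _SERVICE_RULES[service]
    if key.private != needs_private:
        half = "private" if needs_private else "public"
        raise KeyUsageError(f"{service} requires the {half} key")
    if not getattr(key, attr):
        raise KeyUsageError(f"key {key.label!r} lacks the {attr} attribute")
    return True


def set_odd_parity(raw: bytes) -> bytes:
    """Force DES odd parity on every byte (the low bit is the parity bit)."""
    return bytes((b & 0xFE) | ((bin(b & 0xFE).count("1") + 1) & 1) for b in raw)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") & 1 for b in key)


def generate_kwk() -> bytes:
    """Constructed 24-byte (3DES 3-key) KWK with correct DES parity."""
    return set_odd_parity(secrets.token_bytes(24))


def split_key(kwk: bytes):
    """Split Key modelled as a two-share XOR split (assumption).

    Each share on its own is uniformly random and reveals nothing about the
    KWK; only the XOR of both shares recovers it.
    """
    share1 = secrets.token_bytes(len(kwk))
    share2 = bytes(a ^ b for a, b in zip(kwk, share1))
    return share1, share2


def combine_key(share1: bytes, share2: bytes) -> bytes:
    """Combine Key: rebuild the KWK and reject a mistyped share via DES parity."""
    if len(share1) != 24 or len(share2) != 24:
        raise ValueError("both shares must be 24 bytes")
    kwk = bytes(a ^ b for a, b in zip(share1, share2))
    if not has_odd_parity(kwk):
        raise ValueError("combined key fails DES parity: a share was entered wrong")
    return kwk


if __name__ == "__main__":
    priv = RsaKey("sig-priv", private=True, sign=True)
    print(authorize(priv, "RSA Sign", fips_mode=True))
    try:
        authorize(priv, "RSA Decrypt", fips_mode=True)
    except KeyUsageError as err:
        print("refused:", err)
    kwk = generate_kwk()
    s1, s2 = split_key(kwk)
    print(combine_key(s1, s2) == kwk)
```

The parity check is a cheap integrity guard, not a security control: a single-bit error in either share always flips the parity of one key byte and is caught, while an error of several bits in one byte is caught only about half the time. A production module would pair the shares with a key check value; the guide does not describe such a value, so the example stops at parity.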