9.0 Roles and Services

| Service | FIPS140-1 Level 3 Mode: Not authenticated | FIPS140-1 Level 3 Mode: User Role | FIPS140-1 Level 3 Mode: SO Role | Non-FIPS140-1 Mode: Not authenticated | Non-FIPS140-1 Mode: User Role | Non-FIPS140-1 Mode: SO Role | SRDIs Accessed |
|---|---|---|---|---|---|---|---|
| Modular Exponentiation using CRT (note 3) | YES | YES | YES | YES | YES | YES | None |
| Modular Exponentiation (note 3) | YES | YES | YES | YES | YES | YES | None |
| RSA Encrypt (note 8) | NO | NO | NO | NO | YES | YES | EPK (use) |
| RSA Decrypt (note 8) | NO | NO | NO | NO | YES | YES | DPK (use) |
| Digital Signature Standard Sign (note 1) | NO | NO | NO | YES | YES | YES | None |
| Digital Signature Standard Verification (note 1) | NO | NO | NO | YES | YES | YES | None |
| Self-test | YES | YES | YES | YES | YES | YES | None |
| Firmware Update | NO | NO | YES | NO | NO | YES | None |
| Generate Random Number | YES | YES | YES | YES | YES | YES | PRNGKey (create, destroy) |
| Get Configuration | YES | YES | YES | YES | YES | YES | None |
| Get Status | YES | YES | YES | YES | YES | YES | None |
| Verify Firmware Image | NO | NO | YES | NO | NO | YES | |
| SHA1 Hash | NO | YES | YES | YES | YES | YES | None |
| SHA1 HMAC (note 1) | NO | NO | NO | YES | YES | YES | None |
| MD5 Hash | NO | NO | NO | YES | YES | YES | None |
| MD5 HMAC (note 1) | NO | NO | NO | YES | YES | YES | None |

Note 1 = The key for these commands is input through the PCI bus (data input interface).

Note 2 = This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

Note 3 = The Exponentiation Using CRT and Exponentiation functions are generic math functions; all parameters are input through the PCI interface (data input interface).

Note 4 = When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping Key.

Note 5 = User Login is the process that takes the board from an unauthenticated state to the authenticated state. Only one user may be authenticated at a particular time. Consequently, the User Login process cannot be started from the authenticated state. Nonetheless, the User Login process cannot be completed successfully without authentication.

Note 6 = This command is used for generating the key-wrapping-key.

Note 7 = When the board is in the zeroized state, it is possible for an unauthenticated user to uninitialize the board.

Note 8 = These operations must access stored cryptographic keys. The keys may not be input through the PCI interface.

Nortel VPN Gateway User Guide
NN46120-104 02.01 Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks.