9.0 Roles and Services

| Service | FIPS140-1 Level 3 Mode: Not authenticated | FIPS140-1 Level 3 Mode: User Role | FIPS140-1 Level 3 Mode: SO Role | Non-FIPS140-1 Mode: Not authenticated | Non-FIPS140-1 Mode: User Role | Non-FIPS140-1 Mode: SO Role | SRDIs Accessed |
|---|---|---|---|---|---|---|---|
| Generate and Store RSA Key Pair | NO | YES | YES | NO | YES | YES | PRNG Key (create and destroy), and create either or both of the following pairs: (SPK, VPK) or (EPK, DPK) |
| Store Public Object (Public RSA Key, user data object) | NO | YES | YES | NO | YES | YES | Enter and store: EPK or VPK |
| Store Vendor-Defined Data Object | YES | YES | YES | YES | YES | YES | None |
| Store Private Object (Private RSA Key) (note 4) | NO | NO | NO | NO | YES | YES | Enter and Store: SPK or DPK |
| Get Public Object (RSA public key, user-defined data object) | NO | YES | YES | NO | YES | YES | Read: SPK or DPK |
| Get Vendor-Defined Data Object | YES | YES | YES | YES | YES | YES | None |
| Get Object Information by Object ID | YES | YES | YES | YES | YES | YES | None |
| Get Object Count | YES | YES | YES | YES | YES | YES | None |

Note 1 = The key for these commands is input through the PCI bus (data input interface).

Note 2 = This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

Note 3 = The Exponentiation Using CRT and Exponentiation functions are generic math functions; all parameters are input through the PCI interface (data input interface).

Note 4 = When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping Key.

Note 5 = User Login is the process that takes the board from an unauthenticated state to the authenticated state. Only one user may be authenticated at a particular time. Consequently, the User Login process cannot be started from the authenticated state. Nonetheless, the User Login process cannot be completed successfully without authentication.

Note 6 = This command is used for generating the key-wrapping-key.

Note 7 = When the board is in the zeroized state, it is possible for an unauthenticated user to uninitialize the board.

Note 8 = These operations must access stored cryptographic keys. The keys may not be input through the PCI interface.

Nortel VPN Gateway User Guide, NN46120-104 02.01 Standard, 14 April 2008
Copyright © 2007-2008 Nortel Networks.