FIPS self-tests, Power-up self-tests – H3C Technologies H3C S6300 Series Switches User Manual
To disable FIPS mode:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Disable FIPS mode. | undo fips mode enable | By default, the FIPS mode is disabled. |
FIPS self-tests
To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms, including
power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up self-test fails,
the device where the self-test process exists reboots. If the conditional self-test fails, the system outputs
self-test failure information.
NOTE:
If a self-test fails, contact H3C Support.
Power-up self-tests
Power-up self-tests include the following types:
• Known-answer test (KAT)
  This test examines the availability of FIPS-allowed cryptographic algorithms. A cryptographic
  algorithm is run on data for which the correct output is already known. The calculated output is
  compared with the known answer. If they are not identical, the KAT test fails.
• Pairwise conditional test (PWCT)
  PWCT is available in Release 2311P04 and later versions.
  ○ Signature and authentication test—The test is run when a DSA, RSA, or ECDSA asymmetrical
    key pair is generated. It uses the private key to sign the specific data, and it then uses the public
    key to authenticate the signed data. If the authentication is successful, the test succeeds.
  ○ Encryption and decryption test—The test is run when an RSA asymmetrical key pair is
    generated. It uses the public key to encrypt a plain text, and it then uses the private key to
    decrypt the encrypted text. If the decryption is successful, the test succeeds.
The power-up self-test examines the cryptographic algorithms listed in (for Release 2310) or (for Release 2311P04 and later versions).
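The KAT and PWCT logic described above, as an added Python example that is not H3C code and does not reflect the device's implementation. The hash and HMAC vectors are public test vectors; the RSA key is a constructed textbook key with tiny primes and no padding, and all function names are hypothetical.

```python
import hashlib
import hmac

# Public test vectors: SHA-1 and SHA-256 of b"abc" (FIPS 180 examples) and
# HMAC-SHA256 test case 2 from RFC 4231. Entry layout: (name, compute, known answer).
KATS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA256",
     lambda: hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256).hexdigest(),
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]

def run_kats(kats=KATS):
    """Run every algorithm on its fixed input; return names whose output is not the known answer."""
    return [name for name, compute, expected in kats
            if not hmac.compare_digest(compute(), expected)]

def toy_rsa_keypair(p=61, q=53, e=17):
    """Constructed textbook RSA key pair (illustration only, never for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def pairwise_test(public, private, sample=42):
    """PWCT on a freshly generated pair: both directions must round-trip the sample."""
    (n, e), (_, d) = public, private
    # Signature and authentication: sign with the private key, verify with the public key.
    signature = pow(sample, d, n)
    sign_ok = pow(signature, e, n) == sample
    # Encryption and decryption: encrypt with the public key, decrypt with the private key.
    ciphertext = pow(sample, e, n)
    # Require that encryption changed the data, so an identity operation cannot pass.
    crypt_ok = ciphertext != sample and pow(ciphertext, d, n) == sample
    return sign_ok and crypt_ok

if __name__ == "__main__":
    print("KAT failures:", run_kats())
    pub, priv = toy_rsa_keypair()
    print("PWCT passed:", pairwise_test(pub, priv))
```

A non-empty list from `run_kats` or a `False` from `pairwise_test` corresponds to the self-test failure conditions the manual describes.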