beautypg.com

Configuring fips, Overview, Fips self-tests – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 358: Power-up self-tests, Conditional self-tests, Triggered self-test

background image

344

Configuring FIPS

Overview

The Federal Information Processing Standard (FIPS) 140-2, developed by the National Institute of

Standard and Technology (NIST) of the United States, specifies the security requirements for
cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4"

from low to high. Currently, the device supports Level 2.
Unless otherwise noted, FIPS in the document refers to FIPS 140-2.

FIPS self-tests

When the device operates in FIPS mode, it has self-test mechanisms, including power-up self-tests and

conditional self-tests, to ensure the normal operation of cryptography modules. If either type of tests fails,

the device restarts.

Power-up self-tests

Power-up self-tests, also called "known-answer tests", check the availability of FIPS-allowed

cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is

already known. The calculated output is compared with the known answer. If they are not identical, the
known-answer test fails.
Power-up self-tests check the following cryptographic algorithms: DSA (signature and authentication),

RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, HMAC-SHA1,

and random number generator algorithms.

Conditional self-tests

Conditional self-tests are run when an asymmetrical cryptographic module or a random number
generator module is invoked. Conditional self-tests include the following:

Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It
uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If

the decryption is successful, the test succeeds. Otherwise, the test fails.

Continuous random number generator test—This test is run when a random number is generated.
If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test

is also run when a DSA/RSA asymmetrical key pair is generated.

Triggered self-test

To examine whether the cryptography modules operate normally, you can use a command to trigger a

self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.