Configuring FIPS, Overview, FIPS self-tests – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuring FIPS
Overview
The Federal Information Processing Standard (FIPS) 140-2, developed by the National Institute of
Standards and Technology (NIST) of the United States, specifies the security requirements for
cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4"
from low to high. Currently, the device supports Level 2.
Unless otherwise noted, FIPS in this document refers to FIPS 140-2.
FIPS self-tests
When the device operates in FIPS mode, it has self-test mechanisms, including power-up self-tests and
conditional self-tests, to ensure the normal operation of the cryptography modules. If either type of test fails,
the device restarts.
Power-up self-tests
Power-up self-tests, also called "known-answer tests", check the availability of FIPS-allowed
cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is
already known. The calculated output is compared with the known answer. If they are not identical, the
known-answer test fails.
Power-up self-tests check the following cryptographic algorithms: DSA (signature and authentication),
RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, HMAC-SHA1,
and random number generator algorithms.
Conditional self-tests
Conditional self-tests are run when an asymmetrical cryptographic module or a random number
generator module is invoked. Conditional self-tests include the following:
• Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If the decryption is successful, the test succeeds. Otherwise, the test fails.
• Continuous random number generator test—This test is run when a random number is generated. If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test is also run when a DSA/RSA asymmetrical key pair is generated.
Triggered self-test
To examine whether the cryptography modules operate normally, you can use a command to trigger a
self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.
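The three self-test mechanisms described above (known-answer tests, the pair-wise consistency test and the continuous random number generator test), as an added Python example that is not H3C's code and does not show the device's CLI. It assumes stdlib SHA1/HMAC-SHA1 for the known-answer tests with vectors from the SHA-1 and RFC 2202 standards, a small constructed RSA key pair for the pair-wise test, and os.urandom as the random source.

```python
import hashlib
import hmac
import os

# Known-answer vectors: SHA-1 of "abc" (FIPS 180) and HMAC-SHA1 RFC 2202 test case 1.
KAT_VECTORS = {
    "SHA1": (lambda: hashlib.sha1(b"abc").hexdigest(),
             "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "HMAC-SHA1": (lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest(),
                  "b617318655057264e28bc0b6fb378c8ef146be00"),
}


def power_up_self_test():
    """Known-answer test: run each algorithm on fixed input and compare with the known output."""
    return {name: run() == expected for name, (run, expected) in KAT_VECTORS.items()}


def pairwise_consistency_test(n, e, d):
    """Encrypt a fixed plaintext with the public key (n, e), decrypt with private exponent d.

    Textbook RSA with integers only; a real module would use padded RSA or DSA sign/verify."""
    plaintext = 42  # constructed test value, must be smaller than n
    ciphertext = pow(plaintext, e, n)
    return pow(ciphertext, d, n) == plaintext


class ContinuousRngTest:
    """Continuous RNG test: each new block must differ from the previous one.

    The first block after start-up is only saved for comparison, never handed out."""

    def __init__(self, source=os.urandom, block_size=16):
        self.source = source
        self.block_size = block_size
        self.previous = source(block_size)

    def next_block(self):
        block = self.source(self.block_size)
        passed = block != self.previous  # identical consecutive outputs mean a stuck generator
        self.previous = block
        return block, passed


def run_self_tests(n=3233, e=17, d=2753):
    """Mirror the device's behaviour: any failure means the module is not fit to run."""
    results = dict(power_up_self_test())
    results["pairwise"] = pairwise_consistency_test(n, e, d)  # constructed key p=61, q=53
    results["rng"] = ContinuousRngTest().next_block()[1]
    return all(results.values()), results
```

A stuck random source (one that returns the same bytes every call) or a corrupted private exponent fails the corresponding conditional test, which is the case the device answers with a restart.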