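Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode of operation meets the security requirements of FIPS 140-2 Level 2. To validate the output of FIPS-approved cryptographic algorithms and to test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests: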
kernel_kats - KAT for kernel cryptographic routines
md_kats - KAT for libmd and libc
openssl_kats - KAT for the OpenSSL cryptographic implementation
quicksec_7_0_kats - KAT for the QuickSec Toolkit cryptographic implementation
octcrypto_kats - KAT for Octeon
JSF_Crypto_(Octeon)_KATS - KAT for JSF Crypto Octeon
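When FIPS mode of operation is enabled on the device, the KAT self-tests are performed automatically at startup and at reboot. The system also performs conditional self-tests automatically to verify digitally signed software packages, generated random numbers, RSA and DSA key pairs, and manually entered keys.
If the KATs complete successfully, the system updates the system log (syslog) file to show the tests that were executed.
If the device fails a KAT, it writes the details to the system log file, enters the FIPS error state (panic), and reboots.
The file show /var/log/messages command displays the system log.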
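The fail-closed behaviour described above, as an added Python sketch that is not Junos OS code: a hypothetical CryptoModule runs known answer tests against published vectors (the SHA-256 "abc" example and test case 1 of RFC 2202 and RFC 4231) and refuses to perform any cryptographic operation unless every test has passed. The class, state names and log wording are assumptions made for illustration.

```python
import hashlib
import hmac

# Published vectors: SHA-256 of "abc"; HMAC test case 1 from RFC 2202 and RFC 4231.
KEY, MSG = b"\x0b" * 20, b"Hi There"
VECTORS = [
    ("SHA-2-256", lambda impl: impl["sha256"](b"abc"),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA1", lambda impl: impl["hmac"](KEY, MSG, "sha1"),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("HMAC-SHA2-256", lambda impl: impl["hmac"](KEY, MSG, "sha256"),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]

# The implementation under test is injectable so a faulty one can be simulated.
DEFAULT_IMPL = {
    "sha256": lambda data: hashlib.sha256(data).digest(),
    "hmac": lambda key, msg, alg: hmac.new(key, msg, alg).digest(),
}


class CryptoModule:
    """Hypothetical module that offers no crypto service until its KATs pass."""

    def __init__(self, impl=DEFAULT_IMPL):
        self.impl = impl
        self.state = "power-on"
        self.log = []

    def run_self_tests(self):
        """Run every KAT, log each result, and latch the resulting state."""
        failed = False
        for name, compute, expected in VECTORS:
            ok = hmac.compare_digest(compute(self.impl).hex(), expected)
            self.log.append(f"{name} Known Answer Test: {'Passed' if ok else 'Failed'}")
            failed = failed or not ok
        self.state = "error" if failed else "operational"
        return not failed

    def mac(self, key, msg):
        """HMAC-SHA2-256 service, available only in the operational state."""
        if self.state != "operational":
            raise RuntimeError(f"crypto unavailable in state {self.state!r}")
        return self.impl["hmac"](key, msg, "sha256")
```
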
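Performing Power-On Self-Tests on the Device
Each time the cryptographic module is powered on, the module tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. Power-on self-tests are performed on demand by power cycling the module.
On powering on or resetting the device, the module performs the following self-tests. All KATs must complete successfully before the module uses cryptography in any other way. If one of the KATs fails, the module enters the Critical Failure error state.
While running the power-on self-tests, the module displays the following status output for SRX345 and SRX380 devices: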
Verified jboot signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Verified junos signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
veriexec: cannot update veriexec for /usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libxml2.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /var/jailetc/php_mod.ini: No such file or directory
Verified junos-20.2 signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Checking integrity of BSD labels:
s1: Passed
s2: Passed
s3: Passed
s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 599646 free (30 frags, 74952 blocks, 0.0% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 18789959 free (471 frags, 2348686 blocks, 0.0% fragmentation)
Checking integrity of licenses:
DemoLabJUNOS634993695.lic: No recovery data
DemoLabJUNOS747689902.lic: No recovery data
DemoLabJUNOS867795690.lic: No recovery data
Checking integrity of configuration:
rescue.conf.gz: No recovery data
LPC bus driver lpcbus0 on cpld0
tpm0: <Trusted Platform Module> on lpcbus0
tpm: IFX SLB 9660 TT 1.2 rev 0x10
Loading configuration ...
mgd: warning: schema: dbs_remap_daemon_index: could not find daemon name 'ikemd'
mgd: Running FIPS Self-tests
mgd: Testing JSF Crypto (Octeon) KATs:
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: RSA-SIGN Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-384 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES256-CMAC Known Answer Test: Passed
mgd: AES-ECB Known Answer Test: Passed
mgd: AES-KEYWRAP Known Answer Test: Passed
mgd: KBKDF Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing Octeon KATS:
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: FIPS ECDSA Known Answer Test: Passed
mgd: FIPS ECDH Known Answer Test: Passed
mgd: FIPS RSA Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-SSH-SHA256 Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answveriexec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=83 fileid=5048524 gen=1 uid=0 pid=1073 er Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: SSH-ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Testing crypto integrity:
mgd: Crypto integrity Known Answer Test: Passed
mgd: Expect an exec Authentication error...
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self-tests Passed
The module implements cryptographic libraries and algorithms that are not used in the approved mode of operation.
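One way to audit a captured copy of the power-on status output above, as an added Python example that is not a Juniper tool: it counts passed KATs per suite, requires the final verdict line, and reports result lines broken by interleaved console messages as unverified instead of counting them as passes. The sample text is constructed, and the word Failed in a failing line is an assumption, since the page shows only passing output; any result other than Passed is flagged.

```python
import re

SUITE = re.compile(r"^mgd: Testing (.+):$")
RESULT = re.compile(r"^mgd: (.+) Known Answer Test: (\w+)$")
VERDICT = "mgd: FIPS Self-tests Passed"


def audit_selftest(console, required_suites=()):
    """Summarise KAT results per suite from power-on console text."""
    suite, passed, failed, unverified, verdict = None, {}, [], [], False
    for line in (raw.strip() for raw in console.splitlines()):
        if m := SUITE.match(line):
            suite = m.group(1)
            passed.setdefault(suite, 0)
        elif m := RESULT.match(line):
            if m.group(2) == "Passed":
                passed[suite] = passed.get(suite, 0) + 1
            else:
                failed.append((suite, m.group(1), m.group(2)))
        elif line == VERDICT:
            verdict = True
        elif "Known Answ" in line:
            # Another console message split this result line; not counted as a pass.
            unverified.append((suite, line))
    # A required suite with no passed test is treated as missing.
    missing = [s for s in required_suites if not passed.get(s)]
    return {"ok": verdict and not failed and not missing, "passed": passed,
            "failed": failed, "unverified": unverified, "missing": missing}


# Constructed sample (not captured from a device), in the format shown above.
SAMPLE = """\
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answveriexec: no fingerprint for file='/sbin/kats/cannot-exec' er Test: Passed
mgd: Testing OpenSSL KATS:
mgd: AES-GCM Known Answer Test: Passed
mgd: FIPS Self-tests Passed
"""

if __name__ == "__main__":
    print(audit_selftest(SAMPLE, required_suites=("kernel KATS", "OpenSSL KATS")))
```
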