Grundlegendes zu FIPS-Selbsttests
Das kryptografische Modul erzwingt Sicherheitsregeln, um sicherzustellen, dass ein Gerät, auf dem das Juniper Networks Junos-Betriebssystem (Junos OS) im FIPS-Betriebsmodus ausgeführt wird, die Sicherheitsanforderungen von FIPS 140-2 Level 2 erfüllt. Um die Ausgabe von kryptografischen Algorithmen, die für FIPS zugelassen sind, zu validieren und die Integrität einiger Systemmodule zu testen, führt das Gerät die folgende Reihe von KAT-Selbsttests (Known Answer Test) durch:
kernel_kats—KAT für kryptographische Routinen des Kernelsmd_kats—KAT für libmd und libcopenssl_kats—KAT für die kryptografische Implementierung von OpenSSLquicksec_7_0_kats—KAT für die kryptografische Implementierung des QuickSec Toolkitoctcrypto_kats—KAT für OkteonJSF_Crypto_(Octeon)_KATS—KAT für JSF-Krypto-Okteon
Die KAT-Selbsttests werden automatisch beim Start und Neustart durchgeführt, wenn der FIPS-Betriebsmodus auf dem Gerät aktiviert ist. Bedingte Selbsttests werden auch automatisch durchgeführt, um digital signierte Softwarepakete, generierte Zufallszahlen, RSA- und DSA-Schlüsselpaare und manuell eingegebene Schlüssel zu verifizieren.
Wenn die KATs erfolgreich abgeschlossen wurden, wird die Systemprotokolldatei (Syslog) aktualisiert, um die ausgeführten Tests anzuzeigen.
Wenn das Gerät einen KAT ausfällt, schreibt das Gerät die Details in eine Systemprotokolldatei, wechselt in den FIPS-Fehlerstatus (Panik) und startet neu.
Der file show /var/log/messages Befehl zeigt das Systemprotokoll an.
Durchführen von Selbsttests beim Einschalten des Geräts
Jedes Mal, wenn das Kryptografiemodul eingeschaltet wird, testet es, ob die kryptografischen Algorithmen noch ordnungsgemäß funktionieren und ob sensible Daten nicht beschädigt wurden. Selbsttests beim Einschalten werden bei Bedarf durchgeführt, indem das Modul aus- und wieder eingeschaltet wird.
Beim Einschalten oder Zurücksetzen des Geräts führt das Modul die folgenden Selbsttests durch. Alle KATs müssen erfolgreich abgeschlossen werden, bevor das Modul Kryptographie verwenden kann. Wenn einer der KATs ausfällt, wechselt das Modul in den Fehlerstatus "Kritischer Fehler".
Das Modul zeigt die folgende Statusausgabe für SRX345- und SRX380-Geräte an, während die Selbsttests beim Einschalten ausgeführt werden:
Verified jboot signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256 Verified junos signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256 veriexec: cannot update veriexec for /usr/lib/libext_db.so.3: Too many links veriexec: cannot update veriexec for /usr/lib/libpsu.so.3: Too many links veriexec: cannot update veriexec for /usr/lib/libxml2.so.3: Too many links veriexec: cannot update veriexec for /usr/lib/libyaml.so.3: Too many links veriexec: cannot update veriexec for /var/jailetc/mime.types: No such file or directory veriexec: cannot update veriexec for /var/jailetc/php_mod.ini: No such file or directory Verified junos-20.2 signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256 Checking integrity of BSD labels: s1: Passed s2: Passed s3: Passed s4: Passed ** /dev/bo0s3e FILE SYSTEM CLEAN; SKIPPING CHECKS clean, 599646 free (30 frags, 74952 blocks, 0.0% fragmentation) ** /dev/bo0s3f FILE SYSTEM CLEAN; SKIPPING CHECKS clean, 18789959 free (471 frags, 2348686 blocks, 0.0% fragmentation) Checking integrity of licenses: DemoLabJUNOS634993695.lic: No recovery data DemoLabJUNOS747689902.lic: No recovery data DemoLabJUNOS867795690.lic: No recovery data Checking integrity of configuration: rescue.conf.gz: No recovery data LPC bus driver lpcbus0 on cpld0 tpm0: <Trusted Platform Module> on lpcbus0 tpm: IFX SLB 9660 TT 1.2 rev 0x10 Loading configuration ... mgd: warning: schema: dbs_remap_daemon_index: could not find daemon name 'ikemd'mgd: Running FIPS Self-tests mgd: Testing JSF Crypto (Octeon) KATs: mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: RSA-SIGN Known Answer Test: Passed mgd: ECDSA-SIGN Known Answer Test: Passed mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed mgd: Testing kernel KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: SHA-2-384 Known Answer Test: Passed mgd: SHA-2-512 Known Answer Test: Passed mgd: AES128-CMAC Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: Testing MACSec KATS: mgd: AES128-CMAC Known Answer Test: Passed mgd: AES256-CMAC Known Answer Test: Passed mgd: AES-ECB Known Answer Test: Passed mgd: AES-KEYWRAP Known Answer Test: Passed mgd: KBKDF Known Answer Test: Passed mgd: Testing libmd KATS: mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: SHA-2-512 Known Answer Test: Passed mgd: Testing Octeon KATS: mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: Testing OpenSSL KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: FIPS ECDSA Known Answer Test: Passed mgd: FIPS ECDH Known Answer Test: Passed mgd: FIPS RSA Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: ECDSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-SSH-SHA256 Known Answer Test: Passed mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed mgd: Testing QuickSec 7.0 KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passedmgd: HMAC-SHA2-512 Known Answveriexec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=83 fileid=5048524 gen=1 uid=0 pid=1073 er Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: SSH-ECDSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-IKE-V2 Known Answer Test: Passed mgd: Testing QuickSec KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-IKE-V2 Known Answer Test: Passed mgd: Testing SSH IPsec KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: Testing file integrity: mgd: File integrity Known Answer Test: Passed mgd: Testing crypto integrity: mgd: Crypto integrity Known Answer Test: Passed mgd: Expect an exec Authentication error... mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error mgd: FIPS Self-tests Passed
Das Modul implementiert kryptographische Bibliotheken und Algorithmen, die im genehmigten Betriebsmodus nicht verwendet werden.