Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Understanding FIPS Self-Tests

    The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS-approved mode of operation meets the security requirements of FIPS 140-2 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:

    • kernel_kats—KAT for kernel cryptographic routines
    • md_kats—KAT for libmd and libc
    • openssl_kats—KAT for OpenSSL cryptographic implementation
    • quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation
    • ssh_ipsec_kats—KAT for SSH IPsec Toolkit cryptographic implementation
    • jsf_crypto_spu_xlr_kats—KAT for JSF Crypto SPU XLR (SRX5000 line of devices only)
    • jsf_crypto_octeon_kats—KAT for JSF Crypto Octeon (branch SRX Series devices only)
    • octcrypto_kats—KAT for Octeon (branch SRX Series devices only)

    The KAT self-tests are performed automatically at startup and reboot, regardless of whether FIPS-approved mode of operation is enabled on the device. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and DSA key pairs, and manually entered keys.

    If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.

    If the device fails a KAT, the device writes the details to a system log file, enters FIPS error state (panic), and reboots.

    The file show /var/log/messages command displays the system log.

    Performing Power-On Self-Tests on the Device

    Each time the cryptographic module is powered on, the module tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. Power-on self-tests are performed on demand by power cycling the module.

    On powering on or resetting the device, the module performs the following self-tests. All KATs must be completed successfully prior to any other use of cryptography by the module. If one of the KATs fail, the module enters the Critical Failure error state.

    The module displays the following status output for high-end SRX Series devices while running the power-on self-tests:

    FIPS Software Integrity tests...
    Verified junos signed by PackageProductionEc_2016 method ECDSA
    Verified jboot signed by PackageProductionEc_2016 method ECDSA
    Verified junos-12.3X48-D30.10-fips signed by PackageProductionEc_2016 method ECDSA
    Testing file integrity:
      File integrity Known Answer Test:                Passed
    FIPS Algorithm tests...
    Testing kernel KATS:
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES128-CMAC Known Answer Test:                   Passed
      AES-CBC Known Answer Test:                       Passed
    Testing libmd KATS:
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
    Testing OpenSSL KATS:
      FIPS RNG Known Answer Test:                      Passed
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      FIPS ECDSA Known Answer Test:                    Passed
      FIPS ECDH Known Answer Test:                     Passed
      FIPS RSA Known Answer Test:                      Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      HMAC-SHA2-384 Known Answer Test:                 Passed
      HMAC-SHA2-512 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES-CBC Known Answer Test:                       Passed
      ECDSA-SIGN Known Answer Test:                    Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
      KDF-SSH Known Answer Test:                       Passed
    Testing QuickSec KATS:
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-224 Known Answer Test:                 Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      HMAC-SHA2-384 Known Answer Test:                 Passed
      HMAC-SHA2-512 Known Answer Test:                 Passed
      AES-CBC Known Answer Test:                       Passed
      AES-GCM Known Answer Test:                       Passed
      SSH-RSA-ENC Known Answer Test:                   Passed
      SSH-RSA-SIGN Known Answer Test:                  Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
      KDF-IKE-V2 Known Answer Test:                    Passed
    Testing SSH IPsec KATS:
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES-CBC Known Answer Test:                       Passed
      SSH-RSA-ENC Known Answer Test:                   Passed
      SSH-RSA-SIGN Known Answer Test:                  Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
    Testing crypto integrity:
      Crypto integrity Known Answer Test:              Passed
    FIPS Crivtical Function teests...
    expectring an exec erroir:
    exec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=85 fileid=71884 uid=0 pid=188
    /etc/rc.fips: /sbin/kats/cannot-exec: Authentication error
    FIPS self tests completed.
    

    The module displays the following status output for branch SRX Series devices while running the power-on self-tests:

    FIPS Software Integrity tests...
    Verified junos signed by PackageProductionEc_2016 method ECDSA
    Verified jboot signed by PackageProductionEc_2016 method ECDSA
    Verified junos-12.3X48-D30.10-fips signed by PackageProductionEc_2016 method ECDSA
    Testing file integrity:
      File integrity Known Answer Test:                Passed
    FIPS Algorithm tests...
    Testing JSF Crypto (Octeon) KATs:
      AES-CBC Known Answer Test:                       Passed
      AES-GCM Known Answer Test:                       Passed
      RSA-SIGN Known Answer Test:                      Passed
      ECDSA-SIGN Known Answer Test:                    Passed
    Testing kernel KATS:
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES128-CMAC Known Answer Test:                   Passed
      AES-CBC Known Answer Test:                       Passed
    Testing libmd KATS:
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
    Testing Octeon KATS:
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      AES-CBC Known Answer Test:                       Passed
    Testing OpenSSL KATS:
      FIPS RNG Known Answer Test:                      Passed
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      FIPS ECDSA Known Answer Test:                    Passed
      FIPS ECDH Known Answer Test:                     Passed
      FIPS RSA Known Answer Test:                      Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      HMAC-SHA2-384 Known Answer Test:                 Passed
      HMAC-SHA2-512 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES-CBC Known Answer Test:                       Passed
      ECDSA-SIGN Known Answer Test:                    Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
      KDF-SSH Known Answer Test:                       Passed
    Testing QuickSec KATS:
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-224 Known Answer Test:                 Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      HMAC-SHA2-384 Known Answer Test:                 Passed
      HMAC-SHA2-512 Known Answer Test:                 Passed
      AES-CBC Known Answer Test:                       Passed
      AES-GCM Known Answer Test:                       Passed
      SSH-RSA-ENC Known Answer Test:                   Passed
      SSH-RSA-SIGN Known Answer Test:                  Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
      KDF-IKE-V2 Known Answer Test:                    Passed
    Testing SSH IPsec KATS:
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES-CBC Known Answer Test:                       Passed
      SSH-RSA-ENC Known Answer Test:                   Passed
      SSH-RSA-SIGN Known Answer Test:                  Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
    Testing JSF Crypto (Octeon) KATs:
      AES-CBC Known Answer Test:                       Passed
      AES-GCM Known Answer Test:                       Passed
      RSA-SIGN Known Answer Test:                      Passed
      ECDSA-SIGN Known Answer Test:                    Passed
    Testing kernel KATS:
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES128-CMAC Known Answer Test:                   Passed
      AES-CBC Known Answer Test:                       Passed
    Testing libmd KATS:
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
    Testing Octeon KATS:
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      AES-CBC Known Answer Test:                       Passed
    Testing OpenSSL KATS:
      FIPS RNG Known Answer Test:                      Passed
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      FIPS ECDSA Known Answer Test:                    Passed
      FIPS ECDH Known Answer Test:                     Passed
      FIPS RSA Known Answer Test:                      Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      HMAC-SHA2-384 Known Answer Test:                 Passed
      HMAC-SHA2-512 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES-CBC Known Answer Test:                       Passed
      ECDSA-SIGN Known Answer Test:                    Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
      KDF-SSH Known Answer Test:                       Passed
    Testing QuickSec KATS:
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-224 Known Answer Test:                 Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      HMAC-SHA2-384 Known Answer Test:                 Passed
      HMAC-SHA2-512 Known Answer Test:                 Passed
      AES-CBC Known Answer Test:                       Passed
      AES-GCM Known Answer Test:                       Passed
      SSH-RSA-ENC Known Answer Test:                   Passed
      SSH-RSA-SIGN Known Answer Test:                  Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
      KDF-IKE-V2 Known Answer Test:                    Passed
    Testing SSH IPsec KATS:
      NIST 800-90 HMAC DRBG Known Answer Test:         Passed
      DES3-CBC Known Answer Test:                      Passed
      HMAC-SHA1 Known Answer Test:                     Passed
      HMAC-SHA2-256 Known Answer Test:                 Passed
      SHA-2 Known Answer Test:                         Passed
      AES-CBC Known Answer Test:                       Passed
      SSH-RSA-ENC Known Answer Test:                   Passed
      SSH-RSA-SIGN Known Answer Test:                  Passed
      KDF-IKE-V1 Known Answer Test:                    Passed
    Testing crypto integrity:
      Crypto integrity Known Answer Test:              Passed
    FIPS Critical Function tests...
    expecting an exec error:
    veriexec: no fingerprint for file='/sbin/kats/cannot-exec.real' fsid=74 fileid=74064 uid=0 pid=305
    FIPS self tests completed.

    Note: The module implements cryptographic libraries and algorithms that are not utilized in the approved mode of operation.

    Modified: 2016-07-14