Understanding FIPS Self-Tests

• kernel_kats—KAT for kernel cryptographic routines

• md_kats—KAT for libmd and libc

• openssl_kats—KAT for OpenSSL cryptographic implementation

• quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation

• quicksec_7_0_kats—KAT for QuickSec_7_0 Toolkit cryptographic implementation

• ssh_ipsec_kats—KAT for SSH IPsec Toolkit cryptographic implementation

• octcrypto_kats—KAT for Octeon (branch SRX Series devices only)

• macsec_kats—KAT for Media Access Control Security

The KAT self-tests are performed automatically at startup and reboot, regardless of whether FIPS mode of operation is enabled on the device. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and DSA key pairs, and manually entered keys.

If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.

If the device fails a KAT, the device writes the details to a system log file, enters FIPS error state (panic), and reboots.

The file show /var/log/messages command displays the system log.

Performing Power-On Self-Tests on the Device

Each time the cryptographic module is powered on, the module tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. Power-on self-tests are performed on demand by power cycling the module.

On powering on or resetting the device, the module performs the following self-tests. All KATs must be completed successfully prior to any other use of cryptography by the module. If one of the KATs fail, the module enters the Critical Failure error state.

The module displays the following status output for SRX345 devices while running the power-on self-tests: