About FIPS Self-Tests
The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode of operation meets the security requirements of FIPS 140-2 Level 2. To verify the output of FIPS-approved cryptographic algorithms and to test the integrity of certain system modules, the module runs the following series of known answer test (KAT) self-tests:
- kernel_kats: KATs for the kernel cryptographic routines
- md_kats: KATs for libmd and libc
- openssl_kats: KATs for the OpenSSL cryptographic implementation
- quicksec_7_0_kats: KATs for the QuickSec Toolkit cryptographic implementation
- octcrypto_kats: KATs for Octeon
- JSF_Crypto_(Octeon)_KATS: KATs for JSF Crypto on Octeon
The KAT self-tests run automatically at startup and on every reboot when FIPS mode of operation is enabled on the device. Conditional self-tests run automatically to verify digitally signed software packages, generated random numbers, RSA and DSA key pairs, and manually entered keys.
When the KATs complete successfully, the system log (syslog) file is updated to show the tests that were run.
If a KAT fails on the device, the device writes the details to the system log file, enters the FIPS error state (panic), and reboots.
The file show /var/log/messages command displays the system log.
Running Power-On Self-Tests on the Device
Each time the cryptographic module is powered on, it tests that the cryptographic algorithms operate correctly and that sensitive data has not been damaged. The power-on self-tests can be run on demand by power cycling the module.
When the device is powered on or reset, the module runs the following self-tests. All KATs must complete successfully before the module uses any other cryptography. If any one of the KATs fails, the module enters a critical failure error state.
While the power-on self-tests are running, the module displays the following status output on SRX345 and SRX380 devices.
Verified jboot signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Verified junos signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
veriexec: cannot update veriexec for /usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libxml2.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /var/jailetc/php_mod.ini: No such file or directory
Verified junos-20.2 signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Checking integrity of BSD labels:
s1: Passed
s2: Passed
s3: Passed
s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 599646 free (30 frags, 74952 blocks, 0.0% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 18789959 free (471 frags, 2348686 blocks, 0.0% fragmentation)
Checking integrity of licenses:
DemoLabJUNOS634993695.lic: No recovery data
DemoLabJUNOS747689902.lic: No recovery data
DemoLabJUNOS867795690.lic: No recovery data
Checking integrity of configuration:
rescue.conf.gz: No recovery data
LPC bus driver lpcbus0 on cpld0
tpm0: <Trusted Platform Module> on lpcbus0
tpm: IFX SLB 9660 TT 1.2 rev 0x10
Loading configuration ...
mgd: warning: schema: dbs_remap_daemon_index: could not find daemon name 'ikemd'
mgd: Running FIPS Self-tests
mgd: Testing JSF Crypto (Octeon) KATs:
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: RSA-SIGN Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-384 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES256-CMAC Known Answer Test: Passed
mgd: AES-ECB Known Answer Test: Passed
mgd: AES-KEYWRAP Known Answer Test: Passed
mgd: KBKDF Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing Octeon KATS:
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: FIPS ECDSA Known Answer Test: Passed
mgd: FIPS ECDH Known Answer Test: Passed
mgd: FIPS RSA Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-SSH-SHA256 Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answveriexec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=83 fileid=5048524 gen=1 uid=0 pid=1073
er Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: SSH-ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Testing crypto integrity:
mgd: Crypto integrity Known Answer Test: Passed
mgd: Expect an exec Authentication error...
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self-tests Passed
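As an added example (not Juniper's code and not part of the original page), the following Python checker parses the mgd: KAT lines of the kind shown in the syslog output above, groups them by test suite, and reports any test that did not pass or a missing final verdict, which is what an operator auditing /var/log/messages after a FIPS-mode boot wants to know. The sample log is constructed and includes one deliberately failed test.

```python
import re

# Constructed sample modelled on the console output above; not a real capture.
SAMPLE_LOG = """\
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: FIPS RSA Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Failed
mgd: Expect an exec Authentication error...
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
"""

GROUP_RE = re.compile(r"mgd: Testing (.+?):\s*$")
KAT_RE = re.compile(r"mgd: (.+?) Known Answer Test: (Passed|Failed)\s*$")
FINAL_RE = re.compile(r"mgd: FIPS Self-tests (Passed|Failed)\s*$")

def parse_kats(log_text):
    """Return (results, final): results maps KAT group -> {test: status},
    final is the verdict of the 'FIPS Self-tests' line, or None if absent."""
    results, group, final = {}, "ungrouped", None
    for line in log_text.splitlines():
        if m := GROUP_RE.search(line):
            group = m.group(1)
            results.setdefault(group, {})
        elif m := KAT_RE.search(line):
            results.setdefault(group, {})[m.group(1)] = m.group(2)
        elif m := FINAL_RE.search(line):
            final = m.group(1)
    return results, final

def failed_kats(log_text):
    """List (group, test) pairs whose status is not 'Passed'. The
    'cannot-exec: Authentication error' line is the expected veriexec
    negative test, so it is not a KAT line and is never counted."""
    results, _ = parse_kats(log_text)
    return [(g, t) for g, tests in results.items()
            for t, s in tests.items() if s != "Passed"]

def fips_selftests_ok(log_text):
    """True only if every KAT passed and the final verdict line reads Passed;
    a missing verdict means the run did not complete (the device may have
    entered the FIPS error state and rebooted)."""
    _, final = parse_kats(log_text)
    return final == "Passed" and not failed_kats(log_text)
```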
The module also implements cryptographic libraries and algorithms that are not used in the approved mode of operation.