FIPS セルフテストについて
この暗号化モジュールでは、FIPS 動作モードでジュニパーネットワークス Junos オペレーティング システム(Junos OS)を実行しているデバイスが FIPS 140-2 レベル 1 のセキュリティ要件を満たしていることを確認するためのセキュリティ ルールが適用されます。FIPS で承認された暗号アルゴリズムの出力を検証し、一部のシステム モジュールの整合性をテストするために、次の一連の既知の回答テスト(KAT)自己テストを実行します。
md_kats
- libmd および libc の KATopenssl_kats
- OpenSSL 暗号化実装用の KATkernel_kats
──カーネル暗号化ルーチン向け KAT
KAT セルフテストは、デバイスで FIPS 動作モードが有効になっているときに、起動時および再起動時に自動的に実行されます。条件付き自己テストは、デジタル署名されたソフトウェアパッケージ、生成された乱数、RSAおよびECDSAキーペア、および手動で入力されたキーを検証するために自動的に実行されます。
KAT が正常に完了すると、システム ログ(syslog)ファイルが更新され、実行されたテストが表示されます。
デバイスで KAT に障害が発生した場合、デバイスは詳細をシステム ログ ファイルに書き込み、FIPS エラー状態(パニック)に入り、再起動します。
コマンドは file show /var/log/messages
、システム ログを表示します。
デバイスでの電源オンセルフテストの実行
暗号化モジュールの電源が入る度に、モジュールは、暗号化アルゴリズムが正しく動作し、機密データが損傷されていないことをテストします。
このモジュールは、power-on セルフテストの実行中に、以下のステータス出力を表示します。
@ 1556787428 [2020-05-02 08:57:08 UTC] mgd start Creating initial configuration: ... mgd: Running FIPS Self-tests mgd: Testing kernel KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: SHA-2-384 Known Answer Test: Passed mgd: SHA-2-512 Known Answer Test: Passed mgd: AES128-CMAC Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: Testing MACSec KATS: mgd: AES128-CMAC Known Answer Test: Passed mgd: AES256-CMAC Known Answer Test: Passed mgd: AES-ECB Known Answer Test: Passed mgd: AES-KEYWRAP Known Answer Test: Passed mgd: Testing libmd KATS: mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: SHA-2-512 Known Answer Test: Passed mgd: Testing OpenSSL KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: FIPS ECDSA Known Answer Test: Passed mgd: FIPS ECDH Known Answer Test: Passed mgd: FIPS RSA Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: ECDSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-SSH-SHA256 Known Answer Test: Passed mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed mgd: Testing QuickSec 7.0 KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: SSH-ECDSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-IKE-V2 Known Answer Test: Passed mgd: Testing QuickSec KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-224 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: HMAC-SHA2-384 Known Answer Test: Passed mgd: HMAC-SHA2-512 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: AES-GCM Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: KDF-IKE-V2 Known Answer Test: Passed mgd: Testing SSH IPsec KATS: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed mgd: DES3-CBC Known Answer Test: Passed mgd: HMAC-SHA1 Known Answer Test: Passed mgd: HMAC-SHA2-256 Known Answer Test: Passed mgd: AES-CBC Known Answer Test: Passed mgd: SSH-RSA-ENC Known Answer Test: Passed mgd: SSH-RSA-SIGN Known Answer Test: Passed mgd: KDF-IKE-V1 Known Answer Test: Passed mgd: Testing file integrity: mgd: File integrity Known Answer Test: Passed mgd: Testing crypto integrity: mgd: Crypto integrity Known Answer Test: Passed mgd: Expect an everiexec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=212 fileid=49356 gen=1 uid=0 pid=6480 xec Authentication error... mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error mgd: FIPS Self-tests Passed
このモジュールは、承認された運用モードでは使用されない暗号ライブラリとアルゴリズムを実装しています。