Understanding FIPS Self-Tests
The cryptographic module enforces security rules so that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode of operation meets the security requirements of FIPS 140-2 Level 2. To validate the output of the FIPS-approved cryptographic algorithms and to test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:
kernel_kats—KAT for kernel cryptographic routines
md_kats—KAT for libmd and libc
openssl_kats—KAT for the OpenSSL cryptographic implementation
quicksec_7_0_kats—KAT for the QuickSec Toolkit cryptographic implementation
octcrypto_kats—KAT for Octeon
JSF_Crypto_(Octeon)_KATS—KAT for JSF Crypto Octeon
The KAT self-tests run automatically at startup and on every reboot when FIPS mode of operation is enabled on the device. Conditional self-tests also run automatically; they verify digitally signed software packages, generated random numbers, RSA and DSA key pairs, and manually entered keys.
When the KATs complete successfully, the system log (syslog) file is updated to show the tests that ran.
If the device fails a KAT, it writes the details to the system log file, enters the FIPS error state (panic), and reboots. Because the device panics before it finishes, a log that ends without the final "FIPS Self-tests Passed" line is itself a sign that the self-tests did not complete.
The file show /var/log/messages command displays the system log.
Performing Power-On Self-Tests on the Device
Each time the cryptographic module is powered on, the module tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. Power-on self-tests can be run on demand by power-cycling the module.
When the device is powered on or reset, the module performs the following self-tests. All KATs must complete successfully before the module uses cryptography. If any KAT fails, the module enters a critical error state.
The module displays the following status output for SRX345 and SRX380 devices while it runs the power-on self-tests.
Verified jboot signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Verified junos signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
veriexec: cannot update veriexec for /usr/lib/libext_db.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libxml2.so.3: Too many links
veriexec: cannot update veriexec for /usr/lib/libyaml.so.3: Too many links
veriexec: cannot update veriexec for /var/jailetc/mime.types: No such file or directory
veriexec: cannot update veriexec for /var/jailetc/php_mod.ini: No such file or directory
Verified junos-20.2 signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Checking integrity of BSD labels:
s1: Passed
s2: Passed
s3: Passed
s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 599646 free (30 frags, 74952 blocks, 0.0% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 18789959 free (471 frags, 2348686 blocks, 0.0% fragmentation)
Checking integrity of licenses:
DemoLabJUNOS634993695.lic: No recovery data
DemoLabJUNOS747689902.lic: No recovery data
DemoLabJUNOS867795690.lic: No recovery data
Checking integrity of configuration:
rescue.conf.gz: No recovery data
LPC bus driver lpcbus0 on cpld0
tpm0: <Trusted Platform Module> on lpcbus0
tpm: IFX SLB 9660 TT 1.2 rev 0x10
Loading configuration ...
mgd: warning: schema: dbs_remap_daemon_index: could not find daemon name 'ikemd'
mgd: Running FIPS Self-tests
mgd: Testing JSF Crypto (Octeon) KATs:
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: RSA-SIGN Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-384 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES256-CMAC Known Answer Test: Passed
mgd: AES-ECB Known Answer Test: Passed
mgd: AES-KEYWRAP Known Answer Test: Passed
mgd: KBKDF Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing Octeon KATS:
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: FIPS ECDSA Known Answer Test: Passed
mgd: FIPS ECDH Known Answer Test: Passed
mgd: FIPS RSA Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-SSH-SHA256 Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answveriexec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=83 fileid=5048524 gen=1 uid=0 pid=1073 er Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: SSH-ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Testing crypto integrity:
mgd: Crypto integrity Known Answer Test: Passed
mgd: Expect an exec Authentication error...
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self-tests Passed
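Reading several screens of this output by eye is error-prone, and the interesting case is the one the page describes but does not show: a KAT that fails, after which the device panics and the log simply stops. The following script is an added example (it is not Juniper code and is not part of the original page). It parses the mgd: ... Known Answer Test: lines, groups them by the preceding mgd: Testing ... KATS: line, and reports any test that did not pass, any required test that was never reported, and a missing final FIPS Self-tests Passed line. The sample log is constructed from an abbreviated excerpt of the output above with a syslog-style prefix added; the "Failed" wording in the failing sample and the list of required KATs are assumptions, because the page shows only passing output. In practice, save the output of the file show /var/log/messages command to a file and pass that file as the argument.

```python
"""Audit Junos FIPS self-test results from syslog or console output.

Added example, not Juniper code. It relies only on the line shapes visible in
the SRX power-on output on this page:
    mgd: Testing <section> KATS:
    mgd: <name> Known Answer Test: Passed
    mgd: FIPS Self-tests Passed
Any result other than "Passed" on a KAT line is treated as a failure; the exact
failure wording is not shown on the page, so "Failed" below is an assumption.
"""
import re
import sys

SECTION_RE = re.compile(r"mgd: Testing (?P<section>.+?)(?: KATS)?:\s*$", re.IGNORECASE)
KAT_RE = re.compile(r"mgd: (?P<name>.+?) Known Answer Test: (?P<result>\S+)")
FINAL_RE = re.compile(r"mgd: FIPS Self-tests (?P<result>\S+)")

# Operator policy (assumption): KATs whose absence from the log is itself flagged.
# The full expected set depends on platform and release.
REQUIRED_KATS = (
    ("kernel", "NIST 800-90 HMAC DRBG"),
    ("OpenSSL", "NIST 800-90 HMAC DRBG"),
    ("OpenSSL", "AES-GCM"),
    ("file integrity", "File integrity"),
    ("crypto integrity", "Crypto integrity"),
)


def parse_fips_self_tests(lines):
    """Return (sections, final). sections maps section name -> {KAT name: result}
    in log order; final is the word after "FIPS Self-tests", or None if absent.
    A syslog timestamp/hostname prefix before "mgd:" is ignored."""
    sections, current, final = {}, None, None
    for line in lines:
        m = FINAL_RE.search(line)
        if m:
            final = m.group("result")
            continue
        m = SECTION_RE.search(line)
        if m:
            current = m.group("section")
            sections.setdefault(current, {})
            continue
        m = KAT_RE.search(line)
        if m:
            sections.setdefault(current or "(no section)", {})[m.group("name")] = m.group("result")
    return sections, final


def evaluate(sections, final, required=REQUIRED_KATS):
    """Return (ok, problems). ok is True only if every reported KAT passed, every
    required KAT was reported, and the final verdict line says Passed."""
    problems = []
    for section, tests in sections.items():
        for name, result in tests.items():
            if result != "Passed":
                problems.append(f"{section}: {name} reported {result}")
    for section, name in required:
        if name not in sections.get(section, {}):
            problems.append(f"required KAT not reported: {section}: {name}")
    if final != "Passed":
        problems.append(f"final verdict line: {final or 'absent'}")
    return not problems, problems


def audit(text):
    """Parse and evaluate a whole log in one call."""
    return evaluate(*parse_fips_self_tests(text.splitlines()))


# Constructed sample: an abbreviated excerpt in the shape of the SRX output on
# this page, with a syslog-style prefix added. Not a real device capture.
PASS_LOG = """\
Jan  1 00:00:01 srx mgd: Running FIPS Self-tests
Jan  1 00:00:01 srx mgd: Testing JSF Crypto (Octeon) KATs:
Jan  1 00:00:01 srx mgd: AES-CBC Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: AES-GCM Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: Testing kernel KATS:
Jan  1 00:00:01 srx mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: HMAC-SHA2-256 Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: Testing OpenSSL KATS:
Jan  1 00:00:01 srx mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: AES-GCM Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: Testing file integrity:
Jan  1 00:00:01 srx mgd: File integrity Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: Testing crypto integrity:
Jan  1 00:00:01 srx mgd: Crypto integrity Known Answer Test: Passed
Jan  1 00:00:01 srx mgd: Expect an exec Authentication error...
Jan  1 00:00:01 srx mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
Jan  1 00:00:01 srx mgd: FIPS Self-tests Passed
"""

# Constructed failing sample: the OpenSSL AES-GCM KAT fails and, because the
# device panics and reboots on a KAT failure, the final verdict line never appears.
_fail = PASS_LOG.splitlines()[:-1]
_fail[9] = _fail[9].replace("Passed", "Failed")  # line 9 is the OpenSSL AES-GCM KAT
FAIL_LOG = "\n".join(_fail) + "\n"

if __name__ == "__main__":
    # Usage: python fips_kat_audit.py <saved output of "file show /var/log/messages">
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PASS_LOG
    ok, problems = audit(text)
    print("FIPS self-tests OK" if ok else "FIPS self-tests NOT OK:\n  " + "\n  ".join(problems))
    sys.exit(0 if ok else 1)
```

The parser deliberately treats anything other than the literal word Passed as a failure, and a log without the closing FIPS Self-tests Passed line as a failure, so it does not depend on guessing the exact text the device prints when a KAT fails. The required-KAT list is the place to encode what the platform is expected to test; tighten it to the full set printed by a known-good boot of the same release.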
The module also implements cryptographic libraries and algorithms that are not used in the approved mode of operation.