Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode of operation meets the security requirements of FIPS 140-2 Level 1. To validate the output of FIPS-approved cryptographic algorithms and to test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:
md_kats — KATs for libmd and libc
openssl_kats — KATs for the OpenSSL cryptographic implementation
kernel_kats — KATs for the kernel cryptographic routines
The KAT self-tests are performed automatically at startup and on reboot when FIPS mode of operation is enabled on the device. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA key pairs, and manually entered keys.
When the KATs complete successfully, the system log (syslog) file is updated to show the tests that were executed.
If the device fails a KAT, it writes the details to the system log file, enters the FIPS error state (panic), and reboots.
The file show /var/log/messages command displays the system log.
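A known answer test is nothing more than running an algorithm on a fixed input and comparing the result, in constant time, against a stored expected value; any mismatch means the implementation (or the binary carrying it) can no longer be trusted. The following Python is an added example, not Junos code, that runs a small set of KATs with the standard library and models the module's behaviour on failure (stop serving crypto and raise). The test names and the error-state exception are this example's own; the expected digests are the published FIPS 180 example values for SHA-256/SHA-512 of "abc" and RFC 4231 test case 1 for HMAC-SHA-256.

```python
import hashlib
import hmac

# Known-answer vectors, constructed here for the example. The SHA-256 and SHA-512
# digests of "abc" are the FIPS 180 example values; the HMAC-SHA-256 vector is
# RFC 4231 test case 1 (key = 0x0b repeated 20 times, data = "Hi There").
KAT_VECTORS = [
    ("SHA-2-256",
     lambda: hashlib.sha256(b"abc").digest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("SHA-2-512",
     lambda: hashlib.sha512(b"abc").digest(),
     "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
     "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    ("HMAC-SHA2-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).digest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class FipsSelfTestError(Exception):
    """A KAT produced the wrong answer: the module must not offer crypto services."""


def run_kats(vectors=KAT_VECTORS, fail_fast=True, log=print):
    """Run each KAT and return {test_name: "Passed" | "Failed"}.

    With fail_fast=True the first mismatch raises FipsSelfTestError, mirroring a
    module that enters its error state instead of continuing to serve requests.
    """
    results = {}
    for name, compute, expected_hex in vectors:
        expected = bytes.fromhex(expected_hex)
        actual = compute()
        # compare_digest is a constant-time comparison, the habit to keep for any
        # comparison of MAC or digest values even where timing is not a concern here.
        status = "Passed" if hmac.compare_digest(actual, expected) else "Failed"
        results[name] = status
        log(f"{name} Known Answer Test: {status}")
        if status == "Failed" and fail_fast:
            raise FipsSelfTestError(f"{name} KAT failed: module entering error state")
    return results


def tampered(vectors=KAT_VECTORS):
    """Return a copy of the vectors whose last expected digest has one bit flipped.

    Used to show that a wrong answer is detected; the computations are unchanged,
    only the stored expectation differs (a stand-in for a corrupted binary).
    """
    name, compute, expected_hex = vectors[-1]
    raw = bytes.fromhex(expected_hex)
    flipped = bytes([raw[0] ^ 0x01]) + raw[1:]
    return vectors[:-1] + [(name, compute, flipped.hex())]


if __name__ == "__main__":
    run_kats()
    try:
        run_kats(tampered())
    except FipsSelfTestError as exc:
        print("error state:", exc)
```

Running the block prints one "Known Answer Test: Passed" line per vector, in the same shape as the device's syslog entries, and then shows the error-state path when a corrupted expectation is supplied.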
Performing Power-On Self-Tests on the Device
Each time the cryptographic module is powered on, the module tests that the cryptographic algorithms still operate correctly and that sensitive data has not been compromised.
The module displays the following status output while running the power-on self-tests:
@ 1556787428 [2020-05-02 08:57:08 UTC] mgd start
Creating initial configuration: ...
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-384 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES256-CMAC Known Answer Test: Passed
mgd: AES-ECB Known Answer Test: Passed
mgd: AES-KEYWRAP Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: FIPS ECDSA Known Answer Test: Passed
mgd: FIPS ECDH Known Answer Test: Passed
mgd: FIPS RSA Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-SSH-SHA256 Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: SSH-ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Testing crypto integrity:
mgd: Crypto integrity Known Answer Test: Passed
mgd: Expect an everiexec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=212 fileid=49356 gen=1 uid=0 pid=6480 xec Authentication error...
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self-tests Passed
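Because the device reports each KAT and the final verdict to syslog, the output above can be audited after the fact, for instance by feeding the result of file show /var/log/messages into a script. The following Python is an added example, not part of the Junos documentation or software; it parses the three line shapes seen in the output (a "Testing ... KATS:" group header, an individual "Known Answer Test: Passed/Failed" result, and the final "FIPS Self-tests ..." summary) and flags any failed test or missing summary. The two sample excerpts are constructed in the same format, not real captures, and the failing one also omits the summary line, which is what a boot that ended in the FIPS error state would leave behind.

```python
import re

# Regexes for the three line shapes in the module's self-test output. search() is
# used rather than match() so that a syslog timestamp/host prefix does not matter.
GROUP_RE = re.compile(r"mgd: Testing (?P<group>.+?):\s*$")
TEST_RE = re.compile(r"mgd: (?P<test>.+?) Known Answer Test: (?P<status>Passed|Failed)\s*$")
FINAL_RE = re.compile(r"mgd: FIPS Self-tests (?P<status>Passed|Failed)\s*$")


def parse_self_test_log(text):
    """Return (records, final_status).

    records is a list of (group, test, status) tuples in log order; final_status is
    the status word from the 'FIPS Self-tests ...' summary line, or None if absent.
    """
    records, group, final_status = [], None, None
    for line in text.splitlines():
        m = TEST_RE.search(line)
        if m:
            records.append((group, m.group("test"), m.group("status")))
            continue
        m = GROUP_RE.search(line)
        if m:
            group = m.group("group")
            continue
        m = FINAL_RE.search(line)
        if m:
            final_status = m.group("status")
    return records, final_status


def audit_self_test_log(text):
    """Return (records, problems); an empty problems list means the boot was clean."""
    records, final_status = parse_self_test_log(text)
    problems = [f"{group}/{test}: {status}"
                for group, test, status in records if status != "Passed"]
    if not records:
        problems.append("no KAT result lines found")
    if final_status != "Passed":
        problems.append(f"final summary: {final_status or 'missing'}")
    return records, problems


# Constructed sample excerpt in the shape of the device's output (not a real capture).
SAMPLE_CLEAN = """\
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: FIPS Self-tests Passed
"""

# Constructed: one KAT fails and the summary line never appears, as it would not
# when the module panics and reboots before finishing the sequence.
SAMPLE_FAILED = """\
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: SHA-2-512 Known Answer Test: Failed
"""

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("failed", SAMPLE_FAILED)):
        records, problems = audit_self_test_log(sample)
        print(f"{label}: {len(records)} KAT results, problems={problems}")
```

Treating a missing summary line as a problem, and not only an explicit "Failed", matters: a device that panicked mid-sequence leaves no failure summary behind, so a check that only searches for the word "Failed" can miss it.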
The module implements cryptographic libraries and algorithms that are not used in the approved mode of operation.