Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode of operation meets the security requirements of FIPS 140-3 Level 2. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:
-
kernel_kats
—KAT for kernel cryptographic routines -
md_kats
—KAT for libmd and libc -
openssl_kats
—KAT for OpenSSL cryptographic implementation -
openssl-102_kats
—KAT for OpenSSL v1.0.2 cryptographic implementation -
quicksec_7_0_kats
—KAT for Quicksec_7_0Toolkit cryptographic implementation -
octcrypto_kats
—KAT for Octeon
The KAT self-tests are performed automatically at startup and reboot, when FIPS mode of operation is enabled on the device. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA key pairs, and manually entered keys.
If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.
If the device fails a KAT, the device writes the details to a system log file, enters FIPS error state (panic), and reboot.
The file show /var/log/messages
command displays the system log.
Proceed with normal operation after the reboot is complete. If an error occurs, please contact the Juniper Networks Technical Assistance Center (JTAC).
You must have administrative privileges to configure FIPS self-tests. The device must be running the evaluated version of Junos OS in FIPS mode software.
In this example, the FIPS self-test is executed at 9:00 AM in New York City, USA, every Wednesday.
Performing Power-On Self-Tests on the Device
Each time the cryptographic module is powered on, the module tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. Power-on self-tests are performed on demand by power cycling the module. On powering on or resetting the device, the module performs the following self-tests. All KATs must be completed successfully prior to any other use of cryptography by the module. If one of the KATs fail, the module enters the Critical Failure error state. The module displays the following status output for SRX5400 and SRX5800 devices while running the power-on self-tests:The module displays the following status output for SRX5400 and SRX5800 devices while failure of the power-on self-tests:
Testing kernel KATS: panic: pid 2121 (kernel_kats), uid 0, FIPS error 1: NIST 800-90 HMAC DRBG Known Answer Test: Failed Testing libmd KATS: panic: pid 91115 (md_kats), uid 0, FIPS error 1: HMAC-SHA1 Known Answer Test: Failed Testing OpenSSL v1.0.2 KATS: panic: pid 20121 (openssl-102_kats), uid 0, FIPS error 1: NIST 800-90 HMAC DRBG Known Answer Test: Failed Testing JSF Crypto (Octeon) KATs: panic: pid 2231 (jsf_crypto_octeon_k), uid 0, FIPS error 1: AES-GCM Known Answer Test: Failed Testing OpenSSL KATS: panic: pid 2340 (openssl_kats), uid 0, FIPS error 1: NIST 800-90 HMAC DRBG Known Answer Test: Failed Testing QuickSec 7.0 KATS: panic: pid 37538 (quicksec_7_0_kats), uid 0, FIPS error 1: NIST 800-90 HMAC DRBG Known Answer Test: Failed