Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding FIPS Self-Tests

The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode of operation meets the security requirements of FIPS 140-3 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:

  • kernel—KAT for kernel cryptographic routines

  • MACSec—KAT for MACsec cryptographic implementation

  • libmd—KAT for libmd

  • OpenSSL v1.0.2—KAT for OpenSSL v1.0.2 cryptographic implementation

  • OpenSSL—KAT for OpenSSL cryptographic implementation

  • QuickSec 7.0—KAT for Quicksec 7.0 Toolkit cryptographic implementation

  • QuickSec—KAT for QuickSec Toolkit cryptographic implementation

  • SSH IPsec—KAT for SSH IPsec Toolkit cryptographic implementation

The KAT self-tests are performed automatically at startup and reboot when FIPS mode of operation is enabled on the device. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and DSA key pairs, and manually entered keys.

On demand, self tests can be executed by entering request system fips self-test at command line.

If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.

If the device fails a KAT, the device writes the details to a system log file, enters FIPS error state (panic), and reboots.

The file show /var/log/messages command displays the system log. See FPT_TST_EXT.1 under Table 1.

Performing Power-On Self-Tests on the Device

Each time the cryptographic module is powered on, the module tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged.

The module displays the following status output while running the power-on self-tests:

Note:

The module implements cryptographic libraries and algorithms that are not utilized in the approved mode of operation.