Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Known Answer Test (KAT)

The cryptographic module enforces security rules to ensure that the Junos OS in FIPS mode meets the security requirements of FIPS 140-3 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs the following series of KAT self-tests:

  • kernel_kats—KAT for kernel cryptographic routines.

  • macsec_kats—KAT for MACsec cryptographic implementation.

  • md_kats—KAT for libmd and libc

  • openssl_kats—KAT for OpenSSL cryptographic implementation.

  • quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation.

Note:

You must run the LC KATs using AES-GCM-128 and AES-GCM-256 to meet MACsec requirements.

The device automatically performs the KAT self-tests at startup. The device also performs the conditional self-tests automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA keypairs, and manually entered keys.

After successful completion of the KATs, the device updates the log (syslog) file with the executed tests.

If one of the KATs fail, the device reboots continuously. You can reboot the device using a USB install media package.

The file show /var/log/messages command displays the system log.

Note:

The device implements cryptographic libraries and algorithms that are not used in the FIPS-approved mode of operation.