Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding FIPS Self-Tests

The cryptographic module enforces security rules to ensure that an NFX device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-3 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the system performs the following series of known answer test (KAT) self-tests:

  • kernel_kats—KAT for kernel cryptographic routines

  • macsec_kats—KAT for MACsec cryptographic implementation

  • md_kats—KAT for libmd and libc

  • openssl-102_kats—KAT for OpenSSL v1.0.2 cryptographic implementation

  • openssl_kats—KAT for OpenSSL cryptographic implementation

  • quicksec-7_0_kats—KAT for QuickSec 7.0 Toolkit cryptographic implementation

  • quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation

  • ssh_ipsec_kats—KAT for SSH IPsec Toolkit cryptographic implementation

The KAT self-tests are performed automatically at startup and reboot, regardless of whether FIPS mode is enabled on the NFX device. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA key pairs, and manually entered keys.

If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.

During bootup entropy health test is performed. The system software integrity check is done during bootup. Each software module is verified before being loaded. The messages pertaining to the entropy health check and software integrity checks can be viewed on the console during system bootup.

If any of the self-tests fails, the device panics and reboot continuously. The device can be recovered using a fresh USB installation of the image.

The file show /var/log/messages command displays the system log.