425
Configuring FIPS
Overview
Federal Information Processing Standards (FIPS), developed by the National Institute of Standard and
Technology (NIST) of the United States, specify the requirements for cryptography modules. FIPS 140-2
defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the switch
supports Level 2.
Unless otherwise noted, FIPS in the document refers to FIPS 140-2.
FIPS self-tests
When the device operates in FIPS mode, it has self-test mechanisms, including the power-up self-test and
conditional self-tests, to ensure the normal operation of cryptography modules. You can also trigger a
self-test. If a self-test fails, the device restarts.
CAUTION:
If the switch reboots repeatedly, it mi
ht be caused by software failures or hardware dama
es. Contact
technical support engineers to upgrade the software or repair the damaged hardware.
Power-up self-test
The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed
cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is
already known. The calculated output is compared with the known answer. If they are not identical, the
known-answer test fails.
Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator
module is invoked. Conditional self-tests include the following types:
• Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It
uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If
the decryption is successful, the test succeeds. Otherwise, the test fails.
• Continuous random number generator test—This test is run when a random number is generated in
FIPS mode. If two consecutive random numbers are different, the test succeeds. Otherwise, the test
fails.
Triggering a self-test
To examine whether the cryptography modules operate normally, you can use a command to trigger a
self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.
To Next Page
Loading...
Need help?
General