Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

FIPS Self-Tests Overview

The cryptographic module enforces security rules to ensure that the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-3 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:

  • kernel_kats—KAT for kernel cryptographic routines

  • macsec_kats—KAT for MACsec cryptographic implementation

  • md_kats—KAT for libmd and libc

  • openssl_kats—KAT for OpenSSL cryptographic implementation

  • quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation

Note:

For MACsec qualifications, the LC KATs has to perform on AES-GCM-128 and AES-GCM-256.

The KAT self-tests are performed automatically at startup. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA key pairs, and manually entered keys.

If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.

If one of the KATs fail, the device panics and reboot continuously. The device can be recovered using USB install.

The file show /var/log/messages command displays the system log.

Note:

The module implements cryptographic libraries and algorithms that are not utilized in the approved mode of operation.