Configuring FIPS· 1

FIPS overview·· 1

Configuring FIPS· 1

Prerequisites 1

Enabling FIPS mode· 1

Settings changed by enabling FIPS mode· 1

FIPS self-tests 2

Power-up self-tests 2

Conditional self-tests 2

Triggered self-test 2

Displaying and maintaining FIPS· 2

FIPS overview

The Federal Information Processing Standard (FIPS) 140-2, developed by the National Institute of Standard and Technology (NIST) of the United States, specifies the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. The device supports Level 2.

Unless otherwise noted, FIPS in the document refers to FIPS 140-2.

Configuring FIPS

After you enable FIPS mode, the system has strict security requirements, and performs self-test on cryptography modules to make sure that they work normally.

Prerequisites

Before enabling FIPS mode, complete the following tasks:

·     Configure the login username and password.

The password must comprise no less than 6 characters and must contain uppercase and lowercase letters, digits, and special characters.

·     Delete all MD5-based digital certificates.

·     Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.

Enabling FIPS mode

After enabling FIPS mode, you must restart the device to validate the configuration.

To enable FIPS mode:

Settings changed by enabling FIPS mode

After you enable FIPS mode and restart the device, the following changes occur:

·     The FTP/TFTP server is disabled.

·     The Telnet server is disabled.

·     The HTTP server is disabled.

·     SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.

·     The SSL server only supports TLS1.0.

·     The SSH server does not support SSHv1 clients

·     Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.

·     SSH, SNMPv3, IPsec and SSL do not support DES, RC4, or MD5.

FIPS self-tests

When the device works in FIPS mode, it has self-test mechanisms, including power-up self-tests and conditional self-tests, to ensure the normal operation of cryptography modules. If either type of tests fails, the device restarts.

Power-up self-tests

Power-up self-tests, also called “known-answer tests”, check the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the known-answer test fails.

Power-up self-tests check the following cryptographic algorithms: DSA (signature and authentication), RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, HMAC-SHA1, and random number generator algorithms.

Conditional self-tests

Conditional self-tests are run when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following:

·     Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If the decryption is successful, the test succeeds. Otherwise, the test fails.

·     Continuous random number generator test—This test is run when a random number is generated. If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test is also run when a DSA/RSA asymmetrical key pair is generated.

Triggered self-test

To verify whether the cryptography modules operate normally, use this command to trigger a self-test on the password algorithms. The triggered self-test is the same as the power-up self-test when the device starts up.

If the self-test fails, the device automatically reboots.

To trigger a self-test:

Displaying and maintaining FIPS