R3303-HP HSR6800 Routers Security Configuration Guide

Configuring FIPS

Overview

Federal Information Processing Standards (FIPS), developed by the National Institute of Standard and

Technology (NIST) of the United States, specify the security requirements for cryptographic modules. FIPS

140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. Currently, the

device supports Level 2.

Unless otherwise noted, FIPS in the document refers to FIPS 140-2.

FIPS self-tests

CAUTION:

If the device reboots repeatedly, it mi

ht be caused by software failures or hardware dama

es. Contact

technical support engineers to upgrade the software or repair the damaged hardware.

When the switch operates in FIPS mode, it has self-test mechanisms, including the power-up self-test and

conditional self-tests, to ensure the normal operation of cryptography modules.

Power-up self-tests

The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed

cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is

already known. The calculated output is compared with the known answer. If they are not identical, the

known-answer test fails.

The power-up self-test examines the following cryptographic algorithms:

Table 16 List of power-up self-tests

e O

erations

Cryptographic algorithm

self-tests

Test the following algorithms:

• DSA (signature and authentication)

• RSA (signature and authentication)

• RSA (encryption and decryption)

• AES

• 3DES

• SHA1

• SHA256

• SHA512

• HMAC-SHA1

• Random number generator algorithms