R3303-HP HSR6800 Routers Security Configuration Guide
Type: Cryptographic engine self-tests
Operations: Test the following algorithms used by cryptographic engines:
• DSA (signature and authentication)
• RSA (signature and authentication)
• RSA (encryption and decryption)
• AES
• 3DES
• SHA1
• HMAC-SHA1
• Random number generator algorithms
Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator
module is invoked. Conditional self-tests include the following types:
• Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It
uses the public key to encrypt a plaintext, and uses the private key to decrypt the resulting ciphertext.
If the decryption recovers the original plaintext, the test succeeds. Otherwise, the test fails.
• Continuous random number generator test—This test is run when a random number is generated.
If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test
can also be run when a DSA/RSA asymmetrical key-pair is generated.
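The two conditional self-tests above, written out as an added example (not code from the guide or from the router's own cryptographic engine): a pair-wise consistency test that encrypts with the public key and decrypts with the private key, and a continuous random number generator test that rejects two identical consecutive outputs. It assumes textbook RSA at a toy 256-bit size with no padding, generated from Python's standard library only, and raises a hypothetical SelfTestFailure where the guide says the device would reboot.

```python
import secrets
from math import gcd

class SelfTestFailure(Exception):
    """A conditional self-test failed; the guide says the device then reboots."""

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    # Miller-Rabin; callers only pass odd n > 3. Write n - 1 = d * 2**r with d odd.
    r = ((n - 1) & -(n - 1)).bit_length() - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:  # force the top bit (size) and the low bit (odd)
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def pairwise_consistency_test(public, private, plaintext: int = 12345) -> bool:
    # Encrypt with the public key, decrypt with the private key, compare with the input
    (n, e), (n_priv, d) = public, private
    return pow(pow(plaintext, e, n), d, n_priv) == plaintext

def continuous_rng_test(outputs) -> bool:
    # Every output must differ from the one immediately before it
    values = list(outputs)
    return all(a != b for a, b in zip(values, values[1:]))

def generate_rsa_keypair(bits: int = 256):
    # Toy textbook RSA (no padding): returns (n, e), (n, d) only after both conditional tests pass
    e = 65537
    p, q = _random_prime(bits // 2), _random_prime(bits // 2)
    while p == q or gcd(e, (p - 1) * (q - 1)) != 1:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
    public, private = (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))
    if not pairwise_consistency_test(public, private):
        raise SelfTestFailure("pair-wise consistency test failed")
    if not continuous_rng_test(secrets.randbits(64) for _ in range(4)):
        raise SelfTestFailure("continuous random number generator test failed")
    return public, private
```

A private key that does not belong to the public key fails the pair-wise test, which is exactly the corruption the test exists to catch before a bad key is put into service.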
Triggering a self-test
To examine whether the cryptography modules operate correctly, you can use a command to trigger a
self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the
self-test fails, the device automatically reboots.
To trigger a self-test:
Step                      Command
1. Enter system view.     system-view
2. Trigger a self-test.   fips self-test
Configuration changes in FIPS mode
After you enable FIPS mode and restart the device, the following changes occur:
• The FTP/TFTP server is disabled.
• The Telnet server is disabled.
• The HTTP server is disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.