HP VPN Firewall Appliances Access Control Configuration Guide
Settings changed by enabling FIPS mode
After you enable FIPS mode and restart the device, the following changes occur.
• The FTP/TFTP server is disabled.
• The Telnet server is disabled.
• The HTTP server is disabled.
• SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• SSH supports only RSA key pairs.
• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec and SSL do not support DES, RC4, 3DES, or MD5.
FIPS self-tests
When the device enters FIPS mode, power-up self-tests and conditional self-tests run automatically to ensure the correct operation of the cryptographic modules. If either type of test fails, the device restarts.
Power-up self-tests
Power-up self-tests, also called “known-answer tests”, check the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm runs on input data for which the correct output is already known, and the calculated output is compared with the known answer. If the two are not identical, the known-answer test fails.
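The following Python script is an added illustration of the known-answer mechanism described above; it is not HP's firmware code and does not reflect how the appliance implements its self-tests. It runs three of the algorithms listed in Table 59 (SHA1, SHA256, HMAC-SHA1) on fixed inputs whose outputs are published (SHA-1 and SHA-256 of "abc" from the FIPS 180 examples, HMAC-SHA1 test case 1 from RFC 2202), compares each result with the stored answer, and models the guide's rule that any failure forces a restart. The `corrupted_vectors` function is a constructed failure case for demonstration only.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Known-answer table: for each algorithm, a fixed computation and its published answer.
# SHA-1/SHA-256 of "abc" are the FIPS 180 worked examples; HMAC-SHA1 is RFC 2202 test case 1.
KNOWN_ANSWERS: Dict[str, dict] = {
    "SHA1": {
        "compute": lambda: hashlib.sha1(b"abc").digest(),
        "expected": bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d"),
    },
    "SHA256": {
        "compute": lambda: hashlib.sha256(b"abc").digest(),
        "expected": bytes.fromhex(
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        ),
    },
    "HMAC-SHA1": {
        "compute": lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).digest(),
        "expected": bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00"),
    },
}


def run_known_answer_test(name: str, vectors: Dict[str, dict] = KNOWN_ANSWERS) -> bool:
    """Run one KAT: compute the output for the fixed input and compare it with the known answer."""
    vector = vectors[name]
    try:
        actual = vector["compute"]()
    except Exception:
        # An algorithm that cannot execute at all is unavailable, which counts as a failed test.
        return False
    # compare_digest performs a full-length comparison regardless of where the bytes differ.
    return hmac.compare_digest(actual, vector["expected"])


def power_up_self_tests(vectors: Dict[str, dict] = KNOWN_ANSWERS) -> Dict[str, bool]:
    """Run every KAT and report each result individually, so a log shows which algorithm failed."""
    return {name: run_known_answer_test(name, vectors) for name in vectors}


def boot_decision(results: Dict[str, bool]) -> str:
    """Model the guide's rule: if any self-test fails, the device restarts instead of coming up."""
    return "operational" if all(results.values()) else "restart"


def corrupted_vectors() -> Dict[str, dict]:
    """Constructed failure case (hypothetical): a table entry whose stored answer is wrong."""
    bad = dict(KNOWN_ANSWERS)
    bad["SHA256"] = {
        "compute": KNOWN_ANSWERS["SHA256"]["compute"],
        "expected": bytes.fromhex("00" * 32),  # constructed wrong answer, not a real vector
    }
    return bad


if __name__ == "__main__":
    for label, table in (("intact table", KNOWN_ANSWERS), ("corrupted table", corrupted_vectors())):
        results = power_up_self_tests(table)
        print(f"{label}: {results} -> {boot_decision(results)}")
```

Running the script prints all three tests passing and a decision of `operational` for the intact table, then `SHA256: False` and `restart` for the corrupted one. The point of running every test rather than stopping at the first failure is diagnostic: an operator investigating a boot loop needs to know which algorithm's answer no longer matches.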
Power-up self-tests include the following types.
Table 59 List of power-up self-tests
Type: Cryptographic algorithm self-tests
Operations: Test the following algorithms
• DSA (signature and authentication)
• RSA (signature and authentication)
• RSA (encryption and decryption)
• AES
• 3DES
• SHA1
• SHA256
• HMAC-SHA1
• Random number generator algorithms