Nokia IP265 Security Guide - Page 24

Power-up Self-tests, Conditional Self-tests

Get Nokia IP265 - Security Appliance PDF manuals and user guides View all Nokia IP265 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 24 highlights

2.9 Self-Tests The modules perform a set of self-tests to ensure proper operation in compliance with FIPS 140-2. These self-tests are run during power-up (power-up self-tests) or when certain conditions are met (conditional selftests). Self tests are performed by both IPSO and the Check Point VPN-1 firmware components as appropriate. IPSO also implements self tests on the algorithms provided by the hardware encryption accelerator chips. All module versions were functionally tested during FIPS 140-2 conformance testing. Power-up Self-tests: • Integrity tests: the modules use a CRC-32 to check the integrity of its various firmware components, including verifying the integrity of the Check Point VPN-1 binary code. • Cryptographic algorithm tests: o AES-CBC KAT o DES-CBC KAT o Triple-DES-CBC KAT o ANSI X9.31 PRNG KAT o RSA sign/verify and encrypt/decrypt KAT o DSA sign/verify KAT o SHA-1 KAT o HMAC SHA-1 KAT • Policy file integrity test (bypass mode test): the module performs a SHA-1 check value verification to ensure that the policy files are not modified. Conditional Self-tests: • RSA pair-wise consistency test: this test is performed when RSA keys are generated for SSHv1. • DSA pair-wise consistency test: this test is performed when DSA keys are generated for SSHv2. • Continuous random number generator tests: these tests are constantly run to detect failure of the random number generators of the module. © Copyright 2005, 2006, 2007 Nokia Page 24 of 43 This document may be freely reproduced and distributed whole and intact including this Copyright Notice.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
2.9
Self-Tests
The modules perform a set of self-tests to ensure proper operation in
compliance with FIPS 140-2. These self-tests are run during power-up
(power-up self-tests) or when certain conditions are met (conditional self-
tests). Self tests are performed by both IPSO and the Check Point VPN-1
firmware components as appropriate. IPSO also implements self tests on
the algorithms provided by the hardware encryption accelerator chips. All
module versions were functionally tested during FIPS 140-2 conformance
testing.
Power-up Self-tests
:
Integrity tests:
the modules use a CRC-32 to check the integrity of
its various firmware components, including verifying the integrity of
the Check Point VPN-1 binary code.
Cryptographic algorithm tests:
o
AES-CBC KAT
o
DES-CBC KAT
o
Triple-DES-CBC KAT
o
ANSI X9.31 PRNG KAT
o
RSA sign/verify and encrypt/decrypt KAT
o
DSA sign/verify KAT
o
SHA-1 KAT
o
HMAC SHA-1 KAT
Policy file integrity test (bypass mode test):
the module performs a
SHA-1 check value verification to ensure that the policy files are not
modified.
Conditional Self-tests
:
RSA pair-wise consistency test:
this test is performed when RSA
keys are generated for SSHv1.
DSA pair-wise consistency test:
this test is performed when DSA
keys are generated for SSHv2.
Continuous random number generator tests:
these tests are
constantly run to detect failure of the random number generators of
the module.
© Copyright 2005, 2006, 2007
Nokia
Page 24 of 43
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.