Specifications

© Copyright 2007 Cisco Systems, Inc. 28
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
2.6 Self-Tests
In order to prevent any secure data from being released, it is important to test the cryptographic
components of a security module to ensure all components are functioning correctly. The router
includes an array of self-tests that are run during startup and periodically during operations. All
self-tests are implemented in software. An example of a self-test run at power-up is a
cryptographic known answer test (KAT) on each of the FIPS-approved cryptographic algorithms
and on the Diffie-Hellman algorithm. Examples of tests run periodically or conditionally include
a bypass mode test performed conditionally prior to executing IPSec, and a continuous random
number generator test. If any of the self-tests fail, the router transitions into an error state. In the
error state, all secure data transmission is halted and the router outputs status information
indicating the failure.
Examples of the errors that cause the system to transition to an error state:
o IOS image integrity checksum failed
o Microprocessor overheats and burns out
o Known answer test failed
o NVRAM module malfunction
o Temperature high warning
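The following is an added illustration, not code from this security policy or from Cisco IOS, of the self-test behaviour described above: power-up known answer tests (using public SHA-256 and HMAC-SHA-1 test vectors), a continuous random number generator test, and a sticky error state in which the module refuses all cryptographic services. The `CryptoModule` class and its method names are hypothetical.

```python
import hashlib
import hmac
import os

# Public known-answer vectors: the FIPS 180-2 "abc" example for SHA-256 and
# RFC 2202 test case 1 for HMAC-SHA-1. Each entry: (function, input, expected hex).
KATS = {
    "SHA-256": (lambda m: hashlib.sha256(m).hexdigest(), b"abc",
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "HMAC-SHA-1": (lambda m: hmac.new(b"\x0b" * 20, m, hashlib.sha1).hexdigest(),
                   b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00"),
}


class CryptoModule:
    """Hypothetical module: power-up KATs, continuous RNG test, sticky error state."""

    def __init__(self, rng=os.urandom, kats=KATS):
        self.rng = rng
        self.kats = kats
        self.error = None        # non-None means the module is in the error state
        self._last_block = None  # previous RNG output block for the continuous test

    def _fail(self, reason):
        self.error = reason      # status output; every crypto service stops here

    def _require_operational(self):
        if self.error is not None:
            raise RuntimeError("module in error state: " + self.error)

    def power_up_self_tests(self):
        """Run every KAT; a single mismatch puts the module in the error state."""
        for name, (fn, msg, expected) in self.kats.items():
            if not hmac.compare_digest(fn(msg), expected):
                self._fail(name + " known answer test failed")
                return False
        self._last_block = self.rng(16)  # seeds the continuous RNG test, never returned
        return True

    def random_bytes(self):
        """Continuous RNG test: a block equal to the previous one means a stuck RNG."""
        self._require_operational()
        block = self.rng(16)
        if block == self._last_block:
            self._fail("continuous RNG test failed: repeated output block")
            self._require_operational()
        self._last_block = block
        return block

    def hmac_sha1(self, key, data):
        """Approved service; refused while the module is in the error state."""
        self._require_operational()
        return hmac.new(key, data, hashlib.sha1).digest()
```

A corrupted algorithm implementation shows up as a KAT mismatch at power-up, and a stuck RNG (one that returns the same block twice) is caught by the continuous test on the first call after the seed block.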
2.6.1 Self-tests performed by the IOS image
IOS Self Tests
o POST tests
  AES Known Answer Test
  RSA Signature Known Answer Test (both signature/verification)
  Software/firmware test
  Power up bypass test
  RNG Known Answer Test
  Diffie Hellman test
  HMAC-SHA-1 Known Answer Test
  SHA-1/256/512 Known Answer Test
  Triple-DES Known Answer Test
o Conditional tests
  Pairwise consistency test for RSA signature keys
  Conditional bypass test
  Continuous random number generation test for approved and non-approved RNGs
2.6.2 Self-tests performed by Safenet
Safenet Self Tests
o POST tests
  AES Known Answer Test