Aruba Networks FIPS 140-2 manual Self Tests

Page 35

7 Self Tests

The module performs the following Self Tests after being configured into either Remote AP mode or Remote Mesh Portal mode. The module performs both power-up and conditional self-tests. In the event any self-test fails, the module enters an error state, logs the error, and reboots automatically.

The module performs the following power-up self-tests:

Aruba Hardware Known Answer Tests:

o AES KAT

o HMAC-SHA1 KAT

o Triple-DES KAT

ArubaOS OpenSSL AP Module

o AES KAT

o HMAC (HMAC-SHA1, HMAC-SHA256 and HMAC-SHA384) KAT

o RNG KAT

o RSA KAT

o SHA (SHA1, SHA256 and SHA384) KAT

o Triple-DES KAT

ArubaOS Cryptographic Module

o AES KAT

o HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512) KAT

o FIPS 186-2 RNG KAT

o RSA (sign/verify)

o SHA (SHA1, SHA256, SHA384, and SHA512) KAT

o Triple-DES KAT

ArubaOS Uboot Bootloader Module

o Firmware Integrity Test: RSA 2048-bit Signature Validation

The following Conditional Self-tests are performed in the module:

Continuous Random Number Generator Test: This test is run whenever the module's random number generators produce random data, to detect failure to a constant value. The module stores the first random number for subsequent comparison. For each new random number, the module compares it with the random number generated in the previous round and enters an error state if the comparison is successful, that is, if the two values match. The test is performed for the approved as well as the non-approved RNGs.

RSA pairwise Consistency Test

Firmware load test

These self-tests are run for the Cavium hardware cryptographic implementation as well as for the Aruba OpenSSL AP and ArubaOS cryptographic module implementations.

Self-test results are written to the serial console.

In the event of a KAT failure, the AP logs different messages, depending on the error.
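
The continuous random number generator test described above, sketched in C as an added example (not Aruba's code). The 16-byte block size, the `crngt_*` names and the constructed `fake_source` are assumptions; following the FIPS 140-2 rule, the first block is stored for comparison only and never output.

```c
#include <string.h>

#define BLOCK_LEN 16 /* assumed block size; the page does not state one */
typedef int (*rng_fn)(unsigned char *out, size_t len, void *ctx);

typedef struct {
    rng_fn source; void *ctx;      /* underlying RNG (hypothetical interface) */
    unsigned char prev[BLOCK_LEN]; /* output of the previous round */
    int primed;                    /* first block has been stored */
    int failed;                    /* latched error state */
} crngt_t;

void crngt_init(crngt_t *t, rng_fn source, void *ctx) {
    memset(t, 0, sizeof *t);
    t->source = source; t->ctx = ctx;
}

/* Returns 0 and fills out, or -1 once the error state has been entered. */
int crngt_generate(crngt_t *t, unsigned char out[BLOCK_LEN]) {
    unsigned char cur[BLOCK_LEN];
    if (t->failed) return -1;      /* no output after a failure */
    if (!t->primed) {              /* first block: kept for comparison only */
        if (t->source(t->prev, BLOCK_LEN, t->ctx) != 0) { t->failed = 1; return -1; }
        t->primed = 1;
    }
    if (t->source(cur, BLOCK_LEN, t->ctx) != 0 ||
        memcmp(cur, t->prev, BLOCK_LEN) == 0) { /* equal to previous round */
        t->failed = 1;             /* the module would log and reboot here */
        return -1;
    }
    memcpy(t->prev, cur, BLOCK_LEN);
    memcpy(out, cur, BLOCK_LEN);
    return 0;
}

/* Constructed test source: counts up, then sticks at a constant value. */
typedef struct { unsigned calls, stuck_after; } fake_src_t;
int fake_source(unsigned char *out, size_t len, void *ctx) {
    fake_src_t *s = ctx;
    memset(out, (int)(s->calls < s->stuck_after ? s->calls : s->stuck_after), len);
    s->calls++; return 0;
}

int main(void) { /* stand-alone run: exits 0 if the stuck source is caught */
    crngt_t t; fake_src_t s = {0, 3}; unsigned char out[BLOCK_LEN]; int i, rc = 0;
    crngt_init(&t, fake_source, &s);
    for (i = 0; i < 4; i++) rc = crngt_generate(&t, out);
    return rc == -1 ? 0 : 1;
}
```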
