FIPS self-tests

To ensure correct operation of cryptography modules, FIPS provides self-test mechanisms, including power-up self-tests and conditional self-tests.

If a power-up self-test fails, the device where the self-test process exists reboots. If a conditional self-test fails, the system outputs a self-test failure message.

NOTE:

If a self-test fails, contact Hewlett Packard Enterprise Support.

Power-up self-tests

The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms.

The device supports the following types of power-up self-tests:

Known-answer test (KAT)
A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the KAT test fails.
Pairwise conditional test (PWCT)
- Signature and authentication test—The test is run when a DSA, RSA, or ECDSA asymmetrical key pair is generated. The system uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds.
- Encryption and decryption test—The test is run when an RSA asymmetrical key pair is generated. The system uses the public key to encrypt a plain text string, and then uses the private key to decrypt the encrypted text. If the decryption result is the same as the original plain text string, the test succeeds.

The power-up self-test examines the cryptographic algorithms listed in Table 32.

Table 32: Power-up self-tests list

Type	Operations
KAT	Tests the following algorithms: SHA1, SHA224, SHA256, SHA384, and SHA512. HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512. AES. RSA (signature and authentication). ECDH. DRBG. GCM. GMAC.
PWCT	Tests the following algorithms: RSA (signature and authentication). RSA (encryption and decryption). DSA (signature and authentication). ECDSA (signature and authentication).

Type

Operations

KAT

Tests the following algorithms:

SHA1, SHA224, SHA256, SHA384, and SHA512.
HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512.
AES.
RSA (signature and authentication).
ECDH.
DRBG.
GCM.
GMAC.

PWCT

Tests the following algorithms:

RSA (signature and authentication).
RSA (encryption and decryption).
DSA (signature and authentication).
ECDSA (signature and authentication).

Conditional self-tests

A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:

PWCT signature and authentication—This test is run when a DSA or RSA asymmetrical key pair is generated. The system uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds.
Continuous random number generator test—Runs when a random number is generated. The system compares the generated random number with the previously generated random number. If the two number are the same, the test fails. This test also runs when a DSA or RSA asymmetrical key pair is generated.

prev	up	next
FIPS functionality	home	Restrictions and guidelines: FIPS