Fips Self-Tests; Power-Up Self-Tests; Conditional Self-Tests - H3C S5830V2 Security Configuration Manual

The SSL server only supports TLS1.0.
•
• The SSH server does not support SSHv1 clients.
The generated RSA and DSA key pairs must have a modulus length of 2048 bits.
•
SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, and MD5 algorithms.
•
• The keys must contain at least 15 characters and 4 compositions of uppercase and lowercase letters,
digits, and special characters. This requirement applies to the following passwords (the last two
passwords are used for password control):
AAA server's shared key.
IKE per-shared key.
SNMPv3 authentication key.
Password for a device management local user.
Password for switching user roles.

FIPS self-tests

To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms, including
power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up self-test fails,
the device where the self-test process exists reboots. If the conditional self-test fails, the system outputs
self-test failure information.
NOTE:
If a self-test fails, contact H3C Support.

Power-up self-tests

The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed
cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is
already known. The calculated output is compared with the known answer. If they are not identical, the
known-answer test fails.
The power-up self-test examines the following cryptographic algorithms:
• DSA (signature and authentication).
RSA (signature and authentication).
•
RSA (encryption and decryption).
•
AES.
•
3DES.
•
• SHA1.
HMAC-SHA1.
•
Random number generator algorithms.
•

Conditional self-tests

A conditional self-test runs when an asymmetrical cryptographic module or a random number generator
module is invoked. Conditional self-tests include the following types:
235