2.6 Self-Tests
In order to prevent any secure data from being released, it is important to test the cryptographic components of a security module to ensure all components are functioning correctly. The router includes an array of self-tests that are run during startup and periodically during operation. All self-tests are implemented in software. An example of a self-test run at power-up is a cryptographic known answer test (KAT) on each of the FIPS-approved cryptographic algorithms and on the Diffie-Hellman algorithm. Another example of a test performed at startup is a software integrity test using an error detection code (EDC). Examples of tests run periodically or conditionally include a bypass mode test, performed conditionally prior to executing IPSec, and a continuous random number generator test. If any of the self-tests fail, the router transitions into an error state. In the error state, all secure data transmission is halted and the router outputs status information indicating the failure.
Examples of the errors that cause the system to transition to an error state:
o IOS image integrity checksum failed
o Microprocessor overheats and burns out
o Known answer test failed
o NVRAM module malfunction
o Temperature high warning
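As an added illustration of the self-test behaviour described above, the following Python module (example code written for this page, not Cisco's IOS implementation) runs a power-on known answer test sequence for the hash and HMAC algorithms available in the standard library, a software integrity test, and a continuous random number generator test, and enters an error state that refuses further output on any failure. The `CryptoModule` class, the sample image bytes and the use of CRC-32 as the EDC are assumptions made for the example; the AES, Triple-DES, RSA and Diffie-Hellman tests the router performs are not reproduced because those algorithms are not in the standard library.

```python
import hashlib
import hmac
import os
import zlib

# Known answers taken from the published test vectors: the FIPS 180 "abc"
# examples for SHA-1/256/512 and RFC 2202 test case 2 for HMAC-SHA-1.
SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
SHA256_KAT = (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
SHA512_KAT = (b"abc", "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                      "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f")
HMAC_SHA1_KAT = (b"Jefe", b"what do ya want for nothing?",
                 "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79")

RNG_BLOCK = 16  # size of the output blocks compared by the continuous RNG test


class SelfTestError(Exception):
    """Raised when a self-test fails; the module has entered the error state."""


def compute_image_edc(image: bytes) -> int:
    """Error detection code over the software image (CRC-32 stands in for the EDC here)."""
    return zlib.crc32(image) & 0xFFFFFFFF


class CryptoModule:
    """Hypothetical module with FIPS 140-2 style self-tests and an error state (assumed design)."""

    def __init__(self, image: bytes, stored_edc: int, rng=os.urandom):
        self.image = image              # software image to integrity-check at startup
        self.stored_edc = stored_edc    # EDC recorded when the image was built
        self._rng = rng                 # byte source placed under the continuous RNG test
        self._last_block = None
        self.error_state = False
        self.error_reason = None

    def _fail(self, reason: str):
        # Entering the error state halts all further cryptographic output;
        # status() is the only thing the module still reports.
        self.error_state = True
        self.error_reason = reason
        raise SelfTestError(reason)

    def _check_kat(self, name: str, actual: str, expected: str):
        if actual != expected:
            self._fail(f"{name} known answer test failed")

    def power_on_self_tests(self) -> bool:
        """POST: known answer tests, software integrity test, then arm the continuous RNG test."""
        self._check_kat("SHA-1", hashlib.sha1(SHA1_KAT[0]).hexdigest(), SHA1_KAT[1])
        self._check_kat("SHA-256", hashlib.sha256(SHA256_KAT[0]).hexdigest(), SHA256_KAT[1])
        self._check_kat("SHA-512", hashlib.sha512(SHA512_KAT[0]).hexdigest(), SHA512_KAT[1])
        key, msg, expected = HMAC_SHA1_KAT
        self._check_kat("HMAC-SHA-1", hmac.new(key, msg, hashlib.sha1).hexdigest(), expected)
        if compute_image_edc(self.image) != self.stored_edc:
            self._fail("software integrity test failed (image EDC mismatch)")
        # The first RNG block is retained for comparison only and never released.
        self._last_block = self._rng(RNG_BLOCK)
        return True

    def random_bytes(self, n: int) -> bytes:
        """Return n random bytes, comparing every new block with the previous one."""
        if self.error_state:
            raise SelfTestError(f"module in error state: {self.error_reason}")
        out = bytearray()
        while len(out) < n:
            block = self._rng(RNG_BLOCK)
            if block == self._last_block:
                self._fail("continuous random number generator test failed")
            self._last_block = block
            out += block
        return bytes(out[:n])

    def status(self) -> dict:
        return {"state": "error" if self.error_state else "operational",
                "reason": self.error_reason}


def bring_up(module: CryptoModule) -> dict:
    """Run POST and report status, the way a router reports a failed self-test instead of crashing."""
    try:
        module.power_on_self_tests()
    except SelfTestError:
        pass
    return module.status()


if __name__ == "__main__":
    image = b"constructed stand-in for a software image"   # constructed sample input
    good = CryptoModule(image, compute_image_edc(image))
    print(bring_up(good), len(good.random_bytes(32)), "bytes released")
    corrupted = CryptoModule(image + b"\x00", compute_image_edc(image))
    print(bring_up(corrupted))
    stuck = CryptoModule(image, compute_image_edc(image), rng=lambda n: b"\x00" * n)
    bring_up(stuck)
    try:
        stuck.random_bytes(16)
    except SelfTestError as err:
        print("halted:", err)
```

The three scenarios in the `__main__` block correspond to the paragraph's three outcomes: a clean POST that releases random output, an image whose EDC no longer matches (the "IOS image integrity checksum failed" case), and a stuck RNG that the continuous test catches on the first released block, after which every further request is refused until the module is reset.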
2.6.1 Self-tests performed by the IOS image
IOS Self Tests
o POST tests
  - AES Known Answer Test
  - RSA Signature Known Answer Test (both signature/verification)
  - Software/firmware test
  - Power up bypass test
  - RNG Known Answer Test
  - Diffie Hellman test
  - HMAC-SHA-1 Known Answer Test
  - SHA-1/256/512 Known Answer Test
  - Triple-DES Known Answer Test
o Conditional tests
  - Pairwise consistency test for RSA signature keys
  - Conditional bypass test
  - Continuous random number generation test for approved and non-approved RNGs.
2.6.2 Self-tests performed by NetGX Chip
o POST tests
© Copyright 2007 Cisco Systems, Inc.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.