NSSCryptoModuleSpec/Section 9: Self Tests: Difference between revisions

Failure of any of the power-up, conditional, or operator-initiated self-tests causes the cryptographic module to enter the Error state ([http://wiki.mozilla.org/FIPSFSM#States State 3 ]). When the cryptographic module is in the Error state, most functions (including all the cryptographic functions) do nothing and return the error code <code>CKR_DEVICE_ERROR</code>. See also the [http://wiki.mozilla.org/Rolesandservices#Show_Status Show Status] service of the cryptographic module.

|'''CKR_DEVICE_ERROR''' ||  Cryptographic module is in or has entered the Error state.

||  

During the PKCS #11 initialization of the FIPS 140-2 module, any error return

from the battery of self-tests will put the module in the Error state.

 

The Error state will inhibit further cryptographic operations ([http://wiki.mozilla.org/ModuleInterfaces#In_Error_State In Error State ]).

 

Output from the cryptographic module is via two paths: 1) the return code of the cryptographic function and, 2) buffers and objects which are operated on by the function, the locations of which are passed as function arguments. In the Error state the return code is always <code>CKR_DEVICE_ERROR</code>. No action besides setting the return code is taken by the requested function, which prevents data output of the second type.

* Power-up self-tests

** Cryptographic algorithm tests: A known-answer test is conducted for all cryptographic functions (e.g., encryption, decryption, authentication and random number generation) of each Approved cryptographic algorithm implemented by the cryptographic module: RC2, RC4, DES, Triple DES, AES-128, AES-192, AES-256, MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, RSA, DSA, RNG, and ECDSA (see the [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/fipstest.c.html power-up self-tests source code]).<div class=note>'''Note:''' Cryptographic algorithms whose outputs vary for a given set of inputs (DSA and ECDSA) are tested using a known-answer test. The message digest algorithms have independent known-answer tests.</div>

* Conditional self-tests

** Pair-wise consistency test (for public and private keys)

** Continous random number generator test

PORT_Memcmp is used to compare the calculated

output with the known answer.  

 

The [http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf Digital Signature Algorithm (DSA)] is used as the Approved authentication technique ([http://csrc.nist.gov/cryptval/dss/dsaval.htm#172 validation certificate# 172]) for the integrity test of the software components. Software that is protected using the digital signatures is the softoken and freebl libraries (e.g., libsoftokn3.so and libfreebl3.so). When the softoken and freebl libraries are built, a DSA public/private key pair is generated, the private key is used to generate a DSA signature of the library, and the public key and signature are stored in a file with the name ''libraryname''.chk. When the self-test is initiated (e.g., at initialization for the FIPS mode), the module verifies the signatures (in the ''libraryname''.chk files) of the softoken and freebl libraries. If the signature verification fails, the self-test fails.

 

[http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/fipstokn.c.dep.html#FC_Initialize    FC_Initialize] calls [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pkcs11.c.dep.html#nsc_CommonInitialize nsc_CommonInitialize] and then the DSA signature is verified before the library initialization is allowed to proceed.

 

| '''Critical Functions'''  

[http://wiki.mozilla.org/VE_09#VE.09.27.01 VE.09.27.01 ] 

[http://wiki.mozilla.org/VE_09#VE.09.28.01 VE.09.28.01 ]  

Random Number Generator Self tests are the  

[http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/freebl/prng_fips1861.c.dep.html#alg_fips186_1_x3_1 Continuous Pseudo-Random Number Self-Tests ]

[http://wiki.mozilla.org/VE_09#VE.09.31.01 VE.09.31.01 ]

[http://wiki.mozilla.org/VE_09#VE.09.32.01 VE.09.32.01 ]  

RSA encryption is the only FIPS approved key transport

method that VE.09.31.01 applies to. See [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pkcs11c.c.dep.html#sftk_PairwiseConsistencyCheck sftk_PairwiseConsistencyCheck]

 

The other key transport/establishment methods either

(encrypting/wrapping with TDES or AES) or require

two public/private key pairs (Diffie-Hellman or

its elliptic curve variants).  

The [http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/softoken/pkcs11c.c.dep.html#sftk_PairwiseConsistencyCheck sftk_PairwiseConsistencyCheck] function of the module tests the pairwise consistency of the public and private keys used for digital signatures by the calculation and verification of a signature. If the signature cannot be verified, the test fails.

'''Manual Key Entry'''

|| (N/A) NSS does not implement manual Key entry ||

[http://www.mozilla.org/projects/security/pki/nss/fips/nss-source/mozilla/security/nss/lib/freebl/prng_fips1861.c.dep.html#alg_fips186_1_x3_1 Continuous Pseudo-Random Number Self-Tests ]

module in critical error state.

| '''ByPass Service'''  ||  

|| (N/A) NSS does not implement a ByPass service.