6. TECHNICAL NOTES
6.3 Self Tests
6.3.1 POST Tests
6.3.1.1 Integrity Test
The id field is set to FIPS_TEST_INTEGRITY. The remaining parameters are not used. This indicates that the incore integrity test of the module itself is being performed. The operation computes an HMAC over sections of the incore module data and compares the result against an expected value embedded when the application is compiled [see §2.2 for a more comprehensive description of this operation].
If failure is being simulated an additional byte is HMACed together with the incore data, producing an HMAC value which differs from the stored value.
Triggered by the integrity option to fips_test_suite.
6.3.1.2 DRBG Self Test
The id field is set to FIPS_TEST_DRBG. The subid field is set to the NID of the DRBG being tested and the "ex" field is of type (int *) and points to the DRBG flags being tested.
An abbreviated KAT-only test (not a full health check) is performed on each supported DRBG mechanism: the DRBG is initialised in test mode, instantiated using known parameters, output is generated and the result compared with known good values.
If failure is being simulated the "additional input" parameter to the generate operation is perturbed by passing it with a shorter length than the KAT value. This results in generated data which does not match the expected value.
Currently the following DRBG mechanisms and primitives are tested as part of the POST:
a) CTR DRBG using 256 bit AES and a derivation function.
b) CTR DRBG using 256 bit AES without a derivation function.
c) Hash DRBG using SHA256.
d) HMAC DRBG using SHA256.
e) Dual EC DRBG using P-256 and SHA-256. (Dual EC DRBG was withdrawn from SP 800-90A in Revision 1 (2015) and should not be used in new deployments; it is listed here only because the module exercises it in the POST.)
Triggered by the drbg option to fips_test_suite.
6.3.1.3 X9.31 PRNG Self Test
The id field is set to FIPS_TEST_X931. The subid field is set to the key length of the PRNG in bytes.
For the test the PRNG is set up in test mode. A known key, V (seed) and DT (date/time vector) are supplied and the generated output (R) is compared to an expected value.
If failure is being simulated the known V value is corrupted by incrementing its first byte. This results in generated data which does not match the expected value.
Currently the POST tests the X9.31 PRNG using 128, 192 and 256 bit key lengths.
Triggered by the rng option to fips_test_suite.
6.3.1.4 Digest Test
The id field is set to FIPS_TEST_DIGEST. The subid field is set to the NID of the digest being tested. The "ex" argument is not used. Currently only SHA1 is tested in this way: known data is digested and the resulting hash compared to a known good value.
If failure is being simulated an extra byte is digested in addition to the known data which will result in a digest which does not match the expected value.
Triggered by the sha1 option to fips_test_suite.
6.3.1.5 HMAC Test
The id field is set to FIPS_TEST_HMAC. The subid field is set to the NID of the associated digest being tested. The "ex" argument is not used.
Known data is HMACed and the resulting hash compared to a known good value.
If failure is being simulated an extra byte is HMACed in addition to the known data which will result in an HMAC which does not match the expected value.
The digests SHA1, SHA224, SHA256, SHA384 and SHA512 are tested in this way.
Triggered by the hmac option to fips_test_suite.
6.3.1.6 CMAC Test
The id field is set to FIPS_TEST_CMAC. The subid field is set to the associated cipher NID being tested. The "ex" argument is not used.
Known data is CMACed and the resulting CMAC compared to a known good value.
If failure is being simulated an extra byte is CMACed in addition to the known data which will
Triple DES and AES with 128, 192 and 256 bit keys are tested for CMAC.
Triggered by the cmac option to fips_test_suite.
6.3.1.7 Cipher Self Tests
The id field is set to FIPS_TEST_CIPHER. The subid field is set to the NID of the cipher being tested; "ex" is not used.
A known plaintext is encrypted under a known key and IV and the output ciphertext compared to a known good value.
The ciphertext is then decrypted using the same key and IV and the result compared to the original plaintext.
If a failure is being simulated the ciphertext is corrupted (first byte XORed with 0x1) before the decryption test.
AES in ECB mode with a 128 bit key and triple DES in ECB mode are tested.
Triggered by the aes and des options to fips_test_suite.
6.3.1.8 GCM Self Test
The id field is set to FIPS_TEST_GCM. The subid field is set to the NID of the cipher being tested; "ex" is not used.
A known plaintext is encrypted under a known key, IV and AAD and the output ciphertext and tag compared to known good values.
The ciphertext is then decrypted using the same key, IV and AAD together with the expected tag, and the result compared to the original plaintext.
If a failure is being simulated the tag is corrupted (first byte XORed with 0x1) before the decryption test, so the authenticated decryption must fail.
AES in GCM mode with a 256 bit key is tested.
Triggered by the aesgcm option to fips_test_suite.
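The callback protocol described in the sections above, as an added example that is not the module's code or part of this guide: a Go model of the POST driver using only the standard library, with the digest test (6.3.1.4), the HMAC test (6.3.1.5) and the GCM test (6.3.1.8) implemented with the failure simulation each section describes. The PostStarted/PostCorrupt and TestDigest/TestHMAC/TestGCM constants, the string subid standing in for a NID, and the Harness type are this example's own assumptions, not the module's identifiers or values; the known answers are public test vectors (SHA-1 of "abc", RFC 4231 HMAC-SHA256 test case 1, and AES-256 test case 14 from the GCM specification).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// Callback ops and test ids for this example; they stand in for the module's
// FIPS_POST_* and FIPS_TEST_* constants and are not its real values.
const (
	PostStarted, PostCorrupt      = 1, 2    // a KAT is starting / may it simulate failure?
	TestDigest, TestHMAC, TestGCM = 1, 2, 3 // id values
)

// PostCallback mirrors the (op, id, subid, ex) callback with ex omitted; subid
// is an algorithm name standing in for a NID. Answering false to PostCorrupt
// asks that KAT to simulate a failure, as fips_test_suite does for one test.
type PostCallback func(op, id int, subid string) bool

// CorruptOnly forces failure simulation for exactly one (id, subid) pair.
func CorruptOnly(id int, subid string) PostCallback {
	return func(op, tid int, tsub string) bool {
		return !(op == PostCorrupt && tid == id && tsub == subid)
	}
}

// Harness drives the KATs the way fips_test_suite drives the module POST and
// records each outcome under ResultKey(id, subid).
type Harness struct {
	cb      PostCallback
	Results map[string]bool
}

func NewHarness(cb PostCallback) *Harness { return &Harness{cb: cb, Results: map[string]bool{}} }
func ResultKey(id int, subid string) string { return fmt.Sprintf("%d/%s", id, subid) }
func mustHex(s string) []byte            { b, _ := hex.DecodeString(s); return b }

// kat wraps one known-answer test in the callback protocol: announce it, ask
// whether to corrupt it, run it and record the outcome.
func (h *Harness) kat(id int, subid string, run func(corrupt bool) bool) bool {
	corrupt := false
	if h.cb != nil {
		h.cb(PostStarted, id, subid)
		corrupt = !h.cb(PostCorrupt, id, subid)
	}
	ok := run(corrupt)
	h.Results[ResultKey(id, subid)] = ok
	return ok
}

// extraByteKAT covers the digest and HMAC tests: failure simulation processes
// one extra byte, so a live comparison must report a mismatch.
func (h *Harness) extraByteKAT(id int, name string, newH func() hash.Hash, data, want []byte) bool {
	return h.kat(id, name, func(corrupt bool) bool {
		if corrupt {
			data = append(append([]byte{}, data...), 0x00)
		}
		d := newH()
		d.Write(data)
		return hmac.Equal(d.Sum(nil), want)
	})
}

// gcmKAT encrypts and compares ciphertext and tag with known values, then
// decrypts with the expected tag. Failure simulation XORs the first tag byte
// with 0x1 before the decrypt step, which authentication must then reject.
func (h *Harness) gcmKAT(name string, key, iv, aad, pt, wantCT, wantTag []byte) bool {
	return h.kat(TestGCM, name, func(corrupt bool) bool {
		block, err := aes.NewCipher(key)
		if err != nil {
			return false
		}
		g, _ := cipher.NewGCM(block)      // cannot fail for a 16-byte AES block
		sealed := g.Seal(nil, iv, pt, aad) // ciphertext || tag
		if !bytes.Equal(sealed[:len(pt)], wantCT) || !bytes.Equal(sealed[len(pt):], wantTag) {
			return false
		}
		if corrupt {
			sealed[len(pt)] ^= 0x1
		}
		dec, err := g.Open(nil, iv, sealed, aad)
		return err == nil && bytes.Equal(dec, pt)
	})
}

// RunAll runs every KAT and returns false if any failed. Known answers: SHA-1
// of "abc", HMAC-SHA256 test case 1 of RFC 4231, and AES-256 test case 14 of
// the GCM specification (all-zero key, IV and plaintext, no AAD).
func (h *Harness) RunAll() bool {
	ok := h.extraByteKAT(TestDigest, "SHA1", sha1.New, []byte("abc"),
		mustHex("a9993e364706816aba3e25717850c26c9cd0d89d"))
	key := bytes.Repeat([]byte{0x0b}, 20)
	ok = h.extraByteKAT(TestHMAC, "SHA256", func() hash.Hash { return hmac.New(sha256.New, key) },
		[]byte("Hi There"), mustHex("b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")) && ok
	ok = h.gcmKAT("AES-256-GCM", make([]byte, 32), make([]byte, 12), nil, make([]byte, 16),
		mustHex("cea7403d4d606b6e074ec5d3baf39d18"), mustHex("d0d1c8a799996bf0265b98b5d48ab919")) && ok
	return ok
}
```

Running RunAll with CorruptOnly(TestGCM, "AES-256-GCM") installed as the callback leaves exactly one false entry in Results, which is the property a negative self-test exists to prove: the comparison is live and a mismatch is detected rather than silently passed. A KAT whose failure path cannot be exercised this way gives no assurance at all.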
6.3.1.9 CCM Self Test
The id field is set to FIPS_TEST_CCM. The subid field is set to the NID of the cipher being tested; "ex" is not used. The test is otherwise identical to the GCM test.
AES in CCM mode with a 192 bit key is tested.
Triggered by the aesccm option to fips_test_suite.
6.3.1.10 XTS Self Test
The id field is set to FIPS_TEST_XTS. The test is otherwise identical to the cipher tests.
AES in XTS mode with 128 and 256 bit keys is tested.
Triggered by the aesxts option to fips_test_suite.
6.3.1.11 Signature Algorithm Tests
The id field is set to FIPS_TEST_SIGNATURE. The subid field is set to the NID of the associated digest. The "ex" field is set to the EVP_PKEY structure of the key being used in the KAT; by examining "ex" the type of key being tested can be determined.
A signature is calculated using a known private key and known data to be signed.
For deterministic signature algorithms (e.g. RSA in some padding modes) the signature is compared to a known good value. Schemes that consume a per-signature random value (RSA PSS with a non-zero salt, DSA and ECDSA) produce a different signature on every run, so for them only the verification step applies.
The signature is then verified using the same data used to create the signature.
If failure is being simulated an extra byte is digested in addition to the known data for signature creation only. This results in a signature which does not match the expected value (where that comparison is performed) and, in every case, in the verification failing, because the verifier digests the unmodified data.
The following algorithms are tested:
a) RSA using PSS padding and SHA256 with a 2048 bit key.
b) ECDSA using P-224 and SHA512.
c) ECDSA using K-233 and SHA512 if binary fields are supported.
d) DSA using SHA384 and a 2048 bit key.
Triggered by the dsa, ecdsa and rsa options to fips_test_suite.
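The sign-then-verify structure used for randomised schemes, as an added example in Go that is not the module's code or part of this guide: ECDSA over P-224 with SHA-512 as in item (b), signing with a fixed private key and verifying over the unmodified data, with the failure simulation applied on the signing side only. The scalar used to build the known key, the test data and the function names are this example's own assumptions; SignaturesDiffer shows why no stored signature can be compared for such a scheme.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"math/big"
)

// knownKey builds a fixed P-224 private key from a constant scalar (this
// example's own, chosen below the curve order) so the test uses a known key
// rather than a fresh random one, as a KAT requires.
func knownKey() *ecdsa.PrivateKey {
	d, _ := new(big.Int).SetString("0102030405060708090a0b0c0d0e0f101112131415161718191a1b", 16)
	priv := &ecdsa.PrivateKey{D: d}
	priv.PublicKey.Curve = elliptic.P224()
	priv.PublicKey.X, priv.PublicKey.Y = priv.PublicKey.Curve.ScalarBaseMult(d.Bytes())
	return priv
}

var katData = []byte("known signature test data") // constructed KAT input

// SignatureKAT mirrors the signature self-test for a randomised scheme: the
// signature cannot be compared with a stored value, so it is verified over the
// same known data instead. When corrupt is true one extra byte is digested for
// signing only, so the verifier, which digests the original data, must reject.
func SignatureKAT(corrupt bool) bool {
	priv := knownKey()
	signInput := katData
	if corrupt {
		signInput = append(append([]byte{}, katData...), 0x00)
	}
	digest := sha512.Sum512(signInput)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false
	}
	ref := sha512.Sum512(katData)
	return ecdsa.VerifyASN1(&priv.PublicKey, ref[:], sig)
}

// SignaturesDiffer signs the same digest twice with the same key and reports
// whether the encodings differ, which for ECDSA they do with overwhelming
// probability: the reason the test above verifies rather than compares.
func SignaturesDiffer() bool {
	priv := knownKey()
	digest := sha512.Sum512(katData)
	s1, err1 := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	s2, err2 := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return err1 == nil && err2 == nil && !bytes.Equal(s1, s2)
}
```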
6.3.1.12 ECDH Test
The id field is set to FIPS_TEST_ECDH. The subid field is set to the NID of the curve used. The "ex" field is not used.
Known private and public ECDH keys are used to compute a shared secret value (Z), which is compared to a known good value.
If failure is being simulated the computed shared secret is corrupted after generation. This will result in a mismatch with the expected value.
Triggered by the ecdh option to fips_test_suite.