Support - 04-FIPS configuration- H3C (2024)

About FIPS

Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules.

FIPS security levels

FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high. The device supports Level 2.

Unless otherwise noted, the term "FIPS" refers to Level-2 FIPS 140-2 in this document.

FIPS functionality

In FIPS mode, the device has strict security requirements. It performs self-tests on cryptography modules to verify that the modules are operating correctly.

A FIPS device also meets the functionality requirements defined in Network Device Protection Profile (NDPP) and Extended Package Stateful Traffic Filter Firewall of Common Criteria (CC).

FIPS self-tests

To ensure correct operation of cryptography modules, FIPS provides self-test mechanisms, including power-up self-tests and conditional self-tests.

If a power-up self-test fails, the card where the self-test process exists reboots. If a conditional self-test fails, the system outputs a self-test failure message.

NOTE:

If a self-test fails, contact H3C Support.

Power-up self-tests

The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms.

The device supports the following types of power-up self-tests:

· Known-answer test (KAT)

A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the KAT test fails.

· Pairwise conditional test (PWCT)

¡ Signature and authentication test—The test is run when a DSA, RSA, or ECDSA asymmetrical key pair is generated. The system uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds.

¡ Encryption and decryption test—The test is run when an RSA asymmetrical key pair is generated. The system uses the public key to encrypt a plain text string, and then uses the private key to decrypt the encrypted text. If the decryption result is the same as the original plain text string, the test succeeds.

The power-up self-test examines the cryptographic algorithms listed in Table 1.

Table 1 Power-up self-tests list

Type                            Operations
------------------------------  -------------------------------------------------------------------
KAT                             Tests the following algorithms:
                                · SHA1, SHA224, SHA256, SHA384, and SHA512.
                                · HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512.
                                · AES.
                                · RSA (signature and authentication).
                                · ECDH.
                                · DRBG.
                                · GCM.
                                · GMAC.
PWCT                            Tests the following algorithms:
                                · RSA (signature and authentication).
                                · RSA (encryption and decryption).
                                · DSA (signature and authentication).
                                · ECDSA (signature and authentication).
Cryptographic engine self-test  Tests the following algorithms used by cryptographic engines:
                                · DSA (signature and authentication).
                                · RSA (signature and authentication).
                                · RSA (encryption and decryption).
                                · AES.
                                · 3DES.
                                · SHA1.
                                · HMAC-SHA1.
                                · Random number generator algorithms.
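The following is an added example, not H3C code, of how a known-answer test of the kind listed in Table 1 is structured: each algorithm is run on an input whose correct output is published (SHA-256 from FIPS 180-4, HMAC-SHA-256 from RFC 4231 test case 1, AES-128 from FIPS 197 Appendix C.1) and the result is compared byte-for-byte with the known answer. The harness, the vector names and the FaultyVectors helper that corrupts one answer to exercise the failure path are constructed for this illustration; the device's own KAT covers more algorithms than the three shown here.

```go
// Added example (not H3C code): a known-answer test harness of the kind a
// power-up self-test runs. Each algorithm is run on an input whose correct
// output is published, and the result is compared with that known answer.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// katVector pairs an algorithm invocation with its published answer.
type katVector struct {
	name   string
	run    func() []byte // computes the output under test
	answer string        // known answer, hex encoded
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// KATVectors returns the published vectors this harness checks.
func KATVectors() []katVector {
	return []katVector{
		{
			// FIPS 180-4 example: SHA-256("abc")
			name:   "SHA-256",
			run:    func() []byte { d := sha256.Sum256([]byte("abc")); return d[:] },
			answer: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
		},
		{
			// RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There"
			name: "HMAC-SHA-256",
			run: func() []byte {
				m := hmac.New(sha256.New, bytes.Repeat([]byte{0x0b}, 20))
				m.Write([]byte("Hi There"))
				return m.Sum(nil)
			},
			answer: "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
		},
		{
			// FIPS 197 Appendix C.1: AES-128, one block
			name: "AES-128",
			run: func() []byte {
				c, err := aes.NewCipher(mustHex("000102030405060708090a0b0c0d0e0f"))
				if err != nil {
					panic(err)
				}
				out := make([]byte, aes.BlockSize)
				c.Encrypt(out, mustHex("00112233445566778899aabbccddeeff"))
				return out
			},
			answer: "69c4e0d86a7b0430d8cdb78070b4c55a",
		},
	}
}

// RunKAT executes every vector and returns the names of the algorithms whose
// output did not match. An empty result means the KAT passed.
func RunKAT(vectors []katVector) []string {
	var failed []string
	for _, v := range vectors {
		if !bytes.Equal(v.run(), mustHex(v.answer)) {
			failed = append(failed, v.name)
		}
	}
	return failed
}

// FaultyVectors corrupts the SHA-256 answer to show the failure path without
// modifying any algorithm (constructed for the demonstration).
func FaultyVectors() []katVector {
	vs := KATVectors()
	vs[0].answer = "00" + vs[0].answer[2:]
	return vs
}

func main() {
	if failed := RunKAT(KATVectors()); len(failed) == 0 {
		fmt.Println("power-up KAT passed")
	} else {
		fmt.Println("power-up KAT failed:", failed)
	}
}
```

A KAT proves that the implementation computes the published function, not that it is secure against side channels; that is why the device pairs it with the PWCT and conditional tests described next, which exercise freshly generated keys and random output rather than fixed vectors.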

Conditional self-tests

A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:

· PWCT signature and authentication—This test is run when a DSA or RSA asymmetrical key pair is generated. The system uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds.

· Continuous random number generator test—Runs when a random number is generated. The system compares the generated random number with the previously generated random number. If the two numbers are the same, the test fails. This test also runs when a DSA or RSA asymmetrical key pair is generated.
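The two conditional tests above, and the RSA encryption/decryption PWCT from the power-up list, are illustrated by the following added example. It is not H3C code: it uses Go's standard crypto library, a 2048-bit RSA modulus (the size FIPS mode requires on this device), a constructed test string as the "specific data", and a constructed stuckReader that always returns the same bytes so the continuous RNG test's failure path can be seen. PKCS#1 v1.5 signing and OAEP encryption are the author's choice of padding for the demonstration; the page does not state which the device uses.

```go
// Added example (not H3C code): conditional self-tests in the spirit of the
// ones described above, built on Go's standard crypto library. The pairwise
// tests generate a key pair and immediately check that its two halves agree;
// the continuous RNG test rejects a generator whose consecutive outputs repeat.
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// pwctMessage is constructed test data; any fixed string known to the module
// would do.
var pwctMessage = []byte("pairwise consistency test data")

// PWCTRSASign generates an RSA key pair of the given size, signs the digest of
// pwctMessage with the private key and verifies it with the public key.
func PWCTRSASign(bits int) error {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(pwctMessage)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig)
}

// PWCTRSAEncrypt generates an RSA key pair, encrypts pwctMessage with the
// public key and checks that the private key recovers the original plaintext.
func PWCTRSAEncrypt(bits int) error {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, pwctMessage, nil)
	if err != nil {
		return err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, key, ct, nil)
	if err != nil {
		return err
	}
	if !bytes.Equal(pt, pwctMessage) {
		return errors.New("RSA encrypt/decrypt PWCT: decrypted text differs from plaintext")
	}
	return nil
}

// ContinuousRNGTest draws n blocks of blockSize bytes from r and fails if a
// block is identical to the one drawn immediately before it.
func ContinuousRNGTest(r io.Reader, blockSize, n int) error {
	prev := make([]byte, blockSize)
	if _, err := io.ReadFull(r, prev); err != nil {
		return err
	}
	cur := make([]byte, blockSize)
	for i := 1; i < n; i++ {
		if _, err := io.ReadFull(r, cur); err != nil {
			return err
		}
		if bytes.Equal(prev, cur) {
			return fmt.Errorf("continuous RNG test: block %d repeats block %d", i, i-1)
		}
		prev, cur = cur, prev // swap buffers so prev holds the latest block
	}
	return nil
}

// SystemRNGTest runs the continuous test against the operating system RNG.
func SystemRNGTest(blockSize, n int) error {
	return ContinuousRNGTest(rand.Reader, blockSize, n)
}

// stuckReader is a constructed stand-in for a failed generator that returns
// the same byte forever; the continuous test must reject it on block 1.
type stuckReader struct{ b byte }

func (s stuckReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = s.b
	}
	return len(p), nil
}

func main() {
	fmt.Println("RSA sign/verify PWCT:", PWCTRSASign(2048))
	fmt.Println("RSA encrypt/decrypt PWCT:", PWCTRSAEncrypt(2048))
	fmt.Println("continuous RNG test:", SystemRNGTest(16, 8))
	fmt.Println("stuck RNG (expected failure):", ContinuousRNGTest(stuckReader{b: 0x42}, 16, 4))
}
```

A pairwise test catches a key pair whose halves do not correspond (a corrupted or mis-derived key) at the moment it is produced, before it is ever used to protect traffic; the continuous RNG test catches a generator that has silently gone static, which would otherwise yield predictable keys with every algorithm still passing its KAT.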

Software version requirement

When running a low-encryption level software version, the device does not support FIPS.

Restrictions and guidelines: FIPS

Requirements for key pairs and passwords

Before you reboot the device to enter FIPS mode, the system automatically removes all key pairs configured in non-FIPS mode and all FIPS-incompliant digital certificates. FIPS-incompliant digital certificates are MD5-based certificates with a key modulus length less than 2048 bits. You cannot log in to the device through SSH after the device enters FIPS mode. To log in to the device in FIPS mode through SSH, log in to the device through a console or Async port and create a key pair for the SSH server.

The password for entering the device in FIPS mode must comply with the password control policies, such as password length, complexity, and aging policy. When the aging timer for a password expires, the system prompts you to change the password. If you adjust the system time after the device enters FIPS mode, the login password might expire before the next login, because the original system time is typically much earlier than the actual time.

Configuration rollback guidelines

Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks:

1. Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.

2. Save the current configuration file.

3. Specify the current configuration file as the startup configuration file.

4. Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.

If a device enters FIPS or non-FIPS mode through automatic reboot, configuration rollback fails. To support configuration rollback, you must execute the save command after the device enters FIPS or non-FIPS mode.

IRF compatibility

All devices in an IRF fabric must be operating in the same mode, whether in FIPS mode or non-FIPS mode.

To enable FIPS mode for an IRF fabric, you must reboot the entire IRF fabric.

Feature changes in FIPS mode

After the system enters FIPS mode, the following feature changes occur:

· The user login authentication mode can only be scheme.

· The FTP/TFTP server and client are disabled.

· The Telnet server and client are disabled.

· The HTTP server is disabled.

· SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.

· The SSL server supports only TLS1.0, TLS1.1, and TLS1.2.

· The SSH server does not support SSHv1 clients or DSA key pairs.

· The generated RSA and DSA key pairs must have a modulus length of 2048 bits.

When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of 2048 bits.

· The generated ECDSA key pairs must have a modulus length of more than 256 bits.

When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of more than 256 bits.

· SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.

· The password control feature cannot be disabled globally. The undo password-control enable command does not take effect.

· An AAA shared key, IKE pre-shared key, or SNMPv3 authentication key must have at least 15 characters and must contain uppercase and lowercase letters, digits, and special characters.

· The password for a device management local user and password for switching user roles must comply with the password control policies. By default, the password must have at least 15 characters and must contain uppercase and lowercase letters, digits, and special characters.

Entering FIPS mode

About entering FIPS mode

For the device to enter FIPS mode, you can use one of the following methods:

· Automatic reboot—The system automatically performs the following operations:

a. Prompts you to specify the username and password for the next login.

b. Creates a default FIPS configuration file named fips-startup.cfg.

c. Specifies the default FIPS configuration file as the startup configuration file.

d. Reboots and loads the default FIPS configuration file to enter the FIPS mode.

· Manual reboot—You must complete the required configuration tasks and reboot the device manually.

Restrictions and guidelines

After you execute the fips mode enable command, the system prompts you to choose a reboot method.

· If you do not make a choice within 30 seconds or press Ctrl+C, the system enables FIPS mode and waits for you to manually complete the FIPS mode configuration tasks. You must complete the tasks or execute the undo fips mode enable command before saving the running configuration and rebooting the device. If you fail to do so, the device enters FIPS mode after startup and you cannot log in to the device.

· If you select the automatic reboot method, you can press Ctrl+C to abort both the interactive FIPS mode configuration process and the fips mode enable command.

Using the automatic reboot method to enter FIPS mode

Prerequisites

To ensure login password effectiveness under the password control policies, set the correct system time.

Procedure

1. Enter system view.

system-view

2. Enable FIPS mode.

fips mode enable

By default, the FIPS mode is disabled.

3. After the reboot method choice prompt appears, enter Y within 30 minutes.

The system starts the interactive FIPS mode configuration process.


CAUTION:

A system reboot might interrupt the ongoing services. Use caution when you perform this operation.

4. Enter the login username and password as prompted.

The password must have a minimum of 15 characters and must contain uppercase and lowercase letters, digits, and special characters. After you enter the username and password, the device performs the following operations:

¡ Creates a device management local user that uses the entered username and password.

¡ Assigns the user the terminal service and the network-admin user role.

¡ Saves the running configuration and specifies the configuration file as the startup configuration file.

¡ Reboots, loads the startup configuration file, and enters FIPS mode.

To log in to the device, you must enter the configured username and password. After login, you are identified as the FIPS mode crypto officer.

Using the manual reboot method to enter FIPS mode

Prerequisites

1. To ensure login password effectiveness under the password control policies, set the correct system time.

2. Configure the password control feature.

a. Enable the password control feature globally.

b. Configure password control policies.

- Set the number of character types a password must contain to 4.

- Set the minimum number of characters for each type to one character.

- Set the minimum length for a user password to 15 characters.

For more information about the password control feature, see password control in Security Configuration Guide.

3. Configure a local user.

¡ Create a device management local user.

¡ Specify a password that complies with the password control policies.

¡ Assign the terminal service to the user.

¡ Assign the network-admin user role to the user.
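The password composition rules stated under "Feature changes in FIPS mode" and configured in step 2 of these prerequisites (length 15, composition type-number 4, type-length 1) are modelled in the following added example. It is not H3C code and does not reproduce the device's password-control implementation; it checks a candidate password against those three parameters so the effect of each setting can be seen before the device enforces it at login. Treating every character that is not an uppercase letter, lowercase letter or digit as "special" is an assumption made here, since the guide does not define the special character class.

```go
// Added example (not H3C code): checks a candidate password against the
// composition policy this guide requires in FIPS mode (password-control
// length 15, composition type-number 4, type-length 1). Any character that is
// not an uppercase letter, lowercase letter or digit is counted as special;
// that classification is an assumption, not something the guide defines.
package main

import (
	"fmt"
	"unicode"
)

// PasswordPolicy mirrors the three password-control settings used on the page.
type PasswordPolicy struct {
	MinLength  int // password-control length
	TypeNumber int // password-control composition type-number
	TypeLength int // password-control composition type-length
}

// FIPSPolicy is the policy the guide configures before entering FIPS mode.
var FIPSPolicy = PasswordPolicy{MinLength: 15, TypeNumber: 4, TypeLength: 1}

var characterTypes = []string{"uppercase", "lowercase", "digit", "special"}

// classify returns the character type name for one rune.
func classify(r rune) string {
	switch {
	case unicode.IsUpper(r):
		return "uppercase"
	case unicode.IsLower(r):
		return "lowercase"
	case unicode.IsDigit(r):
		return "digit"
	default:
		return "special"
	}
}

// CheckPassword returns one message per policy violation; an empty slice means
// the password satisfies the policy.
func CheckPassword(pw string, p PasswordPolicy) []string {
	var problems []string
	runes := []rune(pw)
	if len(runes) < p.MinLength {
		problems = append(problems, fmt.Sprintf("length %d is below the minimum of %d", len(runes), p.MinLength))
	}
	counts := map[string]int{}
	for _, r := range runes {
		counts[classify(r)]++
	}
	// A type only counts toward type-number once it reaches type-length.
	present := 0
	for _, name := range characterTypes {
		switch {
		case counts[name] >= p.TypeLength:
			present++
		case counts[name] > 0:
			problems = append(problems, fmt.Sprintf("only %d %s character(s); at least %d required for the type to count", counts[name], name, p.TypeLength))
		}
	}
	if present < p.TypeNumber {
		problems = append(problems, fmt.Sprintf("%d character type(s) present; %d required", present, p.TypeNumber))
	}
	return problems
}

func main() {
	// The first value is the example password used later in this guide.
	for _, pw := range []string{"12345zxcvb!@#$%ZXCVB", "abcdefghijklmnopq", "Ab1!"} {
		fmt.Printf("%q -> %v\n", pw, CheckPassword(pw, FIPSPolicy))
	}
}
```

The guide's own example password, 12345zxcvb!@#$%ZXCVB, passes because it carries five characters of each of the four types; a long lowercase-only string fails on composition alone, and a short string with all four types fails on length alone, which matches the separate length and composition commands in step 2.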

Procedure

1. Enter system view.

system-view

2. Enable FIPS mode.

fips mode enable

By default, the FIPS mode is disabled.

3. After the reboot method choice prompt appears, enter N.

The system enables FIPS mode and waits for you to complete the FIPS mode configuration tasks. Before rebooting the device to enter FIPS mode, do not execute any commands except for save and commands used to prepare for entering FIPS mode. If you execute any other commands, the commands might not take effect.


CAUTION:

· A system reboot might interrupt the ongoing services. Use caution when you perform this operation.

· If you choose manual reboot, you must configure all settings required for login in FIPS mode before you reboot the device. If any settings are missing, you will be unable to log in to the device.

4. Save the running configuration and specify the configuration file as the startup configuration file.

5. Delete the .mdb startup configuration file.

When loading a .mdb configuration file, the device loads all settings in the file. The settings that are not supported in FIPS mode might affect device operation.

6. Reboot the device.

The device reboots, loads the startup configuration file, and enters FIPS mode. To log in to the device, you must enter the configured username and password. After login, you are identified as the FIPS mode crypto officer.

Manually triggering self-tests

About this task

You can manually trigger FIPS self-tests to verify operation of cryptography modules anytime as required. The triggered self-tests are the same as the power-up self-tests. If the self-tests fail, the device where the self-test process exists reboots.

Procedure

1. Enter system view.

system-view

2. Trigger self-tests.

fips self-test


CAUTION:

A successful self-test requires that all cryptographic algorithms pass the self-test. If the self-test fails, the device reboots.

Exiting FIPS mode

About this task

After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode.

For the device to exit FIPS mode, you can use one of the following reboot methods:

· Automatic reboot—The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, specifies the file as the startup configuration file, and reboots to enter non-FIPS mode. You can log in to the device without providing username or password.

· Manual reboot—You must manually complete the configuration tasks for entering non-FIPS mode, and then reboot the device. To log in to the device after the reboot, you must enter user information as required by the authentication mode settings.

The following are the default authentication mode settings:

¡ VTY line—Password authentication.

¡ Console line—Authentication is disabled.

You can modify the authentication settings as needed.

Using the automatic reboot method to exit FIPS mode

1. Enter system view.

system-view

2. Disable FIPS mode.

undo fips mode enable

By default, the FIPS mode is disabled.

3. Select the automatic reboot method.


CAUTION:

A system reboot might interrupt the ongoing services. Use caution when you perform this operation.

Using the manual reboot method to exit FIPS mode

1. Enter system view.

system-view

2. Disable FIPS mode.

undo fips mode enable

By default, the FIPS mode is disabled.

3. Select the manual reboot method.


CAUTION:

A system reboot might interrupt the ongoing services. Use caution when you perform this operation.

4. Configure login authentication settings.

¡ If you logged in to the device through SSH, perform the following tasks without disconnecting the current user line:

- Set the authentication mode to scheme for VTY lines.

- Specify the username and password. If you do not specify the username or password, the device uses the current username and password.

¡ If you logged in to the device through a console or Async port, configure login authentication settings for the current type of user lines as described in the following table:

Current login method   Login authentication requirements
---------------------  -----------------------------------------------------------------------------------------------------------------------------------------------------------
Scheme                 Set the authentication to scheme and specify the username and password. If you do not specify the username or password, the device uses the current username and password.
Password               Set the authentication to password and specify the password. If you do not specify the password, the device uses the current password.
None                   Set the authentication to none.

5. Save the running configuration and specify the file as the startup configuration file.

6. Delete the .mdb startup configuration file.

7. Reboot the device.

Display and maintenance commands for FIPS

Execute display commands in any view.

Task                                                       Command
---------------------------------------------------------  ----------------------
Display the version number of the device algorithm base.   display crypto version
Display the FIPS mode state.                               display fips status

FIPS configuration examples

Example: Entering FIPS mode through automatic reboot

Network configuration

Use the automatic reboot method to enter FIPS mode, and use a console or Async port to log in to the device in FIPS mode.

Procedure

# If you want to save the current configuration, execute the save command before you enable FIPS mode.

# Enable FIPS mode and choose the automatic reboot method to enter FIPS mode. Set the username to root and the password to 12345zxcvb!@#$%ZXCVB.

<Sysname> system-view

[Sysname] fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

Reboot the device automatically? [Y/N]:y

The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.

Enter username(1-55 characters):root

Enter password(15-63 characters):

Confirm password:

Waiting for reboot... After reboot, the device will enter FIPS mode.

Verifying the configuration

After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters. For more information about the requirements for the password, see the system output.

Press ENTER to get started.

login: root

Password:

First login or password reset. For security reason, you need to change your password. Please enter your password.

old password:

new password:

confirm:

Updating user information. Please wait ... ...

<Sysname>

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is enabled.

# Display the default configuration file.

<Sysname> more fips-startup.cfg

#

password-control enable

#

local-user root class manage

service-type terminal

authorization-attribute user-role network-admin

#

fips mode enable

#

return

<Sysname>

Example: Entering FIPS mode through manual reboot

Network configuration

Use the manual reboot method to enter FIPS mode, and use a console or Async port to log in to the device in FIPS mode.

Procedure

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.

[Sysname] password-control composition type-number 4 type-length 1

# Set the minimum length of user passwords to 15 characters.

[Sysname] password-control length 15

# Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB

[Sysname-luser-manage-test] authorization-attribute user-role network-admin

[Sysname-luser-manage-test] service-type terminal

[Sysname-luser-manage-test] quit

# Enable FIPS mode, and choose the manual reboot method to enter FIPS mode.

[Sysname] fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

Reboot the device automatically? [Y/N]:n

Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.

# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.

[Sysname] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

[Sysname] quit

# Delete the startup configuration file in binary format.

<Sysname> delete flash:/startup.mdb

Delete flash:/startup.mdb? [Y/N]:y

Deleting file flash:/startup.mdb...Done.

# Reboot the device.

<Sysname> reboot

Verifying the configuration

After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters. For more information about the requirements for the password, see the system output.

Press ENTER to get started.

login: test

Password:

First login or password reset. For security reason, you need to change your password. Please enter your password.

old password:

new password:

confirm:

Updating user information. Please wait ... ...

<Sysname>

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is enabled.

Example: Exiting FIPS mode through automatic reboot

Network configuration

A user has logged in to the device in FIPS mode through a console or Async port.

Use the automatic reboot method to exit FIPS mode.

Procedure

# Disable FIPS mode.

[Sysname] undo fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

The system will create a new startup configuration file for non-FIPS mode and then reboot automatically. Continue? [Y/N]:y

Waiting for reboot... After reboot, the device will enter non-FIPS mode.

Verifying the configuration

After the device reboots, you can enter the system.

<Sysname>

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is disabled.

Example: Exiting FIPS mode through manual reboot

Network configuration

After you log in to the device in FIPS mode through a console or Async port, use the manual reboot method to exit FIPS mode.

Procedure

# Disable FIPS mode.

[Sysname] undo fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

The system will create a new startup configuration file for non-FIPS mode, and then reboot automatically. Continue? [Y/N]:n

Change the configuration to meet non-FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter non-FIPS mode.

# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.

[Sysname] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

[Sysname] quit

# Delete the startup configuration file in binary format.

<Sysname> delete flash:/startup.mdb

Delete flash:/startup.mdb? [Y/N]:y

Deleting file flash:/startup.mdb...Done.

# Reboot the device.

<Sysname> reboot

Verifying the configuration

After the device reboots, authentication is disabled for console login by default. You can press Enter to enter non-FIPS mode.

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is disabled.
