
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• The generated RSA and DSA key pairs must have a modulus length of 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, and MD5 algorithms.
• The keys must contain at least 15 characters and all 4 character types: uppercase letters, lowercase
  letters, digits, and special characters. This requirement applies to the following passwords (the last
  two passwords are used for password control):
  ◦ AAA server's shared key.
  ◦ IKE pre-shared key.
  ◦ SNMPv3 authentication key.
  ◦ Password for a device management local user.
  ◦ Password for switching user roles.
FIPS self-tests
To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms, including
power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up self-test fails,
the device where the self-test process exists reboots. If the conditional self-test fails, the system outputs
self-test failure information.
NOTE:
If a self-test fails, contact H3C Support.
Power-up self-tests
The power-up self-test, also called a "known-answer test", examines the availability of FIPS-allowed
cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is
already known. The calculated output is compared with the known answer. If they are not identical, the
known-answer test fails.
The power-up self-test examines the following cryptographic algorithms:
• DSA (signature and authentication).
• RSA (signature and authentication).
• RSA (encryption and decryption).
• AES.
• 3DES.
• SHA1.
• HMAC-SHA1.
• Random number generator algorithms.
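The known-answer comparison described above, shown for two of the listed algorithms (SHA1 and HMAC-SHA1) as an added example; it is not H3C code. The function names are hypothetical, the expected values are the published FIPS 180 "abc" digest and RFC 2202 test case 1, and the faulty implementation is constructed to show a failing test.

```python
import hashlib
import hmac

def sha1_impl(data):
    return hashlib.sha1(data).digest()

def hmac_sha1_impl(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

# (algorithm name, implementation under test, fixed input, known answer in hex)
VECTORS = [
    ("SHA1", sha1_impl, (b"abc",),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),        # FIPS 180 example
    ("HMAC-SHA1", hmac_sha1_impl, (b"\x0b" * 20, b"Hi There"),
     "b617318655057264e28bc0b6fb378c8ef146be00"),        # RFC 2202 test case 1
]

def run_known_answer_tests(vectors=VECTORS):
    """Run each algorithm on its fixed input and compare the calculated
    output with the known answer. Returns the names of failed algorithms."""
    failed = []
    for name, impl, args, expected_hex in vectors:
        try:
            calculated = impl(*args)
        except Exception:
            # An implementation that cannot run at all also fails the test.
            failed.append(name)
            continue
        if not hmac.compare_digest(calculated, bytes.fromhex(expected_hex)):
            failed.append(name)
    return failed

def faulty_sha1(data):
    """Constructed fault: one flipped output bit, standing in for a
    corrupted cryptographic module."""
    digest = bytearray(hashlib.sha1(data).digest())
    digest[0] ^= 0x01
    return bytes(digest)

if __name__ == "__main__":
    failures = run_known_answer_tests()
    print("power-up self-test:", "passed" if not failures else f"FAILED {failures}")
    # Same vector, faulty implementation: the mismatch is detected.
    broken = [("SHA1", faulty_sha1, (b"abc",), VECTORS[0][3])]
    print("with injected fault:", run_known_answer_tests(broken))
```

On the device, a failed power-up self-test leads to a reboot; this sketch only reports which algorithm failed.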
Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator
module is invoked. Conditional self-tests include the following types: