A cryptographic module must perform power-up self-tests and conditional self-tests to ensure that it is functioning properly.
Power-up self-tests run automatically after the device powers up. A device goes into FIPS mode only after all self-tests are successfully completed. If any self-test fails, the device logs a system message and moves into an error state.
The device uses a cryptographic algorithm known-answer test (KAT) to test FIPS mode for each FIPS 140-2-approved cryptographic function (encryption, decryption, authentication, and random number generation) implemented on the device. The device applies the algorithm to data for which the correct output is already known. It then compares the calculated output to the previously generated output. If the calculated output does not equal the known answer, the KAT fails.
Conditional self-tests run automatically when an applicable security function or operation is invoked. Unlike the power-up self-tests, conditional self-tests are executed each time their associated function is accessed.
Conditional self-tests include the following:
- Pair-wise consistency test: run when a public or private key pair is generated.
- Continuous random number generator test: run when a random number is generated.
The Cisco TrustSec manager also runs a bypass test to ensure that encrypted text is never sent as plain text.
A bypass test failure on CTS-enabled ports causes only those corresponding ports to be shut down. The bypass test might fail because of packet drops caused by data path congestion. In such cases, we recommend that you try bringing up the port again.
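As an added example (not Cisco's code), the following Python model shows the two mechanisms described above: the power-up known-answer test that decides between FIPS mode and the error state, and the continuous random number generator test that rejects a repeated output block. The device API, the `power_up` state machine and the use of `hashlib`/`hmac` in place of the device's own cryptographic engine are assumptions; the known answers are the published SHA-256 ("abc") and RFC 4231 HMAC-SHA-256 test vectors.

```python
import hashlib
import hmac
import os

# Known-answer vectors: (name, function under test, published expected output).
KAT_VECTORS = [
    ("SHA-256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256).hexdigest(),
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


def run_power_up_kats(vectors=KAT_VECTORS):
    """Run every KAT (even after a failure, so the log lists all of them).
    Returns (all_passed, [names of failed tests])."""
    failures = []
    for name, compute, expected in vectors:
        if not hmac.compare_digest(compute(), expected):
            failures.append(name)
    return (not failures, failures)


def power_up(vectors=KAT_VECTORS):
    """Assumed state machine: FIPS mode only if all KATs pass, else error state."""
    ok, failures = run_power_up_kats(vectors)
    if not ok:
        # Stands in for the device's logged system message.
        print("FIPS power-up self-test failed: " + ", ".join(failures))
        return "error"
    return "fips"


class ContinuousRngTest:
    """Conditional self-test: each block the generator returns must differ from
    the previous one. The first block is only retained for comparison."""

    def __init__(self, source=os.urandom, block_len=16):
        self.source = source
        self.block_len = block_len
        self.previous = source(block_len)

    def next_block(self):
        block = self.source(self.block_len)
        if block == self.previous:
            raise RuntimeError("continuous RNG test failed: repeated output block")
        self.previous = block
        return block
```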