002-010820-001 Revision E
SPCE Security Policy
Document is Uncontrolled When Printed.
9. SELF-TESTS
The ProtectDrive Cryptographic Engine performs a number of power-up and conditional self-tests to
ensure proper operation.
9.1 Power-On Self-Tests (POST)
When the SafeNet ProtectDrive Cryptographic Engine is initially powered-on, it executes a number of
power-on self-tests. If any of these tests fail, the module will enter an error state and prohibit an
operator from exercising the module's cryptographic functionality. No data is output by the module
while these tests are running. Table 12 lists the power-on self-tests:
| Test | Function | FIPS 140-2 Required |
|---|---|---|
| Symmetric Cipher AES KAT | Performs encrypt/decrypt known answer tests for AES for NetBSD INIT, CRYPdll and SafeCGX [4] | Yes |
| SHA-1 KAT | Performs known answer test for SHA-1 on NetBSD INIT | Yes |
| RNG KAT | Performs known answer test for the RNG in CryptoAPI_NT.dll | Yes |
| HMAC-SHA-1 KAT | Performs separate known answer test for HMAC-SHA-1 on SafeCGX | Yes |
| HMAC-SHA-256 KAT | Performs known answer tests for HMAC-SHA-256 on VxBIOS and CryptoAPI_NT.dll | Yes |
| Software Integrity Test | HMAC-SHA-256 for VxBIOS, NetBSD INIT, and CRYPdll; HMAC-SHA-256 for CryptoAPI_NT.dll; HMAC-SHA-1 for SafeCGX [5] | Yes |

Table 12. Power-On Self-Tests
9.2 Conditional Self-Tests
| Test | Function | FIPS 140-2 Required |
|---|---|---|
| Continuous RNG | Performs the FIPS 140-2 required continuous RNG check each time the module's PRNG is used to produce random data | Yes |
| Continuous Entropy Test | Performs a continuous entropy test on the seeding material for the RNG. The test checks that the previous seeding material is not the same as the current seed material | Yes |

Table 13. Conditional Self-Tests
[4] AES KATs are performed separately by CRYPdll, NetBSD INIT, and SafeCGX for their respective AES implementations.
[5] SafeCGX performs its own software integrity test separately from SPCE components.
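
The two conditional self-tests in Table 13, together with the error-state behaviour described in section 9.1, can be sketched as follows. This is an added illustration, not SafeNet's code: the class name `ToyModule`, the 16-byte block size, the 32-byte seed length and the HMAC-SHA-256 counter generator standing in for the module's RNG are all assumptions.

```python
import hashlib
import hmac
import os


class ModuleError(RuntimeError):
    """The module is in the error state and refuses cryptographic services."""


class ToyModule:  # hypothetical name, not a ProtectDrive component
    BLOCK = 16  # assumed RNG output block size in bytes

    def __init__(self, entropy=os.urandom, generate=None):
        self._entropy = entropy  # seed source, injectable for testing
        self._generate = generate or self._hmac_block
        self._prev_seed = None
        self._counter = 0
        self.error_state = False
        self.reseed()
        # First block after power-up is kept for comparison only, never output.
        self._prev_block = self._generate()

    def _fail(self, reason):
        self.error_state = True
        raise ModuleError(reason)

    def _check_state(self):
        if self.error_state:
            raise ModuleError("module is in the error state")

    def reseed(self):
        self._check_state()
        seed = self._entropy(32)
        # Continuous entropy test: new seed material must differ from the last.
        if self._prev_seed is not None and hmac.compare_digest(seed, self._prev_seed):
            self._fail("continuous entropy test failed")
        self._prev_seed = self._key = seed

    def _hmac_block(self):  # stand-in generator, not an approved RNG
        self._counter += 1
        msg = self._counter.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()[: self.BLOCK]

    def random_block(self):
        self._check_state()
        block = self._generate()
        # Continuous RNG test: each block is compared with the previous one.
        if hmac.compare_digest(block, self._prev_block):
            self._fail("continuous RNG test failed")
        self._prev_block = block
        return block
```

Once either check fails, `error_state` stays set and every later call to `reseed()` or `random_block()` is refused, mirroring the requirement that a failed self-test blocks further use of the cryptographic functionality.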