| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/2/2029 |
| Caveat | Interim Validation. When operated in approved mode with module Junos® OS Evolved Kernel Cryptographic Module version 2.0 validated to FIPS 140-3 under Cert. #4776 operating in the Approved mode. When installed, initialized and configured as specified in section 11 of the Security Policy. The module generates cryptographic keys whose strengths are modified by available entropy |
| Vendor | Juniper Networks, Inc. |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Junos® OS Evolved OpenSSL Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status<br/>Self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Junos® OS Evolved OpenSSL Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status<br/>Self-test</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;JUNOS® OS EVOLVED OPENSSL CRYPTOGRAPHIC MODULE VERSION 3.0.8 Document Version 1.2 Last update: 2024-08-23 Prepared by: Prepared for: atsec information security corporation Juniper Networks, Inc.
Austin, TX 78759 Sunnyvale, CA 94089 www.atsec.com www.juniper.net Juniper Networks, Inc.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Table of Contents 1.1 1.2 1.3 2.1 2.2 2.3 2.4 2.5 NON-APPROVED ALGORITHMS ALLOWED IN THE APPROVED MODE OF OPERATION WITH NO SECURITY 2.6 2.7 2.8 4.1 4.2 4.3 5.1 5.2 6.1 6.2 9.1 9.2 9.3 9.4 9.5 9.6 10.1
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services, and Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security | N/A |
| 8 | 8 | Non-invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | 1 |
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 1.1 Overview This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0.8 of the Junos® OS Evolved OpenSSL Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 software module. It has a one-to-one mapping to the [SP800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. including this notice. Other documentation is proprietary to their authors. 1.2 How this Security Policy was Prepared further consolidated into this document by atsec information security together with other vendorsupplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. 1.3 Security Levels The following sections describe the cryptographic module and how it conforms to the FIPS 140-3 specification in each of the required areas. Table 1 - Security Levels N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Name | Operating System | Hardware Platform | Software Version | Processor | Paa Pai | # | |
|---|---|---|---|---|---|---|---|
| 1 | Junos® OS Evolved 22.4 | Juniper Networks® | 3.0.8 | Intel® Xeon® D-2163IT | AES-NI, SHA Extensions (PAA) | 1 | 3.0.8 |
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| SHA-3 | #A4236 | SHA3-224, SHA3-256, | N/A | Message Digest |
| [FIPS202] | SHA3-384, SHA3-512 | |||
| SHA-3 | #A4236 | SHAKE-128, SHAKE-256 | N/A | XOF |
| KMAC | #A4236 | KMAC-128, KMAC-256 | 128, 256 bits with 128, 256 | MAC Generation |
| [SP800-185] | bits of security strength | and Verification | ||
| AES | #A4229, | CBC, CTR, CFB1, CFB8, | 128, 192, 256 bits with 128, | Symmetric |
| [FIPS197], | #A4230, | CFB128, OFB, CBC-CTS- | 192, 256 bits of security | Encryption and |
| [SP800-38A] | #A4231 | CS1, CBC-CTS-CS2, CBC- | strength | Decryption |
| AES | #A4229, | CMAC | 128, 192, 256 bits with 128, | MAC Generation |
| [FIPS197], | #A4230, | 192, 256 bits of security | and Verification | |
| [SP800-38B] | #A4231 | strength | ||
| AES | CCM | 128, 192, 256 bits with 128, | Symmetric | |
| [FIPS197], | 192, 256 bits of security | Encryption and | ||
| [SP800-38C] | strength | Decryption | ||
| AES | #A4229, | ECB | 128, 192, 256 bits with 128, | Symmetric |
| [FIPS197], | #A4230, | 192, 256 bits of security | Encryption and | |
| [SP800-38A] | #A4231, | strength | Decryption | |
| AES | #A4237, | GCM (external IV) | 128, 192, 256 bits with 128, | Symmetric |
| [FIPS197], | #A4238, | 192, 256 bits of security | Decryption | |
| [SP800-38D] | #A4239, | strength | ||
| AES | #A4240, | GCM (internal IV) | 128, 192, 256 bits with 128, | Symmetric |
| [FIPS197], | #A4242, | 192, 256 bits of security | Encryption | |
| [SP800-38D] | #A4243, | strength | ||
| AES | #A4244, | GMAC | 128, 192, 256 bits with 128, | MAC Generation |
| [FIPS197], | #A4245 | 192, 256 bits of security | MAC Verification | |
| [SP800-38D] | strength | |||
| AES | #A4229, | XTS | 128, 256 bits with 128, 256 | Symmetric |
| [FIPS197], | #A4230, | bits of security strength | Encryption and | |
| [SP800-38E] | #A4231 | Decryption for | ||
| AES | KW , KWP (KTS) | 128, 192, 256 bits with 128, | Key Wrapping and | |
| [FIPS197], | 192, 256 bits of security | Unwrapping | ||
| [SP800-38F] | strength | |||
| HMAC | #A4246, | SHA-1, SHA2-224, SHA2- | 112-524288 bits with 112 to | MAC Generation |
| [FIPS198-1] | #A4247, | 384, SHA2-512, SHA2- | 256 bits of security strength | MAC Verification |
| #A4248, | #A4248, | 512/224, SHA2-512/256 | ||
| #A4236 | #A4236 | SHA3-224, SHA3-256, | ||
| #A4246, | #A4246, | SHA2-256 | MAC Generation | |
| #A4247, | #A4247, | MAC Verification | ||
| #A4248, | #A4248, | Integrity Check | ||
| KBKDF | #A4250 | Counter and feedback | 112-4096 bits with 112 to 256 | KBKDF Key |
| [SP 800-108r1] | mode, using CMAC and | bits of security strength | Derivation | |
| KDA OneStep1 | #A4224 | (HMAC) SHA-1, SHA2-224, | 224 to 8192 bits with 112 to | KDA OneStep Key |
| SHA2-256, SHA2-384, | SHA2-256, SHA2-384, | 256 bits of security strength | Derivation | |
| [SP 800-56Cr2] | SHA2-512, SHA2-512/224, | |||
| KDA HKDF | #A4228 | HMAC with SHA-1, SHA2- | 224 to 8192 bits with 112 to | HKDF Key |
| [SP 800-56Cr2] | 224, SHA2-256, SHA2-384, | 256 bits of security strength | Derivation | |
| ANS 9.42 KDF | CVL | ANS 9.42 KDF | 224 to 8192 bits with 112 to | ANS X9.42 KDF |
| [SP 800-135r1] | #A4236, | AES KW with SHA-1, SHA2- | 256 bits of security strength | Key Derivation |
| #A4246, | #A4246, | 224, SHA2-256, SHA2-384, | ||
| #A4247, | #A4247, | SHA2-512, SHA2-512/224, | ||
| #A4248, | #A4248, | SHA2-512/256, SHA3-224, | ||
| #A4249 | #A4249 | SHA3-256, SHA3-384, | ||
| ANS 9.63 KDF | CVL | ANS 9.63 KDF | 224 to 8192 bits with 112 to | ANS 9.63 KDF Key |
| [SP 800-135r1] | #A4246, | SHA2-224, SHA2-256, | 256 bits of security strength | Derivation |
| #A4247, | #A4247, | SHA2-384, SHA2-512 | ||
| SSH KDF | CVL | SSH KDF | 224 to 8192 bits with 112 to | SSH KDF Key |
| [SP 800-135r1] | #A4232, | SHA-1, SHA2-256, SHA2- | 256 bits of security strength | Derivation |
| #A4233, | #A4233, | 384, SHA2-512 | ||
| TLS 1.2 KDF | CVL | TLS v1.2 KDF with | 224 to 8192 bits with 112 to | TLS 1.2 KDF Key |
| [SP 800-135r1] | #A4246, | SHA2-256, SHA2-384, | 256 bits of security strength | Derivation |
| #A4247, | #A4247, | SHA2-512 | ||
| TLS 1.3 KDF | CVL | TLS v1.3 KDF with | 224 to 8192 bits with 112 to | TLS 1.3 KDF Key |
| [RFC 8446] | #A4228 | SHA2-256, SHA2-384 | 256 bits of security strength | Derivation |
| PBKDF2 | #A4236, | Option 1a with SHA-1, | N/A | Password-based |
| [SP 800-132] | #A4246, | SHA2-224, SHA2-256, | Key Derivation | |
| #A4247, | #A4247, | SHA2-384, SHA2-512, | ||
| #A4248, | #A4248, | SHA2-512/224, SHA2- | ||
| #A4249 | #A4249 | 512/256, SHA3-224, SHA3- | ||
| KAS-FFC-SSC | #A4251 | dhEphem | MODP-2048, MODP-3072, | DH shared secret |
| [SP 800-56Ar3] | (initiator/responder) | MODP-4096, MODP-6144, | Computation | |
| KAS-ECC-SSC | #A4227, | Ephemeral Unified Model | B-233, B-283, B-409, B-571, | ECDH shared |
| [SP 800-56Ar3] | #A4246, | (initiator/responder) | K-233, K-283, K-409, K-571, | secret |
| #A4247, | #A4247, | P-224, P-256, P-384, P-521 | Computation | |
| #A4248, | #A4248, | with 112, 128, 192, 256 bits of | ||
| #A4249 | #A4249 | security strength | ||
| RSA | #A4246, | B.3.6 Probable Primes | 2048-15360 bits with 112 to | Key Pair |
| [FIPS186-4] | #A4247, | 256 bits of security strength | Generation | |
| #A4248, | #A4248, | PKCS#1v1.5: | 2048-16384 bits with 112 to | Digital Signature |
| SHA2-224, SHA2-256, | SHA2-224, SHA2-256, | 256 bits of security strength | Generation | |
| Modulus | Modulus | SHA2-512/224, SHA2- | ||
| sizes other | sizes other | 512/256 | ||
| and 4096 | and 4096 | SHA2-224, SHA2-256, | ||
| bits are not | bits are not | SHA2-384, SHA2-512, | ||
| CAVP tested | CAVP tested | SHA2-512/224, SHA2- | ||
| but | but | 512/256 | ||
| per IG C.F | per IG C.F | SHA-1, SHA2-224, SHA2- | 256 bits of security strength | Verification |
| ECDSA | #A4225, | FIPS 186-4 Appendix B.4.2 | B-233, B-283, B-409, B-571, | Key Pair |
| [FIPS186-4] | #A4246, | Testing Candidates | K-233, K-283, K-409, K-571, | Generation |
| #A4247, | #A4247, | N/A | P-224, P-256, P-384, P-521 | Key Pair |
| #A4248, | #A4248, | with 112, 128, 192, 256 bits of | ||
| #A4249 | #A4249 | security strength | ||
| #A4225, | #A4225, | SHA2-224, SHA2-256, | Signature | |
| #A4226, | #A4226, | SHA2-384, SHA2-512, | Generation | |
| #A4236, | #A4236, | SHA2-512/224, SHA2- | ||
| #A4246, | #A4246, | 512/256, SHA3-224, SHA3- | ||
| #A4247, | #A4247, | 256, SHA3-384, SHA3-512 | ||
| #A4248, | #A4248, | SHA-1, SHA2-224, SHA2- | Signature | |
| 256, SHA2-384, SHA2-512, | 256, SHA2-384, SHA2-512, | Verification | ||
| Safe primes | #A4251 | [SP 800-56Ar3] Section | MODP-2048, MODP-3072, | Key Pair |
| [SP 800-56Ar3] | 5.6.1.1.4 Testing Candidates | MODP-4096, MODP-6144, | Generation | |
| Safe primes | [SP 800-56Ar3] Sections | MODP-8192, ffdhe2048, | Key pair | |
| [SP 800-56Ar3] | 5.6.2.1.2 and 5.6.2.1.4 | ffdhe6144, ffdhe8192 with | Verification | |
| CKG | Vendor | Safe primes | MODP-2048, MODP-3072, | Key Pair |
| [SP 800-133r2 | Affirmed | MODP-4096, MODP-6144, | Generation | |
| Section 4] | MODP-8192, ffdhe2048, | |||
| RSA | RSA | 2048-15360 bits with 112 to | ||
| ECDSA | ECDSA | B-233, B-283, B-409, B-571, | ||
| RSA | PKCS#1v1.5: | 2048-16384 bits with 112 to | Signature | |
| [FIPS 186-4] | SHA3-224, SHA3-256, | 256 bits of security strength | Generation | |
| PKCS#1v1.5: | PKCS#1v1.5: | 1024-16384 bits with 80 to | Signature | |
| SHA3-224, SHA3-256, | SHA3-224, SHA3-256, | 256 bits of security strength | Verification | |
| Hash_DRBG | #A3599 | SHA-1, SHA2-256, SHA2- | N/A | Random Number |
| [SP 800-90Ar1] | #A3600 | 512 | Generation | |
| #A3601 | #A3601 | with/without PR | ||
| HMAC_DRBG | #A3599 | SHA-1, SHA2-256, SHA2- | N/A | |
| [SP 800-90Ar1] | #A3600 | 512 | ||
| #A3601 | #A3601 | with/without PR | ||
| CTR_DRBG | #A3599 | AES-128, | 128, 192, 256 bits with 128, | |
| [SP 800-90Ar1] | #A3600 | AES-192, | 192 and 256 bits of security | |
| AES-256 | AES-256 | strength |
Cryptographic Module Specification 2.1 Module Embodiment The Junos® OS Evolved OpenSSL Cryptographic Module (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider” (i.e. fips.so), which implements the FIPS requirements and the cryptographic functionality provided to the operator. 2.2 Tested Operational Environments The module has been tested on the following platforms with the corresponding module variants and configuration options: Table 2 - Tested Operational Environments # 3.0.8 2.3 Approved Algorithms Table 3 lists all the approved security functions of the module, including specific key strengths employed for approved services. Table 3 - Approved Algorithms #A4246, #A4247, #A4248, #A4249 SHS [FIPS180-4] N/A N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. This algorithm is referred to as “Single Step KDF” or “SSKDF” by OpenSSL.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 2.4 Non-Approved Algorithms Allowed in the Approved Mode of Operation The module does not implement non-approved algorithms that are allowed in the approved mode of operation. 2.5 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed The module does not implement non-approved algorithms allowed in the approved mode of operation with no security claimed. 2.6 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Algorithm / Functions Use / Function AES GCM (external IV) Symmetric Encryption 2.7 Module Design and Components Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. The cryptographic boundary is represented by a shared library implementing the FIPS provider (fips.so) along with its HMAC value which resides within a configuration file called /etc/ssl/fipsmodule.cnf. Green lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section 3. Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For Figure 1
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. The module also uses the Junos OS Evolved Kernel Cryptographic Module Version 2.0 as a bound module (also referred to as “the bound Kernel Crypto API module”) for performing random number generation, relying on the Kernel DRBG. The Junos OS Evolved Kernel Cryptographic Module Version
2.8 Rules of Operation In the operational state, the module accepts service requests from calling applications through its logical interfaces. At any point in the operational state, a calling application can end its process, thus causing the module to end its operation. The module supports two modes of operation:
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Name | Physical Port | Logical Interface | Data That Passes | |||
|---|---|---|---|---|---|---|
| i | As a software-only module, the | Data Input | API input parameters | i | ||
| module does not have physical | module does not have physical | Data Output | API output parameters | |||
| nteract with the module | nteract with the module | Control Input | API function calls | |||
| through the API provided by | through the API provided by | Status Output | API return codes, error messages | |||
| ports are interpreted to be the | ports are interpreted to be the | Power Input | N/A | Power Input | N/A |
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
All data output via data output interface is inhibited when the module is performing pre-operational test or zeroization or when the module enters error state. Table 5 summarizes the logical interfaces: Table 5 - Ports and Interfaces N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Name | Roles | Output | Nput | |||
|---|---|---|---|---|---|---|
| Message Digest | Crypto | Digest value | Crypto Officer | Message | ||
| XOF | Officer | Digest value | Message, output length | |||
| Symmetric Encryption | Ciphertext | Plaintext, AES key | ||||
| Symmetric Decryption | Plaintext | Ciphertext, AES key | ||||
| MAC Generation | MAC tag | Message, AES key, KMAC, or | MAC Generation | MAC tag | ||
| MAC Verification | Message, AES key, KMAC, or | MAC Verification | Pass/fail | |||
| KBKDF Key Derivation | KBKDF derived key | Key-derivation key | ||||
| KDA OneStep Key Derivation | KDA OneStep derived key | DH or ECDH shared secret | ||||
| HKDF Key Derivation | HKDF derived key | DH or ECDH shared secret | ||||
| ANS X9.42 KDF Key Derivation | ANS X9.42 KDF derived key | DH or ECDH shared secret | ||||
| ANS X9.63 KDF Key Derivation | ANS X9.63 KDF derived key | DH or ECDH shared secret | ||||
| SSH KDF Key Derivation | SSH KDF derived key | DH or ECDH shared secret | ||||
| TLS 1.2 KDF Key Derivation | TLS 1.2 KDF derived key | DH or ECDH shared secret | ||||
| TLS 1.3 KDF Key Derivation | TLS 1.3 KDF derived key | DH or ECDH shared secret | ||||
| Password-based Key Derivation | PBKDF2 derived key | Password, salt, iteration count | ||||
| Key Unwrapping | Unwrapped key | Key wrapping key, wrapped | Key Unwrapping | Unwrapped key | ||
| Key Wrapping | Key wrapping key, key to be | Key Wrapping | Wrapped key | |||
| Random Number Generation | Random bytes | Output length | ||||
| DH Shared Secret Computation | DH shared secret | Owner private key, peer | DH Shared Secret Computation | DH shared secret | ||
| ECDH Shared Secret Computation | Owner private key, peer | ECDH Shared Secret Computation | ECDH shared secret |
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Roles, Services and Authentication 4.1 Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for a maintenance role. Table 6 lists the roles supported by the module with corresponding services with input and output parameters. Table 6 - Role, Service Commands, Input and Output Input
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Name | Output | Nput | I | ||
|---|---|---|---|---|---|
| Signature Generation | Signature | Message, private key | |||
| Signature Verification | Pass/fail | Message, public key, signature | |||
| Key pair Generation | Key pair | Key size | |||
| Key pair Verification | Pass/fail | Key pair | |||
| Show Version | Name and version | N/A | Show Version | N/A | i |
| Show Status | Module status | N/A | |||
| Self-test | Pass/fail results of self-tests | N/A |
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 4.2 Input N/A information N/A N/A N/A Authentication The module does not support authentication for roles. 4.3 Services The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The next tables define the services that utilize approved and non-approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Message | Compute a | CO | N/A | SHA-1, | N/A | EVP_Digest* |
| Digest | message | SHA2-224, SHA2- | functions will | |||
| digest | digest | 256, SHA2-384, | return 0 | |||
| XOF | Compute the | CO | N/A | SHAKE-128, | N/A | EVP_Digest* |
| output of an | output of an | SHAKE-256 | functions will | |||
| XOF | XOF | return 0 | ||||
| Symmetric | Encrypt a | CO | AES key | AES ECB, CBC, | W, E | EVP_Encrypt* |
| Encryption | plaintext | CBC-CTS-CS1, | functions will | |||
| CBC-CTS-CS2, | CBC-CTS-CS2, | return 0 | ||||
| Symmetric | Encrypt a | CO | AES key | AES GCM | W, E | ERR_peek_last |
| Encryption | plaintext | _error | ||||
| (AES-GCM) | function | |||||
| Symmetric | Decrypt a | CO | AES key | AES ECB, CBC, | W, E | EVP_Decrypt* |
| Decryption | ciphertext | CBC-CTS-CS1, | functions will | |||
| CBC-CTS-CS2, | CBC-CTS-CS2, | return 0 | ||||
| Key Wrapping | Perform AES- | CO | AES key wrapping key | AES-KW, AES- | W,E | EVP_Encrypt* |
| based key | based key | KWP | functions will | |||
| wrapping | wrapping | return 0 | ||||
| Unwrapping | based key | KWP | functions will | |||
| unwrapping | unwrapping | return 0 | ||||
| MAC | Compute a | CO | AES Key, KMAC key, | AES CMAC | W, E | EVP_MAC* |
| KMAC | KMAC | return 0 | ||||
| MAC | Verify a MAC | HMAC SHA-1, | EVP_MAC* | |||
| Verification | tag | SHA2-224, SHA2- | functions will | |||
| 256, SHA2-384, | 256, SHA2-384, | return 0 | ||||
| KBKDF Key | Derive a key | CO | Key-derivation key | KBKDF | W, E | EVP_KDF* |
| Derivation | from a key- | functions will | ||||
| derivation key | derivation key | KBKDF derived key | G, R | return 0 | ||
| W, E | W, E | EVP_KDF* | ||||
| W, E | W, E | functions will | ||||
| HKDF Key | Derive a key from a shared secret | DH shared secret | HKDF | W, E | EVP_KDF* | |
| Derivation | ECDH shared secret | W, E | functions will | |||
| HKDF derived key | HKDF derived key | G, R | ||||
| ANS X9.42 | Derive a key from a shared secret | DH shared secret | ANS X 9.42 KDF | W, E | EVP_KDF* | |
| KDF Key | ECDH shared secret | W, E | functions will | |||
| Derivation | return 0 | |||||
| ANS X9.42 KDF derived | ANS X9.42 KDF derived | G, R | ||||
| ANS X9.63 | Derive a key from a shared secret | DH shared secret | ANS X 9.63 KDF | W, E | EVP_KDF* | |
| KDF Key | ECDH shared secret | W, E | functions will | |||
| Derivation | return 0 | |||||
| ANS X9.63 KDF derived | ANS X9.63 KDF derived | G, R | ||||
| SSH KDF Key | Derive a key | DH shared secret | SSH KDF | W, E | EVP_KDF* | |
| Derivation | from a shared | ECDH shared secret | W, E | functions will | ||
| secret | secret | return 0 | ||||
| SSH KDF derived key | SSH KDF derived key | G, R | ||||
| TLS 1.2 KDF | Derive a key | DH shared secret | TLS 1.2 KDF | W, E | EVP_KDF* | |
| Key Derivation | from a shared | ECDH shared secret | W, E | functions will | ||
| secret | secret | return 0 | ||||
| TLS 1.2 KDF derived key | TLS 1.2 KDF derived key | G, R | ||||
| TLS 1.3 KDF | DH shared secret | TLS 1.3 KDF | W, E | EVP_KDF* | ||
| Key Derivation | ECDH shared secret | W, E | functions will | |||
| TLS 1.3 KDF derived key | TLS 1.3 KDF derived key | G, R | ||||
| Password- | Derive a key | CO | Password | PBKDF2 | W, E | EVP_KDF* |
| based Key | from a | PBKDF2 derived key | G, R | functions will | ||
| Derivation | password | return 0 | ||||
| Compute a | Compute a | CO | DH private key (owner), | KAS-FFC-SSC | W, E | |
| shared secret | shared secret | DH public key (peer) | ||||
| DH Shared | DH shared secret | G, R | EVP_PKEY* | |||
| Secret | functions will | |||||
| Computation | return 0 | |||||
| ECDH Shared | EC private key (owner), EC | KAS-ECC-SSC | W, E | |||
| Secret | public key (peer) | |||||
| Computation | ECDH shared secret | G, R | ||||
| Signature | Generate a | CO | RSA private key | RSA signature | W, E | EVP_DigestSig |
| (PKCS#1 v1.5 and | (PKCS#1 v1.5 and | will return 0 | ||||
| Signature | Verify a | CO | RSA public key | RSA signature | W, E | EVP_Digestve |
| Verification | signature | EC public key | verification | rify* functions | ||
| (PKCS#1 v1.5 and | (PKCS#1 v1.5 and | will return 0 | ||||
| Key pair | Generate a | CO | DH private key, DH public | CKG | G, R | EVP_PKEY* |
| pair generation | RSA private key, RSA | pair generation | ||||
| RSA key pair | public key | RSA key pair | ||||
| Key pair | Verify a key | CO | DH private key, DH public | Safe primes key | W | EVP_PKEY* |
| Verification | pair | key | pair verification | will return 0 | ||
| ECDSA key pair | EC private key, EC public | ECDSA key pair | ||||
| verification | key | verification | ||||
| Random | Generate | CO | Entropy input | CTR_DRBG from | W, E | RAND_bytes* |
| DRBG internal state (V, | DRBG internal state (V, | W, E, G | ||||
| Hash_DRBG from | Entropy input | Hash_DRBG from | W, E | |||
| Kernel bound | DRBG seed | Kernel bound | E, G | |||
| DRBG internal state (V, C) | DRBG internal state (V, C) | W, E, G | ||||
| HMAC_DRBG | Entropy input | HMAC_DRBG | W, E | |||
| from Kernel | DRBG seed | from Kernel | E, G | |||
| DRBG internal state (V, C) | DRBG internal state (V, C) | W, E, G | ||||
| Show version | Return the | CO | None | N/A | N/A | N/A |
| Show status | Return the | CO | None | N/A | N/A | N/A |
| Self-test | Perform the | CO | None | SHA-1, SHA2- | N/A | N/A |
| CASTs and | CASTs and | 512, SHA3-256, | ||||
| integrity test | integrity test | SHA3-512, AES |
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A N/A N/A N/A W, E W, E W, E W,E W,E W, E
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. W, E G, R KDA OneStep Derive a key KDA OneStep W, E W, E KDA OneStep derived key G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R Passwordbased Key
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100 W, E G, R W, E
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. G, R W, E G, R W, E W, E G, R W W, E
Sunnyvale, CA 94089 www.juniper.net E, G W, E, G W, E W, E E, G N/A o +1 408 745 2000 f +1 408 745 2100 E, G W, E, G W, E, G N/A N/A
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A N/A N/A SHA-1, SHA2None N/A N/A N/A Z N/A Table 8 - Non-Approved Services Symmetric Encryption Encrypt a plaintext AES GCM (external IV) ERR_peek_last_error() function returns 0x1C80012C
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 5.1 Software/Firmware security Integrity Techniques The integrity of the module is verified by comparing a HMAC SHA2-256 value calculated at run time with the HMAC SHA2-256 value stored in the /etc/ssl/fipsmodule.cnf file that was computed during installation of the module. 5.2 On-Demand Integrity Test Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by unloading and subsequently reinitializing the module, or by calling the OSSL_PROVIDER_self_test function. This will perform (among others) the software integrity test.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 6.1 Operational Environment Applicability The module operates in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in Table 2. 6.2 Policy and Requirements The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. The module does not support concurrent operators . The module does not have the capability of loading software or firmware from an external source. Instrumentation tools like the ptrace system call, gdb and strace utilities, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Physical Security The module is comprised of software only, and therefore this section is not applicable.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Non-invasive Security This module does not implement any non-invasive security mechanism and therefore this section is not applicable.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Name | Generation | Establishment | Use | Stren | Stora |
|---|---|---|---|---|---|
| Name/Ty | Function and | ment | Keys | gth | ge |
| pe | Cert. Number | ||||
| Name/Ty | Function and | ment | Keys | gth | ge |
| pe | Cert. Number | ||||
| Name/Ty | Function and | ment | Keys | gth | ge |
| pe | Cert. Number | ||||
| Name/Ty | Function and | ment | Keys | gth | ge |
| pe | Cert. Number | ||||
| Name/Ty | Function and | ment | Keys | gth | ge |
| pe | Cert. Number | ||||
| Name/Ty | Function and | ment | Keys | gth | ge |
| pe | Cert. Number |
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Sensitive Security Parameter Management Table 9 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module in the approved services (Table 7). Notice that the table does not include SSPs related to the Random Number Generation service, which is implemented in the bound Kernel Crypto API module. Table 9 - SSPs AES key 128, 192, bits RAM EVP_CIPHE Use: R_CTX_free Symmetric EVP_MAC_C Encryption, Symmetric TX_free Decryption, MAC MAC Verification, Key Wrapping, Unwrapping Related SSPs: N/A HMAC 112256 bits AES AES CMAC AES GMAC #A4229, #A4230, #A4231, #A4232, #A4233, #A4234, #A4235, #A4237, #A4238, #A4239, #A4240, #A4241, #A4242, #A4243, #A4244, #A4245 N/A HMAC #A4236, #A4246, #A4247, #A4248, #A4249 N/A Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_MAC_C Use: MAC TX_free MAC Verification Related SSPs: N/A KMAC 128256 bits KMAC #A4236 N/A Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_MAC_C Use: MAC TX_free MAC Verification Related SSPs: N/A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Key112derivation 256 bits KBKDF #A4250 N/A Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_KDF_C Use: KBKDF TX_free Key Derivation Related SSPs: KBKDF derived key DH shared 112secret bits
Sunnyvale, CA 94089 www.juniper.net KAS-FFC-SSC N/A KDA OneStep HKDF ANS 9.42 KDF ANS 9.63 KDF SSH KDF TLS 1.2 KDF TLS 1.3 KDF #A4224, #A4227, #A4228, #A4232, #A4233, #A4234, #A4235, #A4236, #A4246, #A4247, #A4248, #A4249, #A4251 o +1 408 745 2000 f +1 408 745 2100 Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Compute RAM EVP_KDF_C Use: DH d during TX_free Shared Secret DH Computation, shared KDA OneStep secret computati Derivation, on per HKDF Key [SP800Derivation, 56Ar3] ANS X9.42 KDF Key Export: CM to Derivation, TOEPP Path. ANS X9.63 Passed from KDF Key the module via Derivation, API parameters SSH KDF Key in plaintext (P) Derivation, format. TLS 1.2 KDF Derivation, TLS 1.3 KDF Key Derivation Related SSPs: DH private key, DH public key, KDA OneStep derived key, HKDF derived key, ANS X9.42 KDF derived key, ANS X9.63 KDF derived key, SSH KDF derived key, TLS 1.2 KDF derived key, TLS 1.3 KDF derived key
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. ECDH shared secret 112256 bits Password N/A KAS-ECC-SSC N/A KDA OneStep HKDF ANS 9.42 KDF ANS 9.63 KDF SSH KDF TLS 1.2 KDF TLS 1.3 KDF #A4224, #A4227, #A4228, #A4232, #A4233, #A4234, #A4235, #A4236, #A4246, #A4247, #A4248, #A4249, #A4251 Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. PBKDF2 #A4236, #A4246, #A4247, #A4248, #A4249 Import: CM MD/EE from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. N/A Compute RAM EVP_KDF_C Use: ECDH d during TX_free Shared Secret ECDH Computation, shared KDA OneStep secret computati Derivation, on per HKDF Key [SP800Derivation, 56Ar3] ANS X9.42 KDF Key Export: CM to Derivation, TOEPP Path. ANS X9.63 Passed from KDF Key the module via Derivation, API parameters SSH KDF Key in plaintext (P) Derivation, format. TLS 1.2 KDF Derivation, TLS 1.3 KDF Key Derivation Related SSPs: ECDH private key, ECDH public key, KDA OneStep derived key, HKDF derived key, ANS X9.42 KDF derived key, ANS X9.63 KDF derived key, SSH KDF derived key, TLS 1.2 KDF derived key, TLS 1.3 KDF derived key RAM EVP_KDF_C Use: TX_free Passwordbased Key Derivation Related SSPs: PBKDF2 derived key
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. KBKDF derived 112256 bits KBKDF #A4250 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: KBKDF TX_free Key Derivation Related SSPs: Key-derivation KDA OneStep derived 112256 bits KDA OneStep [SP 800133r2], #A4224 Section 6.2 N/A RAM EVP_KDF_C Use: KDA TX_free OneStep Key Derivation Related SSPs: DH shared secret, ECDH shared secret HKDF derived 112256 bits KBKDF #A4228 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: HKDF TX_free Key Derivation Related SSPs: DH shared secret, ECDH shared secret ANS X9.42 KDF derived 112256 bits ANS X9.42 KDF #A4236 #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: ANS TX_free X9.42 KDF Key Derivation Related SSPs: DH shared secret, ECDH shared secret ANS X9.63 KDF derived 112256 bits ANS X9.63 KDF #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: ANS TX_free X9.63 KDF Key Derivation Related SSPs: DH shared secret, ECDH shared secret
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100 Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format.
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. SSH KDF derived 112256 bits SSH KDF #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: SSH KDF TX_free Key Derivation Related SSPs: DH shared secret, ECDH shared secret TLS 1.2 KDF derived 112256 bits TLS 1.2 KDF #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: TLS 1.2 TX_free Key Derivation Related SSPs: DH shared secret, ECDH shared secret TLS 1.3 KDF derived 112256 bits TLS 1.3 KDF #A4228 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: TLS 1.3 TX_free KDF Key Derivation Related SSPs: DH shared secret, ECDH shared secret PBKDF2 derived 112256 bits PBKDF2 #A4236 #A4246 #A4247 #A4248 #A4249 [SP 800132], Section 6.2 N/A RAM EVP_KDF_C Use: TX_free Passwordbased Key Derivation Related SSPs: Password DH private 112200 bits KAS-FFC-SSC [SP 80056Ar3] #A4251 Section 5.6.1.1.4 Testing Candidates Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_PKEY_f Use: DH ree Shared Secret Computation, Key pair verification Related SSPs: DH shared secret DH public 112key bits
Sunnyvale, CA 94089 www.juniper.net Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Passed from the module via API parameters in plaintext (P) format. EC private 112, 128, 192, bits EC public 112, 128, 192, bits RSA private 112256 bits RSA 80public key 256 bits 9.1 KAS-ECC-SSC FIPS 186-4 ECDSA Appendix B.4.2 #A4227, Testing #A4246, Candidates #A4247, #A4248, #A4249 Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. RSA #A4246, #A4247, #A4248, #A4249 FIPS 186-4 Appendix B.3.6 Probable Primes with Conditions Based on Auxiliary Probable Primes Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_PKEY_f Use: ECDH ree Shared Secret Computation Signature Key pair Verification Related SSPs: ECDH shared secret RAM EVP_PKEY_f Use: Signature ree N/A Use: Signature Verification Related SSPs: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Random Bit Generators The module does not implement any random number generator. Instead, it uses the Random Number Generation (RNG) service provided by the bound Kernel Crypto API module, which implements a Deterministic Random Bit Generator (DRBG) based on [SP 800-90Ar1]. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 9.2 SSP Generation The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with [SP 800-133r2]. When random values are required, they are obtained from the [SP 800-90Ar1] approved DRBG, compliant with Section 4, example 1 of [SP 800-133r2]. The following methods are implemented:
7919 (TLS). Note that the module only implements key pair generation, key pair verification, and
shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 and 1.3 KDFs):
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. • ◦ MODP-4096 (ID = 16) ◦ MODP-6144 (ID = 17) ◦ MODP-8192 (ID =
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Algorithm | Parameters | Condition | Type | Test |
|---|
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
The module performs the pre-operational self-test and CASTs automatically when the module is loaded into memory. Pre-operational self-test ensure that the module is not corrupted, and the CASTs ensure that the cryptographic algorithms work as expected. While the module is executing the pre-operational test and the CASTs, the module services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational self-test and the CASTs are completed successfully. After the pre-operational test and the CASTs succeed, the module becomes operational. If any of the pre-operational test or any of the CASTs fail an error message is returned, and the module transitions to the error state. All the self-tests are listed in Table 10, with the respective condition under which those tests are performed. Note that the pre-operational integrity test is only executed after all cryptographic algorithm self-tests (CASTs) executed successfully. Table 10
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Algorithm | Parameters | Condition | Type | Test |
|---|
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. ANS X9.63 KDF SHA2-256 Initialization Cryptographic Algorithm Self-Test KAT key derivation SSH KDF SHA-1 Initialization Cryptographic Algorithm Self-Test KAT key derivation TLS 1.2 KDF SHA2-256 Initialization Cryptographic Algorithm Self-Test KAT key derivation TLS 1.3 KDF SHA2-256 Initialization Cryptographic Algorithm Self-Test KAT key derivation PBKDF2 SHA2-256 with 4096 iterations and 288-bit salt Initialization Cryptographic Algorithm Self-Test KAT passwordbased key derivation KAS-FFC-SSC ffdhe2048 Initialization Cryptographic Algorithm Self-Test KAT shared secret computation MODP-2048 Initialization Cryptographic Algorithm Self-Test KAT shared secret computation KAS-ECC-SSC P-256 Initialization Cryptographic Algorithm Self-Test KAT shared secret computation RSA PKCS#1 v1.5 with SHA2-256 and 2048-bit key Initialization Cryptographic Algorithm Self-Test KAT signature generation and verification ECDSA SHA2-256 and P-224, Initialization Cryptographic Algorithm Self-Test KAT signature generation and verification SHA2-256 and B-233 DH N/A DH key pair generation Pair-wise Consistency Section 5.6.2.1.42 pair-wise consistency RSA PKCS#1 v1.5 with SHA2-256 RSA key pair generation Pair-wise Consistency Sign/Verify pairwise consistency ECDSA SHA2-256 EC key pair generation Pair-wise Consistency Sign/Verify pairwise consistency Kernel Bound Module DRBG AES-128, AES-192 and AES-256 with and without PR Initialization Cryptographic Algorithm Self-Test KAT DRBG generation and reseed As mentioned in SP 800-56Ar3 section 5.6.2.1.4 - Owner Assurance of Pair-wise Consistency, the module recalculate the public key based on the private key and the domain parameters and then check if it matches the existing public key.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Algorithm | Parameters | Condition | Type | Test |
|---|
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. HMAC-SHA1, HMAC-SHA2-256 and SHA2-512 with and without PR Health test per section 11.3 of 90A SHA1, SHA2-256 and SHA2-512 with and without PR
The module performs pre-operational tests automatically when the module is powered on. The preoperational self-tests ensure that the module is not corrupted. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. The types of pre-operational self-tests are described in the next sub-sections.
The integrity of the shared library component of the module is verified by comparing an HMAC SHA2256 value calculated at run time with the HMAC SHA2-256 value stored in the /etc/ssl/fipsmodule.cnf file that was computed at installation time. If the software integrity test fails, the module transitions to the error state (Section 10.3). As mentioned previously, the HMAC and SHA2-256 algorithms go through their respective CASTs before the software integrity test is performed.
The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 10. Data output through the data output interface is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state (Section 10.3).
Upon generation of a DH, RSA or EC key pair, the module will perform a pair-wise consistency test (PCT) as shown in Table 10, which provides some assurance that the generated key pair is well formed. For DH key pairs, this test consists of the PCT described in Section 5.6.2.1.4 of [SP 800-56Ar3]. For RSA and EC key pairs, this test consists of a signature generation and a signature verification operation. If the test fails, the module transitions to the error state (Section 10.3).
If the module fails any of the self-tests, the module enters the error state. In the error state, the module immediately stops functioning and ends the application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
| Error State | Cause of Error | Status Indicator |
|---|
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Table 11 lists the error states and the status indicator values that explain the error that has occurred. Table 11 - Error States Software integrity test failure Module will not load CAST failure Module will not load PCT failure Module stops functioning
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
The binaries of the module are contained in the base Junos Evolved installation image. The Crypto Officer shall follow this Security Policy to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory.
In order to run in Approved mode, the module must be operated using the approved services, with their corresponding approved cryptographic algorithms provided in this Security Policy (see section 4.3). In addition, key sizes must comply with [SP 800-131Ar2].
The operator is responsible to verify the correct installation of module which is already pre-installed on the image file (junos-evo-install-ptx-fixed-x86-64-22.4R2.11-S1-EVO.iso). The following steps are required:
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
When no IV is explicitly provided, the AES GCM IV generation is performed in compliance with Scenario 2 of IG C.H (Random IV). The AES-GCM IV is generated randomly internal to the module using the approved DRBG provided by the bound kernel. The DRBG seeds itself from the entropy source of the kernel. The GCM IV is 96 bits in length.
The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP 800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks that is 16MB of data. To meet the requirement in [FIPS140-3_IG] IG C.I, the module implements a check to ensure that the two AES keys used in XTS-AES algorithm are not identical.
The module provides password-based key derivation (PBKDF2), compliant with [SP 800-132]. The module supports option 1a from section 5.4 of [SP 800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to [SP 800-132] and FIPS IG D.N, the following requirements shall be met:
The module offers DH and ECDH shared secret computation services compliant to the [SP 800-56Ar3] and meeting IG D.F scenario 2 path (1). In order to meet the required assurances listed in section 5.6 of [SP 800-56Ar3], the module shall be used together with an application that implements the "TLS protocol" and the following steps shall be performed.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 3. The module does not support static keys therefore the "assurance of peer's possession of private key" is not applicable.
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Program Interface APT Advanced Package Tool CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Hash Message Authentication Code IKE Internet Key Exchange IG Implementation Guidance KAS Key Agreement Schema KAT Known Answer Test KBKDF Key-based Key Derivation Function KDF Key Derivation Function
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with ciphertext Stealing
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.
ANSI X9.422001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANSI X9.632001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program August 12, 2020 https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips 140-3/FIPS 140-3 IG.pdf FIPS 180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://tools.ietf.org/html/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Addendum NIST Special Publication 800-38A Addendum - Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F
Sunnyvale, CA 94089 www.juniper.net NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. SP 800-52 NIST Special Publication 800-52 Revision 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-56Cr2 NIST Special Publication 800-56C Revision 2 - Recommendation for KeyDerivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf SP 800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-108r1 NIST Special Publication 800-108r1 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-131Ar2 NIST Special Publication 800-131A
Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100
Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. SP 800-185
Sunnyvale, CA 94089 www.juniper.net NIST Special Publication 800-185 - SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash December 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf o +1 408 745 2000 f +1 408 745 2100