All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Junos® OS Evolved OpenSSL Cryptographic Module

Certificate#4775StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc.
High review priority  ·  exposes network crypto parser/protocol  ·  OpenSSL upstream has published 40 CVEs since this module's initial validation  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/2/2029
CaveatInterim Validation. When operated in approved mode with module Junos® OS Evolved Kernel Cryptographic Module version 2.0 validated to FIPS 140-3 under Cert. #4776 operating in the Approved mode. When installed, initialized and configured as specified in section 11 of the Security Policy. The module generates cryptographic keys whose strengths are modified by available entropy
VendorJuniper Networks, Inc.

Approved Algorithms (221)

AlgorithmACVP Cert
AES-CBCA4229
AES-CBCA4230
AES-CBCA4231
AES-CBC-CS1A4229
AES-CBC-CS1A4230
AES-CBC-CS1A4231
AES-CBC-CS2A4229
AES-CBC-CS2A4230
AES-CBC-CS2A4231
AES-CBC-CS3A4229
AES-CBC-CS3A4230
AES-CBC-CS3A4231
AES-CCMA4229
AES-CCMA4230
AES-CCMA4231
AES-CFB1A4229
AES-CFB1A4230
AES-CFB1A4231
AES-CFB128A4229
AES-CFB128A4230
AES-CFB128A4231
AES-CFB8A4229
AES-CFB8A4230
AES-CFB8A4231
AES-CMACA4229
AES-CMACA4230
AES-CMACA4231
AES-CTRA4229
AES-CTRA4230
AES-CTRA4231
AES-ECBA4229
AES-ECBA4230
AES-ECBA4231
AES-ECBA4232
AES-ECBA4233
AES-ECBA4234
AES-ECBA4235
AES-GCMA4237
AES-GCMA4238
AES-GCMA4239
AES-GCMA4240
AES-GCMA4241
AES-GCMA4242
AES-GCMA4243
AES-GCMA4244
AES-GCMA4245
AES-GMACA4237
AES-GMACA4238
AES-GMACA4239
AES-GMACA4240
AES-GMACA4241
AES-GMACA4242
AES-GMACA4243
AES-GMACA4244
AES-GMACA4245
AES-KWA4229
AES-KWA4230
AES-KWA4231
AES-KWPA4229
AES-KWPA4230
AES-KWPA4231
AES-OFBA4229
AES-OFBA4230
AES-OFBA4231
AES-XTS Testing Revision 2.0A4229
AES-XTS Testing Revision 2.0A4230
AES-XTS Testing Revision 2.0A4231
Counter DRBGA3599
Counter DRBGA3599
Counter DRBGA3599
Counter DRBGA3599
ECDSA KeyGen (FIPS186-4)A4225
ECDSA KeyGen (FIPS186-4)A4246
ECDSA KeyGen (FIPS186-4)A4247
ECDSA KeyGen (FIPS186-4)A4248
ECDSA KeyGen (FIPS186-4)A4249
ECDSA KeyVer (FIPS186-4)A4225
ECDSA KeyVer (FIPS186-4)A4246
ECDSA KeyVer (FIPS186-4)A4247
ECDSA KeyVer (FIPS186-4)A4248
ECDSA KeyVer (FIPS186-4)A4249
ECDSA SigGen (FIPS186-4)A4225
ECDSA SigGen (FIPS186-4)A4226
ECDSA SigGen (FIPS186-4)A4236
ECDSA SigGen (FIPS186-4)A4246
ECDSA SigGen (FIPS186-4)A4247
ECDSA SigGen (FIPS186-4)A4248
ECDSA SigGen (FIPS186-4)A4249
ECDSA SigVer (FIPS186-4)A4225
ECDSA SigVer (FIPS186-4)A4226
ECDSA SigVer (FIPS186-4)A4236
ECDSA SigVer (FIPS186-4)A4246
ECDSA SigVer (FIPS186-4)A4247
ECDSA SigVer (FIPS186-4)A4248
ECDSA SigVer (FIPS186-4)A4249
Hash DRBGA3599
Hash DRBGA3600
Hash DRBGA3601
Hash DRBGA3601
Hash DRBGA3601
Hash DRBGA3601
HMAC DRBGA3599
HMAC DRBGA3599
HMAC DRBGA3599
HMAC DRBGA3599
HMAC DRBGA3599
HMAC DRBGA3599
HMAC-SHA-1A4246
HMAC-SHA-1A4247
HMAC-SHA-1A4248
HMAC-SHA-1A4249
HMAC-SHA2-224A4246
HMAC-SHA2-224A4247
HMAC-SHA2-224A4248
HMAC-SHA2-224A4249
HMAC-SHA2-256A4246
HMAC-SHA2-256A4247
HMAC-SHA2-256A4248
HMAC-SHA2-256A4249
HMAC-SHA2-384A4246
HMAC-SHA2-384A4247
HMAC-SHA2-384A4248
HMAC-SHA2-384A4249
HMAC-SHA2-512A4246
HMAC-SHA2-512A4247
HMAC-SHA2-512A4248
HMAC-SHA2-512A4249
HMAC-SHA2-512/224A4246
HMAC-SHA2-512/224A4247
HMAC-SHA2-512/224A4248
HMAC-SHA2-512/224A4249
HMAC-SHA2-512/256A4246
HMAC-SHA2-512/256A4247
HMAC-SHA2-512/256A4248
HMAC-SHA2-512/256A4249
HMAC-SHA3-224A4236
HMAC-SHA3-256A4236
HMAC-SHA3-384A4236
HMAC-SHA3-512A4236
KAS-ECC-SSC Sp800-56Ar3A4227
KAS-ECC-SSC Sp800-56Ar3A4246
KAS-ECC-SSC Sp800-56Ar3A4247
KAS-ECC-SSC Sp800-56Ar3A4248
KAS-ECC-SSC Sp800-56Ar3A4249
KAS-FFC-SSC Sp800-56Ar3A4251
KDA HKDF Sp800-56Cr1A4228
KDA OneStep SP800-56Cr2A4224
KDF ANS 9.42A4236
KDF ANS 9.42A4246
KDF ANS 9.42A4247
KDF ANS 9.42A4248
KDF ANS 9.42A4249
KDF ANS 9.63A4246
KDF ANS 9.63A4247
KDF ANS 9.63A4248
KDF ANS 9.63A4249
KDF SP800-108A4250
KDF SSHA4232
KDF SSHA4233
KDF SSHA4234
KDF SSHA4235
KMAC-128A4236
KMAC-256A4236
PBKDFA4236
PBKDFA4246
PBKDFA4247
PBKDFA4248
PBKDFA4249
RSA KeyGen (FIPS186-4)A4246
RSA KeyGen (FIPS186-4)A4247
RSA KeyGen (FIPS186-4)A4248
RSA KeyGen (FIPS186-4)A4249
RSA SigGen (FIPS186-4)A4246
RSA SigGen (FIPS186-4)A4247
RSA SigGen (FIPS186-4)A4248
RSA SigGen (FIPS186-4)A4249
RSA SigVer (FIPS186-4)A4246
RSA SigVer (FIPS186-4)A4247
RSA SigVer (FIPS186-4)A4248
RSA SigVer (FIPS186-4)A4249
Safe Primes Key GenerationA4251
Safe Primes Key VerificationA4251
SHA-1A4246
SHA-1A4247
SHA-1A4248
SHA-1A4249
SHA2-224A4246
SHA2-224A4247
SHA2-224A4248
SHA2-224A4249
SHA2-256A4246
SHA2-256A4247
SHA2-256A4248
SHA2-256A4249
SHA2-384A4246
SHA2-384A4247
SHA2-384A4248
SHA2-384A4249
SHA2-512A4246
SHA2-512A4247
SHA2-512A4248
SHA2-512A4249
SHA2-512/224A4246
SHA2-512/224A4247
SHA2-512/224A4248
SHA2-512/224A4249
SHA2-512/256A4246
SHA2-512/256A4247
SHA2-512/256A4248
SHA2-512/256A4249
SHA3-224A4236
SHA3-256A4236
SHA3-384A4236
SHA3-512A4236
SHAKE-128A4236
SHAKE-256A4236
TLS v1.2 KDF RFC7627A4246
TLS v1.2 KDF RFC7627A4247
TLS v1.2 KDF RFC7627A4248
TLS v1.2 KDF RFC7627A4249
TLS v1.3 KDFA4228

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Junos® OS Evolved OpenSSL Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status<br/>Self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Junos® OS Evolved OpenSSL Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status<br/>Self-test</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

JUNOS® OS EVOLVED OPENSSL CRYPTOGRAPHIC MODULE VERSION 3.0.8 Document Version 1.2 Last update: 2024-08-23 Prepared by: Prepared for: atsec information security corporation Juniper Networks, Inc.

9130 Jollyville Road, Suite 260
1133 Innovation Way

Austin, TX 78759 Sunnyvale, CA 94089 www.atsec.com www.juniper.net Juniper Networks, Inc.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 2

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Table of Contents 1.1 1.2 1.3 2.1 2.2 2.3 2.4 2.5 NON-APPROVED ALGORITHMS ALLOWED IN THE APPROVED MODE OF OPERATION WITH NO SECURITY 2.6 2.7 2.8 4.1 4.2 4.3 5.1 5.2 6.1 6.2 9.1 9.2 9.3 9.4 9.5 9.6 10.1

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 3

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 4
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityN/A
88Non-invasive SecurityN/A
99Sensitive Security Parameter Management1
1010Self-tests1
1111Life-cycle Assurance1
1212Mitigation of Other Attacks1

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 1.1 Overview This document is the non-proprietary FIPS 140-3 Security Policy for version 3.0.8 of the Junos® OS Evolved OpenSSL Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for a Security Level 1 software module. It has a one-to-one mapping to the [SP800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. including this notice. Other documentation is proprietary to their authors. 1.2 How this Security Policy was Prepared further consolidated into this document by atsec information security together with other vendorsupplied documentation. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. 1.3 Security Levels The following sections describe the cryptographic module and how it conforms to the FIPS 140-3 specification in each of the required areas. Table 1 - Security Levels N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 5

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 6
Module configuration
NameOperating SystemHardware PlatformSoftware VersionProcessorPaa Pai#
1Junos® OS Evolved 22.4Juniper Networks®3.0.8Intel® Xeon® D-2163ITAES-NI, SHA Extensions (PAA)13.0.8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
SHA-3#A4236SHA3-224, SHA3-256,N/AMessage Digest
[FIPS202]SHA3-384, SHA3-512
SHA-3#A4236SHAKE-128, SHAKE-256N/AXOF
KMAC#A4236KMAC-128, KMAC-256128, 256 bits with 128, 256MAC Generation
[SP800-185]bits of security strengthand Verification
AES#A4229,CBC, CTR, CFB1, CFB8,128, 192, 256 bits with 128,Symmetric
[FIPS197],#A4230,CFB128, OFB, CBC-CTS-192, 256 bits of securityEncryption and
[SP800-38A]#A4231CS1, CBC-CTS-CS2, CBC-strengthDecryption
AES#A4229,CMAC128, 192, 256 bits with 128,MAC Generation
[FIPS197],#A4230,192, 256 bits of securityand Verification
[SP800-38B]#A4231strength
AESCCM128, 192, 256 bits with 128,Symmetric
[FIPS197],192, 256 bits of securityEncryption and
[SP800-38C]strengthDecryption
AES#A4229,ECB128, 192, 256 bits with 128,Symmetric
[FIPS197],#A4230,192, 256 bits of securityEncryption and
[SP800-38A]#A4231,strengthDecryption
AES#A4237,GCM (external IV)128, 192, 256 bits with 128,Symmetric
[FIPS197],#A4238,192, 256 bits of securityDecryption
[SP800-38D]#A4239,strength
AES#A4240,GCM (internal IV)128, 192, 256 bits with 128,Symmetric
[FIPS197],#A4242,192, 256 bits of securityEncryption
[SP800-38D]#A4243,strength
AES#A4244,GMAC128, 192, 256 bits with 128,MAC Generation
[FIPS197],#A4245192, 256 bits of securityMAC Verification
[SP800-38D]strength
AES#A4229,XTS128, 256 bits with 128, 256Symmetric
[FIPS197],#A4230,bits of security strengthEncryption and
[SP800-38E]#A4231Decryption for
AESKW , KWP (KTS)128, 192, 256 bits with 128,Key Wrapping and
[FIPS197],192, 256 bits of securityUnwrapping
[SP800-38F]strength
HMAC#A4246,SHA-1, SHA2-224, SHA2-112-524288 bits with 112 toMAC Generation
[FIPS198-1]#A4247,384, SHA2-512, SHA2-256 bits of security strengthMAC Verification
#A4248,#A4248,512/224, SHA2-512/256
#A4236#A4236SHA3-224, SHA3-256,
#A4246,#A4246,SHA2-256MAC Generation
#A4247,#A4247,MAC Verification
#A4248,#A4248,Integrity Check
KBKDF#A4250Counter and feedback112-4096 bits with 112 to 256KBKDF Key
[SP 800-108r1]mode, using CMAC andbits of security strengthDerivation
KDA OneStep1#A4224(HMAC) SHA-1, SHA2-224,224 to 8192 bits with 112 toKDA OneStep Key
SHA2-256, SHA2-384,SHA2-256, SHA2-384,256 bits of security strengthDerivation
[SP 800-56Cr2]SHA2-512, SHA2-512/224,
KDA HKDF#A4228HMAC with SHA-1, SHA2-224 to 8192 bits with 112 toHKDF Key
[SP 800-56Cr2]224, SHA2-256, SHA2-384,256 bits of security strengthDerivation
ANS 9.42 KDFCVLANS 9.42 KDF224 to 8192 bits with 112 toANS X9.42 KDF
[SP 800-135r1]#A4236,AES KW with SHA-1, SHA2-256 bits of security strengthKey Derivation
#A4246,#A4246,224, SHA2-256, SHA2-384,
#A4247,#A4247,SHA2-512, SHA2-512/224,
#A4248,#A4248,SHA2-512/256, SHA3-224,
#A4249#A4249SHA3-256, SHA3-384,
ANS 9.63 KDFCVLANS 9.63 KDF224 to 8192 bits with 112 toANS 9.63 KDF Key
[SP 800-135r1]#A4246,SHA2-224, SHA2-256,256 bits of security strengthDerivation
#A4247,#A4247,SHA2-384, SHA2-512
SSH KDFCVLSSH KDF224 to 8192 bits with 112 toSSH KDF Key
[SP 800-135r1]#A4232,SHA-1, SHA2-256, SHA2-256 bits of security strengthDerivation
#A4233,#A4233,384, SHA2-512
TLS 1.2 KDFCVLTLS v1.2 KDF with224 to 8192 bits with 112 toTLS 1.2 KDF Key
[SP 800-135r1]#A4246,SHA2-256, SHA2-384,256 bits of security strengthDerivation
#A4247,#A4247,SHA2-512
TLS 1.3 KDFCVLTLS v1.3 KDF with224 to 8192 bits with 112 toTLS 1.3 KDF Key
[RFC 8446]#A4228SHA2-256, SHA2-384256 bits of security strengthDerivation
PBKDF2#A4236,Option 1a with SHA-1,N/APassword-based
[SP 800-132]#A4246,SHA2-224, SHA2-256,Key Derivation
#A4247,#A4247,SHA2-384, SHA2-512,
#A4248,#A4248,SHA2-512/224, SHA2-
#A4249#A4249512/256, SHA3-224, SHA3-
KAS-FFC-SSC#A4251dhEphemMODP-2048, MODP-3072,DH shared secret
[SP 800-56Ar3](initiator/responder)MODP-4096, MODP-6144,Computation
KAS-ECC-SSC#A4227,Ephemeral Unified ModelB-233, B-283, B-409, B-571,ECDH shared
[SP 800-56Ar3]#A4246,(initiator/responder)K-233, K-283, K-409, K-571,secret
#A4247,#A4247,P-224, P-256, P-384, P-521Computation
#A4248,#A4248,with 112, 128, 192, 256 bits of
#A4249#A4249security strength
RSA#A4246,B.3.6 Probable Primes2048-15360 bits with 112 toKey Pair
[FIPS186-4]#A4247,256 bits of security strengthGeneration
#A4248,#A4248,PKCS#1v1.5:2048-16384 bits with 112 toDigital Signature
SHA2-224, SHA2-256,SHA2-224, SHA2-256,256 bits of security strengthGeneration
ModulusModulusSHA2-512/224, SHA2-
sizes othersizes other512/256
and 4096and 4096SHA2-224, SHA2-256,
bits are notbits are notSHA2-384, SHA2-512,
CAVP testedCAVP testedSHA2-512/224, SHA2-
butbut512/256
per IG C.Fper IG C.FSHA-1, SHA2-224, SHA2-256 bits of security strengthVerification
ECDSA#A4225,FIPS 186-4 Appendix B.4.2B-233, B-283, B-409, B-571,Key Pair
[FIPS186-4]#A4246,Testing CandidatesK-233, K-283, K-409, K-571,Generation
#A4247,#A4247,N/AP-224, P-256, P-384, P-521Key Pair
#A4248,#A4248,with 112, 128, 192, 256 bits of
#A4249#A4249security strength
#A4225,#A4225,SHA2-224, SHA2-256,Signature
#A4226,#A4226,SHA2-384, SHA2-512,Generation
#A4236,#A4236,SHA2-512/224, SHA2-
#A4246,#A4246,512/256, SHA3-224, SHA3-
#A4247,#A4247,256, SHA3-384, SHA3-512
#A4248,#A4248,SHA-1, SHA2-224, SHA2-Signature
256, SHA2-384, SHA2-512,256, SHA2-384, SHA2-512,Verification
Safe primes#A4251[SP 800-56Ar3] SectionMODP-2048, MODP-3072,Key Pair
[SP 800-56Ar3]5.6.1.1.4 Testing CandidatesMODP-4096, MODP-6144,Generation
Safe primes[SP 800-56Ar3] SectionsMODP-8192, ffdhe2048,Key pair
[SP 800-56Ar3]5.6.2.1.2 and 5.6.2.1.4ffdhe6144, ffdhe8192 withVerification
CKGVendorSafe primesMODP-2048, MODP-3072,Key Pair
[SP 800-133r2AffirmedMODP-4096, MODP-6144,Generation
Section 4]MODP-8192, ffdhe2048,
RSARSA2048-15360 bits with 112 to
ECDSAECDSAB-233, B-283, B-409, B-571,
RSAPKCS#1v1.5:2048-16384 bits with 112 toSignature
[FIPS 186-4]SHA3-224, SHA3-256,256 bits of security strengthGeneration
PKCS#1v1.5:PKCS#1v1.5:1024-16384 bits with 80 toSignature
SHA3-224, SHA3-256,SHA3-224, SHA3-256,256 bits of security strengthVerification
Hash_DRBG#A3599SHA-1, SHA2-256, SHA2-N/ARandom Number
[SP 800-90Ar1]#A3600512Generation
#A3601#A3601with/without PR
HMAC_DRBG#A3599SHA-1, SHA2-256, SHA2-N/A
[SP 800-90Ar1]#A3600512
#A3601#A3601with/without PR
CTR_DRBG#A3599AES-128,128, 192, 256 bits with 128,
[SP 800-90Ar1]#A3600AES-192,192 and 256 bits of security
AES-256AES-256strength

Cryptographic Module Specification 2.1 Module Embodiment The Junos® OS Evolved OpenSSL Cryptographic Module (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It provides a C language application program interface (API) for use by other applications that require cryptographic functionality. The module consists of one software component, the “FIPS provider” (i.e. fips.so), which implements the FIPS requirements and the cryptographic functionality provided to the operator. 2.2 Tested Operational Environments The module has been tested on the following platforms with the corresponding module variants and configuration options: Table 2 - Tested Operational Environments # 3.0.8 2.3 Approved Algorithms Table 3 lists all the approved security functions of the module, including specific key strengths employed for approved services. Table 3 - Approved Algorithms #A4246, #A4247, #A4248, #A4249 SHS [FIPS180-4] N/A N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 7

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. This algorithm is referred to as “Single Step KDF” or “SSKDF” by OpenSSL.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 8

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 9

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 10

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 11

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 2.4 Non-Approved Algorithms Allowed in the Approved Mode of Operation The module does not implement non-approved algorithms that are allowed in the approved mode of operation. 2.5 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed The module does not implement non-approved algorithms allowed in the approved mode of operation with no security claimed. 2.6 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Algorithm / Functions Use / Function AES GCM (external IV) Symmetric Encryption 2.7 Module Design and Components Figure 1 shows a block diagram that represents the design of the module when the module is operational and providing services to other user space applications. In this diagram, the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. The cryptographic boundary is represented by a shared library implementing the FIPS provider (fips.so) along with its HMAC value which resides within a configuration file called /etc/ssl/fipsmodule.cnf. Green lines indicate the flow of data between the cryptographic module and its operator application, through the logical interfaces defined in Section 3. Components in white are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For Figure 1

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 12

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. The module also uses the Junos OS Evolved Kernel Cryptographic Module Version 2.0 as a bound module (also referred to as “the bound Kernel Crypto API module”) for performing random number generation, relying on the Kernel DRBG. The Junos OS Evolved Kernel Cryptographic Module Version

2.0 is a FIPS 140-3 validated module with certificate #4776.

2.8 Rules of Operation In the operational state, the module accepts service requests from calling applications through its logical interfaces. At any point in the operational state, a calling application can end its process, thus causing the module to end its operation. The module supports two modes of operation:

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 13
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
iAs a software-only module, theData InputAPI input parametersi
module does not have physicalmodule does not have physicalData OutputAPI output parameters
nteract with the modulenteract with the moduleControl InputAPI function calls
through the API provided bythrough the API provided byStatus OutputAPI return codes, error messages
ports are interpreted to be theports are interpreted to be thePower InputN/APower InputN/A

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

3 Cryptographic Module Interfaces

All data output via data output interface is inhibited when the module is performing pre-operational test or zeroization or when the module enters error state. Table 5 summarizes the logical interfaces: Table 5 - Ports and Interfaces N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 14
Service
NameRolesOutputNput
Message DigestCryptoDigest valueCrypto OfficerMessage
XOFOfficerDigest valueMessage, output length
Symmetric EncryptionCiphertextPlaintext, AES key
Symmetric DecryptionPlaintextCiphertext, AES key
MAC GenerationMAC tagMessage, AES key, KMAC, orMAC GenerationMAC tag
MAC VerificationMessage, AES key, KMAC, orMAC VerificationPass/fail
KBKDF Key DerivationKBKDF derived keyKey-derivation key
KDA OneStep Key DerivationKDA OneStep derived keyDH or ECDH shared secret
HKDF Key DerivationHKDF derived keyDH or ECDH shared secret
ANS X9.42 KDF Key DerivationANS X9.42 KDF derived keyDH or ECDH shared secret
ANS X9.63 KDF Key DerivationANS X9.63 KDF derived keyDH or ECDH shared secret
SSH KDF Key DerivationSSH KDF derived keyDH or ECDH shared secret
TLS 1.2 KDF Key DerivationTLS 1.2 KDF derived keyDH or ECDH shared secret
TLS 1.3 KDF Key DerivationTLS 1.3 KDF derived keyDH or ECDH shared secret
Password-based Key DerivationPBKDF2 derived keyPassword, salt, iteration count
Key UnwrappingUnwrapped keyKey wrapping key, wrappedKey UnwrappingUnwrapped key
Key WrappingKey wrapping key, key to beKey WrappingWrapped key
Random Number GenerationRandom bytesOutput length
DH Shared Secret ComputationDH shared secretOwner private key, peerDH Shared Secret ComputationDH shared secret
ECDH Shared Secret ComputationOwner private key, peerECDH Shared Secret ComputationECDH shared secret

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Roles, Services and Authentication 4.1 Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for a maintenance role. Table 6 lists the roles supported by the module with corresponding services with input and output parameters. Table 6 - Role, Service Commands, Input and Output Input

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 15
Service
NameOutputNputI
Signature GenerationSignatureMessage, private key
Signature VerificationPass/failMessage, public key, signature
Key pair GenerationKey pairKey size
Key pair VerificationPass/failKey pair
Show VersionName and versionN/AShow VersionN/Ai
Show StatusModule statusN/A
Self-testPass/fail results of self-testsN/A

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 4.2 Input N/A information N/A N/A N/A Authentication The module does not support authentication for roles. 4.3 Services The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The next tables define the services that utilize approved and non-approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 16
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
MessageCompute aCON/ASHA-1,N/AEVP_Digest*
DigestmessageSHA2-224, SHA2-functions will
digestdigest256, SHA2-384,return 0
XOFCompute theCON/ASHAKE-128,N/AEVP_Digest*
output of anoutput of anSHAKE-256functions will
XOFXOFreturn 0
SymmetricEncrypt aCOAES keyAES ECB, CBC,W, EEVP_Encrypt*
EncryptionplaintextCBC-CTS-CS1,functions will
CBC-CTS-CS2,CBC-CTS-CS2,return 0
SymmetricEncrypt aCOAES keyAES GCMW, EERR_peek_last
Encryptionplaintext_error
(AES-GCM)function
SymmetricDecrypt aCOAES keyAES ECB, CBC,W, EEVP_Decrypt*
DecryptionciphertextCBC-CTS-CS1,functions will
CBC-CTS-CS2,CBC-CTS-CS2,return 0
Key WrappingPerform AES-COAES key wrapping keyAES-KW, AES-W,EEVP_Encrypt*
based keybased keyKWPfunctions will
wrappingwrappingreturn 0
Unwrappingbased keyKWPfunctions will
unwrappingunwrappingreturn 0
MACCompute aCOAES Key, KMAC key,AES CMACW, EEVP_MAC*
KMACKMACreturn 0
MACVerify a MACHMAC SHA-1,EVP_MAC*
VerificationtagSHA2-224, SHA2-functions will
256, SHA2-384,256, SHA2-384,return 0
KBKDF KeyDerive a keyCOKey-derivation keyKBKDFW, EEVP_KDF*
Derivationfrom a key-functions will
derivation keyderivation keyKBKDF derived keyG, Rreturn 0
W, EW, EEVP_KDF*
W, EW, Efunctions will
HKDF KeyDerive a key from a shared secretDH shared secretHKDFW, EEVP_KDF*
DerivationECDH shared secretW, Efunctions will
HKDF derived keyHKDF derived keyG, R
ANS X9.42Derive a key from a shared secretDH shared secretANS X 9.42 KDFW, EEVP_KDF*
KDF KeyECDH shared secretW, Efunctions will
Derivationreturn 0
ANS X9.42 KDF derivedANS X9.42 KDF derivedG, R
ANS X9.63Derive a key from a shared secretDH shared secretANS X 9.63 KDFW, EEVP_KDF*
KDF KeyECDH shared secretW, Efunctions will
Derivationreturn 0
ANS X9.63 KDF derivedANS X9.63 KDF derivedG, R
SSH KDF KeyDerive a keyDH shared secretSSH KDFW, EEVP_KDF*
Derivationfrom a sharedECDH shared secretW, Efunctions will
secretsecretreturn 0
SSH KDF derived keySSH KDF derived keyG, R
TLS 1.2 KDFDerive a keyDH shared secretTLS 1.2 KDFW, EEVP_KDF*
Key Derivationfrom a sharedECDH shared secretW, Efunctions will
secretsecretreturn 0
TLS 1.2 KDF derived keyTLS 1.2 KDF derived keyG, R
TLS 1.3 KDFDH shared secretTLS 1.3 KDFW, EEVP_KDF*
Key DerivationECDH shared secretW, Efunctions will
TLS 1.3 KDF derived keyTLS 1.3 KDF derived keyG, R
Password-Derive a keyCOPasswordPBKDF2W, EEVP_KDF*
based Keyfrom aPBKDF2 derived keyG, Rfunctions will
Derivationpasswordreturn 0
Compute aCompute aCODH private key (owner),KAS-FFC-SSCW, E
shared secretshared secretDH public key (peer)
DH SharedDH shared secretG, REVP_PKEY*
Secretfunctions will
Computationreturn 0
ECDH SharedEC private key (owner), ECKAS-ECC-SSCW, E
Secretpublic key (peer)
ComputationECDH shared secretG, R
SignatureGenerate aCORSA private keyRSA signatureW, EEVP_DigestSig
(PKCS#1 v1.5 and(PKCS#1 v1.5 andwill return 0
SignatureVerify aCORSA public keyRSA signatureW, EEVP_Digestve
VerificationsignatureEC public keyverificationrify* functions
(PKCS#1 v1.5 and(PKCS#1 v1.5 andwill return 0
Key pairGenerate aCODH private key, DH publicCKGG, REVP_PKEY*
pair generationRSA private key, RSApair generation
RSA key pairpublic keyRSA key pair
Key pairVerify a keyCODH private key, DH publicSafe primes keyWEVP_PKEY*
Verificationpairkeypair verificationwill return 0
ECDSA key pairEC private key, EC publicECDSA key pair
verificationkeyverification
RandomGenerateCOEntropy inputCTR_DRBG fromW, ERAND_bytes*
DRBG internal state (V,DRBG internal state (V,W, E, G
Hash_DRBG fromEntropy inputHash_DRBG fromW, E
Kernel boundDRBG seedKernel boundE, G
DRBG internal state (V, C)DRBG internal state (V, C)W, E, G
HMAC_DRBGEntropy inputHMAC_DRBGW, E
from KernelDRBG seedfrom KernelE, G
DRBG internal state (V, C)DRBG internal state (V, C)W, E, G
Show versionReturn theCONoneN/AN/AN/A
Show statusReturn theCONoneN/AN/AN/A
Self-testPerform theCONoneSHA-1, SHA2-N/AN/A
CASTs andCASTs and512, SHA3-256,
integrity testintegrity testSHA3-512, AES

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A N/A N/A N/A W, E W, E W, E W,E W,E W, E

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 17

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. W, E G, R KDA OneStep Derive a key KDA OneStep W, E W, E KDA OneStep derived key G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R W, E W, E G, R Passwordbased Key

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100 W, E G, R W, E

Page 18

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. G, R W, E G, R W, E W, E G, R W W, E

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net E, G W, E, G W, E W, E E, G N/A o +1 408 745 2000 f +1 408 745 2100 E, G W, E, G W, E, G N/A N/A

Page 19

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. N/A N/A N/A SHA-1, SHA2None N/A N/A N/A Z N/A Table 8 - Non-Approved Services Symmetric Encryption Encrypt a plaintext AES GCM (external IV) ERR_peek_last_error() function returns 0x1C80012C

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 20

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 5.1 Software/Firmware security Integrity Techniques The integrity of the module is verified by comparing a HMAC SHA2-256 value calculated at run time with the HMAC SHA2-256 value stored in the /etc/ssl/fipsmodule.cnf file that was computed during installation of the module. 5.2 On-Demand Integrity Test Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity test may be invoked on-demand by unloading and subsequently reinitializing the module, or by calling the OSSL_PROVIDER_self_test function. This will perform (among others) the software integrity test.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 21

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 6.1 Operational Environment Applicability The module operates in a modifiable operational environment per FIPS 140-3 level 1 specifications. The module runs on a commercially available general-purpose operating system executing on the hardware specified in Table 2. 6.2 Policy and Requirements The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. The module does not support concurrent operators . The module does not have the capability of loading software or firmware from an external source. Instrumentation tools like the ptrace system call, gdb and strace utilities, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 22

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Physical Security The module is comprised of software only, and therefore this section is not applicable.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 23

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Non-invasive Security This module does not implement any non-invasive security mechanism and therefore this section is not applicable.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 24
Sensitive security parameter
NameGenerationEstablishmentUseStrenStora
Name/TyFunction andmentKeysgthge
peCert. Number
Name/TyFunction andmentKeysgthge
peCert. Number
Name/TyFunction andmentKeysgthge
peCert. Number
Name/TyFunction andmentKeysgthge
peCert. Number
Name/TyFunction andmentKeysgthge
peCert. Number
Name/TyFunction andmentKeysgthge
peCert. Number

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Sensitive Security Parameter Management Table 9 summarizes the Sensitive Security Parameters (SSPs) that are used by the cryptographic services implemented in the module in the approved services (Table 7). Notice that the table does not include SSPs related to the Random Number Generation service, which is implemented in the bound Kernel Crypto API module. Table 9 - SSPs AES key 128, 192, bits RAM EVP_CIPHE Use: R_CTX_free Symmetric EVP_MAC_C Encryption, Symmetric TX_free Decryption, MAC MAC Verification, Key Wrapping, Unwrapping Related SSPs: N/A HMAC 112256 bits AES AES CMAC AES GMAC #A4229, #A4230, #A4231, #A4232, #A4233, #A4234, #A4235, #A4237, #A4238, #A4239, #A4240, #A4241, #A4242, #A4243, #A4244, #A4245 N/A HMAC #A4236, #A4246, #A4247, #A4248, #A4249 N/A Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_MAC_C Use: MAC TX_free MAC Verification Related SSPs: N/A KMAC 128256 bits KMAC #A4236 N/A Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_MAC_C Use: MAC TX_free MAC Verification Related SSPs: N/A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 25

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Key112derivation 256 bits KBKDF #A4250 N/A Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_KDF_C Use: KBKDF TX_free Key Derivation Related SSPs: KBKDF derived key DH shared 112secret bits

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net KAS-FFC-SSC N/A KDA OneStep HKDF ANS 9.42 KDF ANS 9.63 KDF SSH KDF TLS 1.2 KDF TLS 1.3 KDF #A4224, #A4227, #A4228, #A4232, #A4233, #A4234, #A4235, #A4236, #A4246, #A4247, #A4248, #A4249, #A4251 o +1 408 745 2000 f +1 408 745 2100 Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Compute RAM EVP_KDF_C Use: DH d during TX_free Shared Secret DH Computation, shared KDA OneStep secret computati Derivation, on per HKDF Key [SP800Derivation, 56Ar3] ANS X9.42 KDF Key Export: CM to Derivation, TOEPP Path. ANS X9.63 Passed from KDF Key the module via Derivation, API parameters SSH KDF Key in plaintext (P) Derivation, format. TLS 1.2 KDF Derivation, TLS 1.3 KDF Key Derivation Related SSPs: DH private key, DH public key, KDA OneStep derived key, HKDF derived key, ANS X9.42 KDF derived key, ANS X9.63 KDF derived key, SSH KDF derived key, TLS 1.2 KDF derived key, TLS 1.3 KDF derived key

Page 26

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. ECDH shared secret 112256 bits Password N/A KAS-ECC-SSC N/A KDA OneStep HKDF ANS 9.42 KDF ANS 9.63 KDF SSH KDF TLS 1.2 KDF TLS 1.3 KDF #A4224, #A4227, #A4228, #A4232, #A4233, #A4234, #A4235, #A4236, #A4246, #A4247, #A4248, #A4249, #A4251 Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. PBKDF2 #A4236, #A4246, #A4247, #A4248, #A4249 Import: CM MD/EE from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. N/A Compute RAM EVP_KDF_C Use: ECDH d during TX_free Shared Secret ECDH Computation, shared KDA OneStep secret computati Derivation, on per HKDF Key [SP800Derivation, 56Ar3] ANS X9.42 KDF Key Export: CM to Derivation, TOEPP Path. ANS X9.63 Passed from KDF Key the module via Derivation, API parameters SSH KDF Key in plaintext (P) Derivation, format. TLS 1.2 KDF Derivation, TLS 1.3 KDF Key Derivation Related SSPs: ECDH private key, ECDH public key, KDA OneStep derived key, HKDF derived key, ANS X9.42 KDF derived key, ANS X9.63 KDF derived key, SSH KDF derived key, TLS 1.2 KDF derived key, TLS 1.3 KDF derived key RAM EVP_KDF_C Use: TX_free Passwordbased Key Derivation Related SSPs: PBKDF2 derived key

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 27

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. KBKDF derived 112256 bits KBKDF #A4250 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: KBKDF TX_free Key Derivation Related SSPs: Key-derivation KDA OneStep derived 112256 bits KDA OneStep [SP 800133r2], #A4224 Section 6.2 N/A RAM EVP_KDF_C Use: KDA TX_free OneStep Key Derivation Related SSPs: DH shared secret, ECDH shared secret HKDF derived 112256 bits KBKDF #A4228 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: HKDF TX_free Key Derivation Related SSPs: DH shared secret, ECDH shared secret ANS X9.42 KDF derived 112256 bits ANS X9.42 KDF #A4236 #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: ANS TX_free X9.42 KDF Key Derivation Related SSPs: DH shared secret, ECDH shared secret ANS X9.63 KDF derived 112256 bits ANS X9.63 KDF #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: ANS TX_free X9.63 KDF Key Derivation Related SSPs: DH shared secret, ECDH shared secret

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100 Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format.

Page 28

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. SSH KDF derived 112256 bits SSH KDF #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: SSH KDF TX_free Key Derivation Related SSPs: DH shared secret, ECDH shared secret TLS 1.2 KDF derived 112256 bits TLS 1.2 KDF #A4246 #A4247 #A4248 #A4249 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: TLS 1.2 TX_free Key Derivation Related SSPs: DH shared secret, ECDH shared secret TLS 1.3 KDF derived 112256 bits TLS 1.3 KDF #A4228 [SP 800133r2], Section 6.2 N/A RAM EVP_KDF_C Use: TLS 1.3 TX_free KDF Key Derivation Related SSPs: DH shared secret, ECDH shared secret PBKDF2 derived 112256 bits PBKDF2 #A4236 #A4246 #A4247 #A4248 #A4249 [SP 800132], Section 6.2 N/A RAM EVP_KDF_C Use: TX_free Passwordbased Key Derivation Related SSPs: Password DH private 112200 bits KAS-FFC-SSC [SP 80056Ar3] #A4251 Section 5.6.1.1.4 Testing Candidates Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_PKEY_f Use: DH ree Shared Secret Computation, Key pair verification Related SSPs: DH shared secret DH public 112key bits

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. o +1 408 745 2000 f +1 408 745 2100

Page 29

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Passed from the module via API parameters in plaintext (P) format. EC private 112, 128, 192, bits EC public 112, 128, 192, bits RSA private 112256 bits RSA 80public key 256 bits 9.1 KAS-ECC-SSC FIPS 186-4 ECDSA Appendix B.4.2 #A4227, Testing #A4246, Candidates #A4247, #A4248, #A4249 Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. RSA #A4246, #A4247, #A4248, #A4249 FIPS 186-4 Appendix B.3.6 Probable Primes with Conditions Based on Auxiliary Probable Primes Import: CM N/A from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. RAM EVP_PKEY_f Use: ECDH ree Shared Secret Computation Signature Key pair Verification Related SSPs: ECDH shared secret RAM EVP_PKEY_f Use: Signature ree N/A Use: Signature Verification Related SSPs: N/A Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Random Bit Generators The module does not implement any random number generator. Instead, it uses the Random Number Generation (RNG) service provided by the bound Kernel Crypto API module, which implements a Deterministic Random Bit Generator (DRBG) based on [SP 800-90Ar1]. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 30

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 9.2 SSP Generation The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with [SP 800-133r2]. When random values are required, they are obtained from the [SP 800-90Ar1] approved DRBG, compliant with Section 4, example 1 of [SP 800-133r2]. The following methods are implemented:

7919 (TLS). Note that the module only implements key pair generation, key pair verification, and

shared secret computation. No other part of the IKE or TLS protocols is implemented (with the exception of the TLS 1.2 and 1.3 KDFs):

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 31

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. • ◦ MODP-4096 (ID = 16) ◦ MODP-6144 (ID = 17) ◦ MODP-8192 (ID =

  1. TLS (RFC 7919) ◦ ffdhe2048 (ID = 256) ◦ ffdhe3072 (ID = 257) ◦ ffdhe4096 (ID = 258) ◦ ffdhe6144 (ID = 259) ◦ ffdhe8192 (ID = 260) For Elliptic Curve Diffie-Hellman, the module supports the NIST-defined B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, and P-521 curves. According to FIPS 140-3 IG D.B, the key sizes of DH and ECDH shared secret computation provide 112-200 and 112-256 bits of security strength respectively in approve mode of operation. The module also supports the AES KW and AES KWP key wrapping mechanisms. These algorithms can be used to wrap SSPs with a security strength of 128, 192, or 256 bits, depending on the wrapping key size. 9.4 SSP entry/output The module only supports SSP entry and output to and from the calling application running on the same operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table
  2. There is no entry or output of cryptographically protected SSPs. SSPs can be entered into the module via API input parameters, when required by a service. SSPs can also be output from the module via API output parameters, immediately after generation of the SSP (see Section 9.2). 9.5 SSP storage SSPs are provided to the module by the calling application and are destroyed when released by the appropriate API function calls. The module does not perform persistent storage of SSPs. 9.6 SSP zeroization The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The operator application is responsible for calling the appropriate destruction functions provided in the module’s API. The destruction functions (listed in Table 9) overwrite the memory occupied by SSPs with zeroes and de-allocate the memory with the regular memory de-allocation operating system call. All data output is inhibited during zeroization.
1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 32
AlgorithmParametersConditionTypeTest

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

10 Self-Tests

The module performs the pre-operational self-test and CASTs automatically when the module is loaded into memory. Pre-operational self-test ensure that the module is not corrupted, and the CASTs ensure that the cryptographic algorithms work as expected. While the module is executing the pre-operational test and the CASTs, the module services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational self-test and the CASTs are completed successfully. After the pre-operational test and the CASTs succeed, the module becomes operational. If any of the pre-operational test or any of the CASTs fail an error message is returned, and the module transitions to the error state. All the self-tests are listed in Table 10, with the respective condition under which those tests are performed. Note that the pre-operational integrity test is only executed after all cryptographic algorithm self-tests (CASTs) executed successfully. Table 10

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 33
AlgorithmParametersConditionTypeTest

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. ANS X9.63 KDF SHA2-256 Initialization Cryptographic Algorithm Self-Test KAT key derivation SSH KDF SHA-1 Initialization Cryptographic Algorithm Self-Test KAT key derivation TLS 1.2 KDF SHA2-256 Initialization Cryptographic Algorithm Self-Test KAT key derivation TLS 1.3 KDF SHA2-256 Initialization Cryptographic Algorithm Self-Test KAT key derivation PBKDF2 SHA2-256 with 4096 iterations and 288-bit salt Initialization Cryptographic Algorithm Self-Test KAT passwordbased key derivation KAS-FFC-SSC ffdhe2048 Initialization Cryptographic Algorithm Self-Test KAT shared secret computation MODP-2048 Initialization Cryptographic Algorithm Self-Test KAT shared secret computation KAS-ECC-SSC P-256 Initialization Cryptographic Algorithm Self-Test KAT shared secret computation RSA PKCS#1 v1.5 with SHA2-256 and 2048-bit key Initialization Cryptographic Algorithm Self-Test KAT signature generation and verification ECDSA SHA2-256 and P-224, Initialization Cryptographic Algorithm Self-Test KAT signature generation and verification SHA2-256 and B-233 DH N/A DH key pair generation Pair-wise Consistency Section 5.6.2.1.42 pair-wise consistency RSA PKCS#1 v1.5 with SHA2-256 RSA key pair generation Pair-wise Consistency Sign/Verify pairwise consistency ECDSA SHA2-256 EC key pair generation Pair-wise Consistency Sign/Verify pairwise consistency Kernel Bound Module DRBG AES-128, AES-192 and AES-256 with and without PR Initialization Cryptographic Algorithm Self-Test KAT DRBG generation and reseed As mentioned in SP 800-56Ar3 section 5.6.2.1.4 - Owner Assurance of Pair-wise Consistency, the module recalculate the public key based on the private key and the domain parameters and then check if it matches the existing public key.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 34
AlgorithmParametersConditionTypeTest

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. HMAC-SHA1, HMAC-SHA2-256 and SHA2-512 with and without PR Health test per section 11.3 of 90A SHA1, SHA2-256 and SHA2-512 with and without PR

10.1 Pre-Operational Tests

The module performs pre-operational tests automatically when the module is powered on. The preoperational self-tests ensure that the module is not corrupted. The module transitions to the operational state only after the pre-operational self-tests are passed successfully. The types of pre-operational self-tests are described in the next sub-sections.

10.1.1 Pre-Operational Software Integrity Test

The integrity of the shared library component of the module is verified by comparing an HMAC SHA2256 value calculated at run time with the HMAC SHA2-256 value stored in the /etc/ssl/fipsmodule.cnf file that was computed at installation time. If the software integrity test fails, the module transitions to the error state (Section 10.3). As mentioned previously, the HMAC and SHA2-256 algorithms go through their respective CASTs before the software integrity test is performed.

10.2 Conditional Self-Tests
10.2.1 Cryptographic Algorithm Self-Tests

The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in Table 10. Data output through the data output interface is inhibited during the self-tests. If any of these tests fails, the module transitions to the error state (Section 10.3).

10.2.2 Conditional Pair-Wise Consistency Test

Upon generation of a DH, RSA or EC key pair, the module will perform a pair-wise consistency test (PCT) as shown in Table 10, which provides some assurance that the generated key pair is well formed. For DH key pairs, this test consists of the PCT described in Section 5.6.2.1.4 of [SP 800-56Ar3]. For RSA and EC key pairs, this test consists of a signature generation and a signature verification operation. If the test fails, the module transitions to the error state (Section 10.3).

10.3 Error States

If the module fails any of the self-tests, the module enters the error state. In the error state, the module immediately stops functioning and ends the application process. Consequently, the data output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running).

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 35
Error StateCause of ErrorStatus Indicator

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. Table 11 lists the error states and the status indicator values that explain the error that has occurred. Table 11 - Error States Software integrity test failure Module will not load CAST failure Module will not load PCT failure Module stops functioning

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 36

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

11 Life-cycle Assurance
11.1 Delivery and Operation
11.1.1 Module Installation

The binaries of the module are contained in the base Junos Evolved installation image. The Crypto Officer shall follow this Security Policy to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module.

11.1.2 End of Life Procedures

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory.

11.2 Crypto Office Guidance

In order to run in Approved mode, the module must be operated using the approved services, with their corresponding approved cryptographic algorithms provided in this Security Policy (see section 4.3). In addition, key sizes must comply with [SP 800-131Ar2].

11.2.1 Verification of the Module Installation

The operator is responsible to verify the correct installation of module which is already pre-installed on the image file (junos-evo-install-ptx-fixed-x86-64-22.4R2.11-S1-EVO.iso). The following steps are required:

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 37

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

11.2.2 AES GCM IV

When no IV is explicitly provided, the AES GCM IV generation is performed in compliance with Scenario 2 of IG C.H (Random IV). The AES-GCM IV is generated randomly internal to the module using the approved DRBG provided by the bound kernel. The DRBG seeds itself from the entropy source of the kernel. The GCM IV is 96 bits in length.

11.2.3 AES XTS

The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP 800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks that is 16MB of data. To meet the requirement in [FIPS140-3_IG] IG C.I, the module implements a check to ensure that the two AES keys used in XTS-AES algorithm are not identical.

11.2.4 Key Derivation using SP 800-132 PBKDF2

The module provides password-based key derivation (PBKDF2), compliant with [SP 800-132]. The module supports option 1a from section 5.4 of [SP 800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance to [SP 800-132] and FIPS IG D.N, the following requirements shall be met:

11.2.5 Compliance to SP 800-56Ar3 assurances

The module offers DH and ECDH shared secret computation services compliant to the [SP 800-56Ar3] and meeting IG D.F scenario 2 path (1). In order to meet the required assurances listed in section 5.6 of [SP 800-56Ar3], the module shall be used together with an application that implements the "TLS protocol" and the following steps shall be performed.

  1. The entity using the module, must use the module's "Key pair Generation" service for generating DH/ECDH ephemeral keys. This meets the assurances required by key pair owner defined in the section 5.6.2.1 of [SP 800-56Ar3].
  2. As part of the module's shared secret computation(SSC) service, the module internally performs the public key validation on the peer's public key passed in as input to the SSC function. This meets the public key validity assurance required by the sections 5.6.2.2.1/5.6.2.2.2 of [SP 800-56Ar3].
1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 38

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. 3. The module does not support static keys therefore the "assurance of peer's possession of private key" is not applicable.

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 39

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

12 Mitigation of Other Attacks

Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 40

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

13 Appendix B - Glossary and Abbreviations

AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Program Interface APT Advanced Package Tool CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter Mode CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HKDF HMAC-based Key Derivation Function HMAC Hash Message Authentication Code IKE Internet Key Exchange IG Implementation Guidance KAS Key Agreement Schema KAT Known Answer Test KBKDF Key-based Key Derivation Function KDF Key Derivation Function

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 41

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OAEP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PCT Pair-wise Consistency Test PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards PSS Probabilistic Signature Scheme RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SHS Secure Hash Standard SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with ciphertext Stealing

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 42

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc.

14 Appendix C - References

ANSI X9.422001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANSI X9.632001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program August 12, 2020 https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips 140-3/FIPS 140-3 IG.pdf FIPS 180-4 Secure Hash Standard (SHS) March 2012 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 197 Advanced Encryption Standard November 2001 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 43

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://tools.ietf.org/html/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38A Addendum NIST Special Publication 800-38A Addendum - Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode October 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38aadd.pdf SP 800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf SP 800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf SP 800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-38F

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf o +1 408 745 2000 f +1 408 745 2100

Page 44

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. SP 800-52 NIST Special Publication 800-52 Revision 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf SP 800-56Ar3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-56Cr2 NIST Special Publication 800-56C Revision 2 - Recommendation for KeyDerivation Methods in Key-Establishment Schemes August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP 800-57 NIST Special Publication 800-57 Part 1 Revision 5 - Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf SP 800-90Ar1 NIST Special Publication 800-90A - Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-108r1 NIST Special Publication 800-108r1 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf SP 800-131Ar2 NIST Special Publication 800-131A

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net o +1 408 745 2000 f +1 408 745 2100

Page 45

Junos® OS Evolved OpenSSL Cryptographic Module Version 3.0.8 Juniper Networks, Inc. SP 800-185

1133 Innovation Way

Sunnyvale, CA 94089 www.juniper.net NIST Special Publication 800-185 - SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash December 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf o +1 408 745 2000 f +1 408 745 2100

Referenced URLs