| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/2/2029 |
| Caveat | Interim validation. When operated in the approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy with module Junos® OS Evolved OpenSSL Cryptographic Module version 3.0.8 validated to FIPS 140-3 under Cert. #4775 operating in the approved mode. The module generates random strings whose strengths are modified by available entropy. |
| Vendor | Juniper Networks, Inc. |
flowchart LR
%% Deterministic review-risk graph for Junos® OS Evolved Kernel Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery<br/>upgrade</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>library named: openssl<br/>library named: nss</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Junos® OS Evolved Kernel Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery<br/>upgrade</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>library named: openssl<br/>library named: nss</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Juniper Networks, Inc. Junos OS Evolved Kernel Cryptographic Module Document Version: 1.1 Last update: 08-28-2024 Prepared by: Prepared for: atsec information security corporation Juniper Networks, Inc.
Austin, TX 78759 Sunnyvale, CA 94089 www.atsec.com www.juniper.net Juniper Networks, Inc. o +1 408 745 2000 1
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Table of Contents Juniper Networks, Inc. o +1 408 745 2000 2
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Juniper Networks, Inc. o +1 408 745 2000 3
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Juniper Networks, Inc. o +1 408 745 2000 4
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. List of Tables Table 2: Tested Module Identification
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.
This document is the non-proprietary FIPS 140-3 Security Policy for version 2.0 of the Junos OS Evolved Kernel Cryptographic Module module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.
In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Purpose and Use: The Junos OS Evolved Kernel Cryptographic Module (hereafter referred to as “the module”) is a software module running as part of the operating system kernel that provides general purpose cryptographic services. It is bound to the Junos OS Evolved OpenSSL Cryptographic Module Version 3.0.8 validated under FIPS certificate #4775 to check the integrity of its static kernel binary file. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the fips_chk_hmac binary, which verifies the integrity of the static kernel binary using the bound OpenSSL module HMAC service. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP) [O]: The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1: Block Diagram Juniper Networks, Inc. o +1 408 745 2000 7
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.
Tested Module Identification
There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.
Modes List and Description: Juniper Networks, Inc. o +1 408 745 2000 8
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Mode Description Type Status Indicator Name Approved Automatically entered Approved Equivalent to the indicator of mode whenever an approved the requested service as service is requested defined in Section 4.3 Non- Automatically entered Non- Equivalent to the indicator of approved whenever a non-approved Approved the requested service as mode service is requested defined in Section 4.3 Table 4: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. Mode Change Instructions and Status [O]: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description [O]: The module does not implement a degraded mode of operation.
Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A3599 - SP 800-38A AES-CMAC A3599 - SP 800-38B AES-CTR A3599 - SP 800-38A AES-ECB A3599 - SP 800-38A AES-XTS Testing Revision 2.0 A3599 - SP 800-38E Counter DRBG A3599 - SP 800-90A Rev. 1 Hash DRBG A3599 - SP 800-90A Rev. 1 HMAC DRBG A3599 - SP 800-90A Rev. 1 HMAC-SHA-1 A3599 - FIPS 198-1 HMAC-SHA2-224 A3599 - FIPS 198-1 HMAC-SHA2-256 A3599 - FIPS 198-1 HMAC-SHA2-384 A3599 - FIPS 198-1 HMAC-SHA2-512 A3599 - FIPS 198-1 SHA-1 A3599 - FIPS 180-4 SHA2-224 A3599 - FIPS 180-4 SHA2-256 A3599 - FIPS 180-4 SHA2-384 A3599 - FIPS 180-4 SHA2-512 A3599 - FIPS 180-4 AES-CBC A3600 - SP 800-38A AES-CTR A3600 - SP 800-38A AES-ECB A3600 - SP 800-38A Juniper Networks, Inc. o +1 408 745 2000 9
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm CAVP Cert Properties Reference AES-XTS Testing Revision 2.0 A3600 - SP 800-38E Counter DRBG A3600 - SP 800-90A Rev. 1 Hash DRBG A3600 - SP 800-90A Rev. 1 HMAC DRBG A3600 - SP 800-90A Rev. 1 AES-CBC A3601 - SP 800-38A AES-CMAC A3601 - SP 800-38B AES-CTR A3601 - SP 800-38A AES-ECB A3601 - SP 800-38A AES-XTS Testing Revision 2.0 A3601 - SP 800-38E Counter DRBG A3601 - SP 800-90A Rev. 1 Hash DRBG A3601 - SP 800-90A Rev. 1 HMAC DRBG A3601 - SP 800-90A Rev. 1 AES-CBC A3602 - SP 800-38A AES-CMAC A3602 - SP 800-38B AES-CTR A3602 - SP 800-38A AES-ECB A3602 - SP 800-38A AES-XTS Testing Revision 2.0 A3602 - SP 800-38E Counter DRBG A3602 - SP 800-90A Rev. 1 Hash DRBG A3603 - SP 800-90A Rev. 1 HMAC DRBG A3603 - SP 800-90A Rev. 1 HMAC-SHA-1 A3603 - FIPS 198-1 HMAC-SHA2-224 A3603 - FIPS 198-1 HMAC-SHA2-256 A3603 - FIPS 198-1 HMAC-SHA2-384 A3603 - FIPS 198-1 HMAC-SHA2-512 A3603 - FIPS 198-1 SHA-1 A3603 - FIPS 180-4 SHA2-224 A3603 - FIPS 180-4 SHA2-256 A3603 - FIPS 180-4 SHA2-384 A3603 - FIPS 180-4 SHA2-512 A3603 - FIPS 180-4 Hash DRBG A3604 - SP 800-90A Rev. 1 HMAC DRBG A3604 - SP 800-90A Rev. 1 HMAC-SHA-1 A3604 - FIPS 198-1 HMAC-SHA2-224 A3604 - FIPS 198-1 HMAC-SHA2-256 A3604 - FIPS 198-1 HMAC-SHA2-384 A3604 - FIPS 198-1 HMAC-SHA2-512 A3604 - FIPS 198-1 SHA-1 A3604 - FIPS 180-4 SHA2-224 A3604 - FIPS 180-4 SHA2-256 A3604 - FIPS 180-4 SHA2-384 A3604 - FIPS 180-4 SHA2-512 A3604 - FIPS 180-4 Hash DRBG A3605 - SP 800-90A Rev. 1 HMAC DRBG A3605 - SP 800-90A Rev. 1 HMAC-SHA-1 A3605 - FIPS 198-1 HMAC-SHA2-224 A3605 - FIPS 198-1 HMAC-SHA2-256 A3605 - FIPS 198-1 HMAC-SHA2-384 A3605 - FIPS 198-1 Juniper Networks, Inc. o +1 408 745 2000 10
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm CAVP Cert Properties Reference HMAC-SHA2-512 A3605 - FIPS 198-1 SHA-1 A3605 - FIPS 180-4 SHA2-224 A3605 - FIPS 180-4 SHA2-256 A3605 - FIPS 180-4 SHA2-384 A3605 - FIPS 180-4 SHA2-512 A3605 - FIPS 180-4 HMAC-SHA2-256 A4249 - FIPS 198-1 HMAC-SHA2-256 A4246 - FIPS 198-1 HMAC-SHA2-256 A4247 - FIPS 198-1 HMAC-SHA2-256 A4248 - FIPS 198-1 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES- Authenticated Encryption and Decryption GCM RSA RSA Encryption and Decryption primitives RSA RSA Signature Verification RSA Signature Generation and Signature Verification primitives with PKCS#1 v1.5 padding Table 6: Non-Approved, Not Allowed Algorithms
Name Type Description Properties Algorithms Symmetric BC-UnAuth Symmetric AES-CBC:128, AES-CBC encryption encryption 192, 256-bit AES-CBC keys with 128- AES-CBC
strength AES-CTR AES-CTR:128, AES-CTR 192, 256-bit AES-CTR keys with 128- AES-CTR
strength AES-ECB AES-ECB:128, AES-ECB Juniper Networks, Inc. o +1 408 745 2000 11
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms 192, 256-bit AES-ECB keys with 128- AES-XTS Testing
strength AES-XTS Testing AES-XTS Testing Revision 2.0 Revision AES-XTS Testing 2.0:128, 256-bit Revision 2.0 keys with 128, AES-XTS Testing
strength Message MAC Message AES-CMAC:128, AES-CMAC authentication authentication 192, 256-bit AES-CMAC keys with 128- AES-CMAC
strength HMAC-SHA-1 HMAC-SHA- HMAC-SHA-1 1:112-524288 HMAC-SHA-1 bit keys with HMAC-SHA2128-256 bits 224 key strength HMAC-SHA2HMAC-SHA2- 224 224:112-256 bit HMAC-SHA2keys with 128- 224
strength 224 HMAC-SHA2- HMAC-SHA2256:112-256 bit 256 keys with 128- HMAC-SHA2-
strength HMAC-SHA2HMAC-SHA2- 256 384:112-256 bit HMAC-SHA2keys with 128- 256
strength 384 HMAC-SHA2- HMAC-SHA2512:112-256 bit 384 keys with 128- HMAC-SHA2-
strength HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2Juniper Networks, Inc. o +1 408 745 2000 12
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms Random DRBG Random Counter Counter DRBG number number DRBG:128, 192, Counter DRBG generation generation 256 bits Counter DRBG HMAC Counter DRBG DRBG:128, 256 HMAC DRBG bits HMAC DRBG Hash HMAC DRBG DRBG:128, 256 HMAC DRBG bits HMAC DRBG HMAC DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Message digest SHA Message digest SHA-1:N/A SHA-1 SHA2-224:N/A SHA-1 SHA2-256:N/A SHA-1 SHA2-384:N/A SHA-1 SHA2-512:N/A SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 Symmetric BC-UnAuth Symmetric AES-CBC:128, AES-CBC decryption decryption 192, 256-bit AES-CBC keys with 128- AES-CBC
strength AES-CTR AES-CTR:128, AES-CTR 192, 256-bit AES-CTR keys with 128- AES-CTR
strength AES-ECB AES-ECB:128, AES-ECB 192, 256-bit AES-ECB keys with 128- AES-XTS Testing
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms strength AES-XTS Testing AES-XTS Testing Revision 2.0 Revision AES-XTS Testing 2.0:128, 256-bit Revision 2.0 keys with 128, AES-XTS Testing
strength Authenticated BC-Auth Encrypt and Key size(s):AES- AES-CBC encryption authenticate a CBC/AES-CTR: AES-CBC plaintext 128, 192, 256 AES-CBC bits with 128- AES-CBC
security AES-CTR strength; HMAC: AES-CTR 112-524288 bit AES-CTR keys with 128- HMAC-SHA-1
strength HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2Juniper Networks, Inc. o +1 408 745 2000 14
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms HMAC-SHA2Authenticated BC-Auth Decrypt and Key size(s):AES- AES-CBC decryption authenticate a CBC/AES-CTR: AES-CBC ciphertext 128, 192, 256 AES-CBC bits with 128- AES-CBC
security AES-CTR strength; HMAC: AES-CTR 112-524288 bit AES-CTR keys with 128- HMAC-SHA-1
strength HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2(OpenSSL) MAC HMAC-SHA2- Key Size:256-bit HMAC-SHA2Message 256 used in Key 256 authentication fips_chk_hmac HMAC-SHA2integrity check 256 Juniper Networks, Inc. o +1 408 745 2000 15
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms HMAC-SHA2HMAC-SHA2Table 7: Security Function Implementations
The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
Cert Vendor Name Number E50 Juniper Networks, Inc. Table 8: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample SP 800-90B Non- Junos OS Evolved 64 bits 59.76 Linear-Feedback compliant Physical version 22.4 on Juniper bits Shift Register ENT(NP) (ESV Networks® Packet (LFSR) cert. E50) Transport Router Model PTX10001-36MR Table 9: Entropy Sources The module employs the Deterministic Random Bit Generator (DRBG) based on [SP80090Arev1] for the random number generation. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The module obtains an entropy input string from the SP800-90B compliant ENT(NP), whose length depends on each DRBG mechanism, meeting the requirements of SP800-90Arev1 (128 to 384 bits). The module loads by default the DRBG using the HMAC_DRBG mechanism with SHA2-256 without prediction resistance. When instantiated, these DRBGs can be used to generate random numbers for external usage. The module uses the Kernel CPU Time Jitter RNG as an entropy source to seed the DRBG.
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. The module does not provide key generation.
The module does not provide key establishment.
The module does not claim cipher suites in compliance to industry protocols.
Physical Port Logical Data That Passes Interface(s) As a software-only module, the module Data Input API input parameters from does not have physical ports. Physical kernel system calls, AF_ALG ports are interpreted to be the physical type socket ports of the hardware platform on which it runs. As a software-only module, the module Data Output API output parameters from does not have physical ports. Physical kernel system calls, AF_ALG ports are interpreted to be the physical type socket ports of the hardware platform on which it runs. As a software-only module, the module Control Input API function calls, API input does not have physical ports. Physical parameters for control from ports are interpreted to be the physical kernel system calls, AF_ALG ports of the hardware platform on which type socket, kernel command it runs. line As a software-only module, the module Status API return codes, AF_ALG type does not have physical ports. Physical Output socket, kernel logs Ports are interpreted to be the physical ports of the hardware platform on which it runs. Table 10: Ports and Interfaces The logical interfaces are the API through which kernel components request services, and the AF_ALG type socket that allows the applications running in the user space to request cryptographic services from the module. These logical interfaces are logically separated from each other by the API design. Juniper Networks, Inc. o +1 408 745 2000 17
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.
The module does not implement a trusted channel.
The module does not implement a control output interface.
N/A for this module. The module does not implement authentication.
Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 11: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.
Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss Message Compute crypto_shash_init Message Digest Message Crypt digest SHA returns 0 value digest o hashes Office r Symmetric Perform crypto_skcipher_s AES key, Cipherte Symmetric Crypt encryption AES etkey returns 0 plaintext xt encryption o encryption Office r - AES key: W,E Juniper Networks, Inc. o +1 408 745 2000 18
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss Symmetric Perform crypto_skcipher_s AES key, Plaintext Symmetric Crypt decryption AES etkey returns 0 ciphertex decryption o decryption t Office r - AES key: W,E Random Generate crypto_rng_get_by Output Random Random Crypt number random tes returns 0 length bytes number o generation numbers generation Office r DRBG entro py input string : W,E DRBG seed: G,E DRBG intern al state (V, Key): G,W,E DRBG intern al state (V, C): G,W,E Message Compute crypto_shash_init AES: AES MAC tag Message Crypt authenticat HMAC/AES returns 0 key, authenticat o ion -based message ion Office CMAC ; HMAC: r HMAC - AES key, key: message W,E HMAC Juniper Networks, Inc. o +1 408 745 2000 19
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss key: W,E Authenticat Encrypt crypto_aead_setke AES key, Cipherte Authenticat Crypt ed and y returns 0 plaintext xt, MAC ed o encryption authentica tag encryption Office te a r plaintext - AES key: W,E HMAC key: W,E Authenticat Decrypt crypto_aead_setke AES key, Plaintext Authenticat Crypt ed and y returns 0 ciphertex or failure ed o decryption authentica t, MAC decryption Office te a tag r ciphertext - AES key: W,E HMAC key: W,E Error Compute None Message EDC None Crypt detection an EDC o code (crc32c, Office crct10dif) r Memory Copy None Source, Return None Crypt copy operation destinati codes o operation on, and/or Office offset, log r amount message s Generic Use the None Identifier Various None Crypt system call kernel to , various return o perform argumen values Office various ts r noncryptograp hic operations Show Return the None N/A Module None Crypt status module status o status Office r Self-tests Perform None N/A Pass/fail Symmetric Crypt the CASTs encryption
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss and the Message Office integrity authenticat r test ion Random number generation Message digest Symmetric decryption Authenticat ed encryption Authenticat ed decryption (OpenSSL) Message authenticat ion Zeroization Zeroize all None Any SSP N/A None Crypt SSPs
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss intern al state (V, C): Z DRBG seed: Z Show Return the None N/A Name None Crypt version module and o name and version Office version informati r on Table 12: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs:
Name Description Algorithms Role Authenticated encryption Perform AES-GCM encryption AES-GCM CO Authenticated decryption Perform AES-GCM decryption AES-GCM CO RSA encryption primitive Compute the raw RSA encryption of a RSA CO number RSA decryption primitive Compute the raw RSA decryption of a RSA CO number RSA signature generation Generate a digital signature for a pre- RSA CO primitive hashed message RSA signature verification Verify a digital signature for a pre- RSA CO primitive hashed message RSA signature verification Verify RSA-based signature RSA CO Table 13: Non-Approved Services
The module does not load external software or firmware.
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. The module does not implement a bypass capability.
The module does not implement a self-initiated cryptographic output capability.
The module verifies its integrity through the following mechanisms:
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests.
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Type of Operational Environment: Modifiable How Requirements are Satisfied [O]: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.
N/A for this module. The module is comprised of software only and therefore this section is not applicable.
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Temp/Voltage Temperature EFP Result Type or Voltage or EFT LowTemperature HighTemperature LowVoltage HighVoltage Table 14: EFP/EFT Information Not applicable.
Temperature Temperature Type LowTemperature HighTemperature Table 15: Hardness Testing Temperatures Not applicable.
This module does not implement any non-invasive security mechanism and therefore this section is not applicable.
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of Dynamic service execution. The module does not perform persistent storage of SSPs Table 16: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.
Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Operator Cryptographi Plaintex Manual Electroni parameter calling c module t c s applicatio n (TOEPP) AF_ALG Operator Cryptographi Plaintex Manual Electroni type calling c module t c sockets applicatio (input) n (TOEPP) Table 17: SSP Input-Output Methods
Zeroization Description Rationale Operator Initiation Method Wipe and Zeroizes the Memory occupied by By calling the cipher related Free memory SSPs SSPs is overwritten zeroization APIs: appropriate block contained with zeroes and then zeroization functions: AES key: allocated within the it is released, which crypto_free_skcipher and cipher handle. renders the SSP crypto_free_aead; HMAC key: values irretrievable. crypto_free_shash and The completion of the crypto_free_ahash; DRBG zeroization routine entropy input string, DRBG indicates that the seed, DRBG internal state: zeroization procedure crypto_free_rng succeeded. Module Reset De-allocates Volatile memory used By unloading and reloading the the volatile by the module is module memory used overwritten within to store SSPs nanoseconds when power is removed. Table 18: SSP Zeroization Methods All data output is inhibited during zeroization. Juniper Networks, Inc. o +1 408 745 2000 26
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.
Name Description Size - Type - Generate Establishe Used By Strength Categor d By d By y AES AES key used 128, 192, Symmetri Symmetric key for 256 bits - c key - encryption encryption, 128, 192, CSP Symmetric decryption, 256 bits decryption and Message computing authenticati MAC tags. on Authenticate d encryption Authenticate d decryption HMAC HMAC key 112-524288 Symmetri Message key used for: bits - 112- c key - authenticati Message 256 bits CSP on authenticatio Authenticate n, d encryption Authenticate Authenticate d encryption, d decryption Authenticate d decryption. DRBG DRBG 128-384 Entropy Random entrop entropy input bits - 119- Input - number y input used for: 358 bits CSP generation string Random number generation. Compliant with IG D.L. DRBG DRBG seed CTR_DRBG: Seed - Random Random seed derived from 128, 192, CSP number number entropy 256 bits; generatio generation input. Hash_DRBG n Compliant : 128, 256 with IG D.L. bits; HMAC_DRB G: 128, 256 bits CTR_DRBG: 128, 192,
Hash_DRBG : 128, 256 bits; HMAC_DRB Juniper Networks, Inc. o +1 408 745 2000 27
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Description Size - Type - Generate Establishe Used By Strength Categor d By d By y G: 128, 256 bits DRBG DRBG CTR_DRBG: Internal Random Random intern internal state 128, 192, state - number number al (V, Key) for 256 bits; CSP generatio generation state HMAC and HMAC_DRB n (V, CTR DRBG. G: 128, 256 Key) Compliant bits with IG D.L. CTR_DRBG: 128, 192,
HMAC_DRB G: 128, 256 bits DRBG DRBG Hash_DRBG Internal Random Random intern internal state : 128, 256 state - number number al (V, C) for bits - CSP generatio generation state Hash DRBG. Hash_DRBG n (V, C) Compliant : 128, 256 with IG D.L. bits Table 19: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input RAM:Plaintext Until cipher Wipe and Free parameters handled is memory block AF_ALG type freed or allocated sockets module Module Reset (input) powered off HMAC API input RAM:Plaintext Until cipher Wipe and Free key parameters handled is memory block AF_ALG type freed or allocated sockets module Module Reset (input) powered off DRBG RAM:Plaintext Until cipher Wipe and Free DRBG entropy handled is memory block seed:Derives input freed or allocated string module Module Reset powered off DRBG RAM:Plaintext Until cipher Wipe and Free DRBG entropy seed handled is memory block input freed or allocated string:Derived module Module Reset From powered off DRBG internal state (V, Key):Derives DRBG internal Juniper Networks, Inc. o +1 408 745 2000 28
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Input - Storage Storage Zeroization Related SSPs Output Duration state (V, C):Derives DRBG RAM:Plaintext Until cipher Wipe and Free DRBG internal handled is memory block seed:Derived state (V, freed or allocated From Key) module Module Reset powered off DRBG RAM:Plaintext Until cipher Wipe and Free DRBG internal handled is memory block seed:Derived state (V, freed or allocated From C) module Module Reset powered off Table 20: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes except signature verification, starting January 1, 2031.
Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-256 Authentication Integrity becomes static kernel (A4246) operational binary. and services are available for use. HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-256 Authentication Integrity becomes fips_chk_hmac. (A4246) operational and services are available for use. Table 21: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-256) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity Juniper Networks, Inc. o +1 408 745 2000 29
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.
Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA-1 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational SHA-1 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA-1 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-384 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA2-384 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational Juniper Networks, Inc. o +1 408 745 2000 30
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA2-384 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA2-384 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3599) message becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3603) message becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3604) message becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3605) message becomes digest initialization operational AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3599) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3600) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3601) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3602) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3599) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3600) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3601) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3602) 256 bit keys; becomes operation initialization operational Juniper Networks, Inc. o +1 408 745 2000 31
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type encrypt and decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3599) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3600) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3601) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3602) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational
(A3599) AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational
(A3600) AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational
(A3601) AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational
(A3602) AES-CMAC 128 and 256 KAT CAST Module Message Module (A3599) bit keys; becomes authentication initialization encrypt and operational decrypt AES-CMAC 128 and 256 KAT CAST Module Message Module (A3601) bit keys; becomes authentication initialization encrypt and operational decrypt AES-CMAC 128 and 256 KAT CAST Module Message Module (A3602) bit keys; becomes authentication initialization operational Juniper Networks, Inc. o +1 408 745 2000 32
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type encrypt and decrypt HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3599) keys operational HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3603) keys operational HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3604) keys operational HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3605) keys operational HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3599) 1048 bit operational keys HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3603) 1048 bit operational keys HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3604) 1048 bit operational keys HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3605) 1048 bit operational keys HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3599) bit keys operational HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3603) bit keys operational HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3604) bit keys operational HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3605) bit keys operational HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3599) 1048 bit operational keys HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3603) operational Juniper Networks, Inc. o +1 408 745 2000 33
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type
keys HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3604) 1048 bit operational keys HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3605) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3599) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3603) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3604) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3605) 1048 bit operational keys Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3599) With DF, operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3600) With DF, operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3601) With DF, operational With/without PR; Health Juniper Networks, Inc. o +1 408 745 2000 34
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type test per section 11.3 of SP 80090Arev1 Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3602) With DF, operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3599) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3600) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3601) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3603) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Juniper Networks, Inc. o +1 408 745 2000 35
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3604) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3605) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3599) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3600) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3601) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 Juniper Networks, Inc. o +1 408 745 2000 36
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3603) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3604) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3605) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 ENT (NP) 1024 RCT CAST Module Entropy source Entropy samples becomes start-up test source operational initialization and services are available for use. ENT (NP) 1024 APT CAST Module Entropy source Entropy samples becomes start-up test source operational initialization and services are Juniper Networks, Inc. o +1 408 745 2000 37
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. ENT (NP) Cutoff C = RCT CAST Entropy Entropy source Continuously
operational test ENT (NP) Cutoff C = APT CAST Entropy Entropy source Continuously
operational test HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4249) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4248) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4247) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4246) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. Table 22: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. Services are not available, and data output (via the data output interface) is inhibited during the conditional self-tests. If any of these tests fails, the module transitions to the Error State. Juniper Networks, Inc. o +1 408 745 2000 38
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.
Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually
HMAC-SHA2- Message SW/FW Integrity On demand Manually
Table 23: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A3599) KAT CAST On Demand Manually SHA-1 (A3603) KAT CAST On Demand Manually SHA-1 (A3604) KAT CAST On Demand Manually SHA-1 (A3605) KAT CAST On Demand Manually SHA2-224 KAT CAST On Demand Manually (A3599) SHA2-224 KAT CAST On Demand Manually (A3603) SHA2-224 KAT CAST On Demand Manually (A3604) SHA2-224 KAT CAST On Demand Manually (A3605) SHA2-256 KAT CAST On Demand Manually (A3599) SHA2-256 KAT CAST On Demand Manually (A3603) SHA2-256 KAT CAST On Demand Manually (A3604) SHA2-256 KAT CAST On Demand Manually (A3605) SHA2-384 KAT CAST On Demand Manually (A3599) SHA2-384 KAT CAST On Demand Manually (A3603) SHA2-384 KAT CAST On Demand Manually (A3604) SHA2-384 KAT CAST On Demand Manually (A3605) SHA2-512 KAT CAST On Demand Manually (A3599) SHA2-512 KAT CAST On Demand Manually (A3603) SHA2-512 KAT CAST On Demand Manually (A3604) SHA2-512 KAT CAST On Demand Manually (A3605) AES-ECB KAT CAST On Demand Manually (A3599) Juniper Networks, Inc. o +1 408 745 2000 39
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On Demand Manually (A3600) AES-ECB KAT CAST On Demand Manually (A3601) AES-ECB KAT CAST On Demand Manually (A3602) AES-CBC KAT CAST On Demand Manually (A3599) AES-CBC KAT CAST On Demand Manually (A3600) AES-CBC KAT CAST On Demand Manually (A3601) AES-CBC KAT CAST On Demand Manually (A3602) AES-CTR KAT CAST On Demand Manually (A3599) AES-CTR KAT CAST On Demand Manually (A3600) AES-CTR KAT CAST On Demand Manually (A3601) AES-CTR KAT CAST On Demand Manually (A3602) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3599) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3600) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3601) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3602) AES-CMAC KAT CAST On Demand Manually (A3599) AES-CMAC KAT CAST On Demand Manually (A3601) AES-CMAC KAT CAST On Demand Manually (A3602) HMAC-SHA-1 KAT CAST On Demand Manually (A3599) HMAC-SHA-1 KAT CAST On Demand Manually (A3603) HMAC-SHA-1 KAT CAST On Demand Manually (A3604) HMAC-SHA-1 KAT CAST On Demand Manually (A3605) Juniper Networks, Inc. o +1 408 745 2000 40
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
HMAC-SHA2- KAT CAST On Demand Manually
Counter DRBG KAT CAST On Demand Manually (A3599) Counter DRBG KAT CAST On Demand Manually (A3600) Counter DRBG KAT CAST On Demand Manually (A3601) Counter DRBG KAT CAST On Demand Manually (A3602) Hash DRBG KAT CAST On Demand Manually (A3599) Hash DRBG KAT CAST On Demand Manually (A3600) Hash DRBG KAT CAST On Demand Manually (A3601) Hash DRBG KAT CAST On Demand Manually (A3603) Juniper Networks, Inc. o +1 408 745 2000 41
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm or Test Method Test Type Period Periodic Test Method Hash DRBG KAT CAST On Demand Manually (A3604) Hash DRBG KAT CAST On Demand Manually (A3605) HMAC DRBG KAT CAST On Demand Manually (A3599) HMAC DRBG KAT CAST On Demand Manually (A3600) HMAC DRBG KAT CAST On Demand Manually (A3601) HMAC DRBG KAT CAST On Demand Manually (A3603) HMAC DRBG KAT CAST On Demand Manually (A3604) HMAC DRBG KAT CAST On Demand Manually (A3605) ENT (NP) RCT CAST On demand Manually ENT (NP) APT CAST On demand Manually ENT (NP) RCT CAST On demand Manually ENT (NP) APT CAST On demand Manually HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
HMAC-SHA2- KAT CAST On demand Manually
Table 24: Conditional Periodic Information
Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel State stops executing failure module Panic Table 25: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). The error can be recovered by a restart (i.e., powering off and powering on) of the module. Further details on how to recover from error state can be found in the evo-backup-snapshot documentation1.
1 URL: https://www.juniper.net/documentation/us/en/software/junos/junos-install-upgrade-
evo/topics/topic-map/evo-backup-snapshot.html Juniper Networks, Inc. o +1 408 745 2000 42
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.
All self-tests, with the exception of the continuous health tests, can be invoked on demand by unloading and subsequently re-initializing the module.
The module is pre-installed in the junos-evo-install-ptx-fixed-x86-64-22.4R2.11-S1-EVO.iso image. The procedures on how to mount and install the image are listed in the softwareinstall-and-upgrade-overview-evo documentation2. The Crypto Officer shall follow this Security Policy to configure the operational environment and to operate the module as a FIPS 140-3 validated module. To configure the operating environment to run in the approved mode, the following shall be performed with the root privilege:
In order to run in the Approved mode, the module must be operated using the approved services, with their corresponding approved and allowed cryptographic algorithms provided in this Security Policy. In addition, key sizes must comply with [SP800-131Ar2]. Once the OE is properly configured, the operator is responsible to verify that the installation and configuration is completed. For such purpose, the following command “cat /proc/sys/fips_version” must return: Junos OS Evolved Kernel Cryptographic Module 2.0
2 URL: https://www.juniper.net/documentation/us/en/software/junos/junos-install-upgrade-
evo/topics/concept/software-install-and-upgrade-overview-evo.html Juniper Networks, Inc. o +1 408 745 2000 43
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.
There is no non-administrator guidance.
Not applicable for this module.
There are no maintenance requirements.
As a first step for the secure sanitization, the module needs to be powered off which will erase the SSPs in the volatile memory. Then, the files listed related to the static kernel binary and fips_chk_hmac utility must be deleted using the command “shred -zu <file_name>”. Then, for the actual deprecation, the module will be upgraded to a newer version that is approved.
The module does not offer mitigation of other attacks and therefore this section is not applicable.
Not applicable. Juniper Networks, Inc. o +1 408 745 2000 44
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book ENT (NP) Non-physical Entropy Source FIPS Federal Information Processing Standards GCM Galois Counter Mode HMAC Keyed-Hash Message Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing Juniper Networks, Inc. o +1 408 745 2000 45
Sunnyvale, CA 94089 www.juniper.net
Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800- Transitioning the Use of Cryptographic Algorithms and Key 131Ar2 Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf Juniper Networks, Inc. o +1 408 745 2000 46
Sunnyvale, CA 94089 www.juniper.net