All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Junos® OS Evolved Kernel Cryptographic Module

Certificate#4776StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc.
High review priority  ·  exposes kernel crypto consumer  ·  Linux kernel upstream has published 10212 CVEs since this module's initial validation  ·  last validated 22 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date9/2/2029
CaveatInterim validation. When operated in the approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy with module Junos® OS Evolved OpenSSL Cryptographic Module version 3.0.8 validated to FIPS 140-3 under Cert. #4775 operating in the approved mode. The module generates random strings whose strengths are modified by available entropy.
VendorJuniper Networks, Inc.

Approved Algorithms (75)

AlgorithmACVP Cert
AES-CBCA3599
AES-CBCA3600
AES-CBCA3601
AES-CBCA3602
AES-CMACA3599
AES-CMACA3601
AES-CMACA3602
AES-CTRA3599
AES-CTRA3600
AES-CTRA3601
AES-CTRA3602
AES-ECBA3599
AES-ECBA3600
AES-ECBA3601
AES-ECBA3602
AES-XTS Testing Revision 2.0A3599
AES-XTS Testing Revision 2.0A3600
AES-XTS Testing Revision 2.0A3601
AES-XTS Testing Revision 2.0A3602
Counter DRBGA3599
Counter DRBGA3600
Counter DRBGA3601
Counter DRBGA3602
Hash DRBGA3599
Hash DRBGA3600
Hash DRBGA3601
Hash DRBGA3603
Hash DRBGA3604
Hash DRBGA3605
HMAC DRBGA3599
HMAC DRBGA3600
HMAC DRBGA3601
HMAC DRBGA3603
HMAC DRBGA3604
HMAC DRBGA3605
HMAC-SHA-1A3599
HMAC-SHA-1A3603
HMAC-SHA-1A3604
HMAC-SHA-1A3605
HMAC-SHA2-224A3599
HMAC-SHA2-224A3603
HMAC-SHA2-224A3604
HMAC-SHA2-224A3605
HMAC-SHA2-256A3599
HMAC-SHA2-256A3603
HMAC-SHA2-256A3604
HMAC-SHA2-256A3605
HMAC-SHA2-384A3599
HMAC-SHA2-384A3603
HMAC-SHA2-384A3604
HMAC-SHA2-384A3605
HMAC-SHA2-512A3599
HMAC-SHA2-512A3603
HMAC-SHA2-512A3604
HMAC-SHA2-512A3605
SHA-1A3599
SHA-1A3603
SHA-1A3604
SHA-1A3605
SHA2-224A3599
SHA2-224A3603
SHA2-224A3604
SHA2-224A3605
SHA2-256A3599
SHA2-256A3603
SHA2-256A3604
SHA2-256A3605
SHA2-384A3599
SHA2-384A3603
SHA2-384A3604
SHA2-384A3605
SHA2-512A3599
SHA2-512A3603
SHA2-512A3604
SHA2-512A3605

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Junos® OS Evolved Kernel Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>Recovery<br/>upgrade</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>library named: openssl<br/>library named: nss</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Junos® OS Evolved Kernel Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>Recovery<br/>upgrade</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>library named: openssl<br/>library named: nss</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Juniper Networks, Inc. Junos OS Evolved Kernel Cryptographic Module Document Version: 1.1 Last update: 08-28-2024 Prepared by: Prepared for: atsec information security corporation Juniper Networks, Inc.

4516 Seton Center Pkwy, Suite 250 1133 Innovation Way

Austin, TX 78759 Sunnyvale, CA 94089 www.atsec.com www.juniper.net Juniper Networks, Inc. o +1 408 745 2000 1

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 2

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Table of Contents Juniper Networks, Inc. o +1 408 745 2000 2

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 3

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Juniper Networks, Inc. o +1 408 745 2000 3

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 4

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Juniper Networks, Inc. o +1 408 745 2000 4

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 5

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. List of Tables Table 2: Tested Module Identification

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 6

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.

1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 2.0 of the Junos OS Evolved Kernel Cryptographic Module module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. intact and including this notice. Other documentation is proprietary to their authors.

1.1.1 How this Security Policy was prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels
1 1
2 1
3 1
4 1
5 1
6 1
7 N/A
8 N/A
9 1
10 1
11 1
12 N/A
1.3 Additional Information [O]
2 Cryptographic Module Specification
2.1 Description
1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 7

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Purpose and Use: The Junos OS Evolved Kernel Cryptographic Module (hereafter referred to as “the module”) is a software module running as part of the operating system kernel that provides general purpose cryptographic services. It is bound to the Junos OS Evolved OpenSSL Cryptographic Module Version 3.0.8 validated under FIPS certificate #4775 to check the integrity of its static kernel binary file. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the module is defined as the kernel binary and the fips_chk_hmac binary, which verifies the integrity of the static kernel binary using the bound OpenSSL module HMAC service. In addition, the cryptographic boundary contains the .hmac files which store the expected integrity values for each of the software components. Tested Operational Environment’s Physical Perimeter (TOEPP) [O]: The TOEPP of the module is defined as the general-purpose computer on which the module is installed. Figure 1: Block Diagram Juniper Networks, Inc. o +1 408 745 2000 7

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 8

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Juniper Networks, Inc. o +1 408 745 2000 8

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 9

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Mode Description Type Status Indicator Name Approved Automatically entered Approved Equivalent to the indicator of mode whenever an approved the requested service as service is requested defined in Section 4.3 Non- Automatically entered Non- Equivalent to the indicator of approved whenever a non-approved Approved the requested service as mode service is requested defined in Section 4.3 Table 4: Modes List and Description After passing all pre-operational self-tests and cryptographic algorithm self-tests executed on start-up, the module automatically transitions to the approved mode. Mode Change Instructions and Status [O]: The module automatically switches between the approved and non-approved modes depending on the services requested by the operator. The status indicator of the mode of operation is equivalent to the indicator of the service that was requested. Degraded Mode Description [O]: The module does not implement a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Cert Properties Reference AES-CBC A3599 - SP 800-38A AES-CMAC A3599 - SP 800-38B AES-CTR A3599 - SP 800-38A AES-ECB A3599 - SP 800-38A AES-XTS Testing Revision 2.0 A3599 - SP 800-38E Counter DRBG A3599 - SP 800-90A Rev. 1 Hash DRBG A3599 - SP 800-90A Rev. 1 HMAC DRBG A3599 - SP 800-90A Rev. 1 HMAC-SHA-1 A3599 - FIPS 198-1 HMAC-SHA2-224 A3599 - FIPS 198-1 HMAC-SHA2-256 A3599 - FIPS 198-1 HMAC-SHA2-384 A3599 - FIPS 198-1 HMAC-SHA2-512 A3599 - FIPS 198-1 SHA-1 A3599 - FIPS 180-4 SHA2-224 A3599 - FIPS 180-4 SHA2-256 A3599 - FIPS 180-4 SHA2-384 A3599 - FIPS 180-4 SHA2-512 A3599 - FIPS 180-4 AES-CBC A3600 - SP 800-38A AES-CTR A3600 - SP 800-38A AES-ECB A3600 - SP 800-38A Juniper Networks, Inc. o +1 408 745 2000 9

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 10

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm CAVP Cert Properties Reference AES-XTS Testing Revision 2.0 A3600 - SP 800-38E Counter DRBG A3600 - SP 800-90A Rev. 1 Hash DRBG A3600 - SP 800-90A Rev. 1 HMAC DRBG A3600 - SP 800-90A Rev. 1 AES-CBC A3601 - SP 800-38A AES-CMAC A3601 - SP 800-38B AES-CTR A3601 - SP 800-38A AES-ECB A3601 - SP 800-38A AES-XTS Testing Revision 2.0 A3601 - SP 800-38E Counter DRBG A3601 - SP 800-90A Rev. 1 Hash DRBG A3601 - SP 800-90A Rev. 1 HMAC DRBG A3601 - SP 800-90A Rev. 1 AES-CBC A3602 - SP 800-38A AES-CMAC A3602 - SP 800-38B AES-CTR A3602 - SP 800-38A AES-ECB A3602 - SP 800-38A AES-XTS Testing Revision 2.0 A3602 - SP 800-38E Counter DRBG A3602 - SP 800-90A Rev. 1 Hash DRBG A3603 - SP 800-90A Rev. 1 HMAC DRBG A3603 - SP 800-90A Rev. 1 HMAC-SHA-1 A3603 - FIPS 198-1 HMAC-SHA2-224 A3603 - FIPS 198-1 HMAC-SHA2-256 A3603 - FIPS 198-1 HMAC-SHA2-384 A3603 - FIPS 198-1 HMAC-SHA2-512 A3603 - FIPS 198-1 SHA-1 A3603 - FIPS 180-4 SHA2-224 A3603 - FIPS 180-4 SHA2-256 A3603 - FIPS 180-4 SHA2-384 A3603 - FIPS 180-4 SHA2-512 A3603 - FIPS 180-4 Hash DRBG A3604 - SP 800-90A Rev. 1 HMAC DRBG A3604 - SP 800-90A Rev. 1 HMAC-SHA-1 A3604 - FIPS 198-1 HMAC-SHA2-224 A3604 - FIPS 198-1 HMAC-SHA2-256 A3604 - FIPS 198-1 HMAC-SHA2-384 A3604 - FIPS 198-1 HMAC-SHA2-512 A3604 - FIPS 198-1 SHA-1 A3604 - FIPS 180-4 SHA2-224 A3604 - FIPS 180-4 SHA2-256 A3604 - FIPS 180-4 SHA2-384 A3604 - FIPS 180-4 SHA2-512 A3604 - FIPS 180-4 Hash DRBG A3605 - SP 800-90A Rev. 1 HMAC DRBG A3605 - SP 800-90A Rev. 1 HMAC-SHA-1 A3605 - FIPS 198-1 HMAC-SHA2-224 A3605 - FIPS 198-1 HMAC-SHA2-256 A3605 - FIPS 198-1 HMAC-SHA2-384 A3605 - FIPS 198-1 Juniper Networks, Inc. o +1 408 745 2000 10

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 11

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm CAVP Cert Properties Reference HMAC-SHA2-512 A3605 - FIPS 198-1 SHA-1 A3605 - FIPS 180-4 SHA2-224 A3605 - FIPS 180-4 SHA2-256 A3605 - FIPS 180-4 SHA2-384 A3605 - FIPS 180-4 SHA2-512 A3605 - FIPS 180-4 HMAC-SHA2-256 A4249 - FIPS 198-1 HMAC-SHA2-256 A4246 - FIPS 198-1 HMAC-SHA2-256 A4247 - FIPS 198-1 HMAC-SHA2-256 A4248 - FIPS 198-1 Table 5: Approved Algorithms Vendor-Affirmed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: Name Use and Function AES- Authenticated Encryption and Decryption GCM RSA RSA Encryption and Decryption primitives RSA RSA Signature Verification RSA Signature Generation and Signature Verification primitives with PKCS#1 v1.5 padding Table 6: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Symmetric BC-UnAuth Symmetric AES-CBC:128, AES-CBC encryption encryption 192, 256-bit AES-CBC keys with 128- AES-CBC

256 bits key AES-CBC

strength AES-CTR AES-CTR:128, AES-CTR 192, 256-bit AES-CTR keys with 128- AES-CTR

256 bits key AES-ECB

strength AES-ECB AES-ECB:128, AES-ECB Juniper Networks, Inc. o +1 408 745 2000 11

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 12

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms 192, 256-bit AES-ECB keys with 128- AES-XTS Testing

256 bits key Revision 2.0

strength AES-XTS Testing AES-XTS Testing Revision 2.0 Revision AES-XTS Testing 2.0:128, 256-bit Revision 2.0 keys with 128, AES-XTS Testing

256 bits key Revision 2.0

strength Message MAC Message AES-CMAC:128, AES-CMAC authentication authentication 192, 256-bit AES-CMAC keys with 128- AES-CMAC

256 bits key HMAC-SHA-1

strength HMAC-SHA-1 HMAC-SHA- HMAC-SHA-1 1:112-524288 HMAC-SHA-1 bit keys with HMAC-SHA2128-256 bits 224 key strength HMAC-SHA2HMAC-SHA2- 224 224:112-256 bit HMAC-SHA2keys with 128- 224

256 bits key HMAC-SHA2-

strength 224 HMAC-SHA2- HMAC-SHA2256:112-256 bit 256 keys with 128- HMAC-SHA2-

256 bits key 256

strength HMAC-SHA2HMAC-SHA2- 256 384:112-256 bit HMAC-SHA2keys with 128- 256

256 bits key HMAC-SHA2-

strength 384 HMAC-SHA2- HMAC-SHA2512:112-256 bit 384 keys with 128- HMAC-SHA2-

256 bits key 384

strength HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2Juniper Networks, Inc. o +1 408 745 2000 12

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 13

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms Random DRBG Random Counter Counter DRBG number number DRBG:128, 192, Counter DRBG generation generation 256 bits Counter DRBG HMAC Counter DRBG DRBG:128, 256 HMAC DRBG bits HMAC DRBG Hash HMAC DRBG DRBG:128, 256 HMAC DRBG bits HMAC DRBG HMAC DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Hash DRBG Message digest SHA Message digest SHA-1:N/A SHA-1 SHA2-224:N/A SHA-1 SHA2-256:N/A SHA-1 SHA2-384:N/A SHA-1 SHA2-512:N/A SHA2-224 SHA2-224 SHA2-224 SHA2-224 SHA2-256 SHA2-256 SHA2-256 SHA2-256 SHA2-384 SHA2-384 SHA2-384 SHA2-384 SHA2-512 SHA2-512 SHA2-512 SHA2-512 Symmetric BC-UnAuth Symmetric AES-CBC:128, AES-CBC decryption decryption 192, 256-bit AES-CBC keys with 128- AES-CBC

256 bits key AES-CBC

strength AES-CTR AES-CTR:128, AES-CTR 192, 256-bit AES-CTR keys with 128- AES-CTR

256 bits key AES-ECB

strength AES-ECB AES-ECB:128, AES-ECB 192, 256-bit AES-ECB keys with 128- AES-XTS Testing

256 bits key Revision 2.0
1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 14

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms strength AES-XTS Testing AES-XTS Testing Revision 2.0 Revision AES-XTS Testing 2.0:128, 256-bit Revision 2.0 keys with 128, AES-XTS Testing

256 bits key Revision 2.0

strength Authenticated BC-Auth Encrypt and Key size(s):AES- AES-CBC encryption authenticate a CBC/AES-CTR: AES-CBC plaintext 128, 192, 256 AES-CBC bits with 128- AES-CBC

256 bits of AES-CTR

security AES-CTR strength; HMAC: AES-CTR 112-524288 bit AES-CTR keys with 128- HMAC-SHA-1

256 bits key HMAC-SHA-1

strength HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2Juniper Networks, Inc. o +1 408 745 2000 14

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 15

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms HMAC-SHA2Authenticated BC-Auth Decrypt and Key size(s):AES- AES-CBC decryption authenticate a CBC/AES-CTR: AES-CBC ciphertext 128, 192, 256 AES-CBC bits with 128- AES-CBC

256 bits of AES-CTR

security AES-CTR strength; HMAC: AES-CTR 112-524288 bit AES-CTR keys with 128- HMAC-SHA-1

256 bits key HMAC-SHA-1

strength HMAC-SHA-1 HMAC-SHA-1 HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2HMAC-SHA2(OpenSSL) MAC HMAC-SHA2- Key Size:256-bit HMAC-SHA2Message 256 used in Key 256 authentication fips_chk_hmac HMAC-SHA2integrity check 256 Juniper Networks, Inc. o +1 408 745 2000 15

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 16

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Type Description Properties Algorithms HMAC-SHA2HMAC-SHA2Table 7: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.8 RBG and Entropy

Cert Vendor Name Number E50 Juniper Networks, Inc. Table 8: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample SP 800-90B Non- Junos OS Evolved 64 bits 59.76 Linear-Feedback compliant Physical version 22.4 on Juniper bits Shift Register ENT(NP) (ESV Networks® Packet (LFSR) cert. E50) Transport Router Model PTX10001-36MR Table 9: Entropy Sources The module employs the Deterministic Random Bit Generator (DRBG) based on [SP80090Arev1] for the random number generation. The DRBG supports the Hash_DRBG, HMAC_DRBG and CTR_DRBG mechanisms. The module obtains an entropy input string from the SP800-90B compliant ENT(NP), whose length depends on each DRBG mechanism, meeting the requirements of SP800-90Arev1 (128 to 384 bits). The module loads by default the DRBG using the HMAC_DRBG mechanism with SHA2-256 without prediction resistance. When instantiated, these DRBGs can be used to generate random numbers for external usage. The module uses the Kernel CPU Time Jitter RNG as an entropy source to seed the DRBG.

2.9 Key Generation
1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 17

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. The module does not provide key generation.

2.10 Key Establishment

The module does not provide key establishment.

2.11 Industry Protocols

The module does not claim cipher suites in compliance to industry protocols.

2.12 Additional Information [O]
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Port Logical Data That Passes Interface(s) As a software-only module, the module Data Input API input parameters from does not have physical ports. Physical kernel system calls, AF_ALG ports are interpreted to be the physical type socket ports of the hardware platform on which it runs. As a software-only module, the module Data Output API output parameters from does not have physical ports. Physical kernel system calls, AF_ALG ports are interpreted to be the physical type socket ports of the hardware platform on which it runs. As a software-only module, the module Control Input API function calls, API input does not have physical ports. Physical parameters for control from ports are interpreted to be the physical kernel system calls, AF_ALG ports of the hardware platform on which type socket, kernel command it runs. line As a software-only module, the module Status API return codes, AF_ALG type does not have physical ports. Physical Output socket, kernel logs Ports are interpreted to be the physical ports of the hardware platform on which it runs. Table 10: Ports and Interfaces The logical interfaces are the API through which kernel components request services, and the AF_ALG type socket that allows the applications running in the user space to request cryptographic services from the module. These logical interfaces are logically separated from each other by the API design. Juniper Networks, Inc. o +1 408 745 2000 17

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 18

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.

3.2 Trusted Channel Specification [O]

The module does not implement a trusted channel.

3.3 Control Interface Not Inhibited [O]

The module does not implement a control output interface.

3.4 Additional Information [O]
4 Roles, Services, and Authentication
4.1 Authentication Methods

N/A for this module. The module does not implement authentication.

4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 11: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. No support is provided for multiple concurrent operators.

4.3 Approved Services

Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss Message Compute crypto_shash_init Message Digest Message Crypt digest SHA returns 0 value digest o hashes Office r Symmetric Perform crypto_skcipher_s AES key, Cipherte Symmetric Crypt encryption AES etkey returns 0 plaintext xt encryption o encryption Office r - AES key: W,E Juniper Networks, Inc. o +1 408 745 2000 18

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 19

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss Symmetric Perform crypto_skcipher_s AES key, Plaintext Symmetric Crypt decryption AES etkey returns 0 ciphertex decryption o decryption t Office r - AES key: W,E Random Generate crypto_rng_get_by Output Random Random Crypt number random tes returns 0 length bytes number o generation numbers generation Office r DRBG entro py input string : W,E DRBG seed: G,E DRBG intern al state (V, Key): G,W,E DRBG intern al state (V, C): G,W,E Message Compute crypto_shash_init AES: AES MAC tag Message Crypt authenticat HMAC/AES returns 0 key, authenticat o ion -based message ion Office CMAC ; HMAC: r HMAC - AES key, key: message W,E HMAC Juniper Networks, Inc. o +1 408 745 2000 19

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 20

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss key: W,E Authenticat Encrypt crypto_aead_setke AES key, Cipherte Authenticat Crypt ed and y returns 0 plaintext xt, MAC ed o encryption authentica tag encryption Office te a r plaintext - AES key: W,E HMAC key: W,E Authenticat Decrypt crypto_aead_setke AES key, Plaintext Authenticat Crypt ed and y returns 0 ciphertex or failure ed o decryption authentica t, MAC decryption Office te a tag r ciphertext - AES key: W,E HMAC key: W,E Error Compute None Message EDC None Crypt detection an EDC o code (crc32c, Office crct10dif) r Memory Copy None Source, Return None Crypt copy operation destinati codes o operation on, and/or Office offset, log r amount message s Generic Use the None Identifier Various None Crypt system call kernel to , various return o perform argumen values Office various ts r noncryptograp hic operations Show Return the None N/A Module None Crypt status module status o status Office r Self-tests Perform None N/A Pass/fail Symmetric Crypt the CASTs encryption

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 21

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss and the Message Office integrity authenticat r test ion Random number generation Message digest Symmetric decryption Authenticat ed encryption Authenticat ed decryption (OpenSSL) Message authenticat ion Zeroization Zeroize all None Any SSP N/A None Crypt SSPs

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 22

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Descripti Indicator Inputs Outputs Security SSP on Functions Acce ss intern al state (V, C): Z DRBG seed: Z Show Return the None N/A Name None Crypt version module and o name and version Office version informati r on Table 12: Approved Services The table above lists the approved services. The following convention is used to specify access rights to SSPs:

4.4 Non-Approved Services

Name Description Algorithms Role Authenticated encryption Perform AES-GCM encryption AES-GCM CO Authenticated decryption Perform AES-GCM decryption AES-GCM CO RSA encryption primitive Compute the raw RSA encryption of a RSA CO number RSA decryption primitive Compute the raw RSA decryption of a RSA CO number RSA signature generation Generate a digital signature for a pre- RSA CO primitive hashed message RSA signature verification Verify a digital signature for a pre- RSA CO primitive hashed message RSA signature verification Verify RSA-based signature RSA CO Table 13: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not load external software or firmware.

4.6 Bypass Actions and Status [O]
1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 23

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. The module does not implement a bypass capability.

4.7 Cryptographic Output Actions and Status [O]

The module does not implement a self-initiated cryptographic output capability.

4.8 Additional Information [O]
5 Software/Firmware Security
5.1 Integrity Techniques

The module verifies its integrity through the following mechanisms:

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module, which will perform (among others) the software integrity tests.

5.3 Open-Source Parameters [O]
5.4 Additional Information [O]
6 Operational Environment
6.1 Operational Environment Type and Requirements
1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 24

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Type of Operational Environment: Modifiable How Requirements are Satisfied [O]: The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions [O]

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environments. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment.

6.3 Additional Information [O]
7 Physical Security
7.1 Mechanisms and Actions Required [O]

N/A for this module. The module is comprised of software only and therefore this section is not applicable.

7.2 User Placed Tamper Seals [O]
7.3 Filler Panels [O]
7.4 Fault Induction Mitigation [O]
7.5 EFP/EFT Information [O]
1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 25

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Temp/Voltage Temperature EFP Result Type or Voltage or EFT LowTemperature HighTemperature LowVoltage HighVoltage Table 14: EFP/EFT Information Not applicable.

7.6 Hardness Testing Temperature Ranges [O]

Temperature Temperature Type LowTemperature HighTemperature Table 15: Hardness Testing Temperatures Not applicable.

7.7 Additional Information [O]
8 Non-Invasive Security
8.1 Mitigation Techniques [O]

This module does not implement any non-invasive security mechanism and therefore this section is not applicable.

8.2 Effectiveness [O]
8.3 Additional Information [O]
9 Sensitive Security Parameters Management
9.1 Storage Areas
1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 26

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of Dynamic service execution. The module does not perform persistent storage of SSPs Table 16: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distributio Entry SFI or Type n Type Type Algorith m API input Operator Cryptographi Plaintex Manual Electroni parameter calling c module t c s applicatio n (TOEPP) AF_ALG Operator Cryptographi Plaintex Manual Electroni type calling c module t c sockets applicatio (input) n (TOEPP) Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Wipe and Zeroizes the Memory occupied by By calling the cipher related Free memory SSPs SSPs is overwritten zeroization APIs: appropriate block contained with zeroes and then zeroization functions: AES key: allocated within the it is released, which crypto_free_skcipher and cipher handle. renders the SSP crypto_free_aead; HMAC key: values irretrievable. crypto_free_shash and The completion of the crypto_free_ahash; DRBG zeroization routine entropy input string, DRBG indicates that the seed, DRBG internal state: zeroization procedure crypto_free_rng succeeded. Module Reset De-allocates Volatile memory used By unloading and reloading the the volatile by the module is module memory used overwritten within to store SSPs nanoseconds when power is removed. Table 18: SSP Zeroization Methods All data output is inhibited during zeroization. Juniper Networks, Inc. o +1 408 745 2000 26

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 27

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.

9.4 SSPs

Name Description Size - Type - Generate Establishe Used By Strength Categor d By d By y AES AES key used 128, 192, Symmetri Symmetric key for 256 bits - c key - encryption encryption, 128, 192, CSP Symmetric decryption, 256 bits decryption and Message computing authenticati MAC tags. on Authenticate d encryption Authenticate d decryption HMAC HMAC key 112-524288 Symmetri Message key used for: bits - 112- c key - authenticati Message 256 bits CSP on authenticatio Authenticate n, d encryption Authenticate Authenticate d encryption, d decryption Authenticate d decryption. DRBG DRBG 128-384 Entropy Random entrop entropy input bits - 119- Input - number y input used for: 358 bits CSP generation string Random number generation. Compliant with IG D.L. DRBG DRBG seed CTR_DRBG: Seed - Random Random seed derived from 128, 192, CSP number number entropy 256 bits; generatio generation input. Hash_DRBG n Compliant : 128, 256 with IG D.L. bits; HMAC_DRB G: 128, 256 bits CTR_DRBG: 128, 192,

256 bits;

Hash_DRBG : 128, 256 bits; HMAC_DRB Juniper Networks, Inc. o +1 408 745 2000 27

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 28

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Description Size - Type - Generate Establishe Used By Strength Categor d By d By y G: 128, 256 bits DRBG DRBG CTR_DRBG: Internal Random Random intern internal state 128, 192, state - number number al (V, Key) for 256 bits; CSP generatio generation state HMAC and HMAC_DRB n (V, CTR DRBG. G: 128, 256 Key) Compliant bits with IG D.L. CTR_DRBG: 128, 192,

256 bits;

HMAC_DRB G: 128, 256 bits DRBG DRBG Hash_DRBG Internal Random Random intern internal state : 128, 256 state - number number al (V, C) for bits - CSP generatio generation state Hash DRBG. Hash_DRBG n (V, C) Compliant : 128, 256 with IG D.L. bits Table 19: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input RAM:Plaintext Until cipher Wipe and Free parameters handled is memory block AF_ALG type freed or allocated sockets module Module Reset (input) powered off HMAC API input RAM:Plaintext Until cipher Wipe and Free key parameters handled is memory block AF_ALG type freed or allocated sockets module Module Reset (input) powered off DRBG RAM:Plaintext Until cipher Wipe and Free DRBG entropy handled is memory block seed:Derives input freed or allocated string module Module Reset powered off DRBG RAM:Plaintext Until cipher Wipe and Free DRBG entropy seed handled is memory block input freed or allocated string:Derived module Module Reset From powered off DRBG internal state (V, Key):Derives DRBG internal Juniper Networks, Inc. o +1 408 745 2000 28

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 29

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Name Input - Storage Storage Zeroization Related SSPs Output Duration state (V, C):Derives DRBG RAM:Plaintext Until cipher Wipe and Free DRBG internal handled is memory block seed:Derived state (V, freed or allocated From Key) module Module Reset powered off DRBG RAM:Plaintext Until cipher Wipe and Free DRBG internal handled is memory block seed:Derived state (V, freed or allocated From C) module Module Reset powered off Table 20: SSP Table 2

9.5 Transitions [O]

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes except signature verification, starting January 1, 2031.

9.6 Additional Information [O]
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm Test Test Method Test Indicator Details or Test Properties Type HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-256 Authentication Integrity becomes static kernel (A4246) operational binary. and services are available for use. HMAC- 128-bit key Message SW/FW Module Integrity test for SHA2-256 Authentication Integrity becomes fips_chk_hmac. (A4246) operational and services are available for use. Table 21: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions into the operational state. The algorithms used for the integrity test (i.e., HMAC-SHA2-256) run their CASTs before the integrity test is performed. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the pre-operational software integrity Juniper Networks, Inc. o +1 408 745 2000 29

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 30

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. self-tests are successfully completed. The module transitions to the operational state only after the pre-operational self-tests are passed successfully.

10.2 Conditional Self-Tests

Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA-1 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA-1 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational SHA-1 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA-1 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA2-224 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA2-256 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-384 0-8184 bit KAT CAST Module Message Module (A3599) messages becomes digest initialization operational SHA2-384 0-8184 bit KAT CAST Module Message Module (A3603) messages becomes digest initialization operational Juniper Networks, Inc. o +1 408 745 2000 30

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 31

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type SHA2-384 0-8184 bit KAT CAST Module Message Module (A3604) messages becomes digest initialization operational SHA2-384 0-8184 bit KAT CAST Module Message Module (A3605) messages becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3599) message becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3603) message becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3604) message becomes digest initialization operational SHA2-512 0-8184 bit KAT CAST Module Message Module (A3605) message becomes digest initialization operational AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3599) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3600) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3601) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-ECB 128, 192, KAT CAST Module Symmetric Module (A3602) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3599) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3600) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3601) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CBC 128, 192, KAT CAST Module Symmetric Module (A3602) 256 bit keys; becomes operation initialization operational Juniper Networks, Inc. o +1 408 745 2000 31

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 32

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type encrypt and decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3599) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3600) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3601) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-CTR 128, 192, KAT CAST Module Symmetric Module (A3602) 256 bit keys; becomes operation initialization encrypt and operational decrypt AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational

2.0 decrypt

(A3599) AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational

2.0 decrypt

(A3600) AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational

2.0 decrypt

(A3601) AES-XTS 128 and 256 KAT CAST Module Symmetric Module Testing bit keys; becomes operation initialization Revision encrypt and operational

2.0 decrypt

(A3602) AES-CMAC 128 and 256 KAT CAST Module Message Module (A3599) bit keys; becomes authentication initialization encrypt and operational decrypt AES-CMAC 128 and 256 KAT CAST Module Message Module (A3601) bit keys; becomes authentication initialization encrypt and operational decrypt AES-CMAC 128 and 256 KAT CAST Module Message Module (A3602) bit keys; becomes authentication initialization operational Juniper Networks, Inc. o +1 408 745 2000 32

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 33

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type encrypt and decrypt HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3599) keys operational HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3603) keys operational HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3604) keys operational HMAC- SHA-1 with KAT CAST Module Message Module SHA-1 32-64 bit becomes authentication initialization (A3605) keys operational HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3599) 1048 bit operational keys HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3603) 1048 bit operational keys HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3604) 1048 bit operational keys HMAC- SHA2-224 KAT CAST Module Message Module SHA2-224 with 32- becomes authentication initialization (A3605) 1048 bit operational keys HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3599) bit keys operational HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3603) bit keys operational HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3604) bit keys operational HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 32-64 becomes authentication initialization (A3605) bit keys operational HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3599) 1048 bit operational keys HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3603) operational Juniper Networks, Inc. o +1 408 745 2000 33

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 34

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type

1048 bit

keys HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3604) 1048 bit operational keys HMAC- SHA2-384 KAT CAST Module Message Module SHA2-384 with 32- becomes authentication initialization (A3605) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3599) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3603) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3604) 1048 bit operational keys HMAC- SHA2-512 KAT CAST Module Message Module SHA2-512 with 32- becomes authentication initialization (A3605) 1048 bit operational keys Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3599) With DF, operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3600) With DF, operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3601) With DF, operational With/without PR; Health Juniper Networks, Inc. o +1 408 745 2000 34

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 35

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type test per section 11.3 of SP 80090Arev1 Counter 128, 192, KAT CAST Module Compliant with Module DRBG 256 bit keys becomes SP 800-90Ar1 initialization (A3602) With DF, operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3599) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3600) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3601) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3603) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Juniper Networks, Inc. o +1 408 745 2000 35

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 36

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3604) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 Hash SHA-1, KAT CAST Module Compliant with Module DRBG SHA2-256, becomes SP 800-90Ar1 initialization (A3605) SHA2-512 operational With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3599) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3600) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3601) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 Juniper Networks, Inc. o +1 408 745 2000 36

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 37

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3603) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3604) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 HMAC HMAC-SHA- KAT CAST Module Compliant with Module DRBG 1, HMAC- becomes SP 800-90Ar1 initialization (A3605) SHA2-256, operational HMAC-SHA2With/without PR; Health test per section 11.3 of SP 80090Arev1 ENT (NP) 1024 RCT CAST Module Entropy source Entropy samples becomes start-up test source operational initialization and services are available for use. ENT (NP) 1024 APT CAST Module Entropy source Entropy samples becomes start-up test source operational initialization and services are Juniper Networks, Inc. o +1 408 745 2000 37

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 38

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm Test Test Test Indicator Details Conditions or Test Properties Method Type available for use. ENT (NP) Cutoff C = RCT CAST Entropy Entropy source Continuously

61 source is continuous

operational test ENT (NP) Cutoff C = APT CAST Entropy Entropy source Continuously

355 source is continuous

operational test HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4249) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4248) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4247) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. HMAC- SHA2-256 KAT CAST Module Message Module SHA2-256 with 256 bit becomes authentication. initialization. (A4246) key operational Makes use of Before and HMAC from integrity services bound test. are OpenSSL available module. for use. Table 22: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in the table above. Services are not available, and data output (via the data output interface) is inhibited during the conditional self-tests. If any of these tests fails, the module transitions to the Error State. Juniper Networks, Inc. o +1 408 745 2000 38

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 39

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- Message SW/FW Integrity On demand Manually

256 (A4246) Authentication

HMAC-SHA2- Message SW/FW Integrity On demand Manually

256 (A4246) Authentication

Table 23: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method SHA-1 (A3599) KAT CAST On Demand Manually SHA-1 (A3603) KAT CAST On Demand Manually SHA-1 (A3604) KAT CAST On Demand Manually SHA-1 (A3605) KAT CAST On Demand Manually SHA2-224 KAT CAST On Demand Manually (A3599) SHA2-224 KAT CAST On Demand Manually (A3603) SHA2-224 KAT CAST On Demand Manually (A3604) SHA2-224 KAT CAST On Demand Manually (A3605) SHA2-256 KAT CAST On Demand Manually (A3599) SHA2-256 KAT CAST On Demand Manually (A3603) SHA2-256 KAT CAST On Demand Manually (A3604) SHA2-256 KAT CAST On Demand Manually (A3605) SHA2-384 KAT CAST On Demand Manually (A3599) SHA2-384 KAT CAST On Demand Manually (A3603) SHA2-384 KAT CAST On Demand Manually (A3604) SHA2-384 KAT CAST On Demand Manually (A3605) SHA2-512 KAT CAST On Demand Manually (A3599) SHA2-512 KAT CAST On Demand Manually (A3603) SHA2-512 KAT CAST On Demand Manually (A3604) SHA2-512 KAT CAST On Demand Manually (A3605) AES-ECB KAT CAST On Demand Manually (A3599) Juniper Networks, Inc. o +1 408 745 2000 39

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 40

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm or Test Method Test Type Period Periodic Test Method AES-ECB KAT CAST On Demand Manually (A3600) AES-ECB KAT CAST On Demand Manually (A3601) AES-ECB KAT CAST On Demand Manually (A3602) AES-CBC KAT CAST On Demand Manually (A3599) AES-CBC KAT CAST On Demand Manually (A3600) AES-CBC KAT CAST On Demand Manually (A3601) AES-CBC KAT CAST On Demand Manually (A3602) AES-CTR KAT CAST On Demand Manually (A3599) AES-CTR KAT CAST On Demand Manually (A3600) AES-CTR KAT CAST On Demand Manually (A3601) AES-CTR KAT CAST On Demand Manually (A3602) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3599) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3600) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3601) AES-XTS Testing KAT CAST On Demand Manually Revision 2.0 (A3602) AES-CMAC KAT CAST On Demand Manually (A3599) AES-CMAC KAT CAST On Demand Manually (A3601) AES-CMAC KAT CAST On Demand Manually (A3602) HMAC-SHA-1 KAT CAST On Demand Manually (A3599) HMAC-SHA-1 KAT CAST On Demand Manually (A3603) HMAC-SHA-1 KAT CAST On Demand Manually (A3604) HMAC-SHA-1 KAT CAST On Demand Manually (A3605) Juniper Networks, Inc. o +1 408 745 2000 40

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 41

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT CAST On Demand Manually

224 (A3599)

HMAC-SHA2- KAT CAST On Demand Manually

224 (A3603)

HMAC-SHA2- KAT CAST On Demand Manually

224 (A3604)

HMAC-SHA2- KAT CAST On Demand Manually

224 (A3605)

HMAC-SHA2- KAT CAST On Demand Manually

256 (A3599)

HMAC-SHA2- KAT CAST On Demand Manually

256 (A3603)

HMAC-SHA2- KAT CAST On Demand Manually

256 (A3604)

HMAC-SHA2- KAT CAST On Demand Manually

256 (A3605)

HMAC-SHA2- KAT CAST On Demand Manually

384 (A3599)

HMAC-SHA2- KAT CAST On Demand Manually

384 (A3603)

HMAC-SHA2- KAT CAST On Demand Manually

384 (A3604)

HMAC-SHA2- KAT CAST On Demand Manually

384 (A3605)

HMAC-SHA2- KAT CAST On Demand Manually

512 (A3599)

HMAC-SHA2- KAT CAST On Demand Manually

512 (A3603)

HMAC-SHA2- KAT CAST On Demand Manually

512 (A3604)

HMAC-SHA2- KAT CAST On Demand Manually

512 (A3605)

Counter DRBG KAT CAST On Demand Manually (A3599) Counter DRBG KAT CAST On Demand Manually (A3600) Counter DRBG KAT CAST On Demand Manually (A3601) Counter DRBG KAT CAST On Demand Manually (A3602) Hash DRBG KAT CAST On Demand Manually (A3599) Hash DRBG KAT CAST On Demand Manually (A3600) Hash DRBG KAT CAST On Demand Manually (A3601) Hash DRBG KAT CAST On Demand Manually (A3603) Juniper Networks, Inc. o +1 408 745 2000 41

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 42

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Algorithm or Test Method Test Type Period Periodic Test Method Hash DRBG KAT CAST On Demand Manually (A3604) Hash DRBG KAT CAST On Demand Manually (A3605) HMAC DRBG KAT CAST On Demand Manually (A3599) HMAC DRBG KAT CAST On Demand Manually (A3600) HMAC DRBG KAT CAST On Demand Manually (A3601) HMAC DRBG KAT CAST On Demand Manually (A3603) HMAC DRBG KAT CAST On Demand Manually (A3604) HMAC DRBG KAT CAST On Demand Manually (A3605) ENT (NP) RCT CAST On demand Manually ENT (NP) APT CAST On demand Manually ENT (NP) RCT CAST On demand Manually ENT (NP) APT CAST On demand Manually HMAC-SHA2- KAT CAST On demand Manually

256 (A4249)

HMAC-SHA2- KAT CAST On demand Manually

256 (A4248)

HMAC-SHA2- KAT CAST On demand Manually

256 (A4247)

HMAC-SHA2- KAT CAST On demand Manually

256 (A4246)

Table 24: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The Linux kernel immediately Any self-test Restart of the Kernel State stops executing failure module Panic Table 25: Error States In the Error State, the output interface is inhibited, and the module accepts no more inputs or requests (as the module is no longer running). The error can be recovered by a restart (i.e., powering off and powering on) of the module. Further details on how to recover from error state can be found in the evo-backup-snapshot documentation1.

1 URL: https://www.juniper.net/documentation/us/en/software/junos/junos-install-upgrade-

evo/topics/topic-map/evo-backup-snapshot.html Juniper Networks, Inc. o +1 408 745 2000 42

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 43

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.

10.5 Operator Initiation of Self-Tests [O]

All self-tests, with the exception of the continuous health tests, can be invoked on demand by unloading and subsequently re-initializing the module.

10.6 Additional Information [O]
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is pre-installed in the junos-evo-install-ptx-fixed-x86-64-22.4R2.11-S1-EVO.iso image. The procedures on how to mount and install the image are listed in the softwareinstall-and-upgrade-overview-evo documentation2. The Crypto Officer shall follow this Security Policy to configure the operational environment and to operate the module as a FIPS 140-3 validated module. To configure the operating environment to run in the approved mode, the following shall be performed with the root privilege:

  1. Enter CLI configuration mode.
  2. Configure FIPS level to 1: set system fips level 1
  3. Commit changes: commit
  4. Exit configuration mode to enter operational mode: exit
  5. Reboot the system with the new settings (answer yes to prompt): request system reboot The Crypto Officer should check the existence of the file, /proc/sys/crypto/fips_enabled, and that it contains “1”. If the file does not exist or does not contain “1”, the operating environment is not configured to operate properly in the approved mode.
11.2 Administrator Guidance

In order to run in the Approved mode, the module must be operated using the approved services, with their corresponding approved and allowed cryptographic algorithms provided in this Security Policy. In addition, key sizes must comply with [SP800-131Ar2]. Once the OE is properly configured, the operator is responsible to verify that the installation and configuration is completed. For such purpose, the following command “cat /proc/sys/fips_version” must return: Junos OS Evolved Kernel Cryptographic Module 2.0

2 URL: https://www.juniper.net/documentation/us/en/software/junos/junos-install-upgrade-

evo/topics/concept/software-install-and-upgrade-overview-evo.html Juniper Networks, Inc. o +1 408 745 2000 43

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 44

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc.

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 Design and Rules [O]

Not applicable for this module.

11.5 Maintenance Requirements [O]

There are no maintenance requirements.

11.6 End of Life [O]

As a first step for the secure sanitization, the module needs to be powered off which will erase the SSPs in the volatile memory. Then, the files listed related to the static kernel binary and fips_chk_hmac utility must be deleted using the command “shred -zu <file_name>”. Then, for the actual deprecation, the module will be upgraded to a newer version that is approved.

11.7 Additional Information [O]
12 Mitigation of Other Attacks
12.1 Attack List [O]

The module does not offer mitigation of other attacks and therefore this section is not applicable.

12.2 Mitigation Effectiveness [O]
12.3 Guidance and Constraints [O]
12.4 Additional Information [O]

Not applicable. Juniper Networks, Inc. o +1 408 745 2000 44

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 45

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Appendix A. Glossary and Abbreviations AES Advanced Encryption Standard API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book ENT (NP) Non-physical Entropy Source FIPS Federal Information Processing Standards GCM Galois Counter Mode HMAC Keyed-Hash Message Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing Juniper Networks, Inc. o +1 408 745 2000 45

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net

Page 46

Junos OS Evolved Kernel Cryptographic Module Juniper Networks, Inc. Appendix B. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips140-3-ig-announcements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38E Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800- Transitioning the Use of Cryptographic Algorithms and Key 131Ar2 Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf Juniper Networks, Inc. o +1 408 745 2000 46

1133 Innovation Way f +1 408 745 2100

Sunnyvale, CA 94089 www.juniper.net