All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Juniper Networks QFX10002, QFX10008 and QFX10016

Certificate#4882StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/17/2026
CaveatInterim validation. When operated in Approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorJuniper Networks, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Juniper Networks QFX10002, QFX10008 and QFX10016
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>upgrade<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>library named: openssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Juniper Networks QFX10002, QFX10008 and QFX10016
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>upgrade<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Show status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Juniper Networks, Inc. Juniper Networks QFX10002, QFX10008 and QFX10016

Page 2
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Hardware11
Table 3: Modes List and Description11
Table 4: Approved Algorithms - Kernel12
Table 5: Approved Algorithms - LibMD12
Table 6: Approved Algorithms - OpenSSL14
Table 7: Approved Algorithms -14
Table 8: Vendor-Affirmed Algorithms14
Table 9: Non-Approved, Allowed Algorithms with No Security Claimed15
Table 10: Non-Approved, Not Allowed Algorithms15
Table 11: Security Function Implementations18
Table 12: Entropy Certificates18
Table 13: Entropy Sources18
Table 14: Ports and Interfaces20
Table 15: Authentication Methods22
Table 16: Roles23
Table 17: Approved Services37
Table 18: Non-Approved Services39
Table 19: Storage Areas41
Table 20: SSP Input-Output Methods41
Table 21: SSP Zeroization Methods42
Table 22: SSP Table 146
Table 23: SSP Table 249
Table 24: Pre-Operational Self-Tests49
Table 25: Conditional Self-Tests54
Table 26: Pre-Operational Periodic Information54
Table 27: Conditional Periodic Information56
Table 28: Error States56
Figure 1: Front view of QFX10002-36Q, QFX10002-72Q and QFX10002-60C7
Figure 2: Rear view for QFX10002-36Q7
Figure 3: Rear view of QFX10002-72Q7
Figure 4: Rear view of QFX10002-60C8
Figure 5: Front view of QFX100088
Figure 6: Rear view of QFX100088
Figure 7: Front view of QFX1000169
Figure 8: Rear view image QFX1000169
Figure 9 – High-level Block Diagram for QFX10002/QFX10008/QFX1001610
Page 5
1 General
1.1 Overview

Introduction Federal Information Processing Standards Publication 140-3

1.2 Security Levels

Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 3
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security 1
Page 6

Section Title Security Level

8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

1.3 Additional Information

The module claims an overall Security Level of 1 with all individual sections at a Security Level

1 with the exceptions of Roles, Services and Authentication (claimed at Security Level 3). The

module does not implement any non-invasive security mitigations or mitigations of other attacks and thus the requirements per these sections are inapplicable.

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The cryptographic module provides for an encrypted connection, using SSH, between the management station and itself, i.e., the QFX switch. Module Type: Hardware Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic module’s operational environment is a limited operational environment. The cryptographic boundary of the hardware module is the entirety of the module/chassis (demarked with a black outline in the figures below). This includes the Routing Engine (RE). No components have been excluded from the cryptographic boundary of the module. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the entirety of the module chassis.

Page 7

Figure 1: Front view of QFX10002-36Q, QFX10002-72Q and QFX10002-60C Figure 2: Rear view for QFX10002-36Q Figure 3: Rear view of QFX10002-72Q

Page 8

Figure 4: Rear view of QFX10002-60C Figure 5: Front view of QFX10008 Figure 6: Rear view of QFX10008

Page 9

Figure 7: Front view of QFX100016 Figure 8: Rear view image QFX100016

Page 10

Figure 9

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 11

Model Hardware Version Firmware Processors Features and/or Part Version Number QFX10008 QFX10008 with Junos OS Intel Xeon E3- QFX10000-PWR-AC QFX10000 Control 22.3R1-S2.3 1125V2 QFX10000-PWR-DC board QFX10016 QFX10016 with Junos OS Intel Xeon E3- QFX10000-PWR-AC QFX10000 Control 22.3R1-S2.3 1125V2 QFX10000-PWR-DC board Table 2: Tested Module Identification

2.3 Excluded Components

No components have been excluded from the cryptographic boundary of the module.

2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name Approved

Page 12

The hardware versions contained in Table 2, with Junos OS 22.3R1-S2.3 installed, contain one Approved mode of operation and a non-Approved mode of operation. The Junos OS 22.3R1S2.3 firmware image must first be installed on the module. The module is configured during initialization by the Crypto Officer to operate in the Approved mode or the non-Approved mode. When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operation. The module is in a non-compliant state by default and the Crypto Officer can place the module into the nonApproved mode of operation by following the instructions in Section 11 Life-Cyle Assurance in this document. Mode Change Instructions and Status: The module must always be zeroised when switching between the Approved mode of operation and the non-Approved mode of operation and vice versa. Degraded Mode Description: The module does not support a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Kernel Algorithm CAVP Properties Reference Cert HMAC DRBG A3337 Prediction Resistance - Yes SP 800-90A Mode - SHA2-256 Rev. 1 HMAC-SHA2- A3337 Key Length - Key Length: 256 FIPS 198-1 SHA2-256 A3337 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

Table 4: Approved Algorithms - Kernel LibMD Algorithm CAVP Cert Properties Reference SHA2-512 A3348 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Table 5: Approved Algorithms - LibMD OpenSSL Algorithm CAVP Properties Reference Cert AES-CBC A3349 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A3349 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256

Page 13

Algorithm CAVP Properties Reference Cert AES-ECB A3349 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 ECDSA KeyGen A3349 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3349 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3349 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A3349 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 HMAC DRBG A3349 Prediction Resistance - Yes SP 800-90A Mode - SHA2-256 Rev. 1 HMAC-SHA-1 A3349 Key Length - Key Length: 160 FIPS 198-1 HMAC-SHA2-256 A3349 Key Length - Key Length: 256 FIPS 198-1 HMAC-SHA2-512 A3349 Key Length - Key Length: 512 FIPS 198-1 KAS-ECC-SSC A3349 Domain Parameter Generation Methods SP 800-56A Sp800-56Ar3 - P-256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A3349 Domain Parameter Generation Methods SP 800-56A Sp800-56Ar3 - FC, MODP-2048 Rev. 3 Scheme dhEphem KAS Role - initiator KDF SSH (CVL) A3349 Cipher - AES-128, AES-192, AES-256, SP 800-135 TDES Rev. 1 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 RSA KeyGen A3349 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A3349 Signature Type - PKCS 1.5 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A3349 Signature Type - PKCS 1.5 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 SHA-1 A3349 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-256 A3349 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

SHA2-512 A3349 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8
Page 14

Table 6: Approved Algorithms - OpenSSL Algorithm CAVP Properties Reference Cert SHA2-512 A3337 Message Length - Message Length: 0- FIPS 180-4

65536 Increment 8

Safe Primes Key A3349 Safe Prime Groups - MODP-2048 SP 800-56A Generation Rev. 3 Safe Primes Key A3349 Safe Prime Groups - MODP-2048 SP 800-56A Verification Rev. 3 Table 7: Approved Algorithms The following protocol is supported by the module in the Approved mode: SSHv2 (EC Diffie-Hellman P-256, P-384, P-521; Diffie-Hellman MODP2048; RSA 2048, 3072

4096 bits; ECDSA P-256, P-384, P-521; AES CBC 128, 192, 256 bits; AES CTR 128, 192, 256

bits, HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) The SSH protocol allows independent selection of key exchange, authentication, cipher and integrity algorithms. Please note that there are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in the table above are used by an approved service of the module. Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG - Key N/A NIST SP800-133r2 Section 4: Section 4 Type:Asymmetric Asymmetric seed generation using an and 5.1 unmodified output from an Approved DRBG; Section 5.1: Key Pairs for Digital Signature Schemes CKG - Key N/A NIST SP800-133r2 Section 4: Section 4 Type:Asymmetric Asymmetric seed generation using an and 5.2 unmodified output from an Approved DRBG; Section 5.2: Key Pairs for Key Establishment CKG - Key N/A NIST SP800-133r2 Section 6.2.1: Section Type:Symmetric Derivation of symmetric keys 6.2.1 Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: The module does not support any non-Approved algorithms in the Approved mode, i.e., it does not support Non-Approved Algorithms Allowed in the Approved Mode of Operation.

Page 15

Non-Approved, Allowed Algorithms with No Security Claimed: Name Caveat Use and Function SHA2-256 (JUNOS 22.3R1 no Used to store operator passwords in hashed form, QFX10K-LibMD security per IG 2.4.A: Use of a non-approved cryptographic Implementation) claimed algorithm to “obfuscate” a CSP SHA-1 (JUNOS 22.3R1 no Used for an extraneous check in the Kernel, per IG QFX10K-Kernel) security 2.4.A: Use of an approved, non-approved or claimed proprietary algorithm for a purpose that is not security relevant Table 9: Non-Approved, Allowed Algorithms with No Security Claimed The module does not support any non-Approved algorithms in the Approved mode, i.e., it does not support Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. Non-Approved, Not Allowed Algorithms: Name Use and Function RSA with key size less than 2048 SSH ECDSA with ed25519 curve SSH EC Diffie-Hellman with ed25519 curve SSH ARCFOUR SSH Blowfish SSH CAST SSH DSA (SignGen, SigVer, non-compliant) SSH HMAC-MD5 SSH HMAC-RIPEMD160 SSH UMAC SSH Table 10: Non-Approved, Not Allowed Algorithms In addition to the above non-Approved Algorithms Not Allowed in the Approved Mode of Operation, all Approved algorithms supported in the Approved mode of operation are also supported in the non-Approved mode.

2.6 Security Function Implementations

Name Type Description Properties Algorithms KAS1 KAS-135KDF Key Agreement SP 800-56Arev3 KAS-ECC-SSC KAS-SSC for SSHv2 KAS-ECC per IG Sp800-56Ar3 D.F Scenario 2 KDF SSH path (2):size: P256, P-384, P-

521 curves;
Page 16

Name Type Description Properties Algorithms 192, 256 bits; strength caveat: SSP establishment methodology provides between 128 and 256 bits of encryption strength KAS2 AsymKeyPair- Key Agreement SP800-56Arev3 KAS-FFC-SSC KeyGen for SSHv2 KAS-FFC per IG Sp800-56Ar3 AsymKeyPair- D.F Scenario 2 KDF SSH KeyVer path (2):size: Safe Primes Key KAS-135KDF MODP 2048; Generation KAS-SSC encryption Safe Primes Key strength: SSP Verification establishment methodology provides 112 bits of encryption strength KTS1 KTS-Wrap Key Transport SP800-38A AES AES-CBC for SSHv2 CBC, CTR and AES-CTR HMAC 198 per AES-ECB IG D.G:size: HMAC-SHA-1 128, 192, and HMAC-SHA2256-bit keys; 256 SSP HMAC-SHA2establishment 512 methodology SHA-1 provides SHA2-256 between 128 SHA2-512 and 256 bits of encryption strength ECDSA SigVer DigSig-SigVer ECDSA FIPS 186-4 ECDSA SigVer Signature :size: P-256, (FIPS186-4) Verification used encryption for firmware strength: 128 integrity bits ECDSA SigVer2 DigSig-SigVer ECDSA FIPS 186-4:size: ECDSA SigVer Signature P-256, P-384, P- (FIPS186-4) Verification used 521 curves, 128, for identity- 192 and 256 bits based public key authentication

Page 17

Name Type Description Properties Algorithms DRBG DRBG Kernel DRBG HMAC DRBG providing HMAC-SHA2random bits to 256 the DRBG2 for SHA2-256 SSP generation in the user/application space DRBG2 DRBG SSP generation HMAC DRBG in HMAC-SHA2user/application 256 space SHA2-256 Entropy Souce ENT-Cond Non-Physical SHA2-512 Entropy Source ECDSA KeyGen AsymKeyPair- Generation of ECDSA KeyGen KeyGen SSH host keys (FIPS186-4) ECDSA AsymKeyPair- SSP Agreement ECDSA KeyGen KeyGen2 KeyGen in the context of (FIPS186-4) SSH ECDSA KeyVer AsymKeyPair- Verification of ECDSA KeyVer KeyVer keys generated (FIPS186-4) ECDSA SigGen DigSig-SigGen Signature ECDSA SigGen Generation (FIPS186-4) using ECDSA in the context of SSH RSA KeyGen AsymKeyPair- Generation of RSA KeyGen KeyGen SSH host keys (FIPS186-4) RSA SigGen DigSig-SigGen Signature RSA SigGen Generation (FIPS186-4) using RSA in the context of SSH RSA SigVer DigSig-SigVer Signature RSA SigVer Verification (FIPS186-4) using RSA for public key authentication Password Hash SHA Used to store SHA2-512 passwords in hashed form CKG CKG Cryptographic CKG - Section Key Generation 6.2.1 (CKG) Key Type: Symmetric CASTs on boot BC-UnAuth List of AES-CBC DigSig-SigGen algorithms for HMAC DRBG DigSig-SigVer which Known HMAC-SHA-1 DRBG Answer Tests HMAC-SHA2ENT-Cond (CASTs) have 256

Page 18

Name Type Description Properties Algorithms KAS-135KDF been HMAC-SHA2MAC implemented in 512 SHA the module and KAS-ECC-SSC perform on each Sp800-56Ar3 boot KAS-FFC-SSC Sp800-56Ar3 KDF SSH ECDSA SigGen (FIPS186-4) ECDSA SigVer (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigVer (FIPS186-4) HMAC DRBG HMAC-SHA2SHA2-512 SHA2-512 Table 11: Security Function Implementations

2.7 Algorithm Specific Information

The module only supports testable RSA moduli/key sizes (2048, 3072 and 4096 bits) and thus the requirements per FIPS 140-3 IG C.F do not apply.

2.8 RBG and Entropy

Cert Vendor Name Number E89 Juniper Networks Table 12: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample Junos OS Non- Non- Intel Xeon E3- 8 bits 0.83 bits SHA2-512 (CAVP Physical Entropy Physical 1125v2 Cert. #A3337) Source Table 13: Entropy Sources

2.9 Key Generation
Page 19

The module implements two NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2 and 6.2.1.

2.10 Key Establishment

Per IG D.F: The module implements full KAS (KAS-ECC-SSC, KAS-FFC-SSC per NIST SP 800-56Ar3 and KDF SSH per NIST SP 800-135r1; IG D.F Scenario 2 (path 2 option 2, separate testing of the SSC and SP800-135r1 KDF). The KAS1 and KAS2 in the SFI Table have been documented in accordance with this requirement. KAS1: KAS (KAS-ECC-SSC Cert.#A3349 and CVL Cert. #A3349; SSP establishment methodology provides between 128 and 256 bits of encryption strength) KAS2: KAS (KAS-FFC-SSC Cert.#A3349 and CVL Cert. #A3349; SSP establishment methodology provides 112 bits of encryption strength) The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KDF SSH) as individual entries. Per IG D.G: The module supports the IETF SSH protocol and thus implements key transport in the context of the protocol (per the KTS1 entry in the SFI table of the Security Policy). The module implements the following approved KTS using approved AES modes: AES CBC and CTR: KTS (AES Cert. #A3349 and HMAC Cert. #A3349; key establishment methodology provides between 128 and 256 bits of encryption strength)

2.11 Industry Protocols

No parts of the SSH protocol, other than the KDF, have been tested by the CAVP or CMVP.

2.12 Additional Information

The module design corresponds to the security rules below. The term shall in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.

  1. The module clears previous authentications on power cycle.
  2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
  3. Self-tests do not require any operator action.
  4. Data output is inhibited during SSP generation, self-test execution, zeroisation, and error states.
  5. Status information does not contain SSPs or sensitive data that if misused could lead to a compromise of the module.
  6. There are no restrictions on which SSPs are zeroised by the zeroisation service.
Page 20
  1. The module does not support a maintenance interface or role.
  2. The module does not output intermediate key values.
  3. The module does not output plaintext CSPs.
  4. The Crypto officer shall verify that the firmware image to be loaded on the module is a FIPS 140-3 validated image. If any non-validated firmware image is loaded the module will no longer be a validated module.
  5. The Crypto Officer shall retain control of the module while zeroisation is in process.
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) Ethernet Data Input LAN Communications (QFX10002-36Q(40: 2 MGMT, 36 Data Output QSFP+, 1 ETH), QFX10002-72Q(80: 2 MGMT, 72 QSFP+, 1 Control ETH), QFX10002-60C (63: 2 MGMT, 60 QSFP+, 1 ETH), Input QFX10008(12: 4 MGMT, 8 SFP+), QFX10016(12: 4 MGMT, 8 Status SFP+)) Output Serial Control Serial Console Port (QFX10002(1), QFX10008(2), Input QFX10016(2)) Status Output USB Data Input Load Junos OS image/configuration (QFX10002(1), Control QFX10008(2), QFX10016(2)) Input Power Power Power connector (QFX10002-36Q(4), QFX10002-72Q(4), QFX10002-60C(4), QFX10008(6), QFX10016(10)) LED Status Status indicator lighting (QFX10002(4) QFX10008(13) Output QFX10016(13)) Reset Control Reset (QFX10002(1) QFX10008(2) QFX10016(2)) Input SMB Control PTP Connectors (QFX10002(2) QFX10008(8) QFX10016(8)) Input Status Output Backplane Data Input Line card interface (QFX10008(8) QFX10016(16)) Line Card Data Output Interface Control Input Status Output Table 14: Ports and Interfaces The module does not support control output.

Page 21
4 Roles, Services, and Authentication
4.1 Authentication Methods

Method Description Security Strength Strength per Name Mechanism Each Minute Attempt Username

9.6 attempts per minute (576

attempts per hour/60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts; The probability of a success with multiple consecutive attempts in

Page 22

Method Description Security Strength Strength per Name Mechanism Each Minute Attempt a one-minute period is 9/(96^10), which is less than 1/100,000 Username

Page 23

the console and SSH connections, as well as username and an ECDSA or RSA public keybased authentication over SSHv2.

4.2 Roles

Name Type Operator Type Authentication Methods Super-user Identity Crypto Officer Username and password (CO) over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH Operator Identity User Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH Read-only Identity User Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH Root Identity Crypto Officer Username and password (CO) over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH Unauthorised Identity User Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH Table 16: Roles The module supports two roles: Crypto Officer (CO) and User. Root and Super-user correspond to the Crypto Officer role whereas Operator, Read-Only and Unauthorised operator types correspond to the User role. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. An operator assuming the Crypto Officer role configures and monitors the module via a console or SSH connection. As Root or Super-user, the Crypto Officer has permission to view and configure passwords and public keys within the module. The User role monitors the module via the console or SSH. The User role does not have the permission to modify the configuration.

Page 24
4.3 Approved Services

Name Description Indicator Inputs Output Security SSP Access s Function s Configure Security Global Commands Traffic DRBG Root security relevant Approved (SSH DRBG2 - SSH Private (security configuratio Mode configuration: Passwor Host Key: G relevant) n (SSH, indicator set system d Hash - User authenticati “fips” at services ssh CKG Password: on data) the CLI root-login W,E combined allow) - CO with Password: successf W,E ul completio HMAC_DRBG n of each V value: E service HMAC_DRBG Key value: E HMAC_DRBG entropy input: E HMAC_DRBG seed: E - SSH Public Host Key: G - User Authentication Public Keys: W - CO Authentication Public Keys: W Super-user - SSH Private Host Key: G - User Password: W,E - CO Password: W,E HMAC_DRBG V value: E -

Page 25

Name Description Indicator Inputs Output Security SSP Access s Function s HMAC_DRBG Key value: E HMAC_DRBG entropy input: E HMAC_DRBG seed: E HMAC_DRBG Key value: E - SSH Public Host Key: G - CO Authentication Public Keys: W - User Authentication Public Keys: W Configure Non- Global Commands Traffic Passwor Super-user (non- security Approved (miscellaneous d Hash - CO security relevant Mode commands Password: E relevant) configuratio indicator e.g., for IP Root n “fips” at address - CO the CLI configuration, Password: E combined routing with protocols, etc.) successf ul completio n of each service Show Query the Global Command CLI Passwor Super-user status module Approved (show) output d Hash - CO status Mode Password: E indicator Root “fips” at - CO the CLI Password: E combined Operator with - User successf Password: E ul Read-only completio - User n of each Password: E service Unauthorised

Page 26

Name Description Indicator Inputs Output Security SSP Access s Function s - User Password: E Show LEDs on the LED(s) N/A LED None Super-user status module on the Operator (LED) provide chassis Read-only physical turned on Unauthorised status Root output Unauthenticat ed Show Query the Global Command CLI Passwor Super-user module’s module’s Approved (show version) output d Hash - CO versioning versioning Mode Password: E informatio information indicator Operator n “fips” at - User the CLI Password: E combined Read-only with - User successf Password: E ul Unauthorised completio - User n of each Password: E service Root - CO Password: E Zeroise Destroy all Global Command N/A Passwor Super-user (Perform SSPs Approved (request d Hash - SSH Private zeroisatio Mode vmhost zeroise Host Key: Z n) indicator no-forwarding) - SSH ECDH “fips” at Private Key: Z the CLI - SSH DH combined Private Key: Z with - SSH Session successf Key: Z ul - User completio Password: Z n of each - CO service Password: E,Z HMAC_DRBG V value: Z HMAC_DRBG Key value: Z HMAC_DRBG entropy input: Z

Page 27

Name Description Indicator Inputs Output Security SSP Access s Function s HMAC_DRBG seed: Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: Z - SSH Public Host Key: Z - User Authentication Public Keys: Z - CO Authentication Public Keys: Z JuniperRootC A: Z - PackageCA: Z - SSH ECDH Public Key: Z - SSH DH Public Key: Z - SSH ECDH Client Public Key: Z - SSH DH Client Public Key: Z Root - SSH Private Host Key: Z - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session Key: Z - User Password: Z - CO Password: E,Z HMAC_DRBG

Page 28

Name Description Indicator Inputs Output Security SSP Access s Function s V value: Z HMAC_DRBG Key value: Z HMAC_DRBG entropy input: Z HMAC_DRBG seed: Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: Z - SSH Public Host Key: Z - User Authentication Public Keys: Z - CO Authentication Public Keys: Z JuniperRootC A: Z - PackageCA: Z - SSH ECDH Public Key: Z - SSH DH Public Key: Z - SSH ECDH Client Public Key: Z - SSH DH Client Public Key: Z Perform Initiate SSH Global Authentication SSH KAS1 Super-user approved connection Approved data session KAS2 - SSH Private security for SSH Mode (Username KTS1 Host Key: E functions monitoring indicator and ECDSA - SSH ECDH (SSH and control “fips” at password/publi SigVer2 Private Key: connectio (CLI) the CLI c-key based DRBG G,E,Z n) combined authentication) DRBG2 - SSH DH

Page 29

Name Description Indicator Inputs Output Security SSP Access s Function s with Entropy Private Key: successf Souce G,E,Z ul ECDSA - SSH Session completio KeyGen Key: G,E,Z n of each ECDSA service KeyGen2 HMAC_DRBG ECDSA V value: E KeyVer ECDSA HMAC_DRBG SigGen Key value: E RSA KeyGen HMAC_DRBG RSA entropy input: SigGen E RSA SigVer HMAC_DRBG Passwor seed: E d Hash - ECDH CKG Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: E - SSH DH Public Key: G,E,Z - SSH ECDH Public Key: G,E,Z - CO Password: E - CO Authentication Public Keys: E - SSH ECDH Client Public Key: W,E,Z - SSH DH Client Public Key: W,E,Z Root - SSH Private Host Key: E - SSH ECDH Private Key:

Page 30

Name Description Indicator Inputs Output Security SSP Access s Function s G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z HMAC_DRBG V value: E HMAC_DRBG Key value: E HMAC_DRBG entropy input: E HMAC_DRBG seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: E - SSH ECDH Public Key: G,E,Z - SSH DH Public Key: G,E,Z - CO Password: E - CO Authentication Public Keys: E - SSH ECDH Client Public Key: G,E,Z - SSH DH Client Public Key: G,E,Z Operator - SSH Private Host Key: E

Page 31

Name Description Indicator Inputs Output Security SSP Access s Function s - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z HMAC_DRBG V value: E HMAC_DRBG entropy input: E HMAC_DRBG seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: E - SSH ECDH Public Key: G,E,Z - SSH DH Public Key: G,E,Z - User Password: E - User Authentication Public Keys: E - SSH ECDH Client Public Key: G,E,Z - SSH DH Client Public Key: G,E,Z HMAC_DRBG Key value: E Read-only

Page 32

Name Description Indicator Inputs Output Security SSP Access s Function s - SSH Private Host Key: E - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z HMAC_DRBG V value: E HMAC_DRBG Key value: E HMAC_DRBG entropy input: E HMAC_DRBG seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: E - SSH ECDH Public Key: G,E,Z - SSH DH Public Key: G,E,Z - User Password: E - User Authentication Public Keys: E - SSH ECDH Client Public Key: G,E,Z - SSH DH Client Public

Page 33

Name Description Indicator Inputs Output Security SSP Access s Function s Key: G,E,Z Unauthorised - SSH Private Host Key: E - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z HMAC_DRBG V value: E HMAC_DRBG entropy input: E HMAC_DRBG seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: E - SSH ECDH Public Key: G,E,Z - SSH DH Public Key: G,E,Z - User Password: E - User Authentication Public Keys: E - SSH ECDH Client Public Key: G,E,Z - SSH DH Client Public Key: G,E,Z

Page 34

Name Description Indicator Inputs Output Security SSP Access s Function s HMAC_DRBG Key value: E Console Console Global Username, N/A Passwor Super-user Access monitoring Approved password (set d Hash - CO and control Mode system login Password: E (CLI) indicator user Operator “fips” at <username> - CO the CLI class <crypto- Password: E combined officer/user Read-only with class> - User successf operator Password: E ul authentication Unauthorised completio plaintext- - User n of each password) Password: E service Root - CO Password: E Perform Software Global Control N/A KAS1 Super-user self-tests initiated Approved input/reset KAS2 - SSH ECDH (remote reset, Mode signal (request KTS1 Private Key: reset) performs indicator vmhost reboot) DRBG G,E,Z self-tests on “fips” at DRBG2 - SSH DH demand via the CLI Entropy Private Key: SSH combined Souce G,E,Z with ECDSA - SSH Session successf KeyGen Key: G,E,Z ul ECDSA completio KeyGen2 HMAC_DRBG n of each ECDSA Key value: service KeyVer G,E,Z ECDSA SigGen HMAC_DRBG RSA V value: G,E,Z KeyGen RSA HMAC_DRBG SigGen entropy input: Passwor G,E,Z d Hash CKG HMAC_DRBG CASTs seed: G,E,Z on boot - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z

Page 35

Name Description Indicator Inputs Output Security SSP Access s Function s - SSH ECDH Public Key: G,E,Z - SSH DH Public Key: G,E,Z - CO Password: E - Firmware Integrity Key: E - SSH Private Host Key: E - SSH Public Host Key: E - SSH ECDH Client Public Key: W,E,Z - SSH DH Client Public Key: W,E,Z - SSH Private Host Key: E - SSH Public Host Key: E - User Authentication Public Keys: E - CO Authentication Public Keys: E Root - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z HMAC_DRBG Key value: G,E,Z HMAC_DRBG V value: G,E,Z -

Page 36

Name Description Indicator Inputs Output Security SSP Access s Function s HMAC_DRBG entropy input: G,E,Z HMAC_DRBG seed: G,E,Z - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH ECDH Public Key: G,E,Z - SSH DH Public Key: G,E,Z - CO Password: E - Firmware Integrity Key: E - SSH Private Host Key: E - SSH Public Host Key: E - SSH ECDH Client Public Key: W,E,Z - SSH DH Client Public Key: W,E,Z - SSH Private Host Key: E - SSH Public Host Key: E - User Authentication Public Keys: E - CO Authentication Public Keys: E Perform Hardware Global Control N/A CASTs Super-user self-tests reset or Approved input/reset on boot - Firmware (local power cycle Mode signal Integrity Key: reset) indicator E

Page 37

Name Description Indicator Inputs Output Security SSP Access s Function s “fips” at Root the CLI - Firmware combined Integrity Key: with E successf Operator ul - Firmware completio Integrity Key: n of each E service Read-only - Firmware Integrity Key: E Unauthorised - Firmware Integrity Key: E Unauthenticat ed - Firmware Integrity Key: E Load Verification Global Image, N/A ECDSA Super-user Image and loading Approved commands SigVer - CO of a Mode Passwor Password: E validated indicator d Hash - Firmware firmware “fips” at Integrity Key: image into the CLI E the combined router/switc with JuniperRootC h successf A: E ul - PackageCA: completio E n of each Root service - CO Password: E - Firmware Integrity Key: E JuniperRootC A: E - PackageCA: E Table 17: Approved Services

Page 38
4.4 Non-Approved Services

Name Description Algorithms Role Configure security Security relevant RSA with key Root, Super-user (security relevant) configuration size less than 2048 ECDSA with ed25519 curve EC DiffieHellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, noncompliant) HMAC-MD5 HMACRIPEMD160 UMAC Configure (non- Non-security relevant None Root, Super-user security relevant) configuration Show status Query the module None Root, Super-user, status Operator, Read-Only, Unauthorized Show status (LED) LEDs on the module None Root, Super-user, provide physical status Operator, Read-Only, output Unauthorized, Unauthenticated Show module’s Query the module’s None Root, Super-user, versioning versioning information Operator, Read-Only, information Unauthorized Zeroise (Perform Destroy all SSPs None Root, Super-user zeroisation) Perform approved Initiate SSH connection RSA with key Root, Super-user, security functions for SSH monitoring and size less than Operator, Read-Only, (SSH connection) control (CLI) 2048 Unauthorized ECDSA with ed25519 curve EC DiffieHellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, noncompliant) HMAC-MD5

Page 39

Name Description Algorithms Role HMACRIPEMD160 UMAC Console Access Console monitoring and None Root, Super-user, control (CLI) Operator, Read-Only, Unauthorized Perform self-tests Software initiated reset, None Root, Super-user, (remote reset) performs self-tests on Operator, Read-Only, demand Unauthorized Perform self-tests Hardware reset or None Root, Super-user, (local reset) power cycle Operator, Read-Only, Unauthorized, Unauthenticated Load Image Verification and loading None Root, Super-user of a validated firmware image into the router/switch Table 18: Non-Approved Services

4.5 External Software/Firmware Loaded

The module supports loading of firmware from an external source (a complete image replacement) and a firmware load test using ECDSA P-256 with SHA2-256 (CAVP Cert. #A3349) is performed in support of the load.

4.6 Cryptographic Output Actions and Status

The module does not support self-initiated cryptographic output.

5 Software/Firmware Security
5.1 Integrity Techniques

The module performs the firmware integrity check using ECDSA P-256 with SHA2-256 (CAVP Cert. #A3349). The ECDSA P-256 public key used for signature verification is a non-SSP and stored persistently across reboots in the module’s Non-Volatile RAM (NVRAM) and is exempt from zeroisation.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by rebooting the module.

5.3 Additional Information
Page 40

The module firmware image is delivered in the form of a pre-compiled tarball (.tgz).

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: The module contains a limited operational environment since it supports loading of firmware from an external source. The Junos OS 22.3R1-S2.3 operating system is contained within the module, i.e., the tested configurations listed in the Tested Module Identification

6.2 Configuration Settings and Restrictions

Security rules and restrictions for configuration of the operational environment have been specified in Sections 2.12 and 11.1 of this document.

7 Physical Security
7.1 Mechanisms and Actions Required

The module’s physical embodiment is that of a multi-chip standalone meeting Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. The module enclosure is made of production grade materials. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. No actions are required by the operator to ensure that physical security is maintained.

8 Non-Invasive Security
8.1 Mitigation Techniques

The module does not implement any non-invasive security mitigations and thus the requirements per this section do not apply to the module.

9 Sensitive Security Parameters Management
9.1 Storage Areas
Page 41

Storage Description Persistence Area Type Name NVRAM Non-Volatile Random Access Memory Static RAM Random Access Memory Dynamic Table 19: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm Entered over External NVRAM Encrypted Automated Electronic KTS1 SSH - NVRAM endpoint Loaded at External NVRAM Plaintext N/A N/A manufacture endpoint Entered through External NVRAM Plaintext Manual Direct the CLI via endpoint console connection NVRAM Input during SSH External RAM Plaintext Automated Electronic negotiation endpoint Output during NVRAM External Plaintext Automated Electronic SSH negotiation endpoint (host key) Output during RAM External Plaintext Automated Electronic SSH negotiation endpoint (Key Agreement public key) Table 20: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/DE and AD/EE for SSPs entered via the module’s CLI via a direct connection to its serial/console port and for SSPs entered/ouput/established via SSH respectively.

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Method Initiation Zeroisation Command used to zeroise the Used to provide zeroisation as Operator command module: request vmhost a service initiated zeroize no-forwarding Power-cycle Power cycling the module to Power cycling the module to Operator zeroise temporary SSPs zeroise temporary SSPs initiated Session Termination of SSH sessions Termination of SSH sessions Module termination automatically zeroises automatically zeroises initiated

Page 42

Zeroization Description Rationale Operator Method Initiation temporary SSPs used as part temporary SSPs used as part of the session of the session Not zeroised PSP not zeroised since it PSP not zeroised since it N/A cannot be modified due to cannot be modified due to being inaccessible in the being inaccessible in the filesystem filesystem Derivation of EC Diffie-Hellman/Diffie- EC Diffie-Hellman/Diffie- Module SSH session Hellman shared secrets are Hellman shared secrets are initiated key zeroised after use in zeroised after use in derivation of SSH session key derivation of SSH session key Table 21: SSP Zeroization Methods

9.4 SSPs

Name Description Size - Type - Generate Establishe Used Strength Category d By d By By SSH Private Host key P-256 for Private Host DRBG2 KAS1 Host Key generated, ECDSA, Key - CSP ECDSA KAS2 used for 2048 bits KeyGen authenticatio for RSA - RSA n and 128 bits KeyGen encryption in for the context ECDSA, of SSH 112 bits for RSA SSH ECDH Ephemeral KAS- ECDH DRBG2 KAS1 Private Key EC Diffie- ECC- Private Key - ECDSA Hellman SSC P- CSP KeyGen2 private key 256, Pused in SSH 384, P-

512 - 128

bits, 192 bits, 256 bits SSH DH Ephemeral 2048 bits DH Private DRBG2 KAS2 Private Key Diffie- for KAS- Key - CSP Hellman FFC-SSC private key - 112 bits used in SSH for KASFFC-SSC SSH Session SSH Session 128 bits, Session Key CKG KAS1 Key Key 192 bits, - CSP KAS2

256 bits -
128 bits,
192 bits,
256 bits
Page 43

Name Description Size - Type - Generate Establishe Used Strength Category d By d By By User Passwords 10-20 User Password used to character Password authenticate s- CSP users to the 1/(96^10) module per attempt, 9/(96^10) per minute CO Password Passwords 10-20 CO used to character Password authenticate s- CSP COs to the 1/(96^10) module per attempt, 9/(96^10) per minute HMAC_DRB A critical 256 bits - Internal state DRBG DRBG G V value value of the 256 bits of the DRBG DRBG2 DRBG internal state - CSP 2 of DRBG HMAC_DRB A critical 440 bits - Internal state DRBG DRBG G Key value value of the 440 bits of the DRBG DRBG2 DRBG internal state - CSP 2 of DRBG HMAC_DRB Entropy input 512 bits Entropy input Entropy G entropy to the - 448 bits to the Souce input HMAC_DRB HMAC_DRB G G - CSP HMAC_DRB Seed 512 bits - Seed DRBG DRBG G seed provided to 440 bits provided to DRBG2 DRBG the the 2 HMAC_DRB HMAC_DRB G G - CSP ECDH Used in EC P-256, P- Shared KAS1 Shared Diffie- 384, P- secret - CSP Secret Hellman 521 - 128 (ECDH) bits, 192 exchange bits, 256 bits DH Shared Used in 2048 bits Shared KAS2 Secret Diffie- - 112 bits secret - CSP Hellman (DH) exchange HMAC Key MAC key 128 bits MAC key - KAS1 and 256 CSP KAS2

Page 44

Name Description Size - Type - Generate Establishe Used Strength Category d By d By By bits - 128 bits and

256 bits

SSH Public Host key P-256 for Public key - DRBG2 Host Key generated, ECDSA PSP ECDSA used to and 2048 KeyGen identify the bits for RSA host. Also RSA - KeyGen paired with 128 bits the private for key for ECDSA, authenticatio 112 bits n and for RSA encryption in the context of SSH User Used to P-256, P- Public key Authenticatio authenticate 384, P- PSP n Public Keys users to the 521 for module ECDSA and 2048,

3072 and
4096 bits
256 bits

for ECDSA, 112, 192 and 256 bits for RSA CO Used to P-256, P- Public key Authenticatio authenticate 384, P- PSP n Public Keys the CO to the 521 for module ECDSA and 2048,

3072 and
4096 bits
256 bits
Page 45

Name Description Size - Type - Generate Establishe Used Strength Category d By d By By bits for RSA JuniperRootC ECDSA ECDSA Public key A prime256v1 P-256 - certificate X.509 V3 128 bits Neither Certificate Used to verify the validity of the PackagCA PackageCA ECDSA ECDSA Public key prime256v1 P-256 - certificate X.509 V3 128 bits Neither Certificate Certificate that holds the public key for the signing key used to generate all the signatures used on the packages and signature lists SSH ECDH Ephemeral KAS- Public key - DRBG2 Public Key EC Diffie- ECC- PSP ECDSA Hellman SSC P- KeyGen2 public key 256, Pused in SSH 384, P-

512 - 128

bits, 192 bits, 256 bits for KASECCSSC SSH DH Ephemeral 2048 bits Public key - DRBG2 Public Key Diffie- for KAS- PSP Hellman FFC-SSC public key - 112 bits used in SSH for KASFFC-SSC

Page 46

Name Description Size - Type - Generate Establishe Used Strength Category d By d By By Firmware Public key ECDSA Public key Integrity Key used to P-256 - Neither perform the 128 bits firmware integrity test on each boot and authenticate firmware loaded from an external source SSH ECDH Ephemeral KAS- Public key Client Public EC Diffie- ECC- PSP Key Hellman SSC Ppublic key 256, Pused in SSH 384, P(sent by the 512 - 128 client to the bits, 192 module bits, 256 acting as the bits for server) KASECCSSC SSH DH Ephemeral 2048 bits Public key Client Public Diffie- for KAS- PSP Key Hellman FFC-SSC public key - 112 bits used in SSH for KAS(sent by the FFC-SSC client to the module acting as the server) Table 22: SSP Table 1 Name Input - Storage Storage Zeroization Related Output Duration SSPs SSH Private NVRAM:Plaintext Zeroisation Host Key command SSH ECDH RAM:Plaintext Until Zeroisation Private Key session command termination Power-cycle Session termination SSH DH RAM:Plaintext Until Zeroisation Private Key session command termination Power-cycle

Page 47

Name Input - Storage Storage Zeroization Related Output Duration SSPs Session termination SSH Session RAM:Plaintext Until Zeroisation Key session command termination Power-cycle Session termination User Password Entered over NVRAM:Obfuscated Zeroisation SSH - NVRAM:Obfuscated command NVRAM Entered through the CLI via console connection NVRAM CO Password Entered over NVRAM:Obfuscated Zeroisation SSH - NVRAM:Obfuscated command NVRAM Entered through the CLI via console connection NVRAM HMAC_DRBG RAM:Plaintext Until Power-cycle V value powercycle HMAC_DRBG RAM:Plaintext Until Power-cycle Key value powercycle HMAC_DRBG RAM:Plaintext Until Power-cycle entropy input powercycle HMAC_DRBG RAM:Plaintext Until Power-cycle seed powercycle ECDH Shared RAM:Plaintext Until SSH Zeroisation Secret session key command derivation Power-cycle Derivation of SSH session key DH Shared RAM:Plaintext Until SSH Zeroisation Secret session key command derivation Power-cycle Derivation

Page 48

Name Input - Storage Storage Zeroization Related Output Duration SSPs of SSH session key HMAC Key RAM:Plaintext Until Zeroisation session command termination Power-cycle Session termination SSH Public Output during NVRAM:Plaintext Zeroisation Host Key SSH command negotiation (host key) User Entered over NVRAM:Plaintext Zeroisation Authentication SSH - command Public Keys NVRAM Entered through the CLI via console connection NVRAM CO Entered over NVRAM:Plaintext Zeroisation Authentication SSH - command Public Keys NVRAM Entered through the CLI via console connection NVRAM JuniperRootCA Loaded at NVRAM:Plaintext Not manufacture zeroised PackageCA Loaded at NVRAM:Plaintext Not manufacture zeroised SSH ECDH Output during RAM:Plaintext Until Zeroisation Public Key SSH session command negotiation termination Power-cycle (Key Session Agreement termination public key) SSH DH Public Output during RAM:Plaintext Until Zeroisation Key SSH session command negotiation termination Power-cycle (Key Session Agreement termination public key) Firmware Loaded at NVRAM:Plaintext Not Integrity Key manufacture zeroised

Page 49

Name Input - Storage Storage Zeroization Related Output Duration SSPs SSH ECDH Input during RAM:Plaintext Until Zeroisation Client Public SSH session command Key negotiation termination Power-cycle Session termination SSH DH Client Input during RAM:Plaintext Until Zeroisation Public Key SSH session command negotiation termination Power-cycle Session termination Table 23: SSP Table 2

10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Properties Test Test Type Indicator Details Test Method Firmware Using ECDSA P-256 KAT SW/FW FIPS Self-tests Verify Integrity Test with SHA2-256 Integrity Passed Table 24: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test (KAT) for the ECDSA P-256 (with SHA2-256) algorithm used in the firmware integrity test on each boot prior to executing the firmware integrity test.

10.2 Conditional Self-Tests

Algorith Test Test Test Indicator Details Condition m or Properties Method Type s Test HMAC Prediction KAT CAST NIST N/A During DRBG Resistance: 800-90 boot (A3337) Yes Supports HMAC Reseed DRBG Capabilities: Known Mode: SHA2- Answer

256 Entropy Test :

Input: 256 Passed Nonce: 128 Personalizati on String Length: 0Increment 8 Additional

Page 50

Algorith Test Test Test Indicator Details Condition m or Properties Method Type s Test Input: 8-256 Increment 8 Returned Bits: 1024 HMAC- Key Length: KAT CAST HMAC- N/A During SHA2- 256 bits SHA2- boot

256 256

(A3337) Known Answer Test : Passed AES- Key Length: KAT CAST AES-CBC Encrypt During CBC 128 bits Known boot (A3349) Answer Test : Passed AES- Key Length: KAT CAST AES-CBC Encrypt During CBC 192 bits Known boot (A3349) Answer Test : Passed AES- Key Length: KAT CAST AES-CBC Encrypt During CBC 256 bits Known boot (A3349) Answer Test : Passed AES- Key Length: KAT CAST AES-CBC Decrypt During CBC 128 bits Known boot (A3349) Answer Test : Passed AES- Key Length: KAT CAST AES-CBC Decrypt During CBC 192 bits Known boot (A3349) Answer Test : Passed AES- Key Length: KAT CAST AES-CBC Decrypt During CBC 256 bits Known boot (A3349) Answer Test : Passed HMAC Mode: SHA2- KAT CAST NIST N/A During DRBG 256, Entropy 800-90 boot (A3349) Input: 256 , HMAC Nonce: 128, DRBG Personalizati Known on String Answer

Page 51

Algorith Test Test Test Indicator Details Condition m or Properties Method Type s Test Length: 0- Test :

256 , Passed

Increment 8 , Additional Input: 8-256 Increment 8 , Returned Bits: 1024 HMAC- Key Length: KAT CAST HMAC- N/A During SHA-1 160 bits SHA-1 boot (A3349) Known Answer Test : Passed HMAC- Key Length: KAT CAST HMAC- N/A During SHA2- 256 bits SHA2- boot

256 256

(A3349) Known Answer Test : Passed HMAC- Key Length: KAT CAST HMAC- N/A During SHA2- 512 bits SHA2- boot

512 512

(A3349) Known Answer Test : Passed KAS- Domain KAT CAST KAS- N/A During ECC- Parameter ECC- boot SSC Generation EPHEMSp800- Methods: P- UNIFIED56Ar3 256 NOKC (A3349) Known Answer Test: Passed KAS- Domain KAT CAST KAS- N/A During ECC- Parameter ECC- boot SSC Generation EPHEMSp800- Methods: P- UNIFIED56Ar3 384 NOKC (A3349) Known Answer Test: Passed

Page 52

Algorith Test Test Test Indicator Details Condition m or Properties Method Type s Test KAS- Domain KAT CAST KAS- N/A During FFC- Parameter FFC- boot SSC Generation EPHEMSp800- Methods: NOKC 56Ar3 MODP-2048 Known (A3349) Answer Test: Passed KDF Cipher: AES- KAT CAST KDF- N/A During SSH 128, AES- SSH- boot (A3349) 192, AES- SHA2-

256 ; Hash 256

Algorithm: Known SHA-1, Answer SHA2-256, Test: SHA2-384, Passed SHA2-512 RSA Modulus KAT CAST RSA- Sign During SigGen 2048 bits SIGN boot (FIPS186 SHA2-256 Known -4) Answer (A3349) Test: Passed RSA Modulus KAT CAST RSA- Verify During SigVer 2048 bits VERIFY boot (FIPS186 SHA2-256 Known -4) Answer (A3349) Test: Passed ECDSA Curve: P-256 KAT CAST ECDSA- Sign During SigGen Hash SIGN boot (FIPS186 Algorithm: Known -4) SHA2-256 Answer (A3349) Test: Passed ECDSA Curve: P-256 KAT CAST ECDSA- Verify During SigVer Hash VERIFY boot (FIPS186 Algorithm: Known -4) SHA2-256 Answer (A3349) Test: Passed SHA2- SHA2-512 KAT CAST SHA-2- N/A During

512 512 boot

(A3348) Known Answer Test: Passed

Page 53

Algorith Test Test Test Indicator Details Condition m or Properties Method Type s Test Entropy NIST SP RCT CAST pass Cutoff value C = 21 During test 800-90B boot and Repetitive continually Count Test Entropy NIST SP APT CAST pass W = 512; Cutoff During test 800-90B value C = 311 boot and Adapative continually Proportion Test ECDSA Curve: P-256 PCT PCT 0 Key pair generated On key KeyGen Hash for signature generation (FIPS186 Algorithm: generation/verificati -4) SHA2-256 on in the context of (A3349) SSHv2 protocol ECDSA Curve: P-256 PCT PCT 0 Key pair generated On key KeyGen Hash for SSP agreement generation (FIPS186 Algorithm: in the context of -4) SHA2-256 SSHv2 protocol (A3349) KAS- Capabilities: PCT PCT 0 Key pair generated On key FFC- Domain for SSP agreement generation SSC Parameter: in the context of Sp800- MODP2048 SSHv2 protocol 56Ar3 (A3349) RSA Modulus: PCT PCT 0 Key pair generated On key KeyGen 2048 Hash for signature generation (FIPS186 SHA2-256 generation/verificati -4) on in the context of (A3349) SSHv2 protocol ECDSA Curve: P-256 KAT SW/F Host OS Verify On loading SigVer Hash W upgrade of firmware (FIPS186 Algorithm: Load staged. from an -4) SHA2-256 Reboot external (A3349) the source system to complete installatio n! Manual Duplicate Duplicat Manua Comman N/A On entry test entry test e entry l Entry d prompt configurati (duplicat required for test with "fips" on of e entries) entry of string operator operator provided passwords passwords post via direct completio connection to

Page 54

Algorith Test Test Test Indicator Details Condition m or Properties Method Type s Test the module's n of the console test (serial) interface Table 25: Conditional Self-Tests Cryptographic Algorithm Self-tests (CASTs) are performed on each boot of the module. Other conditional self-tests are performed by the module when the corresponding condition is met. The pairwise consistency tests are performed on key pair generation for use in signature generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC-SSC or KASFFC-SSC SSP agreement (ECDSA and FFC tests respectively). The firmware load test is performed when a firmware image is loaded onto the module from an external source.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method Firmware KAT SW/FW Integrity On Demand Manually via a Integrity Test reboot Table 26: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method HMAC DRBG KAT CAST On Demand Manually via a (A3337) reboot HMAC-SHA2- KAT CAST On Demand Manually via a

256 (A3337) reboot

AES-CBC KAT CAST On Demand Manually via a (A3349) reboot AES-CBC KAT CAST On Demand Manually via a (A3349) reboot AES-CBC KAT CAST On Demand Manually via a (A3349) reboot AES-CBC KAT CAST On Demand Manually via a (A3349) reboot AES-CBC KAT CAST On Demand Manually via a (A3349) reboot AES-CBC KAT CAST On Demand Manually via a (A3349) reboot HMAC DRBG KAT CAST On Demand Manually via a (A3349) reboot HMAC-SHA-1 KAT CAST On Demand Manually via a (A3349) reboot HMAC-SHA2- KAT CAST On Demand Manually via a

256 (A3349) reboot

Page 55

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT CAST On Demand Manually via a

512 (A3349) reboot

KAS-ECC-SSC KAT CAST On Demand Manually via a Sp800-56Ar3 reboot (A3349) KAS-ECC-SSC KAT CAST On Demand Manually via a Sp800-56Ar3 reboot (A3349) KAS-FFC-SSC KAT CAST On Demand Manually via a Sp800-56Ar3 reboot (A3349) KDF SSH KAT CAST On Demand Manually via a (A3349) reboot RSA SigGen KAT CAST On Demand Manually via a (FIPS186-4) reboot (A3349) RSA SigVer KAT CAST On Demand Manually via a (FIPS186-4) reboot (A3349) ECDSA SigGen KAT CAST On Demand Manually via a (FIPS186-4) reboot (A3349) ECDSA SigVer KAT CAST On Demand Manually via a (FIPS186-4) reboot (A3349) SHA2-512 KAT CAST On Demand Manually via a (A3348) reboot Entropy test RCT CAST On Demand Manually via a reboot Entropy test APT CAST On Demand Manually via a reboot ECDSA KeyGen PCT PCT On Demand Manually via a (FIPS186-4) reboot (A3349) ECDSA KeyGen PCT PCT On Demand Manually via a (FIPS186-4) reboot (A3349) KAS-FFC-SSC PCT PCT On Demand Manually via a Sp800-56Ar3 reboot (A3349) RSA KeyGen PCT PCT On Demand Manually via a (FIPS186-4) reboot (A3349) ECDSA SigVer KAT SW/FW Load On Demand Manually via (FIPS186-4) loading of (A3349) firmware from an external source

Page 56

Algorithm or Test Method Test Type Period Periodic Test Method Manual entry Duplicate entry Manual Entry On Demand Manually via test (duplicate test configuration of entries) operator passwords Table 27: Conditional Periodic Information The pre-operational firmware integrity test as well as all CASTs must be completed successfully prior to any other use of cryptography by the module in the Approved mode of operation. These tests can also be performed periodically by rebooting the module.

10.4 Error States

Name Description Conditions Recovery Indicator Method Hard If the pre-operation If the pre- N/A "FIPS error: selfError firmware integrity test, if operational test failure" for state any of the CASTs or pair- firmware firmware integrity wise consistency tests integrity test failure, "FIPS error fail, then the module or if any of 1: <name of the returns an error indicator, the CASTs algorithm> Known inhibits all data output fail Answer Test: and enters the hard error Failed" for CAST state failure and -1 for pair-wise consistency test failure Soft

Page 57

If the conditional self-tests fail, the module enters the soft error state, i.e., it rejects the generated keypair/loaded image, returns an error indicator and resumes normal operation.

10.5 Operator Initiation of Self-Tests

Each time the module is powered up it tests that all the cryptographic algorithms operate correctly, and that sensitive data have not been damaged. Pre-operational as well as Conditional Cryptographic Algorithm Self-tests (CAST) are performed on each power up/boot of the module and on demand by power cycling the module (Perform self-tests (remote reset) service).

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Crypto Officer must follow the procedures defined below for secure installation, initialization, startup and operation of the module. Crypto Officer Guidance The Crypto Officer must check to verify the firmware image being loaded on the module is the FIPS 140-3 validated version/image. If the image is the FIPS 140-3 validated image, then proceed with installation of the image. Installing The Firmware Image Download the validated firmware image from https://www.juniper.net/support/downloads/junos.html. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. Select the validated firmware image. Download the firmware image to a local host or to an internal software distribution site. Connect to the console port on the device from your management device and log in to the Junos OS CLI. Copy the firmware package to the device to the /var/tmp/ directory. Install the new package on the device using the following command: operator > request vmhost software add /var/tmp/<package>.tgz. NOTE: If you need to terminate the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, jinstall-host-qfx-10-f-x86-64.22.3R1-S2.3.secure-signed.tgz.This is your last chance to stop the installation. Reboot the device to complete the load and start the installation: For QFX10002-60C: operator> request vmhost reboot

Page 58

For QFX10002-36Q/QFX10002-72Q/QFX10008/QFX10016: operator> request system reboot After the reboot has completed, log in and use the show version command to verify that the new version of the firmware is successfully installed. Also install the built-in fips-mode.tgz package needed for enabling the Approved-mode and the jpfe-fips package needed for execution of the CASTs. Please note that this is a one-time installation after which the module remains in the Approved mode once enabled and automatically executes the CASTs on each boot without requiring any operator or external intervention. The following are the commands used for installing these packages: operator >request system software add optional://fips-mode.tgz operator >request system software add optional://jpfe-fips.tgz Enabling Approved Mode of Operation The Crypto Officer is responsible for initializing the module in the Approved mode of operation. The Approved mode of operation is not automatically enabled. The Crypto Officer shall place the module in the Approved mode by first zeroising it to ensure no SSPs are present. Next, the cryptographic officer shall follow the steps found in the Junos OS FIPS Evaluated Configuration Guide for QFX Series, Release 22.3R1 document Chapter 2 to place the module into an Approved mode of operation. The steps from the aforementioned document have been reiterated below. To enable the Approved mode in Junos OS on the module:

  1. Zeroise the module using the “request vmhost zeroize” command for QFX10002-60C hardware version or “request system zeroize” command for the other hardware versions. Once the module comes up in the “amnesiac mode” post zeroisation, connect to it using the console port with username “root” and enter the configuration mode. Enable the Approved mode on the device by setting the Approved level to 1, and verify the level: [edit] root# set system fips level 1 [edit] root# show system fips level level 1;
  2. Configure the root-authentication password (i.e., Crypto Officer credentials) as follows: root> edit Entering configuration mode [edit] root# set system root-authentication plain-text password New password: Retype new password:
Page 59
  1. Commit the configuration [edit ] root# commit configuration check succeeds Generating RSA key /etc/ssh/fips_ssh_host_key Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key 'system' reboot is required to transition to fips level 1 commit complete
  2. Reboot the device: [edit] root# run request system reboot Reboot the system ? [yes,no] (no) yes During the reboot, the device runs the pre-operational firmware integrity test and all CASTs. It returns a login prompt as follows: root:fips>
  3. After the reboot has completed, log in and use the show version command to verify the firmware version is the validated version: root:fips > show version Placing the Module in the Non-Approved Mode of Operation As Crypto Officer, the operator needs to disable the Approved mode of operation on the device to return it to the non-Approved mode of operation. To disable the Approved mode on the device, the module must be zeroised (step 1 defined above).
11.2 Administrator Guidance

For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for QFX, Release 22.3R1 document.

11.3 Non-Administrator Guidance

For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for QFX, Release 22.3R1 document.

11.4 Maintenance Requirements
Page 60

No other maintenance requirements apply for operation of the module in the Approved/nonApproved modes as defined above.

11.5 End of Life

The module can be securely sanitized at the end of its lifetime by zeroising it.

12 Mitigation of Other Attacks
12.1 Attack List

The module does not implement any mitigation of other attacks and thus the requirements per this section do not apply to the module.