All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Juniper Networks EX4300-48MP Ethernet Switch

Certificate#4959StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc.
High review priority  ·  no TCB surface named  ·  last validated 17 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date2/6/2027
CaveatInterim validation. When operated in Approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorJuniper Networks, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Juniper Networks EX4300-48MP Ethernet Switch
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>self-test<br/>Status output<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>library named: openssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Juniper Networks EX4300-48MP Ethernet Switch
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>self-test<br/>Status output<br/>Show status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Juniper Networks EX4300-48MP Ethernet Switch Firmware Version: Junos OS 22.4R2.8 Document Version: 1.0 Date: December 28th, 2023 Prepared by: www.acumensecurity.net Public Material

Page 2
Table of Contents
#SectionPage
Page 3

1. General Introduction Federal Information Processing Standards Publication 140-3

Page 4

This document describes the cryptographic module security policy for the Juniper Networks, Inc. Juniper Networks EX4300-48MP Ethernet Switch (Hardware version EX4300-48MP) cryptographic module (also referred to as the “module” hereafter) with firmware version Junos OS 22.4R2.8. The module has a multichip standalone embodiment. It contains specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The following table lists the level of validation for each area in FIPS 140-3: ISO/IEC 24759 FIPS 140-3 Section Title Security Level Section 6. [Number Below]

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 3
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security 1

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Table 1 - Security Levels The module claims an overall Security Level 1. Public Material

Page 5

2. Cryptographic Module Specification The version of the module are as follows: Model Hardware Firmware Version Distinguishing Features [Part Number and Version] EX4300-48MP EX4300-48MP Junos OS 22.4R2.8 Power PN: JPSU-1400-ACAFO RE PN: Built-in Routing Engine (EX430048MP RE) Table 2

Page 6

Figure 2 - EX4300-48MP (Rear Panel) Figure 3 - EX4300-48MP Schematic (Front Panel)

1 —QR code 5 — Factory Reset/Mode button

2 —Mini-USB console port 6

3 —Chassis status LEDs
4 —Port status mode LEDs

Figure 4 - EX4300-48MP Schematic (Rear Panel) Public Material

Page 7
1 —Management port 7—Empty slot for AC power supply

2 —ESD point 8—QSFP+ ports (dedicated Virtual Chassis ports)

3—Fan module 9—Console port 4—Serial number label 10—Reset button 5—CLEI code label 11—USB port 6—AC power supply in slot 0 The module claims an overall Security Level of 1 with all individual sections at a Security Level 1 with the exceptions of Roles, Services and Authentication (claimed at Security Level 3). The module does not implement any non-invasive security mitigations or mitigations of other attacks and thus the requirements per these sections are inapplicable. Figure 5

Page 8

Modes Of Operation The module supports one Approved mode of operation and a non-Approved mode of operation. The module must always be zeroised when switching between the Approved mode of operation and the non-Approved mode of operation and vice versa. Approved Mode The hardware versions contained in Table 2, with Junos OS 22.4R2.8 installed, contain one Approved mode of operation and a non-Approved mode of operation. The Junos OS 22.4R2.8 firmware image must be installed on the module. The module is configured during initialization by the Crypto Officer to operate in the Approved mode or the non-Approved mode. The Crypto Officer can place the module in the Approved mode of operation by following the instructions specified in Section 11 Life-Cyle Assurance in this document (Crypto Officer guidance). The Crypto Officer can verify that the cryptographic module is in the Approved mode by observing the console prompt and running the “show version” command. When operating in the Approved mode, the prompt will read “<operator>@<device name>:fips#” (e.g. crypto-officer@ EX4300-48MP:fips#). The “show version” command will allow the Crypto Officer to verify that the validated firmware version is running on the module. The Crypto Officer can also use the “show system fips chassis level” command (returns “level 1”) to determine if the module is operating in the Approved mode. The Approved mode is entered when the module is configured for it and successfully passes all self-tests (both pre-operational and conditional cryptographic algorithm self-tests (CASTs)). The CASTs must pass in both the routing engine (RE). Non-Approved Mode The cryptographic module supports a non-Approved mode of operation. When operated in the nonApproved mode of operation, the module supports non-Approved algorithms identified below in this section as well as the algorithms supported in the Approved mode of operation. The Crypto Officer can place the module into the non-Approved mode of operation by following the instructions in the Section

11 Life-Cyle Assurance in this document (Crypto Officer guidance).

Degraded Operation The module does not support a degraded mode of operation. Public Material

Page 9

Overall Security Rules of Operation The module design corresponds to the security rules below. The term shall in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.

  1. The module clears previous authentications on power cycle.
  2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
  3. Self-tests do not require any operator action.
  4. Data output is inhibited during SSP generation, self-test execution, zeroisation, and error states.
  5. Status information does not contain SSPs or sensitive data that if misused could lead to a compromise of the module.
  6. There are no restrictions on which SSPs are zeroised by the zeroisation service.
  7. The module does not support a maintenance interface or role.
  8. The module does not output intermediate key values.
  9. The module does not output plaintext CSPs.
  10. The Crypto officer shall verify that the firmware image to be loaded on the module is a FIPS 140-

3 validated image. If any non-validated firmware image is loaded the module will no longer be a

validated module.

  1. The Crypto Officer shall retain control of the module while zeroisation is in process.
  2. The virtual chassis feature is not supported in Approved mode and shall not be configured on the module.
  3. MACsec protocol IV generation: • The AES GCM IV construction is performed internal to the module in compliance with IEEE 802.1AEand its amendments. The IV length is 96 bits (per SP 800-38D). The module ensures the IV is constructed deterministically per Section 8.2 in SP 800-38D and the MACsec standard IEEE 802.1AE as a result of concatenating the fixed field (SCI) and invocation field (PN). • The module can take on the role of Peer or Authenticator in reference to the MACsec protocol. • The module shall only be used with other FIPS 140-3 validated modules when supporting the MACsec protocol in the role of a Peer/Authenticator for providing the remaining functionalities. • If the module loses power and then it is restored, then a new key shall be established for use with the AES GCM encryption/decryption processes. • The link between the Peer and Authenticator, used in the MACsec communication, shall be secure to prevent the possibility for an attacker to introduce foreign equipment into the local area network.
  4. The module shall not be configured to use a radius server and the radius server capability shall be disabled.
  5. No parts of the SSH and MACsec protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Public Material – May be reproduced only in its original entirety (without revision).
Page 10

Description/Key CAVP Cert1 Algorithm and Standard Mode/Method Use/Function Size/Key Strength Key sizes 128, 192, A4301 AES-CBC CBC 256 with 128 to 256 Encrypt, Decrypt bits of key strength Key sizes 128, 192, A4301 AES-CTR CTR 256 with 128 to 256 Encrypt, Decrypt bits of key strength Key sizes 128, 192, A4301 AES-ECB ECB 256 with 128 to 256 Encrypt, Decrypt bits of key strength Key sizes 128, 192, A4301 AES-GCM GCM 256 with 128 to 256 Encrypt, Decrypt bits of key strength Curve sizes P-256, ECDSA KeyGen P-384, P-521 with A4301 ECDSA KeyGen Key Generation (FIPS186-4) 128 to 256 bits of strength Curve sizes P-256, ECDSA KeyVer P-384, P-521 with A4301 ECDSA KeyVer Key Verification (FIPS186-4) 128 to 256 bits of strength Curve sizes P-256 (SHA2-256), P-384 ECDSA SigGen (SHA2-384), P-521 A4301 ECDSA SigGen Signature Generation (FIPS186-4) (SHA2-512) with

128 to 256 bits of

strength Curve sizes P-256 (SHA2-256), P-384 ECDSA SigVer (SHA2-384), P-521 A4301 ECDSA SigVer Signature Verification (FIPS186-4) (SHA2-512) with

128 to 256 bits of

strength Key size 256-bits HMAC-SHA2A4301 HMAC DRBG with 256-bits of key Random Bit Generation strength SHA-1: Key size 160 Message A4301 HMAC-SHA-1 SHA-1 bits with 160 bits of Authentication, DRBG key strength Primitive There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. Public Material

Page 11

Description/Key CAVP Cert1 Algorithm and Standard Mode/Method Use/Function Size/Key Strength SHA2-256: Key size: Message A4301 HMAC-SHA2-256 SHA2-256 256 bits with 256- Authentication, DRBG bits of key strength Primitive SHA2-512: Key size: Message A4301 HMAC-SHA2-512 SHA2-512 512 bits with 512- Authentication, DRBG bits of key strength Primitive Curve sizes P-256, KAS-ECC-SSC Ephemeral P-384, P-521 with Key Agreement Shared A4301 SP800-56Ar3 Unified 128 bits to 256 bits Secret Computation of strength Domain Parameter Generation KAS-FFC-SSC Key Agreement Shared A4301 dhEphemeral Method: MODPSP800-56Ar3 Secret Computation

2048 with 2048 bits

of strength Key sizes 128, 192, Key Derivation A4301 KDF SSH SSH 256 with 128 to 256 Function bits of key strength Moduli 2048, 3072 RSA KeyGen and 4096 bits with A4301 RSA KeyGen Key Generation (FIPS186-4) 112, 128 and 152 bits of strength Moduli 2048 (SHA2256, SHA2-512),

3072 (SHA2-256,

RSA SigGen SHA2-512) and 4096 A4301 RSA SigGen Signature Generation (FIPS186-4) (SHA2-256, SHA2512) bits with 112,

128 and 152 bits of

strength Moduli 2048 (SHA2256, SHA2-512),

3072 (SHA2-256,

RSA SigVer SHA2-512) and 4096 A4301 RSA SigVer Signature Verification (FIPS186-4) (SHA2-256, SHA2512) bits with 112,

128 and 152 bits of

strength SHA-1: Key size 160 Message Digest A4301 SHA-1 SHA-1 bits with 160 bits of Generation key strength SHA2-256: Key size Message Digest A4301 SHA2-256 SHA2-256 256 bits with 256Generation bits of key strength Public Material

Page 12

Description/Key CAVP Cert1 Algorithm and Standard Mode/Method Use/Function Size/Key Strength SHA2-384: Key size Message Digest A4301 SHA2-384 SHA2-384 384 bits with 256Generation bits of key strength SHA2-512: Key size Message Digest A4301 SHA2-512 SHA2-512 512 bits with 256Generation bits of key strength Key size 256-bits HMAC-SHA2A4303 HMAC DRBG with 256-bits of key Random Bit Generation strength SHA-1: Key size 160 Message A4303 HMAC-SHA-1 SHA-1 bits with 160 bits of Authentication, DRBG key strength primitive SHA2-256: Key size: Message A4303 HMAC-SHA2-256 SHA2-256 256 bits with 256- Authentication, DRBG bits of key strength primitive SHA-1: Key size 160 Message Digest A4303 SHA-1 SHA-1 bits with 160 bits of Generation key strength SHA2-256: Key size Message Digest A4303 SHA2-256 SHA2-256 256 bits with 256Generation bits of key strength SHA2-384: Key size Message Digest A4303 SHA2-384 SHA2-384 384 bits with 256Generation bits of key strength SHA2-512: Key size Message Digest A4303 SHA2-512 SHA2-512 512 bits with 256Generation bits of key strength Key sizes 128, 192, A4304 AES-CBC CBC 256 with 128 to 256 Encrypt, Decrypt bits of key strength Key sizes 128 and A4304 AES-CMAC CMAC 256 with 128 to 256 Generate, Verify bits of key strength Key sizes 128, 192, A4304 AES-ECB ECB 256 with 128 to 256 Encrypt, Decrypt bits of key strength Public Material

Page 13

Description/Key CAVP Cert1 Algorithm and Standard Mode/Method Use/Function Size/Key Strength Key size 128 bits A4304 AES-KW KW with 128 bits of key Encrypt, Decrypt strength Key sizes 128 and A4304 KDF SP 800-108 Counter 256 with 128 to 256 Key Derivation bits of key strength SHA-1: Key size 160 Message A4306 HMAC-SHA-1 SHA-1 bits with 160 bits of Authentication, DRBG key strength primitive SHA2-256: Key size: Message A4306 HMAC-SHA2-256 SHA2-256 256 bits with 256- Authentication, DRBG bits of key strength primitive SHA-1: Key size 160 Message Digest A4306 SHA-1 SHA-1 bits with 160 bits of Generation key strength SHA2-256: Key size Message Digest A4306 SHA2-256 SHA2-256 256 bits with 256Generation bits of key strength SHA2-512: Key size Message Digest A4306 SHA2-512 SHA2-512 512 bits with 256Generation bits of key strength Section 4: Cryptographic Key Asymmetric seed Generation generation using an unmodified output from an Approved Section 4 DRBG; Section 5.1 Section 5.1: Key Vendor CKG Section 5.2 Pairs for Digital Affirmed NIST SP 800-133r2 Signature Schemes; Section 6.2.1 Section 5.2: Key Pairs for Key Establishment; Section 6.2.1: Derivation of symmetric keys Public Material

Page 14

Description/Key CAVP Cert1 Algorithm and Standard Mode/Method Use/Function Size/Key Strength KAS-ECC-SSC Key Agreement for SP800- SP 800-56Arev3 SSHv2 56Ar3/A4301 KAS-ECC per IG KDF P-256, P-384, P-521 KAS-1 D.F Scenario 2 SSH/A4301 curves path (2) KAS-FFC-SSC Key Agreement for SP800- SP 800-56Arev3 SSHv2 56Ar3/A4301 KAS-2 KAS-FFC per IG MODP-2048 KDF D.F Scenario 2 SSH/A4301 path (2) AES- Key Transport for CBC/A4301 SSHv2 AESCTR/A4301 128, 192, and 256HMAC-SHA- SP 800-38A AES bit keys providing 1/A4301 CBC, CTR and KTS-1 128, 192, or 256 bits HMAC 198 per HMAC-SHA2- of encryption IG D.G 256/A4301 strength HMAC-SHA2512/A4301 SP 800-38D and Key Transport for SP 800-38F 128 bit keys MACsec AESKTS-2 KTS (key providing 128 bits of KW/A4304 wrapping) per encryption strength IG D.G Table 3

Page 15
Page 16

3. Cryptographic Module Interfaces Physical port Logical interface Data that passes over port/interface Ethernet Control input interface, Data input LAN, Communications/remote (Management Port) interface, Data output interface, management Status output interface Serial Control input interface, Data input Console Serial Port interface, Data output interface, Status output interface USB Control input interface, Data input USB port, load Junos Image interface Power Power interface Power connector, Power over Ethernet Alarm LEDs Status output interface Status indicator lighting Reset Button Control input interface Reset signal Table 5

Page 17

4. Roles, Services, and Authentication The module supports two roles: Crypto Officer (CO) and User. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using identity-based operator authentication. The module implements two forms of identity-based authentication, username, and password over the console and SSH connections, as well as username and an ECDSA or RSA public key-based authentication over SSH. The Crypto Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Crypto Officer has permission to view and configure passwords and public keys within the module. The User role monitors the module via the console or SSH. The User role does not have the permission to modify the configuration. Role Service Input Output Crypto Officer Configure security Commands Traffic (security relevant) (SSH configuration: set system services ssh root-login allow; MACsec configuration: set security macsec connectivity-association connectivity-associationname; set security macsec connectivity-association connectivity-associationname security-mode static-cak) Configure Commands Traffic (non-security relevant) (miscellaneous commands e.g., for IP address configuration, routing protocols, etc.) Show status Command CLI output (show) Show status (LED) N/A LED Show module’s Command CLI output versioning information (show version) Perform zeroisation Command N/A (request system zeroize) Perform approved Command SSH session security functions (set system services ssh (SSH connection) root-login allow) Perform approved Commands MACsec session security functions (set security macsec (MACsec connection) connectivity-association connectivity-associationname; Public Material

Page 18

Role Service Input Output set security macsec connectivity-association connectivity-associationname security-mode static-cak) Console access Username, password N/A (set system login user <username> class <crypto-officer/user class> operator authentication plaintextpassword) Perform self-tests Control input/reset signal N/A (remote reset) (request system reboot) Perform self-tests Control input/reset signal N/A (local reset) Load image Image, commands N/A User Show status Command CLI Output (show) Show status (LED) N/A LED Show module’s Command CLI output versioning information (show version) Perform approved Commands SSH session security functions (SSH (set system services ssh connection) root-login allow) Console access Username, password N/A (set system login user <username> class <crypto-officer/user class> operator authentication plaintextpassword) Perform self-tests Control input/reset signal N/A (remote reset) (request system reboot) Perform self-tests Control input/reset signal N/A (local reset) Table 6 – Roles, Service Commands, Input and Output Role Authentication Method Authentication Strength Crypto Officer (CO), User

  1. Username and password
  2. For Password over the console and SSH Authentication: The
  3. Username and ECDSA module enforces 10public key over SSH character passwords (at
  4. Username and RSA public minimum) chosen from key over SSH the 96 human readable ASCII characters; Public Material – May be reproduced only in its original entirety (without revision).
Page 19

Role Authentication Method Authentication Strength The maximum password length is 20-characters; Thus, the probability of a successful random attempt is 1/(96^10), which is less than 1/1,000,000 (million) The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced; Upon the third attempt, the module enforces a 5second delay; Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g., 4th failed attempt = 10second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20- second delay, 7th failed attempt = 25second delay); This leads to a maximum of 7 possible attempts in a one-minute period for each getty; The best approach for the attacker would be to disconnect after 4 failed attempts and wait for a new getty to be spawned; This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour/60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts; The probability of a success with multiple consecutive attempts in a one-minute period is Public Material

Page 20

Role Authentication Method Authentication Strength 9/(96^10), which is less than 1/100,000 2. ECDSA signature verification: SSH publickey authentication; The module supports ECDSA (P-256, P-384, and P-521), which has a minimum equivalent computational resistance to attack of either 2128,

2192 or 2256 depending on

the curve; Thus, the probability of a successful random attempt is 1/(2128), which is less than 1/1,000,000 (million) Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one-minute period is 15,000/(2128), which is less than 1/100,000 3. RSA signature verification: SSH public-key authentication; The module supports RSA (2048, 4096 bits), which has a minimum equivalent computational resistance to attack of 2112 (2048 bits); Thus, the probability of a successful random attempt is 1/ (2112), which is less than 1/1,000,000 (million) Public Material

Page 21

Role Authentication Method Authentication Strength Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one-minute period is 15,000/(2112), which is less than 1/100,000 Table 7

Page 22

Service Description Approved Keys and/or SSP’s Roles Access rights to Indicator Security Keys and/or Functions SSP’s CO Authentication (W, E) Public Keys JuniperRootCA (W, E) PackageCA (W, E) SSH ECDH Public (G, E) Key SSH DH Public Key (G, E) Configure Non- N/A N/A Crypto N/A Global (non- security Officer Approved security relevant (CO) Mode relevant) configuratio indicator n “fips” at the CLI combined with successful completion of each service Show status Query the N/A N/A Crypto N/A Global module Officer Approved status (CO), Mode User indicator “fips” at the CLI combined with successful completion of each service Show status LEDs on the N/A N/A Crypto N/A LED(s) on (LED) module Officer the chassis provide (CO), turned on physical User, status Unauth output orised Show Query the N/A N/A Crypto N/A Global module’s module’s Officer Approved Public Material

Page 23

Service Description Approved Keys and/or SSP’s Roles Access rights to Indicator Security Keys and/or Functions SSP’s versioning versioning (CO), Mode information information User indicator “fips” at the CLI combined with successful completion of each service Perform Destroy all N/A SSH Private Host Crypto (Z) Global zeroisation SSPs Key Officer Approved SSH ECDH Private (CO) Mode Key indicator SSH DH Private Key “fips” at the SSH Session Key CLI User Password combined CO Password with HMAC_DRBG Key successful Value completion HMAC_DRBG V of each value service HMAC_DRBG entropy input HMAC_DRBG seed HMAC_DRBG output MACsec PSK MACsec CAK MACsec CKN MACsec SAK MACsec KEK MACsec ICK ECDH Shared Secret DH Shared Secret HMAC Key SSH Public Host Key User Authentication Public Keys CO Authentication Public Keys JuniperRootCA PackageCA SSH ECDH Public Key SSH DH Public Key Public Material

Page 24

Service Description Approved Keys and/or SSP’s Roles Access rights to Indicator Security Keys and/or Functions SSP’s Perform Initiate SSH ECDSA (P-256, SSH Private Host Crypto (G, E) Global approved connection SHA2-256, Key Officer Approved security for SSH KeyGen, SIgVer, SSH ECDH Private (CO), Mode functions monitoring Cert. #A4301), Key User indicator (SSH and control RSA (2048 bits, SSH DH Private Key “fips” at the connection) (CLI) SHA2-256, SHA2- SSH Session Key CLI 512, KeyGen, HMAC_DRBG Key combined SIgVer, Cert. Value with #A4301), KAS- HMAC_DRBG V successful ECC-SSC (P-256, P- value completion 384, P-512, Cert. HMAC_DRBG of each #A4301), KAS-FFC- entropy input service SSC (MODP 2048, HMAC_DRBG seed Cert. #A4301), HMAC_DRBG AES (CBC, CTR output 128, 192, 256 bits, ECDH Shared Secret Cert. #A4301), DH Shared Secret KDF SSH (Cert. HMAC Key #A4301), SSH Public Host Key HMAC_DRBG User (HMAC-SHA2-256, SSH ECDH Public CAVP Certs. Key A4303, A4301), SSH DH Public Key HMAC (SHA-1, SHA2-256, SHA2512, CAVP Certs. #A4303, #A4301, #A4306; SHA2384, CAVP Certs. #A4303); SHA (SHA-1, SHA2-256, SHA2-512, CAVP Certs. #A4303, #A4301, #A4306; SHA2-384, CAVP Certs. #A4303), CKG Public Material

Page 25

Service Description Approved Keys and/or SSP’s Roles Access rights to Indicator Security Keys and/or Functions SSP’s Perform Initiate AES MACsec PSK Crypto (W, E) Global approved MACsec (GCM, CMAC, 128, MACsec CAK Officer (W, E) Approved security connection 256 bits, KW, 128 MACsec CKN (CO) (W, E) Mode functions bits, Cert. #4369), MACsec SAK, (G, R, E) indicator (MACsec SP 800-108 KDF MACsec KEK, (G, E) “fips” at the connection) (Cert. #A4304) MACsec ICK (G, E) CLI combined with successful completion of each service Console Console N/A N/A Crypto N/A Global Access monitoring Officer Approved and control (CO), Mode (CLI) User indicator “fips” at the CLI combined with successful completion of each service Perform Software All (per Table 3) SSH ECDH Private Crypto (Z) Global self-tests initiated Key, Officer Approved (remote reset, SSH DH Private Key, (CO), (Z) Mode reset) performs SSH Session Key, User (Z) indicator self-tests on HMAC_DRBG Key (G, Z, E) “fips” at the demand Value CLI HMAC_DRBG V (G, Z, E) combined value with HMAC_DRBG (G, Z, E) successful entropy input completion HMAC_DRBG seed (G, Z, E) of each (G, Z, E) service Public Material

Page 26

Service Description Approved Keys and/or SSP’s Roles Access rights to Indicator Security Keys and/or Functions SSP’s HMAC_DRBG output (Z) MACsec PSK (Z) (Z) MACsec CAK (Z) (Z) MACsec CKN (Z) (Z) MACsec SAK (Z) (Z) MACsec KEK (Z) (Z) MACsec ICK (Z) (Z) ECDH Shared Secret (Z) DH Shared Secret (G, Z, E) HMAC Key (G, E) SSH ECDH Public Key (G, E) SSH DH Public Key Perform Hardware All (per Table 3) SSH ECDH Private Crypto (Z) Global self-tests reset or Key, Officer Approved (local reset) power cycle SSH DH Private Key, (CO), (Z) Mode SSH Session Key, User, (Z) indicator HMAC_DRBG Key Unauth (G, Z, E) “fips” at the Value orised CLI HMAC_DRBG V (G, Z, E) combined value with HMAC_DRBG (G, Z, E) successful entropy input completion HMAC_DRBG seed (G, Z, E) of each HMAC_DRBG (G, Z, E) service output MACsec PSK (Z) MACsec CAK (Z) MACsec CKN (Z) MACsec SAK (Z) MACsec KEK (Z) MACsec ICK (Z) ECDH Shared Secret (Z) DH Shared Secret (Z) HMAC Key (G, Z, E) SSH ECDH Public (G, E) Key SSH DH Public Key (G, E) Load Image Verification ECDSA (P-256, N/A Crypto N/A Global and loading SHA2-256, SigVer, Officer Approved of a CAVP Cert. (CO) Mode validated #A4301) indicator firmware “fips” at the image into CLI the combined router/switc with h successful completion Public Material

Page 27

Service Description Approved Keys and/or SSP’s Roles Access rights to Indicator Security Keys and/or Functions SSP’s of each service Table 8

Page 28

Service Description Algorithms Accessed Role Indicator the CLI combined with successful completion of the service Perform Initiate SSH AES Crypto Lack of the global approved connection for SSH (CBC, CTR, 128, 192 and 256 Officer (CO), Approved Mode security monitoring and bits); User indicator "fips" at functions (SSH control (CLI) KAS-ECC-SSC the CLI combined connection) (P-256, P-384, P-521); with successful KAS-FFC-SSC completion of the (MODP 2048) service RSA (2048, 4096 bits); ECDSA (P-256); HMAC (SHA-1, SHA2-256, SHA2512); SHA (SHA-1, SHA2-256, SHA2512); SSH KDF; RSA (key size <= 2048); ECDSA (ed25519 curve); EC DH (ed25519 curve); ARCFOUR ; Blowfish; CAST; DSA (SignGen, SigVer, noncompliant); HMAC-MD5; HMAC-RIPEMD160; UMAC Perform Initiate MACsec AES Crypto Lack of the global approved connection (GCM, 128, 256 bits), Officer (CO) Approved Mode security SP 800-108 KDF AES indicator "fips" at functions (CTR 128, 256 bits), the CLI combined (MACsec HMAC with successful connection) (SHA2-256) completion of the SHA service (SHA2-256) Console Access Console monitoring N/A Crypto Lack of the global and control (CLI) Officer (CO), Approved Mode User indicator "fips" at Public Material

Page 29

Service Description Algorithms Accessed Role Indicator the CLI combined with successful completion of the service Perform self- Software initiated All (per Table

  1. Crypto Lack of the global tests (remote reset, performs self- Officer (CO), Approved Mode reset) tests on demand User indicator "fips" at the CLI combined with successful completion of the service Perform self- Hardware reset or All (per Table
  2. Crypto Lack of the global tests power cycle Officer (CO), Approved Mode (local reset) User, indicator "fips" at Unauthorised the CLI combined with successful completion of the service Load Image Verification and ECDSA Crypto Lack of the global loading of a validated (P-256, SHA2-256) Officer (CO) Approved Mode firmware image into indicator "fips" at the router/switch. the CLI combined with successful completion of the service Table 9 – Non-Approved Services The module supports self-initiated cryptographic output capability in the form of the MACsec service provided and performs two internal checks (firmware flags set) prior to activating the service. The following command can be used by the operator as the indicator to verify that the self-initiated cryptographic output capability has been activated, for e.g.: operator@device> show security macsec connections Interface name: xe-0/1/0 CA name: CA1 Cipher suite: GCM-AES-128 Encryption: on Key server offset: 0 Include SCI: no Replay protect: off Replay window: 0 Public Material – May be reproduced only in its original entirety (without revision).
Page 30

5. Software/Firmware Security The module performs the firmware integrity check using ECDSA P-256 with SHA2-256. The operator can initiate the integrity test on demand by rebooting the module. The module firmware image is delivered in the form of a pre-compiled tarball (.tgz). The module supports loading of firmware from an external source and a firmware load test using ECDSA P-256 with SHA2-256 is performed in support of the load. Public Material

Page 31

6. Operational Environment The module contains a limited operational environment. The Junos OS 22.4R2.8 operating system is contained within the module, i.e., the tested configurations listed in Table 2 of this document. Security rules and restrictions for configuration of the operational environment have been specified in Section 2 (Overall Security Rules of Operation) and Section 11 (Installing The Firmware Image and Enabling the Approved Mode of Operation) of this document. Public Material

Page 32

7. Physical Security The module’s physical embodiment is that of a multi-chip standalone meeting Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. The module enclosure is made of production grade materials. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. No actions are required by the operator to ensure that physical security is maintained. Public Material

Page 33

8. Non-invasive Security The module does not implement any non-invasive security mitigations and thus the requirements per this section do not apply to the module. Public Material

Page 34

9. Sensitive Security Parameter Management Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number SSH 128 bits ECDSA Generated Import: N/A Plaintext: Zeroisation Host Private for (P-256, internally N/A Persistent command keypairs Host Key ECDSA, SHA2- using NIST (request generated, CSP 112 bits 256, SP 800- Export: system used to for RSA KeyGen, 90Ar1 N/A zeroize) identify the Cert. HMAC_DR host #A4301), BG RSA (2048 bits, SHA2256, SHA2512, KeyGen, Cert. #A4301), HMAC_D RBG (HMACSHA2256, Cert. #A4301) HMAC (SHA2256, Cert. #A4301) SHA (SHA2256, SHA2512, Cert. #A4301), CKG SSH ECDH 128 bits, KAS-ECC- Generated Import: N/A Plaintext: Zeroisation Ephemeral Private 192 bits, SSC internally N/A RAM command EC DiffieKey 256 bits (P-256, using NIST (request Hellman CSP P-384, SP 800- Export: system private key P-512, 90Ar1 N/A zeroize), used in SSH Cert. HMAC_DR power-cycle #A4301), BG HMAC_D RBG Public Material

Page 35

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number (HMACSHA2256, Cert. #A4301) HMAC (SHA2256, Cert. #A4301) SHA (SHA2256, SHA2512, Cert. #A4301), CKG SSH DH 112 bits KAS-FFC- Generated Import: N/A Plaintext: Zeroisation Ephemeral Private SSC internally N/A RAM command DiffieKey (MODP using NIST (request Hellman CSP 2048, SP 800- Export: system private key Cert. 90Ar1 N/A zeroize), used in SSH #A4301), HMAC_DR power-cycle HMAC_D BG RBG (HMACSHA2256, Cert. #A4301) HMAC (SHA2256, Cert. #A4301) SHA (SHA2256, SHA2512, Cert. #A4301), CKG Public Material

Page 36

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number SSH 128 bits, AES N/A Import: Key Plaintext: Zeroisation SSH Session Session 192 bits, (CBC, N/A Agreement RAM command keys Key 256 bits CTR 128, Scheme (request CSP 192, 256 Export: (KAS), system bits, N/A Derived zeroize), Cert. using KDF power-cycle, #A4301), SSH session KAS-ECC- termination SSC (P-256, P-384, P-512, Cert. #A4301), KAS-FFCSSC (MODP 2048, Cert. #A4301), KDF SSH (Cert. #A4301), HMAC_D RBG (HMACSHA2256, Cert. #A4301), HMAC (SHA-1, SHA2256, SHA2512, Cert. #A4301), SHA (SHA-1, SHA2256, SHA2512, Cert. #A4301), CKG Public Material

Page 37

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number User 256 bits, SHA Password Import: N/A Non- Zeroisation Used to Password 512 bits (SHA2- hash Manual Plaintext: command authenticate CSP 256, generated entry Persistent (request users to the Cert. internally via CLI, (Password system module #A4306, (Password manual Hash) zeroize) SHA2- is SSP and explicit 512, configured entry delete Cert. by the test command #A4306) Crypto perfor Officer) med Export: N/A CO 256 bits, SHA Password Import: N/A Non- Zeroisation Used to Password 512 bits (SHA2- hash Manual plaintext: command authenticate CSP 256, generated entry Persistent (request COs to the Cert. internally via CLI, (Password system module #A4306, (Password manual Hash) zeroize) SHA2- is SSP and explicit 512, configured entry delete Cert. by the test command #A4306) Crypto perfor Officer) med Export: N/A HMAC_DR 256 bits HMAC_D Generated Import: N/A Plaintext: Power cycle A critical BG V value RBG internally N/A RAM value of the CSP (HMAC- using NIST internal SHA2- SP 800- Export: state of 256), 90Ar1 N/A DRBG HMAC HMAC_DR (SHA2- BG 256), SHA (SHA2256, CAVP Certs. A4303, A4301) Public Material

Page 38

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number HMAC_DR 256 bits HMAC_D Generated Import: N/A Plaintext: Power cycle A critical BG Key RBG internally N/A RAM value of the value (HMAC- using NIST internal CSP SHA2- SP 800- Export: state of 256), 90Ar1 N/A DRBG HMAC HMAC_DR (SHA2- BG 256), SHA (SHA2256, CAVP Certs. A4303, A4301) HMAC_DR 256 bits HMAC_D NIST SP Import: N/A Plaintext: Power cycle Entropy BG RBG 800-90B N/A RAM input to the entropy (HMAC- ENT (NP) HMAC_DRB input SHA2- entropy Export: G CSP 256), source N/A HMAC (SHA2256), SHA (SHA2256, CAVP Certs. A4303, A4301) HMAC_DR 256 bits HMAC_D NIST SP Import: N/A Plaintext: Power cycle Seed BG seed RBG 800-90B N/A RAM provided to CSP (HMAC- ENT (NP) the SHA2- entropy Export: HMAC_DRB 256), source N/A G HMAC (SHA2256), SHA (SHA2256, CAVP Certs. A4303, A4301) Public Material

Page 39

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number HMAC_DR 256 bits HMAC_D Generated Import: N/A Plaintext: Power cycle Unmodified BG output RBG internally N/A RAM output of CSP (HMAC- using NIST the SHA2- SP 800- Export: HMAC_DRB 256), 90Ar1 N/A G used in HMAC HMAC_DR SSP (SHA2- BG generation 256), SHA (SHA2256, CAVP Certs. A4303, A4301) MACsec 128 bits, AES N/A Import: N/A Plaintext: Zeroisation Credential PSK 256 bits (GCM, Configu RAM command used for CSP 128, 256 red by (request device-tobits, the system device Cert. Crypto zeroize), authenticati #A4304) Officer power-cycle, on, consists in session of the CAK plainte termination and CKN xt via console port or encrypt ed via SSH connec tion Export: MACse c connec tion establis hment MACsec 128 bits, AES N/A Import: N/A Plaintext: Zeroisation A secret key CAK 256 bits (GCM, Pre- RAM command possessed CSP 128, 256 Shared (request by members bits, Key system of a MACsec Cert. entere zeroize), connectivity #A4304) d by power-cycle, association the session termination Public Material

Page 40

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number Crypto entered as a Officer pre-shared key Export: N/A MACsec 128 bits, AES N/A Import: N/A Plaintext: Zeroisation Connectivity CKN 256 bits (GCM, Pre- RAM command Key Name: 128, 256 Shared (request Identifies bits, Key system the CAK Cert. entere zeroize), Entered as a #A4304) d by power-cycle, pre-shared the session key Crypto termination Officer Export: N/A MACsec 128 bits, AES Derived Import: N/A Plaintext: Zeroisation Security SAK 256 bits (GCM, from the N/A RAM command Association CSP 128, 256 CAK using (request Key used for bits, SP 800-108 system creating Cert. KDF Export: zeroize), Security #A4304) Encrypt power-cycle, Associations SP 800- ed with session for

108 KDF the KEK termination encryption/

(Cert. decryption #A4304) of MACsec traffic MACsec 128 bits, AES Derived Import: N/A Plaintext: Zeroisation Used to KEK 256 bits (GCM, from the N/A RAM command transmit CSP 128, 256 CAK using (request SAKs to bits, SP 800-108 system other Cert. KDF Export: zeroize), members of #4304) N/A power-cycle, a MACsec SP 800- session connectivity

108 KDF termination association

(Cert. #A4304) Public Material

Page 41

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number MACsec 128 bits, AES Derived Import: N/A Plaintext: Zeroisation Used to ICK 256 bits (GCM, from the N/A RAM command verify the CSP 128, 256 CAK using (request integrity and bits, SP 800-108 Export: system authenticity Cert. KDF N/A zeroize), of MACsec #A4304) power-cycle, protocol SP 800- session data units

108 KDF termination

(Cert. #A4304) ECDH 128 bits, KAS-ECC- N/A Import: KAS-ECC- Plaintext: Zeroisation Used in EC Shared 192 bits, SSC N/A SSC RAM command DiffieSecret 256 bits (P-256, Ephemeral (request Hellman CSP P-384, Export: Unified system (ECDH) P-521, N/A scheme zeroize), exchange Cert. power-cycle, #A4301) session termination DH Shared 112 bits KAS-FFC- N/A Import: KAS-FCC- Plaintext: Zeroisation Used in Secret SSC N/A SSC RAM command DiffieCSP (MODP dhEpheme (request Hellman 2048, Export: ral scheme system (DH) Cert. N/A zeroize), exchange #A4301) power-cycle, session termination HMAC Key 160 bits, HMAC_D Generated Import: N/A Plaintext: Zeroisation HMAC Key CSP 256 bits, RBG internally N/A RAM command

384 bits, (HMAC- using NIST (request

512 bits SHA2- SP 800- system

256, 90Ar1 Export: zeroize), CAVP HMAC_DR N/A power-cycle Certs. BG A4303, A4301), HMAC (SHA-1, SHA2256, SHA2512, CAVP Certs. #A4303, Public Material

Page 42

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number #A4301, #A4306; SHA2384, CAVP Certs. #A4303); SHA (SHA-1, SHA2256, SHA2512, CAVP Certs. #A4303, #A4301, #A4306; SHA2384, CAVP Certs. #A4303) SSH Public 128 bits ECDSA Generated Import: N/A Plaintext: Zeroisation Host Host Key for (P-256, internally N/A Persistent command keypairs PSP ECDSA, SHA2- using NIST (request generated,

112 bits 256, SP 800- Export: system used to

for RSA KeyGen, 90Ar1 N/A zeroize) identify the Cert. HMAC_DR host #A4301), BG RSA (2048 bits, SHA2256, SHA2512, KeyGen, Cert. #A4301), HMAC_D RBG (HMACSHA2256, Public Material

Page 43

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number Cert. #A4301) HMAC (SHA2256, Cert. #A4301) SHA (SHA2256, SHA2512, Cert. #A4301), CKG User 128 bits, ECDSA N/A Import: N/A Plaintext: Zeroisation Used to Authentica 192 bits, SigVer Entere Persistent command authenticate tion Public 256 bits (P-256, d by (request users to the Keys for P-384, P- the system module PSP ECDSA, 521, Crypto zeroize)

112 bits, Cert. Officer
152 bits #A4301);

for RSA RSA Export: SigVer N/A (2048, 4096 bits, Cert. #A4301) CO 128 bits, ECDSA N/A Import: NA Plaintext: Zeroisation Used to Authentica 192 bits, SigVer Entere Persistent command authenticate tion Public 256 bits (P-256, d by (request the CO to Keys for P-384, P- the system the module PSP ECDSA, 521, Crypto zeroize)

112 bits, Cert. Officer
152 bits #A4301);

for RSA RSA Export: SigVer N/A (2048, 4096 bits, Cert. #A4301) Public Material

Page 44

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number JuniperRo 128 bits ECDSA N/A Import: N/A Plaintext: Zeroisation ECDSA otCA (P-256, Loaded Persistent command prime256v1 PSP Cert. at (request X.509 V3 #A4301) manufa system Certificate cture zeroize) time Used to verify the Export: validity of N/A the PackagCA PackageCA 128 bits ECDSA N/A Import: N/A Plaintext: Zeroisation ECDSA PSP (P-256, Loaded Persistent command prime256v1 Cert. at (request X.509 V3 #A4301) manufa system Certificate cture zeroize) time Certificate that holds Export: the public N/A key for the signing key used to generate all the signatures used on the packages and signature lists SSH ECDH 128 bits, KAS-ECC- Generated Import: N/A Plaintext: Zeroisation Ephemeral Public Key 192 bits, SSC internally N/A RAM command EC DiffiePSP 256 bits (P-256, using NIST (request Hellman P-384, SP 800- Export: system public key P-512, 90Ar1 N/A zeroize), used in SSH Cert. HMAC_DR power-cycle #A4301), BG HMAC_D RBG (HMACSHA2256, Cert. #A4301) HMAC (SHA2256, Cert. #A4301) Public Material

Page 45

Key/SSP Strength Security Gener- Import Establish- Storage Zero- Use & Name/ Function ation /Export ment isation related keys Type and Cert. Number SHA (SHA2256, SHA2512, Cert. #A4301), CKG SSH DH 112 bits KAS-FFC- Generated Import: N/A Plaintext: Zeroisation Ephemeral Public Key SSC internally N/A RAM command DiffiePSP (MODP using NIST (request Hellman 2048, SP 800- Export: system public key Cert. 90Ar1 N/A zeroize), used in SSH #A4301), HMAC_DR power-cycle HMAC_D BG RBG (HMACSHA2256, Cert. #A4301) HMAC (SHA2256, Cert. #A4301) SHA (SHA2256, SHA2512, Cert. #A4301), CKG Table 10

Page 46

Entropy sources Minimum number of bits of Details entropy SP 800-90B ENT (NP) The module generates a minimum Entropy input for seeding the ESV Cert. #E104 of 448 bits of overall entropy per approved NIST SP 800-90Ar1 512-bit output sample, 0.875 bits DRBGs of entropy per bit for SSP generation Table 11

Page 47

10. Self-tests The module performs the following self-tests:

Page 48
Page 49

Conditional Self-Tests are performed by the module when the corresponding condition is met. The pairwise consistency tests are performed on key pair generation for use in signature generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC SSP agreement (ECDSA tests). The firmware load test is performed when a firmware image is loaded onto the module from an external source. If the conditional self-tests fail, the module enters the soft error state, i.e., it rejects the generated keypair/loaded image, returns an error indicator and resumes normal operation. The error indicator is the return code -1 in case of a pairwise consistency test failure and “ERROR: Failed signature check” for the firmware load test failure. Public Material

Page 50

11. Life-cycle Assurance The Crypto Officer must follow the procedures defined below for secure installation, initialization, startup and operation of the module. Crypto Officer Guidance The Crypto Officer must check to verify the firmware image being loaded on the module is the FIPS 140-3 validated version/image. If the image is the FIPS 140-3 validated image, then proceed with installation of the image. Installing The Firmware Image Download the validated firmware image from https://www.juniper.net/support/downloads/junos.html. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. Select the validated firmware image. Download the firmware image to a local host or to an internal software distribution site. Connect to the console port on the device from your management device and log in to the Junos OS CLI. Copy the firmware package to the device to the /var/tmp/ directory. Install the new package on the device using the following command: operator@device> request system software add /var/tmp/<package>.tgz. NOTE: If you need to terminate the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, junos-install-ex-4300mp-x86-64-22.4R2.8.tgz. This is your last chance to stop the installation. Reboot the device to complete the load and start the installation: operator@device> request system reboot After the reboot has completed, log in and use the show version command to verify that the new version of the firmware is successfully installed. Public Material

Page 51

Enabling Approved Mode of Operation The Crypto Officer is responsible for initializing the module in the Approved mode of operation. The Approved mode of operation is not automatically enabled. The Crypto Officer shall place the module in the Approved mode by first zeroising it to ensure no SSPs are present. Next, the cryptographic officer shall follow the steps found in the Junos OS FIPS Evaluated Configuration Guide for Juniper Networks EX4300-48MP Ethernet Switch, Release 22.4R2.8 document Chapters 3 & 7 to place the module into an Approved mode of operation. The steps from the before mentioned document have been reiterated below. To enable the Approved mode in Junos OS on the module:

  1. Zeroise the module using the “request system zeroize” command. Once the module comes up in the “amnesiac mode” post zeroisation, connect to it using the console port with username “root”, enter the configuration mode and configure the root-authentication password (i.e., Crypto Officer credentials) as follows: root@device> edit Entering configuration mode [edit] root@device# set system root-authentication plain-text-password New password: Retype new password: [edit] root@device# commit configuration check succeeds commit complete
  2. Enable Approved mode on the device by setting the Approved level to 1, and verify the level: [edit] root@device# set system fips chassis level 1 Public Material – May be reproduced only in its original entirety (without revision).
Page 52

[edit] root@device# show system fips chassis level level 1;

  1. Commit the configuration [edit ] root@device# commit configuration check succeeds Generating RSA key /etc/ssh/fips_ssh_host_key Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key 'system' reboot is required to transition to fips level 1 commit complete
  2. Reboot the device: [edit] root@device# run request system reboot Reboot the system ? [yes,no] (no) yes During the reboot, the device runs the pre-operational firmware integrity test and all CASTs. It returns a login prompt.
  3. After the reboot has completed, log in and use the show version command to verify the firmware version is the validated version: root@device:fips > show version The tester verified that the prompt contained "fips" indicating it was in the approved mode of operation. No further configuration is required. Public Material – May be reproduced only in its original entirety (without revision).
Page 53

Placing the Module in the Non-Approved Mode of Operation As Crypto Officer, the operator needs to disable the Approved mode of operation on the device to return it to the non-Approved mode of operation. To disable the Approved mode on the device, the module must be zeroised (step 1 defined above). No other maintenance requirements apply for operation of the module in the Approved/non-Approved modes as defined above. For further information and for the Administrator and non-Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for Juniper Networks EX4300-48MP Ethernet Switch, Release 22.4R2.8 document. Public Material

Page 54

12. Mitigation of Other Attacks The module does not implement any mitigation of other attacks and thus the requirements per this section do not apply to the module. Public Material