All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Juniper Networks PTX10008 and PTX10016 Packet Transport Routers

Certificate#4961StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc.
High review priority  ·  exposes debug/recovery interface  ·  last validated 17 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date2/6/2027
CaveatInterim validation. When operated in Approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorJuniper Networks, Inc.

Approved Algorithms (25)

AlgorithmACVP Cert
AES-CBCA4301
AES-CMACA4304
AES-CTRA4301
AES-ECBA4301
AES-GCM
AES-KWA4304
AES-XPN
ECDSA KeyGen (FIPS186-4)A4301
ECDSA KeyVer (FIPS186-4)A4301
ECDSA SigGen (FIPS186-4)A4301
ECDSA SigVer (FIPS186-4)A4301
HMAC DRBGA4301
HMAC-SHA-1A4301
HMAC-SHA2-256A4301
HMAC-SHA2-512A4301
KAS-ECC-SSC Sp800-56Ar3A4301
KAS-FFC-SSC Sp800-56Ar3A4301
KDF SP800-108A4304
KDF SSH (CVL)A4301
RSA KeyGen (FIPS186-4)A4301
RSA SigGen (FIPS186-4)A4301
RSA SigVer (FIPS186-4)A4301
SHA-1A4301
SHA2-256A4301
SHA2-512A4301

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Non-Invasive Security8
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Juniper Networks PTX10008 and PTX10016 Packet Transport Routers
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Soft Error state</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial<br/>USB</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C4,C5,C6 clue;
  class I2,I3,I4,I5,I6 infer;
  class R2,R3,R4,R5,R6 risk;
  class E2,E3,E4,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Juniper Networks PTX10008 and PTX10016 Packet Transport Routers
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Soft Error state</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial<br/>USB</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C4 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Juniper Networks, Inc. Juniper Networks PTX10008 and PTX10016 Packet Transport Routers Document Version 1.0

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels5
1.3Additional Information6
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification11
2.3Excluded Components12
2.4Modes of Operation12
2.5Algorithms13
2.6Security Function Implementations16
2.7Algorithm Specific Information20
2.8RBG and Entropy20
2.9Key Generation21
2.10Key Establishment21
2.11Industry Protocols21
2.12Additional Information21
3Cryptographic Module Interfaces22
3.1Ports and Interfaces22
4Roles, Services, and Authentication23
4.1Authentication Methods23
4.2Roles25
4.3Approved Services26
4.4Non-Approved Services41
4.5External Software/Firmware Loaded43
4.6Cryptographic Output Actions and Status43
5Software/Firmware Security43
5.1Integrity Techniques43
5.2Initiate on Demand44
5.3Additional Information44
6Operational Environment44
6.1Operational Environment Type and Requirements44
6.2Configuration Settings and Restrictions44
7Physical Security44
7.1Mechanisms and Actions Required44
8Non-Invasive Security45
8.1Mitigation Techniques45
9Sensitive Security Parameters Management45
9.1Storage Areas45
9.2SSP Input-Output Methods45
9.3SSP Zeroization Methods46
9.4SSPs46
10Self-Tests54
10.1Pre-Operational Self-Tests54
10.2Conditional Self-Tests55
10.3Periodic Self-Test Information60
10.4Error States63
10.5Operator Initiation of Self-Tests64
11Life-Cycle Assurance64
11.1Installation, Initialization, and Startup Procedures64
11.2Administrator Guidance66
11.3Non-Administrator Guidance66
11.4Maintenance Requirements66
11.5End of Life66
12Mitigation of Other Attacks67
12.1Attack List67
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Hardware12
Table 3: Modes List and Description12
Table 4: Approved Algorithms15
Table 5: Vendor-Affirmed Algorithms15
Table 6: Non-Approved, Allowed Algorithms16
Table 7: Non-Approved, Allowed Algorithms with No Security Claimed16
Table 8: Non-Approved, Not Allowed Algorithms16
Table 9: Security Function Implementations20
Table 10: Entropy Certificates20
Table 11: Entropy Sources20
Table 12: Ports and Interfaces23
Table 13: Authentication Methods25
Table 14: Roles26
Table 15: Approved Services41
Table 16: Non-Approved Services43
Table 17: Mechanisms and Actions Required44
Table 18: Storage Areas45
Table 19: SSP Input-Output Methods45
Table 20: SSP Zeroization Methods46
Table 21: SSP Table 151
Table 22: SSP Table 254
Table 23: Pre-Operational Self-Tests54
Table 24: Conditional Self-Tests60
Table 25: Pre-Operational Periodic Information60
Table 26: Conditional Periodic Information63
Table 27: Error States63
Figure 1: Physical Cryptographic Boundary [Left to Right: PTX10008 and PTX10016]7
Figure 2: Routing Engine [JNP10K-RE0]7
Figure 3: PTX10K-LC1105-M MACSec Line Card8
Figure 4: PTX10008 Chassis Rear8
Figure 5: PTX10016 Chassis Rear9
Figure 6: PTX10008 Block diagram10
Figure 7: PTX10016 Block diagram11
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication3
55Software/Firmware security1
66Operational environment1
77Physical security1
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1
1.1 Overview

Introduction Federal Information Processing Standards Publication 140-3

1.2 Security Levels
Page 6
1.3 Additional Information

The module claims an overall Security Level of 1 with all individual sections at a Security Level

1 with the exceptions of Roles, Services and Authentication (claimed at Security Level 3). The

module does not implement any non-invasive security mitigations or mitigations of other attacks and thus the requirements per these sections are inapplicable.

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The cryptographic module provides for an encrypted connection, using SSH, between the management station and itself, i.e., the PTX series routers. The cryptographic module also provides for an encrypted connection, using MACsec, between itself and a peer. Module Type: Hardware Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic module’s operational environment is a limited operational environment. The cryptographic boundary of the hardware module is the entirety of the module/chassis. This includes the Routing Engine (RE). No components have been excluded from the cryptographic boundary of the module. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the entirety of the module chassis. The images below depict the physical boundary of the modules, including the Routing Engine, the PTX10KLC1105-M MACsec Line Card and SIB. The non-crypto-relevant line cards included in the figure are not inserted in the module/excluded from the boundary per the scope of this validation. Document Version 1.0

Page 7

Figure 1: Physical Cryptographic Boundary [Left to Right: PTX10008 and PTX10016] Figure 2: Routing Engine [JNP10K-RE0] 1- RCB status LEDs 3- PTP-capable connections: SMB In, SMB Out, 10 MHz In, 10 MHz Out 5- USB 2.0 port 7- Reset (RESET) button 2- Console port (CON) 4- Management port (MGMT) 6- Secondary 50-GB SATA SSD slot 8- Four SFP+ ports (reserved for future use) Document Version 1.0

Page 8

Figure 3: PTX10K-LC1105-M MACSec Line Card 1- Power LED (PWR), status LED (STS), and offline (OFF) button 2- Network ports. Figure 4: PTX10008 Chassis Rear 1- AC or DC power supplies numbered 0–5 (top to bottom) 2- Fan trays with redundant fans Document Version 1.0

Page 9

Figure 5: PTX10016 Chassis Rear 1- Power supplies 2- Fan trays 3- ESD point 4- Protective earthing terminal Document Version 1.0

Page 10

Figure 6: PTX10008 Block diagram Document Version 1.0

Page 11
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeatures
PTX10008PTX10008PTX10008Junos OS 22.4R2.8Intel Xeon E3- 1125v2JNP10K-PWR-AC; JNP10K- PWR-DC; JNP10K-PWRAC2; JNP10K-PWR-DC2
PTX10016PTX10016PTX10016Junos OS 22.4R2.8Intel Xeon E3- 1125v2JNP10K-PWR-AC; JNP10K- PWR-DC; JNP10K-PWRAC2; JNP10K-PWR-DC2

Figure 7: PTX10016 Block diagram The PTX10K-LC1105-M has thirty 28-Gbps QSFP+ (QSFP28) ports that are Media Access Control Security (MACsec) capable, each of which can be configured via the CLI to support speeds of 100 Gbps or 40 Gbps. Each of the 30 QSFP28 ports can operate as:

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 12
Service
NameDescriptionRole AccessType
Non- Approved mode• The cryptographic module supports a non- Approved mode of operation; • When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operationglobal indicator (implicit indicator based on exclusion of string 'fips' from the command prompt)Non- Approved

Table 2: Tested Module Identification

2.3 Excluded Components

No components have been excluded from the cryptographic boundary of the module. Modes List and Description: NonApproved NonApproved Table 3: Modes List and Description The hardware versions contained in Table 2, with Junos OS 22.4R2.8 installed, contain one Document Version 1.0

Page 13
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA4301Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA4304Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CMACA4304Direction - Generation, Verification Key Length - 128, 256SP 800-38B
AES-CTRA4301Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4301Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4304Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMAES 4369Direction - Decrypt, Encrypt IV Generation - External Key Length - 128, 256SP 800-38D
AES-KWA4304Direction - Decrypt, Encrypt Key Length - 128SP 800-38F
AES-XPNAES 4369Direction - Decrypt, Encrypt Key Length - 128, 256 IV Generation - ExternalSP 800-38D
ECDSA KeyGen (FIPS186-4)A4301Curve - P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A4301Curve - P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A4301Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A4301Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
HMAC DRBGA4301Prediction Resistance - Yes Mode - SHA2-256SP 800-90A Rev. 1
HMAC DRBGA4303Prediction Resistance - Yes Mode - SHA2-256SP 800-90A Rev. 1
HMAC-SHA-1A4301Key Length - Key Length: 160FIPS 198-1
HMAC-SHA2-256A4301Key Length - Key Length: 256FIPS 198-1
HMAC-SHA2-256A4303Key Length - Key Length: 256FIPS 198-1
HMAC-SHA2-512A4301Key Length - Key Length: 512FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A4301Domain Parameter Generation Methods - P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A4301Domain Parameter Generation Methods - FC, MODP-2048 Scheme - dhEphem - KAS Role - initiatorSP 800-56A Rev. 3
KDF SP800-108A4304KDF Mode - Counter Supported Lengths - Supported Lengths: 128, 256SP 800-108 Rev. 1
KDF SSH (CVL)A4301Cipher - AES-128, AES-192, AES-256, TDES Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512SP 800-135 Rev. 1
RSA KeyGen (FIPS186-4)A4301Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A4301Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-4)A4301Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096FIPS 186-4
Safe Primes Key GenerationA4301Safe Prime Groups - MODP-2048SP 800-56A Rev. 3
Safe Primes Key VerificationA4301Safe Prime Groups - MODP-2048SP 800-56A Rev. 3
SHA-1A4301Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-256A4301Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-256A4303Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-512A4301Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-512A4303Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4
SHA2-512A4306Message Length - Message Length: 0- 65536 Increment 8FIPS 180-4

firmware image must be installed on the module. The module is configured during initialization by the Crypto Officer to operate in the Approved mode or the non-Approved mode. When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operation. The module is in a non-compliant state by default and the Crypto Officer can place the module into the nonApproved mode of operation by following the instructions in Section 11 Life-Cyle Assurance in this document. Mode Change Instructions and Status: The module must always be zeroised when switching between the Approved mode of operation and the non-Approved mode of operation and vice versa. Degraded Mode Description: The module does not support a degraded mode of operation.

2.5 Algorithms

Approved Algorithms: Document Version 1.0

Page 15
Service
NameProperties
CKG - Section 4 and 5.1Key Type:AsymmetricN/ANIST SP800-133r2 Section 4: Asymmetric seed generation using an unmodified output from an Approved DRBG; Section 5.1: Key Pairs for Digital Signature Schemes
CKG - Section 4 and 5.2Key Type:AsymmetricN/ANIST SP800-133r2 Section 4: Asymmetric seed generation using an unmodified output from an Approved DRBG; Section 5.2: Key Pairs for Key Establishment
CKG - Section 6.2.1Key Type:SymmetricN/ANIST SP800-133r2 Section 6.2.1: Derivation of symmetric keys

Table 4: Approved Algorithms The following protocols are supported by the module in the Approved mode: SSHv2 (EC Diffie-Hellman P-256, P-384, P-521; Diffie-Hellman MODP2048; RSA 2048, 3072,

4096 bits; ECDSA P-256, P-384, P-521; AES CBC 128, 192, 256 bits; AES CTR 128, 192, 256

bits, HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) MACsec (MACsec Key Agreement (MKA); AES GCM, XPN 128 and 256 bits) The SSH protocol allows independent selection of key exchange, authentication, cipher and integrity algorithms. Please note that there are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in the table above are used by an approved service of the module. Vendor-Affirmed Algorithms: 6.2.1 N/A N/A N/A Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: Document Version 1.0

Page 16
Service
NameApproved FunctionsPropertiesReference
N/AN/AN/A
SHA2-256 (Junos 22.4R2 - LibMD Implementation)Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to “obfuscate” a CSPno security claimed
SHA-1 (Junos 22.4R2 - Kernel Implementation)Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevantno security claimed
RSA with key size less than 2048SSH
ECDSA with ed25519 curveSSH
EC Diffie-Hellman with ed25519 curveSSH
ARCFOURSSH
BlowfishSSH
CASTSSH
DSA (SignGen, SigVer, non-compliant)SSH
HMAC-MD5SSH
HMAC-RIPEMD160SSH
UMACSSH
Service
NameApproved FunctionsPropertiesReference
N/AN/AN/A
SHA2-256 (Junos 22.4R2 - LibMD Implementation)Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to “obfuscate” a CSPno security claimed
SHA-1 (Junos 22.4R2 - Kernel Implementation)Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevantno security claimed
RSA with key size less than 2048SSH
ECDSA with ed25519 curveSSH
EC Diffie-Hellman with ed25519 curveSSH
ARCFOURSSH
BlowfishSSH
CASTSSH
DSA (SignGen, SigVer, non-compliant)SSH
HMAC-MD5SSH
HMAC-RIPEMD160SSH
UMACSSH
Service
NameApproved FunctionsPropertiesReference
N/AN/AN/A
SHA2-256 (Junos 22.4R2 - LibMD Implementation)Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to “obfuscate” a CSPno security claimed
SHA-1 (Junos 22.4R2 - Kernel Implementation)Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevantno security claimed
RSA with key size less than 2048SSH
ECDSA with ed25519 curveSSH
EC Diffie-Hellman with ed25519 curveSSH
ARCFOURSSH
BlowfishSSH
CASTSSH
DSA (SignGen, SigVer, non-compliant)SSH
HMAC-MD5SSH
HMAC-RIPEMD160SSH
UMACSSH

N/A N/A N/A Table 6: Non-Approved, Allowed Algorithms The module does not support any non-Approved algorithms in the Approved mode, i.e., it does not support Non-Approved Algorithms Allowed in the Approved Mode of Operation. The module does not support any non-Approved algorithms in the Approved mode, i.e., it does Table 8: Non-Approved, Not Allowed Algorithms In addition to the above non-Approved Algorithms Not Allowed in the Approved Mode of Operation, all Approved algorithms supported in the Approved mode of operation are also Document Version 1.0

Page 17
Service
NameDescriptionApproved FunctionsTypeProperties
KAS1Key Agreement for SSHv2KAS-ECC- SSC Sp800- 56Ar3 KDF SSHKAS-135KDF KAS-SSCSP 800- 56Arev3 KAS-ECC per IG D.F Scenario 2 path (2):size: P-256, P-384, P-521 curves; encryption strength:128, 192, 256 bits; strength caveat: SSP establishment methodology provides between 128 and 256 bits of encryption strength
KAS2Key Agreement for SSHv2KAS-FFC- SSC Sp800- 56Ar3 KDF SSH Safe Primes Key Generation Safe Primes Key VerificationAsymKeyPair- KeyGen AsymKeyPair- KeyVer KAS-135KDF KAS-SSCSP800- 56Arev3 KAS-FFC per IG D.F Scenario 2 path (2):size: MODP 2048; encryption strength: SSP establishment methodology provides 112 bits of encryption strength
KTS1Key Transport for SSHv2AES-CBC AES-CTR AES-ECB HMAC- SHA-1 HMAC- SHA2-256 HMAC- SHA2-512 SHA-1 SHA2-256 SHA2-512KTS-WrapSP800-38A AES CBC, CTR and HMAC 198 per IG D.G:size: 128, 192, and 256-bit keys; SSP establishment methodology provides between 128 and 256 bits
ECDSA SigVerECDSA Signature Verification used for firmware integrityECDSA SigVer (FIPS186-4)DigSig-SigVerFIPS 186-4 :size: P-256, encryption strength: 128 bits
ECDSA SigVer2ECDSA Signature Verification used for identity-based public key authenticationECDSA SigVer (FIPS186-4)DigSig-SigVerFIPS 186- 4:size: P-256, P-384, P-521 curves, 128, 192 and 256 bits
DRBGKernel DRBG providing random bits to the DRBG2 for SSP generation in the user/application spaceHMAC DRBG HMAC- SHA2-256 SHA2-256DRBG
DRBG2SSP generation in user/application spaceHMAC DRBG HMAC- SHA2-256 SHA2-256DRBG
Entropy SouceNon-Physical Entropy SourceSHA2-512ENT-Cond
ECDSA KeyGenGeneration of SSH host keysECDSA KeyGen (FIPS186-4)AsymKeyPair- KeyGen
ECDSA KeyGen2SSP Agreement in the context of SSHECDSA KeyGen (FIPS186-4)AsymKeyPair- KeyGen
ECDSA KeyVerVerification of keys generatedECDSA KeyVer (FIPS186-4)AsymKeyPair- KeyVer
ECDSA SigGenSignature Generation using ECDSA in the context of SSHECDSA SigGen (FIPS186-4)DigSig- SigGen
RSA KeyGenGeneration of SSH host keysRSA KeyGen (FIPS186-4)AsymKeyPair- KeyGen
RSA SigGenSignature Generation using RSA in the context of SSHRSA SigGen (FIPS186-4)DigSig- SigGen
RSA SigVerSignature Verification using RSA for public key authenticationRSA SigVer (FIPS186-4)DigSig-SigVer
Password HashUsed to store passwords in hashed formSHA2-512SHA
CKGCryptographic Key Generation (CKG)CKG - Section 6.2.1 Key Type: SymmetricCKG
MACsec Encryption/DecryptionEncryption/Decryption of MACsec packetsAES-GCM AES-XPNBC-Auth
KTS2Key Transport for MACsecAES-KWKTS-WrapSP800-38D AES KW per IG D.G :size:128- ,192-,256-bit keys; encryption strength: SSP establishment methodology provides between 128 and 256 bits of encryption strength
MACsec Key DerivationNIST SP 800-108 KDF used in the context of MAcsec to derive SSPsKDF SP800-108 AES-CMAC AES-ECB AES-CBCKBKDF MAC
CASTs on bootList of algorithms for which Known Answer Tests (CASTs) have been implemented in the module and perform on each bootAES-CBC HMAC DRBG HMAC- SHA-1 HMAC- SHA2-256 HMAC- SHA2-512 KAS-ECC- SSC Sp800- 56Ar3 KAS-FFC- SSC Sp800- 56Ar3 KDF SSH ECDSABC-Auth BC-UnAuth DigSig- SigGen DigSig-SigVer DRBG ENT-Cond KAS-135KDF KBKDF MAC SHA

AsymKeyPairKeyVer SP 80056Arev3 SP80056Arev3 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 HMACSHA-1 HMACSHA2-256 HMACSHA2-512 Document Version 1.0

Page 18

DigSigSigGen DigSigSigGen HMACSHA2-256 HMACSHA2-256 Document Version 1.0

Page 19

DigSigSigGen 6.2.1 HMACSHA-1 HMACSHA2-256 HMACSHA2-512 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 Document Version 1.0

Page 20
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Junos OS Non- Physical Entropy SourceNon- Physical8 bitsIntel Xeon E3- 1125v20.83 bitsSHA2-512 (CAVP Cert. #A3403)
CertVendor Name
Number
E104Juniper Networks

Table 9: Security Function Implementations HMACSHA2-256

2.7 Algorithm Specific Information

The module only supports testable RSA moduli/key sizes (2048, 3072 and 4096 bits) and thus the requirements per FIPS 140-3 IG C.F do not apply.

2.8 RBG and Entropy

Table 10: Entropy Certificates NonPhysical Table 11: Entropy Sources Document Version 1.0

Page 21
2.9 Key Generation

The module implements two NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2 and 6.2.1.

2.10 Key Establishment

Per IG D.F: The module implements full KAS (KAS-ECC-SSC, KAS-FFC-SSC per NIST SP 800-56Ar3 and KDF SSH per NIST SP 800-135r1; IG D.F Scenario 2 (path 2 option 2, separate testing of the SSC and SP800-135r1 KDF). The KAS1 and KAS2 in the SFI Table have been documented in accordance with this requirement: KAS1: KAS (KAS-ECC-SSC Cert.#A4301 and CVL Cert. #A4301; SSP establishment methodology provides between 128 and 256 bits of encryption strength) KAS2: KAS (KAS-FFC-SSC Cert.#A4301 and CVL Cert. #A4301; SSP establishment methodology provides 112 bits of encryption strength) The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KDF SSH) as individual entries. Per IG D.G: The module supports the IETF SSH and MACsec protocols and thus implements key transport in the context of the protocols (per the KTS1 and KTS2 entries in the SFI table of the Security Policy). The module implements the following approved KTS using approved AES modes: AES CBC and CTR (KTS1): KTS (AES Cert. #A4301 and HMAC Cert. #A4301; SSP establishment methodology provides between 128 and 256 bits of encryption strength) AES KW (KTS2): KTS (AES Cert. #A4304; SSP establishment methodology provides between

128 and 256 bits of encryption strength)
2.11 Industry Protocols

No parts of the SSH and MACsec protocols, other than the KDF SSH and the NIST SP 800-108 KDF for MACsec, have been tested by the CAVP or CMVP.

2.12 Additional Information

The module design corresponds to the security rules below. The term shall in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.

  1. The module clears previous authentications on power cycle.
  2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services. Document Version 1.0
Page 22
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Ethernet (Management port)Ethernet (Management port)Data Input Data Output Control Input Status OutputLAN, Communications/remote management
SerialSerialData Input Data OutputConsole Serial Port
USBUSBData Input Control InputUSB port, load Junos Image
PowerPowerPowerPower connector, Power over Ethernet
Alarm LEDsAlarm LEDsStatus OutputStatus indicator lighting
Reset ButtonReset ButtonControl InputReset signal
PTP-capable connectionsPTP-capable connectionsData Input Data OutputSMB In/out (clock synchronization)
Online/Offline ButtonOnline/Offline ButtonControl InputOnline/Offline signal
  1. Self-tests do not require any operator action.
  2. Data output is inhibited during SSP generation, self-test execution, zeroisation, and error states.
  3. Status information does not contain SSPs or sensitive data that if misused could lead to a compromise of the module.
  4. There are no restrictions on which SSPs are zeroised by the zeroisation service.
  5. The module does not support a maintenance interface or role.
  6. The module does not output intermediate key values.
  7. The module does not output plaintext CSPs.
  8. The Crypto officer shall verify that the firmware image to be loaded on the module is a FIPS 140-3 validated image. If any non-validated firmware image is loaded the module will no longer be a validated module.
  9. The Crypto Officer shall retain control of the module while zeroisation is in process.
  10. MACsec protocol IV generation: • The AES GCM IV construction is performed internal to the module in compliance with IEEE 802.1AEand its amendments. The IV length is 96 bits (per SP 800-38D). The module ensures the IV is constructed deterministically per Section 8.2 in SP 800-38D and the MACsec standard IEEE 802.1AE as a result of concatenating the fixed field (SCI) and invocation field (PN). • The module can take on the role of Peer or Authenticator in reference to the MACsec protocol. • The module shall only be used with other FIPS 140-3 validated modules when supporting the MACsec protocol in the role of a Peer/Authenticator for providing the remaining functionalities. • Per FIPS 140-3 IG C.H Scenario 3, if the module loses power and then it is restored, then a new key shall be established for use with the AES GCM encryption/decryption processes. • The link between the Peer and Authenticator, used in the MACsec communication, shall be secure to prevent the possibility for an attacker to introduce foreign equipment into the local area network.
  11. The module shall not be configured to use a radius server and the radius server capability shall be disabled.
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
Page 23
Sensitive security parameter
NameDescriptionStrengthSecurity MechanismStrength per Minute
Username and password over the console and SSH• The module enforces 10- character passwords (at minimum) chosen from the 96 human readable ASCII characters; The maximum password length is 20- characters; Thus, the probability of a successful random attempt is 1/(96^10), which is less than 1/1,000,000 (million); • The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced; Upon the third attempt, the module enforces a 5-second delay; Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g., 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20- second delay, 7th failed attempt1/(96^10)SHA2-512 (A4306)9/(96^10)
Username and ECDSA public key over SSH• The module supports ECDSA (P-256, P-384, and P-521), which has a minimum equivalent computational resistance to attack of either 2^128, 2^192 or 2^256 depending on the curve; Thus, the probability of a successful random attempt is 1/(2^128), which is less than 1/1,000,000 (million) • Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one- minute period is 15,000/(2^128), which is less than 1/100,0001/(2^128)ECDSA SigVer (FIPS186-4) (A4301)15,000/(2^128)
Username and RSA public key over SSH• The module supports RSA (2048, 3072, 4096 bits), which has a minimum equivalent computational resistance to attack of 2^112 (2048 bits); Thus, the probability of a successful random attempt is 1/ (2^112), which is less than 1/1,000,000 (million) • Configurable SSH1/ (2^112)RSA SigVer (FIPS186-4) (A4301)15,000/(2^112)

Table 12: Ports and Interfaces The module does not support control output.

4 Roles, Services, and Authentication
4.1 Authentication Methods
Page 25
Service
NameRole AccessType
Super-userCrypto Officer (CO)IdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
OperatorUserIdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
Read-onlyUserIdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
RootCrypto Officer (CO)IdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
UnauthorisedUserIdentityUsername and password over the console and SSH

Table 13: Authentication Methods The module enforces the separation of roles using identity-based operator authentication. The module implements two forms of identity-based authentication, username, and password over the console and SSH connections, as well as username and an ECDSA or RSA public keybased authentication over SSHv2.

4.2 Roles
Page 26
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Configur e security (security relevant)Security relevant configurati on (SSH, authenticat ion data)Root - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRB G V value: E - HMAC_DRB G Key value: E - HMAC_DRB G entropy input: E - HMAC_DRB G seed: E - SSH Public Host Key: G - User AuthenticatioDRBG DRBG2 Password Hash CKGGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceCommands (SSH configuration : set system services ssh root-login allow)Traffic
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Configur e security (security relevant)Security relevant configurati on (SSH, authenticat ion data)Root - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRB G V value: E - HMAC_DRB G Key value: E - HMAC_DRB G entropy input: E - HMAC_DRB G seed: E - SSH Public Host Key: G - User AuthenticatioDRBG DRBG2 Password Hash CKGGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceCommands (SSH configuration : set system services ssh root-login allow)Traffic
Configur e (non- security relevant)Non- security relevant configurati onSuper-user - CO Password: E Root - CO Password: EPassword HashGlobal Approve d Mode indicator “fips” at the CLI combine d with successCommands (miscellaneo us commands e.g., for IP address configuration , routingTraffic
ful completi on of each serviceful completi on of each serviceprotocols, etc.)
Show statusQuery the module statusSuper-user - CO Password: E Root - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorise d - User Password: EPassword HashGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceCommand (show)CLI output
Show status (LED)LEDs on the module provide physical status outputSuper-user Operator Read-only Unauthorise d Root Unauthentic atedNoneLED(s) on the chassis turned onN/ALED
Show module’s versionin g informati onQuery the module’s versioning informationSuper-user - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorise d - User Password: E Root - CO Password: EPassword HashGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceCommand (show version)CLI output
Zeroise (PerformDestroy all SSPsSuper-user - SSH Private HostPassword HashGlobal Approve d ModeCommand (request vmhostN/A

Table 14: Roles The module supports two roles: Crypto Officer (CO) and User. Root and Super-user correspond to the Crypto Officer role whereas Operator, Read-Only and Unauthorised operator types correspond to the User role. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. An operator assuming the Crypto Officer role configures and monitors the module via a console or SSH connection. As Root or Super-user, the Crypto Officer has permission to view and configure passwords and public keys within the module. The User role monitors the module via the console or SSH. The User role does not have the permission to modify the configuration.

4.3 Approved Services
Page 27

e (nonsecurity n r Nonsecurity W,E W,E E Document Version 1.0

Page 29
Service
NameDescriptionCsps AccessedInput
zeroisati on)indicator “fips” at the CLI combine d with success ful completi on of each serviceKey: Z - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session Key: Z - User Password: Z - CO Password: E,Z - HMAC_DRB G V value: Z - HMAC_DRB G Key value: Z - HMAC_DRB G entropy input: Z - HMAC_DRB G seed: Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: Z - SSH Public Host Key: Z - User Authenticatio n Public Keys: Z - CO Authenticatio n Public Keys: Z - JuniperRoot CA: Zzeroise no- forwarding)
Page 30
Sensitive security parameter
NameDescriptioIndicatoOutpuSecurity
nnrtsFunctions
nnrtsFunctions
Page 32
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Perform approve d security functions (SSH connecti on)Initiate SSH connection for SSH monitoring and control (CLI)Super-user - SSH Private Host Key: E - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z - HMAC_DRB G V value: E - HMAC_DRB G Key value: E - HMAC_DRB G entropy input: E - HMAC_DRB G seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: G - SSH DH Public Key: G,E,Z - SSH ECDH Public Key: G,E,Z - CO Password: E - CO Authenticatio n PublicKAS1 KAS2 KTS1 ECDSA SigVer2 DRBG DRBG2 Entropy Souce ECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen RSA SigVer Password Hash CKGGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceAuthenticatio n data (Username and password/pu blic-key based authenticatio n)SSH sessio n
Page 33
Sensitive security parameter
NameDescriptioIndicatoOutpuSecurity
nnrtsFunctions
nnrtsFunctions
nnrtsFunctions
nnrtsFunctions
Page 37
Service
NameDescriptionRole AccessApproved FunctionsIndicatorInputOutput
Console AccessConsole monitoring and control (CLI)Super-user - CO Password: E Operator - CO Password: E Read-only - User Password: E Unauthorise d - User Password: EPassword HashGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on ofUsername, password (set system login user <username> class <crypto- officer/user class> operator authenticatio n plaintext- password)N/A
each serviceRoot - CO Password: Eeach service
Perform self-tests (remote reset)Software initiated reset, performs self-tests on demand via SSHSuper-user - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session Key: Z - HMAC_DRB G Key value: G,Z - HMAC_DRB G V value: G,Z - HMAC_DRB G entropy input: G,Z - HMAC_DRB G seed: G,Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: G,E,Z - SSH ECDH Public Key: G,E - SSH DH Public Key: G,E - CO Password: E - Firmware Integrity Key: E - SSH Private Host Key: EKAS1 KAS2 KTS1 DRBG DRBG2 Entropy Souce ECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen Password Hash CKG CASTs on bootGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceControl input/reset signal (request vmhost reboot)N/A

n r N/A <cryptoofficer/user n plaintextpassword) G,E,Z G,E,Z G,E,Z G,E,Z E d Document Version 1.0

Page 39
Sensitive security parameter
NameDescriptioIndicatoOutpuSecurity
nnrtsFunctions
Page 40
Service
NameDescriptionRolesRole AccessApproved FunctionsIndicatorInputOutput
Perform self-tests (local reset)Hardware reset or power cycleSuper-user - Firmware Integrity Key: E Root - Firmware Integrity Key: E Operator - Firmware Integrity Key: E Read-only - Firmware Integrity Key: E Unauthorise d - Firmware Integrity Key: E Unauthentic ated - Firmware Integrity Key: ECASTs on bootGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceControl input/reset signalN/A
Load ImageVerification and loading of a validated firmware image intoSuper-user - CO Password: E - Firmware Integrity Key: EECDSA SigVer Password HashGlobal Approve d Mode indicator “fips” at the CLIImage, commandsN/A
the router/swit chthe router/swit ch- JuniperRoot CA: E - PackageCA: E Root - CO Password: E - Firmware Integrity Key: E - JuniperRoot CA: E - PackageCA: Ecombine d with success ful completi on of each service
Perform approve d security functions (MACsec connecti on)Initiate MACsec connectionRoot - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,E Super-user - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,ECKG MACsec Encryption/Decry ption KTS2 MACsec Key DerivationGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceCommands (set security macsec connectivity- association connectivity- association- name; set security macsec connectivity- association connectivity- association- name pre- shared key)MACs ec sessio n
Configure security (security relevant)Security relevant configurationRoot, Super-userRSA with key size less than 2048 ECDSA with ed25519 curve
Page 41
Service
NameDescriptionRolesRole AccessApproved FunctionsIndicatorInputOutput
the router/swit chthe router/swit ch- JuniperRoot CA: E - PackageCA: E Root - CO Password: E - Firmware Integrity Key: E - JuniperRoot CA: E - PackageCA: Ecombine d with success ful completi on of each service
Perform approve d security functions (MACsec connecti on)Initiate MACsec connectionRoot - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,E Super-user - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,ECKG MACsec Encryption/Decry ption KTS2 MACsec Key DerivationGlobal Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each serviceCommands (set security macsec connectivity- association connectivity- association- name; set security macsec connectivity- association connectivity- association- name pre- shared key)MACs ec sessio n
Configure security (security relevant)Security relevant configurationRoot, Super-userRSA with key size less than 2048 ECDSA with ed25519 curve

n d r n connectivityassociation connectivityassociationname; set connectivityassociation connectivityassociationname preshared key) Table 15: Approved Services E E

4.4 Non-Approved Services
Page 42
Service
NameDescriptionRolesRole Access
Configure (non- security relevant)Non-security relevant configurationRoot, Super-userNone
Show statusQuery the module statusRoot, Super-user, Operator, Read-Only, UnauthorizedNone
Show status (LED)LEDs on the module provide physical status outputRoot, Super-user, Operator, Read-Only, Unauthorized, UnauthenticatedNone
Show module’s versioning informationQuery the module’s versioning informationRoot, Super-user, Operator, Read-Only, UnauthorizedNone
Zeroise (Perform zeroisation)Destroy all SSPsRoot, Super-userNone
Perform approved security functions (SSH connection)Initiate SSH connection for SSH monitoring and control (CLI)Root, Super-user, Operator, Read-Only, UnauthorizedRSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie- Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC
Console AccessConsole monitoring and control (CLI)Root, Super-user, Operator, Read-Only, UnauthorizedNone
Perform self-tests (remote reset)Software initiated reset, performs self-tests on demandRoot, Super-user, Operator, Read-Only, UnauthorizedNone
Perform self-tests (local reset)Hardware reset or power cycleRoot, Super-user, Operator, Read-Only, Unauthorized, UnauthenticatedNone
Load ImageVerification and loading of a validated firmware image into the router/switchRoot, Super-userNone
Perform approved security functions (MACsec connection)Initiate MACsec connectionRoot, Super-userNone

SigVer, noncompliant) HMACRIPEMD160 SigVer, noncompliant) HMACRIPEMD160 Document Version 1.0

Page 43

Table 16: Non-Approved Services

4.5 External Software/Firmware Loaded

The module supports loading of firmware from an external source (a complete image replacement) and a firmware load test using ECDSA P-256 with SHA2-256 (CAVP Cert. #A4301) is performed in support of the load.

4.6 Cryptographic Output Actions and Status

The module supports self-initiated cryptographic output in the context of the MACsec protocol and three independent configurations are required serving as three independent internal actions (two actions required at minimum):

5.1 Integrity Techniques

The module performs the firmware integrity check using ECDSA P-256 with SHA2-256 (CAVP Cert. #A4301). The ECDSA P-256 public key used for signature verification is a non-SSP and stored persistently across reboots in the module’s Non-Volatile RAM (NVRAM) and is exempt from zeroisation. Document Version 1.0

Page 44
MechanismInspectionInspection
FrequencyGuidance
N/AN/AN/A
5.2 Initiate on Demand

The operator can initiate the integrity test on demand by rebooting the module.

5.3 Additional Information

The module firmware image is delivered in the form of a pre-compiled tarball (.tgz).

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited How Requirements are Satisfied: The module contains a limited operational environment since it supports loading of firmware from an external source. The Junos OS 22.4R2.8 operating system is contained within the module, i.e., the tested configurations listed in the Tested Module Identification

6.2 Configuration Settings and Restrictions

Security rules and restrictions for configuration of the operational environment have been specified in Sections 2.12 and 11.1 of this document.

7 Physical Security
7.1 Mechanisms and Actions Required

N/A N/A N/A Table 17: Mechanisms and Actions Required The module’s physical embodiment is that of a multi-chip standalone meeting Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. The module enclosure is made of production grade materials. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. No actions are required by the operator to ensure that physical security is maintained. Document Version 1.0

Page 45
Sensitive security parameter
NameTypeDescription
NVRAMStaticNon-Volatile Random Access Memory
RAMDynamicRandom Access Memory
Service
NameTypeFromTo
Entered over SSH - NVRAMEncryptedExternal endpointNVRAMAutomatedElectronicKTS1
Loaded at manufacturePlaintextExternal endpointNVRAMN/AN/A
Entered through the CLI via console connection - NVRAMPlaintextExternal endpointNVRAMManualDirect
Output encrypted with MAcsec KEKEncryptedRAMExternal endpoint (MACsec peer)AutomatedElectronicKTS2
Input during SSH negotiationPlaintextExternal endpointRAMAutomatedElectronic
Output during SSH negotiation (host key)PlaintextNVRAMExternal endpointAutomatedElectronic
Output during SSH negotiation (Key Agreement public key)PlaintextRAMExternal endpointAutomatedElectronic
8 Non-Invasive Security
8.1 Mitigation Techniques

The module does not implement any non-invasive security mitigations and thus the requirements per this section do not apply to the module.

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods

N/A N/A Table 19: SSP Input-Output Methods Document Version 1.0

Page 46
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentStorageZeroizationUse
SSH Private Host KeyPrivate Host Key - CSPHost key generated, used for authentication and encryption in the context of SSHP-256 for ECDSA, 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSADRBG2 ECDSA KeyGen RSA KeyGenKAS1 KAS2
SSH ECDH Private KeyECDH Private Key - CSPEphemeral EC Diffie-Hellman private key used in SSHKAS- ECC- SSC P- 256, P-DRBG2 ECDSA KeyGen2KAS1
SSH DH Private KeyDH Private Key - CSPEphemeral Diffie- Hellman private key used in SSH2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSCDRBG2KAS2
SSH Session KeySession Key - CSPSSH Session Key128 bits, 192 bits, 256 bits - 128 bits, 192 bits, 256 bitsCKGKAS1 KAS2
User PasswordUser Password - CSPPasswords used to authenticate users to the module10-20 characte rs - 1/(96^10 ) per attempt, 9/(96^10 ) per minute
CO PasswordCO Password - CSPPasswords used to authenticate COs to the module10-20 characte rs - 1/(96^10 ) per attempt, 9/(96^10 ) per minute
HMAC_DRB G V valueInternal state of the DRBG - CSPA critical value of the internal state of DRBG256 bits - 256 bitsDRBG DRBG2DRBG DRBG 2
HMAC_DRB G Key valueInternal state of the DRBG - CSPA critical value of the internal state of DRBG440 bits - 440 bitsDRBG DRBG2DRBG DRBG 2
HMAC_DRB G entropy inputEntropy input to the HMAC_DR BG - CSPEntropy input to the HMAC_DRBG512 bits - 448 bitsEntropy Souce
HMAC_DRB G seedSeed provided to the HMAC_DR BG - CSPSeed provided to the HMAC_DRBG512 bits - 440 bitsDRBG DRBG2DRBG DRBG 2
ECDH Shared SecretShared secret - CSPUsed in EC Diffie- Hellman (ECDH) exchangeP-256, P-384, P-521 - 128 bits, 192 bits, 256 bitsKAS1
DH Shared SecretShared secret - CSPUsed in Diffie- Hellman (DH) exchange2048 bits - 112 bitsKAS2
HMAC KeyMAC key - CSPMAC key128 bits and 256 bits - 128 bits and 256 bitsKAS1 KAS2
SSH Public Host KeyPublic key - PSPHost key generated, used to identify the host. Also paired with the private key for authentication and encryption in the context of SSHP-256 for ECDSA and 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSADRBG2 ECDSA KeyGen RSA KeyGen
User Authenticatio n Public KeysPublic key - PSPUsed to authenticate users to the moduleP-256, P-384, P-521 for ECDSA and 2048, 3072 and 4096 bits for
CO Authenticatio n Public KeysPublic key - PSPUsed to authenticate the CO to the moduleP-256, P-384, P-521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA
JuniperRoot CAPublic key certificate - NeitherECDSA prime256v1 X.509 V3 Certificate Used to verify the validity of the PackagCAECDSA P-256 - 128 bits
PackageCAPublic key certificate - NeitherECDSA prime256v1 X.509 V3 Certificate Certificate that holds the public key for the signing key used to generate all the signatures used on the packages and signature listsECDSA P-256 - 128 bits
SSH ECDH Public KeyPublic key - PSPEphemeral EC Diffie-Hellman public key used in SSHKAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSCDRBG2 ECDSA KeyGen2
SSH DH Public KeyPublic key - PSPEphemeral Diffie- Hellman public key used in SSH2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSCDRBG2
Firmware Integrity KeyPublic key - NeitherPublic key used to perform the firmware integrity test on each boot and authenticate firmware loaded from an external sourceECDSA P-256 - 128 bits
MACsec PSKSymmetric key - CSPCredential used for device-to- device authentication, consists of the CAK (pre-shared key) and CKN (identifier for the pre-shared key)128, 256 bits - 128, 256 bits
MACsec SAKSymmetric key - CSPSecurity Association Key used for creating Security Associations for encryption/decrypt ion of MACsec traffic128, 256 bits - 128, 256 bitsMACsec Key Derivatio n
MACsec KEKSymmetric key - CSPUsed to transmit SAKs to other members of a MACsec connectivity association128, 256 bits - 128, 256 bitsMACsec Key Derivatio n
MACsec ICKSymmetric key - CSPUsed to verify the integrity and authenticity of MACsec protocol data units128, 256 bits - 128, 256 bitsMACsec Key Derivatio n
SSH ECDH Client Public KeyPublic key - PSPEphemeral EC Diffie-Hellman public key used in SSH (sent by the client to the module acting as the server)KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC
SSH DH Client Public KeyPublic key - PSPEphemeral Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server)2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSC
SSH Private Host KeyNVRAM:PlaintextZeroisation command
SSH ECDH Private KeyRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session termination
SSH DH Private KeyRAM:PlaintextZeroisation command Power-cycleUntil session termination
ZeroizationDescriptionRationaleOperator
MethodInitiation
Zeroisation commandCommand used to zeroise the module: request vmhost zeroize no-forwardingUsed to provide zeroisation as a serviceOperator initiated
Power-cyclePower cycling the module to zeroise temporary SSPsPower cycling the module to zeroise temporary SSPsOperator initiated
Session terminationTermination of SSH sessions automatically zeroises temporary SSPs used as part of the sessionTermination of SSH sessions automatically zeroises temporary SSPs used as part of the sessionModule initiated
Not zeroisedPSP not zeroised since it cannot be modified due to being inaccessible in the filesystemPSP not zeroised since it cannot be modified due to being inaccessible in the filesystemN/A
Derivation of SSH session keyEC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of SSH session keyEC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of SSH session keyModule initiated

The module is complaint with FIPS 140-3 IG 9.5.A MD/DE and AD/EE for SSPs entered via the module’s CLI via a direct connection to its serial/console port and for SSPs entered/output/established via SSH/MACsec respectively.

9.3 SSP Zeroization Methods

Table 20: SSP Zeroization Methods N/A h KASECCSSC P256, PDocument Version 1.0

Page 47

h for KASFFCSSC Document Version 1.0

Page 50

h KASECCSSC P256, P384, P512 128 bits, for KASECCSSC for KASFFCSSC n Document Version 1.0

Page 51
Sensitive security parameter
NameTypeDescriptionStrengthGenerationStorageZeroization
MACsec KEKSymmetric key - CSPUsed to transmit SAKs to other members of a MACsec connectivity association128, 256 bits - 128, 256 bitsMACsec Key Derivatio n
MACsec ICKSymmetric key - CSPUsed to verify the integrity and authenticity of MACsec protocol data units128, 256 bits - 128, 256 bitsMACsec Key Derivatio n
SSH ECDH Client Public KeyPublic key - PSPEphemeral EC Diffie-Hellman public key used in SSH (sent by the client to the module acting as the server)KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC
SSH DH Client Public KeyPublic key - PSPEphemeral Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server)2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSC
SSH Private Host KeyNVRAM:PlaintextZeroisation command
SSH ECDH Private KeyRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session termination
SSH DH Private KeyRAM:PlaintextZeroisation command Power-cycleUntil session termination

Table 21: SSP Table 1 h n n KASECCSSC P256, P384, P512 128 bits, for KASECCSSC for KASFFCSSC Document Version 1.0

Page 52
Sensitive security parameter
NameStorageZeroization
SSH Session KeyRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session termination
User PasswordNVRAM:Obfuscated NVRAM:ObfuscatedZeroisation commandEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
CO PasswordNVRAM:Obfuscated NVRAM:ObfuscatedZeroisation commandEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
HMAC_DRBG V valueRAM:PlaintextPower-cycleUntil power- cycle
HMAC_DRBG Key valueRAM:PlaintextPower-cycleUntil power- cycle
HMAC_DRBG entropy inputRAM:PlaintextPower-cycleUntil power- cycle
HMAC_DRBG seedRAM:PlaintextPower-cycleUntil power- cycle
ECDH Shared SecretRAM:PlaintextZeroisation command Power-cycle Derivation of SSH session keyUntil SSH session key derivation
DH Shared SecretRAM:PlaintextZeroisation command Power-cycle DerivationUntil SSH session key derivation
HMAC KeyRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session termination
SSH Public Host KeyNVRAM:PlaintextZeroisation commandOutput during SSH negotiation (host key)
User Authentication Public KeysNVRAM:PlaintextZeroisation commandEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
CO Authentication Public KeysNVRAM:PlaintextZeroisation commandEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
JuniperRootCANVRAM:PlaintextNot zeroisedLoaded at manufacture
PackageCANVRAM:PlaintextNot zeroisedLoaded at manufacture
SSH ECDH Public KeyRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session terminationOutput during SSH negotiation (Key Agreement public key)
SSH DH Public KeyRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session terminationOutput during SSH negotiation (Key Agreement public key)
Firmware Integrity KeyNVRAM:PlaintextNot zeroisedLoaded at manufacture

powercycle powercycle powercycle powercycle Document Version 1.0

Page 54
Sensitive security parameter
NameStorageZeroizationInput
MACsec PSKNVRAM:PlaintextZeroisation commandEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
MACsec SAKRAM:PlaintextZeroisation command Power-cycle Session terminationOutput encrypted with MAcsec KEKUntil session termination
MACsec KEKRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session termination
MACsec ICKRAM:PlaintextZeroisation command Power-cycle Session terminationUntil session termination
SSH ECDH Client Public KeyRAM:PlaintextZeroisation command Power-cycle Session terminationInput during SSH negotiationUntil session termination
SSH DH Client Public KeyRAM:PlaintextZeroisation command Power-cycle Session terminationInput during SSH negotiationUntil session termination
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorTest Method
Firmware Integrity TestFirmware Integrity TestKATSW/FW IntegrityVerifyUsing ECDSA P-256 with SHA2-256FIPS Self-tests Passed
HMAC DRBG (A4303)HMAC DRBG (A4303)KATNIST 800- 90 HMAC DRBG Known Answer Test : PassedDuring bootPrediction Resistance: Yes Supports Reseed Capabilities: Mode: SHA2-256 Entropy Input: 256 Nonce: 128 Personalizati on String Length: 0- 256 Increment 8 Additional Input: 8-256 Increment 8 Returned Bits: 1024N/ACAST
HMAC- SHA2- 256 (A4303)HMAC- SHA2- 256 (A4303)KATHMAC- SHA2-256 Known Answer Test : PassedDuring bootKey Length: 256 bitsN/ACAST
AES- CBC (A4301)AES- CBC (A4301)KATAES-CBC Known Answer Test : PassedDuring bootKey Length: 128 bitsEncryptCAST
AES- CBC (A4301)AES- CBC (A4301)KATAES-CBC Known Answer Test : PassedDuring bootKey Length: 192 bitsEncryptCAST
AES- CBC (A4301)AES- CBC (A4301)KATAES-CBC Known AnswerDuring bootKey Length: 256 bitsEncryptCAST
AES- CBC (A4301)AES- CBC (A4301)KATAES-CBC Known Answer Test : PassedDuring bootKey Length: 128 bitsDecryptCAST
AES- CBC (A4301)AES- CBC (A4301)KATAES-CBC Known Answer Test : PassedDuring bootKey Length: 192 bitsDecryptCAST
AES- CBC (A4301)AES- CBC (A4301)KATAES-CBC Known Answer Test : PassedDuring bootKey Length: 256 bitsDecryptCAST
HMAC DRBG (A4301)HMAC DRBG (A4301)KATNIST 800- 90 HMAC DRBG Known Answer Test : PassedDuring bootMode: SHA2-256, Entropy Input: 256 , Nonce: 128, Personalizati on String Length: 0- 256 , Increment 8 , Additional Input: 8-256 Increment 8 , Returned Bits: 1024N/ACAST
HMAC- SHA-1 (A4301)HMAC- SHA-1 (A4301)KATHMAC- SHA-1 Known Answer Test : PassedDuring bootKey Length: 160 bitsN/ACAST
HMAC- SHA2- 256 (A4301)HMAC- SHA2- 256 (A4301)KATHMAC- SHA2-256 Known Answer Test : PassedDuring bootKey Length: 256 bitsN/ACAST
HMAC- SHA2-HMAC- SHA2-KATHMAC- SHA2-512 KnownDuring bootKey Length: 512 bitsN/ACAST
512 (A4301)512 (A4301)Answer Test : Passed
KAS- ECC- SSC Sp800- 56Ar3 (A4301)KAS- ECC- SSC Sp800- 56Ar3 (A4301)KATKAS-ECC- EPHEM- UNIFIED- NOKC Known Answer Test: PassedDuring bootDomain Parameter Generation Methods: P- 256N/ACAST
KAS- ECC- SSC Sp800- 56Ar3 (A4301)KAS- ECC- SSC Sp800- 56Ar3 (A4301)KATKAS-ECC- EPHEM- UNIFIED- NOKC Known Answer Test: PassedDuring bootDomain Parameter Generation Methods: P- 384N/ACAST
KAS- FFC- SSC Sp800- 56Ar3 (A4301)KAS- FFC- SSC Sp800- 56Ar3 (A4301)KATKAS-FFC- EPHEM- NOKC Known Answer Test: PassedDuring bootDomain Parameter Generation Methods: MODP-2048N/ACAST
KDF SSH (A4301)KDF SSH (A4301)KATKDF-SSH- SHA2-256 Known Answer Test: PassedDuring bootCipher: AES- 128, AES- 192, AES- 256 ; Hash Algorithm: SHA-1, SHA2-256, SHA2-512N/ACAST
RSA SigGen (FIPS18 6-4) (A4301)RSA SigGen (FIPS18 6-4) (A4301)KATRSA-SIGN Known Answer Test: PassedDuring bootModulus 2048 bits SHA2-256SignCAST
RSA SigVer (FIPS18 6-4) (A4301)RSA SigVer (FIPS18 6-4) (A4301)KATRSA- VERIFY Known Answer Test: PassedDuring bootModulus 2048 bits SHA2-256VerifyCAST
ECDSA SigGenECDSA SigGenKATECDSA- SIGNDuring bootCurve: P-256 HashSignCAST
(FIPS18 6-4) (A4301)(FIPS18 6-4) (A4301)Known Answer Test: PassedAlgorithm: SHA2-256
ECDSA SigVer (FIPS18 6-4) (A4301)ECDSA SigVer (FIPS18 6-4) (A4301)KATECDSA- VERIFY Known Answer Test: PassedDuring bootCurve: P-256 Hash Algorithm: SHA2-256VerifyCAST
SHA2- 512 (A4306)SHA2- 512 (A4306)KATSHA-2- 512 Known Answer Test: PassedDuring bootSHA2-512N/ACAST
Entropy testEntropy testRCTpassDuring boot and continuallyNIST SP 800-90B Repetitive Count TestCutoff value C = 21CAST
Entropy testEntropy testAPTpassDuring boot and continuallyNIST SP 800-90B Adapative Proportion TestW = 512; Cutoff value C = 311CAST
ECDSA KeyGen (FIPS18 6-4) (A4301)ECDSA KeyGen (FIPS18 6-4) (A4301)PCT0On key generationCurve: P-256 Hash Algorithm: SHA2-256Key pair generated for signature generation/verificat ion in the context of SSHv2 protocolPCT
ECDSA KeyGen (FIPS18 6-4) (A4301)ECDSA KeyGen (FIPS18 6-4) (A4301)PCT0On key generationCurve: P-256 Hash Algorithm: SHA2-256Key pair generated for SSP agreement in the context of SSHv2 protocolPCT
KAS- FFC- SSC Sp800- 56Ar3 (A4301)KAS- FFC- SSC Sp800- 56Ar3 (A4301)PCT0On key generationCapabilities: Domain Parameter: MODP2048Key pair generated for SSP agreement in the context of SSHv2 protocolPCT
RSA KeyGen (FIPS18 6-4) (A4301)RSA KeyGen (FIPS18 6-4) (A4301)PCT0On key generationModulus: 2048 Hash SHA2-256Key pair generated for signature generation/verificat ion in the context of SSHv2 protocolPCT
AES-KW (A4304)AES-KW (A4304)KATAES- KEYWRA P Known Answer Test: PassedDuring bootKey Length: 128 bitsEncryptCAST
AES-KW (A4304)AES-KW (A4304)KATAES- KEYWRA P Known Answer Test: PassedDuring bootKey Length: 128 bitsDecryptCAST
KDF SP800- 108 (A4304)KDF SP800- 108 (A4304)KATKBKDF Known Answer Test:Pass edDuring bootMode: CounterN/ACAST
AES- GCM (AES 4369)AES- GCM (AES 4369)KAT0During bootKey Length: 256 bitsEncryptCAST
AES- GCM (AES 4369)AES- GCM (AES 4369)KAT0During bootKey Length: 256 bitsDecryptCAST
AES- CMAC (A4304)AES- CMAC (A4304)KATAES128- CMAC Known Answer Test: PassedDuring bootKey Length: 128 bitsEncryptCAST
AES- CMAC (A4304)AES- CMAC (A4304)KATAES128- CMAC Known Answer Test: PassedDuring bootKey Length: 128 bitsDecryptCAST
AES- CMAC (A4304)AES- CMAC (A4304)KATAES256- CMAC Known Answer Test: PassedDuring bootKey Length: 256 bitsEncryptCAST
AES- CMAC (A4304)AES- CMAC (A4304)KATAES256- CMAC Known AnswerDuring bootKey Length: 256 bitsDecryptCAST
ECDSA SigVer (FIPS18 6-4) (A4301)ECDSA SigVer (FIPS18 6-4) (A4301)KATHost OS upgrade staged. Reboot the system to complete installation !On loading of firmware from an external sourceCurve: P-256 Hash Algorithm: SHA2-256VerifySW/F W Load
Manual entry test (duplicat e entries)Manual entry test (duplicat e entries)Duplicate entry test required for entry of operator passwor ds and MACsec PSK via direct connecti on to the module's console (serial) interfaceCommand prompt with "fips" string provided post completion of the testOn configurati on of operator passwords and MACsec PSKDuplicate entry test required for entry of operator passwords and MACsec PSK via direct connection to the module's console (serial) interfaceN/AManu al Entry
Firmware Integrity TestFirmware Integrity TestKATSW/FW IntegrityOn DemandManually via a reboot
10.1 Pre-Operational Self-Tests

Table 23: Pre-Operational Self-Tests Document Version 1.0

Page 55

The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test (KAT) for the ECDSA P-256 (with SHA2-256) algorithm used in the firmware integrity test on each boot prior to executing the firmware integrity test.

10.2 Conditional Self-Tests

s Length: 0256 N/A N/A AESCBC AESCBC AESCBC HMACSHA2-256 HMACSHA2256 Document Version 1.0

Page 56

AESCBC AESCBC AESCBC Length: 0256 , HMACSHA2256 HMACSHA2HMACSHA-1 HMACSHA-1 HMACSHA2-256 HMACSHA2-512 s N/A N/A N/A N/A Document Version 1.0

Page 57

KASECCSSC Sp80056Ar3 Methods: P256 KASECCSSC Sp80056Ar3 Methods: P384 KASFFCSSC Sp80056Ar3 Cipher: AES128, AES192, AES256 ; Hash 6-4) 6-4) KAS-ECCEPHEMUNIFIEDNOKC KAS-ECCEPHEMUNIFIEDNOKC KAS-FFCEPHEMNOKC s N/A N/A N/A N/A RSAVerify ECDSASign Document Version 1.0

Page 58

6-4) 6-4) SHA2512 ECDSAVERIFY SHA-2512 6-4) 6-4) KASFFCSSC Sp80056Ar3 6-4) s N/A Document Version 1.0

Page 59

s SP800108 N/A AESGCM AESGCM AESCMAC AESKEYWRA AESKEYWRA AESCMAC AESCMAC AESCMAC AES128CMAC AES128CMAC AES256CMAC AES256CMAC Document Version 1.0

Page 60
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesTest MethodIndicator
ECDSA SigVer (FIPS18 6-4) (A4301)ECDSA SigVer (FIPS18 6-4) (A4301)KATHost OS upgrade staged. Reboot the system to complete installation !On loading of firmware from an external sourceCurve: P-256 Hash Algorithm: SHA2-256SW/F W LoadVerify
Manual entry test (duplicat e entries)Manual entry test (duplicat e entries)Duplicate entry test required for entry of operator passwor ds and MACsec PSK via direct connecti on to the module's console (serial) interfaceCommand prompt with "fips" string provided post completion of the testOn configurati on of operator passwords and MACsec PSKDuplicate entry test required for entry of operator passwords and MACsec PSK via direct connection to the module's console (serial) interfaceManu al EntryN/A
Firmware Integrity TestFirmware Integrity TestKATSW/FW IntegrityOn DemandManually via a reboot
HMAC DRBG (A4303)HMAC DRBG (A4303)KATCASTOn DemandManually via a reboot
HMAC-SHA2- 256 (A4303)HMAC-SHA2- 256 (A4303)KATCASTOn DemandManually via a reboot
AES-CBC (A4301)AES-CBC (A4301)KATCASTOn DemandManually via a reboot
AES-CBC (A4301)AES-CBC (A4301)KATCASTOn DemandManually via a reboot
AES-CBC (A4301)AES-CBC (A4301)KATCASTOn DemandManually via a reboot
AES-CBC (A4301)AES-CBC (A4301)KATCASTOn DemandManually via a reboot
AES-CBC (A4301)AES-CBC (A4301)KATCASTOn DemandManually via a reboot
AES-CBC (A4301)AES-CBC (A4301)KATCASTOn DemandManually via a reboot
HMAC DRBG (A4301)HMAC DRBG (A4301)KATCASTOn DemandManually via a reboot
HMAC-SHA-1 (A4301)HMAC-SHA-1 (A4301)KATCASTOn DemandManually via a reboot
HMAC-SHA2- 256 (A4301)HMAC-SHA2- 256 (A4301)KATCASTOn DemandManually via a reboot
HMAC-SHA2- 512 (A4301)HMAC-SHA2- 512 (A4301)KATCASTOn DemandManually via a reboot
KAS-ECC-SSC Sp800-56Ar3 (A4301)KAS-ECC-SSC Sp800-56Ar3 (A4301)KATCASTOn DemandManually via a reboot
KAS-ECC-SSC Sp800-56Ar3 (A4301)KAS-ECC-SSC Sp800-56Ar3 (A4301)KATCASTOn DemandManually via a reboot
KAS-FFC-SSC Sp800-56Ar3 (A4301)KAS-FFC-SSC Sp800-56Ar3 (A4301)KATCASTOn DemandManually via a reboot
KDF SSH (A4301)KDF SSH (A4301)KATCASTOn DemandManually via a reboot
RSA SigGen (FIPS186-4) (A4301)RSA SigGen (FIPS186-4) (A4301)KATCASTOn DemandManually via a reboot
RSA SigVer (FIPS186-4) (A4301)RSA SigVer (FIPS186-4) (A4301)KATCASTOn DemandManually via a reboot
ECDSA SigGen (FIPS186-4) (A4301)ECDSA SigGen (FIPS186-4) (A4301)KATCASTOn DemandManually via a reboot
ECDSA SigVer (FIPS186-4) (A4301)ECDSA SigVer (FIPS186-4) (A4301)KATCASTOn DemandManually via a reboot
SHA2-512 (A4306)SHA2-512 (A4306)KATCASTOn DemandManually via a reboot
Entropy testEntropy testRCTCASTOn DemandManually via a reboot
Entropy testEntropy testAPTCASTOn DemandManually via a reboot
ECDSA KeyGen (FIPS186-4) (A4301)ECDSA KeyGen (FIPS186-4) (A4301)PCTPCTOn DemandManually via a reboot
ECDSA KeyGen (FIPS186-4) (A4301)ECDSA KeyGen (FIPS186-4) (A4301)PCTPCTOn DemandManually via a reboot
KAS-FFC-SSC Sp800-56Ar3 (A4301)KAS-FFC-SSC Sp800-56Ar3 (A4301)PCTPCTOn DemandManually via a reboot
RSA KeyGen (FIPS186-4) (A4301)RSA KeyGen (FIPS186-4) (A4301)PCTPCTOn DemandManually via a reboot
AES-KW (A4304)AES-KW (A4304)KATCASTOn DemandManually via a reboot
AES-KW (A4304)AES-KW (A4304)KATCASTOn DemandManually via a reboot
KDF SP800-108 (A4304)KDF SP800-108 (A4304)KATCASTOn DemandManually via a reboot
AES-GCM (AES 4369)AES-GCM (AES 4369)KATCASTOn DemandManually via a reboot
AES-GCM (AES 4369)AES-GCM (AES 4369)KATCASTOn DemandManually via a reboot
AES-CMAC (A4304)AES-CMAC (A4304)KATCASTOn DemandManually via a reboot
AES-CMAC (A4304)AES-CMAC (A4304)KATCASTOn DemandManually via a reboot
AES-CMAC (A4304)AES-CMAC (A4304)KATCASTOn DemandManually via a reboot
AES-CMAC (A4304)AES-CMAC (A4304)KATCASTOn DemandManually via a reboot
ECDSA SigVer (FIPS186-4) (A4301)ECDSA SigVer (FIPS186-4) (A4301)KATSW/FW LoadOn DemandManually via loading of firmware from an external source
Manual entry test (duplicate entries)Manual entry test (duplicate entries)Duplicate entry test required for entry of operator passwords and MACsec PSK via direct connection to the module'sManual EntryOn DemandManually via configuration of operator passwords and MACsec PSK

6-4) W e ! s Table 24: Conditional Self-Tests Cryptographic Algorithm Self-tests (CASTs) are performed on each boot of the module. Other conditional self-tests are performed by the module when the corresponding condition is met. The pairwise consistency tests are performed on key pair generation for use in signature generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC-SSC or KASFFC-SSC SSP agreement (ECDSA and FFC tests respectively). The firmware load test is performed when a firmware image is loaded onto the module from an external source.

10.3 Periodic Self-Test Information

Table 25: Pre-Operational Periodic Information Document Version 1.0

Page 63
Self test
NameAlgorithm Or TestPeriodic Method
TestTestMethod
Service
NameDescriptionRole AccessIndicator
Hard Error stateIf the pre-operation firmware integrity test, if any of the CASTs or pair- wise consistency tests fail, then the module returns an error indicator, inhibits all data output and enters the hard error stateIf the pre- operational firmware integrity test, fails, if any of the CASTs fail or if a pairwise consistency test fails"FIPS error: self- test failure" for firmware integrity failure, "FIPS error 1: <name of the algorithm> Known Answer Test: Failed" for CAST failure and -1 for pair-wise consistency test failureN/A
Soft Error state•In case of a firmware load test failure, the module rejects the firmware, returns an error indicator and enters the soft error state •In the event of an APT or RCT health test failure, output from the entropy source is inhibited, all entropy accumulated in the conditioning context is discarded and the start- up health-tests are performed againIf the firmware load test fails If the APT or RCT test fails"Validation Error" for the firmware load test failure; entropy data discarded in case of APT/RCT failureN/A for firmware load test failure; In case of APT and/or RCT failures, new data continues to be tested by the health tests, and once both health tests indicate a “pass”, the entropy source again outputs data

Table 26: Conditional Periodic Information prior to any other use of cryptography by the module in the Approved mode of operation. These

10.4 Error States

N/A Table 27: Error States generated keypair/loaded image, returns an error indicator and resumes normal operation. Document Version 1.0

Page 64
10.5 Operator Initiation of Self-Tests

Each time the module is powered up it tests that all the cryptographic algorithms operate correctly, and that sensitive data have not been damaged. Pre-operational as well as Conditional Cryptographic Algorithm Self-tests (CAST) are performed on each power up/boot of the module and on demand by power cycling the module (Perform self-tests (remote reset) service).

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The Crypto Officer must follow the procedures defined below for secure installation, initialization, startup and operation of the module. Crypto Officer Guidance The Crypto Officer must check to verify the firmware image being loaded on the module is the FIPS 140-3 validated version/image. If the image is the FIPS 140-3 validated image, then proceed with installation of the image. Installing The Firmware Image Download the validated firmware image from https://www.juniper.net/support/downloads/junos.html. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. Select the validated firmware image. Download the firmware image to a local host or to an internal software distribution site. Connect to the console port on the device from your management device and log in to the Junos OS CLI. Copy the firmware package to the device to the /var/tmp/ directory. Install the new package on the device using the following command: operator> request vmhost software add /var/tmp/<package>.tgz. NOTE: If you need to terminate the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, junos-vmhost-install-ptx-x86-64-22.4R2.8.tgz. This is your last chance to stop the installation. Reboot the device to complete the load and start the installation: operator> request vmhost reboot After the reboot has completed, log in and use the show version command to verify that the new version of the firmware is successfully installed. Document Version 1.0

Page 65

Also install the built-in fips-mode.tgz package needed for enabling the Approved-mode and the jpfe-fips package needed for execution of the CASTs. Please note that this is a one-time installation after which the module remains in the Approved mode once enabled and automatically executes the CASTs on each boot without requiring any operator or external intervention. The following are the commands used for installing these packages: operator >request system software add optional://fips-mode.tgz operator >request system software add optional://jpfe-fips.tgz Enabling Approved Mode of Operation The Crypto Officer is responsible for initializing the module in the Approved mode of operation. The Approved mode of operation is not automatically enabled. The Crypto Officer shall place the module in the Approved mode by first zeroising it to ensure no SSPs are present. Next, the cryptographic officer shall follow the steps found in the Junos OS FIPS Evaluated Configuration Guide for PTX Series, Release 22.4R2 document Chapter 2 to place the module into an Approved mode of operation. The steps from the aforementioned document have been reiterated below. To enable the Approved mode in Junos OS on the module:

  1. Zeroise the module using the “request vmhost zeroize” command. Once the module comes up in the “amnesiac mode” post zeroisation, connect to it using the console port with username “root”, enter the configuration mode and configure the rootauthentication password (i.e., Crypto Officer credentials) as follows: root@device> edit Entering configuration mode [edit] root@device# set system root-authentication plain-textpassword New password: Retype new password: [edit] root@device# commit configuration check succeeds commit complete
  2. Enable Approved mode on the device by setting the Approved level to 1, and verify the level: [edit] root@device# set system fips level 1 [edit] root@device# show system fips level level 1;
  3. Commit the configuration Document Version 1.0
Page 66

[edit ] root@device# commit configuration check succeeds Generating RSA key /etc/ssh/fips_ssh_host_key Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key 'system' reboot is required to transition to fips level 1 commit complete

  1. Reboot the device: [edit] root@device# run request system reboot Reboot the system ? [yes,no] (no) yes During the reboot, the device runs the pre-operational firmware integrity test and all CASTs. It returns a login prompt as follows: root@device:fips>
  2. After the reboot has completed, log in and use the show version command to verify the firmware version is the validated version: root@device:fips > show version Placing the Module in the Non-Approved Mode of Operation As Crypto Officer, the operator needs to disable the Approved mode of operation on the device to return it to the non-Approved mode of operation. To disable the Approved mode on the device, the module must be zeroised (step 1 defined above).
11.2 Administrator Guidance

For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for PTX, Release 22.4R2 document.

11.3 Non-Administrator Guidance

For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for PTX, Release 22.4R2 document.

11.4 Maintenance Requirements

No other maintenance requirements apply for operation of the module in the Approved/nonApproved modes as defined above.

11.5 End of Life

The module can be securely sanitized at the end of its lifetime by zeroising it. Document Version 1.0

Page 67
12 Mitigation of Other Attacks
12.1 Attack List

The module does not implement any mitigation of other attacks and thus the requirements per this section do not apply to the module. Document Version 1.0

Referenced URLs