| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 2/6/2027 |
| Caveat | Interim validation. When operated in Approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Juniper Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A4301 |
| AES-CMAC | A4304 |
| AES-CTR | A4301 |
| AES-ECB | A4301 |
| AES-GCM | |
| AES-KW | A4304 |
| AES-XPN | |
| ECDSA KeyGen (FIPS186-4) | A4301 |
| ECDSA KeyVer (FIPS186-4) | A4301 |
| ECDSA SigGen (FIPS186-4) | A4301 |
| ECDSA SigVer (FIPS186-4) | A4301 |
| HMAC DRBG | A4301 |
| HMAC-SHA-1 | A4301 |
| HMAC-SHA2-256 | A4301 |
| HMAC-SHA2-512 | A4301 |
| KAS-ECC-SSC Sp800-56Ar3 | A4301 |
| KAS-FFC-SSC Sp800-56Ar3 | A4301 |
| KDF SP800-108 | A4304 |
| KDF SSH (CVL) | A4301 |
| RSA KeyGen (FIPS186-4) | A4301 |
| RSA SigGen (FIPS186-4) | A4301 |
| RSA SigVer (FIPS186-4) | A4301 |
| SHA-1 | A4301 |
| SHA2-256 | A4301 |
| SHA2-512 | A4301 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | 7 |
| Non-Invasive Security | 8 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Juniper Networks PTX10008 and PTX10016 Packet Transport Routers
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Soft Error state</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i>"]
C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial<br/>USB</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C4 --> I4 --> R4 --> E4
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C4,C5,C6 clue;
class I2,I3,I4,I5,I6 infer;
class R2,R3,R4,R5,R6 risk;
class E2,E3,E4,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Juniper Networks PTX10008 and PTX10016 Packet Transport Routers
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Soft Error state</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i><br/>src: securityPolicy.services"]
C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial<br/>USB</i><br/>src: securityPolicy.portsAndInterfaces"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C4 clueHigh;
class C5,C6 clueLow;Juniper Networks, Inc. Juniper Networks PTX10008 and PTX10016 Packet Transport Routers Document Version 1.0
| # | Section | Page |
|---|---|---|
| 1 | General | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 5 |
| 1.3 | Additional Information | 6 |
| 2 | Cryptographic Module Specification | 6 |
| 2.1 | Description | 6 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 11 |
| 2.3 | Excluded Components | 12 |
| 2.4 | Modes of Operation | 12 |
| 2.5 | Algorithms | 13 |
| 2.6 | Security Function Implementations | 16 |
| 2.7 | Algorithm Specific Information | 20 |
| 2.8 | RBG and Entropy | 20 |
| 2.9 | Key Generation | 21 |
| 2.10 | Key Establishment | 21 |
| 2.11 | Industry Protocols | 21 |
| 2.12 | Additional Information | 21 |
| 3 | Cryptographic Module Interfaces | 22 |
| 3.1 | Ports and Interfaces | 22 |
| 4 | Roles, Services, and Authentication | 23 |
| 4.1 | Authentication Methods | 23 |
| 4.2 | Roles | 25 |
| 4.3 | Approved Services | 26 |
| 4.4 | Non-Approved Services | 41 |
| 4.5 | External Software/Firmware Loaded | 43 |
| 4.6 | Cryptographic Output Actions and Status | 43 |
| 5 | Software/Firmware Security | 43 |
| 5.1 | Integrity Techniques | 43 |
| 5.2 | Initiate on Demand | 44 |
| 5.3 | Additional Information | 44 |
| 6 | Operational Environment | 44 |
| 6.1 | Operational Environment Type and Requirements | 44 |
| 6.2 | Configuration Settings and Restrictions | 44 |
| 7 | Physical Security | 44 |
| 7.1 | Mechanisms and Actions Required | 44 |
| 8 | Non-Invasive Security | 45 |
| 8.1 | Mitigation Techniques | 45 |
| 9 | Sensitive Security Parameters Management | 45 |
| 9.1 | Storage Areas | 45 |
| 9.2 | SSP Input-Output Methods | 45 |
| 9.3 | SSP Zeroization Methods | 46 |
| 9.4 | SSPs | 46 |
| 10 | Self-Tests | 54 |
| 10.1 | Pre-Operational Self-Tests | 54 |
| 10.2 | Conditional Self-Tests | 55 |
| 10.3 | Periodic Self-Test Information | 60 |
| 10.4 | Error States | 63 |
| 10.5 | Operator Initiation of Self-Tests | 64 |
| 11 | Life-Cycle Assurance | 64 |
| 11.1 | Installation, Initialization, and Startup Procedures | 64 |
| 11.2 | Administrator Guidance | 66 |
| 11.3 | Non-Administrator Guidance | 66 |
| 11.4 | Maintenance Requirements | 66 |
| 11.5 | End of Life | 66 |
| 12 | Mitigation of Other Attacks | 67 |
| 12.1 | Attack List | 67 |
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Hardware | 12 |
| Table 3: Modes List and Description | 12 |
| Table 4: Approved Algorithms | 15 |
| Table 5: Vendor-Affirmed Algorithms | 15 |
| Table 6: Non-Approved, Allowed Algorithms | 16 |
| Table 7: Non-Approved, Allowed Algorithms with No Security Claimed | 16 |
| Table 8: Non-Approved, Not Allowed Algorithms | 16 |
| Table 9: Security Function Implementations | 20 |
| Table 10: Entropy Certificates | 20 |
| Table 11: Entropy Sources | 20 |
| Table 12: Ports and Interfaces | 23 |
| Table 13: Authentication Methods | 25 |
| Table 14: Roles | 26 |
| Table 15: Approved Services | 41 |
| Table 16: Non-Approved Services | 43 |
| Table 17: Mechanisms and Actions Required | 44 |
| Table 18: Storage Areas | 45 |
| Table 19: SSP Input-Output Methods | 45 |
| Table 20: SSP Zeroization Methods | 46 |
| Table 21: SSP Table 1 | 51 |
| Table 22: SSP Table 2 | 54 |
| Table 23: Pre-Operational Self-Tests | 54 |
| Table 24: Conditional Self-Tests | 60 |
| Table 25: Pre-Operational Periodic Information | 60 |
| Table 26: Conditional Periodic Information | 63 |
| Table 27: Error States | 63 |
| Figure 1: Physical Cryptographic Boundary [Left to Right: PTX10008 and PTX10016] | 7 |
| Figure 2: Routing Engine [JNP10K-RE0] | 7 |
| Figure 3: PTX10K-LC1105-M MACSec Line Card | 8 |
| Figure 4: PTX10008 Chassis Rear | 8 |
| Figure 5: PTX10016 Chassis Rear | 9 |
| Figure 6: PTX10008 Block diagram | 10 |
| Figure 7: PTX10016 Block diagram | 11 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 3 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | 1 |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 1 |
Introduction Federal Information Processing Standards Publication 140-3
The module claims an overall Security Level of 1 with all individual sections at a Security Level
1 with the exceptions of Roles, Services and Authentication (claimed at Security Level 3). The
module does not implement any non-invasive security mitigations or mitigations of other attacks and thus the requirements per these sections are inapplicable.
Purpose and Use: The cryptographic module provides for an encrypted connection, using SSH, between the management station and itself, i.e., the PTX series routers. The cryptographic module also provides for an encrypted connection, using MACsec, between itself and a peer. Module Type: Hardware Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic module’s operational environment is a limited operational environment. The cryptographic boundary of the hardware module is the entirety of the module/chassis. This includes the Routing Engine (RE). No components have been excluded from the cryptographic boundary of the module. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the entirety of the module chassis. The images below depict the physical boundary of the modules, including the Routing Engine, the PTX10KLC1105-M MACsec Line Card and SIB. The non-crypto-relevant line cards included in the figure are not inserted in the module/excluded from the boundary per the scope of this validation. Document Version 1.0
Figure 1: Physical Cryptographic Boundary [Left to Right: PTX10008 and PTX10016] Figure 2: Routing Engine [JNP10K-RE0] 1- RCB status LEDs 3- PTP-capable connections: SMB In, SMB Out, 10 MHz In, 10 MHz Out 5- USB 2.0 port 7- Reset (RESET) button 2- Console port (CON) 4- Management port (MGMT) 6- Secondary 50-GB SATA SSD slot 8- Four SFP+ ports (reserved for future use) Document Version 1.0
Figure 3: PTX10K-LC1105-M MACSec Line Card 1- Power LED (PWR), status LED (STS), and offline (OFF) button 2- Network ports. Figure 4: PTX10008 Chassis Rear 1- AC or DC power supplies numbered 0–5 (top to bottom) 2- Fan trays with redundant fans Document Version 1.0
Figure 5: PTX10016 Chassis Rear 1- Power supplies 2- Fan trays 3- ESD point 4- Protective earthing terminal Document Version 1.0
Figure 6: PTX10008 Block diagram Document Version 1.0
| Name | Model | Hardware Version | Firmware Version | Processor | Features |
|---|---|---|---|---|---|
| PTX10008 | PTX10008 | PTX10008 | Junos OS 22.4R2.8 | Intel Xeon E3- 1125v2 | JNP10K-PWR-AC; JNP10K- PWR-DC; JNP10K-PWRAC2; JNP10K-PWR-DC2 |
| PTX10016 | PTX10016 | PTX10016 | Junos OS 22.4R2.8 | Intel Xeon E3- 1125v2 | JNP10K-PWR-AC; JNP10K- PWR-DC; JNP10K-PWRAC2; JNP10K-PWR-DC2 |
Figure 7: PTX10016 Block diagram The PTX10K-LC1105-M has thirty 28-Gbps QSFP+ (QSFP28) ports that are Media Access Control Security (MACsec) capable, each of which can be configured via the CLI to support speeds of 100 Gbps or 40 Gbps. Each of the 30 QSFP28 ports can operate as:
Tested Module Identification
| Name | Description | Role Access | Type |
|---|---|---|---|
| Non- Approved mode | • The cryptographic module supports a non- Approved mode of operation; • When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operation | global indicator (implicit indicator based on exclusion of string 'fips' from the command prompt) | Non- Approved |
Table 2: Tested Module Identification
No components have been excluded from the cryptographic boundary of the module. Modes List and Description: NonApproved NonApproved Table 3: Modes List and Description The hardware versions contained in Table 2, with Junos OS 22.4R2.8 installed, contain one Document Version 1.0
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A4301 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC | A4304 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CMAC | A4304 | Direction - Generation, Verification Key Length - 128, 256 | SP 800-38B |
| AES-CTR | A4301 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A4301 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A4304 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-GCM | AES 4369 | Direction - Decrypt, Encrypt IV Generation - External Key Length - 128, 256 | SP 800-38D |
| AES-KW | A4304 | Direction - Decrypt, Encrypt Key Length - 128 | SP 800-38F |
| AES-XPN | AES 4369 | Direction - Decrypt, Encrypt Key Length - 128, 256 IV Generation - External | SP 800-38D |
| ECDSA KeyGen (FIPS186-4) | A4301 | Curve - P-256, P-384, P-521 Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A4301 | Curve - P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A4301 | Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A4301 | Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| HMAC DRBG | A4301 | Prediction Resistance - Yes Mode - SHA2-256 | SP 800-90A Rev. 1 |
| HMAC DRBG | A4303 | Prediction Resistance - Yes Mode - SHA2-256 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A4301 | Key Length - Key Length: 160 | FIPS 198-1 |
| HMAC-SHA2-256 | A4301 | Key Length - Key Length: 256 | FIPS 198-1 |
| HMAC-SHA2-256 | A4303 | Key Length - Key Length: 256 | FIPS 198-1 |
| HMAC-SHA2-512 | A4301 | Key Length - Key Length: 512 | FIPS 198-1 |
| KAS-ECC-SSC Sp800-56Ar3 | A4301 | Domain Parameter Generation Methods - P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A4301 | Domain Parameter Generation Methods - FC, MODP-2048 Scheme - dhEphem - KAS Role - initiator | SP 800-56A Rev. 3 |
| KDF SP800-108 | A4304 | KDF Mode - Counter Supported Lengths - Supported Lengths: 128, 256 | SP 800-108 Rev. 1 |
| KDF SSH (CVL) | A4301 | Cipher - AES-128, AES-192, AES-256, TDES Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| RSA KeyGen (FIPS186-4) | A4301 | Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard | FIPS 186-4 |
| RSA SigGen (FIPS186-4) | A4301 | Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A4301 | Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| Safe Primes Key Generation | A4301 | Safe Prime Groups - MODP-2048 | SP 800-56A Rev. 3 |
| Safe Primes Key Verification | A4301 | Safe Prime Groups - MODP-2048 | SP 800-56A Rev. 3 |
| SHA-1 | A4301 | Message Length - Message Length: 0- 65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A4301 | Message Length - Message Length: 0- 65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A4303 | Message Length - Message Length: 0- 65536 Increment 8 | FIPS 180-4 |
| SHA2-512 | A4301 | Message Length - Message Length: 0- 65536 Increment 8 | FIPS 180-4 |
| SHA2-512 | A4303 | Message Length - Message Length: 0- 65536 Increment 8 | FIPS 180-4 |
| SHA2-512 | A4306 | Message Length - Message Length: 0- 65536 Increment 8 | FIPS 180-4 |
firmware image must be installed on the module. The module is configured during initialization by the Crypto Officer to operate in the Approved mode or the non-Approved mode. When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operation. The module is in a non-compliant state by default and the Crypto Officer can place the module into the nonApproved mode of operation by following the instructions in Section 11 Life-Cyle Assurance in this document. Mode Change Instructions and Status: The module must always be zeroised when switching between the Approved mode of operation and the non-Approved mode of operation and vice versa. Degraded Mode Description: The module does not support a degraded mode of operation.
Approved Algorithms: Document Version 1.0
| Name | Properties | ||
|---|---|---|---|
| CKG - Section 4 and 5.1 | Key Type:Asymmetric | N/A | NIST SP800-133r2 Section 4: Asymmetric seed generation using an unmodified output from an Approved DRBG; Section 5.1: Key Pairs for Digital Signature Schemes |
| CKG - Section 4 and 5.2 | Key Type:Asymmetric | N/A | NIST SP800-133r2 Section 4: Asymmetric seed generation using an unmodified output from an Approved DRBG; Section 5.2: Key Pairs for Key Establishment |
| CKG - Section 6.2.1 | Key Type:Symmetric | N/A | NIST SP800-133r2 Section 6.2.1: Derivation of symmetric keys |
Table 4: Approved Algorithms The following protocols are supported by the module in the Approved mode: SSHv2 (EC Diffie-Hellman P-256, P-384, P-521; Diffie-Hellman MODP2048; RSA 2048, 3072,
4096 bits; ECDSA P-256, P-384, P-521; AES CBC 128, 192, 256 bits; AES CTR 128, 192, 256
bits, HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) MACsec (MACsec Key Agreement (MKA); AES GCM, XPN 128 and 256 bits) The SSH protocol allows independent selection of key exchange, authentication, cipher and integrity algorithms. Please note that there are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in the table above are used by an approved service of the module. Vendor-Affirmed Algorithms: 6.2.1 N/A N/A N/A Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: Document Version 1.0
| Name | Approved Functions | Properties | Reference | |
|---|---|---|---|---|
| N/A | N/A | N/A | ||
| SHA2-256 (Junos 22.4R2 - LibMD Implementation) | Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to “obfuscate” a CSP | no security claimed | ||
| SHA-1 (Junos 22.4R2 - Kernel Implementation) | Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevant | no security claimed | ||
| RSA with key size less than 2048 | SSH | |||
| ECDSA with ed25519 curve | SSH | |||
| EC Diffie-Hellman with ed25519 curve | SSH | |||
| ARCFOUR | SSH | |||
| Blowfish | SSH | |||
| CAST | SSH | |||
| DSA (SignGen, SigVer, non-compliant) | SSH | |||
| HMAC-MD5 | SSH | |||
| HMAC-RIPEMD160 | SSH | |||
| UMAC | SSH |
| Name | Approved Functions | Properties | Reference | |
|---|---|---|---|---|
| N/A | N/A | N/A | ||
| SHA2-256 (Junos 22.4R2 - LibMD Implementation) | Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to “obfuscate” a CSP | no security claimed | ||
| SHA-1 (Junos 22.4R2 - Kernel Implementation) | Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevant | no security claimed | ||
| RSA with key size less than 2048 | SSH | |||
| ECDSA with ed25519 curve | SSH | |||
| EC Diffie-Hellman with ed25519 curve | SSH | |||
| ARCFOUR | SSH | |||
| Blowfish | SSH | |||
| CAST | SSH | |||
| DSA (SignGen, SigVer, non-compliant) | SSH | |||
| HMAC-MD5 | SSH | |||
| HMAC-RIPEMD160 | SSH | |||
| UMAC | SSH |
| Name | Approved Functions | Properties | Reference | |
|---|---|---|---|---|
| N/A | N/A | N/A | ||
| SHA2-256 (Junos 22.4R2 - LibMD Implementation) | Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to “obfuscate” a CSP | no security claimed | ||
| SHA-1 (Junos 22.4R2 - Kernel Implementation) | Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevant | no security claimed | ||
| RSA with key size less than 2048 | SSH | |||
| ECDSA with ed25519 curve | SSH | |||
| EC Diffie-Hellman with ed25519 curve | SSH | |||
| ARCFOUR | SSH | |||
| Blowfish | SSH | |||
| CAST | SSH | |||
| DSA (SignGen, SigVer, non-compliant) | SSH | |||
| HMAC-MD5 | SSH | |||
| HMAC-RIPEMD160 | SSH | |||
| UMAC | SSH |
N/A N/A N/A Table 6: Non-Approved, Allowed Algorithms The module does not support any non-Approved algorithms in the Approved mode, i.e., it does not support Non-Approved Algorithms Allowed in the Approved Mode of Operation. The module does not support any non-Approved algorithms in the Approved mode, i.e., it does Table 8: Non-Approved, Not Allowed Algorithms In addition to the above non-Approved Algorithms Not Allowed in the Approved Mode of Operation, all Approved algorithms supported in the Approved mode of operation are also Document Version 1.0
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| KAS1 | Key Agreement for SSHv2 | KAS-ECC- SSC Sp800- 56Ar3 KDF SSH | KAS-135KDF KAS-SSC | SP 800- 56Arev3 KAS-ECC per IG D.F Scenario 2 path (2):size: P-256, P-384, P-521 curves; encryption strength:128, 192, 256 bits; strength caveat: SSP establishment methodology provides between 128 and 256 bits of encryption strength |
| KAS2 | Key Agreement for SSHv2 | KAS-FFC- SSC Sp800- 56Ar3 KDF SSH Safe Primes Key Generation Safe Primes Key Verification | AsymKeyPair- KeyGen AsymKeyPair- KeyVer KAS-135KDF KAS-SSC | SP800- 56Arev3 KAS-FFC per IG D.F Scenario 2 path (2):size: MODP 2048; encryption strength: SSP establishment methodology provides 112 bits of encryption strength |
| KTS1 | Key Transport for SSHv2 | AES-CBC AES-CTR AES-ECB HMAC- SHA-1 HMAC- SHA2-256 HMAC- SHA2-512 SHA-1 SHA2-256 SHA2-512 | KTS-Wrap | SP800-38A AES CBC, CTR and HMAC 198 per IG D.G:size: 128, 192, and 256-bit keys; SSP establishment methodology provides between 128 and 256 bits |
| ECDSA SigVer | ECDSA Signature Verification used for firmware integrity | ECDSA SigVer (FIPS186-4) | DigSig-SigVer | FIPS 186-4 :size: P-256, encryption strength: 128 bits |
| ECDSA SigVer2 | ECDSA Signature Verification used for identity-based public key authentication | ECDSA SigVer (FIPS186-4) | DigSig-SigVer | FIPS 186- 4:size: P-256, P-384, P-521 curves, 128, 192 and 256 bits |
| DRBG | Kernel DRBG providing random bits to the DRBG2 for SSP generation in the user/application space | HMAC DRBG HMAC- SHA2-256 SHA2-256 | DRBG | |
| DRBG2 | SSP generation in user/application space | HMAC DRBG HMAC- SHA2-256 SHA2-256 | DRBG | |
| Entropy Souce | Non-Physical Entropy Source | SHA2-512 | ENT-Cond | |
| ECDSA KeyGen | Generation of SSH host keys | ECDSA KeyGen (FIPS186-4) | AsymKeyPair- KeyGen | |
| ECDSA KeyGen2 | SSP Agreement in the context of SSH | ECDSA KeyGen (FIPS186-4) | AsymKeyPair- KeyGen | |
| ECDSA KeyVer | Verification of keys generated | ECDSA KeyVer (FIPS186-4) | AsymKeyPair- KeyVer | |
| ECDSA SigGen | Signature Generation using ECDSA in the context of SSH | ECDSA SigGen (FIPS186-4) | DigSig- SigGen | |
| RSA KeyGen | Generation of SSH host keys | RSA KeyGen (FIPS186-4) | AsymKeyPair- KeyGen | |
| RSA SigGen | Signature Generation using RSA in the context of SSH | RSA SigGen (FIPS186-4) | DigSig- SigGen | |
| RSA SigVer | Signature Verification using RSA for public key authentication | RSA SigVer (FIPS186-4) | DigSig-SigVer | |
| Password Hash | Used to store passwords in hashed form | SHA2-512 | SHA | |
| CKG | Cryptographic Key Generation (CKG) | CKG - Section 6.2.1 Key Type: Symmetric | CKG | |
| MACsec Encryption/Decryption | Encryption/Decryption of MACsec packets | AES-GCM AES-XPN | BC-Auth | |
| KTS2 | Key Transport for MACsec | AES-KW | KTS-Wrap | SP800-38D AES KW per IG D.G :size:128- ,192-,256-bit keys; encryption strength: SSP establishment methodology provides between 128 and 256 bits of encryption strength |
| MACsec Key Derivation | NIST SP 800-108 KDF used in the context of MAcsec to derive SSPs | KDF SP800-108 AES-CMAC AES-ECB AES-CBC | KBKDF MAC | |
| CASTs on boot | List of algorithms for which Known Answer Tests (CASTs) have been implemented in the module and perform on each boot | AES-CBC HMAC DRBG HMAC- SHA-1 HMAC- SHA2-256 HMAC- SHA2-512 KAS-ECC- SSC Sp800- 56Ar3 KAS-FFC- SSC Sp800- 56Ar3 KDF SSH ECDSA | BC-Auth BC-UnAuth DigSig- SigGen DigSig-SigVer DRBG ENT-Cond KAS-135KDF KBKDF MAC SHA |
AsymKeyPairKeyVer SP 80056Arev3 SP80056Arev3 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 HMACSHA-1 HMACSHA2-256 HMACSHA2-512 Document Version 1.0
DigSigSigGen DigSigSigGen HMACSHA2-256 HMACSHA2-256 Document Version 1.0
DigSigSigGen 6.2.1 HMACSHA-1 HMACSHA2-256 HMACSHA2-512 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 Document Version 1.0
| Name | Type | Strength | Operational Environment | Conditioning Component | |
|---|---|---|---|---|---|
| Junos OS Non- Physical Entropy Source | Non- Physical | 8 bits | Intel Xeon E3- 1125v2 | 0.83 bits | SHA2-512 (CAVP Cert. #A3403) |
| Cert | Vendor Name | |
|---|---|---|
| Number | ||
| E104 | Juniper Networks |
Table 9: Security Function Implementations HMACSHA2-256
The module only supports testable RSA moduli/key sizes (2048, 3072 and 4096 bits) and thus the requirements per FIPS 140-3 IG C.F do not apply.
Table 10: Entropy Certificates NonPhysical Table 11: Entropy Sources Document Version 1.0
The module implements two NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2 and 6.2.1.
Per IG D.F: The module implements full KAS (KAS-ECC-SSC, KAS-FFC-SSC per NIST SP 800-56Ar3 and KDF SSH per NIST SP 800-135r1; IG D.F Scenario 2 (path 2 option 2, separate testing of the SSC and SP800-135r1 KDF). The KAS1 and KAS2 in the SFI Table have been documented in accordance with this requirement: KAS1: KAS (KAS-ECC-SSC Cert.#A4301 and CVL Cert. #A4301; SSP establishment methodology provides between 128 and 256 bits of encryption strength) KAS2: KAS (KAS-FFC-SSC Cert.#A4301 and CVL Cert. #A4301; SSP establishment methodology provides 112 bits of encryption strength) The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KDF SSH) as individual entries. Per IG D.G: The module supports the IETF SSH and MACsec protocols and thus implements key transport in the context of the protocols (per the KTS1 and KTS2 entries in the SFI table of the Security Policy). The module implements the following approved KTS using approved AES modes: AES CBC and CTR (KTS1): KTS (AES Cert. #A4301 and HMAC Cert. #A4301; SSP establishment methodology provides between 128 and 256 bits of encryption strength) AES KW (KTS2): KTS (AES Cert. #A4304; SSP establishment methodology provides between
No parts of the SSH and MACsec protocols, other than the KDF SSH and the NIST SP 800-108 KDF for MACsec, have been tested by the CAVP or CMVP.
The module design corresponds to the security rules below. The term shall in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| Ethernet (Management port) | Ethernet (Management port) | Data Input Data Output Control Input Status Output | LAN, Communications/remote management |
| Serial | Serial | Data Input Data Output | Console Serial Port |
| USB | USB | Data Input Control Input | USB port, load Junos Image |
| Power | Power | Power | Power connector, Power over Ethernet |
| Alarm LEDs | Alarm LEDs | Status Output | Status indicator lighting |
| Reset Button | Reset Button | Control Input | Reset signal |
| PTP-capable connections | PTP-capable connections | Data Input Data Output | SMB In/out (clock synchronization) |
| Online/Offline Button | Online/Offline Button | Control Input | Online/Offline signal |
| Name | Description | Strength | Security Mechanism | Strength per Minute |
|---|---|---|---|---|
| Username and password over the console and SSH | • The module enforces 10- character passwords (at minimum) chosen from the 96 human readable ASCII characters; The maximum password length is 20- characters; Thus, the probability of a successful random attempt is 1/(96^10), which is less than 1/1,000,000 (million); • The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced; Upon the third attempt, the module enforces a 5-second delay; Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g., 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20- second delay, 7th failed attempt | 1/(96^10) | SHA2-512 (A4306) | 9/(96^10) |
| Username and ECDSA public key over SSH | • The module supports ECDSA (P-256, P-384, and P-521), which has a minimum equivalent computational resistance to attack of either 2^128, 2^192 or 2^256 depending on the curve; Thus, the probability of a successful random attempt is 1/(2^128), which is less than 1/1,000,000 (million) • Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one- minute period is 15,000/(2^128), which is less than 1/100,000 | 1/(2^128) | ECDSA SigVer (FIPS186-4) (A4301) | 15,000/(2^128) |
| Username and RSA public key over SSH | • The module supports RSA (2048, 3072, 4096 bits), which has a minimum equivalent computational resistance to attack of 2^112 (2048 bits); Thus, the probability of a successful random attempt is 1/ (2^112), which is less than 1/1,000,000 (million) • Configurable SSH | 1/ (2^112) | RSA SigVer (FIPS186-4) (A4301) | 15,000/(2^112) |
Table 12: Ports and Interfaces The module does not support control output.
| Name | Role Access | Type | |
|---|---|---|---|
| Super-user | Crypto Officer (CO) | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Operator | User | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Read-only | User | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Root | Crypto Officer (CO) | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Unauthorised | User | Identity | Username and password over the console and SSH |
Table 13: Authentication Methods The module enforces the separation of roles using identity-based operator authentication. The module implements two forms of identity-based authentication, username, and password over the console and SSH connections, as well as username and an ECDSA or RSA public keybased authentication over SSHv2.
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Configur e security (security relevant) | Security relevant configurati on (SSH, authenticat ion data) | Root - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRB G V value: E - HMAC_DRB G Key value: E - HMAC_DRB G entropy input: E - HMAC_DRB G seed: E - SSH Public Host Key: G - User Authenticatio | DRBG DRBG2 Password Hash CKG | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Commands (SSH configuration : set system services ssh root-login allow) | Traffic |
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Configur e security (security relevant) | Security relevant configurati on (SSH, authenticat ion data) | Root - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRB G V value: E - HMAC_DRB G Key value: E - HMAC_DRB G entropy input: E - HMAC_DRB G seed: E - SSH Public Host Key: G - User Authenticatio | DRBG DRBG2 Password Hash CKG | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Commands (SSH configuration : set system services ssh root-login allow) | Traffic |
| Configur e (non- security relevant) | Non- security relevant configurati on | Super-user - CO Password: E Root - CO Password: E | Password Hash | Global Approve d Mode indicator “fips” at the CLI combine d with success | Commands (miscellaneo us commands e.g., for IP address configuration , routing | Traffic |
| ful completi on of each service | ful completi on of each service | protocols, etc.) | ||||
| Show status | Query the module status | Super-user - CO Password: E Root - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorise d - User Password: E | Password Hash | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Command (show) | CLI output |
| Show status (LED) | LEDs on the module provide physical status output | Super-user Operator Read-only Unauthorise d Root Unauthentic ated | None | LED(s) on the chassis turned on | N/A | LED |
| Show module’s versionin g informati on | Query the module’s versioning information | Super-user - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorise d - User Password: E Root - CO Password: E | Password Hash | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Command (show version) | CLI output |
| Zeroise (Perform | Destroy all SSPs | Super-user - SSH Private Host | Password Hash | Global Approve d Mode | Command (request vmhost | N/A |
Table 14: Roles The module supports two roles: Crypto Officer (CO) and User. Root and Super-user correspond to the Crypto Officer role whereas Operator, Read-Only and Unauthorised operator types correspond to the User role. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. An operator assuming the Crypto Officer role configures and monitors the module via a console or SSH connection. As Root or Super-user, the Crypto Officer has permission to view and configure passwords and public keys within the module. The User role monitors the module via the console or SSH. The User role does not have the permission to modify the configuration.
e (nonsecurity n r Nonsecurity W,E W,E E Document Version 1.0
| Name | Description | Csps Accessed | Input |
|---|---|---|---|
| zeroisati on) | indicator “fips” at the CLI combine d with success ful completi on of each service | Key: Z - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session Key: Z - User Password: Z - CO Password: E,Z - HMAC_DRB G V value: Z - HMAC_DRB G Key value: Z - HMAC_DRB G entropy input: Z - HMAC_DRB G seed: Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: Z - SSH Public Host Key: Z - User Authenticatio n Public Keys: Z - CO Authenticatio n Public Keys: Z - JuniperRoot CA: Z | zeroise no- forwarding) |
| Name | Descriptio | Indicato | Outpu | Security |
|---|---|---|---|---|
| n | n | r | ts | Functions |
| n | n | r | ts | Functions |
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Perform approve d security functions (SSH connecti on) | Initiate SSH connection for SSH monitoring and control (CLI) | Super-user - SSH Private Host Key: E - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z - HMAC_DRB G V value: E - HMAC_DRB G Key value: E - HMAC_DRB G entropy input: E - HMAC_DRB G seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: G - SSH DH Public Key: G,E,Z - SSH ECDH Public Key: G,E,Z - CO Password: E - CO Authenticatio n Public | KAS1 KAS2 KTS1 ECDSA SigVer2 DRBG DRBG2 Entropy Souce ECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen RSA SigVer Password Hash CKG | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Authenticatio n data (Username and password/pu blic-key based authenticatio n) | SSH sessio n |
| Name | Descriptio | Indicato | Outpu | Security |
|---|---|---|---|---|
| n | n | r | ts | Functions |
| n | n | r | ts | Functions |
| n | n | r | ts | Functions |
| n | n | r | ts | Functions |
| Name | Description | Role Access | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Console Access | Console monitoring and control (CLI) | Super-user - CO Password: E Operator - CO Password: E Read-only - User Password: E Unauthorise d - User Password: E | Password Hash | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of | Username, password (set system login user <username> class <crypto- officer/user class> operator authenticatio n plaintext- password) | N/A |
| each service | Root - CO Password: E | each service | ||||
| Perform self-tests (remote reset) | Software initiated reset, performs self-tests on demand via SSH | Super-user - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session Key: Z - HMAC_DRB G Key value: G,Z - HMAC_DRB G V value: G,Z - HMAC_DRB G entropy input: G,Z - HMAC_DRB G seed: G,Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: G,E,Z - SSH ECDH Public Key: G,E - SSH DH Public Key: G,E - CO Password: E - Firmware Integrity Key: E - SSH Private Host Key: E | KAS1 KAS2 KTS1 DRBG DRBG2 Entropy Souce ECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen Password Hash CKG CASTs on boot | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Control input/reset signal (request vmhost reboot) | N/A |
n r N/A <cryptoofficer/user n plaintextpassword) G,E,Z G,E,Z G,E,Z G,E,Z E d Document Version 1.0
| Name | Descriptio | Indicato | Outpu | Security |
|---|---|---|---|---|
| n | n | r | ts | Functions |
| Name | Description | Roles | Role Access | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|---|
| Perform self-tests (local reset) | Hardware reset or power cycle | Super-user - Firmware Integrity Key: E Root - Firmware Integrity Key: E Operator - Firmware Integrity Key: E Read-only - Firmware Integrity Key: E Unauthorise d - Firmware Integrity Key: E Unauthentic ated - Firmware Integrity Key: E | CASTs on boot | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Control input/reset signal | N/A | |
| Load Image | Verification and loading of a validated firmware image into | Super-user - CO Password: E - Firmware Integrity Key: E | ECDSA SigVer Password Hash | Global Approve d Mode indicator “fips” at the CLI | Image, commands | N/A | |
| the router/swit ch | the router/swit ch | - JuniperRoot CA: E - PackageCA: E Root - CO Password: E - Firmware Integrity Key: E - JuniperRoot CA: E - PackageCA: E | combine d with success ful completi on of each service | ||||
| Perform approve d security functions (MACsec connecti on) | Initiate MACsec connection | Root - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,E Super-user - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,E | CKG MACsec Encryption/Decry ption KTS2 MACsec Key Derivation | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Commands (set security macsec connectivity- association connectivity- association- name; set security macsec connectivity- association connectivity- association- name pre- shared key) | MACs ec sessio n | |
| Configure security (security relevant) | Security relevant configuration | Root, Super-user | RSA with key size less than 2048 ECDSA with ed25519 curve |
| Name | Description | Roles | Role Access | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|---|
| the router/swit ch | the router/swit ch | - JuniperRoot CA: E - PackageCA: E Root - CO Password: E - Firmware Integrity Key: E - JuniperRoot CA: E - PackageCA: E | combine d with success ful completi on of each service | ||||
| Perform approve d security functions (MACsec connecti on) | Initiate MACsec connection | Root - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,E Super-user - MACsec PSK: W,E - MACsec SAK: G,R,E - MACsec KEK: G,E - MACsec ICK: G,E | CKG MACsec Encryption/Decry ption KTS2 MACsec Key Derivation | Global Approve d Mode indicator “fips” at the CLI combine d with success ful completi on of each service | Commands (set security macsec connectivity- association connectivity- association- name; set security macsec connectivity- association connectivity- association- name pre- shared key) | MACs ec sessio n | |
| Configure security (security relevant) | Security relevant configuration | Root, Super-user | RSA with key size less than 2048 ECDSA with ed25519 curve |
n d r n connectivityassociation connectivityassociationname; set connectivityassociation connectivityassociationname preshared key) Table 15: Approved Services E E
| Name | Description | Roles | Role Access |
|---|---|---|---|
| Configure (non- security relevant) | Non-security relevant configuration | Root, Super-user | None |
| Show status | Query the module status | Root, Super-user, Operator, Read-Only, Unauthorized | None |
| Show status (LED) | LEDs on the module provide physical status output | Root, Super-user, Operator, Read-Only, Unauthorized, Unauthenticated | None |
| Show module’s versioning information | Query the module’s versioning information | Root, Super-user, Operator, Read-Only, Unauthorized | None |
| Zeroise (Perform zeroisation) | Destroy all SSPs | Root, Super-user | None |
| Perform approved security functions (SSH connection) | Initiate SSH connection for SSH monitoring and control (CLI) | Root, Super-user, Operator, Read-Only, Unauthorized | RSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie- Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC |
| Console Access | Console monitoring and control (CLI) | Root, Super-user, Operator, Read-Only, Unauthorized | None |
| Perform self-tests (remote reset) | Software initiated reset, performs self-tests on demand | Root, Super-user, Operator, Read-Only, Unauthorized | None |
| Perform self-tests (local reset) | Hardware reset or power cycle | Root, Super-user, Operator, Read-Only, Unauthorized, Unauthenticated | None |
| Load Image | Verification and loading of a validated firmware image into the router/switch | Root, Super-user | None |
| Perform approved security functions (MACsec connection) | Initiate MACsec connection | Root, Super-user | None |
SigVer, noncompliant) HMACRIPEMD160 SigVer, noncompliant) HMACRIPEMD160 Document Version 1.0
Table 16: Non-Approved Services
The module supports loading of firmware from an external source (a complete image replacement) and a firmware load test using ECDSA P-256 with SHA2-256 (CAVP Cert. #A4301) is performed in support of the load.
The module supports self-initiated cryptographic output in the context of the MACsec protocol and three independent configurations are required serving as three independent internal actions (two actions required at minimum):
The module performs the firmware integrity check using ECDSA P-256 with SHA2-256 (CAVP Cert. #A4301). The ECDSA P-256 public key used for signature verification is a non-SSP and stored persistently across reboots in the module’s Non-Volatile RAM (NVRAM) and is exempt from zeroisation. Document Version 1.0
| Mechanism | Inspection | Inspection | ||
|---|---|---|---|---|
| Frequency | Guidance | |||
| N/A | N/A | N/A |
The operator can initiate the integrity test on demand by rebooting the module.
The module firmware image is delivered in the form of a pre-compiled tarball (.tgz).
Type of Operational Environment: Limited How Requirements are Satisfied: The module contains a limited operational environment since it supports loading of firmware from an external source. The Junos OS 22.4R2.8 operating system is contained within the module, i.e., the tested configurations listed in the Tested Module Identification
Security rules and restrictions for configuration of the operational environment have been specified in Sections 2.12 and 11.1 of this document.
N/A N/A N/A Table 17: Mechanisms and Actions Required The module’s physical embodiment is that of a multi-chip standalone meeting Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. The module enclosure is made of production grade materials. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. No actions are required by the operator to ensure that physical security is maintained. Document Version 1.0
| Name | Type | Description |
|---|---|---|
| NVRAM | Static | Non-Volatile Random Access Memory |
| RAM | Dynamic | Random Access Memory |
| Name | Type | From | To | |||
|---|---|---|---|---|---|---|
| Entered over SSH - NVRAM | Encrypted | External endpoint | NVRAM | Automated | Electronic | KTS1 |
| Loaded at manufacture | Plaintext | External endpoint | NVRAM | N/A | N/A | |
| Entered through the CLI via console connection - NVRAM | Plaintext | External endpoint | NVRAM | Manual | Direct | |
| Output encrypted with MAcsec KEK | Encrypted | RAM | External endpoint (MACsec peer) | Automated | Electronic | KTS2 |
| Input during SSH negotiation | Plaintext | External endpoint | RAM | Automated | Electronic | |
| Output during SSH negotiation (host key) | Plaintext | NVRAM | External endpoint | Automated | Electronic | |
| Output during SSH negotiation (Key Agreement public key) | Plaintext | RAM | External endpoint | Automated | Electronic |
The module does not implement any non-invasive security mitigations and thus the requirements per this section do not apply to the module.
N/A N/A Table 19: SSP Input-Output Methods Document Version 1.0
| Name | Type | Description | Strength | Generation | Establishment | Storage | Zeroization | Use | |
|---|---|---|---|---|---|---|---|---|---|
| SSH Private Host Key | Private Host Key - CSP | Host key generated, used for authentication and encryption in the context of SSH | P-256 for ECDSA, 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSA | DRBG2 ECDSA KeyGen RSA KeyGen | KAS1 KAS2 | ||||
| SSH ECDH Private Key | ECDH Private Key - CSP | Ephemeral EC Diffie-Hellman private key used in SSH | KAS- ECC- SSC P- 256, P- | DRBG2 ECDSA KeyGen2 | KAS1 | ||||
| SSH DH Private Key | DH Private Key - CSP | Ephemeral Diffie- Hellman private key used in SSH | 2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSC | DRBG2 | KAS2 | ||||
| SSH Session Key | Session Key - CSP | SSH Session Key | 128 bits, 192 bits, 256 bits - 128 bits, 192 bits, 256 bits | CKG | KAS1 KAS2 | ||||
| User Password | User Password - CSP | Passwords used to authenticate users to the module | 10-20 characte rs - 1/(96^10 ) per attempt, 9/(96^10 ) per minute | ||||||
| CO Password | CO Password - CSP | Passwords used to authenticate COs to the module | 10-20 characte rs - 1/(96^10 ) per attempt, 9/(96^10 ) per minute | ||||||
| HMAC_DRB G V value | Internal state of the DRBG - CSP | A critical value of the internal state of DRBG | 256 bits - 256 bits | DRBG DRBG2 | DRBG DRBG 2 | ||||
| HMAC_DRB G Key value | Internal state of the DRBG - CSP | A critical value of the internal state of DRBG | 440 bits - 440 bits | DRBG DRBG2 | DRBG DRBG 2 | ||||
| HMAC_DRB G entropy input | Entropy input to the HMAC_DR BG - CSP | Entropy input to the HMAC_DRBG | 512 bits - 448 bits | Entropy Souce | |||||
| HMAC_DRB G seed | Seed provided to the HMAC_DR BG - CSP | Seed provided to the HMAC_DRBG | 512 bits - 440 bits | DRBG DRBG2 | DRBG DRBG 2 | ||||
| ECDH Shared Secret | Shared secret - CSP | Used in EC Diffie- Hellman (ECDH) exchange | P-256, P-384, P-521 - 128 bits, 192 bits, 256 bits | KAS1 | |||||
| DH Shared Secret | Shared secret - CSP | Used in Diffie- Hellman (DH) exchange | 2048 bits - 112 bits | KAS2 | |||||
| HMAC Key | MAC key - CSP | MAC key | 128 bits and 256 bits - 128 bits and 256 bits | KAS1 KAS2 | |||||
| SSH Public Host Key | Public key - PSP | Host key generated, used to identify the host. Also paired with the private key for authentication and encryption in the context of SSH | P-256 for ECDSA and 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSA | DRBG2 ECDSA KeyGen RSA KeyGen | |||||
| User Authenticatio n Public Keys | Public key - PSP | Used to authenticate users to the module | P-256, P-384, P-521 for ECDSA and 2048, 3072 and 4096 bits for | ||||||
| CO Authenticatio n Public Keys | Public key - PSP | Used to authenticate the CO to the module | P-256, P-384, P-521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA | ||||||
| JuniperRoot CA | Public key certificate - Neither | ECDSA prime256v1 X.509 V3 Certificate Used to verify the validity of the PackagCA | ECDSA P-256 - 128 bits | ||||||
| PackageCA | Public key certificate - Neither | ECDSA prime256v1 X.509 V3 Certificate Certificate that holds the public key for the signing key used to generate all the signatures used on the packages and signature lists | ECDSA P-256 - 128 bits | ||||||
| SSH ECDH Public Key | Public key - PSP | Ephemeral EC Diffie-Hellman public key used in SSH | KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC | DRBG2 ECDSA KeyGen2 | |||||
| SSH DH Public Key | Public key - PSP | Ephemeral Diffie- Hellman public key used in SSH | 2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSC | DRBG2 | |||||
| Firmware Integrity Key | Public key - Neither | Public key used to perform the firmware integrity test on each boot and authenticate firmware loaded from an external source | ECDSA P-256 - 128 bits | ||||||
| MACsec PSK | Symmetric key - CSP | Credential used for device-to- device authentication, consists of the CAK (pre-shared key) and CKN (identifier for the pre-shared key) | 128, 256 bits - 128, 256 bits | ||||||
| MACsec SAK | Symmetric key - CSP | Security Association Key used for creating Security Associations for encryption/decrypt ion of MACsec traffic | 128, 256 bits - 128, 256 bits | MACsec Key Derivatio n | |||||
| MACsec KEK | Symmetric key - CSP | Used to transmit SAKs to other members of a MACsec connectivity association | 128, 256 bits - 128, 256 bits | MACsec Key Derivatio n | |||||
| MACsec ICK | Symmetric key - CSP | Used to verify the integrity and authenticity of MACsec protocol data units | 128, 256 bits - 128, 256 bits | MACsec Key Derivatio n | |||||
| SSH ECDH Client Public Key | Public key - PSP | Ephemeral EC Diffie-Hellman public key used in SSH (sent by the client to the module acting as the server) | KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC | ||||||
| SSH DH Client Public Key | Public key - PSP | Ephemeral Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server) | 2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSC | ||||||
| SSH Private Host Key | NVRAM:Plaintext | Zeroisation command | |||||||
| SSH ECDH Private Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | ||||||
| SSH DH Private Key | RAM:Plaintext | Zeroisation command Power-cycle | Until session termination |
| Zeroization | Description | Rationale | Operator | ||
|---|---|---|---|---|---|
| Method | Initiation | ||||
| Zeroisation command | Command used to zeroise the module: request vmhost zeroize no-forwarding | Used to provide zeroisation as a service | Operator initiated | ||
| Power-cycle | Power cycling the module to zeroise temporary SSPs | Power cycling the module to zeroise temporary SSPs | Operator initiated | ||
| Session termination | Termination of SSH sessions automatically zeroises temporary SSPs used as part of the session | Termination of SSH sessions automatically zeroises temporary SSPs used as part of the session | Module initiated | ||
| Not zeroised | PSP not zeroised since it cannot be modified due to being inaccessible in the filesystem | PSP not zeroised since it cannot be modified due to being inaccessible in the filesystem | N/A | ||
| Derivation of SSH session key | EC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of SSH session key | EC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of SSH session key | Module initiated |
The module is complaint with FIPS 140-3 IG 9.5.A MD/DE and AD/EE for SSPs entered via the module’s CLI via a direct connection to its serial/console port and for SSPs entered/output/established via SSH/MACsec respectively.
Table 20: SSP Zeroization Methods N/A h KASECCSSC P256, PDocument Version 1.0
h for KASFFCSSC Document Version 1.0
h KASECCSSC P256, P384, P512 128 bits, for KASECCSSC for KASFFCSSC n Document Version 1.0
| Name | Type | Description | Strength | Generation | Storage | Zeroization | |
|---|---|---|---|---|---|---|---|
| MACsec KEK | Symmetric key - CSP | Used to transmit SAKs to other members of a MACsec connectivity association | 128, 256 bits - 128, 256 bits | MACsec Key Derivatio n | |||
| MACsec ICK | Symmetric key - CSP | Used to verify the integrity and authenticity of MACsec protocol data units | 128, 256 bits - 128, 256 bits | MACsec Key Derivatio n | |||
| SSH ECDH Client Public Key | Public key - PSP | Ephemeral EC Diffie-Hellman public key used in SSH (sent by the client to the module acting as the server) | KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC | ||||
| SSH DH Client Public Key | Public key - PSP | Ephemeral Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server) | 2048 bits for KAS- FFC- SSC - 112 bits for KAS- FFC- SSC | ||||
| SSH Private Host Key | NVRAM:Plaintext | Zeroisation command | |||||
| SSH ECDH Private Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | ||||
| SSH DH Private Key | RAM:Plaintext | Zeroisation command Power-cycle | Until session termination |
Table 21: SSP Table 1 h n n KASECCSSC P256, P384, P512 128 bits, for KASECCSSC for KASFFCSSC Document Version 1.0
| Name | Storage | Zeroization | ||
|---|---|---|---|---|
| SSH Session Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | |
| User Password | NVRAM:Obfuscated NVRAM:Obfuscated | Zeroisation command | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| CO Password | NVRAM:Obfuscated NVRAM:Obfuscated | Zeroisation command | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| HMAC_DRBG V value | RAM:Plaintext | Power-cycle | Until power- cycle | |
| HMAC_DRBG Key value | RAM:Plaintext | Power-cycle | Until power- cycle | |
| HMAC_DRBG entropy input | RAM:Plaintext | Power-cycle | Until power- cycle | |
| HMAC_DRBG seed | RAM:Plaintext | Power-cycle | Until power- cycle | |
| ECDH Shared Secret | RAM:Plaintext | Zeroisation command Power-cycle Derivation of SSH session key | Until SSH session key derivation | |
| DH Shared Secret | RAM:Plaintext | Zeroisation command Power-cycle Derivation | Until SSH session key derivation | |
| HMAC Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | |
| SSH Public Host Key | NVRAM:Plaintext | Zeroisation command | Output during SSH negotiation (host key) | |
| User Authentication Public Keys | NVRAM:Plaintext | Zeroisation command | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| CO Authentication Public Keys | NVRAM:Plaintext | Zeroisation command | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| JuniperRootCA | NVRAM:Plaintext | Not zeroised | Loaded at manufacture | |
| PackageCA | NVRAM:Plaintext | Not zeroised | Loaded at manufacture | |
| SSH ECDH Public Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | Output during SSH negotiation (Key Agreement public key) |
| SSH DH Public Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | Output during SSH negotiation (Key Agreement public key) |
| Firmware Integrity Key | NVRAM:Plaintext | Not zeroised | Loaded at manufacture |
powercycle powercycle powercycle powercycle Document Version 1.0
| Name | Storage | Zeroization | Input | |
|---|---|---|---|---|
| MACsec PSK | NVRAM:Plaintext | Zeroisation command | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| MACsec SAK | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Output encrypted with MAcsec KEK | Until session termination |
| MACsec KEK | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | |
| MACsec ICK | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Until session termination | |
| SSH ECDH Client Public Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Input during SSH negotiation | Until session termination |
| SSH DH Client Public Key | RAM:Plaintext | Zeroisation command Power-cycle Session termination | Input during SSH negotiation | Until session termination |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Test Properties | Indicator | Test Method |
|---|---|---|---|---|---|---|---|---|---|
| Firmware Integrity Test | Firmware Integrity Test | KAT | SW/FW Integrity | Verify | Using ECDSA P-256 with SHA2-256 | FIPS Self-tests Passed | |||
| HMAC DRBG (A4303) | HMAC DRBG (A4303) | KAT | NIST 800- 90 HMAC DRBG Known Answer Test : Passed | During boot | Prediction Resistance: Yes Supports Reseed Capabilities: Mode: SHA2-256 Entropy Input: 256 Nonce: 128 Personalizati on String Length: 0- 256 Increment 8 Additional Input: 8-256 Increment 8 Returned Bits: 1024 | N/A | CAST | ||
| HMAC- SHA2- 256 (A4303) | HMAC- SHA2- 256 (A4303) | KAT | HMAC- SHA2-256 Known Answer Test : Passed | During boot | Key Length: 256 bits | N/A | CAST | ||
| AES- CBC (A4301) | AES- CBC (A4301) | KAT | AES-CBC Known Answer Test : Passed | During boot | Key Length: 128 bits | Encrypt | CAST | ||
| AES- CBC (A4301) | AES- CBC (A4301) | KAT | AES-CBC Known Answer Test : Passed | During boot | Key Length: 192 bits | Encrypt | CAST | ||
| AES- CBC (A4301) | AES- CBC (A4301) | KAT | AES-CBC Known Answer | During boot | Key Length: 256 bits | Encrypt | CAST | ||
| AES- CBC (A4301) | AES- CBC (A4301) | KAT | AES-CBC Known Answer Test : Passed | During boot | Key Length: 128 bits | Decrypt | CAST | ||
| AES- CBC (A4301) | AES- CBC (A4301) | KAT | AES-CBC Known Answer Test : Passed | During boot | Key Length: 192 bits | Decrypt | CAST | ||
| AES- CBC (A4301) | AES- CBC (A4301) | KAT | AES-CBC Known Answer Test : Passed | During boot | Key Length: 256 bits | Decrypt | CAST | ||
| HMAC DRBG (A4301) | HMAC DRBG (A4301) | KAT | NIST 800- 90 HMAC DRBG Known Answer Test : Passed | During boot | Mode: SHA2-256, Entropy Input: 256 , Nonce: 128, Personalizati on String Length: 0- 256 , Increment 8 , Additional Input: 8-256 Increment 8 , Returned Bits: 1024 | N/A | CAST | ||
| HMAC- SHA-1 (A4301) | HMAC- SHA-1 (A4301) | KAT | HMAC- SHA-1 Known Answer Test : Passed | During boot | Key Length: 160 bits | N/A | CAST | ||
| HMAC- SHA2- 256 (A4301) | HMAC- SHA2- 256 (A4301) | KAT | HMAC- SHA2-256 Known Answer Test : Passed | During boot | Key Length: 256 bits | N/A | CAST | ||
| HMAC- SHA2- | HMAC- SHA2- | KAT | HMAC- SHA2-512 Known | During boot | Key Length: 512 bits | N/A | CAST | ||
| 512 (A4301) | 512 (A4301) | Answer Test : Passed | |||||||
| KAS- ECC- SSC Sp800- 56Ar3 (A4301) | KAS- ECC- SSC Sp800- 56Ar3 (A4301) | KAT | KAS-ECC- EPHEM- UNIFIED- NOKC Known Answer Test: Passed | During boot | Domain Parameter Generation Methods: P- 256 | N/A | CAST | ||
| KAS- ECC- SSC Sp800- 56Ar3 (A4301) | KAS- ECC- SSC Sp800- 56Ar3 (A4301) | KAT | KAS-ECC- EPHEM- UNIFIED- NOKC Known Answer Test: Passed | During boot | Domain Parameter Generation Methods: P- 384 | N/A | CAST | ||
| KAS- FFC- SSC Sp800- 56Ar3 (A4301) | KAS- FFC- SSC Sp800- 56Ar3 (A4301) | KAT | KAS-FFC- EPHEM- NOKC Known Answer Test: Passed | During boot | Domain Parameter Generation Methods: MODP-2048 | N/A | CAST | ||
| KDF SSH (A4301) | KDF SSH (A4301) | KAT | KDF-SSH- SHA2-256 Known Answer Test: Passed | During boot | Cipher: AES- 128, AES- 192, AES- 256 ; Hash Algorithm: SHA-1, SHA2-256, SHA2-512 | N/A | CAST | ||
| RSA SigGen (FIPS18 6-4) (A4301) | RSA SigGen (FIPS18 6-4) (A4301) | KAT | RSA-SIGN Known Answer Test: Passed | During boot | Modulus 2048 bits SHA2-256 | Sign | CAST | ||
| RSA SigVer (FIPS18 6-4) (A4301) | RSA SigVer (FIPS18 6-4) (A4301) | KAT | RSA- VERIFY Known Answer Test: Passed | During boot | Modulus 2048 bits SHA2-256 | Verify | CAST | ||
| ECDSA SigGen | ECDSA SigGen | KAT | ECDSA- SIGN | During boot | Curve: P-256 Hash | Sign | CAST | ||
| (FIPS18 6-4) (A4301) | (FIPS18 6-4) (A4301) | Known Answer Test: Passed | Algorithm: SHA2-256 | ||||||
| ECDSA SigVer (FIPS18 6-4) (A4301) | ECDSA SigVer (FIPS18 6-4) (A4301) | KAT | ECDSA- VERIFY Known Answer Test: Passed | During boot | Curve: P-256 Hash Algorithm: SHA2-256 | Verify | CAST | ||
| SHA2- 512 (A4306) | SHA2- 512 (A4306) | KAT | SHA-2- 512 Known Answer Test: Passed | During boot | SHA2-512 | N/A | CAST | ||
| Entropy test | Entropy test | RCT | pass | During boot and continually | NIST SP 800-90B Repetitive Count Test | Cutoff value C = 21 | CAST | ||
| Entropy test | Entropy test | APT | pass | During boot and continually | NIST SP 800-90B Adapative Proportion Test | W = 512; Cutoff value C = 311 | CAST | ||
| ECDSA KeyGen (FIPS18 6-4) (A4301) | ECDSA KeyGen (FIPS18 6-4) (A4301) | PCT | 0 | On key generation | Curve: P-256 Hash Algorithm: SHA2-256 | Key pair generated for signature generation/verificat ion in the context of SSHv2 protocol | PCT | ||
| ECDSA KeyGen (FIPS18 6-4) (A4301) | ECDSA KeyGen (FIPS18 6-4) (A4301) | PCT | 0 | On key generation | Curve: P-256 Hash Algorithm: SHA2-256 | Key pair generated for SSP agreement in the context of SSHv2 protocol | PCT | ||
| KAS- FFC- SSC Sp800- 56Ar3 (A4301) | KAS- FFC- SSC Sp800- 56Ar3 (A4301) | PCT | 0 | On key generation | Capabilities: Domain Parameter: MODP2048 | Key pair generated for SSP agreement in the context of SSHv2 protocol | PCT | ||
| RSA KeyGen (FIPS18 6-4) (A4301) | RSA KeyGen (FIPS18 6-4) (A4301) | PCT | 0 | On key generation | Modulus: 2048 Hash SHA2-256 | Key pair generated for signature generation/verificat ion in the context of SSHv2 protocol | PCT | ||
| AES-KW (A4304) | AES-KW (A4304) | KAT | AES- KEYWRA P Known Answer Test: Passed | During boot | Key Length: 128 bits | Encrypt | CAST | ||
| AES-KW (A4304) | AES-KW (A4304) | KAT | AES- KEYWRA P Known Answer Test: Passed | During boot | Key Length: 128 bits | Decrypt | CAST | ||
| KDF SP800- 108 (A4304) | KDF SP800- 108 (A4304) | KAT | KBKDF Known Answer Test:Pass ed | During boot | Mode: Counter | N/A | CAST | ||
| AES- GCM (AES 4369) | AES- GCM (AES 4369) | KAT | 0 | During boot | Key Length: 256 bits | Encrypt | CAST | ||
| AES- GCM (AES 4369) | AES- GCM (AES 4369) | KAT | 0 | During boot | Key Length: 256 bits | Decrypt | CAST | ||
| AES- CMAC (A4304) | AES- CMAC (A4304) | KAT | AES128- CMAC Known Answer Test: Passed | During boot | Key Length: 128 bits | Encrypt | CAST | ||
| AES- CMAC (A4304) | AES- CMAC (A4304) | KAT | AES128- CMAC Known Answer Test: Passed | During boot | Key Length: 128 bits | Decrypt | CAST | ||
| AES- CMAC (A4304) | AES- CMAC (A4304) | KAT | AES256- CMAC Known Answer Test: Passed | During boot | Key Length: 256 bits | Encrypt | CAST | ||
| AES- CMAC (A4304) | AES- CMAC (A4304) | KAT | AES256- CMAC Known Answer | During boot | Key Length: 256 bits | Decrypt | CAST | ||
| ECDSA SigVer (FIPS18 6-4) (A4301) | ECDSA SigVer (FIPS18 6-4) (A4301) | KAT | Host OS upgrade staged. Reboot the system to complete installation ! | On loading of firmware from an external source | Curve: P-256 Hash Algorithm: SHA2-256 | Verify | SW/F W Load | ||
| Manual entry test (duplicat e entries) | Manual entry test (duplicat e entries) | Duplicate entry test required for entry of operator passwor ds and MACsec PSK via direct connecti on to the module's console (serial) interface | Command prompt with "fips" string provided post completion of the test | On configurati on of operator passwords and MACsec PSK | Duplicate entry test required for entry of operator passwords and MACsec PSK via direct connection to the module's console (serial) interface | N/A | Manu al Entry | ||
| Firmware Integrity Test | Firmware Integrity Test | KAT | SW/FW Integrity | On Demand | Manually via a reboot |
Table 23: Pre-Operational Self-Tests Document Version 1.0
The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test (KAT) for the ECDSA P-256 (with SHA2-256) algorithm used in the firmware integrity test on each boot prior to executing the firmware integrity test.
s Length: 0256 N/A N/A AESCBC AESCBC AESCBC HMACSHA2-256 HMACSHA2256 Document Version 1.0
AESCBC AESCBC AESCBC Length: 0256 , HMACSHA2256 HMACSHA2HMACSHA-1 HMACSHA-1 HMACSHA2-256 HMACSHA2-512 s N/A N/A N/A N/A Document Version 1.0
KASECCSSC Sp80056Ar3 Methods: P256 KASECCSSC Sp80056Ar3 Methods: P384 KASFFCSSC Sp80056Ar3 Cipher: AES128, AES192, AES256 ; Hash 6-4) 6-4) KAS-ECCEPHEMUNIFIEDNOKC KAS-ECCEPHEMUNIFIEDNOKC KAS-FFCEPHEMNOKC s N/A N/A N/A N/A RSAVerify ECDSASign Document Version 1.0
6-4) 6-4) SHA2512 ECDSAVERIFY SHA-2512 6-4) 6-4) KASFFCSSC Sp80056Ar3 6-4) s N/A Document Version 1.0
s SP800108 N/A AESGCM AESGCM AESCMAC AESKEYWRA AESKEYWRA AESCMAC AESCMAC AESCMAC AES128CMAC AES128CMAC AES256CMAC AES256CMAC Document Version 1.0
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Test Properties | Test Method | Indicator |
|---|---|---|---|---|---|---|---|---|---|
| ECDSA SigVer (FIPS18 6-4) (A4301) | ECDSA SigVer (FIPS18 6-4) (A4301) | KAT | Host OS upgrade staged. Reboot the system to complete installation ! | On loading of firmware from an external source | Curve: P-256 Hash Algorithm: SHA2-256 | SW/F W Load | Verify | ||
| Manual entry test (duplicat e entries) | Manual entry test (duplicat e entries) | Duplicate entry test required for entry of operator passwor ds and MACsec PSK via direct connecti on to the module's console (serial) interface | Command prompt with "fips" string provided post completion of the test | On configurati on of operator passwords and MACsec PSK | Duplicate entry test required for entry of operator passwords and MACsec PSK via direct connection to the module's console (serial) interface | Manu al Entry | N/A | ||
| Firmware Integrity Test | Firmware Integrity Test | KAT | SW/FW Integrity | On Demand | Manually via a reboot | ||||
| HMAC DRBG (A4303) | HMAC DRBG (A4303) | KAT | CAST | On Demand | Manually via a reboot | ||||
| HMAC-SHA2- 256 (A4303) | HMAC-SHA2- 256 (A4303) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CBC (A4301) | AES-CBC (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CBC (A4301) | AES-CBC (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CBC (A4301) | AES-CBC (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CBC (A4301) | AES-CBC (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CBC (A4301) | AES-CBC (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CBC (A4301) | AES-CBC (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| HMAC DRBG (A4301) | HMAC DRBG (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| HMAC-SHA-1 (A4301) | HMAC-SHA-1 (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| HMAC-SHA2- 256 (A4301) | HMAC-SHA2- 256 (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| HMAC-SHA2- 512 (A4301) | HMAC-SHA2- 512 (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| KAS-ECC-SSC Sp800-56Ar3 (A4301) | KAS-ECC-SSC Sp800-56Ar3 (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| KAS-ECC-SSC Sp800-56Ar3 (A4301) | KAS-ECC-SSC Sp800-56Ar3 (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| KAS-FFC-SSC Sp800-56Ar3 (A4301) | KAS-FFC-SSC Sp800-56Ar3 (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| KDF SSH (A4301) | KDF SSH (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| RSA SigGen (FIPS186-4) (A4301) | RSA SigGen (FIPS186-4) (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| RSA SigVer (FIPS186-4) (A4301) | RSA SigVer (FIPS186-4) (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| ECDSA SigGen (FIPS186-4) (A4301) | ECDSA SigGen (FIPS186-4) (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| ECDSA SigVer (FIPS186-4) (A4301) | ECDSA SigVer (FIPS186-4) (A4301) | KAT | CAST | On Demand | Manually via a reboot | ||||
| SHA2-512 (A4306) | SHA2-512 (A4306) | KAT | CAST | On Demand | Manually via a reboot | ||||
| Entropy test | Entropy test | RCT | CAST | On Demand | Manually via a reboot | ||||
| Entropy test | Entropy test | APT | CAST | On Demand | Manually via a reboot | ||||
| ECDSA KeyGen (FIPS186-4) (A4301) | ECDSA KeyGen (FIPS186-4) (A4301) | PCT | PCT | On Demand | Manually via a reboot | ||||
| ECDSA KeyGen (FIPS186-4) (A4301) | ECDSA KeyGen (FIPS186-4) (A4301) | PCT | PCT | On Demand | Manually via a reboot | ||||
| KAS-FFC-SSC Sp800-56Ar3 (A4301) | KAS-FFC-SSC Sp800-56Ar3 (A4301) | PCT | PCT | On Demand | Manually via a reboot | ||||
| RSA KeyGen (FIPS186-4) (A4301) | RSA KeyGen (FIPS186-4) (A4301) | PCT | PCT | On Demand | Manually via a reboot | ||||
| AES-KW (A4304) | AES-KW (A4304) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-KW (A4304) | AES-KW (A4304) | KAT | CAST | On Demand | Manually via a reboot | ||||
| KDF SP800-108 (A4304) | KDF SP800-108 (A4304) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-GCM (AES 4369) | AES-GCM (AES 4369) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-GCM (AES 4369) | AES-GCM (AES 4369) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CMAC (A4304) | AES-CMAC (A4304) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CMAC (A4304) | AES-CMAC (A4304) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CMAC (A4304) | AES-CMAC (A4304) | KAT | CAST | On Demand | Manually via a reboot | ||||
| AES-CMAC (A4304) | AES-CMAC (A4304) | KAT | CAST | On Demand | Manually via a reboot | ||||
| ECDSA SigVer (FIPS186-4) (A4301) | ECDSA SigVer (FIPS186-4) (A4301) | KAT | SW/FW Load | On Demand | Manually via loading of firmware from an external source | ||||
| Manual entry test (duplicate entries) | Manual entry test (duplicate entries) | Duplicate entry test required for entry of operator passwords and MACsec PSK via direct connection to the module's | Manual Entry | On Demand | Manually via configuration of operator passwords and MACsec PSK |
6-4) W e ! s Table 24: Conditional Self-Tests Cryptographic Algorithm Self-tests (CASTs) are performed on each boot of the module. Other conditional self-tests are performed by the module when the corresponding condition is met. The pairwise consistency tests are performed on key pair generation for use in signature generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC-SSC or KASFFC-SSC SSP agreement (ECDSA and FFC tests respectively). The firmware load test is performed when a firmware image is loaded onto the module from an external source.
Table 25: Pre-Operational Periodic Information Document Version 1.0
| Name | Algorithm Or Test | Periodic Method |
|---|---|---|
| Test | Test | Method |
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Hard Error state | If the pre-operation firmware integrity test, if any of the CASTs or pair- wise consistency tests fail, then the module returns an error indicator, inhibits all data output and enters the hard error state | If the pre- operational firmware integrity test, fails, if any of the CASTs fail or if a pairwise consistency test fails | "FIPS error: self- test failure" for firmware integrity failure, "FIPS error 1: <name of the algorithm> Known Answer Test: Failed" for CAST failure and -1 for pair-wise consistency test failure | N/A |
| Soft Error state | •In case of a firmware load test failure, the module rejects the firmware, returns an error indicator and enters the soft error state •In the event of an APT or RCT health test failure, output from the entropy source is inhibited, all entropy accumulated in the conditioning context is discarded and the start- up health-tests are performed again | If the firmware load test fails If the APT or RCT test fails | "Validation Error" for the firmware load test failure; entropy data discarded in case of APT/RCT failure | N/A for firmware load test failure; In case of APT and/or RCT failures, new data continues to be tested by the health tests, and once both health tests indicate a “pass”, the entropy source again outputs data |
Table 26: Conditional Periodic Information prior to any other use of cryptography by the module in the Approved mode of operation. These
N/A Table 27: Error States generated keypair/loaded image, returns an error indicator and resumes normal operation. Document Version 1.0
Each time the module is powered up it tests that all the cryptographic algorithms operate correctly, and that sensitive data have not been damaged. Pre-operational as well as Conditional Cryptographic Algorithm Self-tests (CAST) are performed on each power up/boot of the module and on demand by power cycling the module (Perform self-tests (remote reset) service).
The Crypto Officer must follow the procedures defined below for secure installation, initialization, startup and operation of the module. Crypto Officer Guidance The Crypto Officer must check to verify the firmware image being loaded on the module is the FIPS 140-3 validated version/image. If the image is the FIPS 140-3 validated image, then proceed with installation of the image. Installing The Firmware Image Download the validated firmware image from https://www.juniper.net/support/downloads/junos.html. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. Select the validated firmware image. Download the firmware image to a local host or to an internal software distribution site. Connect to the console port on the device from your management device and log in to the Junos OS CLI. Copy the firmware package to the device to the /var/tmp/ directory. Install the new package on the device using the following command: operator> request vmhost software add /var/tmp/<package>.tgz. NOTE: If you need to terminate the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, junos-vmhost-install-ptx-x86-64-22.4R2.8.tgz. This is your last chance to stop the installation. Reboot the device to complete the load and start the installation: operator> request vmhost reboot After the reboot has completed, log in and use the show version command to verify that the new version of the firmware is successfully installed. Document Version 1.0
Also install the built-in fips-mode.tgz package needed for enabling the Approved-mode and the jpfe-fips package needed for execution of the CASTs. Please note that this is a one-time installation after which the module remains in the Approved mode once enabled and automatically executes the CASTs on each boot without requiring any operator or external intervention. The following are the commands used for installing these packages: operator >request system software add optional://fips-mode.tgz operator >request system software add optional://jpfe-fips.tgz Enabling Approved Mode of Operation The Crypto Officer is responsible for initializing the module in the Approved mode of operation. The Approved mode of operation is not automatically enabled. The Crypto Officer shall place the module in the Approved mode by first zeroising it to ensure no SSPs are present. Next, the cryptographic officer shall follow the steps found in the Junos OS FIPS Evaluated Configuration Guide for PTX Series, Release 22.4R2 document Chapter 2 to place the module into an Approved mode of operation. The steps from the aforementioned document have been reiterated below. To enable the Approved mode in Junos OS on the module:
[edit ] root@device# commit configuration check succeeds Generating RSA key /etc/ssh/fips_ssh_host_key Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key 'system' reboot is required to transition to fips level 1 commit complete
For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for PTX, Release 22.4R2 document.
For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for PTX, Release 22.4R2 document.
No other maintenance requirements apply for operation of the module in the Approved/nonApproved modes as defined above.
The module can be securely sanitized at the end of its lifetime by zeroising it. Document Version 1.0
The module does not implement any mitigation of other attacks and thus the requirements per this section do not apply to the module. Document Version 1.0