All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Juniper Networks MX Series 3D Universal Edge Routers

Certificate#5134StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc.
High review priority  ·  no TCB surface named  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/14/2031
CaveatWhen installed, initialized and configured as specified in Section 11.1 of the Security Policy
VendorJuniper Networks, Inc.

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Juniper Networks MX Series 3D Universal Edge Routers
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>firmware load<br/>Recovery</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Unauthenticated</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Juniper Networks MX Series 3D Universal Edge Routers
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>firmware load<br/>Recovery</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Unauthenticated</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Juniper Networks, Inc. Juniper Networks MX Series 3D Universal Edge Routers Version: Junos OS 22.2R3-S1 Juniper Networks, Inc.

1133 Innovation Way
1.888 JUNIPER

www.juniper.net Prepared by: www.teronlabs.com

Page 2
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Hardware9
Table 3: Modes List and Description10
Table 4: Approved Algorithms - OpenSSL Approved Cryptographic Functions11
Table 5: Approved Algorithms - Kernel Approved Cryptographic Functions11
Table 6: Approved Algorithms - OpenSSH Approved Cryptographic Functions12
Table 7: Vendor-Affirmed Algorithms12
Table 8: Security Function Implementations14
Table 9: Entropy Certificates15
Table 10: Entropy Sources15
Table 11: Ports and Interfaces17
Table 12: Authentication Methods18
Table 13: Roles18
Table 14: Approved Services22
Table 15: Mechanisms and Actions Required25
Table 16: Storage Areas27
Table 17: SSP Input-Output Methods27
Table 18: SSP Zeroization Methods28
Table 19: SSP Table 130
Table 20: SSP Table 232
Table 21: Pre-Operational Self-Tests33
Table 22: Conditional Self-Tests36
Table 23: Pre-Operational Periodic Information36
Table 24: Conditional Periodic Information38
Table 25: Error States38
Page 6
1 General
1.1 Overview

This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks MX Series 3D Universal Edge Routers, consisting of the MX240, MX480 and MX960 models, with MX-SPC3 Services Processing Card, running Junos OS 22.2R3-S1.

1.2 Security Levels

The cryptographic module meets requirements applicable to Level 1 of FIPS 140-3. The following table lists the security levels claimed by the cryptographic module for each security requirements area of the FIPS 140-3 standard. Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 2
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security 1
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A

Overall Level 1 Table 1: Security Levels

Page 7
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The MX series universal routing modular platforms MX240, MX480 and MX960 provide dedicated high-performance processing for flows and sessions and integrates advanced security capabilities that protect the network infrastructure as well as user data. The MX-SPC3 services card provides security services such as carrier-grade NAT (CGNAT), IPsec, stateful firewall, deep packet inspection, IDS, traffic load balancing, Web filtering, and DNS sinkhole. Module Type: Hardware Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: This Security Policy covers the following models:

Page 8

The cryptographic module provides for an encrypted connection, using SSH, between the management station and the module. All other data input or output from the module are considered plaintext for this FIPS 140-3 validation. The module does not rely on external devices for input and output of security sensitive parameters (SSPs). Figure 1 Physical Cryptographic Boundary (Left to Right: MX240, MX480, MX960) Figure 2 MX-SPC3 Services Card

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 9

Model Hardware Firmware Processors Features and/or Version Version Part Number MX480 MX480 JUNOS Intel Xeon C5518, Intel Routing Engine (RE): RE-S-X6-64G, RE-S-X622.2R3- Xeon E5-2658 v4, Intel 128G; Switch control board (SCB): SCBE3-MX; S1.9 Xeon CPU E5-2608L Services Processing Card (SPC): MX-SPC3; v3 Modular Port Concentrator (MPC): MPC10E-10C, MPC10E-15C MX960 MX960 JUNOS Intel Xeon C5518, Intel Routing Engine (RE): RE-S-X6-64G, RE-S-X622.2R3- Xeon E5-2658 v4, Intel 128G; Switch control board (SCB): SCBE3-MX; S1.9 Xeon CPU E5-2608L Services Processing Card (SPC): MX-SPC3; v3 Modular Port Concentrator (MPC): MPC10E-10C, MPC10E-15C Table 2: Tested Module Identification

2.3 Excluded Components

No components are excluded from the requirements of FIPS 140-3.

2.4 Modes of Operation

Modes List and Description:

Page 10

Mode Name Description Type Status Indicator JUNOS-FIPS- Approved mode of operation enabled by following the Approved Suffix string ":fips" in MODE configuration commands in Section 11.1 the cli prompt Table 3: Modes List and Description Once the module has been securely initialized following the instructions provided in Section 11.1, the module is in approved mode of operation. Failure to follow the secure initialization instructions results in the module being in a non-compliant state which is out of scope of the validation.

2.5 Algorithms

Approved Algorithms: Although the module may have been tested for additional algorithms or modes, only those listed below are utilized by the module. OpenSSL Approved Cryptographic Functions Algorithm CAVP Cert Properties Reference AES-CBC A3693 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A3693 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 ECDSA KeyGen A3693 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A3693 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A3693 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A3693 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 HMAC-SHA-1 A3693 Key Length - Key Length: 160 FIPS 198-1 HMAC-SHA2-256 A3693 Key Length - Key Length: 256 FIPS 198-1 HMAC-SHA2-512 A3693 Key Length - Key Length: 512 FIPS 198-1 KAS-ECC-SSC Sp800- A3610 Domain Parameter Generation Methods - P-256, P- SP 800-56A 56Ar3 384, P-521 Rev. 3 Scheme -

Page 11

Algorithm CAVP Cert Properties Reference ephemeralUnified KAS Role - initiator RSA KeyGen (FIPS186- A3693 Key Generation Mode - B.3.3 FIPS 186-4

  1. Modulo - 2048, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen (FIPS186- A3693 Signature Type - PKCS 1.5 FIPS 186-4
  2. Modulo - 2048, 4096 RSA SigVer (FIPS186-4) A3693 Signature Type - PKCS 1.5 FIPS 186-4 Modulo - 2048, 4096 SHA-1 A3693 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-256 A3693 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-384 A3693 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512 A3693 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 Table 4: Approved Algorithms - OpenSSL Approved Cryptographic Functions Kernel Approved Cryptographic Functions Algorithm CAVP Cert Properties Reference HMAC DRBG A3493 Prediction Resistance - Yes SP 800-90A Rev. Mode - SHA2-256 1 HMAC-SHA2- A3493 Key Length - Key Length: 160, 256 FIPS 198-1 SHA2-256 A3493 Message Length - Message Length: 0-51200 FIPS 180-4 Increment 8 SHA2-512 A3361 Message Length - Message Length: 0-51200 FIPS 180-4 Increment 8 Table 5: Approved Algorithms - Kernel Approved Cryptographic Functions OpenSSH Approved Cryptographic Functions Algorithm CAVP Cert Properties Reference KDF SSH A4271 Cipher - AES-128, AES-192, AES-256 SP 800-135 Rev. (CVL) Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2- 1
Page 12

Table 6: Approved Algorithms - OpenSSH Approved Cryptographic Functions Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key Junos 22.2R1 - SP 800-133 Rev.2 Section 4, example 1 direct output type:Asymmetric OpenSSL from DRBG. Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.

2.6 Security Function Implementations

The module implements the security functions listed in the following table. Name Type Description Properties Algorithms Enc/Dec (SSH) BC-UnAuth Unauthenticated AES-CBC: (A3693) encryption for SSH AES-CTR: (A3693) KAS-SSC (SSH) KAS-SSC Key Agreement KAS-ECC-SSC Scheme Shared Sp800-56Ar3: Secret Computation (A3610) for SSH ECDSA SigGen DigSig-SigGen Signature ECDSA SigGen (SSH) Generation for peer (FIPS186-4): authentication in (A3693) SSH SHA2-256: (A3693) SHA2-384: (A3693) SHA2-512: (A3693) HMAC DRBG: (A3493) ECDSA SigVer (SSH) DigSig-SigVer Signature ECDSA SigVer Verification for peer (FIPS186-4): authentication in (A3693) SSH SHA2-256: (A3693)

Page 13

Name Type Description Properties Algorithms SHA2-384: (A3693) SHA2-512: (A3693) MAC (SSH) MAC Message HMAC-SHA-1: Authentication for (A3693) SSH HMAC-SHA2-256: (A3693) HMAC-SHA2-512: (A3693) KDF (SSH) KAS-135KDF Key derivation KDF SSH: (A4271) Function for SSH SHA-1: (A3693) SHA2-256: (A3693) SHA2-384: (A3693) SHA (LibMD) SHA Message Digest SHA-1: (A3367) Generation SHA2-256: (A3367) SHA2-512: (A3367) MAC (LibMD) MAC Message HMAC-SHA-1: authentication (A3367) HMAC-SHA2-256: (A3367) DRBG (Kernel) DRBG Random Bit HMAC DRBG: Generation (A3493) HMAC-SHA2-256: (A3493) SHA2-256: (A3493) ECDSA KeyGen AsymKeyPair- ECDSA Key ECDSA KeyGen (PKID) KeyGen Generation used for (FIPS186-4): SSH when (A3693) authentication keys ECDSA KeyVer are internally (FIPS186-4): generated (A3693) CKG: () Key type: Asymmetric HMAC DRBG: (A3493) RSA KeyGen (PKID) AsymKeyPair- RSA Key generation RSA KeyGen KeyGen used for SSH when (FIPS186-4): authentication keys (A3693) are internally CKG: () generated Key type: Asymmetric HMAC DRBG: (A3493)

Page 14

Name Type Description Properties Algorithms RSA SigGen (SSH) DigSig-SigGen RSA Signature RSA SigGen Generation for SSH (FIPS186-4): (A3693) RSA SigVer (SSH) DigSig-SigVer RSA Signature RSA SigVer verification for SSH (FIPS186-4): (A3693) Verify image DigSig-SigVer Verification of ECDSA SigVer software image (FIPS186-4): (A3693) SHA2-256: (A3693) SHA2-384: (A3693) Full KAS (SSH) KAS-Full Full Key Agreement KAS-ECC-SSC for SSH Sp800-56Ar3: (A3610) KDF SSH: (A4271) SHA-1: (A3693) SHA2-256: (A3693) SHA2-384: (A3693) KAS-ECC KeyGen AsymKeyPair- KAS-ECC Key Pair ECDSA KeyGen (SSH) KeyGen Generation for SSH (FIPS186-4): (A3693) ECDSA KeyVer (FIPS186-4): (A3693) CKG: () Key type: Asymmetric HMAC DRBG: (A3493) ENT ENT-ESV Entropy source SHA2-512: (A3361) Table 8: Security Function Implementations

2.7 Algorithm Specific Information

The module includes RSA and ECDSA algorithms that have been validated using FIPS 186-4 CAVP tests, which are mathematically identical to FIPS 186-5 CAVP tests. Per IG C.K, all RSA and ECDSA algorithms implemented by the module are claimed compliant with FIPS 186-5. The module complies with IG C.F. RSA Key Generation, Signature Generation and Signature Verification have been tested and validated using CAVP testing for all implemented modulus lengths (2048, 3072 and 4096 bits). The number of Miller-Rabin tests used for primality testing as part of RSA Key Generation is consistent with Table C.3.

Page 15

The module implements the following Approved key agreement methods which have been CAVP tested and validated:

2.8 RBG and Entropy

Cert Vendor Name Number E56 Juniper Networks Table 9: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample Junos OS Non-Physical Entropy Non- Intel Xeon 512 448 bits A3361 (SHA2Source Physical C5518 bits 512) Table 10: Entropy Sources The entropy source is used to seed the module’s HMAC DRBG with the minimum required 256bits of entropy. Each 512-bit block of conditioned output from the entropy source contains 448 bits of entropy. The HMAC DRBG is used for all random data required by the module, including key generation. There are no initialization procedures required by the users of the module to operate the entropy source in a compliant manner. The module complies to the ESV Public Use document of the validated entropy source (Cert. E56).

2.9 Key Generation

The cryptographic module implements the key generation methods listed above in the Security Functions implementation table.

Page 16
2.10 Key Establishment

The cryptographic module implements the key establishment methods listed above in the Security Functions implementation table.

2.11 Industry Protocols

The cryptographic module supports the protocols listed below. No part of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. The SSH algorithms allow independent selection of key exchange, authentication, cipher, and integrity. In reference to the supported protocols table below, each column of options for a given protocol is independent and may be used in any viable combination. Protocol Key Exchange Auth Cipher Integrity SSHv2 KAS-ECC (P-256, RSA 2048 AES CBC 128/192/256 HMAC-SHA-1 P-384, P-521) ECDSA P-256 AES CTR 128/192/256 HMAC-SHA2-256 HMAC-SHA2-512

Page 17
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The following table maps each physical interface to one or more logical interface types defined in the FIPS 140-3 standard. Physical Port Logical Data That Passes Interface(s) Ethernet (data) Data Input LAN Communications Data Output Control Input Status Output Ethernet (mgmt.) Data Input Remote management Data Output Control Input Status Output Serial Control Input Local management Status Output Reset Button Control Input Reset LED Status Output Status indicator lighting Power Power Power Table 11: Ports and Interfaces

Page 18
4 Roles, Services, and Authentication
4.1 Authentication Methods

Method Name Description Security Strength Each Strength per Minute Mechanism Attempt Password User and CO SHA Probability of Timed access mechanism allows authentication authentication via (LibMD) guessing: 1/(96^10) < max of 9 attempts / min. SSH or console. 1/1,000,000. Probability of guessing: Minimum of 10 9/(96^10) < 1/100,000. ASCII character passwords. Signature User/CO ECDSA Strength of signature A rate of 1 CPU cycle per failed authentication authentication via SigVer algorithm, minimum authentication for the Intel SSH (SSH) 112-bits. Probability Xeon E5-2658 v4 processor (14 of success for random cores, 2.3 GHz) allows for the attempt: 1/(2^112) < probability of success by brute1/1,000,000. force attack: 60 x 14 x 2.3 x 10^9 x 1/(2^112) < 1/100,000. Table 12: Authentication Methods The module enforces the separation of roles using either password-based authentication or signature-based authentication.

4.2 Roles

Name Type Operator Type Authentication Methods User Role Monitor Password authentication Signature authentication Cryptographic Officer Role CO Password authentication Signature authentication Table 13: Roles The module supports two roles: Cryptographic Officer (CO) and User. The module supports rolebased operator authentication for assuming these roles, using methods specified in Section 4.1. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. The Cryptographic Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module and establish VPN tunnels.

Page 19

The User role monitors the router via the console or SSH. The user role cannot change the configuration.

4.3 Approved Services

Name Description Indicator Inputs Outputs Security SSP Access Functions Configure Security relevant ':fips' CLI Status SHA Cryptographic security configuration suffix in commands (LibMD) Officer CLI MAC - HMAC DRBG V prompt (LibMD) value: E DRBG - HMAC DRBG (Kernel) Key value: E ECDSA - HMAC DRBG KeyGen Entropy Input: E (PKID) - HMAC DRBG RSA Seed: E KeyGen - CO-PW: W,R (PKID) - User-PW: W,R ENT - SSH-Priv: G,R,W Configure Non-security None CLI Status None Cryptographic relevant commands Officer configuration Show Show status None CLI Status None Cryptographic status command Officer User Zeroize Zeroize/destroy all None CLI None None Cryptographic CSPs command (completion Officer indicator is - HMAC DRBG V implicitly value: Z provided by the - HMAC DRBG module Key value: Z rebooting) - HMAC DRBG Seed: Z - HMAC DRBG Entropy Input: Z - SSH-DHShared-Secret: Z - SSH-Priv: Z - SSH-SEKs: Z - CO-PW: Z - User-PW: Z - SSH-PUB: Z - Auth-User Pub: Z

Page 20

Name Description Indicator Inputs Outputs Security SSP Access Functions - Root-CA: Z - Package-CA: Z - SSH-DH-PUB (self): Z - SSH-DH-PUB (peer): Z SSH Initiate SSH ':fips' SSH SSH packets, Enc/Dec Cryptographic connect connection for SSH suffix in packets status (SSH) Officer monitoring and CLI KAS-SSC - HMAC DRBG V control (CLI) prompt (SSH) value: E ECDSA - HMAC DRBG SigGen Key value: E (SSH) - HMAC DRBG ECDSA Entropy Input: E SigVer - HMAC DRBG (SSH) Seed: E MAC - SSH-DH(SSH) Shared-Secret: KDF (SSH) G,E RSA - SSH-DH-Priv: SigGen G,E (SSH) - SSH-SEKs: G,E RSA - Auth-CO Pub: E SigVer - SSH-Priv: E (SSH) - CO-PW: E Full KAS - SSH-DH-PUB (SSH) (self): G KAS-ECC - SSH-DH-PUB KeyGen (peer): E (SSH) User ENT - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH-Priv: E - User-PW: E - SSH-DHShared-Secret: G,E - SSH-DH-Priv: G,E - SSH-SEKs: G

Page 21

Name Description Indicator Inputs Outputs Security SSP Access Functions - SSH-DH-PUB (self): G - SSH-DH-PUB (peer): E - Auth-User Pub: E Console Console monitoring None CLI Status None Cryptographic access and control (CLI) command Officer - CO-PW: E User - User-PW: R,E Remote Software initiated None CLI Status None Cryptographic reset reset command Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH-DHShared-Secret: Z - SSH-DH-Priv: Z - SSH-SEKs: Z - SSH-DH-PUB (self): Z - SSH-DH-PUB (peer): Z Local Hardware reset or None Manual Status None Unauthenticated reset power cycle power - HMAC DRBG V cycle value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH-DHShared-Secret: Z - SSH-SEKs: Z - SSH-DH-PUB (self): Z

Page 22

Name Description Indicator Inputs Outputs Security SSP Access Functions - SSH-DH-PUB (peer): Z Traffic Traffic requiring no None Traffic in Traffic out None Unauthenticated cryptographic services Load Loading of firmware ':fips' CLI status Verify Cryptographic Image image suffix in command image Officer CLI - Root-CA: E prompt - Package-CA: E Perform On-demand None Local or status None Cryptographic self-tests execution of all pre- remote Officer operational and reset User conditional Unauthenticated algorithm self-tests Show Show firmware None CLI Status None Cryptographic version version command Officer User Table 14: Approved Services

4.4 Non-Approved Services
4.5 External Software/Firmware Loaded

The module includes a firmware load service to support necessary updates. Only the CO can install the new image using the CLI as described in Section 11.1. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.

Page 23
5.1 Integrity Techniques

The cryptographic module implements an approved firmware integrity self-test that uses ECDSA P-256 with SHA2-256 to ensure the integrity of all Junos OS firmware components. The selftest is automatically run on power-up. It can also be run on demand by the module’s operator by power cycling the module. When the integrity check fails, the module enters an error state (kernel panic) which can only be exited by power-cycling the module.

5.2 Initiate on Demand

The self-test is automatically run on power-up. It can also be run on demand by the module’s operator by power cycling the module.

Page 24
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Non-Modifiable How Requirements are Satisfied: The module consists of hardware containing a non-modifiable operational environment as per the FIPS 140-3 definitions. It includes a firmware load service to support necessary updates. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.

6.2 Configuration Settings and Restrictions

There are no security rules, settings, or restrictions to the configuration of the operational environment beyond the initialization instructions to set the module in approved mode.

Page 25
7 Physical Security
7.1 Mechanisms and Actions Required

Mechanism Inspection Inspection Frequency Guidance Production-grade components with standard passivation N/A N/A Table 15: Mechanisms and Actions Required The module’s physical embodiment is that of a multi-chip standalone device that meets Level 1 Physical Security requirements. The module consists of production-grade components with standard passivation.

Page 26
8 Non-Invasive Security

This section is not applicable, as there are currently no approved non-invasive mitigation techniques specified in ISO/IEC 19790:2012.

Page 27
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Random Access Memory Dynamic SSD Solid-Stated Drive Dynamic Table 16: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm Manual CLI entry Local CO RAM Plaintext Manual Direct Entry via SSH Remote CO RAM Encrypted Automated Electronic Enc/Dec (SSH) Entry via console Local CO RAM Plaintext Manual Electronic Output via SSH RAM Remote CO Encrypted Automated Electronic Enc/Dec (SSH) Output via console RAM Local CO Plaintext Manual Direct Entry as part of KAS Remote peer RAM Plaintext Automated Electronic Output as part of KAS RAM Remote peer Plaintext Automated Electronic Pre-loaded Manufacturer SSD Plaintext Manual Direct Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Reset Zeroisation of SSPs in RAM via RAM is volatile and all data is lost Yes, both User and CO, invocation of local or remote when power is taken off. via invocation of Local reset service Zeroisation is practically Reset or Remote Reset instantaneous. services Zeroize CLI These command wipe clean all This command overwrites all data Yes, CO via invocation command the SSPs/configs as well as the on disk and forces a power cycle of zeroize CLI command disk and installs a factory default firmware image

Page 28

Zeroization Description Rationale Operator Initiation Method Explicit Zeroisation of SSPs in memory Use of explicit zeroisation function No. The operator zeroize when no longer needed destroys SSP information cannot directly initiate function immediately by overwriting this method. memory area with zeroes Table 18: SSP Zeroization Methods The CO can run the following commands to zeroize the approved mode SSPs: user@host> request vmhost zeroize This command wipes clean all the SSPs/configs as well as the disk and install a factory default firmware image. After zeroizing the system, the module is no longer in a FIPS compliant state. Installation and configuration as per section 11.1 is required to enter the FIPS compliant state and enable the Approved mode of operation. The Cryptographic Officer must retain control of the module while zeroization is in process. Zeroization commands, as described above, and power cycling are initiated by the operator. The module automatically zeroizes all SSPs when no longer required by calling explicit delete commands. Session termination is initiated by the operator or by environmental errors. The completion of zeroization is indicated implicitly. If the zeroization is initiated using a zeroization command or explicit delete command, completion of the command indicates that zeroization has successfully completed. If the zeroization is initiated by power cycling the module, then successful reboot of the module indicates that zeroization has completed successfully. In the case of zeroization initiated by session termination, SSPs are zeroized when the session terminates, and session termination is indicated in the log.

9.4 SSPs

Name Description Size - Type - Generated Established Used By Strength Category By By HMAC A critical value of the 256 - 256 DRBG internal DRBG DRBG DRBG V internal state of DRBG state - CSP (Kernel) (Kernel) value per IG D.L HMAC A critical value of the 256 - 256 DRBG internal DRBG DRBG DRBG internal state of DRBG state - CSP (Kernel) (Kernel) Key value per IG D.L HMAC A critical value of the 256 - 256 Entropy source ENT DRBG DRBG internal state of DRBG output - CSP (Kernel)

Page 29

Name Description Size - Type - Generated Established Used By Strength Category By By Entropy provided by entropy Input source HMAC Seed material used to 256 - 256 DRBG internal DRBG DRBG DRBG seed or reseed the HMAC state - CSP (Kernel) (Kernel) Seed DRBG SSH-DH- Shared DH value 256, 384, DH shared KAS-SSC KDF Shared- computed from the 521 - 128, value - CSP (SSH) (SSH) Secret ephemeral DH key-pairs 192, 256 as part of SSH and used to derive session keys. P256, P-384 and P-521 SSH-Priv SSH host authentication 2048, 256, Asymmetric ECDSA ECDSA key (ECDSA or RSA) 4096, 384, private key - KeyGen SigGen

521 - CSP (PKID) (SSH)

112,128, RSA RSA 152, 192, KeyGen SigGen

256 (PKID) (SSH)

SSH-DH- SSH Diffie-Hellman 256, 384, Asymmetric KAS-ECC KAS-SSC Priv private component. 521 - 128, private key - KeyGen (SSH) Ephemeral Diffie-Hellman 192, 256 CSP (SSH) private key used in SSH. P-256, P-384 and P-521 SSH-SEKs Session keys used with 128, 192, Symmetric Key KDF (SSH) Enc/Dec SSH-2. 256 - - CSP (SSH) 112,128, MAC 192, 256 (SSH) CO-PW Password used to n/a - n/a Authentication SHA authenticate the CO password - (LibMD) CSP User-PW Password used to n/a - n/a Authentication authenticate the User. password - CSP SSH-PUB SSH Public Host Key 2048, 256, Asymmetric key ECDSA 4096, 384, - PSP KeyGen

521 - (PKID)
256 (PKID)

Auth-User SSH User Authentication 2048, 256, Asymmetric key ECDSA Pub Public Key 4096, 384, - PSP SigVer

521 - (SSH)
Page 30

Name Description Size - Type - Generated Established Used By Strength Category By By 152, 192, SigVer

256 (SSH)

Root-CA JuniperRootCA. Used to 256, 384 - Asymmetric key Verify verify the validity of the 128, 196 - PSP image PackagCA Package- Certificate that holds the 256 - 128 Asymmetric key Verify CA public key of the signing - PSP image key that was used to generate all the signatures used on the packages and signatures lists. SSH-DH- ECDH Public Keys 256, 384, Asymmetric key KAS-ECC PUB (self) generated by module and 521 - 128, - PSP KeyGen used with SSH for key 192, 256 (SSH) establishment SSH-DH- ECDH Public Keys 256, 384, Asymmetric key KAS-SSC PUB provided by protocol peer 521 - 128, - PSP (SSH) (peer) device and used with SSH 192, 256 for key establishment. P256, P-384 and P-521 Auth-CO SSH CO Authentication 2048, 256, Asymmetric key ECDSA Pub Public Key 4096, 384, - PSP SigVer

521 - (SSH)
256 (SSH)

Table 19: SSP Table 1 Name Input - Storage Storage Duration Zeroization Related Output SSPs HMAC RAM:Plaintext Until updated by Reset DRBG V HMAC_DRBG_Update() value HMAC RAM:Plaintext Until updated by Reset DRBG Key HMAC_DRBG_Update() value HMAC RAM:Plaintext Until HMAC_Instantiate_Update() or Reset DRBG HMAC_DRBG_Reseed() complete Explicit

Page 31

Name Input - Storage Storage Duration Zeroization Related Output SSPs Entropy zeroize Input function HMAC RAM:Plaintext Until HMAC_Instantiate_Update() or Reset DRBG Seed HMAC_DRBG_Reseed() complete Explicit zeroize function SSH-DH- RAM:Plaintext Until SSH session termination Reset Shared- Explicit Secret zeroize function SSH-Priv RAM:Plaintext Until SSH session termination Reset SSD:Plaintext Zeroize CLI command Explicit zeroize function SSH-DH-Priv RAM:Plaintext Until SSH session termination Reset Explicit zeroize function SSH-SEKs RAM:Plaintext Until SSH session termination Reset Explicit zeroize function CO-PW Manual SSD:Encrypted Until authentication session Zeroize CLI CLI entry RAM:Plaintext termination command Entry via SSH Entry via console User-PW Manual RAM:Plaintext Until authentication session Zeroize CLI CLI entry SSD:Obfuscated termination command Entry via SSH Entry via console SSH-PUB Output via SSD:Plaintext Zeroize CLI SSH command Output via console Output as

Page 32

Name Input - Storage Storage Duration Zeroization Related Output SSPs part of KAS Auth-User Entry via SSD:Plaintext Zeroize CLI Pub SSH command Entry via console Root-CA Pre-loaded SSD:Plaintext Zeroize CLI command Package-CA Pre-loaded SSD:Plaintext Zeroize CLI command SSH-DH- Output as RAM:Plaintext Until SSH session termination Reset PUB (self) part of Explicit KAS zeroize function SSH-DH- Entry as RAM:Plaintext Until SSH session termination Reset PUB (peer) part of Explicit KAS zeroize function Auth-CO Pub Entry via Zeroize CLI SSH command Entry via console Table 20: SSP Table 2

9.5 Transitions

The following transitions apply to algorithms used by this module: SHA-1: The SHA-1 hash algorithm will be non-Approved for all cryptographic purposes after December 31, 2030.

Page 33
10 Self-Tests

On power up or reset, the module performs the pre-operational self-tests and the indicated conditional cryptographic algorithm self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. The algorithms utilized in the pre-operational firmware integrity test must pass their own CASTs prior to the Integrity Test.

10.1 Pre-Operational Self-Tests

Algorithm Test Test Test Indicator Details or Test Properties Method Type Firmware ECDSA P- KAT SW/FW PASS/FAIL ECDSA Verify Integrity 256 with Integrity console check SHA2-256 output Critical SHA2-256 KAT Critical PASS/FAIL The module implements a critical function that functions Function console checks that any file that is executed is test output registered in a manifest of executable files that comes with the firmware. A pre-operational critical function test is implemented that verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file. The test is successful if it verifies that the specific file cannot be executed. Table 21: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Entropy Source n/a APT, RCT CAST Console output / Start-up On power-up (start-up) output of entropy source Entropy Source n/a APT, RCT CAST Console output / Continuous On power-up (continuous) output of entropy source AES-CBC Key Sizes: 128, KAT CAST PASS/FAIL Encrypt On power-up (A3693) 192, 256 console output Encrypt AES-CBC Key Sizes: 128, KAT CAST PASS/FAIL Decrypt On power-up (A3693) 192, 256 console output Decrypt

Page 34

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type AES-CTR Key Sizes: 128, KAT CAST PASS/FAIL Encrypt On power-up (A3693) 192, 256 console output Encrypt AES-CTR Key Sizes: 128, KAT CAST PASS/FAIL Decrypt On power-up (A3693) 192, 256 console output Decrypt HMAC DRBG SHA2-256 KAT CAST PASS/FAIL Health-tests On power-up (A3693) console output initialise, reseed, and generate KAS-ECC-SSC P-256 (SHA KAT CAST PASS/FAIL ECDH On power-up Sp800-56Ar3 256) P-384 console output computation (A3610) (SHA 384) P-

521 (SHA 512)

ECDSA SigGen P-256, P-384, KAT CAST PASS/FAIL Sign On power-up (FIPS186-4) P-521 console output (A3693) ECDSA SigVer P-256, P-384, KAT CAST PASS/FAIL Verify On power-up (FIPS186-4) P-521 console output (A3693) HMAC-SHA-1 Key size: 160 KAT CAST PASS/FAIL MAC On power-up (A3693) bits, = 160 console output HMAC-SHA2- Key size: 256 KAT CAST PASS/FAIL MAC On power-up

256 (A3693) bits, = 256 console output

HMAC-SHA2- Key size: 512 KAT CAST PASS/FAIL MAC On power-up

512 (A3693) bits, = 512 console output

RSA SigGen RSA 2048 w/ KAT CAST PASS/FAIL Sign On power-up (FIPS186-4) SHA2-256, console output (A3693) RSA 4096 w/ SHA2-256 RSA SigVer RSA 2048 w/ KAT CAST PASS/FAIL Verify On power-up (FIPS186-4) SHA2-256, console output (A3693) RSA 4096 w/ SHA2-256 SHA-1 (A3693) n/a KAT CAST PASS/FAIL Hash On power-up console output SHA2-256 n/a KAT CAST PASS/FAIL Hash On power-up (A3693) console output

Page 35

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type SHA2-384 n/a KAT CAST PASS/FAIL Hash On power-up (A3693) console output SHA2-512 n/a KAT CAST PASS/FAIL Hash On power-up (A3693) console output KDF SSH SHA-1, SHA2- KAT CAST PASS/FAIL Key derivation On power-up (A4271) 256, SHA2-384 console output SHA-1 (A3367) n/a KAT CAST PASS/FAIL Hash On power-up console output SHA2-256 n/a KAT CAST PASS/FAIL Hash On power-up (A3367) console output SHA2-512 n/a KAT CAST PASS/FAIL Hash On power-up (A3367) console output HMAC-SHA-1 Key size: 160 KAT CAST PASS/FAIL MAC On power-up (A3367) bits, = 160 console output HMAC-SHA2- Key size: 256 KAT CAST PASS/FAIL MAC On power-up

256 (A3367) bits, = 256 console output

HMAC DRBG SHA2-256 KAT CAST PASS/FAIL Instantiate, On power-up (A3493) console output Reseed, Generate HMAC-SHA2- Key size:256 KAT CAST PASS/FAIL MAC On power-up

256 (A3493) bits, = 256 console output

SHA2-256 n/a KAT CAST PASS/FAIL Hash On power-up (A3493) console output ECDSA P-256, P-384, PCT PCT Returned Generation and On key KeyGen P-521 key/transition Verification of generation (FIPS186-4) soft error state ECDSA signature (A3693) RSA KeyGen RSA 2048, RSA PCT PCT Returned Generation and On key (FIPS186-4) 4096 key/transition Verification of generation (A3693) soft error state signature FW load ECDSA P-256 KAT SW/FW PASS/FAIL Verification of On FW load with SHA2-256 Load console output ECDSA signature on FW SHA2-512 n/a KAT CAST PASS/FAIL hash On power-up (A3361) console output

Page 36

Algorithm or Test Properties Test Test Indicator Details Conditions Test Method Type Manual SSP - Duplicate Manual PASS/FAIL Duplicate entry On manual, entry entry Entry console output direct entry of SSP Table 22: Conditional Self-Tests

10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method Firmware Integrity KAT SW/FW Integrity On demand Manually check Critical functions KAT Critical Function On demand Manually test Table 23: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method Entropy Source APT, RCT CAST On demand Manually (start-up) Entropy Source APT, RCT CAST Continuous Automatically (continuous) AES-CBC (A3693) KAT CAST On demand Manually Encrypt AES-CBC (A3693) KAT CAST On demand Manually Decrypt AES-CTR (A3693) KAT CAST On demand Manually Encrypt AES-CTR (A3693) KAT CAST On demand Manually Decrypt HMAC DRBG KAT CAST On demand Manually (A3693) KAS-ECC-SSC KAT CAST On demand Manually Sp800-56Ar3 (A3610) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A3693) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A3693)

Page 37

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA-1 KAT CAST On demand Manually (A3693) HMAC-SHA2-256 KAT CAST On demand Manually (A3693) HMAC-SHA2-512 KAT CAST On demand Manually (A3693) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A3693) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A3693) SHA-1 (A3693) KAT CAST On demand Manually SHA2-256 (A3693) KAT CAST On demand Manually SHA2-384 (A3693) KAT CAST On demand Manually SHA2-512 (A3693) KAT CAST On demand Manually KDF SSH (A4271) KAT CAST On demand Manually SHA-1 (A3367) KAT CAST On demand Manually SHA2-256 (A3367) KAT CAST On demand Manually SHA2-512 (A3367) KAT CAST On demand Manually HMAC-SHA-1 KAT CAST On power-up Manually (A3367) HMAC-SHA2-256 KAT CAST On power-up Manually (A3367) HMAC DRBG KAT CAST On power-up Manually (A3493) HMAC-SHA2-256 KAT CAST On power-up Manually (A3493) SHA2-256 (A3493) KAT CAST On power-up Manually ECDSA KeyGen PCT PCT On condition trigger Automatic (FIPS186-4) (A3693) RSA KeyGen PCT PCT On condition trigger Automatic (FIPS186-4) (A3693) FW load KAT SW/FW Load On FW load request Automatic SHA2-512 (A3361) KAT CAST On power-up Manually Manual SSP entry Duplicate entry Manual Entry On condition trigger Automatic

Page 38

Table 24: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Method Indicator Critical The cryptographic module ceases to On self-test error Power cycle Console Failure perform cryptographic operations, inhibits status state all data output, and provides status of the output error via syslog messages and console status output Soft A non-critical self-test failure occurs, PCT, firmware load The module Console Error causing a failure of the triggering operation test, continuous processes the displays State entropy health test error, and resumes error failure normal operation Table 25: Error States The module enters error state upon failure of any self-tests, causing the kernel to ‘panic‘ and all execution to halt. The only way to exit from this state is to reboot the module, which causes the self-tests to be repeated and pass successfully before the corresponding algorithms are usable.

10.5 Operator Initiation of Self-Tests

Self–tests that are performed at power-up are available on demand by power cycling the module.

Page 39
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Before installation of module firmware, CO must first zeroize any module SSPs by following the instructions in Section 9.3. Once zeroization is complete, the CO must install the JUNOS firmware image on the device using the following CLI command: CO@host> request system software add /<image-path>/<image-filename> no-copy no-validate reboot. The image-filename for the validated firmware is as follows: • junos-vmhost-install-srx-x86-64-22.2R3-S1.9.tgz Next, the CO shall proceed as follows:

  1. Enable the approved mode on the device. CO@host> set system fips chassis level 1
  2. Set the root password. user@host# set system root-authentication plain-text-password New password: <type password here>
  3. Commit and reboot the device. CO@host# commit Once the module is rebooted and the integrity and self-tests have run successfully on initial power-on in, the module is operating in the approved mode of operation. The CO must create a backup image of the firmware to ensure it is also an approved mode Junos OS image by issuing the request system snapshot command. The show version command will display the version of the Junos OS on the device so that the CO can confirm it is the FIPS validated version. The CO should also verify the presence of the suffix string “:fips” in the cli prompt, indicating the module is operating in approved mode. TLS and IKE/IPsec are not enabled by default and must not be enabled for FIPS compliant usage of the module.
11.2 Administrator Guidance

The Cryptographic Officer is the person responsible for enabling, configuring, monitoring, and maintaining the module in approved mode. The Cryptographic Officer securely installs Junos OS on the device, enables the approved of operation, establishes keys and passwords for other users and software modules, and initializes the device before network connection. The

Page 40

Cryptographic Officer can configure and monitor the module through a console or SSH connection.

11.3 Non-Administrator Guidance

No specific non-administrator guidance is required to operate the module.

11.4 Design and Rules

The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the approved mode; all other statements indicate a security rule implemented by the module.

  1. The module clears previous authentications on power cycle.
  2. Power up self-tests do not require any operator action.
  3. Data output is inhibited during key generation, self-tests, zeroization, and error states.
  4. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  5. There are no restrictions on which SSPs are zeroized by the zeroization service.
  6. The module does not support a maintenance interface or role.
  7. The module does not output intermediate key values.
  8. The module requires two independent internal actions to be performed prior to outputting plaintext CSPs.
  9. The cryptographic officer must invoke the zeroize command (as per Section 9.3) before using the firmware load service to install a new firmware image.
  10. The cryptographic officer must determine whether firmware being loaded is a legacy use of the firmware load service.
  11. The cryptographic officer must retain control of the module while zeroization is in process.
  12. IKE/IPsec and TLS features must not be enabled.
11.5 Maintenance Requirements

No special maintenance requirements and required.

11.6 End of Life

When disposing of the cryptographic module, the CO shall perform the zeroize command described in Section 9.3.

Page 41
12 Mitigation of Other Attacks

The module does not implement mechanisms to mitigate other attacks beyond what is described in this security policy.