All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Juniper Networks EX, QFX and ACX Series

Certificate#5135StandardFIPS 140-3Level1TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks
Medium review priority  ·  exposes network crypto parser/protocol, debug/recovery interface  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/14/2031
CaveatWhen installed, initialized and configured as specified in Section 11.1 of the Security Policy.
VendorJuniper Networks

Approved Algorithms (22)

AlgorithmACVP Cert
AES-CBCA4210
AES-CTRA4210
ECDSA KeyGen (FIPS186-4)A4210
ECDSA KeyVer (FIPS186-4)A4210
ECDSA SigGen (FIPS186-4)A4210
ECDSA SigVer (FIPS186-4)A4210
HMAC-SHA-1A4210
HMAC-SHA2-256A4210
HMAC-SHA2-512A4210
KAS-ECC-SSC Sp800- 56Ar3A4387
KDF SSH (CVL)A4347
RSA KeyGen (FIPS186- 4)A4210
RSA SigGen (FIPS186- 4)A4210
RSA SigVer (FIPS186-4)A4210
SHA-1A4210
SHA2-256A4210
SHA2-384A4210
SHA2-512A4210
ECDSA SigVer (FIPS186- 4)A4211
HMAC DRBGA4417
HMAC-SHA2- 256A4417
HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-512

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Juniper Networks EX, QFX and ACX Series
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Soft Error State</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial<br/>USB</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C4,C5,C6 clue;
  class I2,I3,I4,I5,I6 infer;
  class R2,R3,R4,R5,R6 risk;
  class E2,E3,E4,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Juniper Networks EX, QFX and ACX Series
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Soft Error State</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial<br/>USB</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C4 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Juniper Networks Juniper Networks EX, QFX and ACX Series Version: Junos OS 22.3R2-S1 Prepared for: Juniper Networks, Inc.

1133 Innovation Way
1.888 JUNIPER

www.juniper.net Prepared by: www.teronlabs.com Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 2
Table of Contents
#SectionPage
1General6
1.1Overview6
1.2Security Levels6
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification9
2.3Excluded Components10
2.4Modes of Operation10
2.5Algorithms10
2.6Security Function Implementations13
2.7Algorithm Specific Information15
2.8RBG and Entropy15
2.9Key Generation16
2.10Key Establishment16
2.11Industry Protocols16
3Cryptographic Module Interfaces16
3.1Ports and Interfaces16
4Roles, Services, and Authentication17
4.1Authentication Methods17
4.2Roles18
4.3Approved Services18
4.4Non-Approved Services21
4.5External Software/Firmware Loaded21
5Software/Firmware Security21
5.1Integrity Techniques21
5.2Initiate on Demand21
6Operational Environment21
6.1Operational Environment Type and Requirements21
6.2Configuration Settings and Restrictions21
7Physical Security22
7.1Mechanisms and Actions Required22
8Non-Invasive Security22
9Sensitive Security Parameters Management22
9.1Storage Areas22
9.2SSP Input-Output Methods22
9.3SSP Zeroization Methods23
9.4SSPs23
9.5Transitions27
10Self-Tests27
10.1Pre-Operational Self-Tests27
10.2Conditional Self-Tests27
10.3Periodic Self-Test Information30
10.4Error States31
10.5Operator Initiation of Self-Tests31
11Life-Cycle Assurance32
11.1Installation, Initialization, and Startup Procedures32
11.2Administrator Guidance32
11.3Non-Administrator Guidance33
11.4Design and Rules33
11.4.1Module Design Rules33
11.4.1Module Operation Rules33
11.5Maintenance Requirements33
11.6End of Life33
12Mitigation of Other Attacks34
Page 3
11.4.1 11.4.1 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Hardware9
Table 3: Modes List and Description10
Table 4: Approved Algorithms - OpenSSL 1.0.211
Table 5: Approved Algorithms - OpenSSL 1.1.111
Table 6: Approved Algorithms - Kernel12
Table 7: Approved Algorithms - LibMD12
Table 8: Vendor-Affirmed Algorithms12
Table 9: Security Function Implementations15
Table 10: Entropy Certificates15
Table 11: Entropy Sources15
Table 12: Ports and Interfaces17
Table 13: Authentication Methods17
Table 14: Roles18
Table 15: Approved Services20
Table 16: Mechanisms and Actions Required22
Table 17: Storage Areas22
Table 18: SSP Input-Output Methods23
Table 19: SSP Zeroization Methods23
Table 20: SSP Table 125
Table 21: SSP Table 227
Table 22: Pre-Operational Self-Tests27
Table 23: Conditional Self-Tests29
Table 24: Pre-Operational Periodic Information30
Table 25: Conditional Periodic Information31
Table 26: Error States31
Figure 1 EX4650-48Y switch (front)7
Figure 2 EX4650-48Y switch (rear)7
Figure 3 QFX5120-48T switch (front)8
Figure 4 QFX5120-48T switch (rear)8
Figure 5 QFX5120-48Y switch (front)8
Figure 6 QFX5120-48Y switch (rear)8
Figure 7 QFX5200-32C switch (front)8
Figure 8 QFX5200-32C switch (rear)8
Figure 9 – MX204 router (front)8
Figure 10 – MX204 router (rear)8
Figure 11 ACX5448 Router (front)9
Figure 12 ACX5448 Router (Rear)9
Page 5

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 6
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication2
55Software/Firmware security1
66Operational environment1
77Physical security1
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1
1.1 Overview

This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks EX, QFX and ACX series network devices running Junos OS 22.3R2-S1.

1.2 Security Levels

The cryptographic module is designed to meet FIPS 140-3 Level 1 overall. The table below shows the security levels claimed for each section of the security requirements. N/A N/A Table 1: Security Levels

2.1 Description

Purpose and Use: The following models are included in this validation and provide network switching and routing functionality:

Page 7

The cryptographic module provides for an encrypted connection, using SSH, between the management station and the module. All other data input or output from the modules are considered plaintext for this FIPS 140-3 validation. Module Type: The cryptographic module is a Hardware cryptographic module. Module Embodiment: The cryptographic module is defined as a MultiChipStand module that executes Junos OS 22.3R2-S1 firmware on any of the identified Juniper Networks devices. Module Characteristics: There are no additional characteristics relevant to this module. Cryptographic Boundary: The cryptographic boundary encompasses the entire Tested Operational Environment Physical Perimeter (TOEPP), which is defined as the outer edge of the chassis. The chassis is a rigid sheetmetal structure that houses all components of the device. The cryptographic module is FIPS-compliant when installed and configured with Junos OS 22.3R2-S1 validated firmware as specified in section 11.1. The physical form of the module is depicted in Figure 1 to Figure 12 Figure 1 EX4650-48Y switch (front) Figure 2 EX4650-48Y switch (rear) Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 8

Figure 3 QFX5120-48T switch (front) Figure 4 QFX5120-48T switch (rear) Figure 5 QFX5120-48Y switch (front) Figure 6 QFX5120-48Y switch (rear) Figure 7 QFX5200-32C switch (front) Figure 8 QFX5200-32C switch (rear) Figure 9

Page 9
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeatures
EX4650-48YEX4650-48YEX4650-48YJUNOS 22.3R2- S1.7Intel Xeon D- 151848 x 1/10/25GbE SFP/SFP+; 8 x 40/100GbE QSFP+/QSFP28
QFX5120- 48TQFX5120- 48TQFX5120- 48TJUNOS 22.3R2- S1.7Intel Xeon D- 151848 x1 /10GbE; 6 x 40/100GbE QSFP+/QSFP+
QFX5120- 48YQFX5120- 48YQFX5120- 48YJUNOS 22.3R2- S1.7Intel Xeon D- 151848 x 1/10/25GbE SFP/SFP+; 8 x 40/100GbE QSFP+/QSFP28
QFX5120- 32CQFX5120- 32CQFX5120- 32CJUNOS 22.3R2- S1.7ntel Xeon E3- 1105CV232 x 40/100GbE QSFP+/QSFP28; 2 x 10GbE SFP+
MX204MX204MX204JUNOS 22.3R2- S1.7Intel Xeon E5- 26088 x 1/10GbE SFP+; 4 x 40/100GbE QSFP+/QSFP28
ACX5448ACX5448ACX5548JUNOS 22.3R2- S1.7Intel Xeon D- 152844 1/10GbE SFP+/SFP ports; 6 x 10/100GbE QSFP28

Figure 11 ACX5448 Router (front) Figure 12 ACX5448 Router (Rear)

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 10
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA4210Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA4210Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
ECDSA KeyGen (FIPS186-4)A4210Curve - P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyGen (FIPS186-4)A4419Curve - P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyGen (FIPS186-4)A6440Curve - P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A4210Curve - P-256, P-384, P-521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A4419Curve - P-256, P-384, P-521FIPS 186-4
ECDSA KeyVer (FIPS186-4)A6440Curve - P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A4210Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4

The module is not classified as software, firmware, or hybrid; thus, this section is not applicable. Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A There are no vendor-affirmed operational environments claimed.

2.3 Excluded Components

No components are excluded from the requirements of FIPS PUB 140-3. The module supports an Approved mode only. The module enters Approved mode as a result of successful installation, initialization and configuration steps described in section 11. Until these procedures have been followed, the module is non-compliant. Table 3: Modes List and Description

2.5 Algorithms

Approved Algorithms: Although the module may have been tested for additional algorithms or modes, only those listed below are utilized by the module. OpenSSL 1.0.2 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 11
Approved algorithm
NameCAVP CertPropertiesReferenceProperties
ECDSA SigGen (FIPS186-4)A4419Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA SigGen (FIPS186-4)A6440Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A4210Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A4419Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A6440Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
HMAC-SHA-1A4210Key Length - Key Length: 160FIPS 198-1
HMAC-SHA2-256A4210Key Length - Key Length: 256FIPS 198-1
HMAC-SHA2-512A4210Key Length - Key Length: 512FIPS 198-1
KAS-ECC-SSC Sp800- 56Ar3A4387Domain Parameter Generation Methods - P-256, P- 384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KDF SSH (CVL)A4347Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512SP 800-135 Rev. 1
RSA KeyGen (FIPS186- 4)A4210Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186- 4)A4210Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-4)A4210Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096FIPS 186-4
SHA-1A4210Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A4210Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A4210Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A4210Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
ECDSA SigVer (FIPS186- 4)A4211Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512FIPS 186-4
ECDSA SigVer (FIPS186- 4)A6401Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512FIPS 186-4
SHA2-256A4211Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
HMAC DRBGA4417SP 800-90A Rev. 1Prediction Resistance - Yes Mode - SHA2-256
HMAC-SHA2- 256A4417FIPS 198-1Key Length - Key Length: 256
SHA2-256A4417FIPS 180-4Message Length - Message Length: 0-51200 Increment 8
SHA2-512A3329FIPS 180-4Message Length - Message Length: 0-51200 Increment 8
SHA2-512A3330FIPS 180-4Message Length - Message Length: 0-51200 Increment 8
SHA2-512A3498FIPS 180-4Message Length - Message Length: 0-51200 Increment 8
HMAC-SHA-1A4208FIPS 198-1Key Length - Key Length: 112, 160
HMAC-SHA2- 256A4208FIPS 198-1Key Length - Key Length: 160, 256
SHA-1A4208FIPS 180-4Message Length - Message Length: 0-51200 Increment 8
SHA2-256A4208FIPS 180-4Message Length - Message Length: 0-51200 Increment 8
SHA2-512A4208FIPS 180-4Message Length - Message Length: 0-65536 Increment 8

Table 4: Approved Algorithms - OpenSSL 1.0.2 OpenSSL 1.1.1 Table 5: Approved Algorithms - OpenSSL 1.1.1 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 12
Service
NameProperties
CKGKey type:AsymmetricJunos 22.3R2-S1 - OpenSSL 1.0.2SP 800-133 Rev.2 Section 4, example 1 direct output from DRBG.

Kernel HMAC-SHA2256 Table 6: Approved Algorithms - Kernel LibMD HMAC-SHA2256 Table 7: Approved Algorithms - LibMD Vendor-Affirmed Algorithms: 1.0.2 Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 13
Service
NameDescriptionApproved FunctionsType
Enc/Dec (SSH)Unauthenticated encryption for SSHAES-CBC: (A4210) AES-CTR: (A4210)BC-UnAuth
KAS-SSC (SSH)Key Agreement Scheme Shared Secret Computation for SSHKAS-ECC-SSC Sp800-56Ar3: (A4387)KAS-SSC
KeyGen (SSH)Key Generation used for SSH authentication keysECDSA KeyGen (FIPS186-4): (A4210, A6440, A4419) ECDSA KeyVer (FIPS186-4): (A4210, A6440, A4419) RSA KeyGen (FIPS186-4): (A4210) HMAC DRBG: (A4417) CKG: ()AsymKeyPair- KeyGen
SigGen (SSH)Signature Generation for peer authentication in SSHECDSA SigGen (FIPS186-4): (A4210, A6440, A4419) RSA SigGen (FIPS186-4): (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210)DigSig-SigGen
SigVer (SSH)Signature Verification for peer authentication in SSHECDSA SigVer (FIPS186-4): (A4210, A6440, A4419) RSA SigVer (FIPS186-4): (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210)DigSig-SigVer
MAC (SSH)Message authentication for SSHHMAC-SHA-1: (A4210) HMAC-SHA2-256: (A4210) HMAC-SHA2-512: (A4210) SHA-1: (A4210) SHA2-256: (A4210) SHA2-512: (A4210)MAC
KAS KeyGen (SSH)Key Generation for Key Agreement in SSHECDSA KeyGen (FIPS186-4): (A4210, A6440,KAS-KeyGen
2.6 Security Function Implementations

The module implements the security functions listed in the following table. AsymKeyPairKeyGen Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 14
Service
NameDescriptionApproved FunctionsType
KDF (SSH)Key derivation function for SSHKDF SSH: (A4347) SHA-1: (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210)KAS-135KDF
Full KAS (SSH)Full Key Agreement for SSHECDSA KeyGen (FIPS186-4): (A4210, A6440, A4419) ECDSA KeyVer (FIPS186-4): (A4210, A6440, A4419) KAS-ECC-SSC Sp800-56Ar3: (A4387) SHA-1: (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) KDF SSH: (A4347)KAS-Full
KTS (SSH)Key transport using SSH as per IG D.G provisionsAES-CBC: (A4210) AES-CTR: (A4210) HMAC-SHA-1: (A4210) HMAC-SHA2-256: (A4210) HMAC-SHA2-512: (A4210)KTS-WrapKTS:128, 256, 384, 521, 2048, 3072, 4096 bit keys provide between 112 and 256 bits of encryption strength
SHA (LibMD)Message Digest GenerationSHA-1: (A4208) SHA2-256: (A4208) SHA2-512: (A4208)SHA
MAC (LibMD)Message AuthenticationHMAC-SHA-1: (A4208) HMAC-SHA2-256: (A4208) SHA-1: (A4208) SHA2-256: (A4208)MAC
DRBG (Kernel)Random Bit GenerationHMAC DRBG: (A4417) HMAC-SHA2-256: (A4417) SHA2-256: (A4417)DRBG
SHA (Kernel)Entropy source conditioning componentSHA2-512: (A3329, A3498, A3330)SHA
Verify imageVerification of firmware imageECDSA SigVer (FIPS186-4):DigSig-SigVer

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 15
Service
NameDescriptionApproved FunctionsType
Entropy SourceEntropy sourceSHA2-512: (A3329, A3498, A3330)ENT-ESV
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
QFX5200-48Y - Junos OS 22.3 Entropy Source (E89)Non- Physical512 bitsIntel Xeon D-1518448 bitsA3498 (SHA2- 512)
ACX5448 - Junos OS 22.3 Entropy Source (E89)Non- Physical512 bitsIntel Xeon D-1528448 bitsA3330 (SHA2- 512)
MX204 - Junos OS 22.3 Entropy Source (E89)Non- Physical512 bitsIntel Xeon E5- 2608L448 bitsA3329 (SHA2- 512)
QFX5200-32C - Junos OS 22.3 Entropy Source (E89)Non- Physical512 bitsIntel Xeon E3- 1105CV2448 bitsA3498 (SHA2- 512)
CertVendor Name
Number
E89Juniper Networks

Table 9: Security Function Implementations

2.7 Algorithm Specific Information

The module includes ECDSA algorithms that have been validated using FIPS 186-4 CAVP tests, which are mathematically identical to FIPS 186-5 CAVP tests. Per IG C.K, all RSA and ECDSA algorithms implemented by the module are claimed compliant with FIPS 186-5. The module complies with IG C.F. RSA Key Generation, Signature Generation and Signature Verification have been tested and validated using CAVP testing for all implemented modulus lengths (2048, 3072 and 4096 bits). The number of Miller-Rabin tests used for primality testing as part of RSA Key Generation is consistent with Table C.3. The module implements the following Approved key agreement methods which have been CAVP tested and validated: ⦁ KAS-ECC per SP 800-56A Rev. 3 (FIPS 140-3 IG D.F Scenario 2, path 2). The module obtains the FIPS 140-3 IG D.F required key agreement assurances in accordance with Section 5.6.2 of SP800-56A Rev. 3. All the key agreement protocols implemented by the module are Diffie-Hellman based.

2.8 RBG and Entropy

The tables below indicate the entropy source used by the module and their associated certificates. Table 10: Entropy Certificates NonPhysical NonPhysical NonPhysical NonPhysical A3498 (SHA2512) A3330 (SHA2512) A3329 (SHA2512) A3498 (SHA2512) Table 11: Entropy Sources Non-Proprietary FIPS 140-3 Security Policy

Page 16
Approved algorithm
NameMode Method
IntegrityCipherProtocolKey ExchangeAuth
HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-512AES CBC 128/192/256 AES CTR 128/192/256SSHv2EC Diffie-Hellman P-256 EC Diffie-Hellman P-384 EC Diffie-Hellman P-521ECDSA P-256 ECDSA P-384 ECDSA P-521 RSA 2048 RSA 3072 RSA 4096
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Ethernet (data)Ethernet (data)Data Input Data OutputLAN communications
Ethernet (mgmt.)Ethernet (mgmt.)Data Input Data Output Control Input Status OutputRemote management
SerialSerialData Input Data Output Control Input Status OutputConsole serial port management
PowerPowerPowerPower
Reset buttonReset buttonControl InputReset
USBUSBData Input Control InputFirmware load port
LEDLEDStatus OutputStatus indicator lighting
Timing interface ports: PPS and 10M GPS (ACX5448 and QFX5120 models only)Timing interface ports: PPS and 10M GPS (ACX5448 and QFX5120 models only)Control InputClock and timing signals from external devices

The entropy source is used to seed the module’s HMAC DRBG with the minimum required 256bits of entropy. Each 512-bit block of conditioned output from the entropy source contains 448 bits of entropy. The HMAC DRBG is used for all random data required by the module, including key generation. There are no initialization procedures required by the users of the module to operate the entropy source in a compliant manner. The module complies with the ESV Public Use document of the validated entropy source (Cert. E89).

2.9 Key Generation

The cryptographic module implements the key generation methods listed above in the Security Functions implementation table.

2.10 Key Establishment

The cryptographic module implements the key establishment methods listed above in the Security Functions implementation table.

2.11 Industry Protocols

The cryptographic module supports the protocols listed below. No part of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. The SSH algorithms allow independent selection of key exchange, authentication, cipher, and integrity. In reference to the supported protocols table below, each column of options for a given protocol is independent and may be used in any viable combination.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The following table maps each physical interface to one or more logical interface types defined in the FIPS 140-3 standard. The module does not have a Control Output Interface. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 17
Sensitive security parameter
NameDescriptionStrengthStrength per Minute
Password authenticationUser and CO authentication via SSH or consol. Minimum of 10 ASCII character passwords.Probability of guessing: 1/(96^10) < 1/1,000,000.SHA (LibMD)Timed access mechanism allows max of 10 attempts / min. Probability of guessing: 10/(96^10) < 1/100,000.
Signature authenticationUser/CO authentication via SSHStrength of signature algorithm, minimum 112-bits. Probability of success for random attempt: 1/(2^112) < 1/1,000,000.SigVer (SSH)A rate of 1 CPU cycle per failed authentication for the Intel Xeon D-1518 processor (4 cores, 2.2 GHz) allows for the probability of success by brute- force attack: 60 x 4 x 2.2 x 10^9 x 1/(2^112) < 1/100,000.

Table 12: Ports and Interfaces

4 Roles, Services, and Authentication
4.1 Authentication Methods

The module implements two forms of role-based authentication methods, as described in the following table. Table 13: Authentication Methods Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 18
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORolePassword authentication Signature authentication
UserMonitorRolePassword authentication Signature authentication
Configure SecuritySecurity relevant configurationCrypto Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - User-PW: W - CO-PW: W - Root-PW: W - SSH PUB: G,R,W - SSH PHK: G,R,WSHA (Kernel) Entropy Source KeyGen (SSH) SHA (LibMD) MAC (LibMD) DRBG (Kernel)':fips' suffix in CLI promptCLI CommandStatus
ConfigureNon-security relevant configurationCrypto OfficerNoneNoneCLI CommandStatus
Show statusShow statusCrypto Officer UserNoneNoneNone':fips' suffix in CLI prompt
ZeroizeZeroize all CSPsCrypto Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: ZNoneNoneCLI commandNone (completion indicator is implicitly provided by the
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORolePassword authentication Signature authentication
UserMonitorRolePassword authentication Signature authentication
Configure SecuritySecurity relevant configurationCrypto Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - User-PW: W - CO-PW: W - Root-PW: W - SSH PUB: G,R,W - SSH PHK: G,R,WSHA (Kernel) Entropy Source KeyGen (SSH) SHA (LibMD) MAC (LibMD) DRBG (Kernel)':fips' suffix in CLI promptCLI CommandStatus
ConfigureNon-security relevant configurationCrypto OfficerNoneNoneCLI CommandStatus
Show statusShow statusCrypto Officer UserNoneNoneNone':fips' suffix in CLI prompt
ZeroizeZeroize all CSPsCrypto Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: ZNoneNoneCLI commandNone (completion indicator is implicitly provided by the
module rebooting)- HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH PHK: Z - SSH PUB: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH DH Pub (peer): Z - SSH-SEKs: Z - CO-PW: Z - Root-PW: Z - User-PW: Z - Auth-CO Pub: Z - Auth-User Pub: Z - Root-CA: Z - Package-CA: Zmodule rebooting)
SSH connectInitiate SSH connection for SSH monitoring and control (CLI)Crypto Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH DH Shared Secret: G,E - SSH DH PRV: G,E - SSH DH PUB: G - SSH-SEKs: G,E - SSH DH Pub (peer): E - CO-PW: E User - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH DH Shared Secret: G,E - SSH DH PRV: G,E - SSH DH PUB: G - SSH-SEKs: G,E - SSH DH PubEnc/Dec (SSH) KAS-SSC (SSH) SigGen (SSH) SigVer (SSH) MAC (SSH) KAS KeyGen (SSH) KDF (SSH) Full KAS (SSH) KTS (SSH) SHA (Kernel) Entropy Source':fips' suffix in CLI promptSSH packetsSSH packets, Status
Console accessConsole monitoring and control (CLI)Crypto Officer - CO-PW: E - Root-PW: E User - User-PW: ENoneNoneCLI CommandStatus
Remote resetSoftware initiated reset, performs self-tests on demand.Crypto Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH-SEKs: Z - SSH DH Pub (peer): ZNoneNoneCLI commandStatus
Local resetHardware reset or power cycleUnauthenticated - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH-SEKs: Z - SSH DH Pub (peer): ZNoneNoneMain power cycleStatus
TrafficTraffic requiring no cryptographic servicesUnauthenticatedNoneNoneTraffic inTraffic out
Load ImageLoading of firmware imageCrypto Officer - Root-CA: E - Package-CA: ZVerify image':fips' suffix in CLI promptCLI CommandStatus
Perform self-testsOn demand execution of all pre-operational and conditional algorithm self- testsCrypto Officer User UnauthenticatedNoneNoneLocal or remote resetStatus
Show module versionShow system information identifying moduleCrypto Officer UserNoneNoneCLI commandStatus
4.2 Roles

Table 14: Roles The module supports two roles: Cryptographic Officer (CO) and User. The module supports rolebased operator authentication for assuming these roles, using methods specified in Section 4.1. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using either of the role-based The Cryptographic Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module. The User role monitors the module via the console or SSH. The user role cannot change the

4.3 Approved Services

G,R,W G,R,W Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 19

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Z G,E G,E

Page 20

algorithm selftests Table 15: Approved Services Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 21
4.4 Non-Approved Services

The module does not offer any non-approved services. N/A for this module.

4.5 External Software/Firmware Loaded

The module includes a firmware load service that is used to install the Junos OS firmware image as part of installation of the module, as described in Section 11.1. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.

5 Software/Firmware Security
5.1 Integrity Techniques

The cryptographic module implements a firmware integrity self-test that uses ECDSA P-256 with SHA2-256 to ensure the integrity of all Junos OS firmware components. The self-test is automatically run on power-up.

5.2 Initiate on Demand

The firmware integrity test can be run on demand by the module’s operator by power cycling the module.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Non-Modifiable The module consists of hardware containing a non-modifiable operational environment as per the FIPS 140-3 definitions. It includes a firmware load service to support necessary updates. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.

6.2 Configuration Settings and Restrictions

There are no security rules, settings, or restrictions to the configuration of the operational environment beyond the initialization instructions to set the module in Approved mode. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 22
Sensitive security parameter
NameTypeDescription
RAMDynamicRandom Access Memory
FlashStaticInternal flash memory storage drive
Service
NameApproved FunctionsTypeFromTo
Manual CLI entryPlaintextLocal CORAMManualDirect
Entry via SSHKTS (SSH)EncryptedRemote CORAMAutomatedElectronic
Entry via consolePlaintextLocal CORAMManualElectronic
Output via SSHKTS (SSH)EncryptedRAMRemote COAutomatedElectronic
Output via consolePlaintextRAMLocal COManualElectronic
Entry as part of KASFull KAS (SSH)PlaintextRemote peerRAMAutomatedElectronic
Output as part of KASFull KAS (SSH)PlaintextRAMRemote peerAutomatedElectronic
MechanismInspectionInspection Guidance
Frequency
Opaque metal enclosuren/an/a
7 Physical Security
7.1 Mechanisms and Actions Required

The module’s physical embodiment meets Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. n/a n/a Table 16: Mechanisms and Actions Required

8 Non-Invasive Security

This section is not applicable, as there are currently no approved non-invasive mitigation techniques specified in ISO/IEC 19790:2012.

9 Sensitive Security Parameters Management
9.1 Storage Areas

The table below lists the areas within the module’s cryptographic boundary where SSPs can be stored. Table 17: Storage Areas

9.2 SSP Input-Output Methods

The table below lists the method used by the module for the input and output of SSPs. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 23
Service
NameTypeFromTo
Pre-loadedPlaintextManufacturerFlashManualDirect
ZeroizationDescriptionRationaleOperator Initiation
Method
Zeroize CLI commandThis command erases all data, including all configuration information, returning the module to its factory default state The system is then rebooted.This command erases all keys and CSPS from storage. The forced power cycle also zeroizes SSPs in volatile memory.Yes, CO via invocation of zeroize CLI command.
ResetZeroization of SSPs in RAM via invocation of local or remote reset service.RAM is volatile and all data is lost when power is taken off. Zeroization is practically instantaneous.Yes, both User and CO, via invocation of Local Reset or Remote Reset services.
Explicit zeroize functionZeroization of SSPs in memory when no longer needed.Use of explicit zeroization function destroys SSP information immediately by overwriting memory area with zeroes.No. The operator cannot directly initiate this method.

Table 18: SSP Input-Output Methods The table below describes the SSP zeroization methods employed by the module. Table 19: SSP Zeroization Methods The CO can run the following commands to zeroize the approved mode SSPs: This command wipes clean all the SSPs/configs as well as the disk and install a factory default firmware image. After zeroizing the system, the module is no longer in a FIPS compliant state. Installation and configuration as per section 11.1 is required to enter the FIPS compliant state and enable the Approved mode of operation. The Cryptographic Officer must retain control of the module while zeroization is in process. Zeroization commands, as described above, and power cycling are initiated by the operator. The commands. Session termination is initiated by the operator or by environmental errors. The completion of zeroization is indicated implicitly. If the zeroization is initiated using a zeroization has successfully completed. If the zeroization is initiated by power cycling the module, then successful reboot of the module indicates that zeroization has completed successfully. In the case of zeroization initiated by session termination, SSPs are zeroized when the session terminates, and session termination is indicated in the log. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 24
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishment
HMAC DRBG V valueDRBG internal state - CSPA critical value of the internal state of DRBG256 - 256DRBG (Kernel)DRBG (Kernel)
HMAC DRBG Key valueDRB internal state - CSPA critical value of the internal state of DRBG256 - 256DRBG (Kernel)DRBG (Kernel)
HMAC DRBG Entropy InputEntropy source output - CSPA critical value of the internal state of DRBG provided by entropy source256 - 256Entropy SourceDRBG (Kernel)
HMAC DRBG SeedDRBG internal state - CSPSeed material used to seed or reseed the HMAC DRBG256 - 256DRBG (Kernel)DRBG (Kernel)
SSH DH Shared SecretDH shared value - CSPShared DH value computed from the ephemeral DH key- pairs as part of SSH and used to derive session keys.256, 384, 521 - 128, 192, 256KDF (SSH)KAS-SSC (SSH)
SSH PHKAsymmetric private key - CSPSSH Private host key. 1st time SSH is configured, the keys are generated.2048, 256, 4096, 384, 521 - 112, 128, 152, 192, 256KeyGen (SSH)SigGen (SSH)
SSH PUBAsymmetric public key - PSPSSH Public Host Key2048, 256, 4096, 384, 521 - 112, 128, 152, 192, 256KeyGen (SSH)SigVer (SSH)
SSH DH PRVAsymmetric private key - CSPSSH KAS private key256, 384, 521 - 128, 192, 256KAS KeyGen (SSH)KAS-SSC (SSH) Full KAS (SSH)
SSH DH PUBAsymmetric public key - PSPSSH KAS public key256, 384, 521 - 128, 192, 256KAS KeyGen (SSH)
SSH DH Pub (peer)Asymmetric public key - PSPSSH KAS public key from peer256, 384, 521 - 128, 192, 256KAS-SSC (SSH) Full KAS (SSH)
SSH-SEKsSymmetric key - CSPSSH Session Encryption Keys128, 192, 256 - 128, 192, 256Enc/Dec (SSH) MAC (SSH)KDF (SSH) Full KAS (SSH)
CO-PWAuthentication password - CSPPassword used to authenticate the CO.Min 10 characters - n/aSHA (LibMD)KTS (SSH)
Root-PWAuthentication password - CSPPassword used by CO to authenticate as 'root'.Min 10 characters - n/aSHA (LibMD)KTS (SSH)
User-PWAuthentication password - CSPPassword used to authenticate UserMin 10 characters - n/aSHA (LibMD)KTS (SSH)

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 25
Sensitive security parameter
NameTypeDescriptionStrengthEstablishmentStorageZeroizationStorage Duration
Auth-CO PubAsymmetric public key - PSPSSH CO Authentication Public Key2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256SigVer (SSH)KTS (SSH)
Auth-User PubAsymmetric public key - PSPSSH User Authentication Public Key2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256SigVer (SSH)KTS (SSH)
Root-CAAsymmetric public key - PSPX.509 Certificate used to verify the validity of the Juniper Package CA256, 384 - 128, 196Verify image
Package- CAAsymmetric public key - PSPX.509 Certificate used to verify the validity the Juniper Image at software load and also at runtime for integrity.256 - 128Verify image
HMAC DRBG V valueRAM:PlaintextZeroize CLI command ResetUntil updated by HMAC_DRBG_Update()
HMAC DRBG Key valueRAM:PlaintextZeroize CLI command ResetUntil updated by HMAC_DRBG_Update()
HMAC DRBG Entropy InputRAM:PlaintextZeroize CLI command ResetUntil HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete
HMAC DRBG SeedRAM:PlaintextZeroize CLI command ResetUntil HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete
SSH DH Shared SecretRAM:PlaintextZeroize CLI command Reset Explicit zeroize functionUntil SSH session termination
SSH PHKRAM:Plaintext Flash:PlaintextZeroize CLI commandUntil SSH session termination (RAM)Entry via SSH Entry via console Output via SSH Output via consoleSSH PUB:Paired With
Sensitive security parameter
NameTypeDescriptionStrengthEstablishmentStorageZeroizationStorage Duration
Auth-CO PubAsymmetric public key - PSPSSH CO Authentication Public Key2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256SigVer (SSH)KTS (SSH)
Auth-User PubAsymmetric public key - PSPSSH User Authentication Public Key2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256SigVer (SSH)KTS (SSH)
Root-CAAsymmetric public key - PSPX.509 Certificate used to verify the validity of the Juniper Package CA256, 384 - 128, 196Verify image
Package- CAAsymmetric public key - PSPX.509 Certificate used to verify the validity the Juniper Image at software load and also at runtime for integrity.256 - 128Verify image
HMAC DRBG V valueRAM:PlaintextZeroize CLI command ResetUntil updated by HMAC_DRBG_Update()
HMAC DRBG Key valueRAM:PlaintextZeroize CLI command ResetUntil updated by HMAC_DRBG_Update()
HMAC DRBG Entropy InputRAM:PlaintextZeroize CLI command ResetUntil HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete
HMAC DRBG SeedRAM:PlaintextZeroize CLI command ResetUntil HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete
SSH DH Shared SecretRAM:PlaintextZeroize CLI command Reset Explicit zeroize functionUntil SSH session termination
SSH PHKRAM:Plaintext Flash:PlaintextZeroize CLI commandUntil SSH session termination (RAM)Entry via SSH Entry via console Output via SSH Output via consoleSSH PUB:Paired With
SSH PUBRAM:Plaintext Flash:PlaintextZeroize CLI commandEntry via SSH Entry via console Output via SSH Output via consoleSSH PHK:Paired With
SSH DH PRVRAM:PlaintextReset Explicit zeroize functionUntil SSH session terminationSSH DH PUB:Paired With
SSH DH PUBRAM:PlaintextReset Explicit zeroize functionUntil SSH session terminationOutput as part of KASSSH DH PRV:Paired With
SSH DH Pub (peer)RAM:PlaintextReset Explicit zeroize functionUntil SSH session terminationEntry as part of KAS
SSH-SEKsRAM:PlaintextReset Explicit zeroize functionUntil SSH session termination
CO-PWRAM:Plaintext Flash:PlaintextZeroize CLI commandManual CLI entry Entry via SSH Entry via console
Root-PWRAM:Plaintext Flash:PlaintextZeroize CLI commandManual CLI entry Entry via SSH Entry via console
User-PWRAM:Plaintext Flash:PlaintextZeroize CLI commandManual CLI entry Entry via SSH Entry via console
Auth-CO PubRAM:Plaintext Flash:PlaintextZeroize CLI commandEntry via SSH Entry via console Output via SSH Output via console
Auth-User PubRAM:Plaintext Flash:PlaintextZeroize CLI commandEntry via SSH Entry via

PackageCA Table 20: SSP Table 1 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 26

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 27
Sensitive security parameter
NameStorageZeroizationOutput
Root-CARAM:Plaintext Flash:PlaintextZeroize CLI commandPre- loaded
Package-CARAM:Plaintext Flash:PlaintextZeroize CLI commandPre- loaded
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicator
Firmware integrity checkFirmware integrity checkKATSW/FW IntegrityECDSA verifyECDSA P- 256 with SHA2-256PASS/FAIL console output
Critical functions testCritical functions testKATCritical FunctionChecks that any file that is executed is registered in a manifest of executable files that comes with the firmware. Test verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file, verifying it cannot be executed.SHA2-256PASS/FAIL console output

Preloaded Preloaded Table 21: SSP Table 2

9.5 Transitions

The following transitions apply to algorithms used by this module: SHA-1: The SHA-1 hash algorithm will be non-Approved for all cryptographic purposes after December 31, 2030.

10 Self-Tests

On power up or reset, the module performs the pre-operational self-tests and the indicated conditional cryptographic algorithm self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. The CASTs for algorithms

10.1 Pre-Operational Self-Tests

Table 22: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 28
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
Entropy Source (start- up)Entropy Source (start- up)APT, RCTCASTStart-upn/aPASS/FAIL console outputOn-power up
Entropy Source (continuous)Entropy Source (continuous)APT, RCTCASTContinuousn/aConsole output / output of entropy sourceData output from noise source
AES-CBC (A4210) EncryptAES-CBC (A4210) EncryptKATCASTEncryptKey size: 128, 192, 256PASS/FAIL console outputOn power-up
AES-CBC (A4210) DecryptAES-CBC (A4210) DecryptKATCASTDecryptKey size: 128, 192, 256PASS/FAIL console outputOn power-up
HMAC-SHA-1 (A4210)HMAC-SHA-1 (A4210)KATCASTMACKey size: 160PASS/FAIL console outputOn power-up
HMAC-SHA2- 256 (A4210)HMAC-SHA2- 256 (A4210)KATCASTMACKey size: 256PASS/FAIL console outputOn power-up
HMAC-SHA2- 384 (A4210)HMAC-SHA2- 384 (A4210)KATCASTMACKey size: 384PASS/FAIL console outputOn power-up
HMAC-SHA2- 512 (A4210)HMAC-SHA2- 512 (A4210)KATCASTMACKey size: 512PASS/FAIL console outputOn power-up
RSA SigGen (FIPS186-4) (A4210)RSA SigGen (FIPS186-4) (A4210)KATCASTSignRSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256PASS/FAIL console outputOn power-up
RSA SigVer (FIPS186-4) (A4210)RSA SigVer (FIPS186-4) (A4210)KATCASTVerifyRSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256PASS/FAIL console outputOn power-up
ECDSA SigGen (FIPS186-4) (A4210)ECDSA SigGen (FIPS186-4) (A4210)KATCASTSignP-256, P-384, P-521PASS/FAIL console outputOn power-up
ECDSA SigGen (FIPS186-4) (A6440)ECDSA SigGen (FIPS186-4) (A6440)KATCASTSignP-256, P-384, P-521PASS/FAIL console outputOn power-up
ECDSA SigGen (FIPS186-4) (A4419)ECDSA SigGen (FIPS186-4) (A4419)KATCASTSignP-256, P-384, P-521PASS/FAIL console outputOn power-up
ECDSA SigVer (FIPS186-4) (A4210)ECDSA SigVer (FIPS186-4) (A4210)KATCASTVerifyP-256, P-384, P-521PASS/FAIL console outputOn power-up
ECDSA SigVer (FIPS186-4) (A6440)ECDSA SigVer (FIPS186-4) (A6440)KATCASTVerifyP-256, P-384, P-521PASS/FAIL console outputOn power-up
ECDSA SigVer (FIPS186-4) (A4419)ECDSA SigVer (FIPS186-4) (A4419)KATCASTVerifyP-256, P-384, P-521PASS/FAIL console outputOn power-up
KAS-ECC-SSC Sp800-56Ar3 (A4387)KAS-ECC-SSC Sp800-56Ar3 (A4387)KATCASTECDH ComputationP-256, P-384, P-521PASS/FAIL console outputOn power-up
KDF SSH (A4347)KDF SSH (A4347)KATCASTKey derivation ComputationSHA-1, SHA2- 256, SHA2-384PASS/FAIL console outputOn power-up
RSA KeyGen (FIPS186-4) (A4210)RSA KeyGen (FIPS186-4) (A4210)PCTPCTGeneration and Verification of signaturen/aReturned key/transition soft error stateOn key generation
ECDSA KeyGen (FIPS186-4) (A4210)ECDSA KeyGen (FIPS186-4) (A4210)PCTPCTGeneration and Verification of signaturen/aReturned key/transition soft error stateOn key generation
ECDSA KeyGen (FIPS186-4) (A6440)ECDSA KeyGen (FIPS186-4) (A6440)PCTPCTGeneration and Verification of signaturen/aReturned key/transition soft error stateOn key generation
ECDSA KeyGen (FIPS186-4) (A4419)ECDSA KeyGen (FIPS186-4) (A4419)PCTPCTGeneration and Verification of signaturen/aReturned key/transition soft error stateOn key generation
ECDSA SigVer (FIPS186-4) (A6401)ECDSA SigVer (FIPS186-4) (A6401)KATCASTVerifyP-256PASS/FAIL console outputOn power-up
ECDSA SigVer (FIPS186-4) (A4211)ECDSA SigVer (FIPS186-4) (A4211)KATCASTVerifyP-256PASS/FAIL console outputOn power-up
FW LoadFW LoadKATSW/FW LoadVerification of ECDSA signature on FWECDSA P-256 with SHA2-256PASS/FAIL console outputOn FW load
HMAC DRBG (A4417)HMAC DRBG (A4417)KATCASTInstantiate, re- seed, and generate256, SHA2-256PASS/FAIL console outputOn power-up
HMAC-SHA-1 (A4417)HMAC-SHA-1 (A4417)KATCASTMACKey size: 160PASS/FAIL console outputOn power-up
HMAC-SHA2- 256 (A4417)HMAC-SHA2- 256 (A4417)KATCASTMACKey size: 256PASS/FAIL console outputOn power-up
SHA2-384 (A4417)SHA2-384 (A4417)KATCASTHashn/aPASS/FAIL console outputOn power-up
HMAC-SHA2- 256 (A4208)HMAC-SHA2- 256 (A4208)KATCASTMACKey size: 256PASS/FAIL console outputOn power-up
HMAC-SHA-1 (A4208)HMAC-SHA-1 (A4208)KATCASTMACKey size: 256PASS/FAIL console outputOn power-up
SHA2-512 (A4208)SHA2-512 (A4208)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-512 (A3498)SHA2-512 (A3498)KATCASThashn/aPASS/FAIL console outputOn power-up
SHA2-512 (A3330)SHA2-512 (A3330)KATCASThashn/aPASS/FAIL console outputOn power-up
SHA2-512 (A3329)SHA2-512 (A3329)KATCASThashn/aPASS/FAIL console outputOn power-up
Manual SSP entryManual SSP entryDuplicate entryManual EntryDuplicate entryn/aPASS/FAIL console outputOn manual, direct entry of SSP
4096 w/ SHA2256
4096 w/ SHA2256

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 29

n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a Table 23: Conditional Self-Tests Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 30
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
Firmware integrity checkFirmware integrity checkKATSW/FW IntegrityOn demandManually
Critical functions testCritical functions testKATCritical FunctionOn demandManually
Entropy Source (start-up)Entropy Source (start-up)APT, RCTCASTOn demandManually
Entropy Source (continuous)Entropy Source (continuous)APT, RCTCASTContinuousAutomatically
AES-CBC (A4210) EncryptAES-CBC (A4210) EncryptKATCASTOn DemandManually
AES-CBC (A4210) DecryptAES-CBC (A4210) DecryptKATCASTOn DemandManually
HMAC-SHA-1 (A4210)HMAC-SHA-1 (A4210)KATCASTOn DemandManually
HMAC-SHA2-256 (A4210)HMAC-SHA2-256 (A4210)KATCASTOn DemandManually
HMAC-SHA2-384 (A4210)HMAC-SHA2-384 (A4210)KATCASTOn DemandManually
HMAC-SHA2-512 (A4210)HMAC-SHA2-512 (A4210)KATCASTOn DemandManually
RSA SigGen (FIPS186-4) (A4210)RSA SigGen (FIPS186-4) (A4210)KATCASTOn DemandManually
RSA SigVer (FIPS186-4) (A4210)RSA SigVer (FIPS186-4) (A4210)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A4210)ECDSA SigGen (FIPS186-4) (A4210)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A6440)ECDSA SigGen (FIPS186-4) (A6440)KATCASTOn DemandManually
ECDSA SigGen (FIPS186-4) (A4419)ECDSA SigGen (FIPS186-4) (A4419)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A4210)ECDSA SigVer (FIPS186-4) (A4210)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A6440)ECDSA SigVer (FIPS186-4) (A6440)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A4419)ECDSA SigVer (FIPS186-4) (A4419)KATCASTOn DemandManually
KAS-ECC-SSC Sp800-56Ar3 (A4387)KAS-ECC-SSC Sp800-56Ar3 (A4387)KATCASTOn DemandManually
KDF SSH (A4347)KDF SSH (A4347)KATCASTOn DemandManually
RSA KeyGen (FIPS186-4) (A4210)RSA KeyGen (FIPS186-4) (A4210)PCTPCTOn trigger conditionAutomatic
ECDSA KeyGen (FIPS186-4) (A4210)ECDSA KeyGen (FIPS186-4) (A4210)PCTPCTOn trigger conditionAutomatic
ECDSA KeyGen (FIPS186-4) (A6440)ECDSA KeyGen (FIPS186-4) (A6440)PCTPCTOn trigger conditionAutomatic
ECDSA KeyGen (FIPS186-4) (A4419)ECDSA KeyGen (FIPS186-4) (A4419)PCTPCTOn trigger conditionAutomatic
ECDSA SigVer (FIPS186-4) (A6401)ECDSA SigVer (FIPS186-4) (A6401)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-4) (A4211)ECDSA SigVer (FIPS186-4) (A4211)KATCASTOn DemandManually
FW LoadFW LoadKATSW/FW LoadOn FW load requestAutomatic
HMAC DRBG (A4417)HMAC DRBG (A4417)KATCASTOn DemandManually
HMAC-SHA-1 (A4417)HMAC-SHA-1 (A4417)KATCASTOn DemandManually
HMAC-SHA2-256 (A4417)HMAC-SHA2-256 (A4417)KATCASTOn DemandManually
SHA2-384 (A4417)SHA2-384 (A4417)KATCASTOn DemandManually
HMAC-SHA2-256 (A4208)HMAC-SHA2-256 (A4208)KATCASTOn DemandManually
HMAC-SHA-1 (A4208)HMAC-SHA-1 (A4208)KATCASTOn DemandManually
SHA2-512 (A4208)SHA2-512 (A4208)KATCASTOn DemandManually
SHA2-512 (A3498)SHA2-512 (A3498)KATCASTOn demandManually
SHA2-512 (A3330)SHA2-512 (A3330)KATCASTOn demandManually
SHA2-512 (A3329)SHA2-512 (A3329)KATCASTOn demandManually
Manual SSP entryManual SSP entryDuplicate entryManual EntryOn condition triggerAutomatic
10.3 Periodic Self-Test Information

The module does not implement periodic self-testing. Table 24: Pre-Operational Periodic Information Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 31
Service
NameDescriptionRole AccessIndicator
Critical Failure StateThe cryptographic module ceases to perform cryptographic operations, inhibits all data output, and provides status of the error via syslog messages and console status outputOn any power-up self-test errorConsole status indicatorPower cycle
Soft Error StateA non-critical self-test failure occurs, causing a failure of the triggering operationPCT, firmware load test, continuous entropy health test failureConsole displays errorThe module processes the error, and resumes normal operation

Table 25: Conditional Periodic Information

10.4 Error States

Table 26: Error States execution to halt. The only way to exit from this state is to reboot the module, which causes the self-tests to be repeated and pass successfully before the corresponding algorithms are usable.

10.5 Operator Initiation of Self-Tests

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 32

Self–tests that are performed at power-up are available on demand by power cycling the module.

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Before installation of module firmware, CO must first zeroize any module SSPs by following the instructions in Section 9.3. Once zeroization is complete, the CO must install the JUNOS firmware image on the device using the following CLI command: CO@host> request system software add /<image-path>/<image-filename> no-copy no-validate reboot. The image-filenames for the validated firmware are as follows: • EX series: jinstall-host-ex-4e-x86-64-22.3R2-S1.7-secure-signed.tgz • QFX series: jinstall-host-qfx-5e-x86-64-22.3R2-S1.7-secure-signed.tgz • MX series: junos-vmhost-install-mx-x86-64-22.3R2-S1.7.tgz • ACX series: junos-vmhost-install-acx-x86-64-22.3R2-S1.7.tgz Next, the CO shall proceed as follows:

  1. Enable the approved mode on the device. CO@host> set system fips chassis level 1
  2. Set the root password. user@host# set system root-authentication plain-text-password New password: <type password here>
  3. Commit and reboot the device. CO@host# commit Once the module is rebooted and the integrity and self-tests have run successfully on initial power-on in, the module is operating in the approved mode of operation. The CO must create a backup image of the firmware to ensure it is also an approved mode Junos OS image by issuing the request system snapshot command. The show version command will display the version of the Junos OS on the device so that the CO can confirm it is the FIPS validated version. The CO should also verify the presence of the suffix string “:fips” in the cli prompt, indicating the module is operating in approved mode. TLS and IKE/IPsec are not enabled by default and must not be enabled for FIPS compliant usage of the module.
11.2 Administrator Guidance

The Cryptographic Officer is the person responsible for enabling, configuring, monitoring, and maintaining the module in approved mode. The Cryptographic Officer securely installs Junos OS on the device, enables the approved mode of operation, establishes keys and passwords for other users and software modules, and initializes the device before network connection. The Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 33

Cryptographic Officer can configure and monitor the module through a console or SSH connection.

11.3 Non-Administrator Guidance

No specific non-administrator guidance is required to operate the module.

11.4 Design and Rules
11.4.1 Module Design Rules

The module design implements the following security rules:

  1. The module clears previous authentications on power cycle.
  2. Power up self-tests do not require any operator action.
  3. Data output is inhibited during key generation, self-tests, zeroization, and error states.
  4. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  5. There are no restrictions on which SSPs are zeroized by the zeroization service.
  6. The module does not support a maintenance interface or role.
  7. The module does not output intermediate key values.
  8. The module requires two independent internal actions to be performed prior to outputting plaintext CSPs.
11.4.1 Module Operation Rules

The following are requirements for compliant usage of the module:

  1. The cryptographic officer must retain control of the module while zeroization is in process.
  2. The cryptographic officer shall verify that the firmware image to be loaded on the module is a FIPS validated image.
  3. Before pushing the factory reset button on the device, the cryptographic officer shall perform the zeroize command as described in section 9.3
  4. The password minimum-length must be configured to be at least 10.
  5. The module shall not be configured to use a radius server and the radius server capability shall be disabled.
  6. SSH key-exchange must not be configured to include ‘dh-group14-sha1’.
11.5 Maintenance Requirements

No special maintenance requirements are required.

11.6 End of Life

When disposing of the cryptographic module, the cryptographic officer shall perform the zeroize command as described in Section 9.3. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 34
12 Mitigation of Other Attacks

The module does not implement mechanisms to mitigate other attacks beyond what is described in this security policy. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Referenced URLs