| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/14/2031 |
| Caveat | When installed, initialized and configured as specified in Section 11.1 of the Security Policy. |
| Vendor | Juniper Networks |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A4210 |
| AES-CTR | A4210 |
| ECDSA KeyGen (FIPS186-4) | A4210 |
| ECDSA KeyVer (FIPS186-4) | A4210 |
| ECDSA SigGen (FIPS186-4) | A4210 |
| ECDSA SigVer (FIPS186-4) | A4210 |
| HMAC-SHA-1 | A4210 |
| HMAC-SHA2-256 | A4210 |
| HMAC-SHA2-512 | A4210 |
| KAS-ECC-SSC Sp800- 56Ar3 | A4387 |
| KDF SSH (CVL) | A4347 |
| RSA KeyGen (FIPS186- 4) | A4210 |
| RSA SigGen (FIPS186- 4) | A4210 |
| RSA SigVer (FIPS186-4) | A4210 |
| SHA-1 | A4210 |
| SHA2-256 | A4210 |
| SHA2-384 | A4210 |
| SHA2-512 | A4210 |
| ECDSA SigVer (FIPS186- 4) | A4211 |
| HMAC DRBG | A4417 |
| HMAC-SHA2- 256 | A4417 |
| HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-512 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | 7 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for Juniper Networks EX, QFX and ACX Series
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Soft Error State</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i>"]
C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial<br/>USB</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C4 --> I4 --> R4 --> E4
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C4,C5,C6 clue;
class I2,I3,I4,I5,I6 infer;
class R2,R3,R4,R5,R6 risk;
class E2,E3,E4,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Juniper Networks EX, QFX and ACX Series
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Soft Error State</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i><br/>src: securityPolicy.services"]
C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial<br/>USB</i><br/>src: securityPolicy.portsAndInterfaces"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C4 clueHigh;
class C5,C6 clueLow;Juniper Networks Juniper Networks EX, QFX and ACX Series Version: Junos OS 22.3R2-S1 Prepared for: Juniper Networks, Inc.
www.juniper.net Prepared by: www.teronlabs.com Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| # | Section | Page |
|---|---|---|
| 1 | General | 6 |
| 1.1 | Overview | 6 |
| 1.2 | Security Levels | 6 |
| 2 | Cryptographic Module Specification | 6 |
| 2.1 | Description | 6 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 9 |
| 2.3 | Excluded Components | 10 |
| 2.4 | Modes of Operation | 10 |
| 2.5 | Algorithms | 10 |
| 2.6 | Security Function Implementations | 13 |
| 2.7 | Algorithm Specific Information | 15 |
| 2.8 | RBG and Entropy | 15 |
| 2.9 | Key Generation | 16 |
| 2.10 | Key Establishment | 16 |
| 2.11 | Industry Protocols | 16 |
| 3 | Cryptographic Module Interfaces | 16 |
| 3.1 | Ports and Interfaces | 16 |
| 4 | Roles, Services, and Authentication | 17 |
| 4.1 | Authentication Methods | 17 |
| 4.2 | Roles | 18 |
| 4.3 | Approved Services | 18 |
| 4.4 | Non-Approved Services | 21 |
| 4.5 | External Software/Firmware Loaded | 21 |
| 5 | Software/Firmware Security | 21 |
| 5.1 | Integrity Techniques | 21 |
| 5.2 | Initiate on Demand | 21 |
| 6 | Operational Environment | 21 |
| 6.1 | Operational Environment Type and Requirements | 21 |
| 6.2 | Configuration Settings and Restrictions | 21 |
| 7 | Physical Security | 22 |
| 7.1 | Mechanisms and Actions Required | 22 |
| 8 | Non-Invasive Security | 22 |
| 9 | Sensitive Security Parameters Management | 22 |
| 9.1 | Storage Areas | 22 |
| 9.2 | SSP Input-Output Methods | 22 |
| 9.3 | SSP Zeroization Methods | 23 |
| 9.4 | SSPs | 23 |
| 9.5 | Transitions | 27 |
| 10 | Self-Tests | 27 |
| 10.1 | Pre-Operational Self-Tests | 27 |
| 10.2 | Conditional Self-Tests | 27 |
| 10.3 | Periodic Self-Test Information | 30 |
| 10.4 | Error States | 31 |
| 10.5 | Operator Initiation of Self-Tests | 31 |
| 11 | Life-Cycle Assurance | 32 |
| 11.1 | Installation, Initialization, and Startup Procedures | 32 |
| 11.2 | Administrator Guidance | 32 |
| 11.3 | Non-Administrator Guidance | 33 |
| 11.4 | Design and Rules | 33 |
| 11.4.1 | Module Design Rules | 33 |
| 11.4.1 | Module Operation Rules | 33 |
| 11.5 | Maintenance Requirements | 33 |
| 11.6 | End of Life | 33 |
| 12 | Mitigation of Other Attacks | 34 |
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Hardware | 9 |
| Table 3: Modes List and Description | 10 |
| Table 4: Approved Algorithms - OpenSSL 1.0.2 | 11 |
| Table 5: Approved Algorithms - OpenSSL 1.1.1 | 11 |
| Table 6: Approved Algorithms - Kernel | 12 |
| Table 7: Approved Algorithms - LibMD | 12 |
| Table 8: Vendor-Affirmed Algorithms | 12 |
| Table 9: Security Function Implementations | 15 |
| Table 10: Entropy Certificates | 15 |
| Table 11: Entropy Sources | 15 |
| Table 12: Ports and Interfaces | 17 |
| Table 13: Authentication Methods | 17 |
| Table 14: Roles | 18 |
| Table 15: Approved Services | 20 |
| Table 16: Mechanisms and Actions Required | 22 |
| Table 17: Storage Areas | 22 |
| Table 18: SSP Input-Output Methods | 23 |
| Table 19: SSP Zeroization Methods | 23 |
| Table 20: SSP Table 1 | 25 |
| Table 21: SSP Table 2 | 27 |
| Table 22: Pre-Operational Self-Tests | 27 |
| Table 23: Conditional Self-Tests | 29 |
| Table 24: Pre-Operational Periodic Information | 30 |
| Table 25: Conditional Periodic Information | 31 |
| Table 26: Error States | 31 |
| Figure 1 EX4650-48Y switch (front) | 7 |
| Figure 2 EX4650-48Y switch (rear) | 7 |
| Figure 3 QFX5120-48T switch (front) | 8 |
| Figure 4 QFX5120-48T switch (rear) | 8 |
| Figure 5 QFX5120-48Y switch (front) | 8 |
| Figure 6 QFX5120-48Y switch (rear) | 8 |
| Figure 7 QFX5200-32C switch (front) | 8 |
| Figure 8 QFX5200-32C switch (rear) | 8 |
| Figure 9 – MX204 router (front) | 8 |
| Figure 10 – MX204 router (rear) | 8 |
| Figure 11 ACX5448 Router (front) | 9 |
| Figure 12 ACX5448 Router (Rear) | 9 |
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 2 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | 1 |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 1 |
This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks EX, QFX and ACX series network devices running Junos OS 22.3R2-S1.
The cryptographic module is designed to meet FIPS 140-3 Level 1 overall. The table below shows the security levels claimed for each section of the security requirements. N/A N/A Table 1: Security Levels
Purpose and Use: The following models are included in this validation and provide network switching and routing functionality:
The cryptographic module provides for an encrypted connection, using SSH, between the management station and the module. All other data input or output from the modules are considered plaintext for this FIPS 140-3 validation. Module Type: The cryptographic module is a Hardware cryptographic module. Module Embodiment: The cryptographic module is defined as a MultiChipStand module that executes Junos OS 22.3R2-S1 firmware on any of the identified Juniper Networks devices. Module Characteristics: There are no additional characteristics relevant to this module. Cryptographic Boundary: The cryptographic boundary encompasses the entire Tested Operational Environment Physical Perimeter (TOEPP), which is defined as the outer edge of the chassis. The chassis is a rigid sheetmetal structure that houses all components of the device. The cryptographic module is FIPS-compliant when installed and configured with Junos OS 22.3R2-S1 validated firmware as specified in section 11.1. The physical form of the module is depicted in Figure 1 to Figure 12 Figure 1 EX4650-48Y switch (front) Figure 2 EX4650-48Y switch (rear) Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Figure 3 QFX5120-48T switch (front) Figure 4 QFX5120-48T switch (rear) Figure 5 QFX5120-48Y switch (front) Figure 6 QFX5120-48Y switch (rear) Figure 7 QFX5200-32C switch (front) Figure 8 QFX5200-32C switch (rear) Figure 9
| Name | Model | Hardware Version | Firmware Version | Processor | Features |
|---|---|---|---|---|---|
| EX4650-48Y | EX4650-48Y | EX4650-48Y | JUNOS 22.3R2- S1.7 | Intel Xeon D- 1518 | 48 x 1/10/25GbE SFP/SFP+; 8 x 40/100GbE QSFP+/QSFP28 |
| QFX5120- 48T | QFX5120- 48T | QFX5120- 48T | JUNOS 22.3R2- S1.7 | Intel Xeon D- 1518 | 48 x1 /10GbE; 6 x 40/100GbE QSFP+/QSFP+ |
| QFX5120- 48Y | QFX5120- 48Y | QFX5120- 48Y | JUNOS 22.3R2- S1.7 | Intel Xeon D- 1518 | 48 x 1/10/25GbE SFP/SFP+; 8 x 40/100GbE QSFP+/QSFP28 |
| QFX5120- 32C | QFX5120- 32C | QFX5120- 32C | JUNOS 22.3R2- S1.7 | ntel Xeon E3- 1105CV2 | 32 x 40/100GbE QSFP+/QSFP28; 2 x 10GbE SFP+ |
| MX204 | MX204 | MX204 | JUNOS 22.3R2- S1.7 | Intel Xeon E5- 2608 | 8 x 1/10GbE SFP+; 4 x 40/100GbE QSFP+/QSFP28 |
| ACX5448 | ACX5448 | ACX5548 | JUNOS 22.3R2- S1.7 | Intel Xeon D- 1528 | 44 1/10GbE SFP+/SFP ports; 6 x 10/100GbE QSFP28 |
Figure 11 ACX5448 Router (front) Figure 12 ACX5448 Router (Rear)
Tested Module Identification
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A4210 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CTR | A4210 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| ECDSA KeyGen (FIPS186-4) | A4210 | Curve - P-256, P-384, P-521 Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyGen (FIPS186-4) | A4419 | Curve - P-256, P-384, P-521 Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyGen (FIPS186-4) | A6440 | Curve - P-256, P-384, P-521 Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A4210 | Curve - P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A4419 | Curve - P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A6440 | Curve - P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A4210 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
The module is not classified as software, firmware, or hybrid; thus, this section is not applicable. Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A There are no vendor-affirmed operational environments claimed.
No components are excluded from the requirements of FIPS PUB 140-3. The module supports an Approved mode only. The module enters Approved mode as a result of successful installation, initialization and configuration steps described in section 11. Until these procedures have been followed, the module is non-compliant. Table 3: Modes List and Description
Approved Algorithms: Although the module may have been tested for additional algorithms or modes, only those listed below are utilized by the module. OpenSSL 1.0.2 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | CAVP Cert | Properties | Reference | Properties |
|---|---|---|---|---|
| ECDSA SigGen (FIPS186-4) | A4419 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 | |
| ECDSA SigGen (FIPS186-4) | A6440 | Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 | |
| ECDSA SigVer (FIPS186-4) | A4210 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 | |
| ECDSA SigVer (FIPS186-4) | A4419 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 | |
| ECDSA SigVer (FIPS186-4) | A6440 | Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 | |
| HMAC-SHA-1 | A4210 | Key Length - Key Length: 160 | FIPS 198-1 | |
| HMAC-SHA2-256 | A4210 | Key Length - Key Length: 256 | FIPS 198-1 | |
| HMAC-SHA2-512 | A4210 | Key Length - Key Length: 512 | FIPS 198-1 | |
| KAS-ECC-SSC Sp800- 56Ar3 | A4387 | Domain Parameter Generation Methods - P-256, P- 384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 | |
| KDF SSH (CVL) | A4347 | Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 | |
| RSA KeyGen (FIPS186- 4) | A4210 | Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard | FIPS 186-4 | |
| RSA SigGen (FIPS186- 4) | A4210 | Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 | FIPS 186-4 | |
| RSA SigVer (FIPS186-4) | A4210 | Signature Type - PKCS 1.5 Modulo - 2048, 3072, 4096 | FIPS 186-4 | |
| SHA-1 | A4210 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | |
| SHA2-256 | A4210 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | |
| SHA2-384 | A4210 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | |
| SHA2-512 | A4210 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | |
| ECDSA SigVer (FIPS186- 4) | A4211 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512 | FIPS 186-4 | |
| ECDSA SigVer (FIPS186- 4) | A6401 | Component - No Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512 | FIPS 186-4 | |
| SHA2-256 | A4211 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 | |
| HMAC DRBG | A4417 | SP 800-90A Rev. 1 | Prediction Resistance - Yes Mode - SHA2-256 | |
| HMAC-SHA2- 256 | A4417 | FIPS 198-1 | Key Length - Key Length: 256 | |
| SHA2-256 | A4417 | FIPS 180-4 | Message Length - Message Length: 0-51200 Increment 8 | |
| SHA2-512 | A3329 | FIPS 180-4 | Message Length - Message Length: 0-51200 Increment 8 | |
| SHA2-512 | A3330 | FIPS 180-4 | Message Length - Message Length: 0-51200 Increment 8 | |
| SHA2-512 | A3498 | FIPS 180-4 | Message Length - Message Length: 0-51200 Increment 8 | |
| HMAC-SHA-1 | A4208 | FIPS 198-1 | Key Length - Key Length: 112, 160 | |
| HMAC-SHA2- 256 | A4208 | FIPS 198-1 | Key Length - Key Length: 160, 256 | |
| SHA-1 | A4208 | FIPS 180-4 | Message Length - Message Length: 0-51200 Increment 8 | |
| SHA2-256 | A4208 | FIPS 180-4 | Message Length - Message Length: 0-51200 Increment 8 | |
| SHA2-512 | A4208 | FIPS 180-4 | Message Length - Message Length: 0-65536 Increment 8 |
Table 4: Approved Algorithms - OpenSSL 1.0.2 OpenSSL 1.1.1 Table 5: Approved Algorithms - OpenSSL 1.1.1 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Properties | ||
|---|---|---|---|
| CKG | Key type:Asymmetric | Junos 22.3R2-S1 - OpenSSL 1.0.2 | SP 800-133 Rev.2 Section 4, example 1 direct output from DRBG. |
Kernel HMAC-SHA2256 Table 6: Approved Algorithms - Kernel LibMD HMAC-SHA2256 Table 7: Approved Algorithms - LibMD Vendor-Affirmed Algorithms: 1.0.2 Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Enc/Dec (SSH) | Unauthenticated encryption for SSH | AES-CBC: (A4210) AES-CTR: (A4210) | BC-UnAuth |
| KAS-SSC (SSH) | Key Agreement Scheme Shared Secret Computation for SSH | KAS-ECC-SSC Sp800-56Ar3: (A4387) | KAS-SSC |
| KeyGen (SSH) | Key Generation used for SSH authentication keys | ECDSA KeyGen (FIPS186-4): (A4210, A6440, A4419) ECDSA KeyVer (FIPS186-4): (A4210, A6440, A4419) RSA KeyGen (FIPS186-4): (A4210) HMAC DRBG: (A4417) CKG: () | AsymKeyPair- KeyGen |
| SigGen (SSH) | Signature Generation for peer authentication in SSH | ECDSA SigGen (FIPS186-4): (A4210, A6440, A4419) RSA SigGen (FIPS186-4): (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) | DigSig-SigGen |
| SigVer (SSH) | Signature Verification for peer authentication in SSH | ECDSA SigVer (FIPS186-4): (A4210, A6440, A4419) RSA SigVer (FIPS186-4): (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) | DigSig-SigVer |
| MAC (SSH) | Message authentication for SSH | HMAC-SHA-1: (A4210) HMAC-SHA2-256: (A4210) HMAC-SHA2-512: (A4210) SHA-1: (A4210) SHA2-256: (A4210) SHA2-512: (A4210) | MAC |
| KAS KeyGen (SSH) | Key Generation for Key Agreement in SSH | ECDSA KeyGen (FIPS186-4): (A4210, A6440, | KAS-KeyGen |
The module implements the security functions listed in the following table. AsymKeyPairKeyGen Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Approved Functions | Type | |
|---|---|---|---|---|
| KDF (SSH) | Key derivation function for SSH | KDF SSH: (A4347) SHA-1: (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) | KAS-135KDF | |
| Full KAS (SSH) | Full Key Agreement for SSH | ECDSA KeyGen (FIPS186-4): (A4210, A6440, A4419) ECDSA KeyVer (FIPS186-4): (A4210, A6440, A4419) KAS-ECC-SSC Sp800-56Ar3: (A4387) SHA-1: (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) KDF SSH: (A4347) | KAS-Full | |
| KTS (SSH) | Key transport using SSH as per IG D.G provisions | AES-CBC: (A4210) AES-CTR: (A4210) HMAC-SHA-1: (A4210) HMAC-SHA2-256: (A4210) HMAC-SHA2-512: (A4210) | KTS-Wrap | KTS:128, 256, 384, 521, 2048, 3072, 4096 bit keys provide between 112 and 256 bits of encryption strength |
| SHA (LibMD) | Message Digest Generation | SHA-1: (A4208) SHA2-256: (A4208) SHA2-512: (A4208) | SHA | |
| MAC (LibMD) | Message Authentication | HMAC-SHA-1: (A4208) HMAC-SHA2-256: (A4208) SHA-1: (A4208) SHA2-256: (A4208) | MAC | |
| DRBG (Kernel) | Random Bit Generation | HMAC DRBG: (A4417) HMAC-SHA2-256: (A4417) SHA2-256: (A4417) | DRBG | |
| SHA (Kernel) | Entropy source conditioning component | SHA2-512: (A3329, A3498, A3330) | SHA | |
| Verify image | Verification of firmware image | ECDSA SigVer (FIPS186-4): | DigSig-SigVer |
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Entropy Source | Entropy source | SHA2-512: (A3329, A3498, A3330) | ENT-ESV |
| Name | Type | Strength | Operational Environment | Conditioning Component | |
|---|---|---|---|---|---|
| QFX5200-48Y - Junos OS 22.3 Entropy Source (E89) | Non- Physical | 512 bits | Intel Xeon D-1518 | 448 bits | A3498 (SHA2- 512) |
| ACX5448 - Junos OS 22.3 Entropy Source (E89) | Non- Physical | 512 bits | Intel Xeon D-1528 | 448 bits | A3330 (SHA2- 512) |
| MX204 - Junos OS 22.3 Entropy Source (E89) | Non- Physical | 512 bits | Intel Xeon E5- 2608L | 448 bits | A3329 (SHA2- 512) |
| QFX5200-32C - Junos OS 22.3 Entropy Source (E89) | Non- Physical | 512 bits | Intel Xeon E3- 1105CV2 | 448 bits | A3498 (SHA2- 512) |
| Cert | Vendor Name | |
|---|---|---|
| Number | ||
| E89 | Juniper Networks |
Table 9: Security Function Implementations
The module includes ECDSA algorithms that have been validated using FIPS 186-4 CAVP tests, which are mathematically identical to FIPS 186-5 CAVP tests. Per IG C.K, all RSA and ECDSA algorithms implemented by the module are claimed compliant with FIPS 186-5. The module complies with IG C.F. RSA Key Generation, Signature Generation and Signature Verification have been tested and validated using CAVP testing for all implemented modulus lengths (2048, 3072 and 4096 bits). The number of Miller-Rabin tests used for primality testing as part of RSA Key Generation is consistent with Table C.3. The module implements the following Approved key agreement methods which have been CAVP tested and validated: ⦁ KAS-ECC per SP 800-56A Rev. 3 (FIPS 140-3 IG D.F Scenario 2, path 2). The module obtains the FIPS 140-3 IG D.F required key agreement assurances in accordance with Section 5.6.2 of SP800-56A Rev. 3. All the key agreement protocols implemented by the module are Diffie-Hellman based.
The tables below indicate the entropy source used by the module and their associated certificates. Table 10: Entropy Certificates NonPhysical NonPhysical NonPhysical NonPhysical A3498 (SHA2512) A3330 (SHA2512) A3329 (SHA2512) A3498 (SHA2512) Table 11: Entropy Sources Non-Proprietary FIPS 140-3 Security Policy
| Name | Mode Method | |||
|---|---|---|---|---|
| Integrity | Cipher | Protocol | Key Exchange | Auth |
| HMAC-SHA-1 HMAC-SHA2-256 HMAC-SHA2-512 | AES CBC 128/192/256 AES CTR 128/192/256 | SSHv2 | EC Diffie-Hellman P-256 EC Diffie-Hellman P-384 EC Diffie-Hellman P-521 | ECDSA P-256 ECDSA P-384 ECDSA P-521 RSA 2048 RSA 3072 RSA 4096 |
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| Ethernet (data) | Ethernet (data) | Data Input Data Output | LAN communications |
| Ethernet (mgmt.) | Ethernet (mgmt.) | Data Input Data Output Control Input Status Output | Remote management |
| Serial | Serial | Data Input Data Output Control Input Status Output | Console serial port management |
| Power | Power | Power | Power |
| Reset button | Reset button | Control Input | Reset |
| USB | USB | Data Input Control Input | Firmware load port |
| LED | LED | Status Output | Status indicator lighting |
| Timing interface ports: PPS and 10M GPS (ACX5448 and QFX5120 models only) | Timing interface ports: PPS and 10M GPS (ACX5448 and QFX5120 models only) | Control Input | Clock and timing signals from external devices |
The entropy source is used to seed the module’s HMAC DRBG with the minimum required 256bits of entropy. Each 512-bit block of conditioned output from the entropy source contains 448 bits of entropy. The HMAC DRBG is used for all random data required by the module, including key generation. There are no initialization procedures required by the users of the module to operate the entropy source in a compliant manner. The module complies with the ESV Public Use document of the validated entropy source (Cert. E89).
The cryptographic module implements the key generation methods listed above in the Security Functions implementation table.
The cryptographic module implements the key establishment methods listed above in the Security Functions implementation table.
The cryptographic module supports the protocols listed below. No part of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. The SSH algorithms allow independent selection of key exchange, authentication, cipher, and integrity. In reference to the supported protocols table below, each column of options for a given protocol is independent and may be used in any viable combination.
The following table maps each physical interface to one or more logical interface types defined in the FIPS 140-3 standard. The module does not have a Control Output Interface. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Strength | Strength per Minute | |
|---|---|---|---|---|
| Password authentication | User and CO authentication via SSH or consol. Minimum of 10 ASCII character passwords. | Probability of guessing: 1/(96^10) < 1/1,000,000. | SHA (LibMD) | Timed access mechanism allows max of 10 attempts / min. Probability of guessing: 10/(96^10) < 1/100,000. |
| Signature authentication | User/CO authentication via SSH | Strength of signature algorithm, minimum 112-bits. Probability of success for random attempt: 1/(2^112) < 1/1,000,000. | SigVer (SSH) | A rate of 1 CPU cycle per failed authentication for the Intel Xeon D-1518 processor (4 cores, 2.2 GHz) allows for the probability of success by brute- force attack: 60 x 4 x 2.2 x 10^9 x 1/(2^112) < 1/100,000. |
Table 12: Ports and Interfaces
The module implements two forms of role-based authentication methods, as described in the following table. Table 13: Authentication Methods Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | Password authentication Signature authentication | ||||||
| User | Monitor | Role | Password authentication Signature authentication | ||||||
| Configure Security | Security relevant configuration | Crypto Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - User-PW: W - CO-PW: W - Root-PW: W - SSH PUB: G,R,W - SSH PHK: G,R,W | SHA (Kernel) Entropy Source KeyGen (SSH) SHA (LibMD) MAC (LibMD) DRBG (Kernel) | ':fips' suffix in CLI prompt | CLI Command | Status | |||
| Configure | Non-security relevant configuration | Crypto Officer | None | None | CLI Command | Status | |||
| Show status | Show status | Crypto Officer User | None | None | None | ':fips' suffix in CLI prompt | |||
| Zeroize | Zeroize all CSPs | Crypto Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z | None | None | CLI command | None (completion indicator is implicitly provided by the |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | Password authentication Signature authentication | ||||||
| User | Monitor | Role | Password authentication Signature authentication | ||||||
| Configure Security | Security relevant configuration | Crypto Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - User-PW: W - CO-PW: W - Root-PW: W - SSH PUB: G,R,W - SSH PHK: G,R,W | SHA (Kernel) Entropy Source KeyGen (SSH) SHA (LibMD) MAC (LibMD) DRBG (Kernel) | ':fips' suffix in CLI prompt | CLI Command | Status | |||
| Configure | Non-security relevant configuration | Crypto Officer | None | None | CLI Command | Status | |||
| Show status | Show status | Crypto Officer User | None | None | None | ':fips' suffix in CLI prompt | |||
| Zeroize | Zeroize all CSPs | Crypto Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z | None | None | CLI command | None (completion indicator is implicitly provided by the | |||
| module rebooting) | - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH PHK: Z - SSH PUB: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH DH Pub (peer): Z - SSH-SEKs: Z - CO-PW: Z - Root-PW: Z - User-PW: Z - Auth-CO Pub: Z - Auth-User Pub: Z - Root-CA: Z - Package-CA: Z | module rebooting) | |||||||
| SSH connect | Initiate SSH connection for SSH monitoring and control (CLI) | Crypto Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH DH Shared Secret: G,E - SSH DH PRV: G,E - SSH DH PUB: G - SSH-SEKs: G,E - SSH DH Pub (peer): E - CO-PW: E User - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH DH Shared Secret: G,E - SSH DH PRV: G,E - SSH DH PUB: G - SSH-SEKs: G,E - SSH DH Pub | Enc/Dec (SSH) KAS-SSC (SSH) SigGen (SSH) SigVer (SSH) MAC (SSH) KAS KeyGen (SSH) KDF (SSH) Full KAS (SSH) KTS (SSH) SHA (Kernel) Entropy Source | ':fips' suffix in CLI prompt | SSH packets | SSH packets, Status | |||
| Console access | Console monitoring and control (CLI) | Crypto Officer - CO-PW: E - Root-PW: E User - User-PW: E | None | None | CLI Command | Status | |||
| Remote reset | Software initiated reset, performs self-tests on demand. | Crypto Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH-SEKs: Z - SSH DH Pub (peer): Z | None | None | CLI command | Status | |||
| Local reset | Hardware reset or power cycle | Unauthenticated - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH-SEKs: Z - SSH DH Pub (peer): Z | None | None | Main power cycle | Status | |||
| Traffic | Traffic requiring no cryptographic services | Unauthenticated | None | None | Traffic in | Traffic out | |||
| Load Image | Loading of firmware image | Crypto Officer - Root-CA: E - Package-CA: Z | Verify image | ':fips' suffix in CLI prompt | CLI Command | Status | |||
| Perform self-tests | On demand execution of all pre-operational and conditional algorithm self- tests | Crypto Officer User Unauthenticated | None | None | Local or remote reset | Status | |||
| Show module version | Show system information identifying module | Crypto Officer User | None | None | CLI command | Status |
Table 14: Roles The module supports two roles: Cryptographic Officer (CO) and User. The module supports rolebased operator authentication for assuming these roles, using methods specified in Section 4.1. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using either of the role-based The Cryptographic Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module. The User role monitors the module via the console or SSH. The user role cannot change the
G,R,W G,R,W Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Z G,E G,E
algorithm selftests Table 15: Approved Services Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
The module does not offer any non-approved services. N/A for this module.
The module includes a firmware load service that is used to install the Junos OS firmware image as part of installation of the module, as described in Section 11.1. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.
The cryptographic module implements a firmware integrity self-test that uses ECDSA P-256 with SHA2-256 to ensure the integrity of all Junos OS firmware components. The self-test is automatically run on power-up.
The firmware integrity test can be run on demand by the module’s operator by power cycling the module.
Type of Operational Environment: Non-Modifiable The module consists of hardware containing a non-modifiable operational environment as per the FIPS 140-3 definitions. It includes a firmware load service to support necessary updates. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.
There are no security rules, settings, or restrictions to the configuration of the operational environment beyond the initialization instructions to set the module in Approved mode. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Type | Description |
|---|---|---|
| RAM | Dynamic | Random Access Memory |
| Flash | Static | Internal flash memory storage drive |
| Name | Approved Functions | Type | From | To | ||
|---|---|---|---|---|---|---|
| Manual CLI entry | Plaintext | Local CO | RAM | Manual | Direct | |
| Entry via SSH | KTS (SSH) | Encrypted | Remote CO | RAM | Automated | Electronic |
| Entry via console | Plaintext | Local CO | RAM | Manual | Electronic | |
| Output via SSH | KTS (SSH) | Encrypted | RAM | Remote CO | Automated | Electronic |
| Output via console | Plaintext | RAM | Local CO | Manual | Electronic | |
| Entry as part of KAS | Full KAS (SSH) | Plaintext | Remote peer | RAM | Automated | Electronic |
| Output as part of KAS | Full KAS (SSH) | Plaintext | RAM | Remote peer | Automated | Electronic |
| Mechanism | Inspection | Inspection Guidance | ||
|---|---|---|---|---|
| Frequency | ||||
| Opaque metal enclosure | n/a | n/a |
The module’s physical embodiment meets Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. n/a n/a Table 16: Mechanisms and Actions Required
This section is not applicable, as there are currently no approved non-invasive mitigation techniques specified in ISO/IEC 19790:2012.
The table below lists the areas within the module’s cryptographic boundary where SSPs can be stored. Table 17: Storage Areas
The table below lists the method used by the module for the input and output of SSPs. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Type | From | To | ||
|---|---|---|---|---|---|
| Pre-loaded | Plaintext | Manufacturer | Flash | Manual | Direct |
| Zeroization | Description | Rationale | Operator Initiation | |
|---|---|---|---|---|
| Method | ||||
| Zeroize CLI command | This command erases all data, including all configuration information, returning the module to its factory default state The system is then rebooted. | This command erases all keys and CSPS from storage. The forced power cycle also zeroizes SSPs in volatile memory. | Yes, CO via invocation of zeroize CLI command. | |
| Reset | Zeroization of SSPs in RAM via invocation of local or remote reset service. | RAM is volatile and all data is lost when power is taken off. Zeroization is practically instantaneous. | Yes, both User and CO, via invocation of Local Reset or Remote Reset services. | |
| Explicit zeroize function | Zeroization of SSPs in memory when no longer needed. | Use of explicit zeroization function destroys SSP information immediately by overwriting memory area with zeroes. | No. The operator cannot directly initiate this method. |
Table 18: SSP Input-Output Methods The table below describes the SSP zeroization methods employed by the module. Table 19: SSP Zeroization Methods The CO can run the following commands to zeroize the approved mode SSPs: This command wipes clean all the SSPs/configs as well as the disk and install a factory default firmware image. After zeroizing the system, the module is no longer in a FIPS compliant state. Installation and configuration as per section 11.1 is required to enter the FIPS compliant state and enable the Approved mode of operation. The Cryptographic Officer must retain control of the module while zeroization is in process. Zeroization commands, as described above, and power cycling are initiated by the operator. The commands. Session termination is initiated by the operator or by environmental errors. The completion of zeroization is indicated implicitly. If the zeroization is initiated using a zeroization has successfully completed. If the zeroization is initiated by power cycling the module, then successful reboot of the module indicates that zeroization has completed successfully. In the case of zeroization initiated by session termination, SSPs are zeroized when the session terminates, and session termination is indicated in the log. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Type | Description | Strength | Generation | Establishment | |
|---|---|---|---|---|---|---|
| HMAC DRBG V value | DRBG internal state - CSP | A critical value of the internal state of DRBG | 256 - 256 | DRBG (Kernel) | DRBG (Kernel) | |
| HMAC DRBG Key value | DRB internal state - CSP | A critical value of the internal state of DRBG | 256 - 256 | DRBG (Kernel) | DRBG (Kernel) | |
| HMAC DRBG Entropy Input | Entropy source output - CSP | A critical value of the internal state of DRBG provided by entropy source | 256 - 256 | Entropy Source | DRBG (Kernel) | |
| HMAC DRBG Seed | DRBG internal state - CSP | Seed material used to seed or reseed the HMAC DRBG | 256 - 256 | DRBG (Kernel) | DRBG (Kernel) | |
| SSH DH Shared Secret | DH shared value - CSP | Shared DH value computed from the ephemeral DH key- pairs as part of SSH and used to derive session keys. | 256, 384, 521 - 128, 192, 256 | KDF (SSH) | KAS-SSC (SSH) | |
| SSH PHK | Asymmetric private key - CSP | SSH Private host key. 1st time SSH is configured, the keys are generated. | 2048, 256, 4096, 384, 521 - 112, 128, 152, 192, 256 | KeyGen (SSH) | SigGen (SSH) | |
| SSH PUB | Asymmetric public key - PSP | SSH Public Host Key | 2048, 256, 4096, 384, 521 - 112, 128, 152, 192, 256 | KeyGen (SSH) | SigVer (SSH) | |
| SSH DH PRV | Asymmetric private key - CSP | SSH KAS private key | 256, 384, 521 - 128, 192, 256 | KAS KeyGen (SSH) | KAS-SSC (SSH) Full KAS (SSH) | |
| SSH DH PUB | Asymmetric public key - PSP | SSH KAS public key | 256, 384, 521 - 128, 192, 256 | KAS KeyGen (SSH) | ||
| SSH DH Pub (peer) | Asymmetric public key - PSP | SSH KAS public key from peer | 256, 384, 521 - 128, 192, 256 | KAS-SSC (SSH) Full KAS (SSH) | ||
| SSH-SEKs | Symmetric key - CSP | SSH Session Encryption Keys | 128, 192, 256 - 128, 192, 256 | Enc/Dec (SSH) MAC (SSH) | KDF (SSH) Full KAS (SSH) | |
| CO-PW | Authentication password - CSP | Password used to authenticate the CO. | Min 10 characters - n/a | SHA (LibMD) | KTS (SSH) | |
| Root-PW | Authentication password - CSP | Password used by CO to authenticate as 'root'. | Min 10 characters - n/a | SHA (LibMD) | KTS (SSH) | |
| User-PW | Authentication password - CSP | Password used to authenticate User | Min 10 characters - n/a | SHA (LibMD) | KTS (SSH) |
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Type | Description | Strength | Establishment | Storage | Zeroization | Storage Duration | |||
|---|---|---|---|---|---|---|---|---|---|---|
| Auth-CO Pub | Asymmetric public key - PSP | SSH CO Authentication Public Key | 2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256 | SigVer (SSH) | KTS (SSH) | |||||
| Auth-User Pub | Asymmetric public key - PSP | SSH User Authentication Public Key | 2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256 | SigVer (SSH) | KTS (SSH) | |||||
| Root-CA | Asymmetric public key - PSP | X.509 Certificate used to verify the validity of the Juniper Package CA | 256, 384 - 128, 196 | Verify image | ||||||
| Package- CA | Asymmetric public key - PSP | X.509 Certificate used to verify the validity the Juniper Image at software load and also at runtime for integrity. | 256 - 128 | Verify image | ||||||
| HMAC DRBG V value | RAM:Plaintext | Zeroize CLI command Reset | Until updated by HMAC_DRBG_Update() | |||||||
| HMAC DRBG Key value | RAM:Plaintext | Zeroize CLI command Reset | Until updated by HMAC_DRBG_Update() | |||||||
| HMAC DRBG Entropy Input | RAM:Plaintext | Zeroize CLI command Reset | Until HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete | |||||||
| HMAC DRBG Seed | RAM:Plaintext | Zeroize CLI command Reset | Until HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete | |||||||
| SSH DH Shared Secret | RAM:Plaintext | Zeroize CLI command Reset Explicit zeroize function | Until SSH session termination | |||||||
| SSH PHK | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Until SSH session termination (RAM) | Entry via SSH Entry via console Output via SSH Output via console | SSH PUB:Paired With |
| Name | Type | Description | Strength | Establishment | Storage | Zeroization | Storage Duration | |||
|---|---|---|---|---|---|---|---|---|---|---|
| Auth-CO Pub | Asymmetric public key - PSP | SSH CO Authentication Public Key | 2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256 | SigVer (SSH) | KTS (SSH) | |||||
| Auth-User Pub | Asymmetric public key - PSP | SSH User Authentication Public Key | 2048, 4096, 256, 384, 521 - 112, 128, 152, 192, 256 | SigVer (SSH) | KTS (SSH) | |||||
| Root-CA | Asymmetric public key - PSP | X.509 Certificate used to verify the validity of the Juniper Package CA | 256, 384 - 128, 196 | Verify image | ||||||
| Package- CA | Asymmetric public key - PSP | X.509 Certificate used to verify the validity the Juniper Image at software load and also at runtime for integrity. | 256 - 128 | Verify image | ||||||
| HMAC DRBG V value | RAM:Plaintext | Zeroize CLI command Reset | Until updated by HMAC_DRBG_Update() | |||||||
| HMAC DRBG Key value | RAM:Plaintext | Zeroize CLI command Reset | Until updated by HMAC_DRBG_Update() | |||||||
| HMAC DRBG Entropy Input | RAM:Plaintext | Zeroize CLI command Reset | Until HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete | |||||||
| HMAC DRBG Seed | RAM:Plaintext | Zeroize CLI command Reset | Until HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete | |||||||
| SSH DH Shared Secret | RAM:Plaintext | Zeroize CLI command Reset Explicit zeroize function | Until SSH session termination | |||||||
| SSH PHK | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Until SSH session termination (RAM) | Entry via SSH Entry via console Output via SSH Output via console | SSH PUB:Paired With | |||||
| SSH PUB | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Entry via SSH Entry via console Output via SSH Output via console | SSH PHK:Paired With | ||||||
| SSH DH PRV | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | SSH DH PUB:Paired With | ||||||
| SSH DH PUB | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | Output as part of KAS | SSH DH PRV:Paired With | |||||
| SSH DH Pub (peer) | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | Entry as part of KAS | ||||||
| SSH-SEKs | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | |||||||
| CO-PW | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Manual CLI entry Entry via SSH Entry via console | |||||||
| Root-PW | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Manual CLI entry Entry via SSH Entry via console | |||||||
| User-PW | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Manual CLI entry Entry via SSH Entry via console | |||||||
| Auth-CO Pub | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Entry via SSH Entry via console Output via SSH Output via console | |||||||
| Auth-User Pub | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Entry via SSH Entry via |
PackageCA Table 20: SSP Table 1 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Storage | Zeroization | Output |
|---|---|---|---|
| Root-CA | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Pre- loaded |
| Package-CA | RAM:Plaintext Flash:Plaintext | Zeroize CLI command | Pre- loaded |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | |
|---|---|---|---|---|---|---|
| Firmware integrity check | Firmware integrity check | KAT | SW/FW Integrity | ECDSA verify | ECDSA P- 256 with SHA2-256 | PASS/FAIL console output |
| Critical functions test | Critical functions test | KAT | Critical Function | Checks that any file that is executed is registered in a manifest of executable files that comes with the firmware. Test verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file, verifying it cannot be executed. | SHA2-256 | PASS/FAIL console output |
Preloaded Preloaded Table 21: SSP Table 2
The following transitions apply to algorithms used by this module: SHA-1: The SHA-1 hash algorithm will be non-Approved for all cryptographic purposes after December 31, 2030.
On power up or reset, the module performs the pre-operational self-tests and the indicated conditional cryptographic algorithm self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. The CASTs for algorithms
Table 22: Pre-Operational Self-Tests
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|
| Entropy Source (start- up) | Entropy Source (start- up) | APT, RCT | CAST | Start-up | n/a | PASS/FAIL console output | On-power up |
| Entropy Source (continuous) | Entropy Source (continuous) | APT, RCT | CAST | Continuous | n/a | Console output / output of entropy source | Data output from noise source |
| AES-CBC (A4210) Encrypt | AES-CBC (A4210) Encrypt | KAT | CAST | Encrypt | Key size: 128, 192, 256 | PASS/FAIL console output | On power-up |
| AES-CBC (A4210) Decrypt | AES-CBC (A4210) Decrypt | KAT | CAST | Decrypt | Key size: 128, 192, 256 | PASS/FAIL console output | On power-up |
| HMAC-SHA-1 (A4210) | HMAC-SHA-1 (A4210) | KAT | CAST | MAC | Key size: 160 | PASS/FAIL console output | On power-up |
| HMAC-SHA2- 256 (A4210) | HMAC-SHA2- 256 (A4210) | KAT | CAST | MAC | Key size: 256 | PASS/FAIL console output | On power-up |
| HMAC-SHA2- 384 (A4210) | HMAC-SHA2- 384 (A4210) | KAT | CAST | MAC | Key size: 384 | PASS/FAIL console output | On power-up |
| HMAC-SHA2- 512 (A4210) | HMAC-SHA2- 512 (A4210) | KAT | CAST | MAC | Key size: 512 | PASS/FAIL console output | On power-up |
| RSA SigGen (FIPS186-4) (A4210) | RSA SigGen (FIPS186-4) (A4210) | KAT | CAST | Sign | RSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256 | PASS/FAIL console output | On power-up |
| RSA SigVer (FIPS186-4) (A4210) | RSA SigVer (FIPS186-4) (A4210) | KAT | CAST | Verify | RSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256 | PASS/FAIL console output | On power-up |
| ECDSA SigGen (FIPS186-4) (A4210) | ECDSA SigGen (FIPS186-4) (A4210) | KAT | CAST | Sign | P-256, P-384, P-521 | PASS/FAIL console output | On power-up |
| ECDSA SigGen (FIPS186-4) (A6440) | ECDSA SigGen (FIPS186-4) (A6440) | KAT | CAST | Sign | P-256, P-384, P-521 | PASS/FAIL console output | On power-up |
| ECDSA SigGen (FIPS186-4) (A4419) | ECDSA SigGen (FIPS186-4) (A4419) | KAT | CAST | Sign | P-256, P-384, P-521 | PASS/FAIL console output | On power-up |
| ECDSA SigVer (FIPS186-4) (A4210) | ECDSA SigVer (FIPS186-4) (A4210) | KAT | CAST | Verify | P-256, P-384, P-521 | PASS/FAIL console output | On power-up |
| ECDSA SigVer (FIPS186-4) (A6440) | ECDSA SigVer (FIPS186-4) (A6440) | KAT | CAST | Verify | P-256, P-384, P-521 | PASS/FAIL console output | On power-up |
| ECDSA SigVer (FIPS186-4) (A4419) | ECDSA SigVer (FIPS186-4) (A4419) | KAT | CAST | Verify | P-256, P-384, P-521 | PASS/FAIL console output | On power-up |
| KAS-ECC-SSC Sp800-56Ar3 (A4387) | KAS-ECC-SSC Sp800-56Ar3 (A4387) | KAT | CAST | ECDH Computation | P-256, P-384, P-521 | PASS/FAIL console output | On power-up |
| KDF SSH (A4347) | KDF SSH (A4347) | KAT | CAST | Key derivation Computation | SHA-1, SHA2- 256, SHA2-384 | PASS/FAIL console output | On power-up |
| RSA KeyGen (FIPS186-4) (A4210) | RSA KeyGen (FIPS186-4) (A4210) | PCT | PCT | Generation and Verification of signature | n/a | Returned key/transition soft error state | On key generation |
| ECDSA KeyGen (FIPS186-4) (A4210) | ECDSA KeyGen (FIPS186-4) (A4210) | PCT | PCT | Generation and Verification of signature | n/a | Returned key/transition soft error state | On key generation |
| ECDSA KeyGen (FIPS186-4) (A6440) | ECDSA KeyGen (FIPS186-4) (A6440) | PCT | PCT | Generation and Verification of signature | n/a | Returned key/transition soft error state | On key generation |
| ECDSA KeyGen (FIPS186-4) (A4419) | ECDSA KeyGen (FIPS186-4) (A4419) | PCT | PCT | Generation and Verification of signature | n/a | Returned key/transition soft error state | On key generation |
| ECDSA SigVer (FIPS186-4) (A6401) | ECDSA SigVer (FIPS186-4) (A6401) | KAT | CAST | Verify | P-256 | PASS/FAIL console output | On power-up |
| ECDSA SigVer (FIPS186-4) (A4211) | ECDSA SigVer (FIPS186-4) (A4211) | KAT | CAST | Verify | P-256 | PASS/FAIL console output | On power-up |
| FW Load | FW Load | KAT | SW/FW Load | Verification of ECDSA signature on FW | ECDSA P-256 with SHA2-256 | PASS/FAIL console output | On FW load |
| HMAC DRBG (A4417) | HMAC DRBG (A4417) | KAT | CAST | Instantiate, re- seed, and generate | 256, SHA2-256 | PASS/FAIL console output | On power-up |
| HMAC-SHA-1 (A4417) | HMAC-SHA-1 (A4417) | KAT | CAST | MAC | Key size: 160 | PASS/FAIL console output | On power-up |
| HMAC-SHA2- 256 (A4417) | HMAC-SHA2- 256 (A4417) | KAT | CAST | MAC | Key size: 256 | PASS/FAIL console output | On power-up |
| SHA2-384 (A4417) | SHA2-384 (A4417) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up |
| HMAC-SHA2- 256 (A4208) | HMAC-SHA2- 256 (A4208) | KAT | CAST | MAC | Key size: 256 | PASS/FAIL console output | On power-up |
| HMAC-SHA-1 (A4208) | HMAC-SHA-1 (A4208) | KAT | CAST | MAC | Key size: 256 | PASS/FAIL console output | On power-up |
| SHA2-512 (A4208) | SHA2-512 (A4208) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up |
| SHA2-512 (A3498) | SHA2-512 (A3498) | KAT | CAST | hash | n/a | PASS/FAIL console output | On power-up |
| SHA2-512 (A3330) | SHA2-512 (A3330) | KAT | CAST | hash | n/a | PASS/FAIL console output | On power-up |
| SHA2-512 (A3329) | SHA2-512 (A3329) | KAT | CAST | hash | n/a | PASS/FAIL console output | On power-up |
| Manual SSP entry | Manual SSP entry | Duplicate entry | Manual Entry | Duplicate entry | n/a | PASS/FAIL console output | On manual, direct entry of SSP |
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a Table 23: Conditional Self-Tests Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| Firmware integrity check | Firmware integrity check | KAT | SW/FW Integrity | On demand | Manually |
| Critical functions test | Critical functions test | KAT | Critical Function | On demand | Manually |
| Entropy Source (start-up) | Entropy Source (start-up) | APT, RCT | CAST | On demand | Manually |
| Entropy Source (continuous) | Entropy Source (continuous) | APT, RCT | CAST | Continuous | Automatically |
| AES-CBC (A4210) Encrypt | AES-CBC (A4210) Encrypt | KAT | CAST | On Demand | Manually |
| AES-CBC (A4210) Decrypt | AES-CBC (A4210) Decrypt | KAT | CAST | On Demand | Manually |
| HMAC-SHA-1 (A4210) | HMAC-SHA-1 (A4210) | KAT | CAST | On Demand | Manually |
| HMAC-SHA2-256 (A4210) | HMAC-SHA2-256 (A4210) | KAT | CAST | On Demand | Manually |
| HMAC-SHA2-384 (A4210) | HMAC-SHA2-384 (A4210) | KAT | CAST | On Demand | Manually |
| HMAC-SHA2-512 (A4210) | HMAC-SHA2-512 (A4210) | KAT | CAST | On Demand | Manually |
| RSA SigGen (FIPS186-4) (A4210) | RSA SigGen (FIPS186-4) (A4210) | KAT | CAST | On Demand | Manually |
| RSA SigVer (FIPS186-4) (A4210) | RSA SigVer (FIPS186-4) (A4210) | KAT | CAST | On Demand | Manually |
| ECDSA SigGen (FIPS186-4) (A4210) | ECDSA SigGen (FIPS186-4) (A4210) | KAT | CAST | On Demand | Manually |
| ECDSA SigGen (FIPS186-4) (A6440) | ECDSA SigGen (FIPS186-4) (A6440) | KAT | CAST | On Demand | Manually |
| ECDSA SigGen (FIPS186-4) (A4419) | ECDSA SigGen (FIPS186-4) (A4419) | KAT | CAST | On Demand | Manually |
| ECDSA SigVer (FIPS186-4) (A4210) | ECDSA SigVer (FIPS186-4) (A4210) | KAT | CAST | On Demand | Manually |
| ECDSA SigVer (FIPS186-4) (A6440) | ECDSA SigVer (FIPS186-4) (A6440) | KAT | CAST | On Demand | Manually |
| ECDSA SigVer (FIPS186-4) (A4419) | ECDSA SigVer (FIPS186-4) (A4419) | KAT | CAST | On Demand | Manually |
| KAS-ECC-SSC Sp800-56Ar3 (A4387) | KAS-ECC-SSC Sp800-56Ar3 (A4387) | KAT | CAST | On Demand | Manually |
| KDF SSH (A4347) | KDF SSH (A4347) | KAT | CAST | On Demand | Manually |
| RSA KeyGen (FIPS186-4) (A4210) | RSA KeyGen (FIPS186-4) (A4210) | PCT | PCT | On trigger condition | Automatic |
| ECDSA KeyGen (FIPS186-4) (A4210) | ECDSA KeyGen (FIPS186-4) (A4210) | PCT | PCT | On trigger condition | Automatic |
| ECDSA KeyGen (FIPS186-4) (A6440) | ECDSA KeyGen (FIPS186-4) (A6440) | PCT | PCT | On trigger condition | Automatic |
| ECDSA KeyGen (FIPS186-4) (A4419) | ECDSA KeyGen (FIPS186-4) (A4419) | PCT | PCT | On trigger condition | Automatic |
| ECDSA SigVer (FIPS186-4) (A6401) | ECDSA SigVer (FIPS186-4) (A6401) | KAT | CAST | On Demand | Manually |
| ECDSA SigVer (FIPS186-4) (A4211) | ECDSA SigVer (FIPS186-4) (A4211) | KAT | CAST | On Demand | Manually |
| FW Load | FW Load | KAT | SW/FW Load | On FW load request | Automatic |
| HMAC DRBG (A4417) | HMAC DRBG (A4417) | KAT | CAST | On Demand | Manually |
| HMAC-SHA-1 (A4417) | HMAC-SHA-1 (A4417) | KAT | CAST | On Demand | Manually |
| HMAC-SHA2-256 (A4417) | HMAC-SHA2-256 (A4417) | KAT | CAST | On Demand | Manually |
| SHA2-384 (A4417) | SHA2-384 (A4417) | KAT | CAST | On Demand | Manually |
| HMAC-SHA2-256 (A4208) | HMAC-SHA2-256 (A4208) | KAT | CAST | On Demand | Manually |
| HMAC-SHA-1 (A4208) | HMAC-SHA-1 (A4208) | KAT | CAST | On Demand | Manually |
| SHA2-512 (A4208) | SHA2-512 (A4208) | KAT | CAST | On Demand | Manually |
| SHA2-512 (A3498) | SHA2-512 (A3498) | KAT | CAST | On demand | Manually |
| SHA2-512 (A3330) | SHA2-512 (A3330) | KAT | CAST | On demand | Manually |
| SHA2-512 (A3329) | SHA2-512 (A3329) | KAT | CAST | On demand | Manually |
| Manual SSP entry | Manual SSP entry | Duplicate entry | Manual Entry | On condition trigger | Automatic |
The module does not implement periodic self-testing. Table 24: Pre-Operational Periodic Information Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Critical Failure State | The cryptographic module ceases to perform cryptographic operations, inhibits all data output, and provides status of the error via syslog messages and console status output | On any power-up self-test error | Console status indicator | Power cycle |
| Soft Error State | A non-critical self-test failure occurs, causing a failure of the triggering operation | PCT, firmware load test, continuous entropy health test failure | Console displays error | The module processes the error, and resumes normal operation |
Table 25: Conditional Periodic Information
Table 26: Error States execution to halt. The only way to exit from this state is to reboot the module, which causes the self-tests to be repeated and pass successfully before the corresponding algorithms are usable.
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Self–tests that are performed at power-up are available on demand by power cycling the module.
Before installation of module firmware, CO must first zeroize any module SSPs by following the instructions in Section 9.3. Once zeroization is complete, the CO must install the JUNOS firmware image on the device using the following CLI command: CO@host> request system software add /<image-path>/<image-filename> no-copy no-validate reboot. The image-filenames for the validated firmware are as follows: • EX series: jinstall-host-ex-4e-x86-64-22.3R2-S1.7-secure-signed.tgz • QFX series: jinstall-host-qfx-5e-x86-64-22.3R2-S1.7-secure-signed.tgz • MX series: junos-vmhost-install-mx-x86-64-22.3R2-S1.7.tgz • ACX series: junos-vmhost-install-acx-x86-64-22.3R2-S1.7.tgz Next, the CO shall proceed as follows:
The Cryptographic Officer is the person responsible for enabling, configuring, monitoring, and maintaining the module in approved mode. The Cryptographic Officer securely installs Junos OS on the device, enables the approved mode of operation, establishes keys and passwords for other users and software modules, and initializes the device before network connection. The Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Cryptographic Officer can configure and monitor the module through a console or SSH connection.
No specific non-administrator guidance is required to operate the module.
The module design implements the following security rules:
The following are requirements for compliant usage of the module:
No special maintenance requirements are required.
When disposing of the cryptographic module, the cryptographic officer shall perform the zeroize command as described in Section 9.3. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
The module does not implement mechanisms to mitigate other attacks beyond what is described in this security policy. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy