| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/14/2031 |
| Caveat | When installed, initialized and configured as specified in Section 11.1 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs |
| Vendor | Juniper Networks |
flowchart LR
%% Deterministic review-risk graph for Juniper Networks EX, QFX and ACX Series with MACsec
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Firmware load<br/>Recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Unauthenticated</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>library named: openssl</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Juniper Networks EX, QFX and ACX Series with MACsec
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Firmware load<br/>Recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Unauthenticated</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Juniper Networks Juniper Networks EX, QFX and ACX Series with MACsec Version: Junos OS 22.3R2-S1 Prepared for: Juniper Networks, Inc.
www.juniper.net Prepared by: www.teronlabs.com
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Hardware | 10 |
| Table 3: Modes List and Description | 11 |
| Table 4: Approved Algorithms - OpenSSL 1.0.2 | 12 |
| Table 5: Approved Algorithms - MACsec | 12 |
| Table 6: Approved Algorithms - MACsec PHY | 13 |
| Table 7: Approved Algorithms - OpenSSL 1.1.1 | 13 |
| Table 8: Approved Algorithms - Kernel | 13 |
| Table 9: Approved Algorithms - LibMD | 13 |
| Table 10: Vendor-Affirmed Algorithms | 14 |
| Table 11: Security Function Implementations | 16 |
| Table 12: Entropy Certificates | 17 |
| Table 13: Entropy Sources | 17 |
| Table 14: Ports and Interfaces | 19 |
| Table 15: Authentication Methods | 19 |
| Table 16: Roles | 19 |
| Table 17: Approved Services | 23 |
| Table 18: Mechanisms and Actions Required | 24 |
| Table 19: Storage Areas | 25 |
| Table 20: SSP Input-Output Methods | 25 |
| Table 21: SSP Zeroization Methods | 25 |
| Table 22: SSP Table 1 | 27 |
| Table 23: SSP Table 2 | 30 |
| Table 24: Pre-Operational Self-Tests | 30 |
| Table 25: Conditional Self-Tests | 33 |
| Table 26: Pre-Operational Periodic Information | 33 |
| Table 27: Conditional Periodic Information | 35 |
| Table 28: Error States | 35 |
| Figure 1 – EX4400-24P Ethernet switch (front) | 7 |
| Figure 2 –EX4400-24P Ethernet switch (rear) | 7 |
| Figure 3 –EX4400-24T Ethernet switch (front) | 7 |
| Figure 4 – EX4400-24T Ethernet switch (rear) | 8 |
| Figure 5 – EX4400-48T Ethernet switch (front) | 8 |
| Figure 6 – EX4400-48T Ethernet switch (rear) | 8 |
| Figure 7 – EX4400-48P Ethernet switch (front) | 8 |
| Figure 8 – EX4400-48P Ethernet switch (rear) | 8 |
| Figure 9 – EX4400-48F Ethernet switch (front) | 8 |
| Figure 10 – EX4400-48F Ethernet switch (rear) | 8 |
| Figure 11 – EX4400-24MP Ethernet switch (front) | 9 |
| Figure 12 – EX4400-24MP Ethernet switch (rear) | 9 |
| Figure 13 – EX4400-48MP Ethernet switch (front) | 9 |
| Figure 14 – EX4400-48MP Ethernet switch (rear) | 9 |
This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks EX, QFX and ACX series network devices running Junos OS 22.3R2-S1.
The cryptographic module is designed to meet FIPS 140-3 Level 1 overall. The table below shows the security levels claimed for each section of the security requirements. Section Title Security Level
Overall Level 1 Table 1: Security Levels
Purpose and Use: The following models are included in this validation and provide network switching and routing functionality:
The cryptographic module runs Junos OS, Juniper’s reliable, high-performance, modular network operating system that is supported across all of Juniper’s physical and virtual routing, switching, and security platforms. The cryptographic module provides for an encrypted connection, using SSH, between the management station and the module. The cryptographic modules also provide for an encrypted connection, using MACsec, between devices. All other data input or output from the modules are considered plaintext for this FIPS 140-3 validation. Module Type: The cryptographic module is a Hardware cryptographic module. Module Embodiment: The cryptographic module is defined as a MultiChipStand module that executes Junos OS 22.3R2-S1 firmware on any of the identified Juniper Networks devices. Module Characteristics: There are no additional characteristics relevant to this module. Cryptographic Boundary: The cryptographic boundary encompasses the entire Tested Operational Environment Physical Perimeter (TOEPP), which is defined as the outer edge of the chassis. The chassis is a rigid sheetmetal structure that houses all components of the device. The cryptographic module is FIPS-compliant when installed and configured with Junos OS 22.3R2-S1 validated firmware as specified in section 11.1. The physical form of the module is depicted in Figure 1 to Figure 18. Figure 1
Figure 4
Figure 11
Figure 18
Tested Module Identification
Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A There are no vendor-affirmed operational environments claimed.
No components are excluded from the requirements of FIPS PUB 140-3.
The module supports an Approved mode only. The module enters Approved mode as a result of successful installation, initialization and configuration steps described in section 11. Until these procedures have been followed, the module is non-compliant. Mode Description Type Status Indicator Name Approved Approved mode of operation. Approved Suffix string ":fips" in the cli prompt Table 3: Modes List and Description
Approved Algorithms: Although the module may have been tested for additional algorithms or modes, only those listed below are utilized by the module. OpenSSL 1.0.2 Algorithm CAVP Cert Properties Reference AES-CBC A4210 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CTR A4210 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 ECDSA KeyGen A4210 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A6440 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A4210 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A6440 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A4210 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 ECDSA SigGen A6440 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 ECDSA SigVer A4210 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-256, SHA2-384, SHA2-512
Algorithm CAVP Cert Properties Reference ECDSA SigVer A6440 Component - No FIPS 186-4 (FIPS186-4) Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 HMAC-SHA-1 A4210 Key Length - Key Length: 160 FIPS 198-1 HMAC-SHA2-256 A4210 Key Length - Key Length: 256 FIPS 198-1 HMAC-SHA2-512 A4210 Key Length - Key Length: 512 FIPS 198-1 KAS-ECC-SSC Sp800- A4387 Domain Parameter Generation Methods - P-256, P- SP 800-56A Rev. 56Ar3 384, P-521 3 Scheme ephemeralUnified KAS Role - initiator, responder KDF SSH (CVL) A4347 Cipher - AES-128, AES-192, AES-256 SP 800-135 Rev. Hash Algorithm - SHA-1, SHA2-256, SHA2-384, 1 SHA2-512 RSA KeyGen (FIPS186- A4210 Key Generation Mode - B.3.3 FIPS 186-4
Algorithm CAVP Cert Properties Reference AES-GCM AES 4550 Direction - Decrypt, Encrypt SP 800-38D Key Length - 128, 256 AES-GCM C1869 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 256 AES-GCM C996 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External Key Length - 128, 256 Table 6: Approved Algorithms - MACsec PHY OpenSSL 1.1.1 Algorithm CAVP Cert Properties Reference ECDSA SigVer (FIPS186- A4211 Curve - P-256, P-384, P-521 FIPS 186-4
Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG Key Junos 22.3R2-S1 - OpenSSL SP 800-133 Rev.2 Section 4, example 1 direct type:Asymmetric 1.0.2 output from DRBG. Table 10: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.
The module implements the security functions listed in the following table. Name Type Description Properties Algorithms Enc/Dec (SSH) BC-UnAuth Unauthenticated AES-CBC: (A4210) encryption for SSH AES-CTR: (A4210) KAS-SSC (SSH) KAS-SSC Key Agreement KAS-ECC-SSC Scheme Shared Sp800-56Ar3: Secret Computation (A4387) for SSH KeyGen (SSH) AsymKeyPair- Key Generation ECDSA KeyGen KeyGen used for SSH (FIPS186-4): authentication keys (A4210, A6440) ECDSA KeyVer (FIPS186-4): (A4210, A6440) RSA KeyGen (FIPS186-4): (A4210) HMAC DRBG: (A4417) CKG: () SigGen (SSH) DigSig-SigGen Signature ECDSA SigGen Generation for peer (FIPS186-4): authentication in (A4210, A6440) SSH RSA SigGen (FIPS186-4): (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210)
Name Type Description Properties Algorithms SigVer (SSH) DigSig-SigVer Signature ECDSA SigVer Verification for peer (FIPS186-4): authentication in (A4210, A6440) SSH RSA SigVer (FIPS186-4): (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) MAC (SSH) MAC Message HMAC-SHA-1: authentication for (A4210) SSH HMAC-SHA2-256: (A4210) HMAC-SHA2-512: (A4210) SHA-1: (A4210) SHA2-256: (A4210) SHA2-512: (A4210) KAS KeyGen (SSH) KAS-KeyGen Key Generation for ECDSA KeyGen Key Agreement in (FIPS186-4): SSH (A4210) ECDSA KeyVer (FIPS186-4): (A4210) CKG: () HMAC DRBG: (A4417) KDF (SSH) KAS-135KDF Key derivation KDF SSH: (A4347) function for SSH SHA-1: (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) Full KAS (SSH) KAS-Full Full Key Agreement ECDSA KeyGen for SSH (FIPS186-4): (A4210, A6440) ECDSA KeyVer (FIPS186-4): (A4210, A6440) KAS-ECC-SSC Sp800-56Ar3: (A4387) SHA-1: (A4210) SHA2-256: (A4210) SHA2-384: (A4210) SHA2-512: (A4210) KDF SSH: (A4347) KTS (SSH) KTS-Wrap Key transport using KTS:128, 256, 384, AES-CBC: (A4210) SSH as per IG D.G 521, 2048, 3072, AES-CTR: (A4210) provisions 4096 bit keys HMAC-SHA-1: provide between (A4210)
encryption strength (A4210) HMAC-SHA2-512: (A4210) SHA (LibMD) SHA Message Digest SHA-1: (A4208) Generation SHA2-256: (A4208) SHA2-512: (A4208)
Name Type Description Properties Algorithms MAC (LibMD) MAC Message HMAC-SHA-1: Authentication (A4208) HMAC-SHA2-256: (A4208) SHA-1: (A4208) SHA2-256: (A4208) DRBG (Kernel) DRBG Random Bit HMAC DRBG: Generation (A4417) HMAC-SHA2-256: (A4417) SHA2-256: (A4417) SHA (Kernel) SHA Entropy source SHA2-512: (A3355, conditioning A3498, A3330) component Verify image DigSig-SigVer Verification of ECDSA SigVer firmware image (FIPS186-4): (A4211, A6401) SHA2-256: (A4211) Key derivation KAS-56CKDF Derivation of KDF SP800-108: (MACsec) MACsec MKA keys (A4416) AES-CBC: (A4416) AES-CMAC: (A4416) Key wrap (MACsec) KTS-Wrap Distribution of KTS:128 and 256 bit AES-KW: (A4416) MACsec SAKs keys provide between 128 and
encryption strength Enc/Dec (MACsec) BC-Auth Encryption and AES-GCM: (AES decryption of 3969, AES 4544, MACsec data AES 4545, AES 4550, C1869, C996) Integrity (MACsec) MAC MACsec protocol AES-CMAC: (A4416) data integrity protection Entropy Source ENT-ESV Entropy source SHA2-512: (A3355, A3498, A3330) Table 11: Security Function Implementations
In reference to the MACsec protocol, the modules can take on the role of Peer or Authenticator. The AES GCM IV construction is performed in compliance with IG C.H scenario 1c (MACsec per IEEE 802.1AE and its amendments). The module includes ECDSA algorithms that have been validated using FIPS 186-4 CAVP tests, which are mathematically identical to FIPS 186-5 CAVP tests. Per IG C.K, all RSA and ECDSA algorithms implemented by the module are claimed compliant with FIPS 186-5. The module complies with IG C.F. RSA Key Generation, Signature Generation and Signature Verification have been tested and validated using CAVP testing for all implemented modulus lengths (2048, 3072 and 4096 bits). The number of Miller-Rabin tests used for primality testing as part of RSA Key Generation is consistent with Table C.3.
The module implements the following Approved key agreement methods which have been CAVP tested and validated: ⦁ KAS-ECC per SP 800-56A Rev. 3 (FIPS 140-3 IG D.F Scenario 2, path 2). The module obtains the FIPS 140-3 IG D.F required key agreement assurances in accordance with Section 5.6.2 of SP800-56A Rev. 3. All the key agreement protocols implemented by the module are Diffie-Hellman based.
The tables below indicate the entropy source used by the module and their associated certificates. Cert Vendor Name Number E89 Juniper Networks Table 12: Entropy Certificates Name Type Operational Sample Entropy Conditioning Environment Size per Component Sample EX4400 - Junos OS 22.3 Entropy Non- Intel Atom 512 bits 448 bits A3355 (SHA2Source (E89) Physical C3558R 512) QFX5120-48YM - Junos OS 22.3 Non- Intel Xeon D- 512 bits 448 bits A3498 (SHA2Entropy Source (E89) Physical 1627 512) ACX5448-M - Junos OS 22.3 Entropy Non- Intel Xeon D- 512 bits 448 bits A3330 (SHA2Source (E89) Physical 1528 512) Table 13: Entropy Sources The entropy source is used to seed the module’s HMAC DRBG with the minimum required 256bits of entropy. Each 512-bit block of conditioned output from the entropy source contains 448 bits of entropy. The HMAC DRBG is used for all random data required by the module, including key generation. There are no initialization procedures required by the users of the module to operate the entropy source in a compliant manner. The module complies with the ESV Public Use document of the validated entropy source (Cert. E89).
The cryptographic module implements the key generation methods listed above in the Security Functions implementation table.
The cryptographic module implements the key establishment methods listed above in the Security Functions implementation table.
The cryptographic module supports the protocols listed below. No part of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. The SSH algorithms allow independent selection of key exchange, authentication, cipher, and integrity. In reference to the supported protocols table below, each column of options for a given protocol is independent and may be used in any viable combination. Protocol Key Exchange Auth Cipher Integrity ECDSA P-256 ECDSA P-384 AES CBC EC Diffie-Hellman P-256 HMAC-SHA-1 ECDSA P-521 128/192/256 SSHv2 EC Diffie-Hellman P-384 HMAC-SHA2-256 RSA 2048 AES CTR EC Diffie-Hellman P-521 HMAC-SHA2-512 RSA 3072 128/192/256 RSA 4096 MACsec Key Agreement (SP800-108 KDF, AES-GCM-128 MACsec Shared secret AES-CMAC-128/256, AES-KW 128/256) AES-GCM-256
The following table maps each physical interface to one or more logical interface types defined in the FIPS 140-3 standard. The module does not have a Control Output Interface. Physical Port Logical Data That Passes Interface(s) Ethernet (data) Data Input LAN communications Data Output Control Input Status Output Ethernet (mgmt.) Data Input Remote management Data Output Control Input Status Output Serial Data Input Console serial port management Data Output Control Input Status Output Power Power Power Reset button Control Input Reset USB Data Input Firmware load port Control Input
Physical Port Logical Data That Passes Interface(s) LED Status Status indicator lighting Output SFP28 (EX4400 only) Data Input Virtual chassis ports Data Output Control Input Status Output Timing interface ports: PPS and 10M GPS (ACX5448 and Control Input Clock and timing signals from QFX5120 models only) external devices Table 14: Ports and Interfaces
The module implements two forms of role-based authentication methods, as described in the following table. Method Description Security Strength Each Strength per Minute Name Mechanism Attempt Password User and CO SHA Probability of Timed access mechanism authentication authentication via (LibMD) guessing: 1/(96^10) < allows max of 10 attempts / SSH or consol. 1/1,000,000. min. Probability of guessing: Minimum of 10 10/(96^10) < 1/100,000. ASCII character passwords. Signature User/CO SigVer (SSH) Strength of signature A rate of 1 CPU cycle per failed authentication authentication via algorithm, minimum authentication for the Intel SSH 112-bits. Probability Xeon D-1627 processor (4 of success for random cores, 2.9 GHz) allows for the attempt: 1/(2^112) < probability of success by brute1/1,000,000. force attack: 60 x 4 x 2.9 x 10^9 x 1/(2^112) < 1/100,000. Table 15: Authentication Methods
Name Type Operator Type Authentication Methods Crypto Officer Role CO Password authentication Signature authentication User Role Monitor Password authentication Signature authentication Table 16: Roles The module supports two roles: Cryptographic Officer (CO) and User. The module supports rolebased operator authentication for assuming these roles, using methods specified in Section 4.1.
The module supports concurrent operators but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using either of the role-based operator authentication methods in Section 4.1. The Cryptographic Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module. The User role monitors the module via the console or SSH. The user role cannot change the configuration.
Name Description Indicator Inputs Outputs Security SSP Access Functions Configure Security relevant ':fips' CLI Command Status SHA Crypto Officer Security configuration suffix in (Kernel) - HMAC DRBG V CLI Entropy value: E prompt Source - HMAC DRBG KeyGen Key value: E (SSH) - HMAC DRBG SHA Entropy Input: E (LibMD) - HMAC DRBG MAC Seed: E (LibMD) - User-PW: W DRBG - CO-PW: W (Kernel) - Root-PW: W - SSH PUB: G,R,W - SSH PHK: G,R,W - MACsec CAK: W - MACsec CKN: R,W Configure Non-security None CLI Command Status None Crypto Officer relevant configuration Secure MACsec ':fips' MACsec traffic MACsec traffic Key wrap Crypto Officer Traffic encrypted suffix in frames frames (MACsec) - MACsec KEK: transfer of data, CLI Enc/Dec G,E distribution of prompt (MACsec) - MACsec SAK: keys Integrity G,E (MACsec) - MACsec ICK: G,E Show Show status None None ':fips' suffix in None Crypto Officer status CLI prompt User Zeroize Zeroize all CSPs None CLI command None None Crypto Officer (completion - HMAC DRBG V indicator is value: Z implicitly - HMAC DRBG provided by Key value: Z the module - HMAC DRBG rebooting) Entropy Input: Z - HMAC DRBG
Name Description Indicator Inputs Outputs Security SSP Access Functions Seed: Z - SSH DH Shared Secret: Z - SSH PHK: Z - SSH PUB: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH DH Pub (peer): Z - SSH-SEKs: Z - CO-PW: Z - Root-PW: Z - User-PW: Z - Auth-CO Pub: Z - Auth-User Pub: Z - Root-CA: Z - Package-CA: Z - MACsec CAK: Z - MACsec CKN: Z - MACsec SAK: Z - MACsec KEK: Z - MACsec ICK: Z SSH Initiate SSH ':fips' SSH packets SSH packets, Enc/Dec Crypto Officer connect connection for suffix in Status (SSH) - HMAC DRBG V SSH monitoring CLI KAS-SSC value: E and control (CLI) prompt (SSH) - HMAC DRBG SigGen Key value: E (SSH) - HMAC DRBG SigVer Entropy Input: E (SSH) - HMAC DRBG MAC (SSH) Seed: E KAS - SSH DH Shared KeyGen Secret: G,E (SSH) - SSH DH PRV: KDF (SSH) G,E Full KAS - SSH DH PUB: G (SSH) - SSH-SEKs: G,E KTS (SSH) - SSH DH Pub SHA (peer): E (Kernel) - CO-PW: E Entropy User Source - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH DH Shared Secret: G,E - SSH DH PRV: G,E - SSH DH PUB: G
Name Description Indicator Inputs Outputs Security SSP Access Functions - SSH-SEKs: G,E - SSH DH Pub (peer): E - User-PW: E MACsec Initiate MACsec ':fips' MACsec link MACsec Key Crypto Officer connect connection suffix in configuration, frames, Status derivation - MACsec ICK: E CLI CKN, CAK (MACsec) - MACsec SAK: prompt Key wrap E,W,R (MACsec) - MACsec KEK: E Enc/Dec (MACsec) Integrity (MACsec) Console Console None CLI Command Status None Crypto Officer access monitoring and - CO-PW: E control (CLI) - Root-PW: E User - User-PW: E Remote Software None CLI command Status None Crypto Officer reset initiated reset, - HMAC DRBG V performs self- value: Z tests on demand. - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH-SEKs: Z - SSH DH Pub (peer): Z - MACsec SAK: Z - MACsec KEK: Z - MACsec ICK: Z Local Hardware reset None Main power Status None Unauthenticated reset or power cycle cycle - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH DH Shared Secret: Z - SSH DH PRV: Z - SSH DH PUB: Z - SSH-SEKs: Z - SSH DH Pub (peer): Z - MACsec SAK: Z - MACsec KEK: Z - MACsec ICK: Z
Name Description Indicator Inputs Outputs Security SSP Access Functions Traffic Traffic requiring None Traffic in Traffic out None Unauthenticated no cryptographic services Load Loading of ':fips' CLI Command Status Verify Crypto Officer Image firmware image suffix in image - Root-CA: E CLI - Package-CA: Z prompt Perform On demand None Local or Status None Crypto Officer self-test execution of all remote reset User pre-operational Unauthenticated and conditional algorithm selftests Show Show system None CLI command Status None Crypto Officer module information User version identifying module Table 17: Approved Services
The module does not offer any non-approved services. N/A for this module.
The module includes a firmware load service that is used to install the Junos OS firmware image as part of installation of the module, as described in Section 11.1. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.
The cryptographic module implements a firmware integrity self-test that uses ECDSA P-256 with SHA2-256 to ensure the integrity of all Junos OS firmware components. The self-test is automatically run on power-up.
The firmware integrity test can be run on demand by the module’s operator by power cycling the module.
Type of Operational Environment: Non-Modifiable The module consists of hardware containing a non-modifiable operational environment as per the FIPS 140-3 definitions. It includes a firmware load service to support necessary updates. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.
There are no security rules, settings, or restrictions to the configuration of the operational environment beyond the initialization instructions to set the module in Approved mode.
The module’s physical embodiment meets Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Mechanism Inspection Inspection Frequency Guidance Opaque metal enclosure n/a n/a Table 18: Mechanisms and Actions Required
This section is not applicable, as there are currently no approved non-invasive mitigation techniques specified in ISO/IEC 19790:2012.
The table below lists the areas within the module’s cryptographic boundary where SSPs can be stored. Storage Description Persistence Area Type Name RAM Random Access Memory Dynamic Flash Internal flash memory storage drive Static
The table below lists the method used by the module for the input and output of SSPs. Name From To Format Distribution Entry SFI or Type Type Type Algorithm Manual CLI entry Local CO RAM Plaintext Manual Direct Entry via SSH Remote CO RAM Encrypted Automated Electronic KTS (SSH) Entry via console Local CO RAM Plaintext Manual Electronic Output via SSH RAM Remote CO Encrypted Automated Electronic KTS (SSH) Output via console RAM Local CO Plaintext Manual Electronic Entry as part of KAS Remote peer RAM Plaintext Automated Electronic Full KAS (SSH) Output as part of KAS RAM Remote Plaintext Automated Electronic Full KAS (SSH) peer Pre-loaded Manufacturer Flash Plaintext Manual Direct MACsec Key Remote RAM Encrypted Automated Electronic Key wrap Agreement Input device (MACsec) MACsec Key RAM Remote Encrypted Automated Electronic Key wrap Agreement Output device (MACsec) Table 20: SSP Input-Output Methods
The table below describes the SSP zeroization methods employed by the module. Zeroization Description Rationale Operator Initiation Method Zeroize CLI This command erases all data, This command erases all keys Yes, CO via invocation command including all configuration and CSPS from storage. The of zeroize CLI information, returning the module to forced power cycle also zeroizes command. its factory default state The system SSPs in volatile memory. is then rebooted. Reset Zeroization of SSPs in RAM via RAM is volatile and all data is Yes, both User and invocation of local or remote reset lost when power is taken off. CO, via invocation of service. Zeroization is practically Local Reset or Remote instantaneous. Reset services. Explicit Zeroization of SSPs in memory when Use of explicit zeroization No. The operator zeroize no longer needed. function destroys SSP cannot directly initiate function information immediately by this method. overwriting memory area with zeroes. Table 21: SSP Zeroization Methods The Zeroize CLI command method is detailed in section 11.2.3. The completion of zeroization is indicated implicitly. If the zeroization is initiated using a zeroization command or explicit delete command, completion of the command indicates that zeroization has successfully completed. If the zeroization is initiated by power cycling the
module, then successful reboot of the module indicates that zeroization has completed successfully. In the case of zeroization initiated by session termination, SSPs are zeroized when the session terminates, and session termination is indicated in the log.
All SSPs used by the module are described in this section. Name Description Size - Type - Generated Established Used By Strength Category By By HMAC A critical value of the 256 - 256 DRBG internal DRBG DRBG DRBG V internal state of state - CSP (Kernel) (Kernel) value DRBG HMAC A critical value of the 256 - 256 DRB internal DRBG DRBG DRBG internal state of state - CSP (Kernel) (Kernel) Key value DRBG HMAC A critical value of the 256 - 256 Entropy source Entropy DRBG DRBG internal state of output - CSP Source (Kernel) Entropy DRBG provided by Input entropy source HMAC Seed material used to 256 - 256 DRBG internal DRBG DRBG DRBG seed or reseed the state - CSP (Kernel) (Kernel) Seed HMAC DRBG SSH DH Shared DH value 256, 384, 521 DH shared KAS-SSC KDF Shared computed from the - 128, 192, value - CSP (SSH) (SSH) Secret ephemeral DH key- 256 pairs as part of SSH and used to derive session keys. SSH PHK SSH Private host key. 2048, 256, Asymmetric KeyGen SigGen 1st time SSH is 4096, 384, private key - (SSH) (SSH) configured, the keys 521 - 112, CSP are generated. 128, 152, 192, SSH PUB SSH Public Host Key 2048, 256, Asymmetric KeyGen SigVer 4096, 384, public key - (SSH) (SSH)
128, 152, 192, SSH DH SSH KAS private key 256, 384, 521 Asymmetric KAS KAS-SSC PRV - 128, 192, private key - KeyGen (SSH)
(SSH) SSH DH SSH KAS public key 256, 384, 521 Asymmetric KAS PUB - 128, 192, public key - KeyGen
SSH DH SSH KAS public key 256, 384, 521 Asymmetric KAS-SSC Pub from peer - 128, 192, public key - (SSH) (peer) 256 PSP Full KAS (SSH) SSH-SEKs SSH Session 128, 192, 256 Symmetric key KDF (SSH) Enc/Dec Encryption Keys - 128, 192, - CSP Full KAS (SSH)
Name Description Size - Type - Generated Established Used By Strength Category By By CO-PW Password used to Min 10 Authentication KTS (SSH) SHA authenticate the CO. characters - password - CSP (LibMD) n/a Root-PW Password used by CO Min 10 Authentication KTS (SSH) SHA to authenticate as characters - password - CSP (LibMD) 'root'. n/a User-PW Password used to Min 10 Authentication KTS (SSH) SHA authenticate User characters - password - CSP (LibMD) n/a Auth-CO SSH CO 2048, 4096, Asymmetric KTS (SSH) SigVer Pub Authentication Public 256, 384, 521 public key - (SSH) Key - 112, 128, PSP 152, 192, 256 Auth- SSH User 2048, 4096, Asymmetric KTS (SSH) SigVer User Pub Authentication Public 256, 384, 521 public key - (SSH) Key - 112, 128, PSP 152, 192, 256 Root-CA X.509 Certificate 256, 384 - Asymmetric Verify used to verify the 128, 196 public key - image validity of the Juniper PSP Package CA Package- X.509 Certificate 256 - 128 Asymmetric Verify CA used to verify the public key - image validity the Juniper PSP Image at software load and also at runtime for integrity. MACsec Externally generated 32 (hex) Symmetric key CAK pre-shared key characters for - CSP entered when 128-bit AES MACsec static keys, 64 (hex) connectivity characters for association key (CAK) 256-bit AES security mode is keys - 128, enabled. 256 MACsec Externally generated 64 characters Identifier - PSP CKN pre-shared key used - n/a to identify the CAK (64 characters) MACsec Security Association 128, 256 - Symmetric key Key Key wrap Enc/Dec SAK Key used to 128, 256 - CSP derivation (MACsec) (MACsec) encrypt/decrypt (MACsec) traffic for a given session MACsec Key Encryption Key 128, 256 - Symmetric key Key Key wrap KEK used to transmit SAK 128, 256 - CSP derivation (MACsec) to other members of a (MACsec) MACsec connectivity association MACsec Integrity Check Key 128, 256 - Symmetric key Key Integrity ICK used to verify the 128, 256 - CSP derivation (MACsec) integrity and (MACsec) authenticity of MPDUs. Table 22: SSP Table 1
Name Input - Storage Storage Duration Zeroization Related Output SSPs HMAC RAM:Plaintext Until updated by Zeroize CLI DRBG V HMAC_DRBG_Update() command value Reset HMAC RAM:Plaintext Until updated by Zeroize CLI DRBG Key HMAC_DRBG_Update() command value Reset HMAC RAM:Plaintext Until Zeroize CLI DRBG HMAC_Instantiate_Update() or command Entropy HMAC_DRBG_Reseed() Reset Input complete HMAC RAM:Plaintext Until Zeroize CLI DRBG HMAC_Instantiate_Update() or command Seed HMAC_DRBG_Reseed() Reset complete SSH DH RAM:Plaintext Until SSH session termination Zeroize CLI Shared command Secret Reset Explicit zeroize function SSH PHK Entry via RAM:Plaintext Until SSH session termination Zeroize CLI SSH SSH Flash:Plaintext (RAM) command PUB:Paired Entry via With console Output via SSH Output via console SSH PUB Entry via RAM:Plaintext Zeroize CLI SSH SSH Flash:Plaintext command PHK:Paired Entry via With console Output via SSH Output via console SSH DH RAM:Plaintext Until SSH session termination Reset SSH DH PRV Explicit PUB:Paired zeroize With function SSH DH Output as RAM:Plaintext Until SSH session termination Reset SSH DH PUB part of KAS Explicit PRV:Paired zeroize With function SSH DH Entry as part RAM:Plaintext Until SSH session termination Reset Pub (peer) of KAS Explicit zeroize function SSH-SEKs RAM:Plaintext Until SSH session termination Reset Explicit zeroize function
Name Input - Storage Storage Duration Zeroization Related Output SSPs CO-PW Manual CLI RAM:Plaintext Zeroize CLI entry Flash:Plaintext command Entry via SSH Entry via console Root-PW Manual CLI RAM:Plaintext Zeroize CLI entry Flash:Plaintext command Entry via SSH Entry via console User-PW Manual CLI RAM:Plaintext Zeroize CLI entry Flash:Plaintext command Entry via SSH Entry via console Auth-CO Entry via RAM:Plaintext Zeroize CLI Pub SSH Flash:Plaintext command Entry via console Output via SSH Output via console Auth-User Entry via RAM:Plaintext Zeroize CLI Pub SSH Flash:Plaintext command Entry via console Output via SSH Output via console Root-CA Pre-loaded RAM:Plaintext Zeroize CLI Flash:Plaintext command Package- Pre-loaded RAM:Plaintext Zeroize CLI CA Flash:Plaintext command MACsec Entry via RAM:Plaintext Zeroize CLI CAK SSH Flash:Obfuscated command Entry via console MACsec Entry via RAM:Plaintext Zeroize CLI CKN SSH Flash:Obfuscated command Entry via console MACsec MACsec Key RAM:Plaintext Zeroize CLI SAK Agreement command Input Reset MACsec Key Agreement Output MACsec RAM:Plaintext Zeroize CLI KEK command Reset
Name Input - Storage Storage Duration Zeroization Related Output SSPs MACsec RAM:Plaintext Zeroize CLI ICK command Reset Table 23: SSP Table 2
The following transitions apply to algorithms used by this module: SHA-1: The SHA-1 hash algorithm will be non-Approved for cryptographic protection purposes after December 31, 2030.
On power up or reset, the module performs the pre-operational self-tests and the indicated conditional cryptographic algorithm self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. The CASTs for algorithms utilized in the pre-operational Firmware integrity check are performed prior to the Firmware integrity check.
Algorithm Test Test Test Indicator Details or Test Properties Method Type Firmware ECDSA P- KAT SW/FW PASS/FAIL ECDSA verify integrity 256 with Integrity console check SHA2-256 output Critical SHA2-256 KAT Critical PASS/FAIL Checks that any file that is executed is functions Function console registered in a manifest of executable files test output that comes with the firmware. Test verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file, verifying it cannot be executed. Table 24: Pre-Operational Self-Tests
Algorithm or Test Test Test Test Indicator Details Conditio Properti Metho Type ns es d Entropy Source (start-up) n/a APT, CAST PASS/FAIL Start-up OnRCT console power up output
Algorithm or Test Test Test Test Indicator Details Conditio Properti Metho Type ns es d Entropy Source (continuous) n/a APT, CAST Console Continuo Data RCT output / us output output of from entropy noise source source AES-CBC (A4210) Encrypt Key size: KAT CAST PASS/FAIL Encrypt On 128, console power192, 256 output up AES-CBC (A4210) Decrypt Key size: KAT CAST PASS/FAIL Decrypt On 128, console power192, 256 output up HMAC-SHA-1 (A4210) Key size: KAT CAST PASS/FAIL MAC On
output up HMAC-SHA2-256 (A4210) Key size: KAT CAST PASS/FAIL MAC On
output up HMAC-SHA2-384 (A4210) Key size: KAT CAST PASS/FAIL MAC On
output up HMAC-SHA2-512 (A4210) Key size: KAT CAST PASS/FAIL MAC On
output up RSA SigGen (FIPS186-4) (A4210) RSA KAT CAST PASS/FAIL Sign On
SHA2- output up 256, RSA
SHA2RSA SigVer (FIPS186-4) (A4210) RSA KAT CAST PASS/FAIL Verify On
SHA2- output up 256, RSA
SHA2ECDSA SigGen (FIPS186-4) (A4210) P-256, KAT CAST PASS/FAIL Sign On P-384, console powerP-521 output up ECDSA SigGen (FIPS186-4) (A6440) P-256, KAT CAST PASS/FAIL Sign On P-384, console powerP-521 output up ECDSA SigVer (FIPS186-4) (A4210) P-256, KAT CAST PASS/FAIL Verify On P-384, console powerP-521 output up ECDSA SigVer (FIPS186-4) (A6440) P-256, KAT CAST PASS/FAIL Verify On P-384, console powerP-521 output up KAS-ECC-SSC Sp800-56Ar3 (A4387) P-256, KAT CAST PASS/FAIL ECDH On P-384, console Computat powerP-521 output ion up
Algorithm or Test Test Test Test Indicator Details Conditio Properti Metho Type ns es d KDF SSH (A4347) SHA-1, KAT CAST PASS/FAIL Key On SHA2- console derivation power256, output Computat up SHA2- ion RSA KeyGen (FIPS186-4) (A4210) n/a PCT PCT Returned Generatio On key key/transit n and generatio ion soft Verificatio n error state n of signature ECDSA KeyGen (FIPS186-4) (A4210) n/a PCT PCT Returned Generatio On key key/transit n and generatio ion soft Verificatio n error state n of signature ECDSA KeyGen (FIPS186-4) (A6440) n/a PCT PCT Returned Generatio On key key/transit n and generatio ion soft Verificatio n error state n of signature ECDSA SigVer (FIPS186-4) (A4211) P-256 KAT CAST PASS/FAIL Verify On console poweroutput up FW Load ECDSA KAT SW/F PASS/FAIL Verificatio On FW P-256 W console n of load with Load output ECDSA SHA2- signature
HMAC DRBG (A4417) 256, KAT CAST PASS/FAIL Instantiat On SHA2- console e, re-seed, power-
generate HMAC-SHA-1 (A4417) Key size: KAT CAST PASS/FAIL MAC On
output up HMAC-SHA2-256 (A4417) Key size: KAT CAST PASS/FAIL MAC On
output up SHA2-384 (A4417) n/a KAT CAST PASS/FAIL Hash On console poweroutput up SHA2-512 (A3355) n/a KAT CAST PASS/FAIL Hash On console poweroutput up HMAC-SHA2-256 (A4208) Key size: KAT CAST PASS/FAIL MAC On
output up HMAC-SHA-1 (A4208) Key size: KAT CAST PASS/FAIL MAC On
output up SHA2-512 (A4208) n/a KAT CAST PASS/FAIL Hash On console poweroutput up
Algorithm or Test Test Test Test Indicator Details Conditio Properti Metho Type ns es d KDF SP800-108 (A4416) Key size: KAT CAST PASS/FAIL Derive On
output up AES-KW (A4416) Wrap Key size: KAT CAST PASS/FAIL Wrap On 128, console power192, 256 output up AES-KW (A4416) Unwrap Key size: KAT CAST PASS/FAIL Unwrap On 128, console power192, 256 output up AES-CMAC (A4416) Key size: KAT CAST PASS/FAIL MAC On 128, 256 console poweroutput up AES-GCM Encrypt 128,256 KAT CAST Internal Encrypt On (AES3969/AES4544/AES4545/AES4550/C status: power1869/C996) power-up up continues or errors AES-GCM Decrypt 128,256 KAT CAST Internal Decrypt On (AES3969/AES4544/AES4545/AES4550/C status: power1869/C996) power-up up continues or errors ECDSA SigVer (FIPS186-4) (A6401) P-256 KAT CAST PASS/FAIL Verify On console poweroutput up SHA2-512 (A3498) n/a KAT CAST PASS/FAIL hash On console poweroutput up SHA2-512 (A3330) n/a KAT CAST PASS/FAIL hash On console poweroutput up Manual SSP entry n/a Duplica Manu PASS/FAIL Duplicate On te al console entry manual, entry Entry output direct entry of SSP Table 25: Conditional Self-Tests
The module does not implement periodic self-testing. Algorithm or Test Test Method Test Type Period Periodic Method Firmware integrity KAT SW/FW Integrity On demand Manually check Critical functions KAT Critical Function On demand Manually test Table 26: Pre-Operational Periodic Information
Algorithm or Test Test Test Type Period Periodic Method Method Entropy Source (start-up) APT, RCT CAST On Manually demand Entropy Source (continuous) APT, RCT CAST Continuous Automatically AES-CBC (A4210) Encrypt KAT CAST On Manually Demand AES-CBC (A4210) Decrypt KAT CAST On Manually Demand HMAC-SHA-1 (A4210) KAT CAST On Manually Demand HMAC-SHA2-256 (A4210) KAT CAST On Manually Demand HMAC-SHA2-384 (A4210) KAT CAST On Manually Demand HMAC-SHA2-512 (A4210) KAT CAST On Manually Demand RSA SigGen (FIPS186-4) (A4210) KAT CAST On Manually Demand RSA SigVer (FIPS186-4) (A4210) KAT CAST On Manually Demand ECDSA SigGen (FIPS186-4) (A4210) KAT CAST On Manually Demand ECDSA SigGen (FIPS186-4) (A6440) KAT CAST On Manually Demand ECDSA SigVer (FIPS186-4) (A4210) KAT CAST On Manually Demand ECDSA SigVer (FIPS186-4) (A6440) KAT CAST On Manually Demand KAS-ECC-SSC Sp800-56Ar3 (A4387) KAT CAST On Manually Demand KDF SSH (A4347) KAT CAST On Manually Demand RSA KeyGen (FIPS186-4) (A4210) PCT PCT On trigger Automatic condition ECDSA KeyGen (FIPS186-4) (A4210) PCT PCT On trigger Automatic condition ECDSA KeyGen (FIPS186-4) (A6440) PCT PCT On trigger Automatic condition ECDSA SigVer (FIPS186-4) (A4211) KAT CAST On Manually Demand FW Load KAT SW/FW On FW Automatic Load load request HMAC DRBG (A4417) KAT CAST On Manually Demand HMAC-SHA-1 (A4417) KAT CAST On Manually Demand HMAC-SHA2-256 (A4417) KAT CAST On Manually Demand SHA2-384 (A4417) KAT CAST On Manually Demand
Algorithm or Test Test Test Type Period Periodic Method Method SHA2-512 (A3355) KAT CAST On Manually Demand HMAC-SHA2-256 (A4208) KAT CAST On Manually Demand HMAC-SHA-1 (A4208) KAT CAST On Manually Demand SHA2-512 (A4208) KAT CAST On Manually Demand KDF SP800-108 (A4416) KAT CAST On Manually Demand AES-KW (A4416) Wrap KAT CAST On Manually Demand AES-KW (A4416) Unwrap KAT CAST On Manually Demand AES-CMAC (A4416) KAT CAST On Manually Demand AES-GCM Encrypt KAT CAST On Manually (AES3969/AES4544/AES4545/AES4550/C1869/C996) Demand AES-GCM Decrypt KAT CAST On Manually (AES3969/AES4544/AES4545/AES4550/C1869/C996) Demand ECDSA SigVer (FIPS186-4) (A6401) KAT CAST On Manually demand SHA2-512 (A3498) KAT CAST On Manually demand SHA2-512 (A3330) KAT CAST On Manually demand Manual SSP entry Duplicate Manual On Automatic entry Entry condition trigger Table 27: Conditional Periodic Information
Name Description Conditions Recovery Indicator Method Critical The cryptographic module ceases to On any power-up Power cycle Console Failure perform cryptographic operations, self-test error status State inhibits all data output, and provides indicator status of the error via syslog messages and console status output Soft A non-critical self-test failure occurs, PCT, firmware load The module Console Error causing a failure of the triggering test, continuous processes the error, displays State operation entropy health test and resumes error failure normal operation Table 28: Error States
The module enters error state upon failure of any self-tests, causing the kernel to ‘panic‘ and all execution to halt. The only way to exit from this state is to reboot the module, which causes the self-tests to be repeated and pass successfully before the corresponding algorithms are usable.
Self–tests that are performed at power-up are available on demand by power cycling the module.
The module must be correctly installed and configured to enter a FIPS compliant state and operate in the Approved mode. The required procedures are as follows:
user@host> show version
To configure the device for the Approved mode:
CAUTION: Perform system zeroization with care. After the zeroization process is complete, no data is left on the device. The device is returned to the factory default state, equivalent to a fresh installation of the firmware, without any configured users or configuration files. After zeroizing the system, the module is no longer in a FIPS compliant state. (Installation and configuration as per section 11.1 is required to enter the FIPS compliant state and enable the Approved mode of operation). NOTE: The Crypto-Officer must retain control of the module while zeroization is in progress. To zeroize the device:
No specific non-administrator guidance is required to operate the module.
The module design implements the following security rules:
The following are requirements for compliant usage of the module:
No special maintenance requirements are required.
When disposing of the cryptographic module, the cryptographic officer shall perform the zeroize command as described in Section 11.2.3.
The module does not implement mechanisms to mitigate other attacks beyond what is described in this security policy.