All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Juniper Networks SRX Series Services Gateways

Certificate#5141StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc
High review priority  ·  exposes network crypto parser/protocol, debug/recovery interface  ·  last validated 5 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/17/2031
CaveatWhen installed, initialized and configured as specified in Section 11.1 of the Security Policy
VendorJuniper Networks, Inc

Approved Algorithms (21)

AlgorithmACVP Cert
AES-CBCA3693
AES-CTRA3693
ECDSA KeyGen (FIPS186-4)A3693
ECDSA KeyVer (FIPS186-4)A3693
ECDSA SigGen (FIPS186-4)A3693
ECDSA SigVer (FIPS186-4)A3693
HMAC-SHA-1A3693
HMAC-SHA2-256A3693
HMAC-SHA2-512A3693
KAS-ECC-SSC Sp800- 56Ar3A3610
RSA KeyGen (FIPS186- 4)A3693
RSA SigGen (FIPS186- 4)A3693
RSA SigVer (FIPS186-4)A3693
SHA-1A3693
SHA2-256A3693
SHA2-384A3693
SHA2-512A3693
HMAC DRBGA3493
HMAC-SHA2- 256A3493
KDF SSH (CVL)A4271
HMAC-SHA-1 HMAC-SHA2- 256 HMAC-SHA2- 512

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Juniper Networks SRX Series Services Gateways
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Soft Error State</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C4,C5,C6 clue;
  class I2,I3,I4,I5,I6 infer;
  class R2,R3,R4,R5,R6 risk;
  class E2,E3,E4,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Juniper Networks SRX Series Services Gateways
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Soft Error State</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C4 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

Juniper Networks, Inc Juniper Networks SRX Series Services Gateways Version: Junos OS 22.2R3-S1 Prepared for: Juniper Networks, Inc.

1133 Innovation Way
1.888 JUNIPER

www.juniper.net TERON LABS Prepared by: www.teronlabs.com Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 2
Table of Contents
#SectionPage
1General7
1.1Overview7
1.2Security Levels7
2Cryptographic Module Specification8
2.1Description8
2.2Tested and Vendor Affirmed Module Version and Identification13
2.3Excluded Components14
2.4Modes of Operation15
2.5Algorithms15
2.6Security Function Implementations18
2.7Algorithm Specific Information21
2.8RBG and Entropy21
2.9Key Generation22
2.10Key Establishment22
2.11Industry Protocols22
3Cryptographic Module Interfaces23
3.1Ports and Interfaces23
4Roles, Services, and Authentication24
4.1Authentication Methods24
4.2Roles24
4.3Approved Services25
4.4Non-Approved Services28
4.5External Software/Firmware Loaded28
5Software/Firmware Security29
5.1Integrity Techniques29
5.2Initiate on Demand29
6Operational Environment30
6.1Operational Environment Type and Requirements30
6.2Configuration Settings and Restrictions30
7Physical Security31
7.1Mechanisms and Actions Required31
7.2User Placed Tamper Seals31
8Non-Invasive Security47
9Sensitive Security Parameters Management48
9.1Storage Areas48
9.2SSP Input-Output Methods48
9.3SSP Zeroization Methods48
9.4SSPs49
9.5Transitions53
10Self-Tests54
10.1Pre-Operational Self-Tests54
10.2Conditional Self-Tests54
10.3Periodic Self-Test Information57
10.4Error States59
10.5Operator Initiation of Self-Tests60
11Life-Cycle Assurance61
11.1Installation, Initialization, and Startup Procedures61
11.2Administrator Guidance62
11.3Non-Administrator Guidance62
11.4Design and Rules62
11.5Maintenance Requirements62
11.6End of Life62
12Mitigation of Other Attacks63
Page 3

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 4
List of Tables
ItemPage
Table 1: Security Levels7
Table 2: Tested Module Identification – Hardware14
Table 3: Modes List and Description15
Table 4: Approved Algorithms - OpenSSL Approved Cryptographic Functions17
Table 5: Approved Algorithms - Kernel Approved Cryptographic Functions17
Table 6: Approved Algorithms - LibMD Approved Cryptographic Functions18
Table 7: Approved Algorithms - OpenSSH Approved Cryptographic Functions18
Table 8: Vendor-Affirmed Algorithms18
Table 9: Security Function Implementations21
Table 10: Entropy Certificates21
Table 11: Ports and Interfaces23
Table 12: Authentication Methods24
Table 13: Roles24
Table 14: Approved Services28
Table 15: Mechanisms and Actions Required31
Table 16: Storage Areas48
Table 17: SSP Input-Output Methods48
Table 18: SSP Zeroization Methods49
Table 19: SSP Table 151
Table 20: SSP Table 253
Table 21: Pre-Operational Self-Tests54
Table 22: Conditional Self-Tests57
Table 23: Pre-Operational Periodic Information57
Table 24: Conditional Periodic Information59
Table 25: Error States59
Page 5

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 6

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 7
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic module specification2
33Cryptographic module interfaces2
44Roles, services, and authentication2
55Software/Firmware security2
66Operational environmentN/A
77Physical security2
88Non-invasive securityN/A
99Sensitive security parameter management2
1010Self-tests2
1111Life-cycle assurance2
1212Mitigation of other attacksN/A
Overall LevelOverall Level2
1.1 Overview

This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks SRX Series Services Gateways consisting of the SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600 and SRX5800 models and running Junos OS 22.2R3-S1, hereafter referred to as the

1.2 Security Levels

The cryptographic module meets requirements applicable to Level 2 of FIPS 140-3. The table below shows the security levels claimed for each section of the security requirements. N/A N/A N/A Table 1: Security Levels Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 8
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The SRX Series Services Gateways are a series of secure routers that provide essential capabilities to connect, secure, and manage work force locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. Module Type: Hardware Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: This Security Policy covers the following models:

Page 9

Figure 1

Page 10

Figure 6

Page 11

Figure 10

Page 12

Figure 12

Page 13
Module configuration
NameModelHardware VersionFirmware VersionProcessorFeatures
SRX1500SRX1500SRX1500JUNOS 22.2R3-S1.9Intel Xeon E3-1200 v212x1GbE ports; 4x1GbE SFP ports; 4x10GbE SFP ports; 2 PIM slots (not used in validation)
SRX4100SRX4100SRX4100JUNOS 22.2R3-S1.9Intel Xeon E5-2640 v48 x 1GbE/10GbE ports
SRX4200SRX4200SRX4200JUNOS 22.2R3-S1.9Intel Xeon E5-2640 v48 x 1GbE/10GbE ports
SRX4600SRX4600SRX4600JUNOS 22.2R3-S1.9Intel Xeon E5-2658 v48 x 1GbE/10Gb Ethernet SFP ports, 4 x 40/100Gb Ethernet QSFP21 ports
SRX5400SRX5400SRX5400JUNOS 22.2R3-S1.9Intel Xeon C5518, Intel Xeon E5-2658 v4, Intel Xeon CPU E5-2608L v3Routing Engine: SRX5K-RE3-128G Switch Control Board: SRX5K-SCB3 Service Processing Card: SRX5K-SPC- 4-15-320, SRX5K-SPC3
SRX5600SRX5600SRX5600JUNOS 22.2R3-S1.9Intel Xeon C5518, Intel Xeon E5-2658 v4, Intel Xeon CPU E5-2608L v3Routing Engine: SRX5K-RE3-128G Switch Control Board: SRX5K-SCB3, SRX5K-SCB4 Service Processing Card: SRX5K-SPC- 4-15-320, SRX5K-SPC3 Module Interface Card: SRX5K-IOC4- 10G, SRX5K-MPC3-40G10G
SRX5800SRX5800SRX5800JUNOS 22.2R3-S1.9Intel Xeon C5518, Intel Xeon E5-2658 v4, Intel Xeon CPU E5-2608L v3Routing Engine: SRX5K-RE3-128n Switch Control Board: SRX5K-SCB3, SRX5K-SCB4 Service Processing Card: SRX5K-SPC- 4-15-320, SRX5K-SPC3 Module Interface Card: SRX5K-IOC4- 10G, SRX5K-MPC3-40G10G
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 14

Table 2: Tested Module Identification

2.3 Excluded Components

No components are excluded from the requirements of FIPS 140-3. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 15
Service
NameDescriptionIndicatorType
JUNOS-FIPS- MODEApproved mode of operation enabled by following the configuration commands in Section 11.1Suffix string :fips in the cli promptApproved
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA3693Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA3693Direction - Decrypt, Encrypt Key Length - 128, 192, 256 Payload Length - Payload Length: 8-128 Increment 8 Supports Counter larger than maximum value - No Incremental Counter - Yes Counter Tests Performed - YesSP 800-38A
ECDSA KeyGen (FIPS186-4)A3693Curve - P-256, P-384, P-521 Secret Generation Mode - Testing CandidatesFIPS 186-4
ECDSA KeyVer (FIPS186-4)A3693Curve - P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A3693Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A3693Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-4
HMAC-SHA-1A3693MAC - MAC: 160 Key Length - Key Length: 160FIPS 198-1
HMAC-SHA2-256A3693MAC - MAC: 256 Key Length - Key Length: 256FIPS 198-1
HMAC-SHA2-512A3693MAC - MAC: 512 Key Length - Key Length: 512FIPS 198-1
KAS-ECC-SSC Sp800- 56Ar3A3610Domain Parameter Generation Methods - P-256, P- 384, P-521 Hash Function Z - SHA2-256, SHA2-384, SHA2- 512 Scheme - ephemeralUnified - KAS Role - initiatorSP 800-56A Rev. 3
RSA KeyGen (FIPS186- 4)A3693Key Generation Mode - B.3.3 Modulo - 2048, 4096 Primality Tests - Table C.2 Info Generated By Server - No Public Exponent Mode - Fixed Fixed Public Exponent - 010001 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186- 4)A3693Signature Type - PKCS 1.5 Modulo - 2048, 4096 Hash Pair - Hash Algorithm - SHA2-256FIPS 186-4
RSA SigVer (FIPS186-4)A3693Signature Type - PKCS 1.5 Modulo - 2048, 4096 Hash Pair - Hash Algorithm - SHA2-256 Public Exponent Mode - Fixed Fixed Public Exponent - 010001FIPS 186-4
SHA-1A3693Message Length - Message Length: 0-65536 Increment 8 Function - SHA1FIPS 180-4
SHA2-256A3693Message Length - Message Length: 0-65536 Increment 8 Function - SHA2FIPS 180-4
SHA2-384A3693Message Length - Message Length: 0-65536 Increment 8 Function - SHA2FIPS 180-4
SHA2-512A3693Message Length - Message Length: 0-65536 Increment 8 Function - SHA2FIPS 180-4
HMAC DRBGA3493Prediction Resistance - Yes Supports Reseed - No Mode - SHA2-256 Entropy Input - Entropy Input: 256 Nonce - Nonce: 128 Personalization String Length - Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 256 Returned Bits - 1024SP 800-90A Rev. 1
HMAC-SHA2- 256A3493MAC - MAC: 256 Key Length - Key Length: 160, 256FIPS 198-1
SHA2-256A3493Message Length - Message Length: 0-51200 Increment 8 Function - SHA2FIPS 180-4
SHA2-512A3361Message Length - Message Length: 0-51200 Increment 8 Function - SHA2FIPS 180-4
HMAC-SHA-1A3367MAC - MAC: 160 Key Length - Key Length: 112, 160FIPS 198-1
HMAC-SHA2- 256A3367MAC - MAC: 256 Key Length - Key Length: 160, 256FIPS 198-1
SHA-1A3367Message Length - Message Length: 0-51200 Increment 8 Function - SHA1FIPS 180-4
SHA2-256A3367Message Length - Message Length: 0-51200 Increment 8 Function - SHA2FIPS 180-4
SHA2-512A3367Message Length - Message Length: 0-65536 Increment 8 Function - SHA2FIPS 180-4
KDF SSH (CVL)A4271Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2- 512SP 800-135 Rev. 1

Modes List and Description: JUNOS-FIPSMODE Table 3: Modes List and Description Once the module has been securely initialized following the instructions provided in Section 11.1, the module is in approved mode of operation. Failure to follow the secure initialization instructions results in the module being in a non-compliant state which is out of scope of the validation.

2.5 Algorithms

Approved Algorithms: Although the module may have been tested for additional algorithms or modes, only those listed below are utilized by the module. OpenSSL Approved Cryptographic Functions Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 16

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 17

Table 4: Approved Algorithms - OpenSSL Approved Cryptographic Functions Kernel Approved Cryptographic Functions HMAC-SHA2256 Table 5: Approved Algorithms - Kernel Approved Cryptographic Functions LibMD Approved Cryptographic Functions HMAC-SHA2256 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 18
Service
NameDescriptionApproved FunctionsTypeProperties
CKGKey type:AsymmetricJunos 22.2R1 - OpenSSLSP 800-133 Rev.2 Section 4, example 1 direct output from DRBG.
Enc/Dec (SSH)Unauthenticated encryption for SSHAES-CBC: (A3693) AES-CTR: (A3693)BC-UnAuth
KAS-SSC (SSH)Key Agreement Scheme Shared Secret Computation for SSHKAS-ECC-SSC Sp800-56Ar3: (A3610)KAS-SSC
ECDSA SigGen (SSH)Signature Generation for peer authentication in SSHECDSA SigGen (FIPS186-4): (A3693) SHA2-256: (A3693)DigSig-SigGen
Service
NameDescriptionApproved FunctionsTypeProperties
CKGKey type:AsymmetricJunos 22.2R1 - OpenSSLSP 800-133 Rev.2 Section 4, example 1 direct output from DRBG.
Enc/Dec (SSH)Unauthenticated encryption for SSHAES-CBC: (A3693) AES-CTR: (A3693)BC-UnAuth
KAS-SSC (SSH)Key Agreement Scheme Shared Secret Computation for SSHKAS-ECC-SSC Sp800-56Ar3: (A3610)KAS-SSC
ECDSA SigGen (SSH)Signature Generation for peer authentication in SSHECDSA SigGen (FIPS186-4): (A3693) SHA2-256: (A3693)DigSig-SigGen
ECDSA SigVer (SSH)Signature Verification for peer authentication in SSHECDSA SigVer (FIPS186-4): (A3693) SHA2-256: (A3693) SHA2-384: (A3693) SHA2-512: (A3693)DigSig-SigVer
MAC (SSH)Message Authentication for SSHHMAC-SHA-1: (A3693) SHA2-256: (A3693) HMAC-SHA2-512: (A3693)MAC
KDF (SSH)Key derivation Function for SSHKDF SSH: (A4271) SHA-1: (A3693) SHA2-256: (A3693) SHA2-384: (A3693)KAS-135KDF
SHA (LibMD)Message Digest GenerationSHA-1: (A3367) SHA2-256: (A3367) SHA2-512: (A3367)SHA
MAC (LibMD)Message authenticationHMAC-SHA-1: (A3367) HMAC-SHA2-256: (A3367)MAC
DRBG (Kernel)Random Bit GenerationHMAC DRBG: (A3493) HMAC-SHA2-256: (A3493) SHA2-256: (A3493)DRBG
SHA (Kernel)Entropy source conditioning componentSHA2-512: (A3361)SHA
ECDSA KeyGen (PKID)ECDSA Key Generation used for SSH when authentication keys are internally generatedECDSA KeyGen (FIPS186-4): (A3693) ECDSA KeyVer (FIPS186-4): (A3693) CKG: () Key type:AsymKeyPair- KeyGen AsymKeyPair- KeyVer
RSA KeyGen (PKID)RSA Key generation used for SSH when authentication keys are internally generatedRSA KeyGen (FIPS186-4): (A3693) CKG: () Key type: Asymmetric HMAC DRBG: (A3493)AsymKeyPair- KeyGen
RSA SigGen (SSH)RSA Signature Generation for SSHRSA SigGen (FIPS186-4): (A3693)DigSig-SigGen
RSA SigVer (SSH)RSA Signature verification for SSHRSA SigVer (FIPS186-4): (A3693)DigSig-SigVer
Verify imageVerification of software imageECDSA SigVer (FIPS186-4): (A3693) SHA2-256: (A3693) SHA2-384: (A3693)DigSig-SigVer
Full KAS (SSH)Full Key Agreement for SSHKAS-ECC-SSC Sp800-56Ar3: (A3610) KDF SSH: (A4271) SHA-1: (A3693) SHA2-256: (A3693) SHA2-384: (A3693)KAS-Full
KAS-ECC KeyGen (SSH)KAS-ECC Key Pair Generation for SSHECDSA KeyGen (FIPS186-4): (A3693) ECDSA KeyVer (FIPS186-4): (A3693) CKG: () Key type: Asymmetric HMAC DRBG: (A3493)AsymKeyPair- KeyGen AsymKeyPair- KeyVer
ENTEntropy SourceSHA2-512: (A3361)ENT-ESV

Table 6: Approved Algorithms - LibMD Approved Cryptographic Functions OpenSSH Approved Cryptographic Functions Table 7: Approved Algorithms - OpenSSH Approved Cryptographic Functions Vendor-Affirmed Algorithms: Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.

2.6 Security Function Implementations

The module implements the security functions listed in the following table. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 19

AsymKeyPairKeyGen AsymKeyPairKeyVer Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 20

AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyVer Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 21
Service
NameDescriptionApproved FunctionsTypeProperties
KTS (SSH)Key transport using SSH as per IG D.G provisionsAES-CBC: (A3693) AES-CTR: (A3693) HMAC-SHA-1: (A3693) HMAC-SHA2-256: (A3693) HMAC-SHA2-512: (A3693)KTS-WrapKTS:128, 256, 384, 521, 2048, 3072 or 4096 bits keys provide between 112 and 256 bits of encryption strength
CertVendor Name
Number
E56Juniper Networks

Table 9: Security Function Implementations

2.7 Algorithm Specific Information

The module includes RSA and ECDSA algorithms that have been validated using FIPS 186-4 CAVP tests, which are mathematically identical to FIPS 186-5 CAVP tests. Per IG C.K, all RSA and ECDSA algorithms implemented by the module are claimed compliant with FIPS 186-5. The module complies with IG C.F. RSA Key Generation, Signature Generation and Signature Verification have been tested and validated using CAVP testing for all implemented modulus lengths (2048, 3072 and 4096 bits). The number of Miller-Rabin tests used for primality testing as part of RSA Key Generation is consistent with Table C.3. The module implements the following Approved key agreement methods which have been CAVP tested and validated:

2.8 RBG and Entropy

Table 10: Entropy Certificates N/A for this module. Non-Proprietary FIPS 140-3 Security Policy

Page 22
Approved algorithm
NameMode Method
ProtocolProtocolKey ExchangeAuthCipherIntegrity
HMAC-SHA-1 HMAC-SHA2- 256 HMAC-SHA2- 512AES CBC 128/192/256 AES CTR 128/192/256SSHv2KAS-ECC (P-256, P-384, P-521)RSA 2048 ECDSA P- 256

The entropy source is used to seed the module’s HMAC DRBG with the minimum required 256bits of entropy. Each 512-bit block of conditioned output from the entropy source contains 448 bits of entropy. The HMAC DRBG is used for all random data required by the module, including key generation. There are no initialization procedures required by the users of the module to operate the entropy source in a compliant manner. The module complies to the ESV Public Use document of the validated entropy source (Cert. E56).

2.9 Key Generation

The cryptographic module implements the key generation methods listed above in the Security Functions implementation table.

2.10 Key Establishment

The cryptographic module implements the key establishment methods listed above in the Security Functions implementation table.

2.11 Industry Protocols

The cryptographic module supports the protocols listed below. No part of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. The SSH algorithms allow independent selection of key exchange, authentication, cipher, and integrity. In reference to the supported protocols table below, each column of options for a given protocol is independent and may be used in any viable combination. Juniper Networks ECDSA P256 HMAC-SHA2256 HMAC-SHA2512 Non-Proprietary FIPS 140-3 Security Policy

Page 23
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Ethernet (data)Ethernet (data)Data Input Data Output Control Input Status OutputLAN communications
Ethernet (mgmt.)Ethernet (mgmt.)Data Input Data Output Control Input Status OutputRemote management
SerialSerialControl Input Status OutputLocal management
Reset ButtonReset ButtonControl InputReset
ToDToDControl Input Status OutputRJ-45 Time of Day Port
BITSBITSControl Input Status OutputBITS RJ-45 port
GPSGPSControl Input Status Output10 Mhz clock synchronization
PPSPPSControl Input Control Output1 pulse per second
OfflineOfflineControl InputOffline button
LEDLEDStatus OutputStatus indicator lighting
PowerPowerPowerPower
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The following table maps each physical interface to one or more logical interface types defined in the FIPS 140-3 standard. Table 11: Ports and Interfaces Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 24
Sensitive security parameter
NameDescriptionStrengthStrength per Minute
Password authenticationUser and CO authentication via SSH or console. Minimum of 10 ASCII character passwords.Probability of guessing: 1/(96^10) 1/1,000,000.SHA (LibMD)Timed access mechanism allows max of 10 attempts / min. Probability of guessing: 10/(96^10) 1/100,000.
Signature authenticationUser/CO authentication via SSH.Strength of signature algorithm, minimum 112-bits. Probability of success for random attempt: 1/(2^112) 1/1,000,000.ECDSA SigVer (SSH)A rate of 1 CPU cycle per failed authentication for the Intel Xeon E3-1200 v2 processor (4 cores, 3.1 GHz) allows for the probability of success by brute- force attack: 60 x 4 x 3.1 x 10^9 x 1/(2^112) 1/100,000.
Service
NameRole AccessType
UserMonitorRolePassword authentication Signature authentication
Cryptographic OfficerCORolePassword authentication Signature authentication
4 Roles, Services, and Authentication

Table 12: Authentication Methods The module enforces the separation of roles using either password-based authentication or

4.2 Roles

Table 13: Roles The module supports two roles: Cryptographic Officer (CO) and User. The module supports rolebased operator authentication for assuming these roles, using methods specified in Section 4.1. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 25
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Configure securitySecurity relevant configurationCryptographic Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - CO-PW: W - User-PW: W - SSH-Priv: G,R,WSHA (LibMD) MAC (LibMD) DRBG (Kernel) SHA (Kernel) ECDSA KeyGen (PKID) RSA KeyGen (PKID) ENT:fips suffix in CLI promptCLI commandsStatus
ConfigureNon-security relevant configurationCryptographic OfficerNoneNoneCLI commandsStatus
Show statusShow statusCryptographic Officer UserNoneNoneCLI commandStatus
ZeroizeZeroize / destroy all CSPsCryptographic Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Seed: Z - HMAC DRBG Entropy Input: Z - SSH-DH- Shared-Secret: Z - SSH-Priv: Z - SSH-SEKs: Z - CO-PW: Z - User-PW: Z - SSH-PUB: Z - Auth-User Pub:NoneNoneCLI commandNone (completion indicator is implicitly provided by the module rebooting)
SSH connectInitiate SSH connection for SSH monitoring and control (CLI)Cryptographic Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH-DH- Shared-Secret: G,E - SSH-DH-priv: G,E - SSH-SEKs: G,E - Auth-CO Pub: E - SSH-Priv: E - CO-PW: E - SSH-DH-PUB (self): G - SSH-DH-PUB (peer): E User - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH-Priv: E - User-PW: E - SSH-DH- Shared-Secret: G,E - SSH-DH-priv: G,EEnc/Dec (SSH) KAS-SSC (SSH) ECDSA SigGen (SSH) ECDSA SigVer (SSH) MAC (SSH) KDF (SSH) DRBG (Kernel) RSA SigGen (SSH) RSA SigVer (SSH) Full KAS (SSH) KAS-ECC KeyGen (SSH) ENT KTS (SSH):fips suffix in CLI promptSSH packetsSSH packets, status
Console accessConsole monitoring and control (CLI)Cryptographic Officer - CO-PW: E User - User-PW: R,ENoneNoneCLI commandStatus
Remote resetSoftware initiated resetCryptographic Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH-DH- Shared-Secret: Z - SSH-DH-priv: Z - SSH-SEKs: Z - SSH-DH-PUB (self): Z - SSH-DH-PUB (peer): ZNoneNoneCLI commandStatus
Local resetHardware reset or power cycleUnauthenticated - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH-DH- Shared-Secret: Z - SSH-SEKs: Z - SSH-DH-PUB (self): ZNoneNoneManual power cycleStatus
TrafficTraffic requiring no cryptographic servicesUnauthenticatedNoneNoneTraffic inTraffic out
Load ImageLoading of firmware imageCryptographic Officer - Root-CA: E - Package-CA: EVerify image:fips suffix in CLI promptCLI commandstatus
Perform self-testsOn-demand self- tests of all pre- operational and conditional algorithm self- testsCryptographic Officer User UnauthenticatedNoneNoneLocal or remote resetstatus
Show versionShow firmware versionCryptographic Officer UserNoneNoneCLI commandStatus

The User role monitors the router via the console or SSH. The user role cannot change the

4.3 Approved Services

G,R,W Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 26

Z Juniper Networks Non-Proprietary FIPS 140-3 Security Policy G,E G,E G,E G,E

Page 27

E Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 28

algorithm selftests Table 14: Approved Services

4.4 Non-Approved Services
4.5 External Software/Firmware Loaded

The module includes a firmware load service to support necessary updates. Only the CO can install the new image using the CLI as described in Section 11.1. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 29
5 Software/Firmware Security
5.1 Integrity Techniques

The cryptographic module implements an approved firmware integrity self-test that uses ECDSA P-256 with SHA2-256 to ensure the integrity of all Junos OS firmware components. The selftest is automatically run on power-up. It can also be run on demand by the module’s operator by power cycling the module. When the integrity check fails, the module enters an error state (kernel panic) which can only be exited by power-cycling the module.

5.2 Initiate on Demand

The self-test is automatically run on power-up. It can also be run on demand by the module’s operator by power cycling the module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 30
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Non-Modifiable How Requirements are Satisfied: The module consists of hardware containing a non-modifiable operational environment as per the FIPS 140-3 definitions. It includes a firmware load service to support necessary updates. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.

6.2 Configuration Settings and Restrictions

There are no security rules, settings, or restrictions to the configuration of the operational environment beyond the initialization instructions to set the module in approved mode. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 31
MechanismInspection FrequencyInspection Guidance
Tamper seals (part # JNPR-FIPS- TAMPER-LBLS)Once per month by the Cryptographic OfficerSeals should be free of any tamper evidence.
Opaque metal enclosure.n/an/a
7 Physical Security
7.1 Mechanisms and Actions Required

n/a n/a Table 15: Mechanisms and Actions Required The module’s physical embodiment is that of a multi-chip standalone device that meets Level 2 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel, and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Tamper-evident seals allow the operator to tell if the enclosure has been breached. These seals are not factory-installed and must be applied by the Cryptographic Officer. (Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) The tamper-evident seals shall be installed for the module to operate in approved mode. The Cryptographic Officer is responsible for securing and having control at all times of any unused seals and the direct control and observation of any changes to the module such as reconfigurations where the tamper-evident seals or security appliances are removed or installed to ensure the security of the module is maintained during such changes and the module is returned to an approved mode of operation. If the Cryptographic Officer observes tamper evidence, it shall be assumed that the device has been compromised. The Cryptographic Officer shall retain control of the module and perform zeroization of the module’s CSPs by following the steps in Section 9.3 and then follow the steps in Section 11.1 to place the module back into approved mode of operation.

7.2 User Placed Tamper Seals

The number of seals that need to be applied depends on the module model, as follows:

Page 32

2 Tamper labels (#5 & #6) are used to cover the USB port and two tamper labels (#3 & #4) are

used to cover the High Availability port (Figure 4). Figure 15 - SRX1500 Front View: TEL 1 - 6

Page 33

Figure 17 - SRX1500 Top - Rear View: TEL 7 Figure 18 - SRX1500 Bottom View: TEL 8, 9 & 10

Page 34

Figure 19 - SRX1500 Right Side View: TEL 9 Figure 20 - SRX1500 Left Side View: TEL 10 SRX4100 & SRX4200 The placement of the tamper evident labels for the SRX4100 and SRX4200 are the same in that the outside of the devices is identical. Thirteen tamper-evident seals must be applied to the following locations:

Page 35

Figure 22 - SRX4100 & SRX4200 Left-Side View: TEL 1 Figure 23 - SRX4100 & SRX4200 Right-Side View: TEL 2

Page 36

Figure 25 - SRX4100 & SRX4200 Front View: TEL 6-11

Page 37

Figure 28 - SRX4600 Top Front View: TEL 1, 3, 5, 7, 8

29 TEL #9 and TEL #10 wrap over the top and cover the back plate of each power supply

and the adjacent chassis edge. Each of TEL#11 to TEL #15 = wraps over the top and attaches to a fan cover. Figure 29 - SRX4600 Rear View: TEL 9-15 Figure 30 - SRX4600 Top Rear View: TEL 9

Page 38

Figure 32 - SRX4600 Left Side View: TEL 11

Page 39

Tamper-evident seals shall be applied to the following locations:

Page 40

Figure 35 - SRX5400 Rear View: TEL 11-18 SRX5600 Tamper-evident seals must be applied to the following locations:

Page 41

Figure 36 - SRX5600 Front View: TEL 1-11 Figure 37 - SRX5600 Rear View: TEL 12-20 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 42

Figure 38 - SRX5600 USB Port: TEL 21 SRX5800 Tamper-evident seals shall be applied to the following locations:

Page 43

One (1) Seal, Vertical: At the top of the case connecting the DC system pane to the mesh fan cover. Figure 39 - SRX5800 Front View: TEL 1-36 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 44

Figure 40 - SRX5800 Rear View: TEL 37-41 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 45

Figure 41 - SRX5800 Rear View: TEL 37,39,40-42 Surface Preparation: For all seal applications, the Cryptographic Officer should observe the following instructions:

Page 46

Operator Responsible for Securing Unused Seals: The Cryptographic Officer is responsible for securing and having control at all times of any unused seals. Part Numbers: Tamper seals have part number JNPR-FIPS-TAMPER-LBLS. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 47
8 Non-Invasive Security

This section is not applicable, as there are currently no approved non-invasive mitigation techniques specified in ISO/IEC 19790:2012 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 48
Sensitive security parameter
NameTypeDescription
RAMDynamicRandom Access Memory
SSDDynamicSolid-Stated Drive
Service
NameTypeFromTo
Entry via SSHEncryptedRemote CORAMAutomatedElectronicKTS (SSH)
Manual CLI entryPlaintextLocal CORAMManualDirect
Entry via consolePlaintextLocal CORAMManualElectronic
Output via SSHEncryptedRAMRemote COAutomatedElectronicKTS (SSH)
Output via consolePlaintextRAMLocal COManualDirect
Entry as part of KASPlaintextRemote peerRAMAutomatedElectronic
Output as part of KASPlaintextRAMRemote peerAutomatedElectronic
Pre-loadedPlaintextManufacturerSSDManualDirect
ZeroizationDescriptionRationaleOperator Initiation
Method
ResetZeroisation of SSPs in RAM via invocation of local or remote reset serviceRAM is volatile and all data is lost when power is taken off. Zeroisation is practically instantaneous.Yes, both User and CO, via invocation of Local Reset or Remote Reset services
9 Sensitive Security Parameters Management
9.1 Storage Areas

The table below lists the areas within the module’s cryptographic boundary where SSPs can be stored. Table 16: Storage Areas

9.2 SSP Input-Output Methods

The table below lists the method used by the module for the input and output of SSPs. Table 17: SSP Input-Output Methods

9.3 SSP Zeroization Methods

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 49
ZeroizationDescriptionRationaleOperator Initiation
Method
Zeroize CLI commandThese command wipe clean all the SSPs/configs as well as the disk and installs a factory default firmware imageThis command overwrites all data on disk and forces a power cycleYes, CO via invocation of zeroize CLI command
Explicit zeroize functionZeroisation of SSPs in memory when no longer neededUse of explicit zeroisation function destroys SSP information immediately by overwriting memory area with zeroesNo. The operator cannot directly initiate this method.

Table 18: SSP Zeroization Methods The CO can run the following commands to zeroize the approved mode SSPs:

Page 50
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
HMAC DRBG V valueDRBG internal state - CSPA critical value of the internal state of DRBG per IG D.L256 - 256DRBG (Kernel)DRBG (Kernel)
HMAC DRBG Key valueDRBG internal state - CSPA critical value of the internal state of DRBG per IG D.L256 - 256DRBG (Kernel)DRBG (Kernel)
HMAC DRBG Entropy InputEntropy source output - CSPA critical value of the internal state of DRBG provided by entropy source256 - 256ENTDRBG (Kernel)
HMAC DRBG SeedDRBG internal state - CSPSeed material used to seed or reseed the HMAC DRBG256 - 256DRBG (Kernel)DRBG (Kernel)
SSH-DH- Shared- SecretDH shared value - CSPShared DH value computed from the ephemeral DH key-pairs as part of SSH and used to derive session keys. P-256, P-384 and P-521256, 384, 521 - 128, 192, 256KDF (SSH)KAS-SSC (SSH)
SSH-PrivAsymmetric private key - CSPSSH host authentication key (ECDSA or RSA)2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256ECDSA KeyGen (PKID) RSA KeyGen (PKID)ECDSA SigGen (SSH) RSA SigGen (SSH)
SSH-DH- privAsymmetric private key - CSPSSH DH private key used in SSH. P-256, P- 384 and P-521256, 384, 521 - 128, 192, 256KAS-ECC KeyGen (SSH)KAS-SSC (SSH)
SSH-SEKsSymmetric Key - CSPSession keys used with SSH-2.128, 192, 256 - 128, 192, 256KDF (SSH)Enc/Dec (SSH) MAC (SSH)
CO-PWAuthentication password - CSPPassword used to authenticate the COn/a - n/aSHA (LibMD)KTS (SSH)
User-PWAuthentication password - CSPPassword used to authenticate the User.n/a - n/aKTS (SSH)
SSH-PUBAsymmetric key - PSPSSH Public Host Key2048, 256, 4096, 384, 521 -ECDSA KeyGen (PKID)
112,128, 152, 192, 256112,128, 152, 192, 256RSA KeyGen (PKID)
Auth-User PubAsymmetric key - PSPSSH User Authentication Public Key2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256ECDSA SigVer (SSH) RSA SigVer (SSH)KTS (SSH)
Root-CAAsymmetric key - PSPJuniperRootCA. Used to verify the validity of the PackagCA256, 384 - 128, 196Verify image
Package- CAAsymmetric key - PSPCertificate that holds the public key of the signing key that was used to generate all the signatures used on the packages and signatures lists.256 - 128Verify image
SSH-DH- PUB (self)Asymmetric key - PSPSSH DH public key used for key establishment. P-256, P-384 and P-521256, 384, 521 - 128, 192, 256KAS-ECC KeyGen (SSH)KAS-SSC (SSH)
SSH-DH- PUB (peer)Asymmetric key - PSPSSH DH public keys provided by protocol peer device and used with SSH for key establishment. P-256, P-384 and P-521.2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256KAS-SSC (SSH)
Auth-CO PubAsymmetric key - PSPSSH CO Authentication Public Key2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256ECDSA SigVer (SSH) RSA SigVer (SSH)

SSH-DHSharedSecret SSH-DHpriv n/a - n/a n/a - n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 51

PackageCA SSH-DHPUB Table 19: SSP Table 1 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 52
Sensitive security parameter
NameStorageZeroizationStorage Duration
HMAC DRBG V valueRAM:PlaintextResetUntil updated by HMAC_DRBG_Update()
HMAC DRBG Key valueRAM:PlaintextResetUntil updated by HMAC_DRBG_Update()
HMAC DRBG Entropy InputRAM:PlaintextReset Explicit zeroize functionUntil HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete
HMAC DRBG SeedRAM:PlaintextReset Explicit zeroize functionUntil HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete
SSH-DH- Shared- SecretRAM:PlaintextReset Explicit zeroize functionUntil SSH session termination
SSH-PrivRAM:Plaintext SSD:PlaintextReset Zeroize CLI command Explicit zeroize functionUntil SSH session termination
SSH-DH- privRAM:PlaintextReset Explicit zeroize functionUntil SSH session termination
SSH-SEKsRAM:PlaintextReset Explicit zeroize functionUntil SSH session termination
CO-PWSSD:Encrypted RAM:PlaintextZeroize CLI commandUntil authentication session terminationManual CLI entry Entry via SSH Entry via console
User-PWRAM:Plaintext SSD:ObfuscatedZeroize CLI commandUntil authentication session terminationManual CLI entry Entry via SSH Entry via console
SSH-PUBSSD:PlaintextZeroize CLI commandOutput via SSH Output via console Output as part of KAS
Auth-User PubSSD:PlaintextZeroize CLI commandEntry via SSH Entry via console
Root-CASSD:PlaintextZeroize CLI commandPre-loaded
Package-CASSD:PlaintextZeroize CLI commandPre-loaded
SSH-DH- PUB (self)RAM:PlaintextReset Explicit zeroize functionUntil SSH session terminationOutput as part of KAS
SSH-DH- PUB (peer)RAM:PlaintextReset Explicit zeroize functionUntil SSH session terminationEntry as part of KAS
Auth-CO PubZeroize CLI commandEntry via SSH Entry via console

SSH-DHSharedSecret SSH-DHpriv Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 53
9.5 Transitions

The following transitions apply to algorithms used by this module: SHA-1: The SHA-1 hash algorithm will be non-Approved for all cryptographic purposes after December 31, 2030. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 54
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorConditions
Firmware Integrity checkFirmware Integrity checkKATSW/FW IntegrityECDSA VerifyECDSA P- 256 with SHA2-256PASS/FAIL console output
Critical functions testCritical functions testKATCritical FunctionThe module implements a critical function that checks that any file that is executed is registered in a manifest of executable files that comes with the firmware. A pre- operational critical function test is implemented that verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file. The test is successful if it verifies that the specific file cannot be executed.SHA2-256PASS/FAIL console output
Entropy Source (start- up)Entropy Source (start- up)APT, RCTCASTStart-upn/aConsole output / output of entropy sourceOn power-up
Entropy Source (continuous)Entropy Source (continuous)APT, RCTCASTContinuousn/aConsole output / output of entropy sourceOn power-up
AES-CBC (A3693) EncryptAES-CBC (A3693) EncryptKATCASTEncryptKey Sizes: 128, 192, 256PASS/FAIL console outputOn power-up
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
Firmware Integrity checkFirmware Integrity checkKATSW/FW IntegrityECDSA VerifyECDSA P- 256 with SHA2-256PASS/FAIL console output
Critical functions testCritical functions testKATCritical FunctionThe module implements a critical function that checks that any file that is executed is registered in a manifest of executable files that comes with the firmware. A pre- operational critical function test is implemented that verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file. The test is successful if it verifies that the specific file cannot be executed.SHA2-256PASS/FAIL console output
Entropy Source (start- up)Entropy Source (start- up)APT, RCTCASTStart-upn/aConsole output / output of entropy sourceOn power-up
Entropy Source (continuous)Entropy Source (continuous)APT, RCTCASTContinuousn/aConsole output / output of entropy sourceOn power-up
AES-CBC (A3693) EncryptAES-CBC (A3693) EncryptKATCASTEncryptKey Sizes: 128, 192, 256PASS/FAIL console outputOn power-up
AES-CBC (A3693) DecryptAES-CBC (A3693) DecryptKATCASTDecryptKey Sizes: 128, 192, 256PASS/FAIL console outputOn power-up
AES-CTR (A3693) EncryptAES-CTR (A3693) EncryptKATCASTEncryptKey Sizes: 128, 192, 256PASS/FAIL console outputOn power-up
AES-CTR (A3693) DecryptAES-CTR (A3693) DecryptKATCASTDecryptKey Sizes: 128, 192, 256PASS/FAIL console outputOn power-up
HMAC DRBG (A3693)HMAC DRBG (A3693)KATCASTInstantiate, reseed, and generate.SHA2-256PASS/FAIL console outputOn power-up
KAS-ECC-SSC Sp800-56Ar3 (A3610)KAS-ECC-SSC Sp800-56Ar3 (A3610)KATCASTDerivation of the expected shared secretP-256 (SHA 256) P-384 (SHA 384) P- 521 (SHA 512)PASS/FAIL console outputOn power-up
ECDSA SigGen (FIPS186-4) (A3693)ECDSA SigGen (FIPS186-4) (A3693)KATCASTSignP-256, P-384, P-521PASS/FAIL console outputOn power-up
ECDSA SigVer (FIPS186-4) (A3693)ECDSA SigVer (FIPS186-4) (A3693)KATCASTVerifyP-256, P-384, P-521PASS/FAIL console outputOn power-up
HMAC-SHA-1 (A3693)HMAC-SHA-1 (A3693)KATCASTMACKey size: 160 bits, = 160PASS/FAIL console outputOn power-up
HMAC-SHA2- 256 (A3693)HMAC-SHA2- 256 (A3693)KATCASTMACKey size: 256 bits, = 256PASS/FAIL console outputOn power-up
HMAC-SHA2- 512 (A3693)HMAC-SHA2- 512 (A3693)KATCASTMACKey size: 512 bits, = 512PASS/FAIL console outputOn power-up
RSA SigGen (FIPS186-4) (A3693)RSA SigGen (FIPS186-4) (A3693)KATCASTSignRSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256PASS/FAIL console outputOn power-up
RSA SigVer (FIPS186-4) (A3693)RSA SigVer (FIPS186-4) (A3693)KATCASTVerifyRSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256PASS/FAIL console outputOn power-up
SHA-1 (A3693)SHA-1 (A3693)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-256 (A3693)SHA2-256 (A3693)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-384 (A3693)SHA2-384 (A3693)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-512 (A3693)SHA2-512 (A3693)KATCASTHashn/aPASS/FAIL console outputOn power-up
KDF SSH (A4271)KDF SSH (A4271)KATCASTKey derivationSHA-1, SHA2- 256, SHA2-384PASS/FAIL console outputOn power-up
SHA-1 (A3367)SHA-1 (A3367)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-256 (A3367)SHA2-256 (A3367)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-512 (A3367)SHA2-512 (A3367)KATCASTHashn/aPASS/FAIL console outputOn power-up
HMAC-SHA-1 (A3367)HMAC-SHA-1 (A3367)KATCASTMACKey size: 160 bits, = 160PASS/FAIL console outputOn power-up
HMAC-SHA2- 256 (A3367)HMAC-SHA2- 256 (A3367)KATCASTMACKey size: 256 bits, = 256PASS/FAIL console outputOn power-up
HMAC DRBG (A3493)HMAC DRBG (A3493)KATCASTHealth-tests initialise, re- seed, and generateSHA2-256PASS/FAIL console outputOn power-up
AES-CBC (A3493) EncryptAES-CBC (A3493) EncryptKATCASTEncryptKey Sizes: 128, 192, 256PASS/FAIL console outputOn power-up
AES-CBC (A3493) DecryptAES-CBC (A3493) DecryptKATCASTDecryptKey Sizes: 128, 192, 256PASS/FAIL console outputOn power-up
HMAC-SHA-1 (A3493)HMAC-SHA-1 (A3493)KATCASTMACKey size:160 bits, = 160PASS/FAIL console outputOn power-up
HMAC-SHA2- 256 (A3493)HMAC-SHA2- 256 (A3493)KATCASTMACKey size:256 bits, = 256PASS/FAIL console outputOn power-up
SHA-1 (A3493)SHA-1 (A3493)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-256 (A3493)SHA2-256 (A3493)KATCASTHashn/aPASS/FAIL console outputOn power-up
SHA2-512 (A3361)SHA2-512 (A3361)KATCASTHashn/aPASS/FAIL console outputOn power-up
ECDSA KeyGen (FIPS186-4) (A3693)ECDSA KeyGen (FIPS186-4) (A3693)PCTPCTGeneration and Verification of ECDSA signatureP-256, P-384, P-521Returned key/transition soft error stateOn key generation
RSA KeyGen (FIPS186-4) (A3693)RSA KeyGen (FIPS186-4) (A3693)PCTPCTGeneration and Verification of signatureRSA 2048, RSA 4096Returned key/transition soft error stateOn key generation
FW loadFW loadKATSW/FW LoadVerification of ECDSA signature on FWECDSA P-256 with SHA2-256PASS/FAIL console outputOn FW load
Manual SSP entryManual SSP entryDuplicate entryManual EntryDuplicate entryPASS/FAIL console outputOn manual, direct entry of SSP
Firmware Integrity checkFirmware Integrity checkKATSW/FW IntegrityOn demandManually
Critical functions testCritical functions testKATCritical FunctionOn demandManually
Entropy Source (start-up)Entropy Source (start-up)APT, RCTCASTOn demandManually
Entropy Source (continuous)Entropy Source (continuous)APT, RCTCASTContinuousAutomatically
AES-CBC (A3693) EncryptAES-CBC (A3693) EncryptKATCASTOn demandManually
AES-CBC (A3693) DecryptAES-CBC (A3693) DecryptKATCASTOn demandManually
10 Self-Tests

On power up or reset, the module performs the pre-operational self-tests and the indicated conditional cryptographic algorithm self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. The algorithms utilized in the

10.1 Pre-Operational Self-Tests

Table 21: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

Source (startup) n/a n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 55
4096 w/ SHA2256
4096 w/ SHA2256

n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 56

n/a n/a n/a n/a n/a n/a n/a n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 57
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsIndicatorConditions
SHA2-512 (A3361)SHA2-512 (A3361)KATCASTHashn/aPASS/FAIL console outputOn power-up
ECDSA KeyGen (FIPS186-4) (A3693)ECDSA KeyGen (FIPS186-4) (A3693)PCTPCTGeneration and Verification of ECDSA signatureP-256, P-384, P-521Returned key/transition soft error stateOn key generation
RSA KeyGen (FIPS186-4) (A3693)RSA KeyGen (FIPS186-4) (A3693)PCTPCTGeneration and Verification of signatureRSA 2048, RSA 4096Returned key/transition soft error stateOn key generation
FW loadFW loadKATSW/FW LoadVerification of ECDSA signature on FWECDSA P-256 with SHA2-256PASS/FAIL console outputOn FW load
Manual SSP entryManual SSP entryDuplicate entryManual EntryDuplicate entryPASS/FAIL console outputOn manual, direct entry of SSP
Firmware Integrity checkFirmware Integrity checkKATSW/FW IntegrityOn demandManually
Critical functions testCritical functions testKATCritical FunctionOn demandManually
Entropy Source (start-up)Entropy Source (start-up)APT, RCTCASTOn demandManually
Entropy Source (continuous)Entropy Source (continuous)APT, RCTCASTContinuousAutomatically
AES-CBC (A3693) EncryptAES-CBC (A3693) EncryptKATCASTOn demandManually
AES-CBC (A3693) DecryptAES-CBC (A3693) DecryptKATCASTOn demandManually
AES-CTR (A3693) EncryptAES-CTR (A3693) EncryptKATCASTOn demandManually
AES-CTR (A3693) DecryptAES-CTR (A3693) DecryptKATCASTOn demandManually
HMAC DRBG (A3693)HMAC DRBG (A3693)KATCASTOn demandManually
KAS-ECC-SSC Sp800-56Ar3 (A3610)KAS-ECC-SSC Sp800-56Ar3 (A3610)KATCASTOn demandManually
ECDSA SigGen (FIPS186-4) (A3693)ECDSA SigGen (FIPS186-4) (A3693)KATCASTOn demandManually
ECDSA SigVer (FIPS186-4) (A3693)ECDSA SigVer (FIPS186-4) (A3693)KATCASTOn demandManually
HMAC-SHA-1 (A3693)HMAC-SHA-1 (A3693)KATCASTOn demandManually
HMAC-SHA2-256 (A3693)HMAC-SHA2-256 (A3693)KATCASTOn demandManually
HMAC-SHA2-512 (A3693)HMAC-SHA2-512 (A3693)KATCASTOn demandManually
RSA SigGen (FIPS186-4) (A3693)RSA SigGen (FIPS186-4) (A3693)KATCASTOn demandManually
RSA SigVer (FIPS186-4) (A3693)RSA SigVer (FIPS186-4) (A3693)KATCASTOn demandManually
SHA-1 (A3693)SHA-1 (A3693)KATCASTOn demandManually
SHA2-256 (A3693)SHA2-256 (A3693)KATCASTOn demandManually
SHA2-384 (A3693)SHA2-384 (A3693)KATCASTOn demandManually
SHA2-512 (A3693)SHA2-512 (A3693)KATCASTOn demandManually
KDF SSH (A4271)KDF SSH (A4271)KATCASTOn demandManually
SHA-1 (A3367)SHA-1 (A3367)KATCASTOn demandManually
SHA2-256 (A3367)SHA2-256 (A3367)KATCASTOn demandManually
SHA2-512 (A3367)SHA2-512 (A3367)KATCASTOn demandManually
HMAC-SHA-1 (A3367)HMAC-SHA-1 (A3367)KATCASTOn power-upManually
HMAC-SHA2-256 (A3367)HMAC-SHA2-256 (A3367)KATCASTOn power-upManually
HMAC DRBG (A3493)HMAC DRBG (A3493)KATCASTOn power-upManually
AES-CBC (A3493) EncryptAES-CBC (A3493) EncryptKATCASTOn power-upManually
AES-CBC (A3493) DecryptAES-CBC (A3493) DecryptKATCASTOn power-upManually
HMAC-SHA-1 (A3493)HMAC-SHA-1 (A3493)KATCASTOn power-upManually
HMAC-SHA2-256 (A3493)HMAC-SHA2-256 (A3493)KATCASTOn power-upManually
SHA-1 (A3493)SHA-1 (A3493)KATCASTOn power-upManually
SHA2-256 (A3493)SHA2-256 (A3493)KATCASTOn power-upManually
SHA2-512 (A3361)SHA2-512 (A3361)KATCASTOn power-upManually
ECDSA KeyGen (FIPS186-4) (A3693)ECDSA KeyGen (FIPS186-4) (A3693)PCTPCTOn condition triggerAutomatic
RSA KeyGen (FIPS186-4) (A3693)RSA KeyGen (FIPS186-4) (A3693)PCTPCTOn condition triggerAutomatic
FW loadFW loadKATSW/FW LoadOn FW load requestAutomatic
Manual SSP entryManual SSP entryDuplicate entryManual EntryOn condition triggerAutomatic

n/a Table 22: Conditional Self-Tests

10.3 Periodic Self-Test Information

Table 23: Pre-Operational Periodic Information Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 58

Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 59
Service
NameDescriptionRole AccessIndicator
Critical Failure stateThe cryptographic module ceases to perform cryptographic operations, inhibits all data output, and provides status of the error via syslog messages and console status outputOn pre-operational self-test or CAST failureConsole status outputPower cycle
Soft Error StateA non-critical self-test failure occurs, causing a failure of the triggering operationPCT, firmware load test, continuous entropy health test failureConsole displays errorThe module processes the error, and resumes normal operation

Table 24: Conditional Periodic Information

10.4 Error States

Table 25: Error States Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 60

The module enters Critical Failure State upon failure of any pre-operational self-tests or CAST, causing the kernel to ‘panic‘ and all execution to halt. The only way to exit from this state is to reboot the module, which causes the self-tests to be repeated and pass successfully before the corresponding algorithms are usable.

10.5 Operator Initiation of Self-Tests

Self–tests that are performed at power-up are available on demand by power cycling the module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 61
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Before installation of module firmware, CO must first zeroize any module SSPs by following the instructions in Section 9.3. Once zeroization is complete, the CO must install the JUNOS firmware image on the device using the following CLI command: CO@host> request system software add /<image-path>/<image-filename> no-copy no-validate reboot. The image-filenames for the validated firmware are as follows: • • • • SRX1500: junos-srxentedge-x86-64-22.2R3-S1.9.tgz; SRX4100 and SRX4200: junos-srxmr-x86-64-22.2R3-S1.9.tgz; SRX4600: junos-srxhe-x86-64-22.2R3-S1.9.tgz; and SRX5400, SRX5600 and SRX5800: junos-vmhost-install-srx-x86-64-22.2R3-S1.9.tgz. Once the image is installed, the CO shall follow the instructions in Section 7.2 to apply the tamper seals to the module. Next, the CO shall proceed as follows:

  1. Enable the approved mode on the device. CO@host> set system fips level 2
  2. Set the root password. user@host# set system root-authentication plain-text-password New password: <type password here>
  3. Commit and reboot the device. CO@host# commit Once the module is rebooted and the integrity and self-tests have run successfully on initial power-on in, the module is operating in the approved mode of operation. The CO must create a backup image of the firmware to ensure it is also a approved mode Junos OS image by issuing the request system snapshot command. The show version command will display the version of the Junos OS on the device so that the CO can confirm it is the FIPS validated version. The CO should also verify the presence of the suffix string “:fips” in the cli prompt, indicating the module is operating in approved mode. IPsec, High Availability and TLS features are not enabled by default and must not be enabled for FIPS compliant usage of the module. . Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Page 62
11.2 Administrator Guidance

The Cryptographic Officer is the person responsible for enabling, configuring, monitoring, and maintaining the module in approved mode. The Cryptographic Officer securely installs Junos OS on the device, enables the approved of operation, establishes keys and passwords for other users and software modules, and initializes the device before network connection. The Cryptographic Officer can configure and monitor the module through a console or SSH connection.

11.3 Non-Administrator Guidance

No specific non-administrator guidance is required to operate the module.

11.4 Design and Rules

The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the approved mode; all other statements indicate a security rule implemented by the module. 1. 2. 3.

  1. The module clears previous authentications on power cycle. Power up self-tests do not require any operator action. Data output is inhibited during key generation, self-tests, zeroization, and error states. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  2. There are no restrictions on which SSPs are zeroized by the zeroization service.
  3. The module does not support a maintenance interface or role.
  4. The module does not output intermediate key values.
  5. The module requires two independent internal actions to be performed prior to outputting plaintext CSPs.
  6. The cryptographic officer must determine whether firmware being loaded is a legacy use of the firmware load service.
  7. The cryptographic officer must retain control of the module while zeroization is in process.
  8. IPsec, High Availability and TLS features must not be enabled.
11.5 Maintenance Requirements

No special maintenance requirements apply.

11.6 End of Life

When disposing of the cryptographic module, the CO shall perform the zeroize command described in Section 9.3. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Page 63
12 Mitigation of Other Attacks

The module does not implement mechanisms to mitigate other attacks beyond what is described in this security policy. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy

Referenced URLs