| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/17/2031 |
| Caveat | When installed, initialized and configured as specified in Section 11.1 of the Security Policy |
| Vendor | Juniper Networks, Inc |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3693 |
| AES-CTR | A3693 |
| ECDSA KeyGen (FIPS186-4) | A3693 |
| ECDSA KeyVer (FIPS186-4) | A3693 |
| ECDSA SigGen (FIPS186-4) | A3693 |
| ECDSA SigVer (FIPS186-4) | A3693 |
| HMAC-SHA-1 | A3693 |
| HMAC-SHA2-256 | A3693 |
| HMAC-SHA2-512 | A3693 |
| KAS-ECC-SSC Sp800- 56Ar3 | A3610 |
| RSA KeyGen (FIPS186- 4) | A3693 |
| RSA SigGen (FIPS186- 4) | A3693 |
| RSA SigVer (FIPS186-4) | A3693 |
| SHA-1 | A3693 |
| SHA2-256 | A3693 |
| SHA2-384 | A3693 |
| SHA2-512 | A3693 |
| HMAC DRBG | A3493 |
| HMAC-SHA2- 256 | A3493 |
| KDF SSH (CVL) | A4271 |
| HMAC-SHA-1 HMAC-SHA2- 256 HMAC-SHA2- 512 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | 7 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for Juniper Networks SRX Series Services Gateways
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Soft Error State</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i>"]
C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>Serial</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C4 --> I4 --> R4 --> E4
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C4,C5,C6 clue;
class I2,I3,I4,I5,I6 infer;
class R2,R3,R4,R5,R6 risk;
class E2,E3,E4,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Juniper Networks SRX Series Services Gateways
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Soft Error State</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Enc/Dec (SSH)<br/>Show status<br/>Local reset</i><br/>src: securityPolicy.services"]
C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>Serial</i><br/>src: securityPolicy.portsAndInterfaces"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C4 clueHigh;
class C5,C6 clueLow;Juniper Networks, Inc Juniper Networks SRX Series Services Gateways Version: Junos OS 22.2R3-S1 Prepared for: Juniper Networks, Inc.
www.juniper.net TERON LABS Prepared by: www.teronlabs.com Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| # | Section | Page |
|---|---|---|
| 1 | General | 7 |
| 1.1 | Overview | 7 |
| 1.2 | Security Levels | 7 |
| 2 | Cryptographic Module Specification | 8 |
| 2.1 | Description | 8 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 13 |
| 2.3 | Excluded Components | 14 |
| 2.4 | Modes of Operation | 15 |
| 2.5 | Algorithms | 15 |
| 2.6 | Security Function Implementations | 18 |
| 2.7 | Algorithm Specific Information | 21 |
| 2.8 | RBG and Entropy | 21 |
| 2.9 | Key Generation | 22 |
| 2.10 | Key Establishment | 22 |
| 2.11 | Industry Protocols | 22 |
| 3 | Cryptographic Module Interfaces | 23 |
| 3.1 | Ports and Interfaces | 23 |
| 4 | Roles, Services, and Authentication | 24 |
| 4.1 | Authentication Methods | 24 |
| 4.2 | Roles | 24 |
| 4.3 | Approved Services | 25 |
| 4.4 | Non-Approved Services | 28 |
| 4.5 | External Software/Firmware Loaded | 28 |
| 5 | Software/Firmware Security | 29 |
| 5.1 | Integrity Techniques | 29 |
| 5.2 | Initiate on Demand | 29 |
| 6 | Operational Environment | 30 |
| 6.1 | Operational Environment Type and Requirements | 30 |
| 6.2 | Configuration Settings and Restrictions | 30 |
| 7 | Physical Security | 31 |
| 7.1 | Mechanisms and Actions Required | 31 |
| 7.2 | User Placed Tamper Seals | 31 |
| 8 | Non-Invasive Security | 47 |
| 9 | Sensitive Security Parameters Management | 48 |
| 9.1 | Storage Areas | 48 |
| 9.2 | SSP Input-Output Methods | 48 |
| 9.3 | SSP Zeroization Methods | 48 |
| 9.4 | SSPs | 49 |
| 9.5 | Transitions | 53 |
| 10 | Self-Tests | 54 |
| 10.1 | Pre-Operational Self-Tests | 54 |
| 10.2 | Conditional Self-Tests | 54 |
| 10.3 | Periodic Self-Test Information | 57 |
| 10.4 | Error States | 59 |
| 10.5 | Operator Initiation of Self-Tests | 60 |
| 11 | Life-Cycle Assurance | 61 |
| 11.1 | Installation, Initialization, and Startup Procedures | 61 |
| 11.2 | Administrator Guidance | 62 |
| 11.3 | Non-Administrator Guidance | 62 |
| 11.4 | Design and Rules | 62 |
| 11.5 | Maintenance Requirements | 62 |
| 11.6 | End of Life | 62 |
| 12 | Mitigation of Other Attacks | 63 |
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Item | Page |
|---|---|
| Table 1: Security Levels | 7 |
| Table 2: Tested Module Identification – Hardware | 14 |
| Table 3: Modes List and Description | 15 |
| Table 4: Approved Algorithms - OpenSSL Approved Cryptographic Functions | 17 |
| Table 5: Approved Algorithms - Kernel Approved Cryptographic Functions | 17 |
| Table 6: Approved Algorithms - LibMD Approved Cryptographic Functions | 18 |
| Table 7: Approved Algorithms - OpenSSH Approved Cryptographic Functions | 18 |
| Table 8: Vendor-Affirmed Algorithms | 18 |
| Table 9: Security Function Implementations | 21 |
| Table 10: Entropy Certificates | 21 |
| Table 11: Ports and Interfaces | 23 |
| Table 12: Authentication Methods | 24 |
| Table 13: Roles | 24 |
| Table 14: Approved Services | 28 |
| Table 15: Mechanisms and Actions Required | 31 |
| Table 16: Storage Areas | 48 |
| Table 17: SSP Input-Output Methods | 48 |
| Table 18: SSP Zeroization Methods | 49 |
| Table 19: SSP Table 1 | 51 |
| Table 20: SSP Table 2 | 53 |
| Table 21: Pre-Operational Self-Tests | 54 |
| Table 22: Conditional Self-Tests | 57 |
| Table 23: Pre-Operational Periodic Information | 57 |
| Table 24: Conditional Periodic Information | 59 |
| Table 25: Error States | 59 |
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 2 |
| 2 | 2 | Cryptographic module specification | 2 |
| 3 | 3 | Cryptographic module interfaces | 2 |
| 4 | 4 | Roles, services, and authentication | 2 |
| 5 | 5 | Software/Firmware security | 2 |
| 6 | 6 | Operational environment | N/A |
| 7 | 7 | Physical security | 2 |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 2 |
| 10 | 10 | Self-tests | 2 |
| 11 | 11 | Life-cycle assurance | 2 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 2 |
This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks SRX Series Services Gateways consisting of the SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600 and SRX5800 models and running Junos OS 22.2R3-S1, hereafter referred to as the
The cryptographic module meets requirements applicable to Level 2 of FIPS 140-3. The table below shows the security levels claimed for each section of the security requirements. N/A N/A N/A Table 1: Security Levels Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Purpose and Use: The SRX Series Services Gateways are a series of secure routers that provide essential capabilities to connect, secure, and manage work force locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. Module Type: Hardware Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: This Security Policy covers the following models:
Figure 1
Figure 6
Figure 10
Figure 12
| Name | Model | Hardware Version | Firmware Version | Processor | Features |
|---|---|---|---|---|---|
| SRX1500 | SRX1500 | SRX1500 | JUNOS 22.2R3-S1.9 | Intel Xeon E3-1200 v2 | 12x1GbE ports; 4x1GbE SFP ports; 4x10GbE SFP ports; 2 PIM slots (not used in validation) |
| SRX4100 | SRX4100 | SRX4100 | JUNOS 22.2R3-S1.9 | Intel Xeon E5-2640 v4 | 8 x 1GbE/10GbE ports |
| SRX4200 | SRX4200 | SRX4200 | JUNOS 22.2R3-S1.9 | Intel Xeon E5-2640 v4 | 8 x 1GbE/10GbE ports |
| SRX4600 | SRX4600 | SRX4600 | JUNOS 22.2R3-S1.9 | Intel Xeon E5-2658 v4 | 8 x 1GbE/10Gb Ethernet SFP ports, 4 x 40/100Gb Ethernet QSFP21 ports |
| SRX5400 | SRX5400 | SRX5400 | JUNOS 22.2R3-S1.9 | Intel Xeon C5518, Intel Xeon E5-2658 v4, Intel Xeon CPU E5-2608L v3 | Routing Engine: SRX5K-RE3-128G Switch Control Board: SRX5K-SCB3 Service Processing Card: SRX5K-SPC- 4-15-320, SRX5K-SPC3 |
| SRX5600 | SRX5600 | SRX5600 | JUNOS 22.2R3-S1.9 | Intel Xeon C5518, Intel Xeon E5-2658 v4, Intel Xeon CPU E5-2608L v3 | Routing Engine: SRX5K-RE3-128G Switch Control Board: SRX5K-SCB3, SRX5K-SCB4 Service Processing Card: SRX5K-SPC- 4-15-320, SRX5K-SPC3 Module Interface Card: SRX5K-IOC4- 10G, SRX5K-MPC3-40G10G |
| SRX5800 | SRX5800 | SRX5800 | JUNOS 22.2R3-S1.9 | Intel Xeon C5518, Intel Xeon E5-2658 v4, Intel Xeon CPU E5-2608L v3 | Routing Engine: SRX5K-RE3-128n Switch Control Board: SRX5K-SCB3, SRX5K-SCB4 Service Processing Card: SRX5K-SPC- 4-15-320, SRX5K-SPC3 Module Interface Card: SRX5K-IOC4- 10G, SRX5K-MPC3-40G10G |
Tested Module Identification
Table 2: Tested Module Identification
No components are excluded from the requirements of FIPS 140-3. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Indicator | Type |
|---|---|---|---|
| JUNOS-FIPS- MODE | Approved mode of operation enabled by following the configuration commands in Section 11.1 | Suffix string :fips in the cli prompt | Approved |
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A3693 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CTR | A3693 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 Payload Length - Payload Length: 8-128 Increment 8 Supports Counter larger than maximum value - No Incremental Counter - Yes Counter Tests Performed - Yes | SP 800-38A |
| ECDSA KeyGen (FIPS186-4) | A3693 | Curve - P-256, P-384, P-521 Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A3693 | Curve - P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A3693 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A3693 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| HMAC-SHA-1 | A3693 | MAC - MAC: 160 Key Length - Key Length: 160 | FIPS 198-1 |
| HMAC-SHA2-256 | A3693 | MAC - MAC: 256 Key Length - Key Length: 256 | FIPS 198-1 |
| HMAC-SHA2-512 | A3693 | MAC - MAC: 512 Key Length - Key Length: 512 | FIPS 198-1 |
| KAS-ECC-SSC Sp800- 56Ar3 | A3610 | Domain Parameter Generation Methods - P-256, P- 384, P-521 Hash Function Z - SHA2-256, SHA2-384, SHA2- 512 Scheme - ephemeralUnified - KAS Role - initiator | SP 800-56A Rev. 3 |
| RSA KeyGen (FIPS186- 4) | A3693 | Key Generation Mode - B.3.3 Modulo - 2048, 4096 Primality Tests - Table C.2 Info Generated By Server - No Public Exponent Mode - Fixed Fixed Public Exponent - 010001 Private Key Format - Standard | FIPS 186-4 |
| RSA SigGen (FIPS186- 4) | A3693 | Signature Type - PKCS 1.5 Modulo - 2048, 4096 Hash Pair - Hash Algorithm - SHA2-256 | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A3693 | Signature Type - PKCS 1.5 Modulo - 2048, 4096 Hash Pair - Hash Algorithm - SHA2-256 Public Exponent Mode - Fixed Fixed Public Exponent - 010001 | FIPS 186-4 |
| SHA-1 | A3693 | Message Length - Message Length: 0-65536 Increment 8 Function - SHA1 | FIPS 180-4 |
| SHA2-256 | A3693 | Message Length - Message Length: 0-65536 Increment 8 Function - SHA2 | FIPS 180-4 |
| SHA2-384 | A3693 | Message Length - Message Length: 0-65536 Increment 8 Function - SHA2 | FIPS 180-4 |
| SHA2-512 | A3693 | Message Length - Message Length: 0-65536 Increment 8 Function - SHA2 | FIPS 180-4 |
| HMAC DRBG | A3493 | Prediction Resistance - Yes Supports Reseed - No Mode - SHA2-256 Entropy Input - Entropy Input: 256 Nonce - Nonce: 128 Personalization String Length - Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 256 Returned Bits - 1024 | SP 800-90A Rev. 1 |
| HMAC-SHA2- 256 | A3493 | MAC - MAC: 256 Key Length - Key Length: 160, 256 | FIPS 198-1 |
| SHA2-256 | A3493 | Message Length - Message Length: 0-51200 Increment 8 Function - SHA2 | FIPS 180-4 |
| SHA2-512 | A3361 | Message Length - Message Length: 0-51200 Increment 8 Function - SHA2 | FIPS 180-4 |
| HMAC-SHA-1 | A3367 | MAC - MAC: 160 Key Length - Key Length: 112, 160 | FIPS 198-1 |
| HMAC-SHA2- 256 | A3367 | MAC - MAC: 256 Key Length - Key Length: 160, 256 | FIPS 198-1 |
| SHA-1 | A3367 | Message Length - Message Length: 0-51200 Increment 8 Function - SHA1 | FIPS 180-4 |
| SHA2-256 | A3367 | Message Length - Message Length: 0-51200 Increment 8 Function - SHA2 | FIPS 180-4 |
| SHA2-512 | A3367 | Message Length - Message Length: 0-65536 Increment 8 Function - SHA2 | FIPS 180-4 |
| KDF SSH (CVL) | A4271 | Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2- 512 | SP 800-135 Rev. 1 |
Modes List and Description: JUNOS-FIPSMODE Table 3: Modes List and Description Once the module has been securely initialized following the instructions provided in Section 11.1, the module is in approved mode of operation. Failure to follow the secure initialization instructions results in the module being in a non-compliant state which is out of scope of the validation.
Approved Algorithms: Although the module may have been tested for additional algorithms or modes, only those listed below are utilized by the module. OpenSSL Approved Cryptographic Functions Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Table 4: Approved Algorithms - OpenSSL Approved Cryptographic Functions Kernel Approved Cryptographic Functions HMAC-SHA2256 Table 5: Approved Algorithms - Kernel Approved Cryptographic Functions LibMD Approved Cryptographic Functions HMAC-SHA2256 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Approved Functions | Type | Properties | ||
|---|---|---|---|---|---|---|
| CKG | Key type:Asymmetric | Junos 22.2R1 - OpenSSL | SP 800-133 Rev.2 Section 4, example 1 direct output from DRBG. | |||
| Enc/Dec (SSH) | Unauthenticated encryption for SSH | AES-CBC: (A3693) AES-CTR: (A3693) | BC-UnAuth | |||
| KAS-SSC (SSH) | Key Agreement Scheme Shared Secret Computation for SSH | KAS-ECC-SSC Sp800-56Ar3: (A3610) | KAS-SSC | |||
| ECDSA SigGen (SSH) | Signature Generation for peer authentication in SSH | ECDSA SigGen (FIPS186-4): (A3693) SHA2-256: (A3693) | DigSig-SigGen |
| Name | Description | Approved Functions | Type | Properties | ||
|---|---|---|---|---|---|---|
| CKG | Key type:Asymmetric | Junos 22.2R1 - OpenSSL | SP 800-133 Rev.2 Section 4, example 1 direct output from DRBG. | |||
| Enc/Dec (SSH) | Unauthenticated encryption for SSH | AES-CBC: (A3693) AES-CTR: (A3693) | BC-UnAuth | |||
| KAS-SSC (SSH) | Key Agreement Scheme Shared Secret Computation for SSH | KAS-ECC-SSC Sp800-56Ar3: (A3610) | KAS-SSC | |||
| ECDSA SigGen (SSH) | Signature Generation for peer authentication in SSH | ECDSA SigGen (FIPS186-4): (A3693) SHA2-256: (A3693) | DigSig-SigGen | |||
| ECDSA SigVer (SSH) | Signature Verification for peer authentication in SSH | ECDSA SigVer (FIPS186-4): (A3693) SHA2-256: (A3693) SHA2-384: (A3693) SHA2-512: (A3693) | DigSig-SigVer | |||
| MAC (SSH) | Message Authentication for SSH | HMAC-SHA-1: (A3693) SHA2-256: (A3693) HMAC-SHA2-512: (A3693) | MAC | |||
| KDF (SSH) | Key derivation Function for SSH | KDF SSH: (A4271) SHA-1: (A3693) SHA2-256: (A3693) SHA2-384: (A3693) | KAS-135KDF | |||
| SHA (LibMD) | Message Digest Generation | SHA-1: (A3367) SHA2-256: (A3367) SHA2-512: (A3367) | SHA | |||
| MAC (LibMD) | Message authentication | HMAC-SHA-1: (A3367) HMAC-SHA2-256: (A3367) | MAC | |||
| DRBG (Kernel) | Random Bit Generation | HMAC DRBG: (A3493) HMAC-SHA2-256: (A3493) SHA2-256: (A3493) | DRBG | |||
| SHA (Kernel) | Entropy source conditioning component | SHA2-512: (A3361) | SHA | |||
| ECDSA KeyGen (PKID) | ECDSA Key Generation used for SSH when authentication keys are internally generated | ECDSA KeyGen (FIPS186-4): (A3693) ECDSA KeyVer (FIPS186-4): (A3693) CKG: () Key type: | AsymKeyPair- KeyGen AsymKeyPair- KeyVer | |||
| RSA KeyGen (PKID) | RSA Key generation used for SSH when authentication keys are internally generated | RSA KeyGen (FIPS186-4): (A3693) CKG: () Key type: Asymmetric HMAC DRBG: (A3493) | AsymKeyPair- KeyGen | |||
| RSA SigGen (SSH) | RSA Signature Generation for SSH | RSA SigGen (FIPS186-4): (A3693) | DigSig-SigGen | |||
| RSA SigVer (SSH) | RSA Signature verification for SSH | RSA SigVer (FIPS186-4): (A3693) | DigSig-SigVer | |||
| Verify image | Verification of software image | ECDSA SigVer (FIPS186-4): (A3693) SHA2-256: (A3693) SHA2-384: (A3693) | DigSig-SigVer | |||
| Full KAS (SSH) | Full Key Agreement for SSH | KAS-ECC-SSC Sp800-56Ar3: (A3610) KDF SSH: (A4271) SHA-1: (A3693) SHA2-256: (A3693) SHA2-384: (A3693) | KAS-Full | |||
| KAS-ECC KeyGen (SSH) | KAS-ECC Key Pair Generation for SSH | ECDSA KeyGen (FIPS186-4): (A3693) ECDSA KeyVer (FIPS186-4): (A3693) CKG: () Key type: Asymmetric HMAC DRBG: (A3493) | AsymKeyPair- KeyGen AsymKeyPair- KeyVer | |||
| ENT | Entropy Source | SHA2-512: (A3361) | ENT-ESV |
Table 6: Approved Algorithms - LibMD Approved Cryptographic Functions OpenSSH Approved Cryptographic Functions Table 7: Approved Algorithms - OpenSSH Approved Cryptographic Functions Vendor-Affirmed Algorithms: Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.
The module implements the security functions listed in the following table. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
AsymKeyPairKeyGen AsymKeyPairKeyVer Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyVer Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| KTS (SSH) | Key transport using SSH as per IG D.G provisions | AES-CBC: (A3693) AES-CTR: (A3693) HMAC-SHA-1: (A3693) HMAC-SHA2-256: (A3693) HMAC-SHA2-512: (A3693) | KTS-Wrap | KTS:128, 256, 384, 521, 2048, 3072 or 4096 bits keys provide between 112 and 256 bits of encryption strength |
| Cert | Vendor Name | |
|---|---|---|
| Number | ||
| E56 | Juniper Networks |
Table 9: Security Function Implementations
The module includes RSA and ECDSA algorithms that have been validated using FIPS 186-4 CAVP tests, which are mathematically identical to FIPS 186-5 CAVP tests. Per IG C.K, all RSA and ECDSA algorithms implemented by the module are claimed compliant with FIPS 186-5. The module complies with IG C.F. RSA Key Generation, Signature Generation and Signature Verification have been tested and validated using CAVP testing for all implemented modulus lengths (2048, 3072 and 4096 bits). The number of Miller-Rabin tests used for primality testing as part of RSA Key Generation is consistent with Table C.3. The module implements the following Approved key agreement methods which have been CAVP tested and validated:
Table 10: Entropy Certificates N/A for this module. Non-Proprietary FIPS 140-3 Security Policy
| Name | Mode Method | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Protocol | Protocol | Key Exchange | Auth | Cipher | Integrity | ||||
| HMAC-SHA-1 HMAC-SHA2- 256 HMAC-SHA2- 512 | AES CBC 128/192/256 AES CTR 128/192/256 | SSHv2 | KAS-ECC (P-256, P-384, P-521) | RSA 2048 ECDSA P- 256 |
The entropy source is used to seed the module’s HMAC DRBG with the minimum required 256bits of entropy. Each 512-bit block of conditioned output from the entropy source contains 448 bits of entropy. The HMAC DRBG is used for all random data required by the module, including key generation. There are no initialization procedures required by the users of the module to operate the entropy source in a compliant manner. The module complies to the ESV Public Use document of the validated entropy source (Cert. E56).
The cryptographic module implements the key generation methods listed above in the Security Functions implementation table.
The cryptographic module implements the key establishment methods listed above in the Security Functions implementation table.
The cryptographic module supports the protocols listed below. No part of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. The SSH algorithms allow independent selection of key exchange, authentication, cipher, and integrity. In reference to the supported protocols table below, each column of options for a given protocol is independent and may be used in any viable combination. Juniper Networks ECDSA P256 HMAC-SHA2256 HMAC-SHA2512 Non-Proprietary FIPS 140-3 Security Policy
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| Ethernet (data) | Ethernet (data) | Data Input Data Output Control Input Status Output | LAN communications |
| Ethernet (mgmt.) | Ethernet (mgmt.) | Data Input Data Output Control Input Status Output | Remote management |
| Serial | Serial | Control Input Status Output | Local management |
| Reset Button | Reset Button | Control Input | Reset |
| ToD | ToD | Control Input Status Output | RJ-45 Time of Day Port |
| BITS | BITS | Control Input Status Output | BITS RJ-45 port |
| GPS | GPS | Control Input Status Output | 10 Mhz clock synchronization |
| PPS | PPS | Control Input Control Output | 1 pulse per second |
| Offline | Offline | Control Input | Offline button |
| LED | LED | Status Output | Status indicator lighting |
| Power | Power | Power | Power |
The following table maps each physical interface to one or more logical interface types defined in the FIPS 140-3 standard. Table 11: Ports and Interfaces Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Strength | Strength per Minute | |
|---|---|---|---|---|
| Password authentication | User and CO authentication via SSH or console. Minimum of 10 ASCII character passwords. | Probability of guessing: 1/(96^10) 1/1,000,000. | SHA (LibMD) | Timed access mechanism allows max of 10 attempts / min. Probability of guessing: 10/(96^10) 1/100,000. |
| Signature authentication | User/CO authentication via SSH. | Strength of signature algorithm, minimum 112-bits. Probability of success for random attempt: 1/(2^112) 1/1,000,000. | ECDSA SigVer (SSH) | A rate of 1 CPU cycle per failed authentication for the Intel Xeon E3-1200 v2 processor (4 cores, 3.1 GHz) allows for the probability of success by brute- force attack: 60 x 4 x 3.1 x 10^9 x 1/(2^112) 1/100,000. |
| Name | Role Access | Type | |
|---|---|---|---|
| User | Monitor | Role | Password authentication Signature authentication |
| Cryptographic Officer | CO | Role | Password authentication Signature authentication |
Table 12: Authentication Methods The module enforces the separation of roles using either password-based authentication or
Table 13: Roles The module supports two roles: Cryptographic Officer (CO) and User. The module supports rolebased operator authentication for assuming these roles, using methods specified in Section 4.1. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Configure security | Security relevant configuration | Cryptographic Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - CO-PW: W - User-PW: W - SSH-Priv: G,R,W | SHA (LibMD) MAC (LibMD) DRBG (Kernel) SHA (Kernel) ECDSA KeyGen (PKID) RSA KeyGen (PKID) ENT | :fips suffix in CLI prompt | CLI commands | Status |
| Configure | Non-security relevant configuration | Cryptographic Officer | None | None | CLI commands | Status |
| Show status | Show status | Cryptographic Officer User | None | None | CLI command | Status |
| Zeroize | Zeroize / destroy all CSPs | Cryptographic Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Seed: Z - HMAC DRBG Entropy Input: Z - SSH-DH- Shared-Secret: Z - SSH-Priv: Z - SSH-SEKs: Z - CO-PW: Z - User-PW: Z - SSH-PUB: Z - Auth-User Pub: | None | None | CLI command | None (completion indicator is implicitly provided by the module rebooting) |
| SSH connect | Initiate SSH connection for SSH monitoring and control (CLI) | Cryptographic Officer - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH-DH- Shared-Secret: G,E - SSH-DH-priv: G,E - SSH-SEKs: G,E - Auth-CO Pub: E - SSH-Priv: E - CO-PW: E - SSH-DH-PUB (self): G - SSH-DH-PUB (peer): E User - HMAC DRBG V value: E - HMAC DRBG Key value: E - HMAC DRBG Entropy Input: E - HMAC DRBG Seed: E - SSH-Priv: E - User-PW: E - SSH-DH- Shared-Secret: G,E - SSH-DH-priv: G,E | Enc/Dec (SSH) KAS-SSC (SSH) ECDSA SigGen (SSH) ECDSA SigVer (SSH) MAC (SSH) KDF (SSH) DRBG (Kernel) RSA SigGen (SSH) RSA SigVer (SSH) Full KAS (SSH) KAS-ECC KeyGen (SSH) ENT KTS (SSH) | :fips suffix in CLI prompt | SSH packets | SSH packets, status |
| Console access | Console monitoring and control (CLI) | Cryptographic Officer - CO-PW: E User - User-PW: R,E | None | None | CLI command | Status |
| Remote reset | Software initiated reset | Cryptographic Officer - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH-DH- Shared-Secret: Z - SSH-DH-priv: Z - SSH-SEKs: Z - SSH-DH-PUB (self): Z - SSH-DH-PUB (peer): Z | None | None | CLI command | Status |
| Local reset | Hardware reset or power cycle | Unauthenticated - HMAC DRBG V value: Z - HMAC DRBG Key value: Z - HMAC DRBG Entropy Input: Z - HMAC DRBG Seed: Z - SSH-DH- Shared-Secret: Z - SSH-SEKs: Z - SSH-DH-PUB (self): Z | None | None | Manual power cycle | Status |
| Traffic | Traffic requiring no cryptographic services | Unauthenticated | None | None | Traffic in | Traffic out |
| Load Image | Loading of firmware image | Cryptographic Officer - Root-CA: E - Package-CA: E | Verify image | :fips suffix in CLI prompt | CLI command | status |
| Perform self-tests | On-demand self- tests of all pre- operational and conditional algorithm self- tests | Cryptographic Officer User Unauthenticated | None | None | Local or remote reset | status |
| Show version | Show firmware version | Cryptographic Officer User | None | None | CLI command | Status |
The User role monitors the router via the console or SSH. The user role cannot change the
G,R,W Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Z Juniper Networks Non-Proprietary FIPS 140-3 Security Policy G,E G,E G,E G,E
E Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
algorithm selftests Table 14: Approved Services
The module includes a firmware load service to support necessary updates. Only the CO can install the new image using the CLI as described in Section 11.1. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
The cryptographic module implements an approved firmware integrity self-test that uses ECDSA P-256 with SHA2-256 to ensure the integrity of all Junos OS firmware components. The selftest is automatically run on power-up. It can also be run on demand by the module’s operator by power cycling the module. When the integrity check fails, the module enters an error state (kernel panic) which can only be exited by power-cycling the module.
The self-test is automatically run on power-up. It can also be run on demand by the module’s operator by power cycling the module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Type of Operational Environment: Non-Modifiable How Requirements are Satisfied: The module consists of hardware containing a non-modifiable operational environment as per the FIPS 140-3 definitions. It includes a firmware load service to support necessary updates. The loaded firmware is a complete image replacement and constitutes an entirely new module and version of Junos OS which would require a separate FIPS 140-3 validation.
There are no security rules, settings, or restrictions to the configuration of the operational environment beyond the initialization instructions to set the module in approved mode. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Mechanism | Inspection Frequency | Inspection Guidance | |||
|---|---|---|---|---|---|
| Tamper seals (part # JNPR-FIPS- TAMPER-LBLS) | Once per month by the Cryptographic Officer | Seals should be free of any tamper evidence. | |||
| Opaque metal enclosure. | n/a | n/a |
n/a n/a Table 15: Mechanisms and Actions Required The module’s physical embodiment is that of a multi-chip standalone device that meets Level 2 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel, and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Tamper-evident seals allow the operator to tell if the enclosure has been breached. These seals are not factory-installed and must be applied by the Cryptographic Officer. (Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) The tamper-evident seals shall be installed for the module to operate in approved mode. The Cryptographic Officer is responsible for securing and having control at all times of any unused seals and the direct control and observation of any changes to the module such as reconfigurations where the tamper-evident seals or security appliances are removed or installed to ensure the security of the module is maintained during such changes and the module is returned to an approved mode of operation. If the Cryptographic Officer observes tamper evidence, it shall be assumed that the device has been compromised. The Cryptographic Officer shall retain control of the module and perform zeroization of the module’s CSPs by following the steps in Section 9.3 and then follow the steps in Section 11.1 to place the module back into approved mode of operation.
The number of seals that need to be applied depends on the module model, as follows:
2 Tamper labels (#5 & #6) are used to cover the USB port and two tamper labels (#3 & #4) are
used to cover the High Availability port (Figure 4). Figure 15 - SRX1500 Front View: TEL 1 - 6
Figure 17 - SRX1500 Top - Rear View: TEL 7 Figure 18 - SRX1500 Bottom View: TEL 8, 9 & 10
Figure 19 - SRX1500 Right Side View: TEL 9 Figure 20 - SRX1500 Left Side View: TEL 10 SRX4100 & SRX4200 The placement of the tamper evident labels for the SRX4100 and SRX4200 are the same in that the outside of the devices is identical. Thirteen tamper-evident seals must be applied to the following locations:
Figure 22 - SRX4100 & SRX4200 Left-Side View: TEL 1 Figure 23 - SRX4100 & SRX4200 Right-Side View: TEL 2
Figure 25 - SRX4100 & SRX4200 Front View: TEL 6-11
Figure 28 - SRX4600 Top Front View: TEL 1, 3, 5, 7, 8
29 TEL #9 and TEL #10 wrap over the top and cover the back plate of each power supply
and the adjacent chassis edge. Each of TEL#11 to TEL #15 = wraps over the top and attaches to a fan cover. Figure 29 - SRX4600 Rear View: TEL 9-15 Figure 30 - SRX4600 Top Rear View: TEL 9
Figure 32 - SRX4600 Left Side View: TEL 11
Tamper-evident seals shall be applied to the following locations:
Figure 35 - SRX5400 Rear View: TEL 11-18 SRX5600 Tamper-evident seals must be applied to the following locations:
Figure 36 - SRX5600 Front View: TEL 1-11 Figure 37 - SRX5600 Rear View: TEL 12-20 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Figure 38 - SRX5600 USB Port: TEL 21 SRX5800 Tamper-evident seals shall be applied to the following locations:
One (1) Seal, Vertical: At the top of the case connecting the DC system pane to the mesh fan cover. Figure 39 - SRX5800 Front View: TEL 1-36 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Figure 40 - SRX5800 Rear View: TEL 37-41 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Figure 41 - SRX5800 Rear View: TEL 37,39,40-42 Surface Preparation: For all seal applications, the Cryptographic Officer should observe the following instructions:
Operator Responsible for Securing Unused Seals: The Cryptographic Officer is responsible for securing and having control at all times of any unused seals. Part Numbers: Tamper seals have part number JNPR-FIPS-TAMPER-LBLS. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
This section is not applicable, as there are currently no approved non-invasive mitigation techniques specified in ISO/IEC 19790:2012 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Type | Description |
|---|---|---|
| RAM | Dynamic | Random Access Memory |
| SSD | Dynamic | Solid-Stated Drive |
| Name | Type | From | To | |||
|---|---|---|---|---|---|---|
| Entry via SSH | Encrypted | Remote CO | RAM | Automated | Electronic | KTS (SSH) |
| Manual CLI entry | Plaintext | Local CO | RAM | Manual | Direct | |
| Entry via console | Plaintext | Local CO | RAM | Manual | Electronic | |
| Output via SSH | Encrypted | RAM | Remote CO | Automated | Electronic | KTS (SSH) |
| Output via console | Plaintext | RAM | Local CO | Manual | Direct | |
| Entry as part of KAS | Plaintext | Remote peer | RAM | Automated | Electronic | |
| Output as part of KAS | Plaintext | RAM | Remote peer | Automated | Electronic | |
| Pre-loaded | Plaintext | Manufacturer | SSD | Manual | Direct |
| Zeroization | Description | Rationale | Operator Initiation | |
|---|---|---|---|---|
| Method | ||||
| Reset | Zeroisation of SSPs in RAM via invocation of local or remote reset service | RAM is volatile and all data is lost when power is taken off. Zeroisation is practically instantaneous. | Yes, both User and CO, via invocation of Local Reset or Remote Reset services |
The table below lists the areas within the module’s cryptographic boundary where SSPs can be stored. Table 16: Storage Areas
The table below lists the method used by the module for the input and output of SSPs. Table 17: SSP Input-Output Methods
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Zeroization | Description | Rationale | Operator Initiation | |
|---|---|---|---|---|
| Method | ||||
| Zeroize CLI command | These command wipe clean all the SSPs/configs as well as the disk and installs a factory default firmware image | This command overwrites all data on disk and forces a power cycle | Yes, CO via invocation of zeroize CLI command | |
| Explicit zeroize function | Zeroisation of SSPs in memory when no longer needed | Use of explicit zeroisation function destroys SSP information immediately by overwriting memory area with zeroes | No. The operator cannot directly initiate this method. |
Table 18: SSP Zeroization Methods The CO can run the following commands to zeroize the approved mode SSPs:
| Name | Type | Description | Strength | Generation | Use | |
|---|---|---|---|---|---|---|
| HMAC DRBG V value | DRBG internal state - CSP | A critical value of the internal state of DRBG per IG D.L | 256 - 256 | DRBG (Kernel) | DRBG (Kernel) | |
| HMAC DRBG Key value | DRBG internal state - CSP | A critical value of the internal state of DRBG per IG D.L | 256 - 256 | DRBG (Kernel) | DRBG (Kernel) | |
| HMAC DRBG Entropy Input | Entropy source output - CSP | A critical value of the internal state of DRBG provided by entropy source | 256 - 256 | ENT | DRBG (Kernel) | |
| HMAC DRBG Seed | DRBG internal state - CSP | Seed material used to seed or reseed the HMAC DRBG | 256 - 256 | DRBG (Kernel) | DRBG (Kernel) | |
| SSH-DH- Shared- Secret | DH shared value - CSP | Shared DH value computed from the ephemeral DH key-pairs as part of SSH and used to derive session keys. P-256, P-384 and P-521 | 256, 384, 521 - 128, 192, 256 | KDF (SSH) | KAS-SSC (SSH) | |
| SSH-Priv | Asymmetric private key - CSP | SSH host authentication key (ECDSA or RSA) | 2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256 | ECDSA KeyGen (PKID) RSA KeyGen (PKID) | ECDSA SigGen (SSH) RSA SigGen (SSH) | |
| SSH-DH- priv | Asymmetric private key - CSP | SSH DH private key used in SSH. P-256, P- 384 and P-521 | 256, 384, 521 - 128, 192, 256 | KAS-ECC KeyGen (SSH) | KAS-SSC (SSH) | |
| SSH-SEKs | Symmetric Key - CSP | Session keys used with SSH-2. | 128, 192, 256 - 128, 192, 256 | KDF (SSH) | Enc/Dec (SSH) MAC (SSH) | |
| CO-PW | Authentication password - CSP | Password used to authenticate the CO | n/a - n/a | SHA (LibMD) | KTS (SSH) | |
| User-PW | Authentication password - CSP | Password used to authenticate the User. | n/a - n/a | KTS (SSH) | ||
| SSH-PUB | Asymmetric key - PSP | SSH Public Host Key | 2048, 256, 4096, 384, 521 - | ECDSA KeyGen (PKID) | ||
| 112,128, 152, 192, 256 | 112,128, 152, 192, 256 | RSA KeyGen (PKID) | ||||
| Auth-User Pub | Asymmetric key - PSP | SSH User Authentication Public Key | 2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256 | ECDSA SigVer (SSH) RSA SigVer (SSH) | KTS (SSH) | |
| Root-CA | Asymmetric key - PSP | JuniperRootCA. Used to verify the validity of the PackagCA | 256, 384 - 128, 196 | Verify image | ||
| Package- CA | Asymmetric key - PSP | Certificate that holds the public key of the signing key that was used to generate all the signatures used on the packages and signatures lists. | 256 - 128 | Verify image | ||
| SSH-DH- PUB (self) | Asymmetric key - PSP | SSH DH public key used for key establishment. P-256, P-384 and P-521 | 256, 384, 521 - 128, 192, 256 | KAS-ECC KeyGen (SSH) | KAS-SSC (SSH) | |
| SSH-DH- PUB (peer) | Asymmetric key - PSP | SSH DH public keys provided by protocol peer device and used with SSH for key establishment. P-256, P-384 and P-521. | 2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256 | KAS-SSC (SSH) | ||
| Auth-CO Pub | Asymmetric key - PSP | SSH CO Authentication Public Key | 2048, 256, 4096, 384, 521 - 112,128, 152, 192, 256 | ECDSA SigVer (SSH) RSA SigVer (SSH) |
SSH-DHSharedSecret SSH-DHpriv n/a - n/a n/a - n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
PackageCA SSH-DHPUB Table 19: SSP Table 1 Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Storage | Zeroization | Storage Duration | |
|---|---|---|---|---|
| HMAC DRBG V value | RAM:Plaintext | Reset | Until updated by HMAC_DRBG_Update() | |
| HMAC DRBG Key value | RAM:Plaintext | Reset | Until updated by HMAC_DRBG_Update() | |
| HMAC DRBG Entropy Input | RAM:Plaintext | Reset Explicit zeroize function | Until HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete | |
| HMAC DRBG Seed | RAM:Plaintext | Reset Explicit zeroize function | Until HMAC_Instantiate_Update() or HMAC_DRBG_Reseed() complete | |
| SSH-DH- Shared- Secret | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | |
| SSH-Priv | RAM:Plaintext SSD:Plaintext | Reset Zeroize CLI command Explicit zeroize function | Until SSH session termination | |
| SSH-DH- priv | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | |
| SSH-SEKs | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | |
| CO-PW | SSD:Encrypted RAM:Plaintext | Zeroize CLI command | Until authentication session termination | Manual CLI entry Entry via SSH Entry via console |
| User-PW | RAM:Plaintext SSD:Obfuscated | Zeroize CLI command | Until authentication session termination | Manual CLI entry Entry via SSH Entry via console |
| SSH-PUB | SSD:Plaintext | Zeroize CLI command | Output via SSH Output via console Output as part of KAS | |
| Auth-User Pub | SSD:Plaintext | Zeroize CLI command | Entry via SSH Entry via console | |
| Root-CA | SSD:Plaintext | Zeroize CLI command | Pre-loaded | |
| Package-CA | SSD:Plaintext | Zeroize CLI command | Pre-loaded | |
| SSH-DH- PUB (self) | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | Output as part of KAS |
| SSH-DH- PUB (peer) | RAM:Plaintext | Reset Explicit zeroize function | Until SSH session termination | Entry as part of KAS |
| Auth-CO Pub | Zeroize CLI command | Entry via SSH Entry via console |
SSH-DHSharedSecret SSH-DHpriv Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
The following transitions apply to algorithms used by this module: SHA-1: The SHA-1 hash algorithm will be non-Approved for all cryptographic purposes after December 31, 2030. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|
| Firmware Integrity check | Firmware Integrity check | KAT | SW/FW Integrity | ECDSA Verify | ECDSA P- 256 with SHA2-256 | PASS/FAIL console output | |
| Critical functions test | Critical functions test | KAT | Critical Function | The module implements a critical function that checks that any file that is executed is registered in a manifest of executable files that comes with the firmware. A pre- operational critical function test is implemented that verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file. The test is successful if it verifies that the specific file cannot be executed. | SHA2-256 | PASS/FAIL console output | |
| Entropy Source (start- up) | Entropy Source (start- up) | APT, RCT | CAST | Start-up | n/a | Console output / output of entropy source | On power-up |
| Entropy Source (continuous) | Entropy Source (continuous) | APT, RCT | CAST | Continuous | n/a | Console output / output of entropy source | On power-up |
| AES-CBC (A3693) Encrypt | AES-CBC (A3693) Encrypt | KAT | CAST | Encrypt | Key Sizes: 128, 192, 256 | PASS/FAIL console output | On power-up |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| Firmware Integrity check | Firmware Integrity check | KAT | SW/FW Integrity | ECDSA Verify | ECDSA P- 256 with SHA2-256 | PASS/FAIL console output | |||
| Critical functions test | Critical functions test | KAT | Critical Function | The module implements a critical function that checks that any file that is executed is registered in a manifest of executable files that comes with the firmware. A pre- operational critical function test is implemented that verifies the integrity of the operational environment is being enforced by having the kernel attempt to run a specific executable file that does not contain a hash in the manifest file. The test is successful if it verifies that the specific file cannot be executed. | SHA2-256 | PASS/FAIL console output | |||
| Entropy Source (start- up) | Entropy Source (start- up) | APT, RCT | CAST | Start-up | n/a | Console output / output of entropy source | On power-up | ||
| Entropy Source (continuous) | Entropy Source (continuous) | APT, RCT | CAST | Continuous | n/a | Console output / output of entropy source | On power-up | ||
| AES-CBC (A3693) Encrypt | AES-CBC (A3693) Encrypt | KAT | CAST | Encrypt | Key Sizes: 128, 192, 256 | PASS/FAIL console output | On power-up | ||
| AES-CBC (A3693) Decrypt | AES-CBC (A3693) Decrypt | KAT | CAST | Decrypt | Key Sizes: 128, 192, 256 | PASS/FAIL console output | On power-up | ||
| AES-CTR (A3693) Encrypt | AES-CTR (A3693) Encrypt | KAT | CAST | Encrypt | Key Sizes: 128, 192, 256 | PASS/FAIL console output | On power-up | ||
| AES-CTR (A3693) Decrypt | AES-CTR (A3693) Decrypt | KAT | CAST | Decrypt | Key Sizes: 128, 192, 256 | PASS/FAIL console output | On power-up | ||
| HMAC DRBG (A3693) | HMAC DRBG (A3693) | KAT | CAST | Instantiate, reseed, and generate. | SHA2-256 | PASS/FAIL console output | On power-up | ||
| KAS-ECC-SSC Sp800-56Ar3 (A3610) | KAS-ECC-SSC Sp800-56Ar3 (A3610) | KAT | CAST | Derivation of the expected shared secret | P-256 (SHA 256) P-384 (SHA 384) P- 521 (SHA 512) | PASS/FAIL console output | On power-up | ||
| ECDSA SigGen (FIPS186-4) (A3693) | ECDSA SigGen (FIPS186-4) (A3693) | KAT | CAST | Sign | P-256, P-384, P-521 | PASS/FAIL console output | On power-up | ||
| ECDSA SigVer (FIPS186-4) (A3693) | ECDSA SigVer (FIPS186-4) (A3693) | KAT | CAST | Verify | P-256, P-384, P-521 | PASS/FAIL console output | On power-up | ||
| HMAC-SHA-1 (A3693) | HMAC-SHA-1 (A3693) | KAT | CAST | MAC | Key size: 160 bits, = 160 | PASS/FAIL console output | On power-up | ||
| HMAC-SHA2- 256 (A3693) | HMAC-SHA2- 256 (A3693) | KAT | CAST | MAC | Key size: 256 bits, = 256 | PASS/FAIL console output | On power-up | ||
| HMAC-SHA2- 512 (A3693) | HMAC-SHA2- 512 (A3693) | KAT | CAST | MAC | Key size: 512 bits, = 512 | PASS/FAIL console output | On power-up | ||
| RSA SigGen (FIPS186-4) (A3693) | RSA SigGen (FIPS186-4) (A3693) | KAT | CAST | Sign | RSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256 | PASS/FAIL console output | On power-up | ||
| RSA SigVer (FIPS186-4) (A3693) | RSA SigVer (FIPS186-4) (A3693) | KAT | CAST | Verify | RSA 2048 w/ SHA2-256, RSA 4096 w/ SHA2- 256 | PASS/FAIL console output | On power-up | ||
| SHA-1 (A3693) | SHA-1 (A3693) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| SHA2-256 (A3693) | SHA2-256 (A3693) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| SHA2-384 (A3693) | SHA2-384 (A3693) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| SHA2-512 (A3693) | SHA2-512 (A3693) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| KDF SSH (A4271) | KDF SSH (A4271) | KAT | CAST | Key derivation | SHA-1, SHA2- 256, SHA2-384 | PASS/FAIL console output | On power-up | ||
| SHA-1 (A3367) | SHA-1 (A3367) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| SHA2-256 (A3367) | SHA2-256 (A3367) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| SHA2-512 (A3367) | SHA2-512 (A3367) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| HMAC-SHA-1 (A3367) | HMAC-SHA-1 (A3367) | KAT | CAST | MAC | Key size: 160 bits, = 160 | PASS/FAIL console output | On power-up | ||
| HMAC-SHA2- 256 (A3367) | HMAC-SHA2- 256 (A3367) | KAT | CAST | MAC | Key size: 256 bits, = 256 | PASS/FAIL console output | On power-up | ||
| HMAC DRBG (A3493) | HMAC DRBG (A3493) | KAT | CAST | Health-tests initialise, re- seed, and generate | SHA2-256 | PASS/FAIL console output | On power-up | ||
| AES-CBC (A3493) Encrypt | AES-CBC (A3493) Encrypt | KAT | CAST | Encrypt | Key Sizes: 128, 192, 256 | PASS/FAIL console output | On power-up | ||
| AES-CBC (A3493) Decrypt | AES-CBC (A3493) Decrypt | KAT | CAST | Decrypt | Key Sizes: 128, 192, 256 | PASS/FAIL console output | On power-up | ||
| HMAC-SHA-1 (A3493) | HMAC-SHA-1 (A3493) | KAT | CAST | MAC | Key size:160 bits, = 160 | PASS/FAIL console output | On power-up | ||
| HMAC-SHA2- 256 (A3493) | HMAC-SHA2- 256 (A3493) | KAT | CAST | MAC | Key size:256 bits, = 256 | PASS/FAIL console output | On power-up | ||
| SHA-1 (A3493) | SHA-1 (A3493) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| SHA2-256 (A3493) | SHA2-256 (A3493) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| SHA2-512 (A3361) | SHA2-512 (A3361) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| ECDSA KeyGen (FIPS186-4) (A3693) | ECDSA KeyGen (FIPS186-4) (A3693) | PCT | PCT | Generation and Verification of ECDSA signature | P-256, P-384, P-521 | Returned key/transition soft error state | On key generation | ||
| RSA KeyGen (FIPS186-4) (A3693) | RSA KeyGen (FIPS186-4) (A3693) | PCT | PCT | Generation and Verification of signature | RSA 2048, RSA 4096 | Returned key/transition soft error state | On key generation | ||
| FW load | FW load | KAT | SW/FW Load | Verification of ECDSA signature on FW | ECDSA P-256 with SHA2-256 | PASS/FAIL console output | On FW load | ||
| Manual SSP entry | Manual SSP entry | Duplicate entry | Manual Entry | Duplicate entry | PASS/FAIL console output | On manual, direct entry of SSP | |||
| Firmware Integrity check | Firmware Integrity check | KAT | SW/FW Integrity | On demand | Manually | ||||
| Critical functions test | Critical functions test | KAT | Critical Function | On demand | Manually | ||||
| Entropy Source (start-up) | Entropy Source (start-up) | APT, RCT | CAST | On demand | Manually | ||||
| Entropy Source (continuous) | Entropy Source (continuous) | APT, RCT | CAST | Continuous | Automatically | ||||
| AES-CBC (A3693) Encrypt | AES-CBC (A3693) Encrypt | KAT | CAST | On demand | Manually | ||||
| AES-CBC (A3693) Decrypt | AES-CBC (A3693) Decrypt | KAT | CAST | On demand | Manually |
On power up or reset, the module performs the pre-operational self-tests and the indicated conditional cryptographic algorithm self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. The algorithms utilized in the
Table 21: Pre-Operational Self-Tests
Source (startup) n/a n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
n/a n/a n/a n/a n/a n/a n/a n/a Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|---|---|
| SHA2-512 (A3361) | SHA2-512 (A3361) | KAT | CAST | Hash | n/a | PASS/FAIL console output | On power-up | ||
| ECDSA KeyGen (FIPS186-4) (A3693) | ECDSA KeyGen (FIPS186-4) (A3693) | PCT | PCT | Generation and Verification of ECDSA signature | P-256, P-384, P-521 | Returned key/transition soft error state | On key generation | ||
| RSA KeyGen (FIPS186-4) (A3693) | RSA KeyGen (FIPS186-4) (A3693) | PCT | PCT | Generation and Verification of signature | RSA 2048, RSA 4096 | Returned key/transition soft error state | On key generation | ||
| FW load | FW load | KAT | SW/FW Load | Verification of ECDSA signature on FW | ECDSA P-256 with SHA2-256 | PASS/FAIL console output | On FW load | ||
| Manual SSP entry | Manual SSP entry | Duplicate entry | Manual Entry | Duplicate entry | PASS/FAIL console output | On manual, direct entry of SSP | |||
| Firmware Integrity check | Firmware Integrity check | KAT | SW/FW Integrity | On demand | Manually | ||||
| Critical functions test | Critical functions test | KAT | Critical Function | On demand | Manually | ||||
| Entropy Source (start-up) | Entropy Source (start-up) | APT, RCT | CAST | On demand | Manually | ||||
| Entropy Source (continuous) | Entropy Source (continuous) | APT, RCT | CAST | Continuous | Automatically | ||||
| AES-CBC (A3693) Encrypt | AES-CBC (A3693) Encrypt | KAT | CAST | On demand | Manually | ||||
| AES-CBC (A3693) Decrypt | AES-CBC (A3693) Decrypt | KAT | CAST | On demand | Manually | ||||
| AES-CTR (A3693) Encrypt | AES-CTR (A3693) Encrypt | KAT | CAST | On demand | Manually | ||||
| AES-CTR (A3693) Decrypt | AES-CTR (A3693) Decrypt | KAT | CAST | On demand | Manually | ||||
| HMAC DRBG (A3693) | HMAC DRBG (A3693) | KAT | CAST | On demand | Manually | ||||
| KAS-ECC-SSC Sp800-56Ar3 (A3610) | KAS-ECC-SSC Sp800-56Ar3 (A3610) | KAT | CAST | On demand | Manually | ||||
| ECDSA SigGen (FIPS186-4) (A3693) | ECDSA SigGen (FIPS186-4) (A3693) | KAT | CAST | On demand | Manually | ||||
| ECDSA SigVer (FIPS186-4) (A3693) | ECDSA SigVer (FIPS186-4) (A3693) | KAT | CAST | On demand | Manually | ||||
| HMAC-SHA-1 (A3693) | HMAC-SHA-1 (A3693) | KAT | CAST | On demand | Manually | ||||
| HMAC-SHA2-256 (A3693) | HMAC-SHA2-256 (A3693) | KAT | CAST | On demand | Manually | ||||
| HMAC-SHA2-512 (A3693) | HMAC-SHA2-512 (A3693) | KAT | CAST | On demand | Manually | ||||
| RSA SigGen (FIPS186-4) (A3693) | RSA SigGen (FIPS186-4) (A3693) | KAT | CAST | On demand | Manually | ||||
| RSA SigVer (FIPS186-4) (A3693) | RSA SigVer (FIPS186-4) (A3693) | KAT | CAST | On demand | Manually | ||||
| SHA-1 (A3693) | SHA-1 (A3693) | KAT | CAST | On demand | Manually | ||||
| SHA2-256 (A3693) | SHA2-256 (A3693) | KAT | CAST | On demand | Manually | ||||
| SHA2-384 (A3693) | SHA2-384 (A3693) | KAT | CAST | On demand | Manually | ||||
| SHA2-512 (A3693) | SHA2-512 (A3693) | KAT | CAST | On demand | Manually | ||||
| KDF SSH (A4271) | KDF SSH (A4271) | KAT | CAST | On demand | Manually | ||||
| SHA-1 (A3367) | SHA-1 (A3367) | KAT | CAST | On demand | Manually | ||||
| SHA2-256 (A3367) | SHA2-256 (A3367) | KAT | CAST | On demand | Manually | ||||
| SHA2-512 (A3367) | SHA2-512 (A3367) | KAT | CAST | On demand | Manually | ||||
| HMAC-SHA-1 (A3367) | HMAC-SHA-1 (A3367) | KAT | CAST | On power-up | Manually | ||||
| HMAC-SHA2-256 (A3367) | HMAC-SHA2-256 (A3367) | KAT | CAST | On power-up | Manually | ||||
| HMAC DRBG (A3493) | HMAC DRBG (A3493) | KAT | CAST | On power-up | Manually | ||||
| AES-CBC (A3493) Encrypt | AES-CBC (A3493) Encrypt | KAT | CAST | On power-up | Manually | ||||
| AES-CBC (A3493) Decrypt | AES-CBC (A3493) Decrypt | KAT | CAST | On power-up | Manually | ||||
| HMAC-SHA-1 (A3493) | HMAC-SHA-1 (A3493) | KAT | CAST | On power-up | Manually | ||||
| HMAC-SHA2-256 (A3493) | HMAC-SHA2-256 (A3493) | KAT | CAST | On power-up | Manually | ||||
| SHA-1 (A3493) | SHA-1 (A3493) | KAT | CAST | On power-up | Manually | ||||
| SHA2-256 (A3493) | SHA2-256 (A3493) | KAT | CAST | On power-up | Manually | ||||
| SHA2-512 (A3361) | SHA2-512 (A3361) | KAT | CAST | On power-up | Manually | ||||
| ECDSA KeyGen (FIPS186-4) (A3693) | ECDSA KeyGen (FIPS186-4) (A3693) | PCT | PCT | On condition trigger | Automatic | ||||
| RSA KeyGen (FIPS186-4) (A3693) | RSA KeyGen (FIPS186-4) (A3693) | PCT | PCT | On condition trigger | Automatic | ||||
| FW load | FW load | KAT | SW/FW Load | On FW load request | Automatic | ||||
| Manual SSP entry | Manual SSP entry | Duplicate entry | Manual Entry | On condition trigger | Automatic |
n/a Table 22: Conditional Self-Tests
Table 23: Pre-Operational Periodic Information Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Critical Failure state | The cryptographic module ceases to perform cryptographic operations, inhibits all data output, and provides status of the error via syslog messages and console status output | On pre-operational self-test or CAST failure | Console status output | Power cycle |
| Soft Error State | A non-critical self-test failure occurs, causing a failure of the triggering operation | PCT, firmware load test, continuous entropy health test failure | Console displays error | The module processes the error, and resumes normal operation |
Table 24: Conditional Periodic Information
Table 25: Error States Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
The module enters Critical Failure State upon failure of any pre-operational self-tests or CAST, causing the kernel to ‘panic‘ and all execution to halt. The only way to exit from this state is to reboot the module, which causes the self-tests to be repeated and pass successfully before the corresponding algorithms are usable.
Self–tests that are performed at power-up are available on demand by power cycling the module. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
Before installation of module firmware, CO must first zeroize any module SSPs by following the instructions in Section 9.3. Once zeroization is complete, the CO must install the JUNOS firmware image on the device using the following CLI command: CO@host> request system software add /<image-path>/<image-filename> no-copy no-validate reboot. The image-filenames for the validated firmware are as follows: • • • • SRX1500: junos-srxentedge-x86-64-22.2R3-S1.9.tgz; SRX4100 and SRX4200: junos-srxmr-x86-64-22.2R3-S1.9.tgz; SRX4600: junos-srxhe-x86-64-22.2R3-S1.9.tgz; and SRX5400, SRX5600 and SRX5800: junos-vmhost-install-srx-x86-64-22.2R3-S1.9.tgz. Once the image is installed, the CO shall follow the instructions in Section 7.2 to apply the tamper seals to the module. Next, the CO shall proceed as follows:
The Cryptographic Officer is the person responsible for enabling, configuring, monitoring, and maintaining the module in approved mode. The Cryptographic Officer securely installs Junos OS on the device, enables the approved of operation, establishes keys and passwords for other users and software modules, and initializes the device before network connection. The Cryptographic Officer can configure and monitor the module through a console or SSH connection.
No specific non-administrator guidance is required to operate the module.
The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the approved mode; all other statements indicate a security rule implemented by the module. 1. 2. 3.
No special maintenance requirements apply.
When disposing of the cryptographic module, the CO shall perform the zeroize command described in Section 9.3. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy
The module does not implement mechanisms to mitigate other attacks beyond what is described in this security policy. Juniper Networks Non-Proprietary FIPS 140-3 Security Policy