| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/27/2031 |
| Caveat | When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Juniper Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3339 |
| AES-CTR | A3342 |
| ECDSA KeyGen (FIPS186-5) | A3342 |
| ECDSA KeyVer (FIPS186-5) | A3342 |
| ECDSA SigGen (FIPS186-5) | A3342 |
| ECDSA SigVer (FIPS186-5) | A3342 |
| HMAC DRBG | A3335 |
| HMAC-SHA-1 | A3342 |
| HMAC-SHA2-256 | A3335 |
| HMAC-SHA2-512 | A3342 |
| KAS-ECC-SSC Sp800-56Ar3 | A3342 |
| KAS-FFC-SSC Sp800-56Ar3 | A3342 |
| KDF IKEv1 (CVL) | A3343 |
| KDF IKEv2 (CVL) | A3343 |
| KDF SSH (CVL) | A3341 |
| RSA KeyGen (FIPS186-5) | A3342 |
| RSA SigGen (FIPS186-5) | A3342 |
| RSA SigVer (FIPS186-5) | A3342 |
| SHA-1 | A3342 |
| SHA2-256 | A3335 |
| SHA2-512 | A3335 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Juniper Networks vSRX 3.0 Virtual Firewall
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>IKEV<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Juniper Networks vSRX 3.0 Virtual Firewall
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Juniper Networks, Inc. Juniper Networks vSRX 3.0 Virtual Firewall Document Version 1.0
| # | Section | Page |
|---|---|---|
| 1 | General | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 5 |
| 2 | Cryptographic Module Specification | 6 |
| 2.1 | Description | 6 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 8 |
| 2.3 | Excluded Components | 8 |
| 2.4 | Modes of Operation | 8 |
| 2.5 | Algorithms | 9 |
| 2.6 | Security Function Implementations | 12 |
| 2.7 | Algorithm Specific Information | 17 |
| 2.8 | RBG and Entropy | 17 |
| 2.9 | Key Generation | 17 |
| 2.10 | Key Establishment | 17 |
| 2.11 | Industry Protocols | 18 |
| 3 | Cryptographic Module Interfaces | 18 |
| 3.1 | Ports and Interfaces | 18 |
| 4 | Roles, Services, and Authentication | 19 |
| 4.1 | Authentication Methods | 19 |
| 4.2 | Roles | 21 |
| 4.3 | Approved Services | 22 |
| 4.4 | Non-Approved Services | 36 |
| 4.5 | External Software/Firmware Loaded | 37 |
| 4.6 | Cryptographic Output Actions and Status | 37 |
| 5 | Software/Firmware Security | 37 |
| 5.1 | Integrity Techniques | 37 |
| 5.2 | Initiate on Demand | 37 |
| 5.3 | Additional Information | 37 |
| 6 | Operational Environment | 37 |
| 6.1 | Operational Environment Type and Requirements | 37 |
| 6.2 | Configuration Settings and Restrictions | 38 |
| 7 | Physical Security | 38 |
| 8 | Non-Invasive Security | 38 |
| 9 | Sensitive Security Parameters Management | 38 |
| 9.1 | Storage Areas | 38 |
| 9.2 | SSP Input-Output Methods | 38 |
| 9.3 | SSP Zeroization Methods | 39 |
| 9.4 | SSPs | 39 |
| 9.5 | Transitions | 48 |
| 10 | Self-Tests | 49 |
| 10.1 | Pre-Operational Self-Tests | 49 |
| 10.2 | Conditional Self-Tests | 49 |
| 10.3 | Periodic Self-Test Information | 55 |
| 10.4 | Error States | 57 |
| 10.5 | Operator Initiation of Self-Tests | 58 |
| 11 | Life-Cycle Assurance | 58 |
| 11.1 | Installation, Initialization, and Startup Procedures | 58 |
| 11.2 | Administrator Guidance | 61 |
| 11.3 | Non-Administrator Guidance | 61 |
| 11.4 | Design and Rules | 61 |
| 11.5 | Maintenance Requirements | 62 |
| 11.6 | End of Life | 62 |
| 12 | Mitigation of Other Attacks | 62 |
| 12.1 | Attack List | 62 |
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 8 |
| Table 3: Tested Operational Environments - Software, Firmware, Hybrid | 8 |
| Table 4: Modes List and Description | 9 |
| Table 5: Approved Algorithms | 11 |
| Table 6: Vendor-Affirmed Algorithms | 11 |
| Table 7: Non-Approved, Allowed Algorithms with No Security Claimed | 12 |
| Table 8: Non-Approved, Not Allowed Algorithms | 12 |
| Table 9: Security Function Implementations | 16 |
| Table 10: Entropy Certificates | 17 |
| Table 11: Entropy Sources | 17 |
| Table 12: Ports and Interfaces | 18 |
| Table 13: Authentication Methods | 20 |
| Table 14: Roles | 21 |
| Table 15: Approved Services | 36 |
| Table 16: Non-Approved Services | 36 |
| Table 17: Storage Areas | 38 |
| Table 18: SSP Input-Output Methods | 39 |
| Table 19: SSP Zeroization Methods | 39 |
| Table 20: SSP Table 1 | 44 |
| Table 21: SSP Table 2 | 48 |
| Table 22: Pre-Operational Self-Tests | 49 |
| Table 23: Conditional Self-Tests | 55 |
| Table 24: Pre-Operational Periodic Information | 55 |
| Table 25: Conditional Periodic Information | 57 |
| Table 26: Error States | 58 |
| Figure 1 – Block Diagram | 7 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 3 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 1 |
Federal Information Processing Standards Publication 140-3
Purpose and Use: The Juniper Networks vSRX 3.0 Virtual Firewall cryptographic module is comprised of the Junos OS 22.2R2-S2.3 software. The Juniper Networks vSRX 3.0 Virtual Firewall is a secure firewall that provides essential capabilities to connect, secure, and manage work force locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is depicted in Figure 1 below. The physical perimeter is defined as the outer edge of the hardware platform (server) on which the hypervisor and Juniper Networks vSRX 3.0 Virtual Firewall are installed. The cryptographic boundary is the Juniper vSRX 3.0 Virtual Firewall which is comprised of the Junos OS 22.2R2-S2.3 software. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the hardware platform on which it executes. Document Version 1.0
Figure 1
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| junos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ova | Junos OS 22.2R2- S2.3 | N/A | junos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ova | ECDSA P-256 with SHA2-256 | ||||||
| Junos OS 22.2R2-S2.3 | Junos OS 22.2R2-S2.3 | HP ProLiant DL380 Gen9 Server | Junos OS 22.2R2-S2.3 | Intel Xeon E5- 2660 v4 | No | VMware ESXi 7.0 | ||||
| Junos OS 22.2R2-S2.3 | Junos OS 22.2R2-S2.3 | PacStar 451 Server | Junos OS 22.2R2-S2.3 | Intel Xeon E- 2254ML | No | VMware ESXi 7.0 |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| junos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ova | Junos OS 22.2R2- S2.3 | N/A | junos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ova | ECDSA P-256 with SHA2-256 | ||||||
| Junos OS 22.2R2-S2.3 | Junos OS 22.2R2-S2.3 | HP ProLiant DL380 Gen9 Server | Junos OS 22.2R2-S2.3 | Intel Xeon E5- 2660 v4 | No | VMware ESXi 7.0 | ||||
| Junos OS 22.2R2-S2.3 | Junos OS 22.2R2-S2.3 | PacStar 451 Server | Junos OS 22.2R2-S2.3 | Intel Xeon E- 2254ML | No | VMware ESXi 7.0 |
Tested Module Identification
No components have been excluded from the cryptographic boundary of the module.
Modes List and Description: Document Version 1.0
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- Approved mode | * The cryptographic module supports a non- Approved mode of operation; * When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operation * The module must be zeroised to transition from the Approved mode to the non-Approved mode | global indicator (implicit indicator based on exclusion of string 'fips' from the command prompt) | Non- Approved |
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A3339 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC | A3342 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC | A3343 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CTR | A3342 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| ECDSA KeyGen (FIPS186-5) | A3342 | Curve - P-256, P-384, P-521 Secret Generation Mode - testing candidates | FIPS 186-5 |
| ECDSA KeyVer (FIPS186-5) | A3342 | Curve - P-256, P-384, P-521 | FIPS 186-5 |
| ECDSA SigGen (FIPS186-5) | A3342 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Component - No | FIPS 186-5 |
| ECDSA SigVer (FIPS186-5) | A3342 | Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-5 |
| HMAC DRBG | A3335 | Prediction Resistance - Yes Mode - SHA2-256 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A3342 | Key Length - Key Length: 160 | FIPS 198-1 |
| HMAC-SHA2-256 | A3335 | Key Length - Key Length: 160, 256 | FIPS 198-1 |
| HMAC-SHA2-256 | A3339 | Key Length - Key Length: 256 | FIPS 198-1 |
| HMAC-SHA2-256 | A3342 | Key Length - Key Length: 256 | FIPS 198-1 |
| HMAC-SHA2-256 | A3343 | Key Length - Key Length: 256 | FIPS 198-1 |
| HMAC-SHA2-512 | A3342 | Key Length - Key Length: 512 | FIPS 198-1 |
| KAS-ECC-SSC Sp800-56Ar3 | A3342 | Domain Parameter Generation Methods - P- 256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A3342 | Domain Parameter Generation Methods - FC, MODP-2048 Scheme - dhEphem - KAS Role - initiator | SP 800-56A Rev. 3 |
| KDF IKEv1 (CVL) | A3343 | Authentication Method - Digital Signature, Pre-shared Key Diffie-Hellman Shared Secret Length - Diffie- Hellman Shared Secret Length: 256, 384, 2048 Hash Algorithm - SHA2-256, SHA2-384 Preshared Key Length - Preshared Key Length: 8-256 Increment 8 | SP 800-135 Rev. 1 |
| KDF IKEv2 (CVL) | A3343 | Diffie-Hellman Shared Secret Length - Diffie- Hellman Shared Secret Length: 256, 384, 2048 Derived Keying Material Length - Derived Keying Material Length: 1136-2432 Increment 8 Hash Algorithm - SHA2-256, SHA2-384 | SP 800-135 Rev. 1 |
| KDF SSH (CVL) | A3341 | Cipher - AES-128, AES-192, AES-256, TDES Hash Algorithm - SHA-1, SHA2-256, SHA2- 384 | SP 800-135 Rev. 1 |
| RSA KeyGen (FIPS186-5) | A3342 | Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standard | FIPS 186-5 |
| RSA SigGen (FIPS186-5) | A3342 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5 | FIPS 186-5 |
| RSA SigVer (FIPS186-5) | A3342 | Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5 | FIPS 186-5 |
| Safe Primes Key Generation | A3342 | Safe Prime Groups - MODP-2048 | SP 800-56A Rev. 3 |
| Safe Primes Key Verification | A3342 | Safe Prime Groups - MODP-2048 | SP 800-56A Rev. 3 |
| SHA-1 | A3342 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A3335 | Message Length - Message Length: 0-51200 Increment 8 | FIPS 180-4 |
| SHA2-256 | A3339 | Message Length - Message Length: 8-51200 Increment 8 | FIPS 180-4 |
| SHA2-256 | A3342 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A3343 | Message Length - Message Length: 0-51200 Increment 8 | FIPS 180-4 |
| SHA2-512 | A3335 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-512 | A3340 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-512 | A3342 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
NonApproved NonApproved Table 4: Modes List and Description and the non-Approved mode of operation and vice versa. When switching from the nonApproved to the Approved mode, post zeroisation, the instructions in Section 11.1 Enabling the The module does not support a degraded mode of operation. Document Version 1.0
| Name | Properties | ||
|---|---|---|---|
| CKG - Section 4 | Key Type :Symmetric and Asymmetric | N/A | NIST SP800-133r2 Section 4: Symmetric key generation and Asymmetric seed generation using an unmodified output from an Approved DRBG (example 1); The module supports the following per NIST SP 800-133r2: 1. Section 5.1: Key Pairs for Digital Signature Schemes 2. Section 5.2: Key Pairs for Key Establishment 3. Section 6.2.1: Derivation of symmetric keys |
Table 5: Approved Algorithms Vendor-Affirmed Algorithms: N/A Table 6: Vendor-Affirmed Algorithms Document Version 1.0
| Name | Description | Approved Functions | Type | Properties | |
|---|---|---|---|---|---|
| SHA2-256 (Junos 22.2R2- S2.3 - LibMD Implementation) | Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to "obfuscate" a CSP | no security claimed | |||
| SHA-1 (Junos 22.2R2- S2.3 - Kernel Implementation) | Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevant | no security claimed | |||
| RSA with key size less than 2048 | SSH | ||||
| ECDSA with ed25519 curve | SSH | ||||
| EC Diffie-Hellman with ed25519 curve | SSH | ||||
| ARCFOUR | SSH | ||||
| Blowfish | SSH | ||||
| CAST | SSH | ||||
| DSA (SignGen, SigVer, non-compliant) | SSH | ||||
| HMAC-MD5 | SSH | ||||
| HMAC-RIPEMD160 | SSH | ||||
| UMAC | SSH | ||||
| KAS1 | Key Agreement for SSHv2 | KAS-ECC-SSC Sp800-56Ar3: (A3342) KDF SSH: | CKG KAS-135KDF KAS-Full KAS-SSC | IG: IG D.F Scenario 2, path (2), split Key |
| Name | Description | Approved Functions | Type | Properties | |
|---|---|---|---|---|---|
| SHA2-256 (Junos 22.2R2- S2.3 - LibMD Implementation) | Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to "obfuscate" a CSP | no security claimed | |||
| SHA-1 (Junos 22.2R2- S2.3 - Kernel Implementation) | Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevant | no security claimed | |||
| RSA with key size less than 2048 | SSH | ||||
| ECDSA with ed25519 curve | SSH | ||||
| EC Diffie-Hellman with ed25519 curve | SSH | ||||
| ARCFOUR | SSH | ||||
| Blowfish | SSH | ||||
| CAST | SSH | ||||
| DSA (SignGen, SigVer, non-compliant) | SSH | ||||
| HMAC-MD5 | SSH | ||||
| HMAC-RIPEMD160 | SSH | ||||
| UMAC | SSH | ||||
| KAS1 | Key Agreement for SSHv2 | KAS-ECC-SSC Sp800-56Ar3: (A3342) KDF SSH: | CKG KAS-135KDF KAS-Full KAS-SSC | IG: IG D.F Scenario 2, path (2), split Key |
| Name | Description | Approved Functions | Type | Properties | |
|---|---|---|---|---|---|
| SHA2-256 (Junos 22.2R2- S2.3 - LibMD Implementation) | Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to "obfuscate" a CSP | no security claimed | |||
| SHA-1 (Junos 22.2R2- S2.3 - Kernel Implementation) | Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevant | no security claimed | |||
| RSA with key size less than 2048 | SSH | ||||
| ECDSA with ed25519 curve | SSH | ||||
| EC Diffie-Hellman with ed25519 curve | SSH | ||||
| ARCFOUR | SSH | ||||
| Blowfish | SSH | ||||
| CAST | SSH | ||||
| DSA (SignGen, SigVer, non-compliant) | SSH | ||||
| HMAC-MD5 | SSH | ||||
| HMAC-RIPEMD160 | SSH | ||||
| UMAC | SSH | ||||
| KAS1 | Key Agreement for SSHv2 | KAS-ECC-SSC Sp800-56Ar3: (A3342) KDF SSH: | CKG KAS-135KDF KAS-Full KAS-SSC | IG: IG D.F Scenario 2, path (2), split Key |
The module does not support any non-Approved algorithms in the Approved mode, i.e., it does Operation, all Approved algorithms supported in the Approved mode of operation are also Document Version 1.0
| Name | Description | Role Access | Approved Functions | Type |
|---|---|---|---|---|
| KAS2 | Key Agreement for SSHv2 | IG: IG D.F Scenario 2, path (2), split Key confirmation:no Key derivation: IG 2.4.B SP 800-135rev1 CVL Caveat:Key establishment methodology provides 112 bits of security strength | KAS-FFC-SSC Sp800-56Ar3: (A3342) KDF SSH: (A3341) Safe Primes Key Generation: (A3342) Safe Primes Key Verification: (A3342) CKG - Section 4: () Key Type : Symmetric and Asymmetric | CKG KAS-135KDF KAS-SSC |
| KTS1 | Key Transport for SSHv2 | Standard:SP 800-38F IG D.G: approved method from IG D.G Key confirmation:no Caveat:Key establishment methodology provides between 128 and 256 bits of security strength | AES-CBC: (A3342) AES-CTR: (A3342) HMAC-SHA-1: (A3342) HMAC-SHA2- 256: (A3342) HMAC-SHA2- 512: (A3342) SHA-1: (A3342) SHA2-256: (A3342) SHA2-512: (A3342) | KTS-Wrap |
| ECDSA SigVer | ECDSA Signature Verification used for identity- based public key authentication | FIPS 186-5:size: P-256, P-384, P- 521 curves, 128, 192 and 256 bits | ECDSA SigVer (FIPS186-5): (A3342) | DigSig-SigVer |
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| DRBG | Kernel DRBG providing random bits for SSP generation in the user/application space | HMAC DRBG: (A3335) HMAC-SHA2- 256: (A3335) SHA2-256: (A3335) | DRBG |
| Entropy Souce | Non-Physical Entropy Source | SHA2-512: (A3335) | ENT-Cond |
| ECDSA KeyGen | Generation of SSH host keys | ECDSA KeyGen (FIPS186-5): (A3342) CKG - Section 4: () Key Type : Symmetric and Asymmetric | AsymKeyPair- KeyGen CKG |
| ECDSA KeyGen2 | SSP Agreement in the context of SSH | ECDSA KeyGen (FIPS186-5): (A3342) CKG - Section 4: () Key Type : Symmetric and Asymmetric | AsymKeyPair- KeyGen CKG |
| ECDSA KeyVer | Verification of keys generated | ECDSA KeyVer (FIPS186-5): (A3342) | AsymKeyPair- KeyVer |
| ECDSA SigGen | Signature Generation using ECDSA in the context of SSH | ECDSA SigGen (FIPS186-5): (A3342) | DigSig-SigGen |
| RSA KeyGen | Generation of SSH host keys | RSA KeyGen (FIPS186-5): (A3342) CKG - Section 4: () Key Type : Symmetric and Asymmetric | AsymKeyPair- KeyGen CKG |
| RSA SigGen | Signature Generation using RSA in the context of SSH | RSA SigGen (FIPS186-5): (A3342) | DigSig-SigGen |
| RSA SigVer | Signature Verification using RSA for | RSA SigVer (FIPS186-5): (A3342) | DigSig-SigVer |
AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyVer AsymKeyPairKeyGen () () () Document Version 1.0
| Name | Description | Approved Functions | Type | |
|---|---|---|---|---|
| Password Hash | Used to store passwords in hashed form | SHA2-512: (A3340) | SHA | |
| KTS2 | Key Transport for IPsec | AES-CBC: (A3343, A3339) HMAC-SHA2- 256: (A3343, A3339) SHA2-256: (A3343, A3339) | KTS-Wrap | Standard:SP 800-38F IG D.G :approved method from IG D.G Key confirmation: no Caveat:Key establishment methodology provides between 128 and 256 bits of security strength |
| KAS3 | Key Agreement in the context of IPsec | KAS-FFC-SSC Sp800-56Ar3: (A3342) KDF IKEv1: (A3343) KDF IKEv2: (A3343) CKG - Section 4: () Key Type : Symmetric and Asymmetric Safe Primes Key Generation: (A3342) Safe Primes Key Verification: (A3342) | CKG KAS-135KDF KAS-Full KAS-SSC | IG :IG D.F Scenario 2, path (2), split Key confirmation :no Key derivation :IG 2.4.B SP 800-135rev1 CVL Caveat:Key establishment methodology provides 112 bits of security strength |
| CASTs on boot | List of algorithms for which Known Answer Tests (CASTs) have been implemented in the module and perform on each boot | AES-CBC: (A3342, A3343, A3339) HMAC-SHA-1: (A3342) HMAC-SHA2- 256: (A3342, A3335, A3343, A3339) HMAC-SHA2- 512: (A3342) | BC-Auth BC-UnAuth DigSig-SigGen DigSig-SigVer DRBG ENT-Cond KAS-135KDF KBKDF MAC SHA |
| Name | Description | Csps Accessed | Type | Properties |
|---|---|---|---|---|
| KAS4 | Key Agreement in the context of IPsec | KAS-ECC-SSC Sp800-56Ar3: (A3342) KDF IKEv1: (A3343) KDF IKEv2: (A3343) CKG - Section 4: () | CKG KAS-135KDF KAS-Full KAS-SSC | IG: IG D.F Scenario 2, path (2), split Key confirmation:no Key derivation: IG 2.4.B SP 800-135rev1 CVL Caveat :Key establishment methodology provides between 128 and 256 bits of security strength |
() Table 9: Security Function Implementations Document Version 1.0
| Name | Type | Strength | Operational Environment | Conditioning Component | |
|---|---|---|---|---|---|
| Junos OS Non- Physical Entropy Source | Non- Physical | 8 bits | Junos OS 22.2R2 on VMWare ESXi v7.0 with Intel(R) Xeon(R) CPU E5-2660 v4 (Broadwell) on HP ProLiant DL380 Gen9 Server; Junos OS 22.2R2 on VMWare ESXi v7.0 with Intel(R) Xeon(R) E- 2254ML (Coffee Lake) on PacStar 451 Server | 6.4 bits | SHA2-512 (CAVP Cert. #A3335) |
| Cert | Vendor Name | |
|---|---|---|
| Number | ||
| E56 | Juniper Networks |
The module only supports testable RSA moduli/key sizes (2048, 3072 and 4096 bits) and thus the requirements per FIPS 140-3 IG C.F do not apply.
Table 10: Entropy Certificates NonPhysical NonPhysical Table 11: Entropy Sources
The module implements an approved NIST SP 800-90Ar1 DRBG and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2 and 6.2.1.
Per IG D.F: The module implements full KAS (KAS-ECC-SSC, KAS-FFC-SSC per NIST SP 800-56Ar3 and KDF SSH/IKEv1/IKEv2 per NIST SP 800-135r1; IG D.F Scenario 2 (path 2 option 2, separate testing of the SSC and SP800-135r1 KDF). The KAS1, KAS2, KAS3 and KAS4 in the Security Functions Implementations Table 9 have been documented in accordance with this requirement: KAS1: KAS (KAS-ECC-SSC Cert. #A3342 and CVL Cert. #A3341; SSP establishment methodology provides between 128 and 256 bits of encryption strength) KAS2: KAS (KAS-FFC-SSC Cert.#A3342 and CVL Cert. #A3341; SSP establishment methodology provides 112 bits of encryption strength) Document Version 1.0
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | Virtual Ethernet Ports, Virtual Serial Ports |
| N/A | N/A | Data Output | Virtual Ethernet Ports, Virtual Serial Ports |
| N/A | N/A | Control Input | Virtual Ethernet Ports, Virtual Serial Ports |
| N/A | N/A | Status Output | Virtual Ethernet Ports, Virtual Serial Ports |
KAS3: KAS (KAS-FFC-SSC Cert.#A3342 and CVL Cert. #A3343; SSP establishment methodology provides 112 bits of encryption strength) KAS4: KAS (KAS-ECC-SSC Cert. #A3342 and CVL Cert. #A3343; SSP establishment methodology provides between 128 and 256 bits of encryption strength) The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC, KDF SSH, KDF IKEv1 and KDF IKEv2) as individual entries. Per IG D.G: The module supports the IETF SSH and IPsec protocols and thus implements key transport in the context of the protocols (per the KTS1 and KTS2 entries in the Security Functions Implementations Table 9). The module implements the approved KTS using approved AES modes:
No parts of the SSH and IPsec protocols, other than the KDF SSH and the KDF IKEv1/KDF IKEv2 for IPsec, have been tested by the CAVP or CMVP.
N/A N/A N/A N/A Table 12: Ports and Interfaces The module does not support control output. Document Version 1.0
| Name | Description | Strength | Security Mechanism | Strength per Minute |
|---|---|---|---|---|
| Username and password over the console and SSH | * The module enforces 10- character passwords (at minimum) chosen from the 96 human readable ASCII characters; The maximum password length is 20- characters; Thus, the probability of a successful random attempt is 1/(96^10), which is less than 1/1,000,000 (million); * The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced; Upon the third attempt, the module enforces a 5-second delay; Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g., 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20- second delay, 7th failed attempt = 25-second delay); This leads to a maximum of 7 possible attempts in a one-minute period for each getty; The best approach for the attacker would be to disconnect after 4 failed attempts and wait for a new getty to be spawned; This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour/60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts; The probability of a success with multiple consecutive attempts in | 1/(96^10) | SHA2-512 (A3340) | 9/(96^10) |
| Username and ECDSA public key over SSH | * The module supports ECDSA (P-256, P-384, and P-521), which has a minimum equivalent computational resistance to attack of either 2^128, 2^192 or 2^256 depending on the curve; Thus, the probability of a successful random attempt is 1/(2^128), which is less than 1/1,000,000 (million) * Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one- minute period is 15,000/(2^128), which is less than 1/100,000 | 1/(2^128) | ECDSA SigVer (FIPS186-5) (A3342) | 15,000/(2^128) |
| Username and RSA public key over SSH | * The module supports RSA (2048, 3072, 4096 bits), which has a minimum equivalent computational resistance to attack of 2^112 (2048 bits); Thus, the probability of a successful random attempt is 1/ (2^112), which is less than 1/1,000,000 (million) * Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one- minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one- minute period is 15,000/(2^112), which is less than 1/100,000 | 1/ (2^112) | RSA SigVer (FIPS186-5) (A3342) | 15,000/(2^112) |
1/ Table 13: Authentication Methods The module enforces the separation of roles using role-based operator authentication. The module implements two forms of identity-based authentication, username, and password over Document Version 1.0
| Name | Role Access | Type | |
|---|---|---|---|
| Super-user | Crypto Officer (CO) | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Operator | User | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Read-only | User | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Root | Crypto Officer (CO) | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
| Unauthorised | User | Identity | Username and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH |
the console and SSH connections, as well as username and an ECDSA or RSA public keybased authentication over SSHv2.
Table 14: Roles correspond to the User role. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. An operator assuming the Crypto Officer role configures and monitors the module via a console or SSH connection. As Root or Super-user, the Crypto Officer has permission to view and configure passwords and public keys within the module. The User role monitors the module via the console or SSH. The User role does not have the permission to modify the configuration. Document Version 1.0
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Configure security (security relevant) | Security relevant configuratio n (SSH, authenticati on data) | Root - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRBG V value: E - HMAC_DRBG Key value: E - HMAC_DRBG entropy input: E - HMAC_DRBG seed: E - SSH Public Host Key: G - User Authentication Public Keys: W - CO Authentication Public Keys: W Super-user - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRBG V value: E - | DRBG Entropy Souce ECDSA KeyGen ECDSA KeyGen2 RSA KeyGen Passwor d Hash | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Commands (SSH configuration: set system services ssh root-login allow) | Traffic |
| Configure (non- security relevant) | Non- security relevant configuratio n | Super-user - CO Password: E Root - CO Password: E | Passwor d Hash | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Commands (miscellaneous commands e.g., for IP address configuration, routing protocols, etc.) | Traffic |
| Show status | Query the module status | Super-user - CO Password: E Root - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorised - User Password: E | Passwor d Hash | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Command (show) | CLI output |
| Show status (LED) | LEDs on the module provide physical status output | Super-user Operator Read-only Unauthorised Root Unauthenticat ed | None | LED(s) on the chassis turned on | N/A | LED |
| Show module's versioning informatio n | Query the module's versioning information | Super-user - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorised - User Password: E Root - CO Password: E | Passwor d Hash | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Command (show version) | CLI output |
| Zeroise (Perform zeroisatio n) | Zeroise: Destroy all SSPs | Super-user - SSH Private Host Key: Z - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session Key: Z - User Password: Z - CO Password: E,Z - HMAC_DRBG V value: Z - HMAC_DRBG Key value: Z - HMAC_DRBG entropy input: Z - HMAC_DRBG | Passwor d Hash | successf ul deletion of virtual machine | Power (deletion of virtual machine) | N/A |
(nonsecurity Nonsecurity n s s E W W Document Version 1.0
s s Z A: Z Z Z Z - IKE-DHPUB: Z Document Version 1.0
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Perform approved security functions (SSH connectio n) | Initiate SSH connection for SSH monitoring and control (CLI) | Super-user - SSH Private Host Key: E - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z - HMAC_DRBG V value: E - HMAC_DRBG Key value: E - HMAC_DRBG entropy input: E - HMAC_DRBG seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: G - SSH DH Public Key: G,E,Z | KAS1 KAS2 KTS1 ECDSA SigVer DRBG Entropy Souce ECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen RSA SigVer Passwor d Hash | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Authentication data (Username and password/publi c-key based authentication) | SSH session |
n) s s Z Z - IKE-DHPUB: Z G,E,Z G,E,Z E G,E,Z G,E,Z Document Version 1.0
| Name | Description | Role Access | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Console Access | Console monitoring and control (CLI) | Super-user - CO Password: E Operator - CO Password: E Read-only - User Password: E Unauthorised - User Password: E Root - CO Password: E | Passwor d Hash | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Username, password (set system login user <username> class <crypto- officer/user class> operator authentication plaintext- password) | N/A |
| Perform self-tests (remote reset) | Software initiated reset, performs self-tests on | Super-user - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session | KAS1 KAS2 KTS1 DRBG Entropy Souce | Global Approved Mode indicator "fips" at the CLI | Control input/reset signal (request vmhost reboot) | N/A |
| demand via SSH | demand via SSH | Key: Z - HMAC_DRBG Key value: G,Z - HMAC_DRBG V value: G,Z - HMAC_DRBG entropy input: G,Z - HMAC_DRBG seed: G,Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: G,E,Z - SSH ECDH Public Key: G,E - SSH DH Public Key: G,E - CO Password: E - Software Integrity Key: E - SSH Private Host Key: E - SSH Public Host Key: E - User Authentication Public Keys: E - CO Authentication Public Keys: E Root - SSH ECDH Private Key: Z - SSH DH | ECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen Passwor d Hash CASTs on boot | combined with successf ul completio n of each service |
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Perform self-tests (local reset) | Hardware reset or power cycle | Super-user - Software Integrity Key: E Root - Software Integrity Key: E Operator - Software Integrity Key: E Read-only - Software Integrity Key: E Unauthorised - Software Integrity Key: E Unauthenticat ed - Software Integrity Key: E | CASTs on boot | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Control input/reset signal | N/A |
| Perform approved security functions (IPsec connectio n) | Initiate IPsec connection | Root - IKE-PSK: W,E - IKE-SKEYID: G,E,Z - IKE-SEK: G,E,Z - ESP-SEK: G,E,Z - IKE-DH-PRI: G,E,Z - IKE-DH- PUB: G,R,E,Z Super-user - IKE-PSK: W,E - IKE-SKEYID: G,E,Z - IKE-SEK: G,E,Z - ESP-SEK: G,E,Z | KTS2 KAS3 KAS4 | Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each service | Commands (set security ipsec security- association sa- name; * set interfaces <name> unit 0 family inet address <ip address>; * set security ike security- association sa- name) | IPsec session |
N/A n) ipsec securityassociation saname; * set securityassociation saname) s s E E E E E E W,E G,E,Z G,E,Z G,E,Z G,E,Z - IKE-DHPUB: G,R,E,Z W,E G,E,Z G,E,Z G,E,Z Document Version 1.0
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| Configure security (security relevant) | Security relevant configuration | Root, Super-user | RSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC |
| Perform approved security functions (SSH connection) | Initiate SSH connection for SSH monitoring and control (CLI) | Root, Super-user, Operator, Read-Only, Unauthorized | RSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC |
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| Configure security (security relevant) | Security relevant configuration | Root, Super-user | RSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC |
| Perform approved security functions (SSH connection) | Initiate SSH connection for SSH monitoring and control (CLI) | Root, Super-user, Operator, Read-Only, Unauthorized | RSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC |
s s G,E,Z - IKE-DHPUB: G,R,E,Z Table 15: Approved Services SigVer, noncompliant) HMACRIPEMD160 SigVer, noncompliant) HMACRIPEMD160 Table 16: Non-Approved Services Document Version 1.0
The module does not support software loading from an external source.
The module supports self-initiated cryptographic output in the context of the IPsec protocol and three independent configurations are required serving as three independent internal actions (two actions required at minimum):
The module performs the software integrity check using ECDSA P-256 with SHA2-256 (CAVP Cert. #A3342). The ECDSA P-256 public key used for signature verification is a non-SSP and stored persistently across reboots in the module’s Non-Volatile RAM (NVRAM) until zeroisation of the module.
The operator can initiate the integrity test on demand by rebooting the module.
The module software image is delivered in the form of a pre-compiled tarball (.ova).
Type of Operational Environment: Modifiable How Requirements are Satisfied: Document Version 1.0
| Name | Type | Description |
|---|---|---|
| NVRAM | Static | Non-Volatile Random Access Memory |
| RAM | Dynamic | Random Access Memory |
| Name | Type | From | To | |||
|---|---|---|---|---|---|---|
| Entered over SSH - NVRAM | Encrypted | External endpoint | NVRAM | Automated | Electronic | KTS1 |
| Loaded at manufacture | Plaintext | External endpoint | NVRAM | N/A | N/A | |
| Entered through the CLI via console | Plaintext | External endpoint | NVRAM | Manual | Direct |
The module contains a modifiable operational environment since the underlying hardware platform supports uncontrollable modifications to itself. The module contains the operating system Junos OS 22.2R2-S2.3.
Security rules and restrictions for configuration of the operational environment have been specified in Sections 11.1 and 11.4 of this document.
The requirements per this section do not apply since the module is of type software.
The module does not implement any non-invasive security mitigations and thus the requirements per this section do not apply to the module.
| Name | Type | From | To | ||
|---|---|---|---|---|---|
| Input during SSH negotiation | Plaintext | External endpoint | RAM | Automated | Electronic |
| Output during SSH negotiation (host key) | Plaintext | NVRAM | External endpoint | Automated | Electronic |
| Output during SSH negotiation (Key Agreement public key) | Plaintext | RAM | External endpoint | Automated | Electronic |
| Output during IPsec negotiation | Plaintext | RAM | External endpoint | Automated | Electronic |
| Zeroization | Description | Rationale | Operator | ||
|---|---|---|---|---|---|
| Method | Initiation | ||||
| Deletion of virtual instance | Deletion of the vSRX 3.0 instance | Used to provide zeroisation as a service | Operator initiated | ||
| Power-cycle | Power cycling the underlying host platform to zeroise temporary SSPs | Power cycling the underlying host platform to zeroise temporary SSPs | Operator initiated | ||
| Session termination | Termination of sessions automatically zeroises temporary SSPs used as part of the session | Termination of sessions automatically zeroises temporary SSPs used as part of the session | Module initiated | ||
| Derivation of session key | EC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of session key | EC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of session key | Module initiated |
Table 18: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/DE and AD/EE for SSPs entered via the module’s CLI via a direct connection to its serial/console port and for SSPs entered/output/established via SSH/IPsec respectively.
Table 19: SSP Zeroization Methods Document Version 1.0
| Name | Type | Description | Strength | |||
|---|---|---|---|---|---|---|
| SSH Private Host Key | Private Host Key - CSP | Host key generated, used for authenticatio n and encryption in the context of SSH | P-256 for ECDSA, 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSA | DRBG ECDSA KeyGen RSA KeyGen | KAS1 KAS2 | |
| SSH ECDH Private Key | ECDH Private Key - CSP | Ephemeral EC Diffie- Hellman private key used in SSH | KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits | DRBG ECDSA KeyGen2 | KAS1 | |
| SSH DH Private Key | DH Private Key - CSP | Ephemeral Diffie- Hellman private key used in SSH | 2048 bits for KAS- FFC-SSC - 112 bits for KAS- FFC-SSC | DRBG | KAS2 | |
| SSH Session Key | Session Key - CSP | SSH Session Key | 128 bits, 192 bits, 256 bits - 128 bits, 192 bits, 256 bits | KAS1 KAS2 | ||
| User Password | User Password - CSP | Passwords used to authenticate users to the module | 10-20 character s - 1/(96^10) per attempt, 9/(96^10) per minute | |||
| CO Password | CO Password - CSP | Passwords used to authenticate COs to the module | 10-20 character s - 1/(96^10) per attempt, 9/(96^10) per minute | |||
| HMAC_DRBG V value | Internal state of the DRBG - CSP | A critical value of the internal state of DRBG | 256 bits - 256 bits | DRBG | DRB G | |
| HMAC_DRBG Key value | Internal state of the DRBG - CSP | A critical value of the internal state of DRBG | 440 bits - 440 bits | DRBG | DRB G | |
| HMAC_DRBG entropy input | Entropy input to the HMAC_DRB G - CSP | Entropy input to the HMAC_DRB G | 512 bits - 448 bits | Entropy Souce | ||
| HMAC_DRBG seed | Seed provided to the HMAC_DRB G - CSP | Seed provided to the HMAC_DRB G | 512 bits - 440 bits | DRBG | DRB G | |
| ECDH Shared Secret | Shared secret - CSP | Used in EC Diffie- Hellman (ECDH) exchange | P-256, P- 384, P- 521 - 128 bits, 192 bits, 256 bits | KAS1 | ||
| DH Shared Secret | Shared secret - CSP | Used in Diffie- Hellman (DH) exchange | 2048 bits - 112 bits | KAS2 | ||
| HMAC Key | MAC key - CSP | MAC key | 128 bits and 256 bits - 128 bits and 256 bits | KAS1 KAS2 | ||
| SSH Public Host Key | Public key - PSP | Host key generated, used to identify the host. Also paired with the private key for authenticatio n and encryption in the context of SSH | P-256 for ECDSA and 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSA | DRBG ECDSA KeyGen RSA KeyGen |
EC DiffieHellman DiffieHellman KASECCSSC P256, P384, P512 - 128 Document Version 1.0
G G DiffieHellman DiffieHellman G G G Document Version 1.0
| Name | Type | Description | Strength |
|---|---|---|---|
| User Authentication Public Keys | Public key - PSP | Used to authenticate users to the module | P-256, P- 384, P- 521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA |
| CO Authentication Public Keys | Public key - PSP | Used to authenticate the CO to the module | P-256, P- 384, P- 521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA |
| JuniperRootC A | Public key certificate - Neither | ECDSA prime256v1 X.509 V3 Certificate Used to verify the validity of the PackagCA | ECDSA P-256 - 128 bits |
| PackageCA | Public key certificate - Neither | ECDSA prime256v1 X.509 V3 Certificate Certificate that holds the | ECDSA P-256 - 128 bits |
A P-256, P384, P521 for P-256, P384, P521 for Document Version 1.0
| Name | Type | Description | Strength | |||
|---|---|---|---|---|---|---|
| SSH ECDH Public Key | Public key - PSP | Ephemeral EC Diffie- Hellman public key used in SSH | KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC | DRBG ECDSA KeyGen2 | ||
| SSH DH Public Key | Public key - PSP | Ephemeral Diffie- Hellman public key used in SSH | 2048 bits for KAS- FFC-SSC - 112 bits for KAS- FFC-SSC | DRBG | ||
| Software Integrity Key | Public key - Neither | Public key used to perform the software integrity test on each boot | ECDSA P-256 - 128 bits | |||
| IKE-PSK | IKE Pre- Shared Key - CSP | Pre-Shared Key used to authenticate IKE connections | 256 bits - 256 bits | |||
| IKE-SKEYID | IKE shared secret - CSP | IKE secret used to derive IKE and IPsec ESP session keys | 256 bits - 256 bits | KAS3 KAS4 | KAS3 KAS4 | |
| IKE-SEK | IKE Session Key - CSP | IKE Session Keys. AES | AES: 128 bits, | KAS3 KAS4 | KTS2 | |
| (128 bits), HMAC (SHA- 256) | (128 bits), HMAC (SHA- 256) | HMAC: 256 bits - AES: 128 bits, HMAC: 256 bits | ||||
| ESP-SEK | ESP Session Key - CSP | ESP Session Keys. AES (128 bits), HMAC (SHA- 256) | AES: 128 bits, HMAC: 256 bits - AES: 128 bits, HMAC: 256 bits | KAS3 KAS4 | KTS2 | |
| IKE-DH-PRI | IKE Diffie- Hellman private key - CSP | Diffie- Hellman private key used in IKE | 2048 bits - 112 bits | KAS3 KAS4 | ||
| SSH ECDH Client Public Key | Public key - PSP | Ephemeral EC Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server) | KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC | |||
| SSH DH Client Public Key | Public key - PSP | Ephemeral Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server) | 2048 bits for KAS- FFC-SSC - 112 bits for KAS- FFC-SSC | |||
| IKE-DH-PUB | IKE Diffie- Hellman public key - PSP | Diffie- Hellman public key used in IKE | 2048 bits - 112 bits | KAS3 KAS4 |
EC DiffieHellman DiffieHellman KASECCSSC P256, P384, P512 - 128 KASECCSSC Document Version 1.0
HMAC (SHA256) HMAC (SHA256) DiffieHellman EC DiffieHellman DiffieHellman DiffieHellman KASECCSSC P256, P384, P512 - 128 KASECCSSC IKE DiffieHellman IKE DiffieHellman Table 20: SSP Table 1 Document Version 1.0
| Name | Storage | Zeroization | ||
|---|---|---|---|---|
| SSH Private Host Key | NVRAM:Plaintext | Deletion of virtual instance | ||
| SSH ECDH Private Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Until session terminatio n | |
| SSH DH Private Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Until session terminatio n | |
| SSH Session Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Until session terminatio n | |
| User Password | NVRAM:Obfuscate d | Deletion of virtual instance | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| CO Password | NVRAM:Obfuscate d | Deletion of virtual instance | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| HMAC_DRBG V value | RAM:Plaintext | Power- cycle | Until power- cycle | |
| HMAC_DRBG Key value | RAM:Plaintext | Power- cycle | Until power- cycle | |
| HMAC_DRBG entropy input | RAM:Plaintext | Power- cycle | Until power- cycle | |
| HMAC_DRBG seed | RAM:Plaintext | Power- cycle | Until power- cycle | |
| ECDH Shared Secret | RAM:Plaintext | Deletion of virtual instance Power- cycle Derivation of session key | Until SSH session key derivation | |
| DH Shared Secret | RAM:Plaintext | Deletion of virtual instance Power- cycle Derivation of session key | Until SSH session key derivation | |
| HMAC Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Until session terminatio n | |
| SSH Public Host Key | NVRAM:Plaintext | Deletion of virtual instance | Output during SSH negotiation (host key) | |
| User Authentication Public Keys | NVRAM:Plaintext | Deletion of virtual instance | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| CO Authentication Public Keys | NVRAM:Plaintext | Deletion of virtual instance | Entered over SSH - NVRAM | |
| JuniperRootC A | NVRAM:Plaintext | Deletion of virtual instance | Loaded at manufactur e | |
| PackageCA | NVRAM:Plaintext | Deletion of virtual instance | Loaded at manufactur e | |
| SSH ECDH Public Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Until session terminatio n | Output during SSH negotiation (Key Agreement public key) |
| SSH DH Public Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Until session terminatio n | Output during SSH negotiation (Key Agreement public key) |
| Software Integrity Key | NVRAM:Plaintext | Deletion of virtual instance | Loaded at manufactur e | |
| IKE-PSK | NVRAM:Plaintext | Deletion of virtual instance | Entered over SSH - NVRAM Entered through the CLI via console connection - NVRAM | |
| IKE-SKEYID | RAM:Plaintext | Derivation of session key | until session key derivation | |
| IKE-SEK | RAM:Plaintext | Deletion of virtual instance Power- cycle | until session terminatio n |
n n n d d n Powercycle Powercycle Powercycle powercycle Powercycle Document Version 1.0
powercycle powercycle powercycle n n Powercycle Powercycle Powercycle Powercycle Powercycle Powercycle Document Version 1.0
e e n n e A n n Powercycle Powercycle Powercycle Document Version 1.0
| Name | Storage | Zeroization | Input | ||
|---|---|---|---|---|---|
| ESP-SEK | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | until session terminatio n | ||
| IKE-DH-PRI | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | until session terminatio n | IKE-DH- PUB:Paire d With | |
| SSH ECDH Client Public Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Input during SSH negotiation | until session terminatio n | |
| SSH DH Client Public Key | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Input during SSH negotiation | until session terminatio n | |
| IKE-DH-PUB | RAM:Plaintext | Deletion of virtual instance Power- cycle Session termination | Output during IPsec negotiation | until session terminatio n | IKE-DH- PRI:Paired With |
n n n n n n Powercycle Powercycle Powercycle Powercycle Powercycle Table 21: SSP Table 2
Per the NIST SP 800-133Ar2/3 and the programmatic transitions defined by the CMVP, the following algorithm transitions apply to the module, and the algorithms have been designated allowed/non-approved accordingly in Section 2.5: Document Version 1.0
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator | Test Method |
|---|---|---|---|---|---|---|---|
| Software Integrity Test | Software Integrity Test | KAT | SW/FW Integrity | Verify | Using ECDSA P-256 with SHA2-256 | FIPS Self-tests Passed | |
| HMAC DRBG (A3335) | HMAC DRBG (A3335) | KAT | NIST 800-90 HMAC DRBG Known Answer Test : Passed | During boot | Prediction Resistance: Yes Supports Reseed Capabilities: Mode: SHA2- 256 Entropy Input: 256 Nonce: 128 Personalizati | N/A | CAST |
| HMAC- SHA2- 256 (A3335) | HMAC- SHA2- 256 (A3335) | KAT | HMAC- SHA2- 256 Known Answer Test : Passed | During boot | Key Length: 256 bits | N/A | CAST |
| AES- CBC (A3342) - Encrypt - 128 bits | AES- CBC (A3342) - Encrypt - 128 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key Length: 128 bits | Encrypt | CAST |
| AES- CBC (A3342) - Encrypt - 192 bits | AES- CBC (A3342) - Encrypt - 192 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key Length: 192 bits | Encrypt | CAST |
| AES- CBC (A3342) - Encrypt - 256 bits | AES- CBC (A3342) - Encrypt - 256 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key Length: 256 bits | Encrypt | CAST |
| AES- CBC (A3342) - Decrypt - 128 bits | AES- CBC (A3342) - Decrypt - 128 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key Length: 128 bits | Decrypt | CAST |
| AES- CBC (A3342) - Decrypt - 192 bits | AES- CBC (A3342) - Decrypt - 192 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key Length: 192 bits | Decrypt | CAST |
| AES- CBC (A3342) - Decrypt - 256 bits | AES- CBC (A3342) - Decrypt - 256 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key Length: 256 bits | Decrypt | CAST |
| HMAC- SHA-1 (A3342) | HMAC- SHA-1 (A3342) | KAT | HMAC- SHA-1 Known Answer Test : Passed | During boot | Key Length: 160 bits | N/A | CAST |
| HMAC- SHA2- 256 (A3342) | HMAC- SHA2- 256 (A3342) | KAT | HMAC- SHA2- 256 Known Answer Test : Passed | During boot | Key Length: 256 bits | N/A | CAST |
| HMAC- SHA2- 512 (A3342) | HMAC- SHA2- 512 (A3342) | KAT | HMAC- SHA2- 512 Known Answer Test : Passed | During boot | Key Length: 512 bits | N/A | CAST |
| KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-256 | KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-256 | KAT | KAS- ECC- EPHEM- UNIFIED -NOKC Known Answer Test: Passed | During boot | Domain Parameter Generation Methods: P- 256 | N/A | CAST |
| KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-384 | KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-384 | KAT | KAS- ECC- EPHEM- UNIFIED -NOKC Known Answer Test: Passed | During boot | Domain Parameter Generation Methods: P- 384 | N/A | CAST |
| KAS- FFC- SSC | KAS- FFC- SSC | KAT | KAS- FFC- EPHEM- | During boot | Domain Parameter Generation | N/A | CAST |
| Sp800- 56Ar3 (A3342) | Sp800- 56Ar3 (A3342) | NOKC Known Answer Test: Passed | Methods: MODP-2048 | ||||
| KDF SSH (A3341) | KDF SSH (A3341) | KAT | KDF- SSH- SHA2- 256 Known Answer Test: Passed | During boot | Cipher: AES- 128, AES- 192, AES- 256 ; Hash Algorithm: SHA-1, SHA2-256, SHA2-512 | N/A | CAST |
| RSA SigGen (FIPS18 6-5) (A3342) | RSA SigGen (FIPS18 6-5) (A3342) | KAT | RSA- SIGN Known Answer Test: Passed | During boot | Modulus 2048 bits SHA2-256 | Sign | CAST |
| RSA SigVer (FIPS18 6-5) (A3342) | RSA SigVer (FIPS18 6-5) (A3342) | KAT | RSA- VERIFY Known Answer Test: Passed | During boot | Modulus 2048 bits SHA2-256 | Verify | CAST |
| ECDSA SigGen (FIPS18 6-5) (A3342) | ECDSA SigGen (FIPS18 6-5) (A3342) | KAT | ECDSA- SIGN Known Answer Test: Passed | During boot | Curve: P-256 Hash Algorithm: SHA2-256 | Sign | CAST |
| ECDSA SigVer (FIPS18 6-5) (A3342) | ECDSA SigVer (FIPS18 6-5) (A3342) | KAT | ECDSA- VERIFY Known Answer Test: Passed | During boot | Curve: P-256 Hash Algorithm: SHA2-256 | Verify | CAST |
| SHA2- 512 (A3340) | SHA2- 512 (A3340) | KAT | SHA-2- 512 Known Answer Test: Passed | During boot | SHA2-512 | N/A | CAST |
| Entropy test - NIST SP | Entropy test - NIST SP | RCT | pass | During boot and continually | NIST SP 800-90B Repetitive Count Test | Cutoff value C = 21 | CAST |
| Entropy test - NIST SP 800-90B APT | Entropy test - NIST SP 800-90B APT | APT | pass | During boot and continually | NIST SP 800-90B Adapative Proportion Test | W = 512; Cutoff value C = 311 | CAST |
| ECDSA KeyGen (FIPS18 6-5) (A3342) | ECDSA KeyGen (FIPS18 6-5) (A3342) | PCT | 0 | On key generation | Curve: P-256 Hash Algorithm: SHA2-256 | Key pair generated for SSP agreement in the context of SSHv2 protocol and for key generation for use in ECDSA signature generation/verificati on | PCT |
| KAS- FFC- SSC Sp800- 56Ar3 (A3342) - PCT | KAS- FFC- SSC Sp800- 56Ar3 (A3342) - PCT | PCT | 0 | On key generation | Capabilities: Domain Parameter: MODP2048 | Key pair generated for SSP agreement in the context of SSHv2 protocol | PCT |
| RSA KeyGen (FIPS18 6-5) (A3342) | RSA KeyGen (FIPS18 6-5) (A3342) | PCT | 0 | On key generation | Modulus: 2048 Hash SHA2-256 | Key pair generated for signature generation/verificati on in the context of SSHv2 protocol | PCT |
| Manual entry test (duplicat e entries) | Manual entry test (duplicat e entries) | Duplicate entry test required for entry of operator password s and IKE-PSK via direct connectio n to the module's console (serial) interface | Comman d prompt with "fips" string provided post completio n of the test | On configurati on of operator passwords and IKE- PSK | Duplicate entry test required for entry of operator passwords and IKE-PSK via direct connection to the module's console (serial) interface | N/A | Manu al Entry |
| KDF IKEv1 (A3343) | KDF IKEv1 (A3343) | KAT | IKEV1 Known Answer Test: Passed | During boot | IKEv1 (IPSec) KDF | N/A | CAST |
| KDF IKEv2 (A3343) | KDF IKEv2 (A3343) | KAT | IKEV2 Known Answer Test: Passed | During boot | IKEv2 (IPSec) KDF | N/A | CAST |
| AES- CBC (A3343) - Encrypt - 128 bits | AES- CBC (A3343) - Encrypt - 128 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key length: 128 bits | Encrypt | CAST |
| AES- CBC (A3343) - Decrypt - 128 bits | AES- CBC (A3343) - Decrypt - 128 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key length: 128 bits | Decryt | CAST |
| HMAC- SHA2- 256 (A3343) | HMAC- SHA2- 256 (A3343) | KAT | HMAC- SHA2- 256 Known Answer Test : Passed | During boot | Key length: 256 bits | N/A | CAST |
| AES- CBC (A3339) - Encrypt - 128 bits | AES- CBC (A3339) - Encrypt - 128 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key length: 128 bits | Encrypt | CAST |
| AES- CBC (A3339) - Decrypt - 128 bits | AES- CBC (A3339) - Decrypt - 128 bits | KAT | AES- CBC Known Answer Test : Passed | During boot | Key length: 128 bits | Decrypt | CAST |
| HMAC- SHA2- 256 (A3339) | HMAC- SHA2- 256 (A3339) | KAT | HMAC- SHA2- 256 Known Answer | During boot | Key length: 256 bits | N/A | CAST |
a. Usage of SHA-1 for SigVer is allowed for legacy use only until 2030. Thereafter, all usage of SHA-1 will be considered a non-approved, not allowed algorithm. b. Until January 1, 2031, the following algorithms will be considered deprecated: a. Hash function and HMAC using SHA-1 hash function b. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation c. As of January 1, 2031, the following algorithms will be considered deprecated/disallowed (i.e. non-approved, not allowed)/legacy use: a. Use of the 112-bit security strength for classical digital signature and keyestablishment mechanisms (deprecated) b. Use of the 112-bit security strength for block ciphers (disallowed) c. Use of a security strength less than 128-bits but greater than 112 bits for ECDA KeyGen and RSA KeyGen (PKCS #1 v1.5 & PSS) (deprecated) d. HMAC using SHA-1 hash function (legacy use) e. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation (disallowed) f. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Verification (legacy use)
Table 22: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known integrity test on each boot prior to executing the software integrity test.
HMACSHA2256 Length: 0256 s HMACSHA2256 AESCBC AESCBC AESCBC AESCBC AESCBC N/A AESCBC AESCBC AESCBC AESCBC AESCBC Document Version 1.0
AESCBC s HMACSHA-1 N/A HMACSHA2256 N/A HMACSHA2512 N/A KASECCSSC Sp80056Ar3 Methods: P256 N/A KASECCSSC Sp80056Ar3 Methods: P384 N/A KASFFCSSC AESCBC HMACSHA-1 HMACSHA2256 HMACSHA2512 KASECCEPHEMUNIFIED KASECCEPHEMUNIFIED KASFFCEPHEMN/A Document Version 1.0
Sp80056Ar3 Cipher: AES128, AES192, AES256 ; Hash 6-5) 6-5) 6-5) SHA2512 6-5) KDFSSHSHA2256 RSASIGN RSAVERIFY ECDSASIGN ECDSAVERIFY SHA-2512 s N/A N/A Document Version 1.0
6-5) s KASFFCSSC Sp80056Ar3 6-5) N/A and IKEPSK Document Version 1.0
s N/A N/A AESCBC AESCBC HMACSHA2256 N/A AESCBC AESCBC HMACSHA2256 AESCBC AESCBC HMACSHA2256 AESCBC AESCBC HMACSHA2256 N/A Document Version 1.0
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| Software Integrity Test | Software Integrity Test | KAT | SW/FW Integrity | On Demand | Manually via a reboot |
| HMAC DRBG (A3335) | HMAC DRBG (A3335) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2- 256 (A3335) | HMAC-SHA2- 256 (A3335) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Encrypt - 128 bits | AES-CBC (A3342) - Encrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Encrypt - 192 bits | AES-CBC (A3342) - Encrypt - 192 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Encrypt - 256 bits | AES-CBC (A3342) - Encrypt - 256 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Decrypt - 128 bits | AES-CBC (A3342) - Decrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Decrypt - 192 bits | AES-CBC (A3342) - Decrypt - 192 bits | KAT | CAST | On Demand | Manually via a reboot |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| Software Integrity Test | Software Integrity Test | KAT | SW/FW Integrity | On Demand | Manually via a reboot |
| HMAC DRBG (A3335) | HMAC DRBG (A3335) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2- 256 (A3335) | HMAC-SHA2- 256 (A3335) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Encrypt - 128 bits | AES-CBC (A3342) - Encrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Encrypt - 192 bits | AES-CBC (A3342) - Encrypt - 192 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Encrypt - 256 bits | AES-CBC (A3342) - Encrypt - 256 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Decrypt - 128 bits | AES-CBC (A3342) - Decrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Decrypt - 192 bits | AES-CBC (A3342) - Decrypt - 192 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3342) - Decrypt - 256 bits | AES-CBC (A3342) - Decrypt - 256 bits | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA-1 (A3342) | HMAC-SHA-1 (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2- 256 (A3342) | HMAC-SHA2- 256 (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2- 512 (A3342) | HMAC-SHA2- 512 (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-256 | KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-256 | KAT | CAST | On Demand | Manually via a reboot |
| KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-384 | KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-384 | KAT | CAST | On Demand | Manually via a reboot |
| KAS-FFC-SSC Sp800-56Ar3 (A3342) | KAS-FFC-SSC Sp800-56Ar3 (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| KDF SSH (A3341) | KDF SSH (A3341) | KAT | CAST | On Demand | Manually via a reboot |
| RSA SigGen (FIPS186-5) (A3342) | RSA SigGen (FIPS186-5) (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| RSA SigVer (FIPS186-5) (A3342) | RSA SigVer (FIPS186-5) (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| ECDSA SigGen (FIPS186-5) (A3342) | ECDSA SigGen (FIPS186-5) (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| ECDSA SigVer (FIPS186-5) (A3342) | ECDSA SigVer (FIPS186-5) (A3342) | KAT | CAST | On Demand | Manually via a reboot |
| SHA2-512 (A3340) | SHA2-512 (A3340) | KAT | CAST | On Demand | Manually via a reboot |
| Entropy test - NIST SP 800- 90B RCT | Entropy test - NIST SP 800- 90B RCT | RCT | CAST | On Demand | Manually via a reboot |
| Entropy test - NIST SP 800- 90B APT | Entropy test - NIST SP 800- 90B APT | APT | CAST | On Demand | Manually via a reboot |
| ECDSA KeyGen (FIPS186-5) (A3342) | ECDSA KeyGen (FIPS186-5) (A3342) | PCT | PCT | On Demand | Manually via a reboot |
| KAS-FFC-SSC Sp800-56Ar3 (A3342) - PCT | KAS-FFC-SSC Sp800-56Ar3 (A3342) - PCT | PCT | PCT | On Demand | Manually via a reboot |
| RSA KeyGen (FIPS186-5) (A3342) | RSA KeyGen (FIPS186-5) (A3342) | PCT | PCT | On Demand | Manually via a reboot |
| Manual entry test (duplicate entries) | Manual entry test (duplicate entries) | Duplicate entry test required for entry of operator passwords and IKE-PSK via direct connection to the module's console (serial) interface | Manual Entry | On Demand | Manually via configuration of operator passwords and IKE-PSK |
| KDF IKEv1 (A3343) | KDF IKEv1 (A3343) | KAT | CAST | On Demand | Manually via a reboot |
| KDF IKEv2 (A3343) | KDF IKEv2 (A3343) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3343) - Encrypt - 128 bits | AES-CBC (A3343) - Encrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3343) - Decrypt - 128 bits | AES-CBC (A3343) - Decrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2- 256 (A3343) | HMAC-SHA2- 256 (A3343) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3339) - Encrypt - 128 bits | AES-CBC (A3339) - Encrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3339) - Decrypt - 128 bits | AES-CBC (A3339) - Decrypt - 128 bits | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2- 256 (A3339) | HMAC-SHA2- 256 (A3339) | KAT | CAST | On Demand | Manually via a reboot |
s Table 23: Conditional Self-Tests Cryptographic Algorithm Self-tests (CASTs) are performed on each boot of the module. Other conditional self-tests are performed by the module when the corresponding condition is met. The pairwise consistency tests are performed on key pair generation for use in signature generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC-SSC or KASFFC-SSC SSP agreement (ECDSA and DSA tests respectively). The software load test is performed when a software image (.tgz) is loaded onto the module from an external source.
Table 24: Pre-Operational Periodic Information Document Version 1.0
Table 25: Conditional Periodic Information The pre-operational software integrity test as well as all CASTs must be completed successfully prior to any other use of cryptography by the module in the Approved mode of operation. These tests can also be performed periodically by rebooting the module.
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Hard Error state | If the pre-operation software integrity test, if any of the CASTs or pair-wise consistency tests fail, then the module returns an error indicator, inhibits all data output and enters the hard error state | If the pre- operational software integrity test or if any of the CASTs fail | "FIPS error: self-test failure" for software integrity failure, "FIPS error 1: <name of the algorithm> Known Answer Test: Failed" for CAST failure and -1 for pair-wise consistency test failure | N/A |
| Soft Error state | In the event of an APT or RCT health test failure, output from the entropy source is inhibited, all entropy accumulated in the conditioning context is discarded and the start-up health-tests are performed again | If the APT or RCT test fails | Entropy data discarded in case of APT/RCT failure | In case of APT and/or RCT failures, new data continues to be tested by the health tests, and once both health tests indicate a "pass", the entropy source again outputs data |
N/A Table 26: Error States generated keypair/loaded image, returns an error indicator and resumes normal operation.
Each time the module is powered up it tests that all the cryptographic algorithms operate correctly, and that sensitive data have not been damaged. Pre-operational as well as Conditional Cryptographic Algorithm Self-tests (CAST) are performed on each power up/boot of the module and on demand by power cycling the module (Perform self-tests (remote reset) service).
The module is in the non-compliant state by default. The Crypto Officer (CO) shall follow the instructions in this section to download, install and initialize the module onto the host platforms identified in Table
*Note: This module is a FIPS 140-3 Security Level 1 module but the command “set system fips level 2” must be used to invoke the Approved mode of operation. Please note this is Juniper terminology only. The module claims to meet FIPS 140-3/ISO 19790 Security Level
For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for vSRX, Release 22.2R2 document.
For further information and for the non-Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for vSRX, Release 22.2R2 document.
The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.
6.4 per 8-bit sample (entropy input to the DRBG). The DRBG is seeded with 512 bits.
No other maintenance requirements apply for operation of the module in the Approved/nonApproved modes as defined above.
The module can be securely sanitized at the end of its lifetime by zeroising it.
The module does not implement any mitigation of other attacks and thus the requirements per this section do not apply to the module. Document Version 1.0