All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Juniper Networks vSRX 3.0 Virtual Firewall

Certificate#5150StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorJuniper Networks, Inc.
High review priority  ·  exposes debug/recovery interface  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/27/2031
CaveatWhen operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorJuniper Networks, Inc.

Approved Algorithms (21)

AlgorithmACVP Cert
AES-CBCA3339
AES-CTRA3342
ECDSA KeyGen (FIPS186-5)A3342
ECDSA KeyVer (FIPS186-5)A3342
ECDSA SigGen (FIPS186-5)A3342
ECDSA SigVer (FIPS186-5)A3342
HMAC DRBGA3335
HMAC-SHA-1A3342
HMAC-SHA2-256A3335
HMAC-SHA2-512A3342
KAS-ECC-SSC Sp800-56Ar3A3342
KAS-FFC-SSC Sp800-56Ar3A3342
KDF IKEv1 (CVL)A3343
KDF IKEv2 (CVL)A3343
KDF SSH (CVL)A3341
RSA KeyGen (FIPS186-5)A3342
RSA SigGen (FIPS186-5)A3342
RSA SigVer (FIPS186-5)A3342
SHA-1A3342
SHA2-256A3335
SHA2-512A3335

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Life-Cycle Assurance1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Juniper Networks vSRX 3.0 Virtual Firewall
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>SSH<br/>IKEV<br/>IPSEC</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Juniper Networks vSRX 3.0 Virtual Firewall
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>CASTs on boot<br/>Show status<br/>Show status (LED)</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>SSH<br/>IKEV<br/>IPSEC</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Juniper Networks, Inc. Juniper Networks vSRX 3.0 Virtual Firewall Document Version 1.0

Page 2
Table of Contents
#SectionPage
1General5
1.1Overview5
1.2Security Levels5
2Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification8
2.3Excluded Components8
2.4Modes of Operation8
2.5Algorithms9
2.6Security Function Implementations12
2.7Algorithm Specific Information17
2.8RBG and Entropy17
2.9Key Generation17
2.10Key Establishment17
2.11Industry Protocols18
3Cryptographic Module Interfaces18
3.1Ports and Interfaces18
4Roles, Services, and Authentication19
4.1Authentication Methods19
4.2Roles21
4.3Approved Services22
4.4Non-Approved Services36
4.5External Software/Firmware Loaded37
4.6Cryptographic Output Actions and Status37
5Software/Firmware Security37
5.1Integrity Techniques37
5.2Initiate on Demand37
5.3Additional Information37
6Operational Environment37
6.1Operational Environment Type and Requirements37
6.2Configuration Settings and Restrictions38
7Physical Security38
8Non-Invasive Security38
9Sensitive Security Parameters Management38
9.1Storage Areas38
9.2SSP Input-Output Methods38
9.3SSP Zeroization Methods39
9.4SSPs39
9.5Transitions48
10Self-Tests49
10.1Pre-Operational Self-Tests49
10.2Conditional Self-Tests49
10.3Periodic Self-Test Information55
10.4Error States57
10.5Operator Initiation of Self-Tests58
11Life-Cycle Assurance58
11.1Installation, Initialization, and Startup Procedures58
11.2Administrator Guidance61
11.3Non-Administrator Guidance61
11.4Design and Rules61
11.5Maintenance Requirements62
11.6End of Life62
12Mitigation of Other Attacks62
12.1Attack List62
Page 4
List of Tables
ItemPage
Table 1: Security Levels6
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 3: Tested Operational Environments - Software, Firmware, Hybrid8
Table 4: Modes List and Description9
Table 5: Approved Algorithms11
Table 6: Vendor-Affirmed Algorithms11
Table 7: Non-Approved, Allowed Algorithms with No Security Claimed12
Table 8: Non-Approved, Not Allowed Algorithms12
Table 9: Security Function Implementations16
Table 10: Entropy Certificates17
Table 11: Entropy Sources17
Table 12: Ports and Interfaces18
Table 13: Authentication Methods20
Table 14: Roles21
Table 15: Approved Services36
Table 16: Non-Approved Services36
Table 17: Storage Areas38
Table 18: SSP Input-Output Methods39
Table 19: SSP Zeroization Methods39
Table 20: SSP Table 144
Table 21: SSP Table 248
Table 22: Pre-Operational Self-Tests49
Table 23: Conditional Self-Tests55
Table 24: Pre-Operational Periodic Information55
Table 25: Conditional Periodic Information57
Table 26: Error States58
Figure 1 – Block Diagram7
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication3
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1
1.1 Overview

Federal Information Processing Standards Publication 140-3

1.2 Security Levels
Page 6
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Juniper Networks vSRX 3.0 Virtual Firewall cryptographic module is comprised of the Junos OS 22.2R2-S2.3 software. The Juniper Networks vSRX 3.0 Virtual Firewall is a secure firewall that provides essential capabilities to connect, secure, and manage work force locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: The cryptographic boundary of the module is depicted in Figure 1 below. The physical perimeter is defined as the outer edge of the hardware platform (server) on which the hypervisor and Juniper Networks vSRX 3.0 Virtual Firewall are installed. The cryptographic boundary is the Juniper vSRX 3.0 Virtual Firewall which is comprised of the Junos OS 22.2R2-S2.3 software. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the hardware platform on which it executes. Document Version 1.0

Page 7

Figure 1

Page 8
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
junos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ovaJunos OS 22.2R2- S2.3N/Ajunos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ovaECDSA P-256 with SHA2-256
Junos OS 22.2R2-S2.3Junos OS 22.2R2-S2.3HP ProLiant DL380 Gen9 ServerJunos OS 22.2R2-S2.3Intel Xeon E5- 2660 v4NoVMware ESXi 7.0
Junos OS 22.2R2-S2.3Junos OS 22.2R2-S2.3PacStar 451 ServerJunos OS 22.2R2-S2.3Intel Xeon E- 2254MLNoVMware ESXi 7.0
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
junos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ovaJunos OS 22.2R2- S2.3N/Ajunos-vsrx3-x86-64- 22.2R2-S2.3.scsi.ovaECDSA P-256 with SHA2-256
Junos OS 22.2R2-S2.3Junos OS 22.2R2-S2.3HP ProLiant DL380 Gen9 ServerJunos OS 22.2R2-S2.3Intel Xeon E5- 2660 v4NoVMware ESXi 7.0
Junos OS 22.2R2-S2.3Junos OS 22.2R2-S2.3PacStar 451 ServerJunos OS 22.2R2-S2.3Intel Xeon E- 2254MLNoVMware ESXi 7.0
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

2.3 Excluded Components

No components have been excluded from the cryptographic boundary of the module.

2.4 Modes of Operation

Modes List and Description: Document Version 1.0

Page 9
Service
NameDescriptionIndicatorType
Non- Approved mode* The cryptographic module supports a non- Approved mode of operation; * When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operation * The module must be zeroised to transition from the Approved mode to the non-Approved modeglobal indicator (implicit indicator based on exclusion of string 'fips' from the command prompt)Non- Approved
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA3339Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA3342Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CBCA3343Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CTRA3342Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
ECDSA KeyGen (FIPS186-5)A3342Curve - P-256, P-384, P-521 Secret Generation Mode - testing candidatesFIPS 186-5
ECDSA KeyVer (FIPS186-5)A3342Curve - P-256, P-384, P-521FIPS 186-5
ECDSA SigGen (FIPS186-5)A3342Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 Component - NoFIPS 186-5
ECDSA SigVer (FIPS186-5)A3342Curve - P-256, P-384, P-521 Hash Algorithm - SHA2-256, SHA2-384, SHA2-512FIPS 186-5
HMAC DRBGA3335Prediction Resistance - Yes Mode - SHA2-256SP 800-90A Rev. 1
HMAC-SHA-1A3342Key Length - Key Length: 160FIPS 198-1
HMAC-SHA2-256A3335Key Length - Key Length: 160, 256FIPS 198-1
HMAC-SHA2-256A3339Key Length - Key Length: 256FIPS 198-1
HMAC-SHA2-256A3342Key Length - Key Length: 256FIPS 198-1
HMAC-SHA2-256A3343Key Length - Key Length: 256FIPS 198-1
HMAC-SHA2-512A3342Key Length - Key Length: 512FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A3342Domain Parameter Generation Methods - P- 256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A3342Domain Parameter Generation Methods - FC, MODP-2048 Scheme - dhEphem - KAS Role - initiatorSP 800-56A Rev. 3
KDF IKEv1 (CVL)A3343Authentication Method - Digital Signature, Pre-shared Key Diffie-Hellman Shared Secret Length - Diffie- Hellman Shared Secret Length: 256, 384, 2048 Hash Algorithm - SHA2-256, SHA2-384 Preshared Key Length - Preshared Key Length: 8-256 Increment 8SP 800-135 Rev. 1
KDF IKEv2 (CVL)A3343Diffie-Hellman Shared Secret Length - Diffie- Hellman Shared Secret Length: 256, 384, 2048 Derived Keying Material Length - Derived Keying Material Length: 1136-2432 Increment 8 Hash Algorithm - SHA2-256, SHA2-384SP 800-135 Rev. 1
KDF SSH (CVL)A3341Cipher - AES-128, AES-192, AES-256, TDES Hash Algorithm - SHA-1, SHA2-256, SHA2- 384SP 800-135 Rev. 1
RSA KeyGen (FIPS186-5)A3342Key Generation Mode - probable Modulo - 2048, 3072, 4096 Primality Tests - 2powSecStr Private Key Format - standardFIPS 186-5
RSA SigGen (FIPS186-5)A3342Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5FIPS 186-5
RSA SigVer (FIPS186-5)A3342Modulo - 2048, 3072, 4096 Signature Type - pkcs1v1.5FIPS 186-5
Safe Primes Key GenerationA3342Safe Prime Groups - MODP-2048SP 800-56A Rev. 3
Safe Primes Key VerificationA3342Safe Prime Groups - MODP-2048SP 800-56A Rev. 3
SHA-1A3342Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A3335Message Length - Message Length: 0-51200 Increment 8FIPS 180-4
SHA2-256A3339Message Length - Message Length: 8-51200 Increment 8FIPS 180-4
SHA2-256A3342Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A3343Message Length - Message Length: 0-51200 Increment 8FIPS 180-4
SHA2-512A3335Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A3340Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A3342Message Length - Message Length: 0-65536 Increment 8FIPS 180-4

NonApproved NonApproved Table 4: Modes List and Description and the non-Approved mode of operation and vice versa. When switching from the nonApproved to the Approved mode, post zeroisation, the instructions in Section 11.1 Enabling the The module does not support a degraded mode of operation. Document Version 1.0

Page 11
Service
NameProperties
CKG - Section 4Key Type :Symmetric and AsymmetricN/ANIST SP800-133r2 Section 4: Symmetric key generation and Asymmetric seed generation using an unmodified output from an Approved DRBG (example 1); The module supports the following per NIST SP 800-133r2: 1. Section 5.1: Key Pairs for Digital Signature Schemes 2. Section 5.2: Key Pairs for Key Establishment 3. Section 6.2.1: Derivation of symmetric keys

Table 5: Approved Algorithms Vendor-Affirmed Algorithms: N/A Table 6: Vendor-Affirmed Algorithms Document Version 1.0

Page 12
Service
NameDescriptionApproved FunctionsTypeProperties
SHA2-256 (Junos 22.2R2- S2.3 - LibMD Implementation)Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to "obfuscate" a CSPno security claimed
SHA-1 (Junos 22.2R2- S2.3 - Kernel Implementation)Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevantno security claimed
RSA with key size less than 2048SSH
ECDSA with ed25519 curveSSH
EC Diffie-Hellman with ed25519 curveSSH
ARCFOURSSH
BlowfishSSH
CASTSSH
DSA (SignGen, SigVer, non-compliant)SSH
HMAC-MD5SSH
HMAC-RIPEMD160SSH
UMACSSH
KAS1Key Agreement for SSHv2KAS-ECC-SSC Sp800-56Ar3: (A3342) KDF SSH:CKG KAS-135KDF KAS-Full KAS-SSCIG: IG D.F Scenario 2, path (2), split Key
Service
NameDescriptionApproved FunctionsTypeProperties
SHA2-256 (Junos 22.2R2- S2.3 - LibMD Implementation)Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to "obfuscate" a CSPno security claimed
SHA-1 (Junos 22.2R2- S2.3 - Kernel Implementation)Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevantno security claimed
RSA with key size less than 2048SSH
ECDSA with ed25519 curveSSH
EC Diffie-Hellman with ed25519 curveSSH
ARCFOURSSH
BlowfishSSH
CASTSSH
DSA (SignGen, SigVer, non-compliant)SSH
HMAC-MD5SSH
HMAC-RIPEMD160SSH
UMACSSH
KAS1Key Agreement for SSHv2KAS-ECC-SSC Sp800-56Ar3: (A3342) KDF SSH:CKG KAS-135KDF KAS-Full KAS-SSCIG: IG D.F Scenario 2, path (2), split Key
Service
NameDescriptionApproved FunctionsTypeProperties
SHA2-256 (Junos 22.2R2- S2.3 - LibMD Implementation)Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to "obfuscate" a CSPno security claimed
SHA-1 (Junos 22.2R2- S2.3 - Kernel Implementation)Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevantno security claimed
RSA with key size less than 2048SSH
ECDSA with ed25519 curveSSH
EC Diffie-Hellman with ed25519 curveSSH
ARCFOURSSH
BlowfishSSH
CASTSSH
DSA (SignGen, SigVer, non-compliant)SSH
HMAC-MD5SSH
HMAC-RIPEMD160SSH
UMACSSH
KAS1Key Agreement for SSHv2KAS-ECC-SSC Sp800-56Ar3: (A3342) KDF SSH:CKG KAS-135KDF KAS-Full KAS-SSCIG: IG D.F Scenario 2, path (2), split Key

The module does not support any non-Approved algorithms in the Approved mode, i.e., it does Operation, all Approved algorithms supported in the Approved mode of operation are also Document Version 1.0

Page 13
Service
NameDescriptionRole AccessApproved FunctionsType
KAS2Key Agreement for SSHv2IG: IG D.F Scenario 2, path (2), split Key confirmation:no Key derivation: IG 2.4.B SP 800-135rev1 CVL Caveat:Key establishment methodology provides 112 bits of security strengthKAS-FFC-SSC Sp800-56Ar3: (A3342) KDF SSH: (A3341) Safe Primes Key Generation: (A3342) Safe Primes Key Verification: (A3342) CKG - Section 4: () Key Type : Symmetric and AsymmetricCKG KAS-135KDF KAS-SSC
KTS1Key Transport for SSHv2Standard:SP 800-38F IG D.G: approved method from IG D.G Key confirmation:no Caveat:Key establishment methodology provides between 128 and 256 bits of security strengthAES-CBC: (A3342) AES-CTR: (A3342) HMAC-SHA-1: (A3342) HMAC-SHA2- 256: (A3342) HMAC-SHA2- 512: (A3342) SHA-1: (A3342) SHA2-256: (A3342) SHA2-512: (A3342)KTS-Wrap
ECDSA SigVerECDSA Signature Verification used for identity- based public key authenticationFIPS 186-5:size: P-256, P-384, P- 521 curves, 128, 192 and 256 bitsECDSA SigVer (FIPS186-5): (A3342)DigSig-SigVer
Page 14
Service
NameDescriptionApproved FunctionsType
DRBGKernel DRBG providing random bits for SSP generation in the user/application spaceHMAC DRBG: (A3335) HMAC-SHA2- 256: (A3335) SHA2-256: (A3335)DRBG
Entropy SouceNon-Physical Entropy SourceSHA2-512: (A3335)ENT-Cond
ECDSA KeyGenGeneration of SSH host keysECDSA KeyGen (FIPS186-5): (A3342) CKG - Section 4: () Key Type : Symmetric and AsymmetricAsymKeyPair- KeyGen CKG
ECDSA KeyGen2SSP Agreement in the context of SSHECDSA KeyGen (FIPS186-5): (A3342) CKG - Section 4: () Key Type : Symmetric and AsymmetricAsymKeyPair- KeyGen CKG
ECDSA KeyVerVerification of keys generatedECDSA KeyVer (FIPS186-5): (A3342)AsymKeyPair- KeyVer
ECDSA SigGenSignature Generation using ECDSA in the context of SSHECDSA SigGen (FIPS186-5): (A3342)DigSig-SigGen
RSA KeyGenGeneration of SSH host keysRSA KeyGen (FIPS186-5): (A3342) CKG - Section 4: () Key Type : Symmetric and AsymmetricAsymKeyPair- KeyGen CKG
RSA SigGenSignature Generation using RSA in the context of SSHRSA SigGen (FIPS186-5): (A3342)DigSig-SigGen
RSA SigVerSignature Verification using RSA forRSA SigVer (FIPS186-5): (A3342)DigSig-SigVer

AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyVer AsymKeyPairKeyGen () () () Document Version 1.0

Page 15
Service
NameDescriptionApproved FunctionsType
Password HashUsed to store passwords in hashed formSHA2-512: (A3340)SHA
KTS2Key Transport for IPsecAES-CBC: (A3343, A3339) HMAC-SHA2- 256: (A3343, A3339) SHA2-256: (A3343, A3339)KTS-WrapStandard:SP 800-38F IG D.G :approved method from IG D.G Key confirmation: no Caveat:Key establishment methodology provides between 128 and 256 bits of security strength
KAS3Key Agreement in the context of IPsecKAS-FFC-SSC Sp800-56Ar3: (A3342) KDF IKEv1: (A3343) KDF IKEv2: (A3343) CKG - Section 4: () Key Type : Symmetric and Asymmetric Safe Primes Key Generation: (A3342) Safe Primes Key Verification: (A3342)CKG KAS-135KDF KAS-Full KAS-SSCIG :IG D.F Scenario 2, path (2), split Key confirmation :no Key derivation :IG 2.4.B SP 800-135rev1 CVL Caveat:Key establishment methodology provides 112 bits of security strength
CASTs on bootList of algorithms for which Known Answer Tests (CASTs) have been implemented in the module and perform on each bootAES-CBC: (A3342, A3343, A3339) HMAC-SHA-1: (A3342) HMAC-SHA2- 256: (A3342, A3335, A3343, A3339) HMAC-SHA2- 512: (A3342)BC-Auth BC-UnAuth DigSig-SigGen DigSig-SigVer DRBG ENT-Cond KAS-135KDF KBKDF MAC SHA
Page 16
Service
NameDescriptionCsps AccessedTypeProperties
KAS4Key Agreement in the context of IPsecKAS-ECC-SSC Sp800-56Ar3: (A3342) KDF IKEv1: (A3343) KDF IKEv2: (A3343) CKG - Section 4: ()CKG KAS-135KDF KAS-Full KAS-SSCIG: IG D.F Scenario 2, path (2), split Key confirmation:no Key derivation: IG 2.4.B SP 800-135rev1 CVL Caveat :Key establishment methodology provides between 128 and 256 bits of security strength

() Table 9: Security Function Implementations Document Version 1.0

Page 17
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Junos OS Non- Physical Entropy SourceNon- Physical8 bitsJunos OS 22.2R2 on VMWare ESXi v7.0 with Intel(R) Xeon(R) CPU E5-2660 v4 (Broadwell) on HP ProLiant DL380 Gen9 Server; Junos OS 22.2R2 on VMWare ESXi v7.0 with Intel(R) Xeon(R) E- 2254ML (Coffee Lake) on PacStar 451 Server6.4 bitsSHA2-512 (CAVP Cert. #A3335)
CertVendor Name
Number
E56Juniper Networks
2.7 Algorithm Specific Information

The module only supports testable RSA moduli/key sizes (2048, 3072 and 4096 bits) and thus the requirements per FIPS 140-3 IG C.F do not apply.

2.8 RBG and Entropy

Table 10: Entropy Certificates NonPhysical NonPhysical Table 11: Entropy Sources

2.9 Key Generation

The module implements an approved NIST SP 800-90Ar1 DRBG and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2 and 6.2.1.

2.10 Key Establishment

Per IG D.F: The module implements full KAS (KAS-ECC-SSC, KAS-FFC-SSC per NIST SP 800-56Ar3 and KDF SSH/IKEv1/IKEv2 per NIST SP 800-135r1; IG D.F Scenario 2 (path 2 option 2, separate testing of the SSC and SP800-135r1 KDF). The KAS1, KAS2, KAS3 and KAS4 in the Security Functions Implementations Table 9 have been documented in accordance with this requirement: KAS1: KAS (KAS-ECC-SSC Cert. #A3342 and CVL Cert. #A3341; SSP establishment methodology provides between 128 and 256 bits of encryption strength) KAS2: KAS (KAS-FFC-SSC Cert.#A3342 and CVL Cert. #A3341; SSP establishment methodology provides 112 bits of encryption strength) Document Version 1.0

Page 18
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputVirtual Ethernet Ports, Virtual Serial Ports
N/AN/AData OutputVirtual Ethernet Ports, Virtual Serial Ports
N/AN/AControl InputVirtual Ethernet Ports, Virtual Serial Ports
N/AN/AStatus OutputVirtual Ethernet Ports, Virtual Serial Ports

KAS3: KAS (KAS-FFC-SSC Cert.#A3342 and CVL Cert. #A3343; SSP establishment methodology provides 112 bits of encryption strength) KAS4: KAS (KAS-ECC-SSC Cert. #A3342 and CVL Cert. #A3343; SSP establishment methodology provides between 128 and 256 bits of encryption strength) The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC, KDF SSH, KDF IKEv1 and KDF IKEv2) as individual entries. Per IG D.G: The module supports the IETF SSH and IPsec protocols and thus implements key transport in the context of the protocols (per the KTS1 and KTS2 entries in the Security Functions Implementations Table 9). The module implements the approved KTS using approved AES modes:

2.11 Industry Protocols

No parts of the SSH and IPsec protocols, other than the KDF SSH and the KDF IKEv1/KDF IKEv2 for IPsec, have been tested by the CAVP or CMVP.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 12: Ports and Interfaces The module does not support control output. Document Version 1.0

Page 19
Sensitive security parameter
NameDescriptionStrengthSecurity MechanismStrength per Minute
Username and password over the console and SSH* The module enforces 10- character passwords (at minimum) chosen from the 96 human readable ASCII characters; The maximum password length is 20- characters; Thus, the probability of a successful random attempt is 1/(96^10), which is less than 1/1,000,000 (million); * The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced; Upon the third attempt, the module enforces a 5-second delay; Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g., 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20- second delay, 7th failed attempt = 25-second delay); This leads to a maximum of 7 possible attempts in a one-minute period for each getty; The best approach for the attacker would be to disconnect after 4 failed attempts and wait for a new getty to be spawned; This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour/60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts; The probability of a success with multiple consecutive attempts in1/(96^10)SHA2-512 (A3340)9/(96^10)
Username and ECDSA public key over SSH* The module supports ECDSA (P-256, P-384, and P-521), which has a minimum equivalent computational resistance to attack of either 2^128, 2^192 or 2^256 depending on the curve; Thus, the probability of a successful random attempt is 1/(2^128), which is less than 1/1,000,000 (million) * Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one- minute period is 15,000/(2^128), which is less than 1/100,0001/(2^128)ECDSA SigVer (FIPS186-5) (A3342)15,000/(2^128)
Username and RSA public key over SSH* The module supports RSA (2048, 3072, 4096 bits), which has a minimum equivalent computational resistance to attack of 2^112 (2048 bits); Thus, the probability of a successful random attempt is 1/ (2^112), which is less than 1/1,000,000 (million) * Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one- minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one- minute period is 15,000/(2^112), which is less than 1/100,0001/ (2^112)RSA SigVer (FIPS186-5) (A3342)15,000/(2^112)
4 Roles, Services, and Authentication
4.1 Authentication Methods
Page 20

1/ Table 13: Authentication Methods The module enforces the separation of roles using role-based operator authentication. The module implements two forms of identity-based authentication, username, and password over Document Version 1.0

Page 21
Service
NameRole AccessType
Super-userCrypto Officer (CO)IdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
OperatorUserIdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
Read-onlyUserIdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
RootCrypto Officer (CO)IdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH
UnauthorisedUserIdentityUsername and password over the console and SSH Username and ECDSA public key over SSH Username and RSA public key over SSH

the console and SSH connections, as well as username and an ECDSA or RSA public keybased authentication over SSHv2.

4.2 Roles

Table 14: Roles correspond to the User role. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. An operator assuming the Crypto Officer role configures and monitors the module via a console or SSH connection. As Root or Super-user, the Crypto Officer has permission to view and configure passwords and public keys within the module. The User role monitors the module via the console or SSH. The User role does not have the permission to modify the configuration. Document Version 1.0

Page 22
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Configure security (security relevant)Security relevant configuratio n (SSH, authenticati on data)Root - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRBG V value: E - HMAC_DRBG Key value: E - HMAC_DRBG entropy input: E - HMAC_DRBG seed: E - SSH Public Host Key: G - User Authentication Public Keys: W - CO Authentication Public Keys: W Super-user - SSH Private Host Key: G - User Password: W,E - CO Password: W,E - HMAC_DRBG V value: E -DRBG Entropy Souce ECDSA KeyGen ECDSA KeyGen2 RSA KeyGen Passwor d HashGlobal Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceCommands (SSH configuration: set system services ssh root-login allow)Traffic
Configure (non- security relevant)Non- security relevant configuratio nSuper-user - CO Password: E Root - CO Password: EPasswor d HashGlobal Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceCommands (miscellaneous commands e.g., for IP address configuration, routing protocols, etc.)Traffic
Show statusQuery the module statusSuper-user - CO Password: E Root - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorised - User Password: EPasswor d HashGlobal Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceCommand (show)CLI output
Show status (LED)LEDs on the module provide physical status outputSuper-user Operator Read-only Unauthorised Root Unauthenticat edNoneLED(s) on the chassis turned onN/ALED
Show module's versioning informatio nQuery the module's versioning informationSuper-user - CO Password: E Operator - User Password: E Read-only - User Password: E Unauthorised - User Password: E Root - CO Password: EPasswor d HashGlobal Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceCommand (show version)CLI output
Zeroise (Perform zeroisatio n)Zeroise: Destroy all SSPsSuper-user - SSH Private Host Key: Z - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH Session Key: Z - User Password: Z - CO Password: E,Z - HMAC_DRBG V value: Z - HMAC_DRBG Key value: Z - HMAC_DRBG entropy input: Z - HMAC_DRBGPasswor d Hashsuccessf ul deletion of virtual machinePower (deletion of virtual machine)N/A
Page 23

(nonsecurity Nonsecurity n s s E W W Document Version 1.0

Page 25

s s Z A: Z Z Z Z - IKE-DHPUB: Z Document Version 1.0

Page 27
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Perform approved security functions (SSH connectio n)Initiate SSH connection for SSH monitoring and control (CLI)Super-user - SSH Private Host Key: E - SSH ECDH Private Key: G,E,Z - SSH DH Private Key: G,E,Z - SSH Session Key: G,E,Z - HMAC_DRBG V value: E - HMAC_DRBG Key value: E - HMAC_DRBG entropy input: E - HMAC_DRBG seed: E - ECDH Shared Secret: G,E,Z - DH Shared Secret: G,E,Z - HMAC Key: G,E,Z - SSH Public Host Key: G - SSH DH Public Key: G,E,ZKAS1 KAS2 KTS1 ECDSA SigVer DRBG Entropy Souce ECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen RSA SigVer Passwor d HashGlobal Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceAuthentication data (Username and password/publi c-key based authentication)SSH session

n) s s Z Z - IKE-DHPUB: Z G,E,Z G,E,Z E G,E,Z G,E,Z Document Version 1.0

Page 32
Service
NameDescriptionRole AccessApproved FunctionsIndicatorInputOutput
Console AccessConsole monitoring and control (CLI)Super-user - CO Password: E Operator - CO Password: E Read-only - User Password: E Unauthorised - User Password: E Root - CO Password: EPasswor d HashGlobal Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceUsername, password (set system login user <username> class <crypto- officer/user class> operator authentication plaintext- password)N/A
Perform self-tests (remote reset)Software initiated reset, performs self-tests onSuper-user - SSH ECDH Private Key: Z - SSH DH Private Key: Z - SSH SessionKAS1 KAS2 KTS1 DRBG Entropy SouceGlobal Approved Mode indicator "fips" at the CLIControl input/reset signal (request vmhost reboot)N/A
demand via SSHdemand via SSHKey: Z - HMAC_DRBG Key value: G,Z - HMAC_DRBG V value: G,Z - HMAC_DRBG entropy input: G,Z - HMAC_DRBG seed: G,Z - ECDH Shared Secret: Z - DH Shared Secret: Z - HMAC Key: G,E,Z - SSH ECDH Public Key: G,E - SSH DH Public Key: G,E - CO Password: E - Software Integrity Key: E - SSH Private Host Key: E - SSH Public Host Key: E - User Authentication Public Keys: E - CO Authentication Public Keys: E Root - SSH ECDH Private Key: Z - SSH DHECDSA KeyGen ECDSA KeyGen2 ECDSA KeyVer ECDSA SigGen RSA KeyGen RSA SigGen Passwor d Hash CASTs on bootcombined with successf ul completio n of each service
Page 35
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Perform self-tests (local reset)Hardware reset or power cycleSuper-user - Software Integrity Key: E Root - Software Integrity Key: E Operator - Software Integrity Key: E Read-only - Software Integrity Key: E Unauthorised - Software Integrity Key: E Unauthenticat ed - Software Integrity Key: ECASTs on bootGlobal Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceControl input/reset signalN/A
Perform approved security functions (IPsec connectio n)Initiate IPsec connectionRoot - IKE-PSK: W,E - IKE-SKEYID: G,E,Z - IKE-SEK: G,E,Z - ESP-SEK: G,E,Z - IKE-DH-PRI: G,E,Z - IKE-DH- PUB: G,R,E,Z Super-user - IKE-PSK: W,E - IKE-SKEYID: G,E,Z - IKE-SEK: G,E,Z - ESP-SEK: G,E,ZKTS2 KAS3 KAS4Global Approved Mode indicator "fips" at the CLI combined with successf ul completio n of each serviceCommands (set security ipsec security- association sa- name; * set interfaces <name> unit 0 family inet address <ip address>; * set security ike security- association sa- name)IPsec session

N/A n) ipsec securityassociation saname; * set securityassociation saname) s s E E E E E E W,E G,E,Z G,E,Z G,E,Z G,E,Z - IKE-DHPUB: G,R,E,Z W,E G,E,Z G,E,Z G,E,Z Document Version 1.0

Page 36
Service
NameDescriptionRolesApproved Functions
Configure security (security relevant)Security relevant configurationRoot, Super-userRSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC
Perform approved security functions (SSH connection)Initiate SSH connection for SSH monitoring and control (CLI)Root, Super-user, Operator, Read-Only, UnauthorizedRSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC
Service
NameDescriptionRolesApproved Functions
Configure security (security relevant)Security relevant configurationRoot, Super-userRSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC
Perform approved security functions (SSH connection)Initiate SSH connection for SSH monitoring and control (CLI)Root, Super-user, Operator, Read-Only, UnauthorizedRSA with key size less than 2048 ECDSA with ed25519 curve EC Diffie-Hellman with ed25519 curve ARCFOUR Blowfish CAST DSA (SignGen, SigVer, non- compliant) HMAC-MD5 HMAC- RIPEMD160 UMAC

s s G,E,Z - IKE-DHPUB: G,R,E,Z Table 15: Approved Services SigVer, noncompliant) HMACRIPEMD160 SigVer, noncompliant) HMACRIPEMD160 Table 16: Non-Approved Services Document Version 1.0

Page 37
4.5 External Software/Firmware Loaded

The module does not support software loading from an external source.

4.6 Cryptographic Output Actions and Status

The module supports self-initiated cryptographic output in the context of the IPsec protocol and three independent configurations are required serving as three independent internal actions (two actions required at minimum):

5 Software/Firmware Security
5.1 Integrity Techniques

The module performs the software integrity check using ECDSA P-256 with SHA2-256 (CAVP Cert. #A3342). The ECDSA P-256 public key used for signature verification is a non-SSP and stored persistently across reboots in the module’s Non-Volatile RAM (NVRAM) until zeroisation of the module.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by rebooting the module.

5.3 Additional Information

The module software image is delivered in the form of a pre-compiled tarball (.ova).

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: Document Version 1.0

Page 38
Sensitive security parameter
NameTypeDescription
NVRAMStaticNon-Volatile Random Access Memory
RAMDynamicRandom Access Memory
Service
NameTypeFromTo
Entered over SSH - NVRAMEncryptedExternal endpointNVRAMAutomatedElectronicKTS1
Loaded at manufacturePlaintextExternal endpointNVRAMN/AN/A
Entered through the CLI via consolePlaintextExternal endpointNVRAMManualDirect

The module contains a modifiable operational environment since the underlying hardware platform supports uncontrollable modifications to itself. The module contains the operating system Junos OS 22.2R2-S2.3.

6.2 Configuration Settings and Restrictions

Security rules and restrictions for configuration of the operational environment have been specified in Sections 11.1 and 11.4 of this document.

7 Physical Security

The requirements per this section do not apply since the module is of type software.

8 Non-Invasive Security

The module does not implement any non-invasive security mitigations and thus the requirements per this section do not apply to the module.

9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods
Page 39
Service
NameTypeFromTo
Input during SSH negotiationPlaintextExternal endpointRAMAutomatedElectronic
Output during SSH negotiation (host key)PlaintextNVRAMExternal endpointAutomatedElectronic
Output during SSH negotiation (Key Agreement public key)PlaintextRAMExternal endpointAutomatedElectronic
Output during IPsec negotiationPlaintextRAMExternal endpointAutomatedElectronic
ZeroizationDescriptionRationaleOperator
MethodInitiation
Deletion of virtual instanceDeletion of the vSRX 3.0 instanceUsed to provide zeroisation as a serviceOperator initiated
Power-cyclePower cycling the underlying host platform to zeroise temporary SSPsPower cycling the underlying host platform to zeroise temporary SSPsOperator initiated
Session terminationTermination of sessions automatically zeroises temporary SSPs used as part of the sessionTermination of sessions automatically zeroises temporary SSPs used as part of the sessionModule initiated
Derivation of session keyEC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of session keyEC Diffie-Hellman/Diffie- Hellman shared secrets are zeroised after use in derivation of session keyModule initiated

Table 18: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/DE and AD/EE for SSPs entered via the module’s CLI via a direct connection to its serial/console port and for SSPs entered/output/established via SSH/IPsec respectively.

9.3 SSP Zeroization Methods

Table 19: SSP Zeroization Methods Document Version 1.0

Page 40
Sensitive security parameter
NameTypeDescriptionStrength
SSH Private Host KeyPrivate Host Key - CSPHost key generated, used for authenticatio n and encryption in the context of SSHP-256 for ECDSA, 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSADRBG ECDSA KeyGen RSA KeyGenKAS1 KAS2
SSH ECDH Private KeyECDH Private Key - CSPEphemeral EC Diffie- Hellman private key used in SSHKAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bitsDRBG ECDSA KeyGen2KAS1
SSH DH Private KeyDH Private Key - CSPEphemeral Diffie- Hellman private key used in SSH2048 bits for KAS- FFC-SSC - 112 bits for KAS- FFC-SSCDRBGKAS2
SSH Session KeySession Key - CSPSSH Session Key128 bits, 192 bits, 256 bits - 128 bits, 192 bits, 256 bitsKAS1 KAS2
User PasswordUser Password - CSPPasswords used to authenticate users to the module10-20 character s - 1/(96^10) per attempt, 9/(96^10) per minute
CO PasswordCO Password - CSPPasswords used to authenticate COs to the module10-20 character s - 1/(96^10) per attempt, 9/(96^10) per minute
HMAC_DRBG V valueInternal state of the DRBG - CSPA critical value of the internal state of DRBG256 bits - 256 bitsDRBGDRB G
HMAC_DRBG Key valueInternal state of the DRBG - CSPA critical value of the internal state of DRBG440 bits - 440 bitsDRBGDRB G
HMAC_DRBG entropy inputEntropy input to the HMAC_DRB G - CSPEntropy input to the HMAC_DRB G512 bits - 448 bitsEntropy Souce
HMAC_DRBG seedSeed provided to the HMAC_DRB G - CSPSeed provided to the HMAC_DRB G512 bits - 440 bitsDRBGDRB G
ECDH Shared SecretShared secret - CSPUsed in EC Diffie- Hellman (ECDH) exchangeP-256, P- 384, P- 521 - 128 bits, 192 bits, 256 bitsKAS1
DH Shared SecretShared secret - CSPUsed in Diffie- Hellman (DH) exchange2048 bits - 112 bitsKAS2
HMAC KeyMAC key - CSPMAC key128 bits and 256 bits - 128 bits and 256 bitsKAS1 KAS2
SSH Public Host KeyPublic key - PSPHost key generated, used to identify the host. Also paired with the private key for authenticatio n and encryption in the context of SSHP-256 for ECDSA and 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSADRBG ECDSA KeyGen RSA KeyGen

EC DiffieHellman DiffieHellman KASECCSSC P256, P384, P512 - 128 Document Version 1.0

Page 41

G G DiffieHellman DiffieHellman G G G Document Version 1.0

Page 42
Sensitive security parameter
NameTypeDescriptionStrength
User Authentication Public KeysPublic key - PSPUsed to authenticate users to the moduleP-256, P- 384, P- 521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA
CO Authentication Public KeysPublic key - PSPUsed to authenticate the CO to the moduleP-256, P- 384, P- 521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA
JuniperRootC APublic key certificate - NeitherECDSA prime256v1 X.509 V3 Certificate Used to verify the validity of the PackagCAECDSA P-256 - 128 bits
PackageCAPublic key certificate - NeitherECDSA prime256v1 X.509 V3 Certificate Certificate that holds theECDSA P-256 - 128 bits

A P-256, P384, P521 for P-256, P384, P521 for Document Version 1.0

Page 43
Sensitive security parameter
NameTypeDescriptionStrength
SSH ECDH Public KeyPublic key - PSPEphemeral EC Diffie- Hellman public key used in SSHKAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSCDRBG ECDSA KeyGen2
SSH DH Public KeyPublic key - PSPEphemeral Diffie- Hellman public key used in SSH2048 bits for KAS- FFC-SSC - 112 bits for KAS- FFC-SSCDRBG
Software Integrity KeyPublic key - NeitherPublic key used to perform the software integrity test on each bootECDSA P-256 - 128 bits
IKE-PSKIKE Pre- Shared Key - CSPPre-Shared Key used to authenticate IKE connections256 bits - 256 bits
IKE-SKEYIDIKE shared secret - CSPIKE secret used to derive IKE and IPsec ESP session keys256 bits - 256 bitsKAS3 KAS4KAS3 KAS4
IKE-SEKIKE Session Key - CSPIKE Session Keys. AESAES: 128 bits,KAS3 KAS4KTS2
(128 bits), HMAC (SHA- 256)(128 bits), HMAC (SHA- 256)HMAC: 256 bits - AES: 128 bits, HMAC: 256 bits
ESP-SEKESP Session Key - CSPESP Session Keys. AES (128 bits), HMAC (SHA- 256)AES: 128 bits, HMAC: 256 bits - AES: 128 bits, HMAC: 256 bitsKAS3 KAS4KTS2
IKE-DH-PRIIKE Diffie- Hellman private key - CSPDiffie- Hellman private key used in IKE2048 bits - 112 bitsKAS3 KAS4
SSH ECDH Client Public KeyPublic key - PSPEphemeral EC Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server)KAS- ECC- SSC P- 256, P- 384, P- 512 - 128 bits, 192 bits, 256 bits for KAS- ECC- SSC
SSH DH Client Public KeyPublic key - PSPEphemeral Diffie- Hellman public key used in SSH (sent by the client to the module acting as the server)2048 bits for KAS- FFC-SSC - 112 bits for KAS- FFC-SSC
IKE-DH-PUBIKE Diffie- Hellman public key - PSPDiffie- Hellman public key used in IKE2048 bits - 112 bitsKAS3 KAS4

EC DiffieHellman DiffieHellman KASECCSSC P256, P384, P512 - 128 KASECCSSC Document Version 1.0

Page 44

HMAC (SHA256) HMAC (SHA256) DiffieHellman EC DiffieHellman DiffieHellman DiffieHellman KASECCSSC P256, P384, P512 - 128 KASECCSSC IKE DiffieHellman IKE DiffieHellman Table 20: SSP Table 1 Document Version 1.0

Page 45
Sensitive security parameter
NameStorageZeroization
SSH Private Host KeyNVRAM:PlaintextDeletion of virtual instance
SSH ECDH Private KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationUntil session terminatio n
SSH DH Private KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationUntil session terminatio n
SSH Session KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationUntil session terminatio n
User PasswordNVRAM:Obfuscate dDeletion of virtual instanceEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
CO PasswordNVRAM:Obfuscate dDeletion of virtual instanceEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
HMAC_DRBG V valueRAM:PlaintextPower- cycleUntil power- cycle
HMAC_DRBG Key valueRAM:PlaintextPower- cycleUntil power- cycle
HMAC_DRBG entropy inputRAM:PlaintextPower- cycleUntil power- cycle
HMAC_DRBG seedRAM:PlaintextPower- cycleUntil power- cycle
ECDH Shared SecretRAM:PlaintextDeletion of virtual instance Power- cycle Derivation of session keyUntil SSH session key derivation
DH Shared SecretRAM:PlaintextDeletion of virtual instance Power- cycle Derivation of session keyUntil SSH session key derivation
HMAC KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationUntil session terminatio n
SSH Public Host KeyNVRAM:PlaintextDeletion of virtual instanceOutput during SSH negotiation (host key)
User Authentication Public KeysNVRAM:PlaintextDeletion of virtual instanceEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
CO Authentication Public KeysNVRAM:PlaintextDeletion of virtual instanceEntered over SSH - NVRAM
JuniperRootC ANVRAM:PlaintextDeletion of virtual instanceLoaded at manufactur e
PackageCANVRAM:PlaintextDeletion of virtual instanceLoaded at manufactur e
SSH ECDH Public KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationUntil session terminatio nOutput during SSH negotiation (Key Agreement public key)
SSH DH Public KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationUntil session terminatio nOutput during SSH negotiation (Key Agreement public key)
Software Integrity KeyNVRAM:PlaintextDeletion of virtual instanceLoaded at manufactur e
IKE-PSKNVRAM:PlaintextDeletion of virtual instanceEntered over SSH - NVRAM Entered through the CLI via console connection - NVRAM
IKE-SKEYIDRAM:PlaintextDerivation of session keyuntil session key derivation
IKE-SEKRAM:PlaintextDeletion of virtual instance Power- cycleuntil session terminatio n

n n n d d n Powercycle Powercycle Powercycle powercycle Powercycle Document Version 1.0

Page 46

powercycle powercycle powercycle n n Powercycle Powercycle Powercycle Powercycle Powercycle Powercycle Document Version 1.0

Page 47

e e n n e A n n Powercycle Powercycle Powercycle Document Version 1.0

Page 48
Sensitive security parameter
NameStorageZeroizationInput
ESP-SEKRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationuntil session terminatio n
IKE-DH-PRIRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationuntil session terminatio nIKE-DH- PUB:Paire d With
SSH ECDH Client Public KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationInput during SSH negotiationuntil session terminatio n
SSH DH Client Public KeyRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationInput during SSH negotiationuntil session terminatio n
IKE-DH-PUBRAM:PlaintextDeletion of virtual instance Power- cycle Session terminationOutput during IPsec negotiationuntil session terminatio nIKE-DH- PRI:Paired With

n n n n n n Powercycle Powercycle Powercycle Powercycle Powercycle Table 21: SSP Table 2

9.5 Transitions

Per the NIST SP 800-133Ar2/3 and the programmatic transitions defined by the CMVP, the following algorithm transitions apply to the module, and the algorithms have been designated allowed/non-approved accordingly in Section 2.5: Document Version 1.0

Page 49
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorTest Method
Software Integrity TestSoftware Integrity TestKATSW/FW IntegrityVerifyUsing ECDSA P-256 with SHA2-256FIPS Self-tests Passed
HMAC DRBG (A3335)HMAC DRBG (A3335)KATNIST 800-90 HMAC DRBG Known Answer Test : PassedDuring bootPrediction Resistance: Yes Supports Reseed Capabilities: Mode: SHA2- 256 Entropy Input: 256 Nonce: 128 PersonalizatiN/ACAST
HMAC- SHA2- 256 (A3335)HMAC- SHA2- 256 (A3335)KATHMAC- SHA2- 256 Known Answer Test : PassedDuring bootKey Length: 256 bitsN/ACAST
AES- CBC (A3342) - Encrypt - 128 bitsAES- CBC (A3342) - Encrypt - 128 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey Length: 128 bitsEncryptCAST
AES- CBC (A3342) - Encrypt - 192 bitsAES- CBC (A3342) - Encrypt - 192 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey Length: 192 bitsEncryptCAST
AES- CBC (A3342) - Encrypt - 256 bitsAES- CBC (A3342) - Encrypt - 256 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey Length: 256 bitsEncryptCAST
AES- CBC (A3342) - Decrypt - 128 bitsAES- CBC (A3342) - Decrypt - 128 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey Length: 128 bitsDecryptCAST
AES- CBC (A3342) - Decrypt - 192 bitsAES- CBC (A3342) - Decrypt - 192 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey Length: 192 bitsDecryptCAST
AES- CBC (A3342) - Decrypt - 256 bitsAES- CBC (A3342) - Decrypt - 256 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey Length: 256 bitsDecryptCAST
HMAC- SHA-1 (A3342)HMAC- SHA-1 (A3342)KATHMAC- SHA-1 Known Answer Test : PassedDuring bootKey Length: 160 bitsN/ACAST
HMAC- SHA2- 256 (A3342)HMAC- SHA2- 256 (A3342)KATHMAC- SHA2- 256 Known Answer Test : PassedDuring bootKey Length: 256 bitsN/ACAST
HMAC- SHA2- 512 (A3342)HMAC- SHA2- 512 (A3342)KATHMAC- SHA2- 512 Known Answer Test : PassedDuring bootKey Length: 512 bitsN/ACAST
KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-256KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-256KATKAS- ECC- EPHEM- UNIFIED -NOKC Known Answer Test: PassedDuring bootDomain Parameter Generation Methods: P- 256N/ACAST
KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-384KAS- ECC- SSC Sp800- 56Ar3 (A3342) - P-384KATKAS- ECC- EPHEM- UNIFIED -NOKC Known Answer Test: PassedDuring bootDomain Parameter Generation Methods: P- 384N/ACAST
KAS- FFC- SSCKAS- FFC- SSCKATKAS- FFC- EPHEM-During bootDomain Parameter GenerationN/ACAST
Sp800- 56Ar3 (A3342)Sp800- 56Ar3 (A3342)NOKC Known Answer Test: PassedMethods: MODP-2048
KDF SSH (A3341)KDF SSH (A3341)KATKDF- SSH- SHA2- 256 Known Answer Test: PassedDuring bootCipher: AES- 128, AES- 192, AES- 256 ; Hash Algorithm: SHA-1, SHA2-256, SHA2-512N/ACAST
RSA SigGen (FIPS18 6-5) (A3342)RSA SigGen (FIPS18 6-5) (A3342)KATRSA- SIGN Known Answer Test: PassedDuring bootModulus 2048 bits SHA2-256SignCAST
RSA SigVer (FIPS18 6-5) (A3342)RSA SigVer (FIPS18 6-5) (A3342)KATRSA- VERIFY Known Answer Test: PassedDuring bootModulus 2048 bits SHA2-256VerifyCAST
ECDSA SigGen (FIPS18 6-5) (A3342)ECDSA SigGen (FIPS18 6-5) (A3342)KATECDSA- SIGN Known Answer Test: PassedDuring bootCurve: P-256 Hash Algorithm: SHA2-256SignCAST
ECDSA SigVer (FIPS18 6-5) (A3342)ECDSA SigVer (FIPS18 6-5) (A3342)KATECDSA- VERIFY Known Answer Test: PassedDuring bootCurve: P-256 Hash Algorithm: SHA2-256VerifyCAST
SHA2- 512 (A3340)SHA2- 512 (A3340)KATSHA-2- 512 Known Answer Test: PassedDuring bootSHA2-512N/ACAST
Entropy test - NIST SPEntropy test - NIST SPRCTpassDuring boot and continuallyNIST SP 800-90B Repetitive Count TestCutoff value C = 21CAST
Entropy test - NIST SP 800-90B APTEntropy test - NIST SP 800-90B APTAPTpassDuring boot and continuallyNIST SP 800-90B Adapative Proportion TestW = 512; Cutoff value C = 311CAST
ECDSA KeyGen (FIPS18 6-5) (A3342)ECDSA KeyGen (FIPS18 6-5) (A3342)PCT0On key generationCurve: P-256 Hash Algorithm: SHA2-256Key pair generated for SSP agreement in the context of SSHv2 protocol and for key generation for use in ECDSA signature generation/verificati onPCT
KAS- FFC- SSC Sp800- 56Ar3 (A3342) - PCTKAS- FFC- SSC Sp800- 56Ar3 (A3342) - PCTPCT0On key generationCapabilities: Domain Parameter: MODP2048Key pair generated for SSP agreement in the context of SSHv2 protocolPCT
RSA KeyGen (FIPS18 6-5) (A3342)RSA KeyGen (FIPS18 6-5) (A3342)PCT0On key generationModulus: 2048 Hash SHA2-256Key pair generated for signature generation/verificati on in the context of SSHv2 protocolPCT
Manual entry test (duplicat e entries)Manual entry test (duplicat e entries)Duplicate entry test required for entry of operator password s and IKE-PSK via direct connectio n to the module's console (serial) interfaceComman d prompt with "fips" string provided post completio n of the testOn configurati on of operator passwords and IKE- PSKDuplicate entry test required for entry of operator passwords and IKE-PSK via direct connection to the module's console (serial) interfaceN/AManu al Entry
KDF IKEv1 (A3343)KDF IKEv1 (A3343)KATIKEV1 Known Answer Test: PassedDuring bootIKEv1 (IPSec) KDFN/ACAST
KDF IKEv2 (A3343)KDF IKEv2 (A3343)KATIKEV2 Known Answer Test: PassedDuring bootIKEv2 (IPSec) KDFN/ACAST
AES- CBC (A3343) - Encrypt - 128 bitsAES- CBC (A3343) - Encrypt - 128 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey length: 128 bitsEncryptCAST
AES- CBC (A3343) - Decrypt - 128 bitsAES- CBC (A3343) - Decrypt - 128 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey length: 128 bitsDecrytCAST
HMAC- SHA2- 256 (A3343)HMAC- SHA2- 256 (A3343)KATHMAC- SHA2- 256 Known Answer Test : PassedDuring bootKey length: 256 bitsN/ACAST
AES- CBC (A3339) - Encrypt - 128 bitsAES- CBC (A3339) - Encrypt - 128 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey length: 128 bitsEncryptCAST
AES- CBC (A3339) - Decrypt - 128 bitsAES- CBC (A3339) - Decrypt - 128 bitsKATAES- CBC Known Answer Test : PassedDuring bootKey length: 128 bitsDecryptCAST
HMAC- SHA2- 256 (A3339)HMAC- SHA2- 256 (A3339)KATHMAC- SHA2- 256 Known AnswerDuring bootKey length: 256 bitsN/ACAST

a. Usage of SHA-1 for SigVer is allowed for legacy use only until 2030. Thereafter, all usage of SHA-1 will be considered a non-approved, not allowed algorithm. b. Until January 1, 2031, the following algorithms will be considered deprecated: a. Hash function and HMAC using SHA-1 hash function b. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation c. As of January 1, 2031, the following algorithms will be considered deprecated/disallowed (i.e. non-approved, not allowed)/legacy use: a. Use of the 112-bit security strength for classical digital signature and keyestablishment mechanisms (deprecated) b. Use of the 112-bit security strength for block ciphers (disallowed) c. Use of a security strength less than 128-bits but greater than 112 bits for ECDA KeyGen and RSA KeyGen (PKCS #1 v1.5 & PSS) (deprecated) d. HMAC using SHA-1 hash function (legacy use) e. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Generation (disallowed) f. Use of a security strength less than 128-bits but greater than 112 bits for HMAC Verification (legacy use)

10.1 Pre-Operational Self-Tests

Table 22: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known integrity test on each boot prior to executing the software integrity test.

10.2 Conditional Self-Tests
Page 50

HMACSHA2256 Length: 0256 s HMACSHA2256 AESCBC AESCBC AESCBC AESCBC AESCBC N/A AESCBC AESCBC AESCBC AESCBC AESCBC Document Version 1.0

Page 51

AESCBC s HMACSHA-1 N/A HMACSHA2256 N/A HMACSHA2512 N/A KASECCSSC Sp80056Ar3 Methods: P256 N/A KASECCSSC Sp80056Ar3 Methods: P384 N/A KASFFCSSC AESCBC HMACSHA-1 HMACSHA2256 HMACSHA2512 KASECCEPHEMUNIFIED KASECCEPHEMUNIFIED KASFFCEPHEMN/A Document Version 1.0

Page 52

Sp80056Ar3 Cipher: AES128, AES192, AES256 ; Hash 6-5) 6-5) 6-5) SHA2512 6-5) KDFSSHSHA2256 RSASIGN RSAVERIFY ECDSASIGN ECDSAVERIFY SHA-2512 s N/A N/A Document Version 1.0

Page 53

6-5) s KASFFCSSC Sp80056Ar3 6-5) N/A and IKEPSK Document Version 1.0

Page 54

s N/A N/A AESCBC AESCBC HMACSHA2256 N/A AESCBC AESCBC HMACSHA2256 AESCBC AESCBC HMACSHA2256 AESCBC AESCBC HMACSHA2256 N/A Document Version 1.0

Page 55
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
Software Integrity TestSoftware Integrity TestKATSW/FW IntegrityOn DemandManually via a reboot
HMAC DRBG (A3335)HMAC DRBG (A3335)KATCASTOn DemandManually via a reboot
HMAC-SHA2- 256 (A3335)HMAC-SHA2- 256 (A3335)KATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Encrypt - 128 bitsAES-CBC (A3342) - Encrypt - 128 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Encrypt - 192 bitsAES-CBC (A3342) - Encrypt - 192 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Encrypt - 256 bitsAES-CBC (A3342) - Encrypt - 256 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Decrypt - 128 bitsAES-CBC (A3342) - Decrypt - 128 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Decrypt - 192 bitsAES-CBC (A3342) - Decrypt - 192 bitsKATCASTOn DemandManually via a reboot
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
Software Integrity TestSoftware Integrity TestKATSW/FW IntegrityOn DemandManually via a reboot
HMAC DRBG (A3335)HMAC DRBG (A3335)KATCASTOn DemandManually via a reboot
HMAC-SHA2- 256 (A3335)HMAC-SHA2- 256 (A3335)KATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Encrypt - 128 bitsAES-CBC (A3342) - Encrypt - 128 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Encrypt - 192 bitsAES-CBC (A3342) - Encrypt - 192 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Encrypt - 256 bitsAES-CBC (A3342) - Encrypt - 256 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Decrypt - 128 bitsAES-CBC (A3342) - Decrypt - 128 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Decrypt - 192 bitsAES-CBC (A3342) - Decrypt - 192 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3342) - Decrypt - 256 bitsAES-CBC (A3342) - Decrypt - 256 bitsKATCASTOn DemandManually via a reboot
HMAC-SHA-1 (A3342)HMAC-SHA-1 (A3342)KATCASTOn DemandManually via a reboot
HMAC-SHA2- 256 (A3342)HMAC-SHA2- 256 (A3342)KATCASTOn DemandManually via a reboot
HMAC-SHA2- 512 (A3342)HMAC-SHA2- 512 (A3342)KATCASTOn DemandManually via a reboot
KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-256KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-256KATCASTOn DemandManually via a reboot
KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-384KAS-ECC-SSC Sp800-56Ar3 (A3342) - P-384KATCASTOn DemandManually via a reboot
KAS-FFC-SSC Sp800-56Ar3 (A3342)KAS-FFC-SSC Sp800-56Ar3 (A3342)KATCASTOn DemandManually via a reboot
KDF SSH (A3341)KDF SSH (A3341)KATCASTOn DemandManually via a reboot
RSA SigGen (FIPS186-5) (A3342)RSA SigGen (FIPS186-5) (A3342)KATCASTOn DemandManually via a reboot
RSA SigVer (FIPS186-5) (A3342)RSA SigVer (FIPS186-5) (A3342)KATCASTOn DemandManually via a reboot
ECDSA SigGen (FIPS186-5) (A3342)ECDSA SigGen (FIPS186-5) (A3342)KATCASTOn DemandManually via a reboot
ECDSA SigVer (FIPS186-5) (A3342)ECDSA SigVer (FIPS186-5) (A3342)KATCASTOn DemandManually via a reboot
SHA2-512 (A3340)SHA2-512 (A3340)KATCASTOn DemandManually via a reboot
Entropy test - NIST SP 800- 90B RCTEntropy test - NIST SP 800- 90B RCTRCTCASTOn DemandManually via a reboot
Entropy test - NIST SP 800- 90B APTEntropy test - NIST SP 800- 90B APTAPTCASTOn DemandManually via a reboot
ECDSA KeyGen (FIPS186-5) (A3342)ECDSA KeyGen (FIPS186-5) (A3342)PCTPCTOn DemandManually via a reboot
KAS-FFC-SSC Sp800-56Ar3 (A3342) - PCTKAS-FFC-SSC Sp800-56Ar3 (A3342) - PCTPCTPCTOn DemandManually via a reboot
RSA KeyGen (FIPS186-5) (A3342)RSA KeyGen (FIPS186-5) (A3342)PCTPCTOn DemandManually via a reboot
Manual entry test (duplicate entries)Manual entry test (duplicate entries)Duplicate entry test required for entry of operator passwords and IKE-PSK via direct connection to the module's console (serial) interfaceManual EntryOn DemandManually via configuration of operator passwords and IKE-PSK
KDF IKEv1 (A3343)KDF IKEv1 (A3343)KATCASTOn DemandManually via a reboot
KDF IKEv2 (A3343)KDF IKEv2 (A3343)KATCASTOn DemandManually via a reboot
AES-CBC (A3343) - Encrypt - 128 bitsAES-CBC (A3343) - Encrypt - 128 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3343) - Decrypt - 128 bitsAES-CBC (A3343) - Decrypt - 128 bitsKATCASTOn DemandManually via a reboot
HMAC-SHA2- 256 (A3343)HMAC-SHA2- 256 (A3343)KATCASTOn DemandManually via a reboot
AES-CBC (A3339) - Encrypt - 128 bitsAES-CBC (A3339) - Encrypt - 128 bitsKATCASTOn DemandManually via a reboot
AES-CBC (A3339) - Decrypt - 128 bitsAES-CBC (A3339) - Decrypt - 128 bitsKATCASTOn DemandManually via a reboot
HMAC-SHA2- 256 (A3339)HMAC-SHA2- 256 (A3339)KATCASTOn DemandManually via a reboot

s Table 23: Conditional Self-Tests Cryptographic Algorithm Self-tests (CASTs) are performed on each boot of the module. Other conditional self-tests are performed by the module when the corresponding condition is met. The pairwise consistency tests are performed on key pair generation for use in signature generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC-SSC or KASFFC-SSC SSP agreement (ECDSA and DSA tests respectively). The software load test is performed when a software image (.tgz) is loaded onto the module from an external source.

10.3 Periodic Self-Test Information

Table 24: Pre-Operational Periodic Information Document Version 1.0

Page 57

Table 25: Conditional Periodic Information The pre-operational software integrity test as well as all CASTs must be completed successfully prior to any other use of cryptography by the module in the Approved mode of operation. These tests can also be performed periodically by rebooting the module.

10.4 Error States
Page 58
Service
NameDescriptionRole AccessIndicator
Hard Error stateIf the pre-operation software integrity test, if any of the CASTs or pair-wise consistency tests fail, then the module returns an error indicator, inhibits all data output and enters the hard error stateIf the pre- operational software integrity test or if any of the CASTs fail"FIPS error: self-test failure" for software integrity failure, "FIPS error 1: <name of the algorithm> Known Answer Test: Failed" for CAST failure and -1 for pair-wise consistency test failureN/A
Soft Error stateIn the event of an APT or RCT health test failure, output from the entropy source is inhibited, all entropy accumulated in the conditioning context is discarded and the start-up health-tests are performed againIf the APT or RCT test failsEntropy data discarded in case of APT/RCT failureIn case of APT and/or RCT failures, new data continues to be tested by the health tests, and once both health tests indicate a "pass", the entropy source again outputs data

N/A Table 26: Error States generated keypair/loaded image, returns an error indicator and resumes normal operation.

10.5 Operator Initiation of Self-Tests

Each time the module is powered up it tests that all the cryptographic algorithms operate correctly, and that sensitive data have not been damaged. Pre-operational as well as Conditional Cryptographic Algorithm Self-tests (CAST) are performed on each power up/boot of the module and on demand by power cycling the module (Perform self-tests (remote reset) service).

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
Page 59

The module is in the non-compliant state by default. The Crypto Officer (CO) shall follow the instructions in this section to download, install and initialize the module onto the host platforms identified in Table

  1. Next, the module must be configured in Approved mode, as described below, and rebooted. Once the module is rebooted and the integrity and self-tests have run successfully on initial boot, the module is operational in the Approved mode. The Crypto Officer must follow the procedures defined below for secure installation, initialization, startup and operation of the module. Downloading the Image The Crypto Officer must check to verify the image being loaded on the module is the FIPS 1403 validated version/image. If the image is the FIPS 140-3 validated image, then proceed with installation of the image. Guide to Download Software Packages for vSRX 3.0 from Juniper Networks:
  2. Using a Web browser, follow the link to the download URL on the Juniper Networks webpage at https://www.juniper.net/support/downloads/?p=vsrx#sw
  3. Log in to the Juniper Networks website using the username (generally your e-mail address) and password supplied by your Juniper Networks representatives.
  4. Under “Version” dropped down list, select the appropriate certified Release (Example: 22.2R2-S2.3).
  5. Under “Application Media” section, select the appropriate software package for the target release version and hypervisor.
  6. Download Junos OS to a local host or to an internal software distribution site.
  7. MD5 checksum and SHA1 checksum can be found under “Checksum” o Verify the checksum of the download with the provided checksum The crypto-officer shall follow the instructions for installation provided in the Juniper Networks documentation: For installing the vSRX 3.0 using a .tgz file, the instructions can be found in the Junos® OS FIPS Evaluated Configuration Guide for vSRX 3.0 Instance. The CLI command from the aforementioned document to install Junos OS is repeated below: >request system software add /<image-path>/<junos package>no-copy no-validate reboot Where the <junos package> is the .tgz file for e.g. junos-install-vsrx3-x86-64-22.2R2.tgz. For installing the vSRX 3.0 using an .ova file, the instructions can be found in the vSRX Guide for VMware. The steps from the aforementioned document are repeated below:
  8. Enter the vCenter server hostname or address in your browser (https://<ipaddress>:9443) to access the vSphere WebClient, and login to the vCenter server with your credentials.
  9. Select a host or other valid parent for a virtual machine and click Actions>All vCenter Actions>Deploy OVF Template.
  10. Click Browse to locate the vSRX 3.0 software package, and then click Next.
  11. Click Next in the OVF Template Details window.
  12. Click Accept in the End User License Agreement window, and then click Next.
  13. Change the default vSRX 3.0 VM name in the Name box and click Next. It is advisable to keep this name the same as the hostname you intend to give to the VM.
  14. In the Datastore window, do not change the default settings for: • Datastore • Available Space Document Version 1.0
Page 60
  1. Select a datastore to store the configuration file and virtual disk files in OVF template, and then click Next.
  2. Select your management network from the list, and then click Next. The management network is assigned to the first network adapter, which is reserved for the management interface (fxp0).
  3. Click Finish to complete the installation.
  4. Open the Edit Settings page of the vSRX 3.0 VM and select a virtual switch for each network adapter. Three network adapters are created by default. Network adapter 1 is for the management network (fxp0). To add a fourth adapter, select Network from New device list at the bottom of the page.
  5. Enable promiscuous mode for the management virtual switch:
  6. Select the host where the vSRX 3.0 VM is installed and select Manage>Networking >Virtual switches.
  7. In the list of virtual switches, select vSwitch0 to view the topology diagram for the management network connected to network adapter 1.
  8. Click the Edit icon at the top of the list, select Security, and select Accept next to Promiscuous mode. Click OK. Once the FIPS 140-3 validated vSRX 3.0 software is installed on the hardware platform and hypervisor in Table 3 then the crypto-officer shall follow the instructions below to place the module in the Approved mode of operation. Enabling the Approved Mode of Operation: The CO shall enable the module for Approved mode of operation by performing the following steps.
  9. Set up the password for root authentication: root@host> set system root-authentication plaintext-password Enter password: Re-enter password: root@host> commit commit complete
  10. Enable the Approved mode: root@host> set system fips level 2 *
  11. Commit. root@host> commit
  12. Restart the virtual machine from the hypervisor console.
  13. Verify that the module is operational in the Approved mode in the correct version (Junos OS 22.2R2-S2.3) by using the “show version” command. The command prompt should contain the string “fips” denoting that the Approved mode has been successfully configured. Document Version 1.0
Page 61

*Note: This module is a FIPS 140-3 Security Level 1 module but the command “set system fips level 2” must be used to invoke the Approved mode of operation. Please note this is Juniper terminology only. The module claims to meet FIPS 140-3/ISO 19790 Security Level

  1. Then, the CO must run the following commands to configure the SSHv2 protocol:
  2. Edit system services ssh and set root-login allow [edit system services] root@host# set ssh root-login allow
  3. Assign an IP address to the fxp0 interface and set the routing options [edit] root@host# set interfaces fxp0 unit <unit> family inet address <ip address> root@host# set routing-options static route 0.0.0.0/0 next-hop <gateway> The “show configuration security ike” and “show configuration security ipsec” commands display the approved and configured IKE/IPsec configuration for the module. Zeroisation The vSRX 3.0 instance can be deleted from the datastore of the VMware ESXi 7.0 hypervisor as the method of zeroisation. The cryptographic officer must retain control of the module while zeroisation is in process.
11.2 Administrator Guidance

For further information and for the Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for vSRX, Release 22.2R2 document.

11.3 Non-Administrator Guidance

For further information and for the non-Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for vSRX, Release 22.2R2 document.

11.4 Design and Rules

The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.

  1. The module clears previous authentications on power cycle.
  2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
  3. Pre-operational self-test do not require any operator action.
  4. Data output is inhibited during key generation, self-tests, zeroization, and error states.
  5. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  6. There are no restrictions on which keys or CSPs are zeroized by the zeroization service. Document Version 1.0
Page 62
  1. The module does not support a maintenance interface or role.
  2. The module does not support manual key entry.
  3. The module does not output intermediate key values.
  4. The module does not output plaintext CSPs.
  5. The cryptographic officer must retain control of the module while zeroisation is in process.
  6. Entropy Source: The Juniper Networks vSRX 3.0 Virtual Firewall (running Junos OS 22.2R2-S2.3) cryptographic module is a software module with an entropy gathering non-physical entropy source inside of the module's physical perimeter per IG 9.3.A Scenario
  7. (b) (ESV cert.#E56 applies to the module). The module generates sufficient entropy for the generation of SSPs (using the approved DRBG of the module) with the maximum target security strength (256 bits) needed. As can be verified from the Public Use Document and Security Policy Section 2.8, Entropy Sources Table 11, the entropy source generates a minimum of 448 bits of overall entropy per 512-bit output sample/

6.4 per 8-bit sample (entropy input to the DRBG). The DRBG is seeded with 512 bits.

11.5 Maintenance Requirements

No other maintenance requirements apply for operation of the module in the Approved/nonApproved modes as defined above.

11.6 End of Life

The module can be securely sanitized at the end of its lifetime by zeroising it.

12 Mitigation of Other Attacks
12.1 Attack List

The module does not implement any mitigation of other attacks and thus the requirements per this section do not apply to the module. Document Version 1.0

Referenced URLs