Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 1 of 39
Juniper Networks
FIPS 140-3 Non-Proprietary Security Policy
Juniper Networks EX, QFX and ACX Series with MACsec
Version: Junos OS 22.3R2-S1
Prepared for:
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408.745.2000
1.888 JUNIPER
www.juniper.net
Prepared by:
www.teronlabs.com
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 2 of 39
Table of Contents
1 General ........................................................................................................................................................... 6
1.1 Overview ................................................................................................................................................ 6
1.2 Security Levels....................................................................................................................................... 6
2 Cryptographic Module Specification........................................................................................................ 6
2.1 Description............................................................................................................................................. 6
2.2 Tested and Vendor Affirmed Module Version and Identification.............................................10
2.3 Excluded Components.......................................................................................................................11
2.4 Modes of Operation...........................................................................................................................11
2.5 Algorithms ............................................................................................................................................11
2.6 Security Function Implementations ................................................................................................14
2.7 Algorithm Specific Information ........................................................................................................16
2.8 RBG and Entropy ................................................................................................................................17
2.9 Key Generation ...................................................................................................................................17
2.10 Key Establishment............................................................................................................................17
2.11 Industry Protocols ............................................................................................................................18
3 Cryptographic Module Interfaces ...........................................................................................................18
3.1 Ports and Interfaces ...........................................................................................................................18
4 Roles, Services, and Authentication........................................................................................................19
4.1 Authentication Methods....................................................................................................................19
4.2 Roles ......................................................................................................................................................19
4.3 Approved Services..............................................................................................................................20
4.4 Non-Approved Services.....................................................................................................................23
4.5 External Software/Firmware Loaded..............................................................................................23
5 Software/Firmware Security....................................................................................................................23
5.1 Integrity Techniques...........................................................................................................................23
5.2 Initiate on Demand.............................................................................................................................23
6 Operational Environment .........................................................................................................................24
6.1 Operational Environment Type and Requirements .....................................................................24
6.2 Configuration Settings and Restrictions.........................................................................................24
7 Physical Security.........................................................................................................................................24
7.1 Mechanisms and Actions Required.................................................................................................24
8 Non-Invasive Security ...............................................................................................................................24
9 Sensitive Security Parameters Management ........................................................................................24
9.1 Storage Areas.......................................................................................................................................24
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 3 of 39
9.2 SSP Input-Output Methods..............................................................................................................25
9.3 SSP Zeroization Methods..................................................................................................................25
9.4 SSPs .......................................................................................................................................................26
9.5 Transitions............................................................................................................................................30
10 Self-Tests...................................................................................................................................................30
10.1 Pre-Operational Self-Tests.............................................................................................................30
10.2 Conditional Self-Tests .....................................................................................................................30
10.3 Periodic Self-Test Information.......................................................................................................33
10.4 Error States........................................................................................................................................35
10.5 Operator Initiation of Self-Tests ...................................................................................................36
11 Life-Cycle Assurance...............................................................................................................................36
11.1 Installation, Initialization, and Startup Procedures ....................................................................36
11.2 Administrator Guidance...........................................................................................................36
11.2.1 Installing the Junos OS firmware image...............................................................................36
11.2.2 Configure the device for the Approved mode....................................................................37
11.2.3 Zeroizing the System............................................................................................................37
11.3 Non-Administrator Guidance.........................................................................................................38
11.4 Design and Rules ..............................................................................................................................38
11.4.1 Module Design Rules ...........................................................................................................38
11.4.2 Module Operation Rules .....................................................................................................38
11.5 Maintenance Requirements ...........................................................................................................38
11.6 End of Life..........................................................................................................................................39
12 Mitigation of Other Attacks...................................................................................................................39
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 4 of 39
List of Tables
Table 1: Security Levels.................................................................................................................................. 6
Table 2: Tested Module Identification – Hardware................................................................................10
Table 3: Modes List and Description .........................................................................................................11
Table 4: Approved Algorithms - OpenSSL 1.0.2......................................................................................12
Table 5: Approved Algorithms - MACsec .................................................................................................12
Table 6: Approved Algorithms - MACsec PHY........................................................................................13
Table 7: Approved Algorithms - OpenSSL 1.1.1......................................................................................13
Table 8: Approved Algorithms - Kernel.....................................................................................................13
Table 9: Approved Algorithms - LibMD ....................................................................................................13
Table 10: Vendor-Affirmed Algorithms.....................................................................................................14
Table 11: Security Function Implementations .........................................................................................16
Table 12: Entropy Certificates.....................................................................................................................17
Table 13: Entropy Sources...........................................................................................................................17
Table 14: Ports and Interfaces ....................................................................................................................19
Table 15: Authentication Methods ............................................................................................................19
Table 16: Roles ...............................................................................................................................................19
Table 17: Approved Services.......................................................................................................................23
Table 18: Mechanisms and Actions Required ..........................................................................................24
Table 19: Storage Areas................................................................................................................................25
Table 20: SSP Input-Output Methods.......................................................................................................25
Table 21: SSP Zeroization Methods...........................................................................................................25
Table 22: SSP Table 1....................................................................................................................................27
Table 23: SSP Table 2....................................................................................................................................30
Table 24: Pre-Operational Self-Tests ........................................................................................................30
Table 25: Conditional Self-Tests.................................................................................................................33
Table 26: Pre-Operational Periodic Information .....................................................................................33
Table 27: Conditional Periodic Information..............................................................................................35
Table 28: Error States ...................................................................................................................................35
List of Figures
Figure 1 – EX4400-24P Ethernet switch (front)........................................................................................ 7
Figure 2 –EX4400-24P Ethernet switch (rear) .......................................................................................... 7
Figure 3 –EX4400-24T Ethernet switch (front)......................................................................................... 7
Figure 4 – EX4400-24T Ethernet switch (rear) ......................................................................................... 8
Figure 5 – EX4400-48T Ethernet switch (front)........................................................................................ 8
Figure 6 – EX4400-48T Ethernet switch (rear) ......................................................................................... 8
Figure 7 – EX4400-48P Ethernet switch (front)........................................................................................ 8
Figure 8 – EX4400-48P Ethernet switch (rear) ......................................................................................... 8
Figure 9 – EX4400-48F Ethernet switch (front)........................................................................................ 8
Figure 10 – EX4400-48F Ethernet switch (rear)....................................................................................... 8
Figure 11 – EX4400-24MP Ethernet switch (front) ................................................................................. 9
Figure 12 – EX4400-24MP Ethernet switch (rear) ................................................................................... 9
Figure 13 – EX4400-48MP Ethernet switch (front) ................................................................................. 9
Figure 14 – EX4400-48MP Ethernet switch (rear) ................................................................................... 9
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 5 of 39
Figure 15 – QFX5120-48YM switch (front)............................................................................................... 9
Figure 16 – QFX5120-48YM switch (rear)................................................................................................. 9
Figure 17 – ACX5448-M Router – Front.................................................................................................... 9
Figure 18 – ACX5448-M Router – Rear ...................................................................................................10
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 6 of 39
1 General
1.1 Overview
This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks EX,
QFX and ACX series network devices running Junos OS 22.3R2-S1.
1.2 Security Levels
The cryptographic module is designed to meet FIPS 140-3 Level 1 overall. The table below
shows the security levels claimed for each section of the security requirements.
Section Title Security Level
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 2
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security 1
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Overall Level 1
Table 1: Security Levels
2 Cryptographic Module Specification
2.1 Description
Purpose and Use:
The following models are included in this validation and provide network switching and routing
functionality:
• EX4400-24T
• EX4400-24P
• EX4400-48T
• EX4400-48P
• EX4400-48F
• EX4400-24MP
• EX4400-48MP
• QFX5120-YM
• ACX5448-M
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 7 of 39
The cryptographic module runs Junos OS, Juniper’s reliable, high-performance, modular network
operating system that is supported across all of Juniper’s physical and virtual routing, switching,
and security platforms.
The cryptographic module provides for an encrypted connection, using SSH, between the
management station and the module. The cryptographic modules also provide for an encrypted
connection, using MACsec, between devices. All other data input or output from the modules
are considered plaintext for this FIPS 140-3 validation.
Module Type:
The cryptographic module is a Hardware cryptographic module.
Module Embodiment:
The cryptographic module is defined as a MultiChipStand module that executes Junos OS
22.3R2-S1 firmware on any of the identified Juniper Networks devices.
Module Characteristics:
There are no additional characteristics relevant to this module.
Cryptographic Boundary:
The cryptographic boundary encompasses the entire Tested Operational Environment Physical
Perimeter (TOEPP), which is defined as the outer edge of the chassis. The chassis is a rigid sheet-
metal structure that houses all components of the device.
The cryptographic module is FIPS-compliant when installed and configured with Junos OS
22.3R2-S1 validated firmware as specified in section 11.1.
The physical form of the module is depicted in Figure 1 to Figure 18.
Figure 1 – EX4400-24P Ethernet switch (front)
Figure 2 –EX4400-24P Ethernet switch (rear)
Figure 3 –EX4400-24T Ethernet switch (front)
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 8 of 39
Figure 4 – EX4400-24T Ethernet switch (rear)
Figure 5 – EX4400-48T Ethernet switch (front)
Figure 6 – EX4400-48T Ethernet switch (rear)
Figure 7 – EX4400-48P Ethernet switch (front)
Figure 8 – EX4400-48P Ethernet switch (rear)
Figure 9 – EX4400-48F Ethernet switch (front)
Figure 10 – EX4400-48F Ethernet switch (rear)
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 9 of 39
Figure 11 – EX4400-24MP Ethernet switch (front)
Figure 12 – EX4400-24MP Ethernet switch (rear)
Figure 13 – EX4400-48MP Ethernet switch (front)
Figure 14 – EX4400-48MP Ethernet switch (rear)
Figure 15 – QFX5120-48YM switch (front)
Figure 16 – QFX5120-48YM switch (rear)
Figure 17 – ACX5448-M Router – Front
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 10 of 39
Figure 18 – ACX5448-M Router – Rear
2.2 Tested and Vendor Affirmed Module Version and Identification
Tested Module Identification – Hardware:
The following models of the module were tested.
Model
and/or Part
Number
Hardware
Version
Firmware
Version
Processors Features
EX4400-48F EX4400-48F JUNOS
22.3R2-S1.9
Intel Atom
C3558R
12 x 10GbE SFP+ ports; 36 x 1GbE SFP fiber
access ports
QFX5120-
48YM
QFX5120-
48YM
JUNOS
22.3R2-S1.9
Intel Xeon D-
1627
48 x 1/10/25GbE SFP/SFP+ ports; 8 x
40/100GbE QSFP+/QSFP28
ACX5400-M ACX5400-M JUNOS
22.3R2-S1.9
Intel Xeon D-
1528
44 x 1GbE/10GbE SFP+/SFP ports; 6 x
40GbE/100GbE QSFP28 ports.
EX4400-24T EX4400-24T JUNOS
22.3R2-S1.9
Intel Atom
C3558R
24 x 1GbE non-PoE ports
EX4400-24P EX4400-24P JUNOS
22.3R2-S1.9
Intel Atom
C3558R
24 x 1GbE PoE ports
EX4400-48T EX4400-48T JUNOS
22.3R2-S1.9
Intel Atom
C3558R
48 x 1GbE non-PoE ports
EX4400-48P EX4400-48P JUNOS
22.3R2-S1.9
Intel Atom
C3558R
48 x 1GbE PoE ports
EX4400-
24MP
EX4400-
24MP
JUNOS
22.3R2-S1.9
Intel Atom
C3558R
24 x 100M/1/2.5/5/10GbE PoE ports
EX4400-
48MP
EX4400-
48MP
JUNOS
22.3R2-S1.9
Intel Atom
C3558R
12 x 100M/1/2.5/5/10GbE and 36 x
100M/1/2.5GbE PoE access ports
Table 2: Tested Module Identification – Hardware
Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets): N/A
The module is not classified as software, firmware, or hybrid; thus, this section is not applicable.
Tested Module Identification – Hybrid Disjoint Hardware: N/A
The module is not classified as hybrid disjoint hardware; thus, this section is not applicable.
Tested Operational Environments - Software, Firmware, Hybrid: N/A
The module is not classified as software, firmware, or hybrid; thus, this section is not applicable.
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 11 of 39
Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A
There are no vendor-affirmed operational environments claimed.
2.3 Excluded Components
No components are excluded from the requirements of FIPS PUB 140-3.
2.4 Modes of Operation
The module supports an Approved mode only. The module enters Approved mode as a result of
successful installation, initialization and configuration steps described in section 11. Until these
procedures have been followed, the module is non-compliant.
Mode
Name
Description Type Status Indicator
Approved Approved mode of operation. Approved Suffix string ":fips" in the cli prompt
Table 3: Modes List and Description
2.5 Algorithms
Approved Algorithms:
Although the module may have been tested for additional algorithms or modes, only those listed
below are utilized by the module.
OpenSSL 1.0.2
Algorithm CAVP Cert Properties Reference
AES-CBC A4210 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
AES-CTR A4210 Direction - Decrypt, Encrypt
Key Length - 128, 192, 256
SP 800-38A
ECDSA KeyGen
(FIPS186-4)
A4210 Curve - P-256, P-384, P-521
Secret Generation Mode - Testing Candidates
FIPS 186-4
ECDSA KeyGen
(FIPS186-4)
A6440 Curve - P-256, P-384, P-521
Secret Generation Mode - Testing Candidates
FIPS 186-4
ECDSA KeyVer
(FIPS186-4)
A4210 Curve - P-256, P-384, P-521 FIPS 186-4
ECDSA KeyVer
(FIPS186-4)
A6440 Curve - P-256, P-384, P-521 FIPS 186-4
ECDSA SigGen
(FIPS186-4)
A4210 Curve - P-256, P-384, P-521
Hash Algorithm - SHA2-256, SHA2-384, SHA2-512
FIPS 186-4
ECDSA SigGen
(FIPS186-4)
A6440 Component - No
Curve - P-256, P-384, P-521
Hash Algorithm - SHA2-256, SHA2-384, SHA2-512
FIPS 186-4
ECDSA SigVer
(FIPS186-4)
A4210 Curve - P-256, P-384, P-521
Hash Algorithm - SHA2-256, SHA2-384, SHA2-512
FIPS 186-4
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 12 of 39
Algorithm CAVP Cert Properties Reference
ECDSA SigVer
(FIPS186-4)
A6440 Component - No
Curve - P-256, P-384, P-521
Hash Algorithm - SHA2-256, SHA2-384, SHA2-512
FIPS 186-4
HMAC-SHA-1 A4210 Key Length - Key Length: 160 FIPS 198-1
HMAC-SHA2-256 A4210 Key Length - Key Length: 256 FIPS 198-1
HMAC-SHA2-512 A4210 Key Length - Key Length: 512 FIPS 198-1
KAS-ECC-SSC Sp800-
56Ar3
A4387 Domain Parameter Generation Methods - P-256, P-
384, P-521
Scheme -
ephemeralUnified -
KAS Role - initiator, responder
SP 800-56A Rev.
3
KDF SSH (CVL) A4347 Cipher - AES-128, AES-192, AES-256
Hash Algorithm - SHA-1, SHA2-256, SHA2-384,
SHA2-512
SP 800-135 Rev.
1
RSA KeyGen (FIPS186-
4)
A4210 Key Generation Mode - B.3.3
Modulo - 2048, 3072, 4096
Primality Tests - Table C.2
Private Key Format - Standard
FIPS 186-4
RSA SigGen (FIPS186-
4)
A4210 Signature Type - PKCS 1.5
Modulo - 2048, 3072, 4096
FIPS 186-4
RSA SigVer (FIPS186-4) A4210 Signature Type - PKCS 1.5
Modulo - 2048, 3072, 4096
FIPS 186-4
SHA-1 A4210 Message Length - Message Length: 0-65536
Increment 8
FIPS 180-4
SHA2-256 A4210 Message Length - Message Length: 0-65536
Increment 8
FIPS 180-4
SHA2-384 A4210 Message Length - Message Length: 0-65536
Increment 8
FIPS 180-4
SHA2-512 A4210 Message Length - Message Length: 0-65536
Increment 8
FIPS 180-4
Table 4: Approved Algorithms - OpenSSL 1.0.2
MACsec
Algorithm CAVP Cert Properties Reference
AES-CBC A4416 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38A
AES-CMAC A4416 Direction - Generation, Verification
Key Length - 128, 256
SP 800-38B
AES-KW A4416 Direction - Decrypt, Encrypt
Key Length - 128
SP 800-38F
KDF SP800-108 A4416 KDF Mode - Counter
Supported Lengths - Supported Lengths: 128, 256
SP 800-108 Rev. 1
Table 5: Approved Algorithms - MACsec
MACsec PHY
Algorithm CAVP Cert Properties Reference
AES-GCM AES 3969 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38D
AES-GCM AES 4544 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38D
AES-GCM AES 4545 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38D
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 13 of 39
Algorithm CAVP Cert Properties Reference
AES-GCM AES 4550 Direction - Decrypt, Encrypt
Key Length - 128, 256
SP 800-38D
AES-GCM C1869 Direction - Decrypt, Encrypt
IV Generation - External
Key Length - 128, 256
SP 800-38D
AES-GCM C996 Direction - Decrypt, Encrypt
IV Generation - External
Key Length - 128, 256
SP 800-38D
Table 6: Approved Algorithms - MACsec PHY
OpenSSL 1.1.1
Algorithm CAVP Cert Properties Reference
ECDSA SigVer (FIPS186-
4)
A4211 Curve - P-256, P-384, P-521
Hash Algorithm - SHA2-256, SHA2-384, SHA2-
512
FIPS 186-4
ECDSA SigVer (FIPS186-
4)
A6401 Component - No
Curve - P-256, P-384, P-521
Hash Algorithm - SHA2-256, SHA2-384, SHA2-
512
FIPS 186-4
SHA2-256 A4211 Message Length - Message Length: 0-65536
Increment 8
FIPS 180-4
Table 7: Approved Algorithms - OpenSSL 1.1.1
Kernel
Algorithm CAVP Cert Properties Reference
HMAC DRBG A4417 Prediction Resistance - Yes
Mode - SHA2-256
SP 800-90A Rev.
1
HMAC-SHA2-
256
A4417 Key Length - Key Length: 256 FIPS 198-1
SHA2-256 A4417 Message Length - Message Length: 0-51200
Increment 8
FIPS 180-4
SHA2-512 A3330 Message Length - Message Length: 0-51200
Increment 8
FIPS 180-4
SHA2-512 A3355 Message Length - Message Length: 0-51200
Increment 8
FIPS 180-4
SHA2-512 A3498 Message Length - Message Length: 0-51200
Increment 8
FIPS 180-4
Table 8: Approved Algorithms - Kernel
LibMD
Algorithm CAVP Cert Properties Reference
HMAC-SHA-1 A4208 Key Length - Key Length: 112, 160 FIPS 198-1
HMAC-SHA2-
256
A4208 Key Length - Key Length: 160, 256 FIPS 198-1
SHA-1 A4208 Message Length - Message Length: 0-51200 Increment
8
FIPS 180-4
SHA2-256 A4208 Message Length - Message Length: 0-51200 Increment
8
FIPS 180-4
SHA2-512 A4208 Message Length - Message Length: 0-65536 Increment
8
FIPS 180-4
Table 9: Approved Algorithms - LibMD
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 14 of 39
Vendor-Affirmed Algorithms:
Name Properties Implementation Reference
CKG Key
type:Asymmetric
Junos 22.3R2-S1 - OpenSSL
1.0.2
SP 800-133 Rev.2 Section 4, example 1 direct
output from DRBG.
Table 10: Vendor-Affirmed Algorithms
Non-Approved, Allowed Algorithms:
N/A for this module.
Non-Approved, Allowed Algorithms with No Security Claimed:
N/A for this module.
Non-Approved, Not Allowed Algorithms:
N/A for this module.
2.6 Security Function Implementations
The module implements the security functions listed in the following table.
Name Type Description Properties Algorithms
Enc/Dec (SSH) BC-UnAuth Unauthenticated
encryption for SSH
AES-CBC: (A4210)
AES-CTR: (A4210)
KAS-SSC (SSH) KAS-SSC Key Agreement
Scheme Shared
Secret Computation
for SSH
KAS-ECC-SSC
Sp800-56Ar3:
(A4387)
KeyGen (SSH) AsymKeyPair-
KeyGen
Key Generation
used for SSH
authentication keys
ECDSA KeyGen
(FIPS186-4):
(A4210, A6440)
ECDSA KeyVer
(FIPS186-4):
(A4210, A6440)
RSA KeyGen
(FIPS186-4):
(A4210)
HMAC DRBG:
(A4417)
CKG: ()
SigGen (SSH) DigSig-SigGen Signature
Generation for peer
authentication in
SSH
ECDSA SigGen
(FIPS186-4):
(A4210, A6440)
RSA SigGen
(FIPS186-4):
(A4210)
SHA2-256: (A4210)
SHA2-384: (A4210)
SHA2-512: (A4210)
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 15 of 39
Name Type Description Properties Algorithms
SigVer (SSH) DigSig-SigVer Signature
Verification for peer
authentication in
SSH
ECDSA SigVer
(FIPS186-4):
(A4210, A6440)
RSA SigVer
(FIPS186-4):
(A4210)
SHA2-256: (A4210)
SHA2-384: (A4210)
SHA2-512: (A4210)
MAC (SSH) MAC Message
authentication for
SSH
HMAC-SHA-1:
(A4210)
HMAC-SHA2-256:
(A4210)
HMAC-SHA2-512:
(A4210)
SHA-1: (A4210)
SHA2-256: (A4210)
SHA2-512: (A4210)
KAS KeyGen (SSH) KAS-KeyGen Key Generation for
Key Agreement in
SSH
ECDSA KeyGen
(FIPS186-4):
(A4210)
ECDSA KeyVer
(FIPS186-4):
(A4210)
CKG: ()
HMAC DRBG:
(A4417)
KDF (SSH) KAS-135KDF Key derivation
function for SSH
KDF SSH: (A4347)
SHA-1: (A4210)
SHA2-256: (A4210)
SHA2-384: (A4210)
SHA2-512: (A4210)
Full KAS (SSH) KAS-Full Full Key Agreement
for SSH
ECDSA KeyGen
(FIPS186-4):
(A4210, A6440)
ECDSA KeyVer
(FIPS186-4):
(A4210, A6440)
KAS-ECC-SSC
Sp800-56Ar3:
(A4387)
SHA-1: (A4210)
SHA2-256: (A4210)
SHA2-384: (A4210)
SHA2-512: (A4210)
KDF SSH: (A4347)
KTS (SSH) KTS-Wrap Key transport using
SSH as per IG D.G
provisions
KTS:128, 256, 384,
521, 2048, 3072,
4096 bit keys
provide between
112 and 256 bits of
encryption strength
AES-CBC: (A4210)
AES-CTR: (A4210)
HMAC-SHA-1:
(A4210)
HMAC-SHA2-256:
(A4210)
HMAC-SHA2-512:
(A4210)
SHA (LibMD) SHA Message Digest
Generation
SHA-1: (A4208)
SHA2-256: (A4208)
SHA2-512: (A4208)
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 16 of 39
Name Type Description Properties Algorithms
MAC (LibMD) MAC Message
Authentication
HMAC-SHA-1:
(A4208)
HMAC-SHA2-256:
(A4208)
SHA-1: (A4208)
SHA2-256: (A4208)
DRBG (Kernel) DRBG Random Bit
Generation
HMAC DRBG:
(A4417)
HMAC-SHA2-256:
(A4417)
SHA2-256: (A4417)
SHA (Kernel) SHA Entropy source
conditioning
component
SHA2-512: (A3355,
A3498, A3330)
Verify image DigSig-SigVer Verification of
firmware image
ECDSA SigVer
(FIPS186-4):
(A4211, A6401)
SHA2-256: (A4211)
Key derivation
(MACsec)
KAS-56CKDF Derivation of
MACsec MKA keys
KDF SP800-108:
(A4416)
AES-CBC: (A4416)
AES-CMAC: (A4416)
Key wrap (MACsec) KTS-Wrap Distribution of
MACsec SAKs
KTS:128 and 256 bit
keys provide
between 128 and
256 bits of
encryption strength
AES-KW: (A4416)
Enc/Dec (MACsec) BC-Auth Encryption and
decryption of
MACsec data
AES-GCM: (AES
3969, AES 4544,
AES 4545, AES
4550, C1869, C996)
Integrity (MACsec) MAC MACsec protocol
data integrity
protection
AES-CMAC: (A4416)
Entropy Source ENT-ESV Entropy source SHA2-512: (A3355,
A3498, A3330)
Table 11: Security Function Implementations
2.7 Algorithm Specific Information
In reference to the MACsec protocol, the modules can take on the role of Peer or Authenticator.
The AES GCM IV construction is performed in compliance with IG C.H scenario 1c (MACsec per
IEEE 802.1AE and its amendments).
The module includes ECDSA algorithms that have been validated using FIPS 186-4 CAVP tests,
which are mathematically identical to FIPS 186-5 CAVP tests. Per IG C.K, all RSA and ECDSA
algorithms implemented by the module are claimed compliant with FIPS 186-5.
The module complies with IG C.F. RSA Key Generation, Signature Generation and Signature
Verification have been tested and validated using CAVP testing for all implemented modulus
lengths (2048, 3072 and 4096 bits). The number of Miller-Rabin tests used for primality testing
as part of RSA Key Generation is consistent with Table C.3.
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 17 of 39
The module implements the following Approved key agreement methods which have been CAVP
tested and validated:
⦁ KAS-ECC per SP 800-56A Rev. 3 (FIPS 140-3 IG D.F Scenario 2, path 2).
The module obtains the FIPS 140-3 IG D.F required key agreement assurances in accordance
with Section 5.6.2 of SP800-56A Rev. 3. All the key agreement protocols implemented by the
module are Diffie-Hellman based.
2.8 RBG and Entropy
The tables below indicate the entropy source used by the module and their associated
certificates.
Cert
Number
Vendor Name
E89 Juniper Networks
Table 12: Entropy Certificates
Name Type Operational
Environment
Sample
Size
Entropy
per
Sample
Conditioning
Component
EX4400 - Junos OS 22.3 Entropy
Source (E89)
Non-
Physical
Intel Atom
C3558R
512 bits 448 bits A3355 (SHA2-
512)
QFX5120-48YM - Junos OS 22.3
Entropy Source (E89)
Non-
Physical
Intel Xeon D-
1627
512 bits 448 bits A3498 (SHA2-
512)
ACX5448-M - Junos OS 22.3 Entropy
Source (E89)
Non-
Physical
Intel Xeon D-
1528
512 bits 448 bits A3330 (SHA2-
512)
Table 13: Entropy Sources
The entropy source is used to seed the module’s HMAC DRBG with the minimum required 256-
bits of entropy. Each 512-bit block of conditioned output from the entropy source contains 448
bits of entropy. The HMAC DRBG is used for all random data required by the module, including
key generation.
There are no initialization procedures required by the users of the module to operate the entropy
source in a compliant manner. The module complies with the ESV Public Use document of the
validated entropy source (Cert. E89).
2.9 Key Generation
The cryptographic module implements the key generation methods listed above in the Security
Functions implementation table.
2.10 Key Establishment
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 18 of 39
The cryptographic module implements the key establishment methods listed above in the
Security Functions implementation table.
2.11 Industry Protocols
The cryptographic module supports the protocols listed below. No part of these protocols, other
than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and
CMVP. The SSH algorithms allow independent selection of key exchange, authentication, cipher,
and integrity. In reference to the supported protocols table below, each column of options for a
given protocol is independent and may be used in any viable combination.
Protocol Key Exchange Auth Cipher Integrity
SSHv2
EC Diffie-Hellman P-256
EC Diffie-Hellman P-384
EC Diffie-Hellman P-521
ECDSA P-256
ECDSA P-384
ECDSA P-521
RSA 2048
RSA 3072
RSA 4096
AES CBC
128/192/256
AES CTR
128/192/256
HMAC-SHA-1
HMAC-SHA2-256
HMAC-SHA2-512
MACsec
MACsec Key Agreement (SP800-108 KDF,
AES-CMAC-128/256, AES-KW 128/256)
Shared secret
AES-GCM-128
AES-GCM-256
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
The following table maps each physical interface to one or more logical interface types
defined in the FIPS 140-3 standard. The module does not have a Control Output Interface.
Physical Port Logical
Interface(s)
Data That Passes
Ethernet (data) Data Input
Data Output
Control Input
Status
Output
LAN communications
Ethernet (mgmt.) Data Input
Data Output
Control Input
Status
Output
Remote management
Serial Data Input
Data Output
Control Input
Status
Output
Console serial port management
Power Power Power
Reset button Control Input Reset
USB Data Input
Control Input
Firmware load port
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 19 of 39
Physical Port Logical
Interface(s)
Data That Passes
LED Status
Output
Status indicator lighting
SFP28 (EX4400 only) Data Input
Data Output
Control Input
Status
Output
Virtual chassis ports
Timing interface ports: PPS and 10M GPS (ACX5448 and
QFX5120 models only)
Control Input Clock and timing signals from
external devices
Table 14: Ports and Interfaces
4 Roles, Services, and Authentication
4.1 Authentication Methods
The module implements two forms of role-based authentication methods, as described in the
following table.
Method
Name
Description Security
Mechanism
Strength Each
Attempt
Strength per Minute
Password
authentication
User and CO
authentication via
SSH or consol.
Minimum of 10
ASCII character
passwords.
SHA
(LibMD)
Probability of
guessing: 1/(96^10) <
1/1,000,000.
Timed access mechanism
allows max of 10 attempts /
min. Probability of guessing:
10/(96^10) < 1/100,000.
Signature
authentication
User/CO
authentication via
SSH
SigVer (SSH) Strength of signature
algorithm, minimum
112-bits. Probability
of success for random
attempt: 1/(2^112) <
1/1,000,000.
A rate of 1 CPU cycle per failed
authentication for the Intel
Xeon D-1627 processor (4
cores, 2.9 GHz) allows for the
probability of success by brute-
force attack: 60 x 4 x 2.9 x
10^9 x 1/(2^112) < 1/100,000.
Table 15: Authentication Methods
4.2 Roles
Name Type Operator Type Authentication Methods
Crypto Officer Role CO Password authentication
Signature authentication
User Role Monitor Password authentication
Signature authentication
Table 16: Roles
The module supports two roles: Cryptographic Officer (CO) and User. The module supports role-
based operator authentication for assuming these roles, using methods specified in Section 4.1.
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 20 of 39
The module supports concurrent operators but does not support a maintenance role and/or
bypass capability. The module enforces the separation of roles using either of the role-based
operator authentication methods in Section 4.1.
The Cryptographic Officer role configures and monitors the module via a console or SSH
connection. As root or super-user, the Cryptographic Officer has permission to view and edit
secrets within the module.
The User role monitors the module via the console or SSH. The user role cannot change the
configuration.
4.3 Approved Services
Name Description Indicator Inputs Outputs Security
Functions
SSP Access
Configure
Security
Security relevant
configuration
':fips'
suffix in
CLI
prompt
CLI Command Status SHA
(Kernel)
Entropy
Source
KeyGen
(SSH)
SHA
(LibMD)
MAC
(LibMD)
DRBG
(Kernel)
Crypto Officer
- HMAC DRBG V
value: E
- HMAC DRBG
Key value: E
- HMAC DRBG
Entropy Input: E
- HMAC DRBG
Seed: E
- User-PW: W
- CO-PW: W
- Root-PW: W
- SSH PUB:
G,R,W
- SSH PHK:
G,R,W
- MACsec CAK:
W
- MACsec CKN:
R,W
Configure Non-security
relevant
configuration
None CLI Command Status None Crypto Officer
Secure
Traffic
MACsec
encrypted
transfer of data,
distribution of
keys
':fips'
suffix in
CLI
prompt
MACsec traffic
frames
MACsec traffic
frames
Key wrap
(MACsec)
Enc/Dec
(MACsec)
Integrity
(MACsec)
Crypto Officer
- MACsec KEK:
G,E
- MACsec SAK:
G,E
- MACsec ICK:
G,E
Show
status
Show status None None ':fips' suffix in
CLI prompt
None Crypto Officer
User
Zeroize Zeroize all CSPs None CLI command None
(completion
indicator is
implicitly
provided by
the module
rebooting)
None Crypto Officer
- HMAC DRBG V
value: Z
- HMAC DRBG
Key value: Z
- HMAC DRBG
Entropy Input: Z
- HMAC DRBG
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 21 of 39
Name Description Indicator Inputs Outputs Security
Functions
SSP Access
Seed: Z
- SSH DH Shared
Secret: Z
- SSH PHK: Z
- SSH PUB: Z
- SSH DH PRV: Z
- SSH DH PUB: Z
- SSH DH Pub
(peer): Z
- SSH-SEKs: Z
- CO-PW: Z
- Root-PW: Z
- User-PW: Z
- Auth-CO Pub: Z
- Auth-User Pub:
Z
- Root-CA: Z
- Package-CA: Z
- MACsec CAK: Z
- MACsec CKN:
Z
- MACsec SAK: Z
- MACsec KEK: Z
- MACsec ICK: Z
SSH
connect
Initiate SSH
connection for
SSH monitoring
and control (CLI)
':fips'
suffix in
CLI
prompt
SSH packets SSH packets,
Status
Enc/Dec
(SSH)
KAS-SSC
(SSH)
SigGen
(SSH)
SigVer
(SSH)
MAC (SSH)
KAS
KeyGen
(SSH)
KDF (SSH)
Full KAS
(SSH)
KTS (SSH)
SHA
(Kernel)
Entropy
Source
Crypto Officer
- HMAC DRBG V
value: E
- HMAC DRBG
Key value: E
- HMAC DRBG
Entropy Input: E
- HMAC DRBG
Seed: E
- SSH DH Shared
Secret: G,E
- SSH DH PRV:
G,E
- SSH DH PUB: G
- SSH-SEKs: G,E
- SSH DH Pub
(peer): E
- CO-PW: E
User
- HMAC DRBG V
value: E
- HMAC DRBG
Key value: E
- HMAC DRBG
Entropy Input: E
- HMAC DRBG
Seed: E
- SSH DH Shared
Secret: G,E
- SSH DH PRV:
G,E
- SSH DH PUB: G
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 22 of 39
Name Description Indicator Inputs Outputs Security
Functions
SSP Access
- SSH-SEKs: G,E
- SSH DH Pub
(peer): E
- User-PW: E
MACsec
connect
Initiate MACsec
connection
':fips'
suffix in
CLI
prompt
MACsec link
configuration,
CKN, CAK
MACsec
frames, Status
Key
derivation
(MACsec)
Key wrap
(MACsec)
Enc/Dec
(MACsec)
Integrity
(MACsec)
Crypto Officer
- MACsec ICK: E
- MACsec SAK:
E,W,R
- MACsec KEK: E
Console
access
Console
monitoring and
control (CLI)
None CLI Command Status None Crypto Officer
- CO-PW: E
- Root-PW: E
User
- User-PW: E
Remote
reset
Software
initiated reset,
performs self-
tests on demand.
None CLI command Status None Crypto Officer
- HMAC DRBG V
value: Z
- HMAC DRBG
Key value: Z
- HMAC DRBG
Entropy Input: Z
- HMAC DRBG
Seed: Z
- SSH DH Shared
Secret: Z
- SSH DH PRV: Z
- SSH DH PUB: Z
- SSH-SEKs: Z
- SSH DH Pub
(peer): Z
- MACsec SAK: Z
- MACsec KEK: Z
- MACsec ICK: Z
Local
reset
Hardware reset
or power cycle
None Main power
cycle
Status None Unauthenticated
- HMAC DRBG V
value: Z
- HMAC DRBG
Key value: Z
- HMAC DRBG
Entropy Input: Z
- HMAC DRBG
Seed: Z
- SSH DH Shared
Secret: Z
- SSH DH PRV: Z
- SSH DH PUB: Z
- SSH-SEKs: Z
- SSH DH Pub
(peer): Z
- MACsec SAK: Z
- MACsec KEK: Z
- MACsec ICK: Z
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 23 of 39
Name Description Indicator Inputs Outputs Security
Functions
SSP Access
Traffic Traffic requiring
no cryptographic
services
None Traffic in Traffic out None Unauthenticated
Load
Image
Loading of
firmware image
':fips'
suffix in
CLI
prompt
CLI Command Status Verify
image
Crypto Officer
- Root-CA: E
- Package-CA: Z
Perform
self-test
On demand
execution of all
pre-operational
and conditional
algorithm self-
tests
None Local or
remote reset
Status None Crypto Officer
User
Unauthenticated
Show
module
version
Show system
information
identifying
module
None CLI command Status None Crypto Officer
User
Table 17: Approved Services
4.4 Non-Approved Services
The module does not offer any non-approved services.
N/A for this module.
4.5 External Software/Firmware Loaded
The module includes a firmware load service that is used to install the Junos OS firmware image
as part of installation of the module, as described in Section 11.1. The loaded firmware is a
complete image replacement and constitutes an entirely new module and version of Junos OS
which would require a separate FIPS 140-3 validation.
5 Software/Firmware Security
5.1 Integrity Techniques
The cryptographic module implements a firmware integrity self-test that uses ECDSA P-256 with
SHA2-256 to ensure the integrity of all Junos OS firmware components. The self-test is
automatically run on power-up.
5.2 Initiate on Demand
The firmware integrity test can be run on demand by the module’s operator by power cycling the
module.
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 24 of 39
6 Operational Environment
6.1 Operational Environment Type and Requirements
Type of Operational Environment: Non-Modifiable
The module consists of hardware containing a non-modifiable operational environment as per
the FIPS 140-3 definitions. It includes a firmware load service to support necessary updates. The
loaded firmware is a complete image replacement and constitutes an entirely new module and
version of Junos OS which would require a separate FIPS 140-3 validation.
6.2 Configuration Settings and Restrictions
There are no security rules, settings, or restrictions to the configuration of the operational
environment beyond the initialization instructions to set the module in Approved mode.
7 Physical Security
7.1 Mechanisms and Actions Required
The module’s physical embodiment meets Level 1 Physical Security requirements. The module is
completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and
brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices
that would allow for any sort of observation of any component contained within the
cryptographic boundary.
Mechanism Inspection
Frequency
Inspection
Guidance
Opaque metal enclosure n/a n/a
Table 18: Mechanisms and Actions Required
8 Non-Invasive Security
This section is not applicable, as there are currently no approved non-invasive mitigation
techniques specified in ISO/IEC 19790:2012.
9 Sensitive Security Parameters Management
9.1 Storage Areas
The table below lists the areas within the module’s cryptographic boundary where SSPs can be
stored.
Storage
Area
Name
Description Persistence
Type
RAM Random Access Memory Dynamic
Flash Internal flash memory storage drive Static
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 25 of 39
Table 19: Storage Areas
9.2 SSP Input-Output Methods
The table below lists the method used by the module for the input and output of SSPs.
Name From To Format
Type
Distribution
Type
Entry
Type
SFI or
Algorithm
Manual CLI entry Local CO RAM Plaintext Manual Direct
Entry via SSH Remote CO RAM Encrypted Automated Electronic KTS (SSH)
Entry via console Local CO RAM Plaintext Manual Electronic
Output via SSH RAM Remote CO Encrypted Automated Electronic KTS (SSH)
Output via console RAM Local CO Plaintext Manual Electronic
Entry as part of KAS Remote peer RAM Plaintext Automated Electronic Full KAS (SSH)
Output as part of KAS RAM Remote
peer
Plaintext Automated Electronic Full KAS (SSH)
Pre-loaded Manufacturer Flash Plaintext Manual Direct
MACsec Key
Agreement Input
Remote
device
RAM Encrypted Automated Electronic Key wrap
(MACsec)
MACsec Key
Agreement Output
RAM Remote
device
Encrypted Automated Electronic Key wrap
(MACsec)
Table 20: SSP Input-Output Methods
9.3 SSP Zeroization Methods
The table below describes the SSP zeroization methods employed by the module.
Zeroization
Method
Description Rationale Operator Initiation
Zeroize CLI
command
This command erases all data,
including all configuration
information, returning the module to
its factory default state The system
is then rebooted.
This command erases all keys
and CSPS from storage. The
forced power cycle also zeroizes
SSPs in volatile memory.
Yes, CO via invocation
of zeroize CLI
command.
Reset Zeroization of SSPs in RAM via
invocation of local or remote reset
service.
RAM is volatile and all data is
lost when power is taken off.
Zeroization is practically
instantaneous.
Yes, both User and
CO, via invocation of
Local Reset or Remote
Reset services.
Explicit
zeroize
function
Zeroization of SSPs in memory when
no longer needed.
Use of explicit zeroization
function destroys SSP
information immediately by
overwriting memory area with
zeroes.
No. The operator
cannot directly initiate
this method.
Table 21: SSP Zeroization Methods
The Zeroize CLI command method is detailed in section 11.2.3.
The completion of zeroization is indicated implicitly. If the zeroization is initiated using a
zeroization command or explicit delete command, completion of the command indicates that
zeroization has successfully completed. If the zeroization is initiated by power cycling the
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 26 of 39
module, then successful reboot of the module indicates that zeroization has completed
successfully. In the case of zeroization initiated by session termination, SSPs are zeroized when
the session terminates, and session termination is indicated in the log.
9.4 SSPs
All SSPs used by the module are described in this section.
Name Description Size -
Strength
Type -
Category
Generated
By
Established
By
Used By
HMAC
DRBG V
value
A critical value of the
internal state of
DRBG
256 - 256 DRBG internal
state - CSP
DRBG
(Kernel)
DRBG
(Kernel)
HMAC
DRBG
Key value
A critical value of the
internal state of
DRBG
256 - 256 DRB internal
state - CSP
DRBG
(Kernel)
DRBG
(Kernel)
HMAC
DRBG
Entropy
Input
A critical value of the
internal state of
DRBG provided by
entropy source
256 - 256 Entropy source
output - CSP
Entropy
Source
DRBG
(Kernel)
HMAC
DRBG
Seed
Seed material used to
seed or reseed the
HMAC DRBG
256 - 256 DRBG internal
state - CSP
DRBG
(Kernel)
DRBG
(Kernel)
SSH DH
Shared
Secret
Shared DH value
computed from the
ephemeral DH key-
pairs as part of SSH
and used to derive
session keys.
256, 384, 521
- 128, 192,
256
DH shared
value - CSP
KAS-SSC
(SSH)
KDF
(SSH)
SSH PHK SSH Private host key.
1st time SSH is
configured, the keys
are generated.
2048, 256,
4096, 384,
521 - 112,
128, 152, 192,
256
Asymmetric
private key -
CSP
KeyGen
(SSH)
SigGen
(SSH)
SSH PUB SSH Public Host Key 2048, 256,
4096, 384,
521 - 112,
128, 152, 192,
256
Asymmetric
public key -
PSP
KeyGen
(SSH)
SigVer
(SSH)
SSH DH
PRV
SSH KAS private key 256, 384, 521
- 128, 192,
256
Asymmetric
private key -
CSP
KAS
KeyGen
(SSH)
KAS-SSC
(SSH)
Full KAS
(SSH)
SSH DH
PUB
SSH KAS public key 256, 384, 521
- 128, 192,
256
Asymmetric
public key -
PSP
KAS
KeyGen
(SSH)
SSH DH
Pub
(peer)
SSH KAS public key
from peer
256, 384, 521
- 128, 192,
256
Asymmetric
public key -
PSP
KAS-SSC
(SSH)
Full KAS
(SSH)
SSH-SEKs SSH Session
Encryption Keys
128, 192, 256
- 128, 192,
256
Symmetric key
- CSP
KDF (SSH)
Full KAS
(SSH)
Enc/Dec
(SSH)
MAC
(SSH)
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 27 of 39
Name Description Size -
Strength
Type -
Category
Generated
By
Established
By
Used By
CO-PW Password used to
authenticate the CO.
Min 10
characters -
n/a
Authentication
password - CSP
KTS (SSH) SHA
(LibMD)
Root-PW Password used by CO
to authenticate as
'root'.
Min 10
characters -
n/a
Authentication
password - CSP
KTS (SSH) SHA
(LibMD)
User-PW Password used to
authenticate User
Min 10
characters -
n/a
Authentication
password - CSP
KTS (SSH) SHA
(LibMD)
Auth-CO
Pub
SSH CO
Authentication Public
Key
2048, 4096,
256, 384, 521
- 112, 128,
152, 192, 256
Asymmetric
public key -
PSP
KTS (SSH) SigVer
(SSH)
Auth-
User Pub
SSH User
Authentication Public
Key
2048, 4096,
256, 384, 521
- 112, 128,
152, 192, 256
Asymmetric
public key -
PSP
KTS (SSH) SigVer
(SSH)
Root-CA X.509 Certificate
used to verify the
validity of the Juniper
Package CA
256, 384 -
128, 196
Asymmetric
public key -
PSP
Verify
image
Package-
CA
X.509 Certificate
used to verify the
validity the Juniper
Image at software
load and also at
runtime for integrity.
256 - 128 Asymmetric
public key -
PSP
Verify
image
MACsec
CAK
Externally generated
pre-shared key
entered when
MACsec static
connectivity
association key (CAK)
security mode is
enabled.
32 (hex)
characters for
128-bit AES
keys, 64 (hex)
characters for
256-bit AES
keys - 128,
256
Symmetric key
- CSP
MACsec
CKN
Externally generated
pre-shared key used
to identify the CAK
(64 characters)
64 characters
- n/a
Identifier - PSP
MACsec
SAK
Security Association
Key used to
encrypt/decrypt
traffic for a given
session
128, 256 -
128, 256
Symmetric key
- CSP
Key
derivation
(MACsec)
Key wrap
(MACsec)
Enc/Dec
(MACsec)
MACsec
KEK
Key Encryption Key
used to transmit SAK
to other members of a
MACsec connectivity
association
128, 256 -
128, 256
Symmetric key
- CSP
Key
derivation
(MACsec)
Key wrap
(MACsec)
MACsec
ICK
Integrity Check Key
used to verify the
integrity and
authenticity of
MPDUs.
128, 256 -
128, 256
Symmetric key
- CSP
Key
derivation
(MACsec)
Integrity
(MACsec)
Table 22: SSP Table 1
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 28 of 39
Name Input -
Output
Storage Storage Duration Zeroization Related
SSPs
HMAC
DRBG V
value
RAM:Plaintext Until updated by
HMAC_DRBG_Update()
Zeroize CLI
command
Reset
HMAC
DRBG Key
value
RAM:Plaintext Until updated by
HMAC_DRBG_Update()
Zeroize CLI
command
Reset
HMAC
DRBG
Entropy
Input
RAM:Plaintext Until
HMAC_Instantiate_Update() or
HMAC_DRBG_Reseed()
complete
Zeroize CLI
command
Reset
HMAC
DRBG
Seed
RAM:Plaintext Until
HMAC_Instantiate_Update() or
HMAC_DRBG_Reseed()
complete
Zeroize CLI
command
Reset
SSH DH
Shared
Secret
RAM:Plaintext Until SSH session termination Zeroize CLI
command
Reset
Explicit
zeroize
function
SSH PHK Entry via
SSH
Entry via
console
Output via
SSH
Output via
console
RAM:Plaintext
Flash:Plaintext
Until SSH session termination
(RAM)
Zeroize CLI
command
SSH
PUB:Paired
With
SSH PUB Entry via
SSH
Entry via
console
Output via
SSH
Output via
console
RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
SSH
PHK:Paired
With
SSH DH
PRV
RAM:Plaintext Until SSH session termination Reset
Explicit
zeroize
function
SSH DH
PUB:Paired
With
SSH DH
PUB
Output as
part of KAS
RAM:Plaintext Until SSH session termination Reset
Explicit
zeroize
function
SSH DH
PRV:Paired
With
SSH DH
Pub (peer)
Entry as part
of KAS
RAM:Plaintext Until SSH session termination Reset
Explicit
zeroize
function
SSH-SEKs RAM:Plaintext Until SSH session termination Reset
Explicit
zeroize
function
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 29 of 39
Name Input -
Output
Storage Storage Duration Zeroization Related
SSPs
CO-PW Manual CLI
entry
Entry via
SSH
Entry via
console
RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
Root-PW Manual CLI
entry
Entry via
SSH
Entry via
console
RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
User-PW Manual CLI
entry
Entry via
SSH
Entry via
console
RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
Auth-CO
Pub
Entry via
SSH
Entry via
console
Output via
SSH
Output via
console
RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
Auth-User
Pub
Entry via
SSH
Entry via
console
Output via
SSH
Output via
console
RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
Root-CA Pre-loaded RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
Package-
CA
Pre-loaded RAM:Plaintext
Flash:Plaintext
Zeroize CLI
command
MACsec
CAK
Entry via
SSH
Entry via
console
RAM:Plaintext
Flash:Obfuscated
Zeroize CLI
command
MACsec
CKN
Entry via
SSH
Entry via
console
RAM:Plaintext
Flash:Obfuscated
Zeroize CLI
command
MACsec
SAK
MACsec Key
Agreement
Input
MACsec Key
Agreement
Output
RAM:Plaintext Zeroize CLI
command
Reset
MACsec
KEK
RAM:Plaintext Zeroize CLI
command
Reset
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 30 of 39
Name Input -
Output
Storage Storage Duration Zeroization Related
SSPs
MACsec
ICK
RAM:Plaintext Zeroize CLI
command
Reset
Table 23: SSP Table 2
9.5 Transitions
The following transitions apply to algorithms used by this module:
SHA-1: The SHA-1 hash algorithm will be non-Approved for cryptographic protection purposes
after December 31, 2030.
10 Self-Tests
On power up or reset, the module performs the pre-operational self-tests and the indicated
conditional cryptographic algorithm self-tests described below. All KATs must be completed
successfully prior to any other use of cryptography by the module. The CASTs for algorithms
utilized in the pre-operational Firmware integrity check are performed prior to the Firmware
integrity check.
10.1 Pre-Operational Self-Tests
Algorithm
or Test
Test
Properties
Test
Method
Test
Type
Indicator Details
Firmware
integrity
check
ECDSA P-
256 with
SHA2-256
KAT SW/FW
Integrity
PASS/FAIL
console
output
ECDSA verify
Critical
functions
test
SHA2-256 KAT Critical
Function
PASS/FAIL
console
output
Checks that any file that is executed is
registered in a manifest of executable files
that comes with the firmware. Test verifies
the integrity of the operational environment
is being enforced by having the kernel
attempt to run a specific executable file that
does not contain a hash in the manifest file,
verifying it cannot be executed.
Table 24: Pre-Operational Self-Tests
10.2 Conditional Self-Tests
Algorithm or Test Test
Properti
es
Test
Metho
d
Test
Type
Indicator Details Conditio
ns
Entropy Source (start-up) n/a APT,
RCT
CAST PASS/FAIL
console
output
Start-up On-
power up
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 31 of 39
Algorithm or Test Test
Properti
es
Test
Metho
d
Test
Type
Indicator Details Conditio
ns
Entropy Source (continuous) n/a APT,
RCT
CAST Console
output /
output of
entropy
source
Continuo
us
Data
output
from
noise
source
AES-CBC (A4210) Encrypt Key size:
128,
192, 256
KAT CAST PASS/FAIL
console
output
Encrypt On
power-
up
AES-CBC (A4210) Decrypt Key size:
128,
192, 256
KAT CAST PASS/FAIL
console
output
Decrypt On
power-
up
HMAC-SHA-1 (A4210) Key size:
160
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
HMAC-SHA2-256 (A4210) Key size:
256
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
HMAC-SHA2-384 (A4210) Key size:
384
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
HMAC-SHA2-512 (A4210) Key size:
512
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
RSA SigGen (FIPS186-4) (A4210) RSA
2048 w/
SHA2-
256, RSA
4096 w/
SHA2-
256
KAT CAST PASS/FAIL
console
output
Sign On
power-
up
RSA SigVer (FIPS186-4) (A4210) RSA
2048 w/
SHA2-
256, RSA
4096 w/
SHA2-
256
KAT CAST PASS/FAIL
console
output
Verify On
power-
up
ECDSA SigGen (FIPS186-4) (A4210) P-256,
P-384,
P-521
KAT CAST PASS/FAIL
console
output
Sign On
power-
up
ECDSA SigGen (FIPS186-4) (A6440) P-256,
P-384,
P-521
KAT CAST PASS/FAIL
console
output
Sign On
power-
up
ECDSA SigVer (FIPS186-4) (A4210) P-256,
P-384,
P-521
KAT CAST PASS/FAIL
console
output
Verify On
power-
up
ECDSA SigVer (FIPS186-4) (A6440) P-256,
P-384,
P-521
KAT CAST PASS/FAIL
console
output
Verify On
power-
up
KAS-ECC-SSC Sp800-56Ar3 (A4387) P-256,
P-384,
P-521
KAT CAST PASS/FAIL
console
output
ECDH
Computat
ion
On
power-
up
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 32 of 39
Algorithm or Test Test
Properti
es
Test
Metho
d
Test
Type
Indicator Details Conditio
ns
KDF SSH (A4347) SHA-1,
SHA2-
256,
SHA2-
384
KAT CAST PASS/FAIL
console
output
Key
derivation
Computat
ion
On
power-
up
RSA KeyGen (FIPS186-4) (A4210) n/a PCT PCT Returned
key/transit
ion soft
error state
Generatio
n and
Verificatio
n of
signature
On key
generatio
n
ECDSA KeyGen (FIPS186-4) (A4210) n/a PCT PCT Returned
key/transit
ion soft
error state
Generatio
n and
Verificatio
n of
signature
On key
generatio
n
ECDSA KeyGen (FIPS186-4) (A6440) n/a PCT PCT Returned
key/transit
ion soft
error state
Generatio
n and
Verificatio
n of
signature
On key
generatio
n
ECDSA SigVer (FIPS186-4) (A4211) P-256 KAT CAST PASS/FAIL
console
output
Verify On
power-
up
FW Load ECDSA
P-256
with
SHA2-
256
KAT SW/F
W
Load
PASS/FAIL
console
output
Verificatio
n of
ECDSA
signature
on FW
On FW
load
HMAC DRBG (A4417) 256,
SHA2-
256
KAT CAST PASS/FAIL
console
output
Instantiat
e, re-seed,
and
generate
On
power-
up
HMAC-SHA-1 (A4417) Key size:
160
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
HMAC-SHA2-256 (A4417) Key size:
256
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
SHA2-384 (A4417) n/a KAT CAST PASS/FAIL
console
output
Hash On
power-
up
SHA2-512 (A3355) n/a KAT CAST PASS/FAIL
console
output
Hash On
power-
up
HMAC-SHA2-256 (A4208) Key size:
256
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
HMAC-SHA-1 (A4208) Key size:
256
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
SHA2-512 (A4208) n/a KAT CAST PASS/FAIL
console
output
Hash On
power-
up
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 33 of 39
Algorithm or Test Test
Properti
es
Test
Metho
d
Test
Type
Indicator Details Conditio
ns
KDF SP800-108 (A4416) Key size:
128
KAT CAST PASS/FAIL
console
output
Derive On
power-
up
AES-KW (A4416) Wrap Key size:
128,
192, 256
KAT CAST PASS/FAIL
console
output
Wrap On
power-
up
AES-KW (A4416) Unwrap Key size:
128,
192, 256
KAT CAST PASS/FAIL
console
output
Unwrap On
power-
up
AES-CMAC (A4416) Key size:
128, 256
KAT CAST PASS/FAIL
console
output
MAC On
power-
up
AES-GCM Encrypt
(AES3969/AES4544/AES4545/AES4550/C
1869/C996)
128,256 KAT CAST Internal
status:
power-up
continues
or errors
Encrypt On
power-
up
AES-GCM Decrypt
(AES3969/AES4544/AES4545/AES4550/C
1869/C996)
128,256 KAT CAST Internal
status:
power-up
continues
or errors
Decrypt On
power-
up
ECDSA SigVer (FIPS186-4) (A6401) P-256 KAT CAST PASS/FAIL
console
output
Verify On
power-
up
SHA2-512 (A3498) n/a KAT CAST PASS/FAIL
console
output
hash On
power-
up
SHA2-512 (A3330) n/a KAT CAST PASS/FAIL
console
output
hash On
power-
up
Manual SSP entry n/a Duplica
te
entry
Manu
al
Entry
PASS/FAIL
console
output
Duplicate
entry
On
manual,
direct
entry of
SSP
Table 25: Conditional Self-Tests
10.3 Periodic Self-Test Information
The module does not implement periodic self-testing.
Algorithm or Test Test Method Test Type Period Periodic Method
Firmware integrity
check
KAT SW/FW Integrity On demand Manually
Critical functions
test
KAT Critical Function On demand Manually
Table 26: Pre-Operational Periodic Information
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 34 of 39
Algorithm or Test Test
Method
Test Type Period Periodic
Method
Entropy Source (start-up) APT, RCT CAST On
demand
Manually
Entropy Source (continuous) APT, RCT CAST Continuous Automatically
AES-CBC (A4210) Encrypt KAT CAST On
Demand
Manually
AES-CBC (A4210) Decrypt KAT CAST On
Demand
Manually
HMAC-SHA-1 (A4210) KAT CAST On
Demand
Manually
HMAC-SHA2-256 (A4210) KAT CAST On
Demand
Manually
HMAC-SHA2-384 (A4210) KAT CAST On
Demand
Manually
HMAC-SHA2-512 (A4210) KAT CAST On
Demand
Manually
RSA SigGen (FIPS186-4) (A4210) KAT CAST On
Demand
Manually
RSA SigVer (FIPS186-4) (A4210) KAT CAST On
Demand
Manually
ECDSA SigGen (FIPS186-4) (A4210) KAT CAST On
Demand
Manually
ECDSA SigGen (FIPS186-4) (A6440) KAT CAST On
Demand
Manually
ECDSA SigVer (FIPS186-4) (A4210) KAT CAST On
Demand
Manually
ECDSA SigVer (FIPS186-4) (A6440) KAT CAST On
Demand
Manually
KAS-ECC-SSC Sp800-56Ar3 (A4387) KAT CAST On
Demand
Manually
KDF SSH (A4347) KAT CAST On
Demand
Manually
RSA KeyGen (FIPS186-4) (A4210) PCT PCT On trigger
condition
Automatic
ECDSA KeyGen (FIPS186-4) (A4210) PCT PCT On trigger
condition
Automatic
ECDSA KeyGen (FIPS186-4) (A6440) PCT PCT On trigger
condition
Automatic
ECDSA SigVer (FIPS186-4) (A4211) KAT CAST On
Demand
Manually
FW Load KAT SW/FW
Load
On FW
load
request
Automatic
HMAC DRBG (A4417) KAT CAST On
Demand
Manually
HMAC-SHA-1 (A4417) KAT CAST On
Demand
Manually
HMAC-SHA2-256 (A4417) KAT CAST On
Demand
Manually
SHA2-384 (A4417) KAT CAST On
Demand
Manually
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 35 of 39
Algorithm or Test Test
Method
Test Type Period Periodic
Method
SHA2-512 (A3355) KAT CAST On
Demand
Manually
HMAC-SHA2-256 (A4208) KAT CAST On
Demand
Manually
HMAC-SHA-1 (A4208) KAT CAST On
Demand
Manually
SHA2-512 (A4208) KAT CAST On
Demand
Manually
KDF SP800-108 (A4416) KAT CAST On
Demand
Manually
AES-KW (A4416) Wrap KAT CAST On
Demand
Manually
AES-KW (A4416) Unwrap KAT CAST On
Demand
Manually
AES-CMAC (A4416) KAT CAST On
Demand
Manually
AES-GCM Encrypt
(AES3969/AES4544/AES4545/AES4550/C1869/C996)
KAT CAST On
Demand
Manually
AES-GCM Decrypt
(AES3969/AES4544/AES4545/AES4550/C1869/C996)
KAT CAST On
Demand
Manually
ECDSA SigVer (FIPS186-4) (A6401) KAT CAST On
demand
Manually
SHA2-512 (A3498) KAT CAST On
demand
Manually
SHA2-512 (A3330) KAT CAST On
demand
Manually
Manual SSP entry Duplicate
entry
Manual
Entry
On
condition
trigger
Automatic
Table 27: Conditional Periodic Information
10.4 Error States
Name Description Conditions Recovery
Method
Indicator
Critical
Failure
State
The cryptographic module ceases to
perform cryptographic operations,
inhibits all data output, and provides
status of the error via syslog messages
and console status output
On any power-up
self-test error
Power cycle Console
status
indicator
Soft
Error
State
A non-critical self-test failure occurs,
causing a failure of the triggering
operation
PCT, firmware load
test, continuous
entropy health test
failure
The module
processes the error,
and resumes
normal operation
Console
displays
error
Table 28: Error States
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 36 of 39
The module enters error state upon failure of any self-tests, causing the kernel to ‘panic‘ and all
execution to halt. The only way to exit from this state is to reboot the module, which causes the
self-tests to be repeated and pass successfully before the corresponding algorithms are usable.
10.5 Operator Initiation of Self-Tests
Self–tests that are performed at power-up are available on demand by power cycling the
module.
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
The module must be correctly installed and configured to enter a FIPS compliant state and
operate in the Approved mode. The required procedures are as follows:
1. Install the Junos OS firmware image - the procedure is detailed in section 11.2.1
2. Configure device for the Approved mode - the procedure is section 11.2.2.
To continue using the module in a FIPS compliant way, the Module Operation Rules in section
11.4.2 must be followed.
11.2 Administrator Guidance
11.2.1 Installing the Junos OS firmware image
1. Download the validated firmware image from
https://www.juniper.net/support/downloads/junos.html. Log in to the Juniper Networks
authentication system using the username (generally your e-mail address) and password
supplied by Juniper Networks representatives. Select the validated firmware image.
Download the firmware image to a local host or to an internal software distribution site.
The cryptographic module devices use the following firmware images
EX4400 jinstall-host-ex-4e-x86-64-22.3R2-S1.7-secure-signed.tgz
QFX5120 jinstall-host9-qfx-5e-ng-x86-64-22.3R2-S1.7-secure-signed.tgz
ACX5448 junos-vmhost-install-acx-x86-64-22.3R2-S1.7.tgz
2. Connect to the console port on the device from your management device, and log in to
the Junos OS CLI.
3. Install the new package on the device (package may be a local file copied to the device, or
a file on a remote server):
user@host> request system software add <package>
4. Reboot the device to load the installation:
user@host> request system reboot
5. After the reboot has completed, log in and use the show version command to verify that
the new version of the software is successfully installed.
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 37 of 39
user@host> show version
11.2.2 Configure the device for the Approved mode
To configure the device for the Approved mode:
1. Zeroize the device to delete all CSPs before entering the Approved mode.
root@host# request system zeroize
2. After the device comes up, login using username “root” and password blank.
3. Configure root authentication with password at least 10 characters or more.
root@host# set system root-authentication plain-text-password
4. Load configuration onto device and commit new configuration.
NOTE: SSH key-exchange configuration must not include ‘dh-group14-sha1’. It is not
approved for this module.
5. Configure crypto-officer and login with crypto-officer credentials.
6. Set the fips level to 1.
crypto-officer@host# set system fips chassis level 1
crypto-officer@host# set system fips level 1
7. Commit and reboot the device.
crypto-officer@host# commit
crypto-officer@host# run request system reboot
11.2.3 Zeroizing the System
CAUTION: Perform system zeroization with care. After the zeroization process is complete, no
data is left on the device. The device is returned to the factory default state, equivalent to a
fresh installation of the firmware, without any configured users or configuration files.
After zeroizing the system, the module is no longer in a FIPS compliant state. (Installation and
configuration as per section 11.1 is required to enter the FIPS compliant state and enable the
Approved mode of operation).
NOTE: The Crypto-Officer must retain control of the module while zeroization is in progress.
To zeroize the device:
1. Login to the device as Crypto Officer and from CLI, enter
crypto-officer@host# request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes, no] (no)
2. To initiate the zeroization process, type yes at the prompt:
Erase all data, including configuration and log files? [yes, no] (no)
yes
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 38 of 39
11.3 Non-Administrator Guidance
No specific non-administrator guidance is required to operate the module.
11.4 Design and Rules
11.4.1 Module Design Rules
The module design implements the following security rules:
1. The module clears previous authentications on power cycle.
2. Power up self-tests do not require any operator action.
3. Data output is inhibited during key generation, self-tests, zeroization, and error states.
4. Status information does not contain CSPs or sensitive data that if misused could lead to a
compromise of the module.
5. There are no restrictions on which SSPs are zeroized by the zeroization service.
6. The module does not support a maintenance interface or role.
7. The module does not output intermediate key values.
8. The module requires two independent internal actions to be performed prior to
outputting plaintext CSPs.
9. If the module loses power and then it is restored, then a new key shall be established for
use with the AES GCM encryption/decryption processes.
11.4.2 Module Operation Rules
The following are requirements for compliant usage of the module:
1. The cryptographic officer must retain control of the module while zeroization is in
process.
2. The cryptographic officer shall verify that the firmware image to be loaded on the module
is a FIPS validated image.
3. Before pushing the factory reset button on the device, the cryptographic officer shall
perform the zeroize command as described in section 11.2.3.
4. The password minimum-length must be configured to be at least 10.
5. Virtual Chassis features must not be configured.
6. Dynamic CAK mode shall not be configured for MACsec.
7. Only the AES-GCM cipher suites shall be configured for MACsec.
8. The module shall only be used with CMVP-validated modules when supporting the
MACsec protocol for providing Peer, Authenticator functionality.
9. The link between the Peer and Authenticator, used in the MACsec communication, shall
be secure to prevent the possibility for an attacker to introduce foreign equipment into
the local area network.
10. The module shall not be configured to use a radius server and the radius server capability
shall be disabled.
11. SSH key-exchange must not be configured to include ‘dh-group14-sha1’.
11.5 Maintenance Requirements
No special maintenance requirements are required.
Juniper Networks Non-Proprietary FIPS 140-3 Security Policy Page 39 of 39
11.6 End of Life
When disposing of the cryptographic module, the cryptographic officer shall perform the zeroize
command as described in Section 11.2.3.
12 Mitigation of Other Attacks
The module does not implement mechanisms to mitigate other attacks beyond what is described
in this security policy.