Copyright Juniper Networks, Inc. 2024 Page 1 of 60 Document Version 1.0
Juniper Networks, Inc.
Juniper Networks QFX10002, QFX10008 and QFX10016
FIPS 140-3 Non-Proprietary Security Policy
Table of Contents
1 General
1.1 Overview
1.2 Security Levels
1.3 Additional Information
2 Cryptographic Module Specification
2.1 Description
2.2 Tested and Vendor Affirmed Module Version and Identification
2.3 Excluded Components
2.4 Modes of Operation
2.5 Algorithms
2.6 Security Function Implementations
2.7 Algorithm Specific Information
2.8 RBG and Entropy
2.9 Key Generation
2.10 Key Establishment
2.11 Industry Protocols
2.12 Additional Information
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles
4.3 Approved Services
4.4 Non-Approved Services
4.5 External Software/Firmware Loaded
4.6 Cryptographic Output Actions and Status
5 Software/Firmware Security
5.1 Integrity Techniques
5.2 Initiate on Demand
5.3 Additional Information
6 Operational Environment
6.1 Operational Environment Type and Requirements
6.2 Configuration Settings and Restrictions
7 Physical Security
7.1 Mechanisms and Actions Required
8 Non-Invasive Security
8.1 Mitigation Techniques
9 Sensitive Security Parameters Management
9.1 Storage Areas
9.2 SSP Input-Output Methods
9.3 SSP Zeroization Methods
9.4 SSPs
10 Self-Tests
10.1 Pre-Operational Self-Tests
10.2 Conditional Self-Tests
10.3 Periodic Self-Test Information
10.4 Error States
10.5 Operator Initiation of Self-Tests
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
11.2 Administrator Guidance
11.3 Non-Administrator Guidance
11.4 Maintenance Requirements
11.5 End of Life
12 Mitigation of Other Attacks
12.1 Attack List
List of Tables
Table 1: Security Levels
Table 2: Tested Module Identification – Hardware
Table 3: Modes List and Description
Table 4: Approved Algorithms - Kernel
Table 5: Approved Algorithms - LibMD
Table 6: Approved Algorithms - OpenSSL
Table 7: Approved Algorithms -
Table 8: Vendor-Affirmed Algorithms
Table 9: Non-Approved, Allowed Algorithms with No Security Claimed
Table 10: Non-Approved, Not Allowed Algorithms
Table 11: Security Function Implementations
Table 12: Entropy Certificates
Table 13: Entropy Sources
Table 14: Ports and Interfaces
Table 15: Authentication Methods
Table 16: Roles
Table 17: Approved Services
Table 18: Non-Approved Services
Table 19: Storage Areas
Table 20: SSP Input-Output Methods
Table 21: SSP Zeroization Methods
Table 22: SSP Table 1
Table 23: SSP Table 2
Table 24: Pre-Operational Self-Tests
Table 25: Conditional Self-Tests
Table 26: Pre-Operational Periodic Information
Table 27: Conditional Periodic Information
Table 28: Error States
List of Figures
Figure 1: Front view of QFX10002-36Q, QFX10002-72Q and QFX10002-60C
Figure 2: Rear view for QFX10002-36Q
Figure 3: Rear view of QFX10002-72Q
Figure 4: Rear view of QFX10002-60C
Figure 5: Front view of QFX10008
Figure 6: Rear view of QFX10008
Figure 7: Front view of QFX10016
Figure 8: Rear view image QFX10016
Figure 9 – High-level Block Diagram for QFX10002/QFX10008/QFX10016
1 General
1.1 Overview
Introduction
Federal Information Processing Standards Publication 140-3 — Security Requirements for
Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a
Sensitive but Unclassified environment. The National Institute of Standards and Technology
(NIST) and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation
Program (CMVP) run the FIPS 140-3 program. The NVLAP accredits independent testing labs
to perform FIPS 140-3 testing; the CMVP validates modules meeting FIPS 140-3 validation.
Validated is the term given to a module that is documented and tested against the FIPS 140-3
criteria.
More information is available on the CMVP website at:
https://csrc.nist.gov/projects/cryptographic-module-validation-program.
About this Document
This non-proprietary Cryptographic Module Security Policy for the Juniper Networks QFX10002,
QFX10008 and QFX10016 provides an overview of the product and a high-level description of
how it meets the overall Level 1 security requirements of FIPS 140-3.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress
in methodology, design, and manufacturing. Juniper Networks shall have no liability for any
error or damages of any kind resulting from the use of this document.
Notices
This document may be freely reproduced and distributed in its entirety without modification.
This document describes the cryptographic module security policy for the Juniper Networks
QFX10002, QFX10008, QFX10016 (Hardware versions: QFX10002-36Q, QFX10002-60C,
QFX10002-72Q, QFX10008 and QFX10016) cryptographic module (also referred to as the
“module” hereafter) with firmware version Junos OS 22.3R1-S2.3. The module has a multi-chip
standalone embodiment. It contains the specification of the security rules under which the
cryptographic module operates, including the security rules derived from the requirements of the
FIPS 140-3 standard.
1.2 Security Levels
| Section | Title | Security Level |
|---|---|---|
| 1 | General | 1 |
| 2 | Cryptographic module specification | 1 |
| 3 | Cryptographic module interfaces | 1 |
| 4 | Roles, services, and authentication | 3 |
| 5 | Software/Firmware security | 1 |
| 6 | Operational environment | 1 |
| 7 | Physical security | 1 |
| 8 | Non-invasive security | N/A |
| 9 | Sensitive security parameter management | 1 |
| 10 | Self-tests | 1 |
| 11 | Life-cycle assurance | 1 |
| 12 | Mitigation of other attacks | N/A |
| | Overall Level | 1 |
Table 1: Security Levels
1.3 Additional Information
The module claims an overall Security Level of 1, with all individual sections at Security Level
1 with the exception of Roles, Services, and Authentication (claimed at Security Level 3). The
module does not implement any non-invasive security mitigations or mitigations of other attacks,
and thus the requirements of these sections are inapplicable.
2 Cryptographic Module Specification
2.1 Description
Purpose and Use:
The cryptographic module provides for an encrypted connection, using SSH, between the
management station and itself, i.e., the QFX switch.
Module Type: Hardware
Module Embodiment: MultiChipStand
Cryptographic Boundary:
The cryptographic module’s operational environment is a limited operational environment. The
cryptographic boundary of the hardware module is the entirety of the module/chassis (demarked
with a black outline in the figures below). This includes the Routing Engine (RE). No
components have been excluded from the cryptographic boundary of the module.
Tested Operational Environment’s Physical Perimeter (TOEPP):
The Tested Operational Environment’s Physical Perimeter (TOEPP) is the entirety of the
module chassis.
Figure 1: Front view of QFX10002-36Q, QFX10002-72Q and QFX10002-60C
Figure 2: Rear view for QFX10002-36Q
Figure 3: Rear view of QFX10002-72Q
Figure 4: Rear view of QFX10002-60C
Figure 5: Front view of QFX10008
Figure 6: Rear view of QFX10008
Figure 7: Front view of QFX10016
Figure 8: Rear view image QFX10016
Figure 9 – High-level Block Diagram for QFX10002/QFX10008/QFX10016
2.2 Tested and Vendor Affirmed Module Version and Identification
Tested Module Identification – Hardware:
| Model and/or Part Number | Hardware Version | Firmware Version | Processors | Features |
|---|---|---|---|---|
| QFX10002-36Q | QFX10002-36Q | Junos OS 22.3R1-S2.3 | Intel Xeon E3-1125V2 | JPSU-1600W-AC-AFO, JPSU-1600W-DC-AFO |
| QFX10002-72Q | QFX10002-72Q | Junos OS 22.3R1-S2.3 | Intel Xeon E3-1125V2 | JPSU-1600W-AC-AFO, JPSU-1600W-DC-AFO |
| QFX10002-60C | QFX10002-60C | Junos OS 22.3R1-S2.3 | Intel Xeon E3-1125V2 | JPSU-1600W-AC-AFO, JPSU-1600W-DC-AFO |
| QFX10008 | QFX10008 with QFX10000 Control board | Junos OS 22.3R1-S2.3 | Intel Xeon E3-1125V2 | QFX10000-PWR-AC, QFX10000-PWR-DC |
| QFX10016 | QFX10016 with QFX10000 Control board | Junos OS 22.3R1-S2.3 | Intel Xeon E3-1125V2 | QFX10000-PWR-AC, QFX10000-PWR-DC |
Table 2: Tested Module Identification – Hardware
2.3 Excluded Components
No components have been excluded from the cryptographic boundary of the module.
2.4 Modes of Operation
Modes List and Description:
| Mode Name | Description | Type | Status Indicator |
|---|---|---|---|
| Approved mode | • The operator can verify that the cryptographic module is in the Approved mode by observing the console prompt and running the “show version” command; • When operating in the Approved mode, the prompt will read “<operator>:fips#” (e.g. root:fips#); • The “show version” command will allow the Crypto Officer to verify that the validated firmware version is running on the module; • The Crypto Officer can also use the “show system fips chassis level” command (returns “level 1”) to determine if the module is operating in the Approved mode; • The Approved mode is entered when the module is configured for it and successfully passes all self-tests (both pre-operational and conditional cryptographic algorithm self-tests (CASTs)) | Approved | global indicator (string 'fips' included in the command prompt) |
| Non-Approved mode | • The cryptographic module supports a non-Approved mode of operation; • When operated in the non-Approved mode of operation, the module supports non-Approved algorithms as well as the algorithms supported in the Approved mode of operation | Non-Approved | global indicator (implicit indicator based on exclusion of string 'fips' from the command prompt) |
Table 3: Modes List and Description
The hardware versions contained in Table 2, with Junos OS 22.3R1-S2.3 installed, contain one
Approved mode of operation and a non-Approved mode of operation. The Junos OS 22.3R1-S2.3
firmware image must first be installed on the module. The module is configured during
initialization by the Crypto Officer to operate in the Approved mode or the non-Approved mode.
When operated in the non-Approved mode of operation, the module supports non-Approved
algorithms as well as the algorithms supported in the Approved mode of operation. The module
is in a non-compliant state by default and the Crypto Officer can place the module into the
non-Approved mode of operation by following the instructions in Section 11 Life-Cycle Assurance
in this document.
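The three Approved-mode indicators listed in Table 3 (the “:fips” prompt string, “show version”, and “show system fips chassis level”) can be checked mechanically over a captured console session. The following is an added example, not part of Juniper's policy or tooling; the capture text is constructed, and the optional “@host” prompt part and the layout of the command output are assumptions.

```python
import re

VALIDATED_FIRMWARE = "22.3R1-S2.3"            # firmware version stated in this policy
LEVEL_CMD = "show system fips chassis level"  # command named in Table 3

# Prompt shape from Table 3: "<operator>:fips#". The optional "@host" part and the
# ">" / "%" prompt characters are assumptions so that non-FIPS prompts are recognised.
PROMPT = re.compile(
    r"^(?P<who>[\w.-]+(?:@[\w.-]+)?)(?P<fips>:fips)?[#>%]\s*(?P<cmd>.*)$")
# Match the exact version only: "22.3R1-S2.31" must not count as "22.3R1-S2.3".
FIRMWARE_RE = re.compile(r"(?<![\w.-])" + re.escape(VALIDATED_FIRMWARE) + r"(?![\w.-])")
LEVEL_RE = re.compile(r"\blevel 1\b", re.IGNORECASE)


def parse_session(text):
    """Split a console capture into (prompt_has_fips, command, output_lines) records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            records.append((m.group("fips") is not None, m.group("cmd").strip(), []))
        elif records and line:
            records[-1][2].append(line)   # output belongs to the last command seen
    return records


def approved_mode_findings(text):
    """Return a list of problems; an empty list means all three indicators were seen."""
    records = parse_session(text)
    if not records:
        return ["no command prompt found in capture"]
    findings = []
    if not all(has_fips for has_fips, _, _ in records):
        findings.append("prompt without ':fips' seen (non-Approved mode indicator)")
    outputs = {cmd: out for _, cmd, out in records if cmd}
    version_out = outputs.get("show version")
    if version_out is None:
        findings.append("'show version' was not run")
    elif not any(FIRMWARE_RE.search(line) for line in version_out):
        findings.append("validated firmware %s not reported" % VALIDATED_FIRMWARE)
    level_out = outputs.get(LEVEL_CMD)
    if level_out is None:
        findings.append("'%s' was not run" % LEVEL_CMD)
    elif not any(LEVEL_RE.search(line) for line in level_out):
        findings.append("chassis level is not 'level 1'")
    return findings


# Constructed captures (not real device output).
GOOD_CAPTURE = """\
root:fips# show version
Hostname: qfx-lab
Model: qfx10002-72q
Junos: 22.3R1-S2.3
root:fips# show system fips chassis level
level 1
"""

BAD_CAPTURE = """\
root@qfx-lab> show version
Junos: 22.3R1-S2.31
root@qfx-lab> show system fips chassis level
"""

if __name__ == "__main__":
    for name, capture in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(name, approved_mode_findings(capture) or "all indicators present")
```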
Mode Change Instructions and Status:
The module must always be zeroised when switching between the Approved mode of operation
and the non-Approved mode of operation and vice versa.
Degraded Mode Description:
The module does not support a degraded mode of operation.
2.5 Algorithms
Approved Algorithms:
Kernel
| Algorithm | CAVP Cert | Properties | Reference |
|---|---|---|---|
| HMAC DRBG | A3337 | Prediction Resistance - Yes; Mode - SHA2-256 | SP 800-90A Rev. 1 |
| HMAC-SHA2-256 | A3337 | Key Length - Key Length: 256 | FIPS 198-1 |
| SHA2-256 | A3337 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
Table 4: Approved Algorithms - Kernel
LibMD
| Algorithm | CAVP Cert | Properties | Reference |
|---|---|---|---|
| SHA2-512 | A3348 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
Table 5: Approved Algorithms - LibMD
OpenSSL
| Algorithm | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A3349 | Direction - Decrypt, Encrypt; Key Length - 128, 192, 256 | SP 800-38A |
| AES-CTR | A3349 | Direction - Decrypt, Encrypt; Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A3349 | Direction - Decrypt, Encrypt; Key Length - 128, 192, 256 | SP 800-38A |
| ECDSA KeyGen (FIPS186-4) | A3349 | Curve - P-256, P-384, P-521; Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A3349 | Curve - P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A3349 | Component - No; Curve - P-256, P-384, P-521; Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A3349 | Component - No; Curve - P-256, P-384, P-521; Hash Algorithm - SHA2-256, SHA2-384, SHA2-512 | FIPS 186-4 |
| HMAC DRBG | A3349 | Prediction Resistance - Yes; Mode - SHA2-256 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A3349 | Key Length - Key Length: 160 | FIPS 198-1 |
| HMAC-SHA2-256 | A3349 | Key Length - Key Length: 256 | FIPS 198-1 |
| HMAC-SHA2-512 | A3349 | Key Length - Key Length: 512 | FIPS 198-1 |
| KAS-ECC-SSC Sp800-56Ar3 | A3349 | Domain Parameter Generation Methods - P-256, P-384, P-521; Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A3349 | Domain Parameter Generation Methods - FC, MODP-2048; Scheme - dhEphem - KAS Role - initiator | SP 800-56A Rev. 3 |
| KDF SSH (CVL) | A3349 | Cipher - AES-128, AES-192, AES-256, TDES; Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| RSA KeyGen (FIPS186-4) | A3349 | Key Generation Mode - B.3.3; Modulo - 2048, 3072, 4096; Primality Tests - Table C.2; Private Key Format - Standard | FIPS 186-4 |
| RSA SigGen (FIPS186-4) | A3349 | Signature Type - PKCS 1.5; Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A3349 | Signature Type - PKCS 1.5; Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| SHA-1 | A3349 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A3349 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-512 | A3349 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
Table 6: Approved Algorithms - OpenSSL
| Algorithm | CAVP Cert | Properties | Reference |
|---|---|---|---|
| SHA2-512 | A3337 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| Safe Primes Key Generation | A3349 | Safe Prime Groups - MODP-2048 | SP 800-56A Rev. 3 |
| Safe Primes Key Verification | A3349 | Safe Prime Groups - MODP-2048 | SP 800-56A Rev. 3 |
Table 7: Approved Algorithms -
The following protocol is supported by the module in the Approved mode:
SSHv2 (EC Diffie-Hellman P-256, P-384, P-521; Diffie-Hellman MODP2048; RSA 2048, 3072,
4096 bits; ECDSA P-256, P-384, P-521; AES CBC 128, 192, 256 bits; AES CTR 128, 192, 256
bits; HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512)
The SSH protocol allows independent selection of key exchange, authentication, cipher and
integrity algorithms. Please note that there are algorithms, modes, and key/moduli sizes that
have been CAVP-tested but are not used by any approved service of the module. Only the
algorithms, modes/methods, and key lengths/curves/moduli shown in the table above are used
by an approved service of the module.
Vendor-Affirmed Algorithms:
| Name | Properties | Implementation | Reference |
|---|---|---|---|
| CKG - Section 4 and 5.1 | Key Type:Asymmetric | N/A | NIST SP800-133r2 Section 4: Asymmetric seed generation using an unmodified output from an Approved DRBG; Section 5.1: Key Pairs for Digital Signature Schemes |
| CKG - Section 4 and 5.2 | Key Type:Asymmetric | N/A | NIST SP800-133r2 Section 4: Asymmetric seed generation using an unmodified output from an Approved DRBG; Section 5.2: Key Pairs for Key Establishment |
| CKG - Section 6.2.1 | Key Type:Symmetric | N/A | NIST SP800-133r2 Section 6.2.1: Derivation of symmetric keys |
Table 8: Vendor-Affirmed Algorithms
Non-Approved, Allowed Algorithms:
The module does not support any non-Approved algorithms in the Approved mode, i.e., it does
not support Non-Approved Algorithms Allowed in the Approved Mode of Operation.
Non-Approved, Allowed Algorithms with No Security Claimed:
| Name | Caveat | Use and Function |
|---|---|---|
| SHA2-256 (JUNOS 22.3R1 QFX10K-LibMD Implementation) | no security claimed | Used to store operator passwords in hashed form, per IG 2.4.A: Use of a non-approved cryptographic algorithm to “obfuscate” a CSP |
| SHA-1 (JUNOS 22.3R1 QFX10K-Kernel) | no security claimed | Used for an extraneous check in the Kernel, per IG 2.4.A: Use of an approved, non-approved or proprietary algorithm for a purpose that is not security relevant |
Table 9: Non-Approved, Allowed Algorithms with No Security Claimed
The module does not support any non-Approved algorithms in the Approved mode, i.e., it does
not support Non-Approved Algorithms Allowed in the Approved Mode of Operation with No
Security Claimed.
Non-Approved, Not Allowed Algorithms:
| Name | Use and Function |
|---|---|
| RSA with key size less than 2048 | SSH |
| ECDSA with ed25519 curve | SSH |
| EC Diffie-Hellman with ed25519 curve | SSH |
| ARCFOUR | SSH |
| Blowfish | SSH |
| CAST | SSH |
| DSA (SignGen, SigVer, non-compliant) | SSH |
| HMAC-MD5 | SSH |
| HMAC-RIPEMD160 | SSH |
| UMAC | SSH |
Table 10: Non-Approved, Not Allowed Algorithms
In addition to the above non-Approved Algorithms Not Allowed in the Approved Mode of
Operation, all Approved algorithms supported in the Approved mode of operation are also
supported in the non-Approved mode.
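The SSHv2 Approved-mode list and Table 10 together define what an SSH algorithm proposal may contain. The following added example (not Juniper's code) audits the comma-separated name-lists of an SSH key-exchange proposal against both; the mapping from the policy's algorithm descriptions to standard SSH wire names is an assumption of this example, and the sample proposal is constructed.

```python
# Assumption: this mapping from the policy's descriptions (e.g. "AES CTR 128") to
# standard SSH algorithm names (e.g. "aes128-ctr") is the example's, not Juniper's.
APPROVED = {
    "kex": {      # EC Diffie-Hellman P-256/P-384/P-521; Diffie-Hellman MODP2048
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
    },
    "hostkey": {  # ECDSA P-256/P-384/P-521; RSA (modulus size checked separately)
        "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
        "rsa-sha2-256", "rsa-sha2-512",
    },
    "cipher": {   # AES CBC and AES CTR, 128/192/256 bits
        "aes128-cbc", "aes192-cbc", "aes256-cbc",
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
    },
    "mac": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
}

# Table 10 rows, matched by SSH-name prefix so that variants of a family are caught.
NOT_ALLOWED = [
    ("ssh-ed25519", "ECDSA with ed25519 curve"),
    ("curve25519-", "EC Diffie-Hellman with ed25519 curve"),
    ("arcfour", "ARCFOUR"),
    ("blowfish", "Blowfish"),
    ("cast128", "CAST"),
    ("ssh-dss", "DSA (SignGen, SigVer, non-compliant)"),
    ("hmac-md5", "HMAC-MD5"),
    ("hmac-ripemd160", "HMAC-RIPEMD160"),
    ("umac-", "UMAC"),
]

RSA_APPROVED_BITS = (2048, 3072, 4096)   # RSA moduli listed in the policy


def classify(category, name):
    """Return (verdict, reason) for one algorithm name in one proposal category."""
    if name in APPROVED.get(category, ()):
        return "approved", "listed for SSHv2 in the Approved mode"
    for prefix, row in NOT_ALLOWED:
        if name.startswith(prefix):
            return "not-allowed", "Table 10: " + row
    # CAVP-tested but unused algorithms (e.g. TDES in the KDF SSH row) land here.
    return "unlisted", "not in the SSHv2 Approved list; review manually"


def audit(proposal):
    """proposal maps category -> comma-separated name-list; returns finding tuples."""
    findings = []
    for category, name_list in proposal.items():
        for name in filter(None, (n.strip() for n in name_list.split(","))):
            verdict, reason = classify(category, name)
            findings.append((category, name, verdict, reason))
    return findings


def approved_only(proposal):
    """Return the proposal reduced to Approved names, preserving preference order."""
    kept = {category: [] for category in proposal}
    for category, name, verdict, _ in audit(proposal):
        if verdict == "approved":
            kept[category].append(name)
    return kept


def rsa_modulus_verdict(bits):
    """Classify an RSA host or user key by modulus size."""
    if bits < 2048:
        return "not-allowed"             # Table 10: RSA with key size less than 2048
    return "approved" if bits in RSA_APPROVED_BITS else "unlisted"


# Constructed proposal mixing Approved, Table 10 and unlisted names.
SAMPLE_PROPOSAL = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
    "hostkey": "ssh-ed25519,ecdsa-sha2-nistp384,rsa-sha2-512",
    "cipher": "aes256-ctr,3des-cbc,arcfour128,aes128-cbc",
    "mac": "hmac-sha2-256,umac-64@openssh.com,hmac-md5",
}

if __name__ == "__main__":
    for category, name, verdict, reason in audit(SAMPLE_PROPOSAL):
        print("%-8s %-32s %-12s %s" % (category, name, verdict, reason))
```

Names reported as "unlisted" are neither in the SSHv2 list nor in Table 10 and need a manual decision rather than an automatic pass.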
2.6 Security Function Implementations
| Name | Type | Description | Properties | Algorithms |
|---|---|---|---|---|
| KAS1 | KAS-135KDF; KAS-SSC | Key Agreement for SSHv2 | SP 800-56Arev3 KAS-ECC per IG D.F Scenario 2 path (2):size: P-256, P-384, P-521 curves; encryption strength: 128, 192, 256 bits; strength caveat: SSP establishment methodology provides between 128 and 256 bits of encryption strength | KAS-ECC-SSC Sp800-56Ar3; KDF SSH |
| KAS2 | AsymKeyPair-KeyGen; AsymKeyPair-KeyVer; KAS-135KDF; KAS-SSC | Key Agreement for SSHv2 | SP800-56Arev3 KAS-FFC per IG D.F Scenario 2 path (2):size: MODP 2048; encryption strength: SSP establishment methodology provides 112 bits of encryption strength | KAS-FFC-SSC Sp800-56Ar3; KDF SSH; Safe Primes Key Generation; Safe Primes Key Verification |
| KTS1 | KTS-Wrap | Key Transport for SSHv2 | SP800-38A AES CBC, CTR and HMAC 198 per IG D.G:size: 128, 192, and 256-bit keys; SSP establishment methodology provides between 128 and 256 bits of encryption strength | AES-CBC; AES-CTR; AES-ECB; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; SHA-1; SHA2-256; SHA2-512 |
| ECDSA SigVer | DigSig-SigVer | ECDSA Signature Verification used for firmware integrity | FIPS 186-4:size: P-256, encryption strength: 128 bits | ECDSA SigVer (FIPS186-4) |
| ECDSA SigVer2 | DigSig-SigVer | ECDSA Signature Verification used for identity-based public key authentication | FIPS 186-4:size: P-256, P-384, P-521 curves, 128, 192 and 256 bits | ECDSA SigVer (FIPS186-4) |
| DRBG | DRBG | Kernel DRBG providing random bits to the DRBG2 for SSP generation in the user/application space | | HMAC DRBG; HMAC-SHA2-256; SHA2-256 |
| DRBG2 | DRBG | SSP generation in user/application space | | HMAC DRBG; HMAC-SHA2-256; SHA2-256 |
| Entropy Source | ENT-Cond | Non-Physical Entropy Source | | SHA2-512 |
| ECDSA KeyGen | AsymKeyPair-KeyGen | Generation of SSH host keys | | ECDSA KeyGen (FIPS186-4) |
| ECDSA KeyGen2 | AsymKeyPair-KeyGen | SSP Agreement in the context of SSH | | ECDSA KeyGen (FIPS186-4) |
| ECDSA KeyVer | AsymKeyPair-KeyVer | Verification of keys generated | | ECDSA KeyVer (FIPS186-4) |
| ECDSA SigGen | DigSig-SigGen | Signature Generation using ECDSA in the context of SSH | | ECDSA SigGen (FIPS186-4) |
| RSA KeyGen | AsymKeyPair-KeyGen | Generation of SSH host keys | | RSA KeyGen (FIPS186-4) |
| RSA SigGen | DigSig-SigGen | Signature Generation using RSA in the context of SSH | | RSA SigGen (FIPS186-4) |
| RSA SigVer | DigSig-SigVer | Signature Verification using RSA for public key authentication | | RSA SigVer (FIPS186-4) |
| Password Hash | SHA | Used to store passwords in hashed form | | SHA2-512 |
| CKG | CKG | Cryptographic Key Generation (CKG) | | CKG - Section 6.2.1 Key Type: Symmetric |
| CASTs on boot | BC-UnAuth; DigSig-SigGen; DigSig-SigVer; DRBG; ENT-Cond; KAS-135KDF; MAC; SHA | List of algorithms for which Known Answer Tests (CASTs) have been implemented in the module and perform on each boot | | AES-CBC; HMAC DRBG; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; KAS-ECC-SSC Sp800-56Ar3; KAS-FFC-SSC Sp800-56Ar3; KDF SSH; ECDSA SigGen (FIPS186-4); ECDSA SigVer (FIPS186-4); RSA SigGen (FIPS186-4); RSA SigVer (FIPS186-4); HMAC DRBG; HMAC-SHA2-256; SHA2-512; SHA2-512 |
Table 11: Security Function Implementations
2.7 Algorithm Specific Information
The module only supports testable RSA moduli/key sizes (2048, 3072 and 4096 bits) and thus
the requirements per FIPS 140-3 IG C.F do not apply.
2.8 RBG and Entropy
| Cert Number | Vendor Name |
|---|---|
| E89 | Juniper Networks |
Table 12: Entropy Certificates
| Name | Type | Operational Environment | Sample Size | Entropy per Sample | Conditioning Component |
|---|---|---|---|---|---|
| Junos OS Non-Physical Entropy Source | Non-Physical | Intel Xeon E3-1125v2 | 8 bits | 0.83 bits | SHA2-512 (CAVP Cert. #A3337) |
Table 13: Entropy Sources
2.9 Key Generation
The module implements two NIST SP 800-90Ar1 DRBGs and supports the following sections
per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2 and 6.2.1.
2.10 Key Establishment
Per IG D.F:
The module implements full KAS (KAS-ECC-SSC, KAS-FFC-SSC per NIST SP 800-56Ar3 and
KDF SSH per NIST SP 800-135r1; IG D.F Scenario 2 (path 2 option 2, separate testing of the
SSC and SP800-135r1 KDF)). The KAS1 and KAS2 in the SFI Table have been documented in
accordance with this requirement.
KAS1: KAS (KAS-ECC-SSC Cert.#A3349 and CVL Cert. #A3349; SSP establishment
methodology provides between 128 and 256 bits of encryption strength)
KAS2: KAS (KAS-FFC-SSC Cert.#A3349 and CVL Cert. #A3349; SSP establishment
methodology provides 112 bits of encryption strength)
The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC
and KDF SSH) as individual entries.
Per IG D.G:
The module supports the IETF SSH protocol and thus implements key transport in the context
of the protocol (per the KTS1 entry in the SFI table of the Security Policy).
The module implements the following approved KTS using approved AES modes:
AES CBC and CTR: KTS (AES Cert. #A3349 and HMAC Cert. #A3349; key establishment
methodology provides between 128 and 256 bits of encryption strength)
2.11 Industry Protocols
No parts of the SSH protocol, other than the KDF, have been tested by the CAVP or CMVP.
2.12 Additional Information
The module design corresponds to the security rules below. The term "shall" in this context
specifically refers to a requirement for correct usage of the module in the Approved mode; all
other statements indicate a security rule implemented by the module.
1. The module clears previous authentications on power cycle.
2. When the module has not been placed in a valid role, the operator does not have access
to any cryptographic services.
3. Self-tests do not require any operator action.
4. Data output is inhibited during SSP generation, self-test execution, zeroisation, and error
states.
5. Status information does not contain SSPs or sensitive data that if misused could lead to
a compromise of the module.
6. There are no restrictions on which SSPs are zeroised by the zeroisation service.
7. The module does not support a maintenance interface or role.
8. The module does not output intermediate key values.
9. The module does not output plaintext CSPs.
10. The Crypto Officer shall verify that the firmware image to be loaded on the module is a
FIPS 140-3 validated image. If any non-validated firmware image is loaded, the module
will no longer be a validated module.
11. The Crypto Officer shall retain control of the module while zeroisation is in process.
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces
| Physical Port | Logical Interface(s) | Data That Passes |
|---|---|---|
| Ethernet | Data Input, Data Output, Control Input, Status Output | LAN Communications (QFX10002-36Q(40: 2 MGMT, 36 QSFP+, 1 ETH), QFX10002-72Q(80: 2 MGMT, 72 QSFP+, 1 ETH), QFX10002-60C (63: 2 MGMT, 60 QSFP+, 1 ETH), QFX10008(12: 4 MGMT, 8 SFP+), QFX10016(12: 4 MGMT, 8 SFP+)) |
| Serial | Control Input, Status Output | Serial Console Port (QFX10002(1), QFX10008(2), QFX10016(2)) |
| USB | Data Input, Control Input | Load Junos OS image/configuration (QFX10002(1), QFX10008(2), QFX10016(2)) |
| Power | Power | Power connector (QFX10002-36Q(4), QFX10002-72Q(4), QFX10002-60C(4), QFX10008(6), QFX10016(10)) |
| LED | Status Output | Status indicator lighting (QFX10002(4) QFX10008(13) QFX10016(13)) |
| Reset | Control Input | Reset (QFX10002(1) QFX10008(2) QFX10016(2)) |
| SMB | Control Input, Status Output | PTP Connectors (QFX10002(2) QFX10008(8) QFX10016(8)) |
| Backplane Line Card Interface | Data Input, Data Output, Control Input, Status Output | Line card interface (QFX10008(8) QFX10016(16)) |
Table 14: Ports and Interfaces
The module does not support control output.
4 Roles, Services, and Authentication
4.1 Authentication Methods
Method Name: Username and password over the console and SSH
Description:
• The module enforces 10-character passwords (at minimum) chosen from the 96 human readable ASCII characters. The maximum password length is 20 characters. Thus, the probability of a successful random attempt is 1/(96^10), which is less than 1/1,000,000 (million).
• The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced. Upon the third attempt, the module enforces a 5-second delay. Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g., 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20-second delay, 7th failed attempt = 25-second delay). This leads to a maximum of 7 possible attempts in a one-minute period for each getty. The best approach for the attacker would be to disconnect after 4 failed attempts and wait for a new getty to be spawned. This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour/60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts. The probability of a success with multiple consecutive attempts in a one-minute period is 9/(96^10), which is less than 1/100,000.
Security Mechanism: SHA2-512 (A3348)
Strength Each Attempt: 1/(96^10)
Strength per Minute: 9/(96^10)

Method Name: Username and ECDSA public key over SSH
Description:
• The module supports ECDSA (P-256, P-384, and P-521), which has a minimum equivalent computational resistance to attack of either 2^128, 2^192 or 2^256 depending on the curve. Thus, the probability of a successful random attempt is 1/(2^128), which is less than 1/1,000,000 (million).
• Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period, to a maximum of 15,000 attempts. The probability of a success with multiple consecutive attempts in a one-minute period is 15,000/(2^128), which is less than 1/100,000.
Security Mechanism: ECDSA SigVer (FIPS186-4) (A3349)
Strength Each Attempt: 1/(2^128)
Strength per Minute: 15,000/(2^128)

Method Name: Username and RSA public key over SSH
Description:
• The module supports RSA (2048, 3072, 4096 bits), which has a minimum equivalent computational resistance to attack of 2^112 (2048 bits). Thus, the probability of a successful random attempt is 1/(2^112), which is less than 1/1,000,000 (million).
• Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period, to a maximum of 15,000 attempts. The probability of a success with multiple consecutive attempts in a one-minute period is 15,000/(2^112), which is less than 1/100,000.
Security Mechanism: RSA SigVer (FIPS186-4) (A3349)
Strength Each Attempt: 1/(2^112)
Strength per Minute: 15,000/(2^112)
Table 15: Authentication Methods
The module enforces the separation of roles using identity-based operator authentication. The
module implements two forms of identity-based authentication: username and password over
the console and SSH connections, and username with ECDSA or RSA public key-based
authentication over SSHv2.
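The delay schedule and probability bounds in Table 15 can be re-derived mechanically. The Python below is an added example, not part of Juniper's Security Policy or the module's code; the function names are hypothetical, and it assumes the delay is applied after each failed attempt, which is the reading that reproduces the stated 7 attempts per minute. It also goes one step beyond the table by computing the shortest password length that would still meet both thresholds.

```python
"""Re-derive the Table 15 authentication-strength figures (added example)."""
from fractions import Fraction

# Thresholds quoted in Table 15.
PER_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
PER_MINUTE_LIMIT = Fraction(1, 100_000)


def delay_after_failure(n, free_failures=2, step=5):
    """Seconds of delay imposed after the n-th consecutive failed attempt.

    Failures 1 and 2 add no delay, failure 3 adds 5 s, failure 4 adds 10 s, ...
    """
    if n < 1:
        raise ValueError("attempt numbers start at 1")
    return max(0, n - free_failures) * step


def attempts_in_window(window=60, free_failures=2, step=5):
    """Attempts one getty accepts inside `window` seconds, assuming (as the
    policy does) that processing an attempt takes no time."""
    clock = 0
    attempts = 0
    while clock < window:
        attempts += 1
        clock += delay_after_failure(attempts, free_failures, step)
    return attempts


def assess(per_attempt, attempts_per_minute):
    """Per-attempt and per-minute success probabilities with pass flags.

    attempts * p is the policy's own figure; it is an upper bound on the
    probability of at least one success in that many independent guesses.
    """
    per_minute = per_attempt * attempts_per_minute
    return {
        "per_attempt": per_attempt,
        "per_minute": per_minute,
        "per_attempt_ok": per_attempt < PER_ATTEMPT_LIMIT,
        "per_minute_ok": per_minute < PER_MINUTE_LIMIT,
    }


def table_15():
    """Recompute every row of Table 15 from the parameters the policy states."""
    # 576 attempts/hour is the policy's reconnect-strategy figure, floored per minute.
    password_rate = 576 // 60
    return {
        "password": assess(Fraction(1, 96 ** 10), password_rate),
        "ecdsa": assess(Fraction(1, 2 ** 128), 15_000),
        "rsa": assess(Fraction(1, 2 ** 112), 15_000),
    }


def minimum_compliant_length(alphabet=96, attempts_per_minute=9):
    """Shortest password length that meets both thresholds (generalisation,
    not a figure from the policy)."""
    length = 1
    while True:
        row = assess(Fraction(1, alphabet ** length), attempts_per_minute)
        if row["per_attempt_ok"] and row["per_minute_ok"]:
            return length
        length += 1


if __name__ == "__main__":
    print("attempts per getty per minute:", attempts_in_window())
    for name, row in table_15().items():
        print(f"{name:9s} per-attempt={float(row['per_attempt']):.3e} "
              f"per-minute={float(row['per_minute']):.3e} "
              f"ok={row['per_attempt_ok'] and row['per_minute_ok']}")
    print("minimum compliant length at 96 symbols:", minimum_compliant_length())
```

The margin between the computed minimum length and the enforced 10-character minimum shows how far the password method sits inside both thresholds.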
4.2 Roles
| Name | Type | Operator Type | Authentication Methods |
|---|---|---|---|
| Super-user | Identity | Crypto Officer (CO) | Username and password over the console and SSH; Username and ECDSA public key over SSH; Username and RSA public key over SSH |
| Operator | Identity | User | Username and password over the console and SSH; Username and ECDSA public key over SSH; Username and RSA public key over SSH |
| Read-only | Identity | User | Username and password over the console and SSH; Username and ECDSA public key over SSH; Username and RSA public key over SSH |
| Root | Identity | Crypto Officer (CO) | Username and password over the console and SSH; Username and ECDSA public key over SSH; Username and RSA public key over SSH |
| Unauthorised | Identity | User | Username and password over the console and SSH; Username and ECDSA public key over SSH; Username and RSA public key over SSH |
Table 16: Roles
The module supports two roles: Crypto Officer (CO) and User. Root and Super-user correspond
to the Crypto Officer role whereas Operator, Read-Only and Unauthorised operator types
correspond to the User role. The module supports concurrent operators but does not support a
maintenance role and/or bypass capability.
An operator assuming the Crypto Officer role configures and monitors the module via a console
or SSH connection. As Root or Super-user, the Crypto Officer has permission to view and
configure passwords and public keys within the module. The User role monitors the module via
the console or SSH. The User role does not have the permission to modify the configuration.
4.3 Approved Services
Each entry below lists: Name, Description, Indicator, Inputs, Outputs, Security Functions, SSP Access (by role).

Name: Configure security (security relevant)
Description: Security relevant configuration (SSH, authentication data)
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Commands (SSH configuration: set system services ssh root-login allow)
Outputs: Traffic
Security Functions: DRBG, DRBG2, Password Hash, CKG
SSP Access:
  Root: SSH Private Host Key: G; User Password: W,E; CO Password: W,E; HMAC_DRBG V value: E; HMAC_DRBG Key value: E; HMAC_DRBG entropy input: E; HMAC_DRBG seed: E; SSH Public Host Key: G; User Authentication Public Keys: W; CO Authentication Public Keys: W
  Super-user: SSH Private Host Key: G; User Password: W,E; CO Password: W,E; HMAC_DRBG V value: E; HMAC_DRBG Key value: E; HMAC_DRBG entropy input: E; HMAC_DRBG seed: E; HMAC_DRBG Key value: E; SSH Public Host Key: G; CO Authentication Public Keys: W; User Authentication Public Keys: W

Name: Configure (non-security relevant)
Description: Non-security relevant configuration
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Commands (miscellaneous commands e.g., for IP address configuration, routing protocols, etc.)
Outputs: Traffic
Security Functions: Password Hash
SSP Access:
  Super-user: CO Password: E
  Root: CO Password: E

Name: Show status
Description: Query the module status
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Command (show)
Outputs: CLI output
Security Functions: Password Hash
SSP Access:
  Super-user: CO Password: E
  Root: CO Password: E
  Operator: User Password: E
  Read-only: User Password: E
  Unauthorised: User Password: E

Name: Show status (LED)
Description: LEDs on the module provide physical status output
Indicator: LED(s) on the chassis turned on
Inputs: N/A
Outputs: LED
Security Functions: None
SSP Access:
  Super-user
  Operator
  Read-only
  Unauthorised
  Root
  Unauthenticated

Name: Show module’s versioning information
Description: Query the module’s versioning information
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Command (show version)
Outputs: CLI output
Security Functions: Password Hash
SSP Access:
  Super-user: CO Password: E
  Operator: User Password: E
  Read-only: User Password: E
  Unauthorised: User Password: E
  Root: CO Password: E

Name: Zeroise (Perform zeroisation)
Description: Destroy all SSPs
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Command (request vmhost zeroize no-forwarding)
Outputs: N/A
Security Functions: Password Hash
SSP Access:
  Super-user: SSH Private Host Key: Z; SSH ECDH Private Key: Z; SSH DH Private Key: Z; SSH Session Key: Z; User Password: Z; CO Password: E,Z; HMAC_DRBG V value: Z; HMAC_DRBG Key value: Z; HMAC_DRBG entropy input: Z; HMAC_DRBG seed: Z; ECDH Shared Secret: Z; DH Shared Secret: Z; HMAC Key: Z; SSH Public Host Key: Z; User Authentication Public Keys: Z; CO Authentication Public Keys: Z; JuniperRootCA: Z; PackageCA: Z; SSH ECDH Public Key: Z; SSH DH Public Key: Z; SSH ECDH Client Public Key: Z; SSH DH Client Public Key: Z
  Root: SSH Private Host Key: Z; SSH ECDH Private Key: Z; SSH DH Private Key: Z; SSH Session Key: Z; User Password: Z; CO Password: E,Z; HMAC_DRBG V value: Z; HMAC_DRBG Key value: Z; HMAC_DRBG entropy input: Z; HMAC_DRBG seed: Z; ECDH Shared Secret: Z; DH Shared Secret: Z; HMAC Key: Z; SSH Public Host Key: Z; User Authentication Public Keys: Z; CO Authentication Public Keys: Z; JuniperRootCA: Z; PackageCA: Z; SSH ECDH Public Key: Z; SSH DH Public Key: Z; SSH ECDH Client Public Key: Z; SSH DH Client Public Key: Z

Name: Perform approved security functions (SSH connection)
Description: Initiate SSH connection for SSH monitoring and control (CLI)
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Authentication data (Username and password/public-key based authentication)
Outputs: SSH session
Security Functions: KAS1, KAS2, KTS1, ECDSA SigVer2, DRBG, DRBG2, Entropy Source, ECDSA KeyGen, ECDSA KeyGen2, ECDSA KeyVer, ECDSA SigGen, RSA KeyGen, RSA SigGen, RSA SigVer, Password Hash, CKG
SSP Access:
  Super-user: SSH Private Host Key: E; SSH ECDH Private Key: G,E,Z; SSH DH Private Key: G,E,Z; SSH Session Key: G,E,Z; HMAC_DRBG V value: E; HMAC_DRBG Key value: E; HMAC_DRBG entropy input: E; HMAC_DRBG seed: E; ECDH Shared Secret: G,E,Z; DH Shared Secret: G,E,Z; HMAC Key: G,E,Z; SSH Public Host Key: E; SSH DH Public Key: G,E,Z; SSH ECDH Public Key: G,E,Z; CO Password: E; CO Authentication Public Keys: E; SSH ECDH Client Public Key: W,E,Z; SSH DH Client Public Key: W,E,Z
  Root: SSH Private Host Key: E; SSH ECDH Private Key: G,E,Z; SSH DH Private Key: G,E,Z; SSH Session Key: G,E,Z; HMAC_DRBG V value: E; HMAC_DRBG Key value: E; HMAC_DRBG entropy input: E; HMAC_DRBG seed: E; ECDH Shared Secret: G,E,Z; DH Shared Secret: G,E,Z; HMAC Key: G,E,Z; SSH Public Host Key: E; SSH ECDH Public Key: G,E,Z; SSH DH Public Key: G,E,Z; CO Password: E; CO Authentication Public Keys: E; SSH ECDH Client Public Key: G,E,Z; SSH DH Client Public Key: G,E,Z
  Operator: SSH Private Host Key: E; SSH ECDH Private Key: G,E,Z; SSH DH Private Key: G,E,Z; SSH Session Key: G,E,Z; HMAC_DRBG V value: E; HMAC_DRBG entropy input: E; HMAC_DRBG seed: E; ECDH Shared Secret: G,E,Z; DH Shared Secret: G,E,Z; HMAC Key: G,E,Z; SSH Public Host Key: E; SSH ECDH Public Key: G,E,Z; SSH DH Public Key: G,E,Z; User Password: E; User Authentication Public Keys: E; SSH ECDH Client Public Key: G,E,Z; SSH DH Client Public Key: G,E,Z; HMAC_DRBG Key value: E
  Read-only: SSH Private Host Key: E; SSH ECDH Private Key: G,E,Z; SSH DH Private Key: G,E,Z; SSH Session Key: G,E,Z; HMAC_DRBG V value: E; HMAC_DRBG Key value: E; HMAC_DRBG entropy input: E; HMAC_DRBG seed: E; ECDH Shared Secret: G,E,Z; DH Shared Secret: G,E,Z; HMAC Key: G,E,Z; SSH Public Host Key: E; SSH ECDH Public Key: G,E,Z; SSH DH Public Key: G,E,Z; User Password: E; User Authentication Public Keys: E; SSH ECDH Client Public Key: G,E,Z; SSH DH Client Public Key: G,E,Z
  Unauthorised: SSH Private Host Key: E; SSH ECDH Private Key: G,E,Z; SSH DH Private Key: G,E,Z; SSH Session Key: G,E,Z; HMAC_DRBG V value: E; HMAC_DRBG entropy input: E; HMAC_DRBG seed: E; ECDH Shared Secret: G,E,Z; DH Shared Secret: G,E,Z; HMAC Key: G,E,Z; SSH Public Host Key: E; SSH ECDH Public Key: G,E,Z; SSH DH Public Key: G,E,Z; User Password: E; User Authentication Public Keys: E; SSH ECDH Client Public Key: G,E,Z; SSH DH Client Public Key: G,E,Z; HMAC_DRBG Key value: E

Name: Console Access
Description: Console monitoring and control (CLI)
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Username, password (set system login user <username> class <crypto-officer/user class> operator authentication plaintext-password)
Outputs: N/A
Security Functions: Password Hash
SSP Access:
  Super-user: CO Password: E
  Operator: CO Password: E
  Read-only: User Password: E
  Unauthorised: User Password: E
  Root: CO Password: E

Name: Perform self-tests (remote reset)
Description: Software initiated reset, performs self-tests on demand via SSH
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Control input/reset signal (request vmhost reboot)
Outputs: N/A
Security Functions: KAS1, KAS2, KTS1, DRBG, DRBG2, Entropy Source, ECDSA KeyGen, ECDSA KeyGen2, ECDSA KeyVer, ECDSA SigGen, RSA KeyGen, RSA SigGen, Password Hash, CKG, CASTs on boot
SSP Access:
  Super-user: SSH ECDH Private Key: G,E,Z; SSH DH Private Key: G,E,Z; SSH Session Key: G,E,Z; HMAC_DRBG Key value: G,E,Z; HMAC_DRBG V value: G,E,Z; HMAC_DRBG entropy input: G,E,Z; HMAC_DRBG seed: G,E,Z; ECDH Shared Secret: G,E,Z; DH Shared Secret: G,E,Z; HMAC Key: G,E,Z; SSH ECDH Public Key: G,E,Z; SSH DH Public Key: G,E,Z; CO Password: E; Firmware Integrity Key: E; SSH Private Host Key: E; SSH Public Host Key: E; SSH ECDH Client Public Key: W,E,Z; SSH DH Client Public Key: W,E,Z; SSH Private Host Key: E; SSH Public Host Key: E; User Authentication Public Keys: E; CO Authentication Public Keys: E
  Root: SSH ECDH Private Key: G,E,Z; SSH DH Private Key: G,E,Z; SSH Session Key: G,E,Z; HMAC_DRBG Key value: G,E,Z; HMAC_DRBG V value: G,E,Z; HMAC_DRBG entropy input: G,E,Z; HMAC_DRBG seed: G,E,Z; ECDH Shared Secret: G,E,Z; DH Shared Secret: G,E,Z; HMAC Key: G,E,Z; SSH ECDH Public Key: G,E,Z; SSH DH Public Key: G,E,Z; CO Password: E; Firmware Integrity Key: E; SSH Private Host Key: E; SSH Public Host Key: E; SSH ECDH Client Public Key: W,E,Z; SSH DH Client Public Key: W,E,Z; SSH Private Host Key: E; SSH Public Host Key: E; User Authentication Public Keys: E; CO Authentication Public Keys: E

Name: Perform self-tests (local reset)
Description: Hardware reset or power cycle
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Control input/reset signal
Outputs: N/A
Security Functions: CASTs on boot
SSP Access:
  Super-user: Firmware Integrity Key: E
  Root: Firmware Integrity Key: E
  Operator: Firmware Integrity Key: E
  Read-only: Firmware Integrity Key: E
  Unauthorised: Firmware Integrity Key: E
  Unauthenticated: Firmware Integrity Key: E

Name: Load Image
Description: Verification and loading of a validated firmware image into the router/switch
Indicator: Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service
Inputs: Image, commands
Outputs: N/A
Security Functions: ECDSA SigVer, Password Hash
SSP Access:
  Super-user: CO Password: E; Firmware Integrity Key: E; JuniperRootCA: E; PackageCA: E
  Root: CO Password: E; Firmware Integrity Key: E; JuniperRootCA: E; PackageCA: E
Table 17: Approved Services
4.4 Non-Approved Services
| Name | Description | Algorithms | Role |
|---|---|---|---|
| Configure security (security relevant) | Security relevant configuration | RSA with key size less than 2048; ECDSA with ed25519 curve; EC Diffie-Hellman with ed25519 curve; ARCFOUR; Blowfish; CAST; DSA (SignGen, SigVer, non-compliant); HMAC-MD5; HMAC-RIPEMD160; UMAC | Root, Super-user |
| Configure (non-security relevant) | Non-security relevant configuration | None | Root, Super-user |
| Show status | Query the module status | None | Root, Super-user, Operator, Read-Only, Unauthorized |
| Show status (LED) | LEDs on the module provide physical status output | None | Root, Super-user, Operator, Read-Only, Unauthorized, Unauthenticated |
| Show module’s versioning information | Query the module’s versioning information | None | Root, Super-user, Operator, Read-Only, Unauthorized |
| Zeroise (Perform zeroisation) | Destroy all SSPs | None | Root, Super-user |
| Perform approved security functions (SSH connection) | Initiate SSH connection for SSH monitoring and control (CLI) | RSA with key size less than 2048; ECDSA with ed25519 curve; EC Diffie-Hellman with ed25519 curve; ARCFOUR; Blowfish; CAST; DSA (SignGen, SigVer, non-compliant); HMAC-MD5; HMAC-RIPEMD160; UMAC | Root, Super-user, Operator, Read-Only, Unauthorized |
| Console Access | Console monitoring and control (CLI) | None | Root, Super-user, Operator, Read-Only, Unauthorized |
| Perform self-tests (remote reset) | Software initiated reset, performs self-tests on demand | None | Root, Super-user, Operator, Read-Only, Unauthorized |
| Perform self-tests (local reset) | Hardware reset or power cycle | None | Root, Super-user, Operator, Read-Only, Unauthorized, Unauthenticated |
| Load Image | Verification and loading of a validated firmware image into the router/switch | None | Root, Super-user |
Table 18: Non-Approved Services
4.5 External Software/Firmware Loaded
The module supports loading of firmware from an external source (a complete image
replacement) and a firmware load test using ECDSA P-256 with SHA2-256 (CAVP Cert.
#A3349) is performed in support of the load.
4.6 Cryptographic Output Actions and Status
The module does not support self-initiated cryptographic output.
5 Software/Firmware Security
5.1 Integrity Techniques
The module performs the firmware integrity check using ECDSA P-256 with SHA2-256 (CAVP
Cert. #A3349). The ECDSA P-256 public key used for signature verification is a non-SSP and
stored persistently across reboots in the module’s Non-Volatile RAM (NVRAM) and is exempt
from zeroisation.
5.2 Initiate on Demand
The operator can initiate the integrity test on demand by rebooting the module.
5.3 Additional Information
The module firmware image is delivered in the form of a pre-compiled tarball (.tgz).
6 Operational Environment
6.1 Operational Environment Type and Requirements
Type of Operational Environment: Limited
How Requirements are Satisfied:
The module contains a limited operational environment since it supports loading of firmware
from an external source. The Junos OS 22.3R1-S2.3 operating system is contained within the
module, i.e., the tested configurations listed in the Tested Module Identification – Hardware in
this document.
6.2 Configuration Settings and Restrictions
Security rules and restrictions for configuration of the operational environment have been
specified in Sections 2.12 and 11.1 of this document.
7 Physical Security
7.1 Mechanisms and Actions Required
The module’s physical embodiment is that of a multi-chip standalone meeting Level 1 Physical
Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc
coated, cold rolled steel, plated steel and brushed aluminum enclosure. The module enclosure
is made of production grade materials. There are no ventilation holes, gaps, slits, cracks, slots,
or crevices that would allow for any sort of observation of any component contained within the
cryptographic boundary. No actions are required by the operator to ensure that physical security
is maintained.
8 Non-Invasive Security
8.1 Mitigation Techniques
The module does not implement any non-invasive security mitigations and thus the
requirements per this section do not apply to the module.
9 Sensitive Security Parameters Management
9.1 Storage Areas
| Storage Area Name | Description | Persistence Type |
|---|---|---|
| NVRAM | Non-Volatile Random Access Memory | Static |
| RAM | Random Access Memory | Dynamic |
Table 19: Storage Areas
9.2 SSP Input-Output Methods
| Name | From | To | Format Type | Distribution Type | Entry Type | SFI or Algorithm |
|---|---|---|---|---|---|---|
| Entered over SSH - NVRAM | External endpoint | NVRAM | Encrypted | Automated | Electronic | KTS1 |
| Loaded at manufacture | External endpoint | NVRAM | Plaintext | N/A | N/A | |
| Entered through the CLI via console connection - NVRAM | External endpoint | NVRAM | Plaintext | Manual | Direct | |
| Input during SSH negotiation | External endpoint | RAM | Plaintext | Automated | Electronic | |
| Output during SSH negotiation (host key) | NVRAM | External endpoint | Plaintext | Automated | Electronic | |
| Output during SSH negotiation (Key Agreement public key) | RAM | External endpoint | Plaintext | Automated | Electronic | |
Table 20: SSP Input-Output Methods
The module is compliant with FIPS 140-3 IG 9.5.A: MD/DE for SSPs entered via the module’s CLI
over a direct connection to its serial/console port, and AD/EE for SSPs
entered/output/established via SSH.
9.3 SSP Zeroization Methods
| Zeroization Method | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Zeroisation command | Command used to zeroise the module: request vmhost zeroize no-forwarding | Used to provide zeroisation as a service | Operator initiated |
| Power-cycle | Power cycling the module to zeroise temporary SSPs | Power cycling the module to zeroise temporary SSPs | Operator initiated |
| Session termination | Termination of SSH sessions automatically zeroises temporary SSPs used as part of the session | Termination of SSH sessions automatically zeroises temporary SSPs used as part of the session | Module initiated |
| Not zeroised | PSP not zeroised since it cannot be modified due to being inaccessible in the filesystem | PSP not zeroised since it cannot be modified due to being inaccessible in the filesystem | N/A |
| Derivation of SSH session key | EC Diffie-Hellman/Diffie-Hellman shared secrets are zeroised after use in derivation of SSH session key | EC Diffie-Hellman/Diffie-Hellman shared secrets are zeroised after use in derivation of SSH session key | Module initiated |
Table 21: SSP Zeroization Methods
9.4 SSPs
| Name | Description | Size - Strength | Type - Category | Generated By / Established By / Used By |
|---|---|---|---|---|
| SSH Private Host Key | Host key generated, used for authentication and encryption in the context of SSH | P-256 for ECDSA, 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSA | Private Host Key - CSP | DRBG2, ECDSA KeyGen, RSA KeyGen, KAS1, KAS2 |
| SSH ECDH Private Key | Ephemeral EC Diffie-Hellman private key used in SSH | KAS-ECC-SSC P-256, P-384, P-512 - 128 bits, 192 bits, 256 bits | ECDH Private Key - CSP | DRBG2, ECDSA KeyGen2, KAS1 |
| SSH DH Private Key | Ephemeral Diffie-Hellman private key used in SSH | 2048 bits for KAS-FFC-SSC - 112 bits for KAS-FFC-SSC | DH Private Key - CSP | DRBG2, KAS2 |
| SSH Session Key | SSH Session Key | 128 bits, 192 bits, 256 bits - 128 bits, 192 bits, 256 bits | Session Key - CSP | CKG, KAS1, KAS2 |
| User Password | Passwords used to authenticate users to the module | 10-20 characters - 1/(96^10) per attempt, 9/(96^10) per minute | User Password - CSP | |
| CO Password | Passwords used to authenticate COs to the module | 10-20 characters - 1/(96^10) per attempt, 9/(96^10) per minute | CO Password - CSP | |
| HMAC_DRBG V value | A critical value of the internal state of DRBG | 256 bits - 256 bits | Internal state of the DRBG - CSP | DRBG, DRBG2, DRBG, DRBG2 |
| HMAC_DRBG Key value | A critical value of the internal state of DRBG | 440 bits - 440 bits | Internal state of the DRBG - CSP | DRBG, DRBG2, DRBG, DRBG2 |
| HMAC_DRBG entropy input | Entropy input to the HMAC_DRBG | 512 bits - 448 bits | Entropy input to the HMAC_DRBG - CSP | Entropy Source |
| HMAC_DRBG seed | Seed provided to the HMAC_DRBG | 512 bits - 440 bits | Seed provided to the HMAC_DRBG - CSP | DRBG, DRBG2, DRBG, DRBG2 |
| ECDH Shared Secret | Used in EC Diffie-Hellman (ECDH) exchange | P-256, P-384, P-521 - 128 bits, 192 bits, 256 bits | Shared secret - CSP | KAS1 |
| DH Shared Secret | Used in Diffie-Hellman (DH) exchange | 2048 bits - 112 bits | Shared secret - CSP | KAS2 |
| HMAC Key | MAC key | 128 bits and 256 bits - 128 bits and 256 bits | MAC key - CSP | KAS1, KAS2 |
| SSH Public Host Key | Host key generated, used to identify the host. Also paired with the private key for authentication and encryption in the context of SSH | P-256 for ECDSA and 2048 bits for RSA - 128 bits for ECDSA, 112 bits for RSA | Public key - PSP | DRBG2, ECDSA KeyGen, RSA KeyGen |
| User Authentication Public Keys | Used to authenticate users to the module | P-256, P-384, P-521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA | Public key - PSP | |
| CO Authentication Public Keys | Used to authenticate the CO to the module | P-256, P-384, P-521 for ECDSA and 2048, 3072 and 4096 bits for RSA - 128, 192, 256 bits for ECDSA, 112, 192 and 256 bits for RSA | Public key - PSP | |
| JuniperRootCA | ECDSA prime256v1 X.509 V3 Certificate. Used to verify the validity of the PackageCA | ECDSA P-256 - 128 bits | Public key certificate - Neither | |
| PackageCA | ECDSA prime256v1 X.509 V3 Certificate. Certificate that holds the public key for the signing key used to generate all the signatures used on the packages and signature lists | ECDSA P-256 - 128 bits | Public key certificate - Neither | |
| SSH ECDH Public Key | Ephemeral EC Diffie-Hellman public key used in SSH | KAS-ECC-SSC P-256, P-384, P-512 - 128 bits, 192 bits, 256 bits for KAS-ECC-SSC | Public key - PSP | DRBG2, ECDSA KeyGen2 |
| SSH DH Public Key | Ephemeral Diffie-Hellman public key used in SSH | 2048 bits for KAS-FFC-SSC - 112 bits for KAS-FFC-SSC | Public key - PSP | DRBG2 |
| Firmware Integrity Key | Public key used to perform the firmware integrity test on each boot and authenticate firmware loaded from an external source | ECDSA P-256 - 128 bits | Public key - Neither | |
| SSH ECDH Client Public Key | Ephemeral EC Diffie-Hellman public key used in SSH (sent by the client to the module acting as the server) | KAS-ECC-SSC P-256, P-384, P-512 - 128 bits, 192 bits, 256 bits for KAS-ECC-SSC | Public key - PSP | |
| SSH DH Client Public Key | Ephemeral Diffie-Hellman public key used in SSH (sent by the client to the module acting as the server) | 2048 bits for KAS-FFC-SSC - 112 bits for KAS-FFC-SSC | Public key - PSP | |
Table 22: SSP Table 1
| Name | Input - Output | Storage | Storage Duration | Zeroization | Related SSPs |
|---|---|---|---|---|---|
| SSH Private Host Key | | NVRAM:Plaintext | | Zeroisation command | |
| SSH ECDH Private Key | | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
| SSH DH Private Key | | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
| SSH Session Key | | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
| User Password | Entered over SSH - NVRAM; Entered through the CLI via console connection - NVRAM | NVRAM:Obfuscated; NVRAM:Obfuscated | | Zeroisation command | |
| CO Password | Entered over SSH - NVRAM; Entered through the CLI via console connection - NVRAM | NVRAM:Obfuscated; NVRAM:Obfuscated | | Zeroisation command | |
| HMAC_DRBG V value | | RAM:Plaintext | Until power-cycle | Power-cycle | |
| HMAC_DRBG Key value | | RAM:Plaintext | Until power-cycle | Power-cycle | |
| HMAC_DRBG entropy input | | RAM:Plaintext | Until power-cycle | Power-cycle | |
| HMAC_DRBG seed | | RAM:Plaintext | Until power-cycle | Power-cycle | |
| ECDH Shared Secret | | RAM:Plaintext | Until SSH session key derivation | Zeroisation command; Power-cycle; Derivation of SSH session key | |
| DH Shared Secret | | RAM:Plaintext | Until SSH session key derivation | Zeroisation command; Power-cycle; Derivation of SSH session key | |
| HMAC Key | | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
| SSH Public Host Key | Output during SSH negotiation (host key) | NVRAM:Plaintext | | Zeroisation command | |
| User Authentication Public Keys | Entered over SSH - NVRAM; Entered through the CLI via console connection - NVRAM | NVRAM:Plaintext | | Zeroisation command | |
| CO Authentication Public Keys | Entered over SSH - NVRAM; Entered through the CLI via console connection - NVRAM | NVRAM:Plaintext | | Zeroisation command | |
| JuniperRootCA | Loaded at manufacture | NVRAM:Plaintext | | Not zeroised | |
| PackageCA | Loaded at manufacture | NVRAM:Plaintext | | Not zeroised | |
| SSH ECDH Public Key | Output during SSH negotiation (Key Agreement public key) | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
| SSH DH Public Key | Output during SSH negotiation (Key Agreement public key) | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
| Firmware Integrity Key | Loaded at manufacture | NVRAM:Plaintext | | Not zeroised | |
| SSH ECDH Client Public Key | Input during SSH negotiation | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
| SSH DH Client Public Key | Input during SSH negotiation | RAM:Plaintext | Until session termination | Zeroisation command; Power-cycle; Session termination | |
Table 23: SSP Table 2
10 Self-Tests
10.1 Pre-Operational Self-Tests
| Algorithm or Test | Test Properties | Test Method | Test Type | Indicator | Details |
|---|---|---|---|---|---|
| Firmware Integrity Test | Using ECDSA P-256 with SHA2-256 | KAT | SW/FW Integrity | FIPS Self-tests Passed | Verify |
Table 24: Pre-Operational Self-Tests
The module is compliant with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known
Answer Test (KAT) for the ECDSA P-256 (with SHA2-256) algorithm used in the firmware
integrity test on each boot prior to executing the firmware integrity test.
10.2 Conditional Self-Tests
| Algorithm or Test | Test Properties | Test Method | Test Type | Indicator | Details | Conditions |
|---|---|---|---|---|---|---|
| HMAC DRBG (A3337) | Prediction Resistance: Yes Supports Reseed Capabilities: Mode: SHA2-256 Entropy Input: 256 Nonce: 128 Personalization String Length: 0-256 Increment 8 Additional Input: 8-256 Increment 8 Returned Bits: 1024 | KAT | CAST | NIST 800-90 HMAC DRBG Known Answer Test : Passed | N/A | During boot |
| HMAC-SHA2-256 (A3337) | Key Length: 256 bits | KAT | CAST | HMAC-SHA2-256 Known Answer Test : Passed | N/A | During boot |
| AES-CBC (A3349) | Key Length: 128 bits | KAT | CAST | AES-CBC Known Answer Test : Passed | Encrypt | During boot |
| AES-CBC (A3349) | Key Length: 192 bits | KAT | CAST | AES-CBC Known Answer Test : Passed | Encrypt | During boot |
| AES-CBC (A3349) | Key Length: 256 bits | KAT | CAST | AES-CBC Known Answer Test : Passed | Encrypt | During boot |
| AES-CBC (A3349) | Key Length: 128 bits | KAT | CAST | AES-CBC Known Answer Test : Passed | Decrypt | During boot |
| AES-CBC (A3349) | Key Length: 192 bits | KAT | CAST | AES-CBC Known Answer Test : Passed | Decrypt | During boot |
| AES-CBC (A3349) | Key Length: 256 bits | KAT | CAST | AES-CBC Known Answer Test : Passed | Decrypt | During boot |
| HMAC DRBG (A3349) | Mode: SHA2-256, Entropy Input: 256, Nonce: 128, Personalization String Length: 0-256, Increment 8, Additional Input: 8-256 Increment 8, Returned Bits: 1024 | KAT | CAST | NIST 800-90 HMAC DRBG Known Answer Test : Passed | N/A | During boot |
| HMAC-SHA-1 (A3349) | Key Length: 160 bits | KAT | CAST | HMAC-SHA-1 Known Answer Test : Passed | N/A | During boot |
| HMAC-SHA2-256 (A3349) | Key Length: 256 bits | KAT | CAST | HMAC-SHA2-256 Known Answer Test : Passed | N/A | During boot |
| HMAC-SHA2-512 (A3349) | Key Length: 512 bits | KAT | CAST | HMAC-SHA2-512 Known Answer Test : Passed | N/A | During boot |
| KAS-ECC-SSC Sp800-56Ar3 (A3349) | Domain Parameter Generation Methods: P-256 | KAT | CAST | KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed | N/A | During boot |
| KAS-ECC-SSC Sp800-56Ar3 (A3349) | Domain Parameter Generation Methods: P-384 | KAT | CAST | KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed | N/A | During boot |
| KAS-FFC-SSC Sp800-56Ar3 (A3349) | Domain Parameter Generation Methods: MODP-2048 | KAT | CAST | KAS-FFC-EPHEM-NOKC Known Answer Test: Passed | N/A | During boot |
| KDF SSH (A3349) | Cipher: AES-128, AES-192, AES-256; Hash Algorithm: SHA-1, SHA2-256, SHA2-384, SHA2-512 | KAT | CAST | KDF-SSH-SHA2-256 Known Answer Test: Passed | N/A | During boot |
| RSA SigGen (FIPS186-4) (A3349) | Modulus 2048 bits SHA2-256 | KAT | CAST | RSA-SIGN Known Answer Test: Passed | Sign | During boot |
| RSA SigVer (FIPS186-4) (A3349) | Modulus 2048 bits SHA2-256 | KAT | CAST | RSA-VERIFY Known Answer Test: Passed | Verify | During boot |
| ECDSA SigGen (FIPS186-4) (A3349) | Curve: P-256 Hash Algorithm: SHA2-256 | KAT | CAST | ECDSA-SIGN Known Answer Test: Passed | Sign | During boot |
| ECDSA SigVer (FIPS186-4) (A3349) | Curve: P-256 Hash Algorithm: SHA2-256 | KAT | CAST | ECDSA-VERIFY Known Answer Test: Passed | Verify | During boot |
| SHA2-512 (A3348) | SHA2-512 | KAT | CAST | SHA-2-512 Known Answer Test: Passed | N/A | During boot |
| Entropy test | NIST SP 800-90B Repetitive Count Test | RCT | CAST | pass | Cutoff value C = 21 | During boot and continually |
| Entropy test | NIST SP 800-90B Adaptive Proportion Test | APT | CAST | pass | W = 512; Cutoff value C = 311 | During boot and continually |
| ECDSA KeyGen (FIPS186-4) (A3349) | Curve: P-256 Hash Algorithm: SHA2-256 | PCT | PCT | 0 | Key pair generated for signature generation/verification in the context of SSHv2 protocol | On key generation |
| ECDSA KeyGen (FIPS186-4) (A3349) | Curve: P-256 Hash Algorithm: SHA2-256 | PCT | PCT | 0 | Key pair generated for SSP agreement in the context of SSHv2 protocol | On key generation |
| KAS-FFC-SSC Sp800-56Ar3 (A3349) | Capabilities: Domain Parameter: MODP2048 | PCT | PCT | 0 | Key pair generated for SSP agreement in the context of SSHv2 protocol | On key generation |
| RSA KeyGen (FIPS186-4) (A3349) | Modulus: 2048 Hash SHA2-256 | PCT | PCT | 0 | Key pair generated for signature generation/verification in the context of SSHv2 protocol | On key generation |
| ECDSA SigVer (FIPS186-4) (A3349) | Curve: P-256 Hash Algorithm: SHA2-256 | KAT | SW/FW Load | Host OS upgrade staged. Reboot the system to complete installation! | Verify | On loading of firmware from an external source |
| Manual entry test (duplicate entries) | Duplicate entry test required for entry of operator passwords via direct connection to the module's console (serial) interface | Duplicate entry test | Manual Entry | Command prompt with "fips" string provided post completion of the test | N/A | On configuration of operator passwords |
Table 25: Conditional Self-Tests
Cryptographic Algorithm Self-tests (CASTs) are performed on each boot of the module. Other
conditional self-tests are performed by the module when the corresponding condition is met.
The pairwise consistency tests are performed on key pair generation for use in signature
generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC-SSC or KAS-
FFC-SSC SSP agreement (ECDSA and FFC tests respectively). The firmware load test is
performed when a firmware image is loaded onto the module from an external source.
10.3 Periodic Self-Test Information
| Algorithm or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|
| Firmware Integrity Test | KAT | SW/FW Integrity | On Demand | Manually via a reboot |
Table 26: Pre-Operational Periodic Information
| Algorithm or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|
| HMAC DRBG (A3337) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2-256 (A3337) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| AES-CBC (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC DRBG (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA-1 (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2-256 (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| HMAC-SHA2-512 (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| KAS-ECC-SSC Sp800-56Ar3 (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| KAS-ECC-SSC Sp800-56Ar3 (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| KAS-FFC-SSC Sp800-56Ar3 (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| KDF SSH (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| RSA SigGen (FIPS186-4) (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| RSA SigVer (FIPS186-4) (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| ECDSA SigGen (FIPS186-4) (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| ECDSA SigVer (FIPS186-4) (A3349) | KAT | CAST | On Demand | Manually via a reboot |
| SHA2-512 (A3348) | KAT | CAST | On Demand | Manually via a reboot |
| Entropy test | RCT | CAST | On Demand | Manually via a reboot |
| Entropy test | APT | CAST | On Demand | Manually via a reboot |
| ECDSA KeyGen (FIPS186-4) (A3349) | PCT | PCT | On Demand | Manually via a reboot |
| ECDSA KeyGen (FIPS186-4) (A3349) | PCT | PCT | On Demand | Manually via a reboot |
| KAS-FFC-SSC Sp800-56Ar3 (A3349) | PCT | PCT | On Demand | Manually via a reboot |
| RSA KeyGen (FIPS186-4) (A3349) | PCT | PCT | On Demand | Manually via a reboot |
| ECDSA SigVer (FIPS186-4) (A3349) | KAT | SW/FW Load | On Demand | Manually via loading of firmware from an external source |
| Manual entry test (duplicate entries) | Duplicate entry test | Manual Entry | On Demand | Manually via configuration of operator passwords |
Table 27: Conditional Periodic Information
The pre-operational firmware integrity test as well as all CASTs must be completed successfully
prior to any other use of cryptography by the module in the Approved mode of operation. These
tests can also be performed periodically by rebooting the module.
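The gating rule above, with the pass indicator format from Table 25 and the CAST failure indicator from Table 28, shown as an added Python example that is not Juniper's code. The class and function names are hypothetical, and the vectors are the public RFC 2202 and RFC 4231 test case 1 values, used as stand-ins because the module's own KAT vectors are not on the page.

```python
import hmac

# Public test case 1 from RFC 2202 (HMAC-SHA-1) and RFC 4231 (HMAC-SHA-256);
# stand-ins for the module's own KAT vectors, which the page does not list.
KAT_KEY = b"\x0b" * 20
KAT_MSG = b"Hi There"
KATS = [
    ("HMAC-SHA-1", "sha1", "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("HMAC-SHA2-256", "sha256",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class CryptoModule:
    """Hypothetical model of the self-test gate; not Juniper's code."""

    def __init__(self, mac=hmac.new):
        self._mac = mac  # injectable so an implementation fault can be simulated
        self.state = "pre-operational"
        self.indicators = []

    def power_up(self):
        """Run every CAST; the first mismatch puts the module in hard error."""
        for name, digest, expected in KATS:
            tag = self._mac(KAT_KEY, KAT_MSG, digest).hexdigest()
            if tag != expected:
                self.indicators.append(
                    f"FIPS error 1: {name} Known Answer Test: Failed")
                self.state = "hard-error"
                return False
            self.indicators.append(f"{name} Known Answer Test : Passed")
        self.state = "approved"
        return True

    def hmac_sha256(self, key, data):
        """A cryptographic service: refused unless all CASTs have passed."""
        if self.state != "approved":
            raise RuntimeError(f"data output inhibited (state: {self.state})")
        return self._mac(key, data, "sha256").digest()


def faulty_mac(key, msg, digest):
    """Simulated implementation fault: corrupts the message before MACing."""
    return hmac.new(key, msg + b"\x00", digest)
```

A service call made before `power_up()` or after a failed CAST raises instead of returning data, which is the "inhibits all data output" behaviour of the hard error state.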
10.4 Error States
| Name | Description | Conditions | Recovery Method | Indicator |
|---|---|---|---|---|
| Hard Error state | If the pre-operation firmware integrity test, if any of the CASTs or pair-wise consistency tests fail, then the module returns an error indicator, inhibits all data output and enters the hard error state | If the pre-operational firmware integrity test or if any of the CASTs fail | N/A | "FIPS error: self-test failure" for firmware integrity failure, "FIPS error 1: <name of the algorithm> Known Answer Test: Failed" for CAST failure and -1 for pair-wise consistency test failure |
| Soft Error state | • In case of a firmware load test failure, the module rejects the firmware, returns an error indicator and enters the soft error state • In the event of an APT or RCT health test failure, output from the entropy source is inhibited, all entropy accumulated in the conditioning context is discarded and the start-up health-tests are performed again | If the firmware load test fails; If the APT or RCT test fails | N/A for firmware load test failure; In case of APT and/or RCT failures, new data continues to be tested by the health tests, and once both health tests indicate a “pass”, the entropy source again outputs data | "Validation Error" for the firmware load test failure; entropy data discarded in case of APT/RCT failure |
Table 28: Error States
If the pre-operation firmware integrity test or if any of the CASTs fail, then the module returns
the error indicator “FIPS error: self-test failure”, inhibits all data output and enters the hard error
state.
If the conditional self-tests fail, the module enters the soft error state, i.e., it rejects the
generated keypair/loaded image, returns an error indicator and resumes normal operation.
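The entropy health tests and their soft error handling, as an added Python example that is not the module's code. It uses the cutoffs from Table 25 (RCT C = 21; APT W = 512, C = 311); the class and function names are hypothetical, and the 1024-sample start-up length is an assumption taken from SP 800-90B, not from this page.

```python
# Cutoffs as listed in Table 25. STARTUP_SAMPLES is an assumption taken from
# SP 800-90B (start-up tests cover at least 1024 consecutive samples).
RCT_CUTOFF = 21
APT_WINDOW = 512
APT_CUTOFF = 311
STARTUP_SAMPLES = 1024


class HealthTestedSource:
    """Hypothetical wrapper around a noise source; not the module's code."""

    def __init__(self):
        self.pool = []  # stand-in for the conditioning context
        self._restart()

    def _restart(self):
        """Soft error handling: drop accumulated entropy, redo start-up tests."""
        self.pool.clear()
        self.startup_left = STARTUP_SAMPLES
        self.rct_value, self.rct_run = None, 0
        self.apt_value, self.apt_hits, self.apt_seen = None, 0, 0

    def _rct_ok(self, x):
        """Repetition Count Test: fail on C identical samples in a row."""
        if x == self.rct_value:
            self.rct_run += 1
        else:
            self.rct_value, self.rct_run = x, 1
        return self.rct_run < RCT_CUTOFF

    def _apt_ok(self, x):
        """Adaptive Proportion Test: fail when the first sample of a
        W-sample window occurs C or more times inside that window."""
        if self.apt_seen == 0:
            self.apt_value, self.apt_hits = x, 0
        self.apt_seen += 1
        if x == self.apt_value:
            self.apt_hits += 1
        ok = self.apt_hits < APT_CUTOFF
        if self.apt_seen == APT_WINDOW:
            self.apt_seen = 0  # the next sample opens a new window
        return ok

    def feed(self, x):
        """Test one raw sample; returns 'fail', 'startup' or 'ok'."""
        rct, apt = self._rct_ok(x), self._apt_ok(x)  # always update both tests
        if not (rct and apt):
            self._restart()  # output inhibited until start-up tests pass again
            return "fail"
        if self.startup_left > 0:
            self.startup_left -= 1  # start-up samples are tested, not used
            return "startup"
        self.pool.append(x)
        return "ok"


def first_failure(samples):
    """Index of the first sample that trips a health test, or None."""
    src = HealthTestedSource()
    for i, x in enumerate(samples):
        if src.feed(x) == "fail":
            return i
    return None
```

A stuck source trips the RCT on its 21st identical sample, while a source that is merely biased (short runs, but one value dominating the window) passes the RCT and is caught only by the APT.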
10.5 Operator Initiation of Self-Tests
Each time the module is powered up it tests that all the cryptographic algorithms operate
correctly, and that sensitive data have not been damaged. Pre-operational as well as
Conditional Cryptographic Algorithm Self-tests (CAST) are performed on each power up/boot of
the module and on demand by power cycling the module (Perform self-tests (remote reset)
service).
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures
The Crypto Officer must follow the procedures defined below for secure installation, initialization,
startup and operation of the module.
Crypto Officer Guidance
The Crypto Officer must check to verify the firmware image being loaded on the module is the
FIPS 140-3 validated version/image. If the image is the FIPS 140-3 validated image, then
proceed with installation of the image.
Installing The Firmware Image
Download the validated firmware image from
https://www.juniper.net/support/downloads/junos.html. Log in to the Juniper Networks
authentication system using the username (generally your e-mail address) and password
supplied by Juniper Networks representatives. Select the validated firmware image. Download
the firmware image to a local host or to an internal software distribution site.
Connect to the console port on the device from your management device and log in to the Junos
OS CLI. Copy the firmware package to the /var/tmp/ directory on the device. Install the new
package on the device using the following command:
operator> request vmhost software add /var/tmp/<package>.tgz
NOTE: If you need to terminate the installation, do not reboot your device; instead, finish the
installation and then issue the request system software delete package.tgz command, where
package.tgz is, for example, jinstall-host-qfx-10-f-x86-64.22.3R1-S2.3.secure-signed.tgz. This is
your last chance to stop the installation.
Reboot the device to complete the load and start the installation:
For QFX10002-60C:
operator> request vmhost reboot
For QFX10002-36Q/QFX10002-72Q/QFX10008/QFX10016:
operator> request system reboot
After the reboot has completed, log in and use the show version command to verify that the new
version of the firmware is successfully installed.
Also install the built-in fips-mode.tgz package needed for enabling the Approved-mode and the
jpfe-fips package needed for execution of the CASTs. Please note that this is a one-time
installation after which the module remains in the Approved mode once enabled and
automatically executes the CASTs on each boot without requiring any operator or external
intervention. The following are the commands used for installing these packages:
operator> request system software add optional://fips-mode.tgz
operator> request system software add optional://jpfe-fips.tgz
Enabling Approved Mode of Operation
The Crypto Officer is responsible for initializing the module in the Approved mode of operation.
The Approved mode of operation is not automatically enabled. The Crypto Officer shall place
the module in the Approved mode by first zeroising it to ensure no SSPs are present. Next, the
cryptographic officer shall follow the steps found in the Junos OS FIPS Evaluated Configuration
Guide for QFX Series, Release 22.3R1 document Chapter 2 to place the module into an
Approved mode of operation. The steps from the aforementioned document have been
reiterated below.
To enable the Approved mode in Junos OS on the module:
1. Zeroise the module using the “request vmhost zeroize” command for QFX10002-60C
hardware version or “request system zeroize” command for the other hardware
versions. Once the module comes up in the “amnesiac mode” post zeroisation, connect
to it using the console port with username “root” and enter the configuration mode.
Enable the Approved mode on the device by setting the Approved level to 1, and verify
the level:
[edit]
root# set system fips level 1
[edit]
root# show system fips level
level 1;
2. Configure the root-authentication password (i.e., Crypto Officer credentials) as follows:
root> edit
Entering configuration mode
[edit]
root# set system root-authentication plain-text password
New password:
Retype new password:
3. Commit the configuration
[edit]
root# commit
configuration check succeeds
Generating RSA key /etc/ssh/fips_ssh_host_key
Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
'system' reboot is required to transition to fips level 1
commit complete
4. Reboot the device:
[edit]
root# run request system reboot
Reboot the system ? [yes,no] (no) yes
During the reboot, the device runs the pre-operational firmware integrity test and
all CASTs. It returns a login prompt as follows:
root:fips>
5. After the reboot has completed, log in and use the show version command to verify the
firmware version is the validated version:
root:fips > show version
Placing the Module in the Non-Approved Mode of Operation
As Crypto Officer, the operator needs to disable the Approved mode of operation on the device
to return it to the non-Approved mode of operation. To disable the Approved mode on the
device, the module must be zeroised (step 1 defined above).
11.2 Administrator Guidance
For further information and for the Administrator guidance, please see the Junos OS FIPS
Evaluated Configuration Guide for QFX, Release 22.3R1 document.
11.3 Non-Administrator Guidance
For further information and for the Administrator guidance, please see the Junos OS FIPS
Evaluated Configuration Guide for QFX, Release 22.3R1 document.
11.4 Maintenance Requirements
No other maintenance requirements apply for operation of the module in the Approved/non-
Approved modes as defined above.
11.5 End of Life
The module can be securely sanitized at the end of its lifetime by zeroising it.
12 Mitigation of Other Attacks
12.1 Attack List
The module does not implement any mitigation of other attacks and thus the requirements per
this section do not apply to the module.