Copyright Juniper, 2022 Version 1.4 Page 1 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Juniper Networks EX4650, QFX5120 and QFX5210 Ethernet Switches with JUNOS 20.2R1-S1 Non-Proprietary FIPS 140-2 Cryptographic Module Security Policy Version: 1.4 June 14, 2022 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net Copyright Juniper, 2022 Version 1.4 Page 2 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1 Introduction..........................................................................................................5 1.1 Hardware and Physical Cryptographic Boundary .....................................................................8 1.2 Mode of Operation................................................................................................................12 1.3 Zeroization............................................................................................................................12 2 Cryptographic Functionality .................................................................................13 2.1 Approved Algorithms ............................................................................................................13 2.2 Allowed Algorithms...............................................................................................................14 2.3 Protocols...............................................................................................................................15 2.4 Disallowed Algorithms...........................................................................................................15 2.5 Critical Security Parameters ..................................................................................................15 3 Roles, Authentication and Services.......................................................................16 3.1 Roles and Authentication of Operators to Roles....................................................................16 3.2 Authentication Methods .......................................................................................................17 3.3 Services.................................................................................................................................17 3.4 Non-Approved Services .........................................................................................................20 4 Self-tests.............................................................................................................21 5 Security Rules and Guidance ................................................................................22 6 References and Definitions ..................................................................................24 Copyright Juniper, 2022 Version 1.4 Page 3 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). List of Tables Table 1 – Cryptographic Module Configurations......................................................................................5 Table 2 – Security Level of Security Requirements ..................................................................................6 Table 3 – Port and Interface types.........................................................................................................10 Table 4 – Ports and Interfaces ...............................................................................................................11 Table 5 – Kernel Cryptographic Functions ............................................................................................13 Table 6 – OpenSSL Approved Cryptographic Functions..........................................................................13 Table 7 – LibMD Approved Cryptographic Functions .............................................................................14 Table 8 – Allowed Cryptographic Functions...........................................................................................14 Table 9 – Protocols using approved algorithms in FIPS Mode in FIPS Mode...........................................15 Table 10 – Critical Security Parameters (CSPs).......................................................................................15 Table 11 – Public Keys ...........................................................................................................................16 Table 12 – Authenticated Services.........................................................................................................17 Table 13 – Unauthenticated services.....................................................................................................18 Table 14 – CSP Access Rights within Services.........................................................................................19 Table 15 – Public Key Access Rights within Services ..............................................................................20 Table 16 – Authenticated Services.........................................................................................................21 Table 17 – Unauthenticated traffic........................................................................................................21 Table 18 – References ...........................................................................................................................24 Table 19 – Acronyms and Definitions ....................................................................................................25 Table 20 – Datasheets ...........................................................................................................................25 Copyright Juniper, 2022 Version 1.4 Page 4 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). List of Figures Figure 1 - QFX 5120-48T front view .........................................................................................................8 Figure 2 - QFX 5120-48T rear view...........................................................................................................8 Figure 3 - QFX 5120-48Y front view .........................................................................................................8 Figure 4 - QFX 5120-48Y rear view...........................................................................................................8 Figure 5 - QFX 5120-32C front view.........................................................................................................9 Figure 6 - QFX 5120-32C rear view ..........................................................................................................9 Figure 7 - QFX 5210-64C front view.........................................................................................................9 Figure 8 - QFX 5210-64C rear view ........................................................................................................10 Figure 9 - EX 4650-48Y front view..........................................................................................................10 Figure 10 - EX4650-48Y rear view..........................................................................................................10 Copyright Juniper, 2022 Version 1.4 Page 5 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). 1 Introduction The Juniper Networks QFX series switches are high performance, high density data center switches. The QFX switches provide high performance, wire speed switching with low latency and jitter. The QFX series switches provide the universal building blocks for multiple data center fabric architectures. This Security Policy covers the following Ethernet switch models: • QFX5120-48T • QFX5120-48Y • QFX5120-32C • QFX5210-64C • EX4650-48Y This is a non-proprietary Cryptographic Module Security Policy for the Juniper Networks EX4650, QFX5120 and QFX5210 Ethernet switches cryptographic module from Juniper Networks, hereafter referred to as the module. It provides detailed information relating to each of the FIPS 140-2 security requirements relevant to Juniper Networks EX4650, QFX5120 and QFX5210 Ethernet switches module along with instructions on how to run the module in a secure FIPS 140-2 mode. All four models run Juniper’s Junos OS firmware. The validated version of the firmware is Junos OS 20.2R1-S1. The names of the image files are: • jinstall-host-qfx-5e-x86-64-20.2R1-S1.5-secure-signed.tgz (for all QFX platforms) • jinstall-host-ex-4e-x86-64-20.2R1-S1.5-secure-signed.tgz (only for EX platforms) The module is defined as a multiple-chip standalone module that execute Junos OS 20.2R1-S1 firmware on the switch models listed in Table 1. The cryptographic boundary is defined as the outer edge of the switch. The module’s operational environment is a non-modifiable operational environment. Table 1 provides a list of the hardware versions that are part of the module validation and the basic configuration of the hardware. Table 1 – Cryptographic Module Configurations Model Hardware Versions Chassis differences Network Ports QFX5120-48T QFX5120-48T-AFI QFX5120-48T-AFO QFX5120-48T-DC-AFI QFX5120-48T-DC-AFO AC airflow in AC airflow out DC airflow in DC airflow out 48x10GbE+6x100GbE or 48x25GbE+6x100GbE QFX5120-48Y QFX5120-48Y-AFI2 QFX5120-48Y-AFO2 QFX5120-48Y-DC-AFI2 QFX5120-48Y-DC-AFO2 AC Unit Air flow in AC Unit Air flow out DC Unit Air flow in DC Unit Air flow out 48x10GbE + 8x40GbE or 48x25GbE + 8x100GbE Copyright Juniper, 2022 Version 1.4 Page 6 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). QFX 5120-32C QFX5120-32C-AFI QFX5120-32C-AFO QFX5120-32C-DC-AFI QFX5120-32C-DC-AFO AC Unit Air flow in AC Unit Air flow out DC Unit Air flow in DC Unit Air flow out 32x100GbE QFX5210-64C QFX5210-64C-AFI QFX5210-64C-AFO QFX5210-64C-DC-AFI QFX5210-64C-DC-AFO AC Unit Air flow in AC Unit Air flow out DC Unit Air flow in DC Unit Air flow out 64 QSFP+/QSFP28 ports EX4650-48Y EX4650-48Y-AFI EX4650-48Y-AFO EX4650-48Y-DC-AFI EX4650-48Y-DC-AFO AC Unit Air flow in AC Unit Air flow out DC Unit Air flow in DC Unit Air flow out 48x25GbE/10GbE/GbE SFP28/SFP+/SFP ports, 8x100GbE/40GbE QSFP28/QSFP+ ports The module is designed to meet FIPS 140-2 Level 1 overall: Table 2 – Security Level of Security Requirements Area Description Level 1 Module Specification 1 2 Ports and Interfaces 1 3 Roles and Services 3 4 Finite State Model 1 5 Physical Security 1 6 Operational Environment N/A 7 Key Management 1 8 EMI/EMC 1 9 Self-test 1 10 Design Assurance 3 11 Mitigation of Other Attacks N/A Overall 1 The module has a non-modifiable operational environment as per the FIPS 140-2 definitions. It includes a firmware load service to support necessary updates. New firmware versions within the scope of this Copyright Juniper, 2022 Version 1.4 Page 7 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into the module is out of the scope of this validation and require a separate FIPS 140-2 validation. The module does not implement any mitigations of other attacks as defined by FIPS 140-2. Juniper's development processes are such that future releases of Junos should be FIPS validate-able when run on the same hardware platform and meet the claims made in this document. Only the versions that explicitly appear on the certificate, however, are formally validated. The CMVP makes no claim as to the correct operation of the module or the security strengths of the generated keys when operating under a version that is not listed on the validation certificate. Copyright Juniper, 2022 Version 1.4 Page 8 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). 1.1 Hardware and Physical Cryptographic Boundary The physical forms of the module are depicted in Figure 3 to Figure 10. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. For all models, the cryptographic boundary is defined as the outer edge of the switch chassis. The module does not rely on external devices for input and output of critical security parameters (CSPs). Figure 1 - QFX 5120-48T front view Figure 2 - QFX 5120-48T rear view Figure 3 - QFX 5120-48Y front view Figure 4 - QFX 5120-48Y rear view Copyright Juniper, 2022 Version 1.4 Page 9 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Figure 5 - QFX 5120-32C front view Figure 6 - QFX 5120-32C rear view Figure 7 - QFX 5210-64C front view Copyright Juniper, 2022 Version 1.4 Page 10 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Figure 8 - QFX 5210-64C rear view Figure 9 - EX 4650-48Y front view Figure 10 - EX4650-48Y rear view The following table maps each logical interface type defined in the FIPS 140-2 standard to one or more physical interfaces. Table 3 – Port and Interface types Port Description Logical Interface Type Ethernet LAN Communications Control in, Data in, Data out, Status out Serial Console serial port Control in, Data in, Data out, Status out MGMT Out-of-band management port Control in, Data in, Data out, Status out Power Power connector Power in Reset Reset button Control in LED Status indicator lighting Status out USB Firmware load port Control in, Data in Copyright Juniper, 2022 Version 1.4 Page 11 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). The following table provides a detailed description of the ports and interfaces available for each model. Table 4 – Ports and Interfaces Router model Power supply port Fan modules Console port Management port USB port Built-In Ports Pluggable QFX5120-48T-AFI 2 5 1 1 1 48 6 SFP ports QFX5120-48T-AFO 2 5 1 1 1 48 6 SFP ports QFX5120-48T-DC-AFI 2 5 1 1 1 48 6 SFP ports QFX5120-48T-DC-AFO 2 5 1 1 1 48 6 SFP ports QFX5120-48Y-AFI2 2 5 1 2 1 0 56 SFP ports QFX5120-48Y-AFO2 2 5 1 2 1 0 56 SFP ports QFX5120-48Y-DC-AFI2 2 5 1 2 1 0 56 SFP ports QFX5120-48Y-DC-AFO2 2 5 1 2 1 0 56 SFP ports QFX5120-32C-AFI 2 6 1 2 1 0 32 SFP ports QFX5120-32C-AFO 2 6 1 2 1 0 32 SFP ports QFX5120-32C-DC-AFI 2 6 1 2 1 0 32 SFP ports QFX5120-32C-DC-AFO 2 6 1 2 1 0 32 SFP ports QFX5210- 64C-AFI 2 4 1 2 1 0 64 SFP ports QFX5210- 64C-AFO 2 4 1 2 1 0 64 SFP ports QFX5210-64C-DC-AFI 2 4 1 2 1 0 64 SFP ports QFX5210-64C-DC-AFO 2 4 1 2 1 0 64 SFP ports EX4650-48Y-AFI 2 5 1 2 1 48 8 SFP ports EX4650-48Y-AFO 2 5 1 2 1 48 8 SFP ports EX4650-48Y-DC-AFI 2 5 1 2 1 48 8 SFP ports EX4650-48Y-DC-AFO 2 5 1 2 1 48 8 SFP ports Copyright Juniper, 2022 Version 1.4 Page 12 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). 1.2 Mode of Operation The module provides a non-Approved mode of operation in which non-Approved cryptographic algorithms are supported. The module supports non-Approved algorithms when operating in the non-Approved mode of operation as described in Sections 2.4 and 3.4. When transitioning between the non-Approved mode of operation and the Approved mode of operation, the CO must zeroize all CSPs by following the instructions in Section 1.3. Then, the Cryptographic Officer (CO) must run the following commands to configure the module into the Approved mode of operation: co@fips-qfx# set system fips level 1 co@fips-qfx# commit Once the Junos firmware image is installed, configured into Approved mode and rebooted, and integrity and self-tests have run successfully on initial power-on, the module is operating in the Approved mode. This prevents access to non FIPS approved functionality. Transitioning back to non-approved mode is only possible via zeroising the module as described in Section 1.3. The operator can verify the module is operating in the Approved mode by verifying the following: • The “show version local” command indicates that the module is running the Approved firmware (i.e. Junos Software Release 20.2R1-S1). • The command prompt ends in “:fips”, which indicates the module has been configured in the Approved mode of operation. 1.3 Zeroization The following command allows the Cryptographic Officer to zeroize CSPs contained within the module: co@fips-qfx> request system zeroize Zeroization completely erases all configuration information on the device, including all cryptographic keys and CSPs and returns the module to its factory default state. Note: The Cryptographic Officer must retain control of the module while zeroization is in process. Copyright Juniper, 2022 Version 1.4 Page 13 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). 2 Cryptographic Functionality The module implements the FIPS Approved, vendor affirmed, and non-Approved-but-Allowed cryptographic functions listed in Table 5 through Table 8 below. Table 9 summarizes the high-level protocol algorithm support. Although the module may have been tested for additional algorithms or modes, only those listed below are actually utilized by the module. 2.1 Approved Algorithms References to standards are given in square bracket [ ]; see the References table. Table 5 – Kernel Cryptographic Functions CAVP Cert. Algorithm Mode Key Lengths, Curves, or Moduli Functions A866 HMAC [198] SHA-1 λ = 160 Message Authentication SHA-256 λ = 256 A866 SHS [180] SHA-1 SHA-256 SHA-384 SHA-512 Message Digest Generation A866 DRBG [90A] HMAC SHA-256 Random Bit Generation Table 6 – OpenSSL Approved Cryptographic Functions CAVP Cert. Algorithm Mode Key Lengths, Curves, or Moduli Functions A867 AES [197] CBC [38A] Key Sizes: 128, 192, 256 Encrypt, Decrypt CTR [38A] Key Sizes: 128, 192, 256 Encrypt, Decrypt N/A1 CKG [133] Section 6.1 Asymmetric key generation using unmodified DRBG output N/A2 KAS-SSC [56ARev3] FFC DH MODP-2048 (ID=14) FFC DH primitive used as part of key agreement for SSH protocol A867 ECDSA [186- 4] P-256 (SHA-256) P-384 (SHA-384) P-521 (SHA-512) KeyGen, PKV, SigGen, SigVer A867 HMAC [198] SHA-1 λ = 160 SSH Message Authentication DRBG Primitive SHA-256 λ = 256 SHA-384 λ = 384 1 Vendor affirmed. 2 Vendor affirmed as per IG D.1-rev3 Copyright Juniper, 2022 Version 1.4 Page 14 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). SHA-512 λ = 512 A867 RSA [186-4] n=2048 (SHA 256, 384, 512) n=3072 (SHA 256, 384, 512) n=4096(SHA 256, 384, 512) SigGen n=2048 (SHA 256, 384, 512) n=3072 (SHA 256, 384, 512) n=4096(SHA 256, 384, 512) SigVer n=2048 n=3072 n=4096 KeyGen A867 SHS [180] SHA-1 SHA-256 SHA-384 SHA-512 Message Digest Generation, SSH KDF Primitive A867 Triple-DES3 [67] TCBC [38A] Key Size: 192 Encrypt, Decrypt A867 DRBG [90A] HMAC SHA 256 Random Bit Generation A867 CVL SSH [135] SHA 1, 256, 384, 512 Key Derivation Table 7 – LibMD Approved Cryptographic Functions CAVP Cert. Algorithm Mode Key Lengths, Curves, or Moduli Functions A868 HMAC [198] SHA-1 λ = 160 Password Hashing SHA-256 λ = 256 SHS [180] SHA-1 SHA-256 SHA-512 Message Digest Generation 2.2 Allowed Algorithms Table 8 – Allowed Cryptographic Functions Algorithm Caveat Use NDRNG [IG] 7.14 Scenario 1a The module generates a minimum of 256 bits of entropy for key generation. Seeding the DRBG 3 The module enforces a limit of 220 transforms per Triple-DES key. Use of Triple-DES in this module is only allowed until December 31, 2023. Copyright Juniper, 2022 Version 1.4 Page 15 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). 2.3 Protocols Table 9 – Protocols using approved algorithms in FIPS Mode in FIPS Mode Protocol Key Exchange Auth Cipher Integrity SSHv24 Diffie-Hellman (L = 2048, N=2047) ECDSA P-256 ECDSA P-384 ECDSA P-521 RSA 2048 RSA 3072 RSA 4096 Triple-DES CBC5 AES CBC 128/192/256 AES CTR 128/192/256 HMAC-SHA-1 HMAC-SHA-256 HMAC-SHA-512 No part of these protocols, other than the KDF, have been tested by the CAVP and CMVP. The SSH protocol allows independent selection of key exchange, authentication, cipher and integrity. In Table 9 above, each column of options for a given protocol is independent and may be used in any viable combination. These security functions are also available in the SSH connect (non-compliant) service 2.4 Disallowed Algorithms These algorithms are non-Approved algorithms that are disabled when the module is operated in an Approved mode of operation. • ARCFOUR • Blowfish • CAST • DSA (SigGen, SigVer; non-compliant) • Elliptic Curve Diffie Hellman • HMAC-MD5 • HMAC-RIPEMD160 • UMAC 2.5 Critical Security Parameters All CSPs and public keys used by the module are described in this section. Table 10 – Critical Security Parameters (CSPs) Name Description and usage DRBG Seed Seed material used to seed or reseed the HMAC DRBG DRBG State V and Key values for the HMAC DRBG 4 RFC 4253 governs the generation of the Triple-DES encryption key for use with the SSHv2 protocol 5 Use of Triple-DES in this module is only allowed until December 31, 2023. Copyright Juniper, 2022 Version 1.4 Page 16 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). DRBG Entropy Input 256 bits entropy (min) input used to instantiate HMAC DRBG SSH PHK SSH Private host key. 1st time SSH is configured, the keys are generated. ECDSA P-256 by default, but also supports ECDSA P-384, ECDSA P-521, RSA 2048 and RSA 3072. Used to identify the host. SSH DH SSH Diffie-Hellman private component. Ephemeral Diffie-Hellman private key used in SSH. DH (L=2048, N=2047)6 SSH-SEKs SSH Session Keys (derived using SP 800-135 KDF): SSH Session Encryption Key: Triple-DES (3key) or AES; SSH Session Integrity Key: HMAC. HMAC key The LibMD HMAC keys: message digest for hashing password and critical function test. CO-PW Password used to authenticate the CO. Password is input as plaintext via serial port or encrypted via SSH. User-PW Password used to authenticate the User. Password is input as plaintext via serial port or encrypted via SSH. Table 11 – Public Keys Name Description and usage SSH-PUB SSH Public Host Key used to identify the host. ECDSA P-256 by default, but also supports ECDSA P-384, ECDSA P-521, RSA 2048 and RSA 3072. SSH-DH-PUB Diffie-Hellman public component. Ephemeral Diffie-Hellman public key used in SSH key establishment. DH (L=2048, N=2047) Auth-User Pub User Authentication Public Keys. Used to authenticate users to the module. ECDSA P-256, P-384, P-521, RSA 2048, RSA 3072 Auth-CO Pub CO Authentication Public Keys. Used to authenticate CO to the module. ECDSA P-256, P- 384, P-521, RSA 2048, RSA 3072 or RSA 4096 Root-CA ECDSA P-256 X.509 Certificate; Used to verify the validity of the Juniper Package CA at software load and also at runtime for integrity. Package-CA ECDSA P-256 X.509 Certificate; Used to verify the validity of Juniper images at software load and boot. 3 Roles, Authentication and Services 3.1 Roles and Authentication of Operators to Roles The module supports two roles: Cryptographic Officer (CO) and User. The module supports concurrent operators, but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using either of the identity-based operator authentication methods in Section 3.2. The Cryptographic Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module. 6 SSH generates a Diffie-Hellman private key that is 2x the bit length of the longest symmetric or MAC key negotiated. Copyright Juniper, 2022 Version 1.4 Page 17 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). The User role monitors the switch via the console or SSH. The user role cannot not change the configuration. 3.2 Authentication Methods The module implements two forms of Identity-based authentication: username and password over the Console and SSH, as well as username and public key over SSH. Password authentication The module enforces 10-character passwords (at minimum) chosen from the 96 human readable ASCII characters. The maximum password length is 20-characters; thus the probability of a successful random attempt is 1/9610 , which is less than 1/1,000,000. The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced. Upon the third attempt, the module enforces a 5-second delay. Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g. 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20-second delay, 7th failed attempt = 25-second delay). This leads to a maximum of 9 possible attempts in a one-minute period for each getty. The best approach for the attacker would be to disconnect after 4 failed attempts and wait for a new getty to be spawned. This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour/60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts. Thus the probability of a successful random attempt is 1/9610 , which is less than 1/1 million. The probability of a success with multiple consecutive attempts in a one-minute period is 9/(9610 ), which is less than 1/100,000. Signature verification Public key authentication in SSH uses either RSA (2048 and 3072 bit moduli) or ECDSA signature (P-256, P-384 and P-521). Let 𝑥 denote the maximum number of signature verifications that the IUT can perform in a minute. Assuming a minimum security strength of 112 bits (corresponding to RSA with 2048-bit moduli as per SP800-57 Part1 Rev3), the probability of a successful brute-force attack with multiple consecutive attempts in a one-minute period is 𝑥/2112 . For this probability to be greater than 1/100,000, the number of verifications per minute must be 𝑥 > 2112 105 ≅ 2197 , which is clearly an infeasible amount of signature verifications. If the IUT were able to compute one signature verification per CPU cycle, this would amount to 60 × 4 × 2.2 × 109 ≅ 239 verifications per minute for the 2.2 GHz quad-core Intel CPU shared by all IUT models. 3.3 Services All services implemented by the module are listed in the tables below. Table 14 lists the access to CSPs by each service. Table 12 – Authenticated Services Service Description CO User Configure security Security relevant configuration X Configure Non-security relevant configuration X Status Show status X X Zeroize Destroy all CSPs X Copyright Juniper, 2022 Version 1.4 Page 18 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). SSH connect Initiate SSH connection for SSH monitoring and control (CLI) X X Console access Console monitoring and control (CLI) X X Remote reset Software initiated reset X Load image Verification and loading of a validated firmware image into the switch. X Table 13 – Unauthenticated services Service Description Local reset Hardware reset or power cycle Traffic Traffic requiring no cryptographic services Copyright Juniper, 2022 Version 1.4 Page 19 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Table 14 – CSP Access Rights within Services SERVICE CSPs DRBG Seed DRBG State DRBG Entropy Input SSH PHK SSH DH SSH-SEK HMAC Key CO-PW User-PW Configure security -- E -- GWR -- -- G W W Configure -- -- -- -- -- -- -- -- -- Status -- -- -- -- -- -- -- -- -- Zeroize Z Z Z Z Z Z -- Z Z SSH connect -- E -- E GE GE -- E E Console access -- -- -- -- -- -- -- E E Remote reset GEZ GZ GZ -- Z Z Z Z Z Local reset GEZ GZ GZ -- Z Z -- Z Z Traffic -- -- -- -- -- -- -- -- -- Load Image -- -- -- -- -- -- -- -- -- G = Generate: The module generates the CSP R = Read: The CSP is read from the module (e.g. the CSP is output) E = Execute: The module executes using the CSP W = Write: The CSP is updated or written to the module Z = Zeroize: The module zeroizes the CSP. Copyright Juniper, 2022 Version 1.4 Page 20 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Table 15 – Public Key Access Rights within Services SSH-PUB SSH-DH-PUB Auth-User Pub Auth-CO Pub Root-CA Package-CA Configure security GWR -- W W -- -- Configure -- -- -- -- -- -- Status -- -- -- -- -- -- Zeroize Z -- Z Z -- -- SSH connect E GE E E -- -- Console access -- -- -- -- -- -- Remote reset -- Z Z Z -- E Local reset -- Z Z Z -- E Traffic -- -- -- -- -- -- Load Image -- -- -- -- EW EW G = Generate: The module generates the CSP R = Read: The CSP is read from the module (e.g. the CSP is output) E = Execute: The module executes using the CSP W = Write: The CSP is updated or written to the module Z = Zeroize: The module zeroizes the CSP. 3.4 Non-Approved Services The following services are available in the non-Approved mode of operation. The security functions provided by the non-Approved services are identical to the Approved counterparts except for SSH Connect (non-compliant). SSH Connect (non-compliant) supports the security functions identified in Section 2.4 and Table 9. Copyright Juniper, 2022 Version 1.4 Page 21 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Table 16 – Authenticated Services Service Description CO User Configure security (non-compliant) Security relevant configuration X Configure (non-compliant) Non-security relevant configuration X Status (non-compliant) Show status X X Zeroize (non-compliant) Destroy all CSPs X SSH connect (non-compliant) Initiate SSH connection for SSH monitoring and control (CLI) X X Console access (non-compliant) Console monitoring and control (CLI) X X Remote reset (non-compliant) Software initiated reset X Table 17 – Unauthenticated traffic Service Description Local reset (non-compliant) Hardware reset or power cycle Traffic (non-compliant) Traffic requiring no cryptographic services 4 Self-tests Each time the module is powered up, it tests that the cryptographic algorithms still operate correctly and that sensitive data have not been damaged. Power-up self–tests are available on demand by power cycling the module. On power up or reset, the module performs the self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. If one of the KATs fails, the module enters the Critical Failure error state. The module performs the following power-up self-tests: • Firmware Integrity check using ECDSA P-256 with SHA-256 • Kernel KATs o HMAC-SHA-1 KAT o HMAC-SHA-256 KAT o SHA-384 KAT o SHA-512 KAT o SP 800-90A HMAC DRBG KAT ▪ Health-tests initialize, re-seed, and generate. • OpenSSL KATs o ECDSA P-256 Sign/Verify PCT o ECDH P-256 KAT ▪ Derivation of the expected shared secret. o DH (L=2048, N=256) KAT *Derivation of the expected shared secret o RSA 2048 w/ SHA-256 Sign KAT o RSA 2048 w/ SHA-256 Verify KAT Copyright Juniper, 2022 Version 1.4 Page 22 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). o Triple-DES-CBC Encrypt KAT o Triple-DES-CBC Decrypt KAT o HMAC-SHA-1 KAT o HMAC-SHA-256 KAT o HMAC-SHA-384 KAT o HMAC-SHA-512 KAT o AES-CBC (128/192/256) Encrypt KAT o AES-CBC (128/192/256) Decrypt KAT o KDF-SSH KAT o SP 800-90A HMAC DRBG KAT ▪ Health-tests initialize, re-seed, and generate. • LibMD KATs o HMAC SHA-1 o HMAC SHA-256 o SHA-512 The module also performs the following conditional self-tests: • Continuous RNG Test on the SP 800-90A HMAC-DRBG • Continuous RNG test on the NDRNG • Pairwise consistency test when generating ECDSA, and RSA key pairs • SP800-56A assurances as per SP 800‐56A Sections 5.5.2,5.6.2, and/or 5.6.3, in accordance to IG 9.6. • Firmware Load Test (ECDSA P-256 with SHA-256 signature verification) 5 Security Rules and Guidance The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module. 1. The module clears previous authentications on power cycle. 2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services. 3. Power up self-tests do not require any operator action. 4. Data output is inhibited during key generation, self-tests, zeroization, and error states. 5. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 6. There are no restrictions on which keys or CSPs are zeroized by the zeroization service. 7. The module does not support a maintenance interface or role. 8. The module does not support manual key entry. 9. The module does not output intermediate key values. 10. The module requires two independent internal actions to be performed prior to outputting plaintext CSPs. 11. The cryptographic officer must determine whether firmware being loaded is a legacy use of the firmware load service (legacy being those Junos firmware images signed with RSA signatures instead of ECDSA). 12. The cryptographic officer must retain control of the module while zeroization is in process. 13. The module must be configured to disallow the use of ECDH in SSH by using the following CLI command: co@fips-qfx# s e t s y s t e m s e r v i c e s s s h k e y - e x c h a n g e d h - g r o u p 1 4 - s h a 1 Copyright Juniper, 2022 Version 1.4 Page 23 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). 14. Copyright Juniper, 2022 Version 1.4 Page 24 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). 6 References and Definitions The following standards are referred to in this Security Policy. Table 18 – References Abbreviation Full Specification Name [FIPS140-2] Security Requirements for Cryptographic Modules, May 25, 2001 [SP800-131A] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, Revision 1, March 2019 [IG] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program [135] National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, Special Publication 800-135rev1, December 2011. [186-4] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July, 2013. [197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001 [38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001 [38D] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800- 38D, November 2007 [56A] National Institute of Standards and Technology, Recommendation for Pair-Wise Key- Establishment Schemes Using Discrete Logarithm Cryptography, Special Publication 800-56A, March 2007 [56ARev3] National Institute of Standards and Technology, Recommendation for Pair-Wise Key- Establishment Schemes Using Discrete Logarithm Cryptography, Special Publication 800-56A Revision 3, April 2018 [198] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [180] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August, 2015 [67] National Institute of Standards and Technology, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, Revision 2, November 2017 [90A] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, June 2015. Copyright Juniper, 2022 Version 1.4 Page 25 of 25 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Abbreviation Full Specification Name [133] National Institute of Standards and Technology, Recommendation for Cryptographic Key Generation, Special Publication 800-133, Revision 1, July 2019 Table 19 – Acronyms and Definitions Acronym Definition AEAD Authenticated Encryption with Associated Data AES Advanced Encryption Standard DH Diffie-Hellman DSA Digital Signature Algorithm ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EMI/EMC Electromagnetic Interference/Electromagnetic Compatibility ESP Encapsulating Security Payload FIPS Federal Information Processing Standard HMAC Keyed-Hash Message Authentication Code IKE Internet Key Exchange Protocol IPsec Internet Protocol Security MD5 Message Digest 5 RSA Public-key encryption technology developed by RSA Data Security, Inc. SHA Secure Hash Algorithms SSH Secure Shell Triple-DES Triple - Data Encryption Standard Table 20 – Datasheets Model Title URL EX4650 EX4650 Ethernet Switch https://www.juniper.net/assets/us/en/local/pdf/data sheets/1000640-en.pdf QFX5120 QFX5120 Ethernet Switch https://www.juniper.net/assets/us/en/local/pdf/data sheets/1000639-en.pdf QFX5210 QFX5210 Switch https://www.juniper.net/assets/us/en/local/pdf/data sheets/1000633-en.pdf