(Juniper Networks, Inc. © 2023) Version 1.0 Page 1 of 47 Public Material – May be reproduced only in its original entirety (without revision). FIPS 140-3 Non-Proprietary Security Policy Juniper Networks PTX1000 Packet Transport Router Firmware: Junos OS 22.4R2.8 Document Version: 1.0 Date: December 28, 2023 Prepared by: www.acumensecurity.net (Juniper Networks, Inc. © 2023) Version 1.0 Page 2 of 47 Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1. General..................................................................................................................................................3 2. Cryptographic Module Specification.....................................................................................................5 3. Cryptographic Module Interfaces.......................................................................................................14 4. Roles, Services, and Authentication....................................................................................................15 5. Software/Firmware Security...............................................................................................................27 6. Operational Environment ...................................................................................................................28 7. Physical Security..................................................................................................................................29 8. Non-invasive Security..........................................................................................................................30 9. Sensitive Security Parameter Management .......................................................................................31 10. Self-tests..............................................................................................................................................42 11. Life-cycle Assurance............................................................................................................................44 12. Mitigation of Other Attacks ................................................................................................................47 List of Tables Table 1 - Security Levels................................................................................................................................4 Table 2 – Cryptographic Module Tested Configuration................................................................................5 Table 3 – Approved Algorithms ..................................................................................................................12 Table 4 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation ..........................13 Table 5 – Ports and Interfaces ....................................................................................................................14 Table 6 – Roles, Service Commands, Input and Output..............................................................................16 Table 7 – Roles and Authentication............................................................................................................18 Table 8 – Approved Services.......................................................................................................................23 Table 9 – Non-Approved Services...............................................................................................................26 Table 10 – SSPs............................................................................................................................................41 Table 11 – Non-Deterministic Random Number Generation Specification................................................41 List of Figures Figure 1 –PTX1000 ........................................................................................................................................5 Figure 2 – High-level PTX1000 Block Diagram ..............................................................................................6 (Juniper Networks, Inc. © 2023) Version 1.0 Page 3 of 47 Public Material – May be reproduced only in its original entirety (without revision). 1. General Introduction Federal Information Processing Standards Publication 140-3 — Security Requirements for Cryptographic Modules specifies requirements for cryptographic modules to be deployed in a Sensitive but Unclassified environment. The National Institute of Standards and Technology (NIST) and Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) run the FIPS 140-3 program. The NVLAP accredits independent testing labs to perform FIPS 140-3 testing; the CMVP validates modules meeting FIPS 140-3 validation. Validated is the term given to a module that is documented and tested against the FIPS 140-3 criteria. More information is available on the CMVP website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program. About this Document This non-proprietary Cryptographic Module Security Policy for the Juniper Networks, Inc. Juniper Networks PTX1000 Packet Transport Router provides an overview of the product and a high-level description of how it meets the overall Level 1 security requirements of FIPS 140-3. The Juniper Networks PTX1000 Packet Transport Router may also be referred to as the “module” in this document. Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Juniper Networks shall have no liability for any error or damages of any kind resulting from the use of this document. Notices This document may be freely reproduced and distributed in its entirety without modification. (Juniper Networks, Inc. © 2023) Version 1.0 Page 4 of 47 Public Material – May be reproduced only in its original entirety (without revision). This document describes the cryptographic module security policy for the Juniper Networks, Inc. Juniper Networks PTX1000 Packet Transport Router (Hardware version: PTX1000) cryptographic module (also referred to as the “module” hereafter) with firmware version Junos OS 22.4R2.8 . The module has a multi- chip standalone embodiment. It contains specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The following table lists the level of validation for each area in FIPS 140-3: ISO/IEC 24759 Section 6. [Number Below] FIPS 140-3 Section Title Security Level 1 General 1 2 Cryptographic module specification 1 3 Cryptographic module interfaces 1 4 Roles, services, and authentication 3 5 Software/Firmware security 1 6 Operational environment 1 7 Physical security 1 8 Non-invasive security N/A 9 Sensitive security parameter management 1 10 Self-tests 1 11 Life-cycle assurance 1 12 Mitigation of other attacks N/A Table 1 - Security Levels The module claims an overall Security Level 1. (Juniper Networks, Inc. © 2023) Version 1.0 Page 5 of 47 Public Material – May be reproduced only in its original entirety (without revision). 2. Cryptographic Module Specification The versions of the module are as follows: Model Hardware [Part Number and Version] Firmware Version Distinguishing Features PTX1000 PTX1000 Junos OS 22.4R2.8 N/A Table 2 – Cryptographic Module Tested Configuration Module Usage and Cryptographic Boundary The cryptographic module provides for an encrypted connection, using SSH, between the management station and the module. The cryptographic module’s operational environment is a limited operational environment. The images below depict the cryptographic boundary of the hardware module (the entirety of the module/chassis). This includes the Routing Engine (RE). No components have been excluded from the cryptographic boundary of the module. Figure 1 –PTX1000 (Juniper Networks, Inc. © 2023) Version 1.0 Page 6 of 47 Public Material – May be reproduced only in its original entirety (without revision). Figure 2 – High-level PTX1000 Block Diagram The module claims an overall Security Level of 1 with all individual sections at a Security Level 1 with the exceptions of Roles, Services and Authentication (claimed at Security Level 3). The module does not implement any non-invasive security mitigations or mitigations of other attacks and thus the requirements per these sections are inapplicable. Modes Of Operation The module supports one Approved mode of operation and a non-Approved mode of operation. The module must always be zeroised when switching between the Approved mode of operation and the non-Approved mode of operation and vice versa. Approved Mode The hardware versions contained in Table 2, with Junos OS 22.4R2.8 installed, contain one Approved mode of operation and a non-Approved mode of operation. The Junos OS 22.4R2.8 firmware image must be installed on the module. The module is configured during initialization by the Crypto Officer to operate in the Approved mode or the non-Approved mode. The Crypto Officer can place the module in (Juniper Networks, Inc. © 2023) Version 1.0 Page 7 of 47 Public Material – May be reproduced only in its original entirety (without revision). the Approved mode of operation by following the instructions specified in Section 11 Life-Cyle Assurance in this document (Crypto Officer guidance). The Crypto Officer can verify that the cryptographic module is in the Approved mode by observing the console prompt and running the “show version” command. When operating in the Approved mode, the prompt will read “@:fips#” (e.g. crypto-officer@ptx1000fips#). The “show version” command will allow the Crypto Officer to verify that the validated firmware version is running on the module. The Crypto Officer can also use the “show system fips chassis level” command (returns “level 1”) to determine if the module is operating in the Approved mode. The Approved mode is entered when the module is configured for it and successfully passes all self-tests (both pre-operational and conditional cryptographic algorithm self-tests (CASTs)) . Non-Approved Mode The cryptographic module supports a non-Approved mode of operation. When operated in the non- Approved mode of operation, the module supports non-Approved algorithms identified below in this section as well as the algorithms supported in the Approved mode of operation. The Crypto Officer can place the module into the non-Approved mode of operation by following the instructions in the Section 11 Life-Cyle Assurance in this document (Crypto Officer guidance). Degraded Operation The module does not support a degraded mode of operation. Overall Security Rules of Operation The module design corresponds to the security rules below. The term shall in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module. 1. The module clears previous authentications on power cycle. 2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services. 3. Self-tests do not require any operator action. 4. Data output is inhibited during SSP generation, self-test execution, zeroisation, and error states. 5. Status information does not contain SSPs or sensitive data that if misused could lead to a compromise of the module. 6. There are no restrictions on which SSPs are zeroised by the zeroisation service. 7. The module does not support a maintenance interface or role. (Juniper Networks, Inc. © 2023) Version 1.0 Page 8 of 47 Public Material – May be reproduced only in its original entirety (without revision). 8. The module does not output intermediate key values. 9. The module does not output plaintext CSPs. 10. The Crypto officer shall verify that the firmware image to be loaded on the module is a FIPS 140- 3 validated image. If any non-validated firmware image is loaded the module will no longer be a validated module. 11. The Crypto Officer shall retain control of the module while zeroisation is in process. 12. The virtual chassis feature is not supported in Approved mode and shall not be configured on the module. 13. The module shall not be configured to use a radius server and the radius server capability shall be disabled. 14. No parts of the SSH protocol, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. CAVP Cert1 Algorithm and Standard Mode/Method Description/Key Size/Key Strength Use/Function A4301 AES-CBC CBC Key sizes 128, 192, 256 with 128 to 256 bits of key strength Encrypt, Decrypt A4301 AES-CTR CTR Key sizes 128, 192, 256 with 128 to 256 bits of key strength Encrypt, Decrypt A4301 AES-ECB ECB Key sizes 128, 192, 256 with 128 to 256 bits of key strength Encrypt, Decrypt A4301 ECDSA KeyGen (FIPS186-4) ECDSA KeyGen Curve sizes P-256, P-384, P-521 with 128 to 256 bits of strength Key Generation A4301 ECDSA KeyVer (FIPS186-4) ECDSA KeyVer Curve sizes P-256, P-384, P-521 with 128 to 256 bits of strength Key Verification A4301 ECDSA SigGen (FIPS186-4) ECDSA SigGen Curve sizes P-256 (SHA2-256), P-384 (SHA2-384), P-521 (SHA2-512) with 128 to 256 bits of strength Signature Generation 1 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. (Juniper Networks, Inc. © 2023) Version 1.0 Page 9 of 47 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert1 Algorithm and Standard Mode/Method Description/Key Size/Key Strength Use/Function A4301 ECDSA SigVer (FIPS186-4) ECDSA SigVer Curve sizes P-256 (SHA2-256), P-384 (SHA2-384), P-521 (SHA2-512) with 128 to 256 bits of strength Signature Verification A4301 HMAC DRBG HMAC-SHA2- 256 Key size 256-bits with 256-bits of key strength Random Bit Generation A4301 HMAC-SHA-1 SHA-1 SHA-1: Key size 160 bits with 160 bits of key strength Message Authentication, DRBG Primitive A4301 HMAC-SHA2-256 SHA2-256 SHA2-256: Key size: 256 bits with 256-bits of key strength Message Authentication, DRBG Primitive A4301 HMAC-SHA2-512 SHA2-512 SHA2-512: Key size: 512 bits with 512-bits of key strength Message Authentication, DRBG Primitive A4301 KAS-ECC-SSC SP800-56Ar3 Ephemeral Unified Curve sizes P-256, P-384, P-521 with 128 bits to 256 bits of strength Key Agreement Shared Secret Computation A4301 KAS-FFC-SSC SP800-56Ar3 dhEphemeral Domain Parameter Generation Method: MODP- 2048 with 2048 bits of strength Key Agreement Shared Secret Computation A4301 KDF SSH SSH Key sizes 128, 192, 256 with 128 to 256 bits of key strength Key Derivation Function A4301 RSA KeyGen (FIPS186-4) RSA KeyGen Moduli 2048, 3072 and 4096 bits with 112, 128 and 152 bits of strength Key Generation A4301 RSA SigGen (FIPS186-4) RSA SigGen Moduli 2048 (SHA2-256, SHA2- 512), 3072 (SHA2- 256, SHA2-512) and 4096 (SHA2- 256, SHA2-512) bits with 112, 128 and 152 bits of strength Signature Generation (Juniper Networks, Inc. © 2023) Version 1.0 Page 10 of 47 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert1 Algorithm and Standard Mode/Method Description/Key Size/Key Strength Use/Function A4301 RSA SigVer (FIPS186-4) RSA SigVer Moduli 2048 (SHA2-256, SHA2- 512), 3072 (SHA2- 256, SHA2-512) and 4096 (SHA2- 256, SHA2-512) bits with 112, 128 and 152 bits of strength Signature Verification A4301 SHA-1 SHA-1 SHA-1: Key size 160 bits with 160 bits of key strength Message Digest Generation A4301 SHA2-256 SHA2-256 SHA2-256: Key size 256 bits with 256-bits of key strength Message Digest Generation A4301 SHA2-384 SHA2-384 SHA2-384: Key size 384 bits with 256-bits of key strength Message Digest Generation A4301 SHA2-512 SHA2-512 SHA2-512: Key size 512 bits with 256-bits of key strength Message Digest Generation A4303 HMAC DRBG HMAC-SHA2- 256 Key size 256-bits with 256-bits of key strength Random Bit Generation A4303 HMAC-SHA-1 SHA-1 SHA-1: Key size 160 bits with 160 bits of key strength Message Authentication, DRBG primitive A4303 HMAC-SHA2-256 SHA2-256 SHA2-256: Key size: 256 bits with 256-bits of key strength Message Authentication, DRBG primitive A4303 SHA-1 SHA-1 SHA-1: Key size 160 bits with 160 bits of key strength Message Digest Generation A4303 SHA2-256 SHA2-256 SHA2-256: Key size 256 bits with 256-bits of key strength Message Digest Generation (Juniper Networks, Inc. © 2023) Version 1.0 Page 11 of 47 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert1 Algorithm and Standard Mode/Method Description/Key Size/Key Strength Use/Function A4303 SHA2-384 SHA2-384 SHA2-384: Key size 384 bits with 256-bits of key strength Message Digest Generation A4303 SHA2-512 SHA2-512 SHA2-512: Key size 512 bits with 256-bits of key strength Message Digest Generation A4306 HMAC-SHA-1 SHA-1 SHA-1: Key size 160 bits with 160 bits of key strength Message Authentication, DRBG primitive A4306 HMAC-SHA2-256 SHA2-256 SHA2-256: Key size: 256 bits with 256-bits of key strength Message Authentication, DRBG primitive A4306 SHA-1 SHA-1 SHA-1: Key size 160 bits with 160 bits of key strength Message Digest Generation A4306 SHA2-256 SHA2-256 SHA2-256: Key size 256 bits with 256-bits of key strength Message Digest Generation A4306 SHA2-512 SHA2-512 SHA2-512: Key size 512 bits with 256-bits of key strength Message Digest Generation Vendor Affirmed CKG NIST SP 800-133r2 Section 4 Section 5.1 Section 5.2 Section 6.2.1 Section 4: Asymmetric seed generation using an unmodified output from an Approved DRBG; Section 5.1: Key Pairs for Digital Signature Schemes; Section 5.2: Key Pairs for Key Establishment; Section 6.2.1: Derivation of symmetric keys Cryptographic Key Generation (Juniper Networks, Inc. © 2023) Version 1.0 Page 12 of 47 Public Material – May be reproduced only in its original entirety (without revision). CAVP Cert1 Algorithm and Standard Mode/Method Description/Key Size/Key Strength Use/Function KAS-ECC-SSC SP800- 56Ar3/A4301 KDF SSH/A4301 KAS-1 SP 800-56Arev3 KAS-ECC per IG D.F Scenario 2 path (2) P-256, P-384, P- 521 curves Key Agreement for SSHv2 KAS-FFC-SSC SP800- 56Ar3/A4301 KDF SSH/A4301 KAS-2 SP 800-56Arev3 KAS-FFC per IG D.F Scenario 2 path (2) MODP-2048 Key Agreement for SSHv2 AES- CBC/A4301 AES- CTR/A4301 HMAC-SHA- 1/A4301 HMAC-SHA2- 256/A4301 HMAC-SHA2- 512/A4301 KTS-1 SP 800-38A AES CBC, CTR and HMAC 198 per IG D.G 128, 192, and 256- bit keys providing 128, 192, or 256 bits of encryption strength Key Transport for SSHv2 Table 3 – Approved Algorithms The following protocol is supported by the module in the Approved mode: • SSHv2 (EC Diffie-Hellman P-256, P-384, P-521; Diffie-Hellman MODP2048; RSA 2048, 4096; ECDSA P-256; AES CBC 128, 192, 256 bits; AES CTR 128, 192, 256 bits, HMAC-SHA-1, HMAC- SHA2-256, HMAC-SHA2-512) The SSH protocol allows independent selection of key exchange, authentication, cipher and integrity algorithms. (Juniper Networks, Inc. © 2023) Version 1.0 Page 13 of 47 Public Material – May be reproduced only in its original entirety (without revision). The module does not support any non-Approved algorithms in the Approved mode, i.e., it does not support Non-Approved Algorithms Allowed in the Approved Mode of Operation and Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed. In addition to all Approved algorithms supported in the Approved mode of operation, the following non- Approved Algorithms Not Allowed in the Approved Mode of Operation are supported only in the non- Approved mode: Algorithm/Function Use/Function RSA with key size less than 2048 SSH ECDSA with ed25519 curve SSH EC Diffie-Hellman with ed25519 curve SSH ARCFOUR SSH Blowfish SSH CAST SSH DSA (SignGen, SigVer, non-compliant) SSH HMAC-MD5 SSH HMAC-RIPEMD160 SSH UMAC SSH Table 4 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation (Juniper Networks, Inc. © 2023) Version 1.0 Page 14 of 47 Public Material – May be reproduced only in its original entirety (without revision). 3. Cryptographic Module Interfaces Physical port Logical interface Data that passes over port/interface Ethernet Control input interface, Data input interface, Data output interface, Status output interface LAN, Communications/remote management Serial Control input interface, Data input interface, Data output interface, Status output interface Console Serial Port USB Control input interface, Data input interface USB port, load Junos Image Power Power interface Power connector LEDs Status output interface Status indicator lighting Reset Button Control input interface Reset Table 5 – Ports and Interfaces The module does not support control output. There are additional ethernet interfaces, 10 Hz pulses-per-second (PPS) Sub-Miniature B (SMB) connector and 10 MHz SMB timing connector (10MHz) which are reserved for future use (disabled). (Juniper Networks, Inc. © 2023) Version 1.0 Page 15 of 47 Public Material – May be reproduced only in its original entirety (without revision). 4. Roles, Services, and Authentication The module supports two roles: Crypto Officer (CO) and User. The module supports concurrent operators but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using identity-based operator authentication. The module implements two forms of identity-based authentication, username, and password over the console and SSH connections, as well as username and an ECDSA or RSA public key-based authentication over SSH. The Crypto Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Crypto Officer has permission to view and configure passwords and public keys within the module. The User role monitors the module via the console or SSH. The User role does not have the permission to modify the configuration. Role Service Input Output Crypto Officer Configure security (security relevant) Commands (SSH configuration: set system services ssh root-login allow ) Traffic Configure (non-security relevant) Commands (miscellaneous commands e.g., for IP address configuration, routing protocols, etc.) Traffic Show status Command (show) CLI output Show status (LED) N/A LED Show module’s versioning information Command (show version) CLI output Perform zeroisation Command (request vmhost zeroise) N/A Perform approved security functions (SSH connection) Command (set system services ssh root-login allow) SSH session Console access Username, password (set system login user class operator authentication plaintext- password) N/A Perform self-tests (remote reset) Control input/reset signal (request vmhost reboot) N/A Perform self-tests (local reset) Control input/reset signal N/A Load image Image, commands N/A User Show status Command CLI Output (Juniper Networks, Inc. © 2023) Version 1.0 Page 16 of 47 Public Material – May be reproduced only in its original entirety (without revision). Role Service Input Output (show) Show status (LED) N/A LED Show module’s versioning information Command (show version) CLI output Perform approved security functions (SSH connection) Commands (set system services ssh root-login allow) SSH session Console access Username, password (set system login user class operator authentication plaintext- password) N/A Perform self-tests (remote reset) Control input/reset signal (request vmhost reboot) N/A Perform self-tests (local reset) Control input/reset signal N/A Table 6 – Roles, Service Commands, Input and Output Role Authentication Method Authentication Strength Crypto Officer (CO), User 1. Username and password over the console and SSH 2. Username and ECDSA public key over SSH 3. Username and RSA public key over SSH 1. For Password Authentication: The module enforces 10- character passwords (at minimum) chosen from the 96 human readable ASCII characters; The maximum password length is 20-characters; Thus, the probability of a successful random attempt is 1/(96^10), which is less than 1/1,000,000 (million) The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced; Upon the third attempt, the module enforces a 5- second delay; Each failed attempt thereafter results in an (Juniper Networks, Inc. © 2023) Version 1.0 Page 17 of 47 Public Material – May be reproduced only in its original entirety (without revision). Role Authentication Method Authentication Strength additional 5-second delay above the previous (e.g., 4th failed attempt = 10- second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20- second delay, 7th failed attempt = 25- second delay); This leads to a maximum of 7 possible attempts in a one-minute period for each getty; The best approach for the attacker would be to disconnect after 4 failed attempts and wait for a new getty to be spawned; This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour/60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts; The probability of a success with multiple consecutive attempts in a one-minute period is 9/(96^10), which is less than 1/100,000 2. ECDSA signature verification: SSH public- key authentication; The module supports ECDSA (P-256, P-384, and P-521), which has a minimum equivalent computational resistance to attack of either 2128 , 2192 or 2256 depending on the curve; Thus, the probability of a successful random attempt is 1/(2128 ), which is less than 1/1,000,000 (million) (Juniper Networks, Inc. © 2023) Version 1.0 Page 18 of 47 Public Material – May be reproduced only in its original entirety (without revision). Role Authentication Method Authentication Strength Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one-minute period is 15,000/(2128 ), which is less than 1/100,000 3. RSA signature verification: SSH public-key authentication; The module supports RSA (2048, 4096 bits), which has a minimum equivalent computational resistance to attack of 2112 (2048 bits); Thus, the probability of a successful random attempt is 1/ (2112 ), which is less than 1/1,000,000 (million) Configurable SSH connection establishment rate limits the number of connection attempts, and thus failed authentication attempts in a one-minute period to a maximum of 15,000 attempts; The probability of a success with multiple consecutive attempts in a one-minute period is 15,000/(2112 ), which is less than 1/100,000 Table 7 – Roles and Authentication (Juniper Networks, Inc. © 2023) Version 1.0 Page 19 of 47 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSP’s Roles Access rights to Keys and/or SSP’s Indicator Configure security (security relevant) Security relevant configuration All (per Table 3) SSH Private Host Key SSH ECDH Private Key SSH DH Private Key SSH Session Key User Password CO Password HMAC_DRBG Key Value HMAC_DRBG V value HMAC_DRBG entropy input HMAC_DRBG seed HMAC_DRBG output ECDH Shared Secret DH Shared Secret HMAC Key SSH Public Host Key User Authentication Public Keys CO Authentication Public Keys JuniperRootCA PackageCA SSH ECDH Public Key SSH DH Public Key Crypto Officer (CO) (G, E) (G, E) (G, E) (G, E) (W, E) (W, E) (G, E) (G, E) (G, E) (G, E) (G, E) (G, E) (G, E) (G, E) (G, E) (W, E) (W, E) (W, E) (W, E) (G, E) (G, E) Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service Configure (non- security relevant) Non-security relevant configuration N/A N/A Crypto Officer (CO) N/A Global Approved Mode indicator “fips” at the CLI combined with successful (Juniper Networks, Inc. © 2023) Version 1.0 Page 20 of 47 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSP’s Roles Access rights to Keys and/or SSP’s Indicator completion of each service Show status Query the module status N/A N/A Crypto Officer (CO), User N/A Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service Show status (LED) LEDs on the module provide physical status output N/A N/A Crypto Officer (CO), User, Unauth orised N/A LED(s) on the chassis turned on Show module’s versioning informatio n Query the module’s versioning information N/A N/A Crypto Officer (CO), User N/A Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service Perform zeroisation Destroy all SSPs N/A SSH Private Host Key SSH ECDH Private Key SSH DH Private Key SSH Session Key User Password CO Password HMAC_DRBG Key Value HMAC_DRBG V value HMAC_DRBG entropy input HMAC_DRBG seed Crypto Officer (CO) (Z) Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service (Juniper Networks, Inc. © 2023) Version 1.0 Page 21 of 47 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSP’s Roles Access rights to Keys and/or SSP’s Indicator HMAC_DRBG output ECDH Shared Secret DH Shared Secret HMAC Key SSH Public Host Key User Authentication Public Keys CO Authentication Public Keys JuniperRootCA PackageCA SSH ECDH Public Key SSH DH Public Key Perform approved security functions (SSH connection ) Initiate SSH connection for SSH monitoring and control (CLI) ECDSA (P-256, SHA2-256, KeyGen, SIgVer, Cert. #A4301), RSA (2048 bits, SHA2-256, SHA2- 512, KeyGen, SIgVer, Cert. #A4301), KAS- ECC-SSC (P-256, P- 384, P-512, Cert. #A4301), KAS-FFC- SSC (MODP 2048, Cert. #A4301), AES (CBC, CTR 128, 192, 256 bits, Cert. #A4301), KDF SSH (Cert. #A4301), HMAC_DRBG (HMAC-SHA2-256, CAVP Certs. A4303, A4301), HMAC (SHA-1, SHA2-256, SHA2- 512, CAVP Certs. #A4303, #A4301, #A4306; SHA2- 384, CAVP Certs. #A4303); SHA (SHA-1, SHA2-256, SHA2-512, CAVP SSH Private Host Key SSH ECDH Private Key SSH DH Private Key SSH Session Key HMAC_DRBG Key Value HMAC_DRBG V value HMAC_DRBG entropy input HMAC_DRBG seed HMAC_DRBG output ECDH Shared Secret DH Shared Secret HMAC Key SSH Public Host Key User SSH ECDH Public Key SSH DH Public Key Crypto Officer (CO), User (G, E) Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service (Juniper Networks, Inc. © 2023) Version 1.0 Page 22 of 47 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSP’s Roles Access rights to Keys and/or SSP’s Indicator Certs. #A4303, #A4301, #A4306; SHA2-384, CAVP Certs. #A4303), CKG Console Access Console monitoring and control (CLI) N/A N/A Crypto Officer (CO), User N/A Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service Perform self-tests (remote reset) Software initiated reset, performs self- tests on demand All (per Table 3) SSH ECDH Private Key, SSH DH Private Key, SSH Session Key, HMAC_DRBG Key Value Crypto Officer (CO), User (Z) (Z) (Z) (G, Z, E) (G, Z, E) Global Approved Mode indicator “fips” at the CLI combined (Juniper Networks, Inc. © 2023) Version 1.0 Page 23 of 47 Public Material – May be reproduced only in its original entirety (without revision). Service Description Approved Security Functions Keys and/or SSP’s Roles Access rights to Keys and/or SSP’s Indicator HMAC_DRBG V value HMAC_DRBG entropy input HMAC_DRBG seed HMAC_DRBG output ECDH Shared Secret DH Shared Secret HMAC Key SSH ECDH Public Key SSH DH Public Key (G, Z, E) (G, Z, E) (G, Z, E) (Z) (Z) (G, Z, E) (G, E) (G, E) with successful completion of each service Perform self-tests (local reset) Hardware reset or power cycle All (per Table 3) SSH ECDH Private Key, SSH DH Private Key, SSH Session Key, HMAC_DRBG Key Value HMAC_DRBG V value HMAC_DRBG entropy input HMAC_DRBG seed HMAC_DRBG output ECDH Shared Secret DH Shared Secret HMAC Key SSH ECDH Public Key SSH DH Public Key Crypto Officer (CO), User, Unauth orised (Z) (Z) (Z) (G, Z, E) (G, Z, E) (G, Z, E) (G, Z, E) (G, Z, E) (Z) (Z) (G, Z, E) (G, E) (G, E) Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service Load Image Verification and loading of a validated firmware image into the router/switch. ECDSA (P-256, SHA2-256, SigVer, CAVP Cert. #A4301) N/A Crypto Officer (CO) N/A Global Approved Mode indicator “fips” at the CLI combined with successful completion of each service Table 8 – Approved Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). (Juniper Networks, Inc. © 2023) Version 1.0 Page 24 of 47 Public Material – May be reproduced only in its original entirety (without revision). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Service Description Algorithms Accessed Role Indicator Configure security (security relevant) Security relevant configuration All (per Table 3) Crypto Officer (CO) Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Configure (non- security relevant) Non-security relevant configuration N/A Crypto Officer (CO) Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Show status Query the module status N/A Crypto Officer (CO), User Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Show status (LED) LEDs on the module provide physical status output N/A Crypto Officer (CO), User, Unauthorised LED(s) on the chassis turned on Show module’s versioning information Query the module’s versioning information N/A Crypto Officer (CO), User Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Perform zeroisation Destroy all SSPs N/A Crypto Officer (CO) Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Perform approved security functions (SSH connection) Initiate SSH connection for SSH monitoring and control (CLI) AES (CBC, CTR, 128, 192 and 256 bits); KAS-ECC-SSC (P-256, P-384, P-521); KAS-FFC-SSC Crypto Officer (CO), User Lack of the global Approved Mode indicator "fips" at the CLI combined with successful (Juniper Networks, Inc. © 2023) Version 1.0 Page 25 of 47 Public Material – May be reproduced only in its original entirety (without revision). Service Description Algorithms Accessed Role Indicator (MODP 2048) RSA (2048, 4096 bits); ECDSA (P-256); HMAC (SHA-1, SHA2-256, SHA2- 512); SHA (SHA-1, SHA2-256, SHA2- 512); SSH KDF; RSA (key size <= 2048); ECDSA (ed25519 curve); EC DH (ed25519 curve); ARCFOUR ; Blowfish; CAST; DSA (SignGen, SigVer, non- compliant); HMAC-MD5; HMAC-RIPEMD160; UMAC completion of the service Console Access Console monitoring and control (CLI) N/A Crypto Officer (CO), User Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Perform self- tests (remote reset) Software initiated reset, performs self- tests on demand All (per Table 3) Crypto Officer (CO), User Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Perform self- tests (local reset) Hardware reset or power cycle All (per Table 3) Crypto Officer (CO), User, Unauthorised Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service (Juniper Networks, Inc. © 2023) Version 1.0 Page 26 of 47 Public Material – May be reproduced only in its original entirety (without revision). Service Description Algorithms Accessed Role Indicator Load Image Verification and loading of a validated firmware image into the router/switch. ECDSA (P-256, SHA2-256) Crypto Officer (CO) Lack of the global Approved Mode indicator "fips" at the CLI combined with successful completion of the service Table 9 – Non-Approved Services (Juniper Networks, Inc. © 2023) Version 1.0 Page 27 of 47 Public Material – May be reproduced only in its original entirety (without revision). 5. Software/Firmware Security The module performs the firmware integrity check using ECDSA P-256 with SHA2-256. The operator can initiate the integrity test on demand by rebooting the module. The module firmware image is delivered in the form of a pre-compiled tarball (.tgz). The module supports loading of firmware from an external source and a firmware load test using ECDSA P-256 with SHA2-256 is performed in support of the load. (Juniper Networks, Inc. © 2023) Version 1.0 Page 28 of 47 Public Material – May be reproduced only in its original entirety (without revision). 6. Operational Environment The module contains a limited operational environment. The Junos OS 22.4R2.8 operating system is contained within the module, i.e., the tested configurations listed in Table 2 of this document. Security rules and restrictions for configuration of the operational environment have been specified in Section 2 (Overall Security Rules of Operation) and Section 11 (Installing The Firmware Image and Enabling the Approved Mode of Operation) of this document. (Juniper Networks, Inc. © 2023) Version 1.0 Page 29 of 47 Public Material – May be reproduced only in its original entirety (without revision). 7. Physical Security The module’s physical embodiment is that of a multi-chip standalone meeting Level 1 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. The module enclosure is made of production grade materials. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. No actions are required by the operator to ensure that physical security is maintained. (Juniper Networks, Inc. © 2023) Version 1.0 Page 30 of 47 Public Material – May be reproduced only in its original entirety (without revision). 8. Non-invasive Security The module does not implement any non-invasive security mitigations and thus the requirements per this section do not apply to the module. (Juniper Networks, Inc. © 2023) Version 1.0 Page 31 of 47 Public Material – May be reproduced only in its original entirety (without revision). 9. Sensitive Security Parameter Management Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys SSH Private Host Key CSP 128 bits for ECDSA, 112 bits for RSA ECDSA (P-256, SHA2- 256, KeyGen, Cert. #A4301), RSA (2048 bits, SHA2- 256, SHA2- 512, KeyGen, Cert. #A4301), HMAC_D RBG (HMAC- SHA2- 256, Cert. #A4301) HMAC (SHA2- 256, Cert. #A4301) SHA (SHA2- 256, SHA2- 512, Cert. #A4301), CKG Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: Persistent Zeroisation command (request vmhost zeroise no- forwarding ) Host keypairs generated, used to identify the host SSH ECDH Private Key CSP 128 bits, 192 bits, 256 bits KAS-ECC- SSC (P-256, P-384, Generated internally using NIST SP 800- 90Ar1 Import: N/A Export: N/A N/A Plaintext: RAM Zeroisation command (request vmhost zeroise no- Ephemeral EC Diffie- Hellman private key used in SSH (Juniper Networks, Inc. © 2023) Version 1.0 Page 32 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys P-512, Cert. #A4301), HMAC_D RBG (HMAC- SHA2- 256, Cert. #A4301) HMAC (SHA2- 256, Cert. #A4301) SHA (SHA2- 256, SHA2- 512, Cert. #A4301), CKG HMAC_DR BG forwarding ), power- cycle SSH DH Private Key CSP 112 bits KAS-FFC- SSC (MODP 2048, Cert. #A4301), HMAC_D RBG (HMAC- SHA2- 256, Cert. #A4301) HMAC (SHA2- 256, Cert. #A4301) SHA (SHA2- 256, Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: RAM Zeroisation command (request vmhost zeroise no- forwarding ), power- cycle Ephemeral Diffie- Hellman private key used in SSH (Juniper Networks, Inc. © 2023) Version 1.0 Page 33 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys SHA2- 512, Cert. #A4301), CKG SSH Session Key CSP 128 bits, 192 bits, 256 bits AES (CBC, CTR 128, 192, 256 bits, Cert. #A4301), KAS-ECC- SSC (P-256, P-384, P-512, Cert. #A4301), KAS-FFC- SSC (MODP 2048, Cert. #A4301), KDF SSH (Cert. #A4301), HMAC_D RBG (HMAC- SHA2- 256, Cert. #A4301), HMAC (SHA-1, SHA2- 256, SHA2- 512, Cert. #A4301), SHA N/A Import: N/A Export: N/A Key Agreeme nt Scheme (KAS), Derived using KDF SSH Plaintext: RAM Zeroisation command (request vmhost zeroise no- forwarding ), power- cycle, session terminatio n SSH Session keys (Juniper Networks, Inc. © 2023) Version 1.0 Page 34 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys (SHA-1, SHA2- 256, SHA2- 512, Cert. #A4301), CKG User Password CSP 256 bits, 512 bits SHA (SHA2- 256, Cert. #A4306, SHA2- 512, Cert. #A4306) Password hash generated internally (Password is configured by the Crypto Officer) Import: Manual entry via CLI, manual SSP entry test perfor med Export: N/A N/A Non- Plaintext: Persistent (Password Hash) Zeroisation command (request vmhost zeroise no- forwarding ) and explicit delete command Used to authentica te users to the module CO Password CSP 256 bits, 512 bits SHA (SHA2- 256, Cert. #A4306, SHA2- 512, Cert. #A4306) Password hash generated internally (Password is configured by the Crypto Officer) Import: Manual entry via CLI, manual SSP entry test perfor med Export: N/A N/A Non- plaintext: Persistent (Password Hash) Zeroisation command (request vmhost zeroise no- forwarding ) and explicit delete command Used to authentica te COs to the module HMAC_DR BG V value CSP 256 bits HMAC_D RBG (HMAC- SHA2- 256), HMAC (SHA2- 256), SHA Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: RAM Power cycle A critical value of the internal state of DRBG (Juniper Networks, Inc. © 2023) Version 1.0 Page 35 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys (SHA2- 256, CAVP Certs. A4303, A4301) HMAC_DR BG Key value CSP 256 bits HMAC_D RBG (HMAC- SHA2- 256), HMAC (SHA2- 256), SHA (SHA2- 256, CAVP Certs. A4303, A4301) Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: RAM Power cycle A critical value of the internal state of DRBG HMAC_DR BG entropy input CSP 256 bits HMAC_D RBG (HMAC- SHA2- 256), HMAC (SHA2- 256), SHA (SHA2- 256, CAVP Certs. A4303, A4301) NIST SP 800-90B ENT (NP) entropy source Import: N/A Export: N/A N/A Plaintext: RAM Power cycle Entropy input to the HMAC_DR BG HMAC_DR BG seed CSP 256 bits HMAC_D RBG (HMAC- SHA2- 256), HMAC (SHA2- 256), SHA NIST SP 800-90B ENT (NP) entropy source Import: N/A Export: N/A N/A Plaintext: RAM Power cycle Seed provided to the HMAC_DR BG (Juniper Networks, Inc. © 2023) Version 1.0 Page 36 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys (SHA2- 256, CAVP Certs. A4303, A4301) HMAC_DR BG output CSP 256 bits HMAC_D RBG (HMAC- SHA2- 256), HMAC (SHA2- 256), SHA (SHA2- 256, CAVP Certs. A4303, A4301) Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: RAM Power cycle Unmodifie d output of the HMAC_DR BG used in SSP generation ECDH Shared Secret CSP 128 bits, 192 bits, 256 bits KAS-ECC- SSC (P-256, P-384, P-521, Cert. #A4301) N/A Import: N/A Export: N/A KAS-ECC- SSC Ephemer al Unified scheme Plaintext: RAM Zeroisation command (request vmhost zeroise no- forwarding ), power- cycle, session terminatio n Used in EC Diffie- Hellman (ECDH) exchange DH Shared Secret CSP 112 bits KAS-FFC- SSC (MODP 2048, Cert. #A4301) N/A Import: N/A Export: N/A KAS-FCC- SSC dhEphe meral scheme Plaintext: RAM Zeroisation command (request vmhost zeroise no- forwarding ), power- cycle, Used in Diffie- Hellman (DH) exchange (Juniper Networks, Inc. © 2023) Version 1.0 Page 37 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys session terminatio n HMAC Key CSP 160 bits, 256 bits, 384 bits, 512 bits HMAC_D RBG (HMAC- SHA2- 256, CAVP Certs. A4303, A4301), HMAC (SHA-1, SHA2- 256, SHA2- 512, CAVP Certs. #A4303, #A4301, #A4306; SHA2- 384, CAVP Certs. #A4303); SHA (SHA-1, SHA2- 256, SHA2- 512, CAVP Certs. #A4303, #A4301, #A4306; SHA2- 384, CAVP Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: RAM Zeroisation command (request vmhost zeroise no- forwarding ), power- cycle HMAC Key (Juniper Networks, Inc. © 2023) Version 1.0 Page 38 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys Certs. #A4303) SSH Public Host Key PSP 128 bits for ECDSA, 112 bits for RSA ECDSA (P-256, SHA2- 256, KeyGen, Cert. #A4301), RSA (2048 bits, SHA2- 256, SHA2- 512, KeyGen, Cert. #A4301), HMAC_D RBG (HMAC- SHA2- 256, Cert. #A4301) HMAC (SHA2- 256, Cert. #A4301) SHA (SHA2- 256, SHA2- 512, Cert. #A4301), CKG Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: Persistent Zeroisation command (request vmhost zeroise no- forwarding ) Host keypairs generated, used to identify the host User Authentica tion Public Keys 128 bits, 192 bits, 256 bits ECDSA SigVer (P-256, P-384, P- N/A Import: Entere d by the N/A Plaintext: Persistent Zeroisation command (request vmhost Used to authentica te users to (Juniper Networks, Inc. © 2023) Version 1.0 Page 39 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys PSP for ECDSA, 112 bits, 152 bits for RSA 521, Cert. #A4301); RSA SigVer (2048, 4096 bits, Cert. #A4301) Crypto Officer Export: N/A zeroise no- forwarding ) the module CO Authentica tion Public Keys PSP 128 bits, 192 bits, 256 bits for ECDSA, 112 bits, 152 bits for RSA ECDSA SigVer (P-256, P-384, P- 521, Cert. #A4301); RSA SigVer (2048, 4096 bits, Cert. #A4301) N/A Import: Entere d by the Crypto Officer Export: N/A NA Plaintext: Persistent Zeroisation command (request vmhost zeroise no- forwarding ) Used to authentica te the CO to the module JuniperRo otCA PSP 128 bits ECDSA (P-256, Cert. #A4301) N/A Import: Loaded at manufa cture time Export: N/A N/A Plaintext: Persistent Zeroisation command (request vmhost zeroise no- forwarding ) ECDSA prime256v 1 X.509 V3 Certificate Used to verify the validity of the PackagCA PackageCA PSP 128 bits ECDSA (P-256, Cert. #A4301) N/A Import: Loaded at manufa cture time Export: N/A N/A Plaintext: Persistent Zeroisation command (request vmhost zeroise no- forwarding ) ECDSA prime256v 1 X.509 V3 Certificate Certificate that holds the public key for the signing key used to generate (Juniper Networks, Inc. © 2023) Version 1.0 Page 40 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys all the signatures used on the packages and signature lists SSH ECDH Public Key PSP 128 bits, 192 bits, 256 bits KAS-ECC- SSC (P-256, P-384, P-512, Cert. #A4301), HMAC_D RBG (HMAC- SHA2- 256, Cert. #A4301) HMAC (SHA2- 256, Cert. #A4301) SHA (SHA2- 256, SHA2- 512, Cert. #A4301), CKG Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: RAM Zeroisation command (request vmhost zeroise no- forwarding ), power- cycle Ephemeral EC Diffie- Hellman public key used in SSH SSH DH Public Key PSP 112 bits KAS-FFC- SSC (MODP 2048, Cert. #A4301), HMAC_D RBG Generated internally using NIST SP 800- 90Ar1 HMAC_DR BG Import: N/A Export: N/A N/A Plaintext: RAM Zeroisation command (request vmhost zeroise no- forwarding ), power- cycle Ephemeral Diffie- Hellman public key used in SSH (Juniper Networks, Inc. © 2023) Version 1.0 Page 41 of 47 Public Material – May be reproduced only in its original entirety (without revision). Key/SSP Name/ Type Strength Security Function and Cert. Number Gener- ation Import /Export Establish - ment Storage Zero- isation Use & related keys (HMAC- SHA2- 256, Cert. #A4301) HMAC (SHA2- 256, Cert. #A4301) SHA (SHA2- 256, SHA2- 512, Cert. #A4301), CKG Table 10 – SSPs Entropy sources Minimum number of bits of entropy Details SP 800-90B ENT (NP) ESV Cert. #E104 The module generates a minimum of 448 bits of overall entropy per 512-bit output sample, 0.875 bits of entropy per bit for SSP generation Entropy input for seeding the approved NIST SP 800-90Ar1 DRBGs Table 11 – Non-Deterministic Random Number Generation Specification (Juniper Networks, Inc. © 2023) Version 1.0 Page 42 of 47 Public Material – May be reproduced only in its original entirety (without revision). 10. Self-tests The module performs the following self-tests: • Pre-operational Self-Tests: o Firmware Integrity Test: using ECDSA P-256 with SHA2-256 • Conditional Self-Tests: o Conditional Cryptographic Algorithm Self-tests (CAST): o Kernel KATs (CAVP Cert. #A4303) ▪ HMAC-SHA2-256 DRBG KAT • Generate, Instantiate and Reseed ▪ HMAC-SHA-1 KAT ▪ HMAC-SHA2-256 KAT ▪ SHA2-384 KAT ▪ SHA2-512 KAT o OpenSSL KATs (CAVP Cert. #A4301) ▪ AES CBC 128 bits Encrypt KAT ▪ AES CBC 192 bits Encrypt KAT ▪ AES CBC 256 bits Encrypt KAT ▪ AES CBC 128 bits Decrypt KAT ▪ AES CBC 192 bits Decrypt KAT ▪ AES CBC 256 bits Decrypt KAT ▪ HMAC-SHA2-256 DRBG KAT • Generate, Instantiate and Reseed ▪ HMAC-SHA-1 KAT ▪ HMAC-SHA2-256 KAT ▪ HMAC-SHA2-512 KAT ▪ KAS-ECC-SSC P-256 KAT ▪ KAS-ECC-SCC P-384 KAT ▪ KAS-FFC-SSC MODP-2048 KAT ▪ KDF SSH KAT ▪ RSA 2048 bits SHA2-256 Sign KAT ▪ RSA 2048 bits SHA2-256 Verify KAT ▪ ECDSA P-256 Sig Gen KAT ▪ ECDSA P-256 Sig Ver KAT ▪ ECDSA P-384 Sig Gen KAT ▪ ECDSA P-384 Sig Ver KAT ▪ SHA2-384 KAT o LibMD KATs (CAVP Cert. #A4306) ▪ HMAC-SHA-1 ▪ HMAC-SHA2-256 ▪ SHA2-512 (Juniper Networks, Inc. © 2023) Version 1.0 Page 43 of 47 Public Material – May be reproduced only in its original entirety (without revision). o NIST SP 800-90B Repetitive Count Test (RCT) o NIST SP 800-90B Adaptive Proportion Test (APT) o Pairwise consistency test when generating ECDSA key pairs (for signature generation/verification and KAS-ECC SSP agreement) o Pairwise consistency test when generating RSA key pairs (for signature generation/verification) o Pairwise consistency test when generating DSA key pairs (for KAS-FFC SSP agreement) o Firmware Load Test (ECDSA P-256 SHA2-256 signature verification) Each time the module is powered up it tests that all the cryptographic algorithms operate correctly, and that sensitive data have not been damaged. Pre-operational as well as Conditional Cryptographic Algorithm Self-tests (CAST) are performed on each power up/boot of the module and on demand by power cycling the module (Perform self-tests (remote reset) service). The module performs a CAST for ECDSA P-256 with SHA2-256 prior to executing the firmware integrity check on each boot. The pre-operational firmware integrity test as well as all CASTs must be completed successfully prior to any other use of cryptography by the module in the Approved mode of operation. These tests can also be performed periodically by rebooting the module. If the pre-operation firmware integrity test or if any of the CASTs fail, then the module returns the error indicator “FIPS error: self-test failure”, inhibits all data output and enters the hard error state. Conditional Self-Tests are performed by the module when the corresponding condition is met. The pairwise consistency tests are performed on key pair generation for use in signature generation/verification (ECDSA and/or RSA tests) and/or for use in KAS-ECC SSP agreement (ECDSA tests). The firmware load test is performed when a firmware image is loaded onto the module from an external source. If the conditional self-tests fail, the module enters the soft error state, i.e., it rejects the generated keypair/loaded image, returns an error indicator and resumes normal operation. The error indicator is the return code -1 in case of a pairwise consistency test failure and “ERROR: Failed signature check” for the firmware load test failure. (Juniper Networks, Inc. © 2023) Version 1.0 Page 44 of 47 Public Material – May be reproduced only in its original entirety (without revision). 11. Life-cycle Assurance The Crypto Officer must follow the procedures defined below for secure installation, initialization, startup and operation of the module. Crypto Officer Guidance The Crypto Officer must check to verify the firmware image being loaded on the module is the FIPS 140-3 validated version/image. If the image is the FIPS 140-3 validated image, then proceed with installation of the image. Installing The Firmware Image Download the validated firmware image from https://www.juniper.net/support/downloads/junos.html. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives. Select the validated firmware image. Download the firmware image to a local host or to an internal software distribution site. Connect to the console port on the device from your management device and log in to the Junos OS CLI. Copy the firmware package to the device to the /var/tmp/ directory. Install the new package on the device using the following command: operator@device> request vmhost software add /var/tmp/.tgz. NOTE: If you need to terminate the installation, do not reboot your device; instead, finish the installation and then issue the request system software delete package.tgz command, where package.tgz is, for example, junos-vmhost-install-ptx-x86-64-22.4R2.8.tgz.This is your last chance to stop the installation. Reboot the device to complete the load and start the installation: operator@device> request vmhost reboot After the reboot has completed, log in and use the show version command to verify that the new version of the firmware is successfully installed. Also install the built-in fips-mode.tgz package needed for enabling the Approved-mode and the jpfe-fips package needed for execution of the CASTs. Please note that this is a one-time installation post which the module remains in the Approved mode once enabled and automatically executes the CASTs on each boot without requiring any operator or external intervention. The following are the commands used for installing these packages: operator@device >request system software add optional://fips-mode.tgz operator@device >request system software add optional://jpfe-fips.tgz Enabling Approved Mode of Operation (Juniper Networks, Inc. © 2023) Version 1.0 Page 45 of 47 Public Material – May be reproduced only in its original entirety (without revision). The Crypto Officer is responsible for initializing the module in the Approved mode of operation. The Approved mode of operation is not automatically enabled. The Crypto Officer shall place the module in the Approved mode by first zeroising it to ensure no SSPs are present. Next, the cryptographic officer shall follow the steps found in the Junos OS FIPS Evaluated Configuration Guide for PTX1000, Release 22.4R2 document Chapter 2 to place the module into an Approved mode of operation. The steps from the aforementioned document have been reiterated below. To enable the Approved mode in Junos OS on the module: 1. Zeroise the module using the “request vmhost zeroize” command. Once the module comes up in the “amnesiac mode” post zeroisation, connect to it using the console port with username “root”, enter the configuration mode and configure the root-authentication password (i.e., Crypto Officer credentials) as follows: root@device> edit Entering configuration mode [edit] root@device# set system root-authentication plain-text-password New password: Retype new password: [edit] root@device# commit configuration check succeeds commit complete 2. Enable Approved mode on the device by setting the Approved level to 1, and verify the level: [edit] root@device# set system fips level 1 [edit] root@device# show system fips level level 1; 4. Commit the configuration (Juniper Networks, Inc. © 2023) Version 1.0 Page 46 of 47 Public Material – May be reproduced only in its original entirety (without revision). [edit ] root@device# commit configuration check succeeds Generating RSA key /etc/ssh/fips_ssh_host_key Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key 'system' reboot is required to transition to fips level 1 commit complete 5. Reboot the device: [edit] root@device# run request system reboot Reboot the system ? [yes,no] (no) yes During the reboot, the device runs the pre-operational firmware integrity test and all CASTs. It returns a login prompt as follows: root@device:fips> 6. After the reboot has completed, log in and use the show version command to verify the firmware version is the validated version: root@device:fips > show version Placing the Module in the Non-Approved Mode of Operation As Crypto Officer, the operator needs to disable the Approved mode of operation on the device to return it to the non-Approved mode of operation. To disable the Approved mode on the device, the module must be zeroised (step 1 defined above). No other maintenance requirements apply for operation of the module in the Approved/non-Approved modes as defined above. For further information and for the Administrator and non-Administrator guidance, please see the Junos OS FIPS Evaluated Configuration Guide for PTX1000, Release 22.4R2 document. (Juniper Networks, Inc. © 2023) Version 1.0 Page 47 of 47 Public Material – May be reproduced only in its original entirety (without revision). 12. Mitigation of Other Attacks The module does not implement any mitigation of other attacks and thus the requirements per this section do not apply to the module.