CopyrightJuniper,2017 Version1.10 Page1of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
JuniperNetworksSRX5400,SRX5600,andSRX5800ServicesGateways
Non-ProprietaryFIPS140-2CryptographicModuleSecurityPolicy
Version:1.10Date:June09,2017
JuniperNetworks,Inc.1133InnovationWaySunnyvale,California94089USA408.745.20001.888JUNIPERwww.juniper.net
CopyrightJuniper,2017 Version1.10 Page2of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
TableofContents1 Introduction...................................................................................................................4
1.1 HardwareandPhysicalCryptographicBoundary.......................................................................61.2 ModeofOperation...................................................................................................................111.3 Zeroization................................................................................................................................12
2 CryptographicFunctionality..........................................................................................13
2.1 ApprovedAlgorithms................................................................................................................132.2 AllowedAlgorithms..................................................................................................................142.3 AllowedProtocols.....................................................................................................................152.4 DisallowedAlgorithms..............................................................................................................162.5 CriticalSecurityParameters.....................................................................................................16
3 Roles,AuthenticationandServices...............................................................................18
3.1 RolesandAuthenticationofOperatorstoRoles......................................................................183.2 AuthenticationMethods...........................................................................................................183.3 Services.....................................................................................................................................183.4 Non-ApprovedServices............................................................................................................20
4 Self-tests......................................................................................................................21
5 PhysicalSecurityPolicy.................................................................................................23
5.1 GeneralTamperSealPlacementandApplicationInstructions................................................235.2 SRX5400(13seals)....................................................................................................................235.3 SRX5600(18seals)....................................................................................................................245.4 SRX5800(24seals)....................................................................................................................26
6 SecurityRulesandGuidance.........................................................................................28
7 ReferencesandDefinitions...........................................................................................29
ListofTablesTable1–CryptographicModuleHardwareConfigurations.........................................................................4Table2-SecurityLevelofSecurityRequirements.......................................................................................5Table3-PortsandInterfaces....................................................................................................................11Table4-DataPlaneApprovedCryptographicFunctions...........................................................................13Table5-ControlPlaneAuthentecApprovedCryptographicFunctions.....................................................13Table6-OpenSSLApprovedCryptographicFunctions..............................................................................14Table7–AllowedCryptographicFunctions...............................................................................................14Table8–ProtocolsAllowedinFIPSMode.................................................................................................15Table9–CriticalSecurityParameters(CSPs).............................................................................................16Table10–PublicKeys................................................................................................................................17Table11–AuthenticatedServices.............................................................................................................18Table12–Unauthenticatedtraffic............................................................................................................19
CopyrightJuniper,2017 Version1.10 Page3of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table13–CSPAccessRightswithinServices.............................................................................................19Table14–AuthenticatedServices.............................................................................................................20Table15–Unauthenticatedtraffic............................................................................................................20Table16–PhysicalSecurityInspectionGuidelines....................................................................................23Table17–References................................................................................................................................29Table18–AcronymsandDefinitions.........................................................................................................30Table19–Datasheets................................................................................................................................30ListofFiguresFigure1–SRX5400FrontView....................................................................................................................6Figure2–SRX5400BottomView.................................................................................................................7Figure3–SRX5600ProfileView..................................................................................................................7Figure4–SRX5600RearView......................................................................................................................8Figure5–SRX5600LeftView.......................................................................................................................8Figure6–SRX5800TopView.......................................................................................................................9Figure7–SRX5800RearView....................................................................................................................10Figure8–SRX5800LeftView.....................................................................................................................10Figure9-SRX5400-Tamper-EvidentSealLocationsonFront-SixSeals....................................................24Figure10-SRX5400-Tamper-EvidentSealLocationsonRear-SevenSeals..............................................24Figure11-SRX5600-Tamper-EvidentSealLocationsonFront-11Seals..................................................25Figure12-SRX5600-Tamper-EvidentSealLocationsonRear-SevenSeals..............................................25Figure13-SRX5800-Tamper-EvidentSealLocationsonFront-19Seals..................................................26Figure14-SRX5800-Tamper-EvidentSealLocationsonRear-FiveSeals.................................................27
CopyrightJuniper,2017 Version1.10 Page4of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
1 IntroductionTheJuniperNetworksSRXSeriesServicesGatewaysareaseriesofsecureroutersthatprovideessentialcapabilitiestoconnect,secure,andmanageworkforcelocationssizedfromhandfulstohundredsofusers.Byconsolidatingfast,highlyavailableswitching,routing,security,andapplicationscapabilitiesinasingledevice,enterprises caneconomicallydelivernewservices, safeconnectivity,anda satisfyingenduserexperience.AllmodelsrunJuniper’sJUNOSfirmware–inthiscase,aspecificFIPS-compliantversioncalledJUNOS-FIPS,version12.3X48-D30.Thefirmwareimageisjunos-srx5000-12.3X48-D30.12-fips.tgzandthefirmwareStatusserviceidentifiesitselfasinthe“Junos12.3X48-D30.12(FIPSedition)”.
This Security Policy covers the SRX5400, SRX5600, and SRX5800models. They aremeant for serviceproviders,largeenterprisenetworks,andpublic-sectornetworks.
Thecryptographicmodulesaredefinedasmultiple-chip standalonemodules thatexecute JUNOS-FIPSfirmwareonanyoftheJuniperNetworksSRX-Seriesgatewayslistedinthetablebelow.
Table1–CryptographicModuleHardwareConfigurations
ChassisPN REPN SCBPN SPCPN IOCPN PowerPN TamperSeals
SRX5400
SRX5K-RE-13-20 SRX5K-SCB SRX5K-SPC-4-
15-320SRX5K-40GE-SFP
withACHCorDC
JNPR-FIPS-TAMPER-LBLS
SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-
15-320SRX-MIC-10XG-SFPP
SRX5600
SRX5K-RE-13-20 SRX5K-SCB SRX5K-SPC-2-
10-40SRX5K-40GE-SFP
SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-
15-320SRX-MIC-10XG-SFPP
SRX5800
SRX5K-RE-13-20 SRX5K-SCB SRX5K-SPC-2-
10-40SRX-MIC-10XG-SFPP
SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-
15-320SRX-MIC-10XG-SFPP
ThemodulesaredesignedtomeetFIPS140-2Level2overall:
CopyrightJuniper,2017 Version1.10 Page5of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table2-SecurityLevelofSecurityRequirements
Area Description Level1 ModuleSpecification 2
2 PortsandInterfaces 2
3 RolesandServices 3
4 FiniteStateModel 2
5 PhysicalSecurity 2
6 OperationalEnvironment N/A
7 KeyManagement 28 EMI/EMC 2
9 Self-test 2
10 DesignAssurance 3
11 MitigationofOtherAttacks N/A
Overall 2
Themoduleshavea limitedoperationalenvironmentaspertheFIPS140-2definitions.They includeafirmware load service to support necessary updates. New firmware versionswithin the scope of thisvalidationmustbevalidatedthroughtheFIPS140-2CMVP.AnyotherfirmwareloadedintothesemodulesareoutofthescopeofthisvalidationandrequireaseparateFIPS140-2validation.
ThemodulesdonotimplementanymitigationofotherattacksasdefinedbyFIPS140-2.
CopyrightJuniper,2017 Version1.10 Page6of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
1.1 HardwareandPhysicalCryptographicBoundary
Thephysicalformsofthemodule’svariousmodelsaredepictedinFigures1-11below.Forallmodels,thecryptographicboundaryisdefinedastheouteredgeofthechassis.ThemodulesexcludethepowersupplyandfancomponentsfromtherequirementsofFIPS140-2.Thepowersuppliesandfansdonotcontainanysecurityrelevantcomponentsandcannotaffectthesecurityofthemodule.Theexcludedcomponentsareidentifiedwithredbordersinthefollowingfigures.Themoduledoesnotrelyonexternaldevicesforinputandoutput.
Figure1–SRX5400FrontView
CopyrightJuniper,2017 Version1.10 Page7of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure2–SRX5400BottomView
Figure3–SRX5600ProfileView
CopyrightJuniper,2017 Version1.10 Page8of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure4–SRX5600RearView
Figure5–SRX5600LeftView
CopyrightJuniper,2017 Version1.10 Page9of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure6–SRX5800TopView
CopyrightJuniper,2017 Version1.10 Page10of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure7–SRX5800RearView
Figure8–SRX5800LeftView
CopyrightJuniper,2017 Version1.10 Page11of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table3-PortsandInterfaces
Port Description LogicalInterfaceTypeEthernet LANCommunications Controlin,Datain,Dataout,StatusoutSerial Consoleserialport Controlin,StatusoutPower Powerconnector PowerinReset Reset ControlinLED Statusindicatorlighting StatusoutUSB Firmwareloadport Controlin,DatainWAN SHDSL,VDSL,T1,E1 Controlin,Datain,Dataout,Statusout
1.2 ModeofOperation
FollowtheinstructionsinSection5toapplythetampersealstothemodule.Oncethetampersealshavebeenappliedasshowninthisdocument,theJUNOS-FIPSfirmwareimageisinstalledonthedevice,andintegrityandself-testshaverunsuccessfullyoninitialpower-on,themoduleisoperatingintheApprovedmode.TheCrypto-OfficermustensurethatthebackupimageofthefirmwareisalsoaJUNOS-FIPSimagebyissuingtherequestsystemsnapshotcommand.
If themodule was previously in a non-Approvedmode of operation, the Cryptographic OfficermustzeroizetheCSPsbyfollowingtheinstructionsinSection1.3.
Then,theCOmustrunthefollowingcommandstoconfigureSSHtouseFIPSApprovedandFIPSallowedalgorithms:co@fips-srx# set system services ssh hostkey-algorithm ssh-ecdsa
co@fips-srx# set system services ssh hostkey-algorithm no-ssh-rsa
co@fips-srx# set system services ssh hostkey-algorithm no-ssh-dss
co@fips-srx# set system services ssh hostkey-algorithm no-ssh-ed25519
co@fips-srx# commit
TheCOcanchangethepreferenceofSSHkeyexchangemethodsusingthefollowingcommand:co@fips-srx# set system services ssh key-exchange <algorithm>
<algorithm> - dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, group-exchange-sha1, or group-exchange-sha2
TheCOcanchangethepreferenceofSSHcipheralgorithmsusingthefollowingcommand:co@fips-srx# set system services ssh ciphers <algorithm>
<algorithm> - 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr
TheCOcanchangethepreferenceofSSHMACalgorithmsorenableadditionalApprovedalgorithmsusingthefollowingcommand:
CopyrightJuniper,2017 Version1.10 Page12of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
co@fips-srx# set system services ssh macs <algorithm>
<algorithm> - hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, [email protected], [email protected], [email protected], [email protected]
WhenAESGCMisconfiguredastheencryption-algorithmforIKEorIPsec,theCOmustrunthefollowingcommandtoconfigurethealgorithms:co@fips-srx# set security ike gateway <name> version v2-only
<name> - the user configured name for the IKE gateway
co@fips-srx# commit
The“showversion”commandwillindicateifthemoduleisoperatinginFIPSmode(e.g.JUNOSSoftwareRelease[12.3X48-D30](FIPSedition)),run“show system services ssh”,andrun“show security ipsec” toverify thatonly theFIPSApprovedandFIPSallowedalgorithmsareconfiguredforSSHandIPsecasspecifiedabove.
1.3 Zeroization
The cryptographic module provides a non-Approved mode of operation in which non-Approvedcryptographic algorithms are supported. When transitioning between the non-Approved mode ofoperation and the Approved mode of operation, the Cryptographic Officer must run the followingcommandstozeroizetheApprovedmodeCSPs:co@fips-srx> start shell
co@fips-srx% rm –P <keyfile>
<keyfile> - each persistent private or secret key other than the SSH host keys and the X.509 keys for IKE.
co@fips-srx% rm –P /var/db/certs/common/certificate-request/*
co@fips-srx% exit
co@fips-srx> request system zeroize
Note:TheCryptographicOfficermustretaincontrolofthemodulewhilezeroizationisinprocess.
CopyrightJuniper,2017 Version1.10 Page13of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
2 CryptographicFunctionality2.1 ApprovedAlgorithms
ThemoduleimplementstheFIPSApprovedandNon-ApprovedbutAllowedcryptographicfunctionslistedintheTables4to6below.Table8summarizesthehighlevelprotocolalgorithmsupport.Themoduledoesnotimplementalgorithmsthatrequirevendoraffirmation.
Table4-DataPlaneApprovedCryptographicFunctions
CAVPCert. Algorithm Mode Description Functions4070,4329 AES[197] CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt
4070 AES[197] GCM[38D]1 KeySizes:128,192,256 Encrypt,Decrypt,AEAD
2657,2867 HMAC[198]
SHA-1 λ=96MessageAuthentication
SHA-256 λ=1283353,3571 SHS[180] SHA-1
SHA-256 MessageDigestGeneration
2221,2222 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
Table5-ControlPlaneAuthentecApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions4054,4055 AES[197] CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt
4055 AES[197] GCM[38D]1 KeySizes:128,256 Encrypt,Decrypt,AEAD
926 CVLIKEv1[135] SHA1,256,384
KeyDerivationIKEv2[135] SHA1,256,384
1103,1104 DSA[186] (L=2048,N=224)
(L=2048,N=256) KeyGen
916,917 ECDSA[186] P-256(SHA256)
P-384(SHA{256},384) KeyGen,SigGen,SigVer
2646,2647 HMAC[198]
SHA-1 λ=96,160MessageAuthentication,KDFPrimitiveSHA-256 λ=128,256
SHA-384 λ=192,384
N/A KTS[38F]
(AESCert.#4054andHMACCert.#2646),(AESCert.#4055andHMACCert.#2647),(Triple-DESCert.#2224
andHMACCert.#2646)
KeyWrapping/Unwrapping
2201,2202 RSA[186] PKCS1_V1_5 n=2048(SHA256)
{n=3072(SHA256)} SigGen,SigVer
1TheSRX5K-SPC-2-10-40doesnotsupportAESGCM.
CopyrightJuniper,2017 Version1.10 Page14of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
3341,3342 SHS[180]
SHA-1SHA-256SHA-384
MessageDigestGeneration
2224 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
Table6-OpenSSLApprovedCryptographicFunctions
CAVPCert. Algorithm Mode Description Functions
4056 AES[197] CBC[38A]CTR[38A] KeySizes:128,192,256 Encrypt,Decrypt
880 CVL SSH[135] SHA1,256,384 KeyDerivation1216,1399,1401
DRBG[90A] HMAC SHA-256 RandomBitGeneration
1096 DSA[186] {(2048,224)}(2048,256) KeyGen
909 ECDSA[186]
{P-224(SHA256)}P-256(SHA256){P-384(SHA256)}
SigGen
{P-224(SHA256)}P-256(SHA256)P-384(SHA{256},384)
KeyGen,SigVer
2648 HMAC[198]SHA-1 λ=96,160
MessageAuthenticationDRBGPrimitiveSHA-256 λ=256
SHA-512 λ=512
N/A KTS[38F](AESCert.#4056andHMACCert.#2648),(Triple-DESCert.#2223and
HMACCert.#2648)KeyWrapping/Unwrapping
2087 RSA[186] n=2048(SHA256){n=3072(SHA256)} KeyGen,SigGen,SigVer
RSA[186-2] {n=4096(SHA256)} {SigGen}
3343 SHS[180]
SHA-1SHA-256SHA-384
MessageDigestGeneration,KDFPrimitive
SHA-512 MessageDigestGeneration
2223 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
2.2 AllowedAlgorithms
Table7–AllowedCryptographicFunctions
Algorithm Caveat Use
CopyrightJuniper,2017 Version1.10 Page15of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Diffie-Hellman[IG]D.8 Provides between 112 and 192 bits ofencryptionstrength. keyagreement;keyestablishment
EllipticCurveDiffie-Hellman[IG]D.8
Provides 128 or 192 bits of encryptionstrength. keyagreement;keyestablishment
NDRNG SeedingtheDBRG
2.3 AllowedProtocols
Table8–ProtocolsAllowedinFIPSMode
Protocol KeyExchange Auth Cipher Integrity
IKEv1 Diffie-Hellman(L=2048,N=224,256)ECDiffie-HellmanP-256,P-384
RSA2048Pre-SharedSecretECDSAP-256ECDSAP-384
Triple-DESCBCAESCBC128/192/256
HMAC-SHA-1-96HMAC-SHA-256-128HMAC-SHA-384-192
IKEv22 Diffie-Hellman(L=2048,N=224,256)ECDiffie-HellmanP-256,P-384
RSA2048Pre-SharedSecretECDSAP-256ECDSAP-384
Triple-DESCBCAESCBC128/192/256AESGCM3128/256
HMAC-SHA-1-96HMAC-SHA-256-128HMAC-SHA-384-192
IPsecESP
IKEv1withoptional:• Diffie-Hellman(L=2048,N=224,
256)• ECDiffie-HellmanP-256,P-384
IKEv13KeyTriple-DESCBCAESCBC128/192/256 HMAC-SHA-
1-96HMAC-SHA-256-128
IKEv2withoptional:• Diffie-Hellman(L=2048,N=224),
(2048,256)• ECDiffie-HellmanP-256,P-384
IKEv2
3KeyTriple-DESCBCAESCBC128/192/256AESGCM4128/192/256
SSHv2
Diffie-Hellman(L=2048,3072,4096,6144,7680,8192;N=256,320,384,512,1024)ECDiffie-HellmanP-256,P-384
ECDSAP-256
Triple-DESCBCAESCBC128/192/256AESCTR128/192/256
HMAC-SHA-1-96HMAC-SHA-1HMAC-SHA-256HMAC-SHA-512
2IKEv2generatestheSKEYSEEDaccordingtoRFC7296.3TheGCMIVisgeneratedaccordingtoRFC5282.4TheGCMIVisgeneratedaccordingtoRFC4106.
CopyrightJuniper,2017 Version1.10 Page16of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
TheseprotocolshavenotbeenreviewedortestedbytheCAVPorCMVP.
The IKE and SSH algorithms allow independent selection of key exchange, authentication, cipher andintegrity.InTable8above,eachcolumnofoptionsforagivenprotocolisindependent,andmaybeusedinanyviablecombination.ThesesecurityfunctionsarealsoavailableintheSSHconnect(non-compliant)service.
2.4 DisallowedAlgorithms
These algorithms are non-Approved algorithms that are disabledwhen themodule is operated in anApprovedmodeofoperation.
• ARCFOUR• Blowfish• CAST• HMAC-MD5• HMAC-RIPEMD160• UMAC
2.5 CriticalSecurityParameters
AllCSPsandpublickeysusedbythemodulearedescribedinthissection.
Table9–CriticalSecurityParameters(CSPs)
Name DescriptionandusageDRBG_Seed SeedmaterialusedtoseedorreseedtheDRBGDRBG_State VandKeyvaluesfortheHMAC_DRBG
SSHPHK SSHPrivatehostkey.1sttimeSSHisconfigured,thekeysaregenerated.ECDSAP-256.Usedtoidentifythehost.
SSHDHSSHDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinSSH.Diffie-Hellman(N=256bit,320bit,384bit,512bit,or1024bit5),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
SSH-SEK SSHSessionKey;SessionkeysusedwithSSH.Triple-DES(3key),AES,HMAC.ESP-SEK IPSecESPSessionKeys.Triple-DES(3key),AES,HMAC.IKE-PSK Pre-SharedKeyusedtoauthenticateIKEconnections.IKE-Priv IKEPrivateKey.RSA2048,ECDSAP-256,orECDSAP-384IKE-SKEYID IKESKEYID.IKEsecretusedtoderiveIKEandIPsecESPsessionkeys.IKE-SEK IKESessionKeys.Triple-DES(3key),AES,HMAC.
IKE-DH-PRI IKEDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinIKE.Diffie-HellmanN=224bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
5SSHgeneratesaDiffie-Hellmanprivatekeythatis2xthebitlengthofthelongestsymmetricorMACkeynegotiated.
CopyrightJuniper,2017 Version1.10 Page17of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
CO-PW ASCIITextusedtoauthenticatetheCO.User-PW ASCIITextusedtoauthenticatetheUser.
Table10–PublicKeys
Name DescriptionandusageSSH-PUB SSHPublicHostKeyusedtoidentifythehost.ECDSAP-256.
SSH-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinSSHkeyestablishment.Diffie-Hellman(L=2048bit,3072bit,4096bit,6144bit,7680bit,or8192bit),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
IKE-PUB IKEPublicKeyRSA2048,ECDSAP-256,orECDSAP-384
IKE-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinIKEkeyestablishment.Diffie-HellmanL=2048bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
Auth-UPub SSHUserAuthenticationPublicKeys.Usedtoauthenticateuserstothemodule.ECDSAP-256orP-384
Auth-COPub SSHCOAuthenticationPublicKeys.UsedtoauthenticateCOtothemodule.ECDSAP-256orP-384
RootCA JuniperRootCA.ECDSAP-256orP-384X.509Certificate;UsedtoverifythevalidityoftheJuniperPackageCAatsoftwareload.
PackageCA PackageCA.ECDSAP-256X.509Certificate;UsedtoverifythevalidityofJuniperImagesatsoftwareloadandalsoatruntimeintegrity.
CopyrightJuniper,2017 Version1.10 Page18of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
3 Roles,AuthenticationandServices3.1 RolesandAuthenticationofOperatorstoRoles
Themodulesupportstworoles:CryptographicOfficer(CO)andUser.Themodulesupportsconcurrentoperators,butdoesnotsupportamaintenanceroleand/orbypasscapability.Themoduleenforcestheseparationofrolesusingeitheridentity-basedoperatorauthentication.
TheCryptographicOfficerroleconfiguresandmonitorsthemoduleviaaconsoleorSSHconnection.Asrootorsuper-user,theCryptographicOfficerhaspermissiontoviewandeditsecretswithinthemodule
TheUserrolemonitorstherouterviatheconsoleorSSH.Theuserrolemaynotchangetheconfiguration.
3.2 AuthenticationMethods
ThemoduleimplementstwoformsofIdentity-Basedauthentication,usernameandpasswordovertheConsoleandSSHaswellasusernameandpublickeyoverSSH.
Passwordauthentication:Themoduleenforces10-characterpasswords(atminimum)chosenfromthe96humanreadableASCIIcharacters.Themaximumpasswordlengthis20characters.
Themoduleenforcesatimedaccessmechanismasfollows:Forthefirsttwofailedattempts(assuming0timetoprocess),notimedaccessisenforced.Uponthethirdattempt,themoduleenforcesa5-seconddelay.Eachfailedattemptthereafterresultsinanadditional5-seconddelayabovetheprevious(e.g.4thfailedattempt=10-seconddelay,5th failedattempt=15-seconddelay,6th failedattempt=20-seconddelay,7thfailedattempt=25-seconddelay).
Thisleadstoamaximumofseven(7)possibleattemptsinaone-minuteperiodforeachgetty.Thebestapproachfortheattackerwouldbetodisconnectafter4failedattempts,andwaitforanewgettytobespawned.Thiswouldallowtheattackertoperformroughly9.6attemptsperminute(576attemptsperhour/60mins); this would be rounded down to 9 perminute, because there is no such thing as 0.6attempts.Thustheprobabilityofasuccessfulrandomattemptis1/9610,whichislessthan1/1million.Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis9/(9610),whichislessthan1/100,000.
ECDSAsignatureverification:SSHpublic-keyauthentication.Processingconstraintsallowforamaximumof5.6e7ECDSAattemptsperminute.ThemodulesupportsECDSA(P-256andP-384).Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis5.6e7/(2128).
3.3 Services
Allservicesimplementedbythemodulearelistedinthetablesbelow.Table13–liststheaccesstoCSPsbyeachservice.
Table11–AuthenticatedServices
Service Description CO UserConfiguresecurity Securityrelevantconfiguration x
Configure Non-securityrelevantconfiguration x SecureTraffic IPsecprotectedconnection(ESP) x Status Showstatus x xZeroize DestroyallCSPs x
CopyrightJuniper,2017 Version1.10 Page19of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
SSHconnect InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x
IPsecconnect InitiateIPsecconnection(IKE) x Consoleaccess Consolemonitoringandcontrol(CLI) x xRemotereset Softwareinitiatedreset x
Table12–Unauthenticatedtraffic
Service DescriptionLocalreset HardwareresetorpowercycleTraffic Trafficrequiringnocryptographicservices
Table13–CSPAccessRightswithinServices
Service
CSPs
DRBG
_Seed
DRBG
_State
SSHPH
K
SSHDH
SSH-SEK
ESP-SEK
IKE-PSK
IKE-Priv
IKE-SKEYI
IKE-SEK
IKE-DH
-PRI
CO-PW
User-PW
Configuresecurity -- E GW -- -- -- RW RGW -- -- -- RW RW
Configure -- -- -- -- -- -- -- -- -- -- -- -- --Securetraffic -- -- -- -- -- E -- -- -- E -- -- --
Status -- -- -- -- -- -- -- -- -- -- -- -- --
Zeroize -- Z Z -- -- -- Z Z -- -- -- Z Z
SSHconnect -- E E GE GE -- -- -- -- -- -- E EIPsecconnect -- E -- -- -- G E E G G G -- --
Consoleaccess -- -- -- -- -- -- -- -- -- -- -- E E
Remotereset GEZ G -- Z Z Z -- -- Z Z Z Z Z
Localreset GEZ G -- Z Z Z -- -- Z Z Z Z Z
Traffic -- -- -- -- -- -- -- -- -- -- -- -- --G=Generate:ThemodulegeneratestheCSPR=Read:TheCSPisreadfromthemodule(e.g.theCSPisoutput)E=Execute:ThemoduleexecutesusingtheCSPW=Write:TheCSPisupdatedorwrittentothemoduleZ=Zeroize:ThemodulezeroizestheCSP.
CopyrightJuniper,2017 Version1.10 Page20of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
3.4 Non-ApprovedServices
The following services are available in the non-Approved mode of operation. The security functionsprovidedbythenon-ApprovedservicesareidenticaltotheApprovedcounterpartswiththeexceptionofSSHConnect(non-compliant).SSHConnect(non-compliant)supportsthesecurityfunctionsidentifiedinSection2.4andtheSSHv2rowofTable8.
Table14–AuthenticatedServices
Service Description CO UserConfiguresecurity(non-compliant) Securityrelevantconfiguration x
Configure(non-compliant) Non-securityrelevantconfiguration x
SecureTraffic(non-compliant) IPsecprotectedconnection(ESP) x
Status(non-compliant) Showstatus x xZeroize(non-compliant) DestroyallCSPs x SSHconnect(non-compliant)
InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x
IPsecconnect(non-compliant) InitiateIPsecconnection(IKE) x
Consoleaccess(non-compliant) Consolemonitoringandcontrol(CLI) x x
Remotereset(non-compliant) Softwareinitiatedreset x
Table15–Unauthenticatedtraffic
Service DescriptionLocalreset(non-compliant) Hardwareresetorpowercycle
Traffic(non-compliant) Trafficrequiringnocryptographicservices
CopyrightJuniper,2017 Version1.10 Page21of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
4 Self-testsEachtimethemoduleispoweredupitteststhatthecryptographicalgorithmsstilloperatecorrectlyandthatsensitivedatahavenotbeendamaged.Power-upself–testsareavailableondemandbypowercyclingthemodule.
Onpoweruporreset,themoduleperformstheself-testsdescribedbelow.AllKATsmustbecompletedsuccessfullypriortoanyotheruseofcryptographybythemodule.IfoneoftheKATsfails,themoduleenterstheCriticalFailureerrorstate.
Themoduleperformsthefollowingpower-upself-tests:
• FirmwareIntegritycheckusingECDSAP-256withSHA-256• DataPlaneKATs
o AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA-256KATo AES-GCM(128/192/256)EncryptKAT(Note:ExceptonSRX5K-SPC-2-10-40,whichdoes
notsupportAESGCM)o ASE-GCM(128/192/256)DecryptKAT(Note:ExceptonSRX5K-SPC-2-10-40,whichdoes
notsupportAESGCM)• ControlPlaneAuthentecKATs
o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo ECDSAP-256w/SHA-256Sign/VerifyPCTo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA-256KATo HMAC-SHA-384KATo AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKATo AES-GCM(128/256)EncryptKATo AES-GCM(128/256)DecryptKATo KDF-IKE-V1KATo KDF-IKE-V2KAT
• OpenSSLKATso SP800-90AHMACDRBGKAT
§ Health-testsinitialize,re-seed,andgenerate.o ECDSAP-256Sign/VerifyPCTo ECDiffie-HellmanP-256KAT
§ Derivationoftheexpectedsharedsecret.o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKAT
CopyrightJuniper,2017 Version1.10 Page22of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
o HMAC-SHA-1KATo HMAC-SHA-256KATo HMAC-SHA-512KATo SHA(256/384/512)KATo AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKATo KDF-SSHKAT
• CriticalFunctionTest
o Thecryptographicmoduleperformsaverificationofalimitedoperationalenvironmentandverificationofoptionalnon-criticalpackages.
Themodulealsoperformsthefollowingconditionalself-tests:
• ContinuousRNGTestontheSP800-90AHMAC-DRBG• ContinuousRNGtestontheNDRNG• PairwiseconsistencytestwhengeneratingECDSAandRSAkeypairs.• FirmwareLoadTest(ECDSAsignatureverification)
CopyrightJuniper,2017 Version1.10 Page23of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
5 PhysicalSecurityPolicyThemodule’sphysicalembodimentisthatofamulti-chipstandalonedevicethatmeetsLevel2PhysicalSecurityrequirements.Themodule iscompletelyenclosed inarectangularnickelorclearzinccoated,coldrolledsteel,platedsteelandbrushedaluminumenclosure.Therearenoventilationholes,gaps,slits,cracks,slots,orcrevicesthatwouldallowforanysortofobservationofanycomponentcontainedwithinthecryptographicboundary.Tamper-evidentsealsallowtheoperatortotell if theenclosurehasbeenbreached.Thesesealsarenotfactory-installedandmustbeappliedbytheCryptographicOfficer.(Sealsare available for order from Juniper usingpart number JNPR-FIPS-TAMPER-LBLS.) The tamper-evidentsealsshallbeinstalledforthemoduletooperateinaFIPSmodeofoperation.
TheCryptographicOfficerisresponsibleforsecuringandhavingcontrolatalltimesofanyunusedsealsandthedirectcontrolandobservationofanychangestothemodule,suchasreconfigurationswherethetamper-evidentsealsorsecurityappliancesareremovedorinstalledtoensurethesecurityofthemoduleismaintainedduringsuchchangesandthemoduleisreturnedtoaFIPSApprovedstate.
Table16–PhysicalSecurityInspectionGuidelines
PhysicalSecurityMechanism
RecommendedFrequencyofInspection/Test
Inspection/TestGuidanceDetails
Tamperseals,opaquemetalenclosure.
OncepermonthbytheCryptographicOfficer.
Sealsshouldbefreeofanytamperevidence.
If the CryptographicOfficer observes tamper evidence, it shall be assumed that the device has beencompromised.TheCryptographicOfficershallretaincontrolofthemoduleandperformZeroizationofthemodule'sCSPsbyfollowingthestepsinSection1.3oftheSecurityPolicy.
5.1 GeneralTamperSealPlacementandApplicationInstructions
Forallsealapplications,theCryptographicOfficershouldobservethefollowinginstructions:
• Handlethesealswithcare.Donottouchtheadhesiveside.• Beforeapplyingaseal,ensurethelocationofapplicationisclean,dry,andclearofanyresidue.• Placethesealonthemodule,applyingfirmpressureacrossittoensureadhesion.Allowatleast
1hourfortheadhesivetocure.
5.2 SRX5400(13seals)
Tamper-evidentsealsshallbeappliedtothefollowinglocations:
• FrontPane:o Twoseals,vertical,connectedtothetopmost(non-honeycomb)sub-pane.Theyextend
tothethinpanebelowandthehoneycombpanelabove.o Oneseal,vertical,acrossthethinpane.Extendstotheblankpanebelowandthesub-
paneabove.o Threeseals,vertical,oneoneach“long”horizontalsub-pane.Eachattachestothesub-
paneaboveandtheonebelow(orthechassis,ifit’sthebottommostsub-pane).Ensureoneofthesealsextendstotheleftsub-panebelowthethinsub-pane.
• BackPane:o Fourseals,vertical:oneoneachofthetopfoursub-panes,extendingtothelargechassis
platebelow.o Oneseal,vertical:onthehorizontalscrewed-inplaterestingonthelargecentralchassis.
Shouldextendtothechassisinbothdirections.
CopyrightJuniper,2017 Version1.10 Page24of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
o Twoseals,horizontal:placedonthelowsidesub-panes,extendingtothelargecentralchassisareaandwrappingaroundtotheneighboringsidepanes.
Figure9-SRX5400-Tamper-EvidentSealLocationsonFront-SixSeals
Figure10-SRX5400-Tamper-EvidentSealLocationsonRear-SevenSeals
5.3 SRX5600(18seals)
Tamper-evidentsealsmustbeappliedtothefollowinglocations:
• FrontPane:o Elevenseals,vertical:oneforeachhorizontalsub-pane(excludingthehoneycombplate
onthetopandthethinsub-panealittlebelow),asecondforthetop(non-honeycomb)sub-pane,andanextraforthebottom.Thesealsshouldattachtoverticallyadjacentsub-panes.Theextraonthebottomattachestothelowermostsub-paneandwrapsaround,
CopyrightJuniper,2017 Version1.10 Page25of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
attachingtothebottompane.Itshouldbeensuredthatoneofthesealsspansacrossthethinplatewithampleextradistanceoneachside.
• BackPane:o Fiveseals,vertical:oneoneachoftheupperfoursub-panes,attachingtothelargeplate
below.o Twoseals,horizontal:oneoneachoftheverticalsidesub-panes,extendingtoboththe
largecentralplateandthesidepanes.
Figure11-SRX5600-Tamper-EvidentSealLocationsonFront-11Seals
Figure12-SRX5600-Tamper-EvidentSealLocationsonRear-SevenSeals
CopyrightJuniper,2017 Version1.10 Page26of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
5.4 SRX5800(24seals)
Tamper-evidentsealsshallbeappliedtothefollowinglocations:
• FrontPane:o Fourteenseals,horizontal:oneoneachofthelongverticalsub-panes,extendingtothe
neighboringtwo.Ifonanendsub-pane,sealshouldwraparoundtotheside.o Threeseals,vertical:oneovereachofthethinpanes–twonearthebottom,onenear
thetopofthelowerhalf.o Twoseals,vertical:bothontheconsoleareaatthetopofthemodule,oneextendingto
thetopandtheotherextendingtothechassisareabelow.• BackPane:
o Fiveseals,horizontal:threespanningthegapsbetweentheverticalsub-panels,andthentwomore,oneeachonthefaredgesoftheleftandrightpanels.(Theselasttwoshouldwraparoundtothesides.)
Figure13-SRX5800-Tamper-EvidentSealLocationsonFront-19Seals
CopyrightJuniper,2017 Version1.10 Page27of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure14-SRX5800-Tamper-EvidentSealLocationsonRear-FiveSeals
CopyrightJuniper,2017 Version1.10 Page28of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
6 SecurityRulesandGuidanceThemoduledesigncorresponds to thesecurity rulesbelow.Thetermmust in thiscontextspecificallyrefers to a requirement for correctusageof themodule in theApprovedmode; all other statementsindicateasecurityruleimplementedbythemodule.
1. Themoduleclearspreviousauthenticationsonpowercycle.2. When themodule has not beenplaced in a valid role, the operator does not have access to any
cryptographicservices.3. Powerupself-testsdonotrequireanyoperatoraction.4. Dataoutputisinhibitedduringkeygeneration,self-tests,zeroization,anderrorstates.5. StatusinformationdoesnotcontainCSPsorsensitivedatathatifmisusedcouldleadtoacompromise
ofthemodule.6. TherearenorestrictionsonwhichkeysorCSPsarezeroizedbythezeroizationservice.7. Themoduledoesnotsupportamaintenanceinterfaceorrole.8. Themoduledoesnotsupportmanualkeyentry.9. Themoduledoesnotoutputintermediatekeyvalues.10. Themodulerequiresto independent internalactionstobeperformedpriortooutputingplaintext
CSPs.11. The cryptographic officer must determine whether firmware being loaded is a legacy use of the
firmwareloadservice.12. Thecryptographicofficermustretaincontrolofthemodulewhilezeroizationisinprocess.
CopyrightJuniper,2017 Version1.10 Page29of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
7 ReferencesandDefinitionsThefollowingstandardsarereferredtointhisSecurityPolicy.
Table17–References
Abbreviation FullSpecificationName
[FIPS140-2] SecurityRequirementsforCryptographicModules,May25,2001
[SP800-131A] Transitions:RecommendationforTransitioningtheUseofCryptographicAlgorithmsandKeyLengths,January2011
[IG] ImplementationGuidanceforFIPSPUB140-2andtheCryptographicModuleValidationProgram
[135] National Institute of Standards and Technology, Recommendation for ExistingApplication-Specific Key Derivation Functions, Special Publication 800-135rev1,December2011.
[186] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-4,July2013.
[186-2] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-2,January2000.
[197] National InstituteofStandardsandTechnology,AdvancedEncryptionStandard(AES),FederalInformationProcessingStandardsPublication197,November26,2001
[38A] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation,MethodsandTechniques,SpecialPublication800-38A,December2001
[38D] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation:Galois/CounterMode(GCM)andGMAC,SpecialPublication800-38D,November2007
[38F] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation:MethodsforKeyWrapping,SpecialPublication800-38F,December2012
[198] National Institute of Standards and Technology, The Keyed-Hash MessageAuthenticationCode(HMAC),FederalInformationProcessingStandardsPublication198-1,July,2008
[180] National Institute of Standards and Technology, Secure Hash Standard, FederalInformationProcessingStandardsPublication180-4,August,2015
[67] National Instituteof StandardsandTechnology,Recommendation for theTripleDataEncryptionAlgorithm(TDEA)BlockCipher,SpecialPublication800-67,May2004
[90A] NationalInstituteofStandardsandTechnology,RecommendationforRandomNumberGenerationUsingDeterministic RandomBit Generators, Special Publication 800-90A,June2015.
CopyrightJuniper,2017 Version1.10 Page30of30JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table18–AcronymsandDefinitions
Acronym DefinitionAES AdvancedEncryptionStandardDH Diffie-HellmanDSA DigitalSignatureAlgorithmECDH EllipticCurveDiffie-HellmanECDSA EllipticCurveDigitalSignatureAlgorithmEMC ElectromagneticCompatibilityESP EncapsulatingSecurityPayloadFIPS FederalInformationProcessingStandardHMAC Keyed-HashMessageAuthenticationCodeICV IntegrityCheckValue(i.e.Tag)IKE InternetKeyExchangeProtocolIOC Input/OutputCardIPsec InternetProtocolSecurityMD5 MessageDigest5NPC NetworkProcessingCardRE RoutingEngineRSA Public-keyencryptiontechnologydevelopedbyRSADataSecurity,Inc.SHA SecureHashAlgorithmsSPC ServicesProcessingCardSSH SecureShellTriple-DES Triple-DataEncryptionStandard
Table19–Datasheets
Model Title URL
SRX5400SRX5600SRX5800
SRXSeriesServiceGatewaysforserviceprovider,largeenterprise,andpublicsectornetworks.
http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000254-en.pdf