View
8
Download
0
Category
Preview:
Citation preview
CopyrightJuniper,2017 Version1.3 Page1of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
JuniperNetworksSRX5400,SRX5600,andSRX5800ServicesGatewayswithJunos15.1X49-D75
Non-ProprietaryFIPS140-2CryptographicModuleSecurityPolicy
Version:1.3Date:June29,2017
JuniperNetworks,Inc.1133InnovationWaySunnyvale,California94089USA408.745.20001.888JUNIPERwww.juniper.net
CopyrightJuniper,2017 Version1.3 Page2of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
TableofContents1 Introduction...................................................................................................................4
1.1 HardwareandPhysicalCryptographicBoundary.......................................................................61.2 ModeofOperation...................................................................................................................111.3 Zeroization................................................................................................................................11
2 CryptographicFunctionality..........................................................................................13
2.1 ApprovedAlgorithms................................................................................................................132.2 AllowedAlgorithms..................................................................................................................152.3 AllowedProtocols.....................................................................................................................162.4 DisallowedAlgorithms..............................................................................................................172.5 CriticalSecurityParameters.....................................................................................................17
3 Roles,AuthenticationandServices...............................................................................19
3.1 RolesandAuthenticationofOperatorstoRoles......................................................................193.2 AuthenticationMethods...........................................................................................................193.3 Services.....................................................................................................................................193.4 Non-ApprovedServices............................................................................................................21
4 Self-tests......................................................................................................................22
5 PhysicalSecurityPolicy.................................................................................................24
5.1 GeneralTamperSealPlacementandApplicationInstructions................................................245.2 SRX5400(13seals)....................................................................................................................245.3 SRX5600(18seals)....................................................................................................................255.4 SRX5800(24seals)....................................................................................................................27
6 SecurityRulesandGuidance.........................................................................................29
7 ReferencesandDefinitions...........................................................................................30
ListofTablesTable1–CryptographicModuleConfigurations.........................................................................................4Table2-SecurityLevelofSecurityRequirements.......................................................................................4Table3-PortsandInterfaces....................................................................................................................11Table4-DataPlaneApprovedCryptographicFunctions...........................................................................13Table5-ControlPlaneAuthentecApprovedCryptographicFunctions.....................................................13Table6–HMACDRBGApprovedCryptographicFunctions.......................................................................14Table7-OpenSSLApprovedCryptographicFunctions..............................................................................14Table8–OpenSSHApprovedCryptographicFunctions............................................................................15Table9–LibMDApprovedCryptographicFunctions.................................................................................15Table10–AllowedCryptographicFunctions.............................................................................................15Table11–ProtocolsAllowedinFIPSMode...............................................................................................16Table12–CriticalSecurityParameters(CSPs)...........................................................................................17
CopyrightJuniper,2017 Version1.3 Page3of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table13–PublicKeys................................................................................................................................18Table14–AuthenticatedServices.............................................................................................................19Table15–Unauthenticatedtraffic............................................................................................................20Table16–CSPAccessRightswithinServices.............................................................................................20Table17–AuthenticatedServices.............................................................................................................21Table18–Unauthenticatedtraffic............................................................................................................21Table19–PhysicalSecurityInspectionGuidelines....................................................................................24Table20–References................................................................................................................................30Table21–AcronymsandDefinitions.........................................................................................................31Table22–Datasheets................................................................................................................................31ListofFiguresFigure1–SRX5400FrontView....................................................................................................................6Figure2–SRX5400BottomView.................................................................................................................7Figure3–SRX5600ProfileView..................................................................................................................7Figure4–SRX5600RearView......................................................................................................................8Figure5–SRX5600LeftView.......................................................................................................................8Figure6–SRX5800TopView.......................................................................................................................9Figure7–SRX5800RearView....................................................................................................................10Figure8–SRX5800LeftView.....................................................................................................................10Figure9-SRX5400-Tamper-EvidentSealLocationsonFront-SixSeals....................................................25Figure10-SRX5400-Tamper-EvidentSealLocationsonRear-SevenSeals..............................................25Figure11-SRX5600-Tamper-EvidentSealLocationsonFront-11Seals...................................................26Figure12-SRX5600-Tamper-EvidentSealLocationsonRear-SevenSeals..............................................26Figure13-SRX5800-Tamper-EvidentSealLocationsonFront-19Seals..................................................27Figure14-SRX5800-Tamper-EvidentSealLocationsonRear-FiveSeals.................................................28
CopyrightJuniper,2017 Version1.3 Page4of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
1 IntroductionTheJuniperNetworksSRXSeriesServicesGatewaysareaseriesofsecureroutersthatprovideessentialcapabilities to connect, secure, andmanagework force locations sized fromhandfuls to hundreds ofusers.Byconsolidatingfast,highlyavailableswitching,routing,security,andapplicationscapabilitiesinasingledevice,enterprisescaneconomicallydelivernewservices,safeconnectivity,andasatisfyingenduser experience. All models run Juniper’s JUNOS firmware – in this case, a specific FIPS-compliantversion,whenconfigured inFIPS-MODEcalled JUNOS-FIPS-MODE,version15.1X49-D75.The firmwareimageisjunos-srx5000-15.1X49-D75.5-domestic.tgzandthefirmwareStatusserviceidentifiesitselfasinthe“Junos15.1X49-D75.5”.
This Security Policy covers the SRX5400, SRX5600, and SRX5800models. They aremeant for serviceproviders,largeenterprisenetworks,andpublic-sectornetworks.
Thecryptographicmodulesaredefinedasmultiple-chip standalonemodules thatexecute JUNOS-FIPSfirmwareonanyoftheJuniperNetworksSRX-Seriesgatewayslistedinthetablebelow.
Table1–CryptographicModuleConfigurations
ChassisPN
REPN SCBPN SPCPN IOCPN PowerPN
TamperSeals
SRX5400 SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-15-320 SRX-MIC-10XG-
SFPPACHCorDC
JNPR-FIPS-TAMPER-LBLS
SRX5600 SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-15-320 SRX-MIC-10XG-
SFPP
SRX5800 SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-15-320 SRX-MIC-10XG-
SFPP
ThemodulesaredesignedtomeetFIPS140-2Level2overall:
Table2-SecurityLevelofSecurityRequirements
Area Description Level1 ModuleSpecification 2
2 PortsandInterfaces 2
3 RolesandServices 3
4 FiniteStateModel 2
5 PhysicalSecurity 2
6 OperationalEnvironment N/A
7 KeyManagement 28 EMI/EMC 2
9 Self-test 2
10 DesignAssurance 3
11 MitigationofOtherAttacks N/A
Overall 2
CopyrightJuniper,2017 Version1.3 Page5of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Themoduleshavea limitedoperationalenvironmentaspertheFIPS140-2definitions.They includeafirmware load service to support necessary updates. New firmware versionswithin the scope of thisvalidation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into thesemodulesareoutofthescopeofthisvalidationandrequireaseparateFIPS140-2validation.
ThemodulesdonotimplementanymitigationofotherattacksasdefinedbyFIPS140-2.
CopyrightJuniper,2017 Version1.3 Page6of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
1.1 HardwareandPhysicalCryptographicBoundary
Thephysical formsof themodule’svariousmodelsaredepicted inFigures1-11below.Forallmodelsthecryptographicboundaryisdefinedastheouteredgeofthechassis.ThemodulesexcludethepowersupplyandfancomponentsfromtherequirementsofFIPS140-2.Thepowersuppliesandfansdonotcontainanysecurityrelevantcomponentsandcannotaffect thesecurityof themodule.Theexcludedcomponents are identified with red borders in the following figures. The module does not rely onexternaldevicesforinputandoutput.
Figure1–SRX5400FrontView
CopyrightJuniper,2017 Version1.3 Page7of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure2–SRX5400BottomView
Figure3–SRX5600ProfileView
CopyrightJuniper,2017 Version1.3 Page8of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure4–SRX5600RearView
Figure5–SRX5600LeftView
CopyrightJuniper,2017 Version1.3 Page9of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure6–SRX5800TopView
CopyrightJuniper,2017 Version1.3 Page10of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure7–SRX5800RearView
Figure8–SRX5800LeftView
CopyrightJuniper,2017 Version1.3 Page11of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table3-PortsandInterfaces
Port Description LogicalInterfaceTypeEthernet LANCommunications Controlin,Datain,Dataout,StatusoutSerial Consoleserialport Controlin,StatusoutPower Powerconnector PowerReset Reset ControlinLED Statusindicatorlighting StatusoutUSB Firmwareloadport Controlin,DatainWAN SHDSL,VDSL,T1,E1 Controlin,Datain,Dataout,Statusout
1.2 ModeofOperation
FollowtheinstructionsinSection5toapplythetampersealstothemodule.Oncethetampersealshavebeen applied as shown in this document, the JUNOS firmware image is installed on the device, andconfigured in FIPS-MODE and rebooted, and integrity and self-tests have run successfully on initialpower-oninFIPS-MODE,themoduleisoperatingintheapprovedmode.TheCrypto-OfficermustensurethatthebackupimageofthefirmwareisalsoaJUNOS-FIPS-MODEimagebyissuingtherequestsystemsnapshotcommand.
If themodule was previously in a non-Approvedmode of operation, the Cryptographic OfficermustzeroizetheCSPsbyfollowingtheinstructionsinSection1.3.
Then,theCOmustrunthefollowingcommandstoconfigureSSHtouseFIPSapprovedandFIPSallowedalgorithms:co@fips-srx# set system fips level 2
co@fips-srx:fips# commit
ForeachIPsectunnelconfigured,theCOmustrunthefollowingcommandtoconfigurethealgorithms:co@fips-srx:fips# set security ike gateway <name> version v2-only
<name> - the user configured name for the IKE gateway
co@fips-srx:fips# commit
The“showversion”commandwillindicateifthemoduleisoperatinginFIPSmode(e.g.JUNOSSoftwareRelease[15.1X49-D75]and“:fips”keywordasaprefixnexttohostnameinCLImode).Alsorun“show security ike” and “show security ipsec” to verify IKEv2 is configured when ipsec or ikeproposalencryptionalgorithmisconfiguredtouseAES-GCM.
1.3 Zeroization
The cryptographic module provides a non-Approved mode of operation in which non-approvedcryptographic algorithms are supported. When transitioning between the non-Approved mode of
CopyrightJuniper,2017 Version1.3 Page12of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
operation and the Approved mode of operation, the Cryptographic Officer must run the followingcommandtozeroizetheApprovedmodeCSPs:co@fips-srx> request system zeroize
Note:TheCryptographicOfficermustretaincontrolofthemodulewhilezeroizationisinprocess.
CopyrightJuniper,2017 Version1.3 Page13of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
2 CryptographicFunctionality2.1 ApprovedAlgorithms
The module implements the FIPS Approved and Non-Approved but Allowed cryptographic functionslisted in the Tables 4 to 6 below. Table 8 summarizes the high level protocol algorithm support. Themoduledoesnotimplementalgorithmsthatrequirevendoraffirmation.
Referencestostandardsaregiveninsquarebracket[];seetheReferencestable.Itemsenclosedincurlybrackets{}areCAVPtestedbutnotusedbythemoduleintheApprovedmode.
Table4-DataPlaneApprovedCryptographicFunctions
CAVPCert. Algorithm Mode Description Functions
4395 AES[197]CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt
GCM[38D] KeySizes:128,192,256 Encrypt,Decrypt,MessageAuthentication
2921 HMAC[198]SHA-1 λ=96
MessageAuthenticationSHA-256 λ=128
3623 SHS[180] SHA-1SHA-256 MessageDigestGeneration
2370 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
Table5-ControlPlaneAuthentecApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions
4393 AES[197]CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt
GCM[38D] KeySizes:128,256 Encrypt,Decrypt,MessageAuthentication
N/A1 CKG[133]Section6.2 Asymmetrickeygenerationusing
unmodifiedDRBGoutput[133]Section7.3 Derivationofsymmetrickeys
1095 CVLIKEv1[135] SHA256,384
KeyDerivationIKEv2[135] SHA256,384
1053 ECDSA[186] P-256(SHA256)P-384(SHA384)
KeyGenforECDiffie-Hellman,SigGen,SigVer
1172 DSA[186] (L=2048,N=224)(L=2048,N=256) KeyGenforDiffie-Hellman
2919 HMAC[198]SHA-256 λ=128,256 MessageAuthentication,KDF
Primitive,DRBGPrimitive
SHA-384 λ=192,384 MessageAuthentication,KDFPrimitive
1VendorAffirmed.
CopyrightJuniper,2017 Version1.3 Page14of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
N/A KTS
AESCert.#4393andHMACCert.#2919keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength
Triple-DESCert.#2368andHMACCert.#2919
keyestablishmentmethodologyprovides112bitsofencryptionstrength
2383 RSA[186] PKCS1_V1_5 n=2048(SHA256)n=4096(SHA256) SigGen,SigVer2
3621 SHS[180] SHA-256SHA-384 MessageDigestGeneration
2368 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
Table6–HMACDRBGApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions
1423 DRBG[90A] HMAC SHA-256 ControlPlaneRandomBitGeneration
1415 DRBG[90A] HMAC SHA-256 OpenSSLRandomBitGeneration
Table7-OpenSSLApprovedCryptographicFunctions
CAVPCert. Algorithm Mode Description Functions
4394 AES[197] CBC[38A]CTR[38A] KeySizes:128,192,256 Encrypt,Decrypt
N/A3 CKG [133]Section6.1[133]Section6.2
AsymmetrickeygenerationusingunmodifiedDRBGoutput
1173 DSA[186] (2048,224)(2048,256) KeyGen
1054 ECDSA[186] P-256(SHA256)P-384(SHA384) SigGen,KeyGen,SigVer
2920 HMAC[198]
SHA-1 λ=160MessageAuthentication{SHA-384} N/A
SHA-512 λ=512
SHA-256 λ=256 MessageAuthentication,DRBGPrimitive
N/A KTS AESCert.#4394andHMACCert.#2920keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength
2 RSA 4096 SigVerwas not tested by the CAVP; however, it is Approved for use per CMVP guidance,becauseRSA2048SigVerwastestedandtestingforRSA4096SigVerisnotavailable.3VendorAffirmed.
CopyrightJuniper,2017 Version1.3 Page15of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Triple-DESCert.#2369andHMACCert.#2920
keyestablishmentmethodologyprovides112bitsofencryptionstrength
2377 RSA[186]PKCS1_V1_5 n=2048(SHA256)
n=4096(SHA256)
SigGen,SigVer4
X9.31 KeyGen5
3622 SHS[180]
SHA-1SHA-256SHA-384
MessageDigestGeneration,KDFPrimitive
SHA-512 MessageDigestGeneration
2369 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
Table8–OpenSSHApprovedCryptographicFunctions
Cert Algorithm Mode Description FunctionsN/A6 CKG [133]Section7.3 Derivationofsymmetrickeys1096 CVL SSH[135] SHA1,256,384 KeyDerivation
Table9–LibMDApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions
3624 SHS[180] SHA-256SHA-512 MessageDigestGeneration
2.2 AllowedAlgorithms
Table10–AllowedCryptographicFunctions
Algorithm Caveat Use
Diffie-Hellman[IG]D.8 Provides112bitsofencryptionstrength. keyagreement;keyestablishment
EllipticCurveDiffie-Hellman[IG]D.8
Provides 128 or 192 bits of encryptionstrength. keyagreement;keyestablishment
NDRNG[IG]7.14Scenario1a
The module generates a minimum of256bitsofentropyforkeygeneration. SeedingtheDBRG
4 RSA 4096 SigVerwas not tested by the CAVP; however, it is Approved for use per CMVP guidance,becauseRSA2048SigVerwastestedandtestingforRSA4096SigVerisnotavailable.5RSA4096KeyGenwasnot testedby theCAVP;however, it isApproved foruseperCMVPguidance,becauseRSA2048KeyGenwastestedandtestingforRSA4096KeyGenisnotavailable.6VendorAffirmed.
CopyrightJuniper,2017 Version1.3 Page16of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
2.3 AllowedProtocols
Table11–ProtocolsAllowedinFIPSMode
Protocol KeyExchange Auth Cipher Integrity
IKEv1 Diffie-Hellman(L=2048,N=224,256)ECDiffie-HellmanP-256,P-384
RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384
Triple-DESCBCAESCBC128/192/256
HMAC-SHA-256HMAC-SHA-384
IKEv27 Diffie-Hellman(L=2048,N=224,256)ECDiffie-HellmanP-256,P-384
RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384
Triple-DESCBCAESCBC128/192/256AESGCM8128/256
HMAC-SHA-256HMAC-SHA-384
IPsecESP
IKEv1withoptional:• Diffie-Hellman(L=2048,N=224,
256)• ECDiffie-HellmanP-256,P-384
IKEv13KeyTriple-DESCBCAESCBC128/192/256 HMAC-SHA-
1-96HMAC-SHA-256-128
IKEv2withoptional:• Diffie-Hellman(L=2048,N=224),
(2048,256)• ECDiffie-HellmanP-256,P-384
IKEv2
3KeyTriple-DESCBCAESCBC128/192/256AESGCM9128/192/256
SSHv2Diffie-Hellman(L=2048,N=256)ECDiffie-HellmanP-256,P-384
ECDSAP-256
Triple-DESCBCAESCBC128/192/256AESCTR128/192/256
HMAC-SHA-1HMAC-SHA-256HMAC-SHA-512
TheseprotocolshavenotbeenreviewedortestedbytheCAVPorCMVP.
The IKE and SSH algorithms allow independent selection of key exchange, authentication, cipher andintegrity.InTable8above,eachcolumnofoptionsforagivenprotocolisindependent,andmaybeusedin any viable combination. These security functions are also available in the SSH connect (non-compliant)service.
7IKEv2generatestheSKEYSEEDaccordingtoRFC7296.8TheGCMIVisgeneratedaccordingtoRFC5282.9TheGCMIVisgeneratedaccordingtoRFC4106.
CopyrightJuniper,2017 Version1.3 Page17of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
2.4 DisallowedAlgorithms
These algorithms are non-Approved algorithms that are disabledwhen themodule is operated in anApprovedmodeofoperation.
• ARCFOUR• Blowfish• CAST• DSA(SigGen,SigVer;non-compliant)• HMAC-MD5• HMAC-RIPEMD160• UMAC
2.5 CriticalSecurityParameters
AllCSPsandpublickeysusedbythemodulearedescribedinthissection.
Table12–CriticalSecurityParameters(CSPs)
Name Descriptionandusage CKGDRBG_Seed SeedmaterialusedtoseedorreseedtheDRBG N/ADRBG_State VandKeyvaluesfortheHMAC_DRBG N/A
SSHPHK SSHPrivatehostkey.1sttimeSSHisconfigured,thekeysaregenerated.ECDSAP-256.Usedtoidentifythehost. [133]Section6.1
SSHDH
SSHDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinSSH.Diffie-Hellman(N=256bit,320bit,384bit,512bit,or1024bit10),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
SSH-SEK SSHSessionKey;SessionkeysusedwithSSH.Triple-DES(3key),AES,HMAC. [133]Section7.3
ESP-SEK IPSecESPSessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3IKE-PSK Pre-SharedKeyusedtoauthenticateIKEconnections. N/A
IKE-Priv IKEPrivateKey.RSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1
IKE-SKEYID IKESKEYID.IKEsecretusedtoderiveIKEandIPsecESPsessionkeys. [133]Section7.3
IKE-SEK IKESessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3
IKE-DH-PRIIKEDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinIKE.DHN=224bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
CO-PW ASCIITextusedtoauthenticatetheCO. N/AUser-PW ASCIITextusedtoauthenticatetheUser. N/A
10SSHgeneratesaDiffie-Hellmanprivatekeythatis2xthebitlengthofthelongestsymmetricorMACkeynegotiated.
CopyrightJuniper,2017 Version1.3 Page18of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table13–PublicKeys
Name Descriptionandusage CKGSSH-PUB SSHPublicHostKeyusedtoidentifythehost.ECDSAP-256. [133]Section6.1
SSH-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinSSHkeyestablishment.Diffie-Hellman(L=2048bit),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
IKE-PUB IKEPublicKeyRSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1
IKE-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinIKEkeyestablishment.Diffie-HellmanL=2048bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
Auth-UPub UserAuthenticationPublicKeys.Usedtoauthenticateuserstothemodule.ECDSAP256orP-384 N/A
Auth-COPub COAuthenticationPublicKeys.UsedtoauthenticateCOtothemodule.ECDSAP256orP-384 N/A
Root-CA JuniperRootCA.ECDSAP-256orP-384X.509Certificate;UsedtoverifythevalidityoftheJuniperPackage-CAatsoftwareload. N/A
Package-CA PackageCA.ECDSAP-256X.509Certificate;UsedtoverifythevalidityofJuniperImagesatsoftwareloadandboot. N/A
CopyrightJuniper,2017 Version1.3 Page19of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
3 Roles,AuthenticationandServices3.1 RolesandAuthenticationofOperatorstoRoles
Themodulesupportstworoles:CryptographicOfficer(CO)andUser.Themodulesupportsconcurrentoperators,butdoesnotsupportamaintenanceroleand/orbypasscapability.Themoduleenforcestheseparationofrolesusingeitheridentity-basedoperatorauthentication.
TheCryptographicOfficerroleconfiguresandmonitorsthemoduleviaaconsoleorSSHconnection.Asrootorsuper-user,theCryptographicOfficerhaspermissiontoviewandeditsecretswithinthemodule
The User role monitors the router via the console or SSH. The user role may not change theconfiguration.
3.2 AuthenticationMethods
ThemoduleimplementstwoformsofIdentity-Basedauthentication,UsernameandpasswordovertheConsoleandSSHaswellasUsernameandpublickeyoverSSH.
Passwordauthentication:Themoduleenforces10-characterpasswords(atminimum)chosenfromthe96humanreadableASCIIcharacters.Themaximumpasswordlengthis20-characters.
Themoduleenforcesatimedaccessmechanismasfollows:Forthefirsttwofailedattempts(assuming0timetoprocess),notimedaccessisenforced.Uponthethirdattempt,themoduleenforcesa5-seconddelay.Eachfailedattemptthereafterresultsinanadditional5-seconddelayabovetheprevious(e.g.4thfailedattempt=10-seconddelay,5th failedattempt=15-seconddelay,6th failedattempt=20-seconddelay,7thfailedattempt=25-seconddelay).
Thisleadstoamaximumofseven(7)possibleattemptsinaone-minuteperiodforeachgetty.Thebestapproachfortheattackerwouldbetodisconnectafter4failedattempts,andwaitforanewgettytobespawned.Thiswouldallowtheattackertoperformroughly9.6attemptsperminute(576attemptsperhour/60mins); this would be rounded down to 9 perminute, because there is no such thing as 0.6attempts.Thustheprobabilityofasuccessfulrandomattemptis1/9610,whichislessthan1/1million.Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis9/(9610),whichislessthan1/100,000.
ECDSAsignatureverification:SSHpublic-keyauthentication.Processingconstraintsallowforamaximumof5.6e7ECDSAattemptsperminute.ThemodulesupportsECDSA(P-256andP-384).Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis5.6e7/(2128).
3.3 Services
Allservicesimplementedbythemodulearelistedinthetablesbelow.Table16liststheaccesstoCSPsbyeachservice.
Table14–AuthenticatedServices
Service Description CO UserConfiguresecurity Securityrelevantconfiguration x
Configure Non-securityrelevantconfiguration x SecureTraffic IPsecprotectedconnection(ESP) x Status Showstatus x x
CopyrightJuniper,2017 Version1.3 Page20of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Zeroize DestroyallCSPs x
SSHconnect InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x
IPsecconnect InitiateIPsecconnection(IKE) x Consoleaccess Consolemonitoringandcontrol(CLI) x xRemotereset Softwareinitiatedreset x
Table15–Unauthenticatedtraffic
Service DescriptionLocalreset HardwareresetorpowercycleTraffic Trafficrequiringnocryptographicservices
Table16–CSPAccessRightswithinServices
Service
CSPs
DRBG
_Seed
DRBG
_State
SSHPH
K
SSHDH
SSH-SEK
ESP-SEK
IKE-PSK
IKE-Priv
IKE-SKEYID
IKE-SEK
IKE-DH
-PRI
CO-PW
User-PW
Configuresecurity -- E GWR -- -- -- WR GWR -- -- -- W W
Configure -- -- -- -- -- -- -- -- -- -- -- -- --Securetraffic -- -- -- -- -- E -- -- -- E -- -- --
Status -- -- -- -- -- -- -- -- -- -- -- -- --
Zeroize -- Z Z -- -- -- Z Z -- -- -- Z Z
SSHconnect -- E E GE GE -- -- -- -- -- -- E EIPsecconnect -- E -- -- -- G E E GE G GE -- --
Consoleaccess -- -- -- -- -- -- -- -- -- -- -- E E
Remotereset GZE GZ -- Z Z Z -- -- Z Z Z Z Z
Localreset GZE GZ -- Z Z Z -- -- Z Z Z Z Z
Traffic -- -- -- -- -- -- -- -- -- -- -- -- --G=Generate:ThemodulegeneratestheCSPR=Read:TheCSPisreadfromthemodule(e.g.theCSPisoutput)E=Execute:ThemoduleexecutesusingtheCSPW=Write:TheCSPiswrittentopersistentstorageinthemoduleZ=Zeroize:ThemodulezeroizestheCSP.
CopyrightJuniper,2017 Version1.3 Page21of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
3.4 Non-ApprovedServices
Thefollowingservicesareavailableinthenon-Approvedmodeofoperation.Thesecurityfunctionsprovidedbythenon-ApprovedservicesareidenticaltotheApprovedcounterpartswiththeexceptionofSSHConnect(non-compliant).SSHConnect(non-compliant)supportsthesecurityfunctionsidentifiedinSection2.4andtheSSHv2rowofTable11.
Table17–AuthenticatedServices
Service Description CO UserConfiguresecurity(non-compliant) Securityrelevantconfiguration x
Configure(non-compliant) Non-securityrelevantconfiguration x
SecureTraffic(non-compliant) IPsecprotectedconnection(ESP) x
Status(non-compliant) Showstatus x xZeroize(non-compliant) DestroyallCSPs x SSHconnect(non-compliant)
InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x
IPsecconnect(non-compliant) InitiateIPsecconnection(IKE) x
Consoleaccess(non-compliant) Consolemonitoringandcontrol(CLI) x x
Remotereset(non-compliant) Softwareinitiatedreset x
Table18–Unauthenticatedtraffic
Service DescriptionLocalreset(non-compliant) Hardwareresetorpowercycle
Traffic(non-compliant) Trafficrequiringnocryptographicservices
CopyrightJuniper,2017 Version1.3 Page22of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
4 Self-testsEachtimethemoduleispoweredupitteststhatthecryptographicalgorithmsstilloperatecorrectlyandthat sensitive data have not been damaged. Power-up self-tests are available on demand by powercyclingthemodule.
Onpower-uporreset,themoduleperformstheself-testsdescribedbelow.AllKATsmustbecompletedsuccessfullypriortoanyotheruseofcryptographybythemodule.IfoneoftheKATsfails,themoduleenterstheCriticalFailureerrorstate.
Themoduleperformsthefollowingpower-upself-tests:
• FirmwareIntegritycheckusingECDSAP-256withSHA-256• DataPlaneKATs
o AES-CBCEncryptKATo AES-CBCDecryptKATo AES-GCMEncryptKATo AES-GCMDecryptKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA-256KAT
• OpenSSLKATso SP800-90AHMACDRBGKAT
§ Health-testsinitialize,re-seed,andgenerate.o ECDSAP-256Sign/VerifyPCTo ECDiffie-HellmanP-256KAT
§ Derivationoftheexpectedsharedsecret.o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA2-256KATo HMAC-SHA2-384KATo HMAC-SHA2-512KATo AES-CBCEncryptKATo AES-CBCDecryptKAT
• OpenSSHKATo KDF-SSH-SHA256KAT
• HMACDRBGKATo HMACDRBGKAT(Certs.#1423)
§ Health-testsinitialize,re-seed,andgenerate.o HMACDRBGKAT(Certs.#1415)
§ Health-testsinitialize,re-seed,andgenerate.• ControlPlaneAuthentecKATs
o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo ECDSAP-256w/SHA-256Sign/VerifyPCT
CopyrightJuniper,2017 Version1.3 Page23of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
o Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-256KATo HMAC-SHA-384KATo AES-CBCEncryptKATo AES-CBCDecryptKATo AES-GCMEncryptKATo AES-GCMDecryptKATo KDF-IKE-V1KATo KDF-IKE-V2KAT
• LibmdKATso HMAC-SHA2-256KATo SHA-2-512KAT
• CriticalFunctionTesto Thecryptographicmoduleperformsaverificationofalimitedoperationalenvironment,
andverificationofoptionalnon-criticalpackages.
Upon successful completion of the self-tests, themodule outputs “FIPS self-tests completed.” to thelocalconsole.
Ifaself-testfails,themoduleoutputs“<self-testname>:Failed”tothelocalconsoleandautomaticallyreboots.
Themodulealsoperformsthefollowingconditionalself-tests:
• ContinuousRNGTestontheSP800-90AHMAC-DRBG• ContinuousRNGtestontheNDRNG• PairwiseconsistencytestwhengeneratingECDSAandRSAkeypairs.• FirmwareLoadTest(ECDSAsignatureverification)
CopyrightJuniper,2017 Version1.3 Page24of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
5 PhysicalSecurityPolicyThemodulesphysicalembodimentisthatofamulti-chipstandalonedevicethatmeetsLevel2PhysicalSecurityrequirements.Themodule iscompletelyenclosed inarectangularnickelorclearzinccoated,cold rolled steel, plated steel andbrushed aluminumenclosure. There are no ventilationholes, gaps,slits,cracks,slots,orcrevicesthatwouldallowforanysortofobservationofanycomponentcontainedwithinthecryptographicboundary.Tamper-evidentsealsallowtheoperatortotelliftheenclosurehasbeenbreached.Thesesealsarenotfactory-installedandmustbeappliedbytheCryptographicOfficer.(Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) The tamper-evidentsealsshallbeinstalledforthemoduletooperateinaFIPSmodeofoperation.
TheCryptographicOfficerisresponsibleforsecuringandhavingcontrolatalltimesofanyunusedsealsandthedirectcontrolandobservationofanychangestothemodulesuchasreconfigurationswherethetamper-evident seals or security appliances are removed or installed to ensure the security of themoduleismaintainedduringsuchchangesandthemoduleisreturnedtoaFIPSApprovedstate.
Table19–PhysicalSecurityInspectionGuidelines
PhysicalSecurityMechanism
RecommendedFrequencyofInspection/Test
Inspection/TestGuidanceDetails
Tamperseals,opaquemetalenclosure.
OncepermonthbytheCryptographicOfficer.
Sealsshouldbefreeofanytamperevidence.
If the CryptographicOfficer observes tamper evidence, it shall be assumed that the device has beencompromised.TheCryptographicOfficershallretaincontrolofthemoduleandperformZeroizationofthemodule'sCSPsbyfollowingthestepsinSection1.3oftheSecurityPolicy.
5.1 GeneralTamperSealPlacementandApplicationInstructions
Forallsealapplications,theCryptographicOfficershouldobservethefollowinginstructions:
• Handlethesealswithcare.Donottouchtheadhesiveside.• Beforeapplyingaseal,ensurethelocationofapplicationisclean,dry,andclearofanyresidue.• Placethesealonthemodule,applyingfirmpressureacrossittoensureadhesion.Allowatleast
1hourfortheadhesivetocure.
5.2 SRX5400(13seals)
Tamper-evidentsealsshallbeappliedtothefollowinglocations:
• FrontPane:o Twoseals,vertical,connectedtothetopmost(non-honeycomb)sub-pane.Theyextend
tothethinpanebelowandthehoneycombpanelabove.o Oneseal,vertical,acrossthethinpane.Extendstotheblankpanebelowandthesub-
paneabove.o Threeseals,vertical,oneoneach“long”horizontalsub-pane.Eachattachestothesub-
paneaboveandtheonebelow(orthechassis,ifit’sthebottommostsub-pane).Ensureoneofthesealsextendstotheleftsub-panebelowthethinsub-pane.
• BackPane:o Four seals, vertical: one on each of the top four sub-panes, extending to the large
chassisplatebelow.o Oneseal,vertical:onthehorizontalscrewed-inplaterestingonthelargecentralchassis.
Shouldextendtothechassisinbothdirections.
CopyrightJuniper,2017 Version1.3 Page25of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
o Twoseals,horizontal:placedonthelowsidesub-panes,extendingtothelargecentralchassisareaandwrappingaroundtotheneighboringsidepanes.
Figure9-SRX5400-Tamper-EvidentSealLocationsonFront-SixSeals
Figure10-SRX5400-Tamper-EvidentSealLocationsonRear-SevenSeals
5.3 SRX5600(18seals)
Tamper-evidentsealsmustbeappliedtothefollowinglocations:
• FrontPane:o Elevenseals,vertical:oneforeachhorizontalsub-pane(excludingthehoneycombplate
onthetopandthethinsub-panealittlebelow),asecondforthetop(non-honeycomb)sub-pane, and an extra for the bottom. The seals should attach to vertically adjacentsub-panes. The extra on the bottom attaches to the lowermost sub-pane and wraps
CopyrightJuniper,2017 Version1.3 Page26of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
aroundattachingtothebottompane.Itshouldbeensuredthatoneofthesealsspansacrossthethinplatewithampleextradistanceoneachside.
• BackPane:o Fiveseals,vertical:oneoneachoftheupperfoursub-panes,attachingtothelargeplate
below.o Twoseals,horizontal:oneoneachoftheverticalsidesub-panes,extendingtoboththe
largecentralplateandthesidepanes.
Figure11-SRX5600-Tamper-EvidentSealLocationsonFront-11Seals
Figure12-SRX5600-Tamper-EvidentSealLocationsonRear-SevenSeals
CopyrightJuniper,2017 Version1.3 Page27of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
5.4 SRX5800(24seals)
Tamper-evidentsealsshallbeappliedtothefollowinglocations:
• FrontPane:o Fourteenseals,horizontal:oneoneachofthelongverticalsub-panes,extendingtothe
neighboringtwo.Ifonanendsub-pane,sealshouldwraparoundtotheside.o Threeseals,vertical:Oneovereachofthethinpanes–twonearthebottom,onenear
thetopofthelowerhalf.o Twoseals,vertical:bothontheconsoleareaatthetopofthemodule,oneextendingto
thetopandtheotherextendingtothechassisareabelow.• BackPane:
o Five seals, horizontal: Three spanning the gaps between the vertical sub-panels, andthentwomore,oneeachonthefaredgesoftheleftandrightpanels.(Theselasttwoshouldwraparoundtothesides.)
Figure13-SRX5800-Tamper-EvidentSealLocationsonFront-19Seals
CopyrightJuniper,2017 Version1.3 Page28of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Figure14-SRX5800-Tamper-EvidentSealLocationsonRear-FiveSeals
CopyrightJuniper,2017 Version1.3 Page29of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
6 SecurityRulesandGuidanceThemoduledesigncorresponds to thesecurity rulesbelow.Thetermmust in thiscontextspecificallyrefers to a requirement for correctusageof themodule in theApprovedmode; all other statementsindicateasecurityruleimplementedbythemodule.
1. Themoduleclearspreviousauthenticationsonpowercycle.2. When themodule has not beenplaced in a valid role, the operator does not have access to any
cryptographicservices.3. Powerupself-testsdonotrequireanyoperatoraction.4. Dataoutputisinhibitedduringkeygeneration,self-tests,zeroization,anderrorstates.5. Status information does not contain CSPs or sensitive data that if misused could lead to a
compromiseofthemodule.6. TherearenorestrictionsonwhichkeysorCSPsarezeroizedbythezeroizationservice.7. Themoduledoesnotsupportamaintenanceinterfaceorrole.8. Themoduledoesnotsupportmanualkeyentry.9. Themoduledoesnotoutputintermediatekeyvalues.10. Themodulerequiresto independent internalactionstobeperformedpriortooutputingplaintext
CSPs.11. The cryptographic officer must determine whether firmware being loaded is a legacy use of the
firmwareloadservice.12. Thecryptographicofficermustretaincontrolofthemodulewhilezeroizationisinprocess.
CopyrightJuniper,2017 Version1.3 Page30of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
7 ReferencesandDefinitionsThefollowingstandardsarereferencedinthisSecurityPolicy.
Table20–References
Abbreviation FullSpecificationName
[FIPS140-2] SecurityRequirementsforCryptographicModules,May25,2001
[SP800-131A] Transitions: Recommendation for Transitioning the Use of Cryptographic AlgorithmsandKeyLengths,January2011
[IG] ImplementationGuidanceforFIPSPUB140-2andtheCryptographicModuleValidationProgram
[133] NISTSpecialPublication800-133,RecommendationforCryptographicKeyGeneration,December2012
[135] National Institute of Standards and Technology, Recommendation for ExistingApplication-Specific Key Derivation Functions, Special Publication 800-135rev1,December2011.
[186] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-4,July,2013.
[197] National InstituteofStandardsandTechnology,AdvancedEncryptionStandard(AES),FederalInformationProcessingStandardsPublication197,November26,2001
[38A] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation,MethodsandTechniques,SpecialPublication800-38A,December2001
[38D] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation:Galois/CounterMode(GCM)andGMAC,SpecialPublication800-38D,November2007
[198] National Institute of Standards and Technology, The Keyed-Hash MessageAuthentication Code (HMAC), Federal Information Processing Standards Publication198-1,July,2008
[180] National Institute of Standards and Technology, Secure Hash Standard, FederalInformationProcessingStandardsPublication180-4,August,2015
[67] National Instituteof StandardsandTechnology,Recommendation for theTripleDataEncryptionAlgorithm(TDEA)BlockCipher,SpecialPublication800-67,May2004
[90A] NationalInstituteofStandardsandTechnology,RecommendationforRandomNumberGenerationUsingDeterministicRandomBitGenerators, Special Publication800-90A,June2015.
CopyrightJuniper,2017 Version1.3 Page31of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).
Table21–AcronymsandDefinitions
Acronym DefinitionAES AdvancedEncryptionStandardDH Diffie-HellmanDSA DigitalSignatureAlgorithmECDH EllipticCurveDiffie-HellmanECDSA EllipticCurveDigitalSignatureAlgorithmEMC ElectromagneticCompatibilityESP EncapsulatingSecurityPayloadFIPS FederalInformationProcessingStandardHMAC Keyed-HashMessageAuthenticationCodeICV IntegrityCheckValue(i.e.Tag)IKE InternetKeyExchangeProtocolIOC Input/OutputCardIPsec InternetProtocolSecurityMD5 MessageDigest5NPC NetworkProcessingCardRE RoutingEngineRSA Public-keyencryptiontechnologydevelopedbyRSADataSecurity,Inc.SHA SecureHashAlgorithmsSCB SwitchControlBoardSPC ServicesProcessingCardSSH SecureShellTriple-DES Triple-DataEncryptionStandard
Table22–Datasheets
Model Title URL
SRX5400SRX5600SRX5800
SRXSeriesServiceGatewaysforserviceprovider,largeenterprise,andpublicsectornetworks.
http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000254-en.pdf
Recommended