of 31/31
Copyright Juniper, 2017 Version 1.3 Page 1 of 31 Juniper Networks Public Material – May be reproduced only in its original entirety (without revision). Juniper Networks SRX5400, SRX5600, and SRX5800 Services Gateways with Junos 15.1X49-D75 Non-Proprietary FIPS 140-2 Cryptographic Module Security Policy Version: 1.3 Date: June 29, 2017 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net

Juniper Networks SRX5400, SRX5600, and SRX5800 ......the “Junos 15.1X49-D75.5”. This Security Policy covers the SRX5400, SRX5600, and SRX5800 models. They are meant for service

  • View
    1

  • Download
    0

Embed Size (px)

Text of Juniper Networks SRX5400, SRX5600, and SRX5800 ......the “Junos 15.1X49-D75.5”. This Security...

  • CopyrightJuniper,2017 Version1.3 Page1of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    JuniperNetworksSRX5400,SRX5600,andSRX5800ServicesGatewayswithJunos15.1X49-D75

    Non-ProprietaryFIPS140-2CryptographicModuleSecurityPolicy

    Version:1.3Date:June29,2017

    JuniperNetworks,Inc.1133InnovationWaySunnyvale,California94089USA408.745.20001.888JUNIPERwww.juniper.net

  • CopyrightJuniper,2017 Version1.3 Page2of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    TableofContents1 Introduction...................................................................................................................4

    1.1 HardwareandPhysicalCryptographicBoundary.......................................................................61.2 ModeofOperation...................................................................................................................111.3 Zeroization................................................................................................................................11

    2 CryptographicFunctionality..........................................................................................13

    2.1 ApprovedAlgorithms................................................................................................................132.2 AllowedAlgorithms..................................................................................................................152.3 AllowedProtocols.....................................................................................................................162.4 DisallowedAlgorithms..............................................................................................................172.5 CriticalSecurityParameters.....................................................................................................17

    3 Roles,AuthenticationandServices...............................................................................19

    3.1 RolesandAuthenticationofOperatorstoRoles......................................................................193.2 AuthenticationMethods...........................................................................................................193.3 Services.....................................................................................................................................193.4 Non-ApprovedServices............................................................................................................21

    4 Self-tests......................................................................................................................22

    5 PhysicalSecurityPolicy.................................................................................................24

    5.1 GeneralTamperSealPlacementandApplicationInstructions................................................245.2 SRX5400(13seals)....................................................................................................................245.3 SRX5600(18seals)....................................................................................................................255.4 SRX5800(24seals)....................................................................................................................27

    6 SecurityRulesandGuidance.........................................................................................29

    7 ReferencesandDefinitions...........................................................................................30

    ListofTablesTable1–CryptographicModuleConfigurations.........................................................................................4Table2-SecurityLevelofSecurityRequirements.......................................................................................4Table3-PortsandInterfaces....................................................................................................................11Table4-DataPlaneApprovedCryptographicFunctions...........................................................................13Table5-ControlPlaneAuthentecApprovedCryptographicFunctions.....................................................13Table6–HMACDRBGApprovedCryptographicFunctions.......................................................................14Table7-OpenSSLApprovedCryptographicFunctions..............................................................................14Table8–OpenSSHApprovedCryptographicFunctions............................................................................15Table9–LibMDApprovedCryptographicFunctions.................................................................................15Table10–AllowedCryptographicFunctions.............................................................................................15Table11–ProtocolsAllowedinFIPSMode...............................................................................................16Table12–CriticalSecurityParameters(CSPs)...........................................................................................17

  • CopyrightJuniper,2017 Version1.3 Page3of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Table13–PublicKeys................................................................................................................................18Table14–AuthenticatedServices.............................................................................................................19Table15–Unauthenticatedtraffic............................................................................................................20Table16–CSPAccessRightswithinServices.............................................................................................20Table17–AuthenticatedServices.............................................................................................................21Table18–Unauthenticatedtraffic............................................................................................................21Table19–PhysicalSecurityInspectionGuidelines....................................................................................24Table20–References................................................................................................................................30Table21–AcronymsandDefinitions.........................................................................................................31Table22–Datasheets................................................................................................................................31ListofFiguresFigure1–SRX5400FrontView....................................................................................................................6Figure2–SRX5400BottomView.................................................................................................................7Figure3–SRX5600ProfileView..................................................................................................................7Figure4–SRX5600RearView......................................................................................................................8Figure5–SRX5600LeftView.......................................................................................................................8Figure6–SRX5800TopView.......................................................................................................................9Figure7–SRX5800RearView....................................................................................................................10Figure8–SRX5800LeftView.....................................................................................................................10Figure9-SRX5400-Tamper-EvidentSealLocationsonFront-SixSeals....................................................25Figure10-SRX5400-Tamper-EvidentSealLocationsonRear-SevenSeals..............................................25Figure11-SRX5600-Tamper-EvidentSealLocationsonFront-11Seals...................................................26Figure12-SRX5600-Tamper-EvidentSealLocationsonRear-SevenSeals..............................................26Figure13-SRX5800-Tamper-EvidentSealLocationsonFront-19Seals..................................................27Figure14-SRX5800-Tamper-EvidentSealLocationsonRear-FiveSeals.................................................28

  • CopyrightJuniper,2017 Version1.3 Page4of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    1 IntroductionTheJuniperNetworksSRXSeriesServicesGatewaysareaseriesofsecureroutersthatprovideessentialcapabilities to connect, secure, andmanagework force locations sized fromhandfuls to hundreds ofusers.Byconsolidatingfast,highlyavailableswitching,routing,security,andapplicationscapabilitiesinasingledevice,enterprisescaneconomicallydelivernewservices,safeconnectivity,andasatisfyingenduser experience. All models run Juniper’s JUNOS firmware – in this case, a specific FIPS-compliantversion,whenconfigured inFIPS-MODEcalled JUNOS-FIPS-MODE,version15.1X49-D75.The firmwareimageisjunos-srx5000-15.1X49-D75.5-domestic.tgzandthefirmwareStatusserviceidentifiesitselfasinthe“Junos15.1X49-D75.5”.

    This Security Policy covers the SRX5400, SRX5600, and SRX5800models. They aremeant for serviceproviders,largeenterprisenetworks,andpublic-sectornetworks.

    Thecryptographicmodulesaredefinedasmultiple-chip standalonemodules thatexecute JUNOS-FIPSfirmwareonanyoftheJuniperNetworksSRX-Seriesgatewayslistedinthetablebelow.

    Table1–CryptographicModuleConfigurations

    ChassisPN

    REPN SCBPN SPCPN IOCPN PowerPN

    TamperSeals

    SRX5400 SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-15-320SRX-MIC-10XG-SFPP

    ACHCorDC

    JNPR-FIPS-TAMPER-LBLS

    SRX5600 SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-15-320SRX-MIC-10XG-SFPP

    SRX5800 SRX5K-RE-1800X4 SRX5K-SCBE SRX5K-SPC-4-15-320SRX-MIC-10XG-SFPP

    ThemodulesaredesignedtomeetFIPS140-2Level2overall:

    Table2-SecurityLevelofSecurityRequirements

    Area Description Level1 ModuleSpecification 22 PortsandInterfaces 23 RolesandServices 34 FiniteStateModel 25 PhysicalSecurity 26 OperationalEnvironment N/A7 KeyManagement 28 EMI/EMC 29 Self-test 210 DesignAssurance 311 MitigationofOtherAttacks N/A

    Overall 2

  • CopyrightJuniper,2017 Version1.3 Page5of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Themoduleshavea limitedoperationalenvironmentaspertheFIPS140-2definitions.They includeafirmware load service to support necessary updates. New firmware versionswithin the scope of thisvalidation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into thesemodulesareoutofthescopeofthisvalidationandrequireaseparateFIPS140-2validation.

    ThemodulesdonotimplementanymitigationofotherattacksasdefinedbyFIPS140-2.

  • CopyrightJuniper,2017 Version1.3 Page6of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    1.1 HardwareandPhysicalCryptographicBoundaryThephysical formsof themodule’svariousmodelsaredepicted inFigures1-11below.Forallmodelsthecryptographicboundaryisdefinedastheouteredgeofthechassis.ThemodulesexcludethepowersupplyandfancomponentsfromtherequirementsofFIPS140-2.Thepowersuppliesandfansdonotcontainanysecurityrelevantcomponentsandcannotaffect thesecurityof themodule.Theexcludedcomponents are identified with red borders in the following figures. The module does not rely onexternaldevicesforinputandoutput.

    Figure1–SRX5400FrontView

  • CopyrightJuniper,2017 Version1.3 Page7of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Figure2–SRX5400BottomView

    Figure3–SRX5600ProfileView

  • CopyrightJuniper,2017 Version1.3 Page8of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Figure4–SRX5600RearView

    Figure5–SRX5600LeftView

  • CopyrightJuniper,2017 Version1.3 Page9of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Figure6–SRX5800TopView

  • CopyrightJuniper,2017 Version1.3 Page10of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Figure7–SRX5800RearView

    Figure8–SRX5800LeftView

  • CopyrightJuniper,2017 Version1.3 Page11of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Table3-PortsandInterfaces

    Port Description LogicalInterfaceTypeEthernet LANCommunications Controlin,Datain,Dataout,StatusoutSerial Consoleserialport Controlin,StatusoutPower Powerconnector PowerReset Reset ControlinLED Statusindicatorlighting StatusoutUSB Firmwareloadport Controlin,DatainWAN SHDSL,VDSL,T1,E1 Controlin,Datain,Dataout,Statusout

    1.2 ModeofOperationFollowtheinstructionsinSection5toapplythetampersealstothemodule.Oncethetampersealshavebeen applied as shown in this document, the JUNOS firmware image is installed on the device, andconfigured in FIPS-MODE and rebooted, and integrity and self-tests have run successfully on initialpower-oninFIPS-MODE,themoduleisoperatingintheapprovedmode.TheCrypto-OfficermustensurethatthebackupimageofthefirmwareisalsoaJUNOS-FIPS-MODEimagebyissuingtherequestsystemsnapshotcommand.

    If themodule was previously in a non-Approvedmode of operation, the Cryptographic OfficermustzeroizetheCSPsbyfollowingtheinstructionsinSection1.3.

    Then,theCOmustrunthefollowingcommandstoconfigureSSHtouseFIPSapprovedandFIPSallowedalgorithms:[email protected]# set system fips level 2

    [email protected]:fips# commit

    ForeachIPsectunnelconfigured,theCOmustrunthefollowingcommandtoconfigurethealgorithms:[email protected]:fips# set security ike gateway version v2-only

    - the user configured name for the IKE gateway

    [email protected]:fips# commit

    The“showversion”commandwillindicateifthemoduleisoperatinginFIPSmode(e.g.JUNOSSoftwareRelease[15.1X49-D75]and“:fips”keywordasaprefixnexttohostnameinCLImode).Alsorun“show security ike” and “show security ipsec” to verify IKEv2 is configured when ipsec or ikeproposalencryptionalgorithmisconfiguredtouseAES-GCM.

    1.3 ZeroizationThe cryptographic module provides a non-Approved mode of operation in which non-approvedcryptographic algorithms are supported. When transitioning between the non-Approved mode of

  • CopyrightJuniper,2017 Version1.3 Page12of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    operation and the Approved mode of operation, the Cryptographic Officer must run the followingcommandtozeroizetheApprovedmodeCSPs:[email protected]> request system zeroize

    Note:TheCryptographicOfficermustretaincontrolofthemodulewhilezeroizationisinprocess.

  • CopyrightJuniper,2017 Version1.3 Page13of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    2 CryptographicFunctionality2.1 ApprovedAlgorithmsThe module implements the FIPS Approved and Non-Approved but Allowed cryptographic functionslisted in the Tables 4 to 6 below. Table 8 summarizes the high level protocol algorithm support. Themoduledoesnotimplementalgorithmsthatrequirevendoraffirmation.

    Referencestostandardsaregiveninsquarebracket[];seetheReferencestable.Itemsenclosedincurlybrackets{}areCAVPtestedbutnotusedbythemoduleintheApprovedmode.

    Table4-DataPlaneApprovedCryptographicFunctions

    CAVPCert. Algorithm Mode Description Functions

    4395 AES[197]CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt

    GCM[38D] KeySizes:128,192,256 Encrypt,Decrypt,MessageAuthentication

    2921 HMAC[198]SHA-1 λ=96

    MessageAuthenticationSHA-256 λ=128

    3623 SHS[180] SHA-1SHA-256 MessageDigestGeneration

    2370 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt

    Table5-ControlPlaneAuthentecApprovedCryptographicFunctions

    Cert Algorithm Mode Description Functions

    4393 AES[197]CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt

    GCM[38D] KeySizes:128,256 Encrypt,Decrypt,MessageAuthentication

    N/A1 CKG[133]Section6.2 AsymmetrickeygenerationusingunmodifiedDRBGoutput[133]Section7.3 Derivationofsymmetrickeys

    1095 CVLIKEv1[135] SHA256,384

    KeyDerivationIKEv2[135] SHA256,384

    1053 ECDSA[186] P-256(SHA256)P-384(SHA384)KeyGenforECDiffie-Hellman,SigGen,SigVer

    1172 DSA[186] (L=2048,N=224)(L=2048,N=256) KeyGenforDiffie-Hellman

    2919 HMAC[198]SHA-256 λ=128,256 MessageAuthentication,KDFPrimitive,DRBGPrimitive

    SHA-384 λ=192,384 MessageAuthentication,KDFPrimitive

    1VendorAffirmed.

  • CopyrightJuniper,2017 Version1.3 Page14of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    N/A KTS

    AESCert.#4393andHMACCert.#2919keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength

    Triple-DESCert.#2368andHMACCert.#2919

    keyestablishmentmethodologyprovides112bitsofencryptionstrength

    2383 RSA[186] PKCS1_V1_5 n=2048(SHA256)n=4096(SHA256) SigGen,SigVer2

    3621 SHS[180] SHA-256SHA-384 MessageDigestGeneration

    2368 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt

    Table6–HMACDRBGApprovedCryptographicFunctions

    Cert Algorithm Mode Description Functions

    1423 DRBG[90A] HMAC SHA-256 ControlPlaneRandomBitGeneration1415 DRBG[90A] HMAC SHA-256 OpenSSLRandomBitGeneration

    Table7-OpenSSLApprovedCryptographicFunctions

    CAVPCert. Algorithm Mode Description Functions

    4394 AES[197] CBC[38A]CTR[38A] KeySizes:128,192,256 Encrypt,Decrypt

    N/A3 CKG [133]Section6.1[133]Section6.2AsymmetrickeygenerationusingunmodifiedDRBGoutput

    1173 DSA[186] (2048,224)(2048,256) KeyGen

    1054 ECDSA[186] P-256(SHA256)P-384(SHA384) SigGen,KeyGen,SigVer

    2920 HMAC[198]

    SHA-1 λ=160MessageAuthentication{SHA-384} N/A

    SHA-512 λ=512

    SHA-256 λ=256 MessageAuthentication,DRBGPrimitive

    N/A KTS AESCert.#4394andHMACCert.#2920keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength

    2 RSA 4096 SigVerwas not tested by the CAVP; however, it is Approved for use per CMVP guidance,becauseRSA2048SigVerwastestedandtestingforRSA4096SigVerisnotavailable.3VendorAffirmed.

  • CopyrightJuniper,2017 Version1.3 Page15of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Triple-DESCert.#2369andHMACCert.#2920

    keyestablishmentmethodologyprovides112bitsofencryptionstrength

    2377 RSA[186]PKCS1_V1_5 n=2048(SHA256)

    n=4096(SHA256)

    SigGen,SigVer4

    X9.31 KeyGen5

    3622 SHS[180]

    SHA-1SHA-256SHA-384

    MessageDigestGeneration,KDFPrimitive

    SHA-512 MessageDigestGeneration

    2369 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt

    Table8–OpenSSHApprovedCryptographicFunctions

    Cert Algorithm Mode Description FunctionsN/A6 CKG [133]Section7.3 Derivationofsymmetrickeys1096 CVL SSH[135] SHA1,256,384 KeyDerivation

    Table9–LibMDApprovedCryptographicFunctions

    Cert Algorithm Mode Description Functions

    3624 SHS[180] SHA-256SHA-512 MessageDigestGeneration

    2.2 AllowedAlgorithmsTable10–AllowedCryptographicFunctions

    Algorithm Caveat Use

    Diffie-Hellman[IG]D.8 Provides112bitsofencryptionstrength. keyagreement;keyestablishment

    EllipticCurveDiffie-Hellman[IG]D.8

    Provides 128 or 192 bits of encryptionstrength. keyagreement;keyestablishment

    NDRNG[IG]7.14Scenario1a

    The module generates a minimum of256bitsofentropyforkeygeneration. SeedingtheDBRG

    4 RSA 4096 SigVerwas not tested by the CAVP; however, it is Approved for use per CMVP guidance,becauseRSA2048SigVerwastestedandtestingforRSA4096SigVerisnotavailable.5RSA4096KeyGenwasnot testedby theCAVP;however, it isApproved foruseperCMVPguidance,becauseRSA2048KeyGenwastestedandtestingforRSA4096KeyGenisnotavailable.6VendorAffirmed.

  • CopyrightJuniper,2017 Version1.3 Page16of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    2.3 AllowedProtocolsTable11–ProtocolsAllowedinFIPSMode

    Protocol KeyExchange Auth Cipher Integrity

    IKEv1 Diffie-Hellman(L=2048,N=224,256)ECDiffie-HellmanP-256,P-384

    RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384

    Triple-DESCBCAESCBC128/192/256

    HMAC-SHA-256HMAC-SHA-384

    IKEv27 Diffie-Hellman(L=2048,N=224,256)ECDiffie-HellmanP-256,P-384

    RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384

    Triple-DESCBCAESCBC128/192/256AESGCM8128/256

    HMAC-SHA-256HMAC-SHA-384

    IPsecESP

    IKEv1withoptional:• Diffie-Hellman(L=2048,N=224,

    256)• ECDiffie-HellmanP-256,P-384

    IKEv13KeyTriple-DESCBCAESCBC128/192/256 HMAC-SHA-

    1-96HMAC-SHA-256-128

    IKEv2withoptional:• Diffie-Hellman(L=2048,N=224),

    (2048,256)• ECDiffie-HellmanP-256,P-384

    IKEv2

    3KeyTriple-DESCBCAESCBC128/192/256AESGCM9128/192/256

    SSHv2Diffie-Hellman(L=2048,N=256)ECDiffie-HellmanP-256,P-384

    ECDSAP-256

    Triple-DESCBCAESCBC128/192/256AESCTR128/192/256

    HMAC-SHA-1HMAC-SHA-256HMAC-SHA-512

    TheseprotocolshavenotbeenreviewedortestedbytheCAVPorCMVP.

    The IKE and SSH algorithms allow independent selection of key exchange, authentication, cipher andintegrity.InTable8above,eachcolumnofoptionsforagivenprotocolisindependent,andmaybeusedin any viable combination. These security functions are also available in the SSH connect (non-compliant)service.

    7IKEv2generatestheSKEYSEEDaccordingtoRFC7296.8TheGCMIVisgeneratedaccordingtoRFC5282.9TheGCMIVisgeneratedaccordingtoRFC4106.

  • CopyrightJuniper,2017 Version1.3 Page17of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    2.4 DisallowedAlgorithmsThese algorithms are non-Approved algorithms that are disabledwhen themodule is operated in anApprovedmodeofoperation.

    • ARCFOUR• Blowfish• CAST• DSA(SigGen,SigVer;non-compliant)• HMAC-MD5• HMAC-RIPEMD160• UMAC

    2.5 CriticalSecurityParametersAllCSPsandpublickeysusedbythemodulearedescribedinthissection.

    Table12–CriticalSecurityParameters(CSPs)

    Name Descriptionandusage CKGDRBG_Seed SeedmaterialusedtoseedorreseedtheDRBG N/ADRBG_State VandKeyvaluesfortheHMAC_DRBG N/A

    SSHPHK SSHPrivatehostkey.1sttimeSSHisconfigured,thekeysare

    generated.ECDSAP-256.Usedtoidentifythehost. [133]Section6.1

    SSHDH

    SSHDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinSSH.Diffie-Hellman(N=256bit,320bit,384bit,512bit,or1024bit10),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

    [133]Section6.2

    SSH-SEK SSHSessionKey;SessionkeysusedwithSSH.Triple-DES(3key),AES,HMAC. [133]Section7.3

    ESP-SEK IPSecESPSessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3IKE-PSK Pre-SharedKeyusedtoauthenticateIKEconnections. N/A

    IKE-Priv IKEPrivateKey.RSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1

    IKE-SKEYID IKESKEYID.IKEsecretusedtoderiveIKEandIPsecESPsessionkeys. [133]Section7.3

    IKE-SEK IKESessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3

    IKE-DH-PRIIKEDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinIKE.DHN=224bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

    [133]Section6.2

    CO-PW ASCIITextusedtoauthenticatetheCO. N/AUser-PW ASCIITextusedtoauthenticatetheUser. N/A

    10SSHgeneratesaDiffie-Hellmanprivatekeythatis2xthebitlengthofthelongestsymmetricorMACkeynegotiated.

  • CopyrightJuniper,2017 Version1.3 Page18of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Table13–PublicKeys

    Name Descriptionandusage CKGSSH-PUB SSHPublicHostKeyusedtoidentifythehost.ECDSAP-256. [133]Section6.1

    SSH-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinSSHkeyestablishment.Diffie-Hellman(L=2048bit),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

    [133]Section6.2

    IKE-PUB IKEPublicKeyRSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1

    IKE-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinIKEkeyestablishment.Diffie-HellmanL=2048bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

    [133]Section6.2

    Auth-UPub UserAuthenticationPublicKeys.Usedtoauthenticateuserstothemodule.ECDSAP256orP-384 N/A

    Auth-COPub COAuthenticationPublicKeys.UsedtoauthenticateCOtothemodule.ECDSAP256orP-384 N/A

    Root-CA JuniperRootCA.ECDSAP-256orP-384X.509Certificate;UsedtoverifythevalidityoftheJuniperPackage-CAatsoftwareload. N/A

    Package-CA PackageCA.ECDSAP-256X.509Certificate;UsedtoverifythevalidityofJuniperImagesatsoftwareloadandboot. N/A

  • CopyrightJuniper,2017 Version1.3 Page19of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    3 Roles,AuthenticationandServices3.1 RolesandAuthenticationofOperatorstoRolesThemodulesupportstworoles:CryptographicOfficer(CO)andUser.Themodulesupportsconcurrentoperators,butdoesnotsupportamaintenanceroleand/orbypasscapability.Themoduleenforcestheseparationofrolesusingeitheridentity-basedoperatorauthentication.

    TheCryptographicOfficerroleconfiguresandmonitorsthemoduleviaaconsoleorSSHconnection.Asrootorsuper-user,theCryptographicOfficerhaspermissiontoviewandeditsecretswithinthemodule

    The User role monitors the router via the console or SSH. The user role may not change theconfiguration.

    3.2 AuthenticationMethodsThemoduleimplementstwoformsofIdentity-Basedauthentication,UsernameandpasswordovertheConsoleandSSHaswellasUsernameandpublickeyoverSSH.

    Passwordauthentication:Themoduleenforces10-characterpasswords(atminimum)chosenfromthe96humanreadableASCIIcharacters.Themaximumpasswordlengthis20-characters.

    Themoduleenforcesatimedaccessmechanismasfollows:Forthefirsttwofailedattempts(assuming0timetoprocess),notimedaccessisenforced.Uponthethirdattempt,themoduleenforcesa5-seconddelay.Eachfailedattemptthereafterresultsinanadditional5-seconddelayabovetheprevious(e.g.4thfailedattempt=10-seconddelay,5th failedattempt=15-seconddelay,6th failedattempt=20-seconddelay,7thfailedattempt=25-seconddelay).

    Thisleadstoamaximumofseven(7)possibleattemptsinaone-minuteperiodforeachgetty.Thebestapproachfortheattackerwouldbetodisconnectafter4failedattempts,andwaitforanewgettytobespawned.Thiswouldallowtheattackertoperformroughly9.6attemptsperminute(576attemptsperhour/60mins); this would be rounded down to 9 perminute, because there is no such thing as 0.6attempts.Thustheprobabilityofasuccessfulrandomattemptis1/9610,whichislessthan1/1million.Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis9/(9610),whichislessthan1/100,000.

    ECDSAsignatureverification:SSHpublic-keyauthentication.Processingconstraintsallowforamaximumof5.6e7ECDSAattemptsperminute.ThemodulesupportsECDSA(P-256andP-384).Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis5.6e7/(2128).

    3.3 ServicesAllservicesimplementedbythemodulearelistedinthetablesbelow.Table16liststheaccesstoCSPsbyeachservice.

    Table14–AuthenticatedServices

    Service Description CO UserConfiguresecurity Securityrelevantconfiguration x

    Configure Non-securityrelevantconfiguration x SecureTraffic IPsecprotectedconnection(ESP) x Status Showstatus x x

  • CopyrightJuniper,2017 Version1.3 Page20of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Zeroize DestroyallCSPs x

    SSHconnect InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x

    IPsecconnect InitiateIPsecconnection(IKE) x Consoleaccess Consolemonitoringandcontrol(CLI) x xRemotereset Softwareinitiatedreset x

    Table15–Unauthenticatedtraffic

    Service DescriptionLocalreset HardwareresetorpowercycleTraffic Trafficrequiringnocryptographicservices

    Table16–CSPAccessRightswithinServices

    Service

    CSPs

    DRBG

    _Seed

    DRBG

    _State

    SSHPH

    K

    SSHDH

    SSH-SEK

    ESP-SEK

    IKE-PSK

    IKE-Priv

    IKE-SKEYID

    IKE-SEK

    IKE-DH

    -PRI

    CO-PW

    User-PW

    Configuresecurity -- E GWR -- -- -- WR GWR -- -- --

    W W

    Configure -- -- -- -- -- -- -- -- -- -- -- -- --Securetraffic -- -- -- -- -- E -- -- -- E --

    -- --

    Status -- -- -- -- -- -- -- -- -- -- -- -- --

    Zeroize -- Z Z -- -- -- Z Z -- -- -- Z Z

    SSHconnect -- E E GE GE -- -- -- -- -- -- E EIPsecconnect -- E -- -- -- G E E GE G GE

    -- --

    Consoleaccess -- -- -- -- -- -- -- -- -- -- --

    E E

    Remotereset GZE GZ -- Z Z Z -- -- Z Z Z

    Z Z

    Localreset GZE GZ -- Z Z Z -- -- Z Z Z Z Z

    Traffic -- -- -- -- -- -- -- -- -- -- -- -- --G=Generate:ThemodulegeneratestheCSPR=Read:TheCSPisreadfromthemodule(e.g.theCSPisoutput)E=Execute:ThemoduleexecutesusingtheCSPW=Write:TheCSPiswrittentopersistentstorageinthemoduleZ=Zeroize:ThemodulezeroizestheCSP.

  • CopyrightJuniper,2017 Version1.3 Page21of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    3.4 Non-ApprovedServicesThefollowingservicesareavailableinthenon-Approvedmodeofoperation.Thesecurityfunctionsprovidedbythenon-ApprovedservicesareidenticaltotheApprovedcounterpartswiththeexceptionofSSHConnect(non-compliant).SSHConnect(non-compliant)supportsthesecurityfunctionsidentifiedinSection2.4andtheSSHv2rowofTable11.

    Table17–AuthenticatedServices

    Service Description CO UserConfiguresecurity(non-compliant) Securityrelevantconfiguration x

    Configure(non-compliant) Non-securityrelevantconfiguration x

    SecureTraffic(non-compliant) IPsecprotectedconnection(ESP) x

    Status(non-compliant) Showstatus x xZeroize(non-compliant) DestroyallCSPs x SSHconnect(non-compliant)

    InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x

    IPsecconnect(non-compliant) InitiateIPsecconnection(IKE) x

    Consoleaccess(non-compliant) Consolemonitoringandcontrol(CLI) x x

    Remotereset(non-compliant) Softwareinitiatedreset x

    Table18–Unauthenticatedtraffic

    Service DescriptionLocalreset(non-compliant) Hardwareresetorpowercycle

    Traffic(non-compliant) Trafficrequiringnocryptographicservices

  • CopyrightJuniper,2017 Version1.3 Page22of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    4 Self-testsEachtimethemoduleispoweredupitteststhatthecryptographicalgorithmsstilloperatecorrectlyandthat sensitive data have not been damaged. Power-up self-tests are available on demand by powercyclingthemodule.

    Onpower-uporreset,themoduleperformstheself-testsdescribedbelow.AllKATsmustbecompletedsuccessfullypriortoanyotheruseofcryptographybythemodule.IfoneoftheKATsfails,themoduleenterstheCriticalFailureerrorstate.

    Themoduleperformsthefollowingpower-upself-tests:

    • FirmwareIntegritycheckusingECDSAP-256withSHA-256• DataPlaneKATs

    o AES-CBCEncryptKATo AES-CBCDecryptKATo AES-GCMEncryptKATo AES-GCMDecryptKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA-256KAT

    • OpenSSLKATso SP800-90AHMACDRBGKAT

    § Health-testsinitialize,re-seed,andgenerate.o ECDSAP-256Sign/VerifyPCTo ECDiffie-HellmanP-256KAT

    § Derivationoftheexpectedsharedsecret.o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA2-256KATo HMAC-SHA2-384KATo HMAC-SHA2-512KATo AES-CBCEncryptKATo AES-CBCDecryptKAT

    • OpenSSHKATo KDF-SSH-SHA256KAT

    • HMACDRBGKATo HMACDRBGKAT(Certs.#1423)

    § Health-testsinitialize,re-seed,andgenerate.o HMACDRBGKAT(Certs.#1415)

    § Health-testsinitialize,re-seed,andgenerate.• ControlPlaneAuthentecKATs

    o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo ECDSAP-256w/SHA-256Sign/VerifyPCT

  • CopyrightJuniper,2017 Version1.3 Page23of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    o Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-256KATo HMAC-SHA-384KATo AES-CBCEncryptKATo AES-CBCDecryptKATo AES-GCMEncryptKATo AES-GCMDecryptKATo KDF-IKE-V1KATo KDF-IKE-V2KAT

    • LibmdKATso HMAC-SHA2-256KATo SHA-2-512KAT

    • CriticalFunctionTesto Thecryptographicmoduleperformsaverificationofalimitedoperationalenvironment,

    andverificationofoptionalnon-criticalpackages.

    Upon successful completion of the self-tests, themodule outputs “FIPS self-tests completed.” to thelocalconsole.

    Ifaself-testfails,themoduleoutputs“:Failed”tothelocalconsoleandautomaticallyreboots.

    Themodulealsoperformsthefollowingconditionalself-tests:

    • ContinuousRNGTestontheSP800-90AHMAC-DRBG• ContinuousRNGtestontheNDRNG• PairwiseconsistencytestwhengeneratingECDSAandRSAkeypairs.• FirmwareLoadTest(ECDSAsignatureverification)

  • CopyrightJuniper,2017 Version1.3 Page24of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    5 PhysicalSecurityPolicyThemodulesphysicalembodimentisthatofamulti-chipstandalonedevicethatmeetsLevel2PhysicalSecurityrequirements.Themodule iscompletelyenclosed inarectangularnickelorclearzinccoated,cold rolled steel, plated steel andbrushed aluminumenclosure. There are no ventilationholes, gaps,slits,cracks,slots,orcrevicesthatwouldallowforanysortofobservationofanycomponentcontainedwithinthecryptographicboundary.Tamper-evidentsealsallowtheoperatortotelliftheenclosurehasbeenbreached.Thesesealsarenotfactory-installedandmustbeappliedbytheCryptographicOfficer.(Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) The tamper-evidentsealsshallbeinstalledforthemoduletooperateinaFIPSmodeofoperation.

    TheCryptographicOfficerisresponsibleforsecuringandhavingcontrolatalltimesofanyunusedsealsandthedirectcontrolandobservationofanychangestothemodulesuchasreconfigurationswherethetamper-evident seals or security appliances are removed or installed to ensure the security of themoduleismaintainedduringsuchchangesandthemoduleisreturnedtoaFIPSApprovedstate.

    Table19–PhysicalSecurityInspectionGuidelines

    PhysicalSecurityMechanism

    RecommendedFrequencyofInspection/Test

    Inspection/TestGuidanceDetails

    Tamperseals,opaquemetalenclosure.

    OncepermonthbytheCryptographicOfficer.

    Sealsshouldbefreeofanytamperevidence.

    If the CryptographicOfficer observes tamper evidence, it shall be assumed that the device has beencompromised.TheCryptographicOfficershallretaincontrolofthemoduleandperformZeroizationofthemodule'sCSPsbyfollowingthestepsinSection1.3oftheSecurityPolicy.

    5.1 GeneralTamperSealPlacementandApplicationInstructionsForallsealapplications,theCryptographicOfficershouldobservethefollowinginstructions:

    • Handlethesealswithcare.Donottouchtheadhesiveside.• Beforeapplyingaseal,ensurethelocationofapplicationisclean,dry,andclearofanyresidue.• Placethesealonthemodule,applyingfirmpressureacrossittoensureadhesion.Allowatleast

    1hourfortheadhesivetocure.

    5.2 SRX5400(13seals)Tamper-evidentsealsshallbeappliedtothefollowinglocations:

    • FrontPane:o Twoseals,vertical,connectedtothetopmost(non-honeycomb)sub-pane.Theyextend

    tothethinpanebelowandthehoneycombpanelabove.o Oneseal,vertical,acrossthethinpane.Extendstotheblankpanebelowandthesub-

    paneabove.o Threeseals,vertical,oneoneach“long”horizontalsub-pane.Eachattachestothesub-

    paneaboveandtheonebelow(orthechassis,ifit’sthebottommostsub-pane).Ensureoneofthesealsextendstotheleftsub-panebelowthethinsub-pane.

    • BackPane:o Four seals, vertical: one on each of the top four sub-panes, extending to the large

    chassisplatebelow.o Oneseal,vertical:onthehorizontalscrewed-inplaterestingonthelargecentralchassis.

    Shouldextendtothechassisinbothdirections.

  • CopyrightJuniper,2017 Version1.3 Page25of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    o Twoseals,horizontal:placedonthelowsidesub-panes,extendingtothelargecentralchassisareaandwrappingaroundtotheneighboringsidepanes.

    Figure9-SRX5400-Tamper-EvidentSealLocationsonFront-SixSeals

    Figure10-SRX5400-Tamper-EvidentSealLocationsonRear-SevenSeals

    5.3 SRX5600(18seals)Tamper-evidentsealsmustbeappliedtothefollowinglocations:

    • FrontPane:o Elevenseals,vertical:oneforeachhorizontalsub-pane(excludingthehoneycombplate

    onthetopandthethinsub-panealittlebelow),asecondforthetop(non-honeycomb)sub-pane, and an extra for the bottom. The seals should attach to vertically adjacentsub-panes. The extra on the bottom attaches to the lowermost sub-pane and wraps

  • CopyrightJuniper,2017 Version1.3 Page26of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    aroundattachingtothebottompane.Itshouldbeensuredthatoneofthesealsspansacrossthethinplatewithampleextradistanceoneachside.

    • BackPane:o Fiveseals,vertical:oneoneachoftheupperfoursub-panes,attachingtothelargeplate

    below.o Twoseals,horizontal:oneoneachoftheverticalsidesub-panes,extendingtoboththe

    largecentralplateandthesidepanes.

    Figure11-SRX5600-Tamper-EvidentSealLocationsonFront-11Seals

    Figure12-SRX5600-Tamper-EvidentSealLocationsonRear-SevenSeals

  • CopyrightJuniper,2017 Version1.3 Page27of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    5.4 SRX5800(24seals)Tamper-evidentsealsshallbeappliedtothefollowinglocations:

    • FrontPane:o Fourteenseals,horizontal:oneoneachofthelongverticalsub-panes,extendingtothe

    neighboringtwo.Ifonanendsub-pane,sealshouldwraparoundtotheside.o Threeseals,vertical:Oneovereachofthethinpanes–twonearthebottom,onenear

    thetopofthelowerhalf.o Twoseals,vertical:bothontheconsoleareaatthetopofthemodule,oneextendingto

    thetopandtheotherextendingtothechassisareabelow.• BackPane:

    o Five seals, horizontal: Three spanning the gaps between the vertical sub-panels, andthentwomore,oneeachonthefaredgesoftheleftandrightpanels.(Theselasttwoshouldwraparoundtothesides.)

    Figure13-SRX5800-Tamper-EvidentSealLocationsonFront-19Seals

  • CopyrightJuniper,2017 Version1.3 Page28of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Figure14-SRX5800-Tamper-EvidentSealLocationsonRear-FiveSeals

  • CopyrightJuniper,2017 Version1.3 Page29of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    6 SecurityRulesandGuidanceThemoduledesigncorresponds to thesecurity rulesbelow.Thetermmust in thiscontextspecificallyrefers to a requirement for correctusageof themodule in theApprovedmode; all other statementsindicateasecurityruleimplementedbythemodule.

    1. Themoduleclearspreviousauthenticationsonpowercycle.2. When themodule has not beenplaced in a valid role, the operator does not have access to any

    cryptographicservices.3. Powerupself-testsdonotrequireanyoperatoraction.4. Dataoutputisinhibitedduringkeygeneration,self-tests,zeroization,anderrorstates.5. Status information does not contain CSPs or sensitive data that if misused could lead to a

    compromiseofthemodule.6. TherearenorestrictionsonwhichkeysorCSPsarezeroizedbythezeroizationservice.7. Themoduledoesnotsupportamaintenanceinterfaceorrole.8. Themoduledoesnotsupportmanualkeyentry.9. Themoduledoesnotoutputintermediatekeyvalues.10. Themodulerequiresto independent internalactionstobeperformedpriortooutputingplaintext

    CSPs.11. The cryptographic officer must determine whether firmware being loaded is a legacy use of the

    firmwareloadservice.12. Thecryptographicofficermustretaincontrolofthemodulewhilezeroizationisinprocess.

  • CopyrightJuniper,2017 Version1.3 Page30of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    7 ReferencesandDefinitionsThefollowingstandardsarereferencedinthisSecurityPolicy.

    Table20–References

    Abbreviation FullSpecificationName

    [FIPS140-2] SecurityRequirementsforCryptographicModules,May25,2001

    [SP800-131A] Transitions: Recommendation for Transitioning the Use of Cryptographic AlgorithmsandKeyLengths,January2011

    [IG] ImplementationGuidanceforFIPSPUB140-2andtheCryptographicModuleValidationProgram

    [133] NISTSpecialPublication800-133,RecommendationforCryptographicKeyGeneration,December2012

    [135] National Institute of Standards and Technology, Recommendation for ExistingApplication-Specific Key Derivation Functions, Special Publication 800-135rev1,December2011.

    [186] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-4,July,2013.

    [197] National InstituteofStandardsandTechnology,AdvancedEncryptionStandard(AES),FederalInformationProcessingStandardsPublication197,November26,2001

    [38A] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation,MethodsandTechniques,SpecialPublication800-38A,December2001

    [38D] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation:Galois/CounterMode(GCM)andGMAC,SpecialPublication800-38D,November2007

    [198] National Institute of Standards and Technology, The Keyed-Hash MessageAuthentication Code (HMAC), Federal Information Processing Standards Publication198-1,July,2008

    [180] National Institute of Standards and Technology, Secure Hash Standard, FederalInformationProcessingStandardsPublication180-4,August,2015

    [67] National Instituteof StandardsandTechnology,Recommendation for theTripleDataEncryptionAlgorithm(TDEA)BlockCipher,SpecialPublication800-67,May2004

    [90A] NationalInstituteofStandardsandTechnology,RecommendationforRandomNumberGenerationUsingDeterministicRandomBitGenerators, Special Publication800-90A,June2015.

  • CopyrightJuniper,2017 Version1.3 Page31of31JuniperNetworksPublicMaterial–Maybereproducedonlyinitsoriginalentirety(withoutrevision).

    Table21–AcronymsandDefinitions

    Acronym DefinitionAES AdvancedEncryptionStandardDH Diffie-HellmanDSA DigitalSignatureAlgorithmECDH EllipticCurveDiffie-HellmanECDSA EllipticCurveDigitalSignatureAlgorithmEMC ElectromagneticCompatibilityESP EncapsulatingSecurityPayloadFIPS FederalInformationProcessingStandardHMAC Keyed-HashMessageAuthenticationCodeICV IntegrityCheckValue(i.e.Tag)IKE InternetKeyExchangeProtocolIOC Input/OutputCardIPsec InternetProtocolSecurityMD5 MessageDigest5NPC NetworkProcessingCardRE RoutingEngineRSA Public-keyencryptiontechnologydevelopedbyRSADataSecurity,Inc.SHA SecureHashAlgorithmsSCB SwitchControlBoardSPC ServicesProcessingCardSSH SecureShellTriple-DES Triple-DataEncryptionStandard

    Table22–Datasheets

    Model Title URL

    SRX5400SRX5600SRX5800

    SRXSeriesServiceGatewaysforserviceprovider,largeenterprise,andpublicsectornetworks.

    http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000254-en.pdf