Juniper Networks SRX5400, SRX5600, and SRX5800 Services Gateways

Non-Proprietary FIPS 140-2 Cryptographic Module Security Policy

Version: 1.10
Date: June 09, 2017

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408.745.2000
1.888 JUNIPER
www.juniper.net

Copyright Juniper, 2017. Version 1.10. Page 1 of 30. Juniper Networks Public Material – May be reproduced only in its original entirety (without revision).


Table of Contents

1 Introduction ..... 4
1.1 Hardware and Physical Cryptographic Boundary ..... 6
1.2 Mode of Operation ..... 11
1.3 Zeroization ..... 12
2 Cryptographic Functionality ..... 13
2.1 Approved Algorithms ..... 13
2.2 Allowed Algorithms ..... 14
2.3 Allowed Protocols ..... 15
2.4 Disallowed Algorithms ..... 16
2.5 Critical Security Parameters ..... 16
3 Roles, Authentication and Services ..... 18
3.1 Roles and Authentication of Operators to Roles ..... 18
3.2 Authentication Methods ..... 18
3.3 Services ..... 18
3.4 Non-Approved Services ..... 20
4 Self-tests ..... 21
5 Physical Security Policy ..... 23
5.1 General Tamper Seal Placement and Application Instructions ..... 23
5.2 SRX5400 (13 seals) ..... 23
5.3 SRX5600 (18 seals) ..... 24
5.4 SRX5800 (24 seals) ..... 26
6 Security Rules and Guidance ..... 28
7 References and Definitions ..... 29

List of Tables

Table 1 – Cryptographic Module Hardware Configurations ..... 4
Table 2 - Security Level of Security Requirements ..... 5
Table 3 - Ports and Interfaces ..... 11
Table 4 - Data Plane Approved Cryptographic Functions ..... 13
Table 5 - Control Plane Authentec Approved Cryptographic Functions ..... 13
Table 6 - OpenSSL Approved Cryptographic Functions ..... 14
Table 7 – Allowed Cryptographic Functions ..... 14
Table 8 – Protocols Allowed in FIPS Mode ..... 15
Table 9 – Critical Security Parameters (CSPs) ..... 16
Table 10 – Public Keys ..... 17
Table 11 – Authenticated Services ..... 18
Table 12 – Unauthenticated traffic ..... 19
Table 13 – CSP Access Rights within Services ..... 19
Table 14 – Authenticated Services ..... 20
Table 15 – Unauthenticated traffic ..... 20
Table 16 – Physical Security Inspection Guidelines ..... 23
Table 17 – References ..... 29
Table 18 – Acronyms and Definitions ..... 30
Table 19 – Datasheets ..... 30

List of Figures

Figure 1 – SRX5400 Front View ..... 6
Figure 2 – SRX5400 Bottom View ..... 7
Figure 3 – SRX5600 Profile View ..... 7
Figure 4 – SRX5600 Rear View ..... 8
Figure 5 – SRX5600 Left View ..... 8
Figure 6 – SRX5800 Top View ..... 9
Figure 7 – SRX5800 Rear View ..... 10
Figure 8 – SRX5800 Left View ..... 10
Figure 9 - SRX5400 - Tamper-Evident Seal Locations on Front - Six Seals ..... 24
Figure 10 - SRX5400 - Tamper-Evident Seal Locations on Rear - Seven Seals ..... 24
Figure 11 - SRX5600 - Tamper-Evident Seal Locations on Front - 11 Seals ..... 25
Figure 12 - SRX5600 - Tamper-Evident Seal Locations on Rear - Seven Seals ..... 25
Figure 13 - SRX5800 - Tamper-Evident Seal Locations on Front - 19 Seals ..... 26
Figure 14 - SRX5800 - Tamper-Evident Seal Locations on Rear - Five Seals ..... 27


1 Introduction

The Juniper Networks SRX Series Services Gateways are a series of secure routers that provide essential capabilities to connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. All models run Juniper’s JUNOS firmware – in this case, a specific FIPS-compliant version called JUNOS-FIPS, version 12.3X48-D30. The firmware image is junos-srx5000-12.3X48-D30.12-fips.tgz and the firmware Status service identifies itself as “Junos 12.3X48-D30.12 (FIPS edition)”.

This Security Policy covers the SRX5400, SRX5600, and SRX5800 models. They are meant for service providers, large enterprise networks, and public-sector networks.

The cryptographic modules are defined as multiple-chip standalone modules that execute JUNOS-FIPS firmware on any of the Juniper Networks SRX-Series gateways listed in the table below.

Table 1 – Cryptographic Module Hardware Configurations

Chassis PN | RE PN           | SCB PN     | SPC PN             | IOC PN            | Power PN         | Tamper Seals
SRX5400    | SRX5K-RE-13-20  | SRX5K-SCB  | SRX5K-SPC-4-15-320 | SRX5K-40GE-SFP    | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5400    | SRX5K-RE-1800X4 | SRX5K-SCBE | SRX5K-SPC-4-15-320 | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5600    | SRX5K-RE-13-20  | SRX5K-SCB  | SRX5K-SPC-2-10-40  | SRX5K-40GE-SFP    | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5600    | SRX5K-RE-1800X4 | SRX5K-SCBE | SRX5K-SPC-4-15-320 | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5800    | SRX5K-RE-13-20  | SRX5K-SCB  | SRX5K-SPC-2-10-40  | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5800    | SRX5K-RE-1800X4 | SRX5K-SCBE | SRX5K-SPC-4-15-320 | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS

The modules are designed to meet FIPS 140-2 Level 2 overall:


Table 2 - Security Level of Security Requirements

Area | Description                 | Level
1    | Module Specification        | 2
2    | Ports and Interfaces        | 2
3    | Roles and Services          | 3
4    | Finite State Model          | 2
5    | Physical Security           | 2
6    | Operational Environment     | N/A
7    | Key Management              | 2
8    | EMI/EMC                     | 2
9    | Self-test                   | 2
10   | Design Assurance            | 3
11   | Mitigation of Other Attacks | N/A
     | Overall                     | 2

The modules have a limited operational environment as per the FIPS 140-2 definitions. They include a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into these modules is out of the scope of this validation and requires a separate FIPS 140-2 validation.

The modules do not implement any mitigation of other attacks as defined by FIPS 140-2.


1.1 Hardware and Physical Cryptographic Boundary

The physical forms of the module’s various models are depicted in Figures 1-11 below. For all models, the cryptographic boundary is defined as the outer edge of the chassis. The modules exclude the power supply and fan components from the requirements of FIPS 140-2. The power supplies and fans do not contain any security relevant components and cannot affect the security of the module. The excluded components are identified with red borders in the following figures. The module does not rely on external devices for input and output.

Figure 1 – SRX5400 Front View


Figure 2 – SRX5400 Bottom View

Figure 3 – SRX5600 Profile View


Figure 4 – SRX5600 Rear View

Figure 5 – SRX5600 Left View


Figure 6 – SRX5800 Top View


Figure 7 – SRX5800 Rear View

Figure 8 – SRX5800 Left View


Table 3 - Ports and Interfaces

Port     | Description               | Logical Interface Type
Ethernet | LAN Communications        | Control in, Data in, Data out, Status out
Serial   | Console serial port       | Control in, Status out
Power    | Power connector           | Power in
Reset    | Reset                     | Control in
LED      | Status indicator lighting | Status out
USB      | Firmware load port        | Control in, Data in
WAN      | SHDSL, VDSL, T1, E1       | Control in, Data in, Data out, Status out

1.2 Mode of Operation

Follow the instructions in Section 5 to apply the tamper seals to the module. Once the tamper seals have been applied as shown in this document, the JUNOS-FIPS firmware image is installed on the device, and integrity and self-tests have run successfully on initial power-on, the module is operating in the Approved mode. The Crypto-Officer must ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.

If the module was previously in a non-Approved mode of operation, the Cryptographic Officer must zeroize the CSPs by following the instructions in Section 1.3.

Then, the CO must run the following commands to configure SSH to use FIPS Approved and FIPS allowed algorithms:

    co@fips-srx# set system services ssh hostkey-algorithm ssh-ecdsa
    co@fips-srx# set system services ssh hostkey-algorithm no-ssh-rsa
    co@fips-srx# set system services ssh hostkey-algorithm no-ssh-dss
    co@fips-srx# set system services ssh hostkey-algorithm no-ssh-ed25519
    co@fips-srx# commit

The CO can change the preference of SSH key exchange methods using the following command:

    co@fips-srx# set system services ssh key-exchange <algorithm>

    <algorithm> - dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, group-exchange-sha1, or group-exchange-sha2

The CO can change the preference of SSH cipher algorithms using the following command:

    co@fips-srx# set system services ssh ciphers <algorithm>

    <algorithm> - 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr

The CO can change the preference of SSH MAC algorithms or enable additional Approved algorithms using the following command:


    co@fips-srx# set system services ssh macs <algorithm>

    <algorithm> - hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, [email protected], [email protected], [email protected], [email protected]

When AES GCM is configured as the encryption-algorithm for IKE or IPsec, the CO must run the following command to configure the algorithms:

    co@fips-srx# set security ike gateway <name> version v2-only

    <name> - the user configured name for the IKE gateway

    co@fips-srx# commit

The “show version” command will indicate if the module is operating in FIPS mode (e.g. JUNOS Software Release [12.3X48-D30] (FIPS edition)). Run “show system services ssh” and “show security ipsec” to verify that only the FIPS Approved and FIPS allowed algorithms are configured for SSH and IPsec as specified above.
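As an added example (not Juniper's code and not part of this policy), the following Python check reads Junos configuration in the same "set" statement form shown above and reports anything that departs from the Section 1.2 lists. The IKE/IPsec proposal statement shape and the rule that every IKE gateway must carry "version v2-only" once GCM is in use are assumptions (the page names only the affected gateway); the four MAC names the page lists beyond hmac-sha2-512 were garbled in extraction and are left out of the allowed set.

```python
"""Configuration compliance check for the Section 1.2 algorithm lists.

Added example, not Juniper's code. Reads Junos "set" statements and reports
departures from the SSH algorithm lists and the AES GCM / IKEv2 rule.
Assumptions: the proposal statement shape
"set security {ike,ipsec} proposal <n> encryption-algorithm <a>", and that
every "set security ike gateway <name> ..." without "version v2-only" is a
finding once GCM is configured anywhere (conservative reading of the page).
"""
import re
from collections import defaultdict

# Values permitted by Section 1.2. The page lists four further MAC names
# that extraction garbled; add them here once known.
ALLOWED = {
    "hostkey-algorithm": {"ssh-ecdsa"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "group-exchange-sha1", "group-exchange-sha2"},
    "ciphers": {"3des-cbc", "aes128-cbc", "aes128-ctr", "aes192-cbc",
                "aes192-ctr", "aes256-cbc", "aes256-ctr"},
    "macs": {"hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512"},
}
# Host-key statements Section 1.2 requires to be present verbatim.
REQUIRED_HOSTKEY = {"ssh-ecdsa", "no-ssh-rsa", "no-ssh-dss", "no-ssh-ed25519"}

SSH_RE = re.compile(
    r"^set system services ssh (hostkey-algorithm|key-exchange|ciphers|macs) (\S+)$")
ENC_RE = re.compile(
    r"^set security (?:ike|ipsec) proposal \S+ encryption-algorithm (\S+)$")
GW_RE = re.compile(r"^set security ike gateway (\S+) (.+)$")


def check_config(lines):
    """Return a list of findings (strings); an empty list means the SSH and
    IKE statements match Section 1.2."""
    ssh = defaultdict(set)          # knob -> configured values
    gateways, v2_only = set(), set()
    gcm_in_use = False
    for raw in lines:
        line = raw.strip()
        m = SSH_RE.match(line)
        if m:
            ssh[m.group(1)].add(m.group(2))
            continue
        m = ENC_RE.match(line)
        if m:
            if "gcm" in m.group(1):
                gcm_in_use = True
            continue
        m = GW_RE.match(line)
        if m:
            gateways.add(m.group(1))
            if m.group(2) == "version v2-only":
                v2_only.add(m.group(1))

    findings = []
    # Every configured SSH value must be on the Section 1.2 list.
    for knob, values in ssh.items():
        allowed = ALLOWED[knob] | (REQUIRED_HOSTKEY if knob == "hostkey-algorithm" else set())
        for value in sorted(values - allowed):
            findings.append(f"ssh {knob}: '{value}' is not on the Section 1.2 list")
    # The four host-key statements are mandatory, not optional.
    for value in sorted(REQUIRED_HOSTKEY - ssh["hostkey-algorithm"]):
        findings.append(f"ssh hostkey-algorithm: '{value}' must be set")
    # GCM for IKE or IPsec requires the gateway to be pinned to IKEv2.
    if gcm_in_use:
        for gw in sorted(gateways - v2_only):
            findings.append(f"ike gateway '{gw}': AES GCM in use but 'version v2-only' not set")
    return findings


# Constructed sample configurations: one compliant, one with three departures.
COMPLIANT = [
    "set system services ssh hostkey-algorithm ssh-ecdsa",
    "set system services ssh hostkey-algorithm no-ssh-rsa",
    "set system services ssh hostkey-algorithm no-ssh-dss",
    "set system services ssh hostkey-algorithm no-ssh-ed25519",
    "set system services ssh key-exchange ecdh-sha2-nistp256",
    "set system services ssh ciphers aes256-ctr",
    "set system services ssh macs hmac-sha2-256",
    "set security ike proposal IKE-P1 encryption-algorithm aes-256-gcm",
    "set security ike gateway GW1 ike-policy POL1",
    "set security ike gateway GW1 version v2-only",
]
NONCOMPLIANT = [
    "set system services ssh hostkey-algorithm ssh-ecdsa",
    "set system services ssh hostkey-algorithm no-ssh-dss",
    "set system services ssh hostkey-algorithm no-ssh-ed25519",
    "set system services ssh ciphers arcfour",       # disallowed per Section 2.4
    "set security ipsec proposal ESP-P1 encryption-algorithm aes-128-gcm",
    "set security ike gateway GW2 ike-policy POL1",  # no "version v2-only"
]

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(f"{name}: {check_config(cfg) or ['OK']}")
```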

1.3 Zeroization

The cryptographic module provides a non-Approved mode of operation in which non-Approved cryptographic algorithms are supported. When transitioning between the non-Approved mode of operation and the Approved mode of operation, the Cryptographic Officer must run the following commands to zeroize the Approved mode CSPs:

    co@fips-srx> start shell
    co@fips-srx% rm -P <keyfile>

    <keyfile> - each persistent private or secret key other than the SSH host keys and the X.509 keys for IKE.

    co@fips-srx% rm -P /var/db/certs/common/certificate-request/*
    co@fips-srx% exit
    co@fips-srx> request system zeroize

Note: The Cryptographic Officer must retain control of the module while zeroization is in process.


2 Cryptographic Functionality

2.1 Approved Algorithms

The module implements the FIPS Approved and Non-Approved but Allowed cryptographic functions listed in Tables 4 to 6 below. Table 8 summarizes the high level protocol algorithm support. The module does not implement algorithms that require vendor affirmation.

Table 4 - Data Plane Approved Cryptographic Functions

CAVP Cert. | Algorithm       | Mode           | Description              | Functions
4070, 4329 | AES [197]       | CBC [38A]      | Key Sizes: 128, 192, 256 | Encrypt, Decrypt
4070       | AES [197]       | GCM [38D] (1)  | Key Sizes: 128, 192, 256 | Encrypt, Decrypt, AEAD
2657, 2867 | HMAC [198]      | SHA-1          | λ=96                     | Message Authentication
           |                 | SHA-256        | λ=128                    |
3353, 3571 | SHS [180]       | SHA-1, SHA-256 |                          | Message Digest Generation
2221, 2222 | Triple-DES [67] | TCBC [38A]     | Key Size: 192            | Encrypt, Decrypt

Table 5 - Control Plane Authentec Approved Cryptographic Functions

Cert       | Algorithm       | Mode                    | Description                                                                                                                   | Functions
4054, 4055 | AES [197]       | CBC [38A]               | Key Sizes: 128, 192, 256                                                                                                      | Encrypt, Decrypt
4055       | AES [197]       | GCM [38D] (1)           | Key Sizes: 128, 256                                                                                                           | Encrypt, Decrypt, AEAD
926        | CVL             | IKEv1 [135]             | SHA 1, 256, 384                                                                                                               | Key Derivation
           |                 | IKEv2 [135]             | SHA 1, 256, 384                                                                                                               |
1103, 1104 | DSA [186]       |                         | (L=2048, N=224), (L=2048, N=256)                                                                                              | KeyGen
916, 917   | ECDSA [186]     |                         | P-256 (SHA 256), P-384 (SHA {256}, 384)                                                                                       | KeyGen, SigGen, SigVer
2646, 2647 | HMAC [198]      | SHA-1                   | λ=96, 160                                                                                                                     | Message Authentication, KDF Primitive
           |                 | SHA-256                 | λ=128, 256                                                                                                                    |
           |                 | SHA-384                 | λ=192, 384                                                                                                                    |
N/A        | KTS [38F]       |                         | (AES Cert. #4054 and HMAC Cert. #2646), (AES Cert. #4055 and HMAC Cert. #2647), (Triple-DES Cert. #2224 and HMAC Cert. #2646) | Key Wrapping/Unwrapping
2201, 2202 | RSA [186]       | PKCS1_V1_5              | n=2048 (SHA 256) {n=3072 (SHA 256)}                                                                                           | SigGen, SigVer
3341, 3342 | SHS [180]       | SHA-1, SHA-256, SHA-384 |                                                                                                                               | Message Digest Generation
2224       | Triple-DES [67] | TCBC [38A]              | Key Size: 192                                                                                                                 | Encrypt, Decrypt

(1) The SRX5K-SPC-2-10-40 does not support AES GCM.

Table 6 - OpenSSL Approved Cryptographic Functions

CAVP Cert.       | Algorithm       | Mode                    | Description                                                                             | Functions
4056             | AES [197]       | CBC [38A], CTR [38A]    | Key Sizes: 128, 192, 256                                                                | Encrypt, Decrypt
880              | CVL             | SSH [135]               | SHA 1, 256, 384                                                                         | Key Derivation
1216, 1399, 1401 | DRBG [90A]      | HMAC                    | SHA-256                                                                                 | Random Bit Generation
1096             | DSA [186]       |                         | {(2048, 224)} (2048, 256)                                                               | KeyGen
909              | ECDSA [186]     |                         | {P-224 (SHA 256)} P-256 (SHA 256) {P-384 (SHA 256)}                                     | SigGen
                 |                 |                         | {P-224 (SHA 256)} P-256 (SHA 256) P-384 (SHA {256}, 384)                                | KeyGen, SigVer
2648             | HMAC [198]      | SHA-1                   | λ=96, 160                                                                               | Message Authentication, DRBG Primitive
                 |                 | SHA-256                 | λ=256                                                                                   |
                 |                 | SHA-512                 | λ=512                                                                                   |
N/A              | KTS [38F]       |                         | (AES Cert. #4056 and HMAC Cert. #2648), (Triple-DES Cert. #2223 and HMAC Cert. #2648)   | Key Wrapping/Unwrapping
2087             | RSA [186]       |                         | n=2048 (SHA 256) {n=3072 (SHA 256)}                                                     | KeyGen, SigGen, SigVer
                 | RSA [186-2]     |                         | {n=4096 (SHA 256)}                                                                      | {SigGen}
3343             | SHS [180]       | SHA-1, SHA-256, SHA-384 |                                                                                         | Message Digest Generation, KDF Primitive
                 |                 | SHA-512                 |                                                                                         | Message Digest Generation
2223             | Triple-DES [67] | TCBC [38A]              | Key Size: 192                                                                           | Encrypt, Decrypt

2.2 Allowed Algorithms

Table 7 – Allowed Cryptographic Functions

Algorithm                              | Caveat                                                    | Use
Diffie-Hellman [IG] D.8                | Provides between 112 and 192 bits of encryption strength. | key agreement; key establishment
Elliptic Curve Diffie-Hellman [IG] D.8 | Provides 128 or 192 bits of encryption strength.          | key agreement; key establishment
NDRNG                                  |                                                           | Seeding the DRBG

2.3 Allowed Protocols

Table 8 – Protocols Allowed in FIPS Mode

Protocol: IKEv1
  Key Exchange: Diffie-Hellman (L=2048, N=224, 256); EC Diffie-Hellman P-256, P-384
  Auth: RSA 2048; Pre-Shared Secret; ECDSA P-256; ECDSA P-384
  Cipher: Triple-DES CBC; AES CBC 128/192/256
  Integrity: HMAC-SHA-1-96; HMAC-SHA-256-128; HMAC-SHA-384-192

Protocol: IKEv2 (2)
  Key Exchange: Diffie-Hellman (L=2048, N=224, 256); EC Diffie-Hellman P-256, P-384
  Auth: RSA 2048; Pre-Shared Secret; ECDSA P-256; ECDSA P-384
  Cipher: Triple-DES CBC; AES CBC 128/192/256; AES GCM (3) 128/256
  Integrity: HMAC-SHA-1-96; HMAC-SHA-256-128; HMAC-SHA-384-192

Protocol: IPsec ESP
  Key Exchange: IKEv1 with optional: Diffie-Hellman (L=2048, N=224, 256); EC Diffie-Hellman P-256, P-384
  Auth: IKEv1
  Cipher: 3-Key Triple-DES CBC; AES CBC 128/192/256
  Key Exchange: IKEv2 with optional: Diffie-Hellman (L=2048, N=224), (2048, 256); EC Diffie-Hellman P-256, P-384
  Auth: IKEv2
  Cipher: 3-Key Triple-DES CBC; AES CBC 128/192/256; AES GCM (4) 128/192/256
  Integrity: HMAC-SHA-1-96; HMAC-SHA-256-128

Protocol: SSHv2
  Key Exchange: Diffie-Hellman (L=2048, 3072, 4096, 6144, 7680, 8192; N=256, 320, 384, 512, 1024); EC Diffie-Hellman P-256, P-384
  Auth: ECDSA P-256
  Cipher: Triple-DES CBC; AES CBC 128/192/256; AES CTR 128/192/256
  Integrity: HMAC-SHA-1-96; HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-512

(2) IKEv2 generates the SKEYSEED according to RFC 7296.
(3) The GCM IV is generated according to RFC 5282.
(4) The GCM IV is generated according to RFC 4106.


These protocols have not been reviewed or tested by the CAVP or CMVP.

The IKE and SSH algorithms allow independent selection of key exchange, authentication, cipher and integrity. In Table 8 above, each column of options for a given protocol is independent, and may be used in any viable combination. These security functions are also available in the SSH connect (non-compliant) service.

2.4 Disallowed Algorithms

These algorithms are non-Approved algorithms that are disabled when the module is operated in an Approved mode of operation.

• ARCFOUR
• Blowfish
• CAST
• HMAC-MD5
• HMAC-RIPEMD160
• UMAC

2.5 Critical Security Parameters

All CSPs and public keys used by the module are described in this section.

Table 9 – Critical Security Parameters (CSPs)

Name       | Description and usage
DRBG_Seed  | Seed material used to seed or reseed the DRBG
DRBG_State | V and Key values for the HMAC_DRBG
SSH PHK    | SSH Private host key. 1st time SSH is configured, the keys are generated. ECDSA P-256. Used to identify the host.
SSH DH     | SSH Diffie-Hellman private component. Ephemeral Diffie-Hellman private key used in SSH. Diffie-Hellman (N=256 bit, 320 bit, 384 bit, 512 bit, or 1024 bit (5)), EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
SSH-SEK    | SSH Session Key; Session keys used with SSH. Triple-DES (3 key), AES, HMAC.
ESP-SEK    | IPSec ESP Session Keys. Triple-DES (3 key), AES, HMAC.
IKE-PSK    | Pre-Shared Key used to authenticate IKE connections.
IKE-Priv   | IKE Private Key. RSA 2048, ECDSA P-256, or ECDSA P-384
IKE-SKEYID | IKE SKEYID. IKE secret used to derive IKE and IPsec ESP session keys.
IKE-SEK    | IKE Session Keys. Triple-DES (3 key), AES, HMAC.
IKE-DH-PRI | IKE Diffie-Hellman private component. Ephemeral Diffie-Hellman private key used in IKE. Diffie-Hellman N=224 bit, EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
CO-PW      | ASCII Text used to authenticate the CO.
User-PW    | ASCII Text used to authenticate the User.

(5) SSH generates a Diffie-Hellman private key that is 2x the bit length of the longest symmetric or MAC key negotiated.

Table 10 – Public Keys

Name       | Description and usage
SSH-PUB    | SSH Public Host Key used to identify the host. ECDSA P-256.
SSH-DH-PUB | Diffie-Hellman public component. Ephemeral Diffie-Hellman public key used in SSH key establishment. Diffie-Hellman (L=2048 bit, 3072 bit, 4096 bit, 6144 bit, 7680 bit, or 8192 bit), EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
IKE-PUB    | IKE Public Key. RSA 2048, ECDSA P-256, or ECDSA P-384
IKE-DH-PUB | Diffie-Hellman public component. Ephemeral Diffie-Hellman public key used in IKE key establishment. Diffie-Hellman L=2048 bit, EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
Auth-UPub  | SSH User Authentication Public Keys. Used to authenticate users to the module. ECDSA P-256 or P-384
Auth-COPub | SSH CO Authentication Public Keys. Used to authenticate CO to the module. ECDSA P-256 or P-384
Root CA    | Juniper Root CA. ECDSA P-256 or P-384 X.509 Certificate; Used to verify the validity of the Juniper Package CA at software load.
Package CA | Package CA. ECDSA P-256 X.509 Certificate; Used to verify the validity of Juniper Images at software load and also at runtime integrity.


3 Roles, Authentication and Services

3.1 Roles and Authentication of Operators to Roles

The module supports two roles: Cryptographic Officer (CO) and User. The module supports concurrent operators, but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using identity-based operator authentication.

The Cryptographic Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module.

The User role monitors the router via the console or SSH. The User role may not change the configuration.

3.2 Authentication Methods

The module implements two forms of Identity-Based authentication: username and password over the Console and SSH, as well as username and public key over SSH.

Password authentication: The module enforces 10-character passwords (at minimum) chosen from the 96 human readable ASCII characters. The maximum password length is 20 characters.

The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced. Upon the third attempt, the module enforces a 5-second delay. Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g. 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20-second delay, 7th failed attempt = 25-second delay).

This leads to a maximum of seven (7) possible attempts in a one-minute period for each getty. The best approach for the attacker would be to disconnect after 4 failed attempts, and wait for a new getty to be spawned. This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour / 60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts. Thus the probability of a successful random attempt is 1/96^10, which is less than 1/1 million. The probability of a success with multiple consecutive attempts in a one-minute period is 9/(96^10), which is less than 1/100,000.

ECDSA signature verification: SSH public-key authentication. Processing constraints allow for a maximum of 5.6e7 ECDSA attempts per minute. The module supports ECDSA (P-256 and P-384). The probability of a success with multiple consecutive attempts in a one-minute period is 5.6e7/(2^128).
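As an added example (not part of the Security Policy), the following Python model reproduces the timed-access schedule described above and checks the section's probability bounds with its own figures. The 25-second cycle per 4-attempt getty session is an assumption inferred from the 576-per-hour figure (3600 / 25 * 4 = 576); the page does not state the cycle length.

```python
"""Worked model of the Section 3.2 authentication-strength argument.

Added example, not from the Security Policy. Constants are the section's own
figures; the 25-second reconnect cycle is an assumption inferred from the
page's 576 attempts per hour.
"""
import math

ALPHABET = 96            # human-readable ASCII characters
MIN_PASSWORD_LEN = 10
FREE_FAILURES = 2        # first two failures carry no delay
DELAY_STEP = 5           # seconds added per further failure


def delay_after_failure(n):
    """Delay the module enforces after the n-th consecutive failed attempt
    (0 s for the first two, then 5 s, 10 s, 15 s, ...)."""
    return 0 if n <= FREE_FAILURES else DELAY_STEP * (n - FREE_FAILURES)


def attempts_in_window(window_seconds=60, process_seconds=0.0):
    """Attempts a single getty can absorb inside the window; each attempt
    takes process_seconds (the page assumes 0) plus the enforced delay."""
    t, n = 0.0, 0
    while t <= window_seconds:
        n += 1                                   # attempt n happens at time t
        t += process_seconds + delay_after_failure(n)
    return n


def attempts_per_minute_with_reconnect(attempts_per_cycle=4, cycle_seconds=25):
    """Attacker disconnects after a few failures and waits for a new getty.
    Returns (exact per-minute rate, rate rounded down as the page does).
    cycle_seconds=25 is the assumed length of one 4-attempt session."""
    per_hour = 3600 / cycle_seconds * attempts_per_cycle
    per_minute = per_hour / 60
    return per_minute, math.floor(per_minute)


def single_attempt_probability():
    """Chance that one random guess matches a minimum-length password."""
    return 1 / ALPHABET ** MIN_PASSWORD_LEN


def one_minute_probability(attempts=9):
    """Chance of success over the attempts possible in one minute."""
    return attempts * single_attempt_probability()


def ecdsa_one_minute_probability(attempts=5.6e7, security_bits=128):
    """Chance of a forged SSH public-key authentication in one minute."""
    return attempts / 2 ** security_bits


if __name__ == "__main__":
    print("attempts per getty per minute:", attempts_in_window())
    print("with reconnect (exact, rounded):", attempts_per_minute_with_reconnect())
    print("P(single random guess):", single_attempt_probability())
    print("P(9 guesses in one minute):", one_minute_probability())
    print("P(ECDSA, one minute):", ecdsa_one_minute_probability())
```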

3.3 Services

All services implemented by the module are listed in the tables below. Table 13 lists the access to CSPs by each service.

Table 11 – Authenticated Services

Service            | Description                                                  | CO | User
Configure security | Security relevant configuration                              | x  |
Configure          | Non-security relevant configuration                          | x  |
Secure Traffic     | IPsec protected connection (ESP)                             | x  |
Status             | Show status                                                  | x  | x
Zeroize            | Destroy all CSPs                                             | x  |
SSH connect        | Initiate SSH connection for SSH monitoring and control (CLI) | x  | x
IPsec connect      | Initiate IPsec connection (IKE)                              | x  |
Console access     | Console monitoring and control (CLI)                         | x  | x
Remote reset       | Software initiated reset                                     | x  |

Table 12 – Unauthenticated traffic

Service     | Description
Local reset | Hardware reset or power cycle
Traffic     | Traffic requiring no cryptographic services

Table 13 – CSP Access Rights within Services

Service            | DRBG_Seed | DRBG_State | SSH PHK | SSH DH | SSH-SEK | ESP-SEK | IKE-PSK | IKE-Priv | IKE-SKEYID | IKE-SEK | IKE-DH-PRI | CO-PW | User-PW
Configure security | --        | E          | GW      | --     | --      | --      | RW      | RGW      | --         | --      | --         | RW    | RW
Configure          | --        | --         | --      | --     | --      | --      | --      | --       | --         | --      | --         | --    | --
Secure traffic     | --        | --         | --      | --     | --      | E       | --      | --       | --         | E       | --         | --    | --
Status             | --        | --         | --      | --     | --      | --      | --      | --       | --         | --      | --         | --    | --
Zeroize            | --        | Z          | Z       | --     | --      | --      | Z       | Z        | --         | --      | --         | Z     | Z
SSH connect        | --        | E          | E       | GE     | GE      | --      | --      | --       | --         | --      | --         | E     | E
IPsec connect      | --        | E          | --      | --     | --      | G       | E       | E        | G          | G       | G          | --    | --
Console access     | --        | --         | --      | --     | --      | --      | --      | --       | --         | --      | --         | E     | E
Remote reset       | GEZ       | G          | --      | Z      | Z       | Z       | --      | --       | Z          | Z       | Z          | Z     | Z
Local reset        | GEZ       | G          | --      | Z      | Z       | Z       | --      | --       | Z          | Z       | Z          | Z     | Z
Traffic            | --        | --         | --      | --     | --      | --      | --      | --       | --         | --      | --         | --    | --

G = Generate: The module generates the CSP
R = Read: The CSP is read from the module (e.g. the CSP is output)
E = Execute: The module executes using the CSP
W = Write: The CSP is updated or written to the module
Z = Zeroize: The module zeroizes the CSP.


3.4 Non-Approved Services

The following services are available in the non-Approved mode of operation. The security functions provided by the non-Approved services are identical to the Approved counterparts with the exception of SSH Connect (non-compliant). SSH Connect (non-compliant) supports the security functions identified in Section 2.4 and the SSHv2 row of Table 8.

Table 14 – Authenticated Services

Service                            | Description                                                  | CO | User
Configure security (non-compliant) | Security relevant configuration                              | x  |
Configure (non-compliant)          | Non-security relevant configuration                          | x  |
Secure Traffic (non-compliant)     | IPsec protected connection (ESP)                             | x  |
Status (non-compliant)             | Show status                                                  | x  | x
Zeroize (non-compliant)            | Destroy all CSPs                                             | x  |
SSH connect (non-compliant)        | Initiate SSH connection for SSH monitoring and control (CLI) | x  | x
IPsec connect (non-compliant)      | Initiate IPsec connection (IKE)                              | x  |
Console access (non-compliant)     | Console monitoring and control (CLI)                         | x  | x
Remote reset (non-compliant)       | Software initiated reset                                     | x  |

Table 15 – Unauthenticated traffic

Service                     | Description
Local reset (non-compliant) | Hardware reset or power cycle
Traffic (non-compliant)     | Traffic requiring no cryptographic services


4 Self-tests

Each time the module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data have not been damaged. Power-up self-tests are available on demand by power cycling the module.

On power up or reset, the module performs the self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. If one of the KATs fails, the module enters the Critical Failure error state.

The module performs the following power-up self-tests:

• Firmware Integrity check using ECDSA P-256 with SHA-256
• Data Plane KATs
  o AES-CBC (128/192/256) Encrypt KAT
  o AES-CBC (128/192/256) Decrypt KAT
  o Triple-DES-CBC Encrypt KAT
  o Triple-DES-CBC Decrypt KAT
  o HMAC-SHA-1 KAT
  o HMAC-SHA-256 KAT
  o AES-GCM (128/192/256) Encrypt KAT (Note: Except on SRX5K-SPC-2-10-40, which does not support AES GCM)
  o AES-GCM (128/192/256) Decrypt KAT (Note: Except on SRX5K-SPC-2-10-40, which does not support AES GCM)
• Control Plane Authentec KATs
  o RSA 2048 w/ SHA-256 Sign KAT
  o RSA 2048 w/ SHA-256 Verify KAT
  o ECDSA P-256 w/ SHA-256 Sign/Verify PCT
  o Triple-DES-CBC Encrypt KAT
  o Triple-DES-CBC Decrypt KAT
  o HMAC-SHA-1 KAT
  o HMAC-SHA-256 KAT
  o HMAC-SHA-384 KAT
  o AES-CBC (128/192/256) Encrypt KAT
  o AES-CBC (128/192/256) Decrypt KAT
  o AES-GCM (128/256) Encrypt KAT
  o AES-GCM (128/256) Decrypt KAT
  o KDF-IKE-V1 KAT
  o KDF-IKE-V2 KAT
• OpenSSL KATs
  o SP 800-90A HMAC DRBG KAT
    § Health-tests initialize, re-seed, and generate.
  o ECDSA P-256 Sign/Verify PCT
  o EC Diffie-Hellman P-256 KAT
    § Derivation of the expected shared secret.
  o RSA 2048 w/ SHA-256 Sign KAT
  o RSA 2048 w/ SHA-256 Verify KAT
  o Triple-DES-CBC Encrypt KAT
  o Triple-DES-CBC Decrypt KAT
  o HMAC-SHA-1 KAT
  o HMAC-SHA-256 KAT
  o HMAC-SHA-512 KAT
  o SHA (256/384/512) KAT
  o AES-CBC (128/192/256) Encrypt KAT
  o AES-CBC (128/192/256) Decrypt KAT
  o KDF-SSH KAT
• Critical Function Test
  o The cryptographic module performs a verification of a limited operational environment and verification of optional non-critical packages.

The module also performs the following conditional self-tests:

• Continuous RNG Test on the SP 800-90A HMAC-DRBG
• Continuous RNG test on the NDRNG
• Pairwise consistency test when generating ECDSA and RSA key pairs.
• Firmware Load Test (ECDSA signature verification)
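The sequencing this section describes (known-answer tests gate every service, a new key pair is released only after a pairwise consistency test, and each block of entropy is screened by a continuous RNG test) is shown below as an added Go example. It is not code from this Security Policy or from Junos: the Module type, its Operational flag, and the names h, aesVectors, katAESCBC, PowerUp, GenerateECDSAKey, ContinuousRNG, NewContinuousRNG, Block, Entropy and stuckReader are all hypothetical. The AES keys and ciphertexts are the FIPS 197 Appendix C vectors; because the KAT uses a single block with an all-zero IV, the CBC result equals the published ECB value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// Module is a hypothetical stand-in for the firmware's self-test controller:
// Operational stays false until every power-up KAT has passed.
type Module struct{ Operational bool }

func h(s string) []byte { b, _ := hex.DecodeString(s); return b }

// FIPS 197 Appendix C vectors (plaintext 00112233445566778899aabbccddeeff). With
// one block and an all-zero IV, AES-CBC equals ECB, so they serve as the CBC KATs.
var aesVectors = [][2]string{
	{"000102030405060708090a0b0c0d0e0f", "69c4e0d86a7b0430d8cdb78070b4c55a"},
	{"000102030405060708090a0b0c0d0e0f1011121314151617", "dda97ca4864cdfe06eaf70a0ec0d7191"},
	{"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", "8ea2b7ca516745bfeafc49904b496089"},
}

// katAESCBC runs the encrypt KAT and the decrypt KAT for one key size.
func katAESCBC(keyHex, ctHex string) error {
	key, want, pt := h(keyHex), h(ctHex), h("00112233445566778899aabbccddeeff")
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	iv, got, dec := make([]byte, aes.BlockSize), make([]byte, 16), make([]byte, 16)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(got, pt)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(dec, want)
	if !bytes.Equal(got, want) || !bytes.Equal(dec, pt) {
		return errors.New("AES-CBC KAT failed for key " + keyHex)
	}
	return nil
}

// PowerUp runs the KATs in sequence; the first failure returns with the module
// still non-operational (the Critical Failure state) until the next power cycle.
func (m *Module) PowerUp() error {
	m.Operational = false
	for _, v := range aesVectors {
		if err := katAESCBC(v[0], v[1]); err != nil {
			return err
		}
	}
	m.Operational = true
	return nil
}

// GenerateECDSAKey is a guarded service: refused while not operational, and the
// new P-256 pair is released only after a sign/verify pairwise consistency test.
func (m *Module) GenerateECDSAKey() (*ecdsa.PrivateKey, error) {
	if !m.Operational {
		return nil, errors.New("cryptographic services inhibited: module not operational")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte("pairwise consistency test"))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil || !ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig) {
		m.Operational = false
		return nil, errors.New("ECDSA pairwise consistency test failed")
	}
	return priv, nil
}

// ContinuousRNG applies the continuous RNG test: the first 16-byte block is read
// and withheld, and each later block is rejected if it equals its predecessor.
type ContinuousRNG struct {
	src  io.Reader
	prev []byte
}

func NewContinuousRNG(src io.Reader) (*ContinuousRNG, error) {
	c := &ContinuousRNG{src: src, prev: make([]byte, 16)}
	_, err := io.ReadFull(src, c.prev)
	return c, err
}

func (c *ContinuousRNG) Block() ([]byte, error) {
	out := make([]byte, 16)
	if _, err := io.ReadFull(c.src, out); err != nil {
		return nil, err
	}
	if bytes.Equal(out, c.prev) {
		return nil, errors.New("continuous RNG test failed: repeated output block")
	}
	c.prev = out
	return out, nil
}

// Entropy is the live source; stuckReader models a failed NDRNG (constructed for this example).
var Entropy io.Reader = rand.Reader

type stuckReader struct{}

func (stuckReader) Read(p []byte) (int, error) { return copy(p, bytes.Repeat([]byte{0x42}, len(p))), nil }
```

Calling GenerateECDSAKey on a fresh Module fails until PowerUp has returned nil, and a NewContinuousRNG over stuckReader rejects its first output block while one over Entropy passes. A real module runs its KATs through the same code paths the data and control planes use, and also covers Triple-DES, GCM, the DRBG health tests, the KDFs and the firmware integrity check listed above; none of those are modelled here.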


5 Physical Security Policy

The module's physical embodiment is that of a multi-chip standalone device that meets Level 2 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Tamper-evident seals allow the operator to tell if the enclosure has been breached. These seals are not factory-installed and must be applied by the Cryptographic Officer. (Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) The tamper-evident seals shall be installed for the module to operate in a FIPS mode of operation.

The Cryptographic Officer is responsible for securing and having control at all times of any unused seals, and for the direct control and observation of any changes to the module, such as reconfigurations where the tamper-evident seals or security appliances are removed or installed, to ensure the security of the module is maintained during such changes and the module is returned to a FIPS Approved state.

Table 16 – Physical Security Inspection Guidelines

Physical Security Mechanism             Recommended Frequency of Inspection/Test        Inspection/Test Guidance Details
Tamper seals, opaque metal enclosure.   Once per month by the Cryptographic Officer.    Seals should be free of any tamper evidence.

If the Cryptographic Officer observes tamper evidence, it shall be assumed that the device has been compromised. The Cryptographic Officer shall retain control of the module and perform Zeroization of the module's CSPs by following the steps in Section 1.3 of the Security Policy.

5.1 General Tamper Seal Placement and Application Instructions

For all seal applications, the Cryptographic Officer should observe the following instructions:

• Handle the seals with care. Do not touch the adhesive side.
• Before applying a seal, ensure the location of application is clean, dry, and clear of any residue.
• Place the seal on the module, applying firm pressure across it to ensure adhesion. Allow at least 1 hour for the adhesive to cure.

5.2 SRX5400 (13 seals)

Tamper-evident seals shall be applied to the following locations:

• Front Pane:
  o Two seals, vertical, connected to the topmost (non-honeycomb) sub-pane. They extend to the thin pane below and the honeycomb panel above.
  o One seal, vertical, across the thin pane. Extends to the blank pane below and the sub-pane above.
  o Three seals, vertical, one on each "long" horizontal sub-pane. Each attaches to the sub-pane above and the one below (or the chassis, if it is the bottommost sub-pane). Ensure one of the seals extends to the left sub-pane below the thin sub-pane.
• Back Pane:
  o Four seals, vertical: one on each of the top four sub-panes, extending to the large chassis plate below.
  o One seal, vertical: on the horizontal screwed-in plate resting on the large central chassis. Should extend to the chassis in both directions.
  o Two seals, horizontal: placed on the low side sub-panes, extending to the large central chassis area and wrapping around to the neighboring side panes.

Figure 9 - SRX5400 - Tamper-Evident Seal Locations on Front - Six Seals

Figure 10 - SRX5400 - Tamper-Evident Seal Locations on Rear - Seven Seals

5.3 SRX5600 (18 seals)

Tamper-evident seals must be applied to the following locations:

• Front Pane:
  o Eleven seals, vertical: one for each horizontal sub-pane (excluding the honeycomb plate on the top and the thin sub-pane a little below), a second for the top (non-honeycomb) sub-pane, and an extra for the bottom. The seals should attach to vertically adjacent sub-panes. The extra on the bottom attaches to the lowermost sub-pane and wraps around, attaching to the bottom pane. It should be ensured that one of the seals spans across the thin plate with ample extra distance on each side.
• Back Pane:
  o Five seals, vertical: one on each of the upper four sub-panes, attaching to the large plate below.
  o Two seals, horizontal: one on each of the vertical side sub-panes, extending to both the large central plate and the side panes.

Figure 11 - SRX5600 - Tamper-Evident Seal Locations on Front - 11 Seals

Figure 12 - SRX5600 - Tamper-Evident Seal Locations on Rear - Seven Seals


5.4 SRX5800 (24 seals)

Tamper-evident seals shall be applied to the following locations:

• Front Pane:
  o Fourteen seals, horizontal: one on each of the long vertical sub-panes, extending to the neighboring two. If on an end sub-pane, the seal should wrap around to the side.
  o Three seals, vertical: one over each of the thin panes – two near the bottom, one near the top of the lower half.
  o Two seals, vertical: both on the console area at the top of the module, one extending to the top and the other extending to the chassis area below.
• Back Pane:
  o Five seals, horizontal: three spanning the gaps between the vertical sub-panels, and then two more, one each on the far edges of the left and right panels. (These last two should wrap around to the sides.)

Figure 13 - SRX5800 - Tamper-Evident Seal Locations on Front - 19 Seals

Figure 14 - SRX5800 - Tamper-Evident Seal Locations on Rear - Five Seals


6 Security Rules and Guidance

The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.

1. The module clears previous authentications on power cycle.
2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
3. Power up self-tests do not require any operator action.
4. Data output is inhibited during key generation, self-tests, zeroization, and error states.
5. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
6. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
7. The module does not support a maintenance interface or role.
8. The module does not support manual key entry.
9. The module does not output intermediate key values.
10. The module requires two independent internal actions to be performed prior to outputting plaintext CSPs.
11. The cryptographic officer must determine whether firmware being loaded is a legacy use of the firmware load service.
12. The cryptographic officer must retain control of the module while zeroization is in process.


7 References and Definitions

The following standards are referred to in this Security Policy.

Table 17 – References

Abbreviation   Full Specification Name
[FIPS140-2]    Security Requirements for Cryptographic Modules, May 25, 2001
[SP800-131A]   Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011
[IG]           Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program
[135]          National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, Special Publication 800-135 rev1, December 2011
[186]          National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013
[186-2]        National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 2000
[197]          National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001
[38A]          National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001
[38D]          National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800-38D, November 2007
[38F]          National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, Special Publication 800-38F, December 2012
[198]          National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July 2008
[180]          National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015
[67]           National Institute of Standards and Technology, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, May 2004
[90A]          National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, June 2015


Table 18 – Acronyms and Definitions

Acronym      Definition
AES          Advanced Encryption Standard
DH           Diffie-Hellman
DSA          Digital Signature Algorithm
ECDH         Elliptic Curve Diffie-Hellman
ECDSA        Elliptic Curve Digital Signature Algorithm
EMC          Electromagnetic Compatibility
ESP          Encapsulating Security Payload
FIPS         Federal Information Processing Standard
HMAC         Keyed-Hash Message Authentication Code
ICV          Integrity Check Value (i.e. Tag)
IKE          Internet Key Exchange Protocol
IOC          Input/Output Card
IPsec        Internet Protocol Security
MD5          Message Digest 5
NPC          Network Processing Card
RE           Routing Engine
RSA          Public-key encryption technology developed by RSA Data Security, Inc.
SHA          Secure Hash Algorithms
SPC          Services Processing Card
SSH          Secure Shell
Triple-DES   Triple-Data Encryption Standard

Table 19 – Datasheets

Model                          Title                                                                                       URL
SRX5400, SRX5600, SRX5800      SRX Series Service Gateways for service provider, large enterprise, and public sector networks.   http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000254-en.pdf