juniper networks srx300, srx340, and srx345 … juniper networks srx series services gateways are a...
TRANSCRIPT
Page 1 FIPS Policy
JuniperNetworksSRX300,SRX340,andSRX345ServicesGateways
Non-ProprietaryFIPS140-2CryptographicModuleSecurityPolicy
Version:2.4Date:December22,2017
JuniperNetworks,Inc.1133InnovationWaySunnyvale,California94089USA408.745.20001.888JUNIPERwww.juniper.net
Page 2 FIPS Policy TableofContents1 Introduction................................................................................................................................................................................................4
2 HardwareandPhysicalCryptographicBoundary.........................................................................................................................................52.1 ModeofOperation.........................................................................................................................................................62.2 Zeroization....................................................................................................................................................................7
3 CryptographicFunctionality.........................................................................................................................................................................73.1 ApprovedAlgorithms.......................................................................................................................................................73.2 AllowedAlgorithms.......................................................................................................................................................103.3 AllowedProtocols.........................................................................................................................................................103.4 DisallowedAlgorithms...................................................................................................................................................113.5 CriticalSecurityParameters............................................................................................................................................12
4 Roles,AuthenticationandServices............................................................................................................................................................134.1 RolesandAuthenticationofOperatorstoRoles..................................................................................................................134.2 AuthenticationMethods................................................................................................................................................134.3 Services......................................................................................................................................................................134.4 Non-ApprovedServices..................................................................................................................................................16
5 Self-Tests...................................................................................................................................................................................................17
6 PhysicalSecurityPolicy..............................................................................................................................................................................186.1 GeneralTamperSealPlacementandApplicationInstructions.................................................................................................196.2 SRX300(4seals)...........................................................................................................................................................206.3 SRX340/345(27seals)...................................................................................................................................................21
7 SecurityRulesandGuidance......................................................................................................................................................................23
8 ReferencesandDefinitions........................................................................................................................................................................23
ListofTablesTABLE1–CRYPTOGRAPHICMODULECONFIGURATIONS........................................................................................................................................4TABLE2-SECURITYLEVELOFSECURITYREQUIREMENTS........................................................................................................................................4TABLE3-PORTSANDINTERFACES....................................................................................................................................................................6TABLE4–DATAPLANEAPPROVEDCRYPTOGRAPHICFUNCTIONS............................................................................................................................7TABLE5–CONTROLPLANEAUTHENTECAPPROVEDCRYPTOGRAPHICFUNCTIONS......................................................................................................8TABLE6–OPENSSLAPPROVEDCRYPTOGRAPHICFUNCTIONS................................................................................................................................9TABLE7–OPENSSLAPPROVEDCRYPTOGRAPHICFUNCTIONS................................................................................................................................9TABLE8–OPENSSHAPPROVEDCRYPTOGRAPHICFUNCTIONS.............................................................................................................................10TABLE9–LIBMDAPPROVEDCRYPTOGRAPHICFUNCTIONS.................................................................................................................................10TABLE10-ALLOWEDCRYPTOGRAPHICFUNCTIONS............................................................................................................................................10TABLE11-PROTOCOLSALLOWEDINFIPSMODE..............................................................................................................................................10TABLE12-CRITICALSECURITYPARAMETERS(CSPS)..........................................................................................................................................12TABLE13-PUBLICKEYS................................................................................................................................................................................12TABLE14-AUTHENTICATEDSERVICES.............................................................................................................................................................14TABLE15-UNAUTHENTICATEDTRAFFIC...........................................................................................................................................................14TABLE16-CSPACCESSRIGHTSWITHINSERVICES.............................................................................................................................................15TABLE17:PUBLICKEYACCESSRIGHTSWITHINSERVICES.....................................................................................................................................15TABLE18-AUTHENTICATEDSERVICES.............................................................................................................................................................16TABLE19-UNAUTHENTICATEDTRAFFIC...........................................................................................................................................................17TABLE20–PHYSICALSECURITYINSPECTIONGUIDELINES.....................................................................................................................................19TABLE21–REFERENCES................................................................................................................................................................................23
Page 3 FIPS Policy TABLE22–ACRONYMSANDDEFINITIONS........................................................................................................................................................24TABLE23–DATASHEETS...............................................................................................................................................................................25
ListofFiguresFIGURE1.SRX300........................................................................................................................................................................................5FIGURE2.SRX340........................................................................................................................................................................................5FIGURE3.SRX345........................................................................................................................................................................................6FIGURE4.SRX300TAMPER-EVIDENTSEALPLACEMENT-FOUR(4)SEALS.............................................................................................................20FIGURE5.SRX340/SRX345TAMPER-EVIDENTSEALPLACEMENT-TOPCOVER.NINE(9)SEALS...............................................................................21FIGURE6.SRX340/345TAMPER-EVIDENTSEALPLACEMENT-RAREPANEL.TWO(2)SEALS...................................................................................22FIGURE7.SRX340/SRX345TAMPER-EVIDENTSEALPLACEMENT-SIDEPANELSOVERTHESCREWHOLES.EIGHTONEACHSIDE(16)SEALS.....................22
Page 4 FIPS Policy 1 INTRODUCTION
TheJuniperNetworksSRXSeriesServicesGatewaysareaseriesofsecureroutersthatprovideessentialcapabilitiestoconnect,secure,andmanageworkforcelocationssizedfromhandfulstohundredsofusers.Byconsolidatingfast,highlyavailableswitching,routing,security,andapplicationscapabilitiesinasingledevice,enterprisescaneconomicallydelivernewservices,safeconnectivity,andasatisfyingenduserexperience.AllmodelsrunJuniper’sJUNOSfirmware–inthiscase,aspecificFIPS-compliantversion,whenconfiguredinFIPS-MODEcalledJUNOS-FIPS-MODE,version15.1X49-D60.Thefirmwareimageisjunos-srxsme-15.1X49-D60.10-domestic.tgzandthefirmwareStatusserviceidentifiesitselfasinthe“JunosOS15.1X49-D60.10”.
ThisSecurityPolicycoversthe“Branch”models–theSRX300,SRX340,andSRX345.Theyaremeantforcorporatebranchofficesofvarioussizes.(Intendedsizeisproportionaltomodelnumber.)
Thecryptographicmodulesaredefinedasmultiple-chipstandalonemodulesthatexecuteJUNOSfirmwareonanyoftheJuniperNetworksSRX-SeriesServicesGatewayslistedinthetablebelow.
Table1–CryptographicModuleConfigurations
Model HardwareVersions Firmware DistinguishingFeatures
SRX300 SRX300 JUNOS15.1X49-D60 6x10/100/1000;2SFP
SRX340 SRX340 JUNOS15.1X49-D60
8x10/100/1000;4SFP;4MPIMexpansionslots;1x10/100/1000managementport
SRX345 SRX345 JUNOS15.1X49-D60
8x10/100/1000;4SFP;4MPIMexpansionslots;1x10/100/1000managementport
All JNPR-FIPS-TAMPER-LBLS(P/N520-052564) N/A Tamper-EvidentSeals
(FIPSLabelforPSDProducts)
ThemodulesaredesignedtomeetFIPS140-2Level2overall:
Table2-SecurityLevelofSecurityRequirements
Area Description Level
1 ModuleSpecification 2
2 PortsandInterfaces 2
3 RolesandServices 3
4 FiniteStateModel 2
5 PhysicalSecurity 2
6 OperationalEnvironment N/A
7 KeyManagement 2
8 EMI/EMC 2
9 Self-test 2
10 DesignAssurance 3
11 MitigationofOtherAttacks N/A
Overall 2
Page 5 FIPS Policy
Themoduleshavea limitedoperational environmentasper theFIPS140-2definitions. They includea firmware loadservicetosupportnecessaryupdates.NewfirmwareversionswithinthescopeofthisvalidationmustbevalidatedthroughtheFIPS140-2CMVP.AnyotherfirmwareloadedintothesemodulesisoutofthescopeofthisvalidationandrequireaseparateFIPS140-2validation.
ThemodulesdonotimplementanymitigationsofotherattacksasdefinedbyFIPS140-2.
2 HARDWAREANDPHYSICALCRYPTOGRAPHICBOUNDARY
Thephysicalformsofthemodule’svariousmodelsaredepictedinFigures1-5below.Forallmodelsthecryptographicboundaryisdefinedastheouteredgeofthechassis.TheSRX340andSRX345excludetheTITMP435ADGSRtemperaturesensorfromtherequirementsofFIPS140-2.
Figure1.SRX300
Figure2.SRX340
Page 6 FIPS Policy
Figure3.SRX345
Table3-PortsandInterfaces
Port Description LogicalInterfaceTypeEthernet LANCommunications Controlin,Datain,Dataout,StatusoutSerial Consoleserialport Controlin,StatusoutPower Powerconnector PowerinReset Resetbutton ControlinLED Statusindicatorlighting StatusoutUSB Firmwareloadport Controlin,DatainWAN SHDSL,VDSL,T1,E1 Controlin,Datain,Dataout,Statusout
2.1 MODEOFOPERATION
Thecryptographicmoduleprovidesanon-Approvedmodeofoperationinwhichnon-Approvedcryptographicalgorithmsaresupported.Themodulesupportsnon-Approvedalgorithmswhenoperatinginthenon-ApprovedmodeofoperationasdescribedinSections2.4and3.4.Whentransitioningbetweenthenon-ApprovedmodeofoperationandtheApprovedmodeofoperation,theCOmustzeroizeallCSPsbyfollowingtheinstructionsinSection1.3.Ifthemodulewaspreviouslyinanon-Approvedmodeofoperation,theCryptographicOfficermustzeroizetheCSPsbyfollowingtheinstructionsinSection1.4
Then,theCOmustrunthefollowingcommandstoconfigurethemoduleintotheApprovedmodeofoperation:
co@fips-srx#setsystemfipslevel2
co@fips-srx#commit
WhenTriple-DES isconfiguredas theencryption-algorithmfor IKEor IPsec, theCOmustconfigure the IPsecproposallifetime-kilobytestocomplywith[IGA.13]usingthefollowingcommand:
co@fips-srx:fips#setsecurityipsecproposal<ipsec_proposal_name>lifetime-kilobytes<kilobytes>”
Page 7 FIPS Policy co@fips-srx:fips#commit
WhenTriple-DESistheencryption-algorithmforIKE(regardlessoftheIPsecencryptionalgorithm),thelifetime-kilobytesfortheassociatedIPsecproposalmustbegreaterthanorequalto12800.
WhenTriple-DESistheencryption-algorithmforIPsec,thelifetime-kilobytesmustbelessthanorequalto33554432.
WhenAES-GCMisconfiguredastheencryption-algorithmforIKEorIPSec,theCOmustalsoconfigurethemoduletouseIKEv2byrunningthefollowingcommands:
co@fips-srx:fips#setsecurityikegateway<name>versionv2-only
<name>-theuserconfigurednamefortheIKEgateway
co@fips-srx:fips#commit
TheoperatorcanverifythemoduleisoperatingintheApprovedmodebyverifyingthefollowing:
• The“showversion”commandindicatesthatthemoduleisrunningtheApprovedfirmware(i.e.JUNOSSoftwareRelease[15.1X49-D60]).
• Thecommandpromptendsin“:fips”,whichindicatesthemodulehasbeenconfiguredintheApprovedmodeofoperation.
• The“showsecurityike”and“showsecurityipsec”commandsshowIKEv2isconfiguredwheneitheranIPsecorIKEproposalisconfiguredtouseAES-GCM.
2.2 ZEROIZATION
ThefollowingcommandallowstheCryptographicOfficertozeroizeCSPscontainedwithinthemodule:
co@fips-srx>requestsystemzeroize
Note:TheCryptographicOfficermustretaincontrolofthemodulewhilezeroizationisinprocess.
3 CRYPTOGRAPHICFUNCTIONALITY
Themodule implements theFIPSApproved,vendoraffirmed,andnon-ApprovedbutAllowedcryptographic functionslistedinTable4throughTable10below.Table11summarizesthehighlevelprotocolalgorithmsupport.
3.1 APPROVEDALGORITHMS
Referencestostandardsaregiveninsquarebracket[];seetheReferencestable.
Itemsenclosedincurlybrackets{}areCAVPtestedbutnotusedbythemoduleintheApprovedmode.
Table4–DataPlaneApprovedCryptographicFunctionsCAVPCert. Algorithm Mode Description Functions43484347 AES[197] CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt
Page 8 FIPS Policy
GCM[38D] KeySizes:128,192,256 Encrypt,Decrypt,AEAD
28882887 HMAC[198]
SHA-1 λ=96MessageAuthentication
SHA-256 λ=128
35853584 SHS[180] SHA-1
SHA-256 MessageDigestGeneration
23522351 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
Table5–ControlPlaneAuthentecApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions
4345 AES[197]CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt
GCM[38D] KeySizes:128,256 Encrypt,Decrypt,AEAD
N/A1 CKG[133]Section6.2
AsymmetrickeygenerationusingunmodifiedDRBGoutput
[133]Section7.3 Derivationofsymmetrickeys
1051 CVLIKEv1[135] SHA256,384
KeyDerivationIKEv2[135] SHA256,384
10411040 ECDSA[186] P-256(SHA256)
P-384(SHA{256},384) KeyGen,SigGen,SigVer
2885 HMAC[198]{SHA-1}
IKEMessageAuthentication,IKEKDFPrimitiveSHA-256 λ=128,256
SHA-384 λ=192,384
N/A KTS
AESCert.#4345andHMACCert.#2885
Keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength
Triple-DESCert.#2349andHMACCert.#2885
Keyestablishmentmethodologyprovides112bitsofencryptionstrength
23612360 RSA[186] PKCS1_V1_
5n=2048(SHA256)n=4096(SHA256)2 SigGen,SigVer
3582 SHS[180]{SHA-1}SHA-256SHA-384
MessageDigestGeneration
2349 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
1 Vendor Affirmed. 2 RSA 4096 SigGen was tested to FIPS 186-4; however, the CAVP certificate lists 4096 under FIPS 186-2.
Page 9 FIPS Policy
Table6–OpenSSLApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions
1398 DRBG[90A] HMAC SHA-256ControlPlaneRandomBitGeneration/OpenSSLRandomBitGenerator
Table7–OpenSSLApprovedCryptographicFunctions
CAVPCert. Algorithm Mode Description Functions
4362 AES[197] CBC[38A]CTR[38A] KeySizes:128,192,256 Encrypt,Decrypt
N/A3 CKG[133]Section6.1[133]Section6.2
AsymmetrickeygenerationusingunmodifiedDRBGoutput
[133]Section7.3 Derivationofsymmetrickeys
1038 ECDSA[186]
{P-224(SHA256)}P-256(SHA256){P-384(SHA256)}
SigGen
{P-224(SHA256)}P-256(SHA256)P-384(SHA{256},384){P-521(SHA-256)}
KeyGen,SigVer
2902 HMAC[198]SHA-1 λ=160
SSHMessageAuthenticationDRBGPrimitiveSHA-256 λ=256
SHA-512 λ=512
N/A KTS
AESCert.#4362andHMACCert.#2902Keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength
Triple-DESCert.#2358andHMACCert.#2902Keyestablishmentmethodologyprovides112bitsofencryptionstrength
2358 RSA[186]
n=2048(SHA256){n=3072(SHA256)}n=4096(SHA256)4
SigGen
n=2048(SHA256){n=3072(SHA256)} KeyGen,SigVer
3600 SHS[180]
SHA-1SHA-256SHA-384
MessageDigestGeneration,SSHKDFPrimitive
SHA-512 MessageDigestGeneration
2358 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt
3 Vendor Affirmed. 4 RSA 4096 SigGen was tested to FIPS 186-4; however, the CAVP certificate lists 4096 under FIPS 186-2.
Page 10 FIPS Policy
Table8–OpenSSHApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions1071 CVL SSH[135] SHA1,256,384 KeyDerivation
Table9–LibMDApprovedCryptographicFunctions
Cert Algorithm Mode Description Functions
3586 SHS[180] SHA-256SHA-512 MessageDigestGeneration
3.2 ALLOWEDALGORITHMS
Table10-AllowedCryptographicFunctions
Algorithm Caveat Use
Diffie-Hellman[IG]D.8 Provides112bitsofencryptionstrength. Keyagreement;keyestablishment
EllipticCurveDiffie-Hellman[IG]D.8
Provides 128 or 192 bits of encryptionstrength. Keyagreement;keyestablishment
NDRNG Provides256bitsofentropy. SeedingtheDRBG
3.3 ALLOWEDPROTOCOLS
Table11-ProtocolsAllowedinFIPSMode
Protocol KeyExchange Auth Cipher Integrity
IKEv1 Diffie-Hellman(L=2048,N=2047)ECDiffie-HellmanP-256,P-384
RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384
Triple-DESCBC5AESCBC128/192/256AESGCM128/256
SHA-256,384
IKEv26 Diffie-Hellman(L=2048,N=2047)ECDiffie-HellmanP-256,P-384
RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384
Triple-DESCBC7AESCBC128/192/256AESGCM8128/256
SHA-256,384
5 The Triple-DES key for the IETF IKEv1 protocol is generated according to RFC 2409. 6 IKEv2 generates the SKEYSEED according to RFC7296. 7 The Triple-DES key for the IETF IKEv2 protocol is generated according to RFC 7296. 8 The GCM IV is generated according to RFC5282.
Page 11 FIPS Policy
IPsecESP
IKEv1withoptional:• Diffie-Hellman(L=2048,N=2047)• ECDiffie-HellmanP-256,P-384
IKEv1 3KeyTriple-DESCBC9AESCBC128/192/256 HMAC-SHA-
1-96HMAC-SHA-256-128
IKEv2withoptional:• Diffie-Hellman(L=2048,N=2047)• ECDiffie-HellmanP-256,P-384
IKEv2
3KeyTriple-DESCBC10AESCBC128/192/256AESGCM11128/192/256
SSHv2Diffie-Hellman(L=2048,N=2047)ECDiffie-HellmanP-256,P-384
ECDSAP-256Triple-DESCBC12AESCBC128/192/256AESCTR128/192/256
HMAC-SHA-1HMAC-SHA-256HMAC-SHA-512
NopartsoftheIKEv1,IKEv2,ESP,andSSHv2protocols,otherthantheKDF,havebeentestedbytheCAVPorCMVP.
TheIKEandSSHalgorithmsallowindependentselectionofkeyexchange,authentication,cipherandintegrity.InTable11-ProtocolsAllowedinFIPSModeabove,eachcolumnofoptionsforagivenprotocolisindependent,andmaybeusedinanyviablecombination.ThesesecurityfunctionsarealsoavailableintheSSHconnect(non-compliant)service.
3.4 DISALLOWEDALGORITHMS
Thesealgorithmsarenon-ApprovedalgorithmsthataredisabledwhenthemoduleisoperatedinanApprovedmodeofoperation.
• ARCFOUR• Blowfish• CAST• DSA(SigGen,SigVer;non-compliant)• HMAC-MD5• HMAC-RIPEMD160• UMAC
9 The Triple-DES key for the ESP protocol is generated by the IETF IKEv1 protocol according to RFC 2409. 10 The Triple-DES key for the ESP protocol is generated by the IETF IKEv2 protocol according to RFC 7296. 11 The GCM IV is generated according to RFC4106. 12 The Triple-DES key for the IETF SSHv2 protocol is generated according to RFCs 4253 and 4344.
Page 12 FIPS Policy
3.5 CRITICALSECURITYPARAMETERS
AllCSPsandpublickeysusedbythemodulearedescribedinthissection.
Table12-CriticalSecurityParameters(CSPs)
Name Descriptionandusage CKG
DRBG_Seed SeedmaterialusedtoseedorreseedtheDRBG N/ADRBG_State VandKeyvaluesfortheHMAC_DRBG N/A
SSHPHK SSHPrivatehostkey.1sttimeSSHisconfigured,thekeysaregenerated.ECDSAP-256.Usedtoidentifythehost. [133]Section6.1
SSHDHSSHDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinSSH.Diffie-Hellman(N=256bit,320bit,384bit,512bit,or1024bit13),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
SSH-SEK SSHSessionKey;SessionkeysusedwithSSH.Triple-DES(3key),AES,HMAC. [133]Section7.3
ESP-SEK IPSecESPSessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3IKE-PSK Pre-SharedKeyusedtoauthenticateIKEconnections. N/AIKE-Priv IKEPrivateKey.RSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1IKE-SKEYID IKESKEYID.IKEsecretusedtoderiveIKEandIPsecESPsessionkeys. [133]Section7.3IKE-SEK IKESessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3
IKE-DH-PRIIKEDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinIKE.Diffie-HellmanN=224bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
CO-PW ASCIITextusedtoauthenticatetheCO. N/AUser-PW ASCIITextusedtoauthenticatetheUser. N/A
Table13-PublicKeys
Name Descriptionandusage CKGSSH-PUB SSHPublicHostKeyusedtoidentifythehost.ECDSAP-256. [133]Section6.1
SSH-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinSSHkeyestablishment.DH(L=2048bit),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
IKE-PUB IKEPublicKeyRSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1
IKE-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinIKEkeyestablishment.Diffie-HellmanL=2048bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384
[133]Section6.2
13 SSH generates a Diffie-Hellman private key that is 2x the bit length of the longest symmetric or MAC key negotiated.
Page 13 FIPS Policy
Name Descriptionandusage CKG
Auth-UPub SSHUserAuthenticationPublicKeys.Usedtoauthenticateuserstothemodule.ECDSAP-256orP-384 N/A
Auth-COPub SSHCOAuthenticationPublicKeys.UsedtoauthenticateCOtothemodule.ECDSAP-256orP-384 N/A
RootCA JuniperRootCA.ECDSAP-256orP-384X.509Certificate;UsedtoverifythevalidityoftheJuniperPackageCAatsoftwareload. N/A
PackageCA PackageCA.ECDSAP-256X.509Certificate;UsedtoverifythevalidityofJuniperImagesatsoftwareloadandboot. N/A
4 ROLES,AUTHENTICATIONANDSERVICES
4.1 ROLESANDAUTHENTICATIONOFOPERATORSTOROLES
Themodulesupportstworoles:CryptographicOfficer(CO)andUser.Themodulesupportsconcurrentoperators,butdoesnot support a maintenance role and/or bypass capability. Themodule enforces the separation of roles using eitheridentity-basedoperatorauthentication.
TheCryptographicOfficerroleconfiguresandmonitorsthemoduleviaaconsoleorSSHconnection.Asrootorsuper-user,theCryptographicOfficerhaspermissiontoviewandeditsecretswithinthemodule.
TheUserrolemonitorstherouterviatheconsoleorSSH.Theuserrolemaynotchangetheconfiguration.
4.2 AUTHENTICATIONMETHODS
ThemoduleimplementstwoformsofIdentity-Basedauthentication,usernameandpasswordovertheConsoleandSSHaswellasusernameandpublickeyoverSSH.
Password authentication: The module enforces 10-character passwords (at minimum) chosen from the 96 humanreadableASCIIcharacters.Themaximumpasswordlengthis20characters.
Themoduleenforcesatimedaccessmechanismasfollows:Forthefirsttwofailedattempts(assuming0timetoprocess),notimedaccessisenforced.Uponthethirdattempt,themoduleenforcesa5-seconddelay.Eachfailedattemptthereafterresultsinanadditional5-seconddelayabovetheprevious(e.g.4thfailedattempt=10-seconddelay,5thfailedattempt=15-seconddelay,6thfailedattempt=20-seconddelay,7thfailedattempt=25-seconddelay).
Thisleadstoamaximumofnine(9)possibleattemptsinaone-minuteperiodforeachgetty.Thebestapproachfortheattackerwouldbetodisconnectafter4failedattemptsandwaitforanewgettytobespawned.Thiswouldallowtheattackertoperformroughly9.6attemptsperminute;thiswouldberoundeddownto9perminute,becausethereisnosuchthingas0.6attempts.Thustheprobabilityofasuccessfulrandomattemptis1/9610,whichislessthan1/1million.Theprobabilityofa successwithmultiple consecutiveattempts inaone-minuteperiod is9/(9610),which is less than1/100,000.
ECDSAsignatureverification:SSHpublic-keyauthentication.Processingconstraintsallowforamaximumof56,000,000ECDSAattemptsperminute.ThemodulesupportsECDSA(P-256andP-384).Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis56,000,000/(2128).
4.3 SERVICES
Allservicesimplementedbythemodulearelistedinthetablesbelow.
Page 14 FIPS Policy Table16liststheaccesstoCSPsbyeachservice.
Table14-AuthenticatedServices
Service Description CO User
Configuresecurity Securityrelevantconfiguration x
Configure Non-securityrelevantconfiguration x
SecureTraffic IPsecprotectedconnection(ESP) x
Status Showstatus x x
Zeroize DestroyallCSPs x
SSHconnect InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x
IPsecconnect InitiateIPsecconnection(IKE) x
Consoleaccess Consolemonitoringandcontrol(CLI) x x
Remotereset Softwareinitiatedreset x
Table15-UnauthenticatedTraffic
Service Description
Localreset Hardwareresetorpowercycle
Traffic Trafficrequiringnocryptographicservices
Page 15 FIPS Policy
Table16-CSPAccessRightswithinServices
Service
CSPs
DRBG
_Seed
DRBG
_State
SSHPH
K
SSHDH
SSH-SEK
ESP-SEK
IKE-PSK
IKE-Priv
IKE-SKEYID
IKE-SEK
IKE-DH
-PRI
CO-PW
User-PW
Configuresecurity -- E GWR -- -- -- WR GWR -- -- -- W W
Configure -- -- -- -- -- -- -- -- -- -- -- -- --
Securetraffic -- -- -- -- -- E -- -- -- E -- -- --
Status -- -- -- -- -- -- -- -- -- -- -- -- --
Zeroize -- Z Z -- -- -- Z Z -- -- -- Z Z
SSHconnect -- E E GE GE -- -- -- -- -- -- E E
IPsecconnect -- E -- -- -- G E E G G G -- --
Consoleaccess -- -- -- -- -- -- -- -- -- -- -- E E
Remotereset GZE GZ -- Z Z Z -- -- Z Z Z Z Z
Localreset GZE GZ -- Z Z Z -- -- Z Z Z Z Z
Traffic -- -- -- -- -- -- -- -- -- -- -- -- --
G=Generate:ThemodulegeneratestheCSPR=Read:TheCSPisreadfromthemodule(e.g.theCSPisoutput)E=Execute:ThemoduleexecutesusingtheCSPW=Write:TheCSPiswrittentopersistentstorageinthemoduleZ=Zeroize:ThemodulezeroizestheCSP.
Table17:PublicKeyAccessRightswithinServices
ServicePublicKeys
SSH-PUB
SSH-DH-PUB
IKE-PUB
IKE-DH-PUB
Auth-UPub
Auth-COPub
Root-CA
Package-CA
Configuresecurity GWR - GWR - W W - -
Configure - - - - - - - -Securetraffic - - - - - - - -
Status - - - - - - - -
Zeroize Z - Z Z Z Z - -
SSHconnect E GE - - E E - -IPsecconnect - - E GE - - - -
Consoleaccess - - - - - - - -
Page 16 FIPS Policy
Remotereset - Z - Z Z Z - E
Localreset - Z - Z Z Z - E
Traffic - - - - - - - -Softwareload - - - - - - EW EW
G=Generate:Themodulegeneratesthekey.R=Read:Thekeyisreadfromthemodule(e.g.thekeyisoutput).E=Execute:Themoduleexecutesusingthekey.W=Write:Thekeyiswrittentopersistentstorageinthemodule.Z=Zeroize:Themodulezeroizesthekey.
4.4 NON-APPROVEDSERVICES
Thefollowingservicesareavailableinthenon-Approvedmodeofoperation.Thesecurityfunctionsprovidedbythenon-ApprovedservicesareidenticaltotheApprovedcounterpartswiththeexceptionofSSHConnect(non-compliant).SSHConnect(non-compliant)supportsthesecurityfunctionsidentifiedinSection2.3andtheSSHv2rowofTable11-ProtocolsAllowedinFIPSMode.
Table18-AuthenticatedServices
Service Description CO UserConfiguresecurity(non-compliant) Securityrelevantconfiguration x
Configure(non-compliant) Non-securityrelevantconfiguration x
SecureTraffic(non-compliant) IPsecprotectedconnection(ESP) x
Status(non-compliant) Showstatus x x
Zeroize(non-compliant) DestroyallCSPs x
SSHconnect(non-compliant)
InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x
IPsecconnect(non-compliant) InitiateIPsecconnection(IKE) x
Consoleaccess(non-compliant) Consolemonitoringandcontrol(CLI) x x
Remotereset(non-compliant) Softwareinitiatedreset x
Page 17 FIPS Policy
Table19-Unauthenticatedtraffic
Service DescriptionLocalreset(non-compliant) Hardwareresetorpowercycle
Traffic(non-compliant) Trafficrequiringnocryptographicservices
5 SELF-TESTS
Eachtimethemoduleispoweredup,itteststhatthecryptographicalgorithmsstilloperatecorrectlyandthatsensitivedatahasnotbeendamaged.Power-upself–testsareavailableondemandbypowercyclingthemodule.
Onpoweruporreset,themoduleperformstheself-testsdescribedbelow.AllKATsmustbecompletedsuccessfullypriortoanyotheruseofcryptographybythemodule.IfoneoftheKATsfails,themoduleenterstheCriticalFailureerrorstate.
Themoduleperformsthefollowingpower-upself-tests:
• FirmwareIntegritycheckusingECDSAP-256withSHA-256• DataPlaneKATs
o AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA-256KATo AES-GCM(128/192/256)EncryptKATo AES-GCM(128/192/256)DecryptKAT
• ControlPlaneAuthentecKATso RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo ECDSAP-256w/SHA-256Sign/VerifyPCTo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA2-256KATo HMAC-SHA2-384KATo AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKATo AES-GCM(128/256)EncryptKATo AES-GCM(128/256)DecryptKATo KDF-IKE-V1KATo KDF-IKE-V2KAT
• HMAC_DRBGKATo SP800-90AHMACDRBGKAT
§ Health-testsinitialize,re-seed,andgenerate.
Page 18 FIPS Policy
• OpenSSLKATso ECDSAP-256Sign/VerifyPCTo ECDiffie-HellmanP-256KAT
§ Derivationoftheexpectedsharedsecret.o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA2-256KATo HMAC-SHA2-384KATo HMAC-SHA2-512KATo AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKAT
• OpenSSHKATo KDF-SSHKAT
• LibmdKATso HMAC-SHA2-256KATo SHA-2-512KAT
• CriticalFunctionTest
o Thecryptographicmoduleperformsaverificationofalimitedoperationalenvironment.
Uponsuccessfulcompletionoftheself-tests,themoduleoutputs“FIPSself-testscompleted.”tothelocalconsole.
Ifaself-testfails,themoduleoutputs“<self-testname>:Failed”tothelocalconsoleandautomaticallyreboots.
Themodulealsoperformsthefollowingconditionalself-tests:
• ContinuousRNGTestontheSP800-90AHMAC-DRBG• ContinuousRNGtestontheNDRNG• PairwiseconsistencytestwhengeneratingECDSAandRSAkeypairs.• FirmwareLoadTest(ECDSAP-256withSHA-256signatureverification)
6 PHYSICALSECURITYPOLICY
The module’s physical embodiment is that of a multi-chip standalone device that meets Level 2 Physical Securityrequirements.Themoduleiscompletelyenclosedinarectangularnickelorclearzinccoated,coldrolledsteel,platedsteelandbrushedaluminumenclosure.Therearenoventilationholes,gaps,slits,cracks,slots,orcrevicesthatwouldallowforanysortofobservationofanycomponentcontainedwithinthecryptographicboundary.Tamper-evidentsealsallowtheoperator to tell if theenclosurehasbeenbreached.These sealsarenot factory-installedandmustbeappliedby theCryptographic Officer. (Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) Thetamper-evidentsealsshallbeinstalledforthemoduletooperateinaFIPSmodeofoperation.
TheCryptographicOfficerisresponsibleforsecuringandhavingcontrolatalltimesofanyunusedsealsandthedirectcontrol and observation of any changes to themodule, such as reconfigurations where the tamper-evident seals or
Page 19 FIPS Policy securityappliancesareremovedorinstalled,toensurethesecurityofthemoduleismaintainedduringsuchchangesandthemoduleisreturnedtoaFIPSApprovedstate.
Table20–PhysicalSecurityInspectionGuidelines
PhysicalSecurityMechanism RecommendedFrequencyofInspection/Test
Inspection/TestGuidanceDetails
Tamperseals,opaquemetalenclosure.
OncepermonthbytheCryptographicOfficer.
Sealsshouldbefreeofanytamperevidence.
IftheCryptographicOfficerobservestamperevidence,itshallbeassumedthatthedevicehasbeencompromised.TheCryptographicOfficershallretaincontrolofthemoduleandperformzeroizationofthemodule'sCSPsbyfollowingthestepsinSection2.2oftheSecurityPolicy.
6.1 GENERALTAMPERSEALPLACEMENTANDAPPLICATIONINSTRUCTIONS
Forallsealapplications,theCryptographicOfficershouldobservethefollowinginstructions:
• Handlethesealswithcare.Donottouchtheadhesiveside.• Beforeapplyingaseal,ensurethelocationofapplicationisclean,dry,andclearofanyresidue.• Placethesealonthemodule,applyingfirmpressureacrossittoensureadhesion.Allowatleast1hourforthe
adhesivetocure.
Page 20 FIPS Policy
6.2 SRX300(4SEALS)
Atamper-evidentsealmustbeappliedtothefollowinglocation:
• Thebottomofthechassis,coveringthefourchassisscrews.
Figure4.SRX300Tamper-EvidentSealPlacement-Four(4)Seals
Page 21 FIPS Policy
6.3 SRX340/345(27SEALS)
Tamper-evidentsealsmustbeappliedtothefollowinglocations:
• Thetopofthechassis,coveringoneofthefivechassisscrews.1-5.Fiveseals.• TheI/OSlots.6-9.Fourseals.• Therarepanel,coveringtheblankfaceplateandtheSSD.10-11.Twoseals.• Sidepanelsoverthescrewholes.Eightoneachside12-27.SixteenSeals
Totalof27seals
Figure5.SRX340/SRX345Tamper-EvidentSealPlacement-TopCover.Nine(9)Seals
Page 22 FIPS Policy
Figure6.SRX340/345Tamper-EvidentSealPlacement-RarePanel.Two(2)Seals
Figure7.SRX340/SRX345Tamper-EvidentSealPlacement-SidePanelsOvertheScrewHoles.Eightoneachside(16)Seals
Page 23 FIPS Policy
7 SECURITYRULESANDGUIDANCE
The module design corresponds to the security rules below. The termmust in this context specifically refers to arequirement for correct usage of the module in the Approved mode; all other statements indicate a security ruleimplementedbythemodule.
1. Themoduleclearspreviousauthenticationsonpowercycle.2. Whenthemodulehasnotbeenplacedinavalidrole,theoperatordoesnothaveaccesstoanycryptographicservices.3. Powerupself-testsdonotrequireanyoperatoraction.4. Dataoutputisinhibitedduringkeygeneration,self-tests,zeroization,anderrorstates.5. StatusinformationdoesnotcontainCSPsorsensitivedatathatifmisusedcouldleadtoacompromiseofthemodule.6. TherearenorestrictionsonwhichkeysorCSPsarezeroizedbythezeroizationservice.7. Themoduledoesnotsupportamaintenanceinterfaceorrole.8. Themoduledoesnotsupportmanualkeyentry.9. Themoduledoesnotoutputintermediatekeyvalues.10. ThemodulerequirestwoindependentinternalactionstobeperformedpriortooutputtingplaintextCSPs(i.e.SSH
PHK,IKE-PSK,orIKE-PrivviatheConfiguresecurityservice).11. Thecryptographicofficermustdeterminewhetherfirmwarebeingloadedisalegacyuseofthefirmwareloadservice.12. Thecryptographicofficermustretaincontrolofthemodulewhilezeroizationisinprocess.13. ThecryptographicofficermustconfigurethemoduletouseIKEv2whenGCMisconfiguredforIKEorIPsecESP.14. ThecryptographicofficermustconfigurethemoduletoIPsecESPlifetime-kilobytestoensurethemoduledoesnot
encryptmorethan2^32blockswithasingleTriple-DESkeywhenTriple-DESistheencryption-algorithmforIKEand/orIPsecESP.
8 REFERENCESANDDEFINITIONS
ThefollowingstandardsarereferredtointhisSecurityPolicy.
Table21–References
Abbreviation FullSpecificationName
[FIPS140-2] SecurityRequirementsforCryptographicModules,May25,2001
[SP800-131A] Transitions:RecommendationforTransitioningtheUseofCryptographicAlgorithmsandKeyLengths,January2011
[IG] ImplementationGuidanceforFIPSPUB140-2andtheCryptographicModuleValidationProgram
[133] NISTSpecialPublication800-133,RecommendationforCryptographicKeyGeneration,December2012
[135] National Institute of Standards and Technology, Recommendation for ExistingApplication-Specific Key Derivation Functions, Special Publication 800-135rev1,December2011.
Page 24 FIPS Policy Abbreviation FullSpecificationName
[186] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-4,July,2013.
[186-2] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-2,January2000.
[197] National InstituteofStandardsandTechnology,AdvancedEncryptionStandard(AES),FederalInformationProcessingStandardsPublication197,November26,2001
[38A] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation,MethodsandTechniques,SpecialPublication800-38A,December2001
[38D] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation:Galois/CounterMode(GCM)andGMAC,SpecialPublication800-38D,November2007
[198] National Institute of Standards and Technology, The Keyed-Hash MessageAuthenticationCode(HMAC),FederalInformationProcessingStandardsPublication198-1,July,2008
[180] National Institute of Standards and Technology, Secure Hash Standard, FederalInformationProcessingStandardsPublication180-4,August,2015
[67] National Instituteof StandardsandTechnology,Recommendation for theTripleDataEncryptionAlgorithm(TDEA)BlockCipher,SpecialPublication800-67,May2004
[90A] NationalInstituteofStandardsandTechnology,RecommendationforRandomNumberGenerationUsingDeterministic RandomBit Generators, Special Publication 800-90A,June2015.
Table22–AcronymsandDefinitions
Acronym DefinitionAES AdvancedEncryptionStandardDSA DigitalSignatureAlgorithmECDiffie-Hellman
EllipticCurveDiffie-Hellman
ECDSA EllipticCurveDigitalSignatureAlgorithmEMC ElectromagneticCompatibilityESP EncapsulatingSecurityPayloadFIPS FederalInformationProcessingStandardHMAC Keyed-HashMessageAuthenticationCodeICV IntegrityCheckValue(i.e.Tag)IKE InternetKeyExchangeProtocolIOC Input/OutputCardIPsec InternetProtocolSecurityMD5 MessageDigest5
Page 25 FIPS Policy Acronym DefinitionNPC NetworkProcessingCardRE RoutingEngineRSA Public-keyencryptiontechnologydevelopedbyRSADataSecurity,Inc.SHA SecureHashAlgorithmsSPC ServicesProcessingCardSSH SecureShellTriple-DES
Triple-DataEncryptionStandard
Table23–Datasheets
Model Title URLSRX300SRX340SRX345
SRX300LineofServicesGatewaysfortheBranch
http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf