Juniper Networks SRX300, SRX340, and SRX345 … Juniper Networks SRX Series Services Gateways are a series of secure routers that provide essential capabilities to connect, secure

Page 1 FIPS Policy

JuniperNetworksSRX300,SRX340,andSRX345ServicesGateways

Non-ProprietaryFIPS140-2CryptographicModuleSecurityPolicy

Version:2.4Date:December22,2017

JuniperNetworks,Inc.1133InnovationWaySunnyvale,California94089USA408.745.20001.888JUNIPERwww.juniper.net

Page 2 FIPS Policy TableofContents1 Introduction................................................................................................................................................................................................4

2 HardwareandPhysicalCryptographicBoundary.........................................................................................................................................52.1 ModeofOperation.........................................................................................................................................................62.2 Zeroization....................................................................................................................................................................7

3 CryptographicFunctionality.........................................................................................................................................................................73.1 ApprovedAlgorithms.......................................................................................................................................................73.2 AllowedAlgorithms.......................................................................................................................................................103.3 AllowedProtocols.........................................................................................................................................................103.4 DisallowedAlgorithms...................................................................................................................................................113.5 CriticalSecurityParameters............................................................................................................................................12

4 Roles,AuthenticationandServices............................................................................................................................................................134.1 RolesandAuthenticationofOperatorstoRoles..................................................................................................................134.2 AuthenticationMethods................................................................................................................................................134.3 Services......................................................................................................................................................................134.4 Non-ApprovedServices..................................................................................................................................................16

5 Self-Tests...................................................................................................................................................................................................17

6 PhysicalSecurityPolicy..............................................................................................................................................................................186.1 GeneralTamperSealPlacementandApplicationInstructions.................................................................................................196.2 SRX300(4seals)...........................................................................................................................................................206.3 SRX340/345(27seals)...................................................................................................................................................21

7 SecurityRulesandGuidance......................................................................................................................................................................23

8 ReferencesandDefinitions........................................................................................................................................................................23

ListofTablesTABLE1–CRYPTOGRAPHICMODULECONFIGURATIONS........................................................................................................................................4TABLE2-SECURITYLEVELOFSECURITYREQUIREMENTS........................................................................................................................................4TABLE3-PORTSANDINTERFACES....................................................................................................................................................................6TABLE4–DATAPLANEAPPROVEDCRYPTOGRAPHICFUNCTIONS............................................................................................................................7TABLE5–CONTROLPLANEAUTHENTECAPPROVEDCRYPTOGRAPHICFUNCTIONS......................................................................................................8TABLE6–OPENSSLAPPROVEDCRYPTOGRAPHICFUNCTIONS................................................................................................................................9TABLE7–OPENSSLAPPROVEDCRYPTOGRAPHICFUNCTIONS................................................................................................................................9TABLE8–OPENSSHAPPROVEDCRYPTOGRAPHICFUNCTIONS.............................................................................................................................10TABLE9–LIBMDAPPROVEDCRYPTOGRAPHICFUNCTIONS.................................................................................................................................10TABLE10-ALLOWEDCRYPTOGRAPHICFUNCTIONS............................................................................................................................................10TABLE11-PROTOCOLSALLOWEDINFIPSMODE..............................................................................................................................................10TABLE12-CRITICALSECURITYPARAMETERS(CSPS)..........................................................................................................................................12TABLE13-PUBLICKEYS................................................................................................................................................................................12TABLE14-AUTHENTICATEDSERVICES.............................................................................................................................................................14TABLE15-UNAUTHENTICATEDTRAFFIC...........................................................................................................................................................14TABLE16-CSPACCESSRIGHTSWITHINSERVICES.............................................................................................................................................15TABLE17:PUBLICKEYACCESSRIGHTSWITHINSERVICES.....................................................................................................................................15TABLE18-AUTHENTICATEDSERVICES.............................................................................................................................................................16TABLE19-UNAUTHENTICATEDTRAFFIC...........................................................................................................................................................17TABLE20–PHYSICALSECURITYINSPECTIONGUIDELINES.....................................................................................................................................19TABLE21–REFERENCES................................................................................................................................................................................23

Page 3 FIPS Policy TABLE22–ACRONYMSANDDEFINITIONS........................................................................................................................................................24TABLE23–DATASHEETS...............................................................................................................................................................................25

ListofFiguresFIGURE1.SRX300........................................................................................................................................................................................5FIGURE2.SRX340........................................................................................................................................................................................5FIGURE3.SRX345........................................................................................................................................................................................6FIGURE4.SRX300TAMPER-EVIDENTSEALPLACEMENT-FOUR(4)SEALS.............................................................................................................20FIGURE5.SRX340/SRX345TAMPER-EVIDENTSEALPLACEMENT-TOPCOVER.NINE(9)SEALS...............................................................................21FIGURE6.SRX340/345TAMPER-EVIDENTSEALPLACEMENT-RAREPANEL.TWO(2)SEALS...................................................................................22FIGURE7.SRX340/SRX345TAMPER-EVIDENTSEALPLACEMENT-SIDEPANELSOVERTHESCREWHOLES.EIGHTONEACHSIDE(16)SEALS.....................22

Page 4 FIPS Policy 1 INTRODUCTION

TheJuniperNetworksSRXSeriesServicesGatewaysareaseriesofsecureroutersthatprovideessentialcapabilitiestoconnect,secure,andmanageworkforcelocationssizedfromhandfulstohundredsofusers.Byconsolidatingfast,highlyavailableswitching,routing,security,andapplicationscapabilitiesinasingledevice,enterprisescaneconomicallydelivernewservices,safeconnectivity,andasatisfyingenduserexperience.AllmodelsrunJuniper’sJUNOSfirmware–inthiscase,aspecificFIPS-compliantversion,whenconfiguredinFIPS-MODEcalledJUNOS-FIPS-MODE,version15.1X49-D60.Thefirmwareimageisjunos-srxsme-15.1X49-D60.10-domestic.tgzandthefirmwareStatusserviceidentifiesitselfasinthe“JunosOS15.1X49-D60.10”.

ThisSecurityPolicycoversthe“Branch”models–theSRX300,SRX340,andSRX345.Theyaremeantforcorporatebranchofficesofvarioussizes.(Intendedsizeisproportionaltomodelnumber.)

Thecryptographicmodulesaredefinedasmultiple-chipstandalonemodulesthatexecuteJUNOSfirmwareonanyoftheJuniperNetworksSRX-SeriesServicesGatewayslistedinthetablebelow.

Table1–CryptographicModuleConfigurations

Model HardwareVersions Firmware DistinguishingFeatures

SRX300 SRX300 JUNOS15.1X49-D60 6x10/100/1000;2SFP

SRX340 SRX340 JUNOS15.1X49-D60

8x10/100/1000;4SFP;4MPIMexpansionslots;1x10/100/1000managementport

SRX345 SRX345 JUNOS15.1X49-D60

8x10/100/1000;4SFP;4MPIMexpansionslots;1x10/100/1000managementport

All JNPR-FIPS-TAMPER-LBLS(P/N520-052564) N/A Tamper-EvidentSeals

(FIPSLabelforPSDProducts)

ThemodulesaredesignedtomeetFIPS140-2Level2overall:

Table2-SecurityLevelofSecurityRequirements

Area Description Level

1 ModuleSpecification 2

2 PortsandInterfaces 2

3 RolesandServices 3

4 FiniteStateModel 2

5 PhysicalSecurity 2

6 OperationalEnvironment N/A

7 KeyManagement 2

8 EMI/EMC 2

9 Self-test 2

10 DesignAssurance 3

11 MitigationofOtherAttacks N/A

Overall 2

Page 5 FIPS Policy

Themoduleshavea limitedoperational environmentasper theFIPS140-2definitions. They includea firmware loadservicetosupportnecessaryupdates.NewfirmwareversionswithinthescopeofthisvalidationmustbevalidatedthroughtheFIPS140-2CMVP.AnyotherfirmwareloadedintothesemodulesisoutofthescopeofthisvalidationandrequireaseparateFIPS140-2validation.

ThemodulesdonotimplementanymitigationsofotherattacksasdefinedbyFIPS140-2.

2 HARDWAREANDPHYSICALCRYPTOGRAPHICBOUNDARY

Thephysicalformsofthemodule’svariousmodelsaredepictedinFigures1-5below.Forallmodelsthecryptographicboundaryisdefinedastheouteredgeofthechassis.TheSRX340andSRX345excludetheTITMP435ADGSRtemperaturesensorfromtherequirementsofFIPS140-2.

Figure1.SRX300

Figure2.SRX340

Page 6 FIPS Policy

Figure3.SRX345

Table3-PortsandInterfaces

Port Description LogicalInterfaceTypeEthernet LANCommunications Controlin,Datain,Dataout,StatusoutSerial Consoleserialport Controlin,StatusoutPower Powerconnector PowerinReset Resetbutton ControlinLED Statusindicatorlighting StatusoutUSB Firmwareloadport Controlin,DatainWAN SHDSL,VDSL,T1,E1 Controlin,Datain,Dataout,Statusout

2.1 MODEOFOPERATION

Thecryptographicmoduleprovidesanon-Approvedmodeofoperationinwhichnon-Approvedcryptographicalgorithmsaresupported.Themodulesupportsnon-Approvedalgorithmswhenoperatinginthenon-ApprovedmodeofoperationasdescribedinSections2.4and3.4.Whentransitioningbetweenthenon-ApprovedmodeofoperationandtheApprovedmodeofoperation,theCOmustzeroizeallCSPsbyfollowingtheinstructionsinSection1.3.Ifthemodulewaspreviouslyinanon-Approvedmodeofoperation,theCryptographicOfficermustzeroizetheCSPsbyfollowingtheinstructionsinSection1.4

Then,theCOmustrunthefollowingcommandstoconfigurethemoduleintotheApprovedmodeofoperation:

co@fips-srx#setsystemfipslevel2

co@fips-srx#commit

WhenTriple-DES isconfiguredas theencryption-algorithmfor IKEor IPsec, theCOmustconfigure the IPsecproposallifetime-kilobytestocomplywith[IGA.13]usingthefollowingcommand:

co@fips-srx:fips#setsecurityipsecproposal<ipsec_proposal_name>lifetime-kilobytes<kilobytes>”

Page 7 FIPS Policy co@fips-srx:fips#commit

WhenTriple-DESistheencryption-algorithmforIKE(regardlessoftheIPsecencryptionalgorithm),thelifetime-kilobytesfortheassociatedIPsecproposalmustbegreaterthanorequalto12800.

WhenTriple-DESistheencryption-algorithmforIPsec,thelifetime-kilobytesmustbelessthanorequalto33554432.

WhenAES-GCMisconfiguredastheencryption-algorithmforIKEorIPSec,theCOmustalsoconfigurethemoduletouseIKEv2byrunningthefollowingcommands:

co@fips-srx:fips#setsecurityikegateway<name>versionv2-only

<name>-theuserconfigurednamefortheIKEgateway

co@fips-srx:fips#commit

TheoperatorcanverifythemoduleisoperatingintheApprovedmodebyverifyingthefollowing:

• The“showversion”commandindicatesthatthemoduleisrunningtheApprovedfirmware(i.e.JUNOSSoftwareRelease[15.1X49-D60]).

• Thecommandpromptendsin“:fips”,whichindicatesthemodulehasbeenconfiguredintheApprovedmodeofoperation.

• The“showsecurityike”and“showsecurityipsec”commandsshowIKEv2isconfiguredwheneitheranIPsecorIKEproposalisconfiguredtouseAES-GCM.

2.2 ZEROIZATION

ThefollowingcommandallowstheCryptographicOfficertozeroizeCSPscontainedwithinthemodule:

co@fips-srx>requestsystemzeroize

Note:TheCryptographicOfficermustretaincontrolofthemodulewhilezeroizationisinprocess.

3 CRYPTOGRAPHICFUNCTIONALITY

Themodule implements theFIPSApproved,vendoraffirmed,andnon-ApprovedbutAllowedcryptographic functionslistedinTable4throughTable10below.Table11summarizesthehighlevelprotocolalgorithmsupport.

3.1 APPROVEDALGORITHMS

Referencestostandardsaregiveninsquarebracket[];seetheReferencestable.

Itemsenclosedincurlybrackets{}areCAVPtestedbutnotusedbythemoduleintheApprovedmode.

Table4–DataPlaneApprovedCryptographicFunctionsCAVPCert. Algorithm Mode Description Functions43484347 AES[197] CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt

Page 8 FIPS Policy

GCM[38D] KeySizes:128,192,256 Encrypt,Decrypt,AEAD

28882887 HMAC[198]

SHA-1 λ=96MessageAuthentication

SHA-256 λ=128

35853584 SHS[180] SHA-1

SHA-256 MessageDigestGeneration

23522351 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt

Table5–ControlPlaneAuthentecApprovedCryptographicFunctions

Cert Algorithm Mode Description Functions

4345 AES[197]CBC[38A] KeySizes:128,192,256 Encrypt,Decrypt

GCM[38D] KeySizes:128,256 Encrypt,Decrypt,AEAD

N/A1 CKG[133]Section6.2

AsymmetrickeygenerationusingunmodifiedDRBGoutput

[133]Section7.3 Derivationofsymmetrickeys

1051 CVLIKEv1[135] SHA256,384

KeyDerivationIKEv2[135] SHA256,384

10411040 ECDSA[186] P-256(SHA256)

P-384(SHA{256},384) KeyGen,SigGen,SigVer

2885 HMAC[198]{SHA-1}

IKEMessageAuthentication,IKEKDFPrimitiveSHA-256 λ=128,256

SHA-384 λ=192,384

N/A KTS

AESCert.#4345andHMACCert.#2885

Keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength

Triple-DESCert.#2349andHMACCert.#2885

Keyestablishmentmethodologyprovides112bitsofencryptionstrength

23612360 RSA[186] PKCS1_V1_

5n=2048(SHA256)n=4096(SHA256)2 SigGen,SigVer

3582 SHS[180]{SHA-1}SHA-256SHA-384

MessageDigestGeneration

2349 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt

1 Vendor Affirmed. 2 RSA 4096 SigGen was tested to FIPS 186-4; however, the CAVP certificate lists 4096 under FIPS 186-2.

Page 9 FIPS Policy

Table6–OpenSSLApprovedCryptographicFunctions

Cert Algorithm Mode Description Functions

1398 DRBG[90A] HMAC SHA-256ControlPlaneRandomBitGeneration/OpenSSLRandomBitGenerator

Table7–OpenSSLApprovedCryptographicFunctions

CAVPCert. Algorithm Mode Description Functions

4362 AES[197] CBC[38A]CTR[38A] KeySizes:128,192,256 Encrypt,Decrypt

N/A3 CKG[133]Section6.1[133]Section6.2

AsymmetrickeygenerationusingunmodifiedDRBGoutput

[133]Section7.3 Derivationofsymmetrickeys

1038 ECDSA[186]

{P-224(SHA256)}P-256(SHA256){P-384(SHA256)}

SigGen

{P-224(SHA256)}P-256(SHA256)P-384(SHA{256},384){P-521(SHA-256)}

KeyGen,SigVer

2902 HMAC[198]SHA-1 λ=160

SSHMessageAuthenticationDRBGPrimitiveSHA-256 λ=256

SHA-512 λ=512

N/A KTS

AESCert.#4362andHMACCert.#2902Keyestablishmentmethodologyprovidesbetween128and256bitsofencryptionstrength

Triple-DESCert.#2358andHMACCert.#2902Keyestablishmentmethodologyprovides112bitsofencryptionstrength

2358 RSA[186]

n=2048(SHA256){n=3072(SHA256)}n=4096(SHA256)4

SigGen

n=2048(SHA256){n=3072(SHA256)} KeyGen,SigVer

3600 SHS[180]

SHA-1SHA-256SHA-384

MessageDigestGeneration,SSHKDFPrimitive

SHA-512 MessageDigestGeneration

2358 Triple-DES[67] TCBC[38A] KeySize:192 Encrypt,Decrypt

3 Vendor Affirmed. 4 RSA 4096 SigGen was tested to FIPS 186-4; however, the CAVP certificate lists 4096 under FIPS 186-2.

Page 10 FIPS Policy

Table8–OpenSSHApprovedCryptographicFunctions

Cert Algorithm Mode Description Functions1071 CVL SSH[135] SHA1,256,384 KeyDerivation

Table9–LibMDApprovedCryptographicFunctions

Cert Algorithm Mode Description Functions

3586 SHS[180] SHA-256SHA-512 MessageDigestGeneration

3.2 ALLOWEDALGORITHMS

Table10-AllowedCryptographicFunctions

Algorithm Caveat Use

Diffie-Hellman[IG]D.8 Provides112bitsofencryptionstrength. Keyagreement;keyestablishment

EllipticCurveDiffie-Hellman[IG]D.8

Provides 128 or 192 bits of encryptionstrength. Keyagreement;keyestablishment

NDRNG Provides256bitsofentropy. SeedingtheDRBG

3.3 ALLOWEDPROTOCOLS

Table11-ProtocolsAllowedinFIPSMode

Protocol KeyExchange Auth Cipher Integrity

IKEv1 Diffie-Hellman(L=2048,N=2047)ECDiffie-HellmanP-256,P-384

RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384

Triple-DESCBC5AESCBC128/192/256AESGCM128/256

SHA-256,384

IKEv26 Diffie-Hellman(L=2048,N=2047)ECDiffie-HellmanP-256,P-384

RSA2048RSA4096Pre-SharedSecretECDSAP-256ECDSAP-384

Triple-DESCBC7AESCBC128/192/256AESGCM8128/256

SHA-256,384

5 The Triple-DES key for the IETF IKEv1 protocol is generated according to RFC 2409. 6 IKEv2 generates the SKEYSEED according to RFC7296. 7 The Triple-DES key for the IETF IKEv2 protocol is generated according to RFC 7296. 8 The GCM IV is generated according to RFC5282.

Page 11 FIPS Policy

IPsecESP

IKEv1withoptional:• Diffie-Hellman(L=2048,N=2047)• ECDiffie-HellmanP-256,P-384

IKEv1 3KeyTriple-DESCBC9AESCBC128/192/256 HMAC-SHA-

1-96HMAC-SHA-256-128

IKEv2withoptional:• Diffie-Hellman(L=2048,N=2047)• ECDiffie-HellmanP-256,P-384

IKEv2

3KeyTriple-DESCBC10AESCBC128/192/256AESGCM11128/192/256

SSHv2Diffie-Hellman(L=2048,N=2047)ECDiffie-HellmanP-256,P-384

ECDSAP-256Triple-DESCBC12AESCBC128/192/256AESCTR128/192/256

HMAC-SHA-1HMAC-SHA-256HMAC-SHA-512

NopartsoftheIKEv1,IKEv2,ESP,andSSHv2protocols,otherthantheKDF,havebeentestedbytheCAVPorCMVP.

TheIKEandSSHalgorithmsallowindependentselectionofkeyexchange,authentication,cipherandintegrity.InTable11-ProtocolsAllowedinFIPSModeabove,eachcolumnofoptionsforagivenprotocolisindependent,andmaybeusedinanyviablecombination.ThesesecurityfunctionsarealsoavailableintheSSHconnect(non-compliant)service.

3.4 DISALLOWEDALGORITHMS

Thesealgorithmsarenon-ApprovedalgorithmsthataredisabledwhenthemoduleisoperatedinanApprovedmodeofoperation.

• ARCFOUR• Blowfish• CAST• DSA(SigGen,SigVer;non-compliant)• HMAC-MD5• HMAC-RIPEMD160• UMAC

9 The Triple-DES key for the ESP protocol is generated by the IETF IKEv1 protocol according to RFC 2409. 10 The Triple-DES key for the ESP protocol is generated by the IETF IKEv2 protocol according to RFC 7296. 11 The GCM IV is generated according to RFC4106. 12 The Triple-DES key for the IETF SSHv2 protocol is generated according to RFCs 4253 and 4344.

Page 12 FIPS Policy

3.5 CRITICALSECURITYPARAMETERS

AllCSPsandpublickeysusedbythemodulearedescribedinthissection.

Table12-CriticalSecurityParameters(CSPs)

Name Descriptionandusage CKG

DRBG_Seed SeedmaterialusedtoseedorreseedtheDRBG N/ADRBG_State VandKeyvaluesfortheHMAC_DRBG N/A

SSHPHK SSHPrivatehostkey.1sttimeSSHisconfigured,thekeysaregenerated.ECDSAP-256.Usedtoidentifythehost. [133]Section6.1

SSHDHSSHDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinSSH.Diffie-Hellman(N=256bit,320bit,384bit,512bit,or1024bit13),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

[133]Section6.2

SSH-SEK SSHSessionKey;SessionkeysusedwithSSH.Triple-DES(3key),AES,HMAC. [133]Section7.3

ESP-SEK IPSecESPSessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3IKE-PSK Pre-SharedKeyusedtoauthenticateIKEconnections. N/AIKE-Priv IKEPrivateKey.RSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1IKE-SKEYID IKESKEYID.IKEsecretusedtoderiveIKEandIPsecESPsessionkeys. [133]Section7.3IKE-SEK IKESessionKeys.Triple-DES(3key),AES,HMAC. [133]Section7.3

IKE-DH-PRIIKEDiffie-Hellmanprivatecomponent.EphemeralDiffie-HellmanprivatekeyusedinIKE.Diffie-HellmanN=224bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

[133]Section6.2

CO-PW ASCIITextusedtoauthenticatetheCO. N/AUser-PW ASCIITextusedtoauthenticatetheUser. N/A

Table13-PublicKeys

Name Descriptionandusage CKGSSH-PUB SSHPublicHostKeyusedtoidentifythehost.ECDSAP-256. [133]Section6.1

SSH-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinSSHkeyestablishment.DH(L=2048bit),ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

[133]Section6.2

IKE-PUB IKEPublicKeyRSA2048,RSA4096,ECDSAP-256,orECDSAP-384 [133]Section6.1

IKE-DH-PUBDiffie-Hellmanpubliccomponent.EphemeralDiffie-HellmanpublickeyusedinIKEkeyestablishment.Diffie-HellmanL=2048bit,ECDiffie-HellmanP-256,orECDiffie-HellmanP-384

[133]Section6.2

13 SSH generates a Diffie-Hellman private key that is 2x the bit length of the longest symmetric or MAC key negotiated.

Page 13 FIPS Policy

Name Descriptionandusage CKG

Auth-UPub SSHUserAuthenticationPublicKeys.Usedtoauthenticateuserstothemodule.ECDSAP-256orP-384 N/A

Auth-COPub SSHCOAuthenticationPublicKeys.UsedtoauthenticateCOtothemodule.ECDSAP-256orP-384 N/A

RootCA JuniperRootCA.ECDSAP-256orP-384X.509Certificate;UsedtoverifythevalidityoftheJuniperPackageCAatsoftwareload. N/A

PackageCA PackageCA.ECDSAP-256X.509Certificate;UsedtoverifythevalidityofJuniperImagesatsoftwareloadandboot. N/A

4 ROLES,AUTHENTICATIONANDSERVICES

4.1 ROLESANDAUTHENTICATIONOFOPERATORSTOROLES

Themodulesupportstworoles:CryptographicOfficer(CO)andUser.Themodulesupportsconcurrentoperators,butdoesnot support a maintenance role and/or bypass capability. Themodule enforces the separation of roles using eitheridentity-basedoperatorauthentication.

TheCryptographicOfficerroleconfiguresandmonitorsthemoduleviaaconsoleorSSHconnection.Asrootorsuper-user,theCryptographicOfficerhaspermissiontoviewandeditsecretswithinthemodule.

TheUserrolemonitorstherouterviatheconsoleorSSH.Theuserrolemaynotchangetheconfiguration.

4.2 AUTHENTICATIONMETHODS

ThemoduleimplementstwoformsofIdentity-Basedauthentication,usernameandpasswordovertheConsoleandSSHaswellasusernameandpublickeyoverSSH.

Password authentication: The module enforces 10-character passwords (at minimum) chosen from the 96 humanreadableASCIIcharacters.Themaximumpasswordlengthis20characters.

Themoduleenforcesatimedaccessmechanismasfollows:Forthefirsttwofailedattempts(assuming0timetoprocess),notimedaccessisenforced.Uponthethirdattempt,themoduleenforcesa5-seconddelay.Eachfailedattemptthereafterresultsinanadditional5-seconddelayabovetheprevious(e.g.4thfailedattempt=10-seconddelay,5thfailedattempt=15-seconddelay,6thfailedattempt=20-seconddelay,7thfailedattempt=25-seconddelay).

Thisleadstoamaximumofnine(9)possibleattemptsinaone-minuteperiodforeachgetty.Thebestapproachfortheattackerwouldbetodisconnectafter4failedattemptsandwaitforanewgettytobespawned.Thiswouldallowtheattackertoperformroughly9.6attemptsperminute;thiswouldberoundeddownto9perminute,becausethereisnosuchthingas0.6attempts.Thustheprobabilityofasuccessfulrandomattemptis1/9610,whichislessthan1/1million.Theprobabilityofa successwithmultiple consecutiveattempts inaone-minuteperiod is9/(9610),which is less than1/100,000.

ECDSAsignatureverification:SSHpublic-keyauthentication.Processingconstraintsallowforamaximumof56,000,000ECDSAattemptsperminute.ThemodulesupportsECDSA(P-256andP-384).Theprobabilityofasuccesswithmultipleconsecutiveattemptsinaone-minuteperiodis56,000,000/(2128).

4.3 SERVICES

Allservicesimplementedbythemodulearelistedinthetablesbelow.

Page 14 FIPS Policy Table16liststheaccesstoCSPsbyeachservice.

Table14-AuthenticatedServices

Service Description CO User

Configuresecurity Securityrelevantconfiguration x

Configure Non-securityrelevantconfiguration x

SecureTraffic IPsecprotectedconnection(ESP) x

Status Showstatus x x

Zeroize DestroyallCSPs x

SSHconnect InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x

IPsecconnect InitiateIPsecconnection(IKE) x

Consoleaccess Consolemonitoringandcontrol(CLI) x x

Remotereset Softwareinitiatedreset x

Table15-UnauthenticatedTraffic

Service Description

Localreset Hardwareresetorpowercycle

Traffic Trafficrequiringnocryptographicservices

Page 15 FIPS Policy

Table16-CSPAccessRightswithinServices

Service

CSPs

DRBG

_Seed

DRBG

_State

SSHPH

K

SSHDH

SSH-SEK

ESP-SEK

IKE-PSK

IKE-Priv

IKE-SKEYID

IKE-SEK

IKE-DH

-PRI

CO-PW

User-PW

Configuresecurity -- E GWR -- -- -- WR GWR -- -- -- W W

Configure -- -- -- -- -- -- -- -- -- -- -- -- --

Securetraffic -- -- -- -- -- E -- -- -- E -- -- --

Status -- -- -- -- -- -- -- -- -- -- -- -- --

Zeroize -- Z Z -- -- -- Z Z -- -- -- Z Z

SSHconnect -- E E GE GE -- -- -- -- -- -- E E

IPsecconnect -- E -- -- -- G E E G G G -- --

Consoleaccess -- -- -- -- -- -- -- -- -- -- -- E E

Remotereset GZE GZ -- Z Z Z -- -- Z Z Z Z Z

Localreset GZE GZ -- Z Z Z -- -- Z Z Z Z Z

Traffic -- -- -- -- -- -- -- -- -- -- -- -- --

G=Generate:ThemodulegeneratestheCSPR=Read:TheCSPisreadfromthemodule(e.g.theCSPisoutput)E=Execute:ThemoduleexecutesusingtheCSPW=Write:TheCSPiswrittentopersistentstorageinthemoduleZ=Zeroize:ThemodulezeroizestheCSP.

Table17:PublicKeyAccessRightswithinServices

ServicePublicKeys

SSH-PUB

SSH-DH-PUB

IKE-PUB

IKE-DH-PUB

Auth-UPub

Auth-COPub

Root-CA

Package-CA

Configuresecurity GWR - GWR - W W - -

Configure - - - - - - - -Securetraffic - - - - - - - -

Status - - - - - - - -

Zeroize Z - Z Z Z Z - -

SSHconnect E GE - - E E - -IPsecconnect - - E GE - - - -

Consoleaccess - - - - - - - -

Page 16 FIPS Policy

Remotereset - Z - Z Z Z - E

Localreset - Z - Z Z Z - E

Traffic - - - - - - - -Softwareload - - - - - - EW EW

G=Generate:Themodulegeneratesthekey.R=Read:Thekeyisreadfromthemodule(e.g.thekeyisoutput).E=Execute:Themoduleexecutesusingthekey.W=Write:Thekeyiswrittentopersistentstorageinthemodule.Z=Zeroize:Themodulezeroizesthekey.

4.4 NON-APPROVEDSERVICES

Thefollowingservicesareavailableinthenon-Approvedmodeofoperation.Thesecurityfunctionsprovidedbythenon-ApprovedservicesareidenticaltotheApprovedcounterpartswiththeexceptionofSSHConnect(non-compliant).SSHConnect(non-compliant)supportsthesecurityfunctionsidentifiedinSection2.3andtheSSHv2rowofTable11-ProtocolsAllowedinFIPSMode.

Table18-AuthenticatedServices

Service Description CO UserConfiguresecurity(non-compliant) Securityrelevantconfiguration x

Configure(non-compliant) Non-securityrelevantconfiguration x

SecureTraffic(non-compliant) IPsecprotectedconnection(ESP) x

Status(non-compliant) Showstatus x x

Zeroize(non-compliant) DestroyallCSPs x

SSHconnect(non-compliant)

InitiateSSHconnectionforSSHmonitoringandcontrol(CLI) x x

IPsecconnect(non-compliant) InitiateIPsecconnection(IKE) x

Consoleaccess(non-compliant) Consolemonitoringandcontrol(CLI) x x

Remotereset(non-compliant) Softwareinitiatedreset x

Page 17 FIPS Policy

Table19-Unauthenticatedtraffic

Service DescriptionLocalreset(non-compliant) Hardwareresetorpowercycle

Traffic(non-compliant) Trafficrequiringnocryptographicservices

5 SELF-TESTS

Eachtimethemoduleispoweredup,itteststhatthecryptographicalgorithmsstilloperatecorrectlyandthatsensitivedatahasnotbeendamaged.Power-upself–testsareavailableondemandbypowercyclingthemodule.

Onpoweruporreset,themoduleperformstheself-testsdescribedbelow.AllKATsmustbecompletedsuccessfullypriortoanyotheruseofcryptographybythemodule.IfoneoftheKATsfails,themoduleenterstheCriticalFailureerrorstate.

Themoduleperformsthefollowingpower-upself-tests:

• FirmwareIntegritycheckusingECDSAP-256withSHA-256• DataPlaneKATs

o AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA-256KATo AES-GCM(128/192/256)EncryptKATo AES-GCM(128/192/256)DecryptKAT

• ControlPlaneAuthentecKATso RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo ECDSAP-256w/SHA-256Sign/VerifyPCTo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA2-256KATo HMAC-SHA2-384KATo AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKATo AES-GCM(128/256)EncryptKATo AES-GCM(128/256)DecryptKATo KDF-IKE-V1KATo KDF-IKE-V2KAT

• HMAC_DRBGKATo SP800-90AHMACDRBGKAT

§ Health-testsinitialize,re-seed,andgenerate.

Page 18 FIPS Policy

• OpenSSLKATso ECDSAP-256Sign/VerifyPCTo ECDiffie-HellmanP-256KAT

§ Derivationoftheexpectedsharedsecret.o RSA2048w/SHA-256SignKATo RSA2048w/SHA-256VerifyKATo Triple-DES-CBCEncryptKATo Triple-DES-CBCDecryptKATo HMAC-SHA-1KATo HMAC-SHA2-256KATo HMAC-SHA2-384KATo HMAC-SHA2-512KATo AES-CBC(128/192/256)EncryptKATo AES-CBC(128/192/256)DecryptKAT

• OpenSSHKATo KDF-SSHKAT

• LibmdKATso HMAC-SHA2-256KATo SHA-2-512KAT

• CriticalFunctionTest

o Thecryptographicmoduleperformsaverificationofalimitedoperationalenvironment.

Uponsuccessfulcompletionoftheself-tests,themoduleoutputs“FIPSself-testscompleted.”tothelocalconsole.

Ifaself-testfails,themoduleoutputs“<self-testname>:Failed”tothelocalconsoleandautomaticallyreboots.

Themodulealsoperformsthefollowingconditionalself-tests:

• ContinuousRNGTestontheSP800-90AHMAC-DRBG• ContinuousRNGtestontheNDRNG• PairwiseconsistencytestwhengeneratingECDSAandRSAkeypairs.• FirmwareLoadTest(ECDSAP-256withSHA-256signatureverification)

6 PHYSICALSECURITYPOLICY

The module’s physical embodiment is that of a multi-chip standalone device that meets Level 2 Physical Securityrequirements.Themoduleiscompletelyenclosedinarectangularnickelorclearzinccoated,coldrolledsteel,platedsteelandbrushedaluminumenclosure.Therearenoventilationholes,gaps,slits,cracks,slots,orcrevicesthatwouldallowforanysortofobservationofanycomponentcontainedwithinthecryptographicboundary.Tamper-evidentsealsallowtheoperator to tell if theenclosurehasbeenbreached.These sealsarenot factory-installedandmustbeappliedby theCryptographic Officer. (Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) Thetamper-evidentsealsshallbeinstalledforthemoduletooperateinaFIPSmodeofoperation.

TheCryptographicOfficerisresponsibleforsecuringandhavingcontrolatalltimesofanyunusedsealsandthedirectcontrol and observation of any changes to themodule, such as reconfigurations where the tamper-evident seals or

Page 19 FIPS Policy securityappliancesareremovedorinstalled,toensurethesecurityofthemoduleismaintainedduringsuchchangesandthemoduleisreturnedtoaFIPSApprovedstate.

Table20–PhysicalSecurityInspectionGuidelines

PhysicalSecurityMechanism RecommendedFrequencyofInspection/Test

Inspection/TestGuidanceDetails

Tamperseals,opaquemetalenclosure.

OncepermonthbytheCryptographicOfficer.

Sealsshouldbefreeofanytamperevidence.

IftheCryptographicOfficerobservestamperevidence,itshallbeassumedthatthedevicehasbeencompromised.TheCryptographicOfficershallretaincontrolofthemoduleandperformzeroizationofthemodule'sCSPsbyfollowingthestepsinSection2.2oftheSecurityPolicy.

6.1 GENERALTAMPERSEALPLACEMENTANDAPPLICATIONINSTRUCTIONS

Forallsealapplications,theCryptographicOfficershouldobservethefollowinginstructions:

• Handlethesealswithcare.Donottouchtheadhesiveside.• Beforeapplyingaseal,ensurethelocationofapplicationisclean,dry,andclearofanyresidue.• Placethesealonthemodule,applyingfirmpressureacrossittoensureadhesion.Allowatleast1hourforthe

adhesivetocure.

Page 20 FIPS Policy

6.2 SRX300(4SEALS)

Atamper-evidentsealmustbeappliedtothefollowinglocation:

• Thebottomofthechassis,coveringthefourchassisscrews.

Figure4.SRX300Tamper-EvidentSealPlacement-Four(4)Seals

Page 21 FIPS Policy

6.3 SRX340/345(27SEALS)

Tamper-evidentsealsmustbeappliedtothefollowinglocations:

• Thetopofthechassis,coveringoneofthefivechassisscrews.1-5.Fiveseals.• TheI/OSlots.6-9.Fourseals.• Therarepanel,coveringtheblankfaceplateandtheSSD.10-11.Twoseals.• Sidepanelsoverthescrewholes.Eightoneachside12-27.SixteenSeals

Totalof27seals

Figure5.SRX340/SRX345Tamper-EvidentSealPlacement-TopCover.Nine(9)Seals

Page 22 FIPS Policy

Figure6.SRX340/345Tamper-EvidentSealPlacement-RarePanel.Two(2)Seals

Figure7.SRX340/SRX345Tamper-EvidentSealPlacement-SidePanelsOvertheScrewHoles.Eightoneachside(16)Seals

Page 23 FIPS Policy

7 SECURITYRULESANDGUIDANCE

The module design corresponds to the security rules below. The termmust in this context specifically refers to arequirement for correct usage of the module in the Approved mode; all other statements indicate a security ruleimplementedbythemodule.

1. Themoduleclearspreviousauthenticationsonpowercycle.2. Whenthemodulehasnotbeenplacedinavalidrole,theoperatordoesnothaveaccesstoanycryptographicservices.3. Powerupself-testsdonotrequireanyoperatoraction.4. Dataoutputisinhibitedduringkeygeneration,self-tests,zeroization,anderrorstates.5. StatusinformationdoesnotcontainCSPsorsensitivedatathatifmisusedcouldleadtoacompromiseofthemodule.6. TherearenorestrictionsonwhichkeysorCSPsarezeroizedbythezeroizationservice.7. Themoduledoesnotsupportamaintenanceinterfaceorrole.8. Themoduledoesnotsupportmanualkeyentry.9. Themoduledoesnotoutputintermediatekeyvalues.10. ThemodulerequirestwoindependentinternalactionstobeperformedpriortooutputtingplaintextCSPs(i.e.SSH

PHK,IKE-PSK,orIKE-PrivviatheConfiguresecurityservice).11. Thecryptographicofficermustdeterminewhetherfirmwarebeingloadedisalegacyuseofthefirmwareloadservice.12. Thecryptographicofficermustretaincontrolofthemodulewhilezeroizationisinprocess.13. ThecryptographicofficermustconfigurethemoduletouseIKEv2whenGCMisconfiguredforIKEorIPsecESP.14. ThecryptographicofficermustconfigurethemoduletoIPsecESPlifetime-kilobytestoensurethemoduledoesnot

encryptmorethan2^32blockswithasingleTriple-DESkeywhenTriple-DESistheencryption-algorithmforIKEand/orIPsecESP.

8 REFERENCESANDDEFINITIONS

ThefollowingstandardsarereferredtointhisSecurityPolicy.

Table21–References

Abbreviation FullSpecificationName

[FIPS140-2] SecurityRequirementsforCryptographicModules,May25,2001

[SP800-131A] Transitions:RecommendationforTransitioningtheUseofCryptographicAlgorithmsandKeyLengths,January2011

[IG] ImplementationGuidanceforFIPSPUB140-2andtheCryptographicModuleValidationProgram

[133] NISTSpecialPublication800-133,RecommendationforCryptographicKeyGeneration,December2012

[135] National Institute of Standards and Technology, Recommendation for ExistingApplication-Specific Key Derivation Functions, Special Publication 800-135rev1,December2011.

Page 24 FIPS Policy Abbreviation FullSpecificationName

[186] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-4,July,2013.

[186-2] National Institute of Standards and Technology, Digital Signature Standard (DSS),FederalInformationProcessingStandardsPublication186-2,January2000.

[197] National InstituteofStandardsandTechnology,AdvancedEncryptionStandard(AES),FederalInformationProcessingStandardsPublication197,November26,2001

[38A] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation,MethodsandTechniques,SpecialPublication800-38A,December2001

[38D] National Institute of Standards and Technology, Recommendation for Block CipherModesofOperation:Galois/CounterMode(GCM)andGMAC,SpecialPublication800-38D,November2007

[198] National Institute of Standards and Technology, The Keyed-Hash MessageAuthenticationCode(HMAC),FederalInformationProcessingStandardsPublication198-1,July,2008

[180] National Institute of Standards and Technology, Secure Hash Standard, FederalInformationProcessingStandardsPublication180-4,August,2015

[67] National Instituteof StandardsandTechnology,Recommendation for theTripleDataEncryptionAlgorithm(TDEA)BlockCipher,SpecialPublication800-67,May2004

[90A] NationalInstituteofStandardsandTechnology,RecommendationforRandomNumberGenerationUsingDeterministic RandomBit Generators, Special Publication 800-90A,June2015.

Table22–AcronymsandDefinitions

Acronym DefinitionAES AdvancedEncryptionStandardDSA DigitalSignatureAlgorithmECDiffie-Hellman

EllipticCurveDiffie-Hellman

ECDSA EllipticCurveDigitalSignatureAlgorithmEMC ElectromagneticCompatibilityESP EncapsulatingSecurityPayloadFIPS FederalInformationProcessingStandardHMAC Keyed-HashMessageAuthenticationCodeICV IntegrityCheckValue(i.e.Tag)IKE InternetKeyExchangeProtocolIOC Input/OutputCardIPsec InternetProtocolSecurityMD5 MessageDigest5

Page 25 FIPS Policy Acronym DefinitionNPC NetworkProcessingCardRE RoutingEngineRSA Public-keyencryptiontechnologydevelopedbyRSADataSecurity,Inc.SHA SecureHashAlgorithmsSPC ServicesProcessingCardSSH SecureShellTriple-DES

Triple-DataEncryptionStandard

Table23–Datasheets

Model Title URLSRX300SRX340SRX345

SRX300LineofServicesGatewaysfortheBranch

http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000550-en.pdf