
Configuring Administrative Privileges


Understanding Roles and Services for Junos OS in FIPS Mode

The FIPS 140-2 standard defines two user roles: Crypto Officer and FIPS user. These roles are defined in terms of Junos OS user capabilities. All other user types defined for Junos OS in FIPS mode (operator, administrative user, and so on) must fall into one of the two categories: Crypto Officer or FIPS user.

Crypto Officers perform all FIPS-mode-related configuration tasks and issue all statements and commands for Junos OS in FIPS mode. Crypto Officer and FIPS user configurations must follow the guidelines for Junos OS in FIPS mode.

For details, see the following sections.

Crypto Officer Role and Responsibilities

The Crypto Officer is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. The Crypto Officer securely installs Junos OS on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before network connection.

Best Practice

We recommend that the Crypto Officer administer the system in a secure manner by keeping passwords secure and checking audit files.

The permissions that distinguish the Crypto Officer from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Crypto Officer to a login class that contains all of these permissions. A user with the Junos OS maintenance permission can read files containing critical security parameters (CSPs).

Note

Junos OS in FIPS mode does not support the FIPS 140-2 maintenance role, which is different from the Junos OS maintenance permission.

Among the tasks related to Junos OS in FIPS mode, the Crypto Officer is expected to:

  • Set the initial root password. The password must be at least 10 characters long.

  • Reset user passwords with FIPS-approved algorithms.

  • Examine log and audit files for events of interest.

  • Erase user-generated files, keys, and data by zeroizing the device.

FIPS User Role and Responsibilities

All FIPS users, including the Crypto Officer, can view the configuration. Only the user assigned as the Crypto Officer can modify the configuration.

A FIPS user can view status output but cannot reboot or zeroize the device.

What Is Expected of All FIPS Users

All FIPS users, including the Crypto Officer, must observe security guidelines at all times.

All FIPS users must:

  • Keep all passwords confidential.

  • Store devices and documentation in a secure area.

  • Deploy devices in secure areas.

  • Check audit files periodically.

  • Conform to all other FIPS 140-2 security rules.

  • Follow these guidelines:

    • Users are trusted.

    • Users abide by all security guidelines.

    • Users do not deliberately compromise security.

    • Users behave responsibly at all times.

Understanding the Operational Environment for Junos OS in FIPS Mode

A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operational environment that is different from the environment of a device in non-FIPS mode:

Hardware Environment for Junos OS in FIPS Mode

Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross in plain text. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-2 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis, which includes the encryption services PIC (MS-MIC).

Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.

Software Environment for Junos OS in FIPS Mode

A Juniper Networks device running Junos OS in FIPS mode forms a special type of nonmodifiable operational environment. To achieve this environment on the device, the system prevents the execution of any binary file that was not part of the certified Junos OS in FIPS mode distribution. When a device is in FIPS mode, it can run only Junos OS.

FIPS mode on the MX104 device is available in Junos OS Release 18.2R1 and later. The Junos OS in FIPS mode software environment is established after the Crypto Officer successfully enables FIPS mode on a device. The Junos OS Release 18.2R1 image that includes FIPS mode is available on the Juniper Networks website and can be installed on a functioning device.

For FIPS 140-2 compliance, we recommend that you delete all user-created files and data by zeroizing the device before enabling FIPS mode.

Enabling FIPS mode disables many of the usual Junos OS protocols and services. In particular, you cannot configure the following services in Junos OS in FIPS mode:

  • finger

  • ftp

  • rlogin

  • telnet

  • tftp

  • xnm-clear-text

Attempts to configure these services, or load configurations with these services configured, result in a configuration syntax error.

You can use only SSH as a remote access service.

All passwords established for users after upgrading to Junos OS in FIPS mode must conform to Junos OS in FIPS mode specifications. Passwords must be between 10 and 20 characters in length and require the use of at least three of the five defined character sets (uppercase and lowercase letters, digits, punctuation marks, and keyboard characters, such as % and &, not included in the other four categories). The default password format in FIPS mode is SHA512. Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size.

Note

Do not attach the device to a network until the Crypto Officer completes configuration from the local console connection.

For strict compliance, do not examine core and crash dump information on the local console in Junos OS in FIPS mode because some CSPs might be shown in plain text.

Critical Security Parameters

Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.

Zeroization of the system erases all traces of CSPs in preparation for operating the device or Routing Engine as a cryptographic module.

Table 1 lists CSPs on devices running Junos OS.

Table 1: Critical Security Parameters

| CSP | Description | Zeroize | Use |
|---|---|---|---|
| SSH-2 private host key | ECDSA / RSA key used to identify the host, generated the first time SSH is configured. | Zeroize command. | Used to identify the host. |
| SSH-2 session keys | Session key used with SSH-2 and as a Diffie-Hellman private key. Encryption: 3DES, AES-128, AES-192, AES-256. MACs: HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512. Key exchange: ECDH-sha2-nistp256, ECDH-sha2-nistp384, and ECDH-sha2-nistp521. | Power cycle and terminate session. | Symmetric key used to encrypt data between host and client. |
| User authentication key | Hash of the user's password: SHA256, SHA512. | Zeroize command. | Used to authenticate a user to the cryptographic module. |
| Crypto Officer authentication key | Hash of the Crypto Officer's password: SHA256, SHA512. | Zeroize command. | Used to authenticate the Crypto Officer to the cryptographic module. |
| HMAC DRBG seed | Seed for the deterministic random bit generator (DRBG). | Seed is not stored by the cryptographic module. | Used for seeding the DRBG. |
| HMAC DRBG V value | The value (V) of output block length (outlen) in bits, which is updated each time another outlen bits of output are produced. | Power cycle. | A critical value of the internal state of the DRBG. |
| HMAC DRBG key value | The current value of the outlen-bit key, which is updated at least once each time that the DRBG mechanism generates pseudorandom bits. | Power cycle. | A critical value of the internal state of the DRBG. |
| NDRNG entropy | Used as the entropy input string to the HMAC DRBG. | Power cycle. | A critical value of the internal state of the DRBG. |

In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form. Any CSP encrypted with a non-approved algorithm is considered plain text by FIPS.

Best Practice

For FIPS compliance, configure the device over SSH connections because they are encrypted connections.

Local passwords are encrypted with the SHA256 or SHA512 algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.

Understanding Password Specifications and Guidelines for Junos OS

All passwords established for users by the Crypto Officer must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.

  • Length. Passwords must contain between 10 and 20 characters.

  • Character set requirements. Passwords must contain at least three of the following five defined character sets:

    • Uppercase letters

    • Lowercase letters

    • Digits

    • Punctuation marks

    • Keyboard characters not included in the other four sets—such as the percent sign (%) and the ampersand (&)

  • Authentication requirements. All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size.

  • Password encryption. To change the default encryption method (SHA512) include the format statement at the [edit system login password] hierarchy level.
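The length and character-set rules above (also stated in Software Environment for Junos OS in FIPS Mode) can be checked before a password is ever typed at the New password prompt. The following checker is an added example written for this page, not Juniper code, and it does not know what the device itself will accept. One assumption is labelled in the code: the page does not say which symbols count as punctuation marks and which count as other keyboard characters such as % and &, so that split is the example's own choice; it only matters when a password's symbols are its third character set.

```python
"""Checker for the Junos OS FIPS-mode password rules described on this page:
10 to 20 characters, using at least three of five character sets.

Added example, not Juniper code. Assumption: the page does not say which
symbols are "punctuation marks" and which are "other keyboard characters",
so the split below is the example's own.
"""
import string
from typing import List

MIN_LEN, MAX_LEN = 10, 20   # length rule from the page
REQUIRED_SETS = 3           # at least three of the five character sets

# Assumed split of the ASCII symbols into the page's two symbol classes.
PUNCTUATION = set(".,;:!?'\"-()[]{}")
OTHER_KEYBOARD = set(string.punctuation) - PUNCTUATION  # % & @ # $ ^ * + = / \ | ~ ` < > _


def character_sets_used(password: str) -> List[str]:
    """Names of the five FIPS character sets that appear in the password."""
    sets = [
        ("uppercase", lambda c: "A" <= c <= "Z"),
        ("lowercase", lambda c: "a" <= c <= "z"),
        ("digits", lambda c: "0" <= c <= "9"),
        ("punctuation", lambda c: c in PUNCTUATION),
        ("other-keyboard", lambda c: c in OTHER_KEYBOARD),
    ]
    return [name for name, test in sets if any(test(c) for c in password)]


def check_fips_password(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password conforms."""
    problems = []
    n = len(password)
    if not MIN_LEN <= n <= MAX_LEN:
        problems.append(f"length {n} is outside {MIN_LEN}-{MAX_LEN} characters")
    used = character_sets_used(password)
    if len(used) < REQUIRED_SETS:
        problems.append(
            f"uses {len(used)} of 5 character sets ({', '.join(used) or 'none'}); "
            f"at least {REQUIRED_SETS} required"
        )
    return problems


def is_fips_password(password: str) -> bool:
    """True when the password satisfies both the length and the character-set rule."""
    return not check_fips_password(password)


if __name__ == "__main__":
    # Constructed sample candidates for illustration, not real credentials.
    for candidate in ["Sunny-Day-2024", "password", "ABCDEFGHIJ1", "aVeryLongPassword!!!!!"]:
        verdict = check_fips_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The checker reports every violated rule rather than stopping at the first one, so a rejected candidate shows at once whether it is too short, too long, or too uniform. The uppercase, lowercase and digit tests are restricted to ASCII on purpose; whether the device counts non-ASCII letters toward a character set is not stated on the page.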

Guidelines for strong passwords. Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:

  • Easy to remember so that users are not tempted to write it down.

  • Made up of mixed alphanumeric characters and punctuation. For FIPS compliance include at least one change of case, one or more digits, and one or more punctuation marks.

  • Changed periodically.

  • Not divulged to anyone.

Characteristics of weak passwords. Do not use the following weak passwords:

  • Words that might be found in, or exist as a permuted form in, system files such as /etc/passwd.

  • The hostname of the system (always a first guess).

  • Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies or television shows.

  • Permutations on any of the above—for example, a dictionary word with letters replaced with digits (r00t) or with digits added to the end.

  • Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so must not be used.

Downloading Software Packages from Juniper Networks

You can download the following Junos OS software packages from the Juniper Networks website:

  • Junos fips-mode package fips-mode-powerpc-18.2R1.9-signed.tgz.

  • Junos jpfe-fips package jpfe-fips-powerpc-18.2R1.9-signed.tgz.

  • For the MX104 device, download jinstall-ppc-18.2R1.9-signed.tgz.

Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://www.juniper.net/registration/Register.jsp.

To download software packages from Juniper Networks:

  1. Using a Web browser, follow the links to the download URL on the Juniper Networks webpage.

    https://www.juniper.net/support/downloads/junos.html

  2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  3. Download the software. See Downloading Software.

Installing Software on a Device

Note

Junos OS is delivered in signed packages that contain digital signatures to ensure that genuine Juniper Networks software is running. When installing the software packages, Junos OS validates the signatures and the public key certificates used to digitally sign the software packages. If the signature or certificate is found to be invalid (for example, when the certificate validity period has expired or cannot be verified against the root CA stored in the Junos OS internal store), the installation process fails.

You can use this procedure to upgrade Junos OS on a device with a single Routing Engine.

To install software upgrades on a device with a single Routing Engine:

  1. Download the software package as described in Downloading Software Packages from Juniper Networks.
  2. If you have not already done so, connect to the console port on the device from your management device, and log in to the Junos OS CLI.
  3. (Optional) Back up the current software configuration to a second storage option. See the Junos OS Installation and Upgrade Guide for instructions on performing this task.
  4. (Optional) Copy the software package to the device.

    This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.

  5. Install the new Junos OS image on the device:

    Replace package with one of the following paths:

    • For a software package in a local directory on the device, use /var/tmp/package.tgz.

    • For a software package on a remote server, use one of the following paths, replacing package with the software package name—for example, jinstall-ppc-18.2R1.9-signed.tgz.

      • ftp://hostname/pathname/package.tgz

      • http://hostname/pathname/package.tgz

  6. Reboot the device to load the installation:
  7. After the reboot has completed, log in and use the show version command to verify that the new version of the software is successfully installed. If you installed the Junos FIPS mode package, verify that the FIPS mode utilities are present—as shown in the following example:

Understanding Zeroization to Clear System Data

Zeroization completely erases all configuration information on the Routing Engines, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.

The Crypto Officer initiates the zeroization process by entering the request system zeroize operational command for MX104 devices from the CLI after enabling FIPS mode. Use of this command is restricted to the Crypto Officer. (To zeroize the system before enabling FIPS mode, use the request system zeroize command to completely wipe out older CSPs and scrub memory.)

Caution

Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The device is returned to the factory default state, without any configured users or configuration files.

Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.

Why Zeroize?

Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered—or reentered—while the device is in FIPS mode.

For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.

When to Zeroize?

As Crypto Officer, perform zeroization in the following situations:

  • Before FIPS operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode.

  • Before non-FIPS operation: To begin repurposing your device for non-FIPS operation, perform zeroization.

    Note

    Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.

Zeroizing the System

Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered—or reentered—while the device is in FIPS mode.

For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.

As Crypto Officer, you run the request system zeroize command to remove all user-created files from a device and replace the user data with zeros. This command completely erases all configuration information on the Routing Engines, including all rollback configuration files and plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.

Note

Zeroization is required on the MX104 device before you upgrade in FIPS mode.

To zeroize your device:

  1. From the CLI, enter the request system zeroize command.
  2. To initiate the zeroization process, type yes at the prompt:

    The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.

Enabling FIPS Mode

When Junos OS is installed on a device and the device is powered on, it is ready to be configured. Initially, you log in as the user root with no password.

As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.

Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.

To enable FIPS mode in Junos OS on the device:

  1. Zeroize the device to delete all CSPs before entering FIPS mode. Refer to Understanding Zeroization to Clear System Data section for details.
  2. After the device comes up in Amnesiac mode, log in with the username root and a blank password.
  3. Configure root authentication.
  4. Load the configuration onto the device and commit it. Configure the crypto-officer user and log in with the crypto-officer credentials.
  5. Install the fips-mode package, which is needed for the Routing Engine Known Answer Tests (KATs).
  6. Install the jpfe-fips package, which is needed for the MS-MIC line card KATs.
  7. Configure the chassis FIPS boundary with set system fips chassis level 1 and commit.

    The device might display the warning Encrypted-password must be re-configured to use FIPS compliant hash, which indicates that older CSPs in the loaded configuration must be deleted and reconfigured.

  8. After you delete and reconfigure the CSPs, the commit succeeds and the device must be rebooted to enter FIPS mode.
  9. After the reboot, the FIPS self-tests run and the device enters FIPS mode.

Configuring Crypto Officer and FIPS User Identification and Access

Crypto Officers perform all configuration tasks for Junos OS in FIPS mode and issue all Junos OS in FIPS mode statements and commands. Crypto Officer and FIPS user configurations must follow Junos OS in FIPS mode guidelines.

Configuring Crypto Officer Access

Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.

For FIPS 140-2 compliance, a user with the secret, security, maintenance, and control permission bits set is a Crypto Officer. In most cases the super-user class suffices for the Crypto Officer.

To configure login access for a Crypto Officer:

  1. Log in to the device with the root password if you have not already done so, and enter configuration mode:
  2. Name the user crypto-officer and assign the Crypto Officer a user ID (for example, 6400, which must be a unique number associated with the login account in the range of 100 through 64000) and a class (for example, super-user). When you assign the class, you assign the permissions—for example, secret, security, maintenance, and control.

    For a list of permissions, see Understanding Junos OS Access Privilege Levels.

    For example:

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS, assign the Crypto Officer a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.

    For example:

  4. Optionally, display the configuration:
  5. If you are finished configuring the device, commit the configuration and exit:

    Otherwise, go on to Configuring FIPS User Login Access.

Configuring FIPS User Login Access

A fips-user is defined as a user who does not have the secret, security, maintenance, and control permission bits set.

As the Crypto Officer you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Crypto Officer—for example, permission to zeroize the system.

To configure login access for a FIPS user:

  1. Log in to the device with your Crypto Officer password if you have not already done so, and enter configuration mode:
  2. Give the user a username, and assign the user a user ID (for example, 6401, which must be a unique number in the range of 1 through 64000) and a class. When you assign the class, you assign the permissions—for example, clear, network, reset, view, and view-configuration.

    For a list of permissions, see Understanding Junos OS Access Privilege Levels.

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS, assign the FIPS user a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
  4. Optionally, display the configuration:
  5. If you are finished configuring the device, commit the configuration and exit:
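The role split in Configuring Crypto Officer Access and Configuring FIPS User Login Access reduces to a single rule: a Crypto Officer holds all four of the secret, security, maintenance, and control bits, and a FIPS user holds none of them. A user whose class carries some but not all of those bits (for example, maintenance alone, which the page notes is enough to read CSP files) fits neither role and should be reviewed. The audit below is an added example written for this page, not Juniper code. It reads login classes and users from configuration text in Junos display-set form; the sample configuration is constructed for illustration, the user and class names in it are hypothetical, and the permission sets given for the predefined super-user, operator, read-only, and unauthorized classes are standard Junos behaviour that the page itself does not spell out.

```python
"""Audit of Junos login classes against the role split described on this page:
a Crypto Officer holds the secret, security, maintenance and control bits;
a FIPS user holds none of them. Added example, not Juniper code; the sample
configuration below is constructed and its user/class names are hypothetical.
"""
import re
from typing import Dict, List, Set, Tuple

CRYPTO_OFFICER_BITS = frozenset({"secret", "security", "maintenance", "control"})

# Permissions of the Junos predefined login classes (standard Junos behaviour;
# the page itself only notes that super-user normally suffices for the Crypto Officer).
PREDEFINED_CLASSES: Dict[str, Set[str]] = {
    "super-user": {"all"},
    "superuser": {"all"},
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

# Matches "permissions view" (one flag per line) or "permissions [ a b c ]".
CLASS_PERMS_RE = re.compile(r"^set system login class (\S+) permissions (?:\[ (.*?) \]|(\S+))$")
USER_CLASS_RE = re.compile(r"^set system login user (\S+) class (\S+)$")


def parse_login_config(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, str]]:
    """Return (class -> permission set, user -> class) from set-format config lines."""
    classes = {name: set(perms) for name, perms in PREDEFINED_CLASSES.items()}
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_PERMS_RE.match(line)
        if m:
            perms = m.group(2).split() if m.group(2) is not None else [m.group(3)]
            classes.setdefault(m.group(1), set()).update(perms)
            continue
        m = USER_CLASS_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
    return classes, users


def classify(perms: Set[str]) -> str:
    """Map a permission set onto the page's two roles, or flag a partial grant."""
    if "all" in perms or CRYPTO_OFFICER_BITS <= perms:
        return "crypto-officer"
    if not (CRYPTO_OFFICER_BITS & perms):
        return "fips-user"
    return "mixed"  # holds some, but not all, of the reserved bits


def audit_roles(text: str) -> Dict[str, str]:
    """Role of every configured user; 'unknown-class' when the class is undefined."""
    classes, users = parse_login_config(text)
    return {u: classify(classes[c]) if c in classes else "unknown-class" for u, c in users.items()}


def role_violations(text: str) -> List[str]:
    """Users that are neither a clean Crypto Officer nor a clean FIPS user."""
    return sorted(u for u, role in audit_roles(text).items() if role in ("mixed", "unknown-class"))


# Constructed sample in "show configuration | display set" form; names are hypothetical.
SAMPLE_CONFIG = """\
set system login class fips-ops permissions [ clear network reset view view-configuration ]
set system login class helper permissions maintenance
set system login class helper permissions view
set system login user crypto-officer uid 6400
set system login user crypto-officer class super-user
set system login user fips-user uid 6401
set system login user fips-user class fips-ops
set system login user audit-helper uid 6402
set system login user audit-helper class helper
set system login user stale-user class retired-class
"""

if __name__ == "__main__":
    for user, role in audit_roles(SAMPLE_CONFIG).items():
        print(f"{user:15} {role}")
    print("needs review:", role_violations(SAMPLE_CONFIG))
```

On the sample, crypto-officer and fips-user are reported as clean roles, audit-helper is reported as mixed because its class carries maintenance without the other three bits, and stale-user is reported as unknown-class because it references a class that is not defined. Running the same audit over a saved display-set export of the real login configuration gives the Crypto Officer a quick check after the commit in step 5 that no user has drifted between the two roles.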