Common Criteria—Common Criteria for information technology is an international
agreement signed by several countries that permits the evaluation
of security products against a common set of standards.
module—The set of hardware, software, and firmware that implements
approved security functions (including cryptographic algorithms and
key generation) and is contained within the cryptographic boundary.
MX10003 and EX9253 devices are certified at FIPS 140-2 Level 1.
For fixed-configuration devices, the cryptographic module is the device
case. For modular devices, the cryptographic module is the Routing
FIPS—Federal Information Processing Standards. FIPS 140-2 specifies
requirements for security and cryptographic modules. Junos OS in FIPS
mode complies with FIPS 140-2 Level 1.
FIPS maintenance role—The role the Security Administrator assumes to perform physical
maintenance or logical maintenance services such as hardware or software
diagnostics. For FIPS 140-2 compliance, the Security Administrator
zeroizes the Routing Engine on entry to and exit from the FIPS maintenance
role to erase all plain-text secret and private keys and unprotected
The FIPS maintenance role is not supported on Junos OS in FIPS
Hashing—A message authentication method that applies a cryptographic
technique iteratively to a message of arbitrary length and produces
a hash message digest or signature of fixed length that is appended to the message when sent.
NDcPPv2.1—Collaborative Protection Profile for Network Devices.
SSH—A protocol that uses strong authentication and encryption for
remote access across a nonsecure network. SSH provides remote login,
remote program execution, file copy, and other functions. It is intended
as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over
administrative connections, use SSHv2 for CLI configuration. In Junos
OS, SSHv2 is enabled by default, and SSHv1, which is not considered
secure, is disabled.
Zeroization—Erasure of all CSPs and other user-created data on a device
before its operation as a FIPS cryptographic module—or in preparation
for repurposing the devices for non-FIPS operation. The Security Administrator
can zeroize the system with a CLI operational command.