    Understanding Services for Junos OS in FIPS-Approved Mode of Operation

    All services implemented by the module are listed in the tables that follow.

    Understanding Authenticated Services

    Table 1 lists the authenticated services on the device running Junos OS.

    Table 1: Authenticated services

    Authenticated Services

    Description

    Cryptographic Officer

    User (read-only)

    User (network)

    Configure security

    Security relevant configuration

    x

    Configure

    Non-security relevant configuration

    x

    Secure traffic

    IPsec protected routing

    x

    Status

    Display the status

    x

    x

    Zeroize

    Destroy all critical security parameters (CSPs)

    x

    SSH connect

    Initiate SSH connection for SSH monitoring and control (CLI)

    x

    x

    IPsec connect

    Initiate IPsec connection (IKE)

    x

    x

    Console access

    Console monitoring and control (CLI)

    x

    x

    Remote reset

    Software-initiated reset

    x

    Table 2: Unauthenticated traffic

    Service      | Description
    Local reset  | Hardware reset or power cycle
    Traffic      | Traffic requiring no cryptographic services

    Critical Security Parameters

    Critical security parameters (CSPs) are security-related information, such as cryptographic keys and passwords, whose disclosure or modification can compromise the security of the cryptographic module or of the information protected by the module.

    Zeroization of the system erases all traces of CSPs in preparation for operating the device as a cryptographic module.

    Table 3 lists the CSP access rights within services.

    Table 3: CSP Access Rights Within Services

    Service

    CSPs

    DRGB_Seed

    DRGB_State

    SSH PHK

    SSH DH

    SSH-SEK

    ESP-SEK

    Configure security

    E

    G, W

    Configure

    Secure Traffic

    E

    Status

    Zeroize

    Z

    SSH connect

    E

    E

    G, E

    G, E

    IPSec connect

    E

    G

    Console access

    Remote reset

    G, E

    G

    Z

    Z

    Z

    Local Reset

    G, E

    G

    Z

    Z

    Z

    Traffic

    Service

    CSPs

    IKE-PSK

    IKE-Priv

    IKE-SKEYI

    IKE-SKE

    IKE-DH-PRI

    Configure security

    W

    G, W

    Configure

    Secure Traffic

    E

    Status

    Zeroize

    Z

    Z

    SSH connect

    IPSec connect

    E

    E

    G

    G

    Console access

    Remote reset

    Z

    Z

    Z

    Local Reset

    Z

    Z

    Z

    Traffic

    Here:

    • G = Generate: The device generates the CSP.
    • E = Execute: The device runs using the CSP.
    • W = Write: The CSP is updated or written to the device.
    • Z = Zeroize: The device zeroizes the CSP.

    Modified: 2016-10-19