Understanding FIPS Authentication Methods
The Juniper Networks Junos operating system (Junos OS) running in FIPS-approved mode of operation allows a wide range of capabilities for users, and authentication is identity-based. The following types of identity-based authentication are supported in the FIPS-approved mode of operation:
Username and Password Authentication over the Console and SSH
In this authentication method, the user is requested to enter the username and password. The device enforces the user to enter a minimum of 10-characters password that is chosen from the 96 human-readable ASCII characters.
The maximum password length is 20 characters.
In this method, the device enforces a timed access mechanism—for example, first two failed attempts to enter the correct password (assuming 0 time to process), no timed access is enforced. When the user enters the password for the third time, the module enforces a 5-second delay. Each failed attempt thereafter results in an additional 5-second delay above the previous failed attempt. For example, if the fourth failed attempt is a 10-second delay, then the fifth failed attempt is a 15-second delay, the sixth failed attempt is a 20-second delay, and the seventh failed attempt is a 25-second delay.
Therefore, this leads to a maximum of seven possible attempts in a 1-minute period for each getty active terminal. So, the best approach for the attacker would be to disconnect after 4 failed attempts, and wait for a new getty to be spawned. This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour or 60 minutes). This would be rounded off to 9 attempts per minute, because there is no such thing as 0.6 attempts. Thus the probability of a successful random attempt is 1/9610, which is less than 1/1 million. The probability of a success with multiple consecutive attempts in a 1-minute period is 9/(9610), which is less than 1/100,000.
Username and Public Key Authentication over SSH
In this authentication method, the user is requested to enter the username and SSH public-key authentication. The device supports ECDSA (P-256 and P-384) key-type. The probability of a success with multiple consecutive attempts in a 1-minute period is 5.6e7/(2128).
When you run the set system login user <username> authentication ssh-ecdsa key command on the device only ecdsa-sha2-nistp256 and ecdsa-sha2-nistp384 key-types are accepted. The ecdsa-sha2-nistp521 key-type is no longer supported on the FIPS-approved mode. If you try to configure ecdsa-sha2-nistp521 key-type on the device then the following error message is displayed ecdsa-sha2-nistp521 is not permitted in FIPS mode is displayed. The use of the ecdsa-sha2-nistp521 key exchange method for SSH is also disabled in the FIPS-approved mode.