Critical Security Parameters

Critical security parameters (CSPs) are defined as security-related information (including cryptographic keys and authentication data, such as passwords), the disclosure or modification of which can compromise the security of a cryptographic module or the security of the information protected by the module.

In JUNOS-FIPS, user authentication data can be entered in plain text. During initial configuration, the Routing-Engine-to-Routing-Engine IP Security (IPSec) key can also be entered in plain text on the console (under manual key entry rules). Otherwise all CSPs must enter and leave the cryptographic module in encrypted form. In general, configuration should be done with secure shell (SSH) or Transport Layer Security (TLS) connections.

Services such as RADIUS and TACACS+ can still use clear text because FIPS 140 Level 2 or below allows for authentication data to be sent in clear text. For strict compliance, the RADIUS or TACACS+ server secret must be 10 characters or longer.

Local passwords are encrypted using HMAC-SHA1. Password recovery is not possible in JUNOS-FIPS. JUNOS-FIPS cannot boot into single-user mode without the correct root password.

When JUNOS-FIPS encounters a FIPS error, it halts all cryptographic processing, stops data flows, creates a system panic, and displays only status messages on the console.

For example, a FIPS error is logged as:

panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA

The reboot after panic displays the error message on the console:

savecore: reboot after panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA

Memory failures are logged as well:

Apr 15 23:08:15 shmoo /kernel: pid 6374 (fips-error), uid 0, FIPS error 9: RSA verify memory allocation failed
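
The three message shapes shown above share one core record, so a single parser can flag them in collected console or syslog output. The following is an added example, not Juniper code: the function names and the source labels are assumptions, and the unrelated sshd line in the sample is constructed.

```python
import re

# Core record common to the panic, savecore and kernel log lines shown above.
FIPS_RE = re.compile(
    r"pid (?P<pid>\d+) \(fips-error\), uid (?P<uid>\d+), "
    r"FIPS error (?P<code>\d+): (?P<detail>.+)$"
)
# Optional syslog prefix, e.g. "Apr 15 23:08:15 shmoo /kernel: "
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): "
)
# First three lines are the messages quoted on this page; the last is constructed.
SAMPLE = [
    "panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA",
    "savecore: reboot after panic: pid 5090 (fips-error), uid 0, FIPS error 5: cannot verify certificate PackageCA",
    "Apr 15 23:08:15 shmoo /kernel: pid 6374 (fips-error), uid 0, FIPS error 9: RSA verify memory allocation failed",
    "Apr 15 23:08:16 shmoo sshd[412]: Accepted publickey for admin",
]

def parse_fips_event(line):
    """Return a dict describing a FIPS error line, or None for unrelated lines."""
    line = line.strip()
    m = FIPS_RE.search(line)
    if m is None:
        return None
    prefix = line[:m.start()]
    event = {"pid": int(m["pid"]), "uid": int(m["uid"]),
             "code": int(m["code"]), "detail": m["detail"],
             "timestamp": None, "host": None}
    s = SYSLOG_RE.match(prefix)
    if s:
        event["timestamp"], event["host"] = s["ts"], s["host"]
    # Label where the record was emitted (labels are this example's own).
    if "savecore: reboot after panic:" in prefix:
        event["source"] = "post-panic-reboot"
    elif prefix.rstrip().endswith("panic:"):
        event["source"] = "panic"
    else:
        event["source"] = "kernel-log"
    return event

def scan(lines):
    """Parse every line and keep only the FIPS error events."""
    return [e for e in map(parse_fips_event, lines) if e is not None]

if __name__ == "__main__":
    for e in scan(SAMPLE):
        print(e)
```

Because a FIPS error halts cryptographic processing and data flows, any event returned by scan() is worth alerting on regardless of its error number.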
