Let us know what you think.

Do you have time for a two-minute survey?

Understanding Common Criteria and FIPS Terminology and Supported Cryptographic Algorithms

Use the definitions of Common Criteria and FIPS terms, and supported algorithms to help you understand Junos OS.

Supported Cryptographic Algorithms

Table 1 summarizes the high level protocol algorithm support.

Table 1: Protocols Allowed in FIPS Mode

Protocol

Key Exchange

Authentication

Cipher

Integrity

SSHv2

• dh-group14-sha1

• ECDH-sha2-nistp256

• ECDH-sha2-nistp384

• ECDH-sha2-nistp521

Host (module):

• ECDSA P-256

• SSH-RSA

Client (user):

• ECDSA P-256

• ECDSA P-384

• ECDSA P-521

• SSH-RSA

• RSA-SHA2-256
• RSA-SHA2-512
• AES CTR 128

• AES CTR 256

• AES CBC 128

• AES CBC 256

• HMAC-SHA-1

• HMAC-SHA-256

• HMAC-SHA-512

The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same key for encryption and decryption, while asymmetric methods use different keys for encryption and decryption.

 AES The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128 or 256 bits to encrypt and decrypt data in blocks of 128 bits. Diffie-Hellman A method of key exchange across a nonsecure environment (such as the Internet). The Diffie-Hellman algorithm negotiates a session key without sending the key itself across the network by allowing each party to pick a partial key independently and send part of that key to the other. Each side then calculates a common key value. This is a symmetrical method—keys are typically used only for a short time, discarded, and regenerated. ECDH Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. The shared secret can be used either as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher. ECDSA Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of decrypting the key. The public key believed to be needed for ECDSA is about twice the size of the security strength, in bits. ECDSA uses the P-256, P-384, and P-521 curves that can be configured under OpenSSH. HMAC Defined as “Keyed-Hashing for Message Authentication” in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. SHA-256, SHA-384, and SHA-512 Secure hash algorithms (SHA) belonging to the SHA-2 standard defined in FIPS PUB 180-2. Developed by NIST, SHA-256 produces a 256-bit hash digest, SHA-384 produces a 384-bit hash digest, and SHA-512 produces a 512-bit hash digest. AES-CMAC AES-CMAC provides stronger assurance of data integrity than a checksum or an error-detecting code. The verification of a checksum or an error-detecting code detects only accidental modifications of the data, while CMAC is designed to detect intentional, unauthorized modifications of the data, as well as accidental modifications.