Juniper OpenSSL Cryptographic Module Overview

The Junos OS Evolved OpenSSL Cryptographic Module provides cryptographic primitive APIs for Junos OS Evolved user space. The module provides cryptographic services to applications that run in the user space of Junos OS Evolved through a C language Application Program Interface (API).

Cryptographic Boundary

The Cryptographic Logical Boundary for OpenSSL consists of all shared libraries and integrity check files used to perform integrity tests.

Supported Cryptographic Algorithms

You must use FIPS-approved cryptographic algorithms in FIPS mode to run the TOE in the CC evaluated configuration. Table 1 lists the approved cryptographic algorithms that you can use in FIPS mode.

Table 1: Cryptographic Algorithms Implemented by the Junos OS Evolved OpenSSL Cryptographic Module

| Cryptographic Service | Algorithm | Key Sizes | Standard | Purpose |
|---|---|---|---|---|
| FCS_CKM.1 Cryptographic Key Generation | RSA | | FIPS186-5 | Key generation of the SSH host (TOE) key pair (used for TOE authentication by the SSH peer). |
| | Elliptic Curve Cryptography (ECC) | P-256, P-384, P-521 (256, 384 and 521 bits) | FIPS186-5 | Key generation of the SSH host (TOE) key pair (used for TOE authentication by the SSH peer). Ephemeral asymmetric key generation for SSHv2 key exchange. |
| FCS_CKM.2 - Cryptographic Key Establishment | Elliptic Curve Cryptography (KAS-ECC-SSC) | P-256, P-384, P-521 (256, 384 and 521 bits) | SP800-56A Rev3 | SSHv2 key exchange. |
| FCS_COP.1/Data Encryption Cryptographic Operation (AES Data Encryption/Decryption) | Elliptic Curve Cryptography (KAS-ECC-SSC) | P-256, P-384, P-521 (256, 384 and 521 bits) | SP800-56A Rev3 | SSHv2 key exchange. |
| FCS_COP.1/SigGen Cryptographic Operation (Signature Generation and Verification) | RSA with SHA-1 | 2048, 3072 and 4096 bits | FIPS186-5 | Server authentication in the SSHv2 protocol. |
| | RSA with SHA2-256, SHA2-512 | | | Server authentication in the SSHv2 protocol. Public-key authentication in the SSHv2 protocol. Digital Signature Verification for Trusted Updates of the TOE. |
| | ECDSA with SHA2-256, SHA2-384, SHA2-512 | P-256, P-384, P-521 (256, 384 and 521 bits) | FIPS186-5 | Server authentication in the SSHv2 protocol. Public-key authentication in the SSHv2 protocol. |
| FCS_COP.1/Hash Cryptographic Operation (Hash Algorithm) | SHA-1, SHA2-256, SHA2-384, SHA2-512 | NA | FIPS180-4 | HMAC algorithm. Authentication in NTP protocol (SHA-1, SHA2-256). Digital Signature Generation and Verification. Pseudorandom function (PRF) for the SSHv2 protocol. |