Post-Quantum Cryptography (PQC)
- PQC signatures for software images with off-box verification (ACX Series, PTX Series, and QFX Series)—Use post-quantum cryptography (PQC) signatures to verify that software images remain unaltered, protecting integrity and guarding against quantum threats. The images comply with algorithms recommended by Commercial National Security Algorithm 2.0 (CNSA 2.0):
  - ML-DSA-87 PQC algorithm for digital signatures
  - SHA-512 for hashing

  For off-box verification, request the PQC signature from the support portal. Confirm the image's SHA-512 hash, retrieve the public key from the certificate, and validate the signature with your chosen verifier. PQC signatures provide additional security beyond existing legacy signatures.
- Support for Quantum Buffer in SSH (ACX Series, PTX Series, and QFX Series)—Use Juniper Networks Quantum Buffer for JSSH to enhance SSH management and maintain cryptoagility. The feature uses finite field cryptography (FFC) to extend the security lifespan of current systems against quantum attacks. Quantum Buffer provides a phased approach to adopting post-quantum cryptography (PQC), thereby mitigating operational risks associated with the transition.

  To enable the feature, configure the following command:

      set system services ssh moduli type name refresh frequency count count

  The configuration dynamically generates prime moduli for the existing Diffie-Hellman (DH) group exchange algorithms, group-exchange-sha1 and group-exchange-sha2. The qbufd process is responsible for generating the moduli.

  [See Quantum Buffer and moduli.]
- Support for Shor-resistant and other default key exchange algorithms in SSH (ACX Series, PTX Series, and QFX Series)—SSH supports the hybrid Streamlined NTRU Prime 761 and X25519 key exchange algorithm, which is Shor-resistant and improves protection against quantum attacks.

  Configure sntrup761x25519-sha512 at the [edit system services ssh key-exchange] hierarchy level.

  Additionally, SSH includes default support for the following Diffie-Hellman (DH) group key exchange algorithms that are available at the [edit system services ssh key-exchange] hierarchy level:
  - dh-group16-sha512
  - dh-group18-sha512

  [See key-exchange.]
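One way to confirm from a management host that a device offers the hybrid key exchange after the configuration change, shown as an added example (not Juniper code): it parses the key-exchange name-list from an SSH_MSG_KEXINIT payload as laid out in RFC 4253. The on-wire algorithm names and their mapping to the Junos option names above are assumptions, and the sample payload is constructed.

```python
import struct

# On-wire names (RFC 4253 / OpenSSH). Assumption: the Junos options on this page
# (sntrup761x25519-sha512, dh-group16-sha512, ...) map to these wire names.
HYBRID_PQ = {"sntrup761x25519-sha512", "sntrup761x25519-sha512@openssh.com"}
GROUP_EXCHANGE = {"diffie-hellman-group-exchange-sha1",
                  "diffie-hellman-group-exchange-sha256"}
FIXED_GROUPS = {"diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512"}
SSH_MSG_KEXINIT = 20


def parse_kex_algorithms(payload):
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    # Layout: 1-byte type, 16-byte cookie, then name-lists (uint32 length + ASCII).
    (length,) = struct.unpack_from(">I", payload, 17)
    names = payload[21:21 + length]
    if len(names) != length:
        raise ValueError("truncated kex_algorithms name-list")
    return names.decode("ascii").split(",") if names else []


def audit_kex(offered):
    """Summarise the offer; list order is the sender's preference order."""
    return {
        "hybrid_offered": any(a in HYBRID_PQ for a in offered),
        "hybrid_preferred": bool(offered) and offered[0] in HYBRID_PQ,
        "group_exchange": [a for a in offered if a in GROUP_EXCHANGE],
        "fixed_groups": [a for a in offered if a in FIXED_GROUPS],
    }


def build_sample_kexinit(kex):
    """Constructed sample payload: zero cookie, only the first name-list filled."""
    body = ",".join(kex).encode("ascii")
    # Nine empty name-lists, first_kex_packet_follows = 0, reserved uint32 = 0.
    rest = struct.pack(">I", 0) * 9 + b"\x00" + struct.pack(">I", 0)
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)
            + struct.pack(">I", len(body)) + body + rest)


if __name__ == "__main__":
    sample = build_sample_kexinit([
        "sntrup761x25519-sha512@openssh.com", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"])
    print(audit_kex(parse_kex_algorithms(sample)))
```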