Juniper Networks SSG 320M and 350M Security Policy
The cryptographic module’s design corresponds to the cryptographic module’s security rules. This
section documents the security rules enforced by the cryptographic module to implement the security
requirements of this FIPS 140-2 Level 2 module.
The cryptographic module provides identity-based authentication. Until the operator has been
authenticated to the module to assume a valid role, the operator does not have access to any
cryptographic services.
Data output is inhibited during key generation, self-tests, zeroization, and error states. Status
information does not contain CSPs or sensitive data that if misused could lead to a compromise of the
module. The module does not support a maintenance mode.
The module performs key agreement as per the guidelines in NIST SP 800-57.
Self tests
The security appliance implements the following power-up self-tests:
Device Specific Self-Tests:
o Boot ROM firmware self-test via DSA signature (Firmware Integrity Test)
Critical Function Self-Tests:
o SDRAM read/write check
o FLASH test
Algorithm Self-Tests:
o Triple-DES, CBC mode, encrypt/decrypt KAT
o SHA-1 KAT
o SHA-256 KAT
o RSA (encrypt/decrypt and sign/verify) KAT
o DSA Sign/Verify pairwise consistency test
o ECDSA Sign/Verify pairwise consistency test
o AES, CBC mode, encrypt/decrypt KAT
o HMAC SHA-1 KAT, HMAC SHA-256 KAT
o ANSI X9.31 DRNG KAT
o RNG statistical (monobit, poker, runs and long runs) tests
o DH exponentiation test
o IKE v1/v2 Key Derivation Function KAT
The security appliance implements the following conditional tests:
DRNG continuous test (both approved and non-approved RNG’s)
DSA pairwise consistency test
ECDSA pairwise consistency test
RSA pairwise consistency test
Bypass test
Firmware download DSA signature test (Firmware Load Test)
DH pairwise consistency test
Public key validation test
To Next Page
Loading...
Need help?
General
