Juniper SSG 5 User Manual

Juniper SSG 5
21 pages
Juniper Networks SSG 5 and SSG 20 Security Policy
o AES, CBC mode, encrypt/decrypt KAT
o HMAC SHA-1 KAT, HMAC SHA-256 KAT
o ANSI X9.31 DRNG KAT
o RNG statistical (monobit, poker, runs and long runs) tests
o DH exponentiation test
o IKE v1/v2 Key Derivation Function KAT
The security appliance implements the following conditional tests:
o DRNG continuous test (both approved and non-approved RNGs)
o DSA pairwise consistency test
o ECDSA pairwise consistency test
o RSA pairwise consistency test
o Bypass test
o Firmware download DSA signature test (Firmware Load Test)
o DH pairwise consistency test
o Public key validation test
On failure of any self-test, the module enters and stays in a permanent error state with the following
characteristics:
o The console displays an error message of the format: “XXX test failed: error code N”.
o The status LED flashes red.
o All traffic processing halts.
o The module must be power cycled to return to operation.
Bypass tests are performed as a conditional test. The bypass state occurs when the administrator
configures the module with a non-VPN policy and an incoming packet whose source address,
destination address and service match this policy arrives at the network port. The bypass enabled
status can be found by retrieving the entire policy list. Two internal actions must exist in order for
bypass to happen: (1) a non-VPN policy is matched for this traffic, and (2) a routing table entry exists
for the traffic that matches this non-VPN policy.
For every usage of the module’s random number generator, a continuous RNG self-test is performed.
Note that this is performed on both the FIPS approved RNG and non-FIPS approved RNG.
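
The continuous RNG test and the latched error state described above, sketched in C as an added example (this is not Juniper's firmware code). It follows the FIPS 140-2 rule that the first block after power-up is stored rather than output and every later block is compared with its predecessor; `crngt_ctx`, `crngt_power_up`, `crngt_get_block`, `demo_source`, the 16-byte block size and the error code value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BLOCK_LEN 16  /* assumed generator block size in bytes */
typedef int (*rng_source_fn)(unsigned char *out);  /* hypothetical raw-generator hook */
typedef struct {
    rng_source_fn source;
    unsigned char prev[BLOCK_LEN];  /* last block, kept only for comparison */
    int primed;       /* set once the first block after power-up is stored (never output) */
    int error_state;  /* latched until the next power cycle */
} crngt_ctx;
/* Power-up or power cycle: the only path that clears the error state. */
void crngt_power_up(crngt_ctx *c, rng_source_fn src) {
    memset(c, 0, sizeof *c);
    c->source = src;
}

/* Returns 0 with one checked block in out, or -1 once the test has failed. */
int crngt_get_block(crngt_ctx *c, unsigned char *out) {
    unsigned char cur[BLOCK_LEN];
    if (c->error_state) return -1;  /* stays failed, no further output */
    if (!c->primed && c->source(c->prev) != 0) goto fail;
    c->primed = 1;
    if (c->source(cur) != 0) goto fail;
    if (memcmp(cur, c->prev, BLOCK_LEN) == 0) goto fail;  /* repeated block */
    memcpy(c->prev, cur, BLOCK_LEN);
    memcpy(out, cur, BLOCK_LEN);
    return 0;
fail:
    c->error_state = 1;  /* message shape from the policy; code 1 is a placeholder */
    fprintf(stderr, "DRNG continuous test failed: error code 1\n");
    return -1;
}

/* Constructed source: a counter that sticks once it reaches stuck_after. */
static unsigned calls, stuck_after;
static int demo_source(unsigned char *out) {
    unsigned v = (stuck_after && calls >= stuck_after) ? stuck_after : calls;
    calls++;
    memset(out, (int)(v & 0xff), BLOCK_LEN);  /* block filled with the counter byte */
    return 0;
}

int main(void) {
    crngt_ctx c; unsigned char b[BLOCK_LEN]; int i;
    stuck_after = 3;  /* constructed fault: output repeats from the fourth raw block on */
    crngt_power_up(&c, demo_source);
    for (i = 0; i < 5; i++) printf("request %d -> %d\n", i, crngt_get_block(&c, b));
    return 0;
}
```

With the constructed fault, three requests succeed, the fourth trips the comparison, and every request after that is refused until `crngt_power_up` is called again.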
At any time the cryptographic module is in an idle state, the operator may command the device to
perform the self-tests.
FIPS Approved Algorithms
The following FIPS approved algorithms are supported by the security appliance:
o DSA, ECDSA Sign Verify
o SHA-1, SHA-256
o Triple-DES (CBC)
o AES (CBC)
