Juniper NS-5400 Security Policy
• TDES, CBC mode, encrypt/decrypt KAT
• SHA-1 KAT
• RSA (encryption and signature) KAT
• ANSI X9.31 DRNG KAT
• DSA Sign/Verify KAT
• AES, CBC mode, encrypt/decrypt KAT
• HMAC-SHA-1 KAT
• DH key agreement test

The NetScreen-5400 implements the following conditional tests:
• DRNG continuous test
• Hardware RNG continuous test
• DSA pairwise consistency test
• RSA pairwise consistency test
• Bypass test
• Firmware download DSA signature test (Software Load Test)
• The internal packaging must show no damage or evidence of tampering. The plastic bag must not have a large hole, and the label that seals the plastic bag must not be detached or missing. If the bag or the seal is damaged in any way, this may be evidence of tampering.
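As an added example (not code from this Security Policy or from Juniper), the following Python shows three of the conditional tests listed above in working form: the continuous RNG test, the DSA pairwise consistency test, and the firmware (software) load test that verifies a DSA signature over a downloaded image before the image is accepted. It uses only the standard library. The DSA is a teaching-grade implementation with 512-bit p and 160-bit q, an assumption chosen so that parameter generation is quick (far below any size acceptable today), hardware_rng_source stands in for the module's hardware RNG, and the firmware image bytes are constructed inline.

```python
import hashlib
import random
import secrets


class SelfTestError(Exception):
    """A failed self-test; the module must stop all cryptographic output."""


def hardware_rng_source(n):
    """Stand-in for the module's hardware RNG (assumption: OS entropy)."""
    return secrets.token_bytes(n)


class ContinuousRngTest:
    """FIPS 140-2 style continuous test around a block-producing RNG: the
    first block after power-up is kept for comparison and never output;
    each later block must differ from the previous one or we fail closed."""

    def __init__(self, source, block_len=16):
        self._source, self._block_len = source, block_len
        self._last = source(block_len)

    def read(self):
        block = self._source(self._block_len)
        if block == self._last:
            raise SelfTestError("continuous RNG test failed: repeated block")
        self._last = block
        return block


# Teaching-grade DSA (assumption: 512-bit p, 160-bit q; not the module's code).

def _is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dsa_generate_params(p_bits=512, q_bits=160):
    """Prime q, prime p with q | p - 1, and g of order q modulo p."""
    while True:
        q = random.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if _is_probable_prime(q):
            break
    while True:
        p = random.getrandbits(p_bits - q_bits) * q + 1
        if _is_probable_prime(p):
            break
    while True:
        g = pow(random.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g

def dsa_keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1          # private x in [1, q - 1]
    return x, pow(g, x, p)                    # (x, y)

def _digest_int(message, q):
    """SHA-1 of the message as an integer (160 bits, the size of q here)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q

def dsa_sign(params, x, message):
    p, q, g = params
    z = _digest_int(message, q)
    while True:                               # retry on the rare r == 0 or s == 0
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, message, signature):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):         # reject malformed values first
        return False
    w = pow(s, -1, q)
    u1, u2 = _digest_int(message, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def dsa_pairwise_consistency_test(params, x, y):
    """Conditional test on a fresh key pair: its own signature must verify."""
    probe = b"pairwise consistency test"
    if not dsa_verify(params, y, probe, dsa_sign(params, x, probe)):
        raise SelfTestError("DSA pairwise consistency test failed")

def firmware_load_test(params, vendor_pub, image, signature):
    """Software load test: the downloaded image is accepted only if the
    vendor's DSA signature over it verifies; False means refuse the image."""
    return dsa_verify(params, vendor_pub, image, signature)
```

Two details are worth noting. The first RNG block after power-up is consumed by the continuous test and never released, which is what the FIPS 140-2 test requires, and the same wrapper is applied to the hardware RNG and the approved DRNG alike, as the policy states. The load test treats a signature under any key other than the vendor's, or over an image altered by even one byte, as a failure, so unverified code never runs.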
F. Other Parameters
Also note that:
• The firmware can be loaded through the Trivial File Transfer Protocol (TFTP), where a firmware load test is performed by verifying the DSA signature on the image.
• Keys are generated using the FIPS-approved ANSI X9.31 pseudo-random number generator.
• For every use of the module's random number generator, a continuous RNG self-test is performed. This applies to both the FIPS-approved RNG and the non-FIPS-approved RNG.
• The NetScreen-5400 enforces both identity-based and role-based authentication: the operator's authenticated identity determines which role the operator assumes.
• Operators must be authenticated using user names and passwords. Alternatively, the CO may also be authenticated via digital signature verification during the download of a new firmware image. Authentication occurs locally. As an option, the user can be authenticated via a RADIUS server, which provides an external database for user role administrators. The NetScreen-5400 acts as a RADIUS proxy, forwarding the authentication request to the RADIUS server. The RADIUS server replies with either an accept or