Juniper NS-5400 Security Policy
G. FIPS Certificate Verification
In FIPS mode, while an X.509 certificate is being loaded, if the signing CA
certificate cannot be found in the NetScreen-5400, the following message is
displayed on the console:
Please contact your CA's administrator to verify the following finger print (in
HEX) of the CA cert...
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
Do you want to accept this certificate y/[n]?
where each x is a hexadecimal digit (0-9, A-F).
The Crypto-Officer compares the displayed fingerprint with the value obtained from
the CA's administrator over a separate, trusted channel, and accepts the loaded
certificate only if the two match; the default answer is no.
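The following Python models the check the Crypto-Officer performs at that prompt. It is an added example, not ScreenOS code from Juniper. The fingerprint the console shows is five groups of eight hex digits, 160 bits, which is the length of a SHA-1 digest; the page does not name the hash, so SHA-1 over the DER-encoded CA certificate is an assumption, and the `fake_der` input is a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac

# Assumption: the console fingerprint is SHA-1 over the DER-encoded CA
# certificate, shown as five 8-character uppercase hex groups (the page
# shows the layout but does not name the hash).
GROUP_LEN = 8
FINGERPRINT_HEX_LEN = 40
HEX_DIGITS = set("0123456789ABCDEF")


def ca_fingerprint(der_cert: bytes) -> str:
    """Return the fingerprint in the console's display form:
    uppercase hex, five groups of eight characters separated by spaces."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return " ".join(digest[i:i + GROUP_LEN]
                    for i in range(0, len(digest), GROUP_LEN))


def normalize(fingerprint: str) -> str:
    """Reduce a fingerprint as a CA administrator might read it back
    (any case; spaces, colons or dashes between groups) to the bare
    40-digit uppercase hex string. Reject anything else, so a truncated
    or mistyped value can never be 'matched'."""
    cleaned = "".join(ch for ch in fingerprint.upper() if ch not in " :-")
    if len(cleaned) != FINGERPRINT_HEX_LEN or any(ch not in HEX_DIGITS for ch in cleaned):
        raise ValueError("fingerprint must be exactly 40 hex digits")
    return cleaned


def crypto_officer_decision(der_cert: bytes, fingerprint_from_ca: str) -> bool:
    """Model the y/[n] decision: accept only when the fingerprint the device
    displays equals the one obtained out of band from the CA administrator.
    Any malformed out-of-band value yields the default answer, 'n'."""
    shown = normalize(ca_fingerprint(der_cert))
    try:
        expected = normalize(fingerprint_from_ca)
    except ValueError:
        return False
    # Constant-time comparison; not strictly needed for a public value,
    # but it is the habit to keep for any credential-like comparison.
    return hmac.compare_digest(shown, expected)


if __name__ == "__main__":
    # Constructed stand-in for the DER bytes of a CA certificate (not a real cert).
    fake_der = b"abc"
    print("Please contact your CA's administrator to verify the following "
          "finger print (in HEX) of the CA cert...")
    print(ca_fingerprint(fake_der))
    # Value the Crypto-Officer obtained by phone from the CA administrator
    # (constructed to match the stand-in above).
    out_of_band = "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"
    print("accept" if crypto_officer_decision(fake_der, out_of_band) else "deny")
```

The point of the procedure is that the reference fingerprint must arrive over a channel independent of the one that delivered the certificate; a fingerprint printed in the same e-mail as the certificate verifies nothing, and an operator who cannot obtain it independently should take the default and deny.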
H. Critical Security Parameter (CSP) Definitions
Below is a list of Critical Security Parameter (CSP) definitions:
• IPSEC HMAC SHA-1 Key: Used by IPsec for data integrity.
• IPSEC ESP Key: DES, TDES, and AES keys for user traffic encryption.
• IKE Pre-Shared Key: Used during the IKE protocol to establish
cryptographic keys to be used by IKE.
• IKE Encryption Key: DES, TDES, and AES keys for peer-to-peer IKE
message encryption.
• IKE HMAC SHA-1 Key: Used by IKE for data integrity.
• Password: Crypto-Officer and User passwords.
• SSH Server/Host DSA Private Key: Used to create digital signatures.
• SSH Encryption Key: TDES encryption key used to encrypt telnet
commands.
• SSH HMAC SHA-1 Key: Used by SSH for data integrity.
• HA Key: AES encryption key for HA data.
• IKE RSA/DSA Private Key: DSA/RSA key used in IKE identity
authentication.
• PRNG Algorithm Key: ANSI X9.31 algorithm key required to
generate pseudo-random numbers.
• Diffie-Hellman Private Key Components: Used during the DH key
agreement protocol.
I. Public Key Definitions
Below is a list of the public keys utilized by the module:
• Firmware Authentication Key: Used by the device to verify DSA signatures over
firmware images.
• CA DSA/RSA Public Key: Used by IKE to authenticate a peer's certificate.