The FIPS 140-2 Random Number Generator Crisis Impact on Juniper Networks Products
Jan 9, 2015
A few weeks ago, I wrote about the NIST Random Number Transition and the crisis it will cause at the end of 2015. I am not alone in trying to raise awareness of this issue: Marc Ireland of InfoGard Laboratories has written a very good blog on the same subject, titled The RNG Transition is Coming!
In that blog I recommended that customers who require FIPS 140-2 encryption, such as the US Federal Government, check the FIPS 140-2 certifications of the products they use to confirm that those products use the mandated NIST SP 800-90A deterministic random bit generator (DRBG) rather than the legacy random number generators that will soon be disallowed.
I didn’t have space in the earlier blog to share the DRBG status of Juniper products that have been FIPS certified, but I thought it might be helpful to provide a summary in a new blog.
FIPS 140-2 solutions that use NIST SP 800-90A DRBG
Junos devices using Junos 12.1 or later software.
Note that the SRX is currently in evaluation for FIPS 140-2. This evaluation uses the new DRBG. NIST has already validated the SRX DRBG.
The MX is also currently in evaluation for FIPS 140-2. This evaluation uses the new DRBG as well.
Juniper Networks/Pulse Secure MAG and Virtual Appliances which use SA 7.4 or UAC 5.0 and later software.
Juniper Networks/Pulse Secure Pulse Desktop Clients which use 5.0 and later software.
Juniper Networks/Pulse Secure Pulse Mobile Clients which use 4.0 and later software.
FIPS 140-2 solutions that do not use NIST SP 800-90A DRBG
Junos devices using Junos versions prior to 12.1.
ScreenOS devices regardless of software version.
SA4500FIPS, SA6500FIPS, and IC6500FIPS Appliances regardless of software version.
Network and Security Manager (NSM) regardless of software version.
Odyssey Clients regardless of software version.
Network Connect Client regardless of software version.
My recommendation is that if you have devices that do not use the NIST SP 800-90A DRBG, you begin taking steps now to transition to products that do, before the end of 2015.
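As an added example (not part of the original post or any Juniper tool), the following Python script encodes the two lists above as a lookup table and checks a device inventory against them. The product names and version thresholds come from the post; the hostnames, version strings and the "acme-widget" product in the sample inventory are made up.

```python
import re

USES_DRBG = "uses SP 800-90A DRBG"
LEGACY_RNG = "legacy RNG: transition before end of 2015"
UNVERIFIED = "not covered by this post: check the FIPS 140-2 certificate"

# Minimum software version that uses the SP 800-90A DRBG, taken from the lists
# in the post above. None means no version qualifies: the product uses a legacy
# RNG regardless of software version.
MIN_DRBG_VERSION = {
    "junos": (12, 1),
    "sa": (7, 4),           # MAG / virtual appliance running SA software
    "uac": (5, 0),          # MAG / virtual appliance running UAC software
    "pulse desktop": (5, 0),
    "pulse mobile": (4, 0),
    "screenos": None, "sa4500fips": None, "sa6500fips": None,
    "ic6500fips": None, "nsm": None, "odyssey": None, "network connect": None,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)")

def parse_version(version):
    """Return (major, minor) from strings such as '12.1X46-D20' or '11.4R7'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))

def classify(product, version=""):
    """Classify one inventory entry against the post's DRBG status lists."""
    key = product.strip().lower()
    if key not in MIN_DRBG_VERSION:
        return UNVERIFIED
    minimum = MIN_DRBG_VERSION[key]
    if minimum is None:
        return LEGACY_RNG
    return USES_DRBG if parse_version(version) >= minimum else LEGACY_RNG

def audit(inventory):
    """Return [(hostname, status)] for a list of (hostname, product, version)."""
    return [(host, classify(prod, ver)) for host, prod, ver in inventory]

# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("edge-mx1", "junos", "12.1X46-D20"),
    ("core-ex1", "junos", "11.4R7"),
    ("fw-old", "screenos", "6.3.0r17"),
    ("vpn-mag", "sa", "7.4R3"),
    ("lab-box", "acme-widget", "1.0"),
]
```

Running audit(SAMPLE_INVENTORY) flags core-ex1 and fw-old for transition and lab-box for certificate review, while edge-mx1 and vpn-mag pass.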