All modules
CMVP Validated Module · FIPS 140-3 Security Policy

WaveLogic 5 Extreme Encryption Modem

Certificate#4913StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip EmbeddedStatusActiveVendorCiena Corporation
Medium review priority  ·  exposes boot-chain verification, firmware-update authentication, debug/recovery interface  ·  last validated 19 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Embedded
StatusActive
Sunset date12/8/2026
CaveatInterim validation. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorCiena Corporation
Hardware versions[012 (P/Ns 174-0506-841, 174-0506-842)], [014 (P/N 174-0506-843)], [007 (P/N 174-0506-844)] with components [Mech Kit 500-0506-020 Version 001]

Approved Algorithms (24)

AlgorithmACVP Cert
AES-CBCA3379
AES-CTRA3379
AES-ECBA3305
AES-ECBA3379
AES-GCMA3305
AES-GCMA3379
AES-KWA3379
AES-KWPA3379
Counter DRBGA3379
ECDSA KeyGen (FIPS186-4)A3379
ECDSA KeyVer (FIPS186-4)A3379
ECDSA SigGen (FIPS186-4)A3379
ECDSA SigVer (FIPS186-4)A3379
HMAC-SHA2-256A3379
HMAC-SHA2-384A3379
HMAC-SHA2-512A3379
KAS-ECC Sp800-56Ar3A3379
KAS-ECC-SSC Sp800-56Ar3A3379
KDA TwoStep Sp800-56Cr1A3379
KDF SP800-108A3379
SHA2-256A3379
SHA2-384A3379
SHA2-512A3379
TLS v1.3 KDFA3379

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces2
Roles, Services, and Authentication2
Software/Firmware Security2
Operational EnvironmentN/A
Physical Security2
Sensitive Security Parameter Management2
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for WaveLogic 5 Extreme Encryption Modem
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>12.3</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Perform a firmware upgrade<br/>Perform a firmware upgrade2</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Report the firmware version, alarms, Status and…<br/>Initialize the module<br/>Configure PSK and certificate</i>"]
    C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>UART/Host Connector</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C4 --> I4 --> R4 --> E4
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C4,C5,C6 clue;
  class I1,I2,I3,I4,I5,I6 infer;
  class R1,R2,R3,R4,R5,R6 risk;
  class E1,E2,E3,E4,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for WaveLogic 5 Extreme Encryption Modem
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>12.3</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Perform a firmware upgrade<br/>Perform a firmware upgrade2</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Report the firmware version, alarms, Status and…<br/>Initialize the module<br/>Configure PSK and certificate</i><br/>src: securityPolicy.services"]
    C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>UART/Host Connector</i><br/>src: securityPolicy.portsAndInterfaces"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3,C4 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

WaveLogic 5 Extreme Encryption Modem By Ciena Corporation [012 (P/Ns 174-0506-841) with components Mech Kit 500-0506-020 Version 001] [012 (P/Ns 174-0506-842) with components Mech Kit 500-0506-020 Version 001] [014 (P/N 174-0506-843) with components Mech Kit 500-0506-020 Version 001] [007 (P/N 174-0506-844) with components Mech Kit 500-0506-020 Version 001] Firmware Version: 12.3 Date: 11/28/2024 Prepared by: Acumen Security

2400 Research Blvd, Suite 395

Rockville, MD 20850 www.acumensecurity.net (Ciena Corporation © 2024) Version 1.0 Public Material

Page 2

Introduction Federal Information Processing Standards Publication 140-3

2 security requirements of FIPS 140-3.

The WaveLogic 5 Extreme Encryption Modem may also be referred to as the “module” or “modem” in this document. Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Ciena Corporation shall have no liability for any error or damages of any kind resulting from the use of this document. Notices This document may be freely reproduced and distributed in its entirety without modification. (Ciena Corporation © 2024) Version 1.0 Public Material

Page 3
Table of Contents
#SectionPage
Introduction2
Disclaimer2
Notices2
1General4
2Cryptographic Module Specification5
3Cryptographic Module Interfaces11
4Roles, Services, and Authentication12
5Software/Firmware Security23
6Operational Environment24
7Physical Security25
8Non-invasive Security26
9Sensitive Security Parameter Management27
10Self-tests33
11Life-Cycle Assurance35
12Mitigation of Other Attacks36
Claimed9
Page 4
Security level
NameISO SectionRequirementLevel
11General2
22Cryptographic Module Specification2
33Cryptographic Module Interfaces2
44Roles, Services, and Authentication2
55Software/Firmware Security2
66Operational EnvironmentN/A
77Physical Security2
88Non-invasive SecurityN/A
99Sensitive Security Parameter Management2
1010Self-tests2
1111Life-cycle Assurance2
1212Mitigation of Other AttacksN/A
  1. Scope Extreme Encryption Modem (Hardware versions: 007, 012 and 014) (Firmware Version 12.3) by Ciena Corporation. It contains specification of the security rules under which the cryptographic module operates, including those derived from the requirements of the FIPS 140-3 standard. Overview The WaveLogic 5 Extreme Encryption Modem is an optical transponder daughter card installed within a Ciena optical transponder service module. It consists of a multiple chip-embedded application specific integrated circuit (ASIC) along with optical components and supporting circuitry. All security-relevant communications to the module via its management interface (Ethernet) are encrypted using TLS v1.3. The module also supports a client input and output data interface and optical connector. All traffic entering and exiting the module via the optical connector is encrypted/decrypted using AES GCM. The module provides fully secure cryptographic functionality, including peer authentication, key derivation, datapath encryption, physical security, and identification and authentication of the module’s Crypto Officer (CO). This module is configured and monitored by a Ciena Control Processor Module. The module operates in Approved mode by default. No additional configuration is needed for rendering or operating the module in the Approved mode. The following table lists the level of validation for each area in FIPS 140-3: N/A N/A N/A Table 1 – Security Levels The module meets the requirements of an overall Security Level
  2. (Ciena Corporation © 2024) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision).
Page 5

2. Cryptographic Module Specification Figure 1: High level module block diagram As shown in the above block diagram, the module consists of an ARM A53 quad core processor with internal RAM. The firmware running on the processor performs all the monitoring/control activities related to the datapath encryption feature. The crypto accelerator is a security co-processor. It contains hardware cryptographic engines and firmware for the WaveLogic 5e Encryption Modem Crypto library. The datapath encryption and decryption block performs the AES-GCM encryption and decryption function on the client payload data. The module is packaged within other Ciena products to form a complete encryption transport solution. The Ciena product forms the Trusted Operational Environment’s Physical Perimeter (TOEPP) for the module. Figure 2 below shows the cryptographic boundary of the module (highlighted in red). (Ciena Corporation © 2024) Version 1.0 Public Material

Page 6
Module configuration
NameModelHardware VersionFirmware VersionFeatures
WaveLogic 5 Extreme Encryption ModemWaveLogic 5 Extreme Encryption Modem[012 (P/Ns 174-0506-841) with components Mech Kit 500-0506-020 Version 001]12.3The part numbers are equivalent and just used to differentiate the manufacturing process and sites
WaveLogic 5 Extreme Encryption ModemWaveLogic 5 Extreme Encryption Modem[012 (P/Ns 174-0506-842) with components Mech Kit 500-0506-020 Version 001]12.3The part numbers are equivalent and just used to differentiate the manufacturing process and sites
WaveLogic 5 Extreme Encryption ModemWaveLogic 5 Extreme Encryption Modem[014 (P/Ns 174-0506-843) with components Mech Kit 500-0506-020 Version 001]12.3The part numbers are equivalent and just used to differentiate the manufacturing process and sites
WaveLogic 5 Extreme Encryption ModemWaveLogic 5 Extreme Encryption Modem[007 (P/Ns 174-0506-844) with components Mech Kit 500-0506-020 Version 001]12.3The part numbers are equivalent and just used to differentiate the manufacturing process and sites

Figure 2: Cryptographic Boundary of WaveLogic 5 Extreme Encryption Modem (represents all P/Ns in Table 2) Table 2

Page 7
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AESA3379CBC ECB CTRCBC (256) ECB (256) CTR (128, 192, 256)Encryption/ DecryptionFIPS PUB 197 NIST SP 800-38A
FIPS PUB 197 NIST SP 800-38DGCMGCM (128, 192, 256)Authenticat ed Encryption/ DecryptionFIPS PUB 197 NIST SP 800-38D
NIST SP 800-38FKW KWPKW (128, 192, 256) KWP (128, 192, 256)Key WrappingNIST SP 800-38F
ECDSAKey Generation Key Verification Signature Generation Signature VerificationKey Generation (P-384/521) Key Verification (P-384/521) Signature Generation (P- 384/521; SHA2-256, SHA2- 384, SHA2-512) Signature Verification (P- 384/521; SHA2-256, SHA2- 384, SHA2-512)Key Gen/ Key Ver Sign/VerifyFIPS 186- 4
HMACSHA2-256 SHA2-384 SHA2-512SHA2-256 SHA2-384 SHA2-512Keyed-Hash Message Authenticat ionFIPS PUB 198-1
SHSSHA2-256 SHA2-384 SHA2-512SHA2-256 SHA2-384 SHA2-512HashingFIPS PUB 180-4 (SHA-1 and SHA- 2 functions )
KAS- ECC- SSCScheme(s): Ephemeral Unified and onePassUnifiedKAS-ECC-SSC: Domain Parameter Generation Methods: P-384, P-521Key AgreementNIST SP800- 56arev3
KAS- ECC1Scheme(s): Ephemeral UnifiedKAS-ECC: Domain Parameter Generation Methods: P-384, P-521Key AgreementNIST SP800- 56arev3
KDF SP 800- 108Kdf Mode: Counter Mac Mode: HMAC SHA2-256HMAC SHA2-256 Supported Lengths: 96, 256 bitsKey DerivationNIST SP 800-108
CVLTLS 1.3 KDF:TLS 1.3 KDF:Key DerivationRFC8446
NIST SP 800- 135rev1Running Mode: DHE and PSK- DHEHMAC Algorithm: SHA2-256 and SHA2-384NIST SP 800- 135rev1
KDATwo Step KDF Mode: counter MAC Modes: HMAC-SHA2- 256Supported Lengths: 256 Counter Lengths: 8 Derived Key Length: 256 Shared Secret Length: 256Key DerivationNIST SP 800- 56Crev1
DRBGAES CTR DRBGAES CTR DRBG 256 with prediction resistance enabled; derivation function disabledRandom Bit GenerationNIST SP 800- 90Arev1
KAS-1KAS-ECC- SSC Sp800- 56Ar3/ A3379 TLS v1.3 KDF/ A3379KAS-ECC-SSC with TLS v1.3 KDF per IG D.F Scenario 2 path (2)P-384 and P-521 curves providing 192 bits and 256 bits of encryption strengthKey AgreementNIST SP 800- 56Arev3
KAS-2KAS-ECC- SSC Sp800- 56Ar3/ A3379 KDA TwoStep Sp800- 56Cr1/ A3379KAS-ECC-SSC with NIST SP 800-56Crev1 KDA TwoStep per IG D.F Scenario 2 path (2)P-384 and P-521 curves providing 192 bits and 256 bits of encryption strengthKey AgreementNIST SP 800- 56Arev3
KAS-3KAS-ECC Sp800- 56Ar3/ A3379KAS-ECC per IG D.F Scenario 2 path (1)P-384 and P-521 curves providing 192 bits and 256 bits of encryption strengthKey AgreementNIST SP 800- 56Arev3
KTS-1AES-KW/ A3379 AES- KWP/ A3379KTS (key wrapping) per IG D.G128, 192, and 256- bit keys providing 128, 192, or 256 bits of encryption strengthKey WrappingSP 800- 38D and SP 800- 38F
KTS-2AES- GCM/ A3379KTS (key wrapping) per IG D.G128, 192, and 256- bit keys providing 128, 192, or 256 bits of encryption strengthKey Wrapping in the context of TLS v1.3SP 800- 38F
AESA3305ECB256 bitsTested as a pre- requisite for AES GCMFIPS PUB 197 NIST SP 800-38A
FIPS PUB 197GCM256 bitsEncryption/ DecryptionFIPS PUB 197
CKGVendor AffirmedSection 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys Section 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing KeySection 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing KeyCryptograp hic Key GenerationSP800- 133rev2
AESCert. A3379, key unwrapping. Per IG D.G.Symmetric key unwrapping
AES-CBC (256 bits)No Security ClaimedBoot image encryption
AES-XTS (256 bits)No Security ClaimedFilesystem encryption

FIPS 1864 ) SP80056arev3 KASECCSSC KASECC1 SP80056arev3 800108 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. (Ciena Corporation © 2024) Version 1.0 Public Material

Page 8

800135rev1 80056Crev1 80090Arev1 80056Arev3 80056Arev3 80056Arev3 SP 80038F prerequisite for KAS-ECCSSC Sp80056Ar3/ KAS-ECCSSC Sp80056Ar3/ Sp80056Cr1/ Sp80056Ar3/ AESKWP/ AESGCM/ SP 80038F (Ciena Corporation © 2024) Version 1.0 Public Material

Page 9
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
CKGVendor AffirmedSection 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys Section 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing KeySection 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing KeyCryptograp hic Key GenerationSP800- 133rev2
AESCert. A3379, key unwrapping. Per IG D.G.Symmetric key unwrapping
AES-CBC (256 bits)No Security ClaimedBoot image encryption
AES-XTS (256 bits)No Security ClaimedFilesystem encryption

SP800133rev2 Table 3

Page 10
Page 11
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
UART/Host ConnectorUART/Host ConnectorStatus OutputStatus Output port
SGMII/Host ConnectorSGMII/Host ConnectorData Input, Data Output, Control Input and Status OutputTLS 1.3 communication
Host Connector (providing connectivity to client interface)Host Connector (providing connectivity to client interface)Data Input and Data OutputPlaintext Non-Security User Data
Optical Connector (providing connectivity to Line port interface)Optical Connector (providing connectivity to Line port interface)Data Input, Data Output Control Input, Control Output And Status OutputControl and status input and output encrypted using TLS 1.3 and client payload encrypted with AES-GCM
Host connector (providing connectivity to power interface)Host connector (providing connectivity to power interface)Power InterfacePower Input
eMMCeMMCData InputFirmware Load

3. Cryptographic Module Interfaces The module supports the following physical ports and interfaces:

Page 12
Service
NameRolesInputOutput
Initialize the moduleCOSSPs, CommandCommand response
Configure PSK and certificateCOSSPs, CommandCommand response
Zeroise (Perform zeroisation.)COCommandCommand response
Datapath Encryption/ Decryption Service (Perform approved security functions)COSSPs, CommandCommand response
Report the firmware version, alarms, Status and Statistics (Show status, Show module’s versioning information)COCommandCommand response
Perform a firmware upgradeCOCommandCommand response
Perform operator re-authenticationCOSSPs, CommandCommand response
Issue re-authentication commandCOSSPs, CommandCommand response
Perform on demand self-tests (Perform self-tests)CORebootN/A
Approved algorithm
NameUse Function
Authentication StrengthAuthenticationRole
The module supports ECDSA P-384 and P-521 digital certificate authentication of Peers forCODatapath Customer Enrolled Certificate
Authentication StrengthAuthenticationRole
The module supports the use of a pre-Shared key for Datapath Encryption peer authentication for Users; The Pre-Shared key is 32 bytes in length. Using conservative estimates, the probability for a random attempt to succeed is: 1:2^256 or 1: 1.579 × 10^77 which is less than 1:1,000,000. The fastest network connection supported by the modules over the management interface is 10 MBits/s; Hence, at most 10 ×10^6 × 60 = 6 × 10^8 = 600,000,000 bits of data can be transmitted in one minute;CODatapath Customer Enrollment Pre-Shared Key (PSK)
Authentication StrengthAuthenticationRole
The module supports ECDSA digital certificate authentication of COs over the TLS 1.; Using conservative estimates and equating the use of ECDSA with P-521 elliptic curve to a 256- bit strength, the probability for a random attempt to succeed is: 1:2^256 or 1: 1.579 × 10^77 which is less than 1:1,000,000 The fastest network connection supported by the modules over Management interfaces is 2.5 GB/s; Hence, at most 2.5 ×10^9 × 60 = 15 × 10^10 = 150,000,000,000 bits of data can be transmitted in one minute Therefore, the probability that a random attempt will succeed, or a false acceptance will occur in one minute is: 1: (2^256 possible keys / ((15 × 10^10 bits per minute) / 256 bits per key)) 1: (2^256 possible keys / 585,937,500 keys per minute) 1: 1.97 × 10^68 which is less than 1:100,000 within one minuteCOInitial Device ID (iDevID) and Local Device ID (LDevID) Public Key

4. Roles, Services, and Authentication The module supports one authorized role (i.e., Crypto Officer role). The CO role is responsible for module initialization and module configuration, including security parameters, key management, status activities, and audit review. The CO role is assumed explicitly by the Ciena Control Processor Module that configures and monitors the module. The Ciena Control Processor Module authenticates to the module using TLS 1.3 certificatebased authentication. N/A Table 7

Page 13

(Ciena Corporation © 2024) Version 1.0 Public Material

Page 14

Table 8

Page 15
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Initialize the modulePerform initialization of the moduleCOHUK HYDRA_KDK, BLOB_KEY, DRBG Seed, DRBG Key, DRBG V, Entropy Input, DRBG Output TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key,HMAC- SHA2-256 #A3379; AES-GCM, ECB, 256 bits, #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; CTR_DRB G #A3379; ECDSA P- 521 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG;(E) (G) (R, G, E),Event Log and a Global Approved mode indicator (show status indicator)
KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled CertificateKDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379
Configure PSK and certificateSet to PSK mode and provision the PSK or set to certificate mode and provision the certificate 32-256 bytesCODatapath Customer Enrolled Preshared key (PSK), Datapath pre shared key (DPE-PSK), TLS 1.3 pre shared key (TLS-PSK) TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLSECDSA P- 521 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379;(W) (G) (G) (E)Event logs and ‘show' command s and a Global Approved mode indicator (show status indicator)
KAS-ECC P-384, P- 521 #A3379Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled Certificate Or TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled CertificateKAS-ECC P-384, P- 521 #A3379Or (W) (E)
Zeroise (Perform zeroisation)Power DownCON/AAll SSPs except those loaded at the factoryN/A“Show” command s and successful completio n of service and a Global Approved mode indicator (show status indicator)
Datapath Encryption/ Decryption Service (Perform approved security functions)Initiate the TLS session to the peer modem, perform the key agreement protocol and configure the datapath keys; Automatically performed when PSK or certificate is provisionedCODatapath pre shared key (DPE-PSK) TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, Datapath Customer Enrolled Certificate DPE_ECDH Public Key, DPE_ECDH Private Key,ECDSA P- 521 #A3379; KDF SP800-108 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521(E) (R, G,E) (G, E, W) (G, E, Z)Event logs and a Global Approved mode indicator (show status indicator)
#A3379DPE “Z” Value, DPE MacKey, DPE_KDK, Datapath Cipher Encrypt/Decry pt keys (x16) (DDEK/DDDK)#A3379
Report the firmware version, alarms, Status and Statistics (Show status, Show module’s versioning information)View the firmware version, encryption related alarms, status and performance monitoring statisticsCON/AN/AN/AShow Comman d Response and a Global Approved mode indicator (show status indicator)
Perform a firmware upgrade2Initiate the upgrade of the modem firmware when directed by the CO via control input interface (SGMII)COLOAD_KEYECDSA P- 521 SHA2- 512N/AEvent Log and “show” command s to verify the updated version
Perform operator re- authenticatio nAuthenticate the CO with the module and replace the authenticatio n material; This is performed when received via the optical control input interfaceCOCOID Public, IDEVID public key, IDEVID private key, Logical Device ID public key, Logical Device ID private key, TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled CertificateECDSA P- 521 #A3379; CKG; KDA TwoStep Sp800- 56Cr1 #A3379; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379(W) (E, R) (G, W) (W, E, R)Event Log
Issue re- authenticatio n commandSend command to remote modem to initiate a re- authenticatio n with the COvia optical control output interfaceCOTLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled CertificateECDSA P- 521 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379(W, E, R)Event Log
Perform on demand self- tests (Perform self- tests )Perform pre- operational self-tests on demand via module restartCO, UnauthorisedFIT_PUBLICECDSA P- 521 SHA2- 512N/AEvent Log and a Global Approved mode indicator (show status indicator)

In Approved mode, the module provides a limited number of services for which the operator is not required to assume an authorized role (see Table 7). None of the services listed in the table disclose

Page 16

1.3 SHA2384 P-384, P521 ECDSA P521 Sp80056Cr1 1.3 SHA2384 s (W) (G) (G) (E) TLS 1.3 PreMaster (Ciena Corporation © 2024) Version 1.0 Public Material

Page 17

P-384, P521 s TLS 1.3 PreMaster (W) (E) (Ciena Corporation © 2024) Version 1.0 Public Material

Page 18

N/A s N/A ECDSA P521 Sp80056Cr1 1.3 SHA2384 P-384, P521 (E) (R, G,E) TLS 1.3 PreMaster (G, E, W) (G, E, Z) (Ciena Corporation © 2024) Version 1.0 Public Material

Page 19

s d N/A N/A N/A ECDSA P521 SHA2512 N/A For firmware load test, the module runs ECDSA P-521 with SHA2-512 check. Please note that the module does not support complete image replacement. (Ciena Corporation © 2024) Public Material

Page 20

operator reauthenticatio n ECDSA P521 Sp80056Cr1 1.3 SHA2384 P-384, P521 s (W) (E, R) (G, W) TLS 1.3 PreMaster (W, E, R) (Ciena Corporation © 2024) Version 1.0 Public Material

Page 21

Issue reauthenticatio initiate a reauthenticatio demand selftests (Perform selftests ) Perform preoperational ECDSA P521 Sp80056Cr1 1.3 SHA2384 P-384, P521 ECDSA P521 SHA2512 s TLS 1.3 PreMaster (W, E, R) N/A Table 9

Page 22

Self-initiated Cryptographic Output The module supports self-initiated cryptographic output functionality via the Datapath Encryption/ Decryption Service. Before enabling this service, the CO must configure and perform two independent internal actions in order for the service to get activated. The independent internal actions are as follows:

  1. The CO must authenticate with the modem.
  2. The CO must perform the service to activate PSK or install a certificate authentication. (Ciena Corporation © 2024) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision).
Page 23

5. Software/Firmware Security The module uses ECDSA P-521 using SHA2-512 for firmware integrity testing/verification. The FIT_PUBLIC, an ECDSA P-521 SHA2-512 Public key, is used to authenticate the Linux kernel. This is run at startup and on demand by reloading the module. The module also runs the self-tests for ECDSA Signature verification, SHA2-256 and SHA2-512 prior to running the integrity check. The executable form of the module firmware is a pre-compiled binary. (Ciena Corporation © 2024) Version 1.0 Public Material

Page 24

6. Operational Environment The module is a hardware module with the embodiment type as a multi-chip embedded cryptographic module. Hence, the module’s operational environment (OE) is a limited OE since the module is designed to accept only controlled firmware changes that successfully pass the firmware load test. The requirements per this section do not apply to the module since the module claims to meet Physical Security Level 2 requirements. (Ciena Corporation © 2024) Version 1.0 Public Material

Page 25
Physical Security MechanismRecommended Frequency ofInspection/Test Guidance
Inspection/TestDetails
Tamper-evident sealsPeriodic inspection of tamper- evident seals when moving/replacing the moduleTwo tamper-evident seals are applied to the multi-chip embedded cryptographic module during manufacturing; The physical security of the module is intact if there is no evidence of tampering with the tamper-evident seal(s); If evidence of tamper is found, the Cryptographic Officer is requested to follow their internal IT policies, which may include contacting Ciena for replacing the unit

7. Table 10

Page 26

8. Non-invasive Security This section is not applicable. The module does not implement any Non-invasive attack mitigation techniques. (Ciena Corporation © 2024) Version 1.0 Public Material

Page 27
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageImport ExportKey/SSP Name/ TypeZero- isation
Used to derive seconda ry Keys (HYDRA _KDK)256 bitsHMAC- SHA2-256 #A3379N/AN/ARead-only eFUSE in plaintextPreloade d at the factory Never exits the moduleHardware Unique Key (HUK) CSPN/A
Used to derive BLOB_K EY256 bitsAES-GCM, ECB, #A3379 KDA TwoStep Sp800- 56Cr1 #A3379 CKGDerived from HUKN/ARAM OnlyNever exits the moduleHYDRA_KD K CSPZeroised after use
Used for decrypti ng the iDevID private key (IDEVID)256 bitsAES GCM, ECB #A3379, KDA TwoStep Sp800- 56Cr1 #A3379 CKGDerived from HYDRA_KDK (KDA TwoStep Sp800-56Cr1 )N/ARAM OnlyNever exits the moduleBLOB_KEY CSPZeroised after use
Used for random number generati on384-bitsCTR_DRBG #A3379Generated internally using entropy inputN/AStored in plaintext in RAMNever exits the moduleDRBG Seed CSPReboot or power removal
Used for random number generati on256-bitsCTR_DRBG #A3379Generated internally using entropy inputN/AStored in plaintext in RAMNever exits the moduleDRBG Key CSPReboot or power removal
Used for random number generati on256-bitsCTR_CRBG #A3379Generated internally using entropy inputN/AStored in plaintext in RAMNever exits the moduleDRBG V CSPReboot or power removal
Used for random number128-bitsCTR_DRBG #A3379Generated internally usingN/AStored in plaintext in RAMNever exits the moduleDRBG Output CSPReboot or power removal
generati onentropy input
Used for random number generati on384 bitsESV Cert. #E39Generated internally using entropy sourceN/AStored in plaintext in RAMNever exits the moduleEntropy Input CSPReboot or power removal
Used to derive the DPE- PSK and TLS- PSK256-bitsECDSA P- 521 #A3379; KTS-2 #A3379N/AN/ARAM OnlyEnters the module via TLS 1.3 Never exits the moduleDatapath Customer Enrolled Preshared key (PSK) CSPReboot or power removal
Used for remote device TLS 1.3 connecti on256-bitsECDSA P- 521 #A3379; KTS-2 #A3379N/AN/ARAM OnlyEnters the module via TLS 1.3 Never exits the moduleDatapath Customer Enrolled Certificate PSPReboot or power removal
Used during the datapat h key agreeme nt256-bitsECDSA P- 521 #A3379, KDA TwoStep Sp800- 56Cr1#A33 79 CKGGenerated internally from the PSK using KDA TwoStep Sp800-56Cr1N/ARAM OnlyNever exits the moduleDatapath pre shared key (DPE-PSK) CSPReboot or power removal
Used during the TLS 1.3 handsha ke256-bitsECDSA P- 521 #A3379, KDA TwoStep Sp800- 56Cr1 #A3379 CKGGenerated internally from the PSK using KDA TwoStep Sp800-56Cr1N/ARAM OnlyNever exits the moduleTLS 1.3 pre shared key (TLS- PSK) CSPReboot or power removal
Default authenti256-bitsECDSA P- 521N/AN/ARead-OnlyLoaded at theIDEVID public keyN/A
cation material for CO using TLS 1.3#A3379Stored encrypted in non- volatile memory with the BLOB_KEYfactory Exits in plaintextPSP
Default authenti cation material for CO using TLS 1.3256-bitsECDSA P- 521 #A3379N/AN/ARead-Only Stored encrypted in non- volatile memory with the BLOB_KEYLoaded at the factory Never exits the moduleIDEVID private key CSPN/A
Used for CO to module authenti cation using TLS 1.3256-bitsECDSA P- 521 #A3379; KTS-2 #A3379N/AN/ARAM OnlyImported via TLS 1.3 during the first connecti on with the CO Never exits the moduleCOID Public PSPReboot or power removal
Used for CO to module authenti cation using TLS 1.3256-bitsECDSA P- 521 KeyGen #A3379 CKGGenerated internally using Module’s DRBG and FIPS 186-4N/ARAM OnlyExits in plaintextLogical Device ID Public Key PSPReboot or power removal
Used for CO to module authenti cation using TLS 1.3256-bitsECDSA P- 521 KeyGen #A3379 CKGGenerated internally using Module’s DRBG and FIPS 186-4N/ARAM OnlyNever exits the moduleLogical Device ID Private Key CSPReboot or power removal
Establish the TLS256 bitsKDF TLS 1.3 #A3379GeneratedN/ARAM OnlyNever exits the moduleTLS 1.3 Pre- MasterSession termination, Reboot, or
Master Secretinternally by module’s DRBG during session negotiationSecret CSPpower removal
Establish the TLS Session and authenti cation Key256 bitsKDF TLS 1.3 #A3379Derived using TLS Pre-Master Secret during session negotiationDuring TLS 1.3 handshakeRAM OnlyNever exits the moduleTLS 1.3 Master Secret CSPSession termination, Reboot, or power removal
Used for authenti cating TLS commun ication256 bitsHMAC SHA2- 384 #A3379, KDF TLS 1.3 #A3379, CKGDerived using KDF TLS 1.3 during session negotiationDuring TLS 1.3 handshakeRAM OnlyNever exits the moduleTLS 1.3 Authentica tion Key CSPSession termination, Reboot, or power removal
Used for encrypti ng the TLS commun ication256 bitsAES GCM, ECB 256- bit keys #A3379, KDF TLS 1.3 #A3379, CKGDerived via KDF TLS 1.3 during session negotiationDuring TLS 1.3 handshakeRAM OnlyNever exits the moduleTLS Session Key CSPSession termination, Reboot, or power removal
Used for exchangi ng shared secret to derive session keys during key agreeme nt128 bits, 256 bitsKAS-ECC P- 384, P-521 #A3379, KDF TLS 1.3 #A3379, CKGFor the public component of the module: generated internally during negotiation For the public component of a peer: generate externally and enters during theDuring datapath encryption /decryptio n serviceRAM OnlyFor the public compone nt of the module: exits the module in plaintext For the public compone nt of a peer: never exitsDPE_ECDH Public Key PSPSession termination, reboot, or power removal
TLS 1.3 handshakeTLS 1.3 handshakethe module
Used for exchangi ng shared secret to derive session keys during key agreeme nt128 bits, 256 bitsKAS-ECC P- 384, P-521 #A3379, KDF TLS 1.3 #A3379, CKGGenerated internally during TLS 1.3 negotiationDuring datapath encryption /decryptio n serviceRAMNever exits the moduleDPE_ECDH Private Key CSPBy session termination, reboot, or power removal
Shared secret resulting from the ECDHE exchang e between peers128 bits, 256 bitsKAS-ECC P- 384, P-521 #A3379Generated internally during key agreement negotiationDuring datapath encryption - decryption serviceRAMNever exits the moduleDPE “Z” Value CSPZeroised by reboot or power removal and after use
Used to authenti cate key agreeme nt message s128 bits, 256 bitsKAS-ECC- SSC P-384, P-521 #A3379, KDA TwoStep Sp800- 56Cr1 #A3379 CKGGenerated internally during key agreement negotiation (UsingKDA TwoStep Sp800-56Cr1 )N/ARAMNever exits the moduleDPE Mac Key CSPZeroised by reboot or power removal once the key is programmed into HW cipher
Master key derivatio n key used to derive the datapat h cipher keys and IVs128 bits, 256 bitsKAS-ECC- SSC P-384, P-521 #A3379, KDA TwoStep Sp800- 56Cr1 #A3379, CKGGenerated internally during key agreement negotiation (Using KDA TwoStep Sp800-56Cr1 )N/ARAMNever exits the moduleDPE_KDK CSPZeroised by reboot or power removal once the key is programmed into HW cipher
Used for encrypti on and decrypti on of the datapat h256 bitsAES GCM, ECB 256-bit key #A3305 KDF SP800-108 #A3379 CKGDerived internally using a KDF SP 800- 108 function from the DPE_KDKN/ARAMNever exits the moduleDatapath Cipher Encrypt/D ecrypt keys (x16) (DDEK/DD DK) CSPZeroised by reboot or power removal once the key is programmed into HW cipher

9. Sensitive Security Parameter Management HMACSHA2-256 K Sp80056Cr1 Sp80056Cr1 Generation N/A N/A N/A N/A Zeroisation ) N/A N/A N/A N/A N/A (Ciena Corporation © 2024) Version 1.0 Public Material

Page 28

ECDSA P521 key (TLSPSK) ECDSA P521 ECDSA P521 Sp80056Cr1#A33 ECDSA P521 Sp80056Cr1 ECDSA P521 Generation N/A N/A Zeroisation the DPEPSK and TLSPSK N/A 1.3 N/A N/A N/A h 1.3 N/A 1.3 N/A N/A N/A (Ciena Corporation © 2024) Version 1.0 Public Material

Page 29

Generation N/A in nonvolatile in nonvolatile N/A ECDSA P521 ECDSA P521 N/A N/A 1.3 Zeroisation N/A N/A ECDSA P521 ECDSA P521 N/A PreMaster 1.3 N/A (Ciena Corporation © 2024) Version 1.0 Public Material

Page 30

1.3 SHA2384 1.3 1.3 1.3 Generation Zeroisation 1.3 1.3 1.3 (Ciena Corporation © 2024) Version 1.0 Public Material

Page 31

Generation 1.3 Zeroisation e s 1.3 N/A ) ) Sp80056Cr1 Sp80056Cr1 N/A (Ciena Corporation © 2024) Version 1.0 Public Material

Page 32
Approved algorithm
NameKey Size
DetailsEntropy sourcesMinimum number of bits of
SP 800-90B compliant entropy source with a ring oscillator - based noise source0.5/bitSP 800-90B ESV Cert. #E39

Generation N/A Zeroisation h Table 11

Page 33
  1. Self-tests ISO/IEC 19790 requires the module to perform pre-operational self-tests to ensure the module integrity and the correctness of the cryptographic functionality at start-up. The algorithms supported by the module require cryptographic self-tests and these tests are run when the module is in operational state prior to the first use of algorithm. Some functions also require conditional tests during normal operation of the module. The pre-operational firmware integrity test (using ECDSA P-521 SHA2-512) can be run on demand by reloading the module.
  2. Pre-operational self-tests: a. Firmware Integrity test using ECDSA P-521/SHA2-512
  3. Conditional self-tests: a. conditional cryptographic algorithm test ▪ Ciena WaveLogic 5e Encryption Modem Crypto Implementation: o AES-CBC 128-bit KAT (Encrypt) o AES-CBC 128-bit KAT (Decrypt) o AES-GCM 256-bit KAT (Encrypt) o AES-GCM 256-bit KAT (Decrypt) o SHA2-256 KAT o SHA2-384 KAT o SHA2-512 KAT o HMAC-SHA2-256 KAT o HMAC-SHA2-384 KAT o HMAC-SHA2-512 KAT o AES-256 CTR DRBG KAT ▪ SP800-90Arev1 Section 11 health tests o SP800-56Arev3 KAS-ECC-SSC KAT (Curve used: P-521) o ECDSA P-521 Sign KAT o ECDSA P-521 Verify KAT o KDF NIST SP 800-108 (HMAC SHA2-256) KAT o One-Step KDA KAT o Two Step KDA KAT o TLS 1.3 KDF KAT ▪ o o o o Ciena WaveLogic 5e Encryption Modem Datapath Ciphers Implementation: AES-GCM KAT (Encrypt) AES-GCM KAT (Decrypt) Repetition Count Test on ENT Adaptive Proportion Test on ENT b. Conditional pair-wise consistency test: (Ciena Corporation © 2024) Version 1.0 Public Material – May be reproduced only in its original entirety (without revision).
Page 34
Page 35

11. Life-Cycle Assurance The module only runs in an Approved mode of operation. The CO can monitor and configure the module via the TLS 1.3 management channel from the Ciena Control Processor Module. Detailed instructions for monitoring and troubleshooting the module are provided in the Ciena’s User’s Guide and Technical Practices document. Ciena uses Git software for the management of source code artifacts and SharePoint for hardware and documentation version control. The module is developed using high level programming languages C and C++. The module is always delivered via commercial bounded carrier. The shipment will contain a packing slip with the serial numbers of all shipped devices. Prior to deployment the receiver shall verify that the hardware serial numbers match the serial numbers listed in the packing slip. The module is shipped from the factory with the required physical security mechanisms (tamper-evident labels, metal covers and PCB layers) installed. The CO must perform a physical inspection of the unit for signs of damage and to ensure that all physical security mechanisms are in place. Additionally, the CO should check the package for any irregular tears or openings. If damage is found or tampering is suspected, the CO should immediately contact Ciena. There is no special procedure to decommission the modem. Disconnecting fibers and removing the encryption module from the system (powering down) results in all SSP zeroisation. There are no other sanitization procedures to complete. The module only supports an approved mode of operation. No additional configuration is required on the Crypto Officer’s part except for installing the module since the provisioning of the module will be taken care of by another Ciena module, the Control Processor. (Ciena Corporation © 2024) Version 1.0 Public Material

Page 36

12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any other attacks. (Ciena Corporation © 2024) Version 1.0 Public Material

Page 37

End of Document (Ciena Corporation © 2024) Version 1.0 Public Material

Referenced URLs