| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 12/8/2026 |
| Caveat | Interim validation. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Ciena Corporation |
| Hardware versions | [012 (P/Ns 174-0506-841, 174-0506-842)], [014 (P/N 174-0506-843)], [007 (P/N 174-0506-844)] with components [Mech Kit 500-0506-020 Version 001] |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3379 |
| AES-CTR | A3379 |
| AES-ECB | A3305 |
| AES-ECB | A3379 |
| AES-GCM | A3305 |
| AES-GCM | A3379 |
| AES-KW | A3379 |
| AES-KWP | A3379 |
| Counter DRBG | A3379 |
| ECDSA KeyGen (FIPS186-4) | A3379 |
| ECDSA KeyVer (FIPS186-4) | A3379 |
| ECDSA SigGen (FIPS186-4) | A3379 |
| ECDSA SigVer (FIPS186-4) | A3379 |
| HMAC-SHA2-256 | A3379 |
| HMAC-SHA2-384 | A3379 |
| HMAC-SHA2-512 | A3379 |
| KAS-ECC Sp800-56Ar3 | A3379 |
| KAS-ECC-SSC Sp800-56Ar3 | A3379 |
| KDA TwoStep Sp800-56Cr1 | A3379 |
| KDF SP800-108 | A3379 |
| SHA2-256 | A3379 |
| SHA2-384 | A3379 |
| SHA2-512 | A3379 |
| TLS v1.3 KDF | A3379 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 2 |
| Roles, Services, and Authentication | 2 |
| Software/Firmware Security | 2 |
| Operational Environment | N/A |
| Physical Security | 2 |
| Sensitive Security Parameter Management | 2 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for WaveLogic 5 Extreme Encryption Modem
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>12.3</i>"]
C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Perform a firmware upgrade<br/>Perform a firmware upgrade2</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Report the firmware version, alarms, Status and…<br/>Initialize the module<br/>Configure PSK and certificate</i>"]
C4["[high] Physical/logical<br/>interfaces (some 'blocked<br/>in firmware')<br/><i>UART/Host Connector</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I4["Interface reachability may<br/>vary by boot stage and<br/>lifecycle state."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R4["Are interfaces blocked<br/>before the bootloader<br/>runs, or only after<br/>approved mode starts?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E4["lifecycle reachability<br/>matrix · boot-stage<br/>interface timing ·<br/>factory/recovery/error-state<br/>access controls"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C1 --> I1 --> R1 --> E1
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C4 --> I4 --> R4 --> E4
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C1,C2,C3,C4,C5,C6 clue;
class I1,I2,I3,I4,I5,I6 infer;
class R1,R2,R3,R4,R5,R6 risk;
class E1,E2,E3,E4,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for WaveLogic 5 Extreme Encryption Modem
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>12.3</i><br/>src: certificate.firmwareVersions"]
C2["[high] Firmware update / recovery / rollback services<br/><i>Perform a firmware upgrade<br/>Perform a firmware upgrade2</i><br/>src: securityPolicy.services"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Report the firmware version, alarms, Status and…<br/>Initialize the module<br/>Configure PSK and certificate</i><br/>src: securityPolicy.services"]
C4["[high] Physical/logical interfaces (some 'blocked in firmware')<br/><i>UART/Host Connector</i><br/>src: securityPolicy.portsAndInterfaces"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C1,C2,C3,C4 clueHigh;
class C5,C6 clueLow;WaveLogic 5 Extreme Encryption Modem By Ciena Corporation [012 (P/Ns 174-0506-841) with components Mech Kit 500-0506-020 Version 001] [012 (P/Ns 174-0506-842) with components Mech Kit 500-0506-020 Version 001] [014 (P/N 174-0506-843) with components Mech Kit 500-0506-020 Version 001] [007 (P/N 174-0506-844) with components Mech Kit 500-0506-020 Version 001] Firmware Version: 12.3 Date: 11/28/2024 Prepared by: Acumen Security
Rockville, MD 20850 www.acumensecurity.net (Ciena Corporation © 2024) Version 1.0 Public Material
Introduction Federal Information Processing Standards Publication 140-3
The WaveLogic 5 Extreme Encryption Modem may also be referred to as the “module” or “modem” in this document. Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Ciena Corporation shall have no liability for any error or damages of any kind resulting from the use of this document. Notices This document may be freely reproduced and distributed in its entirety without modification. (Ciena Corporation © 2024) Version 1.0 Public Material
| # | Section | Page |
|---|---|---|
| Introduction | 2 | |
| Disclaimer | 2 | |
| Notices | 2 | |
| 1 | General | 4 |
| 2 | Cryptographic Module Specification | 5 |
| 3 | Cryptographic Module Interfaces | 11 |
| 4 | Roles, Services, and Authentication | 12 |
| 5 | Software/Firmware Security | 23 |
| 6 | Operational Environment | 24 |
| 7 | Physical Security | 25 |
| 8 | Non-invasive Security | 26 |
| 9 | Sensitive Security Parameter Management | 27 |
| 10 | Self-tests | 33 |
| 11 | Life-Cycle Assurance | 35 |
| 12 | Mitigation of Other Attacks | 36 |
| Claimed | 9 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 2 |
| 2 | 2 | Cryptographic Module Specification | 2 |
| 3 | 3 | Cryptographic Module Interfaces | 2 |
| 4 | 4 | Roles, Services, and Authentication | 2 |
| 5 | 5 | Software/Firmware Security | 2 |
| 6 | 6 | Operational Environment | N/A |
| 7 | 7 | Physical Security | 2 |
| 8 | 8 | Non-invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 2 |
| 10 | 10 | Self-tests | 2 |
| 11 | 11 | Life-cycle Assurance | 2 |
| 12 | 12 | Mitigation of Other Attacks | N/A |
2. Cryptographic Module Specification Figure 1: High level module block diagram As shown in the above block diagram, the module consists of an ARM A53 quad core processor with internal RAM. The firmware running on the processor performs all the monitoring/control activities related to the datapath encryption feature. The crypto accelerator is a security co-processor. It contains hardware cryptographic engines and firmware for the WaveLogic 5e Encryption Modem Crypto library. The datapath encryption and decryption block performs the AES-GCM encryption and decryption function on the client payload data. The module is packaged within other Ciena products to form a complete encryption transport solution. The Ciena product forms the Trusted Operational Environment’s Physical Perimeter (TOEPP) for the module. Figure 2 below shows the cryptographic boundary of the module (highlighted in red). (Ciena Corporation © 2024) Version 1.0 Public Material
| Name | Model | Hardware Version | Firmware Version | Features |
|---|---|---|---|---|
| WaveLogic 5 Extreme Encryption Modem | WaveLogic 5 Extreme Encryption Modem | [012 (P/Ns 174-0506-841) with components Mech Kit 500-0506-020 Version 001] | 12.3 | The part numbers are equivalent and just used to differentiate the manufacturing process and sites |
| WaveLogic 5 Extreme Encryption Modem | WaveLogic 5 Extreme Encryption Modem | [012 (P/Ns 174-0506-842) with components Mech Kit 500-0506-020 Version 001] | 12.3 | The part numbers are equivalent and just used to differentiate the manufacturing process and sites |
| WaveLogic 5 Extreme Encryption Modem | WaveLogic 5 Extreme Encryption Modem | [014 (P/Ns 174-0506-843) with components Mech Kit 500-0506-020 Version 001] | 12.3 | The part numbers are equivalent and just used to differentiate the manufacturing process and sites |
| WaveLogic 5 Extreme Encryption Modem | WaveLogic 5 Extreme Encryption Modem | [007 (P/Ns 174-0506-844) with components Mech Kit 500-0506-020 Version 001] | 12.3 | The part numbers are equivalent and just used to differentiate the manufacturing process and sites |
Figure 2: Cryptographic Boundary of WaveLogic 5 Extreme Encryption Modem (represents all P/Ns in Table 2) Table 2
| Name | CAVP Cert | Mode Method | Key Size | Use Function | ||
|---|---|---|---|---|---|---|
| AES | A3379 | CBC ECB CTR | CBC (256) ECB (256) CTR (128, 192, 256) | Encryption/ Decryption | FIPS PUB 197 NIST SP 800-38A | |
| FIPS PUB 197 NIST SP 800-38D | GCM | GCM (128, 192, 256) | Authenticat ed Encryption/ Decryption | FIPS PUB 197 NIST SP 800-38D | ||
| NIST SP 800-38F | KW KWP | KW (128, 192, 256) KWP (128, 192, 256) | Key Wrapping | NIST SP 800-38F | ||
| ECDSA | Key Generation Key Verification Signature Generation Signature Verification | Key Generation (P-384/521) Key Verification (P-384/521) Signature Generation (P- 384/521; SHA2-256, SHA2- 384, SHA2-512) Signature Verification (P- 384/521; SHA2-256, SHA2- 384, SHA2-512) | Key Gen/ Key Ver Sign/Verify | FIPS 186- 4 | ||
| HMAC | SHA2-256 SHA2-384 SHA2-512 | SHA2-256 SHA2-384 SHA2-512 | Keyed-Hash Message Authenticat ion | FIPS PUB 198-1 | ||
| SHS | SHA2-256 SHA2-384 SHA2-512 | SHA2-256 SHA2-384 SHA2-512 | Hashing | FIPS PUB 180-4 (SHA-1 and SHA- 2 functions ) | ||
| KAS- ECC- SSC | Scheme(s): Ephemeral Unified and onePassUnified | KAS-ECC-SSC: Domain Parameter Generation Methods: P-384, P-521 | Key Agreement | NIST SP800- 56arev3 | ||
| KAS- ECC1 | Scheme(s): Ephemeral Unified | KAS-ECC: Domain Parameter Generation Methods: P-384, P-521 | Key Agreement | NIST SP800- 56arev3 | ||
| KDF SP 800- 108 | Kdf Mode: Counter Mac Mode: HMAC SHA2-256 | HMAC SHA2-256 Supported Lengths: 96, 256 bits | Key Derivation | NIST SP 800-108 | ||
| CVL | TLS 1.3 KDF: | TLS 1.3 KDF: | Key Derivation | RFC8446 | ||
| NIST SP 800- 135rev1 | Running Mode: DHE and PSK- DHE | HMAC Algorithm: SHA2-256 and SHA2-384 | NIST SP 800- 135rev1 | |||
| KDA | Two Step KDF Mode: counter MAC Modes: HMAC-SHA2- 256 | Supported Lengths: 256 Counter Lengths: 8 Derived Key Length: 256 Shared Secret Length: 256 | Key Derivation | NIST SP 800- 56Crev1 | ||
| DRBG | AES CTR DRBG | AES CTR DRBG 256 with prediction resistance enabled; derivation function disabled | Random Bit Generation | NIST SP 800- 90Arev1 | ||
| KAS-1 | KAS-ECC- SSC Sp800- 56Ar3/ A3379 TLS v1.3 KDF/ A3379 | KAS-ECC-SSC with TLS v1.3 KDF per IG D.F Scenario 2 path (2) | P-384 and P-521 curves providing 192 bits and 256 bits of encryption strength | Key Agreement | NIST SP 800- 56Arev3 | |
| KAS-2 | KAS-ECC- SSC Sp800- 56Ar3/ A3379 KDA TwoStep Sp800- 56Cr1/ A3379 | KAS-ECC-SSC with NIST SP 800-56Crev1 KDA TwoStep per IG D.F Scenario 2 path (2) | P-384 and P-521 curves providing 192 bits and 256 bits of encryption strength | Key Agreement | NIST SP 800- 56Arev3 | |
| KAS-3 | KAS-ECC Sp800- 56Ar3/ A3379 | KAS-ECC per IG D.F Scenario 2 path (1) | P-384 and P-521 curves providing 192 bits and 256 bits of encryption strength | Key Agreement | NIST SP 800- 56Arev3 | |
| KTS-1 | AES-KW/ A3379 AES- KWP/ A3379 | KTS (key wrapping) per IG D.G | 128, 192, and 256- bit keys providing 128, 192, or 256 bits of encryption strength | Key Wrapping | SP 800- 38D and SP 800- 38F | |
| KTS-2 | AES- GCM/ A3379 | KTS (key wrapping) per IG D.G | 128, 192, and 256- bit keys providing 128, 192, or 256 bits of encryption strength | Key Wrapping in the context of TLS v1.3 | SP 800- 38F | |
| AES | A3305 | ECB | 256 bits | Tested as a pre- requisite for AES GCM | FIPS PUB 197 NIST SP 800-38A | |
| FIPS PUB 197 | GCM | 256 bits | Encryption/ Decryption | FIPS PUB 197 | ||
| CKG | Vendor Affirmed | Section 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys Section 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing Key | Section 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing Key | Cryptograp hic Key Generation | SP800- 133rev2 | |
| AES | Cert. A3379, key unwrapping. Per IG D.G. | Symmetric key unwrapping | ||||
| AES-CBC (256 bits) | No Security Claimed | Boot image encryption | ||||
| AES-XTS (256 bits) | No Security Claimed | Filesystem encryption |
FIPS 1864 ) SP80056arev3 KASECCSSC KASECC1 SP80056arev3 800108 There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module. (Ciena Corporation © 2024) Version 1.0 Public Material
800135rev1 80056Crev1 80090Arev1 80056Arev3 80056Arev3 80056Arev3 SP 80038F prerequisite for KAS-ECCSSC Sp80056Ar3/ KAS-ECCSSC Sp80056Ar3/ Sp80056Cr1/ Sp80056Ar3/ AESKWP/ AESGCM/ SP 80038F (Ciena Corporation © 2024) Version 1.0 Public Material
| Name | CAVP Cert | Mode Method | Key Size | Use Function | ||
|---|---|---|---|---|---|---|
| CKG | Vendor Affirmed | Section 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys Section 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing Key | Section 4 Using the Output of a Random Bit Generator Option 1 (Symmetric keys and seed values for Asymmetric keys) Section 5.1 Key Pairs for Digital Signature Schemes Section 5.2 Key Pairs for Key Establishment Section 6.1 Direct Generation of Symmetric Keys 6.2.1 Symmetric Keys Generated Using Key- Agreement Schemes Section 6.2.2 Symmetric Keys Derived from a Pre-existing Key | Cryptograp hic Key Generation | SP800- 133rev2 | |
| AES | Cert. A3379, key unwrapping. Per IG D.G. | Symmetric key unwrapping | ||||
| AES-CBC (256 bits) | No Security Claimed | Boot image encryption | ||||
| AES-XTS (256 bits) | No Security Claimed | Filesystem encryption |
SP800133rev2 Table 3
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| UART/Host Connector | UART/Host Connector | Status Output | Status Output port |
| SGMII/Host Connector | SGMII/Host Connector | Data Input, Data Output, Control Input and Status Output | TLS 1.3 communication |
| Host Connector (providing connectivity to client interface) | Host Connector (providing connectivity to client interface) | Data Input and Data Output | Plaintext Non-Security User Data |
| Optical Connector (providing connectivity to Line port interface) | Optical Connector (providing connectivity to Line port interface) | Data Input, Data Output Control Input, Control Output And Status Output | Control and status input and output encrypted using TLS 1.3 and client payload encrypted with AES-GCM |
| Host connector (providing connectivity to power interface) | Host connector (providing connectivity to power interface) | Power Interface | Power Input |
| eMMC | eMMC | Data Input | Firmware Load |
3. Cryptographic Module Interfaces The module supports the following physical ports and interfaces:
| Name | Roles | Input | Output |
|---|---|---|---|
| Initialize the module | CO | SSPs, Command | Command response |
| Configure PSK and certificate | CO | SSPs, Command | Command response |
| Zeroise (Perform zeroisation.) | CO | Command | Command response |
| Datapath Encryption/ Decryption Service (Perform approved security functions) | CO | SSPs, Command | Command response |
| Report the firmware version, alarms, Status and Statistics (Show status, Show module’s versioning information) | CO | Command | Command response |
| Perform a firmware upgrade | CO | Command | Command response |
| Perform operator re-authentication | CO | SSPs, Command | Command response |
| Issue re-authentication command | CO | SSPs, Command | Command response |
| Perform on demand self-tests (Perform self-tests) | CO | Reboot | N/A |
| Name | Use Function | ||
|---|---|---|---|
| Authentication Strength | Authentication | Role | |
| The module supports ECDSA P-384 and P-521 digital certificate authentication of Peers for | CO | Datapath Customer Enrolled Certificate | |
| Authentication Strength | Authentication | Role | |
| The module supports the use of a pre-Shared key for Datapath Encryption peer authentication for Users; The Pre-Shared key is 32 bytes in length. Using conservative estimates, the probability for a random attempt to succeed is: 1:2^256 or 1: 1.579 × 10^77 which is less than 1:1,000,000. The fastest network connection supported by the modules over the management interface is 10 MBits/s; Hence, at most 10 ×10^6 × 60 = 6 × 10^8 = 600,000,000 bits of data can be transmitted in one minute; | CO | Datapath Customer Enrollment Pre-Shared Key (PSK) | |
| Authentication Strength | Authentication | Role | |
| The module supports ECDSA digital certificate authentication of COs over the TLS 1.; Using conservative estimates and equating the use of ECDSA with P-521 elliptic curve to a 256- bit strength, the probability for a random attempt to succeed is: 1:2^256 or 1: 1.579 × 10^77 which is less than 1:1,000,000 The fastest network connection supported by the modules over Management interfaces is 2.5 GB/s; Hence, at most 2.5 ×10^9 × 60 = 15 × 10^10 = 150,000,000,000 bits of data can be transmitted in one minute Therefore, the probability that a random attempt will succeed, or a false acceptance will occur in one minute is: 1: (2^256 possible keys / ((15 × 10^10 bits per minute) / 256 bits per key)) 1: (2^256 possible keys / 585,937,500 keys per minute) 1: 1.97 × 10^68 which is less than 1:100,000 within one minute | CO | Initial Device ID (iDevID) and Local Device ID (LDevID) Public Key |
4. Roles, Services, and Authentication The module supports one authorized role (i.e., Crypto Officer role). The CO role is responsible for module initialization and module configuration, including security parameters, key management, status activities, and audit review. The CO role is assumed explicitly by the Ciena Control Processor Module that configures and monitors the module. The Ciena Control Processor Module authenticates to the module using TLS 1.3 certificatebased authentication. N/A Table 7
(Ciena Corporation © 2024) Version 1.0 Public Material
Table 8
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Initialize the module | Perform initialization of the module | CO | HUK HYDRA_KDK, BLOB_KEY, DRBG Seed, DRBG Key, DRBG V, Entropy Input, DRBG Output TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key, | HMAC- SHA2-256 #A3379; AES-GCM, ECB, 256 bits, #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; CTR_DRB G #A3379; ECDSA P- 521 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; | (E) (G) (R, G, E), | Event Log and a Global Approved mode indicator (show status indicator) |
| KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379 | DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled Certificate | KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379 | ||||
| Configure PSK and certificate | Set to PSK mode and provision the PSK or set to certificate mode and provision the certificate 32-256 bytes | CO | Datapath Customer Enrolled Preshared key (PSK), Datapath pre shared key (DPE-PSK), TLS 1.3 pre shared key (TLS-PSK) TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS | ECDSA P- 521 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; | (W) (G) (G) (E) | Event logs and ‘show' command s and a Global Approved mode indicator (show status indicator) |
| KAS-ECC P-384, P- 521 #A3379 | Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled Certificate Or TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled Certificate | KAS-ECC P-384, P- 521 #A3379 | Or (W) (E) | |||
| Zeroise (Perform zeroisation) | Power Down | CO | N/A | All SSPs except those loaded at the factory | N/A | “Show” command s and successful completio n of service and a Global Approved mode indicator (show status indicator) |
| Datapath Encryption/ Decryption Service (Perform approved security functions) | Initiate the TLS session to the peer modem, perform the key agreement protocol and configure the datapath keys; Automatically performed when PSK or certificate is provisioned | CO | Datapath pre shared key (DPE-PSK) TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, Datapath Customer Enrolled Certificate DPE_ECDH Public Key, DPE_ECDH Private Key, | ECDSA P- 521 #A3379; KDF SP800-108 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 | (E) (R, G,E) (G, E, W) (G, E, Z) | Event logs and a Global Approved mode indicator (show status indicator) |
| #A3379 | DPE “Z” Value, DPE MacKey, DPE_KDK, Datapath Cipher Encrypt/Decry pt keys (x16) (DDEK/DDDK) | #A3379 | ||||
| Report the firmware version, alarms, Status and Statistics (Show status, Show module’s versioning information) | View the firmware version, encryption related alarms, status and performance monitoring statistics | CO | N/A | N/A | N/A | Show Comman d Response and a Global Approved mode indicator (show status indicator) |
| Perform a firmware upgrade2 | Initiate the upgrade of the modem firmware when directed by the CO via control input interface (SGMII) | CO | LOAD_KEY | ECDSA P- 521 SHA2- 512 | N/A | Event Log and “show” command s to verify the updated version |
| Perform operator re- authenticatio n | Authenticate the CO with the module and replace the authenticatio n material; This is performed when received via the optical control input interface | CO | COID Public, IDEVID public key, IDEVID private key, Logical Device ID public key, Logical Device ID private key, TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled Certificate | ECDSA P- 521 #A3379; CKG; KDA TwoStep Sp800- 56Cr1 #A3379; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379 | (W) (E, R) (G, W) (W, E, R) | Event Log |
| Issue re- authenticatio n command | Send command to remote modem to initiate a re- authenticatio n with the COvia optical control output interface | CO | TLS 1.3 pre shared key (TLS-PSK), TLS 1.3 Pre- Master Secret, TLS 1.3 Master Secret, TLS 1.3 Authenticatio n Key, TLS Session Key, DPE_ECDH Public Key, DPE_ECDH Private Key, DPE “Z” Value, DPE MacKey, Datapath Customer Enrolled Certificate | ECDSA P- 521 #A3379; KDA TwoStep Sp800- 56Cr1 #A3379; CKG; KDF TLS 1.3 #A3379; HMAC SHA2- 384 #A3379; AES GCM, ECB 256- bit keys #A3379; KTS-2 #A3379; KAS-ECC P-384, P- 521 #A3379 | (W, E, R) | Event Log |
| Perform on demand self- tests (Perform self- tests ) | Perform pre- operational self-tests on demand via module restart | CO, Unauthorised | FIT_PUBLIC | ECDSA P- 521 SHA2- 512 | N/A | Event Log and a Global Approved mode indicator (show status indicator) |
In Approved mode, the module provides a limited number of services for which the operator is not required to assume an authorized role (see Table 7). None of the services listed in the table disclose
1.3 SHA2384 P-384, P521 ECDSA P521 Sp80056Cr1 1.3 SHA2384 s (W) (G) (G) (E) TLS 1.3 PreMaster (Ciena Corporation © 2024) Version 1.0 Public Material
P-384, P521 s TLS 1.3 PreMaster (W) (E) (Ciena Corporation © 2024) Version 1.0 Public Material
N/A s N/A ECDSA P521 Sp80056Cr1 1.3 SHA2384 P-384, P521 (E) (R, G,E) TLS 1.3 PreMaster (G, E, W) (G, E, Z) (Ciena Corporation © 2024) Version 1.0 Public Material
s d N/A N/A N/A ECDSA P521 SHA2512 N/A For firmware load test, the module runs ECDSA P-521 with SHA2-512 check. Please note that the module does not support complete image replacement. (Ciena Corporation © 2024) Public Material
operator reauthenticatio n ECDSA P521 Sp80056Cr1 1.3 SHA2384 P-384, P521 s (W) (E, R) (G, W) TLS 1.3 PreMaster (W, E, R) (Ciena Corporation © 2024) Version 1.0 Public Material
Issue reauthenticatio initiate a reauthenticatio demand selftests (Perform selftests ) Perform preoperational ECDSA P521 Sp80056Cr1 1.3 SHA2384 P-384, P521 ECDSA P521 SHA2512 s TLS 1.3 PreMaster (W, E, R) N/A Table 9
Self-initiated Cryptographic Output The module supports self-initiated cryptographic output functionality via the Datapath Encryption/ Decryption Service. Before enabling this service, the CO must configure and perform two independent internal actions in order for the service to get activated. The independent internal actions are as follows:
5. Software/Firmware Security The module uses ECDSA P-521 using SHA2-512 for firmware integrity testing/verification. The FIT_PUBLIC, an ECDSA P-521 SHA2-512 Public key, is used to authenticate the Linux kernel. This is run at startup and on demand by reloading the module. The module also runs the self-tests for ECDSA Signature verification, SHA2-256 and SHA2-512 prior to running the integrity check. The executable form of the module firmware is a pre-compiled binary. (Ciena Corporation © 2024) Version 1.0 Public Material
6. Operational Environment The module is a hardware module with the embodiment type as a multi-chip embedded cryptographic module. Hence, the module’s operational environment (OE) is a limited OE since the module is designed to accept only controlled firmware changes that successfully pass the firmware load test. The requirements per this section do not apply to the module since the module claims to meet Physical Security Level 2 requirements. (Ciena Corporation © 2024) Version 1.0 Public Material
| Physical Security Mechanism | Recommended Frequency of | Inspection/Test Guidance | ||
|---|---|---|---|---|
| Inspection/Test | Details | |||
| Tamper-evident seals | Periodic inspection of tamper- evident seals when moving/replacing the module | Two tamper-evident seals are applied to the multi-chip embedded cryptographic module during manufacturing; The physical security of the module is intact if there is no evidence of tampering with the tamper-evident seal(s); If evidence of tamper is found, the Cryptographic Officer is requested to follow their internal IT policies, which may include contacting Ciena for replacing the unit |
7. Table 10
8. Non-invasive Security This section is not applicable. The module does not implement any Non-invasive attack mitigation techniques. (Ciena Corporation © 2024) Version 1.0 Public Material
| Name | Strength | Security Function | Generation | Establishment | Storage | Import Export | Key/SSP Name/ Type | Zero- isation |
|---|---|---|---|---|---|---|---|---|
| Used to derive seconda ry Keys (HYDRA _KDK) | 256 bits | HMAC- SHA2-256 #A3379 | N/A | N/A | Read-only eFUSE in plaintext | Preloade d at the factory Never exits the module | Hardware Unique Key (HUK) CSP | N/A |
| Used to derive BLOB_K EY | 256 bits | AES-GCM, ECB, #A3379 KDA TwoStep Sp800- 56Cr1 #A3379 CKG | Derived from HUK | N/A | RAM Only | Never exits the module | HYDRA_KD K CSP | Zeroised after use |
| Used for decrypti ng the iDevID private key (IDEVID) | 256 bits | AES GCM, ECB #A3379, KDA TwoStep Sp800- 56Cr1 #A3379 CKG | Derived from HYDRA_KDK (KDA TwoStep Sp800-56Cr1 ) | N/A | RAM Only | Never exits the module | BLOB_KEY CSP | Zeroised after use |
| Used for random number generati on | 384-bits | CTR_DRBG #A3379 | Generated internally using entropy input | N/A | Stored in plaintext in RAM | Never exits the module | DRBG Seed CSP | Reboot or power removal |
| Used for random number generati on | 256-bits | CTR_DRBG #A3379 | Generated internally using entropy input | N/A | Stored in plaintext in RAM | Never exits the module | DRBG Key CSP | Reboot or power removal |
| Used for random number generati on | 256-bits | CTR_CRBG #A3379 | Generated internally using entropy input | N/A | Stored in plaintext in RAM | Never exits the module | DRBG V CSP | Reboot or power removal |
| Used for random number | 128-bits | CTR_DRBG #A3379 | Generated internally using | N/A | Stored in plaintext in RAM | Never exits the module | DRBG Output CSP | Reboot or power removal |
| generati on | entropy input | |||||||
| Used for random number generati on | 384 bits | ESV Cert. #E39 | Generated internally using entropy source | N/A | Stored in plaintext in RAM | Never exits the module | Entropy Input CSP | Reboot or power removal |
| Used to derive the DPE- PSK and TLS- PSK | 256-bits | ECDSA P- 521 #A3379; KTS-2 #A3379 | N/A | N/A | RAM Only | Enters the module via TLS 1.3 Never exits the module | Datapath Customer Enrolled Preshared key (PSK) CSP | Reboot or power removal |
| Used for remote device TLS 1.3 connecti on | 256-bits | ECDSA P- 521 #A3379; KTS-2 #A3379 | N/A | N/A | RAM Only | Enters the module via TLS 1.3 Never exits the module | Datapath Customer Enrolled Certificate PSP | Reboot or power removal |
| Used during the datapat h key agreeme nt | 256-bits | ECDSA P- 521 #A3379, KDA TwoStep Sp800- 56Cr1#A33 79 CKG | Generated internally from the PSK using KDA TwoStep Sp800-56Cr1 | N/A | RAM Only | Never exits the module | Datapath pre shared key (DPE-PSK) CSP | Reboot or power removal |
| Used during the TLS 1.3 handsha ke | 256-bits | ECDSA P- 521 #A3379, KDA TwoStep Sp800- 56Cr1 #A3379 CKG | Generated internally from the PSK using KDA TwoStep Sp800-56Cr1 | N/A | RAM Only | Never exits the module | TLS 1.3 pre shared key (TLS- PSK) CSP | Reboot or power removal |
| Default authenti | 256-bits | ECDSA P- 521 | N/A | N/A | Read-Only | Loaded at the | IDEVID public key | N/A |
| cation material for CO using TLS 1.3 | #A3379 | Stored encrypted in non- volatile memory with the BLOB_KEY | factory Exits in plaintext | PSP | ||||
| Default authenti cation material for CO using TLS 1.3 | 256-bits | ECDSA P- 521 #A3379 | N/A | N/A | Read-Only Stored encrypted in non- volatile memory with the BLOB_KEY | Loaded at the factory Never exits the module | IDEVID private key CSP | N/A |
| Used for CO to module authenti cation using TLS 1.3 | 256-bits | ECDSA P- 521 #A3379; KTS-2 #A3379 | N/A | N/A | RAM Only | Imported via TLS 1.3 during the first connecti on with the CO Never exits the module | COID Public PSP | Reboot or power removal |
| Used for CO to module authenti cation using TLS 1.3 | 256-bits | ECDSA P- 521 KeyGen #A3379 CKG | Generated internally using Module’s DRBG and FIPS 186-4 | N/A | RAM Only | Exits in plaintext | Logical Device ID Public Key PSP | Reboot or power removal |
| Used for CO to module authenti cation using TLS 1.3 | 256-bits | ECDSA P- 521 KeyGen #A3379 CKG | Generated internally using Module’s DRBG and FIPS 186-4 | N/A | RAM Only | Never exits the module | Logical Device ID Private Key CSP | Reboot or power removal |
| Establish the TLS | 256 bits | KDF TLS 1.3 #A3379 | Generated | N/A | RAM Only | Never exits the module | TLS 1.3 Pre- Master | Session termination, Reboot, or |
| Master Secret | internally by module’s DRBG during session negotiation | Secret CSP | power removal | |||||
| Establish the TLS Session and authenti cation Key | 256 bits | KDF TLS 1.3 #A3379 | Derived using TLS Pre-Master Secret during session negotiation | During TLS 1.3 handshake | RAM Only | Never exits the module | TLS 1.3 Master Secret CSP | Session termination, Reboot, or power removal |
| Used for authenti cating TLS commun ication | 256 bits | HMAC SHA2- 384 #A3379, KDF TLS 1.3 #A3379, CKG | Derived using KDF TLS 1.3 during session negotiation | During TLS 1.3 handshake | RAM Only | Never exits the module | TLS 1.3 Authentica tion Key CSP | Session termination, Reboot, or power removal |
| Used for encrypti ng the TLS commun ication | 256 bits | AES GCM, ECB 256- bit keys #A3379, KDF TLS 1.3 #A3379, CKG | Derived via KDF TLS 1.3 during session negotiation | During TLS 1.3 handshake | RAM Only | Never exits the module | TLS Session Key CSP | Session termination, Reboot, or power removal |
| Used for exchangi ng shared secret to derive session keys during key agreeme nt | 128 bits, 256 bits | KAS-ECC P- 384, P-521 #A3379, KDF TLS 1.3 #A3379, CKG | For the public component of the module: generated internally during negotiation For the public component of a peer: generate externally and enters during the | During datapath encryption /decryptio n service | RAM Only | For the public compone nt of the module: exits the module in plaintext For the public compone nt of a peer: never exits | DPE_ECDH Public Key PSP | Session termination, reboot, or power removal |
| TLS 1.3 handshake | TLS 1.3 handshake | the module | ||||||
| Used for exchangi ng shared secret to derive session keys during key agreeme nt | 128 bits, 256 bits | KAS-ECC P- 384, P-521 #A3379, KDF TLS 1.3 #A3379, CKG | Generated internally during TLS 1.3 negotiation | During datapath encryption /decryptio n service | RAM | Never exits the module | DPE_ECDH Private Key CSP | By session termination, reboot, or power removal |
| Shared secret resulting from the ECDHE exchang e between peers | 128 bits, 256 bits | KAS-ECC P- 384, P-521 #A3379 | Generated internally during key agreement negotiation | During datapath encryption - decryption service | RAM | Never exits the module | DPE “Z” Value CSP | Zeroised by reboot or power removal and after use |
| Used to authenti cate key agreeme nt message s | 128 bits, 256 bits | KAS-ECC- SSC P-384, P-521 #A3379, KDA TwoStep Sp800- 56Cr1 #A3379 CKG | Generated internally during key agreement negotiation (UsingKDA TwoStep Sp800-56Cr1 ) | N/A | RAM | Never exits the module | DPE Mac Key CSP | Zeroised by reboot or power removal once the key is programmed into HW cipher |
| Master key derivatio n key used to derive the datapat h cipher keys and IVs | 128 bits, 256 bits | KAS-ECC- SSC P-384, P-521 #A3379, KDA TwoStep Sp800- 56Cr1 #A3379, CKG | Generated internally during key agreement negotiation (Using KDA TwoStep Sp800-56Cr1 ) | N/A | RAM | Never exits the module | DPE_KDK CSP | Zeroised by reboot or power removal once the key is programmed into HW cipher |
| Used for encrypti on and decrypti on of the datapat h | 256 bits | AES GCM, ECB 256-bit key #A3305 KDF SP800-108 #A3379 CKG | Derived internally using a KDF SP 800- 108 function from the DPE_KDK | N/A | RAM | Never exits the module | Datapath Cipher Encrypt/D ecrypt keys (x16) (DDEK/DD DK) CSP | Zeroised by reboot or power removal once the key is programmed into HW cipher |
9. Sensitive Security Parameter Management HMACSHA2-256 K Sp80056Cr1 Sp80056Cr1 Generation N/A N/A N/A N/A Zeroisation ) N/A N/A N/A N/A N/A (Ciena Corporation © 2024) Version 1.0 Public Material
ECDSA P521 key (TLSPSK) ECDSA P521 ECDSA P521 Sp80056Cr1#A33 ECDSA P521 Sp80056Cr1 ECDSA P521 Generation N/A N/A Zeroisation the DPEPSK and TLSPSK N/A 1.3 N/A N/A N/A h 1.3 N/A 1.3 N/A N/A N/A (Ciena Corporation © 2024) Version 1.0 Public Material
Generation N/A in nonvolatile in nonvolatile N/A ECDSA P521 ECDSA P521 N/A N/A 1.3 Zeroisation N/A N/A ECDSA P521 ECDSA P521 N/A PreMaster 1.3 N/A (Ciena Corporation © 2024) Version 1.0 Public Material
1.3 SHA2384 1.3 1.3 1.3 Generation Zeroisation 1.3 1.3 1.3 (Ciena Corporation © 2024) Version 1.0 Public Material
Generation 1.3 Zeroisation e s 1.3 N/A ) ) Sp80056Cr1 Sp80056Cr1 N/A (Ciena Corporation © 2024) Version 1.0 Public Material
| Name | Key Size | ||
|---|---|---|---|
| Details | Entropy sources | Minimum number of bits of | |
| SP 800-90B compliant entropy source with a ring oscillator - based noise source | 0.5/bit | SP 800-90B ESV Cert. #E39 |
Generation N/A Zeroisation h Table 11
11. Life-Cycle Assurance The module only runs in an Approved mode of operation. The CO can monitor and configure the module via the TLS 1.3 management channel from the Ciena Control Processor Module. Detailed instructions for monitoring and troubleshooting the module are provided in the Ciena’s User’s Guide and Technical Practices document. Ciena uses Git software for the management of source code artifacts and SharePoint for hardware and documentation version control. The module is developed using high level programming languages C and C++. The module is always delivered via commercial bounded carrier. The shipment will contain a packing slip with the serial numbers of all shipped devices. Prior to deployment the receiver shall verify that the hardware serial numbers match the serial numbers listed in the packing slip. The module is shipped from the factory with the required physical security mechanisms (tamper-evident labels, metal covers and PCB layers) installed. The CO must perform a physical inspection of the unit for signs of damage and to ensure that all physical security mechanisms are in place. Additionally, the CO should check the package for any irregular tears or openings. If damage is found or tampering is suspected, the CO should immediately contact Ciena. There is no special procedure to decommission the modem. Disconnecting fibers and removing the encryption module from the system (powering down) results in all SSP zeroisation. There are no other sanitization procedures to complete. The module only supports an approved mode of operation. No additional configuration is required on the Crypto Officer’s part except for installing the module since the provisioning of the module will be taken care of by another Ciena module, the Control Processor. (Ciena Corporation © 2024) Version 1.0 Public Material
12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any other attacks. (Ciena Corporation © 2024) Version 1.0 Public Material
End of Document (Ciena Corporation © 2024) Version 1.0 Public Material