| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 12/17/2026 |
| Caveat | Interim validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. No operator authentication is enforced for executing security services that were unlocked by an authenticated service. |
| Vendor | Ciena Corporation |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3284 |
| AES-CTR | A3283 |
| AES-CTR | A3284 |
| AES-ECB | A3283 |
| AES-ECB | A3284 |
| AES-GCM | A3283 |
| AES-GCM | A3284 |
| ECDSA KeyGen (FIPS186-4) | A3284 |
| ECDSA KeyVer (FIPS186-4) | A3284 |
| ECDSA SigGen (FIPS186-4) | A3284 |
| ECDSA SigVer (FIPS186-4) | A3284 |
| Hash DRBG | A3284 |
| HMAC-SHA-1 | A3284 |
| HMAC-SHA2-256 | A3284 |
| HMAC-SHA2-384 | A3284 |
| HMAC-SHA2-512 | A3284 |
| KAS-ECC-SSC Sp800-56Ar3 | A3284 |
| KAS-FFC-SSC Sp800-56Ar3 | A3284 |
| KDF SP800-108 | A3284 |
| KDF SSH | A3284 |
| PBKDF | A3284 |
| RSA KeyGen (FIPS186-4) | A3284 |
| RSA SigGen (FIPS186-4) | A3284 |
| RSA SigVer (FIPS186-4) | A3284 |
| Safe Primes Key Generation | A3284 |
| Safe Primes Key Generation | A3284 |
| Safe Primes Key Generation | A3284 |
| Safe Primes Key Generation | A3284 |
| Safe Primes Key Generation | A3284 |
| Safe Primes Key Generation | A3284 |
| Safe Primes Key Verification | A3284 |
| Safe Primes Key Verification | A3284 |
| Safe Primes Key Verification | A3284 |
| Safe Primes Key Verification | A3284 |
| Safe Primes Key Verification | A3284 |
| Safe Primes Key Verification | A3284 |
| SHA-1 | A3284 |
| SHA2-224 | A3284 |
| SHA2-256 | A3284 |
| SHA2-384 | A3284 |
| SHA2-512 | A3284 |
| TDES-CBC | A3284 |
| TLS v1.2 KDF RFC7627 | A3284 |
| TLS v1.3 KDF | A3284 |
flowchart LR
%% Deterministic review-risk graph for Waveserver 5 Control Processor Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Upgrade<br/>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Waveserver 5 Control Processor Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Upgrade<br/>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Waveserver 5 Control Processor Module By Ciena Corporation Hardware Version(s): 186-3011-900 revision 001 and revision 002, 186-3011-901 revision 001 and revision 002 Firmware Version: 2.3.12 Date: 11/28/2024 Prepared by: Acumen Security
Rockville, MD 20850 www.acumensecurity.net Public Material
| # | Section | Page |
|---|
1. General Introduction Federal Information Processing Standards Publication 140-3
The Waveserver 5 Control Processor Module may also be referred to as the “CP” or “module” in this document. Disclaimer The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Ciena Corporation shall have no liability for any error or damages of any kind resulting from the use of this document. Notices This document may be freely reproduced and distributed in its entirety without modification. Scope This non-proprietary document describes the cryptographic module security policy for the Waveserver 5 Control Processor Module (Hardware version: 186-3011-900 revision 001 and revision 002 and 1863011-901 revision 001 and revision 002, Firmware Version 2.3.12). The two part numbers are equivalent and just used to differentiate the manufacturing process and sites. It contains specification of the security rules under which the cryptographic module operates, including those derived from the requirements of the FIPS 140-3 standard. Public Material
Overview The Waveserver 5 Control Processor Module is a multi-chip embedded hardware cryptographic module. The module is a purpose-built field replaceable unit intended for operation within the Ciena Waveserver
5 chassis. Its primary function is management of the Waveserver 5 chassis, which includes one or more
Waveserver 5 Encryption Modules. The module serves as the central control and storage facility for any SSPs utilized by the Encryption Module. Management functions of the module include device configuration, alarm monitoring, and log collection. The security functions performed by the module include operations related to the provisioning of the chassis (access controls, user passwords, remote authentication, and firmware upgrades), as well as control of the Encryption Module via TLS v1.3. All communication to the module via its management interface is encrypted either using TLS v1.2 or SSHv2. The module also supports a local serial console interface and read-only SNMPv3 data. The major components of the module include a Marvell CN9130 System on a Chip (SOC) with external DDR memory, an SSD, a CPLD (Complex Programmable Logic Device), and FPGA (Field-Programmable Gate Arrays). The module is installed inside the Waveserver 5 chassis and is attached to other Waveserver subsystems via a host connector, PCIe, Ethernet, serial, and USB-C. The module is shipped in factory state and the module is explicitly configured to operate in an Approved mode of operation. Section 14 provides additional information for configuring the module in the Approved mode of operation. Public Material
The following table lists the level of validation for each area in FIPS 140-3: ISO/IEC 24759 Section FIPS 140-3 Section Title Security Level 6. [Number Below]
1 General 2
2 Cryptographic Module Specification 2
3 Cryptographic Module Interfaces 2
4 Roles, Services, and Authentication 3
5 Software/Firmware Security 2
6 Operational Environment N/A
7 Physical Security 2
8 Non-invasive Security N/A
9 Sensitive Security Parameter Management 2
10 Self-tests 2
11 Life-cycle Assurance 2
12 Mitigation of Other Attacks N/A
Table 1
2. Cryptographic Module Specification Figure 1 below depicts the Waveserver 5 chassis, which consists of a CP card and up to four Encryption Modules. The validated module i.e., the Waveserver 5 Control Processor Module (CP card), is a multichip embedded embodiment housed in the Waveserver 5 chassis; the module components are completely enclosed within a hard metal clamshell cover with tamper evident labels applied. Figure 2 provides a block diagram of the module, depicting the major components of the module and the cryptographic boundary as shown in red. No module components have been excluded from the cryptographic boundary. The Ciena Waveserver 5 Chassis forms the Trusted Operational Environment’s Physical Perimeter (TOEPP) for the module. Figure 1
Figure 2
Figure 3 below shows the cryptographic boundary of the module (highlighted in red). Figure 3
The cryptographic module tested configuration can be found in the table below: Model Hardware Firmware Version Distinguishing Features [Part Number and Version] CP Type 2 186-3011-900 revision 001 2.3.12
CAVP Cert1 Algorithm Mode/Method Description / Use/Function and Standard Key Size(s) / Key Strength(s) Signature Generation (P256/384/521) Signature Verification (P256/384/521) DRBG NIST SP 800- Hash 256 bits Random Bit 90Arev1 Generation HMAC FIPS PUB 198-1 SHA-1 160, 256, Keyed-Hash SHA2-256 384, 512 bits Message SHA2-384 Authenticatio SHA2-512 n KAS-ECC- NIST SP 800- Domain P-256, P-384, Key SSC 56Arev3 Parameter P-521 Agreement Generation Methods: P-256, P-384, PScheme: ephemeralUnifie d KAS-FFC- NIST SP 800- Domain 2048, 3072, Key SSC 56Arev3 Parameter 4096, 6144, Agreement Generation 8192 bits Methods: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048 Scheme: dhEphem KDF SP NIST SP 800- Feedback, 256 bits Key Derivation 800-108 108 HMAC-SHA2-256 KDF SSH NIST SP 800- Cipher: AES-128, 128, 192, 256 Key Derivation (CVL) 135rev1 AES-192, AES-256 bits Public Material
CAVP Cert1 Algorithm Mode/Method Description / Use/Function and Standard Key Size(s) / Key Strength(s) Hash Algorithm: SHA-1, SHA2-256, SHA2-384, SHA2PBKDF NIST SP 800- Option 1 a Password Key Derivation
Salt Length: 128-512 Key Data Length: 128 RSA FIPS PUB 186-4 Key Generation 186-4: Key Gen/ (Mode: B.3.3), 2048/3072 Sign/Verify Signature bits, 186-4: Generation PKCS1 v1.5
CAVP Cert1 Algorithm Mode/Method Description / Use/Function and Standard Key Size(s) / Key Strength(s) TLS 1.3 RFC8446 256, 384 bits Key Derivation KDF HMAC-SHA2-256 (CVL) and HMAC-SHA2-384 Running Mode: DHE and PSK-DHE KAS-1 KAS NIST SP 800- KAS-ECC-SSC per P-256, P-384 Key 56Arev3 IG D.F Scenario 2 and P- Agreement KAS-ECC-SSC path (2) 521curves (SSH and TLS) Sp800- providing 128 56Ar3/A3284 bits, 192 bits KDF SSH/A3284 and 256 bits TLS v1.2 KDF of encryption RFC7627/A328 strength TLS v1.3 KDF/A3284 KAS-2 KAS NIST SP 800- KAS-FFC-SSC per 2048, 3072, Key 56Arev3 IG D.F Scenario 2 4096, 6144, Agreement KAS-FFC-SSC path (2) 8192-bit keys (SSH and TLS) Sp800- with 112, 56Ar3/A3284 192, 152, KDF SSH/A3284 176, 200 bits TLS v1.2 KDF of encryption RFC7627/A328 strength TLS v1.3 KDF/A3284 KTS KTS SP 800-38D key wrapping per 128, 192, and Key Transport AES-CBC/A3284 and SP 800- IG D.G 256- bit keys (SSH and TLS) AES-CTR/A3284 38F providing HMAC-SHA- 128, 192, or 1/A3284 256 bits of HMAC-SHA2- encryption 256/A3284 strength HMAC-SHA2384/A3284 HMAC-SHA2512/A3284 Public Material
CAVP Cert1 Algorithm Mode/Method Description / Use/Function and Standard Key Size(s) / Key Strength(s) A3283 AES FIPS PUB 197 CTR 256 bits Decryption NIST SP800- ECB 38A FIPS PUB 197 GCM 256 bits Decryption NIST SP80038D Vendor CKG SP800-133rev2 Section 4 Using Section 4 Cryptographic Affirmed the Output of a Using the Key Random Bit Output of a Generation Generator Option Random Bit
keys and seed Option 1 values for (Symmetric Asymmetric keys) keys and seed values for Section 5.1 Key Asymmetric Pairs for Digital keys) Signature Schemes Section 5.1 Key Pairs for Section 5.2 Key Digital Pairs for Key Signature Establishment Schemes Section 6.1 Direct Section 5.2 Generation of Key Pairs for Symmetric Keys Key Establishmen
Keys Generated Using Key- Section 6.1 Agreement Direct Schemes Generation of Symmetric Section 6.2.3 Keys Symmetric Keys Derived from 6.2.1 Passwords Symmetric Keys Generated Using KeyPublic Material
CAVP Cert1 Algorithm Mode/Method Description / Use/Function and Standard Key Size(s) / Key Strength(s) Agreement Schemes Section 6.2.3 Symmetric Keys Derived from Passwords Table 3
were performed entirely within the cryptographic boundary of the module being validated. The counter portion of the IV is set by the module within its cryptographic boundary. The module supports AES-GCM cipher suites from Section 3.3.1 of SP800-52 rev2. The implementation of the nonce_explicit management logic inside the module ensures that when the nonce_explicit part of the IV exhausts the maximum number of possible values for a given session key (e.g., a 64-bit counter starting from 0 and increasing, when it reaches the maximum value of 2^64 -1), either party (the client or the server) that encounters this condition triggers a handshake to establish a new encryption key (per Sections 7.4.1.1 and 7.4.1.2 in RFC 5246).
3. Cryptographic Module Interfaces The module supports the following physical ports and interfaces:
Power Supply/Input Power Interface Power supply/input from within the Waveserver 5 chassis where the module resides Table 5
4. Roles, Services, and Authentication The module supports one authorized role: Crypto Officer role. The CO role is responsible for module initialization and module configuration, including security parameters, key management, status activities, and audit review. The module supports both role-based and identity-based operator authentication methods as specified in Section 5.1. The CO role is able to configure and monitor the module via a console, HTTPS or SSH connection. Role Service Input Output CO Firmware Upgrade (Perform approved security Command Command functions) response CO View/Display the firmware version of the module Command Command (Show module’s versioning information) response CO Initialize and configure the module (Perform SSPs, Command approved security functions) Command response, SSPs s CO Alarms, status Command Command & Statistics (Show Status) response CO View System Logs (Show Status) Command, Command SSPs response CO Manage the Encryption Modem (Perform SSPs, SSPs, Command approved security functions) Command response CO Perform Secure Transfer (Perform approved SSPs, Command security functions) Command response CO Import/Install Certificate (Perform approved SSPs, Command security functions) Command response CO Import PSK (Perform approved security functions) SSPs, Command Command response CO Activate PSK SSPs, Command Command response CO Zeroise - Secure Erase Command Command via the Return to Factory Defaults (RTFD) response command or pushbutton (Perform zeroisation) CO Secure Backup/ Restore (Perform approved SSPs, SSPs, Command security functions) Command response CO Issue remote SSPs, Command CP reauthentication Command (Perform approved Command response security functions) CO Perform on demand self-tests (Perform self-tests) Power Self-test Cycle indicator CO Factory reset is available via a signal which Reset Self-test zeroises all SSPs and returns the module to its Signal indicator initial state Table 6
Role Authentication Method Authentication Strength CO Public Key Certificates The module supports ECDSA P-256, P-384 and P(TLS/HTTPS) 521 bit and RSA 2048, 3072- and 4096-bit digital Public key-based certificate authentication for TLS 1.2 and public authentication (SSH) key-based authentication for SSH; Using conservative estimates and equating the use of RSA with 2048 bits with 112 bits of security strength (the lowest strength offered by the module), the probability for a random attempt to succeed is: 1:2^112 or 1: 5.19 x 10^33 which is less than 1:1,000,000. The fastest network connection supported by the modules over Management interfaces is 10 Gb/s.; Hence, at most (1 ×10^10 × 60 = 6 × 10^11) 600,000,000,000 bits of data can be transmitted in one minute; Therefore, the probability that a random attempt will succeed, or a false acceptance will occur in one minute is: 1: (2^112 possible keys / ((6 × 10^11 bits per minute) / 112 bits per key)) 1: (2^112 possible keys / 535,714,2857 keys per minute) 1: 9.69 × 10^23 which is less than 1:100,000 within one minute. CO Initial Device ID (iDevID) and This is for the communication between module and Local Device ID (LDevID) encryption modem using TLS 1.3; Public Key Using conservative estimates and equating the use of ECDSA with P-521 elliptic curve to a 256-bit symmetric key, the probability for a random attempt to succeed is: 1:2^256 or 1: 1.16 x 10^77 which is less than 1:1,000,000; The fastest network connection supported by the modules over Management interfaces is 10 Gb/s. Public Material
Role Authentication Method Authentication Strength Hence, at most 10 ×10^9 × 60 = 6 × 10^11 = 600,000,000,000 bits of data can be transmitted in one minute; Therefore, the probability that a random attempt will succeed, or a false acceptance will occur in one minute is: 1: (2^256 possible keys / ((6 × 10^11 bits per minute) / 256 bits per key)) 1: (2^256 possible keys / 2,343,750,000 keys per minute) 1: 4.9 x 10^67 which is less than 1:100,000 within one minute CO Password-based For HTTPS, SSH and Console the module enforces 8character passwords (at minimum) chosen from the
The password can be a maximum of 128 characters. Based on the minimum password length, the probability for a random attempt to succeed is: 1:96^8 or 1: 7.21 X 10^15 Which is less than 1:1,000,000 A limit of 10 failed attempts is enforced by the module for SSH and HTTPS; Therefore, there can be at most 10:96^8 attempts in a one-minute period, which is less than 1:100,000 Table 7– Roles and Authentication The services that require operators to assume an authorized role are listed in Table 8 below:
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs Firmware Perform system ECDSA Ciena CO CPK (R, X) Command Upgrade wide firmware #A3284 signature response (Perform upgrade public key approved (CPK) Log security generation functions) View/Display Report the None None CO None Command the firmware running firmware response version of version of the the module module (Show module’s versioning information) Initialize and Perform ECDSA, CPK, BKEK, CO CPK, BKEK, Module configure initialization of AES, DRBG, MKEK, MKEK, status show the module the module HMAC, KAS IDEVID IDEVID (X) command. (Perform SSC (ECDH COID, DPE- COID, DPEapproved Configure the Key Pair), KEK, PKIX- KEK, PKIX- Event Log security module settings, CVL, RSA KEK, KEK, (G) generation functions) Import #A3283 DRBG, ESV DRBG, ESV certificates over and Cert. #E23 Cert. #E23 Command SSH or the #A3284 [TLS SSPs: (W, X) response Console, Setup TLS Pre- [TLS SSPs: data path Master TLS Preencryption Secret, TLS Master Approved modem, HTTPS Master Secret, TLS mode keys etc. Via Secret, TLS Master indication control / data Authentica Secret, TLS (command: input interface tion Key, Authenticatio “system (SGMII,console) TLS n Key, TLS environment Session Session Key, show” and Perform required Key, TLS TLS Public “system operations to Public key, key, TLS encryption enter Approved TLS Private Private key, show”) mode key, DH DH Public Public Key, Key, DH Configure DH Private Private Key, encryption PSK Key, ECDH ECDH Public or certificate Public Key, Key, ECDH ECDH Private Key Private Key ], (R, X, G) ] [SSH SSPs: SSH Session Public Material
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs [SSH SSPs: Authenticatio SSH n Key, SSH Session Encryption Authentica Key, SSH tion Key, Server Host SSH Key, SSH Encryption User Key, SSH Authenticatio Server n Public Key, Host Key, DH Public SSH User Key, DH Authentica Private Key, tion Public ECDH Public Key, DH Key, ECDH Public Key, Private Key DH Private ] (R, X, G) Key, ECDH Password, Public Key, DPE-CERT, ECDH DPE-CA, Private CUST-CERT Key] (W) Password, DPE-CERT, DPE-CA, CUSTCERT] Alarms, View and None None CO None Command status monitor active Response & Statistics alarms and (Show module status Approved Status) for diagnostic mode purposes indication (command: “system environment show”) View System View system AES, [TLS SSPs: CO [TLS SSPs: Status Logs (Show status messages, HMAC, TLS Pre- TLS Pre- Output via Status) events and ECDSA, Master Master SSH, Console provisioning logs KAS SSC Secret, TLS Secret, TLS or syslog locally or via (ECDH Key Master Master over TLS Syslog over TLS Pair), CVL, Secret, TLS Secret, TLS RSA. Authentica Authenticatio Public Material
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs #A3283 tion Key, n Key, TLS Approved and TLS Session Session Key, mode #A3284 Key, TLS TLS Public indication Public key, key, TLS (command: TLS Private Private key, “system key, DH DH Public environment Public Key, Key, DH show”) DH Private Private Key, Key, ECDH ECDH Public Public Key, Key, ECDH ECDH Private Key Private Key ] (G, R. X) ] or or [SSH SSPs: [SSH SSPs: SSH Session SSH Authenticatio Session n Key, SSH Authentica Encryption tion Key, Key, SSH SSH Server Host Encryption Key, SSH Key, SSH User Server Authenticatio Host Key, n Public Key, SSH User DH Public Authentica Key, DH tion Public Private Key, Key, DH ECDH Public Public Key, Key, ECDH DH Private Private Key Key, ECDH ] (G, R, X) Public Key, Or ECDH Password Private Key (W, X) ] Or Password Manage the Manage the ECDSA, PSK CO PSK (R) Log Encryption directly AES, DPE-CERT, DPE-CERT, generation Modem connected HMAC, KAS DPE-CA DPE-CA (R) (Perform Encryption SSC (ECDH Module approved Modem using Key Pair), Or Or Show security TLS 1.3 CVL command functions) PKIX-KEK PKIX-KEK (X) Public Material
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs Select PSK for #A3283 DPE-CERT, DPE-CERT, Approved DPE peer and DPE-CA DPE-CA (X,R) mode authentication #A3284 indication and provision the [ CP TLS [ CP TLS SSPs: (command: modem SSPs: TLS TLS Pre- “system Pre-Master Master environment or Secret, TLS Secret, TLS show”) Master Master Activate Secret, TLS Secret, TLS certificate peer Authentica Authenticatio authentication tion Key, n Key, TLS and provision the TLS Session Session Key, modem Over the Key, TLS TLS Public TLS 1.3 interface Public key, key, TLS TLS Private Private key, key, DH DH Public Public Key, Key, DH DH Private Private Key, Key, ECDH ECDH Public Public Key, Key, ECDH ECDH Private Key Private Key ] (X, R) ] LDEVID (W, LDEVID X) Perform Transfer ECDSA, [SSH SSPs: CO [SSH SSPs: Command Secure configuration file RSA, AES, SSH SSH Session Response Transfer or firmware HMAC, KAS Session Authenticatio (Perform image to the SSC (ECDH Authentica n Key, SSH Approved approved module Key Pair), tion Key, Encryption mode security CVL SSH Key, SSH indication functions) #A3283 Encryption Server Host (command: and Key, SSH Key, SSH “system #A3284 Server User environment Host Key, Authenticatio show”) SSH User n Public Key, Authentica DH Public tion Public Key, DH Key, DH Private Key, Public Key, ECDH Public DH Private Key, ECDH Key, ECDH Private Key Public Key, ] (G, R., X) Public Material
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs ECDH Password Private Key (W, X) ] Password Import/Instal Install customer ECDSA, [SSH SSPs: CO [SSH SSPs: Successful l Certificate certificates using RSA, AES, SSH SSH Session completion (Perform SSH HMAC, KAS Session Authenticatio of service approved SSC (ECDH Authentica n Key, SSH security Key Pair), tion Key, Encryption Approved functions) CVL SSH Key, SSH mode #A3283 Encryption Server Host indication and Key, SSH Key, SSH (command: #A3284 Server User “system Host Key, Authenticatio environment SSH User n Public Key, show”) Authentica DH Public tion Public Key, DH Key, DH Private Key, Public Key, ECDH Public DH Private Key, ECDH Key, ECDH Private Key Public Key, ] (G, R, X) ECDH CUSTCERT Private Key (W) ] CUSTCERT Import PSK Import PSK using ECDSA, [SSH SSPs: CO [SSH SSPs: Successful (Perform SSH RSA, AES, SSH SSH Session Completion approved HMAC, KAS Session Authenticatio of the service security SSC (ECDH Authentica n Key, SSH functions) Key Pair), tion Key, Encryption Approved CVL SSH Key, SSH mode #A3283 Encryption Server Host indication and Key, SSH Key, SSH (command: #A3284 Server User “system Host Key, Authenticatio environment SSH User n Public Key, show”) Authentica DH Public tion Public Key, DH Key, DH Private Key, Public Key, ECDH Public DH Private Key, ECDH Key, ECDH Private Key Public Material
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs Public Key, ] (R. G, X) ECDH PSK (W) Private Key ] PSK Activate PSK Activate a PSK AES DPE-KEK CO DPE-KEK (X) Command for DPE peer #A3283 PSK PSK (X, R) response authentication and via control / data #A3284 Log output interface generation (SGMII) Approved mode indication (command: “system environment show”) Zeroise
SP show”) Secure Activate and ECDSA, BAK-PW, CO BAK-PW, Log Backup perform RSA, AES, BAK-KEY, BAK-KEY (G, generation (Perform periodic backup HMAC, KAS [SSH SSPs: W, X), [SSH approved of the SSC (ECDH SSH SSPs: SSH Approved security CSPs or restore Key Pair), Session Session mode functions) CSPs from the CVL. Authentica Authenticatio indication secure backup #A3283 tion Key, n Key, SSH (command: and SSH Encryption “system #A3284 Encryption Key, SSH environment Key, SSH Server Host show”) Server Key, SSH Host Key, User SSH User Authenticatio Authentica n Public Key, tion Public DH Public Key, DH Key, DH Public Material
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs Public Key, Private Key, DH Private ECDH Public Key, ECDH Key, ECDH Public Key, Private Key ECDH ] (R. G, X), Private Key Password ], (W, X) Password Material part Material of backup: part of DPE-KEK, backup: X509-PW, DPE-KEK, PKIX-KEK, X509-PW, COID_PRIV, PKIX-KEK, LDEVID_PUB, COID_PRIV PSK, DPE, CERT, DPELDEVID_PU CA, CUSTB, PSK, CERT (R or DPE-CERT, W) DPE-CA, CUST-CERT Issue remote Send command ECDSA, [CP TLS CO [CP TLS SSPs: Successful CP to remote AES, SSPs: TLS TLS Pre- completion reauthentica node to initiate a HMAC, KAS Pre-Master Master of service tion reauthentication SSC (ECDH Secret, TLS Secret, TLS Command with the Key Pair), Master Master Approved (Perform CO via control CVL Secret, TLS Secret, TLS mode approved output interface #A3283 Authentica Authenticatio indication security (SGMII) and tion Key, n Key, TLS (command: functions) #A3284 TLS Session Session Key, “system Key, TLS TLS Public environment Public key, key, TLS show”) TLS Private Private key, key, DH DH Public Public Key, Key, DH DH Private Private Key, Key, ECDH ECDH Public Public Key, Key, ECDH ECDH Private Key Private Key ] (X) ] Public Material
Service Description Approved Keys Roles Access rights Indicator Security and/or to Keys Functions SSPs and/or SSPs Perform on Perform Self- ECDSA P- CPK CO, N/A Successful demand self- Tests on demand 521 SHA2- Unaut completion tests via module 512 horise of service (Perform restart d self-tests) Approved mode indication (command: “system environment show”) Factory Factory reset is N/A N/A CO, All SSPs (Z) Successful Reset available via a Unaut completion signal which horise of service zeroises all SSPs d and returns the Approved module to its mode initial state indication (command: “system environment show”) Table 8 – Approved Services In Approved mode, the module provides a limited number of services for which the operator is not required to assume an authorized role (see Table 8). None of the services listed in the table disclose cryptographic keys and CSPs or otherwise affect the security of the module. The module does not support any non-approved services. Self-initiated Cryptographic Output The module supports self-initiated cryptographic output in the context of two services, namely, the Manage the Encryption Modem and Secure Backup services. The module is designed to require the following two internal actions in support of the self-initiated cryptographic output: For the Manage the Encryption Modem service:
5. Software/Firmware Security The module uses ECDSA P-521 using SHA2-384 for integrity testing/verification. This is run at startup and on demand by reloading the module. The module also runs the self-tests for ECDSA Signature verification and SHA2-384 prior to running the integrity check. The Ciena signature public key (CPK) (256 bits; ECDSA P-521, #A3284) is used for ECDSA validation of all firmware. For firmware load test, the module runs ECDSA P-521 with SHA2-384 check. Please note that the module does not support complete image replacement, and the upgrade is considered a partial replacement since it is not replacing the entire firmware. Public Material
7. Physical Security The chassis of the multi-chip embedded cryptographic module are sealed with 3 tamper-evident seals, applied during manufacturing. The physical security of the module is intact if there is no evidence of tampering with the tamper-evident seal(s). Physical Security Mechanism Recommended Frequency of Inspection/Test Guidance Inspection/Test Details Tamper-evident seals Periodic inspection of tamper- If evidence of tamper is found, evident seals when the Cryptographic Officer is moving/replacing the module requested to follow their internal IT policies, which may include contacting Ciena for replacing the unit Table 9
Figure 5
8. Non-invasive Security This section is not applicable. The module does not implement any Non-invasive attack mitigation techniques. Public Material
9. Sensitive Security Parameter Management The module supports the following SSPs listed below in Table 10: Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number Base 256 AES GCM, N/A Loaded at N/A Stored in N/A Used for Key bits ECB the plaintext decrypting Encrypti 256 bits factory in the the on #A3283 CPU’s MKEK and Key Does not non- Ciena (BKEK) exit the readable, Device ID CSP module write once eFuse Master 256 AES GCM N/A Loaded at N/A Stored N/A Used for Key bits 256 bits the encrypted encrypting Encrypti #A3284, factory with the or on #A3283 BKEK in decrypting Key Does not non- DEK-KEK (MKEK) exit the volatile and PXIXCSP module memory KEK (NVM) Ciena 256 ECDSA P- N/A Loaded at N/A Stored N/A Used for Device bits 521 Sig the encrypted end point ID Ver factory with the authenticat private #A3284 BKEK in ion of key Does not non- TLS 1.3 to (iDevID- exit the volatile modem priv) module memory CSP (NVM) Ciena 256 ECDSA P- N/A Loaded at N/A Stored N/A Used for Device bits 521 Sig the encrypted end point ID Ver factory with the authenticat certifica #A3284 BKEK in ion of te Exits non- TLS 1.3 to (iDevID) the volatile modem PSP module in memory plaintext (NVM) Backup String AES-GCM N/A Input N/A RAM only Power Used to Passphr 128, 256 electronic cycle of derive the ase bits, ally over the BAK-KEY (BAK- AES - console module, PW) or SSH Secure Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number CSP CTR, 128, Erase via
256 bits, Never RTFD
#A3284, exits the command #A3284 module or HMAC-SH pushbutt A-256 on #A3284, KDF SSH Security 256 AES GCM, Generated Neither N/A Encrypted Secure Used for Backup bits ECB 256 by the input nor with DPE- Erase via encrypting encrypti bits module output KEK and RTFD optional on #A3284 using stored in command security key Hash approved non- or backup (BAK- DRBG DRBG and volatile pushbutt KEY) #A3284, PBKDF memory on CSP PBKDF (NVM) #A3284 CKG Data 256 AES-GCM Generated No Input N/A Encrypted Secure Used for Encrypti bits 256 bits by the Exits the with Erase via encrypting on #A3284 module at module in MKEK and RTFD DPE-PSK, Key Hash runtime optional stored in command COID_PRIV, (DPE- DRBG from security non- or BAK-KEY KEK) #A3284 approved backup, volatile pushbutt CSP CKG DRBG encrypted memory on with BAK- (NVM) KEY X509 128- Hash Generated Exits the Key Encrypted Secure Passphrase Passphr 256 DRBG by the module in transpor with PKIX- Erase via (X509-PW) ase bits #A3284 module at optional t KEK RTFD Used to runtime security (SSH) and command protect the (X509- Or from backup, stored in or private key PW) approved encrypted non- pushbutt of the CSP AES-GCM DRBG with BAK- volatile on X509 128, 256 KEY memory certificate bits, Or (NVM) AES CTR, 128, Imported
Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number #A3284, #A3284 HMAC-SH A-256 #A3284, KDF SSH X.509 256 AES CBC Generated No Input N/A Encrypted Secure Used to Key bits 256-bit by the with Erase via encrypt Encrypti key Module’s Exits the MKEK and RTFD the X509on #A3284 DRBG at module in stored in command PW Key Hash runtime optional non- or (Security (PKIX- DRBG security volatile pushbutt Manager) KEK) #A3284 backup, memory on CSP CKG encrypted with BAKKEY COID_P 256 HMAC- Generated No Input N/A Encrypted Secure Used for RIV bits SHA2-384 by the with Erase via end point CSP #A3284, module at Exits the DPEKEK, RTFD authenticat AES 256 runtime module in stored in command ion of bits GCM from optional non- or TLS 1.3 to #A3284, approved security volatile pushbutt modem ECDSA P- DRBG backup, memory on
#A3284, with BAKHash KEY and DRBG over TLS #A3284, 1.3 CKG COID_P 256 HMAC- Generated No Input N/A Plaintext Secure Used for UB bits SHA2-384 by the in Erase via end point PSP #A3284, module at Exits the non- RTFD authenticat AES 256 runtime module in volatile command ion of bits GCM from optional memory or TLS 1.3 to #A3284, approved security (NVM) in pushbutt modem ECDSA P- DRBG backup, PEM on
#A3284, Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number Hash with BAKDRBG KEY and #A3284, over TLS CKG 1.3 LDEVID_ 256 HMAC- N/A Enters N/A Stored in Secure Used for PUB bits SHA2-384 module plaintext Erase via end point PSP #A3284, electronic in non- RTFD authenticat AES 256 ally volatile command ion of bits GCM using TLS memory or TLS 1.3 to #A3284, 1.3 (NVM) in pushbutt modem ECDSA P- North- PEM on
#A3284, connectio CKG n Exits the module in optional security backup, encrypted with BAKKEY DPE Pre- String - SSH: N/A Imported N/A Encrypted Secure Used by Shared 256- AES-GCM via SSH with DPE- Erase via the Keys bit to 128, 256 electronic KEK and RTFD modem, (PSK) 2048- bits, ally stored in command only CSP bit AES - non- or stored on secret CTR, 128, Exits the volatile pushbutt the CP
#A3284, via TLS (NVM) #A3284 1.3 HMAC-SH electronic A-256 ally #A3284, KDF SSH or TLS 1.3: Exits the module in Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number HMAC- optional SHA2-384 security #A3284, backup, AES 256 encrypted bits GCM with BAK#A3284, KEY ECDSA P#A3284, CKG DPE 192, ECDSA Input Exits the N/A Stored in Secure Used for Custom 256 P-384, encrypted module plaintext Erase via remote er bits P-521 via SSH via TLS in non- RTFD device peer Enrollm #A3284, 1.3 volatile command authenticat ent Or electronic memory or ion Certifica SSH: ally pushbutt te AES-GCM Generated on (DPE- 128, 256 by the Or CERT) bits, module’s PSP AES - approved Exits the CTR, 128, DRBG module in
#A3284, security #A3284 backup, HMAC-SH encrypted A-256 with BAK#A3284, KEY KDF SSH TLS 1.3: HMACSHA2-384 #A3284, AES 256 bits GCM #A3284, Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number ECDSA P#A3284, CKG Or Hash DRBG #A3284 DPE 192 ECDSA N/A Input N/A Stored in Secure Used for Custom bits, P-384, encrypted plaintext Erase via modem er 256 P-512 via in non- RTFD remote Enrollm bits public SFTP/SCP volatile command device peer ent Key (SSH) memory or authenticat CA #A3284 electronic (NVM) pushbutt ion Certifica ally on te SSH: (DPE- AES-GCM Exits the CA) 128, 256 module PSP bits, via TLS AES - 1.3 CTR, 128, electronic
#A3284, optional #A3284 security HMAC-SH backup, A-256 encrypted #A3284, with BAKKDF SSH KEY TLS 1.3: HMACSHA2-384 #A3284, AES 256 bits GCM #A3284, ECDSA P#A3284, Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number CKG TLS Pre- 384- KDF TLS Generated Never N/A Stored in Power Establish Master bit 1.2 internally exits the plaintext cycle of the TLS Secret #A3284, by module in RAM the Master CSP KDF TLS module’s module, Secret
1.3 DRBG Secure
#A3284, during Erase via Hash session RTFD DRBG negotiation command #A3284 or pushbutt on TLS 384- KDF TLS N/A Never Derived Stored in Power Establish Master bit 1.2 exits the using plaintext cycle of the TLS Secret #A3284, module TLS Pre- in RAM the Session and CSP KDF TLS Master module, authenticat
1.3 Secret Secure ion Key
#A3284 during Erase via session RTFD negotiat command ion or pushbutt on TLS 256 or HMAC- N/A Neither Derived Stored in Power Used for Authent 384 SHA2- Input nor via KDF plaintext cycle of authenticat ication bits 256, Output defined in RAM the ing TLS Key HMAC- in module, communica CSP SHA2- SP800- Secure tion
384 135rev1 Erase via
#A3284, KDF (TLS RTFD KDF TLS 1.2) and command
#A3284 during pushbutt for TLS session on
ion HMACSHA2-384 Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number #A3284, KDF TLS 1.3 #A3284 for TLS 1.3 TLS 128- AES GCM N/A Neither Derived Stored in Power Used for Session 256 128/256- Input nor via KDF plaintext cycle of encrypting Key bits bit keys Output defined in RAM the the TLS CSP for TLS in module, communica
1.2 SP800- Secure tion
#A3284 135rev1 Erase via KDF (TLS RTFD AES CBC 1.2) and command 128/256- KDF TLS or bit keys 1.3 pushbutt for TLS during on
#A3284 negotiat ion AES 256bit GCM for TLS 1.3 #A3284 TLS TLS ECDSA P- Generated No Input N/A Stored in Power Used Public Public 256, P- as per plaintext cycle of during the key key 384, defined in exits in in RAM the TLS PSP PSP P-512 FIPS 186-4 plaintext module, handshake #A3284, and seed Secure process RSA generated Erase via 2048, by using RTFD 3072, module’s command
#A3284 pushbutt for TLS on 1.2 ECDSA P#A3284 Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number for TLS 1.3 CKG TLS 128- ECDSA P- Generated No Input N/A Stored in Power Used Private 256 256, P- as per plaintext cycle of during the key bits 384, P- defined in Never in RAM the TLS CSP 512 FIPS 186-4 exits module, handshake #A3284, and seed the Secure process RSA 2048, generated module Erase via 3072, by using RTFD
4096 bits module’s command
#A3284 DRBG or for TLS pushbutt
ECDSA P#A3284 for TLS 1.3 CKG SSH 256 HMAC- N/A Neither Derived Stored in Power It is used to Session bits SHA2- Input nor via key plaintext cycle of authenticat Authent 256, Output derivati in RAM the e all ication #A3284 on module, SSH data Key HMAC- function Secure traffic CSP SHA2- defined Erase via between
512 in RTFD the SSH
#A3284 SP800- command Client and 135rev1 or SSH KDF pushbutt Server (SSH) on SSH 128 AES-GCM N/A Neither Derived Stored in Power It is used to Encrypti and 128, 256 Input nor via key plaintext cycle of encrypt all on Key 256 bits, Output derivati in RAM the SSH data CSP bits AES - on module, traffic CTR, 128, function Secure between
256 bits, defined Erase via the SSH
#A3284, RTFD Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number #A3284 in command Client and HMAC-SH SP800- or SSH A-256 135rev1 pushbutt Server #A3284, KDF on KDF SSH (SSH) SSH 112 RSA 2048, Generated Never N/A Stored in Secure Used to Server bits, 3072, as per exits the plaintext Erase via identify the Host 128 4096 bits defined in module in NVM RTFD host Key bits, #A3284 FIPS 186-4 command CSP 152 and seed or bits for ECDSA P- generated pushbutt RSA 256, P- by using on 384, module’s P-521 DRBG 128, #A3284
bits for CKG ECDSA Imported Hash via SSH DRBG #A3284 Or AES-GCM 128, 256 bits, AES-CTR, 128, 256 bits #A3284 SSH 112- RSA 2048, N/A Imported N/A Stored in Secure Used for User 256 3072, in plaintext Erase via key based Authent bits 4096 Plaintext in NVM RTFD ication #A3284 command Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number Public Never or SSH Key ECDSA P- exits the pushbutt authenticat PSP 256, P- module on ion 384, PP-521 #A3284 DH 112 2048-bits Generated Exits the Establis Stored in Power Public Public bits KAS-FFC- Per SP800- module in hed per plaintext cycle of key used Key SSC 56arev3 plaintext SP800- in RAM the for PSP #A3284 and seed is 56Arev3 module, establishin Hash generated Secure g TLS DRBG by the Erase via /SSH #A3284 module’s RTFD sessions CKG DRBG command or pushbutt on DH 112 2048-bits Generated Never Establis Stored in Power Private Private bits KAS-FFC- Per SP800- exits hed per plaintext cycle of key used Key SSC 56arev3 the SP800- in RAM the for CSP #A3284 and seed is module 56Arev3 module, establishin Hash generated Secure g TLS DRBG by the Erase via /SSH #A3284 module’s RTFD sessions CKG DRBG command or pushbutt on ECDH 128- KAS-ECC- Generated Private Establis Stored in Power Public key Public 256 SSC, P- Per SP800- Key: hed per plaintext cycle of used for Key bits 256, P- 56Arev3 Never SP800- in RAM the establishin PSP 384, P- and seed is exits 56Arev3 module, g TLS
521 generated the Secure /SSH
#A3284 by the module Erase via sessions Hash module’s RTFD DRBG DRBG Public command #A3284 Key: Exits or CKG the pushbutt module in on plaintext Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number ECDH 128- KAS-ECC- Generated Never Establis Stored in Power Private Private 256 SSC, P- Per SP800- exits hed per plaintext cycle of key used Key bits 256, P- 56Arev3 the SP800- in RAM the for CSP 384, P- and seed is module 56Arev3 module, establishin
521 generated Secure g TLS
#A3284 by the Erase via /SSH Hash module’s RTFD sessions DRBG DRBG command #A3284 or CKG pushbutt on DRBG 440 ESV Cert. Generated Neither N/A Stored in Power Used for Seed bits #E23 internally input nor plaintext cycle of random CSP using output in RAM the number entropy module, generation input Secure Erase via RTFD command or pushbutt on Entropy 256 ESV Cert. Generated Neither N/A Stored in Power Used for Input bits #E23 internally input nor plaintext cycle of random CSP using output in RAM the number ESV Cert. module, generation #E23 Secure Erase via RTFD command or pushbutt on DRBG C 440 Hash Generated N/A N/A Stored in Power Used for CSP bits DRBG internally plaintext cycle of random #A3284 using the in RAM the number approved module, generation NIST Secure SP800- Erase via 90Ar1 RTFD DRBG command Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number or pushbutt on DRBG V 440 Hash Generated N/A N/A Stored in Power Used for CSP bits DRBG internally plaintext cycle of random #A3284 using the in RAM the number approved module, generation NIST Secure SP800- Erase via 90Ar1 RTFD DRBG command or pushbutt on DRBG 256 Hash Generated N/A N/A Stored in Power Used for Output bits DRBG internally plaintext cycle of random CSP #A3284 using the in RAM the number approved module, generation NIST Secure SP800- Erase via 90Ar1 RTFD DRBG command or pushbutt on Custom 112, RSA 2048, Input Never N/A Stored Secure Used to er 128, 3072, encrypted exits the encrypted Erase via establish Enrollm 152 4096 via SSH module with PKI RTFD identity ent bits for #A3284 XKEK command prior to a Certifica RSA Or in non- or TLS session te ECDSA P- volatile pushbutt (Syslog (CUST- 128, 256, P- Generated memory on over TLS) CERT) 192, 384, internally PSP 152 P-521 using bits for #A3284 the ECDSA Approved AES-GCM DRBG 128, 256 bits, AES Public Material
Key/SSP Stren- Security Generation Import/ Establis Storage Zeroisatio Use & Name/ gth Function Export h-ment n related Type and Cert. keys Number CTR, 128,
#A3284, #A3284 HMAC-SH A-256 #A3284, KDF SSH Or Hash DRBG #A3284 Passwor 8-128 SHA2-512 N/A Input by N/A Stored in Secure Used to d ASCII #A3284 the a salted Erase via authenticat CSP charac operator hashed RTFD e the ters, (SHA2- command CO
512 Does not 512) form or
bits exit the in non- pushbutt module volatile on memory (file system) Table 10
Entropy sources Minimum number of bits of Details entropy ESV Cert. #E23 0.73 bits of entropy per bit The module supports the use of Infineon Trusted Platform Infineon Trusted Platform Module 2.0 SLB 9672 Entropy Module 2.0 SLB 9672 Entropy Source (Ring Oscillator based Source as an ESV Cert. #E23 noise source) approved entropy source; The noise source is the root of security for the entropy source and for the RNG as a whole; This is the component, which contains the nondeterministic, entropy-providing activity that is ultimately responsible for the uncertainty associated with the bit-strings output by the entropy source; If this component fails, no other mechanism in the RNG can compensate for the lack of entropy The entropy source contains a noise source, which includes a bias compensator, an entropy estimator (online health test), and a post‐processing algorithm (conditioning algorithm); The noise source makes use of two resetting ring oscillators, a fast oscillator and a slow oscillator; The fast oscillator is sampled using a frequency divided (prescaled) version of the slow oscillator. These oscillators are reinitialized each time a new raw bit is requested, and only run until the requested bit is produced Table 11
AES-GCM 256-bit KAT (Decrypt) Transition Count Health Test on noise source: This test covers both RCT and APT test implementations. The test is implemented per the details of SP800-90B section 4.5 developer defined health tests. c. Conditional pairwise-consistency test: Whenever an RSA and ECDSA key pair of any valid size is generated on the module (RSA and/or ECDSA key pairs for use in signature generation/verification and ECDSA key pairs for use in SSP agreement), before the operation is completed and the keys are made available for use to the operator, a pairwise consistency test is executed on the key pair. d. Conditional firmware load test: When firmware is updated on the module, the update image must be validated before the underlying firmware on the device is updated. This is accomplished through an ECDSA P-521 with SHA2-384 signature validation on the update image. The CASTs for the cryptographic algorithms used to perform the Approved integrity technique, ECDSA P-
521 SHA2-384 KATs, occur before the integrity test. The respective Conditional cryptographic algorithm
self-tests (CAST) are run prior to the first use of each algorithm for the cryptographic operations. Preoperational self-tests can be performed on demand by reloading the module. Conditional self-tests can be performed by invoking the corresponding cryptographic functionality of the module. Upon the failure of any pre-operational self-test and the cryptographic algorithm self-tests, the module goes into “Hard Error” state and disables all access to cryptographic functions and SSPs. A permanent error status will be relayed via the status output interface. The module returns the error indicator/message "Error Validating image" for a failure in the firmware integrity test and "FIPS Self-Test Suite: self-test failure for <algorithm> (forced)" in case of failures triggered in the CASTs. Upon failure of the firmware load test, the module enters “Soft Error” state. The soft error state is a nonpersistent state wherein the module resolves the error by rejecting the loading of the new firmware. Upon rejection, the error state is cleared, and the module resumes its services using the previously loaded firmware. If the module encounters an error in Pairwise Consistency tests, the module re-generates the key pair and performs the test again until it is passed. If the error condition is not cleared, then the module is considered to be malfunctioning and should be returned to Ciena. Public Material
a. Life-cycle Assurance Ciena uses Git software for the management of source code artifacts and SharePoint for hardware and documentation version control. The module is developed using high level programming languages C, C++ and Python. The module is always delivered via commercial bounded carrier. The shipment will contain a packing slip with the serial numbers of all shipped devices. Prior to deployment the receiver shall verify that the hardware serial numbers match the serial numbers listed in the packing slip. The module is shipped from the factory with the required physical security mechanisms (tamper-evident labels, metal covers and PCB layers) installed. The CO must perform a physical inspection of the unit for signs of damage and to ensure that all physical security mechanisms are in place. Additionally, the CO should check the package for any irregular tears or openings. If damage is found or tampering is suspected, the CO should immediately contact Ciena. The end of life for the module meets the ISO/IEC 19790 requirements. The sanitization requirements are met by zeroising the module using Secure Erase via RTFD command or pushbutton. The following steps must be followed by the CO to place the module in Approved mode of operation. Please note that the module does not support a non-approved mode of operation. The module is shipped to the customers in default state and the following steps must be used by the CO to place the module in Approved mode of operation.
and configure the module via the console port or SSH. The CO is responsible for configuring, maintaining, and monitoring the status of the module to ensure that the module is in Approved mode of operation. No additional maintenance requirements apply for the module. For additional details regarding the management of the module, please refer to Ciena’s User’s Guide and Technical Practices document. Public Material
b. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any other attacks. Public Material
End of Document Public Material