Ciena Corporation Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module Hardware Version: 1.0 with PCB P/N NTK539QS-220 Firmware Version: 2.00 FIPS 140-2 Non-Proprietary Security Policy FIPS Security Level: 2 Document Version: 0.8 Prepared for: Prepared by: Ciena Corporation Corsec Security, Inc. 7035 Ridge Road 13921 Park Center Road Suite 460 Hanover, Maryland 21076 Herndon, VA 20171 United States of America United States of America Phone: +1 410 694 5700 Phone: +1 703 267 6050 www.ciena.com www.corsec.com FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Table of Contents 1. Introduction .........................................................................................................................................4 1.1 Purpose ...................................................................................................................................................4 1.2 References ..............................................................................................................................................4 2. WL3e Encryption Module ......................................................................................................................5 2.1 Overview .................................................................................................................................................5 2.2 Module Specification ..............................................................................................................................8 2.3 Module Interfaces ...................................................................................................................................9 2.4 Roles, Services, and Authentication..................................................................................................... 11 2.4.1 Authorized Roles ..................................................................................................................... 11 2.4.2 Services ................................................................................................................................... 11 2.4.3 Authentication ........................................................................................................................ 14 2.5 Physical Security................................................................................................................................... 15 2.6 Operational Environment .................................................................................................................... 16 2.7 Cryptographic Key Management ......................................................................................................... 17 2.8 EMI / EMC ............................................................................................................................................ 23 2.9 Self-Tests .............................................................................................................................................. 23 2.9.1 Power-Up Self-Tests................................................................................................................ 23 2.9.2 Conditional Self-Tests ............................................................................................................. 23 2.9.3 Critical Functions Tests ........................................................................................................... 24 2.9.4 Self-Test Failure Handling ....................................................................................................... 24 2.10 Mitigation of Other Attacks ................................................................................................................. 24 3. Secure Operation ................................................................................................................................ 25 3.1 Initial Setup .......................................................................................................................................... 25 3.2 Secure Management ............................................................................................................................ 26 3.2.1 Management........................................................................................................................... 26 3.2.2 Physical Inspection.................................................................................................................. 26 3.2.3 Monitoring Status ................................................................................................................... 26 3.2.4 Zeroization .............................................................................................................................. 26 3.3 User Guidance ...................................................................................................................................... 27 4. Acronyms ........................................................................................................................................... 28 List of Tables Table 1 – Security Level per FIPS 140-2 Section .........................................................................................................7 Table 2 – FIPS-Approved Algorithm Implementations ...............................................................................................8 Table 3 – Logical Interface Mapping........................................................................................................................ 11 Table 4 – Authorized Operator Services .................................................................................................................. 12 Table 5 – Additional Services ................................................................................................................................... 14 Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 2 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Table 6 – Authentication Mechanism ..................................................................................................................... 15 Table 7 – Cryptographic Keys, Cryptographic Key Components, and CSPs ............................................................. 18 Table 8 – Acronyms ................................................................................................................................................. 28 List of Figures Figure 1 – Module on Circuit Pack (Top View) ...........................................................................................................6 Figure 2 – Module on Circuit Pack (Bottom View) .....................................................................................................6 Figure 3 – Module Block Diagram ..............................................................................................................................7 Figure 4 – KM Mezzanine Connector ...................................................................................................................... 10 Figure 5 – ASIC Pin-Outs .......................................................................................................................................... 10 Figure 6 – Tamper-Evident Label Locations ............................................................................................................ 25 Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 3 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 1. Introduction 1.1 Purpose This is a non-proprietary Cryptographic Module Security Policy for the Ciena 6500 Flex3 WaveLogic 3e (WL3e) OCLD1 Encryption Module (hardware version: 1.0 with PCB part number NTK539QS-220; firmware version: 2.00). This Security Policy describes how the Ciena 6500 Flex3 WaveLogic 3e (WL3e) OCLD Encryption Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This document also describes how to run the module in a secure FIPS-Approved mode of operation. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module. The Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module is referred to in this document as the WL3e Encryption Module or the module. 1.2 References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:  The Ciena website (www.ciena.com) contains information on the full line of products from Ciena.  The CMVP website (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) contains contact information for individuals to answer technical or sales-related questions for the module. 1 OCLD – Optical Channel Laser and Detector Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 4 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 2. WL3e Encryption Module 2.1 Overview As network traffic demands and unpredictability grow, requirements for next-generation networks are rapidly increasing in scope. Ciena has developed its WaveLogic 3 coherent optical technology to help transport systems adapt and meet these requirements. Ciena’s customized solution, the 6500 Flex3 WaveLogic 3e OCLD Encryption Module with the WL3e chipset, provides the capacity and flexibility necessary to adapt to unpredictable service growth. The WL3e is a programmable chipset that provides four modulation schemes:  Extreme 16QAM2 – Provides double the capacity and spectral efficiency of 100Gb/s with 200Gb/s per wavelength for all applications.  Extreme QPSK 3 – Provides strong performance of 100 Gb/s per wavelength for most long-haul and transatlantic submarine distances; also provides enhanced non-linear mitigation for best performance alongside 10G channels. The WL3e is implemented as components on a circuit board. All traffic entering and exiting the circuit board (also called the “circuit pack”) is encrypted/decrypted at wire-speed using AES-256 Counter mode. To provide secure cryptographic services, the circuit pack contains the embedded 6500 Flex3 WL3e OCLD Encryption Module. The WL3e Encryption Module is composed of a Krypto Module (KM) daughtercard, an ASIC4, the PCB-embedded wire connections between them, and all associated physical security mechanisms (defined in Section 2.5 and illustrated in Section 3.1). The KM (part number NTK53926-501, including an aluminum enclosure) provides the certificate management, Crypto Officer (CO) and User authentication, peer authentication, and key derivation functions of the module. The ASIC (part number 077-0084-007) features two data path engines to encrypt/decrypt all Optical channel Data Unit (ODU) 4 traffic. The WL3e Encryption Module is part of the WaveLogic 3 Encryption OCLD circuit pack of the 6500 series Packet-Optical Platform. The module as it appears on the circuit pack can be seen in Figure 1, while Figure 3 provides the module’s block diagram. Both figures surround the module’s cryptographic boundary with a dotted red line. 2 QAM – Quadrature Amplitude Modulation 3 QPSK – Quadrature Phase Shift Keying 4 ASIC – Application-Specific Integrated Circuit Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 5 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Figure 1 – Module on Circuit Pack (Top View) Figure 2 – Module on Circuit Pack (Bottom View) Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 6 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Data Out (ciphertext) Data Out (plaintext) Status Out Status Out Control In Control In Data Out Data In WaveLogic 3 Processor Encryption OCLD Circuit Pack Backplane Decryptors Encryptors Memory (Flash, Krypto ASIC RAM, EEPROM) Module (KM) Embedded Wire Physical Link Connections Circuitry FPGAs Cryptographic Boundary Circuit Pack PCB Data In (plaintext) Data In (ciphertext) Acronyms 6500 Packet-Optical ASIC – Application-Specific Integrated Circuit Platform EEPROM – Electrically-Erasable Programmable Read-Only Memory FPGA – Field-Programmable Gate Array PCB – Printed Circuit Board RAM – Random Access Memory Figure 3 – Module Block Diagram The WL3e Encryption Module is validated at the FIPS 140-2 Section levels shown in Table 1. Table 1 – Security Level per FIPS 140-2 Section Section Section Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 3 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic Key Management 2 Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 7 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Section Section Title Level EMI/EMC5 8 2 9 Self-tests 2 10 Design Assurance 3 11 Mitigation of Other Attacks N/A 2.2 Module Specification The WL3e Encryption Module is a hardware module with a multiple-chip embedded embodiment. The module consists of two primary components: a KM enclosed in an aluminum enclosure and an ASIC mounted on the motherboard’s PCB and covered by a heatsink. These two components communicate via wire connections embedded beneath multiple PCB layers. The KM also contains integrated circuits, processors, Synchronous Dynamic Random Access Memory (SDRAM), flash memories (NOR6 and EEPROM), and FPGAs7. The overall security level of the module is 2. The cryptographic boundary of the WL3e Encryption Module surrounds the KM, ASIC, the portion of the PCB under which the connecting wire traces are embedded, and all physical security mechanisms described in Section 2.5. The WL3e Encryption Module implements the FIPS-Approved algorithms listed in Table 2 below. Table 2 – FIPS-Approved Algorithm Implementations Certificate Number Algorithm ASIC KM Firmware AES8-CTR9 mode with 256-bit keys #3602 - AES-ECB10 mode (encryption) with 256-bit keys #3602 - AES-CBC11 mode with 128, 192, and 256-bit keys - #3601 AES-GCM12 mode with 128 and 256-bit keys - #3601 Triple-DES13-CBC mode (3-key) - #2005 SHA14-1, SHA-256, SHA-384, and SHA-512 - #2963 SHA-384 #2964 - HMAC15 with SHA-1, SHA-256, SHA-384, and SHA-512 - #2298 5 EMI/EMC – Electromagnetic Interference / Electromagnetic Compatibility 6 NOR – Not Or 7 FPGA – Field Programmable Gate Array 8 AES – Advanced Encryption Standard 9 CTR – Counter 10 ECB – Electronic Code Book 11 CBC – Cipher Block Chaining 12 GCM – Galois/Counter Mode 13 DES – Data Encryption Standard 14 SHA – Secure Hash Algorithm 15 HMAC – (Keyed) Hash Message Authentication Code Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 8 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Certificate Number Algorithm ASIC KM Firmware NIST SP16 800-90A CTR_DRBG17 - #934 ECDSA18 PKG19 with NIST-defined P-curves P-224, P-256, P-384, and P-521 - #736 PKV20 ECDSA with NIST-defined P-curves P-192, P-224, P-256, P-384, and P-521 - #736 ECDSA signature generation with NIST-defined P-curves P-224 (SHA-256, 384, and 512), P-256 (SHA-256, 384, and 512), P-384 (SHA-256, 384, and 512), and P-521 (SHA- - #736 256, 384, and 512) ECDSA signature verification with NIST-defined P-curves P-192 (SHA-1, 256, 384, and 512), P-224 (SHA-1, 256, 384, and 512), P-256 (SHA-1, 256, 384, and 512), P-384 (SHA- - #736 1, 256, 384, and 512), and P-521 (SHA-1, 256, 384, and 512) ECDSA signature verification with NIST-defined P-curve P-384 with SHA-384 #737 - Section 4.2 TLS21 v1.2 (NIST SP 800-135) - #624 Section 4.1.1 IKE22 v1 (NIST SP 800-135) - #624 Section 4.1.2 IKE v2 (NIST SP 800-135) - #624 NOTE: The TLS and IKE protocols have not been reviewed or tested by the CAVP or CMVP. Additionally, the module implements the following algorithms that are allowed for use in a FIPS-Approved mode of operation:  Non-Deterministic Random Number Generator (NDRNG)  Elliptic Curve Diffie-Hellman23 with NIST-defined P-curve P-384 2.3 Module Interfaces The module’s design separates the physical ports into four logically distinct and isolated interface categories. They are:  Data Input Interface  Data Output Interface  Control Input Interface  Status Output Interface Data input/output consists of the data utilizing the services provided by the module. Control input consists of configuration or administration data entered into the module. Status output consists of signals output that are then translated into alarms, LED signals, and log information by the circuit pack. 16 SP – Special Publication 17 DRBG – Deterministic Random Bit Generator 18 ECDSA – Elliptic Curve Digital Signature Algorithm 19 PKG – Public Key Generation 20 PKV – Public Key Validation 21 TLS – Transport Layer Security 22 IKE – Internet Key Exchange 23 Caveat: EC Diffie-Hellman (key agreement; key establishment methodology provides 192 bits of encryption strength). Please see NIST Special Publication 800-131A for further details. Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 9 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 The physical ports and interfaces of the WL3e Encryption Module consist of the mezzanine connector and ASIC pin-outs, and are depicted in Figure 4 and Figure 5. Figure 4 shows the KM; Figure 5 shows the ASIC. Figure 4 – KM Mezzanine Connector Figure 5 – ASIC Pin-Outs Table 3 lists the physical ports and interfaces available in the WL3e Encryption Module, and provides the mapping from the physical ports and interfaces to logical interfaces as defined by FIPS 140-2. Interfaces are provided by both the KM and the ASIC. Note that the ASIC pins are categorized into the following groupings (with associated pin counts):  Backplane Data In (40 pins)  Backplane Data Out (40 pins)  Line Data In (8 pins)  Line Data Out (44 pins)  Control In (52 pins)  Status Out (59 pins)  Power In (342 pins) Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 10 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Table 3 – Logical Interface Mapping FIPS 140-2 Logical Interface Module Interface Data Input Interface KM mezzanine connector, ASIC Backplane Data In pins, ASIC Line Data In pins Data Output Interface KM mezzanine connector, ASIC Backplane Data Out pins, ASIC Line Data Out pins Control Input Interface KM mezzanine connector, ASIC Control In pins Status Output Interface KM mezzanine connector, ASIC Status Out pins Power Interface KM mezzanine connector, ASIC Power In pins The ASIC also includes the following pin groupings that, based upon their purpose, are not mapped into the FIPS logical interface categories:  General Purpose I/O24 pins (provide interfaces for pre-installation scan testing; unused once installed)  Internal Control/Status I/O pins (provide internal interfaces between module components)  Ground pins 2.4 Roles, Services, and Authentication The following sections described the authorized roles supported by the module, the services provided for those roles, and the authentication mechanisms employed. 2.4.1 Authorized Roles The module supports two authorized roles: a CO role and a User role. The CO and the User roles are responsible for module initialization and module configuration, including security parameters, key management, status activities, and audit review. The module offers two management interfaces:  MyCryptoTool Interface – used for security-related configuration and management of the module.  TCS Interface – used for non-security-related configuration and carrier provisioning of the module and also firmware loads. While operators must assume an authorized role to access most module services, there are a limited number of services for which the operator is not required to assume an authorized role. Operators explicitly assume both the CO and User role by a mutually-authenticated HTTPS/TLS session over MyCryptoTool using digital certificates. Operators explicitly assume the CO role over the TCS interface using a username and password credential in the form of a preshared HMAC-SHA-256 authentication string. 2.4.2 Services The services that require operators to assume an authorized role are listed in Table 4 below. Please note that the keys and Critical Security Parameters (CSPs) listed in Table 4 use the following indicators to show the type of access required: 24I/O – Input/Output Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 11 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016  R – Read: The CSP is read.  W – Write: The CSP is established, generated, modified, or zeroized.  X – Execute: The CSP is used within an Approved or Allowed security function or authentication mechanism. Table 4 – Authorized Operator Services Operator Service Description Input Output CSP and Type of Access CO User Initialize the   Initialize the module Command Status output None module Configure the Configure enterprise Command CA ECDSA Public Key – R/X Command   MKEK25 – R/X module using settings and Import and response KEK26 – R/X MyCryptoTool certificates parameters Monitor Monitor specific alarms   Command Status output None alarms for diagnostic purposes Manage data encryption BKEK29 – R/X certificate enrollment, DEK30 – R/W Manage data signing CA27 certificate Command Command MKEK – R/X   encryption information, trusted CA and response KEK – R/X certificate certificates; Import CA parameters CA ECDSA Public Key – R/X certificate and CRL28; Clear CSPs Manage web BKEK – R/X Command access Manage web access Command MKEK – R/X   and certificate and certificate and import CRL response KEK – R/X parameters import CRL CA ECDSA Public Key – R/X Show the system status, Show FIPS FIPS-Approved mode,   status and Command Status output None configuration settings, statistics and active alarms. View system status View system messages in historical   Command Status output None logs alarm log and provisioning log. Zeroize the keys and CSPs Please see the ‘Zeroization’ column in Table Zeroize using Command   listed in the ‘Zeroization’ Command 7 below. MyCryptoTool response column in Table 7 below Employ Encrypt or decrypt user Command MKEK – X encryption / Command   data, keys, or and DEK – X decryption response management traffic parameters TLS Session Key – X service 25 MKEK – Master Key Encryption Key 26 KEK – Key Encryption Key 27 CA – Certificate Authority 28 CRL – Certificate Revocation List 29 BKEK – Base Key Encryption Key 30 DEK – Data Encryption Key Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 12 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Operator Service Description Input Output CSP and Type of Access CO User Authenticate Command Authenticate Command TLS Authentication Key – X   management and management traffic response traffic parameters Generate Generate the asymmetric Command Module Data Path ECDSA Private Key – W asymmetric   key pair (ECDSA) for data and Key pair Module Data Path ECDSA Public Key – W key pair (data path encryption parameters path) Generate Command Module Web Access ECDSA Private Key – W asymmetric Generate the asymmetric   and Key pair Module Web Access ECDSA Public Key – W key pair (web key pair (ECDSA) parameters access) Generate Generate a signature for signature Command the supplied message Status, Module ECDSA Private Key – R/X   (Certificate and using specified key and signature Signing parameters ECDSA algorithm Request) Verify the signature on Command Verify the supplied message Module ECDSA Public Key – R/X   and Status signature using the specified key parameters and ECDSA algorithm Command Test the module during Command Perform device response and   operation; Monitor the and None diagnostics status via log module parameters and LEDs Upgrade the KM Upgrade KM Command Command application firmware  application and response and ECDSA Public Key – R/X using ECDSA signature firmware parameters status output verification Upgrade the KM FPGA Command Command Upgrade KM  using ECDSA signature and response and ECDSA Public Key – R/X FPGA verification parameters status output In FIPS-Approved mode, the module provides a limited number of services for which the operator is not required to assume an authorized role (see Table 5). None of the services listed in the table disclose cryptographic keys and CSPs or otherwise affect the security of the module. Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 13 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Table 5 – Additional Services Service Description Input Output CSP and Type of Access CO ECDSA Public key – R/X Authenticate Perform operator User ECDSA Public key – R/X operators to the Command Status output authentication CA ECDSA Public Key – R/X module Preshared Authentication String – R/X Perform peer Authenticate peer Command Status output Peer ECDSA Public key – R/X authentication devices to the module Zeroize the keys and Please see the ‘Zeroization’ column in CSPs listed in the Command Zeroize using TCS Command Table 7 below. ‘Zeroization’ column response in Table 7 below Perform Power-up Power button on Perform on- Self-Tests on demand the host system or Status output All plaintext keys and CSPs – W demand self-tests via module restart command Show the system Show system status, system status and statistics identification, and Command Status output None using TCS configuration settings of the module Configure and manage Configure the Response and the carrier Command None module using TCS status output provisioning 2.4.3 Authentication The module supports identity-based authentication. Module operators must authenticate to the module before being allowed access to services that require the assumption of an authorized role. The module authenticates an operator using digital certificates containing the public key of the operator. The authentication is achieved by initiating a TLS session and using digital certificates for mutual authentication. The process of mutual authentication provides assurance to the module that it is communicating with an authenticated operator. The strength calculation below provides minimum strength based on the public key size in the digital certificates. The module employs the authentication methods described in Table 6 to authenticate COs and Users. Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 14 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Table 6 – Authentication Mechanism Authentication Type Strength Public Key Certificates The module supports ECDSA digital certificate authentication of COs and Users during MyCryptoTool access. Using conservative estimates and equating the use of ECDSA with the P-384 elliptic curve to a 192-bit symmetric key, the probability for a random attempt to succeed is: 1:2192 or 1: 6.28 x 1051 which is less than 1:1,000,000 as required by FIPS 140-2. The fastest network connection supported by the modules over Management interfaces is 5 Mb/s31. Hence, at most (5 ×106 × 60 = 3 × 108 =) 300,000,000 bits of data can be transmitted in one minute. Therefore, the probability that a random attempt will succeed or a false acceptance will occur in one minute is: 1: (2192 possible keys / ((3 × 108 bits per minute) / 192 bits per key)) 1: (2192 possible keys / 1,562,500 keys per minute) 1: 4.02 × 1051 which is less than 1:100,000 within one minute as required by FIPS 140-2. Preshared Key The module supports the use of a preshared authentication string for the TCS interface accessing the module on behalf of the CO. An HMAC-SHA-256 operation with a 512-bit key is performed on the preshared authentication string. The 256-bit output value of HMAC-SHA- 256 will have an equivalent symmetric key strength of 128 bits, Using conservative estimates, the probability for a random attempt to succeed is: 1:2128 or 1: 3.40 × 1038 which is less than 1:1,000,000 (as required by FIPS 140-2). The module implements a 200 ms32 delay between authentication attempts yielding a rate of five attempts per second, or 300 attempts per minute. Given that an attacker will have, at most, 300 attempts in one minute, and there are 1: 3.40 × 1038 possibilities, the probability that a random attempt will succeed or a false acceptance will occur in one minute is: 1: 3.40 × 1038 / 300 attempts per minute 1: 1.13 x 1036 which is less than 1:100,000 within one minute (as required by FIPS 140-2). The module also performs authentication of peers using public key certificates, but the module does not provide any authenticated services to peers. 2.5 Physical Security All CSPs are stored and protected within the WL3e Encryption Module’s components using the following physical security mechanisms, which provide opacity and tamper evidence:  The wire connections that provide the communications path between the KM and the ASIC are embedded beneath multiple layers of the PCB (part number NTK539QS-220), preventing visual access. Any attempts to access or tamper with the embedded wires will damage the PCB layers, leaving visual evidence of the attempt.  The KM is enclosed in a hard aluminum casing (part number NTK53926-501) that is completely opaque within the visible spectrum. The enclosure is secured using two tamper-evident labels (part number 415- 31 Mb/s – Megabits Per Second 32 ms - millisecond Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 15 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 2424-001) applied at the factory; their locations can be seen in Figure 6. Any attempt to remove the tamper-evident labels will leave visual evidence of the attempt.  The ASIC is mounted on the motherboard’s PCB and covered by a heatsink (part number 410-7025-001), preventing any visibility of the component. The heatsink is affixed to the PCB using screws, and is protected using a steel security plate (part number 410-7023-001), and a tamper-evident label (part number 415-2424-001) as shown in Figure 6. Any attempt to defeat these mechanisms will result in physical damage to the module.  There are two plastic opacity rings (part number 420-2160-002) that surround the KM and ASIC’s PCB connection points that prevent visibility from a side angle. The opacity rings will break if a tamper attempt is made.  On the bottom of the PCB, a heat spreader (part number 410-6598-001) is affixed to prevent tamper attacks from the underside of the KM. The heat spreader is secured by a tamper-evident label (part number 415-2424-001) over the screw that holds the heat spreader in place. The location of heat spreader and tamper-evident label can be seen below in Figure 6. Any attempt to remove the tamper-evident label will leave visual evidence of the attempt. Any attempt the defeat the heat spreader will result in visible damage to the heat spreader. 2.6 Operational Environment The operational environment of the WL3e Encryption Module does not provide the module operator access to a general-purpose operating system (OS). The KM contains a Xilinx Zync 7020 (Xilinx XC7Z020) with Cortex A9 dual- core processor running an embedded Linux kernel in a non-modifiable operational environment. The Linux operating system on the KM is not modifiable by the operator, and only the KM firmware’s signed image can be executed. All KM firmware downloads are digitally signed, and a conditional self-test (ECDSA signature verification) is performed during each download. If the signature test fails, the new KM firmware is ignored and the current firmware remains loaded. Only FIPS-validated firmware may be loaded into KM to maintain the module’s validation. The ASIC contains an embedded ARM946E-S ARM33 processor with 128 KB34 of ITCM35, 128 KB of DTCM36, 8 KB of instruction cache, and 4 KB of data cache. Program and data storage is provided by 64 KB of ROM 37and 2 MB38 of RAM. The ASIC firmware is stored in ROM prior to being loaded into RAM. While the ASIC firmware is still in ROM, a 32-bit CRC check of the ROM bootloader is performed. If successful, the firmware is loaded into RAM. Immediately upon loading into RAM, an ECDSA signature verification test using NIST P-384 curve is performed on the firmware to ensure that the image has not been modified or corrupted in any way. Once loaded, the ASIC operating environment cannot be modified. 33 ARM – Advanced Reduced Instruction Set Computing (RISC) Machines 34 KB – Kilobytes 35 ITCM – Instruction Tightly Coupled Memory 36 DTCM – Data Tightly Coupled Memory 37 ROM – Read-Only Memory 38 MB - Megabytes Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 16 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 2.7 Cryptographic Key Management The module generates keys as described in example #1 of FIPS 140-2 Implementation Guidance 7.8. It uses the FIPS-Approved CTR_DRBG (as specified in SP 800-90A) to generate cryptographic keys and ECDSA key pairs. The DRBG is seeded from seeding material provided by a hardware-based NDRNG, which provides an entropy source and whitening circuitry to supply a uniformly-distributed unbiased random sequence of bits to the DRBG. Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 17 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 The module supports the CSPs listed below in Table 7. Table 7 – Cryptographic Keys, Cryptographic Key Components, and CSPs CSP CSP Type Generation / Input Output Storage Zeroization Use AES 256-bit key Preloaded at the factory Never exits the module Stored in plaintext in non- N/A Used for decrypting the Base Key Encryption Key readable, write once, non- MKEK stored in the module (BKEK) probe-able eFuse within in non-volatile memory the KM processor AES 256-bit key Preloaded at the factory Never exits the module Encrypted with the BKEK N/A Used for encrypting or Master Key Encryption and stored in non-volatile decrypting KEK. Key (MKEK) memory; Key Encryption Key (KEK) AES 256-bit key Generated internally Never exits the module Encrypted with MKEK and By command via Used for encrypting or stored in non-volatile MyCryptoTool and TCS decrypting private key of memory interface an entity key pair Data Encryption Key (DEK) AES 256-bit key Generated internally Never exits the module Stored in plaintext in RAM By session termination, Used for encrypting or reboot, power removal, or decrypting payload data command via between an authorized MyCryptoTool and TCS external entity and the interface module Initialization Vector (IV) 128-bit value For encryption: generated For encryption: exits the Stored in plaintext in RAM By session termination, Used with AES-GCM for internally (using an module in encrypted form reboot, power removal, or encrypting or decrypting Approved DRBG with a command via payload data between an cryptographically-strong MyCryptoTool and TCS authorized external entity entropy source) interface and the module For decryption: generated For decryption: never exits externally and enters the the module module in encrypted form Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 18 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 CSP CSP Type Generation / Input Output Storage Zeroization Use Preshared Authentication 256-bit value Preloaded at the factory Never exits the module Stored plaintext in non- N/A Used for authenticating a String volatile memory CO for the Firmware Load (embedded in code) service Generated internally during Never exits the module Used for exchanging IKEv2 ECDH39 Private 384-bit value Stored in plaintext in RAM By session termination, reboot, power removal, or shared secret to derive Component IKEv2 negotiation session keys during IKEv2 command via MyCryptoTool and TCS interface For the public component Used for exchanging IKEv2 ECDH Public 384-bit value For the public component Stored in plaintext in RAM By session termination, of the module: exits the reboot, power removal, or shared secret to derive Component of the module: generated module in plaintext session keys during IKEv2 internally during IKEv2 command via negotiation MyCryptoTool and TCS interface For the public component For the public component of a peer: generated of a peer: never exits the externally and enters the module module in plaintext Generated internally during Never exits the module Used with AES-GCM for IKEv2 Session Encryption AES 256-bit key Stored in plaintext in RAM By session termination, reboot, power removal, or encrypting/decrypting Key EC DH key negotiation IKEv2 messages command via MyCryptoTool and TCS interface Generated internally during Never exits the module Used for authenticating IKEv2 Session HMAC SHA-384 Stored in plaintext in RAM By session termination, reboot, power removal, or IKEv2 messages Authentication Key EC DH key negotiation command via MyCryptoTool and TCS interface 39 ECDH – Elliptic Curve Diffie-Hellman Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 19 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 CSP CSP Type Generation / Input Output Storage Zeroization Use Generated internally during Never exits the module Used with AES-GCM for TLS Session Key AES 128, 256-bit key Stored in plaintext in RAM By session termination, reboot, power removal, or encrypting/decrypting TLS session negotiation messages command via MyCryptoTool and TCS interface TLS Authentication Key Generated internally during Never exits the module Stored in plaintext in RAM By session termination, Used for authenticating TLS HMAC SHA-256, HMAC session negotiation reboot, power removal, or messages SHA-384 command via MyCryptoTool and TCS interface TLS Pre-Master Secret Generated internally during Never exits the module Stored in plaintext in RAM By session termination, Establish the TLS Master 384-bit random value session negotiation reboot, power removal, or Secret command via MyCryptoTool and TCS interface TLS Master Secret Stored in plaintext in RAM By session termination, Establish the TLS Session 384-bit random value Generated internally during Never exits the module reboot, power removal, or Key session negotiation command via MyCryptoTool and TCS interface Peer ECDSA Public Key Enters the module in Stored in plaintext in RAM By command via Used for peer device 384-bit key Never exits the module encrypted form MyCryptoTool and TCS authentication for IKE v2 interface communications CA ECDSA Public Key Enters the module in Stored plaintext in non- By command via Used for authenticating the 384-bit key Never exits the module encrypted form volatile memory MyCryptoTool and TCS operator interface CO ECDSA Public Key Enters the module in Stored in plaintext in RAM By command via Used for authenticating the 384-bit key Never exits the module encrypted form MyCryptoTool and TCS CO interface User ECDSA Public Key Enters the module in Stored in plaintext in RAM By command via Used for authenticating the 384-bit key Never exits the module encrypted form MyCryptoTool and TCS User interface Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 20 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 CSP CSP Type Generation / Input Output Storage Zeroization Use Module Data Path ECDSA Generated internally using Stored encrypted with By command via Used for peer device 384-bit key Never exits the module Private Key Approved DRBG; imported KEK in non-volatile MyCryptoTool and TCS authentication for IKE v2 in encrypted form memory interface communications Module Data Path ECDSA Generated internally using Stored plaintext in non- By command via Used for peer device 384-bit key Exits the module in Public Key Approved DRBG; imported volatile memory MyCryptoTool and TCS authentication for IKE v2 encrypted form in encrypted form interface communications Module Web Access Generated internally using Stored encrypted with By command via Used with certificates in 384-bit key Never exits the module ECDSA Private Key Approved DRBG; imported KEK in non-volatile MyCryptoTool and TCS mutual authentication in encrypted form memory interface Module Web Access Generated internally using Stored plaintext in non- By command via Used with certificates in 384-bit key Exits the module in ECDSA Public Key Approved DRBG; imported volatile memory MyCryptoTool and TCS mutual authentication encrypted form in encrypted form interface ECDH Private Component 384-bit value Generated internally during Never exits the module Stored in plaintext in RAM By session termination, Used for establishing HTTPS negotiation reboot, power removal, or HTTPS session for command via MyCryptoTool MyCryptoTool and TCS interface ECDH Public Component 384-bit value For the public component For the public component Stored in plaintext in RAM By session termination, Used for establishing of the module: generated of the module: exits the reboot, power removal, or HTTPS session for internally during HTTPS module in plaintext command via MyCryptoTool negotiation MyCryptoTool and TCS interface For the public component For the public component of a peer: enters the of a peer: never exits the module in plaintext module DRBG Seed 384-bit value Generated internally using Never exits the module Stored in plaintext in RAM By reboot, power Used for random number entropy input removal, or command via generation MyCryptoTool and TCS interface Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 21 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 CSP CSP Type Generation / Input Output Storage Zeroization Use Entropy Input String 512-bit value Generated internally using Never exits the module Stored in plaintext in RAM By power removal or Used for random number NDRNG command via generation MyCryptoTool and TCS interface Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 22 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 2.8 EMI / EMC The module was tested and found to be conformant to the EMI/EMC requirements specified by Title 47 Code of Federal Regulations, Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (i.e., for business use). 2.9 Self-Tests The module performs various self-tests (power-up self-tests, conditional self-tests, and critical function self-tests) on the cryptographic algorithm implementations to verify their functionality and correctness. 2.9.1 Power-Up Self-Tests The Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module performs the following self-tests at power-up to verify the integrity of the firmware images and the correct operation of the FIPS-Approved algorithms implemented in the module:  Integrity tests for the KM: o KM application firmware image (Zone A) using ECDSA signature verification o KM FPGA image (Zone A) using ECDSA signature verification o KM application firmware image (Zone B) using ECDSA signature verification o KM FPGA image (Zone B) using ECDSA signature verification  Integrity test for the ASIC: o ASIC firmware image using ECDSA signature verification  Cryptographic algorithm tests for all implementations of the following FIPS-Approved algorithms: o KM  AES Encryption Known Answer Test (KAT)  AES Decryption KAT  Triple-DES Encryption KAT  Triple-DES Decryption KAT  SHA-1 KAT  SHA-256, 384, 512 KAT  HMAC SHA-1 KAT  HMAC SHA-256, 384, 512 KAT  SP 800-90A CTR_DRBG KAT  ECDSA 186-4 Signature Generation Pairwise Consistency Test (PCT)  ECDSA 186-4 Signature Verification PCT o ASIC  AES Encryption KAT  AES Decryption KAT The power-up self-tests can be performed at any time by power-cycling the module or via TCS command. 2.9.2 Conditional Self-Tests The module implements the following conditional self-tests:  Continuous Random Number Generator Test (CRNGT) for the SP 800-90A CTR_DRBG  CRNGT for the NDRNG  ECDSA key pair generation and verification Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 23 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016  Firmware Load Test for the KM Application using ECDSA signature verification  Firmware Load Test for the KM FPGA using ECDSA signature verification 2.9.3 Critical Functions Tests The module performs the following critical functions tests:  SP 800-90 CTR_DRBG Instantiate Health Test  SP 800-90 CTR_DRBG Generate Health Test  SP 800-90 CTR_DRBG Reseed Health Test  SP 800-90 CTR_DRBG Uninstantiate Health Test 2.9.4 Self-Test Failure Handling Upon the failure of any power-up self-test (except the Zone A KM application firmware Integrity test, Zone B KM firmware integrity test, or the Zone B FPGA integrity test), conditional self-test (except the firmware load tests), or critical functions tests, the module goes into “Critical Error” state and disables all access to cryptographic functions and CSPs. All data outputs via data output interfaces are inhibited upon any self-test failure. A permanent error status will be relayed via the status output interface, which then is interpreted either in the illumination of an LED or as a recorded entry to the system log file or alarm history log file. During the integrity tests at start up, the module first checks the Zone A firmware image. If this test fails, the module transitions to the Zone A Soft Error state where it will forgo the Zone A FPGA self-test and proceed with the Zone B application firmware integrity and FPGA tests. If the Zone A firmware image passes the integrity check, the Zone A FPGA is checked. If the Zone A FPGA integrity check fails, the module transitions to the Critical Error state. If the Zone A FPGA integrity passes, the module checks the firmware and FPGA within Zone B. If the Zone B firmware integrity check fails, the module transitions to either the Critical Error state (if the Zone A firmware integrity check also failed) or the Zone B Soft Error state (if the Zone A application firmware integrity check passed). If the Zone B firmware integrity check passes, but the Zone B FPGA integrity check fails, the module transitions to a Zone B Soft Error state where a new firmware image can be loaded from the TCS interface followed by a reboot. Upon failure of the firmware load test, the module enters “Soft Error” state. The soft error state is a non-persistent state wherein the module resolves the error by rejecting the loading of the new firmware. Upon rejection, the error state is cleared, and the module resumes its services using the previously-loaded firmware. While the error state persists, the module replies to all cryptographic service requests with a pre-defined error message to indicate the current error status. The management interface does not respond to any commands until the module is operational. The module requires rebooting or power-cycling to come out of the error state and resume normal operations. In the case of a KM firmware or KM FPGA load corruption in Zone B that cannot be corrected by the TCS interface, the module will not be able to resume normal operation and the Crypto Officer should contact Ciena. 2.10 Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any other attacks. Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 24 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 3. Secure Operation The WL3e Encryption Module meets Level 2 requirements for FIPS 140-2. The following sections describe how to place and keep the module in FIPS-Approved mode of operation. 3.1 Initial Setup The module does not require any installation activities as it is delivered to the customer pre-installed on the circuit pack from the factory. Either the CO or the User can perform the Secure Operation responsibilities and tasks listed here; however, this Security Policy places this responsibility solely on the CO. The module is shipped from the factory with the required physical security mechanisms (tamper-evident labels, opacity rings, security plate, heatsink, PCB layers, and heat spreader) installed. After removing the circuit pack from the shipping package, but prior to use, the CO must perform a physical inspection of the unit for signs of damage. The CO must ensure that all physical security mechanisms are in place. Additionally, the CO should check the package for any irregular tears or openings. If damage is found or tampering is suspected, the CO should immediately contact Ciena. The KM is contained in a strong, hard metal enclosure, and is protected by two tamper-evident labels. The wire connections between the KM and ASIC are protected from view and from tampering by multiple PCB layers. The bottom of the PCB where the KM connects is protected using the heat spreader and tamper-evident label. The ASIC component of the module is protected by the installed heatsink and security plate, with one tamper-evident label over one of the screws. In total, the module requires four tamper-evident labels (see Figure 6 for the locations of the tamper-evident labels). 2 1 4 3 Figure 6 – Tamper-Evident Label Locations Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 25 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 The CO is responsible for the configuration the module, which includes configuring the data path parameters and certificates. The CO must install the web server certificate and at least one CA certificate in order for the module to be able to verify the submitted CO and User ECDSA Public Keys during TLS mutual authentication for the MyCryptoTool interface. Please refer to Chapter 4, “Provisioning Certificate Management using MyCryptoTool”, in Ciena’s User’s Guide and Technical Practices document for more information. Once the module’s web server certificate has been configured, the web server software will restart for the certificate change to take effect and begin enforcing TLS mutual authentication. When the web server has completed the restart process, the module operates only in FIPS-Approved mode of operation. At any point in time, the “FIPS mode” status of the module can be viewed using the MyCryptoTool interface. Once properly provisioned, the module will operate in FIPS-Approved mode of operation until it is decommissioned by the CO or the physical security is breached. 3.2 Secure Management The CO is responsible for maintaining and monitoring the status of the module to ensure that it is running in its FIPS-Approved mode. For additional details regarding the management of the module, please refer to Ciena’s User’s Guide and Technical Practices document. 3.2.1 Management When configured according to the CO guidance in this Security Policy, the module only runs in an Approved mode of operation. The CO is able to monitor and configure the module via MyCryptoTool. Detailed instructions for monitoring and troubleshooting the module are provided in the Ciena’s User’s Guide and Technical Practices document. 3.2.2 Physical Inspection As the labels are applied at the factory, the CO shall inspect the module to ensure that the labels are applied correctly. The CO shall inspect the module for evidence of tampering at six-month intervals. The CO shall visually inspect the tamper-evident labels for tears, rips, dissolved adhesive, and other signs of tampering. The CO shall also inspect the PCB, the KM component’s enclosure, and the ASIC’s heatsink, security plate, and tamper-evident label for any signs of damage. If evidence of tampering is found during periodic inspection, the Crypto Officer should send the module back to Ciena Corporation for repair or replacement. 3.2.3 Monitoring Status The Crypto Officer should monitor the module’s status regularly. The operational status of the module can be viewed using MyCryptoTool. At any point of time, the “FIPS mode” status of the module can be viewed by accessing the “Encryption Details”, “Data Encryption Certificate Management”, “Web Access Certificate Management”, “Active Alarms”, or “Historical Logs” web page of the MyCryptoTool interface. The line at the top of these pages indicates “FIPS mode” of the module. 3.2.4 Zeroization All ephemeral keys used by the module are zeroized on reboot, loss of power, session termination, or MyCryptoTool erasure. The “Clear CSP (Critical Security Parameter)” button on MyCryptoTool and the Zeroize Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 26 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 command via TCS also allows an operator to clear certificates’ public keys, private keys, and the KEK. The BKEK, MKEK and KEK CSPs reside in non-volatile memory. The other CSPs are stored in the volatile and non-volatile memories of the module. The zeroization of the KEK, which encrypts all other CSPs, renders all the other CSPs stored in non-volatile memory useless, thereby effectively zeroizing them. The zeroization of KEK renders asymmetric private keys inaccessible, thereby rendering them unusable. The only public key that is stored in a file is embedded in code and is used for verifying the integrity of the firmware load image files cannot be zeroized. 3.3 User Guidance The User shall follow all the instructions and guidelines provided for the Crypto Officer in Section 3 of this Security Policy document in order to ensure the secure operation of the module. Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 27 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 4. Acronyms Table 8 provides definitions for the acronyms used in this document. Table 8 – Acronyms Acronym Definition AES Advanced Encryption Standard ARM Advanced RISC Machine ASIC Application-Specific Integrated Circuit CA Certificate Authority CBC Cipher Block Chaining CMVP Cryptographic Module Validation Program CO Crypto Officer CRL Certificate Revocation List CRNGT Continuous Random Number Generator Test CSE Communications Security Establishment CSP Critical Security Parameter CTR Counter DEK Data Encryption Key DES Data Encryption Standard DH Diffie-Hellman DRBG Deterministic Random Bit Generator DTCM Data Tightly Coupled Memory ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EEPROM Electrically-Erasable Programmable Read-Only Memory EMC Electromagnetic Compatibility EMI Electromagnetic Interference FIPS Federal Information Processing Standard FPGA Field Programmable Gate Array Gb/s Gigabit Per Second GbE Gigabit Ethernet GCM Galois/Counter Mode HMAC (Keyed-) Hash Message Authentication Code HTTPS Hypertext Transfer Protocol Secure Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 28 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Acronym Definition I/O Input/Output ITCM Instruction Tightly Coupled Memory IKE Internet Key Exchange IV Initialization Vector KAT Known Answer Test KB Kilobyte KEK Key Encrypting Key KM Krypto Module LED Light Emitting Diode Mb/s Megabits per second MKEK Master Key Encrypting Key ms millisecond N/A Not Applicable NDRNG Non-Deterministic Random Number Generator NIST National Institute of Standards and Technology NOR Not Or OCLD Optical Channel Laser and Detector OS Operating System OTN Optical Transport Network OTR Optical Transponder PCB Printed Circuit Board PCT Pairwise Consistency Test PKCS Public-Key Cryptography Standard PKG Public Key Generation PKV Public Key Validity QAM Quadrature Amplitude Modulation QPSK Quadrature Phase Shift Keying RAM Random Access Memory RISC Reduced Instruction Set Computing ROM Read Only Memory SDRAM Synchronous Dynamic Random Access Memory SHA Secure Hash Algorithm SP Special Publication TLS Transport Layer Security WL3e WaveLogic 3 Extreme Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 29 of 31 FIPS 140-2 Non-Proprietary Security Policy, Version 0.8 July 28, 2016 Ciena 6500 Flex3 WaveLogic 3e OCLD Encryption Module ©2016 Ciena Corporation This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 30 of 31 Prepared by: Corsec Security, Inc. 13921 Park Center Road, Suite 460 Herndon, VA 20171 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com