New Features and Enhancements
Thales Group has introduced many new features and enhancements to SafeNet Luna Network HSM 7 since the initial release, as described below.
>SafeNet Luna Network HSM Release 7.4
>SafeNet Luna Network HSM Release 7.3
>SafeNet Luna Network HSM Release 7.2
>SafeNet Luna Network HSM Release 7.1
>SafeNet Luna Network HSM Release 7.0
Luna HSM Client 10.2.0
New Luna HSM Client Operating System Support
Luna HSM Client 10.2.0 can be installed on the following new operating systems:
>Windows Server Core 2016/2019
>Red Hat Enterprise Linux 8 (including variants like CentOS 8)
>AIX 7.2
Support for New Mechanisms in Luna HSM Firmware 7.4.2
Luna HSM Client 10.2.0 includes support for Luna HSM firmware 7.4.2 mechanisms.
>3GPP Mechanisms for 5G Mobile Networks
Luna HSM Firmware 7.4.2
This release adds support for 3GPP, SM2/SM4, and SHA-3 cryptographic functions to SafeNet Luna Network HSMs. It consists of:
>Luna HSM firmware 7.4.2
>Luna HSM Client 7.4.0 software patch
3GPP Cryptography for 5G Mobile Networks
The new 3GPP crypto functions support the authentication and re-synchronization of a mobile device to the back-end authentication center (AUC). Milenage, Tuak and Comp128 algorithms are available and are relevant to 2/2.5G, 3G, 4G(LTE) and newer 5G mobile networks. The primary benefit of using the Luna HSM ensures that the subscribers key (Ki) is never exposed in the clear outside the security perimeter of a hardware security device. Optionally the Operators Variant string (OP) may also be encrypted under a storage key only found inside the HSM.
See 3GPP Mechanisms for 5G Mobile Networks.
SM2/SM4 Support
SM2 is comparable to Elliptic Curve (EC) in terms of key structure though the signing algorithm is different. SM2 is required for sign/verify. There is a new key type CKK_SM2. SM4 is comparable to Advanced Encryption Standard (AES-128) in terms of key size though the encryption algorithm is different. SM4 is required for encrypt/decrypt (modes ECB, CBC, CBC-PAD). There is a new key type CKK_SM4.
See SM2/SM4 Mechanisms.
SHA-3 Function Support
This provides a guide to using the SHA-3 crypto functions in the Luna HSM. The SHA-3 implementation conforms to the NIST publication FIPS PUB 202. The SHA-3 hash algorithm has been implemented in the K7 FW. This provides the ability to send message data to the Luna HSM in order to receive the SHA-3 digest of the data. The algorithm is implemented for digest bit lengths of 224, 256, 384 and 512 similar to the SHA-2 family of hash algorithms. Other mechanisms that make use of a digest include support for SHA-3 by either specifying the mechanism type or specifying mechanism parameters.
See SHA-3 Mechanisms.
Luna HSM Client 10.1.0
This release consists of:
>Luna HSM Client 10.1.0
Luna HSM Client 10.1 Supports Both Luna HSMs and DPoD HSM on Demand Services
Luna HSM Client can now be used with HSM on Demand services provided by SafeNet Data Protection on Demand. This allows you to migrate keys from a password-authenticated Luna HSM partition to an HSMoD service or vice-versa, set up High-Availability (HA) groups that include both password-authenticated Luna partitions and HSMoD services, and operate your local (Luna PCIe), remote (Luna Network), and cloud (HSMoD) HSM solutions on the same client workstation.
HSMoD client compatibility is limited to Windows and Red Hat Enterprise Linux 7-based operating systems in this release.
Refer to the following sections:
>Adding a DPoD HSM on Demand Service
>Cloning Keys Between Luna 6, Luna 7, and HSM on Demand
G7-based SafeNet Luna Backup HSM
Thales is pleased to announce the availability of the G7-based SafeNet Luna Backup HSM – a full-featured, hand-held, USB-attached backup HSM that includes an informational full-color display. You can use the SafeNet Luna Backup HSM to backup your Luna HSM 5.x, 6.x, and 7.x user partitions. The SafeNet Luna Backup HSM connects easily to a client workstation using the included USB 3.0 Type C cable, and includes a universal 5V external power supply, which may be required to power the device in some instances. NOTE The smart card slot located at the bottom front of the unit is reserved for future use and has been disabled in this release. For detailed usage instructions, see Backup and Restore Using a G7-Based Backup HSM. |
Models
The G7-based SafeNet Luna Backup HSM is available in the following models. All models can be initialized in PED or password-authenticated mode for backing up either PED or password authenticated partitions. In-field storage upgrades are not available.
B700 | 32 MB storage. Up to 100 partitions of the same authentication type. |
B750 | 128 MB storage. Up to 100 partitions of the same authentication type. |
To use the G7-based SafeNet Luna Backup HSM, you must upgrade to Luna HSM Client 10.1, a client-only field update for Linux and Windows. Luna HSM Client 10.1 provides the drivers and software updates you need to use the G7-based SafeNet Luna Backup HSM.
Remote PED Support on Linux
You can now host Remote PED services on a Linux workstation.
See Remote PED Setup.
Client Certificates Signed by a Trusted Certificate Authority
Luna HSM Client 10.1 allows you to use client certificates signed by a trusted Certificate Authority (CA), which can be a commercial third-party CA or your organization's own signing station.
See Creating an NTLS Connection Using a Client Certificate Signed by a Trusted Certificate Authority.
Windows Secure Boot Support
The drivers included with the Luna HSM Client software for Luna PCIe HSMs, Luna Backup HSMs, Luna USB HSMs, and Luna PEDs now support Windows Secure Boot.
SafeNet Luna Network HSM Release 7.4
This release consists of:
>Luna HSM Client 7.4.0
>SafeNet Luna Network HSM appliance software 7.4.0
>Luna HSM firmware 7.4.0
Functionality Modules
SafeNet Luna Network HSM 7.4 introduces Functionality Modules (FMs). FMs consist of your own custom-developed code, loaded and operating within the logical and physical security of a SafeNet Luna Network HSM as part of the HSM firmware. FMs allow you to customize your SafeNet Luna Network HSM's functionality to suit the needs of your organization. Custom functionality provided by your own FMs can include:
>new cryptographic algorithms, including Quantum algorithms
>security-sensitive code, isolated from the rest of the HSM environment
>keys and critical parameters managed by the FM, independent from standard PKCS#11 objects, held in tamper-protected persistent storage
To create FMs, you will need the Functionality Module Software Development Kit (SDK), which is included with the Luna HSM Client software. Applications that use FM functions are supported on Windows and Linux.
CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset.
See About the FM SDK Programming Guide and Functionality Modules for details and procedures.
View Utilization Metrics by Partition
Release 7.4 allows you to view utilization metrics for an individual partition or a specified list of partitions.
See Partition Utilization Metrics for details.
Ed25519ph Curve
SafeNet Luna Network HSM firmware version 7.4.0 includes support for the ed25519ph curve variant.
See CKM_EDDSA for details.
SafeNet Luna Network HSM Release 7.3
This release consists of:
>Luna HSM Client 7.3.0
>SafeNet Luna Network HSM appliance software 7.3.0
>Luna HSM firmware 7.3.0
Appliance Re-Image
SafeNet Luna Network HSM 7.3 allows you to re-image the appliance to a pre-installed baseline version. This procedure formats the SafeNet Luna Network HSM file system, zeroizes the HSM, erases the appliance configuration, and resets the appliance software to Luna 7.2 and the HSM firmware to version 7.0.3. This capability is useful if you are re-purposing an HSM for a project that has standardized on an earlier software/firmware configuration, or if you need to format the appliance completely and remove all trace of its prior configuration (requires firmware 7.3.0).
See Re-Imaging the Appliance to Factory Baseline.
Partition Utilization Metrics
SafeNet Luna Network HSM 7.3 allows the HSM SO to access utilization records for all partitions on the HSM. This information is restricted to operation counts, and shows which partitions are using the HSM's resources. Information about which keys are being used for which operation is still restricted to the Auditor (requires firmware 7.3.0).
See Partition Utilization Metrics.
BIP32 Algorithm
SafeNet Luna Network HSM 7.3 includes new mechanisms that use the BIP32 cryptographic algorithm. This allows SafeNet Luna Network HSM to support applications that use Hierarchical Deterministic Wallets, used in Bitcoin and blockchain transactions (requires firmware 7.3.0).
JavaSP support for ECC Curve 25519
The SafeNet Java Provider now includes support for mechanisms using ECC Curve 25519.
SafeNet Luna Network HSM Release 7.2
This release consists of:
>Luna HSM Client 7.2.0
>SafeNet Luna Network HSM appliance software 7.2.0
>Luna HSM firmware 7.2.0
10 Gbps Optical NIC SafeNet Luna Network HSM Support
Thales is pleased to announce the availability of the 10 Gbps optical NIC SafeNet Luna Network HSM. This product variant provides two 10G optical network interfaces and two 1G copper network interfaces, as opposed to the standard 1G model which provides four 1G copper network interfaces.
The 10G SafeNet Luna Network HSM provides two 10G SFP optical Ethernet network interfaces (labeled 0 and 1), and two 1G copper RJ45 network interfaces (labeled 2 and 3), as illustrated below. You can optionally bond eth0 and eth1 to bond0, or eth2 and eth3 to bond1, to provide a redundant active/standby virtual interface.
Improved Luna HSM Client
Release 7.2 adds improvements to the Luna HSM Client software:
>Enhanced Version Compatibility for Luna HSM Client — Version 7.2 and newer Luna HSM Client can be used with HSMs running Luna 6.2.1 or higher, or any Luna 7 version, without conflict. Luna HSM Client 7.2 and newer versions can coexist in large deployments. You can schedule client roll-outs at your convenience, without need to match versions across your organization. Future HSM features that do not have client-version dependencies will function without issue.
>Mixed-Version HA Groups — HA groups containing both SafeNet Luna Network HSM 6 and 7 partitions are now supported using Luna HSM Client 7.2 or newer. This mixed-version configuration is useful for migrating keys to a new SafeNet Luna Network HSM 7, or to gradually upgrade your production environment from Luna 6 to Luna 7.
>Improved Client Installer with User-Defined Install Paths (Windows) — Luna HSM Client can be installed at user-selected locations (file paths with sufficient space), and installed Client software can be modified without uninstalling and reinstalling.
>User-Defined Client Install Paths (Linux) — Linux root-level users can install the Luna HSM Client software to an installation directory of their choice.
>Minimal Client (Linux) — The SafeNet Luna Minimal Client for Linux provides only the files needed to use an application with a partition on a SafeNet Luna Network HSM for deployment in Docker containers and similar microservice environments. The Luna Minimal Client can be installed on a workstation without root access.
Configurable Cipher Suites
You can now configure the TLS cipher suites used by NTLS, STC, and PEDserver on the SafeNet Luna Network HSM. This new capability allows administrators to select and configure cipher strength to meet their internal security objectives and compliance requirements.
The cipher suites are configured using the new sysconf tls cipher LunaSH commands. The available set of ciphers is displayed in default order. Users can choose which ciphers from the set to use, as well as the order of preference for TLS cipher-suite negotiation. The modified cipher list and order can also be exported as a template; the template can then be used to configure TLS cipher suites on multiple HSMs.
Customizable System Logging
You can now customize local and remote system logging according to message severity. There is no limit on the number of remote logging servers you can add, and you can configure the severity level for each server and log type independently. For example, you could send all log entries produced by the appliance to one remote server, and only entries marked critical or higher to another. Storing only the most severe (infrequent) entries locally on the appliance can prevent the syslog directory from filling up over time.
Rename/ Relabel Partitions
The HSM SO can now change the name assigned to a partition on creation. This does not affect the label set by the Partition SO during initialization and is only visible in LunaSH. This allows partitions to be created ahead of time and renamed to something more suitable later, when they are allocated for a particular purpose (Requires firmware 7.2.0).
The Partition SO can now change the label of an initialized partition
Initialize the Orange RPV Key Remotely
You can now initialize the Remote PED Vector (orange key) using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before initializing the RPV. This optional method is useful if the HSM SO only has remote SSH access to the appliance. The HSM must be in a zeroized state (uninitialized), for security. Your firewall settings must allow an HSM-initiated Remote PED connection (Requires firmware 7.2.0).
Crypto User Can Clone Public Objects
The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication (Requires firmware 7.2.0).
Auto-Enabled HA Logging
Luna HSM Client now automatically enables HA logging, either when you create the first HA group, or when you update the Luna HSM Client to 7.2.0 and it detects a previously-configured HA group. If you manually turn HA logging off, logging is not auto-enabled for new HA groups.
SCP03 Encoding
The SCP03 encoding scheme, as defined in NIST SP 800-108, is now supported for Global Platform.
REST API 6.0
REST API 6.0 is included with the SafeNet Luna Network HSM 7.2 release. Customers who update their appliance software to version 7.2.0 will automatically receive the REST API 6.0 update. REST API 6.0 contains the following new features:
>Appliance Upgrade Management — Manage Thales Group Licensing Portal partition upgrade packs using REST API.
>Package and Firmware Update Management — Update, verify, list, and delete secure packages with REST API, including firmware updates.
>Multi-Part Upload Requests — Upgrade your HSMs via a single REST API call, improving performance and efficiency.
>Configurable REST API Users and Roles — Manage REST API users and roles (add, remove, modify, show, list) using REST API.
>Configurable REST API Access Control List -- Modify role access using REST API, by importing and exporting lists of available resources.
SafeNet Luna Network HSM Release 7.1
This release consists of:
>Luna HSM Client 7.1.0
>SafeNet Luna Network HSM appliance software 7.1.0
>Luna HSM firmware 7.1.0
Policy Templates
The HSM or Partition SO can save a copy of their organization's preferred HSM or partition policy settings to a template. They can then use this template to configure policy settings when initializing other HSMs or partitions.
This can save time and effort when deploying multiple HSMs or partitions. It also ensures consistency across your HSMs and partitions, which helps to simplify future audit and compliance requirements.
See Setting HSM Policies Using a Template and Setting Partition Policies Using a Template.
Configurable Policies for Export of Private Keys
The Partition SO can use partition policies to control whether or not the private keys in a given partition can be exported off the HSM. The ability to export private keys is particularly useful in use cases such as smart card & identity issuance, secure manufacturing, etc.
This gives organizations the ability to support a wider variety of use cases with their HSM, and also provides Partition SOs with more flexibility overall.
See Configuring the Partition for Cloning or Export of Private Keys.
Curve 25519 Available in FIPS Mode
Curve 25519 is now available for use in FIPS mode.
REST API 5.0
REST API 5.0 is included with the SafeNet Luna HSM 7.1 release. Customers who upgrade their appliance to 7.1 will automatically receive the REST API 5.0 update as part of the upgrade.
REST API provides a set of web services which customers can use to communicate with and provision the HSM.
See REST API Reference.
SafeNet Luna Network HSM Release 7.0
This release consists of:
>New SafeNet Luna Network HSM appliance
>Luna HSM Client 7.0.0
>SafeNet Luna Network HSM appliance software 7.0.0
>Luna HSM firmware 7.0.1
New SafeNet Luna Network HSM Appliance
The SafeNet Luna Network HSM 7 has a new chassis and offers enhanced installation, maintenance, security, and usability features, including the following:
>Optional sliding mounting rails provide simplified installation and improved access for performing maintenance tasks and accessing the network ports.
>A locking faceplate bezel restricts access to the front of the appliance for enhanced security.
>A new LCD display provides a quick view of the appliance network configuration and overall health.
>Four 1GB Ethernet interface ports with port bonding (eth0 and eth1 to bond0 and/or eth2 and eth3 to bond1), for redundancy and enhanced reliability.
See Appliance Hardware Functions.
Partition Security Officer
All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM
See Partition Roles.
Best-in-Class Performance
SafeNet Luna Network HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x SafeNet Luna HSMs.
Industry-Leading Security
SafeNet Luna Network HSM 7 provides enhanced environmental failure protection and tamper resistance.
Improved Random Number Generation
The performance of SafeNet Luna Network HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:
>SP800-90B
>SP800-90C
>BSI DRG.4
New Cryptographic Mechanism Support
SafeNet Luna Network HSM 7 adds support for the following cryptographic algorithms:
>SP800-108 HMAC (RSA & ECC)
>SP800-38F (KWP)
>Curve 25519
>AES-XTS - disk encryption standard
Increased Key Storage Capacity
SafeNet Luna Network HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).
Secure Transport Mode Redesigned
Secure Transport Mode (STM) in SafeNet Luna Network HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents, and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are redisplayed. If the strings match, the HSM has not been tampered or modified during transport.
REST API
The SafeNet Luna Network HSM REST API web application allows you to use a set of scriptable REST APIs to perform some LunaSH functions.
See REST API Reference.
IPv6
The SafeNet Luna Network HSM10.2 now supports IPv6, using static addressing, SLAAC, or DHCP.
See IPv6 Support and Limitations.
Improved Serial Access
Serial access to the SafeNet Luna Network HSM is via an RJ45 serial port. A custom Prolific Technologies USB to RJ45 cable with a standard 8P8C modular connector is included. The cable requires the PL2303 driver, which you can download from http://www.prolific.com.tw.
See Opening a Serial Connection.
Enable Decommission on Tamper
A new capability, Enable Decommission on Tamper, allows you to set HSM policy 40 to decommission the HSM in the event of a tamper.
See HSM Capabilities and Policies.
Controlled Tamper Recovery
If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation.
See Tamper Events.