New Features and Enhancements

Thales Group has introduced many new features and enhancements to SafeNet Luna PCIe HSM 7 since the initial release, as described below.

>Luna HSM Client 10.2.0

>Luna HSM Firmware 7.4.2

>Luna HSM Client 10.1.0

>SafeNet Luna PCIe HSM Release 7.4

>SafeNet Luna PCIe HSM Release 7.3

>SafeNet Luna PCIe HSM Release 7.2

>SafeNet Luna PCIe HSM Release 7.1

>SafeNet Luna PCIe HSM Release 7.0

Luna HSM Client 10.2.0

New Luna HSM Client Operating System Support

Luna HSM Client 10.2.0 can be installed on the following new operating systems:

>Windows Server Core 2016/2019

>Red Hat Enterprise Linux 8 (including variants like CentOS 8)

>AIX 7.2

Support for New Mechanisms in Luna HSM Firmware 7.4.2

Luna HSM Client 10.2.0 includes support for Luna HSM firmware 7.4.2 mechanisms.

>3GPP Mechanisms for 5G Mobile Networks

>SM2/SM4 Mechanisms

>SHA-3 Mechanisms

Luna HSM Firmware 7.4.2

This release adds support for 3GPP, SM2/SM4, and SHA-3 cryptographic functions to SafeNet Luna PCIe HSMs. It consists of:

>Luna HSM firmware 7.4.2

>Luna HSM Client 7.4.0 software patch

3GPP Cryptography for 5G Mobile Networks

The new 3GPP crypto functions support the authentication and re-synchronization of a mobile device to the back-end authentication center (AUC). Milenage, Tuak and Comp128 algorithms are available and are relevant to 2/2.5G, 3G, 4G(LTE) and newer 5G mobile networks. The primary benefit of using the Luna HSM ensures that the subscribers key (Ki) is never exposed in the clear outside the security perimeter of a hardware security device. Optionally the Operators Variant string (OP) may also be encrypted under a storage key only found inside the HSM.

See 3GPP Mechanisms for 5G Mobile Networks.

SM2/SM4 Support

SM2 is comparable to Elliptic Curve (EC) in terms of key structure though the signing algorithm is different. SM2 is required for sign/verify. There is a new key type CKK_SM2. SM4 is comparable to Advanced Encryption Standard (AES-128) in terms of key size though the encryption algorithm is different. SM4 is required for encrypt/decrypt (modes ECB, CBC, CBC-PAD). There is a new key type CKK_SM4.

See SM2/SM4 Mechanisms.

SHA-3 Function Support

This provides a guide to using the SHA-3 crypto functions in the Luna HSM. The SHA-3 implementation conforms to the NIST publication FIPS PUB 202. The SHA-3 hash algorithm has been implemented in the K7 FW. This provides the ability to send message data to the Luna HSM in order to receive the SHA-3 digest of the data. The algorithm is implemented for digest bit lengths of 224, 256, 384 and 512 similar to the SHA-2 family of hash algorithms. Other mechanisms that make use of a digest include support for SHA-3 by either specifying the mechanism type or specifying mechanism parameters.

See SHA-3 Mechanisms.

Luna HSM Client 10.1.0

This release consists of:

>Luna HSM Client 10.1.0

Luna HSM Client 10.1 Supports Both Luna HSMs and DPoD HSM on Demand Services

Luna HSM Client can now be used with HSM on Demand services provided by SafeNet Data Protection on Demand. This allows you to migrate keys from a password-authenticated Luna HSM partition to an HSMoD service or vice-versa, set up High-Availability (HA) groups that include both password-authenticated Luna partitions and HSMoD services, and operate your local (Luna PCIe), remote (Luna Network), and cloud (HSMoD) HSM solutions on the same client workstation.

HSMoD client compatibility is limited to Windows and Red Hat Enterprise Linux 7-based operating systems in this release.

Refer to the following sections:

>Adding a DPoD HSM on Demand Service

>Cloning Keys Between Luna 6, Luna 7, and HSM on Demand

G7-based SafeNet Luna Backup HSM

Thales is pleased to announce the availability of the G7-based SafeNet Luna Backup HSM – a full-featured, hand-held, USB-attached backup HSM that includes an informational full-color display.

You can use the SafeNet Luna Backup HSM to backup your Luna HSM 5.x, 6.x, and 7.x user partitions.

The SafeNet Luna Backup HSM connects easily to a client workstation using the included USB 3.0 Type C cable, and includes a universal 5V external power supply, which may be required to power the device in some instances.

NOTE   The smart card slot located at the bottom front of the unit is reserved for future use and has been disabled in this release.

For detailed usage instructions, see Backup and Restore Using a G7-Based Backup HSM.

Models

The G7-based SafeNet Luna Backup HSM is available in the following models. All models can be initialized in PED or password-authenticated mode for backing up either PED or password authenticated partitions. In-field storage upgrades are not available.

B700 32 MB storage. Up to 100 partitions of the same authentication type.
B750 128 MB storage. Up to 100 partitions of the same authentication type.

To use the G7-based SafeNet Luna Backup HSM, you must upgrade to Luna HSM Client 10.1, a client-only field update for Linux and Windows. Luna HSM Client 10.1 provides the drivers and software updates you need to use the G7-based SafeNet Luna Backup HSM.

Remote PED Support on Linux

You can now host Remote PED services on a Linux workstation.

See Remote PED Setup.

Windows Secure Boot Support

The drivers included with the Luna HSM Client software for Luna PCIe HSMs, Luna Backup HSMs, Luna USB HSMs, and Luna PEDs now support Windows Secure Boot.

SafeNet Luna PCIe HSM Release 7.4

This release consists of:

>Luna HSM Client 7.4.0

>Luna HSM firmware 7.4.0

Functionality Modules

SafeNet Luna PCIe HSM 7.4 introduces Functionality Modules (FMs). FMs consist of your own custom-developed code, loaded and operating within the logical and physical security of a SafeNet Luna PCIe HSM as part of the HSM firmware. FMs allow you to customize your SafeNet Luna PCIe HSM's functionality to suit the needs of your organization. Custom functionality provided by your own FMs can include:

>new cryptographic algorithms, including Quantum algorithms

>security-sensitive code, isolated from the rest of the HSM environment

>keys and critical parameters managed by the FM, independent from standard PKCS#11 objects, held in tamper-protected persistent storage

To create FMs, you will need the Functionality Module Software Development Kit (SDK), which is included with the Luna HSM Client software. Applications that use FM functions are supported on Windows and Linux.

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset. Refer to FM Deployment Constraints for details before enabling.

See About the FM SDK Programming Guide and Functionality Modules for details and procedures.

View Utilization Metrics by Partition

Release 7.4 allows you to view utilization metrics for an individual partition or a specified list of partitions.

See Partition Utilization Metrics for details.

Ed25519ph Curve

SafeNet Luna PCIe HSM firmware version 7.4.0 includes support for the ed25519ph curve variant.

See CKM_EDDSA for details.

SafeNet Luna PCIe HSM Release 7.3

This release consists of:

>Luna HSM Client 7.3.0

>Luna HSM firmware 7.3.0

BIP32 Algorithm

SafeNet Luna PCIe HSM 7.3 includes new mechanisms that use the BIP32 cryptographic algorithm. This allows SafeNet Luna PCIe HSM to support applications that use Hierarchical Deterministic Wallets, used in Bitcoin and blockchain transactions (requires firmware 7.3.0).

JavaSP support for ECC Curve 25519

The SafeNet Java Provider now includes support for mechanisms using ECC Curve 25519.

SafeNet Luna PCIe HSM Release 7.2

This release consists of:

>Luna HSM Client 7.2.0

>Luna HSM firmware 7.2.0

Improved Luna HSM Client

Release 7.2 adds improvements to the Luna HSM Client software:

>Enhanced Version Compatibility for Luna HSM Client — Version 7.2 and newer Luna HSM Client can be used with HSMs running Luna 6.2.1 or higher, or any Luna 7 version, without conflict. Luna HSM Client 7.2 and newer versions can coexist in large deployments. You can schedule client roll-outs at your convenience, without need to match versions across your organization. Future HSM features that do not have client-version dependencies will function without issue.

>Improved Client Installer with User-Defined Install Paths (Windows)Luna HSM Client can be installed at user-selected locations (file paths with sufficient space), and installed Client software can be modified without uninstalling and reinstalling.

>User-Defined Client Install Paths (Linux) — Linux root-level users can install the Luna HSM Client software to an installation directory of their choice.

Relabel Partitions

The Partition SO can now change the label of an initialized partition. This allows partitions to be created ahead of time and renamed to something more suitable later, when they are allocated for a particular purpose (Requires firmware 7.2.0).

Crypto User Can Clone Public Objects

The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication (Requires firmware 7.2.0).

Auto-Enabled HA Logging

Luna HSM Client now automatically enables HA logging, either when you create the first HA group, or when you update the Luna HSM Client to 7.2.0 and it detects a previously-configured HA group. If you manually turn HA logging off, logging is not auto-enabled for new HA groups.

SCP03 Encoding

The SCP03 encoding scheme, as defined in NIST SP 800-108, is now supported for Global Platform.

SafeNet Luna PCIe HSM Release 7.1

This release consists of:

>Luna HSM Client 7.1.0

>Luna HSM firmware 7.1.0

Policy Templates

The HSM or Partition SO can save a copy of their organization's preferred HSM or partition policy settings to a template. They can then use this template to configure policy settings when initializing other HSMs or partitions.

This can save time and effort when deploying multiple HSMs or partitions. It also ensures consistency across your HSMs and partitions, which helps to simplify future audit and compliance requirements.

See Setting HSM Policies Using a Template and Setting Partition Policies Using a Template.

Configurable Policies for Export of Private Keys

The Partition SO can use partition policies to control whether or not the private keys in a given partition can be exported off the HSM. The ability to export private keys is particularly useful in use cases such as smart card & identity issuance, secure manufacturing, etc.

This gives organizations the ability to support a wider variety of use cases with their HSM, and also provides Partition SOs with more flexibility overall.

See Configuring the Partition for Cloning or Export of Private Keys.

Curve 25519 Available in FIPS Mode

Curve 25519 is now available for use in FIPS mode.

SafeNet Luna PCIe HSM Release 7.0

This release consists of:

>New SafeNet Luna PCIe HSM adapter

>Luna HSM Client 7.0.0

>Luna HSM firmware 7.0.1

Low-Profile Card

The SafeNet Luna PCIe HSM 7 is smaller than its predecessors and can be installed in a half-height PCIe slot.

See SafeNet Luna PCIe HSM Required Items.

Partition Security Officer

All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM.

See Partition Roles.

Best-in-Class Performance

SafeNet Luna PCIe HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x SafeNet Luna HSMs.

Industry-Leading Security

SafeNet Luna PCIe HSM 7 provides enhanced environmental failure protection and tamper resistance.

Improved Random Number Generation

The performance of SafeNet Luna PCIe HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:

>SP800-90B

>SP800-90C

>BSI DRG.4

New Cryptographic Mechanism Support

SafeNet Luna PCIe HSM 7 adds support for the following cryptographic algorithms:

>SP800-108 HMAC (RSA & ECC)

>SP800-38F (KWP)

>Curve 25519

>AES-XTS - disk encryption standard

Increased Key Storage Capacity

SafeNet Luna PCIe HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).

Secure Transport Mode Redesigned

Secure Transport Mode (STM) in SafeNet Luna PCIe HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents, and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are redisplayed. If the strings match, the HSM has not been tampered or modified during transport.

See Secure Transport Mode.