
About PED Keys

What is a PED Key?

A PED Key is an electrically-programmed device, with USB interface, embedded in a molded plastic body for ease of handling. Specifically, a PED Key is a SafeNet iKey authentication device model 1000 (firmware version 1.1 or later is required; the PED checks the firmware version of a presented iKey and displays an error message if the version is too old) with FIPS configuration. In conjunction with PED 2 or PED 2 Remote, a PED Key can be electronically imprinted with identifying information, which it retains until deliberately changed.

A PED Key holds a generated secret that might unlock one or more HSMs. That secret is created by initializing the first HSM. The secret can then be copied (using PED 2.x) to other PED Keys, for purposes of backup, or to allow more than one person to have access to HSMs that are protected by that particular secret. The secret can also be copied to other HSMs (when those HSMs are initialized), so that one HSM secret is able to unlock multiple HSMs.

The HSM-related secret might be the access control for one or more HSMs, the access control for Partitions within HSMs, or the Domain key that permits secure moving/copying/sharing of secrets among HSMs that share a domain.

The PED comes in two versions:

- the standard PED 2 is designed for local connection only, to a SafeNet HSM

- the Remote PED 2 has all the functions of the standard PED 2 and can also be used remotely from an HSM, when used with the PEDServer.exe workstation software.

Why do you need PED Keys?

The PED and PED Keys are the only means of authenticating, and permitting access to the administrative interface of, the PED-authenticated HSM, and are the first part of the two-part Client authentication of the FIPS 140-2 level 3 compliant SafeNet HSM with Trusted Path Authentication (FIPS is the Federal Information Processing Standards of the United States government's National Institute of Standards and Technology; FIPS 140-2 is an internationally recognized standard regarding security requirements for cryptographic modules, and level 3 is its second-highest level of security features/assurance).

The use of PED and PED Keys prevents key-logging exploits on the host HSM, because the authentication information is delivered directly from the hand-held PED into the HSM via the independent, trusted-path interface. You do not type the authentication information at a computer keyboard, and the authentication information does not pass through the internals of the computer, where it could possibly be intercepted by spy software.  

The PED does not hold the HSM authentication secrets. The PED facilitates the creation and communication of those secrets, but the secrets themselves reside on the portable PED Keys. This means that an imprinted PED Key can be used only with HSMs that share the particular secret, but PEDs are interchangeable (at least, within compatible versions: you can replace any PED 2.x with any other [unless otherwise indicated], but you cannot use a PED 1.x where a 2.x version is needed, or vice-versa).

Types of PED Key

The current-model PED uses iKey USB-fob type PED Keys of no particular color (the standard issue is black) for all functions. You can visually differentiate your PED Keys by attaching tags or labels. A set of sticky labels in appropriate colors (see below) is supplied with your PED Keys.

The roles and uses of the PED Keys employed with SafeNet HSMs and the PED are as follows:

SO

Security Officer (SO, also sometimes called HSM Admin) PED Key. The first actions with a new SafeNet HSM involve creating an SO PIN and imprinting an SO PED Key. The SO identity is used for further administrative actions on the HSMs, such as creating HSM Partition Users and changing passwords, backing up HSM objects, and controlling HSM Policy settings. A PED PIN (an additional, optional password typed on the PED touchpad) can be added. SO PED Keys can be duplicated (a PED Key can be copied so that two or more PED Keys contain the same secret; this is useful and necessary in order to have backups of each of your PED Keys, and for other operational purposes, but you must maintain rigorous control of all duplicates, and of the "paper trail" of possession, to prevent unauthorized persons from accessing your HSM(s)) for backup, and can be shared among HSMs by imprinting subsequent HSMs with an SO PIN already on a PED Key.

Partition User

HSM Partition User key. This PED Key is required to log in as HSM Partition Owner or Crypto Officer. It is needed for Partition maintenance, creation and destruction of key objects, etc., and for the local portion of the login that permits remote Client (or Crypto User) access to the Partition. A PED PIN (an additional, optional password typed on the PED touchpad) can be added. Black User PED Keys can be duplicated for backup, and can be shared among HSM Partitions using the "Group PED Key" option.

Domain

Key Cloning Vector (KCV) or Domain ID key. This PED Key carries the domain identifier (also referred to as KCV, Key Cloning Vector) for any group of HSMs for which key-cloning/backup is to be used. A domain is a shared identifier, common to a group of Luna cryptographic modules, with access controlled by a red PED Key (for Trusted Path Authentication) or by a domain string (for Password Authentication). Cloning (secure duplication) of token objects is possible among tokens/HSMs that share a particular domain. Cloning is not possible across different domains, and is not possible where the tokens lack a domain. A domain must be declared and imprinted at the time a token is initialized. The red PED Key is created/imprinted upon HSM initialization. Another is created/imprinted with each HSM Partition (or the same domain can be reused). A cloning domain key carries the domain (via PED) to other HSMs or HSM partitions which are to be initialized with the same domain, thus permitting backup and restore among (only) those containers and tokens. The red Domain PED Key receives a domain identifier the first time it is used, at which time a random domain is generated by the HSM and sent to both the red Domain key and the current HSM Partition. Once imprinted, that domain identifier is intended to be permanent on the red Domain PED Key, and on any HSM Partitions or tokens that share its domain. Any future operations with that red Domain PED Key should simply copy that domain onto future HSM Partitions or backup tokens (via PED) so that they may participate in backup and restore operations (see What is a Domain PED Key? later in this section, for a more detailed explanation).
Red PED Keys can be duplicated for backup or multiple copies of the key.

The red PED Key can be considered the most important PED Key to protect from access by unauthorized persons. An unauthorized person who is able to learn the Luna SA appliance admin password could see and manipulate objects on a logged-in or activated partition, but would be able to copy those objects to another HSM only if he had possession of the partition domain secret. Without the proper red PED Key, an attacker cannot copy/clone HSM partition contents to other HSMs.

Remote PED

This PED Key is required when you need to perform PED operations at a distance. The orange RPK carries the Remote PED Vector (RPV) and allows a Luna PED connected to a properly configured computer to substitute for a PED connected directly to the Luna appliance/HSM, when that local connection is not convenient.

The RPV is created/imprinted by a Luna HSM with a suitable PED connected (version 2.4.0 or later, having the Remote PED feature installed). A Remote PED can be connected to the USB port of a networked computer that has the PED driver installed and is running the PEDserver.exe program. A Luna HSM (that has been initialized with a Remote PED vector) can initiate a secure connection to the Remote PED Server computer, and that connection can be validated by an orange Remote PED Key that carries the same vector as the Luna HSM. For the duration of that session, HSM commands can be run at that appliance with all the needed PED Keys (SO, User, Domain, even SRK) being supplied via the PED connected to the computer. There is no need to be present at the remotely located Luna appliance/HSM with PED Keys and PED. Orange PED Keys can be duplicated for backup or multiple copies of the key.

Secure Recovery

The purple Secure Recovery Key contains the external split of the SRV (secure recovery vector), which is needed to recreate the HSM's master key with which all HSM contents are encrypted. The master key is destroyed whenever a tamper event occurs, or when the HSM is deliberately set to Secure Transport Mode. For Secure Transport Mode, the purple PED Key is then shipped via a separate channel from the HSM shipment so that no attacker could obtain access to both the HSM and the SRV while they are in transit. Upon receipt, the administrator brings both the HSM and the purple key together, and invokes the "hsm srk recover" command. This brings the internal (in the HSM) and external (on the purple SRK) components of the SRV together and recreates the HSM master key, allowing the HSM to be used. Purple PED Keys can be duplicated for backup or multiple copies of the key.

Audit

Audit is an HSM role that takes care of audit logging, under independent control. The audit role is initialized and imprints a white PED Key, without need for the SO or other role. The Auditor configures and maintains the audit logging feature, determining what HSM activity is logged, as well as other logging parameters, such as rollover period, etc. The purpose of the separate Audit role is to satisfy certain security requirements, while ensuring that no one else, including the HSM SO, can modify the logs or hide any actions on the HSM. The Audit role is optional until initialized. For Luna G5 and Luna PCI-E, see the audit commands in lunacm:>. For Luna SA, there is a separate appliance login role (audit) that has access to its own lunash:> commands, in addition to a limited set of view-only commands for the HSM. The SO (a.k.a. HSM Admin) and others who log into the appliance as "admin" or as other named roles do not have access to the lunash:> audit commands.

What is a Set of PED Keys?

A nominal set of PED Keys, as purchased with a SafeNet HSM with PED (Trusted Path) Authentication, consists of ten black USB-token PED Keys, along with colored stickers to identify them (several each of blue, red, black, orange, white, and purple), which allows some spares or backups. The PED Keys are completely interchangeable before they are imprinted by your action. The PED Keys are imprinted by the PED during HSM initialization and Partition creation, so at a minimum you would have one each of:

The stickers (above) are just visual labels to attach to your PED Keys. They are provided for your convenience, and you can use them, or not, at your discretion.

We recommend that you use some system of visually identifying the role of each PED Key once it is imprinted. Ordinary key-chain tags are handy and can be acquired anywhere; they provide room for written information that is important to you, and they do not interfere with the operation of the PED Keys.

We strongly suggest that you use our supplied self-stick PED Key labels, or that you otherwise maintain the color associations that are referenced throughout the documentation and also in the HSM utilities and the PED's own dialogs.

The others are spares for each role. The SO, Domain, and User roles are the minimum that you need to operate the HSM.

For purposes of backup redundancy, you would normally have at least a second full set for keeping in safe storage, once they have been imprinted. Imprinting takes place when an HSM is initialized (a backup token is initialized/re-initialized whenever a backup is performed onto it). Initialization is also an opportunity to make more duplicates of any PED Key, if you require them. Imprinting of Partition PED Keys takes place when an HSM Partition is created (on a SafeNet HSM it is always possible to create at least one Partition; more may be possible, depending upon the configuration that you initially purchased, or upon licensing/capability update packages that you might later choose to purchase and apply). Again, Partition backup is an opportunity to create more duplicate black PED Keys, or to cause a newly-created Partition to share an authentication secret that is already used on other HSMs' Partitions.

You will also require additional PED Keys if you decide to use the M of N security feature.

Physical Identification of PED Keys

This section offers a few suggestions for your handling of PED Keys. Naturally you should be guided primarily by your organization's security policies.

As indicated above, you might wish to physically mark your PED Keys, in order to help keep track of them. Colored, blank tags are suggested, in addition to the provided stickers, though you could use any identifier that does not interfere with the operation of the PED Key. At a minimum, in an operational environment, you should have at least one working set and one full backup set, and a way to tell them apart.

If multiple personnel will need access to the HSM, you might provide duplicates of some or all PED Keys that are associated with a particular HSM. It would be helpful to number them, or to write the name or title of the person who will hold each duplicate, to ease tracking. Your organization's security policy might have requirements in that regard.

If you have multiple HSMs or groups of HSMs in your organization, a thoughtful labeling convention can ease the task of tracking and differentiating the various PED Keys and key-holder personnel.

If you invoke the optional M of N security feature (see the “Using M of N” page in this Help), you could have multiple sets of several PED Keys (containing the secret splits for SO or for the Partition Owner) that might require unique visible identification. Possibly one person might be the designated holder of M of N secret shares belonging to more than one HSM in your company. If that person is carrying several PED Keys, it would be convenient to see, at a glance, which PED Key belonged to which M of N set, so as to avoid making accidental bad login attempts due to mix-ups of PED Keys.

For example, if each department in your company had a SafeNet HSM, and you were using the M of N feature, your key tags might be labeled something like:

Accounts Receivable
SO #4 of 3of5

So this would be Security Officer (SO) key-share number 4, of a 5-key M of N set that requires at least three key-holders to be present to unlock the administration functions of that HSM in the Accounts Receivable department. You might prefer to not mention the "N" quantity, so that an attacker would not know how many more he/she needed to acquire.
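The M of N property behind the "3of5" tag above, modelled as an added example that is not SafeNet's code: the page does not describe how the SO or Partition Owner secret is split across PED Keys, so Shamir secret sharing over a prime field is assumed here. It shows that any three of five shares recover the secret, and that any two shares are consistent with every possible secret, so a holder of fewer than M keys learns nothing about it.

```python
import secrets

PRIME = 2**61 - 1  # field modulus for share arithmetic (assumption)


def _interpolate(points, x):
    """Lagrange-interpolate the polynomial through points, evaluate at x."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate among shares")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret, m, n):
    """Split secret into n shares (x, y), any m of which reconstruct it."""
    if not 1 < m <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 < m <= n and a secret inside the field")
    # Random degree m-1 polynomial whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):          # share #x goes to key-holder x
        y = 0
        for c in reversed(coeffs):     # Horner evaluation
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Recombine m or more distinct shares; the secret is the value at x=0."""
    return _interpolate(shares, 0)


def share_consistent_with(partial_shares, candidate_secret, x):
    """Given only m-1 shares, return the share at x that would make
    candidate_secret the recovered value (so m-1 shares fit any secret)."""
    return (x, _interpolate([(0, candidate_secret)] + list(partial_shares), x))


if __name__ == "__main__":
    so_secret = secrets.randbelow(PRIME)     # constructed sample SO secret
    shares = split_secret(so_secret, 3, 5)   # "3of5": PED Keys #1..#5
    assert recover_secret([shares[3], shares[0], shares[4]]) == so_secret
    fake = share_consistent_with(shares[:2], 12345, 5)
    assert recover_secret(shares[:2] + [fake]) == 12345
    print("3 of 5 keys recover the secret; 2 of 5 fit any secret")
```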

Alternatively, you might use something obscure like:

AR4

which could be a code representing a more descriptive entry that you would keep in a log book or in a database. Either way, by looking at the tag you can quickly find out which of various PED Keys you are currently holding.

Obviously, these are just basic suggestions, and you can use any identifying scheme that works for you.

Using PED Keys

This is described in detail in "How to Use a Luna PED", and in the Configuration and setup section of this Help.

Briefly, when you perform an HSM operation that requires a PED Key, you should already have the PED connected to the HSM or appliance.

When the command is issued, the system tells you when to look to the PED.

The PED prompts you when to insert various PED Keys, appropriate to the task. When prompted, insert the indicated PED Key into the connector at the top of the PED, immediately to the right of the PED cable connection, then respond to further instructions on the PED display, until control is returned to the administrative command-line.