Luna Concepts
Luna Concepts
(This page is background information that might help make some operations more obvious.)
After the first-ever Luna HSM, all succeeding generations have included both password-authenticated and PED-authenticated variants. This page describes how the current-generation PED-authenticated HSMs (firmware 6.x) interact with Luna PED and PED Keys, particularly during initialization - a time when important decisions are made. Other pages describe the PED and PED Keys. This is more about flow.
The diagram shows how the components are affected as you make choices . This flow depicts the SO / HSM Admin secret, but the interactions for other secrets follow the same pattern.
Click the thumbnail picture below to view the diagram full size.
When you issue the "hsm init" command at the command-line, the HSM generates a secret, then turns over control to the Luna PED.
Reuse? (a.k.a. Group PED Key)
The first question from the PED is whether you wish to 
an existing SO / HSM Admin authentication secret (the same logic applies to the other PED Keys, so we use just the blue key in this example). This means that you have a blue PED Key from another HSM, or you have a blue PED Key from a previous initialization of this HSM. The PED is asking if you wish to import the secret from that key onto the HSM. The options at this point are:
a) you have only fresh blank PED Keys that have not been used previously with any HSM (No - do not reuse)
b) you have a previously used PED Key, but the secret it contains is not one you wish to preserve or re-use (No - do not reuse)
c) you have a previously used PED Key, with a secret from this HSM, and you don't mind reusing it (Yes - reuse)
d) you have a previously used PED Key, from another HSM, and you wish to reuse it so that the blue key can unlock both the current HSM and the other HSM. (Yes - reuse)
These options also apply to any other key color when they are being imprinted. If you elect to reuse the content of an existing key, then the secret that the current HSM generated is discarded, and the secret from the reused PED Key overwrites onto the HSM. This ensures that the PED Key and the HSM have the same authentication secret, and the key can unlock the HSM. If the secret on the key was from another HSM that is still operational, then the PED Key has become a "group PED Key" that unlocks the equivalent aspects of both HSMs. In this manner, you can include as many HSMs as you wish in a
If you choose to not reuse the content of an existing key, then the secret that the current HSM generated is copied onto the key that is currently inserted into the PED (after the PED verifies multiple times that this is what you wish to do). This ensures that the PED Key and the HSM have the same authentication secret, and the key can unlock the HSM. If the PED Key previously had a secret for another HSM, it no longer does. The PED Key can now unlock the current HSM but is useless with the previous HSM.
Note also that your organization's security policies govern whether you can allow multiple HSMs or HSM partitions to be unlockable by the same PED Key.
MofN?
The second question from the PED would ask for M and N values, 
so that you could set up MofN split-secret, multi-person access control. However, that option would greatly complicate this explanation, so we will assume that you choose M=1 and N=1, which means "no MofN invoked".
If you wish to see an explanation of how MofN works on the HSM, go to "HSM Authentication Model with MofN and No PED PINs".
PED PIN?
The PED provides the opportunity to add an 
of authentication security to the handling of the current secret. A PED PIN is a numeric secret typed on the PED keypad. If you just press enter, no PED PIN is created, and therefore no PED-PIN flag is set on the current PED Key. If you do type in some digits on the PED's keypad, then that sequence becomes a PED PIN, a numeric password that must be typed whenever you wish to use that key in future. Whatever your response, the PED asks you to confirm by typing it in again, before proceeding to the next question.
If you wish to see an explanation of how PED PINs work on the HSM go to "HSM Authentication Model with a PED PIN" or "HSM Authentication Model with Multiple PED PINs".
Duplicate? (make backups)
The next question from the PED is whether you wish to 
[ The word "keyset" is used because you could have chosen to invoke MofN, splitting the (in this case) HSM secret across several blue keys, rather than just the one in this example. That is, a "keyset" can consist of one key, containing a complete secret, or multiple keys, each containing a portion of that secret.]
In general, it is a good idea to have several PED Keys with the HSM secret duplicated, so that you can have on-site and off-site backups, and to meet your other operational considerations.
The first opportunity to make copies is at initialization time, as the PED always asks this question during the process. Your answer to the "duplicate" question determines the end of the process for the current PED Key secret.
Again, your security policies dictate how many backup copies - or other operational copies - of a PED Key should be made, and how they should be handled and maintained.
Customers who are familiar with our legacy HSM products, and who are now preparing to use Luna SA 5.x (a firmware 6.x HSM) would observe that much of the concept and action is similar to the previous generation, but with a few important differences, described below. This would be especially important for customers who are migrating keys and HSM contents from older HSMs to the current generation.
Differences in function are driven to a considerable extent by the updating of the (optional) M of N, split-secret, multi-person access control model.
In HSM firmware 4, the MofN concept was of a separate, self-contained single secret (on green keys, and no PED PIN), so all the other PED Key colors were just one secret each, which was a simple model that allowed certain possibilities and precluded others.
In that older model, if a PED PIN was created, it existed only in your head ("something you know), and was a transformation that you applied to the secret on the key ("something you have"), to make it into the secret on the HSM. In that model, it was not possible to have more than one PED PIN for (say) the SO secret on HSM1. However, it was possible to use that same key for another HSM (2) with a different PED PIN, because the secrets on the two HSMs didn’t have to match.
All that was needed was that whatever was on the blue key could be reliably transformed into what HSM1 wanted, and could also be transformed into whatever HSM2 wanted, by typing something on the keypad.
You could minimize the number of blue keys, while still ensuring that HSM1 and HSM2 had effectively different secrets – as long as you trusted that HSM1's SO and HSM2's SO were not going to talk to each other. But any duplicate blue keys were, indeed, exact duplicates. It was the HSMs in a group that had different secrets, not the keys. The same idea applied to the black keys.
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #1) = Success on HSM1,
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #2) = Success on HSM2
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #1) = Failure on HSM2
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #2) = Failure on HSM1
In HSM firmware 6 (Luna PCI-E 5, Luna SA 5, Luna G5), the new PED-mediated MofN-per-key-color model required some re-engineering. Additional infrastructure was needed, which makes this model incompatible with the previous method.
Functionally, in the current model, it doesn’t matter whether you choose M and N to be one (feels like no M of N) or you choose M and N to be greater than one (invoking secret-splitting) – the infrastructure is there, regardless.
One result is that the HSM takes on additional responsibility for validating splits (even if there’s only the one…), and the PED Key data now has a direct relationship to the PED PIN (which is part of the validation done when the PED Key is entered). Therefore, a “duplicate” is now a slightly fuzzier concept. Each duplicate PED Key can be given a different PED PIN (or none), and can still unlock the same HSM1. BUT, if you now make a group of HSMs by initializing a second HSM (HSM2) with the same basic secret (by imprinting the new HSM from one of the duplicate PED Keys), you must use the correct PED PIN for the Key used – any other choice will fail validation. The result is that the second HSM uses the same secret as the first - which is different from the firmware 4 case.
You can optionally have split each secret (M and N greater than 1 when you initialized HSM1), which just makes the combinations more interesting to track without a good set of notes, but that doesn’t change the concept… merely adds a layer.
In the following table, we illustrate your interactions with the PED as you initialize an HSM or create a partition, with a fresh secret (not reused), and then create two duplicates of the PED Key, each with a PED PIN different from the original and from each other, yet all three will unlock that HSM or that partition - to simplify this exercise, we ignore MofN. Assume that all keys are fresh blanks.
| HSM1 PED prompt | Original key, No PED PIN (your action) |
First duplicate key PED PIN "1234" (your action) |
Second duplicate key PED PIN "4321" (your action) |
|---|---|---|---|
| "Do you wish to reuse an existing keyset" (creating new PED Keys during initialization) |
Press [ No ] | n/a | n/a |
| Insert... | (insert a new key) | - | - |
| Enter new PED PIN / Confirm new PED PIN | Press [ Enter ] | n/a | n/a |
| "Are you duplicating this keyset?" | Press [ Yes ] | - | - |
| Insert... | - | (insert a new key) | - |
| Enter new PED PIN / Confirm new PED PIN | - | Type "1234" and press [ Enter ] |
|
| "Are you duplicating this keyset?" | - | Press [ Yes ] | - |
| Insert... | - | - | (insert a new key) |
| Enter new PED PIN / Confirm new PED PIN | - | - | Type "4321" and press [ Enter ] |
| "Are you duplicating this keyset?" | Press [ No ] | ||
| All three PED Keys have different PED PINs, but any one of them can unlock this HSM. The combination of any of those PED Keys, with its own PED PIN will produce the same secret for the HSM. | |||
To round out the parallel concept that finished the firmware 4 discussion above, any duplicate blue keys are not necessarily exact duplicates, they just all contain a way (PED PIN secret) to get back to the same output secret. But in this model (firmware 6), if you want to use the same blue keys for several HSMs, all the HSMs must have exactly the same blue (SO) secret, because a duplicate of any blue key CAN have whatever PED PIN you choose (or none) but must still be able to generate the correct secret.
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #2) = Success on HSM1
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #2) = Success on HSM2
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #1) = Failure on HSM1
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #1) = Failure on HSM2
Some important implications of the above explanations deserve restating.
An additional question that is sometimes asked, about reuse and duplicates...
Luna PED has the ability to make copies of PED Keys, without the intervention of an HSM. All the PED needs is power.
Insert any PED Key containing a secret that you wish to duplicate. The PED defaults to the local mode menu.
Press "<" to get to the Select Mode menu.
Press "4" for the Admin menu.
Press "1" for PED Key.
Press "1" again, for Login.
Press "7" for Duplicate. The PED reads the key that you already inserted, then prompts you:
Duplicate PED Key...
Insert target
PED Key.
Press ENTER.
When you press ENTER, the key in the slot gets the data that was read from the first key.
You can imprint as many new PED Keys as you wish.
Note that the PED does NOT prompt you for a PED PIN.
If the PED PIN flag was not set on the source key (the first key you inserted before invoking the Duplicate function), then the new copy also has that flag unset.
If the PED PIN flag was set on the original key, then that setting is automatically recorded on the duplicate. No HSM is involved in this PED-only transaction, so entering a PED PIN would have no effect in this case. Yet the correct PED PIN will be requested when you later use one of these duplicates to access the HSM.
This DIFFERS from the sequence when you are initializing and choose to make duplicates at that time - in that case you are prompted for PED PIN and can make several "duplicate" keys that have different PED PINS and yet unlock the same HSM. This method is called a "raw" duplication and works for every type of PED Key except a purple SRK.
| Requires HSM |
Launched from command line |
Prompt (option) to set PED PIN |
"Copies" are identical |
"Copies" unlock same HSM |
|
|---|---|---|---|---|---|
| "Duplicating" (creating new PED Keys during initialization) |
Yes | Yes | Yes | Only if no PED PIN or if same PED PIN is repeatedly entered |
Yes, as long as you know the correct PED PIN for the key you have |
| Duplicating "raw" key content via PED menu |
No (only a power connection needed) Note: does not work for purple PED Key. |
No | No | Yes | Yes, PED PIN is the same for all raw duplicates |