
About M of N

First, what is it?

The M of N feature provides a means by which organizations employing cryptographic modules for sensitive operations can enforce multi-person control over access to the cryptographic module.  The feature is available in all Luna SAs configured to use Trusted Path authentication – using the PIN Entry Device (PED) and PED Keys.


M of N involves a splitting of the authentication secret into multiple parts or splits. The shared secret is distributed (or “split”) among several PED Keys (“split-knowledge access control”). Every type of PED-administered HSM secret can be split when it is created: blue SO PED Key, black User/Partition Owner PED Key, red Cloning Domain PED Key, orange Remote PED Vector Key, purple Secure Recover Key, white Audit PED Key.

Without M of N, you can initialize an HSM so that a single blue HSM Admin/SO PED Key is required to log in and perform HSM management functions, a single black Partition Owner/User PED Key is required to activate a Partition so that Clients can connect and perform operations within it, and so on. That can be the full extent of your security and oversight. If that is sufficient, you can stop reading.

With M of N, the authentication secret on one blue SO PED Key or one black Partition Owner PED Key (or red Domain key, orange Remote PED key, or purple Secure Recovery key) is still necessary, but is no longer sufficient for authentication. Access now requires additional authentication by an overseer, or several overseers. That additional oversight is the M of N "split knowledge shared secret". What that means is that the SO secret, partition User/Owner secret, or cloning Domain secret (as well as the Remote PED secret, the Secure Recovery secret, and the Audit secret) can be split into portions spread over several PED Keys of the current color, rather than just one, and those portions must be brought together in order to re-create the complete secret. At initialization time, you specify into how many splits or shares each authentication secret is divided - this is the quantity N (any number from 1 to 16). You also specify how many of those splits or shares must be joined together by Luna PED in order to re-create the secret - this is the quantity M. M can be less than or equal to N.

Where/when to use it

Use M of N when you want a particular type of HSM access to require the presence of more than one person. M of N is invoked per authentication secret. That is, it applies only to those secrets where you deliberately choose to invoke M of N as the secret is being created/imprinted. Thus you could have M of N multi-person control imposed for SO and Domain, but not for Partition Owner/User, nor SRK, nor RPV... or any other combination that makes sense in your environment.

During initialization of the HSM, the HSM Admin or Security Officer [SO] invokes M of N if desired as the procedure reaches the point of creating/imprinting each authentication secret. The SO specifies how many shares (also sometimes called “splits”) will make up the shared secret. This total number is N and may be any number up to 16. The SO then specifies how many of that total number of (current color) PED Keys are to be required at each login. This second number, M, can be any number up to N. From that point on, any future login or invocation of that particular authentication (blue key, black, red, orange, purple) to the HSM requires that quantity M of that-color share keys be provided. The result is that no single person can operate that aspect of the HSM. One holder of the Owner key or the HSM Admin/SO key must bring together M different share-holders, each with one of the black or blue keys, as appropriate, before the HSM can be unlocked.

M of N is not a splitting of the private signing key; it is splitting of the Luna HSM's individual authentication/access secrets. That is, M of N is a splitting of the secret that lets you into the HSM, but not a split of the working (encrypting, decrypting, signing, verifying) secrets - your keys and certificates - contained inside the HSM.

Do not use M of N unless you will be giving each split-containing PED Key to a different person. We recommend that you not use M of N unless you have established a definite need for it. The additional security of split-knowledge shared-secret multi-person access control comes at the cost of additional administrative overhead, and an increased possibility of making an administrative or handling error that could leave you unable to access your keys and certificates.

Historical Note

In previous versions of Luna HSM, M of N was a selection made at the command line (either lunash:> or lunacm:>) via the hsm init command. You could elect to use M of N or not, by means of options to the hsm init command. M of N was a separate secret, spread across N green keys. If you invoked M of N, it was always in force for that HSM (until the HSM was re-initialized), and it was in force HSM-wide.

Current Practice

Beginning with Luna HSM 5.0, the green keys no longer exist. Each standard authentication secret (SO, User, Domain, RPK, SRK, Auditor) can itself be split into N different components, of which M of them are needed to reconstitute that authentication secret. The decision to invoke M of N for any of the HSM's authentication secrets is no longer made via the command line. Instead, M of N is a PED function, a choice that you make when the secret is created (such as during HSM initialization or partition creation). M of N can therefore be applied to some secrets of an HSM and not to others, at your discretion, and as your organization's security policy dictates.

In usual practice, you select a number M which is the number of trusted people who must be present when HSM authentication is performed - each of them is issued a colored PED Key containing one share of that total M of N secret. The larger the number, the more operationally difficult it can be to get them all together when needed. Then you select a number N which should be a little larger than M, to allow for substitutions. This allows you to achieve M different secret shares in order to access your HSM, even though some of the total key holders might be absent due to illness, travel, etc. That N is the total number of shares into which the M of N secret will be split.

To login with M of N in force, you are first prompted to supply a blue PED Key (or a black PED Key, as appropriate to the task), then you are prompted to supply each additional (different) key of that color until M splits have been presented - those can be any M of those keys, in any order, as long as all are different. That is, the secret is spread over N keys, but you need only M of them to recreate the complete secret when required (where M is usually less than N).
