What is M of N?

M of N is the Luna HSM (the Trusted Path version [FIPS 140-2 level 3 compliant] that uses Luna PED and PED Keys for authentication) access-control feature that implements a split-secret (or split-knowledge) threshold scheme to divide and distribute the HSM authentication among multiple holders. Also sometimes called Multi-person Control or quorum-based authentication, this model is part of a layered security strategy, and ensures that no single person has sufficient authority to access certain functions or operations.

The split secret can be the HSM Security Officer authentication secret, or the Cloning Domain secret, or the User secret, any of which can be divided into N different parts and distributed among multiple holders. The threshold is the number M of splits out of the total N that must be recombined in order to reconstruct the complete secret and gain access to the HSM.

Setting Up M of N

M of N is decided at initialization time. The Luna PED prompts for the number M and the number N before the newly generated secret is imprinted.

Enter a number for N (the size of the full set, the total number of shares into which this secret is to be split).

The PED performs the split and sets the threshold, and then begins prompting you to insert blank PED Keys, to be imprinted.

If M and N are set to 1, then the secret is not split, and the entire secret is imprinted onto a single PED Key. In that case, M of N is effectively turned off, or not used.

Note: You can make additional copies of the single PED Key (at a later step in the initialization), but each key in this situation will have the complete authentication secret, therefore any one of them will be sufficient to authenticate to the HSM. In contrast, if you had declared M and N to be greater than one, then any key that you duplicated would have a copy of only a split (an incomplete portion) of the authentication secret. Two identical PED Keys from an MofN split cannot be used as separate portions to recreate a split authentication secret - therefore, you must be very careful when handling and labeling PED Keys if you have:

Note: a) invoked MofN (by setting M and N greater than 1) and

Note: b) created duplicates of any/all of the PED Keys containing those splits.

Note: In other words, if you invoke MofN and you also create duplicates, be very careful to keep the "original" and the backup PED Key sets identified and separate from each other.

If M and N are set to greater than 1, then M must always be less than, or equal to N. The maximum is 16 splits of the secret. If M=N, then every one of the splits must be recombined in order to reconstruct the complete secret. In that case, you must be very sure of the reliability of all key holders, since if any of them is sick, away on vacation, or otherwise not available, then access to the HSM is not possible.

The usual practice is to determine a reasonable number M that is sufficient for your security policies, and then allow a few more splits as "spares", the total number being your chosen N. This allows some operational flexibility, at the cost of validating additional trusted key-holder personnel.

Additional Considerations

The Luna Identity Server HSM and Luna PED offer additional, optional security features, all of which can be used together in any combination, if desired. You and your security policy must determine which features are necessary in your situation. Keep in mind that your handling procedures will need to adapt to the results of your choices.

Duplicate PED Keys

During initialization, Luna PED offers the option to create duplicates of imprinted PED Keys. Without M of N, you can make as many duplicates as you wish of a PED Key, or as many as you have blanks. With M of N invoked, you are guided by the Luna PED to submit a full set of N blanks for each duplicate. That is, if you desired more than one backup duplicate, you would be prompted to insert N blank keys in succession to complete one M of N backup set and then asked if you wish to imprint another. You must have a full set of blanks available to create each backup set.

If you run out of PED Keys before a set is complete, the system eventually times out, possibly leaving itself in an indeterminate state. Therefore, you would need to restart the initialization and either arrange to have enough blanks available, or choose to make fewer duplicates.

Unless your security policy forbids, you should carefully label all PED Keys. This will make them much easier to administer in situations such as personnel turnover, mandated password-change cycles, and so on. Physical labelling will allow you to distinguish which PED Key belongs with which person, which keys belong to primary or backup sets, and possibly other operational considerations. If you make a duplicate set, the same splits are generated, in the same order.

PED PINs

If your security policy demands three-factor authentication ("something you know" [the alpha-numeric admin password] as well as "something you have" [the PED Key], along with an additional "something you know" [the numeric PED PIN]), then you can use the PED PIN option. A PED PIN is a number that you type in at the PED keypad, and which becomes associated with the secret-split on the PED Key, masking that partial secret.

Note: If you prefer not to use PED PINs, just press [ENT] at the prompt, without typing any digits on the PED keypad.

You can apply any PED PIN number to a PED Key when that PED Key is being imprinted. Thus you could use the same PED PIN on every Key, or a different one on every Key. You could use matching PED PINs on the matching Key from each of two (or more) sets, or make them all different. Each option affects the convenience or the effectiveness of the additional level of security.

The last sentence in the previous section said: If you make a duplicate set, the same splits are generated, in the same order. That is still true, when you invoke PED PIN security, but the PED PIN portion of the data on the PED Key is not necessarily the same ( Every time you are given an opportunity to impose a PED PIN onto a PED Key, you are free to give any number [either none, or a number from 4 to 48 digits] -- there is never a constraint to match any PED PIN that you used on other PED Keys, such as duplicates or M of N splits. The system dictates no requirements of that nature -- every time you are given the opportunity to impose a PED PIN, you have a new opportunity to decide whether or not to have a PED PIN and, if so, the digits that compose that PED PIN. Of course, when you later attempt to authenticate with a PED Key, you must supply the exact PED PIN that was set for this particular PED Key [if one was]. ) unless you choose to input the same PED PIN digits on equivalent splits of the new set.

Use PED PINs in conjunction with M of N only if you really need both features and are prepared to deal with the resulting logistic requirements.

Using M of N

Once M of N is set, and initialization completed, the HSM and Luna PED take care of enforcing the feature. Whenever you attempt an action that requires login, the Luna PED begins prompting for M different PED Keys of that type. It continues until it has collected enough parts (splits) to reconstruct the original secret. It detects attempts to re-use a key during a single authentication attempt, and is not satisfied until it has gathered M different components of the split secret.

Only the splits from the original secret are valid - that is, you cannot substitute a key from a different set; Luna PED refuses to accept any individual key that is not a unique member of the current split secret. When it has collected M different splits from the correct set, it offers the reconstructed secret to the HSM and login procedes.

To help implement such a policy around a Luna HSM, the M of N Access to those functions or operations can require the presence and co-operation of multiple trusted persons, simultaneously. Such a strategy is sometimes called shared integrity or split-secret threshold. For example, if you are a Security Officer for an HSM, your authentication key alone would not be sufficient for you to administer that HSM - you need the cooperation of a specified number of other SOs, who must concur and authenticate when you do.

The Luna Identity Server M of N feature provides a means by which organizations employing cryptographic modules for sensitive operations can enforce multi-person shared authentication control over access to the cryptographic module. The feature is available in all Luna Identity Servers configured to use Trusted Path authentication – using the PIN Entry Device (PED) and PED Keys.

M of N involves a modification of the SO PIN, User PIN or Domain secrets. M of N causes the PIN or Domain secret to be divided and shared (or “split”) among several PED Keys of one type (“split-knowledge access control”). M of N is optional at initialization time.

M of N is offered as a choice by the Luna PED when PED Keys are being imprinted. N is the size of the pool of shares or splits. M is the number of shares (each on its own PED Key) that must be brought together to reconstruct the full authentication secret.

The PED performs the split and sets the threshold, and then begins prompting you to insert blank PED Keys, to be imprinted.

The same general pattern applies to the red Domain PED Keys and the black Partition/group User PED Keys. You can choose to impose the M of N requirement on any of SO (blue), Domain (red) or User (black), without requiring M of N for the others. Similarly, if two or more kinds of PED Keys have the M of N secret sharing imposed, the M and N values can be different for each set. That is, if you invoked M of N as 3 of 5 for SO, you could require (say) the Domain to be 2 of 3 and the User authentication to be 4 of 6, or whatever combination suited your policies and procedures.

M of N is not a splitting of the private signing key; it is splitting of the Luna Identity Server HSM's authentication secret.