
Creating a Partition on Luna G5 HSM

This section describes HSM Partition setup on a Luna G5 with Trusted Path (PED) Authentication. The activities in this section are required in two circumstances:

if you just prepared an HSM on the Luna G5 for the first time and must now create your first HSM Partition, or

if you have deleted or zeroized an HSM Partition and wish to create a new one to replace it.

About HSM Partitions on the Initialized HSM

At this point, the Luna G5 should already have its Security Officer assigned (see Initializing an HSM).

Within the HSM, a separate cryptographic workspace must be created. A workspace, or Partition, and all its contents are protected by encryption derived (in part) from the Partition's authentication secret. Only a User who presents the proper authentication can see the Partition and work with its contents. That User and its authentication can be separate from the Security Officer identity.

In this section, you will:

Create an HSM Partition [the infrastructure of the partition]

Set HSM Partition Policies (Optional)

Create a challenge secret [generated by the PED and later presented/typed at the command line by the Crypto Officer when the CO needs to administer the partition]

Create a Crypto User [and another secret generated by the PED and later presented programmatically or typed at the command line by the Crypto User when the user or client software needs to use the HSM Partition for cryptographic functions]

The above structure ensures the separation of roles between the end-users of the HSM and those who administer the partition.

First, Login as Security Officer

To create HSM Partitions, you must log in to the Luna G5 as Security Officer. At the lunacm:> prompt, type:

lunacm:> hsm login

You are directed to the Luna PED.
Authenticate as Security Officer by supplying the SO PED Key (blue) that was imprinted during the HSM initialization step. The PED prompts you for the PED PIN (the optional numeric code set on the key when it was imprinted) that unlocks the SO PED Key, which in turn provides the SO authentication secret to the Luna G5 HSM.

If you fail three consecutive login attempts as Security Officer, the HSM is zeroized and cannot be used — it must be re-initialized.  Zeroizing destroys all key material.  When you successfully login, the counter is reset to zero.

Note:  If you present the wrong type of PED Key - a black or red key when a blue key is called for, for example - the PED merely tells you to try again, and no bad login attempt is reported. However, if you present the wrong PED Key of the correct type, OR you present the correct PED Key but the wrong PED PIN (the [optional] multi-digit number that is input from the PED keypad) then that IS recorded as a bad login attempt and the counter is incremented.

If you are not sure that you are currently logged in as Security Officer, perform an ‘hsm login’.

Second, Create the Partition

1. Have the Luna PED connected and ready (in SCP or Local mode and "Awaiting command...").

2. In a terminal window (DOS command-line window in Windows), go to the LunaG5 directory and start the lunacm utility:
lunacm:>

3. Log in as SO (the blue PED Key) with the lunacm command:
lunacm:> hsm login

4. Run the "partition create" command.

The following is an example of initialization dialog, with PED interactions inserted to show the sequence of events.

lunacm:> partition create
Please attend to the PED.
 

Luna PED asks preliminary setup questions before imprinting the black (Partition Owner/User) PED Key.

Slot 01
Setting user PIN...
Would you like to
reuse an existing
keyset?   YES/NO

 

5. If you say NO, Luna PED needs to know whether you wish to invoke M of N split-knowledge authentication for your partition and, if so, how many black PED Keys (M) must be presented to reconstruct the partition authentication secret. If you say YES (to reuse the secret already on an existing black PED Key), the M of N questions are skipped; see sub-step k below.

Slot 01
Setting user PIN...
M value? (1-16)
>00
 

a. Select "1" if you prefer to use a single black PED Key to access the partition, without M of N. Otherwise, enter the number of black-key holders who must always be present (with their PED Keys) to authenticate to the partition.

b. Next, Luna PED needs to know how big the set of "splits" (N) should be.

Slot 01
Setting user PIN...
N value? (1-16)
>00
 

c. Select "1" for N if you prefer a single black PED Key without M of N (no splitting of the secret takes place). Otherwise, enter the number of splits into which the secret is broken. N must be at least M and is usually larger, so that some of your black-key holders can be away (business travel, vacation, illness) while enough remain available to reconstruct the black-key secret when needed.

d. The PED now instructs you to insert a black PED Key to be imprinted with the partition authentication secret.

Slot 01
Setting user PIN...
Insert a USER /
Partition Owner
PED Key
Press ENTER
 

e. Next, you might present a factory-fresh black PED Key:

Slot 01
Setting user PIN...
**WARNING**
This PED Key is blank
Overwrite   YES/NO
 

Or a previously-used black PED Key - which could be one that you now want to overwrite with a new authentication secret, or one that is in current use for another HSM and has been mistakenly inserted.

Slot 01
Setting user PIN...
**WARNING**
This PED Key is for
USER/Partition Owner.
Overwrite ?  YES/NO
 

f. Answer YES or NO (press the appropriate button on the PED keypad):

NO if the PED Key already carries an authentication secret that must be preserved. The new partition is then imprinted to recognize the existing Partition User secret, so once creation is complete this black PED Key unlocks both the new partition and the previous partition(s) for which it carries that secret. Nothing on the key is changed.
YES if the PED should overwrite the key with a new, unique partition authentication secret (which is matched on the Luna G5 during this initialization). Overwriting a never-used key loses nothing; overwriting a key that holds the secret for another partition means that key can no longer access the other partition, only the new one. "YES" therefore means "do not reuse; overwrite the key now", so be sure that this is what you intend.

g. The PED wants to make very sure you are intentionally overwriting whatever was found on the currently inserted black PED Key.

Slot 01
Setting user PIN...
**WARNING**
Are you sure you
want to overwrite
this PED Key?  YES/NO
 

h. Say YES. The PED then prompts for a new PED PIN (optional; see the note on PED PINs above) and asks you to confirm it.

Slot 01
Setting user PIN...

Enter new PED PIN
*
Confirm new PED PIN

i. Once the black key has been imprinted with a new partition authentication secret from the HSM (or the HSM has accepted an existing secret that was already on the black key and applied it to the new partition), the PED asks:

Slot 01
Setting user PIN...
Are you duplicating
this keyset? (Y/N)

j. At this point you can say NO and keep only as many copies of that black-key secret as already exist (just the one if this is a newly generated secret), or say YES and be prompted to make as many copies of the current black PED Key as you wish. Most organizations' security policies require at least one backup copy, stored separately under the same physical controls as the original: without a copy, loss of the sole black PED Key (or of its PED PIN) locks you out of the partition permanently.

k. If instead you said YES to "reuse an existing keyset", the process is much more concise, as there are almost no choices to make:

Slot 01
Setting user PIN...
Insert a USER /
Partition Owner
PED Key
Press ENTER
 

and then:

Slot 01
Setting user PIN...
Are you duplicating
this keyset? (Y/N)
 

l. As in the other option above, if you already have enough copies of this black PED Key, say NO and continue the partition creation sequence. Otherwise, say YES for as long as you wish to keep making additional copies, then say NO when you are done.

m. Log in for the next part of the process:

Slot 01
User login...
Insert a USER /
Partition Owner
PED Key

and begin the final part of this sequence, which is assigning a Cloning Domain to the newly created HSM partition (so that its contents can be securely copied to another Luna HSM partition, for backup, for HA, or both). Objects can only be cloned between partitions that share the same Cloning Domain, so the domain you assign here bounds where this partition's keys can ever be copied:

Slot 01
Setting Domain...
Would you like to
reuse an existing
keyset?   YES/NO
 

n. You could use an existing Cloning Domain for this partition, perhaps one that is shared by a partition on another Luna G5 HSM, or perhaps the one that is used by the current HSM (causing the HSM and its Partition to share the same domain). If you prefer not to share an existing Domain, you go through the same options and prompts as for the black PED Key, above.

For this example, assume that the new HSM partition joins an existing Cloning Domain, so the PED prompts:

Slot 01
Setting Domain...
Insert a Domain
PED Key
Press ENTER
 

o. The PED returns to "Awaiting command..." and lunacm reports:

Command Result : No Error
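The M and N values asked for at step 5 define a split-knowledge threshold: any M of the N black PED Keys reconstruct the partition secret, and fewer than M give nothing. The following is an added illustration of that property, not the Luna PED's own implementation (the PED imprints and splits its secrets internally; this stand-alone Shamir secret-sharing model over a prime field, with the PRIME constant and the 1-16 bounds taken from the PED prompt, is an assumption used only to show why N must be at least M and why M-1 holders cannot recover the secret):

```python
"""Toy M-of-N split-knowledge model (Shamir secret sharing over GF(p)).

Added illustration of the M/N values chosen at step 5 of partition creation.
This is NOT the Luna PED's algorithm; it only models the property the PED
provides: any M of N splits rebuild the secret, M-1 splits reveal nothing.
"""
import secrets

# Assumption: a large prime field for the polynomial arithmetic.
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, modulo PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Split `secret` into n shares (x, y); any m of them reconstruct it.

    Mirrors the PED's constraints: 1 <= M <= N <= 16 (the PED prompts "(1-16)").
    With M = N = 1 there is no splitting: the single share carries the secret.
    """
    if not (1 <= m <= n <= 16):
        raise ValueError("need 1 <= M <= N <= 16")
    if not (0 <= secret < PRIME):
        raise ValueError("secret must lie in the field")
    # Random polynomial of degree M-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With at least M distinct shares this returns the secret; with fewer it
    returns a value unrelated to the secret (the degree is too low).
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of den via Fermat (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def threshold_check(secret, m, n):
    """Split, then report (recovered with M shares, recovered with M-1 shares)."""
    shares = split_secret(secret, m, n)
    with_m = reconstruct(shares[:m]) == secret
    with_fewer = m > 1 and reconstruct(shares[:m - 1]) == secret
    return with_m, with_fewer


if __name__ == "__main__":
    # Constructed sample secret; a real partition secret never leaves the HSM/PED.
    demo_secret = 0x1234567890ABCDEF
    for m, n in [(1, 1), (2, 3), (3, 5)]:
        print(f"M={m} N={n}: M shares recover={threshold_check(demo_secret, m, n)[0]}, "
              f"M-1 shares recover={threshold_check(demo_secret, m, n)[1]}")
```

The model makes the operational trade-off at step 5c concrete: raising N adds holders who can be absent without blocking access, while raising M raises the number who must be present and therefore the number of keys an attacker would have to steal.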

Third, Set/Change Partition Policies [Optional]

View the partition information, including Capabilities and Policies, to see if you need to change anything. Type:

lunacm:> partition show

 

Example output:

HSM Serial Number -> 65130
Token Flags ->
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_RESTORE_KEY_NOT_NEEDED
CKF_EXCLUSIVE_EXISTS
Slot Id -> 3
Session State -> CKS_RW_PUBLIC_SESSION
     Partition Capabilities
0: Enable private key cloning : 0
1: Enable private key wrapping : 0
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 0
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
14: Enable PED use without challenge : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
30: Enable Remote Authentication : 1
        Partition Policies
0: Allow private key cloning : 0
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 0
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
7: Allow secret key masking : 0
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
14: Challenge for authentication not needed : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
19: Max non-volatile storage space : 3
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
30: Allow Remote Authentication : 0
Command Result : No Error
lunacm:>
   

As an example of a change, you could type:

lunacm:> partition changePolicy -policy 16 -value 0

Policy 16 is "Operate without RSA blinding". In the listing above it is 1, meaning RSA private-key operations run without blinding; setting it to 0 turns RSA blinding on (the value is the inverse of the policy name). Blinding randomizes each RSA private-key operation so that its timing does not leak information about the key, at some cost in RSA throughput. Note the pairing of Capabilities and Policies in the listing: a policy can only be set to 1 where the corresponding capability is 1, and capabilities are set by the vendor rather than with changePolicy.
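Because policy names such as "Operate without RSA blinding" and "Ignore failed challenge responses" read as the inverse of the secure setting, it is easy to misread a listing. The following added example (not a SafeNet/Thales tool) parses the text that lunacm prints for "partition show", in the format of the listing above, and emits the "partition changePolicy" commands needed to reach a baseline. The sample input is an excerpt of this page's own example listing; the BASELINE values are illustrative assumptions for a hardened partition, not vendor recommendations, and should be replaced with your organization's own policy (for instance, policy 15 at 0 makes failed client challenges count toward the lockout, which also makes a misconfigured client able to lock the partition):

```python
"""Audit lunacm 'partition show' output against a partition policy baseline.

Added example, not part of the Luna client. It reads the plain-text listing
that lunacm prints for 'partition show' and prints the changePolicy commands
that would bring the Partition Policies in line with BASELINE.
"""
import re

# Excerpt of the example 'partition show' listing on this page (constructed
# sample input; names and values copied from that listing).
SAMPLE_OUTPUT = """\
HSM Serial Number -> 65130
Slot Id -> 3
     Partition Capabilities
1: Enable private key wrapping : 0
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
18: Enable raw RSA operations : 1
30: Enable Remote Authentication : 1
        Partition Policies
1: Allow private key wrapping : 0
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
18: Allow raw RSA operations : 1
30: Allow Remote Authentication : 0
Command Result : No Error
"""

# Assumed baseline: policy number -> (required value, reason). Illustrative only.
BASELINE = {
    1: (0, "private keys must not leave the partition by wrapping"),
    15: (0, "failed challenge responses must count toward the lockout counter"),
    16: (0, "0 = RSA blinding ON; blinding resists timing side channels"),
    18: (0, "no raw (unpadded) RSA operations"),
}

# "<number>: <name> : <value>", as printed in both listing sections.
LINE_RE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")


def parse_partition_show(text):
    """Return (capabilities, policies), each {number: (name, value)}."""
    caps, pols, current = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Partition Capabilities":
            current = caps
            continue
        if stripped == "Partition Policies":
            current = pols
            continue
        match = LINE_RE.match(line)
        if match and current is not None:
            current[int(match.group(1))] = (match.group(2), int(match.group(3)))
    return caps, pols


def audit(text, baseline=BASELINE):
    """Return (findings, commands) for the listing in `text`.

    findings: human-readable deviations from the baseline.
    commands: lunacm commands that would correct the correctable ones.
    """
    caps, pols = parse_partition_show(text)
    findings, commands = [], []
    for num, (want, why) in sorted(baseline.items()):
        if num not in pols:
            findings.append(f"policy {num}: not present in output")
            continue
        name, have = pols[num]
        if have == want:
            continue
        # A policy can only be switched on where the matching capability is on.
        if want == 1 and caps.get(num, ("", 0))[1] == 0:
            findings.append(f"policy {num} ({name}): want 1 but capability is 0")
            continue
        findings.append(f"policy {num} ({name}): is {have}, want {want} ({why})")
        commands.append(f"partition changePolicy -policy {num} -value {want}")
    return findings, commands


if __name__ == "__main__":
    found, cmds = audit(SAMPLE_OUTPUT)
    for f in found:
        print("FINDING:", f)
    for c in cmds:
        print("lunacm:>", c)
```

Run it against a saved copy of the real listing, review each finding against your application's needs (disabling raw RSA or wrapping breaks software that depends on them), and then type the emitted commands at the lunacm prompt while logged in as SO.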

Where to go next?

Having set up your Luna G5, you want to use it.

Either you have created an application of your own that can make use of an HSM, or you are using an existing third-party application. Examples are Microsoft server applications such as Certificate Services, IIS, ISA and RMS, which can perform their cryptographic functions in software, using local computer resources (CPU, memory, and hard disk) with the inherent security issues of software-held keys, or which can be configured to make use of an HSM like the Luna G5.

If you are using one of the indicated Microsoft products, you will need to install the Luna CSP software and then install the server application, or else re-configure an existing installation to make use of Luna CSP (which provides the bridge between the application and the Luna HSM).  

Another option is a Java-based application, in which case you should install the Luna JSP, which comes with Javadocs and sample code.