|
Home > |
|---|
For any role on a Luna HSM, the HSM keeps a count of failed login attempts, and applies rules that determine the action to take if the number reaches a threshold. For each role, a successful login resets the count.
| Role | Bad-login count threshold |
Action after threshold is reached |
|---|---|---|
| HSM Administrator / SO | 3 (non-adjustable) | All HSM contents become unrecoverable. [Note 1] |
| Application Partition SO [Note 2] | 10 (default, can be lowered by partition policy number 20, cannot be raised above 10; policy setting applies to all three roles - they cannot be adjusted individually) |
The role is locked out for 10 minutes; the duration is not modifiable. No effect on partition contents. |
| Crypto Officer | ||
| Crypto User | ||
| [Note 1 : This is equivalent to "zeroizing", as the HSM's Key Encryption Key is destroyed, leaving all objects in the HSM permanently unrecoverable. The HSM must be re-initialized (destroying all partitions and wiping all contents) before it can be used again. Recovery, if any, must come from restoring existing backups after re-initialization.] | ||
| [Note 2 : The Application Partition SO exists only for PPSO partitions. If the Application Partition SO exists, that role controls policy settings for the application partition and the HSM SO is not able to see or change partition policies. If the Application Partition SO does not exist (legacy partition type) then the HSM Administrator / SO controls the partition and can see and change partition policies.] |
||
If you fail three consecutive login attempts as HSM Security Officer, the HSM contents are rendered unrecoverable. This is a security feature (you DO have your important material backed up, don't you?) meant to thwart repeated, unauthorized attempts to access your cryptographic material. The number is not adjustable. Please note that the system must actually receive some erroneous/false information before it logs a failed attempt -- if you merely forget to insert a PED Key (for PED-authenticated HSMs), or insert a wrong-color PED Key, that is not counted as a failed attempt. For a password-authenticated HSM, if you just press [Enter] with no characters, that is not counted. However, any number of characters more than zero, followed by [Enter] is counted as a bad attempt.As soon as you successfully authenticate, the counter is reset to zero.
The same security feature applies to Owner logins/activations, with some differences:
Multiple failed attempts at the user or client level affect only the HSM Partition, and not the entire Luna HSM.
The HSM Admin (or Security Officer) can set the number of failed login attempts that trigger the feature (default is 10).
The configurable policy “SO/HSM Admin can reset User PIN” [HSM policy #15] allows you to control the outcome of too many consecutive bad authentication attempts. If the policy is “on” then the outcome is that the HSM Partition is locked out. This means that the Partition and its contents can be accessed again after the HSM Admin resets the HSM Partition Owner’s password. If the policy is “off”, then the partition is zeroized after too many bad attempts – meaning that all contents are lost and the partition must be recreated.
“Ignore failed challenge responses” can be set, which ensures that failed HSM Partition Password attempts do not cause the “failed login attempt” counter to increment.
If you are using the Crypto Officer / Crypto User model, the two IDs have their own independent "failed challenge response" counters. By default, each of Crypto Officer and Crypto User can make up to 10 consecutive attempts with an incorrect Password without triggering consequences on the Partition.