Enable private key cloning
|
Allow private key cloning
|
depends
|
If this is allowed, the private keys on the partition may be backed
up, the HSM Admin can turn this feature on or off. The value of this capability
depends on the HSM capability and policy “Enable cloning”. If this is
not allowed, private keys on this partition cannot be backed up and the
HSM Admin may not change this. Partition backup or partition network replication
is allowed for the SafeNet high availability feature.
|
Enable private key wrapping
|
Allow private key wrapping
|
depends
|
If this is allowed, private keys on the partition may be wrapped, and
the HSM Admin can turn this feature on or off. If not allowed, private
keys on the partition may not be wrapped off. This value is always set
to Disallowed for all partitions on a SafeNet HSM.
|
Enable private key unwrapping
|
Allow private key unwrapping
|
depends
|
If this is allowed, private keys may be unwrapped onto the partition,
and the HSM Admin can turn this feature on or off. If not allowed, private
key unwrapping is not available, and the HSM Admin cannot change this.
|
Enable private key masking
|
Allow private key masking
|
depends
|
If this is allowed, keys on the partition can use Scalable Key Storage and the HSM Admin
can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. The value of this capability depends
on the HSM capability and policy “Enable masking”. If this is not allowed,
this partition cannot participate in Scalable Key Storage, and the HSM Admin cannot change
this.
|
Enable secret key cloning
|
Allow secret key cloning
|
depends
|
If this is allowed, secret keys on the partition can be backed up, and
the HSM Admin can turn this feature on or off. (i.e. the HSM Admin may
only wish to turn this feature on immediately before a scheduled backup,
and then turn it off again to prevent unauthorized backup.) If this is
not allowed, secret keys cannot be backed up, and the HSM Admin cannot
change this. Partition backup or partition network replication is allowed
for the SafeNet high availability feature.
|
Enable secret key wrapping
|
Allow secret key wrapping
|
depends
|
If this is allowed, secret keys can be wrapped off the partition, and
the HSM Admin can turn this feature on or off (i.e. the HSM Admin may
wish to not allow secret key wrapping, in which case he/she would set
the corresponding policy to “no”). If this is not allowed, the partition
does not support secret key wrapping and the HSM Admin cannot change this.
|
Enable secret key unwrapping
|
Allow secret key unwrapping
|
depends
|
If this is allowed, secret keys can be unwrapped onto the partition,
and the HSM Admin can turn this feature on or off. If this is not allowed,
the partition does not support secret key unwrapping and the HSM Admin
cannot change this.
|
Enable secret key masking
|
Allow secret key masking
|
depends
|
If this is allowed, secret keys on the partition can use Scalable Key Storage, and the
HSM Admin can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. If it is not allowed, the partition
does not support Scalable Key Storage.
|
Enable multipurpose keys
|
Allow multipurpose keys
|
depends
|
If this is allowed, keys on the partition may be created for multiple
purposes such as signing and decrypting, and the HSM Admin can turn this
feature on or off. If not allowed, keys created on (or wrapped onto) the
partition must be for single function only. (i.e. specify only one function
in the attribute template).
|
Enable changing key attributes
|
Allow changing key attributes
|
depends
|
If this is allowed, non-sensitive attributes of the keys on the partition
are modifiable (i.e. the user can change the functions that the key can
use), and the HSM Admin has the ability to turn this feature on or off.
If not allowed, keys created on the partition cannot be modified. This policy affects the following "key function attributes": CKA_ENCRYPT CKA_DECRYPT CKA_WRAP CKA_UNWRAP CKA_SIGN CKA_SIGN_RECOVER CKA_VERIFY CKA_VERIFY_RECOVER CKA_DERIVE CKA_EXTRACTABLE All other attributes are not controlled by this policy.
|
Allow failed challenge responses
|
Ignore failed challenge responses
|
depends
|
If this is allowed, failed challenge responses (HSM Partition Passwords)
will not increment the counter for X consecutive bad login attempts, and
the HSM Admin can turn this feature on or off. If not allowed, failed
challenge responses (HSM Partition Passwords) will increment the failed
login counter. This capability/policy only pertains to HSMs that use the SafeNet PED for authentication. (The policy name is slightly different from
the capability name – if the policy is on, failed challenges are ignored,
which is the same as if the capability is allowed.)
|
Enable operation without RSA blinding
|
Operate without RSA blinding
|
depends
|
If this is allowed, the partition may run in a mode that does not use
RSA blinding (Blinding is a technique that introduces random elements
into the signature process to prevent timing attacks on the RSA private
key. Use of this technique may be required by certain security policies,
but it does reduce performance.) and the HSM Admin can turn this feature
on or off. If feature is disallowed, the partition will always run in RSA blinding
mode; performance will be lower than SafeNet published performance. (The
policy name is slightly different from the capability name - if the policy
is on, RSA blinding is not used, which is the same as if the capability
is allowed.)
|
Enable signing with non-local keys
|
Allow signing with non-local keys
|
depends
|
If this is allowed, keys that have been wrapped onto the partition may
be used (trusted) for signing, and the HSM Admin can turn this feature
on or off. If moving keys from software to hardware, this capability must
be allowed, and the corresponding policy must be set 'on', or the keys
will not be able to perform signing. If not allowed, only keys that were
created locally (on the hardware) can be used for signing.
|
Enable raw RSA operations
|
Allow raw RSA operations
|
depends
|
If this is allowed, the partition may allow raw RSA operations (mechanism
CKM_RSA_X_509), the HSM Admin can turn this feature on or off. If not
allowed, the partition will not support raw RSA operations.
|
Max failed user logins allowed
|
Max failed user logins allowed
|
depends
|
The number in the capability indicates the maximum number of consecutive
failed user logins allowed, as set by the partition policies. The HSM Admin
can set the corresponding policy to a value less than or equal to the
capability value. (i.e. if the capability shows 15, the policy can be
set to [1-15], although setting it to a really low number is not recommended.)
|
Enable high availability recovery
|
Allow high availability recovery
|
depends
|
If this is allowed, another partition that is in high availability mode
with this partition may be used to restore login state to this partition
after power outage or other deactivation, and the HSM Admin may turn this
feature on or off. If not allowed, this partition does not support the
SafeNet high availability feature.
|
Enable activation
|
Allow activation
|
depends
|
If this is allowed, PED Key data for the partition may be cached so
subsequent logins do not require PED Keys, and the HSM Admin may turn
this feature on or off. If not allowed (or if the policy is turned off)
PED Keys must be presented at each login (whether the call is local or
from a client application.) This policy only applies to partitions on
HSMs that use the SafeNet PED for authentication.
|
Enable auto-activation
|
Allow auto-activation
|
depends
|
If this is allowed, PED Key data for the partition may be semi-permanently
cached to hard disk (encrypted) so that the partition activations status
can be maintained after a short power loss, the HSM Admin can turn this
feature on or off. If power stays off more than a few minutes, the key
that was used to encrypt the data cached to hard disk is no longer valid,
so authentication cannot be re-instated. If this capability is not allowed,
the partition does not support auto-activation. This policy only applies
to partition on HSMs that use the SafeNet PED for authentication
|
Minimum pin length (inverted: 255 - min)
|
Minimum pin length (inverted: 255 - min)
|
yes
|
The minimum pin length value is determined as follows. Since a policy
can only be set to values that are lower (or equal to) the value in a
capability, if the min pin length capability was set to 7, the policy
could be set to 2, which is a less restrictive policy. This is not acceptable.
So, to keep all capabilities consistent, the value of this capability
must be interpreted. The formula to use is: (max pin) - (min pin) = (capability value) If the minimum pin length capability is set to 248, and the maximum pin
length capability is set to 255, the minimum pin is (255) - (min pin) = 248 -->
solving for min pin --> (min
pin) = 255 - 248 --> min pin is --> 7 The administrator can set the policy to select a new, more restrictive
minimum pin length. Continuing with the example above, assume the administrator
wants to set min pin length to 10 to force better password selection.
Solve for policy value in the following formula: (max pin) - (min pin) = (policy value) -->
substituting --> 255
- 10 = (policy value) -->
solving for policy value --> policy value is 245 To set the minimum pin length to 10, the HSM Admin would change the min
pin length policy to 245. Thus, the HSM Admin would select a number less than the capability (245
is less than 255) to set the minimum pin length to a greater value.
|
Maximum pin length
|
Maximum pin length
|
yes
|
The value here is the maximum value for the pin length. This value is
used in calculating the minimum pin length, and the value in the maximum
pin length policy must always be greater than the value in the minimum pin
length policy.
|
Enable Key Management Functions
|
Allow Key Management Functions
|
yes
|
The HSM Admin or Security Officer can disable access to any key management
functions by the user - all users become "Crypto-Users" (the
restricted-capability user) even if logged in as "Crypto-Officer".
|
Enable RSA signing without confirmation
|
Perform RSA signing without confirmation
|
yes
|
The HSM can perform an internal verification (confirmation) of a signing
operation, in order to validate the signature. By default, that confirmation
is disabled because it has a performance impact on signature operations.
|
Enable Remote Authentication (*)
|
Allow Remote Authentication
|
yes
|
Controls whether the Remote Authentication features can be used at the
Partition level ("partition activate" and "partition restore")
on a remote SafeNet Network HSM.
If this option is switched off but the HSM-level capability is on, then
the only Remote Administration tasks that you could perform would be those
requiring "hsm login" - no partition-level remote operations. (* Deprecated - Remote Admin and Remote Authentication no longer supported.)
|
Enable private key unmasking |
Allow private key unmasking |
Yes |
Remove encryption with AES 256-bit key from private key |
Enable secret key unmasking |
Allow secret key unmasking |
Yes |
Remove encryption with AES 256-bit key from secret key |
Enable RSA PKCS mechanism |
Allow RSA PKCS mechanism |
Yes |
Enables and disables PKCS #1 v1.5 |
Enable CBC-PAD (un)wrap keys of any size |
Allow CBC-PAD (un)wrap keys of any size |
Yes |
|
Enable private key SFF backup/restore |
Allow private key SFF backup/restore |
Yes |
Small Form-Factor backup/restore is a cloning operation between the current partition and an SFF token. Allow or disallow private keys to be cloned between the partition and the SFF token. |
Enable secret key SFF backup/restore |
Allow secret key SFF backup/restore |
Yes |
Small Form-Factor backup/restore is a cloning operation between the current partition and an SFF token. Allow or disallow secret keys to be cloned between the partition and the SFF token. |
Enable Secure Trusted Channel |
Force Secure Trusted Channel |
Yes |
Enable the use of Secure Trusted Channel (STC) for the partition. If this is enabled, you have the option to require STC for the current partition, or not. |