|
Home > |
|---|
A SafeNet PED is required to authenticate to an HSM that requires PED (Trusted Path) Authentication.
The requirement for Trusted Path Authentication, as opposed to Password Authentication, is part of the specific model of HSM, as configured at the factory (the one exception is the SafeNet Backup HSM, which configures itself, at backup time, as either Password-authenticated or PED-authenticated, depending on the type of primary HSM it is backing up).
Figure 1: PED (2.x) front view
Figure 2: PED top view
HSM firmware version 6.24.0 introduces a change in how ongoing PED operations interact with cryptographic operations requested simultaneously.
PED operations interrupt other operations occuring at the same time on the HSM. The HSM waits for a PED operation to complete before processing requests for other operations. This can cause delays in production.
PED operations no longer interrupt other operations occurring at the same time on the HSM in most cases. The most beneficial effect is that PED operations acting on a partition no longer block operations occurring on other partitions on the same HSM. For example, you can now create new partitions or backups while running cryptographic operations on a separate partition. In this way, you can perform maintenance and configuration on your HSM without interrupting important client applications. PED operations might still block cryptographic operations occurring on the same partition, especially high volumes of write object requests.
PEDs are generally unit-interchangeable (with limitations within the version range, PED 2.x, see table), and more specifically interchangeable within the same PED-firmware version. That is, if a SafeNet PED with a given firmware supports your current operation with your current HSM version, then any SafeNet PED with the same, or newer, firmware can replace it.
Note: Exception - If you are using the Remote PED feature, only another PED with Remote capability can support that operation, regardless of firmware version.
Newer PED firmware versions are compatible with HSM versions shown in their row in the table, and backward compatible with any earlier HSM that requires a version 2.x PED.
| PED firmware version |
Local PED operation and Remote PED capable |
PED-mediated |
Field update-able |
Audit User (white PED Key) |
Small Form- factor Backup |
PED version is feature-compatible with SafeNet HSM firmware version(s) |
|---|---|---|---|---|---|---|
| 2.2.0 | Yes | No | No | No | No | SafeNet HSM 4, f/w 4.x |
| 2.4.0-3 | Yes | Yes | To 2.5.0 | No | No | SafeNet 5.0, f/w 6.0.8 SafeNet 5.1.x, f/w 6.2.1 |
| 2.5.0-3 | Yes | Yes | To 2.6.0 | Yes | No | SafeNet 5.2, f/w 6.10.2 SafeNet 5.3.1 f/w 6.20.0 |
| 2.6.0-6 | Yes | Yes | Yes | Yes | Yes |
SafeNet 5.4, f/w 6.21.0 |
PED firmware 2.2.0 is mentioned in the table above because many customers who first bought SafeNet HSM 5.0 were already in possession of older PEDs since they already had earlier SafeNet HSMs (f/w 4.x). SafeNet HSM 5.0 needed PED f/w 2.4.0-3 to access all functions.
PED firmware 2.5.0-3 or newer is suitable for all local and remote authentication and is required for some PED-mediated features added since SafeNet HSM 5.0.
PED firmware 2.6.0-x, available as a field upgrade or on newly-purchased PEDs, supports SafeNet Small Form-Factor Backup - a completely separate function mediated by SafeNet PED, and using different USB tokens - and also supports all previous PED 2.x authentication functions.
In this current discussion, we ignore SFF Backup, and focus on the HSM authentication function of SafeNet PED. The authentication information for your HSM roles is contained on the PED Key, and SafeNet PED is the device that provides the interface so that authentication data can pass between PED Key and HSM (see About PED Keys).
The keypad on the PED is used to acknowledge prompts (on the PED screen) and to optionally input a "something you know" additional secret, called a PED PIN (see What is a PED PIN?) to augment the "something you have" secret contained in the PED Key.
A locally-connected PED is powered by its connection to the HSM.
That connection - directly between the PED and the HSM card inside the host - bypasses your computer bus and the computer bus of the HSM host (if separate). It is the only data path between the HSM and the PED and therefore is considered much more secure (trusted) than any authentication path that passes through the appliance's computer data paths. The Trusted Path cannot be monitored by any software (whether authorized by you or not) on your administrative or client computer. Also, because you use the PED Keypad to input the optional PED PIN password (to unlock the secret that, in turn, unlocks your HSM see What is a PED PIN?), nothing is typed on a computer keyboard. No virus, trojan, spyware, remote-session software or other method can be used to acquire those secrets, because they never pass through the normal computer data pathways, never reside in computer memory or on disk.
With HSM appliances and host computers often tucked away in server farms, which are frequently run as "lights-off" facilities with the minimum possible human intervention, the PED cannot always be conveniently connected directly to the HSM. Instead, a callback server arrangement (Remote PED) uses a SafeNet PED connected to a separate computer, at a convenient location, to serve PED interactions over a network connection. The connection is strongly secured and, like the direct connection, prevents unauthorized persons from gaining access to the authentication data. A Remote PED does not have the direct connection to an HSM to provide power; it uses a USB connection for data exchange, which might not provide sufficient stable power for operation. Therefore a PED used in Remote mode also needs a dedicated power connection via the provided power block.
For both local and remote PED use, the only way for another person to discover a PED PIN password while you are inputting it is if you allow that person to observe while you use the PED keypad.
You need to use the PED whenever you perform any action with the HSM that causes it to look for authentication (with some exceptions, see below). For example, using the shell (lunash on SafeNet Network HSM) or Lunacm (for any SafeNet HSM) you might login as Security Officer, login as User, or initialize the HSM. When the HSM receives such a command, it requests the appropriate data from the PED - or in the case of initialization, the HSM might send data to the PED.
Therefore, you should have the PED connected and in its ready state ("Awaiting command...") when you issue a command that invokes the PED. One MDSM connector attaches to the matching connector on the HSM or appliance, and the other MDSM (Micro-D Sub-Miniature) connector attaches to its matching connector on the top of the PED (tighten the connector screws if you intend to leave the PED connected; this makes the most reliable connection and provides strain relief to the cable-connector junction during handling of the device).
If you are using the Activation/autoActivation feature then, after authentication, the data is cached on the HSM, where it remains until you deactivate or you remove power to the HSM. In that case, once the authentication is performed, you can disconnect the PED and store it until the next time it is required.
If you are not using activation, then authentication data is not cached and every time you or your client application needs access to the HSM, the HSM will look to the PED, which must remain connected.
For Remote PED connections, the MDSM connector is not used, and power and USB connections are used instead.
As soon as it receives power from a connection to a powered HSM, or from the supplied power block if you are using Remote PED, the PED performs its start-up and self-test routines and then goes to its normal operating mode, displaying the prompt "Awaiting command...". The PED is ready for use in Local mode, by default.
There are three things that you can do with the PED at this point:
•Wait for a prompt, which results when a program has caused the HSM to request authentication
•Change to the Remote Mode (which expects encrypted commands from a computer USB connection, where you would be running Pedserver, rather than from a direct PED-HSM connection)
•Perform standalone PED operations.
To perform prompted actions, just do what is asked on the PED screen. Normally the prompts are:
•Insert a PED Key
•Press "YES", "NO" or "ENTER" on the keypad
Insert and remove appropriate PED Keys, type numeric passwords (PED PINs) when requested, and so on. The particular sequence depends upon the operation that the HSM needs at the time, which in turn depends on the command-line administrative operations that you are performing (with lunacm, lunadiag, multitoken, or other SafeNet utilities), or operations triggered by your applications.
The operations Initializing a PED-Authenticated HSM and Prepare to Create a Partition (PED Authenticated) are described elsewhere in this documentation.
In normal practice, you would perform initial configuration operations one time before placing the unit in service, then perform only monitoring and occasional maintenance thereafter. See the table below for a simple breakdown of the normal tasks and if/how the PED and PED Keys might apply.
| Situation | Needs | Action with PED and PED Keys |
|---|---|---|
|
Setup/configuration |
Blue, red and black PED Keys and PED. Optionally a purple PED Key, if you or someone invoked Secure Transport Mode, and an orange PED Key if an RPK was already created, and you are performing these actions remotely. |
You perform the HSM initialization, possibly create Partition Groups with other HSMs, set up a redundant, load-sharing HA group with other SafeNet HSMs. This is the kind of chore you must perform before first putting the unit into "production", and then might never need to do again. The PED Keys are required at several stages, as well as the PED. |
|
Occasional Maintenance of HSM |
Appliance admin password, blue and black PED Keys, possibly the red if you need to initialize a new cluster member, and the PED. Network connection to the appliance. |
Add and remove cluster members, modify number and assignment of Partitions/Groups, enable and disable... you might need some or all PED Keys for authentication, depending on the activity. |
|
Client access to their assigned HA group partitions |
Clients need their own authentication that is set up before client applications are launched to use a partition or an HA group virtual partition; no PED Key or PED required, but you need the Crypto Officer and/or Crypto User challenge secrets. |
None. You would normally have activated the individual HSM or (in case of HA) the HA-group members (in other sections of this table), and put the PED and PED Keys away in safe storage. They aren't needed in ongoing operation. |
|
PED Key administration |
A PED and whichever PED Keys you wish. You can connect to any SafeNet HSM that has the proper connector - this is to power the PED only. Alternatively, you can use the PED power supply kit provided with Remote PED, and not need any HSM connection. |
While you can perform some PED Key admin during HSM operations (mentioned elsewhere), you can also just power up the PED, go to Admin mode (instead of the default "Local PED" mode), and perform actions like creating duplicates of your existing, imprinted PED Keys. No HSM access is required. See the next section on this page (below) for more detail. |
You can perform some operations on PED Keys without going through the HSM.
1.Press the "<" key to exit from Local PED mode.
2.Press "4" to enter Admin mode.
3.In Admin mode,
options are 1 PED Key or 7 Software Update. (The software update function is
rarely used and requires that you be sent a PED software file from SafeNet,
along with directions about how to use it. Therefore, we'll assume that
you are selecting "1 PED Key", which brings the PED to PED Key
mode.)
Press "1".
4.To perform an operation on a particular PED Key, insert that PED Key into the PED Key connector on top of the PED.
5.PED Key mode has an option "1" to login to that PED Key, which applies to models other than iKey 1000 PED Keys - just press "1" to get to the next menu, if you are using iKey 1000 PED Keys, which do not need login.
6.At the PED Key Mode menu you have options to Login (which you have just done, but the prompt is available in case you might wish to login to a different PED Key) , Logout, or Duplicate the PED Key. Only the "Duplicate" option is meaningful for your iKey 1000 PED Key. To duplicate the contents of the currently connected PED Key to another (blank or re-used) PED Key, press "7" on the PED keypad.
7.When prompted, insert a blank target PED Key, or a non-blank whose data is no longer needed, and press ENTER.
8.If data already
exists on the target PED Key, you are warned and required to press YES
two times, to confirm that you really do wish to overwrite whatever is
on the PED Key that is currently connected to the PED.
If the source PED Key had an optional PED PIN assigned, then that PED
PIN is automatically applied to the duplicate during this process.
9.Remove the newly imprinted PED Key and press ENTER. The PED goes back to "PED Key mode" awaiting further commands. If you wish to duplicate another PED Key, repeat the above steps. Otherwise, press "<" to go back to "Admin mode", and press "<" again to reach the main menu, and finally press "1" to resume "SCP mode", which is the normal operating mode of the PED, awaiting commands from the connected HSM.
10.Identify the new PED Key with a tag or other marker, and record a PED PIN (if any) in secure fashion, according to your security policies.
The PED will not perform a standalone copy operation (that is, without an HSM) of a purple PED Key. This is a security feature. You can copy a purple PED Key (just like any other PED Key for any other HSM role or function) during an imprinting operation controlled by a SafeNet HSM. Because purple PED Keys are specific to a single HSM, no other HSM can share a purple key or make a copy. The PED refusal to make standalone copies of purple keys is just an additional barrier to anyone wanting to attack an HSM that has been placed in Secure Transport Mode.
The Remote PED 2 functions as described earlier, when it is in Local or Admin mode. However, when it is placed in Remote mode, it is capable of setting up a secure connection, via a specially-configured computer workstation, to a remotely located HSM. The remote functionality is described separately at About Remote PED.