About SafeNet PCI-E HSM

The SafeNet HSM customer documentation uses "SafeNet PCI-E HSM" whenever it refers to either of the performance versions, SafeNet PCI-E HSM 1700 or SafeNet PCI-E HSM 7000, without needing to identify one version specifically. The two versions are so named because their tested performance at repetitive RSA 1024-bit signings per second (under laboratory conditions) was near one or the other of those numbers (1700 or 7000).

1024-bit RSA keys are outdated for most applications because of their small size. However, 1024-bit RSA signing has been the industry-standard way to convey application and HSM performance for many years, and it will continue to be used until an industry consensus is reached on an updated indicator.

HSM Basics

An HSM is a Hardware Security Module. An HSM stores cryptographic objects (keys, certificates, etc.), creates and destroys crypto objects, and performs cryptographic operations (encrypt, decrypt, sign, verify, wrap, unwrap) using those objects within the secure physical confines of the HSM - not exposed on a computer file system. The HSM also controls access to its contents and its functions.

The SafeNet PCI-E HSM Cryptographic Module is an HSM. Here are the basic elements common to SafeNet HSMs:

Volatile and Non-Volatile Data Storage

SafeNet HSMs can contain both volatile and non-volatile data:

Non-volatile data includes identification parameters and data objects (such as keys and certificates) that you wish to store for long-term re-use. Those objects persist on the HSM until you explicitly destroy or overwrite them.

Volatile data is any data that should not persist when it is not in use. Volatile (or session) data disappears when the HSM loses power.

The Card

The SafeNet PCI-E HSM 5 [K6] HSM card is designed to the PCIe 1.1 standard, for use in PCIe x4 slots. The HSM card can be used in larger connector slots (from x4 up to x16).

Some x16 slots are intended by the computer motherboard manufacturer to be used for video cards, and might not work correctly with SafeNet PCI-E HSM 5. The symptom is that, at start-up, the system detects a card in the slot, but the card does not respond as a video card, and so the system stops booting. This could happen to any non-video PCIe card inserted in such a slot. If you encounter a problem, try another available slot. Modern motherboards tend to support the PCIe 2.0 standard, which, when correctly implemented, is backward compatible with PCIe 1.1.

Each of the three major vendors of PCI bridge chips (including the one that we used) has known problems of performance, compatibility, or both. Due to the variety of systems and component combinations in the market, we are unable to test with all possible platforms. At the time that this Help was written we found greater incompatibility among server systems than among desktop/workstation systems. If you encounter a problem that is not solved by moving the SafeNet PCI-E HSM 5 card, contact SafeNet Technical Support -- e-mail: support@safenet-inc.com or phone 800-545-6608 (+1 410-931-7520 International).
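After moving the card to another slot, a practitioner would want to confirm from the operating system that it was enumerated and negotiated its full x4 link. The following Python is an added example and not code from the SafeNet documentation: it parses `lspci -vv` output and flags any device whose negotiated link width (LnkSta) is below what the device advertises (LnkCap). The sample output embedded in it is constructed; the bus addresses, the "EXAMPLE-VENDOR" name and the device class are placeholders, since the HSM's real PCI identifiers are not given on this page.

```python
"""Check from the host OS that a PCIe card was enumerated and negotiated its
full link width after a slot change.

Added example, not code from the SafeNet documentation. The `lspci -vv`
text below is a constructed sample; bus addresses, vendor name and
capability values are placeholders. On a live system, feed parse_links()
the real output of `lspci -vv`.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: device 04:00.0 negotiated its full x4 link, while
# device 05:00.0 trained down to x1 (for example, a slot wired for fewer lanes).
SAMPLE_LSPCI = (
    "04:00.0 Encryption controller: EXAMPLE-VENDOR HSM card (placeholder)\n"
    "\tSubsystem: EXAMPLE-VENDOR Device 0001\n"
    "\tCapabilities: [70] Express (v1) Endpoint, MSI 00\n"
    "\t\tLnkCap:\tPort #0, Speed 2.5GT/s, Width x4, ASPM L0s, Exit Latency L0s <4us\n"
    "\t\tLnkSta:\tSpeed 2.5GT/s, Width x4, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-\n"
    "05:00.0 Encryption controller: EXAMPLE-VENDOR HSM card (placeholder)\n"
    "\tSubsystem: EXAMPLE-VENDOR Device 0001\n"
    "\tCapabilities: [70] Express (v1) Endpoint, MSI 00\n"
    "\t\tLnkCap:\tPort #0, Speed 2.5GT/s, Width x4, ASPM L0s, Exit Latency L0s <4us\n"
    "\t\tLnkSta:\tSpeed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-\n"
)


@dataclass
class LinkInfo:
    address: str      # PCI bus address, e.g. "04:00.0"
    cap_speed: str    # advertised speed (2.5GT/s is PCIe 1.x, 5GT/s is PCIe 2.0)
    cap_width: int    # advertised lane count
    sta_speed: str    # negotiated speed
    sta_width: int    # negotiated lane count

    @property
    def downtrained(self) -> bool:
        """True when the link came up narrower than the card advertises."""
        return self.sta_width < self.cap_width


# A device header is a line that starts (no indentation) with a bus address.
DEVICE_RE = re.compile(r"^([0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s", re.M)
# LnkCap/LnkSta lines carry "Speed <n>GT/s, Width x<lanes>".
LNK_RE = re.compile(r"Lnk(Cap|Sta):.*?Speed ([\d.]+GT/s), Width x(\d+)")


def parse_links(lspci_output: str) -> List[LinkInfo]:
    """Return one LinkInfo per device that reports both LnkCap and LnkSta."""
    results: List[LinkInfo] = []
    headers = list(DEVICE_RE.finditer(lspci_output))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(lspci_output)
        chunk = lspci_output[m.start():end]
        fields: Dict[str, Tuple[str, int]] = {}
        for lm in LNK_RE.finditer(chunk):
            fields[lm.group(1)] = (lm.group(2), int(lm.group(3)))
        if "Cap" in fields and "Sta" in fields:
            results.append(LinkInfo(m.group(1), fields["Cap"][0], fields["Cap"][1],
                                    fields["Sta"][0], fields["Sta"][1]))
    return results


def downtrained_devices(lspci_output: str) -> List[str]:
    """Bus addresses of devices whose negotiated width is below their capability."""
    return [link.address for link in parse_links(lspci_output) if link.downtrained]


if __name__ == "__main__":
    for link in parse_links(SAMPLE_LSPCI):
        status = "DOWNTRAINED" if link.downtrained else "ok"
        print(f"{link.address}: cap x{link.cap_width} @ {link.cap_speed}, "
              f"negotiated x{link.sta_width} @ {link.sta_speed} -> {status}")
```

A card that is enumerated but narrower than advertised is worth re-seating or moving before assuming the slot is good; a card that does not appear in the list at all is the boot-time symptom the section describes.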

Power

Power consumption for the SafeNet PCI-E HSM card is rated at 12 Watts maximum, 8 Watts typical.

Partition

SafeNet PCI-E HSM is a versatile HSM capable of many roles. Part of that versatility is achieved by separating HSM management (the Security Officer or HSM Admin space) from HSM operation (the User or client). This is achieved by means of the HSM partition or virtual HSM within the physical HSM.

The owner of the partition:

can see and manage the contents of the partition, and

can enable or disable access by client applications as desired, entirely separately from the overall HSM management performed by the SO.

The SO:

can perform HSM updates/upgrades,

can modify operating parameters,

can deal with tamper events,

can create or destroy a partition, reset the authentication of an existing partition (when someone forgot his password or lost his PED Key, or someone has left the organization ... or been fired...),

can authorize the creation of a partition challenge secret, and

can perform other global operations without ever being able to see or touch the contents of the User/Owner's partition.

The roles are kept separate.

Initialization

SafeNet HSMs must be initialized before you can use them for the first time (or after an event, like too many consecutive failed login attempts on the SO account, which zeroizes the HSM). Initialization establishes several HSM parameters, including identification and authentication of HSM Security Officer (SO) and HSM Partition User who then have access to create and use HSM/Partition objects (keys, certificates, encrypted data, etc.). Once a SafeNet HSM is initialized, no one can access it unless they provide the passwords or keys that unlock that specific HSM or Partition. Initialization is meant to be performed only once on an HSM, and it erases any Authentication Data, and data or token objects contained on the token. Once the HSM is in use, be sure to avoid mistakenly initializing it again.

You can re-initialize a SafeNet HSM at any time (as SO). Re-initialization destroys all data on the token.

Note: On the other hand, until you put SafeNet PCI-E HSM into service with actual production data, keys, and certificates on it, you can re-initialize it and practice with a variety of optional settings, as many times as you wish.

Many applications from PKI and other cryptographic product vendors do not include the capability to initialize a SafeNet HSM, so SafeNet supplies the lunacm utility program on all supported platforms to perform that function and other maintenance functions.

Your SafeNet PCI-E HSM Cryptographic Module or HSM is shipped in a pre-initialized state, as part of the factory quality assurance process. However, in that state the HSM is not associated with Security Officer [SO] or User Authentication Data, and is not ready to receive or to create and store objects. You must perform a one-time initialization procedure with the lunacm utility before the HSM can operate with an application program.

Sessions and Authentication

When you access a SafeNet HSM or HSM Partition, by providing the passwords (Password Authentication versions) or the PED Keys (Trusted Path Authentication versions), you open a session. That session remains open until you (or your application) explicitly close it.

Removing power from a SafeNet HSM immediately closes all sessions and causes all volatile data to disappear.

Your application program might not be capable of logging into SafeNet PCI-E HSM, on its own. If not, then the program expects to encounter the HSM already in a logged-in state. For SafeNet PCI-E HSM to operate with such an application, you must log into the token with the lunacm utility. Find it in your LunaPCI directory, following installation. Every time you reboot your computer, you are required to log into the HSM with the lunacm utility before you can resume using SafeNet PCI-E HSM with your application, unless you have invoked Autoactivation.

SafeNet PCI-E HSM Physical Appearance and Features

Feature   Description
a         K6 main board
b         Daughter board
c         Battery for Real Time Clock (RTC) and NVRAM
d         Header for Tamper2 (indicated as JP3 on the board), or the "decommission" circuit - closing/shunting those pins causes the KEK and any cached data to be erased.
          [ If used, this is intended to be wired to a normally-open switch, accessible outside the host computer. Such a switch should be shielded/shrouded to prevent accidental activation. To ship the SafeNet PCI-E HSM 6.x HSM to SafeNet (or other recipient) with assurance that your crypto objects cannot be recovered by anyone, just shunt this header momentarily, or touch a screwdriver blade to both pins simultaneously - the "decommission" action occurs instantly. ]
e         Header for Tamper1 (indicated as JP2 on the board), the physical tamper circuit - closing/shunting those pins, or closing a connected switch, causes a tamper event and destroys the MTK, the Master Tamper Key that encrypts everything on the HSM.
          [ If used, this pin pair would usually be wired to a chassis switch that is held open when the lid or panel is in place. Opening the lid or panel would close the switch and tamper the HSM. ]
f         Serial connector - not for customer use
g         PED port - same as the externally available PED port "m", below
h         Indicator LED D1 [ERROR] - glows red when the HSM is in an error state or system HALT
          [ when the HSM senses a tamper of any type, or upon start-up if the HSM cannot initialize the dual-port communication between itself and the host computer ]
i         Indicator LED D2 [ACTIVE] - glows or flickers green when the HSM is active
j         PCIe x4 card-edge connector - can be inserted in any PCIe 4-channel (or larger) socket
k         USB connector (for connection to a backup HSM or a SafeNet DOCK 2 reader - appears as "Tunnel Slot" in the LunaCM slot listing)
l         PED port - connect a SafeNet PED 2 PIN Entry Device, which reads and imprints iKey PED Keys (a "something you have" authentication factor) that carry primary authentication for the HSM and HSM partitions; it also provides a keypad interface for PED Key operation and for an additional, optional "something you know" authentication factor. Use a SafeNet-supplied PED cable.

Developing a security plan and associated procedures

Not every application environment will require rigorous security and paper-trail management with respect to HSMs and their contents. However, in high-security environments where security and process auditing are mandated, you might be required to refer to a history of any sensitive materials and any systems associated with them -- who had access, what they did, and when they did it. Rehearse everyday operational activities, as well as maintenance and update activities (Authentication Data [password] update cycles, personnel changes, backups, logging), before implementation in your live environment.

Have all secure physical storage sites and all the related handling procedures prepared in advance. Log your receipt of the SafeNet hardware and then log all storage and handling events thereafter. In an operational environment, you should be able to refer back to a complete “paper trail” – an unbroken record that tracks the existence, storage, handling, and all transitions/hand-offs experienced by each token/HSM that you ever use. Once you take possession, never allow yourself or your organization to lose track, even briefly, of any of your HSMs. If your environment includes auditing, your security auditors will require such a record.
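One way to keep the unbroken record this section calls for in a form where a missing or altered entry is detectable. The Python below is an added example and not part of the SafeNet documentation: each custody event (receipt, storage, hand-off) is hashed together with the hash of the previous entry, so `verify()` recomputes the chain from the first receipt and reports the first entry that no longer fits, and `history()` answers the "who had it, and when" question for one HSM. The serial number, names and timestamps are constructed placeholders.

```python
"""Hash-chained custody log for HSM handling events.

Added example, not part of the SafeNet documentation. Serial numbers,
actors and timestamps are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash: str, entry: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        # Each entry: seq, ts, hsm_serial, event, actor, prev (hash of previous entry), hash
        self.entries: List[Dict] = []

    def append(self, hsm_serial: str, event: str, actor: str, ts: Optional[str] = None) -> str:
        """Record one handling event and return its chain hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "hsm_serial": hsm_serial,
            "event": event,
            "actor": actor,
            "prev": prev,
        }
        entry["hash"] = _entry_hash(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every link from GENESIS; return (ok, first bad sequence number)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _entry_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def history(self, hsm_serial: str) -> List[Tuple[str, str, str]]:
        """(timestamp, actor, event) for every recorded transition of one HSM."""
        return [(e["ts"], e["actor"], e["event"]) for e in self.entries
                if e["hsm_serial"] == hsm_serial]


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Build a three-event record, then alter one entry after the fact."""
    log = CustodyLog()
    serial = "HSM-SN-EXAMPLE-0001"  # constructed placeholder
    log.append(serial, "received from carrier, shipping seal intact", "alice", "2024-01-15T09:00:00+00:00")
    log.append(serial, "placed in safe A", "alice", "2024-01-15T09:10:00+00:00")
    log.append(serial, "handed to bob for installation in server 7", "alice", "2024-01-16T14:00:00+00:00")
    ok_before, _ = log.verify()
    log.entries[1]["actor"] = "edited-later"  # simulate an after-the-fact change
    ok_after, first_bad = log.verify()
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

Removing an entry is caught the same way, because the next entry's sequence number and `prev` hash no longer match; for a log kept over years, periodically publishing the latest chain hash to a second, independently controlled place is what stops the whole chain from being rewritten at once.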