Home > |
---|
(This page is background information that might help make some operations more obvious.)
After the first-ever SafeNet HSM, all succeeding generations have included both password-authenticated and PED-authenticated variants. This page describes how the current-generation PED-authenticated HSMs (firmware 6.x) interact with SafeNet PED and PED Keys, particularly during initialization - a time when important decisions are made. Other pages describe the PED and PED Keys. This is more about flow.
The diagram shows how the components are affected as you make choices during an initialization [ this sequence depicts events and choices if you initialize a new, factory-fresh HSM, or one on which you have recently run "hsm factoryReset"; as well the process would be very similar for creation of a partition ]. This flow depicts the SO / HSM Admin secret, but the interactions for other secrets follow the same pattern.
When you issue the "hsm init" command at the command-line, the HSM generates a secret, then turns over control to the SafeNet PED.
The first question from the PED is whether you wish to "Reuse" an existing SO / HSM Admin authentication secret (the same logic applies to the other PED Keys, so we use just the blue key in this example). This means that you have a blue PED Key from another HSM, or you have a blue PED Key from a previous initialization of this HSM. The PED is asking if you wish to import the secret from that key onto the HSM. The options at this point are:
a) you have only fresh blank PED Keys that have not been used previously with any HSM (No - do not reuse)
b) you have a previously used PED Key, but the secret it contains is not one you wish to preserve or re-use (No - do not reuse)
c) you have a previously used PED Key, with a secret from this HSM, and you don't mind reusing it (Yes - reuse)
d) you have a previously used PED Key, from another HSM, and you wish to reuse it so that the blue key can unlock both the current HSM and the other HSM. (Yes - reuse)
These options also apply to any other key color when they are being imprinted. If you elect to reuse the content of an existing key, then the secret that the current HSM generated is discarded, and the secret from the reused PED Key overwrites onto the HSM. This ensures that the PED Key and the HSM have the same authentication secret, and the key can unlock the HSM. If the secret on the key was from another HSM that is still operational, then the PED Key has become a "group PED Key" that unlocks the equivalent aspects of both HSMs. In this manner, you can include as many HSMs as you wish in a group. [ Note that this "group" of HSMs is related only by the convenience of being able to use one PED Key to unlock any of them. This "group" concept is not the same as (say) the HA Group concept for high availability.
The HSM slots that form an HA group interact with their client(s) via a virtual HSM slot, such that any of the real HSM slots behind the HA group is interchangeable and can be swapped in and out as needed. But members of an HA group do not need to be members of a PED Key group. In an HA group, any or all of the members could have the same or different authentication secrets, without affecting the HA function. Only the cloning domain must be identical across all HA group members. ]
If you choose to not reuse the content of an existing key, then the secret that the current HSM generated is copied onto the key that is currently inserted into the PED (after the PED verifies multiple times that this is what you wish to do). This ensures that the PED Key and the HSM have the same authentication secret, and the key can unlock the HSM. If the PED Key previously had a secret for another HSM, it no longer does. The PED Key can now unlock the current HSM but is useless with the previous HSM.
Note also that your organization's security policies govern whether you can allow multiple HSMs or HSM partitions to be unlockable by the same PED Key.
The second question from the PED would ask for M and N values,
so that you could set up MofN split-secret, multi-person access control. However, that option would greatly complicate this explanation, so we will assume that you choose M=1 and N=1, which means "no MofN invoked".
If you wish to see an explanation of how MofN works on the HSM, go to "HSM Authentication Model with MofN and No PED PINs".
The PED provides the opportunity to add an additional layer of authentication security to the handling of the current secret.
A PED PIN is a numeric secret typed on the PED keypad. If you just press enter, no PED PIN is created, and therefore no PED-PIN flag is set on the current PED Key. If you do type in some digits on the PED's keypad, then that sequence becomes a PED PIN, a numeric password that must be typed whenever you wish to use that key in future. Whatever your response, the PED asks you to confirm by typing it in again, before proceeding to the next question.
If you wish to see an explanation of how PED PINs work on the HSM go to "HSM Authentication Model with a PED PIN" or "HSM Authentication Model with Multiple PED PINs".
The next question from the PED is whether you wish to duplicate the current PED keyset.
[ The word "keyset" is used because you could have chosen to invoke MofN, splitting the (in this case) HSM secret across several blue keys, rather than just the one in this example. That is, a "keyset" can consist of one key, containing a complete secret, or multiple keys, each containing a portion of that secret.]
In general, it is a good idea to have several PED Keys with the HSM secret duplicated, so that you can have on-site and off-site backups, and to meet your other operational considerations.
The first opportunity to make copies is at initialization time, as the PED always asks this question during the process. Your answer to the "duplicate" question determines the end of the process for the current PED Key secret.
Again, your security policies dictate how many backup copies - or other operational copies - of a PED Key should be made, and how they should be handled and maintained.
Customers who are familiar with our legacy HSM products, and who are now preparing to use SafeNet Network HSM 6.x (a firmware 6.x HSM) would observe that much of the concept and action is similar to the previous generation, but with a few important differences, described below. This would be especially important for customers who are migrating keys and HSM contents from older HSMs to the current generation.
Differences in function are driven to a considerable extent by the updating of the (optional) MofN, split-secret, multi-person access control model.
In HSM firmware 4, the MofN concept was of a separate, self-contained single secret (on green keys, and no PED PIN), so all the other PED Key colors were just one secret each, which was a simple model that allowed certain possibilities and precluded others.
In that older model, if a PED PIN was created, it existed only in your head ("something you know), and was a transformation that you applied to the secret on the key ("something you have"), to make it into the secret on the HSM. In that model, it was not possible to have more than one PED PIN for (say) the SO secret on HSM1. However, it was possible to use that same key for another HSM (2) with a different PED PIN, because the secrets on the two HSMs didn’t have to match.
All that was needed was that whatever was on the blue key could be reliably transformed into what HSM1 wanted, and could also be transformed into whatever HSM2 wanted, by typing something on the keypad.
You could minimize the number of blue keys, while still ensuring that HSM1 and HSM2 had effectively different secrets – as long as you trusted that HSM1's SO and HSM2's SO were not going to talk to each other. But any duplicate blue keys were, indeed, exact duplicates. It was the HSMs in a group that had different secrets, not the keys. The same idea applied to the black keys.
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #1) = Success on HSM1,
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #2) = Success on HSM2
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #1) = Failure on HSM2
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #2) = Failure on HSM1
In HSM firmware 6 (SafeNet PCIe HSM 5, SafeNet Network HSM 5, SafeNet USB HSM), the new PED-mediated MofN-per-key-color model required some re-engineering. Additional infrastructure was needed, which makes this model incompatible with the previous method.
Functionally, in the current model, it doesn’t matter whether you choose M and N to be one (feels like no MofN) or you choose M and N to be greater than one (invoking secret-splitting) – the infrastructure is there, regardless.
One result is that the HSM takes on additional responsibility for validating splits (even if there’s only the one…), and the PED Key data now has a direct relationship to the PED PIN (which is part of the validation done when the PED Key is entered). Therefore, a “duplicate” is now a slightly fuzzier concept. Each duplicate PED Key can be given a different PED PIN (or none), and can still unlock the same HSM1. BUT, if you now make a group of HSMs by initializing a second HSM (HSM2) with the same basic secret (by imprinting the new HSM from one of the duplicate PED Keys), you must use the correct PED PIN for the Key used – any other choice will fail validation. The result is that the second HSM uses the same secret as the first - which is different from the firmware 4 case.
You can optionally have split each secret (M and N greater than 1 when you initialized HSM1), which just makes the combinations more interesting to track without a good set of notes, but that doesn’t change the concept… merely adds a layer.
In the following table, we illustrate your interactions with the PED as you initialize an HSM or create a partition, with a fresh secret (not reused), and then create two duplicates of the PED Key, each with a PED PIN different from the original and from each other, yet all three will unlock that HSM or that partition - to simplify this exercise, we ignore MofN. Assume that all keys are fresh blanks.
HSM1 PED prompt | Original key, No PED PIN (your action) |
First duplicate key PED PIN "1234" (your action) |
Second duplicate key PED PIN "4321" (your action) |
---|---|---|---|
"Do you wish to reuse an existing keyset" (creating new PED Keys during initialization) |
Press [ No ] | n/a | n/a |
Insert... | (insert a new key) | - | - |
Enter new PED PIN / Confirm new PED PIN | Press [ Enter ] | n/a | n/a |
"Are you duplicating this keyset?" | Press [ Yes ] | - | - |
Insert... | - | (insert a new key) | - |
Enter new PED PIN / Confirm new PED PIN | - | Type "1234" and press [ Enter ] |
|
"Are you duplicating this keyset?" | - | Press [ Yes ] | - |
Insert... | - | - | (insert a new key) |
Enter new PED PIN / Confirm new PED PIN | - | - | Type "4321" and press [ Enter ] |
"Are you duplicating this keyset?" | Press [ No ] | ||
All three PED Keys have different PED PINs, but any one of them can unlock this HSM. The combination of any of those PED Keys, with its own PED PIN will produce the same secret for the HSM. |
To round out the parallel concept that finished the firmware 4 discussion above, any duplicate blue keys are not necessarily exact duplicates, they just all contain a way (PED PIN secret) to get back to the same output secret. But in this model (firmware 6), if you want to use the same blue keys for several HSMs, all the HSMs must have exactly the same blue (SO) secret, because a duplicate of any blue key CAN have whatever PED PIN you choose (or none) but must still be able to generate the correct secret.
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #2) = Success on HSM1
(Key #1 + PED PIN #1) or (Key #2 + PED PIN #2) = Success on HSM2
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #1) = Failure on HSM1
(Key #1 + PED PIN #2) or (Key #2 + PED PIN #1) = Failure on HSM2
Some important implications of the above explanations deserve restating.
•If you choose to NOT reuse a secret from an existing PED Key, then the HSM and the new set of PED keys being created by initialization all receive secrets based on the secret that is newly generated by the HSM. This is how you ensure that no other HSM can be unlocked by the PED Key(s) that you are now associating with the current HSM. This exclusivity lasts as long as nobody initializes yet another HSM using the PED Key(s) that you just created for this current HSM. Reusing, or not, is chosen on a per-role basis, so that some PED Key secrets on an HSM could be shared with other HSMs, while others are not.
•It is crucially important to always control your PED Keys. Know where they are, know how many there are, and know who is handling them.
•If you choose to reuse a pre-existing secret, then the secret that the HSM generates at the start of initialization is discarded, in favor of the imported secret [ the secret that you accept from an existing imprinted PED Key when you say [ Yes ] to the PED question "Would you like to reuse an existing keyset?" ]. This is how you make group PED Keys that can unlock more than one HSM.
•The PED PIN, if you invoke one, exists not on the PED Key - it is the combination of the secret on the key, plus the PED PIN for that key, that produces the secret that the HSM sees (and requires).
An additional question that is sometimes asked, about reuse and duplicates...
•You can "reuse" an existing secret only for the same type of secret that is currently being requested by the HSM and the PED. That is, if you say [ Yes ] to "Would you like to reuse an existing keyset" while preparing to set the HSM's Security Officer (SO) secret, then you must present a valid, imprinted blue PED Key. Any other color, or a blank key, is rejected as a source to reuse. A Crypto Officer (black key) secret cannot be "reused" as an HSM SO (blue key) secret. Nor can a Domain (red), or RPK (orange), or SRK (purple key) secret. "Reuse" is the opposite of overwrite. For the "reuse" option, with any PED Key secret, the matching kind of pre-existing secret is needed.
SRKs, the purple key secrets, are unique per HSM and are not reused, ever.
SafeNet PED has the ability to make copies of PED Keys, without the intervention of an HSM. All the PED needs is power.
Insert any PED Key containing a secret that you wish to duplicate. The PED defaults to the local mode menu.
Press "<" to get to the Select Mode menu.
Press "4" for the Admin menu.
Press "1" for PED Key.
Press "1" again, for Login.
Press "7" for Duplicate. The PED reads the key that you already inserted, then prompts you:
Duplicate PED Key...
Insert target
PED Key.
Press ENTER.
When you press ENTER, the key in the slot gets the data that was read from the first key.
You can imprint as many new PED Keys as you wish.
Note that the PED does NOT prompt you for a PED PIN.
If the PED PIN flag was not set on the source key (the first key you inserted before invoking the Duplicate function), then the new copy also has that flag unset.
If the PED PIN flag was set on the original key, then that setting is automatically recorded on the duplicate. No HSM is involved in this PED-only transaction, so entering a PED PIN would have no effect in this case. Yet the correct PED PIN will be requested when you later use one of these duplicates to access the HSM.
This DIFFERS from the sequence when you are initializing and choose to make duplicates at that time - in that case you are prompted for PED PIN and can make several "duplicate" keys that have different PED PINS and yet unlock the same HSM. This method is called a "raw" duplication and works for every type of PED Key except a purple SRK.
Requires HSM |
Launched from command line |
Prompt (option) to set PED PIN |
"Copies" are identical |
"Copies" unlock same HSM |
|
---|---|---|---|---|---|
"Duplicating" (creating new PED Keys during initialization) |
Yes | Yes | Yes | Only if no PED PIN or if same PED PIN is repeatedly entered |
Yes, as long as you know the correct PED PIN for the key you have |
Duplicating "raw" key content via PED menu |
No (only a power connection needed) Note: does not work for purple PED Key. |
No | No | Yes | Yes, PED PIN is the same for all raw duplicates |