About the Luna PED

Luna PED is a PIN Entry Device (PIN stands for Personal Identification Number). It provides PIN entry to SafeNet Luna HSMs and to backup tokens via a secure data port, as part of FIPS 140-2 level 3 security (the Trusted Path).

The PED is shipped separately from your HSM product, because one PED can be used with any Trusted Path HSM.

This section contains the following:

PED Features

Local and Remote Connection

About PED keys

Types of PED keys

PED keys and Operational Roles

Compare Password vs PED Authentication

PED Features

The figure below shows a front view of the PED, with some important features indicated.

Figure 1: Luna PED

1. On the lower front face is the keypad for command and data entry.

2. On the upper front face is the 8-line liquid crystal display (LCD).

3. At the top on the far left is a DC power-adapter connector.

4. At the top, second from the left, is a USB mini-B connector for connection to the HSM and for file transfer to/from the PED.

5. At the top in the middle is a micro-D subminiature (MDSM) connector (not used in Luna release 7.x).

6. At the top, on the far right, is the USB A-type connector for iKey-style PED keys.

7. Also shown is an iKey PED key, for insertion in the PED key connector.

Local and Remote Connection

A locally-connected PED is connected directly to the HSM via USB (or serial cable in legacy PED versions). You must place the PED in USB mode when using it locally. See Changing Modes. It needs a dedicated power connection via the provided power block.

That connection is the only data path between the HSM and the PED and therefore is considered much more secure than any authentication path that passes through the appliance's computer data paths. The Trusted Path cannot be monitored by any software (whether authorized by you or not) on your administrative or client computer.

A Remote PED uses a Luna PED connected to a separate computer, at a convenient location, to serve PED interactions over a network connection with PedServer.exe workstation software. It uses a USB connection for data exchange, and also needs a dedicated power connection via the provided power block.

About PED keys

Figure 2: PED Key

A PED key is an electrically-programmed authentication device, with USB interface, embedded in a molded plastic body for ease of handling. In conjunction with PED or PED Remote, a PED key can be electronically imprinted with a generated secret that might unlock one or more HSMs, which it retains until deliberately changed.

The PED and PED keys are the only means of authenticating and permitting access to the administrative interface of a PED-authenticated HSM, and are the first part of the two-part Client authentication of the FIPS 140-2 level 3 compliant SafeNet Luna HSM with Trusted Path Authentication. FIPS (Federal Information Processing Standards) are published by the National Institute of Standards and Technology of the United States government; FIPS 140-2 is an internationally recognized standard specifying security requirements for cryptographic modules, and level 3 is its second-highest level of security features and assurance.

The PED does not hold the HSM authentication secrets. The PED facilitates the creation and communication of those secrets, but the secrets themselves reside on the portable PED keys.

Types of PED keys

The current-model PED uses iKey USB-fob type PED keys for all functions. You can visually differentiate your PED keys by attaching tags or labels supplied with them.

The roles and uses of the PED keys employed with SafeNet Luna HSMs and the PED are as follows:

Security Officer (SO)

The Security Officer (SO) PED key. The first actions with a new SafeNet Luna HSM involve initializing an HSM SO identity and imprinting an HSM SO PED key. The SO identity is used for further administrative actions on the HSM, such as creating HSM partition users and changing passwords, backing up HSM objects, and controlling HSM policy settings. The HSM SO is responsible for activating and verifying codes for Secure Transport Mode.

Crypto Officer (CO)

The Crypto Officer key. The Crypto Officer performs partition maintenance, creates and destroys key objects, and creates the optional Crypto User.

Crypto User (CU)

The Crypto User has restricted read-only administrative access to application partition objects. The challenge secret generated in conjunction with the Crypto User can grant client applications restricted, sign-verify access to partition objects.

Note: Creation of a challenge secret is forced for an application partition owned by the HSM SO, but is not forced for an application partition with its own SO.

Domain or Key Cloning Vector (KCV)

Key Cloning Vector (KCV) or Domain ID key. This PED key carries the domain identifier for any group of HSMs for which key-cloning/backup is to be used. The red PED key is imprinted upon HSM initialization. Another is imprinted with each HSM Partition. Once imprinted, that domain identifier is intended to be permanent on the red Domain PED key and on any HSM Partitions or tokens that share its domain.

Remote PED

This PED key is required when you need to perform PED operations at a distance. The Remote PED key (RPK) carries the Remote PED Vector (RPV) and allows a Luna PED connected to a properly configured computer to substitute for a PED connected directly to the SafeNet appliance/HSM, when that local connection is not convenient.

Audit

Audit is an HSM role that takes care of audit logging, under independent control. The audit role is initialized and imprints a white PED key, without need for the SO or other role. The Auditor configures and maintains the audit logging feature, determining what HSM activity is logged, as well as other logging parameters such as rollover period, etc.

For SafeNet Luna USB HSM and SafeNet Luna PCIe HSM, see the audit commands in the LunaCM Command Reference Guide.

Mandatory keys for use with your PED-authenticated HSM are:

Blue HSM SO Key

Red Domain Key

Black Crypto Officer Key

Optional keys for use with your PED-authenticated HSM are:

Gray Crypto User key: in case you need a limited-capability client

White Audit user key: if your situation requires audit logging

Orange Remote PED key: if you expect to administer the HSM remotely

PED keys and Operational Roles

Below are some suggested holders of PED keys by role.

Lifecycle: HSM Admin
Operational role: Security Officer
Function: Manages provisioning activities and global security policies for the HSM:
  HSM initialization,
  Partition provisioning,
  Global policy for the HSM and the partitions within it.
Custodian: CSO, CIO

Lifecycle: HSM Admin
Operational role: Domain (Cloning/Token Backup)
Function: Cryptographically defines the set of HSMs or partitions that can participate in cloning for the purposes of backup and high availability.
Custodian: Domain Administrator, WAN Administrator

Lifecycle: HSM Admin
Operational role: Remote PED
Function: Establish a Remote PED connection.
Custodian: System Administrator

Lifecycle: Partition Admin
Operational role: Security Officer
Function: Manages provisioning activities and global security policies for the partition:
  Partition initialization,
  Role setting,
  Policy setting.

Lifecycle: Daily Operation
Operational role: Crypto Officer
Function: This is the full user role associated with a partition. This role can perform both cryptographic services and key management functions on keys within the partition.
Custodian: System Administrator

Lifecycle: Daily Operation
Operational role: Crypto User
Function: This is a restricted user role on a partition. This role can perform cryptographic services using keys already existing within the partition only.*
Custodian: System Administrator

Lifecycle: Ongoing Auditing
Operational role: Audit User
Function: An independent role responsible for audit log management. This role has no access to other HSM services.
Custodian: Auditor

Note: *Functionally, the Crypto User (gray) PED key is a black PED key. The PED does not distinguish gray from black; the label is provided only for convenience. If administrative separation is not important in your setting, you can use a single black key that authenticates to both roles and still have two separate challenge secrets to distinguish read-write and read-only role privileges.

Compare Password vs PED Authentication

Ability to restrict access to cryptographic keys
  Password-authenticated HSM:
    Knowledge of the Partition Password is sufficient.
    For backup/restore, knowledge of the partition domain password is sufficient.
  PED-authenticated HSM:
    Ownership of the black PED key is mandatory.
    For backup/restore, ownership of both black and red PED keys is necessary.
    The Crypto User role is available to restrict access to usage of keys, with no key management.
    Option to associate a PED PIN (something you know) with any PED key (something you have), imposing a two-factor authentication requirement on any role.

Dual Control
  Password-authenticated HSM: Not available.
  PED-authenticated HSM: MofN (split-knowledge secret sharing) requires "M" different holders of portions of the role secret in order to authenticate to an HSM role; it can be applied to any, all, or none of the administrative and management operations required on the HSM.

Key-custodian responsibility
  Password-authenticated HSM: Linked to password knowledge only; linked to partition password knowledge.
  PED-authenticated HSM: Linked to ownership of the black PED key(s).

Role-based Access Control (RBAC): ability to confer the least privileges necessary to perform a role
  Password-authenticated HSM: Roles limited to Auditor, HSM Admin (SO), and Partition Owner.
  PED-authenticated HSM: Available roles are Auditor, HSM Admin (Security Officer), Domain (Cloning/Token-Backup), Remote PED, Partition Owner (or Crypto Officer), and Crypto User (usage of keys only, no key management). For all roles, two-factor authentication (selectable option) and MofN (selectable option).

Two-factor authentication for remote access
  Password-authenticated HSM: Not available.
  PED-authenticated HSM: Remote PED and the orange (Remote PED Vector) PED key deliver highly secure remote management of the HSM, including remote backup.
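The MofN dual-control option in the comparison above is threshold (split-knowledge) secret sharing: a role secret is divided among N custodians so that any M of them together can reconstruct it, while M-1 or fewer learn nothing about it. The following is an added illustration using Shamir's scheme over a prime field; it is not the Luna PED's or SafeNet's code and says nothing about how the PED actually encodes secrets on iKey PED keys. The field prime, the share indices 1..N and the sample secret are assumptions made for this example.

```python
"""Illustrative M-of-N split-knowledge secret sharing (Shamir's scheme).

Added example, not Luna PED or SafeNet code. The prime modulus, share
indices and sample secret below are assumptions made for the illustration.
"""
import secrets

# Prime modulus for the finite field: 2**127 - 1 (a Mersenne prime). Assumed choice.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients [a0, a1, ...] at x mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Split `secret` into n shares so that any m of them reconstruct it.

    A random polynomial of degree m-1 with the secret as its constant term is
    sampled; share i is the point (i, f(i)). Returns a list of (x, y) tuples.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """Recover f(0) by Lagrange interpolation over the given (x, y) shares.

    With at least m distinct shares this yields the secret. With fewer, the
    interpolated value is unrelated to the secret (every candidate secret is
    equally consistent with the shares seen), which is the split-knowledge
    property that MofN dual control relies on.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME          # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME      # product of (xi - xj)
        # Lagrange basis value at x=0 is num/den; division via Fermat inverse.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo(m=3, n=5):
    """Split a constructed random secret, then show that m shares recover it
    and that m-1 shares do not. Returns True when both properties hold."""
    secret = secrets.randbelow(PRIME)  # constructed sample role secret
    shares = split_secret(secret, m, n)
    first_m_ok = reconstruct_secret(shares[:m]) == secret
    last_m_ok = reconstruct_secret(shares[n - m:]) == secret
    # m-1 holders: the interpolated value matches only with probability 1/PRIME
    too_few_fail = reconstruct_secret(shares[:m - 1]) != secret
    return first_m_ok and last_m_ok and too_few_fail


if __name__ == "__main__":
    print("3-of-5 sharing behaves as expected:", demo())
```

In operational terms, each (x, y) share plays the part of one custodian's portion of the role secret; the quorum requirement M is fixed at split time and cannot be lowered afterwards by any subset of holders, which is why MofN is listed under dual control rather than under convenience features.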