|
Home > |
|---|
Luna PED with Remote Capability (Remote PED) allows you to administer HSMs that are housed away from their owners/administrators, at physically remote sites or inside heavily-secured premises, where obtaining local physical access to the HSM is difficult or time-consuming. Remote PED provides administrative convenience similar to remotely accessing a Password-authenticated HSM, but with the added security and role separation of PED authentication.
To use remote PED, you require the following:
•a Remote PED Server instance running on your local workstation. The remote PED server connects over a secure network link with a Remote PED client in the computer or appliance that contains the HSM to which you want to authenticate.
•A Luna PED with firmware 2.7.1 or newer
•An orange PED key that provides the authentication for the Remote PED connection between
–The workstation computer (with Luna PED connected and PED Server running), and
–The remotely located SafeNet Luna HSM with the PED Client running on the HSM's host.
The PED Client and Server are software components that allow the HSM and PED to communicate via a TCP/IP network:
•The PED Server resides on the host computer where a remote-capable Luna PED is USB connected. The PED Server acts as an intermediary, accepting requests and serving PED prompts and actions and data to requesting HSMs (usually located at a distance).
•The PED Client resides on the system hosting the HSM. That could be a workstation or server with a SafeNet Luna USB HSM connected or a SafeNet Luna PCIe HSM embedded, or it could be a SafeNet Luna Network HSM appliance, any of which can request PED services from the PED Server through the network connection.
Figure 1: PED Client and PED Server interaction for Remote PED
|
Remote PED |
A Luna PED, with Remote capability, connected, powered on, and set to Remote mode. |
|
RPV |
Remote PED Vector - a randomly generated, encrypted value used to authenticate between a Remote PED (via PED Server) and a distant SafeNet Luna HSM (PED Client). |
|
RPK |
Remote PED key - an orange PED key, the portable repository of an RPV value, for use in the Remote PED process. |
|
PED Server |
The PED server program that resides on a workstation and mediates between a locally-connected Remote PED and a distant PED Client (running at a distant SafeNet Luna HSM). |
|
PED Client |
The PED client program. For a SafeNet Luna Network HSM appliance, PED Client is embedded. For SafeNet Luna PCIe HSM, SafeNet Luna USB HSM, or SafeNet Luna Backup HSM, PED Client must be installed on the HSM's host computer. The PED client anchors the HSM end of the Remote PED service and initiates the contact with a PED Server instance, on behalf of its HSM. |
All communication between the Remote PED and the HSM in its host is transmitted within an AES-256 encrypted channel using session keys based on secrets that are shared out-of-band via the Remote PED role. This is considered a very secure query/response mechanism. The authentication conversation is between the HSM and the PED. Authentication data retrieved from the PED keys never exists unencrypted outside of the PED or the HSM. PED Client and PED Server provide the communication pathway between the PED and the HSM but along that path, the data remains encrypted.
Once the data path is established and the PED and HSM are communicating, they establish a common Data Encryption Key (DEK). DEK establishment is based on the Diffie-Hellman key establishment algorithm and an RPV (Remote PED Vector), shared between the HSM and the PED via the orange Remote PED iKey (RPK). Once a common Diffie-Hellman value is established between the parties via the Diffie-Hellman handshake, the RPV is mixed into the value to create a 256-bit AES DEK on each side. If the PED and the HSM do not hold the same RPV, the resulting DEKs will be different between them, and the parties won’t be able to communicate.
Mutual authentication is achieved by exchanging random nonces, encrypted using the derived data encryption key. The authentication scheme operates as follows:
|
HSM |
_ |
Remote PED |
|---|---|---|
|
Send 8 bytes random nonce, R1, |
{R1 || padding}Ke -> |
|
|
|
<- {R2 || R1}Ke |
Decrypt R1. Generate an 8 byte |
|
Decrypt R2 || R1. Verify that |
{padding || R2}Ke -> |
Verify that received R2 value is |
Following successful authentication, the random nonce values are used to initialize the feedback buffers needed to support AES-OFB mode encryption of the two communications streams (one for each direction).
Sensitive data in transition between a PED and an HSM is end-to-end encrypted: plaintext security-relevant data is never exposed beyond the HSM and the PED boundaries at any time. The sensitive data is also hashed, using a SHA-256 digest, to protect its integrity during transmission.
When a Remote PED connection is in force, the Local PED interface to the HSM is disabled. If a Local PED operation is in progress, it is not possible to start a Remote PED connection until the currently active Local-PED-mediated HSM operation completes. For example, if you had started an HSM command that began using a connected Local PED and PED key for authentication, and you started an SSH session in which you issued the ped connect (LunaCM) command or hsm ped connect (LunaSH) command, one of the following two things would happen:
•The remote PED connect command would begin executing, but would pause while the Local PED operation started in the other command session was in progress, and resume when the Local PED operation terminated.
•The remote PED connect command would begin executing, but would pause while the Local PED operation was in progress, and eventually time-out if the Local PED operation did not terminate sufficiently quickly.
If a Remote PED connection is in force, then the Local PED is ignored, and all PED requests are routed to the Remote PED. Attempts to start a different connection are refused until the current connection times out or is deliberately stopped.
In Local PED mode, one Luna PED is connected directly to the HSM. Timeouts are governed by the configuration of the appliance or host computer and the HSM and are not generally modifiable.
In Remote PED mode, the PED Server on each remote workstation has a timeout setting, and the HSM has a Remote PED timeout setting that can be shown (LunaSH command hsm ped timeout show on SafeNet Luna Network HSM) and modified (LunaSH command hsm ped timeout set on SafeNet Luna Network HSM). If nothing has been set, then the default value for the Remote PED connection timeout (1800 seconds) is in effect.
The Remote PED Server instances on workstations, and the Remote PED Client inside the SafeNet Luna Network HSM appliance or on an HSM host computer, are not aware of each other's timeout values. For a given Remote PED connection, the shorter timeout value rules.
Remote PED (via PedClient.exe) can provide PED services to only one HSM slot at a time. To provide PED interaction (remotely) to another slot, you must close PedClient.exe for that first slot/HSM and then open PedClient.exe for the next slot/HSM.
Once a slot has been set up with its authentication data cached (autoActivation), and PED Client has closed, you must not issue any command to that original slot that would require PED interaction. If you issue a command that invokes a PED operation when no PED is connected to the HSM, the affected HSM pauses until the requested operation times out. This means that client applications using that HSM stop for the duration of the timeout.
You can also initiate the connection between PED Server and HSM from the side of the PED Server. This is further detailed in Remote PED Connections. You can use either the legacy or the peer-to-peer method to connect your Remote PED.
Legacy connections between the Remote PED and the HSM require the connection between PED Server and HSM to be initiated by the HSM. The connection can only be made in this direction.
A SafeNet Luna HSM running the PED Client can establish a Remote PED connection with any workstation that meets the following criteria:
•It is running PedServer.exe.
•It has a suitable Remote PED connected.
•It has the correct PED keys (including the orange key) for that HSM.
The SafeNet Luna HSM can make only a single connection for Remote PED operation at one time. The current session must timeout or be deliberately stopped before another workstation can be called into a Remote PED connection with that SafeNet Luna HSM.
Similarly, a given workstation can enter into a Remote PED connection with any SafeNet Luna HSM with PED Client, but it can make only one such connection at a time. This contrasts with SSH connections, where a workstation could have multiple SSH windows open to multiple admin sessions on a single or multiple SafeNet Luna HSMs.
There is no requirement for the workstation providing the Remote PED connection to be the same one that provides SSH administrative access to the HSM, nor is there any requirement that they be different workstations.
PED Client runs on the computer that hosts the SafeNet Luna HSM, while the PED Server runs on the computer that hosts the Luna PED. Historically, this meant that PED Client was launched and tried to open a connection to a specified instance of PED Server. However, in some cases the network and firewall rules that surround the HSM host forbid that host from initiating the connection from inside the firewall. For those situations, PED Server now supports the ability to initiate the Remote PED connection from the PED Server side, over a link secured by means of the HSM host's server certificate.
Peer-to-peer connection is supported by pedserver -mode connect and -mode disconnect commands. The rules governing the connections are as follows:
•The default mode when PED Server starts is legacy mode (where PED Server waits for a connection to be initiated from an instance of PED Client).
•When you type the -mode connect command for PED Server (requesting the start of peer-to-peer mode), that command requires the registered HSM appliance name, which is stored in the PED Server configuration file. Each appliance name is associated with an IP address. That information, along with the appliance certificate is used to create the connection to an instance of PED Client on the HSM host computer.
•The -mode connect command detects if legacy mode is running.
–If legacy mode is not running, the -mode connect command initiates a connection to the indicated HSM host (normally SafeNet Luna Network HSM appliance).
–If legacy mode is running, then pedserver -mode connect checks if a legacy-mode connection currently exists. If it does, then -mode connect presents an error message informing you to terminate that connection before retrying the requested peer-to-peer connection. A -mode connect request for peer connection does not override an existing legacy connection; it just tells you about it and lets you make the decision.
–If legacy mode is running and pedserver -mode connect does not discover an existing legacy connection in effect, then the legacy mode is shut down and the peer-to-peer connection is initiated.
•The -mode disconnect command terminates an existing peer connection and returns the PED Server to legacy mode. If the PED Server is already in legacy mode, the -mode disconnect command is ignored.
Regardless of whether you use legacy mode or peer-to-peer, the connection is one-on-one. While a Remote PED connection is active between one HSM and one remote PED workstation, neither entity is able to make a similar connection with a different partner. The connection must time out, or be deliberately stopped before the HSM can connect with another PED Server workstation and enter a new remote PED authentication arrangement.
When an RPV is created, it is a randomly-generated value that exists nowhere else. You control which (and how many) HSMs will contain that RPV, and which (and how many) orange RPK PED keys will contain copies of it.
The following constraints apply to Remote PED connections:
•A maximum of twenty connections is supported on the PED Client.
•A maximum of 80 Network HSM appliances can be registered in PED Server.
•If the connection is terminated abnormally (for example, a router switch died), there is no auto-connection. The PED Server automatically restarts and runs in legacy mode.
•When running in peer connection mode, the PED Server does not engage the listening service, for security reasons and to simplify usability.
•Once the PED Server connection to the PED Client is established, the connection remains up until
–The -mode disconnect command is executed from the PED Server, or
–PED Client terminates the connection.