Changing Your Authentication Parameters

After you have created your PED keys, you may wish to change how you use the PED keys to authenticate, as follows:

Revoking, Adding or Changing MofN

Revoking, Adding or Changing PED PINs

Updating PED Keys for a Backup Token

You can perform these operations locally or remotely.

The Luna PED automatically detects the active interface that it is plugged into, and defaults to the appropriate mode after the first command is sent to it. The Luna PED waits in either Remote PED-USB mode (if the PED is connected to a USB port) or in its Scanning state (if the PED is connected to an SCP port) until a command is received from the HSM.

If the PED is directly connected to the HSM via USB port, it enters Local PED-USB mode.

If the PED is remotely connected to the HSM via remote host, it enters Remote PED-USB mode.

If the PED is directly connected to the HSM via SCP port, it enters Local PED-SCP mode.

If you need to manually switch between these modes, press < to navigate to the main menu. Then, press 1 to enter Local PED-SCP mode or press 0 to enter Local PED-USB mode.

If you wish to perform this operation remotely, see Remote PED Setup and Configuration.

Revoking, Adding or Changing MofN

If you decide to stop using MofN, or to keep MofN but with a different total number of split-keys (N) or a different minimum quantity of keys that must be presented (M) to reconstruct the secret, you must zeroize and re-initialize the HSM. For individual partitions, you must delete the partition and create a new one with the new authentication. To preserve the HSM and partition contents, perform a backup before re-initializing the HSM, and then restore from backup afterward.

If you wish to have two HSMs share the same MofN scheme, you must initialize one with the desired scheme, then initialize the second HSM and have it re-use the secret splits from the first HSM.

At secret-creation time for the HSM, when the PED is invoked, the PED asks if you wish to re-use an existing secret. If you say Yes to that question, then the PED expects you to offer a PED key that is already imprinted with a suitable secret. If you offer a key that contains a partial secret – a split from your other HSM – the PED accepts that key. The connected HSM recognizes that the secret is only a split, not a full SO secret, so the PED demands additional keys from that set, until it has received M of them, enough to reconstitute the secret. It will not accept fewer than M different portions of the secret, and it will not accept members of another set.

Once the reconstituted secret has been imprinted on the new HSM, then that HSM can accept any M splits out of the full set of N, even though it has never seen some of those splits. Both HSMs now accept the same MofN authentication secret.

Note:  The PED requires different splits when combining quantity M splits to recreate the authentication secret. If you offer it one split and then a copy of the same split (because they all look alike and you accidentally gathered them into incorrect groups), the PED will reject the identical offering.
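The acceptance rules described in this section, as an added example that is not SafeNet code: Shamir's secret sharing stands in for the HSM's splitting scheme, which this page does not name, and the function names, set label and field size are assumptions.

```python
# Added illustration: threshold (M-of-N) splitting with Shamir's scheme.
# Assumption: the page does not say which scheme the HSM uses; Shamir is a stand-in.
import secrets

PRIME = 2**127 - 1  # field modulus (a Mersenne prime), larger than any secret used here

def make_splits(secret, m, n, set_id):
    """Split `secret` into n splits; any m different splits rebuild it."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    def poly(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME
    return [{"set": set_id, "m": m, "x": x, "y": poly(x)} for x in range(1, n + 1)]

def combine(offered):
    """Apply the checks described above, then interpolate the polynomial at x = 0."""
    first = offered[0]
    seen = {}
    for s in offered:
        if s["set"] != first["set"]:
            raise ValueError("split belongs to another set")
        if s["x"] in seen:
            raise ValueError("identical split offered twice")
        seen[s["x"]] = s["y"]
    if len(seen) < first["m"]:
        raise ValueError("fewer than M different splits")
    secret = 0
    for xi, yi in seen.items():
        num = den = 1
        for xj in seen:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def demo():
    """Two HSMs sharing one 3-of-5 scheme (constructed sample values)."""
    so_secret = secrets.randbelow(PRIME)
    keys = make_splits(so_secret, m=3, n=5, set_id="set-A")
    hsm2_secret = combine(keys[:3])   # second HSM imprinted from splits 1 to 3
    later_login = combine(keys[2:5])  # uses splits 4 and 5, never shown to HSM 2
    return so_secret, hsm2_secret, later_login
```
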

Revoking, Adding or Changing PED PINs

You can remove the requirement for a PED PIN by using the hsm changepw command (described in greater detail below). A new secret is generated on the HSM, and is imprinted onto the PED key (you are asked if you want to overwrite the existing data and you say Yes). You are given the opportunity to add a PED PIN and you just press Enter on the PED keypad to decline a PED PIN.

CAUTION:  This action must be performed on all the PED keys associated with that HSM. If you have a group of HSMs that share the same authentication secret (meaning they can all be unlocked by the same PED keys), then you must keep one unchanged PED key until you have logged in and performed the hsm changepw command on all the HSMs in that group.

Similarly, if you decide to increase the stringency of your security, you can use the hsm changepw command to change the secret on your PED keys and HSM(s) and at the same time, add new PED PINs.

You could leave some PED keys with the old secret. The result would be two groups of HSMs and associated PED keys that could not be interchanged (for authentication). In other words, you could use the technique to split a group of HSMs.

This does not apply to all PED key types:

It does apply to the black PED key – use the LunaSH command partition changepw. This change is non-destructive to the HSM partition or its contents.

For the orange PED key, you can use the LunaSH command hsm ped vector init to create a new Remote PED vector on the HSM and on the current orange PED key, or you can import a different RPV from a different orange key and imprint that RPV onto the HSM in place of the current one. This change is not destructive to the HSM or its contents.

You cannot change an HSM Domain without a hard initialization of the HSM (destroys all contents), and you cannot change a partition Domain without deleting the current partition and creating a new partition.

PIN-Change Procedure for Multiple HSMs Using the Same Credentials

CAUTION:  You must retain at least one old-PIN PED key until all HSMs have the new PIN, or you will find yourself unable to access old-PIN HSMs.

1. Choose an HSM and log in as SO (with a blue PED key).

2. Request a change of SO PED key:

lunash:> hsm changePw
 

3. Respond to the PED prompts as follows:

Getting current SO PIN…
Reading SO PIN…
Insert a blue Key
           

This is where you insert a currently valid SO PED key to confirm that you are the key holder.

<Press ENT>
 

The PED requests the key because an indeterminate amount of time might have elapsed since the last HSM login and confirmation is needed that the person asking for a change of secret is the person who logged in (and not an unauthorized person taking advantage of an unattended login session).

Reading SO PIN
Please wait…
Would you like to reuse an existing keyset? (Y/N)
 

Here you respond No so that a new SO secret is generated.

M value  (1-16)
>0
M value  (1-16)
>0
Writing SO PIN…
Insert an SO Key
 

This is where you insert the first SO PED key to be overwritten; it might be the same one that you just inserted to authenticate as SO.

<Press ENT>
Writing SO PIN…
PED key will be overwritten
 

The PED detects existing (old) data on the key and warns you that it will be overwritten if you proceed.

<Press ENT>
Writing SO PIN…
Enter new PED PIN
 

This is a new secret, so you have the opportunity to add a PED PIN to it, if you wish.

Writing PED PIN…
Confirm new PED PIN
Are you duplicating this keyset? (Y/N)
 

Answer Yes because you want to overwrite the old secret on two of the remaining three PED keys (in this example).

Writing SO PIN…
Insert SO key
 

This is where you insert the second SO PED key.

<Press ENT>
Writing SO PIN…
PED key will be overwritten.
<Press ENT>
Writing SO PIN…
Enter new PED PIN
 

You can add a PED PIN to this duplicate key if you wish, or not. If you add a PED PIN it does not need to be the same as on the other key.

Writing PED PIN…
Confirm new PED PIN
Would you like to 
make another
duplicate set? (Y/N)
 

Respond Yes and make the change on the third SO key, but leave the fourth key with the old secret for now.

Command Result : 0 (Success)
[luna22] lunash:>
 

At this point, you have one HSM and three of your four SO keys imprinted with the new SO authentication secret. Ensure that you keep the keys separate and well identified. One PED key must retain the old secret until all HSMs are updated to the new secret.

4. Go to the second of your SafeNet appliances and log in as admin.

5. Request a change of SO PED key (this time you will not be changing key contents; you will be logging in with the old secret, then copying the new secret from one of the updated keys onto the second HSM):

lunash:> hsm changePw
 

6. Respond to the PED prompts as follows:

SO login…
 

This step shows that if you had not already logged in prior to requesting hsm changepw then a login is forced.

Note:  You can explicitly login (with hsm login) before issuing hsm changepw, or you can wait until you issue the change command and be prompted to login.

Insert blue PED Key
 

Insert the old-secret PED key, to login – this HSM still has the old secret.

<Press ENT>
Getting current SO PIN…
Reading SO PIN…
Insert a blue PED key
 

The system does not track how long ago the login occurred, so before a key change is permitted, it requires you to prove that you are the valid key holder by producing the key again.

<Press ENT>
Reading SO PIN
Please wait…
Setting SO PIN
Would you like to
reuse an existing
keyset? (Y/N)
 

Here you respond Yes so that the new SO secret will be read from the new-secret-containing key.

Reading SO PIN…
Insert a blue PED Key
 

Insert a new-secret SO PED key so that its secret can be read and then imprinted on this second HSM.

<Press ENT>
Would you like to 
make another
duplicate set? (Y/N)
 

Respond No. This HSM now has the new secret.

Command Result : 0 (Success)
[luna22] lunash:>
 

At this point, you have two HSMs and three of your four SO keys imprinted with the new SO authentication secret. Ensure that you keep the keys separate and well identified. One PED key must retain the old secret until all HSMs are updated to the new secret.

7. Remove the new-secret key from the PED and place it with the other new-secret keys.

8. Bring a PED and the remaining old-secret key to the third appliance and repeat steps 4 to 6.

When prompted:

<Press ENT>                              
Would you like to 
make another
duplicate set? (Y/N)
 

Respond Yes and supply the last old-secret PED key as the “blank” to overwrite it.

Command Result : 0 (Success)
[luna22] lunash:>
 

At this point, you have all three HSMs and all four SO keys imprinted with the new SO authentication secret.

If you prefer to be more cautious, you could leave the final PED key with the old secret until you have confirmed that all three HSMs are unlockable by the new secret, only then imprinting the last key with the new secret.

Alternatively, you can perform iKey PED key copying or duplication without invoking commands at the HSM (however you still require a connection between PED and HSM to power the PED).

Note:  You can perform the same operations with blue SO PED keys in similar circumstances. This operation could be scaled up for larger groups of HSMs and duplicate PED keys.
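A way to check a rollover order against the CAUTION at the start of this procedure before touching any PED key, as an added example that is not part of the SafeNet documentation: the HSM names, key names and plan format are hypothetical, and PED PINs are not modelled.

```python
# Added illustration: replay a planned sequence of "hsm changePw" operations
# and stop at the first step that would leave an HSM with no usable key.
# HSM names, key names and the plan format are hypothetical.

def run_plan(hsms, keys, plan):
    """Apply the steps in order; return (ok, message).

    hsms/keys map a name to the id of the secret it currently holds.
    Each step is (hsm, login_key, source_key_or_None, keys_to_overwrite).
    source None models answering No to "reuse an existing keyset"
    (a fresh secret is generated); otherwise the secret is read from that key.
    """
    hsms, keys = dict(hsms), dict(keys)
    fresh = 0
    for n, (hsm, login_key, source, overwrite) in enumerate(plan, 1):
        if keys[login_key] != hsms[hsm]:
            return False, f"step {n}: {login_key} cannot log in to {hsm}"
        if source is None:
            fresh += 1
            secret = f"new-{fresh}"
        else:
            secret = keys[source]
        hsms[hsm] = secret
        for k in overwrite:
            keys[k] = secret
        stranded = sorted(h for h, s in hsms.items() if s not in keys.values())
        if stranded:
            return False, f"step {n}: no remaining key opens {', '.join(stranded)}"
    return True, f"{len(set(hsms.values()))} secret(s) in use across {len(hsms)} HSMs"

OLD = "old"
HSMS = {"hsm1": OLD, "hsm2": OLD, "hsm3": OLD}       # constructed sample state
KEYS = {"k1": OLD, "k2": OLD, "k3": OLD, "k4": OLD}  # four SO keys, as on this page

# Order used on this page: k4 keeps the old secret until the last HSM is done.
PAGE_PLAN = [
    ("hsm1", "k1", None, ["k1", "k2", "k3"]),
    ("hsm2", "k4", "k1", []),
    ("hsm3", "k4", "k1", ["k4"]),
]
# Same first step, but all four keys are overwritten at once.
BAD_PLAN = [("hsm1", "k1", None, ["k1", "k2", "k3", "k4"])]
```

A plan that deliberately stops after rekeying only some HSMs and keys passes the check and reports two secrets in use, which is the group split described earlier on this page.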

Updating PED Keys for a Backup Token

If you need to have new authentication for your Backup Tokens, then perform a new Backup operation.

Performing an HSM Backup or a Partition Backup will initialize the token and allow you to either:

Imprint a new authentication secret (say No to the “reuse ID” question, which causes a new random secret to be created and imprinted on both the PED key and the token),

Or else

Share the authentication secret (say Yes to the “reuse ID” question, which takes the token authentication from the PED key you insert) that is already in use on other tokens or on a SafeNet Luna HSM.