Failed Logins

If you fail three consecutive login attempts as HSM Security Officer (or SO), the HSM contents are rendered unrecoverable. This is a security feature meant to thwart repeated, unauthorized attempts to access your cryptographic material. The number is not adjustable.

NOTE   The system must actually receive some erroneous/false information before it logs a failed attempt -- if you merely forget to insert a PED key (for PED-authenticated HSMs), or inserted the wrong color key, that is not counted as a failed attempt.

To fail a login attempt on a Password-authenticated HSM, you would need to type an incorrect password. To fail a login attempt on a PED-authenticated HSM, you would need to insert an incorrect PED key of the correct color, type an incorrect PED PIN, or enter an incorrect challenge secret on an activated partition (see Control the Outcome).

As soon as you successfully authenticate, the counter is reset to zero.

CAUTION!   SafeNet Luna 7.1's default settings have HSM policy 15: Enable SO reset of partition PIN set to 0. This policy causes the Crypto Officer role to be permanently locked out after too many bad login attempts (default: 10). If this is not the desired outcome, ensure that the HSM SO sets this destructive policy to 1 before creating and assigning partitions to clients.

To view a table that compares and contrasts various "deny access" events or actions that are sometimes confused, see Comparison of Destruction/Denial Actions.

Other roles and functions that need authentication on the HSM have their own responses to too many bad authentication attempts. Some functions do not keep a count of bad attempts; the simple failure of a multi-step or time-consuming operation is considered sufficient deterrent to a brute-force attack. The table in the next section summarizes the responses.

HSM Response When You Reach the Bad-attempt Threshold

Columns: Role / Threshold (number of tries) / Result of too many bad login attempts / Recovery

HSM SO
  Threshold: 3
  Result: HSM is zeroized (all HSM objects, identities, and all partitions are gone).
  Recovery: HSM must be reinitialized. Contents can be restored from backup(s).

Partition SO
  Threshold: 10
  Result: Partition is zeroized.
  Recovery: Partition must be reinitialized. Contents can be restored from backup.

Audit
  Threshold: 10
  Result: Lockout.
  Recovery: Unlocked automatically after 10 minutes.

Crypto Officer
  Threshold: 10 (can be decreased by Partition SO)
  Result: If HSM policy 15: Enable SO reset of partition PIN is set to 1 (enabled), the CO and CU roles are locked out. If HSM policy 15 is set to 0 (disabled), the CO and CU roles are permanently locked out and the partition contents are no longer accessible. This is the default setting.
  Recovery: With HSM policy 15 set to 1, the CO role must be unlocked and the credential reset by the Partition SO, using role resetpw -name co. With HSM policy 15 set to 0, the partition must be re-initialized, and key material restored from a backup device.

Crypto User
  Threshold: 10 (can be decreased by Partition SO)
  Result: The CU role is locked out.
  Recovery: CU role must be unlocked and the credential reset by the Crypto Officer, using role resetpw -name cu.

Domain
  Threshold: n/a
  Result: Operation fails.
  Recovery: Retry the operation with the correct Domain - usually that would be a backup or restore.

Remote PED Key
  Threshold: n/a
  Result: Operation fails.
  Recovery: Retry establishing a Remote PED connection, providing the correct orange PED key (PED-authenticated only).

Note: The Crypto User role is initialized by the Crypto Officer. Therefore, only the Crypto Officer, and not the Partition SO, is able to reset the Crypto User credential.

Control the Outcome

The configurable HSM policy 15: SO can reset User PIN allows the Partition SO to control the HSM's response to a set number of consecutive bad Crypto Officer authentication attempts. When the threshold of bad attempts is reached, the CO is locked out of the partition. If HSM policy 15 is set to 1 (enabled), the partition and its contents can be accessed again after the Partition SO resets the CO's password. If HSM policy 15 is set to 0 (disabled), then the partition is permanently locked and the contents are no longer accessible. The partition must be re-initialized and cryptographic material must be restored from backup by the Partition SO.

The configurable partition policy 15: Ignore failed challenge responses can be set by the Partition SO. This policy applies to Activated PED-authenticated partitions only (see Activation and Auto-Activation on PED-Authenticated Partitions). When partition policy 15 is set to 1 (enabled), incorrect partition challenge secret attempts will not apply toward the "failed login attempt" counter.
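The following is an added example, not Luna documentation or Thales code: a small Python model of the counting rules in the table and in this section (counter reset on success, the fixed HSM SO threshold of 3, the Partition SO-adjustable CO threshold, HSM policy 15 deciding whether a CO lockout is recoverable, and partition policy 15 discarding failed challenge responses). The class and method names are assumptions made for the model, and it can be used to rehearse a chosen policy combination before applying it to a real partition.

```python
from dataclasses import dataclass

ZEROIZED = "zeroized"
LOCKED_RECOVERABLE = "locked (Partition SO: role resetpw -name co)"
LOCKED_PERMANENT = "locked permanently (re-initialize, restore from backup)"


@dataclass
class HsmSo:
    failures: int = 0
    state: str = "active"

    def login(self, password_ok: bool) -> str:
        if self.state == ZEROIZED:
            return ZEROIZED
        if password_ok:
            self.failures = 0  # any successful authentication resets the counter
            return "ok"
        self.failures += 1
        if self.failures >= 3:  # fixed threshold, not adjustable
            self.state = ZEROIZED
        return self.state


@dataclass
class PartitionCo:
    """Crypto Officer of one partition (hypothetical model of the table above)."""
    hsm_policy_15: int = 0  # default 0: Partition SO cannot reset the CO PIN
    partition_policy_15: int = 0  # 1 = ignore failed challenge responses
    threshold: int = 10  # Partition SO may lower this
    failures: int = 0
    state: str = "active"

    def login(self, credential_ok: bool, via_challenge: bool = False) -> str:
        if self.state != "active":
            return self.state
        if credential_ok:
            self.failures = 0
            return "ok"
        if via_challenge and self.partition_policy_15 == 1:
            return "ignored"  # activated PED partition: not counted as a failure
        self.failures += 1
        if self.failures >= self.threshold:
            self.state = LOCKED_RECOVERABLE if self.hsm_policy_15 == 1 else LOCKED_PERMANENT
        return self.state

    def so_reset(self) -> bool:
        """Partition SO recovery; only possible when HSM policy 15 was 1 at lockout."""
        if self.state != LOCKED_RECOVERABLE:
            return False
        self.state, self.failures = "active", 0
        return True
```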