Confirm the HSM's Authenticity

Hardware Security Modules have traditionally been deployed in the corporate data center’s most secure zone. Establishing trust with the HSM is, in part, achieved by physical access control. In cases of remote client usage (such as cloud cryptography), the client needs a way to verify the authenticity of the device protecting their most valued cryptographic keys.

Public Key Confirmations

Thales Group's SafeNet Luna HSMs include factory-issued device identities certified by a Thales Group authority. The root of this authority is maintained by Thales Group in HSMs locked in a vault with layered physical and logical access controls. These certificates are used as the root of trust for the issuance of “public key confirmations” (PKCs), certificates issued by the HSM attesting to the life cycle of a specific private key. A Luna HSM will issue confirmations only for private keys that were created by the HSM and that can never exist outside of the HSM. A valid confirmation is cryptographic proof that a specific key is inside the identified HSM. The confirmation is also proof that that the identified HSM is real.

The key pair within the HSM that signs the confirmation is called a Hardware Origin Key (HOK). It is protected inside the HSM’s FIPS 140-2 Level 3 security boundary. Each HOK is unique and there is no way to extract or replace it. The HOK is created in the HSM at the time of manufacture and certified by Thales Group’s secure manufacturing authority, which is certified by Thales Group’s root authority.

Public key confirmations are automatically generated for RSA key pairs in the HSM. A user can get a confirmation through the PKCS #11 API or the Luna cmu tool, and use it to verify that any RSA key is protected and has always been protected by a Luna HSM. A PKC bundle contains the following certificates:

>MIC: Manufacturing Integrity Certificate; corresponds to the Manufacturing Integrity Private Key (MIK), signed by the SafeNet Root.

>HOC: Hardware Origin Certificate; corresponds to the Hardware Origin Private Key (HOK). Unique to each HSM. Signed by MIK.

>DAC: Device Authentication Certificate; corresponds to the Device Authentication Private Key (DAK). Unique to each HSM. Signed by HOK.

>PKC: Public Key Confirmation Certificate; certificate for a private key on the HSM. Signed by DAK.

Public key confirmations are delivered as PKCS #7 files containing a certificate chain. The PKCS #7 files can be viewed using tools like OpenSSL and Microsoft’s Certificates snap-in for MMC.

NOTE   While third-party tools are capable of cryptographically validating the certificate signature chain, they may display some certificate errors, since they do not recognize some SafeNet-specific key usage attributes included in the certificates.

Chains of Trust

There are two chains of trust: Chrysalis-ITS and TC-TrustCenter. Chrysalis-ITS is built in by default, and originates from Thales's root certificate authority. It uses the MIC, HOC, DAC, and the PKC. TC-TrustCenter originates from the MAC (Manufacturer's Authentication Certificate), and uses the DAC and PKC. If you choose to use the TC-TrustCenter chain of trust, it will take the place of Chrysalis-ITS.

Confirming the HSM's Authenticity

The cmu also includes a command that tests an HSM’s authenticity by creating and verifying a confirmation on a temporary key created in the HSM (see cmu verifyhsm in the Utilities Guide). The test includes a proof of possession that asks the HSM to sign a user-entered string as proof the associated private key is present within the target HSM.

The test requires the SafeNet root certificate, provided below:

NOTE   The current certificate is valid until 2031-12-31, but it may change before this date at Thales Group's discretion. Ensure that you have the most recent version of this documentation.

To confirm the HSM's authenticity:

1.Right-click the link above and save the root certificate to the LunaClient directory.

2.Open a command line and navigate to the LunaClient directory.

3.Use the cmu utility to authenticate the HSM. You must specify a challenge string for the HSM to sign, and the root certificate file:

cmu verifyhsm -challenge <string> -rootcert safenet-root.pem

When prompted, specify the partition you wish to use and the Crypto Officer credential for that partition.

>cmu verifyhsm -challenge "1234567890" -rootcert safenet-root.pem
Select token
 [0] Token Label: mypartition-1
 [1] Token Label: mypartition-2
 Enter choice: 0
Please enter password for token in slot 0 : ********
Reading rootcert from file "safenet-root.pem"... ok.
Generating temporary RSA keypair in HSM... ok.
Extracting PKC bundle from HSM... ok.
Verifying PKC certificate... ok.
Verifying DAC certificate... ok.
Verifying HOC certificate... ok.
Verifying MIC certificate... ok.
Verifying MIC against rootcert... ok.
Signing and verifying challenge... ok.
Verifying HSM serial number... ok.
Overall status: Success.
 

If this test fails, contact the HSM SO.