HSM Roles and Secrets

SafeNet Luna HSM products offer multiple identities, some mandatory, some optional, that you can invoke in different ways to map to roles and functions in your organization. The following topics offer some elements to consider before you commit to an HSM configuration.

Roles

Roles that access the HSM, the cryptographic engine within or connected to the host, include:

Mandatory Roles

>HSM Security Officer (SO): responsible for initialization of the HSM, setting and changing of HSM Policies (based on the HSM's Capabilities), creation and deletion of application partitions

>Partition Security Officer (PO): responsible for initializing the Crypto Officer role on the partition, resetting passwords, setting and changing partition-level Policies (based on the HSM's and the partition's Capabilities)

>Crypto Officer (CO): responsible for initializing the Crypto User role, and for creating and modifying cryptographic objects in the HSM partition (see HSM Roles and Secrets)

Optional Roles

>Auditor (Au): responsible for managing HSM audit logging, independent from other roles on the HSM

>Crypto User (CU): responsible for using cryptographic objects (encrypt/decrypt, sign/verify...) in the HSM partition (see HSM Roles and Secrets)

Secrets

In addition to the HSM roles listed above, certain other HSM-wide secrets exist for special purposes. Those include:

>Cloning domain: determines whether the "cloning" (secure copy of cryptographic objects) operation is possible between two HSMs (which must share identical domain secrets) - applies to password-authenticated HSMs and to PED-authenticated HSMs; cloning is used in some forms of backup, as well as in HA

>Remote PED vector (PED-authenticated HSMs only): permits establishing a secure path for the HSM to access remotely-located Luna PED and PED keys

Enhanced Cryptoki Model

The separation of roles on the SafeNet Luna PCIe HSM follows an enhanced Cryptoki model:

HSM Security Officer (SO)

The HSM SO has control of the HSM within the SafeNet Luna PCIe HSM appliance. To access HSM SO functions, you must first be logged in as appliance admin.

In addition to all the other appliance functions, a user who has authenticated with the HSM SO credential can:

>Create and delete partitions

>Backup and restore the HSM

>Change HSM Policies

Partition Security Officer (PO)

The Partition Security Officer has control of one or more partitions (virtual HSMs) within the SafeNet Luna PCIe HSM. To access Partition SO functions, you must log in using LunaCM on a registered Client computer.

The Partition SO, when logged in to the partition, can:

>Modify partition policies

>Backup and restore partition contents

>Initialize the Crypto Officer role

Crypto Officer (CO)

The Crypto Officer has full Read-Write access to the partition through the LunaCM utility on a registered Client computer. The Crypto Officer partition credential allows a Client application to perform any cryptographic operation, including:

>key generation/deletion

>wrap/unwrap

>encrypt/decrypt

>sign/verify

The Crypto Officer can also initialize the optional Crypto User role.

Crypto User (CU)

The Crypto User is a restricted Read-only Client user. Once initialized, the authenticated Crypto User can access cryptographic materials already existing on the partition (for signing, verifying, encrypting, decrypting), but cannot manipulate those objects (no generating, deleting, or wrapping/unwrapping).

The Crypto User role is optional. If you have no security requirement for this role, it can remain uninitialized and all Client applications can access the partition using the Crypto Officer credential.

Comparing Password and PED Authentication

SafeNet Luna PCIe HSM with PED Authentication splits the partition access into two layers, a primary and optional secondary credential. The primary credential is the secret contained on the CO or CU's PED key (and the optional PED PIN). The secondary credential is a password string, set by the CO or CU. The Partition SO can Activate a partition to allow the primary credential to be cached. Thereafter, the CO or CU (and their Client applications) can login to the partition using the secondary credential.

For SafeNet Luna PCIe HSM with Password Authentication, the partition password is the only layer of authentication to a partition. Therefore, any registered Client with that password has access to the partition.

Bad Login Attempts

By default, both the Crypto Officer and the Crypto User can each make 10 consecutive failed login attempts before invoking consequences.

Submissions of incorrect passwords are not counted as incorrect black PED key attempts.

NOTE   The HSM must actually receive some information before it logs a failed attempt, so if you merely forget to insert a PED key, or provide a wrong-color key, it is not logged as a failed attempt. When you successfully login, the bad-attempt counter is reset to zero.