Updating Luna Network HSM with STC Partitions to 7.7.0 or Newer
The Luna 7.7.0 release includes substantial improvements to Secure Trusted Channel (STC). If you have been using STC with an older version of the Luna software/firmware, your STC identities are no longer compatible with the updated STC. Follow the procedure below to ensure that your cryptographic objects are preserved during the update process. This procedure must be performed in part by the HSM SO, and by the Partition SO and Crypto Officer for each STC partition on the HSM.
CAUTION! Certain essential steps in this procedure are destructive; ensure that all STC partitions on the HSM are fully backed up to avoid losing your cryptographic objects.
Cryptography is enhanced (requires firmware 7.7.0)
New FIPS and Common Criteria compliant cipher suites are added -- ECDH P-521 + AES-GCM and ECDH P-521 + AES-CTR + HMAC-SHA-512 -- for key derivation, encryption and authentication.
Key Derivation – Perfect forward secrecy
>Each party provides an ephemeral key and a static key
>Compromising the static key doesn’t compromise all past and future communications
Bilateral Key Confirmation and Unidirectional AES keys [NIST requirement]
>Both parties ensure that the other party has derived the same keys
>2 AES keys are derived: one for encryption and one for decryption
>Prevents reverse replay attacks
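The three properties listed above (ephemeral plus static keys with forward secrecy, bilateral key confirmation, and one AES key per direction) are shown in the following illustrative model, added for this page. It is not Thales's STC implementation or wire format; the names Party, Derive, ConfirmTag, Seal, Open and RunHandshake, the direction labels, and the sample request string "C_GenerateKeyPair" are all constructed for the example. It uses only the Go standard library (P-521 ECDH, AES-256-GCM, HMAC-SHA-512, and a hand-rolled RFC 5869 HKDF) and models the ECDH P-521 + AES-GCM suite; the AES-CTR + HMAC-SHA-512 variant is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
)

func must[T any](v T, err error) T { // any failure in the model aborts the run
	if err != nil {
		panic(err)
	}
	return v
}

// Party is one end of the channel (client or HSM): a static key plus a single-use ephemeral key, both P-521.
type Party struct{ static, eph *ecdh.PrivateKey }

func NewParty() *Party {
	gen := func() *ecdh.PrivateKey { return must(ecdh.P521().GenerateKey(rand.Reader)) }
	return &Party{static: gen(), eph: gen()}
}

// SessionKeys: one AES-256 key per direction plus a key-confirmation MAC key.
type SessionKeys struct {
	ClientToHSM, HSMToClient [32]byte
	Confirm                  [64]byte
}

func mac(key []byte, parts ...[]byte) []byte { // HMAC-SHA-512 over the concatenation of parts
	m := hmac.New(sha512.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// hkdfSHA512 is a minimal RFC 5869 extract-then-expand (no third-party module needed).
func hkdfSHA512(ikm, info []byte, n int) []byte {
	prk, out, prev := mac(nil, ikm), []byte{}, []byte{}
	for i := byte(1); len(out) < n; i++ {
		prev = mac(prk, prev, info, []byte{i})
		out = append(out, prev...)
	}
	return out[:n]
}

// Derive mixes three ECDH secrets: ephemeral x ephemeral (the only term giving forward
// secrecy, because both ephemeral private keys are discarded) and each static key against
// the peer's ephemeral key (binds both identities). Terms are ordered client-first on both sides.
func Derive(me *Party, peerStatic, peerEph *ecdh.PublicKey, isClient bool) *SessionKeys {
	ee := must(me.eph.ECDH(peerEph))
	sMine := must(me.static.ECDH(peerEph)) // my static x peer ephemeral
	sPeer := must(me.eph.ECDH(peerStatic)) // my ephemeral x peer static
	myEph := me.eph.PublicKey().Bytes()
	parts := [][]byte{ee, sMine, sPeer, myEph, peerEph.Bytes()}
	if !isClient { // the HSM holds the same values with the roles swapped
		parts = [][]byte{ee, sPeer, sMine, peerEph.Bytes(), myEph}
	}
	okm := hkdfSHA512(bytes.Join(parts[:3], nil), bytes.Join(parts[3:], nil), 128)
	k := &SessionKeys{}
	copy(k.ClientToHSM[:], okm[:32])
	copy(k.HSMToClient[:], okm[32:64])
	copy(k.Confirm[:], okm[64:])
	me.eph = nil // single-use; dropping it is what makes past sessions unrecoverable
	return k
}

// ConfirmTag proves this side derived the same keys; the direction label stops reflection.
func ConfirmTag(k *SessionKeys, direction string) []byte { return mac(k.Confirm[:], []byte(direction)) }

// Seal returns nonce||ciphertext||tag under the sender's directional key.
func Seal(key [32]byte, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open fails when the record was not made under key, e.g. a receiver's own traffic reflected back.
func Open(key [32]byte, record []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
	if n := gcm.NonceSize(); len(record) >= n {
		return gcm.Open(nil, record[:n], record[n:], nil)
	}
	return nil, errors.New("record too short")
}

// RunHandshake plays one session: identical keys? confirmation passed? reflected record rejected?
func RunHandshake() (keysMatch, confirmed, reverseRejected bool, request string) {
	client, hsm := NewParty(), NewParty()
	cEph, hEph := client.eph.PublicKey(), hsm.eph.PublicKey() // exchanged in the clear
	kc := Derive(client, hsm.static.PublicKey(), hEph, true)
	kh := Derive(hsm, client.static.PublicKey(), cEph, false)
	keysMatch = *kc == *kh
	confirmed = hmac.Equal(ConfirmTag(kh, "client->hsm"), ConfirmTag(kc, "client->hsm")) &&
		hmac.Equal(ConfirmTag(kc, "hsm->client"), ConfirmTag(kh, "hsm->client"))
	record := Seal(kc.ClientToHSM, []byte("C_GenerateKeyPair")) // constructed sample request
	request = string(must(Open(kh.ClientToHSM, record)))
	_, err := Open(kc.HSMToClient, record) // an attacker reflects the client's record back at it
	reverseRejected = err != nil
	return
}
```

RunHandshake returns true, true, true and the decrypted request: both sides derive identical keys, each verifies the other's direction-labelled confirmation tag, and a client-to-HSM record replayed back to the client fails to authenticate because the client only opens records under the HSM-to-client key. Forward secrecy comes from the ephemeral/ephemeral term: once Derive discards the ephemeral private key, a later compromise of either static key leaves that session's keys uncomputable.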
Prerequisites
>[PED-authenticated] You require access to a Luna PED, updated to a supported firmware version:
• Luna PED firmware 2.7.4 or newer for older PED
• Luna PED firmware 2.9.0 or newer for refreshed PED
See Updating Luna PED Firmware (for older-version PED that requires a power-block).
>Update the Luna HSM Client software on all clients to 10.3.0 or newer (see Updating the Luna HSM Client Software).
>You require a Luna Backup HSM (G5 or G7-based). Earlier firmware versions can be used for migration purposes, but after this procedure, the following minimum Backup HSM firmware versions are required to back up and restore the updated partitions:
• Luna Backup HSM (G7) firmware 7.7.1 or newer (see Updating the Luna Backup HSM (G7) Firmware)
• Luna Backup HSM (G5) firmware 6.28.0 or newer (see Updating the Luna Backup HSM (G5) Firmware)
To update Luna Network HSM with STC Partitions to 7.7.0 or Newer
1. Crypto Officer for each STC partition: Back up all cryptographic objects. Parts of the update process are destructive; ensure that your partitions are fully backed up before proceeding.
• Backup and Restore Using a Luna Backup HSM (G7)
• Backup and Restore Using a Luna Backup HSM (G5)
2. Partition SO for each STC partition: Disable partition policy 37: Force Secure Trusted Channel. This is a destructive action; ensure that the partition is backed up before proceeding (see Setting Partition Policies Manually).
At this point in the procedure, all affected partitions have been zeroized and are available to the client using NTLS connections. Partition roles and credentials are preserved.
3. HSM SO: If you have STC enabled on the admin channel, disable it (see Disabling the STC Admin Channel).
4. HSM SO: Disable HSM policy 39: Allow Secure Trusted Channel (see Setting HSM Policies Manually).
5. HSM SO: Proceed with the appliance software update (see Updating the Luna Network HSM Appliance Software).
6. HSM SO: Install the HSM firmware update (see Updating the Luna HSM Firmware).
7. Partition SO for each STC partition: Re-establish the STC connection for each client and partition. Since the partitions are already initialized, use the following procedure. You must re-create the STC client identity on each affected client:
• Converting Initialized NTLS Partitions to STC
If you have STC partitions that are being accessed by multiple clients, each client must re-create the STC client identity and re-establish connections using the following procedure:
• Connecting an Initialized STC Partition to Multiple Clients
8. Crypto Officer for each STC partition: You may now restore your cryptographic objects from backup.
• Restoring From a Client-Connected Luna Backup HSM (G7)
• Backup/Restore Using a Client-Connected Luna Backup HSM (G5)
