PED-Authenticated HSMs

In systems or applications using Luna Network HSMs, Luna PED is required for FIPS 140-2 level 3 security. In normal use, Luna PED supplies PINs and certain other critical security parameters to the token/HSM, invisibly to the user. This prevents other persons from viewing PINs, etc. on a computer screen or watching them typed on a keyboard, which in turn prevents such persons from illicitly cloning token or HSM contents.

Two classes of users operate Luna PED: the ordinary HSM Partition Owner, and the HSM Administrator, (also called Security Officer or SO). The person handling new HSMs and using Luna PED is normally the HSM SO, who:

>Initializes the HSM

>Conducts HSM maintenance, such as firmware and capability upgrades

>Initializes HSM Partitions and tokens

>Creates users (sets PINs)

>Changes policy settings

>Changes passwords

Following these initial activities, the Luna PED may be required to present the HSM Partition Owner’s PED key or keys (in case of MofN operations) to enable ordinary signing cryptographic operations carried out by your applications.

With the combination of Activation and AutoActivation, the black PED key is required only upon initial authentication and then not again unless the authentication is interrupted by power failure or by deliberate action on the part of the PED key holders.

About CKDemo with Luna PED

As its name suggests, CKDemo (CryptoKi Demonstration) is a demonstration program, allowing you to explore the capabilities and functions of several Luna products. The demo program breaks out a number of PKCS 11 functions, as well as the Luna extensions to Cryptoki that allow the enhanced capabilities of our HSMs. However the flexibility, combined with the bare-bones nature of the program, can result in some confusion as to whether certain operations and combinations are permissible. Where these come up, in the explanation of CKDemo with Luna Network HSM with PED [Trusted Path] Authentication, and Luna PED, they are mentioned and explained if necessary.

The demo program appears to make it optional to permit several of the security operations via the keyboard and program interface, or to require that they be done only via the Luna PED keypad. In fact, the option is dictated by the Luna Network HSM, as it was configured and shipped from the factory, and cannot be changed by you. That is, you can use CKDemo to work/experiment with either type of Luna Network HSM (i.e., Luna Network HSM with Password Authentication or Luna Network HSM with PED Authentication, requiring Luna PED), but you cannot make one type behave like the other.

Security and design requirements, enforced by the Luna Network HSM with PED Authentication HSM, dictate that use of Luna PED be mandatory within the applications that you develop for it.

Interchangeability

As mentioned above, several secrets and security parameters related to HSMs are imprinted on PED keys which provide "something you have" access control, as opposed to the "something you know" access control provided by password-authenticated HSMs. The HSM can create each type of secret, which is then also imprinted on a suitably labeled PED key. Alternatively, the secret can be accepted from a PED key (previously imprinted by another HSM) and imprinted on the current HSM. This is mandatory for the cloning domain, when HSMs (or HSM partitions) are to clone objects one to the other. It is optional for the other HSM secrets, as a matter of convenience or of your security policy, allowing more than one HSM to be accessed for administration by a single SO (blue PED key holder) or more than one HSM Partition to be administered by a single Partition Owner/User.

PED keys that have never been imprinted are completely interchangeable. They can be used with any modern Luna Network HSM, and can be imprinted with any of the various secrets. The self-stick labels are provided as a visual identifier of which type of secret has been imprinted on a PED key, or is about to be imprinted. Imprinted PED keys are tied to their associated HSMs and cannot be used to access HSMs or partitions that have been imprinted with different secrets.

Any Luna PED2 can be used with any Luna Network HSM - the PED itself contains no secrets; it simply provides the interface between you and your HSM(s). The exception is that only some Luna PEDs have the capability to be used remotely from the HSM. Any Remote-capable Luna PED2 is interchangeable with any other Remote-capable Luna PED2, and any Luna PED2 (remote-capable or not) is interchangeable with any other when locally connected to a Luna Network HSM.

HSM Partitions and Backup Tokens and PED keys can be “re-cycled” for use in different combinations, but this reuse requires re-initializing the HSM(s) and re-imprinting the PED keys with new secrets or security parameters. Re-initializing a token or HSM wipes previous information from it. Re-imprinting a PED key overwrites any previous information it carried (PIN, domain, etc.).

Startup

Luna PED expects to be connected to a Luna Network HSM with Trusted Path Authentication. At power-up, it presents a message showing its firmware version. After a few seconds, the message changes to "Awaiting command..." The Luna PED is waiting for a command from the token/HSM.

The Luna PED screen remains in this status until the CKDemo program, or your own application, initiates a command through the token/HSM.

For the purposes of demonstration, you would now go ahead and create some objects and perform other transactions with the HSM.

NOTE   To perform most actions you must be logged in. CKDemo may not remind you before you perform actions out-of-order, but it generates error messages after such attempts. If you receive an error message from the program, review your recent actions to determine if you have logged out or closed sessions and then not formally logged into a new session before attempting to create an object or perform other token/HSM actions. When you do wish to end activities, be sure to formally log out and close sessions. An orderly shutdown of your application should include logging out any users and closing all sessions on HSMs.

Cloning of Tokens

To securely copy the contents of a Luna Network HSM Partition to another Luna Network HSM Partition (on the same Luna Network HSM or on another), you must perform a backup to a Luna Backup HSM from the source HSM Partition followed by a restore operation from the Backup HSM to the new destination HSM Partition. This is done via LunaSH command line, and cannot be accomplished via CKDemo.