New Features and Enhancements

Thales has introduced many new features and enhancements to Luna PCIe HSM 7 since the initial release, as described below.

>Luna PCIe HSM Release 7.7.0

>Luna HSM Client 10.2.0

>Luna HSM Firmware 7.4.2

>Luna HSM Client 10.1.0

>Luna PCIe HSM Release 7.4

>Luna PCIe HSM Release 7.3

>Luna PCIe HSM Release 7.2

>Luna PCIe HSM Release 7.1

>Luna PCIe HSM Release 7.0

Luna PCIe HSM Release 7.7.0

This release consists of:

>Luna HSM Client 10.3.0

>Luna HSM firmware 7.7.0

>Luna G7 Backup HSM B790 model

>Luna Backup HSM (G7) firmware 7.7.1

>Luna Backup HSM (G5) firmware 6.28.0

>Luna PED firmware 2.7.4 and 2.9.0

Scalable Key Storage (requires firmware 7.7.0)

Scalable Key Storage (SKS) is an optional feature that allows off-board storage of keys and objects in quantities greater than the capacity of an HSM (virtually unlimited storage), for use with Remote Signing and Sealing (RSS) and other applications that require thousands or millions of keys. An SKS Master Key (SMK), which never leaves the HSM, securely encrypts extracted keys and objects so that they remain within the HSM's security envelope and can be reinserted (decrypted inside the HSM) for immediate use by your application.

>Preserves key attributes through the life-cycle of a key.

>Provides the option of the new SKS function, or classic Luna "keys always in hardware" operation, on a partition-by-partition basis.

See Scalable Key Storage (SKS).

Per-Key Authorization (requires firmware 7.7.0)

PKA allows granular control of key material for applications requiring high assurance by providing authorization on a per-key basis.

See Per-Key Authorization (PKA).

Luna Backup HSM (G5) and (G7)

Thales previously introduced the Luna Backup HSM (G7) models B700 and B750, and now introduces the new B790 model, which includes 256 MB of storage and up to 100 backup partitions (model versions/sizes must be decided at purchase and are not field-installable upgrades of each other). Local backup is supported with Luna HSM 7.7.0 and later.

Luna Backup HSM (G5) at firmware 6.28.0 is supported with Luna HSM 7.7.0.

See Backup and Restore Using a Luna Backup HSM (G7).

Initialize the Orange RPV Key Remotely

You can now initialize the Luna PCIe HSM's Remote PED Vector (orange key) using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before the RPV is initialized. This optional method is useful if the HSM SO has only remote SSH access to the appliance. For security, the HSM must be in a zeroized (uninitialized) state. Your firewall settings must allow an HSM-initiated Remote PED connection.

See Initializing the Remote PED Vector and Creating an Orange Remote PED Key.

Luna HSM Client 10.2.0

New Luna HSM Client Operating System Support

Luna HSM Client 10.2.0 can be installed on the following new operating systems:

>Windows Server Core 2016/2019

>Red Hat Enterprise Linux 8 (including variants like CentOS 8)

See Supported Luna HSM Client Operating Systems.

Support for New Mechanisms in Luna HSM Firmware 7.4.2

Luna HSM Client 10.2.0 includes support for Luna HSM firmware 7.4.2 mechanisms.

>3GPP Mechanisms for 5G Mobile Networks

>SM2/SM4 Mechanisms

>SHA-3 Mechanisms

Luna HSM Firmware 7.4.2

This release adds support for 3GPP, SM2/SM4, and SHA-3 cryptographic functions to Luna PCIe HSMs. It consists of:

>Luna HSM firmware 7.4.2

>Luna HSM Client 7.4.0 software patch

3GPP Cryptography for 5G Mobile Networks

The new 3GPP crypto functions support the authentication and re-synchronization of a mobile device with the back-end authentication center (AUC). The Milenage, Tuak and Comp128 algorithms are available and are relevant to 2/2.5G, 3G, 4G (LTE) and newer 5G mobile networks. The primary benefit of using the Luna HSM is that the subscriber key (Ki) is never exposed in the clear outside the security perimeter of a hardware security device. Optionally, the Operator Variant string (OP) may also be encrypted under a storage key found only inside the HSM.

See 3GPP Mechanisms for 5G Mobile Networks.

SM2/SM4 Support

SM2 is comparable to Elliptic Curve (EC) cryptography in terms of key structure, though the signing algorithm is different. SM2 keys are used for sign/verify, and there is a new key type, CKK_SM2. SM4 is comparable to the Advanced Encryption Standard (AES-128) in terms of key size, though the encryption algorithm is different. SM4 keys are used for encrypt/decrypt (modes ECB, CBC, CBC-PAD), and there is a new key type, CKK_SM4.

See SM2/SM4 Mechanisms.

SHA-3 Function Support

The Luna HSM now provides SHA-3 crypto functions. The SHA-3 implementation conforms to the NIST publication FIPS PUB 202 and is implemented in the K7 firmware, so you can send message data to the Luna HSM and receive the SHA-3 digest of that data. The algorithm is implemented for digest lengths of 224, 256, 384 and 512 bits, matching the SHA-2 family of hash algorithms. Other mechanisms that make use of a digest support SHA-3 either by specifying the SHA-3 mechanism type or by specifying it in the mechanism parameters.

See SHA-3 Mechanisms.

Luna HSM Client 10.1.0

This release consists of:

>Luna HSM Client 10.1.0

Luna HSM Client 10.1 Supports Both Luna HSMs and Luna Cloud HSM Services From Data Protection on Demand

Luna HSM Client can now be used with Luna Cloud HSM services provided by Thales Data Protection on Demand. This allows you to migrate keys from a password-authenticated Luna HSM partition to a Luna Cloud HSM service or vice-versa, set up High-Availability (HA) groups that include both password-authenticated Luna partitions and Luna Cloud HSM services, and operate your local (Luna PCIe), remote (Luna Network), and cloud HSM solutions on the same client workstation.

Luna Cloud HSM client compatibility is limited to Windows and Red Hat Enterprise Linux 7-based operating systems in this release.

Refer to the following sections:

>Adding a Luna Cloud HSM Service

>Cloning Keys Between Luna 6, Luna 7, and Luna Cloud HSM

Luna G7 Backup HSM

Thales is pleased to announce the availability of the Luna G7 Backup HSM – a full-featured, hand-held, USB-attached backup HSM that includes an informational full-color display.

You can use the Luna G7 Backup HSM to back up your Luna HSM 5.x, 6.x, and 7.x user partitions.

The Luna G7 Backup HSM connects easily to a client workstation using the included USB 3.0 Type C cable, and includes a universal 5V external power supply, which may be required to power the device in some instances.

NOTE   The smart card slot located at the bottom front of the unit is reserved for future use and has been disabled in this release.

For detailed usage instructions, see Backup and Restore Using a Luna Backup HSM (G7).

Models

The Luna G7 Backup HSM is available in the following models. All models can be initialized in PED- or password-authenticated mode for backing up either PED- or password-authenticated partitions. In-field storage upgrades are not available.

Model   Storage   Partitions
B700    32 MB     up to 100 partitions of the same authentication type
B750    128 MB    up to 100 partitions of the same authentication type
B790    256 MB    up to 100 partitions of the same authentication type

To use the Luna G7 Backup HSM, you must upgrade to Luna HSM Client 10.1, a client-only field update for Linux and Windows. Luna HSM Client 10.1 provides the drivers and software updates you need to use the Luna G7 Backup HSM.

Remote PED Support on Linux

You can now host Remote PED services on a Linux workstation.

See Remote PED Setup.

Windows Secure Boot Support

The drivers included with the Luna HSM Client software for Luna PCIe HSMs, Luna Backup HSMs, Luna USB HSMs, and Luna PEDs now support Windows Secure Boot.

Luna PCIe HSM Release 7.4

This release consists of:

>Luna HSM Client 7.4.0

>Luna HSM firmware 7.4.0

Functionality Modules

Luna PCIe HSM 7.4 introduces Functionality Modules (FMs). FMs consist of your own custom-developed code, loaded and operating within the logical and physical security of a Luna PCIe HSM as part of the HSM firmware. FMs allow you to customize your Luna PCIe HSM's functionality to suit the needs of your organization. Custom functionality provided by your own FMs can include:

>new cryptographic algorithms, including Quantum algorithms

>security-sensitive code, isolated from the rest of the HSM environment

>keys and critical parameters managed by the FM, independent from standard PKCS#11 objects, held in tamper-protected persistent storage

To create FMs, you will need the Functionality Module Software Development Kit (SDK), which is included with the Luna HSM Client software. Applications that use FM functions are supported on Windows and Linux.

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset. Refer to FM Deployment Constraints for details before enabling.

See About the FM SDK Programming Guide and Functionality Modules for details and procedures.

View Utilization Metrics by Partition

Release 7.4 allows you to view utilization metrics for an individual partition or a specified list of partitions.

See Partition Utilization Metrics for details.

Ed25519ph Curve

Luna PCIe HSM firmware version 7.4.0 includes support for the ed25519ph curve variant.

See CKM_EDDSA for details.

Luna PCIe HSM Release 7.3

This release consists of:

>Luna HSM Client 7.3.0

>Luna HSM firmware 7.3.0

BIP32 Algorithm

Luna PCIe HSM 7.3 includes new mechanisms that use the BIP32 cryptographic algorithm. This allows Luna PCIe HSM to support applications that use Hierarchical Deterministic Wallets, used in Bitcoin and blockchain transactions (requires firmware 7.3.0).

JavaSP support for ECC Curve 25519

The Luna Java Provider now includes support for mechanisms using ECC Curve 25519.

Luna PCIe HSM Release 7.2

This release consists of:

>Luna HSM Client 7.2.0

>Luna HSM firmware 7.2.0

Improved Luna HSM Client

Release 7.2 adds improvements to the Luna HSM Client software:

>Enhanced Version Compatibility for Luna HSM Client — Version 7.2 and newer Luna HSM Client can be used with HSMs running Luna 6.2.1 or higher, or any Luna 7 version, without conflict. Luna HSM Client 7.2 and newer versions can coexist in large deployments. You can schedule client roll-outs at your convenience, without need to match versions across your organization. Future HSM features that do not have client-version dependencies will function without issue.

>Improved Client Installer with User-Defined Install Paths (Windows) — Luna HSM Client can be installed at user-selected locations (file paths with sufficient space), and installed Client software can be modified without uninstalling and reinstalling.

>User-Defined Client Install Paths (Linux) — Linux root-level users can install the Luna HSM Client software to an installation directory of their choice.

Relabel Partitions

The Partition SO can now change the label of an initialized partition. This allows partitions to be created ahead of time and renamed to something more suitable later, when they are allocated for a particular purpose (Requires firmware 7.2.0).

Crypto User Can Clone Public Objects

The Crypto User (CU) role has always been able to create public objects, but not clone them. In HA mode, this would cause the replication and subsequent object creation operations to fail. Firmware 7.2.0 allows the CU to clone public objects, and therefore to perform operations on HA groups without Crypto Officer authentication (Requires firmware 7.2.0).

Auto-Enabled HA Logging

Luna HSM Client now automatically enables HA logging, either when you create the first HA group, or when you update the Luna HSM Client to 7.2.0 and it detects a previously-configured HA group. If you manually turn HA logging off, logging is not auto-enabled for new HA groups.

SCP03 Encoding

The SCP03 encoding scheme, as defined in NIST SP 800-108, is now supported for Global Platform.

Luna PCIe HSM Release 7.1

This release consists of:

>Luna HSM Client 7.1.0

>Luna HSM firmware 7.1.0

Policy Templates

The HSM or Partition SO can save a copy of their organization's preferred HSM or partition policy settings to a template. They can then use this template to configure policy settings when initializing other HSMs or partitions.

This can save time and effort when deploying multiple HSMs or partitions. It also ensures consistency across your HSMs and partitions, which helps to simplify future audit and compliance requirements.

See Setting HSM Policies Using a Template and Setting Partition Policies Using a Template.

Configurable Policies for Export of Private Keys

The Partition SO can use partition policies to control whether or not the private keys in a given partition can be exported off the HSM. The ability to export private keys is particularly useful in use cases such as smart card & identity issuance, secure manufacturing, etc.

This gives organizations the ability to support a wider variety of use cases with their HSM, and also provides Partition SOs with more flexibility overall.

See Configuring the Partition for Cloning or Export of Private/Secret Keys.

Curve 25519 Available in FIPS Mode

Curve 25519 is now available for use in FIPS mode.

Luna PCIe HSM Release 7.0

This release consists of:

>New Luna PCIe HSM adapter

>Luna HSM Client 7.0.0

>Luna HSM firmware 7.0.1

Low-Profile Card

The Luna PCIe HSM 7 is smaller than its predecessors and can be installed in a half-height PCIe slot.

See Luna PCIe HSM Required Items.

Partition Security Officer

All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM.

See Partition Roles.

Best-in-Class Performance

Luna PCIe HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x Luna HSMs.

Industry-Leading Security

Luna PCIe HSM 7 provides enhanced environmental failure protection and tamper resistance.

Improved Random Number Generation

The performance of Luna PCIe HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:

>SP800-90B

>SP800-90C

>BSI DRG.4

New Cryptographic Mechanism Support

Luna PCIe HSM 7 adds support for the following cryptographic algorithms:

>SP800-108 HMAC (RSA & ECC)

>SP800-38F (KWP)

>Curve 25519

>AES-XTS - disk encryption standard

Increased Key Storage Capacity

Luna PCIe HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).

Secure Transport Mode Redesigned

Secure Transport Mode (STM) in Luna PCIe HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are displayed again. If the strings match, the HSM has not been tampered with or modified during transport.

See Secure Transport Mode.