Performing Multifactor Quorum Authentication

When connected, the Luna PED responds to authentication commands in LunaSH or LunaCM. Commands that require PED actions include:

>Role login commands (blue, black, gray, or white PED keys)

>Backup/restore commands (red PED keys)

>Remote PED connection commands (orange PED key)

NOTE   The Luna PED screen prompts for a black PED key for any of

>"User",

>"Crypto Officer",

>"Limited Crypto Officer",

>"Crypto User".

The Luna PED is not aware that the key you present has a black or a gray sticker on it. The colored stickers are visual identifiers for your convenience in keeping track of your PED keys. You differentiate by how you label, and how you use, a given physical key that the Luna PED sees as "black" (once it has been imprinted with a secret).

When you issue a command that requires Luna PED interaction, the interface returns a message like the following:

lunash:>hsm login

Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.

The PED briefly displays the following message before prompting you for the appropriate PED key:

Whenever the Luna PED prompts you to insert a PED key, use the USB port on the top of the PED:

CAUTION!   Multiple failed authentication attempts result in zeroization of the HSM or partition, or role lockout, depending on the role. This is a security measure designed to thwart repeated, unauthorized attempts to access cryptographic material. For details, see Logging In as HSM Security Officer or Logging In to the Application Partition.

To perform multifactor quorum authentication with the Luna PED

1. The PED prompts for the corresponding PED key. Insert the PED key (or the first M of N split-secret key) and press Enter.

lunacm:>role login -name po

        Please attend to the PED.

If the key you inserted has an associated PIN, continue to step 2.

If the key you inserted has no PIN, but it is an M of N split, skip to step 3.

Otherwise, authentication is complete and the Luna PED returns control to the command interface.

Command Result : No Error

2. The PED prompts for the PIN. Enter the PIN on the keypad and press Enter.

If the key you inserted is an M of N split, continue to step 3.

Otherwise, authentication is complete and the PED returns control to the command interface.

Command Result : No Error

3. The PED prompts for the next M of N split-secret key. Insert the next PED key and press Enter.

If the key you inserted has an associated PIN, return to step 2.

Repeat steps 2 and/or 3 until the requisite M number of keys have been presented to the Luna PED. At this point, authentication is complete and the PED returns control to the command interface.

Command Result : No Error

NOTE   When authenticating an M of N split secret, the Luna USB HSM 7 cannot tell if a PED key PIN is entered incorrectly until the whole secret is reassembled. Therefore, PIN entry will appear to succeed and the authentication operation will only fail when all M PED keys have been presented.
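The steps 1 to 3 flow and the NOTE above, as an added Python model (not Thales code and not the PED's real algorithm): PED keys, PINs and the split are constructed stand-ins, the split is a plain XOR of shares so the model assumes M equals N, and the PIN is folded into a key's share so that a wrong PIN is only visible once the whole secret has been reassembled.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PedKey:
    share: bytes               # split of the role secret imprinted on the key (constructed)
    pin: Optional[str] = None  # PED PIN bound to this key, or None if the key has no PIN

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _effective_share(share: bytes, typed_pin: Optional[str]) -> bytes:
    # Model choice (not the real PED algorithm): the PIN is folded into the share,
    # so a wrong PIN yields a wrong share instead of an immediate error.
    return hmac.new((typed_pin or "").encode(), share, hashlib.sha256).digest()

def imprint(keys: List[PedKey]) -> bytes:
    """Secret the HSM stores for the role: XOR of all effective shares (model assumes M == N)."""
    secret = bytes(32)
    for key in keys:
        secret = _xor(secret, _effective_share(key.share, key.pin))
    return secret

def ped_login(expected: bytes, m: int,
              presented: List[Tuple[PedKey, Optional[str]]]) -> Tuple[bool, List[str]]:
    """Steps 1-3: each entry pairs an inserted key with the PIN typed for it (None if not prompted)."""
    trace = ["Please attend to the PED."]
    reassembled = bytes(32)
    for i, (key, typed_pin) in enumerate(presented, 1):
        trace.append(f"Step {1 if i == 1 else 3}: PED key {i} of {m} inserted")
        if key.pin is None:
            typed_pin = None                     # no PIN prompt for this key
        else:
            trace.append("Step 2: PIN entered")  # accepted here whether right or wrong
        reassembled = _xor(reassembled, _effective_share(key.share, typed_pin))
        if i == m:                               # whole secret reassembled: first point a PIN error shows
            ok = hmac.compare_digest(reassembled, expected)
            trace.append("Command Result : No Error" if ok
                         else "Command Result : Login failed (constructed message)")
            return ok, trace
    trace.append("PED still waiting: fewer than M keys presented")
    return False, trace
```

Running the wrong-PIN case shows the trace recording "Step 2: PIN entered" for the first key and the failure only after the Mth key, which is the behaviour the NOTE describes.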