Local PED Setup

A Local PED connection is the simplest way to set up the Luna PED. In this configuration, the PED is connected directly to the HSM card. It is best suited for situations where all parties who need to authenticate credentials have convenient physical access to the HSM. When the HSM is stored in a secure data center and accessed remotely, you must use a Remote PED setup.

Setting Up a Local PED Connection

The Luna Network HSM 7 administrator can use these directions to set up a Local PED connection. You require:

>Luna PED with Luna PED Firmware 2.7.1 or newer

>USB mini-B to USB-A connector cable

>Luna PED DC power supply (if included with your Luna PED)

To set up a Local PED connection

1.Connect the Luna PED to the HSM using the supplied USB mini-B to USB-A connector cable.

NOTE   To operate in Local PED-USB mode, the Luna PED must be connected directly to the HSM card's USB port, and not one of the other USB connection ports on the appliance.

2.Luna PED Firmware 2.8.0 and newer is powered via the USB connection. If you are using Luna PED Firmware 2.7.1, connect it to power using the Luna PED DC power supply.

As soon as the PED receives power, it performs start-up and self-test routines. It verifies the connection type and automatically switches to the appropriate operation mode when it receives the first command from the HSM.

3.If you prefer to set the operation mode to Local PED-USB manually, see Changing Modes.

The Luna PED is now ready to perform authentication for the HSM. You may proceed with setting up or deploying your Luna Network HSM 7. All commands requiring authentication (HSM/partition initialization, login, etc.) will now prompt the user for action on the locally-connected Luna PED.

PED Actions

There are several things that you can do with the Luna PED at this point:

>Wait for a PED authentication prompt in response to a LunaSH or LunaCM command (see Performing Multifactor Quorum Authentication)

>Create copies of your PED keys (see Duplicating Existing PED keys)

>Change to the Admin Mode to run tests or update PED software (see Changing Modes)

>Prepare to set up a Remote PED server (see About Remote PED)

Secure Local PED

PED firmware can be updated to Luna PED Firmware 2.7.4 or newer on a PED with older CPU, and to Luna PED Firmware 2.9.0 or newer on a PED with new CPU.

>The firmware update is optional for multifactor quorum-authenticated HSMs with firmware versions older than Luna HSM Firmware 7.7.0, and required to work with HSMs at Luna HSM Firmware 7.7.0 and newer. This combination complies with an eIDAS-related requirement for an updated secure channel.

>The updated secure channel for Remote PED operation is now also replicated in the local channel, but because it is local it does not need to be mediated via an orange PED key. The Luna PED, however, sees both local and remote connections as equivalent.

NOTE   Pressing the "<" key on the Luna PED, to change menus, now warns that the RPV will be invalidated, even though the local connection does not use an orange PED Key. Simply ignore the message.

Secure Communication Between the Local PED and Luna Network HSM 7s With Firmware 7.7.0 and Newer

Luna HSM Firmware 7.7.0 introduces a level of protection for data that is exchanged between the Local PED (running Luna PED Firmware 2.7.4 or Luna PED Firmware 2.9.0) and Luna Network HSM 7. All exchanged data is protected in the following way:

>All CSPs exchanged between the Local PED and the Luna Network HSM 7 are protected using an AES-256-KWP CSP wrapping key (CWK).

>The CWK is established using the One-pass Diffie-Hellman key agreement scheme C(1e, 1s ECDH CDH) with unilateral key confirmation, as defined in NIST Special Publication 800-56A Revision 3.The key agreement scheme requires the following:

The Luna Network HSM 7 uses a static ECDH key pair. In this case, the HSM generates its own static P-521 ECDH key on startup and the key is assigned a certificate which chains back to the HSM’s ECC HOC.

The Local PED uses an ephemeral ECDH key pair. In this case, the Local PED generates its ephemeral P-521 ECDH key pair during the key agreement.

>The SHA-512 based Single-step key derivation function defined in NIST Special Publication 800-56C Revision 1 is used to derive the CWKs from the shared secret. The derivation function derives separate CWKs for HSM-to-Local PED and Local PED-to-HSM communication.