FIPS Compliance

Luna HSMs are compliant with the Federal Information Processing Standard (FIPS), defined by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. The full capabilities of Luna HSMs, however, extend far beyond the limitations prescribed by FIPS. If your organization requires FIPS compliance, you must configure the HSM to ensure compliance by restricting these extended capabilities. This section provides guidance on setting up and using the Luna HSM to comply with FIPS, and ensuring that compliance is maintained across firmware updates. Luna Network HSM 7 and Luna PCIe HSM 7 are FIPS 140-3 Level 3 certified; Luna USB HSM 7 and Luna Backup HSM 7 are currently FIPS 140-2 certified, with FIPS 140-3 certification pending approval by NIST.

Refer to the following sections for guidance on FIPS compliance:

>Install Only FIPS-Validated Firmware

>Configuring the HSM to Operate in FIPS Mode

>Other FIPS Considerations

>RNG Entropy

>Changes to FIPS Mode Mechanisms and Operations by Firmware Version

Install Only FIPS-Validated Firmware

The Luna HSM firmware introduces new functionality with each new version, and to be compliant with FIPS, a new firmware version must be inspected and validated by NIST. Since this validation can take a long time, Thales does not submit every firmware version it releases to NIST as a FIPS candidate. In order to be compliant with the FIPS standard, you must have a FIPS-validated firmware version installed. If your organization requires FIPS validation, update the HSM firmware only to versions listed below.

NOTE    Luna Network HSM 7 appliance software and Luna HSM Client software do not affect FIPS compliance; only the HSM firmware version. Thales recommends keeping your appliance software and clients updated to the latest version whenever possible, to take advantage of the latest functionality and bug fixes.

While older firmware versions on the list below are still considered validated, each new version contains changes to the HSM functions that ensure continued compliance with the revised standard. Certain mechanisms or specific operations that have fallen below the security standard set by NIST since the last certified version are restricted. Likewise, newer mechanisms that have been validated by NIST may be allowed in FIPS mode, where they were restricted in older versions. Thales recommends that you keep your Luna HSMs requiring FIPS compliance updated to the latest FIPS-validated version, as specified in the list below.

FIPS 140-3 Level 3 Certified Luna HSM Firmware Versions

The following Luna HSM firmware versions are FIPS 140-3 Level 3 certified per certificate #4684:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4684

>Luna HSM Firmware 7.8.4 (recommended)

FIPS 140-2 Level 3 Certified Luna HSM Firmware Versions

The following Luna HSM firmware versions are FIPS 140-2 Level 3 certified per certificate #4090:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4090

>Luna HSM Firmware 7.7.1-20

>Luna HSM Firmware 7.7.1

>Luna HSM Firmware 7.7.0

The following Luna HSM firmware versions are FIPS 140-2 Level 3 certified per certificate #3205:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3205

>Luna HSM Firmware 7.3.3

>Luna HSM Firmware 7.0.3

>Luna HSM Firmware 7.0.2

>Luna HSM Firmware 7.0.1

FIPS 140-2 Level 3 Certified Luna Backup HSM 7 Firmware Versions

The following Luna Backup HSM 7 firmware versions are FIPS 140-2 Level 3 certified per certificate #4195:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4195

>Luna Backup HSM 7 Firmware 7.7.1 (recommended)

Configuring the HSM to Operate in FIPS Mode

Luna HSMs have many capabilities that are not certified by NIST. To be FIPS-compliant, the HSM must be set to FIPS mode, where any mechanisms or cryptographic operations that are not FIPS-certified are blocked from use. FIPS mode is set using HSM or partition policies as described below.

Setting FIPS Mode on the HSM

You can set the HSM to FIPS mode using HSM policy 12: Allow non-FIPS algorithms. When this policy is set to OFF, algorithms that are not FIPS-validated are blocked from use on every partition on the HSM, and the HSM is operating in FIPS mode. There are two methods of setting this policy:

>The HSM SO can use a policy template to set the policy at initialization (see Setting HSM Policies Using a Template). This method is recommended for auditing purposes -- it ensures that the HSM is in FIPS mode for its entire use cycle.

>The HSM SO can set the policy manually after initializing the HSM (see Setting HSM Policies Manually).

NOTE   HSM policy 12: Allow non-FIPS algorithms is destructive; changing it results in the entire HSM being zeroized and all partitions destroyed. This is to prevent keys that were created and used in a non-FIPS approved environment from existing in a FIPS-approved environment, and vice-versa.

To check the current status of FIPS mode on the HSM, log in to LunaSH and use lunash:> hsm show. In FIPS mode, a variation of the following text is displayed:

   FIPS Operation:
   =====================
   The HSM is in FIPS approved operation mode.

Setting FIPS Mode on Individual Application Partitions

Using Luna HSM Firmware 7.7.1 or newer (Luna HSM Firmware 7.7.1-20 recommended), you can now set FIPS mode on individual application partitions, independently of other partitions on the same HSM.

Prerequisite

HSM policy 12: Allow non-FIPS algorithms must be set to ON on the HSM.

To set FIPS mode on an application partition

You can set the partition to FIPS mode using partition policy 43: Allow non-FIPS algorithms. When this policy is set to 0, algorithms that are not FIPS-validated are blocked from use, and the partition is operating in FIPS mode. There are two methods of setting this policy:

>The Partition SO can use a policy template to set the policy to 0 at initialization (see Setting Partition Policies Using a Template). This method is recommended for auditing purposes -- it ensures that the partition is in FIPS mode for its entire use cycle.

>The Partition SO can set the policy to 0 manually after initializing the partition (see Setting Partition Policies Manually).

NOTE   Partition policy 43: Allow non-FIPS algorithms is destructive when changing from 0 to 1; this change results in the partition being zeroized. This is to prevent keys that were created and used in a FIPS-approved environment from existing in a non-FIPS-approved environment.

Setting FIPS Mode on Luna Backup HSM 7

Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.

When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.

NOTE   HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL.

To configure the Luna Backup HSM 7 for FIPS compliance

1.On the Luna HSM Client computer, run LunaCM.

2.Set the active slot to the Luna Backup HSM 7.

lunacm:> slot set -slot <slot_id>

3.Log in as Backup HSM SO.

lunacm:> role login -name so

4.Set HSM policy 55: Enable Restricted Restore to 1.

lunacm:> hsm changehsmpolicy -policy 55 -value 1

5.[Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.

lunacm:> hsm showinfo

*** The HSM is in FIPS 140-2 approved operation mode. ***

Other FIPS Considerations

Certain Luna features can affect FIPS compliance, or the behavior of the HSM in FIPS mode. Those features and their effects on FIPS are described below.

Functionality Modules and FIPS Mode

FMs change the abilities of the HSM firmware, adding new cryptographic algorithms or other functions. Since the new functionality is not certified by NIST, be sure that your FM does not break FIPS compliance. To be certain that your organization is meeting FIPS requirements, ensure that you are using a FIPS-certified version of the Luna HSM firmware, and that your Luna Network HSM 7 has the following HSM policy settings:

>HSM policy 12: Allow non-FIPS algorithms: OFF

>HSM policy 50: Allow Functionality Modules: OFF

NOTE   Using Luna HSM Firmware 7.4.2 and older, this restriction is enforced; it is not possible to set HSM policy 50: Allow Functionality Modules to ON while HSM policy 12: Allow non-FIPS algorithms is OFF. Using newer firmware versions, it is possible to enable FMs in FIPS mode, but your FM functionality may not be FIPS-compliant; refer to NIST standards to ensure compliance.

If FIPS compliance is not required, then enabling FMs does not present an issue for you. Enabling Functionality Modules (setting HSM policy 50: Allow Functionality Modules to ON) is not reversible. For more information about HSM policies, see HSM Capabilities and Policies.

Mixed FIPS/non-FIPS High-Availability Groups

Thales does not recommend creating HA groups using a combination of FIPS and non-FIPS partitions, as such groups would not be FIPS compliant for auditing purposes. If you do wish to create such groups, however, you require a minimum client version or the operation will be blocked:

>If you are using Luna HSM Client 10.4.0 or newer, you can set up an HA group with a mix of FIPS and non-FIPS partitions as members. However, some limitations must be considered. For more information, refer to Key Replication.

>If you are using Luna HSM Client 10.3.0 or older, you cannot set up an HA group with a mix of FIPS and non-FIPS partitions as members.

RSA-186 Mechanism Remapping for FIPS Compliance

Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. RSA PKCS and X9.31 key generation is not approved in a FIPS-compliant HSM. While Luna 6.10.9 firmware allows these older mechanisms, later firmware does not (and keys created using these mechanisms cannot be replicated to Luna 7 HSMs or Luna Cloud HSM services).

If you have older applications that use RSA PKCS and X9.31 key generation, you can remap these calls to use the newer, secure mechanisms. Add a line to the Chrystoki.conf/crystoki.ini configuration file as follows:

[Misc]
RSAKeyGenMechRemap=1

RNG Entropy

Luna HSM 7 Firmware includes a FIPS 140-2 Level 3-certified Random Bit Generator with an SP 800-90B certified entropy source. The entropy source is the bit that generates the raw entropy bits, conditions these to increase entropy per-bit and health-tests the samples. These bits are then fed to a Deterministic Random Bit Generator (DRBG) which independently is NIST CAVP approved.

The Random Bit Generator and entropy source are FIPS 140-2 Level 3 certified per certificate #E98:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/entropy-validations/certificate/98

Changes to FIPS Mode Mechanisms and Operations by Firmware Version

This section provides details about changes to mechanisms and their functionality when in FIPS mode.

NOTE   Thales is continuously updating FIPS criteria with each new firmware version; even if a particular firmware is not submitted for FIPS validation, it may include changes to the way mechanisms work in FIPS mode. It is possible to operate any Luna firmware version in FIPS mode, but only versions validated by NIST are considered compliant with the standard (see Install Only FIPS-Validated Firmware).

FIPS Changes in Luna HSM Firmware 7.8.7 and Newer

New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF), to comply with FIPS 186-5 Digital Signature Standard (NIST SP 800-186).

Mechanisms no longer available in FIPS mode

The following mechanisms are now restricted from use in FIPS mode:

>CKM_AES_MAC

>CKM_AES_MAC_GENERAL

>CKM_DES3_MAC

>CKM_DES3_MAC_GENERAL

>CKM_DSA_KEY_PAIR_GEN

>CKM_DSA_PARAMETER_GEN

Mechanisms not permitted to sign objects in FIPS mode

The following mechanisms are not permitted to sign objects in FIPS mode:

>CKM_DSA

>CKM_DSA_SHA224

>CKM_DSA_SHA256

>CKM_RSA_X9_31

>CKM_SHA3_224_DSA

>CKM_SHA3_256_DSA

>CKM_SHA3_384_DSA

>CKM_SHA3_512_DSA

>CKM_SHA224_RSA_X9_31

>CKM_SHA256_RSA_X9_31

>CKM_SHA384_RSA_X9_31

>CKM_SHA512_RSA_X9_31

FIPS Changes in Luna HSM Firmware 7.8.4 and Newer

New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF), to comply with NIST's planned withdrawal of FIPS SP800-67 Rev2 on January 1, 2024.

Mechanisms not permitted to encrypt objects in FIPS mode

The following mechanisms are not permitted to encrypt objects in FIPS mode:

>CKM_DES_CFB8

>CKM_DES_CFB64

>CKM_DES_OFB64

>CKM_DES3_CBC

>CKM_DES3_CBC_PAD

>CKM_DES3_CTR

>CKM_DES3_ECB

The following encryption mechanisms are no longer available in FIPS mode:

>CKM_DES3_CBC_ENCRYPT_DATA

>CKM_DES3_ECB_ENCRYPT_DATA

DES3 encryption is blocked in ECIES mechanisms.

HMAC mechanisms are blocked from using a DES3 key for signing.

>CKM_SHA3_224_HMAC

>CKM_SHA3_224_HMAC_GENERAL

>CKM_SHA3_256_HMAC

>CKM_SHA3_256_HMAC_GENERAL

>CKM_SHA3_384_HMAC

>CKM_SHA3_384_HMAC_GENERAL

>CKM_SHA3_512_HMAC

>CKM_SHA3_512_HMAC_GENERAL

Mechanisms not permitted to sign objects in FIPS mode

The following mechanisms are not permitted to sign objects in FIPS mode:

>CKM_DES3_CMAC

>CKM_DES3_CMAC_GENERAL

CKM_RSA_PKCS not permitted to decrypt/unwrap objects in FIPS mode

CKM_RSA_PKCS is now restricted from performing decrypt/unwrap operations in FIPS mode.

Firmware 7.8.4 and newer - behavior notes

In addition to the above, if you update your HSM's firmware to version 7.8.4 or newer, be aware of the following.

Cloning protocol versions and interactions

Cloning protocol version 1 (CPv1) has been the standard protocol for many years,

>to clone keys and objects between Luna HSMs (between application partitions on the same or different HSMs) directly, including Luna Cloud HSM

>to clone keys and objects among members of HA groups

>to clone keys and objects when backing up to a Luna backup HSM or when restoring from backup.

CPv1 uses older mechanisms, and is being superseded by CPv4.

Noteworthy between the two is that CPv4 permits a selection of cipher suites to secure the cloning process. Most situations would be perfectly fine with whatever ciphers are negotiated from those available, while some industries or government standards might mandate excluding certain ciphers.

As of firmware 7.8.4, CPv1 is disallowed when the HSM is in FIPS mode (HSM Policy 12: Enable non-FIPS algorithms set to value 0), which means that only CPv4 is available for cloning. See Cloning Protocols and Cipher Suite Selection. This includes cloning in either direction between Luna Cloud HSM and on-premises Luna HSMs. When that HSM-level policy is 0 (known as FIPS mode) all application partitions in the HSM are forced to FIPS mode.

If the HSM is in non-FIPS mode (HSM Policy 12 set to value 1), then FIPS mode can be set ON or OFF for individual application partitions. This has the effect that CPv1 is still allowed for an individual partition within the HSM if Partition Policy 43 is set to value 0, for that partition.

Firmware update effects on crypto mechanism behaviors always prevail

Partition Policy 33: Allow RSA PKCS mechanism can still be set to value 1 to function as before, if you had been using that setting. However, the mechanism settings enforced by your current firmware version will prevent disallowed operations -- as newer and newer firmware versions are released, older/weaker mechanisms can be further restricted or disallowed, for reasons of security and of compliance with standards. Always check the latest documentation in case a new firmware might disrupt your use-case.

HA Login implication

High Availability Indirect Login is a form of High Availability grouping that some customers implement via the Luna Software Development Kit and Thales' extensions to PKCS#11. See High Availability Indirect Login. Older versions, prior to HSM firmware version 7.7.0 use RSA_PKCS to encrypt the RND value during HA Indirect Login Setup. Versions 1.x cannot be used (we block logging in from latest-FW primary to a secondary FW that uses Version 1.x). Version 2 (FW >= 7.7.0) uses AES-256-KWP instead.

FIPS Changes in Luna HSM Firmware 7.8.0 and Newer

The following mechanism is now restricted from use in FIPS mode:

>CKM_X9_42_DH_PARAMETER_GEN

FIPS Changes in Luna HSM Firmware 7.7.2 and Newer

The following mechanisms have new operation restrictions in FIPS mode:

>CKM_RSA_PKCS: cannot encrypt | Cannot legacy decrypt | Cannot legacy unwrap

>CKM_RSA_PKCS_OAEP: Cannot legacy decrypt | Cannot legacy unwrap

FIPS Changes in Luna HSM Firmware 7.7.0 and Newer

New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF), to comply with FIPS SP800-131a Rev2, published in March 2019.

Mechanisms not permitted to wrap objects in FIPS mode

The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):

>CKM_AES_CBC

>CKM_AES_CBC_PAD

>CKM_AES_CTR

>CKM_AES_ECB

>CKM_DES3_CBC

>CKM_DES3_CBC_PAD

>CKM_DES3_CTR

>CKM_DES3_ECB

>CKM_RSA_PKCS

Mechanisms not permitted to sign data in FIPS mode

The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):

>CKM_AES_MAC

>CKM_AES_MAC_GENERAL

>CKM_DES3_MAC

>CKM_DES3_MAC_GENERAL

>CKM_DSA_SHA1

>CKM_ECDSA_SHA1

>CKM_SHA1_RSA_PKCS

>CKM_SHA1_RSA_PKCS_PSS

>CKM_SHA1_RSA_X9_31

3DES Usage Counter

Using Luna HSM Firmware 7.7.0 and newer, 3DES keys have a usage counter attribute (CKA_BYTES_REMAINING) that limits each key instance to encrypting a maximum of 2^¹⁶ 8-byte blocks of data when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF). When the counter runs out, that key can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects.

The CKA_BYTES_REMAINING attribute is available when HSM policy 12: Allow non-FIPS algorithms is set to OFF, but cannot be viewed if the policy is set to ON.

The attribute is preserved through backup/restore using a Luna Backup HSM 7; restoring the key restores the counter's setting at the time of backup.

The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring the key resets the counter to the maximum.

Mechanisms approved for use in FIPS mode

The following mechanisms are now approved for use in FIPS mode:

>CKM_SHA3_224

>CKM_SHA3_224_DSA

>CKM_SHA3_224_ECDSA

>CKM_SHA3_224_RSA_PKCS

>CKM_SHA3_224_RSA_PKCS_PSS

>CKM_SHA3_256

>CKM_SHA3_256_DSA

>CKM_SHA3_256_ECDSA

>CKM_SHA3_256_RSA_PKCS

>CKM_SHA3_256_RSA_PKCS_PSS

>CKM_SHA3_384

>CKM_SHA3_384_DSA

>CKM_SHA3_384_ECDSA

>CKM_SHA3_384_RSA_PKCS

>CKM_SHA3_384_RSA_PKCS_PSS

>CKM_SHA3_512

>CKM_SHA3_512_DSA

>CKM_SHA3_512_ECDSA

>CKM_SHA3_512_RSA_PKCS

>CKM_SHA3_512_RSA_PKCS_PSS

>CKM_SHAKE_128

>CKM_SHAKE_256

FIPS Changes in Luna HSM Firmware 7.1.0 and Newer

The following mechanisms are now available in FIPS mode:

>CKM_EC_MONTGOMERY_KEY_PAIR_GEN