NOTE    

Using Luna HSM Firmware 7.7.0 and newer, 3DES keys have a usage counter attribute (CKA_BYTES_REMAINING) that limits each key instance to encrypting a maximum of 2^¹⁶ 8-byte blocks of data when the HSM is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to OFF/0). When the counter runs out, that key can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects. The CKA_BYTES_REMAINING attribute cannot be viewed if the HSM/partition is not in FIPS approved configuration.

The attribute is preserved through backup/restore using a Luna Backup HSM 7; restoring the key restores the counter's setting at the time of backup.

The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring the key resets the counter to the maximum.

The 3DES usage counter attribute (CKA_BYTES_REMAINING) has been removed in Luna HSM Firmware 7.8.4 and newer, to comply with FIPS 140-3 requirements. This attribute is now ignored on any keys where it is already set.

NOTE    

> Using Luna HSM Firmware 7.7.0 or newer, to comply with FIPS SP800-131a Rev2 published in March 2019, this mechanism is not allowed to sign data when the HSM is in FIPS approved configuration.[ LUNA-14401 ] <conditioning out because the info has been available in the Firmware 7.x.x Mechanisms table since 7.7.0 - delete after 2022 if nobody notices>Conditioned back in to match the new CRN advisory Rajiv requested for FW 7.7.0 and newer.

>CKM_DES3_MAC is no longer supported for MAC generation in FIPS approved configuration.