Secure Transport Mode

Luna HSM 7 units are shipped from the factory in Secure Transport Mode (STM). The purpose of STM is to provide a logical check on the HSM firmware and critical security parameters (such as configuration, keys, policies, roles, etc.) so that the authorized recipient can determine if these have been altered while the HSM was in transit.

The Secure Transport Mode capability provides an additional layer of protection beyond the physical security controls provided by tamper-evident shipping bags.

Thales sends customers control validation information in two separate emails prior to shipment:

>Physical security control validation - an email containing the serial number of the HSM and the serial number of the associated tamper-evident bag that encloses the HSM.

>Logical control validation - an email containing the serial number of each HSM in the shipment, along with the STM Random User String and the STM Verification String associated with each HSM.

Customers can use the logical and physical HSM controls to verify that HSMs shipped from the factory have not been modified in transit. The Thales shipping procedures are designed to prevent a possible man-in-the-middle attack, as attackers would need unobserved direct access to the HSM while in transit, along with simultaneous possession of both the STM Random User String and the STM Verification String for that HSM.

Thales customers can also implement STM when shipping pre-configured HSMs between their office locations or when pre-configured HSMs are to be put into storage. Customers implementing STM have added protection because only the HSM Security Officer can place an initialized HSM into STM, or recover the HSM from STM, further increasing the difficulty of man-in-the-middle attacks.

CAUTION!   Do not place the HSM into secure transport mode (STM) when there is already an active tamper. Such action would cause a mismatch of the verification string when the HSM is brought out of transport mode. Use hsm tamperclear to clear a tamper, if one is present, before proceeding with STM.

When STM is enabled on the HSM

1. The HSM generates a random string of 16 characters and presents that as the "Random User String" (suitable for copying and pasting into an e-mail).

2. The HSM gathers several sources of internal information reflecting the state of the HSM at that time, including a random nonce value generated for this purpose; the nonce value is not displayed, and never exists outside the HSM.

3. The HSM combines these items (the generated Random User String, the HSM state information, and the random nonce value), and produces the Verification String (suitable for copying and pasting into an e-mail).

4. The HSM then enters Secure Transport Mode, such that only limited operations are allowed until the HSM is brought out of STM.

5. The HSM can now be shipped from the factory to customers, or customers can place the HSM into storage or ship securely to another location. The HSM and the STM strings should not come together until they are in the possession of the intended recipient.

STM verification email

As part of the delivery process for your new HSM, Thales Client Services will send you an email containing two 16-digit strings: a Random User String and a Verification String. You require these strings to verify that your HSM has not been altered while in transit.

NOTE   If the STM verification process fails due to a lost or incorrect verification string, customers do have the option of proceeding with the recovery of the HSM from STM mode. If the STM verification process fails due to a tamper, customers can also choose to factory-reset the HSM to bring it back to a Factory state, and then re-initialize.

Refer to the CAUTION notes below to avoid inadvertently causing a spurious STM recovery failure that would mask whether a real event had occurred.

For information about the various tamper events, see Tamper Events.

Recovering an HSM From Secure Transport Mode

Only the HSM SO can recover an initialized HSM that has been placed into STM. When the HSM is zeroized, HSM SO login is not required.

New HSMs

New HSMs are shipped from the factory in Secure Transport Mode (STM). You must recover from STM before you can initialize the HSM. As part of the delivery of your new HSM, you should have received an email from Thales Client Services containing two 16-digit strings:

>Random User String: XXXX-XXXX-XXXX-XXXX

>Verification String: XXXX-XXXX-XXXX-XXXX

To recover an HSM from STM

1. Ensure that you have the two strings that were presented when the HSM was placed into STM, or that were emailed to you if this is a new HSM.

2. If the HSM is initialized, log in as the HSM SO (see Logging In as HSM Security Officer). If this is a new or zeroized HSM, skip to the next step.

CAUTION!   Be very careful entering the HSM SO authentication. A single failed attempt increments a counter that results in a change of the generated comparison string, which will cause STM verification to fail during Secure Transport Mode recovery.

3. Recover from STM, specifying the random user string that was displayed when the HSM was placed in STM, or that was emailed to you if this is a new HSM:

lunacm:> stm recover -randomuserstring <XXXX-XXXX-XXXX-XXXX>

NOTE   The random user string is for verification purposes only. If you do not require STM validation, or you wish to bypass the STM validation, you can enter a different string to proceed with the recovery of the HSM from STM mode.

4. You are presented with a verification string. Visually compare the string with the original verification string that was sent via e-mail (or other means).

If the string matches the original verification string, the HSM has not been used or otherwise altered since STM was enabled, and can be safely re-deployed.

Enter proceed to recover from STM.

If the verification strings do not match

1. Reconfirm that you have entered the correct random user string for your HSM. Enter quit if you want to enter the string again.

2. If the verification strings still do not match:

>If this is a new HSM, enter quit to leave the HSM in Secure Transport Mode, and contact Thales Technical Support.

>Otherwise, if you feel that the verification failure was benign, enter proceed to release the HSM from Secure Transport Mode, and decide to either:

   - proceed with using the HSM, or

   - perform a factory reset and re-initialize the HSM as a safety precaution before proceeding further.
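The logical check that the "When STM is enabled" list and the recovery procedure above rely on can be modelled in a few lines. What follows is an added illustration, not Thales firmware or LunaCM code: this page does not publish how the firmware derives the Verification String, so the HMAC construction, the particular state fields (firmware version, policies, failed SO-login counter, active roles, tamper flag) and the 16-character encoding are assumptions chosen only to show the behaviour the page describes: the displayed string matches when nothing has changed, it differs after a failed SO login attempt, a role activation or a tamper, and it differs when a different random user string is entered.

```python
"""Toy model of the Luna STM logical check (added example, not Thales code).

The real firmware derivation is not published on this page; the HMAC
construction, the state fields and the string encoding below are
assumptions chosen to show the property the procedure relies on.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_uppercase + string.digits


def _fmt(raw: bytes) -> str:
    """Render 16 bytes as XXXX-XXXX-XXXX-XXXX (assumed encoding)."""
    chars = "".join(ALPHABET[b % len(ALPHABET)] for b in raw[:16])
    return "-".join(chars[i:i + 4] for i in range(0, 16, 4))


@dataclass
class HsmState:
    """Critical security parameters the check covers (assumed set, sample values)."""
    firmware: str = "7.7.2"
    policies: str = "default"
    so_failed_logins: int = 0      # the counter the CAUTION in step 2 refers to
    roles_active: tuple = ()       # CO/LCO/CU activations (pre-7.7.2 caution)
    tamper_flag: bool = False

    def snapshot(self) -> bytes:
        return repr((self.firmware, self.policies, self.so_failed_logins,
                     tuple(sorted(self.roles_active)), self.tamper_flag)).encode()


@dataclass
class Hsm:
    state: HsmState = field(default_factory=HsmState)
    in_stm: bool = False
    # The nonce is generated inside the device, never displayed, never exported.
    _nonce: bytes = field(default=b"", repr=False)

    def _verification(self, rus: str) -> str:
        # Verification String = f(Random User String, HSM state, secret nonce)
        mac = hmac.new(self._nonce, rus.encode() + self.state.snapshot(),
                       hashlib.sha256).digest()
        return _fmt(mac)

    def stm_transport(self) -> tuple[str, str]:
        """Model of `stm transport`: returns (Random User String, Verification String)."""
        self._nonce = secrets.token_bytes(32)
        rus = _fmt(secrets.token_bytes(16))
        self.in_stm = True
        return rus, self._verification(rus)

    def stm_recover(self, rus: str) -> str:
        """Model of `stm recover -randomuserstring`: the string the operator compares."""
        if not self.in_stm:
            raise RuntimeError("HSM is not in STM")
        return self._verification(rus)

    def proceed(self) -> None:
        """`proceed` at the prompt: leave STM; the nonce is discarded with it."""
        self.in_stm = False
        self._nonce = b""


def verify_shipment(hsm: Hsm, emailed_rus: str, emailed_vs: str) -> bool:
    """Recipient-side check: the displayed string must equal the emailed one."""
    return hmac.compare_digest(hsm.stm_recover(emailed_rus), emailed_vs)


if __name__ == "__main__":
    hsm = Hsm()
    rus, vs = hsm.stm_transport()        # factory side; strings travel by a separate channel
    print("untouched:", verify_shipment(hsm, rus, vs))              # True
    hsm.state.so_failed_logins += 1      # one mistyped SO password during recovery
    print("after failed SO login:", verify_shipment(hsm, rus, vs))  # False
    hsm.state.so_failed_logins -= 1
    hsm.state.tamper_flag = True
    print("after tamper:", verify_shipment(hsm, rus, vs))           # False
```

The model makes two points of the procedure concrete. First, because the nonce is mixed into the string but never leaves the device, an attacker holding the HSM alone cannot compute a fresh, matching Verification String for an altered state; only someone who also holds the emailed pair can make a substitution look clean, which is why the two strings and the hardware are sent by separate channels. Second, any covered state change, including the benign-looking failed SO login attempt from the CAUTION in step 2, flips the comparison, so a mismatch should be investigated rather than assumed to be operator error.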

Placing an HSM In Secure Transport Mode

Only the HSM SO can place an initialized HSM into STM. When the HSM is zeroized, HSM SO login is not required.

CAUTION!   Using Luna HSM Firmware 7.7.1-20 or older, before placing a multifactor quorum-authenticated HSM in Secure Transport Mode, ensure that the CO, LCO and CU roles are deactivated, using role deactivate with each role name. For Luna Network HSM 7s, roles must be deactivated for all partitions, from LunaCM in a connected client. Failure to do so can result in a mismatch when the generated strings are later compared during Secure Transport Mode recovery.

Using Luna HSM Firmware 7.7.2 or newer, this is not necessary, because placing the HSM in STM logs out and deactivates those roles, and prevents auto-reactivation. The sessions can be logged in and reactivated manually.

To place an HSM into Secure Transport Mode

1. Log in as the HSM SO (see Logging In as HSM Security Officer).

2. Back up the contents of all application partitions.

See Partition Backup and Restore for details.

3. Enter the following command to place the HSM into STM:

lunacm:> stm transport

4. After confirming the action, you are presented with:

Verification String: <XXXX-XXXX-XXXX-XXXX>

Random User String: <XXXX-XXXX-XXXX-XXXX>

Record both strings. They are required to verify that the HSM has not been altered while in STM.

CAUTION!   Transmit the verification string and random user string to the receiver of the HSM using a secure method, distinct from the transport of the physical HSM, so that it is not possible for an attacker to have access to both the HSM and the verification codes while the HSM is in STM.

This product uses semiconductors that can be damaged by electro-static discharge (ESD). When handling the device, avoid contact with exposed components, and always use an anti-static wrist strap connected to an earth ground. In rare cases, ESD can trigger a tamper or decommission event on the HSM. If this happens, all existing roles and cryptographic objects are deleted.