Luna HSMs regularly qualify against relevant standards that are important in the information security, data protection, and transaction protection spaces, and for which a business case supports the resource expenditure. Validation is repeated/updated when product changes warrant doing so, according to the respective standards and the requirements of the qualified testing laboratories.. HSM validations are reacquired when major new versions of applicable standards are released, and are also kept up with minor submissions and adjustments when a standard is tweaked or when interpretations shift on the part of testing/validation laboratories.
Under Common Criteria, Thales has looked to qualify our Luna HSM products against eIDAS standards relevant to general purpose hardware security modules.
Luna HSMs are eIDAS certified as Qualified Signature Creation Devices and Qualified Seal Creation Devices (QSCD), and are used by Qualified Trust Service Providers (QTSP) in the role of their root of trust.
See https://cpl.thalesgroup.com/compliance/eidas and https://cpl.thalesgroup.com/compliance/americas/fips-140-2
CC takes the view that a solution is validated for a purpose, which generally means that a number of moving parts are considered in concert. Thus an HSM is evaluated as an element of an overall solution that also includes software products, procedures, and systems all interacting. The following documents provide expanded detail on the relevant topics.
DOW0006186 (KB0023049) is "Thales Luna K7(+) Cryptographic Module COMMON CRITERIA USER GUIDANCE - PART 1: PREPARATIVE PROCEDURES"
DOW0006187 (KB0023050) is "Thales Luna K7(+) Cryptographic Module COMMON CRITERIA USER GUIDANCE - PART 2: OPERATIONAL GUIDANCE"
DOW0006188 (KB0023051) is "Thales Luna K7(+) Cryptographic Module COMMON CRITERIA USER GUIDANCE - PART 3: EIDAS GUIDANCE"
DOW0006189 (KB0023052) is "Thales Luna K7(+) Cryptographic Module COMMON CRITERIA USER GUIDANCE - PART 4 TOE INTEGRATION FOR USE IN COMPOSITE EVALUATION"
The K7 module referred to, in those document titles,
>is the heart of the Luna Network HSM 7 (Luna Network HSM appliance) and
>is also available in a separate PCIe card format for insertion in a host system (Luna PCIe HSM).
| Roles | Principal Duties |
|---|---|
|
HSM Security Officer
|
The HSM SO is responsible for managing the HSM. As such, they are authorized to install and configure the HSM, set and maintain global HSM security policies. They are also able to request the load of new HSM firmware update files (FUF), new Configuration Update Files (CUF) and new Functional Modules (FM). The HSM SO is able to create and delete partitions, but is not authorized to generate, load or use keys stored on the user partitions that have been created. The HSM SO is able to create, manage and use keys created in the Admin Partition alongside is responsible for initializing the ‘Administrator role’. The HSM SO can reset the Administrator password (configuration dependent). The HSM can have only one HSM SO. |
|
[Admin Partition Role] |
The Administrator is authorized to create, use, transfer and destroy key objects contained in the Admin partition. This role has privileges that are a subset of the HSM SO role. |
|
Partition Security Officer (Partition SO)
[User Partition Role] |
The Partition SO creates the partition level Partition CO role, activates partition, sets and changes partition-level policies, with an option to reset the Partition CO password (configuration dependent). |
|
Partition Crypto Officer (Partition CO)
[User Partition Role] |
The Partition CO role is authorized to create, use, destroy and transfer key objects for a given partition. The Partition CO can optionally create the Partition LCO and Partition CU, and perform initial assignment of key authorization data. |
|
Partition Limited Crypto Officer (Partition LCO)
[User Partition Role] |
The Partition LCO is an optional partition role authorized to create and use key objects, and perform initial assignment of key authorization data. The role is only permitted to delete key objects where per-key authorization is used and the correct authorization data for a given key object can be presented to the cryptographic module. |
|
Partition Crypto User (Partition CU)
[User Partition Role] |
The Partition CU is the partition role authorized to use the key objects within the partition (e.g. sign, encrypt/decrypt). |
| Audit User [Admin Partition Role] | The Audit User initializes the secret key used to generate Message Authentication Code (MAC) for secure audit messages alongside configuring logging levels for the HSM. |
|
Key Owner [Admin or User Partition Role] |
Implicit role used to authenticate the owner of a key through verification of the related key authorization data. |
| STC User [Admin or User Partition Role] | The STC user is optional role used with a remote Thales Luna client to initiate a secure tunnel with a target partition. Once successfully authenticated based on pre-registered authentication credentials, the STC user is able to submit commands to the target partition over a trusted channel. |
Audit
The HSM logs events within the HSM. You must initialize the Audit role within the HSM, to configure the criteria (such as event severity, whether certain key usage is logged for first use only, or for every use, etc.), to ensure a balance between logging necessary for the regime under which you operate, and the effect on cryptographic performance as logging demands increase. The more events are logged, the faster the HSM memory fills, and the more urgent the need for you to configure rotation of log entries off the HSM and into log files in the host file-system. The secure audit function ensures that audit log integrity can be validated. It is then your responsibility to secure the further handling of such logs within your organization.
The appliance also logs system events, which is a separate function from HSM logging.
The HSM (cryptographic module) and the appliance that hosts it provide their logs (as configured), but what you do with them is determined by the security regime under which you operate.
Compliance
Common Criteria validation ensures that a given version of HSM is suitable and can be used in conformity with the stipulated behaviors within the larger framework of operational security for applications and services. Thales Group regularly submits HSM products for Common Criteria evaluation, and provides links and updates as appropriate.
