NOTE    

Using Luna HSM Firmware 7.7.0 and newer, 3DES keys have a usage counter attribute (CKA_BYTES_REMAINING) that limits each key instance to encrypting a maximum of 2^¹⁶ 8-byte blocks of data when the HSM is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to 0). When the counter runs out, that key can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects. The CKA_BYTES_REMAINING attribute cannot be viewed if the HSM/partition is not in FIPS approved configuration.

The attribute is preserved through backup/restore using a Luna Backup HSM 7; restoring the key restores the counter's setting at the time of backup.

The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring the key resets the counter to the maximum.

The 3DES usage counter attribute (CKA_BYTES_REMAINING) has been removed in Luna HSM Firmware 7.8.4 and newer, to comply with FIPS 140-3 requirements. This attribute is now ignored on any keys where it is already set.

NOTE    

> Using Luna HSM Firmware 7.7.0 or newer, to comply with FIPS SP800-131a Rev2 published in March 2019, this mechanism is not allowed to sign data when the HSM is in FIPS approved configuration.[ LUNA-14401 ] <conditioning out because the info has been available in the Firmware 7.x.x Mechanisms table since 7.7.0 - delete after 2022 if nobody notices>Conditioned back in to match the new CRN advisory Rajiv requested for FW 7.7.0 and newer.

>CKM_DES3_MAC is no longer supported for MAC generation in FIPS approved configuration.