Security Mode Flag Descriptions
Tamper Before Upgrade
When this flag is set, the HSM will automatically perform a soft tamper (erase all internal secure memory) as part of a firmware upgrade, FM download, or FM disable operation.
No Public Cryptography
When this flag is set, no user can perform a cryptographic operation without having authenticated themselves.
When this flag is set, each token in the system will have the PKCS #11 CKF_LOGIN_REQUIRED flag set, to indicate that applications must authenticate before operations. This security flag does not affect the Admin token, which always requires authentication for use.
NOTE This setting does not impede the ability to perform RSA or other public key processing. It ensures that crypto services cannot be performed by unauthenticated users.
Entrust Compliant
When this flag is set, Entrust Compliant Mode is operational, ensuring compatibility with the Entrust range of applications. These applications require a specific security profile to operate correctly.
No Clear PINs
When this flag is set, no user PINs or other sensitive information may be passed across the host interface in an unencrypted form. This enables secure messaging encryption between applications and the HSM. It will also disable certain functions that would otherwise result in the clear transmission of sensitive data. This flag will also not allow any keys to be created with the attribute CKA_SENSITIVE=FALSE.
Authentication Protection
This flag, when set, enforces secure messaging authentication between applications and the HSM. Each request to the HSM must be digitally signed and will be verified by the HSM. The key used for this signing process is derived from a key shared by the HSM and host application as well as the user PIN.
Applications will operate in a more secure manner with this flag set, but HSM performance will suffer due to the additional operations required to sign each request and response message.
Lock Security Mode
The Lock Security Mode flag, when set, disables further modification of the security mode flag settings. Once set, this flag (or any other security mode flag) cannot be modified. A new security mode can only be implemented after a tamper operation is performed.
Increased Security Level
The Increased Security Level flag, when set, disables the mechanism CKM_EXTRACT_KEY_FROM_KEY and also does not allow the CKA_MODIFIABLE attribute to be changed from False to True.
Only Allow FIPS Approved Algorithms
The Only Allow FIPS Approved Algorithms flag, when set, disables the following non-FIPS-approved algorithms: MD2, MD5, RIPE, CAST, IDEA, RC2, RC4 and RC5.
Full Secure Messaging Encryption
The Full Secure Messaging Encryption flag is similar to the No Clear PINs flag, except that every message is encrypted in both directions between the application and the HSM. The key used for the message encryption is generated using the PKCS#3 Diffie-Hellman Key Agreement Standard.
This flag only performs two-way encryption when using the ProtectToolkit-M client library in the client/server mode over TCP/IP.
Applications will operate in a more secure manner with this flag set, but HSM performance will suffer due to the additional operations required to sign each request and response message.
Full Secure Messaging Signing
The Full Secure Messaging Encryption flag is similar to the Authentication Protection flag, except that every request in both directions between the application and the HSM is digitally signed and verified. The key used for the message encryption is generated using the PKCS#3 Diffie-Hellman Key Agreement Standard.
This flag only performs two-way encryption when using the ProtectToolkit-M client library in the client/server mode over TCP/IP. Applications will operate in a more secure manner with this flag set, but HSM performance will suffer due to the additional operations required to sign each request and response message.