Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

Customer release notes

ProtectServer 3 HSM firmware releases

search

ProtectServer 3 HSM firmware releases

ProtectServer 3 HSM firmware releases

This section describes new features and enhancements that have been introduced with each ProtectServer 3 HSM firmware release to date. It also includes advisory notes you should be aware of before deploying a specific ProtectServer 3 HSM firmware.

Note

Thales recommends using matching minor versions of ProtectToolkit 7, the ProtectServer 3 HSM Firmware, and the ProtectServer 3 Network HSM Appliance Software for most deployments. Some new features and enhancements for a ProtectServer 3 HSM Firmware version listed below may require a specific version of ProtectToolkit 7. In such cases, the required ProtectToolkit 7 minor version is mentioned in parentheses.

The ProtectServer 3 HSM transitioned from FIPS 140-2 Level 3 to FIPS 140-3 Level 3 compliance and validation with the release of ProtectServer 3 HSM Firmware 7.03.00 (validation pending). The information below is grouped by the FIPS compliance and validation requirements that are relevant to your ProtectServer 3 HSM deployment.

The following ProtectServer 3 HSM Firmware versions have been released to date for FIPS 140-2 Level 3 deployments:

ProtectServer 3 HSM Firmware 7.02.02

Firmware 7.02.02 new features and enhancements

ProtectServer 3 HSM Firmware 7.02.02 supports the latest features and enhancements introduced with ProtectToolkit 7.2.1 and resolves a known issue described in Known and resolved issues.

Firmware 7.02.02 advisory notes

There are no advisory notes for this release.

ProtectServer 3 HSM Firmware 7.02.01

Firmware 7.02.01 new features and enhancements

ProtectServer 3 HSM Firmware 7.02.01 supports the latest features and enhancements introduced with ProtectToolkit 7.2.1, resolves various known issues described in Known and resolved issues, and introduces the following new features and enhancements:

New values for CKM_AES_KEY_WRAP and CKM_AES_KEY_WRAP_PAD (requires ProtectToolkit 7.2.1)

CKM_AES_KEY_WRAP and CKM_AES_KEY_WRAP_PAD have been assigned new values, as defined in PKCS#11 2.40.

Firmware 7.02.01 advisory notes

There are no advisory notes for this release.

ProtectServer 3 HSM Firmware 7.02.00

Firmware 7.02.00 new features and enhancements

ProtectServer 3 HSM Firmware 7.02.00 supports the latest features and enhancements introduced with ProtectToolkit 7.2.0, resolves various known issues described in Known and resolved issues, and introduces other new features and enhancements:

Larger messages can be exchanged between host applications and functionality modules using FMSC_SendReceive (requires ProtectToolkit 7.2.0)

FMSC_SendReceive now supports messages approximately 64 MB-large. For more information about this function, refer to FMSC_SendReceive.

Enhancements to elliptic-curve algorithms (require ProtectToolkit 7.2.0)

ProtectToolkit 7.2.0 supports ed448 Edwards curves for EC signatures and curve448 Montgomery curves for Diffie Hellman (DH) key derivation. ProtectServer 3 HSM Firmware 7.02.00 supports this enhancement with the following changes:

  • CKM_EC_MONTGOMERY_KEY_PAIR_GEN mechanism supported for Montgomery key generation. For more information about this mechanism, refer to CKM_EC_MONTGOMERY_KEY_PAIR_GEN.

  • CKM_EDDSA now accepts CK_EDDSA_PARAMS as an optional parameter. For more information, refer to CKM_EDDSA.

CKM_AES_CTR mechanism support (requires ProtectToolkit 7.2.0)

ProtectServer 3 HSM Firmware 7.02.00 supports CKM_AES_CTR. For more information about this mechanism, refer to CKM_AES_CTR.

Firmware 7.02.00 advisory notes

This section highlights important issues you should be aware of before deploying ProtectServer 3 HSM 7.02.00.

CKM_EC_EDWARDS_KEY_PAIR_GEN and CKK_EC_EDWARDS values updated to match PKCS#11 3.0

If you are using ProtectToolkit 7.2.0 or newer with ProtectServer 3 HSM Firmware 7.02.00 or newer, the values of CKM_EC_EDWARDS_KEY_PAIR_GEN and CKK_EC_EDWARDS match PKCS#11 3.0. Thales recommends using the ET_PTKC_GENERAL_LEGACY_EDDSA ProtectToolkit-C configuration item for applications recompiled with ProtectToolkit 7.2.0 or newer, if they were compiled with ProtectToolkit 7.1.0 or older. For more information, refer to ET_PTKC_GENERAL_LEGACY_EDDSA.

ProtectServer 3 HSM Firmware 7.01.02

Firmware 7.01.02 new features and enhancements

ProtectServer 3 HSM Firmware 7.01.02 supports the latest features and enhancements introduced with ProtectToolkit 7.1.0, resolves various known issues described in Known and resolved issues, and introduces other new features and enhancements:

CKA_EXPORTABLE attribute value can be changed from false to true

The value of CKA_EXPORTABLE can be changed from FALSE to TRUE by using the ctkmu m command when the Weak PKCS#11 Mechanisms security flag is set. For more information, refer to ctkmu and Weak PKCS#11 Mechanisms for more information.

Larger messages can be exchanged between host applications and functionality modules using MD_SendReceive (requires ProtectToolkit 7.2.0)

MD_SendReceive now supports messages approximately 64 MB-large. For more information about this function, refer to MD_SendReceive.

Firmware 7.01.02 advisory notes

There are no advisory notes for this release.

ProtectServer 3 HSM Firmware 7.01.01

Firmware 7.01.01 new features and enhancements

ProtectServer 3 HSM Firmware 7.01.01 supports the latest features and enhancements introduced with ProtectToolkit 7.1.0 and ProtectServer 3 HSM Firmware 7.01.00. It also resolves various known issues described in Known and resolved issues, introduces security fixes for certain configurations, and introduces the following new features and enhancements:

Modification to C_DigestKey function

The operation of C_DigestKey has been modified to improve overall security. This function now checks the CKA_MECHANISM_LIST attribute of an object. For more information, refer to CKA_MECHANISM_LIST.

Firmware 7.01.01 advisory notes

There are no advisory notes for this release.

ProtectServer 3 HSM Firmware 7.01.00

Firmware 7.01.00 new features and enhancements

ProtectServer 3 HSM Firmware 7.01.00 supports the latest features and enhancements introduced with ProtectToolkit 7.1.0 and resolves various known issues described in Known and resolved issues.

TR-31 key block format support (requires ProtectToolkit 7.1.0)

ProtectToolkit 7.1.0 introduces limited support for TR-31 key blocks. ProtectServer 3 HSMs can now import and export keys by performing key wrapping and unwrapping using the TR31 key block format. To support this feature, ProtectServer 3 HSM Firmware 7.01.00 supports a new Thales-proprietary key object attribute and three new mechanisms. For more information, refer to the following sections:

New and enhanced ProtectToolkit-C mechanisms (require ProtectToolkit 7.1.0)

ProtectServer 3 HSM Firmware 7.01.00 introduces support for the following new mechanisms:

ProtectServer 3 HSM Firmware 7.01.00 supports enhancements to the following mechanisms:

  • CKM_AES_GCM — this mechanism now returns the IV in the mechanism parameter during the C_EncryptInit call. Refer to CKM_AES_GCM.

  • CKM_AES_CMAC_GENERAL — this mechanism now uses the values defined in PKCS #11 2.40. Refer to CKM_AES_CMAC_GENERAL.

  • CKM_X9_42_DH_DERIVE is now available in FIPS Mode.

Firmware 7.01.00 advisory notes

This section highlights important issues you should be aware of before deploying ProtectServer 3 HSM Firmware 7.01.00.

Modifications to ProtectToolkit-C mechanisms

If you are using ProtectToolkit 7.1.0 or newer with ProtectServer 3 HSM Firmware 7.01.00 or newer, the following mechanisms have been modified, to comply with NIST requirements:

  • CKM_ECDH1_DERIVE

    The following key derive functions (KDFs) are no longer available when the FIPS Mode security flag is set:

    • CKD_SHA1_KDF

    • CKD_SHA224_KDF

    • CKD_SHA256_KDF

    • CKD_SHA384_KDF

    • CKD_SHA512_KDF

    Refer to FIPS Mode and CKM_ECDH1_DERIVE.

  • CKM_SHA1_HMAC and CKM_SHA1_HMAC_GENERAL

    The minimum supported key size in FIPS Mode is 14 bytes. Refer to CKM_SHA1_HMAC and CKM_SHA1_HMAC_GENERAL.

CKM_X9_42_DH_KEY_PAIR_GEN uses CKK_X9_42_DH instead of CKK_DH, to comply with PKCS #11 requirements.

Update to CKA_CHECK_VALUE Attribute

The value definition of CKA_CHECK_VALUE has been updated to match the PKCS #11 standard. For more information about CKA_CHECK_VALUE, refer to CKA_CHECK_VALUE.

FMs compiled with FMSDK 7.1.0 and newer not compatible with older firmware

FMs compiled using FMSDK/CProv 7.1.0 or newer are not compatible with HSM firmware 7.00.xx or older. The FM will fail to load and will be erased from the HSM.

If an FM is intended to run on a ProtectServer 3 HSM with firmware 7.01.xx or newer, use FMSDK 7.1.0 or the version that corresponds with the firmware release to build the FM. If the FM is intended for use with firmware 7.00.xx or older, use FMSDK 7.0.0 to build the FM.

ProtectServer 3 HSM Firmware 7.00.01

Firmware 7.00.01 new features and enhancements

ProtectServer 3 HSM Firmware 7.00.01 is FIPS-validated and supports the latest features and enhancements introduced with ProtectToolkit 7.0.0 and ProtectServer 3 HSM Firmware 7.00.00. It also resolves various known issues described in Known and resolved issues.

Firmware 7.00.01 advisory notes

There are no advisory notes for this release.

ProtectServer 3 HSM Firmware 7.00.00

Firmware 7.00.00 new features and enhancements

ProtectServer 3 HSM Firmware 7.00.00 supports the latest features and enhancements introduced with ProtectToolkit 7.0.0. It also introduces the following new features and enhancements to the ProtectServer HSM product line:

New ProtectServer 3 HSM uses the upgraded K7 cryptographic module

Thales is pleased to announce the new ProtectServer 3 line of HSM hardware, utilizing the next-generation K7 cryptographic module. The new HSM provides enhanced performance, functionality equivalent to the ProtectServer 2 HSM product line, and new features as described below. The new HSM is provided in the following variants to serve your deployment needs:

  • ProtectServer 3 PCIe HSM: Replaces the ProtectServer PCIe2 (also referred to as the SafeNet ProtectServer PCIe HSM), and is the new K7 cryptographic module installed directly into an application server to provide PKCS#11-compliant cryptographic services.

    Refer to ProtectServer 3 PCIe Hardware Installation.

  • ProtectServer 3 External HSM: Replaces the ProtectServer External 2 (also referred to as the SafeNet ProtectServer Network HSM), and includes the new K7 cryptographic module in the chassis, to be installed in a server rack and accessed over a network.

    Refer to ProtectServer 3 External installation and configuration.

  • ProtectServer 3+ External HSM: Replaces the ProtectServer External 2 Plus (also referred to as the SafeNet ProtectServer Network HSM Plus), and includes the new K7 cryptographic module installed in a new chassis with enhanced installation, maintenance, security, and usability features:

    • Four 1GB Ethernet ports with port bonding for redundancy and enhanced reliability.

    • A new LCD display provides a quick view of the appliance network configuration and connection health.

    • Two removable hot-swappable power supplies for redundancy and enhanced reliability.

    • Three removable cooling fans for easy cleaning.

    • Optional sliding mount rails provide simplified installation and improved access for performing maintenance and accessing the network ports.

    • Enhanced tamper/decommission logic.

    Refer to ProtectServer 3+ External installation and configuration.

Significant performance enhancements

The ProtectServer 3 HSM provides a large performance boost over the ProtectServer 2 HSM, completing more operations per second than its predecessor in every comparison test. The ProtectServer 3 HSM comes in the following performance level variants, to accommodate a wide range of customer needs:

  • ProtectServer 3 HSM PL-25

  • ProtectServer 3 HSM PL-220

  • ProtectServer 3 HSM PL-3500

Regardless which level you choose, you can expect increased performance and accelerated symmetric/asymmetric cryptography across the board from your new ProtectServer 3 HSM.

Firmware 7.00.00 advisory notes

This section highlights important issues you should be aware of before deploying ProtectServer 3 HSM Firmware 7.00.00.

Legacy serial smart card readers not compatible with ProtectServer 3 HSM

Only the Omnikey 3121 USB smart card reader (PN: 911-50002-001) is compatible with the new ProtectServer 3 HSM. Older readers that use a serial connection are not supported.

FMs compiled with FMSDK 5.x not compatible with ProtectServer 3 HSM

FMs compiled using FMSDK 5.x or older are not compatible with ProtectServer 3 HSM Firmware 7.00.00 or newer. To use your FMs with the new firmware, you must recompile them using the ProtectToolkit 7 FMSDK.

Refer to Migrating functionality modules from ProtectServer 2 HSMs to ProtectServer 3 HSMs for more information about recompiling FMs for a ProtectServer 3 HSM.

Note

If you are reconfiguring a ProtectServer 3 HSM deployment for FIPS 140-3 Level 3-compliance, read Firmware 7.03.00 advisory notes to take note of the operational changes that this firmware version introduces and reconfigure applications where necessary, before reconfiguring the deployment for 140-3 Level 3-compliance.

The following ProtectServer 3 HSM Firmware versions have been released to date for FIPS 140-3 Level 3 deployments:

ProtectServer 3 HSM Firmware 7.03.00

Note

ProtectServer 3 HSM Firmware 7.03.00 does not include all the changes that Thales introduced with ProtectServer 3 HSM Firmware 7.02.02. Refer to ProtectServer 3 HSM Firmware 7.02.02 for more information about which features, enhancements, and advisory notes are not applicable to ProtectServer 3 HSM Firmware 7.03.00.

Firmware 7.03.00 new features and enhancements

ProtectServer 3 HSM Firmware 7.03.00 supports the latest features and enhancements introduced with ProtectToolkit 7.3.0, resolves various known issues described in Known and resolved issues, and introduces other new features and enhancements.

ProtectServer 3 HSM factory reset capability (requires ProtectToolkit 7.3.0)

The ProtectServer 3 HSM can be reset to factory settings, erasing all cryptographic objects, ProtectServer identity keys and certificates, and functionality modules (FMs). For more information, refer to Resetting the HSM to factory settings.

ProtectServer 3 HSM runs periodic self-tests

The ProtectServer 3 HSM now runs periodic self-tests (PSTs) without any user intervention or on demand external triggers. For more information about these periodic self-tests, refer to Self-tests.

Firmware 7.03.00 advisory notes

This section highlights important issues you should be aware of before deploying ProtectServer 3 HSM Firmware 7.03.00.

Minimum PIN length increased from 4 characters to 8 characters in FIPS Mode

When the FIPS Algorithms Only security flag is set, all PINs, with the exception of smart card PINs, must be 8 to 32 characters in length. If PINs that are less than 8 characters long are carried over to FIPS Mode, you can continue using the PINs but are blocked from completing cryptographic operations until the PIN is reset.

CKM_KEY_WRAP_SET_OAEP not supported in FIPS Mode

CKM_KEY_WRAP_SET_OAEP can no longer be used in FIPS Mode.

Some mechanisms have new operational and key size restrictions in FIPS Mode

New operational and key size restrictions apply to the following mechanisms when they are used in FIPS mode: