Releases for FIPS 140-2 Level 3 deployments
The following ProtectToolkit 7 versions have been released to date for FIPS 140-2 Level 3 deployments:
Note
Thales recommends using matching minor versions of ProtectToolkit 7, the ProtectServer 3 HSM Firmware, and the ProtectServer 3 Network HSM Appliance Software for most deployments. Some new features and enhancements for a version of ProtectToolkit 7 listed below may require a specific firmware version. In such cases, the required firmware minor version is mentioned in parentheses.
ProtectToolkit 7.2.3
New features and enhancements
ProtectToolkit 7.2.3 introduces several new features and enhancements, and resolves various known issues described in Known and resolved issues.
Note
The new features and enhancements described below are applicable to all ProtectToolkit versions newer than ProtectToolkit 7.2.3 except ProtectToolkit 7.3.0.
Key migration from ProtectServer 2 HSMs to ProtectServer 3 HSMs using token replication (requires firmware 7.02.03)
ProtectToolkit 7.2.3 allows users to migrate keys from ProtectServer 2 HSMs to ProtectServer 3 HSMs by replicating the ProtectServer 2 HSM tokens onto the ProtectServer 3 HSMs. This method of key migration must be followed to migrate ProtectServer 2 HSM keys that have their CKA_EXPORTABLE and CKA_MODIFIABLE attributes set to FALSE. Thales has introduced a new utility to ProtectToolkit 7, ptk7tokmigration, to support this method of key migration. For more information, refer to Migrating keys using token replication.
Support for RHEL 9.2 and 7.9
ProtectToolkit 7.2.3 can be installed on the following new operating systems:
- RHEL 9.2
- RHEL 7.9
For a complete list of supported ProtectToolkit 7 operating systems, refer to Supported ProtectToolkit 7 platforms.
EDDSA cipher object support for FMs (requires firmware 7.02.03)
FMs can now use EDDSA cipher objects for signing and verification operations. The FmCreateCipherObject function of the cipher object access API can now construct and initialize these cipher objects. For more information, refer to FmCreateCipherObject.
Thales has also updated the eccdemo FM sample to demonstrate EDDSA cipher object usage. For more information, refer to eccdemo.
Support for Java 17 and 21
The ProtectToolkit GUI utilities, JCPROV Java wrapper, and ProtectToolkit-J packages are now compatible with Java Runtime Environment (JRE) and OpenJDK versions 17 and 21.
Advisory notes
This section highlights important issues you should be aware of before deploying ProtectToolkit 7.2.3.
Note
The advisory notes described below are applicable to all ProtectToolkit versions newer than ProtectToolkit 7.2.3 except ProtectToolkit 7.3.0.
Compilation procedures for C sample programs now require CMake
The C sample programs included in the PTK-C SDK package are now compiled using CMake. For more information about these procedures, refer to C sample programs.
ProtectToolkit 7.2.1
New features and enhancements
ProtectToolkit 7.2.1 introduces several new features and enhancements, and resolves various known issues described in Known and resolved issues.
New ProtectToolkit 7 operating system support
ProtectToolkit 7.2.1 can be installed on the following new operating systems:
- Windows Server 2022
- RHEL 9.1
- SUSE Linux Enterprise Server (SLES) 12 SP5
New values for CKM_AES_KEY_WRAP and CKM_AES_KEY_WRAP_PAD (requires firmware 7.02.01)
ProtectToolkit 7 now uses the values for CKM_AES_KEY_WRAP and CKM_AES_KEY_WRAP_PAD defined in PKCS#11 2.40. For more information about these mechanisms, refer to CKM_AES_KEY_WRAP and CKM_AES_KEY_WRAP_PAD, respectively.
Advisory notes
This section highlights important issues you should be aware of before deploying ProtectToolkit 7.2.1.
New ProtectToolkit configuration item for applications that use CKM_AES_KEY_WRAP or CKM_AES_KEY_WRAP_PAD
A new configuration item, ET_PTKC_GENERAL_LEGACY_AESKW, should be used if an application that uses CKM_AES_KEY_WRAP or CKM_AES_KEY_WRAP_PAD is being used with ProtectToolkit 7.2.1 and ProtectServer 3 HSM Firmware 7.02.00 or older.
For more information about this configuration item, refer to ET_PTKC_GENERAL_LEGACY_AESKW.
ProtectToolkit 7.2.0
New features and enhancements
ProtectToolkit 7.2.0 introduces several new features and enhancements, and resolves various known issues described in Known and resolved issues.
New ProtectToolkit 7 operating system support
ProtectToolkit 7.2.0 can be installed on the following new operating systems:
- 64-bit Windows 11
- AIX 7.1, 7.2, and 7.3
For a complete list of supported ProtectToolkit 7 operating systems, refer to Supported ProtectToolkit 7 platforms.
32-bit ProtectToolkit 7 client introduced
A 32-bit version of ProtectToolkit 7.2.0 is available and compatible with the following 64-bit operating systems:
- 64-bit Windows 10
- 64-bit AIX 7.1, 7.2, and 7.3
For a complete list of supported ProtectToolkit 7 operating systems, refer to Supported ProtectToolkit 7 platforms.
Larger messages can be exchanged between host applications and custom functionality modules using FMSC_SendReceive (requires firmware 7.02.00)
FMSC_SendReceive now supports messages of approximately 64 MB. For more information about this function, refer to FMSC_SendReceive.
Larger messages can be exchanged between host applications and custom functionality modules using MD_SendReceive (requires firmware 7.01.02)
MD_SendReceive now supports messages of approximately 64 MB. For more information about this function, refer to MD_SendReceive.
Enhancements to elliptic-curve algorithms (require firmware 7.02.00)
ProtectToolkit 7.2.0 supports ed448 Edwards curves for EC signatures and curve448 Montgomery curves for Diffie-Hellman (DH) key derivation. To support this enhancement, the following changes have been made to ProtectToolkit:
- ec_mont is used to specify the creation of key pairs using Montgomery curves when using the --type=<type> option for ctkmu. For more information, refer to --type=<type>.
- ed448 and curve448 can be specified when using the --curve-name=<label> option for ctkmu. For more information, refer to -C<curve_name>.
- ctmultitoken supports prehashed message signing for edDSA signatures. For more information, refer to -prehash.
CKM_AES_CTR mechanism support (requires firmware 7.02.00)
ProtectToolkit 7.2.0 supports CKM_AES_CTR. For more information about this mechanism, refer to CKM_AES_CTR.
--show-info option added to mkfm utility
You can use the --show-info option with the mkfm utility to read the build information of a functionality module (FM) without downloading it to the HSM. For more information about this utility, refer to mkfm.
New SetHsmMode.ps1 PowerShell script introduced
The Windows version of ProtectToolkit 7.2.0 includes the SetHsmMode.ps1 PowerShell script, which is used to switch between Software Emulator and HSM operating modes after installing ProtectToolkit 7.2.0. For more information about using this script, refer to Using the SetHsmMode.ps1 Windows PowerShell script.
ProtectToolkit 7 can be installed silently on Windows
The Windows installer for ProtectToolkit 7.2.0 can be set to run in silent mode, allowing you to complete the installation process without any manual intervention. For more information about running the Windows installation in silent mode, refer to Silent Windows Installation.
Advisory notes
This section highlights important issues you should be aware of before deploying ProtectToolkit 7.2.0.
CKM_EC_EDWARDS_KEY_PAIR_GEN and CKK_EC_EDWARDS values updated to match PKCS#11 3.0
If you are using ProtectToolkit 7.2.0 or newer with ProtectServer 3 HSM Firmware 7.02.00 or newer, the values of CKM_EC_EDWARDS_KEY_PAIR_GEN and CKK_EC_EDWARDS match PKCS#11 3.0. Thales recommends using the ET_PTKC_GENERAL_LEGACY_EDDSA ProtectToolkit-C configuration item for applications recompiled with ProtectToolkit 7.2.0 or newer, if they were compiled with ProtectToolkit 7.1.0 or older. For more information, refer to ET_PTKC_GENERAL_LEGACY_EDDSA.
ProtectToolkit 7.1.0
New features and enhancements
ProtectToolkit 7.1.0 introduces several new features and enhancements, and resolves various known issues described in Known and resolved issues.
New ProtectToolkit 7 operating system support
ProtectToolkit 7.1.0 can be installed on the following new operating systems:
- Red Hat Enterprise Linux 8 (RHEL 8.4)
- Ubuntu (20.04 LTS)
For a complete list of supported ProtectToolkit 7 operating systems, refer to Supported ProtectToolkit 7 platforms.
TR-31 key block format support (requires firmware 7.01.00)
ProtectToolkit 7.1.0 introduces limited support for TR-31 key blocks. ProtectServer 3 HSMs can now import and export keys in TR-31 key block format. Once keys are imported, users can either write their own functionality modules (FMs) or, if the key mode is supported by the HSM, use them as PKCS#11 objects.
The following related features have been introduced:
- ctkmu commands and options that can be used to import and export TR-31 key blocks.
- A new Thales-proprietary key object attribute and three new mechanisms. For more information, refer to the following sections:
New and enhanced ProtectToolkit-C mechanisms (require firmware 7.01.00)
ProtectToolkit 7.1.0 introduces the following new mechanisms:
- CKM_AES_GMAC — new mechanism for single and multiple-part signatures and verification. Refer to CKM_AES_GMAC.
- CKM_AES_GCM_OLD — new mechanism to ensure compatibility between ProtectToolkit 7.1.0 and ProtectToolkit 7.0.0 applications that call CKM_AES_GCM. Refer to CKM_AES_GCM_OLD.
  - To be used with the newly introduced ET_PTKC_GENERAL_LEGACY_GCM configuration item. Refer to ProtectToolkit-C mechanism configuration items.
ProtectToolkit 7.1.0 enhances the following mechanisms:
- CKM_AES_GCM — this mechanism now returns the IV in the mechanism parameter during the C_EncryptInit call. Refer to CKM_AES_GCM.
- CKM_AES_CMAC_GENERAL — this mechanism now uses the values defined in PKCS#11 2.40. Refer to CKM_AES_CMAC_GENERAL.
  - Can be used with the newly introduced ET_PTKC_GENERAL_LEGACY_CMAC configuration item. Refer to ProtectToolkit-C mechanism configuration items.
- CKM_X9_42_DH_DERIVE is now available in FIPS Mode.
Containerized ProtectToolkit deployment on Linux systems
ProtectToolkit 7 can be deployed in a Docker container on a Linux system, enabling the code to run in a consistent fashion. For the complete procedure, refer to Deploying ProtectToolkit 7 in a Docker container on Linux.
Improved Secure Messaging System (SMS) performance
Module performance while running in SMS mode has been enhanced significantly for larger packet sizes. For more information about this feature, refer to Secure messaging.
Advisory notes
This section highlights important issues you should be aware of before deploying ProtectToolkit 7.1.0.
Modifications to ProtectToolkit-C mechanisms
If you are using ProtectToolkit 7.1.0 or newer with ProtectServer 3 HSM Firmware 7.01.00 or newer, the following mechanisms have been modified, to comply with NIST requirements:
- CKM_ECDH1_DERIVE
  The following key derive functions (KDFs) are no longer available when the FIPS Mode security flag is set:
  - CKD_SHA1_KDF
  - CKD_SHA224_KDF
  - CKD_SHA256_KDF
  - CKD_SHA384_KDF
  - CKD_SHA512_KDF
  Refer to FIPS Mode and CKM_ECDH1_DERIVE.
- CKM_SHA1_HMAC and CKM_SHA1_HMAC_GENERAL
  The minimum supported key size in FIPS Mode is 14 bytes. Refer to CKM_SHA1_HMAC and CKM_SHA1_HMAC_GENERAL.
CKM_X9_42_DH_KEY_PAIR_GEN uses CKK_X9_42_DH instead of CKK_DH, to comply with PKCS #11 requirements.
ProtectToolkit 7.0.0
New features and enhancements
ProtectToolkit 7.0.0 introduces several new features and enhancements.
New ProtectToolkit 7.0.0 client software
The new ProtectToolkit 7.0.0 client software is intended for use with the new line of ProtectServer 3 HSMs, and provides simplified installation and more control over which components you choose to install.
Refer to ProtectToolkit 7 software installation.
Support for Java 9, 10, and 11
The ProtectToolkit GUI utilities, JCPROV Java wrapper, and ProtectToolkit-J packages are now compatible with Java Runtime Environment (JRE) and OpenJDK versions 9, 10, and 11.
ProtectServer Identity Keys and Certificates provide enhanced, customizable trust relationships
ProtectToolkit 7 allows you to generate a unique identity key and certificate on the HSM. This ensures that cryptographic objects can be replicated only to other ProtectServer 3 HSMs you control, and secures messages between the HSM and the PTK.
Refer to ProtectServer owner and identity certificates.
Enhanced secure messaging
ProtectServer Identity Keys/Certificates allow for enhanced secure messaging between the HSM and the PTK software, and are mandatory for use in FIPS Mode.
Refer to Secure messaging.
Enhanced secure token replication
ProtectServer Identity Keys/Certificates provide better security for token replication, ensuring better authentication between ProtectServer 3 HSMs that share cryptographic objects between them.
Refer to Token replication.
Advisory notes
This section highlights important issues you should be aware of before deploying ProtectToolkit 7.0.0.
setmode executable binary file not included in PTK 7
The setmode command cannot be used to switch between HSM and Software Emulation operating modes after installing PTK 7 on Windows. To switch between HSM and Software Emulation operating modes, use the PTK installer.
Refer to Modifying the ProtectToolkit Windows installation for more information.
External key storage no longer supported in PTK 7
The External Token Support Library (ExtToken) is no longer included with the PTK 7 client software.
ProtectToolkit 7 is not backwards compatible with ProtectServer 2 HSMs
ProtectToolkit 7 is supported for use with ProtectServer 3 External, ProtectServer 3+ External, and ProtectServer 3 PCIe HSMs only. Likewise, HA/WLD groups must consist of ProtectServer 3 HSMs only.
C sample programs cannot be compiled on Windows with NMAKE
The C sample programs included in the ProtectToolkit-C SDK package for Windows cannot be compiled with the Microsoft Program Maintenance Utility (NMAKE). Users should instead compile the samples by using the Microsoft Visual Studio compiler. For more information about compiling the C samples on Windows, refer to C sample programs.