| Standard | FIPS 140-3 |
|---|---|
| Overall level | 3 |
| Module type | Hardware |
| Embodiment | Multi-Chip Embedded |
| Status | Active |
| Sunset date | 4/1/2029 |
| Caveat | When operated in approved mode |
| Vendor | Thales |
flowchart LR
%% Deterministic review-risk graph for Thales Luna K7 Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Firmware Load<br/>recovery</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>kernel<br/>bootloader</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Thales Luna K7 Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Firmware Load<br/>recovery</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>kernel<br/>bootloader</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Thales Luna K7 Cryptographic Module 002-010935-003 Rev. U January 31, 2025
Document Information Document Part Number 002-010935-003 Initial Release Date February 23, 2024 Update Release Date January 31, 2025 Thales and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. Disclaimer All information herein is either public information or is the property of and owned solely by Thales and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Thales’s information. This document can be copied or distributed for informational, non-commercial, internal and personal use only provided that: appear in all copies. > This document shall not be posted on any network computer or broadcast in any media other than on the NIST CMVP validation list and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Thales makes no warranty as to the value or accuracy of information contained herein. Thales hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and noninfringement. In no event shall Thales be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Thales does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Thales be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Thales products. Thales disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective,
incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.
Acronyms and Abbreviations ACRONYMS AND ABBREVIATIONS Term Definition AES Advanced Encryption Standard ANSI American National Standards Institute AU Audit User API Application Programming Interface CBC Cipher Block Chaining CDH Cofactor Diffie-Hellman CID Client IDentity CITS Chrysalis ITS CKG Cryptographic Key Generation CFB Cipher FeedBack CMAC Cipher Block Chaining Message Authenticate Code CMVP Cryptographic Module Validation Program CO Crypto Officer CPV1 Cloning Protocol Version 1 CPV3 Cloning Protocol Version 3 CPV4 Cloning Protocol Version 4 CSP Critical Security Parameter CTR CounTeR CU Crypto User CVL Component Validation List DAK Device Authentication Key DAC Device Authentication Certificate DEK Data Encryption Key
Acronyms and Abbreviations Term Definition DH Diffie-Hellman DMK Data MAC Key DPK Data Protection Key DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EFP Environmental Failure Protection EFT Environmental Failure Testing EKA Ephemeral Key Agreement ELF Executable and Linkable Format EMC ElectroMagnetic Compatibility EMI ElectroMagnetic Interference ESV Entropy Source Validation FFC Finite Field Cryptography FIPS Federal Information Processing Standard FM Functionality Module GCM Galois Counter Mode GMAC Galois Message Authentication Code GSK Global Storage Key HMAC Keyed-Hash Message Authentication Code HA High Availability HOC Hardware Origin Certificate HOK Hardware Origin Key
Acronyms and Abbreviations Term Definition HSE-BBRAM High-speed erase battery backed RAM HSM Hardware Security Module / Host Security Module ICD Interface Control Design/Document IG Implementation Guidance ISO/IEC International Organization for Standardization / International Electrotechnical Commission I/O Input/Output IV Initialization Vector KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-Based Key Derivation Function KCV Key Cloning Vector KDF Key Derivation Function KDM Key Destruction Method KEK Key Encryption Key KEV Key Encryption Vector KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding LCO Limited Crypto Officer LED Light Emitting Diode LSB Least Significant Bit MAC Message Authentication Code Masking A Thales term to describe the encryption of a key for use only within a Thales cryptographic module Mbps Megabits per second MGF Mask Generation Function
Acronyms and Abbreviations Term Definition MIC Manufacturer’s Integrity Certificate MIK Manufacturer’s Integrity Key MK Master Key NIST National Institute of Science and Technology N/A Not Applicable OFB Output FeedBack PAC PED Authentication Certificate PAK PED Authentication Key PBKDF Password Based Key Derivation Function PCIe Peripheral Component Interconnect Express PCT Pair-wise Consistency Test PEC Password Encryption Certificate PED PIN Entry Device PEK Password Encryption Key PKCS Public-Key Cryptography Standards POST Power-on Self-Test PSK Partition Storage Key PSS Probabilistic Signature Scheme PST Periodic Self-Test RDK Role Domain Key RNG Random Number Generator RPV Remote PED Vector RSA Rivest Shamir Adleman RSADP RSA Decryption Primitive RSASVE RSA Secret-Value Encapsulation RTC Real Time Clock
Acronyms and Abbreviations Term Definition SALK Secure Audit Logging Key SHA Secure Hash Algorithm SKA Static Key Agreement SMFS Secure Memory File System SMK SKS Master Key SKS Scalable Key Storage SO Security Officer SSC Shared Secret Computation SSP Sensitive Security Parameter STC Secure Trusted Channel STM Secure Transport Mode Triple-DES Triple Data Encryption Standard TUK Token or Module Unwrapping Key TVK Token or Module Variable Key TWC Token or Module Wrapping Certificate USB Universal Serial Bus USK User’s Storage Key VPD Vital Product Data XEX XOR-encrypt-XOR XOR eXclusive OR XTS XEX Tweakable block cipher ciphertext Stealing
References REFERENCES [FIPS 140-3] Federal Information Processing Standards Publication 180-4, Security Requirements for Cryptographic Modules, March 2019. [FIPS 140-3 IG] NIST, Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program, May 4, 2021. [FIPS 180-4] Federal Information Processing Standards Publication 180-4, Secure Hash Standard (SHS), NIST, August 2015. [FIPS 186-4] Federal Information Processing Standards Publication 186-4, Digital Signature Standards (DSS), NIST, July 2013. [FIPS 197] Federal Information Processing Standards Publication 197, Specification for the Advanced Encryption Standard (AES), November 26, 2001. [FIPS 198-1] Federal Information Processing Standards Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008. [FIPS 202] Federal Information Processing Standards Publication 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015. [RFC 5639] Lochter M, Merkle J, ‘Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation’, Internet Engineering Task Force, RFC 5639, March 2010. [RFC 7748] Hamburg M, Turner S, “Elliptic Curves for Security”, Internet Research Task Force, RFC 7748, January 2016. [SEC 2] Certicom Research, ‘Standards for Efficient Cryptography - SEC2: Recommended Elliptic Curve Domain Parameters’, Version 2.0, January 27, 2010. [SP800-38A] NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation
References [SP800-56Cr2] NIST Special Publication 800-56C, Recommendation for Key-Derivation Methods in Key-Establishment Schemes, Revision 2, August 2020. [SP800-67r2] NIST Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Revision 2, November 2017. [SP800-90Ar1] NIST Special Publication SP800-90A, Recommendation for Random Number Generation Using Deterministic Bit Generators, Revision 1, June 2015. [SP800-90B] NIST, SP800-90B, “Recommendation for the Entropy Sources Used for Random Bit Generation”, January 2018. [SP800-108r1] NIST Special Publication 800-108 revision 1, Recommendation for Key Derivation Using Pseudorandom Functions, August 2022. [SP800-131Ar2] NIST Special Publication 800-131A revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019. [SP800-132] NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation: Part 1: Storage Applications, December 2010. [SP800-133] NIST Special Publication 800-133 revision 2, Recommendation for Cryptographic Key Generation, June 2020. [SP800-135r1] NIST Special Publication 800-135, Recommendation for Existing Application-Specific Key Derivation Functions, December 2011. [SP800-140Cr1] NIST Special Publication 800-140C revision 1, CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759, May 2022. [SP800-140Dr1] NIST Special Publication 800-140D revision 1, CMVP Approved Sensitive Security Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759, May 2022. [SP800-140E] NIST Special Publication 800-140E, CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790:2012 Annex E and ISO/IEC 24759 Section 6.17, March 2020. [SP800-140F] NIST Special Publication 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759, March 2020. [PKCS #1] PKCS #1: RSA Cryptographic Standard, RSA Laboratories, v2.1. [ANSI X9.42] American National Standard for Financial Services X9.42-2003 (R2013), Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography. [ANSI X9.62] American National Standard Institute ANSI X9.62, ‘Public Key Cryptography for the Financial Services Industry: the Elliptic Curve Digital Signature Algorithm (ECDSA)’, November 16, 2005. [ANSI X9.63] American National Standard for Financial Services X9.63-2011 (R2017), Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography. [ISO/IEC 14888-3:2018] ISO/IEC 14888-3:2018, ‘IT Security techniques
References [ISO/IEC 19790:2012] ISO/IEC 19790:2012 (Corrected 2015-12-15, IDT) Information technology
Preface PREFACE This document deals only with operations and capabilities of the Thales Luna K7 Cryptographic Module in the technical terms of [FIPS 140-3]. General information on Thales HSM alongside other Thales products is available from the following sources: > the Thales internet site contains information on the full line of available products at https://cpl.thalesgroup.com > product manuals and technical support literature is available from the Thales Customer Support Portal at https://supportportal.thalesgroup.com/csm > online manuals for the product can be found at https://www.thalesdocs.com > technical or sales representatives of Thales can be contacted through one of the channels listed on https://cpl.thalesgroup.com/contact-us NOTE: You require an account to access the Customer Support Portal. To create a new account, go to the portal and click on the REGISTER link.
The Thales Luna K7 Cryptographic Module meets all level 3 security requirements for [FIPS 140-3] as summarized in the table below: Table 1-1: Security Levels [ISO/IEC 24759:2017] FIPS 140-3 Section Title Security Level Section 6 [Number Below]
6 Operational Environment N/A
8 Non-Invasive Security N/A
12 Mitigation of Other Attacks N/A
The Thales Luna K7 Cryptographic Module is a multi-chip embedded hardware security module in the form of a PCIe card, which typically resides within a custom computing or security appliance. The cryptographic module is contained in its own secure enclosure, which provides physical resistance to tampering. The cryptographic boundary of the module is defined to encompass all components inside the secure enclosure on the PCIe card. The module must be explicitly configured to operate in an [FIPS 140-3] approved mode of operation using steps outlined in section 13.2 and where these are performed during the secure initialization of the module. The module only supports a single approved mode of operation and any configuration changes to settings defining that mode will trigger a zeroization of all partition Sensitive Security Parameter (SSP) and require the full reset and re-initialization of the module. NOTE Thales Luna K7 Cryptographic Module does not support degraded operation as defined in [ISO/IEC 19790:2012]. The module provides secure key generation and storage for symmetric keys and asymmetric key pairs along with support for a broad range of cryptographic services. Access to key material and cryptographic services for users and user application software is provided through the PKCS #11 programming API, which is implemented over the module’s proprietary command interface. The module may host multiple ‘user partitions’ which are cryptographically separated and are presented as ‘virtual tokens’ to user applications. A single ‘admin partition’ exists, which is dedicated to the HSM Security Officer (HSM SO) and Administrator roles. Each partition must be separately authenticated in order to make it available for use.
The cryptographic module, as defined in [ISO/IEC 19790:2012], is a hardware module of embodiment multichip embedded. NOTE The Thales Luna K7 Cryptographic Module can be used as follows: > as a standalone device called the Thales Luna PCIe HSM; or > as an embedded device in the Thales Luna Network HSM. The cryptographic boundary of the module is shown in Figure 2-1 and Figure 2-2 below with the module embedded in the Thales Luna Network HSM shown in Figure 2-3. The cryptographic boundary is defined as the metal enclosure on the top and bottom sides of the PCIe card as outlined. The fans and heatsinks depicted alongside the removable backup battery are inside the cryptographic boundary (i.e. included in the module versioning on the certificate), but excluded from the testing requirements of FIPS 140-3.
Cryptographic Module Specification Cryptographic Boundary Figure 2-1: Thales Luna K7 Cryptographic Module cryptographic boundary with fans Cryptographic Boundary Figure 2-2: Thales Luna K7 Cryptographic Module cryptographic boundary with heatsinks
Cryptographic Module Specification Figure 2-3: Thales Luna Network HSM The following figure highlights the logical boundary of the module covered by this certification: Figure 2-4
Cryptographic Module Specification loaded onto the module must be validated to [FIPS 140-3] to run on Thales Luna K7 Cryptographic Module. The scope of this certificate exclusively covers the bootloader and main firmware as approved for use by the module. Any FM approved to run on the module will have its own FIPS 140-3 certificate to run on top of the module and where it will most likely be of embodiment, firmware module if maintaining a FIPS 140-3, Level 3 approval overall.
The following tested configuration are covered in this security policy: Table 2-1: Cryptographic module tested configuration. Model Hardware Firmware Version Distinguishing Features [Part Number and Version] Thales Luna PCIe HSM 808-000048-002 Main firmware: 7.8.4 or Half-height PCIe card with factory installed fans. or 7.8.5; with Listed hardware parts are functionally identical 808-000048-003 Bootloader: 1.1.1, with the difference being a change of supplier 1.1.2, 1.1.4, or 1.1.5 for one of the internal components. Thales Luna K7 808-000066-001 Main firmware: 7.8.4 or Half-height PCIe card with factory installed Cryptographic Module as 7.8.5; with heatsinks. used in Thales Luna Bootloader: 1.1.1, Network HSM 1.1.2, 1.1.4, or 1.1.5 Thales Luna K7 808-000073-001 Main firmware: 7.8.4 or Half-height PCIe card with factory installed Cryptographic Module as or 7.8.5; with heatsinks. used in Thales Luna Bootloader: 1.1.1, This model is physically identical to 808Network HSM 808-000073-002 1.1.2, 1.1.4, or 1.1.5 000066-001. Listed hardware parts are functionally identical with the difference being a change of supplier for one of the internal components. This document covers both the PED and password authentication configurations of the Thales Luna K7 Cryptographic Module. NOTE The security features described in this document apply to the Thales Luna K7 Cryptographic Module only and do not include any feature that may be enforced by the host appliance, client or Thales Luna PED. NOTE As the module is a hardware module of embodiment multi-chip embedded
The following cryptographic library and associated CAVP certificates are used by the cryptographic module: > SafeNet Bootloader Cryptographic Library (Cert #C1701 and #A3164); > SafeNet Accelerated Cryptographic Library (Certs #C1707 and #A480); > SafeNet Accelerated Cryptographic Library
Cryptographic Module Specification Table 2-2: Approved Algorithms Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function Symmetric Encryption/Decryption #C1707 Algorithm: AES. Mode: CBC, CFB128, CFB8, CTR, ECB, Key size: 128 and 256-bit - all modes. Initialize the HSM, Create a user partition, Export/import GCM 2, KW, KWP 3, OFB, XTS 4. audit log secret key, Request partition STC identity, Initiate Standards: [FIPS 197], 192-bits
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function Hashing #C1707 Algorithm: SHA. Methods: SHA-1, SHA2-224, SHA2-256, N/A. Update firmware, Protect object integrity, Load SHA2-384, SHA2-512, SHA3-224, SHA3- configuration update file, Request partition STC identity, Standards: [FIPS 186256, SHA3-384, SHA3-512, SHAKE-128, Initiate STC tunnel, Clone SMK between partitions, Clone 4] and [FIPS 202]. SHAKE-256 (Byte Only). partition objects between partitions, Enable/disable STM, Request HSM self-test, Initialize role, Change authentication data, Configure partition for high-available recovery / login, Login as role, Initialize Remote PED Vector (RPV), Generate local symmetric or asymmetric key-pair, Generate domain parameters, Derive key from existing partition secret or private key object, Import secret or private key using key wrapping, Export secret or private key using key wrapping, Insert key from external storage using SKS, Re-seed partition DRBG, Extract entropy from partition DRBG, Perform digest operation on user supplied data, Perform encrypt operation on user supplied data object, Generate signature or MAC over user supplied data, Download FM, Activate SMFS, Store/retrieve data from SMFS, Setup Local PED Session, Setup Remote PED Session, Send or receive data over PED tunnel (remote PED). #C1718 Algorithm: SHA. Methods: SHA2-256, SHA2-512 (Byte N/A. Generate secure log record, Submit external messages for Only). entry into secure audit log, Validate the audit log, Request Standards: [FIPS 180HSM self-test. 4]. #C1701 Algorithm: SHA. Methods: SHA-1, SHA2-384 (Byte Only). N/A. Request authentication and execution of main firmware. Standards: [FIPS 1804]. Message Authentication Code #C1707 Algorithm: HMAC. Methods: HMAC-SHA-1, HMAC-SHA2-224, Mac size: 10-to-64 bytes (dependent Request HSM self-test, Send or receive data over PED tunnel HMAC-SHA2-256, HMAC-SHA2-384, on hash). (remote PED), Generate signature or MAC over user supplied Standard: [FIPS 198HMAC-SHA2-512, HMAC-SHA3-224, Key size: key size < block size, key size data, Validate signature or MAC over user supplied data, 1]. HMAC-SHA3-256, HMAC-SHA3-384, = block size, key size > block size. Store/retrieve data from SMFS, Initialize the HSM, Initialize HMAC-SHA3-512. role, Change authentication data, Login as role #C1718 Algorithm: HMAC. Methods: HMAC-SHA2-256. Mac size: 16, 24, 32 bytes. <as per SHA from Cert #C1718 covered above where this Key size: key size < block size, key size certificate covers the standalone algorithm implementation Standard: [FIPS 198= block size, key size > block size. exclusively used to support secure logging.> 1].
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #C1707 Algorithm: Triple-DES. Methods: CMAC (MAC validate only). Key size: 168-bits (3-key). Validate signature or MAC over user supplied data, Request HSM self-test. Standard: [SP80067r2] and [SP80038B]. #C1707 Algorithm: AES. Methods: CMAC. Key size: 128, 192, 256-bits. Generate signature or MAC over user supplied data, Validate signature or MAC over user supplied data, Request HSM selfStandard: [FIPS 197] test. and [SP800-38B]. Asymmetric #C1707, Algorithm: RSA. Method: Key Generation, Signature Modulus length: 2048, 3072
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #C1718, Algorithm: RSA. Method: Key Generation. Modulus length: 2048 and 3072-bit. Used for Generate local symmetric or asymmetric key-pair #C1719 as already mapped from the RSA listing above but where this Standard: [FIPS 186- Key Generation Method: [FIPS 186-4] implementation is used when HSM Policy (43) Enable low 4]. B.3.3 and B.3.6. level math acceleration is disabled. Of the two implementations, Algorithm implementation covered by Cert #C1718 used when Partition Policy (16) Operate Without RSA blinding is enabled and Cert #C1719 used when Partition Policy (16) Operate Without RSA blinding is disabled. #A480, Algorithm: RSA. Methods: Signature Generation, Modulus length: 4096-bit. Load configuration update file, Clone SMK between #A481. Signature Verification. partitions, Clone partition objects between partitions, , Standard: [FIPS 186- Vendor Note: Key sizes above 4096 Configure partition for high-available recovery / login, 4]. Signature Type: ANSI X9.31, PKCS #1-v1.5, and up to modulus length 8192-bit are Generate local symmetric or asymmetric key-pair, Request PKCS-PSS. supported for signature generation HSM self-test, Generate signature or MAC over user supplied Signature Generation (PKCS #1-v1.5 and verification by the module as data, Validate signature or MAC over user supplied data, and PKCS-PSS): SHA2-224, SHA2-256, permitted by [SP800-131Ar2] but were Download FM. SHA2-384, SHA2-512, SHA3-224, not supported for test by the NIST SHA3-256, SHA3-384, SHA3-512. CAVP program above modulus 4096Both algorithm implementations used when HSM Policy (43) bits at the time of module submission. Signature Generation (ANSI X9.31): Enable low-level math acceleration is enabled. SHA2-224, SHA2-256, SHA2-384, Modulus above 4096-bits may be used SHA2-512. in the approved mode but are Of the two implementations, Algorithm implementation untested for RSA as part of the covered by Cert #A480 used when Partition Policy (16) Signature Verification (PKCS #1-v1.5 Operate Without RSA blinding is enabled and Cert #A481 independent CAVP assurance activities and PKCS-PSS): SHA-1, SHA2-224, used when Partition Policy (16) Operate Without RSA performed. SHA2-256, SHA2-384, SHA2-512, blinding is disabled. SHA3-224, SHA3-256, SHA3-384, SHA3-512. Signature Verification (ANSI X9.31): SHA-1, SHA2-224, SHA2-256, SHA2384, SHA2-512. Vendor affirmed using [FIPS 140-3 IG], C.C, The Use and the Testing Requirements for the Family of Functions defined in FIPS 202, when using SHA-3.
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #A478, Algorithm: RSA. Method: Key Generation. Modulus length: 4096-bit. Generate local symmetric or asymmetric key-pair. #A479, Standard: [FIPS 186- Key Generation Methods: B.3.3 and Vendor Note: Key sizes above 4096 #A480, Implementation covered by Cert #A480 used when HSM 4]. B.3.6. and up to modulus length 8192-bit are #A481. Policy (43) Enable low-level math acceleration is enabled supported for signature generation and Partition Policy (16) Operate Without RSA blinding is and verification by the module as enabled. permitted by [SP800-131Ar2] but were not supported for test by the NIST Implementation covered by Cert #A481 used when HSM CAVP program above modulus 4096Policy (43) Enable low-level math acceleration is enabled bits at the time of module submission. and Partition Policy (16) Operate Without RSA blinding is Modulus above 4096-bits may be used disabled. in the approved mode but are untested for RSA as part of the Implementation covered by Cert #A478 used when HSM independent CAVP assurance activities Policy (43) Enable low-level math acceleration is performed. disabled and Partition Policy (16) Operate Without RSA blinding is enabled. Implementation covered by Cert #A479 used when HSM Policy (43) Enable low-level math acceleration is disabled and Partition Policy (16) Operate Without RSA blinding is disabled. #A3164 Algorithm: RSA. Method: Signature Verification. Modulus length: 4096-bit. Request authentication and execution of main firmware. Standard: [FIPS 186- Signature Type: PKCS #1-v1.5. 4]. Hash options: SHA-1, SHA2-384.
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #C1707 Algorithm: DSA. Methods: Parameter Generation, Key Modulus length: 2048 and 3072
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #C1718 Algorithm: ECDSA. Methods: Key Generation, Signature Curves: B-233, B-283, As per services mapped to ECDSA for #C1707 above but Generation, Signature Verification. B-409, B-571, K-233, where this implementation is only exercised for the listed Standard: [FIPS 186K-283, K-409, K-571. curves and when HSM Policy (43) Enable low-level math 4]. Hash options: acceleration is disabled. Signature Generation: SHA2-224, Signature Verification additional SHA2-256, SHA2-384, SHA2-512, Curves: K-163 and B-163 SHA3-224, SHA3-256, SHA3-384, SHA3-512. Non-NIST (as per [FIPS 140-3] IG C.A): Signature Verification: SHA-1, SHA2- see Table 2-3 below for curves over a 224, SHA2-256, SHA2-384, SHA2-512, binary field
56Ar3] and [SP800- and 256 bits of encryption strength. 56Cr2]. Request HSM self-test, Derive key from existing partition #A480 Algorithm: KAS (KAS- Methods: ephemeralUnified and Curves: B-233, B-283, B-409, B-571, Ksecret or private key object. ECC-SSC (Cert #A480) onePassDH with X9.63 KDF [SP800-135r1] 233, K-283, K-409, K-571, P-224, Pand CVL (Cert #A480)). using SHA2-224, SHA2-256, SHA2-384 or 256, P-384, P-521. Algorithm implementation used when HSM Policy (43) SHA2-512. Standard: [SP800- Caveat: key establishment Enable low-level math acceleration is enabled. 56Ar3] and [SP800- methodology provides between 112 135r1]. and 256 bits of encryption strength. As per services mapped to KAS-ECC-SSC for Cert #A480 #A480, Algorithm: KAS (KAS- Methods: ephemeralUnified and Curves: B-233, B-283, B-409, B-571, Kabove but where this implementation is only exercised for #A478 ECC-SSC (#A478) and onePassDH with OneStep KDF from 233, K-283, K-409, K-571. the listed curves and when HSM Policy (43) Enable low-level KDA (#A480)). [SP800-56Cr2] 6 with Auxiliary function: Caveat: key establishment math acceleration is disabled. SHA1, SHA2-224, SHA2-256, SHA2-384, Standard: [SP800- methodology provides between 112 SHA2-512, SHA3-224, SHA3-256, SHA356Ar3] and [SP800- and 256 bits of encryption strength.
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function As per services mapped to KAS-ECC-SSC for Cert #A480 #A480, Algorithm: KAS (KAS- Methods: ephemeralUnified and Curves: B-233, B-283, B-409, B-571, Kabove but where this implementation is only exercised for #A478 ECC-SSC (#A478) and onePassDH with X9.63 KDF [SP800-135r1] 233, K-283, K-409, K-571. the listed curves and when HSM Policy (43) Enable low-level CVL (#A480)). using SHA2-224, SHA2-256, SHA2-384 or Caveat: key establishment math acceleration is disabled. SHA2-512. Standard: [SP800- methodology provides between 112 56Ar3] and [SP800- and 256 bits of encryption strength. 135r1]. Request HSM self-test, Derive key from existing partition #A480 Algorithm: KAS (KAS- Methods: dhHybrid1, dhEphem, Modulus length: 2048, 3072 and secret or private key object. FFC-SSC (Cert #A480) dhHybridOneFlow and dhOneFlow with 4096. and KDA (Cert OneStep KDF from [SP800-56Cr2] with Caveat: key establishment Implementation of KAS-FFC-SSC covered by Cert #A480 is #A480)). Auxiliary function: SHA1, SHA2-224, SHA2methodology provides between 112 used when HSM Policy (43) Enable low-level math 256, SHA2-384, SHA2-512, SHA3-224, Standard: [SP800- and 150-bits of encryption strength. acceleration is enabled. SHA3-256, SHA3-384 or SHA3-512. 56Ar3] and [SP80056Cr2]. Request HSM self-test, Derive key from existing partition #A480 Algorithm: KAS (KAS- Methods: dhHybrid1, dhEphem, Modulus length: 2048, 3072 and secret or private key object. FFC-SSC (Cert #A480) dhHybridOneFlow and dhOneFlow with 4096. and CVL (Cert #A480)). X9.42 KDF from [SP800-135r1] using Caveat: key establishment Implementation of KAS-FFC-SSC covered by Cert #A480 is SHA2-224, SHA2-256, SHA2-384, SHA2Standard: [SP800- methodology provides between 112 used when HSM Policy (43) Enable low-level math 512, SHA3-224, SHA3-256, SHA3-384 or 56Ar3] and [SP800- and 150-bits of encryption strength. acceleration is enabled. SHA3-512. 135r1]. Request HSM self-test, Derive key from existing partition #A480, Algorithm: KAS (KAS- Methods: dhHybrid1, dhEphem, Modulus length: 2048, 3072 and secret or private key object. #A478 FFC-SSC (Cert. #A478) dhHybridOneFlow and dhOneFlow with 4096. and KDA (Cert OneStep KDF from [SP800-56Cr2] with Caveat: key establishment Implementation of KAS-FFC-SSC covered by Cert #A478 is #A480)). Auxiliary function: SHA1, SHA2-224, SHA2methodology provides between 112 used when HSM Policy (43) Enable low-level math 256, SHA2-384, SHA2-512, SHA3-224, Standard: [SP800- and 150-bits of encryption strength. acceleration is disabled. SHA3-256, SHA3-384 or SHA3-512. 56Ar3] and [SP80056Cr2]. Request HSM self-test, Derive key from existing partition #A480, Algorithm: KAS (KAS- Methods: dhHybrid1, dhEphem, Modulus length: 2048, 3072 and secret or private key object. #A478 FFC-SSC (Cert. #A478) dhHybridOneFlow and dhOneFlow with 4096. and CVL (#A480)). X9.42 KDF from [SP800-135r1] using Caveat: key establishment Implementation of KAS-FFC-SSC covered by Cert #A478 is SHA2-224, SHA2-256, SHA2-384, SHA2Standard: [SP800- methodology provides between 112 used when HSM Policy (43) Enable low-level math 512, SHA3-224, SHA3-256, SHA3-384 or 56Ar3] and [SP800- and 150-bits of encryption strength. acceleration is disabled. SHA3-512. 135r1].
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #A480 Algorithm: KAS-ECC. Methods: onePassDH with full key Setup Local PED Session. Curve: P-521. Standards: [SP800- validation and key pair generation 56Ar3] and [SP800- KDF: OneStep Key Derivation using SHA256Cr2]. 512. Key Confirmation: HMAC-SHA2-512 with 256-bit key and 512-bit MAC. #A480 Algorithm: KAS-ECC. Methods: fullUnified with full key Setup Remote PED Session. Curve: P-521. Standards: [SP800- validation and key-pair generation 56Ar3] and [SP800- KDF: OneStep using SHA2-512. 56Cr2]. Key Confirmation: HMAC-SHA2-512 with 256-bit key and 512-bit MAC. #A480 Algorithm: KAS-ECC. Methods: fullUnified with full key Curve: P-521. Initiate STC tunnel. Standards: [SP800- validation and key pair generation 56Ar3] and [SP800KDF: OneStep using SHA2-512. 56Cr2]. Key Confirmation: HMAC with 512-bit key and 512-bit MAC.
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #A478, Algorithm: KAS-RSA. Method: KAS1-basic. Modulus length: 4096-bit. Clone SMK between partitions, Configure partition for high#A479, available recovery / login. Standards: [SP800#A480, Key generation method: rsakpg1-crt, 56Br2] and [SP800#A481 rsakpg2-crt Implementation covered by Cert #A480 used when HSM 56Cr2] Policy (43) Enable low-level math acceleration is enabled KDF method: One-Step Key Derivation and Partition Policy (16) Operate Without RSA blinding is from [SP800-56Cr2] using SHA2-512. enabled. Implementation covered by Cert #A481 used when HSM Policy (43) Enable low-level math acceleration is enabled and Partition Policy (16) Operate Without RSA blinding is disabled. Implementation covered by Cert #A478 used when HSM Policy (43) Enable low-level math acceleration is disabled and Partition Policy (16) Operate Without RSA blinding is enabled. Implementation covered by Cert #A479 used when HSM Policy (43) Enable low-level math acceleration is disabled and Partition Policy (16) Operate Without RSA blinding is disabled. #A480 Algorithm: KAS-ECC- Methods: ephemeralUnified, onePassDH. Curves: B-233, B-283, B-409, B-571, K- Request HSM self-test, Derive key from existing partition SSC. 233, K-283, K-409, K-571, P-224, P- secret or private key object. 256, P-384, P-521. Standards: [SP800Algorithm implementation used when HSM Policy (43) 56Ar3]. Enable low-level math acceleration is enabled. #A478 Algorithm: KAS-ECC- Methods: ephemeralUnified, onePassDH. Curves: B-233, B-283, As per services mapped to KAS-ECC-SSC for Cert #A480 SSC. B-409, B-571, K-233, above but where this implementation is only exercised for Standards: [SP800- K-283, K-409, K-571. the listed curves and when HSM Policy (43) Enable low-level 56Ar3]. math acceleration is disabled. #A478, Algorithm: KAS-FFC- Methods: dhHybrid1, dhEphem, Request HSM self-test, Derive key from existing partition Modulus length: 2048, 3072 and #A480 SSC. dhHybridOneFlow, dhOneFlow. secret or private key object. 4096-bit. Standards: [SP800Implementation covered by Cert #A480 is used when HSM 56Ar3]. Policy (43) Enable low-level math acceleration is enabled. Implementation covered by Cert #A478 is used when HSM Policy (43) Enable low-level math acceleration is disabled.
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function Key Transport #C1707 Algorithm: KTS (AES Modes: GCM, KW and KWP. Key size: 128, 192, and 256-bit. Export/import audit log secret key, Configure partition for Cert #C1707). high-available recovery / login, Export secret or private key Caveat: key establishment using key wrapping, Clone SMK between partitions, Clone Standards: [FIPS 197], methodology provides between 128 partition objects between partitions. [SP800-38D] and and 256 bit of encryption strength. [SP800-38F]. AES KW and AES KWP implementation covered by this KTS is used when data sizes being encrypted or decrypted are less than 2KB in size. When cloning objects using CPV3, KWP is used. When cloning objects with CPV4, GCM is one of two supported key transport options (CTR with HMAC-SHA2-512 is the other, as covered below). #C1718 Algorithm: KTS (AES Modes: KW and KWP. Key size: 128, 192, and 256-bit. Export/import audit log secret key, Configure partition for Cert #C1718). high-available recovery / login, Export secret or private key Standards: [FIPS 197] Caveat: key establishment using key wrapping, Clone SMK between partitions, Clone and [SP800-38F]. methodology provides between 128 partition objects between partitions. and 256 bit of encryption strength. AES KW and AES KWP implementation covered by this KTS are exclusively used when data sizes being encrypted or decrypted are 2KB or greater in size. When cloning objects using CPV3, KWP is used. #C1707. Algorithm: KTS (AES Modes: CTR. Key Size: 256-bits (separate Clone SMK between partitions, Clone partition objects Cert #C1707, HMAC encryption and MAC keys, each of between partitions
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #A478, Algorithm: KTS-RSA. Method: KTS-OAEP-basic. Modulus length: 2048, 3072, 4096, Request HSM self-test, Import secret or private key using #A479, 6144, and 8192. key wrapping. Standards: [SP800- Key generation method: rsakpg1-crt and #A480, 56Br2] and [SP800- rsakpg2-crt. Caveat: key establishment #A481 Implementation covered by Cert #A480 used when HSM 56Cr2]. methodology provides between 112 Hash: SHA2-224, SHA2-256, SHA2-384, Policy (43) Enable low-level math acceleration is enabled SHA2-512, SHA3-224, SHA3-256, SHA3- and 201 bits of encryption strength. and Partition Policy (16) Operate Without RSA blinding is 384, SHA3-512. enabled. Mask Generation Function: SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3- Implementation covered by Cert #A481 used when HSM 224, SHA3-256, SHA3-384, SHA3-512 Policy (43) Enable low-level math acceleration is enabled and Partition Policy (16) Operate Without RSA blinding is disabled. Implementation covered by Cert #A478 used when HSM Policy (43) Enable low-level math acceleration is disabled and Partition Policy (16) Operate Without RSA blinding is enabled. Implementation covered by Cert #A479 used when HSM Policy (43) Enable low-level math acceleration is disabled and Partition Policy (16) Operate Without RSA blinding is disabled. Key Derivation Function, #C1707 Algorithm: Key-Based Mode: Counter. Supported Lengths: 1024, 1032, Initialize the HSM, Initialize role, Derive key from existing Key Derivation 2048, and 2056. partition secret or private key object, Change authentication MAC Mode: CMAC-AES128, CMACFunction (KBKDF). data, Login as role, Request HSM self-test. AES192, CMAC-AES256, HMAC-SHA-1, Fixed Data Order: Before Fixed Standards: [SP800- HMAC-SHA2-224, HMAC-SHA2-256, Data. 108r1]. HMAC-SHA2-384, HMAC-SHA2-512. Counter Length: 32. #A480 Algorithm: KDA 7. Method: One-Step Key Derivation. Shared secret length: 224-8192, Request HSM self-test, Derive key from existing partition increment 1 byte. secret or private key object, Clone SMK between partitions, Standards: [SP800- Hash: SHA-1, SHA2-224, SHA2-256, SHA2Derived Key length: 128
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function #A480 Algorithm: X9.42 Key Methods: SHA-1, SHA2-224, SHA2-256, Shared secret length: Request HSM self-test, Derive key from existing partition Derivation Algorithm SHA2-384, SHA2-512, SHA3-224, SHA3- 64-4096-bits, secret or private key object. (CVL). 256, SHA3-384, SHA3-512. increment 1 byte. Standards: [SP800- Derived Key Length: 384-bits. 133], [SP800-135r1] and [ANSI X9.42]. #A480 Algorithm: X9.63 Key Methods: SHA2-224, SHA2-256, SHA2- Field Size: 224, 256, 384, 521. Perform encrypt operation on user supplied data object Derivation Function 384, SHA2-512. Shared Secret Length: 128-4096 (CVL). Increment 8-bits. Standards: [ANSI X9.63]. #A480 Algorithm: PBKDF 8. Methods: HMAC-SHA2-512 (as covered Derived Key Length: Initialize the HSM, Initialize role, Change authentication under Cert #C1707). 256-bit. data, Login as role, Request HSM self-test. Standards: [SP800Password Length: 132]. 128-bit. Salt Length: 256-bits. Random Number Generation ESV (Cert Algorithm: Physical. Methods: Live noise source with SHA2- Security Strength: Initialize the HSM, Create a user partition, Request partition #98) Standards: [SP800- 512 vetted conditioning function. Full Entropy. STC identity, Initiate STC tunnel, Clone SMK between 90B], [FIPS 180-4]. partitions, Clone partition objects between partitions, Rollover SMK for a given partition, Enable/disable STM, Request HSM self-test, Initialize role, Configure partition for high-available recovery / login, Initialize Remote PED Vector (RPV), Setup Local PED Session, Setup Remote PED Session, Generate local symmetric or asymmetric key-pair, Generate domain parameters, Derive key from existing partition secret or private key object, Export secret or private key using key wrapping, Re-seed partition DRBG, Extract entropy from partition DRBG, Perform encrypt operation on user supplied data object, Generate signature or MAC over user supplied data, Activate SMFS #C1707 Algorithm: CTR_DRBG. Mode: AES-256. Security strength: <as per ESV (Cert #98) on row above> 256-bit. Standard: [SP80090Ar1]. Used internal to the cryptographic module to derive the storage encryption key used to encrypt the checkword used during password based authentication. The derived key is separately used to encrypt f or storage the USK which is independently also encrypted under the module generated KEK. The module uses method 1a f rom [SP800-132] where the derived Master Key (MK) is used directly as the Data Protection Key (DPK).
Cryptographic Module Specification Algorithm and Description / Key Size(s) / Key CAVP Cert Standard Mode / Method Strength(s) Use / Function Key Generation Vendor Algorithm: CKG. Method: symmetric keys and seed for Security strength: Initialize the HSM, Create a user partition, Request partition Affirmed asymmetric key generation are created 256-bit. STC identity, Initiate STC tunnel, Clone SMK between Standard: [SP800based on the direct output of the module partitions, Clone partition objects between partitions, 133]. DRBG (Cert #C1707). Rollover SMK for a given partition, Initialize role, Change authentication data, Initialize Remote PED Vector (RPV), Setup Remote PED Session, Generate local symmetric or asymmetric key-pair, Generate domain parameters, Activate SMFS.
Cryptographic Module Specification Table 2-3: Supported non-NIST elliptic curve as per [FIPS 140-3] IG C.A Curve Field Type Permitted Operations Curve Name Definition Security Strength Sign Verify Derive sect571r2 Binary field - GF(2m) [SEC 2]. 285-bit x x x sect571k2 Binary field - GF(2m) [SEC 2]. 285-bit x x x Brainpool P512r1 Prime field
Cryptographic Module Specification Curve Field Type Permitted Operations Curve Name Definition Security Strength Sign Verify Derive X9.62 c2pnb239v3 Binary field - GF(2m) [ANSI X9.62]. 119-bit x x x sect239k1 Binary field - GF(2m) [SEC 2]. 119-bit x x x sect233r1 Binary field - GF(2m) [SEC 2]. 116-bit x x x sect233k1 Binary field - GF(2m) [SEC 2]. 116-bit x x x secp224k1 Prime field
Cryptographic Module Specification Table 2-4 Non-approved algorithms allowed in the approved mode of operation Algorithm Caveat Use / Function Key Transport KTS (AES Cert Key unwrapping; key establishment methodology provides Clone partition objects between partitions, Clone #C1707) between 128 and 256 bits of encryption strength. SMK between partitions, Import secret or private Uses allowances in [FIPS 140-3 IG] D.G, Key transport key using key wrapping. methods, for key unwrapping using un-authenticated modes of encryption listed on Cert #C1707 without use of an additional approved hash function. KTS (Triple- Key unwrapping; key establishment methodology provides Import secret or private key using key wrapping. DES Cert 112 bits of encryption strength. #C1707) Uses allowances in [FIPS 140-3 IG] D.G, Key transport methods, for key unwrapping using un-authenticated modes of encryption listed on Cert #C1707 without use of an additional approved hash function. KAS-ECC-SSC Key establishment methodology provides between 112 and Derive key from existing partition secret or private (Cert #A480) 256-bits of encryption strength. key object. Curves Non-NIST (as per [FIPS 140-3 IG] C.A): see Table 2-3 Algorithm implementation used when HSM Policy above. (43) Enable low-level math acceleration is enabled. KAS-ECC-SSC Key establishment methodology provides between 112 and Derive key from existing partition secret or private (Cert #A478) 256-bits of encryption strength. key object. Curves Non-NIST (as per [FIPS 140-3 IG] C.A): see Table 2-3 As per services mapped to KAS-ECC-SSC for Cert above for curves over a binary field
Non-Approved security functions are not available for use when the module has been configured to operate in the approved mode (see section 13.2). The following table lists non-approved algorithms supported for use with certain user consumable services when the module is configured in the non-Approved mode of operation during secure initialization. NOTE The module is capable of supporting a single mode of operation. Transition from an approved to non-approved mode of operation automatically triggers HSM zeroize or decommission module service. Table 2-6: Non-approved algorithms not allowed in the approved mode of operation. Algorithm / Function Use / Function Symmetric Encryption / Decryption ARIA Perform decrypt operation on user supplied data object, Perform encrypt operation on CAST3 user supplied data object, Derive key from CAST5 existing partition secret or private key object, Import secret or private key using key DES wrapping RC2 RC4 RC5 RSA (non-compliant with less than 112 bits of encryption strength) RSA X.5099 SEED SM4 Triple-DES (non-compliant for encrypt operations) XOR 10 Hashing HAS-160 Derive key from existing partition secret or private key object, Validate signature or MAC KECCAK over user supplied data, Perform digest MD2 operation on user supplied data MD5 RIPEMD-160 SM3 Message Authentication Code ARIA-CMAC SEED-CMAC this algorithm allows RSA encryption of a supplied data object without the use of padding. Any required padding is added by the operator ahead of supplying the data to this variant of the RSA encrypt/decrypt f unction. this algorithm allows the operator to XOR supplied data with either a supplied base key or key derived f rom a base key. This f unction is deprecated f or use in any situation where security of the data or key is required.
Cryptographic Module Specification Algorithm / Function Use / Function Triple-DES-CMAC (non-compliant for MAC generation) Generate signature or MAC over user supplied data, Validate signature or MAC HMAC (non-compliant with less than 112 bits of encryption strength) over user supplied data HAS160-HMAC MD5-HMAC SM3-HMAC RIPEMD160-HMAC AES-MAC ARIA-MAC CAST3-MAC CAST5-MAC DES-MAC RC2-MAC RC5-MAC SEED-MAC SSL3-MD5-MAC SSL3-SHA1-MAC Triple-DES-MAC Triple-DES-x9.19-MAC TUAK MILENAGE COMP128 Asymmetric DSA (non-compliant with less than 112 bits of encryption strength) Generate signature or MAC over user supplied data, Validate signature or MAC ECDSA (non-compliant with less than 112 bits of encryption strength) over user supplied data EdDSA EdDSA PH KCDSA RSA (non-compliant with less than 112 bits of encryption strength) SM2 SM3 Key Derivation AES 11 Derive key from existing partition secret or private key object ARIA BIP32 DES
11 AES is non-approved for key derivation when used to derive keys using methods other than as permitted by NIST standard such
as [SP800-56Cr2] and [SP800-108r1] in particular, use of AES in ECB or CBC mode directly to derive keys.
Cryptographic Module Specification Algorithm / Function Use / Function MD5 SHA 12 SSL PRE-MASTER SSL3-MASTER SM3 Triple-DES XOR 13 Key Agreement ECC (non-compliant with less than 112 bits of encryption strength) Derive key from existing partition secret or private key object Diffie-Hellman (key agreement; key establishment methodology; non-compliant with less than 112 bits of encryption strength) Key Transport AES 14 Import secret or private key using key wrapping, Export secret or private key using ARIA key wrapping, Clone partition objects CAST3 between partitions 15 CAST5 DES RC2 RSA (key wrapping; key establishment methodology; non-compliant with less than
RSA 16 SEED SM4 TDES Asymmetric Key Generation Diffie-Hellman (non-compliant with less than 112 bits of encryption strength) Generate local symmetric or asymmetric keypair, Generate domain parameters . ECC (non-compliant with less than 112 bits of encryption strength) KCDSA RSA (non-compliant with less than 112 bits of encryption strength) SM2 X9.42 Domain Parameter Generation SHA1, SHA2 and SHA3 are non-approved f or key derivation when they are used to derive keys in a way that is non-compliant with NIST standards such as [SP800-56Cr2], [SP800-108r1], [SP800-132] and [SP800-135r1]. XOR is non-approved f or key derivation when selected as a mechanism to combine supplied user data with an existing module stored key. AES is non-approved f or key transport when used to encrypt keys using methods other than as permitted by NIST standards such as [SP80038F]. In particular, use of un-authenticated modes of AES f or encryption without a separate authentication tag (e.g. signature or MAC) is nonapproved. this service uses both [SP800-56Br2] non-compliant RSA encryption f or encryption of a nonce f ollowed by AES encryption of key objects in a [SP800-38F] non-compliant manner when Cloning Protocol Version 1 is used f or key export. Later versions of this protocol as separately mapped to this service use approved cryptography. non-compliant when used f or key transport using RSA variants that are [SP800-56Br2] non-compliant.
The following two figures identify the physical interfaces to the cryptographic module: USB 2.0 Decommission interf ace External tamper interf ace Backup supply PCIe Bus Connector Serial port RS232 Fan 1, 12V Fan 2, 12V Figure 3-1: Thales Luna K7 Cryptographic Module physical interfaces (non-LED).
Cryptographic Module Interfaces Tamper LED (Red) General status LED (Green) General status LED (Blue) Battery LED (Green) Figure 3-2: Thales Luna K7 Cryptographic Module status LED interfaces. Where physical interfaces identified in Figure 3-1 and Figure 3-2 are outside the defined cryptographic boundary shown in Figure 2-1 and Figure 2-2, the physical port as listed in the following table corresponds to the internal tracking on the PCB from the physical interface to the module at the point it crossed the cryptographic module boundary. The following table maps the physical interface to logical interfaces and supported data: Table 3-1: Ports and interfaces. Physical port Logical interfaces Data that passes over port/interface USB 2.0, 3.3v 17 Data input interface, data Encrypted channel for user authentication data entered using output interface, control input the Thales Luna PED alongside the USB-to-Serial dongle used interface, status output to provide serial access to FM. interface. Serial port RS232, 3-5.5V, up Data input interface, status Communication channel to the bootloader when put in to 1Mbps output interface. ‘interactive mode’ during startup. Boot sequence output during normal startup. Signals crossing the module boundary are the raw USB 2.0 data packets prior to the addition of physical layer signalling (PHY) and voltage level shif ting.
Cryptographic Module Interfaces Physical port Logical interfaces Data that passes over port/interface PCIe - Interface PCIe x4 gen3. Data input interface, data Diagnostics information when the main firmware is output interface, control input operational. interface, status output Primary interface for user interaction with the module using interface. the ICD protocol as maps to PKCS #11. Encrypted channel for Thales Luna PED when connected remotely. Encrypted channel with Thales Luna client when using the Secure Trusted Channel (STC) (client-to-partition) tunnel. External Event Interface. Control input interface. Control signal used to trigger tamper event. Decommission Interface Control input interface. Control signal used to trigger tamper event. Tamper LED (Red) Status output interface. LED is lit following a tamper event being detected and ahead of module being restarted. Battery LED (Green) Status output interface. LED is lit when the backup 3.6V supply is successful attached to the backup supply header. General status LED (Green) Status output interface. During boot sequence: > used to signal progress during the boot process, LED is toggled for each stage in the boot sequence that is successfully achieved; and > when the bootloader is put into interactive mode
Cryptographic Module Interfaces Physical port Logical interfaces Data that passes over port/interface Power, 3.6V Power interface N/A. Fan 1, 12V Power interface N/A. Fan 2, 12V Power interface N/A. NOTE Interactive mode is a state for the module bootloader where rather than following through a sequence of steps that lead directly to execution of the main firmware without operator intervention, the bootloader can be halted during boot and enters into a state where for a limited period of time, it will offer a number of services in response to commands it receives on the modules serial port. Services supported are as covered under the ‘bootloader services’ section of Table 4-2.
Roles, Services, and Authentication
The Thales Luna K7 Cryptographic Module supports the following roles: Table 4-1: Thales Luna K7 Cryptographic Module Roles Roles Principal Duties HSM Security Officer (HSM SO) The HSM SO is responsible for managing the HSM. As such, the HSM SO is authorized to install and configure the HSM, set and maintain global HSM security policies and [Admin Partition Role] install FMs. He/she is also able to request the load of new HSM firmware update files (FUF) and new Configuration Update Files (CUF). The HSM SO is able to create and delete partitions, but is not authorized to generate, load or use keys stored on the user partitions that have been created. The HSM SO is able to create, manage and use keys created in the Admin Partition alongside is responsible for initializing the ‘Administrator role’. The HSM SO can reset the Administrator password (configuration dependent). The HSM can have only one HSM SO. Administrator The Administrator is authorized to create, use, transfer and destroy key objects contained in the Admin partition. This role has privileges that are a subset of the HSM [Admin Partition Role] SO role. Partition Security Officer The Partition SO creates the partition level Partition CO role, sets and changes (Partition SO) partition-level policies. This role also has an option to reset the Partition CO password (configuration dependent) following lockout. [User Partition Role] Partition Crypto Officer The Partition CO role is authorized to create, use, destroy and transfer key objects for (Partition CO) a given partition. The Partition CO can optionally create the Partition LCO and Partition CU, and perform initial assignment of key authorization data. [User Partition Role] Partition Limited Crypto Officer The Partition LCO is an optional partition role authorized to create and use key objects, (Partition LCO) and perform initial assignment of key authorization data. The role is only permitted to delete key objects where per-key authorization is used and the correct authorization [User Partition Role] data for a given key object can be presented to the cryptographic module. Partition Crypto User (Partition The Partition CU is the partition role authorized to use the key objects within the CU) partition (e.g. sign, encrypt/decrypt). [User Partition Role] Audit User (AU) The AU initializes the secret key used to generate Message Authentication Code (MAC) for secure audit messages alongside configuring logging levels for the HSM. [Admin Partition Role]
Roles, Services, and Authentication Roles Principal Duties Public User Unauthenticated user with limited access to perform signature verification with public keys where CKA_PRIVATE = false, initialization of the module and roles and to read [Admin or User Partition Role] module status. NOTE All methods of authentication supported by the module (memorized secret or multifactor crypto device + memorized secret, incorporate the use of an ID alongside the presentation of the authentication data and are identity based. Guidance on assuming a given role is covered in section 13.5, ‘Assuming Roles’. The mapping of the cryptographic module’s roles services can be found in the table below. In this table, ‘Any role’ in the ‘role’ column signifies that any role identified in Table 4-1: Thales Luna K7 Cryptographic Module Roles can access the corresponding service. This includes the ‘public user’ that is an implicit role and unauthenticated by the module. Table 4-2: Roles, Service Command, Input and Output. Role Service Input Output HSM Management Any role. HSM Factory Reset. - Any role. Initialize the HSM. session, user ID, label, authentication data (if PED domain, authentication data authentication), return code. (if password authentication). HSM SO. Create a user partition. session, label. return code. HSM SO. Delete a user partition. session. return code. Any role. Query HSM status. status information type. status data, return code. Any role. Query partition status. status information type. status data, return code. Any role. Query HSM configuration. hsm policy number. policy status. Any role. Query partition configuration. partition policy numbers. policy status. HSM SO. Set HSM policy. hsm policy number, value. return code. HSM SO (admin partition). Set partition policy partition policy number, return code. Partition SO (user partition). value. HSM SO. Update firmware. session, signed firmware return code. image. Any role. Protect object integrity. object handle. Return code. Any role. HSM zeroize or decommission. session. return code. Any role. Trigger user partition zeroize. session. return code. HSM SO. Load configuration update file. session, signed configuration return code. update image. Any role. Query the audit log status. session. audit log status, return code.
Roles, Services, and Authentication Role Service Input Output Any role. Generate secure log record. session and app_ID, return code. message to log, message type. Any role. Submit external messages for session, message to be return code. entry into secure audit log. logged. AU. Configure the audit log. Session, log configuration return code. parameter and value. AU. Export/import audit log secret session, wrapped log secret wrapped log secret (export key. (import only). only), return code. HSM SO, AU. Set time on HSM real time session, time. return code. clock. AU. Validate the audit log. session, audit log segment, return code. audit log key ID. Any role. Request partition STC identity. session partition STC identity certificate, return code. HSM SO (admin or Manage STC client session, client identity return code. un-initialized user partition). certificate. Partition SO (user partition). HSM SO (admin or Query STC status session, client identity. client status, return code. un-initialized user partition). Partition SO (user partition). Any role. Initiate STC tunnel. - return code. Any role. Send commands to partition command data to tunnel. command response from with STC tunnel initiated. module. HSM SO, Partition CO. Clone SMK between partitions. session, SMK ID. return code. HSM SO, Administrator, Clone partition objects between session, object ID return code. Partition CO, Partition LCO, partitions. Partition CU HSM SO, Partition CO. Rollover SMK for a given session, SMK ID return code. partition. Any role. Enable/disable STM. verification data (disable). verification data (enable), calculated fingerprint (disabled), return code. Any role. Clear tamper event. session. return code. Any role. Request HSM self-test. session, self-test ID. return code. Role Management Any role. Query role status. session, role. role status, return code.
Roles, Services, and Authentication Role Service Input Output HSM SO (required to Initialize role. session, user ID, role ID, authentication data (if PED initialize Administrator). authentication data (if configuration), return code. HSM SO, Administrator, AU, password authentication). Partition SO, Partition CO, Partition LCO, Partition CU, Public User (required to initialize HSM SO, AU or Partition SO). Partition SO (required to initialize Partition LCO or Partition CU). HSM SO (required to change Change authentication data. session, user ID, role ID, authentication data (if PED HSM SO). authentication data. configuration), return code. AU (required to change AU). HSM SO or Administrator (required to change Administrator). Partition SO (required to change Partition SO and Partition CO) Partition CO or Partition LCO (required to change Partition LCO). Note: Roles are not changed, only the role authentication data. HSM SO, Administrator, AU, Configure partition for high- session, HA Login key return code. Partition SO, Partition CO, available recovery / login. handle. Partition LCO, Partition CU. HSM SO, Administrator, AU, Login as role. session, role ID, return code. Partition SO, Partition CO, authentication data. Partition LCO, Partition CU. Any role. Close authenticated sessions. - return code. Luna PED Configuration HSM SO. Initialize Remote PED Vector - return code. (RPV). Any role. Setup Local PED Session. - return code. Any role. Setup Remote PED Session. PED_ID. return code. Any role. Send or receive data over PED When receiving data: When receiving data: tunnel (local PED). encrypted payload. plaintext payload, return When sending data: code. Plaintext data to encrypt to When sending data: PED. Encrypted data, return code.
Roles, Services, and Authentication Role Service Input Output Any role. Send or receive data over PED When receiving data: When receiving data: tunnel (remote PED). encrypted payload. plaintext payload, return When sending data: code. Plaintext data to encrypt to When sending data: PED. Encrypted data, return code. Key Management Activities HSM SO, Administrator, Generate local symmetric or session, generation public key handle, private Partition CO, Partition LCO. asymmetric key-pair. algorithm, algorithm key handle, return code. parameters, public key attributes, private key attributes. Any role. Generate domain parameters. session, generation domain object handle, algorithm, algorithm return code. parameters. HSM SO, Administrator, Derive key from existing session, algorithm, key handle for resulting key, Partition CO, Partition LCO. partition secret or private key algorithm parameters, key return code. object. handles for input derivation keys. Any role. Import public key, certificate, session, object for import. imported object handle, domain object or data objects. return code. HSM SO, Administrator, Import secret or private key session, unwrapping unwrapped key handle, Partition CO, Partition LCO. using key wrapping. algorithm, algorithm return code. parameters, handle of wrapping key (asymmetric), handle of key to be unwrapped. HSM SO, Administrator, Export secret or private key session, wrapping algorithm, wrapped key, return code. Partition CO, Partition LCO. using key wrapping. algorithm parameters, handle of wrapping key, handle of key to be wrapped. Any role. Read non-sensitive key attribute session, object attributes. object data, return code. where CKA_PRIVATE = false for a given key object. HSM SO, Administrator, Read non-sensitive key attribute session, object attributes. object data, return code. Partition CO, Partition LCO, where CKA_PRIVATE = true for Partition CU, Public User. a given key object. HSM SO, Administrator, Insert key from external storage session, SKS key blob. inserted key object handle, Partition CO, Partition LCO, using SKS. return code. Partition CU. HSM SO, Administrator, Extract key to external storage session, key handle. SKS key blob, return code. Partition CO, Partition LCO, using SKS. Partition CU. Cryptographic Services HSM SO, Administrator, Re-seed partition DRBG. session, seed. return code. Partition SO, Partition CO, Partition LCO, Partition CU.
Roles, Services, and Authentication Role Service Input Output HSM SO, Administrator, Extract entropy from partition session, size of random data random data, return code. Partition SO, DRBG. requested. Partition CO, Partition LCO, Partition CU. HSM SO, Administrator, Perform digest operation on session, data to hash. hash result, return code. Partition SO, user supplied data. Partition CO, Partition LCO, Partition CU. Any role. Perform encrypt operation on session, algorithm, encrypted data, return code. user supplied data object. algorithm parameters, data to encrypt. HSM SO, Administrator, Perform decrypt operation on session, algorithm, decrypted data, return code. Partition CO, Partition LCO, user supplied data object. algorithm parameters, data Partition CU. to decrypt. HSM SO, Administrator, Generate signature or MAC over session, algorithm, signature, return code. Partition CO, Partition LCO, user supplied data. algorithm parameters, data Partition CU. to sign. HSM SO, Administrator, Validate signature or MAC over session, algorithm, return code. Partition SO 18, user supplied data. algorithm parameters, data Partition CO, Partition LCO, to verify, signature. Partition CU. Bootloader Services Any role. Set/read scratchpad flag to flag, value return code. signal to main firmware. Any role. Request complete erase of the - HSM main firmware image, loaded FM and key stores (excludes erase of bootloader). Any role. Read Vital Product Data - VPD contents. programmed at manufacture. Any role. Request authentication and - execution of main firmware. Functionality Module Management HSM SO. Download FM. signed binary for FM. return code. HSM SO, Administrator. Activate SMFS. - return code. Any role. Store/retrieve data from SMFS. data. return code. Any role. Delete FM. FM ID return code. Any role. Delete SMFS. - return code. Any role. Get FM status. FM ID FM status, return code. Partition SO is able to validate signatures using public keys where CKA_PRIVATE is set to 0.
Roles, Services, and Authentication
All roles, except for the Public User, must authenticate to the module by providing their authentication data. If configured with PED, all roles must authenticate using an iKey. When a role is initialized, a module generates the authentication data as a 48-byte random value and writes it to a iKey. Optionally, the Crypto-Officer, Limited Crypto Officer and Crypto-User roles can be configured to use two-factor authentication by also assigning a password to the role. If configured with Password, all roles must authenticate using a minimum of an 8-character password. When a role is initialized under this configuration, the operator enters the initial password for the role. Regardless of configuration (PED or Password), the password is delivered to the module encrypted with the public key from the Password Encryption Certificate (PEC) using KTS-OAEP-basic from [SP800-56Br2]. Table 4-3: Roles and Authentication Authentication Method [SP800-140E] Role Password Authentication Strength PED Configuration Configuration HSM SO Memorized Multi-Factor Crypto Device. iKey: 48-byte random authentication data generated when a Secret. role is initialized and stored on iKey. The probability of guessing the authentication data in a single attempt is 1 in 2384. With a Auditor Memorized Multi-Factor Crypto Device. maximum of 6000 failed login attempts per minute. Secret. User provided byte array (minimum 8 bytes): Memorized secret Partition SO Memorized Multi-Factor Crypto Device. when set using tools supplied with the module are limited to a Secret. character set of 86 characters 19 presented to the module as their ASCII byte representation. The strength of an 8 character Partition CO Memorized Multi-Factor Crypto Device Secret. + optional Memorized password with character set size of 86 is log2(868). This makes the probability of guessing the memorized secret in a single Secret. attempt 1 in 251 The module supports a maximum of 6000 failed Partition LCO Memorized Multi-Factor Crypto Device login attempts per minute when the failed login count for a Secret. + optional Memorized given role is disabled. Secret. Automatic lock-out: This feature, which is enabled by default, Partition CU Memorized Multi-Factor Crypto Device can be used to limit the impact of brute force attacks on login Secret. + optional Memorized and is covered in more detail in section 4.2.3. Secret. Administrator Memorized Multi-Factor Crypto Device. Secret. Public User Not Required. N/A. N/A. When using the password authentication mechanism, the module encrypts a known check-word under a key derived using PBKDF from [SP800-132] and option 1a from section 5.4, ‘Using the Derived Master Key to Protect Data’. During a login attempt, the module generates a key from the supplied password, and attempts to decrypt a known checkword. Successful login is achieved if the decrypted checkword matches the expected value. If successful, the PBKDF derived key is used to remove a layer of encryption from the module stored User Storage Key (USK) 20. Supported characters by tools used with the module to conf igure memorized secret are limited to: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*()-_=+[]{}/:',.~ When ‘decommission’ is enabled as a module capability, the USK is independently encrypted in storage under a 256-bit module generated AES key.
Roles, Services, and Authentication The length of the password used as input to the PBKDF function is consistent with the password length selected by the authenticating user, which is required to be between 7 and 255 characters long. Where passwords are randomly generated, the probability of successfully guessing the password and deriving the storage key for a minimum password length of 7 characters is 1 in 256. This probability is significantly reduced if random passwords are not used. Guidance in Appendix A, ‘Security Considerations’ of [SP800-132] should be consulted when picking an appropriate password length in situations where encryption layers derived from the user password are required to protect the confidentiality of module protected user keys. The module uses an iteration count of 1000 when generating the key used to decrypt the checkword. This limit has been set to account for the fact that objects encrypted under the [SP800-132] derived key are never exported from the module and are exclusively stored inside its cryptographic boundary where they are physically protected. In addition, the module supports lock-out of all identities following a configurable number of failed login attempts where this is the primary mechanism offered by the module to protect against bruteforcing of memorized secret.
If PED authentication is configured, the Crypto-Officer, Limited Crypto Officer and Crypto-User roles can be configured to use a two-step authentication process. The first stage is termed “Activation” and is performed using a PED key. Once activated, access to key material and cryptographic services is not allowed until the second stage of authentication, ‘User Login’, has been performed using the role’s password. Once activated, a role stays activated until the role is explicitly deactivated, deleted or the module is reset 21.
In addition to the cryptographic strength of the authentication mechanisms, all authenticating roles have the ability to maintain a failed authentication count that can be configured to stop attempts to brute force authentication data. The maximum supported failed authentication attempts can be set to between 3 and 10 for each role with the following lockout behaviors observed: > lockout of the HSM SO role will trigger the HSM zeroize or decommission service; > lockout of the Partition SO will trigger the Trigger user partition zeroize service; and > lockout of the Administrator, AU, Partition CO, Partition LCO, Partition CU roles will block future authentication attempts until the role is unlocked using the Change authentication data service.
All services listed in the table below can be accessed in approved mode and when in this mode exclusively use the security functions listed in Table 2-2 and When the module is operating in this mode, security functions in section 2.5 are disabled and blocked from being used. As notes on the content of Table 4-4: A module is reset in response to a trigger signal being received on the External Event input, Decommission signal and EFP violations, loss of power or a request f rom a host application.
Roles, Services, and Authentication > In the ‘Approved Security Functions’ column:
Roles, Services, and Authentication Table 4-4: Module Services Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator HSM Management HSM Factory Reset. Factory reset deletes all roles Algorithms: N/A. PSK, USK, DRBG Key, DRBG Any role. Z: (for ALL partition) IND_1. (including HSM SO), all users Key management Seed, DRBG V, KCV, SMK, PSK, USK, DRBG Key, DRBG and objects and sets all HSM technique: N/A. STC-PIDPUB, STC-PIDPRIV, STC- Seed, DRBG V, KCV, SMK, settings and policy to values CIDPUB, STC-PIDPUB, STC-PKAPUB, STC-PIDPUB, STC-PIDPRIV, STCdefined in pre-loaded Authentication STC-PKAPRIV, STC-CKAPUB, STC- CIDPUB, STC-PIDPUB, STCconfiguration update files. technique: N/A. PEN, STC-PMA, STC-PIV, STC- PKAPUB, STC-PKAPRIV, STCCEN, STC-CMA, STC-CIV , CKAPUB, STC-PEN, STC-PMA, HAPUB, HAPK, RND, STC-PIV, STC-CEN, STCAsymmetric Key Pairs CMA, STC-CIV. HAPUB, HAPK, (general partition or session RND, Asymmetric Key Pairs keys), Symmetric Keys (general partition or session (general partition or session keys), Symmetric Keys keys), DRBG Key, SALK, (general partition or session CWKHSM, CWKPED, DEKHSM, keys). DMKHSM, DEKPED, DMKPED, AEK, AEK-EK, AccessID. In addition, the following HSM level keys are erased: DRBG Key, SALK, CWKHSM, CWKPED, DEKHSM, DMKHSM, DEKPED, DMKPED. E: AEK, AEK-EK, AccessID.
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Initialize the HSM. This service is used to initialize Algorithms: AES (Cert For ALL partition if present
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Delete a user partition. This service is used to delete an Algorithms: N/A. PSK, USK, DRBG Key, DRBG HSM SO. Z: PSK, USK, DRBG Key, IND_1. existing user partition. Seed, DRBG V, KCV, SMK, DRBG Seed, DRBG V, KCV, Key management STC-PIDPUB, STC-PIDPRIV, STC- SMK, STC-PIDPUB, STCDuring deletion, the module technique: N/A. CIDPUB, AEK, AEK-EK, AccessID, PIDPRIV, STC-CIDPUB, zeroizes all objects associated Authentication Asymmetric Key Pairs Asymmetric Key Pairs with the partition. technique: N/A. (general partition or session (general partition or session keys), Symmetric Keys keys), Symmetric Keys (general partition or session (general partition or session keys) . keys). Query HSM status. This service is used to retrieve Algorithms: N/A. AEK, AEK-EK, AccessID. Any role. E: AEK, AEK-EK, AccessID. IND_1. general status information on Key management the module including items technique: N/A. such as: Authentication > hardware, bootloader and technique: N/A. main firmware versions; > module serial number; > module state (e.g. tampered, zeroized, initialized); > authenticated roles for active session (if present); > number of configured partitions; and > general error messages and logs.
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Query partition status. This service is used to retrieve Algorithms: N/A. AEK, AEK-EK, AccessID. Any role. E: AEK, AEK-EK, AccessID. IND_1. general status information on a Key management target partition including items technique: N/A. such as: Authentication > partition label and serial technique: N/A. number; > partition state (e.g. token initialized, user initialized, login required); > RPV and KCV state and active SMK ID. > number of stored objects; and > used and free storage space. Query HSM configuration. This service is used to retrieve Algorithms: N/A. AEK, AEK-EK, AccessID. Any role. E: AEK, AEK-EK, AccessID. IND_1. information on HSM Key management configuration and policy technique: N/A. settings. Authentication technique: N/A. Query partition This service is used to retrieve Algorithms: N/A. AEK, AEK-EK, AccessID. Any role. E: AEK, AEK-EK, AccessID. IND_1. configuration. information on the Key management configuration and policy technique: N/A. settings for a target partition. Authentication technique: N/A.
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Set HSM policy. This service is used to set Algorithms: N/A. Asymmetric Key Pairs HSM SO. Z: for all destructive IND_1. available HSM policy settings. (general partition or session policies
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Protect object integrity This is an internal module Algorithms: SHA (Cert AEK, AEK-EK, AccessID. Any role. E: AEK, AEK-EK, AccessID. IND_1. service used to protect the #C1707). integrity of all stored object Key management and configuration data. technique: N/A. All objects are stored with a Authentication SHA2-256 hash, which is technique: N/A. checked on retrieval ahead of object use. HSM zeroize or This service zeroizes the Algorithms: N/A. <As per service ‘HSM factory Any role. Z: <As per service ‘HSM IND_1. decommission. module with the exception of reset’ above but excluding: Factory reset’ above but Key management the following: SALK, RPV.> excluding: SALK, RPV.> technique: N/A. > SSP associated with the Authentication Audit partition and AU technique: N/A. role are not zeroized; > RPV persists allowing use of remote PED during reinitialization. Trigger user partition This service erases of keys Algorithms: N/A. USK, PSK, KCV, SMK, STC- Any role. Z: USK, PSK, KCV, SMK, STC- IND_1. zeroize. stored in a user partition and PIDPUB, STC-PIDPRIV, STC-CIDPUB, PIDPUB, STC-PIDPRIV, STCKey management resets Any role to their un- STC-PIDPUB, STC-PKAPUB, STC- CIDPUB, STC-PIDPUB, STCtechnique: N/A. initialized state. PKAPRIV, STC-CKAPUB, STC-PEN, PKAPUB, STC-PKAPRIV, STCAuthentication STC-PMA, STC-PIV, STC-CEN, CKAPUB, STC-PEN, STC-PMA, technique: N/A. STC-CMA, STC-CIV , HAPUB, STC-PIV, STC-CEN, STCHAPK, RND, , AEK, AEK-EK, CMA, STC-CIV , HAPUB, HAPK, AccessID, Asymmetric Key RND, Asymmetric Key Pairs Pairs (general partition or (general partition or session session keys), Symmetric Keys keys), Symmetric Keys (general partition or session (general partition or session keys). keys). E: AEK, AEK-EK, AccessID.
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Load configuration This service validated the Algorithms: RSA (Cert Root Certificate and License HSM SO. E: Root Certificate, License IND_1. update file. signature on a loaded #A480)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Configure the audit log. This service is used to configure Algorithms: N/A. AEK, AEK-EK, AccessID. AU. E: AEK, AEK-EK, AccessID. IND_1. which audit events are to be Key management recorded in the secure audit log technique: N/A. and in addition to configure the location of the secure logging Authentication daemon used to extract log technique: N/A. sections from the module. Events are selected based on logging categories assigned to different services with some events always logged unconditionally (e.g. tamper events and self-test failures). Export/import audit log This service exports or imports Algorithms: N/A. RDK, SALK, AEK, AEK-EK, AU. E: RDK, AEK, AEK-EK, IND_1. secret key. and encrypted copy of the AccessID. AccessID. Key management SALK. R: SALK technique: AES (Cert This service can be used to #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Request partition STC This service extracts a copy of Algorithms: AES (Cert DRBG Key, DRBG Seed, DRBG Any role (Admin E: DRBG Key, DRBG Seed, IND_1. identity. the partition identity and #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Initiate STC tunnel. 22 This service establishes a pre- Algorithms: AES DRBG Key, DRBG Seed, DRBG Any role. E: DRBG Key, DRBG Seed, IND_1. configured STC tunnel between (Cert #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Send commands to The service is used to tunnel Algorithms: AES (Cert STC-PEN, STC-PMA, STC-PIV, Any role. E: STC-PEN, STC-PMA, STC- IND_1. partition with STC tunnel commands from the client to a #C1707)
Roles, Services, and Authentication Clone SMK between This service uses the cloning Algorithms: DRBG Key, DRBG Seed, DRBG HSM SO is able to G/E: KEV s, KEV t, CPV4 Key IND_1. partitions. protocol to establish a shared CPV4: CTR_DRBG V, Root Certificate, MIC, HOC clone (or receive) Agreement Private Key, Key key between source and (Cert #C1707), AES (or FM equivalent), KCV and the SMK from/to Agreement Source Public destination partitions and then (Cert #C1707)
Destination Public Key, CPV4 MIC, HOC (or FM Key management Key Agreement Shared equivalent), TWC3, TWK3 technique: ESV (Cert Secret, CPV4 Key Transport TUK4, TWK4, CPV4 #98), CKG, SHA (Cert Key, CPV4 Session Key, CPV4 Messaging Private Key, #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Clone partition objects This service supports use of <as per service Clone <as per service Clone SMK HSM SO, <as per service Clone SMK IND_1. between partitions. CPV4, CPV3 for key object SMK between between partitions.> Administrator, between partitions.> import and export. partitions> Partition CO, Partition LCO, Partition CU. Rollover SMK for a given This service generates a new Algorithms: AES (Cert USK, DRBG Key, DRBG Seed, HSM SO, Partition E: USK, DRBG Key, DRBG IND_1. partition. SMK and demotes the current #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Clear tamper event. This service allows module Algorithms: N/A. AEK, AEK-EK, AccessID. HSM SO (required if E: AEK, AEK-EK, AccessID. IND_1. tamper event to be cleared. the tamper event Key management did not result in Following a tamper event, the technique: N/A. zeroization of the module will restart and the Authentication module). user is forced to acknowledge technique: N/A. the tamper event ahead of the Any role (in module returning to an situations where operational state. the tamper event triggered a module The role required to halt but did not acknowledge the tamper event zeroize the HSM). depends on the state the tamper event left the module. Request HSM self-test. This service allows components Algorithms: <All AEK, AEK-EK, AccessID. Any role. E: AEK, AEK-EK, AccessID. IND_1. of the power-on self-test to be general algorithms triggered on demand. from listed in Table 2-2 and Table 2-4> The service supports re-run of the entire power-on self-test Key management alongside selection of technique: <All Key individual tests to re-run. Establishment and Key Transport methods from listed in Table 2-2 and Table 2-4.> Authentication technique: N/A. Role Management Query role status. This service returns status in Algorithms: N/A. AEK, AEK-EK, AccessID. Any role. E: AEK, AEK-EK, AccessID. IND_1. relation to a target role (e.g. Key management whether the role is initialized or technique: N/A. not). Authentication technique: N/A.
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Initialize role. This service is used to initialize Algorithms: AES (Cert DRBG Key, DRBG Seed, DRBG HSM SO (required E: DRBG Key, DRBG Seed, IND_1. a role (admin partition or user #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Configure partition for This service is used to setup, Algorithms: AES (Cert DRBG Key, DRBG Seed, DRBG HSM SO, E: DRBG Key, DRBG Seed, IND_1. high-available recovery / authorize and use the high- #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Login as role. This service is used to login as a Algorithms: AES (Cert KEK, PEK (if password HSM SO, E: KEK, PEK (if password IND_1. given role to a session setup #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Luna PED Configuration Initialize Remote PED This service triggers creation of Algorithms: AES (Cert GSK, RPV, RPV-C, RPV-K, PED- HSM SO. E: GSK, AEK, AEK-EK, IND_1. Vector (RPV). the module Remote PED #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Setup Local PED Session. This service is used to derive a Algorithms: N/A. PED-EKA-C, HSM-SKA-KLOCAL, Any role. E: PED-EKA-C, HSM-SKA- IND_2. number of shared keys CWKHSM, CWKPED, PED Master KLOCAL, AEK, AEK-EK, Key management between the module and a Shared Secret, AEK, AEK-EK, AccessID. technique: ESV (Cert Thales Luna PED connected to AccessID. the modules USB port. #98), SHA (Cert G: PED Master Shared #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Setup Remote PED This service is used to derive a Algorithms: N/A. ECC MIC, ECC-HOCPED, PAC, Any role. E: ECC MIC, ECC-HOCPED, IND_2. Session. number of shared keys RPV-C, PED-SKA-C, PED-EKA-C PAC, RPV-C, PED-SKA-C, Key management between the module and a HSM-SKA-KLOCAL, HSM-EKA-C, PED-EKA-C HSM-SKA-KLOCAL, technique: ESV (Cert remote Thales Luna PED. G: PED Master Shared Secret, HSM-EKA-C, AEK, AEK-EK, #98), CKG, SHA (Cert CWKHSM, CWKPED, DEKHSM, AccessID. #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Send or receive data over This service is used following Algorithms: AES (Cert DEKHSM, DEKPED, DMKPED Any role. E: DEKHSM, DEKPED, DMKPED, IND_2. PED tunnel (remote PED) setup of an appropriate remote #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Generate domain This service is used to generate Algorithms: AES (Cert DRBG Key, DRBG Seed, DRBG Any role. E: DRBG Key, DRBG Seed, IND_1. parameters. 23 domain parameters requested #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Import public key, This service is used to import Algorithms: N/A. Asymmetric Key Pairs Any role. W: Asymmetric Key Pairs IND_1. certificate, domain object public key, certificate, domain (general partition or session (general partition or session Key management or data objects. 24 object or data objects. keys), AEK, AEK-EK, AccessID. keys). technique: N/A. When importing objects, if the E: AEK, AEK-EK, AccessID. Authentication CKA_PRIVATE or technique: N/A. CKA_SENSITIVE key attribute it set to true, the object will not be visible to the public user following creation. Import secret or private This service is used to import Algorithms: AES (Cert Asymmetric Key Pairs HSM SO, E: Asymmetric Key Pairs IND_1. key using key wrapping. secret or private key from the #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Export secret or private This service is used to export Algorithms: AES (Cert Asymmetric Key Pairs HSM SO, E: Asymmetric Key Pairs IND_1. key using key wrapping. secret or private key from the #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Insert key from external This service is used to import Algorithms: AES (Cert SMK, USK. Symmetric Keys HSM SO, E: SMK, USK, AEK, AEK-EK, IND_1. storage using SKS. key objects previously #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Cryptographic Services Re-seed partition DRBG. This service is used by a user to Algorithms: N/A. DRBG Key, DRBG Seed, DRBG HSM SO, E/W: DRBG Key, DRBG IND_1. trigger a manual re-seed V, AEK, AEK-EK, AccessID. Administrator, Seed, DRBG V. Key management operation of a partition DRBG Partition SO, technique: ESV (Cert E: AEK, AEK-EK, AccessID instance. Partition CO, #98), SHA (Cert Partition LCO, #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Perform encrypt This service is used by a user to Algorithms: AES (Cert USK (if request requires HSM SO, E: USK (if request requires IND_1. operation on user request encryption of a block of #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Generate signature or This service is used by a user to Algorithms: RSA (Cert USK (if request requires HSM SO, E: USK (if request requires IND_1. MAC over user supplied request a signature or MAC #C1707), ECDSA (Cert access to key in non-volatile Administrator, access to key in non-volatile data. over a block of user supplied #C1707), DSA (Cert storage), Symmetric Keys Partition CO, storage), Symmetric Keys data (or optionally a user #C1707), HMAC (Cert (general partition or session Partition LCO, (general partition or session supplied hash for signatures) #C1707), CMAC (Cert keys) or Asymmetric Key Pairs Partition CU keys) or Asymmetric Key using a module stored #C1707)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Bootloader Services Set/read scratchpad flag This service is used to set flags Algorithms: N/A. None. Any role. None. IND_3. to signal to main or read a series of flags in a Key management firmware. dedicated FRAM chip on the technique: N/A. module. Authentication Flags can be used to trigger technique: N/A. erasure on boot of option 1: a loaded FM and, option 2: the SMFS, non-volatile storage area available to FM. This feature is used (when enabled) to allow recovery of an HSM that is failing to start due to a malfunctioning FM during startup. Request complete erase This service is used to recover Algorithms: N/A. Asymmetric Key Pairs Any role. None. IND_3. of the HSM main from corrupt main firmware, or Key management (general partition or session firmware image, loaded FM and is performed as a technique: N/A. keys). FM and key stores factory operation. (excludes erase of Authentication Following erase, the card needs bootloader). technique: N/A. to repeat manufacturing process including loading factory signed keys before it can be operational again. Read Vital Product Data This service is used to read Algorithms: N/A. None. Any role. None. IND_3. programmed at product data set at Key management manufacture. manufacture in a EEPROM technique: N/A. device such as the HW ID and module serial number. Authentication technique: N/A.
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Request authentication This service is used to launch Algorithms: RSA (Cert Root Certificate and Any role. E: Root Certificate and IND_3. and execution of main the main firmware for the #A3164)
Roles, Services, and Authentication Approved Security Key and/or Access Rights to Keys Service Description Functions SSPs Roles and/or SSPs Indicator Store/retrieve data from This service is used to store and Algorithms: AES (Cert SMFSENC, SMFSINT, AEK, AEK- Any role (once E: SMFSENC, SMFSINT, AEK, IND_1. SMFS. 26 retrieve data in a secure #C1707)
Roles, Services, and Authentication
Non-approved services listed in the table below are not available when the module has been configured to operate in the approved mode (see section 13.2). As notes on the content of Table 2-6: > In the ‘Indicator Column’:
Roles, Services, and Authentication Table 4-5: Non-Approved Services Service Description Non-Approved Algorithms Accessed Roles Indicator Cryptographic Services Perform digest operation on This service is used by a user to HAS-160, KECCAK, MD2, MD5, RIPEMD-160, SM3. HSM SO, Administrator, Partition IND_1 user supplied data request a hash over a block of SO, Partition CO, Partition LCO, supplied data. Partition CU This service is not possible for the Backup configuration Perform encrypt operation This service is used by a user to ARIA, CAST3, CAST5, DES, RC2, RC4, RC5, RSA 27, RSA X.509, HSM SO, Administrator, Partition IND_1 on user supplied data object request encryption of a block of SEED, SM4, Triple-DES, XOR. CO, Partition LCO, Partition CU user-supplied data using a module stored cryptographic key. Ciphertext resulting from the service is returned the user and not stored. This service is not possible for the Backup configuration. Perform decrypt operation This service is used by a user to ARIA, CAST3, CAST5, DES, RC2, RC4, RC5, RSA 28, RSA X.509, HSM SO, Administrator, Partition IND_1 on user supplied data object request decryption of a block of SEED, SM4, Triple-DES 29, XOR. CO, Partition LCO, Partition CU user-supplied data using a module stored cryptographic key. Plaintext resulting from the service is returned the user and not stored. This service is not possible for the Backup configuration. Generate signature or MAC This service is used by a user to Symmetric Algorithms: ARIA-CMAC, SEED-CMAC, Triple-DES- HSM SO, Administrator, Partition IND_1 over user supplied data request a signature or MAC over a CMAC, HMAC 30, HAS160-MAC, MD5-HMAC, SM3-HMAC, CO, Partition LCO, Partition CU block of user supplied data (or RIPEMD160-HMAC, AES-MAC, ARIA-MAC, CAST3-MAC, CAST5optionally a user supplied hash for MAC, DES-MAC, RC2-MAC, RC5-MAC, SEED-MAC, SSL3-MD5signatures) using a module stored MAC, SSL3-SHA1-MAC, Triple-DES-MAC, Triple-DES-x9.19-MAC, cryptographic key. TUAK, MILENAGE, COMP128. The resulting signature from the operation is returned the user and not stored.
27 RSA is non-compliant when using PKCS#1, v1.5 padding for encryption or decryption.
Roles, Services, and Authentication Table 4-5: Non-Approved Services Service Description Non-Approved Algorithms Accessed Roles Indicator Asymmetric Algorithms: DSA 31, ECDSA 32, EdDSA, EdDSA PH, This service is not possible for the KCDSA, RSA 33, SM2, SM3. Backup configuration. Validate signature or MAC This service is used by a user to Symmetric Algorithms: ARIA-CMAC, SEED-CMAC, Triple-DES- HSM SO, Administrator, Partition IND_1 over user supplied data request validation of a signature or CMAC 34, HMAC 35, HAS160-MAC, MD5-HMAC, SM3-HMAC, CO, Partition LCO, Partition CU MAC over a block of user-supplied RIPEMD160-HMAC, AES-MAC, ARIA-MAC, CAST3-MAC, CAST5data using a module stored MAC, DES-MAC, RC2-MAC, RC5-MAC, SEED-MAC, SSL3-MD5cryptographic key. MAC, SSL3-SHA1-MAC, Triple-DES-MAC, Triple-DES-x9.19-MAC, TUAK, MILENAGE, COMP128. The service returns whether the validation was successful. Asymmetric Algorithms: DSA 36, ECDSA 37, EdDSA, EdDSA PH, This service is not possible for the KCDSA, RSA 38, SM2, SM3. Backup configuration. HSM Management Clone partition objects This service supports use of CPV1 AES, RSA. HSM SO, Administrator, Partition IND_1 between partitions 39 for key object import and export CO, Partition LCO, Partition CU exclusively. Key Management Activities Derive key from existing This service is used to derive keys AES 40, ARIA, BIP32, DES, MD5, SHA, SSL PRE-MASTER, SSL3- HSM SO, Administrator, Partition IND_1 partition secret or private based on other key material stored MASTER, SM3, Triple-DES, XOR. CO, Partition LCO key object in the module or supplied to it on request of the end-user. Derived keys are stored in the cryptographic module for use with other user consumable cryptographic services or to export DSA is non-compliant with less than 112 bits of encryption strength. ECDSA is non-compliant with less than 112 bits of encryption strength. RSA is non-compliant with less than 112 bits of encryption strength. Triple-DES-CMAC is non-compliant with less than 112-bits of encryption strength. HMAC is non-compliant with less than 112-bits of encryption strength. DSA is non-compliant with less than 112 bits of encryption strength. ECDSA is non-compliant with less than 112 bits of encryption strength. RSA is non-compliant with less than 112 bits of encryption strength. this service uses both [SP800-56Br2] non-compliant RSA encryption f or encryption of a nonce f ollowed by AES encryption of key objects in a [SP800-38F] non-compliant manner when Cloning Protocol Version
1 is used f or key export. Later versions of this protocol as separately mapped to this service use approved cryptography.
AES is non-approved f or key derivation when use to derive keys using methods other than as permitted by NIST standard such as [SP800-56Cr2] and [SP800-108r1] in particular, use of AES in ECB or CBC mode directly to derive keys.
Roles, Services, and Authentication Table 4-5: Non-Approved Services Service Description Non-Approved Algorithms Accessed Roles Indicator to other cryptographic modules or systems. This service is not possible for the Backup configuration. Generate local symmetric or This service is used to generate Diffie-Hellman 41, ECC 42, KCDSA, RSA 43, SM2. HSM SO, Administrator, Partition IND_1 asymmetric key-pair symmetric keys or asymmetric key CO, Partition LCO pairs requested by the end-user and stored in the cryptographic module for use with other user consumable cryptographic services or to export to other cryptographic modules or systems. This service is not possible for the Backup configuration Import secret or private key This service is used to import secret ARIA, CAST3, CAST5, DES, RC2, RSA 44, SEED, SM4. HSM SO, Administrator, Partition IND_1 using key wrapping or private key from the admin or CO, Partition LCO user partitions using key wrapping Unauthenticated symmetric encryption is permitted for key unwrapping under Uses allowances in [FIPS 140-3 IG] D.G, Key transport methods. This service is not possible for the Backup configuration. Export secret or private key This service is used to export secret AES 45, ARIA, CAST3, CAST5, DES, RC2, RSA, SEED, SM4, TDES. HSM SO, Administrator, Partition IND_1 using key wrapping or private key from the admin or CO, Partition LCO user partitions using key wrapping. This service is not possible for the Backup configuration. Dif f ie-Hellman key generation mechanisms are non-compliant with less than 112-bits of encryption strength. ECC key generation mechanisms are non-compliant with less than 112-bits of encryption strength. RSA key generation mechanisms are non-compliant with less than 112-bits of encryption strength. RSA is non-approved f or key transport when used with an encryption strength of 112-bits or when using PKCS #1, v1.5 padding f or encryption. AES is non-approved f or key transport when used to encrypt keys using methods other than as permitted by NIST standards such as [SP800-38F]. In particular, use of un-authenticated modes of AES f or encryption without a separate authentication tag (e.g. signature or MAC) is non-approved.
Roles, Services, and Authentication Table 4-5: Non-Approved Services Service Description Non-Approved Algorithms Accessed Roles Indicator Generate domain This service is used to generate X9.42 Domain Parameter Generation Any role IND_1 parameters. 46 domain parameters requested by the end-user and stored in the cryptographic module for use with other user consumable cryptographic services or to export to other cryptographic modules or systems. Public users cannot generate any objects where either CKA_SENSITIVE or CKA_PRIVATE attributes are true. As such, the service would not af f ect the security of the module or the security of the inf ormation being protected, as sought by 4.1.A.
The Thales Luna K7 Cryptographic Module’s firmware integrity is checked on startup as described in section 10.1. The bootloader runs the self-test functions to check the firmware integrity as well as the cryptographic algorithms used to check the bootloader and main firmware image authenticity. Any failures during these tests will result in a module halt in which an error message is output, the module halts all functions and data output is inhibited. The main firmware image is used to check the integrity of any loaded FM. The bootloader and firmware are stored as signed binaries using RSA PKCS #1-v1.5 with a 4096-bit module and SHA2-384. The operator can trigger an on-demand check of the module firmware using the CA_SelfTest Cryptoki API command. An example of the CA_SelfTest Cryptoki API command in use can be found in section 13.3. Periodic Self-Tests (PST) are performed every 24 hours and run the firmware integrity tests and a subset of the KAT tests. Failure of either of these self-tests during PST will trigger a module halt. Recovery from this state will require the module to be restarted and for the detected fault to have cleared otherwise the module will re-halt during POST following restart. See Section 10 for additional information about the PST.
All FM images downloaded into the module must have an assigned signature from the FM developer. FMs are only executed inside the HSM after this signature has been validated. The FM code authenticity and integrity is protected using RSA #1 v1.5 signature with SHA2-512 digest and a minimum of 2048-bit modulus.
When new main firmware is to be loaded using the hsm updatefw LunaCM command, a separate mechanism is used to authenticate the firmware than the pre-operational firmware self-test. An example of the hsm updatefw LunaCM command can be found in section 11.11. Once initiated the firmware load sequence uses a set series of ICD commands and all others are prohibited until the firmware update is completed. Updating the main firmware is a two stage process. The first stage is to download the main firmware to the module. The second stage involves subsequently re-authenticating and loading the main firmware following a module restart, this occurs based on the bootloader during power-on ahead of the communications module being started. The firmware load test can be found in Table 10-2.
The following are the firmware components included on the module: > hsm - this component is compiled as a 32bit LSB executable for PowerPC. This is identified throughout this document as the ‘main firmware’. > bootloader - the bootloader is an Executable and Linkable Format (ELF) executable. This is identified throughout this document as the ‘bootloader’.
Software/Firmware Security No source code, object code or just-in-time compiled code are included in the module. This scope of this certification does not currently include any certified FM where these are expected to have independent FIPS 140-3 certificates. As such, no components covering FM are listed in this section.
The module supports a limited operating environment as defined in [ISO/IEC 19790:2012]. The only changes to the environment permitted in the approved mode of operation is through the loading of FM where the loaded FM has been [FIPS 140-3] certified to run on Thales Luna K7 Cryptographic Module.
The module is of physical embodiment multi-chip embedded and supports physical security level 3. The module is enclosed in a strong metal enclosure that provides tamper-evidence. Any tampering that might compromise a module’s security is detectable by visual inspection of the physical integrity of a module. The HSM SO should perform a visual inspection of the module at regular intervals. Within the metal enclosure, a hard opaque epoxy covers the circuitry of the cryptographic module. Attempts to remove this epoxy will cause sufficient damage to the cryptographic module so that it is rendered inoperable. The module’s enclosure is opaque to resist visual inspection of the device design, physical probing of the device and attempts to access sensitive data on individual components of the device.
The module supports a physical interface for the input of an external event signal. The external event signal jumper is monitored in both the powered-on state and the powered-off state. In the event of an external event signal, the module will erase the Token Module Variable Key, reset itself, clear all working memory and log the event. The module can be reset and placed back into operation when the external event signal is removed.
The module detects removal from the PCI-E slot in both the powered-on state and the powered-off state. If the card is removed from the PCI-E slot, the Token Module Variable Key (TVK) is erased and the event is logged.
The module supports an EFP mechanism that will trigger module shutdown if low or high temperature extremes and out-of-range voltage conditions are detected whilst the module is active. This is covered in more detail in section 7.3.
The following routine inspections are recommended. Table 7-1: Physical Security Inspection Guidelines Physical Security Mechanism Recommended Frequency of Inspection/Test Inspection/Test Guidance Details Physical inspection of HSM On receipt of HSM following transport; <see below>. surfaces for signs of tamper. At any point following any un-authorized access to the environment hosting the HSM; and Following any extended periods of unattended storage for the module.
Physical Security Following manufacture, both the front and rear covers of the Thales Luna K7 Cryptographic Module are permanently adhered to the PCB assembly using epoxy resin and with the lid assemblies having feet set into the epoxy. Any attempts to remove the covers will result in significant physical damage to the card rendering it unusable. Example (but not exhaustive) pictures of potential attempts to tamper a card are shown in the figure below: Figure 7-1: Example indicators of a tamper event during shipping (prizing at module corners). In the event of any observed damage, photograph the card and contact Thales to confirm whether observed anomalies are to be expected or are confirmed signs of potential tampering.
The module’s hardware is designed to sense and respond to out-of-range temperature conditions as well as out-of-range voltage conditions. The temperature and voltage conditions are only monitored in the poweredon state. In the event that the module senses an out-of-range temperature or over voltage, the module will erase the TVK, reset itself, clear all working memory and log the event. The module can be reset and placed back into operation when in-bound operating conditions have been restored The module monitors three voltage rails: 5V, 3.3V and 1.8V each of which can independently trigger an EFP event. The following table covers the limits enforced by the module: Table 7-2: EFP/EFT Specify EFP or Specify if this condition results Temperature or voltage measurement EFT in a shutdown or zeroisation Low Temperature -2ºC EFP shutdown. High Temperature +80ºC EFP shutdown. Low Voltage 5V net
The module PCB is potted using an epoxy-based compound inside the area identified as cryptographic boundary in Figure 2-1 and Figure 2-2. The potting compound is applied directly to the PCB inside a fence. Heatsinks are anchored to the potted area during the curing process. The following table lists the temperature range tested during the assessment of the module.
Physical Security Table 7-3: Hardness testing temperature ranges Hardness tested temperature measurement Low Temperature -20ºC High Temperature +80ºC NOTE Hardness temperature covered the temperature range permitted for storage of the module. The modules operational temperature range sits within these values. Further details on the operating ranges for the module for both input voltage and temperature can be found in section 13.4.
N/A: [ISO/IEC 19790:2012] Section 6.8, Non-invasive security is non-applicable as there are currently no requirement in [SP800-140F].
The following table lists Sensitive Security Parameters (SSP) used to perform approved security function supported by the cryptographic module. The following notes should be observed when reading the table: > When reading the ’zeroization’ column, the following mapping for listed overwrite methods should be used:
SSP Management Table 9-1: Summary of SSPs Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number When administrators enable Decommission, the Key Encryption Key Zeroized in [SP800-90Ar1] KEK encrypts all sensitive values and is zeroized in (KEK) AES (Cert #C1707 HSE-BBRAM in response to 256-bit. CTR_DRBG with AES- Not Input or Output. N/A. response to a decommission signal. and #C1718). plaintext decommission
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number The X.509 public key certificate corresponding to Full HSM Wipe Hardware Origin the HOK. It is signed by the Manufacturer’s KDM3 Certificate (HOC) RSA (#C1707, Integrity Key (MIK) at the time the device is Loaded at Certificate Output in Flash memory in 150-bit. #C1717, #C1718 N/A. manufactured. Used in verifying all key material 4096-bit public key manufacturing Plaintext. plaintext Erased when FM and #C1719). signed by the HOK. certificate. policy is enabled
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number The X.509 public key certificate corresponding to FM ECC Hardware the FM ECC HOK. It is signed by the ECC Origin Certificate Manufacturing Integrity Key (ECC MIK). It is used (FM ECC HOC) ECDSA (Cert [FIPS 186-4], Certificate Output in Flash memory Full HSM Wipe - for a specific PKI implementation requiring 192-bit. #C1707 and N/A. ECC public certificate Appendix B.4.1. Plaintext. plaintext KDM3 assurance that a key or a specific action originated #C1718). for public key on within the hardware crypto module. curve P-384. This key is a PSP. Power Cycle Token or Module A 2048-bit RSA private key used with the Cloning KDM1 Unwrapping Key RSA (#C1707, Protocol Version 1 supported for key import only. [FIPS 186-4], Working SDRAM in Erased on user (TUK3) 112-bit. #C1717, #C1718 Not Input or Output. N/A. It is following initial request for the key. Appendix B.3.6. plaintext zeroize request or and #C1719). 2048-bit private key. destructive policy This key is a CSP. change. The X.509 public key certificate corresponding to Token or Module Power Cycle
4096 bit private key. destructive policy
This key is a CSP. change. Token or Module Power Cycle
destructive policy certificate. change. This key is a PSP. Cloning Key Exchanged during 384-bit nonce used with the cloning protocol and Encryption Vector
384 bit nonce. further details). This key is a CSP.
256-bit AES key derived during the cloning protocol and used to transfer key objects between Cloning Transfer Key Established using AES (Cert #C1707 OneStep KDF from Working SDRAM in Zeroized following source and target partitions using the cloning 256-bit. Not Input or Output. CPV3 as covered in 256-bit AES key. and #C1718). [SP800-56Cr2]. plaintext. use
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number CPV4 Key Agreement [FIPS 186-4], Not Input or Output. Used to establish the ECDH key agreement Source Private Key KAS-ECC (Cert Appendix B.4.1. Working SDRAM in Zeroized following between HSMs. ECC private key on 256-bit. N/A. #A480). Single use ephemeral plaintext. use
This key is a CSP. BrainpoolP512r1. Derived using OneStep KDF from [SP800-56Cr2] and SHA2-512 or SHA3- This key wraps the CPV4 Session Salt sent to the CPV4 Key Transport 512 as the PRF. Not Input/output. destination HSM and used as an input to the KDF Encryption Key AES (Cert Working SDRAM in Zeroized following used to derive the CPV4 Per-Blob Encryption Key 256-bit N/A. #C1707). Inputs to the KDF Single use ephemeral plaintext use
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Derived using OneStep KDF from [SP800-56Cr2] and This key is used to MAC the encrypted object SHA2-512 or SHA3- containing the CPV4 Session Salt sent to the CPV4 Key Transport 512 as the PRF. Not Input/output. destination HSM and where the encryption MAC Key HMAC (Cert Working SDRAM in Zeroized following algorithm option used is used as an input to the 256-bit N/A. #C1707). Inputs to the KDF Single use ephemeral plaintext use
512 as the PRF. KDM1.
CPV4 Session Key Working SDRAM in Erased on user The key is used for the session lifetime (60 256-bit KDA (Cert #A480). Not Input/output. N/A. 256-bit key. Inputs to the KDF plaintext. zeroize request or minutes) for CPV4 ahead of being re-negotiated include the CPV4 Key destructive policy and replaced. Agreement Shared change. Secret alongside the This key is a CSP. Key Cloning Domain Vector (KCV). Exported as part of Salt value used as input to the KDF used to the CPV4 protocol generate the CPV4 Per-Blob Encryption Key and encrypted under the CPV4 Per-Blob MAC Key. CPV4 Transport Key Power Cycle
512. Power Cycle
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Derived using Key derived from the CPV4 session key, CPV4 OneStep KDF from Session Salt and CPV4 Per-Blob Salt and used to [SP800-56Cr2] and encrypt individual keys in transport. either SHA2-512 or CPV4 Per-Blob SHA3-512 as the Not Input/output. The derived key is unique per key transferred. Encryption Key AES (Cert PRF. Working SDRAM in Zeroized following 256-bit N/A. #C1707). Single use ephemeral plaintext. use
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number The X.509 public key certificate corresponding to Device the CITS-DAK. Signed by the HOK. Used for a Authentication Key RSA (#C1707, specific PKI implementation requiring assurance (CITS-DAC) [FIPS 186-4], Certificate Output in Working SDRAM in Full HSM Wipe 150-bit. #C1717, #C1718 N/A. that a key or a specific action originated within the Appendix B.3.6. Plaintext. plaintext KDM3 4096-bit public key and #C1719). hardware crypto module. certificate. This key is a PSP. ECC Device Authentication Key ECDSA (Cert ECC P-384 private key. (ECC DAK) [FIPS 186-4], Flash memory Full HSM Wipe 192-bit. #C1707 and Not Input or Output. N/A. Appendix B.4.1. encrypted with GSK KDM3 ECC private key on #C1718). This key is a CSP. curve P-384. ECC Device Authentication Certificate The X.509 public key certificate corresponding to ECDSA (Cert (ECC DAC) N/A
Internal state DRBG Key implementation of the NIST SP 800-90Ar1 CTR CTR_DRBG (Cert generated using Working SDRAM in Power Cycle 256-bit. Not Input or Output. N/A. (AES) DRBG. 256-bit AES key. #C1707). CTR_DRBG from plaintext KDM2 [SP800-90Ar1]. This key is a CSP. Full-entropy conditioned output Random seed data drawn from the Hardware RBG from ESV (Cert and used to seed an implementation of the NIST DRBG Seed CTR_DRBG (Cert Working SDRAM in Power Cycle 384-bit. Not Input or Output. N/A. SP 800-90Ar1 CTR (AES) DRBG.
384 bits. #C1707). #98) approved plaintext KDM2
platform noise This key is a CSP. source.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Part of the secret state of the approved DRBG. Internal state The value is generated using the methods DRBG V CTR_DRBG (Cert generated using Working SDRAM in Power Cycle 128-bit. Not Input or Output. N/A. described in [SP800-90Ar1].
128 bits. #C1707). CTR_DRBG from plaintext. KDM2
[SP800-90Ar1]. This key is a CSP. 256-bit AES key that is the same for all users on a specific Luna cryptographic module. It is used to Global Storage Key [SP800-90Ar1] encrypt permanent parameters within the nonAES (Cert #C1707 Flash memory Full HSM Wipe (GSK) 256-bit. CTR_DRBG with AES- Not Input or Output. N/A. volatile memory area reserved for use by the and #C1718). encrypted with PSK. KDM3 256-bit AES key. 256. module. This key is a CSP. For PED configurations, this is a 256-bit value, the first 32-bytes of which are used as an AES KW 256bit key that is used to wrap/unwrap the SALK when it is exported / imported from / to the module. [SP800-90Ar1] It is either generated by the module or imprinted 256-bit. CTR_DRBG with AES- onto the module at the time audit user role is Role Domain Key
256 for PED Input / Output via initialized. The 48-byte random value is output
(RDK) Flash Memory Factory Reset Or KDA (Cert #A480). configuration. direct connection to N/A. from the original module onto an iKey to enable encrypted with USK. KDM1 PED. initializing the Auditor role on additional modules 256-bit key.
32 to 2040-bit. N/A for Password into the same domain.
configuration. For password configurations, this value is an 8 -
during configuration of the secure audit capability. This key is a CSP. A 256-bit key used to verify data integrity and Secure Audit Logging Input / Output Flash memory in [SP800-90Ar1] authentication of the log messages. Saved in the Key (SALK) HMAC (Cert encrypted under the plaintext, Factory Reset 256-bit. CTR_DRBG with AES- N/A. parameter area of Flash memory. #C1718). RDK and using AES- Flash memory KDM1 256-bit HMAC key. 256.
This key is a CSP. A 256-bit key used to create an HMAC of the AccessID to be used in the Secure Audit logs, to Secure Audit [SP800-90Ar1] prevent against the theft of the actual AccessID. A AccessID-HMAC Key HMAC (Cert Working SDRAM in Power Cycle 256-bit. CTR_DRBG with AES- Not Input or Output. N/A. new key will be generated at every module power#C1718). plaintext. KDM2 256-bit HMAC key. 256. on or firmware reset. This key is a CSP.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number User Password (if Input from host PED configuration using ICD A salted hash of the User provided password input by the operator as a and optionally communication path PBKDF (Cert password stored in Partition deletion second factor of authentication data. selected) 32 to 256-bit. N/A. and encrypted under N/A. #A480). Flash memory - KDM1 the PEC and using
8 - 255 character encrypted with PSK. This key is a CSP.
KTS-OAEP-basic from data string. [SP800-56Br2]. A 256-bit key generated by the Thales Luna client and submitted to the HSM for use to wrap the AccessID Encryption HSM generated AEK for export to the Thales Luna Key
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Input / Output via PED Authentication direct connection to A 256-bit random value that is generated by the Data (if PED PED. [SP800-90Ar1] Working SDRAM in module when a role is created and is written out configuration) KBKDF (Cert All messages sent to 256-bit. CTR_DRBG with AES- N/A. plaintext (during N/A to the iKey connected to the Thales Luna PED. #A480). the local PED are 48-byte random 256. generation). encrypted using HSM value. This key is a CSP. CSP Wrapping Key and AES KWP. Password Input from host (Authentication Data using ICD User provided password input by the operator as if Password communication path Working SDRAM in PBKDF (Cert authentication data. configuration) 32 to 2040-bit. N/A. and encrypted under N/A. plaintext (during N/A #A480). the PEC and using generation).
8 - 255 character This key is a CSP.
KTS-OAEP-basic from data string. [SP800-56Br2]. This key is used to encrypt all sensitive attributes Flash memory User Storage Key of all private objects owned by users of a partition [SP800-90Ar1] encrypted with (USK) AES (Cert #C1707 Partition deletion (e.g. HSM SO, Administration, Partition Crypto 256-bit. CTR_DRBG with AES- Not Input or Output. N/A. User’s and #C1718). - KDM1 Officer). 256-bit AES key. 256. Authentication Data and KEK. This key is a CSP. [SP800-90Ar1] This key is unique per-partition and used to Partition Storage Key CTR_DRBG with AES- encrypt all SSP that are shared by all roles of a (PSK) AES (Cert #C1707 Flash memory Partition deletion 256-bit. 256. Not Input or Output. N/A. given partition. and #C1718). encrypted with USK. - KDM1 256-bit AES key. This key is a CSP. [SP800-90Ar1] A randomly generated 256-bit secret used as the SKS Master Key CTR_DRBG with AES- master key for deriving all SKS key blob encryption (SMK) AES (Cert #C1707 Input/Output using Flash memory Zeroized via ICD 256-bit. 256. N/A. keys. and #C1718). CPV3 or CPV4. encrypted with USK. command - KDM1 256-bit AES key. This key is a CSP. HA Login Public Key A 4096-bit RSA public key used for the HA Login KAS1-basic (Cert [FIPS 186-4], (HA PUB) Certificate Output in Flash memory in Zeroized via ICD protocol. 150-bit. #A478, #A479, Appendix N/A. Plaintext. plaintext. command - KDM1 4096-bit public key. #A480, #A481). B.4.1. This key is a PSP. HA Login Private Key A 4096-bit RSA private key used for the HA Login [FIPS 186-4], (HA PK) KAS1-basic (Cert Flash memory Zeroized via ICD protocol. 150-bit. Appendix Not Input or Output. N/A. #C1707). encrypted with USK. command - KDM1 4096-bit private key. B.3.6. This key is a CSP.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Output encrypted HA Login using AES-256 in Zeroized via ICD A 256-bit encryption key used with AES to encrypt Authentication Data [SP800-90Ar1] KWP mode and using command - KDM1 authentication data for export to the primary HA Encryption Key PIN AES (Cert #C1707 Working SDRAM in 256-bit. CTR_DRBG with AES- a shared secret from N/A. Login instance. (RND) and #C1718). plaintext. 256. output of [SP800- Session closure 256-bit AES key. 56Br2], KAS1-basic KDM1 This key is a CSP. exchange. HA Login Ephemeral Zeroized via ICD A 256-bit encryption key used with AES to encrypt Wrapping Key [SP800-90Ar1] command - KDM1 authentication data for re-import from the primary AES (Cert #C1707 Output encrypted Working SDRAM in (KSESS) 256-bit. CTR_DRBG with AES- N/A. HA Login instance. and #C1718). with peer TWC. plaintext 256. Session closure 256-bits AES key. KDM1 This key is a CSP. Value that controls a partition’s ability to participate in the cloning protocol. In the case of PED configurations, it is generated by the module or imprinted onto the module at partition initialization time. [SP800-90Ar1] Key Cloning Domain CTR_DRBG with AESInput / Output via For password configurations, this 8 - 255 character Vector (KCV) 256. Flash Memory Partition deletion
32 to 2040-bit. KDA (Cert #A480). direct connection to N/A. data string is supplied by the user during partition
encrypted with PSK - KDM1 256-bit key. Thales PED. initialization. N/A for Password configuration. For PED configurations, the 48-byte random value is output from the original partition in the domain to a PED key to enable initializing additional modules into the domain. This key is a CSP. Zeroized via ICD A randomly generated 256-bit key, which must be Remote PED Vector command - KDM1 shared between a remote PED and a cryptographic (RPV) (if PED [SP800-90Ar1] Output via direct Flash memory module in order to establish a secure configuration) 256-bit. KDA (Cert #A480). CTR_DRBG with AES- connection to a Luna N/A. Erased on user encrypted with GSK communication channel between them. 256. PED. zeroize request or 256-bit key. destructive policy This key is a CSP. change. Power Cycle PED Authentication An ECC public key certificate used to verify KDM1 Certificate (PAC) ECDSA (Cert Output via direct certificates for local or remote connection with a [FIPS 186-4], Working SDRAM in Erased on user 256-bit. #C1707 and connection to a Luna N/A. Luna PED. ECC public key on Appendix B.4.1. plaintext zeroize request or #C1718). PED. curve P-521. destructive policy This key is a PSP. change.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Power Cycle PED Authentication An ECC private key used to sign certificates used KDM1 Key (PAK) ECDSA (Cert for local or remote connection with the Thales [FIPS 186-4], Working SDRAM in Erased on user 256-bit. #C1707 and Not Input or Output. N/A. Luna PED. ECC private key on Appendix B.4.1. plaintext zeroize request or #C1718). curve P-521. destructive policy This key is a CSP. change. HSM Static Key- Used by the Thales Luna PED to authenticate the Agreement Power Cycle local HSM to connect to and to extract the HSM’s Certificate for Local KDM1 Output via direct static ECC public key for C(1e,1s, ECC CDH) keyConnections (HSM- KAS-ECC (Cert [FIPS 186-4], Working SDRAM in Erased on user 256-bit. connection to a Luna N/A. agreement for local connection with a Thales Luna SKA-CLOCAL) #A480). Appendix B.4.1. plaintext zeroize request or PED. PED. destructive policy ECC public key on change. curve P-521. This key is a PSP. HSM Static KeyAgreement Private Power Cycle Used by the HSM as the static private key for Key for Local KDM1 C(1e,1s, ECC CDH) key-agreement agreement for Connections (HSM- KAS-ECC (Cert [FIPS 186-4], Working SDRAM in Erased on user 256-bit. Not Input or Output. N/A. local connection with a Thales Luna PED. SKA-KLOCAL) #A480). Appendix B.4.1. plaintext zeroize request or destructive policy ECC private key on This key is a CSP. change. curve P-521. Used by the Thales Luna PED to authenticate the HSM Static Key- Power Cycle - remote HSM to connect to and to extract the Agreement KDM1 HSM’s static ECC public key for: Certificate for Output via direct Remote Connections KAS-ECC (Cert [FIPS 186-4], Working SDRAM in Erased on user
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number HSM Ephemeral Key- Used by the Thales Luna PED to authenticate the Agreement remote HSM to connect to and to extract the Certificate (HSM- Output via direct HSM’s ephemeral public key for C(2e,2s, ECC CDH) KAS-ECC (Cert [FIPS 186-4], Working SDRAM in KDM1 - following EKA-C) 256-bit. connection to a Luna N/A. key-agreement agreement for remote connection #A480). Appendix B.4.1. plaintext use. PED. with a Thales Luna PED. ECC public key on curve P-521. This key is a PSP. Used by the Thales Luna PED to authenticate the HSM Ephemeral Key- remote HSM and to extract the HSM’s ephemeral Agreement Private public key for C(2e,2s, ECC CDH) key-agreement Key (HSM-EKA-K) KAS-ECC (Cert [FIPS 186-4], Working SDRAM in KDM1 - following 256-bit. Not Input or Output N/A. agreement for remote connection with a Thales #A480). Appendix B.4.1. plaintext use. ECC private key on Luna PED. curve P-521. This key is a CSP. Power Cycle KDM2 or KDM1 in response to erase Remote PED Vector request via ICD An ECC public key certificate used by the HSM Certificate (RPV-C) ECDSA (Cert Output via direct [FIPS 186-4], Working SDRAM in command. device to verify PED-SKA-C, PED-EKA-C. 256-bit. #C1707 and connection to a Luna N/A. ECC public key on Appendix B.4.1. plaintext #C1718). PED. curve P-521. Erased on user This key is a PSP. zeroize request or destructive policy change. Power Cycle KDM2 or KDM1 in response to erase Remote PED Vector request via ICD An ECC private key used by the HSM to sign PEDPrivate Key (RPV-K) ECDSA (Cert Output via direct [FIPS 186-4], Working SDRAM in command. SKA-C, and by the Luna PED to sign PED-EKA-C. 256-bit. #C1707 and connection to a Luna N/A. ECC private key on Appendix B.4.1. plaintext #C1718). PED. curve P-521. Erased on user This key is a CSP. zeroize request or destructive policy change.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Power Cycle KDM2 or KDM1 in PED Static Key- response to erase Agreement Used by the HSM to authenticate and extract the request via ICD Certificate for Luna PED’s ECC ephemeral public key for C(2e,2s, Output via direct command. Remote Connections KAS-ECC (Cert [FIPS 186-4], Working SDRAM in ECC CDH) or C(1e,1s ECC CDH) key-agreement. 256-bit. connection to a Luna N/A. (PED-SKA-C) #A480). Appendix B.4.1. plaintext PED. Uniquely generated for each use. Erased on user ECC public key on zeroize request or curve P-521. This key is a PSP. destructive policy change. Power Cycle KDM2 or KDM1 in Used by the Thales Luna PED for Remote PED Static Key- response to erase connections. Act as An ECC static private key for Agreement Private request via ICD C(2e,2s, ECC CDH) key-agreement. Key Output via direct KAS-ECC (Cert [FIPS 186-4], Working SDRAM in command. 256-bit. connection to a Luna N/A. (PED-SKA-K) #A480). Appendix B.4.1. plaintext Key is not used by the HSM as a SP but is PED. Erased on user generated by it for use by the Luna PED. ECC private key on zeroize request or curve P-521. destructive policy This key is a CSP. change. Intermediate key value used during setup of the Local and Remote PED channel. OneStep KDF PED Master Shared Key is the output of the ECDH function and used to from [SP800Secret KAS-ECC (Cert Working SRAM in Zeroized following generate HSM and PED CSP Wrapping Key, MAC 256-bit. 56Cr2] and using N/A. N/A. #A480). plaintext. use
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number PED Channel Termination PED CSP Wrapping OneStep KDF from [SP800-56Ar3] KDM1 Derived during Local and Remote PED Channel for Key (CWKPED) AES (Cert #C1707 [SP800-56Cr2] and fullUnified with full Working SDRAM in wrapping exchanged SSPs. 256-bit. Not Input or Output. and #C1718). using SHA2-512 as key validation and plaintext Erased on user 256-bit AES key. hash. key-pair generation. zeroize request or This key is a CSP. destructive policy change. PED Channel Termination HSM Data Encryption OneStep KDF from [SP800-56Ar3] KDM1 Derived during Remote PED Channel for encrypting Key (DEKHSM) AES (Cert #C1707 [SP800-56Cr2] and fullUnified with full Working SDRAM in communication messages (from HSM-to-PED). 256-bit. Not Input or Output. and #C1718). using SHA2-512 as key validation and plaintext Erased on user 256-bit AES key. hash. key-pair generation. zeroize request or This key is a CSP. destructive policy change. PED Channel Termination Derived during Remote PED Channel for message HSM MAC Key OneStep KDF from [SP800-56Ar3] KDM1 authentication of communication messages (from (DMKHSM) [SP800-56Cr2] and fullUnified with full Working SDRAM in 256-bit. HMAC (#C1707). Not Input or Output. HSM-to-PED). using SHA2-512 as key validation and plaintext Erased on user 256-bit HMAC key. hash. key-pair generation. zeroize request or This key is a CSP. destructive policy change. OneStep KDF from PED Channel [SP800-56Cr2] and Termination Derived during Remote PED Channel as the HSM Initialization using SHA2-512 as [SP800-56Ar3] KDM1 initialization vector for encrypting communication Vector (IVHSM) AES (Cert #C1707 hash. fullUnified with full Working SDRAM in 256-bit. Not Input or Output. messages (from HSM-to-PED). and #C1718). key validation and plaintext Erased on user 256-bit IV. key-pair generation. zeroize request or This key is a CSP. destructive policy change. OneStep KDF from PED Channel [SP800-56Cr2] and Termination PED Data Encryption using SHA2-512 as [SP800-56Ar3] KDM1 Derived during Remote PED Channel for encrypting Key (DEKPED) AES (Cert #C1707 hash. fullUnified with full Working SDRAM in communication messages (from PED-to-HSM). 256-bit. Not Input or Output. and #C1718). key validation and plaintext. Erased on user 256-bit AES key. key-pair generation. zeroize request or This key is a CSP. destructive policy change.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number PED Channel Termination Derived during Remote PED Channel for message PED MAC Key OneStep KDF from [SP800-56Ar3] KDM1 authentication of communication messages (from (DMKPED) [SP800-56Cr2] and fullUnified with full Working SRAM in 256-bit. HMAC (#C1707). Not Input or Output. PED-to-HSM). using SHA2-512 as key validation and plaintext. Erased on user 256-bit HMAC key. hash. key-pair generation. zeroize request or This key is a CSP. destructive policy change. PED Channel Termination Derived during Remote PED Channel as the PED Initialization OneStep KDF from [SP800-56Ar3] KDM1 initialization vector for encrypting communication Vector (IVPED) AES (Cert #C1707 [SP800-56Cr2] and fullUnified with full Working RAM in 256-bit. Not Input or Output. messages (from PED-to-HSM). and #C1718). using SHA2-512 as key validation and plaintext. Erased on user 256-bit IV. hash. key-pair generation. zeroize request or This key is a CSP. destructive policy change. Power Cycle KDM1 A 4096-bit RSA private key used to decrypt user Password Encryption RSA (#C1707, [FIPS 186-4], passwords that are provided to the module. It is Key (PEK) Working RAM in 150-bit. #C1717, #C1718 Appendix Not Input or Output. N/A. Erased on user generated the first time it is required. plaintext.
4096 bit private key and #C1719). B.3.6. zeroize request or
destructive policy This key is a CSP. change. Power Cycle Password Encryption The X.509 public key certificate corresponding to KDM1 Certificate (PEC) RSA (#C1707, [FIPS 186-4], the PEK. It is created and signed by the HOK the Certificate Output in Working RAM in 150-bit. #C1717, #C1718 Appendix N/A. first it is required. 4096-bit public key Plaintext. plaintext. Zeroized via ICD and #C1719). B.3.6. certificate command - This key is a PSP. KDM1. Power Cycle Flash memory KDM1 FM SMFS Encryption This key is used to encrypt data submitted by an [SP800-90Ar1] encrypted with PSK Key (SMFSKENC) AES (Cert FM to the SMFS for storage. 256-bit. CTR_DRBG with AES- Not Input or Output N/A. or TVK (when SMFS #C1707). Zeroized via ICD 256-bit AES key. 256. auto-activation command. - This key is a CSP. enabled). KDM1. Power Cycle Flash memory KDM1 FM SMFS MAC Key This key is used to generate MAC over data [SP800-90Ar1] encrypted with PSK (SMFSKINT) submitted by an FM to the SMFS for storage. 256-bit. HMAC (#C1707). CTR_DRBG with AES- Not Input or Output N/A. or TVK (when SMFS Zeroized via ICD 256-bit AES key. 256. auto-activation command. - This key is a CSP. enabled). KDM1.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Partition STC Static Public ID Key A 521-bit ECC public key used as the partition’s (STC-PIDPUB) KAS-ECC (Cert [FIPS 186-4], Certificate Output in Flash memory in Zeroized via ICD static ID in the STC protocol. 256-bit. N/A. #A480). Appendix B.4.1. Plaintext. plaintext command - KDM1 ECC public key on This key is a PSP. curve P-521. Partition STC Static Private ID Key A 521-bit ECC private key used as the partition’s (STC-PIDPRIV ) KAS-ECC (Cert [FIPS 186-4], Flash memory Zeroized via ICD static ID in the STC protocol. 256-bit. Not Input or Output. N/A. #A480). Appendix B.4.1. encrypted with GSK command - KDM1 ECC private key on This key is a CSP. curve P-521. Partition STC Zeroized via ICD Ephemeral Public Key A 521-bit ECC public key used as the partition’s command - KDM1 (STC-PKA PUB) KAS-ECC (Cert [FIPS 186-4], Certificate Output in Working RAM in ephemeral key in the STC protocol. 256-bit. N/A. #A480). Appendix B.4.1. Plaintext. plaintext ECC public key on Session closure This key is a PSP. curve P-521. KDM1 Partition STC Ephemeral Private Zeroized via ICD A 521-bit ECC private key used as the partition’s Key command - KDM1 KAS-ECC (Cert [FIPS 186-4], Working RAM in ephemeral key in the STC protocol. (STC-PKA PRIV ) 256-bit. Not Input or Output. N/A. #A480). Appendix B.4.1. plaintext Session closure ECC private key on This key is a CSP. KDM1 curve P-521. Client STC Static Public ID Key A 521-bit ECC public key used as the client’s static (STC-CIDPUB) KAS-ECC (Cert Flash memory in Zeroized via ICD ID in the STC protocol. 256-bit. N/A (user imported) Input in Plaintext. N/A. #A480). plaintext command - KDM1 ECC public key on This key is a PSP. curve P-521. Client STC Ephemeral Zeroized via ICD Public Key A 521-bit ECC public key used as the client’s command - KDM1 (STC-CKA PUB) KAS-ECC (Cert Working RAM in ephemeral key in the STC protocol. 256-bit. N/A (user imported) Input in Plaintext. N/A. #A480). plaintext ECC public key on Session closure
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Partition STC Session These keys are agreed upon with a client AES (Cert #C1707 Zeroized via ICD Encryption and OneStep KDF from [SP800-56Ar3] application for the purpose of encrypting and and #C1718). command - KDM1 Authentication Keys [SP800-56Cr2] and fullUnified with full Working RAM in generate MAC for message exchanges during an 256-bit Not Input or Output. (STC-PEN, STC-PMA, using SHA2-512 as key validation and plaintext STC session. HMAC (Cert Session closure STC-PIV, STC-CEN, hash. key pair generation. #C1707). KDM1 STC-CMA, STC-CIV). This key is a CSP. Input or output encrypted RSA (#C1707, using Symmetric #C1717, #C1718 Keys (general and #C1719). partition or session
keys) using key for ECC keys ECDSA (Cert wrap/unwrap ICD depending on #C1707 and commands using key the curve. #C1718). N/A (user imported) wrap/unwrap ICD commands and
DSA (Cert #C1707 Or [SP800-38F] for DSA keys and #C1718). encryption options. General use asymmetric key depending on [FIPS 186-4], pairs that can be modulus size. Zeroized via ICD Asymmetric Key Pairs KAS-ECC-SSC Appendix B.4.1.
112 to 201-bits N/A.
session keys) #A480). Keys (general encrypted with USK. for RSA keys Session closure
KAS-RSA (Certs keys. algorithms as for DH keys #A478 and permitted by [FIPS depending on #A480). 140-3 IG] D.G, Key modulus transport methods. length. KTS-RSA (Certs #A478 and When transferred #A480). between partitions using SKS, encrypted under the SMK.
SSP Management Key / SSP Name / Security Function Strength Generation Import/ Export Establishment Storage Zeroisation Use and Related Keys Type and Cert Number Input or output encrypted using Symmetric Keys (general partition or session keys) using key wrap/unwrap ICD commands and [SP800-38F] encryption options. AES (Cert #C1707 Input or output and #C1718). encrypted using Triple-DES (Cert Asymmetric Keys #C1707). (general partition or N/A (user imported) session keys) Can be established HMAC (Cert General use symmetric key Symmetric Keys 128, 192 or using key as the output of #C1707). Zeroized via ICD pairs that can be (general partition or 256-bit for AES Or wrap/unwrap ICD supported [SP800command - KDM1 exported/imported from/to the session keys) keys. commands and KTS- 56Ar3] compliant key Flash memory CMAC (Cert module or generated by the AES or Triple-DES [SP800-90Ar1] OAEP-basic from establishment using encrypted with USK. #C1707). Session closure
The module includes a non-deterministic Random Bit Generator (RBG) within the module boundary. The non-deterministic RBG is used exclusively to feed an approved conditioning function where in-turn the output of the conditioning function is used to seed the DRBG (Cert #C1707). The Non-Deterministic RBG complies with [SP800-90B] and has been validated using with guidance set out in [FIPS 140-3 IG] . Table 9-2: Non-Deterministic Random Number Generation Specification Entropy sources Minimum number of bits Details of entropy Non-deterministic jitter Full-entropy output [SP800-90B] compliant Non-Deterministic RBG using a hardware based noise in from FRO. internal to the module boundary. Digitized output from the noise source is fed through an approved conditioning function based on SHA2-512 (Cert #C1707). Raw noise is generated based on non-deterministic jitter built up in freerunning oscillators. The module achieves full entropy from the output of the conditioning function where every 384-bits used to seed the DRBG includes 384-bits of entropy. All outputs from the noise source are subjected to statistical testing ahead of being fed to the conditioning function. The output of the hardware noise source includes a total failure test to check for bit-patterns consistent with hardware failures.
Depending on the configuration of the module, the following methods of key import and export for ‘Asymmetric Key Pairs (general partition keys)’ and ‘Symmetric Keys (general partition keys)’ are available as a service: > Key Wrap / Unwrap using Cloning Protocol Version 4 (CPV4) CPV4 uses the following cryptography:
SSP Management > Key Wrap / Unwrap using Cloning Protocol Version 3 (CPV3) Cloning is a product feature where KAS1-basic from [SP800-56Br2] is used to negotiate a shared secret used to transfer partition objects between a source and destination partition and where these can be on the same or different cryptographic module. The protocol uses the following options with KAS1-basic:
SSP Management public/private key pair and where the resulting encrypt operation is not considered part of a key transport scheme as defined in [FIPS 140-3 IG], D.G.
The module performs the pre-operational self-tests upon power-up to confirm the firmware integrity, and to check the continued correct operation of the random number generator and each of the implemented cryptographic algorithms used in support of the integrity checks. While the module is running these self-tests, all interfaces are disabled until the successful completion of the self-tests. If any test fails an error message is output alongside being recorded in the error log, the module halts, and data output is inhibited. Table 10-1: Pre-operational self-tests Test Operations Performed Indicator SHA (SHA-1 and SHA2-384) KAT. Digest. Error output and module halt. RSA (4096-bit modulus) KAT. Sign and Verify. Error output and module halt. Boot loader performs an RSA PKCS #1-v1.5 signature with Verify and Digest. Error output and module halt. 4096-bit modulus and SHA2-384 signature verification of itself. Boot loader performs an RSA PKCS #1-v1.5 signature with Verify and Digest. Error output and module halt. 4096-bit modulus and SHA2-384 signature verification of the main firmware image. NOTE Signature verification pre-operational self-tests will always be preceded by the Conditional KAT on the bootloader implementations of RSA supporting a single mode of operation. Transition from an approved to non-approved mode of operation automatically triggers the HSM zeroize or decommission module service.
The module automatically performs conditional self-tests based on the module operation. These self-tests do not require operator input to initiate. NOTE When conditional tests are run as part of the pre-operational self-test, the HSM will test all possible implementations of a given algorithm independent of the HSM level configuration and settings. During PST, the module will exclusively test the implementation of a given algorithm in use for a given configuration and settings of the HSM at the time of a given conditional test executing, Implemented conditional tests are in one of the following forms: > Known Answer Test (KAT); > Pair-wise Consistency Test (PCT); > Statistical testing; or > Hardware failure testing.
Self-Tests All KAT alongside statistical testing of the noise source is performed immediately following the preoperational self-test at module power-on.
Self-Tests Table 10-2: Conditional self-tests (Firmware) Test Cryptographic Mechanism Tested Location When Performed Operations Performed Indicator SHA KAT. Pre-operational: SHA-1 and SHA2-384. Bootloader. Prior to first use. Digest. Error output and module halt. PST: N/A. RSA KAT. Pre-operational: RSA PKCS #1-v1.5, modulus Bootloader. Prior to first use. Sign and Verify. Error output and module halt. 4096, SHA2-384. PST: N/A. HRBG conditional tests. Continuous Test: Total failure test on the output Firmware. Continuous. N/A. Error output and module halt. from the hardware noise source, Repetition Count Test and Adaptive Proportion Test statistical tests. Firmware Load Test Continuous Test: RSA PKCS #1-v1.5, modulus Firmware On firmware update Verify. Error output and FW update request
4096 signature and SHA2-384. request. rejected.
RSA PCT. Performed for all RSA key generation mechanism. Firmware. On generation. Encrypt, Decrypt, Sign and Verify. Error output and module halt. DSA PCT. Performed for all DSA key generation mechanism. Firmware. On generation. Sign and Verify. Error output and module halt. ECC PCT (covers keys used Performed for all ECC key generation mechanism. Firmware. On generation. Sign, Verify and Derive. Error output and module halt. for ECDSA and ECDH). DRBG KAT. Pre-operational: Instantiate, Generate and Firmware. Prior to first use, PST. N/A. Error output and module halt. Reseed KAT for CTR_DRBG with AES-256. PST: <as per pre-operational self-test.> SHA KAT. Pre-operational: SHA1, SHA2-224, SHA2-256, Firmware. Prior to first use, PST. Digest. Error output and module halt. SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3384, SHA3-512, SHAKE-128, SHAKE-256. PST: hash are tested based on inclusion in the KAT for higher-order algorithms.
Self-Tests Test Cryptographic Mechanism Tested Location When Performed Operations Performed Indicator HMAC KAT (General). Pre-operational: HMAC-SHA1, HMAC-SHA2-224, Firmware. Prior to first use, PST. Digest. Error output and module halt. HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2512, HMAC-SHA3-224, HMAC-SHA3-256, HMACSHA3-384, HMAC-SHA3-512. PST: HMAC-SHA1, HMAC-SHA2-224, HMAC-SHA2384, SHA3-256. HMAC KAT (Secure log Pre-operational: HMAC-SHA2-256. Firmware Prior to first use, PST. Digest. Error output and module halt. implementation). PST: HMAC-SHA2-256. RSA KAT 47. Pre-operational: Signature Generation, Sig Firmware. Prior to first use, PST. Sign, Verify, Encrypt and Decrypt. Error output and module halt. Verification for RSA X9.31 with SHA2-256, RSA PKCS #1-v1.5 with SHA2-256, RSA PKCS #1-v1.5 (no hash), RSA PKCS #1-v1.5 PSS with SHA2-256 and SHA2-256 for MGF, [SP800-56Br2] RSA-OAEPbasic with 2048-bit modulus and SHA1, SHA2-256 and SHA2-384, SHA2-512 as MGF. PST: Signature Generation, Signature Verification for: PKCS-PSS with modulus of 8192-bits and SHA2-256, PKCS-PSS with modulus of 2048-bit and SHA2-256, RSA-OAEP-basic with 2048-bit modulus and SHA2-256 as MGF. DSA KAT 48 Pre-operational: Signature Generation, Signature Firmware. Prior to first use, PST. Sign and Verify. Error output and module halt. Verification for 2048-bit modulus with SHA2-224. Signature Verification with 1024-bit modulus and SHA-1. PST: Signature Generation, Signature Verification for 2048-bit modulus with SHA2-224. Diffie-Hellman KAT. Pre-operational: X9.42 Diffie-Hellman [SP800- Firmware. Prior to first use, PST. Derive. Error output and module halt. 56Ar3] key derive with 2048-bit modulus. PST: <as per pre-operational self-test.>
47 random values used during the KAT operation of the PKCS-PSS are fixed as per [FIPS 140-3 IG], 10.3.A with both signature generation and signature verification
48 random values used during the KAT operation are fixed as per [FIPS 140-3 IG], 10.3.A with both signature generation and signature verification operations tested
Self-Tests Test Cryptographic Mechanism Tested Location When Performed Operations Performed Indicator AES KAT. Pre-operational: ECB, CBC, OFB, CFB128, CFB8, Firmware. Prior to first use, PST. Encrypt and Decrypt. Error output and module halt. KW, KWP, GCM, XTS and CMAC covering 128bit,192-bit and 256-bit keys as supported by the different modes. PST: CBC, GCM, KWP (data object <=2KB), KWP (data object >2KB)
49 random values used during the KAT operation are fixed as per [FIPS 140-3 IG], 10.3.A with both signature generation and signature verification operations tested
Self-Tests Test Cryptographic Mechanism Tested Location When Performed Operations Performed Indicator KDF KAT. Pre-operational: OneStep KDF [SP800-56Cr2] Firmware. Prior to first use, PST. Derive. Error output and module halt. with SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3512. X9.42/X9.63 KDF using SHA1. PST: OneStep KDF [SP800-56Cr2] with SHA2-512. X9.42/X9.63 KDF using SHA1. KAS1-basic KAT. Pre-operational: KAS1-basic [SP800-56Br2] with Firmware. Prior to first use, PST. Encrypt and Decrypt. Error output and module halt. 4096-bit modulus. PST: <as per pre-operational self-test.> PBKDF KAT. Pre-Operational PBKDF [SP800-132] using HMAC- Firmware. Prior to first use, PST. Derive. Error output and module halt. SHA1, HMAC-SHA2-224, HMAC-SHA2-256, HMACSHA2-384, HMAC-SHA2-512. PST: PBKDF [SP800-132] using HMAC-SHA2-512.
The module will perform periodic self-tests (PST) at set intervals of time for the pre-operational tests and a subset of the KAT tests. These tests will be performed every 24 hours at which point the PSTs will be implemented as a single asynchronous command with multiple steps that make up all PSTs that must be executed. The command will be added to the HSM’s command scheduler run queue, alongside any other commands that have been sent to the HSM. Each time the PST command is given time to execute, it will perform a single step and then return priority to other commands in the queue. Each step will be consistent in size with other cryptographic commands so as not to impact overall performance of the HSM. Conditional tests performed periodically are identified in Table 10-2 above as tests with ‘PST’ in the ‘When Performed’ column.
Thales Luna K7 Cryptographic Module should be deployed in a secure environment that will protect the module from sophisticated attackers with direct access. This is standard practice for high-value assets such as HSMs and forms part of a defense-in-depth approach to security. Securing the environment of the HSM typically will include a combination of both: > securing its location using physical defenses; and > procedures for monitoring and managing authorized access to the HSM. The exact measures put in place will vary and should be commensurate with the potential consequences or costs associated with the complete compromise of the HSM and cryptographic keys (or data objects) it protects. Common components of a physical security solution often include: > dedicated areas (e.g. locked cage or cabinet) for the HSM as part of a general IT environment; > monitored and audited physical access controls on IT environments hosting the HSM; > hardened locks, doors and walls to increase the effort required to force access to the HSM; > out-of-hours alarm systems on areas containing the HSM; > 24hr/365day on-site or remote guard service that will respond to alarms; and > CCTV monitoring of areas containing the HSM to allow detection of activity in proximity to the HSM.
Ahead of using the module it must be initialized, after which it should be immediately configured into its approved mode of operation. Prior to secure initialization of the module, access control relies on procedural controls only and where the module should be received in the zeroised state with no initialized roles. NOTE The module shall be received in a zeroised state. To check the status of the module use the hsm showinfo LunaCM command as described in section 11.12, ‘Checking Module Status’. The module is confirmed as being in the zeroised state is the partition status for the administration slot reports zeroized. Initialized creates the HSM SO role, names the module and associates the admin partition with a key cloning domain. Initialization is performed using the hsm init command from LunaCM for Thales Luna PCIe HSM or LunaSH for Thales Luna Network HSM. It should be noted that the hsm init command should only be run when an individual has been assigned to the HSM SO role and usually is run either by them or with them present. Following initialization of the module, it should immediately be configured into its approved mode of operation ahead of initialization of any further roles or creation of any stored key objects. Guidance on configuring the approved mode of operation is provided in section 13.2.
Life-cycle Assurance NOTE As part of initialization when using PED based authentication, the end-user is asked if they wish to duplicate your iKey. It is strongly recommended that you do this and for duplicate keys to be retained in secure storage for backup purposes. It is not possible to copy iKey at a later point.
Security of the overall system including the HSM is only as strong as its weakest component. As such
The HSM maintains a host accessible log of events in PCIe accessible FRAM memory. This allows the log on the Thales Luna K7 Cryptographic Module to be read by the host driver even if the bootloader or firmware has failed during power-on leaving the card in an un-responsive state. > The FRAM log can viewed using the lunadiag tool installed with the Thales Luna client:
In order to maintain the separation of user roles throughout the life of the HSM deployment and to avoid compromise of a role, end users MUST:
Life-cycle Assurance > securely store authentication iKeys (where used) at all times; > avoid (where used) storing corresponding PIN alongside authentication iKeys; > never lend iKeys and/or disclose challenge-secret, PIN or passwords to anyone including other authorized end users of the HSM; > always inspect authentication iKey (where used) prior to use to check for any signs of possible tamper; and > avoid writing down challenge-secrets, PIN or passwords in plaintext form and/or ensure any printed or written copies of passwords are either separately encrypted or stored in a secure container only accessible to the owner of the password or challenge-secret. Should the end user fail to comply with these requirements this could lead to subsequent compromise or malicious misuse of the HSM and its cryptographic keys. CAUTION! Should the end user fail to comply with these requirements this could lead to subsequent compromise or malicious misuse of the HSM and its cryptographic keys. CAUTION! In order to securely use the Thales Luna PED in its remote configuration, it is important to check and acknowledge the serial number of the target HSM during setup of the Remote PED tunnel. If the displayed serial number does not match the expected target HSM serial number the user must reject the displayed serial number at the PED, which will halt channel setup.
Should an end user lose iKey or believe their iKey to have been compromised it is imperative for the security of the HSM deployment that immediate action is taken to: 1. minimize the chances of subsequent misuse of the lost or compromised iKey; and 2. check for evidence of misuse of the iKey to allow for wider compromise recovery actions to be considered. Following identification of a lost or compromised iKey, the following actions should be taken: > If a backup token was made and it includes a corresponding PIN, duplicate the iKey to allow re-issue (while retaining a backup) but ensure the PIN is changed on all residual copies of the duplicated iKey prior to re-deployment of the iKey. > If the iKey was originally issued with no PIN, the iKey should be considered compromised and will need to be recreated:
Life-cycle Assurance − If the AU token is lost, a copy of the Audit Logging Secret should be made and transferred to an iKey. − For the loss of an HSM SO token, LunaSH or LunaCM commands hsm factoryReset followed by hsm init should be run to re-create the iKey. This will result in a loss of all unbacked up objects on the HSM.
Should a role believe their PIN or password to have been compromised (where used) but access to the corresponding token or to the HSM was not possible, the following action should be taken: > the PIN or password should be changed using:
The KCV is used to register an HSM with a domain allowing it to transfer keys with other modules. Loss of a domain key should be considered a security event. Backups of the KCV or print-outs (optional) of the HSM-or-Partition domain secret should be retained. If this has not been performed, it is not possible to recreate or replace the domain secret. In order to recover from complete loss of a domain secret, the objects in the HSM (where configuration permits) need to be exported and re-imported into an HSM registered with a new domain.
When a Remote PED iKey is considered to be compromised, a new iKey should be generated and distributed to all remote PED on the Orange iKey. In order to create a new Remote PED iKey: > Thales Luna PCIe HSM:
Life-cycle Assurance
When an individual no longer has the requirement to hold the authorized role associated with the HSM, a hand-over of iKeys and corresponding PIN or password should be arranged. When a token has been lost for a role to be revoked, guidance on recovering from a lost end user authentication iKey in section 11.6 should be followed.
Keys can be deleted from a partition in one of a number of ways: > decommissioning the module as covered in section 11.10; > deleting the partition using the partition delete LunaCM command as the HSM SO; > calling in the C_DestroyObject Cryptoki API command that lets a Partition CO delete any partition object owned by them; > zeroization in response to authentication failure events (e.g. the HSM SO exceeding failed login threshold for the HSM zeroizes the entire HSM; the Partition SO exceeding failed login threshold for a user partition will zeroize the partition); and > the entire module flash is erased using the bootloader terase and tplease commands. This erases the firmware (excluding bootloader) and all keys on the module. NOTE Use of the terase and tplease bootloader commands to perform a complete erase of all Flash based storage is not intended to be performed by customers and is included here for completeness only. The Flash contains keys created during manufacture that cannot be replaced without repeating the full manufacturing process for the card. Following erase of the flash, only signed firmware in a format not made publicly available can be loaded onto the module.
Decommissioning is the process of removing all sensitive information from the cryptographic module and/or the appliance hosting it. The following sections cover the steps required in order to decommission.
The Thales Luna PCIe HSM is equipped with a two-pin decommission input, as covered in section 3.1. Short-circuiting the decommission jumper header decommissions the HSM. You can use the blade of a screwdriver, or other electrical conducting tool to short-circuit the two pins of the decommission header, or you can connect a switch to the decommission header if desired. Power is not required to decommission the HSM. That is, you can decommission the HSM after removing it from the chassis.
Life-cycle Assurance When you decommission a Thales Luna PCIe HSM, the HSM is zeroised, all user accounts are deleted, and the HSM is returned to its factory state. Any firmware or partition upgrade licenses installed on the HSM are retained. Following decommission of the HSM using this method, confirm the operation was successful using the hsm showinfo LunaCM command on the next power-cycle. The below text response should be shown: Manually Zeroized: Yes This confirms the decommission process was executed successfully. Alternatively, run the LunaCM hsm factoryreset command to decommission the HSM to factory default settings. Care should be taken to observe that the command executes to a successful completion. An example output from a successful factory reset is shown below: lunacm:>hsm factoryreset You are about to factory reset the HSM. All contents of the HSM will be destroyed. HSM policies will be reset and the remote PED vector will be erased. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now ->proceed Command Result : No Error Figure 11-1: Example successful factory reset console output from LunaCM
For full decommission (removing the unit from service, clearing the HSM of all your material, clearing the appliance of all identifying information) of a functioning Thales Luna Network HSM, follow these steps in LunaSH, using the serial connection:
Life-cycle Assurance 8. Power up the appliance. At this point, the HSM internally issues and executes its zeroise routine to erase all partitions and objects. This step takes about five minutes. The KEK is already gone at that point
Updating the module’s firmware requires the HSM SO and the firmware update file to complete. Run the LunaCM hsm updatefw command to update the current firmware to a new version. If any failures are detected during the update the command will fail and the module will continue running on the existing firmware. An example output from a successful firmware update is shown below: lunacm:>hsm updatefw -fuf fwupdateK7_testCert_7.0.1_RC327.fuf authcode fwupdateK7_testCert_7.0.1_RC327.fuf.txt You are about to update the firmware. The HSM will be reset. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now -> proceed Updating firmware. This may take several minutes. Firmware update passed. Resetting HSM Command Result : No Error Figure 11-3: Example successful FW update console output from LunaCM NOTE All updates of the firmware MUST be FIPS validated before they can be loaded for the module to remain in an approved mode of operation.
The module status can be assessed by running either the hsm showinfo LunaCM for Thales Luna PCIe HSM or the hsm show LunaSH command for Thales Luna Network HSM. Where physical access to the module is possible
The module does not require any periodic maintenance outside the routine inspection of Tamper Evidence as documented in Section 7.2.
Mitigation of Other Attacks
No assured mitigations to ‘other attacks’ are covered in this security policy.
Ahead of putting the module into its approved mode of operation, it is important to identify the hardware, main firmware and bootloader versions of the target module and to check these correspond to one of the tested modules listed in section Table 2-1. The following sections provide guidance on checking each element. NOTE Any module returning hardware, main firmware and bootloader versions not listed in this security policy is out of the scope of this validation and requires a separate FIPS 140-3 certificate. Two paths are supported to checking the hardware, bootloader and main firmware versions depending on whether the LunaCM or LunaSH management interfaces are being used 50: > hsm showinfo when using LunaCM; and > hsm show when using LunaSH. Both commands return status information on the target cryptographic module including the module name, version numbers for both bootloader and main firmware and separately the hardware identity. Example output for each command for a valid module is shown in the Figure 13-1 and Figure 13-2 below with relevant versions highlighted in red: lunacm:>hsm showinfo Partition Label -> myPCIeHSM Partition Manufacturer -> SafeNet Partition Model -> Luna K7 Partition Serial Number -> 67842 Partition Status -> L3 Device HSM Part Number -> 808-000048-002 Token Flags -> CKF_RNG CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED RPV Initialized -> Not Supported Slot Id -> 4 Session State -> CKS_RW_PUBLIC_SESSION Role Status -> none logged in Token Flags -> TOKEN_KCV_CREATED Partition OUID: 000000000000000002090100 Partition Storage: Total Storage Space: 393216 Used Storage Space: 0 Free Storage Space: 393216 Object Count: 0 Overhead: 9848 FM HW Status -> FM Bootloader Version -> 1.1.5 Firmware Version -> 7.8.5 Rollback Firmware Version -> 7.0.3
50 Both LunaCM and LunaSH map to the Luna ICD logical interface at the cryptographic module boundary.
Guidance Environmental: Fan 1 Status : active Fan 2 Status : active Battery Voltage : 3.093 V Battery Warning Threshold Voltage : 2.750 V System Temp : 38 deg. C System Temperature Warning Threshold : 75 deg. C HSM Storage: Total Storage Space: 33554432 Used Storage Space: 33554432 Free Storage Space: 0 Allowed Partitions: 1 Number of Partitions: 1 License Count -> 8 1. 621000068-000 K7 Base Configuration 2. 621010185-003 Key backup via cloning protocol 3. 621000135-002 Enable allow decommissioning 4. 621000134-002 Enable 32 megabytes of object storage 5. 621000154-001 Enable decommission on tamper with policy off 6. 621000021-002 Maximum performance 7. 621000138-001 Controlled tamper recovery 8. 621000074-001 Enable Functionality Modules Command Result: No Error Figure 13-1: Example output of hsm showinfo command from LunaCM lunash:>hsm show Appliance Details: ================== Software Version: 7.8.0-1 HSM Details: ============ HSM Label: myLunaHSM Serial #: 66331 Bootloader: 1.1.5 Firmware: 7.8.5 HSM Model: Luna K7 HSM Part Number: 808-000073-001 Authentication Method: Password HSM Admin login status: Not Logged In HSM Admin login attempts left: 3 before HSM zeroization! RPV Initialized: No Audit Role Initialized: No Remote Login Initialized: No Manually Zeroized: No Secure Transport Mode: No HSM Tamper State: No tamper(s) Partitions created on HSM: ============================== Partition: 154438865296, Name: mypar0 Number of partitions allowed: 100 Number of partitions created: 1 FIPS 140 Operation: ===================== The HSM is in FIPS 140 approved operation mode.
Guidance HSM Storage Information: ======================== Maximum HSM Storage Space (Bytes): 33554432 Space In Use (Bytes): 335544 Free Space Left (Bytes): 33218888 Environmental Information on HSM: ================================= Battery Voltage: 3.072 V Battery Warning Threshold Voltage: 2.750 V System Temp: 53 deg. C System Temp Warning Threshold: 75 deg. C Functionality Module HW: FM ======================= Command Result: 0 (Success) Figure 13-2: Example output of hsm show command from LunaSH Where Luna K7 is returned as the Partition Model in the output from LunaCM and HSM Model in the output from LunaSH, this can be mapped directly as an alias for ‘Thales Luna K7 Cryptographic Module’ as the module name.
The module is configured to be in an Approved Mode of Operation on a per-partition basis. To place a partition into its approved mode of operation, the HSM SO (Admin Partition) or Partition SO (User Partition) must check and, if necessary, set the following partition level policy: > Partition Policy (42) Enable CPv1– this is set to true by default when the HSM Policy (12), Allow Non FIPS Algorithms is set to true or is set to false (enforced by the module) if the same policy is set to false. The policy shall be set to false. > Partition Policy (43) Enable non-FIPS Algorithms - this policy is set to true by default if HSM Policy (12), Allow Non-FIPS Algorithms is separately set to true. If HSM Policy (12), Allow Non-FIPS Algorithms is set to false, the module will set this value to false (enforced by the module). This policy shall be set to false. Ahead of configuring the individual partitions, the HSM SO must set the following HSM level policies: > HSM Policy (56), Allow User Defined ECC Curves
Guidance NOTE While default setting is false, this setting is only relevant to a FIPS approved configuration following load of the ‘Enable Functionality Module CUF’. This unlocks the ability to enable the related ‘HSM Policy (50) Allow Functionality Modules’. Prior to HSM Policy (50) being set to true, the setting of HSM Policy (52) Restrict FM Privilege is redundant to the modules operation as FM can’t be loaded and the policy only relates to commands received by the module from within code executing within a sandboxed functionality module. Following entry into an approved mode of operation: > any changes to the HSM level policy will trigger an automatic zeroization of the HSM erasing all roles and partition stored key objects; and > any changes to the partition level policy will trigger an automatic zeroization of the partition erasing all partition stored key objects.
To make the module perform cryptographic self-tests ‘on demand’ this can be achieved using the following: > Self Test (Option #90) when using the ckdemo client tool. This will give you 3 options of self-tests to run on the module: > Option 1, H/W Test
Guidance [13] Inject error: infinite loop [14] List all enabled Sentry PKA engines (0:5) [15] Disable a Sentry PKA engine (0:5) [16] Enable a Sentry PKA engine (0:5) > 2 Status: Doing great, no errors (CKR_OK) (TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit Status: Doing great, no errors (CKR_OK) 13-3: Example output of the Self Test command from CKDemo In addition to using CKDemo as a tool, on demand self-test can be requested using the CA_ PerformSelfTest command using the Cryptoki API.
The nominal temperature range for operation of the module is between 0 and 50°C. The nominal temperature range for storage and distribution of the module is between -20 and 80°C. The overall input operation voltage of the module as a PCI-E card is +12V ± 8% DC. This input is used to generate the voltages covered in section 7.3 and as are used internal to the module. The module’s tamper thresholds can be found in section 7.3.
To log into the module’s roles as described in section 4.1 you must first set the slot to the partition you wish to log into. To set the slot you must first use the slot list LunaCM command to view the available slots, once you have the chosen slot you wish to log into use the following: > set slot when using LunaCM. lunacm:> slot set -slot 4 Command Result : No Error 13-4: Example output of set slot command from LunaCM Once set you may now log into any of the available roles to the partition by using: > role login when using LunaCM. lunacm:> role list Roles (short) ============================ Partition SO po Crypto Officer co Limited Crypto Officer lco Crypto User cu Command Result : No Error
Guidance lunacm:>role login -name po Please attend to the PED. Command Result : No Error 13-5: Example output of role list and role login commands from LunaCM NOTE Some roles must first be initialized before they can be logged in. To do so you must use the role init command in LunaCM
In addition to the direct guidance provided in this security policy both Thales Luna PCIe HSM and Thales Luna Network HSM include extensive user guidance in their online free to access manual. The full manuals for these products can be accessed at www.thalesdocs.com where the target products can be found under ‘Luna HSMs’ and where the ‘read docs’ link will take you to the front page where the document portal for either Thales Luna PCIe HSM and Thales Luna Network HSM can be found. As part of the product documentation: > HSM Administration Guide