Service Client Communication Protection
The connection between the Luna Cloud HSM Service Client and the Luna Cloud HSM Service has two layers of protection: Transport Layer Security (TLS) and Transferable Token Channel (XTC, or "Xferable Token Channel"). In addition, for client versions 10.2 and above, a JSON Web Token (JWT) provides client authentication to the service. The figure below shows these protection layers and their endpoints. The client first fetches a JWT from the identity provider, then establishes the TLS protection and JWT authentication with the Luna Cloud HSM Service, and finally establishes XTC with the HSM partition.
The REST layer is TLS-protected and transports the request metadata in the header together with the XTC-encrypted payload body to the Luna Cloud HSM Service. For client versions 10.2 and above, the authorization header field contains a JWT issued by DPoD's identity provider service.
The TLS session uses a basic TLS handshake and is terminated at the Luna Cloud HSM Service. For client versions 10.2 and above, the host system's trust store verifies the Luna Cloud HSM Service public certificate. Older clients verify with a file included in the client package, server-certificate.pem, which contains the server public certificate and certificate chain.
After the TLS session is established, the Luna Cloud HSM Service inspects the JWT. The JWT is valid for one hour, and attests to the client's access to the Luna Cloud HSM Service. The Luna Cloud HSM Service uses the OpenID Connect standard to validate that the JWT was issued by the approved identity provider. The service then validates that the token is not expired, that the Luna Cloud HSM Service is a valid recipient for the token, and finally which HSM partitions and permissions are included in the JWT's scope.
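The validation sequence described above (signature, trusted issuer, expiry, intended audience, then the partition scope) is shown here as an added example; it is not code from the Luna Cloud HSM Service or client. It assumes an HS256 shared-secret signature as a stand-in for the RS256 keys an OpenID Connect identity provider would publish, and a hypothetical claim named `partitions` for the partition identifiers and permissions in scope; the real DPoD claim names are not given on this page. All issuer, audience and secret values are constructed for the example.

```python
"""Added example of the JWT checks a relying service applies before
granting access to a partition. Standard library only, so it runs offline.

Assumptions (not from the original page):
- HS256 with a shared secret stands in for the identity provider's RS256 keys;
- "partitions" is a hypothetical claim name for the partition scope.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

EXPECTED_ISSUER = "https://idp.example.test"   # constructed value
EXPECTED_AUDIENCE = "luna-cloud-hsm-service"    # constructed value
SECRET = b"constructed-demo-secret"             # constructed value
TOKEN_LIFETIME = 3600                           # one hour, as the page states


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(partitions: dict, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT the way a (hypothetical) identity provider would."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
        "partitions": partitions,  # hypothetical claim name
    }
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Apply the checks in the order the page describes and return the
    partition scope. Raises ValueError on the first failing check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    # Pin the expected algorithm; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        SECRET, (head_b64 + "." + claims_b64).encode(), hashlib.sha256
    ).digest()
    # Verify the signature before trusting any claim.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # 1. Issued by the approved identity provider.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("untrusted issuer")
    # 2. Not expired.
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    # 3. This service is a valid recipient ("aud" may be a string or a list).
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        raise ValueError("service is not an intended recipient")
    # 4. Which partitions and permissions the token grants.
    return claims.get("partitions", {})


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token({"partition-A": ["crypto-user"]}, now=t0)
    print(validate_token(tok, now=t0 + 10))
```

The order matters: the signature is checked before any claim is read, the algorithm is pinned rather than taken from the header, and expiry uses the verifier's clock. A real deployment would fetch the issuer's signing keys through OpenID Connect discovery instead of the shared secret used here.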
After JWT validation completes, the client fetches the partition certificate chain necessary to establish an XTC session with the HSM partition. The certificate chain exists temporarily in the client host RAM while the connection is ongoing. XTC uses an asymmetric key pair unique to the partition to negotiate a session key. XTC protects the message body in client requests, with an HSM partition as the endpoint. The XTC layer is the first level of encryption when a request leaves the client and the last level of decryption when the request arrives at the partition. The target partition in the HSM service can decrypt the message payload with the partition private key corresponding to the partition certificate chain.
Once the connection is established, initialized partitions use Luna Cloud HSM Service Client Roles to control access to partition settings and cryptographic keys.