Luna HSM Firmware 7.0.2
Luna HSM firmware 7.0.2 was released in December 2017, and includes bug fixes and security updates for FIPS certification.
Refer to NIST certificate #3205 for FIPS 140-2 Level 3 certification:
New Features and Enhancements
Luna HSM firmware 7.0.2 includes the following new features and enhancements:
Partition Security Officer
All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM
See Partition Roles.
Luna Network HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x Luna HSMs.
Luna Network HSM 7 provides enhanced environmental failure protection and tamper resistance.
Improved Random Number Generation
The performance of Luna Network HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:
New Cryptographic Mechanism Support
Luna Network HSM 7 adds support for the following cryptographic algorithms:
>SP800-108 HMAC (RSA & ECC)
>AES-XTS - disk encryption standard
Increased Key Storage Capacity
Luna Network HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).
Secure Transport Mode Redesigned
Secure Transport Mode (STM) in Luna Network HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents, and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are redisplayed. If the strings match, the HSM has not been tampered or modified during transport.
Controlled Tamper Recovery
If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation.
See Tamper Events.
Release 7.0.2 Advisory Notes
This section highlights important issues you should be aware of before deploying HSM firmware 7.0.2.
Resolved Issue LKX-3338
Thales has identified an issue with asymmetric digest-and-sign, or digest-and-verify mechanisms when the data length exceeds 64KB, for all SHAxxx_RSA_xxx, SHAxxx_DSA and SHAxxx_ECDSA mechanisms.
>Simple (i.e. not combined with digest) RSA/ECDSA/DSA sign/verify operations are NOT affected, and work as expected for all HSM models.
>This issue only affects HSMs with standard- and enterprise-level performance (*700 and *750 models). Maximum-performance (*790) models are not affected.
This issue is resolved in both firmware 7.2.0 and 7.0.3.
Thales strongly recommends that you update to firmware 7.2.0 or later, or firmware 7.0.3, to avoid this issue in the future.
Resolved Issues LKX-2832/LUNA-956: CKA_EXTRACTABLE Default Setting
Formerly, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys was incorrectly set to TRUE by default. This was resolved in Luna HSM firmware 7.0.2 and higher. In firmware 7.0.2 and higher, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys is set to FALSE by default.
NOTE If you have existing code or applications that expect keys to be extractable by default, you must modify them to explicitly set the CKA_EXTRACTABLE attribute value to TRUE.
PED Firmware Upgrade Needed for Luna 6 PEDs
If you have older PEDs that you intend to use with Luna HSM 7.0 or later, you must upgrade to firmware 2.7.1 (or newer). The upgrade and accompanying documentation (007-012337-003_PED_upgrade_2-7-1-5.pdf) are available from ThalesDocs.
Deprecated and Discontinued Features
The following features are deprecated or discontinued in Luna 7. If you have been using any of these Luna 5/6 features, plan for a new configuration and workflow that does not make use of the feature:
>Host trust links (HTL)
>NTLS keys in hardware
>Small form factor (SFF) backup
>Watchdog, CPU Governor