Luna HSM Firmware 7.0.3

Luna HSM firmware 7.0.3 was released in December 2017, and includes bug fixes and security updates for FIPS certification.

>Download Luna Network HSM Appliance Software 7.2.0 (includes Luna HSM Firmware 7.0.3 update)

Refer to NIST certificate #3205 for FIPS 140-2 Level 3 certification:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3205

New Features and Enhancements

Luna HSM firmware 7.0.3 includes the following new features and enhancements:

Partition Security Officer

All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM, providing a highly secure multi-tenant solution.

See Partition Roles.

Best-in-Class Performance

Luna Network HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x Luna HSMs.

Industry-Leading Security

Luna Network HSM 7 provides enhanced environmental failure protection and tamper resistance.

Improved Random Number Generation

The performance of Luna Network HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:

>SP800-90B

>SP800-90C

>BSI DRG.4

New Cryptographic Mechanism Support

Luna Network HSM 7 adds support for the following cryptographic algorithms:

>SP800-108 HMAC (RSA & ECC)

>SP800-38F (KWP)

>Curve 25519

>AES-XTS - disk encryption standard

Increased Key Storage Capacity

Luna Network HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).

Secure Transport Mode Redesigned

Secure Transport Mode (STM) in Luna Network HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents, and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are redisplayed. If the strings match, the HSM has not been tampered or modified during transport.

See Secure Transport Mode.

Controlled Tamper Recovery

If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation.

See Tamper Events.

Release 7.0.3 Advisory Notes

This section highlights important issues you should be aware of before deploying HSM firmware 7.0.3.

Resolved Issue LKX-3338

Thales has identified an issue with asymmetric digest-and-sign, or digest-and-verify mechanisms when the data length exceeds 64KB, for all SHAxxx_RSA_xxx, SHAxxx_DSA and SHAxxx_ECDSA mechanisms.

Please note:

>Simple (i.e. not combined with digest) RSA/ECDSA/DSA sign/verify operations are NOT affected, and work as expected for all HSM models.

>This issue only affects HSMs with standard- and enterprise-level performance (*700 and *750 models). Maximum-performance (*790) models are not affected.

This issue is resolved in both firmware 7.2.0 and 7.0.3.

Thales strongly recommends that you update to firmware 7.2.0 or later, or firmware 7.0.3, to avoid this issue in the future.

Resolved Issues LKX-2832/LUNA-956: CKA_EXTRACTABLE Default Setting

Formerly, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys was incorrectly set to TRUE by default. This was resolved in Luna HSM firmware 7.0.2 and higher. In firmware 7.0.2 and higher, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys is set to FALSE by default.

NOTE   If you have existing code or applications that expect keys to be extractable by default, you must modify them to explicitly set the CKA_EXTRACTABLE attribute value to TRUE.

PED Firmware Upgrade Needed for Luna 6 PEDs

If you have older PEDs that you intend to use with Luna HSM 7.0 or later, you must upgrade to firmware 2.7.1 (or newer). The upgrade and accompanying documentation (007-012337-003_PED_upgrade_2-7-1-5.pdf) are available from ThalesDocs.

Deprecated and Discontinued Features

The following features are deprecated or discontinued in Luna 7. If you have been using any of these Luna 5/6 features, plan for a new configuration and workflow that does not make use of the feature:

>Host trust links (HTL)

>NTLS keys in hardware

>PKI bundle

>Small form factor (SFF) backup

>Watchdog, CPU Governor

Special Instructions for Installing Firmware 7.0.3 if Your Current Firmware Version is 7.1.0

Firmware 7.0.3 is FIPS-certified Luna firmware. If you are using firmware 7.0.1 or 7.0.2, you can proceed with the standard update procedure. If you previously updated to firmware 7.1.0, and you wish to use firmware 7.0.3, follow this procedure to ensure a successful update.

Luna Network HSM does not allow you to update the firmware from a higher-numbered to a lower-numbered version. Therefore, if you are currently running firmware 7.1.0, you must first perform a firmware rollback.

CAUTION!   Firmware rollback is destructive; earlier firmware versions might have older mechanisms and security vulnerabilities that a new version does not. Back up any important materials before rolling back the firmware. This procedure zeroizes the HSM and all cryptographic objects are erased.

If you are using STC, or have ever enabled HSM policy 39, you may encounter a known issue LKX-3184 (see Known and Resolved Issues). If this is the case, do not roll back the HSM firmware.

To install firmware 7.0.3 on an HSM running firmware 7.1.0

1.Check the previous firmware version that is available on the HSM. The firmware available for rollback must be 7.0.1 or 7.0.2.

lunash:>hsm firmware show

2.Back up any important cryptographic objects currently stored on the HSM.

3.Log in as HSM SO.

lunash:>hsm login

4.Perform a firmware rollback.

lunash:>hsm firmware rollback

5.Initialize the HSM and log in as HSM SO.

6.Install the Luna Network HSM 7.2 update that includes firmware 7.0.3, as described in the product documentation.

7.Update the firmware to version 7.0.3, which is now stored on the appliance.

lunash:>hsm firmware upgrade

8.Recreate your application partition(s) and restore the contents from backup.