Luna HSM Firmware 7.4.2
New Features and Enhancements
Luna HSM firmware 7.4.2 includes the following new features and enhancements:
3GPP Cryptography for 5G Mobile Networks
The new 3GPP crypto functions support the authentication and re-synchronization of a mobile device to the back-end authentication center (AUC). Milenage, Tuak and Comp128 algorithms are available and are relevant to 2/2.5G, 3G, 4G (LTE) and newer 5G mobile networks. The primary benefit of using the Luna HSM is that the subscriber's key (Ki) is never exposed in the clear outside the security perimeter of a hardware security device. Optionally, the Operators Variant string (OP) may also be encrypted under a storage key only found inside the HSM. See 3GPP Mechanisms for 5G Mobile Networks.
SM2 is comparable to Elliptic Curve (EC) in terms of key structure though the signing algorithm is different. SM2 is required for sign/verify. There is a new key type CKK_SM2. SM4 is comparable to Advanced Encryption Standard (AES-128) in terms of key size though the encryption algorithm is different. SM4 is required for encrypt/decrypt (modes ECB, CBC, CBC-PAD). There is a new key type CKK_SM4. See SM2/SM4 Mechanisms.
SHA-3 Function Support
The SHA-3 hash algorithm has been implemented in the K7 firmware, and the implementation conforms to the NIST publication FIPS PUB 202. You can send message data to the Luna HSM and receive the SHA-3 digest of the data. The algorithm is implemented for digest bit lengths of 224, 256, 384 and 512, similar to the SHA-2 family of hash algorithms. Other mechanisms that make use of a digest support SHA-3 either by specifying the mechanism type or by specifying mechanism parameters. See SHA-3 Mechanisms.
Refer to the following table for special firmware 7.3.3 and 7.4.2 update procedures for multifactor quorum-authenticated HSMs. These procedures apply depending on what firmware version was used to create the application partitions.
|Partition created in HSM at firmware version
|Normal firmware update procedure (see Updating the Luna HSM Firmware)
|7.1.0, 7.2.0, 7.3.0, or 7.4.0
with HSM Policy 15 set to ON*
|Normal firmware update procedure (see Updating the Luna HSM Firmware) - EXCEPT the Partition SO must reset the challenge secret(s) after the firmware update, so that partition objects become accessible again (see Resetting the Crypto Officer, Limited Crypto Officer, or Crypto User Credential).
|7.1.0, 7.2.0, 7.3.0, 7.4.0, or 7.4.1
with HSM Policy 15 set to OFF*
1. Before updating firmware, back up your partition contents.
2. Update your HSM to firmware version 7.3.3 or 7.4.2.
3. Your existing partition is no longer accessible; re-initialize the existing partition.
4. Restore your partition objects from backup.
* By default, HSM Policy 15 is OFF. Turning Policy 15 ON is destructive.
Valid Update Paths
You can update the Luna HSM firmware to version 7.4.2 from the following previous versions:
7.3.3, 7.4.0, 7.4.1
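The update-path list and the procedure table above, encoded as a pre-update check that flags which partitions will need a backup and restore. This is an added example, not Thales code; the function, field and partition names are hypothetical, and the inventory is constructed.

```python
from collections import namedtuple

# Values transcribed from this page; all names here are hypothetical.
TARGETS = {"7.3.3", "7.4.2"}                     # firmware the table applies to
VALID_SOURCES_742 = {"7.3.3", "7.4.0", "7.4.1"}  # "Valid Update Paths"
ROW_POLICY15_ON = {"7.1.0", "7.2.0", "7.3.0", "7.4.0"}
ROW_POLICY15_OFF = ROW_POLICY15_ON | {"7.4.1"}

Plan = namedtuple("Plan", "destructive steps")

def plan_update(running_fw, target_fw, created_fw, policy15_on):
    """Plan the update for one multifactor quorum-authenticated partition."""
    if target_fw not in TARGETS:
        raise ValueError(f"table does not cover target {target_fw}")
    if target_fw == "7.4.2" and running_fw not in VALID_SOURCES_742:
        raise ValueError(f"{running_fw} -> 7.4.2 is not a listed update path")
    if policy15_on and created_fw in ROW_POLICY15_ON:
        return Plan(False, [
            f"update firmware to {target_fw} (normal procedure)",
            "Partition SO resets the challenge secret(s)",
        ])
    if not policy15_on and created_fw in ROW_POLICY15_OFF:
        return Plan(True, [
            "back up partition contents",
            f"update firmware to {target_fw}",
            "re-initialize the existing partition",
            "restore partition objects from backup",
        ])
    # The row for the plain normal procedure has no version list on this
    # page, so unlisted combinations are reported instead of guessed.
    raise LookupError(f"no row for created_fw={created_fw}, policy15_on={policy15_on}")

if __name__ == "__main__":
    # Constructed inventory: (partition, running_fw, created_fw, policy15_on)
    inventory = [("hsm1/par-a", "7.4.0", "7.2.0", True),
                 ("hsm2/par-b", "7.4.1", "7.4.1", False),
                 ("hsm3/par-c", "7.4.1", "7.4.1", True)]
    for name, running, created, p15 in inventory:
        try:
            plan = plan_update(running, "7.4.2", created, p15)
            tag = "DESTRUCTIVE" if plan.destructive else "non-destructive"
            print(f"{name}: {tag}")
            for i, step in enumerate(plan.steps, 1):
                print(f"  {i}. {step}")
        except LookupError as exc:
            print(f"{name}: check the vendor table ({exc})")
```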
This section highlights important issues you should be aware of before deploying HSM firmware 7.4.2.
Luna HSM Firmware 7.4.1 is No Longer Available
Luna HSM firmware 7.4.1 is no longer available for download from the Thales Customer Portal. Thales recommends that all customers using HSM firmware version 7.4.1 update to 7.4.2 or higher.