Authentication

Each Luna HSM comes in one of two authentication types – password or multifactor quorum (also called PED-authenticated). PED stands for PIN Entry Device. The authentication type for Luna Network HSM 7 and Luna PCIe HSM 7 is configured at the factory and cannot be modified in the field. Luna USB HSM 7 can be initialized to use one or the other.

For an outline of the key differences between password and multifactor quorum authentication, see Authentication Types.

Table 1: Authentication Types (password authentication compared with multifactor quorum authentication using PED keys/Luna PED)

Password: Two-factor authentication is not available; relies on "something you know".
Multifactor quorum: Two-factor authentication consisting of a physical PED key and optional PIN; that is, it can require "something you know" in addition to "something you have" for authentication.

Password: Authentication can be input locally or from a remote terminal.
Multifactor quorum: Authentication requires a physical local connection or a pre-configured Remote PED link.

Password: Access to cryptographic keys is restricted to knowledge of the partition CO (read/write) or CU (read-only) password.
Multifactor quorum: Access to cryptographic keys is restricted to CO (read/write) and CU (read-only); possession of the appropriate PED key(s) and PIN is required.

Password: Dual or multi-person access control is not available.
Multifactor quorum: Dual or multi-person (quorum) access control is available by way of MofN (split-knowledge secret sharing); physical PED keys, each containing a portion of the role-authentication secret, can be held by separate people who must cooperate to perform authentication.

Password: Key-custodian responsibility and role separation depend on password knowledge only.
Multifactor quorum: Key-custodian responsibility and role separation depend on PED key ownership: physical possession and PIN knowledge.

Password Authentication

For Luna HSMs using password authentication, the various, layered roles are protected by passwords. The Luna Network HSM 7 also provides password-protected appliance roles to access the Luna Shell (LunaSH) and configure the appliance and the HSM via SSH or a local serial connection (see Appliance Administration). Refer to User Access Control for descriptions of specific HSM roles and their responsibilities.

Authentication

Objects on the HSM are encrypted by the owner of each application partition, and can be decrypted and accessed only by means of the specific secret (password) associated with the Crypto Officer or Crypto User.

If you cannot present the secret (the password) that encrypted the objects, then the HSM is just a secure storage device to which you have no access, and those objects might as well not exist.

NOTE   The administrative role secret is also the application-authentication secret: one plain-text secret used for two purposes. On a password-authenticated HSM, once the administrator (Crypto Officer or Crypto User) has distributed the secret to the application(s), the only way to restrict access by applications (or personnel) that have come into possession of that secret is to change the password, which also changes the authentication for the associated role.

Advantages

Using password authentication has the following advantages:

>Convenience: changing passwords and authentication secrets is easy in the case of personnel changes or suspected compromise

>Direct mapping to organizational policies: password change policies already existing in an organization are easy to map onto a password-authenticated framework

Disadvantages

Passwords are less secure than multifactor quorum authentication, and thus have the following disadvantages:

>Vulnerability to observation: passwords being typed can be easily observed in person, through a camera, or with malware like keystroke loggers

>Record-keeping: secure passwords are obscure and must be written down, and that record must be securely stored

>Accountability: it is difficult to know who might have seen or been told a password

Multifactor Quorum Authentication

For Luna HSMs configured for multifactor quorum authentication, the various, layered HSM roles are protected by cryptographic secrets stored on physical USB PED keys (each of which may be assigned a memorized PIN) and presented to the HSM using the Luna PED (PIN Entry Device). The connection between the Luna PED and the Luna HSM is a secure, trusted path. The Luna Network HSM 7 also provides password-protected appliance roles to access the Luna Shell (LunaSH) and configure the appliance and the HSM via SSH or a local serial connection (see Appliance Administration). Refer to User Access Control for descriptions of specific roles and their responsibilities.

>For the Luna Network HSM 7, the PED connection is on the appliance rear panel.

>For the Luna PCIe HSM 7, the PED connection is a slot-edge connector, directly on the HSM card, accessible at the exterior of a tower or server computer (not through the host computer).

>For the Luna USB HSM 7, the Luna PED is not required. PED keys are presented directly to the HSM via the USB-C connector and an adapter, and PINs are entered using the built-in touchscreen. You can also authenticate roles on the Luna USB HSM 7 using a Remote Luna PED connection.

For Local PED, the connection is a secure physical link, directly to the HSM, bypassing the computer memory and bus. At no time does an authentication secret exist in the clear, anywhere in computer memory or on any computer bus.

Remote Luna PED

By default, Luna PED is connected directly to the HSM via a USB cable. When it is not convenient to be physically near the host or client computer, Remote Luna PED allows you to operate the HSM remotely and securely.

The multifactor quorum-authenticated Luna HSM generates a unique Remote PED Vector and saves it on one or more orange PED keys. You can generate or regenerate this secret at any stage of your HSM deployment. If the HSM is not yet initialized, you can generate the RPV remotely using a one-time password. If the HSM is already initialized, the HSM SO must log in and generate the RPV using a locally-connected Luna PED. The RPV is used to authenticate the Remote PED server (a client computer with a Luna PED connected) for all future HSM role authentication processes, and the HSM itself can be located at a secure facility for its entire deployment.

Partition Activation and Challenge Secrets

Once initialized, a multifactor quorum-authenticated application partition can be configured to accept a password string, known as a challenge secret, as a secondary form of authentication. This is referred to as partition activation. For some use cases, such as key vaulting, the requirement to present a physical key to access objects on the partition may be desired. For most application use cases, however, requiring a physical key each time the application accesses the partition is impractical.

Activation allows the Crypto Officer or Crypto User PED key secrets to be cached, and for those users to authenticate their roles from then on using the secondary challenge secret. Activation is allowed or disallowed by the setting of partition policies by the Partition Security Officer (PO). The PO role cannot be activated; the PO must always log in using a physical PED key.

Auto-Activation

In the event of a restart or power outage, activated roles are deactivated and must re-authenticate by presenting the PED key and challenge secret. Auto-activation stores the cached PED key secrets for two hours in this event, so activation will survive any maintenance shut-down or reboot, or a power outage less than two hours in duration. Auto-activation is enabled by a separate partition policy.
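The activation and auto-activation rules in the two sections above form a small lifecycle: a PED key plus challenge secret activates the CO or CU role (never the PO) when the PO's partition policy allows it; afterwards the challenge secret alone authenticates; a restart or outage deactivates the role unless auto-activation is enabled and the outage is shorter than two hours. The following added example is a model of those rules written for this page, not Luna firmware or client code. The role names, the secret values and the dictionary-based representation of PED keys and challenge secrets are constructed for the demonstration; how an actual application presents the challenge secret (for example as a PKCS#11 login PIN) is not covered here.

```python
"""Model of partition activation and auto-activation rules (illustrative, not vendor code)."""
import hmac
from dataclasses import dataclass, field

AUTO_ACTIVATION_WINDOW_S = 2 * 60 * 60   # cached PED secrets survive at most two hours
ACTIVATABLE_ROLES = {"co", "cu"}         # the PO role can never be activated


def _eq(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of authentication secrets."""
    return hmac.compare_digest(a, b)


@dataclass
class Partition:
    ped_key_secret: dict                   # role -> secret carried by that role's PED key
    challenge_secret: dict                 # role -> challenge secret (CO/CU only)
    activation_allowed: bool = False       # partition policy set by the PO
    auto_activation: bool = False          # separate partition policy
    _cache: dict = field(default_factory=dict, init=False, repr=False)

    def activate(self, role: str, ped_secret: bytes, challenge: bytes) -> bool:
        """Present PED key and challenge secret once; cache the PED secret on success."""
        if role not in ACTIVATABLE_ROLES or not self.activation_allowed:
            return False
        expected_challenge = self.challenge_secret.get(role)
        if expected_challenge is None:
            return False
        if not _eq(ped_secret, self.ped_key_secret[role]):
            return False
        if not _eq(challenge, expected_challenge):
            return False
        self._cache[role] = self.ped_key_secret[role]
        return True

    def is_activated(self, role: str) -> bool:
        return role in self._cache

    def login(self, role: str, credential: bytes) -> bool:
        """A PED key secret always authenticates; a challenge secret only while activated."""
        if _eq(credential, self.ped_key_secret[role]):
            return True
        expected_challenge = self.challenge_secret.get(role)
        return (role in self._cache and expected_challenge is not None
                and _eq(credential, expected_challenge))

    def restart(self, downtime_s: float) -> None:
        """Restart or power outage: cached secrets survive only with auto-activation
        and an outage shorter than the two-hour window."""
        if not (self.auto_activation and downtime_s < AUTO_ACTIVATION_WINDOW_S):
            self._cache.clear()


def demo() -> dict:
    """Walk the lifecycle and return each observable outcome by name."""
    part = Partition(
        ped_key_secret={"po": b"po-ped", "co": b"co-ped", "cu": b"cu-ped"},   # constructed
        challenge_secret={"co": b"co-challenge", "cu": b"cu-challenge"},     # constructed
        activation_allowed=True,
        auto_activation=False,
    )
    r = {}
    r["challenge_before_activation"] = part.login("co", b"co-challenge")      # False
    r["po_activation"] = part.activate("po", b"po-ped", b"anything")           # False
    r["co_activation"] = part.activate("co", b"co-ped", b"co-challenge")       # True
    r["challenge_after_activation"] = part.login("co", b"co-challenge")       # True
    part.restart(downtime_s=60)                   # no auto-activation: deactivated
    r["after_restart"] = part.login("co", b"co-challenge")                    # False
    r["ped_key_after_restart"] = part.login("co", b"co-ped")                  # True
    part.auto_activation = True
    part.activate("co", b"co-ped", b"co-challenge")
    part.restart(downtime_s=30 * 60)              # 30-minute outage, within window
    r["auto_short_outage"] = part.login("co", b"co-challenge")                # True
    part.restart(downtime_s=3 * 60 * 60)          # 3-hour outage, beyond window
    r["auto_long_outage"] = part.login("co", b"co-challenge")                 # False
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` exercises the edge cases the text calls out: the challenge secret is useless before activation, the PO cannot be activated, a plain restart forces re-authentication with the PED key, and auto-activation only bridges outages shorter than two hours.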

Advantages

Using multifactor quorum authentication has the following advantages:

>Security: no written record of the secret or password exists, so it cannot be compromised

>Tracking: access and handling of physical devices (PED keys) can be tracked and controlled

>Duplication restrictions: duplication and promulgation can be prevented by physical security measures

>Physical device: using the Luna PED or Luna USB HSM 7 touchscreen to input passwords and PINs prevents key-logging exploits that typed passwords are vulnerable to

Disadvantages

PED keys are physical items that can be lost or misplaced, unlike passwords, and thus have the following disadvantages:

>Password change policies: scheduled or mandated password-change cycles in an organization can be logistically intensive when HSMs share PED key secrets

>Inconvenience: handling of secrets requires hands-on, physical action by personnel to perform changes of authentication secrets in case of compromise