FIPS Compliance
Luna HSMs are compliant with the Federal Information Processing Standard (FIPS), defined by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. The full capabilities of Luna HSMs, however, extend far beyond the limitations prescribed by FIPS. If your organization requires FIPS compliance, you must configure the HSM to ensure compliance by restricting these extended capabilities. This section provides guidance on setting up and using the Luna HSM to comply with FIPS, and ensuring that compliance is maintained across firmware updates. ,Luna Network HSM 7 Luna PCIe HSM 7, Luna USB HSM 7 and Luna Backup HSM 7 are FIPS 140-3 Level 3 certified.
Refer to the following sections for guidance on FIPS compliance:
>Install Only FIPS-Validated Firmware
>Configuring the HSM to Operate in FIPS 140 Approved Configuration
>Changes to Mechanisms and Operations in FIPS 140 Approved Configuration by Firmware Version
Install Only FIPS-Validated Firmware
The Luna HSM firmware introduces new functionality with each new version, and to be compliant with FIPS, a new firmware version must be inspected and validated by NIST. Since this validation can take a long time, Thales does not submit every firmware version it releases to NIST as a FIPS candidate. In order to be compliant with the FIPS standard, you must have a FIPS-validated firmware version installed. If your organization requires FIPS validation, update the HSM firmware only to versions listed below.
NOTE Luna HSM Client software do
While older firmware versions on the list below are still considered validated, each new version contains changes to the HSM functions that ensure continued compliance with the revised standard. Certain mechanisms or specific operations that have fallen below the security standard set by NIST since the last certified version are restricted. Likewise, newer mechanisms that have been validated by NIST may be allowed in FIPS 140 approved configuration (formerly FIPS mode), where they were restricted in older versions. Thales recommends that you keep your Luna HSMs requiring FIPS compliance updated to the latest FIPS-validated version, as specified in the list below.
FIPS 140-3 Level 3 Certified Luna USB HSM 7 Firmware Versions
The following Luna USB HSM 7 firmware versions are FIPS 140-3 Level 3 certified per NIST certificate #4962:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4962
>Luna USB HSM 7 Firmware 7.7.3 (recommended)
FIPS 140-3 Level 3 Certified Luna Backup HSM 7 Firmware Versions
The following Luna Backup HSM 7 firmware versions are FIPS 140-3 Level 3 certified per NIST certificate #4962:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4962
>Luna Backup HSM 7 Firmware 7.7.3 (recommended)
Configuring the HSM to Operate in FIPS 140 Approved Configuration
Luna HSMs have many capabilities that are not certified by NIST. To be FIPS-compliant, the HSM must be set to FIPS 140 approved configuration, where any mechanisms or cryptographic operations that are not FIPS-certified are blocked from use. FIPS 140 approved configuration (formerly FIPS mode) is set using HSM or partition policies as described below.
Setting FIPS 140 Approved Configuration on the HSM
You can set the HSM to FIPS 140 approved configuration using HSM policy 12: Allow non-FIPS algorithms. When this policy is set to 0, algorithms that are not FIPS-validated are blocked from use on every partition on the HSM, and the HSM is operating in FIPS 140 approved configuration. There are two methods of setting this policy:
>The HSM SO can use a policy template to set the policy at initialization (see Setting HSM Policies Using a Template). This method is recommended for auditing purposes -- it ensures that the HSM is in FIPS 140 approved configuration for its entire use cycle.
>The HSM SO can set the policy manually after initializing the HSM (see Setting HSM Policies Manually).
NOTE HSM policy 12: Allow non-FIPS algorithms is destructive; changing it results in the entire HSM being zeroized and all partitions destroyed. This is to prevent keys that were created and used in a non-FIPS approved environment from existing in a FIPS-approved environment, and vice-versa.
To check the current status of FIPS 140 approved configuration on the HSM, log in to
*** The HSM is in FIPS 140-2 approved operation mode. ***
Setting FIPS 140 approved configuration on individual application partitions
Prerequisite
HSM policy 12: Allow non-FIPS algorithms must be set to 1 on the HSM.
To set FIPS 140 approved configuration on an application partition
You can set the partition to FIPS 140 approved configuration (formerly FIPS mode) using partition policy 43: Allow Non-FIPS algorithms. When this policy is set to 0, algorithms that are not FIPS-validated are blocked from use, and the partition is operating in FIPS 140 approved configuration. There are two methods of setting this policy:
>The Partition SO can use a policy template to set the policy to 0 at initialization (see Setting Partition Policies Using a Template). This method is recommended for auditing purposes -- it ensures that the partition is in FIPS 140 approved configuration for its entire use cycle.
>The Partition SO can set the policy to 0 manually after initializing the partition (see Setting Partition Policies Manually).
NOTE Partition policy 43: Allow Non-FIPS algorithms is destructive when changing from 0 to 1; this change results in the partition being zeroized. This is to prevent keys that were created and used in a FIPS-approved environment from existing in a non-FIPS-approved environment.
Setting FIPS 140 Approved Configuration on Luna Backup HSM 7
Luna Backup HSM 7 Firmware 7.7.1 and newer uses the same updated cloning protocol as Luna HSM Firmware 7.7.0 and newer. For the Luna Backup HSM 7 to be FIPS-compliant, it must restrict restore operations to application partitions that use the new protocol. This restriction is applied by setting HSM policy 55: Enable Restricted Restore to 1 on the backup HSM. The Luna Backup HSM 7 must be initialized and connected to a Luna HSM Client computer to set this policy.
When this policy is enabled on the Luna Backup HSM 7, objects that have been backed up from partitions using firmware older than Luna HSM Firmware 7.7.0 can be restored to Luna HSM Firmware 7.7.0 or newer (V0 or V1) partitions only.
CAUTION! FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware.
If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup.
NOTE HSM policy 12: Allow non-FIPS algorithms, which is used to set FIPS-compliant mode on other Luna HSMs, does not apply to the Luna Backup HSM 7. Attempts to change this policy will fail with the error CKR_CANCEL
.
To configure the Luna Backup HSM 7 for FIPS compliance
1.On the Luna HSM Client computer, run LunaCM.
2.Set the active slot to the Luna Backup HSM 7.
lunacm:> slot set -slot <slot_id>
3.Log in as Backup HSM SO.
lunacm:> role login -name so
4.Set HSM policy 55: Enable Restricted Restore to 1.
lunacm:> hsm changehsmpolicy -policy 55 -value 1
5.[Optional] Check that the Luna Backup HSM 7 is now in FIPS approved operation mode.
lunacm:> hsm showinfo
*** The HSM is in FIPS 140-2 approved operation mode. ***
Other FIPS Considerations
Certain Luna features can affect FIPS compliance, or the behavior of the HSM in FIPS 140 approved configuration (formerly FIPS mode). Those features and their effects on FIPS are described below.
NOTE By design (approved by NIST) HSS keys cannot be copied/cloned and therefore are not for use in an HA group, and cannot be backed-up or restored.
•Do not generate an HSS key pair on an HA virtual slot.
•Do not add a partition to an HA group if the partition has an HSS private key on it.
NOTE Luna USB HSM 7 does not support Functionality Modules (FMs).
Mixed FIPS/non-FIPS High-Availability Groups
Thales does not recommend creating HA groups using a combination of FIPS and non-FIPS partitions, as such groups would not be FIPS compliant for auditing purposes. If you do wish to create such groups, however, you require a minimum client version or the operation will be blocked
RSA-186 Mechanism Remapping for FIPS Compliance
Under FIPS 186-3/4, the only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. RSA PKCS and X9.31 key generation is not approved in a FIPS-compliant HSM. While Luna 6.10.9 firmware allows these older mechanisms, later firmware does not (and keys created using these mechanisms cannot be replicated to Luna 7 HSMs or Luna Cloud HSM services).
If you have older applications that use RSA PKCS and X9.31 key generation, you can remap these calls to use the newer, secure mechanisms. Add a line to the Chrystoki.conf/crystoki.ini configuration file as follows:
[Misc] RSAKeyGenMechRemap=1
NOTE This setting is intended for older applications that call outdated mechanisms, to redirect calls to FIPS-approved mechanisms. The ideal solution is to update your applications to call the approved mechanisms.
RNG Entropy
The Random Bit Generator and entropy source are FIPS 140-2 Level 3 certified per certificate #E97:
Changes to Mechanisms and Operations in FIPS 140 Approved Configuration by Firmware Version
This section provides details about changes to mechanisms and their functionality when in FIPS 140 approved configuration.
NOTE Thales is continuously updating FIPS criteria with each new firmware version; even if a particular firmware is not submitted for FIPS validation, it may include changes to the way mechanisms work in FIPS 140 approved configuration. It is possible to operate any Luna firmware version in FIPS 140 approved configuration, but only versions validated by NIST are considered compliant with the standard (see Install Only FIPS-Validated Firmware).
FIPS Changes in Luna USB HSM 7 Firmware 7.7.3 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), to comply with NIST SP800-131a Rev2 and SP800-56B Rev2, published in March 2019.
Migrate Keys From FIPS-Configured Luna USB HSM G5 Before Updating to This Version
Using Luna USB HSM 7 Firmware 7.7.3 or newer in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), cloning from Luna USB HSM G5 with firmware 6.24.7 is disallowed. Therefore, you must migrate your keys to Luna USB HSM 7 with Luna USB HSM 7 Firmware 7.7.2 installed, before you update the firmware.
Mechanisms no longer available in FIPS approved configuration
The following mechanisms are no longer available in FIPS approved configuration:
>CKM_EC_MONTGOMERY_KEY_PAIR_GEN
NOTE If you need to generate FIPS-compliant domain parameters for this mechanism, use CKM_DSA_PARAMETER_GEN with modulus length 2048 or 3072.
DES/DES3 encryption not permitted using ECIES mechanisms
The following mechanisms are not permitted to encrypt in FIPS approved configuration (decrypt operations are permitted):
HMAC mechanisms not permitted to sign using DES3 keys
The following mechanisms are not permitted to sign objects with a DES3 key in FIPS approved configuration (verify operations are permitted):
Mechanisms now check for approved EC curves in FIPS mode
The following mechanisms now verify that the specified EC curve is FIPS-approved, and reject operations that specify non-approved curves:
>CKM_EC_KEY_PAIR_GEN_W_EXTRA_BITS
CKM_RSA_PKCS not permitted to decrypt/unwrap objects
To comply with FIPS 140-3 requirements, RSA-based key transport schemes that use only PKCS#1-v1.5 padding are disallowed. Therefore, CKM_RSA_PKCS is now restricted from performing decrypt/unwrap operations.
NOTE When the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), CKM_RSA_PKCS is disabled even if partition policy 33: Allow RSA PKCS mechanism is set to 1.
3DES usage counter has been removed
The 3DES usage counter attribute (CKA_BYTES_REMAINING) has been removed in Luna USB HSM 7 Firmware 7.7.3 and newer, to comply with FIPS 140-3 requirements. This attribute is now ignored on any keys where it is already set.
FIPS Changes in Luna USB HSM 7 Firmware 7.7.2 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0), to comply with FIPS SP800-131a Rev2, published in March 2019. Consider these functional changes when migrating from Luna USB HSM G5.
Mechanisms not permitted to wrap objects in FIPS mode
The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):
Mechanisms not permitted to sign data in FIPS mode
The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):
Mechanisms approved for use in FIPS mode
The following mechanisms are now approved for use in FIPS mode:
3DES Usage Counter
3DES keys have a usage counter attribute (CKA_BYTES_REMAINING) that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow Non-FIPS algorithms set to 0). When the counter runs out, that key can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects. The CKA_BYTES_REMAINING attribute cannot be viewed if the HSM/partition is not in FIPS approved configuration.
The attribute is preserved through backup/restore using a Luna Backup HSM 7; restoring the key restores the counter's setting at the time of backup.
The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring the key resets the counter to the maximum.