05 - Luna EFT2 Operation

The document outlines the operations and functionalities of Luna EFT 2, including key generation, smartcard key transfer, and network key transfer. It details the processes for upgrading the EFT system and accessing its web UI, along with security measures like Key Verification Codes and PIN security settings. The document serves as a comprehensive guide for managing keys and configurations within the Luna EFT environment.

Luna EFT 2
Operation

Assaf Cohen
Training Manager

Let's talk about…
• Key generation
• Smartcard key transfer
• Network package transfer
• Upgrading the EFT
• The UI
Key Generation

• Luna EFT can generate two types of keys
  ◦ HSM keys
  ◦ Host keys
• HSM keys are stored inside the HSM
• Host keys are encrypted and stored on a remote host
• The master key is used to encrypt host-stored keys

Key Generation
• You must log in as the Partition Owner
• Keys are entered directly into the HSM
• Security standards dictate that keys cannot be created remotely
• A physical keyboard must be attached to the HSM
• All keys are entered via the console interface
Key Generation
Workflow

[Diagram: keymgmt → generate → hsm / host → key type]

Key Generation
Workflow

• Key generation requires specific input from the key owner

  [local_host] Keymgmt generate hsm [KeyType] -index [INDEX]
      -keybit [BIT SIZE]
      -keylen [LEN]
      -clearComp [NUMBER]
      -encryptedComp [NUMBER]
      -algo [DES/AES]

  Keymgmt generate hsm km -index 1 -keybit 256 -keylen 2 -clearComp 2 -encryptedComp 0 -algo DES
Key Verification Codes (KVC)
• Key Verification Codes (KVC) are used to verify, without compromising secrecy, that a key or a key component has been entered correctly, or to confirm that the value of a stored key is as expected.
• During key entry at the Luna EFT console, a KVC is automatically calculated and displayed for each key component and for the resultant key.
• There are various methods used to calculate KVCs; consult the Console User's Guide for more info.

• Most popular, standardized KVC algorithm (KL6):

  Use the key (or key component) to encrypt a plaintext made up of 8 zero-value bytes. The leftmost 3 octets (bytes) of the ciphertext are taken as the result. The value is displayed as 6 hexadecimal characters.

  Example:
  Key:        01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
  Plaintext:  00 00 00 00 00 00 00 00
  Ciphertext: 08 D7 B4 FB 62 9D 08 85
  KVC:        08 D7 B4
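The KL6 rule above is easy to reproduce offline, which is how a custodian can check a printed KVC against the value the console shows. The following Go program is an added example, not code from the training deck or from SafeNet; it uses only the standard library (crypto/des, crypto/aes) and reproduces the slide's worked example. The function names (KVC, KVCHex, CombineComponents) are chosen here. Two assumptions the slide does not state are marked in the comments: key-length conventions (8/16/24-byte keys for DES, with a 16-byte key expanded as K1 K2 K1; 16/24/32-byte keys for AES, where the zero block is 16 bytes), and that clear components are combined by XOR, the usual split-knowledge convention. The two components used in main are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// blockCipherFor picks the block cipher for a key. Assumed convention (not
// on the slide): "DES" keys are 8 bytes (single DES), 16 bytes (double-length
// TDES, used as K1 K2 K1) or 24 bytes (triple-length TDES); "AES" keys are
// 16, 24 or 32 bytes.
func blockCipherFor(key []byte, algo string) (cipher.Block, error) {
	switch strings.ToUpper(algo) {
	case "DES", "TDES":
		switch len(key) {
		case 8:
			return des.NewCipher(key)
		case 16:
			// Double-length key: the third DES key repeats the first.
			full := append(append([]byte{}, key...), key[:8]...)
			return des.NewTripleDESCipher(full)
		case 24:
			return des.NewTripleDESCipher(key)
		}
		return nil, fmt.Errorf("DES key must be 8, 16 or 24 bytes, got %d", len(key))
	case "AES":
		return aes.NewCipher(key) // accepts 16, 24 or 32 bytes
	}
	return nil, errors.New("algo must be DES or AES")
}

// KVC applies the KL6 rule: encrypt one all-zero block under the key and keep
// the leftmost 3 bytes of the ciphertext as 6 uppercase hex characters.
func KVC(key []byte, algo string) (string, error) {
	blk, err := blockCipherFor(key, algo)
	if err != nil {
		return "", err
	}
	zero := make([]byte, blk.BlockSize()) // 8 bytes for DES, 16 for AES
	ct := make([]byte, blk.BlockSize())
	blk.Encrypt(ct, zero)
	return strings.ToUpper(hex.EncodeToString(ct[:3])), nil
}

// KVCHex accepts the space-separated hex notation used on the slide.
func KVCHex(keyHex, algo string) (string, error) {
	key, err := hex.DecodeString(strings.ReplaceAll(keyHex, " ", ""))
	if err != nil {
		return "", err
	}
	return KVC(key, algo)
}

// CombineComponents XORs equal-length clear components into the resultant
// key (assumed convention, not stated on the slide). Each custodian can check
// the KVC of their own component without ever seeing the other components.
func CombineComponents(components ...[]byte) ([]byte, error) {
	if len(components) == 0 {
		return nil, errors.New("no components")
	}
	out := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(out) {
			return nil, errors.New("components differ in length")
		}
		for i := range out {
			out[i] ^= c[i]
		}
	}
	return out, nil
}

func main() {
	// The slide's worked example: a double-length TDES key.
	v, err := KVCHex("01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10", "DES")
	fmt.Println("slide key KVC:", v, err) // 08D7B4 <nil>

	// Constructed sample components: compA is arbitrary, compB is chosen so
	// that compA XOR compB equals the slide key.
	compA, _ := hex.DecodeString("5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A")
	keyBytes, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	compB := make([]byte, len(keyBytes))
	for i := range compB {
		compB[i] = compA[i] ^ keyBytes[i]
	}
	for i, c := range [][]byte{compA, compB} {
		cv, _ := KVC(c, "DES")
		fmt.Printf("component %d KVC: %s\n", i+1, cv)
	}
	combined, _ := CombineComponents(compA, compB)
	cv, _ := KVC(combined, "DES")
	fmt.Println("resultant key KVC:", cv) // 08D7B4
}
```

A KVC is a check value, not a secret, but it does leak 24 bits of ciphertext under the key; that is why the standard truncates the block and why the full ciphertext is never printed on a key-entry form. Because a 16-byte value could be a double-length TDES key or an AES-128 key, the algorithm must be passed explicitly: the same bytes give different KVCs under the two ciphers.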
Smartcard Key Transfer

Smartcard Transfer
• Smartcards are used to store keys for transfer between Luna EFT devices
• A KTP must be created prior to smartcard transfer
  ◦ This is a DES/AES Transfer Protect Key
  ◦ Used to derive the keys that protect the data

Smartcard Transfer
The KTP

• KTP restrictions change depending on PCI status

  Mode      TDES KTP                        AES KTP
  Non PCI   Encrypted key: TDES/DES         Encrypted key: AES/TDES
            KTP key length: 16/24 bytes     KTP key length: 128, 192 and 256 bytes
  PCI       Encrypted key: TDES             Encrypted key: AES/TDES
            KTP key length: 24 bytes        KTP key length: 256 bytes
Smartcard Transfer

• Have the smartcard reader attached to the EFT
• 5 SafeNet smartcards are included in the box
• Only official smartcards are supported
• Multiple sets of smartcards are supported

  [local_host] support backup smartcard -cardsetid [ID]

Smartcard Transfer
Protection

• Cards and data have multi-layer protection
  ◦ User PIN
    The user PIN is determined during the transfer process and is bound to a card set ID
  ◦ Transfer Protection Key
    The KTP is used to derive keys for encryption
    Partition owners must use the same KTP on other EFTs to decrypt the card set
  ◦ Card set ID
    Each card set is given a name
    A partition owner trying to decrypt keys must know this name in advance

Smartcard Transfer
Restore

• The number of smartcards needed for a single backup depends on the amount of data
• Cards are automatically erased during a new backup process
• Cards are not erased after a successful restore process

  [local_host] support restore smartcard -cardsetid [ID]


Network Key Transfer

Network Key Transfer
• Key distribution management can be challenging
  ◦ Replication of keys to remote sites
  ◦ Requires a common infrastructure (network)
• Schemes are used to simplify the process

Network Key Transfer
Schemes

• Keys are partitioned into groups
• Groups can overlap
  ◦ This assists the operator in managing keys belonging to more than one application
• Schemes provide the ability to control key transfer at the individual key level
• The HSM keeps track of which keys have already been exported

Network Key Transfer
Schemes

[Diagram: overlapping key groups A, B and C]

Network Key Transfer
Models - Centralized

• Keys are entered manually at the central site
• Keys are centrally distributed to all other locations via the network

[Diagram: a central site distributing keys to the other sites over the network]

Network Key Transfer
Models - Peer to Peer

• Each HSM can be the source/target
• Works just like a smartcard key transfer
• HSMs in peer-to-peer mode are considered a 'cluster'
• Easy way to distribute keys to new HSMs
• Can be used as a backup system to export keys to a host file and then import them back on demand

[Diagram: Source/Target ↔ Source/Target]

Network Key Transfer
Process Workflow

1. Key custodians enter new keys into an HSM
2. Keys are encoded into packages by the Luna EFT Administrator
3. Packages are imported to a host machine
4. Packages are exported to target HSMs
Upgrade and Migration

Upgrading the Luna EFT
Hardware

• There is no upgrade path from Luna EFT 1.x to 2.x
  ◦ New generation hardware, firmware and software
• Keys can still be migrated from Luna EFT 1.x to 2.x
  ◦ By using smartcard key transfer
  ◦ By using network key transfer

Upgrading the Luna EFT
Software

• Upgrading the EFT software is a one-way operation
  ◦ No downgrade is available
• The software upgrade process is composed of a few steps
  ◦ SCP the package file to the EFT
  ◦ Verify the package to make sure it's not corrupted
  ◦ Update the software version using the appropriate package
The UI

Accessing the web UI
• Luna EFT 2.0 has a brand new web UI
• Not all browsers are supported
  ◦ Firefox is supported
• Landing page is https://<Luna EFT IP address>/eftweb

Accessing the web UI
• Log in as the Administrator or the Partition Owner
• Provide tokens as needed
• Provide the appropriate password

Accessing the web UI
• SafeNet Authentication Client (SAC) must be installed

Accessing the web UI
Administrator

• The Administrator can view
  ◦ EFT's health status
  ◦ SNMP settings
  ◦ Network configuration
• The Administrator can also change
  ◦ Network configuration*
  ◦ SNMP configuration
  ◦ Timeout values
  ◦ Printer settings
  ◦ Log level

* You can only add L3 routes and set web/SNMP services, not the actual network configuration
Accessing the web UI
Partition Owner - Function Control

• Specific functions can be turned on/off
  ◦ Depending on actual need, policies and restrictions
• Functions are divided into groups
• Best policy is to disable what you don't need

Accessing the web UI
Partition Owner - Key Settings

• Set key restrictions such as
  ◦ Allow DES KM
  ◦ Disable DES
  ◦ Disable RSA (<1024)
• Specify restrictions on host-stored keys

Accessing the web UI
Partition Owner - PIN Security

• Set applicable PIN block formats
  ◦ ISO
  ◦ IBM 3624
  ◦ Docutel
• Set PIN block format conversion restrictions
• Set PIN verification settings
  ◦ PVV
  ◦ IBM 3624 offset

Accessing the web UI
Partition Owner - OBM & Envelope Setup

• Configure the Online Banking Module
  ◦ Set password restrictions
• Configure printing for
  ◦ OBM
  ◦ PIN
  ◦ Keys

Accessing the web UI
Partition Owner - Network Configuration

• Host connections
  ◦ Access to the Luna EFT is based on access control lists
  ◦ You have to specify in advance which IP addresses are allowed to communicate
  ◦ The Luna EFT can handle up to 128 simultaneous connections
  ◦ These 128 connections can be allocated as you see fit between the allowed hosts
• Services
  ◦ Set on which NIC host connections are allowed
    Default port is 1000
  ◦ Set on which NIC 3rd party emulation is allowed
    Default port is 1001
• SSL
  ◦ Set whether you want to secure host connections with SSL

Accessing the web UI
Partition Owner - Certificate Management

• Create certificates for applications
  ◦ Self-signed certificates can be created
  ◦ CA-signed certificates are also supported
  ◦ CA certificates must be registered in order to be valid
• Import existing certificates
• Export created certificates
• Manage certificates (register/delete)

Accessing the web UI
Partition Owner - 3rd Party Emulation

• Set configuration for 3rd party emulation
  ◦ ZMK characteristics
  ◦ Acceptable PIN block formats
  ◦ Control which LMKs you want to use
  ◦ General security configuration
Thank you!