Thales TCT Luna Network Hardware Security Module

Luna Network Hardware Security Module (HSM) from Thales Trusted Cyber Technologies (TCT) is the choice for government agencies when generating, storing, protecting and managing cryptographic keys used to secure sensitive data and critical applications. Meeting government mandates for U.S. Supply Chain, the high assurance, tamper-resistant Luna T-Series HSM is designed, developed, manufactured, sold, and supported in the United States.

Luna T-Series models offer secure storage of your cryptographic information in a controlled and highly secure environment. All Luna T-Series models can be initialized by the customer to protect proprietary information by using either multifactor (PED) authentication or password authentication.

Industry Leading Performance & Security

  • Industry leading cryptographic performance
  • Performance optimized for government mandated algorithms and key lengths
  • Up to 10 times the performance as compared to Luna SA for Government
  • Keys-in-hardware approach protects the entire life-cycle of keys within the FIPS 140-2 validated confines of the HSM
  • Addresses compliance requirements with FIPS 140-2 Level 3 certification
  • Approved by CNSS for use in National Security Systems PKI

Crypto Agility

Thales TCT’s Luna HSMs employ a crypto agile architecture that supports in-field introduction of new crypto algorithms. The Luna HSMs offer large amounts of memory (inside the crypto module) to support growth to larger key sizes. The Luna HSM’s CPU capabilities support new, compute intensive algorithms and features.

Post-Quantum Cryptography (PQC) Algorithms

Thales TCT’s Luna HSMs pre-standards implementations of NIST-selected PQC algorithms to facilitate agency and technology partner PQC testing. As a crypto agile product, Thales TCT will release software and firmware updates that comply with PQC standards once they are released.

Additionally, Thales TCT introduced the Leighton-Micali Signature (LMS) stateful hash-based signature mechanism, along with its multi-tree variant, the Hierarchical Signature Scheme (HSS). LMS/HSS enables customers to transition to quantum-resistant firmware/software signing in accordance with CNSA 2.0. Thales TCT’s Luna HSM implementation of LMS is compliant with SP 800-208 and PKCS#11 v3.1.

Quantum Enhanced Keys

By embedding a quantum random number generator (QRNG) chip within the Luna HSM, Thales TCT is offering the industry’s first FIPS 140-2 compliant HSM capable of generating quantum enhanced keys. Using principles of quantum physics, the QRNG chip produces high quality entropy which is the basis for all random numbers and cryptographic keys generated by the HSM.  With a choice of operating the HSM in FIPS-approved mode using either the embedded, classic physical RNG or the embedded quantum RNG, customers can dynamically change between classical key generation and quantum enhanced keys as threats emerge over time.

LEARN MORE ABOUT QUANTUM ENHANCED KEYS

First Available CNSA 2.0 Compliant Code Signing Solution

Download this white paper to learn more about Quantum Resistant Code Signing with Thales’ LMS/HSS implementations that are both compliant with SP 800-208 and PKCS#11 v3.

PQC Algorithms Now Offered in Luna T-Series HSMs

Luna T-Series 7.13.0 now includes pre-standards implementations of NIST-selected PQC algorithms and stateful hash-based signature algorithms.

Easy Transition for Deployed Solutions

  • Backward compatible with deployed applications
  • Supports previously deployed Luna Clients.
  • Zero changes required to applications integrated with Luna SA for Government
  • Migrate keys from Luna SAs for Government to T-Series HSMs

Broad Integration Ecosystem

  • Large number of integrations with industry-leading technology vendors
  • Documented, out-of-the-box integrations
  • Video tutorials expedite integration tasks

Security First Company

  • Trusted supplier to U.S government for several decades
  • HSM products are U.S designed, developed and manufactured
  • All employees are U.S citizens
  • All office locations in U.S.
  • All support requests answered from U.S. (no outsourcing or foreign call centers)
  • U.S. government approved Trusted Technology Import process
  • Follow security best practices for all product introduction

Available Models and Performance

Luna Network HSM T-2000

Standard performance

Luna Network HSM T-5000

Enterprise performance

16 MB memory

32 MB memory

2 partitions, upgradable to 10

5 partitions, upgradable to 20

RSA 2048 1,400 tps

RSA 2048 14,000 tps

RSA 4096 350 tps

RSA 4096 3,500 tps

ECC P-256 3,000 tps

ECC P-256 16,000 tps

ECC P-384 2,000 tps

ECC P-384 16,000 tps

Technical Specifications

Feature

Details

Cryptography

  • Full support for NSA Commercial National Security Algorithm (CNSA) Suite

  • Support for FIPS-approved and NIST recommended algorithms, modes, curves, and key sizes for RSA, DSA, Diffie-Hellman, AES, SHA-2, SHA-3 and Elliptic Curve Cryptography (ECC)

  • Pre-standard PQC algorithms CRYSTALS-Dilithium (ML-DSA), CRYSTALS-KYBER (ML-KEM), FALCON (NL-DSA), LMS/HSS

  • NIST 800-90A compliant Hardware Random Number Generator
    Classic hardware RNG entropy
    Quantum RNG entropy

  • Additional non-approved algorithms and key sizes are supported for use with legacy applications

  • Refer to product documentation for complete details

API Support

  • PKCS#11

  • Microsoft CAPI and CNG

  • Java (JCA/JCE)

  • REST

  • Pycryptoki

Supported Operating Systems

  • Windows 10

  • Windows Server: 2012R2, 2016, 2019

  • Linux: RHEL / CentOS 7, 8. Ubuntu 18, 20. Oracle Linux 7.9

Security Compliance

  • FIPS 140-2 Level 3

  • Approved by CNSS for use in National Security Systems PKI

Network Interface

  • 4x 1G Ethernet ports

  • Optional 2X 1G and 2X 10G Ethernet ports

  • 10G transceiver: Short Range (SR) Multimode LC connector

  • Port bonding

  • IPv4 and IPv6

Network Interface

  • 4x 1G Ethernet ports

  • Optional 2X 1G and 2X 10G Ethernet ports

  • 10G transceiver: Short Range (SR) Multimode LC connector

  • Port bonding

  • IPv4 and IPv6

Physical Characteristics

  • Standard 1U 19” rack mount chassis

  • Dimensions: 19” x 21” x 1.725” (482.6mm x 533.4mm x 43.815mm)

  • Weight: 28lb (12.7kg)

  • Input Voltage: 100-240V, 50-60Hz

  • Power Consumption: 180W maximum, 84W typical

  • Temperature: operating 0°C – 35°C, storage -20°C – 60°C

  • Relative Humidity: 5% to 95% (38°C) non-condensing

Safety and Environmental Compliance

  • FCC, CE, UL, RoHS, TAAFCC

Management and Monitoring

  • Remote configuration, administration, and monitoring

  • High-Availability disaster recovery

  • Backup and restore using FIPS 140-2 Level 3 Backup HSM

  • Secure audit logging

  • SNMP monitoring

  • Syslog diagnostics support

Resources

ImageTitleLink
CTO Sessions Webcast On Demand: Building a Root of Trust in How to Secure the Most Sensitive Data
Luna Network HSM Product Brief
On Demand Webinar: Building a Root of Trust to Secure the Most Sensitive Data
White Paper: Quantum Resistant Code Signing Secured by Hardware Security Modules
White Paper: Roots of Trust
White Paper: Securing Network-Attached HSMs