  • Overview

    The FIPS-validated (certificates #2488 and #2489) Luna SA for Government Hardware Security Module (HSM) is the choice for agencies requiring strong security for digital signatures, cryptographic key storage, transactional acceleration, certificate signing, code signing, bulk key generation, data encryption, DNSSEC, and more. Derived from industry-leading technology, the Luna SA for Government is manufactured, sold, and supported in the United States exclusively by Thales Trusted Cyber Technologies.

    Approach to Key Security: Keys in Hardware

    Luna SA for Government is the most trusted general purpose HSM for Federal Government agencies. Luna SA for Government offers a unique approach to protecting cryptographic keys in hardware. Other methods of key storage move keys outside of the HSM’s validated security boundary into a “trusted layer,” which negates several of the physical security measures provided by an HSM. Storing keys within the FIPS 140-2 validated confines of the Luna SA for Government ensures that all keys are protected throughout their lifecycle. The result is a high assurance cryptographic module that serves as a hardware cryptographic root of trust for a variety of information systems.

    Luna SA for Government provides highly restricted server interfaces that allow keys to be used only within a strictly defined set of policies. This prevents unauthorized parties from using the keys and prevents even authorized users from using keys in potentially insecure ways. The HSM implements critical key management policies, such as eliminating the key export capability, directly in the hardware in a physically unchangeable manner.

    Strong Role Separation

    Luna SA for Government enables separation of duties. Roles can be separated between service activation, policy management activities, and HSM domain authorization. Isolating the role of domain authorization, the act of authorizing a new HSM to store and use specific keys, enables tight control of key locality.

    Scalable Security for Virtual and Cloud Environments

    Luna SA for Government can be separated into cryptographically isolated partitions, with each partition acting as if it were an independent HSM. This provides a tremendous amount of scalability and flexibility, as a single HSM can protect the cryptographic keys of several independent applications. Luna SA for Government partitions are designed with independent access controls and key storage, allowing for use in multi-tenant environments.

    Robust High Availability

    Multiple HSMs can be grouped together to provide high availability (HA), load balancing and scalable performance. The HA group technology shares the transaction load, synchronizes data among members of the group, and redistributes the processing capacity in the event of failure in a member appliance to maintain uninterrupted service to up to 100 clients. The HA capability also enables easy recovery when a unit returns to service.

    Flexible Backup and Disaster Recovery Options

    Luna SA for Government provides secure, auditable and flexible options to simplify backup, duplication, and disaster recovery. Key backups can be performed locally or remotely to the Luna Backup HSM or other Luna HSMs.

    Secure Audit Logging

    Luna SA for Government can be configured to selectively log events for security auditing purposes. This allows for separation of duties between an Audit Officer/Team and the people they are auditing – preventing both the administrative and user personnel from tampering with the log files and the auditors from doing anything administrative or accessing keys.

    Network Shareable for Easy Deployment

    Ethernet connectivity enables flexible deployment and scalability. Built-in TCP/IP support ensures that Luna SA for Government deploys easily into existing network infrastructures and communicates with other network devices. Multiple application servers can share cryptographic capabilities through Network Trust Links (NTLs).

    Common Luna Architecture

    All Luna HSMs benefit from a Common Luna Architecture where the supported client, APIs, algorithms, and authentication methods are consistent across the entire Luna HSM product line. This eliminates the need to design applications around a specific HSM, and provides the flexibility to move keys from form factor to form factor.

    Available in Two Performance Models

    Luna SA for Government is available in two performance models: Luna SA 7000 and Luna SA 1700. Luna SA 7000 is a high-performance HSM capable of best-in-class performance across a breadth of algorithms including ECC, RSA, and symmetric transactions. Luna SA 7000 also features a dual, hot-swappable power supply that ensures consistent performance and no downtime. The lower-performance variant, Luna SA 1700, includes a single power supply and is capable of 1,700 RSA 1024-bit transactions per second (tps).

    Algorithm   Luna SA 1700   Luna SA 7000
    RSA-1024    1,700 tps      7,000 tps
    RSA-2048    350 tps        1,200 tps
    ECC P256    570 tps        2,000 tps
    AES-GCM     3,600 tps      3,600 tps
  • Features and Benefits

    Most Secure

    • Keys in hardware
    • Remote Management
    • Secure transport mode for high-assurance delivery
    • Multi-level access control
    • Multi-part splits for all access control keys
    • Intrusion-resistant, tamper-evident hardware
    • Suite B algorithm support
    • Secure decommission
    • Secure Audit Logging
    • Strongest cryptographic algorithms

    Sample Applications

    • PKI key generation & key storage (online CA keys & offline CA keys)
    • Certificate validation & signing
    • Document signing
    • Transaction processing
    • Database encryption
    • Smart card issuance
  • Technical Specifications
    Operating System
    • Windows, Red Hat Linux
    • Virtual: VMware, Hyper-V, Xen
    Cryptographic APIs
    • PKCS#11, Java (JCA/JCE), Microsoft CAPI and CNG, OpenSSL
    • Full Suite B support
    • Asymmetric: RSA (1024-8192), DSA (1024-3072), Diffie-Hellman, Elliptic Curve Cryptography (ECDSA, ECDH, ECIES) with named, user-defined and Brainpool curves
    • Symmetric: AES, RC2, RC4, RC5, CAST, DES, Triple DES
    • Hash/Message Digest/HMAC: SHA-1, SHA-2 (224-512), SSL3-MD5-MAC, SSL3-SHA-1-MAC
    • Random Number Generation: FIPS 140-2 approved DRBG (SP 800-90 CTR mode)
    Physical Characteristics
    • Standard 1U 19in. rack mount chassis
    • Dimensions: 19” x 21” x 1.725” (482.6mm x 533.4mm x 43.815mm)
    • Weight: 28lb (12.7kg)
    • Input Voltage: 100-240V, 50-60Hz
    • Power Consumption: 180W maximum, 155W typical
    • Temperature: operating 0°C – 35°C, storage -20°C – 60°C
    • Relative Humidity: 5% to 95% (38°C) non-condensing
    Security Certifications
    • FIPS 140-2 Level 2 and Level 3 Validated
    Safety and Environmental Compliance
    • UL, CSA, CE
    • FCC, CE
    • RoHS, WEEE
    Host Interface
    • Dual Gigabit Ethernet ports
    • Mean Time Between Failure (MTBF) 66,561 hrs
  • Resources
    Luna SA for Government Product Brief
    Product overview with technical features and specifications.

    Roots of Trust: Five Things You Must Know
    The term Root of Trust (RoT) is commonly used in information security circles, but what does it mean? Why do we care? How does it apply to cryptographic controls? Modern computer systems are incredibly powerful and flexible. They can be molded to accomplish things that were unimaginable a mere decade ago. This same property makes them almost impossible to control and all too easy for malicious actors to find ways to disrupt them. To counter these threats, security experts have resorted to a wide range of cryptographic tools, and for these tools to function they need a trustworthy beginning.

    Best Practices for Cryptographic Key Management
    Once data is encrypted, the only way to gain access is by decrypting or unlocking secret content using the key. Haphazardly protecting these keys negates the entire process of encryption and creates a false sense of security. This white paper outlines best practices for deploying an effective cryptographic key management strategy.

    Securing Network-Attached HSMs - Three-Layer Authentication Model
    The Luna SA for Government uses a comprehensive three-layer authentication and access control model to achieve extremely strong security between the host application processes and the Luna SA for Government’s HSM partitions. This three-layer authentication and access control model was designed to allow the Luna SA for Government to offer network connectivity to clients without sacrificing the security requirements of HSM operations.

    Thales TCT How-To Video Series
    See how our solutions work in live environments. Our How-to Video series will demonstrate how to install, integrate and use our solutions in your network.
