Thales TCT Product Updates

SafeNet AT is pleased to announce the release of Luna T-Series HSM 7.10. Version 7.10 includes the Luna Network HSM T-2000 and T-5000 models along with the Luna Client. The Luna T-Series HSM is the choice for government agencies when storing, protecting and managing cryptographic keys used to secure sensitive data and critical applications. Meeting government mandates for U.S. Supply Chain, the high assurance, tamper-resistant Luna T-Series HSM is designed, developed, manufactured, sold, and supported in the United States exclusively by SafeNet AT.

Luna T-Series HSMs were designed from the ground up as a drop-in replacement for the widely deployed Luna SA for Government HSMs. Luna T-Series HSMs offer secure storage of cryptographic information in a controlled and highly secure environment. All Luna T-Series models can be initialized by the customer to protect proprietary information by using either multifactor (PED) authentication or password authentication.

Industry Leading Performance

The T-Series of Luna Network HSM offers industry leading cryptographic performance and delivers up to 10 times the performance compared to the legacy Luna SA for Government while still providing the critical security features that government customers have relied on for decades.

Luna T-Series models are available at different performance levels:

Luna T-Series HSM Benefits

• Industry leading cryptographic performance: performance optimized for government mandated algorithms and key lengths
• Easy transition for deployed solutions: fully backwards compatible and zero changes required to applications integrated with Luna SA for Government
• Crypto agile: architecture supports in-field introduction of new crypto algorithms
• Broad integration ecosystem: large number of integrations with industry-leading technology vendors
• Security first company: HSM products are U.S designed, developed and manufactured

As cloud service providers such as Microsoft roll out new services at a staggering rate, customers must take advantage of these capabilities while still fulfilling their obligation to “own the data” by securing the data with encryption and cloud independent key management. Now, customers can leverage the encryption capabilities built into the Microsoft cloud while using SafeNet AT KeySecure for Government to manage and maintain ownership of their encryption keys.

Using the ProtectApp APIs supported by KeySecure for Government and Azure Key Vault, SafeNet AT has developed a reference tool called SafeNet AT ManageAKV that implements the integration between KeySecure for Government and Azure Key Vault. The ManageAKV tool securely authenticates to KeySecure for Government (using the ProtectApp Java/JCE SDK) and Azure (using the Azure APIs) and is used as the secure conduit to issue commands to KeySecure for Government and Azure Key Vault related to the management of customer managed keys.

The ManageAKV tool is provided as part of ProtectApp JCE. For more information, download the Azure Key Vault and KeySecure for Government Solution Brief. 

The ProtectV release 4.7.3 is a minor release that specifically addresses two high severity issues found in release 4.7.0. Refer to the ProtectV 4.7.3 Customer Release Notes for details. Details on release 4.7.0 are included below.

ProtectV 4.7.0 Release Summary (Released released 30 January 2019)

SafeNet ProtectV 4.7.0 release also supports ProtectV clients for Ubuntu 18.04 LTS and RHEL 7.6, and enable either automatic or manual control of disk encryption in Windows servers.

Feature Details:

• Password Expiration Policy – SafeNet ProtectV 4.7.0 incorporates a password expiration policy for SafeNet ProtectV users. Passwords of the users (including the SafeNet ProtectV administrators) now have an expiration period of 90 days.
• Password Complexity Validation – Complexity of the passwords of SafeNet ProtectV users and the SafeNet ProtectV Manager Database (SPVMDB) is now validated. The new passwords must be at least ten characters, contain at least one upper case letter, one lower case letter, one digit, and one special character.
• Enhanced Account Lockout – The account lockout feature has been enhanced. A user’s account will be locked for 10 minutes after three failed login attempts instead of five. The remaining time until the account is locked will be displayed on the login screen.
• Windows Auto Protection – A new option, Windows Auto Protection, is provided on the ProtectV Manager Console. This can be used to configure automatic encryption behavior of Windows client instances on registration. By default, encryption of a Windows client instance starts as soon as it is registered with SafeNet ProtectV Manager.
• Support for Oracle Cloud Infrastructure – SafeNet ProtectV 4.7.0 extends support for ProtectV Manager on Oracle Cloud Infrastructure. You can launch your ProtectV Manager virtual machine on Oracle Cloud Infrastructure.
• Improved User Name Conventions – SafeNet ProtectV now validates values entered in the Username and Display Name fields on the ProtectV Manager Console. These fields allow alphabets and numbers only; special characters are not allowed. If a special character is entered, the message “Username and Display Name should contain alphabets and numbers only.” is displayed.

KeySecure for Government 8.12.1 is now available. This release specifically addresses an issue found in release 8.12.0 concerning the SafeNet Virtual KeySecure G350v connected to a Remote HSM, both VMWare and AWS. It was discovered that after successfully registering a G350v to a remote HSM, object such as Keys, Local CAs, Certificates and Cluster Keys cannot be created. SafeNet AT strongly recommends implementing release 8.12.1 for VMWare instead of release 8.12.0 to forestall any possible issues with remote HSM functionality. Customers who use G350v on AWS should remain on version 8.11.0. This ONLY effects Virtual KeySecure G350vs that are registered to a Remote HSM. All other KeySecure platforms (G460 and G160) are NOT affected, nor are G350vs that do not register to a Remote HSM. If you are NOT using a Remote HSM then release 8.12.0 may be used for G350v (VMWare or AWS).

The SafeNet Ethernet Encryptor CN6140 is now available for sale to the U.S. Federal Government. The CN6140 is a multi-port (1 or 10 Gbps), high-assurance encryptor designed to provide up to 40 Gbps (4x10), full line rate transparent encryption for all voice, video, and data communications moving across dark fiber, and metro or wide area Ethernet networks (MAN or WAN).
 
CN6140 Highlights:

• 8 x SFP+ physical ports 
• Supports 1/10 Gbps interfacing
• Up to 40Gbps total throughput (4x10G)
• Industry Low Overhead
• Ultra-low Latency
• Crypto Agile Platform
• Supports Future Security Requirements

5.0.1 Firmware Release

In addition to the new hardware appliance, a firmware update is available for all HSE appliances and includes the following new features and enhancements:

• KeySecure for Government integration now available for all hardware platforms
• Meets NIST SP800-131A Key transition requirements
• FIPS 140-2 Level 3 certification in process. 
• DODIN APL certification to begin post-FIPS certification
• Forward Error Correction (FEC) on CN9120 devices

Note: Firmware is not backwards compatible due to changes in support of new NIST requirements.

Download the resources below to learn more about the SafeNet Ethernet Encryptor CN6140

• CN6140 Product Brief