
Luna HSMs have many capabilities that are not certified by NIST. To be FIPS-compliant, the HSM must be set to FIPS mode, where any mechanisms or cryptographic operations that are not FIPS-certified are blocked from use. FIPS mode is set using HSM or partition policies as described below.

 

Setting FIPS Mode on the HSM

You can set the HSM to FIPS mode using HSM policy 12: Allow non-FIPS algorithms. When this policy is set to 0, algorithms that are not FIPS-validated are blocked from use on every partition on the HSM, and the HSM is operating in FIPS mode. There are two methods of setting this policy:

- The HSM SO can use a policy template to set the policy at initialization (see Setting HSM Policies Using a Template). This method is recommended for auditing purposes -- it ensures that the HSM is in FIPS mode for its entire use cycle.

- The HSM SO can set the policy manually after initializing the HSM (see Setting HSM Policies Manually).
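
For audit evidence that policy 12 is actually 0, a saved policy listing can be checked mechanically. The script below is an added example, not part of the vendor documentation or tooling; it assumes the listing shows each policy on one line as `<id>: <description> : <value>`, and the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a saved HSM policy listing by the state of policy 12.
# Assumption: each policy is one line of the form "<id>: <description> : <value>".

# fips_mode_state reads a policy listing on stdin and prints one of:
#   fips      policy 12 is present with value 0
#   non-fips  policy 12 is present with any other value
#   unknown   policy 12 was not found (treat as a failed check)
fips_mode_state() {
    awk '
        # Match on both the policy number and its name so that a line such as
        # "112: ..." or a renumbered policy is never mistaken for policy 12.
        /^[ \t]*12:[ \t]*Allow non-FIPS algorithms[ \t]*:/ {
            n = split($0, parts, ":")
            value = parts[n]                 # text after the last colon
            gsub(/[ \t\r]/, "", value)       # tolerate padding and CRLF captures
            found = 1
        }
        END {
            if (!found)            print "unknown"
            else if (value == "0") print "fips"
            else                   print "non-fips"
        }
    '
}

# Constructed sample listings (not captured from a real HSM). Lines other than
# policy 12 use placeholder descriptions.
sample_fips='HSM Policies
     1: (placeholder policy) : 1
    12: Allow non-FIPS algorithms : 0
    99: (placeholder policy) : 0'

sample_non_fips='HSM Policies
    12: Allow non-FIPS algorithms : 1'

sample_missing='HSM Policies
    99: (placeholder policy) : 0'

# check feeds one listing to the classifier.
check() { printf '%s\n' "$1" | fips_mode_state; }

for s in "$sample_fips" "$sample_non_fips" "$sample_missing"; do
    check "$s"
done
```

Treat `unknown` the same as `non-fips` in a compliance report, since a missing policy line means the listing cannot prove FIPS mode.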
