Thales Luna PCIe HSM
Thales Luna PCIe HSM is a highly flexible hardware security module. Its extensive feature set and large number of options make it the flagship of Thales' portfolio of general-purpose HSMs. The model presented here is a PCI Express card intended for applications dedicated to a single server. Where multiple clients must be served, the network variant, Thales Luna Network HSM, is the appropriate choice: in its higher-performance versions it serves a very large number of clients, and for the most demanding deployments several network units can run in parallel.
Security
The HSM is certified to FIPS 140-2 Level 3 and evaluated to Common Criteria EAL4+. It can also be used to provide trust services as defined by the European eIDAS regulation (electronic Identification, Authentication and trust Services).
A distinctive design element is partitioning: a partition is an isolated key store with its own access credentials, so keys belonging to different applications are separated from one another inside the same module. This adds a further layer of protection for the cryptographic material.
The HSM has the mechanisms expected in this class of device: multi-factor authentication (password or PED based), split control of key material and extensive audit logging. Convenient, detailed monitoring of device operation and fully remote management are also available.
The PCIe version of the Luna module is a standard low-profile PCI Express card. Compared with the network version it offers fewer options, but many important design decisions still have to be made, so every implementation requires careful preparation with the help of an experienced partner.
Datasheet
Performance
The current generation of Luna devices, Luna 7, is available in three versions with different capabilities; the differences are shown in the table below. The wide performance range allows the right model to be chosen for each application.
Performance is given in transactions (signatures) per second (TPS) for 2048-bit RSA and 256-bit ECC operations:
| Model | Memory | Maximum partitions | RSA-2048 (TPS) | ECC-256 (TPS) |
|---|---|---|---|---|
| 700 Standard Performance | 2 MB | 5 | 1000 | 2000 |
| 750 Enterprise Performance | 16 MB | 20 | 5000 | 10000 |
| 790 Maximum Performance | 32 MB | 100 | 10000 | 20000 |
Note: performance may depend on the operating system, applications and other factors.
| Supported cryptographic algorithms | |
|---|---|
| Symmetric algorithms | AES, AES-GCM, Triple DES, DES, ARIA, SEED, SM4, RC2, RC4, RC5, CAST |
| Asymmetric algorithms | RSA, DSA, Diffie-Hellman, SM2, elliptic curve cryptography (ECDSA, ECDH, Ed25519, ECIES) |
| Hash algorithms | SHA-1, SHA-2, SHA-3, SM3 |
| Technical specification | |
|---|---|
| Physical characteristics | 69.6 mm x 167 mm x 187 mm; power consumption 18 W max, 14 W typical |
| Supported OS | Windows, Linux |
| API | PKCS#11, Microsoft CAPI and CNG, Java JCA/JCE, OpenSSL |
| Certifications and compliance | FIPS 140-2 Level 3 (password and multi-factor/PED authentication); eIDAS; Common Criteria EAL4+ (AVA_VAN.5 and ALC_FLR.2) against Protection Profile 419221-5 (in progress); UL, CSA, CE, FCC, VCCI, C-TICK, KC Mark, RoHS2, WEEE, TAA |
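The following shows how an application reaches exactly one partition through the PKCS#11 and Java JCA/JCE interfaces listed above, and why the partition model described in the Security section matters to application code. It is an example added here, not code from Thales or from the Luna client. It uses the JDK's SunPKCS11 provider against the Luna client library; the library path, the slot index, the key alias and the way the PIN is supplied are assumptions that must be taken from the actual client installation. It also assumes the partition already holds an RSA key pair together with its X.509 certificate under that alias, since SunPKCS11 only lists private keys that have a matching certificate.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;

public class LunaPartitionSign {

    // Assumed values: adjust to the local Luna client installation.
    static final String LUNA_LIBRARY = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so";
    static final int SLOT_LIST_INDEX = 0;          // the partition assigned to this application
    static final String KEY_ALIAS = "signing-key"; // hypothetical label of the key pair in the partition

    public static void main(String[] args) throws Exception {
        // SunPKCS11 is configured from a small file; "slotListIndex" selects one
        // partition (slot) among those the Luna client exposes to this host, so
        // this process can never see keys of other partitions on the same card.
        Path cfg = Files.createTempFile("luna", ".cfg");
        cfg.toFile().deleteOnExit();
        Files.writeString(cfg, String.join("\n",
                "name = LunaPartition",
                "library = " + LUNA_LIBRARY,
                "slotListIndex = " + SLOT_LIST_INDEX,
                ""));
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(p11);

        // The partition's crypto officer credential. Read it from the console so it
        // never lands in source code or shell history; the argument fallback is an
        // assumption for non-interactive runs.
        char[] pin = System.console() != null
                ? System.console().readPassword("Partition PIN: ")
                : args[0].toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);          // logs in to this partition only
        Arrays.fill(pin, '\0');      // drop the credential from memory

        PrivateKey signingKey = (PrivateKey) ks.getKey(KEY_ALIAS, null);
        PublicKey verifyKey = ks.getCertificate(KEY_ALIAS).getPublicKey();

        // A private key kept in the partition is non-extractable: the JCA handle
        // carries no key bytes, so getEncoded() returns null. Anything else means
        // the key was generated with the wrong attributes and should not be used.
        if (signingKey.getEncoded() != null) {
            throw new IllegalStateException("private key material is exportable; check key attributes");
        }

        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // The RSA private-key operation runs inside the HSM; the key never leaves it.
        Signature signer = Signature.getInstance("SHA256withRSA", p11);
        signer.initSign(signingKey);
        signer.update(message);
        byte[] signature = signer.sign();

        // Verification needs only the public key and can use any provider.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(verifyKey);
        verifier.update(message);
        System.out.println("signature valid: " + verifier.verify(signature));
    }
}
```

The same pattern applies to the other listed interfaces: each application gets its own partition credential and sees only that partition's objects, which is the isolation the Security section describes. Note that the provider configuration file names the partition but carries no secret; the PIN is supplied at login and should be handled the same way as any other credential in the deployment.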