New Features and Enhancements
This release provides the following new features and enhancements:
Custom FM calls through Cryptoki, Secure Messaging, and HA/WLD
The new FMSC_ SendReceive function allows custom FMs to be called directly through the Cryptoki interface, rather than through the Message Dispatcher interface (ETHSM). A new sample FM, secfmenc , is provided to demonstrate the use of this function.
Custom FM calls can now use the following features:
- Secure Messaging : send and receive FM requests in encrypted form
- High Availability/Work Load Distribution : configurations can now be used with FMs
FM Compilation Support on Windows
SafeNet ProtectServer/ProtectToolkit 5.3 adds support for a Windows version of the FM emulation libraries, allowing the development, compilation, and testing of FMs on all supported Windows operating systems
Automated scripts are provided that build and install the cross- compiler and set up a MinGW environment.
Support for AIX 7.2
SafeNet ProtectServer/ProtectToolkit 5.3 adds support for the AIX 7.2 operating system.
Vulnerable Mechanisms Restricted by Default
Newly- discovered key extraction techniques have revealed vulnerabilities in some PKCS#11 mechanisms. These mechanisms are now restricted by default in the factory settings of all new HSMs, or when flags are set to ” 0 ” (all flags cleared). These mechanisms cannot be enabled in FIPS mode. The Weak PKCS#11 Mechanisms flag, when set ( ctconf – fw ), allows the use of these less- secure mechanisms.
The following mechanisms are affected:
- CKM_ CONCATENATE_ BASE_ AND_ DATA
- CKM_ CONCATENATE_ BASE_ AND_ KEY
- CKM_ CONCATENATE_ DATA_ AND_ BASE
- CKM_ XOR_ BASE_ AND_ DATA
- CKM_ XOR_ BASE_ AND_ KEY
- CKM_ EXTRACT_ KEY_ FROM_ KEY
Set Mode Tool for Changing Cryptoki Provider
In SafeNet ProtectServer/ProtectToolkit SDK 5.3 for Windows systems, the software emulation batch files for ctbrowse , KMU , and gCTAdmin have been removed, and a new executable binary file called setmode has been added. setmode allows the user to easily toggle between software emulator and hardware modes without manually editing the Windows registry.
SafeNet ProtectServer PCIe HSM Driver Timeout Configurable
SafeNet ProtectServer/ProtectToolkit now supports changing the environment variable ET_ HSM_ PCICLIENT_ READ_ TIMEOUT_ SECS, which determines the time (in seconds) the PCIe driver will wait before timing out on a read operation. It should be set long enough to avoid an unintentional timeout, shutting down the HSM.
PTK 5.3 can be downloaded from the Service Portal (https://serviceportal.safenet-inc.com) using the following document IDs:
- PTK 5.3 Software – DOW4557
- PTK 5.3 Documentation – DOW4558
- Firmware 5.00.06 – DOW4559
Customer release notes for the PTK5.3 release can be found at the following URL: http://www.securedbysafenet.com/releasenotes/ptk/crn_ptk_5-3.pdf