Luna EFT Customer Release Notes - PN007-011454-001 - RevT - M090900E

Customer Release Notes: Luna EFT, M090900E
PN: 007-011454-001, Rev. T, Copyright 2013 SafeNet, Inc., All rights reserved.
Page 1 of 13
Luna EFT
CUSTOMER RELEASE NOTES
Software Version: M090900E
Firmware Version
1
: 4.7.6
Issue Date: 25
th
J une 2013
Document Part Number: 007-011454-001, Rev. T

Contents
Product Description .................................................................................................................................................................... 2
New Features and Enhancements .............................................................................................................................................. 2
Introducing New Version of Module Application Loader (MAL) ............................................................................................ 2
Luna EFT Console Enhancements ...................................................................................................................................... 2
Previous Version Summary ........................................................................................................................................................ 2
Released Components ............................................................................................................................................................... 8
Components Available on CD .............................................................................................................................................. 8
Additional Components Available on C3 .............................................................................................................................. 9
Scope ......................................................................................................................................................................................... 9
Advisory Notes ............................................................................................................................................................................ 9
Resolved and Known Issues ....................................................................................................................................................... 9
Issue Severity and Classification ......................................................................................................................................... 9
Resolved Issues ................................................................................................................................................................. 10
Known Issues..................................................................................................................................................................... 10
Product Documentation ............................................................................................................................................................ 11
Support Contacts ...................................................................................................................................................................... 13

1
Firmware version refers to the version of the software running on the K5 cryptographic card of Luna EFT.

Product Description
The Luna EFT Mark II hardware security module (HSM) is a tamper-resistant device that provides cryptographic
services to secure transactions in financial networks. The device is managed via a console using a GUI display and
keyboard and provides services to one or more host computer systems. The services are provided in response to
requests from the host system(s). Typically, Luna EFT is used to secure and validate transactions to and from
ATMs, POS systems, card issuing facilities and funds transfer facilities.
New Features and Enhancements
Introducing New Version of Module Application Loader (MAL)
This release introduces a new version of Module Application Loader (MAL), a secure application loader that is
loaded on the HSM during the manufacturing process. This includes:
Firmware update
Crypto algorithm updates
Luna EFT Console Enhancements
The following console screens have been added/ updated under the Software Upgrade menu:
Installed OS Patches
Installed Licenses
Previous Version Summary
Mark II Version Reason For Update
M090800E This Luna EFT - Mark II version was released with the following key features and
enhancements:
Introduced License based Remote HSM Management support that enables the
administrator to perform Luna EFT Console administration tasks remotely without
physical access to the HSM.
Introduced 2-Tier PKI model for Secure Channel.
Luna EFT Console Enhancements
o Status Display
o Network Configuration
o SNMP Configuration
o Time zone
Merges from Mark II releases
enhancements:
Added new host functions to support decryption of data, using EFT stored RSA
private key.
Page 2 of 13

o EE3022: OBM Decrypt DataRSA
o EE3023: OBM Decrypt DataSymmetric
Provided Support for SHA-2 algorithms in Optimal Asymmetric Encryption
Padding (OAEP)
Updated Host Functions
The following host functions are updated as a result of performing OAEP
decoding on the basis of OAEP Hash algorithm and OAEP MGF as specified in
PKCS#1 parameter string.
o EE3002: OBM Verify PIN RSA-encrypted, 3624 Offset
o EE3003: OBM Change PIN RSA-encrypted, 3624 Offset
o EE3004: OBM SetPassword RSAEncrypted TPV
o EE3005: OBM VerifyPassword RSAEncrypted TPV
o EE3006: OBM ChangePassword RSAEncrypted TPV
o EE3019: OBM Translate PIN RSA-encrypted, PPK
M090701E The following host functions were updated to add NSICCS (National Standard
Indonesian Chip Card Specification) support in Luna EFT.
EE2018 (EMV_VERIFY_AC_GEN_ARPC)
EE2019 (EMV_AC_GEN_MULTI)
EE2020 (EMV_SCRIPT_CRYPTO_MULTI)
EE2021 (EMV_PIN_CHANGE_UNBLOCK_MULTI)
enhancements:
Addition of AES support to standard Mark II
o Support for new key specifiers - Format 52, 53 and 1C.
o New Host Functions to support AES: EE0712, EE0713, EE0714,
EE0808,
o EE0809, EE2065, EE2066
o Host Functions updated to support AES: EE0619
o Backup/restore on smart cards using AES KTP.
Merges from Mark II releases.
M090601E The following enhancements and issues were fixed in this release:
Host function PIN-TRAN-2 (EE0602) updated to support Format 20 in PPKo.
The HSM was not retaining OBM PIN Print parameters after a reboot. This has
been fixed in this release.
M090600E
This Luna EFT - Mark II version was released with the following key features and
enhancements:
Introduced a new key type (KI) as a bidirectional interchange keyencrypting key.
Host functions modified to be able to use either one bidirectional key or the two
individual keys.
Removed J apanese PIN and Clear PIN option check boxes from the console.
Merges from Mark II releases.
M090502E
The limitation of maximum 20 lines and columns for printing PIN in words has been
Page 3 of 13

modified to allow maximum 97 lines and columns instead of 20.
M090501E
The following issues are fixed in this release:
While running the following host functions under PCI HSM Mode and using HSM
Stored Key Pairs (with format 00-03) an unexpected error 0x04 was observed.
o PVV-VER: EE0605
o PVV- CALC-3624:EE0606
o PVV-CALC: EE0607
o CVV- GENERATE:EE0802
o CVV- VERIFY: EE0803
On running the host functions EMV_VERIFY_AC_GEN_ARPC: EE2018, and
EMV_AC_GEN_MULTI: EE2019 with AC Key Method 05, an unexpected error
code 0x04 was returned.
M090500E
enhancements:
Merging all Client Utilities
Introducing HSM Utilization
Introducing Certificate Generation and Transfer Utility
Secure Channel between Host and Luna EFT
Merges from Custom Releases
M090403E Introduced two new host Functions - MAM_ACTIVATE and MAM_DEACTIVATE
M090402E
This release introduces a new host function EE205A to generate ICC CRT key pair and
return RSA private key in PKCS#1 format.
M090401E
enhancements:
Introduced Logout Warning
Support for New Key Specifiers - Format 04-07 and 93
New Host Functions to support User Store
Host Functions updated for Format 04-07 and 93
M090400E
enhancements:
SHA-2 Support
Audit Logging
Advanced PIN Printing Capabilities
PCI HSM Compliance
TR-31 Key Block support for host storage of keys
Merges from Mark II releases
M090301E
enhancements:
New Key Specifier Formats (04-07)
Host function PIN-TRAN-2 (EE0602) was updated
Introduced new host functions Write User-Store Key (EE4100), Read User-Store
Key (EE4101), Write User-Store Data (EE4102), and Read User Store Data
Page 4 of 13

(EE4103)
M090300E
enhancements:
Hardware Refresh.
Enhanced Performance Levels.
Security Against Brute Force Attacks.
Enhanced Global Platform Support.
Additional Italian Debit Card Support.
Host Function Get_Key_Details Enhanced to Include MDC-2 Hashing Method.
Merges from Past Mark II Standard Releases.
M090203E
This custom version of Luna EFT was released with enhancements to function EE2021
that was updated to support a new value (02) for the PIN Confidentiality (PC) method.
M090202E
This Luna EFT custom version was released with enhanced Mark II Software for PIN
Mailer Functionality. The Mark II software was enhanced to increase the maximum
number of lines which can be printed on a PIN Mailer form/envelop console, to 120 lines.
The Print Parameters interface for the Luna EFT PIN Mailer console was updated to
accept the number of lines to be printed on an envelope in the range of 1 to 120.
M090201E
This Luna EFT custom version was released with support for additional ICC private key
format.
Host functions EE2048 and EE2058 were extended to support Function Modifier (FM)
value 0x03, added to support the additional ICC private key format.
M090200E This standard version was released with support for 3-D Secure Payment transactions.
M090102E
This Luna EFT - Mark II base version was released to implement OBM host function
(EE3021), to enable restricted characters for PIN/Password Generation.
M090101E
This Luna EFT - Mark II base version was released with the following key
features and enhancements:
Enhancements to support Global Platform.
Enhancements to support Italian Debit Card functionality.
Derived Unique Key Per Transaction (DUKPT) Updates
Host function EE0628 updated to generate and import MPK and KTM to Verifone
terminal
American Express Functions, extended to support CSC v 2.0 calculation
Mark II EMV functions, updated to support China UnionPay specific
implementation (CUPIC) of EMV
M090100E
(SafeNet Luna EFT
1.2 Release)
This standard version was released with the following key features and enhancements:
ANSI TR-31 (2005) Interoperability Support
TDES-Triple length Key Support
Derived Unique Key Per Transaction (DUKPT) functionality
Configurable Multiple Control for Console Operations
Partial Readiness to PCI HSM Compliance Standards
Expanded PIN Printing Capabilities
64 Concurrent Connections Capability
Page 5 of 13

Product rebranded to SafeNet Luna EFT (PH-EFT)
M090009E
A new host function, DECIPHER_4 (EE0807) was added to decipher data using the Data
Protect Key which is derived using the PIN-encrypting key derivation method as specified
in ANS X9.24-1.
M090008E
The following host functions were updated for RSA key type usage for TAS:
EE9009
EE9010
EE9011
EE9012
M090007E
The following enhancements were introduced to support the crypto processing defined in
the Global Platform and EMV CPS specifications:
Functions Added
TRANSLATE_SENSITIVE_DATA (EE0645)
Functions Updated
EE2048 - Generate ICC Key Pair, updated to support Key Specifier format 51 for
KTK, including support of both ECB and CBC for Card and Session methods.
EE2058 - Generate ICC CRT Key Pair, updated to support Key Specifier format
51 for KTK, including support of both ECB and CBC for Card and Session
methods.
EE2052 - Derive New ICC Key Set, updated to support key spec format 51 for
K1 and K2, including support of both ECB and CBC for Card and Session
methods.
EE2053 - Derive New ICC Key, updated to support key spec format 51 for KEK
and key spec formats 11, 13 and 51 for Key, including support of both ECB and
CBC for card and session methods.
Following enhancements were implemented to support the TAS Italian debit card:
Added new key types DK-KIS and DK-KIR.
Get_Key_Details (EE0202), updated to support key type DK-KIS and DKKIR.
Key_Derive (EE0409), updated to support derivation of key types DKKIS, DK-
KIR, KIS and KIR.
Random_Key_Generation (EF0618), updated to support the generation of DK-
KIS and DK-KIR.
The following functions were modified to accept any hex digits (0-F) in the PVKI under
the TSP-12:
EE0605
EE0606
EE0607
M090005E
(APACS Terminal
Key Management
Support)
Functions Added
APACS_MAC_VER_REQUEST (EE0703)
APACS_MAC_GEN (EE0704)
APACS_MAC_VER_CONFIRM (EE0705)
Functions Updated
EE2001
Page 6 of 13

EF2010
EF2011
Enhancements
Minimum number of set bits in the AC bitmap (IPB) was reduced from 16 to 8 to comply
with the VISA standards.
Updated Console Operation
The following Console operation was updated to support Dynamic Passcode
Authentication:
CAP Bitmap processing screen was updated to accept at least 8 set bits.
M090004E
(Italian Debit Card
Support)
Functions Added
DERIVE_KEY (EE0409)
Public Key Operations (EE9009)
Private Key Operations (EE9010)
Import EMV Certificate (EE9011)
Key Retrieve Operation (EE9012)
Functions Updated
EE9001 and EE9003 (to support key type Data Protect)
EF0618 (to support new derivation keys DK-DPK, DK-PPK and DK-MPK)
EE0202 (to support format-20 to derive DUKPT keys and support for new
derivation keys DK-DPK, DK-PPK and DK-MPK)
M090003E
Derived Unique Key
Per Transaction
(DUKPT) Updates
Functions Updated
Existing functions were updated to support Data encryption using DUKPTderived keys;
Data encryption and MACing using uni-directional or bidirectional derived keys. The
updated functions included:
Encipher-2 (EE0800)
Decipher-2 (EE0801)
MAC_GEN_UPDATE (EE0700)
MAC_GEN_FINAL(EE0701)
MAC_VER_FINAL(EE0702)
Updated Formats
Key specifier format-20 was updated to include 'Derived Key Type' value 12 to indicate
possible variant constants to be used.
M090000E
(SafeNet HSM
Payment 1.1
Release)
The following new features were introduced in M090000E (SHP v1.1). For feature
details, refer to the product documentation in the installation CD.
Enabled Support for the Second NIC
Second NIC port was enabled in order to provide network redundancy and
bonding or multi-pathing.
SNMP Support for Monitoring
SNMP support was added in order to enable administrator to monitor certain
vital/critical statistics/information
Configurable Key Store
Key storage configuration was raised in SHPv1.1 up to 15000 for KTM and up to
9999 for most of other key types.
Page 7 of 13

Communication Mode Change Over
Starting SHP 1.1, an administrator can switch the communication mode to Async
or Ethernet without any need to install configuration package.
RSA Performance Enhancement
RSA performance was improved to 600 modular exponentiations per second
with 1024 bit modulus length
Network Transfer of Keys
Administrators were provided with an ability to transfer keys through the network
at an individual key level.
Host Key Protection
In order to provide consistent key protection mechanism for all host stored keys,
host key protection mechanism was introduced. Please refer product
documentation for more detail.
Integrated Card Issuance and standard Mark II Modules
Starting SHP 1.1, the Card Issuance and Mark II modules were combined to fall
under common Mark II software.
Extended current support for 32K smart card to 64K
The backup/restore was extended to 64K smart card
Added facility to enter and save multiple PIN mailer
Facility was added to enter and save multiple PIN mailer configurations.
Released Components
Components Available on CD
Component File
Luna EFT Standard Mark II Software
Image
M090900E-General-U.tgz
Audit Logging Map File audit_settings_map_v-1.0.0
MIB Files SAFENET-LunaEFT-MIB-1.0.0.txt
Luna EFT Client Utility for Windows 32
LunaEFTClientUtilitySetup.exe
CertGenTransferUtil.exe
Certificate Generation and Transfer Utility
package for RHEL
RHEL 32 - CertGenTransferUtil-1.0-0.i386.rpm
RHEL 64 - CertGenTransferUtil-1.0-0.x86_64.rpm
package for Solaris 32/64
CertGenTransferUtil.ds
package for AIX 32/64
CertGenTransferUtil.bff
package for Windows 64
CertGenTransferUtil.exe
Instructions on Creating and Printing a
PostScript File
How to Create and Print a PostScript File.txt

Page 8 of 13

All the components above are also available on Customer Connection Center (C3). For additional components that are available on C3,
please refer to the section below.
Please login to c3.safenet-inc.com to download the latest software upgrades and access the SafeNet Knowledge Base repository. For
further assistance, please contact SafeNet Technical Support .
Additional Components Available on C3
Application Loader Image MAL1.1-General-U.tgz
OS Upgrade Patch (OS Patch 5) ospatch-05.00-00.tgz
Optional Deliverables
In case the RHM license has been purchased, the following additional components will be available:
RHM License RHM-serialnumber-L.tgz
RHM client image RHM_STD.1.0.0.iso

Scope
This version is released for general distribution. Please see Advisory Notes and Known Issues for limitations and
restrictions.
Advisory Notes
Starting M090100E (SafeNet Luna EFT 1.2) release, the device has been renamed as SafeNet Luna EFT (PH-
EFT) and referred to as Luna EFT.

NOTE: Please refer to Luna EFT Upgrade Sheet_PN007-011452-
001_RevG_M090900E.pdf document for upgrade instructions from previous
versions of Luna EFT.
Resolved and Known Issues
Issue Severity and Classification
The following table serves as a key to the severity and classification of the issues listed in the Resolved Issues
table and the Known Issues table, which can be found in the sections that follow.

Severity Classification Definition
C Critical No reasonable workaround exists
H High Reasonable workaround exists
M Medium Medium-level priority problems
L Low Low-level priority problems
Page 9 of 13

Resolved Issues
Severity Issue Synopsis
M 181666
Summary: Misleading warning message is displayed while loading the RHM
license.
Keys of all configurations will be destroyed if host communication type is
changed.
M 181693 Summary: Display goes to sleep on changing the date in Luna EFT.

Known Issues
H 164628
Summary: USB Keyboard and Mouse stop working after the unit is powered on,
reset or rebooted.
Status/Workaround: This is a hardware issue. As a workaround, we request
that the user unplug then re-plug the USB cables.
M 157639
Summary: The Serial printer prints garbage values while using OBM PIN
mailer. These garbage values are observed to get printed when a comparatively
larger string is to be printed.
Status/Workaround: To be fixed in future releases.
M 146105
Summary: If the Ignore data check length is enabled and the data is of 255
length then the test case is returning 03 instead of 00 in function EE0E06.
M 145831
Summary: The Network Key Transfer Utility returns status as Key package
Loaded even after the key package has been successfully installed.
M 182893
Summary: Secure channel: PKI mode not showing multiple CA certificates.
As a workaround user has two methods by which he can register multiple CA
certificates on the HSM.
Method 1: User can send CA certificate on the HSM and then register it before
sending the next certificate.
Method 2: User can concatenate all the certificates in one file and then send the
concatenated file on the HSM. On the HSM, the CA certificates will be shown as
per their CN name and the user can register each certificate one by one.
M 182630
Summary: Delete individual keys option for Domain master key is not allowed in
the HSM and the RHM Client.
As a workaround user can overwrite the KM that he wants to delete by a new
KM.
Page 10 of
13

Page 11 of
13

M 183063
Summary: All Client Utility not showing HSM status in case of N-tier PKI setup.
As a workaround user can create his own application (or use an existing one) to
call host functions over secure channel by validating certificates of either end
through n-tier PKI.
L 146028
Summary: When upgrading from PHeft 1.0 to M090400E and above, an
Internal Error is displayed on installing OS patch 2 (version 02.00.00 with
M090400E and above), without a prior installation of OS patch 1 (version 01.00-
00).
Status/Workaround: The OS patch 1 (version 01.00-00) should be installed
before attempting to install OS patch 2 (version 02.00.00 with M090400E and
above).
Product Documentation
The following product documentation is associated with this release, and available both on the Luna EFT CD as
well as SafeNet Customer Connection Center (C3).
Documentation Item Description Filename
Changed
for this
release
(Y/N)
Luna EFT Console
User Guide
Assists an operator to perform
Luna EFT Console administration
tasks.
Luna EFT Console User
Guide_PN007-007424-
001_RevAE_M090900E.pdf
Y
Luna EFT
Programmers Guide
Provides a complete function
reference for all the functions that
make up the Mark II and Card
Issuance function set.
Luna EFT Programmer's
Guide_PN007-003198-
002_RevBA_M090900E.pdf
Y
Luna EFT
Communications
Guide
Describes various
communication interfaces
available in Luna EFT that can be
used by host applications to
communicate with this appliance.
Luna EFT Communications
Guide_PN007-007427-
001_RevJ _M090900E.pdf
Y
Luna EFT Installation
Guide
Details the steps to perform
installation tasks on SafeNet
Luna EFT.
Luna EFT Installation Guide_PN007-
007428-001_RevK_M090900E.pdf
Y
Luna EFT Functional
Guide
Details the product features,
deployment scenarios and
various security mechanisms
implemented within Luna EFT
Luna EFT Functional Guide_PN007-
011231-001_RevH_M090900E.pdf
Y
Luna EFT Upgrade
Sheet
Provides upgrade steps for
administrators who wish to install
M090000E and later, or any
customized software based over
Luna EFT Upgrade Sheet_PN007-
011452-001_RevG_M090900E.pdf
Y

it, on their existing appliance.
Luna EFT Quick Start
Guide
Gets you started with Luna EFT. Luna EFT Quick Start Guide_PN007-
011453-001_RevH.pdf
Y
Client Utility Helps Provides instructions on using
various Luna EFT Client utilities.
HSM Software Loader
Network Key Transfer
HSM Utilization
Certificate Generation
and Transfer
Audit Log
Error Log
Luna EFT Client Utility Help Y
How to Create and
Print a PostScript File
Details the steps to create, load
and then print a postscript file.
How to Create and Print a PostScript
File.txt
N
Luna EFT J apan PIN
User Guide
Defines the extended J apanese
PIN option functionality for the
software operating on a Mark II
HSM.
Luna EFT J apan PIN User
Guide_PN007-012066-001_RevB.pdf
N
Luna EFT Clear PIN
User Guide
Defines the extended Clear PIN
option functionality for the
software operating on a Mark II
HSM.
Luna EFT Clear PIN User
Guide_PN007-012067-001_RevB.pdf
N
Luna EFT Remote
HSM Management
Guide
Assists an administrator to
perform SafeNet Luna EFT
Console administration tasks
remotely without physical access
to the HSM.
Luna EFT Remote HSM
Management Guide_PN007-012182-
001_RevB.pdf
Y
Luna EFT Customer
Release Notes
Provides information about the
new features, known issues, and
problems corrected in this
release.
Luna EFT Customer Release
Notes_PN007-011454-
001_RevT_M090900E.pdf
-

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be
perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in
succeeding releases of the product.

Page 12 of
13

Page 13 of
13

Support Contacts
If you have questions or need additional assistance, contact SafeNet Customer Support through the listings below:
Contact Method Contact Information
Address SafeNet, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017
USA
Phone 1-800-545-6608 (United States)
1-410-931-7520 (International)
Email support@safenet-inc.com
Support and
Downloads
www.safenet-inc.com/Support
Provides access to the SafeNet Knowledge Base and quick downloads for various products.
Customer
Connection
Center
c3.safenet-inc.com
Existing customers with a Customer Connection Center account can log in to manage
incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.

Luna EFT Customer Release Notes - PN007-011454-001 - RevT - M090900E

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Luna EFT Customer Release Notes - PN007-011454-001 - RevT - M090900E

Transféré par

Droits d'auteur :

Formats disponibles

Customer Release Notes: Luna EFT, M090900E

Vous aimerez peut-être aussi