PKCS#11 Slot Smart Card Activation

Introduction

All sensitive cryptographic material of the Hardware Appliance is stored on a Hardware Security Module (HSM). This HSM protects your key material against physical attacks. The keys required by the Hardware Appliance and your infrastructure are organized in so-called slots, as commonly used with the cryptographic API PKCS#11. To operate on these keys, the slots must be activated with an authentication code. Depending on your requirements for availability, usability and security, you can select per slot whether that authentication code should be stored on the Hardware Appliance or not. Slots with stored authentication codes can be auto-activated for immediate availability. The generated and automatically stored authentication codes are of very high quality. This choice can also be changed later, during the operation of the Hardware Appliance.

For cases where manually entered authentication codes do not meet the security requirements, there is an option for two-factor authentication: it is possible to additionally require activation with smart cards for one or more slots. This choice has to be made during the installation.

Installation/Configuration

During the installation of the Hardware Appliance it is possible to enable PKCS#11 slot smart card activation per slot. To do so, clear (Automatically generated) Authentication Code for the slot you want to give more security, and an option to use smart card activation will be offered. Go through the available options and choose smart card activation. Next, continue to set an authentication code per slot. This authentication code will be required upon activation of the slot; make sure to keep it safe and always available when deactivating/activating the slot.

Number of users required

To further secure your installation you can choose how many smart cards are required to activate a slot. Note that there is no quorum (such as "3 out of 5") available for this function: if Number of users required: 5 is selected, then 5 different user credentials will be generated and written to 5 different smart cards, all of which need to be present when activating the slot. The default setting of the Hardware Appliance is to create only one user credential.

Number/copies of user smart cards

Unlike the backup key shares on the smart cards, the user credentials cannot be copied from card to card. A lost, broken or blocked smart card cannot be replaced. Therefore, the Hardware Appliance offers to create sufficient copies, once and for all.

The default setting of the Hardware Appliance is to create 2 smart cards with the same user credential.

Require smart cards to activate system after boot

For the highest security requirements, smart card activation can also be enabled for PKCS#11 slot 0, which contains the key used to sign the audit log. Since EJBCA produces an audit log entry for every single action, it needs access to slot 0 for every action, including start-up. This effectively means that EJBCA will not be reachable after a system start-up until slot 0 has been successfully activated by smart card.

Procedure

For every slot activation user that has been chosen, the following procedure will run during the installation:

  • The user credentials are generated in memory.
  • For every copy that has been chosen, the user credentials will be written to a smart card. It is required to enter the PIN (default PIN on delivery: 123456) and acknowledge with OK.
  • The user credentials (only the public key) are read into the HSM; only the OK button needs to be pressed.

Example with default values

After the installation, it is strongly advised to change the PINs of the smart cards through the WebConf.

The procedure with a Hardware Appliance Security Level of "2 out of 3" and slot smart card activation on slot 7 with the default values of 1 user and 2 copies will look like this:

  • Backup key shares handling
    • One audible alert (bee-beep)
    • Generation of the backup key and writing to three cards (with PIN and OK)
    • Reading of the backup key from two cards (with PIN and OK)
  • Handling of one slot activation user
    • Generation of user credentials
    • One audible alert (bee-beep)
    • User credential being written to one card (with PIN and OK)
    • One audible alert (bee-beep)
    • User credential being written to one card (with PIN and OK)
    • One audible alert (bee-beep)
    • Creation of the user within the HSM by reading the public key (only OK)

Slots 0 and 1

If the installation is configured to have smart card activation on slot 0 and slot 1 (Management CA), i.e. Require smart cards to activate system after boot, the installation procedure will be extended by more PIN pad operations, since the installer needs access to these slots to create the keys needed for operation: the audit log signature key and the Management CA key respectively.

These extensions will be activation procedures as described in the next section.

Application/Activation of a slot

Whenever the application attempts a "Login" to the slot (as when activating a Crypto Token in EJBCA), the Hardware Appliance will automatically and immediately request the smart card(s) to be inserted into the PIN pad. This can be noticed by a small audible alert (bee-beep). The Hardware Appliance physical front display will briefly indicate which slot is being activated and which user card needs to be inserted.

The user cards will always be required in ascending order, always starting with User 1.

Whenever a PKCS#11 slot activation with smart card goes wrong, the internal Hardware Appliance mechanism will restart all applications, which in turn requires all slots to be activated again.

Activation on boot/slot 0

If Require smart cards to activate system after boot was enabled during the installation, then on every system start/boot the Hardware Appliance will first require the successful activation of slot 0 before it can continue with startup. Smart card and PIN have to be entered within one hour after system start.
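The activation rules described in the sections Number of users required, Application/Activation of a slot and Activation on boot/slot 0 can be summarized in a small model, useful when planning operations (how many card holders must be present, what a single failed PIN costs in availability). The following Python is an added illustration written for this page; it is not code from the Hardware Appliance or its vendor. Slot numbers, the clock values and the card sequences are constructed. The page does not state what happens once the one-hour boot window has passed, so the model's treatment of a late attempt as a failed activation is an assumption.

```python
"""Constructed model of the documented PKCS#11 slot activation rules.

Models only what the page states:
  * a slot configured with N users needs all N user cards (no k-of-n quorum),
    presented in ascending order starting with User 1;
  * a failed activation restarts all applications, so every slot loses its
    activation and must be activated again;
  * when slot 0 is bound to system boot, EJBCA is not reachable until slot 0
    is activated, and the cards must be presented within one hour of start.
"""
from dataclasses import dataclass, field

BOOT_ACTIVATION_WINDOW_S = 3600  # "within one hour after system start"


class ActivationError(Exception):
    """A slot activation failed; the appliance restarts all applications."""


@dataclass
class SlotConfig:
    users_required: int = 1       # appliance default: one user credential
    boot_required: bool = False   # "Require smart cards to activate system after boot"


@dataclass
class Appliance:
    slots: dict                   # slot id -> SlotConfig (constructed setup)
    boot_time: float              # seconds on a constructed clock
    active: set = field(default_factory=set)

    def ejbca_reachable(self) -> bool:
        # EJBCA logs every action and signs the log with the slot 0 key,
        # so with boot activation enabled it cannot serve until slot 0 is active.
        cfg = self.slots.get(0)
        if cfg is not None and cfg.boot_required:
            return 0 in self.active
        return True

    def activate(self, slot_id: int, cards, now: float) -> bool:
        """Attempt to activate `slot_id` with `cards`, a list of
        (user_number, pin_accepted) pairs in the order presented at the PIN pad.
        Any failure models the application restart: all activations are dropped
        and ActivationError is raised."""
        cfg = self.slots[slot_id]
        try:
            if slot_id == 0 and cfg.boot_required and now - self.boot_time > BOOT_ACTIVATION_WINDOW_S:
                # Assumption of this model: a late attempt counts as a failure.
                raise ActivationError("slot 0 not activated within one hour of boot")
            expected = list(range(1, cfg.users_required + 1))
            presented = [user for user, _ in cards]
            if presented != expected:
                # No quorum, and cards are required in ascending order from User 1.
                raise ActivationError(f"slot {slot_id}: expected users {expected}, got {presented}")
            rejected = [user for user, pin_ok in cards if not pin_ok]
            if rejected:
                raise ActivationError(f"slot {slot_id}: PIN rejected for user(s) {rejected}")
        except ActivationError:
            self.active.clear()   # application restart: every slot needs re-activation
            raise
        self.active.add(slot_id)
        return True


def demo() -> dict:
    """Walk through the scenarios the page describes and report the outcomes."""
    app = Appliance(slots={0: SlotConfig(1, True), 7: SlotConfig(users_required=3)}, boot_time=0.0)
    reachable_before = app.ejbca_reachable()
    app.activate(0, [(1, True)], now=60.0)
    reachable_after = app.ejbca_reachable()
    try:
        app.activate(7, [(1, True), (2, True)], now=120.0)   # 2 of 3 cards is not enough
        partial_accepted = True
    except ActivationError:
        partial_accepted = False
    all_dropped = app.active == set()                         # slot 0 lost as well
    app.activate(0, [(1, True)], now=180.0)
    app.activate(7, [(1, True), (2, True), (3, True)], now=240.0)
    return {
        "reachable_before_slot0": reachable_before,
        "reachable_after_slot0": reachable_after,
        "partial_cards_accepted": partial_accepted,
        "all_slots_dropped_after_failure": all_dropped,
        "final_active": set(app.active),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is the cost of a single failure: because a failed activation of any slot drops every slot, an operator with slot 0 bound to boot must also be prepared to re-present the slot 0 card after a PIN error on an unrelated slot.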