Compare Password and PED Authentication

The table below compares the two authentication models, row by row, for a Password-authenticated HSM and a PED-authenticated HSM.

Ability to restrict access to cryptographic keys

Password-authenticated HSM:
  • knowledge of the Partition Password is sufficient
  • for backup/restore, knowledge of the partition domain password is sufficient

PED-authenticated HSM:
  • ownership of the black PED Key is mandatory
  • for backup/restore, ownership of both the black and the red PED Keys is necessary
  • the Crypto User role is available to restrict access to usage of keys, with no key management
  • option to associate a PED PIN (something you know) with any PED Key (something you have), imposing a two-factor authentication requirement on any role

Dual Control

Password-authenticated HSM:
  • not available

PED-authenticated HSM:
  • MofN (split-knowledge secret sharing) requires "M" different holders of portions of the role secret in order to authenticate to an HSM role; it can be applied to any, all, or none of the administrative and management operations required on the HSM

Key-custodian responsibility

Password-authenticated HSM:
  • linked to password knowledge only

PED-authenticated HSM:
  • linked to partition password knowledge
  • linked to black PED Key(s) ownership

Role-based Access Control (RBAC) - ability to confer the least privileges necessary to perform a role

Password-authenticated HSM - roles limited to:
  • Appliance admin
  • HSM Admin (SO)
  • Partition Owner

PED-authenticated HSM - available roles:
  • Appliance admin
  • HSM Admin (Security Officer)
  • Domain (Cloning / Token-Backup)
  • Secure Recovery
  • Remote PED
  • Partition Owner (or Crypto Officer)
  • Crypto User (usage of keys only, no key management)

  For all roles, two-factor authentication (selectable option) and MofN (selectable option).

Two-factor authentication for remote access

Password-authenticated HSM:
  • not available

PED-authenticated HSM:
  • Remote PED and the orange (Remote PED Vector) PED Key deliver highly secure remote management of the HSM, including remote backup