|
Home > |
|---|
| Password-authenticated HSM | PED-authenticated HSM | |
|---|---|---|
| Ability to restrict access to cryptographic keys |
•knowledge of Partition Password is sufficient •for backup/restore, knowledge of partition domain password is sufficient |
•ownership of the black PED Key is mandatory •for backup/restore, ownership of both black and red PED Keys is necessary •the Crypto User role is available to restrict access to usage of keys, with no key management •option to associate a PED PIN (something-you-know) with any PED Key (something you have), imposing a two-factor authentication requirement on any role |
| Dual Control |
•not available |
•Mof N (split-knowledge secret sharing) requires "M" different holders of portions of the role secret, in order to authenticate to an HSM role - can be applied to any, all, or none of the administrative and management operations required on the HSM |
| Key-custodian responsibility |
•linked to password knowledge, only |
•linked to partition password knowledge, •linked to black PED Key(s) ownership |
| Role-based Access Control (RBAC) - ability to confer the least privileges necessary to perform a role |
roles limited to: •Auditor •HSM Admin (SO) •Partition Owner |
available roles: •Auditor •HSM Admin (Security Officer) •Domain (Cloning / Token-Backup) •Secure Recovery •Remote PED •Partition Owner (or Crypto Officer) •Crypto User (usage of keys only, no key management) for all roles, two-factor authentication (selectable option) and MofN (selectable option) |
| Two-factor authentication for remote access |
•not available |
•Remote PED and orange (Remote PED Vector) PED Key deliver highly secure remote management of HSM, including remote backup |