Secure PIN Port Authentication

Generally, an application collects an authentication code or PIN from a user and/or other source controlled by the host computer. With SafeNet's FIPS 140-1 level 3-validated products (such as SafeNet Network HSM), the PIN must come from a device connected to the secure port of the physical interface. The SafeNet PED (PIN Entry Device) is used for secure entry of PINs.

A bit setting in the device's capabilities settings determines whether the HSM requires that PINs be entered through the secure port. If the appropriate configuration bit is set, PINs must be entered through the secure port.

If the device's configuration bit is off, the application must provide the PIN through the existing mechanism. By setting the PIN parameters, the application tells the token where to look for PINs. A similar programming approach applies to defining the key cloning domain identifier.

Applications wanting PINs to be collected via the secure port must pass a NULL pointer for the pPin parameter and a value of zero for the ulPinLen parameter in function calls with PIN parameters. This restriction applies everywhere PINs are used. The following functions are affected:

C_InitToken

C_InitIndirectToken

C_InitPIN

C_SetPIN

CA_InitIndirectPIN

C_Login

CA_IndirectLogin

When domains are generated/collected through the secure port during a C_InitToken call, the application must pass a NULL pointer for the pbDomainString parameter and a value of zero for the ulDomainStringLen parameter in the CA_SetCloningDomain function.
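
The pPin / ulPinLen rule above, sketched as a login wrapper. This is an added example, not SafeNet's code: `login_user`, `wipe` and `fake_login` are hypothetical names, the types are stand-ins for those in cryptoki.h, and it assumes the token signals the secure-port requirement through the standard PKCS#11 `CKF_PROTECTED_AUTHENTICATION_PATH` token flag.

```c
#include <stddef.h>

/* Stand-ins for the cryptoki.h types and constants, so this builds alone. */
typedef unsigned long CK_ULONG, CK_RV, CK_FLAGS, CK_SESSION_HANDLE, CK_USER_TYPE;
#define CKR_OK 0UL
#define CKR_ARGUMENTS_BAD 7UL
#define CKU_USER 1UL
/* Assumption: this flag in CK_TOKEN_INFO.flags mirrors the secure-port bit. */
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Same parameter order as C_Login: session, user type, pPin, ulPinLen. */
typedef CK_RV (*login_fn)(CK_SESSION_HANDLE, CK_USER_TYPE, unsigned char *, CK_ULONG);

/* Overwrite a PIN buffer; volatile keeps the stores from being optimised out. */
static void wipe(unsigned char *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Hypothetical wrapper: pick the PIN arguments from the token flags. */
CK_RV login_user(login_fn login, CK_SESSION_HANDLE h, CK_FLAGS token_flags,
                 unsigned char *pin, size_t pin_len) {
    CK_RV rv;
    if (token_flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
        /* Secure port in force: discard any host-side PIN, pass NULL / 0. */
        if (pin) wipe(pin, pin_len);
        return login(h, CKU_USER, NULL, 0);
    }
    if (pin == NULL || pin_len == 0)
        return CKR_ARGUMENTS_BAD;   /* host-supplied PIN is mandatory here */
    rv = login(h, CKU_USER, pin, (CK_ULONG)pin_len);
    wipe(pin, pin_len);             /* do not leave the PIN in memory */
    return rv;
}

/* Constructed stand-in for C_Login that records what it was handed. */
static int seen_null; static CK_ULONG seen_len;
CK_RV fake_login(CK_SESSION_HANDLE h, CK_USER_TYPE u, unsigned char *pin, CK_ULONG len) {
    (void)h; (void)u;
    seen_null = (pin == NULL); seen_len = len;
    return CKR_OK;
}

int main(void) {
    unsigned char pin[] = "4321";   /* constructed sample PIN */
    return login_user(fake_login, 1, CKF_PROTECTED_AUTHENTICATION_PATH, pin, 4) != CKR_OK;
}
```

In an application, the real `C_Login` would be passed in place of `fake_login`, with `token_flags` taken from `C_GetTokenInfo`.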