Home > |
---|
This section discusses how objects are protected on the HSM, how authentication works, and how authentication credentials are protected.
The general authentication model applies to both Password Authenticated and PED Authenticated SafeNet HSMs. SafeNet HSMs do not keep any objects in the clear. All objects are encrypted by multiple layers, and are fully decrypted in temporary (volatile) memory only while needed.
One general storage key (GSK), for the HSM, protects general storage objects that might be needed by various roles in the performance of their duties. A separate user storage key (USK) for each role, protects the contents of the partition accessed by that role. The hierarchy of protection, depicted in the diagram below, is repeated for each role. The USK for each separate role on the HSM encrypts objects that are owned by that role, ensuring that each person, authenticating as a role, sees and touches only what belongs to them.
The password is not stored; whether it is a true password for a Password-authenticated HSM, or is a PED Key value for a PED-authenticated HSM, the HSM does not keep a copy. For each partition, and the role that authenticates to it, the HSM has a checkword, an encrypted block consisting of a fixed value plus the GSK plus the appropriate USK. The encryption is derived from the PIN Key for that role. An operation using SHA-512 derives an AES key, then AES CBC is used to decrypt the checkword. If the fixed-value portion verifies, then the HSM proceeds to use the decrypted GSK and USK where needed in operations by that authenticated role, until the session ends.
If multiple roles for a given partition have access to the objects (for example, the Crypto Officer and Crypto User), then both their checkwords contain the same USK, but encrypted under their own respective credentials.
For clarity, the following diagram depicts the general case, that applies to either Password-authenticated or PED-authenticated HSMs, without some of the optional features (MofN, PED PINs) that could additionally be invoked for some, or all, roles on a PED-authenticated HSM.
For a description, based on the above, but adding MofN split-knowledge, multi-person access control, see HSM authentication model with MofN split secret.
For a description, based on the above, but adding a PED PIN (something you know) to the secret contained on a physical PED Key (something you have), see HSM Authentication with One PED PIN.
For a description, based on the above, but showing the addition of both MofN and PED PINs, see HSM Authentication Model with both PED PIN and MofN.