Home > |
Product Overview > SafeNet HSM Authentication Types
|
---|
This chapter describes the types of authentication available on SafeNet HSMs. Each SafeNet HSM comes in one of two authentication types – Password authenticated or PED authenticated. The authentication type is configured at the factory and cannot be modified in the field. See the following sections for more information:
•About Password Authentication.
•Comparing Password and PED Authentication
Note: Authentication differences - Password-authenticated vs PED-authenticated:
- When the HSM is PED-authenticated,
-- the administrative role secret contained on a black or gray PED Key is one secret, used only by administrative personnel, while
-- the challenge-secret or password is a second secret (plain text, initially presented on the PED screen, but you can change it), which is the application-authentication secret, that allows the HSM verify that the presenting application is entitled to perform cryptographic operations on the particular application partition.
The application can submit its own authentication (that second secret) only after the PED Key secret has "opened" the HSM partition for operation (by Activating) - that is, there are two levels of protection, one administrative, and the other operational, where the operational level is gated by the administrative level.
- When the HSM is Password-authenticated,
-- the administrative role secret is also the application-authentication secret, one plain-text secret used for two purposes; the application that knows that secret declares the application partition open-for-business while in the act of accessing it with that single secret as its authentication - a single level of protection that is both administrative and operational. On a Password-authenticated HSM, once the administrator (Crypto Officer or Crypto User) has distributed the secret to the application(s), the only way to restrict access by applications (or personnel) that have come into possession of that secret is to change the password - which also changes the authentication for the associated administrative role.