PED-Authenticated HSMs

In systems or applications using SafeNet HSMs, SafeNet PED is required for FIPS 140-2 level 3 security. In normal use, SafeNet PED supplies PINs and certain other critical security parameters to the token/HSM, invisibly to the user. This prevents other persons from viewing PINs, etc. on a computer screen or watching them typed on a keyboard, which in turn prevents such persons from illicitly cloning token or HSM contents.

Two classes of users operate SafeNet PED: the ordinary HSM Partition Owner, and the HSM Administrator, (also called Security Officer or SO). The person handling new HSMs and using SafeNet PED is normally the HSM SO, who:

initializes the HSM,

conducts HSM maintenance, such as firmware and capability upgrades,

initializes HSM Partitions and tokens,

creates users (sets PINs),

changes policy settings,

changes passwords.

Following these initial activities, the SafeNet PED may be required to present the HSM Partition Owner’s PED Key or keys (in case of MofN operations) to enable ordinary signing cryptographic operations carried out by your applications.

With the combination of Activation and AutoActivation, the black PED Key is required only upon initial authentication and then not again unless the authentication is interrupted by power failure or by deliberate action on the part of the PED Key holders.

About CKDemo with SafeNet PED

As its name suggests, CKDemo (CryptoKi Demonstration) is a demonstration program that lets you explore the capabilities and functions of several SafeNet products. It exposes a number of PKCS #11 functions, as well as the SafeNet extensions to Cryptoki that enable the enhanced capabilities of our HSMs. However, that flexibility, combined with the bare-bones nature of the program, can cause confusion about whether certain operations and combinations are permissible. Where such cases arise in the discussion of CKDemo with a SafeNet HSM with PED (Trusted Path) Authentication and SafeNet PED, they are pointed out and explained as needed.

The demo program appears to make it optional whether several of the security operations are performed via the keyboard and program interface, or only via the SafeNet PED keypad. In fact, the option is dictated by the SafeNet HSM as it was configured and shipped from the factory, and cannot be changed by you. That is, you can use CKDemo to work or experiment with either type of SafeNet HSM (a SafeNet HSM with Password Authentication, or a SafeNet HSM with PED Authentication, which requires SafeNet PED), but you cannot make one type behave like the other.

Security and design requirements enforced by a SafeNet HSM with PED Authentication dictate that use of SafeNet PED is mandatory within the applications that you develop for it.

Interchangeability

As mentioned above, several secrets and security parameters related to HSMs are imprinted on PED Keys which provide "something you have" access control, as opposed to the "something you know" access control provided by password-authenticated HSMs. The HSM can create each type of secret, which is then also imprinted on a suitably labeled PED Key. Alternatively, the secret can be accepted from a PED Key (previously imprinted by another HSM) and imprinted on the current HSM. This is mandatory for the cloning domain, when HSMs (or HSM partitions) are to clone objects one to the other. It is optional for the other HSM secrets, as a matter of convenience or of your security policy, allowing more than one HSM to be accessed for administration by a single SO (blue PED Key holder) or more than one HSM Partition to be administered by a single Partition Owner/User. The exception is the SRK (purple PED Key) which carries a secret unique to its HSM and which cannot be imprinted on any other HSM.

PED Keys that have never been imprinted are completely interchangeable. They can be used with any modern SafeNet HSM, and can be imprinted with any of the various secrets. The self-stick labels are provided as a visual identifier of which type of secret has been imprinted on a PED Key, or is about to be imprinted. Imprinted PED Keys are tied to their associated HSMs and cannot be used to access HSMs or partitions that have been imprinted with different secrets.

Any SafeNet PED2 can be used with any SafeNet HSM - the PED itself contains no secrets; it simply provides the interface between you and your HSM(s). The exception is that only some SafeNet PEDs have the capability to be used remotely from the HSM. Any Remote-capable SafeNet PED2 is interchangeable with any other Remote-capable SafeNet PED2, and any SafeNet PED2 (remote-capable or not) is interchangeable with any other when locally connected to a SafeNet HSM.

HSM Partitions and Backup Tokens and PED Keys can be “re-cycled” for use in different combinations, but this reuse requires re-initializing the HSM(s) and re-imprinting the PED Keys with new secrets or security parameters. Re-initializing a token or HSM wipes previous information from it. Re-imprinting a PED Key overwrites any previous information it carried (PIN, domain, etc.).

Startup

SafeNet PED expects to be connected to a SafeNet HSM with Trusted Path Authentication. At power-up, it presents a message showing its firmware version. After a few seconds, the message changes to "Awaiting command.." The SafeNet PED is waiting for a command from the token/HSM.

The SafeNet PED screen remains in this status until the CKDemo program, or your own application, initiates a command through the token/HSM.

For the purposes of demonstration, you would now go ahead and create some objects and perform other transactions with the HSM.

Note: To perform most actions you must be logged in. CKDemo may not remind you before you perform actions out of order, but it generates error messages after such attempts. So, in general, if you receive an error message from the program, review your recent actions to determine whether you have logged out or closed sessions and then not formally logged into a new session before attempting to create an object or perform other token/HSM actions.

When you do wish to end activities, be sure to formally log out and close sessions. With CKDemo, it would be merely an inconvenience to have old sessions still open when you attempt new activities. An orderly shutdown of your application, however, should include logging out any users and closing all sessions on HSMs.
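The session discipline described above (log in before creating objects, always log out and close sessions on shutdown), shown as an added example that is not part of this guide or of the SafeNet SDK. It uses a constructed in-memory stand-in for a PED-authenticated partition (`FakePedToken`, an assumption, not the Luna library) that returns the standard Cryptoki error codes for out-of-order calls, and a context manager that guarantees the orderly logout/close even when an operation fails.

```python
from contextlib import contextmanager

# Standard PKCS #11 return codes and user type (values from the Cryptoki spec).
CKR_OK = 0x00
CKR_SESSION_HANDLE_INVALID = 0xB3
CKR_USER_NOT_LOGGED_IN = 0x101
CKU_USER = 1


class FakePedToken:
    """Constructed stand-in for a PED-authenticated partition. Login state is
    token-wide (as in PKCS #11), so logging out affects every open session."""

    def __init__(self):
        self.sessions, self.objects, self.logged_in, self._next = set(), [], False, 1

    def C_OpenSession(self):
        handle, self._next = self._next, self._next + 1
        self.sessions.add(handle)
        return CKR_OK, handle

    def C_Login(self, handle, user_type, pin):
        # On a PED-authenticated HSM the secret comes from the PED, not from
        # the application; the stand-in simply accepts an empty PIN (assumption).
        if handle not in self.sessions:
            return CKR_SESSION_HANDLE_INVALID
        self.logged_in = True
        return CKR_OK

    def C_CreateObject(self, handle, template):
        if handle not in self.sessions:
            return CKR_SESSION_HANDLE_INVALID, None
        if not self.logged_in:  # the out-of-order case CKDemo only reports afterwards
            return CKR_USER_NOT_LOGGED_IN, None
        self.objects.append(template)
        return CKR_OK, len(self.objects)

    def C_Logout(self, handle):
        self.logged_in = False
        return CKR_OK

    def C_CloseAllSessions(self):
        self.sessions.clear()
        return CKR_OK


@contextmanager
def hsm_session(token, pin=b""):
    """Open a session, log in, and always log out and close on exit."""
    rv, handle = token.C_OpenSession()
    if rv != CKR_OK or token.C_Login(handle, CKU_USER, pin) != CKR_OK:
        raise RuntimeError("could not open an authenticated session")
    try:
        yield handle
    finally:
        token.C_Logout(handle)        # orderly shutdown: log out the user ...
        token.C_CloseAllSessions()    # ... and close every session on the HSM
```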

Cloning of Tokens

To securely copy the contents of a SafeNet Network HSM Partition to another SafeNet Network HSM Partition (on the same SafeNet Network HSM or on another), you must perform a backup to a SafeNet Backup HSM from the source HSM Partition followed by a restore operation from the Backup HSM to the new destination HSM Partition. This is done via lunash command line, and cannot be accomplished via CKDemo.