Secure PIN Port Authentication

Generally, an application collects an authentication code or PIN from a user and/or other source controlled by the host computer. With Thales's multifactor quorum-authenticated products (such as Luna PCIe HSM 7), the PIN must come from a device connected to the secure port of the physical interface (or connected via a secure Remote PED protocol connection). The Luna PED (PIN Entry Device) or Luna USB HSM touchscreen is used for secure entry of PINs.

A bit setting in the device's capabilities settings determines whether the HSM requires that PINs be entered through the secure port. If the appropriate configuration bit is set, PINs must be entered through the secure port.

If the device's configuration bit is off, the application must provide the PIN through the existing mechanism. Through setting the PIN parameters, the application tells the token where to look for PINs.  A similar programming approach applies to define the key cloning domain identifier.

Applications wanting PINs to be collected via the secure port must pass a NULL pointer for the pPin parameter and a value of zero for the ulPinLen parameter in function calls with PIN parameters.  This restriction applies everywhere PINs are used. The following functions are affected:

>C_InitToken

>C_InitIndirectToken

>C_InitPIN

>C_SetPIN

>CA_InitIndirectPIN

>C_Login

>CA_IndirectLogin

When domains are generated/collected through the secure port during a C_InitToken call, the application must pass a NULL pointer for the pbDomainString parameter and a value of zero for the ulDomainStringLen parameter in the CA_SetCloningDomain function.