Multifactor Authentication (One-Time Password)
ProtectToolkit supports multifactor authentication using the SafeNet 110 OTP Token. This authentication scheme adds another layer of security by requiring both the memorized token PIN and a 6-digit number randomly generated by the SafeNet 110 OTP Token. When you press the button, a 6-digit number is generated. This number is valid for only 30 seconds (approximately the time that it is displayed on the token's screen). This time limit ensures that any person logging in to the HSM must have the physical device in hand.
User PINs are case-sensitive, and must be 4-32 characters in length. If you are using multifactor authentication, the PIN length becomes 10-38 characters (userpin + OTP).
NOTE This feature is not compatible with High Availability (HA) or Work Load Distribution (WLD) configurations.
You can activate multifactor authentication for:
>the Administration Security Officer (ASO) and/or Administrator roles on the Admin slot
>the Security Officer (SO) and/or Token Owner (User) roles on individual token slots
Each person who holds one or more of these roles requires their own SafeNet 110 OTP Token to use multifactor authentication. The physical tokens allow you to customize your authentication scheme to suit your security needs. Contact your Thales Customer Support representative to purchase SafeNet 110 OTP Tokens.
Figure 1: The SafeNet 110 OTP Token (PN: 955-000237-001)
This section contains instructions for the following tasks:
>Activating Your SafeNet 110 OTP Token
>Initializing Multifactor Authentication
>Logging In Using Multifactor Authentication
>Re-initializing Multifactor Authentication For the User Role
>Removing Multifactor Authentication From a Role
Activating Your SafeNet 110 OTP Token
When you order SafeNet 110 OTP Tokens, Thales sends you a series of secure emails containing the information you need to activate them. Follow the instructions in the emails to unzip the following encrypted files:
>TokenSeed.xml
>PSKCPassword.txt
Initializing Multifactor Authentication
This procedure allows you to enable multifactor authentication for a role on a ProtectServer HSM token slot.
NOTE If you wish to perform Token Replication between HSMs using multifactor authentication, you must use the same OTP Token to initialize multifactor on both HSMs.
Prerequisites
>The HSM token must be initialized and a PIN set for the specified role (Administration SO, Administrator, Security Officer or User)
>SafeNet 110 OTP Token
>TokenSeed.xml and PSKCPassword.txt files provided by Thales via secure email. The SafeNet 110 OTP Token serial number must match one listed in the TokenSeed.xml file.
NOTE If you are initializing multifactor authentication on a Linux client, run dos2unix on each file before continuing.
>dos2unix <filename>
To initialize multifactor authentication
1. Since the random numbers generated by the SafeNet OTP token are time-sensitive, sync the HSM time with the clock on the client machine (ctconf).
ctconf -t
>ctconf -t
ProtectToolkit C Configuration Utility 5.7.0
Copyright (c) Safenet, Inc. 2009-2018
Please enter Administrator's pin (Device 0, S/N: 518687):
The clock is set to: 12/10/2018 16:18:28 (-5:00+DST)
2. Use the ctotp utility to initialize multifactor authentication for the desired role. You must specify the slot, the SafeNet 110 OTP Token serial number, and filepaths to the TokenSeed.xml and PSKCPassword.txt files. Include the -O option to specify the Security Officer or Administration Security Officer role. When prompted, enter the role's standard token PIN (ctotp).
ctotp init -s<slotnum> -t<serialnum> -x<path_to_TokenSeed.xml> -p<path_to_PSKCPassword.txt> [-O]
>ctotp init -s0 -tGALT10282872 -xTokenSeed.xml -pPSKCPassword.txt -O
Please Enter the Security Officer Token PIN:
=================================
OTP Initialization Successful.
===================================
3. Use the ctotp utility to log in to the role. The first login synchronizes the SafeNet 110 OTP Token with the HSM's clock, so that the 30-second window will be accurate for future logins (ctotp).
ctotp login -s<slotnum> [-O]
a. Press the button on the SafeNet 110 OTP Token. A six-digit one-time password is displayed on the screen.
b. At the PIN prompt, enter the token PIN for the specified role, together with the one-time password from the SafeNet 110 OTP Token. For example, if your token PIN is tokenPIN, you would enter:
tokenPIN123456
>ctotp login -s0 -O
Please Enter the Security Officer Token PIN:
=================================
OTP Login Successful.
===================================
NOTE Once multifactor authentication is initialized, the pin and pinLen parameters passed to C_Login() must contain the token PIN and the current 6-digit one-time password. See Logging In Using Multifactor Authentication.
Logging In Using Multifactor Authentication
This procedure describes how to log in to a ProtectServer HSM slot using multifactor authentication.
Prerequisites
>Multifactor authentication must be initialized for the role
>Ensure that you have your token PIN and the correct SafeNet 110 OTP Token ready
To log in using multifactor authentication
1. Use CTbrowse or one of the PTK command-line utilities to initiate login or perform an action that requires login. You will be prompted for the PIN associated with the role.
2. Press the button on the SafeNet 110 OTP Token. A six-digit one-time password is displayed on the screen.
3. At the PIN prompt, enter the token PIN for the specified role, together with the one-time password from the SafeNet 110 OTP Token. For example, if your token PIN is userPIN, you would enter:
userPIN123456
The password generated by the SafeNet 110 OTP Token changes every 30 seconds, so you must complete the login procedure within this time.
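The following C sketch is an added example, not Thales code. It shows how an application could assemble the pin and pinLen values for C_Login() once multifactor authentication is initialized, enforcing the PIN length limits stated above and erasing the combined credential after use. The login_fn callback and stub_login function are hypothetical stand-ins for the application's real C_Login() call.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define PIN_MIN 4                     /* PIN limits stated on this page */
#define PIN_MAX 32
#define OTP_LEN 6                     /* digits shown on the OTP token */
#define MFA_MAX (PIN_MAX + OTP_LEN)   /* 38, the page's upper bound */

/* Hypothetical callback standing in for the application's real call,
 * e.g. C_Login(hSession, userType, pin, pinLen). */
typedef unsigned long (*login_fn)(const unsigned char *pin, unsigned long pinLen);

/* Zero a buffer through a volatile pointer so the stores are not elided. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Write PIN||OTP into out (MFA_MAX bytes). Returns the combined length
 * (10-38) or 0 if either part is malformed. No NUL terminator is added
 * because the length travels separately as pinLen. */
size_t build_mfa_pin(const char *pin, const char *otp, unsigned char *out) {
    size_t plen, i;
    if (!pin || !otp || !out) return 0;
    plen = strlen(pin);
    if (plen < PIN_MIN || plen > PIN_MAX || strlen(otp) != OTP_LEN) return 0;
    for (i = 0; i < OTP_LEN; i++)
        if (!isdigit((unsigned char)otp[i])) return 0;
    memcpy(out, pin, plen);            /* PINs are case-sensitive: copy as-is */
    memcpy(out + plen, otp, OTP_LEN);
    return plen + OTP_LEN;
}

/* Build the credential, pass it to the login call, then erase the local
 * copy. Returns the callback's result, or (unsigned long)-1 on bad input. */
unsigned long mfa_login(const char *pin, const char *otp, login_fn do_login) {
    unsigned char buf[MFA_MAX];
    size_t n = build_mfa_pin(pin, otp, buf);
    unsigned long rv = (unsigned long)-1;
    if (n != 0 && do_login) rv = do_login(buf, (unsigned long)n);
    wipe(buf, sizeof buf);
    return rv;
}

/* Constructed stand-in for the HSM call: reports the length it was given. */
unsigned long stub_login(const unsigned char *pin, unsigned long pinLen) {
    (void)pin;
    return pinLen;
}
```

Read the one-time password from the user immediately before calling the login routine, since the HSM accepts it for only about 30 seconds.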
Re-initializing Multifactor Authentication For the User Role
The Security Officer can re-initialize multifactor authentication for the User if required. This capability is useful if a SafeNet 110 OTP Token associated with the User role is lost or damaged, and the User needs to initialize another one. There is no mechanism to re-initialize multifactor authentication for the Security Officer role.
This procedure is performed by the Security Officer with input from the User.
Prerequisites
>The Security Officer must be present and prepared to log in with their token PIN (and SafeNet 110 OTP Token, if applicable)
>The User must be present and prepared to enter their standard token PIN
>A new or unused SafeNet 110 OTP Token
>TokenSeed.xml and PSKCPassword.txt files provided by Thales via secure email. The SafeNet 110 OTP Token serial number must match one listed in the TokenSeed.xml file.
To re-initialize multifactor authentication for the User role
1. Use the ctotp utility to re-initialize multifactor authentication for the User. You must specify the slot, the new SafeNet 110 OTP Token's serial number, and filepaths to the TokenSeed.xml and PSKCPassword.txt files (ctotp).
ctotp reinit -s<slotnum> -t<serialnum> -x<path_to_TokenSeed.xml> -p<path_to_PSKCPassword.txt>
a. You are prompted for the Security Officer PIN. If you have multifactor authentication enabled for the SO role, enter the standard SO PIN followed by the 6-digit one-time password from the SO's SafeNet 110 OTP Token.
b. You are prompted for the token User PIN. Only the standard PIN is required.
>ctotp reinit -s0 -tGALT10282854 -xTokenSeed.xml -pPSKCPassword.txt
Please Enter the Security Officer Token PIN:
Please Enter the Token PIN:
=================================
OTP Re-Initialization Successful.
=================================
Removing Multifactor Authentication From a Role
If you no longer wish to use multifactor authentication, you can use this procedure to remove the requirement from your own role.
Prerequisites
>Standard PIN for the role
>SafeNet 110 OTP Token associated with the role
To remove multifactor authentication from a role
1. Use the ctotp utility to remove the multifactor authentication requirement from the desired role by specifying the slot for that role. If you are removing the multifactor requirement for the Security Officer or Administration Security Officer, include the -O option (ctotp).
ctotp del -s<slotnum> [-O]
You are prompted for the token PIN. Enter the token PIN for the specified role, together with the one-time password from the SafeNet 110 OTP Token.
>ctotp del -s0 -O
Please Enter the Security Officer Token PIN:
=================================
OTP Deletion Successful.
===================================
In the future, logging in with this role requires only the standard token PIN.
