Multifactor authentication (one-time password)
ProtectToolkit supports multifactor authentication using the SafeNet 110 Time-Based OTP Token. This section describes the feature and explains how to activate a SafeNet 110 Time-Based OTP Token, initialize multifactor authentication, log on using multifactor authentication, and remove multifactor authentication from a role.
Overview
This authentication scheme adds another layer of security by requiring both the memorized token PIN (something you know) and a 6-digit time-based code generated by the SafeNet 110 Time-Based OTP Token (something you have). When you press the button, a 6-digit code is generated. The code is valid for only 30 seconds (approximately the time it is displayed on the token's screen). This time limit ensures that anyone logging on to the HSM must have the physical device in hand at the moment of logon.
If you are using multifactor authentication, PINs (userpin + OTP) must be:
-
10-38 characters, if you are using a firmware version older than ProtectServer 3 HSM Firmware 7.03.00.
-
14-38 characters, if you are using ProtectServer 3 HSM Firmware 7.03.00 or newer with the FIPS Algorithms Only security flag set. For more information about this flag, refer to FIPS Algorithms Only.
Note
This feature is not compatible with High Availability (HA) or Work Load Distribution (WLD) configurations.
You can activate multifactor authentication for:
-
the Administration Security Officer (ASO) and/or Administrator roles on the Admin slot
-
the Security Officer (SO) and/or Token Owner (User) roles on individual token slots
Each person who holds one or more of these roles requires their own SafeNet 110 Time-Based OTP Token to use multifactor authentication. The physical tokens allow you to customize your authentication scheme to suit your security needs. Contact your Thales Customer Support representative to purchase SafeNet 110 Time-Based OTP Tokens.
SafeNet 110 Time-Based OTP Token (PN: 955-000237-001)
Activating your SafeNet 110 Time-Based OTP Token
When you order SafeNet 110 Time-Based OTP Tokens, Thales sends you a series of secure emails containing the information you need to activate them. Follow the instructions in the emails to unzip the following encrypted files:
-
TokenSeed.xml
-
PSKCPassword.txt
Initializing multifactor authentication
This procedure allows you to enable multifactor authentication for a role on a ProtectServer 3 HSM token slot.
Note
If you wish to perform Token replication between HSMs using multifactor authentication, you must use the same OTP Token to initialize multifactor on both HSMs.
Prerequisites
-
The HSM token must be initialized and a PIN set for the specified role (Administration SO, Administrator, Security Officer or User)
-
SafeNet 110 Time-Based OTP Token
-
TokenSeed.xml and PSKCPassword.txt files provided by Thales via secure email. The SafeNet 110 Time-Based OTP Token serial number must match one listed in the TokenSeed.xml file.
Note
If you are initializing multifactor authentication on a Linux client, run dos2unix on each file before continuing.
>dos2unix <filename>
To initialize multifactor authentication
-
Because the codes generated by the SafeNet 110 Time-Based OTP Token are time-sensitive, synchronize the HSM clock with the clock on the client machine using ctconf -t (ctconf).
>ctconf -t
ProtectToolkit C Configuration Utility 5.7.0
Copyright (c) Safenet, Inc. 2009-2018
Please enter Administrator's pin (Device 0, S/N: 518687):
The clock is set to: 12/10/2018 16:18:28 (-5:00+DST)
-
Use the ctotp utility to initialize multifactor authentication for the desired role. You must specify the slot, the SafeNet 110 Time-Based OTP Token serial number, and filepaths to the TokenSeed.xml and PSKCPassword.txt files. Include the -O option to specify the Security Officer or Administration Security Officer role. When prompted, enter the role's standard token PIN (ctotp).
ctotp init -s<slotnum> -t<serialnum> -x<path_to_TokenSeed.xml> -p<path_to_PSKCPassword.txt> [-O]
>ctotp init -s0 -tGALT10282872 -xTokenSeed.xml -pPSKCPassword.txt -O
Please Enter the Security Officer Token PIN:
=================================
OTP Initialization Successful.
=================================
-
Use the ctotp utility to log on to the role. The first logon synchronizes the SafeNet 110 Time-Based OTP Token with the HSM's clock, so that the 30-second window will be accurate for future logins (ctotp).
-
Press the button on the SafeNet 110 Time-Based OTP Token. A six-digit one-time password is displayed on the screen.
-
At the PIN prompt, enter the token PIN for the specified role, together with the one-time password from the SafeNet 110 Time-Based OTP Token. For example, if your token PIN is tokenPIN, you would enter:
tokenPIN123456
>ctotp login -s0 -O
Please Enter the Security Officer Token PIN:
=================================
OTP Login Successful.
=================================
Note
Once multifactor authentication is initialized, the pin and pinLen parameters passed to C_Login() must contain the token PIN immediately followed by the current 6-digit one-time password, with pinLen counting both. See Logging on using multifactor authentication.
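To make the mechanism concrete, the following is an added Python model of the check an HSM performs on a multifactor logon. It is example code written for this page, not ProtectToolkit or ctotp code, and it does not talk to an HSM. It assumes the SafeNet 110 token is a standard OATH TOTP device (RFC 6238: HMAC-SHA1 over the 30-second time step, 6-digit output) and that the verifier tolerates one step of clock drift; the page states neither. The real seed lives in TokenSeed.xml, whereas the seed used here is the RFC 6238 Appendix B test key, so its codes match the published test vectors. The example also shows how the pin buffer handed to C_Login() (for example tokenPIN123456) is split into token PIN and OTP, and applies the combined-length rule from the Overview.

```python
"""Model of the HSM-side check behind a ProtectServer multifactor logon.

Added example for this page, not ProtectToolkit code. Assumptions:
  * the token is a standard OATH TOTP device (RFC 6238, HMAC-SHA1, 6 digits, 30 s step);
  * the verifier accepts one time step of drift either side of its own clock;
  * the combined PIN keeps the 10-38 rule unless FIPS Algorithms Only is set,
    in which case the 14-38 rule applies.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
OTP_DIGITS = 6
MAX_PIN_LEN = 38

# Constructed seed: the RFC 6238 Appendix B SHA-1 test key, not a real token seed.
RFC6238_SHA1_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = OTP_DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the big-endian time-step counter, then dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_login_pin(pin: str, digits: int = OTP_DIGITS):
    """Split the C_Login pin buffer 'tokenPIN123456' into ('tokenPIN', '123456')."""
    otp = pin[-digits:]
    if len(pin) <= digits or not all(c in "0123456789" for c in otp):
        raise ValueError("expected <token PIN><6-digit OTP>")
    return pin[:-digits], otp


def pin_length_ok(pin: str, fips_algorithms_only: bool = False) -> bool:
    """Combined PIN (token PIN + OTP) length rule from the Overview."""
    minimum = 14 if fips_algorithms_only else 10
    return minimum <= len(pin) <= MAX_PIN_LEN


def verify_login(pin: str, expected_token_pin: str, seed: bytes, now: int, drift_steps: int = 1) -> bool:
    """Accept only if the PIN matches and the OTP is valid for now +/- drift_steps steps.

    Both factors are always evaluated (no short-circuit) and compared in constant
    time, so a wrong PIN and a wrong OTP are indistinguishable by timing.
    """
    try:
        token_pin, otp = split_login_pin(pin)
    except ValueError:
        return False
    pin_ok = hmac.compare_digest(token_pin.encode(), expected_token_pin.encode())
    otp_ok = False
    for k in range(-drift_steps, drift_steps + 1):
        candidate = totp(seed, now + k * STEP_SECONDS)
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            otp_ok = True
    return pin_ok and otp_ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SHA1_SEED, now)
    print("current code for the constructed seed:", code)
    print("logon accepted:", verify_login("tokenPIN" + code, "tokenPIN", RFC6238_SHA1_SEED, now))
```

The point for practitioners is verify_login: a logon submitted more than one step (30 seconds) away from the verifier's idea of the current time fails even with the correct PIN and a code the token really displayed, which is why the ctconf -t synchronization step before initialization matters.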
Logging on using multifactor authentication
This procedure describes how to log on to a ProtectServer 3 HSM slot using multifactor authentication.
Prerequisites
-
Multifactor authentication must be initialized for the role
-
Ensure that you have your token PIN and the correct SafeNet 110 Time-Based OTP Token ready
To log on using multifactor authentication
-
Use CTbrowse or one of the PTK command-line utilities to initiate logon or perform an action that requires logon. You will be prompted for the PIN associated with the role.
-
Press the button on the SafeNet 110 Time-Based OTP Token. A six-digit one-time password is displayed on the screen.
-
At the PIN prompt, enter the token PIN for the specified role, together with the one-time password from the SafeNet 110 Time-Based OTP Token. For example, if your token PIN is userPIN, you would enter:
userPIN123456
The password generated by the SafeNet 110 Time-Based OTP Token changes every 30 seconds, so you must complete the logon procedure within this time.
Re-initializing multifactor authentication for the User role
The Security Officer can re-initialize multifactor authentication for the User if required. This capability is useful if a SafeNet 110 Time-Based OTP Token associated with the User role is lost or damaged, and the User needs to initialize another one. There is no mechanism to re-initialize multifactor authentication for the Security Officer role.
This procedure is performed by the Security Officer with input from the User.
Prerequisites
-
The Security Officer must be present and prepared to log on with their token PIN (and SafeNet 110 Time-Based OTP Token, if applicable).
-
The User must be present and prepared to enter their standard token PIN.
-
A new or unused SafeNet 110 Time-Based OTP Token.
-
TokenSeed.xml and PSKCPassword.txt files provided by Thales via secure email. The SafeNet 110 Time-Based OTP Token serial number must match one listed in the TokenSeed.xml file.
To re-initialize multifactor authentication for the User role
-
Use the ctotp utility to re-initialize multifactor authentication for the User. You must specify the slot, the new SafeNet 110 Time-Based OTP Token serial number, and filepaths to the TokenSeed.xml and PSKCPassword.txt files (ctotp).
ctotp reinit -s<slotnum> -t<serialnum> -x<path_to_TokenSeed.xml> -p<path_to_PSKCPassword.txt>
-
You are prompted for the Security Officer PIN. If you have multifactor authentication enabled for the SO role, enter the standard SO PIN followed by the 6-digit one-time password from the SO's SafeNet 110 Time-Based OTP Token.
-
You are prompted for the token User PIN. Only the standard PIN is required.
>ctotp reinit -s0 -tGALT10282854 -xTokenSeed.xml -pPSKCPassword.txt
Please Enter the Security Officer Token PIN:
Please Enter the Token PIN:
=================================
OTP Re-Initialization Successful.
=================================
Removing multifactor authentication from a role
If you no longer wish to use multifactor authentication, you can use this procedure to remove the requirement from your own role. Because the current one-time password is required to complete it, the requirement cannot be removed by someone who knows only the token PIN.
Prerequisites
-
Standard PIN for the role
-
SafeNet 110 Time-Based OTP Token associated with the role
To remove multifactor authentication from a role
-
Use the ctotp utility to remove the multifactor authentication requirement from the desired role by specifying the slot for that role. If you are removing the multifactor requirement for the Security Officer or Administration Security Officer, include the -O option (ctotp).
You are prompted for the token PIN. Enter the token PIN for the specified role, together with the one-time password from the SafeNet 110 Time-Based OTP Token.
>ctotp del -s0 -O
Please Enter the Security Officer Token PIN:
=================================
OTP Deletion Successful.
=================================
In the future, logging on with this role requires only the standard token PIN.