Smart cards are, essentially, Hardware Security Modules (HSMs). Alternative names are chip cards or integrated circuit cards. SIM cards in mobile phones are also smart cards.

The smart cards that come with the Hardware Appliance are preprogrammed cards with the TCOS operating system (TeleSec Chipcard Operating System). They are branded by the manufacturer of the HSM that is integrated in the Hardware Appliance.

Smart cards store data and organize it in data sets in so-called 'slots'. The data sets can be protected with a Personal Identification Number (PIN). Each slot can have its own PIN. This principle of different data across different slots is the foundation of the PKCS#11 standard.

The principle of possession and knowledge - owning the card and knowing the PIN - is the foundation of Two-Factor Authentication.

Smart Card Reader with PIN Pad

Each Hardware Appliance is delivered with a smart card reader with PIN pad for using and reading the smart cards. A smart card reader with PIN pad is necessary because you have to enter a PIN for all Hardware Appliance functions of the smart cards. The Hardware Appliance HSM manufacturer recommends the model cyberJack e-com from Reiner SCT. The smart card reader must be connected to one of the USB ports at the front or the back of the Hardware Appliance. Using the smart card reader with PIN pad for Hardware Appliance purposes connected to your workstation or browser is currently not supported.

USB port of HSM

The Hardware Appliance HSM features an additional USB port. This port is non-functional. Do not use it for smart card reader purposes.

Using Smart Cards

With the Hardware Appliance, smart cards are used to protect the cryptographic secrets of the HSM. These functionalities are offered by the vendor of the HSM and cover the following:

  • Backup Key Share
  • PKCS#11 slot activation

The two functions operate on different slots. Each of these slots has a separate PIN. These PINs are preset to 123456.

It is possible to use one smart card for both functions. However, the PINs for both functions/slots need to be changed independently. To avoid confusion, it is recommended to use a separate smart card for each function.

Backup Key Share

This smart card function secures the backup of the HSM. Whenever data leaves the HSM, it is encrypted with the Backup Key, also called the Master Backup Key (MBK).

Select one of the smart card options in the Hardware Security Module Settings of the WebConf installation wizard to start the following process:

  1. The Backup Key is generated in memory.
  2. The Backup Key is written to the smart cards.
  3. The Backup Key is read back from the smart cards into the HSM.

Data that is downloaded from the HSM with administrative functions - such as create backup - will then be encrypted with the Backup Key. You will need to have the smart cards ready for the following actions:

  • Restoring a backup: The Backup Key that encrypts the backup files needs to be uploaded to the HSM first.
  • Configuring your Hardware Appliance as a node of a cluster: We initially load the HSM.

The Backup Key is spread across these smart cards using a quorum. For more details on quorums refer to the Quorum section below.

You cannot restore a Backup Key share if it has been overwritten by mistake. We therefore recommend the following:

  • Change the PIN of a smart card right after the successful installation to prevent any mix-up or error.
  • Create copies of Backup Key share smart cards to be stored in a safe place.

Note that the Backup Key cannot be changed after installation - this would invalidate all existing backup files.

PKCS#11 slot activation user smart card

Smart cards can store user credentials that are needed to activate PKCS#11 slots. There is no quorum for user credentials on smart cards. For more information about PKCS#11 slot smart card activation, see PKCS#11 Slot Smart Card Activation.

User credentials on a smart card used for PKCS#11 slot activation cannot be copied one-to-one, unlike the Backup Key share on a smart card.

Quorum ('2 out of 3' or '3 out of 5')

The Backup Key is distributed across multiple smart cards to increase security. This ensures that potential attackers cannot read a backup file even if they possess one smart card together with its PIN. However, splitting a Backup Key between multiple smart cards can also have disadvantages. Usability is decreased if every single card owner needs to be present in case of a disaster recovery. In addition, reliability also decreases because a single lost, broken or otherwise deactivated smart card ruins all your emergency precautions.

To balance security, usability, and reliability, the Backup Key is distributed across the smart cards with a method called "Shamir's Secret Sharing". The name refers to its inventor, Adi Shamir, a well-known and respected cryptographer. The method is also known as Quorum, as k out of n, or as m out of n. With this method, a symmetric cryptographic key is split into n shares such that every combination of k shares is sufficient to reconstruct the complete key, while any fewer than k shares reveal nothing about it.

The Hardware Appliance software generates a 32-byte AES key (symmetric cryptography) and offers the following choices:

  • 2 out of 3: 2 out of 3 smart cards are required to reconstruct the complete key.
  • 3 out of 5: 3 out of 5 smart cards are required to reconstruct the complete key.
    This option represents a higher level of security. However, 3 of the 5 smart card owners must be available for any disaster recovery – a requirement that could make it difficult to bring the system back to life at 5 o'clock on a Sunday morning.

Installation example: '2 out of 3' scenario

Timeout on smart card operations

Please read the following documentation carefully before starting the process. You will not have time for careful reading during the installation process: you will risk running into a timeout during a smart card operation.

Timeouts are not indicated on the PIN pad display. The display will turn blank and you will find the timeout information in WebConf.

The following instructions guide you through the process of installing a 2 out of 3 quorum for the Backup Key share. The procedure includes the steps Preparation, Key generation, and Key reading:

Step 0: Preparation

Connect the smart card reader to one of the four USB ports on the front or back of the Hardware Appliance. The following text (or similar) will appear on the display:

            REINER SCT cyberJack e-com

This text will disappear with any PIN pad operation. If you have multiple PIN pad operations in one session, the display might be entirely blank when you start this operation.

Step 1: Key generation

With the following process, any existing Backup Key share on the smart cards will be overwritten. Each smart card can only store one Backup Key share. You cannot use one smart card to save two different Backup Key shares for two different Hardware Appliance environments. Every node in a cluster uses the same Backup Key, thus any set of Backup Key share smart cards will work with every node in a cluster.

A new Backup Key needs to be generated and the Backup Key shares need to be written to the smart cards.

  1. Start the installation (see Step 5: Running WebConf Wizard). The PIN pad display indicates that the process to write the new key shares to the smart cards can start:

                    Write New Key press OK/Cancel

  2. Press the green OK button on the PIN pad. The PIN pad display will prompt you to insert the first smart card of the set:

                    Insert 1. card press OK/Cancel

  3. Insert the first smart card and press the green OK button. The PIN pad will prompt you to enter the PIN:

  4. Enter the PIN of the smart card. For each digit of the PIN an asterisk appears.

    Entering the PIN

    • Default PIN: A new smart card delivered with the Hardware Appliance comes with the PIN 123456. For details of how you can change this PIN manually, refer to Change the PIN of the Backup Key share on a smart card.
    • PIN correction: To restart entering the PIN press the yellow Clear button.
    • Cancel PIN entry: To abort the entire operation press the red Cancel button.
  5. Press the green OK button to confirm the PIN. The display will shortly indicate an ongoing operation.

  6. Make sure the smart card remains in the smart card reader until you are prompted to insert the second smart card:

                    Insert 2. card press OK/Cancel

  7. Remove the first smart card from the smart card reader.
    Insert the second smart card and press the green OK button. You will be prompted to enter the PIN:

  8. Enter the PIN of the smart card and press the green OK button to confirm it.
    Make sure the smart card remains in the smart card reader until you are prompted to insert the third smart card:

                    Insert 3. card press OK/Cancel

  9. Remove the second smart card.
    Insert the third smart card and press the green OK button. You will be prompted to enter the PIN:

  10. Enter the PIN of the third smart card and press the green OK button to confirm it.

Step 2: Key Reading

The Backup Key will now be loaded into the HSM by reading it from the smart cards. In our example, the Backup Key is based on the quorum '2 out of 3', therefore the complete Backup Key can be reconstructed by reading only two smart cards. The smart cards can be read in any order.

  1. The PIN pad display indicates that the process to read the new key from the smart cards can start:

                    Read New Key press OK/Cancel

  2. Press the green OK button on the PIN pad. The PIN pad display will prompt you to insert the first smart card:

                    Insert 1. card press OK/Cancel

    You can use any 2 of the 3 smart cards that you used for the key generation process. For your convenience, you can therefore leave the third smart card from the key generation process in the smart card reader. You can then use it when prompted to Insert the 1. card.

  3. Insert a smart card and press the green OK button. The PIN pad will prompt you to enter the PIN:

  4. Enter the PIN of the smart card and confirm it with the green OK button.

  5. The display will shortly indicate an ongoing operation. You will then be prompted to insert the second smart card:

                    Insert 2. card press OK/Cancel

  6. Insert one of the remaining 2 smart cards and press the green OK button. You will be prompted to enter the PIN:

  7. Enter the PIN of the inserted smart card and press the green OK button to confirm it. This will complete the operation.

Avoid any of the following problems:

  • Running into a timeout during the PIN pad operations.
    A timeout message will not be visible on the PIN pad display. You will only find it in WebConf.
  • Entering a wrong PIN for one smart card three times in a row.
    This will block the smart card.
  • Failing to enter the required number of different smart cards for the Key Reading.
    You need to enter 2 cards for the '2 out of 3' scenario and 3 cards for the '3 out of 5' scenario.
  • Accidental unplugging of the smart card reader.
  • Inserting smart cards that were not delivered by PrimeKey.

Each of these issues will abort the installation. The machine will then be in an inconsistent state. You will have to do a full Factory Reset as described in Step 1: External Erase and Factory Reset. After that, the installation process must be restarted.

WebConf offers multiple tools to help you handle smart cards properly. For more information, see the WebConf HSM section.

Make a one-to-one copy of a Backup Key share on a smart card

This allows you to copy the Backup Key share from one smart card to another smart card. Thus you can create a second set of '2 out of 3' cards for your disaster recovery site. We recommend creating a backup set of the Backup Key share smart cards. Never keep the Backup Key share smart cards near the backup of the Hardware Appliance.

Each smart card is unique, therefore this function cannot be used to recover lost smart cards in a set. However, if you need a '2 out of 2' scenario, this function allows you to copy the data from the second smart card to the third smart card, effectively overwriting the Backup Key share on the third smart card.

Change the PIN of a Backup Key share on a smart card

This allows you to change the PIN of the Backup Key share on a smart card:

  • We highly recommend this for each of the Backup Key share smart cards to prevent a mix-up or accidental overwriting of the contents of a smart card.
  • You can use this function to assign a smart card to another person in the company.
  • You can use this function for a smart card that comes originally from another Hardware Appliance.

Change the PIN of a PKCS#11 Slot User on a smart card

This allows you to change the PIN of the user credentials on a smart card:

  • We highly recommend this for each of the PKCS#11 slot activation user smart cards to prevent a mix-up or accidental overwriting of the contents of a smart card.
  • You can use this function to assign a smart card to another person in the company.
  • You can use this function for a smart card that comes originally from another Hardware Appliance.

For more information about PKCS#11 slot smart card activation, see PKCS#11 Slot Smart Card Activation.