Public Key Authentication

Public Key Authentication is an authentication method of the SmartCard-HSM in which the login that enables key access is performed with a challenge-response protocol. A custodian holds a private authentication key on their personal token, and the matching public key is registered in the SmartCard-HSM.

Authentication is performed by signing a random challenge with the authentication key. The signature is then validated against the registered public key and access is granted.

Public Key Authentication supports an n-of-m threshold scheme: you can register more keys for authentication (m) than are required to enable access (n). This allows configurations where more than a single key custodian must authenticate, in order to implement shared control.

The benefit of using Public Key Authentication over a User-PIN is that the private key cannot be lost to an eavesdropper, while a PIN value can be eavesdropped on. For this reason, entering a User-PIN in the PKI-as-a-Service for enabling TrustCenter tokens has been removed. Public Key Authentication is the recommended authentication mechanism for that use case. You can of course still authenticate locally with a User-PIN and then connect the authenticated device to the portal.

Creating an Authentication Key

Every key custodian involved in enabling access to keys on a SmartCard-HSM must generate a personal authentication key.

Log into the personal SmartCard-HSM and select Generate ECC Key from the context menu of the SmartCard-HSM node of the outline.

Generate EC Key

Choose brainpoolP256r1 as curve parameter.

Choose brainpoolP256r1

Choose a good label for the key.

Choose Key Label

The key reference is what is encoded in the CHR attribute of the CV-Certificate. This field has a length constraint: it must be between 8 and 16 characters and should follow the notation 2-character country code, 1- to 9-character holder name and 5-character serial number.

The key reference is stored in the SmartCard-HSM during public key registration for PKA. It is useful to assign unique identifiers to key custodians, so that one can see who is registered or has already authenticated.

Choose Key Reference

For the key algorithm select ECDSA_SHA256 or leave the field empty.

Choose Key Algorithms

Next save the public key to a file. This file is required later to register the public key at the target SmartCard-HSM for which PKA should be enabled.

Save Public Key

Repeat the procedure for all key custodians you want to enroll.

Preparing for Public Key Authentication

To prepare for Public Key Authentication you need to select Public Key Authentication as the authentication mechanism during initialization.

Select PKA as Authentication Mechanism

After that you are prompted to define how many public keys you want to register (the parameter m in n-of-m). For this session we choose 3.

Set Number of Keys

Next you define the threshold, which is the minimum number of keys that must authenticate to enable access to the keys (the parameter n in n-of-m).

We choose 2 for this setup.

Set Threshold

If you answer the next question with "Yes", then you can replace authentication keys later, for example if a key custodian is replaced or has lost their authentication key.

Allow Replacing Keys

After that continue the normal initialization steps.

The outline now shows the PKA status.

PKA Output in Outline

In the next step you register the public keys of your key custodians. Select Register Public Key from the context menu of the PKA node.

Start Registration

Open the file containing the public key of the authentication key.

Open PKA File

A confirmation prompt follows, asking whether this is what you want.

Confirm Registration

The outline is now updated with the registered public key.

One Key Registered

Repeat the procedure for the two other public keys. The outline then shows the full status.

Registration Complete

Performing Public Key Authentication

In order to perform Public Key Authentication you need to have both tokens or cards connected. Start by connecting the SmartCard-HSM you want to open (disable Automatically access card with Key Manager so that inserting the card or token does not restart the Key Manager).


Select Authenticate with Public Key from the context menu of the PKA node.


Next you need to select the token or card reader holding the key custodian's token that contains the authentication key.


You need to select the key to use for Public Key Authentication.


After entering the PIN, authentication is performed and the outline updated accordingly.

One Authenticated

Repeat this for at least one other key to reach the quorum of two successfully authenticated public keys.

Fully Authenticated

Once the threshold has been reached, the authentication status changes to '9000', just like after successful authentication with a User-PIN.

Replacing a Public Key

If replacing a public key was enabled during initialization, you can select Replace Public Key for the existing key you want to replace.

Replace Key

As before, read the new public key from the .pka file.
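As an added illustration (not code from the Key Manager or the SmartCard-HSM itself), the following Python models the key reference (CHR) rule from the key creation step, the n-of-m registration and challenge-response authentication, and key replacement described above: custodian keys are brainpoolP256r1 with ECDSA over SHA-256, as chosen when the authentication key was generated. It assumes the `cryptography` package; the class and function names, the 32-byte challenge size, the A-Z/0-9 alphabet for key references and the rule that replacing a key drops the current quorum are assumptions of this model, not documented SmartCard-HSM behaviour.

```python
import os
import re
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def valid_key_reference(ref: str) -> bool:
    # CHR rule from the page: 2-char country code, 1-9 char holder name, 5-char serial (A-Z/0-9 assumed)
    return 8 <= len(ref) <= 16 and re.fullmatch(r"[A-Z]{2}[A-Z0-9]{1,9}[A-Z0-9]{5}", ref) is not None

class PkaModel:  # constructed model of the n-of-m PKA state a SmartCard-HSM keeps
    def __init__(self, m: int, n: int, allow_replace: bool):
        self.m, self.n, self.allow_replace = m, n, allow_replace
        self.keys = {}              # key reference -> registered public key
        self.authenticated = set()  # key references with a valid response so far
        self._challenge = None

    def register(self, ref: str, pub: ec.EllipticCurvePublicKey) -> None:
        if not valid_key_reference(ref) or ref in self.keys or len(self.keys) >= self.m:
            raise ValueError("bad key reference, duplicate, or no free slot")
        self.keys[ref] = pub

    def replace(self, ref: str, pub: ec.EllipticCurvePublicKey) -> None:
        if not self.allow_replace or ref not in self.keys:
            raise PermissionError("replacing keys was not enabled at initialization")
        self.keys[ref] = pub
        self.authenticated.clear()  # this model drops the current quorum when a key is swapped

    def challenge(self) -> bytes:
        self._challenge = os.urandom(32)  # fresh per attempt: old responses can't be replayed
        return self._challenge

    def authenticate(self, ref: str, signature: bytes) -> bool:
        chal, self._challenge = self._challenge, None  # each challenge is single use
        if chal is None or ref not in self.keys:
            return False
        try:  # ECDSA with SHA-256 over the challenge, as selected for the key above
            self.keys[ref].verify(signature, chal, ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        self.authenticated.add(ref)  # a key counts once, however often it signs
        return True

    def status(self) -> str:  # '9000' once the quorum n is reached, as on the page
        return "9000" if len(self.authenticated) >= self.n else "NOT AUTHENTICATED"

def custodian_token():  # stand-in for a custodian's token: (public key, responder)
    priv = ec.generate_private_key(ec.BrainpoolP256R1())
    return priv.public_key(), lambda chal: priv.sign(chal, ec.ECDSA(hashes.SHA256()))
```

The responder closure stands in for the custodian's token signing the challenge after its PIN was entered; the private key never leaves it.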