Logical Tokens

A logical token:

  • is a key

  • is not an application key

  • does not have an ACL (although individual shares do have ACLs)

  • may be DES3 or AES

  • can be split into shares and written to smartcards

  • can be used to protect keys

  • is protected (on smartcards) by a module key

  • is denoted LT followed by a name (for example, LTNSO)

Logical tokens are written to smartcards as follows:

  • The logical token and associated metadata are encrypted under the chosen module key.

  • The ciphertext is split into shares.

  • For each share a unique share key is derived from the module key, the passphrase (if any) and some additional information.

  • Each share is encrypted under its share key.

  • Each share is written to a smartcard.
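
The write procedure above, modelled end to end as an added example; it is not nShield firmware or API code. The page does not specify the real algorithms, so the k-of-n split (Shamir over a prime field), the HMAC-based share-key derivation (with the share index standing in for the "additional information"), the stand-in keystream cipher and all function names are assumptions.

```python
import hashlib, hmac, secrets

P = 2**521 - 1  # prime field for the k-of-n split (assumed scheme, not the HSM's)
SIZE = 66       # bytes that hold any element of the field

def xor_stream(key, data):
    """Stand-in cipher: HMAC-SHA256 keystream, no nonce or MAC (model only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def share_key(module_key, passphrase, info):
    """Per-share key from module key, passphrase (may be empty) and extra info."""
    msg = len(passphrase).to_bytes(2, "big") + passphrase + info
    return hmac.new(module_key, msg, hashlib.sha256).digest()

def write_token(token, module_key, passphrases, k):
    """Encrypt the token, split it k-of-n, encrypt each share, return the 'cards'."""
    if not 0 < len(token) < SIZE:
        raise ValueError("token size not supported by this model")
    blob = xor_stream(module_key, token)             # encrypt under the module key
    coeffs = [int.from_bytes(blob, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(k - 1)]
    cards = []
    for x, pw in enumerate(passphrases, start=1):    # split: one share per card
        y = sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
        key = share_key(module_key, pw, x.to_bytes(2, "big"))   # unique share key
        share = xor_stream(key, y.to_bytes(SIZE, "big"))        # encrypt the share
        cards.append({"x": x, "len": len(blob), "share": share})  # "write" to card
    return cards

def read_token(cards, module_key, passphrases):
    """Decrypt the presented shares, interpolate at 0, decrypt the recovered blob."""
    pts = []
    for card, pw in zip(cards, passphrases):
        key = share_key(module_key, pw, card["x"].to_bytes(2, "big"))
        pts.append((card["x"], int.from_bytes(xor_stream(key, card["share"]), "big")))
    secret = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    blob = secret.to_bytes(SIZE, "big")[-cards[0]["len"]:]
    return xor_stream(module_key, blob)
```

Because this model carries no integrity check, presenting fewer cards than the threshold or a wrong passphrase returns a different byte string rather than an error.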

Administrator Cardset Logical Tokens

An administrator cardset holds the following logical tokens:

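| Token  | Module Key | Purpose        | Threshold |
|--------|------------|----------------|-----------|
| LTNSO  | KMNULL     | Protects KNSO  | acs_k     |
| LTM    | KMNULL     | Protects KM    | t_m       |
| LTR    | KM         | Protects KRE   | t_r       |
| LTP    | KM         | Protects KP    | t_p       |
| LTNV   | KM         | Protects KNV   | t_nv      |
| LTRTC  | KM         | Protects KRTC  | t_rtc     |
| LTDSEE | KM         | Protects KDSEE | t_dsee    |
| LTFTO  | KM         | Protects KFTO  | t_fto     |
| LTFIPS | KM         | Protects KFIPS | 1         |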

LTNSO and LTM always require a full quorum of administrator cards to reassemble.

LTFIPS only ever requires a single administrator card to reassemble. It is only present in strict-FIPS worlds.

The other logical tokens by default require a full quorum but this can be configured at world creation time.

In an NFKM_WorldInfo structure, the quorum of each logical token is given by the member named in the Threshold column of the table above.

Operator Cardset Logical Tokens

An operator cardset holds the following logical tokens:

| Token  | Module Key | Purpose                   |
|--------|------------|---------------------------|
| LTU    | KM         | Protects application keys |
| LTFIPS | KM         | Protects KFIPS            |

LTU requires a full quorum of the operator cardset to reassemble. It is used to protect cardset-protected keys.

As above, LTFIPS only ever requires a single operator card to reassemble. It is only present in strict-FIPS worlds.

Softcard Logical Tokens

A softcard is a software emulation of a single smartcard. The single share of the token is stored in a file. Its contents can be supplied to the module with Cmd_InsertSoftToken and retrieved with Cmd_RemoveSoftToken.

A softcard is used to implement passphrase-protected keys by storing a 1/1 logical token (called LTU) on it, protected by KM. Application keys are then protected by the softcard’s LTU.

Logical Token API Calls

  • Cmd_FormatToken prepares a smartcard for storage of logical token shares.

  • Cmd_GenerateLogicalToken constructs a new logical token. It would normally be followed by calls to Cmd_WriteShare to store token shares to smartcards.

  • Cmd_EraseShare erases a logical token share from a smartcard.

  • Cmd_LoadLogicalToken starts reassembly of a logical token. It would normally be followed by calls to Cmd_ReadShare to read successive token shares.

  • Cmd_GetSlotList identifies the token shares on smartcards.

  • Cmd_GetShareACL retrieves the ACL of an individual token share.

  • Cmd_GetLogicalTokenInfo and Cmd_GetLogicalTokenInfoEx return information about a logical token (including partially assembled ones).

  • Cmd_ChangeSharePIN changes the PIN (passphrase) on a token share.