Key Authorization

When an application needs keys that are protected by an Operator Card Set or a Softcard, a user interface is invoked to prompt the application user to insert the smart card and/or enter appropriate passphrases.

The user interface prompt is not provided if your application is working in silent mode. The nShield CNG providers attempt to load the required authorization (for example, from an Operator Card that has already been inserted) but fail if no authorization can be found. For more information about silent mode, refer to the documentation of the CNG Key Storage Functions at: http://msdn2.microsoft.com/en-us/library/aa376208.aspx.

When the CNG application is running in Session 0 (that is, loaded by a Windows service), the user interface is provided by an agent process, nShield Service Agent, that is started when the user logs in. This agent, when running, is shown in the Windows System Tray. All user interaction requests from a CNG application running in Session 0 cause dialogs to be raised by the agent, allowing the user to select cardsets and modules and to enter passphrases. The interaction with the user is functionally identical to that described in this section.

There can only be one instance of the agent running (indicated by a blue globe in the Tray Notification area in the toolbar). Attempts to start a second instance will fail with a CreateNamedPipe error. If the agent is not running, attempts to invoke dialogs through it will fail, and this is logged in the Windows Event Log. The agent can be restarted by logging off and on, or by explicitly executing either %NFAST_HOME%\bin\nShield_service_agent64.exe or %NFAST_HOME%\bin\nShield_service_agent.exe. On 64-bit platforms either of these can be used, irrespective of the bit size of the underlying application.

For more information about autoloadable Card Sets and the considerations of silent mode, see the key authorization requests diagram towards the end of this section.

You define key protection and authorization settings with the CNG Configuration Wizard on the Key Protection Setup screen. For more information about the CNG Configuration Wizard, see the User Guide for your HSM.

The options on this screen that are relevant to key protection and authorization are:

  • Module protection

    Select this option to make keys module protected by default.

  • Softcard Protection

    Select this option to generate new keys with a particular Softcard by default.

  • Operator Card Set protection

    Select this option to generate new keys with a particular Operator Card Set by default.

  • Allow any protection method to be selected in the GUI when generating

    Select this option to defer selection of the key protection until the key is generated. When generating a key, the choice between Module protection, or protection with an existing Softcard or Operator Card Set, will be offered.

If you select Softcard or Operator Card Set protection, you will be offered the choice between selecting an existing protection token and creating a new one on the next page.

The CNG Configuration Wizard can be re-run to change the default protection. Existing keys that were generated with a different protection can still be loaded even if they don’t match the protection that was selected in the wizard.

The nShield GUI is never enabled for calls with a valid Silent option. If the Use the GUI wizard.. option is selected, and the providers have been passed the Silent option, key generation will always fail. For Softcard and Operator Card Set protection, Silent mode will work only if the Softcard or Operator Card Set can be autoloaded without prompting for user interaction or passphrase entry.
[Diagram: key authorization requests]
FIPS 140 Level 3 environments always require card authorization for key creation. When using the CNG Primitive Functions the user is not prompted to provide card authorization, but the request fails if no card is provided.

The key storage providers always respect calls made with the Silent option. Primitive providers never display a user interface.

Applications may have a mechanism to disable silent mode operation, thereby allowing appropriate passphrases to be entered. Ensure that you configure applications to use an appropriate level of key protection. For example, in Microsoft Certificate Services, you must select the Use strong private key protection features provided by the CSP option to disable silent mode operation.
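The following PowerShell script is an added example and is not part of the nShield documentation or product. It shows, from the application side, the two behaviours described above: a key load attempted with the CNG Silent option, which the key storage provider either satisfies from already-available authorization or fails without raising any dialog, followed by an optional interactive retry; and a check that the nShield Service Agent is running before that retry, since a Session 0 application depends on it for its dialogs. It uses the .NET CngKey wrapper over the CNG key storage functions (CngKeyOpenOptions.Silent corresponds to the Silent option). The key storage provider name string and the key name are placeholders, and the helper names are the example's own.

```powershell
# Added example (not nShield code). Assumptions: the provider name below is a
# placeholder for the nShield key storage provider name; the key name is constructed.
Add-Type -AssemblyName System.Security

$script:NShieldKspName = 'PLACEHOLDER-nShield-KSP-name'   # assumption: fill in the real KSP name

function Test-NShieldServiceAgent {
    # The Session 0 UI agent runs as nShield_service_agent.exe / nShield_service_agent64.exe.
    $null -ne (Get-Process -Name 'nShield_service_agent*' -ErrorAction SilentlyContinue)
}

function Start-NShieldServiceAgent {
    # For an administrator in an interactive session; only one instance may run,
    # a second one fails with a CreateNamedPipe error.
    if (Test-NShieldServiceAgent) { return }
    $exe = Join-Path $env:NFAST_HOME 'bin\nShield_service_agent64.exe'
    if (-not (Test-Path $exe)) { $exe = Join-Path $env:NFAST_HOME 'bin\nShield_service_agent.exe' }
    Start-Process -FilePath $exe
}

function Open-NShieldKey {
    param(
        [Parameter(Mandatory)][string]$KeyName,
        [switch]$AllowPrompt    # the application's own "disable silent mode" mechanism
    )
    $provider = New-Object System.Security.Cryptography.CngProvider($script:NShieldKspName)
    try {
        # Silent open: the KSP tries to load authorization (for example from an Operator
        # Card already inserted, or an autoloadable Softcard) and fails otherwise,
        # without raising any user interface.
        return [System.Security.Cryptography.CngKey]::Open($KeyName, $provider,
            [System.Security.Cryptography.CngKeyOpenOptions]::Silent)
    } catch [System.Security.Cryptography.CryptographicException] {
        if (-not $AllowPrompt) { throw }
        Write-Warning "Silent load of '$KeyName' failed: $($_.Exception.Message). Retrying with UI."
    }
    # Interactive retry: the KSP may now prompt for a card set, module or passphrase.
    # From Session 0 the dialog is raised by the service agent; if it is not running
    # the request fails and the failure is logged to the Windows Event Log.
    if (-not (Test-NShieldServiceAgent)) {
        Write-Warning 'nShield Service Agent is not running; a Session 0 prompt will fail.'
    }
    [System.Security.Cryptography.CngKey]::Open($KeyName, $provider,
        [System.Security.Cryptography.CngKeyOpenOptions]::None)
}

# Usage (constructed key name): silent first, fall back to prompting the user.
$key = Open-NShieldKey -KeyName 'example-rsa-key' -AllowPrompt
"Opened key '$($key.KeyName)' ($($key.Algorithm.Algorithm))"
$key.Dispose()
```

Calling Open-NShieldKey without -AllowPrompt gives the strict silent behaviour a service should have: a key whose Operator Card Set or Softcard cannot be autoloaded is reported as an error rather than hanging on a dialog nobody can see.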