The Concept of iKey Authentication; Types of iKeys; Wrap Keys for ASA 310-FIPS Clusters - Avaya VPN Gateway User Manual

The Concept of iKey Authentication

Access to sensitive data on an ASA 310-FIPS is protected by a combination of hardware tokens
(called iKeys), passwords, and encryption procedures.
The iKey is a cryptographic token that is used as part of the authentication process for certain
operations involving the HSM cards. Whenever you perform an operation on the ASA 310-FIPS
that calls for iKey authentication, the Command Line Interface prompts you to insert the
requested iKey into the USB port on the appropriate HSM card. (When you are prompted for a
particular iKey, a flashing LED always directs you to the correct HSM card.)

Types of iKeys

For each HSM card there are two unique iKeys used for identity-based authentication: the
HSM-SO iKey and the HSM-USER iKey. These two iKeys define the two available user roles:
Security Officer and User. A password must be defined for each user role, and each
password is directly associated with the corresponding iKey. The ASA 310-FIPS is equipped
with two HSM cards, so you must maintain two pairs of HSM-SO and HSM-USER iKeys, with
their associated passwords, for each single ASA 310-FIPS device.
After an HSM card has been initialized, that card will only accept the HSM-SO and HSM-USER
iKeys that were used when initializing that particular card. You cannot create backup copies
of the associated HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM-USER
password cannot be retrieved. It is therefore extremely important that you establish routines
for how the iKeys are handled.

Wrap Keys for ASA 310-FIPS Clusters

In addition to the HSM-SO and HSM-USER iKeys specific to each HSM card, one pair of iKeys
(the black HSM-CODE iKeys) must also be maintained for each cluster of ASA 310-FIPS
units.
Note:
It is strongly recommended that you label the two black HSM-CODE iKeys "CODE-SO" and
"CODE-USER" respectively; these iKeys are referred to by those names both in the
documentation and in the Command Line Interface.
During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is automatically
generated. The wrap key is a secret shared among all ASA 310-FIPS units in the cluster. It encrypts
and decrypts sensitive information that is sent over the PCI bus within an ASA 310-FIPS, and
over the network among the ASA 310-FIPS devices in the cluster. By inserting the CODE-SO
iKey and the CODE-USER iKey in turn when requested by the Setup utility, the wrap key is
User Guide
The Concept of iKey Authentication
April 2013
33