PKCS#11
|
| Cryptographic Token Interface Standard |
PKCS#11 |
Using a private key protected by secondary authentication uses the same process, and call sequence, as using a private key that is only protected by the login PIN. In fact, applications written for Cryptoki Version 2.01 will use secondary authentication without modification.
When a cryptographic operation, such as a digital signature, is started using a key protected by secondary authentication, a combination of the Cryptoki implementation and the token will gather the required PIN value. If the PIN is correct, then the operation is allowed to complete. Otherwise, the function will return an appropriate error code. The application is not required to gather PIN information from the user and send it through Cryptoki to the token. It is completely transparent.
The application can detect when Cryptoki and the token will gather a PIN for secondary authentication by querying the key for the CKA_SECONDARY_AUTH attribute (see section 10.9). If the attribute value is TRUE, then the application can present a prompt to the user. Since Cryptoki Version 2.01 applications will not be aware of the CKA_SECONDARY_AUTH attribute, the PIN gathering mechanism should make an indication to the user that an authentication is required.