I'm working on a project two implement two factor authentication using a PKCS based smart card and a HSM.
Scheme which I have formulated so far is
1. get a public/private key pair generated on HSM
2. Store the public key from the above pair on the smartcard
3. Generate random bytes on smartcard, get it encrypted using the public key
4. Send the encrypted bytes and the original random bytes to HSM
5. Decrypt the encrypted bytes using the private key on the HSM and compare with the original bytes.
6. If bytes match then login else do not allow the user to login.
My restriction is that I do not want a third party application to be communicating with the HSM.
Just the dll to communicate with smart card and HSM.
Can anyone suggest some other scheme to implement two Factor on the HSM.
Gaurav Chander wrote:Smartcard will act as second factor as user will be able to authenticate to HSM only if smartcard is connected.
I don't see how? How will you stop the HSM being authenticated by its out-of-the-box approach?
I agree it is not actual two factor but let's just ignore that and please suggest some scheme to make use of smartcard to authenticate on HSM
The only HSM I have worked with used a card reader to authenticate the user so I don't understand your requirement. Even if I did I don't think I have enough expertise to help because as with anything like this you should employ an expert or you risk creating an insecure system.
subject: Two Factor authentication using HSM and Smart Card