9.0 Roles and Services

9.1 Roles

The HSM supports two roles. These are the User role and the Security Officer role. Each role has a username and an iKey ID that are selectable by the security officer. The module must be handled in a secure manner prior to initialization because authentication is not required to initialize the module. Cryptographic keys and user-defined data which is created by a specific authenticated user cannot be deleted or modified by another user, regardless of the role. For example, a specific user of the User role may not delete or modify keys or data created by a different user of either the User or SO roles. The SO and User roles cannot operate simultaneously. Only one authenticated user is allowed at a time.

9.1.1 User

The User role can perform cryptographic operations using private keys which are encrypted and stored in flash. The User role cannot create a user.

9.1.2 Security Officer

The Security Officer role can also perform cryptographic operations using private keys which are encrypted and stored in flash. Additionally, the Security Officer may create a user, update the HSM firmware, or command the HSM to "uninitialize."

9.2 Authentication

The HSM uses identity-based authentication to allow subjects to assume one of the two roles. Usernames are transmitted to the HSM over the PCI interface to identify the user. A corresponding personal identification number (SOPIN or UserPIN as described in section 8.0) is input to the HSM from an iKey token over the trusted USB interface. This PIN is hashed and compared with a hash value which is stored in flash and associated with the user's name on the HSM. If the two hash values match, the user is authenticated and assigned a role that is associated with the user's name. To increase security in case the iKey token is compromised, an iKey ID is used to unlock the plaintext PIN that is stored in the iKey. This plaintext iKey ID is input into the module in plaintext as part of the Login service.
The module provides a SHA-1 of this iKey ID to the iKey token to unlock the PIN. Because the iKey ID does not authenticate the user to the module, but rather unlocks the plaintext PIN from the iKey, the iKey ID is not an SRDI.

9.3 Initialization

The HSM is shipped in an un-initialized state. At this point, it contains no private or secret keys. The Security Officer initializes the board. Performing this function generates an internally stored master key, and generates a random PIN, which is stored in the Security Officer's

Nortel VPN Gateway User Guide
NN46120-104 02.01 Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks.
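The following is an added model of the login flow and the ownership rules described in sections 9.1 and 9.2 above; it is constructed for illustration and is not Nortel's HSM code. It follows the guide where the guide is specific (usernames identify the account, the module presents a SHA-1 of the iKey ID to the token to release the PIN, the released PIN is hashed and compared with a stored hash, one authenticated user at a time, SO-only user creation, and no cross-user key deletion). Everything else is an assumption: the class and function names, the use of SHA-256 as the PIN hash (the guide says only that the PIN is hashed), the in-memory dictionaries standing in for flash, and the short random PIN returned by `initialize`.

```python
"""Constructed model of the HSM's identity-based login and per-user key ownership."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ROLE_USER = "User"
ROLE_SO = "SecurityOfficer"


def pin_hash(pin: str) -> bytes:
    """Hash a PIN for storage. Assumption: SHA-256; the guide only says 'hashed'."""
    return hashlib.sha256(pin.encode()).digest()


def ikey_unlock_value(ikey_id: str) -> bytes:
    """SHA-1 of the iKey ID, which the module presents to the token (section 9.2)."""
    return hashlib.sha1(ikey_id.encode()).digest()


@dataclass
class IKeyToken:
    """Simulated iKey: releases its plaintext PIN only for the matching SHA-1(iKey ID)."""
    unlock: bytes
    pin: str

    @classmethod
    def provision(cls, ikey_id: str, pin: str) -> "IKeyToken":
        return cls(ikey_unlock_value(ikey_id), pin)

    def release_pin(self, unlock: bytes) -> Optional[str]:
        # Constant-time comparison so the token does not leak the unlock value byte by byte.
        return self.pin if hmac.compare_digest(unlock, self.unlock) else None


@dataclass
class HSM:
    # Stand-ins for flash storage (assumption): username -> (role, PIN hash); key label -> owner.
    accounts: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)
    key_owner: Dict[str, str] = field(default_factory=dict)
    session: Optional[str] = None  # at most one authenticated user at a time

    def initialize(self, so_name: str) -> str:
        """Unauthenticated, as in section 9.3; returns the generated SO PIN for token provisioning."""
        pin = secrets.token_hex(4)  # assumption: 8 hex digits is enough for the model
        self.accounts[so_name] = (ROLE_SO, pin_hash(pin))
        return pin

    def login(self, username: str, token: IKeyToken, ikey_id: str) -> Optional[str]:
        """Return the role on success, None on any failure (a user is already logged in,
        unknown name, wrong iKey ID, or PIN hash mismatch)."""
        if self.session is not None or username not in self.accounts:
            return None
        pin = token.release_pin(ikey_unlock_value(ikey_id))
        if pin is None:
            return None
        role, stored = self.accounts[username]
        if not hmac.compare_digest(pin_hash(pin), stored):
            return None
        self.session = username
        return role

    def logout(self) -> None:
        self.session = None

    def _role(self) -> Optional[str]:
        return self.accounts[self.session][0] if self.session else None

    def create_user(self, username: str, pin: str) -> bool:
        """Only the Security Officer may create a user (section 9.1.2)."""
        if self._role() != ROLE_SO or username in self.accounts:
            return False
        self.accounts[username] = (ROLE_USER, pin_hash(pin))
        return True

    def create_key(self, label: str) -> bool:
        """Any authenticated user may create a key; the creator becomes its owner."""
        if self.session is None or label in self.key_owner:
            return False
        self.key_owner[label] = self.session
        return True

    def delete_key(self, label: str) -> bool:
        """Keys may be deleted only by the user that created them, regardless of role (section 9.1)."""
        if self.session is None or self.key_owner.get(label) != self.session:
            return False
        del self.key_owner[label]
        return True
```

Two points the model makes visible: the iKey ID never reaches the comparison in `login` (it only gates the token's `release_pin`, which is why the guide does not treat it as an SRDI), and the ownership check in `delete_key` is keyed on the username, not the role, so an SO session cannot remove a User's key either.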