PIN Caching for "PIN Always" Private Keys
Some smart cards are configured to enforce a PIN prompt for every key operation; the most common example is the Personal Identity Verification (PIV) card, where the Signature Key is configured for "PIN Always", as defined in FIPS 201 and NIST Special Publication 800-73.
The intent of the PIN Always policy is to provide non-repudiation services. To improve ease of use while preserving the explicit user action that non-repudiation requires, ActivClient includes an option where the user can ‘confirm’ the operation without re-entering the PIN, provided the PIN was entered earlier and is still present in the middleware cache.
This behavior complies with NISTIR 7863.
Policy Name: Enable PIN caching for "PIN Always" private keys
Description:
Defines if the PIN cache is applicable for operations with a private key configured for "PIN Always".
If enabled with the PIN Cache Type set to User Acknowledgement, then a confirmation dialog is displayed, which guarantees non-repudiation for these operations.
If enabled with the PIN Cache Type set to Full Caching, then the PIN is supplied automatically without any user action (not compliant with FIPS 201).
If this setting is not configured or disabled, then PIN entry is required for all operations with a private key configured for "PIN Always".
Organizations can select the middleware behavior for private keys configured for PIN Always based on their own security and usability policies. You can configure ActivClient to display one of the following:
- PIN prompt (default policy – same behavior as with ActivClient 6.x and 7.0 earlier than 7.0.0.51).
- Confirmation dialog (new option available with ActivClient 7.0.0.51 and later).
  When the "You are about to digitally sign a file or message. Please confirm that you want to use your smart card for this operation." message is displayed, users can either click:
  - Confirm to proceed with the operation.
  - Cancel to end the operation.
- No PIN prompt (new option using the Full Caching mechanism, which is not compliant with FIPS 201; available with ActivClient 7.4 and later).
This behavior can be combined with other PIN cache policies, and applies to all applications that use the PIV Digital Signature key, such as:
- Microsoft Outlook
- Outlook Web Access / Outlook Web App (a Microsoft Exchange feature, using Internet Explorer as the interface)
- IBM Lotus Notes
- Mozilla Thunderbird
- Adobe Acrobat
- And many more off-the-shelf or custom applications
Example
The following example uses a configuration with:
- PIN cache set to 'per process'
- PIN cache timeout set to 15 minutes
- PIN caching for "PIN Always" private keys set to Enabled with PIN Cache Type as User Acknowledgement
Steps:
- Insert your smart card into the reader and open Microsoft Outlook.
- Compose and digitally sign an email, enter your PIN when prompted, and then send the email.
- Five (5) minutes later, send a second signed email. The signature confirmation dialog displays. Confirm the operation. ActivClient sends the previously cached PIN code to the smart card.
- Five (5) minutes later, you receive and attempt to open an encrypted email. Outlook decrypts it without prompting for the PIN, because the PIN is still cached and the Key Management key is allowed to use the PIN cache.
- Twenty (20) minutes later, you receive and attempt to open another encrypted email. As the PIN cache timeout has been reached, Outlook prompts you for the PIN before decrypting it.
- Enter the correct PIN to decrypt the email.
- Five (5) minutes later, open Adobe Acrobat and sign a document. You are prompted for the PIN again because Adobe Acrobat runs in a different Microsoft Windows process.
- Five (5) minutes later, in the same Adobe Acrobat session, sign another document. The signature confirmation dialog displays. Confirm the operation. ActivClient sends the previously cached PIN code to the smart card.