PIN caching in Personal Desktop Client
This article contains information about the PIN caching mode for Nexus Personal Desktop Client.
CSP is deprecated and replaced by Minidriver
For details on PIN caching in the CSP module, see the sample configuration file for Personal Desktop Client, which lists and describes the configuration parameters for CSP and more. Nexus does not maintain the CSP settings; treat them as experimental, intended only to work around issues seen with older generations of smart cards and tokens.
When Personal Desktop Client runs in PIN caching mode, PIN codes can be cached by the PKCS #11 module (which implements the PKCS #11 Cryptographic Token Interface Base Specification Version 2.40) and by the Smart Card Minidriver module (Windows only). Personal Desktop Client can also run in PIN non-caching mode.
PIN caching applies to all tokens; both smart card and software tokens.
Run Personal Desktop in PIN caching mode
To enable PIN caching mode, do the following:
Set the configuration parameters MD_EnableCachePIN (Minidriver) and P11_EnableCachePIN (PKCS #11) to 1 in the sample configuration file. Set the parameters to 0 to disable PIN caching mode.
Description of PIN caching mode
Each process that loads the PKCS#11 modules has its own PIN caching environment.
When a login succeeds, the PIN is stored in the PIN caching environment of that process and the token is immediately logged out again. Whenever a private-key operation is requested, the module logs in with the cached PIN, performs the operation, and then logs the token out again.
All PKCS#11 contexts loaded into the same process share one PIN caching environment. Because the token is logged out as soon as each private operation completes, an application running in PIN caching mode never holds the card between operations, so the card stays accessible to other applications.
PIN caching when using Minidriver is performed by Windows itself, instructed by the Personal Desktop minidriver module based on a configuration setting.
Minidriver applies for Windows only.
A PIN is cached per token. Within one process, all contexts that access a specific token share its cached PIN. The PIN is cleared from the cache as soon as the last context for that token is released, or when the token is removed from its reader. Note that the cached PIN lives in the memory of the process that entered it, so any code running in that process can trigger private operations with it until it is cleared.
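The following is an added example, not Nexus code: a small Python model that reads the two parameters from the enabling procedure above (MD_EnableCachePIN and P11_EnableCachePIN) and then reproduces the cache lifecycle just described (login stores the PIN and logs the token out; each private operation logs in with the cached PIN, operates, and logs out; the PIN is dropped when the last context for the token closes or the token is removed). The INI section names follow the [CSP_PKCS11] and [minidriver] references on this page, but the exact layout of the real sample configuration file, and the Token, PinCache and Context classes, are assumptions made for illustration.

```python
"""Model of the PIN caching lifecycle described on this page (example, not Nexus code)."""
import configparser

# Constructed sample configuration; the INI layout is an assumption.
SAMPLE_CONFIG = """
[CSP_PKCS11]
P11_EnableCachePIN = 1

[minidriver]
MD_EnableCachePIN = 0
"""


def pin_caching_enabled(config_text):
    """Return (pkcs11_caching, minidriver_caching); only an explicit 1 enables."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    p11 = cp.get("CSP_PKCS11", "P11_EnableCachePIN", fallback="0").strip() == "1"
    md = cp.get("minidriver", "MD_EnableCachePIN", fallback="0").strip() == "1"
    return p11, md


class Token:
    """Stand-in for a smart card or software token; records calls it receives."""

    def __init__(self, label, pin):
        self.label, self._pin = label, pin
        self.present, self.logged_in = True, False
        self.log = []  # PKCS#11-style calls that reached the token

    def login(self, pin):
        if not self.present:
            raise RuntimeError("token removed")
        if pin != self._pin:
            raise ValueError("wrong PIN")
        self.logged_in = True
        self.log.append("C_Login")

    def logout(self):
        self.logged_in = False
        self.log.append("C_Logout")

    def sign(self, data):
        if not self.logged_in:
            raise PermissionError("private operation requires login")
        self.log.append("C_Sign")
        return "sig(%s,%s)" % (self.label, data)


class PinCache:
    """One PIN caching environment: one per process, keyed by token label."""

    def __init__(self, enabled):
        self.enabled = enabled
        self._pins = {}      # token label -> cached PIN (process memory only)
        self._contexts = {}  # token label -> number of open contexts

    def open_context(self, token):
        self._contexts[token.label] = self._contexts.get(token.label, 0) + 1
        return Context(self, token)

    def release_context(self, token):
        self._contexts[token.label] -= 1
        if self._contexts[token.label] == 0:  # last context gone: forget the PIN
            self._pins.pop(token.label, None)

    def token_removed(self, token):
        token.present = token.logged_in = False
        self._pins.pop(token.label, None)  # removal also clears the cache

    def store(self, token, pin):
        self._pins[token.label] = pin

    def cached_pin(self, token):
        return self._pins.get(token.label)

    def has_cached_pin(self, token):
        return token.label in self._pins


class Context:
    """An application's handle to a token inside one process."""

    def __init__(self, cache, token):
        self.cache, self.token = cache, token

    def login(self, pin):
        self.token.login(pin)
        if self.cache.enabled:  # caching mode: keep the PIN, release the card
            self.cache.store(self.token, pin)
            self.token.logout()

    def sign(self, data):
        if not self.cache.enabled:
            return self.token.sign(data)  # non-caching: caller stays logged in
        pin = self.cache.cached_pin(self.token)
        if pin is None:
            raise PermissionError("no cached PIN for token; login required")
        self.token.login(pin)
        try:
            return self.token.sign(data)
        finally:
            self.token.logout()  # card released again for other applications

    def close(self):
        self.cache.release_context(self.token)


def demo():
    """Walk the lifecycle; returns (token call log, PIN cleared at the end)."""
    token = Token("card1", "1234")
    cache = PinCache(enabled=True)
    app_a = cache.open_context(token)
    app_b = cache.open_context(token)  # same process, same token
    app_a.login("1234")                # stores PIN, logs the token out
    app_b.sign("doc1")                 # never entered the PIN: uses the cache
    app_a.close()                      # one context still open: PIN survives
    app_b.sign("doc2")
    app_b.close()                      # last context released: PIN cleared
    return token.log, not cache.has_cached_pin(token)
```

Running demo() shows the token seeing a login/logout pair at PIN entry and then a login, sign, logout triple for each private operation, which is why the card is free for other applications between operations. It also shows the trade-off a practitioner should weigh before setting the parameters to 1: a second context in the same process signs without ever having been given the PIN, so the cache is only as trustworthy as the code sharing that process.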
Configuration details
For configuration details, see the sections DESCRIPTION [CSP_PKCS11] and DESCRIPTION [minidriver] in the sample configuration file.