phrase guidance for guidance on choosing strong pass phrases.
A register should be maintained of the individuals who have access to softcards to
support operation and any role transition.
The customer’s security procedures should determine whether a lost softcard may be
recovered to a new softcard; this recovery is enabled by default during Security
World creation. They should also determine whether a lost softcard pass phrase may
be replaced; this is disabled by default during Security World creation.
You can use a single softcard to protect multiple keys, and it is possible to generate
multiple softcards with the same name or pass phrase. Whilst convenient, this increases
the attack surface: an attacker who recovers the pass phrase gains access to every key
protected by all softcards that share it. A threat analysis should determine the number
of keys that may safely be protected by any one softcard and its associated pass phrase.
Softcards are persistent: once a softcard has been loaded, it remains valid for loading
the keys it protects until its KeyID is destroyed. Ensure that KeyIDs are destroyed as
soon as the required operations are complete.
5.2.4. Logical token pass phrase guidance
The following public sources of pass phrase guidance are recommended as references
for creating a user password policy:
• National Cyber Security Centre (UK) - Password Guidance Summary
• Appendix A of NIST Special Publication 800-63B - Digital Identity Guidelines
• SANS Password Construction Guidelines
A timing delay is applied to pass phrase retries to add further protection; however, there
is no retry lockout, so the rate of guessing is limited but the number of guesses is not
capped. A robust user pass phrase policy is therefore the main mitigation against a
determined pass phrase attack. In support of this, a warning message can be configured to
flag pass phrases that are too short to comply with your security procedures. The warning
message can only be enabled during Security World creation.
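The following is an added example, not part of the nShield Security Manual and not an nShield tool: a pre-check of the kind a site might run over a candidate softcard or logical token pass phrase before it is set, applying the checks NIST SP 800-63B Appendix A recommends (minimum length, blocklist of common or breached values, deployment-specific words, repetitive or sequential runs, and no composition rules). The blocklist, the context words and the 15-character minimum are assumptions to be replaced with the values from your own security procedures.

```python
"""Pass phrase policy check modelled on NIST SP 800-63B Appendix A.

Added example, not part of the nShield Security Manual and not an nShield tool.
The blocklist, context words and minimum length below are assumptions that a
deployment would replace with values from its own security procedures.
"""
import unicodedata

# Constructed sample blocklist; a real deployment loads breached/common values.
COMMON_PASSPHRASES = {
    "password", "passw0rd", "123456", "qwerty", "letmein", "welcome1",
    "changeme", "security world",
}

# Assumed deployment-specific words an attacker would try first.
CONTEXT_WORDS = ("nshield", "softcard", "hsm")

# NIST 800-63B requires at least 8 characters for user-chosen memorized
# secrets; this example assumes a higher site minimum because retries are only
# delayed, never locked out.
DEFAULT_MIN_LEN = 15


def has_repetitive_or_sequential(s, run=4):
    """True if `s` contains `run` identical characters in a row or a strictly
    ascending/descending character sequence of that length (e.g. 'aaaa', '1234',
    'dcba'), which 800-63B lists among the values a verifier should reject."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_passphrase(pp, min_len=DEFAULT_MIN_LEN,
                     blocklist=COMMON_PASSPHRASES, context=CONTEXT_WORDS):
    """Return the list of policy violations for `pp` (empty means acceptable).

    Following 800-63B, no composition rules (digits, symbols, mixed case) are
    imposed; length, blocklist, context words and trivial patterns are checked.
    """
    # Normalise so visually identical Unicode forms are judged the same way.
    norm = unicodedata.normalize("NFKC", pp)
    low = norm.lower()
    violations = []
    if len(norm) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if low.strip() in blocklist:
        violations.append("appears in the blocklist of common or breached values")
    for word in context:
        if word in low:
            violations.append(f"contains deployment-specific word '{word}'")
    if has_repetitive_or_sequential(low):
        violations.append("contains a repetitive or sequential run of characters")
    return violations


if __name__ == "__main__":
    # Constructed candidates: three that fail for different reasons, one that passes.
    for candidate in ("Passw0rd", "1234abcd", "my nshield softcard 2024",
                      "correct horse battery staple"):
        result = check_passphrase(candidate)
        print(f"{candidate!r}: {'ok' if not result else '; '.join(result)}")
```

Because there is no retry lockout on the HSM side, the check deliberately returns every violation rather than stopping at the first, so the operator can see exactly which part of the procedure a candidate fails before it is ever presented to the module.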
The process for managing forgotten pass phrases should be set out in your security
procedures.
The lifecycle for pass phrases will be determined by your threat analysis and the resulting
Security Policy.
nShield® Security Manual 34 of 90