5.3 Enabling the Passphrase Security System

The Enable Passphrase Security System option determines if users can use a passphrase to encrypt SSO data. You can set the Enable Passphrase Security System preference to Yes, No, or Hidden depending on the enterprise security requirements. These preferences determine if SSO is available for users to authenticate using their smart card and PIN or a username and password. The Enable Passphrase Security System cannot be set to No unless Use smartcard to encrypt SSO data is set to PKI credentials.

During the first launch of SecureLogin, if Enable Passphrase Security System is set either to Yes (the default preference) or to Hidden, the user is prompted to set a passphrase question and answer.

Users have two options, depending on what you specified.

Once users have set a passphrase, the application generates a random key. A one-way hash of the passphrase answer encrypts this key, and the application key in turn encrypts the resulting key. This key protects users’ SecureLogin credentials and passwords so that even administrators with Supervisor rights to the network and access to Microsoft Management Console (MMC) are unable to view a user's passwords to applications.

The next time, and every time after that, a user logs on to the network, SecureLogin loads seamlessly; typically, the passphrase question is never prompted. However, if an administrator resets the user's directory or network password, the next time SecureLogin launches the user must answer the passphrase question before SecureLogin continues. This prevents other users from changing the actual user's directory password, logging on as the actual user, obtaining access to their SecureLogin data, and running applications.

5.3.1 Passphrases and Smart Cards

Administrators cannot toggle the Enable Passphrase Security System setting when users forget their smart card unless the users had previously set a passphrase or had one randomly generated using the Hidden option.

If users are required to authenticate to the network using passwords, Enable Passphrase Security System must be set either to Yes or Hidden.

To enable passphrase security system:

  1. Access the Administrative Management Utility of SecureLogin. For more information on how to access the Administrative Management Utility, see Section 1.2, Administrative Management Utility and Section 1.3, Accessing the SSO Plug-In Through iManager.

  2. Click Preferences. The Preferences page is displayed.

    Security Properties Table

  3. Under Security, select either Yes or Hidden in the Enable passphrase security system drop-down list.

  4. Click Apply.

  5. Click OK.

  1. If the Yes preference is selected, users must select a passphrase question and answer when they log on to SecureLogin for the first time. With the passphrase system enabled, users are prompted to answer their passphrase question if their password has been reset by the administrator.

    NOTE: With the Use smart card to encrypt SSO data option selected, you can use the passphrase to decrypt SSO data if the user’s smart card is damaged or lost. This setting must be used in conjunction with the Lost card scenario preference set to Allow passphrase and the Store credentials on the smart card preference set to No. You can toggle these preferences if the user’s smart card is forgotten, provided that the user’s passphrase has already been set. The user is prompted to answer their passphrase question before SecureLogin loads.

  2. If the Hidden preference is selected, users are not prompted to set a user-defined passphrase. A user key is generated automatically without any input from the user.

    IMPORTANT: With the passphrase security system set to Hidden, a directory administrator can reset a user’s directory password, log on as the user, and access their SSO data, because they are not prompted to answer a passphrase question.

If you select Yes, users must select a passphrase question and answer when they log on to SecureLogin for the first time. When the passphrase system is enabled, users are prompted to answer their passphrase question if their password has been reset by the administrator.

If you select Use smart card to encrypt SSO data, you can use the passphrase to decrypt SSO data if the user’s smart card is forgotten, provided that the user’s passphrase has already been set. The user is then prompted to answer the passphrase question before SecureLogin loads.

If you select Hidden, users are not prompted to set a user-defined passphrase. A user key is automatically generated.

IMPORTANT: With the passphrase security system set to Hidden, a directory administrator can reset a user’s directory password, log in as the user, and access SSO data, because they are not prompted to answer the passphrase question.
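The following Python is an added illustration, not SecureLogin's own code or cipher: it models the key hierarchy described in 5.3 (random user key, wrapped by a one-way hash of the passphrase answer, then wrapped by the application key) and shows why the IMPORTANT note above holds. PBKDF2-HMAC-SHA256 as the "one-way hash", the HMAC-based toy wrap, and the storage of the Hidden-mode secret beside the data are all assumptions made for the model.

```python
import hashlib, hmac, os

KEY_LEN = 32

def derive_kek(secret, salt):
    # One-way hash of the passphrase answer. PBKDF2-HMAC-SHA256 is an assumption;
    # the guide says only "one-way hash".
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=KEY_LEN)

def _keystream(kek, n):
    # Counter-mode HMAC keystream of n bytes (constructed toy, not the product's cipher).
    blocks = (hmac.new(kek, b"ks" + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(kek, data):
    # Encrypt-then-MAC: XOR with the keystream, then append an HMAC-SHA256 tag.
    ct = bytes(a ^ b for a, b in zip(data, _keystream(kek, len(data))))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None  # wrong wrapping key: wrong answer, wrong app key, or tampering
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, len(ct))))

def enroll(mode, app_key, passphrase_answer=None):
    # First launch: random user key, wrapped by the hashed answer, then by the app key.
    user_key, salt = os.urandom(KEY_LEN), os.urandom(16)
    if mode == "Yes":
        secret, stored_secret = passphrase_answer.encode(), None  # known only to the user
    elif mode == "Hidden":
        secret = os.urandom(KEY_LEN)  # generated without user input, so it has to be
        stored_secret = secret        # kept with the data, where an administrator can reach it
    else:
        raise ValueError("mode must be 'Yes' or 'Hidden'")
    inner = wrap(derive_kek(secret, salt), user_key)
    record = {"mode": mode, "salt": salt, "stored_secret": stored_secret,
              "outer": wrap(app_key, inner)}
    return record, user_key  # user_key returned only so a caller can verify the model

def unlock(record, app_key, passphrase_answer=None):
    # Later launch. Yes mode needs the real answer; Hidden mode needs only what the
    # data store already holds, which is exactly what the IMPORTANT note warns about.
    inner = unwrap(app_key, record["outer"])
    if inner is None:
        return None
    secret = (record["stored_secret"] if record["mode"] == "Hidden"
              else (passphrase_answer or "").encode())
    return unwrap(derive_kek(secret, record["salt"]), inner)
```

Resetting the directory password in the model corresponds to an administrator obtaining app_key without the passphrase answer: in Yes mode that still yields nothing, in Hidden mode it yields the user key.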

5.3.2 PKI Encryption and Passphrase Security

In the Preferences > Security properties, when the Use smartcard to encrypt SSO data option is set to PKI credentials, the user’s SSO data is encrypted using the public key from the selected certificate and the private key, and is stored in a PIN-protected container on the user’s smart card. Both the user’s directory data store and local cache are then protected by the PKI credentials.

For extra security, the SSO data can be encrypted using the private key, which is also PIN-protected and stored on the user’s smart card. Only the user who has physical possession of the smart card and knowledge of the PIN can then decrypt the SSO data.

If the Use smart card to encrypt SSO data option is set to PKI credentials, the Enable passphrase security system preference can optionally be set to No.

Supported directory modes for disabling the passphrase security system are:

  • eDirectory™ (if Novell® SecretStore™ is used)
  • LDAP-compatible
  • Active Directory

To set the passphrase security system to No:

  1. Access the Administrative Management Utility of SecureLogin.

    For more information on how to access the Administrative Management Utility, see Section 1.2, Administrative Management Utility and Section 1.3, Accessing the SSO Plug-In Through iManager.

  2. Click Preferences. The Preferences page is displayed.

    Preferences page

  3. Under Security, change the value of the Use smart card to encrypt SSO data option to No.

  4. Under Security, select No in Enable passphrase security system drop-down list.

  5. Click Apply.

  6. Click OK.

With this preference selected, the user’s passphrases are completely disabled and the user’s smart card is always required to decrypt SSO data.

IMPORTANT: If you set the passphrase security system preference to No, it removes the passphrase security, and administrators can access the user’s credentials by resetting the network password.

To view three scenarios of what the user experience can be in environments where the passphrase security system has been enabled and disabled, see Section 5.5, Passphrase Security System Scenarios.