Using a hardware token to log into the system

I am new to cryptography and am learning PKI and PKCS etc. I understand the basic concept of PKI and its use for encryption / decryption. I am confused, however, about how a hardware token, such as a USB token or smart card, is used to securely log into your computer. Here are the steps as I understand them, and the part that I am confused about (sorry in advance for the length of the question):

Scenario: An xyz computer on the network contains data that can only be accessed by users belonging to the SECRET group. Users Bob and Joe are in this group and USB tokens have been released that they can use to provide credentials that will allow them to access these resources. The USB token currently uses two-factor authentication and requires input. The token is compatible with PKCS11.

  • Bob inserts a USB token into a Linux machine
  • The PAM-PKCS11 module recognizes this event and prompts Bob for input.
  • As soon as Bob correctly enters his 4-digit PIN code, the module checks the authenticity of the certificate on Bob's token by (does this change, but what is minimal?):
    • Finding a root certificate to verify a trusted CA
    • Checking certificate expiration dates and revocation lists
    • Mapping the identifier in the token to a user file (where?, missing step) or directory (LDAP, etc.)
  • If everything looks good, the module informs PAM about the successful result.
  • This line is marked so that PAM accepts authentication, and Bob is logged in and can view information restricted to users from the SECRET group.

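The flow the question lays out (trusted CA, validity dates, revocation list, then mapping the certificate to a local account) as an added example in plain openssl; it is not code from the question or from pam_pkcs11. Assumptions: the openssl command line (1.1.1 or newer) is installed, the CA, the users bob and joe, and the subject_mapping file are constructed for the demo, and the mapping file only imitates the idea of pam_pkcs11's subject mapper, not its real syntax.

```shell
# Constructed demo, not pam_pkcs11's own code: a throwaway CA issues Bob's and Joe's
# token certificates, Joe's is then revoked, and the checks the question lists are run
# with plain openssl (trusted root, validity period, CRL), followed by subject-to-login mapping.
set -eu
setup_demo_pki() {                        # builds the demo PKI in a temp dir and sets $PKI
  PKI=$(mktemp -d); cd "$PKI"
  cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
policy = demo_policy
[demo_policy]
commonName = supplied
EOF
  touch index.txt; echo 01 > serial
  openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/CN=Demo SECRET CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext   # the root must be marked as a CA
  openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext -out ca.crt 2>/dev/null
  for u in bob joe; do                    # one key pair and certificate per token holder
    openssl req -newkey rsa:2048 -nodes -keyout "$u.key" -out "$u.csr" -subj "/CN=$u" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -days 30 -in "$u.csr" -out "$u.crt" 2>/dev/null
  done
  openssl ca -config ca.cnf -revoke joe.crt 2>/dev/null    # Joe's token was reported lost
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > trust.pem           # trusted root plus its CRL, what the verifier consumes
  printf 'CN=bob -> bob\nCN=joe -> joe\n' > subject_mapping   # constructed, pam_pkcs11-style map
}
# The question's certificate checks: chain to a trusted CA, dates, revocation. Exit 0 means OK.
verify_token_cert() {
  openssl verify -crl_check -CAfile "$PKI/trust.pem" "$1" >/dev/null 2>&1
}
# The mapping step: look the certificate subject up in the mapping file, print the local login.
map_cert_to_login() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  awk -v s="$subj" -F' -> ' '$1 == s { print $2; f=1 } END { exit !f }' "$PKI/subject_mapping"
}
setup_demo_pki
for u in bob joe; do                      # Bob logs in; Joe's revoked certificate is rejected
  verify_token_cert "$PKI/$u.crt" && echo "$u -> login $(map_cert_to_login "$PKI/$u.crt")" \
    || echo "$u: certificate rejected (untrusted, expired or revoked)"
done
```

Without the CRL in trust.pem the revoked certificate would still verify, which is why the question's "revocation lists" step cannot be skipped; the PIN check itself happens on the token, before any of this runs.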


Source: https://habr.com/ru/post/1707376/
