C.0 How Authentication Works

To log in successfully, the smart card presented to NESCM must contain an X.509 certificate and that certificate’s private key. The following steps describe the process the method uses during login:

  1. The Login Client Module (LCM) enumerates the certificates on the smart card and sends them to the Login Server Module (LSM).

  2. The LSM selects the certificate to use for login. To be selected, a certificate must be valid and must be associated with the user account. The validation process uses the PKI functionality in eDirectory to verify that the certificate meets the following requirements:

    • It has been issued by a trusted authority

    • It has not been revoked

    • It has not expired

    CRL and OCSP revocation checking are supported.

  3. The LSM sends a message to the LCM telling it which certificate to use, together with a challenge. The challenge is random data and is used in Step 5.

  4. The LCM presents the PIN to the smart card for validation.

  5. The LCM requests that the smart card sign the challenge (received in Step 3) using the certificate’s private key. The signature algorithm is SHA1 with RSA encryption or MD5 with RSA encryption.

    The LCM proves it has access to the certificate’s private key by being able to successfully sign the LSM challenge.

  6. The LCM sends the signed challenge to the LSM for verification. The LSM can verify the signature because it holds the X.509 certificate from Step 1, which contains the certificate’s public key. If the signature verifies, the LSM reports login success to the NMAS™ service.
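The six steps above, worked through end to end as an added example; this is not Novell's code and does not reflect how NESCM, NMAS or eDirectory are implemented. Both sides run in one process: a `SmartCard` class stands in for the card and the LCM (enumerate certificates, validate the PIN, sign), and `select_certificate`, the random challenge and `verify_signature` stand in for the LSM. To keep the block standard-library only, RSA and PKCS#1 v1.5 are implemented by hand with a toy 512-bit key, and the "certificate" is a plain record carrying only the fields the LSM checks (issuer, serial, expiry, subject, public key) rather than real DER. All names (`SmartCard`, `issue_certificate`, `login`, the trusted-issuer set and revoked-serial set that play the role of the eDirectory trust store and CRL) are assumptions of this example.

```python
"""Toy model of the NESCM challenge-response login (added example, not Novell code)."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import date

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-1 (RFC 8017, section 9.2 note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
RSA_BITS = 512  # toy size so key generation stays fast; far too small for real use


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class Certificate:
    """Stand-in for the X.509 certificate on the card (constructed record, not real DER)."""
    serial: int
    subject: str      # the user account the certificate is associated with
    issuer: str
    not_after: date
    n: int            # RSA public key
    e: int


def issue_certificate(subject: str, issuer: str, not_after: date, serial: int):
    """Generate a key pair and a certificate for it; returns (cert, private exponent d)."""
    e = 65537
    while True:
        p, q = _random_prime(RSA_BITS // 2), _random_prime(RSA_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return Certificate(serial, subject, issuer, not_after, p * q, e), pow(e, -1, phi)


def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || 0xFF..FF || 0x00 || DigestInfo(SHA-1(message))."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for sha1WithRSAEncryption")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_challenge(challenge: bytes, n: int, d: int) -> bytes:
    """Step 5, on the card: sha1WithRSAEncryption over the LSM's challenge."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(challenge, k), "big"), d, n).to_bytes(k, "big")


def verify_signature(challenge: bytes, signature: bytes, cert: Certificate) -> bool:
    """Step 6, on the server: recover EM with the public key and compare it in constant time."""
    k = (cert.n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= cert.n:
        return False
    recovered = pow(int.from_bytes(signature, "big"), cert.e, cert.n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, _emsa_pkcs1_v15(challenge, k))


def select_certificate(certs, user, trusted_issuers, revoked_serials, today):
    """Step 2: first certificate that is trusted, unrevoked, unexpired and bound to the user."""
    for c in certs:
        if (c.issuer in trusted_issuers and c.serial not in revoked_serials
                and c.not_after >= today and c.subject == user):
            return c
    return None


class SmartCard:
    """Simulated card: exposes certificates freely, signs only after the PIN is accepted."""
    def __init__(self, pin: str):
        self._pin, self.certs, self._private = pin, [], {}

    def provision(self, cert: Certificate, d: int):
        self.certs.append(cert)
        self._private[cert.serial] = (cert.n, d)

    def sign(self, pin: str, serial: int, challenge: bytes) -> bytes:
        if not secrets.compare_digest(pin.encode(), self._pin.encode()):  # Step 4
            raise PermissionError("PIN rejected")
        n, d = self._private[serial]
        return sign_challenge(challenge, n, d)


def login(card, pin, user, trusted_issuers, revoked_serials, today=None) -> bool:
    """Run Steps 1-6; True means the LSM would report success to NMAS."""
    today = today or date.today()
    cert = select_certificate(card.certs, user, trusted_issuers, revoked_serials, today)
    if cert is None:
        return False
    challenge = secrets.token_bytes(32)  # Step 3: fresh random data per attempt
    try:
        signature = card.sign(pin, cert.serial, challenge)
    except PermissionError:
        return False
    return verify_signature(challenge, signature, cert)


if __name__ == "__main__":
    card = SmartCard("1234")
    cert, d = issue_certificate("alice", "Corp CA", date(2030, 1, 1), serial=7)
    card.provision(cert, d)
    print("login:", login(card, "1234", "alice", {"Corp CA"}, set(), date(2024, 1, 1)))
```

The shape of `login` is the point: the server never sees the private key, a fresh challenge is drawn for every attempt so a captured signature cannot be replayed, and a certificate that fails any one of the Step 2 checks (untrusted issuer, revoked serial, expiry, wrong account) is rejected before the card is even asked to sign. The digest is SHA-1 here only to mirror the `sha1WithRSAEncryption` option the page names; MD5 and SHA-1 are both broken for collision resistance, so the signature algorithm a card and server negotiate is the first thing to review in a deployment of this design.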