How to cache eToken PIN for multiple processes

Question

I have a .NET (c#) application which uses the x509Certificate2 in the 'my' Certificate Store, originally coming from an eToken device.

When I use the certificate (to decrypt data or use it as a clientcert for web requests), it will ask for the device PIN once. After that, it is cached, the user isn't bothered with the password request every xx minutes.

Now, I have multiple processes, that all use the certificate. Each of these processes will request the device PIN. (the cache seems to be per process).

Is there an easy way around this? Can I 'cache' it somewhere, so that every process can access the token without requesting the PIN over and over again?

Answer 1

A word of caution: It is really bad security practice to do this kind of 'PIN' caching. Any credentials should be stored in memory only as briefly as possible in order to avoid attackers to gain information on the PIN by monitoring the system's memory. Although in general this would require local access to the machine, this is still considered a very relevant threat, because most of the time, you don't want sysadmins to snoop into PINs either :)

That said, it's a real PITA for users having to enter the PIN every other second. As with so many things security, there is the tradeoff between security and usability.

Many smart card drivers do this form of caching themselves, as you noticed. Often there are two certificates/keys on the card, one with non-repudiation key usage deemed for high security operations such as providing a signature on a document, the other one deemed an 'authentication certificate' that is used for ever-recurring chores such as authenticating with a service. Typically, you have to re-enter the PIN each time you access the non-repudiation key, whereas the driver often caches the PIN for the authentication key.

So it really depends on your particular use case - if you consider the operation to be highly critical, I would advise against doing any caching whatsoever. Try to 'educate' users instead. It's for their own good, etc. etc. :)

Otherwise, if you consider the risk to be acceptable, you may use any form of interprocess communication that suits you best to share the PIN across processes. A simple solution could be to create a 'PIN file' in a directory that only the application has read/write permissions on. Check for file existence whenever the PIN is needed (beware of race conditions!) - if the file is not present yet, ask for the PIN and write it to the file - otherwise simply read the PIN from the file. Make sure to overwrite the memory with zeroes that was used to convey the PIN.