TrustKey Tool User Manual 1
Table of Contents 1 Introduction... 5 2 TrustKey Product...6 2.1 TrustKey Tool... 6 2.2 TrustKey function modules...7 2.3 TrustKey using environment...7 3 TrustKey Tool Installation... 8 3.1 TrustKey Tool Installation... 8 4 TrustKey Tool... 10 4.1 Launching TrustKey Tool...10 4.2 TrustKey Tool Overview...11 4.2.1 Device Operations...11 4.2.2 PIN Operations...12 4.2.3 Certificate Operations...12 4.2.4 Admin...13 4.2.5 Options...13 4.3 Exit TrustKey tool... 14 4.4 Device Operations...15 4.4.1 Set User PIN... 15 4.4.2 Device Selection...16 2.4.3 Change Label...16 4.5 PIN Operations...17 2.5.1 Verify PIN... 17 2.5.2 Modify PIN... 18 4.6 Certificate Operations...20 4.6.1 View Certificate...20 4.6.2 Register Certificate... 21 4.6.3 Unregister Certificate...21 4.6.4 Delete Certificate... 22 2
4.6.5 Import Certificate...22 4.6.6 Publish Certificate...24 4.7 Admin...25 4.7. Reset PIN...25 4.7.2 Format Token...25 4.8 Options...28 5 Support...29 List of Figures Figure 1 Installation... 8 Figure 2 Installation Successful...9 Figure 3 Trust Key Tool Main Menu...10 Figure 4 Running Label of TrustKey Tool... 11 Figure 5 Trust Key Tool Exit...14 Figure 6 Setting up User PIN...15 Figure 7 Set PIN Successful and Warning... 16 Figure 8 Device Selection...16 Figure 9 Label Change Dialogue box...16 Figure 10 PIN Verification... 17 Figure 11 Wrong PIN entered warning...17 Figure 12 PIN Locked...18 Figure 13 PIN Modification... 18 Figure 14 PIN Modified Successfully...19 Figure 15 View Certificate...20 Figure 16 Certificate Registered... 21 Figure 17 Certificate Unregistered Successfully... 21 Figure 18 Delete certificate... 22 Figure 19 Importing Certificate...22 3
Figure 20 Importing certificate by entering PIN... 23 Figure 21 Imported Certificate in the token...24 Figure 22 Certificate Published Successfully...24 Figure 23 Reset PIN prompting Admin PIN...25 Figure 24 Format Token prompting Admin PIN...26 Figure 25 Warning before Formatting Token... 26 Figure 26 Token Formatted Successfully... 26 Figure 27 Initialization Window...27 Figure 28 Device Information... 28 Figure 29 Trust Key Support... 29 Figure 30 TrustKey Website...29 4
1 Introduction With the development of Internet and fast development of network technology a vast majority of people communicate with each other online, instead of traditional methods of face to face meeting. Due to this security authentication becomes vital for the network security, also the bank transactions and fund transfer becoming online it is very important to protect data. The USB tokens provide a secure way to store the Digital Signature Certificate. The TrustKey USB Token is a hardware cryptographic module with a USB form factor for twofactor authentication which has been validated against the FIPS 140-2 at security level 2. The public and private user s key is generated and is stored on the chip embedded inside the token; the key pairs are stored in EEPROM. Private Key is secured and cannot be exported. 5
2 TrustKey Product In internet applications, like e-business, e-government, network communication and e- transaction, it is very important to ensure the information security. TrustKey Product is developed as a solution of this security problem. It provides a convenient and reliable secure environment for customers. 2.1 TrustKey Tool High in security 1. Supporting 2048 bits RSA asymmetric cryptographic algorithms and SHA2. 2. Supporting password and hardware authentication. 3. Hardware device provide secure memory space which can be used to store password, private key and other secret data. The secret data is not exportable; the hardware device is not replicable. 4. Secure and reliable. All encryptions and decryptions are operated inside the TrustKey device. Uniformity specification 1. Following the worldwide universal standards: PKCS#11 v2.1 specification and Microsoft CSP 2.0 specification. 2. Completely realized the security communication functions supported by SSL and S/MIME. The specification covers application and storage of digital certificate, digital signature and verification, encryption/decryption, etc. 3. Using standard interface to connect with browsers, the communications is strictly abiding browser s secure communication operating regulations. 4. Supporting certificate s interoperability between CSP and PKCS#11. 5. Supporting certificate application and secure email exchange in the environment of IE/Outlook, Foxmail, NetScape, Mozilla and Firefox/Thunderbird. 6. Supporting X. 509 v3 certificate storage. Excellent compatibility 1. No need to install special TrustKey driver, the driver integrated inside the Windows Operating System is used there by eliminating the driver installation. 2. The hardware is a kind of USB device which is following USB1.1/USB 2.0 specification. It can be used conveniently in every USB supported facilities. 6
4. Uniform interfaces is used for UDK devices. One suite can supports both HID and UDK devices. 5. The UI is supported in Windows/ME/2000/2003/XP/Vista/Windows7/Windows 8 and Windows 8.1/ Linux Operating Systems are all supporting. Flexible design 1. Using modularized design to meet customer s dedicated requirements. 2. A convenient platform for user s certificates management is provided. 3. UI (User Interface) is designed up to customer s requirements. 4. Secondary development interface is provided. 2.2 TrustKey function modules TrustKey network security suite includes the following 5 modules: CSP module: 1. It is a basic interface module based on Microsoft CSP2.0 specification. 2. It is configured at registry. 3. It can be used in IE browser, Outlook and Foxmail for certificate application, security website visitation and security email service, etc. PKCS#11 Module: 1. Supporting PKCS#11 v2.1 interface. 2. It is applicable in NetScape/Mozilla browser and ThunderBird email server. Administrator s tool: It provides functions of key initialization, certificate operation and PIN operation, etc. User s tool: It provides not only PIN operations of verification and modification, but also certificate operations of checking and installation/uninstall. Background: At the time of TrustKey plug in and out, certificate registration/revocation will be automatically done, and application programs will automatically start and end. 2.3 TrustKey using environment The supporting operating systems are shown as below: WIN XP SP2 and above WIN 2000/2003/2008 Server WINDOWS 7, 8, 8.1 The supporting software includes: IE/Mozilla/Netscape/ browsers. Outlook/Foxmail/ThunderBird email clients. 7
3 TrustKey Tool Installation The TrustKey comes with the Autorun supported ND (No Driver) feature. User can install the TrustKey tool just by plugging the token into the USB slot, the installation and details of the TrustKey tool is explained in detail below. 3.1 TrustKey Tool Installation To begin with the installation just plug in the token into the USB slot of the Laptop or PC, the Autorun supported product will automatically install TrustKey tool on the system 1. Once the token is plugged into the USB slot the Autorun features asks for the installation of the token management tool as shown in the Figure 1, just click the install button to proceed with the installation of the software. Figure 1 Installation 8
2. The token management software installs as shown in the Figure 2 just click the finish button Figure 2 Installation Successful 9
4 TrustKey Tool 4.1 Launching TrustKey Tool The TrustKey tool can be launched using the short cut icon created on the desktop during installation, or can be found by clicking Start menu on windows and then finding the Trust Key Tool can selecting it, the Trust Key Token tool has a easy user Interface as shown in Figure 3. Figure 3 Trust Key Tool Main Menu 10
During TrustKey administrator s tool running, the label of the tool will display in the right bottom corner as Figure 4. Figure 4 Running Label of TrustKey Tool 4.2 TrustKey Tool Overview As shown in Figure 3 there are 5 operation available in the main menu for the TrustKey tool which include the 1. Device Operation 2. Pin Operation 3. Certificate Operations 4. Admin 5. Options 4.2.1 Device Operations :It enables device selection when several Trustkeys are available. :This function is used by administrator for change label. 11
: This function exits the administration tool 4.2.2 PIN Operations :PIN verification can identify the TrustKey holder for embezzle resistance. :It is used to modify the PIN. 4.2.3 Certificate Operations :It is used to view the certificates in the TrustKey. :It can be used to install the selected certificate in IE. :It is useful for uninstall the selected certificate from IE. :It is used to delete the selected certificate from the TrustKey. :It provides the function of import a certificate. : This Publishes the CA and the Root Certificate 12
4.2.4 Admin : It is used to reset the PIN : It is used to format the token completely 4.2.5 Options : This function enables administrators to view the device information like label, ATR information, CSP name, token version and free space. 13
4.3 Exit TrustKey tool Click the close button at upper right corner to exit TrustKey Administrator Interface. Can go to Device operations and can exit or Go to File and exit One can find the File and Help Icons on the top left had corner of the tool, the file Icon can be used to close the TrustKey Tool, upon clicking the File icon an Exit icon can be seen as shown in Figure 5 Figure 5 Trust Key Tool Exit 14
4.4 Device Operations 4.4.1 Set User PIN The token has to be entered a user defined PIN, once the TrustKey tool is installed. The length of the PIN should be between 6-32 (Alpha Numeric). The token prompts Set Pin once the installation is completed; where in the user need to define his/her PIN (this will be one time and may be needed if the token is formatted). Figure 6 shows the Set User PIN prompt and Figure 7(a) shows the successful PIN set. Figure 6 Setting up User PIN If the PIN is entered exceed the range of 6 to 32 characters, a warning window like Figure 7(b) will out to tell you PIN for the token requirements. (a) 15
(b) Figure 7 Set PIN Successful and Warning 4.4.2 Device Selection When more than one TrustKey tokens are plugged in, you can select a device as needed. It is illustrated in Figure 8 that there are two available TrustKey tokens: Trust_USB_token(1) and Trust_USB_token(2). Figure 8 Device Selection 2.4.3 Change Label Change Label provides administrators with the interface of change the label of user s device. It is shown in Figure 9. Figure 9 Label Change Dialogue box 16
4.5 PIN Operations 2.5.1 Verify PIN PIN verification is designed for confirm TrustKey holder s identity and avoid embezzlement (theft). The PIN verification interface can be seen in Figure 10. Figure 10 PIN Verification Maximum User PIN error counter is set by default to 10 so the user can try to verify the password a maximum 10 times in case if the user is not fully aware or forgotten his PIN and wants to guess his PIN. As shown in Figure 11 user gets 10 attempts by default in case of forgotten PIN. However if the user still not able to verify the set PIN after 10 guess attempts the token gets locked as shown in Figure 12. The user needs to contact the Trust Key customer care in case he/she has forgotten the PIN. Figure 11 Wrong PIN entered warning 17
Figure 12 PIN Locked 2.5.2 Modify PIN The function of PIN modify is provided by the interface like Figure 13. Figure 13 PIN Modification 18
The user can modify his User PIN by entering his currently used User PIN and then typing his/her new user PIN and then confirming the user PIN, in case the token is formatted the default user PIN would be set to 88888888. Once the PIN is modified the window as shown in Figure 14 will appear. Figure 14 PIN Modified Successfully 19
4.6 Certificate Operations Certificate operation contains 6 functions which are view certificate, install certificate, uninstall certificate, delete certificate, import certificate and publish certificate. 4.6.1 View Certificate After entered the certificate operation interface, all available certificates are listed in text area at upper-right side of TrustKey tool. Choose a certificate as you want, click View button at tool bar or click View certificate at the menu bar, a certificate window like Figure 15 will display and provides all the information about this certificate. Figure 15 View Certificate 20
4.6.2 Register Certificate Select a certificate you want to install and then click Register on the registration a dialogue as Shown in Figure 16 Figure 16 Certificate Registered 4.6.3 Unregister Certificate All the available certificates are listed inside the certificate text area please choose a certificate and press unregister for unregistering once it is successfully done a window appears as shown in Figure 17.. Figure 17 Certificate Unregistered Successfully 21
4.6.4 Delete Certificate This function enable administrators delete the selected certificate from the token. For safe, a confirmation is required as shown in Figure 18 and then the certificate is deleted. Figure 18 Delete certificate 4.6.5 Import Certificate Click on import certificate and choose the certificate as shown in Figure 19 Figure 19 Importing Certificate 22
Once the certificate is chosen then user needs to enter the password as shown in Figure 20 (a) Certificate Password (b) Token Password, the certificate gets imported into the token as shown in the Figure 21. (a) (b) Figure 20 Importing certificate by entering PIN 23
Figure 21 Imported Certificate in the token 4.6.6 Publish Certificate This publishes the CA and the root certificate chain once published a window as shown in Figure 22 appears. Figure 22 Certificate Published Successfully 24
4.7 Admin For any operation in the Admin sub menu the user need to obtain the Admin PIN and he should contact the customer care for any operations in Admin sub menu. 4.7. Reset PIN User needs to obtain the Admin PIN the user will need to contact customer care for this. User needs to enter the Admin PIN in the field as shown in Figure 23 (a) and then the tool asks the users confirmation for resetting the current user PIN as shown in Figure 23 (b) (a) (b) Figure 23 Reset PIN prompting Admin PIN 4.7.2 Format Token If the user wants to delete the user PIN and also all the certificates downloaded in the token then the user needs to format the token with the obtained admin key from the Trust Key customer care. The format token option asking for admin PIN is as shown in Figure 24. 25
Figure 24 Format Token prompting Admin PIN Once the Admin PIN is obtained and entered a Dialogue box as shown in Figure 25 will appear and upon the user s confirmation the token will be formatted and once the token is formatted and a dialogue box as shown in Figure 26 appears. Figure 25 Warning before Formatting Token Figure 26 Token Formatted Successfully Once the formatting of the token is done the Initialization settings are applied and then the user again needs to set the User PIN details, by default after formatting the PIN is set to 88888888 as shown in Figure 27. 26
Figure 27 Initialization Window More details about these initialization options are described as below: 1. Initialize user pin: is used to set initial administrator PIN. Usually, it is defaulted as 88888888. 2. User PIN Error Counter: provides a maximum of retry the user s PIN in an error. If users retry the PIN more than this number, the PIN will be locked. The Pin Error attempt set to 10 attempts default. 3. Label: can be used to set and change the name of user s device. 27
4.8 Options Device information can be read by click Options -> Device Information. Then, as illustrated in Figure 28, you can see the device information of label, ATR, CSP name, token version and free space. Figure 28 Device Information 28