Introducing etoken. What is etoken?

Similar documents
TrustKey Tool User Manual

PROXKey Tool User Manual

SLE66CX322P or SLE66CX642P / CardOS V4.2B FIPS with Application for Digital Signature

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Moving to Multi-factor Authentication. Kevin Unthank

Draft Middleware Specification. Version X.X MM/DD/YYYY

CardOS API V3.2. Standard cryptographic interface for using applications with CardOS smart cards

1. Product Overview 2. Product Features 3. Comparison Chart 4. Product Applications 5. Order Information 6. Q & A

epass2003 User Guide V1.0 Feitian Technologies Co., Ltd. Website:

CRESCENDO SERIES Smart Cards. Smart Card Solutions

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Innovative Secure Boot System (SBS) with a smartcard.

etoken PKI Client Version 4.5 Reference Guide

Use of any trademarks in this report is not intended in any way to infringe upon the rights of the trademark holder.

FEITIAN PKI Authentication Token. epass2003 with FIPS Cer tification

eid Security Frank Cornelis Architect eid fedict All rights reserved

SafeNet Authentication Client (Windows)

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release corrections. ADYTON Release 2.12.

Converged Smart Card for Identity Assurance Solutions. Crescendo Series Smart Cards

etoken PKI Client (Windows) Administrator s Guide Version 5.1 SP1 Rev A

Global network of innovation. Svein Arne Lindøe Arnfinn Strand Security Competence Center Scandic Siemens Business Services (Norway)

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Customised version for ČSOB a.s. - English

SafeNet Authentication Client (Windows)

Issues in Smart Card Development

Secure Data Exchange Solution

Guidelines for Developing Cryptographic Service Providers (CSPs) for Acrobat on Windows

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

Check Point FDE integration with Digipass Key devices

INTEGRATION GUIDE MS OUTLOOK 2003 VERSION 2.0

PrivateServer HSM Integration with Microsoft IIS

Two-factor authentication Free portable encryption for USB drive Hardware disk encryption Face recognition logon

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

etoken Single Sign-On 3.0

SafeNet Authentication Client (Mac)

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

Entrust Smartcard & USB Authentication

DoD CAC Middleware Requirements Release 4.0

IBM Client Security Solutions. Client Security User's Guide

MyKey is the digital signature software governed by Malaysia s Digital Signature Act 1997 & is accepted by the courts of law in Malaysia.

Secure web transactions system

Citrix MetaFrame XP Security Standards and Deployment Scenarios

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

PrivateServer HSM EKM Provider for Microsoft SQL Server

SecureDoc Disk Encryption Cryptographic Engine

Smart Card APDU Analysis

Description of the Technical Component:

Application Note Gemalto.NET 2.0 Smart Card Certificate Enrollment using Microsoft Certificate Services on Windows 2008

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

ACER ProShield. Table of Contents

Overview ActivClient for Windows 6.2

Enhancing TAM E-SSO with smart phones, smart cards and other tokens. IBM Tivoli Talk

PKCS. PKCS: Public Key Cryptography Standards

Using etoken for Securing s Using Outlook and Outlook Express

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Managed Portable Security Devices

Yale Software Library

Deploying Smart Cards in Your Enterprise

DigitalPersona Pro Enterprise

22 nd NISS Conference

Smart Card Technology Capabilities

Token User Guide. Version 1.0/ July 2013

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

GoldKey Product Info. Do not leave your Information Assets at risk Read On... Detailed Product Catalogue for GoldKey

MetaFrame Presentation Server Security Standards and Deployment Scenarios Including Common Criteria Information

E-CERT C ONTROL M ANAGER

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate on Aladdin etoken (Personal eid)

Global eid Developments. Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa

Shakambaree Technologies Pvt. Ltd.

Ten Critical Success Factors for Successful Smart Card Projects

Ciphire Mail. Abstract

KOBIL Smart Key V3.0 User s Guide. August 15th, 2006 English Version

Gemalto SafeNet Minidriver 9.0

Secure Network Communications FIPS Non Proprietary Security Policy

SafeNet Authentication Client (Windows)

CALIFORNIA SOFTWARE LABS

The OpenEapSmartcard platform. Pr Pascal Urien ENST Paris

Enhancing Web Application Security

PKCS. PKCS: Public Key Cryptography Standards. Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell, Sun

Authentication Solutions. Versatile And Innovative Authentication Solutions To Secure And Enable Your Business

2 factor + 2. Authentication. way

Strong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012

USB etoken and USB Flash Features Support

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

APPLICATION PROGRAMMING INTERFACE

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Smart Card Certificate Authentication with VMware View 4.5 and Above WHITE PAPER

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

Simplifying Security with Datakey Axis Single Sign-On. White Paper

Kaspersky Lab s Full Disk Encryption Technology

Two factor strong authentication. Complex solution for two factor strong authentication

Transcription:

Introducing etoken Nirit Bear September 2002 What is etoken? Small & portable reader-less Smartcard Standard USB connectivity Logical and physical protection Tamper evident (vs. tamper proof) Water resistant container Smartcard Chip inside 2 1

etoken Is Used For: Strong 2-factor user authentication Digital signing (non repudiation) of business transactions Secure storage of PKI private keys, digital certificates, passwords, files etc. Single Sign On applications 3 What Can etoken Do? Secure ebusiness Services Secure Network Logon Secure VPN authentication Portable PKI authentication & signing device Secured email (Encrypt & Sign) Secure online Extranet & Website access PC Security 4 2

etoken Enterprise Generic application support Win2000/XP SC logon, win logon (GINA), aladdin SSO Check point VPN-1 client (SAA, NG) Various CA s certificates SSL v3 Secure email MS outlook, Netscape messenger etoken administrative Utilities Application viewer application level view of the token content Certificate converter etoken format Token management system (TMS) Token profile User profile Supported applications 5 etoken SDK The etoken Software Developer s kit is mainly intended for use by developers. The SDK contains everything a developer needs to evaluate and use etoken, and develop his own etoken application. The SDK includes a number of programming interfaces, utilities, tools, sample applications and documentation files. 6 3

Multiple Applications Support in one etoken Multiple Access Profiles On One etoken MS2K PKI Keys & Certificates NT Domain Access Profile SSL v3 PKI Keys & Certificates VPN authentication PKI certificates CheckPoint SAA Access Profiles MS Exchange PKI Keys & Certificates Remember!!! Only one password needed for all profiles 7 etoken Hardware Nirit Bear August 2002 4

Major Points - A USB key with a small chip With on-board memory Designed in a secure way 9 etoken Device Options etoken PRO Advanced Smartcard Technology Smartcard Chip inside etoken R2 Secure EEPROM 10 5

etoken R2 - Hardware Micro controller based External EEPROM memory 8, 16 & 32 KB memory models. 64K in the future. Protected chip serial ID (32-bit length). Access via smartcard APDU commands 11 etoken R2 Cryptographic Features Secure & encrypted EEPROM for PKI keys, certificates, profiles and passwords On-board 120-bit DES-X encryption/decryption Compatible implementation with Smartcards Variable key length - 2048 Strong 2-factor authentication. Security API s- CAPI, PKCS#11. 12 6

What makes etoken R2 Secure EEPROM is readable by standard devices But: All private data is written to the EEPROM encrypted by the DesX Engine Encrypted Communications with the PC etoken password is transmitted using a challenge-response protocol DESX Engine is used as a tool for pseudorandomness and MAC s Tamper - evident design Designed and reviewed by Cryptography experts 13 etoken PRO - Hardware Infineon smartcard chip - SLE66CX Siemens CardOS 4 16 & 32 KB memory models (storage). 64K in the future. Protected chip serial ID (32-bit length) Smartcard Chip inside 14 7

etoken PRO Cryptographic Features On-chip crypto processing of RSA1024bit, 3xDES,SHA-1. Secure on-board PKI key generation and storage. PKI certificates storage. 2-factor authentication and digital signatures. Cryptographic API s - CAPI, PKCS#11. 15 What makes etoken PRO secure? Security of CardOS/M4 ITSEC E4 Certified Tamper - Evident mechanisms Physical security data is physically distributed in a way that it is hard to locate Logical Security data is encrypted on the memory chip Encrypted communications with the PC 16 8

etoken OS Software that uses the etoken hardware to provide: A Smartcard file system Access to cryptographic capabilities Access to administrative capabilities etoken PRO OS on-token CardOS/M4 by Siemens etoken R2 OS included in software 17 etoken PRO CardOS/M4 Features General Features: Runs on Infineon SLE 66 chip family. (True RNG, asymmetric cryptography, ITSEC E4) All commands compliant with ISO 7816 standards PC/SC compliancy and CT-API Extendibility of the OS using loadable software components All functions can be parameterized. Secure messaging Encrypting data between host and card using predefined symmetric keys. 18 9

etoken PRO CardOS/M4 Features File System: Flexible file system, protected by chip cryptographic mechanisms: Arbitrary number of files File system tree supporting 8 levels Protection against EEPROM defects and power failure 19 etoken PRO CardOS/M4 Features Access control: 32 distinct programmer definable access rights Every command and data object can be protected by unique access condition scheme. Security tests and keys are stored as key-objects in DF bodies Security structure can be refined incrementally after file/object creation without data loss. Formatting and personalization are enabled 20 10

etoken PRO CardOS/M4 Features Cryptographic services: Implemented algorithms: RSA 1024 bit, SHA-1, Triple-DES, DES, MAC. Support of command chaining. Asymmetric key generation on chip, using the onboard Random Numbers Generator Digital signature functions on chip Connectivity to external Public key certification services 21 On-Token Algorithm Processing Processing is performed on-token PC Data to Sign signed Data Token Protected keys cannot be accessed by Viruses/Malicious code Enables true 2-factor authentication 22 11

Additional Security Mechanisms Time-Delay mechanism after wrong password entry etoken R2. Password Retry counter etoken PRO etoken Password Minimum length 4 bytes No maximum length limit Password quality check Access to sensitive data on memory and functions executed on the etoken require password based authentication to the etoken. 23 etoken PKI Client (the Run Time Environment) Nirit Bear January 2002 12

What is the PKI client? Software layer for enabling etokens on a host, including etoken drivers and the cryptographic libraries. Minimal end-user etoken management tools. etoken PKI Client Enables any Windows OS to access the etoken. Standard interface provides similar functional behavior of the two tokens 25 Low-Level Software Layers Application Ring 3 Aladdin CAPI & PKCS#11 APDU Commands Windows S/C Resource Manager (RM) Ring 0 Aladdin System Drivers Windows USB Drivers etoken Smartcard 26 13

High-Level Software Layers ISV etoken SDK etoken Enterprise CD Vendor-specific Solution PKI, WAC, CA, Win2000 SC Logon, SSL V3, Check Point VPN Client, Secure email + etoken PKI Client Client 27 The goal: Standards obtaining interoperability of several manufacturers in the same environment. Portability. The Solution: etoken had been developed to support Industry open standards: USB, PC/SC, APDU, CAPI, PKCS#11. 28 14

Hardware Standards in use by etoken Universal Serial Bus A universal standard for bus system and port communication. ISO 7816 part 3,4 specifies logical requirement for a smartcard device (file system, etc.) 29 Open Standards in use by etoken PC/SC The industry standard for smartcards in a PC environment. APDU - Application Protocol Data Units CAPI Microsoft Cryptographic Application Programming Interface. PKCS#11 Public Key Cryptographic Standard #11 (Cryptoki) 30 15

etoken and PC/SC etoken RTE installs a software component called etoken IFD Handler The IFDH simulates a smart card reader device Can interface with one token When token inserted, reports card in to the RM Number of installed IFDH devices determines how many tokens can be used simultaneously 31 PC/SC Architecture - Components ICC-Aware Applications Service Provider ICC Resource Manager IFD Handler IFD Handler IFD Handler IFD IFD IFD ICC ICC ICC 32 16

RTE Architecture etcapi etpkcs11 etprops Services (etsrv, etui, etcache) Microsoft RM R3/R0 Device drivers SW/HW Hardware 33 CAPI Microsoft Crypto API Microsoft s Cryptographic API standard. Applications normally use Microsoft CAPI (as default CSP) to perform crypto algorithms on the PC in Windows environment. The etoken CSP library (etcapi dll), installed as part of the PKI client provides CAPI support. Applications can choose the token as their Cryptographic Service Provider instead MS-CAPI. Applications etcapi CSP MS CAPI CSP 34 17

Microsoft CAPI vs. etcapi Win32 Cryptographic Functions etoken CSP MS CSP MS CSP uses the processor for algorithms and the Registry for storing keys etcapi CSP, enables integration with all Microsoft software that supports CAPI The etoken Smartcard chip is used for processing algorithms + on board key generation and storage etcapi enables support for etoken certificate store 35 PKCS#11 An open standard API proposed by RSA Laboratories. Presents a virtual token for applications. Enabling applications to access smartcard devices. Provides management functions to locate and manipulate cryptographic tokens. Allows easy integration into existing smartcard enabled applications. 36 18

etoken PKCS#11 Module provided by the etoken PKI client, implementing PKCS#11 v 2.01 Installed in the %System% directory Uses the token for object storage, and on PRO on board Decryption and Digital Signature Installed in applications by setting the path to the cryptographic module (etpkcs#11.dll) 37 CAPI, PKCS#11 and Certificates Both etcapi and etpkcs#11 provide functionality to write certificates to the token. etoken PKI client implements full interoperability between etcapi and etpkcs#11. Certificates and keys created by etcapi are visible by etpkcs#11 and vice versa. 38 19

APDU Library APDU Application Protocol Data Units Allows access to low-level commands of the token Unique commands to each type of etoken or smartcard PRO is compatible with Siemens-Infineon smart card Mostly used for custom application 39 Personalizing the etoken A user can personalize his etoken using the etoken Properties Utility. Rename etoken View etoken information Change the etoken personal password 40 20

etoken SDK Developing for etoken etoken SDK Overview SDK (Software Developer's Kit) enables integrating etoken functionality into any customized applications. Authentication Digital signatures Encryption and decryption Secure storage The SDK offers robust API's etpkcs#11 etcapi Card APDU commands OS support: Microsoft Win 9x, Me, NT, 2000, XP Real mode 16bit driver Linux drivers and smartcard support (APDU) 42 21

Examples of etoken Applications PC boot protection (laptop theft protection) File and Desktop access control Single sign-on applications Personal credential holder (e-wallet) Extranet and web access E -Banking Digitally Sign 43 Examples of etoken Applications User identification and authentication to a PC User identification and authentication to a LAN, including Windows logon. Remote access security clients Web authentication (subscription services) VPN applications Authenticate 44 22

Special Development kits etoken SDK for Linux Components: Drivers, Linux CT-API, PC/SC, Samples, Documentation Can be used for: PC Logon, Thin client etoken SDK for 16 bit 16 bit Static Library (Borland and Microsoft) that enables the communication with the USB device in real mode. Can be used for: Boot protection 45 etoken for specific Vendors etoken Vendor ID Provides a utility enabling a vendor to restrict the application to use only its related tokens. Utilization of the Vendor ID option requires: Developer utility Production facility 46 23

etoken Utilities Set Overview The etoken Certificate Converter Enables the transfer of digital certificates and keys from a computer to an etoken. The etoken PRO Format Restores an etoken PRO to its initial state, while retaining all essential support libraries and data. Resets the etoken default password. Determines the etoken administrator password. The etoken Application Viewer Enables viewing the certificates and application profiles which are stored on the etoken. 47 etoken in the Future Additional PIN entry systems like Biometric fingerprint and Voice signature. Flash memory on card. Different proximity coils for extra physical access control functionality. Java cards Additional applications (like the WSO, SSO, TMS) to our etoken platform. 48 24

Thank you Nirit Bear September 2002 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information