all | frequencies |
|
exhibits | applications |
---|---|---|---|---|
manual |
app s | submitted / available | |||||||
---|---|---|---|---|---|---|---|---|
1 2 |
|
Users Manual | Users Manual | 640.06 KiB | October 07 2007 | |||
1 2 | Cover Letter(s) | December 06 2009 | ||||||
1 2 | Cover Letter(s) | December 06 2009 | ||||||
1 2 | External Photos | December 06 2009 | ||||||
1 2 | ID Label/Location Info | December 06 2009 | ||||||
1 2 | Internal Photos | December 06 2009 | ||||||
1 2 | Internal Photos | December 06 2009 | ||||||
1 2 | Internal Photos | December 06 2009 | ||||||
1 2 | Test Report | December 06 2009 | ||||||
1 2 | Cover Letter(s) | October 07 2007 | ||||||
1 2 | Cover Letter(s) | October 07 2007 | ||||||
1 2 | Internal Photos | October 07 2007 | ||||||
1 2 | ID Label/Location Info | October 07 2007 | ||||||
1 2 | ID Label/Location Info | October 07 2007 | ||||||
1 2 | Cover Letter(s) | October 07 2007 | ||||||
1 2 | Test Setup Photos | October 07 2007 |
1 2 | Users Manual | Users Manual | 640.06 KiB | October 07 2007 |
plugncrypt Overview V1.0"
plugncrypt Manual Copyright 2007 by charismathics gmbh, 47 sendlinger st, munich, germany 80331 2007 charismathics gmbh. All rights reserved The names of the other products mentioned are trademarks of their respective owners. This hardware key is in compliance with the following test specification:
CEI EN 61000-4-2; CEI EN 61000-4-3; CISPR22 as required by :
CEI EN 61000-6-1, CEI EN 61000-6-2, CEI EN 61000-6-3, CEI EN 61000-6-4 which are specified for the following test:
ESD Immunity test Radiated radio-frequency and electromagnetic field immunity test Radiated Emission Verification In compliance with the Essential Requisites for the EMC Directive 89/336/EEC. FCC ID: U5Y-AAB Charismathics GmbH plugncrypt Supply: 5V DC Absorption: 250 mA This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. NOTE: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help. Caution: changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Contents 1. Preface ................................................................................................................................... 5 2. About this Manual ................................................................................................................... 7 3. Installation ............................................................................................................................... 8 Installation Requirements ............................................................................................................ 8 Supported Smart Cards ............................................................................................................... 9 Tested Card Readers ................................................................................................................ 10 3.1. 3.2. 3.3. 4.1. 4.2. 4.3. 4.4. 4. Administration Tool: Charismathics Smart Security Interface Manager................................ 11 User Interface ............................................................................................................................ 11 Tab "Manager"..................................................................................................................... 13 Tab "Edit"............................................................................................................................. 14 Tab "Token"......................................................................................................................... 14 Tab "Key Pair" ..................................................................................................................... 15 Tab "Certificate"................................................................................................................... 15 Tab "Info"............................................................................................................................. 16 Changing PINs........................................................................................................................... 17 Unlocking Smart Cards.............................................................................................................. 18 Generating and Importing Keys ................................................................................................. 19 Generation of a Key Pair ..................................................................................................... 19 Importing a Key Pair ............................................................................................................ 20 Generation of a Secret Key ................................................................................................. 20 Importing a Secret Key ........................................................................................................ 21 Generation and Import of Certificates ........................................................................................ 22 Generating self signed Certificates and Certificate Requests .............................................. 22 Import of Certificates............................................................................................................ 24 Creating Profiles .................................................................................................................... 25 in the case of a smart card with profile ............................................................................ 25 in the case of an empty smart card ................................................................................. 26 Preparing a Smart Card (Initialization and Personalization)....................................................... 27 Further Functions....................................................................................................................... 27 Directory "Certificates"......................................................................................................... 27 Directory "Data" ................................................................................................................... 28 Function "Open Token"........................................................................................................ 30 Function "Delete all" and "Delete Object" ............................................................................ 30 Function "Set Default Container" ......................................................................................... 30 Function "Show Certificate" ................................................................................................. 31 Function "Export Certificate" ................................................................................................ 31 4.7. 4.8. 4.5. 4.6. 2 Function "Register Certificate" ............................................................................................. 31 Function "Check Private Key" .............................................................................................. 31 Function "Check Secret Key"............................................................................................... 33 5. User Tool: Charismathics Smart Security Interface Utility..................................................... 34 Changing PINs........................................................................................................................... 34 Smart card Registration ............................................................................................................. 34 5.1. 5.2. 6. Register Tool......................................................................................................................... 35 Start CSSI Manager and Start CSSI Utility ................................................................................ 35 Pause / Continue ....................................................................................................................... 36 Settings...................................................................................................................................... 36 About ......................................................................................................................................... 37 Exit 37 6.1. 6.2. 6.3. 6.4. 6.5. 7. CSP of Charismathics Smart Security Interface ................................................................... 38 General Proceedings ................................................................................................................. 38 7.1. Smart Card Login to a Windows 2000 Domain .......................................................................... 39 7.2. SSL- Authentication with Smart Card over the Internet Explorer................................................ 39 7.3. Outlook Express with Electronic Signature and Encryption via Smart Card ............................... 40 7.4. 7.5. Windows VPN-Login with Smart Card ....................................................................................... 40 8. PKCS#11-Module of Charismathics Smart Security Interface .............................................. 41 General Methodology ................................................................................................................ 41 Smart Card Login to a Novell eDirectory (formerly NDS) ........................................................... 42 SSL- Authentication with Smart Card over Netscape................................................................. 43 Email-Security by Smart Cards with Netscapes Messenger...................................................... 44 8.1. 8.2. 8.3. 8.4. 9. PKCS#11 module register..................................................................................................... 45 10. References............................................................................................................................ 46 11. Information / Export Restrictions ........................................................................................... 47 Appendix A: Reference for Developers......................................................................................... 48 Functions according to PKCS#11-Standard ........................................................................................... 48 Synopsis of specific functions................................................................................................................. 51 C_Finalize............................................................................................................................ 51 C_GetSlotList ...................................................................................................................... 51 C_GetTokenInfo .................................................................................................................. 51 C_Initialize........................................................................................................................... 51 C_OpenSession .................................................................................................................. 52 C_WaitForSlotEvent ............................................................................................................ 52 Objects .................................................................................................................................................. 53 3 Mechanism ............................................................................................................................................. 55 Sign (RSA):.......................................................................................................................... 55 Verify (RSA):........................................................................................................................ 55 Encrypt (RSA):..................................................................................................................... 57 Decrypt (RSA): .................................................................................................................... 57 Digest (Hashfunctions SHA1, MD2, MD5): .......................................................................... 57 Appendix B: Log Information......................................................................................................... 58 Logger (win):........................................................................................................................ 58 Appendix C: Certificate Attributes (Key Usage) ............................................................................ 59 4 1. Preface Congratulations on your purchase of Charismathics Smart Security Interface!
Charismathics Smart Security Interface provides modules that you need to integrate CardOS M4.01(a), V4.2(b), V4.3(b), JCOP20/30, GemXpresso or ACOS EMV A03 smart cards in to your applications. Beginning with functions for the administration of the card, up to modules supporting the operating system to use the smart card. The following file structures (profiles) are supported:
- Charismathics corporate profile
- PKCS#15 profile
- Carta Nazionale dei Servizi (CNS) profile Charismathics Smart Security Interface comprises five modules:
the administration tool Charismathics Smart Security Interface Manager the user tool Charismathics Smart Security Interface Utility the Register Tool for the automatic registration of the certificates the CSP the PKCS#11-module With the user tool Charismathics Smart Security Interface Utility you can change your user PIN and register your smart card. You can manage your keys and certificates of the smart card with the administration tool Charismathics Smart Security Interface Manager. You can generate, im-
port or export keys and certificates on a CardOS smart card. Furthermore, you can display infor-
mation about the contents of a CardOS smart card, change the PIN of the smart card, unlock the smart card and create new profiles. Charismathics Smart Security Interface-CSP enables you to enhance applications and ser-
vices in a Microsoft environment and their use with a CardOS smart card. Charismathics Smart Security Interface-PKCS#11 enables you to use additional applications and services, that use this standard. PKCS#11-Modules are in use e.g. by Netscape and in Novell environments. Especially you can augment the following applications by smart card applications:
smart card login to Windows Domains or Novell eDirectory
- SSL- Authentication by smart card (Internet Explorer, Netscape, )
email security with cards (PGP, Netscape Messenger, Outlook, Outlook Express, ) 5
- VPN with smart cards (Microsoft, Cisco, ) This manual is meant for system administrators and users, that are entrusted with these tasks. Application developers, who develop their own applications that access modules of Charis-
mathics Smart Security Interface, e.g. PKCS#11, will find additional information in Appendix A. 6 2. About this Manual This manual begins with a description how to install Charismathics Smart Security Interface. If you have acquired Charismathics Smart Security Interface in the admin edition, you will find a description of the administration tool. It contains: how to manage keys and certificates, chang-
ing PINs, unlocking, initializing and personalizing smart cards. If you have acquired Charismathics Smart Security Interface in the user edition, you will find a description of the user tool. It contains: how to change PINs and register your smart card. Furthermore, you will find more precise information regarding the Register Tool, CSP and PKSC#11 and which applications can be employed with smart cards. A reference part consoli-
dates your knowledge. Application developers can find further information in appendix A how to access modules (e.g. accessing PKCS#11) of Charismathics Smart Security Interface, if they intent to develop a proprietary application. Appendix B is a concise description of the certificate attributes, i.e. information about key employment. Admittedly, there is no explanation how to configure environments of Microsoft or other produc-
ers. In these cases, please consult the documentation of the corresponding producer. NOTE: To understand this manual you need basic knowledge in IT-security. Especially, you should be familiar with the following notions: certificate, private, public, and secret key, digital sig-
nature, PKI, etc. If you want to consolidate your knowledge in IT-security and cryptography, there are homepage:
the http://www.charismathics.com/
charismathics informations service area the of in 7 3. Installation Before you can install Charismathics Smart Security Interface the card reader you purchased must be installed according to the producers guidelines and be fully operative. The installation of Charismathics Smart Security Interface is run from the program CD. Please execute the file SETUP.EXE as a user with administrator rights. Follow the installation instructions. 3.1. Installation Requirements If not explicitly required otherwise in the following:
Microsoft Windows NT 4.0 with Service Pack 6a or Windows 2000 with Service Pack 4 or Windows XP with Service Pack 2 or Windows Server 2003 or Windows Vista the PKCS#11 Module Note: During the installation the CSP Module is registered automatically in the Windows operat-
ing system. If there is a Netscape/Firefox version on your computer, there will be the possibility to register file "InstallNet-
scapePKCS11.html". With the help of the file "UninstallNetscapePKCS11.html" this procedure can be cancelled each time. Further the following application are supported:
the Netscape Navigator over the in
- Smart card login to a Windows 2000 or 2003-Domain:
ADS, Enterprise CA, Windows 2000 or 2003 Server and as Client: Windows 2000 Professional or Windows XP Professional
- SSL- Authentication with smart card using Internet Explorer:
Microsoft Internet Explorer 5.0, 5.5 or 6.0, High Encryption Pack, SSL V3 with Strong User Authentication
- Outlook with digital signature and encryption via smart card:
Outlook Express 5.0, 5.5 or 6.0 resp. Outlook 2000
Lotus Notes with digital signature and encryption via smart card:
Lotus Notes 6.5 or higher 8
- Windows VPN-Login with smart card:
Windows 2000 Server and as Client: Windows 2000 Professional or Windows 2003 Server and as Client: Windows 2000 or XP
- Smart card login to Novell eDirectory:
Netware 5.1 SP3, eDirectory 8.6.1, Novell Client 4.83 SP1, NMAS EE 2.0 (with the in-
cluded Universal Smartcard Login Method) with NICI 1.5.7 (Server and Client), NMAS 2.1 (with the included Universal Smartcard Login Method) with NICI 2.4.1 (Server and Client) or higher in each case
- Smart card login to Lotus Notes:
Lotus Notes 6.5 or higher
- SSL- Authentication with smart card with Netscape:
Netscape Navigator 4.72 (High Encryption), 4.73, 4.76, 6.x
- Email-Security via smart cards with the Netscape Messenger:
Netscape Messenger 4.72 (High Encryption), 4.73, 4.76, 7.x
- E-Mail-Security via PGP support (PKCS#11): PGP Personal Desktop 8.1 for Windows
- Compatibility/Smart card administration of the Baltimore-PKI (PKCS#11): Token Man-
ager fr Betrusted Unicert V5.2 for Windows
- Compatibility/Smart card administration of the Entrust-PKI (PKCS#11): Security Man-
ager Administration 7.0
. The products serving as examples do not need any further client requirements; please observe in case of other products the corresponding manuals. 3.2. Supported Smart Cards Charismathics Smart Security Interface supports the following smart cards:
- CardOS M4.01
- CardOS M4.01a
- CardOS V4.2 9
- CardOS 4.2b
- CardOS V4.3
- CardOS V4.3b
- Aladdin eToken
- ACOS EMV A03
JCOP 20 JCOP 30
- GemXpresso Pro R3.2
- NetKey PKS/2000/E4 3.3. Tested Card Readers Please observe, that your card reader has been installed according to the producers specifica-
tions and is operating. Charismathics Smart Security Interface has been tested with the follow-
ing card readers:
- SCM SCR241 PCMCIA
- SCM SCR331 USB
- SCM SCR333
- SCM SCR335 USB
- SCM SCR532 seriell/USB
- Omnikey Cardman 1010 seriell
- Omnikey Cardman 2011 seriell
- Omnikey Cardman 2020 USB
- Omnikey Cardman 3121 USB
- Omnikey Cardman 3620 USB
- ACS38 USB
- ORGA Card Mouse USB Note: All these card readers are PC/SC-readers, since only PC/SC-drivers are supported. Ob-
serve, there is no support for CT-API-drivers. 10 4. Administration Tool: Charismathics Smart Security Interface Man-
ager If you acquired Charismathics Smart Security Interface in the Admin edition, with this tool func-
tions relevant for you are available: like changing your PINs, unlocking smart card, generating profiles, keys and certificates and so on. These functions are now described. 4.1. User Interface After opening the administration tool of Charismathics Smart Security Interface you will see the following interface:
After you insert a smart card into the card reader, you can after one click on the smart card reader select the function "Open Token" with a click on the right mouse button. Alternatively you have the possibility to select this function under the menu "Manager". First you will receive the public information, e.g. name of the smart card, the profile and the free card memory. In this case, it is a CardOS V4.2 smart card with the corporate profile. Furthermore, certificates, public keys, container and data are displayed. 11 To display sensitive data of the smart card, you must login on the card. For this, select the item Login in the menu Token:
Now you are asked to insert your User PIN:
Here Charismathics Smart Security Interface offers you the possibility to register your certifi-
cates in the certificate store of Windows. Thus you can spare the later import of certificates into the operating system. The registration happens by a dialogue; for each certificate you will be asked, whether the registration of this certificate is desired. 12 Next other data, Private Keys and Secret Keys show up on the interface:
One can generate several keys with the corresponding certificates on the card. They will merged in containers. The functions available for you will be described in the following sections in more detail. Tab "Manager"
By this tab you access general functions for operating this tool. 13 Tab "Edit"
By this tab you can call specific functions the smart card provides. Tab "Token"
By this tab you can use the functions regarding the token itself in this case the CardOS smart card. 14 Tab "Key Pair"
This tab provides functions regarding the key pair on the CardOS smart card. Tab "Certificate"
This tab provides access to functions, that you need to work with certificates on the CardOS smart card. 15 Tab "Info"
By clicking the tab "Info" you obtain information about the version of the modules of Charis-
mathics Smart Security Interface and about the producer charismathics gmbh as well as an online link to this manual. 16 4.2. Changing PINs There are 3 PINs on a CardOS smart card: the User PIN, the SO PIN (PIN of the system opera-
tor, i.e. system administrator) and the Card-PIN. There are different functions to use with these 3 PINs:
The User PIN must be entered, if one wants to write on the card (e.g. key generation, storing a certificate), delete objects or when the cryptographic functions (e.g. signing or decryption) are used. The minimal length of the User PIN is four characters and the maximal length is ten charac-
ters. The Default-PIN is "11111111" (these are 8 ones). IMPORTANT: After three wrong inputs the User PIN will be locked. A locked User PIN can be unlocked by the SO PIN sometimes called PUK. The length of the SO PIN is fixed to ten characters. The Default-PIN is "1111111111" (these are 10 ones). The SO PIN will used solely for unlocking the User PIN. There are no functions like Create or De-
lete. IMPORTANT: After ten wrong inputs the SO PIN will be locked. With the Card-PIN one can delete an existing profile on a card by setting up a new profile. The Card-PIN will be determined during the initialization and cannot be changed afterwards. The length of the Card-PIN is ten characters. IMPORTANT: After ten wrong inputs the PIN is locked and the card cannot be deleted anymore. I.e. if the Card-PIN, the SO PIN and the User PIN are locked, the card is useless. You find all functions to change User and SO PIN in the menu "Token", as shown in the following figure:
17 4.3. Unlocking Smart Cards As a security measure a smart card will locked, if a user enters three times a wrong PIN. This provides security, because an unauthorized person can check all possible PINs by trial and error, if you lost your smart card or it has been stolen. But it might happen, that you as legitimate owner of the smart card have entered three times the wrong PIN. In this case the smart card will be locked too. Therefore, you can unlock the smart card with Charismathics Smart Security Interface, if you know the SO PIN. You need the SO PIN to unlock a User PIN. You find the function "Unlock User PIN" in the menu
"Token", as shown in the following figure:
18 4.4. Generating and Importing Keys To use the smart card for digital signatures or encryption, you need a key pair, which is com-
posed of a private and a public key. The private key must be stored very secretly and the public key must be accessible to communication partners by a certificate. These keys and certificates can be generated and managed by the administration tool. In principle there are several possibilities:
1. You can generate keys (key pairs comprising private and public keys and secret keys) with the administration tool of Charismathics Smart Security Interface. 2. You already own a key and/or key pair. Then, you can import the key pair if necessary to-
gether with certificate as a PFX-file. You can store Secret Keys by importing them e.g. with
"Copy and Paste". If you want to use this function, you must first login to the smart card: Confirm the menu "Token"-
>"Login". You can find all the functions to generate and import keys in the menu "Key Pair" and to import certificates in the menu Certificates,. Generation of a Key Pair The generation of a key pair (private and public key) takes place in the menu "Key Pair" over the item "Generate Key Pair". Then, you see these keys in the administration tool in the correspond-
ing container under "public key" and under "private key". 19 If you have a CardOS M4.01, M4.01a or V4.20 smart card they are RSA keys with 512 or 1024 bit. If you have a CardOS V4.30 smart card you can additionally generate RSA-keys with 1536 or 2048 bit. To generate RSA keys with 2048 bit on a CardOS V4.20 smart card you need a pack-
age. There exists also aprofile with ECC support for CardOS M4.01a, which supports curves up to 256 bit length. Importing a Key Pair If you already own a key pair, that you intend to employ, you can import it in the menu "Key Pair"
over the item "Import Key Pair from PFX-File". Thereby you have to enter your password on re-
quest. Remark: The key must be an RSA-key as pfx- or p12-file. Generation of a Secret Key To generate a secret key for encryption highlight Secret Keys and select the item Generate Secret Key in the menu Edit. 20 Here, you can generate a Triple-DES-key with 192 bits, a Triple-DES-key with 128 bits or a DES-
key with 64 bits. Note: Recommended are algorithms with at least 128 bits (Triple-DES). According to present day standard, lesser key lengths can not be considered as secure any more. Importing a Secret Key If you own a secret key, that you want to use, you can import it in the menu "Edit" over the menu item "Store Secret Key". The Secret Key must be specified hexadecimal and be in case of Triple-
DES 192 or 128 bits or in the case of DES 64 bits long. Importing takes place by inserting the bits into the field "Secret Key (hexadecimal)", e.g. copy and paste. 21 4.5. Generation and Import of Certificates In order to use the smart card for digital signatures or encryption you need a key pair comprising a private key and a public key. The public key should be accessible to communication partners by a certificate. These certificates can be generated and managed by the administration tool. In principle there are several possibilities:
1. You can sign the certificate corresponding to a public key by yourself or make a certificate request, such that another instance e.g. a trust center will authenticate the public key. 2. You already have a key and/or certificates. Then, you can import certificates, if needed to-
gether with the corresponding key. Generating self signed Certificates and Certificate Requests You can generate the certificate belonging to a public key by signing it yourself or make a certifi-
cate request, such that another instance e.g. a trust center authenticates the public key. To this end you highlight the Private Key and confirm in the menu "Edit" the item "Create Certificate Re-
quest" to generate a certificate request and the item "Create Self Signed Certificate" to sign the certificate by yourself. In order to generate the certificate, resp. request you enter the data into the corresponding fields. In case of a certificate request you create a file to send it to the authority, that should sign the certificate (e.g. trust center ). Therefore you store the request as a p10-file in a directory and at-
tach it to the email, that you send to the corresponding authority intended to sign the certificate. You have to observe the specifications of the issuing authority (e.g. trust center ). If the certificate of the issuer has been returned, you have to import the certificate over the menu item "Import Certificate". 22 Note: There is an explanation of the certificate attributes and how to employ the keys in the ap-
pendix B of this manual. 23 Import of Certificates In case you already own certificates, that you intent to employ, you can import them over the menu "Certificate" over the item "Import Certificate". Certificates, which belong to key pairs, are directly assigned to the associated "container" after the import. Certificates without keys - as for example CA certificates - are assigned to the file "Certificates". 24 4.6. Creating Profiles If you want to use a smart card, there must be a profile on this smart card. In a first step you have to setup the corporate profile on this smart card. Click the menu "Manager"->"Create Token Pro-
file". in the case of a smart card with profile If there is already a profile on the card and you want to create a new one, the existing one will be deleted as a first step. To this end enter the Card-PIN. If you have created the profile yourself, you have to enter the Card-PIN you have assigned to the card. If it is a Siemens-profile, enter the default-Card-PIN "0987654321" of Siemens. The further proceedings are the same, as in the following section "...in the case of an empty smart card". Please follow the instructions, which are described below. 25 in the case of an empty smart card If the profile is setup (Initialization) on an empty smart card, the "Card-PIN", the "SO PIN", the User PIN and a Serial Number must be defined. Further a Label of the token can be assigned. You can choose a profile if several are available. CSSI supports three profiles (corporate, PKCS#15 and CNS) for CardOS V4.x smartcards, and supports two profiles (corporate and PKCS#15) for JCOP smartcards. With the help of the Card PIN the smart card can be deleted later again and with the SO PIN the smart card can be unlocked. Therefore you should not assign "simple" PINs. The input of the SO PIN and the User PIN is also not displayed in plain text, but through * in the input mask. The input must be also confirmed. Further explanations regarding the PINs can be found in the section 4.2. 26 4.7. Preparing a Smart Card (Initialization and Personalization) In order that a user can employ his smart card, it must be prepared, i.e. the smart card must be initialized and personalized. In a first step you have to setup a profile on the smart card and in a second step setup keys and certificates on the smart card. First Step: Creating a Profile (Initialization) As a first step you must setup a profile on an empty smart card. You proceed as described in section 4.6 "Creating Profiles". Second Step: Creating Keys and Certificates (Personalization) As a second step you must setup for a user key and certificate on the smart card. You have the possibility to either generate keys and certificates or to import them. For this purpose you have a description in section 4.4 "Generating and Importing Keys" and in section 4.5 "Generation and Import of Certificates". 4.8. Further Functions Directory "Certificates"
There is the directory Certificates for all certificates, that are not directly corresponding to a key. These are intermediate certificates, that have to be imported into this directory. For this purpose select the item Import Certificate in the menu Certificate or choose the context menu over the right mouse button. 27 Directory "Data"
A smart card is the safest environment for the private key. Furthermore, the smart card is neces-
sary for application with at least daily logins or authentication. Thus, one carries it often or always around. Therefore it makes sense to store sensitive or necessary data on this medium, e.g. a text file with your PINS. To create data highlight Data and select the item Create Data in the menu Edit. Then, a further window is displayed for you, where you can create your data:
There you have the possibility to access the actual data only, if one is logged on to the smart card. To this end tick the field Save value secured. Your existing data can be deleted, updated or exported:
28 29 Function "Open Token"
The function "Open Token" of the menu "Manager" transfers data from the smart card to the user interface. This is recommended, if you work with different cards or card readers. Function "Delete all" and "Delete Object"
You can delete all objects, as keys and certificates with the function "Delete all" of the menu
"Edit". The function "Delete Object" gives you the possibility to remove objects, keys and certificates. You obtain this second function over the context menu, too: highlight the object, that you want to delete, right-click and chose there the item "Delete Object". Function "Set Default Container"
The function "Set Default Container" of the menu "Edit" is relevant to you, only if you use a smart card for login to a Windows-2000 domain via CSP. If you do not choose a container as Default Container, Windows will take the first key from the list for the login to a Windows-2000 domain via CSP. If you have chosen a Container as Default Container, it will shown in bold face in the interface of the administration tool:
30 Function "Show Certificate"
If you want to display a certificate, use the function "Show Certificate" from the menu "Certificate". You obtain this function over the context menu, too: highlight the certificate, that you want to dis-
play, rightclick and choose there the item "Show Certificate". Then you obtain the information con-
tained in the certificate:
Function "Export Certificate"
If you want to employ a certificate for other applications, you can export it from the smart card with the function "Export Certificate" from the menu "Certificate". You can also obtain this function over the context menu: highlight the certificate, that you want to export, rightclick and choose there the item "Export Certificate". Function "Register Certificate"
The function "Register Certificate" from the menu "Certificate" installs the certificate, that you want to register to make it accessible for Windows-applications (like Internet Explorer or Outlook Ex-
press). You can also obtain this function over the context menu: highlight the certificate, that you want to register, right click and choose there the item "Register Certificate". Additional you can configure the settings regarding the registration in the Register Tool. Read more for this in chapter 6 Register Tool. Function "Check Private Key"
With this function you can test generated keys, e. g. for signing or decryption. First you must be logged on, then highlight the private key you want to test and chose the function Check Private Key from the menu Edit. 31 To test the decryption key write text in the field Plaintext and click on the button Start. If the decrypted text is the same as the Plaintext, the decryption key works all right. To test the signing key you can chose the hash algorithm. If the Verify Result is true, the signing key works all right. 32 Function "Check Secret Key"
With this function you can test generated keys for encryption. First you must be logged on, then highlight the private key you want to test and chose the function Check Secret Key from the menu Edit. You can choose the cryptographic mode for testing the key. The different versions are the Cipher Block Chaining (CBC) and the Electronic CodeBook (ECB). And you can choose ISO or PKCS5 as Padding. To test the encryption key write text in the field Plaintext and click on the button Start. If you know the initializing vector you can insert it; otherwise it will be filled with zero. Is the decrypted text the same as the Plaintext, the encryption key works all right. 33 5. User Tool: Charismathics Smart Security Interface Utility If you acquired Charismathics Smart Security Interface in the user edition, with this tool all relevant functions are available: like changing your pin and the registration of your key/certificates of the smart card. These functions are now described. 5.1. Changing PINs Insert your smart card in the reader and open Charismathics Smart Security Interface Utility:
click on "Start" and then follow the path
"Programs"->"charismathics"->"smart security interface Utility". To change your PIN, first insert the old PIN and then the new PIN, which must be entered a sec-
ond time as confirmation. The minimal length of the User PIN is four characters and the maximal length is ten characters. Click on the button "Change PIN" and you receive a window with the confirmation. IMPORTANT: After three wrong inputs the User PIN will be locked. Please choose a PIN, which you can note well, but which cannot be easily guessed. Avoid e.g. birthdays or simple sequences of numbers like 1234 or 1111. 5.2. Unlock PIN To unlock your PIN, first insert the SO PIN and then the new PIN, which must be entered a sec-
ond time as confirmation. The minimal length of the User PIN is four characters and the maximal length is ten characters. Click on the button "Unlock PIN" and you receive a window with the confirmation. 5.3. Smart card Registration On your smart card are certificates and keys. These certificates must be once registered, so that applications can use these. Particularly it concerns the following registration of the certificate/keys in the Microsoft Windows certificate data base. IMPORTANT: THE REGISTRATION MUST BE ONLY ONCE ACCOMPLISHED. Insert your smart card in the reader and open Charismathics Smart Security Interface Utility:
click on "Start" and then follow the path
"Programs"->"charismathics "->"smart security interface" ->"Charismathics Smart Security Interface Utility". Now click on the tab "Registration" and on this window on the button "Register now". Follow the instructions on the monitor. 34 6. Register Tool If you acquired Charismathics Smart Security Interface in the Admin or in the User edition, this Register Tool makes more functions available for you. To make certificates accessible for Windows-applications like Internet Explorer or Outlook Ex-
press, you can automatically register the certificates from your smart card in the certificate store of Windows. The settings for this registration you can configure in this additional Register Tool. The default functionality is the following: as soon as a smart card is inserted into the card reader, the certificates are automatically registered, if the Register Tool is active. On smart card removal, the certificates are not automatically unregistered. If this is desired, you can adjust this over the
"Settings". You can call the Register Tool of Charismathics Smart Security Interface either over the start-
ing menu or over the tray icon:
Then you get the possibilities of starting the Administration Tool sc/interface Manager or the User Tool sc/interface Utility, to Pause the Register Tool, to configure Settings, to read information or to terminate the Register Tool, which is now explained. 6.1. Start Charismathics Smart Security Interface Manager and Start Charismathics Smart Security Interface Utility If you have the Admin Edition the function Start Charismathics Smart Security Interface Man-
ager gives you the possibility to start the Administration Tool Charismathics Smart Security In-
terface Manager. If you have the User Edition with the function Start Charismathics Smart Secu-
rity Interface Utility you can start the User Tool Charismathics Smart Security Interface Utility. Further explanations concerning this Administration Tool you find in chapter 4 and concerning the User Tool you find in chapter 5. 35 6.2. Pause / Continue If it is not desired that the certificates of the smart card are registered automatically, you can pause the Register Tool. For it you select the point "Pause" in the pop-up menu of the tray icons. Thereupon the tray icon changes, so that one recognises that the Register Tool is set to pause. In order to continue with the automatic registration, you select the now appeared point "Continue" in the pop-up menu of the tray icons:
6.3. Settings The default functionality of the Register Tool is, that certificates are registered automatically, as soon as a smart card is inserted into the card reader. On smart card removal the certificates are unregistered automatically. If this is desired, you can configure this over the "Settings". For this you select the point "Settings" in the pop-up menu of the tray icons and you receive the following dialog:
If you want, that the registered certificates are removed from the certificate store, if you remove the smart card from the card reader, you must activate the field. 36 6.4. About For information about the version of the Register Tools and the manufacturer charismathics gmbh select "About" in the menu of the tray icons:
6.5. Exit With Exit in the menu of the tray icon you can end the Register Tool. 37 7. CSP of Charismathics Smart Security Interface The Windows operating system supports cryptographic functionalities like encryption and digital signature by the so-called Crypto-API. Furthermore, CSPs (Cryptographic Service Providers) en-
able programs to support smart cards. During the installation of Charismathics Smart Security Interface the Charismathics Smart Security Interface-CSP abbr. cmCSP will be added. It supports the CardOS smart card. Now with this cmCSP you can use certain programs and functionalities delivered with Windows 2000, like Outlook Express, Internet Explorer, network login and VPN-login with the CardOS smart card. They will be explained in the following. NOTE: Here, you will not find a description how to configure your Microsoft environment for the use of smart cards. Please consult the help files for Outlook Express and the Internet Explorer. To configure the network login and the VPN-login for smart cards please consult the documentation of the Windows 2000 Server. If you need support for the implementation or realization, charismathicss team can help you. Feel free to contact your account manager. 7.1. General Proceedings General precondition is the installation of the cmCSP. Charismathics Smart Security Interface installs it automatically. In the following some general notes to employ the cmCSP will be given:
If you want to use a Microsoft product in connection with the CSP for the first time on a certain computer, you must register the certificate that you want to use. Please read in chapter 6 Register Tool or in section 4.8 "Register Certificate", if you need to know how to register your own certificate.
> You as a user need keys and certificates on the smart card. There are several different possi-
bilities. The most popular are:
- Generation of key pair and corresponding certificate directly on the smart card with the functions of standard browsers, like Internet Explorer or Netscape. This ensues an access on the modules of Charismathics Smart Security In-
terface, i.e. correspondingly on cmCSP or cmP11. NOTE: Enter into the browser http://<Servername of Enterprise-CA>/certsrv .
- Generation of key pair and corresponding certificate directly on the smart card with the Microsoft Certificate Server (in "Enterprise CA" and in "Stand Alone"
mode). 38 Import of existing keys and certificates on the smart card, that were generated by other CAs or trust centers, resp. request of certificate from a trust center.
- Generation of key pair and corresponding self signed certificate directly on the smart card by the administration tool Charismathics Smart Security Inter-
face. Please observe, that the employment of self signed certificates makes sense only in environments without a PKI or for testing. Note: If you request a certificate from a trust center, you might be requested to choose a security module, e.g. a token. In this case choose the corporate profile, the cmCSP or the cmP11. Furthermore, your smart card has to be inserted in the card reader, so that certificates can be written on it.
> Programs must be configured, so that they work with your smart card.
> The programs must be configured, so that they work with your keys and certificates. There you have to take into account the preconditions of the programs, that need certain input. E.g. some programs need root-certificates, that must be in certain directories or for other programs you must register your certificate. In the following chapters only the special features of the corresponding application will be ex-
plained. 7.2. Smart Card Login to a Windows 2000 Domain Here you should have very good command in the administration of Windows 2000 Servers. You proceed according the following steps:
Step 1 Step 2 Setup of ADS. Please observe the correct configuration of the DNS-Server. Installation of the Enterprise CA and at least the templates "Enrollment Agent",
"Smartcard Logon" and Smartcard User". Then an Enrollment-Agent-Certificate must be generated and registered on the computer, where the smart cards should be personalized. After that the smart cards for users may be issued over the Enrollment Station. Step 4 Furthermore, observe that "Set Default Private Key" must set the private key on the client (see in section 4.8). Step 3 7.3. SSL- Authentication with Smart Card over the Internet Explorer Here you must register the certificate with the administration tool of Charismathics Smart Secu-
rity Interface (see in chapter 6 Register Tool or in section 4.8 "Register Certificate"). 39 7.4. Outlook Express with Electronic Signature and Encryption via Smart Card Here you must register the certificate with the administration tool of Charismathics Smart Secu-
rity Interface (see in chapter 6 Register Tool or in section 4.8 "Register Certificate"). Then choose the desired certificate for signing and encryption over "Tools -> Accounts -> E-Mail ->
Preferences -> Security". Normally, there are pull down menus in the email windows, that you may click encryption and/or signing an email in order to use the security functionalities. The verification of incoming signed emails uses for instance the red "signet" symbol in the right corner of the email window, like here in the example:
In order that Outlook Express automatically acknowledges the right key, resp. certificate, the cer-
tificates should lie in the address book, i.e. the certificate should be imported into the "Digital IDs":
e.g. highlight the name in the address book and choose the tab "Digital IDs" over the context menu. On this tab you can import the certificate for the chosen contact. 7.5. Windows VPN-Login with Smart Card You should generate keys and certificates with the Microsoft Enterprise-CA. Furthermore, you must register the certificate with the administration tool of Charismathics Smart Security Inter-
face (see in chapter 6 Register Tool or in section 4.8 "Register Certificate"). 40 8. PKCS#11-Module of Charismathics Smart Security Interface If you use software, that supports PKCS#11, you can employ Charismathics Smart Security Interface-PKCS#11 -abbreviated cmP11- with the CardOS smart card. Here it is a matter of ap-
plications and functionalities with smart cards, like network login, SSL, email security with Net-
scape, certain Microsoft applications and products of other producers, that are explained briefly. NOTE: Here is no description, how to configure your environment for the employment with smart cards. For this purpose please consult the corresponding help-files of the corresponding pro-
grams. IMPORTANT: cmP11 is a DLL with the name "cmP11.dll and is after the installation in the system directory, e.g. in \WINNT\system32. Remark: Despite strict measures for the quality of PKCS#11 modules by the different manufac-
turers, charismathics gmbh can not guarantee for the compatibility with each PKCS#11 Module of a foreign manufacturer. 8.1. General Methodology In the following some general notes are made for the employment of cmP11. General precondi-
tion is the installation of cmP11. This will be installed automatically by Charismathics Smart Se-
curity Interface.
> You as a user need keys and certificates on the smart card. There are several different possi-
bilities. The most prevalent are mentioned below:
- Generation of key pairs and corresponding certificate directly on the smart card with the functions of standard browsers, like Internet Explorer or Netscape. This ensues access to the modules of Charismathics Smart Security Inter-
face, i.e. corresponding to cmCSP or cmP11. NOTE: For this purpose enter in the browser http://<Servername_of_Enterprise_CA>/certsrv.
- Generation of key pair and corresponding certificate directly on the smart card with Novells Certificate Server.
- Generation of key pair and corresponding certificate directly on the smart card with Microsofts Certificate Server (in "Enterprise CA" mode and in "Stand Alone" mode).
Import of existing keys and certificates on the smart card, that were generated by other CAs or trust centers, resp. requesting a certificate from a trust center. 41
- Generation of key pair and corresponding self signed certificate directly on the smart card with the delivered administration tool of Charismathics Smart Se-
curity Interface. Please observe that the employment of self signed certifi-
cates makes sense only in environments without PKI or for the purpose of test-
ing. NOTE: If you request a certificate from a trust center, you might be requested to choose a security module. Please choose in this case the corporate profile, the cmCSP or the cmP11. Furthermore, your smart card has to be inserted in the card reader, so that certificates can be written on it. As in section 3.3 described, the possibility is offered, to install charismathics's PKCS#11-Module here in Netscape. There is the possibility to install the module manually with the help of the file
"InstallNetsca-pePKCS11.html" and uninstall with
"UninstallNet-
scapePKCS11.html".
> The programs must be configured, so that they can work with your smart card.
> The programs must be configured, so that you can work with keys and certificates. Here you must take into account the preconditions of the programs, that have certain inputs. E.g. some programs need root certificates, that must be in certain directories or for other programs you have to register your certificate. the help of the file In the following chapters only the special features of the respective application will be explained. 8.2. Smart Card Login to a Novell eDirectory (formerly NDS) Here you should have a very good command in the administration of Novell servers and observe the installation preconditions. To realize a smart card login to an eDirectory you explicitly need the product NMAS and the corresponding Universal Smartcard Login Method. 42 8.3. SSL- Authentication with Smart Card over Netscape The notes for the employment of Netscape are presented by the example of version 7. Example: Netscape 7.01 You can call "Manage Security Devices" in Netscape 7.01 over "Edit"->"Preferences"->"Privacy &
Security"->"Certificates". There you can load the cmP11, so that applications like SSL and emails can be employed with smart cards:
Furthermore, you can call the Certificate Manager of Netscape on the same tab by clicking "Man-
age Certificates...". 43 8.4. Email-Security by Smart Cards with Netscapes Messenger The notes for the employment of Netscape and screen shots to manage certificates and modules are available in the example of version 7 in the previous section. Normally, there pull-down menus in the email windows, where you can tick whether an email should be encrypted and/or signed, resp. a function for verification of received signed emails, to employ the security functionality. 44 9. PKCS#11 module register For registration of PKCS#11 module in your Firefox or Netscape/Mozilla browser and email client you can use Charismatics Smart Security Interface PKCS#11 module register. Select your cho-
sen browser and click on button register/unregister. PKCS#11 module register will start your browser for registration of the PKCS#11 module. You can also use this tool to unregister PKCS#11 module. Note: java script must be enabled in your browser. 45 10. References
[PKCS#5]
[PKCS#11]
[MS_CA]
[MS_SC]
http://www.rsasecurity.com/rsalabs/pkcs/index.html http://www.rsasecurity.com/rsalabs/pkcs/index.html HOW TO: Configure a Certificate Authority to Issue Smart Card Certificates in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-
us;Q313274&sd=tech Guidelines for Enabling Smart Card Logon with Third-Party Certification Au-
thorities:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281245 Windows 2000 Server Documentation, Smart card Administration:
http://www.microsoft.com/windows2000/en/server/help/default.asp?ur l=/windows2000/en/server/help/sag_SC_admin.htm 46 11. Information / Export Restrictions Charismathics GmbH 47 Sendlinger St 80331 Munich Germany Release Date: May 31, 2006 Copyright Charismathics GmbH 2002-2006 All rights reserved. Without the express prior written consent of charismathics you must not dis-
tribute, edit or translate copyrighted material. Trade Mark All mentioned software and hardware names are in most of the cases trade marks and are liable to legal requirements. Please observe !
The product delivered to you is liable to export control. Please observe the legal require-
ments of specific countries. For export out of the EU an export approval is necessary. 47 Appendix A: Reference for Developers In this appendix there are detailed specification regarding the supported functions of the PKCS#11-standard, a synopsis of particular functions and a list of objects and mechanisms. These information are useful and necessary for application developers, who want to develop their own applications supporting the cmP11. Functions according to PKCS#11-Standard In the following there are three lists of functions according to PKCS#11-Standard. The list are supported, incompletely supported, and not supported functions by Charismathics Smart Secu-
rity Interface:
Supported Functions:
- C_Finalize
- C_GetInfo
- C_GetFunctionList
- C_GetSlotList
- C_GetSlotInfo
- C_GetMechanismList
- C_GetMechanismInfo
- C_InitPIN
- C_SetPIN
- C_CloseSession
- C_CloseAllSessions
- C_GetSessionInfo
- C_Login
- C_Logout
- C_CreateObject
- C_DestroyObject
- C_GetAttributeValue
- C_SetAttributeValue
- C_FindObjectsInit
- C_FindObjects
- C_FindObjectsFinal
- C_EncryptInit
- C_Encrypt
- C_EncryptUpdate
- C_EncryptFinal
- C_DecryptInit 48
- C_Decrypt
- C_DecryptUpdate
- C_DecryptFinal
- C_DigestInit
- C_Digest
- C_DigestUpdate
- C_DigestFinal
- C_SignInit
- C_Sign
- C_SignUpdate
- C_SignFinal
- C_VerifyInit
- C_Verify
- C_VerifyUpdate
- C_VerifyFinal
- C_VerifyRecoverInit
- C_VerifyRecover
- C_GenerateKeyPair
- C_GenerateKey
- C_GenerateRandom
- C_WrapKey
- C_UnwrapKey
- C_CancelFunction
- C_InitToken
(returns CKR_FUNCTION_NOT_PARALLEL) Incompletely Supported Functions / Deviations
- C_Initialize
- C_WaitForSlotEvent
- C_OpenSession
- C_GetTokenInfo
- C_GetObjectSize
- C_SignRecoverInit
- C_SignRecover
(use C_SignInit)
(use C_Sign) 49 Not supported functions:
- C_GetOperationState
- C_SetOperationState
- C_CopyObject
- C_DigestKey
- C_DigestEncryptUpdate
- C_DecryptDigestUpdate
- C_SignEncryptUpdate
- C_DecryptVerifyUpdate
- C_DeriveKey
- C_SeedRandom
- C_GetFunctionStatus 50 Synopsis of specific functions C_Finalize Parameter:
Description:
pReserved (CK_VOID_PTR) Sessions will be closed. Slots will be closed. Reserved Memory will be freed. pReserved will be ignored. C_Finalize will be called automatically on Finish. If C_Initialize is called n times in succession (without C_Finalize in be-
tween), C_Finalize will only be carried out after the n time. Deviation:
C_GetObjectSize Parameter:
Description:
Deviation:
C_GetSlotList Parameter:
Description:
C_GetTokenInfo Parameter:
Description:
Special Feature:
hSession CK_SESSION_HANDLE hObject CK_OBJECT_HANDLE pulSize CK_ULONG_PTR The size of an object will be returned The returned size, is the minimum size of an object, which means it do not contain id. The size of private objects are default values. attributes label, extra size like the for or
(CK_SLOT_ID_PTR)
(CK_ULONG_PTR) tokenPresent (CK_BBOOL) pSlotList pulCount Returns a list of identified Slots. It might occur, that installed but not connected Slots will be in the list. The number of Slots may be obtained by passing pSlotList a Null-Pointer. If you want only the Slots with an inserted card, set tokenPresent to true. slotID (CK_SLOT_ID) pInfo (CK_TOKEN_INFO_PTR) Returns whether a card is inserted in a Slot. If the card is not inserted, CKR_TOKEN_REMOVED will returned. Inserting or removing a card from a Slot, is an Event (see C_WaitForSlotEvent). If C_GetTokenInfo will be called, the Event will be fin-
ished, even if the card was removed and C_GetTokenInfo CKR_TOKEN_NOT_PRESENT has been returned. C_Initialize Parameter:
CinitArg (CK_VOID_PTR_PTR) 51 Description:
Deviation:
C_OpenSession Parameter:
Description:
Deviation:
Special Feature:
C_WaitForSlotEvent Parameter:
Description:
Special Feature:
Libary will be initialized. Slots will be created. Inserted cards are read. CinitArg is expected in the format CK_C_INITIALIZE_ARGS. From these the flags are picked out, in particular CKF_LIBRARY_CANT_CREATE_OS_THREADS which decides over Multi threading. The rest is ignored. If C_Initialize is called several times, CKR_CRYPTOKI_ALREADY_INITIALIZED is returned. The number is taken in account (see C_Finalize). slotID (CK_SLOT_ID) flags (CK_FLAGS) pApplication (CK_VOID_PTR) Notify (CK_NOTIFY) phSession (CK_SESSION_HANDLE_PTR) Opens a new session on the Slot. Notify and pApplication are ignored and should be set to NULL_PTR. Sessions can only be opened, if a card is inserted. If a session is opened and then the card will be removed, all sessions on the Slot will return CKR_DEVICE_REMOVED. If there is an error with CKR_ DEVICE_REMOVED, CKR_TOKEN_NOT_RECOGNIZED or CKR_TOKEN_NOT_PRESENT a pauseAllSessions is automatically pro-
duced on this Slot. If a paused session is used again, this session will be reopened automati-
cally. If a card is inserted into or removed from a Slot, then this is an Event (see C_WaitForSlotEvent). If C_OpenSession is called, the Event will be fin-
ished, even if the card has been removed and C_OpenSession returned CKR_TOKEN_NOT_PRESENT.
= NULL_PTR
(CK_FLAGS)
(CK_SLOT_ID_PTR)
(CK_VOID_PTR) flags pSlot pReserved flag
= 0;
The method waits until a Slot reports an Event. Then it returns the Slot with the Event in pSlot. flag The method displays the Slot with Event in pSlot. If there is no Event, CKR_NO_EVENT will be returned. If more Slots have an Event, they will be returned interchangeably. An Event persists until an access to the card occurs (e.g. by C_OpenSession or C_GetToken_Info), even if an error will be returned to the card.
= CKF_DONT_BLOCK 52 Access Read only Read/write read/write read/write read only read only read only(**) read only read only read only read only(**) Value CKO_CERTIFICATE
<alias>
<certificate> X509Format (DER)
<number>
CKC_X_509 TRUE FALSE
<alias>
<alias>
<number>
TRUE/FALSE Objects All objects will be stored on the card (CKA_TOKEN = true). Session- or other software-objects will not be supported. The ID (CKA_ID) indicates, which objects belong together. CKO_CERTIFICATE (CKC_X_509) Certificate in X.509 format Attribute CKA_CLASS CKA_LABEL CKA_VALUE CKA_ID CKA_CERTIFICATE_TYPE CKA_TOKEN CKA_PRIVATE CKA_SUBJECT CKA_ISSUER CKA_SERIAL_NUMBER CKA_MODIFIABLE
(**) returns no error on trying to write. CKO_PRIVATE_KEY (CKK_RSA) Attribute CKA_CLASS CKA_LABEL CKA_ID CKA_KEY_TYPE CKA_TOKEN CKA_PRIVATE CKA_SUBJECT CKA_SENSITIVE CKA_DECRYPT CKA_SIGN CKA_SIGN_RECOVER CKA_UNWRAP CKA_MODULUS CKA_PUBLIC_EXPONENT Value CKO_PRIVATE_KEY
<alias>
<number>
CKK_RSA TRUE TRUE
<alias>
FALSE TRUE TRUE FALSE FALSE Pkcs12 Format Pkcs12 Format 53 Access read only read/write read/write read only read only read only read only(*) read only read only(**) read only(**) read only(**) read only(**) read only read only not readable not readable not readable not readable not readable not readable read only(**)
(***) read only(**) read only(**) Access read only read/write read/write read only read only read only read only(*) read only(**) read only(**) read only(**) read only(**) read only read only read only(**)
(***) Pkcs12 Format Pkcs12 Format Pkcs12 Format Pkcs12 Format Pkcs12 Format Pkcs12 Format TRUE TRUE
<empty>
<empty>
FALSE TRUE CKA_PRIVATE_EXPONENT CKA_PRIME_1 CKA_PRIME_2 CKA_EXPONENT_1 CKA_EXPONENT_2 CKA_COEFICIENT CKA_MODIFIABLE CKA_LOCAL CKA_START CKA_STOP CKA_EXTRACTABLE8 CKA_NEVER_EXTRACTABLE2
(*) can only be read, if a corresponding certificate exists
(**) returns no error on trying to write.
(***) is not supported CKO_PUBLIC_KEY (CKK_RSA) Attribute CKA_CLASS CKA_LABEL CKA_ID CKA_KEY_TYPE CKA_TOKEN CKA_PRIVATE CKA_SUBJECT CKA_ENCRYPT CKA_VERIFY CKA_VERIFY_RECOVER CKA_WRAP CKA_MODULUS CKA_PUBLIC_EXPONENT CKA_MODIFIABLE CKA_LOCAL CKA_START CKA_STOP
(*) can only be read, if a corresponding certificate exists
(**) returns no error on trying to write Value CKO_PUBLIC_KEY
<alias>
<number>
CKK_RSA TRUE FALSE
<alias>
TRUE TRUE TRUE FALSE pkcs12 Format pkcs12 Format FALSE TRUE
<empty>
<empty>
54
(***) is not supported CKO_DATA General Data Value Attribute CKO_DATA CKA_CLASS
<alias>
CKA_LABEL
<data>
CKA_VALUE TRUE CKA_TOKEN FALSE CKA_PRIVATE
<alias>
CKA_APPLICATION CKA_ MODIFIABLE TRUE
(**) returns no error on trying to write. Access read only read/write read/write read only read only(**) read/write read only(**) Mechanism Sign (RSA):
Description:
Order:
Signs data C_SignInit, C_SignUpdate, C_SignFinal or C_SignInit, C_Sign C_Sign works as if C_SignUpdate and then C_SignFinal were called. C_SignUpdate processes the data immediately. Special Feature: Order C_SignInit, C_Sign(C_SignUpdate, C_SignFinal), C_Sign
(C_SignUpdate, C_SignFinal) where on the first C_Sign (resp. C_SignFinal) NULL_PTR will be passed for the signature and only the length of the signa-
ture will be returned. The signature will be returned on the second C_Sign
(resp. C_SignFinal). If C_SignUpdate is called for the second time, the data must match with the data of the first time. A third call is not possible. For an-
other signature C_SignInit must be called first. Verify (RSA):
Description:
Order:
Verifies a signature. VerifyRecover returns only the data (normally as a hash-
value) C_VerifyInit, C_VerifyUpdate, C_VerifyFinal or C_VerifyInit, C_Verify or C_VerifyRecoverInit, C_VerifyRecover C_Verify works as if _VerifyUpdate and then C_VerifyFinal were called. C_VerifyUpdate stores data only temporarily. C_VerifyRecover returns the signed data. 55 Special Feature: Order C_VerifyRecoverInit, C_VerifyRecover, C_VerifyRecover, where on the first C_VerifyRecover a NULL_PTR will be passed as data. It returns only the length of the data. The data will be returned on the second C_VerifyRecover. A third call is not possible. For further verifications C_VerifyRecoverInit must be called first. 56 Encrypt (RSA):
Description:
Order:
Encrypts data. C_EncryptInit, C_EncryptUpdate, C_EncryptFinal or C_EncryptInit, C_Encrypt C_Encrypt works as if C_EncryptUpdate and then C_EncryptFinal were called. Special Feature: C_EncryptUpdate stores the data temporarily. And you can pick up finished data with C_EncryptUpdate. If you dont do this, you receive with C_EncryptFinal all data at one time. The data is however only once available!
Decrypt (RSA):
Description:
Order:
Decrypts data. C_DecryptInit, C_DecryptUpdate, C_DecryptFinal or C_DecryptInit, C_Decrypt C_Decrypt works as if C_DecryptUpdate and then C_DecryptFinal were called. Special Feature: C_DecryptUpdate stores the data temporarily. And you can pick up finished data with C_DecryptUpdate. If you dont do this, you receive with C_DecryptFinal all data at one time. The data is however only once available!
Digest (Hashfunctions SHA1, MD2, MD5):
Description:
Order:
A hash value is calculated from the data. C_DigestInit, C_DigestUpdate, C_DigestFinal or C_DigestInit, C_Digest C_Digest works as if C_DigestUpdate and then C_DigestFinal were called. C_DigestUpdate processes the data immediately. 57 Appendix B: Log Information Logger (win):
Description:
Settings:
Log all CSP/PKCS11 function calls to a file. One entry contains the function name, the parameter before and after the function call and the result of the function. Private information are hidden by a static string [---------------------------
----------------------], so only the length are readable. The settings are written in the registry at HKEY_LOCAL_MACHINE, Soft-
ware\charismathics\smart security interface. LogFile_mode can be 0 for off or 1 for on.
[HKEY_LOCAL_MACHINE\SOFTWARE\ charismathics\smart security inter-
face]
"CSP_LogFile_name"="c:/CSP_log.txt"
"PKCS11_LogFile_name"="c:/PKCS11_log.txt"
"LogFile_mode"=dword:00000001 58 Appendix C: Certificate Attributes (Key Usage) The different uses of a key pair are shown by the example of a self signed certificate:
These are briefly explained in the following:
1. Digital Signature: Here you can verify digital signature (except those under two named purposes) e.g. authentication. 2. Authorized for Documents: Here you can verify signatures, that check the liability and bindingness of documents (except signatures of certificates and CRLs of CA). 3. Key Encryption: Encryption of keys for the purpose of their transmission. 4. Data Encryption: Encryption of data for the purpose of transmission, but not of keys. 5. Key exchange: Employment of the key to agree on other keys, e.g. a Diffie-Hellman key. 6. Signing the CRL: Employment of the public key to sign a CRL (Certificate Revocation List). 59
frequency | equipment class | purpose | ||
---|---|---|---|---|
1 | 2009-06-12 | JBP - Part 15 Class B Computing Device Peripheral | Class II permissive change or modification of presently authorized equipment | |
2 | 2007-07-10 | JBP - Part 15 Class B Computing Device Peripheral | Original Equipment |
app s | Applicant Information | |||||
---|---|---|---|---|---|---|
1 2 | Effective |
2009-06-12
|
||||
1 2 |
2007-07-10
|
|||||
1 2 | Applicant's complete, legal business name |
Charismathics GmbH
|
||||
1 2 | FCC Registration Number (FRN) |
0016244725
|
||||
1 2 | Physical Address |
Sendlinger Strasse 47
|
||||
1 2 |
Muenchen, N/A 80331
|
|||||
1 2 |
Germany
|
|||||
app s | TCB Information | |||||
1 2 | TCB Application Email Address |
k******@emcc.de
|
||||
1 2 |
k******@emcc.de
|
|||||
1 2 | TCB Scope |
A1: Low Power Transmitters below 1 GHz (except Spread Spectrum), Unintentional Radiators, EAS (Part 11) & Consumer ISM devices
|
||||
app s | FCC ID | |||||
1 2 | Grantee Code |
U5Y
|
||||
1 2 | Equipment Product Code |
AAB
|
||||
app s | Person at the applicant's address to receive grant or for contact | |||||
1 2 | Name |
D****** P****
|
||||
1 2 | Title |
Technical RESP
|
||||
1 2 | Telephone Number |
+49 8********
|
||||
1 2 | Fax Number |
+49 8********
|
||||
1 2 |
d******@charismathics.com
|
|||||
app s | Technical Contact | |||||
n/a | ||||||
app s | Non Technical Contact | |||||
n/a | ||||||
app s | Confidentiality (long or short term) | |||||
1 2 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes | ||||
1 2 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
if no date is supplied, the release date will be set to 45 calendar days past the date of grant. | ||||||
app s | Cognitive Radio & Software Defined Radio, Class, etc | |||||
1 2 | Is this application for software defined/cognitive radio authorization? | No | ||||
1 2 | Equipment Class | JBP - Part 15 Class B Computing Device Peripheral | ||||
1 2 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | USB KEY | ||||
1 2 | USB Key | |||||
1 2 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No | ||||
1 2 | Modular Equipment Type | Does not apply | ||||
1 2 | Purpose / Application is for | Class II permissive change or modification of presently authorized equipment | ||||
1 2 | Original Equipment | |||||
1 2 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | No | ||||
1 2 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No | ||||
1 2 | Is there an equipment authorization waiver associated with this application? | No | ||||
1 2 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No | ||||
app s | Test Firm Name and Contact Information | |||||
1 2 | Firm Name |
Prima Ricerca & Sviluppo S.r.l.
|
||||
1 2 | Name |
E****** B******
|
||||
1 2 | Telephone Number |
39-03********
|
||||
1 2 | Fax Number |
39-03********
|
||||
1 2 |
e******@primaricerca.it
|
|||||
Equipment Specifications | |||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
1 | 1 | 15B | |||||||||||||||||||||||||||||||||||||||
Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number | |||||||||||||||||||||||||||||||||
2 | 1 | 15B |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details
This product uses the FCC Data API but is not endorsed or certified by the FCC