
iKey 2000 Series Software
Version 4.7.0
Maintenance Update 18

iKey 2000 README.TXT

Copyright (c) 1998-2004 SafeNet Inc. All Rights Reserved.
---------------------------------------------------------------------------

Thank you for choosing the iKey 2000 Series Software from SafeNet, Inc!

This README file provides information on new features and functions, operational limitations, known issues with this version of the software, and corrections made since the last version. It also includes information on how to report problems.

Please see the User's Guide for detailed installation and operating instructions. The "iKey 2000 Series User's Guide" is provided in online format on the software CD. This manual is in Adobe Acrobat format--to view it you will need version 3.0 or later of Acrobat Reader.

Visit the SafeNet Web site at for the most up-to-date product information.

----------------------------
Table of Contents
----------------------------
1.0 Operating Environment
    1.1 Restrictions
    1.2 PC/SC Support
2.0 What's New in The 4.7.0 Release?
    2.1 Problems Fixed in This Maintenance Update Release
3.0 Known Issues in This Maintenance Update Release
    3.1 Issues for Entrust Users
    3.2 Issues for Netscape Users
    3.3 Installation Issues
    3.4 User Issues
    3.5 Developer Issues
4.0 Files Included in This Release
    4.1 Quality Agent Help Utility
    4.2 Setup Utility and Verification Tool
    4.3 Acknowledgements
5.0 Previous Release Information
6.0 Export Restrictions
7.0 Reporting Problems

---------------------------------------------------------
1.0 OPERATING ENVIRONMENT
---------------------------------------------------------
The iKey 2000 Series Software supports the following operating systems:

    Windows XP Professional, SP1
    Windows 2000, SP2
    Windows NT4, SP6a
    Windows 98 SE

This release supports the following iKey USB token models:

    iKey 2000 (8K of memory)
    iKey 2032 (32K of memory)
    iKey 2032 FIPS (32K of memory)

The Datakey Model 330 Smartcard is also supported.

Drivers are supplied for the following:

    iKey token
    Datakey Model DKR610 smart card reader

----------------------------
1.1 Restrictions
----------------------------
1) Windows XP and 2000 smart card logon only works with an iKey 2032 in PC/SC mode.
2) 2048-bit functions only work in a Windows XP or 2000 environment. Windows NT support of 2048-bit functions is limited, and NOT recommended. 2048-bit functions are NOT supported at all in a Windows 9x environment.

----------------------------
1.2 PC/SC Support
----------------------------
The iKey 2000 Series Software now uses the PC/SC resource manager as an alternative smart card reader source when used with the iKey 2032 token or Model 330 smart card. The list below shows the readers that have had preliminary testing. Other readers may work, but have not been qualified. Operation is limited to iKey 2032 tokens and Model 330 smart cards and a maximum key length of 1024-bits with these PC/SC readers, except for the iKey Virtual Reader, which supports 2048-bits in a Windows 2000 or XP environment only.

1. SafeNet Virtual Reader for iKey
2. Gemplus GCR410 or DKR610 serial port reader

---------------------------------------------------------
2.0 WHAT'S NEW FOR THE 4.7.0 RELEASE?
---------------------------------------------------------
The following features are new in this release:

- After loading a Windows 2000 Logon certificate, the CIP Utility sets it as default to follow Microsoft guidelines.
- The Update Token command is now extended to save the Certificate Friendly name that is set by the user using Internet Explorer.
- The Token Utilities application has been replaced with CIP Utilities.
- Minor modifications to library files were made to support FIPS-configured tokens.
- Changed the iKey 2000 middleware to run as a service.
- Added the Auto Cert Registration Utility. This utility puts all public certificates stored on a token into the Microsoft Windows Certificate Store for use in CAPI applications.
- Installation now always registers the iKey for Windows 2000 and XP logon.
- Added a P12 (PKCS#12) import API.
- PKCS#11 Version 2.01 library is installed by default for all Entrust users. It will not be installed if the PKCS #11 Version 1.0 library is already installed.
- All functions within CIP Utilities are configurable, allowing each issuer to determine what is delivered to the end user.
- Added automated PKCS#11/CSP interoperability into the iKey 2000 software. This allows all objects put onto a token using the iKey 2000 4.7 software to be available for use by CAPI applications. This has been referred to as the "Dual Headed Driver" functionality. In past releases, this was a manual step.
- Updated the iKey PC/SC driver to version 3.4.5.
- The CSP encrypts the PIN at 128-bit instead of 40-bit.
- The following attributes are now fully implemented:
    CKA_MODIFIABLE
    CKA_EXTRACTABLE
    CKA_LOCAL
    CKA_NEVER_EXTRACTABLE
    CKA_ALWAYS_SENSITIVE
- Key Usage is now displayed in CIP Utilities.
- C_Initialize now returns CKR_CRYPTOKI_ALREADY_INITIALIZED for tokens that have been previously initialized.
- C_Encrypt_Final returns buffer size for symmetric key functions.
- Support for Windows XP Professional
- Newly supported third-party applications:
    Entrust 6.1
    Microsoft VPN

----------------------------
2.1 Problems Fixed in This Maintenance Update Release
----------------------------
CIP 4.7.0 ( Maintenance Update 18
---------------------------------------------------------------------
SCR 1645 - crash when using a cert with a very long subject name
SCR 1635 - Microsoft CSP Test Suite - KP_SALT_EX not supported
SCR 1634 - Microsoft CSP Test Suite - CryptGetKeyParam(KP_SALT) fails to return required size
SCR 1632 - PINs are sent to the smartcard in clear text
SCR 1631 - Pre-existing FIPS mode tokens don't work with MU17.1 unless initialized
SCR 1614 - Errors in the pin inactivity timer corrected
SCR 1611 - Card login required for each private operation does not work
SCR 1605 - C_Login() with PIN="",length=0 returns CKR_OK
SCR 1604 - Friendly name configuration changes
SCR 1603 - apps don't always shutdown on XP Fast User Switch boxes
SCR 1600 - CIP Utilities MU17 gets floating point error when viewing some data objects
SCR 1598 - Delete on removal option in the install
SCR 1597 - Unable to create generic secret keys on-token
SCR 1593 - Disable data object compression on Identrus cards
SCR 1587 - MU15 and above can't do 'set default container' on MU3 tokens
SCR 1586 - Support for Netscape 7.x in CIP
SCR 1584 - C_Encrypt() with NULL output data does not return size
SCR 1581 - Microsoft CSP Test Suite - Can't sign using exchange keys
SCR 1579 - Microsoft CSP Test Suite - CryptAcquireContext with CRYPT_DELETEKEYSET fails
SCR 1561 - Fast user switching error when another user is already logged in
SCR 1530 - Token Server fails to start on Windows 2003 Server
SCR 1520 - CIP references dkck132e on computer with only Entrust RA
SCR 1509 - PIN dialog does not show which card it is requesting PIN for
SCR 1477 - Inactivity timer display box doesn't show actual values
SCR 1411 - CSP doesn't support PP_KEYSPEC param
SCR 1270 - C_Encrypt and C_Decrypt don't return CKR_BUFFER_TOO_SMALL

-----------------------------------------------------
3.0 KNOWN ISSUES IN THIS MAINTENANCE UPDATE RELEASE
-----------------------------------------------------
The following are known issues in this release of the iKey 2000 Series Software. For more detailed information on these issues, please see the iKey 2000 v4.7.0 with MU 18 Release Notes, included in your iKey 2000 package.

----------------------------
3.1 Issues for Netscape Users
----------------------------
Registering the iKey 2000 software with Netscape will, by default, register the DKCK232.DLL. If PKCS#11 Version 2.01 commands are needed in a Netscape environment, the DKCK201.DLL can be manually registered. A Netscape profile must be available at time of install, or registering the DLL will fail.

----------------------------
3.2 Installation Issues
----------------------------
- Repair mode is not reliable. In order to replace existing components with originals, it is recommended you uninstall the software first. Then, reinstall from the original media.
- Under the AS version, removing the component will result in an error message indicating that the "Install source cannot be located..." However, this will not prevent proper un-installation. Upon this error message, click OK to continue the un-installation.
- When installing or upgrading to v4.7.0 of the iKey 2000 Series Software, all smart cards and tokens must be removed from the system. If they are not removed, installation will fail.
- Upgrading is not supported with the iKey 2000 Series Software. In order to install a newer version, prior versions must be removed.
- After the system is rebooted following installation, you must log on as a user with Admin rights. This is to complete the installation of components.

----------------------------
3.4 User Issues
----------------------------
- dkTools - CertAddEncodedCertificateToStore fails on plugging in the token
- Cryptoki does not enforce the token inactivity timer.
- A maximum of 20,000 bytes can be written to the token in one chunk. This is the same as v.4.6.
- Windows 9x will only support one PC/SC smart card reader connected at a time. Please see the iKey Driver readme.txt file for more information about this issue.
- There is no logging under Windows 95.
- After loading a Windows 2000 Logon certificate, the container name cannot be changed. If it is changed, logon will fail.
- To fully complete installation of the iKey 2000 software, the user who logs on after rebooting at the end of the installation process must have sufficient access rights to modify the HKEY_LocalMachine section of the registry, as well as the Windows "Win32" folder. These access rights are typically associated with system administrators ("Administrator privileges"). Windows may hang after installation if not rebooted by a user who has Administrator privileges.
- On a Windows NT machine, if "Other PC/SC Reader" is selected and there is no PC/SC reader installed, the iKey 2000 software will fail.
- PIN activity timer does not work in a Windows NT environment.
- Removing and re-inserting an iKey quickly, multiple times, causes the Auto Cert Registration Utility to crash. If this occurs, restart the DKAutoReg Utility, or reboot.
- When uninstalling the iKey 2000 software, the installation folders are not deleted.
- In CIP Utilities, after the Test Token operation is run for the first time, 64 bytes of token memory is no longer available.
- CIP Utilities crashes if closed during a Test Token operation.
- When waking a laptop system from the Standby or Hibernate mode, you must remove and reinsert your iKey to resume using CIP Utilities.
- After the Auto Cert Registration Utility completes certificate registration, CIP Utilities is not automatically refreshed.
- When used in a 40-bit weak encryption environment, you cannot send an encrypted message in Outlook using an iKey 2000 token. iKey 2000 series tokens are configured for use only in a strong encryption (1024-bit) environment. Please contact SafeNet Technical Support for more information about this issue.

----------------------------
3.5 Developer Issues
----------------------------
- C_GetAttributeValue returns incorrect attributes.
- C_Find will sometimes return incorrect objects when a search template is used.
- Using C_EncryptInit or C_Encrypt with a key generated with the CKM_DES3_KEY_GEN attribute returns CKR_MECHANISM_INVALID

-----------------------------------------------------
4.0 FILES INCLUDED IN THIS RELEASE
-----------------------------------------------------
The iKey 2000 software is made up of several hardware and software components:

- iKey 2000 Getting Started Guide and User's Guide
    Provides detailed information needed to install this software and to configure compatible applications to use the hardware and software provided.
- iKey 2000/2032 Token
    SafeNet's ISO-configured, FIPS 140-1 Level 2-certified token
- dkcktkn.exe
    Token server. Manages one or more connected reader/writer devices.
- dkstartup.exe
    Executable that can invoke other executable files after installation.
- dklog.exe, dklog.dll, dklogmsg.dll
    CIP logging services.
- dkcip.log
    Log for CIP Utilities. CIP has its own logger that is independent of any other CIP component.
- dkck132.dll
    Datakey's implementation of the Cryptoki Version 1.0 API. May be used with any application that has been designed to use the industry standard PKCS#11 v1 API.
- dkck132e.dll
    Datakey's implementation of the Cryptoki Version 1.0 API specific to Entrust. Used with Entrust Client Release 3.0 and above only.
- dkck201.dll
    Datakey's implementation of the Cryptoki Version 2.01 API. May be used with any application that has been designed to use the industry standard PKCS#11 v2.01 API.
- dkck232.dll
    Datakey's implementation of the Cryptoki draft Version 2.0 API subset currently used with Netscape Communicator 4.0 and above. It is only supported in this role.
- dkrsacsp.dll
    Datakey's implementation of an RSA 1024 token-based Cryptographic Service Provider.
- dkdsacsp.dll
    Datakey's implementation of a DSA 512 token-based Cryptographic Service Provider.
- dkcert.dll
    Datakey's X.509 certificate and PKCS#12 implementation.
- dkcktknmsg.dll
    Contains the text of the messages DKCKTKN sends to the event logger.
- dktool.dll
    Library used to import certificates to a token.
- pbbase.dll
    Associate library file for dkcktkn.exe.

--------------------------
4.1 Quality Agent Help Utility
--------------------------
The Quality Agent Help Utility, QAgent.exe, will assist you in collecting information necessary to troubleshoot problems. The application is QAgent.exe. Run Quality Agent whenever you need to send information on a problem to Technical Support. You can use the Help Wizard in the application to assist you in filling out the necessary information that will be helpful. All information transmitted to Technical Support can be previewed in the report before it is sent. Information from the Registry, DLL versions, ports, readers, and iKey specific files are recorded in the report. You can set the scope of information collected in the Settings option of the Quality Agent application.

The application uses the system e-mail, CIP Utilities, and WinDiff.exe to assist with advanced troubleshooting problems. If these applications are not installed, the application will still properly collect information and create a report form that can be sent to Technical Support. The application will run on Windows 98, NT, 2000 and XP operating systems and requires no other application to run in its basic mode. For advanced features, contact Technical Support for assistance.

----------------------------------
4.2 Setup Utility and Verification Tool
----------------------------------
The Setup Utility and Verification Tool, SUV.EXE, is run automatically after installing the iKey 2000 software and rebooting the machine. It is run only once at startup. After the initial reboot, SUV.EXE is removed from the RunOnce registry. It is designed to catch potential installation reader selection errors and provide the user an option to reselect the choices made. It can also be run manually by activating the SUV.EXE application on the command line or from the Start/Run options.

----------------------------------
4.3 Acknowledgements
----------------------------------
This product includes cryptographic software written by Eric Young (

-----------------------------------------------------
5.0 PREVIOUS RELEASE INFORMATION
-----------------------------------------------------
----------------------------
2.1 Problems Fixed in This Maintenance Update Release
----------------------------
>>4.7.0 MU15<<

The following files were updated:

- CIPUtils.exe
- DKTools.dll
- dkAutoReg.exe
- DkCert.dll
- Dkck132.dll
- Dkck201.DLL
- Dkcktkn.exe
- dkdsacsp.dll
- dklog.dll
- dklog.exe
- dkrsacsp.dll
- PinUtil.exe
- PinUtil.dll

The following issues were fixed:

-[66340] Future installer of iKey 2000 software should cleanly uninstall
-[67214] Provide option to disable changing container name or option to synchronize the container name
-[68007] Token Utilities loses IE Friendly names
-[68461] Passphrase Utility - Buttons text needs to be in Sentence case
-[68668] CryptAcquireContext is considerably slower than previous versions

-[68899] CIP fails to initialize with Error 190.
-[69241] Support of PKCS #1 format on private key decryption.

>>4.7.0 MU12<<

-[66084] The help file cannot be accessed by clicking on the Help button for Change Inactivity Timer
-[66102] CIP Utility: Auto refresh required to display the public key attributes for the .pfx file imported onto the iKey 20XX
-[66103] Can't import p12 file that has no password
-[66774] When changing to a new default logon certificate, a reboot is required for changes to take effect on Windows 2000
-[67155] Loading and unloading dkck201 library causes the handle count to increment
-[67603] PassPhrase utility displays unrecognized token error msg in infinite loops until the unsupported token is removed
-[67655] Provide support for PP_PROVTYPE using CryptGetProvParam
-[67821] Provide common error message for Pin Block detection
-[68054] GetMechanismList does not report DH functions, yet they do work and are supported
-[68115] CIP crashes under Windows XP after importing a certificate
-[68121] After a remote desktop connection, the token is no longer recognized.
-[68359] CIP utility will not allow removal of certificate

>>4.7.0 MU3.3R<<

- Certificate parsing has been improved in CIP Utilities.
- Warning dialog boxes in CIP Utilities have been resized to eliminate scrolling.
- CIP Utilities Help files are now context sensitive.
- The Maintenance Update version is now displayed in the CIP Utilities About box.
- The Enter key is now honored in the CIP Utilities interface.
- CIP Utilities configuration has been improved.
- In CIP Utilities, refreshing after a certificate is imported is now automatic.
- Cycling a token no longer intermittently crashes CIP Utilities.
- A Help link and button has been added in the Pass Phrase Utility.
- The Pass Phrase Utility now automatically detects token insertion and removal.
- Automatic certificate registration (ACR) adds public key to token for Entrust certificates.
- FIPS tokens will now honor 2048-bit RSA functions (OS and reader restrictions apply).
- Enhanced certificate libraries for FIPS and parsing of certificates.
- Improved certificate handling/import functionality.
- Creation of cache files can be disabled via a registry setting.
- Test Token function in CIP Utilities failed when executed with FIPS tokens.
- FIPS tokens can be initialized via CIP Utilities.
- Cryptoki library no longer reports unsupported mechanisms.
- Tokens can be recognized by different versions of iKey 2000 software.
- Microsoft Hotfix Q328145 applied to Windows 2000 or Windows XP no longer invalidates SafeNet's digitally signed driver.
- Help file bitmaps updated, and context sensitive responses enabled.
- In DkCert.dll, updated parsing of certificates and improved certificate handling.
- CIP Utilities now operates correctly with certificates without a container name. This fix is located in DkTools.dll.
- CIP Utilities provides correct feedback when pass phrases are too long or too short.
- Updated header files and two updated dkck*.lib files are included.

>>Version 4.7.0<<

- Incorrect slot description in Datakey PKCS#11 module.
- Can't import a CheckPoint certificate using Token Utilities
- Memory leak on Windows NT4.
- CSP logged numerous events (both normal and error events), even when the logging option was not selected.
- Token occasionally not detected after removal and re-insertion on Windows 98 systems.
- A .P12 file with root certificate caused Token Utilities to crash.
- Imported certificate not recognized by CheckPoint SecuRemote NG.

- iKey 2000 software not interoperable with other iKey products.
- Entrust TruePass 6.0 did not work as intended.
- On Windows 2000 systems, after rebooting, tokens were occasionally unrecognizable.
- In the PassPhrase Utility, blocking a token caused incorrect error message to appear, and an initialization failure.
- On Windows 98 systems, you could not request a digital certificate from Verisign ( in Internet Explorer 5.5 or Netscape 4.6.

>>Version 4.6.10<<

- Added PassSafe, a password management utility which can store user names and passwords on a token.
- Fixed: Applications can access a token through separate Datakey Crypto DLLs.
- Fixed: Certificate viewing and P12 import problems in Token Utilities.
- Verified that the Datakey CSP enforces timeout value set on token.
- Fixed: Token Utilities "Cancel" button when viewing certificates.
- Changed "Friendly Name" label to "Common Name" when viewing certificates in Token Utilities.
- Fixed: In Netscape, the second certificate on the token can be used for authentication.
- Fixed: Token swapping problems in Token Utilities.
- CIP Startup and Shutdown improved.
- Fixed: Token Utilities no longer errors when no token detected at startup.
- Fixed: Token initialization problems for a token used in Windows 2000 logon.
- Fixed: "0 bit encryption error" generated when allowing Outlook 2000 SR-1/2 to auto configure security after having imported a certificate into the system. It could also default to 40-bit encryption, decreasing the encryption strength.
- Generating an on-token 3-key Triple DES key correctly results in a CKR_MECHANISM_INVALID error on a 330 Token. These tokens support 1-key single DES and 2-key Triple DES operations only. Previous versions of the iKey software would perform a 2-key Triple DES operation when a 3-key Triple DES operation was requested and no error was given.
- Entrust 6.0 using PKCS#11 Version 2.01 Libraries now supported.

>>Version 4.5.10<<

- Fixed: A bug in Token Utilities where if the default container was changed using Token Utilities, then Windows 2000 logon was not functional until a reboot.
- Fixed: Various GUI bugs in Token Utilities.
- Fixed: Logging errors.
- Fixed: Bug in Windows 2000 logon that locked cards any time an incorrect PIN was entered.
- Token Utility Help now available from Help menu button, and search features were added.

>>Version 4.5<<

- Redesigned the install interface, and added serial numbers for the install.
- Added new logging capabilities for Windows98 and above.
- Replaced "Token Manager" and "Certificate Utility" with new "Token Utility".
- Revised slot number ordering for iKey as PC/SC device.

------------------------------------------------------
6.0 EXPORT RESTRICTIONS
------------------------------------------------------
Encryption strength (algorithms supported and max. key size) is controlled by a tamper-proof parameter installed in the smart card during the manufacturing process. The full strength version may be generally exported outside of the United States and Canada to all but the "nations of concern" and foreign governments.

------------------------------------------------------
7.0 REPORTING PROBLEMS
------------------------------------------------------
If you find any problems while using the iKey 2000 Series Software, please contact SafeNet Technical Support using any of the following methods:

SafeNet CUSTOMER CONNECTION CENTER

AMERICAS
================================================
Internet
E-mail

United States
------------------------------------------------
Telephone    (800) 959-9954
             (949) 450-7450

EUROPE
================================================
E-mail

France
------------------------------------------------
Telephone    0825 341000
Fax          44 (0) 1932 570743

Germany
------------------------------------------------
Telephone    01803 (7246269)
Fax          44 (0) 1932 570743

United Kingdom
------------------------------------------------
Telephone    0870 7529200
Fax          44 (0) 1932 570743

PACIFIC RIM
================================================
E-mail

Australia and New Zealand
------------------------------------------------
Telephone    (61) 3 9882 8322
Fax          (61) 3 9882 0588

China
------------------------------------------------
Telephone    (86) 10 8851 9191
Fax          (86) 10 6872 7342

India
------------------------------------------------
Telephone    (91) 11 2691 7538
Fax          (91) 11 2633 1555

Taiwan and Southeast Asia
------------------------------------------------
Telephone    (886) 2 6630 9388
Fax          (886) 2 6630 6858

iKey 2000 MU18 README.TXT June 15, 2004 v.1.0a