User’s Guide
Version 4.7
Datakey Inc is now SafeNet Inc.
In Q4 2004 Datakey Inc. was acquired by SafeNet Inc. In connection with this
acquisition all copyright and trademark information in this guide has been updated
to reflect the SafeNet name. Contact information has also been changed where
appropriate. For this release the name Datakey CIP is still being used as the product
name.
Trademarks
SafeNet and Datakey are registered trademarks of SafeNet, Inc. Datakey CIP is a trademark of SafeNet, Inc. Microsoft is a registered trademark of Microsoft Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation. Netscape, Netscape Communications, and Netscape product names are trademarks of Netscape Communications Corporation. All other brand names and product names used in this manual are trademarks, registered trademarks, or trade names of their respective holders.
The Datakey CIP interface software is recognized and validated by all PKCS #11 or
Microsoft CAPI-enabled security applications, which safeguards the user from any
attempt to compromise the key access software.
You may choose from two token formats: smart cards, which are credit-card sized
cards, or USB tokens, which fit on a key-ring. The complete Datakey CIP package
includes a token reader with the selected format (card or key), a blank token, and
the required interface software. Token readers attach to the computer in a number of ways: via an available serial port, or, when using a portable laptop computer, as a PCMCIA device that is inserted in an available PCMCIA slot.
What is a token?
A token is a tool that is ideally suited for use with applications that require the secure storage of digital IDs and credentials. The tokens act as secure “digital carriers”—vehicles capable of storing one or more digital representations of a particular person. Datakey offers two main token formats:
• Smart cards, which are credit card-sized cards
• USB tokens, which are small, lightweight devices that fit on a key-ring
Benefits of tokens
Tokens provide a number of benefits:
• Security: Your private information never leaves the token, and is protected by two-factor security—something that is owned (the token) and something that is known (the token passphrase).
• Portability: Your digital credentials can go wherever you go.
• Flexibility: A token can be used to store a variety of information, including certificates, public keys, private keys, user names and passwords, etc.
• Simplicity: Your many passwords can be stored on a single token. In addition, you are less likely to lose a token than forget a password.
• Ease of use: A token is simply inserted into a token reader to activate an application; no complex codes need be read or entered. Further, one token can be used for several applications.
Encryption scrambles data so that only the intended recipients (who have the correct “key”) may view it. A digital signature is an electronic mark attached to a message that creates a strong binding between the signer and the contents of the document. No unauthorized changes to a message can be made. A digital signature proves who the author of the message was—the author can’t deny sending the message.
Your private key is the piece of information unique to you within the Public Key
Infrastructure (PKI). Anyone who has access to your private key can impersonate
you without detection. An impersonator can read messages meant for your eyes
only, or sign documents as you. Therefore, it is important to keep your private key
secure—this is the main benefit of a token. It serves as an impenetrable safe for
your private key, ensuring that only you have access to it.
Your certificate is the public part of your digital ID. It contains your name and other
identifying information. It also contains your public key, which is mathematically
related to your private key. Using your certificate, other people can verify that you
hold your private key, and therefore, must really be who you say you are.
While this sounds like a complicated process, in practice, it is really very simple.
Most of the details are handled for you behind the scenes in software.
This chapter provides the information you need to start using Datakey CIP.
System requirements
The computer on which you install Datakey CIP software must be running one of
the following Microsoft operating systems:
• Windows 98
• Windows 2000 Professional or Windows Server 2000
• Windows 2003 Server
• Windows XP Professional
• Microsoft Windows NT 4.0 Client, Service Pack 4 or higher
Compatible readers
Datakey CIP software is compatible with the following readers:
Datakey Serial Port Smart Card Reader
• DKR 810 (PC/SC) [SCM SCR 131]
• DKR 711 (PC/SC) [OMNIKEY CardMan 2011]
• DKR 610 (PC/SC) [Gemplus GemPC410]
• DKR 611 (PC/SC) [Gemplus GemPC Serial]
• 10SR
Datakey PCMCIA Smart Card Reader
• DKR 800 (PC/SC) [SCM SCR 241]
• DKR 700 (PC/SC) [OMNIKEY CardMan 4000]
• DKR 701 (PC/SC) [OMNIKEY CardMan 4040]
• DKR 600 (PC/SC) [Gemplus GemPC400]
Datakey USB Port Smart Key Reader
• DKR 830 (PC/SC) [SCM SCR 331]
• DKR 730 (PC/SC) [OMNIKEY CardMan 2020]
• DKR 731 (PC/SC) [OMNIKEY CardMan 3121]
• DKR 630 (PC/SC) [Gemplus GemPC430]
• DKR 631 (PC/SC) [Gemplus GemPC USB]
PIN Pad Card Readers
• Vasco Digipass DESK 850
Biometric Card Readers (Requires a Datakey 330m or 330g3 smart card)
• Precise Biometrics 100SC
• Precise Biometrics 100MC (USB only)
Note: Datakey CIP uses the PC/SC resource manager as an alternative smart card
reader source when used with the model 330 smart card. Please refer to the
readme.txt file on the installation CD or contact Datakey Support for a list
of qualified readers.
Note: Entrust and Citrix users must install their client software before installing
Datakey CIP.
1. Close all programs and applications.
2. Remove all previously installed versions of Datakey CIP.
Uninstall instructions are provided on page 18.
3. Insert the Datakey CIP CD-ROM.
It should automatically start the installation program. If it does not, navigate to
the CD and double-click the file named setup.exe.
The Welcome window is displayed.
4. Click Next.
5. Read the license information, then click Yes.
The Serial Number window is displayed.
7. Follow the instructions for choosing the folder in which to install Datakey CIP,
then click Next.
The CIP Install window is displayed.
8. Select the CIP options you would like to install, then click Next.
A description of each is displayed when you select the option. If you are unsure
which options to select, just take the default options.
Note: The CIP Options dialog that you see depends on the Windows operating
system you are using and whether you are installing standard Datakey
CIP, Datakey CIP ISign, or Datakey CIP Thin.
• Windows 2000 and Windows XP users: If you are installing on Windows 2000 or Windows XP and want to activate secure Windows logon, be sure to enable the Windows 2000/XP Logon option.
• Non-PKI users: If you want users to be able to enroll their non-PKI credentials on their tokens during Windows logon, be sure to enable the Windows 2000/XP GINA option. See page 24 for more information.
• Entrust users: If you want to use tokens in your Entrust environment, be sure to enable the Entrust Application Support option. In addition, if you are using a biometric (fingerprint) or a PIN pad card reader with your smart card, be sure to also enable the Datakey Identity Device option.
• Passphrase Complexity Rules users: This option requires the Windows 2000/XP GINA option to also be enabled. See page 25 for information about the passphrase complexity rules.
9. Select the CIP Desktop features you wish to install, then click Next.
A description of each feature is displayed when you select the option. The
SmartLogon and SmartNotes CIP Desktop features are available for selection
only if you have purchased the CIP Desktop option.
The Reader Install window is displayed.
10. Select the reader(s) you will be using with CIP, then click Next to continue.
If you are using a reader that is not listed, uncheck all reader options and use the
reader installation that came with your reader to install and configure it after
CIP is installed.
Note: If you are using Windows 98, only one PC/SC reader can be installed on the PC. If you are using Windows 2000 or Windows XP, the operating system will support more than one PC/SC reader, but only one can be installed at a time. If you are using Windows NT 4.0, you may install more than one PC/SC reader but problems may occur.
The Start Copying Files window is displayed.
If a new update is available the View Readme and the Update and Install buttons
are activated.
4. To read information about the available update, click View Readme.
5. To download and install the update, click Update and Install.
The update is downloaded from the Datakey Web site. This may take a few
minutes depending on the size of the update and on the speed of your Internet
connection. When the update file has finished downloading to your computer a
dialog box similar to the following appears:
6. Click Next.
A dialog box similar to the following appears while the update is installed:
When the installation is complete a dialog box similar to the following appears:
IMPORTANT! You must restart your computer before the update will take effect.
Note: The following procedure does not remove any token reader software. Your
reader software must be uninstalled separately using a similar procedure.
1. From the Start menu, select Settings -> Control Panel.
2. Double-click the Add/Remove Programs icon. The Add/Remove Programs
Properties dialog is displayed.
3. Select Datakey CIP.
Online help
An online help system is built into Datakey CIP Utilities and can be accessed by
selecting Help -> Help Topics at the CIP Utilities main menu.
Registration
If you did not complete the online registration, fill out the warranty/registration
card and mail or fax it to:
Mail: SafeNet, Inc., 2051 Killebrew Drive, Suite #620, Bloomington, MN 55425
Fax: (952) 890-2726
Online: http://www.datakey.com/products/registration
Overview
Smart card logons are controlled in a standard Windows environment by the Microsoft GINA (Graphical Interface and Authentication). The standard Microsoft GINA is a replaceable DLL component loaded and run by Winlogon. Datakey supplements the standard Microsoft GINA by adding Datakey-specific GINA capabilities to Datakey’s smart card software. A Datakey module, DKGINASR, is used for Windows smart card logon and adds the following features to the standard Microsoft GINA:
Allows secure smart card logon with PIN pad readers
Allows smart card logon using biometric card readers
Allows for Windows PKI-based smart card logon
Allows for Windows non-PKI smart card logon
Note: PIN pad readers are supported with Windows 2000 and Windows XP.
If you are using a secure PIN Pad smart card reader, you will see the following dialog box during smart card logon:
Enter your PIN on the secure PIN Pad smart card reader, then press OK. Due to the nature of secure PIN pad readers, this dialog box contains no Cancel or Shutdown buttons. Everything is controlled directly through the PIN pad reader. This provides additional protection for your PIN because the smart card is unlocked without the PIN traversing any of your computer’s components (keyboard, memory, etc.).
- OR -
Log on using your fingerprint as described in “Using Biometric Smart Cards and
Card Readers” on page 79.
Note: This feature is supported with Windows 2000 and Windows XP.
The standard Microsoft Windows PKI-based smart card logon is supported transparently by Datakey CIP. The smart card must contain a private/public key pair, and a matching certificate must also be on the smart card.
To log on to a Windows PKI system using your smart card, insert your smart card
into the card reader and follow the on-screen instructions.
Note: Non-PKI smart card logon is supported with Windows 2000, Windows NT,
and Windows XP.
Instead of using a certificate and server, your logon credentials are stored on the smart card. Your credentials consist of your user name, domain name, and password. Your credentials are stored privately and encrypted on the smart card, and can only be retrieved after you have logged on to the smart card itself.
After enrolling your credentials, you can log on to your computer by simply logging on to your smart card; your credentials are read securely from your smart card.
Troubleshooting
If you experience difficulty logging on to Windows using your smart card (for
example, if your password or user name changes), you can still log on to Windows
by pressing Ctrl-Alt-Delete.
If, through user name changes or password changes, the credentials on your smart card become obsolete, you can use CIP Utilities to re-initialize your smart card and re-enroll.
Non-conforming passphrases
If a user tries to create a new passphrase that does not conform to these rules, the
following dialog is displayed:
Overview
Identrus is a PKI business-to-business e-commerce solution used when business-to-financial authentication is required to verify transactions. Financial institutions act as the trusted third parties, enabling digital signatures to provide non-repudiation for transactions. The Identrus infrastructure enables trading partners, through their financial institutions, to conclusively identify one another over the Internet.
The PKI functionality is supported throughout the Identrus Infrastructure. The private keys required by the PKI infrastructure are stored on a token. When a user signs a document as part of a transaction, the Identrus signing interface (Datakey ISign) uses the token to create a signature.
Datakey CIP ISign is installed by selecting the ISign option during installation of
Datakey CIP, provided you have licensed Datakey CIP ISign.
Requirements
• Microsoft Internet Explorer 5.5 or later
• Microsoft Java Virtual Machine
Identrus token
The Identrus token generally refers to a PKI smart card. This token is initialized at an initialization station within an Identrus infrastructure and contains the keys and PKI functions necessary for signing documents and transactions within that Identrus infrastructure. It is designated the Datakey Model 330i smart card.
The token can also have a second optional RSA key pair, called the Identrus Utility
key. The Utility key is used for regular SSL and encryption.
Identity key
The Identity key is used to generate signatures in Identrus Identity applications.
This is done through a signing interface using the on-token key.
After token personalization, but before the end-user has received the token, the
Identity key is protected by the initial Identity PIN. The initial key PIN is normally
sent to the end-user via a PIN mailer.
Before signing a document with the identity key, you must unlock the key by
assigning a PIN known only to you. Use the Passphrase Utility to assign a new PIN.
The initial Identity PIN is entered as the current PIN.
Identity PIN
The Identity PIN must be entered for every signature and must be at least six alphanumeric characters. Each time a document is to be signed you must enter the Identity PIN. If the PIN is entered incorrectly, the document will not be signed. If you enter the wrong PIN several times in a row, the Identity key will be blocked and you will need a special PIN to use the Identity key again. The number of consecutive wrong PINs that will block the key is set by the administrator. An unblocking PIN (available from your administrator) will need to be used to unlock it.
Utility key
The Utility key is used to establish SSL or TLS sessions, encrypt S/MIME messages, E-Mail, etc. The use of this key is optional and is at the discretion of the parties involved.
Utility PIN
The Utility PIN must be entered before the Utility key can be used for any function.
If the PIN is entered incorrectly, the function requesting the Utility key will be
denied access to the key.
Unblocking PINs
If the Identity PIN is entered incorrectly a specified number of times (this administrator-specified count is usually set to 5), the Identity key will be blocked and cannot be used again until a valid unblocking PIN is entered.
Up to six unblocking PINs can be loaded during personalization. Each one is good once to unblock the Identity key. If the Identity key is blocked after all the unblocking PINs are used, the Identity key will be permanently blocked.
The Passphrase Utility is used when updating the PIN to a new value and to
unblock the Identity PIN. To unblock the Identity PIN, just enter the unblocking
PIN as the current PIN and enter a new Identity PIN. See Chapter 6 for more
details.
Note: The new Identity PIN must be different than both the unblocking PIN and the
previously valid Identity PIN.
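The retry counter, the one-time unblocking PINs and the permanent-block rule described in the Identity PIN and Unblocking PINs sections, modelled as an added Python example (this is not part of the guide or of Datakey's software). The PIN values, the `max_failures=3` used in `demo()`, and the class and function names are constructed for illustration; where the guide is silent (a wrong current PIN during a PIN change, a "change" to the same PIN) the chosen behaviour is marked as an assumption in the code.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

MIN_PIN_LENGTH = 6      # the guide: at least six alphanumeric characters
MAX_UNBLOCK_PINS = 6    # the guide: up to six unblocking PINs loaded at personalization


class PinPolicyError(ValueError):
    """Raised for PIN values that violate the stated format rules."""


def validate_pin_format(pin: str) -> None:
    """Reject PINs shorter than six characters or containing non-alphanumerics."""
    if len(pin) < MIN_PIN_LENGTH or not pin.isalnum():
        raise PinPolicyError("Identity PIN must be at least six alphanumeric characters")


def _same(a: str, b: str) -> bool:
    """Constant-time comparison, as a real PIN verifier should use."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class IdentityKey:
    """Identity key state: current PIN, retry counter and one-time unblocking PINs."""
    pin: str                                   # initial Identity PIN from the PIN mailer
    unblock_pins: List[str] = field(default_factory=list)
    max_failures: int = 5                      # administrator-set count, usually 5
    failures: int = 0                          # consecutive wrong entries
    blocked: bool = False
    permanently_blocked: bool = False
    previous_pin: Optional[str] = None         # previously valid Identity PIN

    def __post_init__(self) -> None:
        validate_pin_format(self.pin)
        if len(self.unblock_pins) > MAX_UNBLOCK_PINS:
            raise PinPolicyError("at most six unblocking PINs can be loaded")

    def _record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.blocked = True
            if not self.unblock_pins:          # nothing left to unblock with
                self.permanently_blocked = True

    def sign(self, pin: str) -> bool:
        """True if the token would sign with this PIN entry, False otherwise."""
        if self.blocked or self.permanently_blocked:
            return False
        if not _same(pin, self.pin):
            self._record_failure()
            return False
        self.failures = 0                      # a correct entry ends the run of failures
        return True

    def change_pin(self, current: str, new: str) -> bool:
        """Passphrase Utility behaviour: authorise a new Identity PIN.

        Unblocked key: `current` is the existing Identity PIN. Blocked key: `current`
        must be an unused unblocking PIN, and `new` must differ from both that
        unblocking PIN and the previously valid Identity PIN.
        """
        validate_pin_format(new)
        if self.permanently_blocked:
            return False
        if not self.blocked:
            if not _same(current, self.pin):
                self._record_failure()         # assumption: counts like any wrong entry
                return False
            if _same(new, self.pin):
                return False                   # assumption: the PIN must actually change
            self.previous_pin, self.pin = self.pin, new
            self.failures = 0
            return True
        unblock = next((u for u in self.unblock_pins if _same(current, u)), None)
        if unblock is None:
            return False
        if _same(new, unblock) or _same(new, self.pin):
            return False
        self.unblock_pins.remove(unblock)      # each unblocking PIN is good once
        self.previous_pin, self.pin = self.pin, new
        self.failures = 0
        self.blocked = False
        return True


def demo() -> IdentityKey:
    """Constructed walk-through: block, unblock once, then block for good."""
    key = IdentityKey(pin="A1B2C3", unblock_pins=["U1U1U1"], max_failures=3)
    for _ in range(3):
        key.sign("wrong1")                     # three wrong entries in a row: blocked
    assert key.change_pin("U1U1U1", "N3W3N3")  # the only unblocking PIN is consumed
    for _ in range(3):
        key.sign("wrong2")                     # blocked again with none left: permanent
    return key
```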
Signing Interface
The Signing Interface can be a Plug-In for the browser or a Java Applet called during the request for the document signature. This interface allows you to view the document prior to performing the signing action.
Note: Before signing a document with the Identity Key, the user must unlock the
key by assigning a new PIN. The Identrus PIN Utility is used to assign a new
Identity PIN. The Initial Identity PIN is entered as the current PIN.
The Datakey Identrus Signing Interface is called "Datakey ISign." This interface is
automatically activated when an Identrus Signature is requested. The user has the
option to review, save, and sign the document at that time.
Note: The Datakey ISign signing interface only supports text documents at this time. Because it is inadvisable to sign text you cannot read, hidden text in PDF and Microsoft Word documents would raise security issues.
Overview
Datakey CIP Thin software is designed to be installed on servers such as Citrix MetaFrame servers and on Windows Terminal Servers. Doing so gives a thin client (a computer containing only the very basic hardware and software components) the ability to access PKI and smart card-enabled applications that reside on those servers. And because the server applications are able to access a token reader that is attached to the thin client, token-based authentication using certificates/keys and user names/passwords is possible. Installing Datakey CIP Thin on servers therefore:
• Provides token-based security for thin clients that need access to PKI and smart card-enabled applications that reside on a server
• Simplifies your ongoing integration and deployment tasks because software is installed only on your servers and not on your workstations
Citrix features
The following list identifies the functionality supported by Datakey CIP Thin
within a Citrix environment.
• Token logon to Citrix MetaFrame servers (MetaFrame XP FR 2) from either a thin client or a fat client.
• Token access by server applications to client card readers/tokens.
• Same token access by both fat client applications and server-based applications.
• Direct token logon to server console via a token attached to the server.
• Biometric and PIN Pad logon from a fat client to MetaFrame server.
• Connections between clients and server via Citrix Program Neighborhood.
• Connections between clients and server via NFuse/Web Interface.
• Reestablishment of disconnected sessions from a fat client (fat client roaming).
Citrix architecture
The following figure illustrates the use of Datakey CIP Thin in a Citrix environment.
[Figure: Datakey CIP Thin in a Citrix environment; only the label "Internet" survives from the diagram.]
Fat clients (clients with Datakey CIP installed) can do all that thin clients can do,
but in addition they have secure access to local applications.
face the user needs to authenticate to two servers; first to the NFuse/Web Interface Web server, and then again to the MetaFrame server each time the user launches a published application or published desktop. These two authentication steps can be configured independent of each other. For example, you could configure the Web server to require token/certificate-based authentication but configure MetaFrame to allow user name/password-based authentication. With two ways to authenticate, and two places to which to authenticate, there are four different possible configurations:
Configuration   NFuse/Web Interface Web server   MetaFrame server
1               User name/password               User name/password
2               User name/password               Certificate from token
3               Certificate from token           User name/password
4               Certificate from token           Certificate from token
Datakey CIP Thin supports all four configurations. There are, however, limitations
with some of the configurations. Configurations 3 and 4 are only supported from
fat clients because Datakey CIP must be present on the client machine to support
the retrieval of the certificate from the token.
Configurations 1 and 2 are supported on either thin or fat clients and do not require
any special configuration steps. The standard NFuse/Web Interface installation and
configuration instructions provided by Citrix will suffice. Configurations 3 and 4,
however, do require additional configuration steps beyond what is mentioned in the
Citrix documentation.
In addition to the steps listed in the Citrix administrator’s guides, the Web server itself must be configured to require secure SSL connections and token/certificate-based authentication. The following section describes a sample set of Microsoft IIS settings which enables secure SSL connections and token/certificate-based authentication to your NFuse/Web Interface Web site.
10. In the Secure communications section click Edit and then enable the following:
• Require secure channel (SSL)
• Require client certificates
• Enable client certificate mapping
11. In the Anonymous access and authentication control section, click Edit and then:
• Clear the Anonymous access check box (disable it)
• Enable the Integrated Windows authentication check box.
If the Inheritance Overrides dialog box appears, click Select All and then click
OK.
If you are deploying both Citrix Secure Gateway and NFuse/Web Interface and you wish to use authentication configurations 3 or 4, you must not configure the NFuse/Web Interface to be behind the Citrix Secure Gateway; these two must be configured to be in parallel. See Figure 1.1 in the Citrix document Best Practices for Securing Citrix Secure Gateway Deployment.
Note: The following steps apply only to Windows NT 4.0 Terminal Server users.
Windows 2000 Server (or later) users can simply follow the instructions in
the MetaFrame Administrator's Guide.
1. Log on to the MetaFrame Server as Administrator.
2. Begin following the steps in the MetaFrame Administrator's Guide for publishing an application.
3. When asked to enter the command line to run the application, click on the Browse button and navigate to the folder in which Datakey CIP Thin is installed.
This is typically W:\Program Files\Datakey\crypt32. Select the file StartApp.bat and click Open.
4. Edit the command line entry that appears and add as a parameter to StartApp.bat the path to the application to publish. For example:
"M:\Program Files\Datakey\Crypt32\StartApp.bat" M:\MyFolder\MyApp.exe
The path to the application must be outside the double quotes.
5. Change the working directory if a different one is desired.
6. Continue following the steps in the MetaFrame Administrator's Guide.
7. When finished, right-click on the new entry that appears in the Published Application Manager display and select Properties.
8. Click the Change Icon button.
9. Navigate to the application just published (e.g. M:\MyFolder\MyApp.exe), select it and click Open.
10. Click OK twice to exit the Properties dialog.
[Figure: Terminal Server architecture. A thin client running MS Remote Desktop software and a fat client running Datakey CIP on Windows 2000 Pro or XP Pro connect via Remote Desktop Protocol (RDP) to a Terminal Server running Windows 2003 Server with Datakey CIP Thin.]
Note: You must install Datakey CIP Thin on any server that has terminal services
enabled. Failing to install Datakey CIP Thin on such a server will prevent
Datakey CIP from functioning.
1. Log directly onto the Terminal Server console as administrator.
2. From a command prompt, type the following command:
change user /install
3. Install Datakey CIP Thin from the CD using the serial number supplied (you
must use the CD; you cannot install Datakey CIP Thin from over a network).
If you have both Datakey CIP and Datakey CIP Thin serial numbers, be sure to
enter the Datakey CIP Thin serial number.
4. When presented with the list of reader types:
• If there is a card reader attached to the server be sure to select that reader.
• If there is no card reader attached to the server do not select a reader.
• If there are one or more thin clients in your network that use a Datakey 10SR reader, select the Datakey 10SR reader in addition to your server reader.
5. When the installation is finished, reboot the Terminal Server and log on as the
administrator to complete the installation process.
Note: The administrator does this, and it is done once per workstation.
1. Log on to the client workstation as administrator.
2. Install Datakey CIP from the CD using the appropriate serial number.
3. Proceed with the installation using the standard Datakey CIP install process.
Architecture
The following figure illustrates how fat clients can interact with remote Windows XP machines.
[Figure: Fat clients (Datakey CIP on Windows 2000 Pro or Windows XP Pro) connect via Remote Desktop Protocol (RDP) to a remote Windows XP machine running Datakey CIP Thin or Datakey CIP.]
Capabilities
• Remote desktop connections from a fat client to a remote Windows XP machine.
• Token (smart card) logon to remote Windows XP machines from a fat client.
• Biometric and PIN Pad logon from a fat client to a remote Windows XP machine.
• Reestablishment of disconnected Windows XP sessions from a fat client (fat client roaming).
• Fast user switching (switching between different users on the same Windows XP machine) is supported but is mutually exclusive with Remote Desktop—the Windows XP machine cannot be configured for both fast user switching and Remote Desktop.
The Datakey CIP Utilities is an intuitive, easy-to-use program that is used to view and manage Datakey tokens and the objects contained on the tokens. The program reports token and reader status and can be used for base-level diagnostics. Administrators can configure the functionality and features available for enterprise deployment through an administrative wizard included with CIP Utilities.
This chapter describes how to use the CIP Utilities program. Not every menu
option described in this chapter may be available to every user. See page 56 for
more information.
To start CIP Utilities from the Windows Start button, select Start -> Programs ->
Datakey CIP -> CIP Utilities. The CIP Utilities window is displayed.
[Figure: the CIP Utilities window, with the SmartMonitor, the left pane and the right pane labelled.]
It is very simple to get information about any object displayed in the left pane. Simply click the item that you want information about, and the information is automatically displayed in the right pane.
Note: Many of the tasks performed within CIP Utilities involve right-clicking objects to display a right-click menu. If you don’t have a mouse or if you prefer to use the keyboard, pressing either Shift-F10 or the Windows Application key will display the right-click menu.
You can copy some or all of the text displayed in the right pane to your computer’s
clipboard. You can also clear all text from the right pane. To perform either of
these actions, perform the following steps:
1. Position the cursor in the right pane.
2. (Conditional) If you wish to copy a specific block of text, select the desired text
from within the right pane.
3. Right-click the mouse.
The following menu appears:
Note: If you paste copied text into another application and the text is not visible,
it’s probably because your font color is set to white. Try changing the font
color within the application or within CIP Utilities (see page 51).
You can modify the appearance of the information displayed in the right pane by
changing the background color and font settings. To change the background color
in the right pane, perform the following steps:
1. Position the cursor in the right pane, then right-click the mouse.
The following menu appears:
To change the font settings in the right pane, perform the following steps:
1. Position the cursor in the right pane, then right-click the mouse.
The following menu appears:
Toolbar buttons
The toolbar contains the following buttons:
• Refresh: refreshes the display.
Icons
Unique icons are used to identify the following object types within the left pane:
• a card reader
• a digital certificate
• a public key (blue)
• a private key (gold)
• a data object
• View -> Toolbar: Select this option to toggle the toolbar menu on and off. The toolbar menu is located directly beneath the primary menu and contains the toolbar icons.
• View -> Status Bar: Select this option to toggle the status bar on and off. The status bar is located at the bottom of the CIP Utilities window.
• View -> Detailed Display: Select this option to specify how much information is displayed in the right pane—either complete details about an item or just the basic information.
• View -> Refresh: Select this option to refresh the CIP Utilities window with the most current information.
Note: You must reboot your computer before any change takes effect.
For detailed information about the Auto Cert Registration Utility, refer to the
Datakey CIP Desktop User’s Guide.
The CIP Utilities are shipped with all options fully enabled. If you, as an administrator, wish to restrict the tasks your users can perform, you can do so using the Configuration option. After setting the parameters the way you want, click OK to save the new configuration to the DKAdmin.dat file. The DKAdmin.dat file is a control file for CIP Utilities. When you install Datakey CIP on your users’ computers, simply use the new configuration file rather than the original file.
Note: If you have the Datakey CIP Desktop installed on your system, you can also
use the Passphrase Utility to change your token passphrase. See the
Datakey CIP Desktop User’s Guide for details.
1. Right-click the reader containing the token, then select Change Passphrase.
The Change Passphrase window appears.
4. Re-type the same new passphrase in the Reenter New Passphrase field.
5. Click OK.
Note: The Secure Authenticate fields are not used at this time.
To view the token label, select the reader containing the token; the label is displayed in the right pane.
Initializing a token
New tokens must be initialized before keys, certificates, or other items may be
stored on the token. The initialization process also removes existing items from the
token, leaving only the serial number and the token label intact. Initialization can
also be used to unlock a blocked token.
IMPORTANT! Do not perform this process once you have personalized your
token. Initialization removes all information except the serial
number and the token label. All your exchange and signature keys
are removed and your security administrator will need to replace
the exchange key for you.
IMPORTANT! Windows 2000/XP users only: If the token was used to logon to the active Windows 2000 or Windows XP session, it should not be initialized. Log off of Windows and bring the token to another station to be initialized or use another method to logon.
2. Read the warning messages, then either click Continue Initialization to continue
the initialization process or click Cancel to terminate the process.
3. If you click Continue Initialization, the token is initialized.
When the process is complete a window similar to the following appears.
4. Click OK.
5. See page 59 for information on changing the default passphrase to a more
secure passphrase.
Testing a token
You can test the token to verify it is working properly. The test function checks the
token for defects by exercising the basic cryptographic operations such as
generating, storing, and deleting a public/private key pair.
2. Click OK.
Information about each step in the test process is displayed in the right pane.
When the test process is complete the following message is displayed:
Test Token Successful
2. Navigate to the location of the PKCS#12 file, select the file, then click Open.
The following window appears.
3. Type the password associated with the PKCS#12 file, then click OK.
The Select Container Name window appears.
4. Accept the default container name or type a new container name for the
certificate, then click OK.
This is the CSP container name displayed in parentheses on the public and
private key names. See page 55 for information on displaying CSP container
names.
The PKCS#12 file is unwrapped and the certificate is copied to the token.
When the process is complete the following message box appears.
Library version information
Note: The library version information is written to the bottom of the right pane
each time you perform this operation.
Certificate tasks
A certificate is used to positively identify yourself to others, or vice versa. A
certificate is a confirmation of your identity and contains information used to protect
data or to establish secure network connections. A certificate can be used to
digitally sign a piece of information so that you can determine the author of the
information. A copy of your public key is contained within a certificate.
There are a number of tasks you can perform on a certificate. Simply right-click on
a certificate and the following menu is displayed:
2. Navigate to the folder you want to save the file in, then type a name in the File
name field.
The file name must end with a .cer extension.
When the export process is complete an informational message is displayed in
the right pane.
procedure uses only the default container; if you are using Windows 2000 or
Windows XP logon you probably want to set the certificate and the keys used with
Windows 2000/XP logon as the default container.
To set a certificate and its related public/private keys as the default container,
right-click the desired certificate, then select Set to Default Container. The public key is
technically the component that defines the default container, so the public key
associated with the default container is displayed in a bold face font in order to
highlight the default container.
Updating a token
Sometimes certain components that should be available on a token are temporarily
“lost.” CIP Utilities provides the ability to restore certain missing components. For
example, a missing public key can be restored by retrieving it from the associated
private key.
To update a token, right-click the desired certificate, then select Update Token.
Missing components are retrieved and automatically displayed in the left pane. The
update token process also renames all three components to the same container name
as the related private key.
Note: Information about the key is exported, not the key itself.
1. Right-click the key, then select Export To File.
The Select the key file window is displayed.
2. Specify the name and location of the file, then click Save.
The default name for the file is KeyInfo.txt.
To set a key and its related components as the default container, right-click the
desired key, then select Set to Default Container. The public key is technically the
component that defines the default container, so the public key associated with the
default container is displayed in a bold face font in order to highlight the default
container. The public key associated with the default container also becomes the
first key on the token.
If you are editing a private key the Edit Private Key Attributes window appears.
Help menu
To view the online Help system, click Help -> Help Topics.
To display version information about CIP Utilities and other Datakey software,
click Help -> About CIP Utilities.
To verify that your reader and token are functioning properly, do the following:
1. Ensure that your card reader is securely plugged into your machine and that
your token is fully inserted.
2. Shut down all applications that are currently running on your machine.
3. Reboot.
4. If you are using a serial token reader, watch the light on your token reader. It
should blink off, then on again shortly after reboot.
5. Launch CIP Utilities. After it launches, you should see your token label and
serial number displayed. This confirms that your machine is communicating
with your token.
Common problems
If the above tests do not succeed, your reader is not communicating with the
Datakey CIP drivers. Common causes of this problem include:
• Reader/token not securely plugged in.
• Software not installed or installed improperly.
• Serial port conflict. Another serial device is configured to use the same COM
port that your token reader is plugged into.
• Serial port interrupt conflict. You have a device configured to use a COM port
that shares an interrupt with the port that your token reader is plugged into. For
example, COM1 and COM3 usually share an interrupt, as do COM2 and
COM4.
Possible solutions
The following list provides suggestions to help get your reader to function properly:
• Check to ensure that the reader is plugged into the machine tightly and the card
is plugged in all the way.
• If you are using a serial reader and you suspect your reader may not have been
plugged in securely, reboot your machine. Your serial reader must be present at
startup in order to be recognized.
• If you have another COM port available, try swapping the reader into it.
• Try plugging another piece of hardware into the serial port, such as a 9-pin
serial mouse. If the device works, then you know the port is in proper working
order.
• Look for any serial devices in use on the machine in question. Common
problem devices are internal modems and infrared ports on laptops. If you locate
such a device, try configuring it to use a different COM port or disable it to
complete the test.
Overview
A Datakey 330u token is similar to a Datakey 330 token, with the exception that a
Model 330u token contains up to six “one time use” unblocking PINs that can be
used in the event the token becomes blocked. A token becomes blocked if the
passphrase used to access the token is not entered correctly within a specified number of
attempts.
Note: Datakey 330 tokens cannot be unblocked. If they become blocked they must
be re-initialized.
If you have CIP Desktop installed on your computer, you can unblock a Datakey
330u token by launching the Passphrase Utility directly. To do so, perform the
following steps:
1. Ask your administrator for the next available unblocking PIN.
2. Insert the blocked token into the reader.
3. Start the Passphrase Utility, either by right-clicking the SmartMonitor
icon or by selecting Start -> Programs -> Datakey CIP -> Passphrase Utility.
4. Click the Update Passphrase button.
A dialog box appears asking you to enter the next available unblocking
passphrase.
5. Click OK.
Simply click the appropriate button and type the necessary information, using the
procedure described on page 76 as your guideline.
Overview
This chapter describes the biometric capabilities of Datakey CIP. The biometric
capabilities allow you to log on to a smart card by simply pressing a fingertip on a
card reader. Your fingerprint is read by the biometric card reader and the
authentication process is then performed directly and securely on the smart card.
A Datakey 330m or a Datakey 330g3 smart card is required when using the
biometric capabilities of Datakey CIP. The Datakey 330m smart card is designed
specifically for use with biometric card readers. It is known as a match-on-card smart
card because the fingerprint authentication match takes place securely on the smart
card. The Datakey 330g3 is a GSA compatible smart card that ensures “any card,
any software” operation.
Note: See page 8 for more information about the biometric smart cards and card
readers supported by Datakey.
Before the smart card will recognize your fingerprint, you must enroll your
fingerprint on the smart card. Up to four of your fingerprints may be enrolled at one time.
Enrolling multiple fingerprints enables you to use a different fingerprint to log on if
for some reason you can't use your usual fingerprint (for example, due to injury).
Enrollment
When you first receive your Datakey smart card your fingerprint information will
not be on the smart card. A good first step after receiving your Datakey smart card
is to initialize the card. You can then enroll your fingerprint information.
IMPORTANT! Initializing your smart card will erase anything already on the
smart card.
1. Start CIP Utilities by selecting Start -> Programs -> Datakey CIP ->
CIP Utilities.
2. In the left pane, right-click on the appropriate card reader.
A menu appears.
3. Select Initialize Token.
This will format your smart card and ensure it is ready for use.
After initializing the smart card, the passphrase for the smart card is set to the
default value PASSWORD (or 12345678 if you are using a PIN Pad reader).
By default all options but the first are initially off. Please read the following
descriptions carefully before enabling any of the options.
• False Acceptance Rate (FAR): The FAR determines how carefully the
smart card will look at your fingerprint. Setting the FAR very high (1 in
1,000,000) gives you very good security but can make it difficult to log in
sometimes. Depending on the condition of the smart card reader and your
fingerprint, your logon may be rejected when it shouldn't. Setting the FAR
very low (1 in 100) makes it easier to log on, but also makes it a little more
likely that a wrong fingerprint will be accepted for log on. The setting 1 in
10,000 provides a good balance between security and ease-of-use.
• Logon Mode: Specifies what a user must provide in order to log on to the
smart card. There are three choices:
(1) A fingerprint or a passphrase
(2) A fingerprint only (no passphrase allowed)
(3) A fingerprint and a passphrase (both required)
• Bad Fingerprint Logon Retry Limit: Specifies the number of times a user
can attempt to use their fingerprint to log on to the card before the
fingerprint capability becomes locked. The fingerprint retry limit is different than
the passphrase retry limit, so it may be possible to log on using a passphrase
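Taken together, the FAR setting and the Bad Fingerprint Logon Retry Limit bound how likely a wrong finger is to be accepted before the fingerprint capability locks. The Python below is an added example, not Datakey or SafeNet code: it treats the three FAR settings quoted above as the per-presentation probability that a wrong fingerprint is accepted (an assumption about what the ratios mean; the page does not define them that way) and computes the cumulative acceptance probability over the retries allowed, plus the largest retry limit that keeps that probability under a chosen budget.

```python
"""Cumulative impostor acceptance for a given FAR and fingerprint retry limit.

Added example, not Datakey/SafeNet code. It assumes the FAR setting is the
per-presentation probability that a wrong fingerprint is accepted and that
presentations are independent; the page states neither.
"""

# The three FAR settings named in the option description above.
FAR_SETTINGS = {
    "1 in 100": 1 / 100,
    "1 in 10,000": 1 / 10_000,
    "1 in 1,000,000": 1 / 1_000_000,
}


def impostor_acceptance(far, attempts):
    """Probability that at least one of `attempts` wrong-finger presentations
    is accepted: the complement of every attempt being rejected."""
    if not 0 < far < 1 or attempts < 0:
        raise ValueError("far must be in (0, 1) and attempts non-negative")
    return 1.0 - (1.0 - far) ** attempts


def max_retry_limit(far, budget):
    """Largest Bad Fingerprint Logon Retry Limit that keeps the cumulative
    acceptance probability at or below `budget`. Returns 0 when even a single
    attempt exceeds the budget."""
    if not 0 <= budget < 1:
        raise ValueError("budget must be in [0, 1)")
    limit = 0
    while impostor_acceptance(far, limit + 1) <= budget:
        limit += 1
    return limit


def compare_settings(retry_limit):
    """Cumulative acceptance probability for each FAR setting at one retry limit."""
    return {label: impostor_acceptance(far, retry_limit)
            for label, far in FAR_SETTINGS.items()}


if __name__ == "__main__":
    for label, p in compare_settings(5).items():
        print(f"FAR {label:>14}: P(accepted within 5 tries) = {p:.6f}")
    for label, far in FAR_SETTINGS.items():
        print(f"FAR {label:>14}: max retries for <= 0.1% risk = "
              f"{max_retry_limit(far, 0.001)}")
```

The useful reading is the second loop: at the "balanced" 1 in 10,000 setting, ten fingerprint attempts already consume a 0.1% acceptance budget, so the retry limit, not the FAR alone, is what caps exposure when the card is lost.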
Follow the instructions on the screen to enroll each finger you selected in the
previous dialog box. A green dot highlights the finger currently being enrolled.
Pay close attention to the green dot so you don't accidentally use the wrong
finger.
For each fingerprint, you will press your finger on the biometric card reader
four times. The first three times are to get a good measure of your fingerprint,
and the fourth time is to verify that the first three worked correctly. The
enrollment process goes very quickly.
After pressing your finger on the reader the first time, the following dialog box
appears:
After your fingerprints are enrolled on the smart card, the following dialog box
appears:
9. Click OK.
Your fingerprint(s) are now enrolled on the smart card. The next time you log on to
the smart card you will be prompted for your fingerprint(s) instead of the
passphrase.
• Finger too wet or too dry: Sometimes your finger may be too dry or too wet
for the biometrics card reader to get a good reading:
If your fingerprint is too dry, either breathe on your fingertip or wipe it on your
temple and try again. If your fingerprint is too wet, wipe it on a dry cloth and
try again.
• Card reader behaves erratically: If the biometrics card reader is acting
erratically (if the reader light is constantly flickering or it displays messages out of
context), try unplugging and reconnecting the reader and then restarting your
computer. Sometimes a static electricity buildup occurs and the reader simply
needs to be reset.
Login
To log on to the smart card using your fingerprint, first make sure you have enrolled
your fingerprint properly. You can verify your fingerprint is enrolled by checking
in the Flags section in the right pane of CIP Utilities.
Verify fingerprint enrollment
IMPORTANT! You can only log on with your fingerprint if you are using an
enrolled Datakey smart card in a Precise Biometrics Smart Card
Reader.
3. Put the appropriate fingertip on the card reader, then follow the instructions on
the screen.
Note: The dialog box above shows that four fingerprints are enrolled on the
smart card, with the right index finger currently selected.
3. If the correct finger is selected, press your fingerprint on the reader and follow
instructions. Otherwise, use the mouse to click on the fingerprint you want, and
then press your fingerprint on the reader.
Note: You can lift your finger at this point, because the fingerprint has already
been read.
• If the authentication succeeds, you'll be logged onto the smart card and the
following dialog box appears:
Troubleshooting
The following are solutions to some of the most common problems that occur when
logging on using a fingerprint:
• If your fingerprint isn't placed in the center of the fingerprint reader, a dialog
box similar to the following appears:
If your fingerprint is too dry, either breathe on your fingertip or wipe it on your
temple and try again. If your fingerprint is too wet, wipe it on a dry cloth and
try again.
The Datakey CIP Desktop suite of applications and utilities is an optional feature of
Datakey CIP. The applications and utilities are described in detail in the Datakey
CIP Desktop User Guide. For convenience, a brief description of each of the CIP
Desktop components is provided here.
SmartMonitor
SmartMonitor provides an easy method for launching and controlling your Datakey
CIP Desktop components. The CIP Desktop installation process places a
SmartMonitor icon into your computer’s system tray. When active, you can left-click this
icon to use the SmartLogon Auto Fill feature, or you can right-click the icon to
quickly access CIP Utilities, the SmartLogon application, the SmartNotes applica-
tion, or the Passphrase utility.
When active, the SmartMonitor icon will appear in your computer’s system tray.
The SmartMonitor icon looks similar to a small computer chip.
SmartLogon
SmartLogon enables you to store user name and/or password entries on your
Datakey smart card. The program recognizes and remembers the application or
Web site associated with each entry. This simplifies the logon process because you
no longer need to remember which unique logon combination applies to which
application or Web site—SmartLogon automatically fills in the correct user name
and/or password for you.
For example, you might have unique user name/password entries for:
• Your bank’s Web site
• Your favorite airline Web site
• Your email service
• Your network applications
• Your desktop applications
• A Microsoft Word file that requires password authentication
• Other Web sites and applications that require a unique user name and/or
password
Using SmartLogon you only need to remember one password—your smart card
password—to access any of these applications or Web sites. Your user names and
passwords are secure, and you can access your favorite applications and Web sites
worry-free.
SmartNotes
SmartNotes enables you to securely store personal notes and data on your Datakey
token. With SmartNotes your token becomes a portable electronic notebook,
allowing you to store account information, favorite URLs, personal reminder notes,
and other often-used data. And this information is safe, protected by the passphrase
needed to activate the token.
Passphrase Utility
The Passphrase Utility allows you to update and change the passphrase that protects
and activates your token. You can also use this utility to issue unblocking codes—
passphrases that unlock a token should it become blocked by too many incorrect
log-in attempts. Unblocking codes are available on Datakey Model 330U tokens.
Finally, the Passphrase Utility can be used to initiate the Identity PIN on a Datakey
Model 330i Identrus token and to change both the Identity PIN and the Utility PIN
on an Identrus token.
The Auto Cert Registration Utility does not need to be started. It runs
automatically, requiring no user intervention. The utility checks the token for unregistered
credentials each time the computer is started and each time a new token is inserted
into the token reader. If unregistered credentials are discovered on the token, the
utility automatically registers the credentials with Windows and any other
application that requires the use of digital credentials. It does this by placing copies of any
certificates contained on your token into the Windows certificate store.
CIP Utilities
The Datakey CIP Utilities is an intuitive, easy-to-use program that is used to view
and manage Datakey tokens and the objects contained on the tokens. The program
reports token and reader status and can be used for base-level diagnostics.
Administrators can configure the functionality and features available for enterprise
deployment through an administrative wizard included with CIP Utilities.
Although it is treated as a Datakey CIP Desktop component, the CIP Utilities
program is originally provided with your Datakey CIP software. See Chapter 5 of this
guide for details about the CIP Utilities.
This appendix describes how to modify the PIN timeout and the Single Sign-On
(SSO) features supported by Datakey CIP.
PIN timeouts
The Datakey CIP PIN timeout policy controls the token timeout behavior. It
determines how long the token can remain idle before it times out, and it controls what
happens when the timeout limit is reached. The PIN timeout feature enables
Datakey CIP to control the timeout rules and actions rather than allowing individual
applications to control their timeout behavior.
The Datakey CIP PIN timeout policy is controlled by three specific DWORD
values within the Windows system registry. When Datakey CIP is initially installed
the DWORD values do not exist, so the system registry simply assumes the data
values are zero. The effect is that the PIN timeout is ignored. Therefore, by
default, each application requiring access to a token must initially log on to the
token, but then remains logged on until it logs off on its own accord.
To modify the PIN timeout policy using the Windows Registry Editor:
1. Choose Start -> Run.
2. Type regedit and then click OK.
Use the following tables to guide you when modifying any of the three DWORD
values.
AccessPolicy DWORD
The AccessPolicy DWORD controls the PIN timeout behavior.
Value data   Short description / Long description
0   No PIN Cache
    Each application is required to supply a PIN to use private objects on the
    token. Private objects are then available until the application logs off. The
    Inactivity Timer is ignored. The Single Sign-On feature (SSO) is unavailable.
1   PIN Cache Active/No Inactivity Timer
    One application is required to supply a PIN in order to use private objects
    on the token. Private objects are then available for use by all applications.
    The Inactivity Timer is ignored and access is permitted until the computer is
    rebooted or the token is removed. The Single Sign-On feature is available.
2   PIN Cache and Inactivity Timer Active
    One application is required to supply a PIN in order to use private objects
    on the token. Private objects are then available for use by all applications.
    When the Inactivity Timer expires, the cached PIN is erased and all
    applications are logged off. The Single Sign-On feature is available.
4   PIN Cache Timeout on Screen Saver Active
    The Inactivity Timer expires only when the Windows screen saver becomes
    active. The cached PIN is erased and all applications are logged off.
6   PIN Cache Timeout or Screen Saver Active
    The Inactivity Timer expires according to the TimePeriod value or when the
    Windows screen saver becomes active. The cached PIN is erased and all
    applications are logged off.
ResetPolicy DWORD
The ResetPolicy DWORD determines what activities will reset the PIN timer.
Value data   Short description / Long description
0   No Reset of PIN Cache/Timeout
    Inactivity timer period is never restarted. The use of private objects will
    time out upon expiration of the inactivity timer period, and the PIN will need
    to be supplied to re-enable access to private objects.
1   PIN Cache/Timeout Based on Private Token Activity
    Inactivity timer period is restarted by any signing/decryption operation
    performed by CIP.
2   PIN Cache/Timeout Based on General Private Activity
    Inactivity timer period is restarted by any CIP activity that requires a PIN
    to access or operate. Activities include cryptographic operations that use,
    read, write, create, or change private keys or objects, regardless of whether
    the particular object is resident on a token, in PC memory, or some
    combination of both.
4   PIN Cache/Timeout Based on General Token Activity
    Inactivity timer period is restarted when CIP has any exchanges with the
    token for any type of access.
8   PIN Cache/Timeout Based on General Library Activity
    Inactivity timer period is restarted by calls of any type to the Cryptoki
    middleware.
16  Timeout Reset on Mouse/Keyboard Activity
    Keyboard presses or mouse movement or clicks restart the inactivity timer
    period.
32  PIN Cache/Timeout Auto Reset
    Inactivity timer period is reset before it expires, so as to allow access to
    private objects at all times. Access is permitted until the computer is
    rebooted or the token is removed.
TimePeriod DWORD
The TimePeriod DWORD specifies the length of the timeout period (in seconds).
When the inactivity timer expires, the Access policy (based on the registry
DWORD AccessPolicy), will be enforced. During the period that the inactivity
timer has not expired, individual applications may access the token as allowed by
the AccessPolicy.
Configuring SSO
SSO is controlled by the system registry. To enable or disable the SSO policy you
must modify the AccessPolicy DWORD value within the registry. This can be done
using either the Datakey CIP Utilities or by manually modifying the value using the
Windows Registry Editor (regedit).
SSO is controlled by the same timeouts as Datakey CIP via the ResetPolicy
DWORD value.
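The three DWORDs described above interact: AccessPolicy decides whether a cached PIN exists at all and what ends it, ResetPolicy decides which activity restarts the Inactivity Timer, and TimePeriod sets its length. The Python model below is an added example, not Datakey or SafeNet code. It replays a constructed activity trace (one application logs on, signs once, then the screen saver starts) under a chosen policy and reports when private objects on the token are usable, so an administrator can see which combinations leave the PIN cached indefinitely on an idle machine (AccessPolicy 1, ResetPolicy 32) and which actually enforce the timeout. It does not read or write the registry, since the key holding the DWORDs is not named on this page, and it assumes ResetPolicy values combine as flags, which the page does not state.

```python
"""Model of the Datakey CIP PIN-cache policy (AccessPolicy, ResetPolicy, TimePeriod).

Added example, not Datakey/SafeNet code. It replays a constructed activity
trace under a chosen policy and reports when private objects on the token are
usable. It does not touch the registry: the key holding the three DWORDs is
not named on this page.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# AccessPolicy values from the table. 6 is documented as "TimePeriod or screen
# saver", i.e. 2 | 4, so the two timer bits are tested independently below.
NO_PIN_CACHE = 0
PIN_CACHE_NO_TIMER = 1
TIMER_ON_TIME_PERIOD = 2
TIMER_ON_SCREEN_SAVER = 4

# ResetPolicy values from the table. Treating them as OR-able flags is an
# assumption: the page lists them singly, but they are powers of two.
RESET_ON_SIGN_DECRYPT = 1
RESET_ON_PRIVATE_ACTIVITY = 2
RESET_ON_TOKEN_ACTIVITY = 4
RESET_ON_LIBRARY_CALL = 8
RESET_ON_INPUT = 16
RESET_AUTO = 32

# Reset flags each modelled event satisfies. A signing operation is also a
# private-object access, a token exchange and a middleware call, so it carries
# all four bits; this layering is an assumption, not stated on the page.
EVENT_FLAGS = {
    "sign": 1 | 2 | 4 | 8,
    "read_private": 2 | 4 | 8,
    "read_public": 4 | 8,
    "library_call": 8,
    "input": 16,
}


@dataclass
class PinCache:
    access_policy: int
    reset_policy: int
    time_period: int                     # seconds, the TimePeriod DWORD
    cached_at: Optional[float] = None    # when the cache was last (re)started
    logged_in: Set[str] = field(default_factory=set)  # apps that gave the PIN

    def _timer_expired(self, now: float) -> bool:
        if self.cached_at is None or self.reset_policy & RESET_AUTO:
            return False                 # ResetPolicy 32: never expires
        if not self.access_policy & TIMER_ON_TIME_PERIOD:
            return False                 # AccessPolicy 0, 1 and 4 ignore TimePeriod
        return now - self.cached_at >= self.time_period

    def _erase(self) -> None:
        """Erase the cached PIN and log every application off."""
        self.cached_at = None
        self.logged_in.clear()

    def _enforce(self, now: float) -> None:
        if self._timer_expired(now):
            self._erase()

    def login(self, app: str, now: float) -> None:
        self._enforce(now)
        self.logged_in.add(app)
        if self.access_policy != NO_PIN_CACHE:
            self.cached_at = now         # one PIN now serves all applications

    def event(self, kind: str, now: float) -> None:
        self._enforce(now)
        if self.cached_at is not None and EVENT_FLAGS[kind] & self.reset_policy:
            self.cached_at = now         # activity restarts the Inactivity Timer

    def screen_saver(self, now: float) -> None:
        self._enforce(now)
        if self.access_policy & TIMER_ON_SCREEN_SAVER and not self.reset_policy & RESET_AUTO:
            self._erase()

    def available(self, app: str, now: float) -> bool:
        """Can `app` use private objects on the token at time `now`?"""
        self._enforce(now)
        if self.access_policy == NO_PIN_CACHE:
            return app in self.logged_in  # no sharing between applications
        return self.cached_at is not None


def run_scenario(access_policy: int, reset_policy: int, time_period: int = 300) -> dict:
    """Replay a constructed trace: one app logs on, signs once, the screen
    saver starts; report who can use private objects at three instants."""
    cache = PinCache(access_policy, reset_policy, time_period)
    cache.login("mailer", 0)
    result = {"other_app_t30": cache.available("browser", 30)}
    cache.event("sign", 100)
    result["after_sign_t350"] = cache.available("mailer", 350)
    cache.screen_saver(400)
    result["after_saver_t410"] = cache.available("mailer", 410)
    return result


def policy_warnings(access_policy: int, reset_policy: int) -> list:
    """Settings under which a cached PIN never times out on an idle machine."""
    warnings = []
    if access_policy == PIN_CACHE_NO_TIMER:
        warnings.append("AccessPolicy 1: PIN cached until reboot or token removal")
    if reset_policy & RESET_AUTO:
        warnings.append("ResetPolicy 32: timer auto-resets, TimePeriod never applies")
    return warnings


if __name__ == "__main__":
    for policy in [(0, 0), (1, 0), (2, 0), (2, 1), (4, 0), (2, 32)]:
        print(policy, run_scenario(*policy), policy_warnings(*policy))
```

Running the scenario shows the practical difference between AccessPolicy 2 with ResetPolicy 0 (the signature at t=100 does not extend the cache, so the token is locked again at t=350) and AccessPolicy 2 with ResetPolicy 1 (the same signature restarts the 300-second timer, so it is still open at t=350 and only expires later); AccessPolicy 0 never shares the PIN with a second application, which is why SSO is unavailable under it.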
Since a Common Access Card (CAC) is a read only smart card, a number of
features and functions in Datakey CIP are not allowed when interfacing to a CAC.
Datakey CIP automatically detects when a CAC is present and will prevent these
features and functions from being used. The features and functions of Datakey CIP
that do not apply to CAC users are identified in the table on page 106.
What is a CAC?
A CAC is a tool that is ideally suited for use with applications that require the
secure storage of digital IDs and credentials. CACs act as secure “digital
carriers”—vehicles capable of storing one or more digital representations of a particular
person. A sample CAC is illustrated below:
Benefits of CACs
CACs provide a number of benefits:
• Security: Your private information never leaves the CAC, and is protected by
two-factor security—something that is owned (the CAC) and something that is
known (the CAC PIN).
• Portability: Your digital credentials can go wherever you go.
• Flexibility: A CAC can be used to store a variety of information, including
certificates, public keys, private keys, user names and passwords, etc.
• Simplicity: Your many passwords can be stored on a single CAC. In addition,
you are less likely to lose a CAC than forget a password.
• Ease of use: A CAC is simply inserted into a CAC reader to activate an
application; no complex codes need be read or entered. Further, one CAC can be used
for several applications.
Functional differences
If you are a CAC user, a few of the features and functions of Datakey CIP do not
apply to you. The following table shows the features and functions that do not
apply to CAC users.
This appendix provides a list of the CAPI 2.0 and the PKCS#11 functions
supported by Datakey CIP.
CAPI functions
All of the required functions for CAPI 2.0, and some of the optional functions, are
supported. Unsupported functions are labeled as such. The functions with asterisks
are optional and may be supported in the future. All nonsupported functions will
return valid error codes.
Type Function
Hash and Digital Signature Functions
    CryptCreateHash
    CryptDestroyHash
    CryptDuplicateHash (currently not implemented, but returns the correct error code)
    CryptGetHashParam
    CryptHashData
    CryptHashSessionKey
    CryptSetHashParam
    CryptSignHash
    CryptVerifySignature
Key Generation and Exchange Functions
    CryptAcquireCertificatePrivateKey*
    CryptDeriveKey
    CryptDestroyKey
    CryptDuplicateKey (currently not implemented, but returns the correct error code)
    CryptExportKey
    CryptGenKey
    CryptGenRandom
    CryptGetKeyParam
    CryptGetUserKey
    CryptImportKey
    CryptSetKeyParam
Service Provider Functions
    CryptAcquireContext
    CryptContextAddRef*
    CryptEnumProviders*
    CryptEnumProviderTypes*
    CryptGetDefaultProvider*
    CryptGetProvParam
    CryptInstallDefaultContext*
    CryptReleaseContext
    CryptSetProvider* (CryptSetProviderEx*)
    CryptSetProvParam*
    CryptUninstallDefaultContext*
Data Encryption/Decryption Functions
    CryptDecrypt
    CryptEncrypt
    CryptProtectData*
    CryptUnprotectData*
CryptEncodeObject / CryptDecodeObject Functions
    CryptDecodeObject*
    CryptDecodeObjectEx*
    CryptEncodeObject*
    CryptEncodeObjectEx*
PKCS#11 functions
Supported functions are divided by the version of PKCS#11. For the specification
of the PKCS#11 cryptographic token standard, refer to http://www.rsalabs.com.
Type Function
General Purpose Functions
    C_Initialize
    C_GetInfo
Slot and Token Management Functions
    C_GetSlotList
    C_GetSlotInfo
    C_GetTokenInfo
    C_GetMechanismList
    C_GetMechanismInfo
    C_InitToken
    C_InitPIN
    C_SetPin
Session Management Functions
    C_OpenSession
    C_CloseSession
    C_CloseAllSessions
    C_GetSessionInfo
    C_Login
    C_Logout
Object Management Functions
    C_CreateObject
    C_CopyObject
    C_DestroyObject
    C_GetObjectSize
    C_GetAttributeValue
    C_SetAttributeValue
    C_FindObjectsInit
    C_FindObjects
Encryption and Decryption Functions
    EncryptInit
    Encrypt
    EncryptUpdate
    EncryptFinal
    DecryptInit
    Decrypt
    DecryptUpdate
    DecryptFinal
Message Digesting Functions
    DigestInit
    Digest
    DigestUpdate
    DigestFinal
Signature and Verification Functions
    SignInit
    Sign
    SignUpdate
    SignFinal
    SignRecoverInit
    SignRecover
    VerifyInit
    Verify
    VerifyUpdate
    VerifyFinal
    VerifyRecoverInit
    VerifyRecover
Key Management Functions
    C_GenerateKey
    C_GenerateKeyPair
    C_WrapKey
    C_UnwrapKey
    C_DeriveKey
Random Number Generation Functions
    C_SeedRandom
    C_GenerateRandom
Parallel Function Management Functions
    C_GetFunctionStatus
    C_CancelFunction
Callback Function
    Notify
Type Function
General Purpose Functions
    Initialize
    Finalize
    GetInfo
    GetFunctionList
Slot and Token Management Functions
    GetSlotList
    GetSlotInfo
    GetTokenInfo
    GetMechanismList
    GetMechanismInfo
    InitToken
    InitPIN
    SetPin
Session Management Functions
    C_OpenSession
    C_CloseSession
    C_CloseAllSessions
    C_GetSessionInfo
    C_GetOperationState
    C_SetOperationState
    C_Login
    C_Logout
Object Management Functions
    C_CreateObject
    C_CopyObject
    C_DestroyObject
    C_GetObjectSize
    C_GetAttributeValue
    C_SetAttributeValue
    C_FindObjectsInit
    C_FindObjects
    C_FindObjectsFinal
Encryption Functions
    EncryptInit
    Encrypt
    EncryptUpdate
    EncryptFinal
Decryption Functions
    DecryptInit
    Decrypt
    DecryptUpdate
    DecryptFinal
Message Digesting Functions
    DigestInit
    Digest
    DigestUpdate
    DigestKey
    DigestFinal
Signing and MACing Functions
    SignInit
    Sign
    SignUpdate
    SignFinal
    SignRecoverInit
    SignRecover
Verifying Signatures and MACs Functions
    VerifyInit
    Verify
    VerifyUpdate
    VerifyFinal
    VerifyRecoverInit
    VerifyRecover
Dual-Function Cryptographic Functions
    DigestEncryptUpdate
    DecryptDigestUpdate
    SignEncryptUpdate
    DecryptVerifyUpdate
Key Management Functions
    C_GenerateKey
    C_GenerateKeyPair
    C_WrapKey
    C_UnwrapKey
    C_DeriveKey
Random Number Generation Functions
    C_SeedRandom
    C_GenerateRandom
Parallel Function Management Functions
    C_GetFunctionStatus
    C_CancelFunction
Callback Functions
    Token insertion callbacks
    Token removal callbacks
    Parallel function completion callbacks
    Serial function surrender callbacks
Type Function
General Purpose Functions
    C_Initialize
    C_Finalize
    C_GetInfo
    C_GetFunctionList
Slot and Token Management Functions
    C_GetSlotList
    C_GetSlotInfo
    C_GetTokenInfo
    C_WaitForSlotEvent
    C_GetMechanismList
    C_GetMechanismInfo
    C_InitToken
    C_InitPIN
    C_SetPin
Session Management Functions
    C_OpenSession
    C_CloseSession
    C_CloseAllSessions
    C_GetSessionInfo
    C_GetOperationState
    C_SetOperationState
    C_Login
    C_Logout
Object Management Functions
    C_CreateObject
    C_CopyObject
    C_DestroyObject
    C_GetObjectSize
    C_GetAttributeValue
    C_SetAttributeValue
    C_FindObjectsInit
    C_FindObjects
    C_FindObjectsFinal
Encryption Functions
    C_EncryptInit
    C_Encrypt
    C_EncryptUpdate
    C_EncryptFinal
Decryption Functions
    C_DecryptInit
    C_Decrypt
    C_DecryptUpdate
    C_DecryptFinal
Message Digesting Functions
    C_DigestInit
    C_Digest
    C_DigestUpdate
    C_DigestKey
    C_DigestFinal
Signing and MACing Functions
    C_SignInit
    C_Sign
    C_SignUpdate
    C_SignFinal
    C_SignRecoverInit
    C_SignRecover
Verifying Signatures and MACs Functions
    C_VerifyInit
    C_Verify
    C_VerifyUpdate
    C_VerifyFinal
    C_VerifyRecoverInit
    C_VerifyRecover
Dual-Function Cryptographic Functions
    C_DigestEncryptUpdate
    C_DecryptDigestUpdate
    C_SignEncryptUpdate
    C_DecryptVerifyUpdate
Key Management Functions
    C_GenerateKey
    C_GenerateKeyPair
    C_WrapKey
    C_UnwrapKey
    C_DeriveKey
Random Number Generation Functions
    C_SeedRandom
    C_GenerateRandom
Parallel Function Management Functions
    C_GetFunctionStatus
    C_CancelFunction
Callback Functions
    Surrender callbacks
    Vendor-defined callbacks