Smart Card HiPath SIcurity authentication and data storage system for information security

Brother

Smart Card HiPath SIcurity is an authentication and data storage system for information security in a company. Smart cards are a solution for building an information security infrastructure in a company. The uses of the latest generation of multifunctional smart cards, with their considerable computing power, are very diverse. They are easy to handle, and secret keys, passwords and access codes can be stored on them without fear that someone will be able to read them out. As a global player in the market, Siemens offers smart cards with high-capacity Infineon chips. On these smart cards we install our high-tech operating system CardOS, which is compatible with the world standards for smart cards.

Before a smart card can be used, a large amount of information must be written to it, including information about its owner. For this purpose we offer field-proven personalization and management systems. All processes are carried out centrally, for example the distribution of keys through the so-called Certification Center at the time the card is personalized, and the processing of the cardholder's personal data. Simple and cost-effective infrastructure management adapts flexibly to diverse and ever-changing operating conditions.

Access to applications is greatly simplified with smart card security solutions. One card can store all credentials and passwords for Windows, Internet portals and intranets, and SAP applications, while ensuring their secure use. All the user needs to remember is a personal identification number, or PIN.

HiPath SIcurity CardOS V4.2 Operating System

HiPath SIcurity CardOS V4.2 is a multifunctional smart card operating system (OS) that supports active and passive data protection. The OS is designed with the latest security requirements in mind. CardOS V4.2 complies with ISO 7816 parts 3, 4, 5, 8 and 9. CardOS V4.2 is designed to meet the requirements of the German Digital Signature Act and is evaluated under the Common Criteria EAL 4+ certification scheme. The versatile, feature-rich OS allows smart card applications to be developed quickly. If necessary, parameters can be assigned to almost every OS function even after the initial personalization of the card. The patented initialization and personalization system ensures cost-effective mass card issuance by manufacturers. Downloadable software packages extend and adapt the OS for specific applications. Siemens supplies standard packages for a wide range of applications; packages can be loaded onto the card at any time. Almost all functions are now stored in read-only memory (ROM). In addition, Siemens offers customers the development of customized packages at competitive prices.

Features of CardOS V4.2

Main features:
- CardOS V4.2 operates on Infineon SLE66CX322P (32 Kbyte EPROM) and SLE66CX642P (64 Kbyte EPROM) chips.
- The SLE66CX family of chips, with an integrated asymmetric cryptographic controller and true random number generator, has successfully passed Common Criteria EAL 5+ certification.
- Protection against all attacks known to date.
- All commands comply with ISO standards; extended command set (44 commands).
- Supported APIs: PC/SC, PKCS #11, CSP and CT-API.
- Clearly structured security and key management architecture.
- Services and commands on the card can be configured according to customer and application requirements.
- The OS can be extended by loading software components (packages), for example to support additional cryptographic algorithms or biometric authentication.
- The software packages run on both hardware platforms.
- The new licensing principle for CardOS packages allows new functions to be activated after the card is already in use (investment protection).
- RSA operations on the card based on the Chinese remainder theorem are supported by a downloadable CardOS package (the 64 Kbyte SLE66CX642P EPROM is recommended).
- Supports (on request) Elliptic Curve Cryptography (ECC).
- Supports (on request) Match-on-Card (MoC) biometric fingerprint authentication.

File system

CardOS V4.2 has a dynamic and flexible file system, protected by cryptographic methods and designed around the specifics of the chip:
- Arbitrary number of files (EF, DF). The nesting depth of DFs is limited only by the memory capacity.
- Dynamic memory management ensures optimal use of the EPROM.
- Protection against EPROM defects and power failures.

Access control
- Up to 126 different programmer-definable access rights.
- Access rights can be combined according to the rules of Boolean algebra.
- Every command and data object is protected by its own access condition.
- All security tests and keys are stored in so-called key objects, so no file IDs need to be reserved for keys and PINs.
- The security architecture allows step-by-step configuration after file creation, without data loss.

Message protection
- Conforms to the ISO standard.
- Message protection can be set separately for each command and each data object (files, keys).

Initialization and personalization
- The patented scheme ensures fast and secure volume production (physical personalization).
- Independent personalization of applications is supported.
- Alternative option: the card can be opened using commands for logical personalization.

Communication
- T=1 protocol support.
- Extended APDU support.
- Transaction support for individual commands and for sequences of commands.
- High-speed communication with the card (up to 115 kbaud), with automatic speed selection in accordance with ISO 7816 part 3.

Cryptographic functions
- Implemented algorithms: RSA 1024 bit (PKCS #1), SHA-1, Triple-DES (ECB, CBC), DES (ECB, CBC), MAC, Retail-MAC.
- DES hardware accelerator: 100 times faster than a software solution.
- Protection against Differential Fault Analysis (DFA, Bellcore attack).
- Increased resilience against side-channel attacks.
- DES and RSA protection against simple power analysis (SPA) and differential power analysis (DPA).
- ISO command chaining support.
- On-chip asymmetric key generation using the built-in true random number generator.
- On-chip digital signature function.
- External certification services with public keys can be connected through the HiPath SIcurity Card crypto interface (Microsoft CSP and PKCS #11).
- Support for session keys and session key derivation.
- Support for card-verified certificates: the public key enclosed in the certificate can be extracted and used on the card (which makes certificate chains on the chip possible).
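The communication and access control points above (commands arriving as short or extended-length APDUs, and every data object guarded by its own access condition built with Boolean algebra) can be made concrete with a small host-side model. The following Python is an added example written for this page, not CardOS or Siemens code: the rule syntax, file layout, PIN value, the "ADMIN" security state and the three commands modelled are assumptions, while the INS bytes and status words (9000, 6982, 6983, 6A82, 63Cx) are the ISO 7816-4 ones.

```python
"""Toy ISO 7816-4 card front-end: command APDU parsing plus rule-based access control.
Added example, not CardOS code: the rule syntax, file layout, PIN value, the "ADMIN"
state and the three commands modelled are assumptions; INS bytes and status words
are the ISO 7816-4 ones."""

SW_OK, SW_SECURITY, SW_BLOCKED, SW_NOT_FOUND, SW_INS = 0x9000, 0x6982, 0x6983, 0x6A82, 0x6D00

def parse_apdu(raw: bytes) -> dict:
    """Split a command APDU into fields (ISO 7816-4 cases 1-4, short and extended length)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                                   # case 2S: Le only, 0x00 means 256
        le = body[0] or 256
    elif len(body) > 1 and body[0] != 0:                 # case 3S/4S: 1-byte Lc, data [, Le]
        lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the data length")
        le = (rest[0] or 256) if rest else None
    elif len(body) == 3:                                 # case 2E: 0x00 + 2-byte Le, 0 means 65536
        le = int.from_bytes(body[1:3], "big") or 65536
    elif len(body) > 3:                                  # case 3E/4E: 0x00 + 2-byte Lc, data [, Le]
        lc = int.from_bytes(body[1:3], "big")
        data, rest = body[3:3 + lc], body[3 + lc:]
        if len(data) != lc or len(rest) not in (0, 2):
            raise ValueError("Lc does not match the data length")
        le = (int.from_bytes(rest, "big") or 65536) if rest else None
    elif body:                                           # 0x00 followed by a single byte is invalid
        raise ValueError("malformed length field")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def allowed(rule, satisfied: set) -> bool:
    """Access condition: "ALWAYS", "NEVER", a security-test name, or ("AND"/"OR"/"NOT", ...)."""
    if isinstance(rule, str):
        return rule == "ALWAYS" or (rule != "NEVER" and rule in satisfied)
    op, *args = rule
    if op == "AND":
        return all(allowed(a, satisfied) for a in args)
    if op == "OR":
        return any(allowed(a, satisfied) for a in args)
    if op == "NOT":
        return not allowed(args[0], satisfied)
    raise ValueError(f"unknown operator {op!r}")

class ToyCard:
    """Each file carries its own access conditions; satisfied security tests are kept in RAM
    only, so they vanish on a power cycle."""
    def __init__(self, files: dict, pin: bytes, max_tries: int = 3):
        self.files, self._pin, self.max_tries = files, pin, max_tries
        self.tries, self.satisfied, self.selected = max_tries, set(), None

    def transmit(self, raw: bytes):
        """Process one command APDU; return (response data, status word)."""
        c = parse_apdu(raw)
        if c["ins"] == 0xA4:                                    # SELECT by 2-byte file id
            fid = int.from_bytes(c["data"], "big")
            if fid not in self.files:
                return b"", SW_NOT_FOUND
            self.selected = fid
            return b"", SW_OK
        if c["ins"] == 0x20:                                    # VERIFY (PIN)
            if self.tries == 0:
                return b"", SW_BLOCKED
            if c["data"] != self._pin:
                self.tries -= 1
                return b"", 0x63C0 | self.tries                 # 63Cx: x attempts left
            self.tries = self.max_tries
            self.satisfied.add("PIN")
            return b"", SW_OK
        if c["ins"] in (0xB0, 0xD6):                            # READ BINARY / UPDATE BINARY
            f = self.files.get(self.selected)
            cmd = "READ" if c["ins"] == 0xB0 else "UPDATE"
            if f is None:
                return b"", SW_NOT_FOUND
            if not allowed(f["access"].get(cmd, "NEVER"), self.satisfied):  # default deny
                return b"", SW_SECURITY
            if cmd == "UPDATE":
                f["data"] = c["data"]
                return b"", SW_OK
            return f["data"][:c["le"] or len(f["data"])], SW_OK
        return b"", SW_INS

def demo_card() -> ToyCard:
    """Constructed layout: file 1 is world-readable but needs PIN AND admin authentication
    to update; file 2 is readable and updatable only after PIN verification."""
    files = {0x0001: {"data": b"public-id", "access": {"READ": "ALWAYS", "UPDATE": ("AND", "PIN", "ADMIN")}},
             0x0002: {"data": b"secret", "access": {"READ": "PIN", "UPDATE": "PIN"}}}
    return ToyCard(files, pin=b"1234")

def select_apdu(fid: int) -> bytes:
    return bytes([0x00, 0xA4, 0x00, 0x00, 0x02]) + fid.to_bytes(2, "big")

def verify_apdu(pin: bytes) -> bytes:
    return bytes([0x00, 0x20, 0x00, 0x01, len(pin)]) + pin

READ_BINARY = bytes([0x00, 0xB0, 0x00, 0x00, 0x00])         # case 2S, Le = 256: read everything

def walkthrough() -> list:
    """What a host sees when it reads file 2 before and after PIN verification."""
    card = demo_card()
    return [card.transmit(select_apdu(0x0002))[1],      # 0x9000
            card.transmit(READ_BINARY)[1],              # 0x6982: PIN not yet verified
            card.transmit(verify_apdu(b"0000"))[1],     # 0x63C2: wrong PIN, two attempts left
            card.transmit(verify_apdu(b"1234"))[1],     # 0x9000
            card.transmit(READ_BINARY)[0]]              # b"secret"
```

`walkthrough()` shows the sequence a host sees: reading the protected file fails with 6982 until the PIN is verified, a wrong PIN answers 63C2, and an UPDATE guarded by ("AND", "PIN", "ADMIN") still fails after PIN verification alone, which is the Boolean-combination property the feature list describes. Unknown commands fall through to 6D00 and files with no rule for a command default to deny.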

Additional integrated functions

On-chip key generation: asymmetric key generation is implemented for 1024-bit key pairs on the chip, with or without a user-defined public exponent. After installing the 'RSA 2048 bit CRT' package, key pairs up to 2048 bits are supported (available by the end of Q1 2004).

Fingerprint matching on the card (on request, available by the end of the first quarter of 2004): the fingerprint matching is performed by the chip, so the private fingerprint data never leaves the card and is reliably protected.

Elliptic curves (on request, planned by the end of the second quarter of 2004). Downloadable packages conforming to the ANSI X9.62 and IEEE P1363 standards provide:
- ECDSA key generation.
- ECDSA signature generation.
- ECDSA signature verification.

Restrictions:
- Length of p and n in bits: bits.
- The length of p and n in bits must be a multiple of 8.
- The cofactor h must be 1.

New commands to support ECDSA:
- EC CONTROL (internal command; initialization and personalization).
- GENERATE KEY PAIR, upgraded (ISO compliant; for use).
- PSO_CDS, updated (ISO compliant; for use).
- PSO_VDS, upgraded (ISO compliant; for use).
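To illustrate on-chip RSA key generation with a user-defined public exponent, CRT-based signing and the DFA (Bellcore attack) protection listed above, here is a host-side Python model. It is an added example, not Siemens or CardOS code; the 512-bit key size (chosen for speed), the exponents, the raw SHA-1 message representative (real signing applies PKCS #1 padding) and the `simulate_fault` test hook are assumptions. The point is `sign_checked`: the CRT result is verified with the public exponent before it is released, and a result that does not verify is withheld rather than output.

```python
"""RSA key generation with a chosen public exponent, CRT signing and a release check.
Added example, not CardOS code: key size, exponents, the raw SHA-1 message
representative and the simulate_fault test hook are assumptions for the illustration."""
import hashlib
import random
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def seeded_rng(seed: int) -> random.Random:
    """Deterministic generator for reproducible demonstrations (never for real keys)."""
    return random.Random(seed)

def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test with bases drawn from rng."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, retried until it passes Miller-Rabin."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate

def generate_keypair(bits: int = 512, e: int = 65537, rng=None) -> dict:
    """RSA key pair for a caller-chosen public exponent e, including the CRT private parts."""
    rng = rng or random.SystemRandom()
    if e < 3 or e % 2 == 0:
        raise ValueError("public exponent must be an odd integer >= 3")
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p == q or (p * q).bit_length() != bits or gcd(e, phi) != 1:
            continue                                 # e must be invertible modulo phi(n)
        d = pow(e, -1, phi)
        return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
                "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def message_representative(message: bytes, n: int) -> int:
    """SHA-1 digest as an integer below n (simplification: real signing applies PKCS #1 padding)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n

def sign_crt(key: dict, m: int, simulate_fault: bool = False) -> int:
    """m^d mod n computed as two half-size exponentiations recombined with Garner's formula."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if simulate_fault:
        sp ^= 1                                      # test hook only: one half-result is corrupted
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return sq + h * key["q"]

def verify(key: dict, m: int, s: int) -> bool:
    return pow(s, key["e"], key["n"]) == m

def sign_checked(key: dict, m: int, simulate_fault: bool = False) -> int:
    """Sign with CRT, then verify with the public exponent before releasing the result;
    a result that does not verify is withheld (the DFA/Bellcore countermeasure)."""
    s = sign_crt(key, m, simulate_fault)
    if not verify(key, m, s):
        raise RuntimeError("signature self-check failed; result withheld")
    return s
```

Generating with `e=3` exercises the coprimality check in `generate_keypair` (candidates whose phi(n) is divisible by 3 are rejected), and the CRT signature equals the plain `pow(m, d, n)` result, so the two private-key representations are interchangeable.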

HiPath SIcurity Card Login 1.0

HiPath SIcurity Card Login is a password management application that provides secure, PIN-protected storage of all credentials (user name and password) and other confidential information on HiPath SIcurity CardOS smart cards. The Card Login application supports the following types of logon using smart cards: logon to the domain and to Windows applications, logon to applications of other operating systems, and logon in web browsers.

Card Login supports four logon procedures, depending on which procedure the application allows: auto-complete, logon button, drag-and-drop logon and clipboard logon. With automatic form filling, logon can be fully automated and the user does not have to match the stored information to the fields: Card Login automatically recognizes the application from its logon window and enters the logon information in the appropriate fields. The second procedure, the logon button, launches the corresponding application and enters the corresponding logon information into the logon fields. If Card Login cannot identify the logon window by itself, the user can drag the logon data from the Card Login window to the logon window (drag and drop) or copy it and enter it manually (copy and paste). In none of these cases does the user have to remember or write down the password and user name.

Card Login can be used not only locally on a PC, but also with Microsoft Windows Terminal Services and from a remote PC. Card Login is compatible with current Windows XP/2003 networks and meets the requirements of the terminal server concept. In addition, Card Login supports a backup function that saves encrypted credentials as a file; it is used to restore the logon data to a blank card when a smart card is lost or damaged.

Card Login provides automatic synchronization with the Windows environment: if the user changes the Windows password, the data on the smart card is changed automatically.

[Figure: convenient password management using a smart card. One card and one PIN give access to Windows logon, webmail, the intranet portal, SAP logon, the e-commerce portal and other procedures, with HiPath SIcurity CardOS as the password store.]

Functions
- Secure storage of all logon information (user IDs and passwords for Windows, web applications, etc.) on a single hardware key.
- Protected memory for additional personal data such as credit card numbers, bank account numbers and bank transaction numbers.
- Easy data administration by the user.

Customer benefits
- Authentication for all applications using one hardware key and one PIN.
- No need to write down passwords.
- Ease of use and faster logon procedures.
- Convenient use of strong passwords.
- Savings through fewer administrative operations to recover forgotten passwords.

Card Login also includes a simple tool for managing the chip card, the Card Login Administrator utility. It can be used to create user accounts manually or to import them from Microsoft Active Directory or other databases. The Card Login Administrator utility is used to manage smart cards and to issue a smart card to its holder. When Card Login is used in an enterprise, profiles for the various user groups are created with the Card Login Administrator. For each profile, individual policy settings are configured and written to the card when it is initialized. The profile can be changed later while the logon data is retained; in this way a different group policy can be assigned to the user. The policy supports various settings: password quality; whether the user may change settings independently (and if so, which ones); and the action the PC takes after the smart card is removed from the reader. In large, complex systems, and when smart cards are used in a public key infrastructure (PKI), the more powerful HiPath SIcurity Card Maker smart card personalization system and the corresponding smart card management system are used instead of the administration tool. There is also a password generator that generates strong passwords for the user (as specified in the policy). The user thus contributes to corporate security by using very strong (long and complex) passwords without having to remember them.

Components

HiPath SIcurity Card Login consists of two components: a client component (Card Login Client), installed on users' PCs, and an administrator component (Card Login Administrator), which is used on a single PC to issue new cards. The Card Login Administrator and Card Login Client applications do not need to be networked. The Card Login Client can also be used on laptops and remote PCs. The administrative component is always shipped with the client component and is included in the Card Login Client license. Smart cards and readers are not included with the Card Login application.

Technical data

Card Login Client system requirements

PC operating systems:
- Windows XP Professional
- Windows 2003 Server
- Windows 2000 Professional (SP2 or later)
- Windows 2000 Server (SP2 or later)
- Windows NT 4.0 SP6 or later
- Windows ME (Windows logon using smart cards is not supported)
- Windows 98 (Windows logon using smart cards is not supported)
Browser: Microsoft Internet Explorer 5.5 or higher; Netscape 7.0 or higher
PC hardware platform: 32-bit Intel processor (Pentium II with a clock speed of at least 400 MHz), 128 MB memory, 20 MB free hard disk space

Card Login Administrator system requirements

PC operating systems:
- Windows XP Professional
- Windows 2003 Server
- Windows 2000 Professional (SP2 or later)
- Windows 2000 Server (SP2 or later)
Browser: Microsoft Internet Explorer 5.5 or higher; Netscape 7.0 or higher
PC hardware platform: 32-bit Intel processor (Pentium II with at least 400 MHz), 128 MB memory, 20 MB free hard disk space

Smart cards:
- Siemens HiPath SIcurity CardOS V4.2
- Siemens HiPath SIcurity CardOS M4.01A
- Siemens HiPath SIcurity CardOS M4.01
- Siemens HiPath SIcurity CardOS M4.0

Smart card reader (PC/SC smart card reader):
- Omnikey CardMan 2011 serial
- Omnikey CardMan 2020 USB
- Omnikey CardMan 4000 PCMCIA

HiPath SIcurity Card API

HiPath SIcurity Card API is a software package for workstations and servers. The interface extends the use of public key technology in a company by increasing the flexibility and security of using smart cards or other security authentication devices together with the Siemens HiPath SIcurity CardOS operating system. The API provides everything needed for cryptography, authentication and digital signature applications, as well as for popular business applications. The Card API software package installs the CardOS PKCS #11 library and contains a standard Cryptographic Service Provider (CSP). As a result, the capabilities of the smart card can be used for all operations that require security:
- Storage of private keys, certificates and personal data in a tamper-resistant device.
- Execution of operations requiring increased security, such as key generation, key exchange and digital signatures, in a secure mode and independently of the other components of the system.
- Guaranteed portability of credentials (key pairs and the corresponding certificates) and other personal information between computers at different workplaces: in the office, at home, etc.

[Figure: crypto interfaces for smart-card-enabled applications. Trusted networks and applications use the HiPath SIcurity Card API (PKCS #11 module and Cryptographic Service Provider (CSP)) with HiPath SIcurity CardOS for document signing, PC access, application access, e-mail protection, remote LAN access and encryption (VPN).]

Properties
- The interface between security hardware keys and applications that use cryptographic functions.
- Parallel support for two standard crypto interfaces.
- Keys and certificates on one hardware key can be used through both interfaces simultaneously by different applications.

Customer benefits
- Convenient use of keys and certificates in all business applications.
- Easy integration into existing IT systems through the use of standard interfaces.
- Support for common platforms.

The application interface provides the following functionality on one smart card: use of the same set of keys by different applications; use of the corresponding keys by one application; operation in mixed mode, regardless of the type of application (PKCS #11 or CSP).

[Figure: Windows logon, SSL authentication and e-mail security using the authentication keys, signature keys and encryption keys on the card.]

Standards

The HiPath SIcurity Card API and the PKCS #15 standard file system use a standard PC/SC environment to communicate with smart card terminals. Two standard interfaces are offered for Windows applications that use the CardOS cryptographic operations and functions:
- Microsoft Crypto Service Provider API (MS CSP V2.0)
- RSA Public Key Cryptography Standard #11 (PKCS #11, V2.11)

Components

The Card API can be installed and used on ordinary client workstations and on a Windows Terminal Server, with different licenses: the Interface Client License and the Interface Server License. The API configuration for the client and the server is the same. When the interface is installed, the CardOS ICC Service Provider (CardOS ICCSP) and the Card Viewer utility are also installed; the latter provides initialization of a blank card, changing of PIN and PUK codes, and import of keys, certificates and data objects.

License

An ICL (Interface Client License) is required to install and use the cryptographic drivers for CardOS smart cards on client workstations; the total number of systems on which the API is installed is counted. An ISL (Interface Server License) is required to install the cryptographic drivers for CardOS smart cards on a terminal server and to use them from client workstations connected to the server; the maximum number of concurrent users on each server is counted. The ICC Service Provider application license is included in the ICL license.

The Card API software package is supplied on a CD-ROM and consists of one installation package:
- Microsoft Crypto Service Provider for CardOS
- PKCS #11 cryptographic module for CardOS
- ICC Service Provider for CardOS
- Card Viewer utility
- Documentation (user manual, installation guide, release notes for this software version)

PKI applications supported by the cryptographic drivers

The Card API supports various PKI applications through standard interfaces, so the proposed solution is also compatible with new business applications that use advanced PKI-based security features:
- Microsoft Internet Explorer V5.5, V6.0
- Microsoft Outlook 2000 V9.0
- Netscape Navigator V4.78, V7.01
- Netscape Messenger V4.78
- Lotus Notes R6.5
- Mozilla V1.5
- Check Point VPN-1 Client NG AI (SecuRemote / SecureClient)
- Cisco VPN Client V4.0
- F-Secure VPN+ V5.50
- Entrust Entelligence V6.1
- Entrust Entelligence Security Provider V7.0
- Entrust Authority V6.0
- Entrust Authority Security Manager V7.0
- Adobe Acrobat V6.0
- Microsoft Windows 2000 PKI
- Microsoft Windows 2003 PKI
- Windows Smart Card Logon
- Windows Terminal Services
- Citrix MetaFrame (Windows Server)

Developer products

For application developers Siemens offers the Application Development Kit for HiPath SIcurity CardOS (ADK). The toolkit contains all the smart card application development tools as well as the libraries (APIs) needed to integrate smart cards with other applications:
- Software tools for developing Card API applications that support the Card API (installer, script files, utilities).
- Software tools for developing CardOS ICCSP applications.
- CardOS Assist.
- CardOS Crypto-Library cryptographic library.
- CardOS manuals.
valid in European countries. CardOS runs on a security-certified crypto controller from Infineon Technologies; generation of keys up to 1024 bits is supported, and there is a built-in true random number generator.

Smart card reader

Any reader can be used. Recommended PC/SC compatible hardware:
- Omnikey CardMan 2011 serial
- Omnikey CardMan 2020 USB
- Omnikey CardMan 4000 PCMCIA

HiPath SIcurity Card Maker V1.0 software module

HiPath SIcurity Card Maker is a reliable, high-performance chip card personalization system. A chip card must be prepared for its intended use: it is assigned to one person, called the cardholder, and the corresponding data is written to all components of the card. HiPath SIcurity Card Maker is a high-performance system that provides reliable optical and electrical personalization. It is a software module that works together with the Card Management System (CMS), which manages the issued cards and controls their life cycle (the status of the cards and of the applications on them). HiPath SIcurity Card Maker is integrated into and managed by the card management system, so it needs no user interface of its own. Together with the chip card, the HiPath SIcurity CardOS operating system and the CMS card management system, the HiPath SIcurity Card Maker module is one of the components required to build a complete chip card infrastructure or public key infrastructure (PKI).

HiPath SIcurity Card Maker has an interface to existing user databases, allowing it to import personal data from, for example, a personnel database. In addition, the system adds new information, such as an employee's photo. The module supports generation of the signature key on the chip card itself as well as import of encryption keys generated by the certification center. The HiPath SIcurity Card Maker module itself also has a modular architecture that enables a distributed chip card infrastructure: local card issuing points, where information processing and personalization of the chip cards are performed, are connected via a secure connection to the certification center, where the encryption keys are generated and stored.

The personalization process consists of several stages: initialization, pre-personalization, personalization and post-personalization. During initialization, the data that is the same for all cards is written to the EPROM. This data includes operating system extensions and data structures that are either left blank or filled with standard data. At this stage all cards are still identical, except for the individual hardware chip number.

[Figure: system overview. Card management systems (Bell ID, VPS, Siemens SIPORT) and their databases drive HiPath SIcurity Card Maker, which personalizes HiPath SIcurity CardOS cards and connects to the certification center (Entrust CA, Microsoft CA, Guardeonic CA) and its database: a secure, high-performance smart card personalization system.]

Features
- One-step personalization of smart cards with contact and optional contactless chips.
- Writing of security data to a smart card for multiple applications (e-mail encryption, room access control).
- Import of user information from existing databases.
- Integration with various certification centers and card management systems.

Customer benefits
- Flexible integration with various smart card management systems.
- Ability to work in any customer environment.
- One-step fast personalization when creating corporate identities; the credentials can be used immediately after creation.
- Post-personalization of already issued smart cards for new applications.

HiPath SIcurity Card Maker V1.0

At the pre-personalization stage the card is "individualized", but not yet assigned to a specific person: card numbers are written, key pairs are generated and an individual card key is personalized. After this stage all cards are different, but still anonymous. In personalization proper, the card is assigned to a specific person: the owner's name, surname and photograph can be printed on it, and personal data is written to the chip. Later, during post-personalization, when the card is already in use, new data can be added to it.

Connectivity and compatibility

HiPath SIcurity Card Maker connections to card management systems (CMS):
- ANDiS and ANDiS Light by Bell ID
- icms and icard Office by VPS
- SIPORT NTVAS by Siemens Building Technology

Certification authorities:
- Microsoft 2003 CA
- Entrust Authority 7
- Guardeonic TrustedCA

Operating systems for chip card personalization:
- HiPath SIcurity CardOS V4.2
- HiPath SIcurity CardOS M4.01A
- HiPath SIcurity CardOS M4.01
- HiPath SIcurity CardOS M4.00
- Other ISO 7816 cards, Java Cards (optional, planned)

Languages: HiPath SIcurity Card Maker has no user interface and is therefore language independent; it is managed by the CMS card management system.

Target group
- Companies building public key infrastructures (PKI) for working with chip cards.
- Companies that use chip cards to identify employees, as keys or as digital certificates (identities).
- Companies wishing to have several card issuing points distributed across the company.
- Companies that generate keys centrally and transfer them securely to chip cards.
- Companies looking for an encryption key recovery solution.
- Small and medium-sized enterprises that want to use chip cards in an existing Microsoft 2003 infrastructure without significant investment (Windows domain logon, e-mail encryption, strong authentication).

Benefits
- Hardware for integration with other widely used certificate authority solutions (Microsoft, Entrust, Guardeonic).
- Integration of card management systems for companies of different sizes (scalability).
- Control of key generation on the chip card (signature key) and in the certification center (encryption key).
- Secure transfer of keys generated directly in the certification center to an authorized chip card using secure messaging (HiPath SIcurity Server for HiPath SIcurity Card Maker).
- Complete personalization of the chip card (optical and electrical) at the main office or a branch in just a few minutes.
- Personalization of various types of smart cards with individual file structures, driven by simple editable scripts (various scripts can be loaded into the Card Maker module).
- Recovery of "old" chip card encryption keys that were previously used by employees (old e-mail messages can be decrypted again).

Strategic advantages
- Simple and inexpensive integration with existing Microsoft infrastructures.
- Employees use a digitally certified chip card for all authentication procedures (increasing company security).
- Rapid issuance of chip cards used for electronic identification of employees (no lengthy and complicated administrative process).
- Connection of multiple unsecured, distributed card issuing points to a central, well-secured Certification Center.

Cost reduction
- Chip cards can be issued locally to individual users as needed: no lengthy administrative procedures, postage or time delays.
- Fast issuance of guest cards with limited rights.
- HiPath SIcurity Card Maker's unique business offering provides low-cost, secure and fast issuance of smart cards (employee identification cards) with key recovery in a decentralized company.

Increased productivity
- New employees can immediately receive an ID card and use it for all business operations.
- If a card is lost or damaged, a new card is issued and the employee can continue working without any restrictions or delays.

HiPath SIcurity smart card applications:
- Secure physical access
- Time and attendance
- Corporate cashless payments
- Secure PC and application access control
- Web application access
- E-mail security

Our capabilities, your benefits

Corporate Communications Networks offers the most advanced solutions to optimize your business through innovative communication systems and applications. The basis of the proposed solutions is the HiPath converged architecture developed by Siemens, which guarantees customers a flexible and safe transition to innovative IP solutions.

Siemens LLC, Corporate Communication Networks, Malaya Kaluzhskaya Street, Moscow.
 