SECUTECH SOLUTIONS UNIMATETOKEN UniMate USB/TRRS PKI Token User Manual

SECUTECH SOLUTIONS PTY LTD UniMate USB/TRRS PKI Token Users Manual

Users Manual

UNIMATE & UNITOKEN PRO MANUAL VERSIO N 3.0
I The data and information contained in this document cannot be altered without the express written permission of SecuTech Solution Inc. No part of this document can be reproduced or transmitted for any purpose whatsoever, either by electronic or mechanical means. The general terms of trade of SecuTech Solution Inc. apply. Diverging agreements must be made in writing. Copyright © SecuTech Solution Inc. All rights reserved. WINDOWS is a registered trademark of Microsoft Corporation. The WINDOWS-logo is a reg istered t rad emark (TM) of Microsoft Corporation. Software License The software and the enclosed documentation are copyright-protected. By installing the software, you agree to the conditions of the licensing agreement. Licensing Agreement SecuTech Solution Inc. (SecuTech for short) gives the buyer the simple, exclusive and non -transferable licensing right to use the software on one individual computer or networked computer system (LAN). Copying and any other form of reproduction of the software in full or in part as well as mixing and linking it with others is prohibited. The buyer is authorized to make one single copy of the software as backup. SecuTech reserves the right to change or improve the software without notice or to replace it with a new development. SecuTech is not obliged to inform the buyer of changes, improvements or new developmen ts or t o make these available to him. A legally binding promise of certain qualities is not given. SecuTech is not responsible for damage unless it is the result of deliberate action or negligence on the part of SecuTech or its aids and assistants. SecuTech accepts no responsibility of any kind for indirect, accompanying or subsequent damage.
II Contact Information HTTP: www.eSecuTech.com E-M ail: Sales@eSecuTech.com Please Email any comments, suggestions or questions regarding this document or our products to us at: Sales@eSecuTech.com Version Date
IV Table of Contents PART 1 AN OVERVIEW O F UNI MA TE & UNI TOKEN 2 CHAPTER 1: UNIMA TE & UNITO KEN DEVICE 2 1 .1 Features 2 1 .2 Sp ecification s 3 CHAPTER 2: UNIMA TE & UNITO KEN SOFTW A RE 3 2 .1 UniMate & UniToken driver installation 3 2 .2 The PKCS#11 and MS-CAPI Modules of UniToken 4 2 .3 Token API 4 2 .4 Supported Platforms 4 CHAPTER 3: SECURI TY 5 3 .1 Key 5 3 .2 Data transmission 7 3 .3 Factory Default Settings 7 PART 2 UNI MA TE & UNITO KEN SDK 7 CHAPTER 4: SDK OVERVIEW 7 4 .1 Driver installation 8 4 .2 Redistribution Package 8 4 .3 Console 12 4 .4 M onitor 42 PART 3 APPLYING DIGITAL CERTIFICA TES 55 CHAPTER 1: APPLYING DIGITAL CERTIFICATES 55 1 .1 Applying VeriSign Certificates 55 1 .2 Applying Microsoft Certificates 56 1 .3 Using Digi tal Certi fi cates 58 PART 4 DEVELO PER S GUI DE 59 1 .1 Device Initialization 59 CHAPTER 1: PKCS11 APPLICATION 59 1 .2 Introduction 59 1 .3 Supported PKCS#11 Algorithms and APIs 61 1 .4 UniMate & UniToken PKCS#11 Function Library 62 1 .5 Samples 65
V CHAPTER 2: M S-CAPI APPLICATIONS 67 2 .1 Introduction 67 2 .2 Supported Algorithms and APIs 68 2 .3 Samples 69 2 .4 UniMate & UniToken API 72
2 of 72 Part 1 An Overview of UniM ate & UniToken UniMate & UniToken, h ereinafter referred to as Token, is an in fo rmatio n secu ri ty product based on CCID technology. It is a secure container for digital credentials. Advanced processor and secure memory are built in the Token device to guarantee the secu ri ty fo r ex changing , sto ring and handling electronic information. Token has achieved an effective rights management and can provide a highly -secu red file system. A built-in computing engine accomplishes fast and efficient information processing. Token supports PKI applications and provides Token API for secondary development. Abundant samples bring ease to integrations. Chapter 1: UniM ate & UniToken Device 1.1 Features Key features of UniM ate & UniToken device:  Globally unique hardware ID  Customized software ID  Smartcard-based
3 of 72  On-board encryption  Two levels of PIN managemen t mechanism  A secure file system  Large memory up to 64K  Stylish and cute case  Lead free 1.2 Specifications Dimensions 57×16×8 mm Weight 9gM in. Operating Voltage 5V Current Consumption <= 50 mA Operation Temperature 0℃ to 70℃Storage Temperature -10℃ to 85℃ Humidity Rate 0-70% without condensation Casing Tamper-evident M etal M emory Data Retention At least 10 years M emory Cell Rewriters At least 100,000 times Chapter 2: UniM ate & UniToken Software 2.1 UniM ate & UniToken driver installation
4 of 72 2.2 The PKCS#11 and M S-CAPI M odules of UniToken PKCS#11 module of Token is implemented according to PKCS#11 standards V.2.20, which is a DLL file for C language running on Windows operating system. M S-CAPI Module of UniToken is implemented in line with MS-CAPI standard. These two modules can be used in cooperation with each other, i.e. the certificate applied with PKCS#11 can be used by MS-CAPI module of Token, and vice versa. 2.3 Token API Token provides a set of Token API, which allows users to manage one or several Token hardware keys, i.e. operation of Token attributes, permission, built -in algorithms and secure file system. Please install Token API package or Token full package to enable these features. 2.4 Supported Platforms Table 1.3: Supported Platforms Components OS UniMate Flex UniMate STD UniToken PRO Windows 2000 √ √ √ Windows 2003 √ √ √Windows XP √ √ √ Windows Vista √ √ √ Windows 7 √ √ √ Windows 2008 √ √ √ Windows 2012 √ √ √ Windows 8 √ √ √
5 of 72 iOS √ Android √ Chapter 3: Security Security is the most important part in Token system, which involves in identification and verification method, including not only the file access permission control mechanism inside the token, but also the information confidential control inside the token. The security attribute means the current state of the device when the card is reset or after the token finished some commands. 3.1 Key The following table describes different key types and use Key Type Use Transmission KeyEnsure the security during the card initialization, and provide encryption and decryption. PIN Directory level authentication. control differet users’ read ad write perissio PIN unlock key Used to unlock PIN PIN reload key used to reload PIN External authentication key Token uses this key to authenticate the exte rnal enti ty Internal authentication key External entity uses this key to authenticate the token device. M aster key Used to secure transmission Block encryption/ decry ption key Provide encryption/decryption for exte rnal enti ty. Transmission key: a 16-byte key that every device must have only one transmission key PIN: a personal identification number based on directory. The PIN is firstly hashed and then stored in the device PIN unlock key: a 16-byte key is used in unlock function. Its function is that encrypts PIN and calculates M AC of the cipher text as a key.
6 of 72 PIN reload key: not used in this version and will add this function in the following version. External authentication key: a 16-byte key that used for external authentication. The first 8-byte is the key1 and key3. Internal authentication key: a 16-byte key that used for internal authentication. The first 8-byte is the key1 and key3. The block encryption/decryption key: used to specified algorithm, length is from 8-byte to 16-byte. Currently the supported algorithms are DES (ECB, CBC), TDES (ECB, CBC), AES (EBC, CBC). Authentication type Key type Use method and algorithmAccess permission au t hen ti cation Transmission key Comparison in plaintext Ex ternal au then ti cati on (fo r examp le, format device in user state) PIN Ex ternal au th en ti cation (TDES) Extern authentication key Ex ternal au th en ti cation (TDES) In ternal au then ti cati on key In ternal au th en ti cation (TDES) Cipher text transmission Transmission key TDES encryption (use DES in M AC) Master key TDES encryption (use DES in M AC) PIN unlock key TDES encryption (use DES in M AC) PIN reload key TDES encryption (use DES in M AC) Provide encryption operation for external en t i ty Encryption key Depending on implemented encryption algo ri thm s.
7 of 72 3.2 Data transmission Data transmission means data transmitted between host machine and device, including 4 transmission modes. M ode Definition Security Integrity Plaintext Data is transferred directly without any process × × Plaintext with MAC Plaintext and M AC of the plaintext are transferred together × √ Cipher Plaintext is encrypted before transferred √ × Cipher with M AC Data is encryp ted and calculate the M AC o f th e encrypted data, and then transferred the cipher text and M AC √ √ 3.3 Factory Default Settings the master key to create and delete file. Part 2 UniM ate & UniToken SDK Chapter 4: SDK Overview Table1.6 Token SDK Contents Components Description Include Declaration of the standardized identifiers and interface of PKCS #11, CSP and Token API. Libraries Token libraries Documents M anual for Token PRO and API
8 of 72 reference Integration Guides Instruction about integration Token with other soft ware Redists Redistribution packages for developers and end users Samples Samples for CSP, PKCS and Token API W indows CCID Driver Token Drivers 4.1 Driver installation driver to make Token work. For some old versions, such like Windows VISTA and XP, driver must be installed to make the system recognise the device. After inserting Token to a computer, from Control Panel→ Hardware and Sound → Device M anager, open the Device manager. From the hardware list find the unknown device, update the driver, the driver is in the SDK\windows CCID Driver. 4.2 Redistribution Package Token provides two different redistribution packages for developers and end users respectively. Both the package provide Token PKI installation package. If you want to use the PKI application, you must install it.  Installation Token PKI package can be found in the redist folder of Token PRO SDK. For developers package Double click the icon to run the install shield wizard, and follow the illustration belo w:
9 of 72 In this section, user name and company name are required. And cl
10 of 72
11 of 72  Uninstallation To uninstall the software, there are two ways: start menu and control panel. Start M enu: -All Programs-SecuTech-Token-Uninstall Token
12 of 72 4.3 Console Token Console is used to manage devices, set user permission as well as control file system and certificates. 4.3.1 Check Token information 1. Start Console.exe and insert your device
13 of 72 The devide name will appear on the left side of the page. 2. Click on the name of the device to check the device information.
14 of 72 4.3.2 Initialize Token 1. On the main page, select the Token from the list.
15 of 72 2. On the left side, click on the initialization icon . In the pop up page, fill the in fo rmation , configure the key usage and input old issue key and set new issue key. 3. Click on O K to start initialization. After the token is initialized successfully, a message page will pop up. Click on O K to return the main page.
16 of 72 4.3.3 Change Key 1. Write a key for the folder by clicking on the writhe key icon. 2. In the pop up page, select the key usage, input the key value, the maximum at temp ts and input the master key of the folder.
17 of 72 3. Click on OK 4.3.4 Create folder (max 3 level) 1. Click on the create folder icon
18 of 72 2. In the pop up page, select folder type, input name, create delete key t ype, and input the key of the upper folder. 3. Click on OK, and the new folder will appear in the selected folder.
19 of 72 4.3.5 Create file Click on the create file icon under the selected folder.
20 of 72 1. Fill the general information in the pop up page (file name must be EF01-EFFF) and input file create key of the selected folder. 2. Click on OK, and the new file will appear in the selected folder.
21 of 72 4.3.6 Read/write file W rite file 1. Select the file and click on the update local file icon.
22 of 72 In the pop up page, select the file from you r PC The token will authenticate the write right of the selected file according to the file access right configured when the file is created. Read File 1. Select the file and click on the Save to local icon.
23 of 72 2. In the pop up page, input the directory and file name that the sel ected fil e to be samed. 3. Click on OK to save the file in token to the local PC. The token will authenticate the read right according to the access right configured when the file is created. The file will be found in your local PC 4.3.7 Delete file/ folder Delete folder 1. Select the folder and click on the delete icon.
24 of 72 2. Input the key of the upper level of the selected file and click on O K
25 of 72 D elete f ile 1. Selet the file to be deleted, and click on the delete icon 2. In the pop up page input the key of the upper folder and click on OK.
26 of 72 4.3.8 Symmetric Key Click on the symmetric keys i con .
27 of 72 Generate Key 1. Select a key file from the list and click on the generate key icon 2. In the pop up page, select key type and click on OK.
28 of 72  Import Key1. Select a key file and click on the import key icon. 2. In the pop up page, find your key file and select key type. Click on OK.
29 of 72  Encrypt/ decrypt Select the key file to be used to encrypt/decrypt. (ensure a key has been stored in the selected key file and key type) Select the algo ri thm and input the data in HEX to be encrypted/decrypted. Click on the encrypt/decrypt button.
30 of 72 Result will display in the output box.
31 of 72 4.3.9 Asymmetric Key Select the symmetric key pair i co n  Generate key 1. Select a key file from the list and click on the generate key icon.
32 of 72 2. In the pop up page select key pair type and click on OK  Import Key Pair 1. Select key file and click on the import icon.
33 of 72 2. In the pop up page, input the correct key, and click on O K
34 of 72  Encrypt/ decrypt 1. Select the key file 2. Select encrypt Input data in HEX to be encrypted and click on run.
35 of 72 In the same procedure, select decrypt and click on run to decrypt. Sign
36 of 72 Select sign Input data in HEX to be signed and click on run. Veri fy signatu re Input the signature, select verify signature and click on run.
37 of 72 4.3.10 Change certifiate Click on manage cert s icon.
38 of 72  Import certificate Click on import certs and select the certificate to be imported and input the password to the certificate. Click on OK to import the certificate. View certificate Click on the view certs and the cert i fi cate in fo rmat ion will display in the pop up page.
39 of 72 Expo rt cert i fi cate Click on the export certs and specified the directory that the certificate to be saved. Click on OK and the certificate will be saved to the directory.  Sign by a certificate Click on the sign icon and select hash algorithm.
40 of 72 Input data in HEX and click on sign.  Veri fi cati on In this page, click on verify to verify a signature signed by this certificate.  Delet e cert i fi cate Click on the delete icon
41 of 72 Click on OK Click on OK and in the pop up page input user PIN. Click on OK to delete the certificate.
42 of 72 4.4 Monitor UniToken Monitor is used to view the detailed information of certificates imported into the UniToken and register or unregister certificates. Here, it also provides a way to change User PIN. 4.4.1 Monitor device Start UniTokenM onitor.exe and insert token. Unplug device 4.4.2 Operation 1. Start Monitor.exe and select a target device.
43 of 72  Change password Click on ChangePwd, and in the pop up window input old password and new password.
44 of 72 Click on OK  Import certificate Click on the import. In the pop up page, input user password and click on login.
45 of 72 Find the certi fi cat e to be impo rted . Enter the password to the certi fi cate. Click on OK.
46 of 72 Certificate will display in the device.  Register certificate In IE-to ol -in tern et options-content-certificates check the registered certificates. There is no certificate if it s first used.
47 of 72 Select the certificate to be imported.
48 of 72 Click on Regi ster Fro m IE-internet options-content-cert ifi cates, the regi st ered certi fi cate can be foun d .
49 of 72  Unregister certificate Select the certificate to be unregistered.
50 of 72 Click on Un regi ster In IE-to ol -in tern et option-content-certi fi cates, the u n regi stered cert if i cat e i s rem oved .
51 of 72  View certificate information Select a certificate
52 of 72 Click on view, and the certificate in fo rmat ion will display in the pop up page.
53 of 72 4.4.3 Expiration reminder In onitor.exe, input ex pi ratio n remin der tim e
54 of 72 Click on OK If a certificate expire date is less than the reminding date, a reminding message will display shown as the following picture.
55 of 72 Part 3 Applying Digital Certificates Chapter 1: Applying Digital Certificates Token provides a perfect container for digital certificates. Token supports X.509 igital certificates. Token PKI package is the middleware software, which provides digital certificate usage. (See also 1.4.2) Digital certificate is used to certify that the Token is the right device. Without it, any op eration o f the Token is forbidden. In this part, we will introduce how to apply digital certificates. We will take the VeriSign certificate and Microsoft Certificate for example. 1.1 Applying VeriSign Certificates Insert one Token into USB port first, and start IE, type in https://digitalid.verisign.com/client/class1MS.htm to open the certificate applying page. Th ere are fou r steps fo r app lying a certificate. The page provides comprehensible instructions. It is easy to apply certificates by following the instructions step by step. In parti cular, at the step o f co mplet e the en roll men t , aft er fil ling all th e in fo rm ation required, select ST CSP v3.0 from the drop down list of Cryptographic Service Provider Name.
56 of 72 -m ail , pick up digital ID and then install the digital ID according to the page tips. RSA encryption key is generated in the Token. If more than one Token are inserted in USB ports, please select the Token you want to input. 1.2 Applying M icrosoft Certificates Insert one Token into USB port first, and start IE to open M icrosoft certificate applying page. This is the home page of the certificate applying site. Firstly, you should click Request a certificate. And then, select advanced certificate request.
57 of 72 On the page of Advanced Certificate Request, select create and submit a request to this CA. For certificate template, select smartcard logon in the list; for CSP, select ST CSP v3.0 Then, a window will appear to ask you to type in Token ”. The system will generate certificate automatically.
58 of 72 ”for installation. After installation, the system will prompt that certification has been successfully installed. 1.3 Using Digital Certificates SecuTech provides a series of solutions about the use of digital certificates, in the aspects of IE, Outlook, PDF, Office and so on. For the detailed instructions about that, please download relative integration guides from www.eSecuTech.com.
59 of 72 Part 4 Developer’s Guide Device Initialization Token has b een PKI initialization at f actory . You can use CCID token in PKI application the PKI application, you can use console in SDK\U ti li ties\Console\console.exe. To complete the format operation, you need to provide transmission key, which suggest security officer change this key to ensure the device security. For the third party developers, we provide PKI initialization library and sample which can be found in SDK\Libraries and SDK\Samples respectively. Chapter 1: PKCS11 Application 1.2 Introduction PKCS#11 is a Public-Key Cryptography Standard (PKCS) for public key cryptography, developed by RSA Laboratories and includes both algorithm -specifi c and algo ri th m-independent implementation standards. It is an industry standard that defines a technology independent programming interface for cryptographic devices such as smartcards and PCM CIA cards. This standard specifies an application program in t erf ace (API), cal led Cryp to ki (Cryp tog raphi c Token In terface), to devi ces, either physical or virtual, which hold cryptographic information (keys and other data) and perform cryptographic functions. This API is used across many platforms and is powerful enough for most security-related applications. SecuTech uses PKCS#11 as the main API for Token programming. Token supports PKCS#11 application via Token middleware.
60 of 72 The following files are needed when developing the Token PKCS#11 applications. Files Path Cryptpki.h Provided by RSA pkcs11.h Provided by RSA Pkcs11f.h Provided by RSA Pkcs11t.h Provided by RSA uktp11.dll C:\ Windows\system32\ PKCS#11 module of Token supports the creation of the following objects: Object Class Description CKO _D ATA For data structures defined by application CKO_SECRET_KEY For symmetric keys CKO_CERTIFICATE For X.509 v3 certificates CKO_PUBLIC_KEY For RSA/ DSA public key CKO_PRIVATE_KEY For RSA/DSA private key All
61 of 72 All the object s listed in the above t able can be created with Token. The secu re storage in Token is limited, so objects can only be created in memory but can NOT be stored in the Token secure storage. Only encryption keys and permanently present data need to be saved in the Token. 1.3 Supported PKCS#11 Algorithms and APIs M echanisms Encrypt/ D ecrypt Sign/ Verify Digest Generate key/ pair CKM_RSA_PKCS_KEY_PAIR_GEN √ CKM_RSA_PKCS CKM_DSA_KEY_PAIR_GEN √ CKM_DSA CKM _RC2_KEY_GEN √ CKM _RC2_ECB CKM _RC2_CBC CKM _RC2_CBC_PAD CKM _RC4_KEY_GEN √ CKM _RC4 CKM_DES_KEY_GEN √ CKM_DES_ECB CKM _DES_CBC CKM_DES3_KEY_GEN √ CKM _DES3_ECB CKM _DES3_CBC CKM _DES3_CBC_PAD CKM _M D 2
62 of 72 CKM _M D 5 CKM _SHA_1 CKM_DH_PKCS_KEY_PAIR_GEN √ CKM_AES_KEY_GEN √ CKM_AES_CBC CKM_AES_ECB The table below lists all the key sizes in Token PKCS#11.M echanisms Key Sizes CKM _RSA_PKCS_KEY_PAIR_GEN 512~2048bits CKM _DSA_KEY_PAIR_GEN 512~1024bits CKM _RC2_KEY_GEN 1~128bits CKM _RC4_KEY_GEN 1~256bits CKM _DES_KEY_GEN 8bits CKM _DES3_KEY_GEN 24bits CKM _AES_KEY_GEN 16~32bits CKM _DH_PKCS_KEY_PAIR_GEN 1~128bits 1.4 UniMate & UniToken PKCS#11 Function Library Token PKCS#11 library only implements the standard PKCS#11 APIs. Any other API beyond PKCS#11 is not implemented. If such API is called, an error return code like CKR_FUNCTION_NO_SUPPO RT will be returned. Category Function Supported
63 of 72 General Purpose Function C_Initialize YES C_Finalize YES C_GetInfo YES C_GetFunctionList YES Slot and Token Management Function C_GetSlotList YES C_GetSlotInfo YES C_GetTokenInfo YES C_WaitForSlotEvent YES C_GetM echanismList YES C_GetM echanismInfo YES C_InitToken YES C_InitPIN YES C_SetPIN YES Session M anagement Function C_OpenSession YES C_CloseSession YES C_CloseAllSessions YES C_GetSessionInfo YES C_GetOperationState YES C_SetOperationState YES C_Login YES C_Logout YES Objects M anagement Function C_CreateObject YES C_CopyO bject NO C_DestroyO bject YES
64 of 72 C_GetObjectSize YES C_GetAttributeValue NO C_SetAttributeValue YES C_FindObjectsInit YES C_FindO bjects YES C_FindO bjectsFinal YES Encryption Function C_EncryptInit YES C_Encrypt YES C_EncryptUpdate YES C_EncryptFinal YES Decryption Function C_DecryptInit YES C_Decrypt YES C_DecryptUpdate YES C_DecryptFinal YES Message Digesting Function C_DigestInit YES C_Digest YES C_DigestUpdate YES C_DigestKey YES C_DigestFinal YES Signing and Hashing Function (M AC) C_SignInit YES C_Sign YES C_SignUpdate YES C_SignFinal YES C_SignRecoverInit YES
65 of 72 C_SignRecover YES Functions for Verifying Signatures and Hashing (M AC) C_VerifyInit YES C_Verify YES C_VerifyUpdate YES C_VerifyFinal YES C_VerifyRecoverInit YES C_VerifyRecover YES Dual-purpose Cryptographic Function C_DigestEncryptUpdate YES C_DecryptDigestUpdate YES C_SignEncryptUpdate YES C_DecryptVerifyUpdate YES Key M anagement Function C_GenerateKey YES C_GenerateKeyPair YES C_WrapKey NO C_UnwrapKey YES C_DeriveKey NO Random Number Generation Function C_SeedRandom YES C_GenerateRandom YES Callback Function YES 1.5 Samples All the samples are implemented in C language, and they all support PKCS#11 standard v. 2.20. For this version, we provide the samples below:
66 of 72 FUNCTIO N SAM PLE DESCRIPTIO N To Initialize token Init Token The sample is used to initialize token. To get token information TokenInfo The sample is used to get token information. Encryption/ Decryption EDcrypt The sample is used to encrypt and decrypt data. Sign verification SignVerify The sample is used for sign verification. To initialize token Path: SDK\sam ple\PKCS\InitToken\STEPS FUNCTIO N 1. Initialize the PKCS#11 library C_Initialize 2. Get the slot list C_GetSlotList 3. Get token information C_GetTokenInfo 4. Initialize token C_InitToken 5. Open an session for token C_OpenSession 6. Log in C_Login 7. Initialize user PIN C_InitPIN 8. Log out C_C_Logout To get token information Path: SDK\sam ple\PKCS\TokenInfo\ STEPS FUNCTIO N 1. Initialize the PKCS#11 library C_Initialize 2. Get the information of PKCS#11 library C_GetInfo 3. Get the slot list C_GetSlotList
67 of 72 4. Get the slot information C_GetSlotInfo 5. Get the token information C_GetTokenInfo To verify signature Path: SDK\sam ple\PKCS\SignVerify\ STEPS FUNCTIO N 1. Initialize the PKCS#11 library C_Initialize 2. Get the slot list C_GetSlotList 3. Open an session for token C_OpenSession 4. Log in C_ C_Login 5. If not found, generate key pair. C_GenerateKeyPair 6. Initialize a signature C_SignInit 7. Sign data C_Sign 8. Initialize verification C_VerifyInit 9. Verify signature C_Verify Chapter 2: MS-CAPI Applications 2.1 Introduction CAPI (Cryptographic Application Programming Interface), developed by Microsoft as part of Microsoft Windows, is an interface to a library of functions software developers can call upon for security and cryptography services. It is intended for use by developers of applications for M S Windows platforms. CAPI allows multiple cryptographic service providers (CSP) to coexist on the same computer and to be used in the same application. It is also possible to associate a CSP with a particular smartcard , so th at sm art card -enabled Windows applications will call the correct CSP. M S W indows contains many helper functions that application developers may use to
68 of 72 simplify code when working with cryptographic functions or with complicated data stru ctu res (su ch as certificates). Choosing which API to use when developing applications is dependent on the needs of the particular application. 2.2 Supported Algorithms and APIs Connection Function CPAcquireContext Create a context and initialize access to CSP which must be specified CPReleaseContext Release the context created in CPAcquireContext and other resources CPGetProvParam Return information related to CSP CPSetProvParam Set parameters of CSP Key to generate and exchange function CPGenKey Generate key or key pair CPDeriveKey Derive a session key from a data hash and guarantee the generated key different CPSetKeyParam Set key attribute CPGetKeyParam Get the attribute of encryption-operating key CPExportKey Export key from container CPImportKey Import the key to CSP container CPDestroyKey Release key handle, after which the handle will be invalid and no access allowed CPDuplicateKey Create a duplicate of key CPGenRandom Generate random data CPGetUserKey Get the enduring key pair from CSP container Data encryption function
69 of 72 CPDecrypt Decrypt encrypted document CPEncrypt Encrypt unencrypted document CPCreateHash Create hashing objects and initialize them CPDestroyHash Delete hashing objects handle CPDuplicateHash Create a duplicate of hashing object CPHashData Hash the input number CPGetHashParam Get the computing result of hashing object CPHashSessionKey Hash a session key but no reveal of the key value to application CPSetHashParam Set the attribute of a hashing object CPSignHash Sign a hashing object CPVerifySignature Verify a digital signature 2.3 Samples All the samples are implemented in C language, and they all support M S-CAPI standard. For the standard, we provide the samples below: Path: SDK\sam ple\CAPI FUNCTIO N FILES DESCRIPTIO N Algorithm algorithmTest.cpp algorithmTest.h The sample provides the operations on symmetric keys, hashing and asymmetric keys. Container kcsTest .cpp kcsTest .h The sample provides the operations on enumeration, delete and creation of files. Certificates listcerts.cpp listcerts.h The sample provides the operations on certificate list. Algorithm sample
70 of 72 The samples include 3 functions: int GenerateAlgTest(ULONG ulALG); int DeviceAlgTest(ULONG ulALG); int RstTest(ULONG version); GenerateAlgTest is used for DES key generation, encryption and decryption op eration s. STEPS FUNCTIO N 1. Create a container CryptAcquireContext 2. Retrieve parameters that govern the operations of a CSP CryptGetProvParam 3. Generate a key CryptGenKey 4. Data Encryption CryptEncrypt 5. Data Decryption CryptDecrypt DeviceAlgTest is used for key derivation, data encryption and decryption operations. STEPS FUNCTIO N 1. Create a container CryptAcquireContext 2. Initiate the hashing of a stream of data CryptCreateHash 3. Add data to a specified hash object CryptHashData 4. Derive a key CryptDeriveKey 4. Data Encryption CryptEncrypt 5. Data Decryption CryptDecrypt RstTest is used for RSA key generation, data encryption and decryption operations. STEPS FUNCTIO N 1. Create a container CryptAcquireContext
71 of 72 2. Generate a key CryptGenKey 3. Data Encryption CryptEncrypt 4. Data Decryption CryptDecrypt Container Sample The sample demonstrates how to enumerate, add and delete containers with int kcsTest(ULONG ulActive) function. For enumerating a container STEPS FUNCTIO N 1. Acquire a " VERIFYCONTEXT" handle CryptAcquireContext 2. Enumerate the key containers CryptGetProvParam 3. Acquire a handle to the key container found CryptAcquireContext 4. Try to get a handle to the key pair CryptGetUserKey 5. Get key permissions CryptGetKeyParam 6. Display key permissions For adding a container STEPS FUNCTIO N 1. Check whether the container already exist s CryptAcquireContext 2. If not, create a container CryptAcquireContext For deleting a container STEPS FUNCTIO N 1. Check whether the container already CryptAcquireContext
72 of 72 exist s 2. If there is, release the handle to the context CryptReleaseContext 3. Delete the container CryptAcquireContext List Certificate Sample The sample demonstrates how to enumerate certificates with int listcerts(void) function For enumerating certificates STEPS FUNCTIO N 1. Open a handle to the MY\ \ TokenStore certificate store CertO penStore 2. Go over each and every certificate within the certificate store CertEnumCertificatesInStore 3. Get and display the subject name from the certificate CertGetNameString 2.4 UniMate & UniToken API (See also UniMate & UniToken API Reference in Token SDK\Documents\ ) About SecuTech
2 of 2 SecuTech Solution Inc. is a company specializing in data protection and strong authentication, providing t o tal cu stomer sati sfact ion in secu ri ty sy stem s & serv i ces fo r ban ks, fin an cial i nsti tu i tion s & o th er i ndu stries. Having extensive and in -depth experience within the information security market, SecuTech has drawn -edge technologies, enables enterprises, financial institutions, and government to safely adopt the economic benefits of mobile and cloud computing that are effective against increasingly sophisticated cyber att acks. www .eSecuTech.com SecuTech Solution Inc. North America 1250 Boulevard Ren é-Lévesque Ouest, #2200, Mon treal, QC, H3B 4W8, Can adaT: +1 -888-259-5825 F: + 1 -888-259-5825 ext.0 E: INFO@eSecuTech .co mChina Level 12, #67 Bei Si Hu an Xi Lu, Beijing, Chin a, 100080T: +8610-8288 8834F: + 8610-8288 8834 E: CN@eSecuTech.co m APAC Suite 5.14, 32 Delhi Rd, No rth Ryd e, NSW, 2113, AustraliaT: 00612-9888 6185F: 00612-9888 6185 E: AUS@eSecuTech.co m EM EA 4 Cours Bayard 69002 Lyon, Fran ce T: +33-042-6 00 -2810F: +33-042-600-2810M : +33-060-939 6463 E: Europ e@eSecuTech.co m © Co pyright 20 12 SecuTech Sol ut ion I nc. All right s reserved. Reproduct ion in whole or in part wit h out writ t en per m ission f rom Secu Tech is prohi bit ed. SecuTech Token a nd t he Secu Tech l og o are trademarks of SecuTech Inc. W indows a nd a ll ot her trademarks are properties of their respective owners. Features and specific at ions are subject t o cha nge w it ho ut not ice.

Navigation menu