SafeSign Identity Client
Components
SafeSign IC Components
SafeSign Identity Client consists of the following main components:
PKCS#11 Library
PKCS #11 defines a technology-independent programming interface, called Cryptoki, for cryptographic devices such as smart cards. The SafeSign Identity Client PKCS #11 Library is the SafeSign Identity Client implementation of the PKCS #11 standard, integrating each PKCS #11 compatible application with a SafeSign Identity Client supported hardware token.
The SafeSign Identity Client PKCS #11 Library is built directly on top of PC/SC and can be regarded as the main component of SafeSign Identity Client. All cryptographic operations are handled by the PKCS #11 Library. Even when an application interacts with the CSP, the CSP will delegate cryptographic operations to the PKCS #11 Library.
The SafeSign Identity Client PKCS #11 Library is multi-application and multi-threaded, which means that multiple applications can access the PKCS #11 Library at the same time.
Cryptographic Service Provider (CSP)
The SafeSign Identity Client CSP is built on top of the SafeSign Identity Client PKCS#11 library. Its primary aim is to provide cryptographic functionality that involves private credentials stored on the SafeSign Identity Client Token. AET has a clear design principle when it comes to CSP functionality. We only implement functionality when it is actually used (that is, when it is being used by an application).
The SafeSign Identity Client CSP integrates each Microsoft CryptoAPI compatible application with a SafeSign Identity Client supported hardware token.
The SafeSign Identity Client Cryptographic Service Provider (CSP) is included in the SafeSign Identity Client product to enable Microsoft CryptoAPI applications to access the PKI functionality provided by the SafeSign Identity Client Token. Note that this includes not only Microsoft applications (such as Internet Explorer and Microsoft VPN), but also other applications that use Microsoft CryptoAPI to integrate tokens, such as Check Point VPN, Novell Groupwise etc.
SafeSign Identity Client Token Utilities
SafeSign Identity Client Standard for Windows provides two separate token utilities, for end-users and administrators (in separate installers):
- The Token Management Utility (TMU) has been specifically designed for (end-)users. It allows users to perform some basic token operations (such as initialise token, change PIN) and provides users with an easy tool for viewing, importing and transferring their Digital IDs. Note that an administrator may have further restricted the functions available by default to the user.
- The Token Administration Utility (TAU) has been specifically designed for administrators, allowing them to perform advanced token operations.
The SafeSign Identity Client TMU and TAU are the central management utilities for both end users and administrators. Administrators have the ability to remove certain functionality for the end-user, such as the ability to change the PUK of the token or wipe its entire contents. The utilities provide a user-friendly view of the digital IDs on the token, i.e. the key pair and certificate stored on the token.
Basic functionality provided by the token utilities includes viewing the registered Digital IDs, with associated actions such as checking expiration, viewing and deleting Digital IDs; token functions, such as change PIN / PUK and view PKCS#11 objects (administrator only); and information such as version info.
The user may not even see much of the token utilities, nor would he have to use them frequently, as he will be using SafeSign Identity Client (the components PKCS#11 and CSP) with his secure applications. Only if the user himself should initialize the token or be allowed to change his PIN, would he require the use of the token utility (TMU).
The ease-of-use and flexibility of the TMU reduce support calls, as it only offers the functionality the user really needs. The administrator is able to use the advanced options of the TAU to view the objects on the token (keys, certificates, data objects, etc.), to add an as yet unrecognised version of an already supported Java card, and to dump the token contents. If support is needed, the TMU / TAU give a detailed overview of all SafeSign Identity Client components and their versions.
SafeSign Identity Client includes a PKCS#12 import function, to import Digital IDs, such as key pairs and certificates. This feature allows users to transfer Digital IDs generated on the PC onto the token. This greatly increases security and is very cost-effective, as no new Digital IDs have to be generated by the organisation, when the use of tokens is implemented.
SafeSign Identity Client Store Provider
The SafeSign Identity Client CryptoAPI Store Provider provides automatic registration of certificates when the hardware token is inserted and automatic deregistration of certificates when the hardware token is removed.
Especially in a multi-user environment, it is convenient to de-register certificates once the user has removed his token, or else all certificates will remain in the certificate store, which may be confusing if another user wants to connect to a secure web site and he is presented with all certificates registered in the Microsoft certificate store.
SafeSign Identity Client PKI applet
The SafeSign Identity Client PKI applet enables end-users to utilise any Java Card 2.1.1 and Java Card 2.2 (and higher) compliant card with the SafeSign Identity Client middleware. The applet manages the SafeSign Identity Client PKCS #15 file structure and the on-card RSA key-pairs. The applet is shipped together with SafeSign Identity Client in several different flavours that match specific classes of Java Cards and their specific benefits and limitations.
Applet loader
SafeSign Identity Client includes a universal Java Card applet loader. This applet loader can load the SafeSign Identity Client PKI applet out-of-the-box onto a variety of Java Cards equipped with a VISA/OP test key set (this includes most sample cards that can be purchased from Java Card vendors). The applet loader allows end-users rapid on-the-spot access to SafeSign Identity Client's capabilities. With the applet loader, SafeSign Identity Client offers end-users the possibility of testing a variety of cards without a hassle, allowing them to take the time to select the card that best matches their wishes.
The applet loader can also be used in a production environment during a mass rollout of Java Cards. It can be configured to load applets onto cards with a production key set, and can even be used to change the key set of a card on the fly.
SafeSign Identity Client PKCS #15
The PKCS #15 Standard is the Cryptographic Token Information Syntax Standard and is intended to standardize the use of cryptographic tokens to identify themselves to multiple, standards-aware applications, regardless of the application's cryptographic token interface provider. The standard specifies a file and directory format for how keys, certificates and other application-specific data may be stored on cryptographic tokens. In doing so, it allows users to use their tokens for identification purposes in all applications where this is necessary.
By implementing a PKCS#15 file structure on the token, SafeSign Identity Client not only adheres to an industry standard interface, but ensures that users can use SafeSign Identity Client and the tokens it supports with any application.

