What is eToken Enterprise? - tlk
What is eToken Enterprise? - tlk
What is eToken Enterprise? - tlk
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Reference Guide<br />
Version 2.0
COPYRIGHTS AND TRADEMARKS<br />
The <strong>eToken</strong> system and its documentation are copyrighted © 1985 to present, by<br />
Aladdin Knowledge Systems Ltd.<br />
All rights reserved.<br />
<strong>eToken</strong> <strong>is</strong> a trademark and ALADDIN KNOWLEDGE SYSTEMS LTD <strong>is</strong> a reg<strong>is</strong>tered trademark of<br />
Aladdin Knowledge Systems Ltd.<br />
All other trademarks, brands, and product names used in th<strong>is</strong> guide are trademarks of their respective<br />
owners.<br />
Th<strong>is</strong> manual and the information contained herein are confidential and proprietary to Aladdin<br />
Knowledge Systems Ltd. (hereinafter “Aladdin”). All intellectual property rights (including, without<br />
limitation, copyrights, trade secrets, trademarks, etc.) evidenced by or embodied in and/or attached/<br />
connected/related to th<strong>is</strong> manual, information contained herein and the Product, are and shall be<br />
owned solely by Aladdin. Aladdin does not convey to you an interest in or to th<strong>is</strong> manual, information<br />
contained herein and the Product, but only a limited right of use. Any unauthorized use, d<strong>is</strong>closure or<br />
reproduction <strong>is</strong> a violation of the licenses and/or Aladdin's proprietary rights and will be prosecuted to<br />
the full extent of the Law.<br />
DISCLAIMER<br />
NEITHER ALADDIN NOR ANY OF ITS WORLDWIDE SUBSIDIARIES AND DISTRIBUTORS<br />
SHALL BE OBLIGATED IN ANY MANNER IN RESPECT OF BODILY INJURY AND/OR<br />
PROPERTY DAMAGE ARISING FROM THIS PRODUCT OR THE USE THEREOF. EXCEPT AS<br />
STATED IN THE ETOKEN END USER LICENSE AGREEMENT, THERE ARE NO OTHER<br />
WARRANTIES, EXPRESSED OR IMPLIED, REGARDING ALADDIN'S PRODUCTS, INCLUDING,<br />
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<br />
FOR A PARTICULAR PURPOSE. The product must be used and maintained in strict compliance<br />
with instructions and safety precautions contained herein, in all supplements hereto and according to<br />
all terms of its End User License Agreement. Th<strong>is</strong> product must not be modified or changed without<br />
the written perm<strong>is</strong>sion of the copyright holder.<br />
All attempts have been made to make the information in th<strong>is</strong> document complete and accurate.<br />
Aladdin <strong>is</strong> not responsible for any direct or indirect damages or loss of business resulting from<br />
inaccuracies or om<strong>is</strong>sions. The specifications in th<strong>is</strong> document are subject to change without notice.<br />
iii
iv<br />
ALADDIN KNOWLEDGE SYSTEMS LTD.<br />
ETOKEN ENTERPRISE END USER LICENSE AGREEMENT<br />
IMPORTANT INFORMATION - PLEASE READ THIS AGREEMENT CAREFULLY BEFORE<br />
OPENING THE PACKAGE AND/OR USING THE CONTENTS THEREOF AND/OR BEFORE<br />
DOWNLOADING OR INSTALLING THE SOFTWARE PROGRAM. ALL ORDERS FOR AND USE<br />
OF THE ETOKEN ENTERPRISE PRODUCTS (including without limitation, libraries, utilities,<br />
d<strong>is</strong>kettes, CD-ROM, <strong>eToken</strong> keys and the Integration Guide) (hereinafter “Product”) SUPPLIED BY<br />
ALADDIN KNOWLEDGE SYSTEMS LTD. (or any of its affiliates - either of them referred to as<br />
“ALADDIN”) ARE AND SHALL BE, SUBJECT TO THE TERMS AND CONDITIONS SET FORTH<br />
IN THIS AGREEMENT. BY OPENING THE PACKAGE CONTAINING THE PRODUCTS AND/OR<br />
BY DOWNLOADING THE SOFTWARE (as defined hereunder) AND/OR BY INSTALLING THE<br />
SOFTWARE ON YOUR COMPUTER AND/OR BY USING THE PRODUCT, YOU ARE ACCEPTING<br />
THIS AGREEMENT AND AGREEING TO BE BOUND BY ITS TERMS AND CONDITIONS.<br />
IF YOU DO NOT AGREE TO THIS AGREEMENT, DO NOT OPEN THE PACKAGE AND/OR<br />
DOWNLOAD AND/OR INSTALL THE SOFTWARE AND PROMPTLY (at least within 7 days from<br />
the date you received th<strong>is</strong> package) RETURN THE PRODUCTS WITH THE ORIGINAL PACKAGE<br />
AND THE PROOF OF PAYMENT TO ALADDIN, ERASE THE SOFTWARE, AND ANY PART<br />
THEREOF, FROM YOUR COMPUTER AND DO NOT USE IT IN ANY MANNER WHATSOEVER.<br />
1. Title & Ownership<br />
The object code version of the software component of Aladdin’s <strong>eToken</strong> Enterpr<strong>is</strong>e Product, including<br />
any rev<strong>is</strong>ions, corrections, modifications, enhancements, updates and/or upgrades thereto about to be<br />
installed by you, (hereinafter in whole or any part thereof defined as: “Software”), and the related<br />
documentation, ARE NOT FOR SALE and are and shall remain in Aladdin’s sole property. All<br />
intellectual property rights (including, without limitation, copyrights, trade secrets, trademarks, etc.)<br />
evidenced by or embodied in and/or attached/connected/related to the Product, are and shall be owned<br />
solely by Aladdin. Th<strong>is</strong> License Agreement does not convey to you an interest in or to the Software, but<br />
only a limited right of use revocable in accordance with the terms of th<strong>is</strong> License Agreement. Nothing<br />
in th<strong>is</strong> Agreement constitutes a waiver of Aladdin’s intellectual property rights under any law.<br />
2. License<br />
Subject to payment of applicable fees, Aladdin hereby grants to you, and you accept, a personal,<br />
nonexclusive and fully revocable limited License to use the Software, in executable form only, as<br />
described in the Software accompanying user documentation and only according to the terms of th<strong>is</strong><br />
Agreement:<br />
2.1. You may install the Software and use it on computers located in your place of business, as<br />
described in Aladdin’s related documentation.<br />
2.2. You may merge and link the Software into your computer programs for the sole purpose described<br />
in the Integration Guide.<br />
3. Prohibited Uses<br />
The Product must be used and maintained in strict compliance with the instruction, and safety<br />
precautions of Aladdin contained herein, in all supplements thereto and in any other written<br />
documents of Aladdin.<br />
Except as specifically permitted in Sections 1 and 2 above, you agree not to:<br />
3.1. Use, modify, merge or sub-license the Software or any other of Aladdin’s Products, except as<br />
expressly authorized in th<strong>is</strong> Agreement and in the Integration Guide.<br />
3.2. Sell, license (or sub-license), lease, assign, transfer, pledge, or share your rights under th<strong>is</strong> License<br />
with/to anyone else.
3.3. Modify, d<strong>is</strong>assemble, decompile, reverse engineer, rev<strong>is</strong>e or enhance the Software or attempt to<br />
d<strong>is</strong>cover the Software’s source code.<br />
3.4. Place the Software onto a server so that it <strong>is</strong> accessible via a public network.<br />
3.5. Use any back-up or archival copies of the Software (or allow someone else to use such copies) for<br />
any purpose other than to replace an original copy if it <strong>is</strong> destroyed or becomes defective. If you<br />
are a member of the European Union, th<strong>is</strong> agreement does not affect your rights under any<br />
leg<strong>is</strong>lation implementing the EC Council Directive on the Legal Protection of Computer<br />
Programs. If you seek any information within the meaning of that Directive you should initially<br />
approach Aladdin.<br />
4. Maintenance and Support<br />
Aladdin has no obligation to provide support, maintenance, upgrades, modifications, or new releases<br />
under th<strong>is</strong> Agreement.<br />
5. Limited Warranty<br />
Aladdin warrants, for your benefit alone, that:<br />
5.1. The Software, when and as delivered to you, and for a period of three (3) months after the date of<br />
delivery to you, will perform in substantial compliance with the Integration Guide, provided that<br />
it <strong>is</strong> used on the computer hardware and with the operating system for which it was designed.<br />
5.2. The <strong>eToken</strong> key, for a period of twelve (12) months after the date of delivery to you, will be<br />
substantially free from significant defects in materials and workmanship.<br />
6. Warranty D<strong>is</strong>claimer<br />
ALADDIN DOES NOT WARRANT THAT ANY OF ITS PRODUCT(S) WILL MEET YOUR<br />
REQUIREMENTS OR THAT ITS OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE. TO<br />
THE EXTENT ALLOWED BY LAW, ALADDIN EXPRESSLY DISCLAIMS ALL EXPRESS<br />
WARRANTIES NOT STATED HEREIN AND ALL IMPLIED WARRANTIES, INCLUDING, BUT<br />
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A<br />
PARTICULAR PURPOSE. NO ALADDIN DEALER, DISTRIBUTOR, RESELLER, AGENT OR<br />
EMPLOYEE IS AUTHORIZED TO MAKE ANY MODIFICATIONS, EXTENSIONS, OR ADDITIONS<br />
TO THIS WARRANTY. If any modifications are made to the Software or to any other part of the<br />
Product by you during the warranty period; if the media and the <strong>eToken</strong> key <strong>is</strong> subjected to accident,<br />
abuse, or improper use; the Product has not been properly installed, operated, repaired or maintained<br />
in accordance with the instructions supplied by Aladdin; the Product has been subjected to abnormal<br />
physical or electrical stress, negligence or accident; or if you violate any of the terms of th<strong>is</strong><br />
Agreement, then the warranty in Section 5 above, shall immediately be terminated. The warranty<br />
shall not apply if the Software <strong>is</strong> used on or in conjunction with hardware or program other than the<br />
unmodified version of hardware and program with which the Software was designed to be used as<br />
described in the Integration Guide.<br />
v
7. Limitation of Remedies<br />
In the event of a breach of th<strong>is</strong> warranty, Aladdin's sole obligation shall be, at Aladdin's sole<br />
d<strong>is</strong>cretion:<br />
7.1. To replace or repair the Product, or component thereof, that does not meet the foregoing limited<br />
warranty, free of charge.<br />
7.2. To refund the price paid by you for the Product, or component thereof. Any replacement or<br />
repaired component will be warranted for the remainder of the original warranty period or 30<br />
days, whichever <strong>is</strong> longer. Warranty claims must be made in writing during the warranty period<br />
and within seven (7) days of the observation of the defect accompanied by evidence sat<strong>is</strong>factory to<br />
Aladdin. All Products should be returned to the d<strong>is</strong>tributor from which they were purchased (if<br />
not purchased directly from Aladdin) and shall be shipped by the returning party with freight and<br />
insurance paid. The Product or component thereof must be returned with a copy of your receipt.<br />
8. Exclusion of Consequential Damages<br />
The parties acknowledge that the Product <strong>is</strong> inherently complex and may not be completely free of<br />
errors. ALADDIN SHALL NOT BE LIABLE (WHETHER UNDER CONTRACT, TORT (INCLUDING<br />
NEGLIGENCE) OR OTHERWISE) TO YOU, OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE<br />
(INCLUDING INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES), INCLUDING, WITHOUT<br />
LIMITATION, ANY LOSS OR DAMAGE TO BUSINESS EARNINGS, LOST PROFITS OR<br />
GOODWILL AND LOST OR DAMAGED DATA OR DOCUMENTATION, SUFFERED BY ANY<br />
PERSON, ARISING FROM AND/OR RELATED WITH AND/OR CONNECTED TO DELIVERY,<br />
INSTALLATION, USE OR PERFORMANCE OF THE PRODUCT AND/OR ANY COMPONENT OF<br />
THE PRODUCT, EVEN IF ALADDIN IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.<br />
9. Limitation Of Liability<br />
IN THE EVENT THAT, NOTWITHSTANDING THE TERMS OF THIS AGREEMENT, ALADDIN IS<br />
FOUND LIABLE FOR DAMAGES BASED ON ANY DEFECT OR NONCONFORMITY OF ITS<br />
PRODUCT(S), ITS TOTAL LIABILITY FOR EACH DEFECTIVE PRODUCT SHALL NOT EXCEED<br />
THE PRICE PAID TO ALADDIN FOR SUCH DEFECTIVE PRODUCT.<br />
10. Termination<br />
Your failure to comply with the terms of th<strong>is</strong> Agreement shall terminate your license and th<strong>is</strong><br />
Agreement. Upon termination of th<strong>is</strong> License Agreement: (i) the License granted to you in th<strong>is</strong><br />
Agreement shall expire and you, upon termination, shall d<strong>is</strong>continue all further use of the Software<br />
and other licensed Product(s); and (ii) you shall promptly return to Aladdin all tangible property<br />
representing Aladdin’s intellectual property rights and all copies thereof and/or shall erase/delete any<br />
such information held by it in electronic form. Sections 1, 3, 6-11 shall survive any termination of th<strong>is</strong><br />
Agreement.<br />
11. Governing Law & Jur<strong>is</strong>diction<br />
Th<strong>is</strong> Agreement shall be construed and governed in accordance with the laws of Israel (except for<br />
conflict of law prov<strong>is</strong>ions), and only the courts in Israel shall have jur<strong>is</strong>diction in any conflict or<br />
d<strong>is</strong>pute ar<strong>is</strong>ing out of th<strong>is</strong> Agreement. The application of the United Nations Convention of Contracts<br />
for the International Sale of Goods <strong>is</strong> expressly excluded. The failure of either party to enforce any<br />
rights granted hereunder or to take action against the other party in the event of any breach<br />
hereunder shall not be deemed a waiver by that party as to subsequent enforcement of rights or<br />
subsequent actions in the event of future breaches.<br />
vi
12. Government Regulation and Export Control<br />
You agree that the Product will not be shipped, transferred, or exported into any country or used in<br />
any manner prohibited by law. The Product <strong>is</strong> subject to additional export control law applicable to<br />
you or in your jur<strong>is</strong>diction, including, without limitation, the United States. You warrant that you will<br />
comply in all respects with the export and reexport restriction applicable to the Product and will<br />
otherw<strong>is</strong>e comply with any United States law and regulations in effect from time to time.<br />
13. Third Party Software<br />
If the Product contains any software provided by third parties, such third party’s software are<br />
provided “As Is” and shall be subject to the terms of the prov<strong>is</strong>ions and conditions set forth in the<br />
agreements contained/attached to such software. In the event such agreements are not available, such<br />
third party software shall be provided “As Is” without any warranty of any kind and Sections 2, 3, 6, 8,<br />
9-12 of th<strong>is</strong> Agreement shall apply to all such third party software providers and third party software<br />
as if they were Aladdin and the Product respectively.<br />
14. M<strong>is</strong>cellaneous<br />
Th<strong>is</strong> Agreement represents the complete agreement concerning th<strong>is</strong> License and may be amended only<br />
by a written agreement executed by both parties. If any prov<strong>is</strong>ion of th<strong>is</strong> Agreement <strong>is</strong> held to be<br />
unenforceable, such prov<strong>is</strong>ion shall be reformed only to the extent necessary to make it enforceable.<br />
I HAVE READ AND UNDERSTOOD THIS LICENSE AGREEMENT AND AGREE TO BE BOUND<br />
BY ALL OF THE TERMS.<br />
FCC Compliance<br />
<strong>eToken</strong> USB has been tested and found to comply with the limits for a Class B digital device, pursuant<br />
to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against<br />
harmful interference in a residential installation.<br />
Th<strong>is</strong> equipment generates, uses and can radiate radio frequency energy and, if not installed and used<br />
in accordance with the instructions, may cause harmful interference to radio communications.<br />
However, there <strong>is</strong> no guarantee that interference will not occur in a particular installation.<br />
If th<strong>is</strong> equipment does cause harmful interference to radio or telev<strong>is</strong>ion reception, which can be<br />
determined by turning the equipment off and on, the user <strong>is</strong> encouraged to try to correct the<br />
interference by one of the following measures:<br />
a. Reorient or relocate the receiving antenna.<br />
b. Increase the separation between the equipment and receiver.<br />
c. Connect the equipment to an outlet on a circuit different from that to which the receiver <strong>is</strong><br />
connected.<br />
d. Consult the dealer or an experienced radio/TV technician.<br />
FCC Warning<br />
Modifications not expressly approved by the manufacturer could void the user authority to operate the<br />
equipment under FCC rules.<br />
All of the above applies also to the <strong>eToken</strong> USB.<br />
FCC authorities have determined that the rest of the <strong>eToken</strong> product line does not contain a Class B<br />
Computing Device Peripheral and therefore does not require FCC regulation.<br />
vii
CE Compliance<br />
UL Certification<br />
ISO 9002 Certification<br />
Certificate of Compliance<br />
viii<br />
The <strong>eToken</strong> product line complies with the CE EMC Directive<br />
and related standards*. <strong>eToken</strong> products are marked with the<br />
CE logo and an <strong>eToken</strong> CE conformity card <strong>is</strong> included in every<br />
shipment or upon demand.<br />
*EMC directive 89/336/EEC and related standards EN 55022,<br />
EN 50082-1.<br />
The <strong>eToken</strong> product line successfully completed UL 94 Tests for<br />
Flammability of Plastic Materials for Parts in Devices and<br />
Appliances. <strong>eToken</strong> products comply with UL 1950 Safety of<br />
Information Technology Equipment regulations.<br />
The <strong>eToken</strong> product line <strong>is</strong> designed and manufactured by<br />
Aladdin Knowledge Systems, an ISO 9002-certified company.<br />
Aladdin's quality assurance system <strong>is</strong> approved by the<br />
International Organization for Standardization (ISO),<br />
ensuring that Aladdin products and customer service<br />
standards cons<strong>is</strong>tently meet specifications in order to provide<br />
outstanding customer sat<strong>is</strong>faction.<br />
Upon request, Aladdin Knowledge Systems will supply a<br />
Certificate of Compliance to any software developer who w<strong>is</strong>hes<br />
to demonstrate that the <strong>eToken</strong> product line conforms to the<br />
specifications stated. Software developers can d<strong>is</strong>tribute th<strong>is</strong><br />
certificate to the end user along with their programs.
Table of Contents<br />
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1<br />
<strong>What</strong> <strong>is</strong> <strong>eToken</strong> Enterpr<strong>is</strong>e? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2<br />
<strong>What</strong> <strong>is</strong> <strong>eToken</strong>? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2<br />
Benefits of <strong>eToken</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
Security R<strong>is</strong>ks and Corporate Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . 5<br />
Security Solutions and PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7<br />
PKI Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7<br />
PKI Standards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8<br />
<strong>eToken</strong> Models. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
<strong>eToken</strong> PRO Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
<strong>eToken</strong> R2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Corporate Network Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
eBusiness Security Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
Digital Certificates Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14<br />
Certificates and Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
Enhancing PKI Security with <strong>eToken</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15<br />
Securing Email with Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
Digitally Signing Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
Encrypting and Decrypting Email. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17<br />
CA Types and Hierarchies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
Standalone and Enterpr<strong>is</strong>e CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
Root and Subordinate CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
Password Storage and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22<br />
How Safe <strong>is</strong> a Password? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22<br />
Challenge-response Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
ix
Getting Started with <strong>eToken</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25<br />
Minimum Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26<br />
Installing the <strong>eToken</strong> RTE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26<br />
Connecting the <strong>eToken</strong> Extension Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29<br />
Personalizing the <strong>eToken</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31<br />
Changing the <strong>eToken</strong> Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31<br />
<strong>eToken</strong> Admin<strong>is</strong>tration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35<br />
Setting Up a New <strong>eToken</strong> User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
Issuing Replacement <strong>eToken</strong>s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
Recovering <strong>eToken</strong>s from Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
Appendix A - Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37<br />
Problems and Possible Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38<br />
Checking USB Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40<br />
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41<br />
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43<br />
x
Chapter1<br />
Introduction<br />
Th<strong>is</strong> Reference Guide <strong>is</strong> intended for those responsible for<br />
admin<strong>is</strong>tering data security and integrity in an organization.<br />
It provides an overview of the benefits and features of Aladdin’s<br />
<strong>eToken</strong> security key and of the <strong>eToken</strong> Enterpr<strong>is</strong>e set of<br />
ready-to-use security clients, explains some important securityrelated<br />
concepts and standards, and provides installation and<br />
admin<strong>is</strong>tration guidelines for <strong>eToken</strong>.<br />
The following sections are contained in th<strong>is</strong> chapter:<br />
<strong>What</strong> <strong>is</strong> <strong>eToken</strong> Enterpr<strong>is</strong>e?, page 2, describes the <strong>eToken</strong><br />
security key and l<strong>is</strong>ts the major benefits that <strong>eToken</strong> Enterpr<strong>is</strong>e<br />
offers your organization and its users.<br />
Security R<strong>is</strong>ks and Corporate Vulnerability, page 5, outlines<br />
the security r<strong>is</strong>ks and concerns that are relevant to all commercial<br />
and public organizations.<br />
Security Solutions and PKI, page 7, summarizes the basic<br />
concepts of public-key infrastructure (PKI) and describes the<br />
standards that <strong>eToken</strong> supports.<br />
<strong>eToken</strong> Models, page 9, describes the two models of the <strong>eToken</strong><br />
that are currently available.<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e Security Solutions, page 12, l<strong>is</strong>ts the major<br />
applications that support <strong>eToken</strong> integration.<br />
For detailed instructions for specific <strong>eToken</strong> Enterpr<strong>is</strong>e solutions,<br />
please refer to the relevant <strong>eToken</strong> Enterpr<strong>is</strong>e Integration Guide.<br />
1
<strong>What</strong> <strong>is</strong> <strong>eToken</strong> Enterpr<strong>is</strong>e?<br />
<strong>What</strong> <strong>is</strong> <strong>eToken</strong>?<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e <strong>is</strong> a set of ready-to-use security client solutions,<br />
based on Aladdin’s <strong>eToken</strong> security key.<br />
These solutions are specifically<br />
tailored to safeguard the integrity of<br />
secured data and user access rights<br />
throughout an organization, while<br />
providing maximum flexibility and<br />
control.<br />
Employing state-of-the-art <strong>eToken</strong><br />
technology, <strong>eToken</strong> Enterpr<strong>is</strong>e helps<br />
your organization protect its digital<br />
assets, conveniently and securely.<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e <strong>is</strong> particularly<br />
interesting for an organization’s<br />
system admin<strong>is</strong>trators because it<br />
makes it easy to improve data<br />
security quickly, without having to<br />
write new code.<br />
System admin<strong>is</strong>trators can<br />
integrate <strong>eToken</strong> easily into an<br />
ex<strong>is</strong>ting IT security framework,<br />
providing increased protection for<br />
users’ everyday operations.<br />
With <strong>eToken</strong> Enterpr<strong>is</strong>e, user access<br />
<strong>is</strong> individual, exclusive and secure.<br />
<strong>eToken</strong> <strong>is</strong> a powerful and secure hardware device that enhances the<br />
security of data on public and private networks. The size of a normal<br />
house key, <strong>eToken</strong> can be used to generate and provide secure storage<br />
for passwords and digital certificates, for secure authentication,<br />
digital signing and encryption. <strong>eToken</strong> <strong>is</strong> based on smart card<br />
technology but requires no special readers.<br />
2 Introduction
Benefits of <strong>eToken</strong><br />
<strong>eToken</strong> provides security with portability. It has smart card<br />
functionality in the form of a Universal Serial Bus (USB)-based<br />
device. The USB’s “hot plug” capability allows one or more devices to<br />
be connected and d<strong>is</strong>connected without turning off the system.<br />
<strong>eToken</strong> can be used to hold secret information, certificates and private<br />
keys for use in authentication solutions for LANs, WANs, VPNs,<br />
e-commerce and mobile computing. Its USB functionality enables<br />
companies to minimize deployment costs, and to maximize<br />
user-friendliness without comprom<strong>is</strong>ing security.<br />
With its advanced technology, <strong>eToken</strong> enables organizations to trust<br />
the identity of individuals requesting access to protected content or<br />
applications through corporate networks or websites.<br />
<strong>eToken</strong> has the flexibility to hold the information required by the<br />
most advanced digital security systems, eliminating the added cost of<br />
integrating an expensive reader system. A single <strong>eToken</strong> can store a<br />
number of private keys, certificates and passwords concurrently, for<br />
use in a wide variety of applications.<br />
<strong>eToken</strong> PRO can also generate keys and perform sensitive encryption<br />
operations on-chip, ensuring that users’ keys are never exposed to the<br />
PC environment.<br />
The key benefits of <strong>eToken</strong> include:<br />
Strong authentication: <strong>eToken</strong> provides strong two-factor<br />
authentication, through the simultaneous use of something the user<br />
knows - a specific password or passphrase, and something the user<br />
has - the personalized <strong>eToken</strong>. The authentication method used by<br />
<strong>eToken</strong> employs strong, industry-standard encryption algorithm<br />
technology.<br />
<strong>What</strong> <strong>is</strong> <strong>eToken</strong> Enterpr<strong>is</strong>e? 3
High security: Using a hardware key provides a much higher<br />
degree of security than software-only solutions. Security credentials<br />
are not at r<strong>is</strong>k because they are held in a secure, tamper-evident<br />
container. <strong>eToken</strong> technology <strong>is</strong> completely res<strong>is</strong>tant to cracking,<br />
even with full knowledge of the encryption algorithms and protocols<br />
used. The <strong>eToken</strong> PRO provides full hardware-based protection for<br />
essential security information, with on-chip key generation.<br />
Cost-effectiveness: <strong>eToken</strong> <strong>is</strong> more cost-effective than any other<br />
hardware security system. While providing all the benefits of smart<br />
card technology, <strong>eToken</strong> requires no costly smart card readers.<br />
Compatibility and ease of integration: <strong>eToken</strong> can be used with<br />
various environments, USB-compatible devices and operating<br />
systems, including Windows 98, NT 4.0, ME and 2000, and supports<br />
the major cryptographic API standards, such as Microsoft CAPI and<br />
PKCS #11, allowing for seamless integration with applications.<br />
Convenience and portability: Easy to carry on a personal key<br />
ring, <strong>eToken</strong> <strong>is</strong> portable from one computer or site to another.<br />
Ease of use: No additional hardware <strong>is</strong> required. To obtain true<br />
two-factor authentication, users simply insert their personalized<br />
<strong>eToken</strong> into the USB port on a hub, desktop, laptop, keyboard or<br />
monitor, and enter their unique password or passphrase.<br />
Ease of admin<strong>is</strong>tration: <strong>eToken</strong> Enterpr<strong>is</strong>e provides easy-to-use<br />
security client solutions for admin<strong>is</strong>trators, simplifying the process<br />
of initial deployment and ongoing user and certificate management.<br />
Versatility: A single <strong>eToken</strong> can be used with different types of<br />
applications concurrently, and can contain multiple private keys<br />
and digital certificates. <strong>eToken</strong> <strong>is</strong> available in a range of memory<br />
sizes and colors.<br />
4 Introduction
Security R<strong>is</strong>ks and Corporate<br />
Vulnerability<br />
In today's ever-changing e-commerce world, security <strong>is</strong> an essential<br />
requirement for any organization. Corporations are caught between<br />
the need for remote, convenient Internet and network access, and the<br />
need for protection from vandal<strong>is</strong>m, espionage and theft.<br />
The growth of the Internet and e-commerce, together with the<br />
opportunities they bring, have increased the need for secure<br />
communication between company networks, individual users, and the<br />
outside world.<br />
As communication and commerce through the Internet increase,<br />
security r<strong>is</strong>ks for company networks also increase. Security <strong>is</strong>sues<br />
have now become a crucial factor in determining an organization's<br />
accessibility to the Internet.<br />
The diagram below illustrates how security r<strong>is</strong>ks increase as an<br />
organization opens itself up to Internet activity.<br />
Business<br />
Opportunity<br />
LAN<br />
Access to<br />
Internet<br />
Internet<br />
Presence<br />
(Website)<br />
VPN and<br />
Extranets<br />
E-Commerce<br />
Security<br />
R<strong>is</strong>k<br />
According to a survey recently conducted by the FBI, concerns over<br />
these security r<strong>is</strong>ks are not unfounded. In the 2000 CSI/FBI<br />
Computer Crime and Security Survey, in which over 600 companies<br />
were polled, losses were reported totalling some $265 million.<br />
These losses are due to saboteurs, viruses, laptop theft, financial<br />
fraud, telecommunications fraud and stolen proprietary information.<br />
Security R<strong>is</strong>ks and Corporate Vulnerability 5
Logging into a<br />
company desktop<br />
Remote accessing of<br />
corporate information<br />
Organizations are installing intranets and extranets, in order to<br />
connect an increasingly mobile workforce in need of remote access to<br />
corporate information systems.<br />
Corporations are creating direct sales sites for their business<br />
customers, making these companies more open to illegal access and<br />
computer crime.<br />
Every commercial enterpr<strong>is</strong>e should be aware of the following:<br />
Computer security breaches have r<strong>is</strong>en 16% in the last year,<br />
according to the 2000 CSI/FBI Computer Crime and Security<br />
Survey. The same survey also revealed that 74% of respondents<br />
acknowledged financial losses due to computer security breaches.<br />
Another recent survey, th<strong>is</strong> time from KPMG Peat Marwick in New<br />
York, revealed that some 41% of respondents found security<br />
concerns the most significant barrier to their ability to perform<br />
web-based e-commerce.<br />
Password files are regularly stolen by hackers using applications<br />
freely available on the Internet. These applications are easy enough<br />
for complete novices to master.<br />
Firewalls, the current popular security solution, do not provide<br />
complete security. Recent surveys have indicated that 80% of<br />
saboteurs are d<strong>is</strong>gruntled employees.<br />
As Ehud Tenenbaum, the 18-year-old hacker known internationally as<br />
the Analyzer, said: “I would move around the Internet asking myself:<br />
‘Who should die today?’ And by ‘die’, I mean cut off from the Internet.”<br />
The following diagram illustrates the vulnerability of communications<br />
networks to the r<strong>is</strong>ks of unauthorized access:<br />
Intranet Extranet<br />
VPN<br />
Internet<br />
Dialing in<br />
from home<br />
Bank customer<br />
buying a product<br />
6 Introduction
Security Solutions and PKI<br />
PKI Terms<br />
To help combat the security r<strong>is</strong>ks outlined above, the security<br />
industry <strong>is</strong> constantly seeking enhanced solutions to protect Internet<br />
access and e-commerce potential.<br />
One area that has emerged as essential for any enterpr<strong>is</strong>e w<strong>is</strong>hing to<br />
ensure secure access to the Internet <strong>is</strong> that of digital certificates and<br />
public-key infrastructure (PKI). Public-key cryptography enables an<br />
organization to integrate all its devices within and beyond the<br />
network boundaries, while ensuring security through the advanced<br />
use of a digital key system.<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e fully supports and enhances PKI standards, and<br />
can be easily integrated into an organization’s PKI security<br />
framework.<br />
The following <strong>is</strong> a brief summary of the terms used in connection with<br />
PKI:<br />
Key pair: Two separate keys that operate as a pair, a public key<br />
that can be made widely available, and a private key, known only by<br />
its holder. The public key can be used, for example, to encrypt a<br />
message in such a way that only the private key can open it.<br />
Digital signature: A “digital seal” that proves the identity of the<br />
sender and the integrity of a digital message. Only the holder of the<br />
private key can create a digital signature. Anyone with access to the<br />
corresponding public key can verify the signature.<br />
Digital certificate: An encoded file that contains important user<br />
credentials, such as a user’s name and public key, and vouches for<br />
the user’s identity in the digital world. The certificate holder retains<br />
the corresponding private key. Digital certificates perform a similar<br />
function to passports. They are <strong>is</strong>sued and validated by a trusted<br />
third party, referred to as a Certification Authority.<br />
Certification Authority (CA): A trusted entity or service that<br />
<strong>is</strong>sues digital certificates, thereby authorizing the connection<br />
between the certificate holder’s details and the public key.<br />
Cryptographic Service Provider (CSP): Software used by<br />
applications and web browsers for various cryptographic and<br />
security-related functions, such as certificate storage and retrieval.<br />
For a more detailed description of PKI technology and concepts, and<br />
its use with <strong>eToken</strong>, see Chapter 2, “Security Concepts”.<br />
Security Solutions and PKI 7
PKI Standards<br />
<strong>eToken</strong> supports the major PKI standards used by today’s<br />
mainstream applications.<br />
CAPI<br />
The Microsoft Cryptographic Application Programming Interface<br />
(CryptoAPI or CAPI) standard supports the development of<br />
applications that include functions such as secure certificate, key and<br />
data storage, authentication, encryption, signature and verification.<br />
CAPI <strong>is</strong> used for certificate and key management by Microsoft<br />
products, such as Internet Explorer, Outlook and Outlook Express.<br />
<strong>eToken</strong> fully supports the Microsoft CAPI standard, using a<br />
Cryptographic Service Provider (CSP) developed by Aladdin. The<br />
<strong>eToken</strong> CSP, named <strong>eToken</strong> Base Cryptographic Provider, enables<br />
<strong>eToken</strong> integration with CAPI-based applications, and <strong>is</strong> installed<br />
with the <strong>eToken</strong> Runtime Environment (RTE).<br />
PKCS #11<br />
The PKCS #11 standard also specifies an application programming<br />
interface (API) for devices such as <strong>eToken</strong>, which hold cryptographic<br />
information and may perform cryptographic functions. Applications<br />
based on PKCS #11 include, for example, Netscape and Baltimore<br />
MailSecure.<br />
The <strong>eToken</strong> R2 fully supports the PKCS #11 standard. Please check<br />
with your supplier regarding PKCS #11 support for the <strong>eToken</strong><br />
PRO. For more information about the two <strong>eToken</strong> models, see “<strong>eToken</strong><br />
Models”, on page 9.<br />
8 Introduction
<strong>eToken</strong> Models<br />
<strong>eToken</strong> PRO Features<br />
The two <strong>eToken</strong> models currently available are the <strong>eToken</strong> R2 and the<br />
<strong>eToken</strong> PRO.<br />
The <strong>eToken</strong> PRO adds to the functionality and strong security<br />
features of the <strong>eToken</strong> R2, by providing full hardware-based<br />
protection for all security information stored on the <strong>eToken</strong>, together<br />
with on-chip key generation and cryptographic processing. The<br />
<strong>eToken</strong> PRO generates the keys on the token itself, and they never<br />
leave the secure environment of the <strong>eToken</strong>.<br />
Both <strong>eToken</strong> models are identical in their physical casing, size and<br />
shape, and are equally robust, tamper-res<strong>is</strong>tant and water-res<strong>is</strong>tant.<br />
The <strong>eToken</strong> PRO:<br />
Uses advanced smartcard chip technology, with on-chip<br />
cryptographic processing using RSA1024, 3xDES and SHA-1.<br />
Provides full on-chip RSA 1024-bit key generation.<br />
Private keys never leave the token.<br />
Supports CAPI and APDU APIs, for the . For details of PKCS #11<br />
support availability, please contact your <strong>eToken</strong> supplier.<br />
Has ITSEC 4 security certification approval.<br />
On-board Cryptographic Functionality.<br />
The <strong>eToken</strong> PRO uses advanced Smartcard Chip technology that<br />
provides the following on-chip cryptographic operations:<br />
Asymmetric encryption/decryption and signing/verification with<br />
RSA keys up to 1024 bits long.<br />
Symmetric DES and 3DES encryption, decryption and MACing<br />
with key lengths up to 168 bits long.<br />
Message digesting using SHA-1 and optionally MD5 (through a<br />
downloadable module).<br />
The <strong>eToken</strong> PRO can perform a dual digest and signing operation<br />
on-chip. The rich feature set allows the <strong>eToken</strong> PRO to be used as a<br />
secure signing device and as an encryption/decryption engine to<br />
protect information on a PC.<br />
Key Generation<br />
The <strong>eToken</strong> PRO can generate truly random asymmetric RSA keys up<br />
to 1024 bits long. On average, generating a 1024-bit key takes 25<br />
seconds.<br />
<strong>eToken</strong> Models 9
<strong>eToken</strong> R2 Features<br />
Hardware Random Number Generation<br />
The <strong>eToken</strong> PRO has a true hardware random number generator that<br />
<strong>is</strong> used internally for RSA key generation and authentication<br />
challenges.<br />
Physically Protected Chip<br />
The <strong>eToken</strong> PRO <strong>is</strong> implemented in a secure chipcard that meets the<br />
ITSEC 4 standard. All data stored on the <strong>eToken</strong> PRO <strong>is</strong> stored<br />
internally within th<strong>is</strong> chipcard and <strong>is</strong> intrinsically secure.<br />
Access Protection<br />
The <strong>eToken</strong> PRO possesses a comprehensive access control<br />
mechan<strong>is</strong>m that protects data and keys stored on the <strong>eToken</strong>. Access<br />
to data can be controlled by a variety of mechan<strong>is</strong>ms, such as<br />
challenge-response authentication or PIN entry.<br />
USB Data Traffic Encryption<br />
Data passing between the <strong>eToken</strong> PRO and the host computer <strong>is</strong><br />
protected using secure messaging, a mechan<strong>is</strong>m that enables selective<br />
encryption and/or authentication of data or traffic. Secure messaging<br />
uses the 3DES symmetric algorithm.<br />
The <strong>eToken</strong> R2:<br />
Uses a secure microcontroller (EEPROM), with 16K/32K bytes of<br />
secured memory, and a 128-bit DESX on-chip processor.<br />
Provides full support for storage of PKI-based keys and<br />
certificates.<br />
Enables compatible implementation with smartcard applications.<br />
Supports PKCS#11, CAPI and Application Protocol Data Unit<br />
(APDU) APIs.<br />
On-board Cryptographic Functionality.<br />
The <strong>eToken</strong> R2 supports the DESX symmetric algorithm with 120-bit<br />
keys. <strong>eToken</strong> R2 uses th<strong>is</strong> algorithm internally to encrypt all sensitive<br />
data and to perform the challenge-response user authentication<br />
protocol. The <strong>eToken</strong> R2 can be used as an encryption/decryption<br />
engine to protect information on a PC.<br />
10 Introduction
RNG-based Challenge-response Logon<br />
The <strong>eToken</strong> R2 has a pseudo-random number generator based on a<br />
truly random seed and the DESX function, which <strong>is</strong> believed to be<br />
pseudo-random. As such, the <strong>eToken</strong> R2 can be used only for logging<br />
in to the token.<br />
In order to verify the password, <strong>eToken</strong> R2 generates a random<br />
challenge and sends it to the PC. The response <strong>is</strong> verified against the<br />
stored password. Th<strong>is</strong> enables <strong>eToken</strong> to securely authenticate the<br />
user using two-factor authentication.<br />
Physically Protected Chip<br />
The <strong>eToken</strong> R2 <strong>is</strong> implemented as a secure microcontroller and<br />
external EEPROM pair. The EEPROM <strong>is</strong> used to store all <strong>eToken</strong><br />
data. Sensitive data, such as user data and encryption keys are<br />
encrypted on the EEPROM using DESX with keys stored in the<br />
microcontroller. These keys cannot be read or accessed in any way.<br />
Access Protection<br />
The <strong>eToken</strong> R2 differentiates between public, private and secret data.<br />
The <strong>eToken</strong> can be in either a logged in or logged out state. Only the<br />
<strong>eToken</strong> R2 user can log in to the token by using the challenge<br />
response mechan<strong>is</strong>m as detailed above. Once logged in, the user may<br />
read and write public and private data or write and use secret data. In<br />
the logged out state, it <strong>is</strong> only possible to read public data and use<br />
secret data.<br />
Secure On-token Memory Storage<br />
An <strong>eToken</strong> R2, together with the correct password, can be used to<br />
store secret data securely. For example, storage of a password for an<br />
application can utilize th<strong>is</strong> type of secure memory.<br />
<strong>eToken</strong> R2 provides a secure means for storing RSA keys. These keys<br />
can be used for signing messages and decrypting private information<br />
that was sent in a secure manner.<br />
USB Data Traffic Encryption<br />
Once the user <strong>is</strong> logged in to the <strong>eToken</strong> R2, sensitive data traffic <strong>is</strong><br />
always encrypted. <strong>eToken</strong> R2’s data traffic encryption uses DESX<br />
with a session key randomly generated during the login procedure.<br />
The secret information on the <strong>eToken</strong> <strong>is</strong> accessible only after the<br />
correct password <strong>is</strong> verified, and cannot be retrieved without it.<br />
<strong>eToken</strong> Models 11
<strong>eToken</strong> Enterpr<strong>is</strong>e Security Solutions<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e <strong>is</strong> a range of ready-to-use security client solutions<br />
that can be easily implemented to suit your organization’s specific<br />
requirements, by integrating <strong>eToken</strong> with ex<strong>is</strong>ting applications.<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e enables you to secure your corporate network and<br />
to implement strong eBusiness protection.<br />
Corporate Network Security Solutions<br />
Currently available solutions for corporate network security include:<br />
Remote access security for VPN systems, with Check Point <br />
SecuRemote .<br />
Secure smart card logon for Windows 2000 networks.<br />
Remote Access Server (RAS) dial-up connection management.<br />
eBusiness Security Solutions<br />
Note<br />
eBusiness security solutions include:<br />
PKI-based systems and services, such as:<br />
Baltimore Technologies UniCERT CA.<br />
VeriSign ® .<br />
Entrust ® Technologies.<br />
Digital Signature Trust (DST).<br />
RSA Keon ® .<br />
Web-based security clients, including SSLv3.<br />
Secure website access using Thin Client Technology (Active-X).<br />
In addition to the <strong>eToken</strong> Enterpr<strong>is</strong>e set of ready-to-use security<br />
solutions, the <strong>eToken</strong> Software Developer’s Kit (SDK) enables<br />
developers to integrate <strong>eToken</strong> with proprietary and third-party<br />
software applications.<br />
For more detailed information about individual <strong>eToken</strong> Enterpr<strong>is</strong>e<br />
solutions, downloads and documentation, and about the <strong>eToken</strong> SDK,<br />
please refer to: www.eAladdin.com/etoken.<br />
12 Introduction
Chapter2<br />
Security Concepts<br />
Th<strong>is</strong> chapter provides a brief explanation of some of the major<br />
concepts relevant to the <strong>is</strong>sue of corporate and eBusiness security.<br />
The following sections are contained in th<strong>is</strong> chapter:<br />
Digital Certificates Overview, page 14, describes the importance<br />
of digital certificates and public-key infrastructure (PKI), and shows<br />
how <strong>eToken</strong> enhances certificate-based security.<br />
Securing Email with Certificates, page 16, explains how email<br />
messages can be secured with digital signatures and encryption.<br />
CA Types and Hierarchies, page 18, describes the different<br />
Certification Authority (CA) types and structures, and the<br />
relationships between them.<br />
Password Storage and Authentication, page 22, explains the<br />
r<strong>is</strong>ks inherent in dependence on user passwords, and highlights the<br />
use of <strong>eToken</strong> for secure password storage.<br />
Challenge-response Authentication, page 23, summarizes the<br />
use of the challenge-response mechan<strong>is</strong>m for secure authentication.<br />
13
Digital Certificates Overview<br />
A digital certificate testifies to the holder’s unique identity, and can<br />
be regarded as an electronic form of a passport or identity card.<br />
Certificate holders use their certificates to establ<strong>is</strong>h their identity and<br />
to gain entry to secure areas in the digital world, such as websites and<br />
networks, and to secure the transfer and receipt of digital messages<br />
by email.<br />
Digital certificates are <strong>is</strong>sued and validated by Certification<br />
Authorities (CAs), in the same way that a passport office <strong>is</strong>sues and<br />
validates a passport. A CA <strong>is</strong> a body or entity that enables two<br />
individuals to trust each other’s authenticity, because the identity of<br />
each individual <strong>is</strong> certified by a common trusted third party.<br />
The concept of third-party trust through a CA <strong>is</strong> illustrated below:<br />
Certification<br />
Authority (CA)<br />
trust trust<br />
third-party trust<br />
For examples of <strong>eToken</strong> Enterpr<strong>is</strong>e solutions based on PKI, see<br />
“<strong>eToken</strong> Enterpr<strong>is</strong>e Security Solutions”, on page 12.<br />
For more detailed information about CA types, structure and<br />
interdependencies, see “CA Types and Hierarchies”, on page 18.<br />
14 Security Concepts
Certificates and Keys<br />
Digital certificates are based on the use of asymmetric key pairs. The<br />
CA certifies the owner’s public key and identity in the certificate. The<br />
public key can be freely d<strong>is</strong>tributed for encryption and verification<br />
purposes. Only the owner of the certificate has access to the private<br />
key for decrypting and signing messages, and for authentication<br />
purposes.<br />
Additional information held in a certificate usually includes details of<br />
the CA that <strong>is</strong>sued the certificate and the validity period. In addition,<br />
the certificate may contain the owner’s identification details, such as<br />
name, email address and/or web server URL.<br />
Enhancing PKI Security with <strong>eToken</strong><br />
Even with an advanced security system, the security of certificates<br />
and keys <strong>is</strong> still at r<strong>is</strong>k when they are stored on PC and laptop d<strong>is</strong>ks,<br />
and transmitted across a network or the Web. For th<strong>is</strong> reason, many<br />
certificate management systems support the use of tamper-res<strong>is</strong>tant<br />
cryptographic hardware, such as <strong>eToken</strong>.<br />
Certificates and keys are held securely on the <strong>eToken</strong>, allowing for<br />
portability of security credentials between computers, while<br />
protecting the user’s private key.<br />
When a certificate <strong>is</strong> <strong>is</strong>sued, it <strong>is</strong> saved with its keys directly on the<br />
<strong>eToken</strong>, and can be accessed and used with any appropriate<br />
certificate-based application. The <strong>eToken</strong> PRO generates the keys on<br />
the <strong>eToken</strong>. To use the certificate and keys, the user must insert the<br />
<strong>eToken</strong> and enter its password.<br />
Digital Certificates Overview 15
Securing Email with Certificates<br />
The globalization of the Internet means that communication between<br />
individuals and online organizations, as well as between individuals<br />
themselves, <strong>is</strong> largely by email. Unprotected emails can be easily<br />
intercepted and their contents read and/or altered. The securing of<br />
email messages has therefore become an important part of<br />
safeguarding an organization’s digital assets.<br />
Certificates provide the facility to protect incoming and outgoing<br />
email with digital signatures and encryption:<br />
Digital signatures allow verification of the sender’s identity, and<br />
provide proof that the message has not changed after being signed.<br />
Encryption protects the contents of messages by transforming plain<br />
text into unreadable form. Only the authorized recipient can<br />
decrypt the message.<br />
With the certificates and keys stored safely on an <strong>eToken</strong>, the security<br />
of the organization’s email <strong>is</strong> assured.<br />
Digitally Signing Email<br />
The first stage in securing your email messages <strong>is</strong> to digitally sign<br />
your messages using certificates. Digital signatures implement three<br />
important security principles:<br />
Verification: When a person sends an email that has been digitally<br />
signed, the recipient can immediately authenticate the identity of<br />
the sender.<br />
Non-repudiation: The sender cannot deny that he or she <strong>is</strong> the<br />
originator of the email.<br />
Integrity of content: Adding a digital signature to the email<br />
ensures that any subsequent changes to the content of the message<br />
are immediately detected. Digitally signing an email does not<br />
change the actual message content in any way.<br />
Netscape Messenger, Microsoft Outlook and Outlook Express enable<br />
you to sign individual messages. By configuring the email security<br />
options, you can automatically sign all outgoing emails.<br />
The private key held in the certificate <strong>is</strong> required to sign an email.<br />
When the email <strong>is</strong> sent to the recipient, a copy of the sender’s<br />
certificate and its corresponding public key are sent with it.<br />
16 Security Concepts
For example, when Alice sends Bob a signed email, Bob receives also<br />
Alice’s certificate and public key, as illustrated below:<br />
Encrypting and Decrypting Email<br />
The second stage in securing your email <strong>is</strong> to ensure that you protect<br />
the contents of messages by encrypting them as well as signing them.<br />
An encrypted message <strong>is</strong> illegible until it <strong>is</strong> decrypted.<br />
In order to encrypt a message, the sender must have a copy of the<br />
intended recipient’s public key. The encrypted message can only be<br />
decrypted and read by the owner of the corresponding private key.<br />
Now that Alice has sent Bob a signed message, Bob has her public key<br />
and can use it to encrypt the message that he sends back to Alice.<br />
Alice can then decrypt the message using the corresponding private<br />
key, and can read its contents, as illustrated below:<br />
Securing Email with Certificates 17
Note<br />
Whenever you receive a digitally signed message, you can store the<br />
sender’s certificate and public key in your email address book. You<br />
can also search the growing l<strong>is</strong>t of online directories that contain<br />
public keys and certificates, retrieve these items and use them to send<br />
encrypted email.<br />
When a certificate <strong>is</strong> <strong>is</strong>sued, it <strong>is</strong> linked to the current user name and<br />
the email address that you specified during the certificate request<br />
process. If you log in with a different user name, you will not be able<br />
to access the certificate. To use the certificate on a different computer,<br />
you must have the same email address set up on it, and you must be<br />
logged in with the same user name.<br />
CA Types and Hierarchies<br />
An organization can establ<strong>is</strong>h its own CA structure to support its<br />
digital security requirements, using Microsoft CA in Windows 2000,<br />
or other certificate services providers.<br />
Standalone and Enterpr<strong>is</strong>e CAs<br />
A CA can be configured as a standalone CA or an enterpr<strong>is</strong>e CA:<br />
Standalone CA: A trusted third-party entity that <strong>is</strong>sues and<br />
revokes certificates for all an organization’s users. Th<strong>is</strong> can be a<br />
commercial CA, such as VeriSign, or any other body that <strong>is</strong> trusted<br />
and provides similar services.<br />
Using a standalone CA provides users with a means of secure<br />
communication within the organization and with those outside it,<br />
but does not enable an organization to control its own certificate<br />
<strong>is</strong>suing and management policy.<br />
Enterpr<strong>is</strong>e CA: An organization can set up its own enterpr<strong>is</strong>e CA<br />
to meet its specific business requirements, enabling it to control the<br />
<strong>is</strong>suing and revoking of certificates for its users.<br />
An enterpr<strong>is</strong>e CA <strong>is</strong> an ideal framework for controlling access to<br />
internal resources or functions within an organization. By <strong>is</strong>suing<br />
certificates to selected personnel, for example, a company can<br />
ensure that certain goods and services are ordered only by<br />
authorized employees.<br />
18 Security Concepts
The following diagram presents a simplified example of the<br />
stand-alone and enterpr<strong>is</strong>e CA models:<br />
Standalone CA Enterpr<strong>is</strong>e CA<br />
Root CA Trusted<br />
3rd<br />
VeriSign<br />
Party or<br />
Commercial<br />
CA<br />
Root CA<br />
XYZ Inc.<br />
Certificate holders:<br />
General public, including<br />
individuals and organizations<br />
Root and Subordinate CAs<br />
Certificate holders:<br />
Authorized employees of<br />
XYZ Inc. only<br />
CAs can be organized in hierarchical CA structures, containing one<br />
root CA and any number of subordinate CAs, as follows:<br />
Root CA: The root CA <strong>is</strong> the fundamental trust point at the top of a<br />
CA hierarchy. The subordinate CAs obtain their certificates directly<br />
or indirectly from the root CA, and are trusted only because the root<br />
CA <strong>is</strong> trusted.<br />
Subordinate CAs: Organizations can create a CA hierarchy to suit<br />
their business requirements, cons<strong>is</strong>ting of subordinate CAs<br />
attached to the root enterpr<strong>is</strong>e CA. Subordinate CAs can be created,<br />
for example, for different branches, departments, and budget<br />
authorization levels. Each subordinate CA controls the <strong>is</strong>suing and<br />
revoking of its own certificates, while enabling certificate holders to<br />
communicate securely through a common root CA.<br />
A well-structured hierarchical CA model can provide a high level of<br />
flexible and decentralized control in an organization, with the added<br />
benefits of admin<strong>is</strong>trative security through a corporate root CA.<br />
CA Types and Hierarchies 19
Accounts<br />
Dept.<br />
Subordinate<br />
CA<br />
Certificate holders:<br />
Accounts dept.<br />
employees<br />
An example of a hierarchical model for an enterpr<strong>is</strong>e CA <strong>is</strong> illustrated<br />
below:<br />
Enterpr<strong>is</strong>e CA Hierarchy with Subordinates<br />
Root CA<br />
Subordinate<br />
CA<br />
Head Office<br />
Certificate holders:<br />
Senior budget<br />
approvers<br />
Sales<br />
Dept.<br />
XYZ Inc.<br />
Subordinate<br />
CA<br />
Certificate holders:<br />
Sales dept.<br />
employees<br />
Subordinate<br />
CA<br />
Chicago<br />
Branch<br />
Subordinate<br />
CA<br />
Certificate holders:<br />
Chicago branch<br />
employees<br />
In th<strong>is</strong> example, separate subordinate CAs have been created for the<br />
accounts and sales departments at the company’s head office. Within<br />
the accounts department, another subordinate CA has been set up to<br />
<strong>is</strong>sue certificates to senior employees who have the authority to<br />
approve budget expenditure. A further subordinate CA has been<br />
created for the Chicago branch of the company, with its own<br />
hierarchical structure.<br />
All the employees within the enterpr<strong>is</strong>e CA hierarchy can<br />
communicate securely with each other, since they share a common<br />
root CA.<br />
20 Security Concepts
A major d<strong>is</strong>advantage of the enterpr<strong>is</strong>e CA hierarchy model <strong>is</strong> that<br />
the benefits of secure communication are limited to the domain of the<br />
root CA. Users within the enterpr<strong>is</strong>e CA hierarchy need to<br />
communicate securely also with external entities such as customers,<br />
suppliers and business partners.<br />
The recommended enterpr<strong>is</strong>e CA model combines a well-structured<br />
enterpr<strong>is</strong>e CA hierarchy with a commercial root CA. Th<strong>is</strong> model<br />
provides a common denominator for external communication through<br />
a trusted third party, without comprom<strong>is</strong>ing the organization’s<br />
security framework.<br />
The following diagram provides an example of a combined enterpr<strong>is</strong>e<br />
and commercial CA model. Th<strong>is</strong> model enables secure transaction<br />
processing and data exchange between the sales and purchasing<br />
departments of two companies, through a common commercial<br />
root CA.<br />
Combined Standalone and Enterpr<strong>is</strong>e CA Hierarchy<br />
XYZ<br />
Inc.<br />
Subordinate<br />
CA<br />
Sales<br />
Dept.<br />
Trusted<br />
3rd Party or<br />
Commercial<br />
CA<br />
CA Types and Hierarchies 21<br />
ABC<br />
Inc.<br />
Subordinate<br />
CA<br />
Purchasing<br />
Dept.<br />
Certificate holders:<br />
XYZ Inc. Sales Dept. employees ABC Inc. Purchasing Dept. employees
Password Storage and Authentication<br />
In addition to storing digital certificates and keys, <strong>eToken</strong> can provide<br />
secure storage for user passwords.<br />
How Safe <strong>is</strong> a Password?<br />
Relying on one-factor authentication - a memorized password alone -<br />
seriously weakens the security of any system.<br />
Passwords that are typed in to the keyboard of a PC or laptop can be<br />
easily copied and can also be hacked. Users often have difficulty<br />
remembering several passwords for different applications, so they use<br />
the same password for all their access needs.<br />
They often select a short password that <strong>is</strong> easy<br />
to remember (and easy to guess), such as the<br />
name of one of their children or their birthday.<br />
In spite of all advice, passwords are seldom<br />
changed and are often written down and left in<br />
easily accessible places, such as in a desk<br />
drawer or on a sticky note on the monitor.<br />
Storing a user’s access details and<br />
authentication passwords on an <strong>eToken</strong> significantly enhances access<br />
security. <strong>eToken</strong> provides strong password protection, as well as<br />
portability and convenience.<br />
<strong>eToken</strong> provides full two-factor authentication - the user must both<br />
connect the <strong>eToken</strong> and enter the individual <strong>eToken</strong> password in<br />
order to gain authorized access.<br />
Copying or hacking the <strong>eToken</strong> password <strong>is</strong> of no value without the<br />
physical <strong>eToken</strong>. Users do not need to remember different passwords<br />
for access to different applications and accounts, only the password<br />
for their personal <strong>eToken</strong>. They can take all their authorization<br />
details with them, on their key chain or in their pocket or purse.<br />
For details of <strong>eToken</strong> integration for password storage for Virtual<br />
Private Network (VPN) access, see the <strong>eToken</strong> Enterpr<strong>is</strong>e Integration<br />
Guide for Check Point SecuRemote.<br />
22 Security Concepts
Challenge-response Authentication<br />
A challenge <strong>is</strong> a value sent by an authenticating party, such as a<br />
company’s server, to a party or device requesting to be authenticated.<br />
Since the connection between the two parties <strong>is</strong> usually not secure,<br />
the authentication process <strong>is</strong> vulnerable if the challenge and response<br />
are always the same. A secure challenge has a different value each<br />
time it <strong>is</strong> <strong>is</strong>sued, and requires a different response each time.<br />
The challenge <strong>is</strong> usually chosen as a purely random message. As a<br />
result, the challenge value <strong>is</strong> always unpredictable.<br />
The party being authenticated uses an algorithm and its own copy of a<br />
secret value to compute a response to the challenge. The server holds<br />
its copy of the same secret value, and computes a response using the<br />
same algorithm. If the returned response <strong>is</strong> identical to the server’s<br />
computed response, the challenged party <strong>is</strong> considered genuine.<br />
With <strong>eToken</strong>, the secret value <strong>is</strong> held on the <strong>eToken</strong> and <strong>is</strong> never<br />
revealed or transmitted between the two parties. The response that <strong>is</strong><br />
sent across the Internet or network <strong>is</strong> the computed result, produced<br />
entirely within the secure environment of the <strong>eToken</strong>.<br />
The following diagram illustrates a simple challenge-response<br />
mechan<strong>is</strong>m for client authentication:<br />
1. Client requests access to the server<br />
2. Server sends random challenge 786hgr456?>:$<br />
3. User logs in to <strong>eToken</strong> with <strong>eToken</strong> password<br />
4. <strong>eToken</strong> calculates response using secret value<br />
stored on the <strong>eToken</strong><br />
5. Client sends response u7y55frw#*+<br />
6. Server calculates response using copy of secret<br />
value and same algorithm and challenge<br />
7. Responses are identical - client <strong>is</strong> authenticated!!<br />
Th<strong>is</strong> mechan<strong>is</strong>m can be used in more complex authentication<br />
protocols. For example, SSLv3 combines challenge-response with the<br />
use of digital certificates and signatures, to achieve a highly secure<br />
method of authentication.<br />
For information about <strong>eToken</strong> integration with SSL v3 for secure web<br />
access, see the <strong>eToken</strong> Enterpr<strong>is</strong>e Integration Guide for SSL v3.<br />
Challenge-response Authentication 23
24 Security Concepts
Chapter3<br />
Getting Started with <strong>eToken</strong><br />
Th<strong>is</strong> chapter provides the basic information that you need in order to<br />
start using <strong>eToken</strong>, and gives detailed instructions for installing and<br />
personalizing <strong>eToken</strong>.<br />
The following sections are contained in th<strong>is</strong> chapter:<br />
Minimum Requirements, page 26, l<strong>is</strong>ts the hardware, software<br />
and operating system requirements for using <strong>eToken</strong>.<br />
Installing the <strong>eToken</strong> RTE, page 26, explains how to install the<br />
<strong>eToken</strong> runtime environment and <strong>eToken</strong> extension cable.<br />
Personalizing the <strong>eToken</strong>, page 31, explains how to change the<br />
<strong>eToken</strong> password and name.<br />
25
Minimum Requirements<br />
Note<br />
The following are the minimum requirements for using <strong>eToken</strong>:<br />
PC with at least 10 MB d<strong>is</strong>k space.<br />
Windows 98, Windows NT 4.0 (with Service Pack 4 installed),<br />
Windows ME or Windows 2000.<br />
Microsoft Windows Installer (MSI) 1.1 or later.<br />
Internet Explorer 5.0 or later.<br />
MSI 1.1 <strong>is</strong> included with all installations of Windows 2000,<br />
Windows ME and Internet Explorer 5.5 and above. Please see the<br />
<strong>eToken</strong> Support and Downloads web page for details.<br />
At least one USB port, with USB support enabled in the BIOS.<br />
Additional software may be required for individual <strong>eToken</strong><br />
Enterpr<strong>is</strong>e solutions. Please refer to the relevant <strong>eToken</strong> Enterpr<strong>is</strong>e<br />
Integration Guide for details.<br />
Installing the <strong>eToken</strong> RTE<br />
The <strong>eToken</strong> runtime environment (RTE) includes all the necessary<br />
files and drivers to support <strong>eToken</strong> integration. It also includes the<br />
<strong>eToken</strong> Properties facility, which enables easy user management of<br />
the <strong>eToken</strong> password and name.<br />
The <strong>eToken</strong> RTE 1.40 or above must be installed on each computer on<br />
which <strong>eToken</strong> <strong>is</strong> to be used.<br />
If a compatible version of the <strong>eToken</strong> RTE has already been installed<br />
on the computer, for example, for use with a different <strong>eToken</strong><br />
Enterpr<strong>is</strong>e security client, it does not need to be reinstalled.<br />
To install the <strong>eToken</strong> RTE:<br />
1 Close all currently opened applications<br />
2 Either:<br />
Download the <strong>eToken</strong> RTE (and MSI if necessary) from the <strong>eToken</strong><br />
Support and Downloads web page, and store it in your selected<br />
location.<br />
Double-click the downloaded rte.msi file, and proceed from step 3.<br />
or<br />
Insert the <strong>eToken</strong> Enterpr<strong>is</strong>e CD into your CD drive.<br />
26 Getting Started with <strong>eToken</strong>
Note<br />
The following splash screen <strong>is</strong> d<strong>is</strong>played:<br />
If the required version of MSI <strong>is</strong> not present, the <strong>eToken</strong> Installer will<br />
proceed to install it on your system.<br />
3 If the RTE 1.40 <strong>is</strong> not installed, the RTE installation window <strong>is</strong><br />
d<strong>is</strong>played:<br />
If a previous version of the <strong>eToken</strong> SDK, <strong>eToken</strong> Enterpr<strong>is</strong>e, or<br />
<strong>eToken</strong> RTE has been installed, these components need to be removed<br />
before the installation can proceed.<br />
Installing the <strong>eToken</strong> RTE 27
In th<strong>is</strong> case a warning message appears, as shown in the example<br />
below:<br />
Click OK to remove previous components.<br />
4 Click Next on the <strong>eToken</strong> RTE installation window. The License<br />
Agreement <strong>is</strong> d<strong>is</strong>played:<br />
28 Getting Started with <strong>eToken</strong>
5 Select I accept and click Next:<br />
6 Remove any <strong>eToken</strong>s that are connected to the computer, and click<br />
Install. The <strong>eToken</strong> RTE files are installed.<br />
7 When the installation <strong>is</strong> complete, click Fin<strong>is</strong>h.<br />
8 Connect an <strong>eToken</strong> to the USB port or cable. The new hardware <strong>is</strong><br />
processed and the <strong>eToken</strong> lights up. Th<strong>is</strong> process may take some time,<br />
depending on the operating system and computer. The installation <strong>is</strong><br />
successful.<br />
If the USB port <strong>is</strong> not easily accessible, an <strong>eToken</strong> USB extension<br />
cable can be used, as described below. Th<strong>is</strong> extension cable enables<br />
you to insert and remove the <strong>eToken</strong> easily without having to access<br />
the USB port directly.<br />
Connecting the <strong>eToken</strong> Extension Cable<br />
The <strong>eToken</strong> connects to the computer’s USB port. If the USB port <strong>is</strong><br />
located at the back of the PC, it <strong>is</strong> probably difficult to reach. The<br />
<strong>eToken</strong> extension cable enables easy access to the USB port for<br />
insertion and removal of the <strong>eToken</strong>. Extension cables are available<br />
from your local Aladdin dealer.<br />
If a USB port or hub <strong>is</strong> located on the keyboard or monitor, you may<br />
not need an <strong>eToken</strong> extension cable. If the port <strong>is</strong> on the monitor,<br />
make sure that the monitor <strong>is</strong> connected to the USB port of the PC<br />
through a standard USB type A to type B cable.<br />
Installing the <strong>eToken</strong> RTE 29
Your <strong>eToken</strong> extension cable package includes:<br />
A round, translucent sticker.<br />
A cable, two meters (approximately six linear feet) long, with USB<br />
type A to type B connectors.<br />
At one end of the cable <strong>is</strong> a socket and a special suction cup. Th<strong>is</strong> end<br />
should be mounted in a convenient place, so that you can easily insert<br />
and remove the <strong>eToken</strong>.<br />
At the other end of the cable <strong>is</strong> a small plug that connects to the<br />
ex<strong>is</strong>ting USB connector on the PC.<br />
USB connector plug<br />
Socket<br />
Suction cup<br />
Cable (approx 2 meters)<br />
To install the <strong>eToken</strong> extension cable:<br />
1 Locate the computer’s USB port, and insert the small USB connector<br />
plug into it.<br />
2 Peel off the sticker and paste it in a convenient place, for example, on<br />
the side of the monitor or on the casing of the PC.<br />
3 Affix the suction cup of the <strong>eToken</strong> extension cable to the smooth<br />
surface of the sticker, pressing it firmly in place.<br />
4 Plug the <strong>eToken</strong> into the cable socket and make sure it lights up.<br />
30 Getting Started with <strong>eToken</strong>
Personalizing the <strong>eToken</strong><br />
All <strong>eToken</strong>s are configured at manufacture with the factory default<br />
password. Th<strong>is</strong> password <strong>is</strong> 1234567890.<br />
To ensure strong, two-factor security, and to enable full user<br />
functionality, it <strong>is</strong> important that the user changes the factory default<br />
password to an <strong>eToken</strong> password of the user’s own choice, as soon as<br />
possible after receipt of a new <strong>eToken</strong>. For additional convenience and<br />
ease of identification, the <strong>eToken</strong> name can also be personalized.<br />
After an <strong>eToken</strong> password has been changed, the new password must<br />
be used with the <strong>eToken</strong> for all <strong>eToken</strong> applications. It <strong>is</strong> the user’s<br />
responsibility to remember the <strong>eToken</strong> password - without it, the<br />
<strong>eToken</strong> cannot be used for any purpose.<br />
Changing the <strong>eToken</strong> Properties<br />
When the <strong>eToken</strong> RTE <strong>is</strong> installed, the <strong>eToken</strong> Properties shortcut <strong>is</strong><br />
added to the Windows Start menu, in Programs\<strong>eToken</strong>. Th<strong>is</strong><br />
program provides a simple user interface to the <strong>eToken</strong>, enabling<br />
users to personalize their <strong>eToken</strong> by setting and changing their own<br />
<strong>eToken</strong> password and name whenever they w<strong>is</strong>h.<br />
Personalizing the <strong>eToken</strong> 31
To personalize the <strong>eToken</strong>:<br />
1 Insert an <strong>eToken</strong> to the USB port or cable.<br />
2 In the Windows Start menu, select Programs, <strong>eToken</strong>, then<br />
<strong>eToken</strong> Properties. The <strong>eToken</strong> details are d<strong>is</strong>played, as shown in<br />
the following example:<br />
The default <strong>eToken</strong> name <strong>is</strong> <strong>eToken</strong>.<br />
The Reader Name column identifies the USB slot to which the<br />
<strong>eToken</strong> <strong>is</strong> connected, and <strong>is</strong> used for development and support<br />
purposes.<br />
The <strong>eToken</strong> Type column shows the <strong>eToken</strong> model (R2 or PRO)<br />
and where appropriate, the version.<br />
3 Select the required <strong>eToken</strong> and right-click. The following options are<br />
available:<br />
Rename <strong>eToken</strong>: Enables you to assign a personal name to the<br />
<strong>eToken</strong>. The name may be d<strong>is</strong>played, for example, when the<br />
application prompts for the <strong>eToken</strong> password.<br />
Show <strong>eToken</strong> Info: D<strong>is</strong>plays information about the <strong>eToken</strong>.<br />
Change <strong>eToken</strong> Password: Enables you to change the <strong>eToken</strong><br />
password as required, if you know the ex<strong>is</strong>ting <strong>eToken</strong> password.<br />
32 Getting Started with <strong>eToken</strong>
4 To change the name for the <strong>eToken</strong>, select Rename <strong>eToken</strong>. The<br />
following dialog appears:<br />
5 Enter the <strong>eToken</strong> password and click OK. The <strong>eToken</strong> name <strong>is</strong> now<br />
highlighted for editing in the <strong>eToken</strong> Properties window. Change the<br />
name as required. The new name will be saved when you exit the<br />
program.<br />
6 To view information about the <strong>eToken</strong>, select Show <strong>eToken</strong> Info.<br />
7 The following details are d<strong>is</strong>played, as shown in the example below:<br />
The <strong>eToken</strong> firmware version.<br />
The unique ID for th<strong>is</strong> <strong>eToken</strong>, which <strong>is</strong> assigned to the <strong>eToken</strong> at<br />
manufacture.<br />
The total memory size of the <strong>eToken</strong>, in bytes.<br />
The amount of memory currently available for use, in bytes.<br />
8 To change the <strong>eToken</strong> password, select Change <strong>eToken</strong> Password.<br />
Personalizing the <strong>eToken</strong> 33
The following dialog appears:<br />
9 Enter the current password for the <strong>eToken</strong> (or the default password<br />
1234567890 for a new <strong>eToken</strong>).<br />
10 Enter a new password and re-enter it for confirmation.<br />
11 Click OK. The <strong>eToken</strong> password has been changed.<br />
12 Click Exit to close the <strong>eToken</strong> Properties utility.<br />
34 Getting Started with <strong>eToken</strong>
Chapter4<br />
<strong>eToken</strong> Admin<strong>is</strong>tration<br />
Admin<strong>is</strong>tering <strong>eToken</strong> in an organization <strong>is</strong> simple and<br />
straightforward. Th<strong>is</strong> chapter provides admin<strong>is</strong>tration guidelines for<br />
the following circumstances:<br />
Setting Up a New <strong>eToken</strong> User, page 36, outlines what needs to<br />
be done to set up a new user with <strong>eToken</strong>.<br />
Issuing Replacement <strong>eToken</strong>s, page 36, explains what actions to<br />
take in the event of damaged, lost or stolen , or forgotten <strong>eToken</strong><br />
passwords.<br />
Recovering <strong>eToken</strong>s from Employees, page 36, explains what to<br />
do when <strong>eToken</strong> users leave the organization.<br />
For detailed instructions for installing, integrating and using specific<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e solutions, please refer to the relevant <strong>eToken</strong><br />
Enterpr<strong>is</strong>e Integration Guides.<br />
35
Setting Up a New <strong>eToken</strong> User<br />
When a new employee joins the organization, do the following:<br />
Install the <strong>eToken</strong> RTE on the employee’s computer.<br />
If required, install any additional installation for the relevant<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e solution.<br />
Issue the employee a new <strong>eToken</strong>, with the instructions for<br />
personalizing it. See “Personalizing the <strong>eToken</strong>”, on page 31.<br />
Issuing Replacement <strong>eToken</strong>s<br />
A user’s <strong>eToken</strong> may need to be replaced if:<br />
The <strong>eToken</strong> <strong>is</strong> lost or damaged.<br />
The user forgets the <strong>eToken</strong> password.<br />
When a user reports a lost or damaged <strong>eToken</strong>, you should d<strong>is</strong>card the<br />
<strong>eToken</strong> and <strong>is</strong>sue the user another <strong>eToken</strong>, with a requirement to<br />
personalize it as soon as possible.<br />
If a user forgets the password for h<strong>is</strong> or her personal <strong>eToken</strong>, it cannot<br />
be used for any <strong>eToken</strong>-based operation. The <strong>eToken</strong> password <strong>is</strong><br />
stored securely on the <strong>eToken</strong>, and it <strong>is</strong> not possible to reset it or<br />
replace it without knowledge of the password itself.<br />
The procedure for dealing with a forgotten <strong>eToken</strong> password <strong>is</strong> exactly<br />
the same as for a lost or damaged <strong>eToken</strong>.<br />
Recovering <strong>eToken</strong>s from Employees<br />
When an employee leaves the organization, in addition to taking the<br />
standard actions, such as revoking any current certificates and<br />
closing network accounts, you should recover h<strong>is</strong> or her <strong>eToken</strong> and<br />
its password. You can then choose to d<strong>is</strong>card the <strong>eToken</strong>, or to change<br />
the current password and reuse the <strong>eToken</strong>.<br />
If you are unable to recover the <strong>eToken</strong> password from the employee,<br />
the <strong>eToken</strong> <strong>is</strong> unusable, and you should d<strong>is</strong>card it. An <strong>eToken</strong> can be<br />
used only on computers that have been set up for use with specific<br />
<strong>eToken</strong> Enterpr<strong>is</strong>e security applications.<br />
36 <strong>eToken</strong> Admin<strong>is</strong>tration
AppendixA<br />
Troubleshooting<br />
Th<strong>is</strong> appendix offers advice and proposes solutions to problems that<br />
you may encounter when installing or using <strong>eToken</strong>.<br />
The following sections are contained in th<strong>is</strong> appendix:<br />
Problems and Possible Solutions, page 38, l<strong>is</strong>ts the problems<br />
that might ar<strong>is</strong>e, and suggests their causes and solutions.<br />
Checking USB Support, page 40, explains how to check whether<br />
USB support <strong>is</strong> enabled in the BIOS for your system.<br />
Technical Support, page 41, provides contact information for<br />
technical ass<strong>is</strong>tance.<br />
37
Problems and Possible Solutions<br />
The following table l<strong>is</strong>ts the possible causes of each problem, and<br />
suggests the appropriate solutions.<br />
Table A.1: Problems, Diagnoses and Solutions<br />
Problem Possible Diagnos<strong>is</strong> Solution<br />
1 Operating system<br />
identifies new<br />
hardware, but<br />
fails to recognize<br />
it as a USB<br />
device.<br />
2 LED on <strong>eToken</strong><br />
does not light up.<br />
The <strong>eToken</strong> was<br />
inserted into the USB<br />
port before<br />
installation was<br />
fin<strong>is</strong>hed.<br />
Installation was not<br />
successful, or the<br />
driver was not<br />
installed correctly.<br />
The USB <strong>is</strong> not<br />
enabled in the<br />
BIOS. See<br />
“Checking USB<br />
Support”, on page<br />
40, for details.<br />
The operating<br />
system does not<br />
support USB.<br />
The <strong>eToken</strong> <strong>is</strong><br />
defective.<br />
The <strong>eToken</strong> was<br />
inserted during<br />
installation<br />
Remove the <strong>eToken</strong><br />
from the port and<br />
reinsert.<br />
Remove the <strong>eToken</strong><br />
RTE installation, if<br />
necessary, and<br />
reinstall.<br />
Enable the USB in<br />
the BIOS. If<br />
necessary, consult<br />
your technical<br />
support services<br />
supplier.<br />
Ensure that one of<br />
the following<br />
operating systems <strong>is</strong><br />
installed:<br />
Windows 98<br />
Windows NT4.0<br />
Windows ME<br />
Windows 2000<br />
Obtain a new<br />
<strong>eToken</strong>. Contact<br />
your local Aladdin<br />
office.<br />
Remove the <strong>eToken</strong><br />
and reinsert it in the<br />
USB port.<br />
38 Troubleshooting
Table A.1: Problems, Diagnoses and Solutions (Continued)<br />
Problem Possible Diagnos<strong>is</strong> Solution<br />
3 Application does<br />
not recognize the<br />
<strong>eToken</strong>.<br />
4 Operating<br />
system d<strong>is</strong>plays<br />
the “New<br />
Hardware”<br />
message when a<br />
different USB<br />
port <strong>is</strong> used.<br />
5 RTE<br />
installation<br />
failure on<br />
Windows<br />
NT 4.0<br />
Errors in the<br />
application.<br />
The <strong>eToken</strong> <strong>is</strong><br />
defective.<br />
Windows<br />
automatically<br />
recognizes a new<br />
port when it <strong>is</strong> used<br />
for the first time,<br />
including ports<br />
connected via a hub.<br />
The USB port <strong>is</strong> not<br />
enabled in the<br />
BIOS.<br />
Check the application<br />
for errors.<br />
Obtain a new <strong>eToken</strong>.<br />
Th<strong>is</strong> <strong>is</strong> normal<br />
operating system<br />
behavior and needs<br />
no further action.<br />
The current <strong>eToken</strong><br />
installation <strong>is</strong> valid<br />
for all USB ports.<br />
Make sure the USB<br />
interrupt <strong>is</strong> enabled<br />
in the BIOS<br />
settings.<br />
Problems and Possible Solutions 39
Checking USB Support<br />
In order for your system to recognize the USB port and your <strong>eToken</strong>,<br />
USB support must be enabled in the BIOS. Your technical support<br />
services supplier may need to make the necessary changes to your<br />
system setup.<br />
To check whether USB support <strong>is</strong> enabled for your Windows 98<br />
or Windows 2000 system:<br />
1 Open the Windows Control Panel.<br />
2 Select System Properties.<br />
3 Select Device Manager. A l<strong>is</strong>t <strong>is</strong> d<strong>is</strong>played of the devices currently<br />
enabled in your system.<br />
USB support <strong>is</strong> enabled if the l<strong>is</strong>t of devices includes one or more IFD<br />
Handler entries, and one or more <strong>eToken</strong>s, as shown in the example<br />
below:<br />
If the d<strong>is</strong>played l<strong>is</strong>t does not include an entry for an <strong>eToken</strong>, the<br />
<strong>eToken</strong> <strong>is</strong> not correctly inserted or may be defective. If the l<strong>is</strong>t does<br />
not include an entry for IFD Handler, the installation failed.<br />
Reinstall or contact Technical Support.<br />
40 Troubleshooting
To check whether USB support <strong>is</strong> enabled for your Windows NT<br />
4.0 system:<br />
1 Open the Windows Programs Menu.<br />
2 Select Settings.<br />
3 Select Devices . A l<strong>is</strong>t <strong>is</strong> d<strong>is</strong>played of the devices currently enabled in<br />
your system<br />
USB support <strong>is</strong> enabled if the status of the Phoenix USB driver and<br />
Phoenix USB Hub driver <strong>is</strong> shown as Started, as shown in the<br />
example below:,.<br />
If the Device l<strong>is</strong>t does not include entries for the Phoenix USB<br />
driver and Phoenix USB Hub driver, the installation failed.<br />
Reinstall or contact Technical Support.<br />
Technical Support<br />
If you are unable to solve the problems that you are experiencing and<br />
require technical support and ass<strong>is</strong>tance, please contact Aladdin by<br />
telephone, fax or email, as follows:<br />
Tel: +972 3 636 2266<br />
Fax: +972 3 537 5796<br />
Email: techsup@eAladdin.com<br />
Website: http://support.eAladdin.com<br />
Technical Support 41
42 Troubleshooting
Numerics<br />
3xDES . . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
A<br />
Active-X . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Admin<strong>is</strong>trator . . . . . . . . . . . . . . . . . . . 2, 4<br />
APDU. . . . . . . . . . . . . . . . . . . . . . . . . . . 10<br />
Authentication . . . . . . . . . . . . . . . . . 22, 23<br />
one-factor . . . . . . . . . . . . . . . . . . . . . . 22<br />
two-factor . . . . . . . . . . . . . . . . . . . . 3, 22<br />
B<br />
Baltimore UniCERT . . . . . . . . . . . . . . . 12<br />
BIOS . . . . . . . . . . . . . . . . . . . . . . . . 38, 40<br />
C<br />
CA . . . . . . . . . . . . . . . . . . . . . . . . . . . 7, 14<br />
CA hierarchies . . . . . . . . . . . . . . . . . . . . 18<br />
CA types . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
CAPI . . . . . . . . . . . . . . . . . . . . . . . . . 8, 10<br />
Certificates, digital . . . . . . . . . 4, 7, 14, 15<br />
Challenge-response . . . . . . . . . . . . . . . . 23<br />
Changing <strong>eToken</strong> name . . . . . . . . . . 31, 32<br />
Changing <strong>eToken</strong> password . . . . . . . 31, 32<br />
Check Point SecuRemote . . . . . . . . . . . . 12<br />
Compatibility . . . . . . . . . . . . . . . . . . . . . . 4<br />
Convenience. . . . . . . . . . . . . . . . . . . . . . . 4<br />
Cost-effectiveness . . . . . . . . . . . . . . . . . . 4<br />
Cryptographic Service Provider See CSP<br />
CSP . . . . . . . . . . . . . . . . . . . . . . . . . . . 7, 8<br />
D<br />
Damaged <strong>eToken</strong> . . . . . . . . . . . . . . . . . . 36<br />
Decrypting email . . . . . . . . . . . . . . . . . . 17<br />
DESX . . . . . . . . . . . . . . . . . . . . . . . . . 3, 10<br />
Dial-up connection management . . . . . . 12<br />
Digital certificates . . . . . . . . . . . . . 4, 7, 15<br />
Index<br />
Digital signature. . . . . . . . . . . . . . . . 7, 16<br />
Digital Signature Trust (DST) . . . . . . . 12<br />
E<br />
Email<br />
decrypting . . . . . . . . . . . . . . . . . . . . . 17<br />
digitally signing . . . . . . . . . . . . . . . . . 16<br />
encrypting . . . . . . . . . . . . . . . . . . . . . 17<br />
securing . . . . . . . . . . . . . . . . . . . . . . . 16<br />
Encrypting email . . . . . . . . . . . . . . . . . 17<br />
Encryption . . . . . . . . . . . . . . . . . . . . . . 16<br />
Enterpr<strong>is</strong>e CA . . . . . . . . . . . . . . . . . . . . 18<br />
Entrust . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
<strong>eToken</strong><br />
damaged . . . . . . . . . . . . . . . . . . . . . . 36<br />
information, d<strong>is</strong>playing . . . . . . . . . . . 32<br />
lost . . . . . . . . . . . . . . . . . . . . . . . . . . . 36<br />
<strong>eToken</strong> name, changing . . . . . . . . . 31, 32<br />
<strong>eToken</strong> password. . . . . . . . . . . . . . . 15, 31<br />
changing . . . . . . . . . . . . . . . . . . . 31, 32<br />
forgotten . . . . . . . . . . . . . . . . . . . . . . 36<br />
<strong>eToken</strong> Properties . . . . . . . . . . . . . . . . . 31<br />
<strong>eToken</strong> RTE . . . . . . . . . . . . . . . . . . . . . 26<br />
Extension cable . . . . . . . . . . . . . . . . . . . 29<br />
F<br />
Factory default password . . . . . . . . . . . 31<br />
Forgotten <strong>eToken</strong> password . . . . . . . . . 36<br />
H<br />
Hardware-based protection. . . . . . . . . . . 4<br />
I<br />
Installation . . . . . . . . . . . . . . . . . . . . . . 38<br />
Integrity of content . . . . . . . . . . . . . . . . 16<br />
Internet Explorer . . . . . . . . . . . . . . . 8, 26<br />
ISO 9002 certification . . . . . . . . . . . . . .viii<br />
43
K<br />
Key<br />
generation . . . . . . . . . . . . . . . . . . . . . . 4<br />
private . . . . . . . . . . . . . . . . . . . . . . 7, 15<br />
public. . . . . . . . . . . . . . . . . . . . . . . 7, 15<br />
Key pair . . . . . . . . . . . . . . . . . . . . . . 7, 15<br />
Keys . . . . . . . . . . . . . . . . . . . . . . .7, 15, 18<br />
L<br />
Lost <strong>eToken</strong> . . . . . . . . . . . . . . . . . . . . . 36<br />
M<br />
Microsoft Windows Installer (MSI) . . . . 26<br />
Minimum requirements . . . . . . . . . . . . 26<br />
Models . . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
N<br />
New employee. . . . . . . . . . . . . . . . . . . . 36<br />
Non-repudiation . . . . . . . . . . . . . . . . . . 16<br />
O<br />
On-chip cryptographic processing . . . . . . 9<br />
On-chip key generation. . . . . . . . . . . . . . 4<br />
One-factor authentication . . . . . . . . . . . 22<br />
Operating system . . . . . . . . . . . .26, 38, 39<br />
P<br />
Password. . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
authentication . . . . . . . . . . . . . . . . . . 22<br />
<strong>eToken</strong>. . . . . . . . . . . . . . . . . . . . . . . . 22<br />
<strong>eToken</strong> factory default . . . . . . . . . . . . 31<br />
<strong>eToken</strong>, changing. . . . . . . . . . . . . . . . 31<br />
r<strong>is</strong>ks. . . . . . . . . . . . . . . . . . . . . . . . . . 22<br />
Password storage . . . . . . . . . . . . . . . . . 22<br />
Personalizing the <strong>eToken</strong> . . . . . . . . . . . 31<br />
PKCS #11 . . . . . . . . . . . . . . . . . . . . . 8, 10<br />
PKI . . . . . . . . . . . . . . . . . . . . . . . . .7, 8, 14<br />
Portability. . . . . . . . . . . . . . . . . . . . . . 3, 4<br />
Private key . . . . . . . . . . . . . . . . . . . . 7, 15<br />
PRO . . . . . . . . . . . . . . . . . . . . . . . .8, 9, 15<br />
Public key . . . . . . . . . . . . . . . . . . . . . 7, 15<br />
R<br />
R2 . . . . . . . . . . . . . . . . . . . . . . . . . .8, 9, 10<br />
Reliability . . . . . . . . . . . . . . . . . . . . . . . . 2<br />
Remote Access Server (RAS). . . . . . . . . 12<br />
Replacement <strong>eToken</strong>s, <strong>is</strong>suing . . . . . . . 36<br />
Root CA. . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
RSA1024 . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
RSA-Keon . . . . . . . . . . . . . . . . . . . . . . . 12<br />
RTE. . . . . . . . . . . . . . . . . . . . . . . . . 26, 31<br />
Runtime environment (RTE) . . . . . . . . .26<br />
S<br />
SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . .12<br />
Securing email . . . . . . . . . . . . . . . . . . . .16<br />
Security . . . . . . . . . . . . . . . . . . . . . . . . 3, 4<br />
r<strong>is</strong>ks . . . . . . . . . . . . . . . . . . . . . . . . . . .5<br />
solutions . . . . . . . . . . . . . . . . . . . . . . .12<br />
SHA-1 . . . . . . . . . . . . . . . . . . . . . . . . . . .9<br />
Signature<br />
digital . . . . . . . . . . . . . . . . . . . . . . . . .16<br />
Signature, digital . . . . . . . . . . . . . . . . 7, 16<br />
Smart card<br />
logon . . . . . . . . . . . . . . . . . . . . . . . . . .12<br />
technology. . . . . . . . . . . . . . . . . . . . . . .2<br />
SSLv3. . . . . . . . . . . . . . . . . . . . . . . . 12, 23<br />
Standalone CA . . . . . . . . . . . . . . . . . . . .18<br />
Subordinate CA . . . . . . . . . . . . . . . . . . .19<br />
System admin<strong>is</strong>trator See Admin<strong>is</strong>trator<br />
T<br />
Technical support. . . . . . . . . . . . . . . . . .41<br />
The. . . . . . . . . . . . . . . . . . . . . . . . . . . . .11<br />
Thin Client Technology . . . . . . . . . . . . .12<br />
Third-party trust . . . . . . . . . . . . . . . . . .14<br />
Triple DES . . . . . . . . . . . . . . . . . . . . . . . .9<br />
Two-factor authentication . . . . . . . . . 3, 22<br />
U<br />
Universal Serial Bus See USB<br />
USB . . . . . . . . . . . . . . . . . . . . . . . . 3, 4, 29<br />
device . . . . . . . . . . . . . . . . . . . . . . . . .38<br />
extension cable . . . . . . . . . . . . . . . . . .29<br />
port . . . . . . . . . . . . . . . . . . 26, 29, 38, 39<br />
support . . . . . . . . . . . . . . . . . . 26, 38, 40<br />
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . .2<br />
V<br />
Verification . . . . . . . . . . . . . . . . . . . . . .16<br />
VeriSign . . . . . . . . . . . . . . . . . . . . . . . . .12<br />
Versatility . . . . . . . . . . . . . . . . . . . . . . . .4<br />
Virtual Private Network (VPN) . . . . . . .22<br />
W<br />
Windows 2000 . . . . . . . . . . . . . . 12, 18, 26<br />
Windows 98 . . . . . . . . . . . . . . . . . . . . . .26<br />
Windows ME . . . . . . . . . . . . . . . . . . . . .26<br />
Windows NT 4.0. . . . . . . . . . . . . . . . . . .26<br />
44 Index