This is the main Hardware Support page. It collects the support pages you are likely to need, including support, advice and Frequently Asked Questions [FAQs] about any hardware device used, or recommended, by Digi-Sign.
You can browse this Support Directory or you can view the Hardware KnowledgeBase [1] that contains specific Questions & Answers [Q&A] (this is free today but will be a 'Subscription Only' service soon).
Alternatively, you may wish to search all of the Digi-ID™ pages using the search facility below.
There are two types of USB device on which private keys and public key certificates can be stored: a USB cryptographic device and a USB flash memory device. Each supports different key and digital certificate storage formats.
The correct and most secure method is to store the private key and public key certificates on a USB cryptographic device (also commonly referred to as a security token, hardware token or a cryptographic token). A Digi-Token™ is a cryptographic token.
A USB security token is the equivalent of a reader-less smart card: it has an advanced onboard cryptographic processor and physically tamper-protected memory for storing personal information such as private keys and digital certificates. The advantage of a USB security token is a very high level of security and protection of personal information, safe on-board key generation, and high assurance that key material remains on the token at all times and cannot be exported or copied by unauthorized parties. According to EU directives, this is the only acceptable way to generate, store and use qualified digital certificates, as that document requires.
A USB security token is many times more expensive than an ordinary USB flash memory device because it has many security features (in both the hardware and the software layer) to protect the user's personal information. Aladdin offers good prices for USB security tokens.
The other method of storing private keys and digital certificates is a software implementation of the PKCS#12 standard, which defines the Personal Information Exchange Syntax: password-protected information stored in an ordinary data file. A PKCS#12 file is like any other file (MP3, .DOC, .XLS, .PDF, etc.) and can be stored on a standard USB flash memory device.
If you store a private key and digital certificate as a software PKCS#12 file on a USB flash memory device, it is very simple for an unauthorized party to copy the file, and relatively easy for an experienced attacker to attempt to break the password protection that guards the user's personal information, such as the private key. This is many times less secure than a USB security token, because it adds no hardware protection mechanism at all. And as you know, USB flash memory devices can be purchased for a few cents.
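To make the point of the two paragraphs above concrete, the following is an added example (not code from Digi-Sign, Aladdin or any PKCS#12 toolkit) that implements, in pure Python, the PKCS#12 integrity MAC key derivation from RFC 7292 Appendix B (purpose ID 3), the HMAC check a PKCS#12 reader performs over the authSafe contents, and a small audit of the MAC parameters. Everything protecting a copied PFX file is visible here: the password, the salt, the hash and the iteration count. The salt, password and authSafe bytes are constructed sample values, the 2048 iteration floor in the audit is an assumption chosen for this example rather than a figure from the page, and interoperability with files written by a particular toolkit is not exercised.

```python
"""PKCS#12 integrity MAC: RFC 7292 Appendix B key derivation, HMAC check, audit.
Added example; not Digi-Sign, Aladdin or toolkit code."""
import hashlib
import hmac
import math

# Hash block size v in bytes (RFC 7292 B.1) for the hashes handled here.
_BLOCK_BYTES = {"sha1": 64, "sha256": 64}


def pkcs12_kdf(password: str, salt: bytes, iterations: int, key_len: int,
               purpose_id: int = 3, hash_name: str = "sha1") -> bytes:
    """Derive key_len bytes per RFC 7292 B.2. purpose_id 3 = MAC key."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    u = hashlib.new(hash_name).digest_size
    v = _BLOCK_BYTES[hash_name]

    def stretch(data: bytes) -> bytes:
        # Repeat data to the smallest multiple of v that covers it (steps 2-3).
        if not data:
            return b""
        reps = math.ceil(len(data) / v)
        return (data * reps)[:reps * v]

    d = bytes([purpose_id]) * v                         # step 1: D
    bmp = password.encode("utf-16-be") + b"\x00\x00"    # BMPString with terminator
    i_buf = bytearray(stretch(salt) + stretch(bmp))     # step 4: I = S || P
    out = b""
    for _ in range(math.ceil(key_len / u)):             # steps 5-6: c rounds
        a = d + bytes(i_buf)
        for _ in range(iterations):                     # A_i = H^r(D || I)
            a = hashlib.new(hash_name, a).digest()
        out += a
        # B = A_i repeated to v bytes; each v-byte block of I becomes (I_j + B + 1) mod 2^(8v)
        b_plus_one = int.from_bytes((a * math.ceil(v / len(a)))[:v], "big") + 1
        for j in range(0, len(i_buf), v):
            block = int.from_bytes(i_buf[j:j + v], "big")
            i_buf[j:j + v] = ((block + b_plus_one) % (1 << (8 * v))).to_bytes(v, "big")
    return out[:key_len]


def pkcs12_mac(password: str, salt: bytes, iterations: int, auth_safe: bytes,
               hash_name: str = "sha1") -> bytes:
    """MAC over the authSafe contents, as a PKCS#12 reader recomputes it."""
    digest_len = hashlib.new(hash_name).digest_size
    key = pkcs12_kdf(password, salt, iterations, digest_len, 3, hash_name)
    return hmac.new(key, auth_safe, hash_name).digest()


def verify_pkcs12_mac(password: str, salt: bytes, iterations: int, auth_safe: bytes,
                      stored_mac: bytes, hash_name: str = "sha1") -> bool:
    """True only when the password matches the one the file was written with."""
    return hmac.compare_digest(
        pkcs12_mac(password, salt, iterations, auth_safe, hash_name), stored_mac)


def audit_mac_params(hash_name: str, iterations: int, min_iterations: int = 2048) -> list:
    """Findings to raise before accepting a PFX file on removable media.
    The 2048 floor is an assumption for this example, not a figure from the page."""
    findings = []
    if hash_name == "sha1":
        findings.append("MAC uses legacy SHA-1")
    if iterations < min_iterations:
        findings.append(f"iteration count {iterations} is below the assumed floor of {min_iterations}")
    return findings


# Constructed sample values; not taken from any real PKCS#12 file.
SAMPLE_SALT = bytes.fromhex("0102030405060708")
SAMPLE_AUTH_SAFE = b"constructed authSafe contents"


def demo() -> dict:
    stored = pkcs12_mac("correct horse", SAMPLE_SALT, 2048, SAMPLE_AUTH_SAFE, "sha256")
    return {
        "good_password": verify_pkcs12_mac("correct horse", SAMPLE_SALT, 2048,
                                           SAMPLE_AUTH_SAFE, stored, "sha256"),
        "wrong_password": verify_pkcs12_mac("wrong", SAMPLE_SALT, 2048,
                                            SAMPLE_AUTH_SAFE, stored, "sha256"),
        "legacy_findings": audit_mac_params("sha1", 1),
        "modern_findings": audit_mac_params("sha256", 2048),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The contrast with the token is the design point: on a PKCS#11 device the private key is used inside the hardware and never leaves it, so there is nothing equivalent to `stored_mac` and `auth_safe` for a copy to be checked against offline; with a PFX file, the hash and iteration count reported by `audit_mac_params` are the only things slowing down anyone holding a copy of the file.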
Running under Windows 98, on a VeriSign affiliate website, the CSP failed to generate the keys on the token.
Workaround: Upgrade to iKey2000 software, version 4.5.10.
No, according to Datakey (ticket number: 20011221120225) the iKey20xx will only store one profile.
Currently (as of 02/27/02), the maximum RSA key size that can be generated onboard is 1024-bit for both iKey2000 and iKey2032. In the future we might increase this (RSA keys only) to 2048-bit.
If you do not want to include the whole 4.5.10 software, you need to go to THOR and download the "iKey driver installer - Driver Only v.3.1.0.27" and distribute that and your application.
For PKCS#11, the API is C_GetTokenInfo().
For MS CAPI, you cannot get the serial number. MS CAPI can only get the container name.
For the 4.5.10 software, you can not reset this. You will have to re-initialize the token.
Yes. This is a Windows 2000 security feature. The physical insertion of the hardware token is the trigger for the logon event.
The iKey 2032 contains a FIPS 140-1 Level 2 certified ASIC and firmware.
At this time, the iKey 2032 only supports Entrust 5.01, 5.02 and 5.1. We do not support Entrust Authority 6.0.
Yes, but only through the Cryptoki (PKCS#11) API, not through one of our utilities. First you must log in with the old password. Then you can call C_SetPIN() to change it to the new password.
Only the PKCS#11 and MS CAPI libraries can directly interface with the iKey2000. At this time there are no direct hardware APIs exposed, so there are no controls available for the LED.
For Windows 2000 machines only! Please open a DOS window, type "scardsvr reinstall" and hit Enter. Please reboot and try Token Manager again.
The iKey 2000 can use slots 16-35. Here is a quick run-down on all the available slots:
Slot 0 is no longer used.
Slots 1-12 are for serial readers.
Slot 13 is for the DKR500.
Slots 14 and 15 are no longer used.
Slots 16-25 are for PC/SC readers.
Slots 26-35 are for USB readers.
The iKey 2000 software does not support Netscape Communicator versions earlier than 4.0 or later than 4.79. Netscape 6.0/6.1 and later cannot be used with iKey 2000 software.
The minor difference in the "valid to/from" time is due to Microsoft using GMT (Greenwich Mean Time) and iKey2000 software using local time.
In some circumstances the iKey driver can "crash". To resolve this issue, go to the Device Manager and, under Smart Card Readers, right-click the iKey 2000 and select Uninstall. You will be asked to reboot your machine; please do so. After the machine has shut down, remove the iKey 2000. When the machine has fully rebooted, reinsert the iKey 2000 and the OS will detect a new device and reinstall the driver correctly. Once this is done you should be able to use the manager/utility again.
Links:
[1] http://www2.digi-sign.com/en/support/knowledgebase/hardware
[2] http://www2.digi-sign.com/user/login
[3] http://www2.digi-sign.com/user/register