Content Encryption 2.5.0 Generic PKI Token

© SafeBoot N.V.
SafeBoot Content Encryption - Generic PKI token
SafeBoot N.V.
Edisonbaan 15, Nieuwegein, 3439 MN, The Netherlands
Tel: +31 (0)30 6348800
Fax: +31 (0)30 6348899
Email: info@safeboot.com
For more information regarding local SafeBoot representatives please take a look at:
www.safeboot.com
SafeBoot® Content Encryption™
Generic PKI Token
Technical white paper
Document:
SafeBoot Content Encryption - Generic PKI token
Product Version:
2.5.0.0
Last updated: Friday, 03 August 2007
Copyright © 2007 SafeBoot N.V. All rights reserved. Printed in The Netherlands.
No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language, in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without prior written permission from
SafeBoot N.V.
The information furnished herein is believed to be accurate and reliable. However, no
responsibility or liability is assumed by SafeBoot N.V., including its subsidiaries, for its use,
nor for any infringements of patents or other rights of third parties resulting from its use.
Microsoft®, Windows® and ActiveDirectory® are registered trademarks of Microsoft
Corporation. SafeBoot® is a registered trademark of SafeBoot N.V. All other trademarks
and registered trademarks are the property of their respective holders.
Table of Contents
Introduction
  What is the Generic PKI token?
  Availability
  About the certificates
    Microsoft compliance
    Certificates in SafeBoot database
Technical information
  Technical description
  Architecture
  Files
  Installation
    New database installation
    Existing database
Introduction
This paper describes the SafeBoot Content Encryption Generic PKI token. It contains a
description of the solution, installation requirements and configurations. This document
accompanies the SafeBoot Content Encryption Administrators’ Guide.
What is the Generic PKI token?
The SafeBoot Content Encryption Generic PKI token (SBCEpkiToken) was developed to
support PKI tokens in a generic way, using digital certificates as the means of user
identification.
As a result, any Microsoft-based certificate stored on a smart card or as a soft
certificate (*.p12) may be used for authentication in SafeBoot Content Encryption.
Availability
The SBCEpkiToken files are available on the SafeBoot installation CD and the files may be
selected during the SafeBoot database install and the subsequent creation of the database.
About the certificates
Microsoft compliance
The certificates used together with the SBCEpkiToken need to be Microsoft compliant.
Microsoft compliant certificates can be used for e.g. Windows smart card logon. If the
certificate is not Microsoft compliant it will not work with the SBCEpkiToken.
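The following check is an added example and is not part of the SafeBoot package or this paper. It tests a certificate against the basic requirements Windows places on a smart card logon certificate (Client Authentication and Smart Card Logon EKUs, Digital Signature key usage, a UPN in the Subject Alternative Name, validity and a trusted chain), which is the practical meaning of "Microsoft compliant" above. The file path in the usage lines is a placeholder.

```powershell
# Added example, not from the SafeBoot paper: does a certificate look usable for
# Windows smart card logon? Runs in Windows PowerShell 5.1 / PowerShell 7 on Windows.
function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # EKU object identifiers that Windows smart card logon requires
    $ekuOids = @{
        ClientAuthentication = '1.3.6.1.5.5.7.3.2'
        SmartCardLogon       = '1.3.6.1.4.1.311.20.2.2'
    }
    $problems = @()

    # Enhanced Key Usage: both OIDs must be present
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($name in $ekuOids.Keys) {
        if ($present -notcontains $ekuOids[$name]) {
            $problems += "missing EKU $name ($($ekuOids[$name]))"
        }
    }

    # Key Usage must allow digital signatures (the logon challenge is signed)
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not $ku -or -not ($ku.KeyUsages -band $digSig)) {
        $problems += 'Key Usage lacks Digital Signature'
    }

    # Subject Alternative Name (OID 2.5.29.17) must carry a User Principal Name;
    # the CAPI formatter renders that otherName as "Principal Name=".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or ($san.Format($false) -notmatch 'Principal Name=')) {
        $problems += 'Subject Alternative Name has no User Principal Name'
    }

    # Validity period and chain to a trusted root
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += 'certificate is outside its validity period'
    }
    if (-not $Cert.Verify()) {
        $problems += 'certificate chain does not validate to a trusted root'
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (paths are placeholders):
#   a soft certificate:  Test-SmartCardLogonCert -Cert (Get-PfxCertificate -FilePath 'C:\certs\user.p12')
#   the user's store:    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCert -Cert $_ }
```

A certificate that reports Compliant = True here still has to be imported into the SafeBoot database and assigned to the user, as the next paragraph describes; the check only confirms that the certificate itself is of the kind the SBCEpkiToken can use.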
Certificates in SafeBoot database
The certificates must also have been imported into the SafeBoot database and assigned to
each SafeBoot user who will authenticate with the SBCEpkiToken. For certificate import
from MS ActiveDirectory, the SafeBoot Connector Manager G2 for ActiveDirectory is
required. For documentation about the SafeBoot Connector Manager, please contact your
SafeBoot representative.
Also observe that the SBCEpkiToken only works with SafeBoot Content Encryption and not
any other SafeBoot product, e.g. SafeBoot Device Encryption. Please see the documentation
for other SafeBoot products regarding token support for each.
Technical information
Technical description
The SBCEpkiToken uses Microsoft-supported certificates stored on standard tokens for
authentication to SafeBoot Content Encryption. A Microsoft-supported certificate is one
that can be used for logging on to e.g. Windows (a Windows Smart Card logon
certificate).
The certificates on the token are used to encrypt and decrypt pieces of data for
authentication purposes. The encryption/decryption calls are made through the Microsoft
Windows CryptoAPI (MS CAPI).
MS CAPI in turn calls the Cryptographic Service Provider (CSP) that corresponds to the
certificate token in use to execute the requested operations on the certificate container
token, e.g. accessing the private key on a smart card and ultimately carrying out the
cryptographic computations on the card. The CSP then returns the result of the requested
operations to MS CAPI, which in turn passes the result in an appropriate format to the
SBCEpkiToken.
The SBCEpkiToken requires the certificates used to be available in the SafeBoot central
Object Directory (SafeBoot database), imported from an external repository using any of
the available SafeBoot Connector modules. Each user in the SafeBoot database that will use
the SBCEpkiToken must have been set to use the public keys as tokens. This set-up can be
automated by using the SafeBoot Connector Manager.
As the name indicates, the SBCEpkiToken is generic: any certificate container may be used
together with any CSP that supports MS CAPI. That is, any smart card for which a Windows
CSP exists, and whose certificates can be used for Windows smart card logon, can be
supported.
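The round trip below is an added example and is not code from the SafeBoot product. It illustrates the principle just described: a piece of data is encrypted with the certificate's public key (the side the SafeBoot database holds) and decrypted through MS CAPI, so that the CSP behind the certificate performs the private-key operation, on the card for a hardware token. It also reports the CSP name that CAPI associates with the key, which is the value the SbTokCSP.INI file described later must contain. The function assumes Windows PowerShell 5.1 (.NET Framework, where CAPI-backed keys surface as RSACryptoServiceProvider) and takes a thumbprint you supply.

```powershell
# Added example, not from the SafeBoot paper: an encrypt/decrypt challenge through
# MS CAPI, the way the SBCEpkiToken authenticates. Windows PowerShell 5.1 assumed.
function Invoke-CapiChallenge {
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint      # thumbprint of the user's certificate (placeholder)
    )

    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }

    # Verifier side: only the public key is needed (the SafeBoot database would hold
    # the certificate, here it is read from the same certificate object).
    $publicKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $publicKey) { throw 'Certificate does not carry an RSA public key' }

    # A random 32-byte challenge plays the role of the "piece of data".
    $challenge = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challenge)

    # PKCS#1 v1.5 padding is what classic CAPI CSPs support.
    $blob = $publicKey.Encrypt($challenge, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)

    # Token side: for a CAPI-backed key, PrivateKey is an RSACryptoServiceProvider and
    # its CspKeyContainerInfo names the CSP. A CNG/KSP key has no CSP name at all.
    $privateKey = $cert.PrivateKey
    if ($privateKey -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw 'Private key is not CAPI-backed; there is no CSP name to configure'
    }
    $info = $privateKey.CspKeyContainerInfo

    # The CSP performs the RSA decryption (on the card for hardware tokens) and the
    # result comes back through CAPI. $false selects PKCS#1 v1.5, not OAEP.
    $answer = $privateKey.Decrypt($blob, $false)

    $ok = [Convert]::ToBase64String($challenge) -eq [Convert]::ToBase64String($answer)

    [pscustomobject]@{
        Subject          = $cert.Subject
        CspName          = $info.ProviderName   # value for Name= in SbTokCSP.INI
        HardwareDevice   = $info.HardwareDevice # True when the CSP reports a hardware key
        KeyContainer     = $info.KeyContainerName
        ChallengePassed  = $ok
    }
}

# Usage (thumbprint is a placeholder): Invoke-CapiChallenge -Thumbprint 'THUMBPRINT_OF_USER_CERT'
```

ChallengePassed = True shows that the holder of the token could decrypt data encrypted to the certificate, i.e. possession of the private key was proven without the key leaving the CSP. Run it on a client where the third-party CSP is already installed; on a smart card the CSP will prompt for the PIN during the Decrypt call.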
Architecture
The following diagram depicts the working order and the components involved when using the
SBCEpkiToken. It is included here for reference and overview purposes rather than as a
detailed description of the components involved.
Again, the diagram above gives only a high-level overview of where the SBCEpkiToken sits.
For a detailed technical description of how token authentication works in Windows and how
CSPs work under Windows, consider the following links:
Smart card Cryptographic Service Providers (A. Nirmalananthan, Microsoft):
http://msdn2.microsoft.com/en-us/library/ms953432.aspx
Using certificates in Windows (Microsoft):
http://msdn2.microsoft.com/en-us/library/ms731899.aspx
Smart card authentication (Microsoft):
http://msdn2.microsoft.com/en-us/library/aa380142.aspx
Files
The following files are included in the SBCEpkiToken package:
SbmSbTokCSP.INI
This file is transformed and renamed to the SBM.INI file when the files are imported to the
SafeBoot database. If imported manually by itself, it must be set to a “Merge INI” and also
renamed to SBM.INI. Please consult your SafeBoot representative before carrying out any
manual changes of this file.
SbTokCSP.DLL
The actual DLL for the SBCEpkiToken functionality.
SbTokCSP.INI
This is the configuration file that names the CSP to be used together with the
SBCEpkiToken through MS CAPI. The exact name of the installed CSP must be entered
manually in this file for the SBCEpkiToken to work. You need to create this file yourself,
depending on which CSP(s) are used on the clients.
SbTokCSPDsk.INI
This file has no function in this version of SBCEpkiToken and may not even be included in
some builds.
SbTokCSPfiles.INI
This file specifies what files belong to the SBCEpkiToken file set when performing an import
of the files to the SafeBoot central object directory. Do not edit this file.
All files need to be in the SBAdmin program directory before being imported to the SafeBoot
central object directory.
Installation
This section describes the installation of the SBCEpkiToken. There are two scenarios:
a) Installing in a plain environment where no SafeBoot database has previously been
installed
b) Upgrading an existing SafeBoot database with the SBCEpkiToken components.
In both scenarios, the third-party CSP named in the SbTokCSP.INI file must first be
properly deployed and installed on all clients where the SBCE client will be installed and
will interoperate with this CSP through MS CAPI.
In order to better understand the following paragraphs, knowledge about how the SafeBoot
Administration system works is required. Please contact your SafeBoot representative for
discussions regarding how you can attain this knowledge.
New database installation
• If this is a new installation of the SafeBoot central database, make sure that you
  select the token file group called “Generic CSP Token files” when selecting the tokens
  to be supported in the SafeBoot database (it is possible to add the SBCEpkiToken later,
  see below). Also make sure that you select the SafeBoot Content Encryption files and
  the Smart Card support scripts.
• Finish the installation of the SafeBoot database as you find appropriate. For details
  regarding installation of the SafeBoot database, please consult the SafeBoot
  Management Centre Administrator’s Guide, available from your SafeBoot representative
  upon request.
• Configure the SafeBoot Connectors and import user data and user certificates from the
  repository holding the certificates to be used with the SBCEpkiToken. Make sure that
  the prerequisites stated earlier in this document are met. For configuration of
  Connectors, please consult the SafeBoot Management Centre Administrator’s Guide,
  available from your SafeBoot representative upon request.
• Next, create and edit a file called SbTokCSP.INI. First, create a text file called
  SbTokCSP.TXT outside the SafeBoot Management Centre. Open the file and make the
  following entry:
  [CSP]
  Name="Exact name of the CSP"
  Replace the placeholder within the quotation marks (including the marks themselves)
  with the name of the deployed CSP. For example, support for the RSA SID800 token and
  its CSP requires the entry to look as follows:
  [CSP]
  Name=RSA Sign-on Manager CSP
• Then rename the file from SbTokCSP.TXT to SbTokCSP.INI, accepting any warning
  presented.
• Now, in the SafeBoot Management Centre, open the file group named “TOKEN: CSP token
  for SBAdmin/Content Encryption”. Then import the file you created outside the database
  containing the name of your CSP. For a complete description of file group management
  within the SafeBoot database, please consult the SafeBoot Management Centre
  Administrator’s Guide, available from your SafeBoot representative upon request.
• Then configure the SafeBoot database for SafeBoot Content Encryption to match your
  security policy, i.e. create and assign encryption keys and encryption policies. For
  guidance on configuration of SafeBoot Content Encryption, please consult the SafeBoot
  Content Encryption Administrator’s Guide, available from your SafeBoot representative
  upon request.
• When creating the SafeBoot Content Encryption installation set, make sure that you
  also include the file group “TOKEN: CSP token for SBAdmin/Content Encryption”. Once
  the installation set has been created, it can be deployed to the machines and the
  SBCEpkiToken functionality will be available automatically.
If all configurations have been made correctly, users may now use their PKI tokens with
certificates to authenticate to SafeBoot Content Encryption.
Existing database
If you already have a SafeBoot database in place and want to add the SBCEpkiToken
support, follow these steps.
• Make sure that you have the latest version of the SafeBoot Content Encryption client
  files in the database. For upgrading the SafeBoot Content Encryption files, please
  consult the SafeBoot Management Centre (or Content Encryption) Administrator’s Guide,
  available from your SafeBoot representative upon request.
• Run the SafeBoot CD with the latest version and do a “new” installation. In the list of
  options, select only the token files “Generic CSP Token files”. Then finish the setup
  and start the SafeBoot Management Centre.
• Next, create and edit a file called SbTokCSP.INI. First, create a text file called
  SbTokCSP.TXT outside the SafeBoot Management Centre. Open the file and make the
  following entry:
  [CSP]
  Name="Exact name of the CSP"
  Replace the placeholder within the quotation marks (including the marks themselves)
  with the name of the deployed CSP. For example, support for the RSA SID800 token and
  its CSP requires the entry to look as follows:
  [CSP]
  Name=RSA Sign-on Manager CSP
• Then rename the file from SbTokCSP.TXT to SbTokCSP.INI, accepting any warning
  presented. Leave this file for a moment and proceed as below.
• If you have received the SBCEpkiToken files separately (i.e. not on a SafeBoot CD that
  you run), place all the files you have received in the SBAdmin program directory.
  Create a new file group in the database called “TOKEN: CSP token for SBAdmin/Content
  Encryption”. Make it a controlled group with the Properties “Token files” and “C4
  files”.
• Open the new file group and select “Import file set”. Then browse for the file
  SbTokCSPfiles.INI and finish the import. There should now be two files in the new
  group:
  o SBM.INI, and
  o SbTokCSP.DLL
• Now right-click in this group and select “Import file”. Browse for the file you
  recently edited called SbTokCSP.INI. Make sure this file is added to the group.
• Create a new SafeBoot Content Encryption installation set and make sure that you
  include the file group just created (“TOKEN: CSP token for SBAdmin/Content
  Encryption”).
• Then deploy the new SafeBoot Content Encryption client installation set in your
  environment. There is no need to decrypt any data prior to the installation/upgrade of
  the Content Encryption client.
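Both installation procedures (new database and existing database) hinge on the SbTokCSP.INI entry naming the installed CSP exactly. The script below is an added example, not part of the SafeBoot package, that checks a SbTokCSP.INI on a client before the file is imported: it parses the [CSP] section, flags a Name value that still carries the template's quotation marks, and compares the name, case-sensitively, against the CSPs Windows lists under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider (the same list certutil -csplist prints). The INI path in the usage line is a placeholder.

```powershell
# Added example, not from the SafeBoot paper: validate the CSP name in SbTokCSP.INI
# against the CSPs actually installed on this Windows client.
function Get-InstalledCspName {
    # Each subkey of this registry key is the exact name of an installed CSP.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider' |
        ForEach-Object { $_.PSChildName }
}

function Test-SbTokCspIni {
    param(
        [Parameter(Mandatory)]
        [string]$Path      # path to the SbTokCSP.INI to check
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "INI not found: $Path" }
    $leaf = Split-Path -Leaf $Path
    if ($leaf -ne 'SbTokCSP.INI') {
        Write-Warning "File should be named SbTokCSP.INI (found $leaf)"
    }

    # Minimal INI parse: locate the [CSP] section and its Name= entry.
    $section = $null
    $name = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'CSP' -and $t -match '^Name\s*=\s*(.*)$') {
            $name = $Matches[1].Trim()
            break
        }
    }
    if (-not $name) { throw "No Name= entry under [CSP] in $Path" }

    # The template's quotation marks (straight or typographic) are not part of a
    # real CSP name; report them instead of silently stripping them.
    if ($name -match '^["\u201C\u201D]') {
        throw "Name value still carries the template quotation marks: $name"
    }

    $installed = @(Get-InstalledCspName)
    $exact     = $installed -ccontains $name          # CSP names must match exactly
    $caseOnly  = (-not $exact) -and ($installed -contains $name)

    # Offer nearby names when there is no exact hit, to help spot a typo.
    $candidates = @()
    if (-not $exact) {
        $firstWord  = $name.Split(' ')[0]
        $candidates = @($installed | Where-Object { $_ -like "*$firstWord*" })
    }

    [pscustomobject]@{
        ConfiguredCsp = $name
        Installed     = $exact
        CaseMismatch  = $caseOnly
        Candidates    = $candidates
    }
}

# Usage on a client where the third-party CSP has been deployed (path is a placeholder):
#   Test-SbTokCspIni -Path 'C:\SafeBoot\SBAdmin\SbTokCSP.INI'
```

Installed = True is the result to look for before importing the file into the “TOKEN: CSP token for SBAdmin/Content Encryption” group; CaseMismatch = True means the name is right apart from letter case, and a non-empty Candidates list points at the installed name that was probably intended.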
Observe that any user in the SafeBoot database that shall use SBCEpkiToken must have
been set to authenticate with tokens and certificates defined through the Connectors. Also,
the Connectors must have fetched user certificates from the appropriate external repository.