5.3 Supported features for Giesecke+Devrient smart cards
See section 2.1, Supported features for a description of the features supported by smart cards.
5.3.1 Features
The following MyID features are smart card or middleware specific. The table below indicates which smart card-dependent features are available in MyID with Giesecke+Devrient smart cards.
|
|
Features |
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Smart card |
||||||||||
|
Sm@rt Café® Expert 6.0 |
Y |
P |
|
|
Y |
|
|
|
Y |
Y |
|
SCE v7.0 |
|
P |
Y |
|
P |
P |
Y |
|
Y |
Y |
|
GieseckeDevrient – CoolKey |
Y |
P |
Y |
|
P |
|
|
|
Y |
Y |
Key:
- Y – Fully supported.
- P – Partially supported. See below for details.
- blank – Not supported.
5.3.1.1 PIN management
The following Giesecke+Devrient cards support a limited range of PIN management features:
|
|
Smart card |
||
|---|---|---|---|
|
Feature |
Sm@rt Café® Expert 6.0 |
SCE v7.0 |
GieseckeDevrient – CoolKey |
|
Lock the PIN after issuance. |
Y |
Y |
Y |
|
Identify when the PIN is locked. |
Y |
Y |
Y |
|
Replace the SOPIN with a randomized value. |
Y |
Y |
|
|
Replace the SOPIN with the factory SOPIN at cancellation. |
Y |
Y |
|
|
Unlock the PIN using the SOPIN. |
Y |
Y |
|
|
Provide a remote unlock code. |
Y |
Y |
|
|
Reset the PIN at cancellation. |
Y |
Y |
Y |
|
Configure on-card PIN policy. |
|
|
|
Key:
- Y – Fully supported.
- blank – Not supported.
5.3.1.2 PKI – RSA
The following Giesecke+Devrient smart card supports a limited range of PKI – RSA features:
|
|
Smart card |
|
|---|---|---|
|
Feature |
SCE v7.0 |
GieseckeDevrient – CoolKey |
|
Generate a private key for a certificate request. |
Y |
Y |
|
Write a certificate to the smart card. |
Y |
Y |
|
Cryptographically sign or encrypt data. |
Y |
Y |
|
Specify the default certificate for Windows logon. |
Y |
Y |
|
Write 1024 bit certificates. |
|
|
|
Write 2048 bit certificates.1 |
Y |
Y |
|
Remove certificates. |
Y |
Y |
|
Inject a private key for certificate recovery. |
Y |
Y |
|
Enumerate certificates on the card. |
|
Y |
Key:
- Y – Fully supported.
- blank – Not supported.
5.3.1.3 PKI – ECC
The following Giesecke+Devrient smart cards support a limited range of PKI – ECC features:
|
|
Smart card |
|---|---|
|
Feature |
SCE v7.0 |
|
Generate a private key for a certificate request. |
Y |
|
Write a certificate to the smart card. |
Y |
|
Specify the default certificate for Windows logon. |
Y |
|
ECC NIST P256 Curve |
Y |
|
ECC NIST P384 Curve |
|
|
ECC NIST P521 Curve |
|
|
Remove certificates. |
Y |
|
Archive certificates. |
|
|
Enumerate certificates on the card. |
|
Key:
- Y – Fully supported.
- blank – Not supported.
5.3.2 Remote unlock
Note: Not all Giesecke+Devrient cards support remote unlocking. Contact your card supplier for more details.
MyID supports remote unlocking of Giesecke+Devrient using the standard Unlock Credential workflow.
Note: If you set up your MyID system to use remote unlocking, you cannot issue any Giesecke+Devrient cards that do not support remote unlocking. If you attempt to issue a card that does not support remote unlocking, you will see any error similar to the following:
Initialize Error
-2147220734 Exception thrown: class CCardException
Message: A general smartcard error occurred
HRESULT: 80040302
PKCS Error: 30
From file: .\Card Drivers\GDSmartCard.cpp
From line: 395
Meaning: Smart Card Exception
5.3.2.1 Creating a secret key
- Start GenMaster from the Start menu.
- Select the option to Configure Secret Keys. Click Next.
-
The Configure Shared Secret Keys dialog is displayed.
- In Name, enter SafeSign Master Key.
- In Type, select Hexed Symmetric Key.
- Click Generate.
- Enter an appropriate Description.
- Click Next.
Note: Next is disabled until all information has been entered.
- A confirmation message is displayed – click Next to continue.
- Click Cancel to close GenMaster.
Note: The secret keys are written to the cards when they are issued, so you will not be able to use the remote unlock facility with any cards that were issued prior to creating this key.
5.3.2.2 Configuration settings
The Offline Unlock Method configuration option specifies which remote unlocking method you are going to use.
To specify the unlock method:
- Select Security Settings from the Configuration category.
- Select the PINs tab.
-
From the drop-down list for Offline Unlock Method, select one of the following:
- None – no remote unlocking
- Challenge – a 16-character challenge code is required
- Witness – a 56-character challenge code is required, that consists of both the challenge code and a HASH.
- Click Save Changes.
5.3.2.3 Operating instructions
If a cardholder repeatedly enters an incorrect PIN, the card will lock.
- The cardholder contacts the Helpdesk operator by telephone.
-
The Helpdesk operator uses the Unlock Credential workflow within MyID and guides the cardholder through generating a challenge using the Giesecke+Devrient Token Administration Utility.
When prompted, inform the cardholder to select Unlock PIN via off-line PIN unlock, then select
- 3DES ECB Challenge/Response
- 3DES ECB Witness/Challenge/Response
See the Unlocking a credential remotely section in the Operator's Guide for details of using the Unlock Credential workflow.
Note: Earlier versions of MyID used the Remote Unlock workflow for this procedure. From MyID 10.7, the Unlock Credential workflow supersedes Remote Unlock.
- The Helpdesk operator reads the unlocking code to the cardholder, who enters it into the Token Administration Utility. The code must be entered exactly as read, with no spaces. Case is not important.