DSE200 Administrator Guidekifri.fri.uniza.sk/~chochlik/epodpis/nCipher... · overview This chapter...

DSE200 ADMINISTRATOR GUIDE

Installation, Configuration, and Operation

Date: 1 August 2006

Version: 4.0

© Copyright 2006 nCipher Corporation Limited, Cambridge, United Kingdom.

Neither the whole nor any part of the information contained in this document may be adapted or reproduced in any material or electronic form without the prior written consent of the copyright holder.

nCipher™, nFast™, nForce™, nShield™, payShield™, KeySafe™, CipherTools™, CodeSafe™, UltraSign™, SafeBuilder™, Trust Appliance™, Security World™, netHSM™, SEE™, userShield™, nToken™, and the SEE logo are trademarks of nCipher Corporation Limited.All other trademarks are the property of the respective trademark holders.

Information in this document is subject to change without notice.

nCipher Corporation Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness to a particular purpose. nCipher Corporation Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Commercial Computer Software – proprietary

This computer software and documentation is Commercial Computer Software and Computer Software Documentation, as defined in sub-paragraphs (a)(1) and (a)(5) of DFAR § 252.227-7014, “Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation”. Use, duplication or disclosure by the Government is subject to nCipher’s standard US Terms And Conditions for the Product.

Patents

International Patent Applications PCT/GB01/00688, and PCT/GB02/03058 and corresponding national patents/applications.

EMC compliance

The use of hand held or mobile radio equipment with a rated output power of 4W or more should not be permitted within a radius of 2m of this equipment.

FCC class A notice

This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions:

(1) This device may not cause harmful interference, and

(2) this device must accept any interference received, including interference that may cause undesired operation.

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

European class A notice

This device has been tested and found to comply with the requirements of the EMC directive 89/336/EEC as a Class A product to be operated in a commercial environment at least 10m away from domestic television or radio. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.

Contents

Chapter 1: nCipher Document Sealing Engine – DSE200 ................7Welcome to accurate, auditable time.............................................................................................................7

Who should use this guide ...............................................................................................................7What’s in this guide ............................................................................................................................7Conventions used ...............................................................................................................................8

Technical support.................................................................................................................................................8

Chapter 2: DSE200 technology overview ............................................9Overview...............................................................................................................................................................9

Features .................................................................................................................................................................9

About time and time signing ...........................................................................................................................10

Time standards ..................................................................................................................................10Using a National Measurement Institute .....................................................................................10Time signing and business ...............................................................................................................10Public Key Infrastructure (PKI) ......................................................................................................11

How the DSE200 works ..................................................................................................................................11

The path of time................................................................................................................................11Time-stamp protocol support........................................................................................................12Signatures ............................................................................................................................................12About co-processors........................................................................................................................12Promise Raid Array Management (PAM) .....................................................................................13

Security worlds ..................................................................................................................................................13

Security................................................................................................................................................14Using Operator card sets to protect keys ..................................................................................15Robustness..........................................................................................................................................16

Chapter 3: Getting started.................................................................... 19Roles and responsibilities.................................................................................................................................19

Security Officer..................................................................................................................................19Network Manager.............................................................................................................................20

Getting an auditing services provider ...........................................................................................................20

TCP/IP requirements........................................................................................................................20

Preparing the DSE200 Environment..............................................................................................................21

Warnings .............................................................................................................................................22Hardware ............................................................................................................................................22Software ..............................................................................................................................................22

Secure location ..................................................................................................................................23Rack mounting ...................................................................................................................................23Temperature and humidity recommendations ...........................................................................23Primary power connection .............................................................................................................23

Setting up the hardware...................................................................................................................................24

On the back........................................................................................................................................24Connecting the smart-card reader ...............................................................................................24

Configuring the DSE200 on the network ...................................................................................................25

Get a static IP address .....................................................................................................................25Configuring the firewall....................................................................................................................26Starting up and logging in ................................................................................................................26Configuring the network connection ...........................................................................................27

Logging in.............................................................................................................................................................28

Adding an SSL certificate .................................................................................................................................28

Viewing the SSL certificate information.......................................................................................29

Chapter 4: Creating and managing security worlds ........................ 31Creating a security world ................................................................................................................................31

Replacing a security world...............................................................................................................................35

Joining an existing security world ..................................................................................................................35

Security world: SEE delegation .......................................................................................................................36

Viewing the security world status .................................................................................................................36

Chapter 5: Setting up the DSE200 ...................................................... 38Overview of Time Stamping Authority (TSA) keys...................................................................................38

About multiple TSAs ........................................................................................................................38How multiple TSAs work................................................................................................................39

Adding the CA certificates of an upper clock ............................................................................................39

Adding an upper clock......................................................................................................................................40

Creating a new TSA..........................................................................................................................................41

Configuring a TSA .............................................................................................................................................41

Initiating and fulfilling TSA certificate requests...........................................................................................43

Creating Operator card sets ..........................................................................................................43Initiating a TSA certificate request................................................................................................45Importing the CA certificate chain ...............................................................................................48Fulfilling a TSA certificate request.................................................................................................48

Loading a TSA.....................................................................................................................................................49

Registering a TSA ..............................................................................................................................................50

Checking the operational status ....................................................................................................................50

Chapter 6: Administering and using the DSE200............................. 53Restoring a TSA key..........................................................................................................................................53

Adding or removing an upper clock..............................................................................................................54

Enabling or disabling the clock .......................................................................................................................55

Viewing card set lists ........................................................................................................................................55

Viewing or changing card sets ........................................................................................................................56

Viewing the KeyStore information.................................................................................................................56

Viewing TSA certificate information .............................................................................................................57

Viewing time attribute certificate (TAC) information...............................................................................58

Viewing time-stamps issued ............................................................................................................................59

Viewing the uptime ...........................................................................................................................................60

Viewing Administrator and Board logs.........................................................................................................60

Viewing user login statistics ............................................................................................................................61

Viewing the log archive ....................................................................................................................................61

Adding a user......................................................................................................................................................62

Modifying or deleting users .............................................................................................................................63

Modifying user information .............................................................................................................................63

Restarting the server ........................................................................................................................................63

Chapter 7: DSE200 FAQs and solutions............................................ 65Overview.............................................................................................................................................................65

FAQ.......................................................................................................................................................................65

Digital certificates .............................................................................................................................65Leap seconds ......................................................................................................................................67Standards.............................................................................................................................................67Synchronization .................................................................................................................................67DSE200 ................................................................................................................................................68

Appendix A: Error messages and alerts............................................. 69Appendix B: Changing the module state............................................ 75

Changing to the initialization state ................................................................................................................75

Changing to the operational state .................................................................................................................76

Appendix C: Upgrading DSE200 software and firmware............... 77Installing nCipher DSE200 software..............................................................................................................77

Upgrading th nCipher module firmware of the DSE200..........................................................................78

After firmware installation ..............................................................................................................80

Appendix D: Replacing an ACS............................................................ 82Appendix E: Local Audit/NTP service ................................................ 83Appendix F: Time signing glossary ...................................................... 84Appendix G: TST TAC encoding and binding ................................... 98

CertificateChoices1 with ESSCertID (compatibility mode)....................................................98CertificateChoices2 with ESSCertID (RFC3369 & 3852) .......................................................98SignerAttribute (RFC3126 & ETSI) ...............................................................................................98

Index........................................................................................................... 99

Chapter 1: nCipher Document Sealing Engine – DSE200

Welcome to accurate, auditable timeWelcome to the nCipher Document Sealing Engine 200 (DSE200), the only fully secure and auditable stamp server available today.

With the DSE200 on your network, you will have the industry standard source of time signing for all your operations.

Who should use this guideThe DSE200 Administrator Guide is for network security officers and operators familiar with network configuration and operations.

What’s in this guideThe DSE200 Administrator Guide includes information on installing, configuring, and maintaining your DSE200.

While it is to your advantage to read from beginning to end before starting, we understand you are eager to just get going, so we have made every effort to put information where it will be most useful to you.

DSE200

nCipher DSE200 7Confidential and Proprietary

Technical support

Conventions usedThe following table illustrates the typographical and iconographic conventions used in this guide.

Technical supportIf you cannot find the information you need or you are unable to solve a problem with your nCipher product, contact Support at nCipher by sending E-mail to [email protected].

Term Definition

Bold Type in boldface indicates special terms and designates names of or labels for file, directories, menus, fields, tabs, and buttons.

Courier Examples of onscreen terminal display, both of data returned and of

your input, are represented in the Courier typeface.

Italic Variables are indicated by the italic typeface.

The exclamation mark within a warning triangle alerts you to information where improper use of the product could be harmful to equipment or data.!


mailto:[email protected]



Chapter 2: DSE200 technology overview

This chapter introduces the Document Sealing Engine (DSE200) and explains how it works. Sections in this chapter include:

• Overview on page 9

• Features on page 9

• About time and time signing on page 10

• How the DSE200 works on page 11

• Security worlds on page 13

OverviewThe DSE200 is a network appliance that provides secure and auditable time signing for any IT application, transaction, or log.

nCipher provides traceable and secure links to official Coordinated Universal Time (UTC) time sources. The DSE200 is calibrated by a dedicated service via an authenticated, secure network connection. After calibration, a DSE200 is ready to provide time signings to any Extended Public Key Infrastructure (PKIX) compliant time sign request.

Time signing includes the time, a hash of the digital information being time signed, and a time certification/calibration pointer. The pointer provides the necessary information to confirm that the time signing is accurate, valid, and traceable back to an official time authority.

FeaturesThe DSE200 includes the ability to:

• fulfill time signing requests from applications, transactions, or computer logs

• use an integrated nCipher cryptographic module

• implement time-signing as specified by the IETF PKIX Time-Stamp RFC (RFC 3161)

• execute 125 time stamps per second, 1024-bit RSA signing

• execute 50 time stamps per second, 2048-bit RSA signing

• offer full support for leap second events.


About time and time signing

For more information on how the DSE200 operates, see How the DSE200 works on page 11.

About time and time signingThe following material reviews time standards and time signing.

Time standardsThe international time standard is called Coordinated Universal Time (UTC). This standard was agreed upon in 1972 by worldwide representatives within the International Telecommunication Union. It is coordinated by the world’s International Bureau of Weights and Measures, or BIPM. (The designations UTC and BIPM were chosen as a compromise among all the countries’ abbreviations for the terms.)

The global availability and precision of UTC time makes it the ideal source of time for trusted time signing.

Using a National Measurement InstituteMost countries set their official time to a clock or clocks operated by their own National Measurement Institute (NMI).

By international agreement, the NMIs maintain audit records of their synchronization with BIPM UTC, thus providing verifiable sources of UTC time within their countries.

These clocks are disciplined to be within microseconds of UTC time.

Examples of NMIs

Time signing and businessReliable time is essential for doing business today. In the U.S., citizens make sure their taxes are paid by the April 15th deadline, and they point to the post office’s postmark to prove it.

Country Name of NMIAbbreviation

United Kingdom National Physical Laboratory NPL

France Laboratoire Primaire du Temps et des Fréquences LPTF

United States National Institute of Standards and Technology NIST

Japan Communications Research Laboratory CRL


How the DSE200 works

In the electronic world, where documents and time signings are simply bits and bytes, authoritative proof of when an event has occurred is vital. Since the security of time is absolutely linked to its coming from an official source, the reliance on easily manipulated time sources such as typical computer systems clocks is a problem.

Businesses are now seeing how vital it is to have a secure, authentic, and auditable “postmark” for electronic business transactions.

Public Key Infrastructure (PKI)A solution that guarantees authenticity, security, and auditability uses a combination of precision timing and Public Key Infrastructure (PKI) technology.

Briefly, PKI’s building blocks are digital certificates, which give proof that you are who you say you are by tying you to a specific public (widely available) key and a private (secret) key. What is encoded with one key can only be decoded with the other key.

PKI’s strength is that it ensures:

• privacy - no one but you can see the message

• integrity - what you receive is actually what was sent

• non-repudiation - the sender cannot deny the fact (repudiate) that they sent the message

• authenticity - the person who sent the message is really who they say they are.

PKI technology is used to ensure authenticity, integrity, and traceability. Traceability requires an unbroken chain of measurements from the time used in creating a time sign to the authorized source. PKI is used to digitally “sign” these measurements as well as the actual time signing.

PKI certification authorities (CAs) issue public key certificates, which authenticate the identity of a person, business entity, or system device such as a server. The certificate describes, by reference, the published practices and procedures of the CA. Knowing this, an end user can determine the level of trust to be placed in that certificate.

nCipher’s DSE200 uses X.509 public key certificates to sign the time signings and audit records.

How the DSE200 worksThe following is a “big picture” description of how the DSE200 works.

The path of timeTime is delivered from a National Measurement Institute (say, NIST in Colorado) to a Trusted Master Clock (TMC) at a Trust Authority. A Trust Authority (TA) provides an evidentiary trail showing the origin of the time. It operates in secure facilities. NIST also provides independent monitoring of the Trust Authority’s root clock operation.


How the DSE200 works

The TA certifies the time on a locally-installed DSE200 that services time signing requests from an application or transaction server. The certifications occur at regularly scheduled intervals depending on the accuracy required. All exchanges between the TA and the DSE200 are digitally signed and logged, and all communications are via an authenticated, secure network connection.

Once the TA completes the calibration and audit of the DSE200, it issues a signed Time Attribute Certificate (TAC) certificate to the DSE200 authorizing its operation.

The TAC certifies the calibration and traceability of the DSE200 clock. The DSE200 is then ready to provide time via signed time signings.

Time-stamp protocol supportThe DSE200 supports the following time-stamp protocols:

• RFC3161 Socket Base Protocol on TCP/318

• RFC3161 Time-stamp Protocol by HTTP at the following URL:

http://dse200-id/TSS/HttpTspServer

• A WebService interface at the following URL:

http://dse200-id/TSS/services/TimeStampService?wsdl

Note: In these URLs, dse200-id represents the IP address or domain name of your DSE200 unit.

SignaturesThe DSE200 uses certificates, issued by public certification authorities (CAs) to sign time stamps and authenticate audit records and communications between servers. Such signings, or signatures, consist of a block of data and a private key that together verify the identity of the signer and the integrity of the data that is signed.

The time sign includes the time and document hash signed by the DSE200. The user gets this and the TAC. The time sign and the TAC gives all the necessary information to confirm that the time sign is accurate, valid, and traceable back to the National Measurement Institute, in this case, NIST.

The time signings conform to the IETF Time-Stamp Protocol and Time-Stamp Token.

In PKI-based time signings, the actual document or file to be time signed does not leave the user’s computer. A message digest of the file is created using a one-way hash function. No bit of the original file may be modified without invalidating the hash.

About co-processorsAt the heart of the DSE200 is the nCipher cryptographic module with SEE, or the Secure Execution Engine. All cryptographic functions, including processing, time stamping, and clock operations are performed within the secure confines of the nCipher hardware


Security worlds

security module, or what is called the nShield. The nCipher nShield cryptographic module meets the internationally recognized FIPS 140-2 level 3 standards. nShield’s FIPS validation helps deliver confidence that the nShield protects the security of your private keys and software code. Also, there is advanced key management functionality.

The DSE200 comes with nCipher code running in it, and it implements Datum Secure Network Time Protocol (DS/NTP). It can issue up to 125 time stamps per second.

Together with the nCipher API, the DSE200 provides strong security for your network.

Promise Raid Array Management (PAM)The DSE200 chassis contains a Promise Raid Array Management (PAM) utility that enables you to monitor the status of the individual hard drives and the mirror drive array.

To access the data, log on to the nCipher-DSE200 array with the user name administrator and a blank password.

Further information about the PAM utility is available from the Promise Web site:http://www.promise.com/support/file/manual/PAMUtility_v6.pdf

Security worldsKey management is the hardest part of cryptography. Although designing secure cryptographic algorithms and protocols is not easy, there is a large body of academic research upon which to rely. Keeping the keys secret is much harder. nCipher has developed a paradigm, or construct, called a security world that provides secure life-cycle management for keys based on nCipher technology.

Key management involves the procedures and protocols, both manual and automated, that are used throughout the entire life cycle of cryptographic keys. These procedures and protocols include the generation, distribution, use, storage, destruction, and optional archiving and disaster recovery of cryptographic keys. The security world infrastructure lets you perform and control all these activities under your chosen security policy.

A security world consists of the following components:

• at least one nCipher cryptographic security module – the DSE200 includes an nShield cryptographic security module.

• an Administrator Card Set (ACS) – used to control access to security world configuration and recovery operations.

• optionally, a set, or sets, of Operator Smart Cards (OCS) – used to control access to application keys.

• some cryptographic key and certificate data – security world data is encrypted using the security world key and stored on hard disk.


http://www.promise.com/support/file/manual/PAMUtility_v6.pdf

Security worlds

SecurityThe most important task of a key management system is to store keys securely. Security must be designed into the system from the start; it cannot be added later.

The nCipher security world has been designed to ensure that keys remain secure throughout their life cycle. The security world uses multiple interlocking keys, and because of this, each key is always protected by another key, even during recovery operations.

Because the security world is built around nCipher modules, keys are only ever available in plain text inside DSE200.

At the time of security world creation, a cryptographic key is generated. This key protects the TSA keys and card sets that are later created and used in that security world. This cryptographic key, known as the security world key, can be a Triple DES key or an AES key depending on the option chosen when creating the security world.

Administrator and Operator card sets

A security world uses smart cards for two different purposes: administration or operation.

The Administrator Card Set (ACS) is used to control access to recovery functions. One or more Operator Card Sets (OCS) are used to protect access to signing operations for the TSAs in the DSE200.

Note: In strict FIPS 140-2 level 3 security worlds, smart cards are required to authorize some operations, including the creation of keys and card sets.

Each card set can consist of a number of smart cards, N, of which a number, K, is required to authorize an action. The required number, K, is sometimes called the quorum.

Note: The value for K is intended to be less than N. Although it is possible for K to equal N, this is not recommended as an error on one card will render the card set unusable. If this happens with your ACS, you will be forced to replace your security world and generate new keys.

The ACS is used to authorize several distinct actions. Each of these actions can have a different value for K.

All the card sets are distinct, that is, an individual smart card can only belong to the ACS, or to one OCS. Each user can access the keys protected by the security world and the keys protected by their OCS. They cannot access keys that are protected by any other OCS.

The smart cards that are used in an OCS use the security world key for a challenge-response operation with the DSE200. This means that Operator Cards can only be used in a DSE200 belonging to the same security world.


Security worlds

FIPS 140-2 compliance

All nCipher security worlds are FIPS 140-2 compliant. FIPS 140-2 level 2 is the default setting.

When you create a security world, you can choose whether you want the security world to comply with the roles and services section of the FIPS 140-2 standard at level 2 or level 3.

Note: This option provides compliance with the roles and services of the FIPS 140-2 level 3 standard. It is included for those customers who have a regulatory requirement for compliance.

A security world that complies with the roles and services section of FIPS 140-2 level 2 does not require any authorization to create an OCS or an application key.

FIPS 140-2 Level 3 compliance

This option is included for those customers who have a regulatory requirement for compliance with the FIPS 140-2 standard at level 3.

A security world that complies with FIPS 140-2 level 3 requires authorization from any smart card that is part of the security world’s ACS, or an OCS, before you can create or erase an OCS.

If you choose to create a security world that complies with FIPS 140-2 level 3, the DSE200 initializes in strict FIPS mode. This option ensures that the DSE200 complies with the roles and services, key management, and self-test sections of the FIPS 140-2 standard at level 3, as described in its validation certificate.

For more details of the nShield FIPS validation see:http://csrc.nist.gov/cryptval/140-2.htm

Using Operator card sets to protect keysIf you want to restrict key access to a particular user, you can create a set of smart cards known as an Operator Card Set (OCS). There is no limit to the number of card sets that you can create within a security world.

An OCS belongs to a specific security world. An OCS cannot be read, erased, or even formatted except by a DSE200 that is within the security world of the OCS.

An OCS stores a number of symmetric keys that are used to protect the working TSA keys. These keys can either be Triple DES or AES keys depending on the option chosen when creating the security world.

Each card in an OCS stores only a fragment of the OCS keys. These keys can only be re-created if you have access to enough of their fragments. Because cards sometimes fail or are lost, the number of fragments required to re-create the key (K) should usually be less than the total number of fragments (N).


http://csrc.nist.gov/cryptval/140-2.htm

Security worlds

Using card sets for extra security

If you want to create a card set for extra security, you need to make K large and N less than twice K (for example: 3 of 5, or 5 of 9). This practice ensures that if you have a set of K cards that can be used to re-create the key, you can be certain that there is no other such set in existence.

Using pass phrases

Each Operator Card can be given a pass phrase. The pass phrases are independent. You can choose to give only some cards in a card set. You can change the pass phrase on a card at any time. This requires the card, the existing pass phrase, and a DSE200 that belongs to the security world.

There is no absolute limit on the length of pass phrases, but you might encounter problems if they are longer than 255 characters. For maximum compatibility with future releases we recommend that pass phrases are limited to 80 characters.

The security world does not impose restrictions on what characters you can use, but only characters accepted by a normal HTML form can be used on your DSE200.

Using persistent Operator card sets

If you create a standard OCS, the TSA keys protected by the card can only be used while the card—or the last card loaded in the case of card sets—is in the DSE200’s smart card reader. The keys protected by this card are removed from the memory of the DSE200 as soon as the card is removed from the smart card reader. Although this feature provides added security, it means that only one user can load keys at any time because there is only one smart card reader on the DSE200.

The security world architecture gives you the option of making an OCS persistent. This means that the keys protected by a card persist after the card has been removed.

The DSE200 maintains strict separation between the TSA keys loaded by each user, and each user only has access to the keys protected by their OCS.

TSA keys protected by a persistent card set are automatically removed from the DSE200:

• after the time limit specified during the card set creation

• the Clear button on the DSE200 is pressed

• the DSE200 is turned off.

You are offered a choice as to whether or not to make an OCS persistent when you create the card set. Once you have made the decision, you cannot change it. Persistence is a property of the card set. A security world can contain a mix of persistent and non-persistent card sets.

RobustnessIf you are using cryptography in a production environment, you need to know that it will work 24 hours a day, 7 days a week. If something goes wrong, you must be able to


Security worlds

recover—and to do so without compromising your security. An nCipher security world offers all of these features.

Recovery

The nCipher security world data stored in the DSE200 is encrypted using Triple DES or AES depending on the option chosen when creating the security world. Back up the data stored in the kmdata directory regularly and safely with your normal backup procedures. It would not matter if an attacker were to obtain this data because it is worthless without the encryption keys stored in your DSE200, and the Administrator cards for that security world.

When you create a security world, it automatically creates recovery data for the security world key. As with all host data, this is encrypted with Triple DES or AES. The cryptographic keys that protect this data are stored on the ACS. The keys are split among the cards in the ACS using the same K-of-N mechanism as for an OCS. The ACS protects several keys that are used for different operations.

The cards in the ACS are only used for recovery operations and adding extra DSE200s to a security world. At all other times, these cards should each be stored separately, in secure locations.

Note: In strict FIPS 140-2 Level 3 security worlds, the ACS or an OCS will also need to be used to control the creation of keys and OCSs.

In addition to the security world data, also back up the /nfast/dse200/userfiles/ directory regularly. This directory contains the log files and the configuration files for your DSE200.

Replacing the ACS

If you lose one of the smart cards from the ACS, or if the card fails, you must immediately create a replacement set using the racs command-line utility. The DSE200 does not store recovery data for the ACS. It relies on there being at least enough smart cards to reach the number of cards in the quorum K from the original N cards created; therefore, it can re-create all the keys on the DSE200 even if the information from one of the cards is missing.

Although replacing the ACS deletes the copy of the recovery data on the host, the old ACS can still be used with the old host data, which may be on backup tapes and other hosts. To protect against this risk, you must immediately erase the old Administrator Cards after you create a new ACS.

!


Security worlds

Risk managementEven the best-designed tools cannot offer security against every risk. Although a security world can control which user has access to which keys, it cannot prevent a trusted user from using a key fraudulently. For example, a security world can only determine whether a user is authorized to use a TSA key; it cannot determine whether the message being time-stamped with that key is accurate.

A security world can only manage keys that were created inside the security world. Most failures of security systems are not the result of inherent flaws in the system, but result from carelessness on the part of the users. The following basic rules apply to any security system:

• Keep your smart cards safe.

• Always obtain smart cards from a trusted source: from nCipher or directly from Gemplus.

• Never insert a smart card used with nCipher key management into an untrusted smart card reader.

• Never insert any untrusted smart card into your DSE200.

• Never tell anyone your pass phrase.

• Never write down your pass phrase.

• Never use a pass phrase that is easy to guess.

Note: If you have any doubts about the security of a key or the security world or both, you should replace that key and/or security world with a newly generated one.


Chapter 3: Getting started

This chapter explains how to install and get started with your DSE200. Sections in this chapter include:

• Roles and responsibilities on page 19

• Getting an auditing services provider on page 20

• Setting up the hardware on page 24

• Configuring the DSE200 on the network on page 25

• Logging in on page 28

• Adding an SSL certificate on page 28

Roles and responsibilitiesSecurity Officer and Network Manager are the two roles that are involved in getting your DSE200 started.

Security OfficerThe Security Officer handles key and certificate management, and is reponsible for:

• contracting with an auditing services provider

• preparing the DSE200 environment

• installing the DSE200 hardware

• configuring the DSE200

• creating a security world

• adding an SSL Certificate on the DSE200

• creating and certifying TSA keys

• certifying upper clocks.

Check your DSE200 before you start. Inspect the packing list and each item in the box. If there is any damage or any items are missing, contact nCipher immediately.!


Chapter 3

Network ManagerThe Network Manager is the day-to-day manager and operator of the DSE200, and is responsible for:

• enabling or disabling time stamping and auditing

• configuring audit settings.

Getting an auditing services provider

Note: The following tasks and information are for your organization’s Security Officer.

Before you start, be certain you are contracted for auditing services with an auditing services provider. You must have an auditing services provider before you start working with your DSE200.

If you need more information about service providers, please contact your nCipher sales representative.

TCP/IP requirementsYour service provider will need the TCP/IP information regarding the DSE200. The following sections discuss the TCP/IP ports the DSE200 uses for listening and sending.

TCP/IP ports used for listening

The DSE200 listens on the following TCP/IP ports for time stamp, Datum Secure Network Time Protocol (DS/NTP), and administrative functions:

Listens on: For:

UDP/123 DS/NTP audits or for standard Network Time Protocol (NTP) if Local Audit with NTP Service is set up. This is the default port for the first TSA that you create. If you create multiple TSAs, you must configure a unique UDP port number for each TSA. See Chapter 5: Configuring a TSA on page 41 for the instructions.


Chapter 3

TCP/IP ports used for sending

The DSE200 sends outgoing TCP/IP on ports for DS/NTP and NTP:

What you get from your service provider

After you have signed your agreement with your auditing service provider, your provider will supply you with, at a minimum, the entire certificate chain for all upper clocks and the IP address for all upper clocks you will be using.

Preparing the DSE200 Environment


The following sections discuss the hardware, software, security, and physical environment for your DSE200.

TCP/318 RFC3161 Socket-Based Time-Stamp protocol (TSP).

TCP/80 and TCP/443

HTTP and HTTPS connections. HTTP and HTTPS are used for the administrative user interface. HTTP also supports:

• RFC3161 TSP over HTTP http://dse200-id/TSS/HttpTspServer

• WebServer interfacehttp://dse200-id/TSS/services/TimeStampService?wsdl.

Sends on: For:

UDP > 1023 DS/NTP Audit replies to DS/NTP server. In case of multiple TSAs, each TSA responds to the DS/NTP audit through one of these dynamic ports.

UDP/123 Local Audit with NTP Service if it is configured.

UDP/318 Audit Requests to a DS/NTP server.

Listens on: For:


Chapter 3

WarningsBefore you start, please note the following warnings:

HardwareUse the chassis, smart-card reader, keyboard, mouse, and power cord provided by nCipher along with your PC monitor and network cable.

Make sure you have enough smart cards to create the card sets you will need.

You also need a local TCP/IP connection to the DSE200.

SoftwareAll the software is pre-installed on the DSE200. You can use the following Web browsers to access DSE200:

• Microsoft Internet Explorer 5.0 or above

The DSE200 uses sophisticated security mechanisms to ensure physical and logical integrity. Attempting to use the DSE200 in suboptimal operating environments negatively affects performance.

WARNING: This product must be earthed.ATTENTION: Le système doit être mis à la terre conformément aux prescriptions.VORSICHT: Das System muß stets vorschriftsmäßig geerdet sein.

If the DSE200 is connected to a protective earth using the earth stud on the back panel, ensure when removing or adding other units to the rack that the integrity of the protective earth connection is maintained.

WARNING!To prevent electrical shock or injury, DO NOT remove the DSE200 cover.Dangerous voltages exist within this enclosure!

!

!

!

!


Chapter 3

• Netscape 6.0 or above.

• Firefox 1.0, Mozilla 1.75

• Opera 7.23

Secure locationThe DSE200 should be installed in a physically secure location with strong physical access controls.

Rack mountingThe DSE200 is designed for mounting in a standard 19-inch (48.26cm) rack. When mounting the DSE200 in the rack:

• it is important to keep the fan intake and outflow areas clear, to maintain air flow

• if the unit is installed in a closed or multi-unit rack assembly, the ambient temperature of the rack environment may become greater than that of the room, so allow for this

• be sure that the operating temperature of the rack is no higher than 50°C/122°F

• make sure the unit is properly balanced and grounded.

Temperature and humidity recommendationsnCipher recommends that you operate the DSE200 within the following temperature and humidity parameters:

• Ambient operating temperature: 10°C to 35°C (50°F to 95°F), subject to sufficient airflow.

• Storage temperature: -20°C to 60°C (-4°F to 158°F)

• Operating humidity: 10% to 85% (relative) non-condensing at 35°C (95°F)

• Storage humidity: 0% to 95% (relative) non-condensing at 35°C (95°F).

Adequate cooling of the DSE200 is essential for trouble free operation and a long operational life. Insufficient cooling shortens the life of the DSE200.

Primary power connectionThe DSE200 uses external AC power. The unit has a power cable with a PH-386, IEC 320-C-13 three-conductor female connector on the computer end of the cable. The configuration of the cable’s other end varies, depending on your country.


Chapter 3

Setting up the hardware


On the back

Note: Do not turn on the DSE200 yet.

1: Connect the RJ45-terminated Ethernet cable to one or both network ports on the DSE200.

Note: If only one network connection is required, it must use the bottom Ethernet port (eth0)

2: Connect the power cable to the DSE200. Figure 3-1 shows the DSE200 back panel configuration.

Connecting the smart-card readernCipher recommends that you only use nCipher smart-card readers.

Note: In order for an nCipher PCI module (as built in to the DSE200 unit) to comply with the FIPS 140-2 level 3 standard, it is necessary to fit an EMI filter (see Figure 3 - 2) between the module and the smart-card reader. Fitting the EMI filter provides compliance with the letter of the FIPS 140-2 level 3 standard but does not improve the security of your keys. The filter is provided for those customers who have a regulatory requirement for compliance.

If your module is supplied with an EMI filter fitting kit (including the EMI filter itself, 2 tubular spacers, 2 washers, and 2 threaded bolts), fit the EMI filter as follows:

1: Place a tubular spacer between the flanges on one side of the EMI filter.

Figure 3-1: DSE200 Back panel configuration

A B C D

E F G H J K

A PCI Card BracketB RJ45 Ethernet (eth1)C nCipher HSMD Power SupplyE USB ConnectorF Video Connector

G SCSI ConnectorH RJ45 Ethernet (eth0)I PS2 ConnectorJ RJ45 Serial PortK Video Connector

I


Chapter 3

2: Slide a washer onto one of the threaded bolts, pushing the washer up the bolt to rest under the head of the bolt.

3: From the male end of the EMI filter (the end with the 9 small metal pins), insert the bolt through the flanges and the tubular spacer. The threaded end of the bolt must protrude from the flange at the female end of the EMI filter (the end with the 9 small holes in black plastic).

4: Repeat the process above for the flanges on the other side of the EMI filter so that both bolts are inserted through the washers, filter flanges, and spacers.

5: Fit the female end of the EMI filter to the 9-pinned port on your nCipher PCI module (on the back of the DSE200 unit).

To connect the smart card reader, fit the smart card reader’s cable connector to the male end of the EMI filter (as fitted on the internal module’s PCI port).

Configuring the DSE200 on the network


The following sections explain how to configure your DSE200 on the network.

Get a static IP addressYour auditing service provider must be able to connect to your UDP port 123. This means that your DSE200 must have a static IP address.

Contact your IS department and request the following:

• an IP address

• a subnet mask

• a gateway

Figure 3 - 2: EMI Filter


Chapter 3

• DNS servers and, if available, an SMTP server. If you want e-mail alerts, you need an SMTP server with which your DSE200 can communicate.

Configuring the firewallCheck with your IS department about firewalls. Configure them now to allow your DSE200 to receive communications from your auditing services provider.

Starting up and logging inYou can install your DSE200 on Microsoft Windows 2000 or 2003. To start up and log in, follow these steps:

1: On the DSE200, install the cables for your keyboard, mouse, monitor, and at least one network cable. During normal operation, the System Status LED (item E in Figure 3 - 3) on the DSE200 front panel is lit green.

2: Turn on power to the DSE200. The DSE200 starts up and opens the Microsoft Windows log on dialog on your monitor.

3: Enter the following information:

Field Enter

User Name Administrator

Password Administrator

Figure 3 - 3: DSE200 Front panel configuration

A B C D E HA NIC 1 Activity LEDB NIC 2 Activity LEDC Power/Sleep LEDD Power ButtonE System Status LEDF Fixed Disk Drive Status LEDG ID LEDH ID ButtonI Front Accessible VideoJ NMI ButtonK USB PortL Reset Button

F G

I J K L


Chapter 3

Note: The user name and password are case sensitive.

Note: Change the default passwords as soon as possible to conform with your assigned security policies.

4: Click OK. The next stage is to configure the DSE200’s network connection.

Configuring the network connectionTo configure the DSE200 on your network, follow these steps:

1: From the Start menu, navigate to Settings > Network > Dial-up Connections.The Network and Dial-up Connections dialog opens.

2: Right-click Local Area Connection, and select Properties.

The Local Area Connection Properties dialog opens.

3: Select Internet Protocol (TCP/IP), and click Properties.

The Internet Protocol (TCP/IP) Properties dialog opens.

4: Select the Use the Following IP Address option, and enter the following information:

5: Click OK, then click OK again to close the dialogs.

6: Reboot the DSE200.

You can administer the DSE200 on any workstation with a network connection to DSE200. All you need is a Web browser such as Microsoft Internet Explorer 5.0 or above or Netscape 6.0 or above. The DSE200 has also been tested with Firefox 1.0, Mozilla 1.75, and Opera 7.23.

You can now log in and set up, administer, and use the DSE200. You do this by browsing to the DSE200’s Web-based administration pages and being authenticated.

Field/Option Enter

IP address The IP address given to you by your IS department.

subnet mask The subnet mask given to you by your IS department.

gateway The default gateway given to you by your IS department.

DNS server The DNS server address given to you by your IS department.


Chapter 3

Logging in1: In a Web browser, enter the following url:

https://DSE200-id/TSS/jsp/adminPage.jsp

Note: In this URL, DSE200-id represents the IP address or domain name of your DSE200 unit as configured during the process described in Configuring the DSE200 on the network on page 25.

The Administrator Login page appears.

2: Enter the appropriate user ID and password:

3: Click Login. The main administrative page opens.

Note: For security purposes, we recommend that you change the Security Officer user name and password as soon as possible. See Chapter 6: Modifying or deleting users on page 63 for more information.

Adding an SSL certificate

Note: The following task is for your organization’s Security Officer.

To ensure secure communication between the DSE200 and any workstation you use to connect with, you must install an SSL certificate.

1: Log in with the Security Officer responsibility.

2: Navigate to Server Management > SSL Certificate.

3: Click Initiate to initiate a certificate request of your Certificate Authority.


Field Security Officer Network Manager

Name superuser admin

Password superuser administrator

Field Enter/Select

Common Name A name for the certificate.

Organization The name of your organization.


Chapter 3

5: Click Submit Request. When prompted, click OK to confirm the information you have entered is correct.

The certificate request appears.

6: Click Select All, and right-click on the selected text. Copy and paste it into a text file and save to your preferred location.

7: Send the contents of the certificate request to your CA or to your internal SSL certificate issuer.

8: When you receive your SSL, navigate to Server Management > SSL Certificate > Fulfill.

The Fulfill SSL Certificate window appears.

9: Load the SSL certificate file or paste its contents into the SSL Certificate area and click Accept.

You can now be sure that you can communicate securely with your DSE200.

Viewing the SSL certificate information1: Log in with the Security Officer responsibility.

2: Navigate to Server Management > SSL Certificate > Info.

The SSL certificate dialog appears, displaying the following information:

Organizational Unit The name of the organizational unit.

Locality The locality information.

State The state information (optional).

Country The name of the country you live in.

Field Description

Version Version of the SSL certificate

Serial Number Unique serial number of the certificate

Signature Algorithm Signature type used for creating the certificate

Issued By Certificate details of the Certificate Authority (CA) issuing the certificate

Issued To Certificate details of the entity receiving the certificate

Field Enter/Select


Chapter 3

Valid From and Valid To

The validity dates determine the validity period of the SSL certificate

Public Key The public half of the generated key

Field Description


Chapter 4: Creating and managing security worlds

This chapter explains how to create and manage security worlds. Sections in this chapter include:

• Creating a security world on page 31

• Replacing a security world on page 35

• Joining an existing security world on page 35

• Security world: SEE delegation on page 36

• Viewing the security world status on page 36

Creating a security world


Note: Before you start, ensure you have enough smart cards to create the ACS needed in the security world.

When you create a security world, you generate the cryptographic key that protects the TSA keys and OCSs that are later created and used.

1: Having logged on as a Security Officer to the DSE200 using the Web interface, place the DSE200 in the pre-initialization state by switching the mode switch on the back of the DSE200 to the initialization position (I).

2: Press the Clear switch.

The DSE200 performs self-tests, during which the Status LED is on. When the self tests have been completed successfully, the DSE200 enters the initialization state, in which the Status LED emits repeated single short flashes.

3: Navigate to Server Management > Security World > Initialize New.

The Initialize Security World dialog opens.


Chapter 4


5: When you have provided the necessary information, click Next.

The Initialize Security World – Advanced Options dialog opens.

Field/Option Enter/Select

Total number of Administrator Cards in set (N):

The total number of cards (N) that you want to have in the ACS. This number (N) must be less than or equal to 64.

Number of Administrator Cards required for access (K):

The number of Administrator Cards that you want to require in order to authorize administrative actions (K). This number (K) must be less than or equal to the total number of cards (N).

Protection Mode AES/Rijndael or DES3

FIPS 140-2 level III compliant?

• Yes if you want the new security world to comply with the roles and services, key management, and self-test sections of the FIPS 140-2 standard at level III.This option provides compliance with the letter of the FIPS 140-2 level III standard, but does not improve the security of your keys. It is included for those customers who have a regulatory requirement for compliance.

• No to comply with the FIPS 140-2 level II standard only.

Permit receipt of remote Operator Card shares?

This option is not applicable to the DSE200. You will be able to set this option in the user interface, but the Remote Operator feature is currently disabled.


Chapter 4


Field/Option Enter/Select

Enable key recovery? Yes to enable key recovery.

Note: Currently, DSE200 only supports creating TSA keys. However, future versions of the DSE200 may support the creation of keys for which the key recovery option is desirable. Because of this, nCipher recommends you select Yes. If the security world supports key recovery, it is always possible to create a key with recovery disabled, but if the security world does not support key recovery, then you cannot create a key with recovery enabled without reinitializing your security world and discarding all your existing keys.

Number of Administrator Cards required to authorize key recovery:

The number of Administrator Cards that will be required to authorize key recovery (if you chose to enable key recovery).

Enable passphrase recovery?

Yes to enable pass phrase recovery. The default is No.

Number of Administrator Cards required to authorize pass phrase recovery:

The number of Administrator Cards that will be required to authorize pass phrase recovery (if you chose to enable pass phrase recovery).

Number of Administrator Cards required to load this security world onto a new module:

The number of Administrator Cards that will be required to load this security world onto a new nCipher cryptographic security module.

Generate foreign token (FTO) authorization key?

This option is not applicable to DSE200. You will be able to set this option in the user interface, but the FTO feature is currently disabled.

Number of Administrator Cards required to authorize FTO key operations:

-NA-


Chapter 4

7: Click Next.

The Initialize Security World – SEE Options dialog opens. When creating a security world for your DSE200, a real-time clock (RTC) authorization key and a nonvolatile memory (NVRAM) authorization key must be generated and Secure Execution Engine (SEE) debugging must be enabled without any access control. These features are all enabled by default and cannot be changed.


9: Click Next. You are prompted to insert the cards that will form the ACS.

10: For each card, follow the onscreen instructions to either set a pass phrase for the card or to format the card without a pass phrase. Each card can have a different pass phrase, and any card’s pass phrase can be changed later.

After you have formatted all the Administrator Cards, the DSE200 creates a module key. It takes a few moments to initialize the security world. When initialization is complete, the DSE200 displays this message: Security world successfully initialized.

11: Place the DSE200 in the operational state by switching the mode switch on the back of the DSE200 to the operational position (O).

12: Press the Clear switch.

The DSE200 performs self-tests, during which the Status LED is on. When the self tests complete successfully, the unit enters the operational state, in which the Status LED emits repeated single short flashes.

13: The DSE200 now directs you to load administrator keys to sign Secure Execution Engine delegation data. Follow the onscreen instructions, inserting cards from the ACS as prompted.

Note: If you discover at any time that one or more of the cards in your security world’s ACS has been damaged or lost, use the command-line utility racs.exe to create a new set

Field/Option Enter

Number of Administrator Cards required to authorize RTC key operations.

The number of Administrator Cards that will be required to authorize real-time clock (RTC) key operations.

Number of Administrator Cards required to authorize RTC key operations.

The number of Administrator Cards that will be required to authorize nonvolatile memory (NVRAM) key operations.


Chapter 4

immediately. See Appendix D: Replacing an ACS on page 82 for more information. If further cards are damaged or lost, you may not be able to recreate your security world.

Replacing a security worldYou can, if necessary, replace a security world.

If there is already a security world on your DSE200’s host computer, you will receive a warning when you try to initialize a security world.

Replacing an existing security world in this way does not delete the security world’s host and recovery data. It renames the existing kmdata directory in which these reside as kmdata_nn (where nn is an integer, 0 or greater, depending on how many security worlds have been previously saved during overwrites).

Operator cards

Any Operator Cards created in a previous security world cannot be used in a new security world.

If you are replacing a security world, you must erase all Operator Cards created in the previous security world before you create the new security world.

However, if you want to discard a security world, nCipher recommends that you erase all your Operator Cards first or create a backup of the C:\nfast\kmdata directory.

Joining an existing security worldYou can use this function to incorporate a new DSE200 into your security world or to restore an existing DSE200 after a firmware upgrade. Re-programing a DSE200 in this way copies the security world secrets that are stored on your ACS to the DSE200.

1: Ensure the DSE200 is in the pre-initialization state by switching the mode switch on the back of the DSE200 to the initialization position (I).

2: Select the Security World > Join Existing option.

3: From the Reprogram Module screen, select either the Yes or No radio button to specify whether you want to permit the receipt of Remote Operator Card Shares, and then click Next.

4: As prompted, insert the cards from the existing security world’s ACS that are required to authorize this action, and click OK. If a pass phrase is required, you must then enter it.

After you have loaded the required number of Administrator Cards, KeySafe loads the module key onto the DSE200.


Chapter 4

5: Put the DSE200 into the operational state, by switching the mode switch on the back of the DSE200 to the operational position (O). Also, return the Administrator Card Set to safe storage.

The DSE200 is now reprogrammed into the existing security world and can be used with keys and cards from that security world.

Security world: SEE delegationThe Security World > SEE Delegation option enables you to give the DSE200 SEE machine the permanent ability to set the real-time clock (RTC), allocate nonvolatile memory (NVRAM), and to originate keys.

When the SEE delegation operation is complete, the delegation certificate signatures are stored in the file C:\nfast\kmdata\local\dsedelegation.

Normally, these privileges are configured when the security world is first initialized, in which case you do not need to use the Security World > SEE Delegation option. However, in the event that security world creation is interrupted or you lose the dsedelegation file, you can use the Security World > SEE Delegation option to re-create the appropriate privileges.

Viewing the security world statusNavigate to Server Management > Security World > Display Settings to view the status information of your security world and its ACS. The Security World Settings dialog opens, displaying the following information:

Field Description

Total admin cards in the set (N)

The total number of cards in the ACS.

Admin cards required for access (K)

The total number of cards that are required for access.

FIPS 140-2 level III compliant

Enables you to know whether the security world is compliant with the guidelines specified in the FIPS 140-2 level III standard.

Key recovery If this is enabled, the security world enables you to recover individual keys. The DSE200 currently only supports creating TSA keys. However, future versions of the DSE200 may support the creation of keys.


Chapter 4

Pass phrase recovery If this is enabled, you will be able to recover the password of an operator card.

Cards required to load Security World onto new module

The number of Administrator cards required to load the security world to a new nCipher cryptographic security module.

Foreign token (FTO) authorization key

You will be able to set this option in the user interface, but the FTO feature is currently disabled in the DSE200.

Cards required to authorize FTO key operations

-NA-

Real-time clock (RTC) authorization key

The RTC key enables the setting of the RTC on the DSE200.

Cards required to authorize RTC key operations

The number of Administrator Cards required to authorize real-time clock (RTC) keyoperations.

Nonvolatile memory (NVRAM) authorization key

The NVRAM key enables the allocation of NVRAM files on the DSE200.

Cards required to authorize NVRAM key operations

The number of Administrator Cards required to authorize nonvolatile memory (NVRAM)key operations.

SEE Debugging This is always set to No Access Control on the DSE200.

Field Description


Chapter 5: Setting up the DSE200

This chapter explains how to set up the DSE200. Sections in this chapter include:

• Overview of Time Stamping Authority (TSA) keys on page 38

• Adding the CA certificates of an upper clock on page 39

• Adding an upper clock on page 40

• Creating a new TSA on page 41

• Configuring a TSA on page 41

• Initiating and fulfilling TSA certificate requests on page 43

• Loading a TSA on page 49

• Registering a TSA on page 50

• Checking the operational status on page 50

Overview of Time Stamping Authority (TSA) keysA Time Stamping Authority (TSA) key is used for signing time-stamps. You can either create a single TSA and use the same signature key for all time-stamps, or create multiple TSAs based on your requirements. TSA keys are created by your organization’s Security Officer.

About multiple TSAsDSE200 now supports the creation of multiple TSAs. You can create multiple TSAs for:

• departments: each department in your organization might need a different TSA.

• customers: if you are a service provider, you might want to operate a DSE200 for several customers. In such cases, you can create a separate TSA for each customer so that the TSA certificate name is related to the customer.

• policies: you might need different TSAs for different policies within your organization. For example, you might have policies that require different types of signatures (DSA or RSA) or different key sizes (1024-bit or 2048-bit).

DSE200 continues to support the use of a single TSA. The ability to create multiple TSAs does not affect the existing functionality. The number of TSAs that you can create depends on the NVRAM available in your DSE200.


Chapter 5

How multiple TSAs work

RFC3161 time-stampsThe DSE200 uses Policy Object Identifiers (OIDs) and hash algorithms (MD5, SHA1, SHA256, SHA384, and SHA512) to determine which TSA should be used to issue the time-stamp. However, the policy OIDs need not be unique for each TSA.

When you create multiple TSAs, you can assign one of them as the default TSA. You can configure each TSA to support a specific policy OID and a list of hash algorithms. When a client requests a time-stamp, the DSE200 checks the policy OID and the hash algorithm on the request and one of the following occurs:

• If the request does not include an OID, it is sent to the default TSA or the first TSA that supports the hash algorithm.

• If the request includes an OID, it is sent to the first TSA that supports the OID and the hash algorithm.

• If the request includes an OID and none of the TSAs support the OID and the hash algorithm, the DSE200 returns an error.

A TSA on DSE200 must receive a DS/NTP audit before it can issue time-stamps. When there are multiple TSAs, each TSA is assigned to a unique port. Each TSA listens to and receives the DS/NTP audit on the specified port.

Authenticode time-stampsAuthenticode time-stamp requests do not include policy OIDs. If you intend to support authenticode time-stamp requests, you must create a TSA that uses an authenticode time-stamp mode key. When the client requests an authenticode time-stamp, the DSE200 sends the request to this TSA.

Adding the CA certificates of an upper clock


The Upper Clock CA Cert Store holds the root CA certificate and intermediate CA certificates of upper clocks that are authorized to audit the DSE200. To add the certificate you have received from your auditing service provider:


2: Navigate to Certificate Management > Upper Clock Cert Store.

The UC Certificate Store dialog opens.

3: Click Add.

The Add Upper Clock Certificate dialog opens.


Chapter 5

4: Browse to locate the certificate, and click Add.

Note: To enable an upper clock to audit a TSA, you must not only add the root and intermediate CA certificates to the Upper Clock CA Cert Store, but also add the clock to the TSA. See Configuring a TSA on page 41 more information.

As the next task is meant for your organization’s Network Manager, log out of DSE200 and ask your Network Manager to log in.

At this stage, your organization’s Network Manager is responsible for configuring settings so that your service provider can audit your time settings.

Adding an upper clock

Note: The following tasks and information are for your organization’s Network Manager.

This section explains how to add an upper clock and configure its settings so that it can be audited by your service provider. If you have multiple TSAs, you can configure the audit settings of each TSA. Each TSA can have a different upper clock.

1: Log in with the Network Manager responsibility.

2: Navigate to TSA Management > Configuration.

The TSA Configuration dialog opens, listing all the TSAs that exist in the DSE200.

3: Select the TSA to which you would like to add the upper clock, then click Configure.

The TSA Configuration dialog opens.

4: Click Add.

5: Enter the following clock information:

Field Enter/Select

Upper Clock IP The IP address to your upper clock. The default port number is 318.

Note: Your audit service provider must be able to access this IP address.

Upper Clock Port The default port for your upper clock.

Audit Request Retry Delay

How long in seconds before your service provider should wait before trying to audit your clock.

Audit Request Max Retry

The maximum number of audit attempts in the case of communication failure.


Chapter 5

6: Click Add.

The new upper clock is added to your list.

7: Back in the Audit Configuration dialog, click Update to save the information you have entered. The information is lost if you don’t click Update.

See Chapter 6: Adding or removing an upper clock on page 54 for information on how to remove upper clocks.

Creating a new TSAA TSA key is used for signing time-stamps. You can either create a single TSA to issue a single type of signature across all departments in your organization, or create multiple TSAs based on your requirements.




3: Click Add.

The Create a New TSA dialog opens.

4: Enter a name for the TSA.

5: Enter a TSA policy identifier.

The policy OID is used to determine which TSA should sign the time-stamp request. When a time-stamp request is received, the DSE200 checks the policy OID and sends it to the TSA that supports the OID. It is possible to change the policy OID later. See Configuring a TSA on page 41 for more information.

6: Click Add.

7: Click OK to confirm the details of the TSA.

The TSA is created and the status appears as Uncertified. You can now configure the settings of the TSA. The TSA is not functional until you initiate and fulfill it.

Configuring a TSAAfter you create a TSA, you can configure its settings. The Configuration option enables you to:

• add or remove time-stamp policy OIDs

• select the acceptable time-stamp hashes

• configure the port on which the TSA must listen to DS/NTP audits

• select the DS/NTP audit source


Chapter 5

• add the root CA certificate of the upper clock that must audit the TSA.

To configure the TSA:



The TSA Configuration dialog opens, listing all the TSAs that exist in the DSE200.

3: Select the TSA that you would like to configure, then click Configure.


4: Enter the name of the TSA in the TSA Name field.

5: Optionally, to change the policy OID in the TSA, enter a new OID in the Acceptable Policy field.

6: Select the time-stamp hashes that the TSA must support.

7: Select a TST TAC encoding and binding option. These options determine in which part of the time-stamp token the TAC is stored. The ETSI option adds two additional signed attributes that are required by RFC3126. See Appendix G: TST TAC encoding and binding on page 98 for more information on these options.

8: Enter a DS/NTP port number on which the TSA will receive the audit. This port number has to be unique for each TSA.

9: Select a DS/NTP audit source:

• Upper Clock: if you choose this option, select the upper clocks that will audit the TSA. Optionally, select the Auto-trust New Upper Clock Certificates check box – when new upper clocks are added to the Upper Clock CA Cert Store, the TSA automatically starts trusting them.

Note: All TSAs share a single Upper Clock CA Cert Store, which holds all the root and intermediate CA certificates of the upper clocks that are authorized to audit the DSE200. By adding an upper clock to a TSA, you are choosing (from the upper clock CA cert store) the ones that will audit the TSA.

• Local Audit: if you choose this option, a Windows Administrator must log into the System console and restart the NTP Service. Also, a reference to an NTP server (on the local network) should be added to the file C:\winnt\system32\drivers\etc\ntp.conf. The Local Audit setting provides time that can be traced only to the DSE200 host PC clock.

If you select this option, nCipher recommends that you use a good security policy with regard to the physical security of the DSE200 and the network connection to the NTP server. See Appendix E: Local Audit/NTP service on page 83 for more information.

10: Click Update.


Chapter 5

The changes take effect immediately.

Initiating and fulfilling TSA certificate requestsThe following sections describe the steps involved in initiating and fulfilling certificate requests:

• Creating Operator card sets on page 43

• Initiating a TSA certificate request on page 45

• Importing the CA certificate chain on page 48

• Fulfilling a TSA certificate request on page 48

Creating Operator card setsThis section explains how to create an OCS for authorizing access to TSA keys. Creating an OCS is optional. If you do not create an OCS before you create a TSA Key, you will not be able to use the TSA backup/restore feature nor will you have a backup of the key.

Card sets belong to the security world in which they are created. When you create an OCS, the smart cards in that set can only be read by DSE200s belonging to the same security world. The cards cannot be read, erased, or reformatted by a DSE200 from a different security world.

If the OCS you create is to be used to protect TSA keys that have the Disable Unattended Start-up feature enabled (see Disable unattended startup for this key! on page 47), it is important that you understand the effect of the persistence and time-out options.

By default, the DSE200 creates non-persistent card sets, which means that keys protected by this card set become unavailable when the last card is removed. Thus, a TSA key can be fulfilled by the TSA only while a card remains in the slot. When the card is removed, the DSE200 essentially becomes non-operational. Moreover, if you define a time-out when creating the OCS, the TSA key is subject to this time-out.

However, if the TSA Key does not have the Disable Unattended Start-up feature enabled, time stamp requests can be fulfilled even after the card has been removed from the card reader, and the availability of the TSA key is not subject to a time-out.

To create an OCS:


2: Navigate to Card Set Management > Create Card Set.

The Create Operator Card Set dialog opens.


Chapter 5

3: Enter the following information to create an OCS you can use when creating a TSA key you want to be able to backup and restore:

4: Click Next.

The DSE200 prompts you to insert the cards that will form the OCS.

5: For each card, follow the onscreen instructions to either set a pass phrase for the card or to format the card without a pass phrase. Each card can have a different pass phrase, and any card’s pass phrase can be changed later. See Chapter 2: Using pass phrases on page 16 for more information on pass phrases.

Note: When creating a card set, the DSE200 recognizes a card that belongs to the set before the card set is complete. If you accidentally insert a card to be rewritten, you see a warning.

Field Description

Operator Card Set name

Enter a name for the OCS.

Total number of cards in set (N)

Enter the total number of cards (N) that you want to have in the OCS. This number (N) must be less than or equal to 64.

Number of cards required for access

Enter the number of cards (K) needed to restore the key. This number (K) must be less than or equal to the total number of cards (N).

Card set is persistent? The default value for this option is No. This means that any key protected by the OCS becomes unavailable when the last card is removed from the DSE200 card reader. When the last card is removed, the DSE200 essentially becomes non-operational.If you select Yes, the key will still be valid even after the last card has been removed.

Card set has a timeout?

Optionally select to enable a time-out value in seconds for the OCS. The time-out is the length of time that a card from the set can remain effective when inserted in the DSE200 card reader.After the time-out is reached, the card must be re-inserted before it can be used.

Timeout in seconds Enter the number of seconds to elapse before the timeout is enforced. The maximum value is 31622400 seconds.


Chapter 5

After you have formatted all the Operator Cards, the DSE200 displays a message indicating that the OCS has been successfully created.

Initiating a TSA certificate request A TSA is not functional until you initiate and fulfill it.


2: Navigate to TSA Management > Certification Status.

The TSA Certification Status dialog opens, listing all the TSAs that have been created.

3: Select the TSA that you would like to work with, then click Initiate to initiate a new TSA certificate request.

The Select Cardset for TSA Key Backup dialog opens. If there are no Operator Card Sets installed on the DSE200, the TSA Key Backup dialog does not open. Instead the TSA Certificate Request dialog opens, see step 6 below. The TSA keys you generate without an OCS will not have TSA Key Backup enabled.

Note: TSA keys cannot be restored if the OCS is lost. However, to restore keys from a disk crash or data corruption, take regular backups of the TSA key backup files and other security world data. See Chapter 6: Restoring a TSA key on page 53 for the instructions to restore a TSA key.

4: To enable TSA Key Backup for the TSA Key you are about to generate, select the OCS you want to use.

Note: If you choose the Do not enable TSA Key backup for this key option, you cannot enable key backup for this key later.

5: Click Next.

The Loading OCS:OCSName dialog opens. This dialog displays general information about the OCS followed by loading state information and a Next button. Each time you click Next, you are redirected to an updated display of this dialog.

The Loading OCS:OCSName dialog requests cards and PINs until you have presented the number of cards required to load the OCS. When the OCS is loaded, the Loading OCS:OCSName dialog displays the message Operator Card Set OCS Name loaded.

6: Click Next.

The TSA Certificate Request dialog opens.


Chapter 5


A message appears, asking you to confirm the details that you have entered.

8: Click OK to confirm the information that you have entered.

9: Click Next.

The TSA Certificate Request Parameters dialog opens.


Field Enter

Common Name A name for the TSA certificate.

Organization The name of your organization.

Organizational Unit The name of your organizational unit (optional).

Organizational Unit Any additional information you want to include in the certificate name (optional).

Locality The name of your locality (optional).

State The name of your state (optional).

Country The name of your country.

Field/Option Description

Key Length Select a length of 512, 1024, or 2048 bytes for the key.

Signature Algorithm Select an algorithm that is acceptable to your CA.

Time-stamp Mode Select the time-stamp mode. The available values are:RFC 3161 RFC 3161 is the Internet X.509 Public Key Infrastructure Time-Stamp Protocol.Authenticode Authenticode, from Microsoft, allows developers to include information about themselves and their code with their programs through the use of digital signatures.

Distinguished Name Review the information used for the certificate’s name.


Chapter 5

11: Click Submit Request.

The TSA PCKS10 Certificate Request dialog opens.

12: Click Download.

A browser window opens, asking if you want to open the file or if you want to save it to disk. This is a text file named TSAcertreq.txt or TSAcertreq.pem. Save the file in a secure location.

Note: Open .pem files using a text editor such as Notepad or Wordpad.

13: Send the TSA certificate request file to your CA. If the CA approves your request, then the CA returns a TSA certificate to you, by e-mail or another method.

14: Save the TSA certificate in a secure location. You use this certificate in Fulfilling a TSA certificate request on page 48, the next step.

The TSA certificates remain in the pending state until they are fulfilled. To view the list of all TSA certificates that are not fulfilled, navigate to TSA Management > Certification

Disable unattended startup for this key!

Select this option to disable the DSE200’s ability to startup unattended.By default, a DSE200 can start up and become completely operational without user intervention. However, in some environments, this is not appropriate. Disabling the DSE200’s unattended start-up ability allows the DSE200 to operate under such policies.The ability to disable unattended start-up of the DSE200 can be granted to a TSA Key only when it is created.This feature depends on the OCS protection that is part of the new TSA Key Backup and Restore feature. Therefore this option is only available on a TSA Key that is being created with the Backup feature enabled.

Note: This option is only available if you selected to enable TSA key backup for the TSA key.

Note: If you select this option, you must load the TSA key for the unit to operate.

Generate a self-signed certificate for this key.

Select this option to generate a self-signed certificate. This is useful for testing purposes.

Field/Option Description


Chapter 5

Status. The Key Status of any certificate that has not been fulfilled appears as UncertifiedPending.

Importing the CA certificate chainAfter the CA approves your certificate request, you must import the CA’s certificate chain into your TSA certificate store. The TSA Certificate Store contains one or more CA certificate chains that can be used to validate your TSA certificate during fulfillment.

A CA certificate chain typically includes a root certificate and an intermediate issuing CA certificate. A simple CA certificate chain might include a single root certificate, which is used as an issuing CA certificate. A more complex CA certificate chain might include a root certificate, intermediate CA certificate, and an issuing CA certificate.

You must add the certificates to the TSA certificate store in the following order:

• Root CA certificate

• Certificates signed by the root CA certificate in the order in which they are signed

• Issuing CA certificate

To import the CA certificate chain into the TSA certificate store:

1: Navigate to Certificate Management > TSA Cert Store.The TSA Certificate Store dialog opens.

2: Click Add.

The Add TSA Certificate dialog opens.

3: Do one of the following:

• Browse and locate the certificate, then click Load File.

• Copy and paste the contents of the certificate in the text box.

4: Click Add.

5: Repeat the steps until you have finished adding all the certificates in the CA certificate chain, including the issuing CA certificate.

Fulfilling a TSA certificate requestAfter you receive your TSA certificate from your CA, you can fulfill it. Before proceeding with this step, ensure that you have imported the complete CA certificate chain including the root, intermediate, and issuing CA certificates.


2: The TSA Certification Status dialog opens, listing all the TSAs that have been created.

Note: The Key Status of a pending certificate appears as UncertifiedPending.

3: Select the TSA certificate request that you would like to fulfill, then click Fulfill.


Chapter 5

The Fulfill TSA Certificate dialog opens.

4: Browse to the TSA certificate file you received from your CA, or copy it in base-64 format into the box.

Note: If your CA has sent the certificate in Binary DER or p7b format, ask for one in .pem or base-64 format.

5: Click Accept.

If you have chosen to enable key backup for this key, the DSE200 creates a unique backup file for the TSA on the system hard drive when the certificate request is fulfilled. Backup files are stored under C:\nfast\kmdata\local\key_dsetsa_tsakey(n), where ‘n’ is the number allotted to the TSA based on the order in which it is created. For example, the DSE assigns the filename key_dsetsa_tsakey(1) for the first TSA that you create.

Back up the contents of the C:\nfast\kmdata\directory to an appropriate storage device.

Loading a TSAWhenever the DSE200 software is restarted with a TSA Certificate with the Disable Unattended Startup feature enabled, the Key Status is Certified_NotLoaded (or CertifiedPending_NotLoaded). Before the DSE200 can be audited to start issuing time-stamps, you must load the TSA Key.


2: Navigate to TSA Management > Operational Status.

The Operational Status dialog opens, listing all the TSAs that exist in the DSE200.

3: Select the TSA that you would like to load, then click Details.

The Operational Status dialog opens. The last line of this dialog is the Key Status. If the Key Status includes the _NotLoaded label, the dialog also includes a Load button next to the indicated Key Status.

4: Click Load.

The Loading OCS:OCSName dialog is displayed. This dialog displays general information about the OCS followed by loading state information and a Next button. Each time you click Next, you are redirected to an updated display of this dialog. (This is the same dialog that was used to enable the TSA Key for backup.)

The Loading OCS:OCSName dialog requests cards and pass phrases until you have presented a quorum and the OCS is loaded. When the OCS is loaded, the Loading OCS:OCSName dialog displays the message Operator Card Set OCSName loaded.

5: Click Next.

The TSA Key is loaded, and you are directed back to the Operational Status dialog. The key state is now Certified or CertifiedPending.


Chapter 5

Note: The TSA Key remains loaded as long as the application continues to run and the protecting OCS allows the key to be loaded. If the protecting OCS is not persistent and the last card is removed from the card reader, the TSA key is unloaded. If the OCS has a time-out enabled, the TSA Key is unloaded when the time-out period expires. In such cases, the you must reload the TSA Key by following the instructions in this section.

Registering a TSAThe TSA Registration section of the Administrative Options menu focuses on a key part of the security used to register a TSA certificate with an auditing service provider.


2: Navigate to Certificate Management > TSA Registration.

The TSA Registration dialog opens, displaying the list of TSA certificates that exist in the DSE200.

3: Select the TSA that you would like to register, then click Details.

The TSA Registration dialog opens, displaying the TSA certificate and the DSE200 certificate. This information guarantees that the TSA certificate is in the DSE200. Also, the audit service provider can know for certain that the TSA certificate is controlled by the DSE200.

4: Click E-mail to send the TSARegistration.pem file (a binary file containing no useful plain-text information) to the audit services provider.

5: Add the appropriate information, then click Send Registration.

Checking the operational status

Note: The following task is for your organization’s Network Manager. If you are a Security Officer, you will only be able to view the details.

The final phase of getting started with your DSE200 is for the Network Manager to check operational status.



The Operational Status dialog opens, listing all the TSAs that exist in the DSE200.

3: Select the TSA that you would like to review, then click Details.


Chapter 5

The operational status for the selected TSA is displayed:

Parameter Description

Clock Status A green light indicates that the clock is running.

Audit Status A green light indicates that the auditing software is running, and that the clock can be audited.

time Stamping Status

A green light indicates that the DSE200 is ready to time-stamp documents.An amber light indicates that the DSE200 needs a new TAC before it can continue. A red light indicates that time-stamping has been disabled.

Time Attribute Certificate

This field tells you the status of the current TAC:

• Received: a valid, operational TAC has been received and can be used for time stamping.

• AntiTAC_Rcvd: a non-operational TAC has been received, which has halted time stamping until the next audit (which is likely to provide an operational TAC).

• Expired: the current time is later than the “Valid To:” time specified in the current TAC.

• Invalid: the current TAC has been invalidated, for instance, by rebooting the DSE200 or by disabling the clock.

For more information, see Chapter 6: Viewing time attribute certificate (TAC) information on page 58.

Key This field tells you the status of the TSA Key.

• Certified: the TSA is operational.

• CertifiedPending: the TSA has an operational certificate and also has an outstanding certificate request.

• Uncertified: the TSA does not have any certificate and does not have an outstanding certificate request.

• UncertifiedPending: the TSA does not have any certificate but has an outstanding certificate request.

• Expired: either the TSA is past its validity period, or the current time in the DSE200s board clock is set to a time outside the range defined by the TSA certificate.


Chapter 5

4: All objects should be green. If one or more are not, click the object’s Enable button.


Chapter 6: Administering and using the DSE200

This chapter includes information on the daily administration and usage tasks. Sections in this chapter include:

• Restoring a TSA key on page 53

• Adding or removing an upper clock on page 54

• Enabling or disabling the clock on page 55

• Viewing card set lists on page 55

• Viewing or changing card sets on page 56

• Viewing TSA certificate information on page 57

• Viewing time attribute certificate (TAC) information on page 58

• Viewing time-stamps issued on page 59

• Viewing the uptime on page 60

• Viewing Administrator and Board logs on page 60

• Viewing user login statistics on page 61

• Viewing the log archive on page 61

• Adding a user on page 62

• Modifying or deleting users on page 63

• Modifying user information on page 63

• Restarting the server on page 63

Restoring a TSA keyThe Restore option is enabled only if the TSA key status is Uncertified. If the key is in any other state, delete the TSA certificate from the TSA Certificate Store, cancel any pending TSA certification requests, and recreate the TSA certificate so that the Restore option is enabled.

Before attempting to restore a TSA key, ensure that the TSA Key Backup file key_dsetsa_tsakey(n) is present in the system hard drive’s C:\nfast\kmdata\local directory. If necessary, copy the back-up file you made at thetime of creation to this directory. Ensure that the C:\nfast\kmdata\local\key_dsetsa_tsakey(n) file is in place.



Chapter 6


The TSA Certification dialog opens, listing all the TSAs that exist in the DSE200.

3: Select the TSA that you would like to restore, then click Restore.

Note: Note: If the C:\nfast\kmdata\local\key_dsetsa_tsakey(n) file is not found, the DSE200 displays this message: The restore blob for the dsetsa,tsakey(n) could not be found. Unable to restore the TSA Certification.

The Loading OCS:OCSName dialog opens. This dialog displays general information about the OCS followed by loading state information and a Next button. Each time you click Next, you are redirected to an updated display of this dialog. (This is the same dialog that was used to enable the TSA Key for backup.) The Loading OCS:OCSName dialog requests cards and pass phrases until you have presented a quorum and the OCS is loaded.

Note: Note: If you cannot present the required number (K) of Operator Cards (for example, if you have lost too many cards from the OCS), then the TSA backup facility does not work. When the OCS is loaded, the Loading OCS:OCSName dialog displays this message: Operator Card Set OCSName loaded.

4: Click Next.

The TSA key and certificate are restored, and you are directed to the TSA Certificate Info dialog, which displays information about the restored certification.

Adding or removing an upper clockThe TSA Configuration dialog is where you manage audit settings, and add or remove upper clocks. See Chapter 5: Adding an upper clock on page 40 for information on how to add a new upper clock. To remove an upper clock:



The TSA Configuration dialog opens, listing all the TSAs that have been created.

3: Select the required TSA, and click Configure.

4: In the TSA Configuration dialog, select the clock you want to remove, then click Remove.

5: When prompted, click OK to confirm that you want to remove the clock.


Chapter 6

Enabling or disabling the clock

Note: Use this option only if you cannot import valid certificates or if the logs are showing that the DS/NTP transaction has failed due to the DSE200 claiming that valid certificates have expired or are not yet valid.


2: Navigate to TSA Management > Clock Management.

3: To enable or disable the clock, click Enable or Disable as appropriate, then click Set Clock to enable the DSE200 to synchronize the time to the host operating system clock. Ensure that the host clock is accurate.

To accurately set the time, the clock server and the time zone must be correct. Get the time close enough so that an audit can confirm or fix the time.

Viewing card set listsIt is often necessary to obtain information from card sets. For security reasons, card sets usually do not include identification marks.


2: Navigate to Card Set Management > List Card Sets.

The following details are displayed.

Object Description

Name This is the name the card set was given when it was created.

K of N This shows the number of Operator Cards that you want to require in order to re-create a key (K) and the number of the total number of cards (N).


Chapter 6

Viewing or changing card setsThe View/Change menu option enables you to examine cards inserted into a DSE200 from the same security world as the DSE200 on which they were created. To change a card pass phrase, you need the card and the old pass phrase.


2: Navigate to Card Set Management > View/Change.

The Card Utilities dialog opens.

3: Click Set Pass Phrase to change the pass phrase of a card that has been inserted.

For information on pass phrases, see Chapter 2: Using pass phrases on page 16.

4: Optionally, click Erase to erase all the data of a card that has been inserted.

Viewing the KeyStore informationWhen you receive your DSE200, the Tomcat alias is the SSL server. The KeyStore Info menu option enables you to view the Certificate entry for the CA that signed the DSE200’s SSL certificate, along with the Certificate chain.


2: Navigate to Server Management > SSL Certificate > KeyStore Info.

The certificate entry and the key entry details are displayed.

Persistent This shows whether or not a card set is persistent. By default, the DSE200 creates non-persistent card sets, which means that keys protected by this card set become unavailable when the last card is removed.

Timeout This shows the name the card set was given when it was created.The time-out is the length of time that an Operator Card from the set can remain effective when inserted in the card reader. After the time-out is reached, the card must be re-inserted before it can be used. You can not set a time-out value greater than a year (that is, 31622400 seconds).

Object Description


Chapter 6

Viewing TSA certificate informationUse this menu option to view details of a TSA certificate.



The TSA Certification Status dialog opens, displaying all the TSAs that exist in the DSE200.

3: Select the TSA you would like to work with, then click Details.

The Certification Status for the selected TSA is displayed.

4: Click Certificate Info.

The TSA certificate information dialog displays the following information for the selected TSA:

Field Description

TSA Key Status A green, amber, or red light here reminds you of the key status.

Export You can export (download) the certificate in base64 format by clicking here.

Version Refers to the version of ANSI X.509 that defines the certificate syntax. The DSE200 uses the V3 version, standard in the industry.

Serial Number A unique number assigned by the Certificate Authority that issues the certificate. It is simply a way to uniquely identify a specific certificate issued by a particular CA.

Signature algorithm These are:

• RSA with MD5

• RSA with SHA-1

• DSA with SHA-1

Issued by The issuer of the certificate.

Issued to The entity to whom the certificate is issued.

Valid from Beginning date that the certificate is valid.


Chapter 6

Viewing time attribute certificate (TAC) informationWhen the DSE200 is successfully audited, it gets a new TAC. The new TAC overlaps the previous TAC under which your DSE200 was issuing time stamps.

If you have an operational TAC and an audit fails because of time drift, the audit produces a non-operational TAC that overlaps the previous TAC. In such a case, the DSE200 is no longer able to issue time stamps until a successful audit is completed.

1: Login with either the Network Manager or the Security Officer responsibility.


The TSA Operational Status dialog opens, displaying all the TSAs that exist in the DSE200.

3: Select the required TSA, then click Details.

The Operational Status for the selected TSA is displayed.

4: Click TAC Info.

Valid to Date that ends the certificate’s validity. All dates in the DSE200 are displayed in the format yyyy/mm/dd and all times are displayed as hh/mm/ss.

Public key This field is a long string of characters.

Click on the words Public Key to see the key in its usual block format in the field here.Click on any of the tags, and a pop-up window opens with the information presented in block format.

Field Description

Figure 6 - 4: Sample Public Key


Chapter 6

The following information is displayed:

Viewing time-stamps issuedThe Status menu option enables you to view all the time-stamps that have been issued.

1: Login with the Network Manager responsibility.

2: Navigate to TSA Management > Time Stamps Issued.

The TSA Time-Stamps Issued dialog opens, listing all the TSAs that exist in the DSE200.

3: Select the TSA that you would like to work with, then click Details.

Field Description

TAC Status A green, amber, or red light reminds you of the status.

Initiate Audit When you click this button, an audit request is sent to the Upper Clock indicated in your network setup, as described in Chapter 5: Adding an upper clock on page 40. The display will not automatically refresh when the audit is received. Click the menu item again to refresh.

Delay The go around time, or round-trip communication delay between the DSE200 and the audit clock.

Offset Tells you how much your clock differs from the clock that audited it (an NMI-based Trusted Master Clock, using UTC).

Max Delay The maximum allowable network delay to receive a successful audit.

Max Offset The maximum time offset allowed to receive a successful audit. This is measured in seconds.

Valid From: Tells you the date the TAC became valid.

Valid To: Tells you the date the TAC will become invalid. All dates in the DSE200 are displayed in the format yyyy/mm/dd, and all times as hh/mm/ss.

Leap Event Any scheduled leap second event is noted here.

Timing Policy OID Refers to the timing policy statement of the upper clock which issued this TAC.


Chapter 6

The Time-stamps dialog opens, displaying the following time stamp statistics:

Viewing the uptimeThe Status menu enables you to know when the DSE200 service was last restarted.


2: Navigate to Server Management > Uptime.

The details of the DSE200, UTC, the current time of the browser, and time zone settings are displayed.

Viewing Administrator and Board logs1: Log in with either the Security Officer or the Network Manager responsibility.

2: Navigate to Logging and select one of the following:

• Administrator Log: records all DSE200 activities done within the Security Officer and Network Manager user interfaces

• Board Log: contains information about the internal state of the time-stamp server (for example, whether time-stamping and logging are enabled or disabled, records of audit requests generated by the expiration of a TAC, receipt of a TAC, and clock calibration). If you reset the Board Log, you must give the new Board Log a new name.

The Administrator Log or Board Log dialog opens depending on the option you select.

3: Click Show Log to display the Default User dialog.

Area/button Description

Total Displays in total and by percentage the time-stamps requested, granted, and rejected.

Under Current TAC Displays time-stamps requested, granted, and rejected under the current operational TAC.

Refresh Interval Here you can configure how often to refresh statistics.There are several choices within the range of five seconds to 30 minutes; the default is 10 seconds. There may be times you want the page updated frequently, such as on days when you are expecting a lot of time-stamping activity, so you can make the interval shorter.

Refresh Click this button to display the latest statistics.


Chapter 6

The appropriate Log dialog opens.

4: Choose the parameters for viewing the log, then click Display.

The logs records are displayed with the most recent entries at the bottom.

For more on Board log errors and alerts, see Appendix A: Error messages and alerts on page 69.

Viewing user login statisticsThe User Login Statistics menu option enables you to view the login statistics by user type. Server statistics displays the consolidated login details for all user types.

1: Login with either the Network Manager or Security Officer responsibility.

2: Navigate to Logging > User Login Info.

The User Login Statistics dialog opens, displaying login information by user and for the server as a whole.

3: To view login statistics by user type:

• Select a user type from the Statistics For drop-down menu.

• Click the Details button next to the Statistics For drop-down menu.

The login statistics for the selected user type are displayed

4: To view the consolidated login information for all user types, click the Details button next to Server Statistics.

Note: All dates in the DSE200 are displayed in the format yyyy/mm/dd, and all times as hh/mm/ss.

Viewing the log archiveThe archive stores the old Admin and Board logs.

1: Login with either the Network Manager or Security Officer responsibility.

2: Navigate to Logging > Archive.

The Log Archive dialog opens, displaying links to the Admin and Board logs.

3: Click the required link.

4: In the Log Archive dialog, select the required options and click Display.

The logs records are displayed, with the most recent entries at the bottom.


Chapter 6

Adding a userUser roles are defined as follows:

• Security Officer: authorized to perform key and certificate management. The Security Officer manages keys, certificates, and the log file. This person does not do the day-to-day tasks of managing the DSE200.

• Network Manager: authorized to manage time stamping and auditing. The Network Manager is the day-to-day DSE200 manager and operator. This person can enable or disable time stamping and auditing.

Any users you add must be assigned one of these roles. There may be more than one Security Officer and more than one Network Manager.


2: Navigate to User Management > Add User.

The Add User dialog opens.


Field Enter/Select

User Name The person’s first name or nickname.

User Role The person’s role: Security Officer or Network Manager.

E-mail The person’s e-mail address. This is just for display purposes; it can be the same e-mail address as in Notify E-Mail, described in the next sentence.

Notify E-mail The e-mail address to which notices from the board log are sent.

Notify E-Mail From The e-mail address from which the user receives Notify e-mails.

Notify E-Mail Subject

If left blank, the default value (%N DSE200 %E Notification) is used, where %N - Expands to the hostname of the DSE200 and %E expands to “Error”, “Alert”, or “Error/Alert” based on the log messages.

Notify SMTP The SMTP server handling such notices. This is the e-mail server (example: smtp.<servername>.com) that the DSE200 uses to send e-mail notifications.


Chapter 6

4: Click Add User.

If the Modify User screen opens (see next section), then the new user has been added.

Modifying or deleting usersTo change the status of a user, or to delete them altogether, use this option.


2: Navigate to User Management > Modify/Delete Users.

3: Enter their identifying data, then click the appropriate button to change its status: Update, Delete, or Change Password.

A confirming dialog box opens.

4: Click OK to complete the action to change the field.

5: The Change Password dialog asks you to enter, then re-enter, the new password.

Use the # and Next buttons to go to the previous or next user’s profile to be modified.

Modifying user informationIf you are a Network Manager, you can change your user information.


2: Navigate to User Management > Modify Users.

3: Change the information as required.

4: Optionally, click Change Password to change your password.

5: After you have made the required changes, click OK to save the changes.

Restarting the serverYou have the option to restart the DSE200. This is necessary if a new SSL certificate has been installed.


Password A password for the user. The maximum length of a password is 128 characters.

Verify password The password again to confirm it.

Field Enter/Select


Chapter 6

2: Navigate to Server Management, then click Restart Server.

Note: This option only enables you to reboot the DSE200 if the machine does not require any interaction. If, for example, a program does not exit because it is waiting for a confirmation, or if it is locked, the Restart Server option does nothing.


Chapter 7: DSE200 FAQs and solutions

OverviewThis section addresses the most frequently asked questions about the nCipher DSE200 and provides solutions to common problems.

FAQThe following answers to frequently-asked questions are in alphabetical order by topic.

Digital certificates

What are the roles and respective keys and certificates of the DSE200?

See this table for the answers:

Product Cert Type Role

DSE200 TSA Sign time stamps and authenticate DS/NTP communications

TSA Root Chain

Certificate fulfilment with CA

DI Root Chain

Authentication of devices for DS/NTP

Factory Register TSA certificate with NTMS

Https Enable https:// communication for browser-based communication


FAQ

In the DSE200, where are the keys and certificates?

See this table for the answer:

In each of the DSE200, how will these keys and certificates be generated?

See this table for the answers:

How are certificates obtained with the DSE200?

Administrators can use the local, browser-based administration system of the DSE200 to obtain TSA certificates.

In local certification, administrators generate a key pair and a certificate request. The PKCS #10 request can then be submitted to the appropriate CA for certificate fulfillment.

Product/Cert Type Private Key

DSE200 - TSA nCipher nShield UltraSign nCipher nShield UltraSign

DSE200 - TSA Root Chain nCipher nShield UltraSign

DSE200 - DI Root Chain nCipher nShield UltraSign

DSE200 - Factory nCipher nCipher nShield UltraSign

DSE200 - Https Host Hdd Host Hdd

Product/Cert Type How Keys Are Generated

DSE200 - TSA Keys and certificate request generated by DSE200 Security Officer. Certificate acquired from public or private CA.

DSE200 - Factory Generated at nCipher factory

DSE200 - Https Pre-installed at factory. Can be replaced by DSE200 Security Officer

DSE200 - DI Root Loaded by DSE200 Security Officer

DSE200 - TSA Root Chain

Loaded by DSE200 Security Officer


FAQ

Leap seconds

How will a DSE200 handle leap seconds? How should the customers set up and operate the DSE200 for leap second events?

The DSE200 supports leap second events held at any time and that are either insertion events or deletion events.

Information about the scheduling of leap second events is delivered to the DSE200 as part of the DS/NTP session with the Trusted Master Clock. Thus, you do not need to perform any setup or configuration to handle leap second events.

The DSE200 handles insertion events by repeating the second before the leap second event. For example, if the event is to take place at 00:00:00, the DSE200 counts 23:59:59 twice. Time-stamps cannot be issued during the repeated second, and any time-stamp request during this second is answered with an error indicating that the time is not available.

The DSE200 handles deletion events by skipping the second before the leap second event. For example, if the event is to take place at 00:00:00, the DSE200 counts from 23:59:58 to 00:00:00 (without counting 23:59:59).

Note: The DSE200 only controls the time used inside the DSE-SEE machine; it does not control the clock on the host machine.

Standards

What Time Stamp Protocol does the DSE200 support?

The DSE200 supports the IETF Time Stamp Protocol (RFC 3161). Time stamps are requested by means of either the Transmission Control Protocol (TCP) or Hypertext Transfer Protocol (HTTP), as described by RFC 3161.

A European standard (ETSI) says that a recommended time stamp protocol (RFC 3161) should be the http protocol. Do you support the http protocol for time stamping?

The DSE200 includes support for the RFC3161 Time-Stamp Protocol through HTTP (Hypertext Transfer Protocol).

Synchronization

Is the time that is used for Windows synchronized to the time stamp token’s time?

No, the time is not synchronized. The time for Windows is from the Windows system clock. The time stamp token’s time is from the nShield UltraSign clock.


FAQ

DSE200

In the customer’s installation, can the customer integrate the DSE200 in the firewall? Can the DSE200 operate correctly in the firewall? Specifically, can the DS/NTP and DSMP be transferred by NAT (Network Address Translation)?

Yes, you can use firewalls/NAT. Customers presently use TMCs to audit their DSE200s through a firewall and VPN.

What digital signature technologies does the DSE200 use to sign time stamps?

The DSE200 signs time stamps with either RSA/MD5, RSA/SHA-1 or DSA/SHA-1 signatures. Signatures are fixed at 512, 1024, or 2048 bits.

How many time stamps per second can the DSE200 produce?

RSA 1024-bit signatures: 125/sec.

RSA 2048-bit signatures: 50/sec.

What hardware cryptographic accelerator does the DSE200 use and what is the model number?

Mounted internally to the DSE200 is a single nShield UltraSign Hardware Security Module cryptographic accelerator, FIPS 140-2 level 3.

When the user employs the DSE200 with their application server, is a secure connection required between the DSE200 and the application server?

For the issue of time stamps, there is not a need for a secure connection between the application server and the DSE200. The PKIX TSP (time stamp protocol) includes all the security that should be needed. The data returned from the DSE200 is signed and includes the original hash and nonce; security is part of the reason that the time stamp request includes only a hash of the original data. Someone watching a session would see only hash information, which is safe.

If you need security for other reasons such as identifying the user, billing, and so forth, this security should be implemented on an application server that has a direct unsecured connection to one or more DSE200s.

How does the DSE200 acquire time after a reboot?

After reboot, the DSE200 does not have an operational Time Attribute Certificate and cannot provide time stamps.

The DSE200 initially contacts the assigned Upper Clock and requests an audit. The first Upper Clock audit may fail, depending on the clock drift rate, and issue a non-operational TAC. The DSE200 corrects its clock to this first audit. The DSE200 then does another audit request which is normally successful and receives an operational TAC from the Upper Clock. The Upper Clock then continues to audit the DSE200 per the configured interval.


Appendix A: Error messages and alerts

This section lists the error messages and alerts you might encounter while using the user interface.

Note: If you see debug messages in the logs, ignore them. They were included in earlier releases.

The default subject of e-mail notifications is: %N DSE %E NotificationIn this subject line, %N is the host name of the DSE200 that sent the message, and %E is one of “Error”, “Alert”, or “Error/Alert”.

If your DSE200 does not recognize the certificate from the Upper Clock, the body of the message sent contains lines of the form:

ERROR: 05-23-02 22:27.56 > DSNTP: Failure to Validate UC

Certificate.

ERROR: 05-23-02 22:27.56 > DSNTP: Failed to process UC’s Cert.

Note: Such errors can be fixed if the Security Officer adds the CA certificate chain for the Upper Clock certificate to the Upper Clock Cert Store. You can get the CA certificate chain from your audit service provider.

If an audit session fails due to a general communication error, message, the body of the message sent contains a line of the form:

ERROR: 05-02-02 14:01.07 > DSNTP: COMMUNICATION ERROR Failed to

read from socket.

Note: Such an error is usually the result of a temporary network failure, possibly due to heavy traffic on the Internet or on your local area network. The best thing to do is initiate a new audit from the DSE200, or your service provider may initiate a new audit from the Upper Clock. If this is a persistent problem, work with your audit services provider to identify the network issue.

When you reboot the DSE200, the body of the message sent contains lines of the form:ALERT: 05-24-02 19:10.08 > Logging Service has been Enabled.

ALERT: 05-24-02 19:10.38 > TSA Startup: Version: 1.1, Build 1.0

ALERT: 05-24-02 19:10.38 > Logging Service has been Enabled.

ALERT: 05-24-02 19:10.39 > DSNTP: Sent initiate request to upper

clock (172.16.33.1:318)

After the first audit and reboot, the body of the message sent contains lines of the form:


ALERT: 05-24-02 19:11.16 > Non-Operational TAC has been received:

offset = -19.792432, ntpTime = 19:11:16 - May/24/02, expiration =

19:11:16 - May/24/02, leapAction = 0, leapTime = 0.000000, delay =

0.022242


clock (172.16.33.1:318)

Note: The first audit after a reboot usually results in a non-operational TAC because the offset of the clock is large.

After an audit, the body of the message sent contains a line of the form:ALERT: 05-24-02 19:11.35 > Operational TAC has been received:

offset = 0.002194, ntpTime = 19:11:35 - May/24/02, expiration =

19:11:35 - May/31/02, leapAction = 0, leapTime = 0.000000, delay =

0.022087

When the Network Manager initiates an audit, the body of the message sent contains a line of the form:


clock (172.16.33.1:318)

When the Network Manager make changes under Network Configuration, the body of the message sent contains lines of the form:

ALERT: 04-25-02 14:32.01 > TSA: Upper Clock configuration changed.

172.16.33.1:318

ALERT: 04-25-02 14:32.01 > TSA: Lower Clock Public IP.

172.27.20.4:123


clock (172.16.33.1:318)

If the Network Manager disables the clock, the body of the message sent contains lines of the form:

ALERT: 04-10-02 18:58.06 > Clock Service has been Disabled.

ALERT: 04-10-02 18:58.06 > Operational TAC has been Invalidated!

If the Network Manager enables the clock, the body of the message sent contains a line of the form:

ALERT: 04-10-02 18:58.32 > Clock Service has been Enabled.

If the Network Manager disables the time stamping, the body of the message sent contains a line of the form:

ALERT: 04-10-02 18:56.39 > Time Stamping Service has been Disabled.

If the Network Manager enables the time stamping, the body of the message sent contains a line of the form:


ALERT: 04-10-02 18:57.32 > Time Stamping Service has been Enabled.

When the Security Officer initiates TSA certificate request, the body of the message sent contains a line of the form:

ALERT: 05-23-02 18:38.11 > TSA Certificate generation initiated for

DN: C=US\S=Massachusetts\L=Lexington\O=J Scott

Mustard\OU=Finance\CN=CompanyABC

When the Security Officer fulfills a TSA certificate request, the body of the message sent contains lines of the form:

ALERT: 05-21-02 20:14.57 > Audit Service has been Disabled.

ALERT: 05-21-02 20:14.57 > Time Stamping Service has been Disabled.

ALERT: 05-21-02 20:14.57 > Clock Service has been Disabled.

ALERT: 05-21-02 20:14.57 > TSA Certificate fulfillment successful

for DN: C=US\O=Datum, Inc\OU=Datum Trusted Time StampServer

SN:90D00217\CN=<host name>

ALERT: 05-21-02 20:14.57 > Clock Service has been Enabled.

ALERT: 05-21-02 20:14.57 > Time Stamping Service has been Enabled.

ALERT: 05-21-02 20:14.57 > Audit Service has been Enabled.

Audit alerts generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Audit Service has been Disabled.

ALERT: Audit Service has been Enabled.

Certificate alert/errors generate e-mails in which the body of the message sent contains lines of the form:

ALERT: "Certificate has EXPIRED (<expiredDN>)"


Certificate and key management alerts/errors generate e-mails in which the body of the message sent contains lines of the form:

ALERT: TSA Certificate fulfillment successful for DN: <name>

ALERT: The TSA Certificate has expired.

ALERT: The TSA Certificate expires in <n> hours, <n> minutes.

ALERT: The TSA Certificate expires in <n> days, <n> hours.

ALERT: The TSA Certificate expires in <n> weeks, <n> days.

ALERT: Certificate added to TSA store. DN: <name>

ALERT: Certificate added to DI store. DN: <name>

ALERT: Certificate removed from TSA store. DN: <name>

ALERT: Certificate removed from DI store. DN: <name>

ALERT: TSA Certificate generation initiated for DN: <name>

ALERT: TSA Certificate generation has been canceled.

ERROR: CreateCertRequest: DecodeCRI failed <n>

ERROR: CreateCertRequest: GenerateKeyPair failed <n>

ERROR: CreateCertRequest: Unexpected private key cert mech <n>

ERROR: CreateCertRequest: GetHKM0 failed <n>

ERROR: CreateCertRequest: MakeModuleBlob failed <n>

ERROR: CreateCertRequest: ExportRSAPubKey failed <n>

ERROR: CreateCertRequest: EncodeRSAPublicKey failed <n>

ERROR: CreateCertRequest: ExportDSAPubKey failed <n>

ERROR: CreateCertRequest: EncodeDSAPublicKey failed <n>

ERROR: CreateCertRequest: EncodeCertificationRequestInfo failed <n>

ERROR: CreateCertRequest: Sign failed <n>

ERROR: CreateCertRequest: BEncCertificationRequest failed

ERROR: FulfillCertRequest: Failed to find stored key!

ERROR: FulfillCertRequest: DecodeCertificate failed <n>

ERROR: FulfillCertRequest: LoadModuleBlob failed <n>

ERROR: FulfillCertRequest: LoadRSAPubKey failed: <n>

ERROR: FulfillCertRequest: Sign failed <n>

ERROR: FulfillCertRequest: Public key mismatch.

ERROR: FulfillCertRequest: LoadDSAPubKey failed: <n>

ERROR: FulfillCertRequest: Sign failed <n>

ERROR: FulfillCertRequest: Public key mismatch.

ERROR: EncryptKeyStore: GetHKM0 failed <n>

ERROR: EncryptKeyStore: Encrypt failed <n>

ERROR: VerifyCertSignature, LoadRSAPubKey failed: <n>

ERROR: VerifyCertSignature, LoadDSAPubKey failed: <n>


ERROR: Unable to encode issuer or subject.

ERROR: EE Certificate failed validity time check!

ERROR: Failed to locate CA cert subject DN!

ERROR: CA Certificate failed validity time check!

ERROR: EE Cert validity time is not constrained by the CA Cent’s

validity time!

ERROR: EE Certificate signature invalid!

Clock alerts generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Clock Service has been Enabled.

ALERT: Clock Service has been Disabled.

DS/NTP errors generate e-mails in which the body of the message sent contains lines of the form:

ERROR: DSNTP: CreateHello, Cryptographic random generation failed,

extended error: <n>

ERROR: DSNTP: ProcessUCHello, Hello message is invalid

ERROR: DSNTP: ProcessUCHello, Upper Clock name is too large

ERROR: DSNTP: ProcessUCCertificate, CreateCert returns <n>

ERROR: DSNTP: CreateLCKeyExchange, DH Key Pair generation failed:

<n>

ERROR: DSNTP: CreateLCKeyExchange, Export DH pub key failed: <n>

ERROR: DSNTP: CreateLCKeyExchange, Signing function failed: <n>

ERROR: DSNTP: ProcessUCKeyExchange, invalid DSNTP message received

ERROR: DSNTP: ProcessUCKeyExchange, LoadRSAPubKey failed: <n>

ERROR: DSNTP: ProcessUCKeyExchange, LoadDSAPubKey failed: <n>

ERROR: DSNTP: ProcessUCKeyExchange, Unknown key type

ERROR: DSNTP: ProcessUCKeyExchange, DH Key derivation failed: <n>

ERROR: DSNTP: ProcessUCKeyExchange, signature was invalid: <n>

ERROR: DSNTP: AuthenticateFrame, MAC size is invalid

ERROR: DSNTP: AuthenticateFrame, HMAC verification failed, error:

<n>

ERROR: DSNTP: ProcessHandshake, handshake length is invalid.

ERROR: DSNTP: ProcessHandshake, not expecting UC Certificate.

ERROR: DSNTP: ProcessHandshake, DSNTP_INVALID_MESSAGE

ERROR: DSNTP: ProcessHandshake, ProcessUCCertificate ERROR

ERROR: DSNTP: Upper clock, CertificateACK message was invalid

ERROR: DSNTP: ProcessHandshake, CreateLCKeyExchange ERROR

ERROR: DSNTP: Upper clock, CertificateACK processing failed


ERROR: DSNTP: Received invalid NTP frame, length < 48 bytes.

ERROR: DSNTP: VerifyTACSignature, signature invalid: <n>

ERROR: DSNTP: VerifyTACSignature, certInfo encode failed

ERROR: DSNTP: TAC Invalid, AttributeCertificate decode failed.

ERROR: DSNTP: Received TAC in unauthenticated state.

ERROR: DSNTP: GetTransportData, HMAC sign failed, <n>

Log alerts generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Logging Service has been Enabled.

ALERT: Logging Service has been Disabled.

Time-stamping alerts/errors generate e-mails in which the body of the message sent contains lines of the form:

ALERT: Operational TAC has been Invalidated.

ALERT: Time Stamping Service has been Enabled.

ALERT: Time Stamping Service has been Disabled.

ERROR: IssueTimestamp: GetTime failed <n>

ERROR: IssueTimestamp: Sign failed: <n>


Appendix B: Changing the module state

This appendix contains instructions for changing the state of your DSE200’s internal module. You change the module state to perform maintenance and configuration tasks.

Changing to the initialization stateYou must have at least one module in the initialization state before you can create a security world. A module must be in the initialization state before you can add it to an existing security world.

Follow these steps to place the DSE200’s internal module in the initialization state:

1: Switch the mode switch on the back of the DSE200 to the initialization position (I), as shown in Figure B-1.

2: Reset the module by pressing the Clear button.

The module performs self tests, during which the Status LED is on. When the self tests are complete, the unit should enter the initialization state. In this state, the Status LED emits repeated single short flashes.

If the Status LED remains continuously on for more than a minute, it indicates that the self tests have failed terminally. In such a case, contact Support at nCipher.

Status LED

Clear switch

Mode switch

Smart cardconnector

DC power

MOI Initialization

Figure B-1: Mode Switch for Initialization Position


Changing to the operational state

Changing to the operational stateWhen you have created or restored a security world, return the DSE200’s internal module to the operational state by following these steps:

1: Switch the mode switch on the back of the DSE200 to the initialization position (O), as shown in Figure B - 2.

2: Reset the module by pressing the Clear button.

The module performs self tests, during which the Status LED is on. When the self tests are complete, the unit should enter the operational state. In this state the Status LED is mainly on, but blinks off regularly.

As the load on the unit increases, the length of time that the Status LED is off increases. If the module is fully loaded, the Status LED is off for as long as it is on.

Note: If the Status LED remains continuously on for more than a minute, it indicates that the self tests have failed terminally. In such a case, contact Support at nCipher.

Status LED

Clear switch

Mode switch

Smart cardconnector

DC power

MOI

Operational

igure B - 2: Mode Switch for Operational Position


Appendix C: Upgrading DSE200 software and firmware

This appendix describes how to update the DSE200 support software on your DSE200. It also describes how to update your DSE200’s HSM firmware.

Installing nCipher DSE200 softwareTo install the nCipher DSE200 software on Windows 2000 or 2003:

1: Log in as Administrator or as a user with local administrator rights.

2: Place the nCipher Support Software CD-ROM in the CD-ROM drive. If Autorun is enabled, the installer setup.exe, on the top level of the CD-ROM, runs, detects the version of Windows and launches the appropriate installation program. You can launch the installer manually if Autorun is not enabled.

3: The installer displays a list of installable components. You must install the following components:

• hwsp Hardware Support bundle

• ctls Core Tools bundle

• javasp Java Support (including KeySafe)

• DSE200 Server

Do not deselect any of the required components. However, you can choose to accept or deselect other listed components that you require.

By default, the installer places files in the C:\nfast directory.

4: Click Next, and the installer installs and performs basic configuration of the selected components. Follow the installer’s onscreen instructions until installation of nCipher Support Software is completed.

5: When prompted, enter port settings for the HTTP, HTTPS, and DSNTP protocols.

6: Follow the installer’s instructions until installation of the DSE200 software is completed.


Upgrading th nCipher module firmware of the DSE200


nCipher module firmware for your DSE200 is supplied on your nCipher Support Software CD-ROM. Firmware files are in the firmware directory on the CD-ROM, under a directory identified by the firmware version.

Note: The firmware upgrade process destroys all persistent data held in the DSE200. If your security system requires that the persistent data held in the internal module live beyond the upgrade or initialization of the module, a backup and recovery mechanism must be implemented.

nCipher recommends that you ensure you are using the latest firmware. To upgrade the firmware on your DSE200, follow these steps:

1: Log in to the host as Administrator.

2: Place the DSE200 in the maintenance state by switching the mode switch on the back of the DSE200 to the maintenance position (M), as shown in Figure C-1, and then pressing the Clear switch.

The module performs self-tests, during which the Status LED is on. When the self tests complete successfully, the unit enters the maintenance state.

3: Place the nCipher CD-ROM in the CD-ROM drive and mount it on your file system.

4: In order to load the new firmware, open a command prompt, and enter the following command:

Figure C-1: Mode Switch for Maintenance Position



C:\nfast\bin\loadrom E:\firmware\ver\filename.nff

In this command, E is the drive letter of your CD-ROM, ver is a firmware version number, and filename is the firmware file name. The firmware files are signed and encrypted: you can load only the correct version for your module.

5: Place the DSE200 in the pre-initialization state by switching the mode switch on the back of the DSE200 to the initialization position (I), as shown in Figure C - 2, and then pressing the Clear button.

The module performs self-tests, during which the Status LED is on. When the self tests complete successfully, the unit enters the pre-initialization state, in which the Status LED emits repeated single short flashes.

Status LED

Clear switch

Mode switch

Smart cardconnector

DC power

MOI Initialization

Figure C - 2: Mode Switch for Initialization Position



6: Place the module in the operational state by switching the mode switch on the back of the DSE200 to the operational position (O), as shown in Figure C - 3, and then pressing the Clear button.

The module performs self-tests, during which the Status LED is on. When the self tests complete successfully, the unit enters the operational state, in which the Status LED emits repeated single short flashes.

7: Log in to the host as normal.

After firmware installationAfter you have installed new firmware and initialized the module, you can create a new security world with the module or reinitialize the module into an existing security world.

If you are initializing the module into a new security world, see Chapter 4: Creating a security world on page 31.

If you are reinitializing the module into an existing security world, see Chapter 4: Joining an existing security world on page 35.

8: After the new-world.exe command-line utility has reprogrammed the module, place the module in the operational state by switching the mode switch on the back of the DSE200

Status LED

Clear switch

Mode switch

Smart cardconnector

DC power

MOI

Operational

Figure C - 3: Mode Switch for Operational Position



to the operational position (O), as shown in Figure C - 4, and then pressing the Clear button.

The module performs self-tests, during which the Status LED is on. When the self tests complete successfully, the unit enters the operational state, in which the Status LED emits repeated single short flashes.

Store the ACS in a safe place.

Note: If any error occurs (for example, if you do not enter the correct pass phrases), the module is reset to the factory state. The module does not form part of the security world unless you run the new-world.exe command-line utility again.

For more information about the new-world.exe command-line utility, see the nShield Administrator Guide.

Status LED

Clear switch

Mode switch

Smart cardconnector

DC power

MOI

Operational

Figure C - 4: Mode Switch for Operational Position



Appendix D: Replacing an ACS

If you discover at any time that one of the cards in your security world’s Administrator Card Set (ACS) has been damaged or lost, use the command-line utility racs.exe to create a new set immediately. If further cards are damaged or lost, you may not be able to recreate your security world.

Replacing the ACS uses K of the cards in the current ACS in order to:

• load the secret information that is to be used to protect the archived copy of the security world key.

• create a new secret that is to be shared between a new set of cards

• create a new archive that is to be protected by this secret.

Note: Before you start to replace an ACS, you must ensure that you have enough blank cards to create a complete new ACS. If you start the procedure without enough cards, you will have to cancel the procedure part way through.

The racs.exe utility creates a new ACS to replace a set that was created when the security world was created with the DSE200’s Web-based user interface. To create a new ACS, follow these steps:

1: Give the following command:C:\nfast\bin\racs.exe --module=1 --force

2: Insert blank cards as required to format them as replacement Administrator Cards.

3: When you have finished replacing the ACS, erase any remaining old Administrator Cards.

Note: nCipher recommends that you erase your old Administrator Cards as soon as you have created the new ACS. An attacker with the old ACS and a copy of the old host data could still recreate all your keys. With a copy of a current backup, they could even access keys that were created after you replaced the ACS.


Appendix E: Local Audit/NTP service

If you have selected Local Audit as the method by which the DSE200 secure clock is to be audited as described in Chapter 6: Viewing card set lists on page 55, this requires that the NTP Service be started and that the file C:\winnt\system32\drivers\etc\ntp.conf contain a reference to an NTP server on the local network. Configuration of the NTP Service requires a Windows Administrator to log in to the System console.

The Local Audit setting provides time that is traceable only to the DSE200 host PC clock. If you use the Local Audit setting, nCipher recommends also using a good security policy with regard to the physical security of the DSE200 and the network connection to the NTP server.

The Network Time Protocol (NTP) service must be set up for Automatic start-up. This is done with the Windows 2000 or 2003 Services applet.

The ntp.conf file must be configured to use a local NTP server. You can edit the ntp.conf file with Windows Notepad. The file is in the C:\winnt\system32\drivers\etc directory. The default file includes a line for the nist1.datum.com NTP server; this line should be changed to refer to a local NTP server.

Changes to the ntp.conf file do not take effect until the NTP service is restarted. This can be done by using the Windows 2000 or 2003 Services applet to stop and restart the Network Time Protocol Service or by rebooting Windows.

Appendix F: Time signing glossary

The following are time-related terms, and their definitions.

Term Definition

Access Control The mechanisms of limiting entry to resources based on users’ identities and their membership in various predefined groups. The network resources with these access restrictions typically are servers, directories, and files.

ACTS Automated Computer Time System, a NIST service that provides announced time via telephone.

Advanced Encryption Standard (AES)

Developed by NIST and private companies, this standard is 256-bit based and is a stronger defense for sensitive material when compared to 40-bit or 128-bit.

Algorithm A clearly specified mathematical process for computation, or set of rules which, if followed, will give a prescribed result.

ANSI American National Standards Institute, the organization responsible for approving US standards in many categories, including computers and communications. Standards approved by this organization are often called ANSI standards.

API Application Program Interface. This interface enables software developers to write their software so that it can communicate with the computer's operating system or other programs.

ASCII American Standards Code Information Interchange, a code in which each alphanumeric character is represented as a number from 0 to 127, in binary code so the computer can understand it. Its simplicity allows diverse computers to understand one another.

ATM Asynchronous Transfer Mode, or ATM switching. This is a type of packet switching that makes it possible to transmit data at high speeds over a network. It also allows dynamic allocation of bandwidth, meaning users get only the bandwidth they need and are charged accordingly.

nCipher DSE200 84

Attribute Certificate

A type of certificate that emphasizes certification of access rights and constraints. This is in contrast to Identity Certificate, which binds a distinguished name (DN) and a public key. Commonly, attribute certificates are issued with short validity periods and do not contain a public key value.

Audit Trail A series of events, usually kept in and managed by a computer-based log, that give proof of a defined activity.

Authentication The process by which people (or applications) who receive a certificate can verify the identity of the certificate’s owner and the validity of the certificate. Certificates are used to identify the author of a message or an entity such as a Web server or DSE200.

Authorization The granting of access rights to a user, program, or process. Once you have authenticated a user, the user may be allowed different types of access or activity.

BCD Binary Coded Decimal. Also called packed decimal, this is the representation of a number by using 0s and 1s, or four-bit binary numbers. So the number 29 would be encoded as 0010 1001.

Bureau International de l’Heure (BIPM)

The worldwide organization that coordinates standard frequencies and time signals, the BIPM maintains Coordinated Universal Time (UTC).

Calibration To fix the graduations of time measurement against the established national standard, including any periodic corrections that should be made.

CDMA Code Division Multiple Access, a technique of multiplexing, also called spread spectrum, in which analog signals are converted into digital form for transmission.

CDSA Common Data Security Architecture describes the security structure for an entire network. It is unique to each network because security is managed differently for each.

Certificate Certificates are used to verify the identity of an individual, organization, Web server, or hardware device. They are also used to ensure non-repudiation in business transactions, as well as enable confidentiality through the use of public-key encryption.

Term Definition

nCipher DSE200 85

Certificate Authority (CA)

A trusted entity that issues a certificate after verifying the identity of the person or program or process that the certificate is intended to identify. A CA also renews and revokes certificates and, at regular intervals, generates a list of revoked certificates.

Certificate Extension

An extension of the X.509 standard that lets the certificate hold additional identifying information.

Certificate Request

A request containing a user’s public key, distinguished name (DN), and other data that is submitted to a Certificate Authority (CA) in order to receive a certificate.

Certificate Revocation List (CRL)

CRLs list certificates that have been revoked by a particular CA. Revocation lists are vital when certificates have been stolen, for example.

Certification Path

A specified sequence of issued certificates necessary for the user to get their key.

Confidentiality Keeping secret data from unauthorized eyes.

Content Filtering

A filter that screens out data by checking (for example) URLs or key words.

Coordinated Universal Time (UTC)

The international time standard is called Coordinated Universal Time or, more commonly, UTC, for “Universal Time, Coordinated”. This standard has been in effect since being decided on 1972 by worldwide representatives within the International Telecommunication Union. UTC is maintained by the Bureau International de l’Heure (BIPM) which forms the basis of a coordinated dissemination of standard frequencies and time signals. The acronyms UTC and BIPM are each a compromise among all the participating nations.

CR See Certificate Request.

Credential(s) Much like a photo ID or birth certificate, electronic credentials are recognized as proof of a party's identity and security level. Examples: certificate, logon ID, secure ID, and so forth.

Term Definition

nCipher DSE200 86

Cross-Certificate

Two or more Certificate Authorities (CAs) which issue certificates (cross-certificates) to establish a trust relationship between themselves.

Cryptography See Encryption.

Data Encryption Standard (DES)

Encryption method in which both the sender and receiver of a message share a single key that decrypts the message.

DCLS Direct Current Level Shift, or digital IRIG. See also: IRIG.

Decryption The transformation of unintelligible data (ciphertext) into original data (clear text).

Denial of Service

When a network is flooded with traffic through any of a variety of methods, the systems cannot respond normally, so service is curtailed or denied. This is a favorite technique of network saboteurs.

DES See Data Encryption Standard (DES).

DHCP Dynamic Host Configuration Protocol is a standards-based protocol for dynamically allocating and managing IP addresses. DHCP runs between individual computers and a DHCP server to allocate and assign IP addresses to the computers as well as limit the time for which the computer can use the address.

Diffie-Hellman A key-agreement algorithm used to create a random number that can be used as a key over an insecure channel.

Digital Certificates

Digital Certificates are issued by a Certificate Authority (CA), which verifies the identification of the sender. The certificate is attached to an electronic message, so the recipient knows the sender is really who they claim to be.

Digital Fingerprint

Similar to digital signature, a digital fingerprint is the encryption of a message digest with a private key.

Digital Signature

Like a digital certificate, a digital signature is a data string that is verified by a Certificate Authority, and is attached to an electronic message so that it can verify that the sender is really who they claim to be. The difference between a digital certificate and a digital signature is found in how the message is encrypted and decrypted.

Term Definition

nCipher DSE200 87

Digital Signature Algorithm (DSA)

The asymmetric algorithm that is at the core of the digital signature standard. DSA is a public-key method based on the discrete logarithm problem.

Digital Signature Standard (DSS)

A NIST standard for digital signatures, used to authenticate both a message and the signer. DSS has a security level comparable to RSA (Rivest-Shamir-Adleman) cryptography, having 1,024-bit keys.

Digital Time-Stamp

See Time-Stamp.

Directory The directory is the storage area for network security information such as keys or server names.

DSA See Digital Signature Algorithm (DSA).

DS/NTP Datum Secure Network Time Protocol, the protocol used by Sovereign Time, Inc., based on NTP and which includes additional security features.

DSS See Digital Signature Standard (DSS).

Element Manager (ENMTMS)

Software that manages the components of an application.

Encryption The transformation of clear data (clear text) into unintelligible data (ciphertext). Asymmetric encryption, also known as Public Key encryption, allows for the trading of information without having to share the key used to encrypt the information. Information is encrypted using the recipient’s public key and then the recipient decrypts the information with their private key. Symmetric encryption, also known as Private Key encryption, allows information to be encrypted and decrypted with the same key. Thus the key must be shared with the decrypting party--but anyone who intercepts the key can also use it.

Ephemeris Time Time obtained from observing the motion of the moon around the earth.

Term Definition

nCipher DSE200 88

FIPS Federal (US) Information Processing Standards are a set of standards for document processing and for working within documents. Some commonly-used FIPS standards are 140-1, 140-2, and 180.

Firewall Firewalls are software and hardware systems that define access between two networks, offering protection from outside data that could be harmful, such as a virus sent via the Internet.

GMT Greenwich Mean Time, the mean solar time of the meridian of Greenwich, England, used until 1972 as a basis for calculating standard time throughout the world.

GPS Global Positioning System. The GPS is a constellation of 24 (or more) US Department of Defense satellites orbiting the earth twice a day.

Hack/crack Hackers are unauthorized programmers who write code that enables them to break into a computer network or program. Crackers are unauthorized programmers whose goal it is to break into computer networks or programs protected by security software or hardware.

Hash Also called hash function or hashing, used extensively in many encryption algorithms. Hashing transforms a string of characters usually into a shorter, fixed-length value or key. Information in a database is faster to search when you use a hashed key, than if you were to try to match the original data.

HTML HyperText Markup Language, the computer language used to create pages for the World Wide Web.

HTTP HyperText Transfer (or Transport) Protocol, the protocol most often used to transfer information from World Wide Web servers to users of the Web.

HTTPS HTTP over an SSL connection.

Identity Certificate

Also called Digital Certificates. The hash creates a message digest based on the contents of the message. The message is then encrypted using the publisher's private key, then it is appended to the original message.

Term Definition

nCipher DSE200 89

IEEE Institute of Electrical and Electronic Engineers, an international organization that sets standards for electrical and computer engineering.

IETF Internet Engineering Task Force, an international organization which sets standards for Internet protocols in their Request for Comment (RFC) papers.These papers are numbered (RFC 1305, RFC 868, and so on) and are referred to by engineers worldwide as they work on technologies that support IETF standards.

IKE Internet Key Exchange, a security system that uses a private key and an exchange key that encrypts private keys. Passwords are delivered via the Internet.

In-band Authentication

When you use PKI—which involves public keys and a private key— for authentication, it is called in-band authentication. See also: Out-of-band Authentication.

Integrity Data that has retained its integrity has not been modified or tampered with.

IPSec Internet Protocol Security describes the IETF protocols that protect the secure exchange of packets on the IP layer.

IRIG InteRange Instrumentation Group is an analog standard for serial time formats.

Irrefutable See Non-repudiation.

ITU International Telecommunications Union, the international organization that sets standards for data communication.

Key An alphanumeric string that encrypts and decrypts data.

Key Escrow A secure storage maintained by a trusted third party, which holds keys.

Key Generation Creation of a key.

Key Management

The process by which keys are created, authenticated, issued, distributed, stored, recovered, and revoked.

Key Pair Two integrated keys: one public, one private.

Term Definition

nCipher DSE200 90

Key Recovery The process of recovering a private decryption key from a secure archive for the purposes of recovering data that has been encrypted with the corresponding encryption key.

L1 Band, L2 Band

Each Navstar GPS satellite currently transmits in two dedicated frequency bands: L1 and L2, which is centered on 1227.6 MHz. L1 carries one encrypted signal, as does L2, both being reserved for the military. L1 also carries one unencrypted signal, for civilian use.

LDAP The Lightweight Directory Access Protocol is the standard Internet protocol for accessing directory servers over a network.

Leap Seconds Today’s scientists and engineers have perfected clocks based on a resonance in cesium atoms to an accuracy of better than one part in 10 trillion. These clocks keep pace with each other to within one two- or three-millionth of a second over a year’s time. The earth, on the other hand, might randomly accumulate nearly a full second’s error during a given year. To keep coordinated with the rotation of the earth, this error is added to (or deleted from) UTC time as a leap second, on the last day of the June or December in that year.

MD5 An algorithm for creating a cryptographic hash (or fingerprint) of a message or of data.

Message Authentication Code (MAC)

A MAC is a function that takes a variable length input and a key to produce a fixed-length output.

Message Digest The hash of a message. See also: Hash.

MIB Management Information Base, a database on the network that tracks, records, and corrects performance for each device on the network.

MTBF Mean Time Between Failure, a measure of reliability. The longer the time span between failures, the more reliable the device.

Multiplexing Process during which two or more signals are combined into one; at the other end, signals are unbundled by a demultiplexer. TDM is Time Division Multiplexing, FDM is Frequency Division Multiplexing, and CDMA is Code Division Multiple Access.

Term Definition

nCipher DSE200 91

National Measurement Institute (NMI)

Also known as National Metrology Institute(s), the National Measurement Institute(s) is the national authority in each country that is usually recognized as the source of official time.

NIST National Institute of Standards and Technology, the National Measurement Institute in the United States. NIST produces standards for security and cryptography through in the form of FIPS documents.

NOC A Network Operations Center is a centralized point of network management within a large-scale data network.

Non-repudiation The time-stamp creates an evidentiary trail to a reliable time source that prevents a party in a transaction from later denying when the transaction took place.

Notarization Certification of the identity of the party in a transaction based on identifying credentials.

NTP Network Time Protocol is a protocol that provides a reliable way of transmitting and receiving the time over the TCP/IP networks. The NTP, defined in IETF RFC 1305, is useful for synchronizing the internal clock of the computers to a common time source.

OCSP Online Certificate Status Protocol, a protocol defined in RFC 2560, enables applications to check the status of a certificate every time the certificate is used.

OID Object Identifier.

Online validation

A way of validating a key each time before it is used to verify that it has not expired or been revoked.

OSI Operations System Interface.

Out-of-band Authentication

When authentication is performed using relatively insecure methods, such as over the telephone, it is called out-of-band authentication. In-band authentication, which uses PKI, is preferred. See also: In-band Authentication

PCI Peripheral Component Interconnect, a local bus that supports high-speed connection with peripherals. It plugs into a PCI slot on the motherboard.

Term Definition

nCipher DSE200 92

PKCS Public Key Cryptography Standards. These standards allow compatibility among different cryptographic products.

PKI Public Key Infrastructure. The PKI includes the Certificate Authority (CA), key directory, and management. Other components such as key recovery, and registration, may be included. The result is a form of cryptography in which each user has a Public Key and a Private Key. Messages are sent encrypted with the receiver's public key; the receiver decrypts them using the private key.

PKI Certificate See Digital Certificates.

PKIX Extended Public Key Infrastructure, or PKI with additional features approved by the IETF.

Private Key This is a secret key, known to only one of the parties involved in a transaction.

PSTN Public Switched Telephone Network, a voice and data communications service for the general public which uses switched lines.

Public Key Messages are sent encrypted with the recipient's public key, which is known to others; the recipient decrypts them using their private key.

Public Key Certificate

Certificate in the form of data that holds a public key, authentication information, and private key information.

RA A Registration Authority (RA) does not issue certificates, but does the required identification for certain certificate data.

Resolution Resolution of a time code refers to the smallest increment of time, whether it is days, hours, seconds, or other.

Revocation The withdrawing of a certificate by a Certificate Authority before its expiration date or time. See also Certificate Revocation List (CRL).

Risk Management

The tasks and plans that help avoid security risk, and if security is breached, helps minimize damage.

Term Definition

nCipher DSE200 93

Root CA A Certificate Authority (CA) whose certificate is self-signed; that is, the issuer and the subject are the same. A root CA is at the top of a hierarchy.

Root Time Trust Authority (RTTA)

Also called Root Time Trust Services, these are end user organizations who provide time calibration and auditing services. Examples include Seiko Instruments, Inc., and Sovereign Time.

RSA The RSA (Rivest-Shamir-Andleman) algorithm is a public-key encryption technology developed by RSA Data Security.

SHA-1 Secure Hash Algorithm is an algorithm developed by the US National Institute of Standards and Technology (NIST). SHA-1 is used to create a cryptographic hash of a message or data. It has a larger message digest, so it is considered to be somewhat stronger than MD5.

Smart card A card the size of a credit card, which holds a microprocessor that stores information.

S/MIME Secure Multipurpose Internet Mail Extensions. The standard for secure messaging.

SNMP Simple Network Management Protocol is the Internet standard protocol for network management software. It monitors devices on the network, and gathers device performance data for management information (data)bases (MIB).

Solar Time Time based on the revolution of the earth around the sun.

SSL Secure Sockets Layer, a protocol that enables secure communications on the World Wide Web/Internet.

SSL Client Authentication

Part of the SSL handshake process, when the client responds to server requests for a key.

SSL-LDAP Secure Sockets Layer-Lightweight Directory Access Protocol.

SSL Server Authentication

Part of the SSL handshake process, when the server informs the client of its certificate (and other) preferences.

Term Definition

nCipher DSE200 94

Stratum Levels These are standards set by Network Time Protocol RFC 1305. The highest level are W3CStratum 0 devices such as GPS, which get their time from a primary time source such as a national atomic clock. Stratum 1 servers source their time from a Stratum 0 device. Stratum 2 and beyond obtain their time from Stratum 1 servers. The further removed in stratum layers a network is from a primary source, the greater the chance of signal degradations due to variations in communications lines and other factors.

Sysplex Timer The Sysplex Timer provides a synchronized Time-of-Day clock for multiple attached computers.

TCCert Time Calibration Certificate.

TCP/IP A mainstay of the Internet, the Transmission Control Protocol (TCP) provides dependable communication and multiplexing It is connection-oriented, meaning it requires a connection be established data transfer. It sits on top of the Internet Protocol (IP), which provides packet routing. This is connectionless, meaning each data packet has its source and destination data embedded, so it can bounce around a network and still get to its destination.

Telnet Telnet is a terminal emulation application protocol that enables a user to log in remotely across a TCP/IP network to any host supporting this protocol. The keystrokes that the user enters at the computer or terminal are delivered to the remote machine, and the remote computer response is delivered back to the user’s computer or terminal.

TFTP TFTP is a UDP-based, connectionless protocol.

Time Signing The process by which a stamp server issues a digital signature of the time stamp, then encrypts it.

Time-Stamp A record mathematically linking a piece of data to a time and date. Subset of a time signing.

Time-Stamping Authority

An authorized device that issues time-stamps, and its owner.

Term Definition

nCipher DSE200 95

TLS Transport Layer Security, security that protects the OSI layer that is responsible for reliable end-to-end data transfer between end systems.

Tool box A group of software applications that have similar functions.

TPC Third Party Certificate. See also: Certificate.

TPCA Third Party Certification/Certificate Authority. See also: Certificate Authority (CA).

Traceability Traceability infers that the time standard used on the time signing server was set using time directly or indirectly from a National Measurement Institute (NMI).

Transaction An activity, such as a request or an exchange.

Triple DES Also called Triple Data Encryption Algorithm (TDEA), Data Encryption Standard is an algorithm that encrypts blocks of data.

Trust In the network security context, trust refers to privacy (the data is not viewable by unauthorized people), integrity (the data stays in its true form), non-repudiation (the publisher cannot say they did not send it), and authentication (the publisher--and recipient--are who they say they are).

TSA See Time-Stamping Authority.

TSP Time-Stamp Protocol.

TTI Trusted Time Infrastructure is the clock and management system used by Digital Trust Authorities and National Measurement Institutes in support of Trusted Time StampServers.

UDP/IP User Datagram Protocol/Internet Protocol is a communications protocol that provides service when messages are exchanged between computers in a network that uses the Internet Protocol. It is an alternative to the Transmission Control Protocol.

USNO U.S. Naval Observatory, in Washington, D.C., where the atomic clock that serves as the official source of time for the United States is maintained.

UTC See Coordinated Universal Time (UTC).

Term Definition

nCipher DSE200 96

Vault Secure data storage facility.

Verification The process of making sure the identity of the parties involved in a transaction is what they claim it to be.

Virus An unwanted program that hides behind legitimate code, and which is activated when the legitimate program is activated.

VPN Virtual Private Network, a way that authorized individuals can gain secure access to an organization's intranet, usually via the Internet.

W3C The World Wide Web Consortium, based at the Massachusetts Institute of Technology (MIT), is an international organization which creates standards for the World Wide Web.

Wireless Application Protocol (WAP)

Wireless Application Protocol, a worldwide standard for applications used on wireless communication networks.

WPKI Wireless Public Key Infrastructure.

WTLS Wireless Transport Layer Security.

X.509 The ITU's X.509 standard defines a standard format for digital certificates, the most-widely used PKI standard.

X.509 v3 Certificate Extension

The X.509 standard with extended features approved by the IETF.

Term Definition

nCipher DSE200 97


Appendix G: TST TAC encoding and binding

Supporting RFC3852 and RFC3126 requires optional encoding formats for RFC3161 Time-Stamp Tokens. This relates to how the TAC is stored in the time-stamp token and how the TAC is cryptographically bound to the signature.

CertificateChoices1 with ESSCertID (compatibility mode) This is the current implementation. The Time Attribute Certificate is encoded in the CHOICE [1] field in the CertificateChoices and the SHA-1 hash of the TAC is stored in the ESSCertID.

CertificateChoices2 with ESSCertID (RFC3369 & 3852) This option puts the Time Attribute certificate into the CHOICE [2] field in the CertificateChoices and sets the CMS version of the Time Stamp Token to 4 (because a V2 attribute certificate is present).

Note: Adobe Acrobat time-stamping support rejects CMS V4 as a bad version number. If you are using Adobe Acrobat time-stamping, nCipher recommends continuing to use an older option that is Acrobat-compatible until a fix from Adobe is made available.

SignerAttribute (RFC3126 & ETSI) This option puts the entire TAC into a signed attribute. In this case, the hash of the TAC is not included in the ESSCertID because it would be redundant and RFC3126 requires it not to be present. This option also adds the SigningTime signed attribute (redundant but required by the RFC) and the SignaturePolicyId signed attribute. The policy is NULL because a time-stamp token already must include a PolicyID in the TSTInfo.

Index

AAcceptable Policy

See Policy Object Identifier (OID) 42Administrator Card Set (ACS) 14

replace 17, 82Administrator Log 60Advanced Encryption Standard (AES) 84Alerts 69Archived Logs 61Attribute Certificate 85Audit 59

status 51Audit Request

max retry 40port 21retry delay 40

Audit Trail 85Auditing Services Provider 20Authenticode 46

BBoard Log 60

CCA Certificate

add 39Card Set

change 56view 56

Certificate Revocation List (CRL) 86Certificates

obtain 66Clock Status 51Co-ordinated Universal Time (UTC) 10, 86Co-processors 12

DData Encryption Standard (DES) 87Digital Certificate Types 65Digital Signature 87Digital Signature Algorithm (DSA) 88

See Also Signature AlgorithmDisable Unattended Startup 47Document Sealing Engine (DSE200) 9

configure on the network 25features 9overview of 9rack mounting 23

DS/NTP Audit Port 20, 21configure 42

DS/NTP Audit Sourceselect 42

DSE200 Environment 21temperature and humidity 23warnings 22

EError Messages 69

FFAQ 65Features 9FIPS Compliance 15Firewall

configure 26Firmware 77

upgrade 78Foreign Token (FTO) Authorization Key 37Frequently Asked Questions (FAQ) 65

GGlossary 84

HHardware 22, 24

connect smart card reader 24power connection 23


set up 24Hardware Installation Warnings 22Hash 89

See Also Time Stamp Request HashHTTP and HTTPS Ports 21

IIP Address 25

obtain 25static 25

KKey Pair 90Key Recovery

enable 33Keys

how they are generated 66storage 66

KeyStoreview information 56

LLeap Seconds 67, 91Load TSA 49Local Audit 42Local Audit/NTP Service 83

port 21Log In

Network Manager 28Security Officer 28

LogsAdministrator 60archive 61Board 60

MMax Delay 59Max Offset 59MD5 Signature Algorithm 91

See Also Signature Algorithm 91Module

initialize 75operational state 76

NNational Measurement Institute (NMI) 10Network

configure connection 27configure DSE200 on 25

Network Manager 20, 62password 28username 28

NMI 10Non-volatile Memory (NVRAM) Authoriza-tion Key 37

OOCS

persistence 44timeout 43, 44

Offset 59Operational Status 50

check 50Operator Card Set (OCS) 14, 15

create 43pass phrase 16persistence 16

PPass Phrase 16Password


Persistence 16, 44PKIX 93Policy Object Identifier (OID) 39

change 42Power Connection 23Promise Raid Array Management (PAM) 13Public Key Infrastructure (PKI) 11

RRack Mounting 23


Real-time Authorization Key 37Replace ACS 82Restart Server 63RFC 3161 46RFC3161 Socket-based TSP Port 21Rivest-Shamir-Andleman Algorithm (RSA)94Roles and Responsibilities 19


Root CA Certificate 48import 48

SSecure Hash Algorithm (SHA) 94Security Officer 19, 62

password 28username 28

Security World 13ACS 14create 31FIPS Compliance 15join existing 35OCS 14recover 17replace 35SEE delegation 36view status 36

SEE Debugging 37SEE Delegation 36Self-signed Certificate 47Server

restart 63Signature Algorithm 46, 57Signatures 12Smart Card Reader

connect 24Smart Cards 14

ACS 14OCS 14

Software 22

install 77upgrade 77

SSL Certificate 28fulfill 29initiate 28KeyStore information 56view information 29

TTAC 51, 58TCP/318 21TCP/80 21TCP/IP Ports 20

for DS/NTP Audits 20for HTTP and HTTPS 21for listening 20for RFC3161 socket-based TSP 21for sending 21

TCP/IP Requirements 20Technical Support 8Temperature and Humidity Recommenda-tions 23Time Attribute Certificate (TAC) 58

view information 58Time Signing 12

status 51Time Stamp Request Hash

select 42Time Stamping Authority (TSA) 38

configure 41create new 41export 57fulfill 48initiate 45key status 51, 57keys 38load 49multiple TSAs 38public key 58register 50restore keys 53


serial number 57signature algorithm 57version 57view certificate information 57view pending 47

Time Standards 10Timeout 43, 44, 56

set value 56Time-stamp 59

mode 46protocols 12

Time-stamp ModeAuthenticode 46RFC 3161 46

Triple DES 96Trusted Master Clock (TMC) 11TST TAC Encoding and Binding 98

select option 42

UUDP >1023 21UDP/123 20, 21UDP/318 21Upper Clock 39

add 40, 54CA certificate store 39remove 54

Uptimeview 60

User 62add 62delete 63modify 63

User IDNetwork Manager 28Security Officer 28

User Informationmodify 63

User Login Statistics 61view 61

WWeb Browsers 22

XX.509 Certificate 97


nCipher addresses

Internet addresses

Note: nCipher also maintain international sales offices. Please contact the UK or the US head office for details of your nearest nCipher representative.

nCipher Corporation Ltd. nCipher Inc.

Cambridge, UK

Jupiter HouseStation RoadCambridgeCB1 2JDUK

Boston Metro Region, USA

92 Montvale AveSuite 4500Stoneham, MA. 02180USA

Tel:Fax:

+44 (0) 1223 723600+44 (0) 1223 723601

Tel:

Fax:

800-NCIPHER800-6247437+1 (781) 994 4000+1 (781) 994 4001

E-mail: [email protected]@ncipher.com

E-mail: [email protected]@ncipher.com

Web Site: http://www.ncipher.com

Online Documentation: http://active.ncipher.com/documentation

http://www.ncipher.com

http://active.ncipher.com/documentation/

Date post:	22-Aug-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

DSE200 Administrator Guidekifri.fri.uniza.sk/~chochlik/epodpis/nCipher... · overview This chapter...

Documents