Manual CA MANAGEMENT Version 2.0

Upload: daniela-ionita

Post on 28-Nov-2014


Page 1: CAManagement 2 0 English

Manual

CA MANAGEMENT Version 2.0


SECUDE Sicherheitstechnologie Informationssysteme GmbH
Landwehrstraße 50a
D-64293 Darmstadt

World Wide Web: http://www.secude.com
Support: [email protected]

Copyright SECUDE GmbH 1997-1999

SECUDE Library Version 5.2

CA MANAGEMENT Version 2.0.12

Version 2.0 / Spring 1999


Version 2.0 SECUDE CA MANAGEMENT

SECUDE GmbH i

Contents

1 INTRODUCTION 2
1.1 Functions of a CA 2
1.2 Personal Security Environment (PSE) 3
1.3 Issue Certificates for Users 4
1.4 Security Guidelines for Operating a CA 6
1.5 Distinguished Names 6
1.6 Passwords 7

2 CA MANAGEMENT INSTALLATION 9
2.1 Prepare the Installation 9
2.2 How to install CA MANAGEMENT 10
2.2.1 Installation via Internet 10
2.2.2 Installation from CD ROM or Network 10
2.3 Aborting the installation 15

3 ORGANISATION OF A SECURITY INFRASTRUCTURE 16
3.1 Basic Information on the Organisation of a Security Infrastructure 16
3.2 Create a Root Authority 18
3.2.1 Create a CA-PSE as a File 19
3.2.2 Creating a Smartcard CA-PSE 27
3.2.3 Create a Cryptoboard based CA-PSE 30
3.3 Create a Subordinate CA 32

4 OPTIONS 34
4.1 User-specific Settings 34
4.1.1 Program Options 34
4.1.2 SECUDE 36
4.1.3 X.500 38
4.1.4 Warning Periods 38
4.2 CA-specific Options 39
4.2.1 Issuer 39
4.2.2 PSE Options 40
4.2.3 User Options 42
4.2.4 Sphinx Pilot 43

5 MANAGEMENT OF THE CA 44
5.1 CA MANAGEMENT Overview 44
5.2 The Tool Bar 45
5.3 The Menu Bar 46
5.3.1 File 47
5.3.2 View 48
5.3.3 CA-PSE 49
5.3.4 User 57
5.3.5 Extras 61
5.3.6 Smartcard 65
5.3.7 Window 67
5.3.8 Help – (?) 67


6 MANAGEMENT OF USER DATA 69
6.1 User List and User Form 69
6.1.1 User List 69
6.1.2 User Form 70
6.2 Process User Entries 73
6.2.1 Register a New User 73
6.2.2 Enter PSE Data 73
6.2.3 Register Certificate 75
6.2.4 Create Further PSEs for Same User 76
6.2.5 Delete a User Entry 76
6.2.6 Delete a PSE Data Set 76
6.2.7 Delete a Certificate Data Set 76
6.3 Create User PSEs 76
6.3.1 Create Individual PSEs 77
6.3.2 Create Several PSEs 77
6.4 Certification of Incoming Prototype Certificates 78
6.5 Write Again User PSE 79
6.6 Subsequent Inclusion of an Existing PSE in a Smartcard 79

7 REVOCATION LIST MANAGEMENT 81
7.1 List Area 81
7.2 Information on the Digital Signature 82
7.3 Buttons 82
7.3.1 Add 82
7.3.2 Sign 83
7.3.3 Verify 83
7.3.4 Save in PSE 83
7.3.5 Save in PEM File 83
7.3.6 Save in Directory 83
7.3.7 Save in ldif File 84

8 IMPORT AND EXPORT OF USER DATA 85
8.1 Import of SAP R/3 User Data 85
8.2 Import of SECUDE Data 86
8.3 Inform of Transport Password: Export to Microsoft Word – Form Letter 87

9 GLOSSARY 88

10 FIGURES AND TABLES 90

11 BIBLIOGRAPHY 92

12 APPENDIX 93
12.1 Fields in the User Form 93
12.2 Data Base Specification CA.MDB 95


Preliminary Remarks

Target Group: System administrators.

Preview: Chapter 1 gives an overview of the tasks of a certification authority (CA). It describes the theoretical principles of key distribution and the security guidelines for operating a CA.

Chapter 2 describes the installation. The installation program requests all user entries and guides through the installation.

Chapters 3 to 8 explain how to use SECUDE CA MANAGEMENT. The organisation of a security infrastructure, the program options, the management of a CA-PSE, and user management are discussed. Key generation and import of external data are explained.

Chapter 9 contains a glossary of the most important terminology, Chapter 10 the list of illustrations and the list of tables, Chapter 11 the bibliography. The Appendix is contained in Chapter 12.

For quick information on the individual topics the chapters can be read separately. Cross-references to related topics are provided.

Copyright

Cryptoflex is a registered trademark of Schlumberger Industries.
Microsoft is a registered trademark of Microsoft Corporation.
R/3 is a registered trademark of SAP AG Walldorf.
SECUDE is a registered trademark of GMD – German National Research Center for Information Technology.
TCOS is a registered trademark of Deutsche Telekom AG.


1 Introduction

A certification authority (CA) has the task of issuing certificates for users, i.e. of making a connection between the user and his public key. This is achieved by means of the so-called digital signature. The CA signs – with a digital signature – a data package consisting of the user's public key, a serial number issued by the CA, a period of validity, and the user's name. The combination of this data package and the CA's signature is called the certificate.

1.1 Functions of a CA

Operating a CA demands a number of organisational steps which at this point will not be further detailed. The following gives a short description of the technical resources that are required to run a CA.

Generate CA keys

For certification operations a CA needs its own asymmetric key pair. SECUDE deposits this key pair in a CA-PSE, which is protected by a password, the same as with a user's PSE. The CA key pair demands special protection. The CA's asymmetric keys should be at least 1024 bits long. Depending on the intended validity period longer keys should be used. SECUDE in the present version supports key lengths between 512 and 2048 bits. An RSA key with less than 512 bits is not advisable, as the probability of it being cracked within a short time (several hours) is very high. The renewal of a CA key involves considerable time and money. As all parties in the security infrastructure require the CA's key to be stored in their PSEs to check other certificates, a new CA key must be supplied to them all, and all the parties' certificates must be re-issued and distributed. It is therefore recommended that the CA key be given a long period of validity (e.g. 5 or 6 years) and that it be protected by using a lengthy key (1536 bits usually).

Certify users

The function of the CA is to issue certificates for the participants of the security infrastructure. All partners in the communication to be safeguarded (not only persons, but also, for example, printers and application servers) have to be included. When issuing a certificate the CA ties a user's name to his public key. This is achieved with the digital signature of the CA under the user's certificate. This means that the CA guarantees that the name and public key in the certificate belong to one and the same person.

The CA has two ways of issuing a certificate.

In the first, the user generates his own key pair and gives the public key, as a so-called prototype certificate, to the CA for certification. In this case the CA must ensure that the name in the prototype certificate is correctly assigned before a signature is given, i.e. before the certificate is issued. This may require that the person legitimizes himself with a national or company ID. Checking the name by phone or e-mail is not sufficient.

The advantage of this version is that only the user is in possession of his private key and third parties are excluded. The user must now, however, take very good care of his private key so that, should a PSE be lost, it can be re-created.

In the second, the CA generates the key pair for the user. With SECUDE this means that a complete PSE is created for the user. When the PSEs are handed over to the users, the CA is obliged to ensure that each PSE goes to the correct user.

SECUDE's CA MANAGEMENT safeguards the newly issued PSEs with a transport password. The user is informed of the password by separate means.

Maintain revocation lists

The CA keeps a list of compromised certificates issued by the CA. This list, the revocation list, has to be maintained by the CA. A compromised certificate must remain on the revocation list until its expiry date.

With SECUDE for SAP R/3 the updated revocation list must be put at the disposal of the application servers at regular intervals. Only in this way can abuse by attackers who obtain unauthorised possession of others' certificates and their private keys be prevented.

1.2 Personal Security Environment (PSE)

In SECUDE security relevant information is stored in the PSE. This is nothing more than a secure memory. All the participants in the security infrastructure have their own PSE. All information required to participate in the security infrastructure is stored in it.
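The revocation rule stated above (a compromised certificate stays listed until its own expiry date) as an added example in Python; this is not code from the SECUDE manual, and the class, the date-keyed layout and the function names are this example's own assumptions.

```python
"""In-memory revocation list following the rule in section 1.1.

A revoked certificate is identified by the serial number the CA assigned
to it and stays on the list until the certificate itself expires; only
then may the entry be pruned.  A relying party (for example an application
server that has received the updated list) checks both expiry and
revocation before trusting a certificate.
"""
from datetime import date


class RevocationList:
    def __init__(self):
        # serial number -> (date of revocation, expiry date of the certificate)
        self._revoked = {}

    def revoke(self, serial, revoked_on, expires_on):
        """Add a compromised certificate; revoked_on must not be after expiry."""
        if revoked_on > expires_on:
            raise ValueError("cannot revoke a certificate after its expiry date")
        self._revoked[serial] = (revoked_on, expires_on)

    def prune(self, today):
        """Drop entries whose certificate has expired; return the dropped serials.

        An entry is kept as long as the certificate is still within its
        validity period, exactly as the manual requires.
        """
        expired = sorted(s for s, (_, exp) in self._revoked.items() if exp < today)
        for serial in expired:
            del self._revoked[serial]
        return expired

    def is_revoked(self, serial):
        return serial in self._revoked

    def serials(self):
        return sorted(self._revoked)


def certificate_usable(serial, expires_on, today, crl):
    """A certificate may be relied on only if unexpired and not on the list."""
    return today <= expires_on and not crl.is_revoked(serial)


if __name__ == "__main__":
    # Constructed sample data: serial 17 compromised in mid-1999.
    crl = RevocationList()
    crl.revoke(17, date(1999, 6, 1), date(2000, 12, 31))
    print(certificate_usable(17, date(2000, 12, 31), date(1999, 7, 1), crl))
    print(crl.prune(date(2001, 1, 1)))
```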


Figure 1: Elements of a PSE (public root key; forward certification path of certificates, each with name and signature; the owner's private key and certificate; certificate revocation lists)

SECUDE offers the option either to store the PSE on a smartcard or as an encrypted file on the hard disk of the computer. Depending on the version of the PSE (file or smartcard) it is more or less difficult to get possession of these sensitive data. With a file PSE it may even happen that the legitimate owner does not notice the loss. An attacker who manages to spy out the password and copy the file PSE has all necessary information at his fingertips. This is different when the PSE is on a smartcard. The loss of the card would normally be noticed by the owner very quickly (though not, for example, when he is on holiday). However, special terminals are required for smartcards.

Should a user notice that someone else has found out his file PSE password, the security administrator must be informed. The latter must decide whether a new PSE should be created or whether changing the password is sufficient. If it is suspected, even without conclusive evidence, that the PSE password is known to third parties, the PSEs should, to be on the safe side, be changed. With smartcards only the card password need be changed.

1.3 Issue Certificates for Users

There are two methods of generating key pairs. With the first method, the CA generates key pairs for the users. With the second, the user generates the key pair himself and has his public key, or rather the prototype certificate, certified by the relevant CA. Both methods have their pros and cons.

CA creates PSE

When the CA generates the keys it is possible to leave either the certificate (i.e. the certified public key), or the whole PSE (i.e. the certified public key plus the private key), in the CA's safekeeping. If the user needs his PSE again in the future, for whatsoever reason, he can have it handed out by the CA. This, however, has as a prerequisite a relationship

of trust between the infrastructure participants and the CA, as the private key is also in the hands of the CA.

When the CA creates the PSEs for the users of the security infrastructure, the user is not responsible for any security measures. A further advantage of this procedure is its simplicity. The CA can create the PSE in a single run. It generates the key pair and certifies the public key. SECUDE CA MANAGEMENT generates a random password for the transport and thus encrypts the PSE. The user is informed of the password by separate means.

Figure 2: CA creates PSE (security administrator and user; 1. generation of PSE; 2. PSE storage (encrypted) in the PSE memory; 3. information of password (offline); 4. installation of PSE and change of password)

In this way the CA ensures that only the user and the security administrator know the transport password.

User creates PSE

If the user generates his key pair and PSE himself, it is advisable that he keeps a copy of the PSE in a secure place, e.g. a safe, in case he needs it again after a loss, for example in a disk crash. Otherwise he has to generate a new key pair and have the public key certified again by the CA.


Figure 3: User creates PSE (security administrator and user; 1. generate PSE; 2. prototype certificate to CA; 3. certify user's prototype certificate; 4. certificate to user; 5. insert certificate into PSE)

This procedure gives the user the certainty that nobody else is in possession of his private key. The user himself must take care of jobs such as making a backup copy of his PSE. The transport of the prototype certificate from the user to the CA and the return of the certificate must also be dealt with. The user then also has to update the PSE with the certificate from the CA.

The advantage of this procedure is that the information transmitted, such as the prototype certificate and the certificate, is not security sensitive. All information transported is public anyway. The CA must only make sure that the prototype certificate actually belongs to the user. All sensitive data such as the password of the PSE or the private key remain with the user.

1.4 Security Guidelines for Operating a CA

A CA is comparable to a passport office. Should an unauthorised person get the opportunity to issue documents, big trouble can result. As the security relevant information with which a CA deals is in electronic form, precautions must be taken to prevent its being compromised.

The computer with which the CA operates should be in a safe environment. This can be a room or workplace to which only authorised persons have access. The computer should not be linked with a network. Access to this computer should be arranged so that only authorised and trained personnel can work with it. The personnel in charge of the CA must also maintain the necessary precautions.

Backup copies of the CA may and should be made. They should be kept in a secure place, e.g. a safe.

1.5 Distinguished Names

When operating a security infrastructure the participants are identified by so-called Distinguished Names, abbreviated DN. This is a naming scheme

in which persons are unambiguously named world-wide. DNs are defined in the standard ISO / ITU X.500.

The certifying authority and its users need such unambiguous names. A Distinguished Name can be composed of several components. The following table gives an overview of the name components supported by SECUDE.

Abbreviation   Meaning
BC             Business Category
C              Country
CN             Common Name
D              Description
L              Location
O              Organisation
OU             Organisational Unit
S              Surname
SN             Serial Number
SP             State or Province
ST             Street Address
T              Title

Table 1: Categories of Distinguished Names

In the printed table the most widely used name components are set in bold. A Distinguished Name is made up of a combination of the above abbreviations and corresponding values.

Examples of Distinguished Names:

CN=Bill Bo, OU=R3Administration, O=SECUDE GmbH, L=Darmstadt, C=DE
CN=Bill Bo, O=SECUDE GmbH, C=DE
O=SECUDE GmbH, C=DE

It is not necessary to use every name component in the name. What is important is the order of the components. First should come, if existent, the common name, then organisational unit, then organisation, location, and finally country.

It is advisable to use a short, unambiguous name for a CA. A CA certifies the public key of a user's asymmetric key pair. It is standard procedure that with the certification the user's certificates receive the name of the CA as a suffix to their name. The second and third lines of the above example show how the name of a CA and one of its users can be composed: the participant Bill Bo has the name of the CA integrated – i.e. O = SECUDE GmbH, C = DE.
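The naming rules of this section (supported components from Table 1, recommended component order, and the CA's name appearing as a suffix of its users' names) as an added example in Python; this is not code from the SECUDE manual, and the function names, the strictness of the checks and the treatment of components without an ordering rule are this example's own assumptions.

```python
"""Distinguished Name checks following section 1.5 of the manual.

Parses DNs written in the manual's "CN=Bill Bo, O=SECUDE GmbH, C=DE"
form, rejects components not listed in Table 1, reports components that
violate the recommended order, and tests whether a user DN ends with
the DN of the issuing CA.
"""

# Name components supported by SECUDE (Table 1).
SUPPORTED_COMPONENTS = {
    "BC": "Business Category", "C": "Country", "CN": "Common Name",
    "D": "Description", "L": "Location", "O": "Organisation",
    "OU": "Organisational Unit", "S": "Surname", "SN": "Serial Number",
    "SP": "State or Province", "ST": "Street Address", "T": "Title",
}

# Recommended order: common name, organisational unit, organisation,
# location, country.  The manual gives no rule for the other components,
# so this example (an assumption) ignores them when checking the order.
RECOMMENDED_ORDER = ["CN", "OU", "O", "L", "C"]


def parse_dn(dn):
    """Split 'ABBR=value, ABBR=value' into an ordered list of (abbr, value).

    Blanks inside a value are kept, because the manual warns that every
    character of a DN matters for later operations; blanks around the
    separating commas and the '=' are not significant and are dropped.
    """
    components = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"component without '=': {part.strip()!r}")
        abbr, value = part.split("=", 1)
        abbr, value = abbr.strip().upper(), value.strip()
        if abbr not in SUPPORTED_COMPONENTS:
            raise ValueError(f"unsupported name component: {abbr!r}")
        if not value:
            raise ValueError(f"empty value for component {abbr}")
        components.append((abbr, value))
    return components


def order_problems(dn):
    """Return the abbreviations that appear out of the recommended order."""
    problems = []
    last_rank = -1
    for abbr, _ in parse_dn(dn):
        if abbr not in RECOMMENDED_ORDER:
            continue
        rank = RECOMMENDED_ORDER.index(abbr)
        if rank < last_rank:
            problems.append(abbr)
        last_rank = max(last_rank, rank)
    return problems


def issued_by(user_dn, ca_dn):
    """True if the user's DN carries the CA's DN as its suffix."""
    user, ca = parse_dn(user_dn), parse_dn(ca_dn)
    return len(user) > len(ca) and user[-len(ca):] == ca


if __name__ == "__main__":
    ca = "O=SECUDE GmbH, C=DE"
    for dn in ("CN=Bill Bo, OU=R3Administration, O=SECUDE GmbH, L=Darmstadt, C=DE",
               "CN=Bill Bo, O=SECUDE GmbH, C=DE"):
        print(dn, "->", order_problems(dn), issued_by(dn, ca))
```

Of the manual's two user examples only the second carries the CA name as a suffix; in the first the location component sits between the organisation and the country, so the check fails even though the order is correct.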

1.6 Passwords

A PSE password is comparable in its function to the PIN of an EC card. It is required for logging on and to allow other programs access to the PSE. It protects the PSE from unauthorized use by third parties. The password should be known only to the owner of the PSE. It should be made up of a combination of letters (upper and lower case), special characters (blanks may also be used) and numerals. The length of the password may be up to 50 places, the exception being that smartcards allow only a password length of eight places.

To help users choose their passwords with care the CA can stipulate Password Rules which the users are obliged to observe.

In any case, special care should be taken when choosing passwords. It is advisable not to use any common names or terms and nothing that is in any way personally related to the owner of the PSE (e.g. phone no., birthdates of family members, etc.).

Examples of poor passwords are:

Bill, clinton, 1234, test, ....

Examples of good passwords are:

EbTiN97!, or ?d1X3h:Ijk5, ...

It is very difficult to remember a password like ?d1X3h:Ijk5, and even AbDiN97! is not much easier. It is, however, easy enough when behind the apparent random series of letters and numerals a sentence is hidden, whose first letters are used, e.g. "A blue day in November 97!". With a memory jogger like this and a minimum length of 6 places the password is reasonably safe.
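The password guidance of this section as an added example in Python, a checker of the kind a CA might use behind its Password Rules; this is not code from the SECUDE manual, and the word list, the reading of the smartcard limit as a maximum of eight places and the function names are this example's own assumptions.

```python
"""PSE password checks following section 1.6 of the manual.

Rules encoded: a mix of upper- and lower-case letters, numerals and
special characters (blanks allowed); at least 6 places; at most 50 places
for a file PSE and 8 for a smartcard; no common names or terms.  Personal
data such as phone numbers cannot be checked without knowing the owner,
so that rule is left to the CA's own Password Rules.
"""
import string

MIN_LENGTH = 6
MAX_LENGTH_FILE = 50
MAX_LENGTH_SMARTCARD = 8  # read here as the upper limit for smartcards

# Constructed stand-in for a list of common names and terms to refuse;
# a real deployment would carry a much larger list.
COMMON_TERMS = {"bill", "clinton", "test", "password", "secude", "admin"}


def password_problems(password, smartcard=False):
    """Return the rules the password violates; an empty list means acceptable."""
    problems = []
    limit = MAX_LENGTH_SMARTCARD if smartcard else MAX_LENGTH_FILE
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} places")
    if len(password) > limit:
        problems.append(f"longer than {limit} places")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in string.punctuation or c == " " for c in password):
        problems.append("no special character")
    # Strip decoration so that "Bill!" or "test1" still hits the word list.
    core = password.strip(string.punctuation + string.digits + " ").lower()
    if core in COMMON_TERMS:
        problems.append("common name or term")
    return problems


def acceptable(password, smartcard=False):
    return not password_problems(password, smartcard)


if __name__ == "__main__":
    for candidate in ("Bill", "clinton", "1234", "test", "EbTiN97!", "?d1X3h:Ijk5"):
        print(f"{candidate!r}: {password_problems(candidate) or 'acceptable'}")
```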


2 CA MANAGEMENT Installation

When operating a CA it is advisable to use a computer that is not accessible to everybody. Firstly this means that the computer should not be directly linked to a network or should be provided with specific protective features (firewall or similar) to prevent unauthorized access through the network to this one special CA computer. Secondly the CA computer should be located in a secure room where no unauthorized persons can gain access to it. The private key of the CA must remain inviolable, otherwise all previously issued certificates become invalid.

2.1 Prepare the Installation

SECUDE CA MANAGEMENT is supplied on a CD ROM. The CD ROM contains all programs and libraries required for the installation.

Installation of SECUDE CA MANAGEMENT is started from the CD-ROM. For Windows 95 and Windows NT the job is done by the installation program Setup.Exe. This can be found on the CD-ROM in the directory \CAManagement.

What is installed where

SECUDE CA MANAGEMENT consists of an executable program – CAManagement – and the dynamic link libraries (DLL) guihlp.dll, psegui.dll, psewiz.dll, scsctgui.dll, passwordgui.dll, v3extensionsgui.dll and secude.dll. When operating with smartcards further libraries, i.e. for the terminal and the smartcard being used, are required, e.g. ct32.dll, snsct.dll, tcos.dll. If an LDAP directory server is also to be addressed directly, then the library ldap32.dll is required too. All the above mentioned libraries are installed automatically with SECUDE CA MANAGEMENT.

Standard procedure is for SECUDE CA MANAGEMENT to be installed in the directory \Programs\SECUDE.

The program and the DLLs are installed in the directory \Programs\SECUDE\CA Management. To store configuration files, e.g. the ticket file and the sct_rc file, which configure the access to a possibly connected terminal, the directory %HOMEDRIVE%\%HOMEPATH%\secude is used.

To operate SECUDE CA MANAGEMENT a data base driver (DAO, consisting of several DLLs) is required. This driver is automatically installed by CA MANAGEMENT.

SECUDE PSE MANAGEMENT and UPDATE CADB are also automatically installed with SECUDE CA MANAGEMENT.


2.2 How to install CA MANAGEMENT

The installation under both Windows NT and Windows 95 should be done by someone familiar with the operating system. With Windows NT only an administrator is authorized to carry out the installation.

2.2.1 Installation via Internet

If you are going to install from CD or via a network, skip this section and proceed with section 2.2.2. If you install via Internet, start SECUDE20CAManagement.exe. The following dialog is displayed.

Figure 4: Internet Installation

Click Finish to unpack the actual installation program.

Figure 5: Unpacking

Wait until unpacking is done and proceed as described in section 2.2.2.

2.2.2 Installation from CD ROM or Network

The installation is started by double clicking the program Setup.

The installation program can alternatively be started via the Start menu and Run. To do this enter the CD ROM drive letter, the path and the program name in the field Open of the window Run. With a mouse click on the button OK the setup of CA MANAGEMENT is started.


In the Welcome window of the setup program you are requested to end all other active applications. This is required as, otherwise, the setup program may not be able to carry out all the necessary steps for an error-free installation of CA MANAGEMENT.

Figure 6: Welcome Window of the Installation

By clicking Next the installation is continued.

Figure 7: Software License Agreement

Please read the software license agreement. If all conditions of the agreement are acceptable, the button Yes is clicked, otherwise the button No. (Note that clicking No stops the installation.)

Figure 8: User Information

The names of the user and her/his company are required for the installation.

Figure 9: Set Destination Directory

Windows 95 and Windows NT from version 4.0 provide the directory Program Files for the installation of application programs. It is recommended for the installation of CA MANAGEMENT to make a sub-directory SECUDE there. A change in the destination of the installation can be made via the button Browse. If the path for the installation is accepted, the button Next can be clicked.

Figure 10: Select Program Folder

Here the name of the folder is entered under which the setup program creates the icon to call CA MANAGEMENT. SECUDE is used as the standard proposal. Next is clicked to confirm the entry.

Figure 11: Start of Installation

The directions of the installation program can be followed. After the button OK is clicked the installation program starts the setup.

Figure 12: Install SECUDE Ticket

To use secude.dll you need a valid license ticket. This generally comes with the software package.

After clicking Next, the progress of the installation is shown.

When the setup is finished an information window appears showing the installed components.

Figure 13: Information on Installed Components

The window is closed by clicking on OK.

Figure 14: Setup complete

After CA MANAGEMENT is installed, it can be used immediately. The computer does not need rebooting.

If you have already been working with an older version of CA MANAGEMENT, it may be necessary to update the database. From version 1.3.5 please run the installed program UpdateCADB.exe for all existing CAs. If it is an earlier version, please ask the SECUDE hotline.

2.3 Aborting the installation

The installation program can be aborted at any time by pressing the key Escape – ESC or with a mouse click on the button Cancel in any installation window.

Figure 15: Exit Setup

To abort the installation, Exit Setup in the above window must be clicked or the key ESC pressed.

3 Organisation of a Security Infrastructure

CA MANAGEMENT can be started from the icon on the left. In the Windows start menu the entry is under

c:\Program Files\SECUDE\CA Management

After the program has been loaded the dialog box appears for log-on. When CA MANAGEMENT is started for the first time, no CA-PSE is available for log-on.

A new security infrastructure must be organised, i.e. a CA-PSE created. First the so-called root authority is created by clicking the button Create in the dialog box Log On (see Chapter 3.2 Create a Root Authority).

Figure 16: Log On

The following sections lead the way through the Organisation of a Security Infrastructure.

3.1 Basic Information on the Organisation of a Security Infrastructure

SECUDE CA MANAGEMENT allows the generation of several independent certification trees. A certification tree always begins with a CA which performs the functions of the root authority. A root authority is the top level certification authority; it is not certified by any other authority. Subordinate CAs can be inserted into a certification structure either by having them created by the appropriate higher CA (cf. Chapter 3.3 Create a Subordinate CA), or by generating themselves a so-called prototype certificate that is sent to the intended higher CA and is then certified by it (cf. Chapter 5.3.3 CA-PSE under the item Write Certification Request).


Personal Security Environment as File or Smartcard?

A CA has the function of issuing certificates for users. SECUDE CA MANAGEMENT stores these certificates in a personal security environment (PSE). The PSE is stored either in a file or on a smartcard (see Chapter 1.2 Personal Security Environment (PSE)). It should be noted that smartcards have limited storage capacity. One's own certificate and the certificate from the root authority can be comfortably accommodated on today's smartcards. SECUDE, however, stores further elements in the PSE. These elements are, therefore, stored externally in a file – the so-called software extension of a smartcard PSE. This, of course, puts limits on the interchangeability of workplaces when using a smartcard.

The size of a certificate is determined in part by the length of the key and the Distinguished Names of the owner and issuer. With a key length of 1024 bits and a DN of 70 characters the resultant PSE has a total size of approx. 1.5 Kbyte.

A smartcard PSE cannot be copied. From the security point of view this is an advantage; on the other hand it can lead to problems when a card is lost. A new PSE with a new key pair and a new certificate must then be created.

Decisive for the choice between file and smartcard PSEs will be the individual evaluation of the pros and cons.

The CA PSE based on the RACAL Cryptoboard?

Besides storing the PSE as a file or on a smartcard, CA MANAGEMENT also offers a third possibility. The CA can be created based on a cryptoboard. This version of SECUDE CA MANAGEMENT has integrated the RACAL cryptoboard RG700.

The use of the cryptoboard offers a CA the following two advantages:

When the CA creates user PSEs (see Chapter 1.3 Issue Certificates for Users), it needs good random numbers for the generation of the keys. A good random number generator is integrated in the cryptoboard and this is used by secude.dll when the cryptoboard is properly installed.

The second advantage is the secure storage of the CA's private key. This is generated on the cryptoboard, from where it cannot be read. When data requires signing with the private key, the data are sent to the cryptoboard, which carries out the signature.

The cryptoboard has various physical security features built in, so that the usual attacks on hardware components such as radioactive radiation, changing the input current or exposing the chip to electron microscope examination do not lead to the discovery of the private key. On the contrary, the chip self-destroys when the cryptoboard is opened.

For more information on the cryptoboard please contact SECUDE GmbH.


Certification Structure

Before creating the root authority the structure of the certification process should have been planned. Is the root authority to certify all users (flat, simple structure) or is a hierarchic structure with several certification centers planned? With a hierarchic structure it is possible, for example, to have the users certified by different authorities according to the work they are doing. When a company has branches in different locations, it would be possible to have one certification authority per branch.

In a hierarchic structure the root authority certifies CAs which then certify the users. The hierarchy can be organised on several levels, according to local requirements (see Chapter 3.3 Create a Subordinate CA).

3.2 Create a Root Authority

A root authority is the top level certification authority and can only be created by CA MANAGEMENT when logged off (no CA-PSE opened). Additionally, a directory must be selected in which there is no CA-PSE.

Create CA-PSE

A CA-PSE can be created either with the menu item File/Create root CA or with the button Log On... and the button Create....

This calls the PSE Wizard. Here all parameters needed for the creation of the CA-PSE can be set. The parameters are valid for the whole life of the CA, which means that once the CA is created no changes can be made to the settings. It is therefore advisable to give the settings a great deal of forethought.

While the parameters are being entered it is still possible to make changes. For this purpose each of the dialog boxes of the PSE Wizard described below is provided with three buttons. With the button Back the previous mask can be returned to (perhaps to look something up or to make a change), with Next the next dialog box is reached, and with Cancel the procedure can be cancelled.

A choice between a smartcard PSE, a file PSE on the hard disk or a PSE stored on a RACAL cryptoboard can be made. Pros and cons of the three versions can be found in Chapter 1.2 Personal Security Environment (PSE) and in Chapter 3.1 Basic Information on the Organisation of a Security Infrastructure.

The following chapter describes the creation of a PSE as a file. It should be read even if a smartcard PSE is to be created, since Chapter 3.2.2 Creating a Smartcard CA-PSE only deals with the differences that occur when creating PSEs on smartcards.

3.2.1 Create a CA-PSE as a File

The first PSE Wizard dialog box requests the type of CA-PSE.

Type of PSE

Figure 17: PSE-Wizard – Type of PSE

When a file PSE is to be created, File is chosen.

Distinguished Name

Figure 18: PSE-Wizard – Distinguished Name

A Distinguished Name is entered here. This DN identifies the CA unambiguously. It is also called the Distinguished Name of the Owner and appears in every certificate issued by the CA. The structure of the Distinguished Name can be seen in Chapter 1.5 Distinguished Names. Special care must be taken when entering the Distinguished Name. All characters from which the Distinguished Name is made up, such as blanks, commas, etc., are important for later operations.

Name of PSE

Figure 19: PSE-Wizard – Name of PSE

The complete data path, including the name under which the PSE is to be stored, is entered here. By clicking the drive button the required directory can be found in the dialog box Select PSE. If the directory selected does not yet exist, a query appears whether this directory is to be created. Each CA should be provided with its own directory. In the example it is the directory C:\Certification Authority, which also contains the file capse.cse. This file capse.cse (the suffix cse stands for CA Security Environment) contains all relevant information on and keys of the CA.

CA Data

Figure 20: PSE-Wizard – CA Data

In the field CA Directory the directory which has been entered in the dialog box PSE Name is shown again. All files concerning the CA are stored in this directory, especially the CA database. It should be noted that in a directory there may exist only one database per CA, as it might otherwise come to undesirable side effects. Serial Number is a number automatically and uniquely assigned to a certificate by the CA, with which the CA unambiguously identifies its own created certificates. This number should not be changed.

Version of Certificate

Figure 21: PSE-Wizard – Version of Certificate

The standard which the certificate is to meet is entered here. It is advisable to create an X.509v3 certificate. Version X.509v1 is an older version from 1988 and is increasingly being replaced by version 3 from 1996. Version 3 contains several additional fields in which, among other things, alternative names for the DN can be entered.


Number of Key Pairs

Figure 22: PSE-Wizard – Number of Key Pairs

Here the entry is made whether the same key pair is to be used for signing and encrypting – then One pair of keys is to be entered – or whether separate pairs are to be used for signing and encrypting – then Two pairs of keys is to be entered. As the certificate of a CA is used mainly to sign and not for encryption, One pair of keys can be selected here.

Signature Certificate

Figure 23: PSE-Wizard – Signature

The algorithm and key length for the signature key are determined here. If One pair of keys was selected, the key pair is used for both signature and encryption. Hence the data in this dialog box are relevant for both tasks of the key pair that is to be generated.


The longer the key is, the better it is. SECUDE CA MANAGEMENT allows key lengths from 512 bits to 2048 bits. A key length of 1024 bits must be regarded as the minimum for a CA. The length of the key with which the CA signs the user certificates is defined here. The length of the key also depends on the validity period of the certificate and where it is to be used. In general it can be said that the longer the period during which the CA issues certificates with this key, the longer the key must be. With a key length of 1024 bits it is realistic to perform certification work securely for at least two to three years. If the key pair is to be used for five years or more, the key should be at least 1280 bits long.

If you have selected X.509v3-1996, you reach, using the button V3 Extensions, another wizard where the certificate extensions specified in the X.509v3 standard (see [X.509 v3] Chapter 12.4.2, Certificate extension fields) can be entered. Additionally the V3 Extensions wizard allows the entry of Netscape specified certificate extensions (see also [Netscape Certificates]).

Encryption Certificate

This dialog box appears only when Two pairs of keys has been selected. The algorithm and key length for the encryption certificate are determined here. Entries are similar to those made in the signature dialog box.

Validity Period

Figure 24: PSE-Wizard – Validity Period

In the fields Valid from and Valid until the period is entered in which the CA's certificate is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations are as follows:

Abbreviation   Meaning
MM             Month, range 1 .. 12
DD             Day, range 1 .. 31
YY             Year, range 80 .. 38 (i.e. 1980 – 2038)
hh             Hour, range 0 .. 24
mm             Minute, range 0 .. 59
ss             Second, range 0 .. 59

Table 2: Format of the Validity Fields

The validity period of user certificates issued should lie within the validity period of the issuing CA.
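As an added illustration (not part of the manual or of SECUDE's software), the following Python sketch parses Valid from / Valid until entries in the MM.DD.YY hh:mm:ss form of Table 2, including the 80 .. 38 two-digit-year window, and reports when a user certificate's period does not lie within the issuing CA's. All dates in it are constructed sample values.

```python
from datetime import datetime
from typing import List


def expand_year(yy: int) -> int:
    """Two-digit year window from Table 2: 80..99 -> 1980..1999, 00..38 -> 2000..2038."""
    if 80 <= yy <= 99:
        return 1900 + yy
    if 0 <= yy <= 38:
        return 2000 + yy
    raise ValueError(f"year {yy:02d} lies outside the permitted range 80 .. 38")


def parse_validity(date_str: str, time_str: str = "00:00:00") -> datetime:
    """Parse a Valid from / Valid until entry written as MM.DD.YY and hh:mm:ss."""
    try:
        mm, dd, yy = (int(p) for p in date_str.split("."))
        hh, mi, ss = (int(p) for p in time_str.split(":"))
    except ValueError as exc:
        raise ValueError(f"malformed validity entry {date_str!r} {time_str!r}") from exc
    if not 1 <= mm <= 12:
        raise ValueError(f"month {mm} outside 1 .. 12")
    if not 1 <= dd <= 31:
        raise ValueError(f"day {dd} outside 1 .. 31")
    # Table 2 lists hours 0 .. 24; datetime only represents 0 .. 23, so 24 is rejected here.
    if not (0 <= hh <= 23 and 0 <= mi <= 59 and 0 <= ss <= 59):
        raise ValueError(f"time {time_str!r} outside hh 0 .. 23, mm/ss 0 .. 59")
    # datetime() itself rejects impossible calendar dates such as 02.30.99.
    return datetime(expand_year(yy), mm, dd, hh, mi, ss)


def validity_problems(user_from: datetime, user_until: datetime,
                      ca_from: datetime, ca_until: datetime) -> List[str]:
    """Return every way the user period fails to lie within the CA period (empty list = fine)."""
    problems = []
    if user_until <= user_from:
        problems.append("Valid until is not after Valid from")
    if user_from < ca_from:
        problems.append("user certificate becomes valid before the CA certificate")
    if user_until > ca_until:
        problems.append("user certificate outlives the CA certificate")
    return problems


def check_user_against_ca(user_from: str, user_until: str,
                          ca_from: str, ca_until: str) -> List[str]:
    """Convenience wrapper taking 'MM.DD.YY hh:mm:ss' strings as typed into the wizard."""
    def parse(entry: str) -> datetime:
        date_str, _, time_str = entry.partition(" ")
        return parse_validity(date_str, time_str or "00:00:00")
    return validity_problems(parse(user_from), parse(user_until),
                             parse(ca_from), parse(ca_until))


if __name__ == "__main__":
    # Constructed sample values: a CA valid for five years and two user certificates.
    ca = ("01.15.99 00:00:00", "01.15.04 23:59:59")
    for user in (("03.01.99 00:00:00", "03.01.00 23:59:59"),
                 ("06.01.03 00:00:00", "06.01.04 23:59:59")):
        print(user, check_user_against_ca(*user, *ca) or ["ok"])
```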

Sign Own Prototype Certificate

Figure 25: PSE-Wizard – Sign Own Prototype Certificate

The algorithm with which the prototype certificate is signed is chosen here. It is advisable not to change the setting.

Certificates are designated as prototype certificates when they are self-signed. As a root certificate is the highest certificate in the hierarchy, it cannot be signed by any other superordinate certificate.


Password

Figure 26: PSE-Wizard – Password

The password which will be used in future for log-on is entered here. The PSE file and the CA database are encrypted with the password. In this way no unauthorized person can gain access to the private key of the CA or the database.

Information on passwords can be found in Chapter 1.6 Passwords.

Log-on Profiles

Figure 27: PSE-Wizard – Log-on Profiles

You enter here a symbolic name with which you can later identify this PSE when logging on.


[Chart belonging to Figure 29: Creation time of one PSE (sec) plotted against key length (bit) for 768, 896, 1024, 1280, 1536, 1792 and 2048 bits; series AMD K6 2, 300 MHz and RACAL RG 700]

Settings – Overview

Figure 28: PSE-Wizard – Settings – Overview

An overview of the settings that have been made is given. If you wish to make any changes to them this can still be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE.

Then the key generation, the creation of the certificates and of the whole PSE begins. This process takes – depending on the length of the key and the speed of the computer – several seconds to several minutes.

The following figure gives an overview of how long it takes to create a file PSE, depending on the selected key length. The times were taken, on the one hand, on a PC with an AMD K6 2, 300 MHz processor, and on the other, with the key generation taking place in the RACAL cryptoboard.

Figure 29: Time Comparison (1)


The increase in computing time for longer keys is not linear. In general a longer key means that the time taken for the generation increases over-proportionately to the length of the key. The processor speed has no influence on this general behaviour.

The generation process is shown step by step. CA MANAGEMENT confirms its completion. This window can be closed by clicking OK.

After creating the CA-PSE all data should be checked again. If an error has slipped in and not been discovered before creating the CA-PSE, CA MANAGEMENT should be closed and the files created in the selected CA Directory deleted. Delete also, using the menu option Tools/Log-on profiles..., the relevant log-on profiles. After this the CA can be re-created with the correct settings. Only after all data has been checked for correctness can the certification of users be started.

If certificates have already been issued with the CA-PSE, this PSE must not be deleted.

It is advisable, before starting to create user PSEs, to enter the general settings in the dialog box Options (see Chapter 4 Options).

3.2.2 Creating a Smartcard CA-PSE

Creating a PSE on a smartcard is, apart from a few settings, identical to creating a software PSE. For this reason only the differences will be treated in detail in the following description.

Before creating a smartcard CA-PSE it is important to configure the smartcard terminal under the menu option Configure smartcard/terminal… (see Section 5.3.6 Smartcard).

Type of PSE

When a smartcard PSE is to be created, select Smartcard.

Distinguished Name

The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.


Smartcard

Figure 30: PSE-Wizard – Smartcard

As a smartcard does not have very much memory, it is necessary for large elements to have an extension of the PSE in the form of an external file.

For this so-called software extension of the PSE the file must be established. By clicking the drive button in the dialog box Select PSE you can navigate to the required directory.

When this dialog box is left by clicking on Next, a check is made whether an empty smartcard has been inserted in the smartcard terminal.

CA Data

Enter the directory for the CA database and the first serial number for user certificates.

Version of the Certificate

The standard which the certificate is to meet is entered here.

Number of Key Pairs

Here the entry is made whether the same key pair is to be used for signing and encrypting (One pair of keys) or whether separate pairs are to be used (Two pairs of keys).

Signature Certificate

Algorithm and key length of the certificate signature.

Encryption Certificate

If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.


Validity Period

In the fields Valid from and Valid until the period is entered in which the PSE is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations used can be found in Table 2: Format of the Validity Fields.

Sign Own Prototype Certificate

The algorithm with which the root certificate is signed is chosen here. It is advisable not to change the setting.

Password

The password for future log-ons is entered here. This password protects the smartcard from access by unauthorized parties. Information on passwords can be found in Chapter 1.6 Passwords.

Password Unblocking Key – PUK

Figure 31: PSE-Wizard – Password Unblocking Key – PUK

With the PUK a card which has been blocked because of too many false password entries can be unblocked. As it is not displayed when typed, it must be entered twice to ensure its correctness.

With the Error Limit the number of password tries is set after which the card is blocked. Which values are permitted depends on the type of card used. When exiting the dialog box, however, the number entered is checked for correctness.

Note: There also exists an error counter for the PUK – it is fixed, its value is 3.


Take good note of your PUK. It allows you access to your smartcard when this is blocked after too many false entries of the password.

Log-on Profiles

You enter here a symbolic name with which you can later identify this PSE when logging on.

Settings – Overview

An overview of the settings that have been made is given. If changes are required, this can be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE.

Then the key generation for the PSE begins. The time taken to generate the key depends on its length. Older cards support a mere 512 bits (e.g. the TCOS 1.2 card), the newer ones (e.g. the TCOS 2.0 card) 1024 bits. The process can be followed in the window. After it is completed a confirmation comes from CA MANAGEMENT. This window can be closed by clicking OK.

3.2.3 Create a Cryptoboard based CA-PSE

Creating a CA-PSE on a RACAL cryptoboard is essentially identical to creating one on a smartcard. As only the private key of the CA is stored on the cryptoboard, a software extension, analogous to that of a smartcard, is necessary.

To create a CA-PSE based on a RACAL cryptoboard it is important that the cryptoboard is installed and configured in your PC according to the manufacturer's instructions. Additionally the two SECUDE libraries ‘pcsm.dll’ and ‘pcsmgen.dll’ must be present in the installation directory. Normally these two libraries are installed automatically with SECUDE CA MANAGEMENT.

Type of PSE

If you want to create a cryptoboard based CA-PSE, select here RACAL RG 700.

Distinguished Name

The Distinguished Name of the CA is entered here. For the structure of a Distinguished Name see Chapter 1.5 Distinguished Names.


RACAL RG 700

Figure 32: PSE-Wizard – RACAL RG 700

Only the private key is stored in the RACAL cryptoboard; all other elements are stored in a file PSE. The file PSE has a reference to the relevant private key in the RACAL cryptoboard.

For this so-called software extension of the PSE the file must be established. By clicking the drive button in the dialog box Select PSE you can navigate to the required directory.

CA Data

Enter the directory for the CA database and the first serial number for user certificates.

Version of the Certificate

The standard which the certificate is to meet is entered here.

Number of Key Pairs

Here the entry is made whether the same key pair is to be used for signing and encrypting (One pair of keys) or whether separate pairs are to be used (Two pairs of keys).

Signature Certificate

Algorithm and key length of the signature certificate.

Encryption Certificate

If you have selected Two pairs of keys, you determine here the algorithm and key length for the encryption certificate.


Validity Period

In the fields Valid from and Valid until the period is entered in which the PSE is valid. The format for validity is determined by the Windows system settings. The standard format is MM.DD.YY (date) and hh:mm:ss (time). The abbreviations used can be found in Table 2: Format of the Validity Fields.

Sign Own Prototype Certificate

The algorithm with which the root certificate is signed is chosen here. It is advisable not to change the setting.

Password

The password for future log-ons is entered here. This password protects the smartcard from unauthorized access. Information on passwords can be found in Chapter 1.6 Passwords.

Log-on Profiles

You enter here a symbolic name with which you can later identify this PSE when logging on.

Settings – Overview

An overview of the settings that have been made is given. If changes are required, this can be done by clicking Back to the appropriate dialog box. When all parameters are in order the button Finish is clicked to create the PSE.

Then the key generation for the PSE begins. The time taken to generate the key depends on its length.

3.3 Create a Subordinate CA

A flat certification structure (i.e. one CA certifies all users) is not always appropriate. For such cases SECUDE CA MANAGEMENT offers the possibility of creating subordinate CAs.

A subordinate CA can only be created after logging on as a CA-PSE. The subordinate CA is certified by the CA-PSE which is currently logged on. The dialog box Create CA-PSE is found under the menu item File/Create subordinate CA... .

The dialog box, i.e. the parameters, to create a subordinate CA is analogous to the one in Chapter 3.2 Create a Root Authority. Please refer to this chapter if you want to create a subordinate CA. The only difference is that the issued CA does not certify itself (prototype certificate or root certificate), but that the certificate of the logged on CA-PSE is used.


Figure 33: PSE-Wizard – Issue PSE

Here you select the appropriate issuer algorithm for the logged on CA-PSE.

When all settings have been made the OK button is clicked. Depending on the length of the key the creation of the subordinate CA-PSE may take a few minutes.

After the CA-PSE has been created, it can be selected via the Log On dialog box in the same way as the root authority CA. Moving between various CAs can be done by logging on and off.


4 Options

With the menu item Tools/Options the Options dialog box can be opened. The options that can be set here concern the presettings for the creation of PSEs and general settings for CA MANAGEMENT. It is advisable to make these settings as early as possible.

The dialog box Options is made up of a number of areas that are arranged as index cards. The settings under Program Settings, Secude, X.500 and Warning Times are common to all certification authorities operated by one user. The settings under Issuer, PSE Options and Sphinx Pilot [Sphinx] can be set individually for each certification authority and are therefore only shown when you are logged on to a CA-PSE.

Button Apply

When a change has been made in the Options dialog box, the change is saved by clicking the button Apply. When OK is clicked the change is executed and the Options dialog box is closed. With the button Cancel the change is rejected and the Options dialog box closed. The change can, of course, only be rejected if it has not previously been saved with Apply.

4.1 User-specific Settings

4.1.1 Program Options

With Program Options the following options can be set:


Figure 34: Options – Program Options

General Options

With the field Verbose Level the degree of detail of error messages is controlled. A 0 means a short text, a 3 causes the most detailed explanation to be shown.

If problems occur in the execution of the program it is advisable to set the more detailed Verbose Level and then to re-run the function that has caused the error. The complete error message should be sent by e-mail to [email protected] or by ordinary mail to SECUDE GmbH.

Import SAP Report

In the Import SAP-Report area the configuration can be made whether CA MANAGEMENT tests for duplicate names while importing the SAP report RSUSR402. With a tick in the check box No Duplicate User Names the function is activated.

If, e.g., a user Miller already exists, CA MANAGEMENT ignores all users with this name when importing the SAP report. The crucial point is the user name entered in the field User in the user administration of SAP R/3.

If the option Random Password has been selected, the user entries imported get the attribute Random Password, and when the PSE is created, a random password is generated. When this option is not selected the Username from the SAP report is automatically taken as a password.

The option User Distinguished Name Scheme determines how the data from the SAP report or the Distinguished Name of the CA is organized to create the Distinguished Names of the users. If, for example, the CA has the Distinguished Name "O=SECUDE GmbH, C=DE" and the user the SAP user name "SMITH001", the setting "<SAPUsername>, <IssuerDName>" results in the following Distinguished Name of the user:

CN=SMITH001, O=SECUDE GmbH, C=DE

Create PSE

When the option Add List of Public Keys is set, a file can be selected from the field below which contains a list of certificates, or rather the public keys (for example, in PEM format) included in them. With the drive button in the file dialog box a file can easily be selected.

The list entered here is included as a further element in the PSE when PSEs are later created. This option is advisable when, for example, all users of one's own CA should trust an outside CA. By storing the outside CA's certificate in a user PSE, the former is considered trustworthy.

4.1.2 SECUDE

Presettings for the SECUDE security library are made here for CA MANAGEMENT. Their purpose is to define the parameters of the checks carried out on digital signatures.

Figure 35: Options – SECUDE

Trust your own Forward Certification Path

A CA-PSE can be embedded in a hierarchic certification structure (it is then called a subordinate CA). The path between the root authority and the CA-PSE is called the certification path. This path is checked when logging on or as soon as the button for checking the CA-PSE is clicked. The longer the path, the longer the check takes.

By selecting this option the check is deactivated.


Verification includes Validity Verification

Checking the validity period of certificates is activated or deactivated here.

Verify Certificates against Revocation List

When a CA wishes to revoke a certificate, the latter is entered into a revocation list (see Chapter 5.3.3 CA-PSE under item Add Revocation List). A certificate posted in this list has thus become invalid. The CA is obliged to distribute the list to all its participants.

When a certificate is to be verified in the course of checking a signature, this option controls whether the revocation list is consulted to check its validity.

SECUDE uses different methods to make the consultation of valid revocation lists possible:

The first possibility is to include the revocation list as an element in your own PSE;

If the check is to be made on an X.509v3 certificate, this may contain as an extension a URL, through which a search for revocation lists can be made;

The third possibility is that access to an LDAP directory has been configured in CA MANAGEMENT. In this case a search for a valid revocation list is made in the directory.

When no valid revocation list of the certificate issuer can be found, the verification fails.
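The three lookup sources and the fail-closed rule above, as an added Python example that is not SECUDE's code: the PSE element, the URL from the v3 extension and the LDAP directory are simulated with in-memory data, and the issuer name, URL, dates and serial numbers are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class RevocationList:
    issuer: str                 # Distinguished Name of the CA that issued the list
    this_update: datetime
    next_update: datetime       # the list's own validity end (30 days by default, see 4.2.1)
    revoked_serials: FrozenSet[int]

    def is_valid_at(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    crl_url: Optional[str] = None   # URL carried in an X.509v3 extension, absent for v1


class RevocationChecker:
    """Looks for a valid revocation list in the three places the manual names, in that order."""

    def __init__(self, pse_lists: List[RevocationList],
                 url_lists: Dict[str, RevocationList],
                 ldap_lists: Dict[str, RevocationList],
                 now: datetime):
        self.pse_lists = pse_lists      # 1: lists stored as elements of the own PSE
        self.url_lists = url_lists      # 2: what fetching the extension URL would return
        self.ldap_lists = ldap_lists    # 3: lists published in the LDAP directory, keyed by issuer DN
        self.now = now

    def _candidates(self, cert: Certificate) -> Iterator[Tuple[str, RevocationList]]:
        for crl in self.pse_lists:
            yield "PSE", crl
        if cert.crl_url and cert.crl_url in self.url_lists:
            yield "URL", self.url_lists[cert.crl_url]
        if cert.issuer in self.ldap_lists:
            yield "LDAP", self.ldap_lists[cert.issuer]

    def find_valid_list(self, cert: Certificate) -> Optional[Tuple[str, RevocationList]]:
        for source, crl in self._candidates(cert):
            # A list only counts if it comes from this certificate's issuer and is itself still valid.
            if crl.issuer == cert.issuer and crl.is_valid_at(self.now):
                return source, crl
        return None

    def verify(self, cert: Certificate) -> Tuple[bool, str]:
        found = self.find_valid_list(cert)
        if found is None:
            # Fail closed: without a valid list of the issuer the verification fails.
            return False, "no valid revocation list of the issuer found"
        source, crl = found
        if cert.serial in crl.revoked_serials:
            return False, f"certificate revoked according to {source} list"
        return True, f"not revoked according to {source} list"


def sample_scenario() -> Tuple[RevocationChecker, Dict[str, Certificate]]:
    """Constructed sample data: a stale list in the PSE, a fresh one reachable via the URL."""
    issuer = "O=SECUDE GmbH, C=DE"
    now = datetime(1999, 4, 1)
    stale = RevocationList(issuer, datetime(1999, 1, 1), datetime(1999, 1, 31), frozenset({17, 23}))
    fresh = RevocationList(issuer, datetime(1999, 3, 20),
                           datetime(1999, 3, 20) + timedelta(days=30), frozenset({17}))
    url = "http://crl.example.invalid/secude.crl"
    checker = RevocationChecker(pse_lists=[stale], url_lists={url: fresh}, ldap_lists={}, now=now)
    certs = {
        "good": Certificate(issuer, 42, crl_url=url),
        "revoked": Certificate(issuer, 17, crl_url=url),
        "no_source": Certificate(issuer, 23),   # v1 certificate: no URL, nothing in LDAP
    }
    return checker, certs


if __name__ == "__main__":
    checker, certs = sample_scenario()
    for name, cert in certs.items():
        print(name, checker.verify(cert))
```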

Verify your own Certificate when Signing

Before generating a signature a check is made whether the certificate of the CA-PSE is still valid.

Use aliases

For the resolution or finding of certificates related to Distinguished Names the alias list is accessed.

Verify according to "PEM subordination rule"

The PEM subordination rule is defined in RFC 1422 ([RFC 1422], Chapter 3.4.2.2 Ensuring the Uniqueness of Distinguished Names). The rule ensures that the name of the issuer is a component of the name of the person being certified.

ETC Directory

In the etc-directory you can store, for example, the smartcard configuration file. The setting depends on the PC and caution should be exercised when changing it.


4.1.3 X.500

With this index card the access to a directory service is determined. If, for example, when checking a certificate, one certificate out of the certification path is missing in the PSE, the automatic search for the missing certificate can be activated with this option. SECUDE supports two directory services: X.500 based on an LDAP server and AFDB (abbreviation for Authentication Framework Data Base; a SECUDE-developed substitute for an X.500 Directory). When both services are selected, AFDB has the higher priority when reading. If access to LDAP is also required, the appropriate entries (ask your LDAP administrator for them) must be made in the fields Server, Port and Tailor. An entry in the field Library is only necessary when access to a library other than the standard library installed with SECUDE CA MANAGEMENT is required. With the button Test LDAP-LIB a check can be made whether the selected library exists. Your LDAP administrator will be able to inform you of the X.500 password.

Figure 36: Options – X.500

4.1.4 Warning Periods

You can specify with this index card how much warning the program gives you before an event occurs.


Figure 37: Options – Warning Periods

CA-PSE Warning Period in Days

The area CA-PSE Warning Period in days refers to the progress of the validity period of elements of the CA-PSE. When the program is started the PSE elements Certificate, Certification Path, Root Certificate and Revocation List (if existent) are checked for correctness and validity. When the remaining period of validity lies within the warning period the appropriate message is shown.

When the CA certificate or that of a higher CA expires, all users of the CA must be informed and the elements updated.

User Certificate Warning Period in Days

In the field User Certificate Warning Period in Days you specify how many days prior to a user certificate's expiry you should receive a warning message. The user might need a new certificate then. When the event occurs the corresponding symbol in the user list changes its appearance: the user entry is marked with a red exclamation mark (see 6.1.1 User List).

4.2 CA-specific Options

4.2.1 Issuer

Issuer Options

In the area Issuer the issuer algorithm and the period of validity for certificates and revocation lists are entered. The presetting here is 365 days, i.e. one year, and for revocation lists 30 days. By entering the period of validity in days it is possible to issue certificates for very short as well as long periods. The values set here are proposed as default values when signing, but can be changed.

Figure 38: Options – Issuer

Revocation List Directory

This is the default directory where revocation lists issued by the CA are stored. More information on the creation and distribution of revocation lists can be found in Chapter 7 Revocation List Management.

Store PSEs and Certificates in Database

When this option is selected, on creation of a file PSE for a user the complete PSE is saved in a database. Should the user lose his PSE, this backup can be handed over to him. This option is not provided for smartcard PSEs as the private key must not leave the smartcard.

4.2.2 PSE Options

The index card PSE Options shows options which are used as the basis for the creation of user PSEs. The index card is divided into the areas Owner Options, Password Options and PUK Options.


Figure 39: Options – PSE Options

PSE Directory

Here the directory is entered in which the users' PSEs created by CA MANAGEMENT are stored. With the button a dialog box is opened to select a directory. The directory is selected by a mouse click. If a directory is entered that does not yet exist, it is created.

Owner Options

In the area Owner Options the type of PSE can be set, either a PSE with one key pair or a PSE with two key pairs. This refers to the number of asymmetric key pairs to be created, and their functions. When a PSE is created with a single key pair this is used for both signature and encryption. With two key pairs each function has its own key pair. The value which is entered in the field Key length depends on the validity period given to the certificate. For certificates with a validity period of two to three years a 1024 bit key length is sufficient.

Password Options

In the area Password Options either a standard initial password can be entered or the generation of a password can be left to the program. If the check box is not ticked and the second field remains empty, this option has to be set or a password entered every time a PSE is created. That means every time a PSE is created it must be decided how the password is generated.


PUK Options

The area PUK Options is important when creating smartcard PSEs. The PUK is used to unblock a smartcard after too many retries have been made. For the PUK the same applies as for Password Options.

4.2.3 User Options

Here you can specify the defaults for the user form.

Figure 40: Options – User Form

Default User Distinguished Name

This determines how the Distinguished Name for the corresponding certificate is formed from the entries under User Data in the User Form. If e.g. in the user form the mail address [email protected] is entered, the setting <Mail Address> produces the default Distinguished Name [email protected] for that user.

Distinguished Name is Prefix

If this checkbox is ticked, the issuing CA's Distinguished Name is added to the user's Distinguished Name.

Thus it is possible to use the Distinguished Name for illustrating the certification hierarchy.
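An added Python example (not SECUDE's own code) for the Distinguished Name handling described here, in 4.1.1 Import SAP Report and in 4.1.2 under the PEM subordination rule: it expands a User Distinguished Name Scheme such as "<SAPUsername>, <IssuerDName>", applies the Distinguished Name is Prefix option, and checks whether a resulting name satisfies the PEM subordination rule. It assumes that every user-data placeholder becomes a CN attribute, which the manual does not state, and the mail address and DN values are constructed.

```python
from typing import Dict, List, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("CN", "SMITH001")


def parse_dn(dn: str) -> List[RDN]:
    """Split 'CN=SMITH001, O=SECUDE GmbH, C=DE' into RDNs, most specific first as the manual writes them.

    Values containing commas are not escaped in this sketch, so they would split incorrectly.
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    return ", ".join(f"{attr}={value}" for attr, value in rdns)


def build_user_dn(scheme: str, user_data: Dict[str, str], issuer_dn: str,
                  dn_is_prefix: bool = False) -> str:
    """Expand a scheme such as '<SAPUsername>, <IssuerDName>' or '<Mail Address>'.

    Assumption (not stated by the manual): each <field> placeholder other than
    <IssuerDName> becomes a CN attribute holding that user-data field.
    """
    rdns: List[RDN] = []
    for token in (t.strip() for t in scheme.split(",")):
        if not token:
            continue
        if token == "<IssuerDName>":
            rdns.extend(parse_dn(issuer_dn))
        elif token.startswith("<") and token.endswith(">"):
            field = token[1:-1]
            if not user_data.get(field):
                raise ValueError(f"user data has no value for {token}")
            rdns.append(("CN", user_data[field]))
        else:
            rdns.extend(parse_dn(token))      # a literal RDN written into the scheme, e.g. OU=Staff
    if dn_is_prefix:
        # 'Distinguished Name is Prefix': append the issuing CA's DN unless the scheme already did.
        issuer = parse_dn(issuer_dn)
        if rdns[-len(issuer):] != issuer:
            rdns.extend(issuer)
    return format_dn(rdns)


def pem_subordinate(subject_dn: str, issuer_dn: str) -> bool:
    """PEM subordination rule (RFC 1422, 3.4.2.2): the issuer's name is a component of the subject's.

    In the most-specific-first notation used here that means the issuer's RDN sequence is a
    proper suffix of the subject's RDN sequence; an identical name is not subordinate.
    """
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    return len(subject) > len(issuer) and subject[-len(issuer):] == issuer


if __name__ == "__main__":
    # Constructed sample values (the manual's example issuer, a constructed mail address).
    issuer = "O=SECUDE GmbH, C=DE"
    sap_dn = build_user_dn("<SAPUsername>, <IssuerDName>", {"SAPUsername": "SMITH001"}, issuer)
    mail_dn = build_user_dn("<Mail Address>", {"Mail Address": "jbond007@example.invalid"}, issuer)
    for dn in (sap_dn, mail_dn):
        print(dn, "subordinate to issuer:", pem_subordinate(dn, issuer))
```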

Default PSE Name

This determines how the PSE name for the corresponding PSE is formed from the entries under User Data in the User Form. If e.g. in the user form the identification (Id) jbond007 is entered, the setting <Id> produces the following default PSE name for the corresponding user: jbond007.pse.

4.2.4 Sphinx Pilot

These options have been introduced in connection with SECUDE GmbH's participation in the Sphinx project of the German Federal Office for Security Technology (see [Sphinx]). Before drawing up a revocation list a special format can be determined with this option so that the list is compatible with those of other participants in the Sphinx project.

This option should not be set in any other case.

Figure 41: Options – Sphinx Pilot


5 Management of the CA

The program can be started from the icon on the left. In the Windows start menu the entry can be found under:

\Program Files\SECUDE\CA Management

After the program has been loaded the dialog box for log-on appears. If SECUDE CA MANAGEMENT is being started for the first time, no CA-PSE is present with which log-on can be started. Chapter 3 Organisation of a Security Infrastructure describes how a new CA-PSE is created.

If a CA-PSE has already been created, the symbolic name that you have given to address your CA-PSE is entered in the text bar Log-on Profiles of the Log-on dialog box (see Figure 27: PSE-Wizard – Log-on Profiles). The password is then entered in the text bar Password and OK is clicked.

With the button you reach the dialog box Log-on Profiles (see Chapter 5.3.5.3 Extras / Log-on Profiles…).

5.1 CA MANAGEMENT Overview

The main window of CA MANAGEMENT displays some important items of information after log-on. The status bar at the bottom of the screen shows Ready, i.e. the program is ready for input. The Distinguished Name of the certification authority currently logged on also appears.


Figure 42: Empty User List

The two buttons on the left of the tool bar allow a fast log-on or log-off. Log-on and -off can also be made via the menu item File. Via the drop-down menu View the tool bar and status bar can be hidden or displayed.

Figure 43: Tool Bar Hidden

CA MANAGEMENT is designed according to the Windows Style Guide and can be operated accordingly.

5.2 The Tool Bar

The tool bar consists of eight buttons. All buttons that are not greyed out are active, i.e. by clicking a button an action in the program is launched. The greyed out buttons do not become active until certain actions have been taken. For example the button to change the password is not activated until after log-on.

Figure 44: Tool Bar Active

By clicking the left mouse button on the side of the tool bar and holding, the bar can be dragged to another position in the main window, e.g. to the left side. It is also possible to drop it outside the main window.


Button Function (the button icons of the original table are not reproduced here)

Log on to your CA-PSE. The Log-on dialog box is opened. Only active when logged off.

Log off from the active CA-PSE. Only active when logged on.

Edit or create a User entry. The User form is opened. Only active when logged on.

Create a list of user PSEs. The PSE Creation dialog box is opened. Only active when entries in the user list have been selected.

Change the CA-PSE Password. The Change Password dialog box is opened. Only active when logged on.

Verification of the CA-PSE. Only active when logged on.

Display Signature certificate. The Display Certificate dialog box is opened. Only active when logged on.

View all elements stored in the CA-PSE such as revocation lists, root certificate, own certificates, etc. The PSE Contents dialog box is opened. Only active when logged on.

Table 3: Toolbar

5.3 The Menu Bar

This chapter explains the functions which can be carried out via the menu. All CA MANAGEMENT functions, including those from the tool bar, can be started from the menu.

Figure 45: Menu Bar

The menu consists of the standard components File, View, Tool, Window,and ? (for Help), and of CA MANAGEMENT-specific parts such as PSE,User, and Smartcard.


A menu item can be opened by a left mouse click or with the key combination Alt and the underlined letter in the menu item, e.g. the letter F in File.

In the Status Bar of CA MANAGEMENT a short explanatory text for each menu item is displayed. For the menu item File/Log On the status bar (provided it is active) contains the explanatory text Log On as a CA.

5.3.1 FileThe menu File contains functions forlog-on and -off as a CA, for generating aCA-PSE, import functions for externaldata and for exiting CA MANAGEMENT,plus a list of the existing CAs.

5.3.1.1 File / Log On …

The menu item File/Log On is active only when not logged on. The dialog box Log On is opened. With this dialog box a CA-PSE can be chosen and the password entered. In this way the CA-PSE is opened and work with it can be started. Creation of a CA-PSE can be started too with the Log On dialog box.

Note: Function exists as a button.

5.3.1.2 File / Log Off

The menu item File/Log Off is active only when logged on. Use this menu item to close the CA-PSE, to log off. Log-off does not involve exiting the program.

Note: Function exists as a button.

5.3.1.3 File / Create CA …

The menu item File/Create CA is active when logged off. The dialog box for entering and generating a CA-PSE is opened with this menu item. For details see Chapter 3.2 Create a Root Authority.

5.3.1.4 File / Create Subordinate CA …

The menu item File/Create Subordinate CA… is active when logged on. The dialog box for entering and generating a subordinate CA is opened with this menu item. For details see Chapter 3.3 Create a Subordinate CA.


5.3.1.5 File / Import / SAP Report

The menu item for importing external data into an existing CA-PSE is active only when logged on. With this menu item, user data from SAP R/3 (from version 3.1G) can be imported. All data required for the creation of a PSE are transmitted from R/3 (see Chapter 8.1 Import of SAP R/3 User Data).

5.3.1.6 File / Import / SECUDE

The menu item for importing external data into an existing CA-PSE is active only when logged on. Existing CA-PSE data created with SECUDE command line tools can be imported with this menu item.

5.3.1.7 File / Recent Log List

When SECUDE CA MANAGEMENT is called up for the first time this line is empty. Later you can, with this menu item, circumvent the Log-on dialog box by logging on with a previously opened CA-PSE. You need only enter the password.

If you are already logged on with a CA-PSE, you are logged off from this without any check-back.

5.3.1.8 File / Quit

The program is exited immediately with this menu item. If logged on as a CA-PSE, this will be closed first and then the program exited.

5.3.2 View

The drop-down menu View consists of the menu items to show or hide the tool bar and the status bar. The revocation lists of the CA and the user list can be displayed.

5.3.2.1 View / Tool Bar or Status Bar

When the tool bar or the status bar is active the respective menu item is marked by a tick. When there is no tick the bar is hidden.

5.3.2.2 View / User List or Revocation List

With the menu item View/User List the user list of the CA is displayed. Information on the CA revocation lists can be found under the menu item View/Revocation List. The revocation lists can also be processed here.



This menu item allows switching between User List and Revocation List. To bring up the Revocation List choose the option View/Revocation List, to bring up the user list choose View/User List.

Note: Switching is also possible via the key combination <Ctrl+F6>.

The title bar of the program window of CA MANAGEMENT changes accordingly.

In the view Revocation List the displayed revocation list can be processed. For details see Chapter 7 Revocation List Management.

Figure 46: Revocation List

The view User List is treated in Chapter 6 Management of User Data.

5.3.3 CA-PSE

The menu CA-PSE displays information on the CA-PSE, and the PSE can be processed. Furthermore it is used to write requests for certification of prototype certificates and to add revocation lists into the CA-PSE.


5.3.3.1 CA-PSE / Show Signature Certificate …

With the menu item CA-PSE/Show Signature Certificate... the signature certificate can be displayed. The certificate information is shown clearly in it. In the index card Owner the most important certificate data can be found – the Distinguished Name of the CA (owner), the Distinguished Name of the issuing CA (issuer), the period of validity, the serial number and the version number. If the CA is a root authority, the Distinguished Names of owner and issuer are identical.

Figure 47: Signature Certificate – Owner

On the other index cards the remaining information on the certificate can be found.

Note: Function exists as a button.

The menu item is only active when logged on.

5.3.3.2 CA-PSE / Show Encryption Certificate …

If the PSE has two key pairs, the encryption certificate can be displayed with CA-PSE/Show Encryption Certificate... The encryption certificate window is structured analogously to the one for the signature certificate.

This menu item is only active when logged on and with a PSE with two key pairs. When the PSE has one key pair the menu item is grayed out.

5.3.3.3 CA-PSE / Write Certificate Request …

With this menu item a request for certification can be written to the superior CA. In the dialog box Write Certification Request the name of the file (including the path) is entered in which the request is to be saved. The superior CA should have access to this file. After asking the superior CA which formats it supports, you can determine in the field Type of File whether the file is to be saved in pem format or in PKCS#10 format [PKCS#10]. If the file has been stored on a server accessible for other people, the issuing CA should be asked for an unambiguous file name, so that no confusion can occur. The superior CA must now be informed where the request for certification is to be found or whether it will be sent by e-mail or by floppy disk.

Figure 48: Write Certification Request

The menu item is only active when logged on.

5.3.3.4 CA-PSE / Read Certificate Response

After the request for certification has been processed by the superior CA the signed certificate can be inserted into your PSE with the menu item CA-PSE/Read Certificate Response. In the dialog box that is then opened the appropriate directory and file are selected where the response is located. The two formats pem and PKCS#7 (see [PKCS#7]) are supported.

Figure 49: Read Certification Response

If you have selected a certification response in pem format, you get information on it in the window Process Certification Response. You can see whether the certification response fits your certificate, i.e. whether the response contains your public key.

In the following line you get information on the validity of the digital signature.

If you are being certified for the first time or if you have changed the CA, the certification response will contain a new root certificate not yet included in your PSE. It is therefore essential to check the checksum (fingerprint) of the root certificate's public key. Only in this way can you make certain that your certification response has been processed by the right CA.

The checksum (fingerprint) of the root certificate's public key should be published by the root authority – this can be done e.g. in a company publication or in the daily newspapers.

Checking the checksum (fingerprint) is an important measure. A potential attacker who tries to foist a false certificate (and thus his own public key) onto you can be identified by an incorrect checksum (fingerprint).

Only after the automatic verification of the certification response has turned out positive, should you insert it by clicking on the button Add.

Figure 50: Process Certificate Response

Besides Add the dialog box has two other buttons. Clicking on Message displays the pertaining (coded) PEM messages; Print... prints the contents of the window.

If the certification response is in PKCS#7 format, the dialog box contains essentially the same information. Only the button Message is omitted because the response is not an ASCII file.
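The fingerprint check described above, worked through in code. This is an example added for this edition, not SECUDE's code and not the routine CA MANAGEMENT itself runs: it takes a root certificate in pem format, walks the DER structure with a small parser to reach the SubjectPublicKeyInfo, hashes it and compares the result with the fingerprint the root authority published out of band. The hash algorithm (SHA-256), the colon-separated display format, the constructed sample certificate and all function names are this example's own assumptions; the manual does not state which checksum algorithm CA MANAGEMENT displays.

```python
import base64
import hashlib
import hmac
import re


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER tag-length-value (single-byte tags only)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_split(data: bytes) -> list:
    """Split DER content into its top-level (tag, value) pairs."""
    items, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
        items.append((tag, data[i + hdr:i + hdr + length]))
        i += hdr + length
    if i != len(data):
        raise ValueError("truncated DER data")
    return items


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    (tag, cert), = der_split(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    (_tbs_tag, tbs), _sig_alg, _sig = der_split(cert)
    fields = der_split(tbs)
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version shifts the rest
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_value = fields[5]
    return der_tlv(spki_tag, spki_value)


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def public_key_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo as colon-separated hex (assumed format)."""
    hexd = hashlib.sha256(subject_public_key_info(cert_der)).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def fingerprint_matches(cert_der: bytes, published: str) -> bool:
    """Compare the computed fingerprint with the one published out of band;
    separators and case are ignored, the comparison itself is constant-time."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(public_key_fingerprint(cert_der)), norm(published))


def build_sample_root_cert(serial: int = 1, key_bits: bytes = b"\x00" * 32) -> bytes:
    """Constructed certificate skeleton for this example: correct X.509 field
    layout, but dummy key bits and an empty signature (not a usable certificate)."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
           der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x13, b"Sample Root CA"))))
    validity = der_tlv(0x30, der_tlv(0x17, b"990101000000Z") + der_tlv(0x17, b"091231235959Z"))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bits))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))


def sample_pem(serial: int = 1, key_bits: bytes = b"\x00" * 32) -> str:
    body = base64.encodebytes(build_sample_root_cert(serial, key_bits)).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = pem_to_der(sample_pem())
    print("fingerprint:", public_key_fingerprint(der))
```

The fingerprint covers only the public key, so re-issuing the same key under a new serial number leaves it unchanged, while a substituted key changes every digit; that is why a value published in a company bulletin stays usable across renewals of the root certificate.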

5.3.3.5 CA-PSE / Update Revocation List …

If new revocation lists (from superior CAs) are to be inserted into the PSE, this is done by selecting in the menu CA-PSE the item Update Revocation List. This opens the dialog box PSE Revocation Lists, which displays the revocation lists in the PSE.


Figure 51: PSE Revocation Lists

To insert a new revocation list in the CA-PSE Insert from File is clicked and the file in which the new revocation list is located is selected from the window Read Revocation List from File. The administrator responsible for the revocation list will inform you which file it is.

Figure 52: Read Revocation List from File

It is also possible to request with Insert from Directory revocation lists from an LDAP/X.500 directory service. To do this the Distinguished Name of the CA from which the revocation list is requested must be entered into the dialog box.

After a revocation list has been selected the following dialog box appears. In this dialog box you can check the validity of the revocation list before actually inserting it. For this the button Verify is clicked.


Figure 53: Insert Revocation Lists in PSE

When the check is positive the revocation list can be inserted into the PSE by clicking the button Insert.

When revocation lists are used to verify a digital signature the check box "Verify Certificates against Revocation List" in the menu Tools/Options/SECUDE must be ticked. It must also be ensured that a valid revocation list from the superior CAs is available.

5.3.3.6 CA-PSE / Change Password

When creating the CA-PSE a password is established. This protects not only your CA-PSE, but also the CA database. For safety reasons it should be changed regularly. Should a third party come into possession of the password, he is able to work with the CA, whether legitimately or not.

Great care should be taken when choosing the password. For details see Chapter 1.6 Passwords.

With the menu item CA-PSE/Change Password the dialog box Change Password is opened. In this box first the current password of the opened CA-PSE is entered.

Figure 54: Change Password

The old password is requested so that no unauthorised person can change it in the owner's absence. The new password must be entered in the field New Password and repeated in Re-enter Password. When the CA-PSE is on a smartcard, the password length is restricted to eight characters. Otherwise it is restricted to 14 characters, as this is the maximum length for a Microsoft Access database. Then the OK button is clicked.


If the old password is entered incorrectly, the message on the left is shown.

If, when entering the new password, a typing error occurs in either of the fields, the message on the left appears. The OK button must be clicked and the entries retyped.

If no errors were made with either the old password or the entry and repetition of the new one the program changes the password of the PSE and confirms it with the message on the left.

Note: Function exists as a button.

5.3.3.7 CA-PSE / Verify…

A CA-PSE consists of a number of elements such as one's own certificates, root certificate, certification path, or revocation list. These elements are valid for a limited time and are subject to dependencies. With the menu item CA-PSE/Verify all necessary verification checks for the CA-PSE are made.

Figure 55: Verify PSE

The following checks are made: current validity of the CA certificate, certificate path, current validity of the root certificate, revocation list, and all signatures. CA MANAGEMENT automatically verifies the elements whenever the CA-PSE is opened. If a period of validity is about to expire, a warning is given. Warning periods are stipulated under Extras/Options/Warning Periods.

Note: Function exists as a button.

5.3.3.8 CA-PSE / Write Certification Path …

This menu item is used to make the certificate path of the CA available to other products (e.g. www-Server or Browser from Netscape or Microsoft). After clicking CA-PSE/Write Certification Path a dialog box appears in which the file name is entered under which the certificate path is to be saved, and the appropriate file format for the product is selected.

Figure 56: Save Certification Path

CA MANAGEMENT saves the certificates belonging to the certificate path each in its own file – which leads to a chain of related files, e.g. CApath.root.crt, CApath.path1.crt, ...., CApath.path5.crt. The last certificate in the chain is from one's own CA.

5.3.3.9 CA-PSE / Display Contents…

The PSE of a CA consists of several elements. All the elements are listed and displayed in the dialog box CA-PSE/Display Contents. The number of index cards varies according to the number of PSE elements included.

Note: Function exists as a button.

The information shown varies according to the element.

The display of a certificate contains the name of the issuer, the serial number, the period of validity, the checksum (fingerprint) of the public key, and data concerning the signature algorithm and the algorithm for which the key pair can be used. The key length is also shown.

Under Revocation List the revocation lists received from the superior CAs are listed.

Serial Number contains the serial number last issued by the CA.


Figure 57: PSE Contents

5.3.4 User

With the drop-down menu User the dialog box to enter and to change user data and to create PSEs is opened. Certificates in LDAP directories can also be made available and be deleted from them.

5.3.4.1 User / Create User Entry …

The menu item is active only when logged on. With User/Create User Entry the dialog box to enter and change user data is opened. This function is described in detail in Chapter 6 Management of User Data.

Note: Function exists as a button.

5.3.4.2 User / Create List of PSEs

The menu item is active only when logged on and when at least one user entry in the user list is selected.

The selection of a user is made with the left mouse button. Using the left mouse button together with the shift key a block of entries can be selected. Using the left mouse button together with the control key individual entries can be selected or deselected out of this block. By clicking User/Create List of PSEs the selected PSEs are immediately created. Entries can also be selected for which a PSE has already been created. These entries are ignored when new PSEs are created.

This function is described in detail in Chapter 6.3 Create User PSEs.

Note: Function exists as a button.

5.3.4.3 User / Write Certificates for LDAP …

The CA can put its certificates at the disposal of other users in an LDAP directory. To do this the certificates concerned are marked in the user list and the menu item User/Write Certificates for LDAP... clicked. This opens the window below:

Figure 58: Save LDIF File – Insert Certificates

The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.

5.3.4.4 User / Remove Certificates from LDAP …

Certificates can also be deleted from the LDAP directory. The certificates to be deleted are marked in the user list and the menu item User/Remove Certificate from LDAP clicked. The dialog box below is opened:


Figure 59: Save LDIF File – Delete Certificates

The appropriate directory is selected and the name of an LDIF file is entered in the field File Name. CA MANAGEMENT then saves the marked certificates in this file. The LDAP administrator can now update his LDAP directory with this file.
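What the two LDIF files of sections 5.3.4.3 and 5.3.4.4 have to carry, shown as an added example (this is not SECUDE's code, and the exact attribute and change records CA MANAGEMENT writes are not specified on this page). It produces RFC 2849 change records that add, respectively delete, the marked certificates as values of the userCertificate;binary attribute, base64-encodes binary and non-ASCII values with the "::" form, folds long lines at 76 characters, and can read its own output back for checking. The attribute name, the sample DNs and the placeholder certificate bytes are this example's assumptions.

```python
import base64


def _is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: printable ASCII, not starting with space, ':' or '<'."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(0x20 <= ord(c) < 0x7F for c in value)


def ldif_attr(name: str, value) -> str:
    """One attribute line; bytes and non-safe strings are written base64 ('::')."""
    if isinstance(value, bytes):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    if _is_safe_string(value):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ldif_fold(line: str, width: int = 76) -> str:
    """Fold a long line; every continuation line begins with a single space."""
    if len(line) <= width:
        return line
    parts, pos = [line[:width]], width
    while pos < len(line):
        parts.append(line[pos:pos + width - 1])
        pos += width - 1
    return "\n ".join(parts)


def ldif_unfold(text: str) -> list:
    """Inverse of ldif_fold over a whole file."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _modify_record(dn: str, op: str, cert_der: bytes) -> str:
    lines = [ldif_attr("dn", dn), "changetype: modify",
             f"{op}: userCertificate;binary",
             ldif_attr("userCertificate;binary", cert_der), "-"]
    return "\n".join(ldif_fold(ln) for ln in lines) + "\n"


def ldif_insert_certificates(entries) -> str:
    """entries: iterable of (ldap_dn, certificate_der). Adds each certificate as
    a value of the entry's userCertificate;binary attribute; existing values stay."""
    return "\n".join(_modify_record(dn, "add", der) for dn, der in entries)


def ldif_delete_certificates(entries) -> str:
    """Removes exactly the given certificate values, not the whole attribute,
    so a user who holds several certificates keeps the others."""
    return "\n".join(_modify_record(dn, "delete", der) for dn, der in entries)


def certificates_in_ldif(text: str) -> list:
    """Recover the (dn, der) pairs from an LDIF file written by the functions above."""
    out, dn = [], None
    for line in ldif_unfold(text):
        if line.startswith("dn:: "):
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userCertificate;binary:: "):
            out.append((dn, base64.b64decode(line[len("userCertificate;binary:: "):])))
    return out


# Constructed sample input: placeholder bytes stand in for DER certificates,
# and one DN contains umlauts to exercise the base64 ('dn::') form.
SAMPLE_CERT_DER = bytes(range(256)) * 2
SAMPLE_ENTRIES = [
    ("cn=Alice Example,o=Example,c=DE", SAMPLE_CERT_DER),
    ("cn=J\u00fcrgen M\u00fcller,o=Example,c=DE", SAMPLE_CERT_DER[:100]),
]

if __name__ == "__main__":
    print(ldif_insert_certificates(SAMPLE_ENTRIES))
```

The delete record names the certificate value explicitly. An LDIF "delete: userCertificate;binary" line without a value would strip every certificate from the entry, which is rarely what "remove these certificates" means once users hold more than one.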

5.3.4.5 User / Write List of Public Keys …

This function is intended for users who cannot get certificates from the participants in the certification infrastructure through a directory service such as LDAP.

In this case the CA writes all public keys into a file (pem format), which it also digitally signs. This file must be distributed to the users who can then copy it into their PSE using SECUDE PSE MANAGEMENT.

Figure 60: Write PK List

A choice can be made whether all certificates that the CA has ever issued are copied into the file, or only the current ones. After clicking OK a dialog box opens in which directory and file name have to be entered.

5.3.4.6 User / Write Certificates as ASN.1…

With this function the CA can write issued certificates as an ASN.1 structure. To do this the required certificates are marked in the user list and the menu item User / Write Certificates as ASN.1… is clicked. The dialog box below is opened:


Figure 61: Write Certificates

Each certificate is written as its own ASN.1 file. Under Directory the directory can be found in which the files are saved. With a click on the disk button a dialog box is opened in which you can navigate to the appropriate directory. The file names are composed of the value entered under Prefix and a unique number. In this version only the format ASN.1 can be set.

5.3.4.7 User / Generate Password Form Letter…

This function is used to select entries from the CA database for generating an export file which in turn is used as a database for the Microsoft Word form letter function (see section 8.3 Inform of Transport Password: Export to Microsoft Word – Form Letter). Thus it is very easy to inform the PSE recipients about their transport passwords via password form letters.

To do this, the respective certificates in the user list are selected and marked. Clicking User / Generate Password Form Letter opens the following dialog.

Figure 62: Generate Password Form Letter

The list Available fields contains the fields that can be exported from the CA database. The list Export fields contains the fields actually to be exported. Using the left/right buttons, entries can be moved from one list to the other. In most cases it is neither necessary nor useful to export all fields. Using the up/down buttons, the order of the fields within the list can be stipulated. With Delete the list is emptied.


When the fields to be exported and their order have been determined, click OK. A file dialog opens where directory and name for the export file are set.

The export file is in CSV file format (i.e. a list with entries separated by semicolons). Each data set has its own line; fields within one data set are separated by semicolons. The first line of the CSV file contains the names of the exported fields.

Often the export file will contain security sensitive data, e.g. the passwords of the generated PSE files. For this reason the export file must always be kept in a secure environment and deleted as soon as it is no longer needed.
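The export format just described, together with the handling the last paragraph asks for, as an added example (written for this edition; it is not CA MANAGEMENT's own export routine). It writes the chosen fields in the chosen order as a semicolon-separated CSV with a header line, quotes values that themselves contain a semicolon, creates the file with owner-only permissions and refuses to overwrite an existing file, and removes it again by overwriting before unlinking. The field names, the sample records, the UTF-8 encoding and the function names are assumptions of this example.

```python
import csv
import os
import tempfile

# Constructed sample records; the field names are assumed, the real export offers
# the CA database fields listed under "Available fields".
SAMPLE_RECORDS = [
    {"Name": "Alice Example", "Distinguished Name": "CN=Alice Example,O=Example,C=DE",
     "Transport Password": "k7#Qp2Lm", "Remarks": "deliver by courier"},
    {"Name": "Bob Example", "Distinguished Name": "CN=Bob Example,O=Example,C=DE",
     "Transport Password": "Zr9!wT4c", "Remarks": "callback before delivery; 2nd floor"},
]


def export_form_letter_csv(records, fields, path) -> int:
    """Write the selected fields, in the given order, as ';'-separated CSV with a
    header line. The file is created 0600 and must not exist yet (O_EXCL), so a
    stale export with old passwords is never silently replaced or appended to."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh, delimiter=";", quoting=csv.QUOTE_MINIMAL)
        writer.writerow(fields)
        for rec in records:
            writer.writerow([str(rec.get(f, "")) for f in fields])
    return len(records)


def read_form_letter_csv(path) -> list:
    """Read the export back as a list of dicts keyed by the header line."""
    with open(path, newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh, delimiter=";"))


def wipe_export_file(path) -> None:
    """Best-effort removal: overwrite the content, flush, then unlink. On
    journaling file systems and SSDs old blocks may still survive, so keeping
    the file only as long as the form letter is being produced matters more."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


def demo(fields=("Name", "Transport Password", "Remarks")) -> dict:
    """Run the whole cycle in a scratch directory and report what happened."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "formletter.csv")
    count = export_form_letter_csv(SAMPLE_RECORDS, list(fields), path)
    with open(path, encoding="utf-8") as fh:
        header = fh.readline().rstrip("\r\n")
    rows = read_form_letter_csv(path)
    try:
        export_form_letter_csv(SAMPLE_RECORDS, list(fields), path)
        clobbered = True
    except FileExistsError:
        clobbered = False
    wipe_export_file(path)
    remains = os.path.exists(path)
    os.rmdir(tmpdir)
    return {"count": count, "header": header, "rows": rows,
            "clobbered": clobbered, "remains": remains}


if __name__ == "__main__":
    print(demo())
```

Because a Distinguished Name or a remark may itself contain a semicolon, the csv module's quoting is what keeps the column count stable for Word's form letter import; writing the lines with plain string joins would break exactly on those records.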

5.3.5 Extras

In the menu Extras special functions concerning the CA can be found. Via the item Password Policy rules can be established which the CA can oblige the users to follow. With the menu item Options global settings for CA MANAGEMENT are made. Via the item Log-on Profiles... the log-on profiles can be administered.

5.3.5.1 Extras / Password Rules…

To support the choice of good passwords (cf. Chapter 1.6 Passwords) of the users for whom the CA creates PSEs, the CA can prescribe Password Rules which the users' passwords have to meet. The dialog box for this is opened with the menu item Extras/Password Rules.


Figure 63: Password Rules – Rules Editor

In the Rules Editor norms can be set which the users' passwords must meet. With Length Restrictions the upper and lower limits for the length of the password are defined. In Character Set it is determined whether certain kinds of characters are required in the passwords. With Contents certain passwords are totally excluded, e.g. names known to the system such as user, group, computer and domain names, previous passwords, entries from a referential file (to which the user has reading rights but only the CA writing rights) containing undesirable passwords, or entries from a referential list to be compiled in this dialog box (one entry per line). Furthermore the validity period of the user password and how many times the user can log on after the validity has expired can be defined. The latter is necessary so that the password can be changed after its expiry.

Before insertion in the CA database the rules can be checked with Preview.


Figure 64: Password Rules – Preview

With Insert the rules are entered into the CA database. Sets of rules already in the database can be modified with Change and deleted with Delete. New cancels all entries in the Rules Editor to allow a new set of rules to be entered.

When creating user PSEs a definition for each individual user can be given in the user form as to which set of rules his password must meet (cf. Chapter 6.3 Create User PSEs).

The password rules are only available to users working with the program SECUDE PSE MANAGEMENT.
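The rule categories of the Rules Editor (length restrictions, character set, excluded contents, validity period and the number of log-ons allowed after expiry), implemented as a checker in the way the enforcing side, SECUDE PSE MANAGEMENT, would have to apply them. This is an added example for this edition, not SECUDE's code; the default values, the referential file syntax (one entry per line, "#" comments), exact case-insensitive matching for excluded entries, the ISO date strings and all names are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordRules:
    """One set of rules as entered in the Rules Editor (values are assumed)."""
    min_length: int = 8
    max_length: int = 64
    need_upper: bool = True
    need_lower: bool = True
    need_digit: bool = True
    need_special: bool = False
    excluded: set = field(default_factory=set)   # referential file / list entries
    validity_days: int = 90                      # validity period of the password
    grace_logons: int = 3                        # log-ons permitted after expiry


def load_referential_list(text: str) -> set:
    """One excluded password per line; blank lines and '#' comments are ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def check_password(pw: str, rules: PasswordRules, known_names=(), previous=()) -> list:
    """Return the rules the password violates; an empty list means it is acceptable.
    known_names: user, group, computer and domain names known to the system."""
    v = []
    if len(pw) < rules.min_length:
        v.append(f"shorter than {rules.min_length} characters")
    if len(pw) > rules.max_length:
        v.append(f"longer than {rules.max_length} characters")
    if rules.need_upper and not any(c.isupper() for c in pw):
        v.append("no upper-case letter")
    if rules.need_lower and not any(c.islower() for c in pw):
        v.append("no lower-case letter")
    if rules.need_digit and not any(c.isdigit() for c in pw):
        v.append("no digit")
    if rules.need_special and not any(not c.isalnum() for c in pw):
        v.append("no special character")
    low = pw.casefold()
    if any(low == n.casefold() for n in known_names if n):
        v.append("equals a user, group, computer or domain name")
    if low in {e.casefold() for e in rules.excluded}:
        v.append("listed as an undesirable password")
    if pw in previous:
        v.append("was used before")
    return v


def logon_allowed(set_on: str, today: str, rules: PasswordRules,
                  logons_since_expiry: int) -> tuple:
    """(may log on, must change password). After the validity period the user
    gets rules.grace_logons further log-ons, enough to change the password."""
    expires = date.fromisoformat(set_on) + timedelta(days=rules.validity_days)
    if date.fromisoformat(today) <= expires:
        return True, False
    return logons_since_expiry < rules.grace_logons, True


if __name__ == "__main__":
    rules = PasswordRules(excluded=load_referential_list("# banned\nsecret\nwelcome1\n"))
    print(check_password("welcome1", rules, known_names=["alice"]))
    print(logon_allowed("1999-01-01", "1999-06-01", rules, logons_since_expiry=2))
```

The referential file is read with the CA's write-only ownership in mind: the checker only ever loads it, so a user who can read the file cannot shorten the list of excluded passwords.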

5.3.5.2 Extras / Options…

The menu item Extras/Options is active both when logged on and off. The options that can be set with this item are the presettings for the creation of PSEs and general settings for CA MANAGEMENT.

The settings in the dialog box Options have been treated in detail in Chapter 4 Options.

5.3.5.3 Extras / Log-on Profiles…

A CA is unambiguously addressed when a log-on profile is used. The name of the log-on profile appears in the log-on dialog box of CA MANAGEMENT. If you are operating the CA on the same PC on which you have created the log-on profile, you already have a log-on profile for this CA.

If you want to operate the CA from another PC, however, you must first enter a log-on profile before you can log on.

After selecting the menu item Extras/Log-on Profiles… the dialog box below opens:

Figure 65: Log-on Profiles

The list shows all known log-on profiles. When you click Add, the following dialog box opens:

Figure 66: Log-on Profile

Under Log-on Profile Name you enter the name by which you later want to address this profile. Under PSE Type you enter whether the PSE is saved in a file system, on a smartcard, or on a RACAL cryptoboard.

If you click File, you must complete the text bars PSE Name and CA Directory; with Smartcard you must complete the text bars Card Type, Software Extension and CA Directory; and with RACAL RG 700 the text bars Software Extension and CA Directory.


With a file PSE you must enter the complete path and the name of your PSE in the text bar PSE Name. With a smartcard PSE you must enter the operating system of the smartcard in the text bar Card Type. With smartcard and RACAL based PSEs you must enter the extension of the PSE in the file system in the text bar Software Extension. In the text bar CA Directory you must enter the directory in which the CA database is to be found.

Each disk button opens a file dialog box where you can navigate to the appropriate directory.

5.3.6 Smartcard

With SECUDE CA MANAGEMENT smartcards can be used instead of a file PSE. Both the CA-PSE and the user PSEs can be stored on a smartcard. The required settings can be made with the drop-down menu item Smartcard.

5.3.6.1 Smartcard / Terminal Setup …

With the menu item Smartcard/Terminal Setup it is possible to configure smartcard terminals for both the CA and the user. The software supports the simultaneous operation of two terminals. The CA-PSE on a smartcard can be in the first terminal, whilst the user PSEs are being created on smartcards in the second terminal.

Figure 67: Smartcard Terminal Setup

Different types of smartcard terminals can be configured. It is important that the terminal in use be chosen from the list, otherwise no guarantee can be given for correct functioning.

The settings can be tested with the button Test.


If the terminal is not correctly configured or cannot be accessed, the message on the left appears.

There are various reasons why a smartcard terminal cannot be addressed:
• The terminal is not supported by the software.
• The terminal is not connected to a power supply.
• The terminal is not connected to the specified port.
• The terminal is defective.

If the test is successful, the settings can be saved with Apply or OK. With OK the window is also exited.

CA MANAGEMENT signals the successful installation.

The dialog box to set up smartcard terminals for user PSEs is identical to the one for CA-PSEs.

5.3.6.2 Smartcard / Info User Smartcard …

To get information on the smartcard plugin being used, the terminal, and the card, insert the user smartcard in the terminal and use the menu item Smartcard/Info User Card... . The main point of interest is the entry under Card. If the entry is "…with application", a PSE already exists on the card, otherwise the entry is "…without application".

Figure 68: Info User Card

5.3.6.3 Smartcard / Unblock Password …

When a smartcard has been blocked because of too many retries it can be unblocked here by entering the PUK.


Figure 69: Unblock Password

5.3.6.4 Smartcard / Delete User Card …

A smartcard that has been personalised by SECUDE can be deleted using this dialog box. All information stored on the card is irrevocably deleted. Deleting a smartcard can only be done when the password or – depending on the type of card – the PUK is known.

When the password has been entered the program ensures before deleting that this action is really desired. Only when the button Yes is clicked, is the information on the card deleted.

A smartcard can thus be provided with new PSEs several times.

5.3.7 Window

With the drop-down menu Window several windows within CA MANAGEMENT can be arranged.

Switching between the user list and revocation list can also be made here. See also Chapter 5.3.2 View.

5.3.8 Help – (?)

With Help or the character ? the dialog boxes Info and Info about SECUDE can be opened.

5.3.8.1 ? / Info…

The dialog box Info shows among other things the current version number of CA MANAGEMENT. Additionally, all addresses of SECUDE GmbH can be found here.


Figure 70: Info on CA MANAGEMENT

5.3.8.2 ? / Info on SECUDE…

In the dialog box Info on SECUDE, information about the library used by SECUDE is shown. Included are the version number, the options that have been set in the SECUDE library, and the supported plugins.

Figure 71: Info on SECUDE

When making queries to SECUDE GmbH, the information from this dialog box should be included.


6 Management of User Data

This chapter explains how a CA using SECUDE CA MANAGEMENT fulfills its main task of maintaining user data and issuing certificates for the users.

CA MANAGEMENT creates and administers its database using the interfaces Microsoft Data Access Objects (DAO) and Microsoft Jet Database Engine. This database can be opened with, for example, Microsoft Access. It is, however, not advisable to process the database outside CA MANAGEMENT.

6.1 User List and User Form

The user list is opened with the menu item View/User List. After log-on the user list (i.e. the user view in the CA database) is displayed automatically.

6.1.1 User List

The user list shows the most important fields of the user table from the CA database. Using the scroll bar the fields and records not on the screen can be viewed.

Column width

The width of a column can be changed by positioning the cursor between the field names. The cursor changes its appearance in this position. By double clicking the mouse here the optimum width is achieved. The width can also be changed by dragging and dropping the dividing line.

Sorting

After log-on the user list is automatically sorted by the column Distinguished Name. By clicking on the field buttons Distinguished Name, Valid from, Valid to, Serial number or Name the table can be sorted as required. Sorting is done in ascending order.

Figure 72: User List


Symbols

The user list displays a number of symbols in different colors on the left of the window. The symbols are a quick way of showing the state of certificates already issued and those being processed.

(blue question mark) Data to issue a certificate have been transferred to the database but the certificate has not yet been issued or the PSE not yet created.

(green tick) The certificate is still valid and will not expire within the set warning period (see Chapter 4.1.4 Warning Periods).

(red exclamation mark) The certificate is still valid but will expire within the set warning period (see Chapter 4.1.4 Warning Periods).

(red cross) The certificate has either already expired or its validity period has not yet begun.

(black lightning) The certificate is revoked (see Chapter 7 Revocation List Management).
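The five states behind the symbols, and the ascending sort of the list from the Sorting paragraph, worked through as an added example (this is example code for this edition, not the routine in CA MANAGEMENT). It classifies each user entry from its serial number, validity period, the configured warning period and the set of revoked serial numbers, and handles the two edge cases the text names: a validity period that has not yet begun, and a certificate that expires exactly at the warning boundary. The record layout, the ISO date strings, the constructed sample entries and the precedence of revocation over expiry are assumptions of this example.

```python
from datetime import date, timedelta
from enum import Enum


class Symbol(Enum):
    PENDING = "blue question mark"     # data entered, certificate/PSE not yet created
    VALID = "green tick"
    EXPIRING = "red exclamation mark"  # valid, but ends within the warning period
    NOT_VALID = "red cross"            # expired, or validity period not yet begun
    REVOKED = "black lightning"


def certificate_symbol(entry: dict, today: str, warning_days: int, revoked_serials=()) -> Symbol:
    """entry: {'dn', 'serial' (None until issued), 'valid_from', 'valid_to'};
    dates are 'YYYY-MM-DD' strings."""
    if entry.get("serial") is None:
        return Symbol.PENDING
    if entry["serial"] in revoked_serials:   # assumed precedence: revocation wins
        return Symbol.REVOKED
    now = date.fromisoformat(today)
    start = date.fromisoformat(entry["valid_from"])
    end = date.fromisoformat(entry["valid_to"])
    if now < start or now > end:
        return Symbol.NOT_VALID
    if end - now <= timedelta(days=warning_days):
        return Symbol.EXPIRING
    return Symbol.VALID


def user_list_rows(entries, today: str, warning_days: int, revoked_serials=(),
                   sort_by: str = "dn") -> list:
    """Rows as the user list shows them: (symbol, entry), sorted ascending by one
    column; entries without the column (e.g. not yet issued) sort first."""
    rows = [(certificate_symbol(e, today, warning_days, revoked_serials), e) for e in entries]
    rows.sort(key=lambda r: str(r[1].get(sort_by) or ""))
    return rows


# Constructed sample entries for a CA looking at its list on 1999-06-01.
SAMPLE_ENTRIES = [
    {"dn": "CN=Carol,O=Example,C=DE", "serial": None},
    {"dn": "CN=Alice,O=Example,C=DE", "serial": 7,
     "valid_from": "1999-01-01", "valid_to": "2000-12-31"},
    {"dn": "CN=Bob,O=Example,C=DE", "serial": 8,
     "valid_from": "1998-06-01", "valid_to": "1999-06-20"},
    {"dn": "CN=Dave,O=Example,C=DE", "serial": 9,
     "valid_from": "1998-01-01", "valid_to": "1999-03-31"},
    {"dn": "CN=Eve,O=Example,C=DE", "serial": 10,
     "valid_from": "1999-07-01", "valid_to": "2001-06-30"},
    {"dn": "CN=Frank,O=Example,C=DE", "serial": 11,
     "valid_from": "1999-01-01", "valid_to": "2000-12-31"},
]

if __name__ == "__main__":
    for symbol, entry in user_list_rows(SAMPLE_ENTRIES, "1999-06-01", 30, revoked_serials={11}):
        print(f"{symbol.value:22} {entry['dn']}")
```

A certificate whose period has not yet begun gets the same red cross as an expired one, which is what the text describes; if the two cases need telling apart in a report, compare the start date separately rather than adding a sixth symbol.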

Behavior

Double clicking the left mouse button opens the user form (see Chapter 6.1.2 User Form). Once the user form is open a single left mouse click displays the selected data set in the user form.

When the view of the revocation list is also open, a selected certificate can be dragged and dropped into the revocation list.

6.1.2 User Form

The user form shows one user's complete user record. With the user form user data can be added, changed, or deleted. (An outline of the fields can be found in Chapter 12.1 Fields in the User Form.)

Open the User Form

The user form is opened either by a mouse click on the button shown on the left, or with the menu item User/Record, or simply by a double click on a record in the user list.

To select an entry with a double click, the field Distinguished Name must be visible in the CA MANAGEMENT window.

Once the user form is open, user data records can be viewed by clicking on the required user entry in the user list. The window User List might well be hidden behind the window User Form. Both windows can be viewed simultaneously by repositioning the window User Form.

Figure 73: User List and User Form

The user form is closed by clicking the button Close.

The Fields of the User Form

The user form is divided into the areas User Data, and (as index cards) PSE – with the subordinate fields Signature Certificate and Encryption Certificate – and Certificate. According to which fields are required for the user being regarded, only some of these fields – with index cards it might be more than one – may be visible.


Figure 74: User Form

User DataIn the area User Data general information can be entered. These data areoptional and have no significance for the creation of the PSE but canhelp to identify a user more quickly.

Certificate
This index card is visible when the PSE was created by the user himself and certified by the CA. The number after the word "Certificate" in the title bar is the serial number issued on certification. For further details on the individual fields please see Chapter 6.4 Certification of Incoming Prototype Certificates.

PSE
This index card shows a user PSE created, or still to be created, by the CA. When a date is shown in the title bar, the PSE was created at that time. When no date is shown, the PSE has not yet been created. Details on the individual fields can be found in Chapter 6.2.2 Enter PSE Data.


Signature / Encryption Certificate
This field contains all necessary certificate data. For a PSE with a single key pair there is only the field Signature Certificate; for a PSE with two key pairs there are the fields Signature Certificate and Encryption Certificate. Details on the individual fields can be found in Chapter 6.2.2 Enter PSE Data.

6.2 Process User Entries
The user form is used to enter the required data for each user and to create from these data the user's certificate(s) or PSE. SECUDE CA MANAGEMENT allows the PSE to be created immediately after entering the user's data. It is also possible to enter a number of user entries first, then select all the new user entries in the user view and create the PSEs for them en bloc (see Chapter 6.3 Create User PSEs).

Different rules apply to user entries for which certificates already exist. Such data can be processed only to a limited degree and cannot be deleted.

A certificate once issued remains valid for the period defined in Valid from and Valid until (unless it has to be revoked for some reason). A CA is obliged to give information on the validity of a certificate, and deleting a user entry from the database would have no effect on this obligation. Therefore it is not possible to delete such a data entry.

When a user entry for which no PSE has yet been created is displayed in the user form, all fields can be edited. When a PSE has already been created for a user entry, all fields with the exception of User Data are blocked. This is shown by graying out the inactive fields.

6.2.1 Register a New User
To register a new user click the menu item User/Register... or click on the appropriate button of the toolbar. An empty user form then appears.

If the user form is already open and showing a user entry, a click on the button New will produce an empty form to register the new user.

The individual text fields in the area User Data are self-explanatory.

6.2.2 Enter PSE Data
After a new user has been registered, the message "No PSE or Certificate data available" is shown in the lower field of the user form. By clicking on New PSE the data set for the creation of a PSE for this user is set up.

As more than one PSE can be issued for a single user, New PSE can still be used when PSE data are already shown in the lower field of the user form. You then get a new PSE index card. Please remember to give each new PSE a new PSE name.

All fields should be filled with default values. These can be determined with Options (see Chapters 4.2.1 Issuer and 4.2.2 PSE Options). The meaning of the individual fields in the area PSE is dealt with in detail in the following section.

When all entries have been made, the button Update is clicked to enter the record into the database.

Meaning of the PSE Fields
The field Profile is not supported in this version of CA MANAGEMENT; it is reserved for a later version.

The fields PSE Name and PSE Directory are active when you want to create a file PSE; they contain the directory and file name of the file to be created.

The field Card Type is active when you want to create a smartcard PSE; here you select the required card type.

With the field One Key Pair you control whether a PSE with one or two key pairs is created. In a PSE with two key pairs, one pair is used to authenticate, i.e. to sign, and the other pair to encrypt. In a PSE with only one key pair (one certificate) this pair is used for both tasks.

In the field Password you determine whether the PSE password is to be generated automatically; the password text field is then blocked. The length of the automatically generated password is set in Options. If the password is not to be generated automatically, click the selection box to remove the tick and enter a password. The password can be up to 50 characters long. The exception is the smartcard password, which can only have eight characters. If the user has to follow certain rules for passwords, the name of the relevant set of rules is entered in the field Rules. How password rules are entered is described in Chapter 5.3.5.1 Extras / Password Rules....

It is not possible to stipulate password rules for smartcard PSEs. However, an error limit for the smartcard password is required. The maximum value varies from card to card. The error limit specifies how often an incorrect password may be entered before the card blocks itself.

In the area PUK the PUK (password unblocking key) is either generated automatically by ticking the selection box or entered manually. The PUK is used to unblock smartcards after too many false password entries; the field is therefore grayed out for file PSEs. The PUK also has an error limit, which is, however, preset to three by SECUDE CA MANAGEMENT.

Card Number is the serial number of the smartcard. This field is completed automatically after the creation of a smartcard PSE.
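The password rules, the 50 and eight character limits and the error limit / PUK behaviour described above, as an added Python example; it is not code from SECUDE or from this manual. The character classes, the rule set and the card model are constructed for illustration (the syntax of the product's own password rules is not shown on this page), and whether a successful PUK entry resets the PUK counter is an assumption that varies by card.

```python
import hmac
import secrets
import string

# Limits stated in the manual: a file PSE password may have up to 50 characters,
# a smartcard password exactly eight; the PUK error limit is preset to three.
FILE_PSE_MAX_LEN = 50
SMARTCARD_PIN_LEN = 8
PUK_ERROR_LIMIT = 3

# Constructed character classes for a rule set (assumption: the product's own
# rule syntax is not shown on this page).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": "!#$%&*+-./:=?@_",
}


def check_rules(password, min_len, required=("lower", "upper", "digit")):
    """Return the list of violated rules; an empty list means the password complies."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > FILE_PSE_MAX_LEN:
        problems.append(f"longer than {FILE_PSE_MAX_LEN} characters")
    for name in required:
        if not any(c in CLASSES[name] for c in password):
            problems.append(f"no {name} character")
    return problems


def generate_file_pse_password(length=16, required=("lower", "upper", "digit")):
    """Uniformly random password from the union of the required classes, re-drawn
    until every rule holds (rejection sampling keeps the distribution unbiased)."""
    if not len(required) <= length <= FILE_PSE_MAX_LEN:
        raise ValueError(f"length must be between {len(required)} and {FILE_PSE_MAX_LEN}")
    alphabet = "".join(CLASSES[name] for name in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_rules(candidate, min_len=length, required=required):
            return candidate


def generate_smartcard_pin():
    """Eight digits from the CSPRNG; no rule set applies to smartcard passwords."""
    return "".join(secrets.choice(string.digits) for _ in range(SMARTCARD_PIN_LEN))


class SmartcardPin:
    """Model of the error limit / PUK behaviour: the card blocks after `error_limit`
    wrong PINs, the PUK unblocks it and sets a new PIN, and after PUK_ERROR_LIMIT
    wrong PUKs the card is blocked for good. (Assumption: a successful PUK entry
    does not reset the PUK counter here; real cards differ.)"""

    def __init__(self, pin, puk, error_limit):
        if len(pin) != SMARTCARD_PIN_LEN or not pin.isdigit():
            raise ValueError("smartcard password must be exactly eight digits")
        self._pin, self._puk = pin, puk
        self.error_limit = error_limit
        self.errors = self.puk_errors = 0
        self.blocked = self.permanently_blocked = False

    def verify(self, pin):
        if self.blocked or self.permanently_blocked:
            return False
        if hmac.compare_digest(pin, self._pin):   # constant-time comparison
            self.errors = 0
            return True
        self.errors += 1
        if self.errors >= self.error_limit:
            self.blocked = True
        return False

    def unblock(self, puk, new_pin):
        if self.permanently_blocked:
            return False
        if (hmac.compare_digest(puk, self._puk)
                and len(new_pin) == SMARTCARD_PIN_LEN and new_pin.isdigit()):
            self._pin, self.errors, self.blocked = new_pin, 0, False
            return True
        self.puk_errors += 1
        if self.puk_errors >= PUK_ERROR_LIMIT:
            self.permanently_blocked = True
        return False


if __name__ == "__main__":
    print("file PSE password:", generate_file_pse_password(16))
    print("smartcard PIN:", generate_smartcard_pin())
```

An eight-digit smartcard password has far fewer combinations than a 50-character file PSE password; the error limit and the PUK are what make it acceptable, which is why the limit must be set and the PUK handled as carefully as the password itself.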


Meaning of the Certificate Fields
In the field Distinguished Name the Distinguished Name of the PSE owner (user) is entered.

When a tick appears in the field Distinguished Name is Prefix, the Distinguished Name of the CA is prefixed to the entry in the field Distinguished Name when the certificate is issued. In this way the certification hierarchy can be reflected in the Distinguished Name.

Under Valid from please enter the date from which the certificate is valid (the default value is the current date) and under Valid until the end of the validity period. The date format of these fields follows the regional settings of the system (Control Panel).

In the field Issuer Algorithm the algorithm with which the CA is to sign the certificate is entered.

The field Algorithm contains the algorithm the user uses for signing andencrypting.

The field Key Size contains the length of the relevant keys.

Version shows whether it is an X.509v1 or X.509v3 certificate. If you want to create an X.509v3 certificate, the button V3 Extensions takes you to the dialog box in which the certificate extensions supported by SECUDE CA MANAGEMENT can be set.

If a PSE with two key pairs is required, the same entries are made in thearea Encryption Certificate.

6.2.3 Register Certificate
As described in Chapter 1.3 Issue Certificates for Users under the item User creates PSE, it is possible that not the CA but the user himself creates the PSE.

In this case the user must send his public key to the CA for certification.

With the button Read Certificate a file dialog box can be opened in which the certification request can be read in. The certificate is then displayed so that it can be checked whether the correct information has been read in.

The correctness of the data is verified by clicking on the index card Checksums (Fingerprints) and comparing the value Checksum of the Public Key with the value the user has sent you over a separate channel. The two values must be identical. If they differ, the request may have been replaced or altered in transit, or somebody may be trying to obtain a certificate under another person's identity; in that case the request must not be certified.

When you agree with the data, click OK and you get a new certificate index card.

All fields that are not blocked can be changed by the CA according to its requirements. The meaning of the individual fields can be found in Chapter 6.2.2 Enter PSE Data under the item Meaning of the Certificate Fields.


6.2.4 Create Further PSEs for Same User
An entry can be extended by further PSEs or certificates: click the record in the user list, which opens the user form, then click the button New PSE or Read Certificate to create a new index card for the additional PSE in the user form. On Update the entry is added to the database again; before it is added, the entry can of course be changed.

6.2.5 Delete a User Entry
As long as no PSE has been issued for a user, the complete entry can be deleted from CA MANAGEMENT with the button Delete in the area User Data.

If a PSE has already been issued, the user entry cannot be deleted from the CA database, because a record of every issued PSE and certificate must be kept (see Chapter 6.2 Process User Entries).

6.2.6 Delete a PSE Data Set
As long as the PSE data set has been registered but the PSE not yet issued, the PSE data set can be deleted with the button Delete on the PSE index card.

After a PSE has been created for a user, only the general user data can be changed; all other fields are blocked. A certificate once issued cannot be changed. Should a certificate have to be declared invalid, it must be revoked through the revocation list.

6.2.7 Delete a Certificate Data Set
As long as the certification request has only been read in but no certificate has been issued, the certificate data set can be deleted with the button Delete on the certificate index card.

A certificate once issued cannot be changed. Should a certificate have to bedeclared invalid, it must be revoked through the revocation list.

6.3 Create User PSEs
SECUDE CA MANAGEMENT allows a PSE to be created immediately after the user entry has been registered. Alternatively, a number of user entries can be registered, selected in the user list, and PSEs created for them collectively. Both possibilities are discussed here.


6.3.1 Create Individual PSEs
After the PSE data have been registered (see Chapters 6.2.1 Register a New User and 6.2.2 Enter PSE Data), the PSE for the user can be issued.

The PSE with the data entered is created by clicking the button Create on the relevant index card. CA MANAGEMENT then runs a check on the data entered.

The PSE creation process can be followed step by step. Generating the authentication (signature) key pair takes the longest.

Figure 75: PSE is being created

After the PSE has been created, the message shown on the left appears. It is confirmed by clicking OK.

6.3.2 Create Several PSEs
Several PSEs can be generated in one go by marking, in the user list, those user entries for which a PSE is required. Several entries can be marked by mouse click in combination with the Control or Shift key.

Then the menu item User/Create List of PSEs is selected, or the toolbar button shown on the left.

All the selected user PSEs are then created. Progress can be followed in the status bar.


Figure 76: PSE Creation

After the PSEs have been created, the above dialog box must be closed with OK.

If a user entry for which a PSE has already been created is selected, this entry is ignored by CA MANAGEMENT.

The certificates of the created PSEs can be viewed in detail by clicking the button Display Certificate, which is located at the bottom of the relevant index card. In particular, the user's public key and the serial number of the certificate can be found there.

6.4 Certification of Incoming Prototype Certificates
PSEs created by the user himself (or rather the relevant prototype certificates) can be certified by the CA to include them in the certification structure.

To this end the user sends the prototype certificate he has created to the CA responsible for him. Once the CA has been informed by the user where the file containing the prototype certificate can be found, the certificate request is processed.

Please read in Chapter 6.2.3 Register Certificate how the user's certificaterequest is read in.

Further processing of the prototype certificate is carried out in the user form. The number of certificates depends on the number of key pairs: one certificate per key pair. Apart from the user's public key, all parameters can still be modified at this stage. Further, the area User Data can be completed.

By clicking the button Issue, the certificate is signed by the CA and becomes valid within the certification structure. From now on no further changes can be made apart from the user data; all other fields are therefore grayed out. The serial number now also appears in the title bar of the index card.


Once the certificate has been issued, it can be copied into a file accessible to the user with the button Export. Please note that the certificate can only be issued as a PEM file if the certificate request was written in a PEM file.

Figure 77: Export Certificate

The user must then only be informed where to find this file.

As all data in the prototype certificate and in the certificate itself are public, this procedure poses no confidentiality risk, so no encryption or password is required for the exchange. What does have to be protected is the integrity of the request: this is why the fingerprint comparison described in Chapter 6.2.3 Register Certificate must be carried out before the certificate is issued.
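The fingerprint check from Chapter 6.2.3 Register Certificate, which the exchange in this chapter relies on, as an added Python example; it is not code from SECUDE or from this manual. The sample "request" is a constructed byte string standing in for the DER encoding the user sent, and the example hashes the whole encoded block; the product's Checksum of the Public Key may hash the public key field alone, so in practice both sides must agree on what exactly is hashed and with which algorithm.

```python
import base64
import hashlib
import hmac
import re
import textwrap

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in a PEM block (Base64, 64 columns per line)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem_text):
    """Decode the first PEM block; raise ValueError on a missing or corrupt block."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    try:
        return base64.b64decode("".join(match.group(2).split()), validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise ValueError("PEM body is not valid Base64") from exc


def fingerprint(der, algorithm="sha1"):
    """Hex fingerprint in the usual AA:BB:CC... notation."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Ignore separators and case so that a value read aloud or typed from
    paper ('aa bb cc', 'aabbcc', 'AA:BB:CC') still compares correctly."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches(pem_text, stated_fingerprint, algorithm="sha1"):
    """The CA-side check: does the received block hash to the value the user
    communicated over a separate channel? Constant-time comparison."""
    computed = normalize(fingerprint(pem_to_der(pem_text), algorithm))
    return hmac.compare_digest(computed, normalize(stated_fingerprint))


# Constructed sample: not a real certificate request, just bytes standing in for
# the DER encoding the user sent (0x30 happens to be the ASN.1 SEQUENCE tag).
SAMPLE_DER = bytes(range(0x30, 0x30 + 96))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

# The same block with one byte flipped, as a substituted key would look.
TAMPERED_DER = SAMPLE_DER[:40] + bytes([SAMPLE_DER[40] ^ 0x01]) + SAMPLE_DER[41:]
TAMPERED_PEM = der_to_pem(TAMPERED_DER)

if __name__ == "__main__":
    stated = fingerprint(SAMPLE_DER)      # the value the user reads out to the CA
    print("fingerprint:", stated)
    print("genuine request accepted:", matches(SAMPLE_PEM, stated))
    print("tampered request accepted:", matches(TAMPERED_PEM, stated))
```

The value compared against must come from the user by a route independent of the file transfer (telephone, paper, in person); a fingerprint sent in the same e-mail as the request proves nothing, since whoever replaced the request could replace it too.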

6.5 Write Again User PSE
In cases where the user, for whatever reason, has failed to install the PSE issued for him, or where he has inadvertently deleted it, the same PSE can be written again into a file from which the user can retrieve it, using the button Write again on the PSE index card.

This function can only be used with file PSEs and with the option Save Created PSEs and Certificates in Database set (see Chapter 4.2.1 Issuer), as the PSE is otherwise not saved in the database.

6.6 Subsequent Inclusion of an Existing PSE in a Smartcard
An issued user PSE can be included in a smartcard at a later date. To do this, click the button Smartcard on the PSE index card.

However, the following conditions must be fulfilled: the PSE must be of the file type and the option Save Created PSEs and Certificates in Database must be set (see Chapter 4.2.1 Issuer), as the PSE is otherwise not saved in the database.

The following dialog box opens:


Figure 78: Write PSE on Smartcard

The meaning of these fields is described in Chapter 6.2.2 Enter PSE Data under Meaning of the PSE Fields. After clicking OK the PSE is written to the inserted empty smartcard. While this is happening a Wait message is displayed.

Once the PSE has been written to the smartcard, the user gets a new PSE index card with the corresponding entries.


7 Revocation List Management
One of the main functions of a CA is drawing up and maintaining revocation lists. The revocation list is a digitally signed list of all certificates a CA has issued and later revoked. Updated revocation lists must regularly be made available to the users.

To process a revocation list, click Revocation List in the menu View. The dialog box below appears:

Figure 79: CA Revocation List

The dialog box is split into three areas: the list with the revoked certificates, below it information on the last digital signature, and on the right the buttons.

7.1 List Area
In the list area the serial number, the date the certificate was revoked, and the Distinguished Name of the certificate owner are shown.

The actual structure that is later distributed to the users as the revocation list no longer contains the Distinguished Names, since a revoked certificate is unambiguously identified by its serial number, which is unique within the issuing CA.

The first column contains symbols, either a tick or a lightning flash.

The tick means that the certificate has been added to the revocation list after the last digital signature. It is thus not yet visible to the users; before the revocation list is distributed to the users it must be digitally signed. At this stage the certificate can still be removed from the list with the button Delete.

The lightning shows that the certificate is in a valid signed list. It cannot be deleted from the list any more: a certificate once revoked cannot be made valid again.


7.2 Information on the Digital Signature
In the lower area of the dialog window you find information on the revocation list's digital signature, i.e. the Distinguished Name of the Issuer of the revocation list (the CA), the Issuer Algorithm used, and the validity period. The field Last Update shows the date the last signature was performed; the field Next Update shows the expiry date of the list. When this date has passed, the user may no longer use this list to verify a digital signature, or rather the verification fails because an expired revocation list was used.

7.3 Buttons
With the buttons the revocation list can be processed.

7.3.1 Add
With Add... new entries can be made in the revocation list.

Figure 80: Add Entries to Revocation List

In the field Serial Number you can enter one or more serial numbers (separated by commas) of certificates to be revoked. After clicking Search, CA MANAGEMENT looks up the relevant certificates in the certificate database and enters the corresponding Distinguished Names in the lower field. If a serial number does not originate from this CA, or if the relevant certificate is already revoked, it is, of course, not entered in the field.

You can now check the details you have entered. When you click Add, the entries are included in the revocation list. In the view of the revocation list these entries are marked with a tick, as the extended list has not yet been signed. At this point you can still delete certificates from the list that have been included erroneously.


7.3.2 Sign
Before a revocation list can be distributed to the users, it must be digitally signed so that the users are assured of its authenticity. Clicking Sign... opens the following dialog box:

Figure 81: Sign Revocation List

Here the Issuer Algorithm and the date of the Next Update can be set. Further information on the field Next Update can be found in Chapter 7.2 Information on the Digital Signature.

7.3.3 Verify
With Verify the validity of the revocation list signature can be checked.

7.3.4 Save in PSE
With the button Save in PSE the revocation list is saved in one's own CA-PSE.

7.3.5 Save in PEM File
This and the next two buttons concern the distribution of the revocation list to the users. With Save in PEM file... you can save the list in PEM format. After clicking the button, a file dialog box is opened in which the directory can be selected and the file name entered. The PEM file can then be distributed to the users by mail or via a file server.

Further information on revocation lists in PEM format can be found in[RFC 1422], Chapter 3.5.2 PEM CRL Format.

7.3.6 Save in Directory
Under the Options index card X.500 (see Chapter 4.1.3) you have configured the directory service to be used. When you click on Save in Directory, the revocation list is saved in the appropriate directory. The participants in the certification infrastructure can now retrieve the list there, or it will be applied automatically during the verification process if the users have configured this correspondingly in PSE Management.

7.3.7 Save in LDIF File
If no direct access to the LDAP directory is possible from CA MANAGEMENT, because, for example, CA MANAGEMENT is running on a PC not connected to a network, the revocation list can be saved as an LDIF file. The LDIF file is then given to the LDAP administrator, who loads it into the LDAP directory.
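The behaviour described in Chapters 7.1 to 7.3.3 and 7.3.7 (pending versus signed entries, Last Update / Next Update, the check a relying party has to make, and the LDIF export), as an added Python example; it is not code from SECUDE or from this manual. The signature is an HMAC stand-in for the CA's own signature with its CA-PSE key, the encoding of the list is a constructed text form rather than the ASN.1 CRL structure, and the key, Distinguished Names and serial numbers are made up.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


class RevocationListError(Exception):
    pass


def make_hmac_signer(key):
    """Stand-in for the CA's signature so the example needs no crypto library.
    Assumption: the real CA signs with the private key of its CA-PSE using the
    Issuer Algorithm; an HMAC has the same sign/verify shape."""
    def signer(data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def verifier(data, signature):
        return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), signature)
    return signer, verifier


class RevocationList:
    """Two-state model of the revocation list view: 'pending' entries (tick) were
    added after the last signature and may still be deleted; 'signed' entries
    (lightning) are part of a signed list and can never be removed again."""

    def __init__(self, issuer_dn, issuer_algorithm):
        self.issuer_dn, self.issuer_algorithm = issuer_dn, issuer_algorithm
        self._pending = {}            # serial -> (revocation date, owner DN)
        self._signed = {}
        self.last_update = self.next_update = self.signature = None

    def status(self, serial):
        if serial in self._signed:
            return "signed"
        return "pending" if serial in self._pending else None

    def add(self, serial, owner_dn, revoked_at):
        """Add...: a serial that is already on the list is rejected."""
        if self.status(serial) is not None:
            raise RevocationListError(f"serial {serial} is already on the list")
        self._pending[serial] = (revoked_at, owner_dn)

    def delete(self, serial):
        """Delete: allowed only while the entry is pending."""
        if serial in self._signed:
            raise RevocationListError("a certificate in a signed list cannot be made valid again")
        del self._pending[serial]

    def to_be_signed(self):
        """Canonical encoding of what is published (constructed text form standing
        in for the ASN.1 CRL): issuer, dates and (serial, revocation date) pairs.
        Owner DNs appear only in the CA's view; the serial number identifies the
        certificate unambiguously within the issuing CA."""
        lines = [f"issuer:{self.issuer_dn}", f"algorithm:{self.issuer_algorithm}",
                 f"lastUpdate:{self.last_update.isoformat()}",
                 f"nextUpdate:{self.next_update.isoformat()}"]
        lines += [f"{s}:{self._signed[s][0].isoformat()}" for s in sorted(self._signed)]
        return "\n".join(lines).encode()

    def sign(self, signer, next_update, now):
        """Sign...: pending entries become signed; Last Update / Next Update are set."""
        if next_update <= now:
            raise RevocationListError("Next Update must lie in the future")
        self._signed.update(self._pending)
        self._pending.clear()
        self.last_update, self.next_update = now, next_update
        self.signature = signer(self.to_be_signed())

    def verify(self, verifier):
        """Verify: signature check over the published structure."""
        return self.signature is not None and verifier(self.to_be_signed(), self.signature)

    def is_revoked(self, serial, now):
        """Relying-party view. An unsigned or expired list must not be used; the
        verification has to fail rather than silently treat the serial as valid."""
        if self.signature is None:
            raise RevocationListError("revocation list has not been signed")
        if now > self.next_update:
            raise RevocationListError("revocation list expired: Next Update has passed")
        return serial in self._signed

    def to_ldif(self, entry_dn):
        """Save in LDIF file: a 'modify' record replacing the CA entry's
        certificateRevocationList attribute (standard LDAP attribute, RFC 4523),
        for the LDAP administrator to load when there is no direct directory access."""
        blob = self.to_be_signed() + b"\nsignature:" + base64.b64encode(self.signature)
        line = "certificateRevocationList;binary:: " + base64.b64encode(blob).decode("ascii")
        folded = "\n ".join(line[i:i + 76] for i in range(0, len(line), 76))  # LDIF line folding
        return f"dn: {entry_dn}\nchangetype: modify\nreplace: certificateRevocationList;binary\n{folded}\n-\n"


if __name__ == "__main__":
    signer, verifier = make_hmac_signer(b"constructed demo key, not a CA key")
    crl = RevocationList("C=DE, O=SECUDE, CN=Demo CA", "sha1WithRSAEncryption")
    t0 = datetime(1999, 4, 1, tzinfo=timezone.utc)
    crl.add(17, "C=DE, O=SECUDE, CN=Alice", t0)
    crl.sign(signer, next_update=t0 + timedelta(days=30), now=t0)
    print(crl.status(17), crl.verify(verifier), crl.is_revoked(17, t0 + timedelta(days=1)))
    print(crl.to_ldif("cn=Demo CA,o=SECUDE,c=DE"))
```

The point of `is_revoked` raising on an expired list is the one made in Chapter 7.2: a relying party that keeps using a list past its Next Update cannot tell a still-valid certificate from one revoked since, so the CA has to sign and publish a fresh list before that date.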


8 Import and Export of User Data
SECUDE CA MANAGEMENT allows the import of data. The dialog box for importing data is found in the menu File/Import. Data from SAP R/3 (from Version 3.1G) and CA data created under Windows by the command line version of SECUDE can be imported.

8.1 Import of SAP R/3 User Data
The function File/Import/SAP-Report allows the transfer of user data from R/3 to CA MANAGEMENT. In R/3 the report RSUSR402 is run; it generates an ASCII file with the same name, which is readable with any text editor. The file RSUSR402 contains user data such as name, first name, or the validity period of the SAP R/3 account.

A section of the contents of the file RSUSR402 can be seen below.

Figure 82: View of RSUSR402

Before importing external data it is advisable to make a backup copy of the current state of the CA database.

Options for Copying RSUSR402
Before copying the SAP report you should turn to the Program Options of CA MANAGEMENT, check the following settings and, if necessary, adapt them to your requirements:

• Copy SAP Report (see Chapter 4.1.1 Program Options)
• Issuer Options (see Chapter 4.2.1 Issuer)
• Owner Options (see Chapter 4.2.2 PSE Options)

Import/SAP-Report
After selecting SAP Report, a dialog box appears in which the file to be imported can be selected.


Figure 83: Import SAP Report

The file RSUSR402 is selected and then the button Open clicked, which starts a check of the file contents. If the contents and structure of the file correspond to those of the report RSUSR402, the query on the left appears and is confirmed with OK. The data are then read into CA MANAGEMENT.

8.2 Import of SECUDE Data
In rare cases it might be necessary to import data from a CA generated by a previous version (command line version) of SECUDE.

Before the actual import or transfer of CA data from a previous SECUDE version, the related CA-PSE must be opened. To do this, the Log On button is clicked and the CA-PSE selected (see Chapter 5 Management of the CA).

When the menu item File/Import/SECUDE is selected, a query appears asking whether the data are really to be imported. When the query is confirmed with Yes, the data are read. For each certificate created with the previous SECUDE version a user entry is filed. CA MANAGEMENT does not distinguish between two certificates from two different PSEs and one PSE with two key pairs; in either case two user entries are created.

The successful execution of the import is acknowledged.

CA MANAGEMENT does not check whether the data sets to be loaded are already present in the database. Before carrying out this function, therefore, a backup should be made.


8.3 Inform of Transport Password: Export to Microsoft Word Form Letter
When Microsoft Office 95 (or higher) is installed, the Microsoft Word Mail Merge function can be used, for example, to inform users of their transport password.

After an export file has been generated from the CA database via User / Generate Password Form Letter (see section 5.3.4.7), the password form letters can be written using the Mail Merge function of Microsoft Word. As an example we describe here how to proceed when using Microsoft Word 97.

1. Open Microsoft Word and create an empty document.
2. Click Tools / Mail Merge.
3. In the Mail Merge Helper dialog select Main document / Create / Form Letters and then click Active Window.
4. In the Mail Merge Helper dialog select Data source / Get Data / Open Data Source. In the file dialog set the file type to All Files (*.*) and select your export file.
5. The toolbar for forms should now be displayed in the Word document window. If this is not the case, select View / Toolbars / Forms.

Figure 84: Form Letter Icon Bar of Word

With Insert Merge Field the merge fields can be inserted into the Word document. If you click the merge button of the icon bar (Figure 84), Word fills the merge fields with the corresponding data; after this, the form letters are ready for printing.

If you want to modify the CSV file generated by CA MANAGEMENT, select in the Mail Merge Helper dialog the item Data source / Edit / <CSV file>. Note that this export file contains the transport passwords in clear text: it must be protected like the PSEs themselves and removed once the form letters have been printed.

Details about writing form letters in Word can be found in the Word manual. Help for Word is displayed after pressing the function key F1. All necessary information can be found under the term Mail Merge.

Never process the CA database via Access; it will become unusable for SECUDE. In particular, never change the CA password via Access!


9 Glossary

CA See Certification Authority.

Certification Authority
A Certification Authority (CA) issues certificates for users of a security infrastructure and maintains revocation lists.

DES
DES stands for Data Encryption Standard and is an encryption procedure in which the same key is used both for encryption and decryption. (Such procedures are called symmetric.)

GSS-API
Generic Security Service Application Programming Interface. An interface developed by the Internet Engineering Task Force (IETF) which allows applications to be provided with security functionality.

Hybrid Process
A combination of symmetric and asymmetric cryptography is called a hybrid process.

Password
A series of characters consisting of letters, symbols and numerals with which protection against unauthorised access is given, e.g. for a PSE.

PIN
Personal Identification Number; a password consisting of digits only, e.g. for card terminals with their own keypads.

Prototype Certificate
A prototype certificate is a certificate whose signature was created with its own private key (a self-signed certificate). Only when the prototype certificate has been certified by a certification authority does it become a certificate.

PSE
The PSE is a personal security environment which every SECUDE user needs. In the PSE security-relevant information is stored. This includes the certificate and the corresponding secret key. The PSE can be stored as a DES-encrypted file or on a smartcard.


Revocation List
A revocation list is a list of certificates that have been declared invalid by the issuing certification authority before their expiry date. The certification authority maintains this list and must publish it, i.e. keep it up to date and at regular intervals make it available to all participants.

Root Authority
The root authority is a certification authority which is not certified by any other CA. Its certificate is signed with its own private key.

RSA
A cryptographic algorithm named after Rivest, Shamir, and Adleman. It is based on pairs of keys that have a special relationship to each other: anything that has been encrypted with one of the two keys can only be decrypted with the other. (Such procedures are called asymmetric.)

SAPlpd
SAPlpd denotes software from SAP AG which allows spooling of print jobs in the R/3 environment.

SNC
Secure Network Communications denotes the module which handles the communication with an external library in the SAP R/3 system. The library is addressed by means of GSS-API functions and gives R/3 access to security functions as realised by SECUDE.

Transport Password
A new PSE is encrypted by CA MANAGEMENT with a transport password. This password protects the PSE on its way from the CA to the user. The user is informed of the password by the CA (e.g. by post) and is advised to change it immediately.


10 Figures and Tables
Figure 1: Elements of a PSE (page 4)
Figure 2: CA creates PSE (page 5)
Figure 3: User creates PSE (page 6)
Figure 4: Internet Installation (page 10)
Figure 5: Unpacking (page 10)
Figure 6: Welcome Window of the Installation (page 11)
Figure 7: Software License Agreement (page 11)
Figure 8: User Information (page 12)
Figure 9: Set Destination Directory (page 12)
Figure 10: Select Program Folder (page 13)
Figure 11: Start of Installation (page 13)
Figure 12: Install SECUDE Ticket (page 13)
Figure 13: Information on Installed Components (page 14)
Figure 14: Setup complete (page 14)
Figure 15: Exit Setup (page 15)
Figure 16: Log On (page 16)
Figure 17: PSE-Wizard – Type of PSE (page 19)
Figure 18: PSE-Wizard – Distinguished Name (page 19)
Figure 19: PSE-Wizard – Name of PSE (page 20)
Figure 20: PSE-Wizard – CA Data (page 20)
Figure 21: PSE-Wizard – Version of Certificate (page 21)
Figure 22: PSE-Wizard – Number of Key Pairs (page 22)
Figure 23: PSE-Wizard – Signature (page 22)
Figure 24: PSE-Wizard – Validity Period (page 23)
Figure 25: PSE-Wizard – Sign Own Prototype Certificate (page 24)
Figure 26: PSE-Wizard – Password (page 25)
Figure 27: PSE-Wizard – Log-on Profiles (page 25)
Figure 28: PSE-Wizard – Settings – Overview (page 26)
Figure 29: Time Comparison (1) (page 26)
Figure 30: PSE-Wizard – Smartcard (page 28)
Figure 31: PSE-Wizard – Password Unblocking Key – PUK (page 29)
Figure 32: PSE-Wizard – RACAL RG 700 (page 31)
Figure 33: PSE-Wizard – Issue PSE (page 33)
Figure 34: Options – Program Options (page 35)
Figure 35: Options – SECUDE (page 36)
Figure 36: Options – X.500 (page 38)
Figure 37: Options – Warning Periods (page 39)
Figure 38: Options – Issuer (page 40)
Figure 39: Options – PSE Options (page 41)
Figure 40: Options – User Form (page 42)
Figure 41: Options – Sphinx Pilot (page 43)
Figure 42: Empty User List (page 45)
Figure 43: Tool Bar Hidden (page 45)
Figure 44: Tool Bar Active (page 45)
Figure 45: Menu Bar (page 46)
Figure 46: Revocation List (page 49)
Figure 47: Signature Certificate – Owner (page 50)
Figure 48: Write Certification Request (page 51)
Figure 49: Read Certification Response (page 51)
Figure 50: Process Certificate Response (page 52)
Figure 51: PSE Revocation Lists (page 53)
Figure 52: Read Revocation List from File (page 53)
Figure 53: Insert Revocation Lists in PSE (page 54)
Figure 54: Change Password (page 54)
Figure 55: Verify PSE (page 55)


Figure 56: Save Certification Path ... 56
Figure 57: PSE Contents ... 57
Figure 58: Save LDIF File – Insert Certificates ... 58
Figure 59: Save LDIF File – Delete Certificates ... 59
Figure 60: Write PK List ... 59
Figure 61: Write Certificates ... 60
Figure 62: Generate Password Form Letter ... 60
Figure 63: Password Rules – Rules Editor ... 62
Figure 64: Password Rules – Preview ... 63
Figure 65: Log-on Profiles ... 64
Figure 66: Log-on Profile ... 64
Figure 67: Smartcard Terminal Setup ... 65
Figure 68: Info User Card ... 66
Figure 69: Unblock Password ... 67
Figure 70: Info on CA MANAGEMENT ... 68
Figure 71: Info on SECUDE ... 68
Figure 72: User List ... 69
Figure 73: User List and User Form ... 71
Figure 74: User Form ... 72
Figure 75: PSE is being created ... 77
Figure 76: PSE Creation ... 78
Figure 77: Export Certificate ... 79
Figure 78: Write PSE on Smartcard ... 80
Figure 79: CA Revocation List ... 81
Figure 80: Add Entries to Revocation List ... 82
Figure 81: Sign Revocation List ... 83
Figure 82: View of RSUSR402 ... 85
Figure 83: Import SAP Report ... 86
Figure 84: Form Letter Icon Bar of Word ... 87

Table 1: Categories of Distinguished Names ... 7
Table 2: Format of the Validity Fields ... 24
Table 3: Toolbar ... 46
Table 4: User Form – User Data ... 93
Table 5: User Form – PSE ... 94
Table 6: User Form – Signature / Encryption Certificates ... 94


11 Bibliography

[LDAP] http://www.umich.edu/~dirsvcs/ldap/index.html; Description and software downloads (development toolkit, client and server software) for LDAP (Lightweight Directory Access Protocol).

[Netscape Certificates] http://home.netscape.com/eng/security/comm4-cert-exts.html; Draft from 13.8.1997, in which the certificate extensions introduced by Netscape Communicator are described.

[PKCS#7] PKCS#7: Cryptographic Message Syntax Standard; An RSA Laboratories Technical Note; Version 1.5; November 1, 1993

[PKCS#10] PKCS#10: Certification Request Syntax Standard; An RSA Laboratories Technical Note; Version 1.0; November 1, 1993

[RFC 1422] Privacy Enhancement for Internet Electronic Mail - Part II: Certificate-Based Key Management; Network Working Group, Request for Comments: 1422, Obsoletes: 1114; S. Kent; BBN, IAB IRTF PSRG, IETF PEM; February 1993

[Sphinx] http://www.bsi.bund.de/aufgaben/projekte/sphinx/index.htm; Pilot project of the Federal Government's Coordination and Advisory Office for Information Technology in the Federal Administration, in cooperation with the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security). Its subject is the testing of cross-product interoperability between the security solutions of different vendors.

[X.509 v3] ITU-T Recommendation X.509; DATA NETWORKS AND OPEN SYSTEMS COMMUNICATIONS – DIRECTORY; Information Technology, Open Systems Interconnection, The Directory: Authentication Framework; (06/97)


12 Appendix

12.1 Fields in the User Form

The following user data are registered with the user form (cf. Chapter 6.1.2 User Form) and administered by CA MANAGEMENT in the database:

User Form – User Data

User Data          Description
Name               Name of person to be certified
First name         First name of person to be certified
Mail address       E-mail address of person to be certified
Personnel number   Personnel number of person to be certified
Department         Name of department in which the person to be certified works

Table 4: User Form – User Data

User Form – PSE

User Form – PSE                 Description
Profile                         A preset profile can be selected.
PSE Name                        Name of the file that the PSE is to receive. (see note)
PSE Directory                   The directory in which the PSE is to be stored; with a smartcard PSE: the directory for a possible extension.
Smartcard/File                  It is decided here whether the PSE is created as a file or on a smartcard.
Card Type                       When a smartcard PSE is to be created, the make of card is selected here. The options are the cards TCOS and Cryptoflex.
One key pair                    If the box is ticked, one key pair is generated (signature certificate). When both signature and encryption certificates are to be created, the box must remain unticked.
Automatic password generation   When this box is ticked, an automatically generated password is given. If the box remains unticked, a transport password for the PSE to be created must be given manually in the field on the right.
Rules                           If the user is to be obliged to follow certain password rules, the relevant set of rules is entered here (only for file PSEs).
Automatic PUK generation        The PUK is important for unblocking smartcards. When a smartcard PSE is created, a PUK should be given which is known only to the administrator. If the option is activated, the PUK is generated automatically. Otherwise it should be entered in the field on the right.
Card number                     When a smartcard PSE is created, the card number is contained here.

Table 5: User Form – PSE

User Form – Signature / Encryption Certificates

In the following table the explanation of the fields of the user form for signature and encryption certificates is continued.

Signature / Encryption Certificates   Description
Distinguished Name                    Distinguished Name for the user. (see note)
Distinguished Name is prefix          When this box is ticked, the user's Distinguished Name includes the issuing CA's Distinguished Name.
Valid from                            Date and time in the currently set format (e.g. MM.DD.YY hh.mm.ss). From this point the certificate is valid.
Valid to                              Date and time in the currently set format (e.g. MM.DD.YY hh.mm.ss). The certificate is valid up to this time.
Issuer algorithm                      Algorithm the certificate is signed with. (see note)
Algorithm                             Here the algorithm is determined that can be used with the key pair (for smartcards: depending on the card).
Key length                            Selection of key length (from 512 bits to 2048 bits; for smartcards: depending on the card).
Version                               Selection between X.509v1 or X.509v3 certificates.

Table 6: User Form – Signature / Encryption Certificates

The numbers in the third column have the following meanings:

(1) The field must be filled out when a PSE is to be created.

(2) The field is set by CA MANAGEMENT.

(3) The field depends on the configuration. For the field Password, automatic password generation can be activated with the menu item Extras/Options and then PSE Options. When a new user is certified, the program fills the field with a value.

(4) When a user certificate is created for a smartcard, the field Card number gets a 20-place number. On the card itself, however, 21 places are printed. The last place of the number on the smartcard does not appear in this field, as it is a check number and is not forwarded to CA MANAGEMENT when read.

12.2 Data Base Specification CA.MDB

Table Users

In the table "Users" general user information is stored. This information is not relevant to creating a certificate.

Field name     Type                      Size  Commentary
UserNo         dbLong, dbAutoIncrField         Unambiguous number of a user; it is not displayed in CA MANAGEMENT. It links to the tables 'PSE' and 'Certificate'; between the tables there are 1 to n relationships.
Name           dbText                    30    Surname of user
Firstname      dbText                    30    First name of user
Mailaddress    dbText                    50    Mail address of user
Id             dbText                    10    Personnel number of user
Division       dbText                    20    Division (Dept.) of user
TransportPin   dbText                    50    This field is completed only for information. It can be used to print PIN letters with the serial letter (mail merge) option of MS Word.
Middlename     dbText                    1     Middle initial of user (taken from American usage).
Company        dbText                    50    Company of user

Table PSE

In the table "PSE" the data for creating PSEs is stored.

Field name      Type                      Size  Commentary
PSENo           dbLong, dbAutoIncrField         Unambiguous number of a PSE; it is not displayed in CA MANAGEMENT. It links to the table 'PSE'. Between the tables there is a 1 to 1 or a 1 to 2 relationship (a PSE can contain up to two certificates).
UserNo          dbLong                          Assigns the PSE to a user.
PSE             dbLongBinary                    Copy of a software PSE.
PSEName         dbText                    25    File name of the PSE.
IsSC            dbBoolean                       TRUE if smartcard PSE, FALSE if software PSE.
IssueDate       dbDate                          Date when created.
NoOfKP          dbInteger                       Number of key pairs of the PSE (1 or 2).
TransportPin    dbText                    50    Password with which the created PSE is encrypted.
PUK             dbText                    8     Password Unblocking Key for smartcard PSEs.
Cardnumber      dbText                    20    Card number of the smartcard.
PSEDir          dbText                    255   Directory in which the PSE is stored.
RandomPin       dbBoolean                       TRUE if the password is generated randomly, otherwise FALSE.
RandomPUK       dbBoolean                       TRUE if the PUK is generated randomly, otherwise FALSE.
ProfileName     dbText                    20    Reference to the table "Profile". Is not used.
PinPolicy       dbText                    30    Reference to the table "PinPolicy".
Cardtype        dbInteger                       Make of a smartcard (0 for TCOS, 1 for Cryptoflex). Is not used when no smartcard is created.
PinErrorLimit   dbInteger                       Number of tries for password entry.
PukErrorLimit   dbInteger                       Number of tries for PUK entry.
Created         dbBoolean                       TRUE if PSE created, otherwise FALSE.
CreationDate    dbDate                          Creation date of PSE.

Table Certificate

In the table "Certificate" data for the issuing of certificates is stored.

Field name      Type                      Size  Commentary
CertificateNo   dbLong, dbAutoIncrField         Unambiguous number of a certificate; it is not displayed in CA MANAGEMENT.
PSENo           dbLong                          Assigns the certificate to a PSE.
UserNo          dbLong                          Assigns the certificate to a user.
DN              dbText                    255   Distinguished Name of the certificate.
ValidFrom       dbDate                          Start of validity of the certificate.
ValidUntil      dbDate                          End of validity of the certificate.
SerialNo        dbText                    32    Serial number of the certificate; assigned automatically.
Certificate     dbLongBinary                    Copy of the certificate or prototype certificate (for file PSEs only).
IsRevoked       dbBoolean                       TRUE if the certificate was revoked, otherwise FALSE.
Usage           dbInteger                       1 if the certificate is used with two key pairs to encrypt PSEs, otherwise 0. Used only when the CA generates the keys.
IssuerAlg       dbText                    30    Issuer algorithm.
Algorithm       dbText                    30    Signature/encryption algorithm.
Keysize         dbInteger                       Key length.
DNPrefix        dbBoolean                       TRUE if the Distinguished Name of the CA is to be appended to the Distinguished Name of the user when being certified, otherwise FALSE.
Version         dbText                    10    X.509v1 or X.509v3.
RequestType     dbInteger                       Format of the request type; proprietary.
Request         dbLongBinary                    Proprietary.
IsCA            dbBoolean                       TRUE if the certificate is issued for a CA, otherwise FALSE. Used only with Version=X.509v3.
Base64          dbBoolean                       Proprietary.
Boundary1       dbLongBinary                    Proprietary.
Boundary2       dbLongBinary                    Proprietary.
Extensions      dbLongBinary                    Proprietary.
Created         dbBoolean                       TRUE if the certificate has been issued, FALSE if it is still changeable.
CreationDate    dbDate                          Date of issue of the certificate.
CertifyState    dbInteger                       Reserved for later use.
CertifyDate     dbDate                          Reserved for later use.
VSsigEnrInfo    dbLongBinary                    Reserved for later use.

Table CRL

In the table "CRL" revocation lists are stored.

Field name         Type           Size  Commentary
StringDName        dbText         255   Readable depiction of the Distinguished Name of the CA from which the revocation list comes.
OctetStringDName   dbLongBinary         Binary depiction of the Distinguished Name.
IsDelta            dbBoolean            TRUE = current signed revocation list of the CA; FALSE = certificates added since the last signing.
LastUpdate         dbDate               Date of the last signature in the revocation list.
CRLWithCerts       dbLongBinary         The revocation list itself.

Table Log

In the table "Log" protocol information is stored.

Field name   Type        Size  Commentary
DateTime     dbDate            Date and time of the protocol entry.
Type         dbInteger         0 = Log on; 1 = Log off; 2 = Create a CA; 3 = Create a PSE; 4 = Issue a certificate; 5 = Revoke a certificate; 6 = Issue a revocation list
Data         dbText      80    PSE.PSENo if Type=2 or Type=3; Certificate.CertificateNo if Type=4; Certificate.SerialNo if Type=5.
SerialNo     dbText      25    Is not used.
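The tables Certificate, PSE and Log above are tied together by a few conventions: Log.Data carries a PSENo for Type 2 and 3, a CertificateNo for Type 4 and a SerialNo for Type 5, and a PSE may hold at most NoOfKP certificates. The following Python is an added example, not code from the SECUDE manual or product: it rebuilds a subset of these tables in SQLite (assumed here as a stand-in for the Access file CA.MDB, with dbText/dbDate mapped to TEXT and dbLong/dbInteger/dbBoolean to INTEGER) and runs the consistency checks an auditor of such a CA database would want: certificates that have expired without being revoked, revocations that have no Type=5 log entry, and PSEs carrying more certificates than their NoOfKP allows. All rows are constructed sample data, and the certificate_dn helper with its root-first DN ordering is an illustrative assumption about how DNPrefix is applied.

```python
import sqlite3

# Type codes of the Log table, exactly as listed in the CA.MDB specification.
LOG_TYPES = {
    0: "Log on", 1: "Log off", 2: "Create a CA", 3: "Create a PSE",
    4: "Issue a certificate", 5: "Revoke a certificate", 6: "Issue a revocation list",
}

# Subset of CA.MDB rebuilt in SQLite (assumed type mapping; the real file is Access).
# Dates are stored as ISO-8601 text so that string order equals chronological order.
SCHEMA = """
CREATE TABLE Users (UserNo INTEGER PRIMARY KEY, Name TEXT, Firstname TEXT, Mailaddress TEXT);
CREATE TABLE PSE (PSENo INTEGER PRIMARY KEY, UserNo INTEGER, PSEName TEXT, IsSC INTEGER,
                  NoOfKP INTEGER, Created INTEGER, CreationDate TEXT);
CREATE TABLE Certificate (CertificateNo INTEGER PRIMARY KEY, PSENo INTEGER, UserNo INTEGER,
                          DN TEXT, ValidFrom TEXT, ValidUntil TEXT, SerialNo TEXT,
                          IsRevoked INTEGER, DNPrefix INTEGER, Created INTEGER);
CREATE TABLE Log (DateTime TEXT, Type INTEGER, Data TEXT, SerialNo TEXT);
"""

# Constructed sample rows (not real CA data).
SAMPLE_ROWS = """
INSERT INTO Users VALUES (1, 'Mustermann', 'Erika', 'erika@example.invalid');
INSERT INTO Users VALUES (2, 'Doe', 'John', 'john@example.invalid');
INSERT INTO PSE VALUES (1, 1, 'erika.pse', 0, 2, 1, '1999-03-01 09:00:00');
INSERT INTO PSE VALUES (2, 2, 'john.pse', 0, 1, 1, '1999-03-02 09:00:00');
-- PSE 1: signature and encryption certificate; the second one revoked and logged
INSERT INTO Certificate VALUES (1, 1, 1, 'CN=Erika Mustermann', '1999-03-01 09:00:00', '2001-03-01 09:00:00', '0001', 0, 1, 1);
INSERT INTO Certificate VALUES (2, 1, 1, 'CN=Erika Mustermann', '1999-03-01 09:00:00', '2001-03-01 09:00:00', '0002', 1, 1, 1);
-- PSE 2 was registered with one key pair but carries two certificates:
-- one expired and never revoked, one marked revoked without a Type=5 log entry
INSERT INTO Certificate VALUES (3, 2, 2, 'CN=John Doe', '1998-01-01 00:00:00', '1999-01-01 00:00:00', '0003', 0, 1, 1);
INSERT INTO Certificate VALUES (4, 2, 2, 'CN=John Doe', '1999-03-02 09:00:00', '2001-03-02 09:00:00', '0004', 1, 1, 1);
INSERT INTO Log VALUES ('1999-03-01 09:00:00', 3, '1', NULL);
INSERT INTO Log VALUES ('1999-03-01 09:01:00', 4, '1', NULL);
INSERT INTO Log VALUES ('1999-03-01 09:01:00', 4, '2', NULL);
INSERT INTO Log VALUES ('1999-04-15 10:00:00', 5, '0002', NULL);
"""


def open_sample_db():
    """Create the in-memory stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def certificate_dn(user_dn, ca_dn, dn_prefix):
    """Compose the certificate DN for the DNPrefix flag.  Assumption: the root-first
    string form 'C=..., O=..., CN=...' is used, so the CA's DN becomes the leading part."""
    return f"{ca_dn}, {user_dn}" if dn_prefix else user_dn


def decode_log(conn):
    """Return Log rows as (timestamp, readable type, Data) using the Type code table."""
    rows = conn.execute("SELECT DateTime, Type, Data FROM Log ORDER BY DateTime").fetchall()
    return [(ts, LOG_TYPES.get(t, f"unknown type {t}"), data) for ts, t, data in rows]


def expired_unrevoked(conn, now):
    """Serial numbers of issued certificates whose ValidUntil lies before `now`
    and that are still not flagged IsRevoked."""
    sql = """SELECT SerialNo FROM Certificate
             WHERE Created = 1 AND IsRevoked = 0 AND ValidUntil < ? ORDER BY SerialNo"""
    return [r[0] for r in conn.execute(sql, (now,))]


def revocations_without_log(conn):
    """Revoked certificates for which no 'Revoke a certificate' (Type=5) log entry
    names their SerialNo in Log.Data."""
    sql = """SELECT c.SerialNo FROM Certificate c
             WHERE c.IsRevoked = 1
               AND NOT EXISTS (SELECT 1 FROM Log l WHERE l.Type = 5 AND l.Data = c.SerialNo)
             ORDER BY c.SerialNo"""
    return [r[0] for r in conn.execute(sql)]


def pses_over_capacity(conn):
    """(PSENo, NoOfKP, certificate count) for PSEs holding more certificates than key pairs."""
    sql = """SELECT p.PSENo, p.NoOfKP, COUNT(c.CertificateNo) FROM PSE p
             JOIN Certificate c ON c.PSENo = p.PSENo
             GROUP BY p.PSENo, p.NoOfKP HAVING COUNT(c.CertificateNo) > p.NoOfKP"""
    return [tuple(r) for r in conn.execute(sql)]


if __name__ == "__main__":
    db = open_sample_db()
    for entry in decode_log(db):
        print(entry)
    print("expired, not revoked:", expired_unrevoked(db, "1999-06-01 00:00:00"))
    print("revoked without log:", revocations_without_log(db))
    print("PSEs over capacity:", pses_over_capacity(db))
```

Against a live installation the same queries would be pointed at CA.MDB through an ODBC connection instead of the SQLite stand-in. One consequence of the specification worth keeping in mind when doing so: the PSE table holds TransportPin and PUK as plain dbText fields, so the database file carries the same secrets as the PSEs it describes and has to be protected accordingly.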

Table PINPolicy

The table "PINPolicy" stores password rules.

Field name   Type           Size  Commentary
Name         dbText         30    Reference to table "PSE".
PINPolicy    dbLongBinary         Proprietary.

Table Profiles

The table "Profiles" is not yet used.

Field name    Type                      Size  Commentary
ProfileNo     dbLong, dbAutoIncrField
ProfileName   dbText                    20
PSEDir        dbText                    255
NoOfKP        dbInteger
ValidFrom     dbDate
ValidUntil    dbDate
EncAlg        dbText                    30
EncKeysize    dbInteger
SignAlg       dbText                    30
SignKeysize   dbInteger
RandomPin     dbBoolean
PinLength     dbInteger
DefaultPin    dbText                    50
DNIsPrefix    dbBoolean
RandomPUK     dbBoolean
PUKLength     dbInteger
DefaultPUK    dbText                    8

Table ACL

The table "ACL" is not yet used.

Field name   Type           Size  Commentary
SerialNo     dbLongBinary