Overview

CSP^id is a virtual smartcard that maintains a central repository for private keys and X.509 certificates. It provides a secure environment for cryptographic operations that applications can access via Java, PKCS#11, or Microsoft CAPI. It is available for, and compatible between, all destop version of Windows, Linux/x86, and Solaris/SPARC.

The “Key” Benefits of CSP^id

CSP^id

• provides a common, operating system independent credential store that may be shared by all security-enabled applications
• simplifies enterprise-wide credential management; users need not replicate keys among applications, and may effortlessly migrate credentials between workstations
• provides administrative controls over user credentials; allows PKI enrollment, key rollover, credential backup, and other key management tasks to be automated in a user-transparent manner
• provides superior protection for private keys and overcomes password change/reset issues with Internet Explorer and Mozilla
• reduces help desk costs and PKI training requirements

CSPid 1.1 Architecture Diagram

CSP^id stores a user’s credentials in a single encrypted file on any designated storage device (e.g., a local hard drive, a network share, a flash drive, or any other removable memory device). That credential store may be opened by CSP^id on any platform once its owner has entered their password.

In this way CSP^id allows users to effortlessly migrate their public and private keys to any workstation in an OS-independent manner, without the need to physically replicate those keys. (The fewer persistent copies of a user’s private key that are created, the less likely it is to be compromised.)

CSP^id’s programmable interface simplifies certificate lifecycle management. By giving security officers control over employee credentials throughout their enterprise, it reduces help desk costs and PKI training requirements.

Security officers can configure CSP^id to force password change at designated intervals, prohibit password reuse, and enforce password quality requirements on cryptographic keys. These security policy settings are then enforced for all connected applications, including Microsoft IE and Mozilla (which do not provide such controls by themselves).

Features and Advantages

CSP^id

• affords your users the functionality of a physical smartcard for a fraction of the cost
• exposes a common store of certificates and private keys to applications via PKCS#11, Microsoft CAPI, and Java
• obviates the need to replicate keys among applications, and simplifies the migration of keys between workstations
• protects private keys independently of the operating system and browsers for greater flexibility and security; administrators can control password cache settings, mandate password quality and change requirements, and monitor credential use with better auditing capabilities
• links users to a specified CA to facilitate enrollment, certificate renewal, key rollover, etc., directly from the CSP^id system tray menu

Supported Applications

CSP^id works with all PKCS#11- or CAPI-enabled applications, as well as with all Java applications based on J2SE 5.0 or above, including, but not limited to, the following:

• Microsoft Internet Explorer 5.0 and above
• Outlook 2000, 2002, 2003, 2007, and Outlook Express
• Mozilla 1.1, 1.6, and above
• FireFox 1.0 and above
• Thunderbird 1.0 and above
• Netscape Communicator 4.75 and above
• Lotus Notes 6 and above
• SecretAgent 5.x/6.x and SpyProof! 1.x
• Cisco and Checkpoint VPNs

Technical Details

• Intuitive graphical user interface for credential management; command line interface for batch operations and automated tasks under end-user or administrative control
• Exports a PKCS#11 version 2.20 compliant API
• Includes a Microsoft smart card minidriver for CAPI support
• Imports and exports PKCS#12, PKCS#7, and ASN.1 DER-encoded X.509 certificates
• Generates RSA keys of 1024 to 8192 bits; manages RSA keys of any size
• Employs password-protected PKCS#15 PDUs for key storage on local, removable, or network-attached drives, using AES-256 for confidentiality and HMAC-SHA-512 for integrity checking

Standards Compliance and PKI Compatibility

CSP^id is built upon ISC's FIPS 140-certified Cryptographic Development Kit (CDK) version 7.0 and is FIPS 140-2 compliant. It works with X.509v3 credentials from most leading PKI vendors, including Entrust, Microsoft, RedHat, RSA Security, VeriSign, and ISC.

Licensing

CSP^id is normally licensed on an enterprise-wide basis under terms negotiated with ISC. The typical contract includes free updates and support for one year. Maintenance may be renewed on an annual basis in subsequent years for an agreed-upon percentage of the original site license fee.