
Token Personalization Utility

User Guide
Unblocking (330u) and Identrus (330i) Tokens

Last Updated: November 1, 2001


Table of Contents
1 Glossary................................................................................................................................... 3
2 Overview ................................................................................................................................. 4
3 Creating Test Tokens .............................................................................................................. 5
3.1 Token Tab ....................................................................................................................... 5
3.1.1 Reader...................................................................................................................... 6
3.1.2 Token Serial # ......................................................................................................... 6
3.1.3 Token Label............................................................................................................. 6
3.1.4 Retry Readers .......................................................................................................... 6
3.2 Identity Key Tab.............................................................................................................. 6
3.2.1 File Name ................................................................................................................ 7
3.2.2 Password.................................................................................................................. 7
3.3 Utility Key Tab................................................................................................................ 7
3.3.1 Include a Utility key on the token – Checkbox....................................................... 8
3.3.2 File Name ................................................................................................................ 8
3.3.3 Password.................................................................................................................. 8
3.4 Identity PIN Tab.............................................................................................................. 8
3.4.1 Initial Identity Key PIN........................................................................................... 9
3.4.2 Identity Key Unblocking......................................................................................... 9
3.4.3 Bad PIN Limit ......................................................................................................... 9
3.4.4 PIN Length MIN ..................................................................................................... 9
3.4.5 PIN Length MAX.................................................................................................... 9
3.5 User PIN Tab................................................................................................................. 10
3.5.1 User (Utility Key) PIN .......................................................................................... 10
3.5.2 Datakey SO PIN .................................................................................................... 10
3.5.3 Allow User PIN Unblocking – Checkbox............................................................. 11
3.6 About............................................................................................................................. 11
3.7 Close.............................................................................................................................. 11
3.8 Personalize Test Token ................................................................................................. 11
4 Appendix A – PIN Unblocking............................................................................................. 12
4.1 Unblocking Token (User PIN Unblocking) .................................................................. 12
4.2 Identrus Token (Identity PIN Unblocking) ................................................................... 12
5 Appendix B – Moving to Production .................................................................................... 13

Token Personalization User Guide.doc Page 2 Datakey, Inc.


1 Glossary

Term: Description

330i: Datakey Token loaded with the Identrus Application.
330u: Datakey Token loaded with the Unblocking Application.
Bad PIN Limit: The number of successive incorrect PIN entries allowed before the PIN becomes blocked. This value is set during Personalization.
Blocked PIN: A PIN that has been entered incorrectly for the number of successive times set by the Bad PIN Limit. Once this has happened, the PIN and all Objects protected by that PIN become unusable until unblocked.
Identity Key: The RSA key pair stored on an Identrus Token and used to sign documents in an Identrus Environment.
Identity PIN: The PIN that protects the Identity Key and its usage.
Identrus Token: Same as 330i.
P12 File: A file that contains Keys and Certificates in the PKCS#12 format. Often protected by a Pass Phrase.
Personalization: The process of setting Token Parameters and loading Keys, Certificates, and PINs onto the Token.
Unblocking PIN: A PIN that is loaded onto the Token during personalization and is used to unblock another PIN after it has become blocked.
Unblocking Token: Same as 330u.
User PIN: PIN that protects all objects other than the Identrus objects, and the user-configurable attributes on the Token.
Utility Key: Identrus term for a key that is on the Identrus Token but is not used in the Identrus Environment. Refers to any non-Identrus Key on a token.
Utility PIN: Same as the User PIN.



2 Overview
The Token Personalization Utility is an application provided with Datakey CIP and CIP ISign for
the creation of test Unblocking (330u) and Identrus (330i) Tokens. This utility should not be
used in a production environment and will not work with Tokens that have been created for
production.

This Utility allows Keys and PINs to be loaded onto the 330u and 330i Tokens. These Tokens
must be ordered from Datakey as Unblocking or Identrus and cannot be changed in the field.

Identrus Tokens are Personalized with an Identity Key, an Identity PIN, and up to six Unblocking
PINs, which unblock the Identity PIN only. The User PIN must be set on the Identrus Token even
if no other Keys are loaded onto the Token, and optionally a Utility Key can be loaded.

Unblocking Tokens are Personalized with a User PIN and up to six Unblocking PINs, which
unblock the User PIN only. A Utility Key can optionally be put on this Token as well.



3 Creating Test Tokens
Test Tokens can be created using the Token Personalization Utility that is provided in the CIP
software. To create the test Tokens, you will need the following:

• Datakey’s 330u or 330i SmartCard
• Identrus Only: Importable Identrus Key and Certificate file, formatted as PKCS#12
• Optional: Utility Key and Certificate file, formatted as PKCS#12
• Datakey’s Token Personalization Utility

NOTE: The Token Personalization Utility is for pilot and evaluation purposes only. It may be used to
personalize Datakey 330u and 330i Tokens in a test environment only and is not to be used in a
production environment.

The Token Personalization Utility can be started from the Start Menu by selecting Start |
Programs | Datakey CIP | Token Personalization Utility.

There are five tabs on this utility. They are: Token, Identity Key, Utility Key, Identity PIN, and
User PIN tabs. After each tab is successfully completed, a check mark will appear above the tab.
If one of the tabs is not completed correctly a caution symbol will be displayed.

3.1 Token Tab


Once the Token Personalization Utility is started, the Token Tab is active. This tab shows Token
and Reader information as well as allows the user to select the Reader.

When the Token Personalization Utility is started, it immediately looks for a Datakey Unblocking
(330u) or Identrus (330i) Token in an available reader. If neither of these tokens is found, the
application displays an error message and must either be closed or told to look again with
“Retry Readers”.

If more than one reader is present, the utility will select the reader with a Datakey Unblocking or
Identrus Token in it. If multiple tokens are present, the utility lets you choose which token to use.



3.1.1 Reader
This field allows the user to select the reader in which the Datakey Unblocking (330u) or
Identrus (330i) Token has been inserted. If only one reader is found, the drop-down box is grayed
out.

3.1.2 Token Serial #


The Token Serial # field displays the Token Serial Number that was assigned to the chip during
manufacturing. This cannot be changed during personalization.

3.1.3 Token Label


The Token Label is normally set to a user-friendly string that helps to identify the token. The
Token Label field defaults to the Token Serial Number during manufacturing, but can be
changed by the issuer or user. The Token Label can be changed using Token Utilities, which is
installed with the Datakey CIP Product.

3.1.4 Retry Readers


The Retry Readers button allows you to force the application to recheck the readers for an
available Datakey Unblocking or Identrus Token.

3.2 Identity Key Tab


The Identity Key Tab can be displayed by clicking on the part of the tab that remains visible
when any other tab is active, that is, the area where the text “Identity Key” is located.

The Identity Key is a Public and Private Key Pair generated specifically for the Identrus
environment. The Key Pair along with the Certificate must be bundled into a PKCS#12 file and
then it can be imported onto the Token. This file must be provided by Identrus or an Identrus
Trusted Certificate Authority. In most cases, this file is protected using a Password. The
Password and File Name are entered on this Tab.

The Identity Key is protected by the Identity PIN. This means that the Identity PIN must be
successfully submitted to the Token before this Key can be used. The Identrus Signing Interface
allows this PIN to be entered before signing a document. See the CIP User Guide for more
information on the Identrus Signing Interface.

If you have a Datakey Unblocking Token, 330u, this key is not used and the options on this tab
will be grayed out.



3.2.1 File Name
The File Name field is where the file name of the PKCS#12 file is entered for loading onto the
Token. This file contains the Identity Key Pair and Certificate. The button just to the right of this
field allows you to search and select a file from any available drive.

3.2.2 Password
The Password field is where the password for the PKCS#12 file is entered. Asterisks will appear
in place of the actual text. This password will come from whoever created the file.

3.3 Utility Key Tab


The Utility Key Tab can be displayed by clicking on the part of the tab that remains visible
when any other tab is active, that is, the area where the text “Utility Key” is located.

The Utility Key is an optional Key Pair and Certificate put on the Token and can be put on at a
later time if desired. This is a multi-purpose Key that is protected by the User PIN. Outside of the
Identrus Environment, this can be any key you wish to put onto the Token.

Datakey 330 Tokens allow many Key Pairs and Certificates to be loaded onto the Token. Putting
a Utility Key on the Token does not prohibit other keys from being loaded. These keys are
protected using the User PIN, meaning that the User PIN must be successfully submitted to the
Token before these Keys can be used.



3.3.1 Include a Utility key on the token – Checkbox
This checkbox is by default unchecked and a Utility key will not be loaded on the Token. If you
have a Utility key that you want loaded, check this box and continue by entering the File Name
and Password.

3.3.2 File Name


The File Name field is where the file name of the PKCS#12 file is entered for loading onto the
Token. This file contains the Utility Key Pair and Certificate. The button just to the right of this
field allows you to search and select a file from any available drive. This field is not available
unless the checkbox is checked.

3.3.3 Password
The Password field is where the password for the PKCS#12 file is entered. Asterisks will appear
in place of the actual text. This password will come from whoever created the file. This field is
not available unless the checkbox is checked.

3.4 Identity PIN Tab


The Identity PIN Tab can be displayed by clicking on the part of the tab that remains visible
when any other tab is active, that is, the area where the text “Identity PIN” is located.

The Identity PIN protects the Identity Keys and Certificate. This PIN must be successfully
submitted to the Token before the Identity Keys can be used. The Identrus Signing Interface
allows this PIN to be entered before signing a document. See the CIP User Guide for more
information on the Identrus Signing Interface.

The Identity PIN cannot be set during Personalization, per the Identrus Specifications, so an
Initial Identity PIN is used in its place. This PIN must be changed by the user before the Identity
Key is active. The Pass Phrase Utility can be used to change the Initial Identity PIN once the
Token has been personalized. See the CIP User Guide for more information on the Pass Phrase
Utility.



Identrus allows up to six Unblocking PINs to be put onto the Token. These values are set in this
Tab and are used to unblock the Identity PIN if it has become Blocked after too many successive
incorrect PIN entry attempts. The number of successive incorrect attempts that is tolerated is set
in the “Bad PIN Limit” area on this Tab.

Default values are entered into each field, but it is recommended that they be changed to your
own secret values.

If you have a Datakey Unblocking Token, 330u, this PIN is not used and the options on this tab
will be grayed out.

3.4.1 Initial Identity Key PIN


The Initial Identity Key PIN is a temporary PIN put on the Token. Once the Token has been
personalized, the user must change the Initial Identity Key PIN before the Token can be used
to sign Identrus documents.

3.4.2 Identity Key Unblocking


The Identity Key Unblocking fields allow you to enter up to six Unblocking PINs for the Token.
These are alphanumeric fields and are case sensitive. You can also change the number of
Unblocking PINs by using the up and down arrows next to these fields. If you choose fewer than
six, only the number of PINs you have selected can be entered; the remaining Unblocking PIN
fields are grayed out.

3.4.3 Bad PIN Limit


The Bad PIN Limit field allows you to select the number of incorrect Identity PIN entries the
user has before the Identity PIN is blocked.

3.4.4 PIN Length MIN


This value is the minimum number of characters needed for a valid Identity PIN.

3.4.5 PIN Length MAX


This value is the maximum number of characters that can be used for an Identity PIN.



3.5 User PIN Tab
The User PIN Tab can be displayed by clicking on the part of the tab that remains visible
when any other tab is active, that is, the area where the text “User PIN” is located.

The User PIN protects all of the Keys and Certificates on the Token other than the Identity Key.
This PIN must be successfully submitted to the Token before these Keys can be used. It also
protects the User Settings. These settings can be changed using Token Utilities. See the CIP User
Guide for more information on Token Utilities.

The User PIN is mandatory on every Token and is set during Personalization. The Pass Phrase
Utility can be used to change the User PIN once the Token has been personalized. See the CIP
User Guide for more information on the Pass Phrase Utility.

Up to six Unblocking PINs can be put onto the Token. These Unblocking PINs unblock the
User PIN on an Unblocking Token (330u). They are set in this Tab and are used if the
User PIN has become Blocked after too many successive incorrect PIN entry attempts. The
number of successive incorrect attempts that is tolerated is set in the “Bad PIN Limit” area on this
Tab.

Default values are entered into each field, but it is recommended that they be changed to your
own secret values.

3.5.1 User (Utility Key) PIN


The User (Utility Key) PIN must be entered even if a Utility Key is not being put on the Token.
This PIN is used to grant access to the Token’s private information and also allows the user to
change some Token properties, such as the Label. This is the User PIN present on all Datakey
330 Tokens.

3.5.2 Datakey SO PIN


This field is where the Security Officer PIN is entered. This PIN allows the same access to the
Token as the User PIN and should be maintained by the Security Officer- not the User.



3.5.3 Allow User PIN Unblocking – Checkbox
This checkbox allows PIN Unblocking for the User PIN. It is unchecked by default.

3.6 About
The About button shows the Token Personalization Utility version and product information.

3.7 Close
The Close button closes the dialog box and exits the Token Personalization Utility.

3.8 Personalize Test Token


Once all five tabs have been successfully completed, the “Personalize Token” button will
become active. Clicking on this button will begin loading the information specified in the tabs
onto the Token. This will take up to 30 seconds and a completion status is shown when finished.



4 Appendix A – PIN Unblocking
Both the Unblocking Token (330u) and Identrus Token (330i) have PIN Unblocking capabilities.
The Unblocking Token allows the User PIN to be unblocked and the Identrus Token allows the
Identity PIN to be unblocked.

4.1 Unblocking Token (User PIN Unblocking)


• Token is personalized with Max Login Attempts for the User PIN
• Once the User PIN has been entered incorrectly that many successive times, the User PIN
is blocked and the Objects on the Token are not accessible
• Standard 330 Token – Must Initialize Token (Which removes all objects from the Token)
• Unblocking 330u Token – Open Pass Phrase Utility and select “Update Pass Phrase”
• Enter the next available Unblocking PIN and a new User PIN
• All Objects on the Token can now be accessed with the new User PIN
• Note: Blocking the User PIN does not affect the Identity PIN or Identity Key on an
Identrus Token

4.2 Identrus Token (Identity PIN Unblocking)


• Token is personalized with Max Login Attempts for the Identity PIN
• Once the Identity PIN has been entered incorrectly that many successive times, the
Identity PIN is blocked and the Identity Key on the Token is not accessible
• Open Pass Phrase Utility and select “Update Identrus Identity PIN”
• Enter the next available Unblocking PIN and a new Identity PIN
• The Identity Key on the Token can now be accessed with the new Identity PIN
• Note: Blocking the Identity PIN does not affect the User PIN or any Objects on the
Token protected by it
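The retry-counter and unblocking behaviour described in sections 3.4 and 3.5 and in the two procedures of this appendix, modelled as an added Python example. This is not Datakey code and does not talk to a card. It assumes, as “next available Unblocking PIN” implies, that Unblocking PINs are single-use and consumed in order; that a correct PIN entry resets the retry counter; and that PIN comparison happens on the card (modelled here with salted hashes and a constant-time compare). The class and function names are the example’s own, and the Identity PIN and User PIN are kept as independent counters, matching the notes in 4.1 and 4.2.

```python
import hashlib
import hmac
import os

MAX_UNBLOCKING_PINS = 6  # sections 3.4.2 and 3.5: up to six Unblocking PINs per PIN


class PinBlocked(Exception):
    """Raised when a blocked PIN is presented; objects it protects are unusable."""


class PolicyError(ValueError):
    """Raised when a new PIN violates the PIN Length MIN/MAX policy."""


class ProtectedPin:
    """One PIN (Identity PIN or User PIN) with a Bad PIN Limit retry counter,
    a length policy and an ordered list of single-use Unblocking PINs.
    Example model only; assumptions are noted in the lead-in."""

    def __init__(self, initial_pin, bad_pin_limit, min_len, max_len,
                 unblocking_pins=(), must_change=False):
        if bad_pin_limit < 1:
            raise ValueError("Bad PIN Limit must be at least 1")
        if len(unblocking_pins) > MAX_UNBLOCKING_PINS:
            raise ValueError("at most six Unblocking PINs can be personalized")
        self.min_len, self.max_len = min_len, max_len
        self.limit = bad_pin_limit
        self.remaining = bad_pin_limit          # attempts left before blocking
        self.must_change = must_change          # Initial Identity PIN (3.4.1)
        self._salt = os.urandom(16)             # per-token secret, never exported
        self._pin = self._set(initial_pin)
        self._unblocking = [self._digest(u) for u in unblocking_pins]
        self._next_unblock = 0                  # index of the "next available" one

    def _digest(self, secret):
        return hashlib.sha256(self._salt + secret.encode()).digest()

    def _set(self, pin):
        """Apply PIN Length MIN/MAX (3.4.4, 3.4.5) and return the stored digest."""
        if not (self.min_len <= len(pin) <= self.max_len):
            raise PolicyError(f"PIN length must be {self.min_len}..{self.max_len}")
        return self._digest(pin)

    @property
    def blocked(self):
        return self.remaining == 0

    @property
    def unblocks_remaining(self):
        return len(self._unblocking) - self._next_unblock

    def verify(self, pin):
        """Submit the PIN. A correct entry resets the counter; a wrong one
        decrements it and blocks the PIN when it reaches zero."""
        if self.blocked:
            raise PinBlocked("PIN is blocked; use an Unblocking PIN")
        if hmac.compare_digest(self._digest(pin), self._pin):
            self.remaining = self.limit
            return True
        self.remaining -= 1
        return False

    def change(self, old_pin, new_pin):
        """Pass Phrase Utility style change: old PIN must verify first."""
        if not self.verify(old_pin):
            return False
        self._pin = self._set(new_pin)
        self.must_change = False
        return True

    def unblock(self, unblocking_pin, new_pin):
        """Appendix A: present the next available Unblocking PIN plus a new PIN.
        A wrong or already-consumed Unblocking PIN is rejected without effect."""
        if self.unblocks_remaining == 0:
            return False   # nothing left: only re-initialization remains (4.1)
        expected = self._unblocking[self._next_unblock]
        if not hmac.compare_digest(self._digest(unblocking_pin), expected):
            return False
        new_digest = self._set(new_pin)  # policy check before consuming the PIN
        self._next_unblock += 1
        self._pin = new_digest
        self.remaining = self.limit
        self.must_change = False
        return True


def appendix_a_scenario():
    """Walk the Identity PIN unblocking sequence of 4.2 on a constructed 330i
    and return a trace of each step's result."""
    trace = []
    ident = ProtectedPin("1111", bad_pin_limit=3, min_len=4, max_len=8,
                         unblocking_pins=("Unblock1", "Unblock2"), must_change=True)
    user = ProtectedPin("2222", bad_pin_limit=5, min_len=4, max_len=8)
    for attempt in ("9999", "9999", "9999"):          # three bad entries hit the limit
        trace.append(("identity_verify", ident.verify(attempt)))
    trace.append(("identity_blocked", ident.blocked))
    trace.append(("user_still_usable", user.verify("2222")))   # counters are independent
    trace.append(("unblock_wrong", ident.unblock("Unblock2", "3333")))  # not the next one
    trace.append(("unblock_ok", ident.unblock("Unblock1", "3333")))
    trace.append(("identity_verify_new", ident.verify("3333")))
    trace.append(("unblocks_left", ident.unblocks_remaining))
    trace.append(("must_change", ident.must_change))
    return trace


if __name__ == "__main__":
    for step, result in appendix_a_scenario():
        print(f"{step}: {result}")
```

Under this model a token personalized with six Unblocking PINs survives at most six block events before it has to be re-initialized or re-issued, so the Unblocking PINs are issuer-held secrets with a finite budget, not something to hand to the end user alongside the token.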



5 Appendix B – Moving to Production
Once the Unblocking or Identrus Tokens have been successfully tested in a lab, production
Tokens can be ordered from Datakey. The keys and PINs can be securely loaded onto the Token
by Datakey or by the issuer. If Datakey does the personalization, some coordination will be
needed to get the keys and PINs securely from the personalization site to the issuer.

Once the Token is personalized, managing the PINs is up to the issuer. Datakey can work with
the issuer to determine the best way to do this through a Card Management System (CMS),
legacy system, or custom application.
