User Guide
Unblocking (330u) and Identrus (330i) Tokens
Term: Description
330i: Datakey Token loaded with the Identrus Application
330u: Datakey Token loaded with the Unblocking Application
Bad PIN Limit: The number of successive times a PIN can be entered incorrectly before it becomes blocked. This value is set during Personalization.
Blocked PIN: A PIN that has been entered incorrectly more successive times than the Bad PIN Limit. Once this has happened, the PIN and all Objects protected by that PIN become unusable until Unblocked.
Identity Key: The RSA key pair stored on an Identrus Token and used to sign documents in an Identrus Environment
Identity PIN: The PIN that protects the Identity Key and its usage
Identrus Token: Same as 330i
P12 File: A file that contains Keys and Certificates in the PKCS#12 format. It is often protected by a Pass Phrase.
Personalization: The process of setting Token Parameters and loading Keys, Certificates, and PINs onto the Token
Unblocking PIN: A PIN that is loaded onto the Token during Personalization and is used to unblock another PIN after it has become blocked
Unblocking Token: Same as 330u
User PIN: The PIN that protects all objects, other than the Identrus objects, and user configurable attributes on the Token
Utility Key: Identrus term for a key that is on the Identrus Token but is not used in the Identrus Environment. Refers to any non-Identrus Key on a token.
Utility PIN: Same as the User PIN
This Utility allows Keys and PINs to be loaded onto the 330u and 330i Tokens. These Tokens
must be ordered from Datakey as Unblocking or Identrus and cannot be changed in the field.
Identrus Tokens are Personalized with an Identity Key, an Identity PIN, and up to six Unblocking
PINs, which will unblock the Identity PIN only. The User PIN must be set on the Identrus
Token, even if there are no other Keys loaded onto the Token, and optionally a Utility Key can
be loaded.
Unblocking Tokens are Personalized with a User PIN and up to six Unblocking PINs, which will
unblock the User PIN only. A Utility Key can optionally be put on this Token as well.
NOTE: The Token Personalization Utility is for pilot and evaluation purposes only. It may be used to
personalize Datakey 330u and 330i Tokens in a test environment only and is not to be used in a
production environment.
The Token Personalization Utility can be started from the Start Menu by selecting Start |
Programs | Datakey CIP | Token Personalization Utility.
There are five tabs on this utility. They are: Token, Identity Key, Utility Key, Identity PIN, and
User PIN tabs. After each tab is successfully completed, a check mark will appear above the tab.
If one of the tabs is not completed correctly a caution symbol will be displayed.
When the Token Personalization Utility is started, it immediately looks for a Datakey Unblocking
(330u) or Identrus (330i) Token in an available reader. If neither of these tokens is found, the
application displays an error message, and either the application must be closed or “Retry
Readers” selected.
If more than one reader is present, the utility will select the reader with a Datakey Unblocking or
Identrus Token in it. If multiple tokens are present, the utility lets you choose which token to use.
The Identity Key is a Public and Private Key Pair generated specifically for the Identrus
environment. The Key Pair along with the Certificate must be bundled into a PKCS#12 file and
then it can be imported onto the Token. This file must be provided by Identrus or an Identrus
Trusted Certificate Authority. In most cases, this file is protected using a Password. The
Password and File Name are entered on this Tab.
The Identity Key is protected by the Identity PIN. This means that the Identity PIN must be
successfully submitted to the Token before this Key can be used. The Identrus Signing Interface
allows this PIN to be entered before signing a document. See the CIP User Guide for more
information on the Identrus Signing Interface.
If you have a Datakey Unblocking Token, 330u, this key is not used and the options on this tab
will be grayed out.
3.2.2 Password
The Password field is where the password for the PKCS#12 file is entered. Asterisks will appear
in place of the actual text. This password will come from whoever created the file.
The Utility Key is an optional Key Pair and Certificate put on the Token and can be put on at a
later time if desired. This is a multi-purpose Key that is protected by the User PIN. Outside of the
Identrus Environment, this can be any key you wish to put onto the Token.
Datakey 330 Tokens allow many Key Pairs and Certificates to be loaded onto the Token. Putting
a Utility Key on the Token does not prohibit other keys from being loaded. These keys are
protected using the User PIN, meaning that the User PIN must be successfully submitted to the
Token before these Keys can be used.
3.3.3 Password
The Password field is where the password for the PKCS#12 file is entered. Asterisks will appear
in place of the actual text. This password will come from whoever created the file. This field is
not available unless the checkbox is checked.
The Identity PIN protects the Identity Keys and Certificate. This PIN must be successfully
submitted to the Token before the Identity Keys can be used. The Identrus Signing Interface
allows this PIN to be entered before signing a document. See the CIP User Guide for more
information on the Identrus Signing Interface.
The Identity PIN cannot be set during Personalization, per the Identrus Specifications, so an
Initial Identity PIN is used in its place. This PIN must be changed by the user before the Identity
Key is active. The Pass Phrase Utility can be used to change the Initial Identity PIN once the
Token has been personalized. See the CIP User Guide for more information on the Pass Phrase
Utility.
Default values are entered into each field, but it is recommended that they be changed to your
own secret values.
If you have a Datakey Unblocking Token, 330u, this PIN is not used and the options on this tab
will be grayed out.
The User PIN protects all of the Keys and Certificates on the Token other than the Identity Key.
This PIN must be successfully submitted to the Token before these Keys can be used. It also
protects the User Settings. These settings can be changed using Token Utilities. See the CIP User
Guide for more information on Token Utilities.
The User PIN is mandatory on every Token and is set during Personalization. The Pass Phrase
Utility can be used to change the User PIN once the Token has been personalized. See the CIP
User Guide for more information on the Pass Phrase Utility.
Up to six Unblocking PINs can be put onto the Token. These Unblocking PINs are used to unblock
the User PIN on an Unblocking Token (330u). They can be set in this Tab and are used if the
User PIN has become Blocked from too many successive incorrect PIN entry attempts. The
number of successive incorrect PIN entry attempts can be set in the “Bad PIN Limit” area on this
Tab.
Default values are entered into each field, but it is recommended that they be changed to your
own secret values.
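The blocking and unblocking behaviour described for this Tab can be modelled in a few lines. This is an added example, not Datakey code and not part of the original guide: TokenPin and run_scenario are hypothetical names, the PIN values are constructed, and the block threshold follows the glossary wording for Blocked PIN.

```python
import hmac

class TokenPin:
    """Illustrative model of one PIN on the token; not Datakey code."""
    def __init__(self, pin, bad_pin_limit, unblocking_pins=()):
        if len(unblocking_pins) > 6:          # the guide allows up to six
            raise ValueError("at most six Unblocking PINs")
        self._pin = pin
        self._limit = bad_pin_limit           # "Bad PIN Limit" from the tab
        self._unblocking = tuple(unblocking_pins)
        self.failures = 0                     # successive incorrect entries
        self.blocked = False

    @staticmethod
    def _same(a, b):
        # Constant-time comparison, so timing does not reveal a partial match.
        return hmac.compare_digest(a.encode(), b.encode())

    def verify(self, candidate):
        if self.blocked:
            return False                      # a Blocked PIN rejects even the right value
        if self._same(candidate, self._pin):
            self.failures = 0                 # only successive failures count
            return True
        self.failures += 1
        # Glossary wording: blocked once entered incorrectly "more successive
        # times than the Bad PIN Limit".
        if self.failures > self._limit:
            self.blocked = True
        return False

    def unblock(self, candidate):
        # Assumption: Unblocking PINs are reusable with no retry limit of their own.
        if not self.blocked:
            return False
        matched = False
        for u in self._unblocking:            # compare against every slot
            matched |= self._same(candidate, u)
        if matched:
            self.blocked = False
            self.failures = 0                 # assumption: counter is cleared
        return matched

def run_scenario():
    """Constructed values: limit 3, PIN '2468', two Unblocking PINs."""
    pin = TokenPin("2468", 3, ["unblock-one", "unblock-two"])
    trace = [pin.verify("0000") for _ in range(4)] + [pin.blocked]
    trace += [pin.verify("2468"), pin.unblock("guess"), pin.unblock("unblock-two")]
    return trace + [pin.verify("2468"), pin.failures]
```

The model shows why the Unblocking PINs deserve the same care as the PIN they unblock: whoever holds one can restore a blocked PIN and clear its failure count.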
3.6 About
The About button shows the Token Personalization Utility version and product information.
3.7 Close
The Close button closes the dialog box and exits the Token Personalization Utility.
Once the Token is personalized, managing the PINs is up to the issuer. Datakey can work with
the issuer to determine the best way to do this through a Card Management System (CMS),
legacy system, or custom application.