TECHNOLOGY
CodeMeter speaks X.509
Server certificates are a ubiquitous sight: they give users the assurance that the site they are talking to is the one named in the address bar and not an impostor set up for phishing. Client certificates, by contrast, continue to be held in low regard and are virtually ignored by the wider public, even though they are a simple, secure, and standards-based (X.509) means of authenticating users. This is particularly true when the private key is stored on secure hardware such as a CmDongle.
Authentication with certificates
The user possesses a private key and a matching certificate. During the handshake and key exchange, the client uses the private key to sign a hash of the handshake messages exchanged so far (in TLS, the CertificateVerify message). The signature and the client certificate are then transmitted to the server, which validates the certificate chain against the certificate authorities it trusts and verifies the signature with the public key contained in the certificate. Only if both checks pass is the identity read from the certificate and used: the signature alone proves possession of the private key, and the chain alone proves whose certificate it is, so neither check can be skipped.
[Figure: Layer model. Applications (Firefox, Outlook, Explorer, Chrome, Safari) → PKCS#11 / Microsoft CSP → CodeMeter API → CmDongle]
Standard interfaces
■■ PKCS#11 for all computer platforms
■■ Microsoft Crypto Service Provider (CSP) for
Windows
■■ Token Daemon (tokenD) for Apple OS X.
Certificates on CmDongles
CodeMeter includes a PKI client application as an add-on module (Charismatics Smart Security Interface - CSSI). The CSSI middleware comes with a Microsoft CSP and a PKCS#11 interface, which makes the private keys and certificates stored on CmDongles available to almost all applications, including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, and Microsoft Outlook.
A CmDongle can store up to eight private keys and their matching certificates; the keys use the RSA algorithm with a key length of up to 2048 bits. A private key can either be imported from an external source (a PKCS#12 file in .pfx or .p12 format) or generated by the CSSI middleware. It is stored in dedicated secret data fields that are protected against read-out.
The CSSI middleware can generate a Certificate Signing Request (CSR) for a key, submit it to the issuing certificate authority, and import the resulting certificate. A CSR carries only the public key and a signature made with the private key, so the private key itself never has to leave the CmDongle during enrolment. Alternatively, the CSSI middleware can create a self-signed certificate itself; such a certificate is only useful where the relying party is configured to trust that specific certificate directly, since there is no chain to a trusted authority.
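The flow described under Authentication with certificates, together with the key generation, CSR and issuance steps described above, as one added worked example. It is not code from the original page, from Wibu-Systems, or from the CSSI middleware: it uses Go's standard library in place of the PKCS#11/CSP interfaces, and an in-memory RSA-2048 key stands in for the key on the CmDongle. Everything beyond that is assumed for illustration, namely the CA names "Example Issuing CA" and "Rogue CA", the user name "alice", and the transcript string, which is a constructed stand-in for the handshake messages both sides have seen. The signature is RSA PKCS#1 v1.5 over a SHA-256 hash, as in a TLS 1.2 CertificateVerify with an RSA key. The rest of the code only ever touches the key through the crypto.Signer interface, which is the same boundary a hardware token exposes through PKCS#11 or a CSP.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template: an issuing CA when isCA is set, otherwise an end-entity cert usable only for client auth.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return t
}

// NewCA creates a self-signed issuing CA (constructed for this example).
func NewCA(cn string) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := template(cn, true)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// MakeCSR (client side): the key stays on the token; only a request for its public key, signed to prove possession, leaves.
func MakeCSR(key crypto.Signer, cn string) []byte {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// IssueClientCert (CA side): check the proof of possession, then certify the public key from the request.
func IssueClientCert(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte) []byte {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	return must(x509.CreateCertificate(rand.Reader, template(csr.Subject.CommonName, false), ca, csr.PublicKey, caKey))
}

// SignTranscript is the client's CertificateVerify step: sign the SHA-256 hash of the handshake so far (RSA PKCS#1 v1.5).
func SignTranscript(key crypto.Signer, transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	return key.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// Authenticate (server side). Order matters: trusted chain with client-auth usage, then proof of possession, then identity.
func Authenticate(roots *x509.CertPool, certDER, transcript, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, transcript, sig); err != nil {
		return "", fmt.Errorf("possession of private key not proven: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Scenario: enrol, then one authentication that must succeed and one that must fail.
func Scenario() (identity string, rogueRejected bool) {
	ca, caKey := NewCA("Example Issuing CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Assumption: an in-memory RSA-2048 key stands in for the dongle key; as via PKCS#11/CSP, only crypto.Signer is used.
	var dongleKey crypto.Signer = must(rsa.GenerateKey(rand.Reader, 2048))
	csr := MakeCSR(dongleKey, "alice")
	certDER := IssueClientCert(ca, caKey, csr)
	transcript := []byte("ClientHello|ServerHello|Certificate|CertificateRequest") // constructed stand-in
	sig := must(SignTranscript(dongleKey, transcript))
	rogueCA, rogueKey := NewCA("Rogue CA") // same key and valid signature, but an issuer the server does not trust
	_, err := Authenticate(roots, IssueClientCert(rogueCA, rogueKey, csr), transcript, sig)
	return must(Authenticate(roots, certDER, transcript, sig)), err != nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run; it prints the identity the server accepted and whether the rogue certificate was rejected. The checks in Authenticate are deliberately ordered: the rogue case carries a perfectly valid signature from the same key, and only the chain validation against the server's own trusted roots catches it, which is the practical reason a relying party must never read the identity out of a certificate before it has validated the chain.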
There are many versatile uses for certificates, including:
■■ Email certificates to sign and encrypt emails
■■ Client certificates to authenticate end-user devices in IT networks
■■ OPC UA certificates
■■ User certificates for authentication on computers and in networks
There are many different software products that rely on certificates, such as mail clients or web browsers. At the same time, several providers offer secure hardware that can be used to store certificates or, in many cases, purely software-based key stores. The interface standards listed under Standard interfaces above (PKCS#11, the Microsoft CSP, and tokenD) have been established to ensure a reasonable degree of interoperability between all of these systems.