|
|
 |
Rosetta CSI sToken
The Rosetta CSI sToken is a FIPS 140-2 Level 1 software cryptographic token that provides public key digital signature and encryption services for Microsoft Windows operating systems. The Rosetta CSI sToken represents the latest development in FORTEZZA software token technology. The Rosetta CSI sToken provides the strength of declassified and commercial cryptographic algorithms used in the SPYRUS FORTEZZA Crypto Card, completely in software to protect your most valuable digital property. Its design enables both commercial and U.S. Department of Defense (DoD) users to implement software-only security for MSCAPI and PKCS-11 applications such as Microsoft Internet Explorer and Netscape Navigator. Rosetta CSI sToken implements the required government suite of algorithms to enable authentication of users utilizing a “software token” for the Defense Message System (DMS) and for operations systems in the intelligence and tactical communities.
SPYRUS pioneered the use of the FORTEZZA Crypto Card within the U.S. Government. SPYRUS has distributed over 500,000 FORTEZZA and LYNKS tokens for use in the U.S. Government since first introducing them in 1993. SPYRUS continues to be the only provider of a FIPS-validated software token for the Defense Message System.
SPYRUS now provides a complete line of developer toolkits to add Rosetta CSI sToken and other SPYRUS technologies to any product or environment. The toolkits provide the flexibility for users to implement software only (system-high assurance) and/or hardware-based (high-assurance) security for a variety of applications.
The Rosetta CSI sToken can also be combined with Rosetta Executive Suite Authentication software and the SPYRUS Rosetta Smart Card, Rosetta USB tokens, or the LYNKS HSM to provide FORTEZZA PCMCIA equivalent functionality. An added benefit is the FIPS 140-1 Level 2 and 3 certification of the Rosetta hardware token product family.
Benefits
- Software form factor that is easy to deploy and use.
- Ideal for field use, for enclaves, for use on ships, and for use in other environments where use of a physical token may not be convenient for the user.
- FIPS 140-2 Level 1 validation give users the choice of implementing high assurance hardware or system-high assurance software based cryptography.
- Can be combined seamlessly with the Rosetta CSI software and the complementary Rosetta Smart Card, Rosetta USB, or LYNKS Privacy Card when higher assurance needs arise.
FIPS 140-2 Validation
The following table specifies the levels to which the Rosetta CSI sToken is FIPS 140-2 validated. The overall certification is FIPS 140-2, Level 1.
FIPS 140-2 Certification Levels
| FIPS 140-2 Category |
Level |
| 1. Cryptographic Module Specification |
1 |
| 2. Cryptographic Module Ports and Interfaces |
1 |
| 3. Roles, Services, and Authentication |
2 |
| 4. Finite State Model |
1 |
| 5. Physical Security |
1 |
| 6. Operational Environment |
1 |
| 7. Cryptographic Key Management |
1 |
| 8. EMI/EMC |
3 |
| 9. Self-tests |
1 |
| 10. Design Assurance |
1 |
| 11. Mitigation of Other Attacks |
None |
The following algorithms used in the Rosetta CSI sToken are FIPS 140-2 validated:
| Service |
Algorithm |
| Encryption & Decryption |
Skipjack |
| Digital Signatures |
DSA / SHA-1 |
| Key Transport / Key Agreement |
KEA |
| Random Number Generation |
Deterministic / X9.31, Appendix A.2.4 (TDES) |
Specifications and Features of the Rosetta CSI sToken
| Rosetta CSI sToken |
| Configurations |
- Will function properly on a workstation configuration equivalent to a 400 MHz minimum Pentium II-compatible CPU with a minimum of 128 MB of RAM for Windows 2000 and XP.
- Installation requires 15 MB of disk space.
|
| Operations performed in software |
- DSA, KEA, SHA-1, Skipjack.
- RNG (X9.31)
- Symmetric Key Generation, Management, Encryption.
- Asymmetric Key Generation, Management, Digital Signature Generation and Verification
|
| FIPS validation |
- Validated to FIPS 140-2 Level 1
|
| Assurance Level |
|
| Department of Defense Assurance |
|
| API Support |
- CI API – FORTEZZA Interface Control Document Revision P1.5 Compliant)
- PKCS #11 API – a Technology-Independent Programming Interface Called Cryptoki
|
| Access Controls |
- Cryptographic Functions may be Performed Only After a User has Successfully Entered His or Her PIN or MemPhrase to Log On to the User Token
- Separate, Administrator-settable User, and Administrator PINs or MemPhrases. PINs and MemPhrases are Encrypted in the User Token
- Separate Initializer MemPhrase
- Automatic Lockout of the User After 10 User Logon Failures
- Automatic Erasure of all User Token Contents After 10 Administrator Logon Failures
|
| Cryptographic Functions |
- Encryption and Decryption - SKIPJACK
- Generate and Load Initialization Vectors, and Generate Random Numbers
- Initialize, Hash, and Get Hash - NIST SHA-1 (FIPS Pub 180-1)
- Sign and Verify Signatures - NIST DSA (FIPS Pub 186)
- Set Cryptographic Mode (for temporary algorithm and mode switching)
- Load, Retrieve, Select and Delete Certificates
- Generate, Use and Delete Data Encryption Keys
- Set Default Algorithms and Modes Associated With Each User Personality
- Save and Restore Hash, Encryption, and Decryption Cryptographic States
- Generate, Load, Install and Extract Public/Private Keys -
- Wrap and Unwrap Keys - SKIPJACK
- User Token Management Functions - KEA
- User Token Configuration, Status, Cryptographic State
- List Keys and Certificate Registers Status
- Check and Change User and Administrator PINs and MemPhrases
- Initialize, Reset, and Zeroize the User Token
|
|
|
