Introducing Dekart RSA Cryptoprovider
A Cryptographic Service Provider (CSP) is a mechanism that provides you with a secure area where digital certificates and their keys can be stored. Normally, the CSP is part of the operating system and physically resides on the hard disk where the operating system itself is installed. The secure area is meant to be protected from tampering, so that one’s secret key cannot be revealed to somebody else.
Dekart RSA Cryptographic Provider goes beyond the functionality of a basic CSP, allowing you to use digital signatures and PKI-based mechanisms without being tied to a single computer. You can migrate your digital certificates to a smart card, token, or a removable disk, and use the digital certificate on another workstation without having to locally install it, not even temporarily. This makes electronic document interchange a quick and safe procedure, protecting you from the risks of identity theft.
A quick comparison chart between the standard Windows CSP and Dekart CSP (cells that could not be recovered from the original chart are left empty):

| | Standard Windows CSP | Dekart RSA Cryptographic Provider |
|---|---|---|
| Digital certificate storage media | | Smart card, token, USB flash drive |
| Digital certificate mobility | Restricted: digital certificate can be exported to a .PFX file and installed on another system | Unrestricted: digital certificates are stored on the flash drive and read directly from it; local copies are not created |
| Possibility of cloning a certificate illegally | Yes: one can clone the entire disk on which the CSP stores its data | No: a smart card or token cannot be cloned without knowing the PIN code |
| | Yes: a digital certificate imported on another system can be forgotten there, and thus used by somebody else | None: digital certificates are never stored, nor cached, on the computer itself |
| | The data are encrypted, a brute force attack is possible | The data are encrypted, a brute force attack is not possible |
| | No, if the key is not marked as exportable | |
Facts about digital certificates:
A cryptoprovider will store the secret key of the digital certificate in a special repository, to which additional security mechanisms are applied. The digital certificate itself, on the other hand, is not protected, since it does not contain any information that, if revealed, would have a negative impact on your privacy. Each digital certificate contains a reference which allows the cryptoprovider to determine which of the stored secret keys corresponds to a given digital certificate. Whenever an application tries to use the secret key, it accesses the digital certificate; the system then follows the reference to find out where to look for the secret key.
This is where Dekart RSA Cryptographic Provider steps in, allowing you to move the keys or the digital certificate itself to a smart card or token. In the chart below you can see two digital certificates, one of them uses the standard Windows cryptographic provider, and the other one uses the enhanced Dekart cryptographic provider. In the second case, it is clear that the sensitive data are separated from the operating system, and stored in an entirely different location, being invulnerable to any attack against the OS.
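The certificate-to-key reference described above can be inspected on any Windows machine. The following script is an added example, not Dekart's code; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (where the .NET X509, CryptoAPI and CNG classes it uses are available) and, as an assumed default, the current user's personal certificate store. For each certificate it follows the reference to the key container and reports which provider holds the key, whether that provider reports the key as living on hardware or removable media, and whether the key is marked exportable, which is the property that decides whether it can leave the machine as a .PFX file.

```powershell
# Added example; it is not Dekart's code. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows and read access to the certificate store given.
function Get-PrivateKeyLocation {
    [CmdletBinding()]
    param(
        # Store to inspect; the current user's personal store is an assumed default.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $row = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $null
            Container  = $null
            Exportable = $null
            Hardware   = $null
            Removable  = $null
        }

        if (-not $cert.HasPrivateKey) {
            # Certificate only: the public part carries no secret, so there is
            # nothing sensitive to copy from this entry on this machine.
            $row.Provider = '(no private key on this machine)'
            [PSCustomObject]$row
            continue
        }

        try {
            # Follow the reference stored with the certificate to its key container.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch {
            $rsa = $null
        }

        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI CSP: the container lives wherever that CSP keeps it
            # (on disk for the Microsoft software CSPs, on the card for a card CSP).
            $info = $rsa.CspKeyContainerInfo
            $row.Provider   = $info.ProviderName
            $row.Container  = $info.KeyContainerName
            $row.Exportable = $info.Exportable
            $row.Hardware   = $info.HardwareDevice
            $row.Removable  = $info.Removable
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key storage provider (KSP); many smart card drivers surface here.
            $row.Provider   = $rsa.Key.Provider.Provider
            $row.Container  = $rsa.Key.KeyName
            $row.Exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            # CNG has no hardware flag; the provider name is the only hint available.
            $row.Hardware   = ($row.Provider -like '*Smart Card*')
            $row.Removable  = $null
        } else {
            # The reference exists but the key cannot be opened right now
            # (for example, the card or token is not inserted).
            $row.Provider = '(private key referenced but not accessible)'
        }

        [PSCustomObject]$row
    }
}

# Usage: one line per certificate, showing which provider holds the key and
# whether that key could be pulled off this machine through a .PFX export.
Get-PrivateKeyLocation | Format-Table -AutoSize
```

A certificate whose row shows a Microsoft software CSP or KSP with Exportable set to True is the case the comparison chart warns about: the key is on the same disk as the operating system and can be exported; a row whose provider reports hardware or removable storage, or that is not accessible until a card is inserted, corresponds to the separated layout the page describes. The built-in `certutil -csplist` command lists the providers registered on the machine if you want to confirm which ones appear in the Provider column.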
How it works:
- After downloading and installing Dekart RSA Cryptographic Provider, you will see the program’s applet in the Control Panel;
- Clicking it will bring up the application’s main window, from which you can control all its activities. The program’s interface is simple and intuitive, thus the only thing you have to decide is whether to migrate the key with or without the digital certificate.
The decision is determined by how often you need to use the digital certificate, and by the performance of your smart card and smart card reader. Reading data off a smart card is not as fast as reading data stored on a hard disk; the transfer speeds are much lower. If you are often requested to provide your digital certificate (e.g. you have 50 new encrypted emails in your inbox, so the system will access the digital certificate and the key 50 times), there will be many delays, making your work less pleasant. You can minimize this negative effect by migrating only the secret key to the smart card; in this case the digital certificate will be read from the local storage (e.g. a flash drive), and only the key itself will be read from the card. In the long run, this saves a lot of time.
Another factor that may push you towards this decision is the card’s available storage capacity. Smart cards have a rather small storage capacity, so if you want to store several secret keys on it, as well as other data, it might be a good idea to leave the digital certificates on the PC.
In contrast, if your main concern is privacy and obscurity, you should migrate the digital certificate together with the secret key.
Dekart RSA Cryptographic Provider gives you all the mobility you could wish for, making your infrastructure more secure. It allows you to engage in secure data transmissions from computers other than your home or office PC, while the risk of becoming a victim of identity theft is nil.
Dekart RSA Cryptographic Provider in a company
“We have adapted our internal resources (helpdesk, forum, financial database) to use PKI. All the employees of the company were issued digital certificates that are used to authenticate to the server and gain access to the requested data. Our personnel can access the resources on any Windows system that has an internet connection; authentication is quick and extremely secure – keyloggers pose no threat to us, while the resources become unavailable as soon as the key is unplugged. We are extremely satisfied with this solution.”