Special Files Used In The File Authentication Process - VeriFone P200 Reference Manual

F A
ILE UTHENTICATION
Introduction to File Authentication
Special Files Used
in the File
Authentication
Process
36
P200/P400 R
EFERENCE
The following specially formatted files support the FA process:
•
A digital certificate (*crt file) is a digital public document used to verify the
signature of a file.
•
A digital signature (*.p7s file) is a piece of information based on both the file
and the signer's private cryptographic key. The file sender digitally signs the
file using a private key. The file receiver uses a digital certificate to verify the
sender's digital signature.
•
Signer private keys are securely conveyed to clients on smart cards. On
P200 and P400, private keys are not kept in files. The secret passwords
required by clients to generate signature files, using signer private keys, are
sent as PINs over a separate channel such as registered mail or encrypted e-
mail.
Digital certificates and signature files, do not need to be kept secure to safeguard
the overall security of VeriShield Retain.
The special file types that support the file authentication process are recognized
by their filename extensions.
Table 6 VeriShield File Signing Tool Filename Extensions
File Type
Signature
Digital certificate
All digital certificates are generated and managed by the Verifone CA, and are
distributed on request to PINpad clients—either internally within Verifone or
externally to sponsors.
All certificates issued by the Verifone CA for the PINpad platform, and for any
Verifone platform with the VeriShield Retain security architecture, are
hierarchically related. That is, a lower-level certificate can only be authenticated
under the authority of a higher-level certificate.
The security of the highest-level certificate, called the platform root certificate, is
tightly controlled by Verifone.
The required cryptographically related private keys that support the file
authentication process are also generated and distributed by the Verifone CA.
Certificates Contain Keys That Authenticate Signature Files
•
Sponsor certificate: Certifies a client's sponsorship of the PINpad. It does not,
however, convey the right to sign and authenticate files. To add flexibility to the
business relationships that are logically secured under the file authentication
process, a second type of certificate is usually required to sign files.
A sponsor certificate is authenticated under a higher-level system certificate,
called the application partition certificate.
G
UIDE
Extension
*.p7s
*.crt