Administrating The Cryptographic Key; The Smart Card - Digittrade HS256S User Manual

High security external encrypted hdd/ssd

If the 8-digit PIN is entered incorrectly 8 times, the smart card is disabled and becomes unusable. The cryptographic key is also irreversibly deleted.

1.3 Administrating the cryptographic key

With the device PIN, the user can copy the cryptographic key to another smart card, initialize new smart cards on the HS256S and manage the lock-out mode. Instructions for this can be found in chapter 5.
For some usage scenarios, knowledge of the smart card PIN and the device PIN can be split between two people, so that one person knows the device PIN and the other the smart card PIN. If only the device PIN is known, access to the data is therefore denied.
The cryptographic key needed for decrypting and encrypting the data is created externally and stored in encrypted form.
This means there is a physical separation between the encrypted data and the cryptographic key, which also makes it impossible to read the cryptographic key from the DIGITTRADE HS256S. After the PIN has been entered correctly, the cryptographic key is transferred to the encryption module of the HS256S to decrypt and encrypt the data. The external storage of the cryptographic key opens up many application possibilities, which are described in chapter 10.
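
The card-side behaviour described in this chapter (8-digit PIN, card disabled and key deleted after 8 wrong entries, key handed to the encryption module only after a correct PIN), modelled as an added example; it is not DIGITTRADE's applet code. The class and function names, the 32-byte key size and the counter reset after a correct PIN are assumptions that do not come from the manual.

```python
import hmac
import secrets

PIN_LENGTH = 8      # from the manual: 8-digit smart card PIN
MAX_ATTEMPTS = 8    # from the manual: card is disabled after 8 wrong entries


class CardDisabled(Exception):
    """Raised once the retry counter is exhausted and the key is gone."""


class ModelSmartCard:
    """Toy model of a PIN-protected key store; not the HS256S applet."""

    def __init__(self, pin: str):
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be exactly 8 digits")
        self._pin = pin.encode()
        self._key = bytearray(secrets.token_bytes(32))  # assumption: 32-byte key
        self._tries_left = MAX_ATTEMPTS

    @property
    def tries_left(self) -> int:
        return self._tries_left

    def has_key(self) -> bool:
        return self._key is not None

    def release_key(self, pin: str) -> bytes:
        """Return the key for the encryption module if the PIN is correct."""
        if self._key is None:
            raise CardDisabled("card disabled, key deleted")
        # Spend the attempt before comparing, so that interrupting the
        # check (e.g. pulling the card) cannot yield a free guess.
        self._tries_left -= 1
        if hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left = MAX_ATTEMPTS  # assumption: success resets the counter
            return bytes(self._key)
        if self._tries_left == 0:
            for i in range(len(self._key)):  # overwrite before dropping the reference
                self._key[i] = 0
            self._key = None
            raise CardDisabled("8 wrong PINs: card disabled, key deleted")
        raise PermissionError(f"wrong PIN, {self._tries_left} attempts left")


def guess_success_probability() -> float:
    """Chance that 8 distinct blind guesses hit a uniformly random 8-digit PIN."""
    return MAX_ATTEMPTS / 10 ** PIN_LENGTH
```

Because the key is deleted rather than merely locked, a backup smart card holding a copy of the key is the only way to keep the data readable after a lock-out.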

1.4 The smart card

As standard, the HS256S works with two Java-based smart cards. The Oberthur Cosmo 64 v5.4 smart card is certified to FIPS 140-2 Level 3 and enables creating, copying, changing and destroying the cryptographic key in use. The key is administered with the DIGITTRADE HS256S applet.
BSI-certified smart cards (NXP P5CD081 J3A081 JCOP v2.4.1 R3, BSI-DSZ-CC-0675-2011) are optionally available. These smart cards are equivalent to the Oberthur Cosmo 64 v5.4, but in addition they are certified by the BSI (Federal Institute of Information Technology) with EAL5.