User Manual
Swissbit iShield Key
iShield Key FIDO2 [USB-A/NFC]
iShield Key Pro [USB-A/NFC]
Date: 10 March 2023
Document Version: 1.0.0


Summary of Contents for Swissbit iShield Pro

  • Page 1 User Manual Swissbit iShield Key iShield Key FIDO2 [USB-A/NFC] iShield Key Pro [USB-A/NFC] Date: 10 March 2023 Document Version: 1.0.0...
  • Page 2 The information or material contained in this document is property of Swissbit AG and any recipient of this document shall not disclose or divulge, directly or indirectly, this document or the information or material contained herein without the prior written consent of Swissbit AG.
  • Page 3: Table Of Contents

    Preconditions (11); PIN Setup of Swissbit iShield Key (11); Test Registration (13); Test Login (14); Register Swissbit iShield Key on an online Microsoft account (16); Usernameless/Passwordless Sign-in on an online Microsoft account (20); Sign-in with external Identity Provider (20); ... (28)...
  • Page 4 Setup Process (50); Use it to encrypt a Drive (56); Active Directory Bitlocker (57): Setup on Server (57); Self-enroll Certificate on Client PC (62); Use it on Client (64); Active Directory Logon (65): Setup on Server (65); Self-enroll Certificate on Client PC (65); Use it on Client (66); Troubleshooting (67)...
  • Page 5: Document Information

    Additionally, you can subscribe to receive emails for new blog posts and other product-related content. 2 Overview iShield Key The Swissbit iShield Key FIDO2 security key has only the FIDO2 applet installed, and the Swissbit iShield Key Pro Page 5 of 69...
  • Page 6 security key has the FIDO2, HOTP and PIV applets installed. In this section, you can find the functionalities that support your use cases. The following table guides you to the correct section in this guide for a more detailed description of your use case: Use Case Description...
  • Page 7: Swissbit Management Tools

    HOTP (iShield Key Pro only) and PIV (iShield Key Pro only) applets on your iShield Key and assist the use cases presented in this guide. You can download the command line tool from the Swissbit iShield Key landing page. We recommend adding the iKMcli to your path. Then you can execute operations as follows: iKMcli <command>...
  • Page 8: Hotp Command

    HOTP Command The hotp command has an option to show information about the HOTP applet on your iShield Key Pro: iKMcli hotp --info The info contains the version of the applet and the serial number of your iShield Key Pro. The default PIN for authenticating an HOTP operation is 1234.
  • Page 9 iKMcli piv --change-puk <new puk> --puk <puk> A new management key can be set by iKMcli piv --set-management-key <new key> --management-key <key> You can list all certificates on the smartcard with the following command iKMcli piv --list-certificates In order to delete a certificate by its slot number use iKMcli piv --delete-certificates <slot>...
  • Page 10: Fido2 Applications (Standard)

    4 FIDO2 Applications (Standard) Overview The Swissbit iShield Key FIDO2 and iShield Key Pro are FIDO-certified plug-and-play security products that support the FIDO2 and U2F standards to protect online accounts. They provide strong, trusted hardware authentication and allow users to securely access websites, applications, online services and company networks (for example Google, Microsoft, Salesforce, Amazon Web Services).
  • Page 11: Fido2 Login

    PIN Setup of Swissbit iShield Key Note: The Swissbit iShield Key is ready to use. If a PIN is not required, jump to section 4.2.3. To manage the security PIN of the Swissbit iShield Key, the built-in security key management functionality of Windows 10 can be used.
  • Page 12 Key. If the Swissbit iShield Key is recognized, you can choose either to create or to change the PIN of the Swissbit iShield Key, depending on whether a PIN was stored previously. The PIN of the Swissbit iShield Key can also be reset if it was lost or forgotten.
  • Page 13: Test Registration

    You could set up a new PIN if there is no PIN stored in it. To change the security PIN, the current PIN is required. If you reset the Swissbit iShield Key, please note that the credentials are lost after reset.
  • Page 14: Test Login

    Please note that you have to register your key again after resetting. After the security PIN is accepted, you have to touch the end of the Swissbit iShield Key, to make sure that a human is operating it and not a machine. You will be prompted to touch your security key.
  • Page 15 Finally, you will see the success message as shown below and the credential information about the Swissbit iShield Key you used. It means that the Swissbit iShield Key is working properly. Page 15 of 69...
  • Page 16: Register Swissbit Ishield Key On An Online Microsoft Account

    You can easily sign into your Microsoft account with the Swissbit iShield Key without giving your e-mail address and password. In this section, we guide you through registering the Swissbit iShield Key on an “online” Microsoft account. Logging into an offline Microsoft account (e.g. a local Windows PC account) is not covered in this section.
  • Page 17 In the following page choose “Use a security key”. Connect your Swissbit iShield Key and click “Next”. As the Swissbit iShield Key is a USB security key with NFC, you can choose either to plug it into your USB port or to hold it close to your NFC reader.
  • Page 18 Follow the pop-up to setup your Swissbit iShield Key. Please note that Microsoft requires the user to create a PIN for the Swissbit iShield Key. After you finish your setup, you will see the success page as shown below. Page 18 of 69...
  • Page 19 You will also receive an e-mail from Microsoft. Back on the verification options page, your Swissbit iShield Key should already be listed and you can manage it anytime (in the screenshot it is named “iShield FIDO2”). Page 19 of 69...
  • Page 20: Usernameless/Passwordless Sign-In On An Online Microsoft Account

    Usernameless/Passwordless Sign-in on an online Microsoft account As the Swissbit iShield Key is already registered on Microsoft, you can now sign in without an e-mail address and password. Visit https://login.live.com/ to login, and click “Sign in with a security key”. If you don’t see this option, click “Sign-in Options”...
  • Page 21 A user who has already enabled passwordless login by registering his Swissbit iShield Key with Keycloak as the identity provider can log into Dracoon with his user name and Swissbit iShield Key without a new registration. Once the user is authenticated, Keycloak informs Dracoon that the user was successfully authenticated and provides the identity information of this user.
  • Page 22 For other configurations of the OIDC client, please visit https://www.keycloak.org/docs/11.0/server_admin/#oidc-clients for more information. Please enable “WebAuthn Register Passwordless” in the tab “Required Actions”, and then set up a passwordless browser login flow following this guide: https://www.keycloak.org/docs/latest/server_admin/#creating-a-password-less-browser-login-flow. After this flow has been created, click on Authentication and switch to the tab “Flows”. Then choose your flow (in our example it is “Browser WebAuthn”) from the drop-down list.
  • Page 23 Click “System settings --- Authentication” and switch to the tab “OpenID Connect”. Click “add” to add a new profile. This means Keycloak is applied as the identity provider (in the screenshot above, “Swissbit” is the profile name). The configuration values of the identity provider can be fetched from <Keycloak-URL>/auth/realms/{realm-name}/.well-known/openid-configuration.
  • Page 24 The configuration value that you got from above should be entered in Dracoon as shown below. Page 24 of 69...
  • Page 25 You can visit https://cloud.support.dracoon.com/hc/en-us/articles/360001372679-OpenID-Connect-Keycloak for more information about OpenID Connect client configuration. Swissbit iShield Key Registration When the user authenticates on the account site of Keycloak, the user may choose multiple ways to sign in. You can find the account site at <Keycloak-URL>/auth/realms/{realm-name}/account/. Expand "Account Security"...
  • Page 26 Please follow the instructions to finish setting up your Swissbit iShield Key. The registered Swissbit iShield Keys are listed below. In the screenshot above, the user has configured one passwordless security key (in the screenshot it is named “iShield FIDO2”). Single Sign-On Test Now it is time to test the Single Sign-On functionality.
  • Page 27 You will automatically be redirected to Keycloak's login interface. Then enter your user name and choose the option “Use your security key for passwordless sign in” under the Sign in button instead of entering a password. Choose “Sign In with Security Key” and follow the pop-up instructions to log in.
  • Page 28: Swissbit Ishield Key On Various Services

    Swissbit iShield Key (in the screenshot it is named “iShield FIDO2”). Swissbit iShield Key on various services In this section we guide you through registering the Swissbit iShield Key as a security key to enable 2-factor authentication on various services.
  • Page 29 Setting 2, shown below, lets you change the verification condition when the Swissbit iShield Key is being registered as a security key. If you choose “If supported” or “Required”, a PIN is required when the Swissbit iShield Key is used as a second authentication factor.
  • Page 30 After these settings, as no security key is registered yet, the user is asked to add one. Follow the pop-up to register your Swissbit iShield Key (in the screenshot it is named “iShield FIDO2”); then you can give it an alias.
  • Page 31 Finally, you have successfully registered your Swissbit iShield Key. Now you could use it to login. Page 31 of 69...
  • Page 32: Bitbucket

    Bitbucket After login, go to the Personal settings and click “Two-step verification” under the security group. You will see that you must set up SSH on your account before you are able to enable two-step verification. You can visit https://support.atlassian.com/bitbucket-cloud/docs/set-up-an-ssh-key/ for more information about SSH configuration at Bitbucket.
  • Page 33 Now you can register your Swissbit iShield Key as a security key at Bitbucket. Give the device a name and click “Add security key” on the right side (in the screenshot it is named “iShield FIDO2”).
  • Page 34: Github

    Follow the pop-up instructions; finally, you have successfully registered your Swissbit iShield Key. Now you can use it to log in. GitHub Go to Settings, click “Password and authentication” under the tab “Access”, then choose “Security keys” from the Two-factor methods. Page 34 of 69...
  • Page 35 Now you should confirm your account recovery settings. Please note that you must finish setting up an Authenticator app and Recovery code before next step. Page 35 of 69...
  • Page 36 Now you can give your Swissbit iShield Key a name (in the screenshot it is named “iShield FIDO2”). Page 36 of 69...
  • Page 37: Amazon Web Service (Aws)

    Follow the pop-up instructions and finally you have successfully registered your Swissbit iShield Key. Now you can use it to log in. Amazon Web Service (AWS) After you log into the AWS Management Console, click your ID at the top-right side and choose “Security credentials”...
  • Page 38 Insert your Swissbit iShield Key and touch the end side of your Swissbit iShield Key. Your Swissbit iShield Key will be automatically detected. Finally, you have successfully registered your Swissbit iShield Key. Now you could use it to login. You could manage your security key by clicking the button “Manage MFA device”.
  • Page 39: Hotp Applications

    5 HOTP Applications Overview and Functionality The iShield Key Pro also offers one HMAC-based One Time Password slot. We recommend using HOTP for two-factor authentication on a service that does not support WebAuthn-compliant FIDO2 security keys. The iShield Key Pro implements touch-triggered HOTP generation with the RFC 4226 algorithm by the IETF.
  • Page 40: Password Generation And Authentication

    The iShield Key Pro implements secret key and counter-based HOTP generation using the HMAC based RFC 4226 algorithm. Given a secret key and counter value as input values, the iShield Key Pro computes a six or eight digit human-readable password. The counter is a moving factor. After computation of a new HOTP, the counter is incremented and the next HOTP is computed based on the incremented counter.
  • Page 41: Counter Resynchronization

    Counter Resynchronization It can happen that the token and server counters lose synchronization, for instance if the user touches the token and generates a new password but does not authenticate to the associated service with it. In order to avoid unsuccessful authentication attempts, configure the look-ahead parameter on the server. This parameter defines how many counter increments are considered for password comparison, so a certain tolerance is allowed.
  • Page 42: Piv Applications

    6 PIV Applications In this part of the guide, you will learn how to use your Swissbit iShield Key Pro as a personal identification and verification (PIV) device on Windows. The iShield Key Pro key with PIV applet provides different slots to store and provide various certificates for different use-cases.
  • Page 43: Logon

    Logon With the iShield Pro Key you implement a more secure logon based on a PKI hardware token instead of a password. Your Windows user account is configured to trust the certificate on your smartcard. You only need to plug in your iShield Pro Key and provide a short PIN, which is not only more secure than a password but also more convenient.
  • Page 44: Bitlocker

    Bitlocker Bitlocker is a Microsoft tool that is used to encrypt and decrypt data drives. This targets drives that are installed internally in a PC as well as external drives, which typically connect to various different machines. Whenever you store data on the drive, Bitlocker encrypts it with a pre-defined certificate. As soon as a Bitlocker session terminates (for example by unplugging the external USB drive or powering down the PC), the data is encrypted and no longer readable.
  • Page 45: Underlying Components

    Windows PIV driver to sign or decrypt with your iShield Key Pro. For write access, that is to say for provisioning your card, the installation of the OpenSC Minidriver and its configuration to use the Swissbit iShield PIV Module for card administration is required. Authentication The iShield Key Pro has three passwords that are required for management operations and usage.
  • Page 46: Requirements

    9A, the next one in slot 9D, followed by the retired slots in order. Requirements For now, Swissbit has tested the following systems and applications with Swissbit iShield Key Pro for PIV. PC Operating System: Windows 10 Pro; Home editions do not ship with Bitlocker or Domain Account support.
  • Page 47 Run the installer for your operating system. Make sure to select the “Complete” installation. Copy the .profile file to the profiles/ directory in your OpenSC installation folder (unless you have changed it, by default the OpenSC installation folder is C:/Program Files/OpenSC Project/OpenSC/). Create Management Key configuration OpenSC expects a text file containing the management key in the following format:...
  • Page 48 Add the following to the OpenSC configuration (the excerpt on the page is truncated; closing braces completed here):

        app default {
            framework pkcs15 {
                pkcs15init PIV-II {
                    module = "<ishield_piv_module_path>";
                }
            }
            card_atr 3b:97:11:81:21:75:69:53:68:69:65:6c:64:05 {
                driver = "PIV-II";
            }
        }

    Restart your PC now! Page 48 of 69...
  • Page 49: Preparation Of The Ishield Key Pro

    Preparation of the iShield Key Pro It is highly recommended to change the PIN, PUK and management key before using the iShield Key Pro. For this purpose, you can use the iKMcli. Please plug in your iShield Key Pro now and execute the following commands: iKMcli piv --change-pin <new pin>...
  • Page 50: Use Case: Local Account Bitlocker

    Use Case: Local Account Bitlocker In this scenario on the local account, the Bitlocker certificate is self-signed on the local PC, which requires a different setup procedure, than in other Bitlocker scenarios. This guide targets private customers that want to use the Bitlocker functionality on their home devices.
  • Page 51 Search for "certificates" and click "Manage file encryption certificates". Click through the wizard: Next > "☑ Create a new certificate" > Next > Page 51 of 69...
  • Page 52 "☑ Make a new self-signed certificate and store it on my smart card" > Next. Provide the PIN for your iShield Key Pro. Click Cancel (you do not need to finish the procedure, since by now the utility has already written the certificate to the smartcard).
  • Page 53 In the Windows Home Menu search for gpedit and open the "Group policy editor". Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption. Edit the setting "Validate smart card certificate usage rule compliance" ☑...
  • Page 54 Enable Bitlocker for one storage medium After this step, you have prepared an external flash drive or (internal) data-disk for Bitlocker. All the present data will be encrypted retroactively and all future data stored there will be encrypted. Note that this does not work with boot drives, but only data disks.
  • Page 55 Check "Use my smart card to unlock the drive" and click Next. Store your recovery key in a secure place; in case you lose your iShield Key Pro in the future, you can still recover your encrypted drive. Click Next...
  • Page 56: Use It To Encrypt A Drive

    Use it to encrypt a Drive As soon as the iShield Key Pro and external drive are prepared, the default Windows PIV driver is sufficient for usage with Bitlocker. You will not need to install the OpenSC Minidriver or iShield PIV module in this case. ...
  • Page 57: Use Case: Active Directory Bitlocker

    Use Case: Active Directory Bitlocker In this scenario, the PC, on which Bitlocker is used, is a workstation within an active directory domain. The domain server will manage all the domain information. Upon request, the certificate authority on the domain server will issue and sign the used certificate.
  • Page 58 General: Rename template Request Handling: Select purpose Encryption Page 58 of 69...
  • Page 59 Cryptography: Requests must use one of the following providers: Microsoft Base Smart Card Crypto Provider. Extensions: Application Policies: Edit... -> Remove all; Page 59 of 69...
  • Page 60 Add... -> New... -> Name: your choice (e.g. “Bitlocker network unlock”), Object identifier: 1.3.6.1.4.1.311.67.1.1 (default in Bitlocker policies, must correspond to settings on client); Key Usages: ☑ Allow key exchange only with key extension; ☑ Make this extension critical. Page 60 of 69...
  • Page 61 Security: Authenticated Users > allow Read Enroll Subject Name: Supply in request -> Accept warning Page 61 of 69...
  • Page 62: Self-Enroll Certificate On Client Pc

    Enable the created Template: 5. Click Okay to save the template. 6. In certsrv: go to your current domain > right click Certificate Templates > New > Certificate Template to Issue and select the template you have just created. Self-enroll Certificate on Client PC This requires you to install the OpenSC Minidriver.
  • Page 63 Go to the Start Menu and search for "Manage User Certificates". 2. Open Certificates - Current User > Personal > Certificates and right-click in the blank space. 3. Navigate to All Tasks > Request New Certificate. The Certificate Enrollment wizard should open. 4. Select Active Directory Enrollment Policy and click Next.
  • Page 64: Use It On Client

    Enable Bitlocker for one storage medium After this step, you have prepared an external flash drive or (internal) data-disk for Bitlocker. All the present data will be encrypted retroactively and all future data stored there will be encrypted. Note that this does not work with boot drives, but only data disks.
  • Page 65: Use Case: Active Directory Pc Logon

    Use Case: Active Directory PC logon In this scenario, the PC, on which Bitlocker is used, is a workstation within an active directory domain. The domain server will manage all the domain information. Upon request, the certificate authority on the domain server will issue and sign the used certificate.
  • Page 66: Use It On Client

    A prompt for the smartcard's PIN will show up. After entering the PIN, Windows should display a success message. Use it on Client From now on, whenever you lock your PC or log out of your account, you will be able to use your Swissbit iShield Key Pro to log on to your account.
  • Page 67: Troubleshooting

    Troubleshooting “The smart card is read-only / cannot perform the requested operation” If your iShield Key Pro is displayed as read-only or as not supporting the requested operation, the OpenSC minidriver is not properly installed. For provisioning your key you need to use the OpenSC minidriver, see 6.2.1. Please verify that you correctly installed a compatible OpenSC version including the OpenSC minidriver.
  • Page 68: Glossary

    PIN: Personal Identification Number; PIV: Personal Identity Verification; PKCS: Public-Key Cryptography Standard; PUK: Personal Unblocking Key; SSO: Single Sign-On; U2F: Universal 2 Factor; VPN: Virtual Private Network. 8 Document History Version 1.0.0, updated on 10.03.2023 by Swissbit AG: First Version. Page 68 of 69...
  • Page 69 SWISSBIT makes no commitments to update or to keep current information contained in this document. The products listed in this document are not suitable for use in applications such as, but not limited to, aircraft control systems, aerospace equipment, submarine cables, nuclear reactor control systems and life support systems.
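Pages 40 and 41 of the summary above describe how the iShield Key Pro generates RFC 4226 HOTP values from a secret and a moving counter, and why a server needs a look-ahead window to resynchronize when the user touches the token without submitting the password. The following Python is an added example, not code from the Swissbit manual or from the iKMcli tool; it implements HOTP (HMAC-SHA1 with dynamic truncation) and a verifier with a configurable look-ahead window, using the RFC 4226 Appendix D test secret as a constructed sample. The `HotpToken` and `HotpVerifier` classes and the `demo` function are illustrative names, not part of any Swissbit or OpenSC API.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # zero-padded six or eight digit password


class HotpToken:
    """Models the touch-triggered token: each touch emits a password and advances the counter."""

    def __init__(self, secret: bytes, digits: int = 6) -> None:
        self.secret, self.digits, self.counter = secret, digits, 0

    def touch(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1                                      # moving factor increments after every use
        return code


class HotpVerifier:
    """Server side: accept the password for the expected counter or any of the next `look_ahead`
    counters, then move the server counter past the matched one so no value is accepted twice."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6) -> None:
        self.secret, self.look_ahead, self.digits, self.counter = secret, look_ahead, digits, 0

    def verify(self, code: str) -> bool:
        for delta in range(self.look_ahead + 1):
            candidate = hotp(self.secret, self.counter + delta, self.digits)
            if hmac.compare_digest(candidate, code):           # constant-time comparison
                self.counter += delta + 1                      # resynchronize and burn earlier counters
                return True
        return False                                           # out of window: counter stays unchanged


def demo() -> dict:
    """Walk through normal use, a replay, a small desync inside the window and one beyond it."""
    secret = b"12345678901234567890"   # constructed sample: RFC 4226 Appendix D test secret
    token = HotpToken(secret)
    server = HotpVerifier(secret, look_ahead=3)
    results = {}

    first = token.touch()                                      # counter 0 -> 755224
    results["normal"] = server.verify(first)                   # True, server counter becomes 1
    results["replay"] = server.verify(first)                   # False, counter 0 is already burned

    for _ in range(2):
        token.touch()                                          # counters 1 and 2 generated, never submitted
    results["within_window"] = server.verify(token.touch())    # counter 3, delta 2 <= look_ahead -> True

    for _ in range(5):
        token.touch()                                          # counters 4..8 wasted
    results["beyond_window"] = server.verify(token.touch())    # counter 9, server at 4, delta 5 > 3 -> False
    results["server_counter"] = server.counter                 # still 4: a rejected attempt never advances it
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead parameter on the server is the tolerance the manual refers to: a larger window survives more unused touches, but it also widens the set of passwords accepted at any moment, so keep it small and rely on the resync step (advancing past the matched counter) to stop replays.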
