Table Of Contents

1 Introduction

1.1 Assumptions

1.2 Short Overview of our portfolio

2 Transaction Security

2.1 Turnkey solutions for end users

2.2 Smartcard solutions for mainstream applications

2.3 Corporate solutions

3 Network Security (virtual private networks)

3.1 Software based VPN gateways

3.2 Hardware based VPN gateways

  1. Introduction
    1. Assumptions

      The information provided in this document is based on the assumption that the Danish IT Security Council wants to evaluate the availability of end-user solutions for electronic commerce in its broadest sense. We have therefore left out information regarding classic PC access control, disk/file encryption solutions and public key infrastructure, and focus on solutions for transaction security and network security. We also assume that the reader is familiar with the basic concepts and technology of IT security.

    2. Short Overview of our portfolio

Utimaco is the leading European manufacturer of professional certified IT-security solutions with more than 1.5 million sold licenses and over 1000 clients. Our offer consists of integrated solutions from one source (one-stop-shopping) for end-to-end security requirements in organizations operating internationally. As a supplier of solutions, the company carries out security projects specific to the customer based on configurable standard products from the product range of SafeGuard®, with the Smart Card Reader CardMan® and CryptWare® technology. As an international company, Utimaco has 11 locations in 10 European countries and also has over 30 additional distribution partners (Value-Added-Resellers) in Europe, the USA, Australia and in South Africa.


Utimaco Safeware develops IT security solutions for the following application areas:

All Utimaco solutions are made in Europe and are not hindered by US export restrictions on strong cryptography.

For this document we have made a distinction between transaction oriented security solutions and network oriented security solutions. Both are relevant for e-commerce in its broadest sense.

  2. Transaction Security
    1. Turnkey solutions for end users

      The security objections against digital signatures no longer exist since the emergence of legal frameworks like the European Commission's directive on electronic signatures (30/11/1999) or national laws like the German digital signature act. These initiatives enable trade, industry and the authorities to sign and verify electronic documents in a legally valid manner.

      With SafeGuard® Sign&Crypt, Utimaco is one of the very first companies to offer a solution for legally recognized digital signatures, one that is soon to be certified in accordance with ITSEC E2. Electronic data can be signed and verified with SafeGuard® Sign&Crypt. In addition, the data can be compressed and/or encrypted with very secure algorithms. SafeGuard® Sign&Crypt can be integrated into the standard applications Word, Exchange/Outlook and Lotus Notes (currently on a project basis only) through plug-ins. With the help of the Software Development Kit (SDK), all of the signature functions of SafeGuard® Sign&Crypt can also be integrated for use with other Windows applications.

      Special feature: Thanks to the WYSIWYS or "what you see is what you sign" concept, the user sees precisely what he/she is signing irrespective of the parameters of an application. The viewer provides protection against macro manipulation of the signed document.

      SafeGuard Sign&Crypt

      | Attribute | Details |
      | --- | --- |
      | type of users | private and corporate end users |
      | application | secure e-mail (Outlook, Exchange, Lotus Notes); document security (Word, Excel); secure transactions (can be integrated in other applications via an SDK) |
      | security functions | confidentiality; authentication; non-repudiation of origin; integrity |
      | security level | ITSEC E2 high; DES/3DES; RSA 1024 bit (2048 bit version available soon) |
      | key storage | encrypted key files; RSA smartcards |
      | supported standards | standard algorithms (see above); X.509 v3 certificates; CRL v2 certificate revocation; LDAP v2 certificate and CRL retrieval; protocols S/MIME v2, PKCS#7 and MailTrust |
      | supported platforms | Windows 95 / Windows 98 / Windows NT 4 (Windows 2000 is foreseen) |
      | distribution medium | diskette or CD ROM |
      | price level | approx. 40-120 Euro |


       

    2. Smartcard solutions for mainstream applications

      The CardMan smartcard readers support all relevant smartcard standards and are available as stand-alone devices, integrated devices and PC Card devices for portables.

      CardMan smartcard readers

      | Attribute | Details |
      | --- | --- |
      | type of users | private and corporate end users |
      | application | all smartcard enabled applications, e.g. Netscape Navigator and Messenger, Internet Explorer, etc. |
      | security level | ITSEC E2 |
      | supported standards | ISO 7816; PC/SC; PKCS#11; CT-API; Home banking Computer Interface; interfaces RS232 / USB / PC Card; Microsoft label "Designed for Windows 95/98/NT" |
      | software and drivers | PKCS#11 plug-in for Netscape; PC/SC IFD for Microsoft Windows; CardMan API software development kit; proprietary drivers for DOS, Win3x and OS/2 |
      | supported platforms | DOS / Windows 3.x / Windows 95 / Windows 98 / Windows NT 4 (Windows 2000 is foreseen) and OS/2 |
      | models | external models "desktop" and "compact"; integrated in a PC keyboard; PC Card form factor II (PCMCIA) |
      | price level | approx. 40-100 Euro |

       

    3. Corporate solutions

    The CryptWare® Toolkit is an ANSI-C library which provides all necessary cryptographic and administrative functions to build secure electronic transaction systems easily, e.g. e-mail, EDI, telebanking, e-commerce systems and public key infrastructure components. CryptWare® Toolkit has an open architecture and is based on fast software implementations of industry-approved algorithms: RSA, triple-DES, IDEA, SQUARE, RIPE-MD160, MD5, SHA-1, etc. are all supported. Furthermore, protocols such as X.509, S/MIME, PKCS#7, MailTrust, PKCS#10, etc. are followed very closely. It is also designed to accommodate alternatives (e.g. PEM, PKIX, etc.) and various off-the-shelf hardware options including RSA smartcard and the CardMan® Compact reader, CryptWare® Board, CryptWare® Server, etc.

    CryptWare Toolkit

    | Attribute | Details |
    | --- | --- |
    | type of users | corporate transaction servers or integrated in corporate client applications |
    | application | automated secure e-mail; document security and secure file transfer/archiving; secure transactions |
    | security functions | confidentiality; authentication; non-repudiation of origin; integrity |
    | security level | DES/3DES/IDEA/RC2/SQUARE/SHA-1/MD2/MD5/RIPE-MD160; RSA 2048 bit |
    | key storage | encrypted key files; RSA smartcards; tamper proof hardware boards (own design and 3rd party) |
    | supported standards | standard algorithms (see above); X.509 v3 certificates; CRL v2 certificate revocation; LDAP v2 certificate and CRL retrieval; PKCS#11; protocols S/MIME v2, PKCS#7, and MailTrust (dynamic protocol switching) |
    | supported platforms | Windows 95 / Windows 98 / Windows NT 4 (Windows 2000 is foreseen) / Unix |
    | distribution medium | diskette or CD ROM |
    | price level | approx. 33-10.500 Euro |

  3. Network Security (virtual private networks)
    1. Software based VPN gateways

      SafeGuard® VPN provides the possibility of setting up a Virtual Private Network in public networks, eliminating typical security deficiencies of such networks with little implementation and maintenance effort. This solution guarantees security when data is transferred between branches and head offices and when the company network is accessed by travelling employees. Access to the Virtual Private Network is protected reliably using an X.509 user certificate which is stored on the user's smartcard (possession and knowledge). As soon as the user makes a connection between his/her usual application and a protected server, a log-on is carried out in the background with his/her certificate. The security here lies in the process employed, which is based on strong encryption with a 1024-bit key. Once the user has been recognized beyond doubt, all of the data that he or she exchanges with this server or a protected network is encrypted (e.g. with IDEA 128 bit). The same principles are applied to establish secure site-to-site network connections.

      SafeGuard VPN

      | Attribute | Details |
      | --- | --- |
      | type of users | private and corporate end users, corporate site-to-site security |
      | application | secure TCP/IP network connections (LAN/WAN/RAS/internet/…) |
      | security functions | confidentiality; authentication; integrity; IP packet filtering; end-to-end, site-to-site and end-to-site |
      | security level | DES/3DES; RSA 1024 bit |
      | key storage | encrypted key files; RSA smartcards |
      | supported standards | standard algorithms (see above); X.509 v3 certificates; CRL v2 certificate revocation; LDAP v2 certificate and CRL retrieval; IPSEC RFC-1825..1829 ESP and AH; Generic Security Services API |
      | supported platforms | Windows 95 / Windows 98 / Windows NT 4 (Windows 2000 is foreseen) / UNIX |
      | distribution medium | diskette or CD ROM |
      | price level | approx. 175-1250 Euro |

       

    2. Hardware based VPN gateways

KryptoGuard LAN is a black-box packet filter and VPN encryptor. Its design addresses the need to connect multiple LANs over untrusted WANs. It is a security system that runs independently of terminals, servers, workstations and/or operating systems. It is used as a security bridge within a LAN or between LANs. A central Security Management Station can manage all VPN gateways within an organisation.

KryptoGuard LAN

| Attribute | Details |
| --- | --- |
| type of users | corporate site-to-site security |
| application | secure TCP/IP network connections (LAN/WAN/internet/…) |
| security functions | confidentiality; integrity; audit; IP packet filtering; site-to-site and end-to-site |
| security level | DES/3DES |
| key storage | pre-shared symmetric keys |
| supported standards | standard algorithms (see above); IPSEC ESP |
| supported platforms | platform independent |
| models | 19" rack or desktop model |
| price level | approx. 5000 Euro |

 

Remark: In the course of 2000 a fully IPSEC-compliant version will permit interoperability with other IPSEC-enabled sites.