Leo secure reader providing PKI authentication with secure PIN management

Ingenico Healthcare/e-ID – « River Seine » - 25, quai Gallieni – 92158 Suresnes cedex - France Tél. 33(0)1 46 25 80 80 - Fax 33 (0)1 46 25 80 30 – http://healthcare-eid.ingenico.com/

Table of contents

1. Glossary
2. Introduction
2.1. A secure professional reader
2.2. Compatibility with middleware
3. Product description
3.1. Product features
3.2. USB interface
3.3. Smart card interface
3.4. Display Interface
3.5. Keypad interface
3.6. Secure PIN Entry feature
4. Operating systems supported
4.1. Windows®
4.2. Linux
4.3. MacOS®
5. Windows platform: installation
6. Packaging
7. Certifications and standards
7.1. Environmental
7.2. Reliability
7.3. Certifications

Leo secure smart card reader  2/14

1. Glossary

Acronym   Definition
USB       Universal Serial Bus
LCD       Liquid Crystal Display
RoHS      Reduction of Hazardous Substances
WEEE      Waste from Electric and Electronic Equipment
EMV       Europay Mastercard Visa
PKI       Public Key Infrastructure
PC        Personal Computer
PIN       Personal Identification Number
CCID      Chip/Smart Card Interface Devices
WHQL      Windows Hardware Quality Labs
ETSI      European Telecommunications Standards Institute
DEEE      Déchets d'Equipements Electriques et Electroniques
EMC       Electro Magnetic Compatibility

2. Introduction

2.1. A secure professional reader

Leo is a secure card reader aimed at government offices and companies with a Public Key Infrastructure (PKI) looking for a secure desktop card reader to implement user authentication and electronic signature with secure PIN management.

Leo complies with the PC/SC v2 part 10 standards, which enable the PC to communicate with the smart card regardless of the reader's specifics. It also provides additional security functions through its Secure PIN Entry mechanism. This feature enables the user to enter his/her PIN code locally on the reader keyboard: the code is presented directly to the chip card, without going through the PC.

As no data is transferred to the PC during PIN entry, there is no risk of compromising this sensitive data, even if the PC runs rogue software such as Trojan horses, keyloggers or other spyware.

Connected to the PC via a USB port, Leo provides the full flexibility needed by security applications for smart cards (the IAS-ECC standard, for example). Leo contains no sensitive data or secrets; therefore security cannot be compromised in case of loss or theft.

2.2. Compatibility with middleware

The use of secure identity documents such as electronic national identity cards, health cards or government agent cards frequently requires software solutions such as middleware and hardware devices such as smart card readers. These should work together to provide the best ergonomics for the end user with a high security level.

Thanks to cross-referencing efforts between Ingenico Healthcare/e-ID and market players, the Leo secure reader is easy to integrate into work environments and market middleware. It thus enables any customer building a project to speed up integration by using Leo readers and cross-referenced software solutions for authentication and electronic signature that comply with industry standards.

3. Product description

3.1. Product features

Feature                      Leo
Supported smart cards        Compliant with ISO 7816-1 to -4 (microprocessor smart cards)
Display                      - 2 lines of 16 characters
                             - 5 x 7 matrix / character
Keyboard                     13 rubber keys
Power supply                 Powered by USB port
Size                         L 110 mm x W 77 mm x H 61 mm
Weight                       305 g with USB cable (2 m)
Standards / Certifications   - EMV L1
                             - CE
                             - RoHS
                             - WEEE
                             - Common Criteria EAL 3+
PC connection                USB 2.0 full-speed (& USB 1.1)
Software environments        - CCID
                             - Windows 2000, XP, Vista, Seven, 8 (WHQL certified drivers)
                             - Mac OS 10.4, 10.5, 10.6 and 10.7
                             - Linux (Ubuntu - Debian)
Support                      PKI PC/SC v2 application with Secure PIN Entry

The design of the Leo secure reader provides enhanced ergonomics that facilitate countertop or desktop use. The keyboard is tilted at 20 degrees to ease PIN typing on the large keypad.

The dimensions and the angle of the display screen have been specially designed to provide excellent visibility.

Two LEDs are positioned on the lens to show that the reader is functioning properly and to indicate secure management of the PIN when the Secure PIN Entry feature is enabled.

Thanks to its hemispherical rubber pads, the reader does not slip on the table and has maximum stability.

[Figure: reader profile, labelled: Security label, 10 degrees, 2 LEDs, 20 degrees]

The design of the Leo reader takes into account all requirements of international security standards (Common Criteria). Security labels are positioned on each side of the smart card reader to ensure its integrity. NB: The reader is certified with an evaluation assurance level (EAL) 3+.

A hanging system compliant with a standard lock (not included) is also available to attach the reader to the desktop securely.

[Figure: Hanging system]

The card slot allows for easy use and includes a dust protection mechanism.

[Figure: Protection against dust]

In addition, Leo includes a mechanism that protects the smart card: it complies with the EMV standard tests on smart card deactivation (power-off) when the USB cable is pulled out of the computer (with or without APDU commands being sent to the card). The EMV standard requires the reader to complete the deactivation sequence in less than 1 millisecond: the Leo smart card reader deactivates the card in a few tens of microseconds.

3.2. USB interface

Parameter            Value/Description
DC characteristics   Powered by USB port
USB speed            USB 2.0 Full Speed Device (12 Mbit/s)
Device class         CCID

3.3. Smart card interface

Parameter                          Value/Description
Smart card operating frequency     4 MHz
Maximum supported card baud rate   Up to 230 Kbps
Cards supported                    Class A, Class B and Class C
Protocol supported                 T=0, T=1

3.4. Display Interface

Parameter                                       Value/Description
Technology                                      HTN reflective polarizer
Number of lines of the display                  2
Number of characters per line of the display    16
Character                                       5x7 dot matrix

The “power” LED is ON when the reader is attached to the correct CCID driver. The “lock” LED is ON when the reader requests the user to enter his PIN code (Secure PIN Entry).

The supported languages are English, French, German, Dutch, Spanish, Italian and Portuguese. At the very first power-on of the reader, the default language is English. As soon as the host makes a Secure PIN request, the reader switches to the language specified by the host. If the value is not recognized by the reader, the reader keeps the default language.

3.5. Keypad interface

Parameter               Value/Description
Number of rows          4
Number of columns       4
Default configuration   13 keys: 0-9, C, CL, OK
Technology              Rubber

3.6. Secure PIN Entry feature

Leo complies with the PC/SC v2 part 10 standards (Secure PIN Entry). Leo features secure PIN entry management that enables the user to enter his/her PIN code locally on the reader keyboard: the code is presented directly to the chip card, without going through the PC. This mode is indicated by the lighting of a padlock image on the reader lens. As no data is transferred to the PC during PIN entry, there is no risk of compromising this sensitive data, even if the PC is running rogue software such as Trojan horses, keyloggers or other spyware.
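
As an added illustration (not Ingenico's code), the following Python example shows the host side of a PC/SC v2 part 10 Secure PIN Entry request: it locates FEATURE_VERIFY_PIN_DIRECT in a reader's feature list and builds the PIN_VERIFY structure, including the language code the reader uses for its prompt. The LANGID values, the PIN reference in the APDU and the sample feature reply are assumptions constructed for the example.

```python
import struct

FEATURE_VERIFY_PIN_DIRECT = 0x06  # tag defined by PC/SC v2 part 10

# Standard Windows/USB LANGIDs for the languages the page lists; that the
# reader accepts exactly these values is an assumption.
LANG_IDS = {"en": 0x0409, "fr": 0x040C, "de": 0x0407, "nl": 0x0413,
            "es": 0x040A, "it": 0x0410, "pt": 0x0816}

def parse_features(tlv: bytes) -> dict:
    """Parse a GET_FEATURE_REQUEST reply: tag(1) len(1) control code (big-endian)."""
    features, i = {}, 0
    while i + 2 <= len(tlv):
        tag, length = tlv[i], tlv[i + 1]
        value = tlv[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated feature TLV")
        features[tag] = int.from_bytes(value, "big")
        i += 2 + length
    return features

def build_pin_verify(lang: str = "en", min_len: int = 4, max_len: int = 8) -> bytes:
    """PIN_VERIFY structure for an ISO 7816-4 VERIFY with an 8-byte ASCII PIN block."""
    # The host supplies only a template padded with 0xFF: the reader writes the
    # digits typed on its keypad into the block and sends it to the card itself.
    apdu = bytes([0x00, 0x20, 0x00, 0x01, 0x08]) + b"\xff" * 8  # P2 (PIN ref) is hypothetical
    return struct.pack(
        "<BBBBBHBBHB3sI",
        0x1E,                      # bTimerOut: 30 s for the first digit
        0x1E,                      # bTimerOut2: 30 s after the first digit
        0x82,                      # bmFormatString: byte units, offset 0, ASCII
        0x08,                      # bmPINBlockString: 8-byte PIN block
        0x00,                      # bmPINLengthFormat: no PIN length field
        (min_len << 8) | max_len,  # wPINMaxExtraDigit: min and max PIN length
        0x02,                      # bEntryValidationCondition: validation key pressed
        0x01,                      # bNumberMessage: one prompt on the display
        LANG_IDS.get(lang, LANG_IDS["en"]),  # wLangId (unknown code: English)
        0x00,                      # bMsgIndex
        b"\x00\x00\x00",           # bTeoPrologue
        len(apdu),                 # ulDataLength
    ) + apdu

# Constructed sample reply (control codes in the style returned by libccid).
SAMPLE_TLV = bytes.fromhex("060442330006" "070442330007")
```

The buffer passed to the reader never contains PIN digits, which is why malware on the PC that inspects this call learns nothing about the PIN.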

4. Operating systems supported

4.1. Windows®

- Windows 2000
- Windows XP 32 bits and 64 bits
- Windows Vista 32 bits and 64 bits
- Windows 7 32 bits and 64 bits
- Windows 8 32 bits and 64 bits

Windows embeds a default CCID driver, but that driver does not support Secure PIN Entry (SPE). Therefore, in order to make full use of the Leo smart card reader, a specific driver must be installed on the OS. An installer is available to help the user install the driver. This specific CCID driver is also available for download on Windows Update.

4.2. Linux

All distributions compliant with libccid 1.4.2 and newer versions:
- Ubuntu (LTS) 09.10, 10.04 and 10.10
- OpenSuse 12, 13 and 14
- Fedora 14
- Debian

The CCID driver source code is available at: http://pcsclite.alioth.debian.org/ccid.html
The source code can be downloaded from this repository: http://svn.debian.org/wsvn/pcsclite/trunk/Drivers/ccid/

4.3. MacOS®

- 10.4: Tiger
- 10.5: Snow Leopard
- 10.6: Leopard
- 10.7: Lion

An installation package is available for Mac OS X 10.4 Tiger, 10.5 Leopard, 10.6 Snow Leopard and 10.7 Lion.


5. Windows platform: installation

Microsoft certified installer for Windows 2000, Windows XP and Windows Vista / Seven / 8 (32-bit and 64-bit).

- Start executing the installation file by clicking Run DRIVER_LEO.exe.
- Click on “Next” button to continue the installation.
- Click on “I accept the terms of this contract” to begin installation.
- Click on “Finish” button to exit the installer.
- Connect your smart card reader into the USB port.

The reader is ready to use.


6. Packaging

The Leo smart card reader is delivered as standard in a single white box, wrapped in a plastic bag that is itself protected by a bubble bag.

A quick start guide (smart card format) describing the main installation steps is included.

7. Certifications and standards

The Leo is designed for office use as defined in the ETSI standard.

7.1. Environmental

Storage temperature     -25°C to +55°C; 10% to 95% RH
Operating temperature   +5°C to +40°C; 5% to 85% RH non condensing
Standards               IEC 60068-2-1 (cold), IEC 60068-2-2 (dry heat), IEC 60068-2-78 (damp heat)

7.2. Reliability

- MTBF: The theoretical reliability prediction (MTBF) of the product is calculated using the IEC62380 standard, 2004 version. According to this standard and to the reported assumptions (such as those related to the mission profile), the calculated MTBF of Leo is around 900 805 hours (= 1 110 FIT).
- Card connector: The card connector is guaranteed for 100 000 insertion/extraction cycles.
- USB connector: The USB connector is guaranteed for 5 000 insertion/extraction cycles.
- Keypad: Each key of the keypad is guaranteed for 200 000 actuation cycles.

7.3. Certifications

The Leo smart card reader has obtained the following certifications:
- EMV L1
- USB
- Winqual (Microsoft driver certification)

The device is CE certified and conforms to the essential requirements of the EMC directive 2004/108/EC, based on the following specifications applied:
- NF EN 55022:2006, A1
- NF EN 55024 (1998), A1 (2001), A2 (2003)

The device is RoHS compliant (directive 2002/95/EC).