Rutoken documentation

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

General information

Signs of correct connection of Rutoken devices to the computer 

The main signs of Rutoken devices connection are indicated in Table 1.

Table 1

Device name

Property

Token, Bluetooth Token, Token with Type-C, Token with NFC

the indicator lights up on the device

Smart Card

an indicator lights up on the smart card reader

During operations with the Rutoken device, do not disconnect it from the computer in any case. This may lead to an error.

Rutoken Control Panel

The Rutoken Control Panel is a software tool designed to service Rutoken devices in Microsoft Windows operating systems. The Rutoken Control Panel is installed in the system when installing the "Rutoken Drivers for Windows" kit.

Types of users in the Rutoken Control Panel:

  • User;
  • Administrator.

User's PIN code

The User's PIN code is a password that is used to access the main functions of the Rutoken device.

The default User PIN is 12345678.

Administrator's PIN code

The Administrator's PIN code is a password that is used to access the administrative functions of the Rutoken device.

The default Administrator PIN is 87654321.

Connecting Rutoken devices to a computer

Connecting the token

To connect the token, insert it into the USB port of the computer. If the token is connected correctly, then an indicator will light up on it.

Connecting a smart card

A smart card reader is used to connect the smart card to the computer.

Both an empty reader and a reader with an inserted smart card can be connected to the USB port of the computer.

To connect a smart card to a computer:

  1. Insert the smart card into the reader.
  2. Connect the reader to the computer's USB port. If the smart card is connected correctly, the indicator on the reader will light up. If the smart card is inserted into the reader incorrectly, the indicator on the reader may blink. 

 Connecting a Rutoken with a Type-C connector to a computer

A Rutoken with a Type-C connector connects to a computer that has a special USB Type-C port. On some computers, this port is designated as Thunderbolt 3 (USB-C).

If the token is connected correctly, then an indicator will light up on it.

Launching the Rutoken Control Panel

There are several ways to launch the Rutoken Control Panel:

Method 1.  Launching from the desktop of the computer (used if there is a Rutoken Control Panel icon on the desktop)

Use the left mouse button to double-click on the Control panel icon located on the desktop of the computer.

Method 2.  Launching from the Start menu (used if there is no Rutoken Control Panel icon on the desktop)

For Windows 10:

  1. Click Search in Windows.
  2. Enter the line "Rutoken" in the search box. If the English version of the operating system is used, then enter the line "Rutoken".
  3. Left-click on the name of the found program.

For  Windows 7:

  1. Click on Start.
  2. Enter the line "Rutoken" in the search box. If the English version of the operating system is used, then enter the line "Rutoken".
  3. Left-click on the name of the found program.

For  Windows XP:

  1. Click on Start.
  2. Left-click on the Search menu item.
  3. On the left side of the window called Search results left-click on the Files and Folders link.
  4. In the field for specifying the file name, enter the line "Rutoken". If the English version of the operating system is used, then enter the line "Rutoken".
  5. Click on Find
  6. In the right part of the window, left-click twice on the name of the found program.

Method 3.  Launching from the computer Control Panel (used if the taskbar is hidden)

  1. Launch the dialog box. To do this, press the Win+R key combination.
  2. In the dialog box, enter the "control panel" line and click OK.  
  3. In Control Panel click on the link Equipment and sound.
  4. Click on the link Rutoken Control Panel.

Device selection in the Rutoken Control Panel

If several Rutoken devices are connected to the computer at the same time, then before starting work, you need to select the device with which operations will be performed.

To select a device:

  1. Launch the Rutoken Control Panel.
  2. Select a device on the Administration tab in the drop-down list called Connected Rutoken.

Checking the correctness of the device selection

To check the correctness of the device selection:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Click on Information. The Information about Rutoken window will open.
  4. If a Bluetooth token is selected, then it is necessary to compare the value in the ID field (the last 5 digits) with the numbers indicated on the Bluetooth token case.
  5. If a token is selected, then it is necessary to compare the value in the ID field with the numbers indicated on the token body.

Viewing information about the Rutoken device

To view information about the Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Click on Information. The Information about Rutoken window will open.

The description of the information about the Rutoken device presented in the control panel is given in Table 2.

Table 2

Field

Description

Name

Personalized device label

Model

General name of the device

System name

The name used to designate the device in other applications

ID

Unique digital device identifier

Version

Rutoken device firmware version and status flags

Shared memory (bytes)

The total amount of memory of the selected device

Free memory (bytes)

The amount of device memory (available to the user)

The User's PIN code can be changed

The policy selected to change the User's PIN on the device

Using UTF-8 in PIN codes

The ability to safely use сyrillic characters when setting a PIN code

CryptoPro FKC Support

The device supports working with CryptoPro Rutoken CSP via a secure FKC channel

Microsoft Base Smart Card Crypto Provider

The device supports working with a standard cryptography provider for smart cards from Microsoft

The device is connected via RDP

Is the device connected via the RDP protocol

Viewing the version of the installed kit "Rutoken Drivers for Windows"

To view the version of the installed kit "Rutoken Drivers for Windows":

  1. Launch the Rutoken Control Panel.
  2. Go to the tab About the program. The current version of the Rutoken Drivers for Windows kit installed on the computer is indicated in the field Version of the Rutoken drivers

Entering the User's PIN code to work with the Rutoken device

After entering an incorrect User's PIN code several times in a row, the Rutoken device is blocked. Only the Administrator of the Rutoken device can unlock it.

To enter the User's PIN code:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Check that the switch is set to User.
  6. Enter the User's PIN.
  7. Click OK.
  8. If an incorrect PIN code is entered, a message about it will be displayed on the screen. The maximum number of of attempts to enter the PIN code is indicated in the attempts left field. 

The choice of the crypto provider used by default for the Rutoken device

Crypto provider is a dynamically connected library that implements cryptographic functions with a standardized interface.

Each cryptographic provider can have their own sets of algorithms and their own requirements for the format of keys and certificates.

To select the crypto provider used by default for the Rutoken device:

  1. Launch the Rutoken Control Panel.
  2. Go to the Settings tab.
  3. Click on Configuration.
  4. Select the name of the crypto provider from the drop-down list next to the device model.
  5. To apply the changes and continue working with the settings, click on Apply
  6. To confirm the choice of a cryptographic provider, click OK.
  7. In the window requesting permission to make changes on the computer, click Yes.

Selection of the method for generating RSA key pairs (for the Rutoken EDS device)

You should not use Microsoft crypto provider to generate key pairs if you are not sure about the security of your computer.

To select a cryptographic provider to generate RSA key pairs:

  1. Launch the Rutoken Control Panel.
  2. Go to the Settings tab.
  3.  Click on Configuration
  4. In the section Settings of the Aktive Co. Rutoken CSP v1.0 crypto provider  select a method for generating RSA 2048 bit key pairs for Rutoken EDS. To do this, set the switch to the desired position.
  5. To apply the changes and continue working with the settings, click on Apply
  6. To confirm the choice of a cryptographic provider, click OK.
  7. In the window requesting permission to make changes on the computer, click Yes.

Selecting PIN settings

You can set the settings for the PIN code in the Rutoken Control Panel. The list of settings is specified in Table 3.

Table 3

Setting

Result of setting selection

Remember the PIN code from the app...

The PIN code is entered once when using the Rutoken device for the first time in the application

Offer to change the PIN code every time...

Every time after entering the PIN code, a message is displayed on the screen with a suggestion to change the PIN code (if the user has not changed the default PIN code)

Encoding the PIN code in UTF-8...

The PIN code can consist of Cyrillic characters

The Remember PIN-code setting allows you to reduce the number of PIN-code entries in applications due to their short-term storage by the crypto provider in encrypted memory. Do not use this setting if you are not sure about the security of the computer.

The Encoding the PIN code in UTF-8 setting allows you to safely use PIN codes containing cyrillic characters. 

To select the settings for the PIN code:

  1. Launch the Rutoken Control Panel.
  2. Go to the Settings tab.
  3. Click on Settings. 
  4. Check the boxes next to the names of the required settings.
  5. To apply the changes and continue working with the settings, click on Apply
  6. To confirm the selection of settings, click OK.
  7. In the window requesting permission to make changes on the computer, click Yes.

Changing the User's PIN code

By default, the User's PIN code set for the Rutoken device is 12345678. For security reasons, before using the Rutoken device for the first time, it is recommended to change the default PIN code.

The recommended length of the PIN code is 6-10 characters. Using a short PIN (1-5 characters) significantly reduces the level of security, and a long PIN (more than 10 characters) can lead to an increase in the number of errors when entering it.

Access to the certificates stored on the device is possible only after specifying the PIN code. If the PIN code has been changed, then it must be remembered.

To change the PIN code:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click Enter the PIN code and specify the User's PIN code.
  5. Click OK.
  6. Click on Change.
  7. Enter the new PIN in the fields Enter the new PIN and Confirm the new PIN. If the PIN security indicator located next to the field Enter a new PIN code is highlighted in red, then the PIN code is "weak", if yellow — then "medium", and if green - then "reliable".
  8. Click OK.

Indication of the Rutoken device name by the User

In order to distinguish Rutoken devices from each other, you should set a name for each device. It will not always be displayed in third-party applications.

It is recommended to specify the first and last name of the owner of the device or a short name of the scope of the device use.

To specify the Rutoken device name:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Set the switch to User.
  6. Enter the User's PIN.
  7. Click OK.
  8. Click on Change.
  9. Enter the name of the Rutoken device in the Name field.
  10. Click OK.

Entering the Administrator's PIN code to work with the Rutoken device

After entering the wrong Administrator PIN code several times in a row, the device is blocked. The Administrator's PIN code cannot be unlocked. If the Administrator's PIN code is blocked, it is necessary to format the Rutoken device, but all data stored on it will be permanently deleted.

To enter the Administrator's PIN code:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Set the switch to Administrator and enter the Administrator PIN.
  6. Click OK.

Changing the Administrator's PIN code

By default, the Administrator PIN code set for the Rutoken device is 87654321. For security reasons, it is recommended to change the default PIN code before using the Rutoken device for the first time.

The recommended length of the PIN code is 6-10 characters. Using a short PIN (1-5 characters) significantly reduces the level of security, and a long PIN (more than 10 characters) can lead to an increase in the number of errors when entering it.

To change the Administrator's PIN code:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Set the switch to Administrator and enter the Administrator PIN.
  6. Click OK.
  7. Click on Change.
  8. Make sure that the switch is set to the Administrator position.
  9. Enter the new PIN code in the fields Enter the new PIN and Confirm the new PIN code. If the PIN security indicator located next to the field Enter a new PIN code is highlighted in red, then the PIN code is "weak", if yellow - then "medium", and if green - then "reliable". 
  10. Click OK.

Change of the User's PIN code by the Administrator

The Administrator can change the User's PIN code only if the "User and Administrator" ("Administrator") PIN change policy was selected when formatting the device.

To view the current PIN change policy, open the Rutoken device details.

The recommended length of the PIN code is 6-10 characters. Using a short PIN (1-5 characters) significantly reduces the level of security, and a long PIN (more than 10 characters) can lead to an increase in the number of errors when entering it.

To change the User's PIN code:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Set the switch to Administrator and enter the Administrator PIN.
  6. Click OK.
  7. Click on Change.
  8. Set the switch to User.
  9. Enter the new PIN in the fields Enter the new PIN and Confirm the new PIN
  10. Click OK.

Unlocking the User's PIN code by the Administrator

The User's PIN code is blocked if the user has entered it with an error several times in a row. The User's PIN code can only be unlocked by the administrator.

After the User's PIN code is unlocked, the counter of failed authentication attempts will take its original value (set when formatting the Rutoken device).

After unlocking, the User's PIN code will not change. The Administrator can set a new User PIN code only when formatting the Rutoken device.

In order to unlock the User's PIN code:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Set the switch to Administrator and enter the Administrator PIN.
  6. Click OK
  7. In the section PIN Management click Unlock. In the window with the message about the successful completion of the operation, click OK.  As a result, the User's PIN code will be unlocked.

Formatting by the Administrator of the Rutoken device

During the formatting of the device, all objects created on it will be deleted. Only those objects that have been stored in protected memory (for Rutoken EDS Flash) will remain. Also, when formatting, new PIN values are set or default values are selected. If the user has exhausted all attempts to enter the Administrator's PIN code, then it is possible to return the device to the factory-fresh state. For such formatting, the Administrator's PIN code is not required. When returning the Rutoken EDS Flash device to the factory-fresh state, the contents of the Flash memory will also be cleared, and the information recorded in it will be permanently deleted.

When formatting a Rutoken device, all data on it, including keys and certificates, will be permanently deleted.
During the formatting process, do not disconnect the Rutoken device from the computer, as this may lead to its breakdown.

To start the Rutoken device formatting process:

  1. Launch the Rutoken Control Panel.
  2. Select the Rutoken device.
  3. Check the correctness of the device selection.
  4. Click on Enter the PIN code.
  5. Set the switch to Administrator and enter the Administrator PIN.
  6. Click OK.
  7. Click Format. A window called Formatting the token will open.
  8. Specify the name of the Rutoken device.
  9. Change the policy.
  10. When working with a Bluetooth token, specify the method of encrypting the radio channel.  In the Security section, set the switch to the desired position.
  11. Enter the new PIN code of the User (Administrator).
  12. Specify the minimum length of the User's (Administrator's) PIN code.
  13. Specify the maximum number of attempts to enter the PIN code of the User (Administrator).
  14. Click Start.
  15. In the window with a warning about deleting all data on the Rutoken device, click OK.
  16. Wait for the formatting process to finish.
  17. In the window with the message about successful formatting of the Rutoken device, click OK.

Specifying the name of the Rutoken device when formatting

To specify the name of the Rutoken device when formatting specify a new device name in the Token name field.

Changing the policy when formatting

Depending on the policy selected when formatting the Rutoken device, the User's PIN code may be changed:

  • only by the User (if the switch is set to "User");
  • by User and Administrator (if the switch is set to "User and Administrator");
  • only by the Administrator (if the switch is set to "Administrator").

In order to understand which policy to choose, follow the link "Which policy should I choose?" (located in the section the user's PIN code can be changed).

To change the policy in the section the user's PIN code can be changed, set the switch to the desired position.

Specifying the new PIN code of the User (Administrator) when formatting

In order to set a new PIN code of the User (Administrator), which will be available only after the formatting process is completed:

  1. in the corresponding section, uncheck the box Use the default PIN;
  2. enter the new PIN code in the fields New PIN code and Confirmation.

Specifying the minimum length of the User's (Administrator's) PIN code when formatting

The recommended length of the PIN code is 6-10 characters. Using a short PIN (1-5 characters) significantly reduces the level of security, and a long PIN (more than 10 characters) can lead to an increase in the number of errors when entering it.

In order to set the minimum length of the PIN code of the User (Administrator), select the desired value in the corresponding section in the drop-down list Minimum PIN code length.

Specifying the maximum number of attempts to enter the PIN code of the User (Administrator) during formatting

To increase the security level, you should change the original value. The recommended number of attempts to enter the PIN code is 5 times. A small number of attempts (1-4 times) can lead to accidental PIN code blocking, a large number (more than 5 times) - will reduce the level of information security.

In order to set the maximum number of attempts to enter the PIN code of the User (Administrator), select the desired value in the corresponding section in the drop-down list Attempts to enter the PIN code.


Working with PIN quality policies

PIN quality policies allow you to increase the level of PIN security.

In the Rutoken Control Panel, all PIN codes are divided into three categories by quality:

  • weak;
  • medium;
  • reliable.

There is a choice of policies that will be taken into account when assessing the quality of the PIN.

The following policies are used to control the quality of the PIN code:

  1. The minimum length of the PIN code.
  2. The policy of using the default PIN code.
  3. The policy of using a PIN code consisting of a single repeated character.
  4. The policy of using a PIN code consisting only of digits.
  5. The policy of using a PIN code consisting only of letters.
  6. The policy of using a PIN code that matches the previous PIN code.

When installing the "Rutoken Drivers for Windows" kit, the policy settings are set by default.

By default, all previously specified PIN quality policies are selected. 

By default, a password is considered "weak" if its length is less than one character.

PIN quality policies can be changed in the Rutoken Control Panel by a user with operating system administrator rights or a domain administrator.

Each new PIN must comply with the selected quality policies.

PIN quality policies are set in the Rutoken Control Panel for a specific computer.

In order to select the policies that will be taken into account when assessing the security level of the PIN:

  1. Launch the Rutoken Control Panel.
  2. Go to the Settings tab.
  3. Click on Configuration.
  4. In the drop-down list called Consider the PIN code as "weak" when the length is less than select the required number.
  5. In the section Policies check the boxes next to the policy names.
  6. In order to have a message warning that the PIN code does not comply with the selected policies displayed on the screen when entering an incorrect PIN code, select the value "Warn" in the drop-down list If a "weak" ("medium") PIN code is set.
  7. In order to prohibit the use of a "weak" password, select the value "Prohibit use" in the drop-down list If "weak" PIN code is set.
  8. To set the default policies and behavior when changing the PIN code, click Set Default.
  9. To confirm the changes, click OK.
  10. To apply the changes and continue working with the policies, click on Apply.
  11. In the window requesting permission to make changes on the computer, click Yes.
  • No labels