Leo secure smart card reader providing PKI authentication with secure PIN management

Ingenico Healthcare/e-ID
«River Seine» - 25, quai Gallieni
92158 Suresnes cedex - France
Tel. 33 (0)1 46 25 80 80 - Fax 33 (0)1 46 25 80 30
http://healthcare-eid.ingenico.com/
Table of contents

1. Glossary
2. Introduction
   2.1. A secure professional reader
   2.2. Compatibility with middleware
3. Product description
   3.1. Product features
   3.2. USB interface
   3.3. Smart card interface
   3.4. Display Interface
   3.5. Keypad interface
   3.6. Secure PIN Entry feature
4. Operating systems supported
   4.1. Windows
   4.2. Linux
   4.3. MacOS
5. Windows platform: installation
6. Packaging
7. Certifications and standards
   7.1. Environmental
   7.2. Reliability
   7.3. Certifications
1. Glossary

Acronym   Definition
USB       Universal Serial Bus
LCD       Liquid Crystal Display
RoHS      Reduction of Hazardous Substances
WEEE      Waste from Electric and Electronic Equipment
EMV       Europay Mastercard Visa
PKI       Public Key Infrastructure
PC        Personal Computer
PIN       Personal Identification Number
CCID      Chip/Smart Card Interface Devices
WHQL      Windows Hardware Quality Labs
ETSI      European Telecommunications Standards Institute
DEEE      Déchets d'Équipements Électriques et Électroniques
EMC       Electro Magnetic Compatibility
2. Introduction

2.1. A secure professional reader

Leo is a secure card reader aimed at government offices and companies with a Public Key Infrastructure (PKI) that are looking for a secure desktop card reader to implement user authentication and electronic signature with secure PIN management.

Leo complies with the PC/SC v2 part 10 standards, which enable the PC to communicate with the smart card regardless of the reader's specificities. It also provides additional security functions thanks to its Secure PIN Entry mechanism. This feature enables the user to enter his/her PIN code locally on the reader keyboard: the code is presented directly to the chip card, without going through the PC. As no data is transferred to the PC during the PIN entry, there is no risk of compromising this sensitive data, even if the PC runs rogue software such as Trojan horses, keyloggers or other spyware.

Connected to the PC via a USB port, Leo provides the full flexibility needed by security applications for smart cards (the IAS-ECC standard, for example).

Leo contains no sensitive data or secrets; therefore security cannot be compromised in case of loss or theft.
2.2. Compatibility with middleware

The use of secure identity documents such as electronic national identity cards, health cards or government agent cards frequently requires computer software solutions such as middleware and hardware devices such as smart card readers. These should work together to provide the best ergonomics for the end user with a high security level.

Thanks to cross-referencing efforts between Ingenico Healthcare/e-ID and market players, the Leo secure reader is easy to integrate into work environments and market middleware. It thus enables any customer building a project to speed up integration by using Leo readers and cross-referenced software solutions for authentication and electronic signature that are compliant with industry standards.
3. Product description

3.1. Product features

Feature                      Leo
Supported smart cards        Compliant with ISO 7816-1 to -4 (microprocessor smart cards)
Display                      2 lines of 16 characters, 5 x 7 matrix / character
Keyboard                     13 rubber keys
Power supply                 Powered by USB port
Size                         L 110 mm, W 77 mm, H 61 mm; weight 305 g with USB cable (2 m)
Standards / Certifications   EMV L1, CE, RoHS, WEEE, Common Criteria EAL 3+
PC connection                USB 2.0 full-speed (& USB 1.1)
Software environments        CCID; Microsoft Windows 2000, XP, Vista, Seven, 8 (WHQL certified drivers); Mac OS 10.4, 10.5, 10.6 and 10.7; Linux (Ubuntu - Debian)
Support PKI                  PC/SC v2 application with Secure PIN Entry
The design of the Leo secure reader provides enhanced ergonomics for countertop or desktop use. The keyboard is tilted at 20 degrees to ease PIN typing on the large keypad. The dimensions and the angle of the display screen have been specially designed to provide excellent visibility. Two LEDs are positioned on the lens to show that the reader is functioning properly and to indicate the secure management of the PIN when the Secure PIN Entry feature is enabled. Thanks to its hemispherical rubber pads, the reader does not slip on the table and has maximum stability.

[Figure labels: 10 degrees; Security label; 2 LEDs; 20 degrees]

The design of the Leo reader takes into account all requirements of international security standards (Common Criteria). Security labels are positioned on each side of the smart card reader to ensure its integrity.

NB: The reader is certified with an evaluation assurance level (EAL) 3+.

A hanging system compatible with a standard lock (not included) is also available to attach the reader securely to the desktop.

[Figure: Hanging system]
The card slot allows for easy use and includes a dust protection mechanism.

[Figure: Protection against dust]

In addition, Leo includes a protective mechanism for the smart card: it complies with the EMV standard tests on smart card deactivation (power off) when the USB cable is pulled out of the computer (with or without APDU commands being sent to the card). The EMV standard requires the reader to complete the deactivation sequence in less than 1 millisecond: the Leo smart card reader disables the card in a few tens of microseconds.
3.2. USB interface

Parameter            Value/Description
DC characteristics   Powered by USB port
USB speed            USB 2.0 Full Speed Device (12 Mbit/s)
Device class         CCID

3.3. Smart card interface

Parameter                          Value/Description
Smart card operating frequency     4 MHz
Maximum supported card baud rate   Up to 230 Kbps
Cards supported                    Class A, Class B and Class C
Protocol supported                 T=0, T=1

3.4. Display Interface

Parameter                                      Value/Description
Technology                                     HTN reflective polarizer
Number of lines of the display                 2
Number of characters per line of the display   16
Character                                      5x7 dot matrix

The power LED is ON when the reader is attached to the correct CCID driver.
The lock LED is ON when the reader requests the user to enter his/her PIN code (Secure PIN Entry).

The supported languages are English, French, German, Dutch, Spanish, Italian and Portuguese. At the very first power ON of the reader, the default language is English. As soon as a Secure PIN request is made by the host, the reader switches to the language specified by the host. If the value is not recognized by the reader, the reader keeps the default language.
3.5. Keypad interface

Parameter               Value/Description
Number of rows          4
Number of columns       4
Default configuration   13 keys: 0-9, C, CL, OK
Technology              Rubber

3.6. Secure PIN Entry feature

Leo complies with the PC/SC v2 part 10 standards (Secure PIN Entry).

Leo features secure PIN entry management that enables the user to enter his/her PIN code locally on the reader keyboard: the code is presented directly to the chip card, without going through the PC. This mode is indicated by the lighting of a padlock image on the reader lens.

As no data is transferred to the PC during the PIN entry, there is no risk of compromising this sensitive data, even if the PC is running rogue software such as Trojan horses, keyloggers or other spyware.
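
The host side of the Secure PIN Entry exchange described in sections 3.4 and 3.6, as an added example (not Ingenico code): it parses a PC/SC v2 part 10 feature list and builds the PIN_VERIFY_STRUCTURE a host sends for FEATURE_VERIFY_PIN_DIRECT, including the display language field. The PIN reference, padding byte, LANGID table, little-endian field order and sample control codes are assumptions; the structure carries only padding, and the reader fills in the digits typed on its keypad.

```python
import struct

FEATURE_VERIFY_PIN_DIRECT = 0x06  # PC/SC v2 part 10 feature tag
# Windows LANGID values; which ones a given reader accepts is an assumption.
LANG_IDS = {"en": 0x0409, "fr": 0x040C, "de": 0x0407}
# Constructed GET_FEATURE_REQUEST reply; the control codes are sample values.
SAMPLE_REPLY = bytes.fromhex("060442330006070442330007")


def parse_features(tlv: bytes) -> dict:
    """Parse tag(1) | length(1, always 4) | control code(4, big-endian) entries."""
    features, i = {}, 0
    while i < len(tlv):
        entry = tlv[i:i + 6]
        if len(entry) != 6 or entry[1] != 4:
            raise ValueError("malformed feature TLV")
        features[entry[0]] = struct.unpack(">I", entry[2:])[0]
        i += 6
    return features


def build_pin_verify(pin_ref: int, lang: str, min_len=4, max_len=8) -> bytes:
    """Build a PIN_VERIFY_STRUCTURE whose APDU holds padding, never PIN digits."""
    # ISO 7816-4 VERIFY template; the reader overwrites the 0xFF padding
    # with the keypad input before sending the command to the card.
    apdu = bytes([0x00, 0x20, 0x00, pin_ref, 0x08]) + b"\xff" * 8
    header = struct.pack(
        "<BBBBBHBBHB3sI",            # assumed little-endian, as on the CCID wire
        0x00,                        # bTimerOut: reader default
        0x00,                        # bTimerOut2
        0x82,                        # bmFormatString: byte units, offset 0, ASCII
        0x08,                        # bmPINBlockString: 8-byte PIN block
        0x00,                        # bmPINLengthFormat: no length field inserted
        (min_len << 8) | max_len,    # wPINMaxExtraDigit: min and max digits
        0x02,                        # bEntryValidationCondition: validation key
        0x01,                        # bNumberMessage: one prompt message
        LANG_IDS[lang],              # wLangId: language of the reader prompt
        0x00,                        # bMsgIndex
        b"\x00\x00\x00",             # bTeoPrologue
        len(apdu),                   # ulDataLength
    )
    return header + apdu
```

A PC/SC application would pass the returned bytes to SCardControl using the control code that `parse_features` reports for tag 0x06.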
4. Operating systems supported

4.1. Windows

- Windows 2000
- Windows XP 32 bits and 64 bits
- Windows Vista 32 bits and 64 bits
- Windows 7 32 bits and 64 bits
- Windows 8 32 bits and 64 bits

Windows embeds a default CCID driver, but that driver does not support SPE. Therefore, in order to make full use of the Leo smart card reader, a specific driver must be installed on the OS. An installer is available to help the user install the driver. This specific CCID driver is available for download on Windows Update.

4.2. Linux

All distributions compatible with libccid 1.4.2 and newer versions:

- Ubuntu (LTS) 09.10, 10.04 and 10.10
- OpenSuse 12, 13 and 14
- Fedora 14
- Debian

CCID driver source code is available at: http://pcsclite.alioth.debian.org/ccid.html
The source code can be downloaded from this repository: http://svn.debian.org/wsvn/pcsclite/trunk/drivers/ccid/

4.3. MacOS

- 10.4: Tiger
- 10.5: Snow Leopard
- 10.6: Leopard
- 10.7: Lion

An installation package is available for Mac OS X 10.4 Tiger, 10.5 Leopard, 10.6 Snow Leopard and 10.7 Lion.
5. Windows platform: installation

Microsoft certified installer for Windows 2000, Windows XP and Windows Vista / Seven / 8 (32 bit and 64 bit).

- Start executing the installation file by clicking Run DRIVER_LEO.exe.
- Click on the Next button to continue the installation.
- Click on I accept the terms of this contract to begin installation.
- Click on the Finish button to exit the installer.
- Connect your smart card reader to the USB port. The reader is ready to use.
6. Packaging

The Leo smart card reader is delivered as standard in a single white box, wrapped in a plastic bag that is itself protected by a bubble bag. A quick start guide (smart card format) describing the main installation steps is included.
7. Certifications and standards

The Leo is designed for office use as defined in the ETSI standard.

7.1. Environmental

Storage temperature     -25 °C to +55 °C; 10% to 95% RH
Operating temperature   +5 °C to +40 °C; 5% to 85% RH non condensing

- IEC 60068-2-1 (cold)
- IEC 60068-2-2 (dry heat)
- IEC 60068-2-78 (damp heat)

7.2. Reliability

MTBF
The theoretical reliability prediction (MTBF) of the product is calculated using the IEC62380 standard, 2004 version. According to this standard and to the reported assumptions (such as those related to the mission profile), the calculated MTBF of Leo is around 900 805 hours (= 1 110 FIT).

Card connector
The card connector is guaranteed for 100 000 insertion/extraction cycles.

USB connector
The USB connector is guaranteed for 5 000 insertion/extraction cycles.

Keypad
Each key of the keypad is guaranteed for 200 000 actuation cycles.

7.3. Certifications

The Leo smart card reader has obtained the following certifications:

- EMV L1
- USB
- Winqual (Microsoft driver certification)

The device is CE certified and conforms to the essential requirements of the EMC directive 2004/108/EC, based on the following specifications applied:

- NF EN 55022:2006, A1
- NF EN 55024 (1998), A1 (2001), A2 (2003)

The device is RoHS compliant (directive 2002/95/EC).