Intersoft Logo


 Site Search



SecureKeyAgent is a Microsoft Windows application designed to be a private security container for public/private keys used by SecureNetTerm and SecureFTP.  The key agent runs as a program in the windows tray, and provides digital certificate and SSH public/private key authentication support.  It supports disk based SSH keys and well as those contained on smart cards, USB tokens, and within the Microsoft browser certificate store for  the TLS, SSH-1 and SSH-2 protocols.

Requests for RSA private key authentication for those keys located on a smart card or USB token in done by the device itself, the private key never leaves the device.  The agent supports the SSH agent forwarding protocol, thus allowing all private keys to reside on the users workstation or within a smart card or USB token.

SecureKeyAgent supports SSH private keys created by SecureNetTerm, SecureFTP, Putty and those created by the SSH Data Communication SSH client.  If a SSH private key or certificate is  passphrase protected, the passphrase is requested upon the initial startup of SecureKeyAgent.  The agent has the ability to export the public key of a SSH disk based key, the public key of a certificate, and the certificate itself for uploading to the host.

Click Screen for Larger Image

SecureKeyAgent has been tested with all the smart cards and USB tokens supported by the Microsoft browser. The following is a summary of the benefits and abilities of these devices.



Smart Cards

A smart card is the size of a conventional credit card, and has an electronic microchip embedded in it.  The chip contains a complete computer with microprocessor, memory and internal operating system.  The smart card stores electronic data and programs that are protected by advanced security features.  There are two types of smart cards: a contact smart card which must be inserted into a smart card reader, and a contactless smart card that has an antenna embedded inside it.  Other types of identity tokens are also now becoming popular, in particular, the USB (Universal Serial Bus) token, which takes advantage of the fact that all modern PC's have a USB port, whereas smart card readers are not so commonplace.


Why USB?

If smart cards are used for access control, then a smart card reader has to be included in the package.  The perception is that a smart card plus reader is expensive, and messy for road warriors (the mobile workforce), with cables, connectors, and inevitable interoperability issues.  The user is likely to forget, lose, or leave behind one or other of the pieces of hardware.  The USB format is seen as the future token access of choice by the PC manufacturers because:

  • It does not require them to provide additional hardware within the PC.
  • It is a low cost port to produce in manufacture
  • The convenience factor is becoming more evident with the movement of the USB port from the rear of the machine to the front or side
  • Multiple USB ports are now being provided, not just one, as was the case several years ago

All future PCs are certain to have USB Ports, while the widespread availability of other token interfaces remains uncertain (reprts show that 400 million computers today have USB ports.)


USB Token or Smart Card?

From the point of view of physical security, the USB token is a more ruggedised solution, with all the critical components covered with an outer frame, whereas all the smart card components are exposed.  The card is seen as easily damaged, with the electronics more exposed to tampering. The iButton device, from Dallas Semiconductor, is adverstised as an  "Armored steel computer chip for everyday wear and tear".

From the PKI perspective, the Rainbow iKey2000 in particular has been specifically produced to work with all the main PKI vendors and features the PKCS-11libraries, Entrust libraries, MS-CAPI and is compatible with Baltimore, Entrust, Xcert, and Verisign.

Adherance to the PKCS-11 and MS-CAPI standards enable access to these devices over the Internet.  Examples of this type of access can be found at the Aladdin eToken site, and of course all the major PKI vendors have the ability to generate the public/private keys for a digital certificate directly on the device with HTML scripting.  A major advantage is that the RSA private key is generated on the device and never leaves it.  Digital certificates can be ordered online and placed on the device in a matter of minutes.   The GemPlus site provides an excellent example of the ability to issue a digital certificate online, for access to company protected data using standard browsers.  Corporations that produce and manage their own certificates can grant/revoke access to critical applications/data in a matter of minutes.


Identify Yourself

A digital identity can be achieved through the use of a two-factor authentication process: something you have and something you know.  The something you have could take various forms, i.e. a smart card or token; the something you know is the PIN.  The authentication information is never removed from the smart card or token and passed across the network, thereby ensuring a far higher level of security.  The Aladdin eToken is also available in various colors, and access to the color is available electronically.  This can be a very visual and effective way to provide different levels of access to sensitive areas/data.

However, as well as a smart card or tokens are as a method of security, they also benefit from network administration with single
sign-on and sign-off advantage, saving the administrator valuable time should the user's access change.


What is a Digital Certificate?

A digital certificate is a set of electronic credentials that uniquely identify an individual. There are two parts to a digital certificate: a private key and a certificate.

Your private key is the piece of information that uniquely identifies you within the Public Key Infrastructure. Anyone who has access to the private key can impersonate you without detection. An impersonator can read eyes-only messages or sign documents as you. As a result, it is important to keep the private key secure. This is the main benefit of these devices. They serve as an impenetrable safe for the private key, ensuring that only the intended user has access to it. The private key can be generated on-board and never leaves the device for signing and encryption operations.

The certificate is the public part of your digital certificate. It contains your name and other identifying information. It also contains the public key, which is mathematically related to the private key. Using your certificate, other people can verify that you hold your private key, and therefore, must really be who you say you are.


Biometric Fingerprint Devices

The USB compliant Sony FIU-810 sets a new standard for information security by combining fingerprint technology with robust encryption and digital signature capabilities. The FIU-810 scans, stores, and verifies fingerprints internally. The fingerprints are never stored on the host PC or network server, making the FIU-810 extremely secure.  Additionally, the FIU-810 is a PKCS-11/CryptoAPI compliant hardware token and is able to generate and store up to 2048-bit RSA key pairs via an on-board exponent processor and 62MB of available private storage memory.



With more and more workers accessing company networks remotely, the issue of network security has become of paramount importance, especially when considering the confidentiality of the information being accessed.  Many businesses are already using digital identity to combat these security risks. The combination of SSH or TLS/SSL protocols with one of these

devices for authentication provides far greater security to the average business than was possible just a few years ago. SecureKeyAgent, combined with SecureNetTerm provides state of the art communications, encryption and authentication for the client/server environment today.

Contact InterSoft International, Inc. for additional information.

Did you know security breaches cost companies $375 billion per year?

Today, SecureKeyAgent uses state-of-the-art hardware and software to ensure that the person accessing your confidential data is authorized, legitimate, and securely connected.

Issue #1: Is the person accessing our data who they claim to be?

SecureKeyAgent allows you to establish and confirm a users' digital identity. A digital identity can be achieved through the use of a two-factor authentication process: 1) something you have and 2) something you know. The 'something you have' can take the form
of a smart card or token while the 'something you know' is the remote users personal identification number (PIN).

SecureKeyAgent supports disk based SSH Keys as well as external readers through its Smart Card/USB token manager. These devices ensure that the person sitting at the computer has the authority to access the system. The software supports all the leading Smart Card / USB tokens using the RSA PKCS-11 standard. New external readers coming on the market (supported by SecureKeyAgent) include finger print verification to further enhance your security.

Issue #2: Is their connection secure?

Yes. SecureKeyAgent contains an SSH key agent that ensures that all traffic between the host and SecureNetTerm is kept secure via private key authentication over the secured SSH connections.

SecureKeyAgent, combined with SecureNetTerm provides state of the art communications, encryption and authentication for most client/server environments in use today.

Issue #3: Can this solution work in my environment?

Although SecureKeyAgent was designed primarily for use with SecureNetTerm, it can also be used as a standalone application for the management of PKCS-11 compliant Smart Card / USB tokens.

SecureKey Agent also works well with current applications such as browsers and email clients. Each application establishes its own unique session to obtain access to the Smart Card or USB token.

Smart Cards and tokens also help with network administration. Single sign-on and sign-off features save administrators valuable time should a user's access privileges change.

SecureKeyAgent has been tested with the iButton Java 2 token, Aladdin eToken R2/PRO, RainBow iKey 2000 series, and the GemPlus GemSAFE smart card.

Bottom line: SecureKeyAgent is all you need to ensure that your data stays in the hands of the people you authorize to use it.

Navigation Bar

Designed and Maintained by BHS Digital - Optimized for Mozilla Firefox and Microsoft Internet Explorer.
© Copyright 1997 to Present, InterSoft International, Inc. All Rights Reserved.