SafeNet IDPrime Virtual 2.8.0
Issue Month: November 2024
Build Details
Server (Full version): 2.8.0
Product Description
SafeNet IDPrime Virtual (IDPV) is a PKI-based software authenticator that uses the latest software-based smart token technology to provide the strong two-factor security of a smart card. It is a cost-effective and convenient option for software authentication. IDPV emulates the functionality of physical smart cards used for authentication, email, data encryption, and digital signing, enabling use cases such as VDI, BYOD, backup, and mobility on any device. It secures the user's private key on an HSM, with user authentication performed by OIDC-compatible Identity Providers (IDPs).
Release Description
SafeNet IDPrime Virtual v2.8.0 includes new features and bug fixes from the previous version.
New Features and Enhancements
Added support for 3K/4K keys so that users can enroll these keys on IDPV smart cards. Smart cards with 3K/4K keys will be available to end users for all possible PKI operations.
To import 4K keys, HSM Firmware version must be 7.4 or above.
The following APIs are added:
IDPV Server APIs
- Complete Provisioning API: This API allows administrators to complete the provisioning process for a smart card.
  PUT /IDPrimeVirtual/V1/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/CompleteProvisioning
- GetTokens API V2: The updated version of the GetToken API provides token details and the provisioning status of the card.
  GET /IDPrimeVirtual/V2/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}
  Response:
  { "tokenID": "string", "metadata": "string", "keyIDs": [ "string" ], "isOfflineModeSupported": true, "isProvisioned": true }
- CreateToken API V2: The updated version of the CreateToken API creates tokens that can hold 3K/4K keys. In CreateToken API V2, the request signature is updated.
  POST /IDPrimeVirtual/V2/Tenants/{tenantId}/Users/{userId}/Tokens
  Response:
  { "tokenID": "string", "metadata": "string", "keyIDs": [ "string" ], "isOfflineModeSupported": true }
- GetToken List API V2: This API provides a list of all the tokens (tokens created with both the new and old versions of the GetToken List API).
  GET /IDPrimeVirtual/V2/Tenants/{tenantId}/Users/{userId}/Tokens
  Response:
  [ "string" ]
- Import API: This API is updated to import RSA keys of size 2048, 3072, or 4096. The user must provide a value for the newly added keyAttributes attribute. For example:
  "keyAttributes": { "000121": "4096" }
  If the user does not provide a value for this attribute, the system uses the default value, 2048, and the user will not be able to import 3K/4K certificates.
  POST /IDPrimeVirtual/V1/Tenants/{tenantId}/Users/{userId}/Keys:Import
  Request Body (the "000121" value is "2048", "3072", or "4096"):
  { "keyInfo": { "keyType": "string", "keyAttributes": { "000121": "2048", "additionalProp2": "string", "additionalProp3": "string" } }, "transportKey": "string", "keyMaterial": "string", "mechanism": { "mechanismType": "string", "mechanismName": "string", "mechanismP11Type": 0, "parameters": { "additionalProp1": "string", "additionalProp2": "string", "additionalProp3": "string" } } }
Provisioning APIs
- CreateToken API V2: This API creates tokens that can hold 3K/4K keys. In the CreateToken API V2 version, the request signature is updated.
  POST /IDPrimeVirtual/Provisioning/V2.0/Tenants/{tenantId}/Users/{userId}/Tokens
  Response:
  "string"
- GetToken API V2: The updated version of the GetToken API provides a list and other details of all the tokens (tokens created with both the new and old versions of the CreateToken List API).
  GET /IDPrimeVirtual/Provisioning/V2.0/Tenants/{tenantId}/Users/{userId}/Tokens
  Response:
  [ { "tokenId": "string", "cardId": "string", "provisioned": true, "cardVersion": "string", "created": "2024-11-21T07:44:17.292Z", "lastChange": "2024-11-21T07:44:17.292Z", "provisionDate": 0 } ]
- Generate CSR API: This API generates keys of size 2048, 3072, or 4096. The RSAKEYSIZE attribute is added to specify the size of the key to be generated. The default value of this attribute is 2048.
  GET /IDPrimeVirtual/Provisioning/V1.0/Tenants/{tenantId}/Users/{userId}/CertificateSigningRequest
  Request Body:
  { "generateKeyPairAlgorithm": "1.2.840.113549.1.1.1", "signAlgorithm": "1.2.840.113549.1.1.11", "subjectDistinguishedName": "string", "keyUsage": [ 0 ], "extendedKeyUsage": [ "string" ], "subjectAlternativeName": "string", "rsaKeySize": "2048" }
  Response:
  { "certificateSigningRequestData": "string", "keyId": "string" }
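The following added example (not part of the release notes or the IDPV product code) shows a client-side helper that builds the Keys:Import and CertificateSigningRequest bodies described above, pinning the "000121" key-size attribute and rsaKeySize to the sizes this release supports and refusing a 4K import when the HSM firmware is below 7.4. The keyType and mechanism values are placeholders; take the real values from the product documentation.

```python
"""Build and validate IDPV key-import and CSR request bodies (added example)."""
from typing import Optional

# RSA sizes the 2.8.0 release notes list for import and generation.
SUPPORTED_RSA_SIZES = (2048, 3072, 4096)
# keyAttributes entry that carries the RSA key size (named in the release notes).
KEY_SIZE_ATTR = "000121"
# Minimum HSM firmware required to import 4K keys (release-notes precondition).
MIN_FIRMWARE_FOR_4K = (7, 4)


def parse_firmware(version: str) -> tuple:
    """'7.4' -> (7, 4), '7.4.1' -> (7, 4, 1); tuple comparison orders versions."""
    return tuple(int(part) for part in version.split("."))


def build_import_request(key_material: str, transport_key: str,
                         key_size: Optional[int] = None,
                         hsm_firmware: str = "7.4") -> dict:
    """Return the Keys:Import body. Omitting key_size reproduces the server
    default (2048), so a 3K/4K key sent that way would not be importable."""
    if key_size is None:
        key_size = 2048
    if key_size not in SUPPORTED_RSA_SIZES:
        raise ValueError(f"unsupported RSA key size {key_size}")
    if key_size == 4096 and parse_firmware(hsm_firmware) < MIN_FIRMWARE_FOR_4K:
        raise ValueError("importing 4K keys requires HSM firmware 7.4 or above")
    return {
        "keyInfo": {
            "keyType": "PLACEHOLDER_KEY_TYPE",  # assumption: value from product docs
            "keyAttributes": {KEY_SIZE_ATTR: str(key_size)},
        },
        "transportKey": transport_key,
        "keyMaterial": key_material,
        # mechanism fields are placeholders; fill them from the Import API docs
        "mechanism": {"mechanismType": "PLACEHOLDER", "mechanismName": "PLACEHOLDER",
                      "mechanismP11Type": 0, "parameters": {}},
    }


def build_csr_request(subject_dn: str, key_size: int = 2048) -> dict:
    """Return the CertificateSigningRequest body with rsaKeySize set explicitly."""
    if key_size not in SUPPORTED_RSA_SIZES:
        raise ValueError(f"unsupported RSA key size {key_size}")
    return {
        "generateKeyPairAlgorithm": "1.2.840.113549.1.1.1",  # rsaEncryption OID
        "signAlgorithm": "1.2.840.113549.1.1.11",  # sha256WithRSAEncryption OID
        "subjectDistinguishedName": subject_dn,
        "keyUsage": [0],
        "extendedKeyUsage": [],
        "subjectAlternativeName": "",
        "rsaKeySize": str(key_size),
    }
```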
Default Password
Virtual IDPrime cards are supplied with the following default token password: “000000” (6 zeros) and the Administrator Password must be entered using 48 zeros.
Password Recommendations
We strongly recommend changing all device passwords upon receipt of a token/smart card, as follows:
- User PIN should include at least 8 characters of different types.
- PIN character types should include upper case, lower case, numbers, and special characters.
For more information, refer to the ‘Security Recommendations’ section in SafeNet IDPrime Virtual Server-Client Product Documentation.
Compatibility Information
Operating Systems
The following operating systems are supported:
Server Operating Systems
- Ubuntu 22.04
- RHEL 8
Middleware
- SafeNet Authentication Client 10.9.4482.0
- SafeNet Minidriver 10.9.4482.0
IDPV Windows Client
- Windows Client: 2.8.0.88
Virtual Smart Card Features
The table below specifies the features supported by IDPV:
Feature | Device: SafeNet IDPrime Virtual |
---|---|
Number of Keys | 15 max |
RSA Key Size | 2048 bit, 3072 bit, and 4096 bit |
RSA Padding | PKCS#1 v1.5 |
Hash and Signature Schemes | SHA-2 512-bit; CKM_SHA1_RSA_PKCS_PSS; CKM_SHA256_RSA_PKCS_PSS; CKM_SHA384_RSA_PKCS_PSS; CKM_SHA512_RSA_PKCS_PSS |
Supported APIs | PKCS#11 V2.20, PKCS#15, MS CryptoAPI and CNG (CSP, KSP), PC/SC |
Supported cryptographic algorithms | 3DES, SHA-256, RSA up to 2048/3072/4096, RSA PSS |
Execution of Third-Party Security Tools
- Aqua Trivy 0.34.0
- Anchore Grype 0.53.1
- Open Collective Dockle 0.1.16
- Anchore Syft 0.62.1
- Cisco ClamAV 2.6.5
Compatibility with Thales Applications
Virtual IDPrime cards can be used with the following products:
- SafeNet Authentication Service Private Cloud Edition (SAS PCE) with Keycloak / SafeNet Trusted Access (STA)
- SafeNet Authentication Client (SAC) 10.9.4482.0
- SafeNet Minidriver 10.9.4482.0
Known Issues
This section lists the known issues that exist in this release. The following table defines the severity of the issues listed in this section.
Severity | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Below are the known issues that exist in this release.
Issue | Severity | Synopsis |
---|---|---|
IDPV-5072 | H | Summary: DPoD is not working on Alpine based docker. Workaround: None |
IDPV-5710 | H | Summary: Friendly name doesn't appear when certificate is imported via Import API. Workaround: None |
Related Product Documentation
The following documentation is associated with this release:
ThalesDocs
We have attempted to make the documentation complete, accurate, and useful, but we cannot guarantee that it is perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.