PKI Public Key Infrastructure

The PKI series of products are designed to meet the requirements of information security on the Internet, intranet and extranet. The goal is to build up a robust foundation of enterprise information security applications for ID control, electronic signature and data confidentiality. The Changingtec PKI places more attention on "simplified implementation of security control systems", "reduced management overhead", and "extended information security application scope" that may affect the core competence of enterprises. It provides both security control packages and tailored services to enhance business competitiveness, lower development costs required by security control systems, and enhance core values of business entities.


CA Certificate Authority

This product is a management center for digital certificate issuance. It serves as the core component of single- or multi-layer public key infrastructure built by specific enterprises.

RA Registration Authority

Handles certificate service requests such as application, termination, extension, and renewal.

OCSP Online certificate status inquiry system

Provides a certificate status lookup system that gives organizations or units a mechanism for verifying certificate status.

KRS-key backup recovery system

KRS: The platform for key backup and recovery offers a safe encryption environment for organizations or units. It aims to prevent the situation where a key is lost and important electronic documents become impossible to recover.

Single Sign On (SSO)

Users may sign on with multiple certificates including internal, commercial, natural person, as well as financial and medical ones.

Card Management System (CMS)

Working together with the certificate authority (CA), this system provides batch certificate creation and release functions.

Secure Server(SS)- an encryption control system for key signature

Together with the Hardware Security Module (HSM), the SS provides encryption and decryption for applications as well as signature generation and verification mechanisms.

FES-a platform for securing document license

Ensure document security within enterprises by fending off unauthorized access while maintaining convenient access by outsiders.

VA multi-certificate verification system

Provides application systems with a verification mechanism for multiple types of digital certificates.

Secure file transmission system

A product of modularized design for secured transmission and automatic processing. The Audit Management Module keeps a complete audit trail.

MOTP-a system that provides mobile and dynamic passwords

Featuring "unpredictability, non-repetition, and discard-after-use", the MOTP is a solid protection lock with dual factor authentication.

Highly integrated flexibility

Changingtec's PKI (Public Key Infrastructure) products can seamlessly integrate with a wide range of business applications, including internal ones like remote secure sign-on, email client, and mobile security control as well as external ones like order exchange, electronic notes, electronic purchasing, and electronic billing. In addition, every PKI product features one cross-platform security control component for improved customization flexibility. This ensures that all customized systems developed in future can enjoy the benefits of PKI by employing the application interfaces that come with the security module. This PKI series supports scores of leading database systems and directory servers and offers the widest range of application possibilities, as all of them can be embedded in embedded systems that bear more restrictions.

Fast deployment

Changingtec's PKI products can operate in the varying enterprise information environments of today. They integrate with the existing information structure by integrating directly with a wide range of applications or products and by supporting most leading back-end database and directory server systems.

Cost effective implementation and maintenance

Integration flexibility of the PKI series enables direct client-end application integration as required to save implementation costs. Custom adjustments are also available for seamless integration with customers' application systems. The user friendly web interface for system management of Changingtec's PKI products reduces operation overhead of enterprise system administrators and maintenance costs in future.

Open system structure

The PKI (Public Key Infrastructure) series is designed to comply with information security standards including X.509v3, MS-CAPI, PKCS#7, PKCS#10, PKCS#11, PKCS#12 and OATH. The goal is to ensure that enterprises that implement products in the series can connect to the global network and enjoy the benefits of the PKI system continuously.

Enhanced security

Changingtec's PKI products fully support many leading brand hardware devices including HSM (turbocharged signature encryption card), USB Security Token, IC Card, and myPass USB drive for improved private key security at both server and client ends. This helps prevent key loss caused by system failure or key leakage from software key.

PKI System integration module
Security toolkits for application development
  • Signature encryption components, file security control components, XML security control components, PDF security control components, ID authentication components, and IC card security control components.

Card Management System (CMS)- for card creation and release
  • IC card initialization, card printing management and password slip printing

  • Online certificate status polling system (OCSP)

  • Immediate Search of Certificate

Secure Server(SS)-a key control system
  • Key management, signature encryption performance enhancement, and load balance/fail-over.

Validation Authority (VA) - multi certificate authentication server
  • Supports various certificates: MOICA, GCA, MOEACA, HCA, FXML CA, and in-house CA

  • IC card, USB token, HSM

  • security certificate device

Case Study

Applications & Benefits Government agencies

Convenient online filing services / Single sign-on integration solution / Official document / Signature Security control development kit / Electronic bill/receipt solution / Security control development kits for personnel attendance system / Document image management system (DIMS)

Banking and financing

Banking security control platform / FXML security control system / FEDI security control system / Electronic bill security control system / Online securities trading security control system / Mobile securities trading security control system / Online underwriting security control system / Electronic statement solution

Medicine

Hospital certificate management system / EMR solution / HIS security control development kits / Electronic timestamp integration kits

Enterprises

Enterprise certificates management system / Electronic purchasing security control platform / Electronic billing integration system / Secure email solution / DIMP integrated bank operation platform / Form recognition system / Access control integration

CA Certificate Authority

Digital certificate management mechanism

This product is a management center for digital certificate issuance. It serves as the core component of single- or multi-layer public key infrastructure built by specific enterprises. Based on relevant certificate issuance standards, this subsystem can process certificate application, revoke, lock, unlock, extend, and update requirements posed by a verified certificate registration system (RA) or lower tier CA system. In addition, this product provides the certificate revocation list (CRL) distribution service to ensure certificate validity assured by the certificate application system.

Certificate issuance fully controlled by individual enterprises

Enterprises can issue digital certificates to users, employees, partners and clients based on their own decisions to enjoy the benefits of policy autonomy and zero risk of card loss.

Robust public key infrastructure (PKI)

The Net-Sphinx network security control center creates robust and complete PKI for enterprises.

Secure ID verification and permission control

The security control center validates each user's ID and permission to ensure that only authorized users can enter relevant pages for certificate processing.

Flexible system management model

You may set up this system to be accessible by multiple certificate center supervisors to enable branches of global enterprises with their own certificate supervisors to engage in certificate issuance and management.

Convenient digital certificate management mechanism

The certificate management mechanism contains operations of certificate issuance, revocation, update, extension, and query in simple and easy pages through browsers. The system administrator may create a certification center and manage certificates while users may run a full range of personal certificate operations with ease.

Scalable three-tier structure adapts to your growth

This system is designed in a 3-tier structure for direct horizontal expansion when the system is overloaded by growing certificate requirements from users.

Flexible key strength up to 2048 bits

Common attributes of digital certificates set up by system administrators may cover key length, validity span, and certificate issuer basic data with optional key length of 2048 / 4096 bit or more.

Key backup and recovery services

This system supports a key escrow mechanism, ensuring all issued digital certificates are logged and saved for full backup / recovery services. In case of a lost key or forgotten password, the certificate administrator may replace it with a new one or change the password after careful review.

RA Registration Authority

Serving as the primary service window for general certificate users, this product authenticates general certificate user identification, accepts requests for certificate application, termination, extension, and renewal, relays these requests to the CA certificate management system for processing, and readies the certificate generated by the CA for users' downloads.

Microsoft CAPI and RSA PKCS standards compliant

Microsoft CAPI and RSA PKCS standards compliant, supports functions most CA systems lack, e.g. PIN code replacements and dynamic data write-in.

Convenient use

Download and manage certificates directly through the I.E., Chrome, Edge, and Firefox browsers.

Supports key generation function

The client software supports RSA/ECC key generation function. Keys generated can be placed in files, USB tokens, IC cards, and HSMs.

Supports SSL 3.0/TLS 1.0, 1.1, 1.2

Supports SSL 3.0/TLS 1.0, 1.1, 1.2 standards and accepts HTTPS connection at client end for secured connection channel.

Web-based system operation interface

System administrators may carry out administration tasks of operation history query, certificates statistics reporting, system status monitoring, and abnormality feedback through web-based interface to learn up-to-date system status.

Supports users' information requests and certificate application

Supports certificate application with Certificate Signing Request.

VA Validation Authority

The multi-certificate authentication system. This is a validation server for digital signatures. It serves as a multi-certificate validation mechanism for portals and application systems and composes an ideal PKI process along with cross-platform security control components. With its support for relevant PKI standards, this product can manage certificate revocation lists (CRLs) issued by public CAs and provides the online certificate status protocol (OCSP) function.

Support wide range of public certificates management center

Support GCA, MOICA, MOEACA, XCA, HCA, FXML certificates (by TFCA), and MCA (by MoD).

Easy deployment
  • Providing a comprehensive cross-platform service.

    1. SOAP web service. 2. RESTful API.
  • Supporting access interfaces for different system development environments, including C/C++, VB/ASP, .NET, JSP, Delphi, etc., to facilitate the integration of certificate application mechanisms in various application systems.

Government validation specification compliant
  • Compliant with certificate validation items given in the Public Key Certificate Processing Security Checklist released by the GCA Management Center, Research, Development and Evaluation Commission, the Executive Yuan.

  • Integrable with the online approval operations of the official document management system and compliant with the File Management Information System Validation specification released by the National Archives Administration (NAA).

Provide electronic signature, validation, encryption and decryption functions
  • The electronic signature and validation function must support RSA and DSA algorithm.

  • Support symmetric encryption and decryption, including DES, 3DES, and AES.

CHANGING VA Multi-Certificate Verification System provides comprehensive features.
  • Supports the Ministry of the Interior's Natural Person Identity Confirmation Service (ICS).

    Through the use of Natural Person Certificates, it establishes a connection with the Ministry of the Interior's Identity Confirmation Service to verify the correctness of the identification number.

  • Validation standards (Security Toolkits)

    Support X509 certificate relevant validation standards, e.g. CRL and OCSP.

  • Support PKCS standards

    1. Data format should comply with international PKCS#7 and NAA's XML specification.

    2. Support PKCS#11 and certificate token (Smart card, USB Token) of Microsoft CAPI CSP.

  • Support time stamp validation generation function

    Comply with RFC 3161 (TSP) and support time stamp server request time stamp for GCA.

  • Management interface

    Features user friendly web based management interface for administrators' query and customer and certificate information management.

  • Complete audit trail

    Every piece of signature data and transaction log is saved in the audit log database of VA. Each record is uniquely numbered to ensure auditability and nonrepudiation.

  • Validation function

    1. Provide Challenge-Response certificate ID authentication.

    2. The validity date of a certificate can be validated.

    3. Once the user-generated signature value is verified, the user's identity can be retrieved through the agreed-upon certificate lookup.

  • Backup mechanism

    Features a backup mechanism and supports software auto fail-over and software load balance functions.

VA application model

  • Provide rack-mount server (plug-n-play), or VM server.

  • Security mechanism application like electronic invoice platform and signature verification.

  • Security mechanism application like electronic official document online approval system, signature verification and digital packaging.

  • Security mechanism application like electronic purchasing platform and signature verification.

  • Provide SSO, integrates with digital signature and validation, for security applications.

  • Electronic document archive and retrieval system integration.

  • Electronic medical records signature verification integration.