Hello Auditor

How are DSCs stored securely in tokens?

Use of Cryptographic USB Tokens

  • Digital Signature Certificates (DSCs) are stored, together with their private keys, on USB cryptographic tokens (small hardware security modules) that meet defined security standards.
  • The token is a hardware device built to hold the private key associated with the DSC; the certificate itself is public and can be read from the token freely.
  • The private key is generated inside the token and flagged non-exportable, so no command the token exposes will return it: the key can be used, but not copied or extracted.
  • Tokens are tamper-resistant and comply with the cryptographic requirements mandated by the regulator.
  • Applications use the token through standard interfaces (for example PKCS#11, or the Windows cryptographic service provider/minidriver layer); the token authorizes operations by PIN, not by which program is asking, so any process on the host that holds an unlocked session can request signatures.

Hardware-Level Protection

  • Tokens contain a secure microcontroller (secure element) that generates the key pair, stores it and performs all cryptographic operations.
  • The chip is hardened against physical attacks (probing, fault injection) and logical attacks through the USB interface, and secrets are stored encrypted in its memory.
  • Even if the token is plugged into an infected or hostile computer, the private key cannot be read out. The limitation is that malware on that host can still submit data of its choosing for signing while the session is unlocked: a hostile host compromises what gets signed, not the key itself.
  • Signatures are generated inside the token: the host sends the hash of the document and receives the signature back.
  • At no point is the raw private key exposed to the host.

PIN-Based Access Control

  • Each token is protected by a user-defined PIN (or password) that must be entered before the DSC's private key can be used.
  • After a small, vendor-set number of consecutive failed PIN attempts, the token blocks the user PIN; this retry counter is what defeats brute-force guessing and makes a short PIN adequate.
  • The PIN ensures that a lost or stolen token cannot be used by whoever finds it.
  • An administrator (security officer, "SO") PIN can unblock the user PIN and reset the retry counter in a controlled procedure. The admin PIN has its own retry limit, and on many tokens exhausting it means the token must be re-initialised, which destroys the key.
  • The PIN must be kept confidential and managed securely: never written on or stored with the token, and never typed into a PIN prompt raised by an application you do not recognise.
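The following is an added example, not code from the original page or from any token vendor: a Python model of the behaviour described in the Hardware-Level Protection and PIN-Based Access Control sections above. The token object generates its key pair internally and has no call that returns the private key (export requests are refused, as a PKCS#11 token refuses to read a sensitive attribute), computes signatures itself, requires a PIN login before signing, blocks the user PIN after a retry counter (assumed here to be 3) is exhausted, and lets an admin/SO PIN unblock it. The signature scheme is textbook RSA over SHA-256 built from the standard library so the example runs offline; it is a toy for illustrating the token's interface, not a production signature scheme. The class and method names are assumptions made for this illustration.

```python
import hashlib
import math
import secrets


class TokenLocked(Exception): """Retry counter exhausted; only the admin (SO) PIN can unblock."""
class WrongPin(Exception): """PIN rejected; the retry counter was decremented."""
class NotLoggedIn(Exception): """Private-key operation requested without a PIN login."""


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test. Toy key generation for the model; a real token uses its own certified RNG."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit set and odd
        if _is_probable_prime(cand):
            return cand


def _digest(data):
    # SHA-256 of the document as an integer; always smaller than the 512-bit modulus below.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class UsbToken:
    """Model of a PIN-gated signing token. Assumed interface for illustration, not a vendor API."""

    MAX_USER_RETRIES = 3  # assumed retry counter; real tokens set their own value

    def __init__(self, user_pin, so_pin, key_bits=512):
        self._user_pin, self._so_pin = user_pin, so_pin
        self._retries_left, self._locked, self._logged_in = self.MAX_USER_RETRIES, False, False
        # Key pair is generated inside the token; no method below ever returns _d (toy textbook RSA).
        while True:
            p, q = _random_prime(key_bits // 2), _random_prime(key_bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(65537, phi) == 1:
                break
        self._n, self._e, self._d = p * q, 65537, pow(65537, -1, phi)

    def public_key(self):  # public material is exportable without a PIN
        return self._n, self._e

    @property
    def is_locked(self):
        return self._locked

    def export_private_key(self):  # non-extractable key: the request is refused outright
        raise PermissionError("private key is non-extractable")

    def login(self, pin):
        if self._locked:
            raise TokenLocked("user PIN blocked; admin PIN needed to unblock")
        if not secrets.compare_digest(pin, self._user_pin):
            self._retries_left -= 1
            if self._retries_left == 0:
                self._locked = True
                raise TokenLocked("retry counter exhausted")
            raise WrongPin(f"{self._retries_left} attempt(s) left")
        self._retries_left, self._logged_in = self.MAX_USER_RETRIES, True

    def logout(self):
        self._logged_in = False

    def sign(self, data):
        # The signature is computed inside the token. Caveat: while the session is logged in,
        # ANY process on the host can call this; the PIN gates the session, not each request.
        if not self._logged_in:
            raise NotLoggedIn("PIN login required")
        return pow(_digest(data), self._d, self._n)

    def unblock(self, so_pin, new_user_pin):  # admin/SO PIN resets the counter and the user PIN
        if not secrets.compare_digest(so_pin, self._so_pin):
            raise WrongPin("bad admin PIN")
        self._user_pin, self._retries_left, self._locked = new_user_pin, self.MAX_USER_RETRIES, False


def verify(public_key, data, signature):
    """Anyone holding the public key (the DSC) can check a signature; no token needed."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data)
```

The part worth trying is the sequence after login: a second, "malicious" caller that signs an attacker-chosen payload succeeds just as the legitimate one does, because the token only knows that a session is unlocked. That is the precise reason the best practices below insist on a clean host and on unplugging the token when not signing.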

Compliance with Security Standards

  • Tokens used for DSCs must be validated to FIPS 140-2 Level 2 or higher (FIPS 140-3 is the successor standard).
  • Token models are approved by the regulator and are subject to periodic audit.
  • Certificate issuance and key-storage procedures follow the guidelines set by the Controller of Certifying Authorities (CCA).
  • Secure storage is a condition for the legal validity and acceptance of digital signatures in official use, since it underpins the assumption that only the certificate holder could have produced the signature.
  • Token firmware is updated when the vendor releases fixes for security vulnerabilities; a token whose firmware cannot be updated should be replaced once a flaw affecting it is published.

Best Practices for Token Security

  • Do not share the token or its PIN with anyone, including colleagues who "just need one signature".
  • Remove the token from the system as soon as signing is finished and store it in a safe place; a token left plugged in and unlocked will sign whatever a process on that machine submits.
  • Use the token only on trusted, malware-free devices.
  • Keep the token's drivers and middleware, and the host operating system's security patches, up to date.
  • Replace the token immediately if it shows signs of damage or compromise, and have the certificate revoked if the token is lost or stolen.
