Emerson SC2MDST User manual

Section 1 - Introduction
Secure MDR:
SC2MDST: 2-Port, USB
SC4MDST: 4-Port, USB
Rev: E
Doc No.: HDC10377
Secure Multi-Domain Tempest Smart Card Reader (MDR) User Manual

Table of Contents
Introduction
Intended Audience
Package Contents
Revision
Overview
Safety Precautions
Safety Precautions (French)
User Guidance & Precautions
Background
Main Features
Tamper Evident Labels
Active Anti-Tampering System
Product Enclosure Warning Label
Panel Features (SC2MDST; SC4MDST)
Product Specifications
Before Installation
Prerequisites
PC Modes
Active Mode
Passive Mode
MDR Operational Modes
Typical system installation
Operation
Smart Card Removal Behavior
Re-associating the MDR after Smart card Removal
De-associating the MDR from a Specific PC
Copyright and Legal Notice

Introduction
Thank you for purchasing this Secure MDR – Multi-Domain Smart
Card Reader. This product is designed for use in secure defense and
intelligence installations. It offers a single point of secure login into
multiple domains.
This User Manual provides all the details you’ll need to install and
operate your new product.
Intended Audience
This document is intended for the following professionals:
• System Administrators/IT Managers
• End Users
Package Contents
Inside product packaging you will find the following:
• Emerson Secure Product
• AC Power Cord
• User Guidance Documentation
Revision
A – Initial Release, 23 Feb 2015
B – Corrections, 19 April 2015
C – Corrections, 25 May 2015
D – User Guidance updates, 21 June 2015
E – Correction to Features section, 13 August 2015
Important Security Note:
If you become aware of a potential security vulnerability while
installing or operating this product, we encourage you to
contact us immediately in one of the following ways:
Web form: Emerson Support
Email: AvocentSecurityFLR@emerson.com
Tel: +1-888-793-8763
Important: This product is equipped with an always-on active
anti-tampering system. Any attempt to open the product enclosure
will activate the anti-tamper triggers and render the unit
inoperable and the warranty void.

Section 4 - Operation
Overview
Safety Precautions
Please read the following safety precautions carefully before using
the product:
• Before cleaning, disconnect the product from any electrical power
supply.
• Do not expose the product to excessive humidity or moisture.
• Do not store or use the product for an extended period of time in
extreme thermal conditions – it may shorten product lifetime.
• Install the product only on a clean secure surface.
• If the product is not used for a long period of time, disconnect it
from electrical power.
• If any of the following situations occurs, have the product checked
by a qualified service technician:
  o Liquid penetrates the product’s case.
  o The product is exposed to excessive moisture, water or any
    other liquid.
  o The product is not working well even after carefully following
    the instructions in this user’s manual.
  o The product has been dropped or is physically damaged.
  o The product shows obvious signs of breakage or loose internal
    parts.
  o In case of an external power supply – the power supply
    overheats, is broken or damaged, or has a damaged cable.
• The product should be stored and used only in temperature and
humidity controlled environments as defined in the product’s
environmental specifications.
• Never attempt to open the product enclosure. Any attempt to
open the enclosure will permanently damage the product.
• The product contains a non-replaceable internal battery. Never
attempt to replace the battery or open the enclosure.
• This product is equipped with an always-on active anti-tampering
system. Any attempt to open the product enclosure will activate the
anti-tamper triggers and render the unit inoperable and the warranty
void.

Safety Precautions (French)
Please read the following safety precautions carefully before using
the product:
• Before cleaning, disconnect the device from the DC / AC power
supply.
• Make sure not to expose the device to excessive humidity.
• Make sure to install the device on a clean, secure surface.
• Do not place the DC power cord across a walkway.
• If the device is not used for a long time, remove the wall power
supply from the electrical outlet.
• The device must be stored only in humidity and temperature
controlled environments as defined in the product's environmental
specifications.
• The wall power supply used with this device must be the model
supplied by the manufacturer or a certified equivalent supplied by
the manufacturer or an authorized service provider.
• If any of the following situations occurs, have the device checked
by a qualified service technician:
  o In case of an external power supply - the device's power supply
    overheats, is damaged or broken, gives off smoke, or causes
    short circuits at the mains outlet.
  o Liquid has penetrated the device's case.
  o The device is exposed to excessive humidity or to water.
  o The device does not work correctly even after carefully
    following the instructions in this user guide.
  o The device has been dropped or is physically damaged.
  o The device shows obvious signs of a broken or loose internal
    part.
  o The device contains an internal battery. The battery is not
    replaceable. Never attempt to replace the battery, because any
    attempt to open the device's case would cause permanent damage
    to the device.
  o This product is equipped with an always-on active anti-tampering
    system. Any attempt to open the product enclosure will activate
    the anti-tamper trigger and render the unit inoperable and the
    warranty void.

User Guidance & Precautions
Please read the following User Guidance & Precautions carefully
before using the product:
1. As product powers up it performs a self-test procedure. In
case of self-test failure for any reason, including jammed
buttons, the product will be inoperable. Self-test failure will
be indicated by the following abnormal LED behavior:
a. All channel-select LEDs will be turned ON and
then OFF;
b. A specific, predefined LED combination will be
turned ON;
c. The predefined LED combination will indicate the
problem type (jammed buttons, firmware integrity).
Try to power cycle product. If problem persists please
contact your system administrator or technical support.
2. Product power-up and RFD behavior:
a. By default, after product power-up, the active
channel will be computer #1, indicated by the
applicable front panel push button LED lit.
b. Product Restore-to-Factory-Default (RFD) function
is available via a physical control button on rear
panel. Use a sharp object or paper clip to hold RFD
button pressed for several seconds to initiate an
RFD action.
c. RFD action will be indicated by front panel LEDs
blinking all together.
d. When product boots after RFD, keyboard and
mouse will be mapped to the active channel #1 and
default settings will be restored, erasing all user-set
definitions.
3. The appropriate usage of peripherals (e.g. keyboard, mouse,
display, authentication device) is described in detail in this
User Manual's appropriate sections. Do not connect any
authentication device with an external power source to
product.
4. For security reasons products do not support wireless
keyboards and mice. In any case do not connect wireless
keyboard/mouse to product.
5. For security reasons products do not support
microphone/line-in audio input. In any case do not connect
a microphone to product audio output port, including
headsets.
6. Product is equipped with always-on active anti-tampering
system. Any attempt to open product enclosure will activate
the anti-tamper system indicated by all channel-select LEDs
flashing continuously. In this case, product will be
inoperable and warranty void. If product enclosure appears
disrupted or if all channel-select LEDs flash continuously,
please remove product from service immediately and
contact technical support.
7. In case a connected device is rejected in the console port
group the user will have the following visual indications:
a. When connecting a non-qualified keyboard, the
keyboard will be non-functional with no visible
keyboard strokes on screen when using the
keyboard.
b. When connecting a non-qualified mouse, the
mouse will be non-functional with mouse cursor
frozen on screen.

c. When connecting a non-qualified display, the video
diagnostic LED will flash green and video will not
work.
d. When connecting a non-qualified USB device, fUSB
LED will flash green and USB device will be
inoperable.
8. Do not connect product to computing devices:
a. That are TEMPEST computers;
b. That include telecommunication equipment;
c. That include frame grabber video cards;
d. That include special audio processing cards.
9. Product has a remote control port in the back panel labeled
RCU. Do not use this port - it is inoperable and for future
use.
10. Important! Before re-allocating computers to channels, it is
mandatory to power cycle product, keeping it powered OFF
for more than 1 minute.
11. Product log access and administrator configuration options
are described in product Administrator Guide.
12. Authentication session will be terminated once product
power is down or user intentionally terminates session.
13. If you are aware of any potential security vulnerability while
installing or operating product, please remove product from
service immediately and contact us in one of the ways listed
in this manual.
14. MDR: When powering up a secure smart card reader with
the card inserted, the product will provide an audible
warning signal and will be inoperable. Power cycling the MDR
will terminate all mapped sessions.

Background
In organizations where users work simultaneously on multiple
computer environments, the use of smart cards to secure logons
and applications (such as email encryption) generates costly,
administration-intensive overhead.
Because a dedicated smart card and smart card reader have to be
purchased, programmed and installed per user and per computer,
multiplied by the number of computers and users in the
organization, the TCO and administrative effort required to
support such environments are extremely high.
For example, an employee who has to access 3 computers
simultaneously would need 3 smart cards, one for every
computer environment (domain), plus 3 smart card readers, each
reader connected to a separate computer.
EMERSON MDR Solution
EMERSON developed the Secure Multi-Domain Smart Card Reader
(MDR) technology to provide a simple and yet secure solution to
this common problem.
The EMERSON Multi-Domain Smart Card Reader (MDR) is a single
secure smart card reader which connects simultaneously to multiple
computers thus allowing a user to utilize a single smart card while
working securely on multiple computer environments at the same
time.

Main Features
Product is designed, manufactured and delivered in
security-controlled environments. Below is a summary of the main
advanced features incorporated in product:
Advanced isolation between computers and shared peripherals
The emulation of keyboard, mouse and display EDID prevents
direct contact between computers and shared peripherals. Product
design achieves maximal security by keeping the video path
separate, with keyboard and mouse switched together, and by
purging the keyboard buffer when switching channels. All these
features contribute to strong isolation between computer interfaces,
maintained even when product is powered off.
Unidirectional data flow: USB, audio and video
Unique hardware architecture components prevent unauthorized
data flow, including:
• Optical unidirectional data flow diodes in the USB data path
that filter and reject unqualified USB devices;
• Secure analog audio diodes that prevent audio
eavesdropping, with no support for microphone or any other
audio-input device;
• Video path kept separate from all other traffic, enforcing
unidirectional native video flow. EDID emulation is done at
power up and blocks all EDID/MCCS writes. For DisplayPort
video, the AUX channel is filtered to reject unauthorized
transactions.
Isolation of power domains
Complete isolation of power domains prevents signaling attacks.
Secure administrator access & log functions
Product incorporates secure administrator access and log functions
to provide an auditable trail for all product security events, including
battery backup life for anti-tampering and log functions.
Non-reprogrammable firmware prevents the ability to tamper with
product logic.
Always-on, active anti-tamper system
Active anti-tampering system prevents malicious insertion of a
hardware implant, such as a wireless key-logger, inside the product
enclosure. Any tampering attempt causes isolation of all
computers and peripheral devices, rendering product inoperable and
showing clear indications of the tampering event to the user.
Holographic security tamper-evident labels are placed on the
enclosure to provide a clear visual indication if product has been
opened or compromised.
Metal enclosure is designed to resist mechanical tampering, with all
microcontrollers protected against firmware read, modification and
rewrite.
TEMPEST Compliant Design
Assuring galvanic isolation between sources
Highest security by design:
The only smart-card reader designed from the early stages to
support high security isolation applications.
Unique in the market:
The only smart-card reader available today that can interface with
multiple isolated computers. Based on unique technology and
patents.

Compatibility:
The MDR design relies on Identive (formerly SCM) readers. It is by
far the industry's most popular and compatible smart-card reader.
Product is supported by most operating systems in use today.
All firmware is in ROM (Read Only Memory).
Cost effective:
This product was designed to provide an affordable solution for
agencies and organizations. Product cost is easily justified
when compared with issuing and maintaining multiple cards for each
user.
Ease of use:
The MDR automatically switches between channels. The user needs
minimal training in the device operation.

Tamper Evident Labels
Product uses holographic tamper-evident labels to provide visual
indications in case of an enclosure intrusion attempt. When opening
product packaging, inspect the tamper-evident labels.
If for any reason one or more tamper-evident labels are missing,
appear disrupted, or look different from the example shown
here, please call Technical Support and avoid using that product.
Active Anti-Tampering System
Product is equipped with an always-on active anti-tampering system.
If mechanical intrusion is detected by this system, the product will
be permanently disabled and all LEDs will blink continuously.
If product indicates "tampered state" (all LEDs blinking), please
call Technical Support and avoid using that product.
Product Enclosure Warning Label
Product has the following warning sticker on a prominent location
on the product enclosure:
Emerson Tamper Evident Label

Panel Features (SC2MDST; SC4MDST)
Note: the model shown in the above image is SC4MDST. SC2MDST is identical except for having 2 ports.

Product Specifications
Enclosure: Plastic enclosure
No. of Users Supported: 1
No. of Smart Cards Supported: 2 (SC2MDST); 4 (SC4MDST)
MDR ports:
  2/4 x USB Type-A to connect to computers, 1m long cable for each (model pending)
  1 x DC Power supply jack
Controls and indications:
  2/4 x Blue LEDs to indicate active channel (model pending)
  2/4 x Red LEDs to indicate tampering attempt or failure to read card (model pending)
  Sound transducer to provide user warnings (65dB maximum)
Smart Card Reader:
  Supports ISO7816 Class A and AB Smartcards
  T=1, T=0 protocol support
  Communication speed up to 344,105 bps (PPS, FI parameter)
  Frequency up to 12 MHz (PPS, DI parameter)
  Connector with sliding 8-contacts designed for 150,000 insertions
Driver and OS Compatibility:
  CCID compliant & PC/SC Compatible Reader
  Supports All Operating Systems: Windows® OS, XP version and above, Linux, Mac OS
Computer Ports: USB Type B ports
Power: External, Wall-mounted power supply 12VDC, 5W maximum
User Channel Selection Methods: Front panel push-buttons
Operating Temp: 32° to 104° F (0° to 40° C)
Storage Temp: -4° to 140° F (-20° to 60° C)
Humidity: 0-80% RH, non-condensing
Product design life-cycle: 10 years
Warranty: 2 years

Before Installation
Unpacking the Product
Before opening the product packaging, inspect the packaging
condition to ensure that the product was not damaged during delivery.
When opening the package, check that the product Tamper
Evident Labels are intact.
Where to locate the Product?
The enclosure of the product is designed for desktop or under the
table configurations. An optional Mount Kit is available.
Product must be located in a secure and well protected
environment to prevent potential attacker access.
Consider the following when deciding where to place product:
• Product front panel must be visible to the user at all times.
• The location of the computers in relation to the product and
the length of available cables (typically 1.8 m)
Warning: Avoid placing cables near fluorescent lights,
air-conditioning equipment, RF equipment or machines that create
electrical noise (e.g., vacuum cleaners).
Important:
1. If the unit’s enclosure appears disrupted or if all
channel-select LEDs flash continuously, please remove product
from service immediately and contact Technical Support
at:
http://www.emersonnetworkpower.com/en-US/Support/Technical-Support/InfrastructureManagement/Pages/default.aspx
2. Do not connect product to computing devices:
a. That include telecommunication equipment;
b. That include frame grabber video cards;
c. That include special audio processing cards.

Prerequisites
1. Obtain and install the applications, drivers and files of the
cryptographic software (CSP) which corresponds to your
selected smart card vendor.
2. Obtain a smart card from your selected smart card vendor.
3. Verify that your smart card setup works correctly on each
PC using a standard smart card reader prior to connecting
the MDR.
PC Modes
The MDR has a built-in association mechanism which allows the
smart card to be concurrently mapped to multiple PCs. PC Modes
determine which of the associated PCs is set as Active, while the
others are set as Passive. An Active PC has full (read/write) access
to the smart card which is inserted into the MDR. A Passive PC
recognizes the smart card but has no access to it until it is made
Active. At any given time only one PC can be set as Active.
Active Mode
• The smart card is inserted into the MDR.
• The PC Association LED is ON.
• The PC Number LED is ON.
• The MDR appears under the computer’s operating system
device manager as a smart card reader.
• The computer’s OS and applications have full (read/write)
access to the smart card.
Passive Mode
• The smart card is inserted into the MDR.
• The PC Association LED is ON.
• The PC Number LED is OFF.
• The MDR appears under the computer’s operating system
device manager as a smart card reader.
• The computer’s OS and applications have NO access to the
smart card.
MDR Operational Modes
Operational Mode settings determine how Active/Passive PC
Modes are set. For example, when the MDR Operational Mode is
set to Manual, the user has to manually press the PC Number
Button corresponding to the PC that requires access to the smart
card.
When the MDR Operational Mode is set to dynamic,
auto-association methods are used to determine which PC will be set
as Active. For example, when the MDR operational mode is set to
Activity-Detection Auto Association, the MDR will automatically
actively associate itself to the computer which requires smart card
access based on an activity detection algorithm.
To preset which MDR Operational Mode is in use (Manual,
Auto, etc.), a hardware dual in-line package (DIP) MDR has to be
configured. See the MDR configuration settings in Table 01, column
DIP MDR.

Typical system installation
SC2MDST
SC4MDST

Operation
Once the initial MDR configuration steps are completed, the MDR is
ready for use, allowing simultaneous usage of a single smart card
with multiple PCs.
Smart Card Removal Behavior
Removing the smart card from the MDR immediately de-associates
the MDR from all coupled PCs. As a result, smart card-aware
applications will notice the smart card absence and respond
accordingly.
For example, a Windows PC that is configured to require smart
cards for user logon may be set to lock the user’s desktop once the
smart card is removed.
Re-associating the MDR after Smart card Removal
In order to continue using the smart card (after it has been
removed from the MDR), the user has to insert the smart
card into the MDR and complete steps 6-9 in order to
re-associate the MDR with all the corresponding PCs.
De-associating the MDR from a Specific PC
Long pressing a PC Number Button is the equivalent of removing the
smart card only from the PC which corresponds to that button,
without affecting other associated PCs. To re-associate that PC with
the MDR, press the PC Number Button to initialize the MDR (as
described in step 7).
The de-association option is useful whenever a user wants to
de-associate the MDR from a specific PC without interfering with
other PCs which are associated with the MDR.
For example, when a user has to lock PC#1 by removing the smart
card yet remain logged on to PC#2, or when a certain PC is not
successfully associated with the MDR and the user wants to
re-associate it.
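The association rules described under PC Modes and in the Operation section above can be written down as an expected-state model and compared with the LEDs and host behavior observed during commissioning. The following Python model is an added example, not code from Emerson or from this manual; the class and method names are hypothetical, and it covers Manual operational mode only. It assumes that a short press both associates a PC and makes it Active (steps 6-9 are not reproduced on this page), that no PC becomes Active automatically after the Active one is de-associated, and that the inoperable state clears only on power-off.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MdrModel:
    """Expected-state model of the MDR in Manual operational mode (constructed)."""
    ports: int = 4                      # 2 for SC2MDST, 4 for SC4MDST
    powered: bool = False
    card_inserted: bool = False
    inoperable: bool = False
    associated: set = field(default_factory=set)
    active: Optional[int] = None        # at most one PC is Active at any time

    def _drop_all(self):
        self.associated.clear()
        self.active = None

    def _check(self, pc):
        if not 1 <= pc <= self.ports:
            raise ValueError(f"no such port: {pc}")

    def power_on(self):
        self.powered = True
        # Powering up with the card inserted: warning signal, unit inoperable.
        self.inoperable = self.card_inserted

    def power_off(self):
        # Power cycling the MDR terminates all mapped sessions.
        # ASSUMPTION: the inoperable state is cleared only here.
        self.powered = False
        self.inoperable = False
        self._drop_all()

    def insert_card(self):
        self.card_inserted = True

    def remove_card(self):
        # Card removal immediately de-associates the MDR from all coupled PCs.
        self.card_inserted = False
        self._drop_all()

    def press(self, pc):
        # ASSUMPTION: a short press associates the PC if needed and makes it Active.
        self._check(pc)
        if self.powered and self.card_inserted and not self.inoperable:
            self.associated.add(pc)
            self.active = pc

    def long_press(self, pc):
        # Long press de-associates only this PC; the others are unaffected.
        self._check(pc)
        self.associated.discard(pc)
        if self.active == pc:
            self.active = None          # ASSUMPTION: no automatic successor

    def state(self, pc):
        """Return (mode, association_led, number_led, host_has_card_access)."""
        self._check(pc)
        if pc not in self.associated:
            return ("unassociated", False, False, False)
        if pc == self.active:
            return ("active", True, True, True)
        return ("passive", True, False, False)


def replay(events, ports=4):
    """Apply (method, *args) events to a fresh model and return it."""
    model = MdrModel(ports=ports)
    for name, *args in events:
        getattr(model, name)(*args)
    return model


if __name__ == "__main__":
    # The manual's example: lock PC#1 while staying logged on to PC#2.
    m = replay([("power_on",), ("insert_card",), ("press", 1), ("press", 2),
                ("long_press", 1)])
    for pc in (1, 2):
        print(pc, m.state(pc))
```
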
Important Security Note:
If you become aware of a potential security vulnerability while installing
or operating this product, we encourage you to contact us immediately in
one of the following ways:
Web form: http://www.emersonnetworkpower.com/en-US/Support/Technical-Support/KVM/Pages/default.aspx
Email: AvocentSecurityFLR@emerson.com
Tel: +1-888-793-8763
Important: If the unit’s enclosure appears disrupted or if all LEDs flash
continuously, please remove product from service immediately and
contact Technical Support at
http://www.emersonnetworkpower.com/en-US/Support/Technical-Support/KVM/Pages/default.aspx
Important: This product is equipped with an always-on active
anti-tampering system. Any attempt to open the product enclosure will
activate the anti-tamper triggers and render the unit inoperable and the
warranty void.

Legal Notice
Copyright and Legal Notice
For important safety information, visit:
www.emersonnetworkpower.com/ComplianceRegulatoryInfo
Emerson, Emerson Network Power and the Emerson Network
Power logo are trademarks or service marks of Emerson Electric
Co. Avocent and the Avocent logo are trademarks or service marks
of Avocent Corporation. This document may contain confidential
and/or proprietary information of Avocent Corporation, and its
receipt or possession does not convey any right to reproduce,
disclose its contents, or to manufacture or sell anything that it may
describe. Reproduction, disclosure, or use without specific
authorization from Avocent Corporation is strictly prohibited.
©2015 Avocent Corporation. All rights reserved.
The information and specifications in this document are subject to
change without prior notice.
Images are for demonstration purposes only.