How do I set up the KX906 Kits iOS App?
KX906 Kits iOS App

Download this user manual here.
https://keyxentictoken.com/kx906_kits_ios_app_usermanual_v1-0-7/

1. Download and install the KX906 Kits iOS App
Free iOS App and can be downloaded from Apple AppStore.
https://itunes.apple.com/us/app/kx906-kits/id1367051787?mt=8

2. Connect KX906 Smart Token

(1) Connect KX906 Smart Token to iOS device by Lightning Connector.
(2) With successfully connected KX906 Smart Token, the App launch dialog will be prompted. If none of the launch dialog is shown more than 5 seconds, remove and plug again to connect.
(3) On App launch dialog, click “Ignore” to get into the KX906 Kits App main page.



Key Management

Manage RSA/EC keys, X.509 certificate, fingerprint patterns, personal identification number (PIN) and other operations.

1. Manage Your Keys

(1) Select Smart Token or Smart Card First



Connect KX906 Smart Token before managing your keys within smart token or smart card. Insert smart card into smart token reader slot before managing your keys within smart card. Smart Token and smart card are two independent secure elements but the same functions.

(2) Key Management — Keys List / Key Import

Key List
RSA、EC type key pairs are supported.



Create a new key pair ( Authentication Required )
Authentication ( PIN or fingerprint ) is required if smart token is unauthenticated.
Choose key type to be generated. RSA : PKI/Login/Email, EC: Cryptocurrency (SECP256K1), Disk Encryption (RSA 2048).

https://keyxentictoken.com/wp-content/uploads/2019/03/keyxentictoken.com-keyxentic-smart-token-manual-06.jpg

Fill the key label and click “Create” to generate new key pair. Key id is assigned with random UUID value. In general, RSA 2048 bits key pair generation takes 15~50 seconds and EC 256 bits key pair generation takes 3~10 seconds.



Certificate Application

Apply a certificate for PKI application.



Fill the required fields and generate PKCS#10 data for testing CA and get the testing X.509 certificate immediately. For email security, email field should be the same as email account.



Tap on “Certificate” with “YES” status to view the details of certificate. Key list is with green label when the key pair with corresponding X.509 certificate.



Key Import ( Authentication Required )

Asymmetric key pair can be imported by PFX ( Personal Information Exchange ) file. In KX906 Smart Token, asymmetric key pair is imported in a secure way with DKEK ( Device Key Encryption Key ) encryption mechanism. For current version, only RSA type is supported.



Step 1 : Select PFX ( .pfx or .p12 ) file on MicroSD card storage first. Store the PFX file into MicroSD card storage before the select step.



Step 2 : Input DKEK( Device Key Encryption Key ), the DKEK is setup in initialization process. The default DKEK value in hexadecimal encode is as below.

“9C39685EB56A6F1984C793D6F7A548E8F04511B26A59E82620F682695F8FB9DC”



Step 3 : Input the PFX password.



After successfully import, check in the “ key list ” to see the imported one.

(3) Fingerprint Management —
Fingerprints Fingerprints ( Authentication Required )



KX906 Smart Token is equipped with a capacitive area fingerprint sensor of 160*160 pixels and 508 DPI spacial resolution. ISO 19794-2 CC format fingerprint pattern is enrolled and stored in secure element within both KX906 Smart Token and backup smart card.

When fingerprint sensor scanning performing, the “BLUE” and “RED” indicator lights will be flashing.

Fingerprint Enrollment

Step 1 : Place and press finger on fingerprint sensor. Once a valid fingerprint pattern is captured, a color area will be added and shown on gray fingerprint template. With a new color area shown, release finger then place again and keep overlapped.



Step 2 : Repeat step 1 until gray fingerprint template is fully covered by partial colored pieces and saved.



(4) PIN Management — Change User PIN / Unlock / Change User Pin by Initialization Code / Initialize

PIN code is a password-based authentication to secure element. User can manage PIN, such as change PIN. Default PIN code of KX906 Smart Token and backup smart card is 648219. Default SO PIN ( Initialization Code ) is 57621880.

Change User PIN

User PIN can be changed but not with a shorten length, the minimum length of PIN is 6. The retry counter of PIN will increase with longer PIN, eg. try counter max 3 for 6 bytes PIN length, max 5 for 7 bytes PIN length, max 10 for more than 7 bytes PIN length.



Unlock

Reset retry counter of blocked user PIN with SO ( Initialization Code ) PIN.



Change User Pin by Initialization Code

Change ( Reset ) user PIN by SO ( Initialization Code ) PIN.



Initialize

Initialize KX906 Smart Token and backup smart card with SO PIN ( Initialization Code ). User PIN and DKEK ( Device Key Encryption Key ) can be reset in initialize operation. DKEK is used for key backup, restore and PFX import. Write down DKEK and keep in a safe place.



2. Actions

(1) Initialize Both ( Authentication Required )

It’s the first step recommended to initialize both KX906 Smart Token and backup smart card before using the KX906 Smart Token. User PIN and DKEK can be set at both KX906 Smart Token and backup smart card at the same time. This process makes the KX906 Smart Token and backup smart card to be paired for later key backup and restore operations.



Step 1 : Insert backup smart card first before click the “Initialize Both” function button.
Step 2 : Authenticated by SO PIN code (Initialization Code) for both built-in secure element and backup smart card.
Step 3 : Input new user PIN with length from 6 ~ 15 characters. For longer user PIN length with bigger retry counter, eg. try counter max 3 for 6 bytes PIN length, max 5 for 7 bytes PIN length, max 10 for more than 7 bytes PIN length.
Step 4 : Input DKEK value, The default testing DKEK value in hexadecimal encode is as below. “9C39685EB56A6F1984C793D6F7A548E8F04511B26A59E82620F682695F8FB9DC”

Change the value to the one only you know and keep it in safe place.
User the “Random DKEK” to generate random value DKEK.
Use the “Copy DKEK” to copy the DKEK value to iOS clipper board to paste to other place.

(2) Keys Backup ( Authentication Required )

Whenever a new key pair is generated, use “Keys Backup” function to backup the key pair to backup smart card is recommended. Authentication is required for key backup process.



Step 1 : Insert backup smart card first before click the “Keys Backup” function button.
Step 2 : After getting key list from KX906 Smart Token, click “Check Backup Status” function button to check the key backup status first. If the key has been already backup, a tick sign with rounded green circle will show.
Step 3 : Click the key pair to start backup process. With successful operation, a tick sign with rounded green circle will show. Authentication is required for both KX906 Smart Token and backup smart card in order.



(3) Keys Restore ( Authentication Required )

For a new KX906 Smart Token or one with initialization process, key pair can be restored from backup smart card. Authentication is required for key restore process.



Step 1 : Insert backup smart card first before click the “Keys Restore” function button.
Step 2 : After getting key list from backup smart card, click “Check Backup Status” function button to check the key backup status first. If the key has been already restored, a tick sign with rounded green circle will show.
Step 3 : Click the key pair to start restore process. With successful operation, a tick sign with rounded green circle will show. Authentication is required for both KX906 Smart Token and backup smart card in order.



(4) Authentication scheme in actions

In “Initialize Both”, “Keys Backup” and “Keys Restore” process, authentication is required if either KX906 Smart Token or backup smart card is in unauthenticated status.

For example, in “Initialize Both” process with both KX906 Smart Token and backup smart card unauthenticated, the authentication dialog will be prompted in order from “Built-in SE” to “Smart Card” in combo view as following flow chart.



Another example, in “Keys Backup” process with both KX906 Smart Token and backup smart card unauthenticated, the authentication dialog will be prompted in order from “Built-in SE” to “Smart Card” as following flow. The already authenticated side will just pass without dialog prompted.



Another example, in “Keys Restore” process with both KX906 Smart Token and backup smart card unauthenticated, the authentication dialog will be prompted in order from “Smart Card” to “Built-in SE” as following flow. The already authenticated side will just pass without dialog prompted.



If the fingerprint authentication option is turned on ( Setting —> Enable fingerprint authentication ), the fingerprint authentication dialog will be prompted first for 10 seconds scanning.



With failed fingerprint authentication, the PIN authentication will then be prompted for the PIN code authentication.



3. Settings

(1) Device Info

“Device Info” shows the following information of connected KX906 Smart Token or backup smart card, ATR, initialization status, applet type, applet version and applet serial number.



(2) App Info

“App Info” shows the following information of connected KX906 Smart Token. Device version, App version, firmware version and hardware version.



(3) Fingerprint Authentication Switch

Fingerprint authentication can be set up by the “Enable fingerprint authentication” switch. Default value is off.

If fingerprint authentication is turned on, authentication process will first prompt the “Scanning fingerprints” dialog and keep scanning for 10 seconds, then the PIN authentication dialog will be prompted if fingerprint authentication failed.



If fingerprint authentication is turned off, only PIN authentication dialog will be prompted in authentication process.



(4) PC CCID Mode Settings

This function setting is to configure the CCID mode in PC environment when the slide switch is switched to icon.

Use “Set PC CCID to smart card mode” to set the KX906 Smart Token to be a smart card reader in PC environment. It will be a standard PC/SC smart card reader.

Use “Set PC CCID to Key mode” to set the KX906 Smart Token to be a key in PC environment.

KX906 Smart Token is set to be a key in PC environment in default.



(5) Upgrade Firmware

This function setting is to upgrade chipset firmwares of KX906 Smart Token. It’s a two phases firmware upgrade. When “Upgrade Firmware” process is performing, the following phases will be executed consecutively.

Phase 1 : Upgrade main controller. When phase 1 is finished successfully, unplug and plug KX906 Smart Token again is required for phase 2.



Phase 2 : Upgrade other parts. Unplug KX906 Smart Token and plug again.



Continue to upgrade other parts.



The estimated execution time for successful two-phase firmware upgrade is around 2 minutes, estimated time might differ based on different iOS device and operations.

ATTENTION — Do not remove KX906 Smart Token while firmware upgrade is performing. Fatal error may occur from unfinished process.

4. Storage

KX906 Smart Token is equipped with a MicroSD card reader. The maximum capacity supported is 64GB ( higher volume may be supported but with uncertain compatibility ).

User can preview the files default supported by iOS system.


Last Updated: 16 Mar 2019
Did you find this article helpful?
100%
0%
Total votes: 1