Smart Card 650 (SC650)

A high assurance identification and authentication smart card that brings two-factor authentication to applications and networks where security is critical.


The SafeNet Assured Technologies Smart Card 650 (SC650) is the most secure, certificate-based smart card available today. Supporting numerous algorithms, X.509 digital certificates and on-card certificate validation, the SC650 enables strong two-factor authentication and proof-positive user identification in all Public Key Infrastructure (PKI) environments. The smart card contains a custom smart card ASIC, the SCC650, developed by SafeNet Assured Technologies. This SCC650 ASIC is a highly trusted design fabricated at a trusted foundry and implements a security architecture found in other SafeNet Assured Technologies certified ASICs.

The SC650 operating system supports the Java card platform specification v2.2.2 and Global platform card specification version 2.1.1. This operating system incorporates SafeNet Assured Technologies’ well-established High Assurance Suite B cryptographic eXtension (cGX) library to perform all cryptographic operations necessary for the smart card. Together, the hardware and firmware provide the user with features to facilitate and manage combined logical and physical access, while also enabling services to off-load cryptographic algorithm implementation and provide object access control.


The SC650 securely stores the user’s credentials, such as digitally-signed certificates, private keys, and network login credentials and seamlessly supports secure key generation, secure key storage, encryption/decryption, and digital signature processing (sign and verify). The SC650 is capable of performing all private and public key cryptographic functions directly on the smart card, thus eliminating potential threats resulting from private key exposure. In authentication scenarios where cryptographic keys are stored locally on a computer and protected only by software, the keys are vulnerable to accidental loss and malicious acts that could greatly compromise network security and result in unfortunate economic consequences. With the SafeNet Assured Technologies SC650, the private keys used for these functions are never exposed to a potentially vulnerable host system.

Additionally, the on-chip cryptographic functions enable users to perform Suite B and other FIPS- approved cryptographic operations on the card. This allows the user to carry out ECDSA, RSA (PKCS #1), or DSS (FIPS 186) digital signatures with confidence because the signing key cannot be tampered with by any software that could be running on the host computer. Similarly, security for the exchange of session encryption keys is supported by the on-board cryptographic functions, such as ECDH key agreement and key exchange. The SC650 also contains a log file for security events, providing secure audit log details for audit management purposes.


The SC650, combined with the SafeNet High Assurance Client (SHAC) middleware, is designed to support multi-domain usage by allowing the user’s credentials and certificates to be stored in cryptographically-separated key containers. This capability grants users more flexible and simplified access to sensitive networks and workstations because a user can use a single authentication device, the SC650, to securely authenticate to multiple independent networks (i.e., domains), each requiring its own set of unique private keys, credentials and certificates. The combination of the SC650 and SHAC middleware enables secure separation of all keys and certificates per network so appropriate access levels and network policies are enforced for each.


The SafeNet SC650 has been designed to provide built-in cryptographic and data container management for all private and sensitive functions, while giving enterprises the ability to add new applications/applets to address future requirements. The SC650 may be used with SafeNet AT-developed applets and middleware (SHAC). Custom application integration is facilitated by the cryptographic API support provided by the SHAC middleware and includes PKCS #11, Microsoft CAPI, and Microsoft and Apple PC/SC. The SC650 also accepts third-party applets to allow integration of the smart card into existing enterprise infrastructures. In addition, the SC650 interoperates with RedHat CMS 8.0 Secure.

Cryptographic Algorithms

  • DH/ECDH/DSA/ECDSA/RSA Key Generation
  •  DH/ECDH Key Agreement
  • ECDSA/DSA Sign & Verify
  • ECC curves supported: p-256, p-384,p-521
  • 3DES encryption/decryption
  • AES encryption/decryption (128 and256 key lengths)
  • RSA encrypt/decrypt (1024/2048)
  • RSA Sign & Verify (1024/2048)
  •  SHA1/256/384/512
  • HMAc SHA1/256/384/512


  • ISO 7816-2 for dimensions and location of the contact for smart cards
  • ISO/IEC7816 parts 3 and 4, standard for identification cards (i.e., smart cards)

Token Operating System

  • Java card v2.2.2
  • Global platform 2.1.1

OS Support

  • Microsoft Windows 2000
  • Microsoft Windows 2003
  • Microsoft Windows 7
  • Microsoft Windows XP Microsoft
  • Windows Vista
  • Apple MacOS 10.4.6 and above
  • High assurance user authentication
  • Multi-domain authentication support
  • Secure key storage
  • Signing and verifying encryption/decryption
  • Private/public key generation
  • Operationally secure token activation
  • Secure random number generation
  • Optional On-token certificate validation (includes path validation)
  • Interoperates with Red Hat CMS 8.0  Secure audit logging
Smart Card 650 Product Brief