© Copyright 2006 by Eutron Infosecurity S.r.l. – Italy – 24048 Treviolo BG Via Gandhi, 12. All rights reserved.
The names of the other products mentioned are trademarks of their respective owners.
CryptoIdentity User Guide – Index
INDEX
1 INTRODUCTION TO CRYPTOIDENTITY AND CRYPTOKIT
1.1 WHAT IS CRYPTOIDENTITY
1.1.2 CRYPTOIDENTITY MODELS
1.1.3 CRYPTOIDENTITY DEFAULT PINs
1.1.
5.1.3.2 SECURE EMAIL-S WITH NETSCAPE MESSENGER 4.7
5.2 MICROSOFT VPN
5.3 MICROSOFT SMARTCARD LOGON
5.4 PKI PRODUCTS
5.
CryptoIdentity User Guide – 1. Introduction to CryptoIdentity and CryptoKit
1 INTRODUCTION TO CRYPTOIDENTITY AND CRYPTOKIT
This chapter provides an introduction to CryptoIdentity and CryptoKit. For updated information and news about the CryptoIdentity USB token, you can also visit: www.cryptoidentity.eutron.com
1.1 WHAT IS CRYPTOIDENTITY
CryptoIdentity is a USB token, the size of a door key, which includes a cryptographic chip and combines the functions of a smartcard and its reader.
Easily integrated with the applications compatible with PKCS#11 and MS CAPI (CryptoIdentity SDK includes libraries and examples).
Strong cryptographic capabilities:
- ATMEL AT903232C - 6464C Cryptographic processors
- RSA key generation on token up to 2048 bit.
- Encrypt/decrypt operations with RSA keys up to 2048 bit.
- Digital signature and verification.
- Hardware random number generator.
CryptoIdentity 2048
In addition to all the features of CryptoIdentity5, this model supports:
- RSA keys up to 2048 bit
- EEPROM memory 64KB
Additional CryptoIdentity models (ITSEC I-P-FIPS) are also available. Please note that this guide and CryptoKit apply ONLY to the CryptoIdentity4, CryptoIdentity 5 & 2048 models. For details about the ITSEC models, please visit www.cryptoidentity.eutron.com.
1.1.
For security reasons, if a wrong CryptoIdentity PIN is inserted 12 times consecutively, the CryptoIdentity PIN is LOCKED. If a wrong Security Officer PIN is inserted 6 times consecutively, the Security Officer PIN is LOCKED and NO LONGER USABLE. It is possible to customize the number of wrong attempts allowed before the PIN and Security Officer PIN are locked. To do so, refer to section "1.1.4 CryptoIdentity default configuration".
1.1.5 CRYPTOIDENTITY REQUIREMENTS
These are the CryptoIdentity requirements:
- CryptoKit properly installed (refer to sections “1.2.1 CryptoKit requirements” and “2.1.1 Installing CryptoKit”)
- A free USB port
- USB protocol enabled in the BIOS settings
- USB 1.1 or 2.0
1.2 WHAT IS CRYPTOKIT
CryptoKit provides the basic software to work with the CryptoIdentity token.
CryptoIdentity User Guide – 2. Getting Started with CryptoIdentity
2. GETTING STARTED WITH CRYPTOIDENTITY
This chapter explains how to install CryptoKit and the CryptoIdentity drivers.
2.1 INSTALLING AND MAINTAINING CRYPTOKIT
Before using the CryptoIdentity token for any purpose, it is mandatory to install CryptoKit. The next section will guide you through the process. Refer to section "1.2 What is CryptoKit" for details about CryptoKit.
2.1.
To install the CryptoKit (standard installation):
• Insert the original CryptoKit CD-ROM.
• Run CryptoIdentity-setup.exe from the root directory on the Installation CD.
• The installation process needs to extract the files used by the setup into a folder. Choose a folder (the recommended one is "C:\Eutron\CryptoIdentity-Setup"). The process automatically creates the specified folder on the hard disk.
• Choose a Destination Folder. The default location is C:\Program Files\Eutron\CryptoKit.
Here is a brief description of the available components:
Tokens: installs the CryptoIdentity drivers.
- CryptoIdentity4: installs the CryptoIdentity4 driver (optional, select it only if the CryptoIdentity4 model is used).
- CryptoIdentity5 or 2048: installs the CryptoIdentity USB token driver (mandatory, select it if the CryptoIdentity5 or 2048 model is used).
Netscape: enables Netscape to use CryptoKit as cryptographic engine by adding the CryptoKit security module (optional, select it only if Netscape is used).
• Select the desired components and click Next.
• If the Netscape option is selected, the Netscape browser opens automatically to display the following window (from Netscape 4.79):
• Press OK to add the CryptoKit security module and close the browser to proceed.
• After the restart (if required), the CryptoKit installation must be completed by plugging a CryptoIdentity into a USB port. If the installation process did not ask to reboot the system, the CryptoIdentity must be plugged into a USB port at the end of the CryptoKit setup. The first time a CryptoIdentity is plugged in after the CryptoKit setup, the CryptoIdentity driver installation procedure will start and complete automatically.
• Click Next, select or de-select components to install/uninstall, and complete the process.
• At the end of the process a reboot/restart may be required. If required, reboot the system.
It is also possible to repair a CryptoKit installation if problems are encountered while using the installed components.
To repair a previous CryptoKit installation:
• Remove the CryptoIdentity token from the USB port.
2.1.3 UNINSTALLING CRYPTOKIT
If you wish to uninstall CryptoKit:
• Remove the CryptoIdentity token from the USB port.
• Run the uninstallation procedure (Start-> Programs-> Eutron CryptoKit-> Add Remove CryptoKit Components) or use the Add-Remove programs->CryptoKit in the Windows control panel.
Windows NT, 2000, 2003 and XP require administrative privileges to uninstall CryptoKit.
CryptoIdentity User Guide – 3. Working with CryptoIdentity Utilities
3 WORKING WITH CRYPTOIDENTITY UTILITIES
CryptoKit provides some utilities to work with the CryptoIdentity token. The next sections explain their usage in detail.
3.1 ARGENIE
CryptoKit provides this utility to perform several operations with CryptoIdentity. It is possible to run the AR Genie utility in standard or advanced mode.
Standard mode:
• Run the program AR Genie from Windows Start Menu (Start-> Programs-> Eutron CryptoKit).
• In the AR Genie shortcut properties, add to the "Target" field the "/br" parameter.
The AR Genie utility in advanced mode provides these additional features:
Slot menu
- Get Information: provides general information about the plugged CryptoIdentity token.
- Refresh List: refreshes the "slots" list.
Token menu
- View objects: allows viewing the public objects stored in the CryptoIdentity USB token.
When a CryptoIdentity USB token is plugged in, the symbol “+” appears near the slot description.
To change the PIN of the CryptoIdentity USB token:
• Select the slot where the token is plugged.
• Insert the current PIN in the Old Pin field. If this is the first time that the CryptoIdentity PIN is about to be changed, insert as Old Pin the PIN “12345678” according to section "1.1.3 CryptoIdentity default PINs".
• Choose whether to initialize the CryptoIdentity (Initialize button) or change the Security Officer PIN (Change SO PIN button).
To initialize the CryptoIdentity token:
• To start the initialization procedure, choose the USB port where the CryptoIdentity token to be initialized is inserted. When a CryptoIdentity token is plugged in, the symbol “+” appears near the slot description.
• Press the Initialize button.
To perform the token initialization, the Security Officer PIN is required. If this is the first time that the CryptoIdentity USB token is about to be initialized and the Security Officer PIN was not changed previously, insert as Security Officer PIN the value “11111111” (refer to section "1.1.3 CryptoIdentity default PINs").
• Wait while the initialization process runs; at the end a window pops up.
The initialization process sets the default configuration in CryptoIdentity. To customize the CryptoIdentity configuration, refer to section "1.1.
• A message confirms that the Security Officer PIN has been successfully changed.
For security reasons, if a wrong Security Officer PIN is inserted 6 times consecutively, the Security Officer PIN is LOCKED and NO LONGER USABLE.
3.4 IMPORTPKCS12
CryptoKit provides the ImportPKCS12 utility. ImportPKCS12 can import a certificate stored in a PKCS#12 standard file (*.p12 or *.pfx) into the CryptoIdentity USB token.
When a CryptoIdentity is plugged in, the symbol “+” appears near the slot description.
• Select the slot where the token is plugged.
• Click Browse and select a valid .pfx or .p12 file.
• Insert the password protecting the selected .pfx or .p12 file.
• Press Import and insert the token PIN:
• If the PIN and the other parameters specified are correct, the .p12/.
3.5 TOKEN SERIAL NUMBER
This utility shows the CryptoIdentity serial number.
• To use it, run the program Token Serial Number from Windows Start Menu (Start-> Programs-> Eutron CryptoKit).
CryptoIdentity User Guide – 4. Managing Digital Certificates with CryptoIdentity
4. MANAGING DIGITAL CERTIFICATES WITH CRYPTOIDENTITY
This chapter explains how to manage Digital Certificates with the CryptoIdentity token.
4.
To reach the Verisign Enrollment Page directly:
(if Internet Explorer is used) https://digitalid.verisign.com/client/class1MS.htm
(if Netscape is used) https://digitalid.verisign.com/client/class1Netscape.htm
If you reached the Enrollment Page from a previous link, jump to the "Complete enrollment form" sub-step.
- Make sure to select 60 day Trial Class Digital ID:
- Then follow the instructions regarding the browser used:
- For Netscape: confirm the security strength is 1024 and submit the form.
- At this stage Netscape asks where to generate the private key. Select the CryptoIdentity token, click OK, and then insert the CryptoIdentity PIN.
Check e-mail
- An e-mail is sent a few minutes after the enrollment form has been filled out and submitted/accepted; this e-mail contains the instructions for the next steps and a unique Personal Identifier Number. Copy that number to the clipboard.
Pick up the Digital ID
- Go to the URL address included in the e-mail, paste the Personal Identifier Number described in step 2 into the proper field, and click submit.
4.1.1.2 THAWTE
To obtain a Digital Certificate from the Thawte CA and store it into CryptoIdentity, follow these instructions carefully.
• Plug a CryptoIdentity token into a USB port and then go to the Thawte web site (www.thawte.com).
• Select "Products" and click "Personal Email Certificates" from the loaded page.
• Click "Join".
- Choose "AR Base Cryptographic Provider" as CSP. This is very important, otherwise the certificate is not stored into the CryptoIdentity token. Make sure the CryptoIdentity USB token is plugged in. Select Next.
- Type the CryptoIdentity PIN in the window that pops up. Wait while the CryptoIdentity USB token generates the unique private key.
- At the end of the process, select Certificate Manager.
4.1.2.1 IMPORTING THROUGH NETSCAPE
Using Netscape 4.x, it is possible to import certificates saved in PKCS#12 format into the CryptoIdentity token. Proceed with the following steps:
• Plug CryptoIdentity into a USB port.
• Launch Netscape Navigator.
• Click on the Security button on the Navigation Toolbar (or from the menu bar select Communicator-> Tools-> Security Info).
Select the CryptoIdentity token. Press OK.
• Insert the CryptoIdentity PIN and press OK.
• Select the file where the .p12 or .pfx certificate is stored. To view the .pfx file list, change Files of type: to All Files (*.*).
• Press Open. A window like this should pop up. Insert the password protecting the file:
• A confirmation message pops up.
• To see the certificate, choose Yours under Certificates in the Security Info screen.
• Now manage the imported certificate stored into CryptoIdentity for the desired purposes with Netscape.
4.1.2.2 IMPORTING THROUGH IMPORTPKCS12
To import a certificate from a .p12 or .pfx file, please refer to section "3.4 ImportPKCS12".
4.2 VIEWING DIGITAL CERTIFICATES
Once there is a certificate stored into the CryptoIdentity token, it is possible to view it through the Microsoft System Certificates Store or the AR Genie utility. The next sections give detailed instructions.
4.2.
• Click on the Certificates button; the Certificates store appears:
• From the Personal tab it is possible to view all the certificates (both the certificates stored into the CryptoIdentity token and the certificates present in the system certificate store).
• From the certificates list, select a certificate stored into the token and then click View to see its details.
• The certificate details window is displayed as follows:
• By clicking on the Details tab, it is possible to see all the certificate details (Serial Number, Issuer, Expiration date, e-mail associated, etc.
If a certificate stored into a CryptoIdentity is properly displayed in the system certificates list, it is available for use with common Microsoft applications and any other software compliant with the Microsoft Crypto API/CSP mechanism (e.g., Cisco VPN client). Furthermore, PKCS#11 applications (e.g., Netscape) will be able to work with the certificate.
• The window contains a list of the digital certificates and other public keys and objects stored into the CryptoIdentity. To also see the private objects, log in to the token (select the Token->Login menu and insert the CryptoIdentity PIN).
• To see the details of an object, just double-click it or select the Objects-> View menu.
• You can sort the object list by object Size, Type, Label, ID, Private.
4.
In the Verisign "Complete Enroll Form" page, DO NOT choose the "AR Base Cryptographic provider" as "CSP". To generate a certificate into the Microsoft System Store instead of into the CryptoIdentity token, select "Microsoft Base Cryptographic Provider v 1.0" as "CSP":
• Complete the procedure as described in the section "4.1.2.1 Verisign" to obtain your digital certificate (check e-mail, pick up digital ID, install digital ID).
• The digital certificate that has just been issued into the Certificate System Store should be present in the Certificates list. In the example, the "Eutron01" certificate issued from Verisign CA is present.
• Select the certificate and press the Export button.
• The "Certification Export Wizard" window appears. Click Next.
• Select the PKCS#12 format to create a .pfx or .p12 file.
• Set a password to protect your digital credentials and private key.
• Set the name of the .pfx or .p12 file that is about to be created.
• A summary appears. Click Finish to complete the exporting process.
• A warning message appears to inform you that the private key associated with the digital certificate is about to be exported. Click OK.
• A confirmation message appears. The .p12 or .pfx file is created and contains the backup of digital credentials (including the private key).
• It is now possible to import the PKCS#12 file created into the CryptoIdentity token.
CryptoIdentity User Guide – 5. Working with CryptoIdentity and Applications
5. WORKING WITH CRYPTOIDENTITY AND APPLICATIONS
This chapter provides detailed instructions on how to use CryptoIdentity with e-mail clients and PKI software (Entrust).
5.1 MAIL CLIENTS
The next sections give detailed instructions to configure Outlook Express, Microsoft Outlook and Netscape Messenger to send/receive secure e-mails.
• Select the Mail tab from the Internet Accounts screen.
• Select the e-mail account to be used for secure e-mails and press the Properties button. The properties screen for the selected mail account is displayed.
Make sure to fill the "E-mail address" and "Reply address" fields with the e-mail address for which the certificate has been issued.
• Select the Security tab from the account properties screen.
• Select the digital certificate issued to the current account (e-mail address) to allow Outlook Express to digitally sign the e-mails. Press the Select button in the Signing Certificate section. Outlook Express lists all the certificates issued to the current account, including the certificates stored into CryptoIdentity.
• Highlight the certificate and press OK.
If no digital certificates appear in the list, it means that no certificates issued to the current account are found in the System Certificate Store. Make sure that during the certificate enrollment, the e-mail address of the current account has been specified.
• Repeat the process to select an Encryption Certificate if necessary. This allows other users to encrypt e-mails they send to you.
• Fill in the recipient e-mail address and the subject fields and compose the message as usual. Then click Send.
• Outlook Express automatically signs the e-mail using the digital certificate stored into the CryptoIdentity.
• Open the Sent Items list; the e-mail appears with a red ribbon. This means it has been digitally signed:
To encrypt the e-mails:
• Obtain the digital certificates of the recipients for which you want to encrypt the e-mails. Each certificate must be added into the Outlook Express address book.
By receiving a signed e-mail from the recipient. Signing an e-mail usually appends the digital certificate to the e-mail message.
- When a digitally signed e-mail is received and opened through Outlook Express (from version 5 on), a new contact (the e-mail sender) and the associated digital credentials are automatically added into the address book.
• Press To:-> and select a recipient from the list. Recipients that have an associated Digital ID can be identified by a red ribbon in the address book:
• Double click the recipient or click To: ->.
• Click OK to add the recipient to the new e-mail message.
• To make sure that the contact has an associated digital certificate, right click on the recipient in the To-> field and select Properties.
• Click the Digital IDs tab. The certificate associated with the contact is shown:
• Click Send to send the encrypted e-mail to the recipient.
If no CryptoIdentity containing the sender's digital credentials is plugged into a USB port, a message appears to advise that it will not be possible (for the sender) to decrypt the message anymore and to access it in the Sent Items list.
To open an encrypted e-mail:
• Plug in the CryptoIdentity containing the valid digital credentials to decrypt the message.
• Click on an encrypted e-mail to open it. The encrypted e-mails are recognized by a blue padlock:
• To decrypt and open the e-mail, the CryptoIdentity PIN is required. Insert it to proceed:
• A preview reminds you that the message was encrypted.
5.1.2 MICROSOFT OUTLOOK 2000
The next sections give detailed instructions to configure Microsoft Outlook 2000 to send/receive secure e-mails using the CryptoIdentity token.
5.1.2.1 OUTLOOK EXPRESS CONFIGURATIONS
To enable secure e-mails with Microsoft Outlook 2000, follow these steps:
• Obtain a digital certificate and store it into CryptoIdentity. Refer to section "4.
Make sure to fill the "E-mail address" and "Reply address" fields with the e-mail address for which the certificate has been issued. You can obtain the e-mail address associated with the certificate by viewing the certificate details. Refer to section "4.2.1 Viewing Certificates through Microsoft certificates store" for detailed instructions.
• Set the account settings and press OK. Return to the Microsoft Outlook 2000 main menu.
• Click the Settings button. The Change Security Settings window appears:
• To select the certificate to be used for digitally signing e-mails, press the Choose button in the Signing Certificate section. Microsoft Outlook 2000 lists all the certificates issued to the current account, including the certificates stored into CryptoIdentity.
• Highlight the certificate issued to the current account and press OK.
Make sure to select the digital certificate stored into CryptoIdentity that was issued for the mail account to be used for secure e-mails.
• Repeat the process to select an Encryption Certificate if necessary. This allows other users to encrypt e-mails they send to you.
• Choose an Encryption Algorithm from the drop down box.
5.1.2.2 SECURE EMAIL-S WITH MICROSOFT OUTLOOK 2000
In order to send/receive secure e-mails with Microsoft Outlook 2000, carefully follow the instructions below.
To digitally sign the e-mails:
• Configure the Microsoft Outlook 2000 account as explained in the section "5.1.2.1 Microsoft Outlook 2000 configurations".
• Request a personal certificate for the account used and store it into the CryptoIdentity token. Refer to section "4.
• Click Close to confirm the new settings.
• In the message window, fill in the recipient e-mail address and the subject fields and compose the message as usual. Then click Send.
• Microsoft Outlook 2000 automatically signs the e-mail using the digital certificate stored into the CryptoIdentity. The CryptoIdentity PIN is required before the signed e-mail is sent:
• Wait while the e-mail is digitally signed.
• There are two ways to obtain the digital credentials of a recipient and store them into the address book:
By mailing or transferring on diskette the certificate file. Ask the recipient to provide his digital credentials included in a file, and then import them into the address book.
- In the Contacts address book, find the recipient (if it does not exist, create a new contact).
• In the Message Options window, mark the Encrypt message contents and attachments option.
• Click Close to confirm the new settings.
• In the message window, press To:-> and select a recipient from the list.
• Double click the recipient or click To: ->.
• Click OK to add the recipient to the new e-mail message.
• To make sure that the contact has an associated digital certificate, right click on the recipient in the To-> field and select Properties.
• Click the Digital IDs tab. The certificate associated with the contact is shown:
• Click Send to send the encrypted e-mail to the recipient.
To open an encrypted e-mail:
• Plug in the CryptoIdentity containing the valid digital credentials to decrypt the message.
• Click on an encrypted e-mail to open it. The encrypted e-mails are recognized by a blue padlock:
• To decrypt and open the e-mail, the CryptoIdentity PIN is required. Insert it to proceed:
• A preview reminds you that the message was encrypted.
If you try to open an encrypted e-mail without inserting the CryptoIdentity where the proper digital credentials are stored, an error appears:
Microsoft Outlook 2000 does not allow replying with an encrypted e-mail to a signed e-mail. To do that you need to create a new encrypted e-mail addressed to that specific contact.
5.1.3 NETSCAPE MESSENGER 4.7
Next sections explain the detailed instructions to configure Netscape Messenger 4.7 to send\receiv
• In the Security Info Panel, open the Cryptographic modules section and verify if the CryptoKit module is present:
• If the CryptoKit security module is not installed, it is possible to add it by installing or maintaining the CryptoKit. When selecting the CryptoKit components to install, select the "Netscape" option. The CryptoKit security module will be automatically installed. For details refer to sections "2.
• If the certificate and related Certificate Signer's Certificate (which is the certificate of the Certification Authority who issued it) are available, this message appears:
• If the certificate stored into CryptoIdentity or the related Certificate Signer are not available, an error appears.
Using Netscape Messenger 4.
• Select the menu Communicator->Tools->Security Info and open the Messenger section. Select the digital certificate stored into CryptoIdentity to be used to digitally sign the e-mails:
• Click OK to confirm the new settings.
More information is available in the Netscape Messenger Help. Open it and view the "Security" topic.
5.1.3.2 SECURE EMAIL-S WITH NETSCAPE MESSENGER 4.7
In order to send\receive secure e-mails with Netsca
• Request a personal certificate for the Identity used and store it into the CryptoIdentity token. Refer to section "4.1 Storing certificates into CryptoIdentity" for detailed instructions.
• Plug the CryptoIdentity containing the digital credentials used for digital signing into a free USB port.
To encrypt the e-mails:
• Obtain the digital credentials of the recipients for which you want to encrypt the e-mails. Each certificate must be added into the Netscape Messenger Other People's Certificates panel. To open the Other People's Certificates panel, open the Security Info->Certificates->People section.
• Fill in the recipient e-mail address and the subject fields and compose the message as usual.
• Make sure that the recipient's digital credentials are available to perform the encryption. To do this, click the Security button and open the Certificates->People section.
To open an encrypted e-mail:
• Plug in the CryptoIdentity containing the valid digital credentials to decrypt the message.
• Click on an encrypted e-mail to open it. The CryptoIdentity PIN is required. Insert it to proceed:
• The e-mail is automatically decrypted using the digital credentials stored into the CryptoIdentity token.
5.2 MICROSOFT VPN
To authenticate to a Microsoft VPN using digital credentials stored into a CryptoIdentity token, please refer to the "Microsoft VPN PPTP with CryptoKit" guide (file "CK_VPN_PPTP.pdf") located in the "\doc" folder.
5.
• Entrust will be automatically adjusted to work with CryptoIdentity. For details regarding the CryptoKit installation refer to sections "2.1 Installing CryptoKit" and "2.1.2 Maintaining CryptoKit".
• The process could take some minutes:
• At the end, reboot the machine.
• Log in to Windows.
• Insert a CryptoIdentity into a free USB port.
• When requested, select the Store profile on hardware token (card) option. When it is selected, the profile will be stored into CryptoIdentity.
• Insert a Profile name, and click Next in the next windows to start the profile creation/recovery. The CryptoIdentity PIN is required; insert it to proceed:
• Wait while Entrust stores the profile into the CryptoIdentity token.
CryptoIdentity User Guide – 6. Developing Applications integrated with CryptoIdentity
6. DEVELOPING APPLICATIONS INTEGRATED WITH CRYPTOIDENTITY
The Microsoft CAPI and PKCS#11 standards make it possible to create an application that takes advantage of the CryptoIdentity cryptographic functions. More information is available in the "AR CryptoKit Developer's Guide ver 3.6" (file "Ckit_360.pdf"). The next sections introduce the PKCS#11 standard and Microsoft CAPI.
6.
6.2 PKCS#11 STANDARD
The PKCS#11 (or Cryptoki) standard specifies an application programming interface (API) for devices such as CryptoIdentity, which hold cryptographic information and may perform cryptographic functions.
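As an added example (not code from this guide or from the CryptoKit SDK), the C code below shows how a PKCS#11 application can read the PIN-lock state described earlier (PIN locked after 12 wrong attempts, Security Officer PIN locked after 6) from the flags field of CK_TOKEN_INFO returned by C_GetTokenInfo, and decide what to do before another login attempt burns the counter. The flag values are the standard Cryptoki constants; that CryptoKit sets them on a CryptoIdentity token is an assumption, and the enum and function names are hypothetical.

```c
#include <stdio.h>

/* CK_TOKEN_INFO.flags bits, values as published in the PKCS#11 (Cryptoki)
 * specification. Defined inline so the example builds without a vendor
 * pkcs11.h; in a real application they come from that header and the
 * flags value comes from C_GetTokenInfo(). */
typedef unsigned long CK_FLAGS;
#define CKF_USER_PIN_COUNT_LOW 0x00010000UL /* wrong PIN entered since last good login */
#define CKF_USER_PIN_FINAL_TRY 0x00020000UL /* one more wrong PIN locks the user PIN   */
#define CKF_USER_PIN_LOCKED    0x00040000UL
#define CKF_SO_PIN_COUNT_LOW   0x00100000UL
#define CKF_SO_PIN_FINAL_TRY   0x00200000UL
#define CKF_SO_PIN_LOCKED      0x00400000UL

typedef enum { PIN_OK, PIN_COUNT_LOW, PIN_FINAL_TRY, PIN_LOCKED } pin_state;

/* Hypothetical action codes for a help-desk or login front end. */
typedef enum {
    ACT_PROCEED,        /* normal PIN prompt */
    ACT_WARN_USER,      /* show a warning, never retry automatically */
    ACT_REINITIALIZE,   /* user PIN locked: re-initialize with the SO PIN */
    ACT_NO_REINIT_PATH, /* SO PIN locked: token cannot be re-initialized */
    ACT_UNRECOVERABLE   /* both locked: no recovery path in the guide */
} action;

/* Most severe condition wins: a locked PIN may still carry the other bits. */
static pin_state classify(CK_FLAGS f, CK_FLAGS low, CK_FLAGS final_try,
                          CK_FLAGS locked)
{
    if (f & locked)    return PIN_LOCKED;
    if (f & final_try) return PIN_FINAL_TRY;
    if (f & low)       return PIN_COUNT_LOW;
    return PIN_OK;
}

pin_state user_pin_state(CK_FLAGS f)
{
    return classify(f, CKF_USER_PIN_COUNT_LOW, CKF_USER_PIN_FINAL_TRY,
                    CKF_USER_PIN_LOCKED);
}

pin_state so_pin_state(CK_FLAGS f)
{
    return classify(f, CKF_SO_PIN_COUNT_LOW, CKF_SO_PIN_FINAL_TRY,
                    CKF_SO_PIN_LOCKED);
}

/* Map the two PIN states to what the guide allows: a locked user PIN is
 * fixed by re-initialization, which itself needs a working SO PIN. */
action next_action(CK_FLAGS f)
{
    pin_state u = user_pin_state(f), so = so_pin_state(f);
    if (u == PIN_LOCKED && so == PIN_LOCKED) return ACT_UNRECOVERABLE;
    if (u == PIN_LOCKED)                     return ACT_REINITIALIZE;
    if (so == PIN_LOCKED)                    return ACT_NO_REINIT_PATH;
    if (u != PIN_OK || so != PIN_OK)         return ACT_WARN_USER;
    return ACT_PROCEED;
}

/* Software that replays a cached PIN must stop as soon as one attempt
 * has failed, otherwise it can lock the token without user interaction. */
int may_auto_retry_user_pin(CK_FLAGS f)
{
    return user_pin_state(f) == PIN_OK;
}

static const char *action_name(action a)
{
    static const char *names[] = { "proceed", "warn user", "re-initialize",
                                   "no re-init path", "unrecoverable" };
    return names[a];
}

int main(void)
{
    /* Constructed sample flag words, not read from a real token. */
    CK_FLAGS samples[] = {
        0x0000040DUL,                                    /* healthy token */
        0x0000040DUL | CKF_USER_PIN_COUNT_LOW,
        0x0000040DUL | CKF_USER_PIN_LOCKED,
        0x0000040DUL | CKF_SO_PIN_LOCKED,
        0x0000040DUL | CKF_USER_PIN_LOCKED | CKF_SO_PIN_LOCKED
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%08lx -> %s\n", samples[i],
               action_name(next_action(samples[i])));
    return 0;
}
```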
CryptoIdentity User Guide – 7. Frequently Asked Questions and Troubleshooting
7. FREQUENTLY ASKED QUESTIONS AND TROUBLESHOOTING
This chapter provides CryptoIdentity general troubleshooting and FAQ. To access the updated CryptoIdentity FAQ section you can visit: http://www.eutroninfosecurity.com/pub/CryptoIdentity/FAQ
1. I have lost the CryptoIdentity PIN, or the CryptoIdentity PIN is locked. What can I do?
The solution is to re-initialize the CryptoIdentity, in order to set a new PIN.
Probably, there is an active process which accesses the CryptoIdentity, and this causes the problem. For example, if the Microsoft Smartcard logon mechanism is enabled, the CryptoIdentity is not available for the initialization because it is already in use by Smartcard logon related processes. To solve the problem, you may try to unplug the CryptoIdentity and re-plug it into the USB port.
button. You can export the certificate stored into CryptoIdentity in the same way you export a certificate stored into the System Store. An example of how to export a certificate from the System Store is described in section "4.3.1 How to backup digital credentials" (start from the "Select the certificate and press the Export button.." step).
8.
12. Is it possible to enable Smartcard Logon through CryptoIdentity on a Terminal Server machine?
Yes, it is possible if Terminal Server services are running on a Windows 2003 server machine. The client machines must have installed W2K, XP or 2003. In any other case, it is not possible because the smartcard support is not provided by the operating system.
13.
CryptoIdentity User Guide – Appendix
APPENDIX
EUTRON INFOSECURITY CUSTOMER SERVICE
Eutron Infosecurity offers free technical support. If you need technical assistance, do not hesitate to contact Eutron Infosecurity Customer Service at:
e-mail: helpdesk@eutron.com
Telephone: +39 035697055 (14.00 - 17.00 CET, from Monday to Friday)
For other information, please contact:
Internet site: http://www.eutron.com/
Email: info@eutron.