ePass2003 User Guide V1.1 Feitian Technologies Co., Ltd. Website: www.FTsafe.
Revision History:
Date         Revision   Description
May. 2011    V1.0       Release of the first version
Sept. 2011   V1.1       Update some pictures and text
Copyright © Feitian Technologies Co., Ltd. Website: www.FTsafe.
Software Developer’s Agreement
All Products of Feitian Technologies Co., Ltd. (Feitian) including, but not limited to, evaluation copies, diskettes, CD-ROMs, hardware and documentation, and all future orders, are subject to the terms of this Agreement.
6. Termination – This Agreement shall terminate if you fail to comply with the terms herein. Items 2, 3, 4 and 5 shall survive any termination of this Agreement.
Contents
Chapter 1 RunTime Installation
1.1 Supported Platform
1.2 Preparing for Installing ePass2003
1.
Chapter 1 RunTime Installation
1.1 Supported Platform
Windows Platform:
  Windows 2000
  Windows XP x86/x64
  Windows 2003 x86/x64
  Windows Vista x86/64
  Windows 2008 x86/x64
  Windows 7 x86/x64
Linux
Mac OS
1.
Figure 1 select language
2. After selecting the language, click “OK”. The following welcome interface appears:
Figure 2 welcome interface
3. Click “Next”. The following select install path interface appears:
Figure 3 select install path
4. Click “Next”. The following choose CSP interface appears:
Figure 4 choose CSP
Note: ePass2003 supports Private CSP and Microsoft CSP. For older Windows systems such as Windows 2000/XP, users must install patch KB909520 to enable the option ‘Microsoft CSP’. Private CSP is provided by FEITIAN; the CSP name is “EnterSafe ePass2003 CSP v1.0”.
Figure 6 install completed
7. Click “Finish” to finish the installation.
1.4 Uninstalling ePass2003 Runtime
After installing the ePass2003 runtime, you can uninstall it through the following methods:
Use “Add or Remove Programs” to uninstall
Open the “start” menu, select “Control Panel”, double-click “Add or Remove Programs”, choose “ePass2003 (Remove only)” in the “Currently installed programs” list, then click “Change/Remove”.
Figure 7 uninstall wizard interface
2. Click “Uninstall”. The following uninstall process interface appears:
Figure 8 uninstall process
3. After the uninstall process finishes, the following interface appears:
Figure 9 uninstall completed
4. Click “Finish” to close the uninstall wizard. ePass2003 has now been uninstalled from your computer.
Chapter 2 ePass2003 Token Manager
2.1 Prerequisite
Because the Manager is based on the middleware of ePass2003 and needs to access the token, you must have installed the ePass2003 product on your computer before using the Manager. The token must be PKI initialized before use.
2.2 Overview
2.2.1 Interface without USB Key Insertion
You can find the shortcut for the Manager by clicking Start -> All Programs -> EnterSafe -> ePass2003. Click the shortcut to start the Manager.
2.2.2 Interface with USB Key Insertion
Connect ePass2003 to a USB port on your computer. The Manager will recognize it immediately as follows:
Figure 11 USB Key Inserted
Note: The total private memory space and the free private memory space refer to the PIN protected spaces. Since the private key is extremely sensitive and it is managed by the COS, it doesn’t show the total private memory space and the free private memory space.
2.2.
Figure 12 Login dialog box
Note: When the PIN input dialog is displayed, the Manager will start the safe desktop. In this state, only the box is highlighted. Apart from input in the box, most other operations are disabled. Optionally, you can use a soft keyboard by checking the Soft keyboard option here to avoid monitoring by a potential Trojan program.
Figure 13 Soft Keyboard
Note: The physical keyboard is disabled when you are using the soft keyboard.
Figure 14 Logged In
If you type an incorrect password in the PIN input box, the following interface appears:
Figure 15 Incorrect PIN Prompt
Note: There is a limit on the number of incorrect PIN inputs. If this number reaches 9, the token will be locked. You cannot perform any operations with it in this case.
2.4 Certificate Management
After you have logged into the Manager, you can view certificate information, import a certificate, delete a certificate etc.
2.4.1 Viewing Certificate Information
1. Click the “+” on the left side of a container (folder icon) in the token list or double-click the icon to display its content. Click the “+” on the left side of a certificate icon to display the key-pair. When a certificate is selected, the Certificate View button is enabled.
Figure 16 Viewing Certificate Information
2.
Figure 17 Certificate Information
You can view the information you are interested in.
2.4.2 Importing
Currently, ePass2003 supports the following certificate types: P12, PFX, P7B, CRT and CER. The P12 and PFX types contain a key-pair (a public key and a private key), while the P7B, CRT and CER types do not. The PFX and CER types are used as examples below.
2.4.2.1 Importing PFX Certificate
Click the Import button in the main interface of the Manager. The following interface appears.
Figure 18 Certificate Import
2.4.2.2 Importing P7B Certificate
Click the Import button in the main interface of the Manager. The following interface appears. Click the Browse button to choose a P7B certificate to be imported. You must create a container to store the certificate. Since the P7B certificate does not contain a key-pair, it can only be used for exchanging. Click OK.
Figure 19 Certificate Import
2.4.3 Exporting
You can export a certificate from the token to a file. From the tree view in the main interface of the Manager, choose the certificate to be exported and click the Export button. A dialog box appears. Specify a path to the certificate file and its name.
Figure 20 Certificate Export Path
Click Save. If the operation has succeeded, the following message will appear:
Figure 21 Successful Export
Note: The private/public key-pair cannot be exported.
2.4.4 Deletion
1. From the tree view of the main interface of the Manager, choose the certificate you want to delete and click Delete. The following interface appears:
Figure 22 Deleting Certificate
2. Click Yes if you do want to delete the selected certificate. In the same way, you can delete the keys or containers in ePass2003. If you select ePass2003 and click Delete, all containers, certificates and keys in the token will be deleted.
2.5 Changing Token Name
Generally, the token is distinguished by serial number. For convenience, the token can be given a common name.
1. Click the Change Token Name button.
Figure 24 Changing User PIN
You can also enter the PINs with a soft keyboard. To do so, check Soft keyboard.
Figure 25 Soft Keyboard Input
You can check the Check intensity option to see the security strength of the PIN you have set. “L” surrounded by red means “Low”.
Figure 26 Low Strength
If the strength is higher, the following interface appears:
Figure 27 Medium Strength
We recommend long PINs made up of lower and upper-case letters, numbers and special characters.
Figure 28 High Strength
After you click OK, the following interface may appear:
Figure 29 PIN Changed
The above description is for the user version of Manager. The admin version incorporates some additional functions. The main interface includes a triangle button for switching buttons.
Figure 30 Admin Version – Main Interface 1
Click this button. The following interface appears:
Figure 31 Admin Version – Main Interface 2
2.7 Unlocking (Admin Version Only)
The Admin version can be used to unlock a token. Click the Unlock button in the main interface. The following interface appears:
Figure 32 Unlock Dialog Box
You can use a soft keyboard to enter PINs. If you select the Soft keyboard option, the following interface appears:
Figure 33 Soft Keyboard
You can also select the Check intensity option to see the security strength of the PIN you have set. Enter an SO PIN, then type and confirm a new PIN. Click OK. The following interface may appear:
Figure 34 Unlocking Succeeded
2.8 Initializing (Admin Version Only)
Click the Initialize button in the main interface. The following interface appears:
Figure 35 Initialization Dialog Box
After completing all parameters, click OK. The following prompt is displayed:
Figure 36 Confirming Initialization
Click Yes to start the initialization. If the operation is performed successfully, the following interface appears:
Figure 37 Successful Initialization
2.9 Changing SO PIN (Admin Version Only)
Click Change SO PIN in the main interface. The following interface appears:
Figure 38 Changing SO PIN
Use a soft keyboard to avoid potential attacks. If you select the Soft keyboard option, the following interface appears:
Figure 39 Changing SO PIN Using Soft Keyboard
You can also select the Check intensity option to see the security strength of the SO PIN you have set. Enter the old SO PIN, then enter a new SO PIN and confirm it. Click OK.
Chapter 3 Windows PIN Management
3.1 Overview
EnterSafe Minidriver is a new smart card minidriver developed by EnterSafe according to the Microsoft Windows Smart Card Framework. The new Windows smart card architecture leverages the fact that the cryptography required in common at the top is separate from the unique smart card hardware interfaces at the bottom.
legacy versions of Windows. Users can change the PIN as described below.
3.2.1.1 Changing a User PIN with Windows 2000, XP or Server 2003
Before changing a user PIN with Windows 2000, XP or 2003, users should download and install the update package KB909520 to enable the Smart Card PIN Tool. After installing the update package, users can use the PIN Tool to change a User PIN as follows:
1. Select Start/Run and type PinTool. The following dialog box appears.
such as password changes and now smart card PIN management. To change the PIN of the smart card in Windows Vista, perform operations as follows:
1. Press Ctrl+Alt+Delete to access the Secure Desktop screen.
2. Select the Change a Password option.
3. Attach EnterSafe Minidriver to a USB Port of the computer.
4. Select the smart card user tile.
5. Enter the old PIN, the new PIN and confirm the new PIN in the appropriate fields.
Note: The EnterSafe Minidriver default maximum number of wrong PIN attempts is 10.
3.2.2.1 Example Unblock Procedure
The smart card unblock functionality requires the use of an Administrative key that the regular end user should not have direct access to. The user will require support from a Security Officer to complete this operation. To protect the confidentiality of the Admin Key, the Unblock Card procedure does not require the end user to present the Admin key directly.
Figure 43 Smart Card PIN Tool – Unblock
With the blocked Token attached to the USB port, when the user clicks the Unblock button, the Smart Card returns the 16 digits of Challenge and enables the Response, New PIN and Confirm New PIN fields, so that the user can enter the corresponding values according to the process previously described.
Object Editor snap-in in the Microsoft Management Console (MMC).
1. Click Start button, type MMC in the Start Search field and then press Enter.
2. When prompted to run Command Prompt as an administrator, click Allow. This will open the Microsoft Management Console dialog.
3. In the Console 1 dialog, click on the File menu and select Add/Remove Snap-in.
4.
Figure 45 Unblock Smart Card setting
8. Select the Enabled option button, and then click OK, as shown in the following image:
Figure 46 Enabled Unblock Smart Card
At this point, the Smart Card Unblock screen can also be configured via Group Policy to display a custom string. This string can be used to provide a deployment-specific phone number for users to call to obtain the response to the smart card administrator challenge. You can set the custom string as follows:
9.
Figure 47 Display string when smart card is blocked Properties
3.2.2.3.2 Unblocking a Smart Card with Windows Vista, 2008 and Windows 7
As with the Change PIN function, the Smart Card Unblock is integrated into the Windows Vista, 2008 and Windows 7 Secure Desktop. However, it is not configured by default and must be explicitly enabled via Group Policy as described in 2.2.3.1.
Figure 48 Secure Desktop – Smart Card Unblock
3.2.2.4 Administrator Tools for Card Unblock
The Smart Card Unblock procedure requires the administrator to be able to calculate the Response to a Challenge provided by the smart card of any end users that he/she is responsible for. This in turn means that the administrator shall:
1. Know or somehow have access to, the administrative key values for all smart cards in use.
2.
Appendix: Terms and Abbreviations
Entry: ePass2003
Description: A smart card based token with FIPS proved for PKI applications, introduced by Feitian Technologies. It is designed for PKI application systems.
Entry: CryptoAPI Interface (CAPI)
Description: An interface used for cryptography operations, provided by Microsoft. It provides cryptographic algorithm encapsulation of equipment irrelevant or implemented by software.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation. Attention that changes or modification not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment.