
IDPrime .NET Administration and User Guide

All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information. This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. 
It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. Copyright 2007-13 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

Printed in France.

Document Reference: DOC1292251A May 16, 2013

www.gemalto.com

Contents

Introduction ... vii
  Who Should Read This Book ... vii
  Documentation ... vii
  Conventions ... vii
    Windows Versions ... vii
    Typographical Conventions ... vii
  Additional Resources ... viii
  For Further Help ... viii
  If You Find an Error ... viii

Chapter 1  Introduction to IDPrime .NET Smart Cards ... 1

Chapter 2  Installing the IDGo 500 Minidriver dll with Windows Update ... 3
  Introduction ... 3

Chapter 3  Installing Additional Components for Windows 7 & Later ... 8
  Introduction ... 8
    The IDGo 500 Credential Provider ... 8
    The IDGo 5000 Biometric Solution ... 8
    The IDGo 500 Minidriver dll ... 8
  System Requirements ... 9
    Software and Middleware Requirements ... 9
    Hardware Requirements ... 9
  Installation ... 9
    Installation Recommendations ... 9
    Installing the Smart Card Reader ... 9
    Installing the IDPrime .NET Additional Components for Windows 7 and later ... 9
    Modifying the IDPrime .NET Additional Components Installation ... 12
  Uninstallation ... 12
  User Certificate Enrollment ... 13

Chapter 4  PIN Use Cases ... 14
  Changing the User PIN ... 14
    Windows XP and Server 2003 ... 14
    Windows Vista or later (without IDGo 500 Credential Provider) ... 15
    Firefox ... 17
  Unblocking the User PIN ... 18
    The Unblock Card Procedure ... 18
    Windows XP and Server 2003 ... 19
    Windows Vista or later (without IDGo 500 Credential Provider) ... 20
    Administrator Tools for Card Unblock ... 21
    Automated Card Unblock ... 22

Chapter 5  Other Use Cases ... 23
  Logging on Using an IDPrime .NET Card ... 23
  Encrypting and Signing E-mails ... 26
    In Microsoft Outlook ... 26
    In Microsoft Live Mail ... 28
    In Mozilla Thunderbird ... 28
  Encrypting and Signing Other Information ... 31
  SSL Authentication to Secure Web Sites ... 32
  How to Test and Manage IDPrime .NET Test Cards ... 33

Chapter 6  The Gemalto IDGo 500 Credential Provider ... 34
  IDGo 500 Credential Provider Features ... 34
    Multiple PIN Policy Support ... 34
    Change PIN at First Use ... 35
    Single Sign-On ... 36
  User Tasks ... 36
    Logging on Using an IDPrime .NET Card ... 36
    Changing a User PIN ... 39
    Unblocking a User PIN ... 41

Appendix A  Enabling Unblock Card in Windows Vista, 7 and 8 ... 43

Appendix B  Activating the IDGo 500 Credential Provider PIN List ... 47

Terminology ... 48
  Abbreviations ... 48
  Glossary ... 48

References ... 50
  Standards and Specifications ... 50
  Recommended Reading ... 50


List of Figures

Figure 1 - Microsoft Update Catalog (Windows 8) ... 4
Figure 2 - Microsoft Update Catalog (Other Windows Versions) ... 4
Figure 3 - MU Catalog - Download Options Page ... 4
Figure 4 - Installing the Minidriver dll ... 5
Figure 5 - Update Driver Software ... 5
Figure 6 - Select Your Device's Type Window ... 6
Figure 7 - Install From Disk Window ... 6
Figure 8 - Select The Device's Driver Window ... 7
Figure 9 - Select Your Device's Type Window (showing Minidriver) ... 7
Figure 10 - Custom Setup Window ... 10
Figure 11 - Custom Setup Window - Options For Each Item ... 11
Figure 12 - Smart Card PIN Tool (Change PIN Tab) ... 15
Figure 13 - Windows Seven Secure Desktop ... 16
Figure 14 - Windows Seven Smart Card Change PIN Window ... 16
Figure 15 - Mozilla Firefox Encryption Options Dialog ... 17
Figure 16 - Device Manager ... 17
Figure 17 - Change Master Password Window ... 18
Figure 18 - Smart Card PIN Tool (Unblock PIN Tab) ... 20
Figure 19 - Smart Card Unblock Screen (Windows Seven) ... 21
Figure 20 - Welcome to Windows Screen ... 23
Figure 21 - Windows Log On Dialog Box ... 24
Figure 22 - First Windows Vista Screen ... 24
Figure 23 - Vista Logon Window 2 ... 25
Figure 24 - Window Vista Select User ... 25
Figure 25 - Windows Vista Insert a Smart Card Window ... 25
Figure 26 - Windows Vista Smart Card User Displayed ... 26
Figure 27 - Security Properties Dialog Box ... 27
Figure 28 - Change Security Settings Dialog Box ... 27
Figure 29 - Outlook 2007 Encryption Icon ... 28
Figure 30 - Outlook 2007 Signature Icon ... 28
Figure 31 - Thunderbird Write Icon ... 28
Figure 32 - Thunderbird Encrypt This Message ... 29
Figure 33 - Thunderbird Account Settings ... 29
Figure 34 - Thunderbird Use Same Certificate Message ... 30
Figure 35 - Thunderbird Account Settings (2) ... 30
Figure 36 - Powerpoint Signature Window ... 31
Figure 37 - The Sign Window ... 31
Figure 38 - Choosing the Signature Details in Powerpoint ... 32
Figure 39 - Gemalto's .NET Utilities Web Site ... 33
Figure 40 - Relationship Between PIN Roles, Keys and Files (Certificates) ... 35
Figure 41 - Change PIN at First Use Window ... 35
Figure 42 - Windows 7 - Ctrl Alt Del Prompt ... 36
Figure 43 - Windows 7 Password Logon ... 37
Figure 44 - Windows 7 Select User ... 37
Figure 45 - Windows 7 Insert a Smart Card Window ... 38
Figure 46 - Windows 7 Smart Card User Displayed ... 38
Figure 47 - Windows 7 Secure Desktop ... 39
Figure 48 - Windows 7 Secure Desktop - Standard Password Prompt ... 39
Figure 49 - Standard Windows 7 Credential Provider ... 40
Figure 50 - Windows 7 Gemalto Smart Card Credential - Change PIN Window ... 40
Figure 51 - Windows 7 - Change PIN for a Role ... 41
Figure 52 - Windows 7 - Unblock PIN for a Role ... 42
Figure 53 - MMC in Programs Window ... 43
Figure 54 - Add or Remove Snap-Ins dialog box ... 44
Figure 55 - Select Group Policy Object dialog box ... 44
Figure 56 - Browse for a Group Policy Object dialog box ... 44
Figure 57 - Local Computer Policy Objects for Smart Cards ... 45
Figure 58 - Allow Integrated Unblock screen to be displayed ... 45
Figure 59 - Display string when smart card is blocked dialog box ... 46

Introduction

This document describes use cases for Gemalto's IDPrime .NET cards in a Microsoft Windows environment, in particular those that involve a PIN.

Who Should Read This Book


This guide is intended for system integrators who want to integrate IDPrime .NET smart cards in their systems and in particular use the smart card PIN management tools. It describes the smart card framework architecture and provides PIN management use cases. It is assumed that users are familiar with .NET smart cards/tokens and smart card reader technology, as well as computer hardware and software. It is assumed that the IDPrime .NET Smart Cards user has:

- an understanding of the basic operations in a computer OS.
- administrative privileges for the computer on which PKCS#11 for .NET Smart Cards will be installed.

Documentation
For documentation about .NET Cards, please go to Gemalto Product Catalog and consult the Download section at http://www.gemalto.com/products/dotnet_card/

Conventions
The following conventions are used in this document:

Windows Versions
Where this document refers to Windows 7 and 8, it is equally applicable to Windows Server 2008 R2 and Windows Server 2012.

Typographical Conventions
The .NET Smart Cards documentation uses the following typographical conventions to assist the reader of this document.
Convention   Example               Description
Bold         Type myscript.dll     Actual user input or screen output.
>            Select File > Open    Indicates a menu selection. In this example you are instructed to select the Open option from the File menu.



Additional Resources
For further information or more detailed use of IDPrime .NET Smart Cards, additional resources and documentation are available on the following web site: www.gemalto.com/products/dotnet_card

For Further Help


You can find information on how to contact your Gemalto representative by clicking Contact Us at the Gemalto web site, www.gemalto.com.

If You Find an Error


Gemalto makes every effort to prevent errors in its documentation. However, if you discover any errors or inaccuracies in this document, please inform your Gemalto representative. Please quote the document reference number found at the bottom of the legal notice on the inside front cover.

Chapter 1 Introduction to IDPrime .NET Smart Cards
The purpose of this document is to describe the main use cases for Gemalto's IDPrime .NET card in a Microsoft Windows environment, in particular those concerning PINs. The IDPrime .NET range is made up of various cards and tokens containing cards. The following table describes the range:

Table 1 - IDPrime .NET Card Range

Card / Token          Description
IDPrime .NET 510      Standard version, contact only
IDPrime .NET 511      Standard version, hybrid card based on several contactless standards
IDPrime .NET 5500     Standard card with the biometric Match-On-Card option, contact only
IDPrime .NET 5501     Standard card with the biometric Match-On-Card option, hybrid card based on several contactless standards
IDPrime .NET 7510     .NET Display card, contact only
IDPrime .NET 7519     OTP USB token based on IDPrime .NET 510

IDPrime .NET smart cards run a streamlined version of the .NET Framework in order to provide customizable two-factor authentication and full cryptographic capabilities seamlessly within the Windows environment. Now, organizations can easily leverage Gemalto's advanced smart card technology to secure their networks from end to end using a variety of security technologies to meet their needs while dramatically reducing implementation costs and complexity. IDPrime .NET smart cards require Microsoft's Base Smart Card Cryptographic Service Provider (CSP) Package as follows:

- Windows 7 and 8 (and Server 2008 R2 and Server 2012): The base CSP is V7 and is already integrated in Windows 7 and 8.
- Windows Vista (and Server 2008): The base CSP is V6. For Vista SP1, base CSP V6 is already integrated in Vista. However, for pre-SP1, base CSP V6 needs to be downloaded via Windows Update.
- Windows XP and Server 2003: The base CSP is V5. The base CSP V5 must be downloaded via Windows Update.

In a Windows environment users do not need to install any proprietary middleware to use the IDPrime .NET Card. However, integrators of multi-platform solutions can also choose to use the PKCS#11 .NET libraries for portability purposes.


IDPrime .NET smart cards are also compatible with Microsoft's Forefront Identity Manager (FIM) and its predecessor Identity Lifecycle Manager (ILM), a policy and workflow solution for management of the lifecycle of digital certificates and smart cards. Thanks to this high level of integration with Microsoft's operating systems and smart card related security solutions, IDPrime .NET smart cards offer the easiest and most cost efficient solution for implementation of a strong two-factor security infrastructure.

The IDPrime .NET smart card architecture also provides an open platform for the development and implementation of a wide range of security solutions. It works as a seamless companion to the Microsoft .NET environment and service oriented architectures to provide support for on-card applications and services within the Windows environment and to empower application developers through features such as advanced memory management, high security, and tight language integration.

Caution: As the security of the card is built around the Admin Key, it is very important to change its value from the default one.

Chapter 2 Installing the IDGo 500 Minidriver dll with Windows Update
Introduction
The IDGo 500 minidriver dll needs to be installed manually using Windows Update if you are using any of the following operating systems:

- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008

For Windows 7 (and Windows Server 2008 R2) and Windows 8 (and Windows Server 2012), the dll is installed automatically by the Windows plug and play feature when you insert the IDPrime .NET card. However, if your administrator has blocked this function on your computer, you will need to install it using Windows Update as described here or as an additional component as described in Installing the IDPrime .NET Additional Components for Windows 7 and later on page 9. In Windows 7 and Windows 8 you need to make sure that Windows recognizes the smart card as a device, as explained in To make Windows 7 and 8 recognize the smart card as a device: on page 5.

To install the IDGo 500 minidriver dll using Windows Update:

1 Click one of the following links to the Microsoft Update (MU) Catalog, according to your version of Windows:
   For Windows 8: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto%20minidriver%20idprime
   For other versions of Windows: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto%20minidriver%20net
2 If you are prompted to install the MU Catalog ActiveX Control, do so by following the displayed instructions. The catalog displays the list of Gemalto drivers for IDPrime .NET smart cards as shown in Figure 1 on page 4.


Figure 1 - Microsoft Update Catalog (Windows 8)

Figure 2 - Microsoft Update Catalog (Other Windows Versions)

3 Click Add on the latest version of the IDGo 500 minidriver dll.

Note: For Windows 8 this is the one in Figure 1.

4 Click View Basket.
5 Click Download. A Download Options page appears like the one shown in Figure 3 on page 4.

Figure 3 - MU Catalog - Download Options Page

6 Either enter the path of the location where you want to download the driver or use the Browse button to navigate to it. When you have done this, the Continue button appears.
7 Click Continue. The progress window indicates the status of the download.
8 Wait until the Progress column displays Done, then click Close.
9 In Windows Explorer, go to the location where you downloaded the IDGo 500 minidriver dll. It appears as a zipped file with the .cab suffix.
10 Double-click the .cab file to open it.
11 Unzip the contents to a temporary directory on your computer.
12 Right-click the Gemalto.MiniDriver.NET.inf file and choose Install as shown in Figure 4.


Figure 4 - Installing the Minidriver dll

The installation is done.

To make Windows 7 and 8 recognize the smart card as a device:

1 Open Computer Management (Start > Control Panel > System and Security > Administrative Tools > Computer Management).
2 In the left pane, select Device Manager.
3 In the right pane, select Smart Card, right-click and choose Update Driver Software as shown in Figure 5.

Figure 5 - Update Driver Software

4 In answer to the question How do you want to search for driver software? choose Browse my computer for driver software.
5 In the next window, Browse for driver software on your computer, choose Let me pick from a list of device drivers on my computer. This displays the window shown in Figure 6 on page 6.


Figure 6 - Select Your Device's Type Window

6 Choose Smart cards and click Next.
7 In the Select the device driver you want to install for this hardware window, click Have Disk to display the Install From Disk window as shown in Figure 7.

Figure 7 - Install From Disk Window

8 In the Locate file window that opens, browse to the Gemalto.MiniDriver.NET.inf file (in Drivers 7) and click Open.


9 This returns you to the Select the device driver you want to install for this hardware window. Notice that the minidriver now appears under Model as shown in Figure 8.

Figure 8 - Select The Device's Driver Window

10 Click Next. A window appears to tell you Windows has successfully updated your driver software. Click Close. Notice that in the Select your device's type window, the minidriver now appears under Smart cards as shown in Figure 9.

Figure 9 - Select Your Device's Type Window (showing Minidriver)

Chapter 3 Installing Additional Components for Windows 7 & Later
Introduction
IDPrime .NET cards can be used with Microsoft applications without having to install any middleware or software. However, for Windows 7 and Server 2008 R2 and later, there are some additional components you may choose to install as follows:

The IDGo 500 Credential Provider


Gemalto provides an enhanced credential provider which can be used instead of the standard Microsoft one. For a description of the features brought by this optional credential provider, please refer to Chapter 6 - The Gemalto IDGo 500 Credential Provider. If you want to use this credential provider, you will need to install it as described in this chapter.

The IDGo 5000 Biometric Solution


In Windows 7 and later this application is one of the optional components that you can install. This is described in Installing the IDPrime .NET Additional Components for Windows 7 and later on page 9. For Windows XP this application has its own installation setup, which is described in the IDGo 5000 Bio Solution for Windows XP Administrator Guide.

The IDGo 500 Minidriver dll


In Windows 7 and later, the IDGo 500 minidriver can be installed automatically using Windows Update as described on page 3. However, it is also included as one of the additional components that can be installed, so you can install it yourself if you prefer as described in Installing the IDPrime .NET Additional Components for Windows 7 and later on page 9.


System Requirements
Software and Middleware Requirements
The use of the IDGo 500 credential provider requires the following:

- One of these versions of Windows:
    Windows 7 (32 and 64-bit platforms)
    Windows Server 2008 R2 (64-bit platforms)
    Windows 8 (32 and 64-bit platforms)
    Windows Server 2012 (64-bit platforms)
- .NET 3.5 Framework (already integrated in Windows 7 and later).

If you are going to use the IDGo 5000 Biometric Solution, there are additional requirements. Please refer to the IDGo 5000 Bio Solution for Windows 7 and 8 Administrator Guide for full details.

Hardware Requirements
The use of the IDGo 500 credential provider requires a standard PC/SC smart card reader for the IDPrime .NET smart card.

Compatible Smart Card Readers


The smart card reader may be integrated with the PC (or laptop) or it can be an external device that is connected via USB. The IDPrime .NET solution is compatible with any certified PC/SC Chip Card Interface Device (CCID), USB class or embedded smart card reader.

Installation
Installation Recommendations
Make sure you have the administrative rights to your PC in order to install the IDPrime .NET Solution.

Installing the Smart Card Reader


Gemalto recommends that you use the Gemalto IDBridge CT30 (ex-GemPC Twin) smart card reader as it does not have any particular installation requirements. When you plug in the reader, Windows Update downloads and installs the required driver. For other smart card readers, check the support web site of the card reader vendor for instructions on how to install it for Windows 7 and later.

Installing the IDPrime .NET Additional Components for Windows 7 and later
1 Click the following hyperlink to find the installation files: http://www.gemalto.com/products/dotnet_card/resources/libraries.html
2 Double-click the installation file according to your version of Windows 7 and later:
    Gemalto.IDPrime.NET.Solution_x86.msi (32-bit)
    Gemalto.IDPrime.NET.Solution_x64.msi (64-bit)



If you do not have one of the items listed in Software and Middleware Requirements on page 9 installed on the computer, a message appears telling you this.

3 When the Welcome dialog box appears, click Next to continue.
4 When the License Agreement dialog box appears, read and accept the terms and click Next to continue.

Note: You can print the License Agreement from this dialog box.

5 In Destination Folder, either choose a new location by clicking Change and navigating to a different location, or accept the default installation directory (recommended). Click Next.
6 In Setup Type, do one of the following:
    Choose Complete to install the IDGo 500 minidriver, the IDGo 500 credential provider and the IDGo 5000 Biometric Solution, then click Next. Go to step 11.
    Choose Custom to display the Custom Setup window as shown in Figure 10.

Figure 10 - Custom Setup Window

7 For each icon in the list, click the icon to display the installation options as shown in Figure 11, using the IDGo 500 Credential Provider as an example.



Figure 11 - Custom Setup Window - Options For Each Item

8 Either choose the first option, This feature will be installed on local hard drive, to install the component, or This feature will not be available if you don't want to install the item. If you do nothing, the component is installed by default.

Note: The other items in the menu are not applicable to this installation.

9 Optionally, you can perform the following operations:
    Find out if you have enough room on your local hard disk for the features you have chosen by clicking Space.
    Find out the installation status of the features by clicking Help. The icon for each feature reflects its installation status, and the Help window that opens describes the meaning of each icon.

Note: Do not use the Change button to modify the installation location. If you want to change the installation directory, click Back to return to the Destination Folder window.

10 When you have made your choice for each icon in the list, click Next.
11 When the Ready to Install the Program window appears, click Install. A progress bar displays during the installation.
12 If User Account Control is activated, a message may appear asking if you want to allow a program from an unknown publisher to make changes to the computer. Click Yes.
13 When the completed window appears, click Finish.
14 Reboot your computer if prompted. (Gemalto recommends that you reboot it anyway, as you will need to in order to use the IDPrime .NET solution.)

Note: If you did not install the IDGo 500 Minidriver as one of your options and your IDPrime .NET card has not yet been connected to the machine, you will also need to perform the next two steps.

15 Connect the smart card reader.
16 Insert your smart card. This installs the IDGo 500 Minidriver for you automatically via Windows Update.


17 The installation is complete.
Note: The IDGo 5000 Biometric solution needs the IDGo 500 credential provider (CP). If you choose to install the IDGo 5000 but not the IDGo 500 CP, the installer installs the CP for you anyway.

Modifying the IDPrime .NET Additional Components Installation


You can modify your choices of additional components after installation, for example to add a component that you left out the first time or to remove a component that you installed.
To modify the IDPrime .NET additional components installation:
1 Begin the installation wizard by doing one of the following:
- Double-click the executable file that matches your version of Windows 7 or later (either Gemalto.IDPrime.NET.Solution_x86.msi for 32-bit or Gemalto.IDPrime.NET.Solution_x64.msi for 64-bit).
- In the Control Panel, click Uninstall a Program, select IDPrime .NET Solution for 32 bits (or 64 bits) in the list and click Change (the Change button appears at the top of the screen when you select the entry).
2 If User Account Control is activated, a message may appear asking if you want to allow a program from an unknown publisher to make changes to the computer. Click Yes.
3 When the Welcome dialog box appears, click Next to continue.
4 In Program Maintenance, choose Modify. This displays the Custom Setup window.
5 For each icon in the list, click the icon to display the installation options as shown in Figure 11, using the IDGo 500 credential provider as an example.
Note: Choosing This feature will not be available for a component that is already installed uninstalls it.
6 Optionally, you can find out the installation status of the features by clicking Help. The icon for each feature reflects its installation status, and the Help window that opens describes the meaning of each icon.
7 When you have made your choice for each icon in the list, click Next.
8 When the Ready to Modify the Program window appears, click Install. A progress bar displays during the installation.
9 When the completed window appears, click Finish.
10 Reboot your computer if prompted.

Uninstallation
Normally you should not need to uninstall the IDPrime .NET Solution, as this happens automatically when you install a new version. However, if you need to uninstall it manually, the procedure is:
To remove IDPrime .NET from your computer:
1 In the Control Panel, click Uninstall a Program.
2 Select IDPrime .NET Solution for 32 bits (or 64 bits) in the list and click Uninstall (the Uninstall button appears at the top of the screen when you select the entry).
3 If a confirmation box appears, click Yes.
4 Depending on how Windows 7 or 8 is configured on the computer, if User Account Control is activated, a warning may appear asking if you want to allow access to an unidentified program. Choose Yes.
5 Again, if User Account Control is activated, a message may appear telling you to close certain applications. If it does, choose the Automatically close applications option and click OK.
6 A progress bar displays during the removal. When it closes, removal is complete and IDPrime .NET is removed from your computer.
7 If prompted, restart your computer.

User Certificate Enrollment


How you enroll a certificate depends on the enrollment method your organization uses; ask your administrator for instructions. Check that the certificate is correctly enrolled by performing a standard smart card logon.

Chapter 4 - PIN Use Cases

This chapter describes how to use the smart card PIN management tools to change and unblock the PIN according to the different versions of Windows. If you have Windows 7 or later and you installed the optional IDGo 500 credential provider, you can manage 6 user PINs (roles 1 and 3-7). Please refer to Chapter 6 - The Gemalto IDGo 500 Credential Provider for how to change and unblock the PINs using the IDGo 500 credential provider.

Changing the User PIN


The PIN is a set of characters that the user is asked to present whenever the card is used for a cryptographic operation (Windows logon, e-mail signature, e-mail encryption, VPN access, and so on). It is 4 to 255 characters long (4 by default) and must respect the rules defined by the Administrator in the PIN Policy. You can change a User PIN in an IDPrime .NET card in one of the following ways:

- Use Gemalto's .NET Utilities web page. For more information about .NET Utilities go to: http://www.netsolutions.gemalto.com/netutils/Default.aspx
- If your OS is Windows XP or Server 2003, use the Smart Card PIN Tool described in Windows XP and Server 2003.
- If your OS is Windows Vista or later, use the secure desktop as described in Windows Vista or later (without IDGo 500 Credential Provider) on page 15.
- If your OS is Windows 7 or Server 2008 R2 and you have the optional IDGo 500 credential provider, use the secure desktop as described in Changing a User PIN on page 39.
- Use Mozilla Firefox, as described in Firefox on page 17.

Windows XP and Server 2003


The Smart Card PIN Tool is included in the downloadable Smart Card Base CSP package (KB909520), available via Windows Update. It becomes available as soon as the Base CSP package is installed on the machine. The following procedure describes what to do, from the end-user's point of view.
To change the User PIN using the Smart Card PIN Tool:
1 From Start, choose Run and type PINTool.
2 When prompted, insert an IDPrime .NET card in the reader. The PIN tool appears, as shown in Figure 12.

Figure 12 - Smart Card PIN Tool (Change PIN Tab)

3 In the Change PIN tab, enter the current PIN value in Old PIN, then the new PIN value in New PIN and again in Confirm New PIN. (Do not copy and paste the new PIN value.)
4 Click Change PIN. A message displays to tell you if the change operation succeeded or not.
5 Click Close to close the Smart Card PIN Tool.
The IDPrime .NET smart card default PIN value is 0000.

Windows Vista or later (without IDGo 500 Credential Provider)


In these versions of Windows, users can change their smart card user PIN using the secure desktop. The secure desktop is the most trusted context in the operating system. Its most common use is the user logon to Windows, but it is also used for other secure operations with user credentials, such as password changes and now smart card PIN management. The screens shown in these examples are from Windows 7, but the process is the same for the other supported versions.

To change the User PIN using the secure desktop:
1 Press the Ctrl+Alt+Del keys to launch the secure desktop in Windows 7 (Figure 13).

Figure 13 - Windows 7 Secure Desktop

2 Select Change a Password.
3 Insert the smart card in the smart card reader attached to the machine and click Other Credentials.
4 In the credential provider, select the smart card user tile. This displays the PIN change window as shown in Figure 14.

Figure 14 - Windows 7 Smart Card Change PIN Window

5 Enter the old PIN, the new PIN and confirm the new PIN in the appropriate fields, then click the arrow. The IDPrime .NET smart card default PIN value is 0000.


Firefox
Note: You must have already installed IDGo 500 PKCS#11 on the computer. Please refer to the IDGo 500 PKCS#11 Library for Windows User Guide available at: http://www.gemalto.com/products/dotnet_card/resources/technical_doc.html.
To change a User PIN in an IDPrime .NET card using Mozilla Firefox:
1 Make sure your card/token is connected.
2 Open the Mozilla Firefox browser and from the Tools menu choose Options.
3 Click the Advanced icon, then the Encryption tab as shown in Figure 15.

Figure 15 - Mozilla Firefox Encryption Options Dialog

4 Click Security Devices to display the Device Manager window. This displays the modules currently available as shown in Figure 16.

Figure 16 - Device Manager

5 In Device Manager, select the card whose PIN you want to change, as shown in Figure 16.
6 Click Change Password. The window shown in Figure 17 appears.

Figure 17 - Change Master Password Window

7 In Current Password, enter the current PIN value.
8 In New Password and New Password (again), enter the new PIN value for the smart card.
9 Click OK.

Unblocking the User PIN


A smart card user can only attempt to present the PIN a limited number of times. If the user repeatedly presents a wrong PIN and reaches the maximum number of unsuccessful PIN attempts allowed, the card becomes blocked. The IDPrime .NET smart card default maximum number of unsuccessful PIN attempts is 5. Once the card is blocked it can no longer be used; the only way to restore it is the Unblock Card procedure. Caution: If the Admin Key (or Admin PIN) is blocked, you can never unblock the card, not even with the Unblock Card procedure. As the security of the card is built around the Admin Key, it is very important to change its value from the default one before the card is issued: anyone who knows the default key can compute unblock responses for the card.

The Unblock Card Procedure


The smart card unblock feature requires the use of an Admin Key that the regular end user should not have direct access to. The user will require support from a Security Officer, IT Administrator or Helpdesk Service to complete this operation. To protect the confidentiality of the Admin Key, the Unblock procedure does not require the end user to present the Admin Key directly. Instead, a challenge-response procedure is used as follows:
1 The user retrieves a Challenge from the card.
2 The user communicates the Challenge to the IT Admin / Helpdesk.
3 The IT Admin / Helpdesk combines the 16-digit Challenge (8 bytes) and the user's Admin Key (24 bytes) using the Triple DES algorithm to calculate the unique Response (8 bytes) to the challenge. The IDPrime .NET smart card default Admin Key value is 0000..0000 (24 bytes, 48 hexadecimal digits).
4 The IT Admin / Helpdesk communicates the Response to the end user.
5 The end user enters the Response value and defines a new value for the user PIN, which will be established once the Card Unblock procedure is completed.
6 The smart card confirms that the Response provided is correct by comparing the value entered by the user with the one generated within the card using the Challenge generated by the card and the Admin Key stored in the card. If both values match, the card is successfully unblocked, the new user PIN is established and the PIN attempt counter is reset.

It is important to note that, as with the Verify PIN procedure, the Unblock Card procedure is protected by a maximum number of unsuccessful unblock attempts. Once the maximum number of unsuccessful unblock attempts is reached, the card is permanently blocked, even to an administrator, and all data stored in the card becomes permanently inaccessible. For this reason it is important to perform the unblock procedure with great care. As with the Change PIN procedure, the process and tools used to unblock a smart card in Windows Vista and 7 are different from those in earlier operating systems.

Windows XP and Server 2003


In order to use the PIN Tool, the user must log in to a machine normally (that is, without using the smart card). The following procedure describes what to do, from the end-user's point of view.
To unblock the User PIN using the Smart Card PIN Tool:
1 From Start, choose Run and type PINTool.
2 When prompted, insert an IDPrime .NET card in the reader. The PIN tool appears.
3 Click the Unblock tab as shown in Figure 18.

Figure 18 - Smart Card PIN Tool (Unblock PIN Tab)

4 Click Unblock. The card generates the 16-digit challenge and displays it in Challenge.
5 Tell your IT Admin / Helpdesk the value of this challenge. They will give you a 16-digit (8 byte) response.
6 Enter this response in Response.
7 Enter the new PIN value in New PIN and again in Confirm New PIN. (Do not copy and paste the new PIN value.)
8 Click OK. A message displays to tell you if the unblock operation succeeded or not.
9 Click Close to close the Smart Card PIN Tool.

Windows Vista or later (without IDGo 500 Credential Provider)


As with the Change PIN functionality, Smart Card Unblock is integrated into the Windows Vista and 7 secure desktops. However, it is not configured by default and must be explicitly enabled via Group Policy (see Appendix A - Enabling Unblock Card in Windows Vista, 7 and 8 for details). When this feature is enabled, the user is presented with the Smart Card Unblock screen (Figure 19) when logon is attempted using a blocked smart card.

Figure 19 - Smart Card Unblock Screen (Windows 7)

To unblock the User PIN using the secure desktop:
1 The card generates the 16-digit challenge and displays it above the three empty fields as shown in Figure 19.
2 Tell your IT Admin / Helpdesk the value of this challenge. They will give you a 16-digit (8 byte) response.
3 Enter this response in the first field.
4 Enter the new PIN value in the second and third fields and click the arrow next to the third field. A message displays to tell you if the unblock operation succeeded or not.

Administrator Tools for Card Unblock


The Smart Card Unblock process requires the administrator to be able to calculate the response to a Challenge provided by the smart card of any end user that he/she is responsible for. This in turn means that the administrator must:
1 Know, or somehow have access to, the Admin Key values for all smart cards in use, and
2 Have access to a Triple DES tool to calculate the Response based on the Challenge and the Admin Key of a given user's smart card.

None of the Windows operating systems provide any means for administrators to handle the secure back-end storage of the users' smart card Admin Keys. Nor do they provide a back-end tool to calculate the response to a challenge.

These features are commonly provided by any commercial Base CSP compliant Card Management System (CMS), including Microsoft's Forefront Identity Manager (FIM) and its predecessor Identity Lifecycle Manager (ILM), or Gemalto's Device Administration Service (DAS). Test users of IDPrime .NET cards can find an Unblock Card tool in the Gemalto .NET Utilities portal. Please refer to How to Test and Manage IDPrime .NET Test Cards on page 33 for more information.
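The challenge-response exchange of the Unblock Card Procedure (steps 1 to 6) and the back-end Triple DES calculation that the administrator's tool or CMS must perform, worked through in Go as an added example. This is not code from the guide, from Windows or from any Gemalto product; Go is used because Triple DES ships in its standard library (crypto/des). The guide names only the algorithm, so the example assumes the Response is the single-block Triple DES (ECB, no padding) encryption of the 8-byte Challenge under the 24-byte Admin Key. It also assumes an unblock-attempt limit of 5 and that a successful unblock resets that limit, neither of which the guide states. The names Card, NewCard, ComputeResponse, GetChallenge, Unblock and the constants are illustrative. The helpdesk side and the card side are in one file so that the round trip, the PIN retry counter and the permanent block after too many bad responses can be exercised offline.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Defaults quoted by the guide: User PIN 0000, all-zero 24-byte Admin Key, 5 PIN
// attempts. The unblock-attempt limit is not on the page; 5 is an assumption.
const defaultPIN, maxPINAttempts, maxUnblockTries = "0000", 5, 5
var defaultAdminKey = make([]byte, 24) // 0000..0000, 48 hex digits

// ComputeResponse is the helpdesk/CMS side of step 3: Triple DES over the 8-byte
// challenge under the 24-byte Admin Key. The guide names only the algorithm;
// single-block ECB encryption with no padding is assumed here.
func ComputeResponse(adminKey, challenge []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(adminKey) // rejects keys that are not 24 bytes
	if err != nil || len(challenge) != des.BlockSize {
		return nil, errors.New("admin key must be 24 bytes and challenge 8 bytes")
	}
	resp := make([]byte, des.BlockSize)
	block.Encrypt(resp, challenge)
	return resp, nil
}

type Card struct {
	pin                            string
	adminKey, challenge            []byte // challenge is nil when none is outstanding
	pinTriesLeft, unblockTriesLeft int
	dead                           bool // unblock attempts exhausted: blocked for good
}

func NewCard() *Card {
	return &Card{pin: defaultPIN, adminKey: defaultAdminKey,
		pinTriesLeft: maxPINAttempts, unblockTriesLeft: maxUnblockTries}
}

func (c *Card) Blocked() bool { return c.dead || c.pinTriesLeft == 0 }

// VerifyPIN: a wrong PIN burns an attempt, a correct one resets the counter, and
// a blocked card rejects every PIN, even the right one.
func (c *Card) VerifyPIN(pin string) bool {
	if c.Blocked() {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.pinTriesLeft--
		return false
	}
	c.pinTriesLeft = maxPINAttempts
	return true
}

// GetChallenge is step 1: the card issues a fresh random 8-byte challenge.
func (c *Card) GetChallenge() ([]byte, error) {
	if c.dead {
		return nil, errors.New("card permanently blocked")
	}
	c.challenge = make([]byte, des.BlockSize)
	_, err := rand.Read(c.challenge)
	return c.challenge, err
}

// Unblock is step 6: the card recomputes the response with its own Admin Key. A
// wrong response burns an unblock attempt; the challenge is single use either way.
// Success installs the new PIN and resets both counters (unblock reset assumed).
func (c *Card) Unblock(response []byte, newPIN string) error {
	if c.dead || c.challenge == nil {
		return errors.New("card permanently blocked or no outstanding challenge")
	}
	expected, err := ComputeResponse(c.adminKey, c.challenge)
	c.challenge = nil
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(expected, response) != 1 {
		c.unblockTriesLeft--
		c.dead = c.unblockTriesLeft == 0
		return errors.New("wrong response")
	}
	if len(newPIN) < 4 || len(newPIN) > 255 {
		return errors.New("new PIN must be 4-255 characters")
	}
	c.pin, c.pinTriesLeft, c.unblockTriesLeft = newPIN, maxPINAttempts, maxUnblockTries
	return nil
}

func main() {
	card := NewCard()
	for i := 0; i < maxPINAttempts; i++ {
		card.VerifyPIN("9999") // the user mistypes until the card blocks
	}
	ch, _ := card.GetChallenge()                    // user, step 1
	resp, _ := ComputeResponse(defaultAdminKey, ch) // helpdesk, step 3
	fmt.Printf("blocked=%v challenge=%x response=%x\n", card.Blocked(), ch, resp)
	fmt.Println("unblock:", card.Unblock(resp, "4711"), "new PIN ok:", card.VerifyPIN("4711"))
}
```

Run it with go run; the challenge is different on every run. A quick sanity check for any third-party response calculator: with the default all-zero Admin Key and an all-zero challenge the three DES passes collapse to one, so the response must be the classic DES known answer 8CA64DE9C1B123A7. The same property is why a card left with the default Admin Key is not protected by the unblock procedure at all: anyone who knows the key can answer any challenge the card emits.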

Automated Card Unblock


The unblock card process, as described previously, forces the end user to interact with an administrator that verifies the end user's identity prior to providing the response code. It is perfectly possible, however, to automate the response calculation process in order to avoid involvement of the administrator. In this case, the identity check performed by the administrator could be replaced by an online identity questionnaire. This capability could be provided by or customized for any given Card Management System. This scenario is out of the scope of this document.

Chapter 5 - Other Use Cases

This chapter describes how to use the IDPrime .NET smart card for other tasks, such as signing e-mails and accessing secure web sites. If you have Windows 7 and you installed the optional IDGo 500 credential provider, logging on with an IDPrime .NET card is slightly different. Please refer to Chapter 6 - The Gemalto IDGo 500 Credential Provider for how to log on with an IDPrime .NET card using the IDGo 500 credential provider.

Logging on Using an IDPrime .NET Card


Logging on to Windows with a smart card/token is fast and easy.
To log on to Windows XP and Windows Server 2003 with a smart card/token:
1 Start Windows. A Welcome to Windows message box similar to the one in Figure 20 opens.

Figure 20 - Welcome to Windows Screen

2 Connect your smart card/token to open a Log On to Windows dialog box like the one shown in Figure 21.

Figure 21 - Windows Log On Dialog Box

3 Enter your PIN then click OK.

Note: If you are using the IDGo 5000 Biometric Solution, the window is almost the same but shows the .NET Bio logo.
Caution: If the Change PIN at First Use option is activated for your cards, you will have to change the PIN manually before you can use the card. To do this, you will need to log on first with a different card or log on normally without using a smart card at all.

To log on to Windows Vista or later (and Windows Server versions) with a smart card/token:
This procedure shows the standard case where the IDGo 500 credential provider for Windows 7 is not installed. In this case, setting single sign-on (SSO) has no effect, and you must enter the PIN whenever prompted. The screen shots were taken from Windows Vista, but the procedure is the same for the other supported versions.
1 Start Windows. The window shown in Figure 22 opens.

Figure 22 - First Windows Vista Screen

2 Press <CTRL> <ALT> <DEL>. The window that displays next can be one of the following cases:
- If an administrator or user icon displays, as shown in Figure 23, follow the steps that follow Figure 23.
- If all the user icons and the smart card icon display, as shown in Figure 24, follow the steps that follow Figure 24.
- If the smart card icon displays on its own with the text Insert a smart card, as shown in Figure 25, follow the steps that follow Figure 25.
- If the smart card icon displays on its own with the name of the card/token user underneath, as shown in Figure 26, follow the steps that follow Figure 26.

Figure 23 - Vista Logon Window

3 Click Switch User to display the window shown in Figure 24.

Figure 24 - Windows Vista Select User

4 Click the smart card icon.
- If the text underneath the smart card icon says Insert a smart card, the window in Figure 25 appears. Follow the steps that follow Figure 25.
- If the text underneath the smart card icon has the name of the card/token user, the window in Figure 26 appears. Follow the steps that follow Figure 26.

Figure 25 - Windows Vista Insert a Smart Card Window

5 Connect your smart card/token. If the card/token is valid, the window changes to display the name of the card/token user as shown in Figure 26.

Figure 26 - Windows Vista Smart Card User Displayed

6 Enter the PIN and click the arrow. If your PIN is correct, the Welcome message appears during logon and disappears when the logon is successful.

Note: You cannot use a PIN pad reader to enter the PIN for a smart card logon (even if the External PIN property has been set in the card). However, you can use a PIN pad reader to enter the PIN for other authentications, such as an SSL connection, digital signature, mail encryption and so on.
Caution: If the Change PIN at First Use option is activated for your cards, you will have to change the PIN manually before you can use the card. To do this, you will need to log on first with a different card or log on normally without using a smart card at all.

Encrypting and Signing E-mails


Digital signatures prove that you signed the contents of a document or message and that the contents have not been altered in transit; because only the holder of the private key on the card can produce the signature, this also gives non-repudiation. For additional privacy, you can also encrypt documents and messages. With S/MIME, the message contents are encrypted with a one-time symmetric key, and that key is in turn encrypted for the recipient's certificate (and for your own, so that you can read your sent copy), which is why both sender and recipient need a certificate. The procedure is the same for all the supported versions of Windows. Note: To perform these operations, the IDPrime .NET card must contain an encryption certificate and/or a signature certificate.

In Microsoft Outlook
You must first configure Outlook to encrypt and sign e-mail. You only need to do this once. Make sure your IDPrime .NET card is correctly inserted in the card reader and that the reader is connected to the computer.
To configure Microsoft Outlook to sign and encrypt e-mails:
1 In Outlook, click Options > Message Options and click Security Settings.
2 In the Security Properties dialog box that opens, check the box Encrypt message contents and attachments if you want to encrypt e-mails and Add digital signature to this message if you want to sign e-mails, as shown in Figure 27.

Figure 27 - Security Properties Dialog Box

3 If you have more than one digital certificate stored on the card, click Change Settings. This opens the Change Security Settings dialog box.

Figure 28 - Change Security Settings Dialog Box

4 Enter or choose the appropriate information in the entry fields:
- In Security Settings Name, enter a name for your settings.
- Make sure that S/MIME is selected in the Cryptography Format box.
- Click Choose beside Signing Certificate. In the Select Certificate window, select a certificate and click OK.
- Click Choose beside Encryption Certificate and do the same thing.
- Select the Hash Algorithm and Encryption Algorithm from the respective lists. Where your version of Outlook and your recipients support them, prefer a SHA-2 hash and AES; MD5, SHA-1 and RC2 are offered for compatibility only.
5 Click OK to close the Change Security Settings dialog box.

To encrypt and sign e-mails:
1 Click New to open the message editor and write your e-mail as normal.
2 If you want to encrypt the e-mail, click the Encrypt icon shown in Figure 29. If you want to sign the e-mail, click the Sign icon shown in Figure 30.

Figure 29 - Outlook 2007 Encryption Icon

Figure 30 - Outlook 2007 Signature Icon

3 In the message editor, click Send.
4 Enter your PIN when prompted. The message is placed in your Outbox or Sent folder.

Note: You only need to enter your PIN once during an Outlook session (if the card is in its default operating mode).

In Microsoft Live Mail


This is slightly different from Outlook. You can configure Live Mail so that by default it encrypts and/or signs all your e-mails, or just encrypt/sign each e-mail case by case. If you choose to configure the default options and your card has only one certificate, Live Mail uses that certificate for the encryption/signature. However, if there is more than one certificate on the card, you cannot choose a default certificate; instead Live Mail asks you to choose the certificate each time you encrypt/sign an e-mail. Make sure your IDPrime .NET card is correctly inserted in the card reader and that the reader is connected to the computer.
To configure Microsoft Live Mail to sign and encrypt all e-mails by default:
1 In Live Mail, from the Tools menu, choose Safety Options.
2 In the Safety Options dialog box that opens, check the box Encrypt message contents and attachment if you want to encrypt all your e-mails by default and Add digital signature to this message if you want to sign all e-mails by default.

In Mozilla Thunderbird
Note: You must have already installed IDGo 500 PKCS#11 on the computer.
1 Make sure your IDPrime .NET card is correctly inserted in the card reader and that the reader is connected to the computer.
2 First configure Thunderbird to encrypt e-mail. In Thunderbird, click the Write icon as shown in Figure 31.

Figure 31 - Thunderbird Write Icon

This opens the Compose window.
3 In the Compose window's Options menu, choose Security > Encrypt this Message as shown in Figure 32.

Figure 32 - Thunderbird Encrypt This Message

As the certificates in the card/token are not yet set up, a message appears asking you to set them up.
4 Click Yes. This opens the Account Settings window for your e-mail account as shown in Figure 33.

Figure 33 - Thunderbird Account Settings

5 In Digital Signing, click Select and choose the certificate you want to use from the list that appears. The following message appears:

Figure 34 - Thunderbird Use Same Certificate Message

6 If you want to use the same certificate to encrypt and decrypt messages, click OK. This selects the certificate for you in the Encryption panel as shown in Figure 35. Otherwise click Cancel.

Figure 35 - Thunderbird Account Settings (2)

7 If you want all of your e-mails to be digitally signed by default, check the box Digitally sign messages (by default).
8 In Encryption, if you chose not to use the same certificate as the one used for digital signing, click Select and choose the certificate from the list that appears. A message similar to the one in Figure 34 appears, but this time asking if you want to use the Encryption certificate for digital signing. This is just in case you select your encryption certificate before you select your digital signature certificate.
9 In Default encryption setting when sending messages, choose one of the option buttons Never or Required.
10 Click OK to close the Account Settings window.
Note: If you want to modify the account settings at any point, open the Account Settings window from the Tools menu by choosing Account Settings. This can be done either from the Compose window or directly in Thunderbird.


Encrypting and Signing Other Information


Besides e-mails, IDPrime .NET cards can be used by many applications that run on the Windows desktop, including those in Microsoft Office. The example that follows shows you how to sign a Microsoft PowerPoint 2007 presentation. You can also use the card with EFS for file and folder encryption and, if you have Windows 7 Ultimate, with BitLocker To Go to encrypt an entire drive or USB key. It can also be used with VPN clients for secure remote authentication.
To sign a Microsoft PowerPoint 2007 presentation:
1 From inside the PowerPoint presentation, click the Microsoft Office button at the top left of the slide and choose Prepare, then Add a Digital Signature. The following window appears:

Figure 36 - PowerPoint Signature Window

2 Click OK. The Sign window appears as shown:

Figure 37 - The Sign Window

3 In Purpose for signing this document, enter some descriptive text, then click Sign.
4 When the Insert Smart Card dialog box appears, insert the IDPrime .NET smart card and click OK.
5 When the Smart Card PIN dialog box appears, enter the User PIN and click OK.
6 When the Signature Confirmation dialog box appears, click OK.

To check the signature details:
1 After a PowerPoint presentation is signed, a panel called Signatures appears on the right inside PowerPoint. The authors of new signatures are added to the Valid Signatures list.
2 Select the signature whose details you want to check and, in the drop-down list for that signature, choose Signature Details as shown:

Figure 38 - Choosing the Signature Details in PowerPoint

The Signature Details dialog box appears.
3 Click View to see the details of the certificate used for the signature.

SSL Authentication to Secure Web Sites


You can use IDPrime .NET smart cards to authenticate yourself to a secure web site (SSL/TLS client certificate authentication). To do this with Mozilla Firefox, you need to have Gemalto's IDGo 500 PKCS#11 Library for Smart Cards installed on the computer. For information on how to install the IDGo 500 PKCS#11 Library and how to access secure web sites with an IDPrime .NET card in Mozilla Firefox, please refer to the IDGo 500 PKCS#11 Library for Windows User Guide available at: http://www.gemalto.com/products/dotnet_card/resources/technical_doc.html. For browsers that do not need the IDGo 500 PKCS#11 Library (using Internet Explorer as an example), the procedure to access secure web sites with an IDPrime .NET card is as follows:
To perform SSL authentication:
1 Launch Internet Explorer.
2 Go to your SSL web site.
3 If several certificates are present in your smart card, Internet Explorer asks you to select one. Select your certificate and click OK.
4 Authenticate yourself by entering the IDPrime .NET card's User PIN and click OK.

How to Test and Manage IDPrime .NET Test Cards


.NET Utilities is a portal offering a set of web based tools that enable, among others, the following operations:
- PIN Management: Change PIN, Unblock PIN
- Certificate Management: View on-card certificates, Reset Card, Import P12 Certificates
- Card Management: Get Card Characteristics, Check active on-card services
All these services are freely available and fully functional on IDPrime .NET cards. The only restriction is that the card Admin Key must not have been changed from its default value. The IDPrime .NET smart card default Admin Key value is 0000..0000 (24 bytes, 48 hexadecimal digits). Because the portal works only with the default Admin Key, any card it can manage can also be unblocked or reset by anyone else who has the card in hand, so use it for test cards only and change the Admin Key before a card goes into production. To use Gemalto's .NET Utilities click http://www.netsolutions.gemalto.com/netutils/Default.aspx. The web site appears as shown:

Figure 39 - Gemalto's .NET Utilities Web Site

Chapter 6 - The Gemalto IDGo 500 Credential Provider
This optional credential provider (CP) has been developed as a wrapper around the IDGo 500 minidriver in order to provide a GUI that enables you to use the new features described in the next section. Note: The CP is available for Windows 7 and 8 only (and their corresponding Windows Server versions). The examples shown are for Windows 7.

IDGo 500 Credential Provider Features


The additional features provided by Gemaltos IDGo 500 credential provider are as follows:

Multiple PIN Policy Support


IDPrime .NET cards support up to 7 PIN roles (the Admin Key role and 6 user PIN roles) defined in the Microsoft Minidriver specifications. The 6 user PIN roles each have their own PIN with their own PIN Policy. The 6 user PIN roles are:
- User PIN (PIN#1)
- PIN#3
- PIN#4
- PIN#5
- PIN#6
- PIN#7

Note: The Admin Key role (PIN#2) is not associated with a PIN Policy. The Gemalto CP enables you to log on to the computer using one of these roles and to change and unblock any of the 6 user PIN roles. Each certificate file in the card can be associated with a private key stored in a key container (for example a signature key or an encryption key). Each key container can be protected by one of the user PINs. In the example below, certificate file #1 is associated with the private key in container #1; you need to present User PIN #1 to use the private key in container #1. Similarly, certificate file #N is associated with the private key in container #15; you need to present PIN #3 to use the private key in container #15.


Figure 40 - Relationship Between PIN Roles, Keys and Files (Certificates)
[Diagram: the PIN roles User PIN #1 and PIN #3 to PIN #7 each protect one or more of Key Container #1 to Key Container #15, and each key container is associated with one of Certificate File #1 to Certificate File #N.]

Change PIN at First Use


If this option is activated for your cards, the IDGo 500 credential provider detects this the first time you try to use your IDPrime .NET card (as described in Logging on Using an IDPrime .NET Card on page 36). It forces you to change the PIN as shown in Figure 41.

Figure 41 - Change PIN at First Use Window

In the PIN field, enter the default PIN (0000), then enter the PIN value you want in the New PIN and New PIN Confirmation fields. Then click OK.


Note: There is a bug in the Base CSP that causes this window to display imperfectly (typically the OK and Cancel buttons do not appear). If this happens, press Enter or Escape to redisplay the window correctly.
Note: If you do not have the IDGo 500 CP, or you are using Windows XP or Vista, this window does not appear. You will have to change the PIN manually before you can use the card. To do this, you will need to log on first with a different card or log on normally without using a smart card at all.

Single Sign-On
The single sign-on (SSO) feature is activated (or not) by setting the SSO parameter in the PIN policy of the card. If it is activated, the user needs to present the User PIN only once during a session, as long as the IDPrime .NET card is not removed and the smart card is not reset. While SSO is active, applications in that session can use the keys protected by that PIN without a further PIN prompt, so weigh this convenience against how much you trust the workstation before enabling it.

User Tasks
This section shows you how to log on to the computer, change and unblock PINs using the IDGo 500 credential provider.

Logging on Using an IDPrime .NET Card


1 Start Windows. The window shown in Figure 42 opens.

Figure 42 - Windows 7 - Ctrl Alt Del Prompt

2 Press <CTRL> <ALT> <DEL>. The window that displays next can be one of the following cases:
- If an administrator or user icon displays, as shown in Figure 43, follow the steps that follow Figure 43.
- If all the user icons and the smart card icon display, as shown in Figure 44, follow the steps that follow Figure 44.
- If the smart card icon displays on its own with the text Insert a smart card, as shown in Figure 45, follow the steps that follow Figure 45.
- If the smart card icon displays on its own with the name of the card/token user underneath, as shown in Figure 46, follow the steps that follow Figure 46.

Figure 43 - Windows 7 Password Logon

3 Click Switch User to display the window shown in Figure 44.

Figure 44 - Windows 7 Select User

In the example in Figure 44, there are two certificates in the card, each indicated by a smart card icon. With the IDGo 500 credential provider's multiple PIN policy feature, it is possible to protect each certificate by a different private key, and protect each private key by a different user PIN.

4 Click the smart card icon that corresponds to the certificate you want to use. If the text underneath the smart card icon says Insert a smart card, the window in Figure 45 appears. Follow the steps that follow Figure 45. If the text underneath the smart card icon has the name of the card/token user, the window in Figure 46 appears. Follow the steps that follow Figure 46.

Figure 45 - Windows 7 Insert a Smart Card Window

5 Connect your smart card/token. If the card/token is valid, the window changes to display the name of the card/token user as shown in Figure 46.

Figure 46 - Windows 7 Smart Card User Displayed

6 Enter the PIN and click the arrow. If your PIN is correct, the Welcome message appears. Click OK to remove this message.

Note: You cannot use a PIN pad reader to enter the PIN for a smart card logon (even if the External PIN property has been set in the card). This is a limitation of the Windows Base CSP layer. However, you can use a PIN pad reader to enter the PIN for other authentications, such as an SSL connection, digital signature, mail encryption and so on.

Changing a User PIN


If you have the IDGo 500 credential provider, you can change any of the PINs that are associated with the 6 user PIN roles.

Note: The Change PIN operation can take several seconds if the PIN policy is complex. This is due to the verification of the new PIN value. As the hourglass does not display, it may appear that the screen is frozen or the PIN entry has been ignored. Please allow a few seconds for the operation to take place.

To change the User PIN using the IDGo 500 Credential Provider:

1 Press the Ctrl+Alt+Del keys to launch the secure desktop in Windows 7 (Figure 47).

Figure 47 - Windows 7 Secure Desktop

2 Select Change a Password. This displays the window in Figure 48.

Figure 48 - Windows 7 Secure Desktop - Standard Password Prompt

3 Insert the smart card in the smart card reader attached to the machine and click Other Credentials. This displays the standard Windows credential provider, as shown in Figure 49.

Figure 49 - Standard Windows 7 Credential Provider

4 In the credential provider, select the smart card user tile. This displays the PIN change window as shown in Figure 50.

Figure 50 - Windows 7 Gemalto Smart Card Credential - Change PIN Window

5 Select the role whose PIN value you want to change, and check the Change PIN box. The fields change as shown in Figure 51.

Note: The role drop-down list appears only if the Activate PIN list key has been set in the registry. For details on setting this bit, please refer to Appendix B - Activating the IDGo 500 Credential Provider PIN List.

Figure 51 - Windows 7 - Change PIN for a Role.

6 Enter the old PIN, the new PIN and confirm the new PIN in the appropriate fields, then click the arrow. The IDPrime .NET smart card default value for all PINs is 0000.

A message displays to tell you if the change operation succeeds or not.

Unblocking a User PIN


If you have the IDGo 500 credential provider, you can unblock any of the PINs that are associated with the 6 user PIN roles.

Note: The Unblock PIN operation can take several seconds if the PIN policy is complex. This is due to the verification of the new PIN value. As the hourglass does not display, it may appear that the screen is frozen or the PIN entry has been ignored. Please allow a few seconds for the operation to take place.

To unblock the User PIN using the IDGo 500 Credential Provider:

1 Follow steps 1 - 4 in To change the User PIN using the IDGo 500 Credential Provider: on page 39, so you arrive at Figure 50 on page 40.

2 Select the role whose PIN value you want to unblock, and check the Unblock PIN box. The fields change as shown in Figure 51.

Note: The role drop-down list appears only if the Activate PIN list key has been set in the registry. For details on setting this bit, please refer to Appendix B - Activating the IDGo 500 Credential Provider PIN List.

Figure 52 - Windows 7 - Unblock PIN for a Role.

The card generates the 16-digit challenge and displays it above the three empty fields as shown in Figure 52.

3 Tell your IT Admin / Helpdesk the value of this challenge. They will give you a 16-digit (8 byte) response. Enter this response in the first field.

4 Enter the new PIN value in the second and third fields and click the arrow next to the third field.

5 A message displays to tell you if the unblock operation succeeds or not.

Appendix A - Enabling Unblock Card in Windows Vista, 7 and 8

The Unblock Card feature in the secure desktop user interface is not enabled by default in Windows Vista, 7 and 8. It can be enabled by an administrator modifying the Group Policy. If you want to enable the Unblock Card feature for all the machines in the domain, use the Microsoft Management Console (MMC). If you want to modify the local computer only, use the group policy editor gpedit.msc.

To integrate the Smart Card Unblock for the domain using MMC:

For this procedure, you must be logged on to a Domain Controller as a Domain Administrator.

1 From the Start menu, type MMC in the Search box and then press Enter. If prompted to run Command Prompt as an administrator, click Allow. This opens the Microsoft Management Console window. In Windows 7, the following window appears:

Figure 53 - MMC in Programs Window

Click MMC to open the Microsoft Management Console window.

2 If User Access Control is activated, a warning appears asking if you want to allow the following program to make changes to your computer. Click Yes.

3 In the Console1 window, from the File menu, select Add/Remove Snap-in.

4 In the Add or Remove Snap-ins dialog box, select Group Policy Object Editor in the Available Snap-ins pane on the left side, and then click Add.

Figure 54 - Add or Remove Snap-Ins dialog box

This starts the Group Policy Wizard, shown in the following figure:

Figure 55 - Select Group Policy Object dialog box

5 Click Browse and select Default Domain Policy in the Group Policy Object control (Figure 56). Click OK, then Finish to close the Select Group Policy Object dialog box.

Figure 56 - Browse for a Group Policy Object dialog box

6 Click OK in the Add or Remove Snap-ins dialog box to close it.

7 Back in the Console1 window, click on the Local Computer Policy node in the left side pane, then click on Computer Configuration > Administrative Templates > Windows Components, and finally double-click Smart Card.

8 Double-click Allow Integrated Unblock screen to be displayed at time of logon in the center pane, as shown in Figure 57.

Figure 57 - Local Computer Policy Objects for Smart Cards

9 In the Setting tab, choose Enabled and click OK (Figure 58).

Figure 58 - Allow Integrated Unblock screen to be displayed

At this point, we can also define a custom message to be displayed when the Smart Card is blocked. The main use of this message is to provide a phone number for users to call to obtain the response to the challenge to unblock the card. You can see an example of such a message in the Unblock card secure desktop interface in Figure 19 on page 21.

To integrate the Smart Card Unblock for the local computer using the group policy editor gpedit.msc:

For this procedure, you must be logged on to the local computer as the Administrator.

1 From the Start menu, type gpedit.msc in the Search box and then press Enter. This opens the Local Computer Policy.

2 Click on the Local Computer Policy node in the left side pane, then click on Computer Configuration > Administrative Templates > Windows Components, and finally double-click Smart Card. Follow the same instructions as in the previous section from step 8 on page 45.

To include a custom message in the Smart Card Unblock Screen:

1 Back in the Console1 window, still with Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Smart Card selected in the left pane (as in Figure 57 on page 45), double-click Display string when smart card is blocked in the right pane.

2 In the Setting tab, choose Enabled, type the string to be displayed on the Unblock screen in Display string when smart card is blocked, and then click OK (Figure 59).

Figure 59 - Display string when smart card is blocked dialog box
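As an added example that is not part of the Gemalto guide, the following PowerShell performs the same two policy changes with the GroupPolicy module (RSAT) instead of the MMC snap-in, and reads them back for verification. The registry location HKLM\Software\Policies\Microsoft\Windows\SmartCardCredentialProvider and the value names AllowIntegratedUnblock and IntegratedUnblockPromptString are assumed from Microsoft's policy definitions, not from this guide; the helpdesk message text and the function names are placeholders of mine.

```powershell
# Added example (not from the Gemalto guide): configure the two "Smart Card" policies
# from Appendix A in a GPO with the GroupPolicy module. Run as a Domain Administrator.
# Assumption (Microsoft policy definitions, not this guide): the Smart Card
# administrative-template policies are stored under this registry key.
$policyKey = 'HKLM\Software\Policies\Microsoft\Windows\SmartCardCredentialProvider'
# Placeholder text; replace with the real helpdesk number before deploying.
$blockedMessage = 'Your smart card is blocked. Call the IT helpdesk at <PLACEHOLDER NUMBER> and read out the challenge shown below.'

function Enable-SmartCardIntegratedUnblock {
    param(
        [string]$GpoName = 'Default Domain Policy',   # the GPO selected in Figure 56
        [string]$Message = $blockedMessage
    )
    Import-Module GroupPolicy
    # "Allow Integrated Unblock screen to be displayed at time of logon" -> Enabled
    Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'AllowIntegratedUnblock' `
        -Type DWord -Value 1 | Out-Null
    # "Display string when smart card is blocked" -> Enabled, with the helpdesk text
    Set-GPRegistryValue -Name $GpoName -Key $policyKey -ValueName 'IntegratedUnblockPromptString' `
        -Type String -Value $Message | Out-Null
}

function Test-SmartCardIntegratedUnblock {
    # Reads the GPO back so the change can be checked before clients refresh policy
    param([string]$GpoName = 'Default Domain Policy')
    Import-Module GroupPolicy
    $settings = Get-GPRegistryValue -Name $GpoName -Key $policyKey -ErrorAction SilentlyContinue
    $allow = ($settings | Where-Object { $_.ValueName -eq 'AllowIntegratedUnblock' }).Value
    $text  = ($settings | Where-Object { $_.ValueName -eq 'IntegratedUnblockPromptString' }).Value
    [pscustomobject]@{
        GPO                      = $GpoName
        IntegratedUnblockEnabled = ($allow -eq 1)
        BlockedMessage           = $text
    }
}

# Local-computer counterpart of the gpedit.msc procedure: write the same values directly.
# Note: this sets the effective policy, but gpedit.msc will not show it as "Enabled".
function Enable-SmartCardIntegratedUnblockLocal {
    param([string]$Message = $blockedMessage)
    $local = "HKLM:\$($policyKey.Substring(5))"     # HKLM\... -> HKLM:\...
    New-Item -Path $local -Force | Out-Null
    New-ItemProperty -Path $local -Name 'AllowIntegratedUnblock' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $local -Name 'IntegratedUnblockPromptString' -PropertyType String -Value $Message -Force | Out-Null
}
```

Clients pick up the domain change at the next policy refresh (gpupdate /force on a test machine lets you confirm the Unblock screen and message before a wide rollout).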

Appendix B - Activating the IDGo 500 Credential Provider PIN List

As mentioned in Chapter 6 - The Gemalto IDGo 500 Credential Provider, the IDGo 500 credential provider displays the drop-down list of PINs only if this list is activated in the registry. This appendix tells you which registry key to set.

Note: The default value in all cases is Mode=dword:00000000.

For 32-bit versions of Windows 7 and 8:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6012D512-EEBB-41E2-8842-28611CD7FE9E}]
Mode=dword:00000000

Type: REG_DWORD
Value: 00000000: PIN list is not activated
       00000004: PIN list is activated

For 64-bit versions of Windows 7 and 8, you need to set both of the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6012D512-EEBB-41E2-8842-28611CD7FE9E}]
Mode=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6012D512-EEBB-41E2-8842-28611CD7FE9E}]
Mode=dword:00000000

Type: REG_DWORD
Value: 00000000: PIN list is not activated
       00000004: PIN list is activated
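The following PowerShell is added here and is not taken from the guide: it reports the current Mode value on the key (32-bit) or both keys (64-bit) listed above and can set it to 4 or back to the default 0. The key paths and the CLSID are the ones given in this appendix; the function names are mine, and the script must run from an elevated prompt.

```powershell
# Added example (not from the Gemalto guide): audit or set the IDGo 500 credential
# provider "Mode" value that activates the PIN role drop-down list. Run elevated.
$cpGuid = '{6012D512-EEBB-41E2-8842-28611CD7FE9E}'   # CLSID given in Appendix B
$cpKeys = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$cpGuid")
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit Windows: the guide requires the Wow6432Node copy to be set as well
    $cpKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$cpGuid"
}

function Get-IdGo500PinListState {
    # Returns one object per applicable key with the current Mode value and its meaning
    foreach ($key in $cpKeys) {
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Key = $key; Mode = $null; State = 'key missing (IDGo 500 CP not installed?)' }
            continue
        }
        $mode = (Get-ItemProperty -LiteralPath $key).Mode
        $state = if ($null -eq $mode) { 'Mode absent, default 0: PIN list not activated' } `
                 elseif ($mode -eq 4) { 'PIN list activated' } `
                 elseif ($mode -eq 0) { 'PIN list not activated' } `
                 else { "unexpected value $mode" }
        [pscustomobject]@{ Key = $key; Mode = $mode; State = $state }
    }
}

function Set-IdGo500PinList {
    # -Activate writes Mode=4 to every applicable key; without it the default 0 is restored
    param([switch]$Activate)
    $value = if ($Activate) { 4 } else { 0 }
    foreach ($key in $cpKeys) {
        if (-not (Test-Path -LiteralPath $key)) { Write-Warning "Skipping missing key $key"; continue }
        New-ItemProperty -LiteralPath $key -Name Mode -PropertyType DWord -Value $value -Force | Out-Null
    }
    Get-IdGo500PinListState   # show the result after writing
}

Get-IdGo500PinListState | Format-Table -AutoSize
```

The drop-down list only appears on the secure desktop after the credential provider is reloaded, so log off or lock the session after changing the value.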

Terminology

Abbreviations
API - Application Programming Interface
CAPI - Cryptographic Application Programming Interface
CCID - Chip Card Interface Device
CMS - Card Management System
CNG - Crypto API Next Generation
CP - Credential Provider
CSP - Cryptographic Service Provider
FIM - Forefront Identity Manager
GUI - Graphical User Interface
ILM - Identity Lifecycle Manager
KSP - Key Storage Provider
MU - Microsoft Update
OS - Operating System
PC/SC - Personal Computer/Smart Card
PIN - Personal Identification Number
PKI - Public Key Infrastructure
SSO - Single Sign-on

Glossary

.NET Utilities - A series of utilities developed by Gemalto to provide operations for IDPrime .NET smart cards. They include changing and unblocking a PIN and managing certificates.

Admin Key - A 3DES key used by the administrator to calculate the response to a challenge when unblocking the card.

Base CSP - Microsoft's default software library that implements the Cryptographic Application Programming Interface (CAPI).

Certificate - A certificate provides identification for secure transactions. It consists of a public key and other data, all of which have been digitally signed by a CA. It is a condition of access to secure e-mail or to secure Web sites.

Certificate Authority - An entity with the authority and methods to certify the identity of one or more parties in an exchange (an essential function in public key crypto systems).

Cryptography - The science of transforming confidential information to make it unreadable to unauthorized parties.

Digital Signature - A data string produced using a Public Key Crypto system to prove the identity of the sender and the integrity of the message.

Encryption - A cryptographic procedure whereby a legible message is encrypted and made illegible to all but the holder of the appropriate cryptographic key.

Key - A value that is used with a cryptographic algorithm to encrypt, decrypt, or sign data. Secret key crypto systems use only one secret key. Public key crypto systems use a public key to encrypt data and a private key to decrypt data.

Key Length - The number of bits forming a key. The longer the key, the more secure the encryption. Government regulations limit the length of cryptographic keys.

Microsoft Update Catalog - Microsoft web site where you can download the IDGo 500 minidriver dll.

PKCS#11 - Standard and open software library specified by RSA Laboratories and implementing smart card cryptographic functions. Refer to http://www.rsa.com/rsalabs/node.asp?id=2133

Public Key Crypto system - A cryptographic system that uses two different keys (public and private) for encrypting data. The most well-known public key algorithm is RSA.

Single Sign-on (SSO) - A mechanism provided with the IDGo 500 credential provider, where the user needs to present the User PIN once only during a session, as long as the IDPrime .NET card is not removed. If the standard Microsoft credential provider is used, activating the SSO mechanism has no effect and the user PIN may need to be presented more than once during a session.

References

Standards and Specifications

Microsoft Base CSP / Minidriver specifications: http://www.microsoft.com/whdc/device/input/smartcard/sc-minidriver.mspx

Microsoft Update site: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto%20minidriver%20net

PKCS#11 site: http://www.rsa.com/rsalabs/node.asp?id=2133

Recommended Reading

Enterprise Smart Card Deployment in the Microsoft Windows Smart Card Framework - Derek Adam, Microsoft, June '06

For further reading about Gemalto .NET Cards, please go to the Gemalto product catalog at http://www.gemalto.com/products/dotnet_card/
