
Technical notes for HIGHSEC eID App Middleware

Version 2.1, February 2014.

Contents

1 Technical Notes
1.1 All Operating Systems
1.1.1 Slowing down of the cards while pairing
1.1.2 Load PKCS#11 into PGP Desktop
1.1.3 Web Browser Plugins detection for eID
1.1.3.1 Internet Explorer
1.1.3.2 Mozilla Firefox
1.1.4 Detect PKCS#11 library in client applications
1.1.4.1 Internet Explorer
1.1.4.2 Mozilla Firefox
1.1.4.3 Mozilla Thunderbird
1.1.5 PGP Desktop key generation
1.1.6 Online authentication using Internet Explorer
1.1.7 File decryption using Adobe Acrobat
1.1.8 Admin application and PGP Desktop
1.1.9 Windows logon and PGP desktop
1.1.10 Firefox/Thunderbird extensions for (new) users
1.1.11 Windows logoff/shutdown and user certificates
1.2 Windows XP SP3 x32
1.2.1 Word 2003 issue
1.2.2 Internet Explorer 7
1.2.3 Internet Explorer 8
1.2.4 Mozilla Thunderbird
1.3 Windows 7 and Windows Vista
1.3.1 Office 2010
1.3.2 Windows Live 2011
1.3.3 Mozilla Thunderbird
1.3.4 CAN/PIN Dialog focus issue


1 Technical Notes

1.1 All Operating Systems

Install the latest updates and service packs for your operating system.

1.1.1 Slowing down of the cards while pairing

If several different cards are already paired on one computer, each further pairing becomes progressively slower. Solution: in HSMW-GUI find the option “delete all current pairings” and delete them all.

1.1.2 Load PKCS#11 into PGP Desktop

To use HSMW in PGP Desktop, load the PKCS#11 module first.

1. Install eID App Middleware.

2. Open PGP Desktop.

3. Select the Tools > PGP Options menu.

4. Select the Keys tab and change the “synchronize with smart cards and tokens” option to Other, then choose your PKCS#11 module. You will find it in the HSMW installation folder as hsmwp11_x86.dll.

5. Press OK and return to PGP Desktop root window.

6. Press Tools > Options > Keys.

7. Wait until the PGP Desktop Import Certificate Assistant is shown.

8. Press Cancel.

9. Restart PGP Desktop.

10. You have succeeded if a new keyring called Smart Card Keys is now displayed in PGP Desktop alongside the existing ones (e.g. All Keys, My Private Keys).

1.1.3 Web Browser Plugins detection for eID

1.1.3.1 Internet Explorer


Picture 1: Click on Manage add-ons

In Manage add-ons dialog change Show option to All add-ons.


Picture 3: Installed eID App plugin

1.1.3.2 Mozilla Firefox

Start Firefox and open Add-ons Manager.

Picture 4: Open Firefox menu and click on Add-ons

In Add-ons Manager click on Plugins and find HIGHSEC eID App Plugin.

Picture 5: HIGHSEC eID App plugin in Firefox

1.1.4 Detect PKCS#11 library in client applications

1.1.4.1 Internet Explorer


1.1.4.2 Mozilla Firefox

Start Mozilla Firefox and open the Options menu.

Picture 6: Options in Mozilla Firefox

In the Options window click on the Advanced tab, then on the Encryption tab inside it, and then on the Security Devices button below.


Picture 7: Encryption tab in Advanced options

The Device Manager will then be shown. On the left side of the window the Security Modules and Devices are listed. HIGHSEC eID App PKCS#11 Module will be in this list.


Picture 8: HIGHSEC eID App PKCS#11 Module

1.1.4.3 Mozilla Thunderbird

Click on Tools > Options > Advanced > Certificates and then on the Security Devices button.


The Device Manager will then be shown. On the left side of the window the Security Modules and Devices are listed. HIGHSEC eID App PKCS#11 Module will be in this list.

Picture 10: Device Manager window

1.1.5 PGP Desktop key generation

PGP Desktop cannot be used to generate a key pair on the smart card, because it tries to create a key pair for encryption and digital signing, which the smart card does not allow.

1.1.6 Online authentication using Internet Explorer

In order to access web sites with online authentication using Internet Explorer, the user has to add the web site to the trusted sites list in Internet Explorer.

When Internet Explorer is started, select Tools > Security, then select Trusted Sites and click the Sites button.


Picture 11: Security tab in Internet Options window

A new dialog will open. Enter the name of the site (e.g. https://www.eidusecase.com) and click Add. The name of the website will appear in the Websites section of the Trusted sites dialog.

Picture 12: Trusted sites window
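The same Trusted Sites entry can be written and, more usefully for an administrator, audited from PowerShell. This is an added example, not part of the HIGHSEC notes; it assumes the per-user ZoneMap registry layout (Domains\<domain>\<host>, a value named after the scheme whose DWORD data is the zone number, 2 = Trusted sites) and uses the page's https://www.eidusecase.com as the sample host.

```powershell
# Added example (not from the HIGHSEC notes): manage and audit the Internet Explorer
# Trusted Sites zone through the per-user ZoneMap keys. Assumed layout:
#   HKCU\...\ZoneMap\Domains\<registrable domain>\<host>  value "<scheme>" = <zone id>
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone = 2   # zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted

function Add-TrustedSite {
    param(
        [Parameter(Mandatory)] [string] $Hostname,          # e.g. www.eidusecase.com
        [ValidateSet('http', 'https')] [string] $Scheme = 'https'
    )
    # IE keys the entry as Domains\<registrable domain>\<host labels>, so split the name.
    $labels = $Hostname.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$Hostname'" }
    $path = Join-Path $ZoneMap ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) { $path = Join-Path $path ($labels[0..($labels.Count - 3)] -join '.') }
    New-Item -Path $path -Force | Out-Null
    # The value is named after the scheme and holds the zone number as a DWORD.
    New-ItemProperty -Path $path -Name $Scheme -PropertyType DWord -Value $TrustedZone -Force | Out-Null
    return $path
}

function Get-TrustedSites {
    # Walk every domain/host key and report entries mapped to the Trusted zone, so that
    # unexpected additions (that zone relaxes several browser restrictions) become visible.
    Get-ChildItem -Path $ZoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($name -in @('http', 'https', '*') -and $key.GetValue($name) -eq $TrustedZone) {
                # Rebuild "host.domain" from the tail of the key path.
                $rel = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8).Split('\')
                [pscustomobject]@{
                    Site   = if ($rel.Count -gt 1) { "$($rel[1]).$($rel[0])" } else { $rel[0] }
                    Scheme = $name
                }
            }
        }
    }
}

Add-TrustedSite -Hostname 'www.eidusecase.com' -Scheme https | Out-Null
Get-TrustedSites | Format-Table -AutoSize
```

Run Get-TrustedSites on its own periodically: any site in the Trusted zone that nobody added deliberately deserves a closer look.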


1.1.7 File decryption using Adobe Acrobat

If the user tries to open a PDF document encrypted by Adobe Acrobat, Adobe Acrobat will ask the user to enter the smart card PIN twice.

1.1.8 Admin application and PGP Desktop

PGP Desktop services cause problems with exclusive smart card access, which the eID App Administration application requires for some operations. In this case the Administration application can report that “CAPI or PKCS#11 sessions are active”. For the Administration application to be fully functional, PGP Desktop should be uninstalled.

1.1.9 Windows logon and PGP desktop

If PGP Desktop is installed and the user tries to log on to Windows, the Windows logon dialog can remain frozen until the user presses the CTRL+ALT+DELETE sequence. To prevent this behaviour, PGP Desktop should be uninstalled.

1.1.10 Firefox/Thunderbird extensions for (new) users

Every user has to enable the eID App extensions for their own use. The Firefox and Thunderbird extensions are disabled for users who have not yet enabled them, and also for users created after eID App was installed.

1.1.11 Windows logoff/shutdown and user certificates

Windows does not allow modification of the user certificate store once shutdown and/or logoff has started. Therefore, eID App cannot uninstall end-entity certificates from the user certificate store, and they will still be available after the next Windows logon/startup even if the card is no longer present.

1.2 Windows XP SP3 x32

1.2.1 Word 2003 issue

Due to a Word 2003 issue, MS Word 2003 uses only certificates and keys whose KeySpec value is AT_KEYEXCHANGE for digital signatures. Certificates with the KeySpec value AT_SIGNATURE are not processed (ignored). Solution: use a newer version of MS Word (e.g. Word 2007), which takes certificates with the AT_SIGNATURE KeySpec into account.
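To see which certificates in a user's store are affected by the KeySpec issue above, and which card-backed certificates were left behind by a logoff with the card removed (section 1.1.11), the following added example (not the HIGHSEC project's own code) lists every certificate in Cert:\CurrentUser\My with the KeySpec of its RSA private key and whether that key can currently be opened. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, and that opening a smart-card key container without the card fails rather than prompting.

```powershell
# Added example (not from the HIGHSEC notes). Lists every certificate in the current
# user's personal store with the KeySpec of its private key (AT_KEYEXCHANGE / AT_SIGNATURE
# for CAPI keys, "CNG" for KSP keys) and whether the key is reachable right now.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6+ (GetRSAPrivateKey); a removed
# smart card shows up as KeySpec "unreachable", Reachable = $false.
function Get-UserCertKeyInfo {
    param([string] $StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $keySpec = 'none'; $provider = ''; $onCard = $false; $reachable = $false
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $info = $rsa.CspKeyContainerInfo
                    # KeyNumber Exchange -> AT_KEYEXCHANGE (1), Signature -> AT_SIGNATURE (2)
                    $keySpec  = if ($info.KeyNumber -eq 'Signature') { 'AT_SIGNATURE' } else { 'AT_KEYEXCHANGE' }
                    $provider = $info.ProviderName
                    $onCard   = $info.HardwareDevice
                } elseif ($null -ne $rsa) {
                    $keySpec  = 'CNG'                     # key storage provider, no CAPI KeySpec
                    $provider = $rsa.Key.Provider.Provider
                }
                $reachable = $null -ne $rsa
            } catch {
                # The key handle could not be opened: typically the card is absent.
                $keySpec = 'unreachable'
            }
        }
        [pscustomobject]@{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            KeySpec = $keySpec; Provider = $provider; OnCard = $onCard; Reachable = $reachable
        }
    }
}

# Certificates that Word 2003 ignores for signing (section 1.2.1):
Get-UserCertKeyInfo | Where-Object KeySpec -eq 'AT_SIGNATURE' | Format-Table Subject, Provider, OnCard

# Certificates whose key cannot be opened, i.e. candidates left behind by a logoff or
# shutdown with the card removed (section 1.1.11); review them before removing any.
Get-UserCertKeyInfo | Where-Object KeySpec -eq 'unreachable' | Format-Table Subject, Thumbprint
```

Some smart-card CSPs prompt for the card instead of failing when the container is opened; in that case run the audit with the card inserted and compare against the list of certificates the card actually holds.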

1.2.2 Internet Explorer 7

Provided web applications may require SSL cipher suites that IE7 does not support. If SSL is turned off, the plugin works OK.

1.2.3 Internet Explorer 8

Provided web applications may require SSL cipher suites that IE8 does not support. If SSL is turned off, the plugin works OK.


1.2.4 Mozilla Thunderbird

Root CA certificates and any other CA certificates in the chain should be set as trusted in the Thunderbird Authorities certificate store. If any certificate in the chain is not trusted, Thunderbird will not be able to validate the user certificate.

1.3 Windows 7 and Windows Vista

1.3.1 Office 2010

The latest Word 2010 and MS Office 2010 updates and service pack should be installed. Without them, Word 2010 will try to use the CNG Key Storage Provider to get the private key associated with the esign certificate from the smart card, and the user will not be able to sign the document. Solution: run MS Office 2010 in compatibility mode for Windows XP SP3, or install the latest updates. Hotfix kb2412320 for Office 2010.

If the user does not install the latest service pack and updates, and the certificate used for e-mail encryption does not possess SMIME capabilities, Outlook 2010 will use the RC2 encryption algorithm instead of 3DES (as set in the Outlook e-mail security settings for the particular account), so decryption will not be possible in Outlook 2010. Hotfix kb2475877 for Outlook 2010.
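Whether a certificate advertises S/MIME capabilities at all, and whether 3DES is among them, can be checked before Outlook picks it. The following is an added example, not code from the HIGHSEC notes: it looks for the SMIMECapabilities extension (OID 1.2.840.113549.1.9.15) on each certificate in the user's store and searches the extension's DER bytes for the encoded algorithm OIDs of 3DES-CBC, RC2-CBC and AES-128-CBC; that byte search instead of a full ASN.1 parse is an assumption of this example.

```powershell
# Added example (not from the HIGHSEC notes). Reports whether a certificate carries the
# SMIMECapabilities extension and which symmetric algorithms it advertises, by searching
# the extension's DER bytes for the encoded OIDs (a heuristic, not a full ASN.1 parse).
$SmimeCapsOid = '1.2.840.113549.1.9.15'
# DER encodings (tag 0x06, length, contents) of the algorithm OIDs of interest.
$AlgOids = @{
    '3DES-CBC (1.2.840.113549.3.7)'       = [byte[]](0x06,0x08,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07)
    'RC2-CBC (1.2.840.113549.3.2)'        = [byte[]](0x06,0x08,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02)
    'AES-128-CBC (2.16.840.1.101.3.4.1.2)' = [byte[]](0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x02)
}

function Test-ByteSequence([byte[]] $Haystack, [byte[]] $Needle) {
    # Plain substring search over byte arrays; returns $true if $Needle occurs in $Haystack.
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $true }
    }
    return $false
}

function Get-SmimeCapabilities {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SmimeCapsOid }
    $result = [ordered]@{ Subject = $Certificate.Subject; HasSmimeCaps = ($null -ne $ext) }
    foreach ($name in $AlgOids.Keys) {
        # Without the extension nothing is advertised and Outlook falls back to its own default.
        $result[$name] = if ($ext) { Test-ByteSequence $ext.RawData $AlgOids[$name] } else { $false }
    }
    [pscustomobject]$result
}

# Report every certificate in the user's store that Outlook could pick for S/MIME.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Get-SmimeCapabilities $_ } | Format-Table -AutoSize
```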

1.3.2 Windows Live 2011

Windows Live 2011 uses the RC2 encryption algorithm instead of 3DES. 3DES should normally be used, as set in the account settings. The card is not usable.

1.3.3 Mozilla Thunderbird

Root CA certificates and any other CA certificates in the chain should be set as trusted in the Thunderbird Authorities certificate store. If any certificate in the chain is not trusted, Thunderbird will not be able to validate the user certificate.

1.3.4 CAN/PIN Dialog focus issue

The user must first click on the CAN/PIN dialog and then enter the CAN/PIN. The dialog cannot steal focus in Windows Vista and later, because this functionality is disabled in the OS.

1.4 Windows 8 and Server 2012
