
Application Note: Gemalto Access Client for Windows smart card and EFS on Microsoft Windows Vista


nicolas.BATAILLE@gemalto.com


All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal and personal use only provided that:

• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.

• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

© Copyright 2007 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.


Table of contents

Table of contents

List of figures

Overview

Infrastructure Configuration

Architecture

Microsoft Encrypted File System

Prerequisite for Gemalto Access Client for Windows Smart card

List of figures

Figure 1: General Infrastructure

Figure 2: Encryption File System General Properties

Figure 3: Encryption File System Cache Properties

Figure 4: User selection

Figure 5: Smart card logon

Figure 6: Advanced attributes

Figure 7: Options window

Figure 8: Smart card usage

Figure 9: User certificate

Figure 10: PIN verification

Figure 11: Access denied message box


Overview

This document describes use cases for the Microsoft Encrypted File System on Windows Vista with Gemalto Access Client smart cards.

Caution: Consequently, this document should not be considered as an instruction manual on how to configure your system.

• Microsoft

  o Windows Vista

    ▪ You need a computer running Microsoft Vista

    ▪ A user account with administration rights

  o Encrypted File System

    ▪ The Microsoft EFS provides the core file encryption technology to store Windows NT file system (NTFS) files encrypted on disk.

• Gemalto

  o We are going to use the Gemalto Access Client 5.3 CR C middleware. This driver allows the Gemalto Access Client for Windows smart card to be used on a computer.

The main steps are:

• Certificate installation on the Access Client smart card (not explained in this document)

• Folder creation

• Folder encryption

Important:


Infrastructure Configuration

Architecture

The general infrastructure needed to carry out the tests described below is shown in Figure 1.

[Figure: Active Directory, Certification Authority, and a Microsoft Vista client on an NTFS partition]

Figure 1: General Infrastructure

Microsoft Encrypted File System

First of all, remember that the Encrypted File System is available only when the file system type is Windows NT File System (NTFS). This is decided when installing the operating system.

To activate EFS with the Gemalto Access Client smart card, proceed as follows:

1. On the Windows Vista Control Panel, select Administrative Tools,

2. Click on Local Security Policy (you have to be a member of the Administrator Group),

3. On the Public Key Policies right click on Encrypting File System and select Properties,

4. Check Allow on the File encryption using Encryption File System (EFS),

5. Check Require a smart card for EFS on the Option Panel,

6. Uncheck Allow EFS to generate self-signed certificates when a certification authority is not available.

7. Click on OK.


Figure 2: Encryption File System General Properties

Figure 3: Encryption File System Cache Properties


Prerequisite for Gemalto Access Client for Windows Smart card

We have already installed a certificate on the Gemalto Access Client smart card.

Note: The certificate is delivered to the User_EFS user.

The certificate must have the EFS attribute. Please refer to your CA admin guide in order to create the appropriate certificate template.

Because the smart card is first used to log on to the workstation, the certificate must also have the smart card logon attribute.

In this example we used a Microsoft CA, but any CA compliant with Active Directory technology can be used.
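As an added example (not part of the Gemalto note), the following PowerShell reports whether each certificate in the logged-on user's Personal store carries both attributes required above. It assumes PowerShell 2.0 or later and that the card's certificate is visible in `Cert:\CurrentUser\My`; the two OIDs are Microsoft's Encrypting File System and Smart Card Logon enhanced key usage identifiers.

```powershell
# Added example, not from the original note.
# Enhanced key usages (EKUs) the prerequisites above call for.
$required = @{
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

# Assumption: the smart card certificate is visible in the user's Personal store.
$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Collect every EKU OID stated on the certificate.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }

    # A certificate with no EKU extension is reported as missing both usages:
    # this check wants them stated explicitly by the certificate template.
    $missing = @($required.Keys |
        Where-Object { $ekus -notcontains $_ } |
        ForEach-Object { $required[$_] })

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        HasPrivateKey = $cert.HasPrivateKey
        MissingEku    = ($missing -join ', ')
        Usable        = ($missing.Count -eq 0)
    }
}

$report | Format-List Subject, Thumbprint, InValidity, HasPrivateKey, MissingEku, Usable
```

A certificate that shows `Usable : False` needs a corrected template on the CA before it can serve both for logon and for EFS as this note requires.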

Gemalto Access Client for Windows smart card use cases

After the PC starts up, press Ctrl-Alt-Del. You might be prompted for the previous user's password; if so, click on the “Switch User” button. The user selector is displayed. Insert the Gemalto Access Client smart card. The smart card user name is now displayed under the smart card icon. Click on the icon.

Figure 4: User selection

After logging on to the workstation using the User_EFS smart card, we create a folder in which we create a file named User_EFS.

To encrypt the folder and its files, proceed as follows:

1. Right click on the User_EFS folder and then click on Properties,

2. Click on Advanced,

3. Check Encrypt contents to secure data and then click on OK twice

Figure 6: Advanced attributes

4. Choose Apply changes to this folder, subfolder and files and then click on OK,

5. Click on Use an existing smart card certificate,

Figure 8: Smart card usage

6. Select the user certificate and then click on OK


7. Enter your PIN code and then click on OK,

Figure 10: PIN verification

8. The User_EFS folder is now encrypted.

The folder is now accessible only to User_EFS, who has to use his smart card to access the files. If another user logs on to the workstation, he cannot open the User_EFS encrypted file, even if that user has administration rights.

Figure 11: Access denied message box

If User_EFS does not have his smart card, he cannot access his encrypted files.
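To confirm the result of the procedure above, this added example (not part of the Gemalto note) checks that every item under the folder actually carries the Encrypted attribute and then asks `cipher /c` which certificates can decrypt each file. The folder path is a hypothetical placeholder, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the original note.
# Hypothetical path: the note does not say where the User_EFS folder was created.
$folder    = 'C:\Users\User_EFS\Documents\User_EFS'
$encrypted = [System.IO.FileAttributes]::Encrypted

# The folder itself plus everything below it, hidden items included.
$items = @(Get-Item -LiteralPath $folder -Force) +
         @(Get-ChildItem -LiteralPath $folder -Recurse -Force)

# Anything without the Encrypted attribute is still stored in clear text,
# for example a file that was open while the change was applied.
$clear = @($items | Where-Object { ($_.Attributes -band $encrypted) -eq 0 })
if ($clear.Count -gt 0) {
    Write-Warning "$($clear.Count) item(s) are not encrypted:"
    $clear | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Output "All $($items.Count) item(s) under $folder carry the Encrypted attribute."
}

# For each encrypted file, cipher /c lists the users and recovery certificates
# able to decrypt it, with certificate thumbprints. Compare the user thumbprint
# with the certificate selected from the smart card.
$items |
    Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $encrypted) -ne 0) } |
    ForEach-Object { & cipher.exe /c $_.FullName }
```

Any recovery certificate listed in the `cipher /c` output can also decrypt the file, so it belongs in the review alongside the user's own certificate.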
