User Guide
Digital Signature
ENTRUST® ESP 9.2
This guide is the exclusive property of Notarius Inc. All reproduction, printing or distribution of this guide by e-mail or other means is strictly forbidden. This guide may not be fully or partially reproduced without prior written permission from Notarius Inc.
TABLE OF CONTENTS
1. ABOUT THIS GUIDE ... 5
1.1 SPECIFIC OBJECTIVES ... 5
1.2 PREREQUISITES ... 5
1.3 KEYS ... 5
2. USING ENTRUST® ESP 9.2 ... 6
2.1 LOG IN ... 6
2.2 LOG OUT ... 7
2.3 BACKING UP A COPY OF AN .EPF FILE ... 8
3. SECURITY LEVELS ... 9
4. ENCRYPT A DOCUMENT FOR YOURSELF ... 10
5. ENCRYPTING A FILE FOR OTHERS ... 12
5.1 PROCEDURE ... 12
5.2 CREATING A QUICK LIST OF RECIPIENTS ... 15
6. DIGITALLY SIGNING A FILE ... 20
7. ENCRYPTING AND DIGITALLY SIGNING A FILE FOR YOURSELF AND FOR OTHERS ... 22
8. DECRYPTING AND CHECKING A SECURED FILE... 26
9. VERIFYING THE IDENTITY OF THE SIGNER OF A DOCUMENT ENCRYPTED FOR YOU ... 28
10. REJECTED FILES ... 30
10.1 NAME NOT ON THE RECIPIENTS LIST ... 30
10.2 ALTERED FILE ... 30
11. OTHER ENTRUST FEATURES ... 31
11.1 “ENROLL FOR ENTRUST DIGITAL ID…” ... 31
11.2 "RECOVER ENTRUST DIGITAL ID…”... 31
11.3 "OPTIONS…" ... 31
11.3.1 Change the Digital Signature Password ... 32
11.3.2 Setting a Logout Hot Key... 35
11.3.3 Password-Encrypting a File ... 35
11.3.4 Getting Information on the Entrust Security Store Type ... 41
11.4 ENTRUST CERTIFICATE EXPLORER ... 42
11.4.1 Creating a New Personal Encryption Group ... 42
11.4.2 Adding a Member to an Existing Group ... 45
11.4.3 Deleting a Member from a Personal Encryption Group ... 46
11.5 EMAILING CERTIFICATES TO ANOTHER CERTIFICATE USER ... 47
1. ABOUT THIS GUIDE
1.1 Specific Objectives
Readers of this guide will learn how to use their digital signature to confidentially and securely exchange electronic files using Entrust® ESP 9.2 software.
More specifically, digital signature holders will:
Become familiar with the Entrust® ESP 9.2 software features
Know how to use the various security levels
1.2 Prerequisites
Have the Entrust® ESP 9.2 software installed
Hold an activated digital signature issued by the Quebec Certification Centre
1.3 Keys
The various symbols below are used in this guide to indicate a specific type of comment.
This symbol indicates a note to the reader.
This symbol is used to indicate an in-depth comment that provides more detailed information on a concept.
This symbol is used to represent a warning.
2. USING ENTRUST® ESP 9.2
Using a digital signature with Entrust® ESP 9.2 means that operations such as encrypting and digitally signing a document can be securely carried out. A document secured in this way allows the signer’s identity to be checked, just like a driver’s licence or passport.
When the Entrust® ESP 9.2 software is installed on a workstation, an icon appears in the lower-right corner of the screen.
This icon indicates that an Entrust session is currently open:
This icon indicates that an Entrust session is currently closed:
2.1 Log In
You first select your digital signature profile (i.e. the .epf file produced by creating your digital signature) and then enter your personal password to access Entrust®. This operation ensures that only you can use your digital signature to encrypt and digitally sign documents in your name.
PROCEDURE:
Position the mouse cursor over the icon
Click the right mouse button
Select Log in…
If a profile¹ is already installed on the workstation, an Entrust Security Store Login window appears with the profile name already displayed.
Enter the digital signature password
If your profile is not already installed on the workstation:
Click on the dropdown menu to see if the profile name is listed on it and, if so, select it (If it is not listed, click Browse… to find the .epf file linked to the desired profile)
Enter the digital signature password
¹ The profile is the .epf file produced when the digital signature was created. Its filename consists of the username, followed by a .epf extension (e.g. John Smith.epf). This file is required to open an Entrust® session because it contains the private decryption key, private signature key and general Entrust® security parameters, such as the default encryption algorithm.
© Notarius Inc.
Page 6 of 49
Do not enter your name in the Name field. In the drop-down menu, select the file (your profile) that bears your name and the .epf extension.
If the profile cannot be found, locate the .epf signature file according to the following steps: Click Start and enter *.epf in the Search Programs and Files field
2.2 Log Out
Always make sure to close an Entrust session when exiting the workstation to prevent unauthorized use of your key (digital signature). Using a digital signature confers the same rights as your official signature affixed to a paper document. Using it for other purposes may constitute an offence.
An Entrust session automatically closes whenever any of the following events occurs:
The session is closed manually (steps outlined below)
A keyboard shortcut created for closing sessions is used
End of Windows® session
Activation of a Windows® screensaver
Windows® is locked
PROCEDURE FOR MANUALLY CLOSING A SESSION
Position the mouse cursor over the icon
Right-click and select Log out
2.3 Backing Up a Copy of an .epf File
We strongly recommend saving a backup copy of the .epf signature file on a USB key, diskette or CD-ROM and storing it in a secure location that is only accessible to the holder of the digital signature.
Given that the .epf signature file is the holder’s private key, it is essential that a new backup copy be made whenever this file is updated or modified.
Private keys are automatically updated during the two months prior to the certificate’s renewal date. If there is no activity during this period, the holder’s private key will not be renewed and a new request must be submitted.
Whenever possible, users should always work online for maximum protection when securing a document for one or more of the list’s members or when checking data during decryption.
3. SECURITY LEVELS
Entrust ESP 9.2 provides several security levels that are defined below.
Type: Definition
Encrypt the file: Ensures document confidentiality and integrity by using a complex mathematical procedure that renders a file illegible if an unauthorized person attempts to open it.
Digitally sign the file: Adds a certificate to the document which authenticates its signature and ensures that it cannot be repudiated. Anyone possessing a valid digital signature from the Quebec Certification Centre—even those not on a list of selected recipients—can open the document.
Encrypt and sign the file for yourself: Protects the document and adds the user’s authentication certificate to it. Only the user can open it using his/her own digital signature.
Encrypt and digitally sign the file for other recipients: Equivalent to using Encrypt and Sign for yourself and also allowing other selected individuals (subscribers to the Quebec Certification Centre) to access the document.
When a file is secured, a new .p7m extension is immediately added after its existing name and extension (e.g. test.doc will become test.doc.p7m).
It is possible to secure a file on a network drive.
It is important to name the file correctly before securing it because the name itself is protected by encryption. Files renamed after being secured revert to their original name during decryption or unlocking.
4. ENCRYPT A DOCUMENT FOR YOURSELF
This feature allows you to encrypt (secure) a file for yourself without attaching your signature certificate to it. Consequently, only you can decrypt (open) it using your digital signature.
PROCEDURE:
Using My Computer or Windows® Explorer, browse to the location of the file to be encrypted
Position your mouse cursor on the file and right-click
Select Encrypt file …
Click Next
Click Choose … to select your certificate if it is not already displayed
Do not change the default Entrust algorithm, 3DES. Click Next
Checkmark Delete the original files on finish if you prefer not to keep a non-encrypted copy of the file on your workstation.
If this box is left unchecked, you will have a non-encrypted copy as well as an encrypted copy of this document.
Click Finish
5. ENCRYPTING A FILE FOR OTHERS
This feature enables users to secure a document for themselves and one or more recipients whom they must first select. It should be noted that a signature certificate will not be affixed to this document.
Example: Encrypting a document for a member in a specific list (Jules Boulerice in the present example).
The selected recipient(s) must have a valid digital signature issued by the QCC.
This feature requires an Internet connection to access the directory that lists the members of the Quebec Certification Centre.
5.1 Procedure
Using My Computer or Windows® Explorer, browse for the location of the (Word, Excel or other) file to be encrypted for one or more individuals with a digital signature from the QCC
Position the mouse cursor on the file
Right-click and select Encrypt file …
Click Next
Click Choose . . . to select your certificate if it is not already displayed.
Do not change the default Entrust Encryption algorithm, 3DES. Check the Encrypt the files for other people in addition to myself. Click Next
Click Add... to select the certificates of those individuals for whom you want to secure the file
Enter the person’s name without any accented characters
Click Search to access the certificates directory
Select the person’s name
Click OK
If two people have the same name, click View to display the certificate and avoid securing a document for an unauthorized person.
Add as many recipients as you like by clicking the Add... button. Click Next
Check the Delete the original files on finish box if you prefer not to keep a non-encrypted copy on your workstation.
If this box is left unchecked, you will have both a non-encrypted copy and an encrypted copy of this document Click Finish
The file is now secured for both yourself and your recipient(s).
Do not forget to email the signed document or to make it available by some other means.
5.2 Creating a Quick List of Recipients
It is possible to create a quick list of recipients for which you regularly secure files. This feature prevents you from searching the certificates directory each time you want to encrypt a file or encrypt and sign a file.
Follow the steps described in “Encrypting a File for Others” (section 5.1) or “Encrypting and Digitally Signing a File for Yourself and for Others” (section 7)
Click Add… to select the certificates of those individuals for whom you want to secure the file
Enter the person’s name without any accented characters
Click Search to access the certificates directory
Select the person’s name
Click View to display the certificate
Click Install Certificate…
Click Next
Select Place all certificates in the following store
Click Browse... and select Trusted People
Click OK. The certificate store displays as follows:
Click Next
Click Finish
Click OK or close the dialog boxes by clicking the red X and start the operation over
To add more recipients, repeat these steps.
The quick list will appear the next time you use Entrust to secure a file for other recipients. Simply select the desired recipients and click on the OK button.
Use the CTRL key to select more than one name from your quick list.
This method saves you from conducting a search by person as explained in section 5.1.
It is possible to create groups of recipients or personal groups for encryption, thereby including in the same group people for whom you want to encrypt and/or sign documents. See section 11.4.1.
6. DIGITALLY SIGNING A FILE
This feature allows users to add their signature certificate to a file, thereby identifying them as the signer and ensuring that their signature cannot be repudiated.
When a document is only signed, anyone possessing a digital signature from the QCC can open the file with their own digital signature.
PROCEDURE:
Using My Computer or Windows® Explorer, browse to the location of the file to be signed
Position your mouse cursor on the file and right-click
Select Digitally sign file …
Click Next
Click Choose . . . to select your certificate if it is not already displayed
Do not change the default Entrust Hash algorithm, SHA1. Click Next
If an Entrust session is open, this feature runs automatically; otherwise the Open session window appears and the user is asked to enter the digital signature password.
Check the Delete the original files on finish box if you prefer not to keep a non-encrypted copy on your workstation
If this box is left unchecked, you will have both a non-encrypted copy and an encrypted copy of this document.
Click Finish
Files that are only signed can be opened by all Quebec Certification Centre subscribers. It is therefore not necessary to select recipients for this type of file.
Do not forget to email the signed file or make it available by some other means.
A signed file’s digital signature can only be verified by accessing the file properties (right-click on the File > Properties > State Security tab).
7. ENCRYPTING AND DIGITALLY SIGNING A FILE FOR YOURSELF AND FOR OTHERS
This feature allows you to encrypt and digitally sign one or more files for yourself and for others holding a digital signature from the QCC. Once secured, the file can be emailed.
PROCEDURE:
Using My Computer or Windows® Explorer, browse to the location of the (Word, Excel or other) file to be encrypted and signed for you or someone else with a digital signature
Position the mouse cursor on the file, right-click and select Encrypt and digitally sign file…
Click Next
Click Choose . . . to select your certificate if it is not already displayed
Do not change the default Entrust encryption algorithm 3DES or hash algorithm SHA1. Check the Encrypt the files for other people in addition to myself box
If left unchecked, the file will be encrypted and signed for you only. Click Next
Click Add... to select the certificates of those individuals for whom you want to secure the file
Enter the person’s name and click Search to gain access to the certificate store
Enter the person’s name without accented characters. Select the desired name
Click View to see the certificate or click OK
Add more recipients by clicking Add... Click Next when done
If an Entrust session is open, this feature runs automatically; otherwise the Open session window appears and the user is asked to enter the digital signature password.
Check the Delete the original files on finish box if you prefer not to keep a non-encrypted copy on your workstation
If this box is left unchecked, you will have both a non-encrypted copy and an encrypted copy of this document.
Click Finish. The file is now secured for both yourself and your recipient(s)
8. DECRYPTING AND CHECKING A SECURED FILE
This feature allows you to decrypt, verify and open files that were encrypted and/or encrypted and signed with a digital signature.
PROCEDURE:
Locate the encrypted or locked file to view
Position the mouse cursor on the file
Right-click and select one of the following options: Decrypt, verify and open or Decrypt and verify
Enter the password
Click OK
Click Yes
If the Decrypt, verify and open option was selected, the document will open onscreen in its original format.
The Decrypt and verify option decrypts the file without opening it and verifies that the recipient is on the Recipients list. If not, an error message to that effect is displayed onscreen.
Double-clicking an encrypted file is the equivalent of the Decrypt, verify and open option.
Decrypting a file on a network drive: If the document you want to decrypt is on a network drive, Entrust ESP 9.2 will ask you to decrypt the file locally on your computer. This feature provides a higher level of security because your decrypted file is not found on shared networks where other people could access it.
9. VERIFYING THE IDENTITY OF THE SIGNER OF A DOCUMENT ENCRYPTED FOR YOU
This feature allows you to verify the identity of the signer of a document encrypted for you. This verification confirms the identity of the signer and that the document has not been amended since it was signed.
PROCEDURE:
Identify the file for which you want to verify the name of the signer
Position the mouse cursor on it
Right-click and select Properties > Security Status
Click View Certificate to view the signer’s information
Click OK
Click Details in the File Security Properties window
Click Close
Click OK
You can verify the name of the signer of a document only if the document has been encrypted for you and you have opened an Entrust session beforehand.
10. REJECTED FILES
10.1 Name Not on the Recipients List
If you forget to add a name of a recipient to the list when securing a file, the recipient will get an error message when attempting to open it.
SOLUTION:
The recipient must contact you so that you can resend the signed file after adding his or her name to the Recipients list.
Recipients cannot be added to a file that has already been secured. The file has to be decrypted and the operation started over.
To maintain the overall security of the system, you cannot see for whom files were secured.
10.2 Altered File
If a file has been changed (e.g. by inserting or deleting words, adding spaces, etc.) between the time when it was encrypted and/or signed and when the recipient attempts to open it, an error message indicating that the file cannot be opened because it has been altered will display.
SOLUTION:
Ask the person who sent you the file to forward you a new copy.
11. OTHER ENTRUST FEATURES
To access other Entrust features, position your mouse cursor over the Entrust icon in the lower-right corner of your screen and right-click. Choose one of the options listed below.
11.1 “Enroll for Entrust Digital ID…”
An Entrust® digital ID contains cryptographic data that includes your keys and certificates. This option is only used when your digital signature is created.
When a request for a digital signature is accepted, the future holder receives two activation codes, i.e. a reference number and an authorization code. Upon receiving the codes, the recipient has to connect via Internet to the Quebec Certification Centre’s server and access the Enroll for Entrust Digital ID . . . option.
Only one profile is created for each pair of activation codes. Once used, these codes are no longer valid and should be destroyed in a secure way.
Holders who reuse their activation codes (i.e. their reference number and authorization code) risk corrupting the file containing their private signature key (.epf signature file).
11.2 “Recover Entrust Digital ID…”
A profile must be recovered in the following cases:
The holder’s profile (.epf file) has been lost or stolen
The profile (.epf) was damaged
The holder forgot his or her password
The holder believes that an unauthorized person has accessed his or her profile
You can recover your digital signature online. Go to www.notarius.com and click My Account in the top left corner of the website. Once you are in your account:
Click on the My Subscriptions tab
Click to select the digital signature you wish to recover
Click the Recover my digital signature button
In the window that displays, click the Recover my digital signature button to confirm the recovery
The first of two codes necessary to recover your digital signature will be sent to you by email. Click on the hyperlink included within the email. You will be redirected to a web page containing your second code as well as instructions to help you complete the recovery.
11.3 “Options…”
The user accesses the Entrust® options to:
Change the digital signature password
Configure a keyboard shortcut for closing a session
Get information on the Entrust security store type
Position the mouse cursor over the icon appearing in the lower-right corner of the screen
Right-click
Select Options . . . and the Log In window displays
Enter your digital signature password and then click OK
11.3.1 Change the Digital Signature Password
You should never reveal your password or let anyone watch you entering your password.
PROCEDURE:
Click Change Password . . . and the Change Entrust Security Store Password window will display
Click Next
Enter the currently used password and then click Next
Enter a new password that meets the stated requirements
Confirm the new password by entering it a second time
Click Next to confirm the change
Click Finish
Since changing the password involves a change to the signature holder’s profile, it is essential to save a backup copy of the .epf signature file on CD or other medium and to destroy the old copy.
11.3.2 Setting a Logout Hot Key
In the Logout hot key field, enter the logout hot key sequence you want to use (example: CTRL + E)
Click OK to save this keyboard shortcut
This logout hot key will allow you to quickly close an Entrust® session.
11.3.3 Password-Encrypting a File
This feature is used to encrypt a file, thereby securing it, for you or for trusted individuals. Consequently, you or these individuals (with whom you will have shared your password beforehand) will be able to decrypt this file, that is, open the file with a password.
When a file is password encrypted, the .pp7m or .exe extension is added and a new icon appears at the selected location. For example:
This icon indicates that the file carries the .pp7m file extension:
If you do not have a digital signature with an encryption certificate or the ESP client installed on your PC, go to http://www.notarius.com/help/downloads.dot to download the free Entrust® Password Decrypt software which will enable you to open password-encrypted files.
This icon indicates that the file carries the .exe file extension:
If the password-encrypted file carries the .exe file extension, it will most likely not be possible to send via email due to security measures applied to email servers. In this case, there is no need to download the Entrust® Password Decrypt application.
Make sure to not lose the password for the password-encrypted file. Otherwise, it will be impossible to open the document.
PROCEDURE:
PASSWORD-ENCRYPTING ONE FILE:
Using My Computer or Windows® Explorer, browse for the location of the file to password encrypt
Position the mouse cursor on the file and right-click
Select Encrypt File with Password...
Click Next
Enter a password that meets the stated requirements
Confirm the password by entering it a second time
Click Next
Click Browse to select a location for the password-encrypted file
By checking the Generate self-decrypting output file box, you are creating a password-encrypted file bearing the .exe extension. If this box is not selected, you will generate a .pp7m file by default.
Click Next
If the Delete the original files on finish box is not checked, the original, non-encrypted file is saved on your PC along with the new, password-encrypted file.
By checking the Send files via email box, Outlook opens automatically.
Click Finish. The file is now password encrypted.
PASSWORD ENCRYPTING SEVERAL FILES:
Using My Computer or Windows® Explorer, browse for the location of the files to password encrypt
Use the CTRL button to select several files at once. You will have the option to merge all selected files into a single, password-encrypted file.
Right-click on the selected files
Select Encrypt Files with Password…
Click Next
Enter a password that meets the stated requirements
Confirm the password by entering it a second time
Click Browse to select a location for the password-encrypted files
Check the Combine all files into single output file box to group all selected files into a single document. Select a final location and name the file before checking this box; otherwise, the field will be deactivated and you will not be able to make any changes.
By checking the Generate self-decrypting output file box, you are creating a password-encrypted file bearing the .exe extension. If this box is not selected, you will generate a .pp7m file by default.
Click Next
If the Delete the original files on finish box is not checked, the original, non-encrypted file is saved on your PC along with the new, password-encrypted file.
By checking the Send files via email box, Outlook opens automatically.
Click Finish. The merged file is now password encrypted.
OPENING A PASSWORD-ENCRYPTED FILE:
Double-click on the password-encrypted file
Enter the password
Click OK
11.3.4 Getting Information on the Entrust Security Store Type
Refer to the Entrust Security Store Type pane to quickly find the path to your .epf file
11.4 Entrust Certificate Explorer
11.4.1 Creating a New Personal Encryption Group
Creating a new personal encryption group allows you to group together recipients for which you regularly secure files. It is therefore possible to secure a file for several people at once by selecting the group rather than all holders individually. This feature is very similar to creating a quick list of recipients, except that the latter does not allow grouping recipients together.
Example: Encrypt/sign for several individuals of the same group (e.g. a group for technical
support).
Create a group of recipients that includes the names of the members you want in this group. You can now select this group instead of selecting each name individually. (See section 5.1)
Right-click on the Entrust® icon
Select Entrust Certificate Explorer
In the File menu, select New Personal Encryption Group
Enter a name for your group in the Name field
Click Add… to add members to the newly created group
Enter the person’s name you wish to add without accented characters in the field to the right of the image of the magnifying glass
Click Search. The search results display.
Click on the desired name
Click View to display that person’s certificate and confirm it is the person you are looking for
Click OK twice to add this person to the group
The new group and its members list display. To add a new member, repeat the previous steps. Click the Add... button to add another member to the group (please see the previous procedure)
Click OK to finish creating the new group
The newly created group displays in the left pane of the screen
11.4.2 Adding a Member to an Existing Group
The Entrust Certificate Explorer displays a window divided in two: the list of certificates and personal encryption groups in the left pane; the content of the selected element in the right pane.
DISPLAYING A GROUP’S CONTENT
Click on the desired group in the left pane of the screen. The selected group’s members will display in the right pane
ADDING A MEMBER TO AN ALREADY CREATED GROUP
Right-click on the group to modify
Select Properties
The selected group and its members list displays.
Click Add… to add new members
Enter the new member’s name without accented characters in the field to the right of the image of the magnifying glass
Click Search. The search results display.
Click on the desired name
Click View to display that person’s certificate and confirm it is the person you are looking for
Click OK
Click OK again to add this person to the group
The new group and its members list display. To add a new member, repeat the previous steps. Click OK to finish
11.4.3 Deleting a Member from a Personal Encryption Group
Right-click on the personal encryption group that you want to modify
Select Properties
The group’s list of members displays.
Select the member to delete
Click Remove
Click OK
11.5 Emailing Certificates to Another Certificate User
Emailing your certificates to another certificate user allows the recipient to encrypt your files for you, thereby continuing the chain of trust of your digital signature.
There are two ways to access the Email Certificates window:
OPTION 1:
Click Start
Select All Programs > Entrust Entelligence > Email Certificates
OPTION 2:
Position the mouse cursor over the icon
Right-click
Select Email Certificates
STEPS TO FOLLOW WHEN THE EMAIL CERTIFICATES WINDOW DISPLAYS
Click View Thumbprint…
Record the thumbprint and share it with the recipient by telephone
Verifying the thumbprint guarantees that the certificates have not been altered in transit.
Click OK
Click OK
The default email software opens to send your certificates to the designated recipient.
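The telephone thumbprint check above works because the thumbprint is a hash of the certificate bytes, so any change in transit changes it. The script below is an added example, not part of this guide or of Entrust's software: it assumes the thumbprint is the SHA-1 digest of the certificate's DER bytes (the value Windows certificate viewers label "Thumbprint") and uses a constructed placeholder instead of a real certificate.

```python
"""Out-of-band thumbprint check for a certificate received by email.

Added example, not part of the Entrust guide. Assumes the thumbprint is the
SHA-1 digest of the certificate's DER bytes. The certificate bytes below are
a constructed placeholder, not a real certificate.
"""
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded bytes of a certificate attachment.
CERT_RECEIVED = b"-- constructed placeholder for DER-encoded certificate bytes --"


def thumbprint(der_bytes: bytes) -> str:
    """Return the SHA-1 thumbprint as upper-case hex, one space between bytes,
    the way certificate viewers usually display it."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(spoken: str) -> str:
    """Strip separators and case differences from a thumbprint read out by phone."""
    return re.sub(r"[^0-9A-F]", "", spoken.upper())


def thumbprints_match(der_bytes: bytes, spoken: str) -> bool:
    """Compare the thumbprint of the received bytes with one obtained out of band.

    A mismatch means the certificate was altered or substituted in transit and
    must not be installed or used to encrypt files for the sender."""
    expected = normalize(spoken)
    if len(expected) != 40:  # a SHA-1 thumbprint is 20 bytes = 40 hex digits
        return False
    actual = normalize(thumbprint(der_bytes))
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Intact copy matches the value the sender reads out; a copy with one
    extra byte (simulated alteration in transit) and a truncated value do not."""
    sender_reads_out = thumbprint(CERT_RECEIVED)
    tampered = CERT_RECEIVED + b"\x00"
    return {
        "intact_matches": thumbprints_match(CERT_RECEIVED, sender_reads_out.lower()),
        "tampered_matches": thumbprints_match(tampered, sender_reads_out),
        "short_value_matches": thumbprints_match(CERT_RECEIVED, "AB:CD"),
    }


if __name__ == "__main__":
    print(demo())
```

To check a real attachment, read its DER bytes from disk (convert a PEM file with ssl.PEM_cert_to_DER_cert first) and pass them with the value the sender read out.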