IDPrime .NET Administration and User Guide

4991 DotNET Admin&User Guide


Page 1: 4991 DotNET Admin&User Guide

IDPrime .NET

Administration and User Guide


All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.

Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.

This document can be used for informational, non-commercial, internal and personal use only provided that:

• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.

• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.

Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.

The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

© Copyright 2007-13 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE.

Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

Printed in France. Document Reference: DOC1292251A

May 16, 2013

www.gemalto.com


Contents

Introduction . . . vii
  Who Should Read This Book . . . vii
  Documentation . . . vii
  Conventions . . . vii
    Windows Versions . . . vii
    Typographical Conventions . . . vii
  Additional Resources . . . viii
  For Further Help . . . viii
  If You Find an Error . . . viii

Chapter 1 Introduction to IDPrime .NET Smart Cards . . . 1

Chapter 2 Installing the IDGo 500 Minidriver dll with Windows Update . . . 3
  Introduction . . . 3

Chapter 3 Installing Additional Components for Windows 7 & Later . . . 8
  Introduction . . . 8
    The IDGo 500 Credential Provider . . . 8
    The IDGo 5000 Biometric Solution . . . 8
    The IDGo 500 Minidriver dll . . . 8
  System Requirements . . . 9
    Software and Middleware Requirements . . . 9
    Hardware Requirements . . . 9
  Installation . . . 9
    Installation Recommendations . . . 9
    Installing the Smart Card Reader . . . 9
    Installing the IDPrime .NET Additional Components for Windows 7 and later . . . 9
    Modifying the IDPrime .NET Additional Components Installation . . . 12
  Uninstallation . . . 12
  User Certificate Enrollment . . . 13

Chapter 4 PIN Use Cases . . . 14
  Changing the User PIN . . . 14
    Windows XP and Server 2003 . . . 14
    Windows Vista or later (without IDGo 500 Credential Provider) . . . 15
    Firefox . . . 17
  Unblocking the User PIN . . . 18
    The Unblock Card Procedure . . . 18
    Windows XP and Server 2003 . . . 19
    Windows Vista or later (without IDGo 500 Credential Provider) . . . 20
    Administrator Tools for Card Unblock . . . 21
    Automated Card Unblock . . . 22

Chapter 5 Other Use Cases . . . 23
  Logging on Using an IDPrime .NET Card . . . 23


  Encrypting and Signing E-mails . . . 26
    In Microsoft Outlook . . . 26
    In Microsoft Live Mail . . . 28
    In Mozilla Thunderbird . . . 28
  Encrypting and Signing Other Information . . . 31
  SSL Authentication to Secure Web Sites . . . 32
  How to Test and Manage IDPrime .NET Test Cards . . . 33

Chapter 6 The Gemalto IDGo 500 Credential Provider . . . 34
  IDGo 500 Credential Provider Features . . . 34
    Multiple PIN Policy Support . . . 34
    Change PIN at First Use . . . 35
    Single Sign-On . . . 36
  User Tasks . . . 36
    Logging on Using an IDPrime .NET Card . . . 36
    Changing a User PIN . . . 39
    Unblocking a User PIN . . . 41

Appendix A Enabling Unblock Card in Windows Vista, 7 and 8 . . . 43

Appendix B Activating the IDGo 500 Credential Provider PIN List . . . 47

Terminology . . . 48
  Abbreviations . . . 48
  Glossary . . . 48

References . . . 50
  Standards and Specifications . . . 50
  Recommended Reading . . . 50


List of Figures

Figure 1 - Microsoft Update Catalog (Windows 8) . . . 4
Figure 2 - Microsoft Update Catalog (Other Windows Versions) . . . 4
Figure 3 - MU Catalog - Download Options Page . . . 4
Figure 4 - Installing the Minidriver dll . . . 5
Figure 5 - Update Driver Software . . . 5
Figure 6 - Select Your Device’s Type Window . . . 6
Figure 7 - Install From Disk Window . . . 6
Figure 8 - Select The Device’s Driver Window . . . 7
Figure 9 - Select Your Device’s Type Window (showing Minidriver) . . . 7
Figure 10 - Custom Setup Window . . . 10
Figure 11 - Custom Setup Window - Options For Each Item . . . 11
Figure 12 - Smart Card PIN Tool (Change PIN Tab) . . . 15
Figure 13 - Windows Seven Secure Desktop . . . 16
Figure 14 - Windows Seven Smart Card Change PIN Window . . . 16
Figure 15 - Mozilla Firefox Encryption Options Dialog . . . 17
Figure 16 - Device Manager . . . 17
Figure 17 - Change Master Password Window . . . 18
Figure 18 - Smart Card PIN Tool (Unblock PIN Tab) . . . 20
Figure 19 - Smart Card Unblock Screen (Windows Seven) . . . 21
Figure 20 - Welcome to Windows Screen . . . 23
Figure 21 - Windows Log On Dialog Box . . . 24
Figure 22 - First Windows Vista Screen . . . 24
Figure 23 - Vista Logon Window 2 . . . 25
Figure 24 - Window Vista – Select User . . . 25
Figure 25 - Windows Vista – Insert a Smart Card Window . . . 25
Figure 26 - Windows Vista – Smart Card User Displayed . . . 26
Figure 27 - Security Properties Dialog Box . . . 27
Figure 28 - Change Security Settings Dialog Box . . . 27
Figure 29 - Outlook 2007 – Encryption Icon . . . 28
Figure 30 - Outlook 2007 – Signature Icon . . . 28
Figure 31 - Thunderbird Write Icon . . . 28
Figure 32 - Thunderbird – Encrypt This Message . . . 29
Figure 33 - Thunderbird – Account Settings . . . 29
Figure 34 - Thunderbird – “Use Same Certificate” Message . . . 30
Figure 35 - Thunderbird – Account Settings (2) . . . 30
Figure 36 - Powerpoint Signature Window . . . 31
Figure 37 - The Sign Window . . . 31
Figure 38 - Choosing the Signature Details in Powerpoint . . . 32
Figure 39 - Gemalto’s .NET Utilities Web Site . . . 33
Figure 40 - Relationship Between PIN Roles, Keys and Files (Certificates) . . . 35
Figure 41 - Change PIN at First Use Window . . . 35
Figure 42 - Windows 7 - Ctrl Alt Del Prompt . . . 36
Figure 43 - Windows 7 Password Logon . . . 37
Figure 44 - Windows 7 – Select User . . . 37
Figure 45 - Windows 7 – Insert a Smart Card Window . . . 38
Figure 46 - Windows 7 – Smart Card User Displayed . . . 38
Figure 47 - Windows 7 Secure Desktop . . . 39
Figure 48 - Windows 7 Secure Desktop - Standard Password Prompt . . . 39
Figure 49 - Standard Windows 7 Credential Provider . . . 40
Figure 50 - Windows 7 Gemalto Smart Card Credential - Change PIN Window . . . 40
Figure 51 - Windows 7 - Change PIN for a Role . . . 41
Figure 52 - Windows 7 - Unblock PIN for a Role . . . 42
Figure 53 - MMC in Programs Window . . . 43
Figure 54 - “Add or Remove Snap-Ins” dialog box . . . 44


Figure 55 - “Select Group Policy Object” dialog box . . . 44
Figure 56 - “Browse for a Group Policy Object” dialog box . . . 44
Figure 57 - Local Computer Policy Objects for Smart Cards . . . 45
Figure 58 - “Allow Integrated Unblock screen to be displayed” . . . 45
Figure 59 - “Display string when smart card is blocked” dialog box . . . 46


Introduction

This document describes use cases for Gemalto’s IDPrime .NET cards in a Microsoft Windows environment, in particular those that involve a PIN.

Who Should Read This Book

This guide is intended for system integrators who want to integrate IDPrime .NET smart cards in their systems and in particular use the smart card PIN management tools. It describes the smart card framework architecture and provides PIN management use cases.

It is assumed that users are familiar with .NET smart cards/tokens and smart card reader technology, as well as computer hardware and software.

It is assumed that the IDPrime .NET Smart Cards user has:

■ an understanding of the basic operations in a computer OS.

■ administrative privileges for the computer on which PKCS#11 for .NET Smart Cards will be installed.

Documentation

For documentation about .NET Cards, please go to the Gemalto Product Catalog and consult the Download section at http://www.gemalto.com/products/dotnet_card/

Conventions

The following conventions are used in this document:

Windows Versions

Where this document refers to Windows 7 and 8, it is equally applicable to Windows Server 2008 R2 and Windows Server 2012.

Typographical Conventions

The .NET Smart Cards documentation uses the following typographical conventions to assist the reader of this document.

Convention    Example              Description
Bold Type     myscript.dll         Actual user input or screen output.
>             Select File > Open   Indicates a menu selection. In this example you are instructed to select the “Open” option from the “File” menu.


Additional Resources

For further information or more detailed use of IDPrime .NET Smart Cards, additional resources and documentation are available on the following web site:

www.gemalto.com/products/dotnet_card

For Further Help

You can find information on how to contact your Gemalto representative by clicking Contact Us at the Gemalto web site, www.gemalto.com.

If You Find an Error

Gemalto makes every effort to prevent errors in its documentation. However, if you discover any errors or inaccuracies in this document, please inform your Gemalto representative. Please quote the document reference number found at the bottom of the legal notice on the inside front cover.


Chapter 1 Introduction to IDPrime .NET Smart Cards

The purpose of this document is to describe the main use cases for Gemalto’s IDPrime .NET card in a Microsoft Windows environment, in particular those concerning PINs.

The IDPrime .NET range is made up of various cards and tokens containing cards; Table 1 describes the range.

IDPrime .NET smart cards run a streamlined version of the .NET Framework in order to provide customizable two-factor authentication and full cryptographic capabilities seamlessly within the Windows environment. Now, organizations can easily leverage Gemalto's advanced smart card technology to secure their networks from end to end using a variety of security technologies to meet their needs while dramatically reducing implementation costs and complexity.

IDPrime .NET smart cards require Microsoft's Base Smart Card Cryptographic Service Provider (CSP) Package as follows:

■ Windows 7 and 8 (and Server 2008 R2 and Server 2012): The base CSP is V7 and is integrated already in Windows 7 and 8.

■ Windows Vista (and Server 2008): The base CSP is V6. For Vista SP1, base CSP V6 is already integrated in Vista. However, for pre-SP1 Vista, base CSP V6 needs to be downloaded via Windows Update.

■ Windows XP and Server 2003: The base CSP is V5. The base CSP V5 must be downloaded via Windows Update.

In a Windows environment users do not need to install any proprietary middleware to use the IDPrime .NET Card. However, integrators of multi-platform solutions can also choose to use the PKCS#11 .NET libraries for portability purposes.

Table 1 - IDPrime .NET Card Range

Card / Token         Description
IDPrime .NET 510     Standard version, contact only
IDPrime .NET 511     Standard version, hybrid card based on several contactless standards
IDPrime .NET 5500    Standard card with the biometric Match-On-Card option, contact only
IDPrime .NET 5501    Standard card with the biometric Match-On-Card option, hybrid card based on several contactless standards
IDPrime .NET 7510    .NET Display card, contact only
IDPrime .NET 7519    OTP USB token based on IDPrime .NET 510


IDPrime .NET smart cards are also compatible with Microsoft's Forefront Identity Manager (FIM) and its predecessor Identity Lifecycle Manager (ILM), a policy and workflow solution for management of the lifecycle of digital certificates and smart cards.

Thanks to this high level of integration with Microsoft's operating systems and smart card related security solutions, IDPrime .NET smart cards offer the easiest and most cost efficient solution for implementation of a strong two-factor security infrastructure.

The IDPrime .NET smart card architecture also provides an open platform for the development and implementation of a wide range of security solutions. It works as a seamless companion to the Microsoft .NET environment and service oriented architectures to provide support for on-card applications and services within the Windows environment and to empower application developers through features such as advanced memory management, high security, and tight language integration.

Caution: As the security of the card is built around the Admin Key, it is very important to change its value from the default one.


Chapter 2 Installing the IDGo 500 Minidriver dll with Windows Update

Introduction

The IDGo 500 minidriver dll needs to be installed manually using Windows Update if you are using any of the following operating systems:

■ Windows XP

■ Windows Server 2003

■ Windows Vista

■ Windows Server 2008

For Windows 7 (and Windows Server 2008 R2) and Windows 8 (and Windows Server 2012), the dll is installed automatically by the Windows “plug and play” feature when you insert the IDPrime .NET card. However if your administrator has blocked this function on your computer, you will need to install it using Windows Update as described here or as an additional component as described in “Installing the IDPrime .NET Additional Components for Windows 7 and later” on page 9.

In Windows 7 and Windows 8 you also need to make sure that Windows recognizes the smart card as a device, as explained in “To make Windows 7 and 8 recognize the smart card as a device:” on page 5.

To install the IDGo 500 minidriver dll using Windows Update:

1 Click one of the following links to the Microsoft Update (MU) Catalog, according to your version of Windows:

– For Windows 8: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto%20minidriver%20idprime

– For other versions of Windows: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto%20minidriver%20net

2 If you are prompted to install the MU Catalog ActiveX Control, do so by following the displayed instructions.

The catalog displays the list of Gemalto drivers for IDPrime .NET smart cards as shown in “Figure 1” on page 4.


Figure 1 - Microsoft Update Catalog (Windows 8)

Figure 2 - Microsoft Update Catalog (Other Windows Versions)

3 Click Add on the latest version of the IDGo 500 minidriver dll.

4 Click View Basket.

5 Click Download. A Download Options page appears like the one shown in “Figure 3” on page 4.

Figure 3 - MU Catalog - Download Options Page

6 Either enter the path of the location where you want to download the driver or use the Browse button to navigate to it. When you have done this, the Continue button appears.

7 Click Continue.

8 The progress window indicates the status of the download. Wait until the Progress column displays Done, then click Close.

9 In Windows Explorer, go to the location where you downloaded the IDGo 500 minidriver dll. It appears as a zipped file with the .cab suffix.

10 Double-click the .cab file to open it.

11 Unzip the contents to a temporary directory on your computer.

12 Right-click the Gemalto.MiniDriver.NET.inf file and choose Install as shown in “Figure 4”.

Note: For Windows 8 this is the one in “Figure 1”.


Figure 4 - Installing the Minidriver dll

The installation is done.

To make Windows 7 and 8 recognize the smart card as a device:

1 Open Computer Management (Start > Control Panel > System and Security > Administrative Tools > Computer Management).

2 In the left pane, select Device Manager.

3 In the right pane, select Smart Card, right-click and choose Update Driver Software as shown in “Figure 5”.

Figure 5 - Update Driver Software

4 In answer to the question How do you want to search for driver software? choose Browse my computer for driver software.

5 In the next window Browse for driver software on your computer, choose Let me pick from a list of device drivers on my computer. This displays the window shown in “Figure 6” on page 6.


Figure 6 - Select Your Device’s Type Window

6 Choose Smart cards and click Next.

7 In the Select the device driver you want to install for this hardware window, click Have Disk to display the Install From Disk window as shown in “Figure 7”.

Figure 7 - Install From Disk Window

8 In the Locate file window that opens, browse to the Gemalto.MiniDriver.NET.inf file (in Drivers 7) and click Open.


9 This returns you to the Select the device driver you want to install for this hardware window. Notice that the minidriver now appears under Model as shown in “Figure 8”.

Figure 8 - Select The Device’s Driver Window

10 Click Next. A window appears to tell you “Windows has successfully updated your driver software”. Click Close.

Notice that in the Select your device’s type window, the minidriver now appears under Smart cards, as shown in “Figure 9”.

Figure 9 - Select Your Device’s Type Window (showing Minidriver)
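The same work (unpacking the .cab, installing Gemalto.MiniDriver.NET.inf, and confirming that Windows binds the smart card to the minidriver) can be scripted and verified from an elevated PowerShell prompt. The script below is an added example and is not part of the Gemalto guide; the .cab and extraction paths are placeholders, and the catalog signature check before staging is an extra precaution the guide does not describe.

```powershell
# Added example, not from the Gemalto guide. Run from an elevated PowerShell prompt on
# Windows 7/8 after downloading the minidriver .cab from the MU Catalog (steps 1-9 above).
# Both paths are placeholders; adjust them to where you saved the package.
$CabPath    = 'C:\Temp\GemaltoMinidriver.cab'   # placeholder: the downloaded .cab
$ExtractDir = 'C:\Temp\GemaltoMinidriver'       # placeholder: temporary directory

$ErrorActionPreference = 'Stop'

# Steps 10-11: unpack the .cab into the temporary directory (expand.exe ships with Windows).
New-Item -ItemType Directory -Force -Path $ExtractDir | Out-Null
& expand.exe -F:* $CabPath $ExtractDir | Out-Null

# Locate the INF named in the guide; stop if the package does not contain it.
$inf = Get-ChildItem -Path $ExtractDir -Recurse -Filter 'Gemalto.MiniDriver.NET.inf' |
       Select-Object -First 1
if (-not $inf) { throw "Gemalto.MiniDriver.NET.inf not found under $ExtractDir" }

# Precaution the guide does not mention: verify the Authenticode signature on the
# package catalog (.cat) before staging, so an altered package never reaches the driver store.
$catalogs = Get-ChildItem -Path $inf.DirectoryName -Filter '*.cat'
if (-not $catalogs) { throw "No catalog (.cat) file found next to $($inf.Name)" }
foreach ($cat in $catalogs) {
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $($cat.Name) is '$($sig.Status)'; not installing"
    }
    Write-Host "Catalog $($cat.Name) signed by: $($sig.SignerCertificate.Subject)"
}

# Step 12: stage the package in the driver store and install it on matching devices.
# 'pnputil -i -a' is the Windows 7/8 syntax (newer builds also accept /add-driver ... /install).
& pnputil.exe -i -a $inf.FullName
if ($LASTEXITCODE -ne 0) { throw "pnputil failed with exit code $LASTEXITCODE" }

# Check for the 'recognize the smart card as a device' procedure: with the card inserted,
# a SmartCard-class device with Gemalto as manufacturer should now be bound to the minidriver.
$bound = Get-WmiObject -Class Win32_PnPSignedDriver |
         Where-Object { $_.DeviceClass -like 'SmartCard*' -and $_.Manufacturer -like '*Gemalto*' }
if ($bound) {
    $bound | Select-Object DeviceName, Manufacturer, DriverVersion, InfName | Format-Table -AutoSize
} else {
    Write-Warning 'No Gemalto smart card device is bound yet: insert the card, then follow the Device Manager steps above.'
}
```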


Chapter 3 Installing Additional Components for Windows 7 & Later

Introduction

IDPrime .NET cards can be used with Microsoft applications without having to install any middleware or software. However, for Windows 7 and Server 2008 R2 and later, there are some additional components you may choose to install as follows:

The IDGo 500 Credential Provider

Gemalto provides an enhanced credential provider which can be used instead of the standard Microsoft one. For a description of the features brought by this optional credential provider, please refer to “Chapter 6 - The Gemalto IDGo 500 Credential Provider”. If you want to use this credential provider, you will need to install it as described in this chapter.

The IDGo 5000 Biometric Solution

In Windows 7 and later this application is one of the optional components that you can install. This is described in “Installing the IDPrime .NET Additional Components for Windows 7 and later” on page 9.

For Windows XP this application has its own installation setup, which is described in the IDGo 5000 Bio Solution for Windows XP Administrator Guide.

The IDGo 500 Minidriver dll

In Windows 7 and later, the IDGo 500 minidriver can be installed automatically using Windows Update as described on page 3. However, it is also included as one of the additional components that can be installed, so you can install it yourself if you prefer as described in “Installing the IDPrime .NET Additional Components for Windows 7 and later” on page 9.


System Requirements

Software and Middleware Requirements

The use of the IDGo 500 credential provider requires the following:

■ One of these versions of Windows:

– Windows 7 (32 and 64-bit platforms)

– Windows Server 2008 R2 (64-bit platforms)

– Windows 8 (32 and 64-bit platforms).

– Windows Server 2012 (64-bit platforms)

■ .NET 3.5 framework — this is already integrated in Windows 7 and later.

If you are going to use the IDGo 5000 Biometric Solution, there are additional requirements. Please refer to the IDGo 5000 Bio Solution for Windows 7 and 8 Administrator Guide for full details.

Hardware Requirements

The use of the IDGo 500 credential provider requires a standard PC/SC smart card reader for the IDPrime .NET smart card.

Compatible Smart Card Readers

The smart card reader may be integrated with the PC (or laptop) or it can be an external device that is connected via USB. The IDPrime .NET solution is compatible with any certified PC/SC Chip Card Interface Device (CCID), USB class or embedded smart card reader.

Installation

Installation Recommendations

Make sure you have the administrative rights to your PC in order to install the IDPrime .NET Solution.

Installing the Smart Card Reader

Gemalto recommends that you use the Gemalto IDBridge CT30 (ex-GemPC Twin) smart card reader as it does not have any particular installation requirements. When you plug in the reader, Windows Update downloads and installs the required driver.

For other smart card readers, check the support web site of the card reader vendor for instructions on how to install it for Windows 7 and later.

Installing the IDPrime .NET Additional Components for Windows 7 and later

1 Click the following hyperlink to find the installation files:

http://www.gemalto.com/products/dotnet_card/resources/libraries.html

2 Double-click the installation file that matches your Windows platform (32-bit or 64-bit):

– Gemalto.IDPrime.NET.Solution_x86.msi (32-bit)

– Gemalto.IDPrime.NET.Solution_x64.msi (64-bit)


If you do not have one of the items listed in “Software and Middleware Requirements” on page 9 installed on the computer, a message appears telling you this.

3 When the Welcome dialog box appears, click Next to continue.

4 When the License Agreement dialog box appears, read and accept the terms and click Next to continue.

5 In Destination Folder, either choose a new location by clicking Change and navigating to a different location or accept the default installation directory (recommended). Click Next.

6 In Setup Type, do one of the following:

– Choose Complete to install the IDGo 500 minidriver, the IDGo 500 credential provider and the IDGo 5000 Biometric Solution, then click Next. Go to step 11.

– Choose Custom to display the Custom Setup window as shown in “Figure 10”.

Figure 10 - Custom Setup Window

7 For each icon in the list, click the icon to display the installation options as shown in “Figure 11”, using the IDGo 500 Credential Provider as an example.

Note: You can print the License Agreement from this dialog box.


Figure 11 - Custom Setup Window - Options For Each Item

8 Either choose the first option, This feature will be installed on local hard drive, to install the component, or choose This feature will not be available if you do not want to install it. If you do nothing, the component is installed by default.

9 Optionally, you can perform the following operations:

– Find out if you have enough room on your local hard disk for the features you have chosen by clicking Space.

– Find out the installation status of the features by clicking Help. The icon for each feature reflects its installation status, and the Help window that opens describes the meaning of each icon.

10 When you have made your choice for each icon in the list, click Next.

11 When the Ready to Install the Program window appears, click Install. A progress bar displays during the installation.

12 If User Account Control is activated, a message may appear asking if you want to allow a program from an unknown publisher to make changes to the computer. Click Yes.

13 When the “completed” window appears, click Finish.

14 Reboot your computer if prompted. (Gemalto recommends that you reboot it anyway, as you will need to in order to use the IDPrime .NET solution.)

15 Connect the smart card reader.

16 Insert your smart card. This installs the IDGo 500 Minidriver for you automatically via Windows Update.

Note: The other items in the menu are not applicable to this installation.

Note: Do not use the Change button to modify the installation location. If you want to change the installation directory, click Back to return to the Destination Folder window.

Note: If you did not install the IDGo 500 Minidriver as one of your options and your IDPrime .NET card has not yet been connected to the machine, you will also need to perform the next two steps.


17 The installation is complete.

Modifying the IDPrime .NET Additional Components Installation

You can modify your choices of additional components after installation, for example if you want to install an additional component that you forgot the first time or if you want to remove a component that you installed.

To modify the IDPrime .NET additional components installation:

1 Begin the installation wizard by doing one of the following:

– Double-click the installation file that matches your version of Windows 7 or later (either Gemalto.IDPrime.NET.Solution_x86.msi (32-bit) or Gemalto.IDPrime.NET.Solution_x64.msi (64-bit)).

– In the Control Panel, click Uninstall a Program, select IDPrime .NET Solution for 32 bits (or 64 bits) in the list and click Change (the Change button appears at the top of the screen when you select the IDPrime .NET Solution entry).

2 If User Account Control is activated, a message may appear asking if you want to allow a program from an unknown publisher to make changes to the computer. Click Yes.

3 When the Welcome dialog box appears, click Next to continue.

4 In Program Maintenance, choose Modify. This displays the Custom Setup window.

5 For each icon in the list, click the icon to display the installation options as shown in “Figure 11”, using the IDGo 500 credential provider as an example.

6 Optionally, you can find out the installation status of the features by clicking Help. The icon for each feature reflects its installation status, and the Help window that opens describes the meaning of each icon.

7 When you have made your choice for each icon in the list, click Next.

8 When the Ready to Modify the Program window appears, click Install. A progress bar displays during the installation.

9 When the “completed” window appears, click Finish.

10 Reboot your computer if prompted.

Uninstallation

Normally you should not need to uninstall the IDPrime .NET Solution as this happens automatically when you install a new version. However, if you need to uninstall it manually, the procedure is:

To remove IDPrime .NET from your computer:

1 In the Control Panel, click Uninstall a Program.

Note: The IDGo 500 credential provider (CP) is needed by the IDGo 5000 Biometric Solution, so if you choose to install the IDGo 5000 but NOT the IDGo 500 CP, the installation installs the CP for you anyway.

Note: Choosing This feature will not be available for a component that is already installed, uninstalls it.


2 Select IDPrime .NET Solution for 32 bits (or 64 bits) in the list and click Uninstall (the Uninstall button appears at the top of the screen when you select IDPrime .NET Solution 32 bits (or 64 bits)).

3 If a confirmation box appears, click Yes.

4 Depending on how Windows 7 or 8 is configured on the computer, if User Account Control is activated, a warning may appear asking whether you want to allow access to an unidentified program. Choose Yes.

5 Again, if User Account Control is activated, a message may appear to tell you to close certain applications. If it does, choose the Automatically close applications option and click OK.

6 A progress bar displays during the removal. When it closes, the removal is complete and IDPrime .NET has been removed from your computer.

7 If prompted, restart your computer.

User Certificate Enrollment

The enrollment steps depend on your enrollment method; ask your administrator for instructions. Check that the certificate is correctly enrolled by performing a standard smart card logon.

Chapter 4 - PIN Use Cases

This chapter describes how to use the smart card PIN management tools to change and unblock the PIN according to the different versions of Windows.

If you have Windows 7 or later and you installed the optional IDGo 500 credential provider, you can manage 6 user PINs (roles 1 and 3-7). Please refer to “Chapter 6 - The Gemalto IDGo 500 Credential Provider” for how to change and unblock the PINs using the IDGo 500 credential provider.

Changing the User PIN

The PIN is a set of characters the user is asked to present whenever the card is used for a cryptographic operation (Windows logon, e-mail signature, e-mail encryption, VPN access, and so on). It is 4 to 255 characters long (4 by default) and must respect the rules defined by the Administrator in the PIN Policy.

You can change a User PIN in an IDPrime .NET card in one of the following ways:

■ Use Gemalto’s .NET Utilities web page. For more information about .NET Utilities go to:

http://www.netsolutions.gemalto.com/netutils/Default.aspx

■ If your OS is Windows XP or Server 2003, use the Smart Card PIN Tool described in “Windows XP and Server 2003”

■ If your OS is Windows Vista or later, use the secure desktop as described in “Windows Vista or later (without IDGo 500 Credential Provider)” on page 15

■ If your OS is Windows 7 or Server 2008 R2 and you have the optional IDGo 500 credential provider, use the secure desktop as described in “Changing a User PIN” on page 39.

■ Use Mozilla Firefox, as described in “Firefox” on page 17.

Windows XP and Server 2003

The Smart Card PIN Tool is included as part of the downloadable Smart Card Base CSP package (KB909520), available via Windows Update. It becomes available as soon as the Base CSP package is installed on the machine. The following procedure describes what to do, from the end-user’s point of view.

To change the User PIN using the smart card PIN Tool:

1 From Start, choose Run and type PINTool.


2 When prompted, insert an IDPrime .NET card in the reader. The PIN tool appears, as shown in “Figure 12”.

Figure 12 - Smart Card PIN Tool (Change PIN Tab)

3 In the Change PIN tab, enter the current PIN value in Old PIN, then the new PIN value in New PIN and again in Confirm New PIN. (Do not copy and paste the new PIN value.)

4 Click Change PIN. A message displays to tell you if the change operation succeeds or not.

5 Click Close to close the Smart Card PIN Tool.

Windows Vista or later (without IDGo 500 Credential Provider)

In these versions of Windows, users can change their smart card user PIN using the secure desktop.

The secure desktop is the most trusted context in the operating system. The most common use of the secure desktop is the User Log on to Windows. However, it is also used for other secure operations with user credentials, such as password changes and now smart card PIN management.

The screens shown in these examples are Windows Seven, but the process is the same for the other OS.

The IDPrime .NET smart card default PIN Value is 0000.


To change the User PIN using the secure desktop:

1 Press the Ctrl+Alt+Del keys to launch the secure desktop in Windows Seven (“Figure 13” on page 16).

Figure 13 - Windows Seven Secure Desktop

2 Select Change a Password.

3 Insert the smart card in the smart card reader attached to the machine and click Other Credentials.

4 In the credential provider, select the smart card user tile. This displays the PIN change window as shown in “Figure 14”.

Figure 14 - Windows Seven Smart Card Change PIN Window

5 Enter the old PIN, the new PIN and confirm the new PIN in the appropriate fields, then click the arrow.


Firefox

To change a User PIN in an IDPrime .NET card using Mozilla Firefox:

1 Make sure your card/token is connected.

2 Open the Mozilla Firefox browser and from the Tools menu choose Options.

3 Click the Advanced icon, then the Encryption tab as shown in “Figure 15”.

Figure 15 - Mozilla Firefox Encryption Options Dialog

4 Click Security Devices to display the Device Manager window. This displays the modules currently available as shown in “Figure 16”.

Figure 16 - Device Manager

Note: You must have already installed IDGo 500 PKCS#11 on the computer. Please refer to the IDGo 500 PKCS#11 Library for Windows User Guide available at:

http://www.gemalto.com/products/dotnet_card/resources/technical_doc.html.


5 In Device Manager, select the card whose PIN you want to change, as shown in “Figure 16”.

6 Click Change Password. The window shown in “Figure 17” appears.

Figure 17 - Change Master Password Window

7 In Current Password, enter the current PIN value.

8 In New Password and New Password (again), enter the new PIN value for the smart card.

9 Click OK.

Unblocking the User PIN

A smart card user can only attempt to present the PIN a limited number of times. If the user repeatedly presents a wrong PIN value and reaches the maximum number of unsuccessful PIN attempts allowed, the card becomes blocked.

Once the card is blocked, it can no longer be used. The only way to restore it is by using the “Unblock Card” procedure.

The Unblock Card Procedure

The smart card unblock feature requires the use of an Admin Key that the regular end user should not have direct access to. The user will require support from a Security Officer, IT Administrator or Helpdesk Service to complete this operation.

To protect the confidentiality of the Admin Key, the Unblock procedure does not require the end user to present the Admin Key directly. Instead, a challenge-response procedure is used as follows:

1 The user retrieves a Challenge from the card

2 The user communicates the Challenge to the IT Admin / Helpdesk

The IDPrime .NET smart card default maximum number of unsuccessful PIN attempts is 5.

Caution: If the Admin Key (or Admin PIN) is blocked, you can never unblock the card - not even by using the unblock card procedure.

As the security of the card is built around the Admin Key it is very important to change its value from the default one.


3 The IT Admin / Helpdesk combines the 16-digit Challenge (8 bytes) and the user's Admin Key (24 bytes) using the Triple DES algorithm to calculate the unique Response (8 bytes) to the challenge.

4 The IT Admin / Helpdesk communicates the Response to the end user.

5 The end user enters the Response value and defines a new value for the user PIN, which will be established once the Card Unblock procedure is completed.

6 The smart card confirms that the Response provided is correct, by comparing the value entered by the user with the one generated within the card using the Challenge generated by the card and the Admin Key stored in the card. If both values match, the card is successfully unblocked, the new user PIN is established and the PIN attempt counter is reset.

It is important to note that, as with the Verify PIN procedure, the Unblock Card procedure is protected by a maximum number of unsuccessful unblock attempts. Once the maximum number of unsuccessful unblock attempts is reached the card is permanently blocked even to an administrator, and all data stored in the card becomes permanently inaccessible. For this reason it is important to perform the unblock procedure with great care.

As with the Change PIN procedure, the process and tools used to unblock a smart card in Windows Vista and 7 are different from those in earlier operating systems.

Windows XP and Server 2003

In order to use the PIN Tool, the user must log in to a machine normally (that is, without using the smart card).

The following procedure describes what to do, from the end-user’s point of view.

To unblock the User PIN using the smart card PIN Tool:

1 From Start, choose Run and type PINTool.

2 When prompted, insert an IDPrime .NET card in the reader. The PIN tool appears.

3 Click the Unblock tab as shown in “Figure 18” on page 20.

The IDPrime .NET smart card default Admin Key value is 0000..0000 (24 bytes, 48 digits long).


Figure 18 - Smart Card PIN Tool (Unblock PIN Tab)

4 Click Unblock. The card generates the 16-digit challenge and displays it in Challenge.

5 Tell your IT Admin / Helpdesk the value of this challenge. They will give you a 16-digit (8 byte) response.

6 Enter this response in Response.

7 Enter the new PIN value in New PIN and again in Confirm New PIN. (Do not copy and paste the new PIN value.)

8 Click OK. A message displays to tell you if the unblock operation succeeds or not.

9 Click Close to close the Smart Card PIN Tool.

Windows Vista or later (without IDGo 500 Credential Provider)

As with the Change PIN functionality, the Smart Card Unblock is integrated into the Windows Vista and Seven secure desktops. However, it is not configured by default and must be explicitly enabled via Group Policy (see “Appendix A - Enabling Unblock Card in Windows Vista, 7 and 8” for details on how to enable Smart Card PIN Unblock in Windows Vista and Seven).

When this feature is enabled, the user is presented with the Smart Card Unblock screen (“Figure 19”) when logon is attempted using a blocked smart card.


Figure 19 - Smart Card Unblock Screen (Windows Seven)

To unblock the User PIN using the secure desktop:

1 The card generates the 16-digit challenge and displays it above the three empty fields as shown in “Figure 19”.

2 Tell your IT Admin / Helpdesk the value of this challenge. They will give you a 16-digit (8 byte) response.

3 Enter this response in the first field.

4 Enter the new PIN value in the second and third fields and click the arrow next to the third field. A message displays to tell you if the unblock operation succeeds or not.

Administrator Tools for Card Unblock

The Smart Card Unblock process requires the administrator to be able to calculate the response to a Challenge provided by the smart card of any end user that he/she is responsible for. This in turn means that the administrator must:

1 Know, or otherwise have access to, the Admin Key values for all smart cards in use, and

2 Have access to a Triple DES tool to calculate the Response based on the Challenge and the Admin Key of a given user's smart card.

None of the Windows operating systems provide any means for administrators to handle the secure back-end storage of the users' smart card Admin Keys. Nor do they provide a back-end tool to calculate the response to a challenge.


These features are commonly provided by commercial Base CSP-compliant Card Management Systems (CMS), including Microsoft's Forefront Identity Manager (FIM) and its predecessor Identity Lifecycle Manager (ILM), or Gemalto’s Device Administration Service (DAS).
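The challenge-response calculation of steps 3 and 6 in “The Unblock Card Procedure”, and the Triple DES back-end tool that this section says a CMS must supply, as an added Go example that is not Gemalto's code or tool: the helpdesk side computes the Response from the Challenge and the Admin Key, and a model of the card side verifies it and enforces the unblock retry limit. Assumed, because the guide gives only the algorithm and the sizes: single-block 3DES encryption of the challenge, hexadecimal digits, and a retry limit of 3; the Admin Key and PIN values are constructed.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Sizes stated in the guide: 8-byte challenge and response, 24-byte Admin Key.
// The guide says an unblock retry limit exists but not its value; 3 is constructed.
const (
	ChallengeLen       = 8
	AdminKeyLen        = 24
	MaxUnblockAttempts = 3
)

// ComputeResponse is the helpdesk / CMS side of step 3: Triple DES of the 8-byte
// challenge under the 24-byte Admin Key, returned as 16 hex digits. Single-block
// 3DES encryption (no mode, no IV) is an assumption; the guide only names the algorithm.
func ComputeResponse(adminKeyHex, challengeHex string) (string, error) {
	key, err := hex.DecodeString(strings.TrimSpace(adminKeyHex))
	if err != nil || len(key) != AdminKeyLen {
		return "", errors.New("admin key must be 48 hex digits (24 bytes)")
	}
	challenge, err := hex.DecodeString(strings.TrimSpace(challengeHex))
	if err != nil || len(challenge) != ChallengeLen {
		return "", errors.New("challenge must be 16 hex digits (8 bytes)")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	response := make([]byte, ChallengeLen)
	block.Encrypt(response, challenge)
	return strings.ToUpper(hex.EncodeToString(response)), nil
}

// Card models the card side: it keeps the Admin Key, issues one random challenge per attempt, and counts failures.
type Card struct {
	adminKeyHex, pendingChallenge  string
	UserPIN                        string
	PINBlocked, PermanentlyBlocked bool
	unblockFailures                int
}

// NewCard returns a card whose user PIN is already blocked (the procedure's starting point); the PIN is a constructed sample.
func NewCard(adminKeyHex string) *Card {
	return &Card{adminKeyHex: adminKeyHex, UserPIN: "0000", PINBlocked: true}
}

// GetChallenge is step 1: the card generates the 16-hex-digit challenge.
func (c *Card) GetChallenge() (string, error) {
	if c.PermanentlyBlocked {
		return "", errors.New("card is permanently blocked")
	}
	buf := make([]byte, ChallengeLen)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c.pendingChallenge = strings.ToUpper(hex.EncodeToString(buf))
	return c.pendingChallenge, nil
}

// Unblock is step 6: the card recomputes the response from its own Admin Key and the
// challenge it issued, compares in constant time, and on success sets the new PIN and
// resets the counter. Each wrong response consumes an attempt; the limit blocks the card for good.
func (c *Card) Unblock(responseHex, newPIN string) error {
	switch {
	case c.PermanentlyBlocked:
		return errors.New("card is permanently blocked")
	case c.pendingChallenge == "":
		return errors.New("retrieve a challenge first")
	case len(newPIN) < 4 || len(newPIN) > 255: // PIN length range given in the guide
		return errors.New("new PIN must be 4 to 255 characters")
	}
	expected, err := ComputeResponse(c.adminKeyHex, c.pendingChallenge)
	if err != nil {
		return err
	}
	c.pendingChallenge = "" // a challenge is valid for exactly one attempt
	if subtle.ConstantTimeCompare([]byte(expected), []byte(strings.ToUpper(strings.TrimSpace(responseHex)))) != 1 {
		if c.unblockFailures++; c.unblockFailures >= MaxUnblockAttempts {
			c.PermanentlyBlocked = true
			return errors.New("wrong response: retry limit reached, card permanently blocked")
		}
		return fmt.Errorf("wrong response: %d attempt(s) left", MaxUnblockAttempts-c.unblockFailures)
	}
	c.unblockFailures, c.UserPIN, c.PINBlocked = 0, newPIN, false
	return nil
}

func main() {
	adminKey := "0123456789ABCDEFFEDCBA98765432100011223344556677" // constructed, non-default key
	card := NewCard(adminKey)
	challenge, _ := card.GetChallenge()                 // step 1: the user reads this from the card
	response, _ := ComputeResponse(adminKey, challenge) // step 3: the helpdesk calculates it
	fmt.Println("challenge:", challenge, "response:", response, "unblock:", card.Unblock(response, "1357"))
}
```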

Automated Card Unblock

The unblock card process, as described previously, forces the end user to interact with an administrator that verifies the end user's identity prior to providing the response code. It is perfectly possible, however, to automate the response calculation process in order to avoid involvement of the administrator. In this case, the identity check performed by the administrator could be replaced by an online identity questionnaire. This capability could be provided by or customized for any given Card Management System. This scenario is out of the scope of this document.

Test users of IDPrime .NET cards can find an Unblock Card tool in the Gemalto .NET Utilities portal. Please refer to “How to Test and Manage IDPrime .NET Test Cards” on page 33 for more information.

Chapter 5 - Other Use Cases

This chapter describes how to use the IDPrime .NET smart card for other tasks, such as signing e-mails and accessing secure web sites.

If you have Windows 7 and you installed the optional IDGo 500 credential provider, logging on with an IDPrime .NET card is slightly different. Please refer to “Chapter 6 - The Gemalto IDGo 500 Credential Provider” for how to log on with an IDPrime .NET card using the IDGo 500 credential provider.

Logging on Using an IDPrime .NET Card

Logging on to Windows with a smart card/token is fast and easy.

To log on to Windows XP and Windows Server 2003 with a smart card/token:

1 Start Windows. A Welcome to Windows message box similar to the one in “Figure 20” opens.

Figure 20 - Welcome to Windows Screen

2 Connect your smart card/token to open a Log On to Windows dialog box like the one shown in “Figure 21”.


Figure 21 - Windows Log On Dialog Box

3 Enter your PIN then click OK.

To log on to Windows Vista or later (and Windows Server versions) with a smart card/token:

This procedure shows the standard case where the IDGo 500 credential provider for Windows 7 is not installed. In this case, setting the single sign-on (SSO) has no effect, and you must enter the PIN whenever prompted. The screen shots were taken from Windows Vista, but the procedure is the same for the other OS.

1 Start Windows. The window shown in “Figure 22” opens.

Figure 22 - First Windows Vista Screen

2 Press <CTRL> <ALT> <DEL>. The window that displays next can be one of the following different cases:

■ If an administrator or user icon displays, as shown in “Figure 23”, follow the steps that follow “Figure 23”.

■ If all the user icons and smart card icon display, as shown in “Figure 24”, follow the steps that follow “Figure 24”.

■ If the smart card icon displays on its own with the text “Insert a smart card” as shown in “Figure 25”, follow the steps that follow “Figure 25”.

■ If the smart card icon displays on its own with the name of the card/token user underneath as shown in “Figure 26”, follow the steps that follow “Figure 26”.

Note: If you are using the IDGo 5000 Biometric Solution, the window is almost the same but shows the .NET Bio logo.

Caution: If the “Change PIN at First Use” option is activated for your cards, you will have to change the PIN manually before you can use the card. To do this, you will need to log on first with a different card or log on normally without using a smart card at all.


Figure 23 - Vista Logon Window 2

3 Click Switch User to display the window shown in “Figure 24”.

Figure 24 - Window Vista – Select User

4 Click the smart card icon.

If the text underneath the smart card icon says Insert a smart card, the window in “Figure 25” appears. Follow the steps that follow “Figure 25”.

If the text underneath the smart card icon has the name of the card/token user, the window in “Figure 26” appears. Follow the steps that follow “Figure 26”.

Figure 25 - Windows Vista – Insert a Smart Card Window

5 Connect your smart card/token. If the card/token is valid, the window changes to display the name of the card/token user as shown in “Figure 26”.


Figure 26 - Windows Vista – Smart Card User Displayed

6 Enter the PIN and click the arrow. If your PIN is correct, the Welcome message appears during logon and disappears when the logon is successful.

Encrypting and Signing E-mails

Digital signatures are valuable for proving that you signed the contents of a document or message and that the contents have not been altered in transit. This is called “non-repudiation”. For additional privacy, you can also encrypt documents and messages. The message contents are encrypted using the shared digital certificates of both the sender and the recipient.

The procedure is the same for all the supported versions of Windows.

In Microsoft Outlook

You must first configure Outlook to encrypt and sign e-mail. You only need to do this once. Make sure your IDPrime .NET card is correctly inserted in the card reader and that the reader is connected to the computer.

To configure Microsoft Outlook to sign and encrypt e-mails:

1 In Outlook, click Options > Message Options and click Security Settings.

2 In the Security Properties dialog box that opens, check the box “Encrypt message contents and attachment” if you want to encrypt e-mails and “Add digital signature to this message” if you want to sign e-mails, as shown in “Figure 27” on page 27.

Note: You cannot use a PIN pad reader to enter the PIN for a smart card logon (even if the External PIN property has been set in the card). However, you can use a PIN pad reader to enter the PIN for other authentications, such as an SSL connection, digital signature, mail encryption and so on.


Note: To perform these operations, the IDPrime .NET card must contain an encryption certificate and/or a certificate signature.


Figure 27 - Security Properties Dialog Box

3 If you have more than one digital certificate stored on the card, click Change Settings. This opens the Change Security Settings dialog box.

Figure 28 - Change Security Settings Dialog Box

4 Enter or choose the appropriate information in the entry fields.

– In Security Settings Name, enter a name for your settings.

– Make sure that S/MIME is selected in the Cryptography Format box.

– Click Choose beside Signing Certificate. In the Select Certificate window, select a certificate and click OK.

– Click Choose beside Encryption Certificate and do the same thing.

– Select the Hash Algorithm and Encryption Algorithm from the respective lists.

5 Click OK to close the Change Security Settings dialog box.

To encrypt and sign e-mails:

1 Click New to open the message editor and write your e-mail as normal.

2 If you want to encrypt the e-mail, click the Encrypt icon shown in “Figure 29”. If you want to sign the e-mail, click the Sign icon shown in “Figure 30”.


Figure 29 - Outlook 2007 – Encryption Icon

Figure 30 - Outlook 2007 – Signature Icon

3 In the message editor, click Send.

4 Enter your PIN when prompted. The message is placed in your Outbox or “Sent” folder.

In Microsoft Live Mail

This is slightly different from Outlook. You can configure Live Mail so that by default it will encrypt and/or sign all your e-mails, or just encrypt/sign each e-mail case by case. If you choose to configure the default options and your card has only one certificate, Live Mail uses that certificate for the encryption/signature. However, if there is more than one certificate on the card, you cannot choose a default certificate; instead Live Mail asks you to choose the certificate each time you encrypt/sign an e-mail.

Make sure your IDPrime .NET card is correctly inserted in the card reader and that the reader is connected to the computer.

To configure Microsoft Live Mail to sign and encrypt all e-mails by default:

1 In Live Mail, from the Tools Menu, choose Safety Options.

2 In the Safety Options dialog box that opens, check the box “Encrypt message contents and attachment” if you want to encrypt all your e-mails by default and “Add digital signature to this message” if you want to sign all e-mails by default.

In Mozilla Thunderbird

1 Make sure your IDPrime .NET card is correctly inserted in the card reader and that the reader is connected to the computer.

2 First configure Thunderbird to encrypt e-mail. In Thunderbird, click the Write icon as shown in “Figure 31”.

Figure 31 - Thunderbird Write Icon

Note: You only need to enter your PIN once during an Outlook session (if the card is in its default operating mode).

Note: You must have already installed IDGo 500 PKCS#11 on the computer.


This opens the Compose window.

3 In the Compose window’s Options menu, choose Security > Encrypt this Message as shown in “Figure 32”.

Figure 32 - Thunderbird – Encrypt This Message

As the certificates in the card/token are not yet set up, the following message appears:

4 Click Yes. This opens the Account Settings window for your e-mail account as shown in “Figure 33”.

Figure 33 - Thunderbird – Account Settings


5 In Digital Signing, click Select and choose the certificate you want to use from the list that appears. The following message appears:

Figure 34 - Thunderbird – “Use Same Certificate” Message

6 If you want to use the same certificate to encrypt and decrypt messages, click OK. This selects the certificate for you in the Encryption panel as shown in “Figure 35” on page 30. Otherwise click Cancel.

Figure 35 - Thunderbird – Account Settings (2)

7 If you want all of your e-mails to be digitally signed by default, check the box Digitally sign messages (by default).

8 In Encryption, if you chose not to use the same certificate as the one used for digital signing, click Select and choose the certificate from the list that appears. A message similar to the one in “Figure 34” on page 30 appears, but this time asking if you want to use the Encryption certificate for digital signing. This is just in case you select your encryption certificate before you select your digital signature certificate.

9 In Default encryption setting when sending messages, choose one of the option buttons Never or Required.

10 Click OK to close the Account Settings window.

Note: If you want to modify the account settings at any point, open the Account Settings window from the Tools menu by choosing Account Settings. This can be done either from the Compose window or directly in Thunderbird.


Encrypting and Signing Other Information

Besides e-mails, IDPrime .NET cards can be used by many applications that run in the Windows desktop, including those in Microsoft Office. The example that follows shows you how to sign a Microsoft Powerpoint 2007 presentation. You can use the card with EFS for file and folder encryption and, if you have Windows 7 Ultimate, with Bitlocker To Go to encrypt an entire drive or USB key. It can also be used with VPN clients for secure remote authentication.

To sign a Microsoft Powerpoint 2007 presentation:

1 From inside the Powerpoint presentation, click the Microsoft office button on the top left of the slide and choose Prepare then Add a Digital Signature. The following window appears:

Figure 36 - Powerpoint Signature Window

2 Click OK. The Sign window appears as shown:

Figure 37 - The Sign Window

3 In Purpose for signing this document enter some descriptive text, then click Sign.

4 When the Insert Smart Card dialog box appears, insert the IDPrime .NET smart card and click OK.

5 When the Smart Card PIN dialog box appears, enter the User PIN and click OK.

6 When the Signature Confirmation dialog box appears, click OK.

To check the signature details:

1 After a Powerpoint presentation is signed, a panel called Signatures appears to the right inside Powerpoint. The authors of new signatures are added to the Valid Signatures list. Select the signature whose details you want to check and in the drop-down list for that signature, choose Signature Details as shown:


Figure 38 - Choosing the Signature Details in Powerpoint

The Signature Details dialog box appears:

2 Click View to see the details of the certificate used for the signature.

SSL Authentication to Secure Web Sites

You can use IDPrime .NET smart cards to authenticate yourself to a secure web site (SSL authentication). To do this with Mozilla Firefox, you need to have Gemalto’s IDGo 500 PKCS#11 Library for Smart Cards installed on the computer.

For information on how to install the IDGo 500 PKCS#11 Library and how to access secure web sites with an IDPrime .NET card in Mozilla Firefox, please refer to the IDGo 500 PKCS#11 Library for Windows User Guide available at:

http://www.gemalto.com/products/dotnet_card/resources/technical_doc.html.

For browsers that do not need the IDGo 500 PKCS#11 Library (using Internet Explorer as an example), the procedure to access secure web sites with an IDPrime .NET card is as follows:

To perform SSL authentication:

1 Launch Internet Explorer.

2 Go to your SSL web site.

3 If several certificates are present in your smart card, Internet Explorer asks you to select one. Select your certificate and click OK.

4 Authenticate yourself by entering the IDPrime .NET card’s User PIN and click OK.


How to Test and Manage IDPrime .NET Test Cards

.NET Utilities is a portal offering a set of web-based tools that enable, among others, the following operations:

■ PIN Management

– Change PIN

– Unblock PIN

■ Certificate Management

– View on-card certificates

– Reset Card

– Import P12 Certificates

■ Card Management

– Get Card Characteristics

– Check active on-card services

All these services are freely available and fully functional on IDPrime .NET cards. The only restriction is that the card Admin Key must not have changed from its default value.

To use Gemalto’s .NET Utilities, go to:

http://www.netsolutions.gemalto.com/netutils/Default.aspx

The web site appears as shown:

Figure 39 - Gemalto’s .NET Utilities Web Site

The IDPrime .NET smart card default Admin Key value is 0000..0000 (24 bytes, 48 digits long).

Chapter 6 - The Gemalto IDGo 500 Credential Provider

This optional credential provider (CP) has been developed as a wrapper around the IDGo 500 minidriver in order to provide a GUI that enables you to use the new features described in the next section.

IDGo 500 Credential Provider Features

The additional features provided by Gemalto’s IDGo 500 credential provider are as follows:

Multiple PIN Policy Support

IDPrime .NET cards support up to 7 PIN roles (the Admin Key role and 6 user PIN roles) defined in the Microsoft Minidriver specifications. The 6 user PIN roles each have their own PIN with their own PIN Policy. The 6 user PIN roles are:

■ User PIN (PIN#1)

■ PIN#3

■ PIN#4

■ PIN#5

■ PIN#6

■ PIN#7

The Gemalto CP enables you to log on to the computer using one of these roles and change and unblock any of the 6 user PIN roles.

Each certificate file in the card can be associated with a private key stored in a key container (for example a signature key or an encryption key). Each key container can be protected by one of the user PINs. In the example below, certificate file #1 is associated with the private key in container #1. You need to present the User PIN #1 to use the private key in container #1. Similarly, certificate file #N is associated with the private key in container #15. You need to present the User PIN #3 to use the private key in container #15.

Note: The CP is available for Windows 7 and 8 only (and their corresponding Windows Server versions). The examples shown are for Windows 7.

Note: The Admin Key role (PIN#2) is not associated with a PIN Policy.


Figure 40 - Relationship Between PIN Roles, Keys and Files (Certificates)

Change PIN at First Use

If this option is activated for your cards, the IDGo 500 credential provider detects this the first time you try to use your IDPrime .NET card (as described in “Logging on Using an IDPrime .NET Card” on page 36). It forces you to change the PIN as shown in “Figure 41”.

Figure 41 - Change PIN at First Use Window

In the PIN field, enter the default PIN (0000) then enter the PIN value you want in the New PIN and NEW PIN Confirmation fields. Then click OK.

[Figure 40 diagram labels: User PIN #1, PIN #3, PIN #4, PIN #5, PIN #6, PIN #7; Key Container #1, Key Container #2, …, Key Container #15; Certificate File #1, Certificate File #2, …, Certificate File #N]

Single Sign-On

The single sign-on (SSO) feature is activated (or not) by setting the SSO parameter in the PIN policy of the card. If activated, the user needs to present the User PIN once only during a session, as long as the IDPrime .NET card is not removed or the smart card is reset.

User Tasks

This section shows you how to log on to the computer, change and unblock PINs using the IDGo 500 credential provider.

Logging on Using an IDPrime .NET Card

1 Start Windows. The window shown in “Figure 42” opens.

Figure 42 - Windows 7 - Ctrl Alt Del Prompt

2 Press <CTRL> <ALT> <DEL>. The window that displays next can be one of the following cases:

■ If an administrator or user icon displays, as shown in “Figure 43”, follow the steps that follow “Figure 43”.

■ If all the user icons and the smart card icon display, as shown in “Figure 44”, follow the steps that follow “Figure 44”.

■ If the smart card icon displays on its own with the text “Insert a smart card” as shown in “Figure 45”, follow the steps that follow “Figure 45”.

■ If the smart card icon displays on its own with the name of the card/token user underneath as shown in “Figure 46”, follow the steps that follow “Figure 46”.

Note: There is a bug in the Base CSP that causes this window to display imperfectly (typically the OK and Cancel buttons do not appear). If this happens, press Enter or Escape to re-display the window correctly.

Note: If you do not have the IDGo 500 CP or you are using Windows XP or Vista, this window does not appear. You will have to change the PIN manually before you can use the card. To do this, you will need to log on first with a different card or log on normally without using a smart card at all.


Figure 43 - Windows 7 Password Logon

3 Click Switch User to display the window shown in “Figure 44”.

Figure 44 - Windows 7 – Select User

In the example in “Figure 44”, there are two certificates in the card, each indicated by a smart card icon. With the IDGo 500 credential provider’s multiple PIN policy feature, it is possible to protect each certificate by a different private key, and protect each private key by a different user PIN.

4 Click the smart card icon that corresponds to the certificate you want to use.

If the text underneath the smart card icon says Insert a smart card, the window in “Figure 45” appears. Follow the steps that follow “Figure 45”.

If the text underneath the smart card icon has the name of the card/token user, the window in “Figure 46” appears. Follow the steps that follow “Figure 46”.


Figure 45 - Windows 7 – Insert a Smart Card Window

5 Connect your smart card/token. If the card/token is valid, the window changes to display the name of the card/token user as shown in “Figure 46”.

Figure 46 - Windows 7 – Smart Card User Displayed

6 Enter the PIN and click the arrow. If your PIN is correct, the Welcome message appears. Click OK to remove this message.

Note: You cannot use a PIN pad reader to enter the PIN for a smart card logon (even if the External PIN property has been set in the card). This is a limitation of the Windows Base CSP layer. However, you can use a PIN pad reader to enter the PIN for other authentications, such as an SSL connection, digital signature, mail encryption and so on.

Changing a User PIN

If you have the IDGo 500 credential provider, you can change any of the PINs that are associated with the 6 user PIN roles.

To change the User PIN using the IDGo 500 Credential Provider:

1 Press the Ctrl+Alt+Del keys to launch the secure desktop in Windows 7 (“Figure 47”).

Figure 47 - Windows 7 Secure Desktop

2 Select Change a Password. This displays the window in “Figure 48”.

Figure 48 - Windows 7 Secure Desktop - Standard Password Prompt

Note: The Change PIN operation can take several seconds if the PIN policy is complex. This is due to the verification of the new PIN value. As the hourglass does not display, it may appear that the screen is frozen or the PIN entry has been ignored. Please allow a few seconds for the operation to take place.


3 Insert the smart card in the smart card reader attached to the machine and click Other Credentials. This displays the standard Windows credential provider, as shown in “Figure 49”.

Figure 49 - Standard Windows 7 Credential Provider

4 In the credential provider, select the smart card user tile. This displays the PIN change window as shown in “Figure 50”.

Figure 50 - Windows 7 Gemalto Smart Card Credential - Change PIN Window

5 Select the role whose PIN value you want to change, and check the Change PIN box. The fields change as shown in “Figure 51”.

Note: The role drop-down list appears only if the “Activate PIN list” key has been set in the registry. For details on setting this bit, please refer to “Appendix B - Activating the IDGo 500 Credential Provider PIN List”.


Figure 51 - Windows 7 - Change PIN for a Role.

6 Enter the old PIN, the new PIN and confirm the new PIN in the appropriate fields, then click the arrow.

7 A message displays to tell you if the change operation succeeds or not.

Unblocking a User PIN

If you have the IDGo 500 credential provider, you can unblock any of the PINs that are associated with the 6 user PIN roles.

To unblock the User PIN using the IDGo 500 Credential Provider:

1 Follow steps 1 - 4 in “To change the User PIN using the IDGo 500 Credential Provider:” on page 39, so you arrive at “Figure 50” on page 40.

2 Select the role whose PIN value you want to unblock, and check the Unblock PIN box. The fields change as shown in “Figure 51”.

The IDPrime .NET smart card default value for all PINs is 0000.

Note: The Unblock PIN operation can take several seconds if the PIN policy is complex. This is due to the verification of the new PIN value. As the hourglass does not display, it may appear that the screen is frozen or the PIN entry has been ignored. Please allow a few seconds for the operation to take place.

Note: The role drop-down list appears only if the “Activate PIN list” key has been set in the registry. For details on setting this bit, please refer to “Appendix B - Activating the IDGo 500 Credential Provider PIN List”.


Figure 52 - Windows 7 - Unblock PIN for a Role.

The card generates a 16-digit challenge and displays it above the three empty fields as shown in “Figure 52”.

3 Tell your IT Admin / Helpdesk the value of this challenge. They will give you a 16-digit (8-byte) response.

4 Enter this response in the first field.

5 Enter the new PIN value in the second and third fields and click the arrow next to the third field. A message displays to tell you if the unblock operation succeeds or not.

Appendix A - Enabling Unblock Card in Windows Vista, 7 and 8

The Unblock Card feature in the secure desktop user interface is not enabled by default in Windows Vista, 7 and 8. It can be enabled by an administrator modifying the Group Policy. If you want to enable the Unblock Card feature for all the machines in the domain, use the Microsoft Management Console (MMC). If you want to modify the local computer only, use the group policy editor gpedit.msc.

To integrate the Smart Card Unblock for the domain using MMC:

For this procedure, you must be logged on to a Domain Controller as a Domain Administrator.

1 From the Start menu, type MMC in the “Search” box and then press Enter.

If prompted to run Command Prompt as an administrator, click Allow. This opens the Microsoft Management Console window.

In Windows 7, the following window appears:

Figure 53 - MMC in Programs Window

Click MMC to open the Microsoft Management Console window.

2 If User Access Control is activated, a warning appears asking if you want to allow the following program to make changes to your computer. Click Yes.

3 In the Console1 window, open the File menu and select Add/Remove Snap-in.

4 In the Add or Remove Snap-ins dialog box, select Group Policy Object Editor in the Available Snap-ins pane on the left side, and then click Add.


Figure 54 - “Add or Remove Snap-Ins” dialog box

This starts the Group Policy Wizard, shown in the following figure:

Figure 55 - “Select Group Policy Object” dialog box

5 Click Browse and select Default Domain Policy in the Group Policy Object control (“Figure 56”). Click OK, then Finish to close the Select Group Policy Object dialog box.

Figure 56 - “Browse for a Group Policy Object” dialog box

6 Click OK in the Add or Remove Snap-ins dialog box to close it.

7 Back in the Console1 window, click on the Local Computer Policy node in the left side pane, then click on Computer Configuration > Administrative Templates > Windows Components, and finally double-click Smart Card.

8 Double-click Allow Integrated Unblock screen to be displayed at time of logon in the center pane, as shown in “Figure 57”.

Figure 57 - Local Computer Policy Objects for Smart Cards

9 In the Setting tab, choose Enabled and click OK (“Figure 58”).

Figure 58 - “Allow Integrated Unblock screen to be displayed”

At this point, you can also define a custom message to be displayed when the smart card is blocked. The main use of this message is to provide a phone number for users to call to obtain the response to the challenge needed to unblock the card. You can see an example of such a message in the Unblock card secure desktop interface in “Figure 19” on page 21.

To integrate the Smart Card Unblock for the local computer using the group policy editor gpedit.msc:

For this procedure, you must be logged on to the local computer as the Administrator.

1 From the Start menu, type gpedit.msc in the “Search” box and then press Enter. This opens the Local Computer Policy.

2 Click on the Local Computer Policy node in the left side pane, then click on Computer Configuration > Administrative Templates > Windows Components, and finally double-click Smart Card.

3 Follow the same instructions as in the previous section from step 8 on page 45.

To include a custom message in the Smart Card Unblock Screen:

1 Back in the Console1 window, still with Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Smart Card selected in the left pane (as in “Figure 57” on page 45), double-click Display string when smart card is blocked in the right pane.

2 In the Setting tab, choose Enabled and type the string to be displayed on the Unblock screen in Display string when smart card is blocked, and then click OK (“Figure 59”).

Figure 59 - “Display string when smart card is blocked” dialog box
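As an added check that is not part of the Gemalto guide, the following PowerShell reads back whether the two policies configured in this appendix are in force on the local machine. It assumes that Windows stores these Group Policy settings under the SmartCardCredentialProvider policy key with the value names AllowIntegratedUnblock and IntegratedUnblockPromptString (an assumption; the guide does not name them), and that it is run after the policy has been refreshed.

```powershell
# Added example (not from the Gemalto guide): report whether "Allow Integrated
# Unblock screen to be displayed at time of logon" and "Display string when smart
# card is blocked" are applied on this machine.
# Assumption: the policies land in the SmartCardCredentialProvider policy key under
# the value names used below; run elevated after "gpupdate /force".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'

function Get-SmartCardUnblockPolicy {
    [CmdletBinding()]
    param([string]$Path = $PolicyKey)

    $result = [ordered]@{
        PolicyKeyPresent = Test-Path -Path $Path
        UnblockEnabled   = $false   # "Allow Integrated Unblock screen ..." policy
        BlockedMessage   = $null    # "Display string when smart card is blocked"
    }
    if ($result.PolicyKeyPresent) {
        $props = Get-ItemProperty -Path $Path
        # Assumed value names (see lead-in); a DWORD of 1 means Enabled.
        $result.UnblockEnabled = ($props.AllowIntegratedUnblock -eq 1)
        $result.BlockedMessage = $props.IntegratedUnblockPromptString
    }
    [pscustomobject]$result
}

$policy = Get-SmartCardUnblockPolicy
$policy | Format-List

if (-not $policy.UnblockEnabled) {
    Write-Warning 'Integrated Unblock is not enabled: the Unblock Card UI will not appear on the secure desktop.'
} elseif ([string]::IsNullOrWhiteSpace($policy.BlockedMessage)) {
    Write-Warning 'Integrated Unblock is enabled, but no helpdesk message is configured for blocked cards.'
}
```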

Appendix B - Activating the IDGo 500 Credential Provider PIN List

As mentioned in “Chapter 6 - The Gemalto IDGo 500 Credential Provider”, the IDGo 500 credential provider displays the drop-down list of PINs only if this list is activated in the registry.

This appendix tells you which registry key to set.

For 32-bit versions of Windows 7 and 8:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6012D512-EEBB-41E2-8842-28611CD7FE9E}]
"Mode"=dword:00000000

Type: REG_DWORD

Value: 00000000: PIN list is not activated
       00000004: PIN list is activated

For 64-bit versions of Windows 7 and 8:

You need to set both of the following registry keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6012D512-EEBB-41E2-8842-28611CD7FE9E}]
"Mode"=dword:00000000

Type: REG_DWORD

Value: 00000000: PIN list is not activated
       00000004: PIN list is activated

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6012D512-EEBB-41E2-8842-28611CD7FE9E}]
"Mode"=dword:00000000

Type: REG_DWORD

Value: 00000000: PIN list is not activated
       00000004: PIN list is activated

Note: The default value in all cases is "Mode"=dword:00000000.
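The following PowerShell script is an added example, not part of the Gemalto guide or the IDGo 500 product: it sets the Mode value described above, writes both keys on 64-bit Windows as the appendix requires, and reads the value back to confirm it. It assumes an elevated prompt and that the credential provider has already created its registry key during installation.

```powershell
# Added example (not from the Gemalto guide): activate or deactivate the IDGo 500
# credential provider PIN list via the "Mode" DWORD documented in Appendix B.
# Assumption: run from an elevated PowerShell prompt; the CP GUID and the values
# 0 / 4 are the ones given in the appendix.
# Usage: .\Set-IdgoPinList.ps1            (activate, Mode = 4)
#        .\Set-IdgoPinList.ps1 -Disable   (deactivate, Mode = 0)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable
)

$cpGuid  = '{6012D512-EEBB-41E2-8842-28611CD7FE9E}'
$subPath = 'Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$paths   = @("HKLM:\SOFTWARE\$subPath\$cpGuid")

# On 64-bit Windows the appendix requires both the native and the Wow6432Node key.
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\$subPath\$cpGuid"
}

$mode = if ($Disable) { 0 } else { 4 }   # 0 = PIN list not activated, 4 = activated

foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) {
        # The CP installer creates this key; do not create it blindly if it is absent.
        Write-Warning "Credential provider key not found: $path (is the IDGo 500 CP installed?)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($path, "Set Mode=$mode")) {
        Set-ItemProperty -Path $path -Name 'Mode' -Value $mode -Type DWord
    }
    # Read the value back so a failed write is reported rather than silently ignored.
    $actual = (Get-ItemProperty -Path $path -Name 'Mode' -ErrorAction SilentlyContinue).Mode
    if ($actual -ne $mode) {
        throw "Mode under $path is '$actual', expected $mode"
    }
    Write-Host ("{0}: Mode=0x{1:x8}" -f $path, $actual)
}
```

Run with -WhatIf to see which keys would be written without changing anything.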

Terminology

Abbreviations

API Application Programming Interface

CAPI Cryptographic Application Programming Interface

CCID Chip Card Interface Device

CMS Card Management System

CNG Crypto API Next Generation

CP Credential Provider

CSP Cryptographic Service Provider

FIM Forefront Identity Manager

GUI Graphical User Interface

ILM Identity Lifecycle Manager

KSP Key Storage Provider

MU Microsoft Update

OS Operating System

PC/SC Personal Computer/Smart Card

PIN Personal Identification Number

PKI Public Key Infrastructure

SSO Single Sign-on

Glossary

.NET Utilities A series of utilities developed by Gemalto to provide operations for IDPrime .NET smart cards. They include changing and unblocking a PIN and managing certificates.

Admin Key A 3DES key used by the administrator to calculate the response to a challenge when unblocking the card.

Base (CSP) Microsoft’s default software library that implements the Cryptographic Application Programming Interface (CAPI).


Certificate A certificate provides identification for secure transactions. It consists of a public key and other data, all of which have been digitally signed by a CA. It is a condition of access to secure e-mail or to secure Web sites.

Certificate Authority An entity with the authority and methods to certify the identity of one or more parties in an exchange (an essential function in public key crypto systems).

Cryptography The science of transforming confidential information to make it unreadable to unauthorized parties.

Digital Signature A data string produced using a Public Key Crypto system to prove the identity of the sender and the integrity of the message.

Encryption A cryptographic procedure whereby a legible message is encrypted and made illegible to all but the holder of the appropriate cryptographic key.

Key A value that is used with a cryptographic algorithm to encrypt, decrypt, or sign data. Secret key crypto systems use only one secret key. Public key crypto systems use a public key to encrypt data and a private key to decrypt data.

Key Length The number of bits forming a key. The longer the key, the more secure the encryption. Government regulations limit the length of cryptographic keys.

Microsoft Update Catalog Microsoft web site where you can download the IDGo 500 minidriver DLL.

PKCS#11 Standard and open software library specified by RSA Laboratories and implementing smart card cryptographic functions. Refer to http://www.rsa.com/rsalabs/node.asp?id=2133

Public Key Crypto system A cryptographic system that uses two different keys (public and private) for encrypting data. The most well-known public key algorithm is RSA.

Single Sign-on (SSO) A mechanism provided with the IDGo 500 credential provider, where the user needs to present the User PIN once only during a session, as long as the IDPrime .NET card is not removed. If the standard Microsoft credential provider is used, activating the SSO mechanism has no effect and the user PIN may need to be presented more than once during a session.

References

Standards and Specifications

■ Microsoft Base CSP / Minidriver specifications: http://www.microsoft.com/whdc/device/input/smartcard/sc-minidriver.mspx

■ Microsoft Update site: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=gemalto%20minidriver%20net

■ PKCS#11 site: http://www.rsa.com/rsalabs/node.asp?id=2133

Recommended Reading

■ Enterprise Smart Card Deployment in the Microsoft Windows Smart Card Framework - Derek Adam, Microsoft, June '06

■ For further reading about Gemalto .NET Cards, please go to the Gemalto product catalog at http://www.gemalto.com/products/dotnet_card/