
GemSAFE

User Guide
Version 2.1

CONTENTS
INTRODUCTION
  Purpose
  Conventions
  Documentation
GEMSAFE BASICS
  What Is GemSAFE?
  What Is a Smart Card?
  What Is the GemSAFE Smart Card?
    Onboard Key Generation
    Increased Certificate Storage
    Increased Signature and Unwrap
  What Is Public Key Cryptography?
  What Is a Key Pair?
  Are There Different Security Levels?
  What Is a Digital Certificate?
  What Are Certificate Authorities?
  What Is a Digital Signature?
  What Is S/MIME?
  What Is SSL?
GETTING STARTED
  The GemSAFE Kit
  Requirements
    Platform
    Peripherals
    Browser
    Email Account
  Installation
    Connecting the Card Reader
    Installing GemSAFE
WINDOWS 2000
  Installation on Windows 2000
  Smart Card Logon
  Lock and Unlock Computer
  Signing Macros
  Opening Signed Documents
CERTIFICATE MANAGEMENT
  Your Certificates
    Obtain Your Certificate
    View Your Certificate
    Delete Your Certificate
  User Certificates
    Add User Certificates
    View User Certificates
    Delete User Certificates
    Public Directories
  Web Site Certificates
    View Web Certificates
    Install Web Site Certificates
    Select Your Certificate for the Web
  Certificate Authorities
    View CAs
    Add CAs
    Delete CAs
    CA Integrity
SECURE EMAIL
  Link Your Certificate
  Secure Email Settings
  Change Session Key Length
  Test Secure Email
  Send Secure Email
SECURE WEB SITES
  Test User Authentication
CARD DETAILS TOOL
  Services
  Card Selection
  Card Release
  Certificate Registration
  PIN Code Management
    Verify PINs
    Change PINs
    Unblock PINs
  Card Information
  Card Initialization
  Diagnostic Information
EXPORT REGULATIONS
ABOUT GEMPLUS
TERMINOLOGY
  Abbreviations and Acronyms
  Glossary

INTRODUCTION
Purpose
The GemSAFE User Guide provides simple, easy-to-follow instructions to install, configure, and use GemSAFE 2.1 and the GemSAFE Card Details Tool, a simple administration tool for GemSAFE cards. The GemSAFE User Guide addresses topics to effectively use GemSAFE. The guide does not address all browser-specific topics related to using digital certificates. Refer to your browser documentation for additional information.
The GemSAFE User Guide was validated on the Windows 2000 platform with the following versions of Microsoft and Netscape applications: Outlook Express 5.0, Outlook 2000, Microsoft Internet Explorer 5.0, and Netscape Communicator 4.6.1. If you are using a different platform or different versions of Microsoft or Netscape applications, you may encounter different options regarding the management and use of your digital certificates.

Conventions

Documentation
The GemSAFE Quick Start Guide and GemSAFE User Guide are located in the \Doc folder of the GemSAFE CD-ROM. You can also refer to GemSAFE Online Help for quick and easy task instructions. Access GemSAFE Online Help from the GemSAFE CD-ROM.
NOTE: Use Adobe Acrobat Reader to view all documentation on the GemSAFE CD-ROM. You can download Acrobat Reader from Adobe's Web site at www.adobe.com/acrobat.

GEMSAFE BASICS
Learn basic information about GemSAFE, smart cards, public key cryptography, and current IT standards.

What Is GemSAFE?
GemSAFE is a smart card-based solution designed to secure email communication and Internet transactions. The GemSAFE smart card supports encryption/decryption and signature functions. GemSAFE for Windows 2000 also supports secure logon and the capability to sign Office 2000 macros. The encryption/decryption function enables you to send and receive secure email to protect confidential or private information. You can use the signature function to sign your messages. By signing messages, you can prove to the recipient that you are who you claim to be.
GemSAFE combines the privacy, integrity, and authentication functionalities provided by cryptographic algorithms with the simplicity, portability, and convenience of smart cards. Your private key, digital certificate, and other personal information are securely stored on your GemSAFE card to prevent fraudulent use of your electronic identity.
The latest industry standards such as SSL3 (for Web access) and S/MIME (for email) enable interoperability of security services between any browser interface and any Web server. However, the security hole in SSL3 and S/MIME is the management of your private key and digital certificate. Without GemSAFE, your private key and digital certificate are stored on your hard drive, which makes them susceptible to unauthorized access and fraudulent use. Without GemSAFE, your electronic identity is at risk.
GemSAFE provides double-barreled security! With GemSAFE, you get the hardware-based security inherent in smart cards and the software-based security of PIN codes. Hardware-based security is a principal security advantage. It is significantly more secure than software-only solutions. Without possession of your smart card and knowledge of your PIN code, no one can use your identity. GemSAFE is your electronic passport to the digital world.
Your private key never leaves your smart card. The smart card is hardware-based security. The PIN code protects key use. GemSAFE is portable and convenient.

What Is a Smart Card?
Smart cards are the latest addition to the IT world. The smart card is the size of a conventional credit card. But unlike the credit card, which has a magnetic stripe, the smart card has a silicon microprocessor chip to store and process electronic data and applications. The advantage of the smart card is SECURITY.

Gemplus manufactures two types of smart cards: contact and contactless. Contact smart cards must be inserted into a smart card reader. Contactless smart cards use a microprocessor chip and antenna to process data. Smart cards provide the most sophisticated security available on the market.

What Is the GemSAFE Smart Card?
Your GemSAFE card stores your private key and digital certificate. In the past, your only option was to store your private key on your local hard drive, rendering it susceptible to theft and fraudulent use. With GemSAFE, your electronic identity is secure. You must have both the card and PIN code to use the card. The GemSAFE card is tamper resistant. The structure and operating system of the card make it practically impossible to penetrate, probe, or pilfer card data.
Perhaps the most convenient aspect of the GemSAFE smart card is portability. With GemSAFE, you can carry your electronic passport with you at all times and use it on any GemSAFE-equipped computer in the world.
The GemSAFE smart card has a robust and flexible design. Three specific features offer greater freedom and enhanced security.

Onboard Key Generation
The GemSAFE card offers onboard key generation. With this feature, every time you enroll a new certificate on your card, a NEW key pair is generated on your card. In other words, you are not limited to using the same key pair for every certificate that you enroll. One significant advantage of onboard key generation is the ability to monitor and control the life span of your RSA key pairs.

Increased Certificate Storage

You can store up to four key pairs and four digital certificates on your GemSAFE card. This feature provides the convenience of using up to four digital certificates for whatever purposes you want. For example, you can use one certificate and key pair with strong encryption (1024-bit RSA key pair) to communicate securely with contacts in the United States and Canada. You can then use a second certificate and key pair (512-bit RSA key pair) to communicate securely with international contacts.
Another reason for obtaining more than one digital certificate is the level of certification the Certificate Authority (CA) requires. You may want to obtain and use a digital certificate from a CA that requires stringent identity certification if you are using the certificate for sensitive business communications or financial transactions. If, however, you want to encrypt/sign data for personal communications, you may decide that a certificate from a CA that requires minimal identity certification meets your needs. The costs of obtaining a digital certificate from a CA are, somewhat, based on the degree of identity certification the CA requires. Therefore, it would be to your advantage to obtain two digital certificates, each of which meets your particular security needs.


Increased Signature and Unwrap

There are two versions of the GemSAFE smart card: US/Canada and international. Both cards offer onboard key generation and store up to four key pairs and four certificates. The difference between the US/Canada and international versions of the GemSAFE smart card is the length of the key pairs that you can generate on the card. The US/Canada version offers the potential to generate two 512-bit and two 1024-bit RSA key pairs for encrypting and signing. The international version offers the potential to generate three 512-bit RSA key pairs for signing and encrypting data. The international version also offers the potential to generate one 1024-bit RSA key pair for signing data. You cannot use the international GemSAFE smart card to encrypt data with a 1024-bit RSA key pair.

What Is Public Key Cryptography?
Public key cryptography, or asymmetric cryptography, is the most advanced, secure cryptosystem for encryption and digital signatures. Traditional cryptography, symmetric cryptography, uses the same key to encrypt and decrypt data. Public key cryptography relies on a matched key pair to encrypt and decrypt data. Introducing the public key removes the need for the sender and recipient to share or transmit the single secret key used in symmetric cryptography. Therefore, public key cryptography is significantly more secure than traditional cryptosystems.
Each user owns an RSA key pair. One key is private; one key is public. The private key remains private and accessible only to the owner of the key pair. The public key is made available by the owner of the key pair to public users.
Each key performs a one-way transformation on the data. One key is the inverse function of the other, so what one key does, only the other can undo. To send and receive secure data, the sender encrypts the data using the intended recipient's public key. Only the recipient's private key can decrypt the data. The sender also signs the data to provide the recipient with a means of authenticating the message.
The private and public keys are always mathematically linked. Therefore, it is possible but not practical to attack the public key cryptosystem and derive the value of the private key after it has been used numerous times. To avoid cryptanalysis, key pair owners should define an appropriate key pair life cycle. The shorter the key length, the shorter the key pair life cycle.

Public key cryptography provides:
- Authentication, which corroborates the identity of an entity or source of information.
- Confidentiality, which protects data from view or access by unauthorized individuals.
- Access Control, which restricts access to resources to privileged entities.
- Data Integrity, which ensures information has not been altered by unauthorized or unknown means.
- Non-Repudiation, which prevents the denial of previous commitments or actions.

What Is a Key Pair?
A key pair is a matched set of keys used to encrypt/decrypt or sign message data. One key is the inverse of the other key. As such, what one key does only the other key can undo. For instance, if one key is used to encrypt a message, the only way to decrypt the message is to use the matching key. GemSAFE uses two types of keys:
- Session keys (symmetric)
- RSA keys (asymmetric)
Session keys are single. They do not occur in pairs. The session key is used to encrypt/decrypt actual message data. Session keys are included in the cryptographic functionality of both Microsoft IE and Netscape Communicator. The maximum session key length for US/Canada versions of Microsoft IE and Netscape Communicator is 128 bits. The maximum session key length for international versions is 40 bits. Session key lengths are specified in your browser. You can change the session key length by choosing a different encryption algorithm within your browser. You may need to reduce the encryption strength if you are communicating securely with international contacts.
Session keys are shorter in length than RSA keys, which reduces the amount of time to encrypt/decrypt message data. It is not practical to encrypt/decrypt the entire message text using RSA keys. Although session keys are shorter in length than RSA keys, message security remains robust. After the entire message text is encrypted using the session key, the session key is encrypted using the RSA private key. GemSAFE uses RSA keys to sign data and encrypt/decrypt the session key. Using RSA keys to encrypt the session key ensures the greatest security at the greatest speed and convenience.


Are There Different Security Levels?

GemSAFE offers two versions, each of which has a different security level due to export restrictions. The security level is directly related to the RSA key pair length. The longer the key length, the greater the security level.
US/Canada: GemSAFE for US/Canada markets includes a smart card that can store four certificates and key pairs. The key pairs on your smart card can include two 512-bit key pairs and two 1024-bit key pairs. Key pairs have the potential to unwrap a maximum of 512 bits; however, browser limitations result in a maximum unwrap capability of 128 bits.
International: GemSAFE for international markets includes a smart card that can store four certificates and key pairs. The key pairs on your smart card can include three 512-bit key pairs for encryption/decryption and signature functions and one 1024-bit key pair for signing. Key pairs have the potential to unwrap a maximum of 512 bits; however, browser limitations result in a maximum unwrap capability of 40 bits.
Unwrap capacity refers to the length of the session (symmetric) keys that encrypt the actual message data. Encrypting the entire message data using RSA keys is not feasible due to time requirements. RSA keys are used to encrypt/decrypt the session key.
It is important to know the cryptographic capacity of the person with whom you communicate securely. Though you may be able to encrypt and send data using the recipient's public key, the recipient may not be able to use your public key to encrypt and send data to you. For example, you may be able to generate a session key with a length of 128 bits. However, if the recipient is restricted to international key length limitations, 40 bits, the message cannot be decrypted.
NOTE: Key length export restrictions are for encryption only. There is no key length restriction when keys are used for authentication purposes only. However, GemSAFE was designed to be compliant with Microsoft and Netscape email and browser applications, all of which are subject to key length restrictions.
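The hybrid scheme described under "What Is a Key Pair?" and the unwrap-capacity problem described just above, as an added example that is not part of the GemSAFE guide or of any Gemplus software: a session key encrypts the message text, the session key is wrapped with the recipient's RSA public key (so that, as the public key cryptography section says, only the recipient's private key can undo it), and a recipient whose browser is limited to 40-bit session keys cannot decrypt an envelope built with a 128-bit session key, so the sender has to reduce the encryption strength. The RSA key pair is a textbook toy built from well-known Mersenne primes, the stream cipher is a SHA-256 keystream standing in for the browser's symmetric cipher, and the envelope layout and the `max_session_key_bits` parameter are assumptions of this example.

```python
import hashlib
import os

# Toy RSA modulus from two well-known Mersenne primes. The arithmetic is real
# RSA, but the primes are public, so this key pair is for illustration only.
TOY_P = 2**521 - 1
TOY_Q = 2**607 - 1


def toy_rsa_keypair(p=TOY_P, q=TOY_Q, e=65537):
    """Return ((e, n), (d, n)): what one exponent does, only the other undoes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream.
    One call encrypts and the same call decrypts (constructed for this example)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class UnwrapCapacityError(ValueError):
    """The envelope's session key is longer than this recipient's browser can unwrap."""


def encrypt_message(message: bytes, recipient_pub, session_key_bits: int = 128,
                    session_key: bytes = None) -> dict:
    """Hybrid encryption: the session key encrypts the text, RSA wraps the session key."""
    if session_key is None:
        session_key = os.urandom(session_key_bits // 8)
    if len(session_key) * 8 != session_key_bits:
        raise ValueError("session key length does not match session_key_bits")
    e, n = recipient_pub
    # Textbook RSA wrap of the session key with the recipient's PUBLIC key (no padding; toy only).
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {
        "key_bits": session_key_bits,  # declared cipher strength, like an S/MIME algorithm identifier
        "wrapped_key": wrapped,
        "ciphertext": keystream_xor(session_key, message),
    }


def decrypt_message(envelope: dict, recipient_priv, max_session_key_bits: int) -> bytes:
    """Unwrap the session key with the recipient's PRIVATE key, then decrypt the text.
    max_session_key_bits models the browser's unwrap capacity (128 US/Canada, 40 international)."""
    key_bits = envelope["key_bits"]
    if key_bits > max_session_key_bits:
        raise UnwrapCapacityError(
            f"{key_bits}-bit session key exceeds this recipient's "
            f"{max_session_key_bits}-bit unwrap capacity")
    d, n = recipient_priv
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(key_bits // 8, "big")
    return keystream_xor(session_key, envelope["ciphertext"])


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    text = b"Quarterly figures attached."  # constructed sample message
    strong = encrypt_message(text, pub, session_key_bits=128)
    print(decrypt_message(strong, priv, max_session_key_bits=128))  # US/Canada recipient decrypts
    try:
        decrypt_message(strong, priv, max_session_key_bits=40)  # international recipient cannot
    except UnwrapCapacityError as err:
        print("refused:", err)
    # The sender reduces the encryption strength to reach the international contact.
    weak = encrypt_message(text, pub, session_key_bits=40)
    print(decrypt_message(weak, priv, max_session_key_bits=40))
```

The capacity check runs before the private key is used at all: the envelope declares its session key length, so a recipient can refuse an envelope it cannot process without touching the card. In a real S/MIME message that role is played by the content-encryption algorithm identifier rather than the `key_bits` field assumed here.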

What Is a Digital Certificate?

A digital certificate is a digital document that serves as your electronic passport. Your digital certificate stores your public key and other personal information about you and the certificate. The most widely accepted standard for digital certificates is defined by International Telecommunications Union standard ITU-T X.509. Version three is the most current version of X.509. The X.509v3 certificate includes the following data fields:
- Version
- Serial number
- Signature algorithm ID
- Issuer name
- Expiration date
- User name
- User public key information
- Issuer unique identifier
- User unique identifier
- Extensions
- Signature on the above fields
The public key in your digital certificate is signed by a trusted third party, or Certificate Authority (CA). As a convenience to recipients, it is standard practice to attach your digital certificate to every secure email that you send. The recipient uses your public key, which is in your digital certificate, to encrypt email addressed to you. If you do not attach your digital certificate to outgoing emails, recipients must retrieve your public key from a public directory. Upon receiving a secure email from you, recipients use the digital certificate to authenticate your public key. The recipient then uses the public key to verify the actual message. Only the CA public key is centrally stored and widely publicized.

What Are Certificate Authorities?
Certificate Authorities (CAs) are trusted third parties that issue digital certificates to individuals. CAs vouch for the identity of the individual to whom they are issuing a certificate. When you obtain your digital certificate, you provide the CA with your public key and the personal information requested by the CA. The CA verifies the information and checks the integrity of the public key. After the CA verification process, the CA issues your digital certificate.
Many CAs issue certificates with varying levels of identification requirements. CA policies and the level of identification of the digital certificate determine the method and requirements for proving your identity to the CA. The simplest digital certificate only requires your email address and name. However, some CAs require a driver's license, notarized certificate request form, or other personal documentation attesting to your identity. Some CAs may even require biometric data such as fingerprints.
The CA certificate must be widely available so that users can validate the authenticity of its public key. If a CA does not make its certificate available, it must provide a certificate from a higher-level CA to provide users a means of verifying its public key. As a result, certification hierarchies are created.

What Is a Digital Signature?
A digital signature is a piece of information created using message data and the owner's private key. Digital signatures provide message authentication, non-repudiation of origin, and data integrity.

Digital signatures are typically created using hash and private signing functions. The one-way hash function produces a message digest, or fingerprint, a condensed version of the original text. The message digest is encrypted using the private key of the sender, turning it into a digital signature. The digital signature can only be decrypted using the public key of the same sender. The recipient of the data decrypts the digital signature and compares the result with a message digest recalculated from the original message text. If the two are identical, the message has not been tampered with. It is authentic.

What Is S/MIME?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is an open protocol standard developed by RSA Data Security that provides encryption and digital signature functionality to Internet email. S/MIME uses public key cryptography standards to define email security services. S/MIME makes it possible for you to encrypt and digitally sign Internet email using Web messaging applications such as Microsoft Outlook, Microsoft Outlook Express, and Netscape Messenger. S/MIME also enables you to authenticate incoming messages. S/MIME provides the following security functions:
- Message Encryption, to ensure that your messages remain private. Netscape Messenger and Microsoft Outlook Express support domestic and export-level public key and symmetric key encryption.
- Sender Authentication, to verify the sender's identity. By reading the sender's digital signature, the recipient can see who signed the message and view the certificate for additional details.
- Data Integrity, to guard against unauthorized manipulation of messages. S/MIME uses a secure hashing function to detect message tampering.
- Interoperability, to work with other S/MIME-compliant software.

What Is SSL?
Secure Sockets Layer (SSL), developed by Netscape Communications and RSA Data Security, is a standard security protocol that provides security and privacy on the Web. The protocol allows client/server applications to communicate securely. SSL uses both asymmetric (public key cryptography) and symmetric cryptography to provide Web security. The SSL protocol is application independent, which enables higher-level protocols such as HyperText Transfer Protocol (HTTP) to be layered on top of it transparently. Therefore, the SSL protocol can negotiate encryption and authentication with the server before data is exchanged by the higher-level application. The SSL Handshake Protocol process includes two phases:
1. Server Authentication, in which the client requests the server's certificate. In response, the server sends its digital certificate and signature. The certificate provides the server's public key. The signature proves that the server currently has the private key that corresponds to the certificate.
2. Client Authentication (optional), in which the server requests the client's certificate. In response, the client sends the digital certificate and signature to the server.
The SSL process is repeated for every secure session you attempt to establish unless you specify a permanent session. The SSL process will not proceed if the Web server's certificate is expired. SSL provides the following security functions:
- Data Encryption, to ensure data security and privacy. Both public key and symmetric key encryption are used to achieve maximum security. All traffic between an SSL server and SSL client is encrypted using both public key and symmetric key algorithms. Encryption thwarts the capture and decryption of TCP/IP sessions.
- Mutual Authentication, to verify the identities of the server and client. Identities are digital certificates. The entity presenting the certificate must digitally sign the data to prove ownership of the certificate. The combination of the certificate and signature authenticates the entity.
- Data Integrity, to ensure that SSL session data is not manipulated en route. SSL uses mathematical functions, or hash functions, to provide the integrity service.
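The hash-then-sign process described under "What Is a Digital Signature?", the CA-issued certificate that carries the signer's public key ("What Is a Digital Certificate?" and "What Are Certificate Authorities?"), and the checks a recipient or an SSL client applies to a presented certificate before proceeding (trusted issuer, valid CA signature, not expired), as one added example that is not part of the GemSAFE guide or of any Gemplus software. The RSA key pairs are textbook toys built from well-known Mersenne primes; the certificate is a plain record of the X.509 fields listed above, serialised as sorted JSON, and the field names, the `toy-RSA-SHA256` algorithm label, the trust-store dictionary and the verification helpers are assumptions of this example.

```python
import hashlib
import json

# Toy RSA primes (well-known Mersenne primes, so these keys are public and for
# illustration only). Each party gets its own modulus.
USER_PRIMES = (2**127 - 1, 2**521 - 1)
CA_PRIMES = (2**607 - 1, 2**1279 - 1)


def toy_rsa_keypair(primes, e=65537):
    """Return ((e, n), (d, n)) for the toy primes (Python 3.8+ for pow(e, -1, phi))."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def message_digest(data: bytes) -> int:
    """One-way hash: the condensed fingerprint that actually gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, priv) -> int:
    """Digital signature = message digest transformed with the signer's private key."""
    d, n = priv  # every toy modulus here exceeds 2**256, so the digest fits
    return pow(message_digest(data), d, n)


def verify(data: bytes, signature: int, pub) -> bool:
    """Undo the signature with the public key and compare with a fresh digest."""
    e, n = pub
    return pow(signature, e, n) == message_digest(data)


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of the signed fields (JSON with sorted keys)."""
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_name: str, ca_priv, subject: str, subject_pub,
                      serial: int, not_after: str) -> dict:
    """The CA vouches for the subject's public key by signing the certificate fields."""
    fields = {
        "version": 3,
        "serial_number": serial,
        "signature_algorithm": "toy-RSA-SHA256",
        "issuer": ca_name,
        "not_after": not_after,  # expiration date as YYYY-MM-DD (assumed format)
        "subject": subject,  # user name
        "subject_public_key": {"e": subject_pub[0], "n": subject_pub[1]},
        "extensions": {"key_usage": ["digitalSignature"]},
    }
    return {"fields": fields, "signature": sign(canonical(fields), ca_priv)}


def verify_certificate(cert: dict, trusted_cas: dict, today: str):
    """trusted_cas maps CA name -> CA public key (the centrally stored CA keys).
    Returns (ok, reason); an expired certificate is refused, as in the SSL handshake."""
    fields = cert["fields"]
    ca_pub = trusted_cas.get(fields["issuer"])
    if ca_pub is None:
        return False, "issuer is not a trusted CA"
    if not verify(canonical(fields), cert["signature"], ca_pub):
        return False, "CA signature does not match certificate contents"
    if today > fields["not_after"]:
        return False, "certificate expired"
    return True, "ok"


def verify_signed_message(message: bytes, signature: int, cert: dict,
                          trusted_cas: dict, today: str):
    """Recipient side: authenticate the public key via its certificate, then the message."""
    ok, reason = verify_certificate(cert, trusted_cas, today)
    if not ok:
        return False, reason
    key = cert["fields"]["subject_public_key"]
    if not verify(message, signature, (key["e"], key["n"])):
        return False, "message signature invalid (tampered or wrong key)"
    return True, "ok"


if __name__ == "__main__":
    ca_pub, ca_priv = toy_rsa_keypair(CA_PRIMES)
    user_pub, user_priv = toy_rsa_keypair(USER_PRIMES)
    trusted = {"Example CA": ca_pub}  # constructed trust store
    cert = issue_certificate("Example CA", ca_priv, "alice@example.com", user_pub,
                             serial=1001, not_after="2001-12-31")
    msg = b"Please approve the transfer."  # constructed message
    sig = sign(msg, user_priv)
    print(verify_signed_message(msg, sig, cert, trusted, today="2000-06-01"))  # (True, 'ok')
    print(verify_signed_message(msg + b"!", sig, cert, trusted, today="2000-06-01"))  # tampered
    print(verify_signed_message(msg, sig, cert, trusted, today="2002-01-01"))  # expired
```

The order of checks matters: the recipient trusts the user's public key only because a CA whose key is already in the trust store signed the certificate fields that contain it, and only then is the message signature checked with that key. Editing any field of the certificate (for example the subject name) invalidates the CA signature, which is what lets the hierarchy described above work with only the CA public keys being widely publicized.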

GETTING STARTED
The GemSAFE Kit
GemSAFE includes:
- GemSAFE smart card
- Gemplus smart card reader
- CD-ROM with GemSAFE software and documentation

Requirements
Platform
GemSAFE requires one of the following platforms:
- Windows 95 (16 MB RAM)
- Windows 98 (16 MB RAM)
- Windows 2000 RC2 or higher (64 MB RAM)
- Windows NT 4.0 SP3, SP4, SP5 (32 MB RAM)

Peripherals

GemSAFE requires the following peripherals:
- 10 MB hard drive space available
- Available COM or PCMCIA port
- CD-ROM drive
- PS/2 keyboard

Browser

GemSAFE also requires a Web browser. Minimum versions:
- Microsoft IE 4.01
- Netscape Communicator 4.5

NOTE: If you do not have either minimum version, you can obtain a standard or strong key length version from Microsoft at www.microsoft.com or Netscape at www.netscape.com.

Email Account

In order to use the secure email application provided with your Web browser, you need one of the following types of Internet email accounts:
- Post Office Protocol (POP) 3 account
- Internet Message Access Protocol (IMAP)-compatible account

NOTE: You only need an email account if you want to take advantage of the signature and encryption/decryption capabilities offered by GemSAFE.



Installation
Connecting the Card Reader

GemSAFE is easy to install and use. You must first connect your Gemplus card reader. Follow the instructions on the card reader packaging to connect your card reader to your computer. The GemPC400 card reader (GPR400) is designed for laptops; the GemPC410p card reader (GCR410p) is designed for desktops. Both card readers are plug-and-play readers certified by Microsoft. You do not need to turn off your computer prior to connecting your card reader. Upon connecting your reader, your system should detect and automatically install the new hardware. If your system does not automatically install the reader, access the Add/Remove Hardware Wizard in the Control Panel window to install it:
1. Click Start > Settings > Control Panel.
2. Double-click Add/Remove Hardware.
3. Follow the instructions for adding new hardware.

Installing GemSAFE

To install GemSAFE on Windows 2000, refer to the chapter on Windows 2000. The following installation is for users running Windows 95/98/NT.
1. Exit all Windows programs.
2. Insert your GemSAFE smart card into the card reader.
3. Insert the GemSAFE CD-ROM into your CD-ROM drive. The Setup.exe file runs automatically.
4. Confirm that you have exited all Windows programs and click Next.
5. The GemSAFE Setup program detects whether you have Microsoft Smart Card Base Components. If you do not have them, they are installed automatically.
6. If prompted, select the appropriate card reader driver and click Next.
   NOTE: If you are using Windows 95 or Windows 98, you can have only one smart card reader installed at a time. Uninstall the reader that you are not using.
7. If prompted, select the COM port into which you installed the card reader and click OK.
8. If prompted, specify a directory location in which to install GemSAFE. The default folder is C:\Program Files\GemSAFE\Tools. Click Browse to specify a different folder. Click Next after selecting a directory location.
   NOTE: Internet Explorer is automatically configured to work with GemSAFE. You can go ahead and restart your computer to activate GemSAFE components.
9. If you are using Netscape Navigator as a default browser, the GemSAFE Setup program prompts you to specify a Netscape User Profile to enable with GemSAFE. Netscape also requires you to confirm the installation of the Netscape security module (pk2priv.dll). Click OK to confirm the installation.
10. If you are using Netscape Communicator, you will be asked if you want to enable an additional Netscape User Profile. Click Yes or No, depending on your needs. You must install the security module for each Netscape User Profile you want to use with GemSAFE.
11. Restart your computer to activate GemSAFE components.
If GemSAFE is properly installed, the Light Emitting Diode (LED) on the GemPC410p reader stops flashing and remains lighted when the card is in the reader.


WINDOWS 2000
Windows 2000 makes it easy to take advantage of GemSAFE smart card security in an enterprise environment. With GemSAFE and Windows 2000, you gain the following security advantages:
- Secure logon
- Secure email
- Secure Web access

To learn more about GemSAFE with Windows 2000, visit: www.gemplus.com/windows put here when have info

Installation on Windows 2000

Smart Card Logon

Logging on to Windows 2000 with a smart card is fast and easy. Insert your smart card into the card reader and enter your PIN. The default User PIN for GemSAFE is 1234; it is the same on every card as shipped, so change it before you rely on the card for logon. Refer to the PIN Code Management section for more information.
NOTE: You must use a Smartcard User or Smartcard Logon certificate. Your network administrator enrolls the certificate that is appropriate for your system.

Lock and Unlock Computer

To lock your computer using your smart card:
Press Ctrl + Alt + Delete
Click Lock Computer
To unlock your computer using your smart card:
Press Ctrl + Alt + Delete
Insert your smart card into the card reader.
Enter your PIN.

Signing Macros

Office 2000 offers the capability to sign macros with your digital signature. In order to sign a macro with GemSAFE, you must use a digital certificate that is compatible with Microsoft Authenticode. You can use either of the following:
Verisign Class 2 or 3 digital certificate
Thawte Developer certificate

To sign a Visual Basic for Applications (VBA) macro:
1. Open the document that contains the macro you want to sign.
2. Open the Visual Basic Editor.
3. In Project Explorer, select the VBA project you want to sign.
4. Click Tools > Digital Signature > Choose
5. Highlight the certificate you want to use.
6. Click OK
7. Save your document. The signature is computed as part of the save.
8. Enter your User PIN when prompted.
9. Click OK

You can make changes to the file. When you save the document, your private key is used to re-sign it. Office 2000 automatically tries to re-sign projects that have already been signed. If you do not have the private key, Office warns you and saves the document without a signature.

Opening Signed Documents

When you open a document signed using Office 2000, a security warning is displayed. Click Details to review the author's certificate. Click Disable Macros to open the document without enabling the macros. Click Enable Macros to open the document with full functionality. From the security warning, you can check the box next to Always trust macros from this source. If you do, the security warning is not shown again for this publisher: every macro carrying a valid signature from that certificate is enabled without user intervention, so trust only authors whose signing key you are confident has not been shared or compromised.
NOTE: When Office 97 opens a document signed using Office 2000, you only receive the standard Office 97 security warning. Office 97 is not capable of reading digital signatures. To prevent you from inadvertently invalidating the signature, Office 97 does not allow you to edit the signed document. If you wish to edit the document, you must use Office 2000.

CERTIFICATE MANAGEMENT

Your Certificates

Obtain Your Certificate

You must have a digital certificate to activate your smart card. If you do not have a Certificate Authority (CA) to issue your certificate, click Certificate Authorities on the GemSAFE Web site (www.gemplus.com/gemsafe/) to find a list of compatible CAs. Some CAs offer free certificates for testing and demonstration purposes.
Contact a CA to obtain a certificate. You are only required to provide basic information such as your name and email address. Each CA has a similar process for obtaining a certificate.
You may be prompted to specify a key length. The default is typically the maximum length authorized for your country: at the time of writing, 1024 bits for the United States and Canada and 512 bits for all other areas. Choose the longest key the card and the CA allow; a 512-bit RSA key is within reach of factoring and should not be used where security matters.
Microsoft users are prompted to specify the Cryptographic Service Provider (CSP). You must choose Gemplus GemSAFE Card CSP. If you do not select the GemSAFE CSP, your private key and digital certificate are stored on your hard drive and not on your smart card.
Netscape users are also prompted to specify a CSP. You must choose GemSAFE Smart Card, or your certificate is stored on your hard drive and not on your smart card.
NOTE: If you do not obtain a certificate using Microsoft IE, you must register your certificate on any computer on which you want to use IE with your digital certificate. Refer to the Certificate Registration section in the Card Details Tool chapter for more information.

View Your Certificate

Internet Explorer

Your GemSAFE smart card can store up to four digital certificates. All of your certificates are displayed when you view your certificates.
Click Tools > Internet Options > Content > Certificates
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Personal
A list of your certificates is displayed.
Highlight the certificate you want to view.
Click View > Details
Select <All> from the Show dropdown list.

Highlight a certificate field to view field information in the bottom frame.

Outlook Express

Click Tools > Options > Security > Digital IDs
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Personal
Highlight the certificate you want to view.
Click View > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Outlook 2000

Click Tools > Options > Security > Setup Secure EMail
Click Choose in the Signing Certificate section.
Highlight the certificate you want to view.
Click View Certificate
Click Choose in the Encryption section.
Highlight the certificate you want to view.
Click View Certificate

Netscape Navigator

Click Security > Yours
Enter your smart card PIN.
A list of your certificates is displayed.
Highlight the certificate you want to view.
Click View
NOTE: If you are using Netscape Communicator, you can manage all digital certificates in the Security Info window. Access the Security Info window in Netscape Navigator by clicking Security on the Navigation Toolbar or the lock icon in the bottom left corner of the main Navigator window. Access the Security Info window in Messenger by clicking Communicator > Tools > Security Info or the lock icon in the bottom left corner of the main Messenger window.

Delete Your Certificate

You may want to delete one or more of your digital certificates under the following circumstances:
The certificate is expired.
You no longer use the certificate.
You need to free space on your smart card to enroll a new certificate or application.

NOTE: Outlook 2000 does not offer the option to delete your certificates.

Internet Explorer

Click Tools > Internet Options > Content > Certificates
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Personal
A list of your certificates is displayed.
Highlight the certificate you want to delete.
Click Remove
The previous commands remove your certificate from the browser's certificate store only. To remove it from the card, use the Card Details Tool:
Click Start > Programs > GemSAFE > GemSAFE Card Details Tool
Click Card
Click Reinitialize
WARNING: Reinitializing is the only way to remove a certificate from the card, and it erases all data on the card, including every certificate and its private key, not just the one you removed from the browser. Make sure you can re-enroll anything you still need before you do this.

Outlook Express

Click Tools > Options > Security > Digital IDs
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Personal
A list of your certificates is displayed.
Highlight the certificate you want to delete.
Click Remove
You must now remove the certificate from the card using the Card Details Tool.
Click Start > Programs > GemSAFE > GemSAFE Card Details Tool
Click Card
Click Reinitialize
WARNING: When you reinitialize your smart card, all certificates and PKCS objects on your smart card are erased!

Netscape Navigator

Click Security > Yours
A list of your certificates is displayed.
Highlight the certificate you want to delete.
Click Delete

User Certificates

User certificates are the digital certificates that belong to other people, the contacts to whom you can send secure email. User certificates must be listed in your Address Book (Outlook Express), Contacts (Outlook 2000), or Other People's Certificates list (Netscape) before you can send secure email to those recipients. Before you can add a user certificate, you must receive a signed email from the user or retrieve their certificate from a public directory. After the user has sent a signed email to you, verify the authenticity of the certificate by comparing the certificate retrieved from the public directory with the certificate attached to the user's email.
NOTE: When you send an encrypted email to a list of recipients, you need a certificate for each recipient, or the email is not delivered to anyone.

Add User Certificates

Before you can send encrypted email to a user, you must have the user's digital certificate. You can obtain the certificate in two ways:
Receive a signed email from the user. The signed email includes the user's digital certificate.
Obtain the user's certificate from a public directory.

Outlook Express

Outlook Express does not store certificates automatically. You must add user certificates to your Address Book from within the signed message you receive from the user.
Open the signed email.
Click Tools > Address Book
Highlight a contact name.
Click Properties > Digital IDs > Import
Select a Digital ID file to import.
Click Open
Click OK

Outlook 2000

Outlook 2000 does not store certificates automatically. You must add user certificates from within the signed message you receive from the user. In Outlook 2000, you must save user certificates in a Contacts folder rather than your Address Book.
Open the signed message.
Right-click in the From row.
Select Add to Contacts
Click the Certificates tab to verify that the certificate has been added.
Click Save and Close

Netscape Messenger

Netscape Messenger automatically stores certificates upon receiving signed messages. The email address of the sender is compared to the sender's certificate to verify a match. You can view/edit, verify, and delete recipient certificates from within Netscape.
Click Security > People

View User Certificates


Internet Explorer

View user certificate information to check the expiration date or verify the Certificate Authority.
Click Tools > Internet Options > Content > Certificates
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Other People
A list of certificates is displayed.
Highlight the certificate you want to view.
Click View > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Outlook Express

Click Tools > Options > Security > Digital IDs
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Other People
A list of certificates is displayed.
Highlight the certificate you want to view.
Click View > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Outlook 2000

Click View > Go To > Contacts
Double-click a contact name.
Click Certificates
A list of certificates for this user is displayed.
Highlight the certificate you want to view.
Click Properties > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Netscape Navigator

Click Security > People
Highlight the certificate you want to view.
Click View/Edit

Delete User Certificates

You may want to delete a user certificate under the following circumstances:
The certificate is expired.
The user has a new certificate.
You no longer communicate via secure email with the user.

Internet Explorer

Click Tools > Internet Options > Content > Certificates
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Other People
A list of certificates is displayed.
Highlight the certificate you want to delete.
Click Remove

Outlook Express

Click Tools > Options > Security > Digital IDs
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Other People
A list of certificates is displayed.
Highlight the certificate you want to delete.
Click Remove

Outlook 2000

Click View > Go To > Contacts
Double-click a contact name.
Click Certificates
A list of certificates for this user is displayed.
Highlight the certificate you want to delete.
Click Remove

Netscape Navigator

Click Security > People
Highlight the certificate you want to delete.
Click Delete

Public Directories

Obtaining certificates from a public directory is quick and efficient. It also allows you to send secure email to users even if you have not received a signed message from the user. After you receive a signed message from a user, you can compare the certificate in the message with the certificate obtained from a public directory to verify the authenticity of the certificate.

Outlook Express

Click Edit > Find > People
Select a directory from the Look in dropdown list.
Enter search criteria.
Click Find Now
NOTE: You can also access the Find People dialog box by clicking Tools > Address Book > Find People

Outlook 2000

Outlook 2000 is not configured to provide public directory searches automatically. However, you can add directory services in which to search for users and their corresponding certificates. To add a directory service:
Click Tools > Accounts > Directory Service > Add > Directory Service
Enter an Internet directory server name and click Next.
Click the Yes radio button if you want to use this directory to search for users.
NOTE: You may need to consult your Internet Service Provider to obtain directory server names, and the login and password needed to access the directory.

To search for a user in a public directory:
Click the Inbox icon.
Click New to open a new message.
Click To > Find
Select a directory from the Look in dropdown list.
Enter search criteria.
Click Find Now
Upon finding a user, click Properties to view user information and import the user certificate.

Netscape Navigator

Click Security > People > Search Directory
Select a directory in which to search from the Directory dropdown list.
Enter the exact email address of the intended recipient.
Click Search

Web Site Certificates

Every time you attempt to establish a session with a secure server, your browser automatically initiates the SSL handshake. In response, the server sends the Web site's digital certificate and proves that it holds the matching private key. The SSL session continues only if the server's certificate is valid. Web sites that request your certificate provide their certificate to you for authentication.
Both Microsoft and Netscape browsers offer the option to save Web site certificates. The benefit of saving a Web site certificate is faster access to the site when you return: the browser does not have to verify the certificate again the next time you connect.
You may choose to access a Web site without verifying its certificate, either for a single session or permanently. Warning messages remind you of the risks: without a verified certificate you have no assurance of who is at the other end of the connection, and anyone positioned between you and the site can read or alter everything the session carries. Refer to your browser documentation for more information.


View Web Certificates


Internet Explorer

Display Web server certificate information, including the algorithm used to encrypt the secure page.
Access a secure Web site.
Click File > Properties > Certificates > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Netscape Navigator

Access a secure Web site.
Click View > Page Info
The Certificate field in the bottom frame displays certificate details.

Install Web Site Certificates


Internet Explorer

You can install Web site certificates to reduce the amount of time it takes to access the secure site on your return visit.
Access a secure Web site.
Click File > Properties > Certificates > Install Certificate
The Certificate Manager Import Wizard guides you through the installation process.
After installing a certificate, you can verify the installation by viewing the certificate. Refer to the previous section for instructions.

Netscape Navigator

Netscape automatically prompts you to store Web site certificates upon connecting to a secure server.

Select Your Certificate for the Web

Internet Explorer

If you have more than one certificate, configure your browser to use a specific certificate for connecting to secure Web sites. Internet Explorer uses the default certificate specified for client authentication. If you have more than one certificate specified for client authentication, you are prompted to choose a certificate upon entering a secure Web site that requests one.
You can verify that you have a certificate specified for client authentication.
Click Tools > Internet Options > Content > Certificates
Select <All> from the Intended purpose dropdown list.
A list of certificates is displayed. The certificates in the list can be used for all purposes, including client authentication.
Select Client Authentication from the Intended purpose dropdown list to view certificates that are ONLY intended for client authentication.

Netscape Navigator

Click Security > Navigator
You have two choices:
Ask Every Time, in which you specify a certificate every time you connect to a secure server that requests client authentication.
Select Automatically, in which you select and use a default certificate for client authentication.

Certificate Authorities

CAs are trusted organizations that issue and manage digital certificates. A CA signs every certificate it issues; if you hold and trust the CA's own certificate, you can verify that signature and thereby the authenticity of a user or server certificate. When you first try to access a secure Web site or receive a secure email, you may receive a message stating that the CA that signed the server's certificate is unknown. This means that your browser does not have a certificate for this CA. You must add the CA certificate to your list if you want to proceed with a secure Web session or verify a user's certificate; do so only after checking its fingerprint as described in Add CAs and CA Integrity.

View CAs

Your browser accepts some CAs by default. You can view the CAs that your browser is automatically configured to accept. Certificate Authorities are categorized as either Intermediate Certification Authorities or Trusted Root Certification Authorities. Most of the CAs that you add to your browser are Intermediate Certification Authorities. Trusted Root Certification Authorities are the highest authority in the certification hierarchy and provide certificates to the Intermediate Certification Authorities.

Internet Explorer

Click Tools > Internet Options > Content > Certificates
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Intermediate Certification Authorities or Trusted Root Certification Authorities
A list of certificates is displayed.
Highlight the certificate you want to view.
Click View > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Outlook Express

Click Tools > Options > Security > Digital IDs
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Intermediate Certification Authorities or Trusted Root Certification Authorities
A list of certificates is displayed.
Highlight the certificate you want to view.
Click View > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Outlook 2000

Outlook 2000 does not provide a means for you to view a complete list of accepted Certificate Authorities. However, you can view the CA certificates for the user certificates that you have. (Recall that all user certificates are issued by a CA and, in many cases, a hierarchy of CAs.)
Click View > Go To > Contacts
Double-click a contact name.
Click Certificates
A list of certificates for this user is displayed.
Highlight the certificate you want to view.
Click Properties > Certification Path
Highlight the CA certificate you want to view.
Click View Certificate > Details
Select <All> from the Show dropdown list.
Highlight a certificate field to view field information in the bottom frame.

Netscape Navigator

Click Security > Signers
You can also view the properties, such as the CA fingerprint and expiration date, of a specific CA certificate.
Click Security > Signers
Highlight the CA certificate you want to view.
Click Edit


Add CAs

Add a CA to the list of CAs in your browser.
1. Download a CA certificate from the CA Web site.
2. Verify certificate integrity by checking that the fingerprint (a digest of the certificate) matches the fingerprint sent to you independently, for example printed in the CA's documentation or read to you over the phone. A fingerprint fetched from the same Web page as the certificate proves nothing, because both could have been replaced together.

Internet Explorer

The New Site Certificate dialog box prompts you to enable the certificate and specify the usages for which it is trusted. Enabling a usage makes every certificate this CA issues acceptable for that purpose, so check only the usages you actually need; the guide's default is all four.
Check Enable Certificate
Check the usages (Issuer Types) you need:
Network client authentication
Network server authentication
Secure email
Software publishing
Click OK
The message Do you want to ADD the following certificate to the Root Store? is displayed.
Click Yes

Netscape Navigator

The New Certificate Authority dialog box prompts you to accept this CA. Check the usages you need; the guide's default is all three.
Network sites
Email users
Software developers

Delete CAs

Delete a CA certificate from your browser or email application. Microsoft users should exercise caution when deleting a Trusted Root Certification Authority: certificates issued by any Intermediate Certification Authority under that root stop verifying, so access to sites and email that chain to it is affected.
NOTE: Outlook 2000 does not offer the option to delete CA certificates.

Internet Explorer

Click Tools > Internet Options > Content > Certificates
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Intermediate Certification Authorities or Trusted Root Certification Authorities
A list of certificates is displayed.
Highlight the certificate you want to delete.
Click Remove

Outlook Express

Click Tools > Options > Security > Digital IDs
Select <All> from the Intended purpose dropdown list. You can also select Secure Email or Client Authentication if you are certain for what purpose the certificate has been intended.
Click Intermediate Certification Authorities or Trusted Root Certification Authorities
A list of certificates is displayed.
Highlight the certificate you want to delete.
Click Remove

Netscape Navigator

Click Security > Signers
Highlight the CA certificate you want to delete.
Click Delete

CA Integrity

The CA certificate contains the CA's public key, and every signature the CA makes is verified with that key, so a CA certificate is only as trustworthy as the copy you installed. Confirm that copy before trusting it: compare the fingerprint (digest) of the CA certificate in your browser with the fingerprint published by the CA through a channel independent of the download, such as the CA's printed documentation or a public directory, or email the CA and ask for it. Do not rely on a fingerprint shown on the same Web page the certificate came from.
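The fingerprint check described in Add CAs (step 2) and in this section, as an added example in Python; it is not GemSAFE or browser code. It reads the downloaded PEM file, hashes the DER bytes (a fingerprint is a digest of the encoded certificate, not of the PEM text), and compares the result with the value obtained out of band in constant time, accepting either a SHA-1 or a SHA-256 fingerprint and refusing the 32-digit MD5 form. SAMPLE_DER is a constructed byte string standing in for a certificate so the example runs offline; in practice pass the contents of the .cer file you downloaded to fingerprint_matches().

```python
"""Verify a downloaded CA certificate against an out-of-band fingerprint.
Added example, not GemSAFE code.  The fingerprint is a hash of the DER
bytes, so PEM armour is removed first; the comparison normalises the
colon / space / case differences between tools and is constant-time."""
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here to build the sample input)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the certificate's DER encoding."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("use sha1 or sha256; MD5 fingerprints are not collision-resistant")
    digest = hashlib.new(algorithm, pem_to_der(pem)).digest()
    return ":".join(f"{b:02X}" for b in digest)

def normalize(fp: str) -> str:
    """Strip separators and case so '1a:2b', '1A 2B' and '1a2b' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def fingerprint_matches(pem: str, expected: str) -> bool:
    """True only if the certificate's fingerprint equals the out-of-band value.
    The digest length selects the algorithm (40 hex digits = SHA-1, 64 = SHA-256);
    anything else, including a 32-digit MD5 fingerprint, is rejected."""
    digits = normalize(expected)
    algorithm = {40: "sha1", 64: "sha256"}.get(len(digits))
    if algorithm is None:
        return False
    return hmac.compare_digest(normalize(fingerprint(pem, algorithm)), digits)

# Constructed sample input: NOT a real certificate, just bytes to hash so the
# example runs offline.  Real input is the .cer/.crt file downloaded from the CA.
SAMPLE_DER = bytes(range(64)) + b"GemSAFE sample CA (constructed, not a real certificate)"
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    published = fingerprint(SAMPLE_PEM)          # value you would get from the CA's documentation
    print("SHA-256 fingerprint:", published)
    print("matches published value:", fingerprint_matches(SAMPLE_PEM, published))
```

The algorithm is chosen from the length of the value you were given rather than from a caller flag, so a SHA-1 fingerprint printed in older CA documentation is still checked against a SHA-1 digest rather than silently failing or, worse, being accepted without a check.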


SECURE EMAIL

GemSAFE makes sending secure email easy. There are a few simple steps you need to follow before sending GemSAFE-secured email. You must first link the digital certificate you want to use with your email account. Afterward, you can set default security settings.

Link Your Certificate

Outlook Express

Click Tools > Accounts > Mail
A list of your email accounts is displayed.
Highlight the email account for which you want to define properties.
Click Properties > Security
Verify that the box next to Use a digital ID when sending secure messages from is checked. If the box is grayed out, check that the email address in your certificate matches the email address configured for the Outlook Express account.
Click Digital ID
Highlight the digital certificate you want to associate with this email account.
Click OK
NOTE: You may be prompted to enter the PIN for your GemSAFE card. The default PIN is 1234.

Outlook 2000

Click Tools > Options > Security > Setup Secure EMail
Click Choose in the Signing Certificate section.
Select a certificate for signing data.
Click OK
Click Choose in the Encryption Certificate section.
Select a certificate for encrypting data.
Click OK
Click Apply

Netscape Messenger

Click Communicator > Tools > Security Info > Messenger
Select a digital certificate from the Certificate for your Signed and Encrypted Messages dropdown list.


Secure Email Settings


Outlook Express

You can configure default security settings to digitally sign and/or encrypt the contents and attachments of all outgoing messages.
Click Tools > Options > Security
Place a checkmark beside Encrypt contents and attachments for all outgoing messages.
Place a checkmark beside Digitally sign all outgoing messages.
Click Apply
You can change the message settings for a single message from within the message.
Click Tools
Click Encrypt
Click Digitally Sign
NOTE: A checkmark beside Encrypt or Digitally Sign indicates that the option is active.

Outlook 2000

Click Tools > Options > Security
The following secure email options are available:
Encrypt contents and attachments for outgoing messages. Check this option to encrypt the contents and attachments of all outgoing messages.
Add digital signature to outgoing messages. Check this option to add your digital signature to all outgoing messages.
Send clear text messages. Check this option to let recipients whose email applications do not support S/MIME signatures read your signed messages, without verifying the digital signature.

Click Setup Secure EMail
Refer to your email application documentation to create a Security Settings Name.
Select S/MIME from the Secure Message Format dropdown list.
Click Choose in the Signing Certificate section to display your digital certificate. If you have more than one certificate, select a certificate for signing data.
Click OK
Select an algorithm for signing data from the Hash Algorithm dropdown list.
Click Choose in the Encryption Certificate section to display your digital certificate. If you have more than one certificate, select a certificate for encrypting data.
Click OK
Select an algorithm for encrypting data from the Encryption Algorithm dropdown list.
If you want to send your digital certificate with all signed email, check the box next to Send these certificates with signed messages.
NOTE: Microsoft applications use the default certificate. If you want to use a different certificate, change the default before sending a secure email.

Netscape Messenger

Click Communicator > Tools > Security Info > Messenger
Place a checkmark beside Encrypt mail messages.
Place a checkmark beside Sign mail messages.
You can change the message settings for a single message from within the message.
Click View > Options
Check or uncheck Encrypted
Check or uncheck Signed
NOTE: A checkmark beside Encrypted or Signed indicates that the option is active.

Change Session Key Length

Export regulations and national law dictate maximum session key lengths. At the time of writing, the maximum session key length in the United States and Canada is 128 bits for both Microsoft IE and Netscape Navigator, and 40 bits for the international version of both browsers. If you are sending a message internationally, you may need to change the session key length (or encryption algorithm) so that the recipient has the cryptographic capacity to decrypt your message. Be aware that a 40-bit key space can be searched exhaustively on ordinary hardware, so a message encrypted at that strength should be regarded as readable by anyone who captures it.

Outlook Express

Click Tools > Options > Security > Advanced Settings
Select an encryption algorithm from the Encryption level you wish to receive dropdown list.

Outlook 2000

Click Tools > Options > Security > Setup Secure EMail
Select an algorithm for signing data from the Hash Algorithm dropdown list.
Select an algorithm for encrypting data from the Encryption Algorithm dropdown list.

Netscape Messenger

Click Communicator > Tools > Security Info > Messenger
In the right column, scroll to Advanced S/MIME Configuration.
Click Select S/MIME Ciphers
Select a session key length.

Test Secure Email

Use your GemSAFE smart card to send and receive secure email. The following instructions let you test sending secure email.
1. View your digital certificate to verify that your email address matches the address on your digital certificate.
2. Start your email application (Outlook Express, Outlook 2000, or Netscape Messenger).
3. Send a signed email to yourself.
4. Upon receiving the signed email, add the user (yourself) to your Address Book (Outlook Express) or Contacts folder (Outlook 2000). Refer to the Add User Certificates section for instructions. Skip this step if you are using Netscape Messenger.
5. Reply to yourself with an encrypted message.
Congratulations! You have just sent your first encrypted email. The cryptographic computations are transparent to both sender and receiver.

Send Secure Email

When you send a secure email, you can elect to sign or encrypt the email from within the message. You must have a user's certificate before you can send encrypted email to them. Refer to the User Certificates section for instructions on obtaining user certificates.
Both Microsoft and Netscape mail clients automatically check that the address to which you are writing corresponds to the email address in the recipient's certificate. Similarly, when you receive a signed message, your application checks that the email address of the sender matches the address in the sender's certificate.

Outlook Express

Click New Mail
Address the email to a recipient.
Click Tools
Check or uncheck Encrypt
Check or uncheck Digitally Sign
NOTE: You can also click the Encrypt and/or Digitally Sign icons on the toolbar.

Outlook 2000

Click New to open a new message.
Address the message to a recipient.
Click Options.
Check or uncheck Encrypt message contents and attachments.
Check or uncheck Add digital signature to outgoing message.
Click Close

Netscape Messenger

Click New Msg (New Message)
Address the email to a recipient.
Click View > Options
Check or uncheck Encrypted.
Check or uncheck Signed.
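The sender-address check that Send Secure Email says the mail clients perform on receipt, as an added Python example; it is not GemSAFE, Outlook or Netscape code. A certificate can bind an email address in two places: the emailAddress attribute of the subject name (OID 1.2.840.113549.1.9.1) and rfc822Name entries in the subjectAltName extension (OID 2.5.29.17). The minimal DER walker below finds both, and sender_matches() compares them with the From: header. Because no real certificate appears on the page, sample_certificate() builds a constructed, unsigned TBSCertificate skeleton with the same DER encoder; a real check would run on the DER of the signer's certificate taken from the S/MIME signature, after the signature itself has verified. The case-insensitive comparison of the whole address is an assumption about client behaviour, not a statement from the guide.

```python
"""Sender-address check for signed mail (added example, not product code).
The walker only understands tag/length/value nesting; it does not verify
anything.  Two address bindings are extracted: the subject's emailAddress
attribute (IA5String following OID 1.2.840.113549.1.9.1) and rfc822Name
entries ([1] IMPLICIT IA5String) inside the subjectAltName extension."""

OID_EMAIL_ADDRESS = bytes.fromhex("2A864886F70D010901")  # 1.2.840.113549.1.9.1
OID_SUBJECT_ALT_NAME = bytes.fromhex("551D11")           # 2.5.29.17

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body

def tlv_iter(data: bytes):
    """Yield (tag, value) for each TLV at the top level of data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def _collect(data: bytes, found: list) -> list:
    """Recurse through constructed TLVs, collecting bound email addresses."""
    prev_oid = None
    for tag, value in tlv_iter(data):
        if tag == 0x06:                         # OBJECT IDENTIFIER: remember it
            prev_oid = value
        elif tag == 0x16 and prev_oid == OID_EMAIL_ADDRESS:   # IA5String after emailAddress
            found.append(value.decode("ascii"))
        elif tag == 0x04 and prev_oid == OID_SUBJECT_ALT_NAME:
            # extnValue OCTET STRING wraps GeneralNames; rfc822Name is tag 0x81
            for gtag, general_names in tlv_iter(value):
                if gtag == 0x30:
                    for ntag, name in tlv_iter(general_names):
                        if ntag == 0x81:
                            found.append(name.decode("ascii"))
        if tag & 0x20:                          # constructed type: descend
            _collect(value, found)
    return found

def certificate_emails(cert_der: bytes) -> list:
    """All email addresses bound in the certificate, subject first."""
    return _collect(cert_der, [])

def sender_matches(cert_der: bytes, from_header: str) -> bool:
    """True if the From: address is one the certificate binds.  A display
    name is stripped; the comparison is case-insensitive for the whole
    address, which is how the mail clients behave (assumption)."""
    addr = from_header.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    addr = addr.strip().lower()
    return any(addr == bound.strip().lower() for bound in certificate_emails(cert_der))

# ---- constructed stand-in certificate (not real, not signed) ----

def _subject(email: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, one emailAddress RDN."""
    atv = der(0x30, der(0x06, OID_EMAIL_ADDRESS) + der(0x16, email.encode("ascii")))
    return der(0x30, der(0x31, atv))

def _san_extensions(emails) -> bytes:
    """[3] EXPLICIT Extensions holding one subjectAltName with rfc822Name entries."""
    names = b"".join(der(0x81, e.encode("ascii")) for e in emails)
    extension = der(0x30, der(0x06, OID_SUBJECT_ALT_NAME) + der(0x04, der(0x30, names)))
    return der(0xA3, der(0x30, extension))

def sample_certificate(subject_email: str, san_emails) -> bytes:
    """TBSCertificate skeleton (version, subject, extensions) in the outer
    SEQUENCE: enough structure for the walker, nothing a verifier would accept."""
    tbs = der(0x30, der(0x02, b"\x01") + _subject(subject_email) + _san_extensions(san_emails))
    return der(0x30, tbs)

if __name__ == "__main__":
    cert = sample_certificate("alice@example.com", ["alice@example.com", "a.smith@example.com"])
    print(certificate_emails(cert))
    print(sender_matches(cert, "Alice Smith <Alice@Example.COM>"))   # True
    print(sender_matches(cert, "Mallory <mallory@example.com>"))     # False
```

A signature that verifies but whose certificate binds a different address than the From: header should be treated as unverified: the cryptography only proves that some key holder signed the message, and it is this comparison that ties the key holder to the sender you see.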


SECURE WEB SITES


Communicating and conducting business on the Web is quickly becoming the most convenient, effective means of transaction. Web sites, therefore, must be secure to protect the corporation, the individual, and the information.
Use your GemSAFE smart card to connect to a secure Web site. If the Web server requests user authentication, your GemSAFE smart card can respond to the request: the browser presents your digital certificate and the card performs the signature with your private key.
Before attempting to establish a session with a secure Web site, make sure you meet the requirements.
1. Your browser must have a certificate on file for the CA that issued the secure Web site's certificate.
2. If user authentication is requested, you must have your digital certificate specified in your browser. You can verify this by viewing your certificate. Refer to View Your Certificate for instructions.
NOTE: All secure Web site addresses begin with https://. Both Microsoft and Netscape browsers display a lock icon at the bottom of the browser window. A closed lock indicates that you are operating in secure mode. An open lock indicates that you are not operating in secure mode.
Refer to the Web Site Certificates section for more information about Web site certificates.

Test User Authentication

Use your GemSAFE smart card to test user authentication functionality.
1. Go to www.verisign.com/demos/.
2. Insert your smart card into the card reader.
3. Follow the instructions to test user authentication.

CARD DETAILS TOOL

The Card Details Tool is a simple administration tool for GemSAFE smart cards. To access the GemSAFE Card Details Tool:
1. Insert your GemSAFE smart card into your card reader.
2. Click Start > Programs > GemSAFE > GemSAFE Card Details Tool
3. Highlight GEMPLUS GemCore Based readers.
4. Click OK
5. Enter your smart card User PIN. The default User PIN is 1234.
6. Click Verify
If you entered the correct User PIN, the Card Details Tool will display the card information available from the Card Details Tool Examine service. Click OK to close this window and access the GemSAFE Card Details Tool application window.
NOTE: You can also access the GemSAFE Card Details Tool in the Control Panel window.
Click Start > Settings > Control Panel
Double-click Card Details Tool
To exit the GemSAFE Card Details Tool:
Click Device > Exit

Services

The Card Details Tool offers the following services:
Card selection
Card release
Certificate registration
PIN code management
Card information
Card initialization
Diagnostic information
Refer to the appropriate section to learn more about each service.

Card Selection

If you have released a card and want to reactivate it, you must select the card.
Insert your card into the card reader.
Click Device > Select Card
Highlight GEMPLUS GemCore Based readers.
Click OK
Enter your smart card User PIN. The default User PIN is 1234.
Click Verify
If you entered the correct User PIN, the Card Details Tool will display the card information available from the Card Details Tool Examine service. Click OK to close this window and access the GemSAFE Card Details Tool application window.

Card Release

This service is primarily designed for users who have more than one card reader connected to their system. You must end the session with (release) the card in one reader before you can open a session with a card in a different card reader. Users who have only one card reader may also use this service to close the session with the smart card inserted in the card reader.
To release a card:
Click Device > Release Card

Certificate Registration

You must register your certificate on every computer on which you want to use your certificate with Microsoft IE, Outlook Express, or Outlook 2000. You do not need to register your certificate on the computer that you used to download the certificate if you used Internet Explorer to obtain the certificate.
Click Certificate > Register

PIN Code Management

Your GemSAFE card is protected by a PIN, which must be four to eight alphanumeric characters. The default User PIN is 1234. Use the GemSAFE Card Details Tool to access PIN code management. You can verify, change, and unblock PIN codes.

Verify PINs

Use the Verify service to verify your PIN code. Use this service after you have changed your User or Administrator PIN. Recall that after three failed attempts to verify the User PIN your card is blocked. After three failed attempts to verify the Administrator PIN, you cannot access or use your smart card. It is impossible to unblock the Administrator PIN.

Click PIN > Verify
Select the appropriate radio button.
Enter the PIN.
Click Verify

Change PINs

You can change both the User and Administrator PINs. Be sure to remember your new PIN!
Click PIN > Change
Select the appropriate radio button.
Enter your Old PIN.
Enter your New PIN.
Enter New PIN to Confirm PIN.
Click Change

Unblock PINs

Use the Administrator PIN to unblock the User PIN. The default Administrator PIN is 1234. You have three attempts to unblock a User PIN. After three failed attempts, you cannot access or use the card. Be careful!
Click PIN > Unblock
Enter the Admin PIN.
Enter the New PIN.
Enter New PIN to Confirm PIN.
Click Unblock

Card Information

You can view your card information, such as encryption algorithm and certificate expiration date, from within your browser or the Card Details Tool.
Click Card > Examine
NOTE: You must release and reselect your GemSAFE card using the Card Details Tool to view any changes to your card after your initial logon. You can release and select your card from the Device menu.
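The PIN rules described under PIN Code Management, Verify PINs and Unblock PINs (three attempts per PIN, a blocked User PIN recoverable only with the Administrator PIN, an Administrator PIN that can never be unblocked) as an added worked model in Python. This is not GemSAFE's own code and does not talk to a card; it is a host-side state machine written here so that the consequence of each failed attempt is explicit. The class, method and exception names are this example's own, and the scenario in walk_through() is constructed.

```python
import hmac


class PinBlocked(Exception):
    """Raised when an operation needs a PIN whose retry counter has reached zero."""


class GemSafePinModel:
    """Model of the retry behaviour the guide describes (example code, not card code).

    - Both PINs start with the default value 1234 and three remaining attempts.
    - A correct presentation resets that PIN's counter to three.
    - Three wrong User PINs block the User PIN; PIN > Unblock with the
      Administrator PIN sets a new User PIN and clears the block.
    - Three wrong Administrator PINs leave the card unusable; nothing unblocks it.
    """

    MAX_TRIES = 3

    def __init__(self, user_pin="1234", admin_pin="1234"):
        self._user_pin = self.validate_pin(user_pin)
        self._admin_pin = self.validate_pin(admin_pin)
        self.user_tries_left = self.MAX_TRIES
        self.admin_tries_left = self.MAX_TRIES

    @staticmethod
    def validate_pin(pin):
        """A PIN must be four to eight alphanumeric characters."""
        if not isinstance(pin, str) or not (4 <= len(pin) <= 8) or not pin.isalnum():
            raise ValueError("PIN must be 4 to 8 alphanumeric characters")
        return pin

    @staticmethod
    def _same(presented, stored):
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        return hmac.compare_digest(str(presented).encode(), stored.encode())

    @property
    def user_blocked(self):
        return self.user_tries_left == 0

    @property
    def card_unusable(self):
        return self.admin_tries_left == 0

    def verify_user(self, pin):
        """PIN > Verify (User). True on success; a failure consumes one attempt."""
        if self.user_blocked:
            raise PinBlocked("User PIN blocked: use PIN > Unblock with the Administrator PIN")
        if self._same(pin, self._user_pin):
            self.user_tries_left = self.MAX_TRIES
            return True
        self.user_tries_left -= 1
        return False

    def verify_admin(self, pin):
        """PIN > Verify (Administrator). The third failure makes the card unusable."""
        if self.card_unusable:
            raise PinBlocked("Administrator PIN blocked: the card can no longer be used")
        if self._same(pin, self._admin_pin):
            self.admin_tries_left = self.MAX_TRIES
            return True
        self.admin_tries_left -= 1
        return False

    def change_user_pin(self, old_pin, new_pin):
        """PIN > Change (User): the old PIN must verify before the new one is set."""
        new_pin = self.validate_pin(new_pin)
        if not self.verify_user(old_pin):
            return False
        self._user_pin = new_pin
        return True

    def unblock_user_pin(self, admin_pin, new_pin):
        """PIN > Unblock: a correct Administrator PIN sets a new User PIN and
        restores its three attempts; a wrong one costs an Administrator attempt."""
        new_pin = self.validate_pin(new_pin)
        if not self.verify_admin(admin_pin):
            return False
        self._user_pin = new_pin
        self.user_tries_left = self.MAX_TRIES
        return True


def walk_through():
    """Constructed scenario: block the User PIN, recover it, then lose the card."""
    card = GemSafePinModel()
    for _ in range(3):
        card.verify_user("0000")            # three wrong User PINs
    blocked = card.user_blocked             # True: the User PIN is now blocked
    recovered = card.unblock_user_pin("1234", "5678") and card.verify_user("5678")
    for _ in range(3):
        card.verify_admin("9999")           # three wrong Administrator PINs
    return blocked, recovered, card.card_unusable
```

The asymmetry the model makes visible is the point of the guide's "Be careful!": each wrong Administrator PIN presented during an unblock attempt is spent from the one counter that cannot be reset, so a user who keeps guessing the Administrator PIN turns a recoverable situation into a card that must be replaced.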

Card Initialization

Initialize your card to remove all information from the card. This service erases your keys, certificates, and all applications on the card. You must verify your User PIN before initializing a card. A warning reminds you of the severity of performing this service.

Click Card > Reinitialize
WARNING: When you reinitialize your smart card, all data on your card, including your certificate, is erased!

Diagnostic Information

Use this service to display system information such as GemSAFE, PC/SC, card reader, and Internet component versions.
Click Diagnostic

EXPORT REGULATIONS
GemSAFE provides the strongest commercially available security for Web browsers. Both Microsoft Internet Explorer and Netscape Communicator are subject to export regulations. GemSAFE provides security commensurate to the cryptographic capability of both products. The difference between the US/Canada and international versions is the length of the RSA key pair, which directly affects cryptographic capability. The US/Canada version of GemSAFE cannot be exported outside of the United States or Canada without export approvals from the Department of Commerce and Bureau of Export Authority, respectively. The international version of GemSAFE is available for use worldwide except in countries subject to export control restrictions including: Cuba, India, Iran, Iraq, Libya, North Korea, Pakistan, Sudan, and Syria. France, Israel, Russia and South Africa have import restrictions on cryptography. France and Singapore require vendors to obtain a license before importing cryptographic devices. Consult the export/import agency in your country for more information.


ABOUT GEMPLUS
Gemplus leads the world in smart card solutions. Gemplus applies innovative smart card technology to offer both the hardware and software your enterprise needs to establish and maintain the best digital security for your network. Gemplus manufactures magnetic stripe cards, memory and microprocessor based cards, smart contactless cards, electronic smart labels and smart objects. All products manufactured by Gemplus can be customized to meet your specific needs. With Gemplus, you get the best smart card security system tailored for you based on Gemplus expertise and your needs. Gemplus' newest endeavor is creating software for smart card-based solutions. Corporate enterprise can take advantage of products such as GemSAFE Enterprise, the perfect and necessary complement to PKI networks. Developers can benefit from GemSAFE Software Development Kit, which provides the environment and tools to develop smart card applications based on industry standards. To learn more about Gemplus, visit www.gemplus.com.


TERMINOLOGY

Abbreviations and Acronyms

CA        Certificate Authority
CSP       Cryptographic Service Provider
ID        Identification
IE        Internet Explorer
IMAP      Internet Message Access Protocol
LED       Light Emitting Diode
PC/SC     Personal Computer/Smart Card
PIN       Personal Identification Number
POP       Post Office Protocol
RSA       Rivest, Shamir, Adleman (inventors of public key cryptography standards)
S/MIME    Secure/Multipurpose Internet Mail Extensions
SSL       Secure Sockets Layer

Glossary

Algorithm
A mathematical formula used to perform computations that can be used for security purposes.

Certificate
A certificate provides identification for secure transactions. It consists of a public key and other data, all of which have been digitally signed by a CA. It is a condition of access to secure email or to secure Web sites.

Certificate Authority
An entity with the authority and methods to certify the identity of one or more parties in an exchange (an essential function in public key cryptosystems).

Cryptography
The science of transforming confidential information to make it unreadable to unauthorized parties.

Digital Signature
A data string produced using a Public Key Cryptosystem to prove the identity of the sender and the integrity of the message.

Encryption
A cryptographic procedure whereby a legible message is encrypted and made illegible to all but the holder of the appropriate cryptographic key.

Fingerprint
A compressed version of the message, or digest.

Interoperability
The ability of products manufactured by different companies to operate correctly with one another.

Key
A value that is used with a cryptographic algorithm to encrypt, decrypt, or sign data. Secret key cryptosystems use only one secret key. Public key cryptosystems use a public key to encrypt data and a private key to decrypt data.

Key Length
The number of bits forming a key. The longer the key, the more secure the encryption. Government regulations limit the length of cryptographic keys.

Public Key Cryptosystem
A cryptographic system that uses two different keys (public and private) for encrypting data. The most well-known public key algorithm is RSA.

SSL
Security protocol used between servers and browsers for secure Web sessions.

SSL Handshake
The SSL handshake, which takes place each time you start a secure Web session, identifies the server. This is automatically performed by your browser.

S/MIME
Standard offline message format for use in secure email applications.
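The Glossary entries Digital Signature, Fingerprint, Key, Key Length and Public Key Cryptosystem fit together in one small worked example, added here and not taken from the guide or from Gemplus: a key pair is generated, the message fingerprint (its digest) is signed with the private key, and anyone holding the public key can check the result against a fresh digest of what they received. It is textbook RSA on the raw digest, written in Python with only the standard library; the padding, encodings and certificate handling that real S/MIME and SSL implementations add are left out, so it shows the principle rather than serving as a usable signer, and 512-bit keys are chosen only so it runs in well under a second. All function names are this example's own.

```python
import hashlib
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test after cheap trial division."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has the intended length."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((e, n), (d, n)): the public key and the private key.
    512 bits is far too short for real use; see the lead-in."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        e = 65537
        if gcd(e, phi) == 1:
            d = pow(e, -1, phi)     # modular inverse of e (Python 3.8+)
            return (e, n), (d, n)


def key_length(public_key):
    """The Key Length glossary entry: the number of bits in the modulus."""
    return public_key[1].bit_length()


def fingerprint(message):
    """The Fingerprint glossary entry: a fixed-size digest of the message."""
    return hashlib.sha256(message).digest()


def sign(message, private_key):
    """Digital Signature: the fingerprint raised to the private exponent mod n."""
    d, n = private_key
    h = int.from_bytes(fingerprint(message), "big")
    if h >= n:
        raise ValueError("modulus too small to carry the digest")
    return pow(h, d, n)


def verify(message, signature, public_key):
    """Verification: the public exponent recovers the fingerprint, which must
    equal a freshly computed digest of the message actually received."""
    e, n = public_key
    h = int.from_bytes(fingerprint(message), "big")
    return 0 < signature < n and pow(signature, e, n) == h


if __name__ == "__main__":
    public, private = generate_keypair()
    note = b"Reply to yourself with an encrypted message."
    sig = sign(note, private)
    print("key length:", key_length(public), "bits")
    print("valid on original:", verify(note, sig, public))
    print("valid on altered :", verify(note + b"!", sig, public))
```

Two things the glossary states become concrete here: changing a single byte of the message changes its fingerprint, so the recovered digest no longer matches and verification fails, which is the integrity property; and a signature checks only under the public key that pairs with the private key that made it, which is the identity property the certificate then ties to a named person.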

SPECIFIC WARNING NOTICE

All information herein is either public information or is the property of and owned solely by Gemplus who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemplus information. This document can be used for informational, non-commercial, internal and personal use only provided that:
the copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies;
this document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemplus makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemplus reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. GEMPLUS HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION CONTAINED HEREIN, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
IN NO EVENT SHALL GEMPLUS BE LIABLE, WHETHER IN CONTRACT, TORT OR OTHERWISE, FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO DAMAGES RESULTING FROM LOSS OF USE, DATA, PROFITS, REVENUES, OR CUSTOMERS, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION CONTAINED IN THIS DOCUMENT.

Copyright GEMPLUS, 1999.
Smart Cards and Smart Card Readers are patent protected by Innovatron and Bull CP8 and are produced by GEMPLUS under license.
GemSAFE is a trademark of Gemplus, Inc. Gemplus is a registered trademark of Gemplus, Inc. Adobe Acrobat Reader is a registered trademark of Adobe Systems, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corp. Netscape Communicator and Netscape Messenger are registered trademarks of Netscape Communications Corp.
Printed in France.
GEMPLUS, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90
Document Reference: GFGUG121
