HP BRIO BA400, BRIO BA600, BRIO BA200, KAYAK XM600, KAYAK XU800 User Manual

GemSAFE
User Guide
Version 2.1
CONTENTS
INTRODUCTION
Purpose
Conventions
Documentation
GEMSAFE BASICS
What Is GemSAFE?
What Is a Smart Card?
What Is the GemSAFE Smart Card?
What Is Public Key Cryptography?
What Is a Key Pair?
Are There Different Security Levels?
What Is a Digital Certificate?
What Are Certificate Authorities?
What Is a Digital Signature?
What Is S/MIME?
What Is SSL?
GETTING STARTED
The GemSAFE Kit
Requirements
Platform
Peripherals
Browser
E–mail Account
Installation
Connecting the Card Reader
Installing GemSAFE
WINDOWS 2000
Installation on Windows 2000
Smart Card Logon
Lock and Unlock Computer
Signing Macros
Opening Signed Documents
CERTIFICATE MANAGEMENT
Your Certificates
Obtain Your Certificate
View Your Certificate
Delete Your Certificate
User Certificates
Add User Certificates
View User Certificates
Delete User Certificates
Public Directories
Web Site Certificates
View Web Certificates
Install Web Site Certificates
Select Your Certificate for the Web
Certificate Authorities
View CAs
Add CAs
Delete CAs
CA Integrity
SECURE E–MAIL
Link Your Certificate
Secure E–mail Settings
Change Session Key Length
Test Secure E–mail
Send Secure E–mail
SECURE WEB SITES
Test User Authentication
CARD DETAILS TOOL
Services
Card Selection
Card Release
Certificate Registration
PIN Code Management
Verify PINs
Change PINs
Unblock PINs
Card Information
Card Initialization
Diagnostic Information
EXPORT REGULATIONS
ABOUT GEMPLUS
TERMINOLOGY
Abbreviations and Acronyms
Glossary
INTRODUCTION
Purpose
The GemSAFE User Guide provides simple, easy–to–follow instructions to install, configure, and use GemSAFE 2.1 and the GemSAFE Card Details Tool, a simple administration tool for GemSAFE cards.
The GemSAFE User Guide addresses topics to effectively use GemSAFE. The guide does not address all browser–specific topics related to using digital certificates. Refer to your browser documentation for additional information.
Conventions
The GemSAFE User Guide was validated on the Windows 2000 platform with the following versions of Microsoft and Netscape applications: Outlook Express 5.0, Outlook 2000, Microsoft Internet Explorer 5.0, and Netscape Communicator 4.6.1.
If you are using a different platform or different versions of Microsoft or Netscape applications, you may encounter different options regarding the management and use of your digital certificates.
Documentation
The GemSAFE Quick Start Guide and GemSAFE User Guide are located in the \Doc folder of the GemSAFE CD–ROM. You can also refer to GemSAFE Online Help for quick and easy task instructions. Access GemSAFE Online Help from the GemSAFE CD–ROM.
NOTE: Use Adobe Acrobat Reader to view all documentation on the GemSAFE CD–ROM. You can download Acrobat Reader from Adobe’s Web site at www.adobe.com/acrobat.
GEMSAFE BASICS
Learn basic information about GemSAFE, smart cards, public key cryptography, and current IT standards.
What Is GemSAFE?
GemSAFE is a smart card–based solution designed to secure e–mail communication and Internet transactions. The GemSAFE smart card supports encryption/decryption and signature functions. GemSAFE for Windows 2000 also supports secure logon and the capability to sign Office 2000 macros.
The encryption/decryption function enables you to send and receive secure e–mail to protect confidential or private information. You can use the signature function to sign your messages. By signing messages, you can prove to the recipient that you are who you claim to be.
GemSAFE combines the privacy, integrity, and authentication functionalities provided by cryptographic algorithms with the simplicity, portability, and convenience of smart cards. Your private key, digital certificate, and other personal information are securely stored on your GemSAFE card to prevent fraudulent use of your electronic identity.
The latest industry standards such as SSL3 (for Web access) and S/MIME (for e–mail) enable interoperability of security services between any browser interface and any Web server. However, the security hole in SSL3 and S/MIME is the management of your private key and digital certificate. Without GemSAFE, your private key and digital certificate are stored on your hard drive, which makes them susceptible to unauthorized access and fraudulent use. Without GemSAFE, your electronic identity is at risk.
GemSAFE provides double–barreled security! With GemSAFE, you get the hardware–based security inherent in smart cards and the software–based security of PIN codes. Hardware–based security is a principal security advantage. It is significantly more secure than software–only solutions. Without possession of your smart card and knowledge of your PIN code, no one can use your identity.
GemSAFE is your electronic passport to the digital world.
Your private key never leaves your smart card.
The smart card is hardware–based security.
The PIN code protects key use.
GemSAFE is portable and convenient.
What Is a Smart Card?
Smart cards are the latest addition to the IT world. The smart card is the size of a conventional credit card. But unlike the credit card, which has a magnetic stripe, the smart card has a silicon microprocessor chip to store and process electronic data and applications. The advantage of the smart card is SECURITY.
Gemplus manufactures two types of smart cards: contact and contactless. Contact smart cards must be inserted into a smart card reader. Contactless smart cards use a microprocessor chip and antenna to process data.
Smart cards provide the most sophisticated security available on the market. Your GemSAFE card stores your private key and digital certificate. In the past, your only option was to store your private key on your local hard drive, rendering it susceptible to theft and fraudulent use. With GemSAFE, your electronic identity is secure. You must have both the card and PIN code to use the card.
The GemSAFE card is tamper resistant. The structure and operating system of the card make it practically impossible to penetrate, probe, or pilfer card data.
Perhaps the most convenient aspect of the GemSAFE smart card is portability. With GemSAFE, you can carry your electronic passport with you at all times and use it on any GemSAFE–equipped computer in the world.
What Is the GemSAFE Smart Card?
The GemSAFE smart card has a robust and flexible design. Three specific features offer greater freedom and enhanced security.
Onboard Key Generation
The GemSAFE card offers onboard key generation. With this feature, every time you enroll a new certificate on your card, a NEW key pair is generated on your card. In other words, you are not limited to using the same key pair for every certificate that you enroll.
One significant advantage of onboard key generation is the ability to monitor and control the life span of your RSA key pairs.
Increased Certificate Storage
You can store up to four key pairs and four digital certificates on your GemSAFE card. This feature provides the convenience of using up to four digital certificates for whatever purposes you want. For example, you can use one certificate and key pair with strong encryption (1024–bit RSA key pair) to communicate securely with contacts in the United States and Canada. You can then use a second certificate and key pair (512–bit RSA key pair) to communicate securely with international contacts.
Another reason for obtaining more than one digital certificate is the level of certification the Certificate Authority (CA) requires. You may want to obtain and use a digital certificate from a CA that requires stringent identity certification if you are using the certificate for sensitive business communications or financial transactions. If, however, you want to encrypt/sign data for personal communications, you may decide that a certificate from a CA that requires minimal identity certification meets your needs.
The cost of obtaining a digital certificate from a CA is based, in part, on the degree of identity certification the CA requires. Therefore, it would be to your advantage to obtain two digital certificates, each of which meets your particular security needs.
Increased Signature and Unwrap
There are two versions of the GemSAFE smart card: US/Canada and international. Both cards offer onboard key generation and store up to four key pairs and four certificates.
The difference between the US/Canada and international versions of the GemSAFE smart card is the length of the key pairs that you can generate on the card.
The US/Canada version offers the potential to generate two 512–bit and two 1024–bit RSA key pairs for encrypting and signing.
The international version offers the potential to generate three 512–bit RSA key pairs for signing and encrypting data. The international version also offers the potential to generate one 1024–bit RSA key pair for signing data. You cannot use the international GemSAFE smart card to encrypt data with a 1024–bit RSA key pair.
What Is Public Key Cryptography?
Public key cryptography, or asymmetric cryptography, is the most advanced, secure cryptosystem for encryption and digital signatures. Traditional cryptography, symmetric cryptography, uses the same key to encrypt and decrypt data. Public key cryptography relies on a matched key pair to encrypt and decrypt data.
Introducing the public key removes the need for the sender and recipient to share or transmit the single secret key used in symmetric cryptography. Therefore, public key cryptography is significantly more secure than traditional cryptosystems.
Each user owns an RSA key pair. One key is private; one key is public.
The private key remains private and accessible only to the owner
of the key pair.
The public key is made available by the owner of the key pair
to public users.
Each key performs a one–way transformation on the data. One key is the inverse function of the other; so what one key does, only the other can undo.
To send and receive secure data, the sender encrypts the data using the intended recipient's public key. Only the recipient's private key can decrypt the data. The sender also signs the data to provide the recipient with a means of authenticating the message.
The private and public keys are always mathematically linked. Therefore, it is possible but not practical to attack the public key cryptosystem and derive the value of the private key after it has been used numerous times. To avoid cryptanalysis, key pair owners should define an appropriate key pair life cycle. The shorter the key length, the shorter the key pair life cycle.
Public key cryptography provides:
Authentication which corroborates the identity of an entity or source of information.
Confidentiality which protects data from view or access by unauthorized individuals.
Access Control which restricts access to resources to privileged entities.
Data Integrity which ensures information has not been altered by unauthorized or unknown means.
Non–Repudiation which prevents the denial of previous commitments or actions.
What Is a Key Pair?
A key pair is a matched set of keys used to encrypt/decrypt or sign message data. One key is the inverse of the other key. As such, what one key does only the other key can undo. For instance, if one key is used to encrypt a message, the only way to decrypt the message is to use the matching key.
GemSAFE uses two types of keys:
Session keys (symmetric)
RSA keys (asymmetric)
Session keys are single. They do not occur in pairs. The session key is used to encrypt/decrypt actual message data. They are included in the cryptographic functionality of both Microsoft IE and Netscape Communicator.
The maximum session key length for US/Canada versions of Microsoft IE and Netscape Communicator is 128 bits. The maximum session key length for international versions is 40 bits. Session key lengths are specified in your browser. You can change the session key length by choosing a different encryption algorithm within your browser. You may need to reduce the encryption strength if you are communicating securely with international contacts.
Session keys are shorter in length than RSA keys, which reduces the amount of time to encrypt/decrypt message data. It is not practical to encrypt/decrypt the entire message text using RSA keys.
Although session keys are shorter in length than RSA keys, message security remains robust. After the entire message text is encrypted using the session key, the session key is encrypted using the RSA private key.
GemSAFE uses RSA keys to sign data and encrypt/decrypt the session key. Using RSA keys to encrypt the session key ensures the greatest security at the greatest speed and convenience.
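Both uses of the RSA key pair named above, signing data and wrapping the session key, are worked through in the following added example, which is not GemSAFE code. It assumes textbook RSA without padding, a constructed demo key built from two Mersenne primes, and a SHA-256 keystream standing in for the browser's symmetric cipher; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed demo key pair: two Mersenne primes. A modulus of this form is
# trivially factorable, so it only serves to show the data flow.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (on a card, it never leaves the chip)


def digest_int(message: bytes) -> int:
    """One-way hash of the message (the message digest) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Transform the digest with the private key to produce the signature."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Undo the signature with the public key and compare with a fresh digest."""
    return pow(signature, e, n) == digest_int(message)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(message: bytes, session_bits: int, e: int = E, n: int = N):
    """Encrypt the message under a fresh session key, then wrap that key
    with the recipient's public key."""
    session_key = secrets.token_bytes(session_bits // 8)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, message)


def open_sealed(wrapped: int, ciphertext: bytes, session_bits: int,
                d: int = D, n: int = N) -> bytes:
    """Unwrap the session key with the private key, then decrypt the message."""
    session_key = pow(wrapped, d, n).to_bytes(session_bits // 8, "big")
    return keystream_xor(session_key, ciphertext)


if __name__ == "__main__":
    msg = b"Constructed sample message"
    sig = sign(msg)
    print("signature valid:", verify(msg, sig))
    print("tampered message valid:", verify(msg + b"!", sig))
    for bits in (128, 40):                 # the two session key lengths discussed above
        wrapped, ct = seal(msg, bits)
        print(bits, "bit session key round trip:", open_sealed(wrapped, ct, bits) == msg)
```

Only the short session key passes through RSA; the message body of any length is handled by the symmetric step.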
Are There Different Security Levels?
GemSAFE offers two versions, each of which has a different security level due to export restrictions. The security level is directly related to the RSA key pair length. The longer the key length, the greater the security level.
US/Canada
GemSAFE for US/Canada markets includes a smart card that can store four certificates and key pairs. The key pairs on your smart card can include two 512–bit key pairs and two 1024–bit key pairs. Key pairs have the potential to unwrap a maximum of 512 bits; however, browser limitations result in a maximum unwrap capability of 128 bits.
International
GemSAFE for international markets includes a smart card that can store four certificates and key pairs. The key pairs on your smart card can include three 512–bit key pairs for encryption/decryption and signature functions and one 1024–bit key pair for signing. Key pairs have the potential to unwrap a maximum of 512 bits; however, browser limitations result in a maximum unwrap capability of 40 bits.
Unwrap capacity refers to the length of the session (symmetric) keys that encrypt the actual message data. Encrypting the entire message data using RSA keys is not feasible due to time requirements. RSA keys are used to encrypt/decrypt the session key.
It is important to know the cryptographic capacity of the person with whom you communicate securely. Though you may be able to encrypt and send data using the recipient's public key, the recipient may not be able to use your public key to encrypt and send data to you.
For example, you may be able to generate a session key with a length of 128 bits. However, if the recipient is restricted to international key length limitations, 40 bits, the message cannot be decrypted.
NOTE: Key length export restrictions are for encryption only. There is no key length restriction when keys are used for authentication purposes only. However, GemSAFE was designed to be compliant with Microsoft and Netscape e–mail and browser applications, all of which are subject to key length restrictions.
What Is a Digital Certificate?
A digital certificate is a digital document that serves as your electronic passport. Your digital certificate stores your public key and other personal information about you and the certificate.
The most widely accepted standard for digital certificates is defined by International Telecommunications Union standard ITU–T X.509. Version three is the most current version of X.509.
The X.509v3 certificate includes the following data fields:
Version
Serial number
Signature algorithm ID
Issuer name
Expiration Date
User name
User public key information
Issuer unique identifier
User unique identifier
Extensions
Signature on the above fields
The public key in your digital certificate is signed by a trusted third party, or Certificate Authority (CA).
As a convenience to recipients, it is standard practice to attach your digital certificate to every secure e–mail that you send. The recipient uses your public key, which is in your digital certificate, to encrypt e–mail addressed to you. If you do not attach your digital certificate to outgoing e–mails, recipients must retrieve your public key from a public directory.
Upon receiving a secure e–mail from you, recipients use the digital certificate to authenticate your public key. The recipient then uses the public key to verify the actual message. Only the CA public key is centrally stored and widely publicized.
What Are Certificate Authorities?
Certificate Authorities (CAs) are trusted third parties that issue digital certificates to individuals. CAs vouch for the identity of the individual to whom they are issuing a certificate.
When you obtain your digital certificate, you provide the CA with your public key and the personal information requested by the CA. The CA verifies the information and checks the integrity of the public key. After the CA verification process, the CA issues your digital certificate.
Many CAs issue certificates with varying levels of identification requirements. CA policies and the level of identification of the digital certificate determine the method and requirements for proving your identity to the CA. The simplest digital certificate only requires your e–mail address and name. However, some CAs require a driver's license, notarized certificate request form, or other personal documentation attesting to your identity. Some CAs may even require biometric data such as fingerprints.
The CA certificate must be widely available so that users can validate the authenticity of its public key. If a CA does not make its certificate available, it must provide a certificate from a higher–level CA to provide users a means of verifying its public key. As a result, certification hierarchies are created.
What Is a Digital Signature?
A digital signature is a piece of information created using message data and the owner's private key. Digital signatures provide message authentication, non–repudiation of origin, and data integrity.
Digital signatures are typically created using hash and private signing functions. The one–way hash function produces a message digest, or fingerprint, a condensed version of the original text. The message digest is encrypted using the private key of the sender, turning it into a digital signature.
The digital signature can only be decrypted using the public key of the same sender. The recipient of the data decrypts the digital signature and compares the result with a message digest recalculated from the original message text. If the two are identical, the message has not been tampered with. It is authentic.
What Is S/MIME?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is an open protocol standard developed by RSA Data Security that provides encryption and digital signature functionality to Internet e–mail. S/MIME uses public key cryptography standards to define e–mail security services.
S/MIME makes it possible for you to encrypt and digitally sign Internet e–mail using Web messaging applications such as Microsoft Outlook, Microsoft Outlook Express, and Netscape Messenger. S/MIME also enables you to authenticate incoming messages.
S/MIME provides the following security functions.
Message Encryption to ensure that your messages remain private. Netscape Messenger and Microsoft Outlook Express support domestic and export–level public key and symmetric key encryption.
Sender Authentication to verify the sender's identity. By reading the sender's digital signature, the recipient can see who signed the message and view the certificate for additional details.
Data Integrity to guard against unauthorized manipulation of messages. S/MIME uses a secure hashing function to detect message tampering.
Interoperability to work with other S/MIME–compliant software.
What Is SSL?
Secure Sockets Layer (SSL), developed by Netscape Communications and RSA Data Security, is a standard security protocol that provides security and privacy on the Web. The protocol allows client/server applications to communicate securely. SSL uses both asymmetric (public key cryptography) and symmetric cryptography to provide Web security.
The SSL protocol is application independent, which enables higher–level protocols such as HyperText Transfer Protocol (HTTP) to be layered on top of it transparently. Therefore, the SSL protocol can negotiate encryption and authentication with the server before data is exchanged by the higher–level application.
The SSL Handshake Protocol process includes two phases:
1. Server Authentication in which the client requests the server's certificate. In response, the server sends its digital certificate and signature. The certificate provides the server's public key. The signature proves that the server currently has the private key that corresponds to the certificate.
2. Client Authentication (optional) in which the server requests the client's certificate. In response, the client sends the digital certificate and signature to the server.
The SSL process is repeated for every secure session you attempt to establish unless you specify a permanent session. The SSL process will not proceed if the Web server's certificate is expired.
SSL provides the following security functions.
Data Encryption to ensure data security and privacy. Both public key and symmetric key encryption are used to achieve maximum security. All traffic between an SSL server and SSL client is encrypted using both public key and symmetric key algorithms. Encryption thwarts the capture and decryption of TCP/IP sessions.
Mutual Authentication to verify the identities of the server and client. Identities are digital certificates. The entity presenting the certificate must digitally sign the data to prove ownership of the certificate. The combination of the certificate and signature authenticates the entity.
Data Integrity to ensure that SSL session data is not manipulated en route. SSL uses mathematical functions, or hash functions, to provide the integrity service.
GETTING STARTED
The GemSAFE Kit
GemSAFE includes:
GemSAFE smart card
Gemplus smart card reader
CD–ROM with GemSAFE software and documentation
Requirements
Platform
GemSAFE requires one of the following platforms:
Windows 95 (16 MB RAM)
Windows 98 (16 MB RAM)
Windows 2000 (64 MB RAM) RC2 or higher
Windows NT 4.0 SP3, SP4, SP5 (32 MB RAM)
Peripherals
GemSAFE requires the following peripherals:
10 MB hard drive space available
Available COM or PCMCIA port
CD–ROM drive
PS/2 keyboard
Browser
GemSAFE also requires a Web browser. Minimum versions:
Microsoft IE 4.01
Netscape Communicator 4.5
NOTE: If you do not have either minimum version, you can obtain a standard or strong key length version from Microsoft at www.microsoft.com or Netscape at www.netscape.com.
E–mail Account
In order to use the secure e–mail application provided with your Web browser, you need one of the following types of Internet e–mail accounts:
Post Office Protocol (POP) 3 account
Internet Message Access Protocol (IMAP)–compatible account
NOTE: You only need an e–mail account if you want to take advantage of the signature and encryption/decryption capabilities offered by GemSAFE.