HP OmniBook 7100, Encryption Smart Card User Manual

HP Encryption Smart Card Security System
User’s Guide
Copyright and trademark information
This document contains proprietary information which is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced or translated into another language without the prior written consent of Hewlett-Packard Company.
© Copyright Hewlett-Packard Company, 1998. All rights reserved.
Windows 95 and Windows NT are registered trademarks of the Microsoft Corporation.
Limited warranty
The information contained in this document is subject to change without notice.
Hewlett-Packard Company makes no warranty of any kind with regard to this document, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Hewlett-Packard Company shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this document.
In addition to the Limited Warranty Statement provided in the Support and Service booklet, and to the extent permitted by local law, Hewlett-Packard Company expressly disclaims any warranty that this product will be error-free. Hewlett-Packard Company makes no warranty that any data stored or encrypted by this product will be recoverable or accessible, or that access provided by this product will be maintained.
HP Software Product License Agreement
CAREFULLY READ THIS LICENSE AGREEMENT BEFORE PROCEEDING TO OPERATE THIS EQUIPMENT. RIGHTS IN THE SOFTWARE ARE OFFERED ONLY ON THE CONDITION THAT THE CUSTOMER AGREES TO ALL TERMS AND CONDITIONS OF THE LICENSE AGREEMENT. PROCEEDING TO OPERATE THE EQUIPMENT INDICATES YOUR ACCEPTANCE OF THESE TERMS AND CONDITIONS. IF YOU DO NOT AGREE WITH THE TERMS OF THE LICENSE AGREEMENT, YOU MUST NOW EITHER REMOVE THE SOFTWARE FROM YOUR HARD DISK DRIVE AND DESTROY THE MASTER DISKETTES, OR RETURN THE COMPLETE COMPUTER AND SOFTWARE FOR A FULL REFUND.
PROCEEDING WITH CONFIGURATION SIGNIFIES YOUR ACCEPTANCE OF THE LICENSE TERMS.
UNLESS OTHERWISE STATED BELOW, THIS HP SOFTWARE PRODUCT LICENSE AGREEMENT SHALL GOVERN THE USE OF ALL SOFTWARE THAT IS PROVIDED TO YOU, THE CUSTOMER, AS PART OF THE HP COMPUTER PRODUCT. IT SHALL SUPERSEDE ANY NON-HP SOFTWARE LICENSE TERMS THAT MAY BE FOUND ON-LINE, OR IN ANY DOCUMENTATION OR OTHER MATERIALS CONTAINED IN THE COMPUTER PRODUCT PACKAGING.
Note: Operating System Software by Microsoft is licensed to you under the Microsoft End User License Agreement (EULA) contained in the Microsoft documentation.
The following License Terms govern the use of the software:
USE. Customer may use the software on any one computer. Customer may not network the software or otherwise use it on more than one computer. Customer may not reverse assemble or decompile the software unless authorized by law.
COPIES AND ADAPTATIONS. Customer may make copies or adaptations of the software (a) for archival purposes or (b) when copying or adaptation is an essential step in the use of the software with a computer so long as the copies and adaptations are used in no other manner.
OWNERSHIP. Customer agrees that he/she does not have any title or ownership of the software, other than ownership of the physical media. Customer acknowledges and agrees that the software is copyrighted and protected under the copyright laws. Customer acknowledges and agrees that the software may have been developed by a third party software supplier named in the copyright notices included with the software, who shall be authorized to hold the Customer responsible for any copyright infringement or violation of this Agreement.
PRODUCT RECOVERY CD-ROM. If your computer was shipped with a product recovery CD-ROM: (i) The product recovery CD-ROM and/or support utility software may only be used for restoring the hard disk of the HP computer with which the product recovery CD-ROM was originally provided. (ii) The use of any operating system software by Microsoft contained in any such product recovery CD-ROM shall be governed by the Microsoft End User License Agreement (EULA).
TRANSFER OF RIGHTS IN SOFTWARE. Customer may transfer rights in the software to a third party only as part of the transfer of all rights and only if Customer obtains the prior agreement of the third party to be bound by the terms of this License Agreement. Upon such a transfer, Customer agrees that his/her rights in the software are terminated and that he/she will either destroy his/her copies and adaptations or deliver them to the third party.
SUBLICENSING AND DISTRIBUTION. Customer may not lease, sublicense the software or distribute copies or adaptations of the software to the public in physical media or by telecommunication without the prior written consent of Hewlett-Packard.
TERMINATION. Hewlett-Packard may terminate this software license for failure to comply with any of these terms provided Hewlett-Packard has requested Customer to cure the failure and Customer has failed to do so within thirty (30) days of such notice.
UPDATES AND UPGRADES. Customer agrees that the software does not include updates and upgrades which may be available from Hewlett-Packard under a separate support agreement.
EXPORT CLAUSE. Customer agrees not to export or re-export the software or any copy or adaptation in violation of the U.S. Export Administration regulations or other applicable regulation.
U.S. GOVERNMENT RESTRICTED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause in DFARS 252.227-7013. Hewlett-Packard Company, 3000 Hanover Street, Palo Alto, CA 94304 U.S.A. Rights for non-DOD U.S. Government Departments and Agencies are as set forth in FAR 52.227-19(c)(1,2).
Contents
1. Understanding the HP Encryption Smart Card Security System
   What is the Encryption Smart Card Security System?
   What is a smart card?
   What is Encryption?
   How does the HP Encryption Smart Card Security System work?
2. Setting up your OmniBook to use a smart card
   Checking the package contents
   Checking the requirements
   Installing the Encryption System software and Smart Card Reader
   Smart card logon with Windows NT
   Initializing your smart card and creating a recovery file
3. Using your HP Encryption Smart Card Security System
   Introduction
   Getting Information
   Entering the PIN
   NT Workstation lock (screen lock)
   Using the Secure Folder
   Changing your Smart Card’s PIN
   If you forget your PIN
   Creating a replacement smart card
4. Troubleshooting
   General Troubleshooting tips and tricks
   Troubleshooting questions and answers
Understanding the HP Encryption Smart Card Security System
What is the Encryption Smart Card Security System?
The Encryption Smart Card Security System is an accessory for your OmniBook that uses smart card technology to provide smart card protected logon for Windows NT and strong file encryption on Windows NT and Windows 95. The Encryption Smart Card Security System consists of a smart card reader which inserts into a PCMCIA slot on your OmniBook, and a smart card in which to store information that ensures that only you can access your OmniBook and read the files you have chosen to protect.
What is a smart card?
A smart card is a credit-card-sized card which carries a microchip containing memory and a microprocessor. The card’s microchip lies beneath gold contact pads and when the card is inserted in a smart card reader, the contents of the microchip can be read and interpreted in a number of ways, depending on the application. A Personal Identification Number (PIN) is normally needed to “unlock” the contents of the microchip, meaning that only the person who knows the PIN can use the card.
What is Encryption?
Encryption is simply taking intelligible data and making it unintelligible by using a mathematical function and a unique key. To return the data to intelligible form, we use the same mathematical function and the same key. Therefore only the holder of the key can take the unintelligible data and make it intelligible.
The type of encryption used in the HP Encryption System provides confidentiality, as no one but the holder of the key can read the data.
How does the HP Encryption Smart Card Security System work?
The Encryption Smart Card Security System provides two security features:
Data encryption on your OmniBook’s hard drive (Windows 95 and Windows NT).
Smart card protected logon for Windows NT to prevent unauthorized access to your OmniBook.
Data encryption
When you set up the Encryption Smart Card Security System on your OmniBook, as part of the process you define a Secure folder on your OmniBook, and generate an encryption key that is stored on your smart card. You will also define a PIN which allows only someone with the PIN to use the smart card. When you place a file in the Secure folder with the smart card inserted in the smart card reader, the file is encrypted using a key stored on your smart card. The files in the Secure folder can be accessed only when your smart card is present in the smart card reader and the correct PIN has been provided. This means that for anyone to decrypt and read the files placed in your Secure folder, that person must be in possession of your smart card and also know your card’s PIN.
[Figure: a plain file and the corresponding encrypted file, with a smart card containing an encryption key. Caption: An encryption key on the smart card is used for encrypting the file as it is placed in the private folder.]
Smart card logon with Windows NT
Windows NT offers password-protected logon where you must enter a user name and a password to access your Windows NT account. The Encryption Smart Card Security System increases the security of Windows NT logon by using a smart card in addition to your password. The smart card is registered with your Windows NT logon the first time you log on after the Encryption System software is installed on your OmniBook. Anytime you log on after this, the smart card must be present in a smart card reader inserted in the PCMCIA slot of your OmniBook. When you enter your user name and password, the system reads the smart card in the smart card reader and verifies that the correct smart card is present. If not, then admission to your Windows NT account is denied. Therefore for someone to log on to your Windows NT account, that person must not only know your user name and password, but must also be in possession of your smart card.
Setting up your OmniBook to use a smart card
Checking the package contents
Your Encryption Smart Card Security System package contains:
1 PCMCIA smart card reader
2 GPK4000 smart cards (one spare card for backup/recovery purposes)
1 CD-ROM containing the Encryption Smart Card Security System software
1 User’s Guide (this manual)
Note that an optional pack of five smart cards is also available as a separate OmniBook accessory (order no. F1613A).
Checking the requirements
To use the Encryption Smart Card Security System, you need:
An HP OmniBook Model 800, 2000, 3000, 5000, 4100, 7100, Sojourn or later with Microsoft Windows 95 OSR2 or later installed
or
An HP OmniBook Model 2100, 3000, 4100, 7100, Sojourn or later with Microsoft Windows NT 4.0 SP3 or later installed (you will need at least 2 NT accounts; one for the NT Administrator and at least one User account for everyday use)
A CD-ROM drive installed in your OmniBook (note that on certain models of OmniBook, the CD-ROM drive is an option you need to purchase separately)
1 free PCMCIA slot on your OmniBook
At least 5 Mbytes of free space on your hard disk
It is also recommended that you have a formatted diskette to hand, to use as a safe place to store the recovery file generated during the smart card initialization process.
Installing the Encryption System software and Smart Card Reader
Note: Before you begin installation, make sure your OmniBook’s CD-ROM drive is correctly installed.
1 Start your OmniBook (log on as Administrator for Windows NT). You should have the Windows desktop displayed.
2 Insert the HP Encryption System Software CD-ROM into the CD-ROM drive of your OmniBook.
3 Start your Windows program installation utility (Start, Settings, Control panel, Add/Remove Programs) and install the Encryption Smart Card Security System software from the CD-ROM. During the installation process you will be asked to install the smart card reader in an available PCMCIA slot in your OmniBook (the smart card reader is installed with the label facing upwards).
The software will be installed in the C:\Program Files\Hewlett-Packard\HP Encryption System\ directory by default, but you can specify a different one if you wish. Your Secure folder will be C:\Private by default, and again, you may change this if you wish.
Your OmniBook will be restarted when the installation is complete.
If you are using Windows 95, you have now finished the installation. Proceed to “Initializing your smart card and creating a recovery file” on page 10.
For Windows NT users, you are now ready to register the Administrator and User smart cards for use with NT Logon.
Smart card logon with Windows NT
With Windows NT, the Encryption Smart Card Security System provides the additional security feature of smart card logon. This makes the logon procedure more secure as you need both your NT password and your smart card during logon. You must register your smart card with your user name and password during the NT logon process. After registration only your smart card can be used with your NT password.
It is recommended to register a smart card for at least 2 different Users; one for your normal User (everyday use) and one for the NT Administrator.
Registering your Administrator smart card for Windows NT logon
With Windows NT, it is highly recommended to register an Administrator smart card for your OmniBook to allow access to the system Administrator account.
In cases where all NT accounts are centrally managed (for example in a corporate environment), registering the Administrator smart card would typically be done by your system Administrator. If you are not part of such an environment, you will need to register an Administrator smart card for yourself.
Your Windows NT documentation will contain additional details on the system Administrator account.
To register an Administrator smart card
Caution: With Windows NT, if you lose your original smart card or it gets damaged or stolen, you will be unable to access your OmniBook unless you have a registered Administrator card.
1 Insert a new smart card in the smart card reader.
2 Log on to your OmniBook using the system Administrator’s user name and password.
When you have entered your Administrator’s user name and password, a message appears telling you that the card in the reader is now registered for your Administrator’s account. You must now use this smart card every time you log on to your Windows NT Administrator’s account.
Note: The Administrator smart card allows access to the Windows NT Administrator account and should be used only for administration and recovery purposes (should your original User smart card get lost or damaged). Naturally, the Administrator smart card should be kept in a safe place.
Registering your User smart card for Windows NT logon
To register your User smart card
1 Insert a new smart card in the smart card reader.
Note: This smart card will be the card that you will use for subsequent NT logons. After this card is successfully registered for your NT account, you will be unable to log on to your OmniBook without the card inserted in the smart card reader.
2 Log on to your OmniBook following the normal Windows NT logon procedure.
When you have entered your user name and password, a message appears telling you that the card in the reader is now registered for your User account. You now must use this smart card every time you log on to your Windows NT User account.
This completes the steps necessary to register your smart cards for Windows NT logon.
Verification Mode
The first time you log on after installation, you will be in Verification mode.
When you first set up your HP Encryption System to work with NT, it is put into an insecure “Verification” mode, which allows you to continue to access your OmniBook even if there are problems with accessing your smart card reader or smart card.
This “Verification” mode is only available following first installation, and is only intended to be used until you feel confident that everything is working as it should (especially following a reboot). Once you are confident in the installation and configuration, click on “Secure” in the Verification mode dialog box and the NT Logon installation will be secured.
Note: For security reasons, there is no way to return to this verification mode once you have selected to remove it.
You will now need to initialize each card that you wish to use for file encryption.
Initializing your smart card and creating a recovery file
Purpose of initializing your smart card
Before you can use a smart card to encrypt files, you will need to initialize it. During initialization, an encryption key is generated that is used to encrypt and decrypt your data. This key is stored on your smart card, which means that the encrypted data can be decrypted only when the smart card is inserted in the smart card reader connected to your OmniBook.
The recovery file
As a safety measure, the encryption key generated and stored on your smart card is also copied to a recovery file. If you subsequently lose your smart card, or it gets damaged, this recovery file allows you to load the encryption key that was on your original smart card to a new card, thus enabling you to access and decrypt the files on your OmniBook.
To initialize your smart card
1 Make sure your smart card is inserted in the smart card reader.
2 Open the HP Encryption Smart Card Security System Manager, and select the Smart Card tab.
3 In the Smart Card page, click on Initialize to start the initialization process, and generate your encryption key. You will now be asked to enter a PIN number for the smart card.
4 Enter an 8-character PIN and confirm the PIN by retyping it exactly in the Confirm PIN field.
Note: Your PIN must be exactly 8 characters long. It is not case sensitive.
5 During the initialization process, you are prompted to define a recovery file and an associated password. The default directory for the recovery file is on a floppy disk (a:\).
If you wish to define another location for the recovery file, click on ... to select another directory. Then enter the name of the recovery file and the password to prevent unauthorized access to the file.
Caution: The recovery file allows you to create a duplicate smart card to access and decrypt the files in your Secure folder should you lose your original smart card or it gets damaged. For security reasons it is not recommended that you store this file on your OmniBook hard disk. A safe place would be on a floppy disk.
It is also important that you do not forget the password for the recovery file. If this happens, you will be unable to use your recovery file.
6 Click OK when you are done.
The encryption key is now generated and stored on your smart card and in the recovery file. You can now use your smart card to encrypt files.
Using your HP Encryption Smart Card Security System
Introduction
When using your HP Encryption Smart Card Security System with the Windows 95 operating system, a smart card must be present to encrypt and decrypt files in your Secure folder. When the card is introduced in the reader a message box will open asking for the PIN. Only when the correct PIN is entered will you be able to access your Secure folder and encrypt and decrypt your files.
With the Windows NT operating system, in addition to the above, the smart card is required to log on. The PIN is requested, but is not necessary to log on (you can cancel, without stopping the logon). However, only when the correct PIN has been entered will you be able to access your Secure folder and encrypt and decrypt your files.
Getting Information
In the Information page of the HP Encryption System manager, you can easily see where the Secure folder is located. This location was specified during the product installation and cannot be changed. Other information available includes the status of the smart card and smart card reader and the status of the product’s software components.
Entering the PIN
Each time you insert a new smart card, or remove and insert the same smart card, you will be asked to enter its PIN. When the Encryption System detects the card, it opens a PIN dialog box. Enter the smart card’s PIN. Once the PIN has been correctly entered, you will have access to your Secure folder. If a wrong PIN is entered or the smart card is not present, you will not be allowed to access your Secure folder.
Caution: If you type the PIN wrong seven times in a row, the card is locked from further use. This is a security feature to prevent someone from trying to guess your PIN. See “If you forget your PIN” on page 18.
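The lockout rule in the caution above, shown as an added example that is not HP's code: a Python model of a card that releases its key only after a correct 8-character, case-insensitive PIN and locks after seven consecutive wrong entries. The class and function names, the salted-digest PIN storage, the sample PIN and key, and the 36-symbol alphabet used for the guessing odds are assumptions of this example; the guide does not describe the card's internals.

```python
import hashlib
import hmac
import os

PIN_LENGTH = 8      # from the guide: the PIN must be exactly 8 characters
MAX_FAILURES = 7    # from the guide: seven wrong PINs in a row lock the card


class CardLocked(Exception):
    """The retry counter is exhausted; the model card refuses all further use."""


class ModelCard:
    """Constructed model of a PIN-gated key store (not the real card's firmware)."""

    def __init__(self, pin: str, key: bytes):
        if len(pin) != PIN_LENGTH:
            raise ValueError("PIN must be exactly 8 characters long")
        self._salt = os.urandom(16)
        self._pin_digest = self._digest(pin)
        self._key = key
        self._failures = 0       # consecutive wrong entries
        self._unlocked = False   # True only after a correct PIN this insertion

    def _digest(self, pin: str) -> bytes:
        # Fold case first: the guide says the PIN is not case sensitive.
        # Keeping a salted digest instead of the PIN is an assumption of this model.
        return hashlib.pbkdf2_hmac(
            "sha256", pin.upper().encode("utf-8"), self._salt, 10_000)

    @property
    def locked(self) -> bool:
        return self._failures >= MAX_FAILURES

    @property
    def tries_left(self) -> int:
        return MAX_FAILURES - self._failures

    def insert(self) -> None:
        """Removing and reinserting the card always forces a new PIN entry."""
        self._unlocked = False

    def verify_pin(self, attempt: str) -> bool:
        if self.locked:
            raise CardLocked("card locked after %d wrong PINs" % MAX_FAILURES)
        # Constant-time comparison so timing does not reveal how close a guess was.
        ok = hmac.compare_digest(self._digest(attempt), self._pin_digest)
        if ok:
            self._failures = 0          # "in a row": a success resets the count
            self._unlocked = True
        else:
            self._failures += 1
            self._unlocked = False
        return ok

    def use_key(self) -> bytes:
        """Release the key only to a session that has presented the right PIN."""
        if self.locked:
            raise CardLocked("card locked")
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return self._key


def guess_success_probability(alphabet_size: int) -> float:
    """Chance that blind guessing hits the PIN before the card locks.

    alphabet_size is an assumption: the guide does not list the allowed characters.
    """
    return MAX_FAILURES / float(alphabet_size ** PIN_LENGTH)


def demo() -> dict:
    key = os.urandom(16)                       # constructed sample key
    card = ModelCard("Blue42sk", key)          # constructed sample PIN
    results = {}
    results["case_folded"] = card.verify_pin("BLUE42SK")
    results["key_released"] = card.use_key() == key
    card.insert()
    for _ in range(MAX_FAILURES - 1):          # six misses: card still usable
        card.verify_pin("00000000")
    results["tries_left_after_six"] = card.tries_left
    results["reset_on_success"] = (
        card.verify_pin("blue42sk") and card.tries_left == MAX_FAILURES)
    for _ in range(MAX_FAILURES):              # seven misses in a row: locked
        card.verify_pin("00000000")
    results["locked"] = card.locked
    try:
        card.verify_pin("blue42sk")            # the right PIN no longer helps
        results["correct_pin_after_lock"] = "accepted"
    except CardLocked:
        results["correct_pin_after_lock"] = "refused"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
    print("guess odds (36 symbols assumed):", guess_success_probability(36))
```

In this model the counter is what makes a short PIN workable: an attacker holding the card gets seven guesses in total, not seven per second, and a legitimate user who mistypes six times loses nothing once the seventh entry is correct.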
NT Workstation lock (screen lock)
The Logon tab and page are only accessible when you are logged on as the NT Administrator. The workstation lock is located in the lower part of the Logon page.
Check the box to lock the workstation should the session owner’s smart card be removed. The workstation can be unlocked only by the smart card that locked it.
Using the Secure Folder
By default, your Secure folder is located in C:\Private.
File structure
You can create directories and files within the Secure folder in exactly the same way as outside the Secure folder, as long as your smart card is present, and you have entered the correct PIN.
Storing existing files in the Secure folder
Use your application or file manager to:
Save as...
Copy to...
Move (using drag and drop)
from your normal file structure to your Secure folder. Note that both Save as and Copy to will leave a copy in the unsecure part of your hard disk which presents a potential security risk.
When you Move files out of your Secure folder they will be decrypted. For security reasons, using Move from the Secure folder is not recommended.
Using an existing file in the Secure folder
Use your application to:
• Open
and then
• Save
• Save as
files stored in your Secure folder.
Deleting a file in the secure folder
You can use DELETE or SHIFT+DELETE to remove files from your Secure folder.
Caution: For security reasons, deleting files using DELETE is not recommended (it will leave a decrypted copy of the file in your Recycle Bin).
Changing your Smart Card’s PIN
You can change the PIN of your smart card at any time using the Encryption System Manager. In the center section of the Smart Card page, click on Change PIN.
The Change PIN dialog box will open:
In the Change PIN dialog box you are asked for the old PIN and the new PIN (and confirmation). When you have entered this information, click on OK. Your PIN will be changed.
If you forget your PIN
If you forget your PIN, you should be aware that seven unsuccessful attempts at entering the PIN will result in your smart card being locked. If your organization does not have a centralized Smart Card Management System (SCMS) and an SCMS Administrator who can unlock your card, your card is now unusable and should be disposed of following your local environmental laws. You will need to create and register a new card as detailed in “Creating a replacement smart card” on page 19.
Creating a replacement smart card
If you lose your smart card
If you lose your smart card or it becomes damaged, you will need to create a replacement smart card to allow you to access and decrypt the files stored in your Secure folder on your OmniBook. The recovery file you created when you initialized your smart card will allow you to create a replacement card. For Windows NT users, you will first need to re-register your smart card for Windows NT Logon.
To create a replacement smart card for use with Windows 95
1 Locate the recovery file (it may be on a diskette).
2 Insert a new smart card in the smart card reader.
3 Open the Encryption Smart Card Security System Manager program (if it is not already running) and click on the Smart Card tab.
4 If you have stored the recovery file on a floppy disk, insert the diskette into the floppy drive of your OmniBook.
5 Click on Recover.
You are now prompted to enter the name of the recovery file and the recovery file password.
6 Click on ... to go to the folder containing the recovery file (or type the full path name in the filename field) and enter the password for the recovery file.
7 You will be prompted to enter the (new) PIN for the new smart card.
The same key that was on your original smart card is now loaded in the new smart card, and you can now access and decrypt the files in your Secure folder.
To create a replacement smart card for use with Windows NT
Note: Since you can no longer use your smart card to access your OmniBook, you will need the NT Administrator smart card to regain access.
1 Insert the Administrator smart card in the smart card reader, and log on as the NT Administrator.
2 Open the Encryption System Manager program.
3 Select the Logon tab (only accessible by the NT Administrator).
The list of active smart cards and users is now displayed.
4 Click on the user name for which you wish to re-register a new smart card, and then click on the Allow renewal button. The card state will change from “Card registered” to “Card renewal allowed”.
5 Log off from your NT Administrator session and remove the NT Administrator’s smart card from the smart card reader.
6 Insert a new (blank) smart card in the smart card reader. Log on to your OmniBook as the user for which you wish to re-register the new smart card, following the normal Windows NT logon procedure.
7 When you have entered your user name and password, a message appears telling you that the card in the reader is now registered for your user account. You must now use this smart card every time you log on to your Windows NT user account. (This completes the steps necessary to register your smart card for Windows NT logon).
8 Locate the recovery file (it may be on a diskette).
9 Open the Encryption Smart Card Security System Manager program (if it is not already running) and click on the Smart Card tab.
10 If you have stored the recovery file on a floppy disk, insert the diskette into the floppy drive of your OmniBook.
11 Click on Recover.
You are now prompted to enter the name of the recovery file and the recovery file password.
12 Click on ... to go to the folder containing the recovery file (or type the full path name in the filename field) and enter the password for the recovery file.
13 You will be prompted to enter the (new) PIN for the new smart card.
The same key that was on your original smart card is now loaded in the new smart card, and you can now access and decrypt the files in your Secure folder.
Troubleshooting
General Troubleshooting tips and tricks
In the case of a problem with your HP Encryption Smart Card Security System, the first place to check is the Information page of the Encryption System Manager.
In this page you will find:
Smart Card Status
The smart card status should be:
smart card present and correctly initialized
However, if there is a problem, it could be:
smart card present but badly initialized
Solution: re-initialize your smart card as detailed in “To initialize your smart
card” on page 10
smart card present but not initialized
Solution: initialize your smart card as detailed in “To initialize your smart card” on page 9
no smart card in the reader
Solution: insert an initialized smart card
Smart Card Reader status
The smart card reader status should be:
reader is present and is working correctly
However, in the case of a problem, it could be:
unable to connect to the smart card reader
Solution: check the status of all software components as detailed in “Software Components status” below, and follow the directions given in this section.
If all seems in order, try rebooting your OmniBook.
Software Components status:
Note: The Authentication module (GINA) is only present in Windows NT installations. It is not present in Windows 95 installations.
The software components status should be:
Running
(except for the Authentication Module (GINA) which is stateless, and marked n/a)
However, in the case of a problem, it could be:
•Stopped
Solution: If any components are marked as stopped, you will need to restart them (reboot the OmniBook or start them using the file manager - double click on the file name).
•Missing
Solution: If any (other than the Remote Procedure Call Service) are marked as missing, you will need to uninstall the Encryption System and then re-install it.
If the Remote Procedure Call Service is marked as missing, you will need to reinstall it as documented in your Windows 95 or Windows NT Operating System manuals.
If you are still having problems, the next place to check is the smart card reader configuration: go to the Control Panel of your OmniBook, double click on PC Card (PCMCIA) and make sure that the GEMPLUS GPR400 is connected to the correct socket. If you see “(Empty) - Socket x”, check the reader’s installation and retry.
If you are still having problems, you should try rebooting your OmniBook and check if the problem persists.
Troubleshooting questions and answers
Problem: I have lost my smart card
Explanation: If you are using Windows NT, you will now be unable to log on to your NT account and gain access to your OmniBook.
Action: Contact your system administrator to regain access to your OmniBook using the administrator smart card. Register a new smart card for your NT logon.
Explanation: Now you can log on, but you will still be unable to read the files in your encryption folder.
Action: Use the recovery file to enable your new smart card to decrypt the files you encrypted with your old card.
Explanation: If you are using Windows 95, you will be unable to read the files in your encryption folder.
Action: Make a recovery card using the recovery file. See “Creating a replacement smart card” on page 19 for details.

Problem: I cannot log on to my NT account
Explanation: Your smart card is not inserted correctly in the smart card reader, or the reader is not connected correctly to the OmniBook.
Action: Check that the smart card is inserted correctly and check that the reader is inserted correctly.

Problem: I could not remember my PIN, I tried to enter it seven times and now my card no longer works
Explanation: As a security measure to prevent someone who has obtained your smart card from guessing your PIN, you are allowed only seven attempts at entering the correct PIN. If you fail to enter the correct PIN on the seventh attempt your card is locked.
Action: If your organization has a centralized Smart Card Management System (SCMS), see the SCMS Administrator who can unlock your card. If not, your card is now unusable and should be disposed of following your local environmental laws.
If you are using Windows NT, you must register a new smart card with your NT logon and then use the recovery file to load the old encryption key on the new card.
If you are using Windows 95, use the recovery file to load the old encryption key on the new card.

Problem: Access to your Encryption folder is denied
Explanation: The HP Encryption System Manager is unable to retrieve information stored on the smart card.
Action: Make sure your smart card is properly inserted into the smart card reader and the correct PIN has been entered. If this isn’t done, you will not be able to access the secure folder.
If you are still unable to access the Secure folder you may have corrupted information on your smart card. Use the recovery procedure detailed in Chapter 3 to recover your smart card.

Problem: Files copied into the secure folder don’t seem to be encrypted
Explanation: The smart card you used to move your files into the secure folder is still inserted in the reader, and you still have access to all the files you moved into the secure folder.
Action: Insert another card into the reader and check the content of your files: they should be unreadable.

Problem: Encrypted text decrypts badly
Explanation: The card inserted in the reader is not the one you used to encrypt your files.
Action: Insert the correct card and enter your PIN number to access the secure folder.

Problem: I can’t delete a file in my Secure folder using DELETE.
Explanation: For security reasons, deleting files using DELETE is not supported (it would leave a copy in the Recycle Bin).
Action: To delete a file from the Secure folder use SHIFT+DELETE

Problem: A message tells me that access to the smart card is denied.
Explanation: The HP Encryption System Manager is unable to retrieve information stored on the smart card.
Action: Make sure that your smart card reader is properly installed in your OmniBook and that the smart card is properly inserted in the smart card reader.
If the error message “Could not access the card reader, please check connection and retry” is displayed, follow the indications given in the message boxes.
If you have questions this manual doesn’t answer, you can:
• Look at the online help in the HP Encryption System Manager.
• Find additional information about this OmniBook accessory on the Internet - visit the Support website at http://www.hp.com/omnibook.
• Check with your system administrator, if you have one.
• Contact your dealer, or contact Hewlett-Packard - see the OmniBook Support and Service booklet.
Make sure you have the software version number (in the “General” page of the HP Encryption System Manager) and all of the information (including the version of all the installed components) in the “Software Component Status” window of the “Information” page.