Page 1
®
HP Encryption Smart Card
Security System
User’s Guide
Page 2
Copyright and trademark information
This document contains pro prietary infor matio n which is prot ected by copyright . All ri ghts res erved. No
part of this docu ment may be ph otocopied, repro duced or transl ated into an other language wi thout the pri or written consent of Hewlett-Packard company.
C Copyright Hewlett-Packard Company, 1998. All rights reserved.
Windows 95 and Windows NT are registered trademarks of the Microsoft Corporation.
Limited warranty
The information contained in this document is subject to change without notice.
Hewlett-Packard Company makes no warranty of any kind with regard to this document, including, but
not limited to, the implied warranties of merchantabili ty and fitness for a particular purpose.
Hewlett-Packard Company shall not be liable for errors contain ed herein or for incidental or consequential
damages in connection with the furnishing, performance, or use of this document.
In addition to the Limited Warranty Statement provided in the Support and Service booklet, and to the
extent permitted by local law, Hewlett-Packard Company expressly disclaims any warranty that this product will be error-free. Hewlett-Packard Company makes no warranty that any data stored or encrypted by
this product will be recoverable or accessable, or that access provided by this product will be maintained.
Page 3
HP Software Product License Agreement
CAREFULLY READ THIS LICENSE AGREEMENT BEFORE PROCEEDING TO OPERATE THIS
EQUIPMENT. RIGHTS IN THE SOFTWARE ARE OFFERED ONLY ON THE CONDITION THAT
THE CUSTOMER AGREES TO ALL TERMS AND CONDITIONS OF THE LICENSE AGREEMENT. PROCEEDING TO OPERATE THE EQUIPMENT INDICATES YOUR ACCEPTANCE OF
THESE TERMS AND CONDITIONS. IF YOU DO NOT AGREE WITH THE TERMS OF THE LICENSE AGREEMENT, YOU MUST NOW EITHER REMOVE THE SOFTWARE FROM YOUR
HARD DISK DRIVE AND DESTROY THE MASTER DISKETTES, OR RETURN THE COMPLETE
COMPUTER AND SOFTWARE FOR A FULL REFUND.
PROCEEDING WITH CONFIGURATION SIGNIFIES YOUR ACCEPTANCE OF THE LICENSE
TERMS.
UNLESS OTHERWISE STATED BELOW, THIS HP SOFTWARE PRODUCT LICENSE AGREEMENT SHALL GOVERN THE USE OF ALL SOFTWARE THAT IS PROVIDED TO YOU, THE
CUSTOMER, AS PART OF THE HP COMPUTER PRODUCT. IT SHALL SUPERSEDE ANY NONHP SOFTWARE LICENSE TERMS THAT MAY BE FOUND ON-LINE, OR IN ANY DOCUMENTATION OR OTHER MATERIALS CONTAINED IN THE COMPUTER PRODUCT PACKAGING.
Note: Operating System Software by Microsoft is licensed to you un der the Microsoft End User License
Agreement (EULA) contained in the Microsoft documentation.
The following License Terms govern the use of the software:
USE. Customer may use the software on any one computer. Customer may not network the software or
otherwise use it on more than one computer. Customer may not reverse assemble or decompile the software unless authorized by law.
COPIES AND ADAPTATIONS. Customer may make copies or adaptations of the software (a) for archival purposes or (b) when copying or adaptation is an essential step in the use of the software with a
computer so long as the copies and adaptations are used in no other manner.
OWNERSHIP. Customer agrees that he/she does not have any title or ownership of the software, other
than ownership of the physical media. Customer acknowledges and agrees that the software is copyrighted and protected under the copyright laws. Customer acknowledges and agrees that the software may
have been developed by a third party s oft ware s up pli er named in the copyright n oti ces incl u ded wi th t he
software, who shall be authorized t o ho ld the C us tomer responsible for any copyri g ht i nfr ingement or violation of this Agreement.
Page 4
PRODUCT RECOVERY CD-ROM. If your computer was shipped with a product recovery CDROM: (i) The product recovery CD-ROM and/or support utility software may only be used for restoring
the hard disk of the HP computer with which the product recovery CD-ROM was originally provided.
(ii) The use of any operating system software by Microsoft contained in any such product recovery CDROM shall be governed by the Microsoft End User License Agreement (EULA).
TRANSFER OF RIGHTS IN SOFTWARE. Customer may transfer rights in the software to a third
party only as part of the transfer of all rights and only if Customer obtains the prior ag reement of the third
party to be bound by the terms of this License Agreement. Upon such a transfer, Customer agrees that
his/her rights in the software are terminated and that he/she will either destroy his/her copies and adaptations or deliver them to the third party.
SUBLICENSING AND DISTRIBUTION. Customer may not lease, sublicense the software or distribute copies or adaptati ons of the software to t he public in ph ysical media or by t elecommunication wi thout
the prior written consent of Hewlett-Packard.
TERMINATION. Hewlett-Packard may terminate this software license for failure to comply with any
of these terms provided Hewlett-Packard has requested Customer to cure the failure and Customer has
failed to do so within thirty (30) days of such notice.
UPDATES AND UPGRADES. Customer agrees that the software does not include updates and upgrades which may be available from Hewlett-Packard under a separate support agreement.
EXPORT CLAUSE. Customer agrees not to export or re-export the sof tware or any copy or adaptation
in violation of the U.S. Export Administration regulations or other applicable regulation.
U.S. GOVERNMENT RESTRICTED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and
Computer Software clause in DF ARS 252.2 27-701 3. Hewl ett- Packard Company, 3000 Hanover St reet,
Palo Alto, CA 94304 U.S.A. Rights for non-DOD U.S. Government Departments and Agen cies are as set
forth in FAR 52.227-19(c)(1,2).
Page 5
Contents
1. Understanding the HP Encryption Smart Card Security System. . . . . . . . . . . . . . . .1-1
What is the Encryption Smart Card Security System? . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
What is a smart card?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
What is Encryption?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
How does the HP Encryption Smart Card Security System work? . . . . . . . . . . . . . . . . . .1-2
2. Setting up your OmniBook to use a smart card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Checking the package contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Checking the requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-5
Installing the Encryption System software and Smart Card Reader . . . . . . . . . . . . . . . . .1-6
Smart card logon with Windows NT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-7
Initializing your smart card and creating a recovery file. . . . . . . . . . . . . . . . . . . . . . . . .1-10
3. Using your HP Encryption Smart Card Security System . . . . . . . . . . . . . . . . . . . . .1-13
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-13
Getting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-13
Entering the PIN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-14
NT Workstation lock (screen lock) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-15
Using the Secure Folder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-15
Changing your Smart Card’s PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-17
If you forget your PIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-18
Creating a replacement smart card. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-19
4. Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-23
General Troubleshooting tips and tricks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-23
Troubleshooting questions and answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-26
i
Page 6
Contents
ii
Page 7
Understanding the HP Encryption Smart Card
Security System
What is the Encryption Smart Card Security System?
The Encryption Smart Card Security System is an accessory for your OmniBook
that uses smart card technology to provide smart card protected logon for Windows
NT and strong fi le encryption on Windows NT and Windows 95. The E ncryption
Smart Card Security System consists of a smart card reader which inserts into a
PCMCIA slot on your OmniBook, and a smart card in which to store information
that ensures that only you can access your OmniBook and read the files you have
chosen to protect.
What is a smart card?
1
A smart card is a credit-card-sized card which carries a microchip containing
memory and a microprocessor. The card’s microchip lies beneath gold contact pads
and when the card is inserted in a smart card reader, the contents of the microchip
can be read and interpreted in a number of ways, depending on the application. A
Personal Identification Number (PIN) is normally needed to “unlock” the contents
of the microchip, meaning that only the p erson wh o kn ows the PIN can use the card.
What is Encryption?
Encryption is simply taking in telligible data and making it unintelligible by using a
mathematical function and a unique key. To return the data to intelligible form, we
use the same mathematical function and the same key. Therefore only the holder of
the key can take the unintelligible data and make it intelligible.
The type of encryption used in the HP Encryption System provides confidentiality,
as no one but the holder of the key can read the data.
1-1
Page 8
How does the HP Encryption Smart Card Security System work?
1
How does the HP Encryption Smart Card Security System work?
The Encryption Smart Card Security System provides two security features:
• Data encryption on your OmniBook’s hard drive (Windows 95 and Windows
NT).
• Smart card protected logon for Windows NT to prevent unauthorized access to
your OmniBook.
Data encryption
When you set up the Encryption Smart Card Security System on your OmniBook, as
part of the process you define a Secure folder on your OmniBook, and generate an
encryption key that is stored on your smart card. You will also define a PIN which
allows only someone with the PIN to use the smart card. When you place a file in
the Secure folder with the smart card inserted in the smart card reader, the file is
encrypted using a key stored on your smart card. The files in the Secure folder can
be accessed only when your smart card is present in the smart card reader and the
correct PIN has been provided. This means that for anyone to decrypt and read the
files placed in your Secure folder, that person must be in possession of your smart
card and also know your card’s PIN.
1-2
Page 9
How does the HP Encryption Smart Card Security System work?
Τηε βρο
Ridebis, et licet rideas. Ego i lle quem nosti
apros et quidem pulcherrimos cepi. Ipse?
inquis. Ipse; non tamen ut omnino ab inertia mea et quete discederem. Ad retia sedebam: erat in proximo non venabulum aut
lancea, sed stilus et pugilares: meditab ar
aliquid enotabamque, ut, si manus vacuas,
plenas tamen ceras reportarem.
Non est quod contemnas hoc studendi
genus. Mirum est ut animus agitatione
motuque corporis excit etut. Iam undique
silvae et solitudo ipsumque illud si le ntiu m
quod venationi datur magna cogitationis
incitamenta sunt. Pr oinde cum venabere,
licebit, auctore me, ut panarium et
lagunculam sic etiam pugillare s fera s.
ων φοξ
@*¿b
@*¿b
ϕυ
µπεδ οϖερ τηε λαζψ δογ.
@*¿b
brown fox jumped over the lazy dog.
Τη
ροµπεδ
@*¿bt&%?h
Tæhe bhe
rodogw&%?@*¿bn fto encrypt
ροων φοξ ϕυµπε
ownb
d @*¿b@*¿boδ
@er3^)**&^@]}\\ @@*¿& x öTæhe r
δογ
τηε λαζ
@jumped over
@*¿b
χαν νοω υ
σε
ψου
öõ%
&%?
@*¿b
δατα
@*¿b)**&
ρτ χαρδ το ενχ
βψ πλα
¿dh
ρ δεταιλσ ον
@*¿b
&%öõ%je¿¿dhr @*¿@
@*¿b
je¿
oægb
ψπτιον
δογ
@jumped over
Τηε
@*¿b
ρψπτ
¿dh
χινηγ ιτ ιν
σµα
je¿
τηε*¿ ιν τ ιν τ ενχρ
φολδερΦο
ενχρψπτ ογß ιν τ
&F&%?#tæ öTæhe r
τηε λαhροωνϕυµ
βρο
The
ψ δου
ρ
Plain file Encrypted file
An encryption key on the smart card
is used for encrypting the file as it is
placed in the private folder
1
Smart card containing
an encryption key
Smart card logon with Windows NT
Windows NT offers password-protected logon where you must enter a user name
and a password to access your Windows NT account. The Encryption Smart Card
Security System increases the security of Windows NT logon by using a smart card
in addition to your password. The smart card is registered with your Wind ows NT
logon the first time you log on after the Encryption System software is installed on
your OmniBook. Anytime you log on after this, the smart card must be present in a
smart card reader inserted in the PCMCIA slot of your OmniBook. When you enter
your user name and password, the system reads the smart card in the smart card
reader and verifies that the correct smart card is present. If not, then admission to
your Windows NT account is denied. Therefore for someone to log on to your
Windows NT account, that person must not only know your user name and
password, but must also be in possession of your smart card.
1-3
Page 10
How does the HP Encryption Smart Card Security System work?
1
1-4
Page 11
Setting up your OmniBook to use a smart card
Checking the package contents
Your Encryption Smart Card Security System package contains:
• 1 PCMCIA smart card reader
• 2 GPK4000 smart cards (one spare card for backup/recovery purposes)
• 1 CD-ROM containing the Encryption Smart Card Security System software
• 1 User’s Guide (this manual)
Note that an optional pack of five smart cards is also available as a separate
OmniBook accessory (order no. F1613A).
2
Checking the requirements
To use the Encryption Smart Card Security System, you need:
• An HP OmniBook Model 800, 2000, 3000, 5000, 4100, 7100, Sojourn or later
with Microsoft Windows 95 OSR2 or later installed
or
An HP OmniBook Model 2100, 3000, 4100, 7100, Sojourn or later with
Microsoft Windows NT 4.0 SP3 or later installed (you will need at least 2 NT
accounts; one for the NT Administrator and at least one User account for
everyday use)
• A CD-ROM drive installed in your OmniBook (no te that on certain models of
OmniBook, the CD-ROM drive is an option you need to purchase separately)
• 1 free PCMCIA slot on your OmniBook
• At least 5 Mbytes of free space on your hard disk
It is also recommended that you have a formatted diskette to hand, to use as a safe
place to store the recovery file generated during the smart card initialization process.
1-5
Page 12
Installing the Encryption System software and Smart Card Reader
2
Installing the Encryption System software and Smart Card Reader
Note Before you begin installation, make sure your OmniBook’s CD-ROM drive is
correctly installed.
1 Start your OmniBook (log on as Administrator for Windows NT). You should
have the Windows desktop displ ayed
2 Insert the HP Encryption System Software CD-ROM into the CD-ROM drive of
your OmniBook.
3 Start your Windows program installation utility (Start, Settings, Control panel,
Add/Remove Programs) and install the Encryption Sm art Card Security System
software from the CD-ROM.
During the installation process you will be asked to install the smart card read er
in an available PCMCIA slot in your OmniBook (the smart card reader is
installed with the label facing upwards).
1-6
The software will be installed in the
Packard\HP Encryption System\
specify a different one if you wish.
Your Secure folder will be
change this if you wish.
Your OmniBook will be restarted when the instal lation is complete.
If you are using Windows 95, you have now finished the installation. Proceed to
“Initializing your smart card and creating a recovery file” on page 10.
For Windows NT users, you are now ready to register the Administrator and User
smart cards for use with NT Logon.
C:\Private by default, and again, you may
C:\Program Files\Hewlett-
directory by default, but you can
Page 13
Smart card logon with Windows NT
Smart card logon with Windows NT
With Windows NT, the Encryption Smart Card Security System provides the
additional security feature of smart card logon. This makes the logon procedure
more secure as you need both your NT password an d your smart card during logon.
You must register your smart car d wit h your user n ame and p assword during the NT
logon process. After registration only your smart card can be used with your NT
password.
It is recommended to register a smart card for at least 2 different Users; one for your
normal User (everyday use) and one for the NT Administrator.
Registering your Administrator smart card for Windows NT logon
With Windows NT, it is highly recommended to register an Administrator smart
card for your OmniBook to allow access to the system Administrator account.
In cases where all NT accounts are centrally managed (for example in a corporate
environment), registering the A dministrator sm art card would ty pically be done by
your system Administrator. If you are not part of such an environment, you will
need to register an Administrator smart card for yourself.
2
Your Windows NT documentation will contain additional details on the system
Administrator account.
To register an Administrator smart card
Caution With Windows NT, if you lose yo ur origi nal smart car d or it gets damaged or stolen,
you will be unable to access your OmniBook unless you have a registered
Administrator card.
1 Insert a new smart card in the smart card reader.
2 Log on to your OmniBook using the system Administrator’s user name and
password.
When you have entered your Administrator’s user name and password, a message
appears telling you that the card in the reader is now registered for your
Administrator’s account . You must no w use this smart card every time yo u log on to
your Windows NT Administrator’s account.
1-7
Page 14
Smart card logon with Windows NT
2
Note The Administrator smart card allows access to the Windows NT Administrator
account and should be used only for administration and recovery purposes (should
your original User smart card get lost or damaged). Naturally, the Administrator
smart card should be kept in a safe place.
Registering your User smart card for Windows NT logon
To register your User smart card
1 Insert a new smart card in the smart card reader.
Note This smart card will be the card that you will use for subsequent NT logons. After
this card is successfully registered for your NT account, you will be unable to log on
to your OmniBook without the card inserted in the smart card reader.
2 Log on to your OmniBook fo llo wing the no rmal W indows NT logo n pr ocedure.
When you have entered your user name and password, a message appears
telling you that the card in the reader is now registered for your User account.
You now must use this smart card every time you log on to your Windows NT
User account.
Verification Mode
1-8
This completes the steps necessary to register your smart cards for Windows NT
logon.
The first time you log on after installation, you will be in Verification m ode.
When you first set up your HP Encryption Syst em t o wo rk wit h NT, it is put into an
insecure “Verification” mode, which allows you to continue to access your
OmniBook even if there are problems with accessing your smart card reader or
smart card.
This “Verification” mode is only available following first installation, and is only
destined to be used until you feel confident that everything is working as it should
(especially following a reboot). Once you are confident in the installation and
configuration, click on “Secure” in the Verification mode dialog box and the NT
Logon installation will be secured.
Page 15
Smart card logon with Windows NT
Note For security reasons, there is no way to return to this verification mode once you have
selected to remove it.
You will now need to initialize each card that you wish to use for file encryption.
2
1-9
Page 16
Initializing your smart card and creating a recovery file
2
Initializing your smart card and creating a recovery file
Purpose of initializing your smart card
Before you can use a smart card to encrypt files, you will need to initialize it. During
initialization, an encryption key is generated that is used to encrypt and decrypt your
data. This key is stored on your smart card, which means that the encry pted data can
be decrypted only when the smart card is inserted in the smart card reader connected
to your OmniBook.
The recovery file
As a safety measure, the encryption key generated and stored on your smart card is
also copied to a recovery file. If you subsequently lose your smart card, or it gets
damaged, this recovery file allows you to load the encryption key that was on your
original smart card to a new card, thus enabling you to access and decrypt the files
on your OmniBook.
To initialize your smart card
1 Make sure your smart card is inserted in the smart card reader.
2 Open the HP Encryption Smart Card Security System Manager, and select the
Smart Card tab.
1-10
Page 17
Initializing your smart card and creating a recovery file
2
3In the Smart Card page, click on Initialize to start the initialization process, and
generate your encryption key.
You will now be asked to enter a PIN number for the smart card.
4 Enter an 8-character PIN and confirm the PIN by retyping it exactly in the
Confirm PIN field.
Note Your PIN must be exactly 8 characters long. It is not case sensitive.
5 During the initialization process, you are prompted to define a recovery file
and an associated password.
The default directory for the recovery file is on a floppy disk (
a:\ ).
1-11
Page 18
Initializing your smart card and creating a recovery file
2
If you wish to define another location for the recovery file, click on ... to select
another directory.
Then enter the name of the recovery file and the password to prevent
unauthorized access to the file.
Caution The recovery file allows you to create a duplicate smart card to access and decrypt
the files in your Secure folder should you lose you r original smart card or it gets
damaged. For security reasons it is not recommended that you store this file on y our
OmniBook hard disk. A safe place would be on a floppy disk.
It is also important that you do not forget the password for the recovery file. If this
happens, you will be unable to use your recovery file.
6Click OK when you are done.
The encryption key is now generated and stored on your smart card and in the
recovery file. You can now use your smart card to encrypt files.
1-12
Page 19
Using your HP Encryption Smart Card Security
System
Introduction
When using your HP En cryption Smart Card S ecur ity S ys t em wit h the Windows 95
operating system, a smart card must be present to encrypt and decrypt files in your
Secure folder. When the card is introduced in the reader a message box will open
asking for the PIN. Only when the correct PIN is entered will you be able to access
your Secure folder and encrypt and decrypt your files.
With the Windows NT operating system, in addition to the above, the smart card is
required to log on. The PIN is requested, but is not necessary to log on (you can
cancel, without stopping the logon). However, only when the correct PIN has been
entered will you be able to access your Secure folder and encrypt and decrypt your
files.
3
Getting Information
In the Information page of the HP Encryption System manager, you can easily see
where the Secure folder is located. This location was specified during the product
installation and cannot be changed. Other information available includes the status
of the smart card and smart card reader and the status of the products software
components.
1-13
Page 20
Entering the PIN
3
Entering the PIN
Each time you insert a new smart card, or remove and insert the same smart card,
you will be asked to enter its PIN. When the Encryption System detects the card, it
opens a PIN dialog box. Enter the smart card’s PIN. Once the PIN has been
correctly entered, you will have access to your Secure folder. If a wrong PIN is
entered or the smart card is not present, you will not be allowed to access your
Secure folder.
Caution If you type the PIN wrong seven ti mes in a row, the car d i s lock ed fro m fu rt her u se.
This is a security feature to prevent someone from trying to guess your PIN.
See “If you forget your PIN” on page 18.
1-14
Page 21
NT Workstation lock (screen lock)
NT Workstation lock (screen lock)
3
The Logon tab and page are only accessible when you are logged on as the NT
Administrator. The workstation lock is located in the lower part of the Logon page.
Check the box to lock the workstation should the session owner’s smart card be
removed. The workstation can be unlocked only by the smart card that locked it.
Using the Secure Folder
By default, your Secure folder is located in C:\Private .
File structure
You can create directories and files within the Secure folder in exactly the same way
as outside the Secure folder, as long as your smart card is present, and you have
entered the correct PIN.
1-15
Page 22
Using the Secure Folder
3
Storing existing files in the Secure folder
Use your application or file manager to:
• Save as...
• Copy to...
• Move (using drag and drop)
from your normal file structure to your Secure folder. Note that both Save as and
Copy to will leave a copy in the unsecure part of your hard disk which pr esents a
potential security risk.
When you Move files out of your Secure folder they will be decrypted.
For security reasons, using Move from the Secure folder is not recommended..
Using an existing file in the Secure folder
Use your application to:
•Open
and then
•Save
• Save as
files stored in your Secure folder.
Deleting a file in the secure folder
You can use DELETE or SHIFT+DELETE to remove files from your Secure folder.
Caution For security reasons, deleting files using DELETE is not recommended (it will leave
a decrypted copy of the file in your Recycle Bin).
1-16
Page 23
Changing your Smart Card’s PIN
You can change the PIN of your smart card at any time using the Encryption System
Manager. In the center section of the Smart Card page, click on Change PIN.
Changing your Smart Card’s PIN
3
The Change PIN dialog box will open:
In the Change PIN dialog box you are asked for the old PIN and the new PIN (and
confirmation). When you have ent ered this information, click on OK. Your PIN will
be changed.
1-17
Page 24
If you forget your PIN
3
If you forget your PIN
If you forget your PIN, you should be aware that seven unsuccessful attempts at
entering the PIN will result in your smart card being locked. If your organization
does not have a centralized Smart Card Managem ent System (SCMS) and an SCMS
Administrator who can unlock your card, your card is now unusable and should be
disposed of following your local environmental laws . You will need to create and
register a new card as detailed in “Creating a replacement smart card” on page 19.
1-18
Page 25
Creating a replacement smart card
Creating a replacement smart card
If you lose your smart card
If you lose your smart card or it becomes damaged, you will need to create a
replacement smart card to allow you to access and decrypt the files stored in your
Secure folder on your OmniBook. The recovery file you created when you
initialized your smart card will allow you to create a replacement card. For
Windows NT users, you will first need to re-register your smart card for Windows
NT Logon.
To create a replacement smart card for use with Windows 95
1 Locate the recovery file (it may be on a diskette).
2 Insert a new smart card in the smart card reader.
3 Open the Encryption Smar t Card Secur ity Syst em Manager pr ogr am (if it is not
already running) and click on the Smart Card tab.
3
4 If you have stored the recovery file on a floppy disk, in sert the diskette into the
floppy drive of your OmniBook.
5Click on Recover.
1-19
Page 26
Creating a replacement smart card
3
You are now prompted to enter the name of the recovery file and the recovery
file password.
6 Click on ... to go to the folder containing the recovery file (or type the full path
name in the filename field) and enter the password for the recovery file.
7 You will be prompted to enter the (new) PIN for the new smart card.
The same key that was on your original smart card is now loaded in the new smart
card, and you can now access and decrypt the files in your Secure folder.
1-20
Page 27
Creating a replacement smart card
To create a replacement smart card for use with Windows NT
Note Since you can no longer use your smart card to access yo ur OmniBook, you will need
the NT Administrator smart card to regain access.
1 Insert the Administrator smart card in the smart card reader, and log on as the NT
Administrator.
2 Open the Encryption System Manager program.
3 Select the Logon tab (only accessible by the NT Administrator).
The list of active smart cards and users is now displayed.
3
4 Click on the user name for which you wish to re-register a new smart card, and
then click on the Allow renewal button. The card state will change from “Card
registered” to “Card renewal allowed”.
5 Log off from your NT Administrator ses sion and remove the NT Administ rators
smart card from the smart card reader.
6 Insert a new (blank) smart card in the smart card reader. Log on to your
OmniBook as the user for which you wish to re-register the new smart card,
following the normal Windows NT logon procedure.
7 When you have entered your user name an d password, a message appears tell ing
you that the card in the reader is now registered for your user account. You must
now use this smart card every time you log on to your Windows NT user
1-21
Page 28
Creating a replacement smart card
3
account. (This completes the steps necessary to register your smart card for
Windows NT logon).
8 Locate the recovery file (it may be on a diskette).
9 Open the Encryption Smar t Card Secur ity Syst em Manager pr ogr am (if it is not
already running) and click on the Smart Card tab.
10 If you have stored the recovery file on a floppy disk, in sert the diskette into the
floppy drive of your OmniBook.
11 Click on Recover.
You are now prompted to enter the name of the recovery file and the recovery
file password.
12 Click on ... to go to the folder containing the recovery file (or type the full path
name in the filename field) and enter the password for the recovery file.
13 You will be prompted to enter the (new) PIN for the new smart card.
The same key that was on your original smart card is now loaded in the new smart
card, and you can now access and decrypt the files in your Secure folder.
1-22
Page 29
Troubleshooting
General Troubleshooting tips and tricks
In the case of a problem with your HP Encryption Smart Card Security System, the
first place to check is the Information page of the Encryption System Manager.
4
In this page you will find:
Smart Card Status
The smart card status should be:
• smart card present and correctly initialized
1-23
Page 30
General Troubleshooting tips and tricks
4
However, if there is a problem, it could be:
• smart card present but badly initialized
Solution: re-initialize your smart card as detailed in “To initialize your smart
card” on page 10
• smart card present but not initialized
Solution: initialize your smart card as detailed in “To initialize your smart
card” on page 9
• no smart card in the reader
Solution: insert an initialized smart card
Smart Card Reader status
The smart card reader status should be:
• reader is present and is working correctly
However, in the case of a problem, it could be:
• unable to connect to the smart card reader
Solution: check the status of all software components as detailed in “Software
Components status” below, and follow th e directio ns given in this section.
If all seems in order, try rebooting your OmniBook.
Software Components status:
Note The Authentication module (GINA) is only presen t in Windows NT installations.
It is not present in Windows 95 installations.
1-24
Page 31
General Troubleshooting tips and tricks
The software components status should be:
• Running
(except for the Authentication Module (GINA) which is stateless, and marked n/a)
However, in the case of a problem, it could be:
•Stopped
Solution: If any components are marked as stopped, you will need to restart
them (reboot the OmniBook or start them using the file manager - double click
on the file name).
•Missing
Solution: If any (other than the Remote Procedure Call Service) are marked as
missing, you will need to uninstall th e Encryption System and then re-install it.
If the Remote Procedure Call Service is marked as missing, you will need to
reinstall it as documented in your Windows 95 or Windows NT Operating
System manuals.
If you are still having problems, the next place to check is the smart card reader
configuration: go to the Control Panel of your OmniBook, double click on PC Card
(PCMCIA) and make sure that the GEMPLUS GPR400 is connected to the correct
socket.
If you see “(Empty) - Socket x “: check the reader’s installation and retry.
4
If you are still having problems, you should try rebooting your OmniBo ok and
check if the problem persists.
1-25
Page 32
Troubleshooting questions and answers
4
Troubleshooting questions and answers
Problem Explanation Action
I have lost my smart card If you are using Windows NT,
you will now be unable to log on
to your NT account and gain
access to your OmniBook.
Now you can log on, but you will
be still be una ble to read the files
in your encryption folder.
If you are using Windows 95,
you will be unable to read the
files in your encryption folder.
I cannot log on to my NT
account
I could not remember my PIN, I
tried to enter it seven times and
now my card no longer works
Your smart card is not inserted
correctly in the smart card
reader, or the reader is not
connected correctly to the
OmniBook.
As a security measure to
prevent someone who has
obtained your smart card from
guessing your PIN, you are
allowed only seven attempts at
entering the correct PIN.
If you fail to e nter the correct PIN
on the seventh attempt your
card is locked.
Contact your system
administrator to regain ac cess to
your OmniBook using the
administrator smart card.
Register a new smart card for
your NT logon.
Use the recovery file to enable
your new smart card to decrypt
the files you encrypted w ith y ou r
old card.
Make a recovery card using the
recovery file. See “Creating a
replacement smart card” on
page 19 for details.
Check that the smart card is
inserted correctly and ch eck that
the reader is inserted correctly .
If your organization has a
centralized Smart Card
Management System (SCMS),
see the SCMS Administrator
who can unlock your card.
If not, your card is now unu sable
and should be disposed of
following your local
environmental laws.
If you are using Windows NT,
you must register a new smart
card with your NT logon and
then use the recovery file to load
the old encryption key on the
new card.
If you are using Windows 95,
use the recovery file to load the
old encryption key on the new
card.
1-26
Page 33
Troubleshooting questions and answers
Problem Explanation Action
4
Access to your Encr yption fo lder
is denied
Files copied into the secure
folder don’t seem to be
encrypted
Encrypted text decrypts badly The card inserted in the reader
I can’t delete a file in my Secure
folder using
DELETE.
The HP Encryption System
Manager is unable to retrieve
information stored on the smart
card.
The smart card you used to
move your files into the secure
folder is still inserted in the
reader, and you sti ll have access
to all the files you m oved into the
secure folder.
is not the one you used to
encrypt your files.
For security reasons, deleting
files using DELETE is not
supported (it would leav e a c opy
in the Recycle Bin).
Make sure your smart card is
properly inserted into the smart
card reader and the correct PIN
has been entered. If this isn’t
done, you will not be able to
access the secure folder.
If you are still unable to access
the Secure folder you may have
corrupted information on you
smart card. Use the recovery
procedure detailed in Chapter 3
to recover your smart card.
Insert another card into the
reader and check the content of
your files: they should be
unreadable.
Insert the correct card an d enter
your PIN number to access the
secure folder.
To delete a file from the Secure
folder use SHIFT+DELETE
A message tells me that access
to the smart card is denied.
The HP Encryption System
Manager is unable to retrieve
information stored on the smart
card.
Make sure that your smart card
reader is properly installed in
your OmniBook and that the
smart card is p roperly inse rted in
the smart card reader.
If the error message “Could not
access the card reader, please
check connection and retry” is
displayed, follow the indications
given in the message boxes.
1-27
Page 34
Troubleshooting questions and answers
4
If you have questions this manual doesn’t answer, you can:
Look at the online help in the HP Encryption System Manager.
Find additional information about this OmniBook accessory on the Internet - visit
the Support website at http://www.hp.com/omnibook.
Check with your system administrator, if you have one.
Contact your dealer, or contact Hewlett-Packard - see the OmniBook Support and
Service booklet.
Make sure you have the software version number (in the “General” page of the HP
Encryption System Manager) and all of the inform ation (i ncludi ng the ver sion of all
the installed components) in the “Software Component Status” window of the
“Information” page.
1-28
Loading...