KOBIL mIDentity V1.5.2 User Manual
Figure 3.8: Assign certificates (the dialog also offers "Define ADK" for an Additional Decryption Key)

Figure 3.9: Select a certificate (initialisation assistant, step 3 of 4: choose the certificate to be imported from the list of available certificates; the certificate information box shows its subject, e.g. CN=beuser, C=DE, L=Worms, OU=Development, O=Kobil Systems GmbH)

As a final step of the initialization the Wizard displays the current KOBIL mIDentity setup status.

Figure 3.10: Finish screen (step 4 of 4, summary: PUK and PIN were created successfully; the certificate <My Certificate> was imported successfully and will be used to encrypt your SSO accounts and Secure Data Storage)

3.3.2 Specifics of a T-TeleSec E4 NetKey Card from T-Systems

Some of the SmartCards supported by KOBIL mIDentity behave differently in delivery state. The E4 NetKey Card is shipped in a "transport" or "null PIN" state: when you receive the card, a PIN is already set. A transport or null PIN is a six-digit PIN with all digits set to zero (000000). Because this value is the same on every card as delivered and therefore known to everyone, you have to change it to an individual PIN of your own choice the first time you use the card. A further specific is the so-called ePUK, a PUK which is calculated automatically
Figure 2.5: Installation path selection

8. In the last dialog box click Finish to complete the installation. The final InstallShield page ("KOBIL mIDentity Setup is almost complete") offers to open the README file and reminds you: if you copied or started the KOBIL mIDentity Setup from the memory of KOBIL mIDentity, disconnect and reconnect KOBIL mIDentity before further use.

Figure 2.6: Complete the installation

Note: Before using the KOBIL mIDentity software for the first time, please read the installed user manual as well as the release notes to get the latest product information.

After successful installation, double-click the KOBIL mIDentity icon on your computer's desktop to start the KOBIL mIDentity software. The software runs in the Windows tray bar at the bottom right, next to the system clock. Right-click this icon to open the fast access menu, or double-click it to open the main window.

2.3 Entering the License Key

As long as no KOBIL mIDentity device is plugged in, all functionality except the user manual is disabled. Depending on the KOBIL mIDentity package you have purchased, not all functions of the software are enabled after inserting the device. If you are using KOBIL mIDentity Light or KOBIL mIDentity Basic
Figure 4.7: Learning the user name

You can fill out more text areas by repeating that step as often as required.

4. KOBIL mIDentity automatically recognizes password fields and opens the password dialog. You can select either a static password (entered twice) or a one-time password (OTP) generated by the KOBIL SecOVID system, which requires a KOBIL SecOVID generator on your KOBIL mIDentity SmartCard. While learning the input windows: left mouse button = choose input window, right mouse button = next, ESC = cancel the learning procedure.

Figure 4.8: Learning the password

Figure 4.9: Learning the password (choose the password type: static password or one-time password (OTP), with an optional description)

Note that one-time passwords (OTP) additionally require the KOBIL SecOVID Server. Please refer to your local KOBIL dealer or directly to http://www.kobil.com/SecOVID if you have questions about KOBIL SecOVID.

5. Right-click in order to finish learning the password dialog. Now you can finally select the OK button with a left mouse click, which finishes the learning process.
Figure A.11: Recipient process in S/MIME (the recipient detaches the digital envelope, recovers the session key with the recipient's private key, decrypts the data and checks the signature, the "scrambled digest", with the public key of the sender)

Appendix B Glossary

Algorithm: A mathematical formula used to perform computations that can be used for security purposes.
Authenticate: To determine the identity of the entity that signed a message (entity authentication), or to verify that a message was not altered (data authentication).
Certificate Authority (CA): An entity with the authority and methods to certify the identity of one or more parties in an exchange; an essential function in public key cryptosystems.
Cryptography: The art and science of transforming confidential information to make it unreadable to unauthorised parties.
Data Encryption Standard (DES): A block cipher that encrypts data in 64-bit blocks. DES is a symmetric algorithm that uses the same algorithm and key for encryption and decryption. Developed in the early 1970s, DES is also known as the DEA (Data Encryption Algorithm) by ANSI and as DEA-1 by ISO. (Its 56-bit key is far too short for today's attackers; single DES should not be used for new data.)
Decryption: The process in which ciphertext is converted to plaintext.
Digital Certificate: A digital certificate provides identification for secure transactions. It consists of a public key and other data about the user, all of which is digitally signed by a Certificate Authority. It is a conditi
- Supported software: Microsoft Internet Explorer 5.5, Microsoft Outlook from version 2000 SR-1 or Microsoft Office from version 2000
- Hardware: 256 MB RAM, 20 MB free hard disk space, a free USB 1.1 or USB 2.0 port (for the special server setup, see the CD)

Chapter 2 Getting started with KOBIL mIDentity

2.1 Insert your KOBIL mIDentity SmartCard

Together with your KOBIL mIDentity you receive a SIM-sized SmartCard, which is either shipped together with KOBIL mIDentity or handed out separately by your system administrator. You have to break out the SmartCard, similar to mobile phones, and insert it into KOBIL mIDentity.

Figure 2.1: Insert the KOBIL mIDentity SmartCard

Note: Remove the KOBIL mIDentity SmartCard only when KOBIL mIDentity is NOT plugged into the computer's USB port. Use the lid cover in order to simplify SmartCard removal.

Figure 2.2: Remove the SmartCard from KOBIL mIDentity

2.2 KOBIL mIDentity Software Installation

The KOBIL mIDentity software can be used for all mIDentity models. It is either shipped together with the KOBIL mIDentity package on a CD-ROM, or you can download the most recent version from http://www.kobil.com/mIDentity. Check there from time to time to see if new updates are available.

1. Start your PC. Note: Make sure that your KOBIL mIDentity is not plugged in while the software setup is running.
2.
Figure 3.4: KOBIL mIDentity initialisation assistant, empty card (status: certificate not available, SSO and Secure Data Storage not assigned; click Next to continue)

1. Set up PIN and PUK. The PIN (Personal Identification Number) is used to access the KOBIL mIDentity storage. You can choose your own PIN as a combination of 6 to 16 alphanumeric characters. The PUK (PIN Unblocking Code) is used to unlock a locked PIN. You can define your own PUK or ask the system to generate one for you; the PUK must also be a combination of 6 to 16 alphanumeric characters. It is recommended to choose the system-generated PUK option, since human-chosen character sequences tend to be highly predictable (e.g. a birthday). Make sure you print the generated PUK and keep the printout in a secure place (see Figure 3.5).

Figure 3.5: Set up PIN and PUK; show and print the PUK (step 1 of 3: enter and confirm PIN and PUK, 6 to 16 characters long; with "System generated PUK" checked, the assistant displays the PUK, e.g. iyOmevdf3y, and offers to print it. Note: the PUK is needed to unlock your PIN)

2. Create a certificate for encryption. To encrypt data you require a certificate. You can create your own certificate in PKCS#7 format or import a certificate in PKCS#12 format from your PC. This certific
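Added example, not part of the KOBIL manual or software: the PIN/PUK rules stated above (6 to 16 alphanumeric characters, system-generated PUK) together with the transport/null PIN check from section 3.3.2, written in Go. It assumes the generated PUK consists of ten lowercase letters or digits like the printed example, and that the policy is checked on the PC rather than enforced by the card; both are my choices, not something the manual specifies.

```go
// Added example, not part of the KOBIL manual or software: PIN/PUK policy
// checks (6 to 16 alphanumeric characters), refusal of the E4 NetKey
// transport PIN, and a system-generated PUK. Assumptions: PUK alphabet and
// length (ten lowercase letters or digits) are my own choices.
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

const (
	minLen       = 6
	maxLen       = 16
	transportPIN = "000000" // delivery state of the E4 NetKey card, known to everyone
	pukAlphabet  = "abcdefghijklmnopqrstuvwxyz0123456789"
)

// ErrTransportPIN signals that the card still carries the null PIN.
var ErrTransportPIN = errors.New("transport (null) PIN must be changed before first use")

// ValidateSecret applies the manual's rule for both PIN and PUK.
func ValidateSecret(s string) error {
	if len(s) < minLen || len(s) > maxLen {
		return fmt.Errorf("must be %d to %d characters, got %d", minLen, maxLen, len(s))
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		if !('0' <= c && c <= '9' || 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z') {
			return fmt.Errorf("character %q is not alphanumeric", c)
		}
	}
	return nil
}

// CheckPIN validates a PIN and refuses the transport PIN: a card left in
// delivery state is protected only by a value printed in every manual.
func CheckPIN(pin string) error {
	if err := ValidateSecret(pin); err != nil {
		return err
	}
	if pin == transportPIN {
		return ErrTransportPIN
	}
	return nil
}

// GeneratePUK draws n characters uniformly from pukAlphabet with crypto/rand.
// rand.Int rejects out-of-range values, so there is no modulo bias; this is
// the "system generated PUK" the manual recommends over human-chosen values.
func GeneratePUK(n int) (string, error) {
	if n < minLen || n > maxLen {
		return "", fmt.Errorf("PUK length %d outside policy", n)
	}
	out := make([]byte, n)
	alphaLen := big.NewInt(int64(len(pukAlphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, alphaLen)
		if err != nil {
			return "", err
		}
		out[i] = pukAlphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	for _, pin := range []string{"000000", "12ab", "bad pin!", "s3cretP1n"} {
		fmt.Printf("PIN %q: %v\n", pin, CheckPIN(pin))
	}
	puk, err := GeneratePUK(10)
	fmt.Println("generated PUK:", puk, "policy ok:", err == nil && ValidateSecret(puk) == nil)
}
```

The point of the transport PIN check is that "a PIN is already set" is not the same as "the card is protected": until the user replaces 000000, anyone holding the card can use it.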
Figure 5.17: Context menu for file/directory signature verification (Windows Explorer context menu with a KOBIL mIDentity submenu and a Secure Erase entry)

2. Choose KOBIL mIDentity > Verify Signature.
3. The status dialogue shown in Figure 5.18 appears. In the choice box you can see the verification status for each file. Click on a file name to see the corresponding signature certificate below.

Figure 5.18: Signature verification status (file list with signing time, signer and signature status; signature certificate details: subject, issuer and serial number)

4. All verified files are stored without the ending .kss in a new file. Whether the signature file with the ending .kss is deleted or not depends on the configuration described in section 6.3.9.

Signature verification for directories works exactly as for single files: just right-click the directory you want to verify. All signed .kss files in that directory will be extracted (original files without signature) and at
The exchange of Figure A.9 (simplified view of the manual):

Client: 1. Create random data D1 and send it to the server.
Server: 1. Create random data D2. 2. Sign D1. Send the server certificate, the signature of D1 and D2 to the client.
Client: 2. Verify the server certificate. 3. Verify the signature of D1. 4. Sign D2. 5. Create random data D3. 6. Encrypt D3 for the server (with the public key from the server certificate). Send the client certificate, the signature of D2 and the encrypted D3 to the server.
Server: 3. Verify the client certificate. 4. Verify the signature of D2. 5. Decrypt D3.
Both sides: Calculate the session key from D1, D2 and D3. The SSL web session is established.

Figure A.9: Secure Socket Layer

A.3.8 Secure Multipurpose Internet Mail Extensions (S/MIME)

Secure Multipurpose Internet Mail Extensions (S/MIME) is an open protocol standard developed by RSA Laboratories that provides encryption and digital signature functionality for Internet e-mail. S/MIME uses public key cryptography standards to define e-mail security services. S/MIME includes offline processes: the sender's process is illustrated in Figure A.10, the recipient's process in Figure A.11.

Figure A.10: Sender process in S/MIME (the original data is digested and the digest is signed with the sender's private key; the "scrambled digest" is the signature and is appended to the data. Data and signature are encrypted with a random session key; the session key is wrapped with the recipient's public key and attached, forming the digital envelope. The sender does not have the recipient's private key)
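Added example, not from the manual or from KOBIL: the challenge/response exchange of Figure A.9 carried out in Go as plain function calls between a client and a server value, so that each numbered step of the figure can be seen in code. Assumptions the figure leaves open: certificates are reduced to RSA public keys each side already trusts (no CA chain appears on the page), signatures are RSA-PSS over SHA-256, D3 is encrypted with RSA-OAEP under the server's public key, and the session key is SHA-256(D1 || D2 || D3). This is the manual's simplified model, not the TLS handshake as standardised.

```go
// Added example, not from the manual or KOBIL: Figure A.9 as code.
// Assumptions: peer public keys stand in for certificate verification,
// RSA-PSS/SHA-256 signatures, RSA-OAEP for D3, session key = SHA-256(D1||D2||D3).
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one side's own key pair and the peer's "certificate".
type Party struct {
	Key  *rsa.PrivateKey
	Peer *rsa.PublicKey // trusted out of band; stands in for certificate verification
}

func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{Key: k}
}

func randomData() []byte {
	d := make([]byte, 32)
	if _, err := rand.Read(d); err != nil {
		panic(err)
	}
	return d
}

func sign(k *rsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	sig, err := rsa.SignPSS(rand.Reader, k, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *rsa.PublicKey, data, sig []byte) error {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// SessionKey is what both sides compute in the last step of the figure.
func SessionKey(d1, d2, d3 []byte) []byte {
	h := sha256.New()
	h.Write(d1)
	h.Write(d2)
	h.Write(d3)
	return h.Sum(nil)
}

// Handshake runs the exchange and returns the client's and the server's
// session key, which must agree.
func Handshake(client, server *Party) (clientKey, serverKey []byte, err error) {
	d1 := randomData() // client 1: random D1, sent to the server

	d2 := randomData()            // server 1: random D2
	sigD1 := sign(server.Key, d1) // server 2: sign D1; message: server cert, sig(D1), D2

	// client 2+3: "verify server cert" (trusted key) and the signature of D1
	if err := verify(client.Peer, d1, sigD1); err != nil {
		return nil, nil, fmt.Errorf("client: server signature of D1 invalid: %w", err)
	}
	sigD2 := sign(client.Key, d2) // client 4: sign D2
	d3 := randomData()            // client 5: random D3
	encD3, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, client.Peer, d3, nil) // client 6
	if err != nil {
		return nil, nil, err
	}
	// message: client cert, sig(D2), encrypted D3

	// server 3+4: "verify client cert" (trusted key) and the signature of D2
	if err := verify(server.Peer, d2, sigD2); err != nil {
		return nil, nil, fmt.Errorf("server: client signature of D2 invalid: %w", err)
	}
	d3Server, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server.Key, encD3, nil) // server 5
	if err != nil {
		return nil, nil, err
	}
	return SessionKey(d1, d2, d3), SessionKey(d1, d2, d3Server), nil
}

func main() {
	c, s := NewParty(), NewParty()
	c.Peer, s.Peer = &s.Key.PublicKey, &c.Key.PublicKey
	kc, ks, err := Handshake(c, s)
	fmt.Println("keys agree:", err == nil && bytes.Equal(kc, ks))

	// An impostor that does not hold the server's private key cannot produce
	// a valid signature of D1, so the client aborts in its step 3.
	rogue := NewParty()
	rogue.Peer = &c.Key.PublicKey
	_, _, err = Handshake(c, rogue)
	fmt.Println("impostor:", err)
}
```

Two properties of the figure become visible here: an impostor without the server's private key fails at the client's step 3, and because D1, D2 and D3 are fresh each run, the session key differs between handshakes even though the keys pairs stay the same.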
Code) the PIN can be unlocked, similar to mobile phones. You get your PIN either together with the KOBIL mIDentity SmartCard from your system administrator, or, if the SmartCard is still empty, you set the initial PIN and PUK at the first use of KOBIL mIDentity. Please remember PIN and PUK well, since without them you cannot use KOBIL mIDentity.

3.3.1 Initialization of the SmartCard

Once the KOBIL mIDentity setup software has been installed on your PC (see section 2.2), you can use the device. Start the KOBIL mIDentity Control Centre application and plug KOBIL mIDentity into the docking station or directly into a USB port on your PC. If your KOBIL mIDentity SmartCard has already been initialized, i.e. PIN, PUK and an encryption certificate have been defined, you can proceed by entering the PIN to access the card storage. If your SmartCard is empty, which means PIN, PUK and an encryption certificate are not yet defined, the KOBIL mIDentity Installation Wizard guides you through the KOBIL mIDentity installation procedure. The Wizard appears on your PC screen; its very first screen shows the SmartCard's current status (see Figure 3.4). Follow the instructions on the screens to complete the installation.

Initialisation assistant, first screen: "The mIDentity Initialization Wizard will guide you through the mIDentity setup. Current Smart Card status: PIN not defined, PUK not defined, Certificate
KOBIL mIDentity also decrypts files that were not encrypted using KOBIL mIDentity, provided they are in PKCS#7 format and you have the corresponding private key, of course.

Figure 5.13: Context menu for file/directory decryption (Windows Explorer context menu: KOBIL mIDentity > Decrypt, Add/Remove Recipients)

Directory decryption happens exactly the same way as file decryption: just right-click the directory you want to decrypt instead of a single file. All .kse files in that directory will be decrypted in one pass, but you have to enter your KOBIL mIDentity SmartCard's PIN only once. If not all files in that directory could be processed (either some could not be decrypted, or not all files are .kse files), you get a corresponding warning.

5.3.4 File and Directory Signature

Important: this section only covers simple or advanced signatures according to the European Signature Act. If your KOBIL mIDentity version supports qualified signatures, please refer to the section Qualified Signatures.

If you want to digitally sign a file, proceed as follows:

1. Right-click on the file you want to sign. The conte
R3 support, please contact your certified KOBIL partner.

Appendix A Cryptographic Basics and Standards

A.1 Security Objectives

Confidentiality: Protection from disclosure to unauthorised persons who may try to listen to communication or to steal information.
Integrity: Maintaining data consistency. Nobody except the originator can change the information unnoticed while it is stored somewhere or transferred over an insecure medium like the Internet.
Authentication: Assurance of the identity of a person or of the originator of data.
Non-repudiation: The originator of some data cannot deny it later.
Access control: Unauthorized persons are kept out.

A.2 Terms and Basics

Cryptography is the science of keeping information secure. Cryptographic systems usually consist of two implemented processes, encryption and decryption. Encryption is the process of transforming a message (the plaintext) into another message (the ciphertext) such that it is computationally infeasible to derive the plaintext by reversing the process without knowledge of secret parameters. Many cryptographic algorithms mathematically combine the input plaintext and an encryption key to generate ciphertext. Decryption is the reverse process: it transforms the ciphertext back into the original plaintext by using a complex function and a decryption key. One of the goals of cryptography is to raise the cost of guessing the decryption key beyond what is practical
...by activating in the menu Extras > Accounts > Directory Service > Properties the option "Check recipient addresses with this directory service". Once you have successfully imported another user's certificate, you can look at it in the Windows certificate manager under "Other People" (see section 3.4.3).

Figure 3.17: Find People dialog (look in the VeriSign Internet Directory Service; the result list shows the name and e-mail address of the user found, with the option Add to Address Book)

3.4.6 Import an existing certificate onto the KOBIL mIDentity SmartCard

If you already possess a software certificate, you can import it into KOBIL mIDentity including the private keys (such certificates are stored in PKCS#12 or PFX files instead of on a SmartCard). You can import any software certificate stored in the Windows Certificate Manager that is marked as exportable. Open the Control Centre software, choose Properties > Identity, click on the Card tab and then on the Import button. If you have the software certificate only as a PKCS#12 or PFX file, first import it into the Windows Certificate Manager by double-clicking it. Follow the import wizard's instructions and take care to mark the certificate as exportable. Keep in mind that this exportable software copy of the private key stays in the Windows Certificate Manager after the import onto the SmartCard unless you remove it there; as long as it exists, the key is not protected by possession of the SmartCard. F
...inside so-called Secure Data Storages, also called Containers. A Secure Data Storage is a virtual hard disk with its own drive letter that is physically stored in one huge encrypted file inside your regular file system. The Secure Data Storage is encrypted using the KOBIL mIDentity SmartCard, so the Secure Data Storage's content is always strongly encrypted. Without the KOBIL mIDentity SmartCard and its PIN nobody can access the Secure Data Storage. All KOBIL mIDentity models support encrypted Secure Data Storages on your local hard disk. For real mobility you can have a Secure Data Storage on the KOBIL mIDentity itself [2]; with it you can carry your sensitive data anywhere you go.

KOBIL mIDentity Secure Data Storages work differently from the Windows 2000/XP Encrypting File System (EFS). Unlike EFS, the decryption keys are not bound to the user's Windows account but to the KOBIL mIDentity SmartCard. By using SmartCard technology, strong two-factor authentication is achieved (possession of the SmartCard AND knowledge of the PIN) instead of only knowledge of the Windows user password. Data recovery can be done separately from the Administrator role (see section 5.4).

[1] does not apply to KOBIL mIDentity Light
[2] does not apply to KOBIL mIDentity Light

5.2.1 Creating a Secure Data Storage on your local hard disk

Important: please read section 5.4 (Emergency Recovery) carefully before starting to work with Secure Data Storages, in order to keep your data accessible a
...it is possible to use predefined logon templates. Those templates are then filled out with personal data by the end user. For more details regarding this solution please contact your KOBIL partner.

- Transfer: This feature does not apply to browser applications. For all other applications you can define the method by which personal data is inserted into the appropriate application field. As standard this happens via Windows messages; because some applications have problems with this method, we introduced the option of using event-based technology. The event-based technology simulates manual key entry, which solves the problem but is much slower than the message solution.

4.1.6 Backup Logon Accounts

Simple Sign-On simplifies access to services and applications on your computer. You only need to know the PIN of your SmartCard; application access is handled for you in the background. It is therefore very important to protect your logon data additionally by taking regular backups. We recommend that you take a backup of your logon dialogs each time a new application access dialog has been added to your list or when logon data has changed.

Figure 4.19: Edit and view login data (Logon Accounts screen with the buttons New Logon Account, Edit, Password, Transfer, Delete and Backup)

To take a backup of your access data, choose the option Logon Accounts from the main menu. Next select the Backup option from the User Accounts screen a
...on the local hard disk.

3. Using the slide bar you can determine the size of the new Secure Data Storage. Important: we strongly recommend NOT using the whole free space on your hard disk for a Secure Data Storage, since this may result in problems with the Windows operating system. You should always keep 50 to 100 MB of free space on your hard disk.
4. Under Storage Name you can define a label that will be used to display the Secure Data Storage in the Windows Explorer.
5. You can select a particular Drive Letter, or ANY if the Secure Data Storage shall always be mounted on the next available drive letter. A specific drive letter may be useful if you work with scripts.
6. Click Create in order to start the Secure Data Storage creation. This process may take some time. In order to encrypt your Secure Data Storage, a random encryption key is generated by the smart card during creation.
7. At the end you have to enter the KOBIL mIDentity SmartCard's PIN to mount and format the Secure Data Storage, which completes the process. The new Secure Data Storage icon then appears on the desktop for quick access.

Figure 5.3: Desktop shortcut for the new Secure Data Storage (mIDentity Datasafe)

5.2.2 Creating a Secure Data Storage on your network drive

Important: please read section 5.4 (Emergency Recovery) carefully before starting to work with Secure Data Storages, in order to keep your data accessible also in emergency situations. All KOBIL mIDentity versions
...signature process (see section 5.3.4).

- If the checkbox "Encrypted files after decryption" is active, each encrypted file is deleted automatically after decryption. Note that this option cannot be changed per decryption process.
- If the checkbox "Signed files after signature verification" is active, each signed file is deleted automatically after signature verification. Note that this option cannot be changed per signature verification process.

Show Report after Process: If you enable this option you will see a report about how many files have been processed, in case you selected multiple files or even complete folders to encrypt, decrypt, sign, verify or secure erase.

Default Signature Certificate: Check "Default Signature Certificate" and click on Select. You can select the default signature certificate from the list of all valid signature certificates (see section 5.3.4). The button Remove disables the default signature certificate. Important: this setting does NOT have any impact on qualified signatures.

Default Encryption Certificate: Check "Default Encryption Certificate" and click on Select. You can select the default encryption certificate from the list of all valid encryption certificates (see section 5.3.1). The button Remove disables the default encryption certificate.

Additional Decryption Key: Check "Additional Decryption Key" and click on Select. You can select the Additional Decryption Key from the list of all valid encryptio
...2000/XP/2003 with KOBIL mIDentity. We assume that both your Internet access and your e-mail account are properly configured. If you are not sure about this, contact your Internet provider. E-mail security functions can be combined with Outlook Synchronization (see the corresponding section). Before starting to sign and encrypt e-mails you need a personal certificate that contains your e-mail address. Self-signed certificates such as the one created by the initialisation assistant cannot be used for secure e-mail communication, since they do not contain an e-mail address. See the corresponding section on how to get a personal certificate.

6.1.1 Configure your Certificate

To send signed messages and receive encrypted messages you have to configure your e-mail certificate. If you don't select a default certificate and try to send a signed message, Outlook Express prompts you with a list of certificates to choose from. The full Outlook versions don't allow sending secured e-mail unless you have configured your certificate manually. The necessary steps differ a bit between Outlook Express and Outlook 98/2000/XP/2003.

Outlook Express: In Outlook Express your certificates are bound to your e-mail account, so you can select a default certificate for each account.

1. Start Outlook Express and select Tools > Accounts.

Figure 6.1: Internet Accounts dialog

2. Choose your e-mail account as shown in the figure and click Properties > Security. The dialogue shown in figu
Figure A.1 illustrates the data digest process.

Figure A.1: Data digest scheme (a digest function maps the data to a unique digest)

A.3.2 Symmetric Encryption Algorithms

With this type of algorithm the same key, the so-called session key, is used to encrypt and to decrypt the message. They are also known as session key algorithms. Figure A.2 illustrates the symmetric encryption process. The main advantage of symmetric algorithms is their speed of data encryption and decryption. Their main weakness is key management: both sender and receiver must have the same secret session key, which must be transferred securely. It is convenient and secure to transfer session keys by using public key algorithms. The most common session key algorithms at the time of writing are Triple DES, RC2 and RC4. (All three are deprecated today; current systems use AES.)

Figure A.2: Symmetric algorithm (the encryption key is the session key and the decryption key is the same key; this key should be kept secret. Everybody can use the Internet, and malicious people can easily listen to any communication and modify any data in this insecure public medium)

A.3.3 Public Key Algorithms: Properties

With these algorithms the encryption and decryption keys are different. Each user has at least one key pair consisting of two keys. One is kept secret and is therefore called the private key; the other one is open
- ALT+F10: if the logon window has been activated by a mouse click, you get the list of the learned password dialogs and can select the desired password entry.
- ALT+F12: In some cases KOBIL mIDentity does not recognize learned password dialogs. Besides the possibility of pressing ALT+F10 (see above), you can press ALT+F12 to make KOBIL mIDentity check all open windows again for a password dialog it has already learned.

Advanced features of Simple Sign-On

The Simple Sign-On solution is very tightly related to the hardware and software environment on which it operates. To avoid possible configuration problems, and also to give you additional setup options, we offer advanced features. To reach the advanced features, select the option Setup from the main menu and then choose the KOBIL mIDentity Setup menu item. From the KOBIL mIDentity Setup screen select the Advanced Features option on the Logon Accounts screen.

Figure 4.1: Simple Sign-On settings

Figure 4.2: Simple Sign-On advanced features (Learning parameters: Recognize Internet Explorer logon element, User defined label. Dynamic settings: Detect known logon accounts, Detect a new logon account, Detect failed attempts to logon (3 attempts per interval), Show icon (session restart required). Buttons: Std Settings, Shortcuts, OK, Cancel)

- Learning parameters: 1. Recognize Internet
Figure 5.7: Logon/Logoff Secure Data Storages

5.2.5 Delete Secure Data Storages

When you don't need a Secure Data Storage anymore you can delete it, no matter whether it is a local Secure Data Storage on your hard disk or a mobile Secure Data Storage on your KOBIL mIDentity. Deleting a Secure Data Storage discards all information and files stored in that Secure Data Storage; they cannot be recovered. Be very careful when deleting a Secure Data Storage. In order to delete a Secure Data Storage, open the Control Centre software, click on Secure Data Storage > Delete and select the Secure Data Storage you want to delete. You will be asked to confirm the deletion to make sure that you selected the right Secure Data Storage.

Figure 5.8: Delete Secure Data Storage (mIDentity Control Center with the sections Logon Accounts, Mobile Office and Secure Data Storage; the list shows e.g. MYDATASAFE as a mobile storage on drive H, with the buttons Log off, Create and Import)

5.2.6 Delete a link to a Secure Data Storage

If you have created a Secure Data Storage on a network drive which is currently not available, you can delete the link to this Secure Data Storage. If you do so, the data inside this Secure Data Storage is not affected; the Secure Data Storage is then merely no longer recognized by the management software. If the network d
...Explorer logon element: The "Recognize Internet Explorer logon element" option saves you one step in the application logon dialog learning process by automatically recognizing the login element.
2. User defined label: The "User defined label" option lets you name your logon account yourself rather than having the system do it for you.

- Dynamic settings:
1. Detect known logon dialogs: the SSO will log on automatically to a known account.
2. Detect a new logon dialog: the SSO will start a learning process as soon as an unknown window with a password field appears on screen.
3. Detect failed attempts to logon: the Simple Sign-On feature can be configured to automatically detect a new application window and proceed with the logon dialog. To avoid an infinite loop in case of a failure, the maximum number of allowed failed logon attempts must be specified.
4. Show icon: the Advanced Features can be invoked as a separate mini application directly from the tray bar. It offers additional functionality which can be reached via a menu triggered by right-clicking the Advanced Features icon.

Figure 4.3: Additional icon for SSO (menu: Settings, Learn, Learn Selection, Detect selected)

- Buttons:
1. Cancel: settings are closed without saving the changes.
2. OK: save settings and finish.
3. Hotkeys: alter the hotkeys.

Shortcuts dialog: Learn new account F11, Detect new account F
...ADK certificate (see section 5.4.1). If you want to use any other encryption certificate, click on Add. You can also Search for other people's certificates in directory services.

- Erase original file(s): This checkbox decides whether the original files should be erased after encryption/signature. The default setting of this checkbox can be configured (see the settings for file security). Attention: if this checkbox is active and you encrypt only to a foreign certificate, you will not be able to recover those files, since only the holder of that certificate's private key can decrypt them.

If all options are correctly set, click on Proceed to start the encryption/signing process.

Figure 5.20: File/directory encryption and signature options (recipient list with the option to search further certificates on a directory service (LDAP server); signature certificate with subject and serial number; checkbox "Erase original file(s) after signing and encryption"; Proceed and Cancel)

4. Enter your KOBIL mIDentity SmartCard's PIN.
5. The file, or all files inside the chosen directory, are now encrypted and signed and stored with the ending .ksk, as shown in Figure 5.21.
KOBIL mIDentity V1.5.2 User Manual, 16.07.2007, English version

Contents (section titles recoverable from the table of contents; page numbers omitted): Getting started with KOBIL mIDentity; Insert your KOBIL mIDentity SmartCard; KOBIL mIDentity Software Installation; Entering the License Key; Import another User's Certificate; Import an existing certificate onto the KOBIL mIDentity SmartCard; Software Update; Simple Sign-On (SSO); Managing Logon Accounts; Backup/Restore Logon Accounts; Secure Data Storage; Delete a link to a Secure Data Storage; File and Directory Encryption; File and Directory Decryption; File and Directory Signature; File and Directory Signature Verification; Signature and Encryption of Files and Directories; Settings for File Security; Emergency Recovery; Additional Decryption Key; Appendix A Cryptographic Basics and Standards; Appendix B Glossary.
...SA): This standard defines the Secure Hash Algorithm (SHA-1) for use with the Digital Signature Standard (DSS).
Secure Sockets Layer (SSL): Security protocol used between servers and browsers for secure Web sessions.
SSL Handshake: The SSL handshake, which takes place each time you start a secure Web session, identifies the server. This is performed automatically by your browser.
Secure Multipurpose Internet Mail Extensions (S/MIME): Standard offline message format for use in secure e-mail applications.
Uniform Resource Locator (URL): Web address.
25. [Figure 5.16: A signed file. Windows Explorer shows Secret.doc (24 KB, Microsoft Word Document) next to the signed file of type KSS File.]

Signed files are stored in PKCS#7 format, which enables interoperability between different applications. Directory signatures work exactly the same way as file signatures: just right-click the directory you want to sign instead of a single file. All files in that directory will be signed in PKCS#7 format in one pass, but you have to enter your KOBIL mIDentity SmartCard's PIN only once.

5.3.5 Multiple Signatures

In order to add further signatures to an already signed file, just right-click the .kss file and select KOBIL mIDentity > Add Signature. As for the first signature, you can select the signature certificate and you will be asked to enter the KOBIL mIDentity SmartCard's PIN.

5.3.6 File and Directory Signature Verification

Important: this section only covers simple or enhanced signatures according to the European Signature Act. If your KOBIL mIDentity version supports qualified signatures, please refer to the section Qualified Signatures.

To verify a file's digital signature, proceed as follows:

1. Right-click on the file with the ending .kss you want to verify. The context menu shown in the figure appears.
26. [Figure A.3: Asymmetric Algorithm. The private key must be kept secret; the public key can be given to everybody. Everybody can use the internet, and malicious people can easily listen to any communication and modify any data in this unsecured public medium.]

Wrap Session Key: Bulk data is encrypted with a session key to achieve high speed. The session key must be sent to the recipient for decryption. For a secure transfer the session key is encrypted with the public key of the recipient. No one except the recipient can recover the session key, because the private key of the recipient is needed to decrypt the scrambled session key. Encrypted bulk data and the scrambled session key are merged to form a digital envelope. Someone who wants to recover the original data must recover the session key first (see figure A.4).

[Figure A.4: Wrap Session Key. The data is encrypted with a symmetric algorithm under a session key, which should be kept secret; the session key is scrambled with an asymmetric algorithm under the recipient's public key; scrambled data and scrambled session key together form the digital envelope sent over the internet. The sender does not have the recipient's private key.]

Unwrap Session Key: The recipient of the digital envelope detaches the scrambled session key from the encrypted bulk data. First, the scrambled session key is decrypted with the private key of the recipient. Second, bu...
27. [Figure 4.10: Learning the OK Button. The password dialog shows the fields User name and Password, the option "Remember my password" and the buttons OK and Cancel. Learning the OK button: the left mouse button chooses a button, the right mouse button moves to the next one, ESC cancels the learning procedure.]

If the same password dialog appears the next time, KOBIL mIDentity automatically recognizes it and asks whether it should fill in the user name and password. There are differences between Windows applications and web applications.

[Figure 4.11: Automatic Windows application logon with KOBIL mIDentity. mIDentity has detected an input window ("Connect to Source_safe") and asks "Do you want to logon automatically?", showing description, window title and contents, with the option "Don't show this dialog anymore" and the buttons Logon and Cancel.]

In case of a web application you can furthermore choose between Fill in and Login. Choose Fill in to fill in the learned elements without sending the login information. This way you can enter additional elements yourself, for example because they change every time you visit the site.

[Figure 4.12: Automatic web application logon with KOBIL mIDentity (GMX login page).]

NOTE: While logging on to Java applications there is a technical need to execute mouse movements and mouse clicks. For tha...
28. ...ake sure that you are logged in as Administrator (only needed for installation).

3. Finish all running programs.

4. Insert the KOBIL mIDentity Software CD-ROM into your CD-ROM/DVD-ROM drive; the setup will start automatically. If this is not the case, please start it manually using the Windows Explorer and select the menu item KOBIL mIDentity Software Installation. If you don't have any KOBIL mIDentity Software CD-ROM at hand, you can download the most recent version from the internet at http://www.kobil.com/mIDentity and start it by a double click.

5. Choose the installation language and click on OK.

[Figure 2.3: Choose the installation language (Deutsch / Englisch).]

6. Please read the licence agreement carefully. If you agree with it, click Yes in order to continue the installation process. If you don't agree, please click No to cancel the software installation.

[Figure 2.4: Accept the Licence Agreement (InstallShield Wizard, License Agreement).]

7. Now you will be asked to define the installation folder for the KOBIL mIDentity Software. Usually you can use the default values and just click on Continue to start the installation.

[Figure: InstallShield Wizard, Choose Destination Location: select the folder where Setup will install the files.]
29. ...ate for signature and encryption, if your security policy allows this. The dialogue is shown in figure 6.3.

5. You can select the session key algorithm which will be used for bulk encryption and decryption, as well as the hashing algorithm for digital signatures. For strongest security, 3DES or RC2 128 bit is recommended as encryption algorithm and SHA1 as hashing algorithm.

[Figure 6.5: Outlook 98/2000/XP/2003 certificate selection (Change Security Settings dialog).]

6.1.2 Setting up Outlook Security Buttons

In order to sign and encrypt your emails comfortably, you can set up the appropriate Outlook buttons.

Outlook Express: In Outlook Express the buttons are already present, but they are placed so far outside the visible toolbar area that they are hidden. To make them visible, proceed as follows:

1. Open a new email (File > New > E-Mail Message). A new email window is opened.
2. Choose the menu View > Menu Bar > Edit.
3. The buttons Sign and Encrypt can be found under Current buttons. Mark them and move them towards the beginning of the menu using the arrow-up button until they become visible.

Outlook 98/2000/XP/2003: By default the big Outlook versions hide the buttons. To activate them, proceed as follows:

1. Open a new email message using the menu File > New > E-Mail Message. A new email window is opened.
2. Choose the menu View > Menu Bar > Edit.
3. Choose the drawer Commands and select...
30. ...ate will be used to encrypt data in your Secure Data Storages and also to encrypt all your application access logon dialogs containing your user IDs and passwords. You can also define an Additional Decryption Key (ADK) for even better data protection (ADK: see section 5.4.1).

[Figure 3.6: Create a self-signed certificate. mIDentity initialisation assistant, Step 2 of 4, "Assign certificates for Single Sign-On and Secure Data Storage": Create a new certificate, Include personal data, Import PKCS#12 certificate, Define ADK (Additional Decryption Key).]

If you choose to create a certificate and use it for email signature, you will be asked to fill out some personal information.

[Figure 3.7: Create an own certificate. Step 3 of 4, "Provide personal information to include in the certificate": user name, e-mail address, company, department, city, state, country.]

3. Assign a certificate for Secure Data Storages and logon accounts (Simple Sign-On). If you choose not to create your own certificate but to import one, you will be given a list of certificates present on your PC to select the one you want to use.

[Figure: mIDentity initialisation assistant, Step 2 of 4, "Assign certificates for Single Sign-On and Secure Data Storage": Create a new certificate, Include personal data, ...]
31. [Figure 3.2: Tray Bar Menu, with the entries Maximize, Logon Accounts, Mobile Office, SSO Emergency Assistant, Secure Data Storage, mIDentity Fast Control, Manual, Setup, Remove mIDentity, Close Control Center.]

3.2 Remove KOBIL mIDentity securely

Important: If you want to unplug KOBIL mIDentity, you have to use the secure remove function first to avoid data loss. This is also necessary on Windows XP and 2003 to close any open datasafe. Right-click on the tray bar menu (see figure) and select Remove mIDentity. Alternatively you can click on the button Remove mIDentity in the main window.

[Figure 3.3: Remove KOBIL mIDentity securely (tray bar menu with Remove mIDentity).]

3.3 The KOBIL mIDentity SmartCard

The KOBIL mIDentity SmartCard is KOBIL mIDentity's secure core, since it stores your personal information and keys securely. Without the SmartCard no access to secured data is possible. All KOBIL mIDentity functions are protected by the KOBIL mIDentity SmartCard's PIN (personal identification number). As only you know the PIN, nobody else can use the functions or access secured data. The PIN is protected by a failure counter that locks the SmartCard after three subsequent wrong PIN entries. Only by entering the PUK (PIN Unblocking...
32. ...because you have entered a wrong PIN too many times, you can unlock it using the PUK (PIN Unblocking Code), as you may know it from your mobile phone. Click on Unlock PIN and enter the PUK followed by the new PIN.

3.4 Digital Certificates

Your KOBIL mIDentity SmartCard can do much more than store only passwords and Simple Sign-On parameters. It is a full-fledged cryptographic SmartCard that can also operate with digital certificates and public key infrastructure (PKI) technology. In this section you learn what a digital certificate is, how you can obtain one and what you can do with it.

3.4.1 What is a Digital Certificate?

Digital certificates are electronic ID cards: you can use them as a digital identity. This makes much sense in networks and in the internet, because you cannot see your communication partners face to face. Exactly as your real ID card, a digital certificate contains your name and maybe some other information about you and about usage constraints (e.g. network logon, encryption, signatures). For more details about digital certificates see appendix A.

There is also a special kind of certificates, the so-called self-signed certificates. These certificates are not issued by a trust centre; everybody can create them, and they work completely without any PKI infrastructure. This is why they are very easy to use, but of course they offer a lower level of identification compared with real trust centre certificates. Sel...
33. ...cal. The algorithm type and the key length are the most important measures against predictability of the key.

Cryptography has nothing to do with obscurity. Cryptographic algorithms and protocols should conform with standards to support interoperability. Using non-published algorithms is counterproductive to compatibility. Moreover, cryptography is not about hiding algorithms, but about designing strong algorithms and secure mechanisms. Security and interoperability must both be achieved over years by building and testing very well known algorithms, mechanisms and protocols. Security should be obtained only by storing the keys in a secure way and by making algorithms so strong that they are impractical to break.

A.3 Standards

A.3.1 Data Digestion Algorithms

Data digestion algorithms are not used for encryption or decryption. The main purpose of these algorithms is to produce a unique fingerprint, typically 16 or 20 bytes in length, of the original data. Digestion algorithms are also called one-way hash functions, because it is computationally infeasible to recover the original data from its digest or even to find some other data which will produce the same digest. Ideally each digest is unique and every bit is influenced by every bit of its input data. These algorithms are used together with other types of algorithms to supply digital signature processes (see below). The most common digestion algorithms are MD5, RIPEMD and SHA.
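The properties this section claims for digest algorithms (a fixed-length fingerprint, every input bit influencing the output, and the digest rather than the bulk data being what a signature covers) can be checked directly. The following Go program is an added example; it is not code from the KOBIL manual or its software. It uses MD5 and SHA-1, named above, only for their output sizes, and SHA-256 with RSA from the Go standard library for the avalanche and signature demonstration. The document text and the flipped bit position are constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// digestLengths returns the fingerprint sizes of MD5, SHA-1 and SHA-256 in
// bytes: 16, 20 and 32, whatever the size of the input.
func digestLengths(data []byte) (int, int, int) {
	m := md5.Sum(data)
	s1 := sha1.Sum(data)
	s256 := sha256.Sum256(data)
	return len(m), len(s1), len(s256)
}

// differingBits flips one input bit and counts how many of the 256 SHA-256
// output bits change. For a good one-way hash about half of them do, which is
// the "every bit is influenced by every bit of its input" property.
func differingBits(data []byte, byteIdx int, bit uint) int {
	before := sha256.Sum256(data)
	mutated := append([]byte(nil), data...)
	mutated[byteIdx] ^= 1 << bit
	after := sha256.Sum256(mutated)
	n := 0
	for i := range before {
		n += bits.OnesCount8(before[i] ^ after[i])
	}
	return n
}

// signDigest shows how a digest feeds a signature process: only the 32-byte
// SHA-256 digest is signed with the RSA private key, never the bulk data.
func signDigest(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verifySignature recomputes the digest over the received data; any change
// to the data gives a different digest, so the signature no longer matches.
func verifySignature(pub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	// Constructed sample document; any byte string works.
	doc := []byte("Quarterly report - constructed sample document")
	fmt.Println(digestLengths(doc))
	fmt.Println("output bits changed by one flipped input bit:", differingBits(doc, 0, 0))

	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := signDigest(key, doc)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), doc...)
	tampered[0] ^= 1 // a single flipped bit in the signed data
	fmt.Println("original verifies:", verifySignature(&key.PublicKey, doc, sig))
	fmt.Println("tampered verifies:", verifySignature(&key.PublicKey, tampered, sig))
}
```

The avalanche count depends on the input, but for SHA-256 it lands close to 128 of 256 bits; the tampered document fails verification because its digest no longer matches the one that was signed, not because the signature bytes changed.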
34. ...ccess to your secret data.

3.3.3 What happens if I enter the wrong PIN?

If you have entered the wrong PIN three times in succession, the KOBIL mIDentity SmartCard is locked in order to protect KOBIL mIDentity from access by unauthorized persons. If you entered a wrong PIN, please take care to enter the correct PIN the next time. Once the PIN is locked, it can be unlocked by entering the PUK, similar to mobile phones (see section 3.3.4). If a wrong PUK is entered three times, the SmartCard is irreversibly locked. In this case you should replace it by a new SmartCard, which can be ordered at your local KOBIL dealer. If you have encrypted data on your hard disk (files or datasafes), please read section 5.4 (Emergency Recovery) to learn how to recover them.

3.3.4 Change/Unlock the KOBIL mIDentity SmartCard PIN

You can change and unlock the SmartCard PIN using the preferences in the Control Centre software. Please choose the option Properties > Identity, select the drawer Card and click on Change PIN. You will be asked to enter the old PIN followed by the new PIN, which has to be entered twice to avoid mistyping.

[Figure 3.12: KOBIL mIDentity SmartCard preferences: change/unlock PIN. The mIDentity Setup dialog (drawers Logon Account, Smart Card, Certificate) offers the PIN functions Change PIN and Unblock PIN, the card number, and the buttons Import and Erase card.]

If the KOBIL mIDentity SmartCard's PIN is locked...
35. ...centre's URL, for example:
• TeleSec trust centre (Germany): www.telesec.de
• TC TrustCenter (Germany): www.trustcenter.de
• VeriSign (USA): www.verisign.com

3. Most trust centres offer free test certificates, also called Digital IDs. Please note that those test certificates do not offer a high security level, since users are not identified very thoroughly.

4. Now you have to enter some data which will appear later in your certificate (parameters vary between trust centres). In most cases these are some personal data as well as your email address. It is extremely important that you enter your exact email address (case sensitive) if you want to use that certificate for secure email.

5. When asked for the CSP to generate the keys, please select Kobil Smart CSP v1.0.

6. Submit the certificate request to the trust centre.

[Figure 3.13: Selecting the certificate slot. The Certificate Enrollment dialog lists the available slots (mIDentity Certificate 1 to 3 and Windows 2000 Logon Certificate, each marked "Cert Exist") with the selected slot's subject, issuer and serial number, the option "Do not unregister old certificate after renewal", and the buttons Renew and Cancel.]

The figure shows the certificate slot selection on the KOBIL mIDentity SmartCard. Here you can de...
36. ...cide whether the new certificate is stored in an empty certificate slot or whether you want to renew an existing certificate. Important: Never overwrite the self-signed certificate in the first certificate slot, since it is needed to decrypt the datasafe.

7. The trust centre will send you an email with information about how to obtain the final certificate. In some cases you can immediately download it to the KOBIL mIDentity SmartCard. Follow the instructions from the trust centre.

8. Take a look at your new certificate in the Windows Certificate Manager as described in the Certificate Manager section. If the new certificate is not valid because of missing information, you have to manually import the trust centre's root certificate as described in section 3.4.4.

[Figure: enrollment form of a public trust centre ("Contents of Your Digital ID"): fill in all fields using only the English alphabet with no accented characters; the information is included in the Digital ID and is available to the public; choose a full-service Class 1 Digital ID or a 60-day trial Class 1 Digital ID; select the Cryptographic Service Provider (a domestic browser version offers an Enhanced Cryptographic Provider with 1024-bit keys, while the MS Base Cryptographic Provider offers 512-bit keys).]
37. ...cure Data Storage icon appears on the desktop for quick access.

5.2.4 Working with Secure Data Storages

Open the Control Centre software and click on Secure Data Storage in the main window. Select the Secure Data Storage you want to open (logon) or close (logoff). Depending on the selected Secure Data Storage's state, you can either log on (if it is currently logged off) or log off (if it is currently logged on). Local Secure Data Storages stored on your hard disk are marked with a hard disk symbol.

Each time you want to open a Secure Data Storage, you have to enter the KOBIL mIDentity SmartCard PIN, no matter whether the Secure Data Storage is stored locally on your hard disk or is a mobile Secure Data Storage on your KOBIL mIDentity. After closing the Secure Data Storage, all information is securely encrypted and visible to nobody.

Important: please close all open Secure Data Storages before unplugging KOBIL mIDentity by clicking on Remove mIDentity. If you unplug KOBIL mIDentity without closing Secure Data Storages, data might get lost.

[Figure: mIDentity Control Center, My Datasafe view. Each Secure Data Storage is listed with its drive letter and a Log on / Log off button; below are the buttons Open all, Close, Close all and Delete.]
38. ...dely accepted standard for digital certificates is defined by the International Telecommunications Union's ITU-T X.509 standard. An X.509v3 certificate includes the following data fields:

• Version
• Certificate's serial number
• Signature algorithm ID
• Issuer name
• Expiration date
• User name
• User public key information
• Issuer unique identifier (optional)
• User unique identifier (optional)
• Extensions (optional; contain certificate usage instructions)
• Issuer's signature over the fields above

A.3.5 Certificate Authorities

A certificate authority (CA), also called trust centre, is a trusted organisation that issues public key certificates. A CA acts as a guarantor of the binding between the subject's public key and the subject's identity information that is contained in the certificates it issues. The typical process of getting and using a certificate goes something like this (the user is called Alice in this example):

1. Alice creates a cryptographic key pair consisting of a private and a public key.
2. Alice creates a certificate request that contains her name, her public key and perhaps some additional information.
3. Alice signs her certificate request with her new corresponding private key.
4. Alice sends the signed request to a CA.
5. The CA creates a data set from Alice's request.
6. The CA signs the data set with its private key.
7. The CA forms a certificate with the data set and its signature.
...
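Steps 1 to 7 above map one-to-one onto calls in Go's crypto/x509 package. The program below is an added example, not code from KOBIL or this manual: Alice generates a key pair and a signed certificate request, a hypothetical trust centre ("Example Trust Centre Root", a constructed name) checks the request's signature before issuing, and a relying party verifies the result against that root, which is what the manual's "import the CA certificate" step makes possible. It then prints the X.509v3 fields listed above as read back from the issued certificate. Names, serial numbers and validity periods are all constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root standing in for the trust centre (hypothetical name).
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trust Centre Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// aliceRequest is steps 1-3: a fresh key pair and a request carrying her name
// and public key, signed with the new private key.
func aliceRequest() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Alice"}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// caIssue is steps 4-7: the CA checks the request's self-signature (proof that the
// requester holds the key), copies name and key into a data set and signs it.
func caIssue(caCert *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request not signed by the holder of its key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstCA is the relying party's check: the certificate must chain to a
// trusted root, which is why the manual has you import the CA certificate first.
func verifyAgainstCA(cert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	_, err := cert.Verify(opts)
	return err
}

func main() {
	caCert, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	csr, err := aliceRequest()
	if err != nil {
		panic(err)
	}
	cert, err := caIssue(caCert, caKey, csr)
	if err != nil {
		panic(err)
	}
	fmt.Println("version:", cert.Version, "serial:", cert.SerialNumber, "algorithm:", cert.SignatureAlgorithm)
	fmt.Println("issuer:", cert.Issuer.CommonName, "expires:", cert.NotAfter.Format("2006-01-02"))
	fmt.Println("subject:", cert.Subject.CommonName, "extensions:", len(cert.Extensions))
	fmt.Println("chains to trust centre root:", verifyAgainstCA(cert, caCert) == nil)
}
```

The request's self-signature check in caIssue is the step that a trust centre must not skip: it is the only proof that the requester actually holds the private key matching the public key that is about to be certified.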
39. ...ds consisting of standard ASCII characters. One-time passwords (OTP) consist of 8 digits and can be used without any problem.

4.1.5 Managing Logon Accounts

To manage your logon accounts on mIDentity, click on the push button My Logon Accounts in the Control Center or in the tray bar menu. You will be requested to enter the PIN of the SmartCard in your mIDentity to authenticate yourself for access to your personal data. Only you can read and change your logon information.

[Figure 4.16: Edit password information. The Logon Accounts dialog lists the accounts (e.g. FREENET, GMX) with the buttons New Logon Account, Edit, Password, Transfer, Delete, Backup and Close.]

Editing Logon Data: When you need to change your logon data (e.g. because your password has expired), you have two options: select the account you want to change and click on the push button Edit, or simply double-click on the account you want to edit. You can change individual attributes in the dialog that follows.

[Figure 4.17: Editing dynamic accounts. The dialog "Please edit your data" shows the description (GMX) and a table of the learned elements (type, description, content, class ID), e.g. an Input element for the user ID, a Password element and an Action Button "Login", plus the options "Do not ask for recognized window / Enter data directly", "Ignore this window" and "Extended view".]

The following logon account attributes can be changed:

• Account Name: Specify the account name.
• Entry: Double-cl...
40. [Figure 5.5: Creating a new Secure Data Storage (Control Center, Secure Data Storage view with the buttons Import, Close and Remove mIDentity).]

2. Activate the checkbox Secure Data Storage on KOBIL mIDentity. Please note that only one Secure Data Storage can be stored on KOBIL mIDentity.

[Figure 5.6: Creating a new Secure Data Storage on KOBIL mIDentity. The dialog "Create Secure Data Storage" lets you create the storage on mIDentity or on your PC, set the size with a slider (e.g. 1.27 GB of 1.42 GB free), define a path, a name ("disc storage") and a drive letter ("any"), and start with Create.]

3. Using the slide bar you can determine the size of the new Secure Data Storage. It can vary between 3 MB and the maximum free space on KOBIL mIDentity, depending on the model.

4. Under Storage Name you can define a label that will be used to display the Secure Data Storage in the Windows Explorer.

5. You can select a particular drive letter, or ANY if the Secure Data Storage shall always be mounted to the next available drive letter. A specific drive letter may be useful if you work with scripts.

6. Click Create in order to start Secure Data Storage creation. This process may take some time.

7. At the end you have to enter the KOBIL mIDentity SmartCard's PIN to mount and format the Secure Data Storage, which completes the process. At the end the new Se...
41. ...ection B.4.5. As server name please enter the domain controller's full DNS name. The search base must be written in the so-called DC notation. Example: if your domain is called myDomain.myCompany.de, the DC notation will be dc=myDomain,dc=myCompany,dc=de.

5.4 Emergency Recovery

5.4.1 Additional Decryption Keys

The cryptographic mechanisms used in KOBIL mIDentity are so strong that nobody can recover the encrypted text without knowledge of the corresponding private key. Your private key is well protected on your KOBIL mIDentity SmartCard. But it can of course happen that you lose your KOBIL mIDentity or it is stolen. As the KOBIL mIDentity SmartCard is PIN protected, nobody can gain unauthorized access to your data. To make those data accessible for yourself in such a case, KOBIL mIDentity supports so-called Additional Decryption Keys (ADK).

Using Additional Decryption Keys, every Secure Data Storage, file and directory you encrypt with your certificate is also encrypted with another configurable certificate that we call the Additional Decryption Certificate. Each Additional Decryption Certificate of course also has a corresponding private key. This private key need not be located on a SmartCard. Depending on your security policy, the Additional Decryption private key is kept in a secure place like a bank safe. It is not needed during normal operation. In case a file cannot be decrypted anymore because the corres...
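The "wrap/unwrap session key" digital envelope described in the appendix (figure A.4) and the Additional Decryption Key mechanism described here are the same construction seen from two sides: the bulk data is encrypted once under a random session key, and that session key is wrapped separately for every certificate that must be able to open it. The Go program below is an added example, not KOBIL code, and does not reproduce the product's formats: it uses AES-GCM for the session key and RSA-OAEP for wrapping where the manual's product uses 3DES/RC2 and PKCS#7. Owner, ADK and an unrelated third key pair are generated on the fly, and the payload is a constructed sample string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is the digital envelope of figure A.4: the bulk data encrypted under a
// random session key, plus one wrapped copy of that key per recipient. With an ADK
// configured there are two copies: one for the owner's certificate, one for the ADK.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys [][]byte
}

// newGCM turns a raw session key into the symmetric cipher used for the bulk data.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEnvelope encrypts data once with a fresh 256-bit session key and wraps that
// key with RSA-OAEP for every recipient public key (owner first, then the ADK).
func sealEnvelope(data []byte, recipients ...*rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// openEnvelope is the unwrap step: the caller's private key is tried against each
// wrapped copy; the copy it unwraps yields the session key and hence the data. This is
// how the offline ADK private key recovers a file after the owner's SmartCard is lost.
func openEnvelope(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range env.WrappedKeys {
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
		if err != nil {
			continue // this copy was wrapped for somebody else
		}
		gcm, err := newGCM(sessionKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped session key matches this private key")
}

// mustKey generates a key pair standing in for a certificate's key.
func mustKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	owner, adk, stranger := mustKey(), mustKey(), mustKey()
	data := []byte("constructed sample: contents of a Secure Data Storage") // constructed payload
	env, err := sealEnvelope(data, &owner.PublicKey, &adk.PublicKey)
	if err != nil {
		panic(err)
	}
	for name, key := range map[string]*rsa.PrivateKey{"owner": owner, "ADK": adk, "stranger": stranger} {
		plain, err := openEnvelope(env, key)
		fmt.Printf("%-8s -> %q (err: %v)\n", name, plain, err)
	}
}
```

Two points follow from the structure rather than from the program: adding an ADK costs one extra wrapped key per object, not a second encryption of the bulk data, and the ADK private key is exactly as powerful as the owner's, which is why the text places it under the same protection as a bank safe rather than on an ordinary workstation.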
42. ...ed user databases. As your passwords are stored inside the KOBIL mIDentity SmartCard, you only have to memorize its PIN code; it protects all that information. KOBIL mIDentity automatically recognizes password entry dialog boxes and fills in your user name and password. Both HTML forms and Windows dialog boxes (e.g. network logon) are supported.

Besides static passwords you can also use dynamic one-time passwords (OTP) with KOBIL mIDentity. One-time passwords additionally require the KOBIL SecOVID server as a central authentication server (AAA server), which allows real Simple Sign-On also for administrators, much cheaper than common SSO systems (does not apply to KOBIL mIDentity Light).

4.1.2 Using Simple Sign-On: Survey

The following shortcuts help you to use KOBIL mIDentity in a comfortable way when you want to log on securely to your applications:

• ALT+F11: If your KOBIL mIDentity device should learn a password dialog, you can initiate the learning procedure by pressing ALT+F11 while the logon window is activated (by a mouse click). For details we refer to section 4.1.3.
• ALT+F10: Usually KOBIL mIDentity recognizes learned password dialogs and indicates this, and you only have to confirm your intention to be logged on by clicking the Logon button. Nevertheless, in some cases (e.g. when working with terminal consoles, see section 4.1.4) KOBIL mIDentity does not know which of the learned password dialogs to use. By pressing...
43. ...el. [Figure 3.19: Current KOBIL mIDentity certificates.]

From the KOBIL mIDentity Setup screen, select the Certificates option and then highlight, in the list of certificates currently residing on your KOBIL mIDentity, the certificate you want to replace. Select the option Delete. Note: If the Delete option has been disabled, contact your system administrator.

2. The Initialization Wizard will appear to guide you through the next steps.

[Figure 3.20: Current KOBIL mIDentity setup. The mIDentity initialisation assistant announces that the existing certificate for SSO and Secure Data Storage will be removed from mIDentity and that the wizard will guide you through the steps to create a new certificate; current SmartCard status: certificate available, SSO and Secure Data Storage certificate assignment not defined. Click Next to continue.]

3. On the following screen you will be given options to create a new certificate, use one of the certificates existing on your card, or import a new certificate for your data encryption.

[Figure 3.21: Define new certificate. Step 2 of 4, "Assign certificates for Single Sign-On and Secure Data Storage": Create a new certificate, Include personal data, Define ADK (Additional Decryption Key).]

4. Once you have selected the certificate you want to use, the system will encrypt the data on your KOBIL mIDentity with the new certificate and...
44. ...ency Assistant

In case you need to access a backup but do not have KOBIL mIDentity to access the Control Centre, we offer the SSO Emergency Assistant. This service allows you to access a backup and displays logon data in plain text. You will then use the data to sign into your applications individually. The SSO Emergency Assistant can be started from the tray bar only if there is no KOBIL mIDentity device plugged into the PC.

[Figure 4.28: View login data (tray bar menu with the entry SSO Emergency Assistant).]

[Figure 4.29: View login data. The KOBIL mIDentity SSO Emergency Assistant announces that it will display your logon accounts in plaintext and asks for the path to your encrypted accounts (PKCS#7 file), the path to your emergency certificate (PKCS#12 file) and the password.]

To retrieve the data, the SSO Emergency Assistant will ask you to select the backup file and your emergency password. For security reasons your logon accounts will only be displayed for 5 minutes.

[Figure 4.30: View login data (Logon Accounts dialog listing the restored accounts).]

The SSO Emergency Assistant also gives you an option to print the list of your accounts. Important Note: Be cautious while using...
45. ...entity

KOBIL mIDentity is your electronic identity that you can carry with you wherever you are: your personal digital ID card. Depending on the application, several different technologies exist that can be used to authenticate yourself: static passwords, one-time passwords (OTP), Simple Sign-On (SSO) and certificates. In this section you learn how to use those functions and how to realize your personal mobile identity.

4.1 Passwords and Simple Sign-On (SSO)

Today passwords are omnipresent in your daily life. Web mail accounts, network access, VPN connections and many applications authenticate users using static passwords. This requires the users to memorize a lot of different passwords, or some users might use the same password for all applications, which leads to severe security leaks. Some users also note their passwords on little sticky notes at the monitor. Using KOBIL mIDentity you can forget all your passwords, because KOBIL mIDentity stores them highly securely, protected through SmartCard technology, on its own mobile memory. Instead of a lot of different passwords you only have to remember the KOBIL mIDentity SmartCard's PIN, which is the key to all your passwords.

4.1.1 What is Simple Sign-On (SSO)?

Simple Sign-On (SSO) is a technique that simplifies authentication procedures for both end users and administrators. Users need to authenticate themselves only once for all applications, while administrators can work on centraliz...
46. [Figure 5.21: A signed and encrypted file. Windows Explorer shows Secret.doc (24 KB, Microsoft Word Document) next to Secret.doc.ksk (26 KB, KSK File).]

Encrypted and signed files are stored in PKCS#7 format, which enables interoperability between different applications. Attention: Never encrypt files necessary for your operating system to start. You may destroy your system configuration.

5.3.8 Signature Verification and Decryption of Files and Directories

Signed and encrypted files always carry the ending .ksk in their name. If you want to decrypt and verify the signature of a file or a directory in one step, proceed as follows:

1. Right-click on the file or directory you want to decrypt and verify. The context menu shown in the figure appears.

2. Choose KOBIL mIDentity > Decrypt & Verify.

[Figure 5.22: Context menu for file/directory signature verification and decryption. The KOBIL mIDentity submenu for Secret.doc.ksk offers Decrypt & Verify, Add/Remove Recipients and Secure Erase, next to the usual Cut, Copy and Create Shortcut entries.]

3. Enter your KOBIL mIDentity SmartCard's PIN.

4. The file (or all file...
47. [Figure 3.16: Certificate details. The Windows certificate dialog (General, Details, Certification Path) states that this certificate is intended to guarantee your identity to a remote computer, ensure e-mail came from the sender, protect e-mail from tampering and ensure the content of e-mail cannot be viewed by others; issued to "test user kobil", issued by VeriSign Class 1 CA Individual Subscriber - Persona Not Validated, valid from 9/28/00 to 11/28/00; you have a private key that corresponds to this certificate.]

The Windows Certificate Manager also allows you to export certificates and to delete them. If you delete a certificate in the Windows Certificate Manager, the certificate is only unregistered; it is not deleted physically on the SmartCard. It will automatically be registered again by the Control Centre software as soon as you plug in your KOBIL mIDentity the next time. If you really want to delete a certificate from the card, please refer to the section on deleting certificates.

3.4.4 Importing a Trust Centre (CA) Certificate

If you want to communicate securely with users of a foreign certification authority, you have to import its CA certificate (also called root certificate) first. If the CA certificate of a known certification authority expires, you also have to import the new CA certificate.

1. Download the root certificate from the CA's web site.

2. The certificate will be displayed with the hint tha...
48. ...ertificate was saved in the file C:\Documents and Settings\kobil\mIDentity\kobil\RestoreCredential.p12.

[Figure 4.23: Backup your login data.]

4.1.7 Restore Logon Accounts

To restore application access accounts from a backup, select the option Logon Accounts from the main menu, then the Backup option on the User Accounts screen and the Restore option on the following screen. You will be presented with a screen allowing you to select the backup file. In a situation where no certificate can be found on your KOBIL mIDentity, you will be asked to provide your emergency certificate and your emergency password to restore the backup.

[Figure 4.24: Edit and view login data (Logon Accounts dialog with the buttons New Logon Account, Edit, Password, Transfer, Delete, Backup and Close).]

[Figure 4.25: Restore login data. mIDentity backup assistant, Step 1 of 3: Backup / Restore Logon Accounts.]

[Figure 4.26: Restore login data. Step 2 of 3: Restore logon accounts; select the file from which you want to restore (...\kobil\mIDentity\kobil\BackupData.p...) via Browse.]

[Figure 4.27: Restore login data. Step 3 of 3: Your logon accounts have been restored. They can be found in C:\Documents and Settings\kobil\mIDentity\kobil\BackupData.p...]

4.1.8 KOBIL mIDentity SSO Emerg...
...signed certificates are used by KOBIL mIDentity to encrypt datasafes, where they are no security risk, since they are not used for communication with other people but only for access to local and mobile datasafes (see section 6 2). Furthermore they can be used for simple file encryption.

3.4.2 Where do I get my digital certificate from?

There are many ways to obtain your personal certificate on KOBIL mIDentity, suitable for different application scenarios. Here you find an overview of them.

Self-signed certificates: The fastest way to a self-signed certificate is via datasafes, since a self-signed certificate is automatically created as soon as you create your first datasafe. You recognize it by its serial number in the Windows Certificate Manager, for example 89491720000000026481. You can view it in the KOBIL mIDentity preferences on the certificates drawer.

Running your own trust centre: If you want to create your own public key infrastructure (PKI), you have to run a trust centre. The corresponding software comes for example with Windows 2000 or 2003 Server (see also section E2). You can also buy specialized PKI server solutions, for example the KOBIL mIDentity Manager, which can be configured to specific environments and requirements.

External trust centres: You can also store certificates from third-party trust centres on KOBIL mIDentity. Proceed as follows:

1. Start Internet Explorer.
2. Surf to your preferred trust
...g secure E-mail

If you receive a signed email, it is marked with a red rope symbol (see figure 6.8). Click on that symbol to verify the signature and view the signer's certificate. When receiving an encrypted email, you will be asked to enter your KOBIL mIDentity SmartCard's PIN in order to decrypt the email's content. Encrypted emails are marked with a blue lock symbol, as shown in figure 6.9. Click on that symbol to see the encryption strength and the encryption certificate.

Figure 6.8: Receiving a signed email with Outlook Express (the message is marked "Digitally Signed & Encrypted Message: This message has been digitally signed and encrypted by the sender")
Figure 6.9: Receiving an encrypted email with Outlook Express

6.2 KOBIL eSecure für SAP R/3

If you are interested in the optional KOBIL eSecure for SAP
...which is called the public key. Private keys are unique for each user and are never transferred to other people. If someone needs to send data to you, he needs your public key. He encrypts the data with your public key, and no one except you can decrypt the scrambled data, using your private key. The transfer or distribution of your public key is secured with the help of trusted authorities. Such a trusted authority will provide you with a certificate for your public key. This means that they provide a packet of data containing both your public key and the trusted authority's assurance that this is really your public key. Figure A.3 illustrates the use of the public key process for a secure data transfer.

The main advantage of public key algorithms is secure key distribution. Their main disadvantage is the slow processing speed for encryption and decryption of large data. Because of this slowness, public key algorithms are used together with symmetric session key algorithms to supply the necessary speed. To support confidentiality, public key algorithms are used to wrap and unwrap the session keys for secure session key transfer. To support both integrity and authentication, public key algorithms are used to sign and verify the output of data digest algorithms. The most common public key algorithm is RSA.

(Figure: asymmetric encryption algorithm and asymmetric decryption algorithm applied to the original data.)
...click on this attribute to change the field value (usually the user name).
- Password: Double-click on this attribute to change the password field value (optionally also the generator number of an OTP account).

Additionally you can define the following properties of an account:

- You can have your learnt account fields filled out automatically when the logon window is detected, or you can have the system ask you each time for a confirmation.
- You can set an option to ignore the detected logon window.
- You can specify whether you want an extended view of the account properties. This view can help in error analysis in case a logon window is not properly handled.

Advanced Features

Click on the push button on the right side of the title to get to the advanced features. In this dialog you can change the properties which usually remain unchanged. The advanced features give you an option to change some specific behaviour or to use specific technology of the SSO solution in order to work around some known problems.

Please note: Changes made to these advanced properties can dramatically influence the account functionality. Please do not make any changes if you are not completely sure of the impact they may have on your system.

(Extended Options dialog: "Title contains elements like date, time, session ids", example "GMX - Microsoft Internet Explorer"; "Wildcard Replace", f.ex. <Company XYZ Version 5 Aug 2004 14:02 h - Browser> with <Com
...ith (context menu continued: Secure Erase)

Figure 5.10: Context menu for file/directory encryption

3. The dialogue shown in figure 5.11 appears. Under Recipients you see the default encryption certificate, if it is set (see section), and the Additional Decryption Key (ADK, see section 6.4.1). With the Add and Remove buttons you can change those settings. Your own certificates are marked with a key symbol; other people's certificates are marked with a certificate symbol.

Note: Depending on the security settings, the administrator can forbid users from removing the ADK certificate from the recipient list in order to enforce ADK usage.

Figure 5.11: File/directory encryption options (certificate list, recipient list, "Click here to search further certificates on a directory service (LDAP server)", checkbox "Erase original file(s) after encryption")

The option "Erase original file(s)" determines whether the original files will be deleted after encryption. You can define the default setting for that option in the file security preferences (see section 5.3.9).

Warning: If this option is set and you encrypt only to other people's certificates, you will not be able to read the files anymore.

When all settings are correct, click on OK to start the encry
Figure 4.4: Alter hotkeys (Select from list, Edit account, Delete account, Show Settings, Show, Cancel; Standard resets the settings)

4.1.3 Learning Passwords

If you want to personalize passwords centrally for many users, please refer to section B 5. But KOBIL mIDentity can also learn password information very easily from end users. This is done by a wizard that guides you step by step through the learning process. After completing the process, your passwords are stored securely inside KOBIL mIDentity.

1. Open the logon dialog box for which you want KOBIL mIDentity to learn the password. This can be any Web-based application (HTML) or a Windows dialog box, e.g. a network logon.

Figure 4.5: Network logon dialog

2. Press ALT+F11. The KOBIL mIDentity password assistant is started.

Figure 4.6: The KOBIL mIDentity Password Assistant

3. Click with the left mouse button on a text area that you want to be filled out by KOBIL mIDentity, for example the user name (in this example the text area "Connect as" from the Windows network logon dialog box). Then enter the value that shall be filled in by KOBIL mIDentity.

(Dialog "Enter content": Please complete the input window. Afterwards mIDentity will complete the input window automatically. Description
...Outlook 98/2000/XP/2003: In Outlook click on Find People in the menu Extras > Address Book. Figure B 17 shows the dialogue for all Outlook versions. You can search for the recipient's name or e-mail address.

Setting up a new directory service

If you want to use a directory service other than the pre-installed ones, open the menu Extras > Accounts > Directory Service and click on the button Add > Directory Service. An assistant will be started that guides you through the process. You will have to enter the following information:

- Directory Server: This is the address of the new directory server.
- Authorization Required: If this checkbox is active, you will have to enter a username and a password for user authentication. Usually this option is not used.
- Check Addresses with this Directory Service: If this checkbox is active, the directory service will be used to resolve e-mail addresses from user names and to search automatically for recipients' certificates.

Once the directory service is configured, it may be necessary to enter the directory service's Search Base. To do that, select the newly installed directory service once more and click on Properties. In the drawer Extended you can enter the Search Base. Ask your system administrator for the parameters suitable for your directory service. You can also configure a directory service for automatic search for certificates of e-mail recipients by
...bulk data is decrypted with the recovered session decryption key, as shown in figure A.5.

Figure A.5: Unwrap Session Key (the digital envelope arrives over the Internet; the scrambled session decryption key is unwrapped with the asymmetric decryption algorithm and the recipient's private key, then the symmetric decryption algorithm recovers the data)

Digital Signatures

Digital signatures are needed for the authentication of identities. A digital signature binds an individual to unique data. That is why there are two inputs to the signing process: first the data itself and second the private key of the signing individual. Digest algorithms are used to reduce the size of the bulk data because of the slowness of the public key algorithms. First the message is digested, and then the unique digest is encrypted with the originator's private key. The output is the signature. Anybody can decrypt this signature, because anybody can get the corresponding public key of the sender. The result of the decryption is the unique digest, and it is practically infeasible to find another message with the same digest.

Figure A.6: Signature Creation (digest function produces the unique digest; the asymmetric signature algorithm with the private key scrambles it; the scrambled digest is called the signature)

Verification of Digital Signatures

To verify a digital signature, someone needs both the signature and the input data. A recipient of the signature decrypts it with the sender's public key t
...also in emergency situations. All KOBIL mIDentity versions can work with up to four Secure Data Storages on your local hard disk or on mounted network drives. Each Secure Data Storage can be up to 4 GB in size; if your hard disk is NTFS formatted, there is no upper limit. Additionally you can also have a mobile Secure Data Storage onboard[3] to carry your sensitive data anywhere you go (see section EZA)[4]. In order to create a Secure Data Storage on your local hard disk, please proceed as follows:

1. Click in the Control Centre main window on Secure Data Storage > Create. The Secure Data Storage creation dialog window will appear.

[3] Does not apply to KOBIL mIDentity Light.
[4] Does not apply to KOBIL mIDentity Light.

Figure 5.1: Creating a new Secure Data Storage (Control Centre main window: Logon Accounts, Secure Data Storage, Mobile Office, Manual, Import, Close, Remove mIDentity)

2. Activate the checkbox "Secure Data Storage on Hard Disk". You can select the path where the Secure Data Storage files will be stored.

Figure 5.2: Creating a new Secure Data Storage (dialog "Create Secure Data Storage": you can create a secure data storage on mIDentity or on your PC; options on mIDentity / on PC, define path, Name, Drive, Create, Close)
...mIDentity > Add/Remove Recipients. Now the same dialog as for file/directory encryption appears. You can add or remove encryption recipients. After finishing, you will be asked to enter your KOBIL mIDentity SmartCard's PIN, because the file needs to be decrypted before being encrypted to the new recipient list. Note that you can change the recipient list only if you can decrypt the file, i.e. if your certificate is in the file's current recipient list. This option is also available for files that are both signed and encrypted (see section 6.3.7).

5.3.3 File and Directory Decryption

You can recognize encrypted files by the extension .kse.

1. Right-click on the file you want to decrypt. The context menu is shown (see figure).
2. Choose KOBIL mIDentity > Decrypt.
3. If that file is encrypted with more than one certificate and you have several decryption certificates, or have the ADK registered as an own certificate, you will be asked which certificate shall be used.
4. Enter your KOBIL mIDentity SmartCard's PIN.
5. The file is now decrypted and stored without the extension .kse.
6. Whether the encrypted file is deleted after decryption depends on the preferences (see section 5.3.9).

Alternatively you can also double-click .kse files. In that case the file will be decrypted, it will be opened using the appropriate application, and after closing the application the file will automatically be encrypted again (not available for Windows
...certificates. The button Remove disables the Additional Decryption Key.

Important: Please read section carefully before changing the Additional Decryption Key configuration.

Important: An ADK certificate only has an impact on file and directory encryption, NOT on e-mail encryption.

Search Certificates

Using this button you open a search dialogue that allows you to look up other people's certificates stored in so-called directory services and store them in your local Windows certificate store. This is a very useful function if you often encrypt files to other people. Directory services are managed by Outlook and Outlook Express. If you don't want to use one of the pre-configured directory services, you should configure your individual directory service first, as described in section B 4 5.

Figure 5.24: Search Certificates (dialog "Search Users from LDAP Server": available accounts, name, email, search result)

The dialogue shown in figure 5.24 shows all directory services configured in Outlook and Outlook Express. You can search for the person's name or email address. If one or more results have been found, you can show them and import them into the Windows certificate manager, where they will be displayed under Other People, as described in section.

Note: If you want to search for user certificates in Active Directory, please configure a new directory service account for Active Directory first, as described in s
...and continue with the Backup option on the following screen. You can choose a place where you want the backup to be stored.

Figure 4.20: Backup your login data (backup assistant, step 1 of 3: Backup / Restore Logon Accounts)
Figure 4.21: Backup your login data (backup assistant, step 2 of 4: Backup, "Save as" C:\Documents and Settings\kobil\mIDentity\kobil\BackupData.p..., checkbox "Create an emergency password")

The KOBIL mIDentity software gives you the option to create an emergency certificate. This certificate will be crucial in case you lose the encrypted data or the KOBIL mIDentity device. In such a case you will be able to restore the backup and decrypt the data with your emergency certificate.

Figure 4.22: Backup your login data (backup assistant, step 3 of 4: enter and confirm the emergency password; an emergency certificate will be created and stored in the file C:\Documents and Settings\kobil\mIDentity\kobil\...)

Your successful backup will be confirmed to you by the system.

(Backup assistant, step 4 of 4: "The backup of your logon accounts has been saved in the file C:\Documents and Settings\kobil\mIDentity\kobil\BackupData.p... To restore your data in case of emergency you will require the emergency certificate. The c
...settings to sign and encrypt all outgoing messages: click Tools > Options > Security and place the checkmarks. If you do not define a default behaviour for signing and encryption, you can use the Sign and Encrypt buttons of the new mail window.

Figure 6.6: Digital Signature using Outlook Express (a new message "signed message" to test@test.de reading "this message is signed to send you my certificate", with the KOBIL mIDentity prompt "Please enter your PIN")
Figure 6.7: Encrypted and signed Email using Outlook Express (message text "Now we can send and receive secure messages")

6.1.4 Receivin
...to recover the data digest. The recipient also digests the input data to get the original data digest. If the recovered data digest is the same as the original digest, the signature is correct. Otherwise the sender is not the person he claims to be, or the original data was modified on its way. Digital signatures support both authentication and integrity. For confidentiality, the digital signing process is combined with the encryption process of session keys and the wrap operation of public keys.

Figure A.7: Signature Verification (the digest function yields the unique digest of the received data; the asymmetric decryption algorithm with the sender's public key recovers the unique digest from the signature; the recipient does not have the sender's private key)

A.3.4 Digital Certificates

A certificate is a set of data that includes a public key and other owner-specific information to identify an entity. The certificate owner has the corresponding private key. Certificates are issued by certification authorities (CA), which are trusted organisations. Each certificate is protected by a signature that is created by a CA. Certification authorities and certificates make public key distribution secure. Secure storage and usage of a certificate and its corresponding private key is the problem of its owner. KOBIL Smart Key helps certificate owners with this problem by presenting a hardware-based security system that uses SmartCards. The most wi
...of access to secure e-mail or to secure Web sites.

Digital Signature: A data string produced using a public key crypto system to prove the identity of the sender and the integrity of the message.

Encryption: A cryptographic procedure whereby a legible message is encrypted and made illegible to all but the holder of the appropriate cryptographic key.

Internet Explorer (IE): Microsoft Internet browser.

Interoperability: The ability of products manufactured by different companies to operate correctly with one another.

Key: A value that is used with a cryptographic algorithm to encrypt, decrypt or sign data. Secret key (symmetric) crypto systems use only one secret key. Public key (asymmetric) crypto systems rely on a matched key pair to encrypt and decrypt data.

Key Length: The number of bits forming a key. The longer the key, the more secure the encryption.

MD5: A hashing algorithm that creates a 128-bit hash value, which is twice the size of the block (64 bits).

Personal Computer Smart Card (PC/SC): Standards that define the interface between smart cards and smart card readers.

Public Key Cryptography Standards (PKCS): A cryptographic system that uses two different keys, public and private, for encrypting data. The most well-known public key algorithm is RSA.

Rivest, Shamir, Adleman (RSA): Developers of the RSA public key crypto system and founders of RSA Data Security Inc.

Secure Hash Standard (SHA): A standard designed by NIST and N
...For security reasons the software certificate will be deleted from the Windows Certificate Manager after importing it into KOBIL mIDentity. Afterwards it will only be usable with KOBIL mIDentity. Depending on your configuration this option may be disabled, since it depends on the SmartCard type used.

Figure 3.18: SmartCard preferences (mIDentity Setup, Smart Card tab: PIN functions Change PIN, Unblock PIN; Card number; Import; Erase card)

3.4.7 Replace current SSO and Secure Data Storage certificate

If your certificate expires, you move to another department or you change your e-mail address, you will probably need to replace your current KOBIL mIDentity certificate. This can be accomplished by removing the existing certificate and creating a new one.

1. To replace a certificate, select the option Setup from the main menu and choose the KOBIL mIDentity Setup menu item.

(mIDentity Setup, Certificate tab: Register, Unregister, Delete, Search certificates; certificate information for "mIDentity Certificate 2": Subject CN 894901 7200002657523, Issuer mIDentity Certificate 1, Serial Number D63664E0084B86797442BDD1250115F65; further entries mIDentity Certificate 3 and Windows 2000 Logon Certificate; OK, Canc
...storage for all certificates. It can be started in three ways:

1. From the Control Panel using Internet Options > Content > Certificates.
2. From Internet Explorer using the pull-down menu Extras > Internet Options > Content > Certificates.
3. From Outlook Express using the pull-down menu Extras > Options > Security > Digital IDs.

Figure 3.15: The Windows Certificate Manager (tabs Personal, Other People, Intermediate Certification Authorities, Trusted Root Certification Authorities; buttons Import, Export, Remove, Advanced)

The Windows Certificate Manager stores all your certificates: your own certificates as well as other people's certificates and trust centre certificates. You can see the details and the trust path of a certificate from the Certificate dialog. The trust path includes the root and intermediate CA certificates that sign and approve this certificate in hierarchical order. If any of the certificates in the path is not trusted, its signature is not valid, or the root CA is unknown, that certificate and all other certificates below it will be marked with a red cross, showing that those certificates cannot be used.
...your sensitive data and carry it with you anywhere you go. Business documents, private information: everything is encrypted by KOBIL mIDentity using highly secure SmartCard technology.

5.1 Strong Encryption for sensitive Data

KOBIL mIDentity offers a lot of advantages compared with common encryption products, since it is mobile, independent, efficient and highly secure. You have the following possibilities to protect your sensitive data using KOBIL mIDentity:

- Mobile Secure Data Storage on KOBIL mIDentity: carry your sensitive data always with you in your pocket.
- Secure Data Storages on your hard disk: local Secure Data Storages on your notebook, your home PC or your business PC offer you enough space for sensitive data and are protected efficiently by the KOBIL mIDentity SmartCard during your absence.
- Secure Data Storages on network drives: Secure Data Storages on network drives offer an additional advantage over Secure Data Storages on local hard disks. With Secure Data Storages on network drives it is possible to reach your sensitive data from different workstations.
- File Encryption: Encrypt even single files and directories with the same highly secure SmartCard technology. You can exchange encrypted files with your friends and colleagues. Further information about this can be found in section.
- Email Encryption: see section B I.

5.2 Secure Data Storages with KOBIL mIDentity

KOBIL mIDentity allows secure storage for sensitive data
...pany XYZ - Browser>. Put titles such as <Company XYZ login - Browser> and <Company XYZ buy - Browser> together as <Company XYZ - Browser>. Checkboxes: Information from URL, extended initialisation, Transfer NOT IE; Default Event Message)

Figure 4.18: Advanced Configuration

- Title contains data: During the learning process of an application window, some specific properties of that window are saved and used later to detect the site. One of those features is the window title. There are windows which contain dynamic parts that change each time the window is opened. It is therefore hard to use the title as an identifying feature. With the help of wildcards those dynamic parts can be ignored. If a window title contains the current time, this part of the title must be taken out of the defined identifying feature. Example: The window title is "Your Application 10:10". You must build a mask that defines the time part as dynamic ("Your Application" followed by the wildcard). This way the time part of the title will not be considered in the window detection algorithm.
- Extract Information from URL: This parameter is usually activated for browser applications, because such a window is generally detected by the URL and not by the title. To force detecting a browser application by its title, deactivate this parameter.
- Advanced Initialization: This feature is meant to be used by administrators. In standardised environments it
...upgrade, further functionality may be enabled by entering a license key. A message box with the necessary information will appear when you plug in your KOBIL mIDentity device for the first time. This license key is either shipped together with your KOBIL mIDentity package, if you have purchased the full software features, or you can purchase it later as an upgrade from your certified KOBIL partner. The following packages can be purchased:

- KOBIL mIDentity Light: The key request while using the software for the first time can be ignored (cancel the request).
- KOBIL mIDentity Light: Enter the license key which was shipped together with your KOBIL mIDentity package when using the software for the first time. How to enter this key later is described beneath this section.
- KOBIL mIDentity Basic: The key request while using the software for the first time can be ignored (cancel the request). To enable the full functionality, enter the key which is shipped together with your upgrade, as described beneath this section.
- KOBIL mIDentity Classic: Full functionality without any request.

To enter your license key, please select Settings > Other > Info and enter the license key into the appropriate text fields.

(Miscellaneous dialog, Info tab: "At the moment you use the following hardware: KOBIL Systems KAAN SIM III 1.4, 894901 7200002717723, and the following software: KOBIL mIDentity V1.5 MSDI Build 2005091 4 1. Click www.kobil.com/mIDentity to search fo
...corresponding private key is temporarily or permanently inaccessible, it can still be decrypted using the Additional Decryption private key. To do so, the file must be present on a machine where KOBIL mIDentity is installed and where the Additional Decryption Key is registered, either on another KOBIL mIDentity or as a software certificate. In the case of a software certificate you have to import it onto your KOBIL mIDentity before using it. Please refer to section BZA.

Should it be necessary to use the Additional Decryption Key on another SmartCard in your KOBIL mIDentity, proceed as follows: After inserting the KOBIL mIDentity with the new SmartCard which contains the new Additional Decryption Key, you will be asked to enter the card PIN for the Simple Sign On solution. Since only your secure data storages are encrypted with the ADK certificate, and not the passwords, please cancel the PIN entry; otherwise an error message will occur. After confirming the error message you can access the decrypted data (except for passwords) anyway.

Attention: Additional Decryption Keys are not used for e-mail encryption. Please refer to section on how to configure the ADK certificates.

Chapter 6 Your mobile Office

In this section you learn how to use KOBIL mIDentity to secure your daily digital communication.

6.1 Secure Email Communication using Outlook & Outlook Express

In this section you'll learn how to secure your e-mails using Microsoft Outlook Express 98 and 20
...encryption and signature are combined.
- Secure Erase: Files and directories are securely erased (deleted by multiple overwriting).

You can immediately start using file security with the self-signed certificates from the Secure Data Storage management[1]. This is the easiest way to obtain a certificate, since no certificate request at a trust centre is needed. But for more comfort you should apply for a personal certificate at a trust centre, which allows you to select certificates by user names. In section B 4 3 you learn how to obtain such a personal certificate. The following examples show how to work with personal certificates, but the same functionality is available with self-signed KOBIL mIDentity certificates, which can be recognized by their serial number, for example 8949017230000024681.

[1] Your self-signed certificate will be generated as soon as you create the first Secure Data Storage.

5.3.1 File and Directory Encryption

Important: Please read section carefully before starting to encrypt files or directories, in order to keep your data accessible also in emergency situations.

If you want to encrypt a file, proceed as follows:

1. Right-click on the file you want to encrypt. The context menu shown in figure 5.10 appears.
2. Choose KOBIL mIDentity > Encrypt.

(Explorer context menu: New, Print, KOBIL mIDentity > Encrypt & Sign, Encrypt, Open W
...encryption process. An encrypted file will be stored with the file name extension .kse, as shown in figure 5.12.

Note: If you want to encrypt files to persons whose certificates are not present locally (they don't appear in the selection list), you can click on Search to find the certificate in a directory service, as explained in section.

Figure 5.12: An encrypted file (Explorer listing in C:\Documents and Settings\kobil\My Documents: Secret.doc, 24 KB, Microsoft Word Document, modified 11.01.2005 10:25, next to a 25 KB KSE File modified 11.01.2005 10:26)

Encrypted files are stored in PKCS#7 format, which enables interoperability between different applications. Folder/directory encryption works exactly like file encryption: just right-click on the directory you want to encrypt. If you encrypt a directory, all files in that directory, including sub-folders, will be encrypted in PKCS#7 format. You can also add or remove encryption recipients on already encrypted files or directories (see section 5.3.2).

Attention: Never encrypt files necessary for your operating system to start. You may destroy your system configuration.

5.3.2 Add/Remove encryption Recipients

If you want to change the list of encryption recipients of an already encrypted file, right-click that file and select KOBIL
...or newer versions.

(KOBIL mIDentity Software License dialog: "Depending on your KOBIL mIDentity package you have to enter a valid license key in order to use the full KOBIL mIDentity functionality. This key is either shipped together with the package or you can purchase it from your certified KOBIL partner. Click on Enter License Key to enter the license key now.")

Figure 2.7: Entering the License Key
Figure 2.8: Entering the License Key (dialog "KOBIL mIDentity License Key: Please enter your license key")

Chapter 3 First Steps

3.1 Your personal KOBIL mIDentity

The KOBIL mIDentity Control Centre Software consists of a main window (see figure) and a tray bar menu which resides in the Windows Tray Bar at the right bottom near the system clock (see figure B 2).

Figure 3.1: KOBIL mIDentity Control Centre main window (Logon Accounts, Mobile Office, Secure Data Storage, Manual, Setup, Close, Remove mIDentity)

By double-clicking the tray bar icon the main window is opened. All functions can be used from both the main window and the tray bar menu. The main window is better for untrained users, while the tray bar menu allows fast work for power users.
rds and Readers

SmartCards are credit-card sized devices with integrated circuit chips (ICC) on them. They have their own security mechanisms to lock themselves against physical, electrical and chemical attacks. Once private keys have been loaded they never leave the SmartCard, and a PIN code protects their usage. SmartCards are easy to use: they fit in a wallet and can be carried around easily.

Terminals, often called readers although they are usually able to write as well, are the devices which enable communication between a SmartCard and a computer. SmartCard terminals can be connected to computers via serial or USB ports. An important advantage of some more expensive terminals is the secure PIN entry option, which is possible if a reader has its own keypad, display and special software. With secure PIN entry the PIN is handled inside the reader and never passes through the computer, so a keylogger or other malware on the computer cannot capture it; with a reader without a keypad, the PIN is typed on the computer's keyboard and is only as safe as that computer.

Figure A.8: SmartCard terminals

A.3.7 Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL), developed by Netscape Communications, is a standard security protocol that provides security and privacy on the web. The protocol allows client/server applications to communicate securely. This is achieved by an online, interactive handshake in which the two sides exchange random data in an authenticated way; from this data both sides derive the same session key. SSL uses both public key and session key (symmetric) algorithms. The work flow of SSL is illustrated in figure A.9. In many cases client authentication is optional, since clients may not have certificates.
re 6.2 will appear.

Figure 6.2: Internet Accounts properties dialog ("Kobil Test User Properties")

3. Click Select and choose a certificate from the list, which shows all the certificates that can be associated with the account you selected above. Certificates that do not carry the same e-mail address as the account are not displayed in this list. You can select the same certificate for signature and encryption if your security policy allows this. The dialogue is shown in figure 6.3.

Figure 6.3: Select Default Account Digital ID dialog (lists the available certificates, e.g. "ntuser" via the Kobil CSP, with their encryption capability)

4. You can select the session key algorithm which will be used for bulk encryption and decryption. For strongest security 3DES or RC2 (128 bit) is recommended. (Note: these were the strongest choices offered by the mail clients covered here; by today's standards both are legacy algorithms, and AES should be chosen wherever the mail client and all recipients support it.)

Outlook 98/2000/XP/2003

1. Start Outlook and choose the menu Tools > Options (Extras > Optionen in the German version).
2. Choose the Security tab as shown in figure 6.4.

Figure 6.4: Security Options dialogue in Outlook 98/2000/XP/2003

3. Click on the button Change Settings. The dialogue shown in figure 6.5 will appear.
4. You can now select two independent certificates for signature and encryption using the Choose buttons. Be careful to select a certificate which contains the e-mail address suitable for your e-mail account. You can select the same certificate
rive is reachable again, you can import the Secure Data Storage and proceed as normal.

In order to delete a link to a Secure Data Storage, open the Control Centre Software, click on Secure Data Storage > Delete data safe link, and choose the one for which the link should be deleted. You will then be asked to confirm the deletion. (This removes only the link on this workstation; the Delete entry is for removing the Secure Data Storage itself.)

Figure 5.9: Delete Secure Data Storage link (Control Centre main window, Secure Data Storage panel listing e.g. "Datensafe" on drive H: and "network storage" on drive I:, each with Log off; buttons Create, Import, Delete and Delete data safe link)

5.3 File Security

KOBIL mIDentity allows you not only to encrypt whole Secure Data Storages but also single files and directories using digital certificates. The following options are available:

• Encryption: Your files are encrypted with a certificate so that they can only be decrypted using the corresponding private key on your KOBIL mIDentity SmartCard. Only the person owning both the right KOBIL mIDentity and its PIN can access the file contents. You can encrypt both files and directories.
• Digital Signature: By means of a digital signature your data can be protected against unauthorized modification. Furthermore the data can be attributed to its author. You can sign files and directories.
• Encryption and Signature: The advantages of encry
rsions can work with up to four Secure Data Storages on your local hard disk or on mounted network drives. Each Secure Data Storage can be up to 4 GB in size (the maximum file size on FAT32 file systems); if your hard disk is NTFS formatted there is no upper limit. Additionally you can also have a mobile Secure Data Storage on board (5) to carry your sensitive data anywhere you go (see section 5.2.3).

In order to create a Secure Data Storage on your network drive, please proceed as already explained for Secure Data Storages on your local hard disk. If a network drive is mounted on your system, you can choose it as destination when creating a new Secure Data Storage.

If you work with Secure Data Storages on network drives, it may happen that you change to a workstation on which your network Secure Data Storage is not known. To make the Secure Data Storage appear on this workstation, please proceed as follows:

1. Click in the Control Centre main window on Secure Data Storage > Import. The Import Secure Data Storage dialog window will appear.

(5) does not apply to KOBIL mIDentity Light

Figure 5.4: Importing a network Secure Data Storage (dialog "Import from network: Please select the network data storage you want to import", with automatic or manual search, e.g. "projekte on server" and "network storage"; buttons Import and Cancel)

2. Choose the network Secure Data Storage you want to import and click Import. Afterwards the Secure Data Storage adminis
(Table of contents, partially recovered from this page)

... Encryption Keys
6 Your mobile Office ... 85
6.1 Secure Email Communication using Outlook & Outlook Express ... 85
Configure your Certificate
Sending secure Email
Receiving secure E-mail
A Cryptographic Basics and Standards ... 96
Data Digestion (hash) Algorithms ... 97
A.3.2 Symmetric Encryption Algorithms ... 97
A.3.7 Secure Socket Layer (SSL) ... 105
A.3.8 Secure Multipurpose Internet Mail Exchange (S/MIME) ... 106

Chapter 1 What is KOBIL mIDentity

KOBIL mIDentity is a completely new product which will help you to simplify your life. No matter if you are in the office, on the road or at home, KOBIL mIDentity makes your world mobile, since it is your mobile Identity, your mobile Datasafe and your mobile Office.

1.1 Content

• KOBIL mIDentity Light / Basic / Classic
• Key ring
• optional: Docking Station with 1.8 m USB 2.0 cable
• optional: SIM-sized Smart Card
• optional: CD-ROM
• optional: License Key (only KOBIL mIDentity Light)

1.2 System Requirements

Operating systems: Microsoft Windows 2000 (min. Service Pack 3) or Microsoft Windows XP (min. Service Pack 1) or Microsoft Windows 2000/2003 Server
s inside the chosen directory are now decrypted and verified, and stored without the ending .ksk. The signature verification result is displayed in its own dialogue. If not all files in that directory could be processed (either some could not be decrypted or not all files are .ksk files), you will get a corresponding warning.

5.3.9 Default Settings for File Security

Open the Control Centre Software, select Setup > Secure Data Storage and choose the tab File Security.

Figure 5.23: File Security Settings (mIDentity Setup dialog, tab File security. Delete automatically: source file after encryption; source file after signature; source file after decryption; signed file after checking signature. Summary for multiple encryption. Default encryption certificate with the buttons Select, Erase and Search. Additional decryption key: "No certificate is selected")

The Additional decryption key is a certificate that is added as a recipient to every file you encrypt, so its holder (for example an administrator) can decrypt those files as well. Whoever controls that private key can read everything encrypted under these settings; protect it accordingly.

For more detailed information please visit http://www.kobil.com and download the KOBIL mIDentity whitepaper, which will answer your questions.

Erase options

• If the checkbox "Original files after encryption" is active, each original file is deleted automatically after encryption. You can also change this behaviour per encryption process (see the section on file encryption and section 5.3.7).
• If the checkbox "Original files after signing" is active, each original file is deleted automatically after signature. You can also change this behaviour per
smartcard, please select the appropriate provider as directed by the manufacturer.

Figure 3.14: Certificate request at the VeriSign CA (Digital ID Subscriber Agreement page: the agreement must be read before applying for, accepting or using a Digital ID certificate; it becomes effective when the certificate application is submitted to the designated Issuing Authority; VeriSign's public certification services are governed by its Certification Practice Statement (CPS), which is incorporated by reference and published on the Internet; buttons Accept and Decline)

Import existing certificates into the KOBIL mIDentity SmartCard

If you already have an existing software certificate, you can import it onto your KOBIL mIDentity SmartCard. Please refer to section 3.4.6.

3.4.3 The Windows Certificate Manager

The Windows Certificate Manager is Windows' central st
t it is not trusted because it is not stored in the Trusted Root Certification Authorities store.

3. Click on Install Certificate.
4. The following dialogues can be skipped using the button Next.
5. The last dialogue box asks you to confirm the CA certificate's fingerprint. You should obtain this fingerprint in an independent way, for example from the CA's letter paper or from its web pages. The comparison is only worth something if the reference value really came through a second channel: a fingerprint read from the same web page or e-mail that delivered the certificate proves nothing, since an attacker who substituted the certificate could substitute the fingerprint too. Compare every hex digit, not just the beginning and the end.

(Footnote: Note that the SmartCard's private key can never be exported.)

Note that you automatically get an implicit trust relationship to all users of the new certification authority when you import its CA certificate: every certificate that CA has issued or will issue becomes valid on your computer. You should inform yourself about the certification policy of the new certification authority before importing its CA certificate. After successful import you find the new CA certificate in the Windows Certificate Manager, either under Intermediate Certification Authorities or under Trusted Root Certification Authorities (see section 3.4.3).

3.4.5 Importing another User's Certificate

Before you can send encrypted e-mail to a user, you must get the user's digital certificate and add it to your address book. You can obtain the certificate in two ways:

• Receive a signed e-mail from the user. Signed e-mails contain the user's digital certificate.
• Obtain the user's certificate from a public directory service.

Then save the user's certificate to your certificate store.

Outlook Express

In Outlook Express choose the menu Edit > Find > Peop
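The fingerprint check in step 5 can be done by script rather than by eye. The following is an added example, not KOBIL's code and not part of the Windows import wizard: it recomputes the thumbprint that the wizard displays (on the Windows versions covered by this manual, the SHA-1 hash of the DER-encoded certificate) from the certificate file and compares it, digit for digit and in constant time, with the value taken from the CA's printed letter. The certificate bytes used below are a constructed stand-in, not a real X.509 certificate; the file may be DER or PEM; the printed value may use spaces, colons or upper case; and `algorithm="sha256"` is the assumed switch for a CA that publishes SHA-256 fingerprints.

```python
"""Recompute a CA certificate's fingerprint and compare it with a value obtained out of band.

Added example (not KOBIL's code, not part of Windows).  The Windows import
wizard shows the certificate's thumbprint, the SHA-1 hash of the DER bytes on
the Windows versions in this manual.  This recomputes that hash from the file
and compares it with the reference value from the CA's letter.
"""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either DER or PEM input."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = PEM_BLOCK.search(data)
        if m is None:
            raise ValueError("PEM input without a CERTIFICATE block")
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    return data


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Lower-case hex fingerprint of the DER bytes, as Windows and OpenSSL show it."""
    return hashlib.new(algorithm, der).hexdigest()


def normalise(printed: str) -> str:
    """'AB:CD ef 01' as printed on paper -> 'abcdef01'."""
    return re.sub(r"[^0-9a-f]", "", printed.lower())


def fingerprint_matches(cert_file: bytes, printed: str, algorithm: str = "sha1") -> bool:
    """True only if the complete fingerprint of the certificate equals the printed one.

    A printed value of the wrong length is rejected instead of being compared
    as a prefix: people tend to check the first and last few digits only, and
    a prefix match is exactly what a forged reference value would offer.
    """
    expected = normalise(printed)
    want = hashlib.new(algorithm).digest_size * 2
    if len(expected) != want:
        raise ValueError(f"a {algorithm} fingerprint has {want} hex digits, got {len(expected)}")
    actual = fingerprint(certificate_der(cert_file), algorithm)
    return hmac.compare_digest(actual, expected)   # constant-time comparison


# Constructed stand-in for a certificate file (a few DER bytes, not a real X.509
# certificate); the check works on any byte string since it only hashes it.
SAMPLE_DER = bytes.fromhex("30060201010201ff")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Pretend this value was read from the CA's letter, printed in pairs.
    reference = fingerprint(SAMPLE_DER).upper()
    printed = " ".join(reference[i:i + 2] for i in range(0, len(reference), 2))
    print("matches:", fingerprint_matches(SAMPLE_PEM, printed))
```

Run it against the real CA certificate file by replacing `SAMPLE_PEM` with the file's contents and `printed` with the value from the letter; a `False` means the certificate offered to you is not the one the CA published, and the import should be cancelled.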
t reason you should not make any input while KOBIL mIDentity is automatically logging you in to an application.

4.1.4 Working with Console Applications

As not all applications are based on Windows dialog boxes or HTML, KOBIL mIDentity can also work with console windows (DOS box, PuTTY). Take an FTP console as an example. Open your command prompt and press Alt+F11. Enter user name and password in the input dialog. You can use static passwords or one-time passwords (OTP) with the additional KOBIL SecOVID system.

Figure 4.13: Manual entry of passwords for console applications (dialog "Account data for the command line prompt: Please enter the necessary data. You can also enter a complete command line", with the fields Description, Username (with Return option), Static Password (with Return and password validation options), One Time Password (OTP) and Command line, and the checkboxes "Do not ask for recognized window" and "Enter data directly")

You can also enter complete command lines if you have chosen the option Command line. For this you can use the following aliases, each written between the delimiter characters shown in the dialog:

1. ACC1: user name
2. PWD1: password
3. CRNL: carriage return + new line (Windows)
4. WNL: new line (Unix, e.g. PuTTY)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Set
the SSO Emergency Assistant. By having your user IDs and passwords displayed on the screen and printed, you are giving away very valuable information. Make sure nobody has access to your secret data.

Figure 4.31: View several accounts (list of accounts with their passwords)

4.2 Windows SmartCard Logon

Windows 2000 and XP make it possible to deploy strong authentication using SmartCards by leveraging operating system features such as Kerberos, Active Directory and the variety of administrative tools used to manage a public key infrastructure. Instead of logging on with user name and password, you simply plug in your KOBIL mIDentity and enter your KOBIL mIDentity SmartCard's PIN.

If you want to log on to your computer using KOBIL mIDentity, a SmartCard logon certificate must be stored on your KOBIL mIDentity SmartCard. The computer needs to be a member of a Windows 2000 or 2003 domain with Active Directory to allow SmartCard logon. The SmartCard logon certificate is issued by the Windows Certificate Services which are part of Windows 2000 and 2003 servers. More information about setting up Windows SmartCard logon can be found in the KOBIL mIDentity White Paper, which you can get from your local KOBIL dealer or directly on the internet at http://www.kobil.com/mIDentity.

Figure 4.32: Windows SmartCard logon PIN entry

Chapter 5 Your mobile Secure Data Storage

KOBIL mIDentity's Secure Data Storage gives you the possibility to securely store y
the category Standard on the left side.
4. In the selection field Commands you find them at the end: "Sign message (content and attachments)" and "Encrypt message contents". Drag and drop them with the left mouse button to the menu bar.

6.1.3 Sending secure Email

To send a secure email proceed as follows:

1. Write your email as usual. If you add attachments to the email, they will also be signed and/or encrypted.
2. If you want to digitally sign the email, activate the button Sign Message as shown in figure 6.6 (Outlook Express). If the button is not visible, please refer to the previous section to configure it.
3. If you want to encrypt the email, activate the button Encrypt message contents as shown in the figure (Outlook Express). If the button is not visible, please refer to the previous section to configure it.
4. You can combine encryption and signature.
5. Send your email as usual using the Send button.
6. If the email is to be signed, you will be asked to enter the KOBIL mIDentity SmartCard's PIN to enable the private key for signing.

If the email is only encrypted (not signed), step 6 (PIN entry) is omitted, since the private key is not needed for encryption: encrypting to a recipient uses only the public key from the recipient's certificate.

It may be that Outlook complains about a missing recipient certificate, which is necessary to encrypt the email. In this case you can look it up using a directory service. Please refer to section 3.4.5 to learn how to configure and use a directory service.

You can configure your default setti
the end of the process the verification status for all files will be displayed. If not all files in that directory could be processed (e.g. not all files are .kss files), you will get a corresponding warning.

5.3.7 Signature and Encryption of Files and Directories

Important: please read the corresponding section carefully before starting to encrypt files or directories, in order to keep your data accessible also in emergency situations.

If you want to encrypt and sign a file or a directory in one step, proceed as follows:

1. Right-click on the file or directory you want to encrypt and sign. The context menu shown in figure 5.19 appears.
2. Choose KOBIL mIDentity > Encrypt & Sign.

Figure 5.19: Context menu for file/directory signature and encryption (Windows Explorer context menu on a 24 KB Microsoft Word document, with the KOBIL mIDentity submenu entries Encrypt & Sign, Encrypt, Sign and Secure Erase next to the standard entries Open, Open With, Send To and Cut)

3. The dialogue shown in figure 5.20 appears. The following options are possible:

• Signature Certificate: This is the default signature certificate (see section 5.3.9). If you want to use any other signature certificate, click on Choose.
• Recipients: This is the default encryption certificate (see section 5.3.9) and, if set, also the ADK
the old certificate will be permanently deleted.

ATTENTION: Encrypted data which is not reachable at this time cannot be re-encrypted and will not be usable any longer. Before changing the certificate, make sure that every data safe, file and folder encrypted with the old certificate is reachable (network drives mounted, external disks connected), because the old private key on the SmartCard cannot be exported and is gone once the change is complete.

Figure 3.22: Final KOBIL mIDentity status (mIDentity initialisation assistant, Step 4 of 4, Summary: PUK and PIN were successfully created; the certificate was imported successfully; certificate's name <My Certificate>; the certificate <My Certificate> will be used to encrypt your SSO accounts and Secure Data Storage)

3.4.8 Delete certificates from your KOBIL mIDentity SmartCard

Figure 3.23: Certificate preferences (mIDentity Setup dialog with the tabs Logon Account, Smart Card, Certificate and Configuration; the certificate list shows e.g. mIDentity Certificate 1, mIDentity Certificate 2 (subject CN=894901 7200002657523), mIDentity Certificate 3 and Windows 2000 Logon Certificate, with Subject, Issuer, Serial Number and Not before; buttons Details, Register, Unregister, Delete and Search certificates)

Important: Be very careful when deleting a certificate, since it is needed to decrypt data safes, emails, files and folders that are encrypted with it. If you delete a certificate, any data encrypted with it may not be accessible anymore. Especially the first cer
tificate slot contains the self-signed KOBIL mIDentity certificate used for data safe encryption.

Open the Control Centre Software, choose Properties > Identity and then the tab Certificates. Select the certificate to delete from the list and click on Delete. Depending on your configuration this option may be disabled for security reasons. If you need to enable this option, please ask your system administrator.

3.5 KOBIL mIDentity Personalization

KOBIL mIDentity is immediately ready to use and can be personalized by the end user in the field, by learning passwords (see chapter 4) and requesting certificates (see section 3.4). This way KOBIL mIDentity is immediately usable where no infrastructure is available, as well as for individual users. In bigger organisations with existing infrastructure this is not really practical. For these situations KOBIL offers administrative tools and server software for KOBIL mIDentity. Further information about this can be obtained from your local KOBIL dealer or on the internet at http://www.kobil.com/mIDentity.

3.6 Software Updates

The KOBIL mIDentity Control Centre Software is being continuously developed and extended with new functionality. If you want to stay up to date, visit http://www.kobil.com/mIDentity from time to time. There you can download software updates and find useful tips and hints about your KOBIL mIDentity.

Chapter 4 Your mobile Id
tings\kobil>ftp 192.168.1.4
Connected to 192.168.1.4.
220 ultra1 FTP server (SunOS 5.7) ready.
User (192.168.1.4:(none)):

Figure 4.14: Manual entry of command lines for console applications (dialog "Account data for the command prompt" with Description "Command Prompt ftp 192.168.1.4", Username "midentity", Static Password, and the option Command line selected with the value "ftp 192.168.1.4" CRNL ACC1 CRNL PWD1 CRNL, i.e. the command followed by user name and password, each terminated by a Windows line break)

To paste a password or a command line from KOBIL mIDentity into a console application, start your command prompt and press Alt+F10. Choose your account and press OK. Your account data will be filled in automatically, as if you had entered it using the computer's keyboard. Because the data is sent as keystrokes, it appears in the console exactly as if typed: a password entered at a prompt that echoes its input, or while session logging (e.g. in PuTTY) is active, ends up visible in the window and in any log.

Figure 4.15: Manual password transfer (the command prompt waiting for the password of user "midentity" after "ftp 192.168.1.4", with the account selection dialog on top listing accounts by description, e.g. Lycos, GMX Homepage, Microsoft Internet Explorer and Command Prompt; the dialog is shown in German: "Beschreibung" = Description, "Abbrechen" = Cancel)

Please note that this function can have problems with different character encodings. This is why you should use only passwor
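The command line mechanism of section 4.1.4 and the encoding warning above can be shown together in code. The following is an added example, not KOBIL's own software: it expands a command line template using the aliases ACC1, PWD1, CRNL and WNL described in section 4.1.4, refuses user names or passwords outside plain printable ASCII instead of letting the console mangle them, and offers a password-masked view for anything a wrapper script might log, since whatever is expanded is typed into the window in the clear. The `%NAME%` delimiter, the `expand`, `redacted`, `is_console_safe` and `unknown_aliases` names and the sample template are assumptions for this example; the delimiter character is not legible in this copy of the manual.

```python
"""Expand a KOBIL-style console command line before it is typed into the window.

Added example, not KOBIL's code.  ACC1 stands for the user name, PWD1 for the
password, CRNL for a Windows line break and WNL for a Unix/PuTTY line break
(section 4.1.4).  Assumption: an alias is written as %NAME%.
"""
import re

ALIAS_RE = re.compile(r"%([A-Z0-9]+)%")
LINE_BREAKS = {"CRNL": "\r\n", "WNL": "\n"}


class UnsafeConsoleInput(ValueError):
    """Raised for text that cannot be typed into a console reliably."""


def is_console_safe(text: str) -> bool:
    """True if every character is printable ASCII (0x20..0x7E): no umlauts, no control characters."""
    return bool(text) and all(0x20 <= ord(c) <= 0x7E for c in text)


def unknown_aliases(template: str) -> list:
    """Aliases used in the template that the expander does not know."""
    known = {"ACC1", "PWD1", *LINE_BREAKS}
    return [name for name in ALIAS_RE.findall(template) if name not in known]


def expand(template: str, username: str, password: str) -> str:
    """Substitute account data and line breaks into the command line template."""
    for label, value in (("user name", username), ("password", password)):
        if not is_console_safe(value):
            # Sending it anyway would log the user in with a wrong password,
            # which is the encoding problem the manual warns about.
            raise UnsafeConsoleInput(f"{label} contains characters that cannot be typed into a console")
    bad = unknown_aliases(template)
    if bad:
        raise KeyError(f"unknown alias(es) in command line: {', '.join(bad)}")
    values = {"ACC1": username, "PWD1": password, **LINE_BREAKS}
    return ALIAS_RE.sub(lambda m: values[m.group(1)], template)


def redacted(template: str, username: str, password: str) -> str:
    """What may be written to a log: the expanded line with the password masked.

    Everything expand() produces is typed into the console in the clear, so a
    console with input echo or session logging will contain the password; this
    view is the only one a wrapper script should ever log.
    """
    return expand(template, username, password).replace(password, "********")


# Constructed sample matching figure 4.14: the ftp command, then user name and
# password, each followed by a Windows line break.
FTP_TEMPLATE = "ftp 192.168.1.4%CRNL%%ACC1%%CRNL%%PWD1%%CRNL%"

if __name__ == "__main__":
    print(repr(expand(FTP_TEMPLATE, "midentity", "s3cret-pw")))
    print(redacted(FTP_TEMPLATE, "midentity", "s3cret-pw"))
```

For a PuTTY session the same template would use WNL instead of CRNL; the expander makes no other distinction between the two targets.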
tration includes a further entry to mount or unmount this network Secure Data Storage.

Please note that local Secure Data Storages are stored on your computer's hard disk, so they cannot be carried around with KOBIL mIDentity. For mobile Secure Data Storages please refer to the next section.

5.2.3 Creating a mobile Secure Data Storage on KOBIL mIDentity

Important: please read the corresponding section carefully before starting to work with Secure Data Storages, in order to keep your data accessible also in emergency situations.

In addition to local Secure Data Storages stored on your local hard disk, KOBIL mIDentity can also work with mobile Secure Data Storages that are carried directly on the KOBIL mIDentity device (5). Even if your notebook is stolen, sensitive data is not only protected by encryption on the hard disk but is also still available, since you carry your backup in your pocket. Mobile Secure Data Storages are more restricted in size, depending on the KOBIL mIDentity model. Apart from that, creating a mobile Secure Data Storage is quite similar to creating a local Secure Data Storage (see previous section).

1. Click in the Control Centre main window on Secure Data Storage > Create. The Secure Data Storage creation dialog window will appear.

(5) does not apply to KOBIL mIDentity Light

(Figure: KOBIL mIDentity Control Centre main window with the panels My Identity / Logon Accounts, My Office / Mobile Office and My Data Safe / Secure Data Storage; caption cut off in this copy)
The CA returns the certificate to Alice, who is now the owner of the certificate. To give a real meaning to this process, the CA would of course need to make sure that Alice really is Alice and not, e.g., Bob claiming to be Alice. This, however, causes additional costs and actions in real life, so this is something which a pure Internet service cannot provide. However, there are companies offering that type of service.

Today's most popular browsers and e-mail programs know the certificates of very well known and more or less trusted CAs. So people can easily verify the signatures of many CAs. This helps people to decide whether a certificate and its content is trustworthy or not. If a certificate is signed and issued by an unknown CA and your browser does not have the public key of that CA, then your browser gives a warning and asks whether to proceed or not. Proceeding means accepting a public key that nobody you trust has vouched for; this is exactly the situation in which the fingerprint has to be checked through an independent channel (see the section on importing CA certificates).

The typical certificate distribution and verification between users (1):

1. Alice sends her certificate to Bob to give him access to her public key. This is typically achieved by sending a signed, but not encrypted, message to Bob.
2. Bob verifies the signature on Alice's certificate using the CA's public key. If the signature proves to be valid, he accepts the public key in the certificate as Alice's public key. Today's browsers and e-mail programs handle this verification automatically.

(1) In cryptographic protocols the users are often called Alice and Bob.

A.3.6 SmartCa
xt menu shown in figure 5.14 appears.

Figure 5.14: Context menu for file signature (Windows Explorer context menu on a file in My Documents, with the KOBIL mIDentity submenu entries Encrypt & Sign, Encrypt, Sign and Secure Erase next to the standard entries Open, New, Print, Open With, Cut and Copy)

2. Choose KOBIL mIDentity > Sign.
3. The dialogue shown in figure 5.15 appears. The following options are available:

• Signature Certificate: This is the configured default signature certificate (see section 5.3.9). If you want to use any other signature certificate, click on Choose.
• Erase original file(s): This checkbox decides whether the original files should be erased after signing. The default setting of this checkbox can be configured (see section 5.3.9).

Figure 5.15: File/directory signature options (dialog "File/Directory Signing": Signature Certificate with Select button and subject "CN=894901 7200002174743", checkbox "Erase original file(s) after signed", buttons Proceed and Cancel)

If all options are correct, click on Proceed to start the signature process.

4. Enter your KOBIL mIDentity SmartCard's PIN.
5. The file is now signed and stored with the ending .kss, as shown in figure 5.16.

Figure 5.16: The signed file (Windows Explorer; file listing cut off in this copy)
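Sections 5.3.1 and 5.3.7 state that encrypted (.kse), signed (.kss) and encrypted-and-signed (.ksk) files are stored in PKCS#7 format. One consequence a practitioner can use is that every such file starts with the same outer structure, ContentInfo (a SEQUENCE holding an OBJECT IDENTIFIER that names the content type, followed by the content), so the type of a file can be read without any key or PIN before it is handed to a decryption or verification tool. The following is an added example, not KOBIL's code: a small DER reader that extracts that first OID and maps it to the PKCS#7 content type. The sample headers are constructed byte strings, not real KOBIL files; the function names and the assumption that the files are DER encoded (BER indefinite lengths are rejected) are this example's own.

```python
"""Tell a PKCS#7 EnvelopedData file from a SignedData file by its outer header.

Added example; not KOBIL's code, and it does not decrypt or verify anything.
Every PKCS#7 file begins with
    ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] ANY }
so the first OID says whether the file is enveloped (encrypted), signed, or
something else.  Assumption: DER encoding.
"""
import binascii

# Content types from PKCS#7 (RFC 2315, section 14).
PKCS7_TYPES = {
    "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.2": "signedData",
    "1.2.840.113549.1.7.3": "envelopedData",
    "1.2.840.113549.1.7.4": "signedAndEnvelopedData",
    "1.2.840.113549.1.7.5": "digestedData",
    "1.2.840.113549.1.7.6": "encryptedData",
}


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it).

    Every length is checked against the buffer, so a truncated file or a
    header that lies about its length cannot make the caller read past the end.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in a ContentInfo")
    first = buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length (BER) is not supported")
    if first & 0x80:                      # long form: 0x8n, then n length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("declared length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """OID content octets to dotted text, e.g. 2A864886F70D010703 -> 1.2.840.113549.1.7.3."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:                       # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                       # first octet packs the first two arcs
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def pkcs7_content_type(blob: bytes):
    """Return (dotted OID, PKCS#7 type name) of the outer ContentInfo, or raise ValueError."""
    tag, seq, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("does not start with a SEQUENCE, so it is not a PKCS#7 ContentInfo")
    tag, oid_bytes, _ = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("ContentInfo does not start with an OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    return oid, PKCS7_TYPES.get(oid, "unknown")


def looks_like_pkcs7(blob: bytes) -> bool:
    """True if the blob has a well-formed ContentInfo header with a known PKCS#7 type."""
    try:
        return pkcs7_content_type(blob)[1] != "unknown"
    except ValueError:
        return False


# Constructed sample headers (not real KOBIL files): a 256-byte EnvelopedData
# ContentInfo whose body is zero padding, and a minimal SignedData header.
SAMPLE_KSE = binascii.unhexlify("30820100" "06092a864886f70d010703") + b"\x00" * 245
SAMPLE_KSS = binascii.unhexlify("300b" "06092a864886f70d010702")

if __name__ == "__main__":
    for name, blob in (("sample.kse", SAMPLE_KSE), ("sample.kss", SAMPLE_KSS)):
        print(name, pkcs7_content_type(blob))
```

A .kse should report envelopedData and a .kss signedData; a .ksk produced by Encrypt & Sign wraps the signed content inside an envelope, so its outer type is also envelopedData and the signature only becomes visible after decryption.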
y while manufacturing and stored directly on the card. To obtain the ePUK you have to enter your PIN; then you can read out the ePUK. Note that this means whoever knows your PIN can also obtain your ePUK; protect the PIN accordingly.

Initialization of an E4 NetKey Card

If you insert KOBIL mIDentity with an E4 NetKey Card for the first time, the KOBIL mIDentity Control Centre software automatically detects whether this card is in the transport (null PIN) state or not. If the card is in this state, you will be asked to enter your new PIN twice. Additionally you can read out or print out your ePUK.

If you do not remember your ePUK after this initialization process, you can read out the ePUK later as well. Just click under Preferences > Identity > mIDentity Smart Card the button Read ePUK. You will be asked for your PIN to read out the ePUK. Additionally you can print out your ePUK. Both buttons are only active if the inserted smart card is an E4 NetKey Card. Knowing your ePUK is especially important if you need to unblock the PIN; please refer to section 3.3.4.

Figure 3.11: KOBIL mIDentity SmartCard preferences, reading/printing the ePUK (German dialog: tabs Passwörter (Passwords), SSO, Datensafe, Zertifikat (Certificate), mIDentity Smart Card; PIN-Funktionen (PIN functions): PIN ändern (change PIN), PIN freischalten (unblock PIN); PUK-Funktionen (PUK functions): ePUK auslesen (read ePUK), ePUK drucken (print ePUK); Karte löschen (erase card), Kartennummer (card number), Zert. importieren (import certificate); message "Ihre ePUK lautet 71769752" (Your ePUK is 71769752); Beenden (Close))

IMPORTANT: If you print out your ePUK, please take care that nobody has a