HIGHSEC eid App Administration User Manual
Contents
1 Introduction ... 3
2 Application overview ... 3
3 Managing HIGHSEC eid App ... 3
3.1 Deleting card pairings ... 4
4 Inspecting smart card contents ... 5
5 Operations on smart card ... 5
5.1 Changing display message ... 5
5.2 PIN operations ... 6
5.2.1 ID-PIN ... 7
5.2.2 ID-PIN Unblocking ... 7
5.2.3 ESIGN-PIN ... 9
5.2.4 ESIGN-PIN Unblocking ... 10
5.3 Certificate operations ... 11
5.3.1 Import Certificate ... 11
5.3.2 Update Certificate ... 14
5.3.3 Remove Certificate ... 16
6 Additional features ... 18
7 Third Party Software ... 19
7.1 OpenSSL Toolkit ... 19
7.1.1 OpenSSL License ... 19
7.1.2 Original SSLeay License ... 20
7.2 BouncyCastle Crypto APIs ... 21
7.2.1 License ... 21
Page 2 of 22
1 Introduction
HIGHSEC eid App Administration application (in the rest of the text called Admin app or the application) is used to manage and control the functionality of the rest of the eid App system. It is also used to inspect the contents of the smart card and to manage the certificates stored on it. The application requires .NET Framework v3.5 and uses the third-party cryptography library Bouncy Castle, which is part of the installation.

2 Application overview
The application has a single main window, divided into two parts: a tree view on the left and a free window space on the right. When the user selects an item in the tree view, the corresponding form is displayed in the free window space. In the menu at the top the user can change the language of the application.

3 Managing HIGHSEC eid App
Several options control the behavior of the rest of the eid App system. All of them can be found and changed under the tree item Global settings. Here is a brief explanation of those options:
Allow more than one application to access the card: When this option is set, several Windows applications can use the smart card at the same time. If the option is not set, only one application is allowed to access the smart card at any given time.

Allow applications to cache PIN: PIN caching is only meaningful if more than one application can access the card. When this option is set, the user is asked for the PIN only once per application, when that application accesses the smart card for the first time; the application's later card operations proceed without a new prompt. If the option is not set, the user is prompted for the PIN each time an application requests access to the smart card. Leave caching off if every signing operation should require a fresh PIN entry.

Duration of OCSP stored information: Time interval during which a certificate is deemed valid after it has been verified through OCSP (Online Certificate Status Protocol). A revocation published during this interval is not noticed until the stored result expires, so keep the interval short where timely revocation matters.

Enable low level logging: When this option is set, all communication between the smart card and eid App is saved in a special log file. The communication is encrypted, so the user can only see it in encrypted form.

Enable verbose logging: When this option is set, eid App writes an additional, more detailed log to the log file. This option is useful when diagnosing a problem.

If the user changes one or more options, the Update button becomes enabled. Clicking Update saves the new options; clicking Cancel resets all options to their previous state.

3.1 Deleting card pairings
Before a smart card can be used it must be paired to the computer. To remove all card pairings from the computer, select the tree item Delete pairings and click Delete on the page that appears.
After the pairings are deleted, a card must be paired again before it can be used on this computer.

4 Inspecting smart card contents
When a smart card is inserted into a reader, a new item named after the reader is added to the tree view and expanded with several sub-items. By browsing the sub-item Virtual tokens the user can inspect the contents of the smart card. The various functions of the smart card are exercised through certificates. Certificates and their corresponding keys are associated with entities called modules; modules are contained in smart card applications, which reside in virtual tokens. Virtual tokens guard access to their contents with PINs. The structure that binds these elements together is mapped onto tree items. Leaf tree items show the certificates assigned to each module. In most cases there is only one certificate per module; when there is more than one, the user can select a certificate from a drop-down list in which they are listed by subject.

5 Operations on smart card
When a smart card is inserted into a reader, the user can perform several operations on it. All of them require the user to enter a PIN.

5.1 Changing display message
The display message is a security feature available only for contactless smart cards. The message resides on the smart card, and the user should know its contents. Each time the smart card requires the user's authentication, this display message is shown to the user for verification: it lets the user confirm that the PIN prompt comes from their own card. If the message shown is not the one you set, do not enter your PIN.
The user can change this display message with the following procedure:
1. Select the tree item Display message. This tree item is not available if the smart card is not contactless.
2. The page titled Change smart card display message appears, showing the current display message.
3. Replace the text of the current display message with the new one.
4. Enter the ID-PIN in the field PIN.
5. Click Update. A message appears confirming the success of the operation.

5.2 PIN operations
SCeID contains two tokens used for different purposes: ID and ESIGN.
5.2.1 ID-PIN
The only permitted operation on the ID-PIN (apart from unblocking) is changing it. Use the following procedure to change the ID-PIN:
1. Select the tree item ID-PIN. The page titled Change smart card PIN appears.
2. For a contactless card, verify that the display message is the one you expect. If the smart card is not contactless, no display message is shown.
3. Enter the current PIN in the field Current PIN.
4. Enter the same new PIN in the fields New PIN and Repeat new PIN. The Update button is enabled only when the contents of New PIN and Repeat new PIN are identical and Current PIN is not empty.
5. Click Update. A message appears confirming the success of the operation.

5.2.2 ID-PIN Unblocking
If the user enters the ID-PIN incorrectly three times in a row, as part of any operation requiring the PIN, the smart card blocks further attempts to use the PIN. In that case the PIN must be unblocked using the PUK (PIN Unlock Key). Use the following procedure to unblock the ID-PIN when a new PIN is not required:
1. Select the tree item ID-PIN Unblocking. The page titled Unblock smart card PIN appears.
2. Enter the valid PUK in the field PUK.
3. Click Update. A message appears confirming the success of the operation.

Use the following procedure to unblock the ID-PIN when a new PIN is required:
1. Select the tree item ID-PIN Unblocking. The page titled Unblock smart card PIN appears.
2. Enter the valid PUK in the field PUK.
3. Enter the new PIN in the fields New PIN and Repeat new PIN. The Update button is enabled only when the contents of New PIN and Repeat new PIN are identical and PUK is not empty.
4. Click Update. A message appears confirming the success of the operation.

5.2.3 ESIGN-PIN
The only permitted operation on the ESIGN-PIN (apart from unblocking) is changing it. Use the following procedure to change the ESIGN-PIN:
1. Select the tree item ESIGN-PIN. The page titled Change ESIGN PIN appears.
2. For a contactless card, verify that the display message is the one you expect. If the smart card is not contactless, no display message is shown.
3. Enter the current valid ESIGN-PIN in the field Current PIN.
4. Enter the same new PIN in the fields New PIN and Repeat new PIN. The Update button is enabled only when the contents of New PIN and Repeat new PIN are identical and Current PIN is not empty.
5. Click Update. A message appears confirming the success of the operation.

5.2.4 ESIGN-PIN Unblocking
If the user enters the ESIGN-PIN incorrectly three times in a row, as part of any operation requiring the PIN, the smart card blocks further attempts to use the PIN. In that case the PIN must be unblocked using the PUK (PIN Unlock Key). Use the following procedure to unblock the ESIGN-PIN:
1. Select the tree item ESIGN-PIN Unblocking. The page titled Unblock ESIGN PIN appears.
2. Enter the valid PUK in the field PUK.
3. Click Update. A message appears confirming the success of the operation.
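As an added example (not part of the manual, the eid App or the card firmware), the PIN and PUK rules of sections 5.2.1 to 5.2.4 expressed as a small PowerShell model. It is useful as a test oracle when exercising a card through the Admin app or the CSP/PKCS#11 middleware: three consecutive wrong entries block, a correct entry resets the counter, and the PUK unblocks with or without a new PIN. The PUK retry limit of 10, the case-sensitive string comparison and the sample PIN and PUK values are assumptions; the manual does not state them.

```powershell
# Added example: model of the PIN/PUK behaviour described in section 5.2.
# Not eid App or card code. Assumptions not in the manual: the PUK has its own
# retry limit (10 here), PINs/PUKs are compared as case-sensitive strings, and
# the sample values in the walk-through are constructed. Needs PowerShell 5+.
class PinToken {
    [string] $Name
    hidden [string] $Pin
    hidden [string] $Puk
    [int]  $PinTriesLeft = 3
    [int]  $PukTriesLeft = 10
    [bool] $Blocked = $false

    PinToken([string] $name, [string] $pin, [string] $puk) {
        $this.Name = $name
        $this.Pin  = $pin
        $this.Puk  = $puk
    }

    # A correct entry resets the counter, so only wrong entries "in a row" count.
    [bool] VerifyPin([string] $attempt) {
        if ($this.Blocked) { throw "$($this.Name)-PIN is blocked; unblock it with the PUK" }
        if ($attempt -ceq $this.Pin) {
            $this.PinTriesLeft = 3
            return $true
        }
        $this.PinTriesLeft--
        if ($this.PinTriesLeft -le 0) { $this.Blocked = $true }
        return $false
    }

    # 5.2.1 / 5.2.3: the GUI enables Update only when New PIN and Repeat new PIN
    # match and Current PIN is non-empty; the card then checks the current PIN.
    [bool] ChangePin([string] $current, [string] $new, [string] $repeat) {
        if ([string]::IsNullOrEmpty($current) -or $new -cne $repeat) { return $false }
        if (-not $this.VerifyPin($current)) { return $false }
        $this.Pin = $new
        return $true
    }

    # 5.2.2 / 5.2.4: unblock with the PUK; pass $null as $newPin to keep the old PIN.
    [bool] Unblock([string] $puk, [string] $newPin) {
        if ($this.PukTriesLeft -le 0) { throw "$($this.Name)-PUK exhausted; the card must be reissued" }
        if ($puk -cne $this.Puk) {
            $this.PukTriesLeft--
            return $false
        }
        $this.PukTriesLeft = 10
        if (-not [string]::IsNullOrEmpty($newPin)) { $this.Pin = $newPin }
        $this.Blocked = $false
        $this.PinTriesLeft = 3
        return $true
    }
}

# Walk-through with constructed values; the two tokens are independent.
$id    = [PinToken]::new('ID', '1234', '87654321')
$esign = [PinToken]::new('ESIGN', '123456', '87654321')

$id.VerifyPin('0000') | Out-Null                               # wrong, 2 tries left
$id.VerifyPin('0000') | Out-Null                               # wrong, 1 try left
$id.VerifyPin('1234') | Out-Null                               # correct: counter back to 3
1..3 | ForEach-Object { $id.VerifyPin('9999') | Out-Null }     # three in a row: blocked
"ID blocked after three wrong entries : $($id.Blocked)"        # True
"ESIGN unaffected                     : $($esign.VerifyPin('123456'))"  # True
try { $id.ChangePin('1234', '5678', '5678') | Out-Null } catch { "Change refused: $_" }
"Unblock with wrong PUK               : $($id.Unblock('00000000', $null))"   # False
"Unblock with PUK, keep old PIN       : $($id.Unblock('87654321', $null))"   # True
"Old PIN valid again                  : $($id.VerifyPin('1234'))"            # True
"Unblock and set new PIN              : $($id.Unblock('87654321', '4321'))"  # True
"New PIN valid                        : $($id.VerifyPin('4321'))"            # True
```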
5.3 Certificate operations
Certificates are used to attest someone's identity. The owner of a certificate is the person who holds the private key paired with that certificate. A smart card can contain several certificates, each with a different purpose. If a certificate of a given type does not yet exist on the smart card, one must be imported first. If there already is a certificate of that type on the smart card, it can be updated with another one. A certificate can also be removed from the smart card.

5.3.1 Import Certificate
Importing a certificate to a smart card is performed in several steps, some of which may be omitted depending on the situation. Use the following procedure to import a certificate:
Precondition: the type of the certificate to be imported must not already exist on the smart card.
1. Select the tree item Import Certificate. The page titled Load Certificate appears. This is the first page of the import wizard.
2. In the first field enter the full path to the certificate. You may click Open to locate the certificate file. If the certificate file is password protected, enter the password in the second field.
3. Click Next. If the chain of the certificate being imported contains a root certificate, a page titled Verify Fingerprint appears. Compare the fingerprint shown with the value the certificate issuer published through a separate channel before continuing. If there is no root certificate, this page is skipped.
4. Click Next. The page titled View Certificate appears. Verify that this is the certificate you want to import. You may click View Details to see all information related to the certificate. The read-only field Certificate Type shows the type of the certificate, if that information exists in the certificate.
5. Click Next. If the certificate type was not found in the certificate, a page titled Select Certificate Type appears; otherwise this page is skipped. The user must select a certificate type manually. The first choice is one of the predefined types not already found on the card. The second choice is to introduce a new type name, which must begin with the letter U followed by an underscore (_), followed by the new name.
6. Click Next. The page titled Import Certificate appears. This is the final page, from which the certificate is imported to the smart card.
7. Click Update. The page titled Operation Status appears, showing the result of the import. The user may now click Restart to import another certificate.
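The following PowerShell script is an added example, not code from the eid App, that runs the checks a practitioner would want before feeding a file to the Import Certificate wizard above: it loads the file, orders the chain, reports the self-signed root's SHA-1 and SHA-256 fingerprints for comparison on the Verify Fingerprint page, checks whether that root is already in the Windows Root store (the store that section 6's Support page opens), shows the leaf's Enhanced Key Usage as a stand-in for the wizard's Certificate Type, and validates a user-defined type name against the U_ rule. The accepted file formats, the use of Enhanced Key Usage as an approximation of the app's certificate type, and the placeholder path, password and type name in the last line are assumptions. It needs Windows PowerShell 5 or later for the Cert: drive.

```powershell
# Added example (not eid App code): pre-import checks on a certificate file.
# Assumptions not in the manual: the file is PFX/P12 (with password) or
# DER/PEM/P7B, the wizard's "Certificate Type" is approximated by the leaf's
# Enhanced Key Usage, and the path, password and type name at the bottom are
# placeholders to replace with real values.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CertificatesFromFile {
    param([Parameter(Mandatory)] [string] $Path, [string] $Password)
    $collection = [X509Certificate2Collection]::new()
    if ([string]::IsNullOrEmpty($Password)) {
        $collection.Import($Path)
    } else {
        # Password-protected PFX; DefaultKeySet keeps the key out of a persisted store.
        $collection.Import($Path, $Password, [X509KeyStorageFlags]::DefaultKeySet)
    }
    return @(foreach ($c in $collection) { $c })
}

function Get-Sha256Fingerprint([X509Certificate2] $Cert) {
    # Thumbprint is SHA-1 over the DER encoding; compute SHA-256 as well so the
    # value can be matched whichever digest the issuer publishes.
    $sha = [SHA256]::Create()
    try { $hash = $sha.ComputeHash($Cert.RawData) } finally { $sha.Dispose() }
    return (($hash | ForEach-Object { $_.ToString('X2') }) -join ':')
}

function Get-OrderedChain([X509Certificate2[]] $Certs) {
    # Leaf = a certificate that is not the issuer of any other certificate in the
    # file. Matching subject/issuer strings is an approximation that is fine for a pre-check.
    $leaf = $Certs | Where-Object {
        $subject = $_.Subject
        -not ($Certs | Where-Object { $_.Issuer -eq $subject -and $_.Subject -ne $subject })
    } | Select-Object -First 1
    $ordered = @()
    $current = $leaf
    while ($current -and $ordered.Count -lt $Certs.Count) {
        $ordered += $current
        if ($current.Subject -eq $current.Issuer) { break }       # self-signed root reached
        $issuerName = $current.Issuer
        $current = $Certs | Where-Object { $_.Subject -eq $issuerName } | Select-Object -First 1
    }
    return $ordered
}

function Test-UserTypeName([string] $Name) {
    # 5.3.1: a new type name is the letter U, an underscore, then the name.
    # The characters allowed after the underscore are not specified; non-whitespace is assumed.
    return $Name -cmatch '^U_\S+$'
}

function Test-CertificateImport {
    param([Parameter(Mandatory)] [string] $Path, [string] $Password, [string] $NewTypeName)
    $certs = @(Get-CertificatesFromFile -Path $Path -Password $Password)
    $chain = @(Get-OrderedChain -Certs $certs)
    $leaf  = $chain[0]
    $root  = $chain | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1

    "Certificates in file : $($certs.Count)"
    "Leaf subject         : $($leaf.Subject)"
    "Leaf valid until     : $($leaf.NotAfter.ToString('u'))"
    "Private key in file  : $($leaf.HasPrivateKey)"
    $eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) { "Enhanced key usage   : $($eku.Format($false))" }   # stand-in for Certificate Type

    if ($root) {
        # Compare these with the issuer's published value before clicking Next
        # on the wizard's Verify Fingerprint page.
        "Root subject         : $($root.Subject)"
        "Root SHA-1           : $($root.Thumbprint)"
        "Root SHA-256         : $(Get-Sha256Fingerprint $root)"
        $known = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
                 Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        "Root already trusted on this computer: $([bool]$known)"
    } else {
        "No self-signed root in the file; the wizard will skip Verify Fingerprint."
    }
    if ($NewTypeName) {
        "Type name '$NewTypeName' follows the U_ rule: $(Test-UserTypeName $NewTypeName)"
    }
}

# Placeholder path, password and type name; replace with real values before running.
Test-CertificateImport -Path 'C:\certs\user.pfx' -Password 'changeit' -NewTypeName 'U_Encryption'
```

The script only reads the file and the local stores; it writes nothing to the card or to the Windows stores, so it can be run freely before the wizard.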
5.3.2 Update Certificate
Updating a certificate on the smart card is performed in several steps, some of which may be omitted depending on the situation. Use the following procedure to update a certificate:
Precondition: the type of the certificate to be updated must already exist on the smart card.
1. Select the tree item Update Certificate. The page titled Load Certificate appears. This is the first page of the update wizard.
2. Enter the full path to the certificate in the field. You may click Open to locate the certificate file.
3. Click Next. The page titled View Certificate appears. Verify that this is the certificate you want to update. You may click View Details to see all information related to the certificate. The read-only field Certificate Type shows the type of the certificate, if that information exists in the certificate.
4. Click Next. If the certificate type was not found in the certificate, a page titled Select Certificate Type appears; otherwise this page is skipped. The user must select a certificate type manually. Only user-defined certificate types already found on the smart card are offered.
5. Click Next. The page titled Update Certificate appears. This is the final page, from which the certificate is written to the smart card.
6. Click Update. The page titled Operation Status appears, showing the result of the update. The user may now click Restart to update another certificate.

5.3.3 Remove Certificate
Removing a certificate from the smart card is performed in two steps. Use the following procedure to remove a certificate:
Precondition: the type of the certificate to be removed must already exist on the smart card.
1. Select the tree item Remove Certificate. The page titled Select Certificate appears. This is the first page of the removal wizard. The user must select a certificate type manually. Only the types of deletable certificates already found on the smart card are offered.
2. Click Next. The page titled Remove Certificate appears.
3. Click Remove. The page titled Operation Status appears, showing the result of the removal. The user may now click Restart to remove another certificate.
6 Additional features
The page titled About shows several pieces of information about this application and some about the computer environment. The page titled Support provides additional information, such as the card applications that eid App currently supports, the paths to several log files, and direct access to the three main certificate stores.
For every log file the corresponding Open button opens the most recent and most appropriate file; other log files of the same type are available if the user selects the button's down arrow and then the option Open Containing Folder.

Usage log file: contains actions taken through the CSP and PKCS#11 libraries. If no such actions have been performed, the log file does not exist.
Installation log file: created during the installation process. The Open button displays the most recent log file; other log files are available in the containing folder.
Low level log file: contains the direct communication between a smart card and the eid App service. This communication is protected with encryption, and the messages in the log file are encrypted as well.
Service log file: contains actions performed by the eid App service.

The three buttons at the bottom of the page show the contents of the corresponding certificate stores. When the list of certificates is displayed, the user can examine the details of each by selecting it and following the link in the last line.
Personal store: contains certificates that belong to the user.
Root store: contains trusted root certificates. Root certificates are self-signed and are the issuers of intermediate CA certificates.
Intermediate store: contains intermediate certification authority (CA) certificates. User certificates are signed by them, and they in turn are signed by root certificates.

7 Third Party Software
The HIGHSEC eid App installation package contains software developed by third parties:

7.1 OpenSSL Toolkit
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). The usage of the OpenSSL Toolkit is provided under the license conditions as stated here: http://www.openssl.org/source/license.html.
7.1.1 OpenSSL License
Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

7.1.2 Original SSLeay License
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

7.2 BouncyCastle Crypto APIs
This product includes software developed by the Legion of the Bouncy Castle (http://www.bouncycastle.org).
The usage of the BouncyCastle Crypto API is provided under the license terms as stated here: http://bouncycastle.org/licence.html. Please note this should be read in the same way as the MIT license.

7.2.1 License
Copyright (c) 2000-2013 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.