Technical notes for HIGHSEC eid App Middleware Version 2.1, February 2014
Contents

1 Technical Notes
1.1 All Operating Systems
1.1.1 Slowing down of the cards while pairing
1.1.2 Load PKCS#11 into PGP Desktop
1.1.3 Web Browser Plugins detection for eid
1.1.3.1 Internet Explorer
1.1.3.2 Mozilla Firefox
1.1.4 Detect PKCS#11 library in client applications
1.1.4.1 Internet Explorer
1.1.4.2 Mozilla Firefox
1.1.4.3 Mozilla Thunderbird
1.1.5 PGP Desktop key generation
1.1.6 Online authentication using Internet Explorer
1.1.7 File decryption using Adobe Acrobat
1.1.8 Admin application and PGP Desktop
1.1.9 Windows logon and PGP Desktop
1.1.10 Firefox/Thunderbird extensions for (new) users
1.1.11 Windows logoff/shutdown and user certificates
1.2 Windows XP SP3 x32
1.2.1 Word 2003 issue
1.2.2 Internet Explorer 7
1.2.3 Internet Explorer 8
1.2.4 Mozilla Thunderbird
1.3 Windows 7 and Windows Vista
1.3.1 Office 2010
1.3.2 Windows Live 2011
1.3.3 Mozilla Thunderbird
1.3.4 CAN/PIN Dialog focus issue
1.4 Windows 8 and Server 2012
1 Technical Notes

1.1 All Operating Systems

Install the latest updates and service packs for your operating system.

1.1.1 Slowing down of the cards while pairing

If several different cards have already been paired on one computer, each further pairing becomes slower. Solution: in HSMW-GUI use the option to delete all current pairings and delete them all.

1.1.2 Load PKCS#11 into PGP Desktop

To use HSMW in PGP Desktop, load the PKCS#11 module first:
1. Install eid App Middleware.
2. Open PGP Desktop.
3. Select the Tools > PGP Options menu.
4. Select the Keys tab and change the synchronize with smart cards and tokens option to Other, then choose your PKCS#11 module. It is in the HSMW installation folder: hsmwp11_x86.dll.
5. Press OK and return to the PGP Desktop main window.
6. Press Tools > Options > Keys.
7. Wait until the PGP Desktop Import Certificate Assistant appears.
8. Press Cancel.
9. Restart PGP Desktop.
10. You have succeeded if a new keyring called Smart Card Keys is now displayed next to the existing ones (e.g. All Keys, My Private Keys).

1.1.3 Web Browser Plugins detection for eid

1.1.3.1 Internet Explorer

Start Internet Explorer and click on Tools, Manage add-ons.
Picture 1: Click on Manage add-ons

In the Manage add-ons dialog change the Show option to All add-ons.

Picture 2: All add-ons in Show option
Picture 3: Installed eid App plugin

1.1.3.2 Mozilla Firefox

Start Firefox and open the Add-ons Manager.

Picture 4: Open Firefox menu and click on Add-ons

In the Add-ons Manager click on Plugins and find HIGHSEC eid App Plugin.

Picture 5: HIGHSEC eid App plugin in Firefox

1.1.4 Detect PKCS#11 library in client applications

1.1.4.1 Internet Explorer

Internet Explorer does not use the PKCS#11 library: it is a CryptoAPI (CSP) application and reaches the card through the middleware's CSP instead, so there is no PKCS#11 module to look for in Internet Explorer.
1.1.4.2 Mozilla Firefox

Start Mozilla Firefox and open the options menu.

Picture 6: Options in Mozilla Firefox

In the Options window click on the Advanced tab, then on the Encryption tab inside it, and then on the Security Devices button below.
Picture 7: Encryption tab in Advanced options

The Device Manager will then be shown. On the left side of the window the Security Modules and Devices are listed; HIGHSEC eid App PKCS#11 Module will be in this list.
Picture 8: HIGHSEC eid App PKCS#11 Module

1.1.4.3 Mozilla Thunderbird

Click on Tools > Options > Advanced > Certificates and then on the Security Devices button.

Picture 9: Options menu in Thunderbird
The Device Manager will then be shown. On the left side of the window the Security Modules and Devices are listed; HIGHSEC eid App PKCS#11 Module will be in this list.

Picture 10: Device Manager window

1.1.5 PGP Desktop key generation

PGP Desktop cannot be used to generate a key pair on the smart card: it tries to create one key pair for both encryption and digital signing, and the smart card does not allow a key to be used for both purposes.

1.1.6 Online authentication using Internet Explorer

To access web sites that use online authentication with Internet Explorer, the user has to add the web site to the Trusted Sites list in Internet Explorer. Start Internet Explorer, select Tools > Internet Options > Security, select Trusted Sites and click the Sites button.
Picture 11: Security tab in Internet Options window

A new dialog opens. Enter the site address (e.g. https://www.eidusecase.com) and click Add. The site then appears in the Websites list of the Trusted sites dialog. Close the dialog and apply the changes.

Picture 12: Trusted sites window
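Scripted equivalent of the Trusted Sites dialog above, added here as an example and not part of the original notes: it writes the same ZoneMap registry entries Internet Explorer writes when a site is added in the dialog, which is the form needed when the site has to be trusted for many users or from a logon script. The URL is the example from the text; the split of the host name into a two-label domain and a sub-key is an assumption of the script.

```powershell
# Added example, not part of the HIGHSEC notes: put a site into Internet Explorer's
# Trusted Sites zone (zone 2) by writing the ZoneMap entries the dialog in 1.1.6 writes.
# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
param(
    [string]$Url = 'https://www.eidusecase.com'   # example site from section 1.1.6
)

$uri    = [System.Uri]$Url
$labels = $uri.Host.Split('.')
if ($labels.Count -lt 2) { throw "Need a fully qualified host name, got '$($uri.Host)'" }

# Assumption: the registrable domain is the last two labels (eidusecase.com) and the
# rest (www) becomes the sub-key. Hosts under multi-part TLDs such as co.uk need the
# split adjusted by hand.
$domain = $labels[-2..-1] -join '.'
$sub    = $null
if ($labels.Count -gt 2) { $sub = $labels[0..($labels.Count - 3)] -join '.' }

# Machines with IE Enhanced Security Configuration (Server 2012 by default) keep the
# list under ...\ZoneMap\EscDomains instead; use 'EscDomains' in place of 'Domains' there.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' + $domain
if ($sub) { $key = $key + '\' + $sub }

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# The value name is the scheme; the DWORD data is the zone number.
New-ItemProperty -Path $key -Name $uri.Scheme -Value 2 -PropertyType DWord -Force | Out-Null

# Read the entry back so the script fails loudly if the write did not take effect.
$zone = (Get-ItemProperty -Path $key).($uri.Scheme)
if ($zone -ne 2) { throw "Expected zone 2 for $($uri.Scheme)://$($uri.Host), found '$zone'" }
Write-Host "$($uri.Scheme)://$($uri.Host) is now in the Trusted Sites zone ($key)"
```

Run it in the user's own session, because the list lives under HKCU; a Group Policy Site to Zone Assignment List overrides whatever is written here. The Trusted Sites zone keeps "Require server verification (https:) for all sites in this zone" enabled by default, so an http entry is ignored unless that box is cleared in the dialog.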
1.1.7 File decryption using Adobe Acrobat

When the user opens a PDF document encrypted with Adobe Acrobat, Adobe Acrobat asks for the smart card PIN twice.

1.1.8 Admin application and PGP Desktop

The PGP Desktop services interfere with the exclusive smart card access that the eid App Administration application needs for some operations. The Administration application then reports that CAPI or PKCS#11 sessions are active. To use the Administration application with full functionality, uninstall PGP Desktop.

1.1.9 Windows logon and PGP Desktop

If PGP Desktop is installed, the Windows logon dialog can remain frozen when the user tries to log on until the user presses CTRL+ALT+DELETE. To prevent this, uninstall PGP Desktop.

1.1.10 Firefox/Thunderbird extensions for (new) users

Every user has to enable the eid App extensions for their own profile. The Firefox and Thunderbird extensions are disabled for users who have not yet enabled them, and also for user accounts created after eid App was installed.

1.1.11 Windows logoff/shutdown and user certificates

Windows does not allow the user certificate store to be modified once shutdown or logoff has started. eid App therefore cannot remove the end-entity certificates from the user certificate store at that point, and they are still present after the next Windows logon/startup even when the card is no longer available.

1.2 Windows XP SP3 x32

1.2.1 Word 2003 issue

Due to a Word 2003 issue, MS Word 2003 only uses certificates and keys whose KeySpec is AT_KEYEXCHANGE for digital signatures. Certificates whose KeySpec is AT_SIGNATURE are ignored. Solution: use a newer version of MS Word (e.g. Word 2007), which also accepts certificates with the AT_SIGNATURE KeySpec.

1.2.2 Internet Explorer 7

The provided web applications may require SSL cipher suites that IE7 does not support. With SSL turned off the plugin works. Note that turning SSL off removes the transport protection of the authentication exchange and is only acceptable for testing; the proper fix is to enable a cipher suite that IE7 supports on the server side.
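A diagnostic script for the symptoms in 1.1.8, 1.1.11 and 1.2.1, added here as an example and not part of the original notes. It first lists the processes that have the middleware's PKCS#11 library loaded (each of them holds a session that blocks the Administration application's exclusive access), then walks the user's Personal certificate store and reports each certificate's CAPI provider and KeySpec (the AT_KEYEXCHANGE / AT_SIGNATURE value Word 2003 filters on) and whether its key container can still be opened; containers that cannot be opened are the stale entries left behind after the card was removed during logoff. The library name hsmwp11_x86.dll comes from 1.1.2; everything else is the script's own assumption.

```powershell
# Added example, not part of the HIGHSEC notes. Two checks behind the symptoms in
# 1.1.8 (CAPI/PKCS#11 sessions active), 1.1.11 (certificates left in the user store)
# and 1.2.1 (Word 2003 only uses AT_KEYEXCHANGE keys).
param(
    [string]$ModuleName = 'hsmwp11_x86.dll',   # PKCS#11 library named in section 1.1.2
    [switch]$RemoveStale                       # also delete certificates whose key is gone
)

Write-Host "== Processes that have $ModuleName loaded (each holds a PKCS#11 session) =="
foreach ($p in Get-Process) {
    try {
        # Module lists of processes you cannot open (other users, different bitness)
        # throw and are skipped, so run elevated for a complete picture.
        $hit = @($p.Modules | Where-Object { $_.ModuleName -eq $ModuleName })
        if ($hit.Count -gt 0) {
            Write-Host ("  {0,-24} PID {1,6}  {2}" -f $p.ProcessName, $p.Id, $hit[0].FileName)
        }
    } catch { }
}

Write-Host "== Certificates in Cert:\CurrentUser\My =="
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $keySpec = '-'; $provider = '-'; $state = 'no private key linked'
    if ($cert.HasPrivateKey) {
        try {
            # Opening the container may prompt for the card on some CSPs; cancelling the
            # prompt lands in the catch block below, which is the wanted outcome.
            $rsa = $cert.PrivateKey
            if ($rsa -eq $null) {
                $state = 'CNG key (no CAPI container, KeySpec not readable here)'
            } else {
                $info     = $rsa.CspKeyContainerInfo
                $provider = $info.ProviderName
                # KeyNumber is the KeySpec: Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
                $keySpec  = $info.KeyNumber
                if ($info.HardwareDevice) { $state = 'key on smart card' } else { $state = 'software key' }
            }
        } catch {
            # The container cannot be opened: the card holding the key is not present
            # (the situation described in 1.1.11). Keys CAPI cannot open at all, e.g.
            # CNG-only keys on older .NET, also land here, so do not use -RemoveStale blindly.
            $state = 'STALE: key container unreachable'
            if ($RemoveStale) {
                $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
                $store.Open('ReadWrite'); $store.Remove($cert); $store.Close()
                $state = $state + ' -> removed'
            }
        }
    }
    Write-Host ("  {0}" -f $cert.Thumbprint)
    Write-Host ("    subject : {0}" -f $cert.Subject)
    Write-Host ("    issuer  : {0}" -f $cert.Issuer)
    Write-Host ("    keyspec : {0}   provider: {1}" -f $keySpec, $provider)
    Write-Host ("    state   : {0}" -f $state)
}
```

Run the first part while the Administration application reports active sessions: the process names it prints (PGP Desktop services, a browser with the module registered, and so on) are what has to be closed or uninstalled before exclusive access is possible. The provider name in the second part also tells you whether a certificate is reachable through a CSP or only through a CNG key storage provider, which matters for the Office behaviour in 1.3.1.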
1.2.3 Internet Explorer 8

The same applies to IE8: the provided web applications may require SSL cipher suites that IE8 does not support, and the plugin works if SSL is turned off.
1.2.4 Mozilla Thunderbird

The root CA certificate and any other CA certificates in the chain have to be set as trusted in the Thunderbird Authorities certificate store. If any certificate in the chain is not trusted, Thunderbird cannot validate the user certificate.

1.3 Windows 7 and Windows Vista

1.3.1 Office 2010

Install the latest updates and service pack for Word 2010 and MS Office 2010. Without them, Word 2010 tries to obtain the private key of the esign certificate from the smart card through a CNG Key Storage Provider, and the user cannot sign the document. Solution: install the latest updates (hotfix KB2412320 for Office 2010) or run MS Office 2010 in compatibility mode for Windows XP SP3.

Likewise, without the latest service pack and updates, if the certificate used for e-mail encryption does not carry S/MIME capabilities, Outlook 2010 uses the RC2 encryption algorithm instead of 3DES (even though 3DES is set in the e-mail security settings of the account), and decryption is then not possible in Outlook 2010. Hotfix KB2475877 for Outlook 2010 fixes this.

1.3.2 Windows Live 2011

Windows Live 2011 uses the RC2 encryption algorithm instead of 3DES, although 3DES is set in the account settings and should normally be used. The card is therefore not usable with Windows Live 2011.

1.3.3 Mozilla Thunderbird

The root CA certificate and any other CA certificates in the chain have to be set as trusted in the Thunderbird Authorities certificate store. If any certificate in the chain is not trusted, Thunderbird cannot validate the user certificate.

1.3.4 CAN/PIN Dialog focus issue

The user must first click into the CAN/PIN dialog and then enter the CAN/PIN. The dialog cannot take the focus by itself, because Windows Vista and later do not allow an application to steal the foreground focus.

1.4 Windows 8 and Server 2012

Install the latest updates and service packs for your operating system.
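A check for the RC2 fallback described in 1.3.1 and 1.3.2, added here as an example and not part of the original notes: it inspects the S/MIME capabilities extension of the e-mail certificates in the user's Personal store and reports whether 3DES (and RC2) is advertised, which is the condition under which an unpatched Outlook 2010 or Windows Live 2011 picks RC2. The OIDs are the standard PKCS#9 and PKCS#3 values; searching the raw DER bytes for the encoded OIDs instead of parsing the ASN.1 structure is a simplification of the script.

```powershell
# Added example, not part of the HIGHSEC notes. Outlook 2010 without hotfix KB2475877
# and Windows Live 2011 fall back to RC2 when the recipient certificate does not
# advertise 3DES in its S/MIME capabilities (1.3.1, 1.3.2). For every certificate
# with the Secure Email EKU in Cert:\CurrentUser\My this reports whether the
# extension exists and which of the two ciphers it names.
$oidSmimeCaps   = '1.2.840.113549.1.9.15'   # PKCS#9 SMIMECapabilities extension
$oidSecureEmail = '1.3.6.1.5.5.7.3.4'       # id-kp-emailProtection EKU
# DER encodings of the algorithm OIDs inside the extension: tag 06, length 08, value bytes.
$der3des = '06082A864886F70D0307'           # 1.2.840.113549.3.7 des-ede3-cbc
$derRc2  = '06082A864886F70D0302'           # 1.2.840.113549.3.2 rc2-cbc

function Get-SmimeCapabilityReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $caps = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oidSmimeCaps }
    $row = New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        HasCaps    = ($caps -ne $null)
        Lists3DES  = $false
        ListsRC2   = $false
    }
    if ($caps -ne $null) {
        # Byte-pattern search over the raw DER is enough to spot the algorithm
        # identifiers; DER never splits an OID across elements, so no parser is needed.
        $hex = ($caps.RawData | ForEach-Object { $_.ToString('X2') }) -join ''
        $row.Lists3DES = $hex.Contains($der3des)
        $row.ListsRC2  = $hex.Contains($derRc2)
    }
    return $row
}

$rows = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # Only e-mail certificates matter here; authentication and signature-only certificates are skipped.
    if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $oidSecureEmail })) {
        Get-SmimeCapabilityReport -Cert $cert
    }
}
$rows | Format-Table Thumbprint, HasCaps, Lists3DES, ListsRC2, Subject -AutoSize
```

A row with HasCaps = False or Lists3DES = False is a certificate for which the unpatched clients choose RC2 regardless of the 3DES setting in the account; for Outlook 2010 the remedy is the hotfix named above, while for Windows Live 2011 the notes give none.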