User Guide: Digital Signature
ENTRUST ESP 9.2
Document version: 2.2
Publication date: January 2014
This guide is the exclusive property of Notarius Inc. All reproduction, printing or distribution of this guide by e-mail or other means is strictly forbidden. This guide may not be fully or partially reproduced without prior written permission from Notarius Inc.

Notarius Inc. Page 2 of 49
TABLE OF CONTENTS

1. ABOUT THIS GUIDE ... 5
  1.1 SPECIFIC OBJECTIVES ... 5
  1.2 PREREQUISITES ... 5
  1.3 KEYS ... 5
2. USING ENTRUST ESP 9.2 ... 6
  2.1 LOG IN ... 6
  2.2 LOG OUT ... 7
  2.3 BACKING UP A COPY OF AN .EPF FILE ... 8
3. SECURITY LEVELS ... 9
4. ENCRYPT A DOCUMENT FOR YOURSELF ... 10
5. ENCRYPTING A FILE FOR OTHERS ... 12
  5.1 PROCEDURE ... 12
  5.2 CREATING A QUICK LIST OF RECIPIENTS ... 15
6. DIGITALLY SIGNING A FILE ... 20
7. ENCRYPTING AND DIGITALLY SIGNING A FILE FOR YOURSELF AND FOR OTHERS ... 22
8. DECRYPTING AND CHECKING A SECURED FILE ... 26
9. VERIFYING THE IDENTITY OF THE SIGNER OF A DOCUMENT ENCRYPTED FOR YOU ... 28
10. REJECTED FILES ... 30
  10.1 NAME NOT ON THE RECIPIENTS LIST ... 30
  10.2 ALTERED FILE ... 30
11. OTHER ENTRUST FEATURES ... 31
  11.1 ENROLL FOR ENTRUST DIGITAL ID ... 31
  11.2 RECOVER ENTRUST DIGITAL ID ... 31
  11.3 OPTIONS ... 31
    11.3.1 Change the Digital Signature Password ... 32
    11.3.2 Setting a Logout Hot Key ... 35
    11.3.3 Password-Encrypting a File ... 35
    11.3.4 Getting Information on the Entrust Security Store Type ... 41
  11.4 ENTRUST CERTIFICATE EXPLORER ... 42
    11.4.1 Creating a New Personal Encryption Group ... 42
    11.4.2 Adding a Member to an Existing Group ... 45
    11.4.3 Deleting a Member from a Personal Encryption Group ... 46
  11.5 EMAILING CERTIFICATES TO ANOTHER CERTIFICATE USER ... 47
1. ABOUT THIS GUIDE

1.1 Specific Objectives

Readers of this guide will learn how to use their digital signature to confidentially and securely exchange electronic files using Entrust ESP 9.2 software. More specifically, digital signature holders will:

- Become familiar with the Entrust ESP 9.2 software features
- Know how to use the various security levels

1.2 Prerequisites

- Have the Entrust ESP 9.2 software installed
- Hold an activated digital signature issued by the Quebec Certification Centre

1.3 Keys

The various symbols below are used in this guide to indicate a specific type of comment (the icons themselves are not reproduced here):

- Note symbol: indicates a note to the reader.
- In-depth symbol: indicates an in-depth comment that provides more detailed information on a concept.
- Warning symbol: represents a warning.
2. USING ENTRUST ESP 9.2

Using a digital signature with Entrust ESP 9.2 means that operations such as encrypting and digitally signing a document can be securely carried out. A document secured in this way allows the signer's identity to be checked, just like a driver's licence or passport.

When the Entrust ESP 9.2 software is installed on a workstation, an icon appears in the lower-right corner of the screen.

- One icon indicates that an Entrust session is currently open.
- Another icon indicates that an Entrust session is currently closed.

2.1 Log In

You first select your digital signature profile (i.e. the .epf file produced by creating your digital signature) and then enter your personal password to access Entrust. This operation ensures that only you can use your digital signature to encrypt and digitally sign documents in your name.

PROCEDURE:

- Position the mouse cursor over the icon
- Click the right mouse button
- Select Log in
- If a profile (see note below) is already installed on the workstation, an Entrust Security Store Login window appears with the profile name already displayed. Enter the digital signature password
- If your profile is not already installed on the workstation: click on the drop-down menu to see if the profile name is listed on it and, if so, select it (if it is not listed, click Browse to find the .epf file linked to the desired profile). Enter the digital signature password

Note: The profile is the .epf file produced when the digital signature was created. Its filename consists of the username, followed by a .epf extension (e.g. John Smith.epf). This file is required to open an Entrust session because it contains the private decryption key, private signature key and general Entrust security parameters, such as the default encryption algorithm.
Do not enter your name in the Name field. In the drop-down menu, select the file (your profile) that bears your name and the .epf extension.

If the profile cannot be found, locate the .epf signature file according to the following steps:

- Click Start and enter *.epf in the Search Programs and Files field

2.2 Log Out

Always make sure to close an Entrust session when exiting the workstation to prevent unauthorized use of your key (digital signature). Using a digital signature confers the same rights as your official signature affixed to a paper document. Using it for any other purpose may constitute an offence.

An Entrust session automatically closes whenever any of the following events occurs:

- The session is closed manually (steps outlined below)
- A keyboard shortcut created for closing sessions is used
- End of Windows session
- Activation of a Windows screensaver
- Windows is locked
PROCEDURE FOR MANUALLY CLOSING A SESSION

- Position the mouse cursor over the icon
- Right-click and select Log out

2.3 Backing Up a Copy of an .epf File

We strongly recommend saving a backup copy of the .epf signature file on a USB key, diskette or CD-ROM and storing it in a secure location that is only accessible to the holder of the digital signature.

Given that the .epf signature file is the holder's private key, it is essential that a new backup copy be made whenever this file is updated or modified. Private keys are automatically updated during the two months prior to the certificate's renewal date. If there is no activity during this period, the holder's private key will not be renewed and a new request must be submitted.

Whenever possible, users should always work online for maximum protection when securing a document for one or more of the list's members or when checking data during decryption.
3. SECURITY LEVELS

Entrust ESP 9.2 provides several security levels that are defined below.

Type: Encrypt the file
Definition: Ensures document confidentiality and integrity by using a complex mathematical procedure that renders a file illegible if an unauthorized person attempts to open it.

Type: Digitally sign the file
Definition: Adds a certificate to the document which authenticates its signature and ensures that it cannot be repudiated. Anyone possessing a valid digital signature from the Quebec Certification Centre, even those not on a list of selected recipients, can open the document.

Type: Encrypt and sign the file for yourself
Definition: Protects the document and adds the user's authentication certificate to it. Only the user can open it using his/her own digital signature.

Type: Encrypt and digitally sign the file for other recipients
Definition: Equivalent to using Encrypt and Sign for yourself and also allowing other selected individuals (subscribers to the Quebec Certification Centre) to access the document.

When a file is secured, a new .p7m extension is immediately added after its existing name and extension (e.g. test.doc will become test.doc.p7m). It is possible to secure a file on a network drive.

It is important to name the file correctly before securing it because the name itself is protected by encryption. Files renamed after being secured revert to their original name during decryption or unlocking.
4. ENCRYPT A DOCUMENT FOR YOURSELF

This feature allows you to encrypt (secure) a file for yourself without attaching your signature certificate to it. Consequently, only you can decrypt (open) it using your digital signature.

PROCEDURE:

- Using My Computer or Windows Explorer, browse to the location of the file to be encrypted
- Position your mouse cursor on the file and right-click
- Select Encrypt file
- Click Next
- Click Choose to select your certificate if it is not already displayed. Do not change the default Entrust algorithm, 3DES.
- Click Next
- Check Delete the original files on finish if you prefer not to keep a non-encrypted copy of the file on your workstation. If this box is left unchecked, you will have a non-encrypted copy as well as an encrypted copy of this document.
- Click Finish
5. ENCRYPTING A FILE FOR OTHERS

This feature enables users to secure a document for themselves and one or more recipients whom they must first select. It should be noted that a signature certificate will not be affixed to this document.

Example: Encrypting a document for a member in a specific list (Jules Boulerice in the present example).

The selected recipient(s) must have a valid digital signature issued by the QCC.

This feature requires an Internet connection to access the directory that lists the members of the Quebec Certification Centre.

5.1 Procedure

- Using My Computer or Windows Explorer, browse for the location of the (Word, Excel or other) file to be encrypted for one or more individuals with a digital signature from the QCC
- Position the mouse cursor on the file
- Right-click and select Encrypt file
- Click Next
- Click Choose... to select your certificate if it is not already displayed. Do not change the default Entrust Encryption algorithm, 3DES.
- Check the Encrypt the files for other people in addition to myself box.
- Click Next
- Click Add... to select the certificates of those individuals for whom you want to secure the file
- Enter the person's name without any accented characters
- Click Search to access the certificates directory
- Select the person's name
- Click OK

If two people have the same name, click View to display the certificate and avoid securing a document for an unauthorized person.

- Add as many recipients as you like by clicking the Add... button.
- Click Next
- Check the Delete the original files on finish box if you prefer not to keep a non-encrypted copy on your workstation. If this box is left unchecked, you will have both a non-encrypted copy and an encrypted copy of this document.
- Click Finish

The file is now secured for both yourself and your recipient(s). Do not forget to email the signed document or to make it available by some other means.

5.2 Creating a Quick List of Recipients

It is possible to create a quick list of recipients for whom you regularly secure files. This feature saves you from searching the certificates directory each time you want to encrypt a file or encrypt and sign a file.

- Follow the steps described in Encrypting a File for Others (section 5.1) or Encrypting and Digitally Signing a File for Yourself and for Others (section 7)
- Click Add to select the certificates of those individuals for whom you want to secure the file
- Enter the person's name without any accented characters
- Click Search to access the certificates directory
- Select the person's name
- Click View to display the certificate
- Click Install Certificate
- Click Next
- Select Place all certificates in the following store
- Click Browse...
- Select Trusted People
- Click OK
The certificate store then displays the selected store (screenshot not reproduced).

- Click Next
- Click Finish
- Click OK or close the dialog boxes by clicking the red X and start the operation over

To add more recipients, repeat these steps.
The quick list will appear the next time you use Entrust to secure a file for other recipients. Simply select the desired recipients and click on the OK button. Use the CTRL key to select more than one name from your quick list.

This method saves you from conducting a search by person as explained in section 5.1.

It is possible to create groups of recipients or personal groups for encryption, thereby including in the same group people for whom you want to encrypt and/or sign documents. See section 11.4.1.
6. DIGITALLY SIGNING A FILE

This feature allows users to add their signature certificate to a file, thereby identifying them as the signer and ensuring that their signature cannot be repudiated. When a document is only signed, anyone possessing a digital signature from the QCC can open the file with their own digital signature.

PROCEDURE:

- Using My Computer or Windows Explorer, browse to the location of the file to be encrypted
- Position your mouse cursor on the file and right-click
- Select Digitally sign file
- Click Next
- Click Choose... to select your certificate if it is not already displayed. Do not change the default Entrust Hash algorithm, SHA1.
- Click Next

If an Entrust session is open, this feature will run automatically; otherwise the Open session window will appear and the user will be asked to enter the digital signature password.

- Check the Delete the original files on finish box if you prefer not to keep a non-encrypted copy on your workstation. If this box is left unchecked, you will have both a non-encrypted copy and an encrypted copy of this document.
- Click Finish

Files that are only signed can be opened by all Quebec Certification Centre subscribers. It is therefore not necessary to select recipients for this type of file.

Do not forget to email the signed file or make it available by some other means.

A signed file's digital signature can only be verified by accessing the file properties (right-click on the file > Properties > State Security tab).
7. ENCRYPTING AND DIGITALLY SIGNING A FILE FOR YOURSELF AND FOR OTHERS

This feature allows you to encrypt and digitally sign one or more files for yourself and for others holding a digital signature from the QCC. Once secured, the file can be emailed.

PROCEDURE:

- Using My Computer or Windows Explorer, browse to the location of the (Word, Excel or other) file to be encrypted and signed for you or someone else with a digital signature
- Position the mouse cursor on the file, right-click and select Encrypt and digitally sign file
- Click Next
- Click Choose... to select your certificate if it is not already displayed. Do not change the default Entrust encryption algorithm (3DES) or hash algorithm (SHA1).
- Check the Encrypt the files for other people in addition to myself box. If left unchecked, the file will be encrypted and signed for you only.
- Click Next
- Click Add... to select the certificates of those individuals for whom you want to secure the file
- Enter the person's name (without accented characters) and click Search to gain access to the certificate store
- Select the desired name
- Click View to see the certificate, or click OK
- Add more recipients by clicking Add...
- Click Next when done

If an Entrust session is open, this feature will run automatically; otherwise the Open session window will appear and the user will be asked to enter the digital signature password.

- Check the Delete the original files on finish box if you prefer not to keep a non-encrypted copy on your workstation
If this box is left unchecked, you will have both a non-encrypted copy and an encrypted copy of this document.

- Click Finish.

The file is now secured for both yourself and your recipient(s).
8. DECRYPTING AND CHECKING A SECURED FILE

This feature allows you to decrypt, verify and open files that were encrypted and/or encrypted and signed with a digital signature.

PROCEDURE:

- Locate the encrypted or locked file to view
- Position the mouse cursor on the file
- Right-click and select one of the following options: Decrypt, verify and open or Decrypt and verify
- Enter the password
- Click OK
- Click Yes
If the Decrypt, verify and open option was selected, the document will open on screen in its original format.

The Decrypt and verify option decrypts the file without opening it and verifies that the recipient is on the Recipients list. If not, an error message to that effect is displayed on screen.

Double-clicking an encrypted file is the equivalent of the Decrypt, verify and open option.

Decrypting a file on a network drive: If the document you want to decrypt is on a network drive, Entrust ESP9 will ask you to decrypt the file locally on your computer. This provides a higher level of security because your decrypted file is not left on a shared network location where other people could access it.
9. VERIFYING THE IDENTITY OF THE SIGNER OF A DOCUMENT ENCRYPTED FOR YOU

This feature allows you to verify the identity of the signer of a document encrypted for you. This verification confirms the identity of the signer and that the document has not been amended since it was signed.

PROCEDURE:

- Identify the file for which you want to verify the name of the signer
- Position the mouse cursor on it
- Right-click and select Properties > Security Status
- Click View Certificate to view the signer's information
- Click OK
- Click Details in the File Security Properties window
- Click Close
- Click OK

You can verify the name of the signer of a document only if the document has been encrypted for you and you have opened an Entrust session beforehand.
10. REJECTED FILES

10.1 Name Not on the Recipients List

If you forget to add the name of a recipient to the list when securing a file, the recipient will get an error message when attempting to open it.

SOLUTION: The recipient must contact you so that you can resend the signed file after adding his or her name to the Recipients list.

Recipients cannot be added to a file that has already been secured. The file has to be decrypted and the operation started over. To maintain the overall security of the system, you cannot see for whom files were secured.

10.2 Altered File

If a file has been changed (e.g. by inserting or deleting words, adding spaces, etc.) between the time when it was encrypted and/or signed and when the recipient attempts to open it, an error message will display indicating that the file cannot be opened because it has been altered.

SOLUTION: Ask the person who sent you the file to forward you a new copy.
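As an added example that is not part of the Notarius guide or of Entrust, the following POSIX shell script expresses the security levels of section 3 (encrypt, sign, encrypt and sign) as OpenSSL CMS operations, then runs the recipient-side checks of sections 8 to 10.2: decrypt as a listed recipient, confirm the signer through the certificate thumbprint of section 11.5, reject a person who is not on the recipients list, and reject an altered file. The identities alice, bob and mallory, the sample content and the working directory are constructed for the demo; OpenSSL stands in for the Entrust client and AES-256 is used where the guide's 2014 default is 3DES.

```shell
#!/bin/sh
# Added example, not from the Notarius guide or Entrust: section 3's security levels as
# OpenSSL CMS operations, followed by the recipient-side checks of sections 8 to 10.2.
# "alice", "bob", "mallory", the sample file and WORK are constructed for this demo.
set -u
WORK="${TMPDIR:-/tmp}/esp-cms-demo.$$"
mkdir -p "$WORK"

# A self-signed certificate stands in for a QCC-issued digital signature (constructed).
make_identity() {                      # $1 = name
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Sections 4 and 5, "Encrypt file": CMS EnvelopedData (.p7m) for the listed recipients.
# The guide's 2014 default is 3DES; AES-256 is the current choice and is used here.
encrypt_for() {                        # $1 = input, $2 = output, $3.. = recipient names
  in=$1; out=$2; shift 2
  certs=""; for r in "$@"; do certs="$certs $WORK/$r.crt"; done
  openssl cms -encrypt -aes256 -binary -outform DER -in "$in" -out "$out" $certs
}

# Section 6, "Digitally sign file": CMS SignedData with the content embedded (-nodetach),
# so anyone can read it; the signature only binds it to the signer's certificate.
sign_as() {                            # $1 = signer, $2 = input, $3 = output
  openssl cms -sign -binary -nodetach -outform DER -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -in "$2" -out "$3"
}

# Section 7, "Encrypt and digitally sign": sign first, then envelope the signed blob.
sign_and_encrypt() {                   # $1 = signer, $2 = input, $3 = output, $4.. = recipients
  signer=$1; in=$2; out=$3; shift 3
  sign_as "$signer" "$in" "$out.signed" && encrypt_for "$out.signed" "$out" "$@"
}

# Section 8, "Decrypt and verify", as recipient $1. openssl exits non-zero when $1's
# certificate is not among the recipients (section 10.1).
decrypt_as() {                         # $1 = recipient, $2 = .p7m, $3 = output
  openssl cms -decrypt -inform DER -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -in "$2" -out "$3" 2>/dev/null
}

# Section 9: check the signature and that the signer chains to a certificate we trust;
# the signer's certificate is written to $4 so its thumbprint can be compared.
verify_signed() {                      # $1 = signed blob, $2 = trusted cert, $3 = content out, $4 = signer out
  openssl cms -verify -inform DER -binary -CAfile "$2" -in "$1" -out "$3" \
    -signer "$4" 2>/dev/null
}

# Section 11.5: the SHA-1 thumbprint that the certificate viewer shows and that the guide
# has you read out over the telephone.
thumbprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'; }

# Section 10.2: simulate modification in transit by changing the last byte of a file.
corrupt_last_byte() {                  # $1 = file
  n=$(wc -c < "$1"); last=$(tail -c 1 "$1" | od -An -tu1 | tr -d ' \n')
  printf "$(printf '\\%03o' $(( (last + 1) % 256 )))" |
    dd of="$1" bs=1 seek=$((n - 1)) conv=notrunc 2>/dev/null
}

# End-to-end run; returns 0 only if every expected outcome holds.
run_demo() {
  make_identity alice && make_identity bob && make_identity mallory || return 1
  printf 'Offer: 100 units at 12.50\n' > "$WORK/test.doc"    # constructed content
  sign_and_encrypt alice "$WORK/test.doc" "$WORK/test.doc.p7m" alice bob || return 1
  # Bob is on the recipients list: decrypt, then verify the signer and compare thumbprints.
  decrypt_as bob "$WORK/test.doc.p7m" "$WORK/inner.p7s" || return 1
  verify_signed "$WORK/inner.p7s" "$WORK/alice.crt" "$WORK/out.doc" "$WORK/who.crt" || return 1
  cmp -s "$WORK/test.doc" "$WORK/out.doc" || return 1
  [ "$(thumbprint "$WORK/who.crt")" = "$(thumbprint "$WORK/alice.crt")" ] || return 1
  # Section 10.1: Mallory was never added as a recipient, so decryption must fail.
  if decrypt_as mallory "$WORK/test.doc.p7m" "$WORK/bad.p7s"; then return 1; fi
  # Section 10.2: an altered secured file must be rejected.
  corrupt_last_byte "$WORK/inner.p7s"
  if verify_signed "$WORK/inner.p7s" "$WORK/alice.crt" "$WORK/out2.doc" "$WORK/who2.crt"; then
    return 1
  fi
  return 0
}

run_demo && echo "all checks passed (work dir: $WORK)"
```

The script leaves its files in the work directory it prints, so the envelope and the extracted signer certificate can be inspected afterwards with openssl cms -cmsout -print and openssl x509 -text.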
11. OTHER ENTRUST FEATURES

To access other Entrust features, position your mouse cursor over the Entrust icon in the lower-right corner of your screen and right-click. Choose one of the options listed below.

11.1 Enroll for Entrust Digital ID

An Entrust digital ID contains cryptographic data that includes your keys and certificates. This option is only used when your digital signature is created. When a request for a digital signature is accepted, the future holder receives two activation codes, i.e. a reference number and an authorization code. Upon receiving the codes, the recipient has to connect via the Internet to the Quebec Certification Centre's server and access the Enroll for Entrust Digital ID... option.

Only one profile is created for each pair of activation codes. Once used, these codes are no longer valid and should be destroyed in a secure way. Holders who reuse their activation codes (i.e. their reference number and authorization code) risk corrupting the file containing their private signature key (.epf signature file).

11.2 Recover Entrust Digital ID

A profile must be recovered in the following cases:

- The holder's profile (.epf file) has been lost or stolen
- The profile (.epf) was damaged
- The holder forgot his or her password
- The holder believes that an unauthorized person has accessed his or her profile

You can recover your digital signature online. Go to www.notarius.com and click My Account in the top left corner of the website. Once you are in your account:

- Click on the My Subscriptions tab
- Click to select the digital signature you wish to recover
- Click the Recover my digital signature button
- In the window that displays, click the Recover my digital signature button to confirm the recovery

The first of two codes necessary to recover your digital signature will be sent to you by email. Click on the hyperlink included within the email.
You will be redirected to a web page containing your second code as well as instructions to help you complete the recovery.

11.3 Options...

The user accesses the Entrust options to:
- Change the digital signature password
- Configure a keyboard shortcut for closing a session
- Get information on the Entrust security store type

To open the options:

- Position the mouse cursor over the icon appearing in the lower-right corner of the screen
- Right-click
- Select Options... and the Log In window displays
- Enter your digital signature password and then click OK

11.3.1 Change the Digital Signature Password

You should never reveal your password or let anyone watch you entering your password.

PROCEDURE:
- Click Change Password... and the Change Entrust Security Store Password window will display
- Click Next
- Enter the currently used password and then click Next
- Enter a new password that meets the stated requirements
- Confirm the new password by entering it a second time
- Click Next to confirm the change
- Click Finish
Since changing the password involves a change to the signature holder's profile, it is essential to save a backup copy of the .epf signature file on CD or other medium and to destroy the old copy.

11.3.2 Setting a Logout Hot Key

- In the Logout hot key field, enter the logout hot key sequence you want to use (example: CTRL + E)
- Click OK to save this keyboard shortcut

This logout hot key will allow you to quickly close an Entrust session.

11.3.3 Password-Encrypting a File

This feature is used to encrypt a file, thereby securing it, for you or for trusted individuals. Consequently, you or these individuals (with whom you will have shared your password beforehand) will be able to decrypt this file, that is, open the file with a password.
When a file is password encrypted, the .pp7m or .exe extension is added and a new icon appears at the selected location. For example:

- One icon indicates that the file carries the .pp7m file extension. If you do not have a digital signature with an encryption certificate or the ESP client installed on your PC, go to http://www.notarius.com/help/downloads.dot to download the free Entrust Password Decrypt software, which will enable you to open password-encrypted files.
- Another icon indicates that the file carries the .exe file extension. If the password-encrypted file carries the .exe file extension, it will most likely not be possible to send it via email due to security measures applied to email servers. In this case, there is no need to download the Entrust Password Decrypt application.

Make sure not to lose the password for the password-encrypted file. Otherwise, it will be impossible to open the document.
PROCEDURE:

PASSWORD-ENCRYPTING ONE FILE:

- Using My Computer or Windows Explorer, browse for the location of the file to password encrypt
- Position the mouse cursor on the file and right-click
- Select Encrypt File with Password...
- Click Next
- Enter a password that meets the stated requirements
- Confirm the password by entering it a second time
- Click Next
- Click Browse to select a location for the password-encrypted file. By checking the Generate self-decrypting output file box, you are creating a password-encrypted file bearing the .exe extension. If this box is not selected, you will generate a .pp7m file by default.
- Click Next

If the Delete the original files on finish box is not checked, the original, non-encrypted file is saved on your PC along with the new, password-encrypted file.
If you check the Send files via email box, Outlook opens automatically.

- Click Finish. The file is now password encrypted.

PASSWORD-ENCRYPTING SEVERAL FILES:

- Using My Computer or Windows Explorer, browse for the location of the files to password encrypt. Use the CTRL button to select several files at once. You will have the option to merge all selected files into a single, password-encrypted file.
- Right-click on the selected files
- Select Encrypt Files with Password
- Click Next
- Enter a password that meets the stated requirements
- Confirm the password by entering it a second time
- Click Browse to select a location for the password-encrypted files
- Check the Combine all files into single output file box to group all selected files into a single document. Select a final location and name the file before checking this box; otherwise, the field will be deactivated and you will not be able to make any changes.
- By checking the Generate self-decrypting output file box, you are creating a password-encrypted file bearing the .exe extension. If this box is not selected, you will generate a .pp7m file by default.
- Click Next
If the Delete the original files on finish box is not checked, the original, non-encrypted files are saved on your PC along with the new, password-encrypted file. If you check the Send files via email box, Outlook opens automatically.

- Click Finish. The merged file is now password encrypted.

OPENING A PASSWORD-ENCRYPTED FILE:

- Double-click on the password-encrypted file
- Enter the password
- Click OK

11.3.4 Getting Information on the Entrust Security Store Type

Refer to the Entrust Security Store Type pane to quickly find the path to your .epf file.
11.4 Entrust Certificate Explorer

11.4.1 Creating a New Personal Encryption Group

Creating a new personal encryption group allows you to group together recipients for whom you regularly secure files. It is therefore possible to secure a file for several people at once by selecting the group rather than all holders individually. This feature is very similar to creating a quick list of recipients, except that the latter does not allow grouping recipients together.

Example: Encrypt/sign for several individuals of the same group (e.g. a group for technical support). Create a group of recipients that includes the names of the members you want in this group. You can now select this group instead of selecting each name individually (see section 5.1).

- Right-click on the Entrust icon
- Select Entrust Certificate Explorer
- In the File menu, select New Personal Encryption Group
- Enter a name for your group in the Name field
- Click Add to add members to the newly created group
- Enter the name of the person you wish to add, without accented characters, in the field to the right of the magnifying glass image
- Click Search. The search results display.
- Click on the desired name
- Click View to display that person's certificate and confirm it is the person you are looking for
- Click OK twice to add this person to the group
The new group and its members list display. To add a new member, repeat the previous steps.

- Click the Add... button to add another member to the group (please see the previous procedure)
- Click OK to finish creating the new group

The newly created group displays in the left pane of the screen.
11.4.2 Adding a Member to an Existing Group

The Entrust Certificate Explorer displays a window divided in two: the list of certificates and personal encryption groups in the left pane; the content of the selected element in the right pane.

DISPLAYING A GROUP'S CONTENT

- Click on the desired group in the left pane of the screen. The selected group's members will display in the right pane.

ADDING A MEMBER TO AN ALREADY CREATED GROUP

- Right-click on the group to modify
- Select Properties. The selected group and its members list display.
- Click Add to add new members
- Enter the new member's name without accented characters in the field to the right of the magnifying glass image
- Click Search. The search results display.
- Click on the desired name
- Click View to display that person's certificate and confirm it is the person you are looking for
- Click OK
- Click OK again to add this person to the group

The new group and its members list display. To add a new member, repeat the previous steps.

- Click OK to finish

11.4.3 Deleting a Member from a Personal Encryption Group

- Right-click on the personal encryption group that you want to modify
- Select Properties. The group's list of members displays.
- Select the member to delete
- Click Remove
- Click OK

11.5 Emailing Certificates to Another Certificate User

Emailing your certificates to another certificate user allows the recipient to encrypt files for you, thereby continuing the chain of trust of your digital signature.

There are two ways to access the Email Certificates window:

OPTION 1:
- Click Start
- Select All Programs > Entrust Entelligence > Email Certificates

OPTION 2:
- Position the mouse cursor over the icon
- Right-click
- Select Email Certificates
STEPS TO FOLLOW WHEN THE EMAIL CERTIFICATES WINDOW DISPLAYS

- Click View Thumbprint
- Record the thumbprint and share it with the recipient by telephone. Verifying the thumbprint guarantees that the certificates have not been altered in transit.
- Click OK
- Click OK
The default email software opens to send your certificates to the designated recipient.