
LIBRARY/FAQ : Digital Cert. Instructions : WISeKey

I      What is a digital certificate?
I.1        What can I do with a digital certificate?
I.2        How does a digital certificate work?
I.3        What does a digital certificate contain?
I.4        What is a Certification Authority (CA)?
I.5        Why do I need a digital certificate?
I.6        What are the applications of a digital certificate?
I.7        What configuration do I need to use a digital certificate?
I.8        What are the advantages of saving your certificate on an IKey?

II     Signing and encrypting e-mails

II.1      How to sign and encrypt e-mails?
II.2      Signing your e-mails
II.3      Encrypt your e-mails
II.4      Outlook 98/2000 - Install your certificate and configure your security settings
II.5      Digitally sign your e-mails with Outlook 98/2000
II.6      Personalise Outlook 98/2000 in order to have the buttons sign and encrypt in your toolbar
II.7      Encrypt your messages with Outlook 98/2000
II.8      How do I know if an e-mail is encrypted?
II.9      Using the certificates of your correspondents
II.10    To save a digital certificate from a signed or encrypted message

III   Managing your Ikey
III.1     How to install the "Token Manager" of your IKey ?
III.2     How to load your certificate on your system ?
III.3     How to change your Ikey password?


I                     What is a digital certificate?

I.1   What can I do with a digital certificate?

With a digital certificate for your SSL-compatible (Secure Sockets Layer) Web browser, you can be identified on Web sites and be authorized to access private and protected data. You can use your personal certificate for the majority of low commercial value transactions, such as online purchases and subscriptions, as well as for encrypting data. In addition, by connecting to protected (PKI-enabled) portals, for example www.TrustePortal.com, you can carry out any type of transaction (high commercial value, processing of confidential data, voting over the Internet, etc.) in a completely secure way.

With S/MIME-compatible (Secure/Multipurpose Internet Mail Extensions) e-mail software, you can sign and protect your e-mail.

I.2   How does a digital certificate work?

A digital certificate assigns a private key to an individual or to an organization. The link between the public key and the individual or organization is certified by a third party in whom one has placed one's trust. Digital certificates are based on public key infrastructure, a system that functions with pairs of private and public keys.

The private key is known only to its owner and is used to create a digital signature. The user should never reveal this key. The public key is known and used to check the digital signature. Indeed, if you want to check a digital signature, you want to check the identity of the person who signed the message.

A pair of keys (public + private) is not really associated with an identity; it acts only as a pair of keys. Association is done by the means of the digital certificate that associates the public key with an identity.

A digital certificate makes it possible to check that somebody has the right to use a key, thus helping to prevent a person from using a counterfeit key to pose as someone else. Combined with encryption, digital certificates provide a complete security solution, ensuring the identity of all the parties involved in a transaction.

The legislation of various countries (e.g. Switzerland) is being modified to give legal recognition to the digital signature; countries such as the United States and European countries have already worked in that direction, and most already recognise digital signatures.

I.3   What does a digital certificate contain?

The digital certificate contains the public key of the user, his name, an expiration date, the name of the Certification Authority that issued the certificate, a serial number and some other information (digital fingerprint, type of encryption, etc).

I.4   What is a Certification Authority (CA)?

A digital certificate is issued by a certification authority (CA) and signed with the CA's own private key.
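The relationship described in I.2 to I.4, as an added example that is not part of the original FAQ: a test root issues a certificate, the fields listed in I.3 are printed, and a look-alike certificate issued by a second root with the same name is rejected. It assumes the openssl command-line tool is installed; every name, the serial number and the file names are constructed.

```sh
# Added example: a CA-issued certificate next to a counterfeit one.
# All names are constructed; "Example Test Root CA" is not a real authority.
set -eu
DIR=$(mktemp -d)

# new_root FILE: self-signed root certificate and private key
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$DIR/$1.key" -out "$DIR/$1.crt" 2>/dev/null
}

# issue ROOT FILE: the user creates a key pair and a request; the CA signs
# the requested name and public key with its own private key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Alice Example" \
        -keyout "$DIR/$2.key" -out "$DIR/$2.csr" 2>/dev/null
    openssl x509 -req -in "$DIR/$2.csr" -CA "$DIR/$1.crt" -CAkey "$DIR/$1.key" \
        -set_serial 4242 -days 7 -out "$DIR/$2.crt" 2>/dev/null
}

# field FILE OPTION: print one certificate field, e.g. -issuer or -enddate
field() { openssl x509 -in "$DIR/$1.crt" -noout "$2"; }

# trusted FILE: does the certificate chain to the one root we trust?
trusted() { openssl verify -CAfile "$DIR/root.crt" "$DIR/$1.crt" >/dev/null 2>&1; }

# key_matches FILE: is the certified public key the one belonging to the
# holder's private key?
key_matches() {
    [ "$(openssl x509 -in "$DIR/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$DIR/$1.key" -pubout)" ]
}

new_root root           # the authority the verifier trusts
new_root rogue          # same name, different key pair
issue root alice
issue rogue forged

for opt in -subject -issuer -serial -enddate -fingerprint; do
    field alice "$opt"
done
for cert in alice forged; do
    key_matches "$cert" && echo "$cert: certificate matches holder's private key"
    if trusted "$cert"; then echo "$cert: signed by the trusted root"
    else echo "$cert: REJECTED, not signed by the trusted root"; fi
done
```

Both certificates carry the same subject and issuer names and each matches its holder's private key; only the CA signature check against the trusted root tells them apart.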

I.5   Why do I need a digital certificate?

From remote banking operations to subscription services and shopping on line, security remains a major issue.

Access control by username and password is no longer secure enough, especially since in the majority of cases this information is transmitted in clear over the Internet. Controlling access by combining a password with something the user possesses, the digital certificate, is safer.

More and more companies that trade on the Internet are becoming aware of this reality and require their customers to use digital certificates.

Consumers are not the only ones who need digital certificates. Servers used for trade over the Internet also need them. Thanks to the identity check carried out by the CA before issuance, the presence of a digital certificate attests to the integrity of a business, allowing the online customer to be sure of dealing with a recognized trading entity.

I.6   What are the applications of a digital certificate?

The certificates can be used for all the following applications:

·          Privacy and confidentiality - people and organizations want certificates to encrypt and to decrypt messages.

·          Integrity, authentication and non-repudiation (digital signature/verification) - organizations want to use certificates to prove the identity of the sender and to make sure that the message was not altered by anybody.

·          Access control - requires digital certificates, which are installed in browsers, on disks, on an IKey or a smart card, in order to control access to installations, Internet sites, intranets or other digital communication networks.

·          Proof of transmission of documents (time stamping) - organizations must use independent time-stamping authorities to check the time and the dispatch and reception dates of messages of the highest importance, for legal or commercial use.

·          Filing and document retrieval - organizations must use digital certificates to certify that the filed messages were not altered and to provide controlled access to authorized people.

·          Identification and privileges - organizations must have digital certificates to establish their rights and preferences, for example, exploitation of licence rights.

I.7   What configuration do I need to use a digital certificate?

All applications that support X.509 v3 certificates:

·          Netscape Navigator v3.xx

·          Netscape Communicator v4.xx

·          Microsoft Internet Explorer v3.02 or later

·          Opera

·          and many others...

I.8   What are the advantages of saving your certificate on an IKey?

The advantages of saving your certificate on an IKey 2000 are the following:

·          The private/public key pair is generated directly inside the IKey, which leaves no trace (copy, cache) of your key on the generating system and thus no possibility of copying it.

·          Your private key cannot be exported from the IKey to the hard disk (this is imperative, as ill-intentioned people (hackers) could break into your system and seize your private key).

·          Access to the certificate contained in the IKey is protected by a password that only you know. This password can be modified at any time.

·          Depending on the model used, you can back up several certificates on the same IKey (storage capacity of the chip).

·          Your IKey follows you where you go.

·          And especially your IKey is reusable indefinitely.

II                 Signing and encrypting e-mails

II.1 How to sign and encrypt e-mails?

After having received your personal certificate, you can immediately sign and encrypt your e-mail. The two operations are different: you can sign and/or encrypt messages. The two functions rely on the same technology but have different uses.

II.2 Signing your e-mails:

In your e-mail software, you can configure how messages are signed: each time you send an e-mail (compose, reply or forward) or only when you click on the 'sign' button.

The signature procedure uses the private key in order:

To prove the authenticity of each participant in an electronic communication.

To guarantee the integrity of the contents of the message.

To guarantee the non-repudiation of the electronic communication.

In other words, when you sign a message, the recipient is sure that the message comes from you and that it is you who wrote what he reads.

Signing a message does not affect the contents of the message, nor does it prevent the message from being intercepted or read by someone other than the recipient. To make sure that only the recipient will be able to read the message, one also needs to encrypt the message.

II.3 Encrypt your e-mails:

If you wish to send a confidential message, you need to encrypt it. To encrypt a message so that only the recipient can decrypt it, you will need a copy of his certificate (which contains the public key) in your list of contacts. To obtain the certificate of your recipient, you can ask him to send you a signed e-mail (which will then contain his certificate and his public key).

The procedure of encryption calls upon the public key of the recipient to guarantee the confidentiality of the message (you are then sure that only the recipient will be able to read the message).
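The difference between II.2 and II.3, shown with the openssl command line instead of Outlook (an added example, not part of the original FAQ): a signed message stays readable but any alteration is detected, while an encrypted message can only be opened with the recipient's private key. The users alice and bob, their addresses and the message text are constructed, and self-signed test certificates stand in for CA-issued ones.

```sh
# Added example: S/MIME signing versus encryption with the openssl CLI.
# Users, addresses and the message text are constructed sample values.
set -eu
WORK=$(mktemp -d)
MSG="Quarterly figures attached."

# Self-signed test certificate and private key (stands in for a CA-issued one).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Signing uses the SENDER's private key; the body stays readable.
sign_as() {
    printf '%s\n' "$MSG" | openssl smime -sign -text \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$WORK/signed.eml"
}

# verify FILE SIGNER: passes only if the content is unaltered and the
# signer's certificate is one the verifier trusts.
verify() {
    openssl smime -verify -text -in "$1" -CAfile "$WORK/$2.crt" \
        -out /dev/null 2>/dev/null
}

# Encryption uses only the RECIPIENT's certificate (public key).
encrypt_for() {
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
        -out "$WORK/enc.eml" "$WORK/$1.crt"
}

# Decryption needs the private key of a recipient the mail was encrypted for.
decrypt_as() {
    openssl smime -decrypt -in "$WORK/enc.eml" -recip "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$WORK/$1.inbox.eml" 2>/dev/null
}

yesno() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

make_identity alice; make_identity bob
sign_as alice
sed 's/Quarterly/Monthly/' "$WORK/signed.eml" > "$WORK/tampered.eml"
encrypt_for bob
echo "signed body readable in transit:    $(yesno grep -q "$MSG" "$WORK/signed.eml")"
echo "signature verifies:                 $(yesno verify "$WORK/signed.eml" alice)"
echo "altered copy verifies:              $(yesno verify "$WORK/tampered.eml" alice)"
echo "encrypted body readable in transit: $(yesno grep -q "$MSG" "$WORK/enc.eml")"
echo "alice can decrypt / bob can decrypt: $(yesno decrypt_as alice) / $(yesno decrypt_as bob)"
```

Because the signed message is what gets encrypted, the copy bob decrypts still carries alice's signature and can be verified the same way.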

II.4 Outlook 98/2000 - Install your certificate and configure your security settings:

1.       Choose 'Tools' in the Outlook 98/2000 menu

2.       Choose 'Options'

3.       Choose 'Security'

To choose the certificate you wish to use, you must define the default security settings. To do this, click on the 'Change Settings' button. The following screen will then appear:

You can create different parameters of security and give them different names. You can define the following parameters:

1.       Secure Message Format (standard of e-mail).

2.       Hash Algorithm.

3.       Encryption Algorithm

4.       Preferences regarding security settings.

The digital signature parameters enable you to choose the certificate you wish to use to sign your e-mail. Click on 'Choose' and the following screen will appear:

This screen enables you to choose the certificate you wish to use with the parameters you are defining. You can view the certificate by clicking on the 'View Certificate' button. A screen displaying your certificate will then appear. It will resemble the following illustration:

The digital signature parameters also enable you to define the type of algorithm that you will use to create your signatures (SHA-1, MD5). The encryption parameters also enable you to choose the certificate used to encrypt your e-mail. Click on the 'Choose' button to display the same screen as the one above.

II.5 Digitally sign your e-mails with Outlook 98/2000:

The first stage in the process of securing your e-mail consists of signing it with your digital certificate. Your digital signature makes it possible for the recipient of your message to check that you are the author and that it was not modified by anyone. Signing your message does not mean that nobody can intercept or read it. Signing a message does not affect its contents and does not prevent a third person from intercepting or reading the message. To make sure that only the recipient will be able to read the message, one also needs to encrypt it. If the recipient of your signed message uses S/MIME-compatible e-mail software, he will be able to read the message. Your signature then takes the form of an attachment. The 'Signed' icon means that the received message is signed.

The 'Untrusted Signature' icon indicates that the received message was signed using a certificate issued by a CA that you do not yet trust (because you have not yet installed its root certificate). This icon looks like the following:

You can sign your messages individually or configure your security parameters to sign using a defined certificate.

II.6 Personalise Outlook 98/2000 in order to have the buttons sign and encrypt in your toolbar:

In the toolbar, click on "New message".

Click on "Customize" in the Tools menu.

Select the "Commands" tab.

In the categories list, select "Standard".

To see the "Encrypt Message" button in your toolbar, click on it and drag it to the toolbar as shown below:

Follow the same procedure for the "Digitally Sign Message" function; you will then have the following screen:

Click on "Close" to end the procedure.

You will then just have to click on the button corresponding to the desired function (to sign and/or encrypt) during the preparation of your next e-mail.

II.7 Encrypt your messages with Outlook 98/2000:

The second stage of the process of securing your e-mail is encryption. E-mail is rather easy to intercept and read. That can be avoided by encrypting your messages so that only the recipient can read them. Encrypting with Outlook 98/2000 is as easy as signing with Outlook 98/2000.

To encrypt your message, you must have a copy of the certificate of the person to whom you want to send your message. When you receive a signed e-mail, you can back up the certificate of the sender by simply saving the sender in your contacts.

II.8 How do I know if an e-mail is encrypted?

When you receive an e-mail, the 'encrypted' icon indicates that the message was encrypted.

This icon (blue lock) appears in the lower right corner of your menu window. The process of encryption is done automatically. You can encrypt your messages one by one or configure your security settings so that the messages are signed each time there is a corresponding certificate in your contacts list.

When you receive an encrypted message, the 'encrypted' icon appears in the e-mail window.

II.9 Using the certificates of your correspondents:


To send an encrypted message to somebody, you must have a copy of his certificate in your contacts list. It is very easy to view, add or remove certificates with Outlook 98/2000.

II.10 To save a digital certificate from a signed or encrypted message:

When you receive a signed message, you can back up the sender's certificate in your contacts list. Simply right-click on the name of the sender in the header of the e-mail and select 'Add to Contacts' in the context menu. The contact window then appears automatically; just click on the 'Save and Close' button.


III              Managing your Ikey

III.1         How to install the "Token Manager" of your IKey ?

Close all programs;

Insert the CD in your CD-ROM drive. The program should start automatically; if not:

Click on the Start button, then choose Run, enter the command X:\setup.exe, where X corresponds to the letter assigned to your CD-ROM drive, and press "Enter".

The installation procedure begins and the welcome screen appears:

Click the "Next" button, the licence window will appear:

Click on the "Yes" button to accept the agreement;

The installation program then asks you to choose the destination folder; it is recommended to leave it as it is and click "Next";

You are then invited to choose the type of installation you want; check the "Typical" option and click "Next";

The installation program then invites you to choose the name of the program folder that will appear in your Start menu at the end of the installation; click on the "Next" button;

The installation program then starts to copy the necessary files to your system. At the end of this process, the following message appears:

Click on the "Finish" button to restart your computer and finish the installation procedure.

III.2         How to load your certificate on your system ?

Insert your Ikey in the USB port;

Launch "Certificate Utility" as follows:

Once the program has launched, the following window appears:

Click on the "To System" button to copy your certificate from your Ikey to your system. Then click OK.

III.3         How to change your Ikey password?

Insert your Ikey in your USB port;

Launch "Token Manager" as follows:

Once the program has launched, the following window appears:

Click on the "Change Pass Phrase" button; the following window will appear:

"Old Pass Phrase": the default password is PASSWORD (in capital letters);

Write your new password in the "New Pass Phrase" field, then confirm it in the "Re-enter Pass Phrase" field;

Click on "OK" and the window will close.

NB: Passwords are case sensitive
