XML Signatures using Smart Cards

Similar Messages

• Digital Signatures with Smart Cards

  Hi folks,
  It is my first time with digital signatures on R/3 system. I’m at customer that uses smart cards (hardware cryptography). We are doing the SAPCRYPTOLIB and front end installations. After finish these tasks, we need to implement the signatures into 3 workflow processes. I already read the SSF programmers guide, API specifications and SSF user guide. But I still have some doubts:
  The SSF profile is stored into smart card with private key information, but where are the public keys stored? (PAB – Private Address Book of my trusted circle).
  Do I need the CRLs? Note: this is only for workflow processes that run inside of customer landscape; this is not a B2B scenario.
  We don’t have clear yet how we sign the data; we are thinking sign a BOR object. Create an attribute and use it to pass the signer data. Note: for the customer, the objective is user authenticity guarantee.
  The BOR object instance ends when the flows finish, so wee need to store the signed data for auditable reasons. A database table can be a good approach or there is another standard way?
  P.S.: anyone have documentation about this subject, something like how-to with guidelines?
  Thanks in advance,
  Ricardo.
  Message was edited by:
          Ricardo  Quintino

  The SmartCard device is present at the frontend PC - and that's the place where the digital signature operation has to take place. Important is the "What You See Is What You Sign" principle: it has to be ensured that the data that is to be signed (using the private key stored on the SmartCard) is exactly the same as the one that is displayed to the user.
  Notice: there is a different scenario where the server is signing the data (after prompting the user for userID and password and validating that information).
  The signed data is then transported back to the server where it is stored (to ensure auditibility); usually you'll have to keep the (archived) data for years; the public key need to be archived as well.
  Notice: it is possible to attach the certificate (-> public key) which has been used to sign the data to the signed data.
  Regards, Wolfgang

• Using Smart Cards for SSPR

  I'm working on ForeFront Identity Manager 2010. I'd like to enable AD users to use Smart Cards to reset their passwords. I watched this video www.youtube.com/watch?v=b4aGLnZHZN4. From this video (minute 2), it's said that we could use smart cards to authenticate
  to Self-service Password Reset instead of Q/A gate.
  I looked at ForeFront Identity Manager Portal but I couldn't find where to configure to use Smart Cards for this purpose. I only found "SMS authentication gate" and "Question and Answer Gate". Can somebody help me?
  Thanks,
  Hai

  I am still interested in Clients or other Inquiries in this
  Subject.

• Does any body knows how to capture signature using smart pen

  Hai
  I am developing an application to capture the signature using smart pen device how we can do it is it device independent or device dependent is it requires any SDK for that please if u know anything about it please Help me
  Thanks for your Help

  Why don't you use Tablet PC SDK ( Web Forms Asp ) for sig cap.
  Please have a look at the links
  http://msdn.microsoft.com/mobility/tabletpc/default.aspx?pull=/library/en-us/dntablet/html/tbconInkWebPers.asp
  http://msdn.microsoft.com/mobility/tabletpc/default.aspx?pull=/library/en-us/dnmobink/html/tbconMIJ3.asp
  http://msdn.microsoft.com/mobility/tabletpc/default.aspx?pull=/library/en-us/dntablet/html/tbconWebDoodle.asp
  http://msdn.microsoft.com/mobility/tabletpc/default.aspx?pull=/library/en-us/dntablet/html/tbconWebDoodle.asp
  Example Link:
  http://www.thedatafarm.com/doodle.aspx
  Ramana

• Outlook 2010 "The server is unavailable" using smart card Exchange 2010

  I have a XenApp 6.5 environment, that uses smart card authenication for login. All the office applications will open except for outlook. Outlook opens up and shows a prompt saying "Connecting" ...."Then server is unavailable".
  If I removed the smart card authenication from the XenApp environment, User are able to open Outlook with no problem.
  My question, is there something with exchange 2010 that needs to be turned on for smart card authenication?

  Hi,
  I suggest you remove any existing certificate-based credentials from the Credential Manager and use the
  EnableSmartCard registry setting to check the result. The Outlook client may not be properly configured to work with saved smart card credentials.
  Important
  Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it,
  back up the registry for restoration in
  case problems occur.
  Remove existing certificate based credentials
  The first step to prevent a PIN lockout is to delete any existing certificate based credentials that were saved by Outlook.
  Open Control Panel.
  Double-click Credential Manager.
  See whether there is a Certificate-Based credential similar to the following:
  @@BSUgiZQZ54Pf6cEtxKflWHH
  Also, see whether there is a Generic credential similar to one of the following:
  MS.Outlook.14:[email protected]:PUT
  MS.Outlook.15:[email protected]:PUT
  Note 14 indicates Outlook 2010 saved the credential and 15 indicates Outlook 2013.
  If these are both present and were created or changed at the same time, they are likely smart card credentials saved from Outlook. Click the first credential to expand it and to show the details. Then, click Remove to delete the
  credential from Credential Manager.
  Repeat step 4 for each one of the credentials listed in step 3.
  When you are finished, close Credential Manager.
  Configure the EnableSmartCard registry setting
  The second step to prevent a PIN lockout is to create the EnableSmartCard registry setting.
  Outlook 2010
  For Outlook 2010, the EnableSmartCard registry setting was introduced with the Microsoft Outlook 2010 hotfix package dated December 13, 2011 (KB2597028). We recommend that you install the most recent build of Outlook 2010. For more information
  about the latest applicable updates for Outlook, click the following article number to view the article in the Microsoft Knowledge Base:
  2625547 How to install the latest applicable updates for Microsoft Outlook (US English only)
  To create the EnableSmartCard registry value, follow these steps:
  Exit Outlook.
  Start Registry Editor.
  Create the following registry values at the specified locations:
  Note Manually create any registry keys or values if they do not exist.
  Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
  DWORD: EnableSmartCard
  Value: 1
  Exit Registry Editor.
  For this question, if you need to get more information about Exchange 2010, I suggest you post the question in Exchange forum:
  https://social.technet.microsoft.com/Forums/exchange/en-US/home?category=exchangeserver
  Regards,
  Melon Chen
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• Disabling normal login and only using smart card login?

  I've managed to setup login using BELPIC (Belgian Identity Card (smart card). However I can still login using username/password. Is it possible to restrict the system only using smart card login? (maybe via tweaking the authorize file?)
  Thanks

  The problem isn't with the provider part of the code - it has to do with security privleges. Java code running from the command line has full access to the file-system. Servlets running inside a container do not.
  In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container, by design, are restricted in their ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
  In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file-system in the java.policy file for your JVM, along the lines of the following:
  grant {
  permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
  I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
  You will need to do something similar to your JVM's java.policy to allow the servlet to access the private key. Substitute the "authProvider.SunPKCS11-NSS" with the driver for your own token.

• How to use Smart Card API's (OCF) in Web Application

  Hi frnds,
  For our new smart card based project, i have few queries,
  1. Can we choose web based application for smart card based projects?
  2. How servlet will communicate with opencard CTListener class?
  3. While the card insertion and remove how the event will be reflet the servlet?
  4. For that is it needed to design the client UI by using Swing?
  5. Without Swing will servlet give all solution for smart card connection and events?
  Rgrds,
  dhaya.

  I am also looking for smart card Authentication using web. Any info really appreciated

• Using smart card/nfc tag for authentication on Windows 8 devices NOT in a domain

  Title says it all. We have Sony RC-S380 readers and Acer Iconia W510 tablets with builtin Broadcom NFC chips. We can read tags and configure them for the usual proximity stuff (URIs, mail, etc.) but we are looking for authentication purposes, however without
  using ADFS or domain security. Can anyone point us in the right direction?

  Hi,
  By default, smart card is not available for stand alone computer and local account.
  This authentication technology might be helpful to you:
  EIDAuthenticate - Smart card logon on stand alone computers and local accounts
  http://www.mysmartlogon.com/products/eidauthenticate.html
  Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Karen Hu
  TechNet Community Support

• XML Signature using an XPath filter

  I want to sign an XML document, just based on the content of a particular element in the document. Based on the jwsdp docs it looked pretty simple, but I'm getting strange results. I'll get the same digest value in the SignedInfo for different Xpath filter strings.
  Anybody out there have good luck trying to sign XML documents using Xpath filters?
  I'm using JDK 1.5.05 and JWSDP 1.6.
  Here is my simple XML doc
  <?xml version="1.0" encoding="UTF-8"?>
  <myns:whole_doc xmlns:myns="http://namespace.myns.com/test"
  attr1="attr_one" attr2="attr_two" attr3="attr_three">
  <myns:part_one attr="attr_one">
  <myns:tag1>this is part_one tag_one</myns:tag1>
  <myns:tag2>this is part_one tag_two</myns:tag2>
  </myns:part_one>
  <myns:part_two attr="attr_two">
  <myns:tag1>this is part_two tag_one</myns:tag1>
  <myns:tag2>this is part_two tag_two</myns:tag2>
  </myns:part_two>
  <myns:part_three attr="attr_three">
  <myns:tag1>this is part_three tag_one</myns:tag1>
  <myns:tag2>this is part_three tag_two</myns:tag2>
  </myns:part_three>
  </myns:whole_doc>
  When I use an XPath filter = "/myns:whole_doc/myns:part_one" I get the same digest as when I use "/myns:whole_doc/myns:part_two", which is the same digest when I don't use XPath filtering. See example output below
  <?xml version="1.0" encoding="UTF-8" ?>
  - <myns:whole_doc xmlns:myns="http://namespace.myns.com/test" attr1="attr_one" attr2="attr_two" attr3="attr_three">
  - <myns:part_one attr="attr_one">
  </myns:part_three>
  - <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  - <SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
  - <Reference URI="">
  - <Transforms>
  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
  - <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
  <XPath>/myns:whole_doc/myns:part_two</XPath>
  </Transform>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>9D5CFDkWd9bHx65txuHOeXWeTns=</DigestValue>
  </Reference>
  </SignedInfo>
  <SignatureValue>D686H//H5A0zDrlQx8+0fBNpVeJGgWdTXivlI8S/+WqB/E4oBYzeIQ==</SignatureValue>
  </Signature>
  </myns:whole_doc>

  It took me all day, but I did find the answer.
  When using XPath filters in references, you can't use XPath exactly the way you would use XPath to find nodes in a document. I can't exactly explain why, but it has to do with the fact that the XPath statement is acting as a filter.
  Anyway, to just include the part_one element from the following abbreviated XML
  <myns:whole_doc> .....
  <myns:part_one> ..... </myns:part_one>
  <myns:part_two> .... </myns:part_two>
  </myns:whole_doc>
  the XPath statement should be "ancestor-or-self::myns:part_one"
  to make sure that part_one was part of whole_doc you could use something like
  (ancestor-or-self::node() = /myns:whole_doc/myns:part_one)
  This allows me to sign a document, but still allow portions outside of whole_doc/part_one to change.

• Use smart card for 802.1x secured WiFi authentication

  Hi,
  is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
  I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
  WiFi access (802.1x). Everthing works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
  and granted access.
  To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
  certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
  fails.
  As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
  the local client computer configuration or in the Safenet software on the client computer.
  I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
  Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
  Thanks + Best Regards
  Matt

  Hi,
  I found some links form technet site which can be helpful in this case
  Network access authentication and certificates
  http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
  Enable smart card or other certificate authentication
  http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
  Quote:
  Client certificate requirements
  With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
  The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
  The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
  by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
  The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
  For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
  For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
  Yolanda Zhu
  TechNet Community Support

• Email Authentication using smart cards

  can i use javamail and smartcards for email authentication

  I don't know how to do that. Likely it's possible, but I doubt that it's easy.
  The IMAP protocol provider supports the SASL API, and you can probably
  plug in smart card support underneath the SASL API, but I don't know
  what's involved in doing that. Other than that, you would probably have
  to modify JavaMail to add such support.

• How to create a 802.1X Profile Using Smart Card Certificate

  My company has just implemented a new wireless network that requires users to use a USB Smart Card security device.
  This works fine for Windows, as the OS will allow the end user to configure more advanced authentication/authorization methods (802.1X, etc.) Unfortunately, OS X removed this functionality several versions back; 802.1X and advanced Wi-Fi configurations must now be handled by some sort of profile creation utility. Unfortunately, I've yet to find a utility (iPhone Configuration Utility, Apple Configurator) that will allow the creation of an 802.1X / Wireless Network Configuration that allows the use of a smart card for authentication. They all require that you actually upload the entire key-pair combo(?) in the form of a .p12 file. This is impossible with a smart card; by design you are not allowed to export the private key.
  I'm wondering if there is some way around this? Is it even an option? I know Mac OS will allow me to select "EAP-TLS" when configuring a new wireless network in System Preferences, then even allows me to select my certificate/identity from the Smart Card. Unfortunately, the network I'm trying to connect to doesn't support EAP-TLS/needs some additional configuration options/settings (EAP-TTLS for one).
  Any help/ideas would be greatly appreciated. Thanks!!

  Hello,
  exactly my topic I have been fighting now for months and already gave up.
  My setup is a Lion Server and a Lion WLAN client. My goal is to have the system profile 802.1x WLAN authentication up and running but I just don't get it working. First I tried to create a machine certificate (TLS) but this did not work. Then I tried the option to use Computer Object credentials (TTLS) (Open Directory Computer Object account credentials) to establish network connection before a user logs on but also this does't work.
  As said I'm using Lion Server with Open Directory and Lion Server Radius.
  Any help or guide appreciated!
  Robert

• Connect smart card reader over usb and access digital signature certificate

  Hi,
  I got digital signature certificate stored in a smart card.I places smart card into card reader and plugged usb port of server.
  I can see card reader in windows environment.My problem is to connect card reader and access digital signature certificate using java code.
  I thinh it needs javax.smartcardio but i did not find necessary jar file for jdk 1.5.xx.
  1- Where can i download jar fiel for javax.smartcardio for jdk 1.5.xx
  2- Is there a blog or forum thread to help me to use smart card over usb?
  Thanks.

  One of the beauty of Java is that when the Java VM does not let you do something (here: accessing a Smart Card), there is no way that a purely Java solution will add this functionality.
  Hence, what you ask simply can not be done in pure Java (1.)5. Some machine-specific non-java code is required. And you did not specify your target.
  Unless a jar file could contain machine-specific code (I don't know if this is the case, and I never made one such jar file), there seems to be no way a jar file could help.

• Windows 7 Smart Card Logon

  Hi,
  Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and validating the cert it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message:
  "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
  Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen ... it's only when I enter the PIN and it attempts to logon do I get the above message....
  Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
  Both the smart card service and the certificate propogation service are running...
  Regards,
  Mylo

  Stigh,
  OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressures off at least at this end :-)
  "I actually disagree."
  I can see you're healthy motivated to fix the problem.. which is good :-)
  "As long as there is a EKU in the certificate, it should work for local logon."
  Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes..  a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
  "In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain paramters. I need to read more on those.
  In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
  "Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
  The Gemalto drivers from Windows 7 RTM worked ok for me.
  "The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain.
  OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDP's are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revokation on the local machine completely, which is diluting security even further. 
  "Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
  I was slight confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
  On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
  Good luck and post back if you want to discuss further!
  Regards,
  Mylo

• Smart card reader refusing to work on OS X Mavericks

  Hi,
  I am the owner of a bit4id Minilector EVO, a little smart card reader (manufactured by ACS Advanced Card Systems) who I use to comply with the digital signatures required by the Italian law.
  There is an official application to use the smart cards; however, I'm experiencing major issues with it.
  Shortly:
  - When I plug the bit4id smart card reader into the USB port of my MBP, the LED shows it is recognized; System Information also tells it has been fully implemented into OS X
  - When I then insert the smart card, no issues are reported and the bit4id LED becomes fixed;
  But, when I start the application to digitally sign, it tries to detect what cryptographic module I'm using. It detects the correct one but reports an «Internal error» halting the process.
  I know there is an implementation of PCSC for OS X called PCSC-Lite, and that there is a terminal command to show if all is working properly.
  Something like pcsc[something] .
  Can you help me?
  Thanks in advance,
  Tyrexionibus

  SCS is a very good app, since I've read that Apple has discontinued support for PC/SC interfaces after the release of Mountain Lion.
  (My previous installation was a Mavericks upgrade from Lion)
  However, I don't know what and how to debug using Smart Card Services. Do you know any commands to use?
  Apparently, the SC reader reports no issues: the LED is blinking blue when no smart card is present and becomes fixed blue when a smart card is inserted – according to the manuals, this shows that there is correct communication between the OS and the CCID reader.
  I don't know what to do; I'm beginning to hypothesize it's a digital signer issue. In fact, my smart card only supports one application called File Protector (by Actalis) to officially sign digital documents. This application seems to have major difficulties in identifying the miniLector EVO.
  The generic and ambiguous internal error comes when I try to manually identify the peripheral.
  Athena CNS is one of the Italian smart cards and is automatically recognized and configured (so it's correct – no doubts about this), while "ACS ACR 38U-CCID 00 00" seems to be the real name of the miniLector.
  (I'm assuming this because System Information also returns that the real manufacturer is ACS... bit4id is a re-brander)
  However, when I click on it and then tap OK, it returns internal error.
  As first attempt, I would try to completely erase&clean File Protector files to try a reinstall. Then, if this still doesn't work, I'd debug using the terminal.
  So:
  - Do you know any applications to 100% clean files created by an installer?
  - Do you have in mind any solutions that I might have forgotten?
  Thanks in advance from an OS X fan!