ENG_OPENLiMiT_SignCubes_UserGuide
Contents

1. OPENLiMiT SignCubes UserGuide ... 5
   1.1. Copyright ... 7
        Copyright © 2002 - 2004 BonneVille Group AG ... 7
   1.2. Typographical conventions ... 9
   1.3. How to use this documentation ... 11
2. Introduction ... 13
   2.1. First steps ... 14
        Installing the software ... 14
        Installing the card reader ... 16
        First use of your OPENLiMiT® Card ... 18
        OPENLiMiT certificates ... 29
   2.2. Signature and encryption basics ... 31
        Public key procedure ... 31
        Signature ... 32
        Verify signature ... 34
        Encryption ... 36
        Decryption ... 37
        Signature laws ... 38
3. Brief outline of the modules ... 41
   3.1. Security Environment Manager (SEM) ... 42
   3.2. SignCubes Shell Extension ... 43
   3.3. SignCubes CSP ... 44
   3.4. SignCubes Workflow ... 45
   3.5. SignCubes Viewer ... 46
   3.6. Adobe Plugin ... 47
4. Tutorial ... 49
   4.1. Visualisation ... 50
   4.2. Sign ... 52
   4.3. Inserting attachments ... 55
   4.4. Adding messages ... 56
   4.5. Encrypt ... 57
   4.6. Save ... 59
   4.7. Send ... 60
   4.8. Decrypt ... 61
   4.9. Verifying a signature ... 63
   4.10. Integrity check ... 65
5. Working with the OPENLiMiT SignCubes software ... 69
   5.1. File formats ... 70
   5.2. The SignCubes modules ... 71
        Security Environment Manager ... 71
        SignCubes Shell Extension ... 87
        SignCubes Crypto Service Provider ... 88
        SignCubes Workflow ... 93
        SignCubes Viewer ... 111
        Adobe Plugin ... 116
6. Operational procedures ... 121
   6.1. Sign ... 122
   6.2. Verifying signatures ... 125
   6.3. Encrypt ... 134
   6.4. Decrypt ... 138
   6.5. Exporting certificates ... 139
   6.6. Installing certificates ... 142
   6.7. Saving certificates in file form ... 143

1. OPENLiMiT SignCubes UserGuide

Welcome to the OPENLiMiT SignCubes UserGuide.

In this documentation you will find:
- a brief outline of the OPENLiMiT SignCubes modules,
- a tutorial,
- a comprehensive user guide, and
- a summary of operational procedures.
For more precise information on secure operation of the software, the OPENLiMiT SignCubes security components and their configurations, as well as an explanation of possible error messages, please refer to the Online Help. To pull up the Online Help choose Start – Programs – OPENLiMiT – Online Help.

1.1. Copyright

Copyright © 2002 - 2004 BonneVille Group AG

This documentation is the intellectual property of BonneVille Group AG. It may not be duplicated or published (either completely or in part) without the prior written consent of BonneVille Group AG, irrespective of the method or the means employed, be they electronic or mechanical.

The software or hardware descriptions used in this documentation, as well as the company or brand names, are in most cases registered trademarks or brands and are, as such, the property of the relevant manufacturers. They are used without their free and unrestricted use having been warranted. We essentially conform to the writing conventions used by the manufacturers. The inclusion of product and commercial names etc. in this documentation - even without this being indicated specifically - does not justify the assumption that the use of such names can be considered as being unrestricted under the terms of protective legislation on trademarks and brand-names.

All the information contained in this documentation was compiled taking the utmost care and attention. Nevertheless, the possibility that it may contain errors cannot be completely excluded. BonneVille Group AG, SignCubes GmbH, the authors and the translators are not liable for possible errors or their consequences. In particular, this documentation provides information on signature laws and corresponding ordinances. This information is intended for contributing to the reader's understanding but we cannot guarantee its completeness. It is the responsibility of every user to obtain information regarding the legal basis underlying the outlined technology and to act accordingly.
This documentation serves as a guide to using the software OPENLiMiT SignCubes. In individual cases, differences may exist between the processes described in the documentation and the actual application. BonneVille Group AG assumes no liability for possible differences or their consequences. Because the software is being continually developed, BonneVille Group AG reserves the right to make changes to the contents of the documentation without prior notice.

Please send any remarks and comments to [email protected].

BonneVille Group AG
Zugerstrasse 74
6341 Baar
Switzerland
Tel: +49 (0) 30 81 87 98 20
E-mail: [email protected]
Web: www.signcubes.com

1.2. Typographical conventions

To enable you to work with this manual more easily, it is essential to explain the typographical conventions and specific terms. The following text formats indicate special information:

Typographical convention: Type of information
- Bulleted list: Step-by-step instructions.
- Bold: Words that appear as elements of the software or the operating system, such as menu items, buttons or items in a selection list.
- Start - Program Files - SignCubes: Several commands that are to be executed one after the other.
- Important: Words of special importance are written in this way.
- CAPITALS: Keys of the computer keyboard are written in upper case letters, e.g. SHIFT, CTRL or ALT.
- KEY + KEY: Key combinations (shortcuts) for which the user must keep one key depressed while simultaneously pressing a different one.

1.3. How to use this documentation

Background knowledge

Basic Windows skills are required. For example, the reader should know about drag & drop, the right mouse button or Windows Explorer, and how to work with them. The chapter The SignCubes Crypto Service Provider (see "SignCubes Crypto Service Provider", page 88) assumes that the reader has a working knowledge of Microsoft Outlook or Outlook Express.
Chapters

The OPENLiMiT SignCubes documentation is divided into four chapters:
- The introduction (page 13) describes the initial steps to be taken when using the card and the software, as well as the basic theory of signatures and data encryption.
- A brief outline of the individual modules (see "Brief outline of the modules", page 41), designed to give the user a general idea about the software.
- A tutorial (page 49), which demonstrates how to use SignCubes Workflow on the basis of an example.
- The chapter Working with the OPENLiMiT SignCubes software (page 69), which describes the specific functions of the individual modules and the various operational procedures.

2. Introduction

The introduction provides all the information required to quickly begin working with the OPENLiMiT SignCubes software.

What would you like to know?
- How the signature and encryption function technically and organisationally (see "Signature and encryption basics", page 31)
- How the software is installed (see "Installing the software", page 14)
- How to personalize your OPENLiMiT Card (see "First use of your OPENLiMiT® Card", page 18)
- How to learn to work with the software quickly (see "Tutorial", page 49)

2.1. First steps

After the software and card reader have been installed, the first step is to start operating the card. The card must initially be activated and assigned a personal and secret PIN (Personal Identification Number).

Installing the software

First close all open applications. The installation starts automatically when the CD is inserted (if this does not happen, double-click the file autorun.exe on the CD).
In the Start dialog window, you can now choose which components you want to install: the OPENLiMiT SignCubes software, the OPENLiMiT SignCubes Adobe Plugin, the card reader drivers or the additional programs Adobe Reader (for opening PDF files), Macromedia Flash (for the OPENLiMiT Tower) and Internet Explorer 6.0 (see the system requirements). The installation sequence is irrelevant.

- Click the OPENLiMiT symbol to install the software. The installation wizard now guides you through the different stages of the installation.
- The first step is to choose the installation language.
- Then, the installation wizard checks if the system meets the minimum requirements. If the minimum requirements are not met, an error message is displayed and the setup program quits the installation. If the minimum requirements are met, the following window is displayed. You must first remove any older version of OPENLiMiT SignCubes already installed on your computer. If components of the software have been deleted from your computer, you can also repair the installation. Otherwise, simply click Install and then Next.
- The licensing agreement is displayed when you start to install the software. You must accept this agreement if you want to continue installing the software.
- Next, the installation folder is displayed (default: C:\Program Files\SignCubes). A different directory can be chosen by pressing Browse.
- The software is installed automatically by clicking Next. Depending on your operating system, you have to reboot the computer during the installation by clicking Restart. The installation wizard resumes where it left off.
- Click Finish to complete the installation of the OPENLiMiT SignCubes software and start installing other software if applicable.

Installing the card reader

To install the card reader, first install the driver, and then connect the card reader and reboot the computer.
Installing the driver

- When you click Card Reader in the start window, the following window opens where you can choose the correct driver for your card reader.
- First select the appropriate language from the list in the bottom left corner.
- Then click the symbol which represents your card reader to start the installation. Serial card readers have two plugs: a serial interface with nine small holes (just like the monitor jack) and a PS/2 connection for the power supply, which fits onto the socket for the mouse or keyboard. USB card readers only have a flat, narrow plug. Hybrid card readers may be installed as USB or serial devices. Hybrid card readers come with USB and serial adapters.
- The installation wizard for the card reader driver guides you through the installation. The installation is completed by clicking Finish. You can now connect the card reader to the computer.

Connecting the card reader

USB connection
- If you are using a USB card reader, simply plug it into a free socket.
- If you are using a hybrid card reader with a USB adapter, first connect the adapter to the card reader, then plug the adapter into your PC.

Serial connection
- If you are using a serial card reader, shut down and turn off your computer first, and then connect the card reader. Do not connect the card reader while your computer is still running, since you may damage the card reader or computer.
- If you are using a hybrid card reader, first connect the serial adapter to the card reader.
- Then, a serial card reader or serial adapter is connected to a serial (nine-pin) interface. The small, round plug is connected to the mouse or keyboard interface. The plugs for the mouse or keyboard are then connected at the back to the card reader plug.
- Now reboot your computer. The operating system automatically detects the card reader and loads the appropriate driver.
When the computer has restarted, an OPENLiMiT icon and a grey chip symbol are displayed in the taskbar.

First use of your OPENLiMiT® Card

Prerequisites
- Your personal certificate, which the trust center has sent to you via e-mail (p7m-file).
- The OPENLiMiT® SignCubes software must be installed on your computer.
- The card reader must be installed on your computer.
- Your OPENLiMiT® Card.

Preparation
- Save the p7m-file that you received from the trust center and
- check if the number (filename) matches the OPENLiMiT® Card number (printed on the front side of the card).
- Insert your OPENLiMiT® Card into the card reader and wait until the chip icon in the taskbar turns yellow.
- To personalize your OPENLiMiT Card, click the yellow chip icon and choose Card Wizard from the menu. By clicking Next, you advance to the next step. Click Back to go back one step.

Before you personalize the card for the first time, it is absolutely necessary that you check the condition of the OPENLiMiT® Card. If the following window displays one of these messages, the card has already been used:
- "The SigG-PIN has already been activated."
- "The global PIN has already been activated."
If one of these messages is displayed, the card has already been used! Do not personalize this card! Do not activate this card! Do not send this card's certificate activation to TeleSec! Send this card back to OPENLiMiT®!

Activating PINs

After inserting your card in the card reader and starting the Card Wizard, you will see the following dialog window that displays the number of your card:

SigG-PIN
- Choose Activate PIN for qualified electronic signature (aka SigG-PIN).
- Enter a PIN (at least 6 characters long). If you use a card reader with secure PIN-input, your PIN may only contain numbers. However, if you always use a standard computer keyboard, you may choose a password containing letters and other characters. Write down your SigG-PIN!
If you enter the wrong SigG-PIN three consecutive times, your SigG-key is rendered unusable. Then, you will no longer be able to produce qualified electronic signatures with this card.
- Confirm your PIN by re-entering it.
Next, a message confirming the successful activation of the PIN is displayed.

Global PIN
- Choose Activate global PIN.
In case you enter the wrong global PIN three consecutive times, you may reset it with your PUK.
- Enter a PIN (at least 6 characters long). If you use a card reader with secure PIN-input, your PIN may only contain numbers. However, if you always use a standard computer keyboard, you may choose a password containing letters and other characters. Note down your global PIN. You will need it to read out your PUK.
- Confirm your PIN by re-entering it.
Next, a message confirming the successful activation of the PIN is displayed.

Read out the PUK

Make sure to write down your PUK. In case your global PIN becomes invalid by entering the wrong PIN three consecutive times, you can reset it using your PUK.
- Choose Read out initial PUK.
- The software will prompt you for your global PIN.
- After entering the PIN, your PUK is displayed.
CAUTION: You cannot use the PUK to reset the SigG-PIN! If you enter the wrong SigG-PIN three consecutive times, you can no longer use the SigG-key.

Card personalization
- Choose Personalize card.
Next, the Card Wizard will ask you for the certificate file. The certificate file is the p7m-file, which the trust center sent to you via e-mail.
- Choose the p7m-file with your OPENLiMiT Card number,
- and click Open.
- Enter your global PIN
- and then your tele-password (pay attention to upper and lower case!) to decrypt the certificate. You chose the tele-password when filling out the card application form.
- After entering the data, wait for a few seconds until the Result window is displayed.
- Check whether the card has been personalized successfully.
If personalization of your card has been successful, you may quit the Card Wizard by clicking Cancel. Next, you need to examine the certificates.

Examination of certificates

After personalization of the card, please make sure that the contents of the certificate are correct. If the card is inserted in the card reader, the chip symbol in the taskbar turns yellow.
- Click the chip symbol, and choose Properties from the menu.
- Under the tab Certificates you can now see your signature certificate. The entry should display your name. The certificate for qualified electronic signatures is displayed with your name, but without an e-mail address.
- After choosing the certificate, the bottom part of the window will display details such as holder, issuer, validity. Check these entries.
- Now, click the button Details in the lower right of the window.
- Then, choose the tab Details to see the 9-digit serial number of the certificate. The certificate serial number is the same number as the PKS-number, which you will be prompted for later on the TeleSec website.
- Note down the serial number. You will need it later on to activate the certificate.

Activating the certificate
- After successful examination of your certificate, please activate it at https://pks.telesec.de/registration/pks_auftrag/freischaltung. You need to activate the certificate for it to become valid.
CAUTION: Do not activate the certificate if the card has already been activated the first time you used it.
Note: Make sure to correctly fill in the fields on the website. It may be helpful to have a copy of your card application form with you.
- Complete the form.
When you fill in the form fields: Enter your last name (Name) and first name (Vorname) exactly as in the card application form.
The E4 NetKey card number (E4 NetKey Kartennummer) is the 19-digit number on your OPENLiMiT® Card. The PKS certificate number (PKS Zertifikatsnummer) is the certificate serial number which you wrote down earlier during examination of your certificate. Enter your tele-password (Telepasswort) exactly as in your card application form.
- Confirm that you were able to activate your OPENLiMiT® Card (check the button "Hiermit bestätige ich, dass ...").
- Click send form (Formular abschicken) to finish activation of the certificate.

OPENLiMiT certificates

You also received an OPENLiMiT card with this software containing various certificates. If you have not yet heard a lot about the Signature Act or the background to this technology, we recommend that you read the section Signature and encryption basics (page 31).

Trust centre

The OPENLiMiT partner for issuing certificates and the card is T-TeleSec (http://www.telesec.de), which is the trust centre of Deutsche Telekom AG. Organisationally, T-TeleSec belongs to T-Systems, a subsidiary of Deutsche Telekom AG. This certification service provider is the oldest accredited trust centre in Europe and provides the highest possible security for cards and certification services. The accreditation of T-TeleSec in accordance with the Signature Act can be reviewed under www.regtp.de.

A T-TeleSec certificate is included on the OPENLiMiT card. This certificate is "qualified" in compliance with SigG (the Signature Act) and it can be used to generate signatures which are equivalent to the signer's personal handwritten signature. Other certificates are called OPENLiMiT certificates and are used for other purposes. However, all certificates and keys are produced by the trust centre of Deutsche Telekom AG and provide the same standard of security.
Certificates

Various certificates can be used with the OPENLiMiT card:
- T-TeleSec PKS or SigG certificate: The SigG certificate is used for qualified signatures in compliance with the German Signature Act.
- OPENLiMiT encryption certificate: The encryption certificate is used for data encryption.
- OPENLiMiT certificate for advanced signatures: This certificate is used, for example, for signing e-mails in Outlook and for backing up data.
- OPENLiMiT certificate for authentication: This certificate is used for authentication for the OPENLiMiT Tower.

The certificates are mainly selected automatically by the software for the various functions. Each certificate has a pair of keys. A certificate generally consists of the public key and various pieces of information, such as the intended purpose and the holder's name. In the case of advanced signatures, the certificate additionally contains your e-mail address so that you can make use of the signature and encryption functions in Microsoft Outlook and Outlook Express. A private key matches each public key. This private key is contained on the card, cannot be read out and is additionally secured by means of a PIN.

The SigG certificate has a separate PIN. The other certificates have a shared PIN called the global PIN. The two PINs must be activated (see "First use of your OPENLiMiT® Card", page 18) before the card is used. That is taken care of when the card is personalised (see "First use of your OPENLiMiT® Card", page 18). You receive an e-mail with the necessary supporting documents and instructions on exactly how the personalisation works. Do not activate the card before it has been personalised.

Please bear in mind that the e-mail signature (see "SignCubes Crypto Service Provider", page 88) in Outlook is not a qualified signature in compliance with signature laws. Please refer to the Online Help for more information regarding the creation of qualified signatures.
To view the Online Help, open the SEM menu (see "SEM Menus", page 72) and choose Help. For precise information on signatures, certificates and keys please read the chapter "Basic principles of signatures and encryption" in the Online Help.

2.2. Signature and encryption basics

Electronic data is easy to manipulate. Whether on the Internet or the computer, up to now it has not yet been possible to exclude the possibility of manipulation. Passages can be easily deleted from a document or added to it. It is not possible to determine the author of a document. By the same token, data which is sent by e-mail or stored on the hard disk can be read by hackers or Trojan horses. Furthermore, the Internet has one major drawback: Nobody knows who they are dealing with at the other end. That is another reason why the idea of attaching a signature to electronic data sent over the Internet, where one cannot see the communication party at the other end, was long inconceivable.

Thanks to electronic signatures and encryption, we are now able to solve the following problems:
- Data cannot be secretly manipulated.
- The signer can be unambiguously identified.
- Data cannot be read by unauthorised third parties.
- The recipient(s) can be specifically selected.

The signature renders any kind of intentional or unintentional manipulation immediately evident. The certificate verification function proves that the signature has not been forged, i.e. that the certificate holder is genuine. In the process, none of the holder's personal details are revealed, only his or her name. Thanks to encryption, it is not possible for unauthorised third parties to view the data. The fact that the document can only be decrypted by the person for whom it was encrypted is proof that it has reached the right person.

In the following sections, the individual operations of the signature and encryption process are explained in more detail.
Public Key Procedure

The signature and the encryption which are carried out with a signature card in combination with this software are based on a Public Key Infrastructure (PKI). Asymmetrical encryption is used both for the signature as well as for data encryption. Asymmetrical means that two different keys (the private and public keys), which mutually complement each other, are always used. Data which has been "locked" with one key can only be "unlocked" again using the other key.

In the case of Smartcards, the private key is contained on the card's chip and cannot be read out. The data being processed is loaded onto the chip, where it is encrypted or decrypted and then transferred back to the computer. The correct PIN is required in order to use the private key, guaranteeing additional security. The public key is integrated into a certificate and is available to everyone via Internet directory services, or it can be sent by e-mail. In order to ensure that this certificate, and hence the key, has not been forged, it is possible to verify the signature of the issuer.

The private key on the card is used to sign data. This proves beyond doubt that the signature can only belong to the cardholder, and that only he is in possession of both the card and the PIN. The public key is used when the signature is verified, as it must be verifiable by anybody. The encryption operation uses the two keys in reverse order. The recipient's public key is used, so that only he is able to decrypt the data again using his own private key. Because the chip on a Smartcard would take a very long time to process large quantities of data, an automatically generated random key is incorporated into the encryption process. A hash value which is uniquely associated with a given document is encrypted in the signature.

Signature

Signatures have various purposes. On the one hand, a qualified signature is used to sign letters, contracts etc.
On the other hand, advanced signatures are also available which are mostly used for the purpose of securing data for which one does not want to sign one's name. For instance, image or sound files can also be signed. Although the signature does not safeguard against changes, it does however render such changes clearly noticeable. If a signature is intact, that means that the data has not been tampered with.

When a file is signed, a hash value is generated. In simple terms, this might also be described as a Doc ID or a fingerprint, because the value generated is unique to any given document. Two documents can never have the same hash value unless they are identical. This hash value is encrypted with 1024 bits (RSA). The hash value is encrypted on the chip of the card. This minute processor can process small amounts of data. Having a process like this is crucial because it guarantees that the private key never leaves the card. After all, every kind of data stored on a computer is also potentially insecure. Thus, the key is only given the instruction to encrypt a small quantity of data. The encrypted data is then sent back to the computer.

The private key must be enabled or activated beforehand using the correct PIN (personal identification number), i.e. the card is opened. This is the most sensitive element of the whole signature. It is not the technology which constitutes the greatest security risk, but rather its human users. You should bear in mind the following points without fail:
- Never write the PIN on the card or the card reader, or leave it anywhere near your computer.
- Do not allow anyone to watch you while you are entering the PIN. Make sure that no-one can view your keyboard or the card reader, even from a distance (from the window opposite etc.).
- Do not under any circumstances pass on the PIN to another person.
- If possible (and particularly when you sign important contracts etc.), use a card reader with secure PIN input.
- If the PIN is entered incorrectly three times, the private key is blocked and rendered unusable.
- Never leave your card behind when you leave the room or are distracted.

The procedure described here, which may appear complicated, is of course handled automatically by the software. The user only has to click Sign and enter the PIN to obtain a signed file. The signed file consists of the signature (the signed hash value), the original file and the signer's certificate with the public key.

Whether to create a qualified signature or not depends on various factors. The Signature Act (see "Signature laws", page 38), the associated legislation and the accompanying justifications are often formulated imprecisely and leave room for interpretation. Essentially, a qualified signature requires a qualified certificate, a secure signature-creation device (the card) and secure software (SignCubes Professional, SignCubes Shell Extension). Some interpretations of the law additionally demand a "trustworthy representation" (see "Visualisation", page 50) or "secure PIN entry"; other experts consider these superfluous. This software provides all the alternatives; which interpretation you follow remains your own decision.

Verify signature

When verifying a signature, the following questions matter:

- Is the document really unaltered? (Integrity of the data.)
- Is the holder of the signature genuine, and has his or her certificate been forged in the meantime? (Authenticity of the holder.)
- Has the certificate been revoked? (Certificate status.)

The integrity of the document is checked by means of the hash value: the document is hashed again, the hash value contained in the signature is recovered with the signer's public key, and the two are compared. If they are identical, the document has not been changed since it was signed. The software does this automatically in the course of every check and also in real time, i.e.
the software continually re-verifies the hash value rather than checking it only once, so that any manipulation of the opened document becomes evident.

To recover the old hash value, the verifier needs the signer's public key, because the signature was created with the card, i.e. with the private key. This public key is attached to the signed document in the form of the signer's certificate.

The authenticity and integrity of a certificate, i.e. of the public key it carries, is verified by means of the issuer's signature: every personal certificate is signed by a trust centre (certification authority, CA). If this signature is valid, the certificate has not been changed either (see Section 1). The issuer's own certificate has frequently been issued by yet another authority and can be verified in the same way. This yields a certification path that can be traced all the way back to a trusted authority (root CA or root certificate). If the certification path is mathematically correct and the root is trustworthy, the identity stated in the signer's certificate can be relied upon. In Germany, for qualified signatures, the Regulatory Authority for Telecommunications and Posts (RegTP) is the top-level authority (root).

The software verifies this point as well. Logically, however, the software can only verify that the certification path is complete and uninterrupted, i.e. mathematically correct. To see which authorities (CAs) make up the path and which root certificate it ends in, the user must inspect the certification path. Whether to trust that root (for example in the case of signatures from other countries) is ultimately the decision of each individual.

The certificate status, i.e. whether a certificate has been revoked, can be verified by asking the issuer: trust centres publish revocation lists for download or offer an online certificate status query.
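The three checks just described, the hash comparison, the signature check and the certificate status including the signing-time rule that the following paragraphs work through, as an added example in Go. This is not code from the OPENLiMiT software: it stands the card in with a key pair held in memory, uses a detached RSA PKCS#1 v1.5 signature over a SHA-256 digest (broadly what a *.p7s file carries, without the PKCS#7 wrapping), and the 2048-bit key size, the sample contract text and the dates are assumptions chosen to mirror the example in the text.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// signDetached does what the guide describes the card doing: the document is
// hashed on the PC, only the 32-byte digest is handed to the private key, and
// the result is the "encrypted hash value" stored next to the unchanged file
// (the detached *.p7s case). PKCS#1 v1.5 is the RSA signature scheme used in
// PKCS#7. The key size is an assumption; the guide's cards used 1024 bits.
func signDetached(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDetached re-hashes the document and checks the signature against the
// signer's public key. A single changed byte yields a different digest, so
// the check fails; it also fails for a signature made with a different key.
func verifyDetached(pub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Verdicts in the spirit of the guide's verification dialog.
const (
	statusBadSignature = "invalid: document changed or signature forged"
	statusUnknown      = "undetermined: signature mathematically correct, certificate status not checked"
	statusValid        = "valid: certificate not revoked"
	statusValidBefore  = "valid: signed before revocation (signing time taken from the signer's clock, unverified)"
	statusRevoked      = "invalid: certificate already revoked at the claimed signing time"
)

// certStatus combines the three checks. crlConsulted says whether a current
// revocation list or online query was actually used; a zero revokedAt means
// the certificate is not on the list. The signing time is whatever the
// signer's computer recorded, so a "valid" verdict that rests on it being
// earlier than the revocation is only as good as that clock.
func certStatus(mathOK, crlConsulted bool, signedAt, revokedAt time.Time) string {
	switch {
	case !mathOK:
		return statusBadSignature
	case !crlConsulted:
		return statusUnknown
	case revokedAt.IsZero():
		return statusValid
	case signedAt.Before(revokedAt):
		return statusValidBefore
	default:
		return statusRevoked
	}
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the card's key pair
	if err != nil {
		panic(err)
	}
	// Constructed sample document; in practice this would be the TIFF visualisation.
	doc := []byte("Contract: deliver 100 units at 12.50 EUR each.\n")
	sig, err := signDetached(priv, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched document verifies:", verifyDetached(&priv.PublicKey, doc, sig))

	altered := []byte("Contract: deliver 100 units at 12.00 EUR each.\n")
	fmt.Println("altered document verifies:  ", verifyDetached(&priv.PublicKey, altered, sig))

	// The guide's example: signed 1 July 2003, certificate revoked 1 December
	// 2003, verified on 1 July 2004 with a current revocation list.
	signedAt := time.Date(2003, time.July, 1, 0, 0, 0, 0, time.UTC)
	revokedAt := time.Date(2003, time.December, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(certStatus(true, true, signedAt, revokedAt))
	// The same signature checked without downloading the list first.
	fmt.Println(certStatus(true, false, signedAt, time.Time{}))
}
```

The "altered" document differs from the signed one by a single digit in the price, which is enough to fail verification; and the last call shows why the guide insists on fetching the revocation list before checking an important signature: without it the verdict can only be "undetermined", never "valid".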
If someone loses his signature card, he can have the certificate revoked through a 24-hour service, and the certificate then appears on the revocation list immediately. This check requires the active intervention of the user: if the signature in question is an important one (as opposed to one that only protects data), the current revocation list should be downloaded before the signature is verified. If the relevant trust centre offers an online query service, the certificate status can be queried directly over the Internet.

The signing time is always critical for this check. Example: a signature was created on 1 July 2003 and is verified one year later, on 1 July 2004. The certificate status shows that the certificate has been revoked since 1 December 2003 (e.g. because the card was lost). The signature can still be regarded as valid, because the cardholder was still in possession of his card when the signature was created; a signature made after the revocation date, on the other hand, would be invalid.

The time is recorded when the signature is created, but the only time available is the clock of the operating system on the signer's computer. It is therefore a claim made by the signer, not a verified fact. If doubts exist, it is always safest to ask or, if need be, to have the document signed again.

Assessing the trustworthiness of a signature requires meticulousness and careful consideration. The final decision on whether a signature is trusted or not always rests with the user!

Encryption

Encryption protects data against access by unauthorised third parties. You can encrypt any kind of data, whether it is stored on the computer or sent by e-mail over the Internet. Encryption does not, however, protect against data loss, for example through viruses, so encrypted data that you want to keep should also be archived on external storage media.

First the document is encrypted with a random key using the Triple DES algorithm.
Triple DES uses a 192-bit key (three 64-bit DES keys) and applies DES three times in succession. The random key is then itself encrypted with the recipient's public key, using 1024-bit RSA. To encrypt data, therefore, the public key of the recipient (or of each recipient) is always required. This public key is contained in an encryption certificate, which can be retrieved from the directory service (page 136) of the trust centre and installed on the computer. You can also have the encryption certificates of your communication partners sent to you by e-mail, and you can export (see "Exporting certificates", page 139) your own certificate from the card. All installed certificates are displayed automatically by the software. (Triple DES and 1024-bit RSA are the algorithms used by the cards and software of this version; both are regarded as legacy strengths today.)

The encrypted document and the encrypted random key are then archived together or sent by e-mail to the parties for whom the data has been encrypted.

As a rule, an encrypted file should also be signed, because only the signature guarantees that the data has not been manipulated. Encryption alone does not provide this guarantee: someone who cannot read the ciphertext can still alter it, and without a signature the change would only show up as unreadable output when the file is decrypted.

Decryption

To decrypt the document again, the random key is needed in plain text. It can only be decrypted with the private key, for which the user needs the correct card and the correct PIN. Once the random key has been decrypted, the whole document can be decrypted; the software handles these operations automatically. Only the cardholder, with his PIN, can therefore read the document.

Of course, the data can also be encrypted for more than one certificate. We recommend that you encrypt all data you wish to archive for two persons: for yourself and for another person of trust.
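The hybrid scheme described above, encrypting for two certificates as the text recommends, as an added Go example that is not part of the OPENLiMiT software. It generates a random 192-bit Triple DES key, encrypts the document with it in CBC mode and wraps that key once per recipient with RSA; decryption then succeeds with either recipient's private key and fails with any other, which is exactly what makes the second certificate a safeguard against a lost or blocked card. The envelope layout, the use of OAEP padding for the key (PKCS#7 of that era used PKCS#1 v1.5), the 2048-bit keys standing in for the cards and the sample text are assumptions.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// envelope is what the guide archives or mails as a unit: the document under
// a one-time Triple DES key, plus that key encrypted once per recipient.
type envelope struct {
	iv          []byte
	ciphertext  []byte
	wrappedKeys [][]byte // one entry per recipient public key, in order
}

// pkcs7Pad/pkcs7Unpad bring the document to a multiple of the 8-byte DES block.
func pkcs7Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// seal encrypts document for every public key in recipients.
func seal(document []byte, recipients []*rsa.PublicKey) (*envelope, error) {
	key := make([]byte, 24) // 192-bit Triple DES key: three 64-bit DES keys
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(document)
	env := &envelope{iv: iv, ciphertext: make([]byte, len(padded))}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(env.ciphertext, padded)
	for _, pub := range recipients {
		// Only the short random key goes through the slow public-key operation.
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.wrappedKeys = append(env.wrappedKeys, wk)
	}
	return env, nil
}

// openEnvelope tries each wrapped key with the private key (on the card in
// the real product); the first one that unwraps yields the Triple DES key.
func openEnvelope(env *envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wk := range env.wrappedKeys {
		key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wk, nil)
		if err != nil {
			continue // not wrapped for this key
		}
		block, err := des.NewTripleDESCipher(key)
		if err != nil {
			return nil, err
		}
		plain := make([]byte, len(env.ciphertext))
		cipher.NewCBCDecrypter(block, env.iv).CryptBlocks(plain, env.ciphertext)
		return pkcs7Unpad(plain)
	}
	return nil, errors.New("no wrapped key matches this private key")
}

func main() {
	me, _ := rsa.GenerateKey(rand.Reader, 2048)      // my own card
	trusted, _ := rsa.GenerateKey(rand.Reader, 2048) // the person of trust
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("Archived invoice 2004-017, net amount 1,250.00 EUR") // constructed sample
	env, err := seal(doc, []*rsa.PublicKey{&me.PublicKey, &trusted.PublicKey})
	if err != nil {
		panic(err)
	}
	for name, k := range map[string]*rsa.PrivateKey{"me": me, "trusted": trusted, "stranger": stranger} {
		plain, err := openEnvelope(env, k)
		fmt.Printf("%-8s -> %q, err=%v\n", name, plain, err)
	}
}
```

Note that the envelope carries no signature: as the text says, a third party who cannot read the ciphertext can still corrupt it, and openEnvelope would at best notice a padding error. Signing the envelope is what makes such tampering detectable.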
For data that is sent electronically, we recommend encrypting for your own certificate as well as that of the recipient. If your own card is lost, or the PIN is entered incorrectly three times and the card is blocked, the data can then still be decrypted with the second card (that of the recipient or of the person of trust). As soon as you obtain a new card, you can re-encrypt the data for the two certificates again.

Signature laws

The use of electronic signatures is regulated by law. In the European Union, the directive laying down the general conditions for electronic signatures came into force in January 2000. It obliges each member state to implement its provisions in national law, which means that electronic signatures can also be used in international business.

In Germany, the conditions for legally binding electronic signatures are defined by the Signature Act (SigG) and the Signature Ordinance (SigV). In Switzerland, the legislation broadly follows the EU directive: there is an ordinance on certification services, and a signature law has been under consultation since 2001. There is also a bilateral treaty between Switzerland and the EU under which certificates and signatures are mutually recognised.

The essential points of the European directive: the law recognises several forms of signature, namely simple, advanced and qualified signatures. A signature is classified as qualified if it

- is uniquely linked to the signatory,
- is capable of identifying the signatory,
- is created using means that the signatory can maintain under his sole control,
- is linked to the signed data in such a way that any subsequent change is detectable, and
- is based on a qualified certificate.

A qualified certificate is issued only by a qualified certification service provider (trust centre).
Very rigorous requirements apply to the security of key generation and to the organisation of the trust centre. Compliance with the legal regulations is supervised by a national authority; in Germany this is the Regulatory Authority for Telecommunications and Posts (RegTP). From this authority you can also obtain a list of qualified and accredited trust centres, the current signature laws and further information about the signature procedure.

The legal consequence of electronic signatures

Qualified signatures, as defined by the European directive,

- satisfy the requirements placed on electronic data in the same way as a handwritten signature satisfies the requirements placed on paper documents, and
- are admissible as evidence in a court of law.

The extent to which these stipulations have been implemented in national law varies slightly from member state to member state, but the electronic signature is largely treated on a par with the personal handwritten signature. In Germany this has been underlined by the adaptation of § 126 of the Civil Code (BGB), which governs the written form: a qualified signature on an electronic document can be used in place of the written form of a signed paper document.

Nevertheless, exceptions exist. The electronic signature is not permitted in particularly sensitive areas, e.g.:

- termination of employment contracts
- certificates and employment references
- sureties
- notarial authentications

Apart from that, qualified signatures are admissible as evidence in court, but they cannot take the place of documentary evidence; the reason lies in the definition of documentary evidence.
However, the evidential quality of qualified signatures (see § 126 of the German Civil Code, BGB) is such that, for all practical purposes, it may be considered almost as good as that of documentary evidence.

3. Brief outline of the modules

The software consists of several modules. Some are basic modules that are essential for the others to function, e.g. the card controller. Data can be signed and encrypted in several different modules, each of which serves a different purpose and suits a different way of working:

- Security Environment Manager: core module.
- SignCubes Shell Extension: sign and encrypt data directly from within Windows Explorer.
- SignCubes CSP: sign and encrypt data in Microsoft Outlook. This signature is an advanced signature.
- SignCubes Workflow: sign and encrypt files in an easy-to-use interface with integrated data compression.
- SignCubes Viewer: trustworthy representation of files for viewing and checking documents before signing.
- Adobe Plugin: signature plugin for Adobe Reader and Adobe Acrobat.

3.1. Security Environment Manager (SEM)

The Security Environment Manager handles the connection between the software and the card reader, or more precisely the card. It monitors the card in the reader and manages the settings and options relating to the card. Make sure that the SEM has been launched; this should happen automatically when Windows starts. The SEM is running if you see the OPENLiMiT icon at the bottom right of the taskbar, next to the clock. The SEM can also be launched manually: Start - Program Files - OPENLiMiT SignCubes - Security Environment Manager. If your card reader has been installed correctly, a grey chip icon appears in the taskbar while no card is inserted.
When you insert the card into the reader (make sure it clicks into place), the icon turns yellow with a green question mark superimposed. Once the SEM has recognised the card correctly, the question mark disappears and the chip stays yellow. A yellow chip with a red cross appears if the card has been inserted the wrong way up or is incompatible. A red chip means that you have "opened" your card, i.e. entered the PIN so that multiple operations can be performed without entering it again.

CAUTION: Do not leave your workstation without removing the card, particularly while the card is open!

Clicking the yellow chip opens a shortcut menu whose entries refer to the functions of the card or card reader. A different menu opens when you click the OPENLiMiT icon. Further information can be found under SEM Menus (page 72).

3.2. SignCubes Shell Extension

SignCubes Shell Extension allows data to be signed and encrypted directly in Windows Explorer; it also integrates signature verification and decryption. If you right-click a file, you will find the entry OPENLiMiT SignCubes in the shortcut menu. Depending on the status of the file, SignCubes offers the following options:

- Sign file
- Encrypt file
- Sign and encrypt file
- Verify signature
- Decrypt file

The procedure for signing and encrypting files is described under Operational procedures (page 121).

3.3. SignCubes CSP

With the SignCubes CSP you can sign and encrypt e-mails directly from within Microsoft Outlook or Outlook Express. These are advanced signatures. A qualified signature is currently not possible from Outlook; for that you must use the secure software. The Outlook signature serves transport security and identification of the communication partner.
You can of course also encrypt your e-mails, which adds confidentiality to the identification the signature provides. This level of security is adequate for private communication. For signing contracts, letters, quotations etc., however, the SignCubes software (preferably Professional) should be used. How to apply the Outlook settings required to work with the card is explained in the section Outlook security settings (see "Outlook settings", page 89).

3.4. SignCubes Workflow

SignCubes Workflow unifies all the essential functions in an easy-to-use interface. It creates a secure container, the so-called Secure Zip (*.scz). The data in this container is compressed and can be extracted again with any off-the-shelf zip program. Any kind of data can be imported into the container and signed, encrypted and verified there. Alternatively, you can simply write some text (such as an e-mail), append a file as an attachment, sign and encrypt everything and send it as a secure, compressed package via your mail client. The tutorial (see "Tutorial") describes how to work with SignCubes Workflow.

3.5. SignCubes Viewer

SignCubes Viewer serves as a trustworthy representation of the documents you want to sign. With SignCubes Viewer you can make sure that you do not sign any hidden or active content in a document: if it detects active or hidden content, it warns you when you open the document. SignCubes Viewer can display TIFF and text files. Documents you produce with SignCubes Printer are converted to TIFF files and then opened in SignCubes Viewer, which starts automatically in this case. Otherwise you can start SignCubes Viewer with: Start - Programs - OPENLiMiT - OPENLiMiT SignCubes Viewer

3.6.
Adobe Plugin

With the Adobe Plugin installed, you can sign documents from within Adobe Acrobat 6.0 or newer. If PDF forms have been provided with additional features (Adobe Forms Server solutions), you can sign them with Adobe Reader 6.0 or newer. You can also verify digital signatures in a PDF form. Government agencies and authorities increasingly use these electronic PDF forms in e-government projects. If Adobe Reader or Acrobat is already installed, the Adobe Plugin installs itself automatically into the appropriate plug-in folder.

4. Tutorial

This tutorial demonstrates in a small number of steps how documents are signed, secured and then saved or sent by e-mail. First the various modules are explained briefly, followed by a step-by-step guide on the basis of an example. Details that have been omitted from this tutorial, or formulated too concisely, can be found in Working with the OPENLiMiT SignCubes software (page 69).

4.1. Visualisation

Trustworthy representation of data

To represent a file securely and place it in an unalterable state, it is printed to the SignCubes printer from within the original application. The printer produces a graphical representation of the document for SignCubes Professional.

- In the application in which the document is open, click File - Print and choose the printer SignCubes, or
- use the pen button integrated in Microsoft Word, which does this automatically.
- After you click OK, SignCubes Viewer opens after a short delay and displays the contents.

Saving the visualisation

- Click the Save button and choose a filename. The visualisation is saved as a TIFF file.

Transferring the visualisation to SignCubes Workflow

- Click the SignCubes button. SignCubes Workflow opens and the visualisation file appears in the display window.

Sending the visualisation by e-mail

- Click the e-Mail button.
- Your e-mail client then starts, provided it supports Simple MAPI.

4.2. Sign

Signing the visualisation

- Insert the card into the card reader and make sure that it is recognised (after the green question mark has been displayed, the chip icon in the taskbar should turn yellow).
- Click the Sign button. A window showing the details of the signature request opens. Here you can see the certificate that will be used to create the signature, the card, the PIN required, the card reader and the data to be signed.
- Click Create signature.

Entering the PIN

- Enter the PIN in the PIN dialog. If you are using secure PIN entry, enter the PIN on the card reader's keypad instead.
- Click OK to create the signature; a message confirming successful creation is displayed. If the message "the SigG-PIN you have entered has been rejected" appears, you entered the wrong PIN.

Now you can save or e-mail the visualisation, or transfer it to SignCubes Workflow.

Saving the visualisation

- Click the Save button and choose a filename. The visualisation is saved as a TIFF file. The signature file (*.p7s) is saved in the same directory and with the same name as the visualisation, so you can easily tell which file it belongs to.

Transferring the visualisation to SignCubes Workflow

- Click the SignCubes button. SignCubes Workflow opens, and the visualisation file and the signature file appear in the display window.

The *.p7s file is automatically given the same name as the signed file so that the file it belongs to can be identified easily. Any number of files can be signed in an *.scz document.

4.3. Inserting attachments

You can insert all kinds of files into the document and sign or encrypt them there.
Inserting attachments

- Click Filing in the lower left area, then My Computer or My Documents. Windows Explorer opens.
- Using drag & drop, drag the data onto Entire Document or into any prepared folder. Entire folders can be imported as well. Alternatively, click Edit - Add and choose the files or folders to insert in the dialog.
- The imported data can also be signed or encrypted: select (click) the required files, click the Signature button and enter the PIN.

Selected files can be deleted again with the DEL key.

4.4. Adding messages

You can also write and sign messages in the container.

Creating and editing a new page of text

- Click the button New page of text. A window in which the text can be entered and formatted directly opens at the bottom of the screen.
- The page of text is saved automatically when you click the Close button in the top right corner. The page can then be found under Entire Document and is called "unnamed1".
- You can rename it by clicking the name itself (not the file icon).

A page of text can be deleted from the Entire Document like any other element of the container, by pressing the DEL key.

4.5. Encrypt

Encrypting data in the container

- To encrypt a file, click the tab Entire Document, select the required file and click the Encrypt button. You can also encrypt a folder or the Entire Document.

Selecting encryption certificates

- When you click Encrypt, a dialog opens in which you select the encryption certificates. Every certificate installed on the computer is displayed here. If you see no certificates on the left apart from your own, you must first obtain the certificates of the recipients; this is explained under Directory Service (page 136).
The holders of the selected certificates will be able to decrypt the file after receiving it. It is therefore advisable to add your own certificate as well.

- When a certificate is selected, its details are shown in the bottom window.
- The certificate is copied into the list on the right by clicking Add or by double-clicking its name.
- Then click Apply to encrypt the data for the selected certificates.

Selected certificates can be moved between the two lists with Add and Remove. Under Details... you can view the certificate (see "Displaying a certificate", page 128). To ensure that a certificate has not been revoked, click Details... and check its online status (if the CA supports this); otherwise a search in the Directory Service (page 136, button More...) usually works as well. This check belongs before encryption: a revoked certificate may belong to a key that is no longer under the recipient's control.

You can also encrypt and sign the entire document and its contents. After that you are automatically asked whether you want to save or mail the file.

4.6. Save

Saving the whole container

- Click the Save button or select File - Save. You are asked whether the entire document (the container) should additionally be encrypted and/or signed; tick the check boxes in front of the options if you wish. The remaining steps for encrypting and signing are as outlined in the previous sections: choose the certificates and enter the PIN if required.
- If the container is neither signed nor encrypted, it is saved as an *.scz file after you click OK. A signed or encrypted container is always a *.p7m file.

4.7. Send

- Click the Send button. You are asked whether the entire document (the container) should be encrypted and/or signed. Tick the check boxes if required, or simply click OK to send the document as it is.
- The remaining steps for encrypting and signing are as outlined in the previous sections: choose the certificates and enter the PIN if required. The e-mail window of your default mail client then opens (provided it supports Simple MAPI).
- Choose the recipient as usual and send the e-mail with the *.scz document as an attachment.

4.8. Decrypt

If you receive an encrypted OPENLiMiT SignCubes document, e.g. by e-mail, it is either a *.p7m file or an *.scz container with encrypted contents.

- Insert your card into the reader and double-click the file.

Decrypting p7m files

- An encrypted *.p7m file is decrypted directly; as a rule you must enter your global PIN. A message telling you that the file has been decrypted is displayed; click OK. If the file has been signed as well, the signature is verified automatically. An *.scz container then opens showing its contents.

Decrypting the contents of an scz container

- If you double-click an *.scz container that contains encrypted elements, it opens in SignCubes Workflow. Select the encrypted element (another *.p7m file) and click the Decrypt button.
- You are usually prompted to enter your PIN as described above. SignCubes Workflow then opens a new window displaying the contents of the p7m file.

4.9. Verifying a signature

A signed file in an *.scz container is indicated by a *.p7s file of the same name.

Verifying a signed file

- Choose one of the two files (either the signature or the original file) and click the Verify signature button. A dialog window opens.

The summary states that the signature is valid; this is, of course, what you want to see. If a different message is shown, this does not automatically mean that the signature is invalid.
An example of a verification result might be: "The signature is mathematically correct. The certificate status could not be fully verified." This means that the signed data has not been changed and the signature has not been forged, but it was not possible to verify the certificate status, i.e. a possible revocation.

- Details can be found on the second tab, which bears the name of the cardholder.

What the individual items mean:

- Hash value verification: integrity of the data. A positive result means the data has not been changed since the signature was created.
- Verification of the signature and certification path: validity of the signature and completeness of the certification path. The certificate is not forged and can be traced all the way back to the root.
- Creation time of the signature: the time on the signer's computer when the signature was created (not independently verified).
- Certificate status: revocation and validity of the certificate. Revocation lists are used to verify whether the certificate has been revoked. If this cannot be verified, download the latest revocation lists (see "Updating revocation lists", page 131) or verify the certificate online (see "Online verification of certificates", page 133) by clicking the button Online status...

- To view the certification path, display the certificate. For more details, see Verifying signatures (page 125).

4.10. Integrity Check

You should regularly perform an integrity check to make sure that none of the OPENLiMiT SignCubes modules has been damaged or deliberately manipulated. OPENLiMiT SignCubes Integrity Check examines the individual modules to make sure that the software is still in the condition in which it was originally supplied.

Running the SignCubes Integrity Check

- Insert the original OPENLiMiT SignCubes installation CD-ROM.
- Using Windows Explorer, find the directory SignCubes on the CD.
- Double-click the file siqCheckOL16Pro.exe to start the integrity check.
- Click Next. The condition of the individual components is displayed.
- Click Next to see a summary of the integrity check.
- Quit the integrity check by clicking Finish.

If the installed version of OPENLiMiT SignCubes is not in its original condition, scan your computer for viruses, worms and trojans and check it for intrusion by a third party. It is further recommended that you uninstall the software using the installation program on the CD and then install it anew. Running the check from the read-only CD rather than from the hard disk matters: a manipulated installation could also have replaced a checker stored alongside it.

5. Working with the OPENLiMiT SignCubes software

This section gives an in-depth explanation of the working steps and features of OPENLiMiT SignCubes. If you find these instructions too detailed, we recommend the tutorial (see "Tutorial"), where you can learn the most important working steps from an example.

5.1. File formats

The OPENLiMiT SignCubes software generates various file formats.

*.p7m files contain PKCS#7 data. Signed, encrypted, or signed and encrypted data may be enclosed in them.

*.p7s files also contain PKCS#7 data, but the signature they hold is a detached signature: the data and the signature are stored in two separate files. The advantage of this method is that you can continue to work with the original data; as long as the original data remains unaltered, the signature remains valid. The signature is associated with the original file by having the same name. The file name is only a convention for finding the right pair; what actually binds the two is the hash value in the signature, so a renamed original still verifies against its signature, and a different file of the same name does not.

Encrypted data is always stored as *.p7m files. For signatures created with SignCubes Shell Extension you can choose between p7s (data and signature in separate files) and p7m (data and signature in one file) in the Settings (page 73). In the OPENLiMiT SignCubes Professional interface, signatures are always stored in separate files.
*.scz files are SignCubes containers or documents created with OPENLiMiT SignCubes Professional. This format is also called SignCubes Zip (or secured zip), because the data in the container or "archive" is compressed and may be of any kind.

5.2. The SignCubes modules

The software consists of several modules. Some are basic modules that are essential for the others to function, e.g. the card controller. Data can be signed and encrypted in several different modules, each of which serves a different purpose and suits a different way of working:

- Security Environment Manager: core module.
- SignCubes Shell Extension: sign and encrypt data directly from within Windows Explorer.
- SignCubes CSP: sign and encrypt data in Microsoft Outlook. This signature is an advanced signature.
- SignCubes Workflow: sign and encrypt files in an easy-to-use interface with integrated data compression.
- SignCubes Viewer: trustworthy representation of files for viewing and checking documents before signing.
- Adobe Plugin: signature plugin for Adobe Reader and Adobe Acrobat.

Security Environment Manager

The Security Environment Manager (SEM) handles several tasks. It manages the security environment, i.e. everything to do with the card or the card reader, and also manages the updating of the required security files. It is an essential basic module of SignCubes and covers, among other things:

- card control
- changing or activating/enabling the PIN
- exporting certificates
- settings and options
- updating revocation lists

First make sure that the Security Environment Manager is started, as indicated by the OPENLiMiT icon at the bottom right of the taskbar next to the clock. If your card reader is installed correctly, a grey chip icon appears in the taskbar.
When you insert your card in the reader, the icon turns yellow with a green question mark superimposed upon it. When the SEM has detected the card correctly, the icon turns yellow.

The SEM can also be launched manually: Start - Programs - OPENLiMiT - SignCubes Manager

SEM Menus

Chip menu

A click on the yellow chip opens the shortcut menu. The menu items refer to the functions of the card or the reader.

Card Wizard: The Card Wizard unites all functions concerning your OPENLiMiT Card. Here you can read out the initial PUK, change the PUK, change the global PIN (see "Changing the global PIN" on page 83), change the PIN for qualified electronic signatures (see "Changing the SigG PIN" on page 81) (SigG-PIN) and personalize your card.
Properties: The properties (see page 78) of the installed card reader are displayed here. When a card is inserted into the reader, the card's properties, such as its number and the certificates it contains, are also displayed.
Preferences: The software settings (see page 73) or options can be changed here.
Help: Click here to get to the OPENLiMiT online help.
Info: Copyright and version information for the software is displayed here.
Exit: Use this command to quit the SEM. Data can then no longer be signed or decrypted using the card.

Software menu

When you click the OPENLiMiT icon, a similar shortcut menu opens. This menu lists options relevant to the software.

New file: This option opens a new *.scz file, i.e. the SignCubes Workflow (see page 93) interface starts without any contents.
Update revocation lists: In order to verify signatures accurately, the latest security files (revocation lists etc.) should be downloaded.
Properties: Details about the software are given here.
Preferences: The options and settings (see page 73) can, of course, also be accessed by clicking the chip icon.
Help: Click here to get to the OPENLiMiT online help.
Info: Copyright and version information for the software is displayed here.
Exit: Use this command to quit the SEM. Data can then no longer be signed or decrypted using the card.

Settings

The settings contain all the options you can change for the software. The file format for signatures, the PIN entry prompt, the storage paths for security files and the certificate options can all be edited here.

General

The following options can be selected here:

Automatically start the Security Environment Manager: If you would prefer to start it manually, remove the tick from the check box.
Signature format: This setting only applies to SignCubes Shell Extension. In SignCubes Workflow, signatures are always stored separately (detached signatures). In SignCubes Shell Extension, you can choose whether to store the data and signature together in one *.p7m file, or in two separate files (the original file and a signature file in *.p7s format). Both formats are ISIS-MTT-compliant. Datev-compatible PKCS#7 signatures are also available for some versions of SignCubes.

Directories

The storage paths for security-related files can be defined on the Directories tab. By default, the path is set to "C:\Program Files\SignCubes\Data\", followed by the name of the relevant folder.

Revocation lists: Certificate Revocation Lists (CRLs) are lists published by trust centres which give details of revoked certificates. The certificate status of signatures is checked on the basis of these lists.
PKDs (Public Key Directories) are directories which list public keys, i.e. the certificates of various issuers. Currently, these are the CA certificates issued by the RegTP.
CTLs (Certificate Trust Lists) are directories in which trustworthy root certificates can be stored.
The certificate issued by the RegTP, which we generally trust, is integrated into the software. If you would like to trust a different root, store its certificate in this folder and place any CA certificates under the PKDs.

PIN entry prompt

This dialog window lists options relating to the input or prompting of the PIN (Personal Identification Number):

Automatically use secure PIN input: Secure PIN input is only available for special card readers. It guarantees that the PIN cannot be accessed by hackers while it is being entered. This setting is always active, so secure PIN input is activated automatically if you use a card reader that offers it.
Open card for multiple actions: If you have major working assignments ahead of you that will require entering the PIN repeatedly, you can open the card instead. You are prompted to enter the PIN as soon as you plug the card into the reader, and no further PIN input is necessary. This is highly practical, for instance, where a large number of documents have to be decrypted. It also saves time when a large number of files need to be signed.
Request PIN...: Once the card has been opened, you can specify that the user is still prompted to enter the PIN for certain operations, for example for qualified signatures, for other signatures and for decrypting data. The following alternatives are available for each application:
  every time the card is used: The user is always prompted to enter the PIN.
  automatically with restrictions: Use is limited according to the restrictions set.
  no further queries: No further prompt appears for entering the PIN.
For instance, if you only want to decrypt data, select "every time the card is used" for qualified and other signatures and "no further queries" for decrypting data.
Limitation: If you selected "automatically with restrictions", you can set up a limitation below by number of uses or by time.
This is particularly recommended in the case of qualified signatures, to guarantee enhanced security.

Certificates

On the Certificates tab, you can choose whether only the available signature certificates are displayed during the signing operation, or whether other certificates should always be offered for selection as well (e.g. encryption certificates or certificates belonging to other persons working on the same computer). If this option has not been selected, a separate certificate selection dialog window may be displayed before you sign or decrypt data.

Certificate selection

The signature certificates on the card are displayed in the certificate selection dialog window. In many cases, this window is not shown because only one certificate is available for selection.

- Choose a certificate by clicking it. The bottom pane displays the name of the certificate holder, the issuer and the validity period. If SigG appears in the issuer field, the certificate in question is generally a qualified certificate which complies with the Signature Act.
- Click Apply once you have selected the correct certificate.

Properties

The name and function of the card reader can be viewed using the Properties dialog. On the Card tab, you can see the card's description (in most cases along with the issuer) and the card number. Under Certificates, you can display the certificates of the card currently plugged into the reader. To do this, click the certificate in the list. The details are then listed at the bottom of the window. You can read about how to export certificates in the next section (see "Exporting an encryption certificate" on page 79).

Exporting an encryption certificate

The Security Environment Manager allows you to export your encryption certificate. You can then e-mail the certificate to someone else.
This person can then use your certificate to encrypt documents that you can decrypt.

How to export your certificate:
- Insert your OPENLiMiT card in the card reader. The chip icon in the taskbar turns yellow.
- Click the chip icon and select Export encryption certificate from the menu.
- Save your certificate in the folder you have selected.

Changing your PIN

In the Security Environment Manager, you can change the PIN for your card (the card may hold multiple PINs) whenever you wish. You should do so if you suspect that somebody else may know your PIN.

Changing the SigG PIN

The SigG PIN is used for the qualified signing of documents in SignCubes Workflow or SignCubes Viewer. If you use a card reader with secure PIN input, your PIN may only contain digits. However, if you always use a standard computer keyboard, you may choose a password containing letters and other characters.

How to change your SigG PIN:
- Insert your OPENLiMiT card in the card reader. The chip icon in the taskbar turns yellow.
- Click the chip icon and select Card Wizard.
- Wait for the Card Wizard to start and then click Next.
- In the next window, check that the card reader has been recognized and then click Next.
- Choose Change PIN for qualified electronic signature (SigG-PIN) and click Next. The next window displays a message with several points to keep in mind when changing your SigG-PIN.
- Click Next.
- Enter your current SigG-PIN and confirm your entry by clicking OK.
- Enter your new SigG-PIN (at least 6 digits) and click OK.
- Confirm your SigG-PIN by entering it again and then click OK.
- A message is displayed telling you that your SigG-PIN has been changed successfully. Click Cancel to quit the Card Wizard.
Changing the global PIN

The global PIN is used to encrypt and decrypt data in OPENLiMiT SignCubes, as well as to generate advanced e-mail signatures in Outlook. If you use a card reader with secure PIN input, your PIN may only contain digits. However, if you always use a standard computer keyboard, you may choose a password containing letters and other characters.

How to change your global PIN:
- Insert your OPENLiMiT Card in the card reader. The chip icon in the taskbar turns yellow.
- Click the chip icon and select Change PIN.
- Wait for the Card Wizard to start and then click Next.
- In the next window, check that the card reader has been recognized and then click Next.
- Choose Change global PIN and click Next. The next window displays a message with several points to keep in mind when changing your global PIN.
- Click Next.
- Enter your current global PIN and confirm your entry by clicking OK.
- Enter your new global PIN (at least 6 digits) and confirm your entry by clicking OK.
- Confirm your global PIN by re-entering it and then click OK.
- A message is displayed telling you that your global PIN has been changed successfully. Click Cancel to quit the Card Wizard.

Security Object Loader (updating revocation lists)

When verifying signatures, you should download the latest security files beforehand so that you always have the up-to-date status. These files are primarily revocation lists. The Public Key Directories provided by the RegTP should also be updated at regular intervals.

Downloading new revocation lists:
- Click the OPENLiMiT icon in the taskbar.
- Choose Update CRL.
- The CRL Loader opens with a starting dialog page, which you confirm by clicking Next.
- Select the required security files from the list by clicking the check boxes.
- Click Next.
- The listed files can be updated by clicking Start. You can change your selection again by clicking Back. The file status indicates the current progress of the download of the relevant file. When the download has been completed, a list of results is generated.
- After that, click Finish.

SignCubes Shell Extension

SignCubes Shell Extension allows data to be signed and encrypted directly in Windows Explorer. Of course, it also integrates signature verification and decryption functions. If you right-click a file, you will find the option OPENLiMiT SignCubes in the shortcut menu.

Shortcut menu

If you right-click a file in Windows Explorer, a shortcut menu opens in which the menu option OPENLiMiT SignCubes is displayed. Below this menu option, you will generally find the following options:

Sign file
Encrypt file
Sign and encrypt file

Other options, such as

Verify signature(s)
Detach data and signature(s)
Decrypt file

are displayed if the files in question have already been signed or encrypted. The functions initiated by these commands are explained in detail under operational procedures (see page 121).

Files and icons in Explorer

Signed and encrypted files can also be recognised in Explorer by their icons (under Windows 2000 or later). Encrypted files or files containing a signature (p7m) have a SignCubes icon with a red border. Signatures stored as single files (p7s) have a SignCubes icon and a red seal. A file with a detached signature in a separate file (p7s) is given the icon for the signed document, a red seal. SignCubes containers (*.scz) have a turquoise icon. In the latest operating systems, however, these files are frequently hidden. To display them, select Folder Options... in Windows Explorer (Tools menu) and enable the option Show hidden files and folders under Hidden files and folders.
More information about the files can be found under File formats (see page 70).

SignCubes Crypto Service Provider

Using the SignCubes Crypto Service Provider (CSP), you can sign and encrypt e-mails directly in Microsoft Outlook or Outlook Express. To be precise, SignCubes CSP is not used for encrypting data or verifying signatures. It is only used for the functions for which the card is also needed, i.e. for signing and decrypting data. This signature is an "advanced signature", for which an advanced certificate is used. The purpose of the Outlook signature is to secure data during transport and to identify the communicating parties. E-mails can, of course, also be encrypted and decrypted.

The following explanations mainly relate to functions and settings in Microsoft Outlook or Outlook Express, and are not exhaustive. If something has been left out here, refer to the online help or the manual of the relevant program. In each case, you will require a configured account in one of the two programs that contains the e-mail address of your certificate. You can read how to set up an e-mail account in the section "First steps" of the Outlook (Express) online help.

Outlook settings

Outlook Express

In order to execute all the available security functions using Outlook Express, you require an e-mail account with the e-mail address contained in your certificate. This is the e-mail address you specified when you completed the application for the card. When signing or decrypting data, your certificate will then be used automatically when the card is inserted into the card reader.

- Navigate to Extras - Options - Read and click Fonts.
- Here you need to configure a 7-bit encoding. For instance, choose Unicode and UTF-7.
- Then click the button As default to set this as the default encoding.
If you would like to sign and encrypt data automatically, you can set this option under Tools - Options - Security. However, you can also sign and/or encrypt (see "Signing and encrypting" on page 92) each message individually.

Outlook

With Outlook, you must first select the signature certificate and the encryption certificate.

- Under Tools - Options - Security, you will find the options for secure e-mail.
- Click Settings....
- Under Security Setting Preferences, choose S/MIME as the security format for messages.
- Under Certificates and Algorithms, select the following settings:
  Signing Certificate: your e-mail signature certificate
  Hash Algorithm: SHA1
  Encryption Certificate: your e-mail encryption certificate
  Encryption Algorithm: 3DES
  Enable the option "Send these certificates with signed messages".
- Click OK.

On the Security tab, you can also select the option to sign and encrypt messages automatically. However, this can also be done individually for each e-mail message.

- Under Tools - Options - Mail Format, click International Settings and select a 7-bit encoding for outgoing and incoming e-mails. We recommend UTF-7.

Integrating encryption certificates into contacts

In order to encrypt data for a certain person, you require that person's certificate. To obtain it, ask that person to send you a signed e-mail, because such a message automatically contains their certificate, provided they have applied the settings described above.

How to integrate an encryption certificate into a contact:
- Open the signed message so that it appears in a separate window.
- Right-click the sender's name.
- Select Add to contacts. If the contact already exists, its data is updated with the new information; otherwise a new contact is created automatically. E-mails can now be encrypted for this recipient.
IMPORTANT: Do not use any method other than the one described here to integrate encryption certificates into contacts! Outlook sends hidden information regarding the encryption algorithms with the signed e-mail. If you integrate the certificate into the contact using another method, e-mails to this address may be encrypted using an incorrect algorithm.

Signing and encrypting

In Outlook or Outlook Express, various security settings can be applied to all e-mails under Tools - Options - Security. If you would prefer to decide for each e-mail individually whether it is to be encrypted and/or signed, this can be set in the e-mail window.

Outlook Express

In Outlook Express, you can click Sign or Encrypt in the e-mail window. Then, when the e-mail is sent, the CSP is started and you are (normally) prompted for your PIN. If you have set up more than one e-mail account, you have to send the e-mail from the account whose address is contained in the certificate. Otherwise, Outlook Express cannot sign the e-mail.

Outlook

In Outlook, you must first click Options in the e-mail window, and then tick the appropriate check boxes to sign and encrypt e-mails individually. Here too, if you have set up more than one account, send the e-mail using the address contained in your certificate.

Outlook XP

The procedure in Outlook XP is slightly more complicated. In the e-mail window, click Options and then Security Options in the top right corner. Then select Sign and Encrypt.

Sending signature and plain text

This setting applies to signed messages, but not to encrypted ones. If you send the signature and the plain text separately (detached signature), recipients whose client does not support signed messages (e.g. AOL) can also read your e-mail. Some recipients (e.g. T-Online) are also able to verify the signature.
In order to encrypt messages, the certificates of the recipients must be integrated into the corresponding contacts.

Decrypting and verifying a signature

If you receive an encrypted e-mail, you can recognise it by the blue lock attached to the icon. An encrypted e-mail is not displayed in the preview window. The e-mail is only opened once you have double-clicked it and entered your PIN.

Signed e-mails are indicated by a red seal. Signatures are verified automatically according to the settings you have made. If you would like to perform the verification manually, click the red seal in the top right corner of the opened e-mail. The verification is similar to that in SignCubes, but here it is performed by Outlook. Refer to the Outlook online help for further details.

SignCubes Workflow

SignCubes Workflow unifies all essential functions within an easy-to-use interface. SignCubes Workflow creates a secure container, the so-called Secure Zip (*.scz). The data contained in this container is compressed and can be extracted again using any off-the-shelf zip program. Any kind of data can be imported into this container and signed, encrypted and verified there. Alternatively, you can simply write some text (such as an e-mail), append a file as an attachment, sign and encrypt everything, and then send it automatically as a secure, compressed package via the Internet using your mail client.

Open

Opening a SignCubes Workflow document:
There are three different ways of opening a new *.scz document.
- Click Start - Programs - OPENLiMiT - OPENLiMiT - SignCubes,
- or click the OPENLiMiT icon in the taskbar and select New File...,
- or transfer a visualization file from SignCubes Viewer to SignCubes Workflow.

Introduction to the user interface

Windows

The SignCubes Workflow user interface is split into four windows: On the left, with a colour gradient, is the selection window.
When one of the buttons Entire Document, Visualisation or Filing is clicked, the relevant area opens, displaying the corresponding selection options.

Filing: Here, you can open the relevant folders in Windows Explorer.
Visualisations: Here you can select visualisations, which will then be displayed by SignCubes Viewer.
Entire Document: Here, the folders of the entire document can be found, as shown in the illustration below.

Above is the information window, in which information is displayed regarding the elements selected below. Below is the browser area with the file tree in the middle. Here you can see which folders are contained in the entire document. At the bottom right, in the display window, everything you selected in the file tree is listed.

Toolbars

There are three toolbars: Standard, Security and Insert.

Standard: Contains the familiar Windows commands.
Security: Encrypt / decrypt, Sign and Verify signature.
Insert: New folder, Insert folder, Insert file.

Menus

These commands ...        ...are run from the menus
New document              File - New
Open document             File - Open
Save                      File - Save
Save as                   File - Save as
Copy                      Edit - Copy
Paste                     Edit - Paste
Sign                      Security - Sign
Encrypt                   Security - Encrypt
Decrypt                   Security - Decrypt
Verify signature          Security - Verify signature
New folder                Edit - Add - New folder
Add folder                Edit - Add - Folder
Add file                  Edit - Add - Files

Visualisation

In order to "display a file reliably", as required by the German Signature Act (SigG) under certain conditions, SignCubes integrates a so-called secure viewer (SignCubes Viewer). Using this viewer, you can place all printable data in a visualisation, which has the additional advantage that the data cannot be modified at will. This means that signatures cannot be violated unintentionally.

Visualisation:
- Print the file from the program in which it was created.
  Normally, this is done using the command File - Print. Select the SignCubes printer and confirm by clicking OK. In Word, a signature button is also available on most operating systems. This signature button performs the above-mentioned steps automatically.
- After that, SignCubes Viewer opens and displays the file.

Long delays in displaying the file in SignCubes Viewer may be caused by unfavourable settings in the SignCubes printer properties.

SignCubes printer properties

Changing the printer properties:
- In the program you are currently working with, select File - Print...
- Under "Name", select SignCubes.
- Click Properties...

Several tabs are shown in the Properties of SignCubes dialog window:

Tab                   Description
Device Settings       General printer settings
File Formats          Output format for the file
Filename Generation   Output name for the file
Start Application     Program which is started after printing
Embed Annotation      For adding remarks and comments
Watermark             This function has not been implemented

Device Settings

Paper Size

Paper: Here you can choose the paper size. If the selected paper size is smaller than the document you want to print, parts of it will not be shown in the SignCubes visualisation. If this is the case, a warning message is displayed as soon as you click OK.
Paper width, Paper height: The width and height of the selected paper are displayed here. You can define which units are used to represent the dimensions under Units.
Add FAX header: Has no function in SignCubes.
Advanced Paper Size: This function is not available.

Force Fax Resolution

Create faxable image: This function optimises the resolution of the output format for faxing documents. As the resolution is extremely low, the quality of the visualisation of the document is also poor. You are advised not to use this function.
Orientation

Portrait/Landscape: Here you can choose whether to use a portrait or landscape layout.
Rotate Landscape Image to Portrait: The document is printed using a landscape format rotated by 90°.

Resolution

The graphical resolution of the visualisation is defined here.

Important: The settings in this section have a major effect on the quality and size of the output file. You must therefore be careful not to create unnecessarily bloated files. Otherwise the visualisation will take a very long time, and problems may arise due to the size of the file when you send the signed version by e-mail.

Graphic Resolution:
  High Resolution (default setting): This setting enhances the appearance of the document, although visualisation takes longer.
  Medium Resolution: Faster visualisation, at the cost of quality. Suitable for text documents and tables.
  Draft Resolution: Extremely fast output, low quality.
  CUSTOM Resolution: Here you can specify the resolution you want to use by entering the appropriate values in the two boxes below.
Horizontal Resolution: The horizontal resolution is shown here.
Vertical Resolution: The vertical resolution is shown here.
Force Printer DPI: This function is not available in SignCubes.
Generated Image Size: Shows the size of the file created by the SignCubes printer for the visualisation. Generally speaking, the larger the file, the higher the quality of the visualisation and the longer it takes to display, and vice versa.

File Formats

This tab contains the options for the output format.

File Format: This menu shows the different file formats which can be used for the visualisation. Important: Retain the default format (TIFF Packed), as the file will not be printed with some of the other settings.
Color Depth: Here you can define the number of colours:
  1 bit (black & white)
  8 bits (256 colours)
  8 bits gray scale (256 grey tones)
  24 bits (thousands of colours)
As with the option Graphic Resolution, the higher the quality of the visualisation, the larger the created document will be and the longer it will take to print.

Options

Create Multipage Image: This option is enabled by default, as otherwise only one page of the original document will be shown in the output.
Disable Image: This function is not supported by SignCubes.
Eastern Character Support: Support for printing Asian characters.
Write Text File: The printer also creates a .txt file containing the contents of the document.

TIFF Options: These functions are not available in SignCubes. Modifying the default settings may result in visualisations not being displayed.
Photo Quality: These settings are not available in SignCubes.

Filename Generation

Name Generation Method: These settings determine how the filename (prefix) and filename extension are generated. Do not change any of the settings in this section, as otherwise the visualisation may not function correctly.
Use this prefix and extension / Filename: Default setting: the filename and extension are generated automatically. Important: You are advised to retain these settings. No further input is required if the default setting for Name Generation Method is retained.
Filename Prefix: No input is required if the default setting is retained.
Filename Extension: No input is required if the default setting is retained.
Output Directory: The folder in which the printer stores the temporary files for the visualisation is shown here.
Group File Options: This option is not available in SignCubes.

Start Application

Enable Start Application: This option should be enabled.
  If this is not the case, SignCubes Viewer will not start (documents will not be visualised). The default setting is restored when a user logs onto the operating system or the computer is rebooted.
Application: The program which is launched for the visualisation is shown here. The default setting is restored here as well when a user logs onto the operating system or the computer is rebooted.
Start Before Printing: Selecting this option will prevent SignCubes Viewer from starting.
Start After Printing: Default setting. The default setting is restored here as well when a user logs onto the operating system or the computer is rebooted.
Pass Parameters: This option should be enabled, otherwise documents cannot be visualised. The default setting is restored when the computer is rebooted or a user logs onto the operating system.
Disable the Messaging Interface: This function is not available.

Embed Annotation

All of the options selected in this tab are restored to the default settings when a user logs onto the operating system or the computer is rebooted.

Embed Annotation: If you enable this option, you can add comments to the file you want to sign. However, these comments are embedded in the TIFF file (just like any other text). Care should therefore be taken when using this option.
Text String: Enter your text here.
Font Selection: Fonts can be defined here.
Date: The current date is inserted if this option is enabled.
Date Format: Here you can specify the date format.
Time: Select this option to add the time.
Time Format: Here you can specify the time format, and choose whether you want to include the minutes, seconds and time zone.
Annotation Position: Here you can choose how the text is positioned.
Annotation Color: The colour of the text can be selected here.
Attachments

You can insert all kinds of files into the document and sign or encrypt them there.

Inserting attachments:
- Click Filing in the lower left area and then My Computer or My Documents.
- Windows Explorer now opens.
- Using drag & drop, simply drag the data onto the Entire Document or into any prepared folders. Of course, you can also import entire folders.
- Or click Edit - Add and, in the dialog window, choose the files or folders to be inserted.

Pages of text

You can open pages of text directly in the SignCubes Workflow interface, enter text, format it and save it again. This is the alternative to signed e-mail, because it also provides "trustworthy representation" in compliance with the Signature Act.

Opening a page of text:
- Click the button Page of text. An empty text window opens at the bottom of the screen.
- Enter the text.
- You can format the text using the list boxes and the format bar in the same manner familiar from other programs.
- The page of text is closed and saved automatically by clicking the X in the top right corner of the text window. You can find it in the Entire Document under the name "unnamed1.rtf".
- You can rename the page of text using Edit - Rename.
- You can also right-click the document and select Rename from the shortcut menu.

Opening TXT pages:
- If you click the arrow beside the text button, you can choose between RTF and TXT. RTF pages can be formatted as described above. TXT pages consist of plain characters without any formatting.

Notes

Note attachments can be added to any element contained in the Entire Document.

Attaching notes to a file:
- Select the element to which the note is to be attached.
- Click the Note button. A note opens in which you can enter the text.
- Clicking Colour repeatedly causes the background colour of the note to change.
- Clicking the pin symbol in the top right corner fixes the note to the desktop.
- The contents are saved automatically and the note is closed by clicking the X in the top right corner or by selecting Close. The note does not appear in the Entire Document, but is opened automatically by clicking the element to which the note is attached.
- Click the arrow next to the button in order to display all the notes of the document individually. They can also be reopened here.

Send

You can send the *.scz file by e-mail directly from within the interface. In principle, all e-mail programs with a Simple MAPI interface are supported. This includes Outlook, Outlook Express, Eudora, Netscape Messenger and AOL 7.0. If an e-mail window does not open when you are sending an e-mail, check whether your MAPI-enabled e-mail program is registered as the operating system's default mail client.

Sending:
- Click the Send button. You are then asked whether the entire document (the container) should be encrypted again and/or signed.
- Tick the check boxes in front of the options if required, or simply click OK if you want to send the document as it is.
- The remaining operations for encrypting and signing data have been outlined in the previous sections: you choose the certificates and enter the PIN if required. The e-mail window of your default mail client then opens (provided it supports Simple MAPI).
- Here, choose the recipient as usual and send the e-mail with the *.scz document as an attachment.

Save

Saving the whole container:
- Click the Save button or select File - Save. You are then asked whether the entire document (the container) should additionally be encrypted again and/or signed.
- If you wish, tick the check boxes in front of the options.
The remaining operations for encrypting and signing data have been outlined in the previous sections. You choose the certificates and enter the PIN if required.
- If the container is neither signed nor encrypted, it is saved as an *.scz file after clicking OK. A signed or encrypted container is always a *.p7m file.

SignCubes Viewer

SignCubes Viewer is one of the most important modules of OPENLiMiT SignCubes. It serves as a secure display unit, which means you can use it to make sure that you do not sign anything you do not want to sign. SignCubes Viewer offers several tools to display and examine the contents of a document. This is important, since documents may contain active or hidden contents which other programs might not display. If you sign a document without examining it in SignCubes Viewer, you might sign something that you never saw. SignCubes Viewer can display TIFF or text files. If active or hidden contents are detected, SignCubes Viewer warns you when you open the document.

The SignCubes Viewer user interface

The SignCubes Viewer user interface is divided into two windows. The left window shows a document preview with the individual pages of a document and their page numbers. Click one of the pages shown on the left to display the contents of that page in the window on the right. The right window displays the contents of a page and is used to examine the contents of a document.

The toolbars

Standard. The following functions can be executed from this toolbar:
Open file: Open TIFF or text files.
Save file as: Save the file under a different name or location.
Page preview: Shows a print preview.
Print: Click here to print out your file.
Info: Displays version and copyright information.

View. This toolbar is only active for TIFF files. Text files are always displayed in original size and black-and-white.
Fit width: The image is resized to fit the width of the window.
Fit in window: The image is resized to display the entire page in the window.
Original size: The image is displayed 1:1.
User defined: Zoom the image in or out, from 10% to 300%.
Black-and-white: Display a colour or grayscale image in black-and-white.
Grayscale: Display the image in grayscale.
Original: Go back to the original display of an image that is currently shown in black-and-white or grayscale.

Signature.
Sign: Electronically sign the displayed file.
Verify signature: Check a file's electronic signature.

Applications.
e-mail: Transfer the opened file to a MAPI-capable e-mail client.
Workflow: Transfer the file to SignCubes Workflow.
ELO: Transfer the file to ELO.

Menus

In addition to the functions already described above, the menus contain functions that are not in the toolbars. All functions are briefly described below.

File menu
Open file: Open TIFF or text files.
Save as: Save the file under a different name or location.
Print: Print your file.
Page preview: Shows a print preview.
Printer setup: Choose and configure a printer.
Properties: Shows the file's properties.
Quit: Exit the application.

Edit menu
Sign: Electronically sign the displayed file.
Verify signature: Check a file's electronic signature.

View menu
Fit width: The image is resized to fit the width of the window.
Fit in window: The image is resized to display the entire page in the window.
Original size: The image is displayed 1:1.
User defined: Zoom the image in or out, from 10% to 300%.
Rotate left: Rotate the page 90 degrees counter-clockwise.
Rotate right: Rotate the page 90 degrees clockwise.
Flip: Rotate the page 180 degrees.
Further file contents: Opens a window which lists the contents of the file in great detail.
Please read the chapter Show further file contents (see page 115) for more information.

Show further file contents

Choose View - Further file contents to open a window which displays hidden or not clearly defined contents of your file. The information displayed in the window differs for text and TIFF files. The first screenshot shows the detailed information for a text file; the second screenshot shows the information for a TIFF file.

In a TIFF file, for example, you can view either all the tags, just the text tags, or just the unknown tags. At the bottom of the window, this data is shown in hexadecimal code; you can also switch the view to decimal figures. When you scroll down the window, you will see an area in which the application attempts to show the information in the file as plain text. This allows you to recognise any hidden contents and to decide, for example, whether you really want to sign this file despite these contents.

TIFF files frequently contain additional information such as the name of the author. This information is often not displayed in image processing software. The SignCubes Secure Viewer's analysis function enables you to view these hidden contents anyway. For more detailed information regarding the analysis of files using SignCubes Viewer, please read the chapter Working with the Secure Viewer in the Online Help.

Adobe Plugin

Adjusting the basic settings:
- Open Adobe Reader or Adobe Acrobat.
- Choose Edit - Preferences...
- Choose Digital Signatures from the left window.
- Under Default method to use when signing, choose OPENLiMiT SignCubes Adobe Plugin.
- Check the option Verify signatures when the document is opened.
- Choose OPENLiMiT SignCubes Adobe Plugin for Default method for verifying signatures.
- Click OK to save the settings.
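The three views the Show further file contents window offers for a TIFF (all tags, text tags only, unknown tags only, plus the plain-text area at the bottom), and the annotation text that the Embed Annotation tab writes into the TIFF, can be reproduced outside the viewer. The Go program below is an added example written for this edition of the guide; it is not OPENLiMiT code and does not describe how SignCubes Viewer is implemented. It builds a constructed one-pixel TIFF whose directory carries an ImageDescription, an Artist tag and a private tag 65000 (tag numbers and field types are from the TIFF 6.0 specification; the sample strings, the tag 65000 and the short knownTags table are assumptions of the example), parses the directory with a bounds check on every offset, and reports what a pure image viewer would never show.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Entry is one IFD entry of a TIFF file: tag, field type, value count and raw value bytes.
type Entry struct {
	Tag, Type uint16
	Count     uint32
	Data      []byte
}

// Finding is one tag the viewer would flag: its number, its name ("" if unknown) and,
// for ASCII tags, the text it carries.
type Finding struct {
	Tag        uint16
	Name, Text string
}

// typeSize is the byte width of each TIFF 6.0 field type (2 = ASCII, 3 = SHORT, 4 = LONG, ...).
var typeSize = map[uint16]uint64{1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

// knownTags is a deliberately short baseline table (an assumption of this example); every
// tag outside it is reported as unknown, which is what makes private tags visible.
var knownTags = map[uint16]string{256: "ImageWidth", 257: "ImageLength", 258: "BitsPerSample",
	259: "Compression", 262: "PhotometricInterpretation", 270: "ImageDescription", 273: "StripOffsets",
	278: "RowsPerStrip", 279: "StripByteCounts", 305: "Software", 315: "Artist", 33432: "Copyright"}

// ParseIFD reads the first image file directory with a bounds check on every offset and
// size, so a hostile file can neither read past the buffer nor overflow a size product.
func ParseIFD(tiff []byte) ([]Entry, error) {
	if len(tiff) < 8 {
		return nil, errors.New("file shorter than a TIFF header")
	}
	var bo binary.ByteOrder
	switch string(tiff[:2]) {
	case "II":
		bo = binary.LittleEndian
	case "MM":
		bo = binary.BigEndian
	default:
		return nil, errors.New("no TIFF byte-order mark")
	}
	if bo.Uint16(tiff[2:4]) != 42 {
		return nil, errors.New("bad TIFF magic number")
	}
	ifd, size := uint64(bo.Uint32(tiff[4:8])), uint64(len(tiff))
	if ifd+2 > size {
		return nil, errors.New("IFD offset outside file")
	}
	n := uint64(bo.Uint16(tiff[ifd:]))
	if ifd+2+12*n > size {
		return nil, errors.New("IFD truncated")
	}
	entries := make([]Entry, 0, n)
	for i := uint64(0); i < n; i++ {
		p := ifd + 2 + 12*i
		e := Entry{Tag: bo.Uint16(tiff[p:]), Type: bo.Uint16(tiff[p+2:]), Count: bo.Uint32(tiff[p+4:])}
		width, ok := typeSize[e.Type]
		if !ok {
			return nil, fmt.Errorf("tag %d: unknown field type %d", e.Tag, e.Type)
		}
		length, start := width*uint64(e.Count), p+8 // values of up to 4 bytes sit inline
		if length > 4 {
			start = uint64(bo.Uint32(tiff[p+8:])) // otherwise the entry holds an offset
		}
		if start+length > size {
			return nil, fmt.Errorf("tag %d: value outside file", e.Tag)
		}
		e.Data = tiff[start : start+length]
		entries = append(entries, e)
	}
	return entries, nil
}

// HiddenContent returns every tag that is ASCII text or absent from the baseline table,
// the two filters ("text tags", "unknown tags") the viewer offers besides "all tags".
func HiddenContent(entries []Entry) []Finding {
	var out []Finding
	for _, e := range entries {
		name, known := knownTags[e.Tag]
		if e.Type == 2 || !known {
			f := Finding{Tag: e.Tag, Name: name}
			if e.Type == 2 {
				f.Text = strings.TrimRight(string(e.Data), "\x00")
			}
			out = append(out, f)
		}
	}
	return out
}

// PrintableRuns is the "plain text" view: every run of at least minLen printable ASCII
// bytes anywhere in the file, found without trusting the TIFF structure at all.
func PrintableRuns(data []byte, minLen int) []string {
	var runs []string
	start := -1
	for i := 0; i <= len(data); i++ {
		printable := i < len(data) && data[i] >= 0x20 && data[i] <= 0x7e
		if printable && start < 0 {
			start = i
		} else if !printable && start >= 0 {
			if i-start >= minLen {
				runs = append(runs, string(data[start:i]))
			}
			start = -1
		}
	}
	return runs
}

// SampleTIFF is a constructed 1x1 bilevel image whose IFD carries an ImageDescription,
// an Artist tag and a private tag 65000, each holding text that no image viewer renders.
func SampleTIFF() []byte {
	type ent struct {
		tag, typ uint16
		inline   uint32 // value of a SHORT/LONG field that fits in the 4-byte slot
		blob     []byte // out-of-line data; for StripOffsets the slot then holds its offset
	}
	desc, artist, private := "Contract, final version\x00", "Hidden author name\x00", "draft clause removed before signing\x00"
	ents := []ent{{256, 3, 1, nil}, {257, 3, 1, nil}, {258, 3, 1, nil}, {259, 3, 1, nil}, {262, 3, 0, nil},
		{270, 2, 0, []byte(desc)}, {273, 4, 0, []byte{0x00}}, {278, 4, 1, nil}, {279, 4, 1, nil},
		{315, 2, 0, []byte(artist)}, {65000, 2, 0, []byte(private)}}
	le := binary.LittleEndian
	heapBase := uint32(8 + 2 + 12*len(ents) + 4) // header + count + entries + next-IFD pointer
	ifd, heap := new(bytes.Buffer), new(bytes.Buffer)
	binary.Write(ifd, le, uint16(len(ents)))
	for _, e := range ents {
		count := uint32(1)
		if e.typ == 2 {
			count = uint32(len(e.blob))
		}
		binary.Write(ifd, le, []uint16{e.tag, e.typ})
		binary.Write(ifd, le, count)
		if e.blob == nil {
			binary.Write(ifd, le, e.inline)
		} else {
			binary.Write(ifd, le, heapBase+uint32(heap.Len()))
			heap.Write(e.blob)
		}
	}
	binary.Write(ifd, le, uint32(0)) // no further IFD
	out := new(bytes.Buffer)
	out.WriteString("II")
	binary.Write(out, le, uint16(42))
	binary.Write(out, le, uint32(8))
	out.Write(ifd.Bytes())
	out.Write(heap.Bytes())
	return out.Bytes()
}

func main() {
	tiff := SampleTIFF()
	entries, err := ParseIFD(tiff)
	if err != nil {
		panic(err)
	}
	for _, f := range HiddenContent(entries) {
		fmt.Printf("tag %5d %-18s %q\n", f.Tag, f.Name, f.Text)
	}
	fmt.Println("plain text scan:", PrintableRuns(tiff, 8))
}
```

Run as is, the program lists the description, the author name and the private tag's text, marks tag 65000 as unknown, and finds the same three strings in the plain-text scan. The bounds checks in ParseIFD are the point of the exercise: a file you are about to sign is attacker-supplied input, and a parser that trusts its offsets is as dangerous as a viewer that hides its tags.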
Signing PDF documents

If a PDF form contains one or more digital signature fields, you can use the OPENLiMiT SignCubes Adobe Plugin to create a qualified digital signature in the document and then save the file. If you want to sign a PDF form with Adobe Reader, the form must have been provided with additional rights (Adobe forms server solutions). To sign a PDF form using Adobe Acrobat, it is sufficient that the document has been created using Adobe Acrobat. To create a signature field in Adobe Acrobat, please refer to the Adobe Acrobat help file.

How to sign a PDF document:
- Open the file. The PDF file contains one or more signature fields. A signature field is indicated by a red arrow in the upper left of the field.
- Insert your OPENLiMiT Card into the card reader and wait for the chip icon in the task bar to turn yellow.
- Click the signature field. Adobe Reader or Adobe Acrobat then opens a window in which you can modify further settings.
- Set the options as desired and click Sign and save as... A window showing the details of the signature request opens. Here you can see the certificate which will be used for creating the signature, as well as the card, the necessary PIN, the card reader and the data to be signed.
- Click Create signature.
- Enter the PIN in the PIN dialog window. If you are using secure PIN input, use the card reader's pinpad to enter the PIN.

Verifying a signature in a PDF form

If a PDF document already has a digital signature in a signature field, you can verify this signature in Adobe Reader or Adobe Acrobat. Signature verification depends on the settings for Adobe Reader or Adobe Acrobat.
- Open the PDF document. If the default method for verifying signatures is set to OPENLiMiT SignCubes Adobe Plugin, the verification dialog window opens. The summary states that the signature is valid.
This is, of course, what you want to see. If a different message is shown, this does not automatically imply that the signature is invalid. An example of a verification result might be: "The signature is mathematically correct. The certificate status could not be fully verified." That means that the signed data has not been changed, nor has the signature been forged. However, it was not possible to verify the certificate status, i.e. whether the certificate has been revoked.
- Details can be found on the second tab, which bears the name of the cardholder.

What the individual points mean:

Hash value verification: Integrity of the data (positive means the data has not been changed since the signature was issued).

Verification of the signature and certification path: Validity of the signature and completeness of the certification path. The certificate is not forged and can be traced back all the way to the root.

Creation time of the signature: This is the time setting on the signer's computer when the signature was created. It is taken from that computer's clock and is not independently confirmed.

Certificate status: Revocation and validity of the certificate. Revocation lists are used to verify whether the certificate has been revoked. If this cannot be verified here, it is advisable to download the latest revocation lists (see Updating revocation lists on page 131) or to verify the certificate online (see Online verification of certificates on page 133) by clicking the button Online status...
- In order to view the certification path, you should now display the certificate. For more details, please read the section Verifying signatures (page 125).

6. Operational procedures

The operational procedures between the various SignCubes modules are always the same. For this reason, we outline the operational sequences only once, in this separate section. How to start or control these sequences is described under The SignCubes Modules (page 71).

6.1. Sign

The OPENLiMiT SignCubes software enables users to create a qualified signature in accordance with the German Signature Act. Advanced or other signatures can also be created. The Signature Act stipulates various requirements which must be fulfilled by qualified signatures. For example, "if necessary" the data is to be converted into a trustworthy form of representation. This facility is provided using a visualisation or a page of text. Because there are various interpretations of this "necessity", the decision on how to proceed rests with the user. In the case of important contracts and documents, we recommend the use of a "trustworthy representation".

Signing the file:
The certificate selection dialog shows the card's certificates. Often this dialog is not displayed, because only one certificate is available.
- Choose a certificate. In the bottom part of the window, holder, issuer and validity of the certificate are listed. If the information displayed under issuer includes "SigG", then it is a certificate for qualified electronic signatures according to the German Signature Act.
- Once you have selected the appropriate certificate, click Accept. A window showing the details of the signature request opens. Here you can see the certificate which will be used for creating the signature, as well as the card, the necessary PIN, the card reader and the data to be signed.
- Click Create signature.
- Enter the PIN in the PIN dialog window. If you are using secure PIN input, use the card reader's pinpad to enter the PIN.
- By clicking OK, you create the signature and a message confirming successful signature creation is displayed. If a message saying "the SigG-PIN you have entered has been rejected" is displayed, it means that you entered the wrong PIN.

Secure PIN input

PINs are usually entered securely using an external card reader with its own PIN keypad.
Keyboards with integrated card readers are also available, on which the number pad is blocked while the PIN is being entered. The most secure card readers are certified. With secure PIN input, the PIN is never transferred to the computer at all, and it cannot be read out because it is verified on the card. If the PIN is entered using a standard keyboard, there is a risk that someone could tap the entered PIN. For anyone exposed to particular risks, or who uses the signature for very important purposes, it is well worth investing in this extra element of security.

Entering a PIN on a card reader with secure PIN input:
If a card reader with secure PIN input is installed on your computer, secure PIN input starts automatically.
- Enter the PIN using the card reader's keypad.
- Press the Confirm key on the reader (usually green). Most card readers also have a Correct key, as well as a key to cancel the PIN input.

Card readers with secure PIN input have a time limit. If the time has expired, you must enter the PIN again.

6.2. Verifying signatures

The verification of a signature requires meticulousness and careful consideration. The following points should be verified: Has the document really not been changed? Is the holder of the signature genuine? Has the certificate been revoked? Several aspects of the verification are performed automatically by the software. However, the decision whether to trust a certificate or not lies with the user.

Qualified signatures in accordance with the German Signature Act can be traced without interruption all the way back to the German Regulatory Authority for Telecommunications and Posts (RegTP). The issuer certificate of the RegTP is integrated into the software. This certification path must be mathematically correct and complete, i.e. uninterrupted. However, other root certificates can also be defined as trustworthy in the operating system.
That is why it is essentially the decision of the user which certificates are trusted and which are not. You can find further background information regarding signature verification under Signature and encryption basics (page 31).

Summary

When you click Verify signature, the dialog window Details about verifying signatures is displayed. The summary of the signature verification first of all indicates whether the signature is valid, invalid or at least mathematically correct. If a signature is invalid, then the data has been modified and this signature cannot be trusted. Mathematically correct means that the file has not been modified since the time when the signature was issued and that the signature itself has not been manipulated either. However, in most cases the question of the certificate's trustworthiness still remains. This can be analysed in greater depth under Details, i.e. in the tab with the name of the signature's holder.

Details

What the individual options mean:

Hash value verification: Integrity of the data (it has not been altered since the signature was issued).

Verification of the signature and certification path: Validity of the signature and completeness of the certification path.

Creation time of the signature: This is the time setting on the signer's computer when the signature was created.

Certificate status: Revocation of the certificate. Revocation lists are used to verify whether the certificate has been disabled by revocation. If that cannot be verified here, it is advisable to download the latest revocation lists or to verify the certificate online by clicking the button Online status...

Displaying a certificate

Click Display certificate to open the Certificate dialog window.

General: The General tab tells the user more about the purposes of the certificate, e.g. signature, encryption or authentication. In addition, information about the holder (Issued for), the issuer (Issued by) and the validity is provided. The button Online status... only appears for certificates whose CA supports such a query. The certificate can be exported by clicking Copy to file. Give the certificate a name and choose the storage path. By default, it has the file extension *.cer.

Details: All details of the certificate are listed here.

Certification path: The certification path permits conclusions to be drawn as to the trustworthiness of a certificate. It models the structure of the certificate issuer. A personal certificate is always issued by a CA (trust centre or certification authority). This CA certificate can be traced (if necessary via other CAs) all the way back to a root certificate. For a German trust centre, the legally compliant certification is a certificate of the RegTP (German Regulatory Authority for Telecommunications and Posts). There are also cross-certificates, which are not connected hierarchically with one another. A cross-certificate declares that the issuing CA also trusts the CA whose certificate it signs. The European Bridge CA, for example, is structured in this way. One CA X trusts several other CAs, O, P and U, and signs their certificates. Thus, if I trust CA X, then I can also trust the CAs O, P and U in addition to every other certificate issued by CA X.

Updating revocation lists

When verifying signatures, you should download the latest security files beforehand in order to make sure you have the up-to-date status. These files are primarily revocation lists. The Public Key Directories provided by the RegTP should also be updated at regular intervals.

Downloading new revocation lists:
- Click the OPENLiMiT icon in the taskbar.
- Choose Update CRL. The CRL Loader opens with a starting dialog page, which you confirm by clicking Next.
- Select the required security files from the list by clicking the check boxes.
- Click Next.
- The listed files are updated by clicking Start. You can change your selection again by clicking Back. The file status indicates the current progress of the download of the relevant file. When it has been completed, a list of results is generated.
- After that, click Finish.

Online verification of certificates

In addition to the cross-check against the revocation list, the status of a certificate can also be queried online. Click Online status... to open the OCSP query. For the verification to be successful, you must be connected to the Internet. The status is ascertained automatically and then displayed. A certificate can be either valid, revoked or unknown. The result of the online verification is not displayed in the normal verification dialog window, which only relates to the revocation lists.

6.3. Encrypt

The encryption of data is not regulated by law. Nevertheless, it is advisable to encrypt data in addition to furnishing it with a signature, because that ensures that only certain persons can view the data. SigG certificates are not generally used for encryption; a separate encryption certificate is used instead. That does not change the security standard in any way. The validity of the encryption certificates can be verified in the same way as the signature certificates. The keys are created using the same security algorithm and stored on the card.

If you encrypt data that is on your hard disk, make sure to delete the original and also to empty the recycle bin.

Fundamentally speaking, you can encrypt data for any number of certificates. Every certificate holder can open the data.
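Encrypting for several certificates works the way PKCS#7/CMS enveloped data, the format behind the *.p7m container, works: the content is encrypted once under a fresh symmetric key, and that key is wrapped separately for every selected certificate, so each holder opens the data with their own private key and no one else can. The Go program below is an added example written for this edition of the guide, not OPENLiMiT code; it uses AES-256-GCM and RSA-OAEP from Go's standard library in place of the card and the SignCubes modules. The recipient identifiers, the archive record text and the choice of algorithms are assumptions of the example (the page does not state which algorithms SignCubes itself uses).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope follows the shape of PKCS#7/CMS enveloped data: one content-encryption
// key (CEK) wrapped separately for every recipient, and the content encrypted once.
type Envelope struct {
	WrappedKeys       map[string][]byte // recipient id -> CEK wrapped with RSA-OAEP
	Nonce, Ciphertext []byte
}

// Seal encrypts content for every public key in recipients (id -> key): one wrapped
// CEK per selected certificate, while the content itself is encrypted only once.
func Seal(content []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipient certificate selected")
	}
	cek := make([]byte, 32) // AES-256 key, fresh for every envelope
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKeys: map[string][]byte{}, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, content, nil)
	for id, pub := range recipients {
		// The recipient id as OAEP label binds each wrapped key to its slot.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, []byte(id))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[id] = w
	}
	return env, nil
}

// Open recovers the content with one recipient's private key. Any single holder
// suffices; without a matching private key nothing else in the envelope helps.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKeys[id]
	if !ok {
		return nil, errors.New("not encrypted for this recipient")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(id))
	if err != nil {
		return nil, errors.New("key unwrap failed: this private key does not match")
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo seals a constructed archive record once for an owner plus a person of trust
// and once for the owner alone, then shows who can still read each copy when the
// owner's card (the only copy of that private key) is gone and a new card is issued.
func Demo() (map[string]bool, error) {
	keys := make([]*rsa.PrivateKey, 3) // owner, trustee, replacement card
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	owner, trustee, replacement := keys[0], keys[1], keys[2]
	record := []byte("Archived contract, March 2004 (constructed sample)")
	shared, err := Seal(record, map[string]*rsa.PublicKey{"owner": &owner.PublicKey, "trustee": &trustee.PublicKey})
	if err != nil {
		return nil, err
	}
	alone, err := Seal(record, map[string]*rsa.PublicKey{"owner": &owner.PublicKey})
	if err != nil {
		return nil, err
	}
	out := map[string]bool{}
	pt, err := Open(shared, "owner", owner)
	out["two recipients, owner opens"] = err == nil && bytes.Equal(pt, record)
	pt, err = Open(shared, "trustee", trustee)
	out["two recipients, trustee opens"] = err == nil && bytes.Equal(pt, record)
	_, err = Open(alone, "trustee", trustee)
	out["single recipient, trustee opens"] = err == nil
	_, err = Open(alone, "owner", replacement) // new card, new key pair: old data stays locked
	out["single recipient, replacement card opens"] = err == nil
	return out, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-42s %v\n", k, v)
	}
}
```

The two negative results are the lesson: a second card issued later carries a new key pair and cannot open anything that was encrypted for the old one, so the second certificate has to be selected at encryption time, not after the loss.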
If you encrypt data for archiving, you should use at least two certificates (yours and that of a person of trust). If you were to lose your card, or if it became otherwise unusable, the encrypted data would be irretrievably lost: no copies of your private key exist, so recovery of the encrypted data is impossible. Of course, you can also apply for a second card.

Encryption certificates

Selecting encryption certificates:
- When you click Encrypt, the dialog window opens in which you can select the encryption certificates. Every certificate installed on the computer is displayed here. If you do not see any certificates on the left apart from your own, you must first obtain the certificates belonging to the recipients. This is explained under Directory service (page 136). The holders of the selected certificates will be able to decrypt the file after receiving it. It is thus advisable to also add your own certificate.
- When a certificate has been selected, the associated information can be viewed in the bottom window.
- The certificate is copied into the list on the right by clicking Add or by double-clicking the certificate name.
- Then click Apply to encrypt the data for the selected certificates.

Selected certificates can be moved from one window to the other using Add and Remove. Under Details..., you can view the certificate (see Displaying a certificate on page 128). In order to ensure that the certificate has not been revoked, click Details... to check the online status (if supported by the CA). Otherwise, a search in the Directory service (page 136, button More...) usually works as well.

Directory service

Click More... to open the directory client.

Search

You can use wildcards (*) in the search. Wildcards are placeholders which stand for unknown characters. If you do not use wildcards, you must know the exact name.
Preferably, enter surnames using wildcards, for example *Smith*. If the name in question is a very common one, then other search terms (such as the e-mail address or the given name) are probably more appropriate.

Searching for a certificate:
- Enter the search term(s) in the fields.
- Choose the directory service of the CA that issued the certificate.
- Click Start. If you want to search, do not click Next. The Next and Back buttons enable you to start a new search and to switch back and forth between the result and search dialogs.

If an error message appears indicating that the permissible range has been exceeded, your search has produced too many results. The purpose of this limit is to protect data privacy, so that it is not possible for someone to retrieve all the certificates simply by searching for *. To avoid this error message, enter more characters in the search term.

Result

All the located certificates are displayed in the results dialog window.

Accepting certificates:
The certificate information is displayed on the right by clicking the name. Click Details to review the certificate details (see Displaying a certificate on page 128). Most CAs remove revoked and invalid certificates from the directory service, so that a status verification is not required for a certificate retrieved in this way. Note that this applies only at the moment of retrieval; a certificate installed locally some time ago may have been revoked since, and should be checked as described under Encryption certificates. A certificate can be installed (see Installing certificates on page 142) so that it is displayed automatically on the computer during each encryption operation. You should do this for any certificates which you use frequently.
- Tick the check box in front of the names of those certificates which are to be included in the encryption.
- Click Apply. The certificates then appear on the right in the Certificate selection dialog window (Encrypt).

6.4. Decrypt

The PIN dialog window normally opens when you click Decrypt.
- Enter the PIN in the PIN dialog window. If you are using secure PIN input, use the card reader's pinpad to enter the PIN.

The data should now be shown again in plain text. In order to decrypt multiple files one after the other without having to enter the PIN each time, you can also "open" the card. This is explained in more detail under PIN entry prompt.

6.5. Exporting certificates

In order to send your encryption certificate to the parties with whom you are communicating, you must first extract it from the card and export it to a file. You can then simply send this file by e-mail.

Exporting certificates:
- Insert the card into the reader and make sure that it has been recognised.
- Click the yellow chip icon in the taskbar and choose the option Properties.
- In the Properties dialog window, click Certificates. All the certificates available on the card are displayed here.
- Click an item in the list in order to display the contents of the certificate. If key encryption or data encryption (or both) are displayed as the intended purpose, then the certificate in question is the encryption certificate.
- Click Details... to display the certificate in a separate window. The certificate is exported by clicking Copy to file...
- In the dialog window Export certificate, you can specify the file name and select the storage path. You will probably want to use the name of the certificate holder, i.e. your own name.
- Click Save to save the certificate as a *.cer file, which can be used by any standard encryption software.

6.6. Installing certificates

You can easily install a certificate from the directory service (page 136) by clicking the Install button in the Results dialog window. The next time you encrypt data, the certificate will appear automatically in the certificate selection dialog.
The certificates contained on the card inserted into your card reader are installed automatically. If you receive a certificate by a different method, e.g. by e-mail, it arrives in the form of a file. You must install it using the Windows certificate dialog.

Installing certificates under Windows:
- Double-click the certificate.
- In the Windows certificate dialog window, click Install Certificate. The validity statements of the Windows certificate dialog are not relevant here, because Windows cannot fully interpret SigG certificates: negative statements may result from incompatibility with the signature standards or from missing algorithms, and say nothing about the certificate itself. Check such certificates with the SignCubes verification described above instead. The installation wizard then opens.
- In the Start dialog window, click Next to open the Save certificate dialog.
- Select Save all certificates in the following storage path.
- Click Browse...
- Choose the folder My Certificates and confirm your selection by clicking OK.
- In the wizard, click Next and then Finish.

The next time you encrypt data, the certificate will appear automatically in the certificate selection dialog.

6.7. Saving certificates in file form

In most cases, you will want to save encryption certificates as files so that you can send them by e-mail. In order to save a certificate as a file, you must first display it.
- To do this, click the button Details... in a certificate selection dialog window (e.g. after the directory service search, in the properties dialog of the Security Environment Manager in which the certificates of the card are displayed, or when signing and encrypting data). The certificate is then displayed.
- Click Copy to file... to open the dialog window for saving a *.cer file.
- Here, specify the name and the storage path. Click OK to save the certificate in a file.
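The verification sequence of section 6.2 (hash value, signature and certification path, certificate status from a revocation list, with the online status query as the alternative) can be reproduced end to end. The Go program below is an added example written for this edition of the guide, not OPENLiMiT code; it uses Go's standard library in place of the SignCubes modules and a constructed two-level hierarchy (one root CA and one signer certificate) in place of a trust centre chained to the RegTP. The verdict wording follows the summary dialog described in 6.2; the scenario names, the sample order text, the one-hour CRL lifetime and the use of RSA PKCS#1 v1.5 with SHA-256 are assumptions of the example, and it needs Go 1.19 or later for the revocation-list API.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Signature is the essence of a CMS SignerInfo: the digest computed over the content,
// the RSA signature over that digest and the signer certificate. The signing time a
// SignerInfo also carries comes from the signer's own clock and is not relied on here.
type Signature struct {
	Digest, Sig []byte
	Signer      *x509.Certificate
}

func Sign(content []byte, key *rsa.PrivateKey, cert *x509.Certificate) *Signature {
	d := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	check(err)
	return &Signature{Digest: d[:], Sig: sig, Signer: cert}
}

// Verify performs the four checks of the Details tab in order and returns the summary
// wording. Only a CRL that the issuer signed and that is not past its NextUpdate can
// say "good"; a missing, stale or foreign list leaves the status unknown, never valid.
func Verify(content []byte, s *Signature, roots *x509.CertPool, crl *x509.RevocationList) string {
	d := sha256.Sum256(content) // 1. hash value verification: integrity of the data
	if !bytes.Equal(d[:], s.Digest) {
		return "invalid: data changed since signing"
	}
	pub, ok := s.Signer.PublicKey.(*rsa.PublicKey) // 2. signature over the digest
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, s.Digest, s.Sig) != nil {
		return "invalid: signature does not verify"
	}
	chains, err := s.Signer.Verify(x509.VerifyOptions{ // 3. certification path to a trusted root
		Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil || len(chains[0]) < 2 {
		return "mathematically correct, certification path not trusted"
	}
	issuer := chains[0][1] // 4. certificate status, from a CRL the issuer signed
	if crl == nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
		return "mathematically correct, certificate status could not be verified"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(s.Signer.SerialNumber) == 0 {
			return "invalid: certificate revoked"
		}
	}
	return "valid"
}

// PKI is a constructed root CA plus one signer certificate standing in for a trust centre.
type PKI struct {
	Root, Leaf       *x509.Certificate
	RootKey, LeafKey *rsa.PrivateKey
}

func mkCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func NewPKI() *PKI {
	var err error
	now, p := time.Now(), &PKI{}
	p.RootKey, err = rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	p.LeafKey, err = rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	p.Root = mkCert(rootTmpl, rootTmpl, &p.RootKey.PublicKey, p.RootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Constructed signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment}
	p.Leaf = mkCert(leafTmpl, p.Root, &p.LeafKey.PublicKey, p.RootKey)
	return p
}

// CRL issues a list signed by the root; age backdates it so that a stale list can be simulated.
func (p *PKI) CRL(age time.Duration, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-age), NextUpdate: time.Now().Add(time.Hour - age)}
	for _, sn := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: sn, RevocationTime: time.Now().Add(-age)})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Root, p.RootKey)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	return crl
}

// Scenarios returns the verdict for each situation section 6.2 describes.
func Scenarios() map[string]string {
	p := NewPKI()
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	doc := []byte("Order 4711: 20 units at EUR 50 (constructed sample content)")
	sig := Sign(doc, p.LeafKey, p.Leaf)
	tampered := bytes.Replace(doc, []byte("20 units"), []byte("200 units"), 1)
	return map[string]string{
		"untouched, fresh CRL": Verify(doc, sig, roots, p.CRL(0)),
		"tampered content":     Verify(tampered, sig, roots, p.CRL(0)),
		"no CRL available":     Verify(doc, sig, roots, nil),
		"stale CRL":            Verify(doc, sig, roots, p.CRL(2*time.Hour)),
		"certificate revoked":  Verify(doc, sig, roots, p.CRL(0, p.Leaf.SerialNumber)),
		"root not trusted":     Verify(doc, sig, x509.NewCertPool(), p.CRL(0)),
	}
}

func main() {
	for k, v := range Scenarios() {
		fmt.Printf("%-22s %s\n", k, v)
	}
}
```

Two results deserve attention. A missing or outdated revocation list produces exactly the message quoted in 6.2, "mathematically correct, certificate status could not be verified", and never "valid"; that is why the guide tells you to fetch the latest lists or query the online status before trusting a signature. And "root not trusted" shows that the same signature is only as good as the roots you have chosen to trust, which is the decision the guide leaves to the user.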
Index

A
Adding messages • 54
Adobe Plugin • 45, 115
Attachments • 105

B
Brief outline of the modules • 9, 39

C
Certificates • 75
Changing the global PIN • 70, 81
Changing the SigG PIN • 70, 79
Changing your PIN • 79
Copyright • 5

D
Decrypt • 59, 137
Decrypting and verifying a signature • 91
Decryption • 35
Details • 125
Device Settings • 97
Directories • 72
Directory service • 34, 55, 56, 134, 135, 141
Displaying a certificate • 56, 127, 134, 136

E
Embed Annotation • 104
Encrypt • 55, 133
Encryption • 34
Encryption certificates • 133
Exporting an encryption certificate • 77
Exporting certificates • 34, 138

F
File formats • 68, 87
File Formats • 99
Filename Generation • 101
Files and icons in Explorer • 87
First steps • 12
First use of your OPENLiMiT® Card • 11, 16, 28

G
General • 71

H
How to use this documentation • 9

I
Inserting attachments • 53
Installing certificates • 136, 141
Installing the card reader • 14
Installing the software • 11, 12
Integrating encryption certificates into contacts • 89
Integrity Check • 63
Introduction • 9, 11
Introduction to the user interface • 93

N
Notes • 107

O
Online verification of certificates • 62, 120, 132
Open • 92
OPENLiMiT certificates • 27
OPENLiMiT SignCubes UserGuide • 3
Operational procedures • 41, 86, 120
Outlook settings • 42, 88

P
Pages of text • 106
PIN entry prompt • 73
Properties • 70, 76
Public Key Procedure • 29

S
Save • 57, 109
Saving certificates in file form • 142
Secure PIN input • 123
Security Environment Manager • 69
Security Environment Manager (SEM) • 40
Security Object Loader (updating revocation lists) • 84
SEM Menus • 28, 40, 70
Send • 58, 108
Settings • 68, 70, 71
Shortcut menu • 86
Show further file contents • 113, 114
Sign • 50, 121
Signature • 30
Signature and encryption basics • 11, 27, 29, 124
Signature laws • 31, 36
SignCubes Crypto Service Provider • 9, 28, 87
SignCubes CSP • 42
SignCubes printer properties • 96
SignCubes Shell Extension • 41, 85
SignCubes Viewer • 44, 110
SignCubes Workflow • 43, 71, 92
Signing and encrypting • 88, 91
Signing PDF documents • 116
Start Application • 102
Summary • 124

T
The SignCubes modules • 69, 120
The SignCubes Viewer user interface • 110
Tutorial • 9, 11, 43, 47, 67
Typographical conventions • 7

U
Updating revocation lists • 62, 120, 130

V
Verify signature • 32
Verifying a signature • 61
Verifying a signature in a PDF form • 118
Verifying signatures • 62, 120, 124
Visualisation • 31, 48, 95

W
Working with the OPENLiMiT SignCubes software • 9, 47, 67