*************************************************************
Notes on Strong Cryptography in pcANYWHERE32
August 1997
*************************************************************

-----------------
Table of Contents
-----------------

1. General Notes
   1.1 Support by operating system
   1.2 Known problems and limitations
2. Unsupported Utilities
   2.1 MachKey.exe
       2.1.1 Background
       2.1.2 How to use
       2.1.3 Feedback from the program
       2.1.4 Common errors
   2.2 CertCons.exe
       2.2.1 Background
       2.2.2 Specifications
       2.2.3 How to use
       2.2.4 Feedback from the program

****************
1. General Notes
****************

1.1 Support by operating system

This matrix shows the minimum level of software that must be installed to
support strong cryptography in pcANYWHERE32 8.0:

                 | Symmetric (CryptoAPI 1.0) | Public-Key (CryptoAPI 2.0)
-------------------------------------------------------------------------
Windows 95       | MSIE 3.0                  | MSIE 4.0
Windows NT 4.0   | no software needed        | Service Pack 2
Windows NT 3.51  | not supported             | not supported

-- MSIE 4.0 (Microsoft Internet Explorer) is currently in beta. There are
   known problems with Preview 2 that will be addressed by Microsoft. Any
   problems pcANYWHERE32 has with the released version will be addressed by
   patches once the released version is available.

-- Although NT 4.0 supports the Symmetric level as-is, Symantec strongly
   recommends installing Service Pack 3. Other features of pcANYWHERE32
   require it.

1.2 Known problems and limitations

- The Base CSP shipped with Microsoft Internet Explorer 4.0 Preview 2 has
  known problems that will be fixed in a future Microsoft release. Systems
  with this CSP will not be able to select a private key container for the
  Public-Key level (the drop-down will be grayed). Some systems may not be
  able to use strong cryptography at all.

- At this time pcANYWHERE32 cannot use certificates whose common name is
  stored in Unicode (e.g., certificates generated by SecureFile). This is
  being pursued with Microsoft.
************************
2. Unsupported Utilities
************************

The utilities described here are provided for the convenience of users who
have no other means of performing these functions. It will normally be
preferable to perform these functions through your cryptographic
administrative system.

These utilities are not part of the pcANYWHERE32 product and are not
supported by Symantec.

The utilities can be found in the pcANYWHERE32 program directory (usually
c:\Program Files\pcANYWHERE).

******************************
2.1 Description of MachKey.exe
******************************

MachKey.exe is a utility that must be run to enable a Windows NT 4.0
Public-key encrypted host to run as a service.

2.1.1 Background
----------------

Key containers (public/private keypairs) are normally associated with the
currently logged-on user. When an NT host runs as a service, it runs in the
local system account, not in any logged-in user context. Therefore it does
not have access to any user's key containers.

The MachKey utility copies a user key container to a global machine key
container (CRYPT_MACHINEKEYSET), where it is accessible to services. This
allows hosts running as a service to access the keys.

Other users on the machine will not be able to launch remotes or non-service
hosts using the machine keys, because user keys are used in those contexts.
They will be able to launch service hosts using any machine keys.

2.1.2 How to use
----------------

This is a small, dialog-based application. It presents the user with a
drop-down list-box of the user's key containers, and a Convert button.
Simply choose the key container that you want to copy and click the Convert
button.

2.1.3 Feedback from the program
-------------------------------

If the copy is successful, a confirmation message will be displayed.
Otherwise an error message will appear.

2.1.4 Common errors
-------------------

Object already exists - the key container has already been copied.
                        You don't need to run this program.

Bad Key - This is not a valid key container, or it is a container without
          any keys, so the utility has nothing to copy.

*******************************
2.2 Description of CertCons.exe
*******************************

CertCons.exe is a utility that creates a certificate store from a list of
certificates or existing certificate stores.

2.2.1 Background
----------------

The "certificate store" used by pcANYWHERE32 can be a CryptoAPI-compatible
certificate store, a PKCS#7 cryptographic message, or simply a certificate
in a file. It will often be most convenient to collect several certificates
into a CryptoAPI-compatible certificate store. The CertCons utility will add
certificates in any of the three formats to such a store.

2.2.2 Specifications
--------------------

CertCons.exe accepts certificates in three formats:

  * PKCS#7 certificates
  * Raw certificate file
  * An existing certificate store

2.2.3 How to use
----------------

CertCons is a console application. The command line is as follows:

  CertCons certificatestore PKCS#7msg|certificatestore
           PKCS#7msg|certificatestore...

certificatestore - is the filename of the certificate store to which the
                   certificates will be added. If the file does not exist,
                   it will be created.

PKCS#7msg|certificatestore - is the filename of the PKCS#7 file, raw
                   certificate, or certificate store. Wildcards are
                   accepted.

Example:

  certcons C:\Cert.store JohnSmith.exe JaneDoe.exe OtherCertificate.store

2.2.4 Feedback from the program
-------------------------------

This program doesn't give any feedback; it just modifies the certificate
store.
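The following is an added example, not part of pcANYWHERE32 or the CertCons utility: it performs the same job as the CertCons command line in section 2.2.3 (merging PKCS#7 messages, raw certificate files and existing serialized stores into one CryptoAPI serialized store), but it also de-duplicates by thumbprint and lists what was written, which CertCons does not. The store path and input patterns are the caller's; the .NET X509Certificate2Collection import/export calls are the standard ones.

```powershell
# Added example (not pcANYWHERE32/CertCons code): build a CryptoAPI serialized
# certificate store from PKCS#7 files, raw certificates and existing stores.
param(
    [Parameter(Mandatory)][string]$StorePath,   # assumed, e.g. C:\Cert.store
    [Parameter(Mandatory)][string[]]$Inputs     # files or wildcards, e.g. *.p7b, *.cer, *.store
)

$ns   = "System.Security.Cryptography.X509Certificates"
$coll = New-Object "$ns.X509Certificate2Collection"

# Start from the existing store, if any, so repeated runs only add to it
# (mirrors CertCons creating the file when it does not exist).
if (Test-Path $StorePath) { $coll.Import($StorePath) }

foreach ($pattern in $Inputs) {
    foreach ($file in Get-ChildItem -Path $pattern -File) {
        # Import() detects the container itself: a single DER/Base64
        # certificate, a PKCS#7 SignedData message, or a serialized store.
        $coll.Import($file.FullName)
    }
}

# Keep one copy per certificate (same thumbprint) so the store stays minimal.
$unique = New-Object "$ns.X509Certificate2Collection"
foreach ($cert in $coll) {
    $found = $unique.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
                          $cert.Thumbprint, $false)
    if ($found.Count -eq 0) { [void]$unique.Add($cert) }
}

# SerializedStore is the CryptoAPI store file format CertCons also writes.
$bytes = $unique.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::SerializedStore)
[System.IO.File]::WriteAllBytes($StorePath, $bytes)

# Unlike CertCons, report the result so an operator can review what trust
# was just added to the store (expired or unexpected issuers stand out here).
$unique | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
```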
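For section 2.1 above, an added example that is not part of pcANYWHERE32 or MachKey: after running MachKey, an administrator can confirm that the container now exists in the machine key set (the CRYPT_MACHINEKEYSET scope a service running as LocalSystem reads) and see whether the copied private key is marked exportable, which matters because the text notes that any user on the machine can launch service hosts with the machine keys. The container name and provider name are assumptions; UseMachineKeyStore is .NET's equivalent of the CRYPT_MACHINEKEYSET flag.

```powershell
# Added example (not pcANYWHERE32/MachKey code): check whether a named key
# container exists in the user key set and in the machine key set.
param(
    [Parameter(Mandatory)][string]$ContainerName,   # assumed: name shown in MachKey's drop-down
    [string]$ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"  # assumed provider
)

function Test-KeyContainer {
    param([string]$Name, [string]$Provider, [bool]$MachineStore)

    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.ProviderType     = 1            # PROV_RSA_FULL
    $csp.ProviderName     = $Provider
    $csp.KeyContainerName = $Name
    # UseExistingKey: fail instead of silently generating a new key pair when
    # the container is absent, so a "not found" result is a real answer.
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    if ($MachineStore) {
        # Equivalent of CryptAcquireContext(..., CRYPT_MACHINEKEYSET)
        $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    }

    $scope = if ($MachineStore) { "Machine" } else { "User" }
    try {
        $rsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
        $info = $rsa.CspKeyContainerInfo
        $result = [pscustomobject]@{
            Scope      = $scope
            Container  = $Name
            Exists     = $true
            KeySize    = $rsa.KeySize
            Exportable = $info.Exportable      # an exportable machine key can be pulled by anyone who can open it
            UniqueName = $info.UniqueKeyContainerName
        }
        $rsa.Dispose()
        $result
    } catch {
        [pscustomobject]@{ Scope = $scope; Container = $Name; Exists = $false
                           KeySize = $null; Exportable = $null; UniqueName = $_.Exception.Message }
    }
}

# Before MachKey: expect Exists=True for User, False for Machine.
# After MachKey:  both scopes should report the container.
Test-KeyContainer -Name $ContainerName -Provider $ProviderName -MachineStore $false
Test-KeyContainer -Name $ContainerName -Provider $ProviderName -MachineStore $true
```

If the machine-scope row already reports Exists=True before you run MachKey, that is the situation behind the "Object already exists" message in section 2.1.4.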