SC-3 USB Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

Similar documents
SC-1 Smart Card Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

ST-1 Software Token. QUICK Reference

Token Guide for KT-4 for

Welcome Guide. SafeNet Authentication Service. RB-1 Tokens. SafeNet Authentication Service: Welcome Guide. RB-1 Tokens

RB-1 PIN Pad Token. QUICK Reference

Install and Issuing your first Full Feature Operator Card

Windows Smart Card Logon Use Case

Guide Installation and User Guide - Mac

CRYPTOCard BlackBerry Token Implementation Guide

KT-1 Token. Reference Guide. CRYPTOCard Token Guide

Implementing CRYPTOCard Authentication. for. Whale Communications. e-gap Remote Access SSL VPN

Guide Installation and User Guide - Windows

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

DigitalPersona Pro Enterprise

Guide Installation and User Guide - Linux

Document Signing Certificate Getting Started Guide

Pulse Secure Policy Secure

WatchGuard Firebox and MUVPN. Quick Start Guide. Copyright CRYPTOCard Corporation All Rights Reserved

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

Implementation Guide for Funk Steel-Belted RADIUS

Welcome Guide for MP-1 Token for Microsoft Windows

Avaya Event Processor Release 2.2 Operations, Administration, and Maintenance Interface

ISA 2006 and OWA 2003 Implementation Guide

USER MANUAL FOR SECURE E MAIL MICROSOFT OUTLOOK (2003)

Implementation Guide for protecting. CheckPoint Firewall-1 / VPN-1. with. BlackShield ID

Citrix Access Gateway Implementation Guide

Checkpoint VPN-1 NG/FP3

HyperPKI Manager User Guide For the HYP2003 PKI Token (Windows Version)

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

Activant Eagle PA-DSS Implementation Guide

SECUDRIVE USB Office

YubiKey Smart Card Deployment Guide

SafeNet Authentication Manager

MANAGING LOCAL AUTHENTICATION IN WINDOWS

TFS WorkstationControl White Paper

Welcome Guide for KT Series Token

Owner of the content within this article is Written by Marc Grote

Aladdin etoken PKI Client ReadMe 1

etoken Integration Guide etoken and ISA Server 2006

Avocent DSView 4.5. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: June 9, Product Information Partner Name

Cisco 802.1x Wireless using PEAP Quick Reference Guide

YubiKey Smart Card Deployment Guide

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

SecureLogin 8.7 Application Definition Wizard Administration Guide. December, 2018

Check Point GO R75. User Guide. 14 November Classification: [Public]

Barracuda Networks SSL VPN

VMware AirWatch Certificate Authentication for EAS with ADCS

Abstract. Avaya Solution & Interoperability Test Lab

Welcome Guide. SafeNet Authentication Service. MP-1 BlackBerry. SafeNet Authentication Service: Welcome Guide. MP-1 BlackBerry

CESecure Quick Start Guide

ZENworks 2017 Full Disk Encryption Pre-Boot Authentication Reference. December 2016

Implementation Guide for protecting Juniper SSL VPN with BlackShield ID

IBM Client Security Solutions. Client Security Software Version 1.0 Administrator's Guide

Security Cooperation Information Portal

This chapter provides information about managing end user directory information.

Oracle Enterprise Single Sign-on Authentication Manager. Installation and Setup Guide Release E

RSA SecurID Ready Implementation Guide

External Authentication with Checkpoint R77.20 Authenticating Users Using SecurAccess Server by SecurEnvoy

VMware Horizon Client Installation Guide (Windows)

QUICK SET-UP VERIFICATION...3

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Internet Explorer/ Edge/ Chrome/ Opera (Windows) Edition

SSH Communications Tectia SSH

Once a USB drive has been inserted into an encrypted machine, the Dell Data Protection software will recognize the unencrypted device.

External Authentication with Windows 2008R2 Server with Remote Desktop Web Gateway Authenticating Users Using SecurAccess Server by SecurEnvoy

Solution Composer. User's Guide

Steel-Belted RADIUS. Digipass Plug-In for SBR. SBR Plug-In SBR. G etting Started

Application User Configuration

Nortel Quality Monitoring Search and Replay Guide

Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 Managing Companies Managing Password Policies...

Token Guide for USB MP. with. BlackShield ID

6/21/12 Procedure to use Track-It (TI) Self Service version 10 and later

Common Access Card for Xerox VersaLink Printers

keyon / PKCS#11 to MS-CAPI Bridge User Guide V2.4

Configuring Imprivata OneSign with 10ZiG NOS Zero clients

ZENworks 11 Support Pack 4 Endpoint Security Utilities Reference. October 2016

IDGo Middleware and SDK for Mobile Devices

MyFloridaNet-2 (MFN-2) Customer Portal/Password Management Reference Guide

Administrator s Guide LV2015-AG-EN

ivest Client 4.0 Release User Guide

EasiShare ios User Guide

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

ALTIRIS SECURITY SOLUTION 6.1 FOR HANDHELDS ADMINISTRATOR GUIDE

User Guide SecureLogin 8.1

Oracle EnterpriseSingle Sign-on Authentication Manager. Installation and Setup Guide Release E

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

MyFloridaNet-2 (MFN-2) Customer Portal/ Password Management/ VPN Reference Guide

AirWatch for Android Devices for AirWatch InBox

Specops Password Policy

BlackShield ID. Windows Logon Agent CRYPTOCard Corp. All rights reserved.

EOH-SASOL - Setup Sasol Mobile Express (Client)

Configuring an IMAP4 or POP3 Journal Account for Microsoft Exchange Server 2003

User Guide. Version R94. English

AirWatch for Android Devices for Skype for Business

This version of the IDGo 800 middleware contains the following components: IDGo 800 Credential Provider build 01

10.User Password and Object Security

SafeNet Authentication Client

ONE ID Identity and Access Management System

SafeNet Authentication Client

User Guide. Version R92. English

Transcription:

SC-3 USB Token QUICK Reference Copyright 2007 CRYPTOCard Corporation All Rights Reserved 091807 http://www.cryptocard.com

Table of Contents OVERVIEW... 1 OPERATING MODES & OPTIONS... 2 USING THE SC-3 USB TOKEN... 6 Generating a passcode (QuickLog TM mode)... 6 Using Manual Mode Authentication... 6 Generating a passcode (Challenge-response mode)... 7 User-changeable PIN... 7 GENERATING DIGITAL SIGNATURES... 8 PASSWORD RESYNCHRONIZATION... 9 LOADING CERTIFICATE(S) ON SC-3 (GEMALTO GEMPCKEY)...10 Section 1a...10 Section 1b...11 Copyright 2007 CRYPTOCard Corporation All Rights Reserved i

Overview The SC-3 token is an implementation of the CRYPTOCard software token on a USB Gemalto GemPCKey, and is designed for use with Windows 2000/2003/XP Professional and Linux RedHat 3.0/4.0 systems. The tokens can be used with a standard USB 1.0 or 2.0 port. The SC-3 token generates a new, pseudo-random passcode each time the token is activated. A SC-3 PIN consists of a string of 3 to 8 alphanumeric characters that is used to guard against unauthorized use. The PIN change period is selectable as are the PIN characters (digits and characters). The user must provide a PIN to generate a one-time password through the authenticator application. Multiple tokens, each protected by their own unique PIN, may reside on a single SC-3 USB token. The SC-3 USB token can also store digital certificates (PKCS11) generated by thirdparty PKI products. SC-3 tokens can support a combination of QUICKLog TM password, challenge-response password, and digital signature functions. When CRYPTO-Logon for Microsoft Windows, the following actions can be tied to removal of the SC-3 from the reader or activation of a screen saver: Lock the keyboard, with unlock restricted to the locking user Lock keyboard, with unlock restricted to valid SC-3 card holders Log the user off (SC-3 removal only) Copyright 2007 CRYPTOCard Corporation All Rights Reserved 1

Operating Modes & Options The USB DONGLE supports a wide range of operating modes that can be modified using the CRYPTO-Console GUI, according to organizational and security policy requirements. The USB Dongle is recognized by the CRYPTOCard server as a SC-3 Smart Card Token and is programmed and initialized accordingly. A brief list of the more common operating modes follows. Refer to the CRYPTO-Server Administrator Guide for a complete list of modes and options. Display Type: Hexadecimal: token generates passcodes comprised of digits and letters from 0 9 and A-F. Decimal: token generates passcodes comprised of digits from 0-9. Base32: token generates passcodes comprised of digits and letters from 0-9 and A-Z. Base64: token generates passcodes comprised of digits and letters from 0-9 and Aa-Zz, as well as other printable characters available via Shift + 0-9. Telephone mode: Yes: replaces the fourth character of a passcode with a dash (-). This is generally used in combination with Response length: 8 characters and Display type: Decimal to resemble the North American telephone number format. No: passcode is displayed as set by Response length and Display type. Response Length: Determines the passcode length. Options are 5, 6, 7, or 8 characters. PIN Style: Fixed PIN: the PIN created for the token at the time of initialization is permanent and cannot be modified by the user or operator. Fixed PIN can only be changed by re-initializing the token after selecting a new PIN value through this tab. This PIN must be entered into the token before a passcode is displayed. User-changeable PIN: the user may change the PIN at any time. The initial PIN set during initialization must be changed by the user on first use of the token. This PIN must be entered into the token before a passcode is displayed. The PIN value selected by the user must be within the limits set Copyright 2007 CRYPTOCard Corporation All Rights Reserved 2

under the Min PIN Length, Characters allowed, Try Attempts, and Allow Trivial PINs options. Initial PIN: The initial PIN value required for the token. The value is permanent if Fixed PIN is selected as the PIN Style. This value must be changed on first use of the token for User-changeable PIN. Use the Randomize button to change the initial value to a random number within the limits set under the Random PIN Length, Min PIN Length, and Characters allowed options. Note that the minimum initial PIN length can be longer than the minimum PIN length required by the user. Random PIN Length: The minimum PIN length generated when clicking the Randomize button. The valid range is 3 8 characters. Minimum PIN Length: The minimum PIN length required to authenticate. The valid range is 1-8 characters. Characters allowed: Digits only: permits the digits 0 9 in the PIN. Alpha-numeric: permits the digits 0 9 and the characters Aa Zz in the PIN. Strong Alpha-numeric: requires at least one uppercase character, one lowercase character, and one digit in the PIN. This setting is affected by the Allow Trivial PINs option. Try Attempts: Number of consecutive incorrect PIN attempts permitted. The valid range is 1 7 attempts. If this value is exceeded, the token will be locked and will not generate passcodes until it is re-initialized. Allow Trivial PINs: Copyright 2007 CRYPTOCard Corporation All Rights Reserved 3

No: prevents the use of sequences or consecutive digits/characters longer than 2. For example, 124 is permitted; 123 is not permitted. Yes: no sequence checking. For example, 123 is permitted. Mode: QUICKLog: passcode is displayed immediately by token (or after Display Name, if this option is enabled on the Display tab). Challenge-response: requires the user to key a numeric challenge into the token before a response is generated. QUICKLog TM is the recommended mode for all token types. Algorithm: Mk 2 Algorithm: supports 3DES. This mode is automatically selected for CRYPTO-Server 6.x SC-3 USB tokens. Start date: The first date, in yyyymmdd format, that the token may be used to authenticate. Expiry date: The last date, in yyyymmdd format, that the token may be used to authenticate. When an operator changes the Expiry date, the change immediately becomes active on the server and valid for the affected token. This is often used for periodic access typical of contractors. It permits the token to be issued once, while ensuring that the user can only authenticate with an active token during the set periods. Disconnected Authentications: The number of disconnected authentications the user can perform when disconnected from the network, in a range of 0 to 100. A value of 0 means disconnected authentications is disabled for this token. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 4

Operational Flags: Force PIN change on next use: For USB DONGLE tokens, this flag is only valid for Initial PINs (i.e. PIN change after token initialization) and the flag is not cleared on PIN change. Property Flags: Delete token at expiry: This is not applicable for the SC-3 USB token. Don t change key at initialization: the encryption key used for this token is reused during re-initialization, if checked. It is recommended that this box remain clear to ensure that keys are changed with every initialization. Usage Flags: Authentication enabled: token can be used to authenticate, if checked. Signature enabled: token can be used to generate digital signatures, if checked. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 5

Using the SC-3 USB Token Access to the SC-3 authentication and digital signature functions requires the user to enter a 3 to 8 character PIN. The PIN is generally unique for each token and known only to the owner of the token. Generating a passcode (QuickLog TM mode) The SC-3 automates authentication when used in conjunction with CRYPTOCard agents or compatible third-party plug-ins. The user simply enters his PIN and clicks OK when prompted and the SC-3 completes the authentication. Using Manual Mode Authentication In instances where a user is attempting to connect to a network entity or Web asset for which a CRYPTOCard agent or third-party plug-in does not exist, there is no automated means by which the Token Authenticator software can furnish the one-time password to the entity/asset for authentication. Therefore, SC-3 USB tokens enable the user to generate a one-time passcode that can then be entered manually when the user is prompted for a password by the application/entity interface. 1. Launch the Token Authenticator: For Windows, click on the toolbar icon or use Start Programs CRYPTOCard Authenticator. For Linux, type /user/bin/authenticator. 2. Select the token from the Token Name field (if more than one software token is installed) and click Generate Password. 3. Enter the PIN. 4. Cut and paste, or transcribe, the one-time passcode into the logon/password dialog of the application/entity interface you are authenticating against. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 6

Generating a passcode (Challenge-response mode) QuickLog TM is the recommended mode for all CRYPTOCard tokens. Challenge-response mode should only be used if required. 1. Launch the Token Authenticator: For Windows, click on the toolbar icon or use Start Programs CRYPTOCard Authenticator. For Linux, type /user/bin/authenticator. 2. When you attempt to log in to the application or entity interface, you will receive an 8- digit challenge. 3. Click Generate Password on the Token Authenticator dialog window. 4. Enter the PIN and 8-digit challenge. A response will be displayed. 5. Cut and paste, or transcribe, the response into the application or entity interface logon dialog. User-changeable PIN If the SC-3 token is configured with a PIN Style of User-changeable PIN, the user will be forced to change the initial deployment PIN on first use. Thereafter, the user can change the PIN at any time, within the established security policy parameters. 1. Launch the Token Authenticator: For Windows, click on the toolbar icon or use Start Programs CRYPTOCard Authenticator. For Linux, type /user/bin/authenticator. 2. Select Tools Change PIN from the toolbar. 3. Enter the current PIN, new PIN, and new PIN confirmation. Click OK. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 7

Generating Digital Signatures SC-3 tokens are able to generate digital signatures: 1. Launch the Token Authenticator: For Windows, click on the toolbar icon or use Start Programs CRYPTOCard Authenticator. For Linux, type /user/bin/authenticator. 2. Select Tools Signature from the toolbar. 3. Enter your PIN and the input data (i.e. the form hash/challenge) generated by the document to be signed. 4. Cut and paste, or transcribe, the digital signature that is displayed into the application/document. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 8

Password Resynchronization Token resynchronization may be required if the user has generated a large number of passcodes without logging on (authenticating). Token resynchronization requires the user to enter a challenge into the token. The challenge must be provided by the Help Desk or via a Web-based resynchronization page. In the unlikely event that the token requires resynchronization with the authentication server: 1. Launch the Token Authenticator: For Windows, click on the toolbar icon or use Start Programs CRYPTOCard Authenticator. For Linux, type /user/bin/authenticator. 2. Select Tools Re-sync from the toolbar. 3. Enter your PIN and the resynchronization challenge. Removing SC-3 Token(s) Please ensure that the SC-3 token is plugged into the system first, and see section 3.10 of the CRYPTO-Server 6.4 Administrator Manual on how to remove SC-1 Tokens from the CRYPTOCard Authenticator. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 9

Loading Certificate(s) on SC-3 (Gemalto GemPCKey) This document is split into 2 - Section 1a explains how to initialize a container and load a token onto the Smart Card Chip. Section 1b explains how to use the Cryptographic Object Viewer and Editor (COVE) to format the remaining space on the Smart Card Chip so a certificate can be loaded on. Note: If the Gemalto GemPCKey drivers have not been installed already, please install them. The drivers can be found at the following link: http://support.gemalto.com/gemdownload/readers/index.aspx Section 1a To initialize a container on the Gemalto token, go to Control Panel > Token Manager Click on Options > Container Manager Highlight the Gemplus USB Key Smart Card Reader 0 and select Initialize Container If the container is initialized properly, the output at the bottom of the window should be displayed as follows. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 10

Highlight the Gemplus USB Key Smart Card Reader 0 and then click on Container Information If the container is initialized successfully then it should say Container is available for normal use. Unplug and plug the Gemalto token back in to make sure it re-detects properly. Launch the CRYPTO-Console, and log in. Assign a token to a user and select an SC-3 Token from the list of tokens that are available and initialize it locally. Section 1b Launch the COVE Admin tools. Click on the dropdown menu and select the Gemplus USB Key Smart Card Reader 0 and click the Connect button. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 11

Click on the Personalize tab Browse to the Cove directory on the left pane. Select the desired cpf in the list on the right pane, or you could import a cpf that has already been created with the New button. Set the User PIN and Unblock PIN or you could leave it default. Click the Select Keys button and select the default COVE.ksf file. Select the Cyberflex Access 64k in the list. Once that is done, click on the Personalize button to have it create the PKI applet and load the correct files. Once it has finished personalizing the Smart Card Chip, Disconnect and Re-Connect to the Gemplus USB Key Smart Card Reader 0. It will ask you the PIN to gain access to the Smart Card now. Click on the Card tab and you will see the following: Copyright 2007 CRYPTOCard Corporation All Rights Reserved 12

Open up a browser and navigate to you CA server. Select Request a certificate Click on Advanced certificate request Select Create and submit a request to this CA Copyright 2007 CRYPTOCard Corporation All Rights Reserved 13

For the purpose of this document I have select the following: Certificate Template Select Smartcard Logon CSP Select Axalto Cryptographic Service Provider Request Format Select PKCS10 Once that is all selected, click Submit. It should the prompt you to enter your PIN (The PIN that was entered to in COVE to access the Smart Card) On the next screen, click Install this certificate The message that is displayed at the last step should be Your new certificate has been successfully installed To verify if the Certificate has been installed, log back into COVE and click on the Card tab again. Copyright 2007 CRYPTOCard Corporation All Rights Reserved 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback