KT-1 Token Reference Guide CRYPTOCard Token Guide
Proprietary Notice License and Warranty Information CRYPTOCard Inc. and its affiliates retain all ownership rights to the computer program described in this manual, other computer programs offered by the company (hereinafter called CRYPTOCard) and any documentation accompanying those programs. Use of CRYPTOCard software is governed by the license agreement accompanying your original media. CRYPTOCard software source code is a confidential trade secret of CRYPTOCard. You may not attempt to decipher, de-compile, develop, or otherwise reverse engineer CRYPTOCard software, or allow others to do so. Information needed to achieve interoperability with products from other manufacturers may be obtained from CRYPTOCard upon request. This manual, as well as the software described in it, is furnished under license and may only be used or copied in accordance with the terms of such license. The material in this manual is furnished for information use only, is subject to change without notice, and should not be construed as a commitment by CRYPTOCard. CRYPTOCard assumes no liability for any errors or inaccuracies that may appear in this document. Except as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, recording or otherwise, without the prior written consent of CRYPTOCard. CRYPTOCard reserves the right to make changes in design or to make changes or improvements to these products without incurring the obligation to apply such changes or improvements to products previously manufactured. The foregoing is in lieu of all other warranties expressed or implied by any applicable laws. CRYPTOCard does not assume or authorize, nor has it authorized any person to assume for it, any other obligation or liability in connection with the sale or service of these products. In no event shall CRYPTOCard or any of its agents be responsible for special, incidental, or consequential damages arising from the use of these products or arising from any breach of warranty, breach of contract, negligence, or any other legal theory. Such damages include, but are not limited to, loss of profits or revenue, loss of use of these products or any associated equipment, cost of capital, cost of any substitute equipment, facilities or services, downtime costs, or claims of customers of the Purchaser for such damages. The Purchaser may have other rights under existing federal, state, or provincial laws in the USA, Canada, or other countries or jurisdictions, and where such laws prohibit any terms of this warranty, they are deemed null and void, but the remainder of the warranty shall remain in effect. Customer Obligation Shipping Damage: The purchaser must examine the goods upon receipt and any visible damage should immediately be reported to the carrier so that a claim can be made. Purchasers should also notify CRYPTOCard of such damage. The customer should verify that the goods operate correctly and report any deficiencies to CRYPTOCard within 30 days of delivery. In all cases, the customer should notify CRYPTOCard prior to returning goods. Goods returned under the terms of this warranty must be carefully packaged for shipment to avoid physical damage using materials and methods equal to or better than those with which the goods were originally shipped to the purchaser. Charges for insurance and shipping to the repair facility are the responsibility of the purchaser. CRYPTOCard will pay return charges for units repaired or replaced under the terms of this warranty. Copyright Copyright 2007, CRYPTOCard Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Inc. Trademarks CRYPTO-Server 6.4 Administrator s Manual viii CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO- VPN, CRYPTO-Shield, CRYPTO-MAS, are either registered trademarks or trademarks of CRYPTOCard Inc. Java is a registered trademarks of Sun Microsystems, Inc.; Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. SecurID is a registered trademark of RSA Security. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners. KT-1 Token User Guide Quick Reference 2
Additional Information, Assistance, or Comments CRYPTOCard s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. This complimentary support service is available from your first evaluation system download. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your reseller directly for support needs. Contact CRYPTOCard directly: International Voice: +1-613-599-2441 North America Toll Free: 1-800-307-7042 Email: support@cryptocard.com For information about obtaining a support contract, see our Support Web page at: http://www.cryptocard.com/support/cryptocardannualsupportandmaintenance/ Related Documentation Refer to the Technical Documentation section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com/support/technicaldocumentation/ KT-1 Token User Guide Quick Reference 3
Solution Overview Summary Product Name Vendor Site Pre-Requisites KT1 Token Guide CRYPTOCard See the Using your KT1 the First Time section. CRYPTOCard Product Requirements CRYPTOCard Service CRYPTO-MAS (Managed Authentication Service) KT-1 Token User Guide Quick Reference 4
Table of Contents SOLUTION OVERVIEW... 4 OVERVIEW... 6 TOKEN RESYNC INSTRUCTIONS... 7 ENTERING A CHALLENGE INTO A KT TOKEN... 8 TOKEN PIN CHANGE... 9 TOKEN PIN CHANGE INSTRUCTIONS... 9 MAS TOKEN TEMPLATE... 11 KT-1 Token User Guide Quick Reference 5
Overview The KT-1 Key Chain token generates a new, random one-time password each time the token is activated. Pressing the button located to the right and below the LCD display activates the token. Using Your KT-1 the First Time A PIN is an alphanumeric string of 3 to 8 characters that is used to guard against the unauthorized use of the token. If PIN protection is enabled, the user must provide a PIN with the one-time password to authenticate. Your initial PIN is 1234, and this must be changed to a PIN of your choosing on first use. Using Your KT-1 to Log In When prompted for a password, you must append the one-time password displayed by the token to your PIN. For example, if the the PIN is 4321 and the displayed one-time password is 12345678, the user must enter 432112345678 at the password prompt. Adjusting LCD Contrast 1. Press and hold the button (approximately 5 seconds) on the token until the prompt Init appears. Then release the button. 2. The token will cycle through a series of prompts: Init, LCD Test, Contrast, Chg PIN, ReSync?. The prompts and sequence will vary depending on the options enabled for the token. Press the button while the Contrast prompt is displayed. 3. The token will cycle through a series of prompts in the form of XX##XX- where ## are digits from 00 to 15 corresponding with lowest to highest contrast. The contrast will change as the digits change providing a visual indication of the selection. When the desired contrast is displayed, press the button two times to set. KT-1 Token User Guide Quick Reference 6
Token Resync The purpose of this section is to instruct end-users and administrators how to resynchronize tokens using the online CRYPTO-MAS resynchronization tool. If too many One-time password Codes (OTP s) have been generated by a token since the last time the server received a correct OTP, the server will not recognize the OTP and the token and server are said to be out of sync. For CRYPTO-MAS, the number of OTPs that needs to be generated by the token to cause the server and the token to become out-of-sync is defaulted to 25. Token Resync Instructions Step 1: Open up a browser (IE6, IE7, Mozilla Firefox 1.5+) and go to: http://resync.cryptocard.com/ The following dialog box will appear (Figure 1.0) Figure 1.0 Step 2: Enter the User ID and Authentication ID (Auth ID) and click OK. Contact your MAS Administrator if you don t know the Authentication ID. Step 3: You will be presented with a challenge to be entered into your token, along with a field to enter your next OTP (after the resync process has been completed) (Figure 1.1). Figure 1.1 KT-1 Token User Guide Quick Reference 7
Entering a Challenge into a KT Token a) Hold down the button on the KT Token until "Init" appears in the display then let go of the button. b) The token will automatically start scrolling through a menu, and when "Resync" appears, immediately click the button to stop the menu from scrolling. c) Resync plus a scrolling digit 0-9 will appear in the display. Press the button to stop the scrolling when the digit displayed is the first digit (from the left) in the challenge (Figure 1.2). d) The Resync will be replaced by the first digit selected, and scrolling for the next digit in the challenge will begin. Follow the same steps to stop the scolling at the correct digits until the complete 8- digit challenge appears. Figure 1.2 e) When the challenge number is correctly entered/displayed, click the button again and a new One Time Password (or response ) will be automatically generated by the token. Enter your PIN (if normally required) followed by the OTP displayed on your token into the dialog box and Click OK. Your token should now be synchronized with the server. KT-1 Token User Guide Quick Reference 8
Token PIN Change A KT Token user can change their Server Side, User Changeable PIN at any time. To change the PIN, browse to the User Self-service web page at: http://auth.cryptocard.com/hardware You must first authenticate before being presented with the PIN Change page. Token PIN Change Instructions Step 1: Open up a browser (IE6, IE7, Mozilla Firefox 1.5+) and go to http://auth.cryptocard.com/hardware. The following dialog box will appear. (Figure 2.0) Figure 2.0 Step 2: Enter the User ID, Authentication ID (Auth ID) and your OPT (PIN+Passcode) and click OK. Contact your MAS Administrator if you don t know the Authentication ID. Step 3: After successful authentication you are redirected to the PIN Change page where you are required to enter your current PIN and the new PIN to complete PIN change process. The PIN length and complexity reflects the minimum requirements for this specific token. (Figure 2.1) Figure 2.1 KT-1 Token User Guide Quick Reference 9
If the correct Current PIN is entered and the new PIN meets the complexity requirements of the token a PIN Change Success message is displayed and the new PIN is now in effect and must be used to authenticate with. Figure 2.2 KT-1 Token User Guide Quick Reference 10
MAS Token Template The following table identifies the KT-1 token configuration: MAS Token Attributes - KT-1 Display Display Type Base 32 Telephone Mode No Response Length 8 characters Automatic Shut-off 30 seconds PIN PIN Style Stored on server, User-changeable PIN Initial PIN 1234 Random PIN Length 4 Min PIN Length 3 Characters allowed Digit Only Try Attempts 7 Allow Trivial PINs Yes Operation Mode QuickLog Passwords per power cycle Single User can turn token off Yes Usage Operational Flags Force PIN change on next use KT-1 Token User Guide Quick Reference 11