TOKENINIT(8)


NAME

     activinit, cryptoinit, snkinit - modify or add user in ActivCard,
     CRYPTOCard, or SNK-004 authentication system

SYNOPSIS

     tokeninit [-f] [-h] [-m mode] [-s] [-v] user_ID [...]

DESCRIPTION

     The tokeninit utility may also be invoked by one of the following names:
     activinit, cryptoinit, or snkinit.  Depending on the name it was invoked
     as, it will initialize the system information to allow one to use the
     ActivCard, CRYPTOCard, or SNK-004 digital encryption token to log in.  The
     tokeninit utility is intended for use by the system administrator.

     Token card systems provide strong user authentication by combining a
     user's unique knowledge (a Personal Identification Number) and a physical
     object (the token) which the user must have in their possession to log in.
     The system administrator programs the token with a secret encryption key
     which is also stored in the database.  The user programs the token with a
     PIN.  To discourage exhaustive attempts to guess the PIN, configuration
     options permit the token to be programmed to erase knowledge of the
     shared secret should the user enter an excessive number of incorrect PIN
     entries.

     The user activates the token by entering their PIN into the token.  After
     activating the token, the user enters a random number challenge presented
     by the host computer into the token.  The challenge is encrypted by the
     token and a response is displayed.  The user then enters the response at
     the host computer's prompt, where it is compared with the anticipated
     response.

     Token cards typically support multiple unique encryption keys.  This
     facility allows a single token to be used for multiple computer systems,
     or multiple user instances on the same system.

     The options are as follows:

     -f      Force reinitialization of an existing account.  The current
             shared secret stored in the database will be replaced with a new
             shared secret.  The new shared secret must be entered into the
             token, replacing the current one.

     -h      Read the shared secret as a 16 digit hexadecimal integer rather
             than a sequence of 8 octets.  This is not supported when invoked
             as snkinit.

     -m mode
             Specify the input modes allowed for this user.  Possible modes
             are decimal (dec), hexadecimal (hex), phonebook (phone), and
             reduced-input (rim).  Not all modes are available for all types
             of cards.  Multiple -m options may be specified to enable
             multiple modes.  By default only the hexadecimal mode is enabled,
             except for the SNK-004 token, which by default only enables the
             decimal mode.  If an attempt is made to initialize a card with
             only reduced-input, the default mode for the card is silently
             included.

     -s      By default, tokeninit prompts for a shared secret to enter into
             the authentication database.  The -s option generates a 64-bit
             cryptographically strong key for use in the token.  This shared
             secret will be saved in the database for the user ID specified on
             the command line.  After entering the shared secret into the
             token, verify that the checksum computed by the token matches
             the one displayed by tokeninit.

     -v      Enable verbose mode.  tokeninit will emit messages on the status
             of each user ID processed.

REDUCED-INPUT MODE

     Reduced-input mode allows the token to predict the next challenge, given
     the current challenge.  This may be used to eliminate the need to enter
     the challenge to the token or may also be used with a paper list.  Using
     a program such as x99token(1) many challenges could be precomputed and
     printed.  This list should be kept secret.  This list can then take the
     place of an actual token until the system has issued all the challenges
     printed.  Challenges are predicted by the following algorithm:

           * Encrypt the last challenge with the shared secret key

           * AND each byte of the response with 0x0f

           * Modulo each byte by 10 (0x0a)

           * ADD 0x30 (ASCII value of '0') to each byte

     The resulting 8 bytes are all ASCII decimal digits and are the next
     challenge.
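
     The prediction steps above, as an added Python example that is not part
     of the original manual page or the OpenBSD source.  The algorithm text
     does not name the cipher, so standin_encrypt (HMAC-SHA-256 truncated to
     8 bytes) is a labelled stand-in for the token's encryption step; the key
     and starting challenge are constructed sample values.

```python
import hashlib
import hmac
from collections import Counter


def next_challenge(response: bytes) -> bytes:
    """Apply the three post-encryption steps to an 8-byte response."""
    if len(response) != 8:
        raise ValueError("response must be exactly 8 bytes")
    # AND with 0x0f, modulo 10, then add 0x30 (ASCII '0')
    return bytes(((b & 0x0F) % 10) + 0x30 for b in response)


def standin_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed function, NOT the token's cipher (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def challenge_list(key: bytes, last: bytes, count: int,
                   encrypt=standin_encrypt) -> list:
    """Precompute the next `count` challenges, as for a paper list."""
    out = []
    for _ in range(count):
        last = next_challenge(encrypt(key, last))
        out.append(last.decode("ascii"))
    return out


def digit_weights() -> dict:
    """How many of the 16 low-nibble values map to each decimal digit."""
    return dict(Counter(n % 10 for n in range(16)))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")   # constructed sample secret
    for c in challenge_list(key, b"12345678", 5):
        print(c)
    # Digits 0-5 come from two nibble values each, 6-9 from one, so the
    # predicted challenges are not uniformly distributed over 0-9.
    print(digit_weights())
```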

FILES

     /etc/activ.db    database of information for ActivCard system
     /etc/crypto.db   database of information for CRYPTOCard system
     /etc/snk.db      database of information for SNK-004 system

DIAGNOSTICS

     Diagnostic messages are logged via syslog(3) with the LOG_AUTH facility.

COMMENTS

     A supplier for ActivCard tokens may be obtained by contacting:

           ActivCard, Inc.
           303 Twin Dolphin Dr., Ste 420
           Redwood City, CA 94065
           Tel: (415) 654-1700
           Fax: (415) 654-1701

     CRYPTOCard tokens may be obtained by contacting:

           CRYPTOCard Incorporated
           Attn: Wade Clark
           1649 Barclay Blvd.
           Buffalo Grove, Illinois 60089
           Tel: (800) 307-7042 / (708) 459-6500
           Fax: (708) 459-6599
           <token@cryptocard.com>

     SNK-004 tokens are no longer available for purchase.

SEE ALSO

     x99token(1), syslog(3), login_token(8), tokenadm(8)

AUTHORS

     Jack Flory <jpf@mig.com>

BUGS

     Not all modes of all cards are supported.

OpenBSD 3.6                    September 26, 1995