tokeninit, activinit, cryptoinit, snkinit - modify or add user in ActivCard, CRYPTOCard, or SNK-004 authentication system

tokeninit [-f] [-h] [-m mode] [-s] [-v] user_ID [...]

The tokeninit utility may also be invoked by one of the following names: activinit, cryptoinit, or snkinit. Depending on the name it was invoked as, it will initialize the system information to allow one to use the ActivCard, CRYPTOCard, or SNK-004 digital encryption token to log in. The tokeninit utility is intended for use by the system administrator.

Token card systems provide strong user authentication by combining a user's unique knowledge (a Personal Identification Number) and a physical object (the token) which the user must have in their possession to log in. The system administrator programs the token with a secret encryption key which is also stored in the database. The user programs the token with a PIN. To discourage exhaustive attempts to guess the PIN, configuration options permit the token to be programmed to erase knowledge of the shared secret should the user enter an excessive number of incorrect PIN entries.

The user activates the token by entering their PIN into the token. After activating the token, the user enters a random number challenge presented by the host computer into the token. The challenge is encrypted by the token and a response is displayed. The user then enters the response at the host computer's prompt, where it is compared with the anticipated response.

Token cards typically support multiple unique encryption keys. This facility allows a single token to be used for multiple computer systems, or for multiple user instances on the same system.
The options are as follows:

-f      Force reinitialization of an existing account. The current shared secret stored in the database will be replaced with a new shared secret. The new shared secret must be entered into the token, replacing the current one.

-h      Read the shared secret as a 16 digit hexadecimal integer rather than as a sequence of 8 octets. This is not supported when invoked as snkinit.

-m mode Specify the input modes allowed for this user. Possible modes are decimal (dec), hexadecimal (hex), phonebook (phone), and reduced-input (rim). Not all modes are available for all types of cards. Multiple -m options may be specified to enable multiple modes. By default only the hexadecimal mode is enabled, except for the SNK-004 token, which by default enables only the decimal mode. If an attempt is made to initialize a card with only reduced-input, the default mode for the card is silently included.

-s      By default, tokeninit prompts for a shared secret to enter into the authentication database. The -s option instead generates a 64-bit cryptographically strong key for use in the token. This shared secret will be saved in the database for the user ID specified on the command line. After entering the shared secret into the token, verify that the checksum computed by the token matches the one displayed by tokeninit.

-v      Enable verbose mode. tokeninit will emit messages on the status of each user ID processed.
Reduced-input mode allows the token to predict the next challenge, given the current challenge. This may be used to eliminate the need to enter the challenge into the token, or it may be used with a paper list. Using a program such as x99token(1), many challenges can be precomputed and printed. This list should be kept secret. The list can then take the place of an actual token until the system has issued all the challenges printed. Challenges are predicted by the following algorithm:

  * Encrypt the last challenge with the shared secret key
  * AND each byte of the response with 0x0f
  * Modulo each byte by 10 (0x0a)
  * ADD 0x30 (the ASCII value of '0') to each byte

The resulting 8 bytes are all ASCII decimal digits and form the next challenge.
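The following is an added example, not code from the OpenBSD tokeninit or x99token sources. It works through both the challenge/response exchange described above and the reduced-input prediction rule, on a constructed sample secret. Two things are assumptions, because the page does not state them: the cipher is taken to be single DES over one 8-byte block (x99token(1) is a DES software token, so this is the natural reading), and the token's displayed response is rendered here as the hexadecimal encoding of the whole encrypted block. The names NextChallenge, ChallengeList, Response and HostVerify are this example's own.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Secret is the 8-octet shared secret stored in the database and programmed
// into the token.
type Secret [8]byte

// checkChallenge enforces the challenge format the page describes:
// exactly 8 ASCII decimal digits.
func checkChallenge(challenge string) error {
	if len(challenge) != 8 {
		return fmt.Errorf("challenge %q: want 8 ASCII digits, got %d bytes", challenge, len(challenge))
	}
	for i := 0; i < len(challenge); i++ {
		if challenge[i] < '0' || challenge[i] > '9' {
			return fmt.Errorf("challenge %q: byte %d is not an ASCII digit", challenge, i)
		}
	}
	return nil
}

// encryptChallenge encrypts the challenge with the shared secret.
// ASSUMPTION: single DES, one ECB block; the page does not name the cipher.
func encryptChallenge(secret Secret, challenge string) ([8]byte, error) {
	var ct [8]byte
	if err := checkChallenge(challenge); err != nil {
		return ct, err
	}
	block, err := des.NewCipher(secret[:])
	if err != nil {
		return ct, err
	}
	block.Encrypt(ct[:], []byte(challenge))
	return ct, nil
}

// digitsFromBlock applies the page's post-processing to the encrypted block:
// AND each byte with 0x0f, reduce modulo 10, add 0x30 ('0').
func digitsFromBlock(ct [8]byte) string {
	out := make([]byte, len(ct))
	for i, b := range ct {
		out[i] = (b&0x0f)%10 + '0'
	}
	return string(out)
}

// NextChallenge predicts the challenge that follows last (reduced-input mode).
func NextChallenge(secret Secret, last string) (string, error) {
	ct, err := encryptChallenge(secret, last)
	if err != nil {
		return "", err
	}
	return digitsFromBlock(ct), nil
}

// ChallengeList precomputes the n challenges after first, the kind of list a
// program such as x99token(1) would print for use on paper.
func ChallengeList(secret Secret, first string, n int) ([]string, error) {
	list := make([]string, 0, n)
	cur := first
	for i := 0; i < n; i++ {
		next, err := NextChallenge(secret, cur)
		if err != nil {
			return nil, err
		}
		list = append(list, next)
		cur = next
	}
	return list, nil
}

// Response is what the token displays for a challenge.
// ASSUMPTION: hex rendering of the whole encrypted block, for illustration.
func Response(secret Secret, challenge string) (string, error) {
	ct, err := encryptChallenge(secret, challenge)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct[:]), nil
}

// HostVerify is the host side of the exchange: recompute the anticipated
// response and compare in constant time, so timing does not leak how many
// leading characters of a guess were right.
func HostVerify(secret Secret, challenge, response string) (bool, error) {
	want, err := Response(secret, challenge)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(response)) == 1, nil
}

func main() {
	// Constructed sample secret and first challenge; not real credentials.
	secret := Secret{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	cur := "12345678"
	list, err := ChallengeList(secret, cur, 5)
	if err != nil {
		panic(err)
	}
	fmt.Println("paper list (keep secret):")
	for _, next := range list {
		r, _ := Response(secret, cur)
		ok, _ := HostVerify(secret, cur, r)
		fmt.Printf("  challenge %s  response %s  accepted=%v  next %s\n", cur, r, ok, next)
		cur = next
	}
}
```

Two practitioner notes on the rule itself. The third step takes a nibble in 0..15 modulo 10, so the digits 0 to 5 each arise from two nibble values while 6 to 9 arise from one; predicted challenges are therefore not uniform over the 10^8 strings of eight digits. And because the whole list is derived from the shared secret and one starting challenge, a leaked list is equivalent to a leaked token for every challenge on it, which is why the page says to keep it secret.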
/etc/activ.db database of information for ActivCard system
/etc/crypto.db database of information for CRYPTOCard system
/etc/snk.db database of information for SNK-004 system
Diagnostic messages are logged via syslog(3) with the LOG_AUTH facility.
ActivCard tokens may be obtained by contacting:
ActivCard, Inc.
303 Twin Dolphin Dr., Ste 420
Redwood City, CA 94065
Tel: (415) 654-1700
Fax: (415) 654-1701
CRYPTOCard tokens may be obtained by contacting:
CRYPTOCard Incorporated
Attn: Wade Clark
1649 Barclay Blvd.
Buffalo Grove, Illinois 60089
Tel: (800) 307-7042 / (708) 459-6500
Fax: (708) 459-6599
<token@cryptocard.com>
SNK-004 tokens are no longer available for purchase.
See also: x99token(1), syslog(3), login_token(8), tokenadm(8)
Author: Jack Flory <jpf@mig.com>
Bugs: Not all modes of all cards are supported.
OpenBSD 3.6 September 26, 1995