.\"	$OpenBSD: tokeninit.8,v 1.14 2022/02/19 10:17:39 jsg Exp $
.\"
.\" Copyright (c) 1995 Migration Associates Corporation. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Berkeley Software Design,
.\"	Inc.
.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse
.\"    or promote products derived from this software without specific prior
.\"    written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	BSDI $From: tokeninit.8,v 1.3 1997/01/16 03:23:11 bostic Exp $
.\"
.Dd $Mdocdate: February 19 2022 $
.Dt TOKENINIT 8
.Os
.Sh NAME
.Nm activinit ,
.Nm cryptoinit ,
.Nm snkinit
.Nd modify or add user in ActivCard, CRYPTOCard, or SNK-004 authentication system
.Sh SYNOPSIS
.Nm tokeninit
.Op Fl fhsv
.Op Fl m Ar mode
.Ar user ...
.Sh DESCRIPTION
The
.Nm tokeninit
utility may also be invoked by one of the following names:
.Nm activinit ,
.Nm cryptoinit ,
or
.Nm snkinit .
Depending on the name it was invoked as, it will
initialize the system information to allow one to use the
ActivCard, CRYPTOCard, or SNK-004 digital encryption token to log in.
The
.Nm tokeninit
utility is intended for use by the system administrator.
.Pp
Token card systems provide strong user authentication by combining a user's
unique knowledge (a Personal Identification Number) and a physical object
(the token) which the user must have in their possession to log in.
The system administrator programs the token with a secret encryption key
which is also stored in the database.
The user programs the token with a PIN.
To discourage exhaustive attempts to guess the PIN,
configuration options permit the token to be programmed
to erase knowledge of the shared secret should the user enter
an excessive number of incorrect PIN entries.
.Pp
The user activates the token by entering their PIN into the token.
After activating the token, the user enters a random number challenge
presented by the host computer into the token.
The challenge is encrypted by the token and a response is displayed.
The user then enters the response at the host computer's prompt,
where it is compared with the anticipated response.
.Pp
Token cards typically support multiple unique encryption keys.
This facility allows a single token to be used for multiple computer
systems, or multiple user instances on the same system.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl f
Force reinitialization of an existing account.
The current shared secret stored in the database will be replaced with
a new shared secret.
The new shared secret must be entered into the token,
replacing the current one.
.It Fl h
Read the shared secret as a 16-digit hexadecimal integer rather than
a sequence of 8 octets.
This is not supported when invoked as
.Nm snkinit .
.It Fl m Ar mode
Specify the input modes allowed for this user.
Possible modes are decimal (dec), hexadecimal (hex), phonebook (phone),
and reduced-input (rim).
Not all modes are available for all types of cards.
Multiple
.Fl m
options may be specified to enable multiple modes.
By default only the hexadecimal mode is enabled, except for the SNK-004
token, which by default only enables the decimal mode.
If an attempt is made to initialize a card with only reduced-input, the
default mode for the card is silently included.
.It Fl s
By default,
.Nm tokeninit
prompts for a shared secret to enter into the authentication database.
The
.Fl s
option generates a 64-bit cryptographically strong key for use in the token.
This shared secret will be saved in the database for the user ID
specified on the command line.
After entering the shared secret into the token, verify that the
checksum computed by the token matches the one displayed by
.Nm tokeninit .
.It Fl v
Enable verbose mode.
.Nm tokeninit
will emit messages on the status of each user ID processed.
.El
.Sh REDUCED-INPUT MODE
Reduced-input mode allows the token to predict the next challenge,
given the current challenge.
This eliminates the need to enter each challenge into the token,
and it also allows a paper list to be used.
Using a program such as
.Xr x99token 1 ,
many challenges could be precomputed and printed.
Such a list takes the place of the token until the system has issued
all the challenges printed, so anyone who obtains it can answer those
challenges; it must be kept secret.
Challenges are predicted by the following algorithm:
.Bd -unfilled -offset indent
* Encrypt the last challenge with the shared secret key

* AND each byte of the response with 0x0f

* Modulo each byte by 10 (0x0a)

* ADD 0x30 (ASCII value of '0') to each byte
.Ed
.Pp
The resulting 8 bytes are all ASCII decimal digits and are the next challenge.
.Sh FILES
.Bl -tag -width xetcxcrypto.db -compact
.It Pa /etc/activ.db
database of information for ActivCard system
.It Pa /etc/crypto.db
database of information for CRYPTOCard system
.It Pa /etc/snk.db
database of information for SNK-004 system
.El
.Sh DIAGNOSTICS
Diagnostic messages are logged via
.Xr syslog 3
with the LOG_AUTH facility.
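The challenge-prediction algorithm from the REDUCED-INPUT MODE section above, worked through as an added example. This is editor-supplied code, not part of the manual page or of the OpenBSD token utilities. It assumes the block cipher is DES (the page only says "encrypt"; a 64-bit shared secret and an 8-byte challenge fit DES), so Go's standard crypto/des is used; the secret and seed challenge are constructed sample values, and the function names are the example's own.

```go
package main

import (
	"crypto/des"
	"errors"
	"fmt"
)

// foldDigits turns one 8-byte ciphertext block into the next challenge
// exactly as tokeninit(8) lists the steps: AND each byte with 0x0f,
// reduce modulo 10, add 0x30 ('0'). Every output byte is an ASCII digit.
func foldDigits(ct []byte) []byte {
	out := make([]byte, len(ct))
	for i, b := range ct {
		out[i] = (b&0x0f)%10 + '0'
	}
	return out
}

// nextChallenge encrypts the previous challenge under the shared secret and
// folds the result into 8 ASCII decimal digits.
// Assumption (not stated on the page): the cipher is single-block DES.
func nextChallenge(secret, last []byte) ([]byte, error) {
	if len(secret) != des.BlockSize {
		return nil, errors.New("shared secret must be 8 octets (64 bits)")
	}
	if len(last) != des.BlockSize {
		return nil, errors.New("challenge must be exactly 8 bytes")
	}
	c, err := des.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, des.BlockSize)
	c.Encrypt(ct, last) // the challenge is exactly one block, so one ECB call
	return foldDigits(ct), nil
}

// predictChallenges returns the n challenges the host will issue after seed,
// i.e. the paper list that could stand in for the token. Entry i+1 is the
// prediction computed from entry i.
func predictChallenges(secret, seed []byte, n int) ([]string, error) {
	list := make([]string, 0, n)
	cur := seed
	for i := 0; i < n; i++ {
		next, err := nextChallenge(secret, cur)
		if err != nil {
			return nil, err
		}
		list = append(list, string(next))
		cur = next
	}
	return list, nil
}

func main() {
	// Constructed sample values: a made-up 64-bit secret and a first challenge
	// (8 ASCII decimal digits, as the host would present it).
	secret := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	seed := []byte("13572468")
	list, err := predictChallenges(secret, seed, 5)
	if err != nil {
		panic(err)
	}
	for i, ch := range list {
		fmt.Printf("%d: %s\n", i+1, ch)
	}
}
```

Two properties of the fold are worth knowing when reasoning about this mode: the low nibble has 16 values but only 10 digits are produced, so digits 0 through 5 each arise from two nibble values and 6 through 9 from one, making predicted challenges non-uniform over digits; and because every step is deterministic given the shared secret, whoever holds the secret (or the printed list derived from it) can reproduce the entire challenge sequence, which is why the page says the list must be kept secret.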
.Sh SEE ALSO
.Xr x99token 1 ,
.Xr syslog 3 ,
.Xr login_token 8 ,
.Xr tokenadm 8
.Sh AUTHORS
.An Jack Flory Aq Mt jpf@mig.com
.Sh BUGS
Not all modes of all cards are supported.