1.\" $OpenBSD: tokeninit.8,v 1.6 2003/06/12 12:59:53 jmc Exp $ 2.\" 3.\" Copyright (c) 1995 Migration Associates Corporation. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. All advertising materials mentioning features or use of this software 14.\" must display the following acknowledgement: 15.\" This product includes software developed by Berkeley Software Design, 16.\" Inc. 17.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse 18.\" or promote products derived from this software without specific prior 19.\" written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND 22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE 25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" BSDI $From: tokeninit.8,v 1.3 1997/01/16 03:23:11 bostic Exp $ 34.\" 35.Dd September 26, 1995 36.Dt TOKENINIT 8 37.Os 38.Sh NAME 39.Nm activinit , 40.Nm cryptoinit , 41.Nm snkinit 42.Nd "modify or add user in ActivCard, CRYPTOCard, or SNK-004 authentication system" 43.Sh SYNOPSIS 44.Nm tokeninit 45.Op Fl f 46.Op Fl h 47.Op Fl m Ar mode 48.Op Fl s 49.Op Fl v 50.Ar user_ID 51.Op Ar ... 52.Sh DESCRIPTION 53The 54.Nm tokeninit 55utility may also be invoked by one of the following names: 56.Nm activinit , 57.Nm cryptoinit , 58or 59.Nm snkinit . 60Depending on the name it was invoked as, it will 61initialize the system information to allow one to use the 62ActivCard, CRYPTOCard, or SNK-004 digital encryption token to login. 63The 64.Nm tokeninit 65utility is intended for use by the system administrator. 66.Pp 67Token card systems provide strong user authentication by combining a user's 68unique knowledge (a Personal Identification Number) and a physical object 69(the token) which the user must have in their possession to login. 70The system administrator programs the token with a secret encryption key 71which is also stored in the database. 72The user programs the token with a PIN. 73To discourage exhaustive attempts to guess the PIN, 74configuration options permit the token to be programmed 75to erase knowledge of the shared secret should the user enter 76an excessive number of incorrect PIN entries. 77.Pp 78The user activates the token by entering their PIN into the token. 79After activating the token, the user enters a random number challenge 80presented by the host computer into the token. 81The challenge is encrypted by the token and a response is displayed. 82The user then enters the response at the host computer's prompt, 83where it is compared with the anticipated response. 84.Pp 85Token cards typically support multiple unique encryption keys. 86This facility allows a single token to be used for multiple computer 87systems, or multiple user instances on the same system. 88.Pp 89The options are as follows: 90.Bl -tag -width Ds 91.It Fl f 92Force reinitialization of an existing account. 93The current shared secret stored in the database will be replaced with 94a new shared secret. 95The new shared secret must be entered into the token, 96replacing the current one. 97.It Fl h 98Read the shared secret as a 16 digit hexadecimal integer rather than 99a sequence of 8 octets. 100This is not supported when invoked as 101.Nm snkinit . 102.It Fl m 103Specify the input modes allowed for this user. 104Possible modes are decimal (dec), hexadecimal (hex), phonebook (phone), 105and reduced-input (rim). 106Not all modes are available for all types of cards. 107Multiple 108.Fl m 109options may be specified to enable multiple modes. 110By default only the hexadecimal mode is enabled, except for the SNK-004 111token, which by default only enables the decimal mode. 112If an attempt is made to initialize a card with only reduced-input, the 113default mode for the card is silently included. 114.It Fl s 115By default, 116.Nm tokeninit 117prompts for a shared secret to enter into the authentication database. 118The 119.Fl s 120option generates a 64-bit cryptographically strong key for use in the token. 121This shared secret will be saved in the database for the user ID 122specified on the command line. 123After entering the shared secret into the token, determine that the 124checksum computed by the token matches the one displayed by 125.Nm tokeninit . 126.It Fl v 127Enable verbose mode. 128.Nm tokeninit 129will emit messages on the status of each user ID processed. 130.El 131.Sh REDUCED-INPUT MODE 132Reduced-input mode allows the token to predict the next challenge, 133given the current challenge. 134This may be used to eliminate the need to enter the challenge to the 135token or may also be used with a paper list. 136Using a program such as 137.Xr x99token 1 138many challenges could be precomputed and printed. 139This list should be kept secret. 140This list can then take the place of an actual token until 141the system has issued all the challenges printed. 142Challenges are predicted by the following algorithm: 143.Pp 144.Bd -unfilled -offset indent 145* Encrypt the last challenge with the shared secret key 146 147* AND each byte of the response with 0x0f 148 149* Modulo each byte by 10 (0x0a) 150 151* ADD 0x30 (ASCII value of '0') to each byte 152.Ed 153.Pp 154The resulting 8 bytes are all ASCII decimal digits and are the next challenge. 155.Sh FILES 156.Bl -tag -width xetcxcrypto.db -compact 157.It Pa /etc/activ.db 158database of information for ActivCard system 159.It Pa /etc/crypto.db 160database of information for CRYPTOCard system 161.It Pa /etc/snk.db 162database of information for SNK-004 system 163.El 164.Sh DIAGNOSTICS 165Diagnostic messages are logged via syslog(3) with the LOG_AUTH facility. 166.Sh COMMENTS 167A supplier for ActivCard tokens may be obtained by contacting: 168.Pp 169.Bd -unfilled -offset indent 170ActivCard, Inc. 171303 Twin Dolphin Dr., Ste 420 172Redwood City, CA 94065 173Tel: (415) 654-1700 174Fax: (415) 654-1701 175.Ed 176.Pp 177CRYPTOCard tokens may be obtained by contacting: 178.Pp 179.Bd -unfilled -offset indent 180CRYPTOCard Incorporated 181Attn: Wade Clark 1821649 Barclay Blvd. 183Buffalo Grove, Illinois 60089 184Tel: (800) 307-7042 / (708) 459-6500 185Fax: (708) 459-6599 186<token@cryptocard.com> 187.Ed 188.Pp 189SNK-004 tokens may be obtained by contacting: 190.Pp 191.Bd -unfilled -offset indent 192Digital Pathways, Inc. 193Attn: Paul Kamian 194201 Ravendale Drive 195Mountain View, CA 94043-5216 196Tel: (415) 964-0707 197Fax: (415) 961-7487 198<paul@digpath.com> 199.Ed 200.Sh SEE ALSO 201.Xr x99token 1 , 202.Xr syslog 3 , 203.Xr login_token 8 , 204.Xr tokenadm 8 205.Sh AUTHORS 206.An Jack Flory Aq jpf@mig.com 207.Sh BUGS 208Not all modes of all cards are supported. 209