Back
to Strong Auth Index Page | Computing
Division| Fermilab at
Work | Fermilab
Home
|
||||||||||||
Strong Authentication at
Fermilab DRAFT (last updated: September 18, 2001) |
Chapter 5: Using your CRYPTOCard
5.1 How does your CRYPTOCard Work?
5.2 Caring for your CRYPTOCard
5.3 Usage Notes
5.4 The First Thing to do: Reset your PIN
5.4.1 Resetting Initial PIN
5.4.2 Resetting PIN (General)
5.5 Log in Using CRYPTOCard (the First Time)
5.6 Log in Using CRYPTOCard (Subsequently)
Chapter 5: Using your CRYPTOCard
Strengthened machines are configured to respond in portal mode when requests for access come from unKerberized machines. In portal mode the strengthened machine acts as a secure gateway into the strengthened realm, requiring a single-use password for authentication. A CRYPTOCard is a calculator-style, battery-powered device used for generating a single-use password.
5.1 How does your CRYPTOCard Work?
Before we issue you your CRYPTOCard, we initialize it and synchronize it with the Kerberos Key Distribution Center1 (KDC). This process (a) associates the card with your principal, (b) sets an initial PIN on the card, and (c) creates a secret encryption key stored in both the KDC and the card.
The KDC and the CRYPTOCard operate independently on the identical strings using the shared key, and they produce the same result. Roughly half of this resulting string is to be used as the first one-time password, the other half (plus/minus some overlapping bits) is stored for later use as the next string on which both parties will operate. And so on.
The string on which the shared key operates is called the challenge. The portion of the result used as the password is called the response. The first challenge is chosen by the KDC when you use the card.
5.2 Caring for your CRYPTOCard
You will find printed instructions with your new CRYPTOCard. Carefully read Use and Care of your RB-1 Authentication Token, and Battery Replacement.
Here we highlight a few points that we think are important:
- Your CRYPTOCard is relatively expensive; please don't lose it! Treat it as you would your house keys (if they were breakable!).
- Your CRYPTOCard looks the same as your colleague's, so make a note of the serial number printed on the back so that you can identify yours. Even though another person would need both your principal and your PIN to use your card, we recommend that you don't label your card with anything that resembles your principal. In most cases this means don't put your name on it. You can label it with a non-identifying word or sticker that you'll recognize.
- Don't drop, sit on or crush the card (don't carry it in your back pocket).
- Keep it dry and out of intense heat or cold. Don't let it go through the laundry, and don't leave it in your car in the winter or summer.
- When the display becomes dim, it's time to replace the batteries (two new CR2016, 3V lithium coin cells). CHANGE THEM ONE AT A TIME TO PREVENT DATA LOSS! Otherwise you will need to get the card reprogrammed.
5.3 Usage Notes
- We recommend using fingertips or a pencil eraser for pressing the CRYPTOCard buttons. Fingernails, pen tips and other sharp objects work less well. You don't need to remove it from the plastic cover to use it.
- When you first turn on the card, it takes a second or two to respond with a prompt.
- If you ever forget your PIN (see section 5.4) or if the card locks up (says "locked" when turned on), send email to compdiv@fnal.gov to arrange getting your CRYPTOCard reprogrammed. If you are on-site, you will need to come to WH8NE. If you are off-site, mention that in your email.
- Your CRYPTOCard will automatically turn itself off after 60 seconds unless it receives further input.
5.4 The First Thing to do: Reset your PIN
The CRYPTOCard comes with an initial PIN (personal code to prevent use by other individuals) that you are required to reset. The minimum length of the PIN is four digits, but it can be as long as eight. When entering your PIN, you are limited to seven consecutive wrong tries before lockout.
5.4.1 Resetting Initial PIN
- Press the ON/OFF button to turn on the card, enter your initial PIN and press ENT.
- At the prompt New PIN? enter a new PIN and press ENT.
- At the Verify prompt, enter your new PIN again and press ENT. The card displays a preconfigured string which you can ignore.
- If you're not going to log on now, you can turn off the card or let it do so automatically.
5.4.2 Resetting PIN (General)
For subsequent PIN changes, turn the card on and enter your PIN followed by ENT. At the Fermilab prompt, press CPIN and proceed from step (2), above.
5.5 Log in Using CRYPTOCard (the First Time)
- Turn on your CRYPTOCard and enter your new PIN, followed by ENT.
- The card is configured to display the id Fermilab. Press ENT when you see it. You'll see a preconfigured challenge, which you can ignore.
- Run ssh, slogin, telnet, or ftp normally on your nonKerberized machine to the strengthened host, and enter your login id at the host prompt. The first time you use the card, the host system (in portal mode) displays the message:
- On your CRYPTOCard, press CH/MAC, then type the challenge displayed on the host system into your CRYPTOCard. If you mistype, press CLR and re-enter the challenge. Press ENT to get a response of eight hex digits.
- Enter the CRYPTOCard response at the host system prompt (it is not case-sensitive). Press Return, and you should be logged in with Kerberos tickets.
- Turn off your CRYPTOCard, or let it do so automatically.
5.6 Log in Using CRYPTOCard (Subsequently)
- Turn on your CRYPTOCard and enter your PIN, followed by ENT. (You are limited to seven consecutive wrong-PIN tries before lockout.)
- The card is configured to display the id Fermilab. Press ENT when you see it. The CRYPTOCard displays a challenge.
- Run ssh, slogin, telnet, or ftp normally on your nonKerberized machine to the strengthened host, and enter your userid at the host prompt. The host system (in portal mode) displays the message:
Press ENTER and compare this challenge to the one on your display: [12345678]
- Compare the challenge on the host to the one on the CRYPTOCard:
- If the challenges are the same, press Ent again on the CRYPTOCard to get the response. (In this case the KDC and your CRYPTOCard are synchronized. As long as they remain in sync, the CRYPTOCard will generate the right response.)
- If the challenges are different (you may see all zeroes), press CH/MAC on the CRYPTOCard and enter the challenge displayed on the host system into the card. (This resynchronizes the CRYPTOCard.) Then press Ent to get the response.
- Enter the response at the host system prompt. Press Return and you should be logged in with tickets.
- Turn off your CRYPTOCard, or let it do so automatically.
1The KDC is the "keymaster" of the Kerberos authentication service for all the machines in the realm. It runs on a server maintained by Fermilab's computing security team. Every principal and every initialized CRYPTOCard shares a unique encryption key with the KDC, allowing the KDC to verify the identity of each user/service request.
|
|||||||||||
Back to Strong Auth Index Page | Computing Division| Fermilab at Work | Fermilab Home |