BlackShield ID MP Token Guide

Copyright © 2010 CRYPTOCard Inc. http://www.cryptocard.com


Trademarks

CRYPTOCard and the CRYPTOCard logo are registered trademarks of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement

This software and the associated documentation are proprietary and confidential to CRYPTOCard, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by CRYPTOCard.

Third-party licenses

This product may include software developed by parties other than CRYPTOCard. The text of the license agreements applicable to third-party software in this product may be viewed in the \\CRYPTOCard\BlackShield ID\Open Source Licenses folder of a default BlackShield ID installation.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Contact Information

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441

North America Toll Free: 1-800-307-7042

Email: [email protected]


For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Go to the CRYPTOCard corporate web site for regional Customer Support telephone and fax numbers:

http://www.cryptocard.com

Publication History

Date                Changes

January 10, 2010    Initial release

September 23, 2010  Minor update


Table of Contents

Overview
Operating Modes & Options
Using the MP Token on Windows XP/2003/2008/Vista/7
    Installing the BlackShield ID Software Tools
    Loading an MP token file
    Generating a Token Code (QuickLog™ mode)
    Generating a Token Code (Challenge-response mode)
    User-changeable PIN
    Token Code Resynchronization
    Unlock Token (Remote Unlock)
Using the MP Token on a BlackBerry Mobile Device
Using the MP Token on a Java Phone
Using the MP Token on an iPhone


Overview

The MP token is a software implementation of the hardware token that can be installed on a range of devices including hard drives, mobile devices such as BlackBerry®, Java phones, iPhone® and secure flash drives such as IronKey® or SafeStick®, turning a device already in the hands of a user into a token.

The advantage of software tokens is mass deployment without hardware distribution. By thoughtful selection of the type of device upon which a software token can be installed, Security Administrators can lock a user to a specific machine, limit the user to using only secure platforms or provide complete machine independence. With BlackShield ID, MP tokens can be issued, revoked and reissued without restriction or the need to recover the token from the user. With the exception of BlackBerry and Java phones, multiple MP software tokens can be installed on a single device (e.g. hard drive) provided the usernames are unique.

Supported platforms: Windows XP/2003/2008/Vista/7, BlackBerry®, Java phones, IronKey®, SafeStick®, iPhone®.

The MP token generates a new, pseudo-random token code each time the token is activated. An MP PIN consists of a string of 3 to 8 alphanumeric characters that is used to guard against unauthorized use. If PIN protection is enabled, the user must provide a PIN with the one-time token code to authenticate. Multiple tokens, each protected by their own unique PIN, may reside on a single BlackShield Software Tools installation.


Operating Modes & Options

The MP token supports a wide range of operating modes that can be modified from the Token Templates section within the Policy Admin Tab of the BlackShield ID Manager.

The MP Token template settings are applied when MP tokens are created; they are not applied when tokens are issued.

Mode:

Tokens can operate in either Challenge-Response or Quick Log mode. Default value: Quick Log.

Quick Log mode is recommended because it greatly simplifies the user logon experience and strengthens security by eliminating the requirement to have the user key a challenge into a token to get an OTP. In addition, Quick Log mode is supported by all systems that require a logon password.

Complexity:

The OTPs generated by the token can be comprised of numbers, letters and additional characters as follows:

• Decimal: token generates passcodes comprised of digits from 0-9.

• Hexadecimal: token generates passcodes comprised of digits and letters from 0-9 and A-F.

• Base32: token generates passcodes comprised of digits and letters from 0-9 and A-Z. (Default value).

• Base64: token generates passcodes comprised of digits and letters from 0-9 and Aa-Zz, as well as other printable characters available via Shift + 0-9.

Length:

This option determines the number of characters displayed as the OTP. Options are 5, 6, 7 or 8 characters. Default value: 8.

Display Mask:

If set to ‘Telephone Mode’, the 4th character of the OTP will always be a dash (“-”). Typically this is used with a decimal OTP of length 8. Example OTP: 123-5678. If set to ‘None’, the 4th character is unmodified. Example OTP: 12345678. Telephone mode can be used with any token complexity and length setting. Default value: Telephone Mode.

Note: the dash is not entered as part of the OTP on login attempts, therefore it is not required for authentication.

Remote Unlock:

Allows a locked MP token to be unlocked using the unlock code provided for the token within the Secured Users tab. This avoids the need to redeploy the MP token to the user.

PIN Type:

This setting determines the type of PIN to be used with the token.

• No PIN means the user doesn’t need to enter a PIN into the Token application to generate a TokenCode.

• Fixed PIN means that the PIN generated for the token during initialization is permanent and cannot be changed without reissuing the token. This PIN must always be keyed into the token before a password is generated.

• User selected PIN means that the user must change the PIN generated for the token during initialization before a password will be generated. Thereafter the user can change the PIN at any time. Note that the PIN change must conform to the minimum requirements for PIN Length, Complexity and Maximum PIN Attempts.

• Server-side Fixed means that the PIN generated for the token at initialization is permanent and cannot be changed without reinitializing the token. An initial PIN number is used to install the token into the BlackShield Software Tools but token codes are generated without the need of a PIN. This PIN type is evaluated at BlackShield ID during authentication.

• Server-side User Select means that the PIN generated for the token can be changed by the User. An initial PIN number is used to install the token into the BlackShield Software Tools but token codes are generated without the need of a PIN. The new PIN must conform to the minimum requirements set in the Server-side PIN Policy Group on the Policy Admin Tab.

• Server-side Server Select means that the PIN generated for the token can be changed; however, the new PIN will be generated by BlackShield ID and will conform to the minimum requirements set in the Server-side PIN Policy Group on the Policy Admin Tab.

Note: Server-side PINs require the user to prepend the PIN to the token-generated password during login, allowing the PIN to be evaluated by BlackShield. For example, if the user PIN is ABCD and the password is 12345678, the user would enter ABCD12345678 at the password prompt. All other PIN types require the user to key the correct PIN into the token before a password is generated. In this case the user provides only the password at the password prompt. For example, if the user PIN is 8432 and the password is 12345678, the user will enter 12345678 at the password prompt. Generally, Server-side PINs are used with KT tokens.
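The two entry forms in the note above, worked as an added example that is not CRYPTOCard's code: for the Server-side PIN types the server must split the prepended PIN from the token code and check both, while for the token-side PIN types only the token code arrives. The function names, the fixed-width split and the use of a constant-time compare are assumptions of this example, not the product's implementation.

```python
# Added example (not from the CRYPTOCard guide): splitting and checking the
# credential typed at the password prompt for the two PIN families described
# above.  Names and the fixed-width split are assumptions of this example.
import hmac

# PIN types the guide says are evaluated by BlackShield ID during authentication
SERVER_SIDE = {"Server-side Fixed", "Server-side User Select", "Server-side Server Select"}
# PIN types where the PIN is keyed into the token, so only the token code is entered
TOKEN_SIDE = {"No PIN", "Fixed PIN", "User selected PIN"}


def split_credential(entered, pin_type, pin_len, otp_len):
    """Return (pin, token_code) as the server should read `entered`, or None when
    the length does not fit the PIN type.  Token-side types yield an empty PIN."""
    if pin_type in SERVER_SIDE:
        if len(entered) != pin_len + otp_len:
            return None  # wrong length: reject rather than guess where the PIN ends
        return entered[:pin_len], entered[pin_len:]
    if pin_type in TOKEN_SIDE:
        if len(entered) != otp_len:
            return None
        return "", entered
    raise ValueError(f"unknown PIN type {pin_type!r}")


def verify_login(entered, pin_type, expected_pin, expected_otp):
    """One verdict for the whole credential.  Both parts are compared in constant
    time and both comparisons always run, so a wrong PIN and a wrong token code
    are indistinguishable to the caller."""
    server_side = pin_type in SERVER_SIDE
    pin_len = len(expected_pin) if server_side else 0
    parts = split_credential(entered, pin_type, pin_len, len(expected_otp))
    if parts is None:
        return False
    pin, otp = parts
    # For token-side types the token already checked the PIN; nothing to compare here.
    want_pin = expected_pin if server_side else ""
    pin_ok = hmac.compare_digest(pin.encode(), want_pin.encode())
    otp_ok = hmac.compare_digest(otp.encode(), expected_otp.encode())
    return pin_ok and otp_ok
```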

Initial PIN:

Determines the nature of the initial PIN created for a token during initialization. If ‘Random’, BlackShield ID will generate a random PIN that conforms to the minimum PIN Policy options set in the dropdowns for this group for each token during initialization. If ‘Fixed’, all tokens will be initialized with the same PIN. Default value: Random.

Min. PIN Length:

Determines the minimum PIN length that can be used with the token.

• This option is disabled if PIN Type is set to ‘No PIN’. The user will not be required to use a PIN at any time.

• This option is disabled if PIN Type is set to Server-side Fixed, Server-side User Select or Server-side Server Select. The user will be required to use a PIN according to the options set in the Server-side PIN Policy Group.

• This option is enabled if PIN Type is set to Fixed PIN or User selected PIN. This requires that any PIN set for the token meet the indicated minimum number of digits. The range is 1 to 8 digits.

Allow Trivial PINs:

If enabled, a PIN may contain 3 or more consecutive numbers (e.g. 1234) or 3 or more identical digits (e.g. 2222). Default value: selected.


Max. PIN Attempts:

Determines the maximum number of consecutive failed PIN attempts permitted by the token. If this number is exceeded, the token enters the ‘Locked’ state and cannot be used for authentication until it is reinitialized or unlocked via the unlock code provided by BlackShield ID. This option is available only if PIN Type is set to Fixed PIN or User selected PIN.
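The three token-side PIN policy options above (Min. PIN Length, Allow Trivial PINs and Max. PIN Attempts), modelled together as an added example that is not CRYPTOCard's code. The trivial-PIN test looks for a run of 3 or more consecutive or identical digits anywhere in the PIN; treating a descending run (4321) as trivial too, and locking on the failure that exceeds the limit, are assumptions of this example.

```python
# Added example (not from the CRYPTOCard guide): the MP token template's PIN
# policy, the trivial-PIN test and the Max. PIN Attempts lock-out.  Class and
# function names, the descending-run check and the lock-out counting are
# assumptions of this example, not the product's implementation.
import hmac
from dataclasses import dataclass


@dataclass
class PinPolicy:
    min_length: int = 4         # Min. PIN Length (1..8); token-side PIN types only
    allow_trivial: bool = True  # "Allow Trivial PINs", selected by default
    max_attempts: int = 3       # Max. PIN Attempts before the token locks


def is_trivial(pin, run=3):
    """True if the PIN contains `run` or more consecutive digits (1234, and by
    assumption also descending 4321) or `run` or more identical digits (2222)."""
    for i in range(len(pin) - run + 1):
        window = pin[i:i + run]
        if not window.isdigit():
            continue
        if len(set(window)) == 1:  # identical digits, e.g. 222
            return True
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:  # ascending or descending run
            return True
    return False


def validate_pin(pin, policy):
    """Return the policy violations for a proposed PIN (empty list = acceptable).
    An MP PIN is 3 to 8 alphanumeric characters, so that bound is checked first."""
    problems = []
    if not (3 <= len(pin) <= 8) or not pin.isalnum():
        problems.append("PIN must be 3 to 8 alphanumeric characters")
    if len(pin) < policy.min_length:
        problems.append(f"PIN shorter than Min. PIN Length {policy.min_length}")
    if not policy.allow_trivial and is_trivial(pin):
        problems.append("trivial PIN (consecutive or repeated digits) not allowed")
    return problems


class TokenPinState:
    """Consecutive failed PIN entries for one token.  The token locks once the
    count exceeds Max. PIN Attempts; a correct PIN resets the count."""

    def __init__(self, pin, policy):
        self._pin, self._policy = pin, policy
        self.failed, self.locked = 0, False

    def check_pin(self, attempt):
        if self.locked:
            return False  # a locked token generates nothing until it is unlocked
        if hmac.compare_digest(self._pin.encode(), attempt.encode()):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed > self._policy.max_attempts:
            self.locked = True
        return False

    def unlock(self, new_pin):
        """Outcome of Remote Unlock: the token is enabled again with a new PIN
        (the unlock challenge/response exchange itself is not modelled here)."""
        self._pin, self.failed, self.locked = new_pin, 0, False
```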

Click the ‘Apply’ button to apply changes to the template. Changes to the template will be applied to MP tokens during creation. Previously initialized MP tokens will be unaffected by changes to a template.

Using the MP Token on Windows XP/2003/2008/Vista/7

Installing the BlackShield ID Software Tools

Locate and run the agent installer:

• BlackShield ID Software Tools.exe for 32-bit systems.

• BlackShield ID Software Tools x64.exe for 64-bit systems.

The following will be requested:

• Prompt to accept the license agreement.

• Selection of the installation location.

• Prompt to accept device driver installation.

Loading an MP token file

MP tokens can be activated in the BlackShield Token Authenticator via Self-Enrollment or by loading an MP token file. For information on Self-Enrollment or manually issuing MP tokens, refer to the BlackShield Server Administrator's Manual found in the support section of www.cryptocard.com or within your BlackShield distribution package.


Generating a Token Code (QuickLog™ mode)

The MP automates authentication when used in conjunction with CRYPTOCard agents or compatible third-party plug-ins in a Windows environment. The user simply enters his PIN and clicks OK when prompted and the MP completes the authentication.

If the token template was configured to use a Fixed or User Select PIN, access to the BlackShield Software Tools application requires the user to enter a 3 to 8 character PIN. The PIN is generally unique for each token and known only to the owner of the token.

If the token template was configured to use a Server Side PIN, the BlackShield Software Tools application will generate the token code without a need to provide a PIN. Server-side PINs require the user to prepend the PIN to the token-generated password during login, allowing the PIN to be evaluated by BlackShield.

In instances where a user is attempting to connect to a network device or web resource for which a CRYPTOCard agent or third-party plug-in does not exist, there is no automated means by which the BlackShield Software Tools application can furnish the one-time password to the entity/asset for authentication. Therefore, MP tokens enable the user to generate a one-time Token Code that can then be entered manually when the user is prompted for a password by the application/entity interface.

1. Launch the Token Authenticator from Start|All Programs|CRYPTOCard | Token.

2. Select the token from the Token field (if more than one software token is installed) and click Generate Token Code.

3. Enter the PIN (if required).


4. Cut and paste, or transcribe, the one-time Token Code into the logon/password dialog of the application/entity interface you are authenticating against.

Generating a Token Code (Challenge-response mode)

QuickLog™ is the recommended mode for all CRYPTOCard tokens. Challenge-response mode should only be used if required.

1. Launch the Token Authenticator from Start|All Programs|CRYPTOCard |Token.

2. When you attempt to log in to the application or entity interface, you will receive an 8-digit challenge.

3. Click Generate Token Code on the Token Authenticator dialog window.

4. Enter the PIN and 8-digit challenge. A Token Code will be displayed.

5. Cut and paste, or transcribe, the response into the application or entity interface logon dialog.

User-changeable PIN

If the MP token is configured with a PIN Style of User-changeable PIN, the user will be forced to change the initial deployment PIN on first use. Thereafter, the user can change the PIN at any time, within the established security policy parameters.

1. Launch the Token Authenticator from Start|All Programs|CRYPTOCard |Token.

2. Select Tools|Change PIN from the toolbar.


3. Enter the Current PIN, New PIN, and Verify new PIN. Click OK.

Token Code Resynchronization

Token resynchronization may be required if the user has generated a large number of token codes without logging on (authenticating). Token resynchronization requires the user to enter a “challenge” into the token. The challenge must be provided by the Help Desk or via a Web-based resynchronization page. In the unlikely event that the token requires resynchronization with the authentication server:

1. Launch the Token Authenticator from Start|All Programs|CRYPTOCard |Token.

2. Select Tools|Resync from the toolbar.


3. Enter your PIN and the resynchronization Challenge.

4. Cut and paste, or transcribe, the one-time Token Code into the logon/password dialog of the application/entity interface you are authenticating against.

Unlock Token (Remote Unlock)

If the Max PIN Attempts threshold is exceeded, an MP token will enter a ‘Locked’ state and cannot be used for authentication. The Unlock Token option allows for a token to be enabled without having to redeploy the token file to the user.

1. Launch the Token Authenticator from Start|All Programs|CRYPTOCard |Token.

2. Select Tools|Unlock Token from the toolbar.

3. Provide the Unlock Challenge to the CRYPTOCard Administrator, then enter the Server Response provided to you.

4. Enter the New PIN, and Verify new PIN. Click OK.

5. A Token Unlocked message will appear. The MP token may now be used to generate Token Codes.


Using the MP Token on a BlackBerry Mobile Device

The BlackBerry is a wireless handheld device which supports e-mail, mobile telephone, text messaging, web browsing and other wireless information services. There are various methods of deploying a CRYPTOCard MP token to BlackBerry devices. Please refer to the BlackBerry Token Guide found in the support section of www.cryptocard.com for more information.

Using the MP Token on a Java Phone

Security Administrators can transform Java ME mobile phones into tokens that will generate PIN-protected one-time passwords valid for strong authentication at VPNs, Web applications, Citrix and any other BlackShield ID protected on-line resources. Please refer to the Java Phone Token Guide found in the support section of www.cryptocard.com for more information.

Using the MP Token on an iPhone

MP tokens can be used on the iPhone or iPad. Please refer to the iPhone Token Guide found in the support section of www.cryptocard.com for more information.