TOKENINIT(8)                 System Manager's Manual                 TOKENINIT(8)

NAME
tokeninit, activinit, cryptoinit, snkinit - modify or add user in ActivCard, CRYPTOCard, or SNK-004 authentication system

SYNOPSIS
tokeninit [-fhsv] [-m mode] user ...
DESCRIPTION
The tokeninit utility may also be invoked by one of the following names: activinit, cryptoinit, or snkinit. Depending on the name it was invoked as, it will initialize the system information to allow one to use the ActivCard, CRYPTOCard, or SNK-004 digital encryption token to login. The tokeninit utility is intended for use by the system administrator.
Token card systems provide strong user authentication by combining a user's unique knowledge (a Personal Identification Number) and a physical object (the token) which the user must have in their possession to login. The system administrator programs the token with a secret encryption key which is also stored in the database. The user programs the token with a PIN. To discourage exhaustive attempts to guess the PIN, configuration options permit the token to be programmed to erase knowledge of the shared secret should the user enter an excessive number of incorrect PIN entries.
The user activates the token by entering their PIN into the token. After activating the token, the user enters a random number challenge presented by the host computer into the token. The challenge is encrypted by the token and a response is displayed. The user then enters the response at the host computer's prompt, where it is compared with the anticipated response.
Token cards typically support multiple unique encryption keys. This facility allows a single token to be used for multiple computer systems, or multiple user instances on the same system.
The options are as follows:

-f

-h      snkinit.

-m mode
        Multiple -m options may be specified to enable multiple modes. By default only the hexadecimal mode is enabled, except for the SNK-004 token, which by default only enables the decimal mode. If an attempt is made to initialize a card with only reduced-input, the default mode for the card is silently included.

-s      Without this option, tokeninit prompts for a shared secret to enter into the authentication database. The -s option instead generates a 64-bit cryptographically strong key for use in the token. This shared secret will be saved in the database for the user ID specified on the command line. After entering the shared secret into the token, determine that the checksum computed by the token matches the one displayed by tokeninit.

-v      tokeninit will emit messages on the status of each user ID processed.

Reduced-input mode allows the token to predict the next challenge, given the current challenge. This may be used to eliminate the need to enter the challenge into the token, or it may be used with a paper list: using a program such as x99token(1), many challenges can be precomputed and printed. This list should be kept secret. It can then take the place of an actual token until the system has issued all the challenges printed. Challenges are predicted by the following algorithm:
* Encrypt the last challenge with the shared secret key
* AND each byte of the response with 0x0f
* Modulo each byte by 10 (0x0a)
* ADD 0x30 (ASCII value of '0') to each byte
The resulting 8 bytes are all ASCII decimal digits and are the next challenge.
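The prediction algorithm above, written out as an added example that is not part of the manual page or of the OpenBSD token code. The page says only "encrypt" and "64-bit key", so DES is assumed as the block cipher (the key size matches, and x99token(1) emulates a DES-based ANSI X9.9 token); the key and seed challenge are constructed sample values.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// NextChallenge applies the reduced-input algorithm from tokeninit(8):
// encrypt the last challenge with the shared secret, AND each byte with
// 0x0f, take it modulo 10 and add 0x30, giving 8 ASCII decimal digits.
// The page does not name the cipher; DES is assumed (64-bit key, X9.9).
func NextChallenge(block cipher.Block, last []byte) ([]byte, error) {
	if len(last) != block.BlockSize() {
		return nil, fmt.Errorf("challenge must be %d bytes, got %d", block.BlockSize(), len(last))
	}
	next := make([]byte, len(last))
	block.Encrypt(next, last)
	for i := range next {
		next[i] = (next[i]&0x0f)%10 + 0x30
	}
	return next, nil
}

// ChallengeList precomputes the n challenges that follow first, as a printed
// list for reduced-input mode would; that list must be kept secret.
func ChallengeList(key, first []byte, n int) ([]string, error) {
	block, err := des.NewCipher(key) // 8-byte (64-bit) shared secret
	if err != nil {
		return nil, err
	}
	list := make([]string, 0, n)
	cur := first
	for i := 0; i < n; i++ {
		if cur, err = NextChallenge(block, cur); err != nil {
			return nil, err
		}
		list = append(list, string(cur))
	}
	return list, nil
}

func main() {
	// Constructed sample key and seed challenge, not real credentials.
	list, err := ChallengeList([]byte("\x01\x23\x45\x67\x89\xab\xcd\xef"), []byte("12345678"), 5)
	if err != nil {
		panic(err)
	}
	fmt.Println(list)
}
```

Each challenge depends only on the previous one and the shared secret, so a host that accepts a stale challenge list after the key is changed, or a list that leaks, undermines the second factor.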
DIAGNOSTICS
Diagnostic messages are logged via syslog(3) with the LOG_AUTH facility.
A supplier for ActivCard tokens may be obtained by contacting:

ActivCard, Inc.
303 Twin Dolphin Dr., Ste 420
Redwood City, CA 94065
Tel: (415) 654-1700
Fax: (415) 654-1701

CRYPTOCard tokens may be obtained by contacting:

CRYPTOCard Incorporated
Attn: Wade Clark
1649 Barclay Blvd.
Buffalo Grove, Illinois 60089
Tel: (800) 307-7042 / (708) 459-6500
Fax: (708) 459-6599
<token@cryptocard.com>

SNK-004 tokens are no longer available for purchase.
AUTHORS
Jack Flory <jpf@mig.com>

BUGS
Not all modes of all cards are supported.

OpenBSD 5.6                      August 14, 2013                      OpenBSD 5.6