ootp/doc/otp-sca.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>otp-sca</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
></A
><SPAN
CLASS="APPLICATION"
>otp-sca</SPAN
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>otp-sca</SPAN
>&nbsp;--&nbsp;Smart Card Administration for One Time Password package.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>otp-sca</B
>  [-?hlp] [-a<TT
CLASS="REPLACEABLE"
><I
> admin_keyfile</I
></TT
>] [-c<TT
CLASS="REPLACEABLE"
><I
> count</I
></TT
>] [-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
>] [-i<TT
CLASS="REPLACEABLE"
><I
> index</I
></TT
>] [-m<TT
CLASS="REPLACEABLE"
><I
> command_mode</I
></TT
>] [-M<TT
CLASS="REPLACEABLE"
><I
> modifiers</I
></TT
>] [-r<TT
CLASS="REPLACEABLE"
><I
> reader</I
></TT
>] [-R<TT
CLASS="REPLACEABLE"
><I
> reader_keyfile</I
></TT
>] [-u<TT
CLASS="REPLACEABLE"
><I
> username</I
></TT
>] [-v<TT
CLASS="REPLACEABLE"
><I
> card_api_version</I
></TT
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN34"
></A
><H2
>DESCRIPTION</H2
><P
>The <B
CLASS="COMMAND"
>otp-sca</B
> command implements a terminal for an MCU based
Smart Card loaded with the OTP firmware (HOTPC.IMG).  Host entries consisting
of {hostname,count,shared_key} are downloaded to the Smart Card using 
<B
CLASS="COMMAND"
>otp-sca</B
>.  Additionally commands implemented on the
Smart Card such as HOTP generation and PIN maintenance can be executed
with the appropriate administratative key.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a, --sc-admin-key=<TT
CLASS="REPLACEABLE"
><I
> admin_keyfile</I
></TT
></DT
><DD
><P
>Smart Card administratative key.  The admin-enable command and
administratative key are used to toggle the Smart Card into admin mode.
Once in admin mode commands admin-disable, adminkey-set, balancecard-set,
host-get, host-set, pin-set, and sc-clear can be executed.  The default admin
key, "3030303030303030303030303030303030303030" (HEX), should be changed to
restrict access to the above commands.</P
></DD
><DT
>-c, --sc-count=<TT
CLASS="REPLACEABLE"
><I
> count</I
></TT
></DT
><DD
><P
>Configure the count parameter optionally used by the hotp-gen command.
A count value of 0 indicates the HOTP value is to be calculated with the
current stored count.</P
></DD
><DT
>-d, --debug=<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
></DT
><DD
><P
>Set debug level.</P
></DD
><DT
>-h, --help</DT
><DD
><P
>Help.</P
></DD
><DT
>-i, --sc-index=<TT
CLASS="REPLACEABLE"
><I
> index</I
></TT
></DT
><DD
><P
>Set the 8 bit index.  The Smart Card contains numerically indexed records
for each host of the form {hostname,count,shared_key}.  The firmware
will support indexes in the range 0..254.  255 is reserved.  Memory
capacity on the Smart Card may further restrict the index range.  The
ZC3.9 BasicCard with firmware revision 3 supports up to 85 records.</P
></DD
><DT
>-l, --list-readers</DT
><DD
><P
>List SC Readers</P
></DD
><DT
>-m, --sc-command=<TT
CLASS="REPLACEABLE"
><I
> command_mode</I
></TT
></DT
><DD
><P
></P
><PRE
CLASS="SCREEN"
>         Command Mode       Description                Notes    Modifiers
         ---------------------------------------------------------------
         admin-enable     - Enable Admin Mode          1
         admin-disable    - Disable Admin Mode
         adminkey-set     - Set Admin Key              1
         balancecard-set  - Set Balance Card Index     1
         capabilities-get - Get Capabilities
         host-get         - Get host entry             1,2,4    d
         host-set         - Set host entry             1,4
         hostname-get     - Get Hostname for Index     2,3
         hotp-gen         - Generate HOTP for Index    3        chr
         pin-set          - Set PIN                    3
         pin-test         - Test/Verify PIN            3
         reader-key-set   - Set Reader Key             1
         sc-clear         - Clear all SC data          1
         spyrus-ee-get    - Spyrus EEProm read         5
         spyrus-ee-set    - Spyrus EEProm write        5
         version          - Firmware version

 Notes (*):
   1 Admin Enable required.
   2 Iterate over all if no index specified.
   3 PIN or Admin Enable required.
   4 version 3 firmware supports 32 bit count, version 2 16 bit count.
   5 Spyrus customization SC firmware
 Modifiers: (version 3+ SC firmware)
   c pass count to SC.
   h return hostname from SC.
   d output in otpdb load friendly format.
   r include reader key in request.&#13;</PRE
></DD
><DT
>-M, --sc-command-modifier=<TT
CLASS="REPLACEABLE"
><I
> modifiers</I
></TT
></DT
><DD
><P
>Configure command_mode modifiers.  Modifier d applied to the host-get
command will generate output in otpdb format.  Count (c) and Host (h)
used with hotp-gen allow passing the Count and Host parameters 
respectively.  The Smart Card may not be configured to support
all variations of a command.</P
></DD
><DT
>-p, --no-pin</DT
><DD
><P
>Do not prompt for PIN.  The Smart Card does not require a PIN when admin
mode is enabled.</P
></DD
><DT
>-r, --reader=<TT
CLASS="REPLACEABLE"
><I
> reader</I
></TT
></DT
><DD
><P
>Set Smart Card reader.  Use -l to list available readers.  A reader
is defined as class:reader:[<SPAN
CLASS="OPTIONAL"
>option</SPAN
>].  PCSC and embedded
are the two available classes.  The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[<SPAN
CLASS="OPTIONAL"
>serial_port</SPAN
>].
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver.  Use PCSC: for the first available PC/SC
reader.  Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.</P
></DD
><DT
>-R, --sc-reader-key=<TT
CLASS="REPLACEABLE"
><I
> reader_keyfile</I
></TT
></DT
><DD
><P
>Smart Card Reader key.  The reader-key-set command can be used
to set this key in the Smart Card.  To emulate the behavior of
a reader using the key the r modifier may be used with this option
and the hotp-gen command to pass the key to the Smart Card.</P
><P
>A key consists of 5 bytes in hexadecimal format.  The default
key is "00000" or 3030303030.</P
><P
>This key must match the key set in the reader.  With the Spyrus
PAR II reader this is set in the PAR II EEProm.</P
></DD
><DT
>-u, --sc-username=<TT
CLASS="REPLACEABLE"
><I
> username</I
></TT
></DT
><DD
><P
>Set username.  The username is used with the host-get command and
d modifier.</P
></DD
><DT
>-v, --sc-version=<TT
CLASS="REPLACEABLE"
><I
> card_api_version</I
></TT
></DT
><DD
><P
>Set the Smart Card API version.  The binary API between the terminal
and Smart Card changed between version 2 and 3.  See command_mode notes
above.  The default version is 3.  Configuring version 2 will allow
maintenance of Smart Card with version 2 firmware.</P
></DD
><DT
>--version</DT
><DD
><P
>Display software version.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN113"
></A
><H2
>SMART CARD COMMANDS</H2
><P
><B
CLASS="COMMAND"
>admin-enable</B
>
: enable administrative mode.  The commands admin-disable, admin-key-set,
balancecard-set, host-get, and sc-clear require admin mode to be enabled.
pin-set and commands accepting a PIN will not require the PIN to be valid
while the SC is in admin mode.  A new key can be generated with
<B
CLASS="COMMAND"
>openssl rand 160 | openssl sha1</B
>.  The hotp-gen
command will automatically disable admin mode.</P
><P
><B
CLASS="COMMAND"
>admin-disable</B
>
: disable administratative mode.  Using the command hotp-gen will also
disable admin mode.</P
><P
><B
CLASS="COMMAND"
>adminkey-set</B
>
: set the 160 bit administrative key.  The default key is
"00000000000000000000" ASCII or "3030303030303030303030303030303030303030" HEX.</P
><P
><B
CLASS="COMMAND"
>balancecard-set</B
>
: set host index for balance card reader, 0-254.  255 will disable
this command.  Using a balance reader to generate a HOTP does not require
the use of a PIN, and is disabled by default.</P
><P
><B
CLASS="COMMAND"
>capabilities-get</B
>
: each command on the Smart Card is represented by a capabilities bit and
conditionally compiled into HOTPC.IMG.
capabilities-get will return the available, compiled-in commands.  Commands
are defined in <TT
CLASS="FILENAME"
>HOTP.DEF</TT
>:
<PRE
CLASS="SCREEN"
>' ZC commands CLA=80
'  b =  Byte             Idx,Mode,Version
'  i =  Integer          Count
'  l =  Long             Count32,Capabilities
'  sn = String length n  Hostname(12),ZCKey(20),*PIN(5),HOTP(5),
'                        AdminKey(20), eeBlock(16), readerKey(5)
'  INS  Name                       Format                    CapabilityID
'------------------------------------------------------------------------
'  00   PRDisplay  (CLA=C8)    -                             00000001
'                 RecordNumber(byte), DataFormat(byte), DigitCount(byte)
'                 DecimalPoint(byte), Delay(byte), MoreData(byte),
'                 Data(String)
'  40   SetHost                Idx,Count,Hostname,HOTPKey    00000002
'  42   GetHost                Idx,Count,Hostname,HOTPKey    00000004
'  44   GetHostName            Idx,myPIN,Hostname            00000008
'  46   GetHOTP                Idx,myPIN,HOTP                00000010
'  48   SetAdminMode           Mode,AdminKey                 00000020
'  4A   SetBalanceCardIndex    Idx                           00000040
'  4C   SetPIN                 myPIN,newPIN                  00000080
'  4E   TestPIN                myPIN                         00000100
'  50   GetVersion             Version                       00000200
'  52   SetAdminKey            AdminKey                      00000400
'  54   SetHost32              Idx,Count32,Hostname,HOTPKey  00000800
'  56   GetHost32              Idx,Count32,Hostname,HOTPKey  00001000
'  58   GetHOTPCount32         Idx,myPIN,Count32,HOTP        00002000
'  5A   GetHOTPHost            Idx,myPIN,HOTP,Hostname       00004000
'  5C   GetHOTPHostCount32     Idx,myPIN,Count,HOTP,Hostname 00008000
'  5E   ClearAll                                             00010000
'  60   SetReaderKey           readerKey                     00020000

'  90   GetCapabilities        Capabilities                  XXXXXXXX
'  A0   GetEEBlock             P1=Idx,eeBlock                XXXXXXXX
'  A1   SetEEBlock             P1=Idx,eeBlock                XXXXXXXX</PRE
></P
><P
><B
CLASS="COMMAND"
>host-get</B
>
: retrieve a host record, or all host records if the index is not set.
Fields {index,count,hostname,key} are : separated and represented in HEX.
An index up to 254 may be specified if the SC EEPROM is sufficient.
Count (32 bits) and key (160 bits) are used for generating a HOTP.  The
hostname field (12 bytes) can be displayed on readers such as the Spyrus
PAR II.  The high bit of each hostname character serve as 12 flag bits,
F0..F11.</P
><PRE
CLASS="SCREEN"
>F0: challenge (count) input is required by the user.

F1: enable reader authentication by the SC for the GetHOTP* commands.

F2: enable base10 display

F3..F7: reserved

F8-11: FMT3-FMT0. 0000=HEX40   0001=HEX40   0010=DEC31.6  0011=DEC31.7
                  0100=DEC31.8 0101=DEC31.9 0110=DEC31.10 0011=DHEX40 

Example host record with index=0, count=7, hostname=dev1.eng,
                         key=E4AACE5EC7291C405ED28949BB6DACA05768319D
#index:count:hostname:key
00:00000007:646576312E656E6700000000:E4AACE5EC7291C405ED28949BB6DACA05768319D&#13;</PRE
><P
><B
CLASS="COMMAND"
>host-set</B
>
: set a host record.  Multiple host records may be set, one record per
line.</P
><P
><B
CLASS="COMMAND"
>hostname-get</B
>
: return the hostname for an index, or all hostnames if no index is
specified.  Hostnames tagged "**" require the reader PIN.</P
><P
><B
CLASS="COMMAND"
>hotp-gen</B
>
: generate an HOTP for an index.  Index is 0 if not specified.
There are four versions of this command, GetHOTP, GetHOTPHost,
GetHOTPCount32, GetHOTPHostCount32 which can be selected
with the Modifiers option.  The default SC build includes
the GetHOTPHostCount32 (-Mch), and GetHOTPCount32 (-Mc) commands.
Executing this command will disable administratative mode if set.</P
><P
><B
CLASS="COMMAND"
>pin-set</B
>
: set a user PIN.  If the SC is in admin mode the current PIN is not
validated.</P
><P
><B
CLASS="COMMAND"
>pin-test</B
>
: test a user PIN.  Specifing a PIN incorrectly more than ten times in
succession will lock the SC.  Use the pin-test command in admin mode
to unlock a SC.</P
><P
><B
CLASS="COMMAND"
>reader-key-set</B
>
: set the 40 bit SC reader key.  A reader will present this key to the
SC when executing the GetHOTP* commands.  If the F1 (flag 1) bit of
the hostname is set, this key must match the key provided by the
reader.  This functionality allows the reader to weakly authenticate
itself to the Smart Card and may be used to restrict HOTP generation to
a Spyrus PAR II reader.</P
><P
><B
CLASS="COMMAND"
>sc-clear</B
>
: reset the SC to defaults, erase all host entries.</P
><P
><B
CLASS="COMMAND"
>spyrus-ee-get</B
>
: get spyrus EEProm blocks.  The HOTP firmware for the Spyrus Reader
will load run-time strings from the on-board EEProm programmable from
a SC loaded with the Spyrus Personalization firmware.  The spyrus-ee-get
command will read these strings from a SC.  The 256K Byte EEProm is read
organized into 16 byte blocks.  The high bit of the index serves as a last
block flag indicator for the Spyrus reader, allowing for example only block
0 to be overwritten.</P
><PRE
CLASS="SCREEN"
>Spyrus EEProm Memory map and flash defaults:

Note the field length is defined by the number of characters between :'s.
The field length for EE_MAGIC is 3, EE_READER_KEY 5, and EE_CALC_MSG 12.

Symbol             Contents/Length
---------------------------------------
EE_MAGIC           :maf:
EE_READER_KEY      :00000:
EE_CALC_MSG        :OARnet:2009 :
EE_L1GREET         :   OARnet   :
EE_L2GREET         :PIN:        :
EE_L1MAIN          :   OARnet   :
EE_L2MAIN          :  Verified  :
EE_CHALLENGE       :Challenge:  :
EE_L1LOCKED        :10 Failures :
EE_L2LOCKED        :Card Locked :
EE_L1ACCESS_DENY   :   Access   :
EE_L2ACCESS_DENY   :   Denied   :
EE_NOHOSTS         :  No Hosts  :
EE_L1NEWPIN        :Set New PIN :
EE_L2NEWPIN        :NewPIN:     :
EE_L3NEWPIN        :Again:      :
EE_PINCHANGED      :PIN Changed :
EE_NOCARD          :No Card     :
EE_TRYHARDER       :Try Harder  :</PRE
><PRE
CLASS="SCREEN"
>00:6D616630303030304F41526E65743A32
01:303039202020204F41526E6574202020
02:50494E3A20202020202020202020204F
03:41526E65742020202020566572696669
04:656420204368616C6C656E67653A2020
05:3130204661696C757265732043617264
06:204C6F636B6564202020204163636573
07:7320202020202044656E696564202020
08:20204E6F20486F737473202053657420
09:4E65772050494E204E657750494E3A20
0A:20202020416761696E3A202020202020
0B:50494E204368616E676564204E6F2043
0C:61726420202020205472792048617264
8D:65722020000000000000000000000000</PRE
><P
>Note this command works with the Spyrus Personalization SC firmware only.</P
><P
><B
CLASS="COMMAND"
>spyrus-ee-set</B
>
: set spyrus EEProm blocks.</P
><P
>Note this command works with the Spyrus Personalization SC firmware only.</P
><P
><B
CLASS="COMMAND"
>version</B
>
: display firmware version of SC.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN155"
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN157"
></A
><P
>Change the administratative key from the default.  Disable admin mode
when done.</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>echo "3030303030303030303030303030303030303030" &#62; default.key</B
>

<B
CLASS="COMMAND"
>otp-sca -a default.key -m admin-enable</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: enabled.</SAMP
>

<B
CLASS="COMMAND"
>openssl rand 160 | openssl sha1 &#62; secret.key </B
>

<B
CLASS="COMMAND"
>otp-sca -a secret.key -m adminkey-set</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>Set AdminKey: Done</SAMP
>

<B
CLASS="COMMAND"
>otp-sca -a secret.key -m admin-disable</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: disabled.</SAMP
>&#13;</PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN168"
></A
><P
>Use <B
CLASS="COMMAND"
>otp-control</B
> to create a new database for system dev1 with
user test, store the test user database entry to the Smart Card with
<B
CLASS="COMMAND"
>otp-sca</B
>.</P
><PRE
CLASS="SCREEN"
># Create a new new OTP database /tmp/otpdb
<B
CLASS="COMMAND"
>otp-control -no /tmp/otpdb -m create</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>Created db /tmp/otpdb.</SAMP
>

# add user test
<B
CLASS="COMMAND"
>otp-control -o /tmp/otpdb -u test -m add</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>Adding user test.</SAMP
>

# list user test entry in format ready for otp-sca to import.  Hostname
# of system is dev1
<B
CLASS="COMMAND"
>otp-control -o /tmp/otpdb -u test -m list-sc -H dev1 | tail -1 &#62; /tmp/test.list</B
>

# copy card entry to Smart Card as index 0
<B
CLASS="COMMAND"
>echo -n "00:"| cat - /tmp/test.list | ./otp-sca -m host-set</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>SetHost (0): Done</SAMP
>&#13;</PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN180"
></A
><P
>Dump card contents to stdout.  Note fields are encoded in HEX including
the hostname.  A high bit set on the first character in the hostname
signals the terminal to prompt for a count.</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>otp-sca -m host-get</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>#index:count:hostname:key
00:00000002:646576312E656E6700000000:E4AACE5EC7291C405ED28949BB6DACA05768319D
01:00000000:646576322E656E6700000000:4120522AAC6B9C32274E2B3D966000D790EFEBFA
02:00000021:646576332E656E6700000000:9CDF3C14792A512FBE0D530E4DCFC726841B21BD
03:00000000:76706E312E656E6700000000:B8A64BE3DDAE4B873683ACE9B9DBF95D72782CBE</SAMP
></PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN185"
></A
><P
>Reset user PIN for card with secret.key as the admin key.</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>otp-sca -m admin-enable -a secret.key</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: enabled.</SAMP
>

<B
CLASS="COMMAND"
>otp-sca -p -m pin-set</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>New PIN: 23456
New PIN (again): 23456
SetPIN Good.</SAMP
>

<B
CLASS="COMMAND"
>otp-sca -m admin-disable -a secret.key</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: disabled.</SAMP
></PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN194"
></A
><P
>Generate HOTP for dev1.  Use hostname-get to find the index for dev1.  Use
the GetHOTPHostCount32 command with count 1 (modifiers c and h).</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>otp-sca -m hostname-get</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>Enter PIN: 23456
00,dev1
01,dev2.eng
02,dev3.eng
03,vpn1.eng
04,base4.eng
05,base6.eng
06,base7.eng</SAMP
>

<B
CLASS="COMMAND"
>otp-sca -d99 -m hotp-gen -Mch -i 0 -c1</B
>

<SAMP
CLASS="COMPUTEROUTPUT"
>Enter PIN: 23456
HOTP: 52DCD05FE5 -- dev1</SAMP
>&#13;</PRE
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN201"
></A
><H2
>AUTHOR</H2
><P
>Mark Fullmer
<CODE
CLASS="EMAIL"
>&#60;<A
HREF="mailto:maf@splintered.net"
>maf@splintered.net</A
>&#62;</CODE
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN208"
></A
><H2
>SEE ALSO</H2
><P
><SPAN
CLASS="APPLICATION"
>otp-control</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>otp-sct</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>pam_otp</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>htsoft-downloader</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>otp-ov-plugin</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>bcload</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>urd</SPAN
>(1)
<SPAN
CLASS="HARDWARE"
>spyrus-par2</SPAN
>(7)</P
></DIV
></BODY
></HTML
>