SPYRUS PAR II(7)

NAME
       Spyrus PAR II - Spyrus PAR II reader with HOTP firmware

SETUP
       A HOTP token is obtained by activating the reader, authenticating
       with a 5 digit PIN, and picking a numerically indexed host.
       Interactive menu and two digit shortcut methods are provided for
       host selection. Additional functionality includes Smart Card PIN
       change, overriding the default increment-on-generate per-host HOTP
       count behavior, and firmware management. With the HOTP displayed,
       press Enter to repeat the host selection process for additional
       token generation. Use the host selection shortcut rather than the
       menu to extend battery life.

KEY SEQUENCES
       Basic Functions:
       Card/ON      Power up reader.
       Calc/OFF     Power down reader. From power-off this key also opens
                    the firmware menu (see LOADING FIRMWARE).

       The reader should be powered down after using the HOTP to extend
       battery life. A timeout will turn the reader off without
       intervention.

       PIN Entry:
       0123456789   5 digit PIN. Default is 28165. The default PIN should
                    be changed with the * key sequence described under
                    Host Selection.
       Clear        Clear input.
       Enter        Accept PIN sequence.

       Host Selection:
       0123456789   2 digit host index. A single digit followed by Enter
                    selects host 0..9; Enter with no digits selects
                    index 0.
       Enter        Select host.
       Clear        Clear host digit.
       *            Change PIN.
       #            Toggle Challenge/Count input. The per-host count,
                    which is incremented by 1 and stored on the SC after
                    each HOTP generation, can be overridden with this
                    option.
       DOWN         Enable host menu.

       Host Selection With Menu:
       Enter        Select host.
       UP           Cursor up one line.
       DOWN         Cursor down one line.

LOADING FIRMWARE
       The PAR II is factory loaded with the HI-TECH Software Bootloaders
       for Microchip 16F87x version 1.

       Firmware Download Procedure:
       1. Connect the Spyrus download cable to a workstation with
          htsoft-downloader or pic-downloader.
       2. Start htsoft-downloader or pic-downloader.
       3. Press CALC/OFF, then the down arrow 3 times to select
          DownloadApp.
       4. Press Enter to initiate the download.
       5. Press CARD/ON to verify the new firmware is loaded.

       The download will progress and end in an error resetting the PIC.
       This is a bug in the PAR II downloader and can be safely ignored.
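The count behavior described under KEY SEQUENCES (increment-on-generate, and the # toggle that lets the user supply the count) is what keeps the card and the server in step. The following added example, which is not part of this page or of the otp toolkit, models a per-host card record, generates tokens both ways, and checks them with a server-side look-ahead window so the effect of counter drift and of a replayed token is visible. It assumes the reader's HOTP is plain RFC 4226 HMAC-SHA1 with 6 decimal digits (the page does not state the output format) and that a challenge value is used for one computation without updating the stored count (the page says only that the count "can be overridden"); the key is the RFC 4226 Appendix D test secret, not a real card key.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, count: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation. 6 decimal digits is the RFC default; the reader's
    actual output format is not given on the page (assumption)."""
    mac = hmac.new(key, struct.pack(">Q", count), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HostRecord:
    """Model of one per-host entry on the Smart Card: HOTP key plus stored count."""

    def __init__(self, key: bytes, count: int = 0) -> None:
        self.key = key
        self.count = count

    def generate(self, challenge: Optional[int] = None) -> str:
        """Default (no '#' toggle): use the stored count, then increment and
        store it. Challenge ('#' toggle): compute for the count the user keys
        in. Leaving the stored count untouched in challenge mode is an
        assumption; the page only says the count can be overridden."""
        if challenge is None:
            token = hotp(self.key, self.count)
            self.count += 1
            return token
        return hotp(self.key, challenge)


def verify(expected_count: int, key: bytes, token: str,
           window: int = 5) -> Optional[int]:
    """Server-side validator with a look-ahead window (generic HOTP practice,
    not a description of otp-control). Accepts a token for any count in
    [expected_count, expected_count + window) and returns the next count to
    expect; returns None on failure. Counts below expected_count are never
    accepted, so a captured token cannot be replayed."""
    for c in range(expected_count, expected_count + window):
        if hmac.compare_digest(hotp(key, c), token):
            return c + 1
    return None


# Constructed demo key: the RFC 4226 Appendix D secret, not a real card key.
RFC4226_KEY = b"12345678901234567890"

if __name__ == "__main__":
    card = HostRecord(RFC4226_KEY)
    server_count = 0
    for _ in range(3):
        token = card.generate()                       # increment-on-generate
        server_count = verify(server_count, RFC4226_KEY, token)
        print(token, "-> next expected count", server_count)
    # User pressed Enter four times without logging in: card is 4 ahead.
    for _ in range(4):
        card.generate()
    print("drifted token accepted, next count:",
          verify(server_count, RFC4226_KEY, card.generate()))
    # '#' toggle: regenerate a specific count without moving the card counter.
    print("challenge 0 ->", card.generate(challenge=0), "count still", card.count)
```

Because the server never accepts a count below the one it expects, a token that has already been used (or one overheard earlier) fails even though it is a valid HOTP for that key; the window only covers counts the card has consumed without a corresponding login.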
EEPROM CUSTOMIZATION
       The Spyrus PAR II HOTP application utilizes the onboard EEPROM for
       string storage, allowing customization without re-compiling. The
       fixed memory map is as follows:

       Offset Length Default        Description
       -----------------------------------------------------------------------
       0      3      "maf"          EEPROM signature. EEPROM is reset if it
                                    does not match.
       3      5      "00000"        Reader Key
       8      12     "OARnet:2009 " Calculator message
       20     12     " OARnet "     Line 1 initial
       32     12     "PIN: "        Line 2 initial
       44     12     " OARnet "     Line 1 after PIN success
       56     12     " Verified "   Line 2 after PIN success
       68     12     "Challenge: "  Message to indicate count entry
       80     12     "10 Failures " Line 1 card locked / excessive PIN fail
       92     12     "Card Locked " Line 2 card locked / excessive PIN fail
       104    12     " Access "     Line 1 incorrect PIN
       116    12     " Denied "     Line 2 incorrect PIN
       128    12     " No Hosts "   Line 1, SC with no host entries
       140    12     "Set New PIN " Line 1 reset PIN
       152    12     "NewPIN: "     Line 2 reset PIN
       164    12     "Again: "      Line 3 reset PIN
       176    12     "PIN Changed " PIN Change notification
       188    12     "No Card "     No SC at powerup
       200    12     "Try Harder "  All PIN digits equal

       EEPROM Load Procedure:
       The EEPROM is customized with a Smart Card loaded with the Spyrus
       Personalization software SPYRUSP.IMG. Blocks of 16 bytes are loaded
       sequentially until the 8 bit block id has the high bit set. Use
       bcload to load a SC with SPYRUSP.IMG, then the spyrus-ee-set command
       of otp-sca to store the EEPROM image on the SC. A default EEPROM
       configuration is supplied in the file oar.str, which is converted to
       oar.ee with the str2ee utility. oar.ee is suitable for otp-sca.

       1. Insert the SC loaded with SPYRUSP.IMG and configured using
          spyrus-ee-set with otp-sca.
       2. Press Card/ON.
       3. Enter the magic PIN 3#.

       The Spyrus reader will reset after the last block is loaded.

AUTHOR
       Mark Fullmer maf@splintered.net

BUGS
       The Spyrus reader is not waterproof and will not survive a
       permanent-press cycle. The Smart Card will survive your back pocket
       when seated; the reader may not.
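The memory map and block-loading description under EEPROM CUSTOMIZATION are concrete enough to build and check an image. The following added example is not part of this page or of the otp toolkit (it is not str2ee or spyrus-ee-set): it fills the fixed map with defaults or overrides, refuses strings longer than their field, verifies the "maf" signature the way the reader's reset check implies, and frames the image as 16-byte blocks whose 8-bit id has the high bit set on the last block. The block framing (one id byte followed by 16 data bytes), the pad byte, and the treatment of leading/trailing spaces in the defaults (which the source collapsed) are assumptions; the real layout of SPYRUSP.IMG blocks is not given on the page.

```python
MAGIC = b"maf"
EEPROM_SIZE = 212   # last field starts at offset 200 and is 12 bytes long
BLOCK_LEN = 16

# (offset, length, default, description) from the memory map in the man page.
# Internal spacing of the defaults is as printed; the original centering was
# lost in extraction (assumption: left-aligned, space padded).
EEPROM_MAP = [
    (0,   3,  "maf",          "EEPROM signature"),
    (3,   5,  "00000",        "Reader key"),
    (8,   12, "OARnet:2009 ", "Calculator message"),
    (20,  12, " OARnet ",     "Line 1 initial"),
    (32,  12, "PIN: ",        "Line 2 initial"),
    (44,  12, " OARnet ",     "Line 1 after PIN success"),
    (56,  12, " Verified ",   "Line 2 after PIN success"),
    (68,  12, "Challenge: ",  "Message to indicate count entry"),
    (80,  12, "10 Failures ", "Line 1 card locked"),
    (92,  12, "Card Locked ", "Line 2 card locked"),
    (104, 12, " Access ",     "Line 1 incorrect PIN"),
    (116, 12, " Denied ",     "Line 2 incorrect PIN"),
    (128, 12, " No Hosts ",   "Line 1, SC with no host entries"),
    (140, 12, "Set New PIN ", "Line 1 reset PIN"),
    (152, 12, "NewPIN: ",     "Line 2 reset PIN"),
    (164, 12, "Again: ",      "Line 3 reset PIN"),
    (176, 12, "PIN Changed ", "PIN Change notification"),
    (188, 12, "No Card ",     "No SC at powerup"),
    (200, 12, "Try Harder ",  "All PIN digits equal"),
]


def build_image(overrides=None) -> bytes:
    """Return the 212-byte EEPROM image. `overrides` maps a description to
    replacement text. Fields are space padded to their length; text longer
    than the field is rejected rather than silently truncated, so a
    customized message cannot spill into the neighbouring field."""
    overrides = overrides or {}
    image = bytearray(b" " * EEPROM_SIZE)        # fill byte is an assumption
    for offset, length, default, desc in EEPROM_MAP:
        text = overrides.get(desc, default).encode("ascii")
        if len(text) > length:
            raise ValueError(f"{desc!r}: {len(text)} bytes exceeds field length {length}")
        image[offset:offset + length] = text.ljust(length, b" ")
    return bytes(image)


def parse_image(image: bytes) -> dict:
    """Decode an image back into its fields. An image whose signature is not
    'maf' is refused, mirroring the reader's 'reset if no match' check."""
    if image[0:3] != MAGIC:
        raise ValueError("EEPROM signature mismatch; reader would reset to defaults")
    return {desc: image[off:off + ln].decode("ascii")
            for off, ln, _default, desc in EEPROM_MAP}


def to_blocks(image: bytes) -> list:
    """Split into 16-byte blocks, each prefixed with an 8-bit block id. The
    last block's id has the high bit set, which the page describes as the
    load terminator. Id-then-data framing is an assumption."""
    padded = image + b" " * (-len(image) % BLOCK_LEN)
    count = len(padded) // BLOCK_LEN
    if count > 0x80:
        raise ValueError("too many blocks for a 7-bit block id")
    blocks = []
    for i in range(count):
        block_id = i | (0x80 if i == count - 1 else 0x00)
        blocks.append(bytes([block_id]) + padded[i * BLOCK_LEN:(i + 1) * BLOCK_LEN])
    return blocks


def from_blocks(blocks: list) -> bytes:
    """Reassemble as the reader would: consume blocks until one carries the
    high bit in its id, then stop."""
    out = bytearray()
    for blk in blocks:
        out += blk[1:1 + BLOCK_LEN]
        if blk[0] & 0x80:
            break
    return bytes(out[:EEPROM_SIZE])


if __name__ == "__main__":
    img = build_image({"Line 1 initial": "  Example   "})
    for name, value in parse_image(img).items():
        print(f"{name:32s} {value!r}")
    blocks = to_blocks(img)
    print(len(blocks), "blocks; last id 0x%02x" % blocks[-1][0])
    assert from_blocks(blocks) == img
```

A 212-byte image needs 14 blocks (the last one padded), so the terminating block id is 0x8D. Keeping the length check in build_image matters because the reader only knows field boundaries by offset: a 13-byte line would overwrite the first byte of the next message.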
SEE ALSO
       otp-sca(1), otp-sct(1), otp-control(1), pam_otp(1),
       htsoft-downloader(1), urd(1), bcload(1), OpenVPN(8)