adulau/ootp
1
0
Fork 0
mirror of https://github.com/adulau/ootp.git synced 2024-11-22 10:07:12 +00:00
Code Issues Projects Releases Packages Wiki Activity
ootp/doc/otp-sca.html

890 lines
No EOL
20 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>otp-sca</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
></A
><SPAN
CLASS="APPLICATION"
>otp-sca</SPAN
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>otp-sca</SPAN
>&nbsp;--&nbsp;Smart Card Administration for One Time Password package.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>otp-sca</B
> [-?hlp] [-a<TT
CLASS="REPLACEABLE"
><I
> admin_keyfile</I
></TT
>] [-c<TT
CLASS="REPLACEABLE"
><I
> count</I
></TT
>] [-d<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
>] [-i<TT
CLASS="REPLACEABLE"
><I
> index</I
></TT
>] [-m<TT
CLASS="REPLACEABLE"
><I
> command_mode</I
></TT
>] [-M<TT
CLASS="REPLACEABLE"
><I
> modifiers</I
></TT
>] [-r<TT
CLASS="REPLACEABLE"
><I
> reader</I
></TT
>] [-R<TT
CLASS="REPLACEABLE"
><I
> reader_keyfile</I
></TT
>] [-u<TT
CLASS="REPLACEABLE"
><I
> username</I
></TT
>] [-v<TT
CLASS="REPLACEABLE"
><I
> card_api_version</I
></TT
>]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN34"
></A
><H2
>DESCRIPTION</H2
><P
>The <B
CLASS="COMMAND"
>otp-sca</B
> command implements a terminal for an MCU based
Smart Card loaded with the OTP firmware (HOTPC.IMG). Host entries consisting
of {hostname,count,shared_key} are downloaded to the Smart Card using
<B
CLASS="COMMAND"
>otp-sca</B
>. Additionally commands implemented on the
Smart Card such as HOTP generation and PIN maintenance can be executed
with the appropriate administratative key.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a, --sc-admin-key=<TT
CLASS="REPLACEABLE"
><I
> admin_keyfile</I
></TT
></DT
><DD
><P
>Smart Card administratative key. The admin-enable command and
administratative key are used to toggle the Smart Card into admin mode.
Once in admin mode commands admin-disable, adminkey-set, balancecard-set,
host-get, host-set, pin-set, and sc-clear can be executed. The default admin
key, "3030303030303030303030303030303030303030" (HEX), should be changed to
restrict access to the above commands.</P
></DD
><DT
>-c, --sc-count=<TT
CLASS="REPLACEABLE"
><I
> count</I
></TT
></DT
><DD
><P
>Configure the count parameter optionally used by the hotp-gen command.
A count value of 0 indicates the HOTP value is to be calculated with the
current stored count.</P
></DD
><DT
>-d, --debug=<TT
CLASS="REPLACEABLE"
><I
> debug_level</I
></TT
></DT
><DD
><P
>Set debug level.</P
></DD
><DT
>-h, --help</DT
><DD
><P
>Help.</P
></DD
><DT
>-i, --sc-index=<TT
CLASS="REPLACEABLE"
><I
> index</I
></TT
></DT
><DD
><P
>Set the 8 bit index. The Smart Card contains numerically indexed records
for each host of the form {hostname,count,shared_key}. The firmware
will support indexes in the range 0..254. 255 is reserved. Memory
capacity on the Smart Card may further restrict the index range. The
ZC3.9 BasicCard with firmware revision 3 supports up to 85 records.</P
></DD
><DT
>-l, --list-readers</DT
><DD
><P
>List SC Readers</P
></DD
><DT
>-m, --sc-command=<TT
CLASS="REPLACEABLE"
><I
> command_mode</I
></TT
></DT
><DD
><P
></P
><PRE
CLASS="SCREEN"
> Command Mode Description Notes Modifiers
---------------------------------------------------------------
admin-enable - Enable Admin Mode 1
admin-disable - Disable Admin Mode
adminkey-set - Set Admin Key 1
balancecard-set - Set Balance Card Index 1
capabilities-get - Get Capabilities
host-get - Get host entry 1,2,4 d
host-set - Set host entry 1,4
hostname-get - Get Hostname for Index 2,3
hotp-gen - Generate HOTP for Index 3 chr
pin-set - Set PIN 3
pin-test - Test/Verify PIN 3
reader-key-set - Set Reader Key 1
sc-clear - Clear all SC data 1
spyrus-ee-get - Spyrus EEProm read 5
spyrus-ee-set - Spyrus EEProm write 5
version - Firmware version
Notes (*):
1 Admin Enable required.
2 Iterate over all if no index specified.
3 PIN or Admin Enable required.
4 version 3 firmware supports 32 bit count, version 2 16 bit count.
5 Spyrus customization SC firmware
Modifiers: (version 3+ SC firmware)
c pass count to SC.
h return hostname from SC.
d output in otpdb load friendly format.
r include reader key in request.&#13;</PRE
></DD
><DT
>-M, --sc-command-modifier=<TT
CLASS="REPLACEABLE"
><I
> modifiers</I
></TT
></DT
><DD
><P
>Configure command_mode modifiers. Modifier d applied to the host-get
command will generate output in otpdb format. Count (c) and Host (h)
used with hotp-gen allow passing the Count and Host parameters
respectively. The Smart Card may not be configured to support
all variations of a command.</P
></DD
><DT
>-p, --no-pin</DT
><DD
><P
>Do not prompt for PIN. The Smart Card does not require a PIN when admin
mode is enabled.</P
></DD
><DT
>-r, --reader=<TT
CLASS="REPLACEABLE"
><I
> reader</I
></TT
></DT
><DD
><P
>Set Smart Card reader. Use -l to list available readers. A reader
is defined as class:reader:[<SPAN
CLASS="OPTIONAL"
>option</SPAN
>]. PCSC and embedded
are the two available classes. The embedded class contains the acr30s driver
which is specified as embedded:acr30s:[<SPAN
CLASS="OPTIONAL"
>serial_port</SPAN
>].
If pcscd is running the first PC/SC reader will be the default followed by
the embedded acr30s driver. Use PCSC: for the first available PC/SC
reader. Use embedded:acr30s:/dev/cuaU0 for the embedded acr30s driver
with serial port /dev/cuaU0.</P
></DD
><DT
>-R, --sc-reader-key=<TT
CLASS="REPLACEABLE"
><I
> reader_keyfile</I
></TT
></DT
><DD
><P
>Smart Card Reader key. The reader-key-set command can be used
to set this key in the Smart Card. To emulate the behavior of
a reader using the key the r modifier may be used with this option
and the hotp-gen command to pass the key to the Smart Card.</P
><P
>A key consists of 5 bytes in hexadecimal format. The default
key is "00000" or 3030303030.</P
><P
>This key must match the key set in the reader. With the Spyrus
PAR II reader this is set in the PAR II EEProm.</P
></DD
><DT
>-u, --sc-username=<TT
CLASS="REPLACEABLE"
><I
> username</I
></TT
></DT
><DD
><P
>Set username. The username is used with the host-get command and
d modifier.</P
></DD
><DT
>-v, --sc-version=<TT
CLASS="REPLACEABLE"
><I
> card_api_version</I
></TT
></DT
><DD
><P
>Set the Smart Card API version. The binary API between the terminal
and Smart Card changed between version 2 and 3. See command_mode notes
above. The default version is 3. Configuring version 2 will allow
maintenance of Smart Card with version 2 firmware.</P
></DD
><DT
>--version</DT
><DD
><P
>Display software version.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN113"
></A
><H2
>SMART CARD COMMANDS</H2
><P
><B
CLASS="COMMAND"
>admin-enable</B
>
: enable administrative mode. The commands admin-disable, admin-key-set,
balancecard-set, host-get, and sc-clear require admin mode to be enabled.
pin-set and commands accepting a PIN will not require the PIN to be valid
while the SC is in admin mode. A new key can be generated with
<B
CLASS="COMMAND"
>openssl rand 160 | openssl sha1</B
>. The hotp-gen
command will automatically disable admin mode.</P
><P
><B
CLASS="COMMAND"
>admin-disable</B
>
: disable administratative mode. Using the command hotp-gen will also
disable admin mode.</P
><P
><B
CLASS="COMMAND"
>adminkey-set</B
>
: set the 160 bit administrative key. The default key is
"00000000000000000000" ASCII or "3030303030303030303030303030303030303030" HEX.</P
><P
><B
CLASS="COMMAND"
>balancecard-set</B
>
: set host index for balance card reader, 0-254. 255 will disable
this command. Using a balance reader to generate a HOTP does not require
the use of a PIN, and is disabled by default.</P
><P
><B
CLASS="COMMAND"
>capabilities-get</B
>
: each command on the Smart Card is represented by a capabilities bit and
conditionally compiled into HOTPC.IMG.
capabilities-get will return the available, compiled-in commands. Commands
are defined in <TT
CLASS="FILENAME"
>HOTP.DEF</TT
>:
<PRE
CLASS="SCREEN"
>' ZC commands CLA=80
' b = Byte Idx,Mode,Version
' i = Integer Count
' l = Long Count32,Capabilities
' sn = String length n Hostname(12),ZCKey(20),*PIN(5),HOTP(5),
' AdminKey(20), eeBlock(16), readerKey(5)
' INS Name Format CapabilityID
'------------------------------------------------------------------------
' 00 PRDisplay (CLA=C8) - 00000001
' RecordNumber(byte), DataFormat(byte), DigitCount(byte)
' DecimalPoint(byte), Delay(byte), MoreData(byte),
' Data(String)
' 40 SetHost Idx,Count,Hostname,HOTPKey 00000002
' 42 GetHost Idx,Count,Hostname,HOTPKey 00000004
' 44 GetHostName Idx,myPIN,Hostname 00000008
' 46 GetHOTP Idx,myPIN,HOTP 00000010
' 48 SetAdminMode Mode,AdminKey 00000020
' 4A SetBalanceCardIndex Idx 00000040
' 4C SetPIN myPIN,newPIN 00000080
' 4E TestPIN myPIN 00000100
' 50 GetVersion Version 00000200
' 52 SetAdminKey AdminKey 00000400
' 54 SetHost32 Idx,Count32,Hostname,HOTPKey 00000800
' 56 GetHost32 Idx,Count32,Hostname,HOTPKey 00001000
' 58 GetHOTPCount32 Idx,myPIN,Count32,HOTP 00002000
' 5A GetHOTPHost Idx,myPIN,HOTP,Hostname 00004000
' 5C GetHOTPHostCount32 Idx,myPIN,Count,HOTP,Hostname 00008000
' 5E ClearAll 00010000
' 60 SetReaderKey readerKey 00020000
' 90 GetCapabilities Capabilities XXXXXXXX
' A0 GetEEBlock P1=Idx,eeBlock XXXXXXXX
' A1 SetEEBlock P1=Idx,eeBlock XXXXXXXX</PRE
></P
><P
><B
CLASS="COMMAND"
>host-get</B
>
: retrieve a host record, or all host records if the index is not set.
Fields {index,count,hostname,key} are : separated and represented in HEX.
An index up to 254 may be specified if the SC EEPROM is sufficient.
Count (32 bits) and key (160 bits) are used for generating a HOTP. The
hostname field (12 bytes) can be displayed on readers such as the Spyrus
PAR II. The high bit of each hostname character serve as 12 flag bits,
F0..F11.</P
><PRE
CLASS="SCREEN"
>F0: challenge (count) input is required by the user.
F1: enable reader authentication by the SC for the GetHOTP* commands.
F2: enable base10 display
F3..F7: reserved
F8-11: FMT3-FMT0. 0000=HEX40 0001=HEX40 0010=DEC31.6 0011=DEC31.7
0100=DEC31.8 0101=DEC31.9 0110=DEC31.10 0011=DHEX40
Example host record with index=0, count=7, hostname=dev1.eng,
key=E4AACE5EC7291C405ED28949BB6DACA05768319D
#index:count:hostname:key
00:00000007:646576312E656E6700000000:E4AACE5EC7291C405ED28949BB6DACA05768319D&#13;</PRE
><P
><B
CLASS="COMMAND"
>host-set</B
>
: set a host record. Multiple host records may be set, one record per
line.</P
><P
><B
CLASS="COMMAND"
>hostname-get</B
>
: return the hostname for an index, or all hostnames if no index is
specified. Hostnames tagged "**" require the reader PIN.</P
><P
><B
CLASS="COMMAND"
>hotp-gen</B
>
: generate an HOTP for an index. Index is 0 if not specified.
There are four versions of this command, GetHOTP, GetHOTPHost,
GetHOTPCount32, GetHOTPHostCount32 which can be selected
with the Modifiers option. The default SC build includes
the GetHOTPHostCount32 (-Mch), and GetHOTPCount32 (-Mc) commands.
Executing this command will disable administratative mode if set.</P
><P
><B
CLASS="COMMAND"
>pin-set</B
>
: set a user PIN. If the SC is in admin mode the current PIN is not
validated.</P
><P
><B
CLASS="COMMAND"
>pin-test</B
>
: test a user PIN. Specifing a PIN incorrectly more than ten times in
succession will lock the SC. Use the pin-test command in admin mode
to unlock a SC.</P
><P
><B
CLASS="COMMAND"
>reader-key-set</B
>
: set the 40 bit SC reader key. A reader will present this key to the
SC when executing the GetHOTP* commands. If the F1 (flag 1) bit of
the hostname is set, this key must match the key provided by the
reader. This functionality allows the reader to weakly authenticate
itself to the Smart Card and may be used to restrict HOTP generation to
a Spyrus PAR II reader.</P
><P
><B
CLASS="COMMAND"
>sc-clear</B
>
: reset the SC to defaults, erase all host entries.</P
><P
><B
CLASS="COMMAND"
>spyrus-ee-get</B
>
: get spyrus EEProm blocks. The HOTP firmware for the Spyrus Reader
will load run-time strings from the on-board EEProm programmable from
a SC loaded with the Spyrus Personalization firmware. The spyrus-ee-get
command will read these strings from a SC. The 256K Byte EEProm is read
organized into 16 byte blocks. The high bit of the index serves as a last
block flag indicator for the Spyrus reader, allowing for example only block
0 to be overwritten.</P
><PRE
CLASS="SCREEN"
>Spyrus EEProm Memory map and flash defaults:
Note the field length is defined by the number of characters between :'s.
The field length for EE_MAGIC is 3, EE_READER_KEY 5, and EE_CALC_MSG 12.
Symbol Contents/Length
---------------------------------------
EE_MAGIC :maf:
EE_READER_KEY :00000:
EE_CALC_MSG :OARnet:2009 :
EE_L1GREET : OARnet :
EE_L2GREET :PIN: :
EE_L1MAIN : OARnet :
EE_L2MAIN : Verified :
EE_CHALLENGE :Challenge: :
EE_L1LOCKED :10 Failures :
EE_L2LOCKED :Card Locked :
EE_L1ACCESS_DENY : Access :
EE_L2ACCESS_DENY : Denied :
EE_NOHOSTS : No Hosts :
EE_L1NEWPIN :Set New PIN :
EE_L2NEWPIN :NewPIN: :
EE_L3NEWPIN :Again: :
EE_PINCHANGED :PIN Changed :
EE_NOCARD :No Card :
EE_TRYHARDER :Try Harder :</PRE
><PRE
CLASS="SCREEN"
>00:6D616630303030304F41526E65743A32
01:303039202020204F41526E6574202020
02:50494E3A20202020202020202020204F
03:41526E65742020202020566572696669
04:656420204368616C6C656E67653A2020
05:3130204661696C757265732043617264
06:204C6F636B6564202020204163636573
07:7320202020202044656E696564202020
08:20204E6F20486F737473202053657420
09:4E65772050494E204E657750494E3A20
0A:20202020416761696E3A202020202020
0B:50494E204368616E676564204E6F2043
0C:61726420202020205472792048617264
8D:65722020000000000000000000000000</PRE
><P
>Note this command works with the Spyrus Personalization SC firmware only.</P
><P
><B
CLASS="COMMAND"
>spyrus-ee-set</B
>
: set spyrus EEProm blocks.</P
><P
>Note this command works with the Spyrus Personalization SC firmware only.</P
><P
><B
CLASS="COMMAND"
>version</B
>
: display firmware version of SC.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN155"
></A
><H2
>EXAMPLES</H2
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN157"
></A
><P
>Change the administratative key from the default. Disable admin mode
when done.</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>echo "3030303030303030303030303030303030303030" &#62; default.key</B
>
<B
CLASS="COMMAND"
>otp-sca -a default.key -m admin-enable</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: enabled.</SAMP
>
<B
CLASS="COMMAND"
>openssl rand 160 | openssl sha1 &#62; secret.key </B
>
<B
CLASS="COMMAND"
>otp-sca -a secret.key -m adminkey-set</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>Set AdminKey: Done</SAMP
>
<B
CLASS="COMMAND"
>otp-sca -a secret.key -m admin-disable</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: disabled.</SAMP
>&#13;</PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN168"
></A
><P
>Use <B
CLASS="COMMAND"
>otp-control</B
> to create a new database for system dev1 with
user test, store the test user database entry to the Smart Card with
<B
CLASS="COMMAND"
>otp-sca</B
>.</P
><PRE
CLASS="SCREEN"
># Create a new new OTP database /tmp/otpdb
<B
CLASS="COMMAND"
>otp-control -no /tmp/otpdb -m create</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>Created db /tmp/otpdb.</SAMP
>
# add user test
<B
CLASS="COMMAND"
>otp-control -o /tmp/otpdb -u test -m add</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>Adding user test.</SAMP
>
# list user test entry in format ready for otp-sca to import. Hostname
# of system is dev1
<B
CLASS="COMMAND"
>otp-control -o /tmp/otpdb -u test -m list-sc -H dev1 | tail -1 &#62; /tmp/test.list</B
>
# copy card entry to Smart Card as index 0
<B
CLASS="COMMAND"
>echo -n "00:"| cat - /tmp/test.list | ./otp-sca -m host-set</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>SetHost (0): Done</SAMP
>&#13;</PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN180"
></A
><P
>Dump card contents to stdout. Note fields are encoded in HEX including
the hostname. A high bit set on the first character in the hostname
signals the terminal to prompt for a count.</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>otp-sca -m host-get</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>#index:count:hostname:key
00:00000002:646576312E656E6700000000:E4AACE5EC7291C405ED28949BB6DACA05768319D
01:00000000:646576322E656E6700000000:4120522AAC6B9C32274E2B3D966000D790EFEBFA
02:00000021:646576332E656E6700000000:9CDF3C14792A512FBE0D530E4DCFC726841B21BD
03:00000000:76706E312E656E6700000000:B8A64BE3DDAE4B873683ACE9B9DBF95D72782CBE</SAMP
></PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN185"
></A
><P
>Reset user PIN for card with secret.key as the admin key.</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>otp-sca -m admin-enable -a secret.key</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: enabled.</SAMP
>
<B
CLASS="COMMAND"
>otp-sca -p -m pin-set</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>New PIN: 23456
New PIN (again): 23456
SetPIN Good.</SAMP
>
<B
CLASS="COMMAND"
>otp-sca -m admin-disable -a secret.key</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>AdminMode: disabled.</SAMP
></PRE
><P
></P
></DIV
><DIV
CLASS="INFORMALEXAMPLE"
><P
></P
><A
NAME="AEN194"
></A
><P
>Generate HOTP for dev1. Use hostname-get to find the index for dev1. Use
the GetHOTPHostCount32 command with count 1 (modifiers c and h).</P
><PRE
CLASS="SCREEN"
><B
CLASS="COMMAND"
>otp-sca -m hostname-get</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>Enter PIN: 23456
00,dev1
01,dev2.eng
02,dev3.eng
03,vpn1.eng
04,base4.eng
05,base6.eng
06,base7.eng</SAMP
>
<B
CLASS="COMMAND"
>otp-sca -d99 -m hotp-gen -Mch -i 0 -c1</B
>
<SAMP
CLASS="COMPUTEROUTPUT"
>Enter PIN: 23456
HOTP: 52DCD05FE5 -- dev1</SAMP
>&#13;</PRE
><P
></P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN201"
></A
><H2
>AUTHOR</H2
><P
>Mark Fullmer
<CODE
CLASS="EMAIL"
>&#60;<A
HREF="mailto:maf@splintered.net"
>maf@splintered.net</A
>&#62;</CODE
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN208"
></A
><H2
>SEE ALSO</H2
><P
><SPAN
CLASS="APPLICATION"
>otp-control</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>otp-sct</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>pam_otp</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>htsoft-downloader</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>otp-ov-plugin</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>bcload</SPAN
>(1)
<SPAN
CLASS="APPLICATION"
>urd</SPAN
>(1)
<SPAN
CLASS="HARDWARE"
>spyrus-par2</SPAN
>(7)</P
></DIV
></BODY
></HTML
>
Reference in a new issue View git blame Copy permalink