CryptoCard Token User Guide

See also: CryptoCard - Frequently Asked Questions

  1. Introduction
  2. Obtaining a Token & Returning Tokens
  3. Token Types & Special Notes for each Type
  4. First Time Use Of Token
     a) Token Initialization and Initial PIN Entry
  5. Additional Token Information
     a) Voluntary PIN Change
     b) Generic Log-on Instructions for BNL Services
     c) Specific Log-on Instructions (SSH, VPN, etc.)
  6. Getting Help
     a) Re-syncing a Token (Symptom: repeated failed logins)
     b) “Locked” Tokens
     c) Lost or Damaged Hardware Tokens
     d) Reinstalling Software Token Applications
     e) Other Help
  7. Sample Screen Shots

1) Introduction

When you log onto your computer or computer network, you identify yourself with two things:

  • User ID
  • Password

The user ID tells the computer/network who you are, and the password tells the computer/network that you can be trusted. However, most password systems can be easily compromised, allowing an unauthorized user to assume your identity and gain access to networked systems and resources. CRYPTOCard tokens provide an easy-to-use system that generates a new and random password for each login attempt. These passwords can be neither guessed nor deduced and are immediately discarded after each use, preventing a stolen password from being used to gain network access. Tokens are loaded with secret keys and other operating information in a process called initialization, which programs the token with information specific to the token’s owner.  

The Perimeter Defense Network at BNL requires the use of CRYPTOCard tokens at various access points (such as through VPN) when remotely accessing resources at BNL.  Certain internal access within BNL may also require CRYPTOCard tokens for authentication.

NOTE:  Services, such as VPN or SSH, that require CRYPTOCards for authentication also require that you install and/or configure the appropriate client software on your computer to connect to the VPN or SSH service.  The CRYPTOCard User Guide does not provide information on installing or configuring VPN or SSH clients; rather you must visit the VPN or SSH web pages for that information.  Once you have installed/configured VPN or SSH clients, general information on how to use CRYPTOCards with these services is contained in this User Guide as well as some screen shot examples of its use.

For more specific details about the VPN or SSH services, please visit the VPN or SSH web pages; for problems relating directly to the VPN or SSH services, please contact the Help Desk at x5522.

Be sure to BOOKMARK this User Guide for future reference, as it will be very useful if you fail logins repeatedly or you need to acquire a replacement CRYPTOCard token, or need any additional help with CRYPTOCard-related services. 

2) Obtaining a Token & Returning Tokens

To obtain a token:

Returning tokens & terminating accounts:

  • Hardware Token (such as the RB-1) users are required to turn in the physical token to the Account Management Office when either the account is no longer needed or user is leaving the lab.
  • Software Token (such as the ST-1 or PT-1) users are required to notify the Account Management Office if their token account is no longer needed or if user is leaving the lab; software token users do not need to ‘turn in’ the software tokens, rather they should simply remove the software token application from their computer or device.

3) Token Types & Special Notes for each Type

There are both hardware-based and software-based CRYPTOCard tokens available.  Much of the information in this User Guide generically applies to all types of tokens, with a few exceptions, which are noted along the way.

Refer to the Special Notes for your specific token type as an addendum to the general instructions included in this User Guide.

RB-1 Token (hardware-based) – a metal-encased token that resembles a small hand-held calculator with an alphanumeric keypad, liquid crystal display and batteries; contains a powerful microcomputer designed to generate a cryptographic response to a host-generated challenge. RB-1 SPECIAL NOTES

ST-1 Token (software-based) - a Java™ software token application which can be loaded and used on a wide range of platforms, such as Windows 2000/NT/98/95/ME, Linux, Unix (Solaris) and Mac OS 9/X. (NOTE: Although the ST-1 may also run on other platforms, which support the Java RunTime Environment (JRE) 1.1.7+, the current version in use at BNL is not officially supported for anything other than the platforms specifically mentioned in this paragraph.) ST-1 SPECIAL NOTES

PT-1 Token (software-based) – a PalmPilot based token which, when loaded on a PalmPilot, visually emulates the RB-1 handheld token. PT-1 SPECIAL NOTES

4)  First Time Use of Token

a)  Token Initialization and Initial PIN Entry

All new tokens must be initialized (or programmed) for use by a specific user... each token is unique to its owner due to initialization.  In addition, first time use of a token requires that you reset the Initial PIN given you by the Account Management Office.

For hardware tokens:

  • Click on RB-1 SPECIAL NOTES for Initial PIN Entry and Handling Instructions for RB-1 hardware tokens.

For software tokens:

  • Click on ST-1 SPECIAL NOTES for Installation/Initialization/Initial PIN Entry instructions for ST-1 software tokens.
  • Click on PT-1 SPECIAL NOTES for Installation/Initialization/Initial PIN Entry instructions for PT-1 PalmPilot software tokens.

5)  Additional Token Information

a) Voluntary PIN Change

All tokens allow for the user to change the PIN on their token if desired.  See instructions below for changing your token's PIN...

For software tokens (Vers. 5.16 and greater):

  • Turn token 'ON';
  • Select 'Change PIN' button;
  • Enter OLD PIN, and then NEW PIN; click 'OK'

For newer hardware tokens (with Serial Number beginning with "202"):

  • Press CHGPIN and enter the current PIN at the PIN? prompt; token displays “NEW PIN?”.

  • Enter a new PIN just as was done for the initial forced PIN change, pressing ENT button when done. For security reasons, asterisks “*” are displayed in place of the actual decimal digit keyed.

  • If new PIN is acceptable, token displays “Verify” and you must repeat the entry of the new PIN.  If the two new PINs match, the token signals completion of this task by displaying “CARD OK”.  (If “Verify” PIN entry does not match the “New PIN?” entry, token re-displays “NEW PIN?” so you can repeat the process of typing in a valid new PIN.)

For older hardware tokens (with Serial Number beginning with "4990" and "2000") and older software tokens (prior to Vers. 5.16):

  • While token says “Ready”, press CPIN key; token displays “New PIN?”.

  • Enter a new PIN just as was done for the forced PIN change. For security reasons, asterisks “*” are displayed in place of the actual decimal digit keyed.

  • If new PIN is acceptable, token displays “Verify” and you must repeat the entry of the new PIN.  If the two new PINs match, the token signals completion of this task by displaying “Ready”.  (If “Verify” PIN entry does not match the “New PIN?” entry, token re-displays “New PIN?” so you can repeat the process of typing in a valid new PIN.)

b)  Generic Log-on Instructions for BNL Services

  • Access a service at BNL that requires use of a CRYPTOCard token (e.g., start up your VPN client application and try to 'Connect' to BNL).
  • At ‘Username’ (or similar) prompt of the BNL device (i.e., VPN or SSH gateway), type in your CRYPTOCard username.
  • Turn on your token and generate a CRYPTOCard password.
  • At 'Password' (or similar) prompt of the BNL device, enter the CRYPTOCard password from your CRYPTOCard token (it looks like a telephone#; be sure to include the dash!).   
  • If you fail login with an incorrect password, the BNL device typically will display an 8-digit 'challenge' (8 digits, no dash) to you at the next login attempt.  Make note of the 'challenge', as it will help you to resync your token if you are having trouble completing a successful login.  See the Resyncing a Token instructions in Section 6 below for more info.

To generate a password on Software tokens (Vers. 5.16 & greater):

  • Start up software token application
  • Click 'ON' button;
  • Enter PIN, and click 'OK';
  • CRYPTOCard password will be displayed (looks like a telephone#); use this password to complete login to the BNL device (such as VPN or SSH).

    See Screen Captured Images

To generate a password on newer Hardware tokens (with Serial Number beginning with "202"):

  • Press the PASSWORD button to turn on token; token display shows the PIN? prompt.
  • Use keypad to enter in PIN; use CLR button to erase mistakes; press ENT when done (token display says READY);
  • Token displays the CRYPTOCard password (which looks like a telephone#)... this is your response/password (including the dash) which will be used to complete login to a BNL device.

To generate a password on older Hardware tokens (with Serial Number beginning with "4990" or "2000") and older software tokens (prior to Vers. 5.16):

  • Turn on token;
  • Enter in PIN; hit ENT when done (token display says READY);
  • Hit ENT again on token to see token’s current 8-digit challenge (8 digits, no dash);
  • Hit ENT again on token to see the CRYPTOCard password (which looks like a telephone#) on the token display… this is your response/password (including the dash) which will be used to complete login to a BNL device.

c)  Specific Log-on Instructions

  • See Sample Screen Shots below (Section 7) for specific examples of using CRYPTOCards.
  • For more detailed configuration and login instructions for Perimeter Defense services requiring CRYPTOCards for authentication, refer to the web pages corresponding to the desired service…
     
    • SSH at the BNL perimeter
    • VPN

6)  Getting Help

a) Resyncing a Token (Symptom:  repeated failed logins)

When a CRYPTOCard token is used, there will be times when you fail authentication because you entered an incorrect password.  If that happens, the BNL device you are trying to authenticate through will present you with an 8-digit 'challenge'.  See screen captured images.

To resynchronize your token, you will enter this 'challenge' into your token, which updates your token, allowing for successful authentication at your next login attempt.

To overwrite your token's challenge...

  • Software Tokens (V.5.16 and greater):  The Vers. 5.16 tokens (and greater) do not display a challenge for you to compare against a BNL device's challenge; instead select OPTIONS/RESYNCHRONIZE on the token and simply enter the challenge presented to you by the BNL device & click OK.  The token's password is updated now and can be used at your next login attempt.

    See Screen Captured Image
  • Newer Hardware Tokens (with Serial Number beginning with "202"):  If connecting to a BNL device that displays the 'challenge' to you, note the current challenge and press MENU key on token, entering PIN if required. The CONTRAST prompt will be displayed. Press MENU again until RESYNC is displayed. Press ENT to select this option. Enter the resynchronization challenge using the numeric keypad. Press ENT when done and use the new password response for your next login attempt.
  • Older Hardware Tokens (with Serial Number beginning with "4990" and "2000") and older software tokens (prior to Vers. 5.16):  If connecting to a BNL device that displays the 'challenge' to you, note the current challenge and while the incorrect challenge is displayed on token, hit CH/MAC key on token and enter the correct challenge into the token; hit ENT twice and use the new password response for your next login attempt.

If connecting to a BNL device that does NOT display the 'challenge' after the first failed login...

Refer to one of the following web pages, select [Sync your CRYPTOCard] on the web page, enter your CRYPTOCard username, and it will display an 8-digit 'challenge'.  Enter challenge into your token, which will generate a new password, which you can use for your next login attempt.
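A small model of the challenge-response cycle described above, added here as an illustration only; it is not CRYPTOCard's actual algorithm (the real token's cipher, digit counts and challenge derivation are not documented on this page, so HMAC-SHA256, the 'NNN-NNNN' password format and the derived next challenge are assumptions). It shows why a password cannot be reused, how a token that generates a password which is never submitted runs ahead of the host, and how keying the host's displayed challenge into the token brings it back in step.

```python
import hashlib
import hmac

def response(key, challenge):
    """Token's answer to an 8-digit challenge, formatted 'NNN-NNNN' (digit count is assumed)."""
    digest = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    digits = f"{int.from_bytes(digest[:8], 'big') % 10**7:07d}"
    return digits[:3] + "-" + digits[3:]

def next_challenge(key, challenge):
    """Both sides derive the following challenge the same way, so they stay in step."""
    digest = hmac.new(key, b"next:" + challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"

class Token:
    def __init__(self, key, challenge):
        self.key, self.challenge = key, challenge

    def password(self):
        # Each press answers the current challenge and advances to the next one,
        # which is why a password captured in transit is useless a second time.
        resp = response(self.key, self.challenge)
        self.challenge = next_challenge(self.key, self.challenge)
        return resp

    def resync(self, host_challenge):
        # The user keys the challenge displayed by the host into the token, overwriting its own.
        self.challenge = host_challenge

class Host:
    def __init__(self, key, challenge):
        self.key, self.challenge = key, challenge

    def login(self, password):
        """Returns (accepted, challenge_to_display); the challenge is shown only after a failure."""
        if hmac.compare_digest(password, response(self.key, self.challenge)):
            self.challenge = next_challenge(self.key, self.challenge)
            return True, ""
        return False, self.challenge

def demo():
    host, token = Host(b"secret-k", "12345678"), Token(b"secret-k", "12345678")  # constructed values
    first = token.password()
    ok_first, _ = host.login(first)                  # normal login succeeds
    ok_replay, _ = host.login(first)                 # reusing the same password is rejected
    token.password()                                 # generated but never submitted: token runs ahead
    ok_ahead, shown = host.login(token.password())   # fails, and the host displays its challenge
    token.resync(shown)                              # key that challenge into the token
    ok_after, _ = host.login(token.password())       # back in step
    return ok_first, ok_replay, ok_ahead, ok_after
```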

b) “Locked” Tokens

If the token displays the word “Locked”, you will no longer be able to use it! Contact the Account Management Office immediately to have your token reinitialized! This is the un-initialized state of the unit. This state is one in which all setup parameters and cryptographic keys have been erased from the token's memory. The token will be in this state whenever…

  • A user enters an incorrect PIN more than a preset number of times (usually 3 attempts allowed); or
  • For hardware tokens (the RB-1), when both batteries have been removed from the unit at the same time.

c) Lost or Damaged Hardware Tokens:

Contact the Account Management Office if you have lost or damaged your hardware token.

d) Reinstalling Software Token Applications:

If for some reason you have a need to reinstall a software token on your computer, you will need to reinstall both the software token application as well as the unique initialization program file that is tied to your username.  Contact the Account Management Office if you need to reinstall a software token. 

e) Other Help:

If this User Guide does not answer your questions...

  • Reference the CRYPTOCard Token FAQs link for tips and answers to common CRYPTOCard questions and concerns, OR
  • Contact the Account Management Office for questions pertaining to your CRYPTOCard account, OR
  • Contact the ITD Help Desk at 631.344.5522 for questions pertaining to the usage or installation of CryptoCard tokens or using CRYPTOCards with BNL’s Perimeter Defense services (i.e., SSH, VPN)  

7)  Sample Screen Shots

If you have a question that is not addressed in these pages, please send an email to itdhelp@bnl.gov.

Last Modified: January 31, 2008
Please forward all questions about this site to: Web Services