KT-1 Key Chain Token. QUICK Reference. Copyright 2005 CRYPTOCard Corporation All Rights Reserved 051004




KT-1 Key Chain Token QUICK Reference Copyright 2005 CRYPTOCard Corporation All Rights Reserved 051004 http://www.cryptocard.com

Table of Contents

OVERVIEW
    Token control
OPERATING MODES & OPTIONS
USING THE KT-1, PIN STORED ON SERVER
    Generating a Passcode
    Changing PIN
USING THE KT-1, TOKEN ACTIVATED BY PIN
    Generating a Passcode
    User-changeable PIN
PASSWORD RESYNCHRONIZATION
ADJUSTING THE LCD CONTRAST
LCD DISPLAY TEST
TOKEN INITIALIZATION
BATTERY REPLACEMENT

Overview

The KT-1 Key Chain token generates a new, pseudorandom passcode each time the token is activated. The token is activated by pressing the button located to the right and below the LCD display.

A KT-1 PIN consists of a string of 3 to 8 characters that is used to guard against unauthorized use. If PIN protection is enabled, the user must provide a PIN with the one-time passcode to authenticate.

Token control

Depending upon the options enabled in the token, the user may be permitted to enter a PIN, adjust the LCD contrast, change his PIN, or resynchronize the token. These actions require the use of the button to accept options presented to the user through the LCD display.

The token will provide prompts and allow the user to input the digits 0 through 9, the letter E, and the symbol <. Where input is required, the token will cycle through the input options. When the correct digit, letter, or symbol is displayed, the user pushes the button to accept the input. For example, to input the PIN 123, the user will press the button 3 times, once after each of the numbers 1, 2, and 3 is displayed.

Pressing the button when the letter E is displayed indicates to the token that the user will provide no additional input.

Pressing the button when the < symbol is displayed erases the input immediately to the left of the symbol. This is used to correct input errors.

Operating Modes & Options

The KT-1 supports a wide range of operating modes that can be modified using the CRYPTO-Console GUI and a serial or USB token initializer, according to organizational and security policy requirements.

The PIN length, complexity, and maximum number of incorrect consecutive PIN attempts must be configured during token initialization. If the PIN attempts threshold is exceeded, the token will not generate a passcode and will, depending on the configuration, either require reinitialization or a PIN reset before it can be used again.

A brief list of the more common operating modes follows. Refer to the CRYPTO-Server Administrator Guide for a complete list of modes and options.

Display Type:
    Hexadecimal: token generates passcodes comprised of digits and letters from 0-9 and A-F.
    Decimal: token generates passcodes comprised of digits from 0-9.
    Base32: token generates passcodes comprised of digits and letters from 0-9 and A-Z.
    Base64: token generates passcodes comprised of digits and letters from 0-9 and Aa-Zz, as well as other printable characters available via Shift + 0-9.

Telephone mode:
    Yes: replaces the fourth character of a passcode with a dash (-). This is generally used in combination with Response length: 8 characters and Display type: Decimal to resemble the North American telephone number format.
    No: passcode is displayed as set by Response length and Display type.

Response Length:
    Determines the passcode length. Options are 5, 6, 7, or 8 characters.

Automatic shut-off:
    Determines the length of time a passcode is displayed on the token, after which the token display is cleared and the token turned off. Options are 30, 60, and 90 seconds. Also used to prevent the token from being reactivated before expiration of the shut-off period.

Display Name:
    The value entered (typically the UserID) is displayed by the token before the passcode is displayed. Maximum length is 8 characters.

PIN Style:
    PIN styles are separated into two general groups: Stored on Server or Token Activated by PIN. The KT-1 also supports a No PIN option, although this is not recommended.

    Stored on Server requires the user to prepend the PIN to the passcode displayed on the token. The combination of the PIN and passcode forms the password that is used to authenticate the user (the passcode cannot be used to authenticate unless the PIN is prepended). The PIN is not input into the token (i.e. it is not required to activate the token and generate a passcode). When operating in this mode, the PIN can consist of alphanumeric characters.

    Stored on server, Fixed PIN: this PIN must be prepended to the passcode. An Operator can change the PIN. This mode emulates SecurID PIN mode.

    Stored on server, User-changeable PIN: periodic PIN change is forced by the Server according to the PIN Change Period option. The user will determine the new PIN value within the limits set under the Min PIN Length, Characters allowed, Try Attempts, and Allow Trivial PINs options. This PIN must be prepended to the passcode. This mode emulates the SecurID PIN mode. If a token in this mode becomes locked by exceeding the Try Attempts value and is re-enabled, the user must authenticate at least once before the token Try Attempts is reset to its default value.

    Stored on server, Server-changeable PIN: periodic PIN change is forced by the Server according to the PIN Change Period option. The Server will determine the new PIN value within the limits set under the Min PIN Length, Characters allowed, Try Attempts, and Allow Trivial PINs options. This PIN must be prepended to the passcode. This mode emulates the SecurID PIN mode. This mode is currently not supported when performing MSCHAPv2 authentication requests. If a token in this mode becomes locked by exceeding the Try Attempts value and is re-enabled, the user must authenticate at least once before the token Try Attempts is reset to its default value.

    Initial PIN modifications for a Stored on Server PIN only become active when Reset Server-side PIN is selected.

    Token Activated by PIN requires the user to key the PIN into the token before a passcode is generated. In this mode, only the passcode displayed by the token is sent to the authentication server; the PIN is not transmitted across the network. When operating in this mode the PIN can only consist of numeric characters.

    Fixed PIN: the PIN created for the token at the time of initialization is permanent and cannot be modified by the user or operator. Fixed PIN can only be changed by re-initializing the token after selecting a new PIN value through this tab. This PIN must be entered into the token before a passcode is displayed.

    User-changeable PIN: the user may change the PIN at any time. The initial PIN set during initialization must be changed by the user on first use of the token. This PIN must be entered into the token before a passcode is displayed. The PIN value selected by the user must be within the limits set under the Min PIN Length, Characters allowed, Try Attempts, and Allow Trivial PINs options.

Initial PIN:
    The initial PIN value required for the token. The value is permanent if Fixed PIN is selected as the PIN Style. This value must be changed on first use of the token for User-changeable PIN.

    Use the Randomize button to change the initial value to a random number within the limits set under the Random PIN Length, Min PIN Length, and Characters allowed options. Use this feature as a Deployment PIN with CRYPTO-Deploy to ensure that only valid users are registering their token. Note that the minimum initial PIN length can be longer than the minimum PIN length required by the user.

Random PIN Length:
    The minimum PIN length generated when clicking the Randomize button. The valid range is 3-8 characters.

Minimum PIN Length:
    The minimum PIN length required to authenticate. The valid range is 1-8 characters.

Characters allowed:
    Digits only: permits the digits 0-9 in the PIN.
    Alpha-numeric: permits the digits 0-9 and the characters Aa-Zz in the PIN.
    Strong Alpha-numeric: requires at least one uppercase character, one lowercase character, and one digit in the PIN.

    This setting is affected by the Allow Trivial PINs option. It is also affected by the PIN Style: if operating in a Token Activated by PIN mode, only digits are permitted; if operating in a Stored on Server PIN mode, alpha-numeric characters are permitted.

Try Attempts:
    Number of consecutive incorrect PIN attempts permitted. The valid range is 1-7 attempts. If this value is exceeded for Stored on Server PINs, authentication will not be permitted until the operator has reset the PIN value. If this value is exceeded for Token Activated by PIN options, the token will be locked and will not generate passcodes until it is re-initialized.

Allow Trivial PINs:
    No: prevents the use of sequences or consecutive digits/characters longer than 2. For example, 124 or ABD are permitted; 123 or ABC are not permitted.
    Yes: no sequence checking. For example, 123 is permitted.

PIN Change Period:
    The period in days between forced PIN changes. The value 0 means unlimited. This option is valid only with Stored on Server PINs.

Mode:
    QUICKLog: password is displayed immediately by token (or after Display Name, if this option is enabled on the Display tab).
    Challenge-response: requires the user to key a numeric challenge into the token before a response is generated.

    QUICKLog is the recommended mode for all CRYPTOCard token types.

Algorithm:
    Mk 1 Algorithm: supports older token types using DES only.
    Mk 2 Algorithm: supported on most token types and supports DES, 3DES, AES (128/192/256). This mode is automatically selected if supported by the token. KT-1 tokens with serial numbers beginning with 3121xxxxx support this algorithm. The encryption algorithm used in all other series is permanently factory preset.

Challenge in QUICKLog mode:
    No: a challenge is not displayed to the user. This is the recommended setting.
    Yes: a challenge is displayed if supported by network equipment. User will not need to key challenge into token unless token is out of synchronization.

Passwords per power cycle:
    Single: only one passcode is provided after the token is activated. The token must be powered off and re-activated to generate another passcode.
    Multiple: the token will generate passcodes as required until it is powered off.

    The Single password (passcode) per power cycle option is recommended. For applications requiring dual authentication or where multiple consecutive logons are required, select Multiple mode. Note that the Automatic shut-off option will power the token off automatically after the specified time interval elapses.

User can turn token off:
    Yes: user can force token off at any time.
    No: user cannot force token off. The token will automatically turn off (based on Automatic shut-off configuration).

    The No setting is recommended when using the KT-1 token.

Start date:
    The first date, in yyyymmdd format, that the token may be used to authenticate.

Expiry date:
    The last date, in yyyymmdd format, that the token may be used to authenticate.

    When an operator changes the Expiry date, the change immediately becomes active on the server and valid for the affected token. This is often used for periodic access typical of contractors. It permits the token to be issued once, while ensuring that the user can only authenticate with an active token during the set periods.

Operational Flags:
    Force PIN change on next use: If checked, the user must change his PIN on the next authentication attempt and the box is cleared on PIN change.

Property Flags:
    Delete token at expiry: On expiry, this token is automatically removed from inventory, if checked.
    Don't change key at initialization: the encryption key used for this token is reused during re-initialization, if checked. It is recommended that this box remain clear to ensure that keys are changed with every initialization.

Usage Flags:
    Authentication enabled: token can be used to authenticate, if checked.
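The PIN rules given above under PIN Style, Minimum PIN Length, Characters allowed and Allow Trivial PINs combine into one check, which is useful when reviewing a proposed token policy before initialization. The following Python is an added example, not CRYPTOCard code: the PinPolicy class, the function names and the reading of "sequence" as an ascending run of adjacent characters are assumptions made for illustration.

```python
import string
from dataclasses import dataclass
from typing import List

MAX_PIN_LENGTH = 8  # upper bound the guide gives for a KT-1 PIN


@dataclass(frozen=True)
class PinPolicy:
    """Hypothetical container for the PIN options named in the guide."""
    pin_style: str            # "stored_on_server" or "token_activated"
    characters_allowed: str   # "digits", "alphanumeric" or "strong_alphanumeric"
    min_pin_length: int = 3   # guide: valid range 1-8
    allow_trivial: bool = False


def has_trivial_run(pin: str, longest_allowed: int = 2) -> bool:
    """Return True if the PIN holds an ascending run longer than longest_allowed.

    Assumption: a "sequence" is a run in which each character is exactly one
    step above the previous one within digits or within one letter case
    (1-2-3, A-B-C), matching the guide's 123/ABC examples. The guide does not
    say how descending runs or repeated characters are treated.
    """
    run = 1
    for prev, cur in zip(pin, pin[1:]):
        same_class = (prev.isdigit() and cur.isdigit()) or (
            prev.isalpha() and cur.isalpha() and prev.isupper() == cur.isupper())
        run = run + 1 if same_class and ord(cur) - ord(prev) == 1 else 1
        if run > longest_allowed:
            return True
    return False


def validate_pin(pin: str, policy: PinPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the PIN passes."""
    problems = []
    if not policy.min_pin_length <= len(pin) <= MAX_PIN_LENGTH:
        problems.append(f"length must be {policy.min_pin_length}-{MAX_PIN_LENGTH}")

    # Token Activated by PIN accepts digits only, whatever Characters allowed says.
    charset = policy.characters_allowed
    if policy.pin_style == "token_activated":
        charset = "digits"
    allowed = string.digits
    if charset != "digits":
        allowed += string.ascii_letters
    if any(ch not in allowed for ch in pin):
        problems.append(f"characters outside the '{charset}' set")

    if charset == "strong_alphanumeric" and not (
            any(ch.isupper() for ch in pin)
            and any(ch.islower() for ch in pin)
            and any(ch.isdigit() for ch in pin)):
        problems.append("needs an uppercase letter, a lowercase letter and a digit")

    if not policy.allow_trivial and has_trivial_run(pin):
        problems.append("contains a sequence longer than 2")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs, including the guide's own 124/123 examples.
    token = PinPolicy("token_activated", "digits", min_pin_length=3)
    server = PinPolicy("stored_on_server", "strong_alphanumeric", min_pin_length=4)
    for pin, policy in [("124", token), ("123", token), ("12A4", token),
                        ("aB3x", server), ("abcd1", server)]:
        print(pin, policy.pin_style, validate_pin(pin, policy) or "ok")
```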

Using the KT-1, PIN Stored on Server

In this mode (assuming QUICKLog™ mode is being used), the token requires no input data to generate a new, one-time passcode, but the user must prepend his PIN to the passcode displayed by the token in order to generate an acceptable password.

The Stored on server, Server-changeable PIN mode is currently not supported when performing MSCHAPv2 authentication requests.

Generating a Passcode

Press the button to activate the token. A one-time passcode is automatically generated. Enter the PIN (e.g. ABCD) and passcode (e.g. 12345678) at the password prompt (ABCD12345678).

Changing PIN

If enabled, this feature permits the PIN to be changed according to the established security policy. The CRYPTO-Server will enforce a PIN change at regular intervals. Depending on the options selected, the user will be prompted to enter a new PIN or will be provided with a new PIN generated by the CRYPTO-Server. In both cases, the PIN will meet the minimum PIN policy requirements (complexity, length, non-trivial, etc.) as configured on the Server. A CRYPTO-Server Operator may also force a PIN change for individual users, as required.

When a PIN change is required, the user will be prompted through the process. Once complete, the user must re-authenticate to gain access to protected resources.

Using the KT-1, Token activated by PIN

In this mode, the user must key a PIN into the token before a passcode is generated. The displayed passcode is then used during logon. The KT-1 supports numeric PINs only in this mode. Note that the PIN is not prepended to the passcode and is never sent across the network.

Generating a Passcode

Press button to enable token. The token will display the prompt:

    PIN? #

where # corresponds to:

    the digits 0 through 9 that are used for the PIN. Press the button when the correct digit of the PIN is displayed.
    E, which is used to indicate that all digits of the PIN have been entered. This applies only where the PIN length is 7 or less. Press the button when E is displayed and all digits of the PIN have been entered.
    <, which is used to erase an incorrectly entered digit. Press the button to erase the digit to the left of the < symbol.

For example, if the PIN is 123:

    Token Displays    Action
    PIN? 1            Press Button
    *2                Press Button
    **3               Press Button
    ***E              Press Button

The token will display the one-time passcode.

User-changeable PIN

If configured, the KT-1 permits the user to change the PIN required to activate the token. The user can change the PIN when the Chg PIN prompt is displayed.

When the user keys in the initial PIN (sometimes referred to as the deployment PIN), he will be prompted with Chg PIN to immediately change the PIN to a new value, within the parameters of the security policy established during initialization. Thereafter, the user can change their PIN as often as desired:

1. Press and hold the button (approximately 3-4 seconds) on the token until the Init prompt appears. Then release the button.
2. The token will cycle through a series of prompts: Init, LCD Test, Contrast, Chg PIN, and ReSync. The prompts and sequence will vary depending on the options enabled for the token. Press the button while the Chg PIN prompt is displayed.
3. Press the button as each digit of the current PIN is displayed. To accept the entered PIN, press the button when E is displayed.
4. At the New PIN? prompt, use the button to select the new PIN, one digit at a time as the correct digits are displayed. To accept the entered PIN, press the button when E is displayed.
5. At the Verify? prompt, use the button to re-input the new PIN by repeating step 4.
6. The token displays a Token OK message to indicate that the new PIN has been accepted.

For example, if the old PIN is 123, and the new PIN is 7835:

    Token Displays    Action
    PIN? 1            Press Button
    *2                Press Button
    **3               Press Button
    ***E              Press Button
    NewPIN? 7         Press Button
    78                Press Button
    783               Press Button
    7835              Press Button
    7835E             Press Button
    Verify? 7         Press Button
    78                Press Button
    783               Press Button
    7835              Press Button
    7835E             Press Button

Password Resynchronization

Token resynchronization requires the user to enter a challenge into the token. The challenge must be provided by the Help Desk or via a Web-based resynchronization page.

In the unlikely event that the token requires resynchronization with the authentication server:

1. Press and hold the button (approximately 3-4 seconds) on the token until the Init prompt appears. Then release the button.
2. The token will cycle through a series of prompts: Init, LCD Test, Contrast, Chg PIN, and ReSync. The prompts and sequence will vary depending on the options enabled for the token. Press the button while the Resync prompt is displayed.
3. The digits 0 through 9 will be displayed sequentially to the right of the Resync prompt. For every digit of the resynchronization challenge, press the button to accept the displayed digit.

For example, if the resynchronization challenge is 16278371:

    Token Displays    Action
    Resync 1          Press Button
    16                Press Button
    162               Press Button
    1627              Press Button
    16278             Press Button
    162783            Press Button
    1627837           Press Button
    16278371          Press Button
    16278371          Press Button

Adjusting the LCD Contrast

The LCD display contrast can be adjusted to lighten or darken the displayed passcodes and prompts. To adjust the contrast:

1. Press and hold the button (approximately 3-4 seconds) on the token until the Init prompt appears. Then release the button.
2. The token will cycle through a series of prompts: Init, LCD Test, Contrast, Chg PIN, and ReSync. The prompts and sequence will vary depending on the options enabled for the token. Press the button while the Contrast prompt is displayed.
3. The token will prompt the user for his PIN.
4. The token will cycle through a series of prompts in the form of XX##XX- where ## are digits from 00 to 15 that represent the lowest to highest contrast. The contrast will change as the digits change, providing a visual indication of the selection. When the desired contrast is displayed, press the button two times to set.

LCD Display Test

The KT-1 provides a test routine that checks all pixels of the LCD for proper operation. To enable the test:

1. Press and hold the button (approximately 3-4 seconds) on the token until the Init prompt appears. Then release the button.
2. The token will cycle through a series of prompts: Init, LCD Test, Contrast, Chg PIN, and ReSync. The prompts and sequence will vary depending on the options enabled for the token. Press the button while the LCD Test prompt is displayed.
3. The token will cycle through a series of displays that provide a visual indication of any malfunctioning pixels. The token will shut off automatically on completion of the test.

Token Initialization

The KT-1 can be reprogrammed as often as required to enable new options, encryption modes, and keys. CRYPTO-Console and a serial or USB token initializer are required. To initialize a token:

1. To prepare a KT token for initialization, start with the KT-1 token off, then press and hold the KT-1 token button until the display shows Init (approximately 3-4 seconds).
2. Release and quickly press the button again. The display will show the prompt RDY 4 IR. The KT-1 token will remain in the RDY 4 IR state for approximately 1 minute. The token cannot be initialized while in any other state.
3. Insert the token into the initializer with the LCD display facing the front of the initializer.
4. Follow the instructions on the CRYPTO-Console.

The token will display the Token OK message on successful initialization. The token will shut off automatically 10-15 seconds after initialization.

Battery Replacement

CRYPTOCard tokens operate for approximately 5-6 years before battery replacement is required. Depending on the model, the token display will indicate a low battery condition about two months before failing (by displaying BATTERY!) or will grow noticeably dim.

Each KT-1 token holds two coin-cell batteries. Replacement of one battery at a time permits the token to continue functioning. As long as only one battery at a time is removed and replaced, the token will not need to be returned to the Administrator for reprogramming.

1. Remove the battery compartment cover.
2. Remove one battery and replace it with a new battery (CR2016).
3. Remove the other battery and replace it.