Changing Admin PIN on PIV card

Changing Admin PIN on PIV card

Ravneet Singh Khalsa

Hi,

Does any tool or API exist to change the Admin PIN on Gemalto PIV Cards?

Thanks.


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Changing Admin PIN on PIV card

helpcrypto helpcrypto
pkcs11's C_SetPin ?


Re: Changing Admin PIN on PIV card

Ravneet Singh Khalsa
In reply to this post by Ravneet Singh Khalsa
C_SetPIN does not change Admin PIN.


Re: Changing Admin PIN on PIV card

helpcrypto helpcrypto
According to PKCS#11 standard, "C_SetPIN modifies the PIN of the user
that is currently logged in, or the CKU_USER PIN if the session is not
logged in."



Re: Changing Admin PIN on PIV card

Douglas E. Engert
In reply to this post by Ravneet Singh Khalsa


On 12/11/2012 8:06 PM, Ravneet Singh Khalsa wrote:
> Hi,
>
> Does there any tool or API exists to change Admin PIN on Gemalto PIV Cards ?

If the card is following NIST 800-73-3, the piv-tool can do it.

800-73 leaves a lot of card management commands up to the vendor,
so check the vendor docs on this and what is the initial PUK. The PUK
is not used by the end user, and some commands to the card may
require the global pin vs the PIV application PIN or PUK as defined
in 800-73-3.


  piv-tool  -s 00:2C:00:81:10:$OLDPUK:$NEWPUK

Where $OLDPUK is the current and $NEWPUK is the new one.
Both are hex representations of the numbers padded to 8 with FF.

So to change from 1234567 to 112233:
  piv-tool  -s 00:2C:00:81:10:31:32:33:34:35:36:37:ff:31:31:32:32:33:33:ff:ff

On some cards the previous PUK may have been all hex zeros.

The attached script could be used. It is assuming a $1 parameter that is a
card number ($CARDN) that is used to look up information about the card,
such as the previous PUK in ./cards/$CARDN/


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

changepin.sh (3K) Download Attachment

Re: Changing Admin PIN on PIV card

Ravneet Singh Khalsa
Hi Douglas,

Thanks for your suggestion. I tried the following command.

piv-tool -s 00:2C:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF
(changing Admin Pin from 1234 to 1111)

It didn't work for me. The output of the command above is attached. See if
there is something that you can figure out.

Thanks.



piv-tool-output.txt (35K) Download Attachment

Re: Changing Admin PIN on PIV card

Douglas E. Engert


On 12/12/2012 8:01 PM, Ravneet Singh Khalsa wrote:
> Hi Douglas,
>
> Thanks for your suggestion. I tried the following command.
>
> piv-tool -s 00:2C:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF
> (changing Admin Pin from 1234 to 1111)
>
> It didn't work for me. The output of the command above is attached. See if
> there is something that you can figure out.

That looks very strange, almost like it never ran the command.

What would help more would be to turn on debugging in the opensc.conf,
debug = 7; and change the debug_file = some.out.out.file;

This would show that OpenSC found that this was a PIV card, and
any other commands sent to the card to test what type of card
it is.

If you could send the debug output from opensc-tool -n


You say these are Gemalto PIV cards.

    Do they have actual data on the cards, even demo data?

    Are they Global Platform cards?

    What is the ATR?

    Do you have the Gemalto manual?

    Do they say anything about how to change the admin PIN?

    Did they say anything about unlocking the card before
    doing anything with the card?

    NIST requires blank cards with the PIV application
    on the card to be transported locked with the unlocking
    keys sent in some other way. The locking may be
    done using GP.

    Did they send any pins or keys with the cards?
    (They must have, otherwise you would not know what was
     the admin PIN.)


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

PK-01C PIN Attempts

Brian Thomas-10
Hello everybody,

I am using OpenSC 12.2 and a FTCOSPK01C smart card with the PKCS#15
profile.  The card works great except for the fact that I cannot seem to
increase the max number of incorrect PIN attempts allowed before the
card is blocked.  I have tried changing all user PIN and security
officer pin attempts from 3 to 4; however, the card still becomes
blocked upon the 3rd incorrect entry. The profiles I have modified are:
entersafe.profile and pkcs15.profile.

Does anybody have any suggestions?

Thanks,

Brian Thomas


Re: Changing Admin PIN on PIV card

Douglas E. Engert
In reply to this post by Ravneet Singh Khalsa
Two more things:

The command should be "24" not "2C". 2C is to reset the user pin if the pin
is locked. "24" is to reset one of the pins if the pin is known.
The script I sent you has an error. Sorry about that.

piv-tool -s 00:24:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF

BUT: NIST 800-73-2 part 2 Section 3.2.2 says:

"The ability to change reference data associated with key references '81' and
'00' using the PIV Card Application CHANGE REFERENCE DATA command is optional."

Thus you need to consult the Gemalto manuals to see if this is implemented.




--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
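
Added example, not part of the original thread and not OpenSC code: a POSIX shell helper that builds the `piv-tool -s` argument discussed in the messages above, padding each value to 8 bytes with FF and taking the instruction byte (24 or 2C) as a parameter. The function names are hypothetical, the values are assumed to be ASCII decimal digits as in the thread's examples, and key reference 80 (PIV application PIN) is added from SP 800-73 alongside the thread's 81 and 00.

```shell
#!/bin/sh
# Added example: build the colon-separated APDU that `piv-tool -s` takes.
# pad_ref and piv_ref_apdu are hypothetical helper names, not OpenSC functions.

# pad_ref VALUE: ASCII-encode up to 8 decimal digits and pad with FF to 8 bytes.
pad_ref() {
    rest=$1
    case $rest in
        ''|*[!0-9]*) echo "reference data must be decimal digits" >&2; return 1 ;;
    esac
    [ "${#rest}" -le 8 ] || { echo "reference data exceeds 8 bytes" >&2; return 1; }
    out=
    n=0
    while [ "$n" -lt 8 ]; do
        if [ -n "$rest" ]; then
            digit=${rest%"${rest#?}"}   # first remaining character
            rest=${rest#?}
            byte=3$digit                # ASCII '0'..'9' is 0x30..0x39
        else
            byte=FF                     # padding byte
        fi
        out=${out:+$out:}$byte
        n=$((n + 1))
    done
    printf '%s\n' "$out"
}

# piv_ref_apdu INS KEYREF OLD NEW
#   INS 24 = CHANGE REFERENCE DATA (OLD is the current value of that reference)
#   INS 2C = RESET RETRY COUNTER   (resets a locked user PIN)
#   KEYREF 81 = PUK, 00 = global PIN (from the thread); 80 = PIV application PIN
piv_ref_apdu() {
    ins=$1
    keyref=$2
    case $ins in 24|2C) ;; *) echo "INS must be 24 or 2C" >&2; return 1 ;; esac
    case $keyref in 00|80|81) ;; *) echo "unexpected key reference" >&2; return 1 ;; esac
    old=$(pad_ref "$3") || return 1
    new=$(pad_ref "$4") || return 1
    # CLA=00, P1=00, Lc=10 (16 data bytes: two 8-byte padded values)
    printf '00:%s:00:%s:10:%s:%s\n' "$ins" "$keyref" "$old" "$new"
}

# Constructed sample values taken from the thread (1234 -> 1111); prints only.
piv_ref_apdu 24 81 1234 1111
```

The printed string is what goes after `piv-tool -s`. Reference data passed on a command line is visible in shell history and process listings, and each rejected attempt counts against the card's retry counter, so confirm the current value before sending.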