Unblock PUK on PIV card


Unblock PUK on PIV card

Ryan Chapman
Hi,

Does anyone know if there is a way to unblock a PUK on a PIV card or re-initialize the PIV applet?  

The card is a Gemalto IDPrime PIV Card v2.0 using SCP01
ATR: 3b:7d:96:00:00:80:31:80:65:b0:83:11:11:e5:83:00:90:00

I know the admin key for the card, but even when I authenticate to the card (which still works), I am unable to change the state of the PUK lockout. The PIN is also blocked, but I know how to unblock that if the PUK is unblocked (for anyone who wants to know, if your PUK is 12345 and you want to unblock the PIN and set the PIN to 1234, do: piv-tool -A M:9B:03 -s 00:2c:00:80:10:31:32:33:34:35:ff:ff:ff:31:32:33:34:ff:ff:ff:ff)

This command is used to change the PUK if the current one is known (it's 1234).  However, I'm told 0x6983, which according to ISO7816-4 means "Authentication method blocked"

$ piv-tool -A M:9B:03 -s 00:24:00:81:10:31:32:33:34:ff:ff:ff:ff:31:32:33:34:ff:ff:ff:ff
Using reader with a card: Gemalto Prox Dual USB PC Link Reader(2)
Sending: 00 24 00 81 10 31 32 33 34 FF FF FF FF 31 32 33 34 FF FF FF FF
Received (SW1=0x69, SW2=0x83)

According to the data sheet, the PUK is stored in the internal object tag 0xFF8101, but I am not sure if it is possible to write to that tag.

What got me here was that I was unable to generate a keypair on the card and thought I might be able to reset the PIV application like Yubikey NEO does it.  With their card, the PIN and PUK must be blocked, then you send "00 fb 00 00 00" and the PIV applet is reset with retry counters set at 3 again.  Not so much with Gemalto.  And I can't find anyone at Gemalto that will provide documentation, even if I am willing to pay for it.

Thought I would check here before I toss the card in the drawer and get a new one.

Thanks in advance

Ryan

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
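As an added example (not code from the original post or from OpenSC's piv-tool), the following Python builds the two APDUs Ryan sends and decodes the status words a card answers with, assuming the NIST SP 800-73 encoding: INS 0x24 CHANGE REFERENCE DATA, INS 0x2C RESET RETRY COUNTER, key reference 0x80 for the PIN and 0x81 for the PUK, each value padded to 8 bytes with 0xFF. The status-line parser is an assumption about piv-tool's output format taken from the session quoted above; no card is touched.

```python
"""PIV PIN-management APDUs from the thread, built and decoded offline."""
import re

PIN_REF = 0x80   # SP 800-73 key reference for the PIV application PIN
PUK_REF = 0x81   # key reference for the PUK


def pad8(value: str) -> bytes:
    """Pad an ASCII PIN/PUK to 8 bytes with 0xFF, as the piv-tool input does.
    SP 800-73 wants 6..8 digits; the post uses shorter ones, so only the
    8-byte upper bound is enforced here."""
    raw = value.encode("ascii")
    if not 1 <= len(raw) <= 8 or not raw.isdigit():
        raise ValueError("PIN/PUK must be 1..8 ASCII digits")
    return raw + b"\xff" * (8 - len(raw))


def change_reference_data(key_ref: int, current: str, new: str) -> bytes:
    """CHANGE REFERENCE DATA: 00 24 00 <ref> 10 <current|8> <new|8>."""
    data = pad8(current) + pad8(new)
    return bytes([0x00, 0x24, 0x00, key_ref, len(data)]) + data


def reset_retry_counter(puk: str, new_pin: str) -> bytes:
    """RESET RETRY COUNTER: 00 2C 00 80 10 <PUK|8> <new PIN|8>; needs a live PUK."""
    data = pad8(puk) + pad8(new_pin)
    return bytes([0x00, 0x2C, 0x00, PIN_REF, len(data)]) + data


def describe_sw(sw1: int, sw2: int) -> str:
    """ISO 7816-4 status words that matter when a PIN or PUK is locked."""
    if (sw1, sw2) == (0x90, 0x00):
        return "success"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return f"wrong value, {sw2 & 0x0F} retries remaining"
    if (sw1, sw2) == (0x69, 0x83):
        return "authentication method blocked (retry counter exhausted)"
    if (sw1, sw2) == (0x69, 0x82):
        return "security status not satisfied (authenticate first)"
    return f"unhandled status {sw1:02X}{sw2:02X}"


def parse_received(line: str) -> str:
    """Decode a piv-tool 'Received (SW1=0x69, SW2=0x83)' line (assumed format)."""
    m = re.search(r"SW1=0x([0-9a-fA-F]{2}), SW2=0x([0-9a-fA-F]{2})", line)
    if not m:
        raise ValueError("not a piv-tool status line")
    return describe_sw(int(m.group(1), 16), int(m.group(2), 16))
```

Note that 0x6983 on the PUK reference means the PUK's own retry counter is exhausted, so neither CHANGE REFERENCE DATA nor RESET RETRY COUNTER can succeed with that PUK, regardless of the admin-key authentication preceding it.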

Re: Unblock PUK on PIV card

Douglas E Engert
The NIST PIV specs leave most of card management up to the vendor. Best I can tell this was done to allow vendors to have features that would allow them to sell their cards based on their value added features. In the NIST model, large federal agencies run the card management systems, issue cards and maintain the PUK. Yubico on the other hand is selling tokens to individuals, and Yubico publishes how to reset the card so the PUK can also be reset.

So if you can't get the documentation on how to reset the card or the PUK from the card vendor, it may be the PUK can not be reset.
Well managed card management systems would not lose the PUK. Yubico on the other hand understands users may lose the PUK.

Buy a new card.

On 1/24/2016 11:26 PM, Ryan Chapman wrote:

-- 

 Douglas E. Engert  [hidden email]
 
