User's Manual

ePass2003 User Guide
Note: The EnterSafe Minidriver default maximum number of wrong PIN attempts is 10.
3.2.2.1 Example Unblock Procedure
The smart card unblock functionality requires the use of an Administrative Key (Admin Key) to which the regular end user
should not have direct access. The user therefore needs support from a Security Officer (the IT Admin/Helpdesk in the
steps below) to complete this operation.
To protect the confidentiality of the Admin Key, the Unblock Card procedure does not require the end user to
present the Admin Key directly. Instead, a challenge-response mechanism is used:
1. The user retrieves a Challenge from the card.
2. The user communicates the Challenge to the IT Admin/Helpdesk.
3. The IT Admin/Helpdesk combines the Challenge (8 bytes) and the user's Admin Key (24 bytes) using the Triple
DES algorithm to calculate the unique Response (8 bytes) to that Challenge.
4. The IT Admin/Helpdesk communicates the Response to the end user.
5. The end user enters the Response value and defines a new value for the User PIN, which will be
established once the Card Unblock has completed.
6. The smart card confirms that the Response provided is correct by comparing the value entered by the
user with one it generates internally from the Challenge it issued and the Admin Key stored in the card. If both
values match, the card unblock is successful, the new User PIN is established and the PIN attempt counter is
reset.
It is important to note that, like the Verify PIN procedure, the Unblock Card procedure is protected by a maximum
number of unsuccessful unblock attempts. Once that maximum is reached, the card is permanently blocked, even to an
administrator, and all data stored in the card becomes permanently inaccessible. For this reason the unblock procedure
must be performed with great care: every mistyped Response consumes one of these attempts.
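The exchange in steps 1 to 6, together with the unblock attempt counter described above, as an added example in Go. This is not Feitian's code nor the EnterSafe Minidriver's; it models the helpdesk side (computing the Response) and the card side (issuing the Challenge, verifying the Response, resetting the PIN counter, and blocking permanently when the unblock attempts run out). Assumptions the guide does not state: the Triple DES "combination" is a single-block EDE encryption of the Challenge under the Admin Key; a Challenge is single-use; the retry limits are illustrative; the Admin Key is a public DES test key repeated three times (so the result is checkable against the DES vector) and is a constructed value, not a card key. ComputeResponse, Card and the other names are this example's own.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sizes taken from the guide: 8-byte Challenge, 24-byte Admin Key, 8-byte Response.
const (
	ChallengeLen = 8
	AdminKeyLen  = 24
)

// ErrCardDead is the failure mode the guide warns about: no unblock attempts remain.
var ErrCardDead = errors.New("card permanently blocked: unblock attempts exhausted")

// ComputeResponse is the IT Admin/Helpdesk side (step 3): a single Triple DES (EDE)
// block encryption of the Challenge under the Admin Key. ASSUMPTION: the guide only says
// the two are "combined using the Triple DES algorithm"; encryption is the reading here.
func ComputeResponse(adminKey, challenge []byte) ([]byte, error) {
	if len(adminKey) != AdminKeyLen || len(challenge) != ChallengeLen {
		return nil, fmt.Errorf("need %d-byte key and %d-byte challenge", AdminKeyLen, ChallengeLen)
	}
	block, err := des.NewTripleDESCipher(adminKey)
	if err != nil {
		return nil, err
	}
	resp := make([]byte, block.BlockSize())
	block.Encrypt(resp, challenge) // exactly one block: no mode, no padding
	return resp, nil
}

// Card models the on-card state; retry limits are illustrative, not real ePass2003 values.
type Card struct {
	adminKey                  []byte
	userPIN                   string
	maxPINTries, pinTriesLeft int
	unblockLeft               int
	pendingChal               []byte
}

func NewCard(adminKey []byte, pin string, maxPINTries, maxUnblockTries int) *Card {
	return &Card{adminKey: adminKey, userPIN: pin, maxPINTries: maxPINTries,
		pinTriesLeft: maxPINTries, unblockLeft: maxUnblockTries}
}

// GetChallenge is step 1: the card issues a fresh random Challenge and remembers it.
func (c *Card) GetChallenge() ([]byte, error) {
	if c.unblockLeft == 0 {
		return nil, ErrCardDead
	}
	c.pendingChal = make([]byte, ChallengeLen)
	_, err := rand.Read(c.pendingChal)
	return c.pendingChal, err
}

// Unblock is steps 5-6: the card recomputes the Response from its stored Admin Key and the
// Challenge it issued, compares in constant time, and on a match sets the new User PIN and
// resets the PIN counter. A wrong Response consumes one unblock attempt; at zero, ErrCardDead.
func (c *Card) Unblock(response []byte, newPIN string) error {
	if c.unblockLeft == 0 {
		return ErrCardDead
	}
	if c.pendingChal == nil {
		return errors.New("no outstanding challenge")
	}
	expected, err := ComputeResponse(c.adminKey, c.pendingChal)
	c.pendingChal = nil // ASSUMPTION: a Challenge is single-use; a retry needs a new one
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(expected, response) != 1 {
		c.unblockLeft--
		return errors.New("response does not match")
	}
	c.userPIN = newPIN
	c.pinTriesLeft = c.maxPINTries
	return nil
}

func (c *Card) PINTriesLeft() int     { return c.pinTriesLeft }
func (c *Card) UnblockTriesLeft() int { return c.unblockLeft }

func main() {
	// Constructed values: a public DES test key repeated three times (K1=K2=K3, so 3DES
	// reduces to single DES and the Response is checkable against the DES vector); not a real key.
	adminKey, _ := hex.DecodeString("133457799BBCDFF1133457799BBCDFF1133457799BBCDFF1")
	card := NewCard(adminKey, "1234", 10, 3)
	card.pinTriesLeft = 0 // the user has exhausted the PIN attempts; the card is blocked
	chal, _ := card.GetChallenge()             // steps 1-2
	resp, _ := ComputeResponse(adminKey, chal) // steps 3-4 (helpdesk)
	err := card.Unblock(resp, "5678")          // steps 5-6
	fmt.Printf("challenge=%X response=%X unblock=%v pinTriesLeft=%d\n", chal, resp, err, card.PINTriesLeft())
}
```

Because the helpdesk never sends the Admin Key itself and the card generates a fresh random Challenge each time, an observer of the phone call or chat learns only a one-time Challenge/Response pair. The constant-time comparison on the card side and the decrementing unblock counter are what make guessing the 8-byte Response impractical; the price, as the guide notes, is that a few mistyped Responses destroy the card.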
Like the Change PIN procedure, the process and tools used to unblock a smart card differ between Windows Vista/2008
and the legacy versions of Windows.
3.2.2.2 Unblocking a Smart Card with Windows 2000, XP or Server 2003
For Windows 2000, XP and Server 2003, the Smart Card PIN Tool used for changing the value of the User PIN can also
be used to unblock the card.
Note that in order to use the PIN Tool, the user must have access to a machine that is already logged on: the user
cannot log on with smart card credentials because the card is blocked. Accordingly, if the organization's security
policy mandates smart card logon, the user will have to use another machine that is already logged on in order to
run the PIN Tool and perform the Card Unblock procedure.
The PIN Tool provides the following dialog box to unblock the card:
Copyright © Feitian Technologies Co., Ltd.
Website: www.FTsafe.com
31