Thread: problem when unblocking pin




problem when unblocking pin
user name
2008-03-26 09:48:04
Hi there,

First I'm almost a newbie as far as smartcards are used.

I'm using the opensc 0.11.4-3 and openct 0.6.14-2 packages on a Debian box.

I'm using a Rainbow iKey 3000 and I've tested the same commands with both OpenCT and with pcscd+Rainbow library, each time with the same result : impossible to unblock the pin

I've used this usb key with strongswan to create VPNs on this very same machine and configuration, and it works flawlessly : pin code is asked to me and vpn gets started.

Unfortunately while playing with the key I've blocked it...

the pin can be unblocked from a Windows application using the SO Pin. I don't remember the name of the app though, but I've seen it being done.

I suspect there's something fishy with the content of my key, since pkcs15-tool --unblock-pin doesn't seem to ask the correct unblocking PIN code to me :

--- CUT ---
jeromehoulala:~$ pkcs15-tool --list-pins
PIN [User Pin]
        Com. Flags: 0x3
        ID        : 82
        Flags     : [0x933], case-sensitive, local, initialized, needs-padding, disable_allowed, exchangeRefData
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 130
        Type      : ascii-numeric
        Path      : 3f005015

PIN [SO Pin]
        Com. Flags: 0x3
        ID        : 83
        Flags     : [0x9B3], case-sensitive, local, initialized, needs-padding, soPin, disable_allowed, exchangeRefData
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 131
        Type      : ascii-numeric
        Path      : 3f005015

jeromehoulala:~$ pkcs15-tool --unblock-pin
Enter PUK [User Pin]: 
Enter new PIN [User Pin]: 
Enter new PIN again [User Pin]: 
[pkcs15-tool] iso7816.c:99:iso7816_check_sw: Authentication method blocked
[pkcs15-tool] sec.c:201:sc_pin_cmd: returning with: Authentication method blocked
PIN unblocking failed: Authentication method blocked

jeromehoulala:~$ pkcs15-tool --unblock-pin --puk 12345678
Enter new PIN [User Pin]: 
Enter new PIN again [User Pin]: 
[pkcs15-tool] iso7816.c:99:iso7816_check_sw: Authentication method blocked
[pkcs15-tool] sec.c:201:sc_pin_cmd: returning with: Authentication method blocked
PIN unblocking failed: Authentication method blocked

jeromehoulala:~$ pkcs15-tool --unblock-pin --puk 12345678 --auth-id 83
Enter new PIN [SO Pin]: 
Enter new PIN again [SO Pin]: 
[pkcs15-tool] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
[pkcs15-tool] sec.c:201:sc_pin_cmd: returning with: Not allowed
PIN unblocking failed: Not allowed
jeromehoulala:~$
--- CUT ---

There's something I don't get. Could someone explain this to me ?

I think the key doesn't link the SO pin to the user pin when unlocking, or something like that, but I don't see why.

Is there something I had done wrong ?

NB : I didn't manually create this key, the SO created it for me under his Windows app, using the same procedure as for other people, and from Windows, the PIN can be blocked and then unblocked with the SO pin (here '12345678').

Thanks in advance

Jerome Alet
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user
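
The `Flags` masks in the `--list-pins` output above can be decoded bit by bit to see which PIN object the card's PKCS#15 structure marks as an SO PIN or as an unblocking PIN. The following Python is an added example, not part of the original thread and not OpenSC code; the bit values are the PKCS#15 PinFlags (the same values OpenSC uses for its `SC_PKCS15_PIN_FLAG_*` constants), and the function names are hypothetical.

```python
import re

# PKCS#15 PinFlags bit values (same values as OpenSC's SC_PKCS15_PIN_FLAG_*).
PIN_FLAGS = {
    0x001: "case-sensitive", 0x002: "local", 0x004: "change-disabled",
    0x008: "unblock-disabled", 0x010: "initialized", 0x020: "needs-padding",
    0x040: "unblockingPin", 0x080: "soPin", 0x100: "disable_allowed",
    0x200: "integrity-protected", 0x400: "confidentiality-protected",
    0x800: "exchangeRefData",
}

# Sample input: the --list-pins output from the post, trimmed to the relevant fields.
SAMPLE = """\
PIN [User Pin]
        ID        : 82
        Flags     : [0x933], case-sensitive, local, initialized, needs-padding, disable_allowed, exchangeRefData
        Reference : 130

PIN [SO Pin]
        ID        : 83
        Flags     : [0x9B3], case-sensitive, local, initialized, needs-padding, soPin, disable_allowed, exchangeRefData
        Reference : 131
"""

def parse_pins(text):
    """Return {label: {"id", "mask", "flags", "reference"}} from --list-pins output."""
    pins, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"PIN \[(.+)\]", line):
            cur = pins.setdefault(m.group(1), {})
        elif cur is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "Flags":
                mask = int(re.match(r"\[(0x[0-9A-Fa-f]+)\]", val).group(1), 16)
                cur["mask"] = mask
                cur["flags"] = [n for b, n in sorted(PIN_FLAGS.items()) if mask & b]
            elif key in ("ID", "Reference"):
                cur[key.lower()] = val
    return pins

def unblock_candidates(pins):
    """PIN objects whose mask has the unblockingPin (0x40) or soPin (0x80) bit set."""
    return {label: [f for f in p["flags"] if f in ("unblockingPin", "soPin")]
            for label, p in pins.items() if p["mask"] & (0x040 | 0x080)}

if __name__ == "__main__":
    for label, p in parse_pins(SAMPLE).items():
        print(label, hex(p["mask"]), p["flags"])
```

For the output in the post, only the SO Pin object (ID 83) carries the `soPin` bit, and neither object carries `unblockingPin` or `unblock-disabled`.
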

Re: problem when unblocking pin
user name
2008-03-27 06:19:43
On Wednesday, 26 March 2008 15:48:04, Jerome Alet wrote:
> Hi there,
>
> First I'm almost a newbie as far as smartcards are used.
>
> I'm using the opensc 0.11.4-3 and openct 0.6.14-2 packages
> on a Debian box.
>
> I'm using a Rainbow iKey 3000 and I've tested the same
> commands with both OpenCT and with pcscd+Rainbow library,
> each time with the same result : impossible to unblock the pin

don't know about rainbow library. but with opensc I can tell:
the ikey 3000 uses starcos, and with starcos you can only unblock the pin if it is blocked.

so for most cards the "unblock pin" also can be used to change a pin.
with starcos cards such as the ikey 3000 you would need to block the pin first - enter the wrong pin too often - and then you can do that.

note: I have read of the problem a number of times, but I didn't test this proposed solution at all. no warranty. good luck!

> I suspect there's something fishy with the content of my key,
> since pkcs15-tool --unblock-pin doesn't seem to ask the correct
> unblocking PIN code to me :

hmm, strange.

> jeromehoulala:~$ pkcs15-tool --unblock-pin
> Enter PUK [User Pin]:
> Enter new PIN [User Pin]:
> Enter new PIN again [User Pin]:
> [pkcs15-tool] iso7816.c:99:iso7816_check_sw: Authentication method blocked
> [pkcs15-tool] sec.c:201:sc_pin_cmd: returning with: Authentication method blocked
> PIN unblocking failed: Authentication method blocked

puk is blocked? or maybe some problem that looks like this.

> jeromehoulala:~$ pkcs15-tool --unblock-pin --puk 12345678 --auth-id 83
> Enter new PIN [SO Pin]:
> Enter new PIN again [SO Pin]:
> [pkcs15-tool] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
> [pkcs15-tool] sec.c:201:sc_pin_cmd: returning with: Not allowed
> PIN unblocking failed: Not allowed

maybe SO-PIN is not blocked, so SO-puk can't be used to unblock it.

not sure how so-pin can be used to set pin. not even sure all cards allow it (or could depend on the profile).

> NB : I didn't manually create this key, the SO created it for me under
> his Windows app, using the same procedure as for other people, and
> from Windows, the PIN can be blocked and then unblocked with the
> SO pin (here '12345678').

well, if the card was not initialized with opensc, there is not much we can do to help. even if that software creates pkcs#15 too as it seems, it might not be compatible for more than using the card (i.e. read certs, sign/decrypt, maybe change/unblock pin with puk).

I haven't heard of people trying this before - use software A to initialize the card and then use opensc to change the PIN using the SO-PIN.

I forwarded your mail to the author of the starcos driver, maybe he can help, as I don't have much clue about starcos.

good luck.

Regards, Andreas

Re: problem when unblocking pin
user name
2008-03-27 06:47:03
Hello,

On Thu, Mar 27, 2008 at 12:19:43PM +0100, Andreas Jellinghaus wrote:
> On Wednesday, 26 March 2008 15:48:04, Jerome Alet wrote:
> >
> > I'm using a Rainbow iKey 3000 and I've tested the same
> > commands with both OpenCT and with pcscd+Rainbow library,
> > each time with the same result : impossible to unblock the pin
> 
> don't know about rainbow library. but with opensc I can tell:
> the ikey 3000 uses starcos, and with starcos you can only unblock
> the pin if it is blocked.
> 
> so for most cards the "unblock pin" also can be used to change a pin.
> with starcos cards such as the ikey 3000 you would need to block the
> pin first - enter the wrong pin too often - and then you can do that.

It was really blocked when I tried.

> maybe SO-PIN is not blocked, so SO-puk can't be used to unblock it.
> 
> not sure how so-pin can be used to set pin. not even sure all cards
> allow it (or could depend on the profile).

I don't know if this was the correct thing to try, I just tried a lot of things...

> > NB : I didn't manually create this key, the SO created it for me under
> > his Windows app, using the same procedure as for other people, and
> > from Windows, the PIN can be blocked and then unblocked with the
> > SO pin (here '12345678').
> 
> well, if the card was not initialized with opensc, there is not much we can
> do to help. even if that software creates pkcs#15 too as it seems, it might
> not be compatible for more than using the card (i.e. read certs, sign/decrypt,
> maybe change/unblock pin with puk).
> 
> I haven't heard of people trying this before - use software A to initialize 
> the card and then use opensc to change the PIN using the SO-PIN.
> 
> I forwarded your mail to the author of the starcos driver, maybe he can
> help, as I don't have much clue about starcos.

Thanks for your help.

I asked the SO to unblock the token for me from his Windows application and it worked as expected using the PUK, so my immediate problem is solved.
I think his app is SafeSign from http://www.thales-esecurity.com/ProductsServices/SafeSign.shtml

I'm sure the PUK I used is correct, but trying to use it as SO-PIN like I did is probably incorrect, anyway simply using 'pkcs15-tool --unblock-pin' should have worked, and it didn't.

When unblocked, I took the token again and tried to change the PIN code using opensc, I can tell you it works like a charm.

However I've decided to not try to block it again to not bore the SO...

bye, and thanks for your help

Jerome Alet