Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

An encoding description contains the information for the electronic personalization of a card. To create an encoding description, you must import the encoding definition from a file. This can be used in Nexus PRIME.

This article describes how to block the PIN of a card right after personalization for security reasons, that is, the card can not be used further. Later - as soon as the user picks up the card from card administration office -  the user has to unblock the card to be able use it. 

See also Structure of an encoding description.

 Block a card

This use case describes how to block the PIN of a card right after personalization, for security reasons, that is, the card can not be used further. The user has to unblock the card in order to be able use it.

  1. Define like this in the encoding description:

    [Application_B]
BlockCard=true

    Description of the elements

    ElementDescription

    BlockCard=true

    		Triggers the card/PIN blocking mechanism


 Unblock the PIN of a card (online)

Online Unblocking with PUK

For unblocking via standard P11 you can use the InitialPUK to set a new PIN (and optionally a new PUK, unless that is prevented by the card profile).

  1. Define like this in the encoding description:

    [Description]
SetPIN=true
PIN=#123456
InitialPUK=#12345678
PUK=#13579

    Description of the elements

    ElementDescription

    SetPIN=true

    		Triggers to set PIN and/or PUK, that is, the Unblocking use case.
    PIN=...Defines the new PIN. (Theoretically also optional if you just want to set a new PUK, however, in the Unblocking use case, it is reasonable to set the new PIN here, for example, by "PIN=!FROM_USER_DIALOG_2_FIELD")
    InitialPUK=...Defines the old PUK. 
    Mandatory, except for Gemalto cards and pre-initialized CardOS cards that use a CardManagerKey instead
    PUK=... If you want to define a new PUK. (Optional, changing the PUK might not always be supported depending on the card profile)

Online Unblocking with CardManagerKey

The following applies to Gemalto middlewares and card, as well as to specially pre-initialized CardOS cards used with the CardOS 5.3 middleware (5.4W14 or later recommended).

It does not apply to offline-unblockable cards created with the Cryptovision middleware, which uses a different approach (see below).

Instead of InitialPUK / PUK,, the CardManagerKey attribute plus its NewCardManagerKey counterpart are used in the encoding descriptions.

The following example uses the current key to set the PIN as well as setting a new key:

  1. Define like this in the encoding description:

    [Fields]
ADMIN_KEY=
NEW_ADMIN_KEY=
PIN=

[Description]
SetPIN=true
PIN=PIN
CardManagerKey=ADMIN_KEY
NewCardManagerKey=NEW_ADMIN_KEY

    Description of the elements

    ElementDescription

    SetPIN=true

    		Triggers to set PIN and/or CardManagerKey, that is, the Unblocking use case.
    PIN=...Defines the new PIN. (Theoretically also optional if you just want to set a new PUK, however, in the Unblocking use case, it is reasonable to set the new PIN here, for example, by "PIN=!FROM_USER_DIALOG_2_FIELD")
    CardManagerKey=...Defines the old CardManagerKey. 
    NewCardManagerKey=... If you want to define a new CardManagerKey.

    Before you use any P11 operations on a card, make sure you first set the PIN via the CardManagerKey (like in the example code above) - once that is done, all P11 operations that require a PIN will work as usual (as long as no PUK/InitialPUK is involved as well!) and do not require the CardManagerKey.

 Produce an offline-unblockable card with Cryptovision

PRIME supports using the Cryptovision middleware to produce cards which can be unblocked offline, for example, through Windows.

To enable this functionality in the middleware, the following registry settings have to be imported into regedit:

Cryptovision registry settings
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\cv cryptovision\sc interface\pkcs11]
"extension"="{2B7D7904-E147-4A63-A26A-E179D2C6C30A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\cv cryptovision\sc interface\pkcs11]
"extension"="{2B7D7904-E147-4A63-A26A-E179D2C6C30A}"

The offline PIN unblocking (see Unblock PKI PIN - offlineis based on a shared secret (card manager key), that need to be available on the card and to the offline system, that allows an offline facility (Helpdesk Officer using Nexus PRIME) to support the card owner.

As the secret PRIME generates a 2DES key from which various other keys are then derived according to the Cryptovision specs.

Generate the card manager key

There's a predefined task for convenient creation of a correct key, see heading "Credentials: Create Minidriver Card Manager Key" in Credentials - Standard service tasks in Identity Manager.

Initialize the card

Define like this in the encoding description:

[Fields]
CARD_MANAGER_KEY=
 
[Description]
InitCRKey=true
UseCardManagerKey=true
CardManagerKey=CARD_MANAGER_KEY

Verifying card production

Once a card is produced you can use the cv act sc/interface Manager tool of the Cryptovision middleware to verify if it was produced with offline unblocking support:

  • card property Minidriver capable: yes
  • Challenge Response key present in Logins
  • Challenge Response key present in Secret Keys

Related information

  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions