Completely clear format the token. PIN code for tokens: password with special rules

If the user entered the wrong password several times, the eToken may be blocked.
To unlock eToken, you must follow the steps described below, and even give the user a link to a book on memory training, so in a friendly way.

I forgot my etoken password, what should I do?

We are all people, we all have our own problems and worries, things that we do not often use often fly out of our memory, such a thing can be for an etoken user, such a red or blue flash drive. Don't worry, we'll fix it.

Launch the eToken PKI Client program (install the program if necessary)

Select an eToken reader, then click "Show detailed view"

Click on the button "Login as Admin"

Enter the Administrator password, then click " OK" . By default, the eToken must have an administrator password set. 0987654321

If the administrator password was entered correctly, a message should appear "Logged in as Administrator"

Then click on the button "Set user password"

Set a new password and click " OK" (we strongly recommend that you use the default password) 1234567890 ) so you don't forget.

"By 2008, the number of USB keys in use will approach the number of other means of authentication"
IDC 2004

Introduction

Nowadays, due to the widespread use of computers, it is increasingly necessary to think about the security of processed information. The first step in security is to authenticate the legitimate user.
The most common means of authentication is a password. In addition, more than 60% of users, as practice shows, most often use the same passwords for different systems. Needless to say, this significantly reduces the level of security. What to do?
In my opinion, one of the solutions to the problem would be to use hardware authentication keys. Let's consider their application in more detail on the example of USB keys from Aladdin.

What is eToken?

eToken (Fig. 1) is a personal device for authentication and data storage, hardware-supported to work with digital certificates and electronic digital signature (EDS). eToken is issued in the form of:

  • eToken PRO is a USB dongle that allows two-factor authentication. Available in 32K and 64K versions.
  • eToken NG-OTP is a hybrid of a USB dongle and a device that generates one-time passwords (One Time Password, OTP). Available in 32K and 64K versions.
  • The eToken PRO smart card is a device that performs the same functions as a USB key, but in the form of a regular credit card. Available in 32K and 64K versions.

In the future, we will talk specifically about USB keys that are connected directly to the USB port of a computer and, unlike a smart card, do not require a special reader.
eToken has a secure non-volatile memory and is used to store passwords, certificates and other secret data.

Figure 1 eToken Pro 64k

eToken device

eToken PRO technology components:

  • Smart card chip Infineon SLE66CX322P or SLE66CX642P (EEPROM with a capacity of 32 or 64 KB, respectively);
  • Smart card OS Siemens CardOS V4.2;
  • Hardware-implemented algorithms: RSA 1024bit, DES, Triple-DES 168bit, SHA-1, MAC, Retail-MAC, HMAC-SHA1;
  • Hardware random number generator;
  • USB interface controller;
  • Source of power;
  • Housing made of hard plastic, not amenable to undetectable opening.

The following components are additionally included in the eToken NG-OTP device:

  • One-time password generator;
  • Button for their generation;
  • LCD display;

Interface support:

  • Microsoft Crypto API
  • PKCS#11.

PIN code

To gain access to the data stored in the memory of the eToken, you must enter a PIN (Personal Identification Number). It is not recommended to use spaces and Russian letters in the PIN code. However, the PIN must meet the quality criteria specified in the %systemroot%\system32\etcpass.ini file.
This file containing the PIN quality criteria is edited using the eToken Properties utility.

Access rights to eToken

Depending on the eToken model and the options selected during formatting, there are four types of access rights to the eToken:

  • guest– the ability to view objects in an open memory area; the ability to obtain general information regarding the eToken from the system memory area, including the name of the eToken, identifiers, and some other parameters. With guest access, knowing the PIN is not required;
  • custom– the right to view, modify and delete objects in the closed, open and free memory areas; the possibility of obtaining general information regarding the eToken; the right to change the PIN code and rename the eToken; the right to configure settings for caching the content of the private memory area and additional protection of private keys with a password (in the absence of an administrator password or with the permission of the administrator), the right to view and delete certificates in the eToken store and RSA key containers;
  • administrative– the right to change the user's PIN without knowing it; the right to change the administrator password; the right to configure settings for caching the contents of a private memory area and additional protection of private keys with a password, as well as the ability to make these settings available in user mode;
  • initialization– the right to format eToken PRO.

Only the first two types of rights apply to eToken R2, all four to eToken PRO and eToken NG-OTP.
Administrator access to eToken PRO can only be made after the correct administrator password has been entered. If the administrator password is not set during the formatting process, then you cannot apply with administrator rights.

Software for eToken

General information

eToken Run Time Environment 3.65
eToken Run Time Environment (eToken RTE) is a set of eToken drivers. This software package includes the eToken Properties utility.
With this utility you can:

  • configure the parameters of eToken and its drivers;
  • view general information regarding eToken;
  • import, view and delete certificates (excluding certificates from the eTokenEx store) and RSA key containers;
  • format eToken PRO and eToken NG-OTP;
  • configure PIN code quality criteria.

Local administrator rights are required to install this software. It should be remembered that before installing the eToken RTE, you cannot connect the eToken key.
The software must be installed in the following order:

  • eToken RTE 3.65;
  • eToken RTE 3.65 RUI (Russification of the interface);
  • eToken RTX.

Installation and removal on the local computer eToken RTE 3.65

Installation


Figure 2 eToken Run Time Environment 3.65 Setup

In the window (Fig. 3) you need to read the license agreement and agree to it.


Figure 3 End-User License Agreement

If you do not agree with the terms of the license agreement, then click the "Cancel" button and thereby abort the installation process.
If you agree with the license agreement, then select "I accept the license agreement" and click the "Next" button. On the screen you will see the following window (Fig. 4):


Figure 4 Ready to Install the Application

The installation will take some time.
At the end of the installation process (Fig. 5), click the "Finish" button.


Figure 5 eToken Run Time Environment 3.65 has been successfully installed
You may need to restart your computer at the end of the installation.

eToken RTE 3.65 RUI

Installation
To install eToken RTE 3.65 RUI, you need to run the installer.


Figure 6 Installing eToken 3.65 RUI
In the window that appears (Fig. 6), click the "Next" button.


Figure 7 Completing the installation of the Russian User Interface

Using the command line

You can use the command line to install and uninstall eToken RTE 3.65, eToken RTE 3.65 RUI and eToken RTX.
Command examples:

  • msiexec /qn /i
  • msiexec /qb /i
  • /q– installation of eToken RTE 3.65 (eToken RTE 3.65 RUI, eToken RTX) in automatic mode without dialog boxes with default parameters;
  • /qb– installation of eToken RTE 3.65 (eToken RTE 3.65 RUI, eToken RTX) in automatic mode with default parameters and display of the installation process on the screen;
  • msiexec /qn /x– removal of eToken RTE 3.65 (eToken RTE 3.65 RUI, eToken RTX) in automatic mode without dialog boxes;
  • msiexec /qb /x– removal of eToken RTE 3.65 (eToken RTE 3.65 RUI, eToken RTX) in automatic mode with display of the removal process on the screen.

Connecting the eToken USB Key to Your Computer for the First Time

If you have eToken RTE 3.65 installed on your computer, connect the eToken to a USB port or extension cable. After that, the process of processing new equipment will begin, which may take some time. When the process of processing new equipment is completed, the indicator light on the eToken will light up.

eToken Properties Utility


Figure 8 Program window "Properties of eToken"

The eToken Properties utility allows you to perform basic token management operations, such as changing passwords, viewing information and certificates located in the eToken memory. In addition, using the eToken Properties utility, you can quickly and easily transfer certificates between your computer and the eToken, as well as import keys into the eToken's memory.
The "Unblock" button is necessary if the user has forgotten his PIN code and cannot come to the eToken administrator (for example, the user is on a business trip). By contacting the administrator by e-mail, the user will be able to receive a hexadecimal request for this eToken from the administrator, generated on the basis of the data stored in the TMS database, by entering which in the "response" field the user will have access to change the PIN code.


Figure 9 Computer tab

Changing the PIN-code is carried out according to fig. ten:


Figure 10 Change PIN
When changing the PIN code, it is necessary that the new PIN code meets the quality requirements of the entered password. The password quality is checked according to the entered criteria.
To check if the password matches the selected criteria, enter the password in the line. Under this line, information is displayed on the reasons for the entered password not meeting the selected criteria in percentage terms, and the quality of the entered password is conditionally displayed graphically and in percentage according to the selected criteria.

List of criteria

The table lists the PIN quality criteria and their configurable values. A negative value, expressed as a percentage, can be used as a criterion value. This value is called a penalty.

Criterion

Description

Possible values

Default value

The PIN contains a sequence of characters in alphabetical order

character sequence length for ABCOrder criterion

the new password is equal to the current one

dictionary password

the new password is equal to one of the previous ones

DefaultPassChange

change default password

None (password change is not required);
Warning (a warning message is displayed);
Enforce (default password not available)

dictionary file

absolute path to the dictionary file

not set

password only numbers

having two identical characters

period of validity before the change warning appears (in days)

maximum validity in days

0
(not installed)

KeyboardProximity

having multiple characters in the same order as on the keyboard

KeyboardProximityBase

character sequence length for the KeyboardProximity criterion

the password is like a dictionary password

minimum expiration date in days

0
(not installed)

minimum length in characters

minimum resistance in percent

lack of numbers

lack of lowercase letters

the use of letters of the Russian alphabet, non-printable and some service characters

lack of punctuation and special characters

lack of capital letters

PhonesAndSerialNumbers

using phone numbers, serial numbers, etc. in the password.

the presence of repeated characters

the number of previously used passwords stored in the eToken memory for verification by the CheckOld-Passes criterion

password length is less than WarningLength

if the password length is less than WarningLength, a warning appears when checking the password quality

password contains spaces

Dictionary

To define a list of invalid or unwanted passwords, create a text file. Or you can use the so-called frequency dictionaries, which are used to guess passwords. Files of such dictionaries can be found on the website www.passwords.ru.
An example of such a dictionary:
Anna
annette
bill
password
william
Assign the "Dictionary" criterion the path to the created file. In this case, the path to the dictionary file on each computer must match the value of the "Dictionary" criterion.

Login to Windows with eToken

General information

eToken SecurLogon combines effective network security with convenience and mobility. Windows authentication uses the username and password stored in the eToken's memory. This makes it possible to apply strong authentication based on tokens.
At the same time, I would like to add that in large companies using a domain structure, it is necessary to think about the implementation of PKI and the centralized use of SmartCardLogon.
When using eToken SecurLogon, unknown random complex passwords may be used. In addition, you can use the certificates stored in the eToken memory for smart card enrollment, which increases the security of logging into Windows.
This is possible because Windows 2000/XP allows various access mechanisms that replace the default authentication method. The identification and authentication mechanisms for the Windows logon service (winlogon), which provides interactive logon, are built into a replaceable dynamic link library (DLL) called GINA (Graphical Identification and Authentication, Authentication Desktop). When the system needs a different authentication method that would replace the username/password mechanism (used by default), the standard msgina.dll is replaced with a new library.
Installing eToken SecurLogon replaces the authentication desktop library and creates new registry settings. GINA is responsible for the interactive connection policy and performs identification and dialogue with the user. The replacement of the Desktop Authentication Library makes eToken the primary authentication mechanism that extends the standard Windows 2000/XP authentication based on username and password.
Users can write to the memory of the eToken the information required to log on to Windows (profiles), if this is allowed by the enterprise security policy.
Profiles can be created using the eToken Windows Logon Profile Creation Wizard.

Getting Started

eToken SecurLogon authenticates a Windows 2000/XP/2003 user with an eToken using either the user's smartcard certificate or a username and password stored in the eToken's memory. eToken RTE includes all necessary files and drivers to support eToken in eToken Windows Logon.

Minimum Requirements

Conditions for installing eToken Windows Logon:

  • eToken Runtime Environment (version 3.65 or 3.65) must be installed on all workstations;
  • eToken SecurLogon is installed on a computer running Windows 2000 (SP4), Windows XP (SP2), or Windows 2003 (SP1). eToken SecurLogon supports the classic Windows Welcome dialog (but not the new Windows XP Welcome screen) and does not support quick user change mode in Windows XP.

Supported tokens

eToken SecurLogon supports the following eToken devices:

  • eToken PRO is a USB dongle that allows two-factor authentication. Available in 32K and 64K versions;
  • eToken NG-OTP is a hybrid of a USB key and a device that generates one-time passwords. Available in 32K and 64K versions;
  • eToken PRO smart card is a device that performs the same functions as a USB key, but has the form of a regular credit card. Available in 32K and 64K versions.

eToken Runtime Environment (RTE)

The eToken Runtime Environment (RTE) contains all files and drivers that provide support for eToken in eToken Windows Logon. This set also includes an eToken Properties utility that allows the user to easily manage the eToken PIN and name.
All new eTokens have the same PIN set by default during production. This PIN is 1234567890. To ensure strong, two-factor authentication and full functionality, it is mandatory for the user to replace the default PIN with their own PIN immediately after receiving a new eToken.
Important:The PIN should not be confused with the user's password Windows .

Installation

In order to installeTokenWindowsLogon:

  • log in as a user with administrator rights;
  • double click SecurLogon - 2.0.0.55.msi;
  • eToken SecurLogon installation wizard window will appear (Fig. 11);
  • click " next", eToken Enterprise license agreement will appear;
  • read the agreement, click the " Iaccept"(I accept), and then the button " next";
  • reboot at the end of the installation.


Figure 11 Installing SecurLogon


Installation via command line:
eToken SecurLogon can be installed using the command line:
msiexec /Option [optional]
Installation options:

  • – installation or configuration of the product;
  • /a - administrative installation - installation of the product on the network;
  • /j

Product announcement:

      • "m" – all users;
      • "u" – current user;
  • – Cancel product installation.

Display options:

  • /quiet - quiet mode, no user interaction;
  • /passive - automatic mode - progress bar only;
  • /q – user interface level selection;
      • n - no interface;
      • b – main interface;
      • r – abbreviated interface;
      • f - full interface (default);
  • /help - display usage help.

Restart options

  • /norestart - do not restart after installation is complete;
  • /promptrestart - prompt for reinstallation if necessary;
  • /forcerestart - always restart the computer after installation is complete.

Logging Options
/ l ;

  • i – status messages;
  • w - messages about recoverable errors;
  • e - all error messages;
  • a – action launches;
  • r - records specific to the action;
  • u – user requests;
  • c – initial parameters of the user interface;
  • m - information about the exit due to lack of memory or a fatal error;
  • o – messages about insufficient disk space;
  • p – terminal properties;
  • v - verbose output;
  • x – additional debugging information;
  • + - append to an existing log file;
  • ! - dumping each line in the log;
  • * - log all information except for the "v" and "x" options /log is equivalent to /l* .

Update options:

  • /update [;Update2.msp] – apply updates;
  • /uninstall [;Update2.msp] /package - Uninstall product updates.

Recovery options:
/f
Product recovery:

    • p - only if there is no file;
    • o - if the file is missing or an old version is installed (by default);
    • e - if the file is missing or the same or older version is installed;
    • d - if the file is missing or another version is installed;;
    • c - if the file is missing or the checksum does not match the calculated value;
    • a – causes all files to be reinstalled;
    • u – all required user-specific registry entries (default);
    • m - all necessary registry entries specific to the computer (default);
    • s - all existing shortcuts (default);
    • v - run from source with re-caching of local packages;

Setting General Properties:
See the Windows (R) Installer Developers Guide for more information on using the command line.

Automatic password generation.

When writing a user profile to the eToken memory, a password can be generated automatically or entered manually. During automatic generation, a random password, up to 128 characters long, is generated. In this case, the user will not know his password and will not be able to enter the network without the eToken key. The requirement to use only automatically generated passwords can be configured as mandatory.

Using eToken SecurLogon

eToken SecurLogon allows users to log in to Windows 2000/XP/2003 using an eToken with a stored password.

Registration in Windows

You can log in to Windows using an eToken, or by entering a Windows username and password.

To register with Windows using an eToken:

  1. Restart your computer;
  2. A Windows welcome message will appear;
  3. If the eToken is already connected, click on the Logon Using eToken hyperlink. If the eToken has not been connected, connect it to the USB port or cable. Either method of logging in will display the "Log On to Windows" window;
  4. Select a user and enter the eToken PIN;
  5. Click the "OK" button. You have opened a user session using credentials stored in the eToken memory.
  6. If you are using an eToken with a smart card user certificate, then you only need to enter the eToken PIN to connect to the computer.

Registration inWindows withouteToken:

  1. restart your computer, press the key combination CTRL + ALT + DEL, the "Log On to Windows / Log On to Windows" window will appear;
  2. click the "OK" button - you are logged in with your username and password.

password change

You can change your Windows password after logging in with eToken.
To change your password after logging in with eToken:

  1. log in using eToken;
  2. click " CTRL+ALT+DEL", a window will appear" SafetyWindows/ Windowssecurity";
  3. Click the " password change/ changePassword", if the current password was created manually, a window will appear " password change/ changePassword", but if the current password was generated randomly, then go to step 5;
  4. Enter a new password in the fields " New Password/ NewPassword"and " Confirmation/ ConfirmNewPassword"and press the button" OK";
  5. If the current password was generated randomly, then a new password will be generated automatically;
  6. in the dialog box that appears, enter the eToken PIN code and click the " OK"
  7. a confirmation message box will appear.

User session protection

You can use eToken to secure your work session.

Locking out your workstation

You can keep your computer secure without logging out by locking your computer. When eToken is disconnected from the USB port or cable (after successful registration), the operating system will automatically lock your computer.

To unlock your computer:

When your computer is locked, the " Computer lock computerLocked". Connect the eToken to the USB port or cable. In the window that appears, enter the PIN code in the " eTokenPassword"and press the button" OK"The computer is unlocked.
Note: in case of pressing " CTRL+ALT+DEL"and entering a password, the computer will be unlocked without using an eToken.

Manual removal

In the rare event that you need to remove the eToken SecurLogon manually, take the following steps:

  • restart your computer and boot it in safe mode;
  • register as a user with administrator rights;
  • using the registry editor, open the section HKEY_LOCAL_MAFROMHINE\SOFTWARE\Microsoft\WindowsNT\Currentversion\Winlogon and remove the " GinaDLL";
  • Reboot your computer, the next time you log on to Windows, the Microsoft Windows Logon window will appear.

General Troubleshooting

You may need to take the following steps to troubleshoot common problems:

Problem

Solution

You connected the eToken during the registration process (when the " Operating systemWindows/ WelcometoWindows") or when the computer is locked (the " Computer lock/ computerLocked"). The eToken SecurLogon window does not appear.

1. Disconnect all connected smart cards (not just the eToken) from the computer and reconnect the eToken.
2. The eToken may not be recognized by the system after installing the eToken RTE. In this case, try registering manually by clicking " CTRL+ALT+DEL". Connect your eToken and wait for the indicator light to turn on.

You connected the eToken immediately after waking up the computer from sleep or standby mode. eToken SecurLogon window does not appear .

1. Wait until the indicator light comes on. The window " Unlock your computer/ Unlockcomputer".
2. Take the actions described above.

You disconnected the eToken after waking the computer from hibernation or standby, and the computer does not lock up immediately.

Wait no more than 30 seconds until the computer is locked.

In Windows 2000, logging out or shutting down the computer takes a long time.

Install the latest service pack.

You connected a smart card reader or eToken after turning on the computer and the device is not recognized.

Restart your computer after connecting the reader.

Storing keys on hardware keys (Kaztoken, eToken) increases the security of storing and using the organization's EDS:

  • It is more difficult to covertly copy stored digital signatures from these devices than from a PC
  • If the token is lost, the use of the EDS is protected by a password

To use eToken devices, an organization must have valid EDS keys.

In the article:

Installing EDS keys on an eToken device (video lesson)

Installing an EDS on eToken carriers has some nuances (checked as of September 2015).

When using the eToken device for the first time, before writing keys to it, it requires a mandatory change of the default password (1234567890) to a more complex one, only after which it is possible to write EDS keys to the device. Therefore, if you simply insert a new eToken device into a PC and try to install certificates through the NCA website, after the installation is completed, you will receive a certificate installation error message.

Therefore, you will have to download the control program to the eToken device, reinitialize the device by unchecking the box Require password change before use.

And since the NCA website can write keys to the token only if the password for the eToken is 1234567890 (for other passwords, again, after installation, we get an error writing keys), we forcefully set the password 1234567890 in the control program, having previously unchecked the complex password requirement.

After the performed operations, you can successfully write the EDS keys to the eToken carrier.

Cleaning the eToken carrier (video tutorial)

Fixing the error More than one RSA key found

If you do not clean the eToken carrier before installing new keys, the installation through the NCA website will be successful, but when you try to enter the IS Treasury Client portal, you will encounter the following error: More than one RSA key was found:

The solution to this problem is to download the InfoToken() utility and use it to format the device. After that, you will have to rewrite the keys to the token.

Tip from our reader: you can try to remove extra keys using TumarCSP.

From the author:

If the problem is solved, one of the ways to say "Thank you" to the author is indicated -.

If the problem could not be resolved or additional questions appeared, you can ask them on ours, in our group.

Or, use our service "" entrusting the solution of the problem to a specialist.

Tokens, electronic keys for accessing important information, are becoming increasingly popular in Russia. The token is now not only a means for authentication in the operating system of a computer, but also a convenient device for storing and presenting personal information: encryption keys, certificates, licenses, certificates. Tokens are more reliable than a standard “login / password” pair due to the two-factor identification mechanism: that is, the user must not only have an information carrier (the token itself) available, but also know the PIN code.

There are three main form factors in which tokens are issued: a USB token, a smart card, and a key fob. PIN security is most commonly found in USB tokens, although recent USB tokens come with RFID tag capability and an LCD display to generate one-time passwords.

Let us dwell in more detail on the principles of functioning of tokens with a PIN code. A PIN code is a specially set password that breaks the authentication procedure into two stages: attaching a token to a computer and entering the actual PIN code.

The most popular token models in the modern Russian electronic market are Rutoken, eToken from the Aladdin company, and an electronic key from the Aktiv company. Let's consider the most frequently asked questions regarding token PIN codes using the example of tokens from these manufacturers.

1. What is the default PIN?

The table below provides information about the default PIN codes for Rutoken and eToken tokens. The default password is different for different owner levels.

Owner User Administrator
Rutoken 12345678 87654321
eToken
1234567890 By default, no administrator password is set. Can be set via control panel for eToken PRO, eToken NG-FLASH, eToken NG-OTP models only.
JaCarta PKI 11111111 00000000
JaCarta GOST Not set 1234567890
JaCarta PKI/GOST For PKI functionality: 11111111

When using JaCarta PKI with "Backward compatible" option - PIN - 1234567890

For GOST functionality: PIN code not set

 		For PKI functionality: 00000000

When using JaCarta PKI with "Backward compatible" option - PIN code is not set

For GOST functionality: 1234567890
JaCarta PKI/GOST/SE For PKI functionality: 11111111

For GOST functionality: 0987654321

 		For PKI functionality: 00000000

For GOST functionality: 1234567890
JaCarta PKI/BIO 11111111 00000000
JaCarta PKI/Flash 11111111 00000000
ESMART Token 12345678 12345678
IDPrime card 0000 48 zeros
JaCarta PRO/JaCarta LT 1234567890 1234567890

2. Should I change the default PIN? If so, at what point in working with the token?

3. What should I do if the PINs on the token are unknown and the default PIN has already been reset?

The only way out is to completely clear (format) the token.

4. What should I do if the user PIN is blocked?

You can unlock the user PIN through the control panel of the token. To perform this operation, you need to know the administrator PIN.

5. What should I do if the Admin PIN is blocked?

You cannot unlock the Admin PIN. The only way out is to completely clear (format) the token.

6. What security measures have manufacturers taken to reduce the risk of password guessing?

The main points of the security policy for PIN-codes of USB-tokens of Aladdin and Active companies are presented in the table below. After analyzing the data in the table, we can conclude that the eToken will presumably have a more secure PIN code. Rutoken, although it allows you to set a password of just one character, which is unsafe, in other respects it is not inferior to the Aladdin product.

Parameter eToken Rutoken
Minimum PIN length 4 1

Composition of the PIN

 Letters, numbers, special characters Numbers, letters of the Latin alphabet
Greater than or equal to 7 Up to 16

PIN security administration

 There is There is
There is There is

The importance of keeping the PIN code secret is known to all those who use tokens for personal purposes, store their electronic signature on it, trust the electronic key with information not only of a personal nature, but also with the details of their business projects. Tokens of Aladdin and Active companies have pre-installed protective properties and, together with a certain degree of precaution that will be taken by the user, reduce the risk of password guessing to a minimum.

Rutoken and eToken software products are presented in various configurations and form factors. The proposed range will allow you to choose exactly the model of the token that best meets your requirements, whether

RELATED ARTICLES