[Piv-test-cards] question: steps to unlock a card


Obremski, Christopher D.

Jun 14, 2013, 12:06:01 PM
to piv-tes...@list.nist.gov
I am currently working with the test card #4, and based on response (6983) code, I may have locked the card.

I am currently investigating my code, but want to find out if there were any steps that we could perform to reset the retry counter?

Thanks, in advance.

-------------------------------------
Chris Obremski
JHU Applied Physics Lab.

Douglas E. Engert

Jun 14, 2013, 12:49:51 PM
to piv-tes...@list.nist.gov

On 6/14/2013 11:06 AM, Obremski, Christopher D. wrote:
> I am currently working with the test card #4, and based on response (6983) code, I may have locked the card.

Card 4 has both a PIV Card Application PIN and a Global Pin.
Are you sure you are using the correct PIN?

If NIST would state what the PUK was for the cards,
you could use OpenSC to reset the user PIN.

>
> I am currently investigating my code, but want to find out if there were any steps that we could perform to reset the retry counter?
>
> Thanks, in advance.
>
> -------------------------------------
> Chris Obremski
> JHU Applied Physics Lab.
>
> _______________________________________________
> PIV-test-cards mailing list
> PIV-test-cards at nist.gov
> https://groups.google.com/a/list.nist.gov/forum/#!forum/piv-test-cards
>

--

Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Obremski, Christopher D.

Jun 14, 2013, 12:56:52 PM
to piv-tes...@list.nist.gov
So, the funny thing about all of this is that I was successful in "verifying" to the card and pulled the printed info and facial image prior to receiving this status response. Subsequent tries have resulted in the "6983" response status.

Right now, we are using a 3rd party software to access the information on the card, and this did work at one point and now it is not.

We have an email out to the vendor requesting clarification, but I was looking to see if anything was documented to "reset" the card if this type of error happens.

--------------------------
Chris Obremski
JHU Applied Physics Lab.


David A. Cooper

Jun 14, 2013, 1:23:23 PM
to piv-tes...@list.nist.gov
An HTML attachment was scrubbed...

Obremski, Christopher D.

Jun 14, 2013, 1:34:05 PM
to piv-tes...@list.nist.gov
Thank you very much for the information. My hope is that the vendor library is malfunctioning and unfortunately giving me the "6983" response code.

I also just noticed that my subject line was incorrect. I should have stated "how to unlock a test card", sorry for the confusion.


@Dave: Would it be possible for you to provide the APDU string that would be needed to issue the "Reset Retry Counter"?


Thanks in advance.


----------------------------------
Chris Obremski
JHU Applied Physics Lab

________________________________________
From: David A. Cooper [david.cooper at nist.gov]
Sent: Friday, June 14, 2013 1:23 PM
To: Obremski, Christopher D.
Cc: piv-test-cards
Subject: Resetting the PIV Card Application PIN on a test PIV Card

A status word of '69 83' does seem to indicate that the corresponding PIN has been locked. The PIV Card Application PINs and (where applicable) Global PINs on the test PIV Cards have been configured with a reset counter of 10. After 10 consecutive incorrect attempts to authenticate to the card using one of these PINs, the ability to authenticate to the card using that PIN will be blocked.

While there is no mechanism available to reset the Global PIN once it has become blocked, the PIV Card Application PIN may be reset using the RESET RETRY COUNTER card command, which is described in NIST Special Publication 800-73-3 Part 2<http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART2_piv-card-applic-card-common-interface.pdf>. The RESET RETRY COUNTER card command needs to be provided the PIN Unblocking Key (PUK) and the new value for the PIV Card Application PIN. The value of the PUK for test PIV Cards 1, 9, and 16, is "1234." The value of the PUK for all of the other test PIV Cards is "99999999."

So, the Application Protocol Data Unit (APDU) (i.e., card command) to send to test PIV Card 1, 9, or 16, to reset the PIV Card Application PIN to its original value of "123456" is:
00:2C:00:80:10:31:32:33:34:FF:FF:FF:FF:31:32:33:34:35:36:FF:FF
The APDU to send to test PIV Card 2, 4, 5, 6, 8, 10, 11, 12, 13, 14, or 15, to reset the PIV Card Application PIN to its original value of "123456" is:
00:2C:00:80:10:39:39:39:39:39:39:39:39:31:32:33:34:35:36:FF:FF
The APDU to send to test PIV Card 3 or 7 to reset the PIV Card Application PIN to its original value of "90909090" is:
00:2C:00:80:10:39:39:39:39:39:39:39:39:39:30:39:30:39:30:39:30

As Doug mentioned, OpenSC may be used to send the APDU to the card to reset the PIN.

Dave


David A. Cooper

Jun 14, 2013, 2:56:59 PM
to piv-tes...@list.nist.gov
The APDU strings are in the email below. For Card 4 it is
"00:2C:00:80:10:39:39:39:39:39:39:39:39:31:32:33:34:35:36:FF:FF"

So, using OpenSC, the command to reset the PIV Card Application PIN on
Card 4 would be:

opensc-tool --send-apdu "00:2C:00:80:10:39:39:39:39:39:39:39:39:31:32:33:34:35:36:FF:FF"
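
[Added example, not part of the original thread or of any poster's message.] The three APDUs quoted above all follow one layout: header 00 2C 00 80, Lc 10, then the PUK and the new PIN, each padded to 8 bytes with FF. The sketch below rebuilds them from the PUK and PIN values given in the thread and decodes the status words seen in a trace; the function names are hypothetical, and the '63 CX' meaning is taken from ISO/IEC 7816-4 rather than from the thread.

```python
# Added example: build the RESET RETRY COUNTER APDU for the NIST test PIV cards.
# PUK/PIN values and card groupings are the ones stated in the thread.

PUK_1234_CARDS = {1, 9, 16}    # PUK "1234"; all other test cards use "99999999"
PIN_9090_CARDS = {3, 7}        # original PIN "90909090"; others use "123456"


def pad8(value: str) -> bytes:
    """ASCII-encode a PIN or PUK and pad it to 8 bytes with 0xFF."""
    raw = value.encode("ascii")
    if not 1 <= len(raw) <= 8:
        raise ValueError("PIN/PUK must be 1 to 8 characters")
    return raw + b"\xff" * (8 - len(raw))


def reset_retry_counter_apdu(puk: str, new_pin: str) -> str:
    """Return the APDU as colon-separated hex, the form opensc-tool accepts."""
    data = pad8(puk) + pad8(new_pin)               # 16 bytes, so Lc = 0x10
    header = bytes([0x00, 0x2C, 0x00, 0x80, len(data)])
    return ":".join(f"{b:02X}" for b in header + data)


def apdu_for_test_card(card: int) -> str:
    """APDU that restores the original PIV Card Application PIN on a test card."""
    if not 1 <= card <= 16:
        raise ValueError("test PIV cards are numbered 1 to 16")
    puk = "1234" if card in PUK_1234_CARDS else "99999999"
    pin = "90909090" if card in PIN_9090_CARDS else "123456"
    return reset_retry_counter_apdu(puk, pin)


def describe_status_word(sw: str) -> str:
    """Decode the status words relevant to PIN handling in an APDU trace."""
    sw = sw.replace(" ", "").replace(":", "").upper()
    if sw == "9000":
        return "success"
    if sw == "6983":
        return "authentication method blocked"
    if len(sw) == 4 and sw.startswith("63C"):
        return f"verification failed, {int(sw[3], 16)} retries remaining"
    return "not a PIN-related status word handled here"


if __name__ == "__main__":
    print(apdu_for_test_card(4))
    print(describe_status_word("69 83"))
```

Counting down the X in successive '63 CX' responses in a USB or pcscd trace shows which component is consuming PIN retries before '69 83' appears.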


Douglas E. Engert

Jun 16, 2013, 8:58:16 PM
to piv-tes...@list.nist.gov

On 6/14/2013 12:34 PM, Obremski, Christopher D. wrote:
> Thank you very much for the information. My hope is that the vendor library is malfunctioning and unfortunately giving me the "6983" response code.
>

If you think your vendor's software is causing the 6983,
can you get a USB trace, or pcscd debug output?
This would show the APDU commands and responses.

Does your vendor use a PKCS#11? If so have a look at the
OpenSC SPY code that can trace the PKCS#11 calls to any PKCS#11
lib.

