On 11/3/2021 8:56 AM, 'Jill Branton' via piv-test-cards wrote:
> Hi,
>
> Believe that I managed to block my #16 PIV card trying to pair it with my Mac. Using OpenSC as outlined by David Cooper below, the return using 1234 and 9999999 (seven nines) is that the PUK is
> incorrect.
>
> Was unable to find different information as to what the PUK should be. Also tried without user input as indicated it could be a problem with some readers.
>
> >pkcs15-tool.exe --unblock-pin --puk 1234 --pin 123456
So this is on Windows?
In any case the other way to do this is to use what is outlined in David's note:
Look at NIST 800-73-4 "3.2.3 RESET RETRY COUNTER Card Command"
opensc-tool -c default -s "00:2C:00:80:10:31:32:33:34:FF:FF:FF:FF:31:32:33:34:35:36:FF:FF"
The -c default is optional, it says to not use any special driver, just send the APDU.
The above sends the "3.2.3 RESET RETRY COUNTER Card Command" to change PIV pin 0x80 using 0x10 bytes of data
with PUK 31:32:33:34:FF:FF:FF:FF (as hex padded to 8 bytes) and new pin 31:32:33:34:35:36:FF:FF (as hex padded to 8 bytes)
If you get '63' 'CX' "Reset failed, X indicates the number of further allowed resets", i.e. the pin is not blocked.
If you really don't know the pin, i.e. you may have changed it, you can try X number of times to use a bad PIN so it gets blocked.
Then try the above.
Note that the PUK can get blocked, be careful. NIST 800-73-3 says:
"If the PIV Card Application returns status word '63 CX', then the retry counter
associated with the PIN shall not be reset, the security status of the PIN’s key
reference shall be set to FALSE, and the PUK’s retry counter shall be decremented by one."
>
> The sanity-check returns "Using reader with a card: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0 not using the cardos driver, card is fine." My reader is rather old but seems to be
> working fine. Also have #15 with expired certificates. padded to 8 bytes
>
>
> Perhaps all this information was in the package with the cards, however someone else in our organization distributed and did not forward.
>
> Thanks,
>
> Jill
>
> From: David A. Cooper [david.cooper at nist.gov <http://nist.gov/>]
> Sent: Friday, June 14, 2013 1:23 PM
> To: Obremski, Christopher D.
> Cc: piv-test-cards
> Subject: Resetting the PIV Card Application PIN on a test PIV Card
>
> A status word of '69 83' does seem to indicate that the corresponding PIN has been locked. The PIV Card Application PINs and (where applicable) Global PINs on the test PIV Cards have been
> configured with a reset counter of 10. After 10 consecutive incorrect attempts to authenticate to the card using one of these PINs, the ability to authenticate to the card using that PIN will be
> blocked.
>
> While there is no mechanism available to reset the Global PIN once it has become blocked, the PIV Card Application PIN may be reset using the RESET RETRY COUNTER card command, which is described
> in NIST Special Publication 800-73-3 Part 2
> <http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART2_piv-card-applic-card-common-interface.pdf>.
> The RESET RETRY COUNTER card command needs to be provided the PIN Unblocking Key
> (PUK) and the new value for the PIV Card Application PIN. The value of the PUK for test PIV Cards 1, 9, and 16, is "1234." The value of the PUK for all of the other test PIV Cards is "99999999."
>
> So, the Application Protocol Data Unit (APDU) (i.e., card command) to send to test PIV Card 1, 9, or 16, to reset the PIV Card Application PIN to its original value of "123456" is:
> 00:2C:00:80:10:31:32:33:34:FF:FF:FF:FF:31:32:33:34:35:36:FF:FF
> The APDU to send to test PIV Card 2, 4, 5, 6, 8, 10, 11, 12, 13, 14, or 15, to reset the PIV Card Application PIN to its original value of "123456" is:
> 00:2C:00:80:10:39:39:39:39:39:39:39:39:31:32:33:34:35:36:FF:FF
> The APDU to send to test PIV Card 3 or 7 to reset the PIV Card Application PIN to its original value of "90909090" is:
> 00:2C:00:80:10:39:39:39:39:39:39:39:39:39:30:39:30:39:30:39:30
>
> As Doug mentioned, OpenSC may be used to send the APDU to the card to reset the PIN.
>
> Dave
>
>
> --
> Ping Identity <https://www.pingidentity.com>
> Jill Branton
> Solutions Architect - Government
> jillb...@pingidentity.com
>
--
Douglas E. Engert <DEEn...@gmail.com>
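
Added example, not part of the thread and not code from OpenSC or NIST: a small Python helper that builds the RESET RETRY COUNTER APDU in the colon-separated form passed to opensc-tool -s above, and decodes the status words mentioned in the messages. The function names are hypothetical; the 6 to 8 digit PIN check follows SP 800-73 and the reading of '69 83' follows ISO 7816-4.

```python
"""Build and interpret the PIV RESET RETRY COUNTER exchange (added example)."""

INS_RESET_RETRY_COUNTER = 0x2C
PIV_APP_PIN_KEY_REF = 0x80   # P2: PIV Card Application PIN
FIELD_LEN = 8                # PUK and new PIN each occupy 8 bytes
PAD = 0xFF                   # shorter values are right-padded with FF


def pad_field(value: str, name: str) -> bytes:
    """ASCII-encode a PUK or PIN and pad it to 8 bytes with FF."""
    raw = value.encode("ascii")
    if not 1 <= len(raw) <= FIELD_LEN:
        raise ValueError(f"{name} must be 1..{FIELD_LEN} characters")
    return raw + bytes([PAD]) * (FIELD_LEN - len(raw))


def reset_retry_counter_apdu(puk: str, new_pin: str) -> str:
    """Return CLA:INS:P1:P2:Lc:PUK:PIN as colon-separated hex."""
    # SP 800-73 limits the PIV Card Application PIN to 6..8 decimal digits.
    if not (new_pin.isascii() and new_pin.isdigit() and 6 <= len(new_pin) <= 8):
        raise ValueError("new PIN must be 6 to 8 decimal digits")
    data = pad_field(puk, "PUK") + pad_field(new_pin, "PIN")
    header = bytes([0x00, INS_RESET_RETRY_COUNTER, 0x00,
                    PIV_APP_PIN_KEY_REF, len(data)])
    return ":".join(f"{b:02X}" for b in header + data)


def explain_status(sw1: int, sw2: int) -> str:
    """Decode the status words discussed in the thread."""
    if (sw1, sw2) == (0x90, 0x00):
        return "success: new PIN set, PIN retry counter reset"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        # Each '63 CX' answer also costs one PUK attempt.
        return f"reset failed: {sw2 & 0x0F} further resets allowed"
    if (sw1, sw2) == (0x69, 0x83):
        return "authentication method blocked"
    return f"unexpected status {sw1:02X} {sw2:02X}"


if __name__ == "__main__":
    # Test card 1, 9 or 16 from David Cooper's message: PUK 1234, PIN 123456.
    print(reset_retry_counter_apdu("1234", "123456"))
    print(explain_status(0x63, 0xC9))
```

Checking the '63 CX' counter after every attempt matters because, as quoted above, each failed reset decrements the PUK retry counter.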