From: Douglas E E. <dee...@gm...> - 2016-01-25 13:15:15
<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000">
The NIST PIV specs leave most of card management up to the vendor. Best I can tell this was done to allow vendors to have features that would allow them to sell their cards based on their value-added features. In the NIST model, large federal agencies run the card management systems, issue cards and maintain the PUK. Yubico on the other hand is selling tokens to individuals, and Yubico publishes how to reset the card so the PUK can also be reset.<br> <br>
So if you can't get the documentation on how to reset the card or the PUK from the card vendor, it may be the PUK cannot be reset.<br>
Well-managed card management systems would not lose the PUK. Yubico on the other hand understands users may lose the PUK. <br> <br>
Buy a new card. <br> <br>
<div class="moz-cite-prefix">On 1/24/2016 11:26 PM, Ryan Chapman wrote:<br> </div>
<blockquote cite="mid:CAE...@ma..." type="cite"> <div dir="ltr">Hi, <div><br> </div>
<div>Does anyone know if there is a way to unblock a PUK on a PIV card or re-initialize the PIV applet? </div> <div><br> </div>
<div>The card is a Gemalto IDPrime PIV Card v2.0 using SCP01</div>
<div>ATR: 3b:7d:96:00:00:80:31:80:65:b0:83:11:11:e5:83:00:90:00</div> <div><br> </div>
<div>I know the admin key for the card, but even when I authenticate to the card (which still works), I am unable to change the state of the PUK lockout. The PIN is also blocked, but I know how to unblock that if the PUK is unblocked (for anyone who wants to know, if your PUK is 12345 and you want to unblock the PIN and set the PIN to 1234, do: <span style="font-family:'Courier New';font-size:14px">piv-tool -A M:9B:03 -s 00:2c:00:80:10:31:32:33:34:35:ff:ff:ff:31:32:33:34:ff:ff:ff:ff</span>)</div> <div><br> </div>
<div> <div>This command is used to change the PUK if the current one is known (it's 1234). 
However, I'm told 0x6983, which according to ISO7816-4 means "Authentication method blocked"<br> </div> </div> <div> <div><br> </div>
<div><font face="monospace, monospace">$ piv-tool -A M:9B:03 -s 00:24:00:81:10:31:32:33:34:ff:ff:ff:ff:31:32:33:34:ff:ff:ff:ff</font></div>
<div><font face="monospace, monospace">Using reader with a card: Gemalto Prox Dual USB PC Link Reader(2)</font></div>
<div><font face="monospace, monospace">Sending: 00 24 00 81 10 31 32 33 34 FF FF FF FF 31 32 33 34 FF FF FF FF</font></div>
<div><font face="monospace, monospace">Received (SW1=0x69, SW2=0x83)</font></div> </div> <div><br> </div>
<div>According to the data sheet, the PUK is stored in the internal object tag 0xFF8101, but I am not sure if it is possible to write to that tag.</div>
<div><a moz-do-not-send="true" href="http://www.gemalto.com/products/piv_card/download/IDPrime_PIV_Card_v2_0_SCP01_OTP_Data_Model_Samples.pdf">http://www.gemalto.com/products/piv_card/download/IDPrime_PIV_Card_v2_0_SCP01_OTP_Data_Model_Samples.pdf</a><br> </div> <div><br> </div>
<div>What got me here was that I was unable to generate a keypair on the card and thought I might be able to reset the PIV application like Yubikey NEO does it. With their card, the PIN and PUK must be blocked, then you send "00 fb 00 00 00" and the PIV applet is reset with retry counters set at 3 again. Not so much with Gemalto. 
And I can't find anyone at Gemalto that will provide documentation, even if I am willing to pay for it.</div> <div><br> </div>
<div>Thought I would check here before I toss the card in the drawer and get a new one.</div> <div><br> </div>
<div>Thanks in advance</div> <div><br> </div>
<div>Ryan</div> </div> <br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">_______________________________________________ Opensc-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a> </pre> </blockquote> <br>
<pre class="moz-signature" cols="200">-- Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a> </pre> </body> </html>
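The two raw APDUs in Ryan's post (RESET RETRY COUNTER to unblock the PIN with the PUK, and CHANGE REFERENCE DATA against the PUK) are easier to reason about when the byte layout is built up rather than typed by hand. The following is an added example for this thread, not code from OpenSC or piv-tool; it assumes the card follows the NIST SP 800-73 encoding (PIN and PUK each right-padded to 8 bytes with 0xFF, key reference 0x80 for the PIN and 0x81 for the PUK) and it also decodes the status words a card returns for these commands, including the 0x63Cx "retries remaining" form, so an operator can check the retry state before spending another attempt. The function names and the constructed PIN/PUK values are my own.

```python
"""Build and decode PIV PIN/PUK management APDUs (constructed example).

Layouts per NIST SP 800-73: CLA 00, INS 2C (RESET RETRY COUNTER) or
INS 24 (CHANGE REFERENCE DATA), P1 00, P2 = key reference; the data field
is two 8-byte fields (PUK || new PIN, or current || new) padded with 0xFF.
"""

PIV_PIN = 0x80  # key reference: PIV application PIN
PIV_PUK = 0x81  # key reference: PIN unblocking key


def pad_secret(secret: str) -> bytes:
    """Encode a 1..8 character ASCII PIN/PUK, right-padded with 0xFF to 8 bytes."""
    raw = secret.encode("ascii")
    if not 1 <= len(raw) <= 8:
        raise ValueError("PIV PIN/PUK must be 1-8 bytes long")
    return raw + b"\xff" * (8 - len(raw))


def reset_retry_counter_apdu(puk: str, new_pin: str) -> bytes:
    """RESET RETRY COUNTER: unblock the PIN using the PUK and set a new PIN."""
    data = pad_secret(puk) + pad_secret(new_pin)
    return bytes([0x00, 0x2C, 0x00, PIV_PIN, len(data)]) + data


def change_reference_data_apdu(key_ref: int, current: str, new: str) -> bytes:
    """CHANGE REFERENCE DATA: replace the PIN (0x80) or PUK (0x81), proving the old one."""
    if key_ref not in (PIV_PIN, PIV_PUK):
        raise ValueError("key reference must be PIV_PIN or PIV_PUK")
    data = pad_secret(current) + pad_secret(new)
    return bytes([0x00, 0x24, 0x00, key_ref, len(data)]) + data


def to_piv_tool_arg(apdu: bytes) -> str:
    """Render an APDU in the colon-separated hex form that `piv-tool -s` takes."""
    return ":".join(f"{b:02x}" for b in apdu)


def decode_status(sw1: int, sw2: int) -> str:
    """Translate the ISO 7816-4 / SP 800-73 status words relevant to PIN/PUK handling."""
    if (sw1, sw2) == (0x90, 0x00):
        return "success"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        # 63 Cx: verification failed, low nibble is the remaining retry count
        return f"verification failed, {sw2 & 0x0F} retries remaining"
    if (sw1, sw2) == (0x69, 0x83):
        return "authentication method blocked (retry counter exhausted)"
    if (sw1, sw2) == (0x69, 0x82):
        return "security status not satisfied"
    return f"unhandled status {sw1:02X}{sw2:02X}"


if __name__ == "__main__":
    # Constructed values: PUK "12345", new PIN "1234", as in the thread.
    print(to_piv_tool_arg(reset_retry_counter_apdu("12345", "1234")))
    print(to_piv_tool_arg(change_reference_data_apdu(PIV_PUK, "1234", "1234")))
    for sw in ((0x90, 0x00), (0x63, 0xC2), (0x69, 0x83)):
        print(f"{sw[0]:02X}{sw[1]:02X}: {decode_status(*sw)}")
```

The decoder is the practical part: a 0x63Cx reply still carries a retry count and the operation can be retried deliberately, whereas 0x6983, the reply Ryan got to the PUK change, means the card has already exhausted that counter and no further attempts with the same command will help, which is exactly why a card whose vendor does not document a reset path has to be replaced.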