Introduction

Use this guide to install and use the SecureAuth Hard Token Decrypt Tool, which decrypts HID hardware OATH tokens to enable their use in Multi-Factor Authentication.

The Hard Token Decrypt Tool can decrypt tokens in batches or one at a time, giving administrators an efficient way to provision user accounts so that end-users can use their hard tokens. By leveraging the Account Management (Help Desk) realm, administrators can upload the OATH seeds of end-users' hard tokens to their profiles for identity validation in other SecureAuth IdP realms.

Released March 30, 2017

Prerequisites

1. Have HID Hard Tokens, the .pskc package, and the secret key

2. Create a New Realm or access an existing realm in the Web Admin configured for Account Management (Help Desk)

Decrypt Tool Installation

 

1. Download the Hard Token Decrypt Tool from the SecureAuth Downloads Page and save it to any Windows computer

2. Run the SecureAuth-Decrypt-Seed-1.0.5.exe file, which opens the SecureAuth Decrypt Seed wizard

3. Click Next

Setup

 

4. Select the location of the SecureAuth Decrypt Seed and click Next

The path is hardcoded; however, a different drive can be selected

5. Confirm the settings and click Install

6. Wait for the installer to complete

 

Complete Installation

 

7. Once the installation is complete, check View README to automatically view the file

The README.txt file can be accessed in the DecryptSeed folder at any time

8. Click Finish
 

README.txt

-------------------------------------------------------------------------
SecureAuth Decrypt Seed
(v1.0.5 February 2017)
-------------------------------------------------------------------------
TERMS AND CONDITIONS:
THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND.
SECUREAUTH CORPORATION MAKES NO WARRANTY ABOUT THE OPERATION OR PERFORMANCE
OF THIS SOFTWARE NOR DOES IT WARRANT THAT THIS SOFTWARE IS ERROR FREE. TO
THE FULLEST EXTENT PERMITTED BY LAW, SECUREAUTH CORPORATION DISCLAIMS ALL
IMPLIED AND STATUTORY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A
PARTICULAR PURPOSE. THIS SOFTWARE IS SUBJECT TO CHANGE AND MODIFICATION,
INCLUDING, WITHOUT LIMITATION, CHANGES AND MODIFICATIONS WITH RESPECT
TO PERFORMANCE AND FUNCTIONALITY ANY TIME AT THE SOLE DISCRETION OF
SECUREAUTH CORPORATION.
-------------------------------------------------------------------------

Contents
--------
1. Locating the application
2. Running the application
3. Documentation
4. Support
5. About SecureAuth Corporation

 

1) Locating the application
================================
The application is located in this folder: [DRIVE]\SecureAuth\DecryptSeed

 

2) Running the application
================================
Run the application from within a console (CMD) window

Syntax for decrypting single seed:
DecryptSeed.cmd /s <Cipher Value of Seed> /k <32 char Hex Key>

Example: DecryptSeed.cmd /s JYqUGPV7OEtnRULGzyVk5rU6V4reCOiwx8c+PkcTXFaIeFpCrSvJeq9rVNVGi88a /k 993E183A58C1287BE4E8FC3555C8438C

Syntax for decrypting all seeds in HID PSKC file:
DecryptSeed.cmd /k <32 char Hex Key> /i <PSKC input file name> /o <CSV output file name>

Example: DecryptSeed.cmd /i 0654150_0000000794.pskc /o decryptedseeds.csv /k 993E183A58C1287BE4E8FC3555C8438C
Note: The CSV file will be created if it does not exist, or appended if it does exist.

 

3) Documentation
=================

Documentation for the SecureAuth Decrypt Seed can be found in our on-line documentation at:
https://docs.secureauth.com

 

4) Support
==========
SecureAuth offers 24x7 support for critical issues. You can contact us
using the methods listed below:

Web: https://www.secureauth.com/Support.aspx
Email: support@secureauth.com
Phone: +1.866.859.1526

 

5) About SecureAuth Corporation
===============================

SecureAuth IdP is the only solution that combines SSO with native two-factor authentication in a single product across all platforms.
In the same solution, SecureAuth includes Versatile Authentication (VAS) that enables IT to deploy single, two, or three-factor authentication
to meet current and future regulatory requirements for cloud and web applications whether accessed from desktop or mobile device.
Bringing the same level of security and control to cloud applications that enterprises experience with on-premise applications,
SecureAuth IdP makes multi-product deployments obsolete while minimizing risk, increasing productivity, and reducing management costs.

To learn more about our products please call or visit our website www.secureauth.com

Sales +1 (949) 777-6959
Channel Sales +1 (949) 777-6959

HID Hard Token Decryption Steps

The Decrypt Tool supports Batch and Single decryption (batch is the full package of HID hard tokens, 25 at a time; single is one HID hard token at a time)

Another option is the Online Mode, a website that enables single decryption of tokens without using the CLI

Batch Decryption

1. Upload the HID Token Package(s) (.pskc file) to the DecryptSeed folder

NOTE: The batch command processes one package at a time

2. Open a Command Prompt, and cd to the \SecureAuth\DecryptSeed folder

3. Run the following command, replacing:

  • <32 char Hex Key> with the HID package's secret key (for all tokens)
  • <PSKC input file name> with the HID Token Package's path (.pskc)
  • <CSV output file name> with the name of the existing or new output CSV file
    • NOTE: Data in this file is appended if it exists

DecryptSeed.cmd /k <32 char Hex Key> /i <PSKC input file name> /o <CSV output file name>

Example:

DecryptSeed.cmd /k 993E183A58C1287BE4E8FC3555C8438C /i 0654150_0000000794.pskc /o decryptedseeds.csv

4. Locate the CSV output in the DecryptSeed folder, which contains the tokens' Serial Numbers (located on the back of each token) with the decrypted OATH Seed value

Single Decryption

1. Upload the HID Token Package(s) (.pskc file) to the DecryptSeed folder

2. Open a command line, and cd to the DecryptSeed folder

3. Run the following command, replacing:

  • <Cipher Value of Seed> with the cipher value of the single token, obtained from the HID Token Package file
  • <32 char Hex Key> with the HID package's secret key (for all tokens)

DecryptSeed.cmd /s <Cipher Value of Seed> /k <32 char Hex Key>

Example:

DecryptSeed.cmd /s JYqUGPV7OEtnRULGzyVk5rU6V4reCOiwx8c+PkcTXFaIeFpCrSvJeq9rVNVGi88a /k 993E183A58C1287BE4E8FC3555C8438C

4. View the decrypted OATH Seed value in the command line window
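
Step 3 of Single Decryption takes the cipher value from the HID Token Package file. The following added example (not part of the SecureAuth tool) lists each token's serial number with its cipher value, assuming the package follows the standard RFC 6030 PSKC layout; the sample container, its serial numbers and its cipher values are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces defined by RFC 6030 (PSKC) and XML Encryption
NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
CIPHER_PATH = ("pskc:Key/pskc:Data/pskc:Secret/pskc:EncryptedValue/"
               "xenc:CipherData/xenc:CipherValue")


def _package(serial: str, cipher: str) -> str:
    # Helper for the sample only: wraps the cipher text across two lines,
    # as XML exporters often do
    return (f"<KeyPackage><DeviceInfo><SerialNo>{serial}</SerialNo></DeviceInfo>"
            f"<Key><Data><Secret><EncryptedValue><xenc:CipherData><xenc:CipherValue>"
            f"{cipher[:32]}\n  {cipher[32:]}"
            f"</xenc:CipherValue></xenc:CipherData></EncryptedValue></Secret></Data></Key>"
            f"</KeyPackage>")


# Constructed sample: serial numbers and cipher values are made up
SAMPLE = (f'<KeyContainer xmlns="{NS["pskc"]}" xmlns:xenc="{NS["xenc"]}">'
          + _package("CONSTRUCTED-0001", "QUJD" * 16)
          + _package("CONSTRUCTED-0002", "REVG" * 16)
          + "</KeyContainer>")


def cipher_values(pskc_xml: str) -> dict:
    """Map token serial number -> cipher value ready to pass after /s."""
    result = {}
    for pkg in ET.fromstring(pskc_xml).findall("pskc:KeyPackage", NS):
        serial = pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", "", NS).strip()
        cipher = "".join(pkg.findtext(CIPHER_PATH, "", NS).split())  # drop line wraps
        if not serial or not cipher:
            raise ValueError("KeyPackage without SerialNo or CipherValue")
        if serial in result:
            raise ValueError(f"duplicate serial number {serial}")
        base64.b64decode(cipher, validate=True)  # raises on a truncated or damaged value
        result[serial] = cipher
    return result


if __name__ == "__main__":
    for serial, cipher in cipher_values(SAMPLE).items():
        print(serial, cipher)
```
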

Online Mode

1. Open any web browser and navigate to https://cent.secureauth.com/seed/

2. Type in the HID Token's Cipher Value and the Token Package's Hex Key (32-char value)

3. View the decrypted OATH Seed value in the browser

SecureAuth IdP Configuration Steps

There are two distinct realm configurations required for SecureAuth IdP

  • Provisioning: Hard Token provisioning to assign the token to the end-user
  • Utilization: Hard Token enablement for Multi-Factor Authentication in other realm(s)

To provision hard tokens for Multi-Factor Authentication use, administrators can leverage the Account Management (Help Desk) page to add the Hard Token's OATH Seed value to user profiles

To enable the use of hard tokens for Multi-Factor Authentication use in other SecureAuth IdP realm(s), follow the HID Hard Token-supported Realm(s) configuration steps

Hard Token Provisioning (Account Management) Realm

These steps are required in addition to the Account Management (Help Desk) realm configuration steps

 Account Management (Help Desk) Full Configuration Guide
Data

 

1. In the Profile Fields section, map the OATH Seed property to a directory field that fits the following requirements:

  • Directory String syntax (2.5.5.12)
  • rangeUpper of 4096+
  • Supports Advanced Encryption

2. Check Writable

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication

 

3. In the Post Authentication section, select Account Management from the Authenticated User Redirect dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Identity Management

 

4. Click Configure Help Desk Page

Self Service

 

5. Select Show Enabled from the OATH Seed dropdown

See the administrative provisioning experience below

Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes

HID Hard Token-supported Realm(s)

These configuration steps are required in all realms utilizing HID Hard Tokens for Multi-Factor Authentication

Registration Methods / Multi-Factor Methods

 

1. In the Registration Configuration section, under Time-based Passcodes (OATH), select Enabled from the Time-based Passcodes dropdown

2. Select 8 digits from the Passcode Length dropdown

3. Set the Passcode Change Interval to 30 seconds

4. Set the Passcode Offset to at least 5 minutes

5. Set the Cache Lockout Duration to 10 minutes

Click Save once the configurations have been completed and before leaving the Registration Methods / Multi-Factor Methods page to avoid losing changes
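
The settings above (8 digits, 30-second interval, 5-minute offset) decide which passcodes the realm accepts. The following added example, which is not SecureAuth code, computes RFC 6238 passcodes with those values so that a decrypted seed can be checked against the code shown on the token before it is provisioned. HMAC-SHA1, a seed already decoded to raw bytes, and Passcode Offset meaning tolerated clock drift on either side are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8        # Passcode Length from the realm settings
STEP = 30         # Passcode Change Interval, in seconds
OFFSET = 5 * 60   # Passcode Offset, in seconds (assumed: tolerated drift each way)


def totp(seed: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 passcode over HMAC-SHA1 (assumed algorithm) for one point in time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_token(seed: bytes, displayed: str, now: int,
                offset: int = OFFSET, step: int = STEP):
    """Return the drift, in steps, at which `displayed` matches, or None.

    Steps closest to `now` are tried first, so the result is the smallest drift.
    """
    span = offset // step  # 10 steps each way for a 5-minute offset
    for drift in sorted(range(-span, span + 1), key=abs):
        t = now + drift * step
        if t < 0:
            continue  # before the Unix epoch, no valid counter
        if hmac.compare_digest(totp(seed, t, step=step), displayed):
            return drift
    return None


if __name__ == "__main__":
    # Constructed input: the published RFC 6238 test seed, not a real token seed
    rfc_seed = b"12345678901234567890"
    print(totp(rfc_seed, 59))
    print(check_token(rfc_seed, totp(rfc_seed, 59), now=59 + 300))
```

Under the assumption above, 21 consecutive passcodes are acceptable at any moment with these settings; a match at a large drift indicates a token clock that has wandered from server time.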

Administrative Hard Token Provisioning Experience

 

Administrators can use the Account Management (Help Desk) page to upload hard tokens' OATH Seed values to user profiles

1. Log into the Account Management realm, enter the username of the profile to update, and click Get User

2. Set the OATH Seed to the decrypted OATH Seed value that matches the token's serial number present in the CSV file (batch) or on the CLI (single)

3. Click Update

The user profile now contains the HID Hard Token's OATH Seed, and the token can be used for identity validation in other SecureAuth IdP realms