Released March 30, 2017

Use this guide to install and use the SecureAuth Hard Token Decrypt Tool, which decrypts the OATH seeds of HID hard OATH tokens so that the tokens can be used for Multi-Factor Authentication.

The tool decrypts HID hard tokens either one at a time or as a batch from the .pskc package. Administrators then use an Account Management (Help Desk) realm to upload the decrypted OATH Seed of each token to the corresponding user profile, after which the token can be used for identity validation in other SecureAuth IdP realms to reach protected resources.



Prerequisites

  • HID hard tokens, the .pskc package they were delivered with, and the package's secret key (32 hex characters)
  • A new or existing realm configured for Account Management (Help Desk)



Install SecureAuth Hard Token Decrypt tool

  1. Download the SecureAuth Hard Token Decrypt Tool from the Support Tools download page and save it to any Windows computer. 
  2. Run the SecureAuth-Decrypt-Seed-1.0.5.exe file to install and set up the tool. 
  3. Click Next.
  4. Select the installation location for SecureAuth Decrypt Seed and click Next.
    The path is hardcoded; however, a different drive can be selected.
  5. Confirm the settings and click Install.
  6. Wait for the installer to complete.
  7. Once the installation is complete, click Finish.



Decrypting HID hard tokens

The Decrypt Tool has the following decryption options:

  • Batch – Package of HID hard tokens, up to 25 at a time (use command-line tool)
  • Single – One HID hard token at a time (use command-line tool)
  • Online – Go to a website that enables single decryption of a HID hard token (no command-line tool)

Batch decryption of multiple HID hard tokens (command-line)

  1. Copy the HID token package (.pskc file) into the DecryptSeed folder.
    The batch command decrypts one package at a time.
  2. At the command prompt, cd to the \SecureAuth\DecryptSeed folder.
  3. Run the DecryptSeed command, using the following values:

    Syntax:
    DecryptSeed.cmd /k <32 char Hex Key> /i <PSKC input file name> /o <CSV output file name>
    Example:
    DecryptSeed.cmd /k 993E183A58C1287BE4E8FC3555C8438C /i 0654150_0000000794.pskc /o decryptedseeds.csv
    • Replace <32 char Hex Key> with the secret key of the HID package (one key covers all tokens in the package)
    • Replace <PSKC input file name> with the file name of the HID token package (.pskc)
    • Replace <CSV output file name> with the name of a new or existing output CSV file. If the file already exists, the new rows are appended to it.
  4. In the DecryptSeed folder, open the CSV output, which lists the serial number of each HID hard token with its decrypted OATH Seed value. (The serial number is printed on the back of each HID hard token.) The CSV holds the plaintext seeds, so protect it like a password file and delete it once the seeds have been provisioned.

Single decryption of a HID hard token (command-line)

  1. Copy the HID hard token package (.pskc file) into the DecryptSeed folder.
  2. At the command prompt, cd to the \SecureAuth\DecryptSeed folder.
  3. Run the DecryptSeed command, using the following values:

    Syntax:
    DecryptSeed.cmd /s <Cipher Value of Seed> /k <32 char Hex Key>
    Example:
    DecryptSeed.cmd /s JYqUGPV7OEtnRULGzyVk5rU6V4reCOiwx8c+PkcTXFaIeFpCrSvJeq9rVNVGi88a /k 993E183A58C1287BE4E8FC3555C8438C
    • Replace <Cipher Value of Seed> with the cipher value of the single HID hard token, copied from the CipherValue element of that token's entry in the .pskc package
    • Replace <32 char Hex Key> with the secret key of the HID package (one key covers all tokens in the package)
  4. Read the decrypted OATH Seed value from the command-line output.

Single decryption of a HID hard token (online)

  1. Open any web browser and navigate to this seed decryption page.

    The link works only when you are not connected to a VPN.

  2. Enter the Cipher Value of the HID hard token and the Hex Key (32-char value) of the hard token package. Both values are submitted to that page, so use this option only where your policy permits the package key to leave the machine.
  3. In the browser, view the resulting decrypted OATH Seed value.
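The batch and single modes above operate on a PSKC package as defined in RFC 6030. The Python script below is an added illustration, not SecureAuth's or HID's code, that does the same job in the open so the format is visible: it parses each KeyPackage entry, decrypts its CipherValue with AES-128-CBC under the package key, and derives the 8-digit TOTP from the recovered seed so the result can be compared with the token's display before it is provisioned. It assumes the package uses the XML Encryption aes128-cbc method (16-byte IV prepended to the ciphertext) and that the 32-hex-character package key is the AES-128 key; the tool's own internals are not documented on this page. The sample package, key, IV and serial number are constructed here from the RFC 6238 test seed so the script runs offline; it needs either the `cryptography` package or an openssl binary on the PATH.

```python
"""Decrypt HID PSKC seeds and check them against the token display.
Added example, not SecureAuth's or HID's code. Assumes RFC 6030 packages
using the XML Encryption aes128-cbc method (CipherValue = base64(IV ||
ciphertext), 16-byte IV first) and that the 32-hex-char package key is the
AES-128 key. The sample package is constructed here so this runs offline."""
import base64
import hashlib
import hmac
import struct
import subprocess
import time
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

def _aes128_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-128-CBC without padding: the 'cryptography' package when it
    is installed, otherwise the openssl CLI."""
    assert len(key) == 16 and len(iv) == 16 and len(data) % 16 == 0
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        op = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = op.decryptor() if decrypt else op.encryptor()
        return op.update(data) + op.finalize()
    except ImportError:
        cmd = ["openssl", "enc", "-aes-128-cbc", "-nopad", "-K", key.hex(),
               "-iv", iv.hex()] + (["-d"] if decrypt else [])
        return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout

def decrypt_cipher_value(cipher_value_b64: str, hex_key: str) -> bytes:
    """Single mode: one CipherValue plus the package key -> raw OATH seed."""
    key = bytes.fromhex(hex_key)
    if len(key) != 16:
        raise ValueError("package key must be 32 hex characters (AES-128)")
    blob = base64.b64decode(cipher_value_b64)
    if len(blob) < 32 or len(blob) % 16:
        raise ValueError("CipherValue is not IV || whole AES blocks")
    plain = _aes128_cbc(key, blob[:16], blob[16:], decrypt=True)
    pad = plain[-1]  # XML Encryption padding: last byte = pad length, fill bytes arbitrary
    if not 1 <= pad <= 16:
        raise ValueError("bad padding: wrong key or corrupted CipherValue")
    return plain[:-pad]

def parse_pskc(xml_text: str) -> list:
    """(serial number, CipherValue) for every KeyPackage in the container."""
    rows = []
    for pkg in ET.fromstring(xml_text).findall("pskc:KeyPackage", NS):
        serial = pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", "", NS)
        secret = pkg.find(".//pskc:Secret", NS)
        cv = None if secret is None else secret.findtext(".//xenc:CipherValue", None, NS)
        if not cv:
            raise ValueError(f"token {serial!r}: no encrypted Secret element")
        rows.append((serial, "".join(cv.split())))  # drop base64 line breaks
    return rows

def decrypt_pskc(xml_text: str, hex_key: str) -> list:
    """Batch mode: (serial number, upper-case hex seed) for every token."""
    return [(serial, decrypt_cipher_value(cv, hex_key).hex().upper())
            for serial, cv in parse_pskc(xml_text)]

def totp(seed: bytes, at: int, digits: int = 8, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the defaults match the realm settings
    in this guide (8 digits, 30-second change interval)."""
    mac = hmac.new(seed, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def make_cipher_value(seed: bytes, hex_key: str, iv: bytes) -> str:
    """Encrypt a seed the way a package carries it (used to build the sample)."""
    pad = 16 - len(seed) % 16
    ct = _aes128_cbc(bytes.fromhex(hex_key), iv, seed + bytes(pad - 1) + bytes([pad]), False)
    return base64.b64encode(iv + ct).decode()

# Constructed sample: the RFC 6238 test seed under a throwaway key, IV and serial.
SAMPLE_KEY = "000102030405060708090A0B0C0D0E0F"
SAMPLE_SEED = b"12345678901234567890"
SAMPLE_PSKC = f"""<KeyContainer Version="1.0" xmlns="{NS['pskc']}" xmlns:xenc="{NS['xenc']}">
 <KeyPackage>
  <DeviceInfo><Manufacturer>HID</Manufacturer><SerialNo>0000000001</SerialNo></DeviceInfo>
  <Key Id="1" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp"><Data><Secret>
   <EncryptedValue>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <xenc:CipherData><xenc:CipherValue>
     {make_cipher_value(SAMPLE_SEED, SAMPLE_KEY, bytes(range(16)))}
    </xenc:CipherValue></xenc:CipherData>
   </EncryptedValue>
  </Secret></Data></Key>
 </KeyPackage>
</KeyContainer>"""

if __name__ == "__main__":
    print("SerialNo,OATHSeed,CodeShownNow")  # CSV columns plus a live check
    for serial, hex_seed in decrypt_pskc(SAMPLE_PSKC, SAMPLE_KEY):
        # The third column must equal the code on the token's display right
        # now; a wrong key that slipped past the padding check (about 1 in 16)
        # is caught here before the seed reaches a user profile.
        print(f"{serial},{hex_seed},{totp(bytes.fromhex(hex_seed), int(time.time()))}")
```

The padding check alone is a weak test of the key, which is why the script also prints the current TOTP: comparing it with the physical token is the cheapest way to confirm both the key and the serial-to-seed mapping before anything is written to a user profile.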



SecureAuth IdP configuration

Two distinct SecureAuth IdP realm configurations are required to provision and use HID hard tokens:

Provisioning

Provisioning assigns an HID hard token to a user profile.

To provision HID hard tokens for Multi-Factor Authentication, use the Account Management (Help Desk) page to add the OATH Seed value of each hard token to the user's profile.

Utilization

Utilization is the use of HID hard tokens for Multi-Factor Authentication in other realms.

To enable HID hard tokens for Multi-Factor Authentication in other SecureAuth IdP realms, configure each of those realms to support them.

Hard token provisioning (Account Management) realm 

The following steps are required in addition to configuration of the Account Management (Help Desk) realm. This allows you to administer and assign HID hard tokens to user profiles. 

  1. Go to the Data tab.
  2. In the Profile Fields section, set the following for the OATH Seed Property:

    Directory field: map the property to a directory field that meets the following requirements:
    • Directory String syntax (OID 2.5.5.12)
    • rangeUpper of 4096 or more

    Data format: set to Advanced Encryption.

    Writeable: select this check box.

  3. Save your changes.
  4. Go to the Post Authentication tab.
  5. In the Post Authentication section, set the Authenticated User Redirect field to Account Management.
  6. Save your changes.
  7. In the Identity Management section, click the Configure help desk page link.
  8. Set the OATH Seed field to Show Enabled.
  9. Save your changes.

Configure realms to use HID hard tokens 

Configuration is required in all realms using HID hard tokens for Multi-Factor Authentication.  

  1. Go to the Registration Methods / Multi-Factor Methods tab.
  2. In the Registration Configuration / Multi-Factor Configuration section, under Time-based Passcodes (OATH), set the following:

    Passcode length: set to 8 digits.

    Passcode Change Interval: set to 30 seconds.

    Passcode Offset: set to at least 5 minutes.

    Cache Lockout Duration: set to 10 minutes.

    The passcode length and change interval must match the parameters the HID tokens were manufactured with; the values above correspond to 8-digit, 30-second tokens.


  3. Save your changes.    

Next steps

Upload the OATH Seed values for the HID hard tokens to user profiles on the Account Management (Help Desk) page as described in Provision and assign HID hard tokens to user profiles.   



Provision and assign HID hard tokens to user profiles 

Use the Account Management (Help Desk) page to upload OATH Seed values of HID hard tokens to user profiles. 

  1. Log in to the Account Management realm, enter the username of the profile to update, and click Get User.
  2. In the OATH Seed field, enter the decrypted OATH Seed value that matches the serial number of the HID hard token, taken from the CSV file (batch) or the command-line output (single).
  3. Click Update.
    The user profile now contains the OATH Seed of the HID hard token and can be used for identity validation in other SecureAuth IdP realms for access to a protected resource. 