Friday, July 6, 2012

Change the Admin Key or it’s over??

I have done a bit of work recently demonstrating provisioning and managing smartcards with Native Windows tools and tools provided for free by the SmartCard Vendor.

The ability to change the Admin Key is not provided for by the default tool from Gemalto. Changing the Admin Key is required to prevent compromise of a card.

Part of the “Temporary” card issue procedure used the PIN Unblock process to allow access to a card for provisioning and issue to a new user; this was achieved by accessing the card with the default Admin Key.

If a SmartCard were found in public, anybody with Google-fu and access to the Gemalto site could change the PIN and gain access to the resources the user has access to. Possibly even remotely :(

There are other people who mention this “Vulnerability” online and even point to reasons the vendors don’t provide the feature, to the point of claiming it to be all about the money. One example is a blog post by Jason Fossen where he says:
“Some smart card vendors and resellers deliberately refuse to give away (or to sell cheaply) a tool to change the default Administrator PIN. Why? It's a devious marketing trick to get you to try out their cards and then hopefully you'll come back to buy their PKI management suite, which of course includes this tool. This is devious because it is done deliberately, the web sites of these vendors and resellers scarcely mention the risk of not changing the default Administrator PIN (if at all), and often the salespeople of these vendors/resellers only discuss the risk after you've purchased the cards and done your testing.”

Of course my solution is the same as his, but I'm telling you about it because shortly I will document the Medium Business answer in my view, which will include the use of vSEC:CMS by Versatile Security.

Download vSEC:CMS K Series and use the free tool to change the Admin PIN.

I don’t think it is the end of the world in a smaller environment to leave the Admin Key at the defaults either, which I will discuss in detail in the next day or so.

Of course, now that you know how to change it, I would, because it is no additional effort, but it would mean using a tool from a third party and a little more documentation rigor.

Perhaps a job for me on the weekend.

2 comments:

  1. Hi, I have the same problems at our company. We want to roll out approx. 250 .NET smartcards to use as our primary authentication.
    Everything is working fine. Only changing the admin key failed.
    We also tried the vSEC:CMS K Series tool, but it also failed. The "Change Key" button is always greyed out.
    So can you give me an update?
    Greetings
    Kai

  2. Have you tried to change the key before you provision a Certificate to it?
