HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

re: HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

pfox — Fri, 20 Jul 2012 19:19:30 GMT

The NIST PIV Test Cards used in this whitepaper are now available. More information can be found at csrc.nist.gov/.../testcards.html

Paul

re: HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

pfox — Mon, 23 Apr 2012 15:34:32 GMT

Script Kitty

Thank you for your feedback and question. When NIST releases the PIV Test Cards to the public they will publish documentation explaining how the cards are configured. This white paper was developed with the draft release of that document. NIST Test PIV Cards 3 & 7 implement the Discovery Object which says the Global PIN is primary. The smart card minidriver was developed to the 800-73-2 specifications and the Discovery Object was/is an optional feature that was not implemented. Therefore to unlock the PIV Card Applications the PIV Card Application PIN is used. The following is from the draft NIST PIV Test Cards documentation.

Card PIV Card Application PIN Global PIN

Test Card 3 90909090 111111

Test Card 7 90909090 111111

For cards 3 & 7 the Global PIN is the primary based upon the Discovery Object. More information about the Discovery Object can be found in section 3.2.6 of NIST SP800-73-3 (csrc.nist.gov/.../sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf).

I have revised the white paper. Thank you for bringing this to my attention.

Paul

re: HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

Script Kitty — Thu, 22 Mar 2012 16:57:31 GMT

Very nice article.

One thing that confuse me (ok there is more than one), but the one that really stands out is the GLOBAL PIN.

From the little info I can find and make sense of, it looks like this is a second "user" PIN. And it seems to be a recent addition to the cards.

Here, in our secret underground lair (Moms Basement), we have begun to notice “issues” where the users are changing their PINS with Windows Mini-Driver, and then have trouble when the “badge office” has to do card work. It looks like Windows is only seeing / changing the User PIN, and leaving the Global PIN alone. Which later makes it confusing when you go to the “badge office” and they use both PINS.

Question:

Has anyone else started to see this?

Is there plans to evolve the HSPD-12 Mini-driver to see the Global PIN?

Does anyone know of a Mini-driver that does see the Global PIN?

And does anyone plan on using it?