FIM CM Smart Card Masterkeys

Hello everybody,

I have a question regarding FIM CM. Currently I'm implementing FIM CM in our customer's infrastructure and everything works like it should :-).

But a question came up regarding Smart Card Masterkeys. Does anybody know how FIM CM handles these keys? I've never heard of them.

To clarify my question:

- we have the User PIN, with which the user authenticates together with the Smart Card

- we have the Admin PIN, also known as PUK, for Smart Card initialization and Challenge/Response to reset the PIN of the Smart Card

- then there should be a Masterkey, which I've never heard of. Our customer claims that anybody who has this Masterkey has full control over the Smart Card, and he wanted to know whether FIM CM randomizes this key or whatever it does with it.

Can anybody answer this question for me or clarify this PIN/PUK/KEY chaos?

Thank you very very much in advance!

Tom



  • Edited by ThomasIW 18 hours 39 minutes ago Further information, correcting typos
June 2nd, 2015 8:45am

Hi,

Admin key and master key are the same thing, almost. Admin key is the term used in the Base Smart Card specs from Gemalto/Microsoft, and I think master key was used by Aladdin before, or by other vendors.

To check your FIM settings:

In the FIM admin web GUI go to Profile Templates, in the Profile details click Smart Card Configuration and check whether the Diversify Admin Key check box is enabled.

Hth,

Lutz

June 2nd, 2015 6:24pm
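To make the "Diversify Admin Key" distinction concrete, here is an added illustration (not part of the original thread and not FIM CM's or the Base CSP's actual code): a master key held by the CM server, a per-card admin key derived from that master key and the card serial with HMAC-SHA256, and a simplified challenge/response check of the kind used for PIN unblock. The 24-byte key length, the HMAC construction, the `"admin-key"` label and the serial values are all assumptions made for this example; a real card uses the vendor's Triple-DES scheme. The point it shows is the risk behind the customer's question: with diversification off, every card carries the same admin key, so one disclosed key controls all cards, whereas with it on, a key taken from one card says nothing about any other.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: admin keys are 24 bytes (Triple-DES sized).
ADMIN_KEY_LEN = 24


def diversify_admin_key(master_key: bytes, card_serial: bytes) -> bytes:
    """Derive a card-specific admin key from the master key and card serial.

    Hypothetical construction: HMAC-SHA256(master_key, "admin-key" || serial),
    truncated to the admin key length. Same master key + same serial always
    gives the same admin key, so the server never has to store per-card keys.
    """
    if len(master_key) < 16:
        raise ValueError("master key must be at least 16 bytes")
    mac = hmac.new(master_key, b"admin-key" + card_serial, hashlib.sha256)
    return mac.digest()[:ADMIN_KEY_LEN]


def admin_key_for_card(master_key: bytes, card_serial: bytes, diversify: bool) -> bytes:
    """Admin key written to a card at initialization.

    diversify=False models the check box being off: the raw master key goes
    onto every card. diversify=True models it being on.
    """
    if diversify:
        return diversify_admin_key(master_key, card_serial)
    return master_key[:ADMIN_KEY_LEN]


def cards_share_admin_key(master_key: bytes, serials: list, diversify: bool) -> bool:
    """True if any two cards in the fleet end up holding the same admin key."""
    keys = {admin_key_for_card(master_key, s, diversify) for s in serials}
    return len(keys) < len(serials)


def card_challenge() -> bytes:
    """The card produces a fresh random challenge for an unblock operation."""
    return secrets.token_bytes(8)


def host_response(admin_key: bytes, challenge: bytes) -> bytes:
    """Simplified response: HMAC of the challenge under the admin key (8 bytes).

    Real cards compute a Triple-DES based response; this stands in for it.
    """
    return hmac.new(admin_key, challenge, hashlib.sha256).digest()[:8]


def card_verify(admin_key: bytes, challenge: bytes, response: bytes) -> bool:
    """The card checks the host's response in constant time before unblocking."""
    return hmac.compare_digest(host_response(admin_key, challenge), response)


if __name__ == "__main__":
    # Constructed sample values, not real keys or serials.
    master = bytes.fromhex("00" * 8 + "112233445566778899aabbccddeeff00")
    fleet = [b"SERIAL-0001", b"SERIAL-0002", b"SERIAL-0003"]
    print("shared key, diversify off:", cards_share_admin_key(master, fleet, False))
    print("shared key, diversify on: ", cards_share_admin_key(master, fleet, True))
    key = admin_key_for_card(master, fleet[0], True)
    chal = card_challenge()
    print("unblock accepted:", card_verify(key, chal, host_response(key, chal)))
```

Running it shows `True` for the non-diversified fleet and `False` for the diversified one, which is exactly the difference the check box in the Profile Template controls.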

Moreover, PUKs are stored encrypted in the FIM database and are decryptable only with the FIM CM Agent certificate and private key. If you are concerned about the security of the private key, you can use an HSM in order to protect the FIM CM Agent and certificate.

An intro into HSM/FIMCM topic can be found at:

(nCipher)

http://social.technet.microsoft.com/wiki/contents/articles/1730.installing-and-configuring-an-ncipher-hardware-security-module-hsm-with-fim-cm-2010.aspx

(SafeNet)

http://social.technet.microsoft.com/wiki/contents/articles/1731.installing-and-configuring-a-lunasa-hardware-security-module-hsm-with-fim-cm-2010.aspx

More thorough walkthrough (by Brian Komar): http://www.amazon.com/Deploying-Microsoft-Forefront-Certificate-Management/dp/1450533086. There was an eBook downloadable directly from the Thales site, but I'm unable to find it.

Martin

June 3rd, 2015 2:44am
