FIM CM Smart Card Masterkeys

Hello everybody,

I have a question regarding FIM CM. Currently I'm implementing FIM CM in our customer's infrastructure and everything works like it should :-).

But there was a question coming up regarding Smart Card Masterkeys. Does anybody know how FIM CM handles these keys? I've never heard about them.

To clarify my question:

- we have the User PIN, with which the user authenticates together with the Smart Card

- we have the Admin PIN, also known as PUK, for Smart Card initialization and Challenge/Response to reset the PIN of the Smart Card

- then there should be a Masterkey, which I've never heard of. Our customer claims that anybody who has this Masterkey has full control over the Smart Card, and he wanted to know if FIM CM randomizes this key or whatever it does with it.

Can anybody answer this question for me or clarify this PIN/PUK/KEY chaos?

Thank you very very much in advance!

Tom



  • Edited by ThomasIW Tuesday, June 02, 2015 12:45 PM Further information, correcting typos
June 2nd, 2015 12:43pm

Hi,

First of all, thank you everybody for your thoughts. How FIM handles the Admin Key is familiar to me, but I am not talking about the Admin Key. I'm talking about the Master Key. Our customer claims that the KEK and MAC of the card for secure communication between the smart card and the minidriver are derived from the masterkey, which is stored on the card and which you need to roll out the file system on the smart card.

I don't know if the masterkeys of the cards which we are using (Gemalto IDPrime .NET) are familiar or if they are changed through the rollout of the filesystem. I also sent a message to Gemalto. Hopefully they have an answer for me. If they do, I will post it here :-).

I think this is a pretty deep topic in smart card security. I hope I have clarified what I meant by the term "master key".

Thanks to everybody in advance!

Tom

June 3rd, 2015 4:15am

Just to be sure: by "Master key" you mean the key that is used during the card initialization process (loading OS to card / wiping card)?

Martin

June 3rd, 2015 4:19am

Hi Martin,

Yes, that's it. The key which is used for the very first initialization and the key from which KEK and MAC are derived.

Cheers,

Tom

June 3rd, 2015 4:22am

Do you use BaseCSP or custom middleware?

June 3rd, 2015 4:32am

We use BaseCSP, respectively the Gemalto minidriver.

June 3rd, 2015 4:36am

AFAIK if you use BaseCSP, the card operating system is not reloaded; the card is only wiped and the AdminKey is changed. See https://msdn.microsoft.com/en-us/library/windows/desktop/bb468064%28v=vs.100%29.aspx for the process description.

Martin

June 3rd, 2015 5:31am
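The wipe-and-rekey step Martin describes (the card keeps its OS, only the admin key is replaced) rests on the minidriver's admin challenge/response. The Go program below is an added simulation, not code from this thread, from FIM CM or from Gemalto. It models a card that ships with a vendor default admin key, authenticates the issuer once with that key, and then has its admin key replaced by a per-card value so the default key no longer works and one card's key does not open another. Assumptions: the response is the 3DES-ECB encryption of the card's 8-byte challenge (the minidriver convention, treat the exact wire format as an assumption); per-card key diversification uses HMAC-SHA256 of the card serial under an issuer secret (a stand-in, not CM's or an HSM's real scheme); the default key, serial and issuer secret are constructed values.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card models only the card-side state relevant to admin authentication.
type Card struct {
	Serial    []byte
	adminKey  []byte // 24-byte 3DES admin key; never leaves the card
	challenge []byte // outstanding challenge, cleared after one use
	adminAuth bool   // true between a successful response and the next privileged op
}

// DeriveAdminKey diversifies a per-card admin key from an issuer secret.
// Assumption: HMAC-SHA256 truncated to 24 bytes (DES parity bits are not set;
// Go's des package ignores them).
func DeriveAdminKey(issuerSecret, serial []byte) []byte {
	m := hmac.New(sha256.New, issuerSecret)
	m.Write(serial)
	return m.Sum(nil)[:24]
}

// ComputeResponse encrypts the 8-byte challenge as one 3DES block (ECB over a
// single block), the response form assumed for the minidriver admin challenge.
func ComputeResponse(adminKey, challenge []byte) ([]byte, error) {
	if len(challenge) != des.BlockSize {
		return nil, errors.New("challenge must be 8 bytes")
	}
	block, err := des.NewTripleDESCipher(adminKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, challenge)
	return out, nil
}

// GetChallenge issues a fresh random challenge (card side).
func (c *Card) GetChallenge() ([]byte, error) {
	c.challenge = make([]byte, des.BlockSize)
	if _, err := rand.Read(c.challenge); err != nil {
		return nil, err
	}
	return append([]byte(nil), c.challenge...), nil
}

// AuthenticateChallenge verifies the host's response (card side). The challenge
// is single-use, so a captured response cannot be replayed later.
func (c *Card) AuthenticateChallenge(response []byte) error {
	if c.challenge == nil {
		return errors.New("no outstanding challenge")
	}
	expected, err := ComputeResponse(c.adminKey, c.challenge)
	c.challenge = nil
	if err != nil {
		return err
	}
	if !hmac.Equal(expected, response) {
		return errors.New("admin authentication failed")
	}
	c.adminAuth = true
	return nil
}

// ChangeAdminKey replaces the admin key; requires a prior admin authentication.
func (c *Card) ChangeAdminKey(newKey []byte) error {
	if !c.adminAuth {
		return errors.New("admin authentication required")
	}
	if len(newKey) != 24 {
		return errors.New("admin key must be 24 bytes")
	}
	c.adminKey = append([]byte(nil), newKey...)
	c.adminAuth = false // privilege does not persist past the key change
	return nil
}

// HostAuthenticate runs the host side of the exchange with a candidate key.
func HostAuthenticate(card *Card, adminKey []byte) error {
	ch, err := card.GetChallenge()
	if err != nil {
		return err
	}
	resp, err := ComputeResponse(adminKey, ch)
	if err != nil {
		return err
	}
	return card.AuthenticateChallenge(resp)
}

// Enroll simulates first issuance: authenticate with the vendor default key,
// then rotate the card to its diversified per-card admin key.
func Enroll(defaultKey, issuerSecret, serial []byte) (*Card, error) {
	card := &Card{Serial: serial, adminKey: append([]byte(nil), defaultKey...)}
	if err := HostAuthenticate(card, defaultKey); err != nil {
		return nil, err
	}
	if err := card.ChangeAdminKey(DeriveAdminKey(issuerSecret, serial)); err != nil {
		return nil, err
	}
	return card, nil
}

func main() {
	defaultKey := []byte("0123456789abcdef01234567")      // constructed vendor default
	issuerSecret := []byte("issuer secret (constructed)") // constructed
	card, err := Enroll(defaultKey, issuerSecret, []byte("CARD-0001"))
	if err != nil {
		panic(err)
	}
	fmt.Println("default key after enrollment:", HostAuthenticate(card, defaultKey))
	fmt.Println("per-card key:", HostAuthenticate(card, DeriveAdminKey(issuerSecret, card.Serial)))
}
```

The two checks worth carrying over to a real deployment are the ones the test exercises: once enrollment completes, the vendor default key must be rejected, and a key derived for a different serial must be rejected as well, otherwise a single leaked key would unlock every card in the fleet.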
