BlackShield ID SMS Token Guide

© 2010 CRYPTOCard Corp. http://www.cryptocard.com bsid-tg-sms-v01. All rights reserved.


™ Security without Complexity

BlackShield ID SMS Token Guide i

Copyright

Copyright © 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

CRYPTOCard and the CRYPTOCard logo are registered trademarks of CRYPTOCard Inc. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement

This software and the associated documentation are proprietary and confidential to CRYPTOCard, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by CRYPTOCard.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Contact Information

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441

North America Toll Free: 1-800-307-7042

[email protected]

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.


Publication History

Date               Changes           Version
February 26, 2010  Document created  1.0


Table of Contents

Overview  1
SMS Token Deployment Process  1
SMS Token Authentication Process  2
Applicability  5
Preparation and Prerequisites  5
Configuring SMS Functionality  5
    SMS Gateway configuration examples  6
        Clickatell  6
        SMS Telnet Modem  6
Managing SMS tokens  7
    Creating a SMS token  7
    Deploying a SMS token  7
Modes of Operation  8
Configuring Modes of Operation  9
    SMS No Waiting  9
    SMS No Waiting Plus  9
    SMS Challenge-Response  10
    SMS Single Sign On  12
Customizing Messages  13
    Default message  13
    How to customize  14
        Customizing the message  14
Troubleshooting  15
    Messages are not sending to users  15
    Cannot create an SMS token  15
    Can’t assign an SMS token to a user  15


Overview

BlackShield ID supports sending token codes to mobile phones via SMS messages. This allows the user to use their phone as a hardware token without requiring any additional software on the phone. When the user authenticates with a token code from their phone, another is sent from the BlackShield ID server to the phone via an SMS message and is ready to be used at the user’s leisure.

SMS Token Deployment Process

Diagram 1.0 – SMS Token Deployment Process

1. The BlackShield ID administrator assigns a token from the inventory to a user. If no SMS token is available from inventory, follow the procedures in the ‘Creating a SMS token’ section.

2. Upon assigning the token to the user, the SMS token is delivered immediately to the user’s phone.


SMS Token Authentication Process

SMS No Waiting/No Waiting Plus

Diagram 2.0 – SMS No Waiting/No Waiting Plus authentication process

1. A user attempts to authenticate using their user name and SMS OTP.

2. After successfully authenticating, the user then receives:
   a. their next SMS token code if using ‘No Waiting’ mode, or
   b. their next 5 SMS token codes if using ‘No Waiting Plus’ mode.


SMS Challenge Response

Diagram 3.0 – SMS Challenge-Response authentication process

1. A user attempts to authenticate using only their user name (blank password).

2. The BlackShield ID server immediately sends the user a token code to be used.

3. The user then uses their OTP to authenticate.


SMS Single Sign On

Diagram 4.0 – SMS Single Sign On authentication process

1. A user attempts to authenticate using their LDAP user name and password.

2. If the LDAP credentials are correct, the user is then sent a new token code.

3. The user then uses their OTP to authenticate.


Applicability

This integration guide is applicable to:

Summary

Authentication Server: BlackShield ID Pro
Minimum server version: 2.6.392 or higher
Supported Mobile Phones: Any mobile phone which is able to receive SMS messages
Additional Software Components: N/A
Supported Token modes: SMS No Waiting, SMS No Waiting Plus, SMS Challenge Response, SMS Single Sign On
Supported SMS Modems (Tested): MultiTech Systems MTCBA-G-U-F4 (Quad Band)
Supported 3rd party SMS Gateways: Clickatell, AQL, TynTec
Required token types: MP (must have available MP token capacity)

Preparation and Prerequisites

1. The SMS settings within the System Admin tab are configured correctly.
   a. You can verify the settings are correct by using the test functionality.
   b. Enter a test phone number, then click Test.

2. You have an available MP token within your inventory.
   a. Refer to the ‘Creating a SMS token’ section.

3. The user you are assigning an SMS token to has a cell phone number assigned.

Configuring SMS Functionality

Before you begin working with SMS tokens, you will need to configure the SMS functionality.

1. Log into the BlackShield ID Manager via Start Menu | All Programs | CRYPTOCard | BlackShield ID | BlackShield ID Manager.

2. Click the System Admin tab.

3. Click the Configure button within the SMS Settings section.

4. Select either the correct SMS modem or a 3rd party SMS gateway provider from the drop down list. If your selection requires input of connection information, enter that now, then click the Save button. (The Save button becomes active after making a selection.)

SMS Gateway configuration examples

Here are the connection setting details for some of our SMS provider options.

Clickatell

Field      Example value                           Notes
User name  Something123                            Can contain letters and numbers. Provided by Clickatell.
Password   PassWord123                             Can contain letters and numbers. Provided by Clickatell.
SMS URL    http://api.clickatell.com/http/sendmsg  The current URL that Clickatell uses. It normally won’t change.
API ID     1234567                                 Normally a 7 digit number. Provided by Clickatell.

SMS Telnet Modem

Field              Example value    Notes
Remote Modem Host  123.123.123.123  IP address of the SMS Telnet modem.
Remote Modem Port  5000             Port the SMS Telnet modem is listening on.


Managing SMS tokens

Creating a SMS token

To assign SMS tokens to a user, you must first create an SMS token in the token availability pool.

1. Open the BlackShield ID console manager and log in using an operator account.

2. Click the Assignment tab.

3. Click the Create button within the Token Mgt section.

4. Select SMS Token, then select Create. You should see a message which says ‘A token 76xxxxxx has been successfully created successfully’.

5. Click the Close button.

6. You have now created an SMS token and can assign it to a user.

Deploying a SMS token

Deploying a SMS token is done simply by assigning one to a user, because the act of assigning an SMS token triggers the BlackShield ID server to instantly send the user a text message with their SMS token code.

1. Open the BlackShield ID console manager and log in using an operator account.

2. Click the Assignment tab.

3. Within the user assignment search, locate the user you wish to assign the SMS token to.

4. Locate the SMS token within the token availability list by using the Token Search functionality.

5. Click the user on the left, click the token from the list in the middle, and then click the Assign button on the right.

6. The SMS message will immediately be sent to the user with a one-time password.


Modes of Operation

There are 4 modes of operation for the SMS tokens. These modes allow you to achieve The mode of operation is not necessarily one configuration option, but rather a set of configuration options that together form a mode.

Mode: SMS No Waiting

In this mode a new passcode is delivered by SMS immediately following each successfully authenticated logon. The advantage is that a user always has a valid passcode (which cannot be used without their secret PIN) on their phone. This method most closely mimics a traditional logon.

Mode: SMS No Waiting Plus

This mode is very similar to SMS No Waiting, except that it will send 5 passcodes in each SMS message. This is ideal for users that are frequently in areas with sporadic or unreliable SMS delivery, because they are not dependent on the SMS service until all passcodes have been consumed.

Mode: SMS Challenge-Response

This method is ideal for organizations that want delivery of the OTP to occur during the logon process. Only after the user has submitted their valid UserID is the passcode delivered by SMS, allowing the user to submit their OTP and complete the logon process. This method has the added benefit of a passcode “time-to-live”, not only limiting the passcode to a single use, but also requiring the passcode to be consumed within a limited period of time. If it is not used within the time-to-live period, the passcode automatically expires and cannot be used for authentication.

Mode: SMS Single Sign On

This method is a variation of SMS Challenge/Response that lets organizations take advantage of 2-stage SSO authentication supported by leading SSL VPN and on-demand computing solutions from vendors such as Juniper Networks™, Fortigate™, Cisco Systems™, Citrix™ and others. In this mode users must submit their Logon ID and Active Directory password. If this is validated by Active Directory, BlackShield ID sends a time-limited passcode to the user, who combines this with their PIN and submits it as a second stage of authentication. The result is all of the benefits of SSO with the added security and protection of one-time passwords and the convenience and economy of SMS.


Configuring Modes of Operation

SMS No Waiting

This mode of operation really only has one item which needs configuring. After completing these procedures, users will get a text message with 1 new OTP after successfully authenticating.

1. Log into the BlackShield ID Manager via Start Menu | All Programs | CRYPTOCard | BlackShield ID | BlackShield ID Manager.

2. Click the System Admin tab.

3. Click the Configure button within the SMS Settings section.

4. Select either the correct SMS modem or a 3rd party SMS gateway provider from the drop down list. If your selection requires input of connection information, enter that now, then click the Save button. (The Save button becomes active after making a selection.)

SMS No Waiting Plus

This mode of operation requires the same procedures as SMS No Waiting; the only change is that the number of OTPs per SMS is changed from 1 to 5. After completing these procedures, users will get a text message with 5 new OTPs after successfully authenticating.

1. Log into the BlackShield ID Manager via Start Menu | All Programs | CRYPTOCard | BlackShield ID | BlackShield ID Manager.

2. Click the System Admin tab.

3. Click the Configure button within the SMS Settings section.

4. Select either the correct SMS modem or a 3rd party SMS gateway provider from the drop down list. If your selection requires input of connection information, enter that now, then click the Save button. (The Save button becomes active after making a selection.)

5. Click the pull down menu beside OTP’s per SMS and select 5, then click the upper right Apply button.

SMS Challenge-Response

This mode of operation requires a small change within the SMS token templates. After completing these procedures, users will receive an OTP to use for authentication after providing only their UserID during a logon request.

NOTE: These setting changes will only affect newly created SMS tokens. They will not apply to already created tokens.

1. Log into the BlackShield ID Manager via Start Menu | All Programs | CRYPTOCard | BlackShield ID | BlackShield ID Manager.

2. Click the System Admin tab.

3. Click the Configure button within the SMS Settings section.

4. Select either the correct SMS modem or a 3rd party SMS gateway provider from the drop down list. If your selection requires input of connection information, enter that now, then click the Save button. (The Save button becomes active after making a selection.)

5. Click the Policy Admin tab, which is located along the top with all the other tabs.

6. Within the Token Templates section, click the pull down menu beside Type and select SMS, then click the Edit button.

7. Click the pull down beside Mode and select Challenge Response. Then click the Apply button.

8. Click the System Admin tab to reveal the Time to live and Challenge interval settings.

SMS Time to Live: The amount of time in minutes a sent OTP is valid for. Default is 5 minutes.

SMS CR Interval: How many minutes a user must wait to ask for a new token code. This mitigates OTP request flooding. Default value is 0 for no limit.

9. You can now create new SMS tokens, which will be configured as Challenge-Response tokens.
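The Challenge-Response flow from the mode table and from steps 1 to 9 above, as an added example that is not part of this guide or of the BlackShield ID product: a Python model of the server side, enforcing the SMS Time to Live and SMS CR Interval settings, single use of each code, and the OTP=[PIN][TokenCode] format of the default message. Class and function names, the 8-digit code length and the epoch-seconds clock passed in as `now` are assumptions.

```python
# Added example, not CRYPTOCard/BlackShield ID code: a model of the server side
# of SMS Challenge-Response with the two System Admin settings from this guide,
# "SMS Time to Live" (minutes a sent OTP stays valid, default 5) and
# "SMS CR Interval" (minutes a user must wait before asking for another code,
# default 0 = no limit). Names, the 8-digit code length and the epoch-seconds
# clock passed in as `now` are assumptions.
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass
class IssuedCode:
    code: str           # token code that was sent by SMS
    issued_at: float    # epoch seconds when it was sent
    used: bool = False  # single use: set on the first successful logon


class SmsChallengeResponse:
    def __init__(self, time_to_live_min=5, cr_interval_min=0, code_digits=8):
        self.ttl_s = time_to_live_min * 60
        self.interval_s = cr_interval_min * 60
        self.code_digits = code_digits
        self._pins = {}          # user_id -> server-side PIN
        self._issued = {}        # user_id -> IssuedCode still open for that user
        self._last_request = {}  # user_id -> epoch seconds of the last code request

    def register_user(self, user_id, pin):
        self._pins[user_id] = pin

    def request_code(self, user_id, now):
        """Stage 1: the user submits only their user name (blank password).
        Returns the SMS text to send, or None when no code is sent."""
        if user_id not in self._pins:
            return None
        last = self._last_request.get(user_id)
        if self.interval_s and last is not None and now - last < self.interval_s:
            return None  # CR Interval not elapsed: mitigates OTP request flooding
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_digits))
        self._issued[user_id] = IssuedCode(code, now)  # replaces any earlier open code
        self._last_request[user_id] = now
        # Same layout as the guide's default token code message; the PIN is not sent.
        return f"BlackShield ID\nUser ID: {user_id}\nTokenCode: {code}\nOTP=[PIN][TokenCode]"

    def verify(self, user_id, otp, now):
        """Stage 2: the user submits PIN + TokenCode as one OTP."""
        rec = self._issued.get(user_id)
        if rec is None or rec.used:
            return False
        if now - rec.issued_at > self.ttl_s:
            del self._issued[user_id]  # Time to Live elapsed: the code has expired
            return False
        expected = (self._pins[user_id] + rec.code).encode()
        if not hmac.compare_digest(expected, otp.encode()):
            return False
        rec.used = True  # the same code cannot be replayed
        return True


def token_code_from_sms(sms_text):
    """What the user reads off their phone: the TokenCode line of the message."""
    m = re.search(r"TokenCode: (\d+)", sms_text)
    return m.group(1) if m else None
```

With the guide's default CR Interval of 0, `request_code` never refuses a request, which is the setting the guide says to raise when OTP request flooding is a concern.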

SMS Single Sign On

This mode of operation requires a few changes within the Pre-Authentication Rules. After completing these procedures, users will receive an OTP to use for authentication after first providing their LDAP password (most likely their Microsoft A/D password).

1. Log into the BlackShield ID Manager via Start Menu | All Programs | CRYPTOCard | BlackShield ID | BlackShield ID Manager.

2. Click the System Admin tab.

3. Click the Configure button within the SMS Settings section.

4. Select either the correct SMS modem or a 3rd party SMS gateway provider from the drop down list. If your selection requires input of connection information, enter that now, then click the Save button. (The Save button becomes active after making a selection.)

5. Click the Configure button within the Pre-Authentication Rules section.

6. A new Pre-Authentication rule window now appears.

Note: This section simply shows you what rule you will require to allow SMS messages to be used in Single Sign On mode. Please consult the Administrator’s Guide for further information on working with Pre-Authentication rules.


7. Click the Enable Pre-authentication Rules check box, and then click the Add button. Another window will appear where you can create your rule.

8. Give your rule a name such as ‘SMS Single Sign On’.

9. Click the pull down beside Filter and select LDAP password pass through.

10. Leave all values default except change the last pull down to force challenge response.

11. Click Add, then click Done.

Customizing Messages

Default message

The default token assignment message appears as follows:

    BlackShield ID
    User ID: <USER_ID>
    Initial PIN: <PIN>
    TokenCode: <NEXT_OTP>
    OTP=[PIN][TokenCode]

USER_ID = The user who was assigned the token
PIN = The user’s initial PIN
TokenCode = The current token code

The default token code message appears as follows:

    BlackShield ID
    User ID: <USER_ID>
    TokenCode: <NEXT_OTP>
    OTP=[PIN][TokenCode]

USER_ID = The user who was assigned the token
TokenCode = The current token code

Note: With this message the PIN is not displayed.


How to customize

There are multiple files where you can customize SMS message text. Based on whether tokens use server side PINs and which authentication mode you are using, a different pre-defined text is used.

Here is a list of files and line numbers. All files are located in C:\Program Files\CRYPTOCard\BlackShield ID\Languages\en

Message                                              File                   Line
Initial assignment of token with PIN                 assignmentDynamic.ccl  128
Initial assignment of token without PIN              assignmentDynamic.ccl  135
SMS No Waiting – 1 token code – With PIN message     TokenValidator.ccl     33
SMS No Waiting – 1 token code – Without PIN message  TokenValidator.ccl     34
SMS No Waiting plus – 5 token codes                  TokenValidator.ccl     35
SMS Challenge/Response/Single Sign-on                TokenValidator.ccl     36

Customizing the message

1. Using a text editor, open the appropriate CCL file.

2. Scroll down until you see the line number, e.g. 33= or 135=.

3. All text after the ‘=’ sign is what will be displayed in the SMS message.

NOTE: Text messages are limited to 160 characters; longer text has to be sent as an additional message.
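As an added example, not code from this guide or from the product, a Python checker for one customized message line in the form the guide describes (line number, ‘=’, message text): it fills the guide’s placeholders <USER_ID>, <PIN> and <NEXT_OTP>, flags a token code template that would carry the PIN, and reports when the rendered text exceeds 160 characters. How the product expands <NEXT_OTP> for five codes, the 153-character concatenated-segment size, and the function names are assumptions.

```python
# Added example, not BlackShield ID code: render and lint one message line of an
# SMS language CCL file in the form this guide describes ("33=message text").
# The placeholders <USER_ID>, <PIN> and <NEXT_OTP> are the ones in the guide's
# default messages. Assumptions: several codes are expanded one per line, and
# text over 160 characters is split into 153-character concatenated segments.
import math
import re

SINGLE_SMS_LIMIT = 160  # guide: 160 characters before an additional message is needed
CONCAT_SEGMENT = 153    # assumption: usual GSM 7-bit concatenated segment size


def parse_ccl_line(line):
    """Split 'NN=message text' into (line number, message template)."""
    m = re.match(r"^\s*(\d+)=(.*)$", line, re.DOTALL)
    if not m:
        raise ValueError(f"not a CCL message line: {line!r}")
    return int(m.group(1)), m.group(2)


def render(template, user_id, next_otps, pin=None):
    """Fill the guide's placeholders with values for one user."""
    text = template.replace("<USER_ID>", user_id)
    text = text.replace("<NEXT_OTP>", "\n".join(next_otps))  # assumption for 5 codes
    if pin is not None:
        text = text.replace("<PIN>", pin)
    return text


def sms_segments(text):
    """Number of SMS messages needed for the rendered text."""
    n = len(text)
    return 1 if n <= SINGLE_SMS_LIMIT else math.ceil(n / CONCAT_SEGMENT)


def lint_template(template, is_assignment_message, codes_per_sms=1, sample_user_id="jsmith"):
    """Problems a customized message line would cause, as a list of strings."""
    problems = []
    if "<PIN>" in template and not is_assignment_message:
        # Only the initial assignment message should carry the PIN (guide: "With
        # this message the PIN is not displayed"); a later code message must not.
        problems.append("token code message would disclose the PIN over SMS")
    if "<NEXT_OTP>" not in template:
        problems.append("no <NEXT_OTP> placeholder, so no token code would be sent")
    sample = render(template, sample_user_id, ["0" * 8] * codes_per_sms, pin="0000")
    if len(sample) > SINGLE_SMS_LIMIT:
        problems.append(f"{len(sample)} characters: would be sent as "
                        f"{sms_segments(sample)} messages")
    return problems
```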

Applying the message changes

After any changes are made within the SMS language CCL files, you must do the following:

1. Open IIS Manager, and expand Application Pools.

2. Right click on BlackShield ID and click Recycle.

3. Right click on TokenValidator and select Recycle.


Troubleshooting

Messages are not sending to users

If messages are not sending to users, test the SMS capabilities with a phone number you can test with:

1. Log into the BlackShield ID manager.

2. Click the System Admin tab.

3. Within the Phone Number box in the SMS Settings section, enter the phone number of the user you are having trouble with, then click Test.

4. If everything is configured correctly for SMS, it should return a message saying ‘Test message sent’.

5. If the test goes through successfully but the message is still not received by the phone, there is a problem with the phone’s carrier. Contact the carrier to troubleshoot further.

Cannot create an SMS token

If, after you click the Create button within the Assignment tab, you are not able to create an SMS token, it means that you have not configured the SMS functionality within the System Admin tab. Refer to ‘Configuring SMS Functionality’ above to configure the SMS functionality.

Can’t assign an SMS token to a user

If, after you have selected a user to give an SMS token to, the Assign button remains inactive (greyed out), then this user most likely does not have a phone number in the Mobile field. If this user is an LDAP user, they will need this configured via Active Directory. If they are a SQL user, edit the user via the Edit button and input their Mobile number.