Tokens, electronic keys for accessing important information, are becoming increasingly popular in Russia. A token is now not only a means of authentication in a computer's operating system, but also a convenient device for storing and presenting personal information: encryption keys, certificates, and licenses. Tokens are more reliable than the standard “login / password” pair because of the two-factor authentication mechanism: the user must not only have the storage medium (the token itself), but also know the PIN code.
There are three main form factors in which tokens are issued: USB token, smart card and key fob. PIN protection is most commonly found in USB tokens, although recent USB tokens are available with RFID tag capability and LCD display to generate one-time passwords.
Let's dwell on the principles of functioning of tokens with a PIN code. A PIN is a specially assigned password that breaks down the authentication procedure into two stages: attaching a token to a computer and entering the actual PIN.
The most popular token models on the modern electronic market of Russia are Rutoken, eToken from Aladdin, and an electronic key from Aktiv. Let's consider the most frequently asked questions regarding PIN codes for a token using the example of tokens from these manufacturers.
1. What is the default PIN?
The table below provides information on the default PIN codes for Rutoken and eToken tokens. The default password is different for different owner levels.
Token | User | Administrator |
Rutoken | 12345678 | 87654321 |
eToken | 1234567890 | By default, no administrator password is set. It can be set via the control panel only for the eToken PRO, eToken NG-FLASH and eToken NG-OTP models. |
JaCarta PKI | 11111111 | 00000000 |
JaCarta GOST | Not set | 1234567890 |
JaCarta PKI / GOST | For PKI functionality: 11111111; when using JaCarta PKI with the Backward Compatible option: 1234567890; for GOST functionality: PIN not set | For PKI functionality: 00000000; when using JaCarta PKI with the Backward Compatible option: PIN not set; for GOST functionality: 1234567890 |
JaCarta PKI / GOST / SE | For PKI functionality: 11111111; for GOST functionality: 0987654321 | For PKI functionality: 00000000; for GOST functionality: 1234567890 |
JaCarta PKI / BIO | 11111111 | 00000000 |
JaCarta PKI / Flash | 11111111 | 00000000 |
ESMART Token | 12345678 | 12345678 |
IDPrime card | 0000 | 48 zeros |
JaCarta PRO / JaCarta LT | 1234567890 | 1234567890 |
2. Do I need to change the default PIN? If so, at what point in the work with the token?
3. What to do if the PIN-codes on the token are unknown, but the default PIN-code has already been reset?
The only way out is to completely clear (format) the token.
4. What if the user's PIN is blocked?
You can unblock the user's PIN through the token control panel. To perform this operation, you need to know the Administrator PIN.
5. What if the Admin PIN is blocked?
You cannot unlock the Admin PIN. The only way out is to completely clear (format) the token.
6. What security measures have been taken by manufacturers to reduce the risk of brute-forcing a password?
The main points of the security policy for PIN-codes of USB-tokens of the Aladdin and Aktiv companies are presented in the table below. After analyzing the data in the table, we can conclude that the eToken will presumably have a more secure PIN code. Rutoken, although it allows you to set a password of just one character, which is unsafe, in other parameters is not inferior to the product of the Aladdin company.
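Parameter | eToken | Rutoken |
Minimum PIN length | 4 | 1 |
PIN-code composition | Letters, numbers, special characters | Numbers, letters of the Latin alphabet |
 | Greater than or equal to 7 | Up to 16 |
Administering PIN security | Yes | Yes |
Automatic blocking when the number of incorrect input attempts is exceeded | Yes | Yes |
Resetting the counter at the first successful attempt to enter the PIN code | Yes | Yes |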
The importance of keeping the PIN code secret is known to everyone who uses tokens for personal purposes, stores their electronic signature on one, or trusts an electronic key not only with personal information but also with the details of their business projects. The tokens from Aladdin and Aktiv have built-in protective properties which, together with a certain amount of caution on the user's part, reduce the risk of brute-force password guessing to a minimum.
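The lockout rules from questions 4 to 6, modelled as an added example (not code from this page or from either vendor): a retry counter that blocks at zero and resets on success, an administrator unblock, the chance of guessing a random PIN within the retry budget, and a provisioning check against the factory PINs in the table above. The limit of 10 tries is the Rutoken figure this page gives; `PinSlot`, `Token`, `guess_chance`, `pin_problems` and the 8-character minimum are hypothetical names and policy.

```python
from fractions import Fraction

# Factory PINs listed in this page's default-PIN table.
DEFAULT_PINS = {"12345678", "87654321", "1234567890", "0987654321",
                "11111111", "00000000", "0000", "0" * 48}
MAX_TRIES = 10  # Rutoken limit stated on this page; assumed for the model


class PinSlot:
    """Retry counter for one PIN: blocks at zero, resets on success."""
    def __init__(self, pin, max_tries=MAX_TRIES):
        self._pin, self.max_tries, self.tries_left = pin, max_tries, max_tries

    @property
    def blocked(self):
        return self.tries_left == 0

    def verify(self, guess):
        if self.blocked:
            return False                      # even the correct PIN is refused
        if guess == self._pin:
            self.tries_left = self.max_tries  # counter reset on success
            return True
        self.tries_left -= 1
        return False


class Token:
    """User PIN can be unblocked by the administrator; admin PIN cannot."""
    def __init__(self, user_pin, admin_pin):
        self.user, self.admin = PinSlot(user_pin), PinSlot(admin_pin)

    def unblock_user(self, admin_pin):
        if not self.admin.verify(admin_pin):
            return False                      # wrong or blocked admin PIN
        self.user.tries_left = self.user.max_tries
        return True


def guess_chance(alphabet_size, length, tries=MAX_TRIES):
    """Chance that `tries` distinct guesses hit a uniformly random PIN."""
    return min(Fraction(1), Fraction(tries, alphabet_size ** length))


def pin_problems(pin, min_length=8):
    """Provisioning check; min_length=8 is a hypothetical local policy."""
    problems = []
    if pin in DEFAULT_PINS:
        problems.append("factory default")
    if len(pin) < min_length:
        problems.append("too short")
    if len(set(pin)) == 1:
        problems.append("single repeated character")
    return problems
```

With a 62-symbol alphabet (digits plus case-sensitive Latin letters, an assumption), `guess_chance(62, 1)` is 5/31, which is why a one-character PIN stays unsafe despite the lockout; for a random 8-digit PIN the figure is 1 in 10,000,000.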
Rutoken and eToken software products are presented in various configurations and form factors. The offered assortment will allow you to choose exactly the token model that best suits your requirements, be it
Smart cards Rutoken (see Fig. 1) and Rutoken Lite (see Fig. 2) are used as carriers of key information. Detailed information about these media can be found on the website of the Aktiv company, a developer of Russian authentication tools.
Fig. 1. Rutoken. Fig. 2. Rutoken Lite.
Standard pin codes
12345678 - user PIN-code for Rutoken and Rutoken Lite, set by the manufacturer.
When a window appears with a request to enter a PIN code (see Fig. 3), you must specify the value 12345678. For convenience, check the "Remember pin" box.
Fig. 3. Window for entering a PIN code
Note for Rutoken holders: if the standard PIN code (12345678) was changed independently using the Rutoken Control Panel, then in this window you should enter the new PIN code assigned during the change. The new PIN code is known only to the subscriber and is not known to the special communication operator.
How to unlock Rutoken pin?
The pin code is blocked after 10 incorrect input attempts.
There are 2 ways to unblock Rutoken or Rutoken Lite:
How to unblock a PIN using Rutoken control panel
1. Open Start Menu > Control Panel > "Rutoken control panel". Go to the "Administration" tab, click the "Enter PIN-code" button, select the item "Administrator", enter the standard PIN code 87654321, and press OK.
2. After the administrator PIN code is entered, the "Unblock" button becomes available. Click it; a message about successful unblocking will appear.
How to unblock a PIN via Crypto Pro CSP
1. Open Start Menu > Control Panel > Crypto Pro CSP. Go to the "Hardware" tab and click on the "Configure Media Types" button.
2. Select Rutoken or Rutoken Lite and click on the "Properties" button. If there are no such media in the list, then the support module should be updated. To do this, it is recommended to use the Diagnostics service.
3. Go to the "Information" tab and click the "Unblock PIN-code" button. If the "Information" tab is missing, then the support module should be updated. To do this, it is recommended to use the Diagnostics service.
The Unblock PIN-code button will be inactive if the smart card is not blocked. In this case, information about the remaining number of attempts to enter the PIN code will be displayed.
4. A successful unlock message will appear.
It is not possible to unlock the administrator pin code without losing your data.