"RBS BS-Client. Private Client" v.2.2 Find out the initial values ​​of etoken pass

"RBS BS-Client. Private Client" v.2.2

version from 01/01/2001

1. Abstract

This document is intended for system administrators.

The document describes the principles of working with eToken PASS, the device the system uses as an analogue of the client's handwritten signature.

Contents

1. Abstract

2. Principles of working with eToken PASS

3. Import of eToken keys into the system

4. Client work with eToken

6. The procedure for resolving disputes regarding transactions carried out using eToken

2. Principles of working with eToken PASS

eToken PASS generates one-time passwords using HMAC with the SHA-1 hash function over an event counter (the OATH HOTP scheme). To the client, eToken PASS looks like a key fob (Fig. 1) with a small screen on which the generated password is displayed. The client uses this password to confirm financial transactions in the “Private Client” system.

This use of eToken relies on Article 160 of the Civil Code of the Russian Federation, which permits, by agreement of the parties, the use of analogues of a handwritten signature. The eToken PASS code is not an electronic signature, however, and therefore does not fall under the law “On Electronic Digital Signature”.

Fig. 1. eToken PASS

3. Import of eToken keys into the system

Each eToken key fob has its own serial number and secret value (seed). This data is supplied by Aladdin, the manufacturer.

This data cannot be generated by the Private Client system. The system obtains the eToken PASS key information by importing it from the files the bank receives together with the eToken key fobs. On the server, this data is stored in encrypted form. The import file holds the seeds of every key fob in the batch and must be handled as key material: restrict who can read it and remove it from shared locations once it has been imported.

To import eToken keys into the Private Client system:

· Select the menu item “Security -> Security -> List of eToken keys”.

This opens the “List of eToken Keys” dialog box (Fig. 2).

Fig. 2. eToken Key List dialog box

· To load new keys, click the “Download” button on the toolbar of the dialog box.

This opens the “Import eToken Keys” dialog box (Fig. 3).

Fig. 3. Import eToken Keys dialog box

· In the window that opens, specify the path to the XML file containing the keys.

4. Client work with eToken

To have a new key bound, the client must come to the bank and receive a new key fob. An authorized bank employee binds the new key to the client using the standard tools of the Private Client system.

When signing a document, a field for entering a code appears on the screen of the Internet banking system. The client presses the key fob button to generate a new password value and enters the received code into the field. When a password is generated, the password counter is increased by one.

The current counter value is stored in the key fob itself and is kept in step with the Private Client system. When a signed document is received, the entered code is verified using the eToken PKI Client driver set.

Attention! For correct operation, the eToken PKI Client driver set must be installed on the same server as RTS.

The number of incorrect password entries is limited. Once the client has used up all attempts, the key is blocked in the Private Client system; the client cannot unblock it on his own. The permitted number of incorrect entries is set by the “InvalideTokenAttempt” parameter (Settings -> System parameters -> Authorization parameters -> InvalideTokenAttempt).

The key can be unblocked in the Builder application. In the “eTokenKeys” table (Table structures -> eTokenKeys), find the record for the blocked key fob (records are identified by ID) and set the following values:

CountAttempt = 0

eTokenBlockDate = " " (empty)

eTokenStatusID = 1

Since the attempt limit is what makes online guessing of a short one-time password impractical, unblock a key only after confirming the client's identity and establishing that the failed entries were the client's own.

A client may accidentally press the key fob button more than once, so that the counter in the fob runs ahead of the server by more than one. To tolerate this, the server does not check only the current counter value: it also tries the following values up to a configured limit (a look-ahead window), so the client can still sign the document after an accidental extra press. The permitted number of “accidental” presses is set by the “TokenCounterForCheck” parameter (Settings -> System Parameters -> Authorization Parameters -> TokenCounterForCheck). Keep this window small: every additional value the server is willing to accept is one more code an attacker could guess, and a client whose fob has run further ahead should resynchronize the counter rather than have the window widened.
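The following is an added example, not code from the BS-Client system or from Aladdin, showing what the server side of the scheme described in sections 2 and 4 (and in the product's “Principle of operation” text further down this page) amounts to: HOTP generation as RFC 4226 defines it, verification with a look-ahead window (the role of TokenCounterForCheck), a failed-attempt limit (the role of InvalideTokenAttempt), and the manual unlock that resets CountAttempt, eTokenBlockDate and eTokenStatusID. The seed is the RFC 4226 test-vector key, the serial number, the parameter values and the "blocked" status value 0 are assumptions, and the real server reads the seed from its encrypted store rather than from a constant.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed demo seed (the RFC 4226 test-vector key). A real eToken PASS
# seed exists only in the vendor's import file; the bank never generates it.
DEMO_SECRET = b"12345678901234567890"

# Settings named on the page. The values are assumptions for this demo.
INVALID_TOKEN_ATTEMPT = 3    # InvalideTokenAttempt: failed entries before the key is blocked
TOKEN_COUNTER_FOR_CHECK = 5  # TokenCounterForCheck: counter values ahead the server also checks

STATUS_ACTIVE = 1            # eTokenStatusID value the page restores on unlock
STATUS_BLOCKED = 0           # assumption: the page does not give the "blocked" status value


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then a zero-padded decimal code."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class TokenRecord:
    """Server-side state for one key fob, mirroring the eTokenKeys fields the page names."""
    serial: str
    secret: bytes                          # stored encrypted on the real server
    counter: int = 0                       # next counter value the server expects
    count_attempt: int = 0                 # CountAttempt
    block_date: Optional[datetime] = None  # eTokenBlockDate
    status_id: int = STATUS_ACTIVE         # eTokenStatusID


def verify_otp(rec: TokenRecord, entered: str) -> bool:
    """Accept `entered` if it matches any of counter .. counter+window.
    On success the server counter jumps past the matched value, so neither the
    accepted code nor any code it skipped over can be accepted again."""
    if rec.status_id != STATUS_ACTIVE or rec.block_date is not None:
        return False
    for c in range(rec.counter, rec.counter + TOKEN_COUNTER_FOR_CHECK + 1):
        if hmac.compare_digest(hotp(rec.secret, c), entered):
            rec.counter = c + 1
            rec.count_attempt = 0
            return True
    rec.count_attempt += 1
    if rec.count_attempt >= INVALID_TOKEN_ATTEMPT:
        rec.block_date = datetime.now(timezone.utc)
        rec.status_id = STATUS_BLOCKED
    return False


def unlock(rec: TokenRecord) -> None:
    """The manual unlock the page describes for the Builder application."""
    rec.count_attempt = 0
    rec.block_date = None
    rec.status_id = STATUS_ACTIVE


def demo() -> dict:
    """Walk a key fob through normal use, accidental presses, lockout and unlock."""
    rec = TokenRecord("0001234567", DEMO_SECRET)   # constructed serial number
    fob_counter = 0                                # counter kept inside the key fob

    def press() -> str:
        nonlocal fob_counter
        code = hotp(DEMO_SECRET, fob_counter)
        fob_counter += 1
        return code

    out = {}
    out["first_code_ok"] = verify_otp(rec, press())        # server counter -> 1
    press()                                                 # two accidental presses,
    press()                                                 # codes never entered
    out["within_window_ok"] = verify_otp(rec, press())     # counter 3 lies in 1..6, server -> 4
    for _ in range(TOKEN_COUNTER_FOR_CHECK + 1):            # six more presses skip past the window
        press()
    out["beyond_window_rejected"] = not verify_otp(rec, press())   # counter 10 is not in 4..9
    for _ in range(INVALID_TOKEN_ATTEMPT - 1):
        verify_otp(rec, "000000")                           # further failures exhaust the limit
    out["blocked"] = rec.status_id == STATUS_BLOCKED and rec.block_date is not None
    out["blocked_rejects_valid"] = not verify_otp(rec, hotp(DEMO_SECRET, rec.counter))
    unlock(rec)
    out["unlock_alone_not_resync"] = not verify_otp(rec, press())  # fob at 11, server window still 4..9
    out["server_counter"] = rec.counter
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to the real system: the server counter only ever moves forward, so a code that was accepted (or skipped over inside the window) is dead afterwards, and a manual unlock restores the attempt counter and status but does nothing about a fob whose counter has run past the window; that case needs the counter resynchronization the page describes later, not a wider window.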


6. The procedure for resolving disputes regarding transactions carried out using “eToken”

1. If a controversial transaction (electronic document) using “eToken” is detected, the Client has the right to contact the Bank to protest it. The operation can be protested no later than 30 calendar days from the date of its execution.

2. The specified protest is formalized in a written statement addressed to the Bank, drawn up in free form and including the following information: Full name of the Client; Date of operation; type of operation; transaction amount; reason for protest.

3. The Bank, within 10 working days, considers the Client’s application and satisfies the Client’s claim, or sends a written response to the Client about the unfoundedness of his claim.

4. In case of disagreement with the Bank’s conclusion, the Client sends to the Bank a written notification of his disagreement and the requirement to form a conflict commission to resolve disputes. The conflict commission is formed for a period of up to 10 working days, during which it must establish the legality and validity of the claim, as well as, if necessary, the authenticity and authorship of the disputed transaction.

5. The conflict commission includes an equal number of representatives from each of the Parties, determined by the Parties independently. The right to represent the relevant Party in the commission must be confirmed by a power of attorney issued to each representative for the duration of the commission’s work.

6. The Commission determines, including, but not limited to, the following:

· the subject of disagreement based on the Client’s claim and explanations of the Parties;

· the legality of filing a claim based on the text of the concluded Agreement and its Appendices;

· the fact that the Client logged into the System before sending the disputed transaction;

· whether the serial number of the eToken PASS key fob used by the Client matches the serial number of the key fob linked to the Client at the Bank, and whether its use was legitimate;

· date and time of receipt of the transaction.

7. The Parties agree that to analyze conflict situations, the commission accepts an electronic document for consideration and is obliged to use the following reference data recognized by the Parties:

· electronic archive data of accepted and sent documents;

· database data with information about eToken PASS;

· the software stored by the Bank.

8. The Commission must make sure that the actions of the Parties were in accordance with the Agreement in force at the time the disputed transaction was created.

9. Correct execution by the Bank of the disputed document is confirmed when all of the following conditions are met simultaneously:

· the information contained in the disputed document is fully consistent with the Bank’s actions to execute it;

· the fact that the Client entered the System prior to sending the disputed document to the Bank was established;

· the fact that the system verified the one-time key entered by the client was established;

· the value of the password counter in the Client's eToken key fob is greater than the counter value used when the document was signed;

· at the time of sending the document, the eToken PASS used was linked to the client;

· at the time of sending the document, the eToken PASS used was active.

In this case, the Client's claims against the Bank relating to the consequences of executing the document are recognized as unfounded. If any of the listed conditions is not met, correct use of the one-time password generated by the eToken PASS key fob and correct execution of the document have not been confirmed: either the document was confirmed with an incorrect one-time password, or the Bank did not execute it correctly. In that case, the Client's claims against the Bank relating to the consequences of executing the document are recognized as justified.

10. The results of the examination are set out in a written conclusion, the Act of the Conflict Commission, signed by all members of the commission. The Act is drawn up immediately after the examination is completed and contains its results together with all essential details of the disputed electronic document. It is drawn up in two copies, one for the Bank's representatives and one for the Client's. The commission's Act is final and not subject to revision.

11. The Parties have the right to challenge the result of the commission’s work in the manner established by the current legislation of the Russian Federation. The act drawn up by the conflict commission is evidence in further proceedings of the dispute in the judicial authorities.

eToken PASS is a standalone one-time password generator that does not need to be connected to a computer or have additional software installed. It can be used with any operating system, including when protected resources are accessed from mobile devices and terminals that have no USB connector or smart card reader.

  • Autonomous one-time password generator;
  • Does not require connection to a computer;
  • Centralized management of tokens using the eToken TMS system.

Purpose

The standalone one-time password generator eToken PASS can be used for authentication in any applications and services that support the RADIUS authentication protocol - VPN, Microsoft ISA, Microsoft IIS, Outlook Web Access, etc.

The eToken OTP SDK 2.0 makes it easy to add support for one-time password authentication to your own applications.

Advantages

  • Does not require installation of additional client software.
  • Does not require driver installation.
  • Works without connecting to a computer - no need for a free USB port.
  • Ability to work on any operating system.
  • Ability to work from mobile devices.
  • A one-time password is valid only for one communication session - the user does not have to worry about the password being snooped on or intercepted.
  • Low price.

Principle of operation

eToken PASS implements the one-time password (OTP) generation algorithm developed within the OATH initiative, which is based on HMAC with the SHA-1 hash function. The OTP value is computed from two inputs: the secret key (the initial value, or seed, of the generator) and the current counter value (the number of generations performed). The initial value is stored both in the device and on the server in the eToken TMS system. The counter in the device increases with each OTP generation; the counter on the server increases with each successful OTP authentication.

When an authentication request is made, OTP verification is carried out by a RADIUS server (Microsoft IAS, FreeRadius and others), which accesses the eToken TMS system, which generates OTP on the server side. If the OTP value entered by the user matches the value received on the server, the authentication is considered successful and the RADIUS server sends an appropriate response.

A batch of eToken PASS devices comes with an encrypted file containing initial values ​​for all devices in the batch. This file is imported by the administrator into the eToken TMS system. After this, to assign the device, the user must enter its serial number (printed on the device body).

If the synchronization of the generation counter in the device and on the server is disrupted, the eToken TMS system allows you to easily restore synchronization - bring the value on the server into line with the value stored in the device. To do this, the system administrator or the user himself (if he has the appropriate permissions) must generate two consecutive OTP values ​​and send them to the server via the eToken TMS Web interface.

To enhance security, the eToken TMS system allows the use of an additional OTP PIN value - in this case, for authentication, the user enters an additional secret OTP PIN value in addition to the username and OTP. This value is set when assigning a device to a user.

  • Offline one-time password generator.
  • Does not require connection to a computer.
  • As a one-time password generator, it is fully compatible with eToken NG-OTP.
  • Works with eToken TMS 2.0.
  • Guaranteed service life - 7 years or 14,000 generations.

2017: Removal from sales of eToken line products

Notice of the planned termination of sales, support and maintenance of USB tokens and smart cards of the eToken PRO (Java) and eToken families, and of the “Cryptotoken” CIPF that forms part of the eToken GOST products.

Products of the eToken line have been discontinued since the beginning of 2017. The end-of-sale and end-of-life conditions for the eToken PRO (Java) line listed below apply to all existing form factors (USB token, smart card, etc.), and to both certified and non-certified products. A detailed list of models for all listed products is given in the “Articles and Names” section of the Notice.

Model, last sale date and end of support date:

  • eToken PRO (Java), eToken NG-FLASH (Java), eToken NG-OTP (Java), eToken PRO Anywhere: last sale date March 31, 2017; end of support date December 1, 2020.
  • eToken 4100 Smartcard, eToken 5100/5105, eToken 5200/5205: last sale date January 31, 2017; end of support date December 1, 2020.
  • Products containing CIPF “Cryptotoken” (eToken GOST): last sale date August 31, 2017; end of support date December 1, 2018.

Technical support for previously purchased products will be provided until the end of the paid technical support period.

In place of the eToken PRO (Java) and eToken electronic keys, Aladdin R.D. offers its own USB tokens, smart cards, embedded security modules (chips) and OTP tokens, JaCarta PRO, JaCarta PKI and JaCarta WebPass, developed and manufactured in the Russian Federation.

Replaced model and its replacement:

  • eToken, eToken PRO (Java), SafeNet eToken: JaCarta PRO (compatible model); JaCarta PKI (functional analogue).
  • eToken PRO Anywhere: no replacement.
  • eToken NG-FLASH (Java): a similar product in the JaCarta line is planned for 2018.
  • eToken NG-OTP (Java): a functional analogue that generates the OTP value and transmits it via the USB port.

2016: eToken PASS certified by FSTEC

August 26, 2016 Aladdin R.D. company announced the renewal of the certificate of the FSTEC of Russia for the software and hardware complex for authentication and storage of user information “Electronic key eToken 5”.

Certificate of Conformity No. 1883 of the FSTEC of Russia confirms that the software of the “Electronic key eToken 5” product for user authentication and data storage complies with the requirements of the guidance document “Protection against unauthorized access to information. Part 1. Software information security tools. Classification according to the level of control over the absence of undeclared capabilities” (State Technical Commission of Russia, 1999). As a hardware and software means of protecting information from unauthorized access, it has evaluation assurance level 2 (OUD 2) with level 4 of control over the absence of undeclared capabilities.

Settings in the “Internet client for legal entities” system

In the “Internet client for legal entities” system you can configure the parameters for exporting and importing documents, change the password, set up automatic numbering of documents, synchronize eToken PASS, make additional settings, and request, install and view a certificate. To make the setting you need, go to the Settings menu item and click the appropriate item.

Import/Export Options

To change the export settings, which determine the default export file name and file type, select Settings, then click the Import/Export item. A form with the import and export parameters appears on the right-hand side of the system's working window. The following parameters can be set:

  • Exchange parameters with 1C: format version, export file name, and whether changed documents are replaced.
  • Parameters for saving reference directories (.csv): in the Field separator field, select the character to be used as the field separator in the .csv file.
  • Parameters for importing currency payment orders (.csv): whether changed documents are replaced.

After all parameters have been specified, click the button Save.

Change Password

To change your password, go to the menu item Settings - Change password. In the window that opens, enter the old password, the new password, and the new password again. To save changes, click the button Change.

To clear filled fields, click on the button Clear.

To return to the previous page, click the button Back.

When creating a login and password, you need to follow the recommendations:

  • After logging in for the first time, change your password. This ensures that only you know the new password.
  • Change your password regularly.
  • Use passwords that are difficult to guess. For example, don't set passwords with the names of other family members.
  • Use both upper and lower case characters, numbers, and other acceptable characters in your passwords.

Automatic document numbering

The automatic document numbering mode allows you to automatically assign unique, sequentially increasing numbers to documents. To enable this mode, go to the menu item Settings - Auto numbering.

eToken PASS synchronization

This menu item is displayed if you have been assigned a token.

The token must be synchronized if the key fob button has been pressed several times without the generated codes being used. To synchronize a token, select Settings - eToken PASS Synchronization in the program's main menu. In the dialog box that appears, enter two passwords generated one after the other by the eToken PASS device into its fields, then click the Synchronize button.
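What the server does with those two codes, as an added example that is not code from the bank's system or from eToken TMS; it covers both this synchronization item and the counter-resynchronization paragraph in the product's “Principle of operation” text above. The seed is the RFC 4226 test-vector key, the fob and server counter values are constructed, and the size of the search window (RESYNC_WINDOW) is an assumption, since the page does not name that parameter.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo seed (the RFC 4226 test-vector key); a real seed comes only
# from the vendor's import file.
DEMO_SECRET = b"12345678901234567890"

# Assumption: how far ahead of its own counter the server searches during
# resynchronization. The page does not name this parameter.
RESYNC_WINDOW = 1000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA-1, dynamic truncation, zero-padded decimal code)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def resync(secret: bytes, server_counter: int, otp1: str, otp2: str) -> Optional[int]:
    """Locate the key fob's counter from two codes generated one after the other.

    The search runs forward only: c starts at the server's current counter and
    never goes below it, so a resync can never re-enable codes that were already
    used. Returns the new server counter (one past the second code) or None."""
    for c in range(server_counter, server_counter + RESYNC_WINDOW):
        if (hmac.compare_digest(hotp(secret, c), otp1)
                and hmac.compare_digest(hotp(secret, c + 1), otp2)):
            return c + 2
    return None


def demo() -> dict:
    """A fob that was pressed many times without the codes being used."""
    server_counter = 4
    fob_counter = 57                      # constructed: 53 generations ahead of the server
    first = hotp(DEMO_SECRET, fob_counter)
    second = hotp(DEMO_SECRET, fob_counter + 1)
    return {
        # the two consecutive codes pin the fob at 57, so the server moves to 59
        "resynced_to": resync(DEMO_SECRET, server_counter, first, second),
        # the same two codes entered in the wrong order do not match anywhere
        "swapped_rejected": resync(DEMO_SECRET, server_counter, second, first),
        # codes for counters 0 and 1 lie behind the server: no rewind is possible
        "rewind_rejected": resync(DEMO_SECRET, server_counter,
                                  hotp(DEMO_SECRET, 0), hotp(DEMO_SECRET, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

Two codes are required because the search window is wide: with 6-digit codes a single code matches some counter in a window of W values by chance with probability roughly W/10^6, which at W = 1000 is one in a thousand, while two consecutive matches bring that down to roughly W/10^12. The forward-only search is the other safeguard: resynchronization may move the server counter ahead, never back.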

Additional settings

To set other settings, go to the menu item Settings - Additional. A form containing two tabs of settings is displayed on the screen.

To save your settings, click the button Save.

Cryptographic protection components

In the menu item Settings - Cryptographic protection components you can view information about the installed versions of the cryptographic protection components and proceed to install or update them. The screen displays information about the following components:

  • Adapter.
  • JC Web Client.
  • HTTPFile ActiveX.
  • MS CAPICOM.

This page also displays the identifier of the device from which you logged into the Internet Client for Legal Entities system (its MAC address or a hash of its hardware). To link this device to your account, click on its ID. A letter containing information about this device is generated, which you can send to the bank.
