Model 400 Security Policy Public version
This document may be reproduced only in its original entirety (without revision).
Copyright SafeNet
Page 26 of 45
The relatively high maximum limit (63) compared to the maximum smart card bad PIN limit
(15) reflects the reality that a user is more likely to inadvertently mismatch on a fingerprint
than a PIN.
The count of remaining bad fingerprint authentication attempts is kept internally on the
smart card, and is independent of the internal bad PIN counter. It is decremented with
every bad fingerprint logon attempt, regardless of which fingerprint is used. Switching
fingers does not clear the count. The count of remaining bad fingerprint authentication
attempts is reset to the maximum allowed by the ADF with every successful fingerprint logon.
When the internal count of remaining bad fingerprint authentication attempts reaches 0,
logon via the fingerprint template is locked. Once locked, no fingerprint can be used to log
on until a new fingerprint template is enrolled onto the smart card.
A flag can be set during enrollment to lock this parameter. If locked, the maximum bad
fingerprint limit is fixed and cannot be changed during future enrollments. Once the lock
flag is set, it cannot be cleared during re-enrollment. It can only be cleared by deleting the
entire fingerprint template via either the Recycle command or by deleting the cryptoki
directory.
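The counter and lock-flag rules above (decrement on every mismatch regardless of finger, reset on success, lockout at 0 until re-enrollment, a limit lock that only Recycle clears) can be modelled as a small state machine. The following is an added illustrative model written for this page, not the vendor's applet code; the biometric matcher is replaced by a byte-string comparison, and the class, method and finger names are assumptions.

```python
"""Hypothetical model of the bad-fingerprint counter and lock flag described in
the policy text. Illustrative only: the real card's matcher and ADF handling are
not public, so a stored template is compared to the presented sample by equality."""
from dataclasses import dataclass, field

MAX_BAD_FP_LIMIT = 63   # highest bad-fingerprint limit the ADF may set (from the policy)
MAX_BAD_PIN_LIMIT = 15  # highest bad-PIN limit, for comparison (from the policy)


class FingerprintLogonLocked(Exception):
    """Raised when the counter has reached 0 or no template is enrolled."""


@dataclass
class FingerprintTemplate:
    """Card-side state for one card holder's fingerprint template (assumed layout)."""
    bad_fp_limit: int                 # maximum bad attempts allowed by the ADF
    templates: dict                   # finger name -> stored template (toy stand-in)
    limit_locked: bool = False        # lock flag set at enrollment
    remaining: int = field(init=False)

    def __post_init__(self):
        if not 1 <= self.bad_fp_limit <= MAX_BAD_FP_LIMIT:
            raise ValueError("bad fingerprint limit must be 1..%d" % MAX_BAD_FP_LIMIT)
        self.remaining = self.bad_fp_limit

    @property
    def locked(self) -> bool:
        # Locked when no template is enrolled or the counter has run down to 0.
        return not self.templates or self.remaining == 0

    def verify(self, finger: str, sample: bytes) -> bool:
        """One fingerprint logon attempt. Any mismatch decrements the shared counter,
        whichever finger was presented; a match resets it to the ADF maximum."""
        if self.locked:
            raise FingerprintLogonLocked("fingerprint logon locked; re-enroll a template")
        if self.templates.get(finger) == sample:
            self.remaining = self.bad_fp_limit
            return True
        self.remaining -= 1
        return False

    def enroll(self, templates: dict, bad_fp_limit: int, lock_flag: bool = False):
        """(Re-)enrollment: new templates unlock logon and reset the counter. Once the
        limit is locked, the limit cannot change and the flag cannot be cleared here."""
        if self.limit_locked and bad_fp_limit != self.bad_fp_limit:
            raise PermissionError("bad fingerprint limit is locked by the enrollment flag")
        if not 1 <= bad_fp_limit <= MAX_BAD_FP_LIMIT:
            raise ValueError("bad fingerprint limit must be 1..%d" % MAX_BAD_FP_LIMIT)
        self.bad_fp_limit = bad_fp_limit
        self.templates = dict(templates)
        self.remaining = bad_fp_limit
        self.limit_locked = self.limit_locked or lock_flag  # can be set, never cleared

    def recycle(self):
        """Delete the entire template (Recycle command); the only way to clear the lock flag."""
        self.templates = {}
        self.remaining = 0
        self.limit_locked = False


def scenario() -> dict:
    """Walk the rules from the policy text on constructed inputs and report what happened."""
    card = FingerprintTemplate(bad_fp_limit=3,
                               templates={"right_index": b"RI", "left_thumb": b"LT"})
    card.verify("right_index", b"bad")      # miss on one finger
    card.verify("left_thumb", b"bad")       # miss on another finger: same counter
    after_switching_fingers = card.remaining        # 1, switching did not clear the count
    card.verify("right_index", b"RI")       # success resets the counter
    after_success = card.remaining                  # 3
    for _ in range(3):
        card.verify("left_thumb", b"bad")   # three misses exhaust the counter
    locked_at_zero = card.locked                    # True
    try:
        card.verify("right_index", b"RI")   # even a correct finger is refused
        refused_when_locked = False
    except FingerprintLogonLocked:
        refused_when_locked = True
    card.enroll({"right_index": b"RI"}, bad_fp_limit=5, lock_flag=True)
    unlocked_by_enroll = not card.locked            # True
    try:
        card.enroll({"right_index": b"RI"}, bad_fp_limit=10)
        limit_change_allowed = True
    except PermissionError:
        limit_change_allowed = False                # locked limit cannot change
    card.enroll({"right_index": b"RI"}, bad_fp_limit=5, lock_flag=False)
    flag_after_reenroll = card.limit_locked         # True: re-enrollment cannot clear it
    card.recycle()
    flag_after_recycle = card.limit_locked          # False: Recycle clears everything
    return {"after_switching_fingers": after_switching_fingers,
            "after_success": after_success,
            "locked_at_zero": locked_at_zero,
            "refused_when_locked": refused_when_locked,
            "unlocked_by_enroll": unlocked_by_enroll,
            "limit_change_allowed": limit_change_allowed,
            "flag_after_reenroll": flag_after_reenroll,
            "flag_after_recycle": flag_after_recycle}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The point to check in any implementation of such a counter is the order of operations in verify: the lockout test must run before the match, and the decrement must happen on the card before the result is returned, so that a mismatch cannot be interrupted to avoid being counted.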
The following table summarizes the type of authentication and strength of mechanism for
each role.
Role | Authentication | Strength of Mechanism
Card Holder & Card Holder Unblocking | PIN | 8-20 characters, 1/80^8 - 1/80^20
SO | PIN | 8-20 characters, 1/80^8 - 1/80^20
Card Holder | Fingerprint and PIN | At least 8-20 characters, 1/80^8 - 1/80^20, + biometric strength
Card Holder | Challenge-Response | Strength of this mechanism is equal to strength of key. For TRIPLE-DES 2-Key: 1/2^112. TRIPLE-DES 3-Key: 1/2^168. AES 128-bit: 1/2^128. AES 192-bit: 1/2^192. AES 256-bit: 1/2^256.
6.4.5. Security Relevant Data Item
The Security Relevant Data Items (SRDI) for the non-PIV DF of Model 400 smart card are:
1- Secure channel session key: TRIPLE-DES 2-Key or 128-bit AES key
2- Secure channel key exchange key
3- Card Holder PIN, 8-20 characters