Using Smartcards, PIV Cards, CACs with Symantec Endpoint Encryption for Preboot Authentication (SEE)
Article ID: 160823

Products

Endpoint Encryption, Encryption Management Server, Drive Encryption, Desktop Email Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, PGP Encryption Suite

Issue/Introduction

This article covers how to use smartcards with Symantec Endpoint Encryption for preboot authentication.

Personal Identity Verification (PIV) cards are widely used by government agencies and carry credentials that are unique to the cardholder, such as the PIV Authentication Certificate, other digital certificates, and biometric data.

The PIV Authentication Certificate is mandatory on every PIV card and is the certificate used for Windows logon.

The Key Management, Digital Signature, and Card Authentication certificates are optional.

Resolution

Symantec Endpoint Encryption typically works with generic USB CCID-compliant readers connected to a USB 2.0 port, although not all readers are guaranteed to work or are officially supported. Before deploying to production, test the card readers thoroughly on the hardware they will be used with, at the SEE preboot screen and not only within Windows, to confirm they work in the production environment.

Historical:
Smart Cards are supported for BIOS systems beginning with Symantec Endpoint Encryption version 11.0.0 and above, while support for Smart Cards on UEFI systems was added with Symantec Endpoint Encryption version 11.0.1 and above. Current versions of the product support both BIOS and UEFI systems.

Symantec Endpoint Encryption supports the following Personal Identity Verification (PIV) cards, identified by their Answer to Reset (ATR) bytes:

YubiKey smartcard support was added in SEE 12.0.1 (YubiKey 5 FIPS NFC devices are included). Supported YubiKey ATRs:

  • YubiKey 5 Series USB
    ATR - 3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 75 62 69 4b 65 79 40
     
  • YubiKey 5 Series NFC
    ATR - 3b 8d 80 01 80 73 c0 21 c0 57 59 75 62 69 4b 65 79 f9
     
  • YubiKey 4 Series USB
    ATR - 3b f8 13 00 00 81 31 fe 15 59 75 62 69 6b 65 79 34 d4
     
  • YubiKey NEO USB
    ATR - 3b fc 13 00 00 81 31 fe 15 59 75 62 69 6b 65 79 4e 45 4f 72 33 e1
     
  • YubiKey NEO NFC
    ATR - 3b 8c 80 01 59 75 62 69 6b 65 79 4e 45 4f 72 33 58

The following YubiKey ATS (Answer to Select) is not included in SEE 12.0.1:

  • YubiKey 5 Series USB
    ATS - 12 78 b3 84 00 80 73 c0 21 c0 57 59 75 62 69 4b 65 79

Please reach out to Symantec Encryption Support if you would like to use this token (reference IMSFR-694).

Other supported PIV cards:

  • Gemalto Cyberflex Access 64K v2c
    ATR - 3b 95 95 40 ff ae 01 03 00 00
     
  • Gemalto ID Prime .NET
    ATR - 3b 16 96 41 73 74 72 69 64
     
  • G&D Sm@rtCafé Expert 80K DI v3.2
    ATR - 3b 7a 18 00 00 73 66 74 65 2d 63 64 30 38 30
     
  • G&D Sm@rtCafé Expert 144K DI v3.2
    ATR - 3b 7a 18 00 00 73 66 74 65 20 63 64 31 34 34
     
  • Gemalto TOP DL GX4 144K FIPS
    ATR - 3b 7d 96 00 00 80 31 80 65 b0 83 11 11 ac 83 00 90 00
     
  • HID Global Crescendo JCOP 21 version 2.4.1 R2 64K
    ATR - 3b d9 96 ff 81 31 fe 45 43 52 45 53 43 45 4e 44 4f ff
     
  • Oberthur 64K CosmopolIC v5.2
    ATR - 3b 7b 18 00 00 00 31 c0 64 77 e3 03 00 82 90 00
     
  • Oberthur CS PIV End Point v1.08 FIPS201 Certified
    ATR - 3b db 96 00 81 b1 fe 45 1f 03 80 f9 a0 00 00 03 08 00 00 10 00 18
     
  • Oberthur ID-One Cosmos v7.0
    ATR - 3b df 96 00 81 b1 fe 45 1f 83 80 73 cc 91 cb f9 a0 00 00 03 08 00 00 10 00 79
     
  • Oberthur ID-One 128 v5.5 Dual
    ATR - 3b db 96 00 80 1f 03 00 31 c0 64 b0 f3 10 00 0f 90 00 88
    ATR - 3b db 96 00 80 1f 03 00 31 c0 64 b0 f3 10 00 07 90 00 80

As of version 11.1.2, Symantec Endpoint Encryption supports the following PIV CAC v2 smart cards on systems running in BIOS mode:

  • G&D SmartCafe Expert 144K DI v3.2
    ATR - 3b 7a 18 00 00 73 66 74 65 20 63 64 31 34 34
     
  • Oberthur C128K v5.5 Dual
    ATR - 3b db 96 00 80 1f 03 00 31 c0 64 b0 f3 10 00 07 90 00 80
     
  • Gemalto TOP DL GX4 144K FIPS
    ATR -  3b 7d 96 00 00 80 31 80 65 b0 83 11 17 d6 83 00 90 00

As of version 11.2.0, Symantec Endpoint Encryption supports the following PIV CAC v2 smart cards:

  • G&D SmartCafe Expert v7.0 144K DI
    ATR: 3B F9 96 00 00 80 31 FE 45 53 43 45 37 20 03 00 20 46 42
     
  • Oberthur ID-One Cosmo v8.0 128K with PIV 2.4.0
    ATR: 3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 52 21 19 48

    Note: Cards whose ATR matches the following pattern are also supported:

    3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 5X XX 1A XX, where each X is a wildcard hex digit (nibble) that may take any value.

    For example, the following ATR matches the pattern (byte 14 begins with 5, byte 16 is 1A, and the remaining digits of bytes 14, 15 and 17 are wildcards), so this card will work:

    3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 52 41 1A 2B
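To check a card's ATR against this list before rolling it out (for example, an ATR read from a reader with certutil -scinfo on Windows), here is an added example in Python; it is not part of this article or of Symantec's product. It parses the ATR per ISO/IEC 7816-3 (walking the TA/TB/TC/TD chain, separating the historical bytes, and verifying the TCK check byte where the standard requires one) and then matches the ATR against a short copy of the entries above, including the wildcard-nibble pattern. The SUPPORTED table is a constructed subset of the article's list, and the function and class names are this example's own.

```python
"""Added example: parse a smartcard ATR (ISO/IEC 7816-3) and match it against
SEE's supported-ATR list, including the wildcard-nibble pattern the article
describes for the Oberthur ID-One Cosmo v8.0.  Not Symantec code."""
from dataclasses import dataclass
from functools import reduce
from operator import xor
from typing import Optional


def parse_hex(text: str) -> bytes:
    """Accept '3b 95 ...', '3B95...' or '0x3b, 0xfd, ...' spellings."""
    cleaned = text.lower().replace("0x", "").replace(",", " ")
    return bytes.fromhex("".join(cleaned.split()))


@dataclass
class Atr:
    interface: dict        # e.g. {"TA1": 0x13, "TD1": 0x81, ...}
    protocols: set         # T=n values offered (T=0 by default)
    historical: bytes      # K historical bytes (PIV cards put their AID here)
    tck: Optional[int]     # check byte, absent when only T=0 is offered
    tck_ok: Optional[bool]


def parse_atr(data: bytes) -> Atr:
    """Walk the TA/TB/TC/TD chain from T0 and verify TCK when it must exist."""
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    t0 = data[1]
    y, k, i, n = t0 >> 4, t0 & 0x0F, 2, 1
    interface, protocols = {}, set()
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(data):
                    raise ValueError("truncated interface bytes")
                interface[f"{name}{n}"] = data[i]
                if name == "TD":
                    td = data[i]
                i += 1
        if td is None:
            break
        protocols.add(td & 0x0F)   # low nibble names the protocol
        y, n = td >> 4, n + 1      # high nibble says which T*(n+1) follow
    if not protocols:
        protocols.add(0)           # no TD1 at all means T=0 only
    historical = data[i:i + k]
    if len(historical) != k:
        raise ValueError("truncated historical bytes")
    i += k
    tck = tck_ok = None
    if protocols != {0}:           # ISO 7816-3: TCK present unless T=0 is the only protocol
        if i >= len(data):
            raise ValueError("missing TCK")
        tck = data[i]
        tck_ok = reduce(xor, data[1:i + 1]) == 0   # XOR of T0..TCK must be zero
        i += 1
    if i != len(data):
        raise ValueError("trailing bytes after ATR")
    return Atr(interface, protocols, historical, tck, tck_ok)


def matches_pattern(atr: bytes, pattern: str) -> bool:
    """Byte-wise compare; 'X' in the pattern is a wildcard hex digit (nibble)."""
    tokens = pattern.upper().split()
    if len(tokens) != len(atr):
        return False
    for byte, tok in zip(atr, tokens):
        for digit, nibble in ((tok[0], byte >> 4), (tok[1], byte & 0x0F)):
            if digit != "X" and int(digit, 16) != nibble:
                return False
    return True


# Constructed subset of the article's list; extend with the remaining entries as needed.
SUPPORTED = [
    ("YubiKey 5 Series USB",
     "3B FD 13 00 00 81 31 FE 15 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 40"),
    ("YubiKey 5 Series NFC",
     "3B 8D 80 01 80 73 C0 21 C0 57 59 75 62 69 4B 65 79 F9"),
    ("Gemalto Cyberflex Access 64K v2c",
     "3B 95 95 40 FF AE 01 03 00 00"),
    ("Oberthur ID-One Cosmo v8.0 128K with PIV 2.4.0",
     "3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 52 21 19 48"),
    ("Oberthur ID-One Cosmo v8.0 128K with PIV 2.4.0 (masked variant)",
     "3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 5X XX 1A XX"),
]


def identify(atr_text: str) -> Optional[str]:
    """Name of the supported card for this ATR, or None if it is not in the list.
    A malformed ATR (bad TCK, truncated) is rejected before list matching."""
    atr = parse_hex(atr_text)
    if parse_atr(atr).tck_ok is False:
        return None
    for name, pattern in SUPPORTED:
        if matches_pattern(atr, pattern):
            return name
    return None


if __name__ == "__main__":
    for sample in ("3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 52 41 1A 2B",
                   "3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 52 41 19 2B"):
        print(sample, "->", identify(sample))
```

The masked example ATR from the article passes the TCK check and resolves to the masked Oberthur entry, while a one-nibble corruption of it (19 instead of 1A in byte 16) fails both the checksum and the pattern. Exact entries are listed before the wildcard pattern so that a card is reported under its precise name when one exists.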

For more information about the latest Symantec Endpoint Encryption system requirements, see the System Requirements for each product.

Additional Information

160823 - Using Smartcards, PIV Cards, CACs with Symantec Endpoint Encryption for Preboot Authentication (SEE)

156452 - Using Smartcards, PIV Cards, CACs with PGP Encryption Desktop for Preboot Authentication (PGP)

IMSFR-985 - Simplify Preboot with Smartcards (F7 Function)

EPG-26617 - PIV Cards for Latitude 7410, 7420 - Dell Precision 3550, 3560
EPG-27004 - Incorrect PIN Entry may see some delays at preboot
EPG-32338 - additional ATRs for Oberthur and HID

IMSFR-905 - additional ATRs:

  • Oberthur ID-One Cosmo v7.0 128K
    ATR - 3B DB 96 00 80 B1 FE 45 1F 83 00 31 C0 64 B0 FC 10 00 0F 90 00 0D
     
  • HID Global Crescendo C11xx Cards
    ATR - 3B DF 96 FF 81 31 FE 45 5A 01 80 48 49 44 43 31 31 58 58 73 00 01 1B 09