Symantec Endpoint Encryption Smart Card Support for preboot authentication


Article ID: 160823


Updated On:

Products

Endpoint Encryption, Encryption Management Server, Drive Encryption, Desktop Email Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Endpoint Encryption 11.x typically supports generic USB CCID-compatible readers connected to a USB 2.0 port, although not every reader is guaranteed to work or is officially supported. Before deploying to production, test the card readers thoroughly to confirm that they work in the production environment. USB 3.0 is supported starting in Symantec Endpoint Encryption 11.1.3, for UEFI systems only.

Smart cards are supported on BIOS systems in Symantec Endpoint Encryption version 11.0.0 and above; support for smart cards on UEFI systems was added in version 11.0.1 and above. Current versions of the product support both BIOS and UEFI systems.

Resolution

Symantec Endpoint Encryption 11.x supports the following Personal Identity Verification (PIV) cards and Answer to Reset (ATR) numbers:

  • Gemalto Cyberflex Access 64K v2c
    ATR - 3b 95 95 40 ff ae 01 03 00 00
     
  • Gemalto ID Prime .NET
    ATR - 3b 16 96 41 73 74 72 69 64
     
  • G&D Sm@rtCafé Expert 80K DI v3.2
    ATR - 3b 7a 18 00 00 73 66 74 65 2d 63 64 30 38 30
     
  • G&D Sm@rtCafé Expert 144K DI v3.2
    ATR - 3b 7a 18 00 00 73 66 74 65 20 63 64 31 34 34
     
  • Gemalto TOP DL GX4 144K FIPS
    ATR - 3b 7d 96 00 00 80 31 80 65 b0 83 11 11 ac 83 00 90 00
     
  • HID Global Crescendo JCOP 21 version 2.4.1 R2 64K
    ATR - 3b d9 96 ff 81 31 fe 45 43 52 45 53 43 45 4e 44 4f ff
     
  • Oberthur 64K CosmopolIC v5.2
    ATR - 3b 7b 18 00 00 00 31 c0 64 77 e3 03 00 82 90 00
     
  • Oberthur CS PIV End Point v1.08 FIPS201 Certified
    ATR - 3b db 96 00 81 b1 fe 45 1f 03 80 f9 a0 00 00 03 08 00 00 10 00 18
     
  • Oberthur ID-One Cosmos v7.0
    ATR - 3b df 96 00 81 b1 fe 45 1f 83 80 73 cc 91 cb f9 a0 00 00 03 08 00 00 10 00 79
     
  • Oberthur ID-One 128 v5.5 Dual
    ATR - 3b db 96 00 80 1f 03 00 31 c0 64 b0 f3 10 00 0f 90 00 88
    ATR - 3b db 96 00 80 1f 03 00 31 c0 64 b0 f3 10 00 07 90 00 80

As of version 11.1.2, Symantec Endpoint Encryption supports the following PIV CAC v2 smart cards on systems running in BIOS mode:

  • G&D SmartCafe Expert 144K DI v3.2
    ATR - 3b 7a 18 00 00 73 66 74 65 20 63 64 31 34 34
     
  • Oberthur C128K v5.5 Dual
    ATR - 3b db 96 00 80 1f 03 00 31 c0 64 b0 f3 10 00 07 90 00 80
     
  • Gemalto TOP DL GX4 144K FIPS
    ATR - 3b 7d 96 00 00 80 31 80 65 b0 83 11 17 d6 83 00 90 00

As of version 11.2.0, Symantec Endpoint Encryption supports the following PIV CAC v2 smart cards:

  • G&D SmartCafe Expert v7.0 144K DI
    ATR: 3B F9 96 00 00 80 31 FE 45 53 43 45 37 20 03 00 20 46 42
     
  • Oberthur ID-One Cosmo v8.0 128K with PIV 2.4.0
    ATR: 3B D6 97 00 81 B1 FE 45 1F 87 80 31 C1 52 21 19 48

For more information about the latest Symantec Endpoint Encryption system requirements, see the System Requirements for each product.

Additional Information

EPG-26617 - PIV Cards for Latitude 7410, 7420 - Dell Precision 3550, 3560
EPG-27004 - Incorrect PIN Entry may see some delays at preboot
EPG-32338 - Additional ATRs for Oberthur and HID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMSFR-905
Manufacturer: Oberthur Model: ID-One Cosmo v7.0 128K
ATR: 3B DB 96 00 80 B1 FE 45 1F 83 00 31 C0 64 B0 FC 10 00 0F 90 00 0D

Manufacturer: HID Global Model: Crescendo C11xx Cards
ATR: 3B DF 96 FF 81 31 FE 45 5A 01 80 48 49 44 43 31 31 58 58 73 00 01 1B 09

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~