Messing around with an eToken

Security is a very nice topic – especially if you are allowed to mess with the devices (or even break them). Today's toy is an eToken by Aladdin.

Looking at it, you might mistake it for a USB stick, but nevertheless – let's plug it in and see what 'lsusb' tells us:

Bus 003 Device 003: ID 0529:0600 Aladdin Knowledge Systems eToken Pro 64k (4.2)

usb 3-1: new full speed USB device using uhci_hcd and address 2
usb 3-1: New USB device found, idVendor=0529, idProduct=0600
usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 3-1: Product: Token 4.28.1.0 2.7.195
usb 3-1: Manufacturer: Aladdin Knowledge Systems Ltd.
usb 3-1: configuration #1 chosen from 1 choice

The token itself is – as far as I know – a smart card and a reader packed together into one device. A good reason to install OpenSC, the smart card tools for Linux:

[ebuild N ] sys-apps/pcsc-lite-1.5.5 USE="hal usb -static"
[ebuild N ] dev-libs/openct-0.6.17 USE="pcsc-lite usb -doc"
[ebuild N ] dev-libs/opensc-0.11.9 USE="nsplugin openct pcsc-lite -doc"

Once that is done, it is time to launch the services and see whether we can read some data from our unknown device:

# opensc-tool -l
[opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Readers known about:
Nr. Driver Name
0 openct Aladdin eToken PRO 64k
1 openct OpenCT reader (detached)

The sweet thing is that we got something like a result – disregarding the error message for now. So let's start by clearing the token and doing a plain initialization:

# pkcs15-init -E
[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Using reader with a card: Aladdin eToken PRO 64k

I doubt that this worked, but I am an optimist. To check the result I will try to generate an X.509 certificate on the token. If I can read it back, things worked:

# pkcs15-init -r 0 --erase-card --create-pkcs15 --no-so-pin --label 'Stargazers'
[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found

No message so far. What now? Well – let’s check:

# opensc-tool -r 0 -f
[opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
3f00 type: DF, size: 1024
select[N/A] lock[NONE] delete[NONE] create[NONE] rehab[NONE] inval[NONE] list[N/A] sec: 00:00:00:00:00:00:00:00:00:00
prop: 00:67:8C

3f005015 [\xA0\x00\x00\x00cPKCS-15] type: DF, size: 4096
select[N/A] lock[NEVR] delete[NONE] create[NONE] rehab[NONE] inval[NONE] list[N/A] sec: 00:FF:00:00:00:00:FF:00:00
prop: 00:67:8C

3f0050154401 type: wEF, ef structure: transpnt, size: 256
read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
prop: 00

00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3f0050155031 type: wEF, ef structure: transpnt, size: 256
read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
prop: 00

00000000: A8 0A 30 08 04 06 3F 00 50 15 44 01 00 00 00 00 ..0...?.P.D.....
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3f0050155032 type: wEF, ef structure: transpnt, size: 62
read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
prop: 00

00000000: 30 3C 02 01 00 04 06 27 92 7A 13 21 2C 0C 0E 4F 0<.....'.z.!,..O
00000010: 70 65 6E 53 43 20 50 72 6F 6A 65 63 74 80 0A 53 penSC Project..S
00000020: 74 61 72 67 61 7A 65 72 73 03 02 04 10 85 0F 32 targazers......2
00000030: 30 30 39 30 39 32 30 31 35 33 37 32 32 5A       0090920153722Z
3f0050154946 type: wEF, ef structure: transpnt, size: 128
read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
prop: 00

00000000: 01 06 70 6B 63 73 31 35 00 00 00 00 00 00 00 00 ..pkcs15........
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3f002f00 type: wEF, ef structure: transpnt, size: 128
read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
prop: 00

00000000: 61 20 4F 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 a O.....cPKCS-15
00000010: 50 0A 53 74 61 72 67 61 7A 65 72 73 51 04 3F 00 P.StargazersQ.?.
00000020: 50 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 P...............
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
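The non-zero files in that dump are BER-TLV encoded PKCS#15 structures: EF(DIR) at 2F00 carries the application template that points to the PKCS#15 directory (AID, label, path), EF(ODF) at 5031 lists the object directory files (here only the authentication objects path 3F00 5015 4401, which is why 4401 is still all zeros before a PIN is stored), and EF(TokenInfo) at 5032 describes the token itself. The small decoder below is an added example, not code from the original post or from OpenSC; it parses exactly the bytes copied from the dump above, and the field and tag names it assigns (ODF tag numbers, TokenFlags bit names, `[0] label`, `[5] lastUpdate`) are taken from the PKCS#15 TokenInfo and ODF definitions rather than from anything on this page.

```python
"""Decode the PKCS#15 directory files from the opensc-tool -f dump above.

Constructed input: the non-zero bytes of EF(DIR) 2F00, EF(ODF) 5031 and
EF(TokenInfo) 5032 copied from the hex dump; the zero padding that fills the
rest of each transparent EF on the token is not repeated here.
"""

EF_DIR_2F00 = bytes.fromhex(
    "61 20 4F 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 "
    "50 0A 53 74 61 72 67 61 7A 65 72 73 51 04 3F 00 50 15"
)
EF_ODF_5031 = bytes.fromhex("A8 0A 30 08 04 06 3F 00 50 15 44 01")
EF_TOKENINFO_5032 = bytes.fromhex(
    "30 3C 02 01 00 04 06 27 92 7A 13 21 2C 0C 0E 4F 70 65 6E 53 43 20 50 72 "
    "6F 6A 65 63 74 80 0A 53 74 61 72 67 61 7A 65 72 73 03 02 04 10 85 0F 32 "
    "30 30 39 30 39 32 30 31 35 33 37 32 32 5A"
)

# PKCS#15 PKCS15Objects CHOICE tags as they appear in EF(ODF).
ODF_TAGS = {
    0xA0: "privateKeys", 0xA1: "publicKeys", 0xA2: "trustedPublicKeys",
    0xA3: "secretKeys", 0xA4: "certificates", 0xA5: "trustedCertificates",
    0xA6: "usefulCertificates", 0xA7: "dataObjects", 0xA8: "authObjects",
}
# PKCS#15 TokenFlags BIT STRING, bit 0 first.
TOKEN_FLAGS = ["readonly", "loginRequired", "prnGeneration", "eidCompliant"]


def parse_tlv(data):
    """Split one level of BER-TLV into (tag, value) pairs.

    Single-byte tags and short/long-form lengths are enough for these files.
    A 0x00 tag byte is the unwritten padding of a transparent EF, so parsing
    stops there instead of treating the padding as objects.
    """
    items, i = [], 0
    while i < len(data):
        tag = data[i]
        if tag == 0x00:
            break
        length = data[i + 1]
        i += 2
        if length & 0x80:                    # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        items.append((tag, bytes(data[i:i + length])))
        i += length
    return items


def decode_bit_string(value):
    """Return the names of the set bits of a DER BIT STRING (unused-bits byte first)."""
    unused, body = value[0], value[1:]
    total = 8 * len(body) - unused
    bits = int.from_bytes(body, "big")
    names = []
    for i in range(total):                   # bit 0 is the most significant bit
        if (bits >> (8 * len(body) - 1 - i)) & 1:
            names.append(TOKEN_FLAGS[i] if i < len(TOKEN_FLAGS) else f"bit{i}")
    return names


def decode_ef_dir(data):
    """EF(DIR): application templates (tag 0x61) pointing at the PKCS#15 DF."""
    apps = []
    for tag, value in parse_tlv(data):
        if tag != 0x61:
            continue
        fields = dict(parse_tlv(value))
        apps.append({
            "aid": fields[0x4F].hex().upper(),        # application identifier
            "label": fields[0x50].decode("utf-8"),    # application label
            "path": fields[0x51].hex(),               # path to the application DF
        })
    return apps


def decode_odf(data):
    """EF(ODF): each entry is [n] PathOrObjects; here every entry is a Path."""
    entries = {}
    for tag, value in parse_tlv(data):
        name = ODF_TAGS.get(tag, f"tag{tag:02X}")
        inner = dict(parse_tlv(value))
        if 0x30 in inner:                    # Path ::= SEQUENCE { path OCTET STRING, ... }
            entries[name] = dict(parse_tlv(inner[0x30]))[0x04].hex()
        else:                                # objects stored inline instead of by path
            entries[name] = "inline"
    return entries


def decode_tokeninfo(data):
    """EF(TokenInfo): the top-level SEQUENCE describing the token."""
    tag, body = parse_tlv(data)[0]
    if tag != 0x30:
        raise ValueError("TokenInfo must start with a SEQUENCE")
    info = {}
    for tag, value in parse_tlv(body):
        if tag == 0x02:
            info["version"] = int.from_bytes(value, "big")
        elif tag == 0x04:
            info["serialNumber"] = value.hex()
        elif tag == 0x0C:                    # manufacturerID, UTF8String
            info["manufacturerID"] = value.decode("utf-8")
        elif tag == 0x80:                    # [0] label
            info["label"] = value.decode("utf-8")
        elif tag == 0x03:                    # tokenflags BIT STRING
            info["tokenflags"] = decode_bit_string(value)
        elif tag == 0x85:                    # [5] lastUpdate, GeneralizedTime
            info["lastUpdate"] = value.decode("ascii")
        else:
            info[f"tag{tag:02X}"] = value.hex()
    return info


def describe_token():
    """Decode all three files from the dump into one dictionary."""
    return {
        "applications": decode_ef_dir(EF_DIR_2F00),
        "odf": decode_odf(EF_ODF_5031),
        "tokeninfo": decode_tokeninfo(EF_TOKENINFO_5032),
    }


if __name__ == "__main__":
    for section, content in describe_token().items():
        print(section, content)
```

Worth noticing while reading the decoded output: every one of these files is listed with `read[NONE]`, so the label, serial number, manufacturer and directory layout are readable without any PIN. That is how PKCS#15 directory files are meant to work, and it is exactly why the interesting access control in the later listings sits on the private key (`sensitive, neverExtract`) and on the PIN object rather than on these directory files.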

The test showed a ton of data on the token. So I continue by adding a PIN and a PUK:

# pkcs15-init -r 0 --store-pin --label 'Stargazers PIN' --auth-id 01
[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:

Correct me if I am wrong, but what I did was generate a PKCS#15 structure with a PIN and PUK – the basis for the first certificate, which is the next thing to do:

# pkcs15-init -r 0 --generate-key 'rsa/1024' --auth-id 01 --label 'StarKey 01' --public-key-label 'Public StarKey 01' --split-key
[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
User PIN required.
Please enter User PIN:

The only familiar thing here is the error message, but as soon as the PIN is accepted I can relax and check the result. That doesn't happen without the mandatory error message either – but see for yourself:

# pkcs15-tool --reader 0 --list-pins
[pkcs15-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[pkcs15-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
PIN [Stargazers PIN]
Com. Flags: 0x3
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015

# pkcs15-tool --reader 0 --list-keys
[pkcs15-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[pkcs15-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Private RSA Key [StarKey 01]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 16
Native : yes
Path : 3f005015
Auth ID : 01
ID : 45

# pkcs15-tool --reader 0 --list-public-keys
[pkcs15-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
[pkcs15-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
Public RSA Key [Public StarKey 01]
Com. Flags : 2
Usage : [0x4], sign
Access Flags: [0x0]
ModLength : 1024
Key ref : 0
Native : no
Path : 3f0050153048
Auth ID :
ID : 45

As far as I can see, things worked, and I should continue thinking about authentication and saving stuff on the token. But that's a topic for a different day.

2 thoughts on “Messing around with an eToken”

  • I have tested reading the token with Windows again today and failed.

    As a rule of thumb:

    • Linux can only read tokens initialized with the 3.60-compat options
    • Linux using open source cannot work with Windows certificates
    • Windows cannot read the Linux certificates

    Maybe worth looking into the Aladdin Stuff for Linux or dropping the project – depends.
