{"id":1007,"date":"2009-09-22T19:13:03","date_gmt":"2009-09-22T18:13:03","guid":{"rendered":"http:\/\/my.stargazer.at\/?p=1007"},"modified":"2009-09-22T19:13:15","modified_gmt":"2009-09-22T18:13:15","slug":"etoken-games","status":"publish","type":"post","link":"https:\/\/my.stargazer.at\/de\/2009\/09\/22\/etoken-games\/","title":{"rendered":"Erste Spielereien mit einem eToken"},"content":{"rendered":"

Sicherheitssysteme sind doch immer wieder nett – vor allem wenn man sich daran versuchen darf, sie zu verstehen und wom\u00f6glich auszuhebeln. Mein heutiges Opfer ist der sogenannte eToken von Aladdin. <\/p>\n

\u00c4u\u00dferlich gesehen ist das Ding ein USB Stick, welchen es einmal anzust\u00f6pseln gilt. Ist das geschehen gibt es zwei Dinge zu bestaunen: eines davon ist die Ausgabe von ‚lsusb‘:<\/p>\n

<\/p>\n

Bus 003 Device 003: ID 0529:0600 Aladdin Knowledge Systems eToken Pro 64k (4.2)<\/p><\/blockquote>\n

und das Andere, die Nachrichten im Kernel Log:<\/p>\n

usb 3-1: new full speed USB device using uhci_hcd and address 2
\nusb 3-1: New USB device found, idVendor=0529, idProduct=0600
\nusb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
\nusb 3-1: Product: Token 4.28.1.0 2.7.195
\nusb 3-1: Manufacturer: Aladdin Knowledge Systems Ltd.
\nusb 3-1: configuration #1 chosen from 1 choice<\/p><\/blockquote>\n

Der eToken als Solches wird zur Authentifizierung wie eine SmartCard verwendet. Ich gehe also einmal davon aus, dass es im weitesten Sinne auch eine SmartCard mit eingebautem Reader sein wird, da der Speicherplatz von gerade einmal 32K sicher keinen USB Stick als solches ausmacht. Aus diesem Grund installiere ich mir die entsprechenden OpenSC Pakete:<\/p>\n

[ebuild N ] sys-apps\/pcsc-lite-1.5.5 USE=“hal usb -static“
\n[ebuild N ] dev-libs\/openct-0.6.17 USE=“pcsc-lite usb -doc“
\n[ebuild N ] dev-libs\/opensc-0.11.9 USE=“nsplugin openct pcsc-lite -doc“\n<\/p><\/blockquote>\n

Danach gab es nur noch einen OpenCT Dienst zu starten und wir waren so weit f\u00fcr den ersten Testlauf ger\u00fcstet, welchen ich einmal durch simples Auslesen der Fakten:<\/p>\n

# opensc-tool -l
\n[opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\nReaders known about:
\nNr. Driver Name
\n0 openct Aladdin eToken PRO 64k
\n1 openct OpenCT reader (detached)<\/p><\/blockquote>\n

Ein Resultat und ein Erkennen der Karte nebst einer Fehlermeldung ist schon mal komisch. Also will ich es wissen und beginne mit der Initialisierung indem ich den Token l\u00f6sche:<\/p>\n

# pkcs15-init -E
\n[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\nUsing reader with a card: Aladdin eToken PRO 64k<\/p><\/blockquote>\n

Ob das funktioniert hat, ist abermals fraglich, aber ich bin mal so frech und werte es als Erfolg und mache den n\u00e4chsten Schritt und lasse ein Profil nebst einem X.509 Zertifikat-Paar darauf generieren:<\/p>\n

# pkcs15-init -r 0 –erase-card –create-pkcs15 –no-so-pin –label ‚Stargazers‘
\n[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found<\/p><\/blockquote>\n

Da es keine genauere Meldung gab, bin ich nun etwas irritiert. Also \u00fcberpr\u00fcfe ich das mal:<\/p>\n

# opensc-tool -r 0 -f
\n[opensc-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\n3f00 type: DF, size: 1024
\nselect[N\/A] lock[NONE] delete[NONE] create[NONE] rehab[NONE] inval[NONE] list[N\/A] sec: 00:00:00:00:00:00:00:00:00:00
\nprop: 00:67:8C <\/p>\n

3f005015 [\\xA0\\x00\\x00\\x00cPKCS-15] type: DF, size: 4096
\n select[N\/A] lock[NEVR] delete[NONE] create[NONE] rehab[NONE] inval[NONE] list[N\/A] sec: 00:FF:00:00:00:00:FF:00:00
\n prop: 00:67:8C <\/p>\n

3f0050154401 type: wEF, ef structure: transpnt, size: 256
\n read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
\n prop: 00 <\/p>\n

00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n 3f0050155031 type: wEF, ef structure: transpnt, size: 256
\n read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
\n prop: 00 <\/p>\n

00000000: A8 0A 30 08 04 06 3F 00 50 15 44 01 00 00 00 00 ..0…?.P.D…..
\n00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n000000F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
\n 3f0050155032 type: wEF, ef structure: transpnt, size: 62
\n read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00
\n prop: 00<\/p>\n

00000000: 30 3C 02 01 00 04 06 27 92 7A 13 21 2C 0C 0E 4F 0<.....'.z.!,..O\n00000010: 70 65 6E 53 43 20 50 72 6F 6A 65 63 74 80 0A 53 penSC Project..S\n00000020: 74 61 72 67 61 7A 65 72 73 03 02 04 10 85 0F 32 targazers......2\n00000030: 30 30 39 30 39 32 30 31 35 33 37 32 32 5A 0090920153722Z\n 3f0050154946 type: wEF, ef structure: transpnt, size: 128\n read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00\n prop: 00\n\n00000000: 01 06 70 6B 63 73 31 35 00 00 00 00 00 00 00 00 ..pkcs15........\n00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 3f002f00 type: wEF, ef structure: transpnt, size: 128\n read[NONE] update[NONE] erase[NONE] write[NONE] rehab[NONE] inval[NONE] sec: 00:00:00:00:00:00:00:00:00\n prop: 00\n\n00000000: 61 20 4F 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 a O.....cPKCS-15\n00000010: 50 0A 53 74 61 72 67 61 7A 65 72 73 51 04 3F 00 P.StargazersQ.?.\n00000020: 50 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 P...............\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n<\/p><\/blockquote>\n

Der Test zeigt einen Haufen Daten, die offensichtlich auf den Token gepackt wurden. Um die Sache weiterzumachen, lege ich einen PIN- bzw. einen PUK Code an:<\/p>\n

# pkcs15-init -r 0 –store-pin –label ‚Stargazers PIN‘ –auth-id 01
\n[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\nNew User PIN.
\nPlease enter User PIN:
\nPlease type again to verify:
\nUnblock Code for New User PIN (Optional – press return for no PIN).
\nPlease enter User unblocking PIN (PUK):
\nPlease type again to verify:<\/p><\/blockquote>\n

Wenn mich also nicht alles t\u00e4uscht, haben wir hiermit eine PKCS#15 Struktur mit PIN\/PUK angelegt und k\u00f6nnten uns dem ersten Zertifikat widmen und ein erstes ‚Na, wenn das mal gut geht…“ in den Raum werfen. Da wir paranoid sind, generieren wir das Ganze gleich am Key:<\/p>\n

# pkcs15-init -r 0 –generate-key ‚rsa\/1024‘ –auth-id 01 –label ‚StarKey 01‘ –public-key-label ‚Public StarKey 01‘ –split-key
\n[pkcs15-init] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\nUser PIN required.
\nPlease enter User PIN:\n<\/p><\/blockquote>\n

Nach der inzwischen schon obligatorischen Fehlermeldung wurde der PIN prompt akzeptiert, was ich einmal als gutes Zeichen sehe. Aber um ganz sicher zu gehen, lesen wir uns mal alle Informationen aus, die wir kriegen k\u00f6nnen. Dass das nicht ohne die Fehlermeldungen geht, ist auch klar:<\/p>\n

# pkcs15-tool –reader 0 –list-pins
\n[pkcs15-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[pkcs15-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\nPIN [Stargazers PIN]
\n Com. Flags: 0x3
\n ID : 01
\n Flags : [0x32], local, initialized, needs-padding
\n Length : min_len:4, max_len:8, stored_len:8
\n Pad char : 0x00
\n Reference : 1
\n Type : ascii-numeric
\n Path : 3f005015<\/p>\n

# pkcs15-tool –reader 0 –list-keys
\n[pkcs15-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[pkcs15-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\nPrivate RSA Key [StarKey 01]
\n Com. Flags : 3
\n Usage : [0x4], sign
\n Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
\n ModLength : 1024
\n Key ref : 16
\n Native : yes
\n Path : 3f005015
\n Auth ID : 01
\n ID : 45<\/p>\n

# pkcs15-tool –reader 0 –list-public-keys
\n[pkcs15-tool] reader-pcsc.c:906:pcsc_detect_readers: SCardEstablishContext failed: 0x8010001d
\n[pkcs15-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
\nPublic RSA Key [Public StarKey 01]
\n Com. Flags : 2
\n Usage : [0x4], sign
\n Access Flags: [0x0]
\n ModLength : 1024
\n Key ref : 0
\n Native : no
\n Path : 3f0050153048
\n Auth ID :
\n ID : 45\n<\/p><\/blockquote>\n

Offensichtlich scheint das Ganze geklappt zu haben und wir k\u00f6nnen uns Gedanken \u00fcber Authentifizierung und Co machen, was aber aufgrund des Umfangs wieder ein eigenes Thema wird.<\/p>","protected":false},"excerpt":{"rendered":"

Sicherheitssysteme sind doch immer wieder nett – vor allem wenn man sich daran versuchen darf, sie zu verstehen und wom\u00f6glich auszuhebeln. Mein heutiges Opfer ist der sogenannte eToken von Aladdin. \u00c4u\u00dferlich gesehen ist das Ding ein USB Stick, welchen es einmal anzust\u00f6pseln gilt. Ist das geschehen gibt es zwei Dinge zu bestaunen: eines davon ist die Ausgabe von […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[22,170],"class_list":["post-1007","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-linux","tag-security"],"_links":{"self":[{"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/posts\/1007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/comments?post=1007"}],"version-history":[{"count":0,"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/posts\/1007\/revisions"}],"wp:attachment":[{"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/media?parent=1007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/categories?post=1007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/my.stargazer.at\/de\/wp-json\/wp\/v2\/tags?post=1007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}