Notifications Star 1.6k Fork 546
Code Issues 124 Pull requests 19 Actions Projects 2 Wiki Security Insights
Code Issues Pull requests Actions Projects Wiki Security Insights
Aladdin eToken PRO
Jump to bottom
Krisztián Fekete edited this page Jul 28, 2015 · 8 revisions
Aladdin eToken PRO
Aladdin offers the eToken PRO , an USB crypto token with 32k or 64k memory and support for RSA keys up to 2048bit key length.
Đang xem: Aladdin etoken
The eToken PRO is fully supported by OpenSC and is well tested.
Note: some 72k Java cards do not work.
The precise model of your token can be determined from the text moulded in the plastic enclosure.
There is a rare version of the Aladdin eToken PRO with a G&D Starcos smart card inside. This version never went into mass production as far as we know, and is not supported by OpenSC.
Also there are some smart cards with the “Aladdin eToken” Name on them too. These cards are too old, they are not supported by OpenSC, as they lack some required features.
eToken R1 and R2
Those were the first generation of tokens produced. They use a proprietary protocol for communication between the host and token.
USB IDs: 0529:030b through 0529:042a Memory: (?) Maximum RSA key size: (?) Crypto chip: (?) On-Chip OS: (?)
eToken PRO 4.2B
This is the second public release of the device, that use a proprietary protocol for communication. These can still (2009) be found on the cheap on EBay or otherwise.
USB IDs: 0529:0600 Memory: 32k Maximum RSA key size: 2048 bits (it takes a long while to generate one such key, and the LED turns black while it does. Don’t panic!) Crypto chip: Infineon On-Chip OS: Siemens CardOS M4.2B
Aladdin eToken PRO 64k
USB IDs: 0529:0600 Vendor=0529 ProdID=0600 Rev=01.00 Memory: 64k (46506 Free) Maximum RSA key size: 2048 bits Crypto chip: (?) On-Chip OS: CardOS V4.2B © Siemens AG 1994-2005 ATR : 3B F2 18 00 02 C1 0A 31 FE 58 C8 09 75 Vendor Site: http://www.safenet-inc.com/aladdin-content/etoken/devices/pro-usb/
eToken PRO v4.29
Microcontroller: Atmel AT90SC25672RCT-USB Revision D Memory: 72KB EEPROM (64~67KB usable?; ~8KB reserved for firmware/patches?) Software (default): GlobalPlatform v2.1.1, Java Card v2.2.2, Athena OS755 IDProtect v0106.×.x, Aladdin eToken Applet v1.x USB IDs: 0529:0620 ATR : 3B D5 18 00 81 31 3A 7D 80 73 C8 21 10 30 FIPS : 140-2 Level 2 for USB and smart card versions. Level 3 for HD (hardened) USB versions. Supported Cryptographic Services Random Number Generator: DRNG (ANSI X9.31 two key TDES deterministic RNG seeded with the hardware RNG ) Message Digests: SHA -1, SHA -256 Signatures: RSA PKCS #1 (1024- to 2048-bit in 32-bit increments) Ciphers: TDES (112- and 168-bit ECB and CBC ), TDES MAC (vendor affirmed), AES (128-, 192- and 256-bit ECB and CBC ), RSA (1024- to 2048-bit in 32-bit increments) On-Card Key Generation: RSA PKCS #1 (1024- to 2048-bit in 32-bit increments) Key Establishment: RSA (1024- to 2048-bit in 32-bit increments
There seems to be three different physical versions available: the regular PRO , the PRO HD (a hardened version offering additional physical security compliant with FIPS 140-1 Level 3 requirements), and the PRO SC (a smart card). However, differentiating between the PRO and PRO HD is difficult, as there is little info specific to the HD version available online, and the image used in the FIPS Security Policy documents is identical for the PRO and PRO HD.
This device (and the others below) are compliant with the USB CCID (Chip/Smart Card Interface Devices) standard (see section “Smart Card Class” on http://www.usb.org/developers/devclass_docs).). As such, they don’t require a proprietary driver to work with OpenSC.
USB IDs: (?) Memory: (?) Maximum RSA key size: (?) Crypto chip: (?) On-Chip OS: Siemens CardOS M4.20 (?)
Aladdin is maybe the oldest player in the USB token field, and their hardware and software predates the standards such as CCID and PKCS #15, so you can’t really blame them for not conforming to these standards (especially for older token hardware). See also the Thanks section below, they are a fair player!
Aladdin has an SDK with Documentation on their ftp server for public download, but to implement the OpenSC driver further documentation was necessary (by Siemens and available only under NDA as far as we know).
CardOS versions up to and including M4.20 are supported. (Is CardOS M4.3b also working?) This includes all the CardOS-based token versions listed above except the evaluation boards. In order to make these work with OpenSC, one has to install the proprietary middleware; the proprietary key manager is not needed. See <#InstallationNotes below>.
One minor misfeature of the Siemens CardOS M4 is that an RSA key cannot be used for both signing and decryption. OpenSC has implemented a workaround: software key generation and storing that key twice, once marked as decryption key and once marked as signing key. To enable this workaround specify “—split-key” on the command line, when creating the key.
Aladdin provides their own software, which comprises both the middleware (necessary for all CardOS-based tokens) and the key-management tool (also for Linux (link outdated)) which is not compatible with PKCS #15. (However, as long as enough memory is available on the chip, it is possible to initialize the token with both OpenSC and this proprietary key manager, and thus install files and keys side by side – each software can then only handle their own structures.)
Mac OS X
1. unpack and mount the `pkiclient.4.55.41.dmg` file 2. explore the `eToken PKI Client 4.55.mpkg` directory on it (Ctrl-click then “Show package contents”), then open “Contents” and “Packages” 3. double-click on the following packages in this order so as to install them: `etokenframework.pkg`: those are the shared libraries (that will go into `/Library/Frameworks/eToken.framework`) needed by all the other packages; `etokendriversleopard.pkg` (for Mac OS 10.5.x) or `etokendriverstiger.pkg` (for Mac OS 10.4.x): this is the middleware, that goes under `/usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/` . It consists of an auxillary daemon that will be run by “pcscd“ in order to perform the necessary USB I/O.
To test this setup, plug your token in, then open a terminal and type the following commands:
sudo killall pcscd sudo /usr/sbin/pcscd -a -d -f
`pcscd` should start chatting, and the diode on the token should turn on. If `pcscd` instead says:
Error loading /usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/Contents/MacOS/eTokenIfdh: dlopen(/usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/Contents/MacOS/eTokenIfdh, 262)
it means that the middleware is corectly installed, but `etokenframework.pkg` is not. This happens when one installs the former first (!) In that case, run the `Uninstall eToken PKI Client 4.55` program from the .dmg image and start over.
The middleware for Linux is available here: ftp://ftp.ealaddin.com/pub/etoken/Linux (link outdated) ; and a third party provides the “key-management tool for Linux” (you don’t need the latter if you just want your token to work with OpenSC).
Big thanks to Aladdin, they sponsored an OpenSC workshop in 2003 by donating 30 Aladdin eToken PRO !
Big thanks to Startcom and Eddy Nigg for lots of time and support in adding support
for the Aladdin eToken PRO 64, for lots of testing and for donating one to us.
Big thanks to ASW , they donated two Aladdin eToken PRO 64, so we could test our support for
those Tokens (not yet released, will be included in the next release).
Big thanks to Josef Gillhuber from Aladdin. He donated two eToken PRO (32k and 64k) on LinuxTag 2006.
Thanks to Roman Stahl, he donated two Aladdin eToken PRO 32k (4.2B), so we could verify: they work fine too.