eToken Pass resync failed

Hello all,
we installed PrivacyIDEA 3.7.3 on Ubuntu 18.04.6 LTS. It works fine with TOTP, Google-Authenticator, RADIUS, and some VPN in our test-environment.

Now we are testing the use of a hardware token, eToken Pass. The import of aladdin-xml for a few test tokens was successful; the token type is “hotp”.

But if we resync token with the input of two consecutive hash-values it always responds “resync failed”.

After changing the sync window to “999999” the following is showing up in the debug-log:

[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:186] Entering checkOtp with arguments (<privacyidea.lib.tokens.HMAC.HmacOtp object at 0x7f43bc090da0>, ‘129923’, 999999) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:153] OTP range counter: 1 - 1000000
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:186] Entering decrypt with arguments (…) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:186] Entering aes_cbc_decrypt with arguments (…) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:200] Exiting aes_cbc_decrypt with result HIDDEN
[2022-09-22 11:56:12,734][1743][139929312982784][DEBUG][privacyidea.lib.crypto:200] Exiting decrypt with result HIDDEN
[2022-09-22 11:56:15,827][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:198] Exiting checkOtp with result 358927
[2022-09-22 11:56:15,828][1743][139929312982784][DEBUG][privacyidea.lib.tokens.hotptoken:591] exit. Failed to verify second otp: nextOtp: ‘402893’ != otp2: ‘192992’ ret: False
[2022-09-22 11:56:15,828][1743][139929312982784][DEBUG][privacyidea.lib.tokens.hotptoken:198] Exiting resync with result False

Does anyone have an approach to troubleshooting?
Thanks in advance
Jörg

Expert knowledge: In roughly 2012 there were a couple of eToken Pass tokens that used a quirky key length of 192 bit. This would not comply with any standard.

Thank you for your quick answer, cornelinux.
When importing the aladdin-xml, a PGP public key shows up, which is of kind “RSA2048”. I assume the key length is also 2048 bit.
The etoken-pass has a production date 07/18/2022.
This is really strange to me.

Do you have an excerpt from the XML file?
If the tokens are that new, the file might also have changed. Why did you purchase these, anyways?

Yes, of course, here is an excerpt:

<?xml version="1.0" encoding="utf-8" ?>
<Tokens>
<Token serial="AB123456">
<CaseModel>5</CaseModel> 
<Model>123</Model>
<ProductionDate>07/07/2022</ProductionDate>
<ProductName>eTPass 6.20</ProductName>
<Applications>
<Application ConnectorID="{abcdef12-3456-abcd-ef12-3456abcdef12}">
<Seed>abcdef123456abcdef123456abcdef123456abcdef123456abcdef123456abcd</Seed>
<MovingFactor>1</MovingFactor>
</Application>
</Applications>
</Token>
</Tokens>

We bought this just to test how to handle an alternative authentication method. We think that not everyone wants to use their cell phone, but a separate token.

I personally would recommend buying other hardware tokens!

How long is the seed?

64 chars x 16 bit = 1.024 bit

64 chars in hex is 32 bytes = 256 bit.

So this looks like a SHA256.

Now you need to check if this is HOTP or TOTP.
…and in case of TOTP what is the time step.
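
Added example (not part of the thread and not privacyIDEA code): one way to answer the HOTP-or-TOTP question offline is to test the imported seed and OTPs read from the token against event-based and time-based generation with SHA-1, SHA-256 and SHA-512. The function names, the search window, the candidate time steps and the sample seed (an RFC 6238 test key, not a real token seed) are assumptions made for this example.

```python
import hmac
import struct

ALGOS = ("sha1", "sha256", "sha512")

def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP value; algo may also be sha256/sha512 as in RFC 6238."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def probe_hotp(seed_hex: str, otp1: str, otp2: str, window: int = 10000):
    """(algo, counter) pairs where otp1 and otp2 are consecutive event-based values."""
    key = bytes.fromhex(seed_hex)
    n = len(otp1)
    return [(a, c) for a in ALGOS for c in range(window)
            if hotp(key, c, n, a) == otp1 and hotp(key, c + 1, n, a) == otp2]

def probe_totp(seed_hex: str, otp: str, read_at: int, steps=(30, 60), drift: int = 10):
    """(algo, step, drift_in_steps) where otp matches a time-based value.

    read_at is the Unix time at which the OTP was read from the token display.
    """
    key = bytes.fromhex(seed_hex)
    return [(a, s, d) for a in ALGOS for s in steps
            for d in range(-drift, drift + 1)
            if read_at // s + d >= 0
            and hotp(key, read_at // s + d, len(otp), a) == otp]

if __name__ == "__main__":
    # Constructed sample: the 32-byte RFC 6238 test key, not a real token seed.
    seed = b"12345678901234567890123456789012".hex()
    key = bytes.fromhex(seed)
    o1, o2 = hotp(key, 41, 6, "sha256"), hotp(key, 42, 6, "sha256")
    print("event-based hits:", probe_hotp(seed, o1, o2, window=100))
    print("time-based hits: ", probe_totp(seed, "46119246", read_at=59, drift=0))
```

An empty result from both probes means the seed as imported does not produce the displayed values under any of these combinations, which points at the import format rather than at the sync window.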