eToken Pass resync failed

makay · September 22, 2022, 12:11pm

Hello all,
we installed PrivacyIDEA 3.7.3 on Ubuntu 18.04.6 LTS. It works fine with TOTP, Google-Authenticator, RADIUS, and some VPN in our test-environment.

Now we are testing the use of a hardware-token, eToken Pass. The import of aladdin-xml for a few test-tokens was successful, the token type is “hotp”

But if we resync token with the input of two consecutive hash-values it always responds “resync failed”.

After changing the sync window to “999999” the following is showing up in the debug-log:

[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:186] Entering checkOtp with arguments (<privacyidea.lib.tokens.HMAC.HmacOtp object at 0x7f43bc090da0>, ‘129923’, 999999) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:153] OTP range counter: 1 - 1000000
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:186] Entering decrypt with arguments (…) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:186] Entering aes_cbc_decrypt with arguments (…) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:200] Exiting aes_cbc_decrypt with result HIDDEN
[2022-09-22 11:56:12,734][1743][139929312982784][DEBUG][privacyidea.lib.crypto:200] Exiting decrypt with result HIDDEN
[2022-09-22 11:56:15,827][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:198] Exiting checkOtp with result 358927
[2022-09-22 11:56:15,828][1743][139929312982784][DEBUG][privacyidea.lib.tokens.hotptoken:591] exit. Failed to verify second otp: nextOtp: ‘402893’ != otp2: ‘192992’ ret: False
[2022-09-22 11:56:15,828][1743][139929312982784][DEBUG][privacyidea.lib.tokens.hotptoken:198] Exiting resync with result False

Does anyone have an approach to troubleshooting?
Thanks in advance
Jörg

cornelinux · September 22, 2022, 4:48pm

Expert knowledge: In roughly 2012 there have been a couple of etoken Pass, that used a quirky keylength of 192 bit. This would not comply to any standard.

makay · September 23, 2022, 8:46am

Thank you for your quick answer, cornelinux.
When importing the aladdin-xml there is a pgp public key shown up, which is of kind “RSA2048”. I assume, the keylength is also 2048 bit.
The etoken-pass has a production date 07/18/2022.
This is really strange to me.

cornelinux · September 25, 2022, 5:19pm

Do you have an excerpt from the XML file?
If the tokens are that new, the file might also have changed. Why did you parchase these, anyways?

makay · September 26, 2022, 10:08am

yes of course, here is an excerpt:

<?xml version="1.0" encoding="utf-8" ?>
<Tokens>
<Token serial="AB123456">
<CaseModel>5</CaseModel> 
<Model>123</Model>
<ProductionDate>07/07/2022</ProductionDate>
<ProductName>eTPass 6.20</ProductName>
<Applications>
<Application ConnectorID="{abcdef12-3456-abcd-ef12-3456abcdef12}">
<Seed>abcdef123456abcdef123456abcdef123456abcdef123456abcdef123456abcd</Seed>
<MovingFactor>1</MovingFactor>
</Application>
</Applications>
</Token>
</Tokens>

We bought this just to test how to handle an alternative authentication method. We think that not everyone wants to use their cell phone, but a separate token.

cornelinux · September 26, 2022, 4:12pm

I personally would recommand buying other hardware tokens!

cornelinux · September 26, 2022, 4:13pm

How long is the seed?

makay · September 27, 2022, 6:07am

64 chars x 16 bit = 1.024 bit

cornelinux · September 27, 2022, 6:12pm

64 Chars in Hex is 32byte = 256Bit.

So this looks like a SHA256.

Now you need to check if this is HOTP or TOTP.
…and in case of TOTP what is the time step.

makay · September 28, 2022, 12:10pm

Thank you for your patience, cornelinux. After I have imported the XML, the token type “hotp” appears in PI under “token detail”. I can’t change the token type via PI-surface.

etp

If I press the button of the eToken several times, the same 6-digit number appears for 30s, and then another. The packaging in which the tokens were delivered says “token bundle etoken pass time”

In addition to the XML, another file (alpine.dat) was supplied by the vendor, which contains more information:

# ===== SafeWord Authenticator Records $Version: 100$ =====
dn: sccAuthenticatorId=AB123456
objectclass: sccCompatibleToken
sccAuthenticatorId: AB123456
sccTokenType: eToken-PASS-TS
sccTokenData: sccKey=abcdef123456abcdef123456abcdef123456abcdef123456abcdef123456abcd;sccMode=T;sccPwLen=6;sccTick=30;sccPrTime=2022/07/07 11:11:11;crypto=HmacSHA256;sccVer=6.2;
sccSignature: FG0---some base64 stuff ---n2T=

However, I cannot import this file into PI.
Is it possible to change the token type, or manually create a hardware token in PI?

cornelinux · September 28, 2022, 3:53pm

Maybe this one works for you:

github.com

privacyidea/privacyidea/blob/master/tools/privacyidea-convert-xml-to-csv

#!/usr/bin/perl -w
# This program converts the Safeword Alpine import Data to the Aladdin XML file format

use strict;
use Getopt::Std;

my %options;
my @tokens;

my %token_db;
my $file;
my $showdb=0;
my $type="HOTP";
my $stepping="30";

sub help() {
    print STDERR "Usage: $0 [-h] \n";
    print STDERR "  This program converts the Aladdin XML file format to OATH CSV\n";
    print STDERR " -h : this help message\n";
    print STDERR " -f : this is the input file with the XML data. You can also use stdin\n";

This file has been truncated. show original

It is old. But basically you either

a) need to change the import file or
b) could change the data in the database

(It is old, because I did not know that anyone would buy etoken pass if it is not really, really, really necessary. Obviously you have quite a budget!