[RADIATOR] New eToken PASS import files have longer secret keys (64 chars vs. 48 chars)

Linuxchuck linuxchuck at n-force.com
Fri May 13 14:35:32 CDT 2011


Hello again,

I've been successfully using eToken PASS tokens since we moved to Radiator without issue.  We've recently purchased an additional set of 100 tokens because we were running low, and the DigiPass Go-7 tokens we recently received turn out to be unable to support changing PINs. During the process of importing the new eToken PASS secret keys, I found that the token key import files shipped with the tokens have changed now since SafeNet has taken over ownership of Aladdin.

The new files are called "AlpineXml.xml" and "importAlpine.dat".  The first is an XML file formatted exactly like the old XML files I'm familiar with from the original Aladdin days.  The second file is an ldif-formatted file with basically the same information in it.  I built an XML parsing PHP script to perform bulk-imports for the older Aladdin import files, and it works fine with the new XML files as well.

I've noticed a particularly important change, however.  The token secrets are now 64 characters long, and will not properly import into the standard secret column in the hotpkeys MySQL table which is a varchar(60) based on the sql table built in hotp.cfg.  (FYI, the original keys in my first couple-hundred tokens were all 48 characters long.)  In addition, the "version" string in the older XML files is "6.0", and in the newer version, is "6.20".

I figured it would be a simple task to extend the storage of that column to compensate for the longer keys, and applied an alter table command to do just that.  I then updated the keys for each token, ran a few queries to ensure they matched exactly with the keys provided in the XML file, and reloaded my Radiator servers.  So far, so good...

However, even though the new and longer secret keys now fit in the column, I cannot get any of these newly imported tokens to authenticate properly.  All of my older eToken PASS tokens with the shorter keys still work without issue.  It's these new tokens with the longer keys that refuse to authenticate.

Does anyone have an idea what could be going wrong here?  I am not a Perl coder by any stretch of the imagination, and my rudimentary scan of the HOTP-related modules in Radiator did not give me any clues where things could be going wrong.

Thanks in advance...
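Added example (not from the post and not Radiator's own code): RFC 4226 HOTP computed over hex secrets of both lengths seen in the post, plus a check that a secret fits the varchar(60) column, so the codes a token displays can be compared against what the stored secret produces. It assumes the secrets are hex-encoded and the tokens use standard HMAC-SHA1 HOTP; the sample keys are constructed.

```python
import hashlib
import hmac
import struct


def hotp(secret_hex: str, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value. HMAC-SHA1 accepts a key of any
    length, so 24-byte (48 hex) and 32-byte (64 hex) secrets both work."""
    key = bytes.fromhex(secret_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def fits_column(secret_hex: str, width: int = 60) -> bool:
    """True if the secret survives a varchar(width) column untruncated."""
    return len(secret_hex) <= width


def verify(secret_hex: str, otp: str, last_counter: int, window: int = 10):
    """Server-side check: try `window` counters past the last accepted one.
    Returns the matching counter (the new last_counter) or None."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret_hex, c), otp):
            return c
    return None


if __name__ == "__main__":
    # Constructed sample keys of the two lengths (not real token secrets).
    key48 = "0123456789abcdef" * 3
    key64 = "0123456789abcdef" * 4
    for k in (key48, key64):
        print(len(k), "hex chars ->", len(bytes.fromhex(k)), "bytes;",
              "fits varchar(60):", fits_column(k), "; OTP@0:", hotp(k, 0))
    # A secret silently cut to 60 chars by the old column width cannot
    # validate the codes the real 64-char key produces.
    print("truncated key validates:",
          verify(key64[:60], hotp(key64, 1), last_counter=0) is not None)
```

Comparing `hotp(secret, n)` for the first few counters against the codes a fresh token displays tells you whether the imported secret and its encoding are right before touching the RADIUS side.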
