[RADIATOR] New eToken PASS import files have longer secret keys (64 chars vs. 48 chars)
Linuxchuck
linuxchuck at n-force.com
Mon May 16 09:54:20 CDT 2011
Mike, apologies in advance for the double-post to you. Since this is a little time-sensitive, I am posting this to the list.
I just received an update from Safenet. Here is the quoted response:
"""
eToken PASS 6.2 use SHA256 as default hashing algorithm, hence the longer seed.
See for example http://www.openauthentication.org/webfm_send/47.
We have 3 options:
1) Ask your radius vendor to support HMAC-SHA256
2) Reprogram the tokens with SHA1 (Programmer is available, part number 13681, around 390.- €)
3) Replace the tokens with SHA1 programmed tokens.
For the latter I have to first check the current process on ordering them.
"""
So my questions are: how long will it take to add SHA256 support, and is that even a feasible request?
If this is something I need to request through our official support channel (we have a support contract), just say the word, and I'll send it through.
This is something of a time-sensitive issue. We have clients waiting to be issued their tokens.
Thanks
On 05/13/2011 08:16 PM, Mike McCauley wrote:
> Hi,
>
> Can you please send an example of a key, counter and resulting correct OTP, so
> we can investigate?
>
> Cheers.
>
> On Saturday 14 May 2011 05:35:32 am Linuxchuck wrote:
>> Hello again,
>>
>> I've been successfully using eToken PASS tokens since we moved to Radiator
>> without issue. We've recently purchased an additional set of 100 tokens
>> because we were running low, and the DigiPass Go-7 tokens we recently
>> received turn out to be unable to support changing PINs. During the process
>> of importing the new eToken PASS secret keys, I found that the token key
>> import files shipped with the tokens have changed now since SafeNet has
>> taken over ownership of Aladdin.
>>
>> The new files are called "AlpineXml.xml" and "importAlpine.dat". The first
>> is an XML file formatted exactly like the old XML files I'm familiar with
>> from the original Aladdin days. The second file is an ldif-formatted file
>> with basically the same information in it. I built an XML parsing PHP
>> script to perform bulk-imports for the older Aladdin import files, and it
>> works fine with the new XML files as well.
>>
>> I've noticed a particularly important change, however. The token secrets
>> are now 64 characters long, and will not properly import into the standard
>> secret column in the hotpkeys MySQL table which is a varchar(60) based on
>> the sql table built in hotp.cfg. (FYI, the original keys in my first
>> couple-hundred tokens were all 48 characters long.) In addition, the
>> "version" string in the older XML files is "6.0", and in the newer version,
>> is "6.20".
>>
>> I figured it would be a simple task to extend the storage of that column to
>> compensate for the longer keys, and applied an alter table command to do
>> just that. I then updated the keys for each token, ran a few queries to
>> ensure they matched exactly with the keys provided in the XML file, and
>> reloaded my Radiator servers. So far, so good...
>>
>> However, even though the new and longer secret keys now fit in the column,
>> I can not get any of these newly imported tokens to authenticate properly.
>> All of my older eToken PASS tokens with the shorter keys still work without
>> issue. It's these new tokens with the longer keys that refuse to
>> authenticate.
>>
>> Does anyone have an idea what could be going wrong here? I am not a Perl
>> coder by any stretch of the imagination, and my rudimentary scan of the
>> HOTP-related modules in Radiator did not give me any clues where things
>> could be going wrong.
>>
>> Thanks in advance...
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
More information about the radiator
mailing list