Primary low-level tools for using the eToken on Linux.
This is a first attempt to revise the eToken on Unix documentation. The focus is getting the eToken to work for ssh authentication. Most of this was tested and developed on a Fedora 14 system using the packages that are part of the distribution.
eToken hardware
RSA Key Length
- The eToken Pro 16k and eToken Pro 32k only support 1024-bit RSA keys.
- The eToken Pro 64k (green at VT) supports 2048-bit RSA keys if that option is selected when they are initialized.
- Tokens issued by the VT CA are initialized with the FIPS option set. The FIPS option cannot be combined with the 2048-bit RSA key option, so those tokens are limited to 1024-bit keys.
- A 1024-bit RSA key provides approximately 80 bits of security strength.
Aladdin versus OpenSC/PKCS#15
- Tokens distributed by the VT CA are initialized with the FIPS option. This prevents the user from creating a PKCS#15 application on the token.
- You can re-initialize an old token without the FIPS option to allow creation of a PKCS#15 application.
- You can generate and store an RSA key for authentication in the Aladdin app on a VT CA issued eToken.
If you have a working Aladdin RTE on your computer, you probably want to use PC/SC for the reader and create your authentication keys within the Aladdin application. If you do not, you probably want to use OpenSC to create a PKCS#15 application on the token and OpenCT as the reader driver.
Aladdin RTE setup
- If you have a working Aladdin RTE, you already have PCSC installed.
- pcsc-tools is handy to have, but not required.
- opensc provides pkcs11-tool, which is required to generate the keys. Installation of opensc is suggested, but not strictly required.
- If you have an eToken Pro 64k token and do not need a VT CA key/certificate, you can reformat it without the FIPS option and with the 2048-bit RSA key length.
# Aladdin RTE and token inserted. The reader will
$ opensc-tool --list-readers
Readers known about:
Nr.  Driver     Name
0    pcsc       AKS ifdh 00 00
OpenSC setup
- Install opensc. If you are not using the Aladdin RTE and you are not using PC/SC, you will also need openct. This will likely be installed as a dependency of opensc.
- If you are not using PCSC and you are not using the Aladdin RTE, update the reader_drivers line in /etc/opensc.conf to only include openct.
# OpenCT reader should be seen.
$ opensc-tool --list-readers
Readers known about:
Nr.  Driver     Name
0    openct     OpenCT reader (detached)
1    openct     OpenCT reader (detached)

# Here's what you get with a token plugged in.
$ opensc-tool --list-readers
Readers known about:
Nr.  Driver     Name
0    openct     Aladdin eToken PRO 64k
1    openct     OpenCT reader (detached)

# OpenCT can see the token too
$ openct-tool list
 0 Aladdin eToken PRO 64k

# cardos-tool should be able to see your token
$ cardos-tool --info
Using reader with a card: Aladdin eToken PRO 64k
3b:f2:18:00:02:c1:0a:31:fe:58:c8:09:75
Info : CardOS V4.2B (C) Siemens AG 1994-2005
Chip type: 124
Serial number: 27 38 29 11 2f 1c
Full prom dump:
33 66 00 22 9A 9A 9A 9A 7C FF 27 38 29 11 2F 1C 3f."....|.'8)./.
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.9 (that's CardOS M4.2B)
Current life cycle: 32 (administration)
Security Status of current DF:
Free memory : 1024
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
Free eeprom memory: 38913
System keys: PackageLoadKey (version 0xfe, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:
PKCS#15 initialization
Do not do this on a token issued by the VT CA and holding a certificate and keypair you need: the --erase step below wipes everything on the token.
- Initialize the eToken with the Aladdin RTE. No FIPS, permit 2048-bit keys if you have a 64K eToken Pro.
- You may wish to update /usr/share/opensc/cardos.profile to change the maximum allowed PIN length or the number of attempts before the PIN is locked out.
# Initialize and create the PKCS#15 application
$ pkcs15-init --erase --create-pkcs15 --no-so-pin --label green-pkcs15
# Create a user PIN
$ pkcs15-init --auth-id 01 --store-pin
# You will be prompted for both the PIN and PUK.
# Generate a key.
# You can also use the PKCS#11 driver to do this and you must use the PKCS#11 driver if
# you are storing your key in the Aladdin app.
$ pkcs15-init --generate-key rsa/1024 --auth-id 01 --id 20110907 --label "my-ssh-pkcs15"
# See the ssh key
$ pkcs15-tool --read-ssh-key 20110907
PKCS#11 driver
- Most applications work with PKCS#11 although a few use libopensc and the PKCS#15 application.
- For OpenSC the driver is /usr/lib/opensc-pkcs11.so (/usr/lib64/opensc-pkcs11.so on 64-bit systems).
- For the Aladdin RTE, the driver is /usr/lib/libeTPkcs11.so.
# Note: You will not see the token if it has not been initialized with a PKCS#15 application.
# Until you do that, the slots will appear empty.
#
$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-slots
Available slots:
Slot 0           Aladdin eToken PRO
  token label:   OpenSC Card (User PIN)
  token manuf:   OpenSC Project
  token model:   PKCS#15
  token flags:   login required, PIN initialized, token initialized
  serial num  :  10ACE7010816
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)

# Aladdin driver and PC/SC. Token in slot:
$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-slots
Available slots:
Slot 0           AKS ifdh 00 00
  token label:   Phil-Old-VT
  token manuf:   SafeNet Inc.
  token model:   eToken
  token flags:   login required, PIN initialized, token initialized, other flags=0x200
  serial num  :  429a630c
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Slot 4           (empty)
Slot 5           (empty)

# Key generation
$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --keypairgen --key-type rsa:1024 --login --label "me@vt.edu" --id 20110831

# Aladdin app with VT CA certificate/keypair and added ssh key
$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-objects --login
Please enter User PIN:
Private Key Object; RSA
  label:
  ID:         60b867e6dc2c5b6c
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      12266
  ID:         60b867e6dc2c5b6c
Certificate Object, type = X.509 cert
  label:
Certificate Object, type = X.509 cert
  label:
Private Key Object; RSA
  label:      me@vt.edu
  ID:         20110831
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      me@vt.edu
  ID:         20110831
  Usage:      encrypt, verify, wrap
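The listings above are what you check by hand before pointing ssh at the token. The script below is an added example, not part of the original page or of the OpenSC or Aladdin projects: it parses pkcs11-tool output in the layout shown above to confirm a slot actually holds an initialized token (an eToken with no PKCS#15 application shows every slot as empty), reads the RSA modulus length of the key with a given ID so a 1024-bit key is flagged, and then exports the public key in authorized_keys form with OpenSSH's own PKCS#11 support (ssh-keygen -D). The module path, the key ID 20110907 and the two sample outputs embedded in it are assumptions and constructed data; pkcs11-tool (from opensc) and ssh-keygen are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original page): pick a PKCS#11 slot with an
# initialized token, check the RSA key size, export the ssh public key.
# Assumes pkcs11-tool and ssh-keygen are installed; module path, key ID
# and the sample outputs below are assumptions / constructed data.

# Constructed sample of `pkcs11-tool --list-slots` output, in the layout
# shown on this page, so the parsers run with no token plugged in.
SAMPLE_SLOTS='Available slots:
Slot 0           Aladdin eToken PRO
  token label:   OpenSC Card (User PIN)
  token manuf:   OpenSC Project
  token model:   PKCS#15
  token flags:   login required, PIN initialized, token initialized
  serial num  :  10ACE7010816
Slot 1           (empty)
Slot 2           (empty)'

# Constructed sample of `pkcs11-tool --list-objects` output.
SAMPLE_OBJECTS='Private Key Object; RSA
  label:      me@vt.edu
  ID:         20110831
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      me@vt.edu
  ID:         20110831
  Usage:      encrypt, verify, wrap'

# Slot numbers whose token reports "token initialized"; --list-slots on stdin.
initialized_slots() {
    awk 'BEGIN { slot = -1 }
         /^Slot [0-9]+/ { slot = $2 }
         /token flags:/ && /token initialized/ { print slot }'
}

# Serial number of the token in slot $1, or nothing if that slot is empty.
slot_serial() {
    awk -v want="$1" 'BEGIN { slot = -1 }
         /^Slot [0-9]+/ { slot = $2 }
         slot == want && /serial num/ { sub(/.*serial num *: */, ""); print; exit }'
}

# Modulus length of the RSA public key object whose ID is $1;
# --list-objects output on stdin. Private key and certificate objects
# carry the same ID, so the size is only taken from a public key header.
pubkey_bits_for_id() {
    awk -v want="$1" '
        /^Public Key Object; RSA [0-9]+ bits/ { bits = $5; next }
        /^[A-Za-z]/ { bits = "" }
        /^ +ID:/ && $2 == want && bits != "" { print bits; exit }'
}

# Query a real module: refuse to continue if no slot has an initialized
# token, warn on a 1024-bit key (about 80 bits of strength), then print
# the token's public key(s) in authorized_keys form.
export_ssh_pubkey() {
    module="$1"; keyid="$2"
    [ -r "$module" ] || { echo "module not found: $module" >&2; return 1; }
    slot=$(pkcs11-tool --module "$module" --list-slots | initialized_slots | head -n 1)
    [ -n "$slot" ] || { echo "no initialized token; create the PKCS#15 application first" >&2; return 1; }
    serial=$(pkcs11-tool --module "$module" --list-slots | slot_serial "$slot")
    echo "using token $serial in slot $slot" >&2
    bits=$(pkcs11-tool --module "$module" --list-objects | pubkey_bits_for_id "$keyid")
    [ -n "$bits" ] || { echo "no RSA public key with ID $keyid on the token" >&2; return 1; }
    [ "$bits" -ge 2048 ] || echo "warning: $bits-bit RSA key on the token" >&2
    ssh-keygen -D "$module"   # prints "ssh-rsa AAAA..." lines for the token's keys
}

# Usage (assumed paths): MODULE=/usr/lib64/opensc-pkcs11.so KEYID=20110907 sh export.sh
if [ -n "${MODULE:-}" ]; then
    export_ssh_pubkey "$MODULE" "${KEYID:-20110907}"
fi
```

Append the printed "ssh-rsa ..." line to ~/.ssh/authorized_keys on the server; the client then authenticates with `ssh -I /usr/lib64/opensc-pkcs11.so host` (or the Aladdin module for a key in the Aladdin app), entering the token PIN instead of a passphrase. With no MODULE set the script only defines the functions, so the parsers can be exercised against the embedded samples.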