
Thread: eToken AKS support




eToken AKS support
Ukraine
2008-03-13 08:15:23
Hello All!

I am trying to provide user logon on the eToken AKS application.
The token is based on CardOS V4.2B.

Aladdin's utility eToken Property uses EXTERNAL_AUTHENTICATE for this.
The utility sends the APDU GET_CHALLENGE "00 84 00 00 08" and
EXTERNAL_AUTHENTICATE "00 82 00 81 08 2D 42 BC F8 C1 65 A3 D5"

But I don't know how to build the EXTERNAL_AUTHENTICATE data.
It looks like hashed PIN + challenge response.
But how do I correctly combine the PIN and challenge response, and
which hash algorithm is used?

If I try a simple ASCII VERIFY:
00 20 00 81 A0 30 31 32 33 34 35 36 37 38 39
I get error 0x6984 (BS Object has invalid format).

Maybe somebody knows the PIN format for this application?



_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: eToken AKS support
2008-03-15 23:13:12
Hi Dmitry,

> I am trying to provide user logon on the eToken AKS application.
> The token is based on CardOS V4.2B.

What kind of logon do you mean (i.e. Windows-logon, SSH-logon, ...)?

> Aladdin's utility eToken Property uses EXTERNAL_AUTHENTICATE for this.
> The utility sends the APDU GET_CHALLENGE "00 84 00 00 08" and
> EXTERNAL_AUTHENTICATE "00 82 00 81 08 2D 42 BC F8 C1 65 A3 D5"
>
> But I don't know how to build the EXTERNAL_AUTHENTICATE data.
> It looks like hashed PIN + challenge response.
> But how do I correctly combine the PIN and challenge response, and
> which hash algorithm is used?
>
> If I try a simple ASCII VERIFY:
> 00 20 00 81 A0 30 31 32 33 34 35 36 37 38 39
> I get error 0x6984 (BS Object has invalid format).

Have a look at the following thread on the OpenSC devel
mailing list (from December 2006):
http://www.opensc-project.org/pipermail/opensc-devel/2006-December/009396.html

Same problem?

Aladdin does not protect their private keys by a PIN
but uses a symmetric key instead. Therefore you must
use a GET_CHALLENGE/EXTERNAL_AUTHENTICATION-APDU instead of
a VERIFY-APDU.

This only happens if you are using an Aladdin eToken that
was formatted by the Aladdin-tools. If you format your
eToken with OpenSC your keys will be protected the
"normal" way.

Peter

Re: eToken AKS support
Ukraine
2008-03-17 06:42:39
Hello Peter!
 
> What kind of logon do you mean (i.e. Windows-logon, SSH-logon, ...)?

Just authenticating the user for a security operation.

> This only happens if you are using an Aladdin eToken that
> was formatted by the Aladdin-tools. If you format your
> eToken with OpenSC your keys will be protected the
> "normal" way.

Yes, I have a problem only with the AKS application; PKCS15 on
the eToken is working correctly.

> http://www.opensc-project.org/pipermail/opensc-devel/2006-December/009396.html
> Same problem?

Not quite, I want to provide data signing with the eToken
application AKS.
I have no problem with MSE and PSO, but first I need
to authenticate the user.

As I wrote,

> Aladdin's utility eToken Property uses EXTERNAL_AUTHENTICATE for this.
> The utility sends the APDU GET_CHALLENGE "00 84 00 00 08" and
> EXTERNAL_AUTHENTICATE "00 82 00 81 08 2D 42 BC F8 C1 65 A3 D5"
>
> But I don't know how to build the EXTERNAL_AUTHENTICATE data.
> It looks like hashed PIN + challenge response.
> But how do I correctly combine the PIN and challenge response, and
> which hash algorithm is used?

I don't have enough documentation for making the
EXTERNAL_AUTHENTICATE data.
Aladdin doesn't publish it and promotes their own pkcs11
library.
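
The three command APDUs quoted in this thread, decoded field by field as an added example (not part of any message above, and not OpenSC or Aladdin code). It is a short-form ISO 7816-4 parser; the names `parse_apdu`, `Apdu`, `describe` and `THREAD_APDUS` are introduced here for illustration, and it does not attempt to derive the EXTERNAL_AUTHENTICATE data, which the thread leaves open.

```python
# Added example: short-form ISO 7816-4 command APDU decoder (illustrative names).
from dataclasses import dataclass
from typing import Optional

INS_NAMES = {0x20: "VERIFY", 0x82: "EXTERNAL AUTHENTICATE", 0x84: "GET CHALLENGE"}

# The three APDUs exactly as quoted in the thread.
THREAD_APDUS = [
    "00 84 00 00 08",
    "00 82 00 81 08 2D 42 BC F8 C1 65 A3 D5",
    "00 20 00 81 A0 30 31 32 33 34 35 36 37 38 39",
]

@dataclass
class Apdu:
    ins: int
    p1: int
    p2: int                 # reference qualifier (PIN or key reference)
    data: bytes             # command data field, empty if absent
    le: Optional[int]       # expected response length, None if absent
    problem: Optional[str]  # set when the length byte disagrees with the body

def parse_apdu(hex_string: str) -> Apdu:
    raw = bytes.fromhex(hex_string)
    if len(raw) < 4:
        raise ValueError("need at least CLA INS P1 P2")
    _cla, ins, p1, p2 = raw[:4]
    body, data, le, problem = raw[4:], b"", None, None
    if len(body) == 1:                    # case 2: Le only (00 means 256)
        le = body[0] or 256
    elif len(body) > 1:
        lc, rest = body[0], body[1:]
        if lc == 0:
            problem = "Lc=00: extended-length form, not decoded here"
        elif len(rest) == lc:             # case 3: Lc + data
            data = rest
        elif len(rest) == lc + 1:         # case 4: Lc + data + Le
            data, le = rest[:-1], rest[-1] or 256
        else:                             # length byte and body disagree
            data = rest
            problem = f"Lc=0x{lc:02X} ({lc}) but {len(rest)} data bytes follow"
    return Apdu(ins, p1, p2, data, le, problem)

def describe(hex_string: str) -> str:
    a = parse_apdu(hex_string)
    name = INS_NAMES.get(a.ins, f"INS {a.ins:02X}")
    return (f"{name}: P1={a.p1:02X} P2={a.p2:02X} data={a.data.hex().upper() or '-'} "
            f"Le={a.le} -> {a.problem or 'well-formed'}")

if __name__ == "__main__":
    for apdu in THREAD_APDUS:
        print(describe(apdu))
```

GET_CHALLENGE and EXTERNAL_AUTHENTICATE decode as well-formed, with an 8-byte challenge requested and an 8-byte response sent under reference 81. The VERIFY string as quoted carries a length byte of A0 (160) while 10 data bytes follow, which the parser reports in `problem`.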



