Need second source for USB tokens that work with opensc - any tips?

Hi everybody,

First I'd like to thank the opensc project for their
wonderful work! Many
years ago I looked into Linux and crypto tokens and the
situation was not
good compared to windows, but these days things look a lot
better.

I have one problem though. I'm involved with a project that
currently uses
Aladdin eTokens, and they work very well. My customer
however insists that
we have a second supplier for all components, so I have to
find a well
supported alternative for Aladdin, that they can source
easily.

I've trawled the web and found:

'Schlumberger/Axalto Cryptoflex 32k e-gate card (pre-cut)
plus an e-gate
token adapter' - unavailable it appears?

'Rainbow iKey 3000' - no longer available,
http://engl
ish.cyprotect.com/main0152.php - I've emailed infocyprotect.com
about the replacement they mention, but got no response
yet.

'Rainbow iKey 2032' - available, but not really supported:
'OpenCT supports
the Rainbow iKey 2032. However this driver was not tested
ever, as there is
no linux software for the smart card inside of it, and no
documentation
available.'

'Eutron Crypto-Identity ITSEC'
https://www.opensc-project.org/opensc/wiki/CryptoI
dentityItsec notes that
there have been problems: 'We are currently trying to find a
solution for
this problem together with Siemens, Eutron and Andreas
Jellinghaus. If we
make further progress with this issue, we will publish them
on this Wiki 
page as soon as possible.'

So are there any recommendations for me to get a second
source of tokens
that work well with opensc? 

I can update the wiki with any feedback I get if that would
be appreciated.

Thanks!


-- 
http://www.PowerDNS.com  
   Open source, database driven DNS Software 
http://netherlabs.nl     
        Open and Closed source services
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bert hubert wrote:
> Hi everybody,
> 
> I have one problem though. I'm involved with a project
that currently uses
> Aladdin eTokens, and they work very well. My customer
however insists that
> we have a second supplier for all components, so I have
to find a well
> supported alternative for Aladdin, that they can source
easily.
> 

Hmm, i've been trying to get a hold of one or two of those,
but they
seem to be very hard to get here (if you only want one or
two, and not,
say, fifty).

> 
> 'Schlumberger/Axalto Cryptoflex 32k e-gate card
(pre-cut) plus an e-gate
> 'Rainbow iKey 3000' - no longer available,
> 'Rainbow iKey 2032' - available, but not really
supported: 'OpenCT supports
> 'Eutron Crypto-Identity ITSEC'
> https://www.opensc-project.org/opensc/wiki/CryptoI
dentityItsec notes that
> there have been problems: 'We are currently trying to
find a solution for
> this problem together with Siemens, Eutron and Andreas
Jellinghaus. If we
> make further progress with this issue, we will publish
them on this Wiki 
> page as soon as possible.'
> 

I only have experience with the Eutron, and it has not been
good. Now
that you mention it, i've been meaning to send this
(although it should
probably go to the openct list):

Apart from the problems described on the above link i've
encountered two
more within opensc/openct (with recent versions);


1. There seems to be an off-by-one error in openct (as
provided, the
token wouldn't work at all before i changed
566: if (n + 3 > rmax || block[2] >= 254)
to
566: if (n + 3 > rmax || block[2] > 254)

2. Due to the initialization problem i've been reluctant to
try and set
a PIN on it. However, when i received mine it already had a
key on it so
it does actually work. But only without a PIN, which i
presume is
against PKCS specification. Therefore i had to remove the
check in
engine_pkcs11 to force it to work (line 612 in
engine_pkcs11.c).

These are not solutions that I would build a system on,
though ;) It's
more battling symptons, and I haven't had time to figure out
whether
there are underlying fixables for this token.

Also due to the initialization problem I haven't been able
to change the
key on the token.

All in all, my personal advice would be to steer clear from
the eutron
token for now.

Jelte

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


iEYEARECAAYFAkgGBWIACgkQ4nZCKsdOncXjPgCfUvOH7ViKK+SGYku4KN6Q
QDj5
NcAAoNyPsXtq55bOO0OdgHJkg6ouVg6U
=8jS6
-----END PGP SIGNATURE-----
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

bert hubert a écrit :
> Hi everybody,
>
> First I'd like to thank the opensc project for their
wonderful work! Many
> years ago I looked into Linux and crypto tokens and the
situation was not
> good compared to windows, but these days things look a
lot better.
>
> I have one problem though. I'm involved with a project
that currently uses
> Aladdin eTokens, and they work very well. My customer
however insists that
> we have a second supplier for all components, so I have
to find a well
> supported alternative for Aladdin, that they can source
easily.
>
>   
Hi Bert,

An other solution is to go with card reader like Cardman
6121
(http://www.omnikey.com/?id=products&tx_okprod_pi1[p
roduct]=29) and put
a well supported smartcard cutted in SIM-size format. The
CM6121 is a
CCID like the other readers from OmniKey.

Cheers,

Jean-Pierre

_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

El Miércoles, 16 de Abril de 2008 13:31:09 bert hubert
escribió:
> Hi everybody,
> 
> First I'd like to thank the opensc project for their
wonderful work! Many
> years ago I looked into Linux and crypto tokens and the
situation was not
> good compared to windows, but these days things look a
lot better.
> 
> I have one problem though. I'm involved with a project
that currently uses
> Aladdin eTokens, and they work very well. My customer
however insists that
> we have a second supplier for all components, so I have
to find a well
> supported alternative for Aladdin, that they can source
easily.
> 
> I've trawled the web and found:
> 
> 'Schlumberger/Axalto Cryptoflex 32k e-gate card
(pre-cut) plus an e-gate
> token adapter' - unavailable it appears?
> 
> 'Rainbow iKey 3000' - no longer available,
> http://engl
ish.cyprotect.com/main0152.php - I've emailed infocyprotect.com
> about the replacement they mention, but got no response
yet.
> 
> 'Rainbow iKey 2032' - available, but not really
supported: 'OpenCT supports
> the Rainbow iKey 2032. However this driver was not
tested ever, as there is
> no linux software for the smart card inside of it, and
no documentation
> available.'
> 
> 'Eutron Crypto-Identity ITSEC'
> https://www.opensc-project.org/opensc/wiki/CryptoI
dentityItsec notes that
> there have been problems: 'We are currently trying to
find a solution for
> this problem together with Siemens, Eutron and Andreas
Jellinghaus. If we
> make further progress with this issue, we will publish
them on this Wiki 
> page as soon as possible.'
> 
> So are there any recommendations for me to get a second
source of tokens
> that work well with opensc? 
> 
> I can update the wiki with any feedback I get if that
would be appreciated.
> 
> Thanks!
> 
> 
Hi!

For those cryptoflex e-gate, maybe at usasmartcard.com you
can find some. However, manufacturer has already retired
them from market since march.
Maybe some oberthur id one usb token work... not tested
however.

_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

On 4/16/08, bert hubert <bert.hubertnetherlabs.nl> wrote:
> Hi everybody,
>
>  First I'd like to thank the opensc project for their
wonderful work! Many
>  years ago I looked into Linux and crypto tokens and
the situation was not
>  good compared to windows, but these days things look a
lot better.
>
>  I have one problem though. I'm involved with a project
that currently uses
>  Aladdin eTokens, and they work very well. My customer
however insists that
>  we have a second supplier for all components, so I
have to find a well
>  supported alternative for Aladdin, that they can
source easily.
>

Athena works with trunk.
http://www.athena-scs.com

They also supported the development.

Alon
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

It should be noted that when ordering the tokens from Athena
you MUST
specify they are for use with PKCS15 otherwise you get
"personalized" tokens
and they will not work with OpenSC


--
Dan

-----Original Message-----
From: opensc-user-bounceslists.opensc-project.org
[mailto:opensc-user-bounceslists.opensc-project.org]
On Behalf Of Alon
Bar-Lev
Sent: Wednesday, April 16, 2008 12:12 PM
To: bert hubert
Cc: opensc-userlists.opensc-project.org
Subject: Re: [opensc-user] Need second source for USB tokens
that work with
opensc - any tips?

On 4/16/08, bert hubert <bert.hubertnetherlabs.nl> wrote:
> Hi everybody,
>
>  First I'd like to thank the opensc project for their
wonderful work!
> Many  years ago I looked into Linux and crypto tokens
and the
> situation was not  good compared to windows, but these
days things look a
lot better.
>
>  I have one problem though. I'm involved with a project
that currently
> uses  Aladdin eTokens, and they work very well. My
customer however
> insists that  we have a second supplier for all
components, so I have
> to find a well  supported alternative for Aladdin, that
they can source
easily.
>

Athena works with trunk.
http://www.athena-scs.com

They also supported the development.

Alon
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user



_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

On 4/16/08, Dan Peterson <drpetersones.net> wrote:
> It should be noted that when ordering the tokens from
Athena you MUST
>  specify they are for use with PKCS15 otherwise you get
"personalized" tokens
>  and they will not work with OpenSC

Are you sure?
I though that it was a local issue.
I had no problem in formating these either way.

Alon.
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

That is what they told me at the RSA conference.
They have said that they needed to know the PKCS15 format
was being used on the token.

I will try and find/forward you the message off list.

And that brings me to another issue:
I have a FreeBSD system that has latest's opensc (11.4) and
openct yet the reader cannot see the Athena token
The system works fine with Aladdin and it does see the
device in the USB port but cant get the reader to see the
token.
Or light the LED
--
Dan

-----Original Message-----
From: Alon Bar-Lev [mailto:alon.barlevgmail.com] 
Sent: Wednesday, April 16, 2008 12:54 PM
To: drpetersones.net
Cc: bert hubert; opensc-userlists.opensc-project.org
Subject: Re: [opensc-user] Need second source for USB tokens
that work with opensc - any tips?

On 4/16/08, Dan Peterson <drpetersones.net> wrote:
> It should be noted that when ordering the tokens from
Athena you MUST  
> specify they are for use with PKCS15 otherwise you get
"personalized" 
> tokens  and they will not work with OpenSC

Are you sure?
I though that it was a local issue.
I had no problem in formating these either way.

Alon.



_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

On Wed, Apr 16, 2008 at 01:28:46PM -0700, Dan Peterson
wrote:
> I have a FreeBSD system that has latest's opensc (11.4)
and openct yet the
> reader cannot see the Athena token The system works
fine with Aladdin and

Hmm, thanks for the information. I don't yet feel entirely
happy with Athena
given these two issues (special ordering, need trunk), are
there any other
solutions?

I'll see if I can update the wiki with information about
Athena though.

	Bert

-- 
http://www.PowerDNS.com  
   Open source, database driven DNS Software 
http://netherlabs.nl     
        Open and Closed source services
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user

On 4/17/08, bert hubert <bert.hubertnetherlabs.nl> wrote:
> Hmm, thanks for the information. I don't yet feel
entirely happy with Athena
>  given these two issues (special ordering, need trunk),
are there any other
>  solutions?

You should evaluate the source of information better... 

Athena provides their smartcard in several packages,
regular
smartcard, or few modules of integrated readers, what you
probably
call "tokens".

As far as smartcard is concerned, opensc trunk is ready.

If you want to use their integrated reader you may order
these
configured for CCID, so you can use pcsc-lite or openct
native CCID
drivers to access them. They also have a driver to their
integrated
reader for pcsc-lite, but better to use standard CCID.

It is much better than Aladdin case, as Aladdin does not
support open
source development, and provide proprietary reader
interface.

Alon.
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-
user