Adventures In Crypto Land Part 1: Setting up my Aladdin eToken PRO 32k on Linux

Ever since I discovered that public key cryptography can be used for authentication and e-mail privacy, I’ve been itching to use it, but one thing always held me back. I feared that a hacker could secretly breach my personal computer, copy out the sensitive private key, and then spy on my communications or impersonate me with impunity while I remained blissfully ignorant. Passwords were no better, but I never thought setting myself up with private key authentication and privacy was going to be worth the hassle of carefully guarding my private key.

My prayers were answered when I discovered smart cards (and their USB equivalent, the ‘security token’). These nifty little devices interface with your computer, but they keep the private key to themselves and perform all the decryption and cryptographic signing on the device. At no point, even during a cryptographic operation, does the private key become known to the computer. Perfect! The one caveat is that what the token protects is the key, not its use: the host still sees the PIN you type, and malware on a compromised host can ask the token to sign or decrypt for as long as it is plugged in and unlocked. What the attacker cannot do is copy the key, so the exposure ends when you unplug the token instead of lasting until you happen to notice.

The problem is that the software needs to know how to cooperate with the token in order to make use of the well-concealed private key, and I’ve been waiting a long time for Linux software that uses this technology to mature to a usable point. After an experience with a brute-force SSH attacker at work, I decided that time had come. So, I set out to achieve the following goals:

  • Part 1: Buy a few USB cryptographic tokens online, configure them under Linux, and generate key pairs and SSL certificates on them.
  • Part 2: Establish secure authentication for SSH
  • Part 3: Use a token with PGP
  • Part 4: Establish secure authentication for my web server
  • Part 5: Establish secure authentication for my OpenVPN server

First, I decided on OpenSC as the software I’d use to interact with my smart card. It is supported directly by an SSH patch, and it implements the PKCS#11 standard library interface, which I’ve learned is considered the de facto standard for software to interact with smart cards and other cryptographic tokens. So I went to the OpenSC site and looked at which USB token to get, and it appeared that the device with the most testing and support from the OpenSC team was the Aladdin eToken PRO USB 32k. I found a supplier on eBay that offered them in lots of ten for a reasonable price.

Aladdin eToken Pro

Here’s how I got it going under Linux:

  • I installed openct (the smart card reader/driver software) and opensc, which uses it. On my Gentoo install I did this by adding ‘smartcard’, ‘openct’, and ‘opensc’ to my USE flags and running:

    emerge opensc

  • A site or two told me to make sure USB support and hotplugging support were enabled in my kernel and that the hotplug software was installed, but this was already done.
  • I popped in my token and ran:

    $ opensc-tool --list-readers
    Readers known about:
    Nr. Driver Name
    0 openct Aladdin eToken PRO
    1 openct OpenCT reader (detached)
    2 openct OpenCT reader (detached)
    3 openct OpenCT reader (detached)
    4 openct OpenCT reader (detached)

  • Success! My USB token was recognized. Here are the steps I used to create the PKCS#15 structure and my key pair:

    $ pkcs15-init -EC
    New Security Officer PIN (Optional – press return for no PIN).
    Please enter Security Officer PIN:
    Please type again to verify:
    Unblock Code for New User PIN (Optional – press return for no PIN).
    Please enter User unblocking PIN (PUK):
    Please type again to verify:
    $ pkcs15-init --store-pin --auth-id 01 --label "Daniel Benoy"
    New User PIN.
    Please enter User PIN:
    Please type again to verify:
    Unblock Code for New User PIN (Optional – press return for no PIN).
    Please enter User unblocking PIN (PUK):
    Please type again to verify:
    Security officer PIN required.
    Please enter Security officer PIN:
    $ pkcs15-init --generate-key rsa/1024 --auth-id 01 --split-key -u sign,decrypt
    Security officer PIN required.
    Please enter Security officer PIN:
    User PIN required.
    Please enter User PIN:
    Security officer PIN required.
    Please enter Security officer PIN:

  • Watch out. I learned the hard way that if you don’t set a PUK for your SO PIN and your User PIN, then three wrong PIN entries in a row will render your token useless! Luckily I found a copy of the Windows drivers and was able to use those to do a low-level format and recover the use of my device (with the keys gone, of course). I imagine that if you did this on other smart cards you might not be as lucky. Also be sure to use ‘-u sign,decrypt’ if you want to use your eToken for PGP decryption as well as authentication. The --split-key option is an artifact of the eToken hardware and is not needed on other cards. Two more things worth deciding before you commit: give the SO PIN and the User PIN different values (the SO PIN is the administrative credential that can re-initialise the card, so it deserves more protection than the everyday PIN), and if your token can generate 2048-bit RSA keys, prefer rsa/2048 over the rsa/1024 shown above, since 1024-bit RSA no longer offers an adequate security margin.
  • Next, I reconfigured OpenSSL to use the smart card to generate and self-sign a certificate. I installed the engine_pkcs11 plugin for OpenSSL and put the following at the top of my openssl.cnf file:

    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section
    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines/engine_pkcs11.so
    MODULE_PATH = /usr/lib/opensc-pkcs11.so
    init = 0

    And ran:

    openssl req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509
    SmartCard PIN:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ‘.’, the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:.CA
    State or Province Name (full name) [Some-State]:.Ontario
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:.Daniel Benoy
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, YOUR name) []:Daniel Benoy
    Email Address []:

    Please enter the following ‘extra’ attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Now that the certificate has been generated, I put it on the card:

    $ pkcs15-init --store-certificate req.pem --auth-id 01 --id 45 --format pem
    Security officer PIN required.
    Please enter Security officer PIN:

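Pulling the steps above into one script is worth doing once the manual run has worked, mostly for the checks it lets you add. The helper below is an added example of mine, not code from the post or from OpenSC: it parses the `opensc-tool --list-readers` listing so the right `--reader` is chosen even with OpenCT's empty "(detached)" slots present, refuses 1024-bit keys unless you opt in, runs the same `pkcs15-init` sequence (PINs are still typed at the tool's own prompts, never put on a command line), and finally signs random bytes through engine_pkcs11 and verifies the signature with the public key taken from the stored certificate, which proves the on-card key and the certificate belong together. It assumes the engine and module paths from the openssl.cnf above, key id 45 and the old engine_pkcs11 `id_45` naming used in the post, that the system openssl.cnf already carries the engine section, and that your pkcs15-init accepts `--reader` and `--id` (the sample reader listing is constructed in the shape of the one above).

```python
"""Provisioning helper for an OpenSC-managed USB token (added example; not the
post's code).  Assumes: key id 45, engine_pkcs11 'id_45' key naming, a system
openssl.cnf that already has the post's engine section, and pkcs15-init with
--reader/--id.  PINs are entered at pkcs15-init's own prompts."""
import os
import re
import subprocess
import sys
import tempfile
from pathlib import Path

KEY_ID = "45"   # id the post uses for both the key and its certificate

# Constructed sample in the shape of the `opensc-tool --list-readers` output
# shown on the page; lets the parser be exercised without hardware.
SAMPLE_READERS = """\
Readers known about:
Nr. Driver Name
0 openct Aladdin eToken PRO
1 openct OpenCT reader (detached)
2 openct OpenCT reader (detached)
"""

READER_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*\S)\s*$")


def parse_readers(text):
    """Return [(nr, driver, name)] for every reader line in the listing."""
    out = []
    for line in text.splitlines():
        m = READER_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def pick_reader(text, name_hint="eToken"):
    """Number to pass as --reader.  OpenCT lists empty '(detached)' slots too,
    so drop those and insist on exactly one matching, attached token."""
    hits = [r for r in parse_readers(text)
            if "(detached)" not in r[2] and name_hint.lower() in r[2].lower()]
    if len(hits) != 1:
        raise RuntimeError("expected one attached %r, found %d" % (name_hint, len(hits)))
    return hits[0][0]


def provisioning_plan(reader, label, key_bits=2048, allow_weak=False):
    """The post's pkcs15-init sequence as argv lists, pinned to one reader.
    Answer every PUK prompt: with no PUK, three bad PINs lock the token."""
    if key_bits < 2048 and not allow_weak:
        raise ValueError("rsa/%d is too small; set allow_weak=True only if the "
                         "token cannot generate 2048-bit keys" % key_bits)
    base = ["pkcs15-init", "--reader", str(reader)]
    return [
        base + ["-E", "-C"],                       # erase, then create PKCS#15 structure
        base + ["--store-pin", "--auth-id", "01", "--label", label],
        base + ["--generate-key", "rsa/%d" % key_bits, "--auth-id", "01",
                "--id", KEY_ID, "--split-key", "-u", "sign,decrypt"],  # --split-key: eToken only
    ]


def run(argv, **kw):
    print("+", " ".join(argv), file=sys.stderr)
    return subprocess.run(argv, check=True, **kw)


def sign_verify_roundtrip(cert_pem, key_ref="id_" + KEY_ID, workdir=None):
    """Sign fresh random bytes with the card key through engine_pkcs11, then
    verify with the public key extracted from the certificate.  True only if
    the on-card key and the stored certificate are a matching pair."""
    work = Path(workdir or tempfile.mkdtemp(prefix="etoken-"))
    data, sig, pub = work / "data.bin", work / "data.sig", work / "pub.pem"
    data.write_bytes(os.urandom(32))
    run(["openssl", "dgst", "-sha256", "-engine", "pkcs11", "-keyform", "engine",
         "-sign", key_ref, "-out", str(sig), str(data)])
    pub.write_bytes(run(["openssl", "x509", "-in", str(cert_pem), "-pubkey", "-noout"],
                        capture_output=True).stdout)
    res = subprocess.run(["openssl", "dgst", "-sha256", "-verify", str(pub),
                          "-signature", str(sig), str(data)], capture_output=True)
    return res.returncode == 0 and b"Verified OK" in res.stdout


def main():
    listing = subprocess.run(["opensc-tool", "--list-readers"], check=True,
                             capture_output=True, text=True).stdout
    reader = pick_reader(listing)
    for cmd in provisioning_plan(reader, label="Daniel Benoy"):
        run(cmd)
    run(["openssl", "req", "-engine", "pkcs11", "-new", "-keyform", "engine",
         "-key", "id_" + KEY_ID, "-x509", "-days", "365", "-out", "cert.pem"])
    run(["pkcs15-init", "--reader", str(reader), "--store-certificate", "cert.pem",
         "--auth-id", "01", "--id", KEY_ID, "--format", "pem"])
    ok = sign_verify_roundtrip("cert.pem")
    print("card key and certificate match:", ok)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

The round-trip at the end is the check I would not skip: `openssl req` happily produces a certificate for whatever key the engine hands it, and a mismatch between the certificate on the card and the key on the card only shows up later as an unexplained authentication failure.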
And then I was set. Next, it was time to set up my card to authenticate me with SSH. Keep watching my blog for more!

12 comments

  1. You wrote:

    “Luckily I found a copy of the Windows drivers and was able to use those to do a low level format and recover the use of my device (With the keys gone of course).”

    Did you find the drivers on the net?
    I need to low-level format my Stick too, maybe you can help…

  2. Sure!

    You can grab the drivers from the Aladdin site (Or here, if you want to bypass the registration form: http://www.aladdin.ru/bitrix/redirect.php?event1=download&goto=/upload/iblock/2c0/RTE_3.65.zip)

    Install it, then set this registry key:
    HKLM\SOFTWARE\Aladdin\eToken\eTProperties\Advanced:DWORD = 0x1F
    (The default is 0x01)

    And then put in your eToken and you should see an icon (I think in the system tray) that you can right click on and bring up ‘Properties’. If you edited the registry properly, there should be an ‘Initialize’ button in there somewhere. That should wipe out the key at a lower level, ignoring PINs. Naturally, your keys will be lost too.

  3. Did the stuff written here (under Windows), everything worked without errors (after some efforts, of course), but I don’t see certificates in Mozilla, for instance.

  4. I didn’t try it in Windows, personally.
    As for mozilla/firefox, I think you have to go under security in some configuration and select a PKCS#11 library that comes with the driver software you’re using (For both Linux and Windows)

  5. wow, it works! Just had to remove etoken and insert it again :-)
    thanks for the tutorial!

  6. Hey!

    I’m doing some research on the eToken PRO on Linux, I’ve gone pretty far, maybe we can exchange some knowledge about the eToken?

  7. What do you want to know?

  8. Have you already figured out pam_pkcs11 login? I’m a bit stuck with this.

  9. This is a pretty good howto. Thanks.

  10. In fact I was able to use these instructions to reinitialize an old key running in Windows. The commands are a bit different to create the cert in openssl, but doable. Thanks again.

  11. Daniel,

    I’ve been looking for ages (well not too diligently) for a device that will be able to store an SSL client cert, PGP key and SSH key and work under Linux.

    Thanks for your tutorial, it was most insightful. I see here you’ve managed two out of three.

    Have you managed to store an SSH key in the token and use it with OpenSSH? How about OpenVPN?

  12. Hi Alex,

    you may want to try to play with
    http://alon.barlev.googlepages.com/openssh-pkcs11
    to get ssh with PKCS#11 going
