<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>
      AladdinEtokenPro – OpenSC
    </title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div id="content" class="wiki">
      <div class="wikipage searchable">
        
          <h1 id="AladdineTokenPRO">Aladdin eToken PRO</h1>
<p>
<a style="padding:0; border:none" href="/opensc/attachment/wiki/AladdinEtokenPro/eToken.gif" shape="rect"><img src="/opensc/raw-attachment/wiki/AladdinEtokenPro/eToken.gif" alt="Image of eToken PRO 32K" title="Image of eToken PRO 32K"></img></a>
</p>
<p>
<a class="ext-link" href="http://www.ealaddin.com/" shape="rect"><span class="icon"> </span>Aladdin</a> offers the <a class="ext-link" href="http://www.aladdin.com/etoken/devices/pro-usb.aspx" shape="rect"><span class="icon"> </span>eToken PRO</a>, a USB crypto token with 32k or 64k memory and support for RSA keys of up to 2048 bits.
</p>
<p>
The eToken PRO is fully supported by OpenSC and is well tested.
</p>
<h2 id="Models">Models</h2>
<p>
The precise model of your token can be determined from the text moulded in the plastic enclosure.
</p>
<h3 id="Unsupportedmodels">Unsupported models</h3>
<p>
There is a rare version of the Aladdin eToken PRO with a G&amp;D Starcos smart card inside. This version never went into mass production as far as we know, and  is not supported by OpenSC.
</p>
<p>
There are also some smart cards with the "Aladdin eToken" name on them. These cards are too old and are not supported by OpenSC, as they lack some required features.
</p>
<h3 id="eTokenR1andR2">eToken R1 and R2</h3>
<p>
Those were the first generation of tokens produced.  They use a proprietary protocol for communication between the host and token.
</p>
<ul><li><strong>USB IDs:</strong> 0529:030b through 0529:042a
</li><li><strong>Memory:</strong> (?)
</li><li><strong>Maximum RSA key size:</strong> (?)
</li><li><strong>Crypto chip:</strong> (?)
</li><li><strong>On-Chip OS:</strong> (?)
</li></ul><h3 id="eTokenPRO4.2B">eToken PRO 4.2B</h3>
<p>
This is the second public release of the device, which uses a proprietary protocol for communication.  These can still (2009) be found cheaply on eBay or elsewhere.
</p>
<ul><li><strong>USB IDs:</strong> 0529:0600 
</li><li><strong>Memory:</strong> 32k
</li><li><strong>Maximum RSA key size:</strong> 2048 bits (it takes a long while to generate one such key, and the LED turns black while it does.  Don't panic!)
</li><li><strong>Crypto chip:</strong> Infineon
</li><li><strong>On-Chip OS:</strong> Siemens CardOS M4.2B
</li></ul><h3 id="eToken64">eToken 64</h3>
<ul><li><strong>Memory:</strong> 64k
</li><li><strong>Maximum RSA key size:</strong> (?)
</li><li><strong>Crypto chip:</strong> (?)
</li><li><strong>On-Chip OS:</strong> CardOS M4.20 (?) or CardOS M4.3b (?)
</li></ul><h3 id="eTokenPROJavav4.29"><a class="ext-link" href="http://www.aladdin.com/etoken/devices/pro-usb.aspx" shape="rect"><span class="icon"> </span>eToken PRO (Java)</a> v4.29</h3>
<ul><li><strong>Microcontroller:</strong> <a class="ext-link" href="http://www.atmel.com/dyn/products/Product_card.asp?part_id=3727" shape="rect"><span class="icon"> </span>Atmel AT90SC25672RCT-USB Revision D</a>
</li><li><strong>Memory:</strong> 72KB EEPROM (64~67KB usable?; ~8KB reserved for firmware/patches?)
</li><li><strong>Software (default):</strong> GlobalPlatform v2.1.1, Java Card v2.2.2, <a class="ext-link" href="http://www.athena-scs.com/pdf/Athena_OS755_IDProtect_datasheet.pdf" shape="rect"><span class="icon"> </span>Athena OS755 IDProtect</a> v0106.x.x, Aladdin eToken Applet v1.x
</li><li><strong>USB IDs:</strong> 0529:0620
</li><li><strong>ATR:</strong> 3B D5 18 00 81 31 3A 7D 80 73 C8 21 10 30
</li><li><strong>FIPS:</strong> <a class="ext-link" href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1135" shape="rect"><span class="icon"> </span>140-2 Level 2</a> for USB and smart card versions. <a class="ext-link" href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm#1136" shape="rect"><span class="icon"> </span>Level 3</a> for HD (hardened) USB versions. 
</li></ul><h4 id="SupportedCryptographicServices">Supported Cryptographic Services</h4>
<ul><li><strong>Random Number Generator:</strong> DRNG (ANSI X9.31 two key TDES deterministic RNG seeded with the hardware RNG)
</li><li><strong>Message Digests:</strong> SHA-1, SHA-256
</li><li><strong>Signatures:</strong> RSA PKCS#1 (1024- to 2048-bit in 32-bit increments)
</li><li><strong>Ciphers:</strong> TDES (112- and 168-bit ECB and CBC), TDES MAC (vendor affirmed), AES (128-, 192- and 256-bit ECB and CBC), RSA (1024- to 2048-bit in 32-bit increments)
</li><li><strong>On-Card Key Generation:</strong> RSA PKCS#1 (1024- to 2048-bit in 32-bit increments)
</li><li><strong>Key Establishment:</strong> RSA (1024- to 2048-bit in 32-bit increments [strength 80-bits for RSA 1024 to 112-bits for RSA 2048])
</li></ul><p>
There seem to be three different physical versions available: the regular PRO, the PRO HD (a hardened version offering additional physical security compliant with FIPS 140-1 Level 3 requirements), and the PRO SC (a smart card). However, differentiating between the PRO and PRO HD is difficult, as there is little information specific to the HD version available online, and the image used in the FIPS Security Policy documents is identical for the PRO and PRO HD.
</p>
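<p>
Since the casing does not always identify the model, the ATR listed above is a useful cross-check. The following is an added example, not part of the OpenSC wiki or code base: it decodes that ATR per ISO/IEC 7816-3 and verifies its TCK checksum. The function name <tt>parse_atr</tt> and the result keys are assumptions of this example.
</p>

```python
from functools import reduce

# ATR of the eToken PRO (Java) v4.29, copied from the list on this page.
ETOKEN_PRO_JAVA_ATR = "3B D5 18 00 81 31 3A 7D 80 73 C8 21 10 30"

def parse_atr(atr_hex):
    """Decode an ISO/IEC 7816-3 ATR hex string; raise ValueError if malformed."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("too short or invalid TS byte")
    hist_len = atr[1] & 0x0F      # T0 low nibble: number of historical bytes
    presence = atr[1] >> 4        # T0 high nibble: which of TA1..TD1 follow
    pos, group = 2, 1
    interface, protocols = {}, []
    while presence:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if presence & bit:
                if pos >= len(atr):
                    raise ValueError("truncated interface bytes")
                interface[f"{name}{group}"] = atr[pos]
                td = atr[pos] if name == "TD" else td
                pos += 1
        if td is None:
            break
        protocols.append(td & 0x0F)   # TDi low nibble: protocol T
        presence = td >> 4            # TDi high nibble: next group's presence bits
        group += 1
    historical = atr[pos:pos + hist_len]
    tail = atr[pos + hist_len:]
    # TCK is mandatory unless T=0 is the only protocol offered.
    has_tck = any(t != 0 for t in protocols)
    if len(historical) != hist_len or len(tail) != (1 if has_tck else 0):
        raise ValueError("length does not match the T0/TDi structure")
    # XOR of every byte from T0 through TCK must be zero.
    tck_ok = (reduce(lambda a, b: a ^ b, atr[1:], 0) == 0) if has_tck else None
    return {
        "interface": interface,
        "protocols": sorted(set(protocols)) or [0],  # T=0 is implied if none listed
        "historical": historical,
        "tck_ok": tck_ok,
    }

if __name__ == "__main__":
    info = parse_atr(ETOKEN_PRO_JAVA_ATR)
    print({k: f"{v:02X}" for k, v in info["interface"].items()})
    print("T =", info["protocols"], "historical =", info["historical"].hex(),
          "TCK valid =", info["tck_ok"])
```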
<h3 id="eTokenNG-OTP"><a class="ext-link" href="http://www.aladdin.com/etoken/devices/ng-otp.aspx" shape="rect"><span class="icon"> </span>eToken NG-OTP</a></h3>
<p>
This device (and the others below) are compliant with the USB CCID (Chip/Smart Card Interface Devices) standard (see section “Smart Card Class” on <a class="ext-link" href="http://www.usb.org/developers/devclass_docs" shape="rect"><span class="icon"> </span>http://www.usb.org/developers/devclass_docs</a>).  As such, they don't require a proprietary driver to work with OpenSC.
</p>
<ul><li><strong>USB IDs:</strong> (?)
</li><li><strong>Memory:</strong> (?)
</li><li><strong>Maximum RSA key size:</strong> (?)
</li><li><strong>Crypto chip:</strong> (?)
</li><li><strong>On-Chip OS:</strong> Siemens CardOS M4.20 (?)
</li></ul><h2 id="Support">Support</h2>
<p>
Aladdin is perhaps the oldest player in the USB token field, and their hardware and software predate standards such as CCID and PKCS#15, so you can't really blame them for not conforming to these standards (especially for older token hardware).   See also the <i>Thanks</i> section below: they are a fair player!
</p>
<p>
Aladdin has an SDK with documentation on their FTP server for public download, but implementing the OpenSC driver required further documentation (from Siemens, available only under NDA as far as we know).
</p>
<h3 id="CardOS-basedversions">CardOS-based versions</h3>
<p>
CardOS versions up to and including M4.20 are supported. (Is CardOS M4.3b also working?)  This includes all the CardOS-based token versions listed above except the evaluation boards.  In order to make these work with OpenSC, one has to install the proprietary middleware; the proprietary key manager is not needed.  See <a class="wiki" href="AladdinEtokenPro#InstallationNotes.html" shape="rect">below</a>.
</p>
<p>
One minor misfeature of the Siemens CardOS M4 is that an RSA key cannot be used for both signing and decryption. OpenSC has implemented a workaround: it generates the key in software and stores it twice, once marked as a decryption key and once marked as a signing key. To enable this workaround, specify "--split-key" on the command line when creating the key.
</p>
<h2 id="InstallationNotes">Installation Notes</h2>
<p>
Aladdin provides their own software, which comprises both the middleware (necessary for all CardOS-based tokens) and the key-management tool (<a class="ext-link" href="http://www.etokenonlinux.org" shape="rect"><span class="icon"> </span>also for Linux</a>), which is not compatible with PKCS#15.  (However, as long as enough memory is available on the chip, it is possible to initialize the token with both OpenSC and this proprietary key manager, and thus install files and keys side by side; each program can then only handle its own structures.)
</p>
<h3 id="MacOSX">Mac OS X</h3>
<p>
Download the <a class="ext-link" href="ftp://ftp.aladdin.com/pub/etoken/PKI%20Client/PKI_Client_4_55_Mac/eToken_PKI_Client_4_55_Mac.zip" shape="rect"><span class="icon"> </span>PKIClient 4.55 software package</a>.  If you are only interested in the middleware (and not the proprietary key manager), don't install everything at once; rather, follow these steps:
</p>
<ol><li>unpack and mount the <tt>pkiclient.4.55.41.dmg</tt> file
</li><li>explore the <tt>eToken PKI Client 4.55.mpkg</tt> directory on it (Ctrl-click then “Show package contents”), then open “Contents” and “Packages”
</li><li>double-click on the following packages <strong>in this order</strong> so as to install them:
<ul><li><tt>etokenframework.pkg</tt>: those are the shared libraries (that will go into <tt>/Library/Frameworks/eToken.framework</tt>) needed by all the other packages;
</li><li><tt>etokendriversleopard.pkg</tt> (for Mac OS 10.5.x) or <tt>etokendriverstiger.pkg</tt> (for Mac OS 10.4.x): this is the middleware, which goes under <tt>/usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/</tt>.  It consists of an auxiliary daemon that will be run by <tt>pcscd</tt> in order to perform the necessary USB I/O.
</li></ul></li></ol><p>
To test this setup, plug your token in, then open a terminal and type the following commands:
</p>
<pre class="wiki" xml:space="preserve">sudo killall pcscd
sudo /usr/sbin/pcscd -a -d -f
</pre><p>
<tt>pcscd</tt> should start chatting, and the diode on the token should turn on.  If <tt>pcscd</tt> instead says:
</p>
<pre class="wiki" xml:space="preserve">Error loading /usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/Contents/MacOS/eTokenIfdh:  dlopen(/usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/Contents/MacOS/eTokenIfdh, 262)
</pre><p>
it means that the middleware is correctly installed, but <tt>etokenframework.pkg</tt> is not.  This happens when one installs the former first (!).  In that case, run the <tt>Uninstall eToken PKI Client 4.55</tt> program from the .dmg image and start over.
</p>
<h3 id="Linux">Linux</h3>
<p>
The middleware for Linux is available here:  <a class="ext-link" href="ftp://ftp.ealaddin.com/pub/etoken/Linux" shape="rect"><span class="icon"> </span>ftp://ftp.ealaddin.com/pub/etoken/Linux</a>; a third party provides the <a class="ext-link" href="http://www.etokenonlinux.org" shape="rect"><span class="icon"> </span>key-management tool for Linux</a> (you don't need the latter if you just want your token to work with OpenSC).
</p>
<h2 id="Thanks">Thanks</h2>
<p>
Big thanks to <a class="ext-link" href="http://www.aladdin.com" shape="rect"><span class="icon"> </span>Aladdin</a>, they sponsored an OpenSC workshop in 2003 by donating 30 Aladdin eToken PRO!
</p>
<p>
Big thanks to <a class="ext-link" href="http://www.startcom.org/" shape="rect"><span class="icon"> </span>Startcom</a> and Eddy Nigg for lots of time and support in adding support
for the Aladdin eToken PRO 64, for lots of testing and for donating one to us. 
</p>
<p>
Big thanks to <a class="ext-link" href="http://www.aswsyst.cz/" shape="rect"><span class="icon"> </span>ASW</a>, they donated two Aladdin eToken PRO 64, so we could test our support for
those Tokens (not yet released, will be included in the next release).
</p>
<p>
Big thanks to Josef Gillhuber from <a class="ext-link" href="http://www.aladdin.com" shape="rect"><span class="icon"> </span>Aladdin</a>. He donated two eToken PRO (32k and 64k) at <a href="http://www.opensc-project.org/history.html#LinuxTag2006" shape="rect">LinuxTag 2006</a>.
</p>
<p>
Thanks to Roman Stahl, he donated two Aladdin eToken PRO 32k (4.2B), so we could verify: they work fine too.
</p>

        
        
      </div>
    </div></body></html>