unable to import secureid token about stoken HOT 6 CLOSED

"I am specifying the token (from the url I was sent) and have tried entering the IMEI, IMEI SV, SIM, and the DeviceID from the RSA application."

Does the failure look like this?

$ stoken import --token=http://127.0.0.1/securid/ctf?ctfData=283144849057951431261040462445741631217721155333513374645173124460220200360477563
This token is bound to a specific device.
Enter device serial number (IMEI): 123
IMEI does not match the token.
Enter device serial number (IMEI): abc
IMEI does not match the token.
Enter device serial number (IMEI):
error: invalid IMEI

"I am loath to post the specifics in this ticket since the values are highly sensitive."

Right, please don't send that info to anyone.

from stoken.

Yes. That is exactly what i am seeing.

Clint
On Mar 14, 2013 10:32 PM, "Kevin Cernekee" [email protected] wrote:

"I am specifying the token (from the url I was sent) and have tried
entering the IMEI, IMEI SV, SIM, and the DeviceID from the RSA application."

Does the failure look like this?

$ stoken import --token=
http://127.0.0.1/securid/ctf?ctfData=283144849057951431261040462445741631217721155333513374645173124460220200360477563
This token is bound to a specific device.
Enter device serial number (IMEI): 123
IMEI does not match the token.
Enter device serial number (IMEI): abc
IMEI does not match the token.
Enter device serial number (IMEI):
error: invalid IMEI

"I am loath to post the specifics in this ticket since the values are
highly sensitive."

Right, please don't send that info to anyone.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/1#issuecomment-14940883
.

from stoken.

OK let's try this as an experiment:

diff --git a/src/securid.c b/src/securid.c
index 5abcaa7..ee657a5 100644
--- a/src/securid.c
+++ b/src/securid.c
@@ -257,7 +257,7 @@ static int generate_key_hash(uint8_t *key_hash, const char *

                /* skip anything that isn't a digit */
                for (; *devid; devid++) {
-                       if (*devid >= '0' && *devid <= '9') {
+                       if (1 || *devid >= '0' && *devid <= '9') {
                                if (len++ > DEVID_CHARS)
                                        return ERR_BAD_PASSWORD;
                                *(p++) = *devid;
@@ -265,7 +265,7 @@ static int generate_key_hash(uint8_t *key_hash, const char *
                }
                if (device_id_hash)
                        *device_id_hash = securid_shortmac(&key[pos],
-                               DEVID_CHARS);
+                               40);
                pos += len;
        } else if (device_id_hash) {
                /* just hash the zeroed devid buffer */

from stoken.

fantastic. this patch allows me to import the token using my phone's deviceID (as reported in the RSA app). once imported the KEY it generates is the same one as the RSA app on my phone.

When I view the countdown timer via (stoken-gui) it appears to be 13 seconds behind the timer in the RSA app.

from stoken.

Thanks for the feedback.

It looks like there are at least two different ways to handle the device ID: one which strips out non-numeric characters and hashes over 32 bytes, and one which strips out non-uppercase-hex characters and hashes over 40 bytes. I will do some more digging and update the stoken project to properly support both cases.

"When I view the countdown timer via (stoken-gui) it appears to be 13 seconds behind the timer in the RSA app."

This just means the clocks are out of sync. You can see Android's system clock in the RSA About menu, and watch the PC clock with something like:

TZ=UTC xclock -digital -twentyfour -update 1 &

To sync the PC time to internet time servers, try:

sudo ntpdate -u pool.ntp.org

from stoken.

I always enable NTP update as a rule on my machines (many many things do
not like scewed clocks, not just OTP/crypto) and I also generally allow my
phone to get it's date/time sync from the network.

$ sudo ntpdate -u pool.ntp.org
16 Mar 18:57:07 ntpdate[6124]: adjust time server 108.61.56.35 offset
0.176137 sec

I checked my phone's time vs pool.ntp.org (using the NTPSync app), and it
reported a -14060ms difference between the pool and system clock. (meaning
my phone is 14.06 seconds fast.)

I never thought to validate that my phone's clock is correct before. very
interesting.

Thanks again for the help.

On Sat, Mar 16, 2013 at 5:09 PM, Kevin Cernekee [email protected]:

Thanks for the feedback.

It looks like there are at least two different ways to handle the device
ID: one which strips out non-numeric characters and hashes over 32 bytes,
and one which strips out non-uppercase-hex characters and hashes over 40
bytes. I will do some more digging and update the stoken project to
properly support both cases.

"When I view the countdown timer via (stoken-gui) it appears to be 13
seconds behind the timer in the RSA app."

This just means the clocks are out of sync. You can see Android's system
clock in the RSA About menu, and watch the PC clock with something like:

TZ=UTC xclock -digital -twentyfour -update 1 &

To sync the PC time to internet time servers, try:

sudo ntpdate -u pool.ntp.org

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/1#issuecomment-15012308
.

from stoken.