mrozhnov / epass

Software implementation of SafeNet eToken Pass (HOTP and TOTP)

How to create sccKey for TOTP? Is it connected to the serial number of the token on its back? #1

Open AngelTs opened 6 months ago

AngelTs commented 6 months ago

Is the provided seed key universal for a time-based one time password (TOTP) generator? SafeNet eToken Pass: https://cpl.thalesgroup.com/access-management/authenticators/one-time-password-otp/etoken-pass https://thalesdocs.com/sas/operator/tokens/token_types/hardware_tokens/otp_hardware_tokens/index.html

mrozhnov commented 6 months ago

Thales (SafeNet) provides TOTP tokens with different hashes (SHA1, SHA256). In most cases it's SHA256 for TOTP. So you can generate a string for the seed yourself. The correct string is a string of 64 chars in length which contains [0-9, a-f] symbols.

AngelTs commented 6 months ago

Thank you so much for your (quick) response. Here is my case - I bought from my bank my hardware SafeNet eToken Pass (the same as on the picture from the 1st link) back in 2011. Now I am trying to replace/simulate it with an appropriate software program on a PC like yours here. The problem is that my bank does not provide any info. I guess that this eToken is SHA1 + time based (not event based). Do you have some ideas how to use your software in my case? Thanks!

AngelTs commented 6 months ago

To simulate my hardware token with your software:

1. "sccTokenType: eToken-PASS-TS";
2. I set in "sccAuthenticatorId" my hardware eToken Pass serial number (printed on the back);
3. I set in "sccKey" as text in SHA256 format my user name + email address + static PIN (all provided by the bank);

=> does not work - the generated codes from the hardware token and your software are not the same! Any ideas?

AngelTs commented 6 months ago

I set in "sccKey" the text as base32-encoded only the serial number of the token, but again without success.

mrozhnov commented 6 months ago

The bank uses its own authentication server. When you start using an OTP token you have to upload a seed file to the authentication server and sync with the server. Do you have a seed file for your TOTP eToken Pass? You should insert the sccKey value into the dat file. Besides, there are types of TOTP from SafeNet. Old tokens have T0 = 01.01.1970, but new tokens have T0 = 01.01.2000. So it could be a very big time drift.
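To make the T0 point concrete, here is an added example (not code from this project) of RFC 6238 TOTP built on RFC 4226 HOTP, with a configurable epoch and hash. The function names `hotp`, `totp`, `seed_from_hex` and the constants `T0_1970` / `T0_2000` are this example's own assumptions; it uses the public RFC test vectors and a constructed all-zero seed, and shows why the same seed at the same wall-clock time yields different codes when the token's T0 is 2000-01-01 rather than the Unix epoch.

```python
import hmac
import hashlib
import struct
from datetime import datetime, timezone

# Epoch choices from the thread (assumption: both taken as 00:00 UTC).
T0_1970 = 0
T0_2000 = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())  # 946684800


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, t0: int = T0_1970, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals elapsed since t0."""
    return hotp(key, (unix_time - t0) // step, digits, algo)


def seed_from_hex(hex_seed: str) -> bytes:
    """Seed secrets in this thread are 64 hex chars (32 bytes); reject anything else early."""
    if len(hex_seed) != 64 or any(c not in "0123456789abcdef" for c in hex_seed.lower()):
        raise ValueError("expected 64 hex characters [0-9a-f]")
    return bytes.fromhex(hex_seed)


def codes_for_both_epochs(key: bytes, unix_time: int, algo: str = "sha256") -> tuple:
    """Same seed and instant, computed against T0=1970 and T0=2000: the counters differ by
    946684800 // 30 intervals, so the codes will (almost always) differ too."""
    return totp(key, unix_time, T0_1970, algo=algo), totp(key, unix_time, T0_2000, algo=algo)


if __name__ == "__main__":
    seed = seed_from_hex("00" * 32)  # constructed placeholder seed, not a real token secret
    now = int(datetime.now(timezone.utc).timestamp())
    print("T0=1970 / T0=2000 codes:", codes_for_both_epochs(seed, now))
```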

mrozhnov commented 6 months ago

A seed file is a file that contains the "secret" for the hardware token. It is supplied with the token. Your bank has this seed file for your token and has already imported it into their authentication server. It's impossible to extract the seed from your hardware token. There is a way to change the secret on your token (but it will not work with your bank's system after the programming procedure because the secret will be changed on the token) using a special hardware device from Thales (SafeNet) - the OTP programming pen - and special software from Thales (SafeNet) - the OTP programmer. The software will generate a new dat file with a new secret key, and the hardware device will upload the key to the token (there are several pins on the back side of your token).

AngelTs commented 6 months ago

Thank you so much for the clarifications! Actually I requested from my bank my key-seed file which is connected to my hardware token, but still no response. Moreover, the bank does not support this hardware SafeNet eToken Pass any more and insists on replacing it with a smartphone. Now I am trying to guess my seed file (sccKey), because I suspect that this is a text string in base32 encoding or SHA1/256 format and contains the serial number of my hardware token + user name + email address. The reason I suspect this is the way the bank instructs users to unblock their already locked hardware token (after 3 consecutive failed logins).