stoken-dev / stoken

RSA SecurID-compatible software token for Linux/UNIX systems
http://stoken.sf.net
GNU Lesser General Public License v2.1

Unable to import SecurID token #1

Closed helterscelter closed 11 years ago

helterscelter commented 11 years ago

I am trying to import an RSA SecurID token that I originally received and installed on my Android phone using the RSA v1.2 application. I am specifying the token (from the URL I was sent) and have tried entering the IMEI, IMEI SV, SIM, and the DeviceID from the RSA application.

I am loath to post the specifics in this ticket since the values are highly sensitive.

I'm sure this is a case of me being silly or doing something completely wrong; but I am just not sure what it could be.

I didn't see any other way of contacting you on any of the pages about this app, so I figured filing an issue may be the best way to go.

cernekee commented 11 years ago

"I am specifying the token (from the url I was sent) and have tried entering the IMEI, IMEI SV, SIM, and the DeviceID from the RSA application."

Does the failure look like this?

$ stoken import --token=http://127.0.0.1/securid/ctf?ctfData=283144849057951431261040462445741631217721155333513374645173124460220200360477563
This token is bound to a specific device.
Enter device serial number (IMEI): 123
IMEI does not match the token.
Enter device serial number (IMEI): abc
IMEI does not match the token.
Enter device serial number (IMEI):
error: invalid IMEI

"I am loath to post the specifics in this ticket since the values are highly sensitive."

Right, please don't send that info to anyone.

helterscelter commented 11 years ago

Yes. That is exactly what I am seeing.


cernekee commented 11 years ago

OK let's try this as an experiment:

diff --git a/src/securid.c b/src/securid.c
index 5abcaa7..ee657a5 100644
--- a/src/securid.c
+++ b/src/securid.c
@@ -257,7 +257,7 @@ static int generate_key_hash(uint8_t *key_hash, const char *

                /* skip anything that isn't a digit */
                for (; *devid; devid++) {
-                       if (*devid >= '0' && *devid <= '9') {
+                       if (1 || *devid >= '0' && *devid <= '9') {
                                if (len++ > DEVID_CHARS)
                                        return ERR_BAD_PASSWORD;
                                *(p++) = *devid;
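Review bot: `if (1 || *devid >= '0' && *devid <= '9')` does not switch the filter to uppercase hex, it removes the filter entirely: every byte of the device ID, dashes and lowercase letters included, is now copied, and gcc will warn about `||` mixed with `&&` without parentheses. That is fine for an experiment, but the comment "skip anything that isn't a digit" is now stale, and a landable version would test `(*devid >= '0' && *devid <= '9') || (*devid >= 'A' && *devid <= 'F')` behind a mode flag. Separately, `if (len++ > DEVID_CHARS)` only fires once len already exceeds DEVID_CHARS, so DEVID_CHARS + 1 characters can be written through `p` unless the buffer carries slack; `>=` looks like the intended bound.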
@@ -265,7 +265,7 @@ static int generate_key_hash(uint8_t *key_hash, const char *
                }
                if (device_id_hash)
                        *device_id_hash = securid_shortmac(&key[pos],
-                               DEVID_CHARS);
+                               40);
                pos += len;
        } else if (device_id_hash) {
                /* just hash the zeroed devid buffer */
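Review bot: replacing `DEVID_CHARS` with the literal `40` decouples the MAC length from the copy bound in the loop above, which still stops at DEVID_CHARS, so `securid_shortmac(&key[pos], 40)` now covers bytes the copy never bounds; if `key` has fewer than 40 bytes remaining after `pos`, the MAC reads past the buffer. Suggest a named constant (for example `DEVID_CHARS_HEX`) selected by the same mode flag and used for both the copy limit and the MAC length, with `pos += len` checked against that same bound.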
helterscelter commented 11 years ago

Fantastic. This patch allows me to import the token using my phone's DeviceID (as reported in the RSA app). Once imported, the KEY it generates is the same one as the RSA app on my phone.

When I view the countdown timer via (stoken-gui) it appears to be 13 seconds behind the timer in the RSA app.

cernekee commented 11 years ago

Thanks for the feedback.

It looks like there are at least two different ways to handle the device ID: one which strips out non-numeric characters and hashes over 32 bytes, and one which strips out non-uppercase-hex characters and hashes over 40 bytes. I will do some more digging and update the stoken project to properly support both cases.

"When I view the countdown timer via (stoken-gui) it appears to be 13 seconds behind the timer in the RSA app."

This just means the clocks are out of sync. You can see Android's system clock in the RSA About menu, and watch the PC clock with something like:

TZ=UTC xclock -digital -twentyfour -update 1 &

To sync the PC time to internet time servers, try:

sudo ntpdate -u pool.ntp.org
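
The two device-ID handling variants described above, side by side, as an added example; this is not stoken's code, the names `normalize_devid`, `DEVID_DIGITS`, `DEVID_UPPER_HEX` and `DEVID_BUF_MAX` are made up for the example, and it assumes that stoken's `DEVID_CHARS` is 32 (the "hashes over 32 bytes" case). The MAC step itself is left out; the example shows only how the same device ID canonicalizes differently under the two filters and how the length bound protects the field.

```c
/*
 * Added example (not stoken's code): the two device-ID normalizations
 * described in the comment above. Names are invented for the example.
 * Assumption: DEVID_CHARS in stoken is 32 (the "hashes over 32 bytes" case).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEVID_BUF_MAX 40   /* wide enough for either field width */

enum devid_mode {
    DEVID_DIGITS,     /* keep '0'..'9' only; field is 32 bytes (assumed DEVID_CHARS) */
    DEVID_UPPER_HEX   /* keep '0'..'9' and 'A'..'F' only; field is 40 bytes */
};

/*
 * Copy the characters of `devid` that survive the mode's filter into `out`,
 * which is zero-filled first so unused tail bytes contribute zeros to the
 * hash (the same idea as stoken's "zeroed devid buffer" branch).
 * Returns the number of bytes a MAC should cover (32 or 40), or -1 if more
 * characters survive the filter than fit in the field. The bound is `>=`,
 * so the field can never be overrun.
 */
static int normalize_devid(const char *devid, enum devid_mode mode,
                           uint8_t out[DEVID_BUF_MAX], size_t *kept)
{
    size_t field = (mode == DEVID_DIGITS) ? 32 : 40;
    size_t len = 0;

    memset(out, 0, DEVID_BUF_MAX);
    for (; *devid; devid++) {
        int is_digit = (*devid >= '0' && *devid <= '9');
        int is_hex_upper = is_digit || (*devid >= 'A' && *devid <= 'F');
        int keep = (mode == DEVID_DIGITS) ? is_digit : is_hex_upper;

        if (!keep)
            continue;          /* strip separators, labels, lowercase, ... */
        if (len >= field)
            return -1;         /* too many characters for this field */
        out[len++] = (uint8_t)*devid;
    }
    if (kept)
        *kept = len;
    return (int)field;
}

int main(void)
{
    /* Constructed sample: a hex-style app DeviceID with a label and dashes. */
    const char *sample = "SN:0A1F-9C3B-77xx";
    uint8_t buf[DEVID_BUF_MAX];
    size_t kept;
    int n;

    /* buf stays NUL-terminated here because fewer than 40 bytes are kept */
    n = normalize_devid(sample, DEVID_DIGITS, buf, &kept);
    printf("digits-only: field=%d kept=%zu -> \"%s\"\n", n, kept, (const char *)buf);
    n = normalize_devid(sample, DEVID_UPPER_HEX, buf, &kept);
    printf("upper-hex  : field=%d kept=%zu -> \"%s\"\n", n, kept, (const char *)buf);
    return 0;
}
```

Run stand-alone, the digits-only filter reduces the sample to `019377` while the uppercase-hex filter keeps `0A1F9C3B77`. That is the mechanism behind the "IMEI does not match the token" loop earlier in the thread: when the importer strips a hex-style DeviceID down to its digits, the value it MACs is not the one the token was bound with, so no amount of retyping the ID can make the check pass.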

helterscelter commented 11 years ago

I always enable NTP update as a rule on my machines (many, many things do not like skewed clocks, not just OTP/crypto), and I also generally allow my phone to get its date/time sync from the network.

$ sudo ntpdate -u pool.ntp.org
16 Mar 18:57:07 ntpdate[6124]: adjust time server 108.61.56.35 offset 0.176137 sec

I checked my phone's time vs pool.ntp.org (using the NTPSync app), and it reported a -14060ms difference between the pool and system clock. (meaning my phone is 14.06 seconds fast.)

I never thought to validate that my phone's clock is correct before. Very interesting.

Thanks again for the help.
