Unable to import token with BB10 Device ID

[raghavkrishnapriyan]

I'm experiencing a problem similar to issue #1 below, but with RSA SecurID 1.0.0 on Blackberry 10. I'm unable to import a token secured with a Device ID despite entering in the eight-digit Device ID from the "About" page of the Blackberry app. (The IMEI and serial numbers don't work either.)

Thanks in advance for any help!

$ stoken import --token=<81-digit numeric string>
Enter device ID from the RSA 'About' screen: 
Device ID does not match the token.

[cernekee]

According to SecurIDBlackBerry10_v100_quickstart.pdf, BB10's device IDs are 8 digit hex numbers. This is similar to the Android device ID, but much shorter. Maybe we will luck out and find that they are handled in a similar manner.

The first thing I would try is to prepend the Android header to your 81-digit numeric string:

stoken import --token=http://127.0.0.1/securid/ctf?ctfData=<81-digit numeric string>

This tells the library to use a slightly different method of interpreting the device ID. Without the URI header, it uses the original "feature phone" logic.

If that doesn't work, try tweaking the logic in generate_key_hash() so that it accepts hex digits but uses the non-smartphone string length:

diff --git a/src/securid.c b/src/securid.c
index 5263e31..dab1e8b 100644
--- a/src/securid.c
+++ b/src/securid.c
@@ -266,6 +266,7 @@ static int generate_key_hash(uint8_t *key_hash, const char *pass,
         * 40 (or 32) zero bytes, below.
         */
        for (; *devid; devid++) {
+           is_smartphone = 1;
            if ((is_smartphone && !isxdigit(*devid)) ||
                (!is_smartphone && !isdigit(*devid)))
                continue;

Some additional questions, if none of that works:

• Was your token originally delivered as an 81-digit string, or did you convert a sdtid/xml file using TokenConverter?
• Is there a chance it is bound to your BB 10 GUID? According to SecurIDBlackBerry10_v100_admin.pdf this would look like "b77a1d06-d505-4200-90d3-1bb397748704". Try it with and without the dashes.

[raghavkrishnapriyan]

Thanks for the response. I'm afraid neither appending the Android header nor editing generate_key_hash() worked.

Some additional questions, if none of that works:

• Was your token originally delivered as an 81-digit string, or did you convert a sdtid/xml file using TokenConverter?

The latter -- I converted an sdtid file.

• Is there a chance it is bound to your BB 10 GUID? According to SecurIDBlackBerry10_v100_admin.pdf this would look like "b77a1d06-d505-4200-90d3-1bb397748704". Try it with and without the dashes.

I tried both, but that didn't seem to work.

[cernekee]

What options did you use when running TokenConverter?

Does the sdtid file have a <DeviceSerialNumber> field? If so, what does it look like (base64, hex, GUID, etc.)? Does the number look familiar?

If you happen to have an old/expired/deactivated sdtid file for BB10, that would also be helpful. You can send it to cernekee@gmail.com

[raghavkrishnapriyan]

I tried TokenConverter without any options and with the -f flag.

Yep, the sdtid has a field with the Blackberry 10 GUID. Here's the field:

<TokenAttributes>
    <DeviceSerialNumber>b77a1d06-d505-4200-90d3-1bb397748704</DeviceSerialNumber>
    <DeviceTypeVersion>1.x</DeviceTypeVersion>
    <DeviceTypeFamily>BlackBerry 10</DeviceTypeFamily>
    <DeviceType>PC Software Token V3.0 or later</DeviceType>
    <Nickname> </Nickname>
</TokenAttributes>

I haven't got an expired one right now, but I'll see if I can get hold of one.

[cernekee]

Here is what worked for me:

• Use the iPhone encoding (-iphone) when running TokenConverter to enable "smartphone mode."
• Change the device ID to uppercase when importing: stoken import --devid B77A1D06-D505-4200-90D3-1BB397748704 com.rsa.securid.iphone://ctf?ctfData=20031...

I will run some more tests to see if it makes sense to automatically convert the device ID to uppercase in generate_key_hash().

[raghavkrishnapriyan]

Works perfectly for me too. Thanks so much!