1

Topic: eToken - drivers, clients,

Last year I bought an EV code-signing certificate from GlobalSign. So as not to wait for the eToken to be delivered, I bought an empty one and loaded the certificate onto it from the control panel. I could not find drivers for the eToken at Gemalto, though; it turned out that GlobalSign, DigiCert and the other organizations that issue certificates on USB keys supply the drivers themselves. Fine, I downloaded them from GlobalSign, installed SafeNet Authentication Client, and everything works. Today I went to buy a signature for the Russian public services. Since I had an empty eToken lying around, which came with the EV certificate set, I handed it over to the Russian CA for the certificate to be written to it. They seemed to write everything, but when I got to my computer and plugged in the key, I do not see any certificate on it, although the password they set for me at the CA is accepted. By then the CA had already closed, so nothing could be explained promptly; I will call tomorrow. But in general: if the software for a key is licensed to a particular CA (in this case GlobalSign), can it be used with certificates of other CAs? And can certificates of different CAs coexist on one key? At the Russian CA I was offered a set consisting of the signature, a key and a KriptoPro license, but for now I took only the signature, to start by trying it with VipNet. To this I was told that each CSP works only with certificates issued with its help, i.e. VipNet supposedly will not work with a certificate issued under KriptoPro, and vice versa. How compatible is all this machinery with each other? I read a bit about these matters and got the impression that it is hell, and that nobody really understands how it should work in theory or how it works in practice; most people just buy and install a ready-made set and then stick with that same solution.
And on top of that: at GlobalSign the secret key is generated on the client's computer, while at the Russian CA everything is done on their computers. When I asked how that squares with security, I was told that such an order is prescribed by regulatory documents. How is the uniqueness of the copy of the secret key technically ensured? Or does the USB key generate the secret key inside itself, so that the CA's computer does not see it at all?

2

Re: eToken - drivers, clients,

Hello, Evgenie Muzychenko, you wrote:
You should still write the specific model of the eToken and the name of the software. Otherwise it is reading coffee grounds. Since there is no real information from you, in short:
- The token model must support GOST. The fact that you were told the key was written there does not mean it is so.
- The computer must have a CSP with GOST support. Otherwise the token is completely useless.
- The program you use to view certificates may not support GOST and simply filters out "extraneous" objects on the key.
- A normal CA needs only the certificate request. They do not touch the private key with their hands.
- It really would have been easier to buy the set with KriptoPro; everyone uses it anyway, so there would be fewer problems.

3

Re: eToken - drivers, clients,

Hello, Evgenie Muzychenko, you wrote:
EM> How compatible is all this machinery with each other? I read a bit about these matters and got the impression that it is hell, and that nobody really understands how it should work in theory or how it works in practice; most people just buy and install a ready-made set and then stick with that same solution.
All this is a hassle and does not work without a CSP. With some keys the price includes an annual license for the crypto provider. Then you can take the key out of the token and use it from a program, for example via openssl. But that is only a circus. Further on, every year all this hassle acquires new ceremonies and rituals. https://habr.com/post/276057 The point is that the non-exportable key really exists, but it serves only for operations by means of the RSA algorithm. None of the considered ... no, rather: none of the CSPs for use on the territory of the Russian Federation (apparently) uses RSA, which is not approved by the FSB; they all use algorithms based on GOST-*, so the eToken is no more than a flash card with a password and a fancy interface.

4

Re: eToken - drivers, clients,

Hello, m2l, you wrote:
m2l> You should still write the specific model of the eToken and the name of the software.
That would be needed if I were asking a question like "which button do I press to make it all work?". But the sense of the questions was quite different. Writing it is not a problem: eToken Pro 72k, eToken 5110, SafeNet Authentication Client.
m2l> Since there is no real information from you
There are no answers to the questions asked either.
m2l> - The token model must support GOST.
That is the maximum, the ideal, so that all the mathematics at signing time is done there. But it is not mandatory.
m2l> The fact that you were told the key was written there does not mean it is so.
That is exactly why, before talking with the CA, I would like to know how I can establish the presence or absence of a certificate and any key on a token.
m2l> - The computer must have a CSP with GOST support. Otherwise the token is completely useless.
That is a completely separate question. For now I am interested only in the fact of the presence or absence of a certificate and secret key on the token, and in ways to establish it.
m2l> - The program you use to view certificates may not support GOST and simply filters out "extraneous" objects on the key.
I am looking with the native software from SafeNet (SafeNet Authentication Client), which handles token initialization, password changes, driver settings, access modes and everything else. Can it filter out "extraneous" objects while displaying the general information about the token? If so, should it not at least show some sign of the presence of any certificates/keys on the token?
m2l> A normal CA needs only the certificate request. They do not touch the private key with their hands.
Here in Novosibirsk this is LLC "" (regional certification center), the only one of those accredited before 2018 that issues signatures to arbitrary legal entities and individuals. All the others either were accredited a month or two ago, which is suspicious, or issue signatures only to state/municipal organizations.
m2l> It really would have been easier to buy the set with KriptoPro
Right now the question is not about the CSP at all, but only about whether the certificate was written to my token or not. KriptoPro will have to be bought, that is not in question.

5

Re: eToken - drivers, clients,

Hello, kov_serg, you wrote:
_> All this is a hassle and does not work without a CSP.
What does "does not work" mean? I understand that the "sign" button on a site does not work. But how do the hardware carrier and the CSP relate to each other? It always seemed to me that the data storage format on the carrier is in no way tied to the CSP in use, that the formats of certificates/keys have long been standardized, and that any CSP merely retrieves the needed certificate from the carrier and sends the carrier requests for operations with the secret key. Does it turn out that every CSP imposes its own storage format for certificates and keys on the carrier, incompatible with other CSPs? Then why does the SafeNet software show me that the token is in perfect order but simply empty, rather than corrupted or having incorrect/unintelligible contents?
_> Then you can take the key out of the token and use it from a program, for example via openssl.
And does KriptoPro somehow use the non-exportable RSA secret key from the token at all, for example to generate its own keys? Or does it work exclusively with the exportable part?

6

Re: eToken - drivers, clients,

Hello, Evgenie Muzychenko, you wrote:
EM> Hello, kov_serg, you wrote:
_>> All this is a hassle and does not work without a CSP.
EM> What does "does not work" mean? I understand that the "sign" button on a site does not work. But how do the hardware carrier and the CSP relate to each other? It always seemed to me that the data storage format on the carrier is in no way tied to the CSP in use, that the formats of certificates/keys have long been standardized, and that any CSP merely retrieves the needed certificate from the carrier and sends the carrier requests for operations with the secret key.
Yes, each token model has its own driver and library for working with it.
EM> Does it turn out that every CSP imposes its own storage format for certificates and keys on the carrier, incompatible with other CSPs? Then why does the SafeNet software show me that the token is in perfect order but simply empty, rather than corrupted or having incorrect/unintelligible contents?
Yes, that is possible. Besides, these tokens can work in two modes: active, when the keys are generated on the token and never leave it, and the data to be signed is passed into the token and signed there; and passive, in which case the token is simply a flash card. Somewhere a key pair gets written to the token. Read about PKCS#11 in more detail. Pkcs11Admin

7

Re: eToken - drivers, clients,

Hello, BlackEric, you wrote:
EM>> Then why does the SafeNet software show me that the token is in perfect order but simply empty, rather than corrupted or having incorrect/unintelligible contents?
BE> Yes, that is possible.
Then how do I tell a really empty token from one that contains incompatible containers, or is incorrectly labelled, or something else? Are there any means of viewing what is written on a token?
BE> And passive, in which case the token is simply a flash card.
In that case, as I understand it, one can extract the contents of the container from the token and then use the certificate locally? If so, how is that done?
BE> Read about PKCS#11 in more detail. Pkcs11Admin
Thanks, I tried it. Does it turn out that KriptoPro's formats are incompatible with PKCS#11? With the PKCS#11 libraries that ship for the eToken (eToken.dll/eTPKCS11.dll) it does not see the container. Are there any utilities for viewing the token's storage directly, regardless of the container format?

8

Re: eToken - drivers, clients,

Hello, Evgenie Muzychenko, you wrote:
EM> That would be needed if I were asking a question like "which button do I press to make it all work?". But the sense of the questions was quite different. Writing it is not a problem: eToken Pro 72k, eToken 5110, SafeNet Authentication Client.
Right, they do not support GOST.
EM> There are no answers to the questions asked either.
Well, I am not a telepath.
EM> That is the maximum, the ideal, so that all the mathematics at signing time is done there. But it is not mandatory.
OK, let me rephrase: the token model must support writing a certificate of an unknown encryption type to itself. Practice shows that not all can.
EM> That is exactly why, before talking with the CA, I would like to know how I can establish the presence or absence of a certificate and any key on a token.
Install KriptoPro, open the token in it and see what certificates are on it.
m2l>> - The computer must have a CSP with GOST support. Otherwise the token is completely useless.
EM> That is a completely separate question. For now I am interested only in the fact of the presence or absence of a certificate and secret key on the token, and in ways to establish it.
As far as I understand, for eTokens like yours there are no developer utilities that allow viewing the token's storage directly. And no wonder: these certificates need the standard tools. So of course you can take the stand that "it should all just work", but without your CSP it will not work in any way....
EM> I am looking with the native software from SafeNet (SafeNet Authentication Client), which handles token initialization, password changes, driver settings, access modes and everything else. Can it filter out "extraneous" objects while displaying the general information about the token? If so, should it not at least show some sign of the presence of any certificates/keys on the token?
Technically it should show that the free storage on the token has become a few kilobytes smaller.
m2l>> A normal CA needs only the certificate request. They do not touch the private key with their hands.
EM> Here in Novosibirsk this is LLC "" (regional certification center), the only one of those accredited before 2018 that issues signatures to arbitrary legal entities and individuals. All the others either were accredited a month or two ago, which is suspicious, or issue signatures only to state/municipal organizations.
Straight away, the first three links in Google: link, link, link. As for the age of the CA, it is completely unclear. There are no differences between the signatures, neither legally nor technically.
EM> Right now the question is not about the CSP at all, but only about whether the certificate was written to my token or not. KriptoPro will have to be bought, that is not in question.
It is needed in order to look at what is on the certificate. And by default it works for 30 days free of charge; to sort out your tokens there is no need to buy it. In general a good option is to look at it with opensc, pcsc-tools, pcks-tools in Linux.
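To make the "is anything actually on the token?" question from the preceding posts checkable, here is an added shell script (not from this thread, SafeNet or OpenSC) that drives OpenSC's pkcs11-tool through the vendor PKCS#11 module and summarizes what the module exposes; the module path, the label "signing" and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarizes what a PKCS#11 module
# reports about a token, to tell "module sees nothing" apart from "certificate
# and key present". Assumes OpenSC's pkcs11-tool is installed and that MODULE
# is the vendor PKCS#11 library (the thread names eTPKCS11.dll on Windows; the
# Linux path below is only a placeholder).

# Count object classes in `pkcs11-tool --list-objects` output read on stdin.
# Output line: certs=N privkeys=N pubkeys=N data=N
count_objects() {
    awk '
        /^Certificate Object/ { c++ }
        /^Private Key Object/ { k++ }
        /^Public Key Object/  { p++ }
        /^Data object/        { d++ }
        END { printf "certs=%d privkeys=%d pubkeys=%d data=%d\n", c, k, p, d }
    '
}

# Turn a summary line into a verdict. "no-pkcs11-objects" does NOT prove the
# token is empty: a CSP-specific container the module cannot parse is invisible
# here, which is why comparing free space on the token is still worthwhile.
classify() {
    certs=$(printf '%s\n' "$1" | sed -n 's/.*certs=\([0-9]*\).*/\1/p')
    keys=$(printf '%s\n' "$1" | sed -n 's/.*privkeys=\([0-9]*\).*/\1/p')
    if [ "$certs" -eq 0 ] && [ "$keys" -eq 0 ]; then
        echo "no-pkcs11-objects"
    elif [ "$certs" -gt 0 ] && [ "$keys" -gt 0 ]; then
        echo "cert-and-key"
    elif [ "$certs" -gt 0 ]; then
        echo "cert-only"
    else
        echo "key-only"
    fi
}

# Query a real token: slot/token info, then the object summary and verdict.
# --login makes private objects visible; pkcs11-tool prompts for the PIN.
inspect_token() {
    module=$1
    command -v pkcs11-tool >/dev/null 2>&1 || { echo "pkcs11-tool not found" >&2; return 2; }
    pkcs11-tool --module "$module" --list-token-slots
    summary=$(pkcs11-tool --module "$module" --login --list-objects | count_objects)
    echo "$summary"
    classify "$summary"
}

# Constructed sample in the shape pkcs11-tool prints, so the parser can be
# exercised offline without a token or the vendor library.
SAMPLE='Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      signing
  ID:         01
Private Key Object; RSA
  label:      signing
  ID:         01
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      signing
  ID:         01
  Usage:      verify'

# Placeholder library path (assumption); point it at the real vendor module.
MODULE=${MODULE:-/usr/lib/libeToken.so}

if [ "${1:-}" = "--real" ]; then
    inspect_token "$MODULE"
else
    summary=$(printf '%s\n' "$SAMPLE" | count_objects)
    echo "$summary"
    classify "$summary"
fi
```

Run it with `--real` and a token plugged in to query the actual device; without arguments it only exercises the parser on the constructed sample.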

9

Re: eToken - drivers, clients,

Hello, m2l, you wrote:
m2l> They do not support GOST.
And that is not needed. Right now I am interested first of all in a way to look at what is on the token in general (what is open for access, of course). In any form, even as a binary stream. But, as I understand it, every token has some structure in which the containers already reside, and access to it must be supported at the driver level. They do not work with absolute units.
m2l> OK, let me rephrase: the token model must support writing a certificate of an unknown encryption type to itself. Practice shows that not all can.
Do they really not all support writing arbitrary data objects to themselves? It is clear that requests for generating and using keys have separate formats, but from various descriptions I understood that an arbitrary data set can be written to any token and then read back.
m2l> Install KriptoPro, open the token in it and see what certificates are on it.
Already installed. The certificate is there, although I have not yet had the patience to go through the remaining procedures described on several dozen pages of the "setup manual". I deeply sympathize with those who understand nothing about computers at all but are forced to fiddle with these "professional certified solutions". And what is the course of action for a user for whom something in this whole pile of software suddenly stopped working, or for an engineer called in to fix the problem? Tear everything down completely and reinstall? I wonder how adequate the people who develop these systems actually are.
m2l> As far as I understand, for eTokens like yours there are no developer utilities that allow viewing the token's storage directly.
Discussions mention some eToken Editor, and on its screenshots what I need is visible. But it seems to be distributed as part of an SDK that is given only to partner developers. I was not able to find it easily.
m2l> And no wonder: these certificates need the standard tools.
Obviously, without a CSP you cannot get the full functionality. But the ability to see what is written on the token in general, and to read it (if it is not locked) in "raw" form, is something it is obliged to provide, at least for diagnosing problems.
m2l> but without your CSP it will not work in any way....
Judging by what I have had time to read yesterday and today, even with a CSP it more often does not work than works. It looks very much like a grand worldwide budget carve-up under the banner of the fight for security.
m2l> Technically it should show that the free storage on the token has become a few kilobytes smaller.
Well, SafeNet Authentication Client 10.3.25.0 shows only the free storage, and who the hell knows how much there was originally. Aladdin eToken PKI Client 5.1.57.0 shows both that and the total volume. In appearance they look almost identical; it gives the impression that they are simply different names for the same software.
m2l> Straight away, the first three links in Google:
Well, it somehow did not occur to me to search for such offices through Google. I searched the list of the Ministry of Communications for a CA.
m2l> As for the age of the CA, it is completely unclear. There are no differences between the signatures, neither legally nor technically.
Hm. Do organizations engaged in such things look the same to you whether they started working a month ago, a year ago or ten years ago?
m2l> It is needed in order to look at what is on the certificate. And by default it works for 30 days free of charge; to sort out your tokens there is no need to buy it.
It works for 90 days, but after that, as I understand it, it still has to be used, because the certificate is made in KriptoPro. Or is there a way to convert the certificate together with the keys for other CSPs? If so, I would manage with OpenSSL, but there, signing in the browser is done through a plug-in from the CSP. Can that be done through OpenSSL and similar utilities?
m2l> In general a good option is to look at it with opensc, pcsc-tools, pcks-tools in Linux.
OpenSC exists for Windows too, but it understands these tokens only in a limited way. To it they are CardOS M4. opensc-explorer, like opensc-tool, responds to most requests with:
Using reader with a card: AKS ifdh 0
unable to select MF: Incorrect parameters in APDU
However, opensc-tool.exe --list-algorithms does produce a list of three algorithms.

10

Re: eToken - drivers, clients,

Hello, Evgenie Muzychenko, you wrote:
m2l>> OK, let me rephrase: the token model must support writing a certificate of an unknown encryption type to itself. Practice shows that not all can.
EM> Do they really not all support writing arbitrary data objects to themselves? It is clear that requests for generating and using keys have separate formats, but from various descriptions I understood that an arbitrary data set can be written to any token and then read back.
Practice shows that not all can.
EM> Already installed. The certificate is there, although I have not yet had the patience to go through the remaining procedures described on several dozen pages of the "setup manual". I deeply sympathize with those who understand nothing about computers at all but are forced to fiddle with these "professional certified solutions".
Then why were you indignant in the previous message that CSPs are not needed?
EM> And what is the course of action for a user for whom something in this whole pile of software suddenly stopped working, or for an engineer called in to fix the problem? Tear everything down completely and reinstall? I wonder how adequate the people who develop these systems actually are.
The answer is the package offered by the CA with a token and a license for the CSP.
EM> Discussions mention some eToken Editor, and on its screenshots what I need is visible. But it seems to be distributed as part of an SDK that is given only to partner developers. I was not able to find it easily.
Yes, and by the absence of an SDK in easy reach I meant exactly that.
EM> Obviously, without a CSP you cannot get the full functionality. But the ability to see what is written on the token in general, and to read it (if it is not locked) in "raw" form, is something it is obliged to provide, at least for diagnosing problems.
All these tokens/smart cards and their integration into the system are made so crookedly that this is possible only through the SDK utilities.
EM> Judging by what I have had time to read yesterday and today, even with a CSP it more often does not work than works. It looks very much like a grand worldwide budget carve-up under the banner of the fight for security.
Well, yes. Only not worldwide, but all-Russian. Everyone close to the subject understands this.
EM> Well, SafeNet Authentication Client 10.3.25.0 shows only the free storage, and who the hell knows how much there was originally. Aladdin eToken PKI Client 5.1.57.0 shows both that and the total volume. In appearance they look almost identical; it gives the impression that they are simply different names for the same software.
The difference there should be a few kilobytes, and ideally one should compare before writing. But the correct way is what you did, by installing the CSP and so on. And the most reliable is the SDK.
EM> Well, it somehow did not occur to me to search for such offices through Google. I searched the list of the Ministry of Communications for a CA.
Search through Google for whichever one you like, then check it against the list.
m2l>> As for the age of the CA, it is completely unclear. There are no differences between the signatures, neither legally nor technically.
EM> Hm. Do organizations engaged in such things look the same to you whether they started working a month ago, a year ago or ten years ago?
You simply do not fully understand what is going on. If you think about it, you will realize that the signatures of all CAs accredited under something are equivalent both technically and legally. After a successful signature check nobody will peer into the intermediate certificates to find out how many years this organization has been operating.
EM> OpenSC exists for Windows too, but it understands these tokens only in a limited way. To it they are CardOS M4. opensc-explorer, like opensc-tool, responds to most requests with:
EM> However, opensc-tool.exe --list-algorithms does produce a list of three algorithms.
In short, it does not work. Only under Linux, and even then, more often than not, a driver/library for the specific token is needed as well.

11

Re: eToken - drivers, clients,

Hello, m2l, you wrote:
m2l> Then why were you indignant in the previous message that CSPs are not needed?
I was indignant that they are needed for operations that do not require any crypto. It is as if Windows required a browser to be present in order to look at a flash card's directory.
m2l> The answer is the package offered by the CA with a token and a license for the CSP.
Where is the answer in that? If the CSP were stuffed into the token and launched automatically (launched, rather than extracted, installed and configured) on insertion, that could be considered an answer. But lengthy dancing with a tambourine is not an answer.
EM>> Discussions mention some eToken Editor
m2l> Yes, and by the absence of an SDK in easy reach I meant exactly that.
Well then, what stopped them from making it as an eToken Viewer, which turns into the Editor when a secret parameter is added, and putting it in the installation package? Or building into the native client an output that is slightly more informative about the carrier's contents?
m2l> All these tokens/smart cards and their integration into the system are made so crookedly that this is possible only through the SDK utilities.
Now I know that too. I would have known earlier if people said so directly more often, instead of allegorically. One gets the impression that they are very afraid of offending the vendors and promoters of this shit.
m2l> Only not worldwide, but all-Russian.
No, worldwide. Last year I too got thoroughly screwed around with installing and configuring the software for working with the GlobalSign certificate, although there it is honest RSA with the token's hardware support.
m2l> If you think about it, you will realize that the signatures of all CAs accredited under something are equivalent both technically and legally. After a successful signature check nobody will peer into the intermediate certificates to find out how many years this organization has been operating.
I proceeded first of all from the consideration that a newly minted CA may, with some probability, turn out to be some kind of scam, because of which its accreditation may be terminated and the certificate revoked. I need the signature first of all so that I can stay abroad for a number of months without having to return from there to submit some declaration.
m2l> In short, it does not work. Only under Linux, and even then, more often than not, a driver/library for the specific token is needed as well.
The token's native drivers should provide access to it under any OS, or am I again misunderstanding something?

12

Re: eToken - drivers, clients,

Hello, Evgenie Muzychenko, you wrote:
EM> Where is the answer in that? If the CSP were stuffed into the token and launched automatically (launched, rather than extracted, installed and configured) on insertion, that could be considered an answer. But lengthy dancing with a tambourine is not an answer.
Frankly, here you are twisting things. The most common bundle is two programs. They get installed, and after that it works and launches automatically when needed.
EM> Well then, what stopped them from making it as an eToken Viewer, which turns into the Editor when a secret parameter is added, and putting it in the installation package? Or building into the native client an output that is slightly more informative about the carrier's contents?
And why did you buy a company's token that does not give you an eToken Viewer? That is the market: you accepted such a token, it was sold to you.
m2l>> Only not worldwide, but all-Russian.
EM> No, worldwide. Last year I too got thoroughly screwed around with installing and configuring the software for working with the GlobalSign certificate, although there it is honest RSA with the token's hardware support.
With RSA everything there is very standard; most likely you had a hard time either with the software from the token (as if such a thing had been bought) or with software that pulls a standard API, and there are many options for replacing that, down to the console and openssl. So everything is much simpler, and with a normal token it theoretically works by itself.
EM> I proceeded first of all from the consideration that a newly minted CA may, with some probability, turn out to be some kind of scam, because of which its accreditation may be terminated and the certificate revoked. I need the signature first of all so that I can stay abroad for a number of months without having to return from there to submit some declaration.
Partly reasonable, but the list has comments on CAs whose accreditation was withdrawn. And it seems there were no CAs with scams.
EM> The token's native drivers should provide access to it under any OS, or am I again misunderstanding something?
It is all poor and crooked. It is expensive and they are too lazy to make proper hardware and firmware for it. So they cram whatever they can into the drivers. Like win-modems once. As a result, without the drivers and a heap of libraries on disk it is simply a piece of plastic.

13

Re: eToken - drivers, clients,

Hello, m2l, you wrote:
m2l> The most common bundle is two programs. They get installed, and after that it works and launches automatically when needed.
As I understood, there are three programs: the token software, KriptoPro and the browser plug-in. I took them too, but as I already wrote, I expected to manage with one set of drivers (I very much dislike littering the system with software, especially crooked software).
m2l> And why did you buy a company's token that does not give you an eToken Viewer?
I had no choice. The token was bought for GlobalSign, which issues EV certificates only on the eToken 5110 (the further development of the eToken Pro 72k).
m2l> It is expensive and they are too lazy to make proper hardware and firmware for it. So they cram whatever they can into the drivers. Like win-modems once. As a result, without the drivers and a heap of libraries on disk it is simply a piece of plastic.
Let them cram, if only they did it less poorly. I cannot even imagine what tens of DLLs with a total size of tens of megabytes are for, when everything needed for the full functionality would fit in a few hundred kilobytes at most.