eToken (from the English words electronic and token) is a trademark for a line of personal authentication devices in the form of USB keys and smart cards, and for software solutions that use them. The trademark was created by the Israeli company Aladdin Knowledge Systems, which was subsequently acquired by SafeNet [1]. SafeNet later joined forces with Gemalto. Today Gemalto is the official manufacturer of keys of the eToken family. The exclusive distributor of eToken keys is SIS CJSC (TESSIS).
FSB and FSTEC of Russia certificates are claimed for eToken products [2].
Contents
- 1 Modern models
- 1.1 List of modern models
- 1.2 Classification
- 1.2.1 Functionality
- 1.2.2 By type of implementation
- 1.2.3 By form factor [4]
- 1.3 Environment
- 2 Applications
- 2.1 Check Point VPN-1 SecuRemote and VPN-1 SecureClient
- 2.2 eToken Network Logon
- 2.3 eToken SafeData and Crypto DB
- 2.4 eToken SecurLogon for Oracle
- 2.5 eToken SecurLogon for SAP R/3
- 2.6 eToken Single Sign-On
- 2.7 IBM Lotus Notes and Domino
- 2.8 Microsoft Windows
- 2.9 Novell Modular Authentication Service
- 2.10 Oracle Application Server
- 2.11 Oracle E-Business Suite
- 2.12 Token Management System
- 3 Competing Products
- 4 Obsolete models
- 5 Disadvantages
- 6 Notes
- 7 References
Modern models
List of modern models
- eToken PRO [3] and SafeNet eToken 4100: smart cards;
- eToken 5110, eToken PRO [3], SafeNet Token 5100 and SafeNet eToken 5200: USB keys that are fully functional analogues of smart cards;
- eToken NG-FLASH, eToken NG-OTP, SafeNet eToken 3400 and SafeNet eToken 7300: hybrid devices;
- eToken PASS and SafeNet eToken 3500: OTP tokens (hardware one-time password generators);
- eToken Virtual: smart card emulator software.
Classification
Functionality
All modern eToken models have smart card functions, with the exception of eToken PASS and SafeNet eToken 3500.
The functions of a USB flash drive are provided by the combined devices eToken NG-FLASH and SafeNet eToken 7300.
eToken NG-OTP, eToken PASS, SafeNet eToken 3400 and SafeNet eToken 3500 have the functions of OTP tokens (devices for generating one-time passwords).
By type of implementation
All eToken models are hardware devices, with the exception of the eToken Virtual software.
By form factor [4]
| Form factor | Models |
|---|---|
| USB dongle | eToken 5110, eToken PRO, SafeNet Token 5100, SafeNet eToken 5200 |
| USB dongle with one-time password generator | eToken NG-OTP |
| OTP token | eToken PASS |
| Smart card | eToken PRO, SafeNet eToken 4100 |
| Smart card with one-time password generator | SafeNet eToken 3400 |
Environment
The eToken PKI Client software, which provides eToken with its smart card functions, runs on the following operating systems:
- BlackBerry
- GNU / Linux
- Mac OS
- Microsoft Windows
Hardware eToken OTP tokens require a TMS management server running on the Microsoft Windows Server 2003 or 2008 platform in order to operate.
The eToken Virtual software tool can run on the following operating systems:
- CentOS 5.2;
- Fedora 9;
- Mac OS X 10.4 and 10.5;
- Microsoft Windows Server 2003 and 2008, Vista , XP , 7 , 8 ;
- openSUSE 10.3;
- Red Hat Enterprise Linux 5.2;
- Ubuntu 8.04 (32-bit).
Applications
Check Point VPN-1 SecuRemote and VPN-1 SecureClient
Check Point VPN-1 SecuRemote and VPN-1 SecureClient support authentication based on public key certificates and private keys held in the memory of smart cards and their analogues. If the eToken driver [5] is installed on the client computer, an eToken whose memory holds a private key and the corresponding public key certificate authorizing its owner to connect can be used to establish the VPN connection.
eToken Network Logon
eToken Network Logon is an application developed by Aladdin Knowledge Systems that stores the user name, password and Windows domain name in eToken memory and then uses the eToken in the authentication process. When a new password is assigned or the password is changed, the random number generator built into eToken Network Logon can be used, so that the user may not even know their own password and therefore cannot log on without the eToken. In addition to authentication with passwords retrieved from eToken memory, eToken Network Logon supports the authentication mechanism available in Windows 2000 through Server 2008 that uses public key certificates and private keys held in the memory of smart cards and their analogues.
eToken SafeData and Crypto Database
eToken SafeData [6] and “Crypto DB” are cryptographic information protection (CIP) tools developed by the Russian company Aladdin R. D. They encrypt data in selected columns of Oracle database tables. The column encryption keys are stored in the database encrypted under the users' public keys, while the users' private keys are stored in eToken memory. As a result, to access encrypted data a user must use their eToken, whose memory holds the private key matching the public key under which the encryption keys were encrypted. The difference between eToken SafeData and Crypto DB lies in the cryptographic algorithms they use:
- eToken SafeData encrypts data with the DES, Triple DES, AES and RC4 algorithms, and protects the encryption keys with RSA;
- Crypto DB encrypts data with algorithms conforming to GOST 28147-89 and RFC 4357, and protects the encryption keys with the algorithms described in GOST R 34.10-2001 and RFC 4490.
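The key hierarchy described above, as an added Go example that is not SafeData's or Crypto DB's own code: a column encryption key is wrapped separately under each authorised user's RSA public key (RSA-OAEP here stands in for the products' RSA or GOST R 34.10 key protection), and only the matching private key, which on the real product stays on the token, can unwrap it. Column-level data encryption with the unwrapped key is left out; the user names and keys are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ColumnKeyRecord models the database-side record for one encrypted column: the column's
// symmetric key wrapped separately under each authorised user's RSA public key (constructed model).
type ColumnKeyRecord struct {
	Wrapped map[string][]byte // user name -> RSA-OAEP(column key)
}

// WrapColumnKey grants access to the column by wrapping its key for every user in pubs.
func WrapColumnKey(colKey []byte, pubs map[string]*rsa.PublicKey) (*ColumnKeyRecord, error) {
	rec := &ColumnKeyRecord{Wrapped: map[string][]byte{}}
	for user, pub := range pubs {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, colKey, nil)
		if err != nil {
			return nil, err
		}
		rec.Wrapped[user] = w
	}
	return rec, nil
}

// UnwrapColumnKey recovers the column key with the user's private key, which in the real
// product never leaves the token; a user without a wrapped copy, or with the wrong key, fails.
func UnwrapColumnKey(rec *ColumnKeyRecord, user string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := rec.Wrapped[user]
	if !ok {
		return nil, errors.New("no wrapped column key for user " + user)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key pair held on Alice's token
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // a user who was never granted this column
	colKey := make([]byte, 32)                     // constructed sample column key
	rand.Read(colKey)
	rec, _ := WrapColumnKey(colKey, map[string]*rsa.PublicKey{"alice": &alice.PublicKey})
	_, err := UnwrapColumnKey(rec, "alice", alice)
	fmt.Println("alice unwraps the column key:", err == nil)
	_, err = UnwrapColumnKey(rec, "bob", bob)
	fmt.Println("bob unwraps the column key:", err == nil)
}
```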
eToken SecurLogon for Oracle
eToken SecurLogon for Oracle is a software tool developed by Aladdin R. D. that supports the authentication mechanism based on public key certificates and private keys available in Oracle 8i Database Release 3 (8.1.7) Enterprise Edition and later versions of Oracle, using eToken as the key storage medium. Besides being available as a separate product, eToken SecurLogon for Oracle is a component of the eToken SafeData and “Crypto DB” cryptographic information protection tools, installed on the workstations of the users of those tools.
eToken SecurLogon for SAP R/3
eToken SecurLogon for SAP R/3 is a software tool developed by AstroSoft that saves the client's connection parameters for the SAP R/3 application server in eToken memory and then uses the eToken with the saved credentials for authentication in the SAP R/3 system.
eToken Single Sign-On
eToken Single Sign-On is an application developed by Aladdin Knowledge Systems that saves completed HTML and Windows forms in eToken memory and then automatically fills those forms with the data stored on the eToken. Thanks to this, eToken can be used as an authentication tool in any web application whose authentication interface is an HTML form and in any application whose authentication interface is a Windows dialog box. Work with HTML forms is supported only in Internet Explorer and Mozilla Firefox.
IBM Lotus Notes and Domino
Starting with version 6.0, IBM Lotus Notes and Domino support authentication using smart cards and their analogues. If the eToken driver [5] is installed on the computer, the ID file used to authenticate the user or server can be converted so that it cannot be used without connecting the eToken and entering its PIN.
When a secured Domino server is accessed through the web interface over HTTPS, eToken can be used to authenticate the client.
In addition to authentication, eToken can also be used in Lotus Notes to sign and decrypt e-mail.
Microsoft Windows
Hardware eTokens with smart card functionality can be used for interactive authentication in a Windows 2000 through Server 2008 domain. If the eToken drivers [5] are installed on the computer, the logon screen allows the user, instead of pressing CTRL+ALT+DELETE and entering the user name, password and domain name as usual, to connect the smart card (eToken) and enter its PIN. In addition, starting with Windows XP, smart cards, including eToken, can be used for authentication when starting applications on behalf of another user.
Besides serving as an authentication tool, eToken can also be used to secure the workstation while the user is away: Windows 2000 through Server 2008 can be configured to lock the computer when the eToken is disconnected.
To use eToken as an authentication tool in a Windows domain, a deployed and specially configured enterprise certification authority (Microsoft Enterprise CA) is required. A key pair is generated on the eToken, and the certification authority issues the user a public key certificate whose private key usage policy includes the smart card entry. The administrator can then apply a security policy object to the user that prohibits logging on without a smart card, so that the user cannot log on without the eToken holding the prepared public key certificate and its corresponding private key.
Novell Modular Authentication Service
Novell Modular Authentication Service (NMAS) is a Novell eDirectory component that provides authentication mechanisms for the various user systems registered in this directory service. Starting with version 2.1, NMAS allows the use of eToken for authentication of users working with Microsoft Windows 95 Service Release 2B, NT 4.0 SP 6a or later versions of Windows.
Oracle Application Server
Oracle Application Server supports authentication using public key certificates and private keys. By placing users' private keys in eToken memory, eToken can be used to authenticate users in Oracle Application Server without using eToken Single Sign-On.
Oracle E-Business Suite
Oracle E-Business Suite supports integration with the Oracle Application Server Single Sign-On authentication mechanism. Using this integration, authentication of Oracle E-Business Suite users based on public key certificates and private keys in eToken memory is possible.
If integration with Oracle Application Server Single Sign-On is not used, the user authentication solution for Oracle E-Business Suite is built as follows:
- user authentication on the web server: based on public key certificates and private keys in eToken memory;
- user authentication on the Forms server: using eToken Single Sign-On.
Token Management System
Token Management System (TMS) is an application developed by Aladdin Knowledge Systems that provides accounting and life-cycle management of eTokens across the enterprise. TMS integrates with Active Directory and associates user accounts with the eTokens issued to them, as well as with the issued public key certificates and other details. eToken usage policies are assigned and applied in the same way as security policies in a Windows domain. Developers of eToken-enabled applications can create so-called TMS connectors, through which the use of eToken in their applications can be controlled by TMS.
Competing Products
Depending on their functionality, the various eToken models compete in the market with products from different manufacturers: ActivIdentity, Arcot, Entrust, Eutron, Feitian, Gemalto, Kobil Systems, MultiSoft, RSA Security (EMC division), Vasco, Aktiv, Aladdin R. D., BIFIT, OKB CAD and others.
| eToken models | Competing products |
|---|---|
| eToken PRO, SafeNet Token 5100 and SafeNet Token 5200 USB dongles | Entrust USB Tokens, Eutron CryptoIdentity, Feitian ePass 1000Auto and 2003, HID ActivID ActivKey SIM USB Token, IDProtect Key LASER, JaCarta PKI USB tokens, Kobil mIDentity 4smart office, Vasco Digipass Key 101 |
| eToken NG-FLASH and SafeNet eToken 7300 | JaCarta PKI / Flash, Feitian StorePass, Vasco Digipass Key 200 and 202 |
| eToken NG-OTP | Feitian OTP c400, HID ActivID Display USB Token, Vasco Digipass 860 |
| eToken PASS | ActivIdentity Mini OTP Token, Entrust IdentityGuard Mini Token, Feitian OTP c100 – c300, c500 and c600, Kobil SecOVID Token III, RSA SecurID 700, Vasco Digipass Go |
| eToken PRO and Safenet eToken 4100 smart cards | Feitian PKI card, Gemalto IDCore, iBank 2 Key, IDProtect LASER, JaCarta PKI smart cards |
| eToken Virtual | Arcotid |
Obsolete models
- eToken GT: an inexpensive analogue of the eToken PRO USB key, differing only in a smaller amount of memory;
- eToken R1: prototype of the first eToken USB dongle, which was never produced commercially [7];
- eToken R2: USB dongle with a secure microcontroller, manufactured by Aladdin Knowledge Systems until 2005;
- eToken RIC: USB key with a secure microcontroller, manufactured by the Russian company Aladdin until 2002.
Disadvantages
eToken models with smart card functions share the weakness of all devices in which the PIN is entered not from the device's own keypad but from the keyboard of the terminal the device is connected to: a Trojan program on the terminal can intercept the PIN and then repeatedly sign or encrypt arbitrary data on behalf of the device's owner without authorization. [8] [9]
Notes
- ↑ Aladdin Knowledge Systems was acquired by SafeNet on March 31, 2010 (Customers Benefit with Stronger Expertise and Broader Solution Offerings. SafeNet press release, April 1, 2010. Accessed September 16, 2010. Archived April 5, 2012).
- ↑ Certificates for eToken products. Archived July 4, 2011.
- ↑ eToken PRO and eToken GOST are available in two form factors: a USB key and a smart card.
- ↑ Only hardware eTokens are included in the classification by form factor.
- ↑ eToken drivers are distributed as part of the eToken PKI Client package. On the Microsoft Windows XP Embedded operating system, “eToken for Windows XP Embedded” is used instead of the eToken PKI Client.
- ↑ Early versions of eToken SafeData were released under the name eToken Secret Field.
- ↑ The reason for cancelling the release of eToken R1 was a vulnerability discovered in the device's architecture that allowed an attacker without the PIN to gain access to the protected memory (eToken R1 Private Information Extraction. Grand Idea Studio. Accessed August 27, 2009. Archived April 5, 2012).
- ↑ Detailed description of an attack on a token using a Trojan.
- ↑ Report of attacks on a USB token (dead link). Accessed July 4, 2010. Archived April 23, 2010.
References
- SafeNet Multi-Factor Authentication Products
- Legeso, Denis. Online Financial Services Security. Intelligent Enterprise (March 17, 2009). Accessed October 8, 2010. Archived April 5, 2012.