Solved

Copy data from USB Token

Posted on 2013-05-10
9
3,004 Views
Last Modified: 2013-05-12
Hello,

I need to use a Token to access a website, from a gov website. I need to enter the eleven usb token to access the info and I´m affraid of loosing one of them, is there a possible solution to clone these tokens at the PC, so that´s not necessary to use the physical token?

They do not have password, only the usb token like a pen drive.

Thanks, sorry for my bad english.
0
Comment
Question by:Rodrigoferra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
9 Comments
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 39155765
This sound like you are asking for a hack around security.  That would be a violation of the site terms of service, and an Expert who posted such a hack could be suspended.

If there is some legitimat reason for trying to bypass security, then you will need to give a lot mor detail about what you are doing and why you need this.

Cd&
0
 

Author Comment

by:Rodrigoferra
ID: 39155818
Yeah, it sounds like a hack, but it´s for a white solution! Wich detail can I pass to validate this question?

The certificates are mine, I just thought that virtualizing the tokens as drivers at my machine would do the job, but has no idea how to do it and if it´s possible.

The tokens have PIN, I think that this is the security....
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 39155848
I've posted a request to have a moderator look at the question, because I'm not sure it can be answered without posting a security bypass that would violate site rules, and I have no way to know if you are doing something to your own property, or if you are trying to hack something... no offense intended.

Cd&
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39155851
Usually, no.

Some open source tokens make it possible to extract the secret info, and others (such as RSA) allow you *if you have access to the server side data* to emulate a token in software. but most don't allow you to remove the secret data from the token, ever.

normally a token is what is called a "cryptographically secure pseudorandom number generator"- which means, there is a block of random(ish) data stored on the chip, and a real time clock, and the chip takes the clock data and the random data and hashes it a few dozen times, then takes the lowest 'n' digits of the result to display (or make available via usb)

tokens that have such numbers are of this type.

an alternative type is what is called a pkcs#15 secure pki token - this is the same as an x509 key and certificate (such as is used for https servers) but stored on a token which will allow you to download the certificate *and* upload a hash, to download a signature from that hash. Again, these will usually not allow you to access the actual key, just use it via the contact points (or usb, in those that have a direct usb port)

if you can identify the type of token, we might be able to help further, but I am not holding out much hope. These things are *designed* to not allow you access to the secret data, as doing so removes the purpose in having them.
0
 

Author Comment

by:Rodrigoferra
ID: 39156180
@DaveHowe I think you get the point, it´s a PKCS#15, they are token with digital signatures, but the system requires it to be accessed, so it´s possible to confirm username and digital certificate. These kind of token I´m using here.

If it´s not possible to extract it, I will need more USB ports in my machine to let it! I´m kind of trainee here, so I do the job that no one want to do...

@COBOLdinosaur no offense at all, I think if there is a possibility, it´s necessary to share then we can be able to avoid. The token has so many security, a USB/Card and the PIN, it´s like a credit card, you need, sometimes, the card and the password or the security code! Here in Brazil we usually need a sequence of chars to validate it.

THanks for the tips, any other information?
0
 

Author Closing Comment

by:Rodrigoferra
ID: 39156404
Defined the necessity and reply with tecnology information.
0
 

Author Comment

by:Rodrigoferra
ID: 39158847
Ok, I´m new to all this tecnology involving security, I´m working with PKCS#11 too... I don´t know where to ask for security question without being censured.

But ok, thanks! Best regard´s.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
bitlocker- locked out 8 52
Chrome: Cannot find installed extension (Window resizer) 8 45
File Permissions 9 46
DNS issues on a handful of websites, the rest load fine 9 35
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question