
By default, the private key is marked non-exportable when the token is issued, at the certification authority. If that was not done there, the following workaround achieves the same result.

Installing drivers and Rutoken control module

First of all, you need to install the drivers and the software for managing and administering the Rutoken. They can be downloaded from the manufacturer's official website.

https://www.rutoken.ru/support/download/drivers-for-windows/

The Rutoken must be disconnected from the computer while the drivers are being installed.

This error, in 99 percent of cases, appears because the CryptoPro CSP license is missing or has expired.

After installing CryptoPro, everything looks as it should and the button for exporting the private key is available.

We prohibit the export of the certificate

Export the certificate; the result is a PFX archive containing both the public and the private key. Now import the certificate again. Note that during the import the "Allow export of the private key" checkbox must be left unchecked, so that the key cannot be exported afterwards.

Enter the PIN code (most often it is still the standard Rutoken PIN, unless you have changed it).

In some cases you may get the error "only certificates for RSA keys can be imported".

To resolve it, the PFX certificate has to be converted, which requires the OpenSSL utility. Export the private key from the PFX file with OpenSSL (the commands below are shown as typed at the OpenSSL> prompt; prefix each with "openssl" when running them from a shell):

  • Extract the private key:
    OpenSSL> pkcs12 -in newcert.pfx -nocerts -out encrypted.key
  • Do the same for the certificate:
    OpenSSL> pkcs12 -in newcert.pfx -nokeys -out cert.pem
  • Convert the certificate and the private key to DER format:
    OpenSSL> x509 -in cert.pem -out cert.crt -outform DER
    OpenSSL> rsa -in encrypted.key -out key.der -outform DER
  • Write the converted private key to the Rutoken.
  • After checking the new certificate, delete the old one.
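The conversion steps above, as an added example that is not part of the original post: a POSIX shell script that performs them with OpenSSL and then checks, before anything is written to the token, that the DER key really belongs to the DER certificate. It builds its own throwaway PFX so that it runs offline (constructed input; in practice newcert.pfx is the file exported from the certificate store), and the passwords, the subject name and the helper names make_test_pfx, pfx_to_der and cleanup_key_material are my own.

```shell
#!/bin/sh
# Added example (not from the original post): PFX -> DER conversion with
# OpenSSL plus a consistency check. File names follow the post
# (newcert.pfx, encrypted.key, cert.pem, cert.crt, key.der).
set -eu
umask 077   # intermediate key files must not be readable by other users

# Build a throwaway PFX so the example runs offline (constructed input).
make_test_pfx() {
    dir=$1; pfx_pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed test cert" \
        -keyout "$dir/test.key" -out "$dir/test.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/test.key" -in "$dir/test.pem" \
        -out "$dir/newcert.pfx" -passout "pass:$pfx_pass"
    rm -f "$dir/test.key"
}

# Split the PFX into cert.crt (DER) and key.der (DER, unencrypted) and
# confirm both halves belong together. Returns non-zero on any problem,
# so a broken conversion is caught before the old certificate is deleted.
pfx_to_der() {
    pfx=$1; pfx_pass=$2; dir=$3
    # one-off passphrase for the intermediate PEM key (constructed)
    tmp_pass=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')

    # 1. private key out of the PFX, still passphrase-protected
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pfx_pass" \
        -passout "pass:$tmp_pass" -out "$dir/encrypted.key"
    # 2. certificate out of the PFX (-clcerts: the end-entity cert only)
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pfx_pass" \
        -out "$dir/cert.pem"
    # 3. both to DER; from here on key.der is a plaintext private key
    openssl x509 -in "$dir/cert.pem" -out "$dir/cert.crt" -outform DER
    openssl rsa -in "$dir/encrypted.key" -passin "pass:$tmp_pass" \
        -out "$dir/key.der" -outform DER 2>/dev/null

    # 4. sanity checks: key is well formed and its modulus matches the cert
    openssl rsa -in "$dir/key.der" -inform DER -check -noout >/dev/null 2>&1
    cert_mod=$(openssl x509 -in "$dir/cert.crt" -inform DER -noout -modulus)
    key_mod=$(openssl rsa -in "$dir/key.der" -inform DER -noout -modulus 2>/dev/null)
    [ -s "$dir/cert.crt" ] && [ -s "$dir/key.der" ] &&
        [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Remove the key material from disk once key.der has been written to the token.
cleanup_key_material() {
    rm -f "$1/key.der" "$1/encrypted.key"
}
```

The check in step 4 matters because the post ends with deleting the old certificate: if key.der and cert.crt do not share a modulus, the token would hold a certificate without a usable key. Note that the `rsa ... -outform DER` step produces an unencrypted private key file; it exists only to be written to the token and should be removed (cleanup_key_material) as soon as that is done.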

I hope this method helps you prohibit export of the private key from the Rutoken. If you have additions or other methods, write about them in the comments.

Purpose

The PinChanger utility is designed to automate the Rutoken formatting and administration procedures: changing the token label, PIN codes and their parameters.

Supported models

  • Rutoken S (Windows only, and only with the rtPKCS11.dll library, which is the default)
  • Rutoken Lite
  • Rutoken EDS

Supported platforms

  • MS Windows 8 / 2012 / 7 / 2008 / Vista / 2003 / XP / 2000
  • GNU / Linux
  • Mac OS X

Options

The utility is launched from the command line and has the following parameters:

Each entry gives the command description, the command line parameter and its default value.

 1. Token formatting
    Parameter: -f
    Default: -
 2. Current administrator PIN
    Parameter: -o
    Default: applies when the -o option is absent
 3. Current user PIN
    Parameter: -c
    Default: applies when the -c option is absent
 4. Administrator PIN to set
    Parameter: -a
    Default: -
 5. User PIN to set
    Parameter: -u
    Default: applies when the parameter is absent
 6. Administrator PIN generation
    Parameter: -G [PIN length (8-32)]
    Default: 8
 7. User PIN generation
    Parameter: -g [PIN length (8-32)]
    Default: 8
 8. (description missing on the page)
    Parameter: -b [file name]
    Default: -
 9. User PIN change policy
    Parameter: -P [who may change the PIN: 1 - administrator, 2 - user, 3 - user and administrator]
    Default: (not given on the page)
10. Minimum administrator PIN length
    Parameter: -M [PIN length (6-31 for Rutoken EDS and Rutoken Lite, 1 for Rutoken S)]
    Default: (not given on the page)
11. Minimum user PIN length
    Parameter: -m [PIN length (6-31 for Rutoken EDS and Rutoken Lite, 1 for Rutoken S)] (the page shows the letter without its dash; lower case is assumed by analogy with -g/-G and -r/-R)
    Default: 6
12. Maximum number of administrator PIN entry attempts
    Parameter: -R [number of attempts (1-10)]
    Default: 10
13. Maximum number of user PIN entry attempts
    Parameter: -r [number of attempts (1-10)]
    Default: 10
14. Token label in Windows-1251 encoding
    Parameter: -L [token label]
    Default: -
15. Token label in UTF-8 encoding
    Parameter: -D [token label]
    Default: -
16. Conversion to UTF-8 (flag for the PIN and string parameters)
    Parameter: -U
    Default: strings and PINs are not converted to UTF-8
17. Limit the number of iterations to one
    Parameter: -q
    Default: -
18. PKCS#11 library to use
    Parameter: -z [library name]
    Default: rtPKCS11.dll
19. Configuration file path
    Parameter: -n [path to file]
    Default: -
20. Logging
    Parameter: -l [path to log file]
    Default: path is the directory where the utility is located, file name Pinchanger.exe.log

Parameters for managing flash memory (Rutoken Flash)

21. Partitioning the flash memory (formatting)
    Parameter: -F [partition identifier (1-8)] [size in MB] [owner: a - administrator, u - user, l1-l9 - local user] [permissions: ro, rw, hi, cd]
    Default: 1, whole volume, a, rw
22. Changing access rights
    Parameter: -C [partition identifier (1-8)] [new access rights: ro, rw, hi, cd] [duration: p - permanent change, t - temporary]
    Default: undefined, undefined, t
23. Retrieving the flash size and partition attributes
    Parameter: -I
    Default: -
    The response has the same layout as the parameters of item 21: [partition identifier (1-8)] [size in MB] [owner: a - administrator, u - user, l1-l9 - local user] [permissions: ro, rw, hi, cd]

Parameters for managing local Rutoken users

24. Local user PIN to set
    Parameter: -B
    Default: -
25. Current local user PIN
    Parameter: -O [local user id (l1-l9)]
    Default: if no PIN has been defined for this user, the current PIN is not required
26. Removing a local user
    Parameter: -d [local user id (l1-l9)]
    Default: -

If necessary, command line parameters can be passed using a configuration file.

If no PIN codes have been set, formatting sets the default PIN codes.

The utility runs in a loop: after performing the specified actions on the connected token, it waits for the next one to be connected.

Formatting

The utility provides the user with the ability to stream format tokens:

  1. The user runs the utility, having set the required settings in the configuration file or given the options on the command line.
  2. The utility formats the detected tokens, writes the results to the log file, and waits for the next token to be connected or for a command to terminate (for example, pressing the Enter key).

The formatting results are written to the log.

The user can start formatting tokens with automatic generation of a PIN of a given length by setting the corresponding option in the configuration file.

Change PIN

The user can change the user or administrator PIN without formatting the token if they know the current user and administrator PINs.

The user sets the current PIN-code of the administrator and the user in the configuration file or command line, sets new PIN-codes, parameters for changing the PIN-code and starts the utility.

The results of changing PIN codes are written to the log.

The user can start changing PINs with automatic generation of new PINs of a given length by setting the corresponding option in the configuration file.

The user can set default PIN-codes, then all tokens will have the same PIN-codes.

The user can set PIN-codes or generate them automatically in UTF-8 encoding by setting the appropriate option in the configuration file.

The user can also use PINs generated in advance by third-party utilities. To do this, the settings specify a file that holds the list of generated PINs, one per line (line feed as the separator).
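As an added example (not part of PinChanger or its documentation), a POSIX shell script that produces such a file and checks an existing one against the limits stated on this page: the 8-32 character range of the -g/-G options, a minimum length of 6 for Rutoken EDS and Rutoken Lite (8 is used as the floor here, my choice), and the Rutoken PIN composition of digits and Latin letters. The function names are mine, and the parameter table above does not say which option consumes the file, so pass it the way your PinChanger version documents.

```shell
#!/bin/sh
# Added example (not part of PinChanger): build and validate a pre-generated
# PIN list, one PIN per line, in the form described for the utility.
set -eu
umask 077   # the PIN file is as sensitive as the PINs themselves

PIN_MIN=8                 # floor chosen here; the page's minimum is 6
PIN_MAX=32                # upper bound of the -g/-G length range
PIN_CHARSET='A-Za-z0-9'   # digits and Latin letters, as listed for Rutoken

# Print one random PIN of the requested length using the kernel CSPRNG.
gen_pin() {
    length=$1
    LC_ALL=C tr -dc "$PIN_CHARSET" </dev/urandom | head -c "$length"
}

# Write $count PINs of $length characters to $file, one per line.
# Returns 1 (and writes nothing) if the length is outside PIN_MIN..PIN_MAX
# or the count is not positive.
gen_pin_list() {
    count=$1; length=$2; file=$3
    [ "$length" -ge "$PIN_MIN" ] && [ "$length" -le "$PIN_MAX" ] || return 1
    [ "$count" -ge 1 ] || return 1
    : > "$file"
    i=0
    while [ "$i" -lt "$count" ]; do
        gen_pin "$length" >> "$file"
        printf '\n' >> "$file"
        i=$((i + 1))
    done
}

# Check an existing PIN file (for example one produced by another tool)
# against the same policy: every line within the length range and made up
# of allowed characters only. Prints each offending line number and
# returns 1 if any line fails.
check_pin_list() {
    file=$1
    LC_ALL=C awk -v min="$PIN_MIN" -v max="$PIN_MAX" '
        length($0) < min || length($0) > max { print "line " NR ": bad length"; bad = 1 }
        $0 !~ /^[A-Za-z0-9]+$/               { print "line " NR ": bad character"; bad = 1 }
        END { exit bad ? 1 : 0 }' "$file"
}
```

Running check_pin_list over a third-party file before handing it to the utility avoids discovering a policy violation only when the token rejects the PIN part way through a batch.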

Logging of work to a log file

The log is a file with lines of the following content:

1. In case of formatting

2. If you change your PIN

3. In case of formatting Flash memory

4. If you change the attributes of Flash memory sections

5. If you receive information about the attributes of Flash memory sections

The user can specify the name of the log file and its location. By default, the file is located in the folder with the utility and is called Pinchanger.exe.log.

If, when the utility is restarted, the user has not specified a new name for the log file, the old file is appended.

Usage examples

    Format one token with default parameters (remove the -q flag for streaming mode):

    PinChanger.exe -f -q

    Format a token, setting the token label RutokenLabel, user PIN 123456789 and administrator PIN 987654321:

    PinChanger.exe -f -L RutokenLabel -u 123456789 -a 987654321 -q

    Format a token using a configuration file that sets the token label RutokenLabel, user PIN 123456789 and administrator PIN 987654321.

Flash Token to normal and got the best response

Answer from DomMasterIT © [guru]
For your attention
- ChipGenius v2.72 (2009-02-25) - utility for obtaining information about all connected USB devices. Shows VID & PID values. There is a built-in base by which the model and manufacturer of the controller is determined.
- CheckUDisk v5.0 - utility for obtaining information about all connected USB devices.
Shows the idVendor and idProduct values to identify the type of device controller.
It also shows the speed, revision, serial number of the flash drive.
- UsbIDCheck (USB Bench - Faraday USB Test Utility) - a program for obtaining information about all connected USB devices. Shows the idVendor and idProduct values to identify the type of device controller. The list by which you can determine the manufacturer of the device is the usb.ids.txt file in the program folder.
- Flash Disk Utility v1.20 - a program for fast and complete formatting of a flash drive, creating a boot disk, data compression and password encryption, instructions in English.
- FlashNull - utility for checking the performance and maintenance of Flash memory (USB-Flash, IDE-Flash, SecureDigital, MMC, MemoryStick, SmartMedia, XD, CompactFlash, etc.). List of operations performed:
- Read test - checking the availability of each sector of the media (duplicates the functionality of conventional HDD tests)
- Write test - checking the write ability of each sector of the medium (duplicates the functionality of most HDD tests)
- Test of the integrity of the recorded information - checking the compliance of the written and read information (similar to the memtest functionality, but with regard to flash drives).
- Saving an image of the contents of the device - sector-by-sector saving of all (or part) of the content to a file. (similar to dd functionality from UNIX).
- Loading an image into a device - sector-by-sector recording of an image into a device (similar to the dd functionality from UNIX).
The instruction is in Russian.
- iCreate_iFormat_V1.32 - utility for iCreate i5122, i5128, i5129 controllers. After installing the program, the working window appears and disappears; an inserted USB flash drive can be formatted ...
- MPTool V2.0 (MXT6208 + A MPTool V2.0) - utility for recovering flash drives on the MXTronics MXT6208A controller. Helps with Chinese Kingston flash drives and some Sony fakes.
- UmpTool v1.6.3 - utility for flash recovery on Chipsbank CBM2090 controllers.
Possibly suitable for other CBM209X series controllers.
- USB Disk Storage (HP USB Disk Storage Format Tool v2.1.8) - utility for formatting and creating a bootable USB Flash (supported by NTFS, FAT, FAT32).
- Dr. UFD v1.0.2.17 (PQI Dr. UniFlashDisk 1.0.2.17) - proprietary utility for low-level flash formatting on PQI controllers. Supported models:
- Card Drive Series
- Intelligent Drive Series
- Cool Drive Series
- Traveling Disk Series.
- EzRecover - USB Flash recovery utility, helps when the flash is defined as Security Device, is not detected at all or shows 0Mb volume. In order for EzRecovery to see the flash drive, after starting the program and issuing an error message, remove the USB flash drive and insert it again, and then all the way.
Attention! After using the program, all data on the flash will not be saved.
- FORMAT v30112 - proprietary utility for PQI flash drives. Allows you to format, manage partitions, create hidden and password-protected partitions.
- JetFlash RecoveryTool v1.0.5 - utility for recovery (repair) USB Flash Transcend.

Tokens, electronic keys for accessing important information, are becoming increasingly popular in Russia. A token is now not only a means of authentication in a computer's operating system, but also a convenient device for storing and presenting personal information: encryption keys, certificates and licenses. Tokens are more reliable than the standard "login / password" pair because of their two-factor mechanism: the user must not only possess the carrier (the token itself) but also know the PIN code.

There are three main form factors in which tokens are issued: USB token, smart card and key fob. PIN protection is most commonly found in USB tokens, although the latest USB tokens come with RFID tag capability and LCD display to generate one-time passwords.

Let's dwell on the principles of functioning of tokens with a PIN code. A PIN is a specially assigned password that breaks down the authentication procedure into two stages: attaching a token to a computer and entering the actual PIN.

The most popular token models on the modern electronic market of Russia are Rutoken, eToken from Aladdin, and an electronic key from Aktiv. Let's consider the most frequently asked questions regarding PIN codes for a token using the example of tokens from these manufacturers.

1. What is the default PIN?

The table below provides information on the default PIN codes for Rutoken and eToken tokens. The default password is different for different owner levels.

Default user PIN and administrator PIN by token:

  • Rutoken: user 12345678, administrator 87654321
  • eToken: user 1234567890; no administrator password is set by default (it can be set via the control panel only for the eToken PRO, eToken NG-FLASH and eToken NG-OTP models)
  • JaCarta PKI: user 11111111, administrator 00000000
  • JaCarta GOST: user not set, administrator 1234567890
  • JaCarta PKI / GOST:
    PKI functionality: user 11111111 (1234567890 when the Backward Compatible option is used), administrator 00000000 (not set when the Backward Compatible option is used)
    GOST functionality: user not set, administrator 1234567890
  • JaCarta PKI / GOST / SE:
    PKI functionality: user 11111111, administrator 00000000
    GOST functionality: user 0987654321, administrator 1234567890
  • JaCarta PKI / BIO: user 11111111, administrator 00000000
  • JaCarta PKI / Flash: user 11111111, administrator 00000000
  • ESMART Token: user 12345678, administrator 12345678
  • IDPrime card: user 0000, administrator 48 zeros
  • JaCarta PRO / JaCarta LT: user 1234567890, administrator 1234567890

2. Do I need to change the default PIN? If so, at what point in the work with the token?

3. What if the PIN codes on the token are unknown, but the default PIN code has already been reset?

The only way out is to completely clear (format) the token.

4. What if the user's PIN is blocked?

You can unlock the user's PIN through the token control panel. To perform this operation, you need to know the Administrator PIN.

5. What if the Admin PIN is blocked?

It is not possible to unlock the Admin PIN. The only way out is to completely clear (format) the token.

6. What security measures have been taken by manufacturers to reduce the risk of brute-forcing a password?

The main points of the PIN security policy for the USB tokens of Aladdin and Aktiv are presented in the table below. From the table one can conclude that the eToken presumably has the more secure PIN: Rutoken, although it allows a password of just one character, which is unsafe, is otherwise not inferior to the Aladdin product.

Parameter: eToken / Rutoken

  • Minimum PIN length: 4 / 1
  • PIN composition: letters, numbers, special characters / numbers, letters of the Latin alphabet
  • (row label missing on the page): greater than or equal to 7 / up to 16
  • Administration of PIN security: available / available
  • (row label missing on the page): available / available

The importance of keeping the PIN secret is known to everyone who uses a token personally, keeps an electronic signature on it, or entrusts the key not only with personal information but also with the details of their business projects. The tokens of Aladdin and Aktiv have built-in protective properties which, together with reasonable care on the user's part, reduce the risk of brute-force attacks to a minimum.

Rutoken and eToken software products are presented in various configurations and form factors. The offered assortment will allow you to choose exactly the token model that best suits your requirements, be it