Comments (5)

widgetii avatar widgetii commented on August 30, 2024 1

Here is my patch for basic v4 tokens decode support
#51

from stoken.

bmassif avatar bmassif commented on August 30, 2024

Hi,

I have the same problem, my token starts with com.rsa.securid://ctf?ctfData=BAEBz1...
I also got a password to install it.

When I try to import it in stoken I get
error: --token string is garbled: General failure
I don't know how much work it would take, but it would be nice to be able to import these tokens into stoken.

cernekee avatar cernekee commented on August 30, 2024

In order to figure out the v3 token format I had to look at how RSA's TokenConverter handled them. I wasn't able to find a public specification. You could start off with an XML file from stoken export --random --sdtid and ask TokenConverter to convert it into different CTF formats.

Not sure if the latest TokenConverter supports the v4 format, however. It doesn't look like it's been updated in a while.

esskar avatar esskar commented on August 30, 2024

Any progress on this?
@birou007 @kayrus any chance that you are able to provide an old/expired token that could be used to reverse engineer?

widgetii avatar widgetii commented on August 30, 2024

@esskar I have an expired v4 token and can share it

com.rsa.securid://ctf?ctfData=BAABaKfqKwgEkWDGEgaxp2ZGloQ7dDw2A8PglNlhP8qCBhtop%2BorCASRYMYSBrGnZkaWhDt0PDYDw%2BCU2WE%2FyoIGGznAfd6pVLcjsDtpKoG5APTUrXL51Bdnf%2FCDvZanmNEGhzDCbsDsFTFyLgKzdht0X1tKt23tFwP%2FDYg9xDS1HvS8Jy3QfT04PFNm%2BdCUUZyMIoTzdFT01msNHtrRxePWU7cB32CE48U%2BKlbW4hPyhphJhkg5qxUA38cD05J1s44hI3FTjaq%2FAhAKAQWsDy7TZE6qtU5f6cYIzdr5PKILhTyCeXRxiYuLinAkXEHWm%2F%2FrFKyroQpn%2FVYAA3NLS59HWBQwWyS2kzhtlzJh%2BI25IMhdhLvVdXdjuNzRxkwjc74z

No password locked, but device locked, Device ID d82c467c56fb2058edf8add6

It seems that the v4 format is very close to the v3 one; in particular, it has the same token size of 291 bytes. At first I supposed that it has the same fields in the storage structure, adjusted the sources and used the v3 code to decrypt the v4 seed. It passed the checks in v3_compute_hash(NULL, devid, t->v3->nonce, hash); and v3_compute_hash(pass, devid, t->v3->nonce, hash); (comparing nonce_devid_hash and nonce_devid_pass_hash), but got stuck at v3_compute_hmac(t->v3, pass, devid, hash). It calculates the HMAC, compares it with the token's MAC and finds that they are not equal.

from stoken.
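
An added example (not part of the thread and not stoken's code) of the first step the comment above implies: percent-decode and base64-decode the ctfData value, check the 291-byte size, and split the blob into fields. The field order and sizes are an assumption built from the field names in the comment and chosen to sum to 291; `decode_ctf_url`, `summarize` and `make_sample` are hypothetical names, and the sample token is constructed, not real.

```python
import base64
from urllib.parse import urlsplit, parse_qs, quote

TOKEN_LEN = 291  # decoded size the comment reports for v3 and v4 tokens

# ASSUMED layout (name, size in bytes): field names come from the comment,
# order and sizes are an assumption chosen to sum to 291.
LAYOUT = [
    ("version", 1), ("password_locked", 1), ("devid_locked", 1),
    ("nonce_devid_hash", 32), ("nonce_devid_pass_hash", 32),
    ("nonce", 16), ("enc_payload", 176), ("mac", 32),
]
assert sum(size for _, size in LAYOUT) == TOKEN_LEN

def decode_ctf_url(url):
    """Return {field: bytes} for a com.rsa.securid://ctf?ctfData=... URL."""
    parts = urlsplit(url)
    if parts.scheme != "com.rsa.securid" or parts.netloc != "ctf":
        raise ValueError("not a com.rsa.securid://ctf URL")
    values = parse_qs(parts.query).get("ctfData")
    if not values:
        raise ValueError("ctfData parameter missing")
    # parse_qs undoes %2B and %2F but maps an unescaped '+' to a space; undo that.
    raw = base64.b64decode(values[0].replace(" ", "+"), validate=True)
    if len(raw) != TOKEN_LEN:
        raise ValueError(f"expected {TOKEN_LEN} bytes, got {len(raw)}")
    fields, offset = {}, 0
    for name, size in LAYOUT:
        fields[name] = raw[offset:offset + size]
        offset += size
    return fields

def summarize(fields):
    """Header bytes only; nothing here decrypts or authenticates the seed."""
    return {
        "version": fields["version"][0],
        "password_locked": bool(fields["password_locked"][0]),
        "devid_locked": bool(fields["devid_locked"][0]),
    }

def make_sample(version=4, password_locked=0, devid_locked=1):
    """Constructed blob, NOT a real token: header plus a filler body."""
    body = b"\xfb\xef\xbe" * 96  # encodes to '+' characters, forcing %2B escapes
    blob = bytes([version, password_locked, devid_locked]) + body
    return "com.rsa.securid://ctf?ctfData=" + quote(base64.b64encode(blob).decode(), safe="")

if __name__ == "__main__":
    print(summarize(decode_ctf_url(make_sample())))
```

Read this way, the `BAAB` prefix quoted in the thread decodes to bytes 04 00 01 and the `BAEB` prefix to 04 01 01, which lines up with the posters' descriptions of a device-locked token without a password and a token that came with a password.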
