CCob / okta-terrify

Okta Verify and Okta FastPass Abuse Tool
287 stars, 32 forks

OktaInk ExportPrivate question #4

Closed FlangvikAD closed 3 months ago

FlangvikAD commented 5 months ago

Hi. I am using the tool to export the private key, but I don't know what the PIN code is or how to get it. I use Windows Hello without TPM.

OktaInk.exe -o ExportPrivate --pin

CCob commented 5 months ago

What database format are you working with, legacy or new?

FlangvikAD commented 5 months ago

New database format.

I exported a ProofOfPossession type certificate.

Also, can you tell me whether the PIN code used for ProofOfPossession encryption is the system PIN code, or whether it is generated by Okta Verify itself?

FlangvikAD commented 5 months ago

I've learned something about CNG DPAPI, and I think that if the certificate uses a PIN, then the private key properties of the certificate should contain NgcSoftwareKeyPbkdf2Salt, whereas mine is Createapinprotectedkey. Is there any correlation or difference between them?

CCob commented 5 months ago

Yes, that's correct: if a CNG key is protected with a PIN, it's used in addition to the user account password + fixed entropy. Export needs a little more work for the new format, as this was implemented recently and I haven't had time to look at how that affects export functionality. Hopefully I'll get some time soon to take a look.

FlangvikAD commented 5 months ago

I decompiled the program and it looks like the credentials are set via the CreatePinProtectedKeyPair method of Okta.Devices.SDK.Windows.Native.dll, and the passcode is for network transfer? Maybe I can write a DLL to hook the CredentialAccessInteraction.GetCredential method to see the passcode.

CCob commented 5 months ago

I'm going to take a guess that the new DB format will use the same PIN for the software-based PoP key as it does for the TPM-backed one. The only difference under the hood will be which crypto provider it's using to load the key.

But it's highly doubtful that it will be marked for export, which means you'll need to go the direct route and use the user's DPAPI key + PIN + fixed entropy to get at the raw RSA private key from the user's AppData folder.

FlangvikAD commented 5 months ago

After analyzing the code, I think the PIN code it uses is not from the Windows system itself, but is transmitted over the network by Okta.

Since it uses SecureString, I can't see the PinCode value in memory for now.

Do you have any ideas on how I can view the actual content of PinCode? Much appreciated.

FlangvikAD commented 5 months ago

Also, the certificate was created before I entered the PIN code, so at least the PIN code used for encryption is not the Windows Hello PIN.