datr / MobilePASSER

A reimplementation of the MobilePASS client in Python.

Missing the option for 8-digit codes and explanation of policy #3

Closed keshto closed 8 years ago

keshto commented 9 years ago

The script only returns a 6-digit code when there are 8 digits for the MobilePASS event-based OTP. Additionally, if a policy is supplied (assuming it is the policy string from "Token Information"), the script throws an exception because it is trying to call an append method on a string.

ph1234k commented 8 years ago

So, this is fixable. Change the first line of the get_key definition

EDIT: I am not sure why the code is not showing properly. Tried fixing the formatting. EDIT EDIT: this code did not work. I attempted many modifications and cannot get it to produce a correct value.

I am starting to think the KDF1 implementation is broken once a policy string is applied. Unfortunately I am having trouble finding where this was implemented from.

keshto commented 8 years ago

The policy problem I fixed was just more of an FYI. The digits, though, I could not get to work.

datr commented 8 years ago

Hey guys,

I'm afraid I never looked into the policy stuff too much (we didn't use it); there might well be stuff missing around that.

@ph1234k I don't think the issue lies in the KDF1 implementation but if you want to check this is the code it was based on: https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/KDF1BytesGenerator.java https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/BaseKDFBytesGenerator.java

My guess is the mobilepass client looks at the policy string and uses that to determine the number of digits there should be in the OTP and modifies how it generates the code to deal with that.

If you guys could provide examples of some policy strings that would be helpful.

chased316 commented 8 years ago

Dean,

Here's an example of index 0 and my key/policy string:

```python
if __name__ == '__main__':
    key = "SEJUQ-KYURW-IMF7L-UDAFL"
    policy = "42962449345"
    index = 0
    print(generate_mobilepass_token(key, index, policy))  # 641533
```

key/policy index should result in 641533 for index 0, assuming the mobile client starts with the first OTP in the array. PH1234k and I sit next to each other, and like you, found the GUI clients to be less than practical. :) Thanks for the quick response, and sorry for resurrecting a 2+ year old project!

chased316 commented 8 years ago

Also, it might be worth updating the code so that it works by default in py 2.7. We noticed that:

```python
if len(policy) != 0:
    policy_bytes = bytearray(policy, "ascii")
    secret.extend(policy_bytes)
```

needs to be typecast:

```python
if len(policy) != 0:
    policy_bytes = bytearray(policy, "ascii")
    secret = bytearray(secret)  # in py 2.7 secret is a str, which has no .extend
    secret.extend(policy_bytes)
```

keshto commented 8 years ago

Is there an example of an 8-digit one?

chased316 commented 8 years ago

8 Digit OTP or 8 digit policy number?

keshto commented 8 years ago

OTP

chased316 commented 8 years ago

@datr I would agree with your assertion on KDF1 not being the problem; I wasn't able to produce the proper value even with other KDF1 libraries, though like you I found they produced different values.

chased316 commented 8 years ago

@keshto To look at 8 digits of the hmac instead of 6, you can change the h= lines to:

```python
h = hmac.new(key, message, hashlib.sha256).hexdigest()
h = truncated_value(h)
h = h % (10**8)          # keep 8 decimal digits instead of 6
return '%0*d' % (8, h)   # zero-pad to 8 places
```

chased316 commented 8 years ago

It's possible I went the wrong direction, but you get the gist. You simply adjust where in this value we pull our digits.

Regards,
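As an added illustration (not code from the MobilePASSER project or from anyone in this thread), the HOTP-style truncation step discussed above with a configurable digit count, plus the bytearray cast from the earlier py 2.7 comment. The demo key, the 8-byte counter message and SHA-256 as default digest are assumptions; `build_secret` shows only the policy-append step, not the project's KDF1 key derivation.

```python
import hashlib
import hmac
import struct


def truncated_value(digest):
    """RFC 4226 dynamic truncation over a raw HMAC digest (bytes, not hexdigest)."""
    digest = bytearray(digest)          # bytearray indexing yields ints on py2 and py3
    offset = digest[-1] & 0x0F          # low nibble of the last byte selects 4 bytes
    return ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])


def generate_token(key, counter, digits=6, digestmod=hashlib.sha256):
    """HOTP-style code: HMAC over the counter, truncate, keep `digits` digits."""
    message = struct.pack(">Q", counter)         # 8-byte big-endian event counter (assumed)
    h = hmac.new(key, message, digestmod).digest()
    h = truncated_value(h)
    h = h % (10 ** digits)                       # 10**6 for 6 digits, 10**8 for 8
    return '%0*d' % (digits, h)                  # zero-pad to the requested width


def build_secret(activation_code, policy=""):
    """Append the policy string to the secret, casting to bytearray first so
    .extend() also works on py 2.7 (where a str has no .extend)."""
    secret = bytearray(activation_code.encode("ascii"))
    if len(policy) != 0:
        secret.extend(bytearray(policy, "ascii"))
    return bytes(secret)


def rfc4226_vector(counter):
    """Known-answer check: RFC 4226 Appendix D, secret '12345678901234567890', SHA-1."""
    return generate_token(b"12345678901234567890", counter, 6, hashlib.sha1)


if __name__ == '__main__':
    demo_key = b"constructed-demo-key"           # constructed, not a real activation key
    for n in range(3):
        print(n, generate_token(demo_key, n, 6), generate_token(demo_key, n, 8))
    print("RFC 4226 counter 0 ->", rfc4226_vector(0))   # 755224
```

Because the 8-digit code is the same truncated value reduced modulo 10**8, its last six digits always equal the 6-digit code for the same counter.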

chased316 commented 8 years ago

@keshto,

Can you provide the policy# and activation code you get when your client is registered to use 8 digit OTP?

chased316 commented 8 years ago

@keshto

keshto commented 8 years ago

Things work as expected after @datr 's changes.

To change the key one need only do as @chased316 suggested [https://github.com/datr/MobilePASSER/issues/3#issuecomment-202013873].

Thanks @datr and @chased316 .