
Based on "How does SafeNet MobilePASS generate passwords?", I'm not sure if the MobilePASS token can be extracted for use in another TOTP app such as andOTP or KeePassXC. (I guess it depends whether the MobilePASS algorithm is a standard one.) Is this possible? If so, how? Can I use the activation URL (so I don't even have to install MobilePASS), or do I need to extract it from the MobilePASS configuration?

The self-enrolment URL has these parameters:

  • code is a 25-character ASCII alnum string.
  • data is a pipe-separated string with a bunch of properties:
    1. Two zero-padded digits
    2. Two zero-padded digits
    3. My email address
    4. A 16-bit hex-encoded number
    5. A 16-bit hex-encoded number
    6. The string 0
    7. The string 0
    8. An 18-digit number
    9. The string Unknown
    10. A base-64 encoded string which decodes as Mailflow|{"V":"0.0.0000","P":"Win32","AN":"Mail","WT":2}
    11. The string 3000
    12. Empty string
    13. Empty string
    14. Empty string
  • sdata is a base-64 encoded string which decodes as 32 bytes of binary gibberish - no idea what the format is here, but it seems like a good candidate for the secret
  • reserved=0

After going to the enrolment URL I get a base64-encoded string with the following decoded value:

EnrollmentURL=https://[redacted]?sc=[redacted 8-character ASCII alnum string]
UserID=[my username]

Is the sc value the relevant secret, encoded in some way? If I try to use the code directly as a TOTP secret, the applications (two separate ones) uppercase the string and generate different codes from MobilePASS.

l0b0
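
The parameter layout described in the question, as an added example that is not part of the original post and not SafeNet code: a parser that splits an enrolment URL into `code`, the 14 pipe-separated `data` fields, the decoded client descriptor and the `sdata` length. The host, path, function names and all sample values are assumptions constructed for illustration; it reports structure only and makes no claim about which field carries the secret.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

REQUIRED = ("code", "data", "sdata", "reserved")

def b64(value):
    # An unescaped '+' in a query string is decoded as a space; undo that first.
    return base64.b64decode(value.replace(" ", "+"), validate=True)

def parse_enrolment_url(url):
    """Split the enrolment URL into the fields listed in the question."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    missing = [name for name in REQUIRED if name not in query]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    # Split on '|' before decoding: field 10 contains a '|' once decoded.
    fields = query["data"][0].split("|")
    if len(fields) != 14:
        raise ValueError(f"expected 14 data fields, got {len(fields)}")
    client_name, client_json = b64(fields[9]).decode("utf-8").split("|", 1)
    sdata = b64(query["sdata"][0])
    return {
        "code_len": len(query["code"][0]),
        "fields": fields,
        "client_name": client_name,
        "client_info": json.loads(client_json),
        "sdata_len": len(sdata),  # length only; the bytes are never printed
        "reserved": query["reserved"][0],
    }

def build_sample_url():
    """Constructed sample; only the decoded field-10 text is from the question."""
    client = base64.b64encode(
        b'Mailflow|{"V":"0.0.0000","P":"Win32","AN":"Mail","WT":2}').decode()
    fields = ["01", "02", "user@example.com", "00ff", "1a2b", "0", "0",
              "123456789012345678", "Unknown", client, "3000", "", "", ""]
    params = {"code": "A" * 25, "data": "|".join(fields),
              "sdata": base64.b64encode(bytes(range(32))).decode(),
              "reserved": "0"}
    return "https://enrol.example.invalid/enrol?" + urlencode(params)

if __name__ == "__main__":
    parsed = parse_enrolment_url(build_sample_url())
    for key in ("code_len", "client_name", "client_info", "sdata_len", "reserved"):
        print(key, "=", parsed[key])
```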