11

We use MobilePASS at work but the latest version of the android client seems to be buggy so I wanted to have a go at implementing the algorithm myself.

You can download the client to play with here: http://www.safenet-inc.com/support-downloads/mobilepass-download-page/

It looks to be based on the HMAC-SHA256 OTP algorithm. The client provides the user with the secret key when creating a new token which is copied into a web interface server side.

The bit I'm unsure about though is the pin. It looks like this is also included in the process but I'm having trouble determining exactly how.

Is there a standard way of extending HOTP to include a pin?

CodesInChaos
  • 24,841
  • 2
  • 89
  • 128
Dean Reilly
  • 181
  • 1
  • 2
  • 7

2 Answers2

7

So I was finally able to work this out. The pin code isn't important and is simply used to decrypt the activation code locally (not sure why our server asks for it in that case).

The activation code is a base32 encoding of a seed where every fifth character acts as a checksum for the previous four.

The seed is then passed through KDF1 to generate the shared secret.

That is then in turn used as part of the HOTP algorithm.

You can see my reimplementation in python here: https://github.com/datr/MobilePASSER/

l0b0
  • 163
  • 9
Dean Reilly
  • 181
  • 1
  • 2
  • 7
  • Does this solution still work with the SafeNet MobilePass software? Whenever I get an activation string its about 152 characters and appears to be Base64. I'm attempting to write a better app myself but can't for the life of me figure out how to get the 6-digit token. – Bradley Delaune Jan 12 '16 at 04:28
  • Bradley, I believe it is still working. I haven't seen these new longer base64 activation codes though. Can you tell me what app or program is generating the new style activation code? – Dean Reilly Mar 25 '16 at 10:33
  • 2
    sorry for such a delayed response...clearly this isn't number 1 priority for me. My code is a base64 string that translates to the following: EnrollmentURL=https://se.safenet-inc.com/selfenrollment/dskpp.aspx?sc=<edit1> UserID=<edit2> Passphrase=<edit3>

    where edit1 is a 10 character code that i don't recoqnize edit 2 is my username within my org edit 3 seems to be a 4 digit random passphrase consisting only of numbers

     – Bradley Delaune Jan 06 '17 at 17:54
  • @BradleyDelaune did you ever get anywhere with this? – Matt Humphrey Jul 04 '23 at 15:15
2

Yes, HOTP can include a PIN/Password also.

If you check RFC 4226, it says

Composite Shared Secrets

It may be desirable to include additional authentication factors in the shared secret K. These additional factors can consist of any data known at the token but not easily obtained by others.
Examples of such data include:

  • PIN or Password obtained as user input at the token
  • Phone number
  • Any unique identifier programmatically available at the token

etc.

And the HOTP Extensions document, also has a reference to this

4.6 PIN/Password "salted" HOTP Response

In this case, the PIN/password value used to control the usage of the token and/or protect access to the key embedded in the hardware (or software) token can be injected in the Response computation, as well as the random question Q:

Response = HOTP (K, Q|P)

Where | stands for concatenation.

etc.

You can check both documents for more info.

Community
  • 1
user93353
  • 2,191
  • 3
  • 23
  • 43
  • Cheers for the links. I tried both of the scheme of concatenating the key and the counter with a hash of the pin but that doesn't seem to match the output. To give you the data I have

    Key: MHQ34-F4XKC-NEHAU-JY2MG Pin: 1234 First Password: 372189

     – Dean Reilly Jul 12 '13 at 14:29