Migrate from VIP Access QR code?
VIP Access can now generate a QR code to migrate tokens.
It's in this format:
```
{
  "vip": [
    "...",
    "...",
    "SYMC..."
  ]
}
```
Is it possible to import these into vipaccess?
> VIP Access can now generate a QR code to migrate tokens.
> It's in this format:
I can't tell from what you've provided.
What do those first two fields look like?
Base32… base64… hexadecimal… ASCII?
Length?
Can you figure out how to map them into a format similar to what `vipaccess provision -p` outputs?
Confirming it's a 3 element list.
- The first element is a string. It's 8 uppercase alphanumeric characters (`^[A-Z0-9]{8}$`). It's not hex and doesn't appear to be base32/64 either. Perhaps it's a secret used for the migration?
- The second element is also a string. It appears to be an epoch timestamp in seconds, pointing to one hour after the time the migration QR code was generated. Perhaps it's an expiration time.
- The third element starts with `SYMC` and appears to be a **VIP Access Mobile** (no TrustZone) Credential as defined here.
Maybe the first argument could be mapped into a secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA query-string parameter but I'm not sure how...
> Maybe the first argument could be mapped into a secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA query-string parameter but I'm not sure how...
This first element can't contain more than ~41 bits of randomness (8 × log₂36). So there's no way it can directly map to the 160-bit secret of the SYMC token type.
There's probably an extra level of indirection to obscure the secret. These QR code parameters are likely fed into another web service (e.g. http://vip.symantec.com/get.secret.from.server?cred_password=X&cred_timestamp=Y&cred_id=Z) which then returns the secret, perhaps in a further-obfuscated format like the known provisioning endpoint.
If you can get a MITM capture of the app reading the QR code to migrate the token, that should do the trick.
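The field layout and the entropy bound discussed above, as an added example that is not part of the thread or of vipaccess itself. The field names (`code`, `expires`, `credential_id`) and the sample values are assumptions constructed for illustration; the meaning of the first two fields is only the guess made in the thread.

```python
import json
import math
import re
from datetime import datetime, timezone

CODE_RE = re.compile(r"[A-Z0-9]{8}")   # first-element pattern reported in the thread
SECRET_BITS = 160                      # SYMC secret size stated in the thread


def parse_migration_payload(raw, now=None):
    """Label the three elements of {"vip": [...]} and sanity-check each one.

    Field names are hypothetical; the app's own names are not known.
    """
    doc = json.loads(raw)
    fields = doc.get("vip") if isinstance(doc, dict) else None
    if not isinstance(fields, list) or len(fields) != 3:
        raise ValueError("expected a 3-element 'vip' list")
    if not all(isinstance(f, str) for f in fields):
        raise ValueError("all three elements should be strings")
    code, expiry, cred_id = fields

    if not CODE_RE.fullmatch(code):
        raise ValueError("first element is not 8 uppercase alphanumerics")
    if not re.fullmatch(r"[0-9]+", expiry):
        raise ValueError("second element is not an epoch timestamp in seconds")
    if not cred_id.startswith("SYMC"):
        raise ValueError("third element is not a SYMC credential ID")

    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(int(expiry), tz=timezone.utc)
    # Upper bound on randomness: 36 possible symbols per character.
    max_bits = len(code) * math.log2(36)
    return {
        "code": code,
        "expires": expires,
        "expired": now >= expires,
        "credential_id": cred_id,
        "code_max_bits": max_bits,
        # False means the code cannot be the token secret itself.
        "code_can_encode_secret": max_bits >= SECRET_BITS,
    }


if __name__ == "__main__":
    # Constructed sample payload, not captured from a real device.
    sample = '{"vip": ["AB12CD34", "1700003600", "SYMC00000000"]}'
    print(parse_migration_payload(sample))
```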
I tried MITMing using the Android emulator but didn't get very far :(