
Decrypting secret key

Jan 12 at 8:53 PM

First of all, thank you for this great add-on to ADFS!
I am trying to figure out how to export/use the secret key from your provider (stored in an attribute on the AD user object) and insert it into a multiotp database, so users can use the same TOTP account across applications. How would I decrypt the key, so it is usable outside of your provider?

Best regards,
Jan 14 at 9:17 PM
Hi tedbear

Thank you for using this component, we are pleased that you like it.

This solution will evolve in version 2.0 from February 2017, and will remain compatible with the current version.

In this version 2, there will be an MMC console allowing you to manage the various parameters present in the configuration file, as well as a complete management of users, various import procedures for users (text, xml, Active Directory), and all required PowerShell extensions.

Here are the steps to create the TOTP key:

1 - depending on your parameters (config file) a random key is generated:
128 bits -> one Guid
256 bits -> two Guid
384 bits -> three Guid
512 bits -> four Guid

2 - then this random key is encrypted, using RNGCryptoServiceProvider (random number generator). It is possible in version 2 that we also allow RSA (RSACryptoServiceProvider) encryption, the code is already partly in the solution (Neos.IdentityServer.Multifactor.Certificates.cs in Encrypt Class).

3 - The encrypted key is then converted to a string (base64). This encrypted Base64 value key is stored in an Active Directory attribute or in an SQL database.
It's the value that you can retrieve, but this one is not compatible with the algorithm TOTP. It must therefore be transformed again.

4 - To transform your secretkey into a TOTP key, you must use the static class present in the source code Neos.IdentityServer.Multifactor.Utilities.cs: Base32.
The code is very simple and this is what you need to do in order to pass it on to another system:

secretkey is the stored value (AD or SQL).
string totpkey = Base32.Encode(secretkey);
5 - You can transmit the result (totpkey) to a user or store it into another system.
Any TOTP algorithm (RFC 6238) then will generate the same code at the same time.

I hope this can help you.

Best regards
Marked as answer by redhook on 6/21/2017 at 10:47 AM
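The hand-off described in steps 4 and 5, as an added Python example that is not the provider's own code: Base32-encode the key material, decode it again on the receiving side, and compute an RFC 6238 TOTP at both ends to confirm they agree. The sample GUID-based key, the function names, and the assumption that the value handed to Base32.Encode is the raw key bytes are mine, not taken from the project.

```python
import base64
import hashlib
import hmac
import struct
import time
import uuid

# Constructed sample key: one GUID gives 128 bits, matching the
# "128 bits -> one Guid" case in the answer. The GUID value is made up.
SAMPLE_KEY = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0").bytes


def to_totp_key(secret_bytes: bytes) -> str:
    """Base32-encode raw key bytes (RFC 4648), the form TOTP clients expect.
    Trailing '=' padding is stripped because many enrolment tools reject it."""
    return base64.b32encode(secret_bytes).decode("ascii").rstrip("=")


def from_totp_key(totp_key: str) -> bytes:
    """Reverse of to_totp_key on the importing side: restore padding, decode."""
    padded = totp_key + "=" * (-len(totp_key) % 8)
    return base64.b32decode(padded, casefold=True)


def totp(secret_bytes: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter,
    dynamic truncation, then the last `digits` decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret_bytes, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_match(secret_bytes: bytes, unix_time: int) -> bool:
    """Export the key as Base32, import it elsewhere, and check that both
    systems compute the same code for the same time step."""
    exported = to_totp_key(secret_bytes)   # what the provider hands over
    imported = from_totp_key(exported)     # what the other system stores
    return totp(secret_bytes, unix_time) == totp(imported, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("TOTP key:", to_totp_key(SAMPLE_KEY))
    print("code now:", totp(SAMPLE_KEY, now), "match:", codes_match(SAMPLE_KEY, now))
```

The RFC 6238 reference vectors (ASCII key "12345678901234567890", 8 digits) can be used to confirm the totp() routine before trusting it with exported keys.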