Replacing Symantec VIP with a generic TOTP app

Occasionally, I need to log in to a system that requires the use of a Symantec VIP code.  For those who haven’t come across this before, the app displays a 6 digit numeric code that changes every 30 seconds.  When logging in to the system, I have to run the app to get the 6 digit code and then type it in, along with a username and password.

This is an example of pseudo-two-factor authentication: I have my password, something I know, as the first factor; and something I have, the app that generates the code, as the second factor.  (Why pseudo-two-factor? Because the code is generated from a secret, it’s really just a fancy password.)

So, what’s the problem?  I resent having a “special” Symantec app on all my devices because, ultimately, this is just a layer over the standard Time-based One Time Password (TOTP), as used by Google, Microsoft, Facebook and countless others.

Symantec VIP is actually just a layer over TOTP and, thanks to a clever bit of work by Dan Lenski (in turn forked from Cyrozap’s project), it’s possible to do away with the Symantec VIP application and use a “standard” TOTP app, such as Google Authenticator or Authy.

The instructions provided by Dan are pretty straightforward, but I hit a missing dependency that was required to make it work on my RPi 2B.

What are we actually trying to do?

The 6 digit codes that get generated by authenticator apps are created from two inputs: the current time (obviously) and a credential.  To add a new credential to a TOTP app we therefore need a compatible credential.

When you initialise Symantec VIP, it generates a new random credential, but not one compatible with TOTP.  VIP credential IDs start with 4 letters followed by 8 digits.  TOTP credentials are usually 32 characters (a base32-encoded secret), often represented as a QR code.  Creating a QR code is a “nice to have” (I only have to type in those 32 characters once, so I did without that).

Cyrozap’s and Dan’s software does the clever bit of creating the TOTP credential from the Symantec VIP credential.

As mentioned above, I’m doing this on a Raspberry Pi 2B which was up to date as of 30th May 2019.

Steps

First, we need Python 3:

sudo -s # Being lazy, saves having to type sudo in front of everything

apt update # Ensure we’re going to get the latest version of packages

sudo apt install python3 # Install Python 3 if not already installed

sudo apt install python3-pip # Install pip (package manager)

Now we can download and install Dan’s python-vipaccess application.

pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
Collecting https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
  Downloading https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
     | 276kB 10.8MB/s
Collecting lxml==4.2.5 (from python-vipaccess==0.3.1)
  Using cached https://www.piwheels.org/simple/lxml/lxml-4.2.5-cp35-cp35m-linux_armv7l.whl
Collecting oath>=1.4.1 (from python-vipaccess==0.3.1)
  Using cached https://files.pythonhosted.org/packages/73/e4/8eb7f9b6ba62d41857c54724fb3fde5a8952676e1719ea2099063c1fb253/oath-1.4.3-py2.py3-none-any.whl
Collecting pycryptodome==3.6.6 (from python-vipaccess==0.3.1)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from python-vipaccess==0.3.1)
Installing collected packages: lxml, oath, pycryptodome, python-vipaccess
  Running setup.py install for python-vipaccess ... done
Successfully installed lxml-4.2.5 oath-1.4.3 pycryptodome-3.6.6 python-vipaccess-0.3.1

When running the vipaccess command, I got the following error:

ImportError: libxslt.so.1: cannot open shared object file: No such file or directory

To resolve this, install the two libraries libxml2-dev and libxslt1-dev:

apt-get install libxml2-dev libxslt1-dev

Now you should be able to run vipaccess with no issues:

# vipaccess provision -t VSMT -p
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
        otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30
This credential expires on this date: 2022-05-30T14:13:21.891Z

You will need the ID to register this credential: VSMT22195338

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool -d6 -b --totp    SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z  # 6-digit code
    oathtool -d6 -b --totp -v SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z  # ... with extra information
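To show what the authenticator app (or oathtool) actually does with the otpauth URI printed above, here is an added Python example that is not part of the original post or of python-vipaccess: it parses the URI into its parameters and computes the RFC 6238 TOTP code from the base32 secret, the time step and SHA1, plus a small verifier that tolerates one step of clock drift. The URI constant is copied from the output above as sample input; the function names are my own.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Sample input: the otpauth URI printed by vipaccess in the output above.
PAGE_URI = ("otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec"
            "&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30")


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the parameters an authenticator app stores."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),      # e.g. "VIP Access:VSMT22195338"
        "issuer": q.get("issuer"),
        "secret": q["secret"],                     # base32-encoded shared key
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32, at_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC the time-step counter with the shared key, then truncate."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = time.time() if at_time is None else at_time
    counter = struct.pack(">Q", int(now // period))   # 8-byte big-endian step count
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri, at_time=None):
    """Same code as `oathtool -d6 -b --totp SECRET` for the secret in the URI."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at_time, p["digits"], p["period"], p["algorithm"])


def verify(secret_b32, submitted, at_time=None, drift=1, **params):
    """Server-side check: accept the current step or +/- `drift` neighbouring steps."""
    now = time.time() if at_time is None else at_time
    period = params.get("period", 30)
    return any(hmac.compare_digest(totp(secret_b32, now + k * period, **params), submitted)
               for k in range(-drift, drift + 1))
```

Calling `totp_from_uri(PAGE_URI)` gives the code currently valid for that credential, which should match what oathtool prints for the same secret at the same moment.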

You’ll then need to provide your sysadmin or service desk with the generated credential ID (VSMT22195338 in the example above), then add the credential (SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z in the example above) to your authenticator app and all should be good!
