Authorization Challenge - kinnay/ABN-Amro GitHub Wiki
The format of the login challenge depends on the type of 'access tool' that is used to authorize the session. Here is an overview:
| Access tool usage | Challenge device details | Description |
|---|---|---|
| EDENTIFIER1 | /schemes/ATT_1_12/CH_1 | Unknown |
| SESSION_HANDOVER | /schemes/ATT_1_12/CH_1 | Unknown |
| EDENTIFIER2_UNCONNECTED | /schemes/ATT_1_15/CH_1 | Unknown |
| EDENTIFIER2_CONNECTED | /schemes/ATT_1_16/CH_1 | Unknown |
| SOFTTOKEN | /schemes/ATT_5_55/CH_1 | Soft token challenge |
| BOUNDDEVICE_USERPIN | /schemes/ATT_9_62/CH_1 | Unknown |
| BOUNDDEVICE_TOUCHIDPIN | /schemes/ATT_9_66/CH_1 | Unknown |
| OOBGENERIC | /schemes/ATT_9_69/CH_1 | Out-of-band |
Soft Token Challenge
In the soft token challenge, the server provides an RSA public key. The client encrypts the user id and password with that public key and sends the result back to the server.
Both the challenge and the response consist of a sequence of values, each of which is encoded as follows:
| Offset | Size | Description |
|---|---|---|
| 0x0 | 1 | Field ID |
| 0x1 | 2 | Value size (N) |
| 0x2 | N | Value |
The values are concatenated. The last value always has field id 0 and an empty payload.
The challenge has the following fields:
| Field | Description |
|---|---|
| 2 | Unknown (8 bytes) |
| 3 | Unknown (4 bytes) |
| 4 | RSA modulus (256 bytes) |
| 5 | Public exponent (always 65537) |
To solve the challenge, the following fields are encoded in the same format and encrypted with the public key from the challenge:
| Field | Description |
|---|---|
| 2 | Field 2 from the challenge |
| 3 | Field 3 from the challenge |
| 8 | User id |
| 9 | Password |
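The following is an added example, not code from the wiki or from the app it describes: an encoder and decoder for the field format above, a parser that extracts the key parameters from a challenge, and a builder for the response plaintext. It assumes the size is a 2-byte big-endian integer immediately followed by the value, and it stops at the plaintext because the page does not document the RSA padding scheme; the challenge bytes are constructed, not a real capture.

```python
import struct

HEADER = ">BH"  # assumption: 1-byte field id, 2-byte big-endian size, then the value

def encode_fields(fields):
    """Encode (field_id, value) pairs and append the terminator (id 0, empty payload)."""
    out = bytearray()
    for fid, value in list(fields) + [(0, b"")]:
        if not 0 < fid <= 0xFF and fid != 0 or len(value) > 0xFFFF:
            raise ValueError("field id or value size out of range")
        out += struct.pack(HEADER, fid, len(value)) + value
    return bytes(out)

def decode_fields(data):
    """Decode up to and including the terminator; return ([(id, value), ...], bytes consumed)."""
    fields, pos = [], 0
    while True:
        if pos + 3 > len(data):
            raise ValueError("truncated field header at offset %d" % pos)
        fid, size = struct.unpack_from(HEADER, data, pos)
        pos += 3
        if pos + size > len(data):
            raise ValueError("truncated value for field %d" % fid)
        value = bytes(data[pos:pos + size])
        pos += size
        if fid == 0:
            if size != 0:
                raise ValueError("terminator must have an empty payload")
            return fields, pos
        fields.append((fid, value))

def parse_challenge(data):
    """Pull the two opaque fields and the RSA public key out of a soft token challenge."""
    f = dict(decode_fields(data)[0])
    if len(f[4]) != 256 or int.from_bytes(f[5], "big") != 65537:
        raise ValueError("unexpected RSA key parameters")
    return {"field2": f[2], "field3": f[3],
            "n": int.from_bytes(f[4], "big"), "e": int.from_bytes(f[5], "big")}

def build_response_plaintext(challenge, user_id, password):
    """Plaintext to be RSA-encrypted: challenge fields 2 and 3 echoed, then user id and password."""
    return encode_fields([(2, challenge["field2"]), (3, challenge["field3"]),
                          (8, user_id.encode()), (9, password.encode())])

# Constructed sample challenge; the modulus is a dummy 256-byte odd number, not a real key.
SAMPLE_CHALLENGE = encode_fields([
    (2, bytes.fromhex("0102030405060708")),
    (3, bytes.fromhex("0a0b0c0d")),
    (4, ((1 << 2047) | 1).to_bytes(256, "big")),
    (5, (65537).to_bytes(3, "big")),
])
```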