Skip to content

Single Sign On: Oauth – How to decode the id_token?

In the oauth protocol, the id_token proves successful authentication by the IDP occurred.

When the scope lists openid, oauth will return an id_token.

  • The id_token is in a fixed format.
  • The token is in JWT.
  • Claims are included, if profile and email are in the scopes requested.


How to decode the token?

On the wire, the token is encoded.

Visit to automatically decode the token (just paste in the encoded text).



This will usually state type:jwt, alg:rs256,kid=key id


The payload contains the user claims and includes several critical fields for troubleshooting, if the authentication has issues. 

  • Iss = issuer
  • aud= audience ie the app that is to receive the token
  • iat = issued at time
  • exp = expiry time

Check the iat and expiry time for clock skew at the IDP, particularly, if the IDP’s clocks are ahead of the SP.

Bearer Token

The bearer token, is the equivalent of cash.

Possession of the bearer token is all you need, to get what you want, and cash has no identity linked to it.

The other system is called Proof of possession; however this is not widely used, but acts like a visa card, with an identity linked to it.


Oauth Implicit Flow – Client must validate the signature – but what is the at_hash exactly?

In Oauth, the Implict flow makes reference to the at_hash. So lets consider this parameter in more detail.

Step 1 – take the access token (we’ll call it x).

Step 2 – hash the access token with SHA-256 (we’ll call it Y).

Step 3 – take the left hand side of the hashed token Y1 (which is only 128 bits).

Step 4 – Base64 encode the left hand side of Y1 (we’ll call it Z).

Step 5 – Z is the at_hash, ie the hash of the access token, after its been hashed with SHA-256, only the first left hand halve of the hash taken, and that half is encoded with Base64 to form the at_hash.


The Implict flow spec states that the client MUST validate the SIGNATURE of the ID Token.

Which ransomware targets the education sector?

Both education and healthcare sectors are being targeted by PYSA ransomware. These targets are specially chosen as they hold Personal Data, and use the Windows Operating System


The means of access is Pysa and ChaChi Remote Access Trojan.

Pysa ransonmware



What happens next, once they’ve breached a target site?

Key highlights of the PYSA campaign include:

  • Defense Evasion: PowerShell scripts to uninstall/stop/disable antivirus and other essential services.
  • Credential Access: Dumping credentials from LSASS without Mimikatz (comsvcs.dll).
  • Discovery: Internal network enumeration using Advanced Port Scanner.
  • Persistence: ChaChi installed as a Service.
  • Lateral Movement: RDP and PsExec.
  • Exfiltration: Likely over ChaChi tunnel (not observed).
  • Command and Control (C2): ChaChi RAT.

How do they achieve persistence?


Shortly after its initial execution ChaChi decodes a service name and service description:

Decode Service Name and Description.

Using the decoded service name, ChaChi enumerates all installed services to check if a service with the same name already exists. In this case, it is named “JavaJDBC”. If a service with the specified name is found, then ChaChi will randomly select another service name from a hardcoded, albeit gobfuscated, list of service name strings:

Check if Service Name Exists.

Decoding Alternate Service Names.

After determining an appropriate name to use for service installation, ChaChi then checks to see if it has sufficient administrator privileges to carry out the service creation operation:

Checking if running with Administrative Privileges.

If ChaChi is not running with administrative privileges, it bypasses its persistence code and begins to initialize command-and-control (C2) communications. If the backdoor is running with administrative privileges, it will install itself as a new service that is configured to auto-start, before manually starting the service:

Install as Service and Start the Service.

C2 Communications

ChaChi utilizes two protocols for C2 communications: DNS and HTTP. The primary, preferred method of C2 communication is DNS tunnelling using TXT queries.

TXT or “text” records were originally intended to allow domain admins to associate arbitrary text with a domain, such as domain ownership information or network and server information. Threat actors have taken advantage of this for their own nefarious needs by encoding data in these TXT queries, which is a form of DNS tunnelling.

Decoding C2 IPs and Domains

ChaChi is preconfigured with a list of C2 domains for DNS tunnelling, as well as IP addresses for HTTP C2 failover. The domains are encoded just like any other string in a gobfuscated binary, using a dedicated function that carries out the XOR decode process:

C2 Domains are Decoded from Gobfuscated functions.

The domain that will be used is chosen at random through the use of “Intn” from the “rand” package, which is seeded by the value returned from an earlier call to “time.Now”:

Randomizing C2 Domain Selection.

The decoding of the C2 IP addresses is a little more complicated, although not overly so. As with the C2 domains, the inevitable selection of a C2 IP address is also randomized through calls to “time.Now”, “rand.Seed” and “rand.Shuffle”. The C2 IP decoding function takes several arguments: a pointer to the encoded C2 IP array, an integer value indicating the number of encoded IP addresses, and a hex number used in the decoding of each octet of each IP address. The decoding of the C2 IP addresses works as follows:

  • Read a word (2 bytes) at the initial offset into the C2 IP array determined by the earlier shuffle.
  • Subtract the hex number (0xA in all observed cases) from the retrieved value.
  • Convert the result to its base 10 equivalent (thereby creating a single octet of an IP).
  • Repeat 4 times per encoded IP.
  • Join the decoded octets with a “.” (thus fully decoding a stored C2 IP address).

These steps are repeated until all IP addresses have been decoded

C2 Communications Failover.

This failover method is not ideal for the ChaChi operators. It does not offer the encryption afforded to the DNS tunnelling, and it is nowhere near as covert.

The HTTP C2 communications are performed using POST requests to one of the randomly selected C2 IPs decoded earlier. The content of the HTTP POST is encoded using Base64 and XOR encoding to offer some level of data protection, in the same way as the data was encoded prior to being serialized into the “ChunkData” messages in the case of DNS tunnelling.

Should the C2 check-in fail, it will rotate through the other decoded C2 IPs in an attempt to create a connection. If a connection is established, ChaChi will encode and send POST requests to the C2 and process its responses:

HTTP POST Request and Response Processing.

Decrypting C2 Traffic

As the use of HTTP for C2 communications is less complicated and involves less steps when compared to DNS tunnelling, this section will focus on decryption of DNS traffic.

Decryption of both HTTP and DNS C2 traffic is possible because, once we obtain both the XOR and encryption keys, we can reverse the process that has taken plaintext data and converted it to an encrypted form. Each phase in the encoding and encryption process is reversible:

Encoding and Encryption Process to generate TXT Query.

To do this, we perform the following steps:

  • Retrieve DNS TXT queries from packet captures or DNS logs.
  • Strip the domain name and “.” separators.
  • Decode the string from hex back to bytes.
  • Run the decoded content along with the recovered encryption key through a XSalsa20+Poly1305 decryption process.
  • De-serialize the decrypted data in order to access the packet field of the “ChunkData” messages – other message types are fully decrypted at this point.
  • Apply XOR decoding using the recovered XOR key to the packet field of each “ChunkData” message.
  • Base64-decode the result of the XOR operation.

The result of the above process yields decrypted and de-serialized protocol buffers as well as the original data that was encoded and packed into “ChunkData” packets.

Yara Rule

The following Yara rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:

rule Mal_Backdoor_ChaChi_RAT
                        description = “ChaChi RAT used in PYSA Ransomware Campaigns”
                        author = “BlackBerry Threat Research & Intelligence”                        strings:
                        // “Go build ID:”
                        $go = { 47 6F 20 62 75 69 6C 64 20 49 44 3A }
                        // dnsStream
                        $dnsStream = { 64 6E 73 53 74 72 65 61 6D }
                        // SOCKS5
                        $socks5 = { 53 4F 43 4B 53 35 }
                        // chisel
                        $chisel = { 63 68 69 73 65 6C }                                               condition:
                        // MZ signature at offset 0
                        uint16(0) == 0x5A4D and
                        // PE signature at offset stored in MZ header at 0x3C
                        uint32(uint32(0x3C)) == 0x00004550 and
                        // ChaChi Strings
                        all of them


Why would you use Base32 instead of Base64 encoding?

Recently, there was a conference, and it was mentioned that Base64 encoding, was being replaced with Base32 encoding. The immediate question, is why, especially as Base64 is widely accepted.

The reason for both Base64 and Base32 encoding, is to offer data safety through transportation

Base32 uses more space – a disadvantage

Compared to Base64, Base32 uses roughly 20 % more space however, its main advantage is, that it is more human-readable.

The main reason Base32 is used, is to avoid human error.

UPPER CASE HERE WE COME! – an advantage

One important and simple reason and why Base32 even exists is that it uses A-Z uppercase only (no lowercase) and the numbers 2-7. No 0189. 26 + 6 chars = 32.

There are no lowercase letters and no digits 0189 so “i” “l” “I” and “1” are not confused. There is only I.

Confusion between B and 8, and 0 and O is also eliminated.

If 0 was entered, it can be treated as a O.

But what is clear, the human error non-unique interpretation of the string is reduced significantly. This is not the case with Base64.

All of the above issues with upper and lowercase and numbers being confused all apply to Base64.

Online Base32 encoding


How to Disable SSLv3 – registry edit

Recently some servers that I look after, had Nessus errors, regarding SSL v3. Yeap. Here it was, some 25 years old, security protocol, still active. The best blog that details how to edit the registry to disable SSL v3 is here:

The fix is shown below, as its one of those vulnerabilities, that you edit the registry and then reboot.

A word of caution, the reboot is critical.

Disabling SSLv3

SSLv3 is an obsolete protocol, the main attack vector on which, at the time of writing, is an attack called POODLE. Disabling SSLv3 is the ultimate solution to mitigate security risks. Another option suitable for servers that critically require SSLv3 support is a signalizing TLS_FALLBACK_SCSV cipher suite that allows to keep SSLv3 enabled, but prevents downgrade attacks from higher protocols (TLSv1 =< ). Unfortunately, at the time of writing, Microsoft didn’t yet add support for TLS_FALLBACK_SCSV in SChanel. Therefore, disabling SSLv3 is the only mitigation measure a certificate administrator can apply against POODLE in case of a Windows Server.

  1. Open registry editor:Win + R >> regedit
  2. Navigate to:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\Hardening_9.jpg
  3. By default, there should be only one key presented “SSL 2.0”. We need to create a new one for SSLv3Right-click on Protocols >> New >> KeyName the key ‘SSL 3.0’Hardening_10.jpg
  4. Right-click on SSL 3.0 >> New >> KeyHardening_11.jpgName the key ‘Server’
  5. Right-click on Server >> New >> DWORD (32-bit) ValueHardening_12.jpgName the value Enabled
  6. Double-click the Enabled value and make sure that there is zero (0) in the Value Data field >> click OKHardening_13.jpg
  7. You may need to restart Windows Server to apply the changes.

SSL v3 was released in 1996, ie 25 years ago.

To disable SSL v2 Client or SSL v3 Client

You’ll need this setting for the client:

SSL 2.0 > client

right click > new key > DisabledByDefault > DWord set to 1

  1. In the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value.Windows Registry Key
  2. Name the value DisabledByDefault.
  3. In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.Windows Registry Key
  4. In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then, click OK.


SAML: What is Base 64 encoding?

During a SAML exchange, the messages use Base 64 encoding, but what exactly is Base 64 encoding, and what does it look like?

Base 64, means that we use 64 characters in the alphabet, with the 65th character being the = equals sign, which is used to terminate the message.

  • Our base 64 alphabet goes from 0 (A in base 64), to 63 (/ in base 64).
  • A base 64 sequence will be composed of caracters : A-Z, a-z, 0-9, + and /.
  • Base 64 uses a 6 bits representation, because you can represent up to 64 different things with 6 bits Bytes.
  • When you convert text to Base 64, it will be first separate into chunks of 24 bits, which is 3 Bytes. Then it will encode each 6 bits of the input with its base 64 value
  • If the input’s amount of bits isn’t a multiple of 6, base 64 complete it with 0 bits.

Tools to see the encoding “live”

SAML Tools has a handy text to Base 64 converter, so that we can see the encoding.

Use this tool:

The RFC states to add “=” signs to reach the 24 bits multiple (so we can have one or more == signs at the end).

Use this tool:

Both of these tools can take Base64 XML and decode into text, so that you can capture SAML messages and then convert to see the text being sent.

Base64 Character Set – See RFC 4648

RFC 4648 is linked here:

Advanced stuff:

We can identify the last group of a base 64 sequence by looking for how many equals signs there are, “=” at the end.

The RFC details the 3 scenarios for padding.

RFC 4648 is linked here:

Base64 Character set


RFC 4648 is linked here:

Identity Management Certification – CAMS

The identity management sector, is booming due to Covid, and working from home. There are a few relatively economic certifications in identity management, such as CISM and CAMS that are moving mainstream.

How come I’m promoting Certifications?

Certifications require active recall, and this is the key to success in the real world. The goal is to close your books and quiz yourself, until its easy to recall the answers from memory, under exam conditions. Once you’ve memorised the concepts, you’ll pass the certification, but this intense study, will upskill you across the board. Most importantly, it will give you confidence, that you have mastered IAM’s.

What is one major reason why companies should conduct access audits?

Correct answer: B)

A)To avoid fines for noncompliance
Correct answerB)To identify potential problems with internal access procedures
C)To develop an access control matrix

Periodic access audit will help identify inappropriate access and potential flaws in internal procedures.

What type of access control is currently most popular for businesses?

Correct answer: A)

Correct answer A)Role-based
Role based access control provides the best access control to ensure access is appropriate.

What do the rows and columns in an access control matrix represent?

Correct answer: A)

Correct answer A)Subjects and objects
B)Objects and rights
C)Permissions and users

Subjects refer to users and objects refer to data that subjects are authorized to access in an access control matrix.

The process allowing authenticated users to access specific information is called what?

Correct answer: A)

Correct answerA)Authorization

Authenticated users must be authorized to access systems and data.

On which three principles should access control be based?

Correct answer: A)

Correct answerA)Least privilege, separation of duties and need to know
B)Separation of duties, role within a company and administrative permissions
C)Need to know, activities within a system and least privilege

Access should always be granted based on least privilege, separation of duties, and need to know.

How is authentication best defined?

Correct answer: C)

A)The way a system recognizes a user
B)The way a system authorizes a user
Correct answerC)The way a user proves who they are

Authentication is the process by which a system validates a user’s identity.

What is an endpoint?

Correct answer: B)

A)A type of malicious attack
Correct answerB)A device within a connected network
C)A security program used to protect against data theft

Endpoint refers to all devices that connect to a network.

Why is security information and event management (SIEM) essential for data security?

Correct answer: B)

A)Ensures compliance
Correct answerB)Helps with early detection of suspicious activity
C)Prevents unauthorized access

Adequate security information and event management may help detect a breach.

What are the consequences of poor access management?

Correct answer: D)

A)Lost productivity
B)Data Breach
C)Fines and penalties
Correct answerD)All of the above

Poor access management practices can lead to data breach cases, lost productivity due to data breach investigations, as well as fines and penalties.

What are the three pillars of the AAA triad?

Correct answer: B)

A)Auditing, accounting, and authorization
Correct answerB)Authentication, authorization, and accounting
C)Accounting, authenticity, and availability

Authentication, authorization, and accounting form the basis for the AAA access management model which support the cybersecurity objectives of confidentiality, integrity and availability also known as CIA.


I have no links to IMI, nor am I sponsored by them.

OpenSSL : How to create a Certificate .crt and check expiry dates

This carries on from my earlier OpenSSL post, on how to create a private key. Its assumed that you have created a private key, ready to create the public key.

A certificate is a public key that has been signed by the private key, and in this way it is “certified” or a certificate.

Step 1 – Use the private key to sign a public key, and “certify” it


req -utf8 -new -key privatekeypem4096.pem -x509 -days 365 -out mycrt.crt


enter the passphrase (ie the password for the private key). This is signing the public key with the private key.

country code – this is a 2 letter code for your country – set by the X509 standards.

state – mandatory in X509 standards

common name – the name of the server or hostname. This site is on domain

Step 2 – View the new certifcate file

x509 -in mycrt.crt -text -noout

Who is the Issuer?

This means your private key has been used to sign and certify the public key, called a “Certificate”. The certificate includes:

  1. Hostname of the server, its for eg
  2. Expiry date for the certificate eg 23 Feb 2023

When does this certificate expire?

If you want to check the expiry dates for a certificate, the OpenSSL command would be:

x509 -noout -in mycrt.crt -dates

That’s step 2 complete.

Step 3 is to crete a CSR, or Certificate Signing Request.

More fun

If you want to check your work online, as you have the .pem file, you can upload this to have the data you’ve created checked.

Upload your .pem file.


Advanced Reading

OpenSSL – How to renew an expired SSL Certificate, so that the new SSL Certificate has the same Public Key as the old Certificate

OPENSSL : How to make a private key using AES 256

When starting to use OpenSSL, the methods and ciphers can seem daunting, so lets break it down. Initially, we always start with the private key. Secondly we create a public key. So lets start with step 1, create a private key, with a symmetric cipher of AES 256. OpenSSL defaults to a *.pem file. We can learn how to convert this to a *.crt later on.

Step 1 – in openssl bin directory (windows)

cd OpenSSL-Win64

cd bin


genrsa -aes256 -out privatekeypem4096.pem 4096

openssl genrsa -aes256 -out privatekeypem4096.pem (centos linux)

The first prompt is for a passphrase, which is between 4 and 1023 characters long. A passphrase is mandatory.

So what happens if we don’t put it in? You get this error.

Enter the pass phrase twice. It’s verified.


open the file with notepad or cat to view the contents.

notepad privatekeypem4096.pem


The private key on its own, has to be followed by the creation of the public key, to be useful for signing certficates. So creating the public key is next.


File Formats

PEM – OpenSSL default

DER – Binary format, in ASCII

PKCS#7 – Base64, in ASCII, popular in Windows

PKCS#12 – Binary format, stores keys, certificates


Alternative syntax

The AES cipher is for the symmetric key. The single symmetric key is for high speed encryption/decryption, and needs to be shared by both parties.

genrsa -aes128 -out privatekeypem4096.pem 4096 = AES 128, legacy

genrsa -aes256 -out privatekeypem2048.pem 2048 = AES 256, with 2048 bits public key

genrsa -aes256 -out privatekeypem4096.pem 4096 = AES 256, with 4096 bits public key


Now, you can generate a private key, with various encryption ciphers.


Step 2 – How to create a Certificate or .crt file

OpenSSL : How to create a Certificate .crt


Advanced Reading

OpenSSL – How to renew an expired SSL Certificate, so that the new SSL Certificate has the same Public Key as the old Certificate

OAUTH: Authorisation Code Interception Attack – RFC 7636

To those supporting OAuth, there’s an interesting attack detailed in RFC 7636. In OAuth, the holder of the code, can obtain an access token…. So how does this work?

A public client or native app, allows all applications to view the transactions, therefore a malicious app, can see and swap the code for the Access Token.

Mitigation – PKCE

The use of PKCE (pixie) or Proof Key Code Exchange blocks this attack.

  1. The device attempting to gain access generates a random string, officially called the code_verifier. code_verifier = the secret. This is transformed to become the code_challenge or t(code_verifier), with the transformation method (t_m).
  2. This code_challenge is sent to the Authorisation Server, along with the Authorisation Request. Therefore we would see (authn request plus code_verifier hash) being sent together. It stores the code_challenge or t(code_verifier) on the server.
  3. The Authorisation Server returns the code.
  4. The client make a call to the token endpoint, and transmits the code plus the code_verifier secret.
  5. The authorisation server compares the code_verifier secret with t(code_verifier) to ensure they match. If they match, this ensures the device that made the code request, is the device exchanging the code for an access token. If it is a match, an access token is granted.
  6. The client calls the api using the access token.


Implicit Flow

In Oauth, please don’t use the Implicit Flow. How do we detect a system is using the Implicit Flow?

Check the Browser, for the access_token.

What would been seen if the PKCE code_challenge is being used?

In the browser, this would be visible:


%d bloggers like this: