Convert DKey Token to Standard TOTP (Time-based One-Time Password)

1 min read


It is normal to have a VPN service at a university. The students just download the Cisco AnyConnect Application and input their username/password and click “Connect” to connect to their school’s local area network and use it in their home or remotely to access the services limited to use in their school or access some databases like CNKI or IEEE-Xplore. But it is also normal to have a 2FA in case to keep the network safe and avoid illegal operations.

Our college uses Dkey Token(宁盾令牌), which caused some trouble like some students uninstalled their app, the data was corrupted, or students just replaced their phone. The normal step is to submit a ticket or workflow to ITSC, request them to unbind Dkey Token and re-activate the 2FA on the campus. BUT, it is prolonged for ITSC to process these steps, and it is tough for students to do some operations on their phones. They even don’t know what 2FA is.

But I really don’t know how to solve these problems. I just find a way to export the seed from Dkey Token and import the seed to other 2FA applications like One Time Password in HE Network Tools, CanoKeys, Microsoft Authenticator, etc.

Do what I want

Our ITSC provided an instruction to help us students install the Dkey by themselves. And there is a QRCode for us to scan.


The content of the QRCode is


We decode it and got

    "version": 1,
    "serviceId": "SN114514191981",
    "companyName": "公司名称",
    "activationMethod": 2,
    "serviceAddress": "",
    "servicePort": 443,
    "tenantId": "deadbeef-cafe-babe-face-deadbeefcafe"

So we should capture the packets during the activation process. I used Charles.


    "requestId": null,
    "success": true,
    "errorCode": 0,
    "errorId": null,
    "data": "{\"serial\":\"114514\",\"crypto\":1,\"seed\":\"beefbeefbeefbeefbeefbeefbeefbeefbeefbeef\",\"timeStep\":60,\"passwordLength\":6}",
    "message": null

Now we get the seed.

Get the secret

The text is a seed in hex string format, which needs to be processed into a secret before it can be used.

First decrypt the seed from the hex string to the binary, then encrypt it with base32, and the obtained value is secret.

Import seed into third-party apps

Now we can use it to get TOTP by ourselves. We can use apps like One Time Password in HE Network Tools, CanoKeys, Microsoft Authenticator, etc.





Elegant and Charismatic.