I wanted to learn more about how TOTP works – those six digit codes which are often provided by «Authenticator apps» on mobile phones and used as a second factor for online authentication. My goal was to make a simple command line client which could provide me with such codes for a given credential id. I wanted to program most of the details myself, so that in the end, I would understand it better. There are many like it, but this one is mine.

TOTP, or Time-based One Time Passwords, is a method to securely supply proof of possession of a shared secret between two parties. A valid proof will increase confidence in the client’s identity claim when used for authentication. The proof, typically in the form of a passcode, is only valid for a short amount of time, and the code itself does not reveal anything about the shared secret. This significantly reduces the impact of stolen or leaked passcodes and makes it harder to exploit by a malicious third party.

- A shared secret between the client and the server, referred to as the key.
- A time-based factor, referred to as the time counter (a 64 bit ever increasing integer).
- The application of a cryptographic hashing function on a specific combination of the key and the time counter.
- The extraction of a user friendly passcode based upon the output of the hashing function.

The key is provided as part of the QR code when setting up an authenticator app. The phone app stores the secret key and will use it as a basis to generate passcodes. The server also stores this secret, associated with the identity, so that it can validate provided codes upon authentication.

TOTP, itself described in RFC 6238, is based upon:

- HOTP: An HMAC-Based One-Time Password Algorithm, described in RFC 4226. TOTP modifies the HOTP algorithm by using the UNIX epoch time as basis for the moving factor or counter.
- HOTP again is based upon HMAC: Keyed-Hashing for Message Authentication, described in RFC 2104. HMAC is a well known message authentication code algorithm.

I chose to write this as shell script code. But there are some good reasons why that is not the most suitable language for this kind of tool:

- You need to deal with binary data, and shell scripts cannot safely store and manipulate arbitrary byte arrays in variables without some sort of encoding. This is mainly due to null bytes being treated as the string terminator character.
- Unless implemented purely in bash (only using bash built-ins), which would be an arduous task, you’ll need to call out to external commands, and there is risk of exposing secrets to other processes running on the same host, as command line arguments.

Getting started with shell code requires basically zero effort and time, which meant I could spend most of this evening project actually thinking about TOTP. (Also, I enjoy doing things in weird ways, just for the fun of it.)

Requirements

The shell script code relies on the following commands:

- openssl – the famous swiss army knife of command line cryptography.
- base32 – for working with base32-encoded data, which is the typical carrier format for TOTP secret keys.
- xxd – work with binary data, encode as hexadecimal digits and decode to raw bytes.

(They are installed by default in a typical Ubuntu/Debian Linux distribution.)

Functional building blocks

1. Decoding base32-data

A TOTP secret key is a random string of bytes that is typically encoded in base32, so we’ll need some way to decode this representation, so that we can work with the raw bytes. Base32 encodes 5 bits of data per digit (2^5 = 32), and the most common alphabet uses the characters A-Z2-7 to represent the numbers 0 through 31. This encoding scheme has interesting properties that you can read more about on Wikipedia.

```
# Arg 1: base32-encoded value, does not need to be padded.
# Outputs to stdout the raw decoded value.
```

The time based part of TOTP is just the UNIX epoch time in seconds divided by 30 (integer division). So the time counter increases by 1 every 30 seconds. This is what we use as the HMAC message and is how passcodes vary over time. However, the number must be represented in binary form, as a 64 bit integer.
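
The building blocks described in this post (base32 decoding, the 30-second time counter as a 64 bit integer, HMAC, passcode extraction) assembled into one script, as an added example that is not the code from the original post. It assumes HMAC-SHA1, 6 digits and a big-endian counter as in RFC 6238 and RFC 4226, uses od and printf octal escapes where the post names xxd, and the function names `b32_to_hex` and `totp` are made up here.

```shell
#!/bin/sh
# Added example (not the post's code): TOTP per RFC 6238 with HMAC-SHA1,
# a 30 second step and 6 digits. Needs base32, od and openssl.

# Arg 1: base32-encoded value, padding optional, case-insensitive.
# Outputs the decoded bytes as hex digits (hex sidesteps the NUL-byte problem).
b32_to_hex() (
  s=$(printf '%s' "$1" | tr -d ' =\n' | tr 'a-z' 'A-Z')
  while [ $(( ${#s} % 8 )) -ne 0 ]; do s="$s="; done   # restore padding
  printf '%s' "$s" | base32 -d | od -An -v -tx1 | tr -d ' \n'
)

# Arg 1: base32 secret. Arg 2: UNIX time in seconds (default: now).
# Outputs the 6-digit passcode.
totp() (
  key_hex=$(b32_to_hex "$1")
  [ -n "$key_hex" ] || { echo "totp: cannot decode secret" >&2; exit 1; }
  counter=$(( ${2:-$(date +%s)} / 30 ))
  # HMAC message: the counter as 8 big-endian bytes, built as octal escapes.
  msg='' i=56
  while [ "$i" -ge 0 ]; do
    msg="$msg$(printf '\\%03o' $(( (counter >> i) & 255 )))"
    i=$((i - 8))
  done
  # Caveat from the post: hexkey: puts the secret in openssl's argument list,
  # visible to other processes on the host while the command runs.
  mac=$(printf "$msg" |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" -binary |
        od -An -v -tx1 | tr -d ' \n')
  [ "${#mac}" -eq 40 ] || { echo "totp: HMAC failed" >&2; exit 1; }
  # Dynamic truncation (RFC 4226): low nibble of the last byte is the offset
  # of a 4-byte window; clear its top bit and keep the last 6 decimal digits.
  offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))
  window=$(printf '%s' "$mac" | cut -c$(( offset * 2 + 1 ))-$(( offset * 2 + 8 )))
  printf '%06d\n' $(( (0x$window & 0x7fffffff) % 1000000 ))
)
```

Passing a fixed time as the second argument makes the output reproducible, which is how the functions can be checked against the SHA-1 test vectors in RFC 6238.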