Wikipedia

HMAC-based one-time password

HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC. It is a cornerstone of the Initiative for Open Authentication (OATH).

HOTP was published as an informational IETF RFC 4226 in December 2005, documenting the algorithm along with a Java implementation. Since then, the algorithm has been adopted by many companies worldwide (see below). The HOTP algorithm is a freely available open standard.

Algorithm

The HOTP algorithm provides a method of authentication by symmetric generation of human-readable passwords, or values, each used for only one authentication attempt. The one-time property leads directly from the single use of each counter value.

Parties intending to use HOTP must establish some parameters; typically these are specified by the authenticator, and either accepted or not by the authenticated:

  • A cryptographic hash method H (default is SHA-1)
  • A secret key K, which is an arbitrary byte string and must remain private
  • A counter C, which counts the number of iterations
  • A HOTP value length d (6–10, default is 6, and 6–8 is recommended)

Both parties compute the HOTP value derived from the secret key K and the counter C. Then the authenticator checks its locally generated value against the value supplied by the authenticated.

The authenticator and the authenticated increment the counter C independently of each other, and the latter may run ahead of the former (for example, when the token generates values that are never submitted), so a resynchronisation protocol is wise. RFC 4226 does not actually require any such protocol, but does make a recommendation: the authenticator repeatedly tries verification ahead of its own counter through a look-ahead window of size s. On success the authenticator's counter moves past the value at which verification succeeded, and no action is required of the authenticated.

The recommendation is also made that persistent throttling of HOTP value verification take place, to address the values' relatively small size and thus their vulnerability to brute-force guessing. It is suggested that verification be locked out after a small number of failed attempts, or that each failed attempt incur an additional (linearly increasing) delay.

6-digit codes are commonly provided by proprietary hardware tokens from a number of vendors, which informs the default value of d. Truncation extracts 31 bits, or $\log_{10}(2^{31}) \approx 9.3$ decimal digits, meaning that d can be at most 10, with the 10th digit adding less variation, taking only the values 0, 1, and 2 (i.e., about 0.3 digits).

After verification, the authenticator can authenticate itself simply by generating the next HOTP value, returning it, and then the authenticated can generate their own HOTP value to verify it. Note that counters are guaranteed to be synchronised at this point in the process.

The HOTP value is the human-readable design output, a d-digit decimal number (without omission of leading 0s):

HOTP value = HOTP(K, C) mod 10^d.

That is, the value is the d least significant base-10 digits of HOTP.

HOTP is a truncation of the HMAC of the counter C (under the key K and hash function H):

HOTP(K, C) = truncate(HMAC_H(K, C)),

where the counter C is encoded as an 8-byte big-endian value.

Truncation first takes the 4 least significant bits of the MAC and uses them as a byte offset i:

truncate(MAC) = extract31(MAC, MAC[(19 × 8 + 4):(19 × 8 + 7)]),

where ":" is used to extract bits from a starting bit number up to and including an ending bit number, where these bit numbers are 0-origin. The use of "19" in the above formula relates to the size of the output from the hash function. With the default of SHA-1, the output is 20 bytes, and so the last byte is byte 19 (0-origin).

That index i is used to select 31 bits from MAC, starting at bit i × 8 + 1:

extract31(MAC, i) = MAC[(i × 8 + 1):(i × 8 + 4 × 8 − 1)].

31 bits are a single bit short of a 4-byte word. Thus the value can be placed inside such a word without using the sign bit (the most significant bit). This is done to avoid modular arithmetic on negative numbers altogether, since that operation has many differing definitions and implementations.[1]
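The computation above (HMAC of the big-endian counter, dynamic truncation to 31 bits, mod 10^d) together with the look-ahead window and throttling described earlier, as an added example that is not code from the article or from RFC 4226; the `HotpVerifier` class and its window, lock-out and delay policy are my own assumptions, and the embedded test vector is the one from RFC 4226 Appendix D.

```python
import hmac
import hashlib


def hotp(key: bytes, counter: int, digits: int = 6, hash_name: str = "sha1") -> str:
    """RFC 4226 HOTP value: HMAC_H(K, C) with C as 8 big-endian bytes,
    dynamic truncation to 31 bits, then the d least significant decimal digits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hash_name).digest()
    offset = mac[-1] & 0x0F                      # low 4 bits of the last byte select the byte offset
    word = int.from_bytes(mac[offset:offset + 4], "big")
    code = word & 0x7FFFFFFF                     # 31 bits: sign bit cleared, never negative
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


class HotpVerifier:
    """Authenticator side (assumed design): look-ahead window of size s,
    counter advances only past an accepted value, failures are throttled."""

    def __init__(self, key: bytes, window: int = 5, max_failures: int = 5, digits: int = 6):
        self.key, self.window, self.digits = key, window, digits
        self.counter = 0            # next counter value we expect
        self.failures = 0           # consecutive failed attempts
        self.max_failures = max_failures

    def delay_seconds(self) -> int:
        # Linearly increasing delay after each failure, as RFC 4226 suggests (T * failures).
        return self.failures

    def verify(self, candidate: str) -> bool:
        if self.failures >= self.max_failures:
            return False            # locked out until an operator resets the account
        # Try C, C+1, ..., C+s so a token that ran ahead still resynchronises.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.key, c, self.digits), candidate):
                self.counter = c + 1   # move past the accepted value; old values are now dead
                self.failures = 0
                return True
        self.failures += 1
        return False


# Constructed demo using the RFC 4226 Appendix D secret ("12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_SECRET, c))
    v = HotpVerifier(RFC_SECRET)
    print(v.verify(hotp(RFC_SECRET, 2)), v.counter)   # token ran ahead by two: accepted, counter -> 3
    print(v.verify(hotp(RFC_SECRET, 0)), v.failures)  # replay of an old value: rejected
```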

Tokens

Both hardware and software tokens are available from various vendors; for some of them, see the references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms.[2] As of 2010, OATH HOTP hardware tokens could be purchased for a marginal price.[3] Some products can be used for strong passwords as well as OATH HOTP.[4]

Software tokens are available for (nearly) all major mobile/smartphone platforms (J2ME,[5] Android,[6] iPhone,[7] BlackBerry,[8] Maemo,[9] macOS,[10] and Windows Mobile[8]).

Reception

Although the early reception from some of the computer press was negative during 2004 and 2005,[11][12][13] after IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP-compatible tokens and/or whole authentication solutions.

According to the article "Road Map: Replacing Passwords with OTP Authentication"[2] on strong authentication, published by Burton Group (a division of Gartner, Inc.) in 2010, "Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time."

See also

  • Initiative for Open Authentication
  • S/KEY
  • Time-based one-time password algorithm (TOTP)

References

  1. ^ Frank, Hoornaert; David, Naccache; Mihir, Bellare; Ohad, Ranen (December 2005). "HOTP: An HMAC-Based One-Time Password Algorithm". tools.ietf.org. doi:10.17487/RFC4226.
  2. ^ a b Diodati, Mark (2010). "Road Map: Replacing Passwords with OTP Authentication". Burton Group. Archived from the original on 2011-07-21. Retrieved 2011-02-10.
  3. ^ "Security Authentication Tokens — Entrust". Entrust. 2011.
  4. ^ "Password sCrib Tokens – Smart Crib". Smart Crib. 2013. Archived from the original on 2013-03-20.
  5. ^ "DS3 Launches OathToken Midlet Application". Data Security Systems Solutions. 2006-02-24. Archived from the original on 29 December 2013.
  6. ^ "StrongAuth". 2010. Archived from the original on 2010-05-18.
  7. ^ Cobbs, Archie L. (2010). "OATH Token". Archie L. Cobbs.
  8. ^ a b "ActivIdentity Soft Tokens". ActivIdentity. 2010. Archived from the original on 2010-09-17.
  9. ^ Whitbeck, Sean (2011). "OTP Generator for N900". Sean Whitbeck.
  10. ^ "SecuriToken". Feel Good Software. 2011. Archived from the original on 2012-04-25.
  11. ^ Kearns, Dave (2004-12-06). "Digging deeper into OATH doesn't look so good". Network World.
  12. ^ Willoughby, Mark (2005-03-21). "No agreement on Oath authentication". Computerworld.
  13. ^ Kaliski, Burt (2005-05-19). "Algorithm agility and OATH". Computerworld.

External links

  • RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm
  • RFC 6238: TOTP: Time-Based One-Time Password Algorithm
  • RFC 6287: OCRA: OATH Challenge-Response Algorithm
  • Initiative For Open Authentication
  • Implementation of RFC 4226 - HOPT Algorithm Step by step Python implementation in a Jupyter Notebook

Retrieved from https://en.wikipedia.org/w/index.php?title=HMAC-based_one-time_password&oldid=1194005767