< draft-mraihi-totp-timebased   rfc6238.txt 
Internet Engineering Task Force D. M'Raihi Internet Engineering Task Force (IETF) D. M'Raihi
Internet-Draft Verisign, Inc. Request for Comments: 6238 Verisign, Inc.
Intended status: Informational S. Machani Category: Informational S. Machani
Expires: August 28, 2011 Diversinet Corp. ISSN: 2070-1721 Diversinet Corp.
M. Pei M. Pei
Symantec Symantec
J. Rydell J. Rydell
Portwise, Inc. Portwise, Inc.
February 24, 2011 May 2011
TOTP: Time-based One-time Password Algorithm TOTP: Time-Based One-Time Password Algorithm
draft-mraihi-totp-timebased-08.txt
Abstract Abstract
This document describes an extension of one-time password (OTP) This document describes an extension of the One-Time Password (OTP)
algorithm, namely the HMAC-Based One-Time Password (HOTP) Algorithm algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm,
as defined in RFC 4226, to support time-based moving factor. The as defined in RFC 4226, to support the time-based moving factor. The
HOTP algorithm specifies an event based OTP algorithm where the HOTP algorithm specifies an event-based OTP algorithm, where the
moving factor is an event counter. The present work bases the moving moving factor is an event counter. The present work bases the moving
factor on a time value. A time-based variant of the OTP algorithm factor on a time value. A time-based variant of the OTP algorithm
provides short-lived OTP values, which are desirable for enhanced provides short-lived OTP values, which are desirable for enhanced
security. security.
The proposed algorithm can be used across a wide range of network The proposed algorithm can be used across a wide range of network
applications ranging from remote Virtual Private Network (VPN) applications, from remote Virtual Private Network (VPN) access and
access, Wi-Fi network logon to transaction-oriented Web applications. Wi-Fi network logon to transaction-oriented Web applications. The
The authors believe that a common and shared algorithm will authors believe that a common and shared algorithm will facilitate
facilitate adoption of two-factor authentication on the Internet by adoption of two-factor authentication on the Internet by enabling
enabling interoperability across commercial and open-source interoperability across commercial and open-source implementations.
implementations.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering This document is a product of the Internet Engineering Task Force
Task Force (IETF). Note that other groups may also distribute (IETF). It represents the consensus of the IETF community. It has
working documents as Internet-Drafts. The list of current Internet- received public review and has been approved for publication by the
Drafts is at http://datatracker.ietf.org/drafts/current/. Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Internet-Drafts are draft documents valid for a maximum of six months Information about the current status of this document, any errata,
and may be updated, replaced, or obsoleted by other documents at any and how to provide feedback on it may be obtained at
time. It is inappropriate to use Internet-Drafts as reference http://www.rfc-editor.org/info/rfc6238.
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 28, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction ....................................................2
1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Scope ......................................................2
1.2. Background . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Background .................................................3
2. Notation and Terminology . . . . . . . . . . . . . . . . . . . 4 2. Notation and Terminology ........................................3
3. Algorithm Requirements . . . . . . . . . . . . . . . . . . . . 4 3. Algorithm Requirements ..........................................3
4. TOTP Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 5 4. TOTP Algorithm ..................................................4
4.1. Notations . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Notations ..................................................4
4.2. Description . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Description ................................................4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations .........................................5
5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. General ....................................................5
5.2. Validation and Time-step Size . . . . . . . . . . . . . . 7 5.2. Validation and Time-Step Size ..............................6
6. Resynchronization . . . . . . . . . . . . . . . . . . . . . . 8 6. Resynchronization ...............................................7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements ................................................7
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 8. References ......................................................8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 8.1. Normative References .......................................8
9.1. Normative references . . . . . . . . . . . . . . . . . . . 9 8.2. Informative References .....................................8
9.2. Informative References . . . . . . . . . . . . . . . . . . 9 Appendix A. TOTP Algorithm: Reference Implementation ...............9
Appendix A. TOTP Algorithm: Reference Implementation . . . . . . 10 Appendix B. Test Vectors ..........................................14
Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
1.1. Scope 1.1. Scope
This document describes an extension of one-time password (OTP) This document describes an extension of the One-Time Password (OTP)
algorithm HMAC-Based One-Time Password (HOTP) as defined in [RFC4226] algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm,
to support time based moving factor. as defined in [RFC4226], to support the time-based moving factor.
1.2. Background 1.2. Background
As defined in [RFC4226] the HOTP algorithm is based on the HMAC-SHA-1 As defined in [RFC4226], the HOTP algorithm is based on the
algorithm, as specified in [RFC2104] applied to an increasing counter HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
value representing the message in the HMAC computation. increasing counter value representing the message in the HMAC
computation.
Basically, the output of the HMAC-SHA-1 calculation is truncated to Basically, the output of the HMAC-SHA-1 calculation is truncated to
obtain user-friendly values: obtain user-friendly values:
HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)) HOTP(K,C) = Truncate(HMAC-SHA-1(K,C))
where Truncate represents the function that can convert an HMAC-SHA-1 where Truncate represents the function that can convert an HMAC-SHA-1
value into an HOTP value. K and C reprensent the shared secret and value into an HOTP value. K and C represent the shared secret and
counter value, see [RFC4226] for their detail definition. counter value; see [RFC4226] for detailed definitions.
TOTP is the time-based variant of this algorithm where a value T TOTP is the time-based variant of this algorithm, where a value T,
derived from a time reference and a time step replaces the counter C derived from a time reference and a time step, replaces the counter C
in the HOTP computation. in the HOTP computation.
TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
based on SHA-256 or SHA-512 [SHA2] hash functions, instead of HMAC- based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
SHA-1 function that has been specified for HOTP computation in HMAC-SHA-1 function that has been specified for the HOTP computation
[RFC4226]. in [RFC4226].
2. Notation and Terminology 2. Notation and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] document are to be interpreted as described in [RFC2119].
3. Algorithm Requirements 3. Algorithm Requirements
This section summarizes the requirements taken into account for This section summarizes the requirements taken into account for
designing the TOTP algorithm. designing the TOTP algorithm.
R1 - The prover (e.g. token, soft token) and verifier (authentication R1: The prover (e.g., token, soft token) and verifier (authentication
or validation server) MUST know or be able to derive the current Unix or validation server) MUST know or be able to derive the current
time (i.e. the number of seconds elapsed since midnight UTC of Unix time (i.e., the number of seconds elapsed since midnight UTC
January 1, 1970) for OTP generation. See [UT] for more detail of January 1, 1970) for OTP generation. See [UT] for a more
definition of the commonly known "Unix time". The precision of the detailed definition of the commonly known "Unix time". The
time used by the prover affects how often the clock synchronization precision of the time used by the prover affects how often the
should be done, see Section 6. clock synchronization should be done; see Section 6.
R2 - The prover and verifier MUST either share a same secret or the R2: The prover and verifier MUST either share the same secret or the
knowledge of a secret transformation to generate a shared secret knowledge of a secret transformation to generate a shared secret.
R3 - The algorithm MUST use HOTP [RFC4226] as a key building block. R3: The algorithm MUST use HOTP [RFC4226] as a key building block.
R4 - The prover and verifier MUST use the same time step value X. R4: The prover and verifier MUST use the same time-step value X.
R5 - There MUST be a unique secret (key) for each prover. R5: There MUST be a unique secret (key) for each prover.
R6 - The keys SHOULD be randomly generated or derived using a key R6: The keys SHOULD be randomly generated or derived using key
derivation algorithms. derivation algorithms.
R7 - The keys MAY be stored in a tamper-resistant device and SHOULD R7: The keys MAY be stored in a tamper-resistant device and SHOULD be
be protected against unauthorized access and usage. protected against unauthorized access and usage.
4. TOTP Algorithm 4. TOTP Algorithm
This variant of the HOTP algorithm specifies the calculation of a This variant of the HOTP algorithm specifies the calculation of a
one-time password value, based on a representation of the counter as one-time password value, based on a representation of the counter as
a time factor. a time factor.
4.1. Notations 4.1. Notations
- X represents the time step in seconds (default value X = 30 o X represents the time step in seconds (default value X =
seconds) and is a system parameter; 30 seconds) and is a system parameter.
- T0 is the Unix time to start counting time steps (default value is o T0 is the Unix time to start counting time steps (default value is
0, Unix epoch) and is also a system parameter. 0, i.e., the Unix epoch) and is also a system parameter.
4.2. Description 4.2. Description
Basically, we define TOTP as TOTP = HOTP(K, T) where T is an integer Basically, we define TOTP as TOTP = HOTP(K, T), where T is an integer
and represents the number of time steps between the initial counter and represents the number of time steps between the initial counter
time T0 and the current Unix time. time T0 and the current Unix time.
More specifically T = (Current Unix time - T0) / X where: More specifically, T = (Current Unix time - T0) / X, where the
default floor function is used in the computation.
- X represents the time step in seconds (default value X = 30
seconds) and is a system parameter.
- T0 is the Unix time to start counting time steps (default value is
0, Unix epoch) and is also a system parameter;
- The default floor function is used in the computation. For For example, with T0 = 0 and Time Step X = 30, T = 1 if the current
example, with T0 = 0 and time step X = 30, T = 1 if the current Unix Unix time is 59 seconds, and T = 2 if the current Unix time is
time is 59 seconds and T = 2 if the current Unix time is 60 seconds. 60 seconds.
The implementation of this algorithm MUST support the time value T The implementation of this algorithm MUST support a time value T
larger than 32-bit integer when it is beyond year 2038. The value of larger than a 32-bit integer when it is beyond the year 2038. The
the system parameters X and T0 are pre-established during the value of the system parameters X and T0 are pre-established during
provisioning process and communicated between a prover and verifier the provisioning process and communicated between a prover and
as part of the provisioning step. The provisioning flow is out of verifier as part of the provisioning step. The provisioning flow is
scope of this document, refer to [RFC6030] for such provisioning out of scope of this document; refer to [RFC6030] for such
container specification. provisioning container specifications.
5. Security Considerations 5. Security Considerations
5.1. General 5.1. General
The security and strength of this algorithm depends on the properties The security and strength of this algorithm depend on the properties
of the underlying building block HOTP, which is a construction based of the underlying building block HOTP, which is a construction based
on HMAC [RFC2104] using SHA-1 as the hash function. on HMAC [RFC2104] using SHA-1 as the hash function.
The conclusion of the security analysis detailed in [RFC4226] is The conclusion of the security analysis detailed in [RFC4226] is
that, for all practical purposes, the outputs of the dynamic that, for all practical purposes, the outputs of the dynamic
truncation on distinct inputs are uniformly and independently truncation on distinct inputs are uniformly and independently
distributed strings. distributed strings.
The analysis demonstrates that the best possible attack against the The analysis demonstrates that the best possible attack against the
HOTP function is the brute force attack. HOTP function is the brute force attack.
As indicated in the algorithm requirement section, keys SHOULD be As indicated in the algorithm requirement section, keys SHOULD be
chosen at random or using a cryptographically strong pseudo-random chosen at random or using a cryptographically strong pseudorandom
generator properly seeded with a random value. generator properly seeded with a random value.
Keys SHOULD be of the length of the HMAC output to facilitate Keys SHOULD be of the length of the HMAC output to facilitate
interoperability. interoperability.
We RECOMMEND following the recommendations in [RFC4086] for all We RECOMMEND following the recommendations in [RFC4086] for all
pseudo-random and random generations. The pseudo-random numbers used pseudorandom and random number generations. The pseudorandom numbers
for generating the keys SHOULD successfully pass the randomness test used for generating the keys SHOULD successfully pass the randomness
specified in [CN] or a similar well-recognized test. test specified in [CN], or a similar well-recognized test.
All the communications SHOULD take place over a secure channel e.g. All the communications SHOULD take place over a secure channel, e.g.,
SSL/TLS [RFC5246], IPsec connections [RFC4301]. Secure Socket Layer/Transport Layer Security (SSL/TLS) [RFC5246] or
IPsec connections [RFC4301].
We also RECOMMEND storing the keys securely in the validation system, We also RECOMMEND storing the keys securely in the validation system,
and more specifically encrypting them using tamper-resistant hardware and, more specifically, encrypting them using tamper-resistant
encryption and exposing them only when required: for example, the key hardware encryption and exposing them only when required: for
is decrypted when needed to verify an OTP value, and re-encrypted example, the key is decrypted when needed to verify an OTP value, and
immediately to limit exposure in the RAM for a short period of time. re-encrypted immediately to limit exposure in the RAM to a short
period of time.
The key store MUST be in a secure area, to avoid as much as possible The key store MUST be in a secure area, to avoid, as much as
direct attack on the validation system and secrets database. possible, direct attack on the validation system and secrets
Particularly, access to the key material should be limited to database. Particularly, access to the key material should be limited
programs and processes required by the validation system only. to programs and processes required by the validation system only.
5.2. Validation and Time-step Size 5.2. Validation and Time-Step Size
An OTP generated within the same Time-step will be the same. When an An OTP generated within the same time step will be the same. When an
OTP is received at a validation system, it doesn't know a client's OTP is received at a validation system, it doesn't know a client's
exact timestamp when an OTP was generated. The validation system may exact timestamp when an OTP was generated. The validation system may
typically use the timestamp when an OTP is received for OTP typically use the timestamp when an OTP is received for OTP
comparison. Due to the network latency for an OTP to transmit from a comparison. Due to network latency, the gap (as measured by T, that
requesting application to a validation system and user's actual input is, the number of time steps since T0) between the time that the OTP
time of an OTP to a receiving system, such timestamp gap between the was generated and the time that the OTP arrives at the receiving
actual OTP generation time and server's receiving time may be large. system may be large. The receiving time at the validation system and
The receiving time at the validation system and the actual OTP the actual OTP generation may not fall within the same time-step
generation may not fall within the same Time-step window that produce window that produced the same OTP. When an OTP is generated at the
the same OTP. When an OTP is generated at the end of a Time-step end of a time-step window, the receiving time most likely falls into
window, the receiving time most likely falls into the next Time-step the next time-step window. A validation system SHOULD typically set
window. A validation system SHOULD typically set a policy for an a policy for an acceptable OTP transmission delay window for
acceptable OTP transmission delay window for validation. The validation. The validation system should compare OTPs not only with
validation system should compare OTPs not only with the receiving the receiving timestamp but also the past timestamps that are within
timestamp but also the past timesteps that are within the the transmission delay. A larger acceptable delay window would
transmission delay. A larger acceptable delay window would introduce expose a larger window for attacks. We RECOMMEND that at most one
some OTP attack window. We RECOMMEND that at most one time step is time step is allowed as the network delay.
allowed as the network delay.
The Time-step size has impact on both security and usability. A The time-step size has an impact on both security and usability. A
larger Time-step size means larger validity window for an OTP to be larger time-step size means a larger validity window for an OTP to be
accepted by a validation system. There are the following accepted by a validation system. There are implications for using a
implications with a larger Time-step size. larger time-step size, as follows:
At first, a larger Time-step size exposes larger window for attack. First, a larger time-step size exposes a larger window to attack.
When an OTP is generated and exposed to a third party before it is When an OTP is generated and exposed to a third party before it is
consumed, the third party can consume the OTP within the Time-step consumed, the third party can consume the OTP within the time-step
window. window.
We RECOMMEND default Time-step size for 30 seconds. This default We RECOMMEND a default time-step size of 30 seconds. This default
value of 30 seconds is selected to balance between security and value of 30 seconds is selected as a balance between security and
usability. usability.
Secondly, the next different OTP must be generated in the next Time- Second, the next different OTP must be generated in the next time-
step window. A user must wait till the clock moves to the next Time- step window. A user must wait until the clock moves to the next
step window from the last submission. The waiting time may not be time-step window from the last submission. The waiting time may not
exactly the length of Time-step depending on when the last OTP was be exactly the length of the time step, depending on when the last
generated. For example, if the last OTP was generated at the half OTP was generated. For example, if the last OTP was generated at the
way in a Time-step window, the waiting time for the next OTP is half halfway point in a time-step window, the waiting time for the next
of length of Time-step. In general, a larger Time-step window means OTP is half the length of the time step. In general, a larger time-
larger waiting time for a user to get the next valid OTP after the step window means a longer waiting time for a user to get the next
last successfully OTP validation. A too large window, for example 10 valid OTP after the last successful OTP validation. A too-large
minutes, most probably won't be suitable for typical internet login window (for example, 10 minutes) most probably won't be suitable for
use cases; a user may not be able to get the next OTP within 10 typical Internet login use cases; a user may not be able to get the
minutes and therefore re-login back to the same site in 10 minutes. next OTP within 10 minutes and therefore will have to re-login to the
same site in 10 minutes.
Note that a prover may send the same OTP inside a given time window Note that a prover may send the same OTP inside a given time-step
multiple times to a verifier. The verifier MUST not accept the window multiple times to a verifier. The verifier MUST NOT accept
second attempt of the OTP after the successful validation has been the second attempt of the OTP after the successful validation has
issued for the first OTP, which ensures one-time only use of an OTP. been issued for the first OTP, which ensures one-time only use of an
OTP.
6. Resynchronization 6. Resynchronization
Because of possible clock drifts between a client and a validation Because of possible clock drifts between a client and a validation
server, we RECOMMEND that the validator be set with a specific limit server, we RECOMMEND that the validator be set with a specific limit
to the number of time steps a prover can be 'out of synch' before to the number of time steps a prover can be "out of synch" before
being rejected. being rejected.
This limit can be set both forward and backwards from the calculated This limit can be set both forward and backward from the calculated
time step on receipt of the OTP value. If the time step is 30 time step on receipt of the OTP value. If the time step is
seconds as recommended, and the validator is set to only accept 2 30 seconds as recommended, and the validator is set to only accept
time step backwards then the maximum elapsed time drift would be two time steps backward, then the maximum elapsed time drift would be
around 89 seconds, i.e. 29 seconds in the calculated time step and 60 around 89 seconds, i.e., 29 seconds in the calculated time step and
for two backward time steps. 60 seconds for two backward time steps.
This would mean the validator could perform a validation against the This would mean the validator could perform a validation against the
current time and then further two validations for each backward step current time and then two further validations for each backward step
(for a total of 3 validations). Upon successful validation, the (for a total of 3 validations). Upon successful validation, the
validation server can record the detected clock drift for the token validation server can record the detected clock drift for the token
in terms of number of Time-step. When a new OTP is received after in terms of the number of time steps. When a new OTP is received
this step, the validator can validate the OTP with current timestamp after this step, the validator can validate the OTP with the current
adjusted with recorded number of Time-step clock drifts for the timestamp adjusted with the recorded number of time-step clock drifts
token. for the token.
Also, it is important to note that the longer a prover has not sent Also, it is important to note that the longer a prover has not sent
an OTP to a validation system, the longer (potentially) the an OTP to a validation system, the longer (potentially) the
accumulated clock drift between the prover and the verifier. In such accumulated clock drift between the prover and the verifier. In such
cases, the automatic resynchronization described above may not work cases, the automatic resynchronization described above may not work
if the drift exceeds the allowed threshold. Additional if the drift exceeds the allowed threshold. Additional
authentication measures should be used to safely authenticate the authentication measures should be used to safely authenticate the
prover and explicitly resynchronize the clock drift between the prover and explicitly resynchronize the clock drift between the
prover and the validator. prover and the validator.
7. IANA Considerations 7. Acknowledgements
This document has no actions for IANA.
8. Acknowledgements
The authors of this draft would like to thank the following people The authors of this document would like to thank the following people
for their contributions and support to make this a better for their contributions and support to make this a better
specification: Hannes Tschofenig, Jonathan Tuliani, David Dix, specification: Hannes Tschofenig, Jonathan Tuliani, David Dix,
Siddharth Bajaj, Stu Veath, Shuh Chang, Oanh Hoang, John Huang, and Siddharth Bajaj, Stu Veath, Shuh Chang, Oanh Hoang, John Huang, and
Siddhartha Mohapatra. Siddhartha Mohapatra.
9. References 8. References
9.1. Normative references 8.1. Normative References
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
February 1997, <http://www.ietf.org/rfc/rfc2104.txt>. February 1997.
[RFC2119] "Key words for use in RFCs to Indicate Requirement [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Levels", BCP 14, RFC 2119, March 1997, Requirement Levels", BCP 14, RFC 2119, March 1997.
<http://www.ietf.org/rfc/rfc2119.txt>.
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
Recommendations for Security", RFC 4086, June 2005, "Randomness Recommendations for Security", BCP 106,
<http://www.ietf.org/rfc/rfc4086.txt>. RFC 4086, June 2005.
[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and [RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and
O. Ranen, "HOTP: An HMAC-Based One-Time Password O. Ranen, "HOTP: An HMAC-Based One-Time Password
Algorithm", RFC 4226, December 2005, Algorithm", RFC 4226, December 2005.
<http://www.ietf.org/rfc/rfc4226.txt>.
[SHA2] NIST, "FIPS PUB 180-3: Secure Hash Standard (SHS)", [SHA2] NIST, "FIPS PUB 180-3: Secure Hash Standard (SHS)",
October 2008, <http://csrc.nist.gov/publications/fips/ October 2008, <http://csrc.nist.gov/publications/fips/
fips180-3/fips180-3_final.pdf>. fips180-3/fips180-3_final.pdf>.
9.2. Informative References 8.2. Informative References
[CN] Coron, J. and D. Naccache, "An accurate evaluation of [CN] Coron, J. and D. Naccache, "An Accurate Evaluation of
Maurer's universal test", LNCS 1556, February 1999, <http: Maurer's Universal Test", LNCS 1556, February 1999,
//www.gemplus.com/smart/rd/publications/pdf/CN99maur.pdf>. <http://www.gemplus.com/smart/rd/publications/pdf/
CN99maur.pdf>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005, Internet Protocol", RFC 4301, December 2005.
<http://www.ietf.org/rfc/rfc4301.txt>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008, (TLS) Protocol Version 1.2", RFC 5246, August 2008.
<http://www.ietf.org/rfc/rfc5246.txt>.
[RFC6030] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric [RFC6030] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
Key Container (PSKC)", RFC 6030, October 2010, Key Container (PSKC)", RFC 6030, October 2010.
<http://www.ietf.org/rfc/rfc6030.txt>.
[UT] Wikipedia, "Unix time", February 2011, [UT] Wikipedia, "Unix time", February 2011,
<http://en.wikipedia.org/wiki/Unix_time>. <http://en.wikipedia.org/wiki/Unix_time>.
Appendix A. TOTP Algorithm: Reference Implementation Appendix A. TOTP Algorithm: Reference Implementation
<CODE BEGINS> <CODE BEGINS>
/** /**
Copyright (c) 2011 IETF Trust and the persons identified as authors of Copyright (c) 2011 IETF Trust and the persons identified as
the code. All rights reserved. authors of the code. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS Redistribution and use in source and binary forms, with or without
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT modification, is permitted pursuant to, and subject to the license
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR terms contained in, the Simplified BSD License set forth in Section
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, (http://trustee.ietf.org/license-info).
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
import java.lang.reflect.UndeclaredThrowableException; import java.lang.reflect.UndeclaredThrowableException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.Date; import java.util.Date;
import javax.crypto.Mac; import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger; import java.math.BigInteger;
import java.util.TimeZone; import java.util.TimeZone;
/** /**
* This an example implementation of the OATH TOTP algorithm. * This is an example implementation of the OATH
* TOTP algorithm.
* Visit www.openauthentication.org for more information. * Visit www.openauthentication.org for more information.
* *
* @author Johan Rydell, PortWise, Inc. * @author Johan Rydell, PortWise, Inc.
*/ */
public class TOTP { public class TOTP {
private TOTP() {} private TOTP() {}
/** /**
* This method uses the JCE to provide the crypto * This method uses the JCE to provide the crypto algorithm.
* algorithm.
* HMAC computes a Hashed Message Authentication Code with the * HMAC computes a Hashed Message Authentication Code with the
* crypto hash algorithm as a parameter. * crypto hash algorithm as a parameter.
* *
* @param crypto the crypto algorithm (HmacSHA1, HmacSHA256, * @param crypto: the crypto algorithm (HmacSHA1, HmacSHA256,
* HmacSHA512) * HmacSHA512)
* @param keyBytes the bytes to use for the HMAC key * @param keyBytes: the bytes to use for the HMAC key
* @param text the message or text to be authenticated. * @param text: the message or text to be authenticated
*/ */
private static byte[] hmac_sha(String crypto, byte[] keyBytes, private static byte[] hmac_sha(String crypto, byte[] keyBytes,
byte[] text){ byte[] text){
try { try {
Mac hmac; Mac hmac;
hmac = Mac.getInstance(crypto); hmac = Mac.getInstance(crypto);
SecretKeySpec macKey = SecretKeySpec macKey =
new SecretKeySpec(keyBytes, "RAW"); new SecretKeySpec(keyBytes, "RAW");
hmac.init(macKey); hmac.init(macKey);
return hmac.doFinal(text); return hmac.doFinal(text);
} catch (GeneralSecurityException gse) { } catch (GeneralSecurityException gse) {
skipping to change at page 11, line 36 skipping to change at page 10, line 20
SecretKeySpec macKey = SecretKeySpec macKey =
new SecretKeySpec(keyBytes, "RAW"); new SecretKeySpec(keyBytes, "RAW");
hmac.init(macKey); hmac.init(macKey);
return hmac.doFinal(text); return hmac.doFinal(text);
} catch (GeneralSecurityException gse) { } catch (GeneralSecurityException gse) {
throw new UndeclaredThrowableException(gse); throw new UndeclaredThrowableException(gse);
} }
} }
/** /**
* This method converts HEX string to Byte[] * This method converts a HEX string to Byte[]
* *
* @param hex the HEX string * @param hex: the HEX string
* *
* @return A byte array * @return: a byte array
*/ */
private static byte[] hexStr2Bytes(String hex){ private static byte[] hexStr2Bytes(String hex){
// Adding one byte to get the right conversion // Adding one byte to get the right conversion
// values starting with "0" can be converted // Values starting with "0" can be converted
byte[] bArray = new BigInteger("10" + hex,16).toByteArray(); byte[] bArray = new BigInteger("10" + hex,16).toByteArray();
// Copy all the REAL bytes, not the "first" // Copy all the REAL bytes, not the "first"
byte[] ret = new byte[bArray.length - 1]; byte[] ret = new byte[bArray.length - 1];
for (int i = 0; i < ret.length ; i++) for (int i = 0; i < ret.length ; i++)
ret[i] = bArray[i+1]; ret[i] = bArray[i+1];
return ret; return ret;
} }
private static final int[] DIGITS_POWER private static final int[] DIGITS_POWER
// 0 1 2 3 4 5 6 7 8 // 0 1 2 3 4 5 6 7 8
= {1,10,100,1000,10000,100000,1000000,10000000,100000000 }; = {1,10,100,1000,10000,100000,1000000,10000000,100000000 };
/** /**
* This method generates an TOTP value for the given * This method generates a TOTP value for the given
* set of parameters. * set of parameters.
* *
* @param key the shared secret, HEX encoded * @param key: the shared secret, HEX encoded
* @param time a value that reflects a time * @param time: a value that reflects a time
* @param returnDigits number of digits to return * @param returnDigits: number of digits to return
* *
* @return A numeric String in base 10 that includes * @return: a numeric String in base 10 that includes
* {@link truncationDigits} digits * {@link truncationDigits} digits
*/ */
public static String generateTOTP(String key, public static String generateTOTP(String key,
String time, String time,
String returnDigits){ String returnDigits){
return generateTOTP(key, time, returnDigits, "HmacSHA1"); return generateTOTP(key, time, returnDigits, "HmacSHA1");
} }
/** /**
* This method generates an TOTP value for the given * This method generates a TOTP value for the given
* set of parameters. * set of parameters.
* *
* @param key the shared secret, HEX encoded * @param key: the shared secret, HEX encoded
* @param time a value that reflects a time * @param time: a value that reflects a time
* @param returnDigits number of digits to return * @param returnDigits: number of digits to return
* *
* @return A numeric String in base 10 that includes * @return: a numeric String in base 10 that includes
* {@link truncationDigits} digits * {@link truncationDigits} digits
*/ */
public static String generateTOTP256(String key, public static String generateTOTP256(String key,
String time, String time,
String returnDigits){ String returnDigits){
return generateTOTP(key, time, returnDigits, "HmacSHA256"); return generateTOTP(key, time, returnDigits, "HmacSHA256");
} }
/** /**
* This method generates an TOTP value for the given * This method generates a TOTP value for the given
* set of parameters. * set of parameters.
* *
* @param key the shared secret, HEX encoded * @param key: the shared secret, HEX encoded
* @param time a value that reflects a time * @param time: a value that reflects a time
* @param returnDigits number of digits to return * @param returnDigits: number of digits to return
* *
* @return A numeric String in base 10 that includes * @return: a numeric String in base 10 that includes
* {@link truncationDigits} digits * {@link truncationDigits} digits
*/ */
public static String generateTOTP512(String key, public static String generateTOTP512(String key,
String time, String time,
String returnDigits){ String returnDigits){
return generateTOTP(key, time, returnDigits, "HmacSHA512"); return generateTOTP(key, time, returnDigits, "HmacSHA512");
} }
/** /**
* This method generates an TOTP value for the given * This method generates a TOTP value for the given
* set of parameters. * set of parameters.
* *
* @param key the shared secret, HEX encoded * @param key: the shared secret, HEX encoded
* @param time a value that reflects a time * @param time: a value that reflects a time
* @param returnDigits number of digits to return * @param returnDigits: number of digits to return
* @param crypto the crypto function to use * @param crypto: the crypto function to use
* *
* @return A numeric String in base 10 that includes * @return: a numeric String in base 10 that includes
* {@link truncationDigits} digits * {@link truncationDigits} digits
*/ */
public static String generateTOTP(String key, public static String generateTOTP(String key,
String time, String time,
String returnDigits, String returnDigits,
String crypto){ String crypto){
int codeDigits = Integer.decode(returnDigits).intValue(); int codeDigits = Integer.decode(returnDigits).intValue();
String result = null; String result = null;
// Using the counter // Using the counter
// First 8 bytes are for the movingFactor // First 8 bytes are for the movingFactor
// Complaint with base RFC 4226 (HOTP) // Compliant with base RFC 4226 (HOTP)
while(time.length() < 16 ) while(time.length() < 16 )
time = "0" + time; time = "0" + time;
// Get the HEX in a Byte[] // Get the HEX in a Byte[]
byte[] msg = hexStr2Bytes(time); byte[] msg = hexStr2Bytes(time);
byte[] k = hexStr2Bytes(key); byte[] k = hexStr2Bytes(key);
byte[] hash = hmac_sha(crypto, k, msg); byte[] hash = hmac_sha(crypto, k, msg);
// put selected bytes into result int // put selected bytes into result int
int offset = hash[hash.length - 1] & 0xf; int offset = hash[hash.length - 1] & 0xf;
int binary = int binary =
((hash[offset] & 0x7f) << 24) | ((hash[offset] & 0x7f) << 24) |
((hash[offset + 1] & 0xff) << 16) | ((hash[offset + 1] & 0xff) << 16) |
((hash[offset + 2] & 0xff) << 8) | ((hash[offset + 2] & 0xff) << 8) |
(hash[offset + 3] & 0xff); (hash[offset + 3] & 0xff);
int otp = binary % DIGITS_POWER[codeDigits]; int otp = binary % DIGITS_POWER[codeDigits];
result = Integer.toString(otp); result = Integer.toString(otp);
while (result.length() < codeDigits) { while (result.length() < codeDigits) {
skipping to change at page 15, line 36 skipping to change at page 14, line 48
}catch (final Exception e){ }catch (final Exception e){
System.out.println("Error : " + e); System.out.println("Error : " + e);
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Appendix B. Test Vectors Appendix B. Test Vectors
This section provides test values that can be used for HOTP time- This section provides test values that can be used for the HOTP time-
based variant algorithm interoperability test. based variant algorithm interoperability test.
The test token shared secret uses the ASCII string value The test token shared secret uses the ASCII string value
"12345678901234567890". With Time Step X = 30, and Unix epoch as "12345678901234567890". With Time Step X = 30, and the Unix epoch as
initial value to count time steps where T0 = 0, the TOTP algorithm the initial value to count time steps, where T0 = 0, the TOTP
will display the following values for specified modes and timestamps. algorithm will display the following values for specified modes and
timestamps.
+-------------+--------------+------------------+----------+--------+ +-------------+--------------+------------------+----------+--------+
| Time (sec) | UTC Time | Value of T (hex) | TOTP | Mode | | Time (sec) | UTC Time | Value of T (hex) | TOTP | Mode |
+-------------+--------------+------------------+----------+--------+ +-------------+--------------+------------------+----------+--------+
| 59 | 1970-01-01 | 0000000000000001 | 94287082 | SHA1 | | 59 | 1970-01-01 | 0000000000000001 | 94287082 | SHA1 |
| | 00:00:59 | | | | | | 00:00:59 | | | |
| 59 | 1970-01-01 | 0000000000000001 | 46119246 | SHA256 | | 59 | 1970-01-01 | 0000000000000001 | 46119246 | SHA256 |
| | 00:00:59 | | | | | | 00:00:59 | | | |
| 59 | 1970-01-01 | 0000000000000001 | 90693936 | SHA512 | | 59 | 1970-01-01 | 0000000000000001 | 90693936 | SHA512 |
| | 00:00:59 | | | | | | 00:00:59 | | | |
skipping to change at page 17, line 13 skipping to change at page 16, line 13
Table 1: TOTP Table Table 1: TOTP Table
Authors' Addresses Authors' Addresses
David M'Raihi David M'Raihi
Verisign, Inc. Verisign, Inc.
685 E. Middlefield Road 685 E. Middlefield Road
Mountain View, CA 94043 Mountain View, CA 94043
USA USA
Email: davidietf@gmail.com EMail: davidietf@gmail.com
Salah Machani Salah Machani
Diversinet Corp. Diversinet Corp.
2225 Sheppard Avenue East, Suite 1801 2225 Sheppard Avenue East, Suite 1801
Toronto, Ontario M2J 5C2 Toronto, Ontario M2J 5C2
Canada Canada
Email: smachani@diversinet.com EMail: smachani@diversinet.com
Mingliang Pei Mingliang Pei
Symantec Symantec
510 E. Middlefield Road 510 E. Middlefield Road
Mountain View, CA 94043 Mountain View, CA 94043
USA USA
Email: Mingliang_Pei@symantec.com EMail: Mingliang_Pei@symantec.com
Johan Rydell Johan Rydell
Portwise, Inc. Portwise, Inc.
275 Hawthorne Ave, Suite 119 275 Hawthorne Ave., Suite 119
Palo Alto, CA 94301 Palo Alto, CA 94301
USA USA
Email: johan.rydell@portwise.com EMail: johanietf@gmail.com
 End of changes. 103 change blocks. 
252 lines changed or deleted 238 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
X-Generator: pyht 0.35