HMAC-based One-time Password Algorithm

From Infogalactic: the planetary knowledge core
Jump to: navigation, search

HOTP is an HMAC-based one-time password (OTP) algorithm. It is a cornerstone of Initiative For Open Authentication (OATH).

HOTP was published as an informational IETF RFC 4226 in December 2005, documenting the algorithm along with a Java implementation. Since then, the algorithm has been adopted by many companies worldwide (see below). The HOTP algorithm is a freely available open standard.

Definition

Let:

  • K be a secret key
  • C be a counter
  • HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) with ⊕ as XOR, ∥ as concatenation, for more details see HMAC (C is the message)
  • Truncate be a function that selects 4 bytes from the result of the HMAC in a defined manner

Then HOTP(K,C) is mathematically defined by

HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF

The mask 0x7FFFFFFF sets the result's most significant bit to zero. This avoids problems if the result is interpreted as a signed number as some processors do.[1]

For HOTP to be useful for an individual to input to a system, the result must be converted into a HOTP value, a 6–8 digits number that is implementation dependent.

HOTP-Value = HOTP(K,C) mod 10d, where d is the desired number of digits

Applications

HOTP can be used to authenticate a user in a system via an authentication server. Also, if some more steps are carried out (the server calculates subsequent OTP value and sends/displays it to the user who checks it against subsequent OTP value calculated by his token), the user can also authenticate the validation server.[example needed]

Tokens

Both hardware and software tokens are available from various vendors, for some of them see references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms.[2] As of 2010, OATH HOTP hardware tokens can be purchased for a marginal price.[3] Some products can be used for strong passwords as well as OATH HOTP.[4]

Software tokens are available for (nearly) all major mobile/smartphone platforms (J2ME,[5] Android,[6][7] iPhone,[8] BlackBerry,[9] Maemo,[10] Mac OS X,[11] Windows Mobile[9]).

Reception

Although the reception from some of the computer press has been negative during 2004 and 2005,[12][13][14] after IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP compatible tokens and/or whole authentication solutions (see above/below).

According to a paper on strong authentication (entitled "Road Map: Replacing Passwords with OTP Authentication") published by Burton Group (a division of Gartner, Inc.) in 2010, "Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time."[2]

Implementations

  • Authy is an Android/iOS app for 2 factor authentication using TOTP.
  • Barada Android app for the client side and PAM module for the server side.
  • Duo Push is an HOTP based Android/iOS app for 2 factor authentication which utilizes Out-of-band Push technology for vastly increased security and ease of use.[dubious discuss][citation needed]
  • Google Authenticator open-source client for Android, iOS, and BlackBerry, and also PAM module for the server side.
  • LinOTP is an opensource server implementation for HOTP and other tokens.
  • multiOTP is an opensource PHP implementation for HOTP, TOTP, mOTP and other tokens. It can be used as a command line tool, integrated in a web site, as a web service, as a radius plugin, etc.
  • Oathgen BSD licensed command line HOTP and TOTP client for Windows, Linux, BSD and Macintosh operating systems.
  • OATH Toolkit nonGNU library and command line implementation of client for Linux systems, and also PAM module for the server side.
  • OpenAM is an open source Java based Single Sign On server that supports various HOTP and TOTP client authenticators.
  • privacyIDEA is an authentication backend that supports HOTP, TOTP, OCRA, TiQR, mOTP and other token types like ssh public keys.
  • SailOTP, a free software Sailfish OS client.
  • SMS2 is a free Windows service supporting HOTP and TOTP client authenticators.
  • YubiKey implements both HOTP as well as the OpenPGP card protocol. The hardware devices appear as USB keyboards and "type" the one-time password when their button is pressed.
  • Authenticator is an extension for both HOTP and TOTP for Google Chrome and Chrome OS.
  • FreeOTP is a free software app that implements HOTP and TOTP for Android and iOS.
  • Nitrokey has various USB token models capable of HOTP, TOTP, as well as the OpenPGP card protocol. Further Nitrokey's firmware and hardware are available as open source.

See also

References

  1. https://tools.ietf.org/html/rfc4226#section-5.3
  2. 2.0 2.1 Lua error in package.lua at line 80: module 'strict' not found.
  3. Lua error in package.lua at line 80: module 'strict' not found.
  4. Lua error in package.lua at line 80: module 'strict' not found.
  5. Lua error in package.lua at line 80: module 'strict' not found.
  6. Lua error in package.lua at line 80: module 'strict' not found.
  7. Lua error in package.lua at line 80: module 'strict' not found.
  8. Lua error in package.lua at line 80: module 'strict' not found.
  9. 9.0 9.1 Lua error in package.lua at line 80: module 'strict' not found.
  10. Lua error in package.lua at line 80: module 'strict' not found.
  11. Lua error in package.lua at line 80: module 'strict' not found.
  12. Lua error in package.lua at line 80: module 'strict' not found.
  13. Lua error in package.lua at line 80: module 'strict' not found.
  14. Lua error in package.lua at line 80: module 'strict' not found.

External links

Retrieved from "https://infogalactic.com/w/index.php?title=HMAC-based_One-time_Password_Algorithm&oldid=1205952"