
SHA-1 is considered broken. That's why I'm assuming that using SHA-1 for RFC2289 OTPs is broken as well. Is this assumption correct?

Going further with this assumption, using SHA-1 for RFC4226 HOTPs should be broken too, shouldn't it? Although this blog states the following: "it doesn't affect applications such as HMAC where collisions aren't important". Does this also apply to HOTP?

A detailed explanation would be really appreciated.

Thank you very much in advance.

Fandi

1 Answer


The security property needed for one-time password generation is that of a pseudorandom function. HMAC is assumed to be a pseudorandom function, when the hash function has certain properties. Collision resistance is not a required property for HMAC to be a secure pseudorandom function. However, when collision resistance is broken, this brings into question the general security of the function. As such, although HMAC-SHA1 is not actually broken, it is worthwhile looking at phasing into HMAC-SHA256, when possible.

I will just note that HMAC-SHA1 does not require collision resistance in the normal sense, since it is designed so that the hash of the message is prefixed by a secret key. Thus, the attacker is unable to compute the hash of the message itself.

Yehuda Lindell
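As an added worked example (my own code, not part of the question or of Yehuda Lindell's answer): the HOTP construction from RFC 4226, written so the hash function is a parameter. The point it illustrates is the one made above: the OTP is derived from HMAC(key, counter), the counter is a public 8-byte value and the key is a secret prefix inside HMAC, so nothing in the construction asks the hash for collision resistance. Swapping hashlib.sha1 for hashlib.sha256 changes nothing except the MAC length, which the dynamic truncation step already handles. The secret below is the published RFC 4226 Appendix D test secret, not a real key, and the look-ahead verifier is the resynchronisation scheme from RFC 4226 section 7.2.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
# Used only because it is the published reference vector; it is not a real key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.

    digestmod defaults to SHA-1 as the RFC specifies; pass hashlib.sha256 to see
    that the construction relies on HMAC being a PRF, not on any property of SHA-1.
    """
    msg = struct.pack(">Q", counter)          # counter is public, key is the HMAC secret
    mac = hmac.new(key, msg, digestmod).digest()
    # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last MAC byte
    # selects a 4-byte window; the top bit is masked so the result is a 31-bit int.
    # Works for any digest length >= 20 bytes, so SHA-256 needs no special case.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(key: bytes, candidate: str, counter: int, look_ahead: int = 5, **kw):
    """Check a submitted code against counter .. counter+look_ahead (RFC 4226 section 7.2).

    Returns the counter value the server should resynchronise to (one past the
    match), or None if nothing in the window matches. hmac.compare_digest keeps
    the comparison constant-time so a timing side channel does not leak digits.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c, **kw), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(10):
        print(c, hotp(RFC4226_SECRET, c), hotp(RFC4226_SECRET, c, digestmod=hashlib.sha256))
```

Running it with the RFC secret reproduces the Appendix D values (755224, 287082, 359152, ... for counters 0, 1, 2, ...); the SHA-256 column is simply a different PRF output of the same shape. Note that even with a collision-resistant hash the 6-digit output is brute-forceable at roughly 10^6 guesses, which is why the look-ahead window is small and why a server must rate-limit attempts.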