The HMAC-based one-time password algorithm defined in RFC 4226.
Questions tagged [hotp]
36 questions
61 votes, 2 answers
What are the advantages of TOTP over HOTP?
HMAC-based One Time Password (HOTP) was published as an informational IETF RFC 4226 in December 2005. In May, 2011, Time-based One-time Password Algorithm (TOTP) officially became RFC 6238. What advantages does it introduce?
Jader Dias
29 votes, 1 answer
How does HOTP keep in sync?
My understanding of HOTP is that each password is unique and based on a counter.
$$PASSWORD = HOTP_1(K,C)$$
Where $C$ is an incremental counter.
What I wish to know is how you keep the client and server in sync. Looking at current systems…
mrwooster
23 votes, 2 answers
Why does HOTP use such a complex truncate function?
In the HOTP protocol after calculating a 20 byte hash it is truncated to 4 bytes.
For this first an offset is calculated (low-order 4 bits of the last byte) which determines the four bytes to be selected:
DT(String) // String =…
Jeff
12 votes, 2 answers
How does SafeNet MobilePASS generate passwords?
We use MobilePASS at work but the latest version of the android client seems to be buggy so I wanted to have a go at implementing the algorithm myself.
You can download the client to play with here:…
Dean Reilly
11 votes, 2 answers
Why are HOTP and TOTP implementations all using 6 digits and not more?
I was checking the RFCs after wondering for some time. In RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm, it states in the appendix:
A simple enhancement in terms of security would be to extract more
digits from the HMAC-SHA-1…
Mamsaac
6 votes, 1 answer
How HOTP values are validated according to RFC 4226
In Section 7.2 "Validation of HOTP Values" of the HOTP spec (RFC 4226) it says, in part,
The HOTP client (hardware or software token) increments its counter
and then calculates the next HOTP value HOTP client. If the value
received by the…
rlandster
6 votes, 1 answer
How does the HOTP dynamic truncation function generalize to longer hashes?
HOTP, the HMAC-based One-Time Password algorithm from RFC 4226, uses a "dynamic truncation" function to turn the 20 byte HMAC-SHA-1 value into a 31 bit string. The dynamic truncation (from Section 5.3) works like this (and is probably useless):
…
otus
4 votes, 1 answer
(How) Can we use HOTP for file encryption?
I recently went through the list of available KeePass plug-ins and noticed one that advertises support for HOTP as a means to derive the database key.
Now I trust the developer of this plug-in who is Dominik Reichl, who also signs the KeePass…
SEJPM
4 votes, 1 answer
Is it wise to use HOTP (raw bytes) as a key for HMAC?
Assume I have client and server applications with a shared master secret KEY_SECRET already in place. Also assume that the client and server have an implicit shared counter CTR initialized on the same value.
Is it wise to sign the data sent from the…
Petr Dvořák
4 votes, 2 answers
How is de-synchronisation of HOTP solved?
From RFC 4226 I understand how HOTP generates one-time passwords by incrementing a counter and uses the 'look-ahead' window to try to resynchronise (from this counter), if the user tries a few wrong passwords.
Say the user leaves their token with…
Jim
4 votes, 0 answers
How to migrate SafeNet MobilePASS seed to another TOTP app?
Based on How does SafeNet MobilePASS generate passwords?, I'm not sure if the MobilePASS token can be extracted for use in another TOTP app such as andOTP or KeePassXC. (I guess it depends whether the MobilePASS algorithm is a standard one.) Is this…
l0b0
3 votes, 1 answer
Can future time-based keys be deduced from a previous key?
If a time-based key generated by an authenticator app like Google Authenticator is compromised, can future keys be deduced from the compromised key?
Oscar
3 votes, 3 answers
Security concern with TOTP
I am pretty new to cryptography and I have been studying up on TOTP (Time Based OTP) and while I have learnt how the computation works, I'm unable to figure out why using TOTP makes a system more secure.
Here's what I have understood. TOTP is used…
Arvind Sasikumar
2 votes, 1 answer
Security Considerations in using SHA-1 for One Time Passwords
SHA-1 is considered broken. That's why I'm assuming that using SHA-1 for RFC2289 OTPs is broken as well. Is this assumption correct?
Going further with this assumption using SHA-1 for RFC4226 HOTPs should be broken too, is it? Although this blog…
Fandi
2 votes, 1 answer
What time is used in a TOTP counter?
I am currently working on a desktop TOTP client.
From the TOTP spec at https://www.rfc-editor.org/rfc/rfc6238#section-4.1, the 6 digit OTP is generated from counter (in this case time).
But what is "time"? The spec says that the time is in the…
M4X_