Google Authenticator implementation in Perl

Question

I am looking for a simple Perl implementation that verifies a Google authenticator token that has been created using a server side secret. For instance,

The following Google URL allows you to encode a server secret in base32 format (in the below case the secret is e4ytonjeim4hcsrhja5fe5kqfu) as a QR code that can be read from Google authenticator app (see image below):
https://chart.googleapis.com/chart?cht=qr&chs=100x100&chl=otpauth%3A%2F%2Ftotp%2Fmysite%3A29%3Fsecret%3De4ytonjeim4hcsrhja5fe5kqfu%26issuer%3Dmysite

Once the QR code is scanned into the authenticator app it produces tokens like: 716340. How do I verify the correctness of the token?

This question is the Perl equivalent of this Python question: Google Authenticator implementation in Python

It is not an equivalent question. OP on the other question provided code, and asked an on-topic question about it. This question is off topic, you are asking for either a complete solution (with not even an attempt to translate the Python code) or an external resource. Please consider having an attempt and explaining where you are stuck — Neil Slater, Aug 27 '14 at 18:15
Fair enough. If I come up with a complete solution first, I'll definitely post it, but I was asking because someone else may have already jumped through this hoop. I think an answer (even if I'm asking for a complete answer) would be a very useful resource for other people on StackOverflow. I'm also not a Python user, so would probably waste a decent amount of time trying to figure out the syntax (which I might eventually do) when someone else might be able to figure it out immediately. — Vijay Boyapati, Aug 27 '14 at 18:58

score 8 · Answer 1 · answered Sep 12 '14 at 04:27

Here's another solution, and you can verify it matches the tokens produced in this example

use Authen::OATH;
use Convert::Base32;
my $oath = Authen::OATH->new();
my $secret = "JBSWY3DPEHPK3PXP";
my $otp = $oath->totp(  decode_base32( $secret ) );
print $otp."\n";

score 6 · Accepted Answer · edited May 23 '17 at 12:34

Ok it took a little while but I've got a Perl solution (hopefully this makes up for the slightly lazy question :) Thanks to Borodin for his help with this (Taking the SHA1 HMAC of hex strings in Perl)

#!/usr/bin/perl -w

use strict;
use warnings;

use Convert::Base32;
use Digest::HMAC_SHA1 qw/ hmac_sha1_hex /;

my $base_32_secret = "JBSWY3DPEHPK3PXP";
print "".totp_token($base_32_secret)."\n";

sub totp_token {
    my $secret = shift;

    my $key = unpack("H*", decode_base32($secret));
    my $lpad_time = sprintf("%016x", int(time()/30));
    my $hmac = hmac_sha1_hex_string($lpad_time, $key);

    my $offset = sprintf("%d", hex(substr($hmac, -1)));

    my $part1 = 0 + sprintf("%d", hex(substr($hmac, $offset*2, 8)));
    my $part2 = 0 + sprintf("%d", hex("7fffffff"));

    my $token = substr("".($part1 & $part2), -6);
    return $token;
}

sub  hmac_sha1_hex_string {
   my ($data, $key) = map pack('H*', $_), @_;
   hmac_sha1_hex($data, $key);
}

Oesor · Answer 3 · 2014-08-27T20:32:19.493

3

Would Auth::GoogleAuthenticator work for your purposes?

Edit: sure it does; this validates the OTP as generated by the JS. When the counter isn't timely anymore it returns a empty string; i.e. false. And using the URL results in the app being synced to the JS:

use Data::Printer;
use Auth::GoogleAuthenticator;

my $auth = Auth::GoogleAuthenticator->new(secret_base32 => q/e4ytonjeim4hcsrhja5fe5kqfu/);
say $auth->registration_url;
p($auth->verify('252499'));

Output:

otpauth://totp/?secret=e4ytonjeim4hcsrhja5fe5kqfu
1

edited Aug 27 '14 at 20:32

answered Aug 27 '14 at 19:07

Oesor

6,632
2
29
56

This doesn't look like it works. I used the secret on this javascript oauth example: http://blog.tinisles.com/2011/10/google-authenticator-one-time-password-algorithm-in-javascript/ in Google authenticator and they both produce the same tokens. However, when I use the same secret with Auth::GoogleAuthenticator it doesn't produce matching tokens – Vijay Boyapati Aug 27 '14 at 19:40

Gray · Answer 4 · 2018-06-24T14:28:07.977

For posterity, I took the script from @Vijay's answer (thanks dude), simplified the algorithm a bit, added docs from TOTP definition, and added some sample code.

The number generation code I whittled down to which is just a simplification of @Vijay's answer:

use Digest::HMAC_SHA1 qw/ hmac_sha1_hex /;

my $paddedTime = sprintf("%016x", int(time() / $TIME_STEP));
my $data = pack('H*', $paddedTime);
my $key = decode_base32($secret);

# encrypt the data with the key and return the SHA1 of it in hex
my $hmac = hmac_sha1_hex($data, $key);

# take the 4 least significant bits (1 hex char) from the encrypted string as an offset
my $offset = hex(substr($hmac, -1));
# take the 4 bytes (8 hex chars) at the offset (* 2 for hex), and drop the high bit
my $encrypted = hex(substr($hmac, $offset * 2, 8)) & 0x7fffffff;

# the token is then the last 6 digits in the number
my $token = $encrypted % 1000000;
# make sure it is 0 prefixed
return sprintf("%06d", $token);

The full TOTP 2 Factor Auth Perl script can be downloaded from Github.

Google Authenticator implementation in Perl

4 Answers4

Linked