1

I have written code to generate a 6-digit HOTP value every time a function is called. I created this since I want to learn how I can create something by reading a document and experimenting with it. I used the RFC4226 document as my requirements to achieve my task of generating an OTP based on input, counter, output size and the HMAC-SHA-1 algorithm.

The code works and it returns a 6-digit OTP every time the counter is increased. But the problem I do not understand is that I tested my code with the test parameters provided on page 31 of the RFC4226 document (link I provided in the paragraph above). The values I get are not the same as in that document, but I think I have followed everything mentioned in the document because I cannot seem to find where my mistake is. I know there are libraries to generate HOTP values but I wanted to experiment and learn how to build them myself.

It would be really helpful if anyone can help me on this and let me know what I need to do or where I am going wrong.

Blueman7

1 Answer

3

For `byte_counter` the following must apply:

```python
byte_counter = i.to_bytes(8, byteorder='big')
```

so that the values in Appendix D can be reproduced.


Note that your implementation is not feature complete compared to the reference implementation in Appendix C (but perhaps a 1:1 port is not intended).

Topaco
  • Thank you so much for correcting my mistake. I was scratching my head so hard. Yes, it is intentional that I did not completely implement the reference. Once again, thank you so much. Have a great week ahead! ;) – Blueman7 Aug 21 '22 at 15:44
  • Hello, I have a question. Why did you choose 8 as the byte length in your solution? I thought that using 64 bytes would prevent integer overflow if the counter value reached large amounts. – Blueman7 Aug 22 '22 at 05:55
  • @Blueman7 - First of all, this corresponds to the reference implementation: `byte[] text = new byte[8]` in [`generateOTP()`](https://www.rfc-editor.org/rfc/rfc4226.html#page-30). Furthermore, 8 bytes (=64 bits) allow sufficiently large counters: 2^64 is about 1.85 * 10^19. What you mean by *integer overflow* is not clear to me. This I would rather associate with `i` itself, but in Python 3 `int`s are unbound ([here](https://stackoverflow.com/a/7604981/9014097)). – Topaco Aug 22 '22 at 06:59
  • Ohh, now I get it. I was confused and thought of giving the bits as input to the to_bytes method. My bad. Thank you for clarifying it. – Blueman7 Aug 22 '22 at 08:51
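
The counter encoding discussed in this thread, as an added example that is not the asker's code or part of the answer: an HOTP function following RFC 4226 (8-byte big-endian counter, HMAC-SHA-1, dynamic truncation), checked against the Appendix D test values and against two other counter encodings. The names `hotp` and `mismatched_counters` and the `width`/`byteorder` parameters are assumptions made for this example.

```python
import hashlib
import hmac

# Test secret and expected 6-digit values for counters 0..9 (RFC 4226, Appendix D).
RFC_SECRET = b"12345678901234567890"
RFC_VECTORS = ["755224", "287082", "359152", "969429", "338314",
               "254676", "287922", "162583", "399871", "520489"]


def hotp(secret: bytes, counter: int, digits: int = 6,
         width: int = 8, byteorder: str = "big") -> str:
    """Return the HOTP value for `counter`.

    RFC 4226 fixes the counter as 8 bytes, big-endian. `width` and `byteorder`
    are hypothetical knobs that exist only to show what other encodings produce.
    """
    # to_bytes raises OverflowError if the counter is negative or does not fit.
    msg = counter.to_bytes(width, byteorder=byteorder)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def mismatched_counters(width: int = 8, byteorder: str = "big") -> list:
    """Counters 0..9 whose HOTP differs from the Appendix D value."""
    return [c for c, want in enumerate(RFC_VECTORS)
            if hotp(RFC_SECRET, c, width=width, byteorder=byteorder) != want]


if __name__ == "__main__":
    print("8 bytes, big-endian   :", mismatched_counters())
    print("8 bytes, little-endian:", mismatched_counters(byteorder="little"))
    print("64 bytes, big-endian  :", mismatched_counters(width=64))
    try:
        hotp(RFC_SECRET, 2 ** 64)
    except OverflowError as exc:
        print("counter 2**64 rejected:", exc)
```

Counter 0 encodes to the same eight zero bytes in either byte order, so a test that checks only the first vector does not catch an endianness mistake.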