I understand that HOTP can be used to create numerical One Time Passwords. The algorithm behind being:
K be a secret key
C be a counter
HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) with ⊕ as XOR, ∥ as concatenation, (C is the message)
Truncate be a function that selects 4 bytes from the result of the HMAC in a defined manner.
Then HOTP(K,C) is mathematically defined by:
HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
I have used the following example implementation for my tests and it works fine:
My question is that is it possible to generate an alphanumeric OTP using HOTP instead of numeric. The advantage obviously being that the strength of OTP increases manyfold for a given length. So a 8 digit alphanumeric code is far stringer than an eight-digit numeric code.
Of course, you can do whatever you want after the HMAC(K,C). You can map it to HEX or to alphanumeric.
But then you would also have to create your own OTP token - either a hardware token or a smartphone app. This is the great thing about standards, that you do not have to create your own! ;-)
Alphanumeric has a tricky base, base 62. If you allow two more characters then you can just use base 64 (replacing the
/ with any value you prefer).
Otherwise, just look up a Base N encoding library, such as this one for Java (didn't try it, cannot comment on correctness or performance).
This won't influence the security as there is a 1:1 relation between the generated HOTP bits and the given representation. In other words, the different base representation and alphabet are just a different view on the same bit values.
User contributions licensed under CC BY-SA 3.0