Time-based one-time password algorithm

from Wikipedia, the free encyclopedia

The Time-based One-Time Password algorithm (TOTP) is a method for generating time-limited one-time passwords based on the hash-based message authentication code (HMAC), which is applied as part of the authentication. It was developed by the cross-industry Initiative For Open Authentication (OATH) and published as RFC 6238 by the Internet Engineering Task Force (IETF) in July 2011.

Procedure

The method is essentially based on the keyed hash function HMAC, with which a cryptographic hash value is calculated from the secret key K agreed between the sender and recipient and the absolute time. For this purpose, the time is converted into an integer number of seconds, usually the number of seconds since January 1st, 1970, and this value is rounded down to a step size of 30 seconds. The one-time password is valid within this 30-second period. Depending on the specific implementation and configuration, the temporally adjacent intervals are also accepted. It is essential to this method that the two systems, sender and receiver, have sufficiently accurate clocks or access to precise time information, for example via the Network Time Protocol (NTP), since otherwise the authentication fails.

Various cryptographic hash functions, such as SHA-1 or the more secure functions of the SHA-2 family, such as SHA-512, can be used for the calculation. The hash value calculated in this way is truncated to a length of 31 bits, and the actual time-limited one-time password is then formed from this by reduction modulo 10^d, with d = 6 or d = 8 for six or eight digits.
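The procedure described above, carried through in code as an added example (it is not code from the article or from RFC 6238): HMAC over the 30-second time step, dynamic truncation to 31 bits, reduction modulo 10^d, plus a verification routine that also accepts the adjacent intervals. The secret used is the ASCII test key from the RFC 6238 test vectors; the window size is an assumed configuration value.

```python
import hashlib
import hmac
import struct

# Shared secret of the RFC 6238 reference test vectors (ASCII "12345678901234567890").
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    # Take 4 bytes starting at the offset and clear the top bit -> 31-bit value.
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Reduce modulo 10^d and keep leading zeros so the password always has d digits.
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, digestmod)


def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and `window` adjacent steps on either side.

    `window` is an assumed configuration value; a larger window tolerates more clock
    drift between the two systems but also lengthens the lifetime of each password.
    """
    for drift in range(-window, window + 1):
        expected = totp(key, unix_time + drift * step, step, digits)
        # Constant-time comparison to avoid leaking the expected value via timing.
        if hmac.compare_digest(expected, candidate):
            return True
    return False
```

With the RFC 6238 test secret, totp(RFC6238_TEST_SECRET, 59, digits=8) yields the published test vector 94287082.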

A disadvantage of the method is that anyone who is in possession of the secret key K, agreed once between the sender and recipient, and who has access to an accurate time can generate valid one-time passwords.

TOTP is an open standard and is free from patents. A similar and older method, which works with a counter instead of the time, is the HMAC-based One-time Password Algorithm (HOTP).

Applications

The method is one of the time-controlled password generators and is used, for example, for authentication when a user (sender) logs on to a web server (recipient), as a second factor in two-factor authentication in addition to a conventional password.

References

  1. RFC 6238: TOTP: Time-Based One-Time Password Algorithm