5

I've never learned about JavaScript and network security before, but lately I've taken on a programming challenge where I have to send my project link via an HTTP POST request, and I have to figure out the password. The authentication uses TOTP with HMAC-SHA-512 as the hashing function with a given secret key. For the past few days I've been trying to understand what it is all about, like TOTP, HOTP, HMAC etc., and I get the idea that I have to convert the secret key according to the algorithm, is that it? But the algorithm is very new to me and I'm confused about what I should do to generate the password. Could anyone help me, or at least explain to me what I should do?

gilang

1 Answer

4

There is a nice RFC describing TOTP: RFC 6238, which also mentions the usage of SHA-512. I did this in my implementation of an OTP token in JavaScript. But even the RFC has code examples in Java (same as FreeOTP).

The algorithm is basically the same for all hashes. The basic idea is to take the time (rounded down to a 30-second boundary by default) and generate the HOTP of this value (instead of the counter for HOTP).

HOTP later is basically HMAC with the secret encoded in hexadecimal and with the counter (from above -- the time for TOTP) padded to a specific number of digits. From the resulting hash, you take only a specific part according to the RFC.

For playing around, there are several web applications/jsfiddles that can generate the TOTP for you on the fly, but they are certainly not for real-world usage.

Jakuje
  • +1 for summing up and pointing to the RFC, which I think is very well written and easy to understand! – cornelinux Mar 18 '16 at 06:11
  • Thank you very much sir! I have read the RFC, it's very clear indeed, even with the code to generate the code, so just now I tried to compile it online, but the compiler got 1 error, it says "error: class TOTP is public, should be declared in a file named TOTP.java". I guess I couldn't compile it online because I don't have the TOTP.java file? And I have one more question: in the RFC it says "The test token shared secret uses the ASCII string value "12345678901234567890"." but I can't find in the code where the ASCII string value was input, because I want to change it to my own ASCII string – gilang Mar 18 '16 at 18:04
  • So sorry if I'm being so burdensome, I know it's very clear but I didn't have a clue about Java or JavaScript programming before, thank you sir – gilang Mar 18 '16 at 18:06
  • The secret in the code is the "String seed", but it is in hexadecimal, as I described in the post. – Jakuje Mar 18 '16 at 18:07