
Assume we chose to change the secret key in HMAC generation for TOTP every second.

  • How can we authenticate to such a scheme, assuming a 32-byte key is randomly generated by passing POSIX time to srand() for seeding and calling rand() 8 consecutive times?
  • What is the validity duration of each OTP?
Newbie

1 Answer


The security scheme of TOTP states that the secret is a long-term shared secret. The scheme doesn't make any assumption about validity of tokens in cases which are simply not foreseen by the specification. So you are asking for something which is completely outside the scope of what the TOTP concept addresses.
It's like asking "if ink on paper were invisible, how would we read?" and the answer is: ink is not invisible, for a very good purpose.
Maybe you want to ask something different like "how can we make this more secure by changing the long-term shared secret to something more dynamic". If so, please rephrase the question.

kaidentity
  • So basically TOTP is extracted from the HMAC of a static key + time steps since epoch. True? I'll rephrase the question now. – Newbie Oct 19 '16 at 10:29
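To make the point of the answer and the follow-up comment concrete, here is an added example (not code from the question or the answer) of standard RFC 6238 TOTP: the code is an HMAC over a fixed, long-term shared key and the number of 30-second steps since the Unix epoch, so its validity is whatever remains of the current step, not one second. The per-second srand()/rand() key from the question is deliberately not modelled; the key and time values used below are the published test vectors from RFC 6238 Appendix B, and the 30-second step, SHA-1 digest and one-step skew window are the assumed defaults.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_time: int, step: int = 30) -> int:
    """Number of whole time steps since the Unix epoch (the TOTP counter)."""
    return unix_time // step


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step.

    The key is the long-term shared secret; only the counter changes over time.
    """
    return hotp(key, time_step(unix_time, step), digits, digestmod)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """How many seconds the code computed at unix_time stays the current code."""
    return step - (unix_time % step)


def verify(key: bytes, candidate: str, unix_time: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Verifier side: accept the candidate for the current step or +/- `window`
    neighbouring steps (clock skew), comparing in constant time."""
    current = time_step(unix_time, step)
    for n in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, n, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test key (ASCII "12345678901234567890"), 8-digit codes.
    KEY = b"12345678901234567890"
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(KEY, t, digits=8), "valid for", seconds_remaining(t), "more second(s)")
```

Two things to notice when running it: every time value inside the same 30-second step yields the same code, which is what makes the scheme usable despite small clock differences, and the verifier's skew window is the only place where "validity" is decided, so widening it trades convenience for a larger set of codes accepted at any moment.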