Triplesec / DIRTSEC-4

Offset value set to 0 when extracting DBC from hmac-sha1 output

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      JavaME mobile phone platform and validation server.

      Description

      Hotp.java class implements RFC4226 "HOTP: An HMAC-Based One-Time Password Algorithm".
      In that class,

      hotp.generate(secret, counter, digits) uses
      int offset = 0;

      Section 5.4 from RFC
      "The following code example describes the extraction of a dynamic
      binary code given that hmac_result is a byte array with the HMAC-SHA-1 result:

      int offset = hmac_result[19] & 0xf ;
      int bin_code = (hmac_result[offset] & 0x7f) << 24
          | (hmac_result[offset+1] & 0xff) << 16
          | (hmac_result[offset+2] & 0xff) << 8
          | (hmac_result[offset+3] & 0xff) ;
      "

      that is, the offset is the least significant nibble from the last byte of
      hotp.stepOne() output (the 20 bytes from hmac-sha1(k,c))

      Solved by setting offset to this value

      int offset = hmac_result[19] & 0xf;

      1. DIRTSEC-4-1.patch
        0.6 kB
        javier tellez

        Activity

        Alex Karasulu added a comment -

        Javier, could you supply a patch as an attachment ... I will review and apply it. Furthermore, if you are interested in working on Tsec, then please continue contributing to become a committer. We could use a few good developers on this front.

        javier tellez added a comment -

        First byte of binary (Binary Dynamic Code) should point to byte hash[19]&0x0f

        triplesec/otp/src/main/java/org/safehaus/otp/Hotp.java


          People

          • Assignee: Unassigned
          • Reporter: javier tellez
          • Votes: 0
          • Watchers: 1
