
I'm making an application that has two-factor authentication. We want to use OATH HOTP with SHA1 encryption and 6 digits.

We were unable to verify the data on a local server. We have been reviewing the standard and we suspect that Yubico adds something extra to the encryption key, because not even looping over the counter has returned the same code using the same base32 key.

Does anyone know how this can be done? The Yubico SDK does not have, or we could not find, an option to verify, and nothing is said on the web about how to verify this data other than by using the standard. But the standard doesn't return the same value. For example:

Key: 67OD2HZEXPRZIUPKO2UXIMMGT5VS56QS
Algorithm: SHA1
Counter: 100
Digits: 6
Result: 866325

To calculate HOTP I have used OtpNet and also a code that I have made in VB.NET reading the standard. Both return the same result but Yubico does not.

I leave the class here:

Imports System.Security.Cryptography

Public Class YubiKeyHOTPValidator
    ' Decode the base32 secret with the Base32 helper from the Yubico .NET SDK (Yubico.Core).
    Private Shared Function Base32Decode(input As String) As Byte()
        Dim base32 As New Yubico.Core.Buffers.Base32
        Return base32.Decode(input)
    End Function

    ' Overload taking the secret as base32 text, as shown by authenticator apps.
    Shared Function GenerateHOTP(yubiKeySecretBase32 As String, counter As Long, digits As Integer) As Integer
        Return GenerateHOTP(Base32Decode(yubiKeySecretBase32.ToUpper()), counter, digits)
    End Function

    ' RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, then Mod 10^digits.
    ' Note: the Integer result drops leading zeros; format with .ToString("D6") when comparing as text.
    Shared Function GenerateHOTP(yubiKeySecret As Byte(), counter As Long, digits As Integer) As Integer
        ' 10 ^ digits is a Double in VB.NET; convert explicitly so the code also compiles with Option Strict On.
        Dim modValue As Integer = CInt(Math.Pow(10, digits))
        Dim counterBytes As Byte() = BitConverter.GetBytes(counter)

        ' The standard requires the counter in big-endian byte order.
        If BitConverter.IsLittleEndian Then Array.Reverse(counterBytes)

        Using hmac As New HMACSHA1(yubiKeySecret)
            Dim hash As Byte() = hmac.ComputeHash(counterBytes)
            ' Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
            Dim offset As Integer = hash(hash.Length - 1) And &HF
            Dim truncatedHash As Integer = (
                (hash(offset) And &H7F) << 24 Or
                (hash(offset + 1) And &HFF) << 16 Or
                (hash(offset + 2) And &HFF) << 8 Or
                (hash(offset + 3) And &HFF)
            )

            Return truncatedHash Mod modValue
        End Using
    End Function
End Class

For the value 100 the result is 242045, and for 101 it is 491971, according to the standard. Thank you very much; hopefully someone can point me in the right direction.

Byte Ninja
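A reference RFC 4226 HOTP verifier, added here as an example rather than code from the question or from the Yubico SDK. It checks the implementation against the test vectors published in the RFC (which any correct implementation must reproduce), decodes the 20-byte base32 key quoted above, and includes the look-ahead search a server uses to resynchronise with a token whose counter has moved ahead; the window size and the `find_counter` helper are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

# Secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"
# Base32 key quoted in the question; decodes to 20 bytes.
QUESTION_KEY_B32 = "67OD2HZEXPRZIUPKO2UXIMMGT5VS56QS"


def base32_decode(text: str) -> bytes:
    """Decode a base32 secret as shown by authenticator apps (case-insensitive, padding optional)."""
    text = text.strip().upper().replace(" ", "")
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    # zfill keeps leading zeros; returning an int (as the VB.NET class does) would drop them.
    return str(code % 10**digits).zfill(digits)


def find_counter(secret: bytes, code: str, start: int, window: int, digits: int = 6):
    """Server-side resync (assumed helper): look ahead `window` counters from `start` for `code`.
    Returns the matching counter, or None if the code is not in the window."""
    for c in range(start, start + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    for c in range(3):
        print(f"RFC vector counter={c}: {hotp(RFC4226_SECRET, c)}")
    key = base32_decode(QUESTION_KEY_B32)
    print(f"question key is {len(key)} bytes; HOTP(100) = {hotp(key, 100)}")
    print("counter for 520489 in window:", find_counter(RFC4226_SECRET, "520489", 0, 20))
```

Running it prints the RFC vectors 755224, 287082 and 359152 for counters 0 to 2; if the value for the question's key matches what the standard gives, the discrepancy lies in how the key or counter was programmed into the device, not in the HOTP arithmetic.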

0 Answers