TOTP (RFC 6238)

24 / 02 / 2019

The standard TOTP protocol (Time-based One-Time Password) uses RFC 6238 to generate the so-called token used for enhanced login security.

The algorithm is well defined online at https://tools.ietf.org/html/rfc6238. Its core engine is the keyed hash authentication based on HMAC-SHA-1 (RFC 2104), and a very good implementation can be found in the cryptographic library for Arduino (including SHA and HMAC-SHA) by Peter Knight.

Lots of working apps for iOS or Android smartphones are available for free online, such as Google Authenticator, Red Hat FreeOTP and many others.

What is nice about building an Arduino-based one is the opportunity to learn in depth how the algorithm works and all the parameters that affect performance and security.

To generate the token, based on SHA-1, two parameters are needed at the very beginning:

  • a secret key 20 bytes (160 bits) long
  • a Unix time (i.e., the number of seconds elapsed since midnight UTC of January 1, 1970)

Be careful: the time must be UTC, adjusted for your time zone.

After that, following the standard's suggestion, a different 6-digit number is generated every 30 seconds.

Very important for testing the algorithm are the test vectors included in the RFC: they give input values so that the generated result can be checked against precalculated values.

A demo TOTP has been used to test the tokens generated by the code against those generated by the original Google Authenticator. This site has been used to generate the secret key: http://security-totp.appspot.com

At the end of all the debugging, here you can see complete sync between the two applications.

There are two main requirements you must take care of to have usable code:

  • Because of the heavy dependency on accurate time, an easy time adjustment procedure.
  • An easy way to set up the secret key inside the code without recompiling everything.

To reach these goals a simple serial event routine has been set up to read messages incoming from RS232 and decode them for both purposes. The first command, ADJxx, sets a new time in the Real Time Clock used with the prototype (a DS3231 module). The second command, KEYxyz, reads the key as entered manually and stores it inside the microcontroller EEPROM. The key is usually available in Base32 as a 32-character ASCII string (see the demo site), so just get it and paste it inside the RS232 command as described in the terminal window below.
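Before porting the algorithm to the microcontroller it helps to have a reference implementation that can be checked against the RFC test vectors mentioned above and that accepts the 32-character Base32 key the apps and the demo site hand out. The following is an added example in plain Python, not the post's Arduino code and not Peter Knight's library: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA-1, decodes a Base32 key, runs the RFC 6238 Appendix B vectors (which use the ASCII secret "12345678901234567890"), and shows the check a verifier would do, with a small tolerance window for the clock drift the post warns about. The Base32 key string in the demo is simply that RFC secret re-encoded and is used here as a constructed sample, not as a real key.

```python
# Added example (not the post's Arduino code): reference TOTP/HOTP in Python,
# following RFC 4226 / RFC 6238, usable to cross-check a microcontroller port.
import base64
import hashlib
import hmac
import struct
import time

# 20-byte (160-bit) shared secret used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)              # counter as 8 bytes, big-endian
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the UTC Unix time.
    unix_time must already be UTC; a local-time value shifts the counter."""
    return hotp(secret, (unix_time - t0) // step, digits)


def decode_base32_key(key: str) -> bytes:
    """Turn the Base32 string shown by authenticator apps / the demo site into
    the raw key bytes. Spaces, dashes and lowercase are tolerated, and the
    '=' padding that apps usually omit is restored before decoding."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Verifier-side check: accept the code for the current step and up to
    `window` steps on either side, tolerating small clock drift between the
    token and the verifier. Every candidate is compared in constant time and
    the loop never exits early, so timing does not reveal which step matched."""
    current = (unix_time // step)
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, current + delta, digits)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def check_rfc6238_vectors() -> bool:
    """Run the SHA-1 test vectors from RFC 6238 Appendix B (8-digit codes)."""
    vectors = {
        59: "94287082",
        1111111109: "07081804",
        1111111111: "14050471",
        1234567890: "89005924",
        2000000000: "69279037",
        20000000000: "65353130",
    }
    return all(totp(RFC_TEST_SECRET, t, digits=8) == code for t, code in vectors.items())


if __name__ == "__main__":
    print("RFC 6238 vectors pass:", check_rfc6238_vectors())
    # Constructed sample key in the 32-character Base32 form the post describes
    # (it is the RFC test secret re-encoded, not a real key).
    key = decode_base32_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())                         # time.time() is already UTC-based
    print("current 6-digit code:", totp(key, now),
          "- valid for", 30 - now % 30, "more seconds")
```

The 6-digit codes of the post are just the last six digits of the RFC's 8-digit vectors (time 59 gives 94287082, so a 6-digit token shows 287082), which makes the vectors directly usable for the Arduino build as well. The `window` parameter in `verify_totp` is the verifier's answer to the time-accuracy requirement: a token whose RTC is a few seconds off still validates, while a token drifted by a whole step or more is rejected until its time is adjusted.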

RS232-connected terminal window

Only for debugging, the key stored inside the EEPROM is read back when the program starts up.

The UTC offset is adjusted in software for now and should be written inside the EEPROM too.

The next step will be to set up a 3D-printed case to hold the hardware token, and maybe some way to power it up.

@2019 - qrpfun.it / g.r.