
I'm trying to understand how Google Authenticator's counter-based mode works. I have tried googling around to find a demo or at least an explanation of how this works. I understand it's a one-time password, but not like TOTP. I am already working on TOTP, but I'm having terrible issues with time sync, because I'm working on an offline PC. The Windows time drifts: every 2 days or so the clock shifts two or three seconds ahead.

Anyway, I am looking for PHP code for counter-based HOTP. I have found one or two examples, but they have so many missing files.

Please, I would like to find a tutorial about that in PHP, or at least a basic idea to start with. BTW, I found this: http://www.ietf.org/rfc/rfc4226.txt.

Alihamra

2 Answers


TOTP is indeed a time-based variant of HOTP. In both cases, the sequence of possible passwords is derived from a secret key, and a "changing value". With TOTP, the "changing value" is the current time, which both ends of the protocol supposedly know (current time is public knowledge). In HOTP, the "changing value" is a counter, which is incremented after usage. Both parties (client and server) remember the last used counter value.

If the client and server become desynchronized (e.g. the client sent a password and incremented its counter, but a network issue killed the connection and the server never received it), then there is a process for resynchronization: upon receiving a password, the server compares it not with the next password (according to its counter), but with the next 100 or so passwords, thus allowing for a counter desynchronization of 100 or so.

This mechanism is well suited to car keys, which:

  • Do not have a common source of time (no clock in the key).
  • Need to work with a unidirectional communication (from key to car, not the other way round).
  • Have a "manual resynchronization" if they got badly out of sync (your 3-year-old nephew played with the key for an entire afternoon, getting the key counter way beyond the car counter, even with the +100 offset; you can no longer open the car remotely; but when you ignite the engine, the car and the key communicate through short-range RF to reset the counters).

As for code, a simple Google request on "hotp php" points to this and that.

Thomas Pornin

I don't have PHP code for you, but here is a project I used when porting this to one of my company's legacy systems, because there were no direct ports I could reference. It's in C# and you can probably use it as pseudocode. I was able to run the C# project on my machine and add breakpoints to make sure my program had the same output at each phase of the process. The results are compatible with Google Authenticator. GoogleAuthCSharp

Here's how it works at a high level:

  1. Get the current unix timecode, split into 30 second increments. Reverse the order of the bits.
  2. Get/generate a unique key to this user using a PRNG.
  3. Generate a SHA1-HMAC using the reversed timestamp and the user key as the inputs.
  4. Grab 4 specific bits from the HMAC. These are each individually processed using bitwise "AND"s and shifts.
  5. Do a bitwise "OR" on these 4 elements together. This generates a big integer result.
  6. Do a modular division of this long integer using 1000000. This results in the 6-digit TOTP.

See the MainWindow.xaml.cs file for the actual code.

md_1976
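Since the question asks for PHP and neither answer includes any, here is an added example (not code from the question, from either answer, or from the GoogleAuthCSharp project) that implements both things the answers describe: RFC 4226 HOTP with the server-side look-ahead window from Thomas Pornin's answer, and TOTP as the same function with `floor(time / 30)` as the counter, which is the six-step procedure in md_1976's answer. The function names, the window size of 100 and the `expect()` helper are my own choices; the secret and expected codes are the published RFC 4226 Appendix D and RFC 6238 Appendix B test vectors. Note that step 1's "reverse the order of the bits" is the byte-order step: HOTP needs the 8-byte counter big-endian, which `pack('J', ...)` produces directly in PHP.

```php
<?php
// Added example, not from the original page: HOTP (RFC 4226), TOTP (RFC 6238)
// and HOTP verification with a look-ahead window, in plain PHP (>= 7.1).

// RFC 4226 section 5.3: HMAC-SHA1 over the 8-byte big-endian counter,
// then "dynamic truncation" to a 31-bit integer, then modulo 10^digits.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg  = pack('J', $counter);                       // 64-bit big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);    // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0f;                   // low nibble of last byte
    $code = ((ord($hmac[$offset])     & 0x7f) << 24)   // mask sign bit
          | ((ord($hmac[$offset + 1]) & 0xff) << 16)
          | ((ord($hmac[$offset + 2]) & 0xff) << 8)
          |  (ord($hmac[$offset + 3]) & 0xff);
    $otp = $code % (10 ** $digits);
    return str_pad((string) $otp, $digits, '0', STR_PAD_LEFT);
}

// RFC 6238: TOTP is HOTP with counter = floor(unixTime / step).
function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

// Server-side HOTP check with a look-ahead window (the "next 100 or so passwords").
// Returns the new counter to persist on success, or null if no counter in the
// window matched. hash_equals() keeps the comparison constant-time.
function verify_hotp(string $secret, string $submitted, int $serverCounter, int $window = 100): ?int
{
    for ($c = $serverCounter; $c < $serverCounter + $window; $c++) {
        if (hash_equals(hotp($secret, $c), $submitted)) {
            return $c + 1;   // store this: the matched counter must never be accepted again
        }
    }
    return null;
}

// Small self-check helper (my own; not part of any library).
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// RFC 4226 Appendix D test vectors, secret "12345678901234567890", counters 0..9.
$secret   = '12345678901234567890';
$expected = ['755224', '287082', '359152', '969429', '338314',
             '254676', '287922', '162583', '399871', '520489'];
foreach ($expected as $counter => $want) {
    expect(hotp($secret, $counter) === $want, "HOTP counter $counter");
}

// Desynchronization: the token was pressed 5 times without the server seeing
// any of them, so the token is at counter 5 while the server is still at 0.
$next = verify_hotp($secret, hotp($secret, 5), 0);
expect($next === 6, 'look-ahead resync lands on counter 6');

// Replaying that same code after the server advanced must fail.
expect(verify_hotp($secret, hotp($secret, 5), $next) === null, 'replay rejected');

// RFC 6238 Appendix B, SHA1, 8 digits, time 59 s -> counter 1 -> "94287082".
expect(totp($secret, 59, 30, 8) === '94287082', 'TOTP RFC 6238 vector');

echo "HOTP/TOTP test vectors pass\n";
```

Run with `php hotp.php`. Two design points are easy to get wrong: the counter must be big-endian (step 1 of the C# description), and on a successful match the server must store the matched counter plus one, so that the same code can never be accepted twice, which is what makes HOTP "one-time" even though the server scans a window. For the asker's offline PC, HOTP sidesteps the clock drift entirely because nothing in the computation depends on the time.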