-! Copyright (C) 2018 Alexander Ilin.
+! Copyright (C) 2018, 2020 Alexander Ilin.
! See http://factorcode.org/license.txt for BSD license.
USING: byte-arrays calendar checksums checksums.sha help.markup
help.syntax kernel math strings ;
ARTICLE: "totp" "Time-Based One-Time Passwords"
"The " { $vocab-link "totp" } " vocab implements time-based one-time password generation as described in RFC 6238 (" { $url "https://tools.ietf.org/html/rfc6238" } ")."
$nl
-"The idea is that a client is able to prove its identity to a server by sumbmitting a password that is only valid for a short period of time. The password needs to be sent via a secure channel inside that time period, and client and server must have a shared secret established in advance. The TOTP protocol uses the number of whole 30-second intervals passed in Unix time as a counter value, which it authenticates with an HMAC and converts into a string of " { $link digits } ". Client and server must use the same secret key, the same hash for the HMAC, the same time reference point (not necessarily Unix time) and the same time interval length for the counter. The string of digits used as the password should be long enough to balance convenience and brute-force attack resistance. For 30-second intervals 6 or more digits are typically used."
+"The idea is that a client is able to prove its identity to a server by submitting a password that is only valid for a short period of time. The password needs to be sent via a secure channel inside that time period, and client and server must have a shared secret established in advance. The TOTP protocol uses the number of whole 30-second intervals passed in Unix time as a counter value, which it authenticates with an HMAC and converts into a string of " { $link digits } ". Client and server must use the same secret key, the same hash for the HMAC, the same time reference point (not necessarily Unix time) and the same time interval length for the counter. The string of digits used as the password should be long enough to balance convenience and brute-force attack resistance. For 30-second intervals 6 or more digits are typically used."
$nl
"Both client and server are able to generate exactly the same digits from the shared secret using their current time as the counter. Server can be programmed to accept values from the adjacent time slots, so that time drift and network delays are compensated for, though that somewhat weakens the system."
$nl
HELP: totp-hash
{ $var-description "A cryptographically secure " { $link checksum } " to be used by " { $link totp } " for the HMAC. See " { $url "https://en.wikipedia.org/wiki/HMAC" } " for more information."
$nl
-"Default value is " { $link sha-256 } "." } ;
+"Default value is " { $link sha1 } ", same as used by Google Authenticator." } ;
HELP: totp-digits
{ $var-description "The number of digits returned by " { $link totp } "."
HELP: totp
{ $values
- { "key" byte-array }
+ { "key" object }
{ "string" string }
}
-{ $description "Generate a one-time password for the " { $snippet "key" } " based on the current system time. The " { $snippet "string" } " length is " { $link totp-digits } ", and the hash used for HMAC is " { $link totp-hash } "." } ;
+{ $description "Generate a one-time password for the " { $snippet "key" } " based on the current system time. If " { $snippet "key" } " is a " { $link string } ", it is expected to contain the key data in Base 32 encoding, otherwise it should be a " { $link byte-array } ". The " { $snippet "string" } " length is " { $link totp-digits } ", and the hash used for HMAC is " { $link totp-hash } "." } ;
{ totp totp* } related-words
projects / factor.git / blobdiff