Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. It has been adopted as Internet Engineering Task Force standard RFC 6238 (cited site: RFC 6238 - TOTP: Time-Based One-Time Password Algorithm), is the cornerstone of the Initiative For Open Authentication (OATH), and is used in a number of two-factor authentication systems.

TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically advances in 30-second intervals, so passwords generated within the same interval from the same secret key will be equal.

In a typical two-factor authentication application, user authentication proceeds as follows: the user enters a username and password into a website or other server, generates a one-time password for the server using TOTP running locally on a smartphone or other device, and types that password into the server as well. The server then also runs TOTP to verify the entered one-time password. For this to work, the clocks of the user's device and the server need to be roughly synchronized (the server will typically accept one-time passwords whose time-counter differs by ±1 step from its own). A single secret key, to be used for all subsequent authentication sessions, must have been shared between the server and the user's device over a secure channel ahead of time. With some additional steps, the user can also authenticate the server using TOTP.

==Definition==
TOTP is based on HOTP with a timestamp replacing the incrementing counter. The current timestamp is turned into an integer time-counter (TC) by defining the start of an epoch (T0) and counting in units of a time step (TS).

For example:
:TC = (unixtime(now) − unixtime(T0)) / TS (integer division, rounding down)
:TOTP = HOTP(SecretKey, TC), where the HOTP algorithm is defined below.
:TOTP-Value = TOTP mod 10^''d'', where ''d'' is the desired number of digits of the one-time password.

Let:
*''K'' be a secret key
*''C'' be a counter
*''HMAC''(''K'', ''C'') = SHA1(''K'' ⊕ 0x5c5c... ∥ SHA1(''K'' ⊕ 0x3636... ∥ ''C'')) be an HMAC calculated with the SHA-1 cryptographic hash algorithm
*''Truncate'' be a function that selects 4 bytes from the result of the HMAC in a defined manner

Then we define
:''HOTP''(''K'', ''C'') = ''Truncate''(''HMAC''(''K'', ''C'')) & 0x7FFFFFFF

The mask sets the most significant bit to 0, to prevent the number from being interpreted as negative. This guards against different implementations of the modulo operation by processors (cited site: RFC 4226 - HOTP: An HMAC-Based One-Time Password Algorithm).

Excerpt source: Wikipedia, the free encyclopedia (article "Time-based One-time Password Algorithm").
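As an added example (not part of the original article), a Python implementation of the HOTP and TOTP definitions above, including the dynamic truncation step, the 0x7FFFFFFF mask and the ±1 time-step acceptance window described earlier; it uses the SHA-1 test secret from RFC 4226 (the ASCII string "12345678901234567890"), and the clock-skew scenario at the bottom is constructed for illustration:

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 SHA-1 test secret: the ASCII string "12345678901234567890".
RFC4226_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) & 0x7FFFFFFF, then mod 10^d."""
    # The counter C is encoded as an 8-byte big-endian integer before MACing.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte select an offset 0..15,
    # and the 4 bytes starting there are read as a big-endian integer.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Zero-pad: the result of mod 10^d may have leading zeros.
    return f"{code % (10 ** digits):0{digits}d}"


def time_counter(unix_now: int, t0: int = 0, step: int = 30) -> int:
    """TC = (unixtime(now) - unixtime(T0)) / TS, rounded down."""
    return (unix_now - t0) // step


def totp(key: bytes, unix_now: int, digits: int = 6, t0: int = 0, step: int = 30) -> str:
    """TOTP = HOTP(K, TC): the time-counter replaces the incrementing counter."""
    return hotp(key, time_counter(unix_now, t0, step), digits)


def verify_totp(key: bytes, candidate: str, unix_now: int, digits: int = 6,
                window: int = 1, t0: int = 0, step: int = 30) -> bool:
    """Server-side check tolerating clock skew of +/- `window` time steps.

    Every window position is compared in constant time so the comparison
    itself does not reveal how many digits matched.
    """
    tc = time_counter(unix_now, t0, step)
    return any(hmac.compare_digest(hotp(key, tc + delta, digits), candidate)
               for delta in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed scenario: the server's clock runs 45 s ahead of the device,
    # which is still within the +/-1 step window, so the code is accepted.
    device_time = 1_700_000_010
    code = totp(RFC4226_KEY, device_time)
    print("device code:", code)
    print("accepted by server:", verify_totp(RFC4226_KEY, code, device_time + 45))
```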