The new attacks on SHA-1 have no impact on the security of
HMAC-SHA-1. The best attack on the latter remains one needing a
sender to authenticate 2^{80} messages before an adversary can create
a forgery. Why?
HMAC is not a hash function. It is a message authentication code
(MAC) that uses a hash function internally. A MAC depends on a
secret key, while hash functions don't. What one needs to worry
about with a MAC is forgery, not collisions. HMAC was designed so
that collisions in the hash function (here SHA-1) do not yield
forgeries for HMAC.
Hi, just thought that this lib is perfect for HOTP / TOTP solutions, except for the base32 part (it currently has base64).
There are other solutions like https://github.com/emn178/hi-base32, https://github.com/LinusU/base32-encode
But do you think it would make sense to also have a Base32 encode/decode function built-in here?
Something like RFC 4648 https://datatracker.ietf.org/doc/html/rfc4648#section-6 that's compatible with apps like Google Authenticator / Microsoft Authenticator / FreeOTP.
Thank you.
Edit: sha1 might also be handy, which is the default algo on most hotp & totp use cases. As per https://datatracker.ietf.org/doc/html/rfc4226#appendix-B.2
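
The combination requested above, as an added example that is not code from this issue or from the library it is filed against: RFC 4648 section 6 Base32 encode/decode feeding RFC 4226 HOTP over HMAC-SHA-1, using Node's built-in crypto module. The names `base32Encode`, `base32Decode` and `hotp` are hypothetical, and the decoder's tolerance for lowercase, spaces and missing padding is an assumption about how secrets are typed in.

```javascript
const { createHmac } = require('node:crypto');

const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // RFC 4648 section 6

// Encode bytes to padded Base32 (hypothetical helper name).
function base32Encode(bytes) {
  let bits = 0, value = 0, out = '';
  for (const byte of bytes) {
    value = ((value << 8) | byte) & 0xfff; // at most 4 leftover bits + 8 new
    bits += 8;
    while (bits >= 5) {
      out += ALPHABET[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
  }
  if (bits > 0) out += ALPHABET[(value << (5 - bits)) & 31]; // zero-fill last group
  while (out.length % 8 !== 0) out += '=';
  return out;
}

// Decode Base32 to a Buffer. Assumption: lowercase, whitespace, dashes and
// missing '=' padding are accepted; any other character is rejected.
function base32Decode(text) {
  const clean = text.replace(/[\s-]/g, '').replace(/=+$/, '').toUpperCase();
  let bits = 0, value = 0;
  const out = [];
  for (const ch of clean) {
    const idx = ALPHABET.indexOf(ch);
    if (idx === -1) throw new Error(`invalid Base32 character: ${ch}`);
    value = ((value << 5) | idx) & 0xfff;
    bits += 5;
    if (bits >= 8) {
      out.push((value >>> (bits - 8)) & 0xff);
      bits -= 8;
    }
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then
// dynamic truncation to a 31-bit integer reduced to `digits` decimal digits.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(code % 10 ** digits).padStart(digits, '0');
}
```

The key is the decoded bytes, not the Base32 text: passing the Base32 string itself to `hotp` produces codes that never match an authenticator app.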