StableLib / stablelib

A stable library of useful TypeScript/JavaScript code
https://www.stablelib.com

Thoughts on Base32? #39

Open joshxyzhimself opened 3 years ago

joshxyzhimself commented 3 years ago

Hi, just thought that this lib is perfect for HOTP / TOTP solutions, except for the base32 part (it currently has base64).

There are other solutions like https://github.com/emn178/hi-base32, https://github.com/LinusU/base32-encode

But do you think it would make sense to also have a Base32 encode/decode function built-in here?

Something like RFC 4648 https://datatracker.ietf.org/doc/html/rfc4648#section-6 that's compatible with apps like Google Authenticator / Microsoft Authenticator / FreeOTP.

Thank you.

Edit: sha1 might also be handy, which is the default algo on most hotp & totp use cases.

As per https://datatracker.ietf.org/doc/html/rfc4226#appendix-B.2

   The new attacks on SHA-1 have no impact on the security of
   HMAC-SHA-1.  The best attack on the latter remains one needing a
   sender to authenticate 2^{80} messages before an adversary can create
   a forgery.  Why?

   HMAC is not a hash function.  It is a message authentication code
   (MAC) that uses a hash function internally.  A MAC depends on a
   secret key, while hash functions don't.  What one needs to worry
   about with a MAC is forgery, not collisions.  HMAC was designed so
   that collisions in the hash function (here SHA-1) do not yield
   forgeries for HMAC.

dchest commented 3 years ago

Agree, base32 would be great to have. Not sure when I'll have time to implement it, though.
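
One way the RFC 4648 section 6 Base32 requested above could be implemented, as an added example: this is not StableLib code or either commenter's, and the names `base32Encode` and `base32Decode` are assumptions. The decoder also accepts unpadded or lowercase input (an assumption about how TOTP secrets get typed or pasted) and rejects non-canonical encodings.

```typescript
// Added example: RFC 4648 section 6 Base32. Hypothetical names, not StableLib's API.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

function base32Encode(data: Uint8Array, pad: boolean = true): string {
  let out = "";
  let buffer = 0; // bit accumulator
  let bits = 0;   // number of unconsumed bits in buffer
  for (let i = 0; i < data.length; i++) {
    buffer = (buffer << 8) | data[i];
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += ALPHABET.charAt((buffer >>> bits) & 31);
    }
    buffer &= (1 << bits) - 1; // drop bits already emitted
  }
  // Left-align any remaining bits in a final 5-bit group (zero-filled).
  if (bits > 0) out += ALPHABET.charAt((buffer << (5 - bits)) & 31);
  if (pad) while (out.length % 8 !== 0) out += "=";
  return out;
}

function base32Decode(text: string): Uint8Array {
  // Validate before case-folding so non-ASCII look-alikes cannot fold into
  // the alphabet. Error messages never echo the input: it may be an OTP secret.
  if (!/^[A-Za-z2-7]*=*$/.test(text)) throw new Error("invalid Base32 input");
  const s = text.replace(/=+$/, "").toUpperCase();
  const padLen = text.length - s.length;
  const rem = s.length % 8;
  // 1, 3 or 6 leftover characters can never encode a whole number of bytes.
  if (rem === 1 || rem === 3 || rem === 6) throw new Error("invalid Base32 length");
  // Padding is optional, but if present it must complete the 8-character group.
  if (padLen !== 0 && padLen !== (8 - rem) % 8) throw new Error("invalid Base32 padding");
  const out = new Uint8Array(Math.floor((s.length * 5) / 8));
  let buffer = 0, bits = 0, n = 0;
  for (let i = 0; i < s.length; i++) {
    buffer = (buffer << 5) | ALPHABET.indexOf(s.charAt(i));
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out[n++] = (buffer >>> bits) & 0xff;
      buffer &= (1 << bits) - 1;
    }
  }
  // Non-zero trailing bits mean two different strings decode to the same key.
  if (buffer !== 0) throw new Error("non-canonical Base32: trailing bits set");
  return out;
}
```

Rejecting non-zero trailing bits and malformed padding keeps the text form of a secret unique, so a stored or compared Base32 string maps to exactly one key.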