sdrapkin / SecurityDriven.Inferno

:white_check_mark: .NET crypto done right. Professionally audited.
https://SecurityDriven.NET/inferno/

ValidateTOTP Leading Zero? #36

Closed indy-singh closed 4 years ago

indy-singh commented 4 years ago

Hi,

Playing around with the TOTP API, and I noticed that the Validate method call takes in an int in the second parameter:-

https://github.com/sdrapkin/SecurityDriven.Inferno/blob/554fedb6b8aeff48a51d9a6c8bccc62ab46c64ae/Otp/TOTP.cs#L87

What happens if the code has a leading zero (e.g. 094124)?

Thanks, Indy

sdrapkin commented 4 years ago

Hi Indy,

Nothing happens - an int with a leading zero is still an int. You can also take a look at the official TOTP test vectors - one of them has a leading zero: https://tools.ietf.org/html/rfc6238#appendix-B

indy-singh commented 4 years ago

Hi Stan,

Thanks for the quick answer. I should have tested this before asking the question.

In either case, for anyone else, the leading zero case does not matter:-

```csharp
using System;
using OtpNet;

// Same secret and timestamp are fed to both libraries.
const string secret = "WEX4MILJJVROFSYRDG2YTRR2OBTHIM2K";
var base32Bytes = Base32Encoding.ToBytes(secret);
var totp = new OtpNet.Totp(base32Bytes);
var dateTime = new DateTime(2020, 09, 02, 16, 43, 30, DateTimeKind.Utc);

// OtpNet takes the code as a string, leading zero included.
if (totp.VerifyTotp(dateTime, "073358", out var _, VerificationWindow.RfcSpecifiedNetworkDelay))
{
    Console.WriteLine("yes");
}

// Inferno takes the code as an int, so 073358 is passed as 73358.
if (SecurityDriven.Inferno.Otp.TOTP.ValidateTOTP(base32Bytes, 73358, () => dateTime))
{
    Console.WriteLine("yes");
}
```

Thanks, Indy
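
The leading-zero case from this thread, worked through on the RFC 6238 Appendix B vector mentioned above. This is an added example, not code from the thread or from Inferno; it uses only the .NET base class library, and `ComputeTotp` and `TryParseCode` are hypothetical helper names. It shows the same code as an int and as the zero-padded string a user sees, plus a strict parse for user-typed input placed in front of an int-based validator.

```csharp
using System;
using System.Buffers.Binary;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class TotpLeadingZeroDemo
{
    // RFC 6238 time step fed into RFC 4226 dynamic truncation (HMAC-SHA-1); result is an int.
    static int ComputeTotp(byte[] secret, long unixSeconds, int digits, int stepSeconds = 30)
    {
        Span<byte> counter = stackalloc byte[8];
        BinaryPrimitives.WriteInt64BigEndian(counter, unixSeconds / stepSeconds);
        using var hmac = new HMACSHA1(secret);
        byte[] mac = hmac.ComputeHash(counter.ToArray());
        int offset = mac[^1] & 0x0F;   // low nibble of the last byte selects the 4-byte window
        int binary = BinaryPrimitives.ReadInt32BigEndian(mac.AsSpan(offset, 4)) & 0x7FFFFFFF;
        int modulus = 1;
        for (int i = 0; i < digits; i++) modulus *= 10;
        return binary % modulus;       // a leading zero is simply a smaller number here
    }

    // Hypothetical helper: accept exactly `digits` ASCII digits, nothing else, then convert.
    // NumberStyles.None rejects signs, whitespace and separators.
    static bool TryParseCode(string input, int digits, out int code)
    {
        code = 0;
        if (input is null || input.Length != digits) return false;
        return int.TryParse(input, NumberStyles.None, CultureInfo.InvariantCulture, out code);
    }

    static void Main()
    {
        // RFC 6238 Appendix B: SHA-1 seed and the row whose 8-digit TOTP is 07081804.
        byte[] secret = Encoding.ASCII.GetBytes("12345678901234567890");
        const long time = 1111111109;
        int expected = ComputeTotp(secret, time, digits: 8);

        Console.WriteLine($"as int:       {expected}");
        Console.WriteLine($"as displayed: {expected.ToString("D8", CultureInfo.InvariantCulture)}");

        // Constructed sample inputs: the full code, the code with its zero dropped, and padded input.
        foreach (string typed in new[] { "07081804", "7081804", " 7081804" })
        {
            bool ok = TryParseCode(typed, 8, out int code) && code == expected;
            Console.WriteLine($"\"{typed}\" -> {(ok ? "accepted" : "rejected")}");
        }
    }
}
```

A plain `int.Parse` on the typed value would treat the 7-digit input as equal to the 8-digit code, which is why the length check sits in front of the int comparison.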