
Re: OTP broken?



Dieter Klünter wrote:
> Am Sat, 7 Nov 2015 14:33:22 +0100
> schrieb Michael Ströder <michael@stroeder.com>:
> 
>> Dieter Klünter wrote:
>>> 6. added credentials by ldappasswd
>>>    userPassword::
>>> e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
>>
>> I have not really tried the module myself yet but I note that the key
>> is actually 21 bytes long (see below). Shouldn't that be 20 bytes?
>>
>> Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
>>>>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
>> '{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
>>>>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
>>>>> len(s)
>> 21
> 
> The TOTP1 string is base32 encoded, not base64.

If it's sent to the Google Authenticator the base32-encoded form is appended
to the totp:// URL. And looking at slapd-totp.c it seems you're also right
regarding the storage format in 'userPassword':

	/* Key is stored in base32 */

But still 17 bytes look strange to me:

Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
>>> import base64
>>> base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====')
'hhDyDK0143256ABCD'
>>> len(base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA===='))
17

What's the correct length of your shared secret?

Ciao, Michael.
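An added example (Python 3; not code from this thread or from slapd-totp.c) that walks the two encodings under discussion: the outer base64 that LDIF applies to any `userPassword::` value, then the base32 key that follows the `{TOTP1}` scheme marker, and finally an RFC 4226/6238 code computed from the decoded key. The LDIF value is the one quoted above; the parsing helper and its names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# The 'userPassword::' line from the thread: '::' in LDIF means the whole value
# is base64; the decoded value is '{TOTP1}' plus a base32 (not base64) key.
LDIF_VALUE = "e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09"


def parse_totp1_userpassword(ldif_b64):
    """Return (scheme, raw_secret_bytes) from a base64 LDIF userPassword value.

    Only the LDIF wrapper is base64; decoding the key after '{TOTP1}' with
    base64 instead of base32 gives a meaningless 21-byte string, as seen above.
    """
    value = base64.b64decode(ldif_b64).decode("ascii")
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no {SCHEME} prefix in userPassword value")
    scheme, key_b32 = value[1:].split("}", 1)
    if scheme != "TOTP1":
        raise ValueError("unexpected password scheme: %s" % scheme)
    return scheme, base64.b32decode(key_b32, casefold=True)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


if __name__ == "__main__":
    scheme, secret = parse_totp1_userpassword(LDIF_VALUE)
    print(scheme, len(secret), secret)   # the 17-byte key from the thread
    print(totp(secret, time.time()))     # current 6-digit code for that key
```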
