Re: OTP broken?

[Dieter Klünter <dieter@dkluenter.de>]

Am Sat, 7 Nov 2015 22:03:04 +0100
schrieb Michael Ströder <michael@stroeder.com>:

> Dieter Klünter wrote:
> > Am Sat, 7 Nov 2015 14:33:22 +0100
> > schrieb Michael Ströder <michael@stroeder.com>:
> > 
> >> Dieter Klünter wrote:
> >>> 6. added credentials by ldappasswd
> >>>    userPassword::
> >>> e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09
> >>
> >> I have not really tried the module myself yet but I note that the
> >> key is actually 21 bytes long (see below). Shouldn't that be 20
> >> bytes?
> >>
> >> Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
> >>>>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64')
> >> '{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA===='
> >>>>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64')
> >>>>> len(s)
> >> 21
> > 
> > The TOTP1 string is base32 encoded, not base64.
> 
> If it's sent to the Google Authenticator the base32-encoded form is
> appended to the totp:// URL. And looking at slapd-totp.c it seems
> you're also right regarding the storage format in 'userPassword':
> 
> 	/* Key is stored in base32 */
> 
> But still 17 bytes look strange to me:
> 
> Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2
> >>> import base64
> >>> base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====')
> 'hhDyDK0143256ABCD'
> >>> len(base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA===='))
> 17
> 
> What's the correct length of your shared secret?

In fact i have tested with various length. You are correct that the key
is question is of 17 bytes. 

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E