Discuss this help topic in SecureBlackbox Forum

Use OTP client and server

One-Time Password (OTP) is a password that is valid for only one session or transaction. OTPs were designed to overcome the weaknesses of traditional static passwords such as, e.g., vulnerability to replay attacks. SecureBlackbox implements support for HMAC-Based One-Time Password (HOTP) and Time-Based One-Time Password Algorithms (TOTP), as described in the corresponding Requests For Comments: RFC 4226 and RFC 6238.

Difference between HOTP and TOTP

The first algorithm (HOTP) generates the one-time password basing on the value of the specific counter synchronized between client and server. The TOTP uses the generation time moment to produce a unique password. In addition, TOTP can use different hash algorithms: HMAC-SHA-1, HMAC-SHA-256, and HMAC-SHA-512. The HOTP and TOTP functionality in SecureBlackbox is implemented in the following components: TElHOTPClient, TElHOTPServer, TElTOTPClient, and TElTOTPServer.

Generation of One-Time Password

One-time passwords generation in SecureBlackbox is performed by TElHOTPClient and TElHOTPClient components. It is based on a secred shared between client and server. The secret key is specified by the KeySecret property; you may also pass it as a parameter to the constructor of the corresponding class: TElHOTPClient or TElHOTPClient. The length of the generated passwords is controlled by the PasswordLen property.

To generate HMAC-Based One-Time Password, call GetPassword method of your HOTP client. This call requires passing of only one parameter: the value of the counter.

To generate Time-Based One-Time Password, call GetPassword method of your TOTP client, and pass the time for which the password is needed. The time should be specified in UTC. The password is valid during time interval specified by TimeInterval, 30 seconds by default. In addition, you can change the hash algorithm used for password generation by modifying the HashAlgorithm property.

Validation of One-Time Password

The validity of one-time passwords is checked by TElHOTPServer and TElTOTPServer components.

To check HMAC-Based One-Time Password, pass user identifier and password to the TElHOTPServer.IsPasswordValid method.

To check Time-Based One-Time Password, use TElTOTPServer.IsPasswordValid. In addition to user identifier and password you can also specify password generation time.

Possible asynchronicity of the HOTP/TOTP client and server counters and clocks can be overcome by setting the TElOTPServer.Delta property.

Managing users of the OTP servers

User data on an OTP server is stored in OTPUserStorage. Various methods and properties of TElOTPUserStorage class allow to change and update user info. Its LoadFromStream and SaveToStream methods allow to load and save the data to the stream.

In a stream, user info is represented by simple XML, e.g.:

<USER Type="HOTPUser">
	<COUNTER>{Counter value}</COUNTER>
for TElHOTPUser, and
<USER Type="TOTPUser">
	<TIMEINTERVAL>{Password validity interval}</TIMEINTERVAL>
	<HASHALGORITHM>{Password hash function}</HASHALGORITHM>
for TElTOTPUser.

How To articles about OTP (One-Time Password)

Discuss this help topic in SecureBlackbox Forum