One-time passwords & the three elements of identity authentication

Reprinted from: https://www.cnblogs.com/linianhui/p/security-one-time-password.html

In the field of information security, the everyday Chinese word that is translated as "password" covers two different things: Cryptography (ciphers and the algorithms behind them) and Password (the secret string a user types). In the minds of ordinary users, and in conversations between us developers, most of the things called "passwords" are really Passwords, not passwords in the cryptographic sense. This article keeps that usage: "password" means Password, and wherever the two meanings appear together the English terms are used to tell them apart.

0. OTP one-time password

OTP is short for One Time Password. We meet one-time passwords in many everyday situations, such as logging in to an account, recovering a password, changing a password, or transferring funds. Some of the commonly used forms are:

  1. SMS + SMS verification code;
  2. Mail + mail verification code;
  3. Authenticator software + verification code, such as Microsoft Authenticator App, Google Authenticator App, etc.;
  4. Hardware + verification code: such as an electronic cipher for online banking;

In all of these scenarios the flow is the same: on top of the account + password the user already provides, the user is asked for a one-time verification code, which adds a further layer of protection. The code is normally a 6-8 digit number that can be used only once, or only within a short period (for example 5 minutes).

1. HOTP one-time password based on message authentication code

HOTP is the abbreviation of HMAC-Based One Time Password, a one-time password built on HMAC (Hash-based message authentication code). The algorithm is defined in RFC4226 ( https://tools.ietf.org/html/rfc4226 ). Its formula is HOTP(Key, Counter), which expands to Truncate(HMAC-SHA-1(Key, Counter)), where:

  1. Key: the shared secret key;
  2. Counter: a counter;
  3. HMAC-SHA-1: the HMAC function based on SHA-1, which returns the MAC value. The MAC is a 20-byte (160-bit) byte array;
  4. Truncate: a function that extracts a number from the MAC in step 3 and, following a fixed rule, reduces it to a 6-digit or 8-digit number (too many digits are inconvenient for users to type, too few are easy to guess by brute force);

C# code to implement OTP based on HMAC:

using System;
using System.Security.Cryptography;

public static string HOTP(byte[] key, byte[] counter, int length = 6)
{
    // HMAC-SHA-1 over the counter bytes, keyed with the shared secret; yields a 20-byte MAC.
    byte[] hmac;
    using (var hmacSha1 = new HMACSHA1(key))
    {
        hmac = hmacSha1.ComputeHash(counter);
    }

    // Dynamic truncation (RFC 4226, section 5.3): the low nibble of the last MAC byte
    // selects a 4-byte window inside the MAC.
    var offset = hmac[hmac.Length - 1] & 0xF;

    var b1 = (hmac[offset] & 0x7F) << 24;   // mask the sign bit so the result stays a positive int
    var b2 = (hmac[offset + 1] & 0xFF) << 16;
    var b3 = (hmac[offset + 2] & 0xFF) << 8;
    var b4 = (hmac[offset + 3] & 0xFF);

    var code = b1 | b2 | b3 | b4;

    // Keep only the last `length` decimal digits, left-padded with zeros.
    var value = code % (int)Math.Pow(10, length);

    return value.ToString().PadLeft(length, '0');
}

Call it to try:

using System.Text;

// key: the shared secret (must be kept private)
var key = Encoding.UTF8.GetBytes("lnh_key");
// counter: replaced after every use
var counter = Encoding.UTF8.GetBytes("lnh_counter");
// otp6 = 752378
var otp6 = SecurityHelper.HOTP(key, counter, 6);
// otp8 = 49752378
var otp8 = SecurityHelper.HOTP(key, counter, 8);

The key is the secret the HOTP algorithm requires (it must not be disclosed); the counter is the value that changes on every HOTP generation, each counter value being used exactly once. With both in hand the OTP can be generated: the first call truncates to 6 digits, the second to 8.

2. TOTP time-based one-time password

TOTP is the abbreviation of Time-Based One Time Password. TOTP is an algorithm that extends HOTP; the details are defined in RFC6238 ( https://tools.ietf.org/html/rfc6238 ). Its core idea is to replace the counter in HOTP with a time value T, which you can think of as derived from the current Unix timestamp. In practice a fixed time step is chosen, such as 30, 60 or 120 seconds, so the OTP computed by the TOTP algorithm stays the same for the whole of that step. Without further ado, here is the core code of the TOTP algorithm:

public static string TOTP(byte[] key, int step = 60, int length = 6)
{
    // Seconds since the Unix epoch, in UTC.
    var unixTime = (DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    // T = floor(unixTime / step): the code is constant for one whole step.
    var counter = ((long)unixTime) / step;
    // RFC 6238 feeds T to HOTP as an 8-byte big-endian value; BitConverter produces
    // host byte order, so reverse on little-endian machines to stay interoperable
    // with standard authenticator apps.
    var counterBytes = BitConverter.GetBytes(counter);
    if (BitConverter.IsLittleEndian)
    {
        Array.Reverse(counterBytes);
    }
    return HOTP(key, counterBytes, length);
}

Call it to try:

// key: the shared secret
var key = Encoding.UTF8.GetBytes("lnh_key");
// With a 10-second step, every code generated inside the same 10 seconds is identical
for (var i = 0; i < 100; i++)
{
    var otp = SecurityHelper.TOTP(key, 10, 6);
    Console.WriteLine(otp);
    Thread.Sleep(1000);
}
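The two algorithms above, as an added example that is not the author's code and not the SecurityHelper from the linked repository: a Python HOTP and TOTP written exactly as RFC 4226 and RFC 6238 specify them (8-byte big-endian counter, dynamic truncation), checked against the test vectors those RFCs publish, plus the server-side half that the generator code alone does not show. The HotpVerifier keeps a look-ahead window but only ever moves its stored counter forward, so an accepted code can never be replayed; the TotpVerifier tolerates one step of clock skew but consumes each time step at most once. Both verifier classes, their window sizes and the RFC_TEST_KEY constant are constructed for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HOTP(Key, Counter) = Truncate(HMAC-SHA-1(Key, Counter))."""
    # RFC 4226 section 5.3: the counter is serialised as an 8-byte big-endian value.
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation: the low nibble of the last MAC byte selects a 4-byte window;
    # masking the top bit keeps the 31-bit result positive.
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | (mac[offset + 1] & 0xFF) << 16
            | (mac[offset + 2] & 0xFF) << 8
            | (mac[offset + 3] & 0xFF))
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by T = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, digestmod)


class HotpVerifier:
    """Server side of HOTP (constructed example). The look-ahead window tolerates codes
    the token generated but the user never submitted; the stored counter only moves
    forward, so a code that was accepted once is rejected if it is presented again."""

    def __init__(self, key: bytes, look_ahead: int = 5, digits: int = 6):
        self.key = key
        self.look_ahead = look_ahead
        self.digits = digits
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # compare_digest avoids leaking the match position through timing.
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.counter = c + 1  # resynchronise and burn every counter up to c
                return True
        return False


class TotpVerifier:
    """Server side of TOTP (constructed example). Accepts +/- `skew` steps of clock
    drift, but each time step is consumed at most once, which is what prevents a code
    seen in transit from being reused inside its validity window."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        current = (int(time.time()) if now is None else now) // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_step:
                continue  # this step (or an earlier one) has already been used
            if hmac.compare_digest(totp(self.key, t * self.step, self.step, self.digits), code):
                self.last_step = t
                return True
        return False


# Shared secret used by the RFC 4226 and RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(RFC_TEST_KEY, c)}")  # 755224, 287082, 359152
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_KEY, 59, 30, 8))  # 94287082
    print("TOTP now, 30 s step:", totp(RFC_TEST_KEY, int(time.time())))
```

The generator functions are deliberately pure (they take the counter or timestamp as an argument) so they can be checked against the published vectors; only the verifiers touch the clock. Note that a TOTP verifier still has to remember the last accepted step per user, otherwise a 30-second window is wide enough for a captured code to be submitted a second time.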

3. Three elements of identity authentication

First, what is identity authentication? It is actually very simple: it means making the other party believe that you are you. So how do you make the other party believe that you are you? Sorted by the kind of information you can provide, there are roughly three categories of information that can prove you are yourself:

  1. Something you know: for example the most widely used combination, "user name + password". Because only you know this "user name + password" combination, when you present it to me I can believe you are you.
  2. Something you have: if your "user name + password" leaks to a third party, that party can impersonate you. What then? You can additionally present information that only you possess, to stop a third party from impersonating you.
  3. Something you are: suppose the thing you have is also leaked to a third party; again you are at risk of being impersonated. Going one step further, you can present information that is unique to you, such as your fingerprints, iris, or facial features.

3.1 2SV Two Steps Verification

Two-step verification is now a widely used way of strengthening authentication, for example Google's 2SV ( https://www.google.com/landing/2step/ ) and Microsoft's 2SV ( https://support.microsoft.com/zh-cn/help/12408/microsoft-account-about-two-step-verification ). The usual practice is that after the user enters "user name + password", the service asks for a one-time password that has been delivered to the user by SMS, by email, or by a dynamic password generator app. Some services instead use security questions that the user has to set up in advance, such as "where were you born?".

3.2 2FA two factor authentication (Two Factor Authentication)

2SV has a twin brother, 2FA (Two Factor Authentication). So what is the difference between 2SV and 2FA? Take the case of asking the user for an additional one-time password on top of "user name + password": does that one-time password count as "something you know" or as "something you have"? There is no clear-cut answer; those interested can read the discussion here: https://security.stackexchange.com/questions/41939/two-step-vs-two-factor-authentication-is-there-a-difference . If you regard the one-time password as "something you know", then you can call the scheme 2SV; if you regard it as "something you have", then you can call it 2FA.

In summary, 2FA means using two of the three elements of identity authentication.

Summary & Reference

This has been a brief introduction to how one-time passwords work and where they are used; for the complete code, see: https://github.com/linianhui/code/blob/master/src/SecurityHelper.cs . If there are any errors, please correct me!

Reference

OTP (One Time Password) Wiki: https://en.wikipedia.org/wiki/One-time_password

One Time Password System (RFC 2289): https://tools.ietf.org/html/rfc2289

HOTP (HMAC-Based One Time Password) Wiki: https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm

HOTP (HMAC-Based One Time Password) RFC: https://tools.ietf.org/html/rfc4226

TOTP (Time-Based One Time Password) Wiki: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

TOTP (Time-Based One Time Password) RFC: https://tools.ietf.org/html/rfc6238

2SV vs 2FA (1): https://security.stackexchange.com/questions/41939/two-step-vs-two-factor-authentication-is-there-a-difference

2SV vs 2FA (2): https://paul.reviews/the-difference-between-two-factor-and-two-step-authentication/

MFA/2FA (Multi Factor Authentication) Wiki: https://en.wikipedia.org/wiki/Multi-factor_authentication

Example

Google Authenticator: https://github.com/google/google-authenticator/wiki

DEMO: https://authenticator.ppl.family/

Origin: blog.csdn.net/xintingandzhouyang/article/details/84688048