HOTP
HOTP is an HMAC-based One Time Password algorithm. It is a cornerstone of the Initiative For Open Authentication (OATH).

HOTP was published as an informational IETF RFC 4226 in December 2005, documenting the algorithm along with a Java implementation. Since then, the algorithm has been adopted by many companies worldwide (see below) and has become the world's leading standard for event-based OTP authentication.
The HOTP algorithm is a freely available open standard.

Definition

Let:
  • K be a secret key
  • C be a counter
  • HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) be an HMAC calculated with the SHA-1 cryptographic hash algorithm
  • Truncate be a function that selects 4 bytes from the result of HMAC(K,C) in a defined manner (the dynamic truncation specified in RFC 4226)

Then HOTP(K,C) is mathematically defined by
HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF


The mask is to disregard the most significant bit to provide better interoperability between processors.

For HOTP to be useful for an individual to input into a system, the result must be converted into an HOTP value, a 6–8 digit number whose length is implementation dependent.
HOTP-Value = HOTP(K,C) mod 10^d, where d is the desired number of digits
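The definition above carried through in working code, as an added example that is not the RFC's Java implementation: HMAC-SHA-1 over the 8-byte big-endian counter, the dynamic truncation, the 0x7FFFFFFF mask and the mod 10^d step, plus a server-side check with a look-ahead window. The function names and the window size are this example's own choices; the secret is the RFC 4226 Appendix D test key.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA-1, dynamic truncation, mod 10^digits."""
    # C is encoded as an 8-byte big-endian unsigned integer before hashing.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()  # 20 bytes
    # Dynamic truncation: the low 4 bits of the last byte give an offset 0..15;
    # the 4 bytes starting there form a 31-bit integer (top bit masked off).
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(key: bytes, candidate: str, server_counter: int,
                digits: int = 6, window: int = 10):
    """Server-side validation with a look-ahead window (RFC 4226 section 7.2).

    Returns the counter value the server should store next if the candidate
    matches one of the next `window` counters, or None if it does not.
    Counters at or below the stored value are never tried, so an already
    used OTP cannot be replayed.
    """
    for c in range(server_counter, server_counter + window):
        expected = hotp(key, c, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, candidate):
            return c + 1
    return None


# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    # Token at counter 3 while the server still holds 1: accepted, resync to 4.
    print(verify_hotp(RFC4226_SECRET, "969429", 1))
    # Replay of the counter-0 value after the server moved on: rejected.
    print(verify_hotp(RFC4226_SECRET, "755224", 1, window=5))
```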

Applications

HOTP can be used to authenticate a user in a system via an authentication server. Also, if some more steps are carried out (the server calculates the subsequent OTP value and sends/displays it to the user, who checks it against the subsequent OTP value calculated by his token), the user can also authenticate the validation server.

Tokens

Both hardware and software tokens are available from various vendors, for some of them see references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms. As of 2010, OATH HOTP hardware tokens can be purchased for a marginal price.

Software tokens are available for (nearly) all major mobile/smartphone platforms (J2ME, Android, iPhone, BlackBerry, Maemo, Mac OS X, Windows Mobile).

Reception

Although the reception from some of the computer press was negative during 2004 and 2005, after the IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP-compatible tokens and/or whole authentication solutions (see above/below).

According to a paper on strong authentication (entitled "Road Map: Replacing Passwords with OTP Authentication") published by Burton Group (a division of Gartner, Inc.) in 2010, "Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time."

Implementation

  • Barada Android app for the client side and PAM module for the server side.

See also

  • Initiative For Open Authentication
  • S/KEY
  • Time-based One-time Password Algorithm

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.