For the app I was creating, I needed to implement a way to create One-Time-Passwords (OTP's) using an HMAC algorithm. Although Nuget (and Google) provides quite some libraries and inspiration, I was not able to find a solution that actually fit my needs.
The idea of an HOTP algorithm is defined in this RFC: HOTP: An HMAC-Based One-Time Password Algorithm, so I won't tread into detail on the how-to's and why's of the HOTP.
After some browsing, blood, sweat and hacking, I came up with this solution:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;
namespace Acuzio.Util
{
/// <summary>
/// This enumeration contains the algorithms which are allowed to be used for rendering the One-time-password.
/// </summary>
public enum HashAlgorithm
{
SHA1,
SHA256,
SHA384,
SHA512,
MD5
}
public class OTP
{
private byte[] secret;
private HashAlgorithm digest = HashAlgorithm.SHA512;
private int digits = 8;
// 0 1 2 3 4 5 6 7 8
private readonly int[] DIGITS_POWERS = new int[] { 1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000 };
/// <summary>
/// Create a new instance of the OTP class
/// </summary>
/// <param name="secret">The secret </param>
public OTP(byte[] secret)
{
this.secret = secret;
}
/// <summary>
/// Create a new instance of the OTP class
/// </summary>
/// <param name="secret">The secret </param>
/// <param name="digits">The number of digits in the token </param>
public OTP(byte[] secret, int digits)
{
this.secret = secret;
this.digits = digits;
}
/// <summary>
/// Create a new instance of the OTP class
/// </summary>
/// <param name="secret">The secret</param>
/// <param name="digits">The number of digits in the token</param>
/// <param name="digest">The algorithm to be used</param>
public OTP(byte[] secret, int digits, HashAlgorithm digest)
{
this.secret = secret;
this.digits = digits;
this.digest = digest;
}
/// <summary>
/// Generate a One-time-password for the provided challenge or movingfactor.
/// </summary>
/// <param name="input">The challenge which needs to be used as input</param>
/// <returns>a new one time password</returns>
public string generateOTP(UInt64 input)
{
if (this.digits <= 0 || this.digits > DIGITS_POWERS.Length - 1)
{
throw new ArgumentOutOfRangeException("digits", "The number of digits should be between 1 and 8");
}
String algorithm = null;
switch (digest)
{
case HashAlgorithm.SHA1:
algorithm = MacAlgorithmNames.HmacSha1; break;
case HashAlgorithm.SHA256:
algorithm = MacAlgorithmNames.HmacSha256; break;
case HashAlgorithm.SHA384:
algorithm = MacAlgorithmNames.HmacSha384; break;
case HashAlgorithm.SHA512:
algorithm = MacAlgorithmNames.HmacSha512; break;
case HashAlgorithm.MD5:
algorithm = MacAlgorithmNames.HmacMd5; break;
default:
throw new Exception("The provided algorithm is not supported");
}
MacAlgorithmProvider provider = MacAlgorithmProvider.OpenAlgorithm(algorithm);
byte[] data = BitConverter.GetBytes(input);
byte[] hmac = new byte[] { };
if (BitConverter.IsLittleEndian)
Array.Reverse(data);
//create a hash for the known secret and append the challenge
CryptographicHash hmacHasher = provider.CreateHash(CryptographicBuffer.CreateFromByteArray(this.secret));
hmacHasher.Append(CryptographicBuffer.CreateFromByteArray(data));
//create a hash and reset the hasher
IBuffer buffer = hmacHasher.GetValueAndReset();
CryptographicBuffer.CopyToByteArray(buffer, out hmac);
int offset = hmac[hmac.Length - 1] & 0xf;
int binary = ((hmac[offset + 0] & 0x7F) << 24) |
((hmac[offset + 1] & 0xFF) << 16) |
((hmac[offset + 2] & 0xFF) << 8) |
((hmac[offset + 3] & 0xFF));
int password = binary % DIGITS_POWERS[this.digits];
//return the OTP with zero-padding for the number of desired digits
return password.ToString(new string('0', this.digits));
}
}
}
Below an example on how to use the OTP class (e.g. unit tests).
using System;
using Microsoft.VisualStudio.TestPlatform.UnitTestFramework;
using Acuzio.Util;
using System.Text;
namespace TestProject
{
[TestClass]
public class OTPTest
{
//...
[TestMethod]
public void TestingSha512()
{
string secret = "SomeKey";
byte[] key = Encoding.UTF8.GetBytes(secret);
ulong interval = 66778;
int returnDigits = 6;
OTP generator = new OTP(key, returnDigits, HashAlgorithm.SHA512);
String otp = generator.generateOTP(interval);
Assert.IsNotNull(otp);
Assert.AreEqual(6, otp.Length);
Assert.AreEqual("539281", otp);
}
[TestMethod]
public void TestingSha1()
{
string secret = "12345678901234567890";
byte[] key = Encoding.UTF8.GetBytes(secret);
ulong[] interval = new ulong[] { 0, 1, 2 };
string[] expected = new string[] { "755224", "287082", "359152" };
int returnDigits = 6;
for (int i = 0; i < interval.Length; i++)
{
ulong nextInterval = interval[i];
OTP generator = new OTP(key, returnDigits, HashAlgorithm.SHA1);
String otp = generator.generateOTP(nextInterval);
Assert.IsNotNull(otp);
Assert.AreEqual(6, otp.Length);
Assert.AreEqual(expected[i], otp);
}
}
//...
}
}
Some side notes:
- Exception handling might be improved, but you can tailor it to your own needs;
- I opted for defined class constructors in the OTP class, as we need to have a valid state of the object, before we can use it.
- I used an array of powers, instead of using the pow-function, purely for speed.
