Admin: Created page with "'''HOTP''' is an HMAC-based one-time password (OTP) algorithm. It is a cornerstone of Initiative For Open Authentication (OA..."

2019-03-21T04:05:41Z

Created page with "'''HOTP''' is an HMAC-based one-time password (OTP) algorithm. It is a cornerstone of Initiative For Open Authentication (OA..."

New page

'''HOTP''' is an [[Hash-based message authentication code|HMAC-based]] [[one-time password]] (OTP) algorithm. It is a cornerstone of [[Initiative For Open Authentication]] (OATH).

HOTP was published as an informational [[IETF]] RFC 4226 in December 2005, documenting the algorithm along with a Java implementation. Since then, the algorithm has been adopted by many companies worldwide (see below). The HOTP algorithm is a freely available [[open standard]].

==Definition==
Let:
*''K'' be a secret key
*''C'' be a counter
*''HMAC''(''K'',''C'') = [[SHA-1|SHA1]](''K'' ⊕ 0x5c5c… ∥ [[SHA-1|SHA1]](''K'' ⊕ 0x3636… ∥ ''C'')) with ⊕ as XOR, ∥ as concatenation, for more details see [[HMAC]] (C is the message)
*''Truncate'' be a function that selects 4 bytes from the result of the HMAC in a defined manner

Then '''HOTP'''(''K'',''C'') is mathematically defined by
:'''HOTP'''(''K'',''C'') = ''Truncate''(''HMAC''(''K'',''C'')) & 0x7FFFFFFF

The [[mask (computing)|mask]] 0x7FFFFFFF sets the result's [[most significant bit]] to zero. This avoids problems if the result is interpreted as a signed number as some processors do.

For HOTP to be useful for an individual to input to a system, the result must be converted into a HOTP value, a 6–8 digits number that is implementation dependent.

:'''HOTP-Value''' = '''HOTP'''(''K'',''C'') mod 10<sup>''d''</sup>, where ''d'' is the desired number of digits
—

==Applications==
HOTP can be used to authenticate a user in a system via an authentication server. Also, if some more steps are carried out (the server calculates subsequent OTP value and sends/displays it to the user who checks it against subsequent OTP value calculated by his [[Security token|token]]), the user can also authenticate the validation server.

==Tokens==
Both hardware and software tokens are available from various vendors, for some of them see references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms. As of 2010, OATH HOTP hardware tokens can be purchased for a marginal price. Some products can be used for strong passwords as well as OATH HOTP.

Software tokens are available for (nearly) all major mobile/[[smartphone]] platforms ([[J2ME]], [[Android (operating system)|Android]], [[iPhone]], [[BlackBerry]], [[Maemo]], [[Mac OS X]], [[Windows Mobile]] after IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP compatible tokens and/or whole authentication solutions (see above/below).

According to a paper on strong authentication (entitled "Road Map: Replacing Passwords with OTP Authentication") published by [[Burton Group]] (a division of [[Gartner|Gartner, Inc.]]) in 2010, "[[Gartner]]'s expectation is that the hardware [[One-time password|OTP]] form factor will continue to enjoy modest growth while [[smartphone]] OTPs will grow and become the default hardware platform over time."<ref name="gartnerotprm"/>

==See also==
* [[Initiative For Open Authentication]]
* [[S/KEY]]
* [[Time-based One-time Password Algorithm]]

==Source==

[http://wikipedia.org/ http://wikipedia.org/]
[[Category:Cryptography]]
[[Category:Cryptographic algorithms]]

HMAC-based One-time Password Algorithm - Revision history

Admin: Created page with "'''HOTP''' is an HMAC-based one-time password (OTP) algorithm. It is a cornerstone of Initiative For Open Authentication (OA..."