I spent this week jumping between tasks as I tend to get bored working on the same thing for long. This week I worked on implementing HOTP, flash and troubleshooting the SSL server.
HOTP works by computing an HMAC based on 1- A static secret key generated by the server and known by the client. 2- A changing factor which is a simple counter. The server remembers the last value of the counter for which a correct password was entered. If the user’s counter is different from the servers’, then the generated passwords will not match. However, the server takes into account a specified “Window” for the counter. For example if the window size is 300, then in the case where the first authentication attempt fails, the server will check passwords with counter+1, +2… till passwords match or reaches +300. Obviously the higher the window size, the less secure. We can also make the value of the HOTP longer. For HMAC we are using MD5 hashing, which is known to be vulnerable, however it is adequate for performing a checksum.
When the board is first booted, the PIC32 will generate a random number to be used as the key, which is stored onto the flash and retrieved whenever needed. Right now I’m just using a dummy key and counter and I’ve verified the algorithm to be working properly. These two documents provide the specifications for HOTP/HMAC: RFC 4226 and RFC 2104. Did you know that Google’s Authenticator uses HOTP/TOTP?
Random cool fact: Expired coffee seems ok, aside from tasting plain. Disclaimer: Not responsible should anything happen to you. It could just be my arab stomach.
Oh and have a blessed Ramadan everyone. My cat’s too fat. Needless to say she’ll be fasting with me.