2
votes

I have to make an HTTP POST request to the URL http://example.com/test which contains a JSON string as the body, with the headers "Content-Type: application/json" and "Authorization: Basic userid:password". The userid is [email protected] and the password must be a 10-digit time-based one-time password complying with RFC 6238 TOTP, using HMAC-SHA-512 as the hash function.

The token shared secret should be "[email protected]" without the double quotation marks.

So, to achieve the above I modified the Java code of the RFC 6238 TOTP algorithm.

To get the TOTP, I converted the shared secret "[email protected]" to HMAC-SHA512 using an online converter tool as well as some code that generates the same 128-character HEX string.

Making the request always responds with "TOTP is wrong".

I noticed that I generated the wrong secret key, so the TOTP is wrong. So, how can I generate the correct secret key that complies with HMAC-SHA512 in the Java code of the RFC 6238 algorithm?

There is a default key used as the seed in the algorithm:

String seed64 = "3132333435363738393031323334353637383930" +
         "3132333435363738393031323334353637383930" +
         "3132333435363738393031323334353637383930" +
         "31323334";

How can I get such a seed64 for my shared secret "[email protected]"? My modified code generates a 10-digit TOTP.

I appreciate help from everyone!


1 Answer

4
votes

The example 64-byte seed in Appendix A of RFC 6238 is the HEX-encoded version of the ASCII secret 12345678901234567890 provided in Appendix B, which contains the truth table.

ASCII 1  2  3  4  5  6  7  8  9  0  1  2  3  4  5  6  7  8  9  0
HEX   31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30

If you want to convert your shared secret using the same pattern, you would convert [email protected] to HEX in string format if you're using the example code provided in Appendix A.

This would come out to the following HEX string:

616263406578616D706C652E636F6D5445585435

To build the example 64-byte seed used for the SHA-512 hash, the initial 20 bytes are repeated to make 64 bytes total, to achieve an optimal key length for the SHA-512 hash.

Doing the same with your example string would produce the following seed:

String seed64 = "616263406578616D706C652E636F6D5445585435" +
         "616263406578616D706C652E636F6D5445585435" +
         "616263406578616D706C652E636F6D5445585435" +
         "61626340";

If you use the rest of the example code to calculate the time step and request a 10 digit TOTP code, I assume it will work for you.

If you are using something like this in production, you may wish to use a more randomly generated secret.

For example, to generate a 64 byte secret for SHA-512, you could do something like:

  import java.security.SecureRandom;
  import java.util.Base64;

  // Returns `length` Base64 characters taken from the encoding of `length`
  // random bytes (the first character is skipped), i.e. a printable secret
  // that is `length` characters long rather than `length` raw bytes.
  public static String generateRawSecret(int length) {
    byte[] buf = new byte[length];
    new SecureRandom().nextBytes(buf);
    String rawSecret = Base64.getEncoder().encodeToString(buf);
    return rawSecret.substring(1, length + 1);
  }

  // Random 64 byte secret
  String secret = generateRawSecret(64);

It looks like you've already got most of this coded, but if you're looking for some additional Java examples, the following link is a GitHub project that has a simple utility class with a bunch of tests. https://github.com/FusionAuth/fusionauth-2FA
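The seed construction the answer describes (ASCII secret to HEX, repeated to 64 bytes) and the resulting HMAC-SHA512 TOTP, as an added Python example rather than the Java code either poster used; it checks itself against the RFC 6238 Appendix B vector for the "12345678901234567890" secret, and the second secret it uses is a constructed placeholder, not the asker's real one.

```python
import hmac
import hashlib
import struct
import time

SEED_BYTES = 64  # RFC 6238 Appendix A pads the SHA-512 seed to 64 bytes


def build_seed_hex(shared_secret: str, seed_len: int = SEED_BYTES) -> str:
    """Turn an ASCII shared secret into the hex seed the RFC 6238 reference
    code expects, repeating the secret until seed_len bytes are filled
    (a 20-byte secret gives 3 full copies plus its first 4 bytes = 64 bytes)."""
    raw = shared_secret.encode("ascii")
    repeated = (raw * (seed_len // len(raw) + 1))[:seed_len]
    return repeated.hex().upper()


def totp(seed_hex: str, unix_time: int, digits: int = 10,
         step: int = 30, t0: int = 0, algo=hashlib.sha512) -> str:
    """RFC 6238 TOTP: counter = floor((time - t0) / step), HMAC over the
    8-byte big-endian counter, RFC 4226 dynamic truncation, then mod 10^digits."""
    counter = (unix_time - t0) // step
    msg = struct.pack(">Q", counter)
    mac = hmac.new(bytes.fromhex(seed_hex), msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Dynamic truncation leaves a 31-bit value (below 2147483648), so a
    # 10-digit code is just that value zero-padded: it never starts with a
    # digit above 2 and carries about 31 bits, not a full 10 decimal digits.
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: secret "12345678901234567890", time 59,
    # 8 digits, HMAC-SHA512 -> 90693936
    rfc_seed = build_seed_hex("12345678901234567890")
    print(rfc_seed)
    print(totp(rfc_seed, 59, digits=8))
    # Constructed placeholder secret with the asker's 10-digit variant
    my_seed = build_seed_hex("sharedsecretexample1")
    print(totp(my_seed, int(time.time()), digits=10))
```

Because the truncated value is at most 31 bits, the server and client must agree on the same zero-padding convention for 10-digit codes, or a code such as 0090693936 will be rejected even when the secret is right.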