gsunnic

Reputation: 321

RFC4226 HOTP Java Implementation

I tried to copy the HOTPAlgorithm.java code (HOTPAlgorithm.java) and compared it against the official HOTP RFC 4226 sample implementation (RFC4226 Page 27) found on Page 27 of the official RFC4226 document. Both HOTPAlgorithm.java and the implementation in RFC4226 are written by the same author, who is Loren Hart, and set to version 1.0. From my comparison, both codes are essentially the same.

I tried to run the test vectors for 6-digit HOTP codes (without modifying the HOTPAlgorithm.java script) and noticed that the source code given in RFC4226 and HOTPAlgorithm.java produce different test vector results from the published RFC4226 results with exactly the same settings.

Is there a discrepancy between the sample Java code published in RFC4226 and HOTPAlgorithm.java when compared against the RFC4226 test vectors?

Test Results from HOTPAlgorithm.java and RFC4226 Java codes (both produce the same results):

755224
030356
132975
957805
463120
994243
844697
570244
487336
025740

Test Vectors from RFC4226 Publication (RFC4226 Page 32)

755224
287082
359152
969429
338314
254676
287922
162583
399871
520489

Am I missing something, or are there discrepancies between the officially published sample code and the officially published results?

Upvotes: 14

Views: 4523

Answers (2)

Simes

Reputation: 51

The change to Math.pow() didn't make any difference, but I think you might be making the call to generateOTP() with 0 as the truncationOffset parameter value. Trying this with -1 gives the reference test vectors.

Upvotes: 5
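The effect of the truncationOffset value discussed in the answer above, as an added example that is not part of the original thread or the RFC's own code. The class name and the hotp() helper are hypothetical; the secret is the ASCII string used for the RFC 4226 Appendix D test values, and the expected codes are the Page 32 vectors quoted in the question. In this sketch an offset of 0..15 forces a fixed truncation position and any other value (such as -1) selects dynamic truncation.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class HotpTruncationDemo {
    // RFC 4226 Page 32 test vectors as quoted in the question (counter 0..9).
    static final String[] RFC_VECTORS = {
        "755224", "287082", "359152", "969429", "338314",
        "254676", "287922", "162583", "399871", "520489"
    };

    // HOTP per RFC 4226 section 5.3. truncationOffset in 0..15 forces a fixed
    // offset; any other value (e.g. -1) uses dynamic truncation.
    static String hotp(byte[] secret, long counter, int digits, int truncationOffset)
            throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        // The counter is hashed as an 8-byte big-endian value.
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());

        // Dynamic truncation: the low nibble of the last byte picks the offset.
        int offset = hash[hash.length - 1] & 0x0f;
        if (truncationOffset >= 0 && truncationOffset < hash.length - 4) {
            offset = truncationOffset; // caller overrides the dynamic offset
        }
        // Take 31 bits starting at the offset (top bit masked off).
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   |  (hash[offset + 3] & 0xff);

        int modulus = 1;
        for (int i = 0; i < digits; i++) modulus *= 10;
        return String.format("%0" + digits + "d", binary % modulus);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        for (int c = 0; c < RFC_VECTORS.length; c++) {
            String dynamic = hotp(secret, c, 6, -1); // dynamic truncation
            String fixed0 = hotp(secret, c, 6, 0);   // offset pinned to 0
            System.out.printf("count=%d dynamic=%s fixed0=%s rfc=%s match=%b%n",
                    c, dynamic, fixed0, RFC_VECTORS[c], dynamic.equals(RFC_VECTORS[c]));
        }
    }
}
```

For counter 0 the dynamic offset happens to be 0, so both calls return the same code for that row; for later counters the two columns diverge.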

thotheolh

Reputation: 7450

Change

int otp = binary % DIGITS_POWER[codeDigits];

To

int otp = (int) (binary % Math.pow(10, codeDigits));

Or

int otp = binary % 1000000;

Upvotes: 7
