Generating Alphanumeric OTP using HOTP

Question

I understand that HOTP can be used to create numerical One Time Passwords. The algorithm behind being:

K be a secret key
C be a counter
HMAC(K,C) = SHA1(K ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ C)) with ⊕ as XOR, ∥ as concatenation, (C is the message)

Truncate be a function that selects 4 bytes from the result of the HMAC in a defined manner.

Then HOTP(K,C) is mathematically defined by:

HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF

I have used the following example implementation for my tests and it works fine:

https://svn.forgerock.org/openam/tags/10.0.0-docs/products/amserver/source/com/sun/identity/authentication/modules/hotp/HOTPAlgorithm.java

My question is that is it possible to generate an alphanumeric OTP using HOTP instead of numeric. The advantage obviously being that the strength of OTP increases manyfold for a given length. So a 8 digit alphanumeric code is far stringer than an eight-digit numeric code.

Answer 1

Alphanumeric has a tricky base, base 62. If you allow two more characters then you can just use base 64 (replacing the + and / with any value you prefer).

Otherwise, just look up a Base N encoding library, such as this one for Java (didn't try it, cannot comment on correctness or performance).

This won't influence the security as there is a 1:1 relation between the generated HOTP bits and the given representation. In other words, the different base representation and alphabet are just a different view on the same bit values.

Answer 2

Of course, you can do whatever you want after the HMAC(K,C). You can map it to HEX or to alphanumeric.

But then you would also have to create your own OTP token - either a hardware token or a smartphone app. This is the great thing about standards, that you do not have to create your own! ;-)