Re: OTP broken?

Dieter Klünter wrote: > Am Sat, 7 Nov 2015 14:33:22 +0100 > schrieb Michael Ströder <michael(a)stroeder.com&gt;: > >> Dieter Klünter wrote: >>> 6. added credentials by ldappasswd >>> userPassword:: >>> e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09 >> >> I have not really tried the module myself yet but I note that the >> key is actually 21 bytes long (see below). Shouldn't that be 20 >> bytes? >> >> Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2 >>>>> 'e1RPVFAxfU5CVUVJNktFSk1ZRENOQlRHSTJUTVFLQ0lOQ0E9PT09'.decode('base64') >> '{TOTP1}NBUEI6KEJMYDCNBTGI2TMQKCINCA====' >>>>> s='NBUEI6KEJMYDCNBTGI2TMQKCINCA===='.decode('base64') >>>>> len(s) >> 21 > > The TOTP1 string is base32 encoded, not base64. If it's sent to the Google Authenticator the base32-encoded form is appended to the totp:// URL. And looking at slapd-totp.c it seems you're also right regarding the storage format in 'userPassword': /* Key is stored in base32 */ But still 17 bytes look strange to me: Python 2.7.10 (default, May 24 2015, 14:46:10) [GCC] on linux2 >>> import base64 >>> base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====') 'hhDyDK0143256ABCD' >>> len(base64.b32decode('NBUEI6KEJMYDCNBTGI2TMQKCINCA====')) 17 What's the correct length of your shared secret?