Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Thoughts on Base32? #39

Open
joshxyzhimself opened this issue Jul 12, 2021 · 1 comment
Open

Thoughts on Base32? #39

joshxyzhimself opened this issue Jul 12, 2021 · 1 comment

Comments

@joshxyzhimself
Copy link

joshxyzhimself commented Jul 12, 2021

Hi, just thought that this lib is perfect for HOTP / TOTP solutions, except for the base32 part (it currently has base64).

There are other solutions like https://github.com/emn178/hi-base32, https://github.com/LinusU/base32-encode

But do you think it would make sense to also have a Base32 encode/decode function built-in here?

Something like RFC 4648 https://datatracker.ietf.org/doc/html/rfc4648#section-6 that's compatible with apps like Google Authenticator / Microsoft Authenticator / FreeOTP.

Thank you.

Edit: sha1 might also be handy, which is the default algo on most hotp & totp use cases.

As per https://datatracker.ietf.org/doc/html/rfc4226#appendix-B.2

   The new attacks on SHA-1 have no impact on the security of
   HMAC-SHA-1.  The best attack on the latter remains one needing a
   sender to authenticate 2^{80} messages before an adversary can create
   a forgery.  Why?

   HMAC is not a hash function.  It is a message authentication code
   (MAC) that uses a hash function internally.  A MAC depends on a
   secret key, while hash functions don't.  What one needs to worry
   about with a MAC is forgery, not collisions.  HMAC was designed so
   that collisions in the hash function (here SHA-1) do not yield
   forgeries for HMAC.
@dchest
Copy link
Member

dchest commented Jul 12, 2021

Agree, base32 would be great to have. Not sure when I'll have time to implement it, though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants