[KEYPROV] OCRA without truncation

Simon Josefsson <simon@josefsson.org> Tue, 17 September 2013 20:27 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: keyprov@ietfa.amsl.com
Delivered-To: keyprov@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1C24611E8563 for <keyprov@ietfa.amsl.com>; Tue, 17 Sep 2013 13:27:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.299
X-Spam-Status: No, score=-102.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id cI3IJQvlUBrQ for <keyprov@ietfa.amsl.com>; Tue, 17 Sep 2013 13:27:44 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) by ietfa.amsl.com (Postfix) with ESMTP id 876F111E8198 for <keyprov@ietf.org>; Tue, 17 Sep 2013 13:27:39 -0700 (PDT)
Received: from latte.josefsson.org (static-213-115-179-130.sme.bredbandsbolaget.se []) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id r8HKRR3l021724 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <keyprov@ietf.org>; Tue, 17 Sep 2013 22:27:30 +0200
X-Hashcash: 1:22:130917:keyprov@ietf.org::IIBirVVniDil4dPg:6Hiq
From: Simon Josefsson <simon@josefsson.org>
To: keyprov@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Tue, 17 Sep 2013 22:27:26 +0200
Message-ID: <87d2o7xkgh.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97.8 at duva.sjd.se
X-Virus-Status: Clean
Subject: [KEYPROV] OCRA without truncation
X-BeenThere: keyprov@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/keyprov>, <mailto:keyprov-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyprov>
List-Post: <mailto:keyprov@ietf.org>
List-Help: <mailto:keyprov-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2013 20:27:47 -0000


I'm merging OCRA support into my OATH Toolkit implementation
(<http://www.nongnu.org/oath-toolkit/>) and we are discussing how OCRA
without truncation is supposed to work.

I haven't been able to figure out from the RFC what the output should be
when t=0.  There are no test vectors for that case.

A naive reader would notice this definition in section 5:

   In a nutshell,
                     OCRA = CryptoFunction(K, DataInput)

together with this from section 4.1:

   As a reminder:
                     HOTP(K,C) = Truncate(HMAC-SHA1(K,C))

and section 5.2 which specify the CryptoFunction:

   We define the HOTP family of functions as an extension to HOTP:

   1.  HOTP-H-t: these are the different possible truncated versions of
       HOTP, using the dynamic truncation method for extracting an HOTP
       value from the HMAC output

   2.  We will denote HOTP-H-t as the realization of an HOTP function
       that uses an HMAC function with the hash function H, and the
       dynamic truncation as described in [RFC4226] to extract a t-digit

   3.  t=0 means that no truncation is performed and the full HMAC value
       is used for authentication purposes

so one could interpret this as when t=0, the Truncate function is not
invoked at all, and instead OCRA takes on the output value of the
HMAC-SHA1 function, which is a binary string.

Are there any implementation of OCRA with t=0?  What encoding, if any,
of the HMAC output is used?  Decimal, hex, binary?

The sample code in the RFC will always output the static code "1" as the
OCRA code for t=0, if I read the code correctly, which seems like a bug.