TOTP Demo Application for Google Authenticator
NAME
submission
AUTHOR
Zach Colbert <colbertz@oregonstate.edu>
SYNOPSIS
./submission --generate-qr | --get-otp
DESCRIPTION
To compile, run `make`.
The QR code generation feature generates a random 256-bit key with OpenSSL.
It then encodes the key base-32, and collects some information about the
current user and host to generate an otpauth URI. Using the qrcodegen
library (by @nayuki), the URI is converted to a QR code and printed to the
console. (See NOTES).
This application only supports one user/key at a time. Each time the
QR code generator is executed, the previously generated symmetric key
is overwritten. This key is stored in the "secret" file by default,
in plaintext, with restricted access permissions.
The get-otp feature has only been partially implemented. It can
successfully read the key from the key file, calculate the time value T,
and truncate the result of HMAC(K, T) to calculate a TOTP value.
However, the HMAC implementation I'm using seems to be returning the same
digest for every message (T) I input with the same key (K). I have been
unable to determine why this is, and have not found many good examples
on how to use the openssl/hmac library.
To clean up executables and build files, run `make clean`.
NOTES
I was unable to find a method in C for generating JPG or SVG images in a
timely fashion. Instead, I took after an example from the qrcodegen library
(by @nayuki on GitHub) and print the QR code to the console. Because the
code is made up of literal '#' chars and there's a fair amount of data
stored in the code (plus error correction), the QR code comes out fairly
large. If you find yourself unable to see the entire code, please resize
your terminal window.
All of the code contained here was tested on the COE flip server, so I
recommend compiling and running it there.
I do not have access to an Android device, so this application was tested
using the iOS version of Google Authenticator.
For the entire day I've been finishing this submission, I have been fighting
a >100-degree fever. Please forgive me if you find any funky code or
something doesn't make sense.
COPYRIGHT
See LICENSE file.