Security Now Episode 1008: HOTP and TOTP

Release Date: January 15, 2025

In this milestone episode of Security Now, hosts Leo Laporte and Steve Gibson delve deep into the intricacies of HOTP (HMAC-Based One-Time Password) and TOTP (Time-Based One-Time Password) algorithms. This episode not only addresses listener concerns but also provides a comprehensive analysis of the underlying technologies that secure our digital interactions.

1. Introduction and Overview

The episode kicks off with a brief overview of the show's focus on security and privacy in the digital realm. Steve Gibson introduces the main topic inspired by listener questions regarding the randomness of numbers generated by authenticator apps.

Steve Gibson [00:00]: "He goes into a deep dive on how these one-time based passwords are generated. And you won't believe what a kludge it is. It's mind bending. Stay tuned."

2. Listener Concerns: Repeating Digits in Authenticator Codes

Max Feinlieb, a dedicated listener, raises an intriguing observation about the frequency of repeating digits in his two-factor authentication (2FA) codes. He notes that his authenticator apps often produce codes with non-random repetitions, such as 906090 or 131327, which seem biased towards easier-to-type patterns.

Max Feinlieb:

"I've been noticing lately that the six-digit codes I get for two-factor authentication almost always seem to include one or more repeated digits... Have you or any other listeners observed this?"

Steve Gibson acknowledges Max's observation and sets the stage for a detailed exploration of the HOTP and TOTP algorithms to understand if these repetitions are genuine or merely perceptual.

3. Deep Dive into HOTP and TOTP Algorithms

The hosts embark on an in-depth examination of the HOTP and TOTP standards, referencing the relevant RFCs:

• RFC 4226 (HOTP): Introduces the HMAC-Based One-Time Password algorithm.
• RFC 6238 (TOTP): Builds upon HOTP to incorporate time-based elements.

Steve Gibson explains the foundational mechanics:

Steve Gibson [02:40]:

"HOTP uses a secret key and a moving factor (like a counter) to generate a one-time password. TOTP builds on this by using the current time as the moving factor."

He further breaks down the process:

1. HMAC Generation: Utilizing the SHA1 hash function, HOTP generates a pseudo-random output based on a secret key and a counter.
2. Truncation and Digit Extraction: The output is truncated to extract a 6-digit code.

However, Steve points out a critical flaw in the standard implementation:

Steve Gibson [142:05]:

"The HOTP algorithm... masks off the upper four bits of the last byte, selects four bytes based on an offset, and then divides a 31-bit number by 1,000,000 to generate the final code. This method discards a significant portion of the entropy."

4. Analyzing the Flaws and Implications

The hosts discuss how the standard HOTP truncation method introduces biases:

• Entropy Loss: Only a fraction of the generated bits are utilized, leading to potential predictability.
• Non-Uniform Distribution: Due to dividing by 1,000,000, certain digits may appear more frequently than others, contradicting the expectation of uniform randomness.

Leo Laporte interjects with his observations:

Leo Laporte [111:08]:

"I'm looking at my My2FA app and looking at all the codes and he's right. I don't see any with six unique digits."

Steve Gibson reassures listeners by explaining that these perceived patterns are likely a result of apophenia—the human tendency to perceive patterns where none exist.

Steve Gibson [160:50]:

"Max's observation points out that, knowing what we know now, there cannot be any non-uniform pattern."

5. Meta's Content Filtering and Encryption Concerns

Shifting gears, the episode touches upon Meta's recent changes in content filtering, transitioning from third-party fact-checking to community-driven notes. Matthew Green, a renowned cryptographer, expresses concerns about implications for encryption and potential government interference.

Steve Gibson provides context by referencing the Cybersecurity Infrastructure Security Agency (CISA) guidelines, emphasizing the importance of end-to-end encrypted communications to safeguard against breaches.

Steve Gibson [25:32]:

"I would be very surprised if anything were to change along the lines that Matthew fears... Changes in content moderation are not even in the same world as changes that would weaken our encrypted communications."

6. IoT Cyber Trust Mark and Security News

The discussion moves to the U.S. Cyber Trust Mark, a new label signifying robust cybersecurity standards for consumer IoT devices. Steve Gibson evaluates its potential impact, questioning its visibility to consumers but recognizing its importance for manufacturers striving for competitive advantages through enhanced security measures.

Additionally, the hosts touch upon:

• Syncthing Update: Version 1.29.2 addresses an obscure bug related to directory scanning.
• Government Email Encryption: Despite advancements, a significant number of email servers still lack TLS encryption, underscoring vulnerabilities in official communications.

7. Listener Engagement and Technical Insights

The episode features insightful feedback from listeners like Travis Hayes and Doug Curtis, who share their experiences and technical expertise regarding email encryption and managed service providers (MSPs). Steve Gibson responds by elucidating the challenges of implementing widespread TLS adoption in multi-hop email systems and the importance of encryption irrespective of intermediary server security.

A notable segment involves Josh Caluet from Austin, Texas, who highlights the capabilities of Let's Encrypt in securing email servers, countering the initial assertion that it's unsupported. Steve acknowledges that while possible, automating such processes remains complex and relies heavily on user intervention, reinforcing his point about the kludgy nature of current implementations.

8. Technical Demystification: HOTP and TOTP

Returning to the core topic, Steve Gibson meticulously dissects the HOTP and TOTP algorithms:

• HOTP Standard: Utilizes a secret key and counter, hashes them using HMAC-SHA1, and truncates the result to generate a 6-digit code. However, the truncation method discards significant entropy and introduces biases.

• Steve's Ideal Approach: Advocates for a more straightforward method—using long division of the entire 160-bit HMAC output by 10 repeatedly to extract each digit, ensuring a uniform distribution without discarding entropy.

Steve Gibson [145:56]:

"Dividing the extracted 31-bit value by 1 million... fully uniform in distribution."

Leo Laporte underscores the implications of such flaws, emphasizing the importance of impeccable algorithm design in security protocols.

9. Conclusion and Final Thoughts

As the episode wraps up, Steve Gibson reiterates the necessity of scrutinizing standardized algorithms to ensure their robustness and lack of biases. He emphasizes that while the current HOTP/TOTP implementations work adequately for real-world applications, there's room for improvement to harness the full potential of cryptographic entropy.

Leo Laporte encourages listeners to adopt more secure authentication methods and remain vigilant about the tools and standards that protect their digital identities.

Leo Laporte [135:55]:

"They have a lot of cryptographically savvy moms out there, but it's a fundamental misunderstanding of how SHA1 works."

Key Takeaways:

• HOTP/TOTP Flaws: The standard truncation methods in HOTP/TOTP algorithms discard significant entropy and introduce biases, leading to perceived patterns in authenticator codes.

• Apophenia in Security: Human tendency to perceive patterns can lead to misconceptions about the randomness and security of authentication mechanisms.

• Importance of Encryption: Despite progress, many systems, including government email servers, still lack robust encryption, highlighting ongoing vulnerabilities.

• IoT Security Standards: The introduction of the U.S. Cyber Trust Mark aims to enhance consumer device security, though its effectiveness depends on both manufacturer adoption and consumer awareness.

• Listener Contributions: Feedback from technically adept listeners offers valuable insights into real-world security implementations and challenges, fostering a collaborative learning environment.

This episode serves as a crucial reminder of the complexities involved in designing secure authentication systems and the importance of continuous evaluation and improvement of established standards.