[COLUG] Enterprise Two Factor Authentication

Jim jep200404 at columbus.rr.com
Tue Mar 13 13:30:20 EST 2007


Pat Collins wrote about Duane's code:

> You scare me when I see code like this in php:
> 
> http://www.freeauth.org/site/wiki/One%20Time%20Passwords%20with%20PHP

Release early, release often.

That page has:

   $lookupChar = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*{}.%:";

Duane, 

What's the rationale for dropping characters such as but not limited to 'g'? 
If you are trying to avoid characters that might be confused, 
such as 'o', 'O', and '0', why is there a '1'? 

Add some explanation to the code about the output from and 
expected input to the encoding functions. 
Also document what's obvious to you, 
like what language you're writing in. 

Eschew magic numbers like 63. Hexadecimal is a little better. Better yet, 
use expressions like ... & ((1<<6)-1) to make it clear that you want to mask 6 bits. 
Even then for generality, I might give that 6 a name, like $nBitsPerByte. 
Hence something like ... & ((1<<$nBitsPerByte)-1). Hence: 

   function getOTP64($otp)
   {
      $nBitsPerByte=6;
...
      $OTP = $lookupChar[$tmp1 & ((1<<$nBitsPerByte)-1)];
...
      $tmp1 = $val[2] >> $nRemainderBits;
...
   }

   function getOTP32($otp)
   {
      $nBitsPerByte=5;
...
      $OTP = $lookupChar[$tmp1 & ((1<<$nBitsPerByte)-1)];
...
   }

Better yet, use a common routine for the encoding. 
I recommend using a loop for your encoding. 
Something akin to: 

function encoder($otp,$nBitsPerByte,$otherMagicNumber,$lookupChar)
{
   for ($i = 0; $i < $otherMagicNumber; $i++)
      $val[$i] = hexdec(substr($otp, $i * 2, 2));

   /* general encoding loop goes here */

   $encodedOTP = "";
   for ($i = 0; $i < $otherMagicNumber; $i++) {
      /* generalized ...<<$nBits... kinds of expressions 
      *  instead of hardcoded magic numbers are very very helpful. */
...

      $encodedOTP .= $lookupChar[$tmp & ((1<<$nBitsPerByte)-1)];
   }

   return $encodedOTP;
}

function getOTP64($otp)
{
   return encoder($otp,6,6,"123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*{}.%:");
}

function getOTP32($otp)
{
   return encoder($otp,5,7,"0123456789abcdefghkmnoprstuvwxyz");
}

Be at lunch on Friday. Bring a printout of your web page. 
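Added example, not code from this post or from FreeAuth: the generic encoder sketched above written out in full, in Python rather than PHP so the bit-packing loop is easy to read, together with its decoder and a check for the confusable characters asked about earlier. It assumes the OTP arrives as a hex string, packs bits most-significant first, and zero-pads a trailing partial group on the right the way base32/base64 do; the two alphabets are copied from the post.

```python
# Added example (not Duane's or FreeAuth's code): one generic bit-packing
# encoder parameterised by bits-per-symbol and alphabet, its decoder, and a
# check for easily-confused characters. Assumptions: the OTP is a hex string,
# bits are packed most-significant first, and a trailing partial group is
# zero-padded on the right (as base32/base64 do).

# Alphabets copied from the post.
ALPHABET64 = "123456789abcdefhkmnprstuvwxyzABCDEFGHKMNPQRSTUVWXYZ=+[]&@#*{}.%:"
ALPHABET32 = "0123456789abcdefghkmnoprstuvwxyz"

# Characters commonly misread for one another when a user types an OTP.
CONFUSABLE = set("0Oo1lI")


def encode_otp(otp_hex: str, n_bits: int, alphabet: str) -> str:
    """Encode a hex OTP as symbols of n_bits each drawn from alphabet."""
    if len(alphabet) != (1 << n_bits):
        raise ValueError(f"alphabet needs {1 << n_bits} symbols, got {len(alphabet)}")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet repeats a symbol; encoding would be ambiguous")
    data = bytes.fromhex(otp_hex)      # replaces the hexdec(substr(...)) loop
    mask = (1 << n_bits) - 1           # the ((1<<$nBitsPerByte)-1) mask
    acc = 0                            # bit accumulator
    nacc = 0                           # number of valid bits in acc
    out = []
    for byte in data:
        acc = (acc << 8) | byte
        nacc += 8
        while nacc >= n_bits:          # emit one symbol per full group
            nacc -= n_bits
            out.append(alphabet[(acc >> nacc) & mask])
    if nacc:                           # partial group left: pad with zero bits
        out.append(alphabet[(acc << (n_bits - nacc)) & mask])
    return "".join(out)


def decode_otp(encoded: str, n_bits: int, alphabet: str) -> str:
    """Inverse of encode_otp; returns the hex string and drops padding bits."""
    index = {c: i for i, c in enumerate(alphabet)}
    acc = 0
    nacc = 0
    out = bytearray()
    for ch in encoded:
        if ch not in index:
            raise ValueError(f"symbol {ch!r} is not in the alphabet")
        acc = (acc << n_bits) | index[ch]
        nacc += n_bits
        while nacc >= 8:
            nacc -= 8
            out.append((acc >> nacc) & 0xFF)
    if acc & ((1 << nacc) - 1):        # leftover padding bits must be zero
        raise ValueError("non-zero padding bits; input is corrupt")
    return out.hex()


def confusables_in(alphabet: str) -> set:
    """Which easily-confused characters an alphabet still contains."""
    return CONFUSABLE & set(alphabet)


def getOTP64(otp_hex: str) -> str:
    return encode_otp(otp_hex, 6, ALPHABET64)


def getOTP32(otp_hex: str) -> str:
    return encode_otp(otp_hex, 5, ALPHABET32)


if __name__ == "__main__":
    sample = "0123456789ab"            # constructed sample, not a real OTP
    print(getOTP64(sample), decode_otp(getOTP64(sample), 6, ALPHABET64))
    print(getOTP32(sample + "cd"))
    print(sorted(confusables_in(ALPHABET64)), sorted(confusables_in(ALPHABET32)))
```

Six input bytes pack exactly into eight 6-bit symbols; seven bytes give eleven 5-bit symbols plus one leftover bit, which the padding rule turns into a twelfth symbol. The length check on the alphabet is what catches a mask and a lookup table that disagree, which is exactly the kind of mistake a hard-coded 63 hides.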