「利用者:T4NeGMp7P4en/sandbox」の版間の差分

ここはT4NeGMp7P4enさんの利用者サンドボックスです。編集を試したり下書きを置いておいたりするための場所であり、百科事典の記事ではありません。ただし、公開の場ですので、許諾されていない文章の転載はご遠慮ください。 登録利用者は自分用の利用者サンドボックスを作成できます（サンドボックスを作成する、解説）。 その他のサンドボックス: 共用サンドボックス | モジュールサンドボックス 記事がある程度できあがったら、編集方針を確認して、新規ページを作成しましょう。

• en:Special:Permalink/1249251528
• HMAC-based One-time Password

HMAC-based one-time password (HOTP)は、HMACを利用したワンタイムパスワード (OTP)のアルゴリズムであり、オープン標準として無料公開されている。また、OATHの基礎となっている。

HOTPは、そのアルゴリズムおよびJavaでの実装例を文書化したRFC 4226という形で、2005年12月に公開された。以来、多くの企業で採用されている。

HOTPは、一回分の認証試行に限り使用可能な(使い捨ての)パスワードとして、人間にも判読しやすい値を対称的に生成するという方法で本人認証を実現する。使い捨てであるという特性は、生成する度にカウンタの値が変動することに由来する。

Parties intending to use HOTP must establish some parameters; typically these are specified by the authenticator, and either accepted or not by the authenticated:

• ${\displaystyle H}$：暗号学的ハッシュ関数

  デフォルトはSHA-1

• ${\displaystyle K}$：共有シークレット

  非公開のランダムなバイト列、BASE32形式で格納される

• ${\displaystyle C}$：カウンタ

  これまでの生成回数を指す

• ${\displaystyle d}$：出力値の長さ

  6–10、デフォルトは6、推奨値は6-8

Both parties compute the HOTP value derived from the secret key ${\displaystyle K}$ and the counter ${\displaystyle C}$. Then the authenticator checks its locally generated value against the value supplied by the authenticated.

The authenticator and the authenticated increment the counter ${\displaystyle C}$ independently of each other, where the latter may increase ahead of the former, thus a resynchronisation protocol is wise. RFC 4226 does not actually require any such, but does make a recommendation. This simply has the authenticator repeatedly try verification ahead of their counter through a window of size s. The authenticator's counter continues forward of the value at which verification succeeds and requires no actions by the authenticated.

The recommendation is made that persistent throttling of HOTP value verification take place, to address their relatively small size and thus vulnerability to brute-force attacks. It is suggested that verification be locked out after a small number of failed attempts or that each failed attempt attracts an additional (linearly increasing) delay.

6-digit codes are commonly provided by proprietary hardware tokens from a number of vendors informing the default value of ${\displaystyle d}$. Truncation extracts 31 ビット or ${\textstyle \log _{10}(2^{31})\approx 9.3}$ decimal digits, meaning that ${\displaystyle d}$ can be at most 10, with the 10th digit adding less variation, taking values of 0, 1, and 2 (i.e., 0.3 digits).

After verification, the authenticator can authenticate itself simply by generating the next HOTP value, returning it, and then the authenticated can generate their own HOTP value to verify it. Note that counters are guaranteed to be synchronised at this point in the process.

The HOTP value is the human-readable design output, a ${\displaystyle d}$-digit decimal number (without omission of leading 0s):

HOTP value = HOTP(${\displaystyle K}$, ${\displaystyle C}$) mod 10^{${\displaystyle d}$}.

That is, the value is the ${\displaystyle d}$ least significant base-10 digits of HOTP.

HOTP is a truncation of the HMAC of the counter ${\displaystyle C}$ (under the key ${\displaystyle K}$ and hash function ${\displaystyle H}$):

HOTP(${\displaystyle K}$, ${\displaystyle C}$) = truncate(HMAC_{${\displaystyle H}$}(${\displaystyle K}$, ${\displaystyle C}$)),

where the counter ${\displaystyle C}$ must be used ビッグエンディアン.

Truncation first takes the 4 least significant bits of the MAC and uses them as a byte offset i:

truncate(MAC) = extract31(MAC, MAC[(19 × 8 + 4):(19 × 8 + 7)]),

where ":" is used to extract bits from a starting bit number up to and including an ending bit number, where these bit numbers are 0-origin. The use of "19" in the above formula relates to the size of the output from the hash function. With the default of SHA-1, the output is 20 バイト, and so the last byte is byte 19 (0-origin).

That index i is used to select 31 bits from MAC, starting at bit i × 8 + 1:

extract31(MAC, i) = MAC[(i × 8 + 1):(i × 8 + 4 × 8 − 1)].

31 bits are a single bit short of a 4-byte word. Thus the value can be placed inside such a word without using the sign bit (the most significant bit). This is done to definitely avoid doing modular arithmetic on negative numbers, as this has many differing definitions and implementations.^[1]

Both hardware and software tokens are available from various vendors, for some of them see references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms.^[2] As of 2010, OATH HOTP hardware tokens can be purchased for a marginal price.^[3] Some products can be used for strong passwords as well as OATH HOTP.^[4]

Software tokens are available for (nearly) all major mobile/スマートフォン platforms (J2ME,^[5] Android,^[6] iPhone,^[7] BlackBerry,^[8] Maemo,^[9] macOS,^[10] and Windows Mobile^[8]).

このページは更新が必要とされています。 このページには古い情報が掲載されています。編集の際に新しい情報を記事に反映させてください。反映後、このタグは除去してください。（2024年10月）

Although the early reception from some of the computer press was negative during 2004 and 2005,^[11][12][13] after IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP-compatible tokens and/or whole authentication solutions.

According to the article "Road Map: Replacing Passwords with OTP Authentication"^[2] on strong authentication, published by Burton Group (a division of ガートナー) in 2010, "ガートナー's expectation is that the hardware OTP form factor will continue to enjoy modest growth while スマートフォン OTPs will grow and become the default hardware platform over time."

• Initiative for Open Authentication
• S/KEY（英語版）
• Time-based One-time Password (TOTP)

• RFC 4226 HOTP: An HMAC-Based One-Time Password Algorithm
• RFC 6238 TOTP: Time-Based One-Time Password Algorithm
• RFC 6287 OCRA: OATH Challenge-Response Algorithm
• Initiative For Open Authentication
• Implementation of RFC 4226 - HOPT Algorithm Step by step Python implementation in a Jupyter Notebook