Safe Haskell | None |
---|---|
Language | Haskell2010 |
One-time password implementation as defined by the HOTP and TOTP specifications.
Both implementations use a shared key between the client and the server. HOTP passwords are based on a synchronized counter. TOTP passwords use the same approach but calculate the counter as a number of time steps from the Unix epoch to the current time, thus requiring that both client and server have synchronized clocks.
Probably the best-known use of TOTP is in Google's 2-factor authentication.
The TOTP API doesn't depend on any particular time package, so the user needs to supply
the current OTPTime
value, based on the system time. For example, using the hourglass
package, you could create a getOTPTime
function:
>>>
import Time.System
>>>
import Time.Types
>>>
>>>
let getOTPTime = timeCurrent >>= \(Elapsed t) -> return (fromIntegral t :: OTPTime)
Or if you prefer, the time
package could be used:
>>>
import Data.Time.Clock.POSIX
>>>
>>>
let getOTPTime = getPOSIXTime >>= \t -> return (floor t :: OTPTime)
- type OTP = Word32
- data OTPDigits
- type OTPTime = Word64
- hotp :: forall hash key. (HashAlgorithm hash, ByteArrayAccess key) => hash -> OTPDigits -> key -> Word64 -> OTP
- resynchronize :: (HashAlgorithm hash, ByteArrayAccess key) => hash -> OTPDigits -> Word16 -> key -> Word64 -> (OTP, [OTP]) -> Maybe Word64
- totp :: (HashAlgorithm hash, ByteArrayAccess key) => TOTPParams hash -> key -> OTPTime -> OTP
- totpVerify :: (HashAlgorithm hash, ByteArrayAccess key) => TOTPParams hash -> key -> OTPTime -> OTP -> Bool
- data TOTPParams h
- data ClockSkew
- = NoSkew
- | OneStep
- | TwoSteps
- | ThreeSteps
- | FourSteps
- defaultTOTPParams :: TOTPParams SHA1
- mkTOTPParams :: HashAlgorithm hash => hash -> OTPTime -> Word16 -> OTPDigits -> ClockSkew -> Either String (TOTPParams hash)
Documentation
The strength of the calculated HOTP value, namely the number of digits (between 4 and 9) in the extracted value.
:: (HashAlgorithm hash, ByteArrayAccess key) | |
=> hash | |
-> OTPDigits | Number of digits in the HOTP value extracted from the calculated HMAC |
-> key | Shared secret between the client and server |
-> Word64 | Counter value synchronized between the client and server |
-> OTP | The HOTP value |
:: (HashAlgorithm hash, ByteArrayAccess key) | |
=> hash | |
-> OTPDigits | |
-> Word16 | The look-ahead window parameter. Up to this many values will be calculated and checked against the value(s) submitted by the client |
-> key | The shared secret |
-> Word64 | The current server counter value |
-> (OTP, [OTP]) | The first OTP submitted by the client and a list of additional sequential OTPs (which may be empty) |
-> Maybe Word64 | The new counter value, synchronized with the client's current counter or Nothing if the submitted OTP values didn't match anywhere within the window |
Attempt to resynchronize the server's counter value with the client, given a sequence of HOTP values.
:: (HashAlgorithm hash, ByteArrayAccess key) | |
=> TOTPParams hash | |
-> key | The shared secret |
-> OTPTime | The time for which the OTP should be calculated.
This is usually the current time as returned by |
-> OTP |
Calculate a totp value for the given time.
totpVerify :: (HashAlgorithm hash, ByteArrayAccess key) => TOTPParams hash -> key -> OTPTime -> OTP -> Bool Source #
Check a supplied TOTP value is valid for the given time, within the window defined by the skew parameter.
data TOTPParams h Source #
Show h => Show (TOTPParams h) Source # | |
defaultTOTPParams :: TOTPParams SHA1 Source #
The default TOTP configuration.
:: HashAlgorithm hash | |
=> hash | |
-> OTPTime | The T0 parameter in seconds. This is the Unix time from which to start counting steps (default 0). Must be before the current time. |
-> Word16 | The time step parameter X in seconds (default 30, maximum allowed 300) |
-> OTPDigits | Number of required digits in the OTP (default 6) |
-> ClockSkew | The number of time steps to check either side of the current value to allow for clock skew between client and server and or delay in submitting the value. The default is two time steps. |
-> Either String (TOTPParams hash) |
Create a TOTP configuration with customized parameters.