Sending single sign in tokens using Keyboard HID for TOTP sign in #3513
Replies: 25 comments
-
Posted at 2019-08-10 by user101436 I think I have found the issue: the OTPAuth is too large when loaded with the crypto.js lib.
Gives the following error
I will look for a different OTP lib
-
Posted at 2019-08-10 by user101436 I am now trying Tiny-OTP which is only 4K when minified. I still get a memory error
-
Posted at 2019-08-10 by user101436 Now trying JS-OTP but still running low on memory...
-
Posted at 2019-08-10 by Robin Sat 2019.08.10 Hello @user101436, while I'm not going to be able to find a solution to the issue you have, as the crypto and OAuth topics are beyond my knowledge base, I can confirm that attempting to load just the otp file on to an MDBT42Q produces the same error.
I don't have a Puck nor a Pixl handy, but I believe the Pixl has the same memory capacity. Would you mind posting I double checked with Google's Closure Compiler and there don't appear to be obvious code/string related errors. I saved the .min.js file to disk on Windows10 and have a file size of 25K. I was able to load a 29K file onto the MDBT board, but my file has comment blocks that are stripped prior to upload. Are you able to pare down that file?
Do you know if this otp module can even be loaded on to an Espruino device?
Around the fifth line down scares me a bit. If this is the browser window object, this file may eventually load, but possibly not execute on an Espruino device.
-
Posted at 2019-08-10 by AkosLukacs
The You can try one thing: In the Web IDE settings, go to Communication, and
Btw https://github.com/triestpa/Tiny-OTP fits this way, but there is an error running it:
I think Espruino doesn't support default parameters. As Robin said, there could be a couple of tiny issues preventing you from uploading code that runs fine on node or in browser...
-
Posted at 2019-08-10 by Robin Sat 2019.08.10
Bingo! @AkosLukacs you are correct. Not implemented yet. Below ES6 heading:
-
Posted at 2019-08-12 by user101436 Thanks for the suggestions. I have JS-OTP (One Time Password) loading now without the error or memory warning by editing out the ES6 default values. I cut and pasted the GitHub code into the right hand IDE panel and uploaded it from there. I also removed any browser objects as the code was designed to work in browser. But I hit a new issue with HMAC. (HMAC stands for Keyed-Hashing for Message Authentication) The hash features used by JS-OTP and TinyOTP expect a .hmac method on the hash object. The built in crypto libs do not have this feature. I don't think I can implement HMAC so I am looking for an OTP implementation that is not using HMAC. I will update here when I make progress.
-
Posted at 2020-04-27 by user111898 @user101436 Did you make any progress? I'm struggling with the same issue. I would really love to secure some stuff via TOTP. You know there's the crypto module and the hmac module but there is no tutorial to use them correctly or to create TOTPs. There is just an outdated tutorial on https://www.espruino.com/hmac because they removed the hashlib with version 2v00 (see changelog https://www.espruino.com/ChangeLog).
-
Posted at 2020-04-28 by ColinP Hello, I've just gone down a rabbit hole trying to discover how best to do this, and have written some Python code that seems to work. I think it should be OK to translate this into Javascript.
I found a Javascript SHA1 implementation that works in the Espruino simulator at http://webtoolkit.info/javascript_sha1.html
I had some Python code to do TOTP tokens so had a go at rewriting it to use my own HMAC algorithm based on the Wikipedia page https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
I think the Javascript code above returns the digest as hex - it will need to be changed to return an array of bytes but I haven't looked how to do that. But once that is done, I think my python call to sha1() can just use the Javascript code.
The "get_hotp_token" function was the original one - I forget where it came from. From what I can see my function and this function return the same results.
I hope it should be OK to transliterate my Python code into Javascript. The 'chr' and 'ord' function should be removed - this is as the code uses Python strings, but Javascript arrays won't have this problem. Likewise, the 'b'\x00' *' part is a Python thing that would need to be rewritten for Javascript. I hope my code when combined with the Javascript SHA1 code gives some help anyway.
-
Posted at 2020-04-28 by ColinP Hmm. The posting above went a bit wrong - I guess I'm posting Python code rather than Javascript. Here is the garbled bit, not marked as code to hopefully keep the forum happy

    def colin_hotp_token(secret, intervals_no):
        # Key is a 10 byte array
        key = base64.b32decode(secret, True)
        # Python debug : print the key as bytes
        #print "KEY",[ord(x) for x in key]
        #keybytes=[0, 68, 50, 20, 199, 66, 64, 17, 12, 133]
        # msg is 8 bytes long - number with last byte = least significant
        msg = struct.pack(">Q", intervals_no)
-
Posted at 2020-07-22 by coajaxial Finally got it working using built in SHA1 of the crypto module and a custom implementation of HMAC. Performance: ~16ms per token
-
Posted at 2020-07-23 by @gfwilliams Nice - thanks for posting up! So is that HMAC pretty much standard such that it can interact with other devices? Would you be willing to have that put into Espruino as a module? It seems like it'd be pretty useful to a lot of people
-
Posted at 2020-07-23 by coajaxial Here is a generic implementation of HMAC. I used the pseudo code from Wikipedia (https://en.wikipedia.org/wiki/HMAC) to implement this in Espruino-compatible JS.
So, to implement a HMAC_SHA1, you can just "curry" the function:
Usage:
This will print ba38a78074db157c10feb8ed1845975ecdf2b5d9. You can verify this here: https://www.freeformatter.com/hmac-generator.html
I used some helper functions to convert byte arrays to string and vice-versa:
I will try to create a module, I will post further progress here.
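As an added example (not coajaxial's posted code or the published module): the HMAC construction from the Wikipedia pseudocode, curried into HMAC-SHA1 and carried through to HOTP/TOTP as specified in RFC 4226 and RFC 6238. It runs on Node.js, where `crypto.createHash` is an assumed stand-in for the built-in SHA1 mentioned in the thread; all function names are chosen for this example.

```javascript
// Added example, not coajaxial's module. Runs on Node.js; sha1() is the only
// platform-specific part (assumed stand-in for Espruino's built-in SHA1).
// No default parameters are used, since the thread reports them unsupported.
const nodeCrypto = require("crypto");

function sha1(bytes) { // Uint8Array in, 20-byte Uint8Array out
  return new Uint8Array(nodeCrypto.createHash("sha1").update(bytes).digest());
}

function concat(a, b) {
  const out = new Uint8Array(a.length + b.length);
  out.set(a, 0);
  out.set(b, a.length);
  return out;
}

// Generic HMAC; blockSize is the hash's input block size (64 for SHA-1).
function hmac(hash, blockSize, key, message) {
  if (key.length > blockSize) key = hash(key); // over-long keys are hashed first
  const ipad = new Uint8Array(blockSize).fill(0x36);
  const opad = new Uint8Array(blockSize).fill(0x5c);
  for (let i = 0; i < key.length; i++) { ipad[i] ^= key[i]; opad[i] ^= key[i]; }
  return hash(concat(opad, hash(concat(ipad, message))));
}

function hmacSha1(key, message) { return hmac(sha1, 64, key, message); }

// HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then truncate.
function hotp(key, counter, digits) {
  const msg = new Uint8Array(8);
  for (let i = 7; i >= 0; i--) { // divide: JS bitwise operators are 32-bit only
    msg[i] = counter % 256;
    counter = Math.floor(counter / 256);
  }
  const mac = hmacSha1(key, msg);
  const off = mac[19] & 0x0f; // low nibble of the last byte picks the offset
  const bin = (mac[off] & 0x7f) * 0x1000000 + (mac[off + 1] << 16) +
              (mac[off + 2] << 8) + mac[off + 3];
  return String(bin % Math.pow(10, digits)).padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
function totp(key, unixSeconds, digits) {
  return hotp(key, Math.floor(unixSeconds / 30), digits);
}

function toBytes(str) { return Uint8Array.from(Buffer.from(str, "latin1")); }
function toHex(bytes) { return Buffer.from(bytes).toString("hex"); }
console.log(totp(toBytes("12345678901234567890"), 59, 8)); // RFC 6238 test secret -> 94287082
```

A token from `totp()` only verifies if the device clock agrees with the verifier's to within the accepted step window, so the clock has to be set before tokens are sent.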
-
Posted at 2020-07-23 by @gfwilliams That's awesome - thanks! Even just those few lines of HMAC would be amazingly useful.
-
Posted at 2020-07-24 by coajaxial Is there any performance gain when using Uint8Arrays over normal arrays? The thing is, normal arrays have operations like
-
Posted at 2020-07-24 by @MaBecker One optimization could be using E.toArrayBuffer()
-
Posted at 2020-07-24 by @MaBecker @coajaxial Do you have a snippet how to decode ba38a78074db157c10feb8ed1845975ecdf2b5d9 back to "This is my message" ?
-
Posted at 2020-07-24 by @MaBecker What about using map to convert to hex string?
-
Posted at 2020-07-27 by @gfwilliams
Yes, there's quite a bit - also memory usage is miles lower :) However it depends how many array items you have - if it's ~32 then it probably doesn't matter - if it's more than that then Uint8Array will be noticeably better.
In that case you'd have to do something like:
It's slightly more long-winded but is far faster than a FOR-loop copy :)
-
Posted at 2020-07-30 by @MaBecker Forget about my decode question. HMAC is a MAC/keyed hash, not a cipher. It's not designed to be decrypted.
-
Posted at 2020-08-02 by coajaxial Finally had some time to create the modules: I will add proper READMEs soon. Usage:
-
Posted at 2020-08-03 by @gfwilliams This looks great - thanks!
-
Posted at 2020-09-30 by @gfwilliams Just wanted to check - please can I pull these into the core set of Espruino modules in the EspruinoDocs repo?
-
Posted at 2020-10-06 by coajaxial
yes, of course!
-
Posted at 2020-10-06 by @gfwilliams Thanks! Just added with espruino/EspruinoDocs@ab0f7fa - it'll be live in a day or so.
-
Posted at 2019-08-10 by user101436
Hi, I am trying to generate time based single sign on tokens on my Pixl and puckjs. These can then be sent to a PC or phone over BT via the keyboard HID.
My research so far says that I need the crypto.js lib from modules and OTPAuth from npm as it has no dependencies.
So far I am only getting errors. I think I do not have my requires working. I will post more after I get better results.