RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 6287, "OCRA: OATH Challenge-Response Algorithm", June 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 3730

Status: Reported
Type: Technical

Reported By: Simon Josefsson
Date Reported: 2013-09-17

Section 5.2 says:

   This table summarizes all possible values for the CryptoFunction:

     +---------------+--------------------+-------------------------+
     |      Name     | HMAC Function Used |  Size of Truncation (t) |
     +---------------+--------------------+-------------------------+
     |  HOTP-SHA1-t  |      HMAC-SHA1     | 0 (no truncation), 4-10 |
     | HOTP-SHA256-t |     HMAC-SHA256    | 0 (no truncation), 4-10 |
     | HOTP-SHA512-t |     HMAC-SHA512    | 0 (no truncation), 4-10 |
     +---------------+--------------------+-------------------------+

It should say:

   This table summarizes all possible values for the CryptoFunction:

     +---------------+--------------------+-------------------------+
     |      Name     | HMAC Function Used |  Size of Truncation (t) |
     +---------------+--------------------+-------------------------+
     |  HOTP-SHA1-t  |      HMAC-SHA1     | 0 (no truncation), 4-9  |
     | HOTP-SHA256-t |     HMAC-SHA256    | 0 (no truncation), 4-9  |
     | HOTP-SHA512-t |     HMAC-SHA512    | 0 (no truncation), 4-9  |
     +---------------+--------------------+-------------------------+

Notes:

The change disallows 10 digit OCRA codes. The reason for this is subtle and could be discussed. An alternative to disallowing 10 digit codes is to add a Security Consideration discussion about the behaviour when 10 is used.

The Truncate function defined in RFC 4226 section 5.3 works on 31-bit numbers and uses modulo 10^Digit. When Digit=10, that means 10^10. However, 2^31 is smaller than 10^10. This means that the output code can never take on values 2^31..10^10 which causes a significant bias in the number of valid codes.

The entire security analysis in RFC 4226 assumes this is not the case. For example quoting section A.5 "Security Analysis of HOTP": "Suppose m = 10^Digit < 2^31,".

To clarify, there is no attack enabled by this flaw. OCRA with 10 digit codes just doesn't offer as good security as it could. 10 digits is only roughly twice as secure as 9 digit codes instead of 10 times as one would expect.

Report New Errata