RFC Errata
RFC 6287, "OCRA: OATH Challenge-Response Algorithm", June 2011
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 3900
Status: Held for Document Update
Type: Editorial
Publication Format(s): TEXT
Reported By: Marcus Bring
Date Reported: 2014-02-24
Held for Document Update by: Stephen Farrell
Date Held: 2014-07-03
Section Appendix A. says:
 * @param password a password that can be used, HEX encoded
 .
 .
 .
 // Put the bytes of "password" to the message
 // Input is HEX encoded
It should say:
 * @param password a password that can be used, hashed with the
 *                 SHA-version declared in OCRA-suite and HEX encoded.
 .
 .
 .
 // Put the bytes of "password" to the message
 // Input is SHA hashed and HEX encoded
Notes:
The password should be hashed as stated in the RFC and as it is done in the testOCRA class.
This should also eliminate the need to pad the password with zeros since the hash is always of the correct length.
    // Password - sha1
    if(DataInput.toLowerCase().indexOf("psha1") > 1){
        passwordLength=20;
    }
    // Password - sha256
    if(DataInput.toLowerCase().indexOf("psha256") > 1){
        passwordLength=32;
    }
    // Password - sha512
    if(DataInput.toLowerCase().indexOf("psha512") > 1){
        passwordLength=64;
    }
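Added example, not part of the erratum or of the RFC's reference code: one way a caller could prepare the "password" argument as the corrected comment describes, by reading the P field of the OCRA suite, hashing the PIN with that digest and HEX encoding the result. The class and method names, the UTF-8 encoding of the PIN, the empty string returned when the suite declares no P field, and the sample PIN and suite strings are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class OcraPasswordInput { // hypothetical helper class

    // Map the P field in the DataInput part of an OCRA suite to a JCA digest name.
    static String digestForSuite(String ocraSuite) {
        String[] parts = ocraSuite.split(":");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected Algorithm:CryptoFunction:DataInput");
        }
        for (String field : parts[2].toUpperCase(Locale.ROOT).split("-")) {
            switch (field) {
                case "PSHA1":   return "SHA-1";
                case "PSHA256": return "SHA-256";
                case "PSHA512": return "SHA-512";
                default:        break; // not a password field, keep scanning
            }
        }
        return null; // suite declares no password input
    }

    // Hash the PIN with the digest the suite declares and HEX encode the result.
    static String passwordParam(String ocraSuite, String pin) throws NoSuchAlgorithmException {
        String alg = digestForSuite(ocraSuite);
        if (alg == null) {
            return ""; // assumption: no P field means no password bytes are supplied
        }
        byte[] hash = MessageDigest.getInstance(alg).digest(pin.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String pin = "1234"; // constructed sample PIN
        String[] suites = { "OCRA-1:HOTP-SHA1-6:QN08-PSHA1", // constructed suite strings
            "OCRA-1:HOTP-SHA256-8:QN08-PSHA256", "OCRA-1:HOTP-SHA512-8:QN08-PSHA512" };
        for (String suite : suites) {
            String p = passwordParam(suite, pin);
            System.out.println(suite + " -> " + (p.length() / 2) + " bytes: " + p);
        }
    }
}
```

The decoded lengths are 20, 32 and 64 bytes, the same values the snippet above assigns to passwordLength, so no zero padding is involved.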