Errata Search
RFC Number:		Errata ID:
Source of RFC		Status:	All/Any Verified+Reported Verified Reported Held for Document Update Rejected
Area Acronym:	All/Any app art gen int ops rai rtg sec tsv wit	Type:	All/Any Editorial Technical
WG Acronym:		Submitter Name:
Other:	All/Any IAB INDEPENDENT IRTF Legacy Editorial	Date Submitted:
Summary Table Full Records

RFC 6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

---

Errata ID: 5132
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Gerrit Jansen van Vuuren
Date Reported: 2017-09-28

Section Appendix B says:

The test token shared secret uses the ASCII string value
   "12345678901234567890"

It should say:

The test token used for each SHA mode is:
// Seed for HMAC-SHA1 - 20 bytes
         String seed = "3132333435363738393031323334353637383930";
         // Seed for HMAC-SHA256 - 32 bytes
         String seed32 = "3132333435363738393031323334353637383930" +
         "313233343536373839303132";
         // Seed for HMAC-SHA512 - 64 bytes
         String seed64 = "3132333435363738393031323334353637383930" +
         "3132333435363738393031323334353637383930" +
         "3132333435363738393031323334353637383930" +
         "31323334";

Notes:

The text suggests that the secret "12345678901234567890" is used, when in fact this value cannot be found in the reference implementation test generation code and leads to different values (as is expected). The actual secret used is called seed, seed32 and seed64 in the reference implementation test generation code.

Report New Errata