RFC Errata
RFC 4226, "HOTP: An HMAC-Based One-Time Password Algorithm", December 2005
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 6756
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Nicholas Gaya
Date Reported: 2021-11-28
Section 5.3 says:
Let OffsetBits be the low-order 4 bits of String[19]
It should say:
Let OffsetBits be the low-order 4 bits of the last byte of String
Notes:
This change does not affect the computation for 20-byte HMAC-SHA-1 digests. However, when using the HMAC-SHA-256 or HMAC-SHA-512 functions as suggested in RFC-6238, the 19th byte and the last byte may differ.
The proposed change matches the reference implementations of both RFC-4226 and RFC-6238 and removes potential ambiguity as to whether implementations should use the 19th byte or the last byte of the digest to determine the offset for dynamic truncation.
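The following is an added example, not part of the erratum or of either RFC's reference code. It implements dynamic truncation with the offset taken either from the last digest byte or from the byte at index 19 (String[19]), so the two readings can be compared across digest sizes; the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct


def hmac_digest(key: bytes, counter: int, algo: str) -> bytes:
    """HMAC over the 8-byte big-endian counter (RFC 4226 Section 5.2)."""
    return hmac.new(key, struct.pack(">Q", counter), algo).digest()


def truncate(digest: bytes, offset_index: int, digits: int) -> str:
    """Dynamic truncation; offset_index selects the byte holding OffsetBits."""
    offset = digest[offset_index] & 0x0F            # low-order 4 bits
    chunk = digest[offset:offset + 4]               # 4 bytes starting at offset
    code = int.from_bytes(chunk, "big") & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def hotp_last_byte(key, counter, algo="sha1", digits=6):
    """Offset from the last byte of the digest (the corrected wording)."""
    return truncate(hmac_digest(key, counter, algo), -1, digits)


def hotp_index_19(key, counter, algo="sha1", digits=6):
    """Offset from String[19] (the literal Section 5.3 wording)."""
    return truncate(hmac_digest(key, counter, algo), 19, digits)


def first_divergence(key, algo, limit=1000):
    """First counter below limit where the two readings give different codes."""
    for counter in range(limit):
        if hotp_last_byte(key, counter, algo) != hotp_index_19(key, counter, algo):
            return counter
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # test secret from RFC 4226 Appendix D
    for algo in ("sha1", "sha256", "sha512"):
        size = hashlib.new(algo).digest_size
        print(f"{algo}: digest {size} bytes, "
              f"first divergent counter: {first_divergence(key, algo)}")
```

Two implementations that disagree on which byte holds the offset will interoperate under HMAC-SHA-1 and reject each other's codes under the longer digests, so a verifier should be checked against the published test vectors for every digest it accepts.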