diff options
| author | David Reid <dreid@dreid.org> | 2014-02-25 10:51:52 -0800 | 
|---|---|---|
| committer | David Reid <dreid@dreid.org> | 2014-02-25 10:51:52 -0800 | 
| commit | eaf4595794516c7c3a4284dce1c9acc8faa122fa (patch) | |
| tree | 09c77db79276261c2fb9ca01ae5b4a8e8a36029b /docs/hazmat/primitives | |
| parent | a62d2f5abb953ae761b30b7f09038864602bdc2b (diff) | |
| parent | c18dc45eb241d58ec0e81d04ec3f961ad7562ad0 (diff) | |
| download | cryptography-eaf4595794516c7c3a4284dce1c9acc8faa122fa.tar.gz cryptography-eaf4595794516c7c3a4284dce1c9acc8faa122fa.tar.bz2 cryptography-eaf4595794516c7c3a4284dce1c9acc8faa122fa.zip | |
Merge pull request #637 from Ayrx/totp-impl
TOTP Implementation
Diffstat (limited to 'docs/hazmat/primitives')
| -rw-r--r-- | docs/hazmat/primitives/twofactor.rst | 102 | 
1 files changed, 81 insertions, 21 deletions
| diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst index 9d661612..06be151e 100644 --- a/docs/hazmat/primitives/twofactor.rst +++ b/docs/hazmat/primitives/twofactor.rst @@ -13,13 +13,13 @@ codes (HMAC).  .. currentmodule:: cryptography.hazmat.primitives.twofactor.hotp -.. class:: HOTP(key, length, backend) +.. class:: HOTP(key, length, algorithm, backend)      .. versionadded:: 0.3 -    HOTP objects take a ``key`` and ``length`` parameter. The ``key`` -    should be randomly generated bytes and is recommended to be 160 bits in -    length. The ``length`` parameter controls the length of the generated +    HOTP objects take a ``key``, ``length`` and ``algorithm`` parameter. The +    ``key`` should be randomly generated bytes and is recommended to be 160 +    bits in length. The ``length`` parameter controls the length of the generated      one time password and must be >= 6 and <= 8.      This is an implementation of :rfc:`4226`. @@ -29,23 +29,28 @@ codes (HMAC).          >>> import os          >>> from cryptography.hazmat.backends import default_backend          >>> from cryptography.hazmat.primitives.twofactor.hotp import HOTP - -        >>> key = b"12345678901234567890" -        >>> hotp = HOTP(key, 6, backend=default_backend()) -        >>> hotp.generate(0) -        '755224' -        >>> hotp.verify(b"755224", 0) - -    :param bytes key: Secret key as ``bytes``. This value must be generated in a -                      cryptographically secure fashion and be at least 128 bits. -                      It is recommended that the key be 160 bits. +        >>> from cryptography.hazmat.primitives.hashes import SHA1 +        >>> key = os.urandom(16) +        >>> hotp = HOTP(key, 6, SHA1(), backend=default_backend()) +        >>> hotp_value = hotp.generate(0) +        >>> hotp.verify(hotp_value, 0) + +    :param bytes key: Per-user secret key. This value must be kept secret +                      and be at least 128 bits. It is recommended that the +                      key be 160 bits.      :param int length: Length of generated one time password as ``int``. +    :param HashAlgorithm algorithm: A +        :class:`~cryptography.hazmat.primitives.hashes` +        provider.      :param backend: A          :class:`~cryptography.hazmat.backends.interfaces.HMACBackend`          provider. -    :raises ValueError: This is raised if the provided ``key`` is shorter 128 bits -                        or if the ``length`` parameter is not between 6 to 8. - +    :raises ValueError: This is raised if the provided ``key`` is shorter than 128 bits +                        or if the ``length`` parameter is not 6, 7 or 8. +    :raises UnsupportedAlgorithm: This is raised if the provided ``algorithm`` is not +                                  :class:`~cryptography.hazmat.primitives.hashes.SHA1()`, +                                  :class:`~cryptography.hazmat.primitives.hashes.SHA256()` +                                  or :class:`~cryptography.hazmat.primitives.hashes.SHA512()`.      .. method:: generate(counter) @@ -55,12 +60,12 @@ codes (HMAC).      .. method:: verify(hotp, counter)          :param bytes hotp: The one time password value to validate. -        :param bytes counter: The counter value to validate against. +        :param int counter: The counter value to validate against.          :raises cryptography.exceptions.InvalidToken: This is raised when the supplied HOTP                                                        does not match the expected HOTP.  Throttling ----------- +~~~~~~~~~~  Due to the fact that the HOTP algorithm generates rather short tokens that are 6 - 8 digits  long, brute force attacks are possible. It is highly recommended that the server that @@ -69,7 +74,7 @@ time after a number of failed attempts. The number of allowed attempts should be  possible while still ensuring that usability is not significantly impacted.  Re-synchronization of the Counter ---------------------------------- +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  The server's counter value should only be incremented on a successful HOTP authentication.  However, the counter on the client is incremented every time a new HOTP value is requested. @@ -93,4 +98,59 @@ This can be accomplished with something similar to the following code.              except InvalidToken:                  pass -        return correct_counter
\ No newline at end of file +        return correct_counter + +.. currentmodule:: cryptography.hazmat.primitives.twofactor.totp + +.. class:: TOTP(key, length, algorithm, time_step, backend) + +    TOTP objects take a ``key``, ``length``, ``algorithm`` and ``time_step`` +    parameter. The ``key`` should be randomly generated bytes and is recommended +    to be as long as your hash function's output (e.g 256-bit for SHA256). +    The ``length`` parameter controls the length of the generated one time +    password and must be >= 6 and <= 8. + +    This is an implementation of :rfc:`6238`. + +    .. doctest:: + +        >>> import os +        >>> import time +        >>> from cryptography.hazmat.backends import default_backend +        >>> from cryptography.hazmat.primitives.twofactor.totp import TOTP +        >>> from cryptography.hazmat.primitives.hashes import SHA1 +        >>> key = os.urandom(16) +        >>> totp = TOTP(key, 8, SHA1(), 30, backend=default_backend()) +        >>> time_value = time.time() +        >>> totp_value = totp.generate(time_value) +        >>> totp.verify(totp_value, time_value) + +    :param bytes key: Per-user secret key. This value must be kept secret +                      and be at least 128 bits. It is recommended that the +                      key be 160 bits. +    :param int length: Length of generated one time password as ``int``. +    :param HashAlgorithm algorithm: A +        :class:`~cryptography.hazmat.primitives.hashes` +        provider. +    :param int time_step: The time step size. The recommended size is 30. +    :param backend: A +        :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` +        provider. +    :raises ValueError: This is raised if the provided ``key`` is shorter than 128 bits +                        or if the ``length`` parameter is not 6, 7 or 8. +    :raises UnsupportedAlgorithm: This is raised if the provided ``algorithm`` is not +                                  :class:`~cryptography.hazmat.primitives.hashes.SHA1()`, +                                  :class:`~cryptography.hazmat.primitives.hashes.SHA256()` +                                  or :class:`~cryptography.hazmat.primitives.hashes.SHA512()`. + +    .. method:: generate(time) + +        :param int time: The time value used to generate the one time password. +        :return bytes: A one time password value. + +    .. method:: verify(totp, time) + +        :param bytes totp: The one time password value to validate. +        :param int time: The time value to validate against. +        :raises cryptography.exceptions.InvalidToken: This is raised when the supplied TOTP +                                                      does not match the expected TOTP. | 
