I am trying to count manual HMAC SHA-1 truncation for HOTP but it doesn't give back the same result as I count it with source code. For example I have code to generate HMAC SHA-1 as:
$hash = hash_hmac('sha1','375317186160478973','test');
It will give me HMAC = c359e469b8ef0939f83e79a300b20a6ef4b53a05
And divide it into [19] arrays so it will be:
c3 59 e4 69 b8 ef 09 39 f8 3e 79 a3 00 b2 0a 6e f4 b5 3a 05
From the last array I have 05 (101 in binary) and after do the 101 & 0xf = 5
So I count from the 5th arrays ef (11101111) 09 (1001) 39 (111001) f8 (11111000)
After that do the (((11101111) & 0x7f) << 24) | (((1001) & 0xff) << 16) | (((111001) & 0xff) << 8) | ((11111000) & 0xff)) % pow (10,6)
It give me a result as: 56024
But if I use this code:
$offset = ($hash[19]) & 0xf;
$otp = (((($hash[$offset + 0]) & 0x7f) << 24) |
((($hash[$offset + 1]) & 0xff) << 16) |
((($hash[$offset + 2]) & 0xff) << 8) |
(($hash[$offset + 3]) & 0xff)) % pow(10, 6);
It give me a result as: 599808
The same different result will show if I write binary or decimal value as the value from arrays. Can someone help me explain where is my fault, so I can count the manual and via source code and give me result a same value of HOTP. Thank you
Apa kabar :) First, SHA-1 is 160 bits (20 bytes) in size not 19. You are using PHP right? The problem is, that accessing the array like that doesn't work since you are always only reading excatly on character:
Following should work:
Important, since
$hashseems to be php a string, you may not simply access it as array since this will return wrong values. But you can get components of the string with the help of thesubstrmethod. You always have to read 2 bytes and convert it into an integer. Sicne the string contains hexa decimal values, you have to use base 16 inintval.PS: I'm assuming that the hash string is exactly 20 bytes long.
Summary: $hash[5] for example will not give you the expected array value 0xEF, but it will give you the 5th string character '4' (part of substring E4).