Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Google Authenticator code does not match server generated code

Tags:

python

django

two-factor-authentication

one-time-password

google-authenticator

Background

I'm currently working on a two-factor authentication system where user are able to authenticate using their smartphone. Before the user can make use of their device they need to verify it first. For this they need to scan a QR code I give them and enter the code that subsequently shows.

Problem

The scanning of the QR code works fine, and it gets read correctly by the Google Authenticator app. However, the generated codes don't match with the ones I'm generating on the server.

What have I tried

I have tried a couple of things in the hope of finding my problem.

  1. I have tried directly inserting both a default secret: 'thiswasmysecretkeyused' and a base64.b32encode() encoded version of the secret: 'ORUGS43XMFZW26LTMVRXEZLUNNSXS5LTMVSA====' in the Google Authenticator app, but these both generated codes different from the server.

  2. I read that the trailing ==== from the key may cause it to not work, so I tried adding one without those as well. Still no good results (they generate the same codes)

  3. I have tried using a different algorithm for generating TOTP codes, for in the unlikely event that the algorithm I'm using (django-otp) is incorrect. The different algorithm I used was taken from this answer. Both algorithms generated the same codes when using the same key.

  4. I checked what the time on my system was. I saw that the operating system was showing 15:03 just like my smartphone was. After dumping the time in python with both time.time() and datetime.datetime.now() I saw the returned time was one hour behind the operating system time; showing 14:03. I tried adding 3600 seconds in to the timestamp used for code generation, but to no avail.

  5. I have tried several other things, but can't quite recall what they all were.

  6. I've looked up the code that accepts keys in Google Authenticator and have verified that it is expecting a base32 string. So my encoding of the key is correct, as far as I'm aware. From the code (EnterKeyActivity.java, line 78):

    Verify that the input field contains a valid base32 string

Code

Generating the secret key; 
def generate_shared_key(self):
    # create hash etc.
    return base64.b32encode(hasher.hexdigest())

Generating the QR code;

key = authenticator.generate_shared_key()
qrcode = pyqrcode.create('otpauth://totp/someurl.nl?secret=' + key)

Generating the TOTP code;

def generate_code(self, drift_steps=0, creation_interval=30, digits=6, t0=0):
    code = str(totp(self.generate_shared_key(), creation_interval, timestamp, digits, drift_steps))
    return code.zfill(digits)

If you need any more code, such as django-otp actual totp generating code, let me know.

Errors

No errors.

Hunches

My hunch is that I must be going wrong somewhere with the key generation or with passing the key to Google Authenticator. Since even manually putting the key in Google Authenticator fails to generate the correct codes. Does Google Authenticator do something more with the key once it's been saved, such as adding an user?

I also noticed in the other algorithm I used that the secret there gets decoded first with;

key = base64.b32decode(secret, True)

Is my original key (a SHA512 hash) wrong? Should I or should I not encode it with base64.b32encode()? If I try to scan the QR code generated without encoding the hash, Google Authenticator says it does not recognize it as a (valid) key.

like image 427
Bono Avatar asked Nov 30 '15 15:11

Bono

1 Answers

Alright, after digging through the code of Google Authenticator I finally found what I was doing wrong.

Key Encoding

Just so it's clear: Google Authenticator does expect a base32 encoded string as a secret. So whether you enter it manually or via a QR code, you have to make sure your secret is a base32 encoded string when you give it to Google Authenticator.

From EnterKeyActivity:

/*
 * Verify that the input field contains a valid base32 string,
 * and meets minimum key requirements.
 */
private boolean validateKeyAndUpdateStatus(boolean submitting) {
    //...
}

Storing

Google Authenticator is storing the key you give it in the database as is. So this means it stores the base32 string of your secret directly in the database.

From EnterKeyActivity:

private String getEnteredKey() {
    String enteredKey = mKeyEntryField.getText().toString();
    return enteredKey.replace('1', 'I').replace('0', 'O');
}

protected void onRightButtonPressed() {
    //...
    if (validateKeyAndUpdateStatus(true)) {
        AuthenticatorActivity.saveSecret(this, mAccountName.getText().toString(), getEnteredKey(), null, mode, AccountDb.DEFAULT_HOTP_COUNTER);
        exitWizard();
    }
    //...
}

From AuthenticatorActivity:

static boolean saveSecret(Context context, String user, String secret, String originalUser, OtpType type, Integer counter) {
    //...
    if (secret != null) {
          AccountDb accountDb = DependencyInjector.getAccountDb();
          accountDb.update(user, secret, originalUser, type, counter);

          //...
    }
}

Retrieval

When Google Authenticator retrieves the secret from the database, it decodes the base32 string so it can use the genuine secret.

From OtpProvider:

private String computePin(String secret, long otp_state, byte[] challenge) throws OtpSourceException {
    //...

    try {
        Signer signer = AccountDb.getSigningOracle(secret);
        //...
    }
}

From AccountDb:

static Signer getSigningOracle(String secret) {
    try {
        byte[] keyBytes = decodeKey(secret);
        //...
    }
}

private static byte[] decodeKey(String secret) throws DecodingException {
  return Base32String.decode(secret);
}

Mistake

My mistake was that, on the server-side, I was using the base32 encoded key for generating TOTP codes, since I thought Google Authenticator used that as well. In hindsight it's of course very logical, but I couldn't find too much info about this. Hopefully this will help out some more people in the future.

TL;DR

Make sure the secret/key you pass to Google Authenticator is a base32 encoded string. Make sure that on the server side you're not using the base32 encoded string, but the decoded string. In Python you can encode and decode you secret/key as follows:

import base64

base64.b32encode(self.key)
base64.b32decode(self.key)
like image 185
Bono Avatar answered Sep 22 '22 01:09

Bono
Sign in to Comment

Related questions

Python: Checking for JSON files and creating one if needed
Run Python HTTPServer in Background and Continue Script Execution
How to map lambda expressions in Java
Want to save & run Python script in Jupyter Notebook (Anaconda)
Filter many to many field in Django model
Storing simple key value pairs with Flask Cache and memcached
How to install cx_Oracle on El Capitan
Match an arbitrary path, or the empty string, without adding multiple Flask route decorators
Two different plots from same loop in matplotlib?
Average of daily count of records per month in a Pandas DataFrame
Subclassing in python of instantiated superclass
Add data to a seaborn jointplot
Running custom Java class in PySpark
How to put the legend on first subplot of seaborn.FacetGrid?
python: getting actual environment variables to modify and pass to subprocess
Is anaconda for Fedora different from anaconda for python?
getting file list using glob in python
speed up loading of animated gif kivy
convert plural nouns to singular NLP
How to set SQLite isolation levels, using Python

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!