问题描述
共享2FA
代码是否安全?我说的是TOTP
,例如Google Authenticator
或Authy
.
Is it safe to share 2FA
codes? I'm talking about TOTP
like Google Authenticator
or Authy
.
例如,如果我有代码和生成时间,是否可以预测新代码?如果我的代码和时间超过一对,该怎么办?
For example, if i have code and generation time, is it possible to predict new codes?What if i have more than 1 pair of code+time?
我认为可以根据旧信息(代码+时间)来预测新代码.
I think it's possible to predict new codes based on old information (code+time).
那么,如果可能的话,我该怎么办?我正在寻找某种算法.
So if this is possible, how do I do it? Im looking for some algorithm.
已知时间段,时间,代码和秘密长度.
Known Time period, time, code and secret length.
示例:
22:20:30 561918
22:21:00 161664
22:21:30 610130
推荐答案
在内部,这些2FA生成器通常基于基于时间的一次性密码算法.这些算法通过在两个值的组合上使用强大的哈希函数来工作:共享密钥和当前时间增量,并且专门使用称为 HMAC ,只要底层哈希函数是安全的,就可以保证安全.
Internally, these 2FA generators usually work based on a time-based one-time password algorithm. Those algorithms work by using strong hash functions on a combination of two values: a shared secret and the current time increment, and specifically use a construction called HMAC that’s known to be secure provided the underlying hash function is.
因此,如果某人可以通过查看2FA设备的一些时间戳和输出来预测2FA设备的未来输出,则他们要么(1)必须知道共享机密,要么(2)能够破解该共享机密. HMAC.除非有人对Google进行了黑客攻击,或者知道以非公开文献记载的方式对HMAC或底层哈希函数进行了攻击,否则这两种情况都是不太可能的.
As a result, if someone could predict future outputs of your 2FA device by seeing some timestamps and outputs from the 2FA device, then they would either (1) have to know the shared secret or (2) be able to break the HMAC. Both of these are unlikely unless someone either has hacked Google or knows of attacks on HMAC or the underlying hash function in ways beyond what’s in the public literature.
换句话说,您不必担心有人会根据过去的值来猜测将来的值,尽管我仍然建议您不要给出旧的值,因为您不应向除您网站以外的任何人提供2FA值正在登录. :-)
In other words, you shouldn’t need to worry about someone guessing future values given past values, though I’d still advise against giving out old values because you shouldn’t be giving out 2FA values to anyone except the site you’re logging into. :-)
这篇关于给定带有时间戳的旧值,是否可以预测将来的2FA值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!