RFC Errata
RFC 4226, "HOTP: An HMAC-Based One-Time Password Algorithm", December 2005
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 5129
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Gerrit Jansen van Vuuren
Date Reported: 2017-09-27
Section Appendix D says:
   Count    Hexadecimal    Decimal        HOTP
   0        4c93cf18       1284755224     755224
   1        41397eea       1094287082     287082
   2        82fef30        137359152      359152
   3        66ef7655       1726969429     969429
   4        61c5938a       1640338314     338314
   5        33c083d4       868254676      254676
   6        7256c032       1918287922     287922
   7        4e5b397        82162583       162583
   8        2823443f       673399871      399871
   9        2679dc69       645520489      520489
It should say:
   Count    Hexadecimal    Decimal        HOTP
   0        4c93cf18       1284755224     755224
   1        75a48a19       1973717529     717529
   2        bacb7fa        195868666      868666
   3        66c28227       1724023335     023335
   4        2904c900       688179456      179456
   5        237e783d       595490877      490877
   6        3c9cd285       1016910469     910469
   7        24fb960c       620467724      467724
   8        1b3c89f6       456952310      952310
   9        16374098       372719768      719768
Notes:
From https://www.ietf.org/rfc/rfc4226.txt, Appendix D, page 31
a. There is no mention of the parameters that were used to run the reference implementation to provide the test data. These should be:
codeDigits: 6, addCheckSum: false, truncationOffset: 0.
b. The hashes correspond, and the first row of Table 2 (i.e., for Count==0) corresponds, but for Count 1...9 the values for Hex, Decimal and HOTP do not correspond with the values of the reference implementation.
I am using JDK 1.8.0_144.
As a test I have done a copy and paste 'as is' from the reference implementation and run it with sysout statements to print the truncation and OTP values for each counter.
The only changes made are: System.out and use of counter=movingFactor to print the movingFactor, none of which alter the logic. Note the differences in test data were found before adding the debug info.
Please see:
https://github.com/gerritjvv/cryptoplayground/tree/master/hmac/java/hmac/src/test/java/org/funsec/hmac
UnitTest method:
https://github.com/gerritjvv/cryptoplayground/blob/master/hmac/java/hmac/src/test/java/org/funsec/hmac/HTOPTest.java#L83
Reference Impl:
https://github.com/gerritjvv/cryptoplayground/blob/master/hmac/java/hmac/src/test/java/org/funsec/hmac/HOTPRef.java
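Added example (not part of the erratum, the RFC, or the reporter's repository): HOTP computed once with the dynamic truncation of RFC 4226 Section 5.3 and once with the truncation offset fixed at 0, the truncationOffset value listed in note a, so the two tables above can be regenerated side by side. It assumes the RFC 4226 Appendix D shared secret "12345678901234567890", which the erratum text does not quote; the function names are illustrative.

```python
import hashlib
import hmac
import struct

# Assumption: shared secret of the RFC 4226 Appendix D test vectors;
# it is not quoted in the erratum text itself.
SECRET = b"12345678901234567890"


def truncate(digest, fixed_offset=None):
    """31-bit truncation of an HMAC-SHA-1 digest.

    fixed_offset=None: dynamic truncation (RFC 4226, Section 5.3), where
    the low nibble of the last byte selects the offset. An integer forces
    that offset, which is what a truncationOffset of 0 does.
    """
    if fixed_offset is None:
        offset = digest[-1] & 0x0F
    elif 0 <= fixed_offset <= len(digest) - 4:  # must leave four bytes
        offset = fixed_offset
    else:
        raise ValueError("offset out of range for this digest")
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def hotp_row(counter, fixed_offset=None, digits=6):
    """Return (hexadecimal, decimal, HOTP) for one counter value."""
    digest = hmac.new(SECRET, struct.pack(">Q", counter), hashlib.sha1).digest()
    value = truncate(digest, fixed_offset)
    return format(value, "x"), value, str(value % 10 ** digits).zfill(digits)


def compare(counters=range(10)):
    """Rows of (count, dynamic row, offset-0 row, whether they agree)."""
    rows = []
    for c in counters:
        dyn, fixed = hotp_row(c), hotp_row(c, fixed_offset=0)
        rows.append((c, dyn, fixed, dyn == fixed))
    return rows


if __name__ == "__main__":
    for c, dyn, fixed, same in compare():
        print(c, dyn[2], fixed[2], "same" if same else "differs")
```

Only Count 0 agrees between the two modes: its digest ends in a zero nibble, so the dynamic offset there is also 0.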