Generate a TOTP token in Bash using `openssl` and `date +%s`

Author
  • User

Introduction

Today we'll walk through how to generate a Time-based One-Time Password (TOTP, RFC 6238) straight from your Linux terminal using openssl and date +%s. The goal is to make the mechanics behind two-factor authentication (2FA) concrete by rebuilding them with common Linux tools: an HMAC-SHA1 over a time counter, truncated to a six-digit code.

Q&A on Generating a TOTP Token in Bash

Q1. What is a TOTP token?

A1. A Time-based One-Time Password (TOTP) token is a short-lived passcode used as the second factor in two-factor authentication. It is computed from a shared secret, provisioned once to the user's authenticator (the "something you have" factor), and the current time, so the code changes every 30 seconds and a captured code is useless after the next time step. The server holds the same secret and recomputes the expected code.

Q2. Why use openssl and date +%s in Bash for generating a TOTP token?

A2. openssl provides the cryptographic primitive TOTP is built on: an HMAC (here HMAC-SHA1) keyed with the shared secret. date +%s returns the current Unix time in seconds since the epoch (January 1, 1970); dividing it by the 30-second period gives the time-step counter that is the message fed into the HMAC.

Q3. How does the generation process work?

A3. The script reads the current Unix time, divides it by 30 to get the time-step counter, encodes that counter as an 8-byte big-endian integer and computes HMAC-SHA1 over it with openssl, keyed with the decoded secret. A fixed truncation rule then selects 4 bytes of the 20-byte HMAC and reduces them modulo 10^6 to a six-digit code, which changes whenever the counter changes, i.e. every 30 seconds.

Background and Simplified Explanation

To understand how a TOTP token is generated, it helps to know about HMAC (Hash-based Message Authentication Code) and its role in TOTP. TOTP (RFC 6238) is HOTP (RFC 4226) with the counter derived from time: the HMAC takes two inputs, a key (the shared "secret") and a message, which is the number of 30-second intervals elapsed since the Unix epoch, floor(T / 30), encoded as an 8-byte big-endian integer.

Here's a simpler breakdown:
1. Get the current time in seconds using date +%s and divide by 30 to obtain the time-step counter.
2. Compute HMAC-SHA1 over the counter (as 8 big-endian bytes), keyed with the secret; the secret is usually handed to you Base32-encoded and must be decoded first.
3. Apply dynamic truncation: the low 4 bits of the last HMAC byte give an offset; take the 4 bytes starting there as a big-endian integer and mask off the top bit (AND with 0x7fffffff).
4. Reduce the integer modulo 10^6 and zero-pad to six digits.

Executable Bash Script for TOTP Token Generation

Below is a Bash script that generates a TOTP token. It needs bash, openssl, xxd and GNU coreutils base32:

#!/bin/bash
set -euo pipefail

# Base32 secret as issued by the service. Supply it as the first argument
# or in TOTP_SECRET; the placeholder below is not a valid secret.
secret="${1:-${TOTP_SECRET:-your_secret_key_in_base32}}"

# Normalise the secret: drop spaces, upper-case it, and restore the '='
# padding that GNU base32 --decode insists on
secret=$(printf '%s' "$secret" | tr -d ' =' | tr '[:lower:]' '[:upper:]')
while (( ${#secret} % 8 )); do secret+='='; done

# Get the current Unix time and the 30-second time-step counter (RFC 6238)
currentTime=$(date +%s)
timeStep=$((currentTime / 30))

# Decode the Base32 secret to a single line of hex for openssl's hexkey option
decodedSecret=$(printf '%s' "$secret" | base32 --decode | xxd -p -c 256)

# HMAC-SHA1 over the counter encoded as an 8-byte big-endian integer.
# The counter bytes are piped straight into openssl: a bash variable
# cannot hold the NUL bytes in the counter's high-order positions.
hash=$(printf '%016x' "$timeStep" | xxd -r -p \
  | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$decodedSecret")
hash=${hash##* }   # keep only the 40 hex digits after "...(stdin)= "

# Dynamic truncation (RFC 4226 section 5.3): the low 4 bits of the last
# byte pick a 4-byte window, whose top bit is then masked off
offset=$((0x${hash:39:1}))
value=${hash:$((offset * 2)):8}

# Convert to integer and reduce to six digits
token=$(( (0x$value & 0x7fffffff) % 1000000 ))
finalToken=$(printf '%06d' "$token")

echo "Current TOTP: $finalToken"
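The same procedure, as an added example that is not part of the original post: the HMAC-SHA1 and dynamic-truncation steps factored into reusable hotp and totp functions, a small pure-bash Base32 decoder so that only bash and openssl are required (no xxd or coreutils base32), a check against the published RFC 4226 / RFC 6238 test vectors (the 20-byte ASCII secret "12345678901234567890"), and a totp_verify function showing the server-side check with a one-step window either side for clock skew. The function names and the window size are my own choices.

```bash
#!/bin/bash
# Added example: TOTP/HOTP in bash + openssl, validated against RFC test vectors.

# Decode an RFC 4648 Base32 string to lowercase hex (padding, spaces and case tolerated)
base32_to_hex() {
  local s alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
  local bits=0 nbits=0 out='' ch idx i
  s=$(printf '%s' "$1" | tr -d ' =' | tr '[:lower:]' '[:upper:]')
  for (( i = 0; i < ${#s}; i++ )); do
    ch=${s:i:1}
    idx=${alphabet%%"$ch"*}; idx=${#idx}          # position of ch in the alphabet
    if (( idx == 32 )); then echo "invalid base32 character: $ch" >&2; return 1; fi
    bits=$(( ((bits << 5) | idx) & 0xffff ))        # keep a 16-bit accumulator
    nbits=$(( nbits + 5 ))
    if (( nbits >= 8 )); then
      out+=$(printf '%02x' $(( (bits >> (nbits - 8)) & 0xff )))
      nbits=$(( nbits - 8 ))
    fi
  done
  printf '%s' "$out"
}

# Emit the counter as 8 raw big-endian bytes (built as \xHH escapes so NULs survive)
counter_bytes() {
  local c=$1 i fmt=''
  for i in 7 6 5 4 3 2 1 0; do
    fmt+=$(printf '\\x%02x' $(( (c >> (i * 8)) & 0xff )))
  done
  printf "$fmt"
}

# hotp <hexkey> <counter> [digits]  (RFC 4226, HMAC-SHA1 + dynamic truncation)
hotp() {
  local hexkey=$1 counter=$2 digits=${3:-6} mac offset value
  mac=$(counter_bytes "$counter" | openssl dgst -sha1 -mac HMAC -macopt hexkey:"$hexkey")
  mac=${mac##* }                                   # strip "HMAC-SHA1(stdin)= " prefix
  [ ${#mac} -eq 40 ] || { echo "unexpected openssl output: $mac" >&2; return 1; }
  offset=$(( 0x${mac:39:1} ))                      # low nibble of the last byte
  value=$(( 0x${mac:$((offset * 2)):8} & 0x7fffffff ))
  printf "%0${digits}d" $(( value % 10**digits ))
}

# totp <base32 secret> [unix_time] [digits] [step]  (RFC 6238, defaults: now, 6, 30)
totp() {
  local hexkey counter
  hexkey=$(base32_to_hex "$1") || return 1
  counter=$(( ${2:-$(date +%s)} / ${4:-30} ))
  hotp "$hexkey" "$counter" "${3:-6}"
}

# totp_verify <base32 secret> <code> [unix_time] [window]
# Server-side check: accept the code for the current step or up to <window>
# steps either side (default 1) to tolerate clock skew between client and server.
totp_verify() {
  local secret=$1 code=$2 now=${3:-$(date +%s)} window=${4:-1}
  local hexkey counter i
  hexkey=$(base32_to_hex "$secret") || return 1
  counter=$(( now / 30 ))
  for (( i = -window; i <= window; i++ )); do
    [ "$(hotp "$hexkey" $(( counter + i )) "${#code}")" = "$code" ] && return 0
  done
  return 1
}

# Demo: the RFC 6238 test secret ("12345678901234567890" in Base32), constructed here
RFC_SECRET_B32=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
echo "T=59, 8 digits: $(totp "$RFC_SECRET_B32" 59 8)   (RFC 6238 expects 94287082)"
echo "Live 6-digit code for the test secret: $(totp "$RFC_SECRET_B32")"
```

Two things a real verifier must add on top of totp_verify: compare the code with a constant-time check rather than "[ = ]", and remember the highest counter already accepted for that user so a code observed on the wire cannot be replayed within the window.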

Conclusion

By leveraging tools such as openssl and date +%s, you can implement a standards-based security mechanism directly from the Bash command line, which is a good way to see that TOTP is nothing more than HMAC-SHA1 over a time counter. Two caveats apply in practice. The code is only as good as the system clock: if the machine drifts by more than a time step from the server, every code fails, so keep the clock synchronised with NTP. And the secret is the whole second factor: manage it securely, never hard-code it in production scripts, and remember that generating codes on the same machine that holds the account password collapses two factors into one.

Further Reading