[GH-ISSUE #41] Use a more secure Base32 encoding algorithm #251

New issue

Closed

opened 2026-03-01 17:48:39 +03:00 by kerem · 4 comments

kerem commented 2026-03-01 17:48:39 +03:00

Owner

Copy link

Originally created by @cwt137 on GitHub (Jul 28, 2016).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/41

Please use the paragonie/constant_time_encoding Composer package for doing Base32 encoding. It helps to prevent cache-timing attacks.

Originally created by @cwt137 on GitHub (Jul 28, 2016). Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/41 Please use the paragonie/constant_time_encoding Composer package for doing Base32 encoding. It helps to prevent cache-timing attacks.

kerem closed this issue 2026-03-01 17:48:39 +03:00

kerem commented 2026-03-01 17:48:40 +03:00

Author

Owner

Copy link

@aik099 commented on GitHub (Jul 28, 2016):

@cwt137 , please explain how base32 operations can be used to compromise library?

<!-- gh-comment-id:235913246 --> @aik099 commented on GitHub (Jul 28, 2016): @cwt137 , please explain how base32 operations can be used to compromise library?

kerem commented 2026-03-01 17:48:40 +03:00

Author

Owner

Copy link

@aik099 commented on GitHub (Jul 28, 2016):

Currently base32 is used to generate 5 OTP codes, that are compared with user provided OTP code using hash_equals (timing attack safe) function. If I'm not mistaken, then time how long it takes to generate these 5 OTP codes can't be used to perform Timing Attack (I guess that's what you're worried about).

<!-- gh-comment-id:235916796 --> @aik099 commented on GitHub (Jul 28, 2016): Currently base32 is used to generate 5 OTP codes, that are compared with user provided OTP code using `hash_equals` (timing attack safe) function. If I'm not mistaken, then time how long it takes to generate these 5 OTP codes can't be used to perform Timing Attack (I guess that's what you're worried about).

kerem commented 2026-03-01 17:48:40 +03:00

Author

Owner

Copy link

@cwt137 commented on GitHub (Jul 29, 2016):

It is the generation of the secret key that is susceptible to a timing attack and should use constant time base32 encoding

<!-- gh-comment-id:236077895 --> @cwt137 commented on GitHub (Jul 29, 2016): It is the generation of the secret key that is susceptible to a timing attack and should use constant time base32 encoding

kerem commented 2026-03-01 17:48:40 +03:00

Author

Owner

Copy link

@antonioribeiro commented on GitHub (Jun 17, 2017):

Done.
Sorry for the huge delay.
Thank you!

<!-- gh-comment-id:309193620 --> @antonioribeiro commented on GitHub (Jun 17, 2017): Done. Sorry for the huge delay. Thank you!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

9.x

fix-coverage

bump-to-version-9

10.x

reformat-code

add-linting

reorder-imports

8.x

install-php-84

test-on-php84

github-actions

master

7.x

pspstan

revert-124-123-google2fa_fix

v9.0.0

v8.0.3

v8.0.2

v8.0.1

8.0.0

v7.0.0

v6.1.3

v6.1.0

v6.0.1

v6.0.0

v4.0.2

v4.0.1

v5.0.0

v4.0.0

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.0.1

v1.0.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.0

v0.1.0

Labels

Clear labels   

bug

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/google2fa#251

No description provided.