Incorrect key caused by OTP-Sharp base32 encoding problem. (Key Must be Uppercase?)

Issue #9 invalid
Anonymous created an issue

I was having trouble getting KeeOtp to match what Google Authenticator was saying. Additionally, when entering the key using the configuration form, it kept getting changed to all 7's when I would later go back to look at the key. After downloading the OTP-Sharp package and comparing what it was showing with Authenticator and looking at the key it was generating, I noticed that it was using an all uppercase key. On a whim, I changed my Google 2-step key into uppercase and put it in KeeOtp, and this seemed to make everything sync.

If indeed it needs to be all uppercase, the program should change that for you, as Google presents the key in lowercase on their 2-step page.

Comments (13)

  1. Devin Martin repo owner

    The base32 decoder does generate an all uppercase output, but it accepts lowercase input. It will change it to uppercase for re-display and re-encoding from the original value, but that doesn't change the value. Base32 treats uppercase and lowercase the same. I tried to reproduce this problem by putting lowercase values in. While it did change the key to uppercase, it generated the same number either way. I couldn't get it to change the key to all 7's, at least not simply by entering lowercase keys. 7 is the last value in the base32 character set. I am wondering if this is some kind of overflow in the base32 decoding.

  2. Devin Martin repo owner

    There is a subtle bug in the encoding of base32 (but not decoding).

    This has to do with edge cases (like 7's). I am betting that the key was put in correctly (case isn't an issue), edited and improperly re-encoded, then the improperly encoded key was saved in the KeePass DB resulting in an incorrect code. I am looking into the encoding bug now.

  3. Devin Martin repo owner

    A bug with this issue will be added to the OTP-Sharp library (where the bug lives). This bug will be resolved when the problem in the underlying library is fixed.

  4. Devin Martin repo owner

    Porting the base32 implementation in the Google Authenticator Android app to C# yields the same results as the base32 implementation that is currently in OTP-Sharp. This may not be a bug. Downgrading the priority.

  5. Devin Martin repo owner

    The base32 encoding problem turned out to be a wild goose chase caused by an incorrect assumption. The uppercase/lowercase problem that was reported wasn't able to be reproduced.
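
The check discussed in this thread, as an added example that is not part of the original issue and is not OTP-Sharp or KeeOtp code: a small RFC 4648 base32 codec plus RFC 6238 TOTP in Python, used to confirm that a lowercase key decodes to the same bytes, re-encodes to the uppercase form, and produces the same code. The function names and `SAMPLE_KEY` (the RFC 6238 test secret, not a real account key) are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 base32 alphabet; '7' is value 31

def b32_decode(text: str) -> bytes:
    """Decode base32 case-insensitively, ignoring spaces and '=' padding."""
    cleaned = text.replace(" ", "").rstrip("=").upper()
    acc = bits = 0
    out = bytearray()
    for ch in cleaned:
        value = ALPHABET.find(ch)
        if value < 0:
            raise ValueError(f"invalid base32 character: {ch!r}")
        acc = (acc << 5) | value
        bits += 5
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1  # keep only the bits not yet emitted
    return bytes(out)

def b32_encode(data: bytes) -> str:
    """Encode to unpadded, uppercase base32 (the form shown on redisplay)."""
    acc = bits = 0
    out = []
    for byte in data:
        acc = (acc << 8) | byte
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append(ALPHABET[(acc >> bits) & 31])
            acc &= (1 << bits) - 1
    if bits:  # left-align the final partial group, as RFC 4648 requires
        out.append(ALPHABET[(acc << (5 - bits)) & 31])
    return "".join(out)

def totp(key_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, keyed by a base32 secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(b32_decode(key_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

A key made entirely of `0xFF` bytes legitimately encodes to all 7's, so a redisplayed key of 7's points at the stored bytes rather than at letter case.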
