Fix excessive key length recommendations.

jchambers · jchambers · commit ce0b35b7017c · 2020-10-24T13:18:34.000-04:00
diff --git a/README.md b/README.md
@@ -32,8 +32,9 @@ final Key key;
 {
     final KeyGenerator keyGenerator = KeyGenerator.getInstance(totp.getAlgorithm());
 
-    // SHA-1 and SHA-256 prefer 64-byte (512-bit) keys; SHA512 prefers 128-byte (1024-bit) keys
-    keyGenerator.init(512);
+    // Key length should match the length of the HMAC output (160 bits for SHA-1, 256 bits
+    // for SHA-256, and 512 bits for SHA-512).
+    keyGenerator.init(160);
 
     key = keyGenerator.generateKey();
 }
diff --git a/src/main/java/overview.html b/src/main/java/overview.html
@@ -39,7 +39,7 @@ <h2>Usage</h2>
         <pre>final Key secretKey;
 {
     final KeyGenerator keyGenerator = KeyGenerator.getInstance(totp.getAlgorithm());
-    keyGenerator.init(20);
+    keyGenerator.init(160);
 
     secretKey = keyGenerator.generateKey();
 }</pre>
diff --git a/src/test/java/com/eatthepath/otp/ExampleApp.java b/src/test/java/com/eatthepath/otp/ExampleApp.java
@@ -34,8 +34,9 @@ public static void main(final String[] args) throws NoSuchAlgorithmException, In
         {
             final KeyGenerator keyGenerator = KeyGenerator.getInstance(totp.getAlgorithm());
 
-            // SHA-1 and SHA-256 prefer 64-byte (512-bit) keys; SHA512 prefers 128-byte (1024-bit) keys
-            keyGenerator.init(512);
+            // Key length should match the length of the HMAC output (160 bits for SHA-1, 256 bits
+            // for SHA-256, and 512 bits for SHA-512).
+            keyGenerator.init(160);
 
             key = keyGenerator.generateKey();
         }

Original file line number	Diff line number	Diff line change
`@@ -32,8 +32,9 @@ final Key key;`
`32`	`32`	`{`
`33`	`33`	`final KeyGenerator keyGenerator = KeyGenerator.getInstance(totp.getAlgorithm());`
`34`	`34`
`35`		`- // SHA-1 and SHA-256 prefer 64-byte (512-bit) keys; SHA512 prefers 128-byte (1024-bit) keys`
`36`		`- keyGenerator.init(512);`
	`35`	`+ // Key length should match the length of the HMAC output (160 bits for SHA-1, 256 bits`
	`36`	`+ // for SHA-256, and 512 bits for SHA-512).`
	`37`	`+ keyGenerator.init(160);`
`37`	`38`
`38`	`39`	`key = keyGenerator.generateKey();`
`39`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ <h2>Usage</h2>`
`39`	`39`	`<pre>final Key secretKey;`
`40`	`40`	`{`
`41`	`41`	`final KeyGenerator keyGenerator = KeyGenerator.getInstance(totp.getAlgorithm());`
`42`		`- keyGenerator.init(20);`
	`42`	`+ keyGenerator.init(160);`
`43`	`43`
`44`	`44`	`secretKey = keyGenerator.generateKey();`
`45`	`45`	`}</pre>`
Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,9 @@ public static void main(final String[] args) throws NoSuchAlgorithmException, In`
`34`	`34`	`{`
`35`	`35`	`final KeyGenerator keyGenerator = KeyGenerator.getInstance(totp.getAlgorithm());`
`36`	`36`
`37`		`- // SHA-1 and SHA-256 prefer 64-byte (512-bit) keys; SHA512 prefers 128-byte (1024-bit) keys`
`38`		`- keyGenerator.init(512);`
	`37`	`+ // Key length should match the length of the HMAC output (160 bits for SHA-1, 256 bits`
	`38`	`+ // for SHA-256, and 512 bits for SHA-512).`
	`39`	`+ keyGenerator.init(160);`
`39`	`40`
`40`	`41`	`key = keyGenerator.generateKey();`
`41`	`42`	`}`