科技回声

7 条评论

susam超过 4 年前

This is very interesting if it was done for fun. However, this is very likely unsuitable for real world usage. A couple of issues I could see with a quick glance:- Using '=' for comparing TOTPs in the totp.verify function[1] is not safe from timing attacks.- The function random() used in the totp.random_base32 function[2] is not a cryptographically secure random number generator.[1]: <a href="https://github.com/pyramation/totp/blob/7ec3104/packages/totp/sql/launchql-totp--0.0.3.sql#L111" rel="nofollow">https://github.com/pyramation/totp/blob/7ec3104/packages/tot...</a>[2]: <a href="https://github.com/pyramation/totp/blob/7ec3104/packages/totp/sql/launchql-totp--0.0.3.sql#L121" rel="nofollow">https://github.com/pyramation/totp/blob/7ec3104/packages/tot...</a>

评论 #26260778 未加载

评论 #26267814 未加载

评论 #26267842 未加载

nayuki超过 4 年前

The author's main SQL code seems to be in this file: <a href="https://github.com/pyramation/totp/blob/master/packages/totp/deploy/schemas/totp/procedures/generate_totp.sql" rel="nofollow">https://github.com/pyramation/totp/blob/master/packages/totp...</a>For comparison, these are my relatively short TOTP implementations in {TypeScript, Python, Java, Rust, C++}: <a href="https://www.nayuki.io/page/time-based-one-time-password-tools" rel="nofollow">https://www.nayuki.io/page/time-based-one-time-password-tool...</a> . I even have a 6-line Python function.

评论 #26259777 未加载

评论 #26260798 未加载

评论 #26260354 未加载

pyramation超过 4 年前

Author here. Here is the full code if anyone is interested: <a href="https://github.com/pyramation/totp/blob/master/packages/totp/sql/launchql-totp--0.0.3.sql" rel="nofollow">https://github.com/pyramation/totp/blob/master/packages/totp...</a>

mattowen_uk大约 4 年前

I can't be the only [UK] person who sees 'TOTP' and immediately thinks 'Top of the Pops'! XD

steve-chavez大约 4 年前

Cool! I remember seeing a pg TOTP implementation in this gist[1] before. Seems this extension was based off that?[1]: <a href="https://gist.github.com/bwbroersma/676d0de32263ed554584ab132434ebd9" rel="nofollow">https://gist.github.com/bwbroersma/676d0de32263ed554584ab132...</a>

评论 #26268028 未加载

potatochup超过 4 年前

Can someone explain where/why this might be used? Or is it just for fun?

评论 #26259271 未加载

评论 #26259314 未加载

评论 #26259718 未加载

darkr大约 4 年前

nice to see sqitch[1] in use here1: <a href="https://sqitch.org/" rel="nofollow">https://sqitch.org/</a>

评论 #26272391 未加载

7 条评论

susam超过 4 年前

评论 #26260778 未加载

评论 #26267814 未加载

评论 #26267842 未加载

nayuki超过 4 年前

评论 #26259777 未加载

评论 #26260798 未加载

评论 #26260354 未加载

pyramation超过 4 年前

mattowen_uk大约 4 年前

I can't be the only [UK] person who sees 'TOTP' and immediately thinks 'Top of the Pops'! XD

steve-chavez大约 4 年前

评论 #26268028 未加载

potatochup超过 4 年前

Can someone explain where/why this might be used? Or is it just for fun?

评论 #26259271 未加载

评论 #26259314 未加载

评论 #26259718 未加载

darkr大约 4 年前

nice to see sqitch[1] in use here1: <a href="https://sqitch.org/" rel="nofollow">https://sqitch.org/</a>

评论 #26272391 未加载

RFC6238 TOTP implementation in pure PostgreSQL

7 条评论

RFC6238 TOTP implementation in pure PostgreSQL

7 条评论