OtpAuthenticator
sunyer edited this page Mar 26, 2015
OATH is a common standard for OTP generation, defined in RFC 4226. The OTP is unique for each user because the calculation is personalized with a unique seed. A counter value is either incremented after each calculation (event-based OTP) or valid for a specific time window (time-based OTP).
An OATH calculation in software is possible but discouraged, as the seed could be lost or tampered with after flashing or rooting the phone. For this reason the OATH calculation takes place in the Mobile Security Card, where the private seed is kept secure in the OtpAuthenticator applet.
- Download the installation files from the Download page
- Install the oath.cap file on the Mobile Security Card with JLoad or other Java Card compliant Global Platform loader tools. Note: JLoad is included in the Mobile Security Developer's Kit
- Install OtpAuthenticator.apk on your Android device equipped with a Mobile Security Card and MSC_SmartcardService installed. Note: Without MSC_SmartcardService, please check out the OtpAuthenticator source code and recompile the APK according to BuildingTheSystem
- Run the application on the Android phone, open the menu and personalize (= define the OATH seed) the applet
The Java Card applet is for demonstration and test purposes only. Do not use in production environments!
The applet needs to be compiled and converted to a Java Card CAP file with the following AIDs:
PackageAID: 0xD2:0x76:0x00:0x01:0x18:0x00:0x03:0xFF:0x49:0x10:0x00:0x89:0x00:0x00:0x02:0x00
Applet AID: 0xD2:0x76:0x00:0x01:0x18:0x00:0x03:0xFF:0x49:0x10:0x00:0x89:0x00:0x00:0x02:0x01
Four methods are exported in the interface. The CLA byte is 00, but the applet can also communicate on logical channels (CLA 01, 02 & 03).
If the applet is not yet personalized (i.e. right after installation), OTP generation returns status word 69 85. The counter value is incremented each time an OTP is calculated. After setting a new seed, the counter value is reset to 0x00.
CLA: 00
INS: 10
P1: 00
P2: 00
P3: 08
data: <8 bytes counter>
APDU: 00 10 00 00 08 00 00 00 00 00 00 00 01
RESPONSE: 90 00

CLA: 00
INS: 11
P1: 00
P2: 00
P3: 00
data: n/a
APDU: 00 11 00 00 00
RESPONSE: 00 00 00 00 00 00 00 01 90 00

CLA: 00
INS: 12
P1: <number of digits>
P2: 00 (if TOTP is used), 01 (if HOTP is used)
P3: 14
data: <20 hex bytes seed>
APDU: 00 12 06 00 14 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30
RESPONSE: 90 00

CLA: 00
INS: 13
P1: 00
P2: 00
P3: 00
data: n/a
APDU: 00 13 00 00 00
RESPONSE: 37 35 35 32 32 34 90 00

CLA: 00
INS: 14
P1: 00
P2: 00
P3: 00
data: n/a
APDU: 00 14 00 00 00
RESPONSE: 90 00

CLA: 00
INS: 15
P1: 00
P2: 00
P3: 00
data: n/a
APDU: 00 15 00 00 00
RESPONSE: 00 90 00 (if TOTP is used, which is the default)
RESPONSE: 01 90 00 (if HOTP is used)
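The seed in the INS 12 example above (31 32 ... 30) is the ASCII string "12345678901234567890", i.e. the RFC 4226 test secret, and the INS 13 response 37 35 35 32 32 34 is the ASCII OTP "755224", which is HOTP for counter 0 under that seed. The following added example (not code from the page or from the project) shows how a host or verifier can build the INS 12 command, parse the card's OTP response including the 69 85 not-personalized case, and check the returned OTP against an RFC 4226 HOTP computation; the function names and the look-ahead window are assumptions of this example.

```python
import hmac
import hashlib
import struct
from typing import Optional, Tuple

# RFC 4226 test secret; also the seed sent in the INS 12 example on this page
# (31 32 ... 30 is the ASCII encoding of "12345678901234567890").
PAGE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def build_set_seed_apdu(seed: bytes, digits: int, hotp_mode: bool) -> bytes:
    """INS 12 command from the page: CLA 00, P1 = digits, P2 00 = TOTP / 01 = HOTP, P3 = 0x14."""
    if len(seed) != 20:
        raise ValueError("applet expects a 20-byte seed")
    return bytes([0x00, 0x12, digits, 0x01 if hotp_mode else 0x00, len(seed)]) + seed


def parse_otp_response(resp: bytes) -> Tuple[Optional[str], int]:
    """Split a card response into (OTP digits, status word); the OTP arrives as ASCII digits."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    sw = int.from_bytes(resp[-2:], "big")
    if sw != 0x9000:
        return None, sw  # e.g. 0x6985 when the applet has not been personalized yet
    return resp[:-2].decode("ascii"), sw


def verify_card_otp(resp: bytes, seed: bytes, counter: int, digits: int = 6,
                    window: int = 0) -> Optional[int]:
    """Compare the card's OTP with HOTP for counter..counter+window (assumed resync window).

    Returns the matching counter, or None on a status error or mismatch."""
    otp, _ = parse_otp_response(resp)
    if otp is None or len(otp) != digits:
        return None
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c, digits), otp):
            return c
    return None
```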
The Android application is for demonstration and test purposes only. Do not use in production environments!
Please refer to the Mobile Security Developer's Kit for an introduction on how to develop Android applications with smart card access.
See the source code for more details.