This document describes an algorithm for challenge-response authentication developed by the Initiative for Open Authentication (OATH). The specified mechanisms leverage the HMAC-based One-Time Password (HOTP) algorithm and offer one-way and mutual authentication, as well as electronic signature capabilities.
OCRA (OATH Challenge-Response Algorithm) is an extension of HOTP (RFC 4226) and allows additional inputs like challenges, counters, passwords, session data, and timestamps to be incorporated into the authentication process.
The OCRA OTP is derived using the following steps:
Let suite be the OCRA Suite string (e.g. OCRA-1:HOTP-SHA1-6:QN08), followed by a single null byte:
message = suite || 0x00 || C || Q || P || S || T
Where:
C= counter (8 bytes, optional)Q= challenge (variable, padded to 128 bytes)P= password (hashed if present, length depends on password hash algorithm)S= session information (padded to 128 bytes if present)T= timestamp (8 bytes, optional)
Let the key be the shared secret, and H be the hash algorithm specified in the suite (e.g. SHA-1, SHA-256, or SHA-512):
Let:
Then extract a 4-byte string starting from offset:
Given digits is the output length (6, 7, or 8 typically), the final code is:
Convert this number to a zero-padded string of digits length.
- The input order must match the suite definition exactly.
Qmust be encoded correctly (decimal, hex, or alphanumeric), right-padded to 128 bytes if shorter.- When
Pis used, the raw password is hashed (e.g., SHA1, SHA256) before concatenation. - Timestamps (
T) are 8-byte big-endian integers representing time steps (e.g. 30s, 60s).
Suite: OCRA-1:HOTP-SHA1-6:QN08
Secret: 3132333435363738393031323334353637383930
Challenge: 00000000 (decimal → hex → right-padded to 128 bytes)
Result: 237653