Home/ Questions/Q 6949963
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T14:01:45+00:00

I am trying to develop a website and a corresponding helper program (installed on

  • 0

I am trying to develop a website and a corresponding helper program (installed on the user computer). The website and the program will communicate with each other (AJAX mostly), but it will be a large security risk if any other web page can send requests to the program. I want to come up with a solution which makes it extremely hard to inject fraud requests to my program (installed on the user computer). My thoughts are about to use one time passwords, but I have limited security knowledge and therefore ask you for your thoughts.

I have came up with this One-Time-Password algorithm (pseudo):

function otp(seed, counter, unix_timestamp, action)
{
    for(i = 0; i < counter; ++i)
    {
        seed = sha256(seed + i);
    }
    str = seed;

    str = sha256(str + unix_timestamp/60);
    str = sha256(str + action);
    otp = substr(str,0,4); //Convert the first for bytes to an int.
    return (int)otp;
}

It should have the following properties:

  • Can only be used once, (On every otp generation will “counter” be increased => new seed)
  • Will be changed every minute (It depends on time).
  • Bound to an action (login, …), it depends on a specific action.
  • Can easily be generated separately and later be synchronized.

If every request contains OTP code and counter value, is this secure? If not what are your tips to accomplish this? I really want all those properties I mentioned above.

Thanks in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your approach is sensible in principle. Keep in mind, however, that multiple calls to your hash function are pointless – either it’s secure on the first pass, or it isn’t at all.
    Also, you are right now only using the seed to actually authenticate requests (anything else would be known to a would-be attacker), and any weakness in seed generation becomes a weakness in authentication.

    I am not aware of the specific shortcomings of SHA256. However, your problem in general is fairly common and is much easier to describe and solve in standard terms. You want to authenticate a request to your program. Your remote program needs to securely determine the authenticity of a request. This problem is most easily solved with public-key cryptography. For example, make a GnuPG key pair, keep the private key at your website and distribute the public key with your program, and sign any command you send to the program with the private key. The client program receives requests normally and only needs to verify their authenticity via a single call to GnuPG.

    • 0