java 双因素认证(2FA)TOTP demo

时间:2021-09-30 20:45:00

TOTP 的全称是"基于时间的一次性密码"(Time-based One-time Password)。它是公认的可靠解决方案,已经写入国际标准 RFC6238。

很早就知道有这个东西了,一直不知道是怎么实现的.

比如 QQ 安全中心的密钥,U盾,就是动态密码之类的.

今天看到阮一峰老师的博客才知道实现原理.

概念性的东西参考

http://www.ruanyifeng.com/blog/2017/11/2fa-tutorial.html

实现代码:

package totp;

import java.security.MessageDigest;

import java.util.Date;

import java.util.UUID;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

public class TOTP {

	// TC = floor((unixtime(now) − unixtime(T0)) / TS)

	// TC = floor(unixtime(now) / 30)

	// TOTP = HASH(SecretKey, TC)

	private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

	public static void main(String[] args) {

		Pattern pattern = Pattern.compile("\\d");

		String key = UUID.randomUUID().toString().replace("-", "");

		for (int i = 0; i < 70; i++) {

			String TC = String.valueOf((int) Math.floor(new Date().getTime() / 1000 / 30));

			String TOTP = sha1(TC + key);

			Matcher matcher = pattern.matcher(TOTP);

			String result = "";

			while (matcher.find()) {

				result += matcher.group();

			}

			result = result.substring(result.length() - 6);

			System.out.println(i + "  --  " + result);

			try {

				Thread.sleep(1000);

			} catch (InterruptedException e) {

				// TODO Auto-generated catch block

				e.printStackTrace();

			}

		}

	}

	public static String sha1(String srcStr) {

		return hash("SHA-1", srcStr);

	}

	public static String hash(String algorithm, String srcStr) {

		try {

			MessageDigest md = MessageDigest.getInstance(algorithm);

			byte[] bytes = md.digest(srcStr.getBytes("utf-8"));

			return toHex(bytes);

		} catch (Exception e) {

			throw new RuntimeException(e);

		}

	}

	public static String toHex(byte[] bytes) {

		StringBuilder ret = new StringBuilder(bytes.length * 2);

		for (int i = 0; i < bytes.length; i++) {

			ret.append(HEX_DIGITS[(bytes[i] >> 4) & 0x0f]);

			ret.append(HEX_DIGITS[bytes[i] & 0x0f]);

		}

		return ret.toString();

	}

}

相关文章