How is the OTP generated in the safenet eToken Pass? Which algorithm is used for this?

Asked by AmyAvery in Cyber Security on Feb 3, 2022

I use a hard token to log in to a VPN but I don't get the concept behind it. The password is a combination of a self-generated PIN + an OTP generated on the eToken Pass. How does authentication take place at the back end, and what is the criterion for OTP expiration?

Answered by Angela Baker

The eToken Pass has two modes of operation: event-based and time-based. The basis for these is RFC 4226 and RFC 6238. BUT SafeNet changed the event-based tokens so that they no longer use SHA1 but SHA256, which is, strictly speaking, not HOTP compliant. The event-based OTP values do not expire: you can press the button now and use the OTP value tomorrow. The time-based OTP value is only valid within a time window, which is defined by the authentication backend.

The "IV" mentioned by @Iserni is a 20-byte (SHA1) or 32-byte (SHA256) symmetric key, which is unique to the token.

OTP = truncate(HMAC-SHA1(Key + Counter))

The counter is either the event counter (key presses) or unixtime/30. The server component knows the last counter, calculates an OTP value and compares the OTP value the user provided with the OTP value the server calculated. More in the RFCs.
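The formula in the answer, carried through to working code as an added example that is not part of the original post and not SafeNet's implementation: RFC 4226 HOTP with dynamic truncation, RFC 6238 TOTP on top of it (counter = unixtime/30), a switchable digest so the SHA-256 variant the answer describes can be produced, and the two server-side checks the answer mentions, a counter look-ahead for event-based tokens (with replay rejection, since the server only accepts counters beyond the last one it saw) and a window of time steps for time-based tokens. Splitting a VPN password into PIN + OTP is shown as well, assuming the OTP is the trailing digits. The secrets are the RFC test-vector keys, not real token seeds; the look-ahead and window sizes are illustrative assumptions, as the answer says they are chosen by the backend.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: OTP = truncate(HMAC(key, counter)).

    digestmod=hashlib.sha256 gives the SHA-256 variant the answer describes
    (not strictly RFC 4226 compliant, which mandates HMAC-SHA1).
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(key, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with counter = (unixtime - T0) // step."""
    return hotp(key, (int(for_time) - t0) // step, digits, digestmod)


def verify_event(key: bytes, candidate: str, last_counter: int, look_ahead: int = 20,
                 digits: int = 6, digestmod=hashlib.sha1):
    """Server side for an event-based token.

    The server stores the last accepted counter and tries the next `look_ahead`
    counters (button presses that never reached the server). Returns the new
    counter to store on success, None on failure. Anything at or below
    last_counter is never tried, so a replayed OTP is rejected.
    look_ahead=20 is an illustrative backend setting.
    """
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(key, c, digits, digestmod), candidate):
            return c
    return None


def verify_time(key: bytes, candidate: str, now: int, window: int = 1, step: int = 30,
                digits: int = 6, digestmod=hashlib.sha1) -> bool:
    """Server side for a time-based token: accept the current step plus/minus
    `window` steps to absorb clock drift. window=1 is an illustrative setting;
    this is the "time window defined by the authentication backend"."""
    t = int(now) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, t + delta, digits, digestmod), candidate):
            return True
    return False


def split_pin_otp(password: str, digits: int = 6):
    """Split a VPN password of the form PIN + OTP, assuming the OTP is the last `digits` characters."""
    if len(password) <= digits or not password[-digits:].isdigit():
        raise ValueError("password too short or OTP part not numeric")
    return password[:-digits], password[-digits:]


if __name__ == "__main__":
    key = b"12345678901234567890"                         # RFC 4226 test-vector secret, not a real seed
    print("HOTP counter 0:", hotp(key, 0))
    print("HOTP counter 0, SHA-256 variant:", hotp(key, 0, digestmod=hashlib.sha256))
    print("TOTP at t=59 (8 digits):", totp(key, 59, digits=8))
    pin, otp = split_pin_otp("1234" + hotp(key, 3))
    print("PIN", pin, "OTP", otp, "-> new counter", verify_event(key, otp, last_counter=0))
```

The look-ahead loop is why an event-based OTP "does not expire": the server simply waits for a counter it has not yet seen, however long ago the button was pressed, up to the configured look-ahead. The time-based check, by contrast, only compares against steps around the server's own clock, so the same OTP fails once that window has passed.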

