We were unable to find any reference material/documentation that specified the details the of OCRA suite(s) implemented in the product. Again, looking into the JS client we find the following: "OCRA-1:HOTP-SHA1-" + n + ":C-QA64" + g + a + b which suggests among other things that a SHA1 crytographic hash function is being used in the OTP computation.
Can we have detailed confirmation of OCRA suite employed including:
- full details of the cryptographic hash function employed including any truncations.
- full details of the data input specification
- Confirmation of whether the client has any control of the OCRA suite, e.g - can we change the hash function being used to at least SHA2 ?
As of now, there is only support for SHA1 crytographic hash function during OTP computation and no support for SHA2 algo. We can't change the hash function being used to SHA2 at client side without supporting it at client SDK side.