We were unable to find any reference material/documentation that specified the details the of OCRA suite(s) implemented in the product. Again, looking into the JS client we find the following: "OCRA-1:HOTP-SHA1-" + n + ":C-QA64" + g + a + b which suggests among other things that a SHA1 crytographic hash function is being used in the OTP computation.
Can we have detailed confirmation of OCRA suite employed including:
- full details of the cryptographic hash function employed including any truncations.
- full details of the data input specification
- Confirmation of whether the client has any control of the OCRA suite, e.g - can we change the hash function being used to at least SHA2 ?