Class SecretGenerator

java.lang.Object
io.github.pratiyush.totp.SecretGenerator

public final class SecretGenerator extends Object
Secure generator for TOTP secrets.

This class uses SecureRandom for cryptographically strong random number generation. Secrets are generated as raw bytes and then encoded to Base32 for compatibility with authenticator apps.

Security Recommendations

  • Use at least 160 bits (20 bytes) of entropy for SHA-1
  • Use at least 256 bits (32 bytes) for SHA-256
  • Use at least 512 bits (64 bytes) for SHA-512

Usage Examples

 // Generate a secret for the default SHA-1 setting (160 bits)
 String defaultSecret = SecretGenerator.generate();

 // Generate a secret sized for a specific HMAC algorithm
 String sha256Secret = SecretGenerator.generate(Algorithm.SHA256);

 // Generate a secret with a custom length
 String longSecret = SecretGenerator.generate(64); // 64 bytes = 512 bits

  • Field Summary

    Fields
    Modifier and Type    Field            Description
    static final int     DEFAULT_BYTES    Default secret size in bytes (160 bits for SHA-1 compatibility)
    static final int     MIN_BYTES        Minimum allowed secret size in bytes
  • Method Summary

    Modifier and Type    Method                                  Description
    static int           entropyBits(int base32Length)           Returns the entropy in bits for a given Base32 secret length.
    static String        generate()                              Generates a secret with default length (160 bits).
    static String        generate(int lengthBytes)               Generates a secret with the specified length in bytes.
    static String        generate(Algorithm algorithm)           Generates a secret with appropriate length for the specified algorithm.
    static byte[]        generateBytes(int length)               Generates raw random bytes.
    static boolean       isValid(@Nullable String base32Secret)  Validates that a secret meets minimum security requirements.
    static int           recommendedLength(Algorithm algorithm)  Returns the recommended secret length for a given algorithm.

    Methods inherited from class java.lang.Object

    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • DEFAULT_BYTES

      public static final int DEFAULT_BYTES
      Default secret size in bytes (160 bits, i.e. 20 bytes, for SHA-1 compatibility)
    • MIN_BYTES

      public static final int MIN_BYTES
      Minimum allowed secret size in bytes (16; generate(int) rejects smaller values)
  • Method Details

    • generate

      public static String generate()
      Generates a secret with default length (160 bits).

      This is compatible with Google Authenticator and provides adequate security for SHA-1 based TOTP.

      Returns:
      Base32 encoded secret
    • generate

      public static String generate(Algorithm algorithm)
      Generates a secret with appropriate length for the specified algorithm.
      Parameters:
      algorithm - the algorithm that will use this secret
      Returns:
      Base32 encoded secret
      Throws:
      NullPointerException - if algorithm is null
    • generate

      public static String generate(int lengthBytes)
      Generates a secret with the specified length in bytes.
      Parameters:
      lengthBytes - number of random bytes (minimum 16)
      Returns:
      Base32 encoded secret
      Throws:
      IllegalArgumentException - if lengthBytes is less than 16
    • generateBytes

      public static byte[] generateBytes(int length)
      Generates raw random bytes.

      The caller is responsible for clearing these bytes after use.

      Parameters:
      length - number of bytes to generate
      Returns:
      random bytes
    • isValid

      public static boolean isValid(@Nullable String base32Secret)
      Validates that a secret meets minimum security requirements; a null argument is rejected rather than throwing.
      Parameters:
      base32Secret - the Base32 encoded secret to validate
      Returns:
      true if the secret is valid, false for null or a secret that does not meet the minimum requirements
    • entropyBits

      public static int entropyBits(int base32Length)
      Returns the entropy in bits for a given Base32 secret length (each unpadded Base32 character encodes 5 bits).
      Parameters:
      base32Length - length of Base32 string (without padding)
      Returns:
      entropy in bits
    • recommendedLength

      public static int recommendedLength(Algorithm algorithm)
      Returns the recommended secret length for a given algorithm.
      Parameters:
      algorithm - the HMAC algorithm
      Returns:
      recommended Base32 string length
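The following stand-alone program is an added illustration of the mechanics this page describes (SecureRandom bytes, unpadded Base32 encoding, 5 bits of entropy per Base32 character, a 16-byte floor, and per-algorithm sizing); it is not the library's code. The class name SecretGeneratorDemo, its nested Algorithm enum and the Base32 encoder are assumptions made for the example; the real library's Algorithm type and field values may differ.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Locale;

/** Hypothetical sketch of a TOTP secret generator; not the library's implementation. */
public final class SecretGeneratorDemo {

    // RFC 4648 Base32 alphabet, used by authenticator apps for shared secrets.
    private static final String BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Assumed floor, matching the page's "minimum 16" for generate(int).
    static final int MIN_BYTES = 16;

    /** Assumed enum: HMAC algorithm paired with the secret size (bytes) it should get. */
    enum Algorithm {
        SHA1(20), SHA256(32), SHA512(64);
        final int secretBytes;
        Algorithm(int secretBytes) { this.secretBytes = secretBytes; }
    }

    /** Raw key material from a cryptographically strong generator; caller clears it. */
    static byte[] generateBytes(int length) {
        byte[] buf = new byte[length];
        RANDOM.nextBytes(buf);
        return buf;
    }

    /** Generate, encode, then wipe the raw bytes so only the encoded copy remains. */
    static String generate(int lengthBytes) {
        if (lengthBytes < MIN_BYTES) {
            throw new IllegalArgumentException("secret must be at least " + MIN_BYTES + " bytes");
        }
        byte[] raw = generateBytes(lengthBytes);
        try {
            return base32Encode(raw);
        } finally {
            Arrays.fill(raw, (byte) 0); // clear key material once it has been encoded
        }
    }

    static String generate(Algorithm algorithm) {
        return generate(algorithm.secretBytes);
    }

    /** RFC 4648 Base32 without padding: every 5 input bits become one character. */
    static String base32Encode(byte[] data) {
        StringBuilder out = new StringBuilder((data.length * 8 + 4) / 5);
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xFF);
            bits += 8;
            while (bits >= 5) {
                bits -= 5;
                out.append(BASE32_ALPHABET.charAt((buffer >> bits) & 0x1F));
            }
            buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
        if (bits > 0) { // left-align the leftover bits into a final character
            out.append(BASE32_ALPHABET.charAt((buffer << (5 - bits)) & 0x1F));
        }
        return out.toString();
    }

    /** Each unpadded Base32 character carries 5 bits, so 32 characters = 160 bits. */
    static int entropyBits(int base32Length) {
        return base32Length * 5;
    }

    /** Base32 length needed to carry the algorithm's recommended byte count. */
    static int recommendedLength(Algorithm algorithm) {
        return (algorithm.secretBytes * 8 + 4) / 5;
    }

    /** Well-formed Base32 (padding tolerated) carrying at least MIN_BYTES of entropy. */
    static boolean isValid(String base32Secret) {
        if (base32Secret == null) return false;
        String s = base32Secret.toUpperCase(Locale.ROOT).replace("=", "");
        for (char c : s.toCharArray()) {
            if (BASE32_ALPHABET.indexOf(c) < 0) return false;
        }
        return entropyBits(s.length()) >= MIN_BYTES * 8;
    }

    public static void main(String[] args) {
        for (Algorithm alg : Algorithm.values()) {
            String secret = generate(alg);
            System.out.printf("%-6s %3d chars (recommended %3d) %3d bits valid=%b%n",
                    alg, secret.length(), recommendedLength(alg),
                    entropyBits(secret.length()), isValid(secret));
        }
        // Constructed 8-character secret: only 40 bits, so it fails the floor.
        System.out.println("short secret valid? " + isValid("JBSWY3DP"));
    }
}
```

Running it prints one line per algorithm (SHA1 gives 32 characters, SHA256 52, SHA512 103) and `false` for the constructed short secret. The two design points worth carrying into any real deployment are the explicit entropy floor in isValid, which stops an undersized or hand-typed secret from being enrolled, and the finally block that zeroes the raw bytes, which is the caller-side counterpart of the "responsible for clearing these bytes" note on generateBytes.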