Re: [OAUTH-WG] authz code randomness (was: single use authorization codes)
Brian Campbell <bcampbell@pingidentity.com> Thu, 15 July 2010 14:23 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 86DAA3A691A for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 07:23:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0Tflzh+k+B8 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 07:23:12 -0700 (PDT)
Received: from na3sys009aog101.obsmtp.com (na3sys009aog101.obsmtp.com [74.125.149.67]) by core3.amsl.com (Postfix) with SMTP id 2D7B93A68F5 for <oauth@ietf.org>; Thu, 15 Jul 2010 07:23:12 -0700 (PDT)
Received: from source ([209.85.161.53]) by na3sys009aob101.postini.com ([74.125.148.12]) with SMTP ID DSNKTD8Z2VxGGjnuuzAUEw4NhpkrO60qhAEq@postini.com; Thu, 15 Jul 2010 07:23:23 PDT
Received: by mail-fx0-f53.google.com with SMTP id 19so565704fxm.40 for <oauth@ietf.org>; Thu, 15 Jul 2010 07:23:21 -0700 (PDT)
Received: by 10.223.121.147 with SMTP id h19mr666974far.76.1279203800158; Thu, 15 Jul 2010 07:23:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.105.135 with HTTP; Thu, 15 Jul 2010 07:22:50 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 15 Jul 2010 08:22:50 -0600
Message-ID: <AANLkTinBjLAm8bEGGcKiqmJjeZE1Hfb02dFT22Hn6SZf@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [OAUTH-WG] authz code randomness (was: single use authorization codes)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 14:23:14 -0000
I agree it's important but it belong in security considerations or perhaps somewhere in the definition of the Authorization Code itself? Either way here's some text that could be used as a starting point. I borrowed heavily from concepts and language in SAML regarding artifacts and IDs which bear many similarities (artifacts especially) to authorization codes. The Authorization Code value MUST be constructed from a cryptographically strong random or pseudo-random number sequence [RFC1750] generated by the Authorization Server. The probability of any two Authorization Code values being identical MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160). Also perhaps there should be a suggestion or requirement on the maximum size of the code as well? -Brian On Thu, Jul 15, 2010 at 1:23 AM, Igor Faynberg <igor.faynberg@alcatel-lucent.com> wrote: > An important point, which I think should be captured in the security > consideration section. > > Igor > > Torsten Lodderstedt wrote: >> >> what about guessing/brute force attacks on the code? Supposed an >> authorization server issuing tokens for a client w/o secret. Then the number >> of attempts needed to obtain a token issued to that client only depends on >> the length and randomness of the code. Should the spec state something about >> that? >> >> regards, >> Torsten.
- Re: [OAUTH-WG] authz code randomness (was: single… Brian Campbell
- Re: [OAUTH-WG] authz code randomness (was: single… Torsten Lodderstedt
- Re: [OAUTH-WG] authz code randomness (was: single… Brian Eaton
- Re: [OAUTH-WG] authz code randomness (was: single… Brian Campbell
- Re: [OAUTH-WG] authz code randomness (was: single… Brian Eaton
- Re: [OAUTH-WG] authz code randomness (was: single… Brian Campbell
- Re: [OAUTH-WG] authz code randomness (was: single… Eran Hammer-Lahav
- Re: [OAUTH-WG] authz code randomness (was: single… Brian Eaton
- Re: [OAUTH-WG] authz code randomness (was: single… Brian Campbell