IETF Logo Mail Archive

Re: [OAUTH-WG] authz code randomness (was: single use authorization codes)

Brian Campbell <bcampbell@pingidentity.com> Thu, 15 July 2010 14:23 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 86DAA3A691A for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 07:23:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0Tflzh+k+B8 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 07:23:12 -0700 (PDT)
Received: from na3sys009aog101.obsmtp.com (na3sys009aog101.obsmtp.com [74.125.149.67]) by core3.amsl.com (Postfix) with SMTP id 2D7B93A68F5 for <oauth@ietf.org>; Thu, 15 Jul 2010 07:23:12 -0700 (PDT)
Received: from source ([209.85.161.53]) by na3sys009aob101.postini.com ([74.125.148.12]) with SMTP ID DSNKTD8Z2VxGGjnuuzAUEw4NhpkrO60qhAEq@postini.com; Thu, 15 Jul 2010 07:23:23 PDT
Received: by mail-fx0-f53.google.com with SMTP id 19so565704fxm.40 for <oauth@ietf.org>; Thu, 15 Jul 2010 07:23:21 -0700 (PDT)
Received: by 10.223.121.147 with SMTP id h19mr666974far.76.1279203800158; Thu, 15 Jul 2010 07:23:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.105.135 with HTTP; Thu, 15 Jul 2010 07:22:50 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 15 Jul 2010 08:22:50 -0600
Message-ID: <AANLkTinBjLAm8bEGGcKiqmJjeZE1Hfb02dFT22Hn6SZf@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [OAUTH-WG] authz code randomness (was: single use authorization codes)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 14:23:14 -0000

I agree it's important but it belong in security considerations or
perhaps somewhere in the definition of the Authorization Code itself?

Either way here's some text that could be used as a starting point.  I
borrowed heavily from concepts and language in SAML regarding
artifacts and IDs which bear many similarities (artifacts especially)
to authorization codes.

    The Authorization Code value MUST be constructed from
    a cryptographically strong random or pseudo-random number
    sequence [RFC1750] generated by the Authorization Server.
    The probability of any two Authorization Code values being
    identical MUST be less than or equal to 2^(-128) and SHOULD
    be less than or equal to 2^(-160).

Also perhaps there should be a suggestion or requirement on the
maximum size of the code as well?

-Brian

On Thu, Jul 15, 2010 at 1:23 AM, Igor Faynberg
<igor.faynberg@alcatel-lucent.com> wrote:
> An important point, which I think should be captured in the security
> consideration section.
>
> Igor
>
> Torsten Lodderstedt wrote:
>>
>> what about guessing/brute force attacks on the code? Supposed an
>> authorization server issuing tokens for a client w/o secret. Then the number
>> of attempts needed to obtain a token issued to that client only depends on
>> the length and randomness of the code. Should the spec state something about
>> that?
>>
>> regards,
>> Torsten.

v2.23.0 | Report a Bug | By Email