Re: [OAUTH-WG] SPOP: Code Challenge Discussion

Bill Mills <> Wed, 03 December 2014 18:10 UTC

Date: Wed, 03 Dec 2014 18:10:07 +0000
From: Bill Mills <>
To: Hannes Tschofenig <>, "" <>

Quoting from 7.1:
"It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence."
So the spec is already recommending 256 bits of randomness, is that language not clear enough?

     On Wednesday, December 3, 2014 3:17 AM, Hannes Tschofenig <> wrote:

 Hi all,

I am trying to figure out how to progress the SPOP document and
therefore I read through the discussion about the code challenge, see

I wanted to share my view about this topic.

As a summary, the mechanism works as follows:

C: Compute code_verifier:=rand()
C: Compute code_challenge:=func(code_verifier)

(For this discussion, the function func() is SHA-256.)

C: Send(Authz Request + code_challenge,S)

S: store code_challenge
S: Send(Authz Grant,C)

C: Send(Access Token Request || code_verifier, S)

S: Compute code_challenge':=func(code_verifier)
S: IF (code_challenge'==code_challenge) THEN SUCCESS ELSE FAIL.

The document currently does not say how much entropy the random number
has to have.

The text only talks about the output size and SHA-256 indeed produces a
256 bit output.

Here is the relevant text:

  NOTE: code verifier SHOULD have enough entropy to make it impractical
  to guess the value.  It is RECOMMENDED that the output of a suitable
  random number generator be used to create a 32-octet sequence.

I suggest recommending at least 128 bits, which is in line with the
recommendations for symmetric ciphers in

I would also suggest to reference RFC 4086 concerning the creation of
random numbers.

Furthermore, since you allow other hash functions to be used as well it
would be good to give guidance about what the properties of those hash
functions should be. You definitely want a cryptographic hash function
that provides pre-image resistance, second pre-image resistance, and
collision resistance.

Given the size of the input and output it is impractical to compute a
table that maps code_verifiers to code_challenges.

This mechanism provides better properties than the "plain" mechanism
since it deals with an attacker that can see responses as well as
requests (but cannot modify them). It does not provide any protection
against a true man-in-the-middle attacker.

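Below, as an added example that is not part of either message in this thread, is a Python sketch of the C/S exchange Hannes summarised, with the SHA-256 ("S256") and "plain" methods side by side and a check of the case from his last paragraph: an attacker who sees the authorization request and the grant but cannot modify them. The unpadded base64url encoding of the random octets and of the digest, the one-shot use of the authorization code, the constant-time comparison and the `AuthorizationServer` class are assumptions made for this sketch, not text from the draft.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# Added example, not code from the draft or from either message in the thread.
# Encoding the verifier and challenge as unpadded base64url is an assumption.


def b64url(data: bytes) -> str:
    """Unpadded base64url, so the values survive a query string untouched."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_octets: int = 32, rng=secrets.token_bytes) -> str:
    """C: code_verifier := rand().

    Default is the 32 octets (256 bits) the draft RECOMMENDS; anything under the
    128-bit floor suggested in the thread is refused. `rng` is injectable only so
    the example is testable; in practice use a CSPRNG (secrets / os.urandom)."""
    if n_octets < 16:
        raise ValueError("code_verifier needs at least 128 bits of entropy")
    return b64url(rng(n_octets))


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """C: code_challenge := func(code_verifier).

    func is SHA-256 for "S256" and the identity for "plain"."""
    if method == "S256":
        return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


class AuthorizationServer:
    """Server side of the exchange: remember the challenge, check the verifier."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """S: store code_challenge; S: Send(Authz Grant, C)."""
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """S: code_challenge' := func(code_verifier); SUCCESS iff it matches.

        The code is consumed on first use (assumption: one-shot grants) and the
        comparison is constant-time, so a wrong verifier leaks no timing signal."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return False
        stored_challenge, method = entry
        try:
            recomputed = make_code_challenge(code_verifier, method)
        except ValueError:
            return False
        return hmac.compare_digest(recomputed, stored_challenge)


def run_exchange(method: str, redeem_with) -> bool:
    """One full C/S exchange. `redeem_with(verifier, challenge)` chooses what is
    presented at the token endpoint, so the same flow models either the honest
    client or an eavesdropper who only ever saw the challenge and the grant."""
    server = AuthorizationServer()
    code_verifier = make_code_verifier()
    code_challenge = make_code_challenge(code_verifier, method)
    code = server.authorize(code_challenge, method)  # both values visible on the wire
    return server.token(code, redeem_with(code_verifier, code_challenge))


def demo(method: str = "S256") -> tuple[bool, bool]:
    """Return (client_succeeds, passive_eavesdropper_succeeds).

    The eavesdropper is the attacker of the thread's last paragraph: it reads
    the authorization request (so it has code_challenge) and the grant (so it
    has the code) but cannot modify either and never sees code_verifier. Its
    best move is to replay the challenge as if it were the verifier."""
    client_ok = run_exchange(method, lambda verifier, challenge: verifier)
    eavesdropper_ok = run_exchange(method, lambda verifier, challenge: challenge)
    return client_ok, eavesdropper_ok


if __name__ == "__main__":
    print("S256 :", demo("S256"))   # (True, False): the challenge is not the verifier
    print("plain:", demo("plain"))  # (True, True): the challenge is the verifier
```

With "plain" the eavesdropper wins because code_challenge and code_verifier are the same string; with "S256" it holds only SHA-256(code_verifier), and the pre-image resistance Hannes asks for is exactly what stops it from redeeming the grant. The sketch does not model the true man-in-the-middle of the last paragraph: an attacker who can rewrite the authorization request can substitute a challenge for a verifier it knows, and nothing in this mechanism detects that.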