Re: [OAUTH-WG] OAuth token entropy

Oleg Gryb <oleg_gryb@yahoo.com> Sun, 04 November 2012 17:41 UTC

From: Oleg Gryb <oleg_gryb@yahoo.com>
Reply-To: oleg@gryb.info
To: oleg@gryb.info, John Bradley <ve7jtb@ve7jtb.com>
Cc: oauth <oauth@ietf.org>
Date: Sun, 04 Nov 2012 09:41:37 -0800
Message-ID: <1352050897.2907.YahooMailClassic@web121004.mail.ne1.yahoo.com>
In-Reply-To: <E0A32403-9094-49F4-BEEA-29A361C998C5@ve7jtb.com>
Subject: Re: [OAUTH-WG] OAuth token entropy

John,

It makes perfect sense to add client_id and verification as you've described, since unlike 1.0, client secrets and signatures are not required in 2.0. Still, if a public client is a big high-volume website that talks to a big authorization server (e.g. Yahoo to FB), having good entropy (at least 128 bits) is a good idea.

Another good idea would be to make a provision in the spec saying that the entropy will most likely increase in future OAuth versions. It would help implementers make their systems (both clients and authz servers) more flexible and avoid 2K-like effects in the future.

Just think about how fast the opinion on "safe" symmetric-key entropy in SSL has changed over the last 15 years. That opinion was changing so fast that some privacy/compliance officers could not keep up with the pace and continued writing in their official privacy policies something like: "your private information is protected in transit by SSL with strong 56-bit encryption", in which case I had to go back to them and ask them to remove the number of bits from the policy to make it more universal and durable :)

--- On Fri, 11/2/12, John Bradley <ve7jtb@ve7jtb.com> wrote:

From: John Bradley <ve7jtb@ve7jtb.com>
Subject: Re: [OAUTH-WG] OAuth token entropy
To: oleg@gryb.info
Cc: "oauth" <oauth@ietf.org>
Date: Friday, November 2, 2012, 5:40 PM

The change we did to the last-ish draft of OAuth to have the client send its client ID to the token endpoint even if it is not using a password reduces the need for additional entropy.
Originally, for public clients using code, an attacker had the address space of all the in-flight codes for all clients. We reduced that to only being able to attack one client_id at a time.
For confidential clients it should not be possible to brute force the token endpoint.
Trying to explain all the issues is hard, so those are not bad defaults; 128 bits is a 20-character password using the printable ASCII character set for out-of-band code delivery.
John B.
On 2012-11-02, at 3:58 PM, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
Thanks, Brian. "Must" for 128 bits makes perfect sense. 160 bits looks good as a recommended entropy as well.

WG,

Please update the doc. It's important to provide clear guidelines for OAuth implementers, which are many nowadays. 

--- On Fri, 11/2/12, Brian Campbell <bcampbell@pingidentity.com> wrote:

From: Brian Campbell <bcampbell@pingidentity.com>
Subject: Re: [OAUTH-WG] OAuth token entropy
To: "Oleg Gryb" <oleg@gryb.info>
Cc: "Torsten Lodderstedt" <torsten@lodderstedt.net>, "oauth" <oauth@ietf.org>
Date: Friday, November 2, 2012, 2:19 PM

I believe the original text (which was borrowed from elsewhere) had a must followed by a should rather than two shoulds like that. The text seems to have drifted a bit in various places, but the threat model text should probably be aligned with what's in core OAuth at http://tools.ietf.org/html/rfc6749#section-10.10




On Fri, Nov 2, 2012 at 10:16 AM, Oleg Gryb <oleg_gryb@yahoo.com> wrote:


Can somebody please provide clarification for this:


http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2

5.1.4.2.2.  High entropy of secrets...
   The probability of any two Authorization Code
   values being identical should be less than or equal to 2^(-128) and
   should be less than or equal to 2^(-160).

Is there any reason why we have two inclusive conditions in this statement or is it a typo and you meant something else?
 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
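As an added illustration (not code from the thread or from any OAuth implementation), the block below works through two points the messages above make in prose: the arithmetic behind John's "128 bits is a 20-character printable-ASCII password" figure, and why binding an authorization code to the client_id presented at the token endpoint shrinks a guesser's target from every in-flight code to the in-flight codes of one client. The `CodeStore` class, its in-memory dict, and the `client-a`/`client-b` identifiers are assumptions made for the example; a real authorization server would persist codes and authenticate confidential clients before this check.

```python
"""Authorization-code entropy and client_id binding (added example, not from the thread)."""
import base64
import math
import secrets
import time

PRINTABLE_ASCII = 95      # 0x20..0x7E, the alphabet John's 20-character figure assumes
BASE64URL = 64
HEX = 16


def chars_needed(bits: int, alphabet_size: int) -> int:
    """Fewest characters drawn uniformly from `alphabet_size` symbols that carry >= `bits` of entropy.
    128 bits over printable ASCII: 128 / log2(95) = 19.48 -> 20 characters."""
    return math.ceil(bits / math.log2(alphabet_size))


def new_authorization_code(bits: int = 128) -> str:
    """Opaque code holding `bits` of CSPRNG entropy, base64url without padding (22 chars for 128 bits)."""
    raw = secrets.token_bytes(math.ceil(bits / 8))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def guess_success_probability(in_flight: int, bits: int) -> float:
    """Chance that one random guess at the token endpoint matches a live code."""
    return in_flight / 2 ** bits


def _clock(now):
    return time.time() if now is None else now


class CodeStore:
    """Minimal in-memory code store (assumed for the example; not a real AS)."""

    def __init__(self, ttl_seconds: int = 600, bits: int = 128):
        self._codes = {}
        self.ttl = ttl_seconds
        self.bits = bits

    def issue(self, client_id: str, redirect_uri: str, now=None) -> str:
        """Mint a fresh code and remember which client and redirect_uri it was issued to."""
        code = new_authorization_code(self.bits)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "expires": _clock(now) + self.ttl,
        }
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str, now=None) -> bool:
        """Token-endpoint check: the code must exist, be unexpired, and belong to the
        presenting client_id and redirect_uri.  Every lookup consumes the code, so a
        guess against the wrong client_id burns it instead of leaving it live."""
        entry = self._codes.pop(code, None)
        if entry is None or _clock(now) > entry["expires"]:
            return False
        same_client = secrets.compare_digest(entry["client_id"].encode(), client_id.encode())
        same_uri = secrets.compare_digest(entry["redirect_uri"].encode(), redirect_uri.encode())
        return same_client and same_uri

    def in_flight(self, client_id: str = None, now=None) -> int:
        """Unexpired codes an attacker could collide with: all of them, or only one client's."""
        t = _clock(now)
        return sum(
            1
            for e in self._codes.values()
            if e["expires"] > t and (client_id is None or e["client_id"] == client_id)
        )


if __name__ == "__main__":
    for size in (PRINTABLE_ASCII, BASE64URL, HEX):
        print(f"128 bits over {size}-symbol alphabet: {chars_needed(128, size)} chars")
    store = CodeStore()
    for _ in range(1000):
        store.issue("client-a", "https://a.example/cb")
    store.issue("client-b", "https://b.example/cb")
    print("guess probability, all clients :", guess_success_probability(store.in_flight(), 128))
    print("guess probability, client-b only:", guess_success_probability(store.in_flight("client-b"), 128))
```

The `redeem` method consumes the code on any attempt, including a client_id mismatch; RFC 6749 section 4.1.2 asks the server to revoke a code that is presented more than once, and treating a mismatch the same way is a deliberate choice here rather than something the spec mandates.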