Re: [OAUTH-WG] MAC: Age in nonce
Michael Thomas <mike@mtcc.com> Mon, 21 November 2011 19:03 UTC
Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73FAE21F8B34 for <oauth@ietfa.amsl.com>; Mon, 21 Nov 2011 11:03:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rgioIuM94Gz for <oauth@ietfa.amsl.com>; Mon, 21 Nov 2011 11:03:19 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id D03AE21F8783 for <oauth@ietf.org>; Mon, 21 Nov 2011 11:03:19 -0800 (PST)
Received: from piolinux.mtcc.com (65-165-164-67.du.volcano.net [65.165.164.67]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pALJ3FX2025267 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Nov 2011 11:03:16 -0800
Message-ID: <4ECAA070.2040100@mtcc.com>
Date: Mon, 21 Nov 2011 11:03:12 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: Blaine Cook <romeda@gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF6@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAz=scmJyw+ujNZFa8T3kYA1WbLZjUuQ12OP3SfvsdmES0PzaQ@mail.gmail.com>
In-Reply-To: <CAAz=scmJyw+ujNZFa8T3kYA1WbLZjUuQ12OP3SfvsdmES0PzaQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2961; t=1321902197; x=1322766197; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20MAC=3A=20Age=20in=20nonce |Sender:=20 |To:=20Blaine=20Cook=20<romeda@gmail.com> |Content-Type:=20text/plain=3B=20charset=3DUTF-8=3B=20forma t=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=fbP5uet5Ih14ViaWN0SywhRdekSrj0oh+gPISWXafog=; b=iPDR7GujfKmELNoBAtCFGuTV++hBmmP/IZB8Zw+iBnoadPl+L0rtd0c1xP yiZkNnfDOL5o/GgPgjqxSTWX0PlpbQQP93ZCL9JwwIWvIlAxH9r9yvbl9NDX g9/g+yWE8268z0aH4hTcfdzTXRyNSebxrsniJGUatdruZvTF2vn0A=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: Age in nonce
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2011 19:03:24 -0000
By unique, does that mean statistically unique or verifiably unique? That is, do I need store the nonce or can I just gin up a bunch of entropy of suitable collision resistance? The latter is generally preferable. Mike Blaine Cook wrote: > +1. This is good. > > On 19 November 2011 16:41, Eran Hammer-Lahav <eran@hueniverse.com> wrote: >> We had a long discussion about what to use for the numerical component of >> the nonce string. I would like to suggest we use: >> >> >> >> nonce >> >> REQUIRED. A unique string generated by the client to allow the >> >> server to verify that a request has never been made before and >> >> helps prevent replay attacks when requests are made over an >> >> insecure channel. The nonce value MUST be unique across all >> >> requests with the same MAC key identifier. >> >> >> >> The nonce value MUST consist of an age, a colon character >> >> (%x25), and a unique string (typically random). The age >> >> portion MUST be a monotonically increasing, but not necessarily >> >> unique, positive integer value. The change in the age value >> >> between requests MUST reflect the number of seconds elapsed. >> >> For example, the age can be a client timestamp expressed as >> >> seconds since 01-01-1970 or since the credentials were issued >> >> to the client. The value MUST NOT include leading zeros (e.g. >> >> "000273156"). For example: "273156:di3hvdf8" >> >> >> >> To avoid the need to retain an infinite number of nonce values >> >> for future checks, the server MAY choose to restrict the time >> >> period after which a request with an old age is rejected. If >> >> such a restriction is enforced, the server SHOULD allow for a >> >> sufficiently large window to accommodate network delays. The >> >> server SHOULD use the first age value received from the client >> >> to establish a method for comparing the server time with that >> >> of the client. In addition, the server SHOULD accommodate small >> >> negative changes in age values caused by differences between >> >> the multiple clocks of a distributed client configuration >> >> utilizing more than one device. >> >> >> >> This text keeps the age as a seconds count but uses the first request to >> establish a clock sync on the server side instead of mandating one way to >> calculate it. >> >> >> >> Feedback? >> >> >> >> EHL >> >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] MAC: Age in nonce Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC: Age in nonce Blaine Cook
- Re: [OAUTH-WG] MAC: Age in nonce Michael Thomas