Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add requirements for random value entropy #2411

Open
randomstuff opened this issue Nov 25, 2024 · 2 comments
Open

Add requirements for random value entropy #2411

randomstuff opened this issue Nov 25, 2024 · 2 comments
Labels
3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos V6 _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@randomstuff
Copy link
Contributor

randomstuff commented Nov 25, 2024
edited
Loading

Several standards and other references have requirements about entropy of random values.

NIST sp800-63n:

Random values are extensively used in authentication processes, such as nonces and authentication secrets. Unless otherwise specified, random values that reference this section SHALL be generated by an approved random bit generator [RBG]4 that provides at least the minimum security strength specified in the latest revision of [SP800-131A] (112 bits as of the date of this publication).

NIST sp800-63c about Federated user ID (eg. OpenID Connect "sub" claims):

The PPI SHALL contain no identifying information about the subscriber (e.g., username, email address, employee number, etc.). The PPI SHALL be difficult to guess by a party having access to information about the subscriber, having at least 112 bits of entropy as stated in [SP800-131A]. PPIs can be generated randomly and assigned to subscribers by the IdP or could be derived from other subscriber information if the derivation is done in an irreversible, unguessable manner (e.g., using a keyed hash function with a secret key as discussed in [SP800-131A]).

OAuth 2.1 draft:

The probability of an attacker guessing generated tokens (and other credentials not intended for handling by end users) MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).

This would apply to challenge_verifier, OIDC nonce, generated client_secret, etc.

FAPI 2.0:

Credentials not intended for handling by end-users (e.g., access tokens, refresh tokens, authorization codes, etc.) shall be created with at least 128 bits of entropy such that an attacker correctly guessing the value is computationally infeasible. Cf. Section 10.10 of [RFC6749].

Percival's Cryptographic Right Answers (2009):

Random IDs: Use 256-bit random numbers.

Ptacek's Cryptographic Right Answers (2015):

Random IDs (Was: Use 256-bit random numbers): Remains: use 256-bit random numbers.

Latacora's Cryptographic Right Answers (2018):

Latacora, 2018: Use 256-bit random numbers.

Latacora's Cryptographic Right Answer: Post Quantum Edition (2024):

Use 256-bit random numbers. Be careful with the source though, use /dev/urandom.

Possible options:

  • Add requirement in V6.3 Random Values
  • Add requirement in V51 OAuth and OIDC
  • Add requirement in V3 Session Management
@tghosth
Copy link
Collaborator

tghosth commented Nov 25, 2024

What would be the proposed change in 6.3? @randomstuff

@tghosth tghosth added 3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos _5.0 - prep This needs to be addressed to prepare 5.0 V6 labels Nov 25, 2024
@randomstuff
Copy link
Contributor Author

(Added: « Add requirement in V3 Session Management »)

@randomstuff randomstuff mentioned this issue Nov 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos V6 _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@randomstuff @tghosth