That actually makes me wonder what you would need to do to recover a token secret. If you don't have any access to traffic (i.e., if you're off-path), then you basically have to try all possible secrets against the Provider -- which the Provider can prevent by limiting query rates to anything reasonable.
If you're on-path, then it depends on the signature option. If the signers are using PLAINTEXT, then they're hosed no matter what (no time needed). Otherwise, an attacker has to crack either HMAC-SHA1 or RSA-SHA1, neither of which is currently believed feasible in O(many, many years). Am I misunderstanding something, or is the two-week thing kind of pointless? Just limit the rate of authentication (to, say, 1000/sec if you've got 25 bits or so of entropy; you'll be good for at least a year) and don't use PLAINTEXT signatures.

--Richard

On Thu, Jul 23, 2009 at 3:42 PM, Mr-Yellow <[email protected]> wrote:
>
> The spec doesn't define a max length... Instead....
>
> "For example, if Token Secrets are valid for two weeks, Service
> Providers should ensure that it is not possible to mount a brute force
> attack that recovers the Token Secret in less than two weeks. Of
> course, Service Providers are urged to err on the side of caution, and
> use the longest secrets reasonable."
>
> However, with most providers making their tokens infinite expiry, this
> is kind of defeated as an approach.
>
> It's also impossible to determine what can be done in X weeks. For a
> big botnet owner they might have enough CPU to crack the longest keys
> in less than any token expiry period measured in weeks.
>
> It'd be nice from a developer's standpoint to have some indication of
> how large to make our database fields for recording tokens. Maybe the
> brute-force aspects can be better mitigated elsewhere, as it seems no-
> one is following the spec in regards to expiry recommendations.
>
> Just spent hours looking for what turned out to be a truncated token
> because I didn't make a database field long enough. I don't often jump
> straight to 255 characters for a varchar field.
>
> -Ben
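The arithmetic behind the rate-limit suggestion and the PLAINTEXT versus HMAC-SHA1 point, worked through as an added example; this is not code from the thread or from any OAuth library. It computes how long an off-path attacker needs to exhaust a secret of a given entropy when the Provider caps verification attempts at a fixed rate, the minimum entropy for a given cap and token lifetime, how many bits a secret of a given character length actually carries, and what an on-path observer sees in the oauth_signature value under each method. The HMAC-SHA1 case uses the published OAuth Core 1.0 Appendix A test vector; the rates, lifetimes and the 32-character base62 secret in the worked numbers are assumptions.

```python
import base64
import hashlib
import hmac
import math
from urllib.parse import quote

# Assumed lifetimes for the worked numbers, in seconds.
ONE_YEAR = 365 * 24 * 3600
TWO_WEEKS = 14 * 24 * 3600


def percent_encode(s: str) -> str:
    # OAuth 1.0 encodes with RFC 3986 unreserved characters only.
    return quote(s, safe="-._~")


def worst_case_seconds(entropy_bits: int, guesses_per_second: float) -> float:
    """Time for an off-path attacker to try every possible secret when the
    Provider caps verification attempts against one token at
    guesses_per_second. Expected time to success is half of this."""
    return (2 ** entropy_bits) / guesses_per_second


def min_entropy_bits(guesses_per_second: float, lifetime_seconds: float) -> int:
    """Smallest whole number of bits for which exhausting the space at the
    capped rate takes longer than the token lifetime."""
    return math.ceil(math.log2(guesses_per_second * lifetime_seconds))


def entropy_bits_for_length(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols drawn from
    an alphabet of `alphabet_size` (e.g. 62 for [A-Za-z0-9])."""
    return length * math.log2(alphabet_size)


def plaintext_signature(consumer_secret: str, token_secret: str) -> str:
    """OAuth 1.0 PLAINTEXT: the two secrets joined by '&' *are* the signature."""
    return percent_encode(consumer_secret) + "&" + percent_encode(token_secret)


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """OAuth 1.0 HMAC-SHA1: the same key material, but only the MAC is sent."""
    key = (percent_encode(consumer_secret) + "&" + percent_encode(token_secret)).encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def secret_on_wire(signature: str, token_secret: str) -> bool:
    """What an on-path observer learns for free: is the token secret a
    substring of the oauth_signature value it just captured?"""
    return percent_encode(token_secret) in signature


# Test vector from OAuth Core 1.0, Appendix A: consumer secret, token secret
# and the signature base string for the example GET request.
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
BASE_STRING = (
    "GET&http%3A%2F%2Fphotos.example.net%2Fphotos&"
    "file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26"
    "oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26"
    "oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26"
    "oauth_version%3D1.0%26size%3Doriginal"
)


if __name__ == "__main__":
    # Off-path: what a Provider-enforced cap buys for a given secret size.
    for bits in (25, 35, 64):
        days = worst_case_seconds(bits, 1000) / 86400
        print(f"{bits:2d}-bit secret at 1000 guesses/sec: {days:,.2f} days worst case")
    print("bits needed, 1000/sec for a year:    ", min_entropy_bits(1000, ONE_YEAR))
    print("bits needed, 1000/sec for two weeks: ", min_entropy_bits(1000, TWO_WEEKS))
    print("bits in a 32-char base62 secret:     ", round(entropy_bits_for_length(32, 62), 1))

    # On-path: the secret is in the PLAINTEXT signature and not in the MAC.
    pt = plaintext_signature(CONSUMER_SECRET, TOKEN_SECRET)
    hm = hmac_sha1_signature(BASE_STRING, CONSUMER_SECRET, TOKEN_SECRET)
    print("PLAINTEXT signature:", pt, "-> secret visible:", secret_on_wire(pt, TOKEN_SECRET))
    print("HMAC-SHA1 signature:", hm, "-> secret visible:", secret_on_wire(hm, TOKEN_SECRET))
```

Note that `guesses_per_second` has to be the Provider's cap on verification attempts against one token, counted across all sources, not a per-IP limit; a botnet spreads its guesses over many addresses, so a per-IP cap does not bound the attacker's total rate. The length-to-bits helper only holds if the secret is uniformly random; a secret of the same length drawn from a weak generator has less entropy than the formula reports.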
