>>> Seth, I actually think that enforcing nonces should make this attack >>> impossible for guessing OAuth signatures (assuming you enforce nonces >>> for malformed requests). If you can only get a good/bad response once >>> then you're out of luck. >> >> I was thinking that the attacker would be attempting to guess consumer >> and token keys and secrets, not signatures. With that approach, you >> can continue generating valid requests using different keys and >> secrets ad infinitum. Thus, checking nonces and timestamps is >> irrelevant. > > Never mind. I'm wrong. We're talking about signature comparisons > here, not keys.
Yea, the consumer key isn't secure and the consumer secret is never directly compared so there'd be no way to perform this sort of attack. On a completely unrelated side note, does anyone else think this sort of attack sounds really similar to the sort of real-world lock vulnerability described in this paper: http://www.crypto.com/masterkey.html. Just thought that was interesting. Mike --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
