Requirement on token lengths may less than core OAuth requires

Issue #132 resolved
Joseph Heenan created an issue

FAPI Part one says:

[the AS] shall provide opaque non-guessable access tokens with a minimum of 128 bits as defined in section of [RFC6819].

whereas says :

The authorization server MUST prevent attackers from guessing access tokens, authorization codes, refresh tokens, resource owner passwords, and client credentials. The probability of an attacker guessing generated tokens (and other credentials not intended for handling by end-users) MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).

To me, that makes the requirement in FAPI too weak. 128 bits of length (where the token is only using ASCII) is less than 112 bits of entropy.

We'd need to be insisting on something over 182 bits to come anywhere close to meeting that 'SHOULD' I believe?

Comments (8)

  1. Ralph Bragg

    Joseph, I completely agree, i believe the majority of the openbanking ASPSPs are using encrypted JWTs as the access token which should meet this requirement. Can you let me know if you've found any that aren't and i'll get this clarified by the ISWG.

  2. Nat Sakimura
    • changed status to open

    Good catch. Actually, we should file an errata against RFC6819 as well on this one.

    For Part 1, we should change 5.2.2 -16 as

    1. shall provide opaque non-guessable access tokens with a minimum of 128 bits of entropy
  3. Joseph Heenan reporter

    @Nat I don't believe that's sufficient to comply with RFC6749 either. If you have exactly 128 bits of entropy but the AS has issued two access tokens, then your probably of guessing the token is higher than 2^(-128) by a tiny amount. As the number of access tokens issued by the AS increases, the probability of a correct guess increases.

    I will suggest some wording. Perhaps just suggesting 192 or 256 bits of entropy is the easiest solution?

    (Just as an aside, I tried to work out the mapping between entropy and token length: If we assume a base64 / base64url encoded token, you get [at most] 6 bits of entropy per byte, so a token with 128 bits of entropy has a minimum length of 22 characters or 171 bits.)

  4. Tom Jones

    looking at it seems that authorization bearer tokens can be placed in a url in the general case So the token should not be expanded for all uses beyond what is necessary these are visible to many attackers and should remain secure. While i have no problem with a token in a body requiring 30 characters, i worry about the url case I will try to get a better meaning of "guess-ability" but looking at the docs, that might take a while. so if you need to progress, i would not object to an intermediate value, especially of the security concerns and options were spell out. I will try to do that after dinner.

  5. Tom Jones

    Good morning - i reviewed the guess-ability literature and found that while good formulae exist, the calculations are are more involved than i care to make ( In any case my objection on length is probably not so important if talking about 22 characters versus 30 characters. Still we are talking about one chance in 340 billion billion billion billion versus one chance in 340 thousand billion billion billion. Not a problem i worry about. The proposed rewording is really hard for an SDE to read, Also the issue is the number of valid tokens at any one time, which is not clear. my calculation is that at most 166 bits of entropy are to be required, which can be encoded in 28 ascii characters, which is what the SDE wants to know.

    shall provide opaque access tokens where the probability of an attacker guessing the generated token is less than or equal to 2^(-160). For example, on a server which issues less than 1,000,000 access tokens a token length of 240 bits with 180 bits of entropy meets this requirement; +>>>

  6. Joseph Heenan reporter

    Apologies for the delay. I've spent a little while considering this today and I'd like to suggest this:

    shall provide opaque non-guessable access tokens with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per [RFC6749] section 10.10;

    I have deliberately removed the reference to RFC6819, as it seems to be talking solely about token length when it refers to 128bit.

    Please let me know your thoughts.

  7. Nat Sakimura

    Bring access token requirements inline with RFC6749 section 10.10

    Our previous minimum on the length of the token appears to be lower than RFC6749 calls for.

    To address this we take two actions:

    1. Change from 128 bit token to token with 128 bits of entropy

    2. We take the 'should' clause from RFC6749, turn it into a shall (which seems reasonable given FAPI needs to be hitting the high end of any security requirement, and add a practical example to avoid misinterpretation of the requirement.

    Based on the assumption that a token can only have a maximum of 6 bits of entropy for each 8 bit byte (which mainly comes from the requirement that tokens can only use some subset of ASCII) this implies the token needs to be at least 22 characters long.

    It is left as an exercise for the implementor how to fully achieve the guessability restriction in RFC6749, for example through the use of rate limiting or IP blacklisting for repeated attempst to use bad access tokens.

    fixes #132

    → <<cset 0767a115d56c>>

  8. Log in to comment