From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 29 October, 2014 1:44:38 PM
Subject: Re: [keycloak-dev] Proposed changes to access code
Should clientSession.id be added to the hash?
On 10/29/2014 6:27 AM, Marek Posolda wrote:
> Yep, it seems that signing and then computing hash of the signature is
> quite an overhead, which is not needed. Especially with additionally
> added uniqueness of ActionKey. So +1 from me
>
> Marek
>
> On 28.10.2014 14:09, Stian Thorgersen wrote:
>> We have a few issues with how we generate access codes:
>>
>> * Abuse of RSA
>> * SHA-1 is no good
>> * Action + timestamp is guessable (this may just be theoretical)
>> * Both key and code query params sent in emails (making the links longer
>> than necessary)
>>
>> To resolve these issues I propose:
>>
>> * When realm keys are updated we generate a realm code secret (UUID) -
>> this is a secret required to create valid codes
>> * When the action and timestamp is updated we generate an action key (UUID)
>> - this is a unique identifier for that specific action
>>
>> Then an access code is created with:
>>
>> MessageDigest digest = MessageDigest.getInstance("sha-256");
>> digest.update(realm.getCodeSecret());
>> digest.update("/".getBytes());
>> digest.update(clientSession.getActionKey());
>>
>> String hash = Base64Url.encode(digest.digest());
>>
>> StringBuilder sb = new StringBuilder();
>> sb.append(hash);
>> sb.append(".");
>> sb.append(clientSession.getId());
>>
>> String code = sb.toString();
>>
>> An example access code will now be:
>>
>>
>> Ld_L-Ta-tSpQMxGimEIpM4rq57KoplcN_3QxujUsMlM.6d102340-a7fd-44b8-93fd-ed6a8e8a4a15
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
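Both sides of the scheme Stian proposes, as an added example that is not code from the thread or from Keycloak itself: it assumes unpadded URL-safe Base64 in place of Keycloak's Base64Url.encode, a plain map standing in for the client-session store, and a bindSessionId flag for the variant Bill asks about (clientSession.id folded into the hash).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.UUID;

public class AccessCodeExample {
    // Proposed scheme: hash = SHA-256(codeSecret + "/" + actionKey); bindSessionId = true is the
    // variant Bill asks about, with clientSession.id folded into the hashed input as well.
    static String codeHash(String codeSecret, String actionKey, String sessionId,
                           boolean bindSessionId) throws Exception {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.update(codeSecret.getBytes(StandardCharsets.UTF_8));
        digest.update("/".getBytes(StandardCharsets.UTF_8));
        digest.update(actionKey.getBytes(StandardCharsets.UTF_8));
        if (bindSessionId) {
            digest.update("/".getBytes(StandardCharsets.UTF_8));
            digest.update(sessionId.getBytes(StandardCharsets.UTF_8));
        }
        // Unpadded URL-safe Base64 stands in for Keycloak's Base64Url.encode (assumption).
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest.digest());
    }
    // Verifier side: the session id after the '.' is only a lookup key; the action key stored for
    // that session plus the realm code secret decide whether the hash part is valid.
    static boolean verifyCode(String code, String codeSecret, Map<String, String> actionKeyBySession,
                              boolean bindSessionId) throws Exception {
        int dot = code.lastIndexOf('.');
        if (dot < 0) return false;
        String sessionId = code.substring(dot + 1);
        String actionKey = actionKeyBySession.get(sessionId);
        if (actionKey == null) return false; // unknown or expired client session
        String expected = codeHash(codeSecret, actionKey, sessionId, bindSessionId);
        // Constant-time comparison so the check does not leak how much of the hash matched.
        return MessageDigest.isEqual(code.substring(0, dot).getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        String codeSecret = UUID.randomUUID().toString(); // constructed realm.getCodeSecret()
        String sessionId = UUID.randomUUID().toString();  // constructed clientSession.getId()
        String actionKey = UUID.randomUUID().toString();  // constructed clientSession.getActionKey()
        String code = codeHash(codeSecret, actionKey, sessionId, false) + "." + sessionId;
        System.out.println(code + " valid=" + verifyCode(code, codeSecret, Map.of(sessionId, actionKey), false));
        // Regenerating the action key (new action or timestamp) invalidates every earlier code.
        System.out.println("after action key change valid="
                + verifyCode(code, codeSecret, Map.of(sessionId, UUID.randomUUID().toString()), false));
    }
}
```

With bindSessionId = false the session id is not covered by the digest, so swapping it for another session's id only changes which action key the verifier looks up; the hash is still checked against that session's key and the realm secret.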