[Openid-specs-ab] Transient Client Secret Extension for OAuth

Nat Sakimura sakimura at gmail.com
Mon Jul 29 06:29:58 UTC 2013


I have thought of that, and I do not think so.
Adding salt amounts to expanding the entropy of the input string.
So, having enough bit length in the transient secret to start with has the
same effect.
Since the validity period of the transient secret is rather short, you
cannot do the offline attack.
The attacker has to have the rainbow table to start with.

What we want to make sure is that len(tcs) > max_len(available rainbow
table).



2013/7/29 John Bradley <ve7jtb at ve7jtb.com>

> Thinking about it overnight we need to also have a salt sent with the
> hash, to prevent rainbow tables attacks.
>
> On 2013-07-28, at 9:39 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>
> As some of you knows, passing the code securely to a native app on iOS
> platform is next to impossible. Malicious application may register the same
> custom scheme as the victim application and hope to obtain the code, whose
> success rate is rather high.
>
> We have discussed about it during the OpenID Conenct Meeting at IETF 87
> today, and I have captured the discussion in the form of I-D. It is pretty
> short and hopefully easy to read.
>
> You can find it at:
>
> https://bitbucket.org/Nat/drafts/src/
>
> Comments are welcome.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>  _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130729/74429180/attachment.html>


More information about the Openid-specs-ab mailing list