[Openid-specs-fapi] Issue #182: 128 bits of entropy cannot give probability of guessing below 2^-160 (openid/fapi)

James Manger issues-reply at bitbucket.org
Tue Oct 16 00:16:18 UTC 2018


New issue 182: 128 bits of entropy cannot give probability of guessing below 2^-160
https://bitbucket.org/openid/fapi/issues/182/128-bits-of-entropy-cannot-give

James Manger:

Financial-grade API - Part 1: Read-Only API Security Profile (draft 05, 2018-08-29) section 5.2.2. "Authorization server" point 16 says:

"shall provide opaque non-guessable access tokens with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per [RFC6749] section 10.10;"

You need at least 160 bits of entropy (not 128) for the probability of guessing a token to be less than 2^(-160).
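
The arithmetic behind this issue, as an added example that is not part of the original message or of the FAPI specification: it computes the exact single-guess probability for uniformly random tokens and checks it against the 2^(-128) MUST and 2^(-160) SHOULD bounds of RFC 6749 section 10.10. The function names and the sample token formats are constructed for illustration, and tokens are assumed to be drawn uniformly from a CSPRNG.

```python
import math
import secrets
from fractions import Fraction

# Single-guess probability thresholds from RFC 6749 section 10.10.
MUST_BOUND = Fraction(1, 2**128)
SHOULD_BOUND = Fraction(1, 2**160)  # the bound quoted in FAPI Part 1, 5.2.2 point 16


def guess_probability(alphabet_size: int, length: int, guesses: int = 1) -> Fraction:
    """Exact chance that `guesses` distinct guesses hit one uniformly random token."""
    space = alphabet_size ** length
    return Fraction(min(guesses, space), space)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random token: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, bound: Fraction) -> int:
    """Shortest token length whose single-guess probability is <= bound."""
    length = 1
    while guess_probability(alphabet_size, length) > bound:
        length += 1
    return length


def new_token(bits: int = 160) -> str:
    """Opaque base64url token from the OS CSPRNG with at least `bits` of entropy."""
    return secrets.token_urlsafe(math.ceil(bits / 8))


if __name__ == "__main__":
    # Constructed token formats: (label, alphabet size, length in symbols).
    for label, alphabet, length in [("32 hex chars", 16, 32),
                                    ("22 base64url chars", 64, 22),
                                    ("40 hex chars", 16, 40),
                                    ("27 base64url chars", 64, 27)]:
        p = guess_probability(alphabet, length)
        print(f"{label:20} {entropy_bits(alphabet, length):6.1f} bits  "
              f"MUST={p <= MUST_BOUND}  SHOULD={p <= SHOULD_BOUND}")
    print("example token:", new_token())
```

A 128-bit token sits exactly on the 2^(-128) bound and misses the 2^(-160) bound by a factor of 2^32; 40 hex characters or 27 base64url characters are the shortest formats that meet it.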



