[Openid-specs-fapi] Issue #182: 128 bits of entropy cannot give probability of guessing below 2^-160 (openid/fapi)
issues-reply at bitbucket.org
Tue Oct 16 00:16:18 UTC 2018
New issue 182: 128 bits of entropy cannot give probability of guessing below 2^-160
Financial-grade API - Part 1: Read-Only API Security Profile (draft 05, 2018-08-29) section 5.2.2. "Authorization server" point 16 says:
"shall provide opaque non-guessable access tokens with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per [RFC6749] section 10.10;"
You need at least 160 bits of entropy (not 128) for the probability of guessing a token to be less than 2^(-160).