Predictable Nonce? #14

Open
StormTide opened this Issue Jan 3, 2014 · 2 comments

@StormTide

https://github.com/Yubico/yubikey-val/blob/master/ykval-synclib.php#L47

I'm not sure of the implications yet, but this nonce appears to be predictable. If non-predictability is important (as it is for most nonces), I suggest changing to openssl_random_pseudo_bytes.

@klali
Member
klali commented Jan 7, 2014

Hello,

The server_nonce field is only used inside the synclib code to keep track of entries in the queue table.

I think it's OK to have it predictable here, though it might still be worth changing to something better. The problem with openssl_random_pseudo_bytes() is that it would make us non-compatible with PHP 5.2 (though that might not be an issue any more?)

/klas

@NiklasBr

PHP 5.2 reached EOL over three years ago: http://php.net/eol.php
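
One way to produce an unpredictable nonce while still running on PHP 5.2, the compatibility concern raised in this thread. This is an added example, not code from yubikey-val or from any participant; the function name `example_server_nonce` and the 32-hex-character length are assumptions.

```php
<?php
// Added example: hypothetical helper, not code from yubikey-val.

/**
 * Return a 32-hex-character nonce from the strongest source available.
 * Throws when no cryptographically strong source exists, instead of
 * silently falling back to a predictable generator.
 */
function example_server_nonce()
{
    $len = 16; // 16 random bytes -> 32 hex characters (assumed length)

    // PHP >= 7.0: built-in CSPRNG, throws on failure.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($len));
    }

    // PHP >= 5.3 with the OpenSSL extension: accept the output only
    // when the call reports that a strong algorithm was used.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($len, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $len) {
            return bin2hex($bytes);
        }
    }

    // PHP 5.2 on Unix-like systems: read the kernel CSPRNG directly.
    if (is_readable('/dev/urandom')) {
        $fh = fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $bytes = fread($fh, $len);
            fclose($fh);
            if ($bytes !== false && strlen($bytes) === $len) {
                return bin2hex($bytes);
            }
        }
    }

    throw new Exception('no cryptographically strong random source available');
}

echo example_server_nonce(), "\n";
```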
