Non-cryptographically secure PRNG use in the OWIN OAuth2 server docs #1884

Closed
zerkms opened this issue Sep 16, 2016 · 3 comments

zerkms commented Sep 16, 2016

http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

Here the GUID is used to generate security tokens.

Instead, a cryptographically strong PRNG should be used, e.g. RNGCryptoServiceProvider.
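One way to apply the suggestion in the issue above, shown as an added example that is not code from the linked docs or from the project. `TokenDemo`, `GuidToken` and `CsprngToken` are hypothetical names, and the `Guid.NewGuid()` pattern is an assumed shape of the token code the issue refers to.

```csharp
using System;
using System.Security.Cryptography;

public static class TokenDemo
{
    // Assumed shape of the pattern the issue objects to: a GUID used directly as the token.
    public static string GuidToken()
    {
        return Guid.NewGuid().ToString("N");
    }

    // Suggested replacement: bytes from the OS CSPRNG, encoded as unpadded base64url
    // so the token can travel in URLs and headers without escaping.
    public static string CsprngToken(int byteLength)
    {
        if (byteLength < 16)
            throw new ArgumentOutOfRangeException("byteLength", "use at least 128 bits");

        var bytes = new byte[byteLength];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static void Main()
    {
        string guidToken = GuidToken();
        // In the "N" format, hex digit 12 is the UUID version nibble and digit 16
        // carries the variant bits. Those bits are fixed by the format, so a
        // version 4 GUID holds at most 122 random bits out of 128.
        Console.WriteLine("GUID token:   {0} (version nibble '{1}')", guidToken, guidToken[12]);

        // 32 bytes = 256 bits, every one of them taken from the CSPRNG.
        string token = CsprngToken(32);
        Console.WriteLine("CSPRNG token: {0} ({1} chars)", token, token.Length);
    }
}
```

The token length is then a choice made in the code, and its unpredictability rests on the documented contract of `RNGCryptoServiceProvider` rather than on how a given platform happens to generate GUIDs.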

@zerkms zerkms changed the title Non-photographically secure PRNG use in the OWIN OAuth2 server docs Non-photographically strong PRNG use in the OWIN OAuth2 server docs Sep 16, 2016
@zerkms zerkms changed the title Non-photographically strong PRNG use in the OWIN OAuth2 server docs Non-photographically secure PRNG use in the OWIN OAuth2 server docs Sep 16, 2016
@zerkms zerkms changed the title Non-photographically secure PRNG use in the OWIN OAuth2 server docs Non-cryptographically secure PRNG use in the OWIN OAuth2 server docs Sep 16, 2016
@danroth27
Member

@blowdart

@blowdart
Contributor

  1. This is not an ASP.NET Core issue.
  2. GUIDs are (at least on Windows) generated with input from a secure PRNG.

Combining the fact that this is ASP.NET 4.5, which is only on Windows (point 1), with point 2 means this is a non-issue.

@zerkms
Author

zerkms commented Sep 16, 2016
