Score:2

Why does OAuth 1.0a require random nonces and how random should they be?


What are the requirements of a nonce? <- Typically it is only required that a nonce is unique, however, in certain cases harsher requirements (such as randomness and unpredictability) are put.

The OAuth 1.0a specification states that:

A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.

Why does OAuth 1.0a require randomness?

Also I find it surprising that the spec says 'random' without explicitly requiring cryptographically secure randomness. What could be the benefit of a random, but not cryptographically secure random nonce? I suppose I should understand that the requirement of cryptographically secure randomness is implied here?

Maarten Bodewes
OAuth basically defines a framework on how authentication tokens can be established. It doesn't go deep into security whatsoever. The authentication framework is secure, but only if it gets configured properly. For OAuth 2 there is a separate RFC with security requirements, which is very much needed. Strangely enough, OAuth 1 does specify requirements for the secrets used. Non-secure random RNGs may not be seeded properly (which may not be such a big issue if the RNG is always started with a fresh timestamp) and they are fast, but I'd use a large nonce from a well seeded CSPRNG anyway.
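As an added example (not code from the question or the comment above), here is a minimal Python version of the check the spec text describes: the client draws its nonce from a CSPRNG, and the server keeps a store that rejects any repeat of the (consumer key, token, timestamp, nonce) combination within a timestamp acceptance window, so a captured request cannot be replayed. The window size, the identifiers and the scenario values are assumptions.

```python
import secrets
import time

# Requests whose timestamp is further than this from server time are rejected,
# so the server only has to remember nonces for this long (assumed value).
TIMESTAMP_WINDOW_SECONDS = 300


def generate_nonce(num_bytes: int = 16) -> str:
    """Client side: hex nonce from the OS CSPRNG (Python's secrets module)."""
    return secrets.token_hex(num_bytes)


class NonceStore:
    """Server side: remembers (consumer_key, token, timestamp, nonce) tuples,
    which is exactly the combination the spec requires to be unique."""

    def __init__(self, window: int = TIMESTAMP_WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # (consumer_key, token, timestamp, nonce) -> timestamp

    def check_and_record(self, consumer_key, token, timestamp, nonce, now=None):
        """Return (accepted, reason); the tuple is recorded only when accepted."""
        now = int(time.time()) if now is None else now
        # Forget tuples older than the window: anything that old is rejected by
        # the timestamp check below, so it no longer needs to be remembered.
        self._seen = {k: ts for k, ts in self._seen.items()
                      if ts >= now - self.window}
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside acceptance window"
        key = (consumer_key, token, timestamp, nonce)
        if key in self._seen:
            return False, "replay: nonce already seen for this timestamp, client and token"
        self._seen[key] = timestamp
        return True, "accepted"


def simulate_replay():
    """Constructed scenario: one legitimate request, then the same request
    presented again a few seconds later. Returns [first_accepted, replay_accepted]."""
    store = NonceStore()
    ts = 1_700_000_000  # fixed 'now' (assumed) so the run is deterministic
    nonce = generate_nonce()
    first = store.check_and_record("consumer-key", "access-token", ts, nonce, now=ts)
    replay = store.check_and_record("consumer-key", "access-token", ts, nonce, now=ts + 5)
    return [first[0], replay[0]]
```

Note that the same nonce string is accepted again with a different timestamp or a different client/token, which is what the spec's wording permits; the store only enforces uniqueness of the full combination.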