search

jennings / OATH.Net

A small library that implements the HOTP and TOTP algorithms for two-factor authentication. Compatible with the Google Authenticator app for iPhone and Android.
https://www.nuget.org/packages/OATH.Net/
28 stars 14 forks source link

Security concerns with the key generation #10

Closed koczkatamas closed 9 years ago

koczkatamas commented 9 years ago

Two of the constructors of the Key class are very dangerous and should never be used!

new Random() is not a secure random generator. Use RandomNumberGenerator instead!

"As indicated in the algorithm requirement section, keys SHOULD be chosen at random or using a cryptographically strong pseudorandom generator properly seeded with a random value." (https://tools.ietf.org/html/rfc6238)

Also 10 bytes (= 80 bits) random is not enough: "The algorithm MUST use a strong shared secret. The length of the shared secret MUST be at least 128 bits. This document RECOMMENDs a shared secret length of 160 bits." (https://tools.ietf.org/html/rfc4226)

jennings commented 9 years ago

I think you're probably right. Do you want to send a pull request? I can update the NuGet package.

P.S., I also added you as a collaborator, so if you want, you can fix it without a PR. But it would be nice to do it in the open :smile:

jennings commented 9 years ago

@koczkatamas What do you think of 2c0ab4179, does that resolve the concern?

koczkatamas commented 9 years ago

Yeah, it looks good! Thanks. :)