Angular-auth-oidc-client: Code Verifier not cryptographically random

Created on 15 Apr 2020  ·  7 Comments  ·  Source: damienbod/angular-auth-oidc-client

As pointed out in this Reddit discussion: https://www.reddit.com/r/Angular2/comments/fzx744/auth_flow_with_pkce/fnevom0 ,
the way the code verifier is generated is not cryptographically random.
Please use crypto.getRandomValues instead of concatenating the current date with a non-cryptographically secure pseudo-random number, because the code verifier shouldn't be easy to guess by a potential attacker.

Release 11 enhancement

All 7 comments

Hi @aiscrim thanks for reporting

Just wondering how you would improve this, I already have 2 random function calls to create the code_verifier

Greetings Damien

7.1. Entropy of the code_verifier

The security model relies on the fact that the code verifier is not
learned or guessed by the attacker. It is vitally important to
adhere to this principle. As such, the code verifier has to be
created in such a manner that it is cryptographically random and has
high entropy that it is not practical for the attacker to guess.

The client SHOULD create a "code_verifier" with a minimum of 256 bits
of entropy. This can be done by having a suitable random number
generator create a 32-octet sequence. The octet sequence can then be
base64url-encoded to produce a 43-octet URL safe string to use as a
"code_challenge" that has the required entropy.

The key point in the excerpt you copied is “cryptographically random”.
You are using Math.random(), and if you look at the function documentation (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random) it clearly states that it

does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.
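Added example, not part of the thread and not the library's own code: one way to build the code verifier the quoted RFC section asks for, 32 octets from `getRandomValues`, base64url-encoded to 43 characters. The function names are illustrative assumptions, and the `msCrypto` lookup is the prefixed IE 11 name raised later in the thread (IE would also need this code transpiled).

```javascript
// Added example: PKCE code_verifier from a CSPRNG (RFC 7636, section 7.1).
// Function names are illustrative assumptions, not the library's API.

// Find a Web Crypto implementation; fail closed if there is none.
function getWebCrypto() {
  const c = globalThis.crypto || globalThis.msCrypto;
  if (c && typeof c.getRandomValues === 'function') {
    return c;
  }
  // Older Node.js releases expose Web Crypto only through the crypto module.
  if (typeof require === 'function') {
    return require('crypto').webcrypto;
  }
  // Never fall back to Math.random() for a security-relevant value.
  throw new Error('No cryptographically secure random source available');
}

// base64url without padding: '+' -> '-', '/' -> '_', trailing '=' removed.
function base64UrlEncode(bytes) {
  let binary = '';
  for (const b of bytes) {
    binary += String.fromCharCode(b);
  }
  return btoa(binary)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// 32 random octets give a 43-character string carrying 256 bits of entropy.
// 96 octets give 128 characters, the longest verifier RFC 7636 allows.
function generateCodeVerifier(byteLength = 32) {
  if (!Number.isInteger(byteLength) || byteLength < 32 || byteLength > 96) {
    throw new RangeError('byteLength must be an integer from 32 to 96');
  }
  const bytes = new Uint8Array(byteLength);
  getWebCrypto().getRandomValues(bytes);
  return base64UrlEncode(bytes);
}

// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
// This checks format only; it cannot tell how the value was generated.
function isValidCodeVerifier(value) {
  return typeof value === 'string' && /^[A-Za-z0-9\-._~]{43,128}$/.test(value);
}
```
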

@aiscrim thanks

@damienbod I've been following this change. I use your library for a couple of my apps. Can we ensure the fix also works in IE? Basically, window.crypto || window.msCrypto. Thanks!

@aiscrim thanks for the hint, we plan to support IE through a second package. The idea is to create a second package and use the full jsrsasign and this fix from you. We have 2 imports which are different and this.

Added support for IE.

road map release version 11, and then shortly after version11-IE

thanks for reporting and reviewing the PR

Greetings Damien

Will close this now, will be part of Release 11, still a bit of work to go for this release. You can see the progress in the master issue, git branch.
