-
-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default secret length should be changed to 20 bytes from 10 bytes #671
Comments
FWIW this issue or vulnerability was introduced in 12.0.0. Old versions of otplib defaulted to 20 bytes of randomness for OTP secret generation. See: Vs: An interesting question to ask here is: why was this changed at all? |
For what is worth, the old version of the lib also has a quirk/bug/vulnerability where in practice it defaults to 15 and not to 20 bytes of entropy. Let's look how its secret key is generated: otplib/packages/otplib-utils/secretKey.js Lines 10 to 23 in dd7dc73
So it randomizes the value and then encodes it to base64 and... slices it to the length? That slicing lowers down the number of entropy bytes that one provides to the function. Let's see how this works for the default length of 20 bytes in a > entropy = crypto.randomBytes(20)
<Buffer 45 07 a2 bc 59 e7 cc 29 be 06 0b 16 d1 b8 bb 8e 5c ed a7 92>
> encoded = entropy.toString('base64')
'RQeivFnnzCm+BgsW0bi7jlztp5I='
> encoded.length
28
> sliced = encoded.slice(0, 20)
'RQeivFnnzCm+BgsW0bi7'
> sliced.length
20
> buffer = Buffer.from(sliced, 'base64')
<Buffer 45 07 a2 bc 59 e7 cc 29 be 06 0b 16 d1 b8 bb>
> buffer.length
15 So the old version defaults gives only 15 bytes of entropy which is 120 bits which is under the "MUST" value and definetely below the "RECOMMENDED" one. The new versions of the library (12.0.0, 12.0.1) does not perform that |
Currently, the secret generation using the default value of 10 bytes is not compliant with the requirements mentioned in RFC 4226 section 4.
It clearly states that it MUST be at least 128 bits which means using the default value of this library is non compliant.
I suggest that the default value is at least increased to 16 bytes or better follow the recommended value of 20 bytes (160 bits) as mentioned in RFC 4226.
Related:
The text was updated successfully, but these errors were encountered: