yubikey-val icon indicating copy to clipboard operation
yubikey-val copied to clipboard

Published 20 hours ago verified publisher icon Yubico

Predictable Nonce?

Open StormTide opened this issue 11 years ago • 2 comments

https://github.com/Yubico/yubikey-val/blob/master/ykval-synclib.php#L47

I'm not sure of implications yet, but this nonce appears to be predictable. If non-predictability is important (as it is for most nonces) suggest change to openssl_random_pseudo_bytes.

StormTide avatar Jan 03 '14 22:01 StormTide

Hello,

The server_nonce field is only used inside the synclib code to keep track of entries in the queue table.

I think it's ok to have it predictable here, though it might still be worth to change to something better. The problem with openssl_random_pseudo_bytes() is that it would make us non-compatible with php 5.2 (though that might not be an issue any more?)

/klas

klali avatar Jan 07 '14 12:01 klali

PHP 5.2 reached EOL over three years ago: http://php.net/eol.php

NiklasBr avatar Feb 25 '14 13:02 NiklasBr