
We have the following requirement for creating a token in .NET to be used in providing a challenge token and an actual authentication (auth) token. The auth token will then be used to authenticate the preceding transaction along with certificate-based authentication. Please have a look and check if the solution below seems sound based on these requirements.

Requirement

  1. Minimum 128 bits long
  2. Randomly generated
  3. Unpredictable/unguessable (i.e. make sure the seeding of the random number generator is good),
  4. Unique during its validity period,
  5. Must not contain any meaningful information (only random data).

Solution

  1. Generate token using RNGCryptoServiceProvider and store it as a 16-byte binary. I also saw a related post (Token-based authentication - Securing the token) to hash the token in the database, but I'm told that this is not necessary for now, so I was thinking: what should be the size of my database column? binary(16) is a bit short.

  2. (#2, #3, #5) Using RNGCryptoServiceProvider to generate random string (https://msdn.microsoft.com/en-us/library/system.security.cryptography.rngcryptoserviceprovider(v=vs.100).aspx)

  3. (#4) Table column does not have a unique constraint, but will get the latest based on create time in the unlikely event that a duplicate does happen.

MichaelChan
  • Can you clean up bullet #5? Is the requirement to contain meaningful information or to not contain meaningful information? – Neil Smithline Dec 07 '15 at 01:03
  • In order to answer questions about whether this strategy is sound, it would be helpful to better understand the context. What type of data are you securing? What will you use the token for? What resources do you anticipate your attackers to have (eg: do you expect nation states or anonymous to target this system?) – Neil Smithline Dec 07 '15 at 01:06
  • Sure, I'll clean up the question and update this post. – MichaelChan Dec 07 '15 at 01:36
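
The token generation described in the question, as an added example that is not part of the original post: 16 bytes are drawn from RNGCryptoServiceProvider, with the optional SHA-256 storage hash the question mentions and a comparison that does not exit on the first mismatch. The class and method names are hypothetical; a raw 16-byte token fills a binary(16) column exactly, while a SHA-256 digest of it needs binary(32).

```csharp
using System;
using System.Security.Cryptography;

// Added illustration; AuthTokenExample and its method names are hypothetical.
public static class AuthTokenExample
{
    public const int TokenBytes = 16; // 128 bits (requirement 1)

    // Requirements 2, 3 and 5: every byte comes from the OS CSPRNG and
    // nothing meaningful (user id, timestamp, counter) is mixed in.
    // On current .NET, RandomNumberGenerator.Create() is the equivalent call.
    public static byte[] NewToken()
    {
        var token = new byte[TokenBytes];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(token);
        }
        return token;
    }

    // Optional: the value stored if the token is hashed at rest (32 bytes).
    public static byte[] HashForStorage(byte[] token)
    {
        using (var sha = SHA256.Create())
        {
            return sha.ComputeHash(token);
        }
    }

    // Compares two byte arrays without stopping at the first differing byte.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] token = NewToken();
        byte[] stored = HashForStorage(token);
        Console.WriteLine("token bytes: {0}, hash bytes: {1}", token.Length, stored.Length);
        Console.WriteLine("wire form: {0}", Convert.ToBase64String(token));
        Console.WriteLine("same token accepted: {0}", FixedTimeEquals(stored, HashForStorage(token)));
        Console.WriteLine("other token accepted: {0}", FixedTimeEquals(stored, HashForStorage(NewToken())));
    }
}
```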
