I'm currently creating an OAuth provider in Java using Jersey. To the best of my knowledge Jersey does not provide a method to create oauth tokens so I'm creating my own.
For those unfamiliar with OAuth, the tokens will be used in a somewhat similar fashion to public/private keys to sign and verify all requests to the server.
A String is formed using a token issued by the server (me) and then encrypted with that token secret (which only the server and the application know). The signature is then sent to the server and verified.
Each token must be:
- non-sequential
- non-guessable
- unique (the tokens will be stored in a database so uniqueness can be verified)
This is the code I'm thinking of using to generate the keys:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public String generateToken() throws NoSuchAlgorithmException {
    SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    // re-seed the generator with 128 bytes of seed material drawn from itself
    secureRandom.setSeed(secureRandom.generateSeed(128));
    // hash the decimal form of one random long and use the raw digest bytes as a String
    return new String(digest.digest((secureRandom.nextLong() + "").getBytes()));
}
I'm generating a Long using Java's SecureRandom with SHA-1-PRNG, using a 128 bit seed, again generated by SecureRandom. I'm then using SHA-256 to hash the resulting Long to get a 32 character Unicode String as the token.
- Is anyone able to see any issues with this style of token generation?
- If multiple tokens were requested in a row, is there a chance of predicting the next one?
- I assume that 32 characters is more than enough for this kind of request signing.
1 Answer
Each token must be:
- non-sequential
- non-guessable
- unique
Without reading into any of the OAuth specifics, if the above are the only criteria to which you must adhere, then I would suggest what you're doing is quite a huge effort to achieve what's already been done with GUID (Globally Unique Identifier).
Java has an implementation of this, a class named UUID:
...that represents an immutable universally unique identifier (UUID). A UUID represents a 128-bit value.
Conveniently, a GUID is also a 32 character string.
Some code I found to utilise this using Java:
import java.util.UUID;

// random (version 4) UUID, rendered in its canonical hyphenated form
UUID uuid = UUID.randomUUID();
String randomUUIDString = uuid.toString();
Note that I'm not really qualified to be an authority on this where Java is concerned, though the topic I'm concerning myself with here is very transferable. You will need to determine whether A) a GUID satisfies all criteria of an OAuth token, and B) the Java implementation works as the rest of the world expects - I can't vouch for that.
java.security.KeyPairGenerator and generate, for example, an RSA key pair and use those?
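As an added example that is not part of the question or the answer, the following Java class (class and method names are my own) puts the two approaches side by side and includes a check for the lossy new String(bytes) step in the question's code; it assumes a UTF-8 default charset.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.UUID;

public class TokenGeneration {

    // One SecureRandom per generator; the JVM seeds it from the OS entropy source.
    // Re-seeding with generateSeed() on every call (as in the question) adds nothing.
    private static final SecureRandom RNG = new SecureRandom();

    /** 256 bits of raw randomness as URL-safe Base64 without padding (43 characters). */
    public static String randomToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Version 4 UUID as suggested in the answer: 36 characters carrying 122 random bits. */
    public static String uuidToken() {
        return UUID.randomUUID().toString();
    }

    /**
     * Why new String(bytes) is not a token encoding: decoding arbitrary bytes as
     * text replaces invalid sequences with U+FFFD, so distinct digests can collapse
     * to the same String and the stored token no longer holds the full 256 bits.
     * Returns true only if the bytes survive the String round trip unchanged.
     */
    public static boolean bytesSurviveStringRoundTrip(byte[] bytes) {
        byte[] back = new String(bytes, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        return Arrays.equals(bytes, back);
    }

    public static void main(String[] args) {
        System.out.println("random token: " + randomToken());
        System.out.println("uuid token:   " + uuidToken());

        // constructed input: 32 random bytes stand in for a SHA-256 digest
        byte[] digestLike = new byte[32];
        RNG.nextBytes(digestLike);
        // almost always false, since 32 random bytes are rarely valid UTF-8
        System.out.println("new String(bytes) lossless? " + bytesSurviveStringRoundTrip(digestLike));
    }
}
```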