Hashing of access tokens values for storage #40765
Assignees
Labels
blocker
:Security/Authentication
Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)
v7.2.0
v8.0.0-alpha1
Comments
jkakavas
added
blocker
:Security/Authentication
|
Pinging @elastic/es-security |
|
Refresh tokens also require hashing. I assume you mean unsalted hashes, given that Access Tokens have a max lifetime of 1h and Refresh Tokens of 24h hours, and that these id are randomly generated with ~120 bits of entropy. |
Correct, this will be implemented as designed and described in the original email. The fact that these will be unsalted doesn't have to do with the lifetime of the tokens but only with the bits of entropy that makes the computation and storage of rainbow tables impossible |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Since #39631 the access token string is part of the token document ID. We should move forward with the planned changes regarding the hashing of the access token string before it becomes part of the token document id in the same version also ( 7.1 ).
This is required so that potential read access to the token security index will not allow for authentication.
Relates: #37038 , #39631
The text was updated successfully, but these errors were encountered: