
I'm considering Base64 to store SecurityStamp within my user aggregate. Before entering a pitfall I'm trying to understand the reasons why the ASP team chose to use Base32 instead of simply using Base64.

SecurityStamp is not something a human should read or pass manually in requests. I cannot find any obvious advantage in adding an internal Base32 implementation rather than using the existing Base64.

    private static string NewSecurityStamp()
    {
        byte[] bytes = new byte[20];
        _rng.GetBytes(bytes);
        return Base32.ToBase32(bytes);
    }

https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Extensions.Core/src/UserManager.cs#L2438

Ciapeczka

1 Answer

If you have a look at the alphabet Base32 is using, you will notice it's all capital letters and 234567. This is done to specifically reduce human error when transferring the code (see more background in this SO answer).

When you further examine the UserManager source code, you will see that NewSecurityStamp is referenced by GenerateNewAuthenticatorKey, which I believe is intended to provide human-readable output (to, say, set up 2FA when you've got no QR code to scan).

timur

For authentication-key it does make sense, but for security-stamp it does not introduce any value. As I mentioned in the question, it is not supposed to be read or used directly by the end user. More to the topic, Base64 is more efficient when it comes to size. – Ciapeczka Feb 03 '20 at 09:30
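
To make the trade-off discussed above concrete, the following added example (not part of the original posts and not the ASP.NET Core source) encodes the same 20 random bytes both ways and compares length and alphabet. The `StampEncodingDemo` class and its `ToBase32` helper are hypothetical names written for this illustration, following the RFC 4648 alphabet without padding.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class StampEncodingDemo
{
    // RFC 4648 Base32 alphabet: upper-case letters plus 2-7.
    private const string Base32Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // Hypothetical helper (not the framework's internal Base32 class):
    // emits 5 bits per character, with no '=' padding.
    public static string ToBase32(byte[] input)
    {
        var sb = new StringBuilder((input.Length * 8 + 4) / 5);
        int buffer = 0, bits = 0;
        foreach (byte b in input)
        {
            buffer = (buffer << 8) | b;
            bits += 8;
            while (bits >= 5)
            {
                bits -= 5;
                sb.Append(Base32Alphabet[(buffer >> bits) & 31]);
            }
            buffer &= (1 << bits) - 1; // keep only the unconsumed bits
        }
        if (bits > 0)                   // left-align the final partial group
            sb.Append(Base32Alphabet[(buffer << (5 - bits)) & 31]);
        return sb.ToString();
    }

    public static void Main()
    {
        byte[] bytes = new byte[20];            // same size as NewSecurityStamp()
        RandomNumberGenerator.Fill(bytes);      // CSPRNG, 160 bits of entropy

        string b32 = ToBase32(bytes);
        string b64 = Convert.ToBase64String(bytes);

        // 160 bits / 5 = 32 chars exactly; 20 bytes -> 28 Base64 chars incl. one '='.
        Console.WriteLine($"Base32 ({b32.Length} chars): {b32}");
        Console.WriteLine($"Base64 ({b64.Length} chars): {b64}");
        // Base64 output is case-sensitive and may contain '+', '/' and '='.
        Console.WriteLine($"Base64 has URL-unsafe chars: {b64.IndexOfAny(new[] { '+', '/', '=' }) >= 0}");
    }
}
```

Both strings carry the same 160 bits of entropy; the difference is 32 versus 28 characters and whether the value survives case-insensitive or URL contexts unchanged.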