tomcat-dev mailing list archives

From Eric Rescorla <...@rtfm.com>
Subject Re: Duplicate session IDs are *common*
Date Fri, 10 Jan 2003 18:42:50 GMT
Jim Jagielski <jim@jaguNET.com> writes:

> Eric Rescorla wrote:
> > 
> > Glenn Olander <glenn@greenoak.com> writes:
> > > 5) The strength of the PRNG is largely irrelevant
> > > 
> > > As a user, I wouldn't trust any solution which lacks a check for
> > > duplicate session id's, regardless of the strength of the PRNG.
> > This doesn't seem to me to be a plausible position in view
> > of the fact that all of our security mechanisms absolutely
> > depend on statistical uniqueness of randomly generated large
> > numbers.
> > 
> 
> These are 2 different points I think. If you randomly generate numbers
> between 1 and 1,000,000 you will, after a point in time, have
> duplicate numbers.
Yes, but if you randomly generate numbers between 1 and 2^128, you'll
have to generate roughly 2^64 random numbers to have a good chance of
getting a duplicate. Sure, over time you'll get a duplicate,
but in this context over time needs to be measured over a
time scale far in excess of the time scale that is interesting.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
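To put numbers on the birthday-bound argument in the exchange above (an added example, not code from the thread or from Tomcat): the functions below compute the duplicate probability for Jim's 1..1,000,000 case and for Eric's 2^128 case, and turn a server's session-minting rate (an assumed figure) into the wall-clock time before a duplicate becomes likely.

```python
import math
import random

def collision_probability(n_ids: int, space: int) -> float:
    """Probability that n_ids values drawn uniformly from `space` possible
    values contain at least one duplicate (birthday bound, using the
    standard 1 - exp(-n(n-1)/2N) approximation)."""
    if n_ids < 2:
        return 0.0
    return 1.0 - math.exp(-n_ids * (n_ids - 1) / (2.0 * space))

def draws_for_probability(p: float, space: int) -> float:
    """Number of draws after which the duplicate probability reaches p.
    Inverse of collision_probability; for p = 0.5 this is about
    1.18 * sqrt(space), i.e. roughly 2^64 for a 128-bit ID space."""
    return math.sqrt(-2.0 * space * math.log(1.0 - p))

def years_to_collision(id_bits: int, ids_per_second: float, p: float = 0.5) -> float:
    """Wall-clock years until a server minting ids_per_second random IDs of
    id_bits bits has probability p of having issued a duplicate.
    ids_per_second is an assumed load figure supplied by the caller."""
    draws = draws_for_probability(p, 2 ** id_bits)
    return draws / ids_per_second / (365.25 * 24 * 3600)

def draws_until_first_duplicate(space: int, seed: int = 1) -> int:
    """Simulate the small-space case: draw uniformly from [1, space] and
    count draws until the first repeat. Seeded so the run is reproducible."""
    rng = random.Random(seed)
    seen = set()
    while True:
        value = rng.randint(1, space)
        if value in seen:
            return len(seen) + 1
        seen.add(value)

if __name__ == "__main__":
    print(f"1..1,000,000: 50% duplicate after ~{draws_for_probability(0.5, 10**6):.0f} draws")
    print(f"first duplicate in a seeded run: {draws_until_first_duplicate(10**6)}")
    print(f"128-bit IDs: 50% duplicate after ~2^{math.log2(draws_for_probability(0.5, 2**128)):.1f} draws")
    print(f"  at 1e6 sessions/s (assumed) that is {years_to_collision(128, 1e6):.2e} years")
```

The small space reaches a likely duplicate after about 1,200 draws, while the 128-bit space needs on the order of 2^64 draws, which at a million sessions per second is hundreds of thousands of years.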
