tomcat-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: Duplicate session IDs are *common*
Date Fri, 10 Jan 2003 19:12:28 GMT
At 10:42 AM -0800 1/10/03, Eric Rescorla wrote:
>Jim Jagielski <jim@jaguNET.com> writes:
>
>> Eric Rescorla wrote:
>> >
>> > Glenn Olander <glenn@greenoak.com> writes:
>> > > 5) The strength of the PRNG is largely irrelevant
>> > >
>> > > As a user, I wouldn't trust any solution which lacks a check for
>> > > duplicate session id's, regardless of the strength of the PRNG.
>> > This doesn't seem to me to be a plausible position in view
>> > of the fact that all of our security mechanisms absolutely
>> > depend on statistical uniqueness of randomly generated large
>> > numbers.
>> >
>>
>> These are 2 different points I think. If you randomly generate numbers
>> between 1 and 1,000,000 you will, after a point in time, have
>> duplicate numbers.
>Yes, but if you randomly generate numbers between 1 and 2^128, you'll
>have to generate roughly 2^64 random numbers to have a good chance of
>getting a duplicate. Sure, over time you'll get a duplicate,
>but in this context over time needs to be measured over a
>time scale far in excess of the time scale that is interesting.
>

Of course, as you said, it depends on the range and the timespan.

But it doesn't change the fact that randomness != uniqueness, which is
what Glenn's point was I think.
-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
      "A society that will trade a little liberty for a little order
             will lose both and deserve neither" - T.Jefferson
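
The two ranges compared in the exchange above (1 to 1,000,000 versus 1 to 2^128) and the duplicate check Glenn asks for, worked through as an added example that is not part of the original message or of Tomcat's code. The `SessionStore` class and all names in it are hypothetical, and the formula is the standard birthday approximation, which assumes IDs are drawn uniformly at random.

```python
import math
import secrets

def collision_probability(n_ids, space):
    """Birthday approximation: chance of at least one duplicate among
    n_ids values drawn uniformly at random from `space` possibilities."""
    # -expm1(-x) equals 1 - exp(-x) but stays accurate when x is tiny.
    return -math.expm1(-n_ids * (n_ids - 1) / (2.0 * space))

def ids_for_probability(p, space):
    """Approximate number of draws before a duplicate has probability p."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))

class SessionStore:
    """Hypothetical session table that never issues a live ID twice."""

    def __init__(self, id_bytes=16, rng=secrets.token_hex):
        self.id_bytes = id_bytes      # 16 bytes = 128 bits
        self.rng = rng                # CSPRNG by default; injectable for tests
        self.sessions = {}
        self.collisions = 0           # at 128 bits, nonzero signals an RNG fault

    def create(self, data):
        while True:
            sid = self.rng(self.id_bytes)
            if sid not in self.sessions:
                self.sessions[sid] = data
                return sid
            self.collisions += 1      # duplicate drawn: count it and redraw

if __name__ == "__main__":
    for label, space in (("1..1,000,000", 10**6), ("1..2^128", 2**128)):
        print(label, "50%% duplicate chance after ~%.3g IDs"
              % ids_for_probability(0.5, space))
    print("P(dup) for 10^9 IDs in 2^128: %.3g"
          % collision_probability(10**9, 2**128))
    store = SessionStore()
    store.create({"user": "constructed-example"})
    print("collisions seen:", store.collisions)
```

The check costs one hash lookup per new session, and the counter gives operations a signal when the generator is not behaving as the approximation assumes.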
