From: Jim Jagielski
To: EKR, "Tomcat Developers List"
Date: Fri, 10 Jan 2003 14:12:28 -0500
Subject: Re: Duplicate session IDs are *common*

At 10:42 AM -0800 1/10/03, Eric Rescorla wrote:
>Jim Jagielski writes:
>
>> Eric Rescorla wrote:
>> >
>> > Glenn Olander writes:
>> > > 5) The strength of the PRNG is largely irrelevant
>> > >
>> > > As a user, I wouldn't trust any solution which lacks a check for
>> > > duplicate session id's, regardless of the strength of the PRNG.
>> > This doesn't seem to me to be a plausible position in view
>> > of the fact that all of our security mechanisms absolutely
>> > depend on statistical uniqueness of randomly generated large
>> > numbers.
>> >
>>
>> These are 2 different points I think. If you randomly generate numbers
>> between 1 and 1,000,000 you will, after a point in time, have
>> duplicate numbers.
>
>Yes, but if you randomly generate numbers between 1 and 2^128, you'll
>have to generate roughly 2^64 random numbers to have a good chance of
>getting a duplicate. Sure, over time you'll get a duplicate,
>but in this context over time needs to be measured over a
>time scale far in excess of the time scale that is interesting.
>

Of course, as you said, it depends on the range and the timespan. But
it doesn't change the fact that randomness != uniqueness, which is what
Glenn's point was I think.

--
===========================================================================
Jim Jagielski [|] jim@jaguNET.com [|] http://www.jaguNET.com/
"A society that will trade a little liberty for a little order will
lose both and deserve neither" - T.Jefferson
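The birthday-bound arithmetic behind the two replies above (a 1..1,000,000 range versus a 2^128 one), together with the duplicate check Glenn asks for, as an added Python example that is not part of the thread or of Tomcat; the function names and the simulated ID spaces are my own.

```python
import math
import random


def collision_probability(space_size: int, draws: int) -> float:
    """Birthday-bound estimate of the chance that at least two of `draws`
    uniformly random values from a space of `space_size` coincide:
    p ~= 1 - exp(-k(k-1) / 2N). expm1 keeps precision when p is tiny."""
    return -math.expm1(-draws * (draws - 1) / (2 * space_size))


def draws_for_probability(space_size: int, probability: float) -> int:
    """Invert the estimate: how many IDs must be issued before the chance
    of a duplicate reaches `probability`, k ~= sqrt(2N ln(1/(1-p)))."""
    return math.ceil(math.sqrt(2 * space_size * math.log(1 / (1 - probability))))


def draws_until_duplicate(space_size: int, seed: int = 0) -> int:
    """Simulate issuing IDs from a (deliberately small) space with no
    duplicate check; returns how many were issued when the first repeat hit."""
    rng = random.Random(seed)  # seeded so the run is reproducible, not secure
    seen, draws = set(), 0
    while True:
        draws += 1
        value = rng.randrange(space_size)
        if value in seen:
            return draws
        seen.add(value)


def issue_unique_ids(count: int, space_size: int, seed: int = 0):
    """Issue `count` IDs with the duplicate check the thread argues about:
    an ID already in use is discarded and regenerated. Returns the IDs and
    the number of regenerations (count must stay far below space_size)."""
    rng = random.Random(seed)
    issued, in_use, retries = [], set(), 0
    for _ in range(count):
        value = rng.randrange(space_size)
        while value in in_use:
            retries += 1
            value = rng.randrange(space_size)
        in_use.add(value)
        issued.append(value)
    return issued, retries


if __name__ == "__main__":
    print(draws_for_probability(10**6, 0.5))               # Jim's range: 1178
    print(math.log2(draws_for_probability(2**128, 0.5)))   # Eric's range: ~64.2, i.e. ~2^64
```

With a 2^128 space the regeneration branch in issue_unique_ids is practically never taken, which is Eric's point; with a 1,000,000 space it fires after about a thousand IDs, which is Jim's.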