Back to list
Re: ASP/ASP.NET Session IDs
Mar 17 2005 11:41PM
Steven DeFord (security willworker gmail com)
On Thu, 17 Mar 2005 18:35:02 -0500, Darren Bounds
<dbounds (at) intrusense (dot) com [email concealed]> wrote:
> Based on your question it sounds like you're missing an important step
> in the process. The 16-byte cookie string is not merely an encrypted
> 32-bit unsigned integer, but rather the 32-bits combined with X bits of
> random data. Exactly how much data I'm not sure.
Right, but depending on how this random data is generated (ie, how
random is random), this may not be terribly usefully random data (TCP
sequence nubers in some implementations, for example).
> Additionally, if it were possible to 'guess' the session ID in any sort
> of repeatable fashion other than brute forcing, that would represent a
> very flawed and unusable cryptographic algorithm.
Certainly, but that would be the point of looking into it. I mean,
MD5 was thought to be a great hashing function, but an exploit has
been found. I was wondering what they were using for encryption, and
if it might be similarly vulnerable.
steve (at) singingtree (dot) com [email concealed]
[ reply ]
Copyright 2010, SecurityFocus