BugTraq
Jetty Session ID Prediction Feb 05 2007 01:35PM
NGSSoftware Insight Security Research (nisr ngssoftware com) (2 replies)
Re: Jetty Session ID Prediction Feb 05 2007 07:42PM
Michal Zalewski (lcamtuf dione ids pl) (1 replies)
Re: Jetty Session ID Prediction Feb 06 2007 05:04AM
Amit Klein (aksecurity gmail com) (1 replies)
Michal Zalewski wrote:
> On Mon, 5 Feb 2007, NGSSoftware Insight Security Research wrote:
>
>
>> Jetty generates a 64-bit session id by generating two 32-bit numbers in
>> this way, so we end up with an encoded 64-bit integer. By decoding the
>> integer and splitting it into its two component 32-bit integers, we can
>> easily brute-force the generator's internal state.
>>
>
> Why on earth would you want to brute-force it?
>
> http://www.springerlink.com/content/9jkp3179mj6fwh6m/s
> http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C89/138.PDF
>
>

I don't think that the method described in the paper you referenced
above is applicable as-is, because the method requires that the state of
the PRNG is known (the coefficients aren't), while in our situation, the
coefficients are known, but the state isn't known in fullness (only 32
bits out of the 48 are known).

-Amit

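The situation described in the reply above (coefficients known, 32 of the 48 state bits known), as an added example that is not part of the original thread. It assumes the generator is the `java.util.Random` linear congruential generator with its documented constants, uses a constructed seed, and leaves out Jetty's session id encoding, which the page does not give. It shows why such a generator is unsuitable for session ids: two consecutive 32-bit outputs leave only 2^16 candidate states to check.

```python
# java.util.Random constants (documented in the Java API): 48-bit LCG.
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


def step(state):
    """Advance the 48-bit LCG state by one step."""
    return (state * MULT + ADD) & MASK


def to_int32(state):
    """Top 32 bits of the state as a signed Java int (the value nextInt() returns)."""
    v = state >> 16
    return v - (1 << 32) if v >= (1 << 31) else v


class JavaRandom:
    """Minimal re-implementation of java.util.Random.nextInt() for the demo."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK  # initial seed scramble

    def next_int(self):
        self.state = step(self.state)
        return to_int32(self.state)


def recover_states(out1, out2):
    """All 48-bit states that produced out1 and yield out2 on the next step.

    out1 fixes the top 32 bits; only the low 16 bits are unknown.
    """
    high = (out1 & 0xFFFFFFFF) << 16
    return [high | low for low in range(1 << 16)
            if to_int32(step(high | low)) == out2]


def predict_next(out1, out2):
    """Candidate values for the output that follows out2."""
    return {to_int32(step(step(s))) for s in recover_states(out1, out2)}


if __name__ == "__main__":
    gen = JavaRandom(20070205)  # constructed seed, unknown to the observer
    a, b = gen.next_int(), gen.next_int()
    print("observed:", a, b)
    print("predicted next:", predict_next(a, b), "actual:", gen.next_int())
```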
Re: Jetty Session ID Prediction Feb 06 2007 08:20AM
Michal Zalewski (lcamtuf dione ids pl)
Re: Jetty Session ID Prediction Feb 05 2007 06:42PM
Amit Klein (aksecurity gmail com)


 

Copyright 2010, SecurityFocus