|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Jetty Session ID Prediction
From: Michal Zalewski (lcamtuf
dione.ids.pl)
Date: Mon Feb 05 2007 - 13:42:14 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 5 Feb 2007, NGSSoftware Insight Security Research wrote:
> Jetty generates a 64-bit session id by generating two 32-bit numbers in
> this way, so we end up with an encoded 64-bit integer. By decoding the
> integer and splitting it into its two component 32-bit integers, we can
> easily brute-force the generator's internal state.
Why on earth would you want to brute-force it?
http://www.springerlink.com/content/9jkp3179mj6fwh6m/s
http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C89/138.PDF
Cheers,
/mz
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]