OSEC

From: Teodor Cimpoesu (teogecadsoftware.com)
Date: Sat Mar 09 2002 - 05:29:19 CST

    > On Thursday 07 March 2002 17:18, Nancy Gabriel wrote:
    > > Right, so a developer could use as much as deemed necessary for the
    > > site's security policy. Has anyone put together a list of the various
    > > techniques, like some discussed here, others involving hardware, and
    > > rated them for, say, how many random bits are produced, an idea of the
    > > extra CPU time (like an overhead rating), and such? Will that be part of
    > > the OWASP project?
    > >
    > > Say a decision is made to generate session id's using a technique that
    > > gives 128 bits of randomness and uniqueness. Will that be enough for 2
    > > years from now? Will it be hard to upgrade that part of the code and
    > > maintain it?
    > >
    > > I have too many questions!
    >
    > There are no such things as too many questions, only too few answers! (or
    > maybe too many answers...).
    >
    > I doubt anyone has done this systematically. I could envision an API that lets
    > you specify that sort of thing. Maybe you would have an "entropy class" that
    > you could instantiate with parameters that would create an object that gave
    > you specified quality levels of ids. Not sure how you would test an
    > implementation for conformance though! I guess some sort of correlation test.
    > I guess if your application was written flexibly enough you could then make
    > the quality of the ids a run-time configuration parameter. Large sites that
    > got tons of hits might use less entropy per id, and a small site could crank
    > it up higher to get the best security.
    >
    > I guess another thing to rate would be "bits of entropy available per unit
    > time" from things like /dev/urandom. If you knew that number for your system
    > then you could write code to partition that entropy out evenly to each id, it
    > would just have to have an id implementation like above. Probably it's all a
    > bit more elaborate than the world needs right now, hehe.

    I don't recall on which list I found a link to Bondacio Technologies HYDRA
    Server [http://208.254.152.215/security.html].
    Among the `blah, blah marketing' they claim to use a technology that seems to offer
    unlimited good-quality entropy (so you'll always trust your session id).

    Here's an excerpt:
    'At the core of HYDRA's security features is a biomorphic technology based on a
    field of mathematics called "Chaotic Dynamics." Using Chaos Theory, HYDRA can
    generate special groups of characters called Bodacions. Bodacions are
    impossible to guess, and never repeat.'

    Anyone with some knowledge in this domain to comment?

    -- 
    Teodor CIMPOESU 
    Software Developer, GeCAD Software 
    http://www.gecadsoftware.com, http://www.ravantivirus.com
    

    http://www.cimpoesu.ro/teodor/pk.asc | or blank mail to pkcimpoesu.ro KEYID:0xB0BD3699 FP:D6C4 00EB 811A B06E A657 CCE9 2A63 94F9 B0BD 3699
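The quoted reply sketches an "entropy class" with a configurable number of random bits per id, asks whether 128 bits will still be enough in two years, and wonders how one would test an implementation. The following is an added example written for this archive page, not code from any poster, from HYDRA, or from the OWASP project. It assumes a CSPRNG (Python's `secrets`, which reads the OS pool) and uses a simple union-bound model of an online guessing attacker; the attacker rates and session counts in the usage section are constructed figures, not measurements.

```python
"""Session-id sizing and sanity checks (added example; not from the original thread)."""
import base64
import math
import secrets


def generate_session_id(bits: int = 128) -> str:
    """Return a URL-safe token carrying at least `bits` bits of CSPRNG output.

    The bit count is the run-time "quality" knob the quoted reply describes; the
    64-bit floor is an assumed policy minimum, not a standard.
    """
    if bits < 64:
        raise ValueError("refusing to issue a session id with fewer than 64 random bits")
    nbytes = (bits + 7) // 8
    raw = secrets.token_bytes(nbytes)              # OS CSPRNG, never random.random()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def id_bits(token: str) -> int:
    """Number of random bits a token produced by generate_session_id carries."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


def guess_probability(bits: int, live_sessions: int,
                      guesses_per_second: float, seconds: float) -> float:
    """Upper bound on the chance that an online attacker hits ANY valid id.

    Union bound: each guess succeeds with probability live_sessions / 2**bits,
    so over guesses_per_second * seconds attempts the total is at most the sum.
    """
    attempts = guesses_per_second * seconds
    return min(live_sessions * attempts / 2 ** bits, 1.0)


def bits_needed(live_sessions: int, guesses_per_second: float,
                seconds: float, target_probability: float) -> int:
    """Smallest bit length whose guess_probability stays at or below the target.

    This is the 'will 128 bits be enough' question turned into arithmetic:
    bits >= log2(live_sessions * attempts / target).
    """
    attempts = guesses_per_second * seconds
    return math.ceil(math.log2(live_sessions * attempts / target_probability))


def byte_chi_square(sample: bytes) -> float:
    """Chi-square statistic of byte frequencies against a uniform distribution.

    A crude version of the 'correlation test' the reply mentions: for a good
    generator and a large sample the statistic sits near 255 (the degrees of
    freedom); a biased or stuck generator produces a value far above that. This
    only catches gross failures; it cannot prove a generator is unpredictable.
    """
    counts = [0] * 256
    for b in sample:
        counts[b] += 1
    expected = len(sample) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


if __name__ == "__main__":
    # Constructed scenario: a million live sessions, an attacker at 1e9
    # guesses/s for two years (the horizon asked about in the thread).
    live, rate, horizon = 10 ** 6, 1e9, 2 * 365 * 86400
    print("128-bit id, P(any hit) <=", guess_probability(128, live, rate, horizon))
    print("bits needed for P <= 1e-6:", bits_needed(live, rate, horizon, 1e-6))
    print("example id:", generate_session_id(128))
    print("chi-square of 64 KiB from secrets:", byte_chi_square(secrets.token_bytes(65536)))
    print("chi-square of a stuck generator:", byte_chi_square(bytes(65536)))
```

Two points the numbers make: with 128 random bits the union bound stays astronomically small even for a very large site and a very generous attacker, so the concern for the next two years is not the bit count but whether the bits actually come from a CSPRNG and whether the id leaks (logs, referers, URLs). The chi-square check is only a smoke test; it would pass a generator seeded from the clock, because a good hash of a predictable seed still has uniform bytes.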