On 8/14/16 4:13 PM, Yasuo Ohgaki wrote:

> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy.

What exactly does this mean?

If it means that an attacker knows how to eliminate 2^128 - 2^64 impossible SID values from a search then that SID generation is insecure, dangerous garbage. (This isn't the only statement I've seen on OWASP that strikes me as very odd.)

Each bit of output from a CSPRNG such as random_bytes() is equally and independently unpredictable. Hence a brute force attack cannot know that some values are not in its output and may therefore be skipped in a search.

There are 64^32 = 2^192 ~= 6.3e+57 different 32-byte base-64 string values. If a session DB has 1e+7 such SIDs chosen at random then each blind insertion/trial has ~1 in 6.3e+50 chance of a hit. At 1e+4 trials/sec the chance of a hit is ~1 in 6.3e+46 in one second. The age of planet Earth is ~1.4e+17 seconds.

Your calculation (I assume based on that sentence from OWASP) has 128-bit SIDs of which only half are unpredictable. So there are 2^64 ~= 1.8e+19 different SIDs and (at 10e+4 trials/sec on a DB of 1e+7 SIDs) the chance of a hit in one second is ~1.8e+8, which is obviously insufficient.

But so what? Four-letter passwords are obviously insufficient too. The calculation doesn't support the conclusion...

> IMHO, it's nonsense to argue "Session ID collision very rare and
> cannot happen", "PHP Session ID safe without collision detection",
> etc.

If random SIDs math is nonsense that cannot be trusted then it is because either a) the CSPRNG or b) the code deriving SIDs from it is **dangerous garbage**.

Either way it's the dangerous garbage that should be fixed. Nobody should just accept such disgraceful SID generation and patch it up with collision detection.

Tom

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
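The arithmetic in the message above, carried through as an added example that is not part of the thread: it computes a blind guesser's per-trial hit chance, the expected time to a hit, and the birthday-bound probability that two IDs in the session DB collide, using the same figures (1e+7 live SIDs, 1e+4 trials/sec) for a 192-bit generator versus one with only 64 bits of entropy.

```python
import math

# Scenario figures taken from the message; the function names are ours.
LIVE_SESSIONS = 10**7        # SIDs present in the session DB
TRIALS_PER_SECOND = 10**4    # blind guesses an attacker can submit per second
AGE_OF_EARTH_SECONDS = 1.4e17


def sid_space(entropy_bits: int) -> int:
    """Number of distinct IDs a generator with `entropy_bits` of entropy can emit."""
    return 1 << entropy_bits


def hit_probability_per_trial(entropy_bits: int, live_sessions: int) -> float:
    """Chance that one blind guess matches any of the `live_sessions` valid IDs."""
    # Python int/int true division is correctly rounded even for 2**192.
    return live_sessions / sid_space(entropy_bits)


def expected_seconds_to_hit(entropy_bits: int, live_sessions: int,
                            trials_per_second: int) -> float:
    """Mean time until a guesser first hits a valid session ID (geometric waiting time)."""
    p = hit_probability_per_trial(entropy_bits, live_sessions)
    return 1.0 / (p * trials_per_second)


def collision_probability(entropy_bits: int, sessions: int) -> float:
    """Birthday bound: P(some two of `sessions` random IDs coincide) ~ 1 - exp(-n(n-1)/2N)."""
    n, space = sessions, sid_space(entropy_bits)
    return -math.expm1(-(n * (n - 1)) / (2 * space))


def compare(entropy_bits: int) -> dict:
    """Summarise the guessing and collision numbers for one generator."""
    secs = expected_seconds_to_hit(entropy_bits, LIVE_SESSIONS, TRIALS_PER_SECOND)
    return {
        "entropy_bits": entropy_bits,
        "hit_per_trial": hit_probability_per_trial(entropy_bits, LIVE_SESSIONS),
        "expected_seconds_to_hit": secs,
        "earth_ages_to_hit": secs / AGE_OF_EARTH_SECONDS,
        "db_collision_probability": collision_probability(entropy_bits, LIVE_SESSIONS),
    }


if __name__ == "__main__":
    for bits in (192, 64):   # 32 base-64 chars vs. the OWASP-style 64-bit figure
        print(compare(bits))
```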
