Jim Jagielski <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> >
> > Glenn Olander <[EMAIL PROTECTED]> writes:
> > > 5) The strength of the PRNG is largely irrelevant
> > >
> > > As a user, I wouldn't trust any solution which lacks a check for
> > > duplicate session id's, regardless of the strength of the PRNG.
> > This doesn't seem to me to be a plausible position in view
> > of the fact that all of our security mechanisms absolutely
> > depend on statistical uniqueness of randomly generated large
> > numbers.
> >
>
> These are 2 different points I think. If you randomly generate numbers
> between 1 and 1,000,000 you will, after a point in time, have
> duplicate numbers.

Yes, but if you randomly generate numbers between 1 and 2^128,
you'll have to generate roughly 2^64 random numbers to have a
good chance of getting a duplicate. Sure, over time you'll get
a duplicate, but in this context over time needs to be measured
over a time scale far in excess of the time scale that is interesting.
-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
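Added example, not part of the original message: the birthday-bound arithmetic behind the two figures in the thread (a space of 1,000,000 values versus 2^128), using the standard approximation P = 1 - exp(-n(n-1)/2N) and a simulation check for the small space. The function names and the issuance rate of one million IDs per second are assumptions made for illustration.

```python
import math
import random

def collision_probability(n_draws: int, space: int) -> float:
    """Birthday approximation: P(duplicate) = 1 - exp(-n(n-1) / 2N)."""
    if n_draws < 2:
        return 0.0
    # expm1 keeps precision when the probability is tiny (e.g. ~1e-20).
    return -math.expm1(-(n_draws * (n_draws - 1)) / (2 * space))

def draws_for_probability(space: int, p: float = 0.5) -> float:
    """Approximate number of uniform draws needed to reach P(duplicate) = p."""
    return math.sqrt(2 * space * math.log(1 / (1 - p)))

def years_to_even_odds(space: int, ids_per_second: float) -> float:
    """Years of continuous issuance before a duplicate is as likely as not."""
    return draws_for_probability(space) / ids_per_second / (365.25 * 24 * 3600)

def simulate(n_draws: int, space: int, trials: int, seed: int = 1) -> float:
    """Empirical duplicate rate; only practical for small spaces."""
    rng = random.Random(seed)  # simulation only, not a source for real session IDs
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_draws):
            value = rng.randrange(space)
            if value in seen:
                hits += 1
                break
            seen.add(value)
    return hits / trials

if __name__ == "__main__":
    small, large = 10**6, 2**128
    n_small = math.ceil(draws_for_probability(small))
    print(f"1..1,000,000: ~{n_small} draws for even odds; "
          f"simulated rate {simulate(n_small, small, 2000):.3f}")
    print(f"2^128: ~2^{math.log2(draws_for_probability(large)):.2f} draws for even odds")
    print(f"2^128, 2^32 IDs issued: P(duplicate) = {collision_probability(2**32, large):.2e}")
    # Assumed issuance rate of one million IDs per second.
    print(f"2^128 at 1e6 IDs/s: {years_to_even_odds(large, 1e6):,.0f} years to even odds")
```

The approximation assumes the generator's output is uniform over the full space; a PRNG with less effective entropy than its output width shrinks N accordingly.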