Re: Safe session IDs

From: Josh Daymont (joshd@midgard.net)
Date: 01/11/02


Date: Thu, 10 Jan 2002 15:17:37 -0800 (PST)
From: Josh Daymont <joshd@midgard.net>
To: Ryan M Harris <rmharris@acdinc.net>


The rand(3) function on nearly any commercial OS will be easily guessable
by an attacker. Ditto for the remote IP and almost any other "static
machine state" derived information. Hopefully you aren't relying on these
kinds of session IDs to protect anything that holds client information,
trade secrets and/or credit cards.

I'd recommend that you look into something along the lines of Yarrow.

Explanation of the security of the rand(3) call:

For most operating systems, the rand(3) libcall is implemented using a
linear congruential generator (LCG). These kinds of functions are easily
broken by an attacker after getting only two known consecutive outputs.
Breaking such a function doesn't involve any advanced math and can be
easily understood by anyone who knows basic modular arithmetic and high
school algebra.

Some newer Linux distributions use an additive generator based on the
random(3) call. This implementation is slightly more secure than the
linear congruential generators but is still easily broken in under 100
known consecutive outputs, making it unusable for generating secure PRNs.
The math involved in breaking this kind of a generator is even simpler
than for an LCG.

Moral of the story: just because a random number generator advertises
itself as "more random" or "more secure" than a known insecure PRNG
doesn't mean that it provides an adequate level of security.

-Josh Daymont

On Thu, 10 Jan 2002, Ryan M Harris wrote:

> What is the most secure way of generating a session number?
>
> I have used the following formula in the past. Is it secure (from a
> randomness perspective)? Any way to make it more secure/random?
>
> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )
>
> Ryan M Harris
>
>
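
The following is an added illustration, not code from either poster, of the two points made above: an LCG of the rand(3) shape leaks its whole future once a few consecutive outputs are seen, and hashing predictable inputs (as in the quoted md5 formula) does not add any secrecy. The LCG parameters here are constructed for the example and are not those of any real libc; the recovery assumes the modulus is known and uses three consecutive full-state outputs to solve for the multiplier and increment (when all three parameters are public, as they are for a documented libc, a single output already fixes every later one). The secure alternative shown is Python's OS-backed CSPRNG via the `secrets` module, standing in for a Yarrow-style generator.

```python
"""Why rand(3)-style LCG output must not seed session IDs (added example)."""
import hashlib
import secrets

# Toy LCG with the same shape as a typical rand(3): x_{n+1} = (a*x_n + c) mod m.
# Parameters are constructed for this example, not taken from any real libc.
M = 2**31 - 1      # hypothetical modulus; prime, so every non-zero residue is invertible
A = 1103515245     # hypothetical multiplier
C = 12345          # hypothetical increment


def lcg_sequence(seed, n):
    """Return the first n full-state outputs of the LCG started from `seed`."""
    out, x = [], seed % M
    for _ in range(n):
        x = (A * x + C) % M
        out.append(x)
    return out


def recover_lcg(x0, x1, x2, m=M):
    """Recover (a, c) from three consecutive outputs, assuming the modulus m is known.

    x1 = a*x0 + c and x2 = a*x1 + c (mod m), so x2 - x1 = a*(x1 - x0) (mod m).
    Basic modular arithmetic, nothing more: this is the 'high school algebra' attack.
    """
    diff = (x1 - x0) % m
    if diff == 0:
        raise ValueError("consecutive outputs must differ to solve for a")
    a = ((x2 - x1) * pow(diff, -1, m)) % m
    c = (x1 - a * x0) % m
    return a, c


def predict_next(x_last, a, c, m=M):
    """Given the recovered parameters, every later output follows from the last one."""
    return (a * x_last + c) % m


def weak_session_id(client_ip, user_agent, rand_value, timestamp):
    """The style of ID in the quoted formula: MD5 over fields an observer can see or guess.

    MD5 is deterministic, so it is exactly as guessable as its inputs; the only
    unknown to an outside party is rand_value, and that is predictable as shown above.
    """
    material = f"{client_ip}{user_agent}{rand_value}{timestamp}".encode()
    return hashlib.md5(material).hexdigest()


def strong_session_id(nbytes=16):
    """Session ID drawn from the OS CSPRNG; not derivable from anything in the request."""
    return secrets.token_hex(nbytes)


def demo(seed=20020110):
    """Recover the generator from three outputs and check the prediction against the fourth."""
    seq = lcg_sequence(seed, 4)
    a, c = recover_lcg(*seq[:3])
    return {
        "recovered_matches": (a, c) == (A, C),
        "predicted": predict_next(seq[2], a, c),
        "actual": seq[3],
        "strong_id": strong_session_id(),
    }


if __name__ == "__main__":
    print(demo())
```

The recovery needs the modulus, but for any documented libc that is public knowledge, and for rand(3) the multiplier and increment are public too, which is why the message above treats its output as guessable. The defensive lesson is in `strong_session_id`: every byte of the identifier comes from the kernel's entropy-fed generator, so nothing in the HTTP request or the server clock narrows the search.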


