Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
To: Yasuo Ohgaki, "internals@lists.php.net"
Date: Mon, 15 Aug 2016 16:21:39 -0400
References: <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk>
From: fsb@thefsb.org (Tom Worster)

On 8/14/16 4:13 PM, Yasuo Ohgaki wrote:
> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy.

What exactly does this mean? If it means that an attacker knows how to eliminate 2^128 - 2^64 impossible SID values from a search then that SID generation is insecure, dangerous garbage. (This isn't the only statement I've seen on OWASP that strikes me as very odd.)

Each bit of output from a CSPRNG such as random_bytes() is equally and independently unpredictable. Hence a brute force attack cannot know that some values are not in its output and may therefore be skipped in a search.

There are 64^32 = 2^192 ~= 6.3e+57 different 32-byte base-64 string values. If a session DB has 1e+7 such SIDs chosen at random then each blind insertion/trial has ~1 in 6.3e+50 chance of a hit. At 1e+4 trials/sec the chance of a hit is ~1 in 6.3e+46 in one second. The age of planet Earth is ~1.4e+17 seconds.

Your calculation (I assume based on that sentence from OWASP) has 128-bit SIDs of which only half are unpredictable. So there are 2^64 ~= 1.8e+19 different SIDs and (at 10e+4 trials/sec on a DB of 1e+7 SIDs) the chance of a hit in one second is ~1.8e+8, which is obviously insufficient. But so what? Four-letter passwords are obviously insufficient too. The calculation doesn't support the conclusion...

> IMHO, it's nonsense to argue "Session ID collision very rare and
> cannot happen", "PHP Session ID safe without collision detection",
> etc.

If random SID math is nonsense that cannot be trusted then it is because either a) the CSPRNG or b) the code deriving SIDs from it is **dangerous garbage**. Either way it's the dangerous garbage that should be fixed. Nobody should just accept such disgraceful SID generation and patch it up with collision detection.

Tom
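The arithmetic in the message above, worked through as an added example that is not part of the original thread: it reproduces the per-second blind-guessing hit chance for the 192-bit and 64-bit cases with the email's figures (1e+7 stored SIDs, 1e+4 trials/sec), and goes one step further with the birthday bound, which is the number that actually matters for the collision-detection question. The `secrets`-based generator and all function names are the example's own assumptions, not PHP's implementation.

```python
import math
import secrets

# Constructed inputs taken from the email's own figures.
DB_SIZE = 10_000_000          # valid SIDs held in the session DB
TRIALS_PER_SEC = 10_000       # blind insertion attempts per second
SID_CHARS = 32                # 32 base-64 characters per SID


def sid_entropy_bits(n_chars: int, alphabet_size: int = 64) -> float:
    """Bits of entropy in an n_chars SID drawn uniformly from the alphabet: 32 * log2(64) = 192."""
    return n_chars * math.log2(alphabet_size)


def sid_space(entropy_bits: int) -> int:
    """Number of distinct SIDs an attacker must search when every bit is unpredictable."""
    return 1 << entropy_bits


def hit_probability_per_second(entropy_bits: int, db_size: int = DB_SIZE,
                               trials_per_sec: int = TRIALS_PER_SEC) -> float:
    """Chance that one second of uniform blind guesses hits any stored SID.
    Each guess hits with probability db_size / 2^bits; no value can be skipped."""
    return db_size * trials_per_sec / sid_space(entropy_bits)


def expected_seconds_to_hit(entropy_bits: int) -> float:
    """Expected attacker time until the first hit; compare with ~1.4e+17 s (age of Earth)."""
    return 1 / hit_probability_per_second(entropy_bits)


def collision_probability(entropy_bits: int, n_sids: int) -> float:
    """Birthday bound: P(at least one duplicate among n_sids uniform SIDs) ~= 1 - exp(-n(n-1)/2N).
    This is the quantity collision detection would guard against."""
    space = sid_space(entropy_bits)
    return -math.expm1(-n_sids * (n_sids - 1) / (2 * space))


def generate_sid() -> str:
    """Hypothetical SID generator: 24 CSPRNG bytes -> 32 URL-safe base-64 chars (192 bits)."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    for bits in (192, 64):
        print(f"{bits}-bit SIDs: P(hit in 1 s) = {hit_probability_per_second(bits):.2e}, "
              f"expected time to hit = {expected_seconds_to_hit(bits):.2e} s, "
              f"P(collision in DB) = {collision_probability(bits, DB_SIZE):.2e}")
    print("sample SID:", generate_sid())
```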