Hold your sessions: an attack on java session-id generation

Authors:
Zvi Gutterman;Dahlia Malkhi
Affiliations:
School of Engineering and Computer Science, The Hebrew University of Jerusalem, Jerusalem, Israel;School of Engineering and Computer Science, The Hebrew University of Jerusalem, Jerusalem, Israel
Venue:
CT-RSA'05 Proceedings of the 2005 international conference on Topics in Cryptology
Year:
2005

Citing 3
Cited 8

A simple unpredictable pseudo random number generator

SIAM Journal on Computing
Inferring sequences produced by a linear congruential generator missing low-order bits

Journal of Cryptology
Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers

ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology

Tracking the changes of dynamic web pages in the existence of URL rewriting

AusDM '06 Proceedings of the fifth Australasian conference on Data mining and analystics - Volume 61
Cryptanalysis of the windows random number generator

Proceedings of the 14th ACM conference on Computer and communications security
Secretly monopolizing the CPU without superuser privileges

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Cryptanalysis of the random number generator of the Windows operating system

ACM Transactions on Information and System Security (TISSEC)
Hedged Public-Key Encryption: How to Protect against Bad Randomness

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Authenticated and misuse-resistant encryption of key-dependent data

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
New applications of time memory data tradeoffs

ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Identity-Based (lossy) trapdoor functions and applications

EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques

Quantified Score

Hi-index	0.00

Visualization

Abstract

HTTP session-id's take an important role in almost any web site today. This paper presents a cryptanalysis of Java Servlet 128-bit session-id's and an efficient practical prediction algorithm. Using this attack an adversary may impersonate a legitimate client. Through the analysis we also present a novel, general space-time tradeoff for secure pseudo random number generator attacks.