Abstract
HTTP session-ids play an important role in almost any web site today. This paper presents a cryptanalysis of Java Servlet 128-bit session-ids and an efficient, practical prediction algorithm. Using this attack, an adversary may impersonate a legitimate client. Through the analysis we also present a novel, general space-time tradeoff for attacks on secure pseudo-random number generators.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gutterman, Z., Malkhi, D. (2005). Hold Your Sessions: An Attack on Java Session-Id Generation. In: Menezes, A. (eds) Topics in Cryptology – CT-RSA 2005. CT-RSA 2005. Lecture Notes in Computer Science, vol 3376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30574-3_5
DOI: https://doi.org/10.1007/978-3-540-30574-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24399-1
Online ISBN: 978-3-540-30574-3
eBook Packages: Computer Science (R0)